Writeup Exploits

63,697 exploits tracked across all sources.

Sort: Activity Stars
CVE-2022-30528 WRITEUP CRITICAL
isic.lk < 2018-02-13 - SQL Injection via Username Parameter
SQL Injection vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to execute arbitrary commands via the username parameter to /system/user/modules/mod_users/controller.php.
CVSS 9.8
CVE-2022-30591 WRITEUP HIGH
quic-go < 0.27.0 - Denial of Service via MTU Discovery Probe Timer Overflow
quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the probe timer. NOTE: the vendor's position is that this behavior should not be listed as a vulnerability on the CVE List
CVSS 7.5
CVE-2022-30592 WRITEUP CRITICAL
lsquic < 3.1.0 - NULL Pointer Dereference in lsquic_qenc_hdl.c
liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY.
CVSS 9.8
CVE-2022-30594 WRITEUP HIGH
Linux Kernel < 5.17.2 - Missing Authorization via PT_SUSPEND_SECCOMP Flag
The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.
CVSS 7.8
CVE-2022-30708 WRITEUP HIGH
Webmin < 1.991 - Remote Code Execution via Authentic Theme File Parameter
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.
CVSS 8.8
CVE-2022-41556 WRITEUP HIGH
lighttpd 1.4.56-1.4.66 - Denial of Service via RDHUP Mishandling in HTTP/1.1 Chunked Requests
A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.
CVSS 7.5
CVE-2022-41556 WRITEUP HIGH
lighttpd 1.4.56-1.4.66 - Denial of Service via RDHUP Mishandling in HTTP/1.1 Chunked Requests
A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.
CVSS 7.5
CVE-2022-30780 WRITEUP HIGH
lighttpd 1.4.56-1.4.58 - Denial of Service via Large Header Processing
Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.
CVSS 7.5
CVE-2018-25103 WRITEUP MEDIUM
lighttpd <= 1.4.50 - Use After Free
There exists use-after-free vulnerabilities in lighttpd <= 1.4.50 request parsing which might read from invalid pointers to memory used in the same request, not from other requests.
CVSS 5.3
CVE-2018-19052 WRITEUP HIGH
lighttpd < 1.4.50 - Path Traversal via Alias Configuration
An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.
CVSS 7.5
CVE-2022-30875 WRITEUP MEDIUM
Dolibarr 12.0.5 - Cross-Site Scripting via SQL Error Page
Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via Sql Error Page.
CVSS 6.1
CVE-2022-30929 WRITEUP HIGH
Mini-Tmall v1.0 - Privilege Escalation
Mini-Tmall v1.0 is vulnerable to Insecure Permissions via tomcat-embed-jasper.
CVSS 8.8
CVE-2022-3008 WRITEUP HIGH
tinygltf <2.6.0 - Command Injection
The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751
CVSS 8.1
CVE-2022-31022 WRITEUP MEDIUM
Bleve < 2.5.0 - Unauthenticated Arbitrary Directory Creation and Deletion via HTTP Handlers
Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account. Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBAC) of the index assets would be impacted by this issue. Version 2.5.0 relocated the `http/` dir used _only_ by bleve-explorer to `blevesearch/bleve-explorer`, thereby addressing the issue. However, the http package is purely intended to be used for demonstration purposes. Bleve was never designed handle the RBACs, nor it was ever advertised to be used in that way. The collaborators of this project have decided to stay away from adding any authentication or authorization to bleve project at the moment. The bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of the user inputs as well as any authentication and authorization measures. It is recommended to not use bleve/http in production use cases.
CVSS 6.2
CVE-2022-31025 WRITEUP LOW
Discourse <2.8.4-2.9.0.beta5 - Auth Bypass
Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the `stable` branch and 2.9.0beta5 on the `beta` and `tests-passed` branches, inviting users on sites that use single sign-on could bypass the `must_approve_users` check and invites by staff are always approved automatically. The issue is patched in Discourse version 2.8.4 on the `stable` branch and version `2.9.0.beta5` on the `beta` and `tests-passed` branches. As a workaround, disable invites or increase `min_trust_level_to_allow_invite` to reduce the attack surface to more trusted users.
CVSS 2.6
CVE-2022-31032 WRITEUP MEDIUM
Tuleap <13.9.99.58 - Info Disclosure
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.58 authorizations are not properly verified when creating projects or trackers from projects marked as templates. Users can get access to information in those template projects because the permissions model is not properly enforced. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS 4.3
CVE-2022-31061 WRITEUP CRITICAL
GLPI 9.3.0-9.5.7 - Unauthenticated SQL Injection via Login Page
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
CVSS 9.8
CVE-2022-31081 WRITEUP HIGH
HTTP::Daemon <6.15 - Privilege Escalation
HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on top of Nginx or Apache, not on the `HTTP::Daemon`. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add additional request handling logic as a mitigation. After calling `my $rqst = $conn->get_request()` one could inspect the returned `HTTP::Request` object. Querying the 'Content-Length' (`my $cl = $rqst->header('Content-Length')`) will show any abnormalities that should be dealt with by a `400` response. Expected strings of 'Content-Length' SHOULD consist of either a single non-negative integer, or, a comma separated repetition of that number. (that is `42` or `42, 42, 42`). Anything else MUST be rejected.
CVSS 7.3
CVE-2022-31093 WRITEUP HIGH
next-auth < 3.29.5 - Denial of Service via Malformed Callback URL
NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.
CVSS 7.5
CVE-2022-31101 WRITEUP HIGH
PrestaShop blockwishlist < 2.1.1 - Authenticated SQL Injection
prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS 8.1
CVE-2022-31111 WRITEUP MEDIUM
Frontier - Incorrect Balance Conversion in EVM Compatibility Layer
Frontier is Substrate's Ethereum compatibility layer. In affected versions the truncation done when converting between EVM balance type and Substrate balance type was incorrectly implemented. This leads to possible discrepancy between appeared EVM transfer value and actual Substrate value transferred. It is recommended that an emergency upgrade to be planned and EVM execution temporarily paused in the mean time. The issue is patched in Frontier master branch commit fed5e0a9577c10bea021721e8c2c5c378e16bf66 and polkadot-v0.9.22 branch commit e3e427fa2e5d1200a784679f8015d4774cedc934. This vulnerability affects only EVM internal states, but not Substrate balance states or node. You can temporarily pause EVM execution (by setting up a Substrate `CallFilter` that disables `pallet-evm` and `pallet-ethereum` calls before the patch can be applied.
CVSS 5.3
CVE-2022-31112 WRITEUP HIGH
parse-server < 4.10.13 - Information Exposure via LiveQuery Protected Fields
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.
CVSS 8.2
CVE-2022-31124 WRITEUP HIGH
openssh_key_parser <0.0.6 - Info Disclosure
openssh_key_parser is an open source Python package providing utilities to parse and pack OpenSSH private and public key files. In versions prior to 0.0.6 if a field of a key is shorter than it is declared to be, the parser raises an error with a message containing the raw field value. An attacker able to modify the declared length of a key's sensitive field can thus expose the raw value of that field. Users are advised to upgrade to version 0.0.6, which no longer includes the raw field value in the error message. There are no known workarounds for this issue.
CVSS 7.7
CVE-2022-31130 WRITEUP MEDIUM
Grafana <9.1.8 & <8.5.14 - Info Disclosure
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.
CVSS 4.9
CVE-2022-31137 WRITEUP CRITICAL
Roxy-WI < 6.1.1.0 - Unauthenticated Remote Code Execution via subprocess_execute Function
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 10.0