Exploit Database

146,719 exploits tracked across all sources.

Sort: Activity Stars
CVE-2018-5407 WRITEUP MEDIUM
Ubuntu Linux - Exposure of Sensitive Information via SMT Port Contention Timing Attack
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
CVSS 4.7
CVE-2018-5688 WRITEUP MEDIUM
ILIAS < 5.2.4 - Cross-Site Scripting via Setup Component cmd Parameter
ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.
CVSS 6.1
CVE-2018-5782 WRITEUP CRITICAL
Mitel Connect ONSITE <R1711-PREM - RCE
A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vsethost.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.
CVSS 9.8
CVE-2018-5802 WRITEUP HIGH
LibRaw < 0.18.7 - Out-of-bounds Read in kodak_radc_load_raw Function
An error within the "kodak_radc_load_raw()" function (internal/dcraw_common.cpp) related to the "buf" variable in LibRaw versions prior to 0.18.7 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
CVSS 8.8
CVE-2018-5811 WRITEUP MEDIUM
LibRaw < 0.18.9 - Out-of-bounds Read in nikon_coolscan_load_raw()
An error within the "nikon_coolscan_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
CVSS 6.5
CVE-2018-5812 WRITEUP MEDIUM
LibRaw < 0.18.9 - NULL Pointer Dereference in nikon_coolscan_load_raw()
An error within the "nikon_coolscan_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to trigger a NULL pointer dereference.
CVSS 6.5
CVE-2018-5813 WRITEUP MEDIUM
LibRaw < 0.18.11 - Denial of Service via Infinite Loop in parse_minolta()
An error within the "parse_minolta()" function (dcraw/dcraw.c) in LibRaw versions prior to 0.18.11 can be exploited to trigger an infinite loop via a specially crafted file.
CVSS 6.5
CVE-2018-5815 WRITEUP MEDIUM
LibRaw < 0.18.12 - Integer Overflow in parse_qt() Function
An integer overflow error within the "parse_qt()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger an infinite loop via a specially crafted Apple QuickTime file.
CVSS 6.5
CVE-2018-5816 WRITEUP MEDIUM
LibRaw < 0.18.12 - Integer Overflow via NOKIARAW File in identify() Function
An integer overflow error within the "identify()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger a division by zero via specially crafted NOKIARAW file (Note: This vulnerability is caused due to an incomplete fix of CVE-2018-5804).
CVSS 6.5
CVE-2018-5873 WRITEUP HIGH
Linux kernel <4.11 - Use After Free
An issue was discovered in the __ns_get_path function in fs/nsfs.c in the Linux kernel before 4.11. Due to a race condition when accessing files, a Use After Free condition can occur. This also affects all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05.
CVSS 7.0
CVE-2018-5999 WRITEUP CRITICAL
AsusWRT <3.0.0.4.384_10007 - Info Disclosure
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.
CVSS 9.8
CVE-2018-6000 WRITEUP CRITICAL
AsusWRT <3.0.0.4.384_10007 - Privilege Escalation
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.
CVSS 9.8
CVE-2018-6383 WRITEUP HIGH
Monstra CMS < 3.0.4 - Authenticated Remote Code Execution via .pht or .phar File Upload
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.
CVSS 8.8
CVE-2018-6389 WRITEUP HIGH
WordPress < 4.9.2 - Unauthenticated Denial of Service via Repeated JavaScript File Loading
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
CVSS 7.5
CVE-2018-6389 WRITEUP HIGH
WordPress < 4.9.2 - Unauthenticated Denial of Service via Repeated JavaScript File Loading
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
CVSS 7.5
CVE-2018-6407 WRITEUP HIGH
Conceptronic CIPCAMPTIWL V3 0.61.30.21 - Unauthenticated Denial of Service via Large POST Request to devices.cgi
An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. An unauthenticated attacker can crash a device by sending a POST request with a huge body size to /hy-cgi/devices.cgi?cmd=searchlandevice. The crash completely freezes the device.
CVSS 7.5
CVE-2018-6481 WRITEUP CRITICAL
Flexense Disksavvy - Memory Corruption
A buffer overflow vulnerability in the control protocol of Disk Savvy Enterprise v10.4.18 allows remote attackers to execute arbitrary code by sending a crafted packet to TCP port 9124.
CVSS 9.8
CVE-2018-6546 WRITEUP CRITICAL
plays.tv < 1.27.7.0 - Unauthenticated Remote Code Execution via execute_installer Parameter
plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, executes code at a user-defined (local or SMB) path as SYSTEM when the execute_installer parameter is used in an HTTP message. This occurs without properly authenticating the user.
CVSS 9.8
CVE-2018-6558 WRITEUP MEDIUM
fscrypt <0.2.4 - Privilege Escalation
The pam_fscrypt module in fscrypt before 0.2.4 may incorrectly restore primary and supplementary group IDs to the values associated with the root user, which allows attackers to gain privileges via a successful login through certain applications that use Linux-PAM (aka pam).
CVSS 6.5
CVE-2018-6574 WRITEUP HIGH
GO < 1.8.6 - Code Injection
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
CVSS 7.8
CVE-2018-0833 WRITEUP MEDIUM
Windows 8.1, RT 8.1, and Server 2012 R2 - Denial of Service via SMBv2/SMBv3 Client Null Pointer Dereference
The Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client in Windows 8.1 and RT 8.1 and Windows Server 2012 R2 allows a denial of service vulnerability due to how specially crafted requests are handled, aka "SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability".
CVSS 5.3
CVE-2018-6593 WRITEUP HIGH
MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation via IOCTL 0x8000204C
An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by connecting to the filter communication port and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges.
CVSS 7.8
CVE-2018-6596 WRITEUP CRITICAL
django-anymail < 1.2.1 - Timing Attack on WEBHOOK_AUTHORIZATION Secret
webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events.
CVSS 9.1
CVE-2018-6606 WRITEUP HIGH
MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation via IOCTL 0x80002010 and 0x8000204C
An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by sending IOCTL 0x80002010 and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges.
CVSS 7.8
CVE-2018-6651 WRITEUP HIGH
uncurl < 0.07 - Cross-Site Request Forgery via Origin Header Substring Match
In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.
CVSS 8.8