Writeup Exploits

63,730 exploits tracked across all sources.

Sort: Activity Stars
CVE-2022-3910 WRITEUP HIGH
Linux Kernel 5.18-5.19.10 - Use-After-Free in io_uring Fixed File Handling
Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately. We recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679
CVSS 7.8
CVE-2022-3975 WRITEUP LOW
NukeViet CMS < 4.5 - Cross-Site Scripting in Data URL Handler
A vulnerability, which was classified as problematic, has been found in NukeViet CMS. Affected by this issue is the function filterAttr of the file vendor/vinades/nukeviet/Core/Request.php of the component Data URL Handler. The manipulation of the argument attrSubSet leads to cross site scripting. The attack may be launched remotely. Upgrading to version 4.5 is able to address this issue. The name of the patch is 0b3197fad950bb3383e83039a8ee4c9509b3ce02. It is recommended to upgrade the affected component. VDB-213554 is the identifier assigned to this vulnerability.
CVSS 3.5
CVE-2022-3976 WRITEUP MEDIUM
libiec61850 < 1.5 - Path Traversal in MMS File Services
A vulnerability has been found in MZ Automation libiec61850 up to 1.4 and classified as critical. This vulnerability affects unknown code of the file src/mms/iso_mms/client/mms_client_files.c of the component MMS File Services. The manipulation of the argument filename leads to path traversal. Upgrading to version 1.5 is able to address this issue. The name of the patch is 10622ba36bb3910c151348f1569f039ecdd8786f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-213556.
CVSS 5.5
CVE-2022-40023 WRITEUP HIGH
Mako < 1.2.2 - Regular Expression Denial of Service via Lexer Class
Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.
CVSS 7.5
CVE-2022-40468 WRITEUP HIGH
Tinyproxy <84f203f - Info Disclosure
Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used. Tinyproxy commit 84f203f and earlier use uninitialized buffers in process_request() function.
CVSS 7.5
CVE-2022-40490 WRITEUP MEDIUM
Tiny File Manager < 2.4.7 - Stored Cross-Site Scripting via File Name
Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file.
CVSS 4.8
CVE-2022-40624 WRITEUP CRITICAL
pfSense pfBlockerNG <= 2.1.4_27 - Remote Code Execution via HTTP Host Header
pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.
CVSS 9.8
CVE-2022-40760 WRITEUP HIGH
Samsung mTower <= 0.3.0 - Denial of Service via TEE_MACUpdate Excessive Chunk Size
A Buffer Access with Incorrect Length Value vulnerablity in the TEE_MACUpdate function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACUpdate with an excessive size value of chunkSize.
CVSS 7.5
CVE-2022-40761 WRITEUP HIGH
Samsung mTower < 0.3.0 - Denial of Service via TEE_AllocateOperation Heap Layout Manipulation
The function tee_obj_free in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_AllocateOperation with a disturbed heap layout, related to utee_cryp_obj_alloc.
CVSS 7.5
CVE-2022-40769 WRITEUP HIGH
profanity < 1.60 - Use of Cryptographically Weak PRNG
profanity through 1.60 has only four billion possible RNG initializations. Thus, attackers can recover private keys from Ethereum vanity addresses and steal cryptocurrency, as exploited in the wild in June 2022.
CVSS 7.5
CVE-2022-40799 WRITEUP HIGH
D-Link DNR-322L <= 2.60B15 - Authenticated Remote Code Execution via Backup Config
Data Integrity Failure in 'Backup Config' in D-Link DNR-322L <= 2.60B15 allows an authenticated attacker to execute OS level commands on the device.
CVSS 8.8
CVE-2022-40862 WRITEUP CRITICAL
Tenda AC15-AC18 Router <V15.03.05.19 - Buffer Overflow
Tenda AC15 and AC18 router V15.03.05.19 contains stack overflow vulnerability in the function fromNatStaticSetting with the request /goform/NatStaticSetting
CVSS 9.8
CVE-2022-40864 WRITEUP CRITICAL
Tenda AC15-AC18 <V15.03.05.19 - Buffer Overflow
Tenda AC15 and AC18 routers V15.03.05.19 contain stack overflow vulnerabilities in the function setSmartPowerManagement with the request /goform/PowerSaveSet
CVSS 9.8
CVE-2022-40865 WRITEUP CRITICAL
Tenda AC15-AC18 <V15.03.05.19 - Buffer Overflow
Tenda AC15 and AC18 routers V15.03.05.19 contain heap overflow vulnerabilities in the function setSchedWifi with the request /goform/openSchedWifi/
CVSS 9.8
CVE-2022-40869 WRITEUP CRITICAL
Tenda AC15-AC18 <V15.03.05.19 - Buffer Overflow
Tenda AC15 and AC18 routers V15.03.05.19 contain stack overflow vulnerabilities in the function fromDhcpListClient with a combined parameter "list*" ("%s%d","list").
CVSS 9.8
CVE-2022-40870 WRITEUP HIGH
Parallels Remote Application Server <18.0 - Command Injection
The Web Client of Parallels Remote Application Server v18.0 is vulnerable to Host Header Injection attacks. This vulnerability allows attackers to execute arbitrary commands via a crafted payload injected into the Host header.
CVSS 8.1
CVE-2022-40881 WRITEUP CRITICAL
SolarView Compact 6.00 - Command Injection
SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php
CVSS 9.8
CVE-2022-40897 WRITEUP MEDIUM
Python Packaging Authority (PyPA) setuptools <65.5.1 - DoS
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
CVSS 5.9
CVE-2022-40916 WRITEUP CRITICAL
Tiny File Manager <2.4.7 - Session Fixation
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
CVSS 9.8
CVE-2022-40924 WRITEUP HIGH
Zoo Management System v1.0 - File Upload
Zoo Management System v1.0 has an arbitrary file upload vulnerability in the picture upload point of the "save_animal" file of the "Animals" module in the background management system.
CVSS 7.2
CVE-2022-40946 WRITEUP HIGH
D-Link DIR-819 Firmware 1.06 - Denial of Service via sys_token Parameter
On D-Link DIR-819 Firmware Version 1.06 Hardware Version A1 devices, it is possible to trigger a Denial of Service via the sys_token parameter in a cgi-bin/webproc?getpage=html/index.html request.
CVSS 7.5
CVE-2022-4065 WRITEUP MEDIUM
cbeust testng <7.5.1,7.7.1 - Path Traversal
A vulnerability was found in cbeust testng 7.5.0/7.6.0/7.6.1/7.7.0. It has been declared as critical. Affected by this vulnerability is the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser. The manipulation leads to path traversal. The attack can be launched remotely. Upgrading to version 7.5.1 and 7.7.1 is able to address this issue. The patch is named 9150736cd2c123a6a3b60e6193630859f9f0422b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-214027.
CVSS 5.5
CVE-2022-4096 WRITEUP MEDIUM
Appsmith < 1.8.2 - Server-Side Request Forgery
Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2.
CVSS 6.5
CVE-2022-41137 WRITEUP HIGH
Apache Hive - Remote Code Execution
Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective any code that calls the unsafe method may be vulnerable unless it performs additional prerechecks on the input arguments.
CVSS 8.3
CVE-2022-41401 WRITEUP MEDIUM
OpenRefine <= 3.5.2 - Server-Side Request Forgery
OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure.
CVSS 6.5