Writeup Exploits

63,783 exploits tracked across all sources.

Sort: Activity Stars
CVE-2023-2951 WRITEUP MEDIUM
Bus Dispatch and Information System 1.0 - SQL Injection via delete_bus.php busid Parameter
A vulnerability classified as critical has been found in code-projects Bus Dispatch and Information System 1.0. Affected is an unknown function of the file delete_bus.php. The manipulation of the argument busid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230112.
CVSS 6.3
CVE-2023-30013 WRITEUP CRITICAL
TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 - OS Command Injection via Traceroute Configuration
TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.
CVSS 9.8
CVE-2023-30058 WRITEUP CRITICAL
novel-plus 3.6.2 - SQL Injection
novel-plus 3.6.2 is vulnerable to SQL Injection.
CVSS 9.8
CVE-2023-30185 WRITEUP CRITICAL
crmeb 4.4.0-4.6.0 - Arbitrary File Upload via SystemAttachmentServices.php
CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file upload vulnerability via the component \attachment\SystemAttachmentServices.php.
CVSS 9.8
CVE-2023-30186 WRITEUP CRITICAL
ONLYOFFICE DocumentServer 4.0.3-7.3.2 - Remote Code Execution via Use-After-Free
A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file.
CVSS 9.8
CVE-2023-30187 WRITEUP CRITICAL
ONLYOFFICE DocumentServer 4.0.3-7.3.2 - Remote Code Execution via Crafted JavaScript File
An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file.
CVSS 9.8
CVE-2023-30188 WRITEUP HIGH
ONLYOFFICE Document Server 4.0.3-7.3.2 - Denial of Service via Crafted JavaScript File
Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file.
CVSS 7.5
CVE-2023-30258 WRITEUP CRITICAL
magnusbilling 6.0.0-7.2.9 - Unauthenticated OS Command Injection
Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
CVSS 9.8
CVE-2023-30258 WRITEUP CRITICAL
magnusbilling 6.0.0-7.2.9 - Unauthenticated OS Command Injection
Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
CVSS 9.8
CVE-2023-30330 WRITEUP CRITICAL
SoftExpert Excellence Suite 2.0-2.1.2 - Local File Inclusion via defaultframe_filter.php
SoftExpert (SE) Excellence Suite 2.x versions before 2.1.3 is vulnerable to Local File Inclusion in the function /se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php.
CVSS 9.8
CVE-2023-30347 WRITEUP MEDIUM
Neox Contact Center 2.3.9 - Cross-Site Scripting via SMA API search_sms_api_name Parameter
Cross Site Scripting (XSS) vulnerability in Neox Contact Center 2.3.9, via the serach_sms_api_name parameter to the SMA API search.
CVSS 4.8
CVE-2023-30351 WRITEUP HIGH
Tenda CP3 Firmware V11.10.00.2211041355 - Hard-Coded Root Password with Weak Encryption
Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 was discovered to contain a hard-coded default password for root which is stored using weak encryption. This vulnerability allows attackers to connect to the TELNET service (or UART) by using the exposed credentials.
CVSS 7.5
CVE-2023-30354 WRITEUP CRITICAL
Tenda CP3 Firmware V11.10.00.2211041355 - Cleartext Transmission of Sensitive Information via UART
Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 does not defend against physical access to U-Boot via the UART: the Wi-Fi password is shown, and the hardcoded boot password can be inserted for console access.
CVSS 9.8
CVE-2023-30383 WRITEUP HIGH
TP-LINK Archer C2/C20/C50 Firmware - Buffer Overflow leading to Denial of Service
TP-LINK Archer C50v2 Archer C50(US)_V2_160801, TP-LINK Archer C20v1 Archer_C20_V1_150707, and TP-LINK Archer C2v1 Archer_C2_US__V1_170228 were discovered to contain a buffer overflow which may lead to a Denial of Service (DoS) when parsing crafted data.
CVSS 7.5
CVE-2023-30450 WRITEUP MEDIUM
Redpanda < 23.1.2 - Improper Input Validation in rpk RPC Server TLS Configuration
rpk in Redpanda before 23.1.2 mishandles the redpanda.rpc_server_tls field, leading to (for example) situations in which there is a data type mismatch that cannot be automatically fixed by rpk, and instead a user must reconfigure (while a cluster is turned off) in order to have TLS on broker RPC ports. NOTE: the fix was also backported to the 22.2 and 22.3 branches.
CVSS 4.3
CVE-2023-30545 WRITEUP HIGH
PrestaShop < 1.7.8.9 and 8.0.0-8.0.4 - Authenticated Arbitrary File Read via SQL LOAD_FILE Function
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9
CVSS 7.7
CVE-2023-30547 WRITEUP CRITICAL
Vm2 < 3.9.16 - Injection
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.
CVSS 9.8
CVE-2023-30547 WRITEUP CRITICAL
Vm2 < 3.9.16 - Injection
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.
CVSS 9.8
CVE-2023-30548 WRITEUP MEDIUM
gatsby-plugin-sharp < 5.8.1 and < 4.25.1 - Path Traversal via Gatsby Develop Server
gatsby-plugin-sharp is a plugin for the gatsby framework which exposes functions built on the Sharp image processing library. The gatsby-plugin-sharp plugin prior to versions 5.8.1 and 4.25.1 contains a path traversal vulnerability exposed when running the Gatsby develop server (`gatsby develop`). It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable. Attackers exploiting this vulnerability will have read access to all files within the scope of the server process. A patch has been introduced in [email protected] and [email protected] which mitigates the issue by ensuring that included paths remain within the project directory. As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability. Users are non the less encouraged to upgrade to a safe version.
CVSS 4.3
CVE-2023-30549 WRITEUP HIGH
Apptainer < 1.1.8 - Use-After-Free via ext4 Filesystem Mounting
Apptainer is an open source container platform for Linux. There is an ext4 use-after-free flaw that is exploitable through versions of Apptainer < 1.1.0 and installations that include apptainer-suid < 1.1.8 on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal. Use-after-free flaws in the kernel can be used to attack the kernel for denial of service and potentially for privilege escalation. Apptainer 1.1.8 includes a patch that by default disables mounting of extfs filesystem types in setuid-root mode, while continuing to allow mounting of extfs filesystems in non-setuid "rootless" mode using fuse2fs. Some workarounds are possible. Either do not install apptainer-suid (for versions 1.1.0 through 1.1.7) or set `allow setuid = no` in apptainer.conf. This requires having unprivileged user namespaces enabled and except for apptainer 1.1.x versions will disallow mounting of sif files, extfs files, and squashfs files in addition to other, less significant impacts. (Encrypted sif files are also not supported unprivileged in apptainer 1.1.x.). Alternatively, use the `limit containers` options in apptainer.conf/singularity.conf to limit sif files to trusted users, groups, and/or paths, and set `allow container extfs = no` to disallow mounting of extfs overlay files. The latter option by itself does not disallow mounting of extfs overlay partitions inside SIF files, so that's why the former options are also needed.
CVSS 7.1
CVE-2023-30591 WRITEUP HIGH
NodeBB <= 2.8.10 - Unauthenticated Denial of Service via Crafted Socket.IO Messages
Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking `eventName.startsWith()` or `eventName.toString()`, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively.
CVSS 7.5
CVE-2023-30608 WRITEUP MEDIUM
sqlparse >=0.1.15 <0.4.4 - Denial of Service via Inefficient Regular Expression
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS 5.5
CVE-2023-30625 WRITEUP HIGH
Rudder Server SQLI Remote Code Execution
rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgresSQL having superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.
CVSS 8.8
CVE-2023-30625 WRITEUP HIGH
Rudder Server SQLI Remote Code Execution
rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgresSQL having superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.
CVSS 8.8
CVE-2023-30626 WRITEUP HIGH
Jellyfin 10.8.0-10.8.9 - Path Traversal and Arbitrary File Write via ClientLogController
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.
CVSS 8.8