Writeup Exploits
63,933 exploits tracked across all sources.
XWiki 11.8-rc-1-14.4.7 - Authenticated Privilege Escalation via Mail.MailConfig Page
XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, `Mail.MailConfig` can be edited by any logged-in user by default. Consequently, they can change the mail obfuscation configuration and view and edit the mail sending configuration, including the smtp domain name and credentials. The problem has been patched in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, the rights of the `Mail.MailConfig` page can be manually updated so that only a set of trusted users can view, edit and delete it (e.g., the `XWiki.XWikiAdminGroup` group).
CVSS 9.9
Service Provider Management System 1.0 - SQL Injection via ID Parameter
Sourcecodester Service Provider Management System v1.0 is vulnerable to SQL Injection via the ID parameter in /php-spms/?page=services/view&id=2
CVSS 9.8
Adiscon LogAnalyzer < 4.1.13 - SQL Injection
Adiscon LogAnalyzer v4.1.13 and before is vulnerable to SQL Injection.
CVSS 9.8
Greenshot < 1.2.10.6 - Remote Code Execution via Insecure .NET Deserialization
Greenshot 1.2.10 and below allows arbitrary code execution because .NET content is insecurely deserialized when a .greenshot file is opened.
CVSS 7.8
KioWare for Windows <= 8.33 - Unauthenticated OS Command Injection via showDirectoryPicker Function
KioWare for Windows through v8.33 was discovered to contain an incomplete blacklist filter for blocked dialog boxes on Windows 10. This issue can allow attackers to open a file dialog box via the function showDirectoryPicker() which can then be used to open an unprivileged command prompt.
CVSS 7.8
taocms <= 3.0.2 - Cross-Site Scripting
taocms <=3.0.2 is vulnerable to Cross Site Scripting (XSS).
CVSS 6.1
IthacaLabs Turnitin LTI 1.3 - HTML Injection via Submission Web Form Parameters
The "Submission Web Form" of Turnitin LTI tool/plugin version 1.3 is affected by HTML Injection attacks. The security issue affects the submission web form ("id" and "title" HTTP POST parameters) where the students submit their reports for similarity/plagiarism checks.
CVSS 5.4
eScan Management Console 14.0.1400.2281 - Cross-Site Scripting via delete_file Parameter
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary JavaScript code via a vulnerable delete_file parameter.
CVSS 5.4
eScan Management Console 14.0.1400.2281 - Cross-Site Scripting via Dtltyp and ListName Parameters
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a crafted script to the Dtltyp and ListName parameters.
CVSS 5.4
eScan Management Console 14.0.1400.2281 - Cross-Site Scripting via GrpPath Parameter
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a vulnerable parameter GrpPath.
CVSS 5.4
eScan Management Console 14.0.1400.2281 - Stored Cross-Site Scripting via Description Parameter
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a crafted script to the Description parameter.
CVSS 5.4
Issabel PBX 4.0.0-6 - Cross-Site Request Forgery via New User Creation
A Cross Site Request Forgery (CSRF) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows a remote attacker to gain privileges via a Custom CSRF exploit to create new user function in the application.
CVSS 6.8
PublicCMS <= 4.0.202302 - Insecure Permissions
PublicCMS <=V4.0.202302 is vulnerable to Insecure Permissions.
CVSS 9.8
Casdoor < 1.331.0 - Cross-Site Request Forgery via Password Reset Endpoint
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
CVSS 6.5
ONLYOFFICE Community Server < 12.5.2 - Remote Code Execution via UploadProgress.ashx
Onlyoffice Community Server before v12.5.2 was discovered to contain a remote code execution (RCE) vulnerability via the component UploadProgress.ashx.
CVSS 9.8
Ruijie RG-BCR860 2.5.13 - OS Command Injection via Network Diagnostic Page
A vulnerability was found in Ruijie RG-BCR860 2.5.13 and classified as critical. This issue affects some unknown processing of the component Network Diagnostic Page. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-232547. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 4.7
XWiki Platform 12.9-14.4.8 - Authenticated Eval Injection via First Name Field
XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually.
CVSS 9.9
XWiki 6.0.1-14.10.5 - Stored Cross-Site Scripting via Delete Template URL Parameter
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as: > xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.0-rc-1. The vulnerability has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch has been provided in 14.10.5 but wasn't enough to entirely fix the vulnerability.
CVSS 9.6
Livebook 0.8.0-0.8.1 - Remote Code Execution via livebook:// URL Handler
Livebook is a web application for writing interactive and collaborative code notebooks. On Windows, it is possible to open a `livebook://` link from a browser which opens Livebook Desktop and triggers arbitrary code execution on victim's machine. Any user using Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from browser. This vulnerability has been fixed in version 0.8.2 and 0.9.3.
CVSS 8.6
elFinder < 2.1.62 - Path Traversal via LocalVolumeDriver Connector
_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.
CVSS 6.5
elFinder < 2.1.62 - Path Traversal via LocalVolumeDriver Connector
_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.
CVSS 6.5
lightdash < 0.510.3 - Path Traversal and Arbitrary File Write via Insecure File Endpoints
packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
CVSS 7.5
Suricata < 6.0.13 - Path Traversal and Arbitrary File Write via Dataset Filename
In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
CVSS 7.5
ManageEngine ADSelfService Plus <= 6113 - Authentication Bypass via Session Token Theft
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."
CVSS 9.8
yt-dlp <2023.07.06 - Cookie Leakage via Download Redirects and Fragments
yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later).
At the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp's info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.
yt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; having native downloaders calculate the `Cookie` header from the cookiejar, utilizing external downloaders' built-in support for cookies instead of passing them as header arguments, disabling HTTP redirectiong if the external downloader does not have proper cookie support, processing cookies passed as HTTP headers to limit their scope, and having a separate field for cookies in the info dict storing more information about scoping
Some workarounds are available for those who are unable to upgrade. Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using `--load-info-json`. Or, if authentication is a must: verify the integrity of download links from unknown sources in browser (including redirects) before passing them to yt-dlp; use `curl` as external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM.
CVSS 6.1
By Source