Writeup Exploits

63,933 exploits tracked across all sources.

Sort: Activity Stars
CVE-2023-36811 WRITEUP MEDIUM
borgbackup < 1.2.5 - Cryptographic Signature Spoofing via Archive Forgery
borgbackup is an opensource, deduplicating archiver with compression and authenticated encryption. A flaw in the cryptographic authentication scheme in borgbackup allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository. The attack requires an attacker to be able to: 1. insert files (with no additional headers) into backups and 2. gain write access to the repository. This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives. Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives. The issue has been fixed in borgbackup 1.2.5. Users are advised to upgrade. Additionally to installing the fixed code, users must follow the upgrade procedure as documented in the change log. Data loss after being attacked can be avoided by reviewing the archives (timestamp and contents valid and as expected) after any "borg check --repair" and before "borg prune". There are no known workarounds for this vulnerability.
CVSS 4.7
CVE-2023-36812 WRITEUP CRITICAL
OpenTSDB <2.4.2 - Remote Code Execution via Gnuplot Configuration Injection
OpenTSDB is a open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration. This issue has been patched in commit `07c4641471c` and further refined in commit `fa88d3e4b`. These patches are available in the `2.4.2` release. Users are advised to upgrade. User unable to upgrade may disable Gunuplot via the config option`tsd.core.enable_ui = true` and remove the shell files `mygnuplot.bat` and `mygnuplot.sh`.
CVSS 9.8
CVE-2023-36828 WRITEUP MEDIUM
Statamic < 4.10.0 - Stored Cross-Site Scripting via Malicious SVG Upload
Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue.
CVSS 5.5
CVE-2023-37068 WRITEUP CRITICAL
Gym Management System V1.0 - SQL Injection via Login Form
Code-Projects Gym Management System V1.0 allows remote attackers to execute arbitrary SQL commands via the login form, leading to unauthorized access and potential data manipulation. This vulnerability arises due to insufficient validation of user-supplied input in the username and password fields, enabling SQL Injection attacks.
CVSS 9.8
CVE-2023-37068 WRITEUP CRITICAL
Gym Management System V1.0 - SQL Injection via Login Form
Code-Projects Gym Management System V1.0 allows remote attackers to execute arbitrary SQL commands via the login form, leading to unauthorized access and potential data manipulation. This vulnerability arises due to insufficient validation of user-supplied input in the username and password fields, enabling SQL Injection attacks.
CVSS 9.8
CVE-2023-37152 WRITEUP CRITICAL
Online Art Gallery Project 1.0 - Unauthenticated Arbitrary File Upload via adminHome.php
Projectworlds Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Note: This has been disputed as not a valid vulnerability.
CVSS 9.8
CVE-2023-37189 WRITEUP MEDIUM
Issabel PBX 4 - Stored Cross-Site Scripting via Billing Rates Name or Prefix Fields
A stored cross site scripting (XSS) vulnerability in index.php?menu=billing_rates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Name or Prefix fields under the Create New Rate module.
CVSS 4.8
CVE-2023-37190 WRITEUP MEDIUM
Issabel PBX 4.0.0-6 - Stored Cross-Site Scripting via Virtual Fax Name and Caller ID Name Parameters
A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Virtual Fax Name and Caller ID Name parameters under the New Virtual Fax feature.
CVSS 4.8
CVE-2023-37191 WRITEUP MEDIUM
Issabel PBX 4.0.0-6 - Stored Cross-Site Scripting via Group and Description Parameters
A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Group and Description parameters.
CVSS 4.8
CVE-2023-37267 WRITEUP HIGH
Umbraco CMS 10.0.0-10.6.0 - Unauthenticated Privilege Escalation to Admin
Umbraco is a ASP.NET CMS. Under rare conditions a restart of Umbraco can allow unauthorized users access to admin-level permissions. This vulnerability was patched in versions 10.6.1, 11.4.2 and 12.0.1.
CVSS 7.5
CVE-2023-37269 WRITEUP LOW
Winter CMS < 1.2.3 - Authenticated Stored Cross-Site Scripting via SVG Logo Upload
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually.
CVSS 2.0
CVE-2023-37269 WRITEUP LOW
Winter CMS < 1.2.3 - Authenticated Stored Cross-Site Scripting via SVG Logo Upload
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually.
CVSS 2.0
CVE-2023-37378 WRITEUP MEDIUM
Nullsoft Scriptable Install System <3.09 - Privilege Escalation
Nullsoft Scriptable Install System (NSIS) before 3.09 mishandles access control for an uninstaller directory.
CVSS 5.3
CVE-2023-37460 WRITEUP HIGH
plexus-archiver < 4.8.0 - Arbitrary File Creation and Remote Code Execution via Symbolic Link Handling
Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
CVSS 8.1
CVE-2023-37467 WRITEUP MEDIUM
Discourse beta and tests-passed < 3.1.0.beta7 - Unauthenticated Cross-Site Scripting via CSP Nonce Reuse
Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous (i.e. unauthenticated) users. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to bypass CSP and execute successfully. This vulnerability isn't applicable to logged-in users. Version 3.1.0.beta7 contains a patch. The stable branch doesn't have this vulnerability. A workaround to prevent the vulnerability is to disable Google Tag Manager, i.e., unset the `gtm container id` setting.
CVSS 6.8
CVE-2023-37474 WRITEUP HIGH
copyparty < 1.8.2 - Path Traversal via .cpr Subfolder
Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. This issue has been addressed in commit `043e3c7d` which has been included in release 1.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 7.5
CVE-2023-37596 WRITEUP HIGH
Issabel PBX 4.0.0-6 - Cross-Site Request Forgery via Delete User Function
Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via a crafted script to the deleteuser function.
CVSS 8.1
CVE-2023-37597 WRITEUP HIGH
Issabel PBX 4.0.0-6 - Cross-Site Request Forgery via User Grouplist Deletion
Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via the delete user grouplist function.
CVSS 8.1
CVE-2023-37613 WRITEUP MEDIUM
Trialworks 11.4 - Cross-Site Scripting via Asset Src Parameter
A cross-site scripting (XSS) vulnerability in Assembly Software Trialworks v11.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the asset src parameter.
CVSS 6.1
CVE-2023-37623 WRITEUP MEDIUM
netdisco < 2.063000 - Cross-Site Scripting via TypeAhead.pm
Netdisco before v2.063000 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /Web/TypeAhead.pm.
CVSS 4.8
CVE-2023-37624 WRITEUP MEDIUM
netdisco < 2.063000 - Open Redirect via Crafted Links
Netdisco before v2.063000 was discovered to contain an open redirect vulnerability. An attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.
CVSS 6.1
CVE-2023-37623 WRITEUP MEDIUM
netdisco < 2.063000 - Cross-Site Scripting via TypeAhead.pm
Netdisco before v2.063000 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /Web/TypeAhead.pm.
CVSS 4.8
CVE-2023-37625 WRITEUP MEDIUM
Netbox v3.4.7 - Stored Cross-Site Scripting in Custom Link Templates
A stored cross-site scripting (XSS) vulnerability in Netbox v3.4.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Link templates.
CVSS 5.4
CVE-2023-37625 WRITEUP MEDIUM
Netbox v3.4.7 - Stored Cross-Site Scripting in Custom Link Templates
A stored cross-site scripting (XSS) vulnerability in Netbox v3.4.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Link templates.
CVSS 5.4
CVE-2023-37629 WRITEUP CRITICAL
Online Piggery Management System 1.0 - Unauthenticated Arbitrary File Upload via add-pig.php
Online Piggery Management System 1.0 is vulnerable to File Upload. An unauthenticated user can upload a php file by sending a POST request to "add-pig.php."
CVSS 9.8