Writeup Exploits

64,025 exploits tracked across all sources.

Sort: Activity Stars
CVE-2023-49371 WRITEUP CRITICAL
ruoyi < 4.6.0 - SQL Injection via /system/dept/edit
RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via /system/dept/edit.
CVSS 9.8
CVE-2023-49440 WRITEUP HIGH
AhnLab EPP 1.0.15 - SQL Injection via Preview Parameter
AhnLab EPP 1.0.15 is vulnerable to SQL Injection via the "preview parameter."
CVSS 8.8
CVE-2023-49515 WRITEUP MEDIUM
TP Link TC70 and C200 WIFI Camera <1.3.4 - Info Disclosure
Insecure Permissiosn vulnerability in TP Link TC70 and C200 WIFI Camera v.3 firmware v.1.3.4 and fixed in v.1.3.11 allows a physically proximate attacker to obtain sensitive information via a connection to the UART pin components.
CVSS 4.6
CVE-2023-49950 WRITEUP MEDIUM
Logpoint SIEM 6.10.0-7.x < 7.3.0 - Stored Cross-Site Scripting via Jinja Template in Alert View
The Jinja templating in Logpoint SIEM 6.10.0 through 7.x before 7.3.0 does not correctly sanitize log data being displayed when using a custom Jinja template in the Alert view. A remote attacker can craft a cross-site scripting (XSS) payload and send it to any system or device that sends logs to the SIEM. If an alert is created, the payload will execute upon the alert data being viewed with that template, which can lead to sensitive data disclosure.
CVSS 5.4
CVE-2023-50094 WRITEUP HIGH
reNgine < 2.0.2 - Authenticated OS Command Injection via WAF Detector URL Parameter
reNgine before 2.1.2 allows OS Command Injection if an adversary has a valid session ID. The attack places shell metacharacters in an api/tools/waf_detector/?url= string. The commands are executed as root via subprocess.check_output.
CVSS 8.8
CVE-2023-50245 WRITEUP CRITICAL
openexr_viewer < 0.6.1 - Buffer Overflow
OpenEXR-viewer is a viewer for OpenEXR files with detailed metadata probing. Versions prior to 0.6.1 have a memory overflow vulnerability. This issue is fixed in version 0.6.1.
CVSS 9.8
CVE-2023-50254 WRITEUP CRITICAL
deepin_reader < 6.0.7 - Remote Code Execution via Crafted DOCX File
Deepin Linux's default document reader `deepin-reader` software suffers from a serious vulnerability in versions prior to 6.0.7 due to a design flaw that leads to remote command execution via crafted docx document. This is a file overwrite vulnerability. Remote code execution (RCE) can be achieved by overwriting files like .bash_rc, .bash_login, etc. RCE will be triggered when the user opens the terminal. Version 6.0.7 contains a patch for the issue.
CVSS 9.3
CVE-2023-50257 WRITEUP CRITICAL
eProsima Fast DDS < 2.6.7 - Unauthenticated Denial of Service via RTPS Disconnect Packet Spoofing
eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Even with the application of SROS2, due to the issue where the data (`p[UD]`) and `guid` values used to disconnect between nodes are not encrypted, a vulnerability has been discovered where a malicious attacker can forcibly disconnect a Subscriber and can deny a Subscriber attempting to connect. Afterwards, if the attacker sends the packet for disconnecting, which is data (`p[UD]`), to the Global Data Space (`239.255.0.1:7400`) using the said Publisher ID, all the Subscribers (Listeners) connected to the Publisher (Talker) will not receive any data and their connection will be disconnected. Moreover, if this disconnection packet is sent continuously, the Subscribers (Listeners) trying to connect will not be able to do so. Since the initial commit of the `SecurityManager.cpp` code (`init`, `on_process_handshake`) on Nov 8, 2016, the Disconnect Vulnerability in RTPS Packets Used by SROS2 has been present prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7.
CVSS 9.6
CVE-2023-50259 WRITEUP MEDIUM
Medusa < 1.0.19 - Unauthenticated Server-Side Request Forgery via Slack Webhook URL
Medusa is an automatic video library manager for TV shows. Versions prior to 1.0.19 are vulnerable to unauthenticated blind server-side request forgery (SSRF). The `testslack` request handler in `medusa/server/web/home/handler.py` does not validate the user-controlled `slack_webhook` variable and passes it to the `notifiers.slack_notifier.test_notify` method, then `_notify_slack` and finally `_send_slack` method, which sends a POST request to the user-controlled URL on line 103 in `/medusa/notifiers/slack.py`, which leads to a blind server-side request forgery (SSRF). This issue allows for crafting POST requests on behalf of the Medusa server. Version 1.0.19 contains a fix for the issue.
CVSS 5.3
CVE-2023-50263 WRITEUP LOW
Nautobot 1.x-2.0.x < 1.6.7/2.0.6 - Unauthenticated Arbitrary File Download via FileProxy Endpoints
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs `/files/get/?name=...` and `/files/download/?name=...` are used to provide admin access to files that have been uploaded as part of a run request for a Job that has FileVar inputs. Under normal operation these files are ephemeral and are deleted once the Job in question runs. In the default implementation used in Nautobot, as provided by `django-db-file-storage`, these URLs do not by default require any user authentication to access; they should instead be restricted to only users who have permissions to view Nautobot's `FileProxy` model instances. Note that no URL mechanism is provided for listing or traversal of the available file `name` values, so in practice an unauthenticated user would have to guess names to discover arbitrary files for download, but if a user knows the file name/path value, they can access it without authenticating, so we are considering this a vulnerability. Fixes are included in Nautobot 1.6.7 and Nautobot 2.0.6. No known workarounds are available other than applying the patches included in those versions.
CVSS 3.7
CVE-2023-50465 WRITEUP MEDIUM
Monica 4.0.0 - Authenticated Stored Cross-Site Scripting via SVG Upload
A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.
CVSS 5.4
CVE-2023-50564 WRITEUP HIGH
Pluck-CMS 4.7.18 - Arbitrary File Upload via ZIP File in Modules Install
An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file.
CVSS 8.8
CVE-2023-50643 WRITEUP CRITICAL
Evernote for macOS 10.68.2 - Remote Code Execution via RunAsNode and enableNodeClilnspectArguments
An issue in Evernote Evernote for MacOS v.10.68.2 allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments components.
CVSS 9.8
CVE-2023-50685 WRITEUP HIGH
Hipcam Cameras RealServer <1.0 - DoS
An issue in Hipcam Cameras RealServer v.1.0 allows a remote attacker to cause a denial of service via a crafted script to the client_port parameter.
CVSS 7.5
CVE-2023-50723 WRITEUP CRITICAL
XWiki Platform 2.3-14.10.5 - Authenticated Remote Code Execution via Administration Interface
XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying sections in the administration interface. This impacts the confidentiality, integrity and availability of the whole XWiki installation. Normally, all users are allowed to edit their own user profile so this should be exploitable by all users of the XWiki instance. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1. The patches can be manually applied to the `XWiki.ConfigurableClassMacros` and `XWiki.ConfigurableClass` pages.
CVSS 9.9
CVE-2023-50914 WRITEUP MEDIUM
GOG Galaxy (Beta) 2.0.67.2-2.0.71.2 - Privilege Escalation
A Privilege Escalation issue in the inter-process communication procedure from GOG Galaxy (Beta) 2.0.67.2 through v2.0.71.2 allows authentictaed users to change the DACL of arbitrary system directories to include Everyone full control permissions by modifying the FixDirectoryPrivileges instruction parameters sent from GalaxyClient.exe to GalaxyClientService.exe.
CVSS 6.7
CVE-2023-50915 WRITEUP MEDIUM
GOG Galaxy (Beta) <2.0.71.2 - Privilege Escalation
An issue exists in GalaxyClientService.exe in GOG Galaxy (Beta) 2.0.67.2 through 2.0.71.2 that could allow authenticated users to overwrite and corrupt critical system files via a combination of an NTFS Junction and an RPC Object Manager symbolic link and could result in a denial of service.
CVSS 6.5
CVE-2023-50917 WRITEUP CRITICAL
MajorDoMo < 2023-11-15 - Remote Code Execution via thumb.php Shell Metacharacters
MajorDoMo (aka Major Domestic Module) before 0662e5e allows command execution via thumb.php shell metacharacters. NOTE: this is unrelated to the Majordomo mailing-list manager.
CVSS 9.8
CVE-2023-50919 WRITEUP CRITICAL
GL.iNet Unauthenticated Remote Command Execution via the logread module.
An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
CVSS 9.8
CVE-2023-5016 WRITEUP MEDIUM
spider-flow < 0.5.0 - Remote Code Execution via Fastjson JDBC Deserialization
A vulnerability was found in spider-flow up to 0.5.0. It has been declared as critical. Affected by this vulnerability is the function DriverManager.getConnection of the file src/main/java/org/spiderflow/controller/DataSourceController.java of the component API. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239857 was assigned to this vulnerability.
CVSS 6.3
CVE-2023-51073 WRITEUP HIGH
Buffalo LS210D v.1.78-0.03 - Remote Code Execution via Firmware Update Script
An issue in Buffalo LS210D v.1.78-0.03 allows a remote attacker to execute arbitrary code via the Firmware Update Script at /etc/init.d/update_notifications.sh.
CVSS 8.1
CVE-2023-51123 WRITEUP CRITICAL
D-Link DIR-815 soapcgi_main - service Parameter Command Injection
An issue discovered in D-Link dir815 v.1.01SSb08.bin allows a remote attacker to execute arbitrary code via a crafted POST request to the service parameter in the soapcgi_main function of the cgibin binary component.
CVSS 9.8
CVE-2023-51385 WRITEUP MEDIUM
OpenSSH < 9.6 - OS Command Injection via Shell Metacharacters in Username or Hostname
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
CVSS 6.5
CVE-2023-51444 WRITEUP HIGH
GeoServer < 2.23.4, 2.24.1 - Authenticated Arbitrary File Upload and Remote Code Execution via REST Coverage Store API
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with permissions to modify coverage stores through the REST Coverage Store API to upload arbitrary file contents to arbitrary file locations which can lead to remote code execution. Coverage stores that are configured using relative paths use a GeoServer Resource implementation that has validation to prevent path traversal but coverage stores that are configured using absolute paths use a different Resource implementation that does not prevent path traversal. This vulnerability can lead to executing arbitrary code. An administrator with limited privileges could also potentially exploit this to overwrite GeoServer security files and obtain full administrator privileges. Versions 2.23.4 and 2.24.1 contain a fix for this issue.
CVSS 7.2
CVE-2023-51448 WRITEUP HIGH
Cacti 1.2.25 - Authenticated Blind SQL Injection via SNMP Notification Receivers
Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `‘managers.php’`. An authenticated attacker with the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint `‘/cacti/managers.php’` with an SQLi payload in the `‘selected_graphs_array’` HTTP GET parameter. As of time of publication, no patched versions exist.
CVSS 8.8