Writeup Exploits

64,159 exploits tracked across all sources.

Sort: Activity Stars
CVE-2024-2074 WRITEUP MEDIUM
Mini-Tmall <20231017 - SQL Injection
A vulnerability was found in Mini-Tmall up to 20231017 and classified as critical. This issue affects some unknown processing of the file ?r=tmall/admin/user/1/1. The manipulation of the argument orderBy leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255389 was assigned to this vulnerability.
CVSS 6.3
CVE-2024-21489 WRITEUP HIGH
uplot < 1.6.31 - Prototype Pollution via uplot.assign Function
Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.
CVSS 8.2
CVE-2024-21501 WRITEUP MEDIUM
sanitize-html < 2.12.1 - Information Exposure via Style Attribute
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
CVSS 5.3
CVE-2024-21502 WRITEUP HIGH
fastecdsa < 2.3.2 - Use of Uninitialized Variable in curvemath_mul
Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.
CVSS 7.5
CVE-2024-21502 WRITEUP HIGH
fastecdsa < 2.3.2 - Use of Uninitialized Variable in curvemath_mul
Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.
CVSS 7.5
CVE-2024-21508 WRITEUP CRITICAL
mysql2 < 3.9.4 - Remote Code Execution via readCodeFor Function
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
CVSS 9.8
CVE-2024-21509 WRITEUP MEDIUM
sidorares/mysql2 < 3.9.4 - Prototype Pollution via Insecure Results Object Creation
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
CVSS 6.5
CVE-2024-21510 WRITEUP MEDIUM
sinatra < 4.1.0 - Open Redirect via X-Forwarded-Host Header
Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.
CVSS 5.4
CVE-2024-21512 WRITEUP HIGH
mysql2 < 3.9.8 - Prototype Pollution via nestTables Input
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
CVSS 8.2
CVE-2024-21513 WRITEUP HIGH
langchain-experimental 0.0.15-<0.0.21 - Remote Code Execution via VectorSQLDatabaseChain Eval
Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary python code if they can control the input prompt and the server is configured with VectorSQLDatabaseChain. **Notes:** Impact on the Confidentiality, Integrity and Availability of the vulnerable component: Confidentiality: Code execution happens within the impacted component, in this case langchain-experimental, so all resources are necessarily accessible. Integrity: There is nothing protected by the impacted component inherently. Although anything returned from the component counts as 'information' for which the trustworthiness can be compromised. Availability: The loss of availability isn't caused by the attack itself, but it happens as a result during the attacker's post-exploitation steps. Impact on the Confidentiality, Integrity and Availability of the subsequent system: As a legitimate low-privileged user of the package (PR:L) the attacker does not have more access to data owned by the package as a result of this vulnerability than they did with normal usage (e.g. can query the DB). The unintended action that one can perform by breaking out of the app environment and exfiltrating files, making remote connections etc. happens during the post exploitation phase in the subsequent system - in this case, the OS. AT:P: An attacker needs to be able to influence the input prompt, whilst the server is configured with the VectorSQLDatabaseChain plugin.
CVSS 8.5
CVE-2024-21514 WRITEUP HIGH
OpenCart - Unauthenticated SQL Injection via Divido Payment Extension
This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.
CVSS 7.4
CVE-2024-21520 WRITEUP MEDIUM
djangorestframework < 3.15.2 - Cross-Site Scripting via break_long_headers Template Filter
Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with <br> tags.
CVSS 6.1
CVE-2024-21521 WRITEUP HIGH
@discordjs/opus - Denial of Service via toString Property Manipulation
All versions of the package @discordjs/opus are vulnerable to Denial of Service (DoS) due to providing an input object with a property toString to several different functions. Exploiting this vulnerability could lead to a system crash.
CVSS 7.5
CVE-2024-21522 WRITEUP HIGH
audify - Denial of Service via Negative frameSize in OpusDecoder
All versions of the package audify are vulnerable to Improper Validation of Array Index when frameSize is provided to the new OpusDecoder().decode or new OpusDecoder().decodeFloat functions it is not checked for negative values. This can lead to a process crash.
CVSS 7.5
CVE-2024-21522 WRITEUP HIGH
audify - Denial of Service via Negative frameSize in OpusDecoder
All versions of the package audify are vulnerable to Improper Validation of Array Index when frameSize is provided to the new OpusDecoder().decode or new OpusDecoder().decodeFloat functions it is not checked for negative values. This can lead to a process crash.
CVSS 7.5
CVE-2024-21523 WRITEUP HIGH
npm/images - Denial of Service via Unexpected Input Types
All versions of the package images are vulnerable to Denial of Service (DoS) due to providing unexpected input types to several different functions. This makes it possible to reach an assert macro, leading to a process crash. **Note:** By providing some specific integer values (like 0) to the size function, it is possible to obtain a Segmentation fault error, leading to the process crash.
CVSS 7.5
CVE-2024-21524 WRITEUP HIGH
node-stringbuilder < 2.2.7 - Out-of-bounds Read via ToBuffer, ToString, or CharAt
All versions of the package node-stringbuilder are vulnerable to Out-of-bounds Read due to incorrect memory length calculation, by calling ToBuffer, ToString, or CharAt on a StringBuilder object with a non-empty string value input. It's possible to return previously allocated memory, for example, by providing negative indexes, leading to an Information Disclosure.
CVSS 8.2
CVE-2024-21527 WRITEUP HIGH
github.com/gotenberg/gotenberg/v8/pkg/* - SSRF
Versions of the package github.com/gotenberg/gotenberg/v8/pkg/gotenberg before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/chromium before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/webhook before 8.1.0 are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as <iframe src="\\localhost/etc/passwd">. By exploiting this vulnerability, an attacker can achieve local file inclusion, allowing of sensitive files read on the host system. Workaround An alternative is using either or both --chromium-deny-list and --chromium-allow-list flags.
CVSS 8.2
CVE-2024-21532 WRITEUP HIGH
ggit - OS Command Injection via fetchTags API
All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.
CVSS 7.3
CVE-2024-21532 WRITEUP HIGH
ggit - OS Command Injection via fetchTags API
All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.
CVSS 7.3
CVE-2024-21533 WRITEUP MEDIUM
ggit - Arbitrary Argument Injection via clone() API
All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone() API, which allows specifying the remote URL to clone and the file on disk to clone to. The library does not sanitize for user input or validate a given URL scheme, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.
CVSS 6.5
CVE-2024-21533 WRITEUP MEDIUM
ggit - Arbitrary Argument Injection via clone() API
All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone() API, which allows specifying the remote URL to clone and the file on disk to clone to. The library does not sanitize for user input or validate a given URL scheme, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.
CVSS 6.5
CVE-2024-21536 WRITEUP HIGH
http-proxy-middleware < 2.0.7 and 3.0.0-3.0.3 - Denial of Service via UnhandledPromiseRejection
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
CVSS 7.5
CVE-2024-21536 WRITEUP HIGH
http-proxy-middleware < 2.0.7 and 3.0.0-3.0.3 - Denial of Service via UnhandledPromiseRejection
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
CVSS 7.5
CVE-2024-21538 WRITEUP HIGH
cross-spawn < 6.0.6 and 7.0.0-7.0.5 - Regular Expression Denial of Service
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
CVSS 7.5