Writeup Exploits

64,413 exploits tracked across all sources.

Sort: Activity Stars
CVE-2024-36110 WRITEUP HIGH
ansibleguy-webui <0.0.21 - Code Injection
ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions < 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. These issues have been addressed in version 0.0.21 (0.0.21.post2 on pypi). Users are advised to upgrade. There are no known workarounds for these issues.
CVSS 8.2
CVE-2024-36113 WRITEUP MEDIUM
Discourse <3.2.3-3.3.0.beta4-dev - Privilege Escalation
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available.
CVSS 4.9
CVE-2024-36114 WRITEUP HIGH
Aircompressor < 0.27 - Out-of-bounds Read in Decompressor Implementations
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue.
CVSS 8.6
CVE-2024-36115 WRITEUP HIGH
Reposilite 3.3.0-3.5.12 - Stored Cross-Site Scripting via Artifact Content
Reposilite is an open source, lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. As a Maven repository manager, Reposilite provides the ability to view the artifacts content in the browser, as well as perform administrative tasks via API. The problem lies in the fact that the artifact's content is served via the same origin (protocol/host/port) as the Admin UI. If the artifact contains HTML content with javascript inside, the javascript is executed within the same origin. Therefore, if an authenticated user is viewing the artifacts content, the javascript inside can access the browser's local storage where the user's password (aka 'token-secret') is stored. It is especially dangerous in scenarios where Reposilite is configured to mirror third party repositories, like the Maven Central Repository. Since anyone can publish an artifact to Maven Central under its own name, such malicious packages can be used to attack the Reposilite instance. This issue may lead to the full Reposilite instance compromise. If this attack is performed against the admin user, it's possible to use the admin API to modify settings and artifacts on the instance. In the worst case scenario, an attacker would be able to obtain the Remote code execution on all systems that use artifacts from Reposilite. It's important to note that the attacker does not need to lure a victim user to use a malicious artifact, but just open a link in the browser. This link can be silently loaded among the other HTML content, making this attack unnoticeable. Even if the Reposilite instance is located in an isolated environment, such as behind a VPN or in the local network, this attack is still possible as it can be performed from the admin browser. Reposilite has addressed this issue in version 3.5.12. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue was discovered and reported by the GitHub Security lab and is also tracked as GHSL-2024-072.
CVSS 7.1
CVE-2024-36122 WRITEUP LOW
Discourse < 3.2.3 and < 3.3.0.beta4 - Unauthorized Email Exposure in Review Queue
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, moderators using the review queue to review users may see a users email address even when the Allow moderators to view email addresses setting is disabled. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. As possible workarounds, either prevent moderators from accessing the review queue or disable the approve suspect users site setting and the must approve users site setting to prevent users from being added to the review queue.
CVSS 2.4
CVE-2024-36123 WRITEUP MEDIUM
citizen < 2.16.0 - Authenticated Stored Cross-Site Scripting via MediaWiki:Tagline Page
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The page `MediaWiki:Tagline` has its contents used unescaped, so custom HTML (including Javascript) can be injected by someone with the ability to edit the MediaWiki namespace (typically those with the `editinterface` permission, or sysops). This vulnerability is fixed in 2.16.0.
CVSS 6.5
CVE-2024-36401 WRITEUP CRITICAL
Geoserver unauthenticated Remote Code Execution
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
CVSS 9.8
CVE-2024-36404 WRITEUP CRITICAL
GeoTools < 29.6, 30.0-30.4, 31.0-31.2 - Remote Code Execution via XPath Expression Evaluation
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
CVSS 9.8
CVE-2024-36437 WRITEUP MEDIUM
TextNow <24.17.0.2 - Code Injection
The com.enflick.android.TextNow (aka TextNow: Call + Text Unlimited) application 24.17.0.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component.
CVSS 6.5
CVE-2024-36527 WRITEUP MEDIUM
Puppeteer-Renderer <3.2.0 - Path Traversal
puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Traversal. Attackers can exploit the URL parameter using the file protocol to read sensitive information from the server.
CVSS 6.5
CVE-2024-36539 WRITEUP CRITICAL
Contour <1.28.3 - Privilege Escalation
Insecure permissions in contour v1.28.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
CVSS 9.8
CVE-2024-36587 WRITEUP HIGH
DNSCrypt-proxy <2.1.5 - Privilege Escalation
Insecure permissions in DNSCrypt-proxy v2.0.0alpha9 to v2.1.5 allows non-privileged attackers to escalate privileges to root via overwriting the binary dnscrypt-proxy.
CVSS 7.8
CVE-2024-36597 WRITEUP HIGH
Aegon Life v1.0 - SQL Injection via client_id Parameter
Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.
CVSS 8.8
CVE-2024-36599 WRITEUP MEDIUM
Aegon Life Insurance Management System 1.0 - Cross-Site Scripting via insertClient.php Name Parameter
A cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at insertClient.php.
CVSS 6.1
CVE-2024-36612 WRITEUP HIGH
zulip_server 8.0-8.3 - Memory Leak in Popover Handling
Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers.
CVSS 7.5
CVE-2024-36612 WRITEUP HIGH
zulip_server 8.0-8.3 - Memory Leak in Popover Handling
Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers.
CVSS 7.5
CVE-2024-36613 WRITEUP MEDIUM
FFmpeg n6.1.1 - Integer Overflow in DXA Demuxer
FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potentially resulting in a denial-of-service (DoS) condition or other undefined behavior.
CVSS 6.2
CVE-2024-36615 WRITEUP MEDIUM
FFmpeg n7.0 - Race Condition in VP9 Decoder
FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.
CVSS 5.9
CVE-2024-36616 WRITEUP MEDIUM
FFmpeg n6.1.1 - Denial of Service via Crafted VQA File Integer Overflow
An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1 allows attackers to cause a denial of service in the application via a crafted VQA file.
CVSS 6.5
CVE-2024-36617 WRITEUP MEDIUM
FFmpeg < 3.4.14 - Integer Overflow in CAF Decoder
FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder.
CVSS 6.2
CVE-2024-36618 WRITEUP MEDIUM
FFmpeg n6.1.1 - Denial of Service via Integer Overflow in AVI Demuxer
FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.
CVSS 6.2
CVE-2024-36619 WRITEUP MEDIUM
FFmpeg n6.1.1 - Denial of Service via WAVARC Decoder Integer Overflow
FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the libavcodec library which allows for an integer overflow when handling certain block types, leading to a denial-of-service (DoS) condition.
CVSS 5.3
CVE-2024-36620 WRITEUP MEDIUM
moby <26.0.2 - Null Pointer Dereference
moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.
CVSS 6.5
CVE-2024-36621 WRITEUP MEDIUM
Moby < 26.0.0 - Race Condition in Layer Snapshot Adapter
moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.
CVSS 6.5
CVE-2024-36622 WRITEUP CRITICAL
RaspAP raspap-webgui <3.0.9 - Command Injection
In RaspAP raspap-webgui 3.0.9 and earlier, a command injection vulnerability exists in the clearlog.php script. The vulnerability is due to improper sanitization of user input passed via the logfile parameter.
CVSS 9.8