Writeup Exploits

64,419 exploits tracked across all sources.

Sort: Activity Stars
CVE-2024-21644 WRITEUP HIGH
pyload < 0.5.0b3.dev77 - Unauthenticated Information Exposure via Flask Config Endpoint
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.
CVSS 7.5
CVE-2023-47890 WRITEUP HIGH
pyload 0.5.0 - Unauthenticated Path Traversal via Unrestricted File Upload
pyLoad 0.5.0 is vulnerable to Unrestricted File Upload.
CVSS 8.8
CVE-2023-0297 WRITEUP CRITICAL
pyLoad js2py Python Execution
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
CVSS 9.8
CVE-2024-39205 WRITEUP CRITICAL
pyload-ng v0.5.0b3.dev85 - Remote Code Execution via Crafted HTTP Request
An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.
CVSS 9.8
CVE-2024-39207 WRITEUP HIGH
lua-shmem v1.0-1 - Buffer Overflow via shmem_write Function
lua-shmem v1.0-1 was discovered to contain a buffer overflow via the shmem_write function.
CVSS 8.2
CVE-2024-39208 WRITEUP CRITICAL
luci-app-lucky v2.8.3 - Info Disclosure
luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials.
CVSS 9.8
CVE-2024-39209 WRITEUP MEDIUM
luci-app-sms-tool <1.9.6 - Command Injection
luci-app-sms-tool v1.9-6 was discovered to contain a command injection vulnerability via the score parameter.
CVSS 6.3
CVE-2024-39211 WRITEUP MEDIUM
Kaiten 57.128.8 - User Account Enumeration via Login Response Discrepancy
Kaiten 57.128.8 allows remote attackers to enumerate user accounts via a crafted POST request, because a login response contains a user_email field only if the user account exists.
CVSS 5.3
CVE-2024-39223 WRITEUP CRITICAL
gost 2.11.5 - Authentication Bypass via SSH HostKeyCallback Misconfiguration
An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey
CVSS 9.8
CVE-2024-39249 WRITEUP HIGH
Async <= 2.6.4 and <= 3.2.5 - Denial of Service via Inefficient Regular Expression in autoInject
Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.
CVSS 7.5
CVE-2024-39302 WRITEUP LOW
BigBlueButton - Privilege Escalation
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.
CVSS 3.7
CVE-2024-39304 WRITEUP HIGH
ChurchCRM < 5.9.2 - Authenticated SQL Injection via EID Parameter in GetText.php
ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to an improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows attackers to inject SQL statements directly into the database query due to inadequate sanitization of the EID parameter in in a GET request to `/GetText.php`. Version 5.9.2 patches the issue.
CVSS 8.8
CVE-2024-39305 WRITEUP MEDIUM
Envoy < 1.30.4, 1.29.7, 1.28.5, 1.27.7 - Use-After-Free in Route Hash Policy Cookie Attributes
Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7. Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be immediately apparent if it was configured. Memory allocated for holding attribute values is freed after configuration was parsed. During request processing Envoy will attempt to copy content of de-allocated memory into request cookie header. This can lead to arbitrary content of Envoy's memory to be sent to the upstream service or abnormal process termination. This vulnerability is fixed in Envoy versions v1.30.4, v1.29.7, v1.28.5, and v1.27.7. As a workaround, do not use cookie attributes in route action hash policy.
CVSS 6.5
CVE-2024-39308 WRITEUP MEDIUM
rails_admin < 2.3.0 and >=3.0.0.beta <3.1.3 - Cross-Site Scripting via List View HTML Title Attribute
RailsAdmin is a Rails engine that provides an interface for managing data. RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released).
CVSS 5.4
CVE-2024-39309 WRITEUP CRITICAL
Parse Server < 6.5.7 and 7.0.0-7.1.0 - SQL Injection via PostgreSQL Configuration
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available.
CVSS 9.8
CVE-2024-39317 WRITEUP MEDIUM
Wagtail 2.0-5.2.5, 6.0-6.0.5 - Denial of Service via parse_query_string Inefficient Regular Expression
Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.
CVSS 6.5
CVE-2024-39319 WRITEUP MEDIUM
Aimeos Frontend Controller < 2020.10.15 - Insecure Direct Object Reference
aimeos/ai-controller-frontend is the Aimeos frontend controller package for e-commerce projects. Prior to versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, an insecure direct object reference allows an attacker to disable subscriptions and reviews of another customer. Versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue.
CVSS 5.3
CVE-2024-39320 WRITEUP MEDIUM
Discourse < 3.2.5 - Unauthenticated iframe Injection via Allowed Iframes Bypass
Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.
CVSS 6.1
CVE-2024-39322 WRITEUP MEDIUM
Aimeos ai-admin-jsonadm < 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, 2024.4.2 - Incorrect Authorization
aimeos/ai-admin-jsonadm is the Aimeos e-commerce JSON API for administrative tasks. In versions prior to 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2, improper access control allows editors to remove admin group and locale configuration in the Aimeos backend. Versions 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2 contain a fix for the issue.
CVSS 5.5
CVE-2024-39323 WRITEUP HIGH
ai-admin-graphql 2022.04.1-2022.10.9, 2023.04.1-2023.10.5, 2024.04.1-2024.04.5 - Improper Access Control
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.
CVSS 7.1
CVE-2024-39324 WRITEUP LOW
ai-admin-graphql 2022.04.1-2022.10.9 - Insufficient Access Control via GraphQL API
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.
CVSS 3.8
CVE-2024-39325 WRITEUP MEDIUM
aimeos/ai-controller-frontend <2024.04.2,2023.10.9,2022.10.8,2021.1...
aimeos/ai-controller-frontend is the Aimeos frontend controller. Prior to versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, aimeos/ai-controller-frontend doesn't reset the payment status of a user's basket after the user completes a purchase. Versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue.
CVSS 5.3
CVE-2024-39326 WRITEUP MEDIUM
NationalSecurityAgency skills-service < 2.12.6 - Cross-Site Request Forgery via Admin Video Upload Endpoint
SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.
CVSS 4.4
CVE-2024-39683 WRITEUP MEDIUM
ZITADEL 2.53.0-2.53.7 - Unauthorized Exposure of User Sessions via Session Listing
ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information (e.g. when created though the session service) were incorrectly listed exposing potentially other user's sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available.
CVSS 5.7
CVE-2024-39685 WRITEUP CRITICAL
Bert-VITS2 < 2.3 - OS Command Injection via data_dir Parameter
Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the resample function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier.
CVSS 9.8