Writeup Exploits

64,419 exploits tracked across all sources.

Sort: Activity Stars
CVE-2024-39686 WRITEUP CRITICAL
fishaudio/bert-vits2 < 2.3 - OS Command Injection via data_dir Parameter
Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the bert_gen function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier.
CVSS 9.8
CVE-2024-39687 WRITEUP HIGH
Fedify < 0.9.2, 0.10.0, 0.11.0 - Server-Side Request Forgery via ActivityPub Resource Resolution
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network. This applies to not just resolution of documents containing activities or objects, but also to media URLs as well. Specifically this is a Server Side Request Forgery attack. Users should upgrade to Fedify version 0.9.2, 0.10.1, or 0.11.1 to receive a patch for this issue.
CVSS 7.2
CVE-2024-39688 WRITEUP MEDIUM
fish.audio bert-vits2 < 2.3 - Path Traversal and Arbitrary File Write via data_dir Variable
Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is concatenated with other folders and used to open a new file in the generate_config function, which leads to a limited file write. The issue allows for writing /config/config.json file in arbitrary directory on the server. If a given directory path doesn’t exist, the application will return an error, so this vulnerability could also be used to gain information about existing directories on the server. This affects fishaudio/Bert-VITS2 2.3 and earlier.
CVSS 6.5
CVE-2024-39689 WRITEUP HIGH
certifi 2021.5.30-2024.7.4 - Insufficient Verification of Data Authenticity via GLOBALTRUST Root Certificates
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."
CVSS 7.5
CVE-2024-39691 WRITEUP MEDIUM
matrix-appservice-irc < 2.0.1 - Information Disclosure via Homeserver Timestamp Manipulation
matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The fix for GHSA-wm4w-7h2q-3pf7 / CVE-2024-32000 included in matrix-appservice-irc 2.0.0 relied on the Matrix homeserver-provided timestamp to determine whether a user has access to the event they're replying to when determining whether or not to include a truncated version of the original event in the IRC message. Since this value is controlled by external entities, a malicious Matrix homeserver joined to a room in which a matrix-appservice-irc bridge instance (before version 2.0.1) is present can fabricate the timestamp with the intent of tricking the bridge into leaking room messages the homeserver should not have access to. matrix-appservice-irc 2.0.1 drops the reliance on `origin_server_ts` when determining whether or not an event should be visible to a user, instead tracking the event timestamps internally. As a workaround, it's possible to limit the amount of information leaked by setting a reply template that doesn't contain the original message.
CVSS 4.3
CVE-2024-39694 WRITEUP MEDIUM
Duende IdentityServer 6.0.0-6.0.4, 6.1.0-6.1.7, 6.2.0-6.2.4, 6.3.0-6.3.9, 7.0.0-7.0.5 Open Redirect
Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site. Note: by itself, this vulnerability does **not** allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens. An attacker could however exploit this vulnerability as part of a phishing attack designed to steal user credentials. This vulnerability is fixed in 7.0.6, 6.3.10, 6.2.5, 6.1.8, and 6.0.5. Duende.IdentityServer 5.1 and earlier and all versions of IdentityServer4 are no longer supported and will not be receiving updates. If upgrading is not possible, use `IUrlHelper.IsLocalUrl` from ASP.NET Core to validate return Urls in user interface code in the IdentityServer host.
CVSS 4.7
CVE-2024-39697 WRITEUP HIGH
phonenumber 0.3.4-0.3.5 - Denial of Service via Malformed Phone Number String
phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the "number" part potentially parses as a number larger than 2^56. This vulnerability is fixed in 0.3.6.
CVSS 8.6
CVE-2024-39700 WRITEUP CRITICAL
JupyterLab < 4.3.0 - Remote Code Execution via GitHub Actions Workflow
JupyterLab extension template is a `copier` template for JupyterLab extensions. Repositories created using this template with `test` option include `update-integration-tests.yml` workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to the latest version. Users who made changes to `update-integration-tests.yml`, accept overwriting of this file and re-apply your changes later. Users may wish to temporarily disable GitHub Actions while working on the upgrade. We recommend rebasing all open pull requests from untrusted users as actions may run using the version from the `main` branch at the time when the pull request was created. Users who are upgrading from template version prior to 4.3.0 may wish to leave out proposed changes to the release workflow for now as it requires additional configuration.
CVSS 9.9
CVE-2024-39828 WRITEUP MEDIUM
R74n Sandboxels 1.9-1.9.5 - Cross-Site Scripting via Modified Saved-Game File
R74n Sandboxels 1.9 through 1.9.5 allows XSS via a message in a modified saved-game file. This was fixed in a hotfix to 1.9.5 on 2024-06-29.
CVSS 6.1
CVE-2024-39909 WRITEUP MEDIUM
KubeClarity < 2.23.1 - SQL Injection via packageID Parameter
KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the following resource `/api/applicationResources` via the following parameter `packageID`. As it can be seen in backend/pkg/database/id_view.go, while building the SQL Query the `fmt.Sprintf` function is used to build the query string without the input having first been subjected to any validation. This vulnerability is fixed in 2.23.1.
CVSS 6.5
CVE-2024-39914 WRITEUP CRITICAL
fogproject < 1.5.10.34 - Command Injection via Filename Parameter
FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php. This vulnerability is fixed in 1.5.10.34.
CVSS 9.8
CVE-2024-39918 WRITEUP MEDIUM
url-to-png < 2.1.2 - Path Traversal via ImageId Parameter
@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. Input of the `ImageId` in the code is not sanitized and may lead to path traversal. This allows an attacker to store an image in an arbitrary location that the server has permission to access. This issue has been addressed in version 2.1.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 4.3
CVE-2024-39943 WRITEUP CRITICAL
rejetto HFS < 0.52.10 - Authenticated OS Command Injection via df Command Execution
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
CVSS 9.9
CVE-2024-40094 WRITEUP MEDIUM
graphql-java < 19.11 - Denial of Service via Introspection Query
GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.
CVSS 5.3
CVE-2024-40110 WRITEUP CRITICAL
Sourcecodester Poultry Farm Management System v1.0 - RCE
Sourcecodester Poultry Farm Management System v1.0 contains an Unauthenticated Remote Code Execution (RCE) vulnerability via the productimage parameter at /farm/product.php.
CVSS 9.8
CVE-2024-40111 WRITEUP MEDIUM
Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting in Template Body
A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the flat file CMS and is executed in the browser of any user visiting the forum.
CVSS 4.8
CVE-2024-40117 WRITEUP CRITICAL
Solar-Log <v2.8.2 - Privilege Escalation
Incorrect access control in Solar-Log 1000 before v2.8.2 and build 52- 23.04.2013 allows attackers to obtain Administrative privileges via connecting to the web administration server. Not existing for SL 200, 500, 1000 / fixed in 4.2.8 for SL 250, 300, 1200, 2000, SL 50 Gateway / fixed in 5.1.2 / 6.0.0 for SL Base.
CVSS 9.8
CVE-2024-40119 WRITEUP HIGH
Nepstech Wifi Router xpon NTPL-Xpon1GFEVN v.1.0 Firmware V2.0.1 - Cross-Site Request Forgery in Password Change Function
Nepstech Wifi Router xpon (terminal) model NTPL-Xpon1GFEVN v.1.0 Firmware V2.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the password change function, which allows remote attackers to change the admin password without the user's consent, leading to a potential account takeover.
CVSS 8.8
CVE-2024-40318 WRITEUP HIGH
Webkul Qloapps <1.6.0.0 - Code Injection
An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file.
CVSS 7.2
CVE-2024-40348 WRITEUP HIGH
bazarr < 1.4.3 - Unauthenticated Path Traversal via /api/swaggerui/static
An issue in the component /api/swaggerui/static of Bazaar v1.4.3 allows unauthenticated attackers to execute a directory traversal.
CVSS 8.2
CVE-2024-40422 WRITEUP CRITICAL
stitionai devika v1 - Path Traversal
The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
CVSS 9.1
CVE-2024-40443 WRITEUP MEDIUM
Simple Laboratory Management System 1.0 - SQL Injection
SQL Injection vulnerability in Simple Laboratory Management System using PHP and MySQL v.1.0 allows a remote attacker to cause a denial of service via the delete_users function in the Useres.php
CVSS 4.3
CVE-2024-40445 WRITEUP HIGH
Forkosh Mime TeX <1.77 - Path Traversal
A directory traversal vulnerability in forkosh Mime TeX before version 1.77 allows attackers on Windows systems to read or append arbitrary files by manipulating crafted input paths.
CVSS 7.3
CVE-2024-40510 WRITEUP HIGH
openPetra 2023.02 - Cross-Site Scripting via serverMCommon.asmx Function
Cross Site Scripting vulnerability in openPetra v.2023.02 allows a remote attacker to obtain sensitive information via the serverMCommon.asmx function.
CVSS 8.2
CVE-2024-40624 WRITEUP CRITICAL
TorrentPier < 2.4.4 - Remote Code Execution via Unsafe Cookie Deserialization
TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php. This issue has been addressed in commit `ed37e6e52` which is expected to be included in release version 2.4.4. Users are advised to upgrade as soon as the new release is available. There are no known workarounds for this vulnerability.
CVSS 9.8