4057 matches found
Unauthenticated OS Command Injection in stamparm/maltrail
Description Maltrail /tmp/bbq'...
Jquery UI 1.13.1 in use which is vulnerable to CVE-2022-31160
Description Jquery UI 1.13.1 in use which is vulnerable to CVE-2022-31160 Proof of Concept 1 Go to https://demo.limesurvey.org/tmp/assets/15bf41ab/jquery-ui.min.js and note that jquery-ui 1.13.1 is in use. 2 Check...
Privilege Escalation admin user to root user
Description The "admin" user has sudo rights and can gain root access. By default, in a sudo installation the "admin" group has root rights. The "admin" user is created by the hestia installation, and this user is also in the "admin" group. If the attackers access the "admin" user, they can gain root access. Proof of Concept...
Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203
Description Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203 Proof of Concept 1 Go to https://localhost/Cockpit/modules/App/assets/vendor/lodash.js?ver=2.3.9-1676855050 and note that lodash version is 4.17.15 2 Go to https://localhost/Cockpit/ 3 Open Web Developer tools Ctrl+Shift+I usin...
Cross-Site Request Forgery (CSRF) in pterodactyl/panel
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Impact This vulnerability is capable of forcing a user into an unintentional logout. Test Tested on Firefox, Chrome and Safari. Fix You use POST instead of GET. To expand: One way ANY could be abused here is that ...
ZeroTierOne for windows local privilege escalation because of incorrect directory privilege
Description When administrators install zerotierone for windows, it will install ZeroTierOneService, the ImagePath of it is C:\ProgramData\ZeroTier\One\zerotier-onex64.exe, however, the permission of C:\ProgramData\ZeroTier\One\ is incorrect, an attacker with low privilege can get system privilege...
CKeditor 4.20.2 in use which is vulnerable to CVE-2023-28439
Description CKeditor 4.20.2 in use which is vulnerable to CVE-2023-28439 Proof of Concept 1 Go to https://demo.limesurvey.org/tmp/assets/a89a2fb4/ckeditor.js and note that version:"4.20.2" 2 Go to https://github.com/LimeSurvey/LimeSurvey/blob/master/assets/packages/ckeditor/ckeditor.js to verify...
Inefficient Regular Expression Complexity in axios/axios
Description A ReDoS regular expression denial of service flaw was found in the axios package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU. Similar attack ref: https://nvd.nist.gov/vuln/detail/CVE-2020-7753...
Unauthenticated, Stored XSS to RCE via SNMP Trap
Description LibreNMS offers the ability to handle SNMP traps as documented here. One of the SNMP trap handlers called HPFault creates an event with the message "Fault - Unhandled ..." when receiving a trap with an unknown type. The type of this event is set to the received, unknown type, which is...
Server Side Request Forgery via location header
Description It is possible to bypass current SSRF checks using a redirection via the location header. Proof of Concept 1. Mock a redirect endpoint using https://beeceptor.com/ 2. Add Location: http://localhost:1122 as a response header and set the status code to 301 3. Listen on port 1122 4. Acces...
Stored XSS Via Markdown payload at HackerOne Settings
Description Rengine supports automatic vulnerability reporting to hackerone; the module includes a feature to customize the report using a markdown editor. Although it was blocking some malicious payloads, the Cross-Site Scripting was found exploitable via a special payload. Proof of Concept 1. Go...
BoxBilling <=4.22.1.5 - Authenticated Unrestricted File Upload - RCE
Description BoxBilling was vulnerable to Unrestricted File Upload. In order to exploit the vulnerability, an attacker must have a valid authenticated session as admin on the CMS. With at least 1 order of product an attacker can upload a malicious file to a hidden API endpoint that contains a webshell...
Stored XSS and possible RCE/LFI in case of misconfiguration
Description phpmyfaq has a feature to restore from a backup the entire application. An attacker with admin grant can export the configuration and re-upload the same file bypassing all the backend sanitization and controls. Proof of Concept XSS 1. - login as admin 2. - go to backup page 3. - Creat...
Using vulnerable dependencies in package.json
Description 1. Hello team, The Showdoc is using an axios 0.17.1 dependency that is vulnerable to: 1. CVE-2021-3749 Regular Expression Denial of Service ReDoS 2. CVE-2020-28168 Server-Side Request Forgery SSRF 3. CVE-2019-10742 Denial of Service DoS Path to the file:...
Open redirect when login successfully
Description Open redirect when login successfully via next parameter Proof of Concept POST /login?next=https://www.google.com/open-redirect HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=EUjtgvt3A20lSHYbTxBvfAxQi5gNHHzeI7Bda1HOGnWCioMA6cwQqYWXv8ONog4k User-Agent: Mozilla/5.0 Windows NT 10....
Bypass to Remote Command Execution in uploading repository file
Description I find a bypass for CVE-2022-0415 and previous fixes. In the fix of CVE-2022-0415, gogs filters /.git/ by strings.HasSuffix and strings.Contains. However, using /.Git/ can bypass this and upload successfully Proof of Concept Create a repository in Gogs, upload a file config to the...
Regular Expression Denial of Service (ReDoS)
Description Affected versions of the package are vulnerable to Regular Expression Denial of Service ReDoS attacks for any string input controlled by the user. An attacker can provide a specially crafted input to the default function moment, which nearly matches the pattern being matched. This wil...
There is an RCE vulnerability
Description - There is an RCE vulnerability in qmpaas/leadshop https://github.com/qmpaas/leadshop v1.4.15. An attacker can access the file leadshop.php and call any existing function through GET to control the target host. The vulnerability is in the leadshop/web/leadshop.php file (lines 27-61) public...
Inefficient Regular Expression Complexity in fb55/nth-check
Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in nth-check. It allows causing a denial of service when parsing crafted invalid CSS nth-checks. The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s?:+-?\s\d+? with quantified...
Template injection in connection test endpoint leads to RCE
Description Please enter a description of the vulnerability. Proof of Concept Run a local docker instance sh sudo docker run -p 3000:3000 --name sqlpad -d --env SQLPAD_ADMIN=admin --env SQLPAD_ADMIN_PASSWORD=admin sqlpad/sqlpad:latest Navigate to http://localhost:3000/ Click on Connections-Add...
Bypass open redirect protection
Description I could bypass the open redirect protection on the application after parsing the redirect function using the following payload http://[email protected]/ and the payload with the link in the following...
EXIF Geolocation Data Not Stripped From Uploaded Images (vulnerability)
Vulnerability name: EXIF Geolocation Data Not Stripped From Uploaded Images vulnerability Description:- When the user uploads his profile picture, the uploaded image's EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their...
Pre-auth RCE
Description An unauthenticated attacker can execute arbitrary python code by abusing js2py functionality. Also, due to the lack of CSRF protection, a victim can be tricked into executing arbitrary python code. Proof of Concept Run the command below and touch /tmp/pwnd gets executed. bash curl -i -s -...
Cross-site Scripting (XSS) - Stored via xHTML file upload
Description rosariosis is vulnerable to Stored XSS in the File upload in Assignments by uploading an xHTML file with the javascript code inside. Proof of Concept phish.xhtml alertdocument.domain; Step to reproduce From attacker side student 1.Login to the demo environment by student account...
Server-Side Request Forgery (SSRF) in janeczku/calibre-web
Title Blind SSRF via URL fetch Summary calibre-web allows external URL fetching in order to upload a book cover. However, instead of an external URL it is possible to point to localhost, which will be reached, resulting in blind SSRF. Steps to reproduce 1. 1. As an admin give permissions to upload...
in kalcaddle/kodexplorer
BUG any user can download any file IMPACT download any kodexplorer uploaded file STEP TO REPRODUCE 1. First go to your kodexplorer admin account and visit desktop .\ Now upload a txt file called a.txt to desktop .\ 2. Now open another browser and visit...
Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch
BUG ====== Cookie header leaked to third party site and it allows hijacking the victim's account SUMMARY ============ When fetching a remote url with Cookie, if it gets a Location response header then it will follow that url and try to fetch that url with the provided cookie. So the cookie is leaked here to...
Exposure of Sensitive Information to an Unauthorized Actor in blair2004/nexopos-4x
Description Exposure of server side sensitive information due to unhandled exception in handling request method. Proof of Concept 1. Go to this link http://v4.nexopos.com/api/nexopos/v4/crud/ns.payments-types/4 2. See that the page returns with sensitive server side data. Here is a sample...
Php Remote file Inclusion and RCE
Description flatpress has a feature to upload files ("uploader") and display them from "media manager". By uploading PHP files, the users can perform a Php Remote file Inclusion attack and gain RCE. Copy the following code and save as test.Php, note the uppercase. Proof of Concept test.Php test 1. login to...
SSRF on /proxy
Description draw.io is vulnerable to SSRF on the /proxy endpoint. It's trivial to bypass the protections on checkUrlParameter. Proof of Concept 1. Make a request to proxy?url=http%3a//0:8080/ GET /proxy?url=http%3a//0:8080/ HTTP/1.1 Host: 127.0.0.1:8080 sec-ch-ua: "NotA:Brand";v="8",...
Stored XSS via XML File
Description When a user uploads a file with .xml extension and directly accesses this file, the server responds with Content-type: image/svg+xml, leading to processing XML as an HTML file POC POST /flatpress-master/admin.php?p=uploader&action=default HTTP/1.1 Host: localhost Content-Length: 639 Origin:...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Description In order to render raw HTML in Vue.js you may use v-html attribute, which opens a door for XSS in case of malicious input. Chatwoot actually uses it in several places, such as...
Inefficient Regular Expression Complexity in chalk/ansi-regex
Description It allows causing a denial of service when matching crafted invalid ANSI escape codes. Proof of Concept // PoC.mjs import ansiRegex from 'ansi-regex'; for (var i = 1; i <= 50000; i++) { var time = Date.now(); var attack_str = "\u001B" + ";".repeat(i * 10000); ansiRegex().test(attack_str); var timecost...
Bypass All Captchas in the application
Description Bypass Captcha while adding a new Proposal for a new FAQ or Add question, and send unlimited requests without submitting a captcha code. Proof of Concept https://drive.google.com/file/d/140CMe4FLFLBmIUUbI8706bZ4zs4d7N/view?usp=sharing...
XSS via upload pdf file
Description Hi there, It's my pleasure to submit a report to you again to maintain the safety of the project. Most users can upload files in the module named 'Resources'. We can upload pdf files. But uploading malicious pdf files will cause an xss vulnerability which will cause great harm to users of...
Stored XSS Bypass While add a new Comment
Description Stored XSS bypass in the add comments function. If you try to inject an XSS payload like that, it won't work, so I found a bypass that is able to bypass cloudflare with the following payload or, and click enter to add a newline and click "add comment" func (cc *CommentController) AddComment(ctx *gin.Context)...
Vulnerable CKEditor used on version 4.2.9
Description When attaching an image in the mail feature, the upload uses a vulnerable ckeditor version that leads to RCE. Proof of Concept 1. Go to messages, 2. Write email 3. add image 4. Upload the php file. 5. access the uploaded php file in /admmyfiles/mail/images/ // PoC.js Content-Disposition:...
Sed Injection Vulnerability
Description In Hestia Control Panel 1.5.11, several v-scripts shell scripts have sed injection vulnerabilities. By chaining these vulnerabilities, an authenticated remote attacker with low privileges can execute arbitrary code under root context. Sed injection vulnerabilities exist in the followi...
Email Verification Bypass Leads To Account Takeover
Hello maintainer, I noticed that there is no ratelimit protection on the https://book.dansmonorage.blue/confirm-email endpoint, so we can perform a bruteforce attack Steps to reproduce: 1. Create an account with the victim's email id 2. When the account is created, it asks for email confirmation via...
in dbeaver/dbeaver
Description The dbeaver is vulnerable to XML External Entity XXE. An attacker that is able to provide a crafted XML file as input to the parseDocument function in the "XMLUtils.java" file may allow an attacker to execute XML External Entities XXE, including exposing the contents of local files...
Sensitive Cookie Without 'HttpOnly' Flag in vuestorefront/vue-storefront
Description The HttpOnly attribute is not set for the session cookie "vsf-commercetools-token" in the application. Proof of Concept Check this for POC: Image Impact When a cookie doesn't have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being...
Cross-site Scripting (XSS) via Cookie Value
Description There is an XSS that could be triggered via a cookie value. Cross-Site Scripting XSS refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded...
Stored XSS and CSP Bypass in KiwiTCMS
Description Stored XSS, also known as persistent XSS, is the more damaging type of XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform a Stored XSS. The problem is that the upload function permits...
Open Redirect in gnuboard/gnuboard5
Description php <?php include_once('./_common.php'); $g5['title'] = "로그인 검사"; $mb_id = isset($_POST['mb_id']) ? trim($_POST['mb_id']) : ''; $mb_password = isset($_POST['mb_password']) ? trim($_POST['mb_password']) : ''; run_event('member_login_check_before', $mb_id); if (!$mb_id || !$mb_password) alert('회원아이디나 비밀번호가 공백이면 안됩니다.'); $mb =...
OS Command Injection in file editor
Description Deploy and run gogs. Proof of Concept 1. Create a repository and upload a file named config to the repository repo6. The content of the file is as follows: xml [core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true ignorecase = true precomposeunicode =...
Command Injection in kylefarris/clamscan
Overview clamscan lets you use Node JS to scan files on your server with ClamAV's clamscan binary or clamdscan daemon. This is especially useful for scanning uploaded files provided by un-trusted sources. This package is vulnerable to Command Injection; it is possible to inject arbitrary commands a...
Android Manifest Misconfiguration Leading to Task Hijacking
Description Task hijacking allows malicious apps to inherit permissions of vulnerable apps and is usually used for phishing victims' login credentials. This vulnerability applies to all Android versions before Android 11. Steps To Reproduce: 1. Victim installs malicious app 1. Victim starts...
Unrestricted file upload leads to stored XSS
Description A user can bypass checking and upload an .aspx file which leads to stored XSS. Proof of Concept Log in as admin: https://demo.microweber.org/demo/admin/ Go to Websites Edit a page. Under Pictures, choose Add files Instead of uploading a normal picture, use the below request to upload an...
Code Injection in mateodelnorte/meta-git
Description The meta-git module is vulnerable against command injection since the user-supplied inputs are concatenated with a command which is executed without validation. POC 1. Create a new directory and insert some test files: bash mkdir tests cd tests touch test touch secret touch files 2...
Open Redirect on "returnUrl=" parameter
Description Hello Team, while testing the "returnUrl=" parameter on the login page it was not vulnerable, but I found another way to get an Open Redirect with that parameter Proof of Concept Here is the Video POC of this vulnerability...