4072 matches found
Path Traversal vulnerability on the endpoint '/info/refs'
Summary It seems "gogs" suffers from a Path Traversal which may lead a malicious user to access another legitimate user's git config files or issue a couple of git commands on its behalf. Steps to reproduce and Proof of Concept 1. I created two users sim4n6 and sim4n62. 2. From sim4n6 dashboard...
Heap-based Buffer Overflow in function vim_regsub_both
Description Heap-based Buffer Overflow in function vimregsubboth at regexp.c:1954 vim version git log commit 4d97a565ae8be0d4debba04ebd2ac3e75a0c8010 HEAD - master, tag: v8.2.5037, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobw5s.dat -...
Buffer Over-read in function utf_ptr2char
Description Buffer Over-read in function utfptr2char at mbyte.c:1794 vim version git log commit 31d9948e3a2529c2f619d56bdb48291dc261233d HEAD - master, tag: v8.2.5026, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch10ns.dat -c :qa!...
NULL Pointer Dereference in function vim_regexec_string
Description NULL Pointer Dereference in function vimregexecstring at regexp.c:2733 allows attackers to cause a denial of service application crash via a crafted input. vim version git log commit 31ad32a325cc31f0f2bdd530c68bfb856a2187c5 HEAD - master, tag: v8.2.4949, origin/master, origin/HEAD...
Heap-based Buffer Overflow
Description Heap-based Buffer Overflow in msp430op Environment radare2 5.6.9 0 @ linux-x86-64 git. commit: 5.6.9 build: 2022-05-0112:17:49 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...
Null pointer dereference in libr/bin/format/mach0/mach0.c in radareorg/radare2
This vulnerability is of type heap-buffer-overflow. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.6.8 and lastest master branch 5a9e0a19ba07e35382776fed9da2649ac824f526, updated in M...
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write
Description file.copy operations in GruntJS are vulnerable to a TOC-TOU race condition leading to arbitrary file write when an attacker can create a symlink just after deletion of the dest symlink by repeatedly calling ln -s /etc/shadow2 dest/shadow2 in a while loop but right before the symlink i...
Stored XSS viva .svg file upload
Description The application allows .svg files to upload which leads to stored XSS Proof of Concept 1.Download the payload from this link:- https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing 2.Login to the application with Co-admin account and go to "Settings" -...
SSRF on index.php/cobrowse/proxycss/
Description Live Helper Chat is vulnerable to SSRF on the /index.php/cobrowse/proxycss endpoint. It's possible to make internal requests and see the response as an authenticated user, it's also possible to make an request with any protocol using goppher://. Proof of Concept 1. Request...
heap buffer overflow in get_one_sourceline
Description When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13 Proof of Concept Here is the minimized poc bash norm300gr0 so How to build bash LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address"...
stored xss
Description Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage Proof of Concept 1. A low-priv user create a page with the following...
Stored XSS Leads To Session Hijacking
Description Hello everyone, During my testing on openemr at the demo available here https://demo.openemr.io/openemr, I found a Stored XSS on filename at Uploading Documents Templates which is found on Administration tab, what makes this Stored XSS really severe is the ability of stealing session...
Use of Out-of-range Pointer Offset
Description This issue occur in the v8.2.4428 version. Proof of Concept sh $ echo "dnMgIDPKKSAwMGNtZGxicmVh4OvbmfsA3ykA3/8wAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAhAAAA AAAAAODr3/f/fwAAAAAAAAAAAPZRIwAAAAAAa3N5bWxpbmsgCmJcJlx6cypcenMqQGU=" | base64 -d poc $ /valgrind/vg-in-place -s ./src/vim -u NONE -i NON...
Unrestricted Upload of File with Dangerous Type
Description In recent Crater version bed05fc2 tag: 6.0.4 privileged user can upload PHP file as expense receipt. Proof of Concept POST /api/v1/expenses/59/upload/receipts HTTP/1.1 Host: 172.17.0.1:8888 User-Agent: Mozilla/5.0 X11; Linux x8664; rv:98.0 Gecko/20100101 Firefox/98.0 Accept: /...
Improper Access Control in salesagility/suitecrm
Description In SuiteCRM v7.12.4, affecting Users Module, any user with the User Type as Regular User could modify other users profiles via the update profile section. The prerequisite of this attack is by knowing the user record ID and username User Name respectively. The user records ID can be...
OS Command Injection in microweber/microweber
Description OS command injection also known as shell injection is a web security vulnerability that allows an attacker to execute arbitrary operating system OS commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an...
None in vim/vim
Description Use After Free in enterbuffer function. commit : 5703310e640c4b142a16a3ea4f45317565ae8c32 Proof of Concept bash $ echo -ne "ZnUgUigpCiAgdGFiIGxvcAogIGxldCBsOj1nCiAgZQEKbGYKZW5kZgoKY2FsIGFzYWwoIiIsUigp KQpjYWwgYXNhbCgiIixSKCkpCmNhbCBhc2FsKCIiLFIoKSkKYnchCg==" | base64 -d poc ASAN $...
Heap-based Buffer Overflow in vim/vim
Description Heap Overflow in exretab. This issue was created to separate the previous issue. This bug has already been fixed with patch 8.2.4245. Proof of Concept $ echo -ne "bm9ybTBvMDAwMDAwMDAwMDAwMDAwMDAwMDD/MJMwMDAKc2lsIW5vcm0WYxwwMAkwCmZ1IFJldGFi...
None in vim/vim
Description Use after free occurs in skipwhite function charset.c:1474. commit : 166788c657f4b1090a31ea37a023b1f2c78790c8 Proof of Concept $ echo -ne "ZnUgUmUwYTAoZyxuKQp+CnMvCnIwIzAKZW5kZgpzL1wlJykvXD1hMDAwKDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwLCBSZTBhMCgnJywwMDApMDA=" | base64 -d...
Insecure Temporary File in mlflow/mlflow
Description mlflow package is using the deprecated function tempfile.mktemp which is not secure. Because a different process may create a file with this name in the time between the call to mktemp and the subsequent attempt to create the file by the first process. Impact Availability will get...
in unshiftio/url-parse
Description Improperly handeling username and password . And unable to detect the hostname . Proof of Concept url-parse not able verify basic authentication credential and also wrongly verifying hostname .This allow to bypass hostname validation .\ Lets username is admin and password is...
Heap-based Buffer Overflow in vim/vim
Description A Heap-based Buffer Overflow has been found in vim commit 2f0936c Proof of Concept base64 poc ZGVmIEZpcnN0RnVuY3Rpb24oKQogIGRlZiBTZWNvbmRGdW5vbmUKJCAgCiAgIGVuZGRCQkJCCmVu ZGRlZgojIEN/////bGUgYWxsZWZ8QkJCQgplbmRkZWYKIyBDb21waWxlIGFsbCBmdW5jdGlvbnMK ZGVmY29tcGlsZQo=...
Cross-site Scripting (XSS) - Reflected in livehelperchat/livehelperchat
Description The htmlspecialchars function does not escape special characters like single quote, and the $prefix parameter can lead to reflected XSS Proof of Concept https://demo.livehelperchat.com/siteadmin/user/avatarbuilder/1?=1640314779051&prefix=123%27;;%20alert%27xss%27;// Impact XSS can hav...
Cross-site Scripting (XSS) - Reflected in pheditor/pheditor
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Inefficient Regular Expression Complexity in apidoc/apidoc-core
✍️ Description A ReDoS regular expression denial of service flaw was found in the apidoc-core package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU. Similar attack ref:...
Prototype Pollution in mozilla/node-convict
Description convict is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var convict = require"convict"; var obj = ; var config =...
Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading
Summary A critical arbitrary code execution vulnerability exists in HuggingFace Transformers' Trainer class. The loadrngstate method at src/transformers/trainer.py:3059 calls torch.load without the weightsonly=True parameter. While a safeglobals context manager wraps this call, it provides no...
SQL injection and Authentication bypass
Description The validApiKey middleware, which is responsible for verifying API keys provided in the request's Authorization header, is susceptible to SQL injection. This vulnerability can potentially lead to an authentication bypass, granting unauthorized access to API endpoints. NOTE: It's worth...
Store DOM XSS in Edit configuration
Description I noticed, your website is very secure. But you overlooked a flaw XSS Proof of Concept 1 .Login vs admin demo account and access admin page. 2 .Create a category titled "test456". 3 .Go to Configuration == Edit configuration. 4 .Change the "URL of your FAQ" data field with the payload...
Open Redirect on follow/unfollow user's profile action
Description The idea is similar to CVE-2022-1058 https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/ . Browsers interpreted \example.com - https://example.com and lead to open redirect Proof of Concept The vulnerable API is lie in follow/unfollow action on user's profile. In order to...
Github token with wide access to Nuxt related repositories leaked in the wild
Description If you visit https://nuxt.com, you will find hardcoded Github token in the source code of the page - ghpYXegsf40mjoFZMPSdntLbrGIBRZYKf0i2FoK. This token has access to multiple repositories under nuxt , nuxtlabs and nuxt-themes Github organisations. https://github.com/nuxt Admin...
heap-buffer-overflow in vim_regsub_both
Description heap based buffer overflow in in vimregsubboth at regexp.c:2473 Vim Version git log commit 1a08a3e2a584889f19b84a27672134649b73da58 HEAD - master, tag: v9.0.1429, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S POCvimregsubboth -c :qa!...
Annotation tool: token forgery using jwt secret to claim super admin role
Although the annotator tool's source code is not directly provided in the repository a docker image is provided. From there it is easy to get access to the source code by either extracting the docker tar image, which can be exported from docker itself, or connecting to the container with an...
Observable Timing Discrepancy in Login Portal
Description An observable discrepancy in response times is present in the login portal. When brute forcing valid email accounts, the timing on a valid account is significantly higher than that of an invalid user account. This is likely due to the use of Bcrypt's compare function being utilized by...
Stored XSS edit Config Link
Description Stored Cross-Site Scripting XSS through hyperlinks refers to a type of security vulnerability that occurs when an attacker injects malicious code into a hyperlink, which is then stored in the application's database or web server. When a user clicks on the infected hyperlink, the...
File Upload lead to Stored XSS bypass csp
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. 1-Login to your application and create a Store called “Test” make all the...
weak Password Policy Directory Protection
Hello, The strong Password Policy is everywhere in place. BUT The Directory Protection Part allows to bypass this strong Password Policy and setting a Password like 1. This is very easy to bruteforce. Lets see : ------ Password is set to 1 and it will get accepted. As you can see the Password got...
File Upload Type Validation Error lead to Stored XSS
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. STEPSTOREPRODUCE 1. Login to your application and create a Store called...
Email enumeration via reset password functionality
Description User enumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system. The malicious actor is looking for differences in the server's response based on the validity of submitted credentials. The differences can be inside the...
CSRF to add shortcuts to victim account
Description Cross-Site Request Forgery CSRF is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user Proof of Concept 1 Go to...
Cross-site Scripting (XSS) - Stored
✍️ DESCRIPTION The activatetemplate parameter at line 16 of the templates.php file will be rendered at line 31 of file the dashboard.php page, without using the htmloutput function. 💥 STEP TO REPRODUCE - Login to your admin account, then visit the URL...
Html Injection Reflected in Login Page
Description HTML Injection is a vulnerability in which the attacker can inject malicious html content in the login webpage. Proof of Concept Navigate to: https://demo.froxlor.org/index.php?showmessage=4&customermail=%22%3Cmarquee%3E%3Ch3%3EHTML/INJECTION/HERE%[email protected]...
Authenticated SQL injection via filename & update-instance parameters
There is a SQL injection vulnerability inside saveMeta function in AttachmentAbstract.php. When a file is being uploaded via admin/index.php?action=ajax&ajax=att&ajaxaction=upload endpoint, the filename parameter isn't being sanitized and its later on interpolated into a raw SQL query inside...
Remote Code Execution (RCE) via Arbitrary File Write and Path Traversal
Description Immich constructs the path, filename, and file extension of uploaded files from improperly sanitized user input. Therefore, the upload function is vulnerable to a path traversal attack leading to arbitrary file write. This can lead to RCE by overwriting JavaScript files. Proof of...
use after free in function generate_PCALL
Description Use After Free in function generatePCALL at vim/src/vim9instr.c:1606 vim version git log commit 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 grafted, HEAD - master, tag: v9.0.0213, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S poc2huaf.dat -c :qa!...
Out-of-bounds read in function check_vim9_unlet in vim/vim
Description Out-of-bounds read in function checkvim9unlet at vim/src/vim9cmds.c:95 Vim version git log commit 326c5d36e7cb8526330565109c17b4a13ff790ae grafted, HEAD - master, tag: v9.0.0194, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/hbo1min.dat -c :q...
Heap-based buffer overflow in function inc
Description Heap-based buffer overflow in function inc at misc2.c:344 Version commit 8eba2bd291b347e3008aa9e565652d51ad638cfa HEAD, tag: v8.2.5151 Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc80min3 -c :qa! ==6151== Memcheck, a memo...
Null pointer dereference in function skipwhite
Description Null pointer dereference in function skipwhite at charset.c:1428 Version commit c101abff4c6756db4f5e740fde289decb9452efa HEAD - master, tag: v8.2.5164 Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc40min -c :qa! ==32519==...
Out-of-bound write in function ml_append_int
Description Out-of-bound write in function mlappendint at memline.c:2895 Version commit 8eba2bd291b347e3008aa9e565652d51ad638cfa HEAD, tag: v8.2.5151 Proof of Concept guest@elk:/trung$ valgrind ./vim2/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/guest/trung/poc/poc35min -c ':qa!' ==28900==...
UI REDRESSING
Description Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills...