4072 matches found
UI REDRESSING
Description Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills...
Stored XSS via Deserialization of Stylesheets
Description Diagram files can contain stylesheets which basically consist of key value pairs that influence the appearance of digram elements. When adding a stylesheet mxStylesheet element it is possible to execute JavaScript code when used in combination with the internal include element. Usuall...
use after free in skipwhite
Description When fuzzing vim commit 1d97db3d9 works with latest build and latest commit 3760bfddc per this time of this report, I discovered a use after free. Proof of Concept Here is the minimized poc bash spe!fl norm0z= norm0yy no0 Psvc sil!norm0 norm0 How to build bash LD=lld AS=llvm-as...
Out-of-bounds write in function append_command
Description Out-of-bounds write in function appendcommand at exdocmd.c:3447 vim version git log commit bfaa24f95343af9c058696644375d04e660f1b00 HEAD - master, tag: v8.2.5052, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocobw6s.dat -c :qa!...
Local Command Injection Post-Installation of Dependencies
Description grav version x";touch pwned "/user/plugins/problems sh: 1: cd: can't cd to x SUCCESS cloned https://github.com/getgrav/grav-plugin-error - x";touch pwned "/user/plugins/error sh: 1: cd: can't cd to x SUCCESS cloned https://github.com/getgrav/grav-plugin-markdown-notices - x";touch pwn...
Use of Uninitialized Function Pointer
Description When providing a crafted input binary to radare2, the context-readaddr function pointer is never initialized before use. This is due to the switch statement responsible for the assignment not finding a matching value for its switch cases. Calling function c static bool...
Cross-site Scripting (XSS)
Proof of Concept 1 Login to the webapplication 2 Navigate to the below URL URL :- https://demo.livehelperchat.com/siteadmin/system/languages/updated/true/sa/HEXX%22%3E%3Ca%20onmouseover=alert11122%3EDEXX%3Ca Below some image POC...
Out-of-bounds Read in r_bin_java_bootstrap_methods_attr_new function
Description Out-of-bounds OOB read vulnerability exists in rbinjavabootstrapmethodsattrnew function in Radare2 5.6.9. This is similar with CVE-2022-0518 and CVE-2022-0521. Version radare2 5.6.9 27745 @ linux-x86-64 git.conti commit: 14189710859c27981adb4c2c2aed2863c1859ec5 build: 2022-04-2311:05:...
Stored Cross Site Scripting vulnerability in the checked_out_to parameter
Description The checkedoutto is not escaped, which leads to a XSS problem. Proof of Concept 1. 1.Login to the demo account 2. 2.Report-Depreciation Report 3. 3.Choose a Asset and goto Assets menu and check it out. new a location which is '" and check the asset to this location 4. 4.Return to...
Use of Out-of-range Pointer Offset
Description This issue occur in the version 8.2.4739 Proof of Concept ➜ vim git:master ✗ echo -n AO8A9C4K/QAKaWZ7e3t7e30tPigzKSg/PWEpezAsMSYKaWZ7e2Z7eyAtPig/PVk8ezAsMTB9Yb7dMH1hvt17MRAALS6zNQAAAAr/AF0KgAr1 | base64 -d POC1 ➜ vim git:master ✗ ./src/vim -u NONE -i NONE -n -X -Z -e -m -s -S POC1 -c...
Heap-based Buffer Overflow in libr/bin/format/ne/ne.c
This vulnerability is of type heap-buffer-overflow. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.6.6 and lastest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated in...
Stored XSS in Tooltip
Description The Classes in Data Objects have the Tooltip field. It is vulnerable to XSS attack. Proof of Concept STEP1: login https://demo.pimcore.fun/admin/ STEP2: Settings-Data Objects-Classes. Then choose an item, like product Data-AccessoryPart AP-compatibleTo。 STEP3: add payload in tooltip...
Reflected Cross Site Scripting
Vulnerability Type Reflected Cross Site-Scripting XSS Affected URL https://localhost/openemr-6.0.0/interface/main/calendar/index.php Affected Parameters “newname” Authentication Required? Yes Issue Summary A reflected XSS vulnerability found in “/interface/main/calendar/index.php” that allows Adm...
URL Confusion When Scheme Not Supplied
Description This is a URL confusion vulnerability. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse...
Stored xss in showdoc through file upload
Description Hi. This is a bypass to the report in https://huntr.dev/bounties/df347aa9-ed9b-4f75-af99-c83b8aad3bcf/ . It fails to check for files with the extension .shtml which leads to stored xss Proof of Concept // poc.shtml adsasdadsdsa alert1 Impact Stored Xss...
Server-Side Request Forgery (SSRF)
Description Alltube takes URL from the query parameter and directly uses it in the youtube-dl command, It makes any unauthenticated attacker can perform an SSRF attack and pass internal hostnames in the URL parameter and obtain information about that service from the response. Proof of Concept GE...
Denial of Service
Description A malformed mdmp file causes a DoS attack and leads to resource exhaustion. Proof of Concept bash printf "%s" "TURNUJOnkwAA9f8AIwAAAAAAAAAA4FJj5gADAAAAGwAAAAAEAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAA" | base64 -d /tmp/a strace r2 /tmp/a This hangs and leads to resource exhaustion...
in gravitl/netmaker
Description Netmaker is an applicaton that enable easly deployment of a mesh vpn based on Wiregaurd. To authenticate and manage users throughout the application, it is used JWT tokens. The secret key used to sign these tokens is hard-coded in the code, which means they can be faked. So, an attack...
in vim/vim
Description Stack Pointer $RSP is corrupted at function eval7t in eval.c during calling eval3, eval4, eval5, eval6, eval7... continuously while parsing too many brackets. vim version : 8.2.4195 latest commit hash : 79a6e25b79cdb35e00d8b364516103eb358d8cc7 Proof of Concept $ echo -ne...
Cross-Site Request Forgery (CSRF) in microweber/microweber
Description CSRF issues deleting the content of the website since it is having no CSRF token validation. Request POST /demo/api/content/delete HTTP/1.1 Host: demo.microweber.org User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:96.0 Gecko/20100101 Firefox/96.0 Accept: / Accept-Language:...
in microweber/microweber
Description Sensitive information as part of the error is getting disclosed during the upload of an unrestricted file. Steps to Reproduce Instance 1 1. Log in to the application https://demo.microweber.org 2. Add a new post and upload an SVG file and you will see an error message getting Popped o...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you add media query at "Settings" = "Thumbnails" = "Video Thumbnails" in the pimcore service. Proof of Concept txt XSS POC...
in vim/vim
Description A heap-based OOB read of size 1 occurs when a user tries to open a vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build lastest commit hash...
Improper Access Control in snipe/snipe-it
Description Regular users with DENY set to all models permissions can still view model information via the /models/id/clone endpoint due to no authorize'view' permission being set. Proof of Concept 1: Create regular user and set DENY to all permissions in asset models. 2: Login as the user 3:...
Use of Uninitialized Variable in vim/vim
Greetings, A Stack Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Version : master2446ec9...
Cross-site Scripting (XSS) - Stored in shopware/shopware
Description Stored XSS when add media file with format .svg allows for arbitrary execution of JavaScript Proof of Concept // PoC.req POST /shopware/backend/mediaManager/upload?albumID=-10 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:94.0 Gecko/20100101...
Cross-site Scripting (XSS) - Stored in osticket/osticket
Description As it is written on github profile, osTicket is a widely-used open source support ticket system. During source code research I discovered bad uploaded file type check, which is controlled by user. Unauthenticated user can upload malicious html/js file. FROM OWASP:: Cross-Site Scriptin...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in khodakhah/nodcms
Description Implement both Secure flag and httponly flag in the application. Proof of Concept Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from bein...
Cross-site Scripting (XSS) - Stored in aimeos/aimeos-laravel
✍️ Description Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework this webapp is vulnerabel for stored xss thru filename 🕵️♂️ Proof of Concept 💥 Impact This vulnerability is capable admin ac takeover , XSS...
in polonel/trudesk
💥 BUG Unprivileged user can subscribs others to a ticket 💥 IMPACT user with lower level permission can subscribe others to a ticket 💥 STEP TO REPRODUCE 1. First from admin goto http://localhost:8118/teams and create a team called team2.\ Now goto http://localhost:8118/accounts/agents and add new...
Improper Privilege Management in chatwoot/chatwoot
✍️ Description Privilege escalation bug to add agent in a inbox 🕵️♂️ Proof of Concept 1. First goto https://app.chatwoot.com/app/accounts/4534/settings/agents/list from admin account and add a user B as agent . 2. now goto https://app.chatwoot.com/app/accounts/4534/settings/inboxes/list and add a...
Command Injection in zaach/jison
Overview jison is a package that provides an API for creating parsers in JavaScript. Affected versions of this package are vulnerable to Command Injection. Arbitrary OS shell command execution is possible through a crafted command-line argument...
Reflected xss in installation space parameter
Description Cross-Site Scripting XSS is a type of security vulnerability that occurs when an attacker injects malicious code, usually in the form of scripts, into a web application. This code is then executed by unsuspecting users who visit the affected web page. in this case the path of...
Fossbilling is Vulnerable to HTML Injection During the Generation of Invoices, Which Leads To An Open Redirect Vulnerability.
Description FOSSBilling suffers from a lack of sanitization in the handling of admin input values. This issue manifests when clients attempt to generate invoices for their orders. Specifically, in the PDF generation of invoices, the company name, editable through the admin portal, is included. An...
Directory listing in multiple endpoints
Description Teampass has directory listing by default for various endpoints that eventually discloses application-specific and user data and files. Proof of Concept Visit the following endpoint without logging in to the application. Sensitive - https://127.0.0.1/includes configs -...
XSS @ Stop Words
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code 1: $ajaxAction = Filter::filterInputINPUTGET, 'ajaxaction', FILTERUNSAFERAW; $instanceId =...
Stored xss in print generate and preview pdf
HI Team, In pimcore dev url https://11.x-dev.pimcore.fun/admin/ I found one stored xss in generate and preview pdf . The author field and title field is vulnerable to xss Step to reproduce 1. Login to dev url https://11.x-dev.pimcore.fun/admin/ 2. add a print container page in documents 3. Insert...
Privilege escalation from user with "add user" to super admin
Description Before I created this submission, I read this report: https://huntr.dev/bounties/258cd498-7275-4b12-ac73-79c9ba3e58e4/. I was afraid that my submission would be a duplicate of that. After reading it carefully, I decided to make a report because my report is not exploiting the backup...
heap-use-after-free in function bt_quickfix
Description heap-use-after-free in function btquickfix at buffer.c:5770 Vim Version git log commit 32ff96ef018eb1a5bea0953648b4892a6ee71658 HEAD - master, tag: v9.0.1307, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S btquickfixpoc -c :qa!...
Out of Range Pointer offset in mb_charlen of mbyte.c
Description Out of Range Pointer offset in mbcharlen of mbyte.c Vim Version git log commit 78012f55faf7444e554c0a97a589d99fa215bea9 HEAD - master, tag: v9.0.1275, origin/master, origin/HEAD POC ./vim -u NONE -X -Z -e -s -S poc01.dat -c ':qa!' Segmentation Fault GDB gdb ./vim gdb run -u NONE -X -Z...
Privilege Escalation from customer to root
Privilege Escalation from Customer to Root First of all, sorry for the formatting of the report, but this platform is a mess. I can't attach any PoC files added chapters at the end of the report instead, can't attach any screenshots, nor provide a report as PDF. And btw markdown is only partly...
Delete all note of all user in application
Description A user with login permission can delete all notes of the whole application via API DELETE https://demo.usememos.com/api/memo/$idnote Proof of Concept Link: https://drive.google.com/file/d/1P0MvqadCdTo1yxK9VBkm5ntwBvJMSZa8/view?usp=sharing...
Delete any post for all users via IDOR
Description Delete any post for all users via IDOR Proof of Concept 1- Post anything 2- Open Burp Suite to intercept the request 3- When deleting the post, we will notice that there is DELETE /api/memo/1010 in the request, Here the post id will be 1010 4- This number can be changed and any post y...
Dev Server XSS
Description The developer server unsafely renders the stack trace within errors. This can be manipulated by sending a specially crafted request. Root Cause The error-dev.vuetemplate, within @nuxt\ui-templates uses the v-html directive to render the stacktrace section of the error. vue This would...
Path Traversal - Download remote files by exploiting the backup functionality (Authenticated)
Description The vulnerability found in the backup system allows an Administrator of the CMS to download any files on the remote file system not only backup files by exploiting a "Path Traversal". The vulnerability does not require any user interaction and is very simple to exploit. Proof of Conce...
No rate limit on email triggering during "resend email" action results in email flooding or a spam attack or a financial loss to the company itself
Description When a user is setting up 2FA , a verification code will be sent to the registered email . There is no rate limit on email triggering that will result in an email flood / does attack or will also increase the expenses on your mail server as an attacker can send 1 million emails throug...
Use After Free in function process_next_cpt_value
Description Use After Free in function processnextcptvalue at insexpand.c:3227. vim version git log commit 5c645a25bb8e6d766db720a44b9ceeff39d1e92b HEAD - master, tag: v9.0.0538, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc11huaf.dat -...
Use After Free in function getcmdline_int
Description Use After Free in function getcmdlineint at vim/src/exgetln.c:2547. vim version git log commit 470a14140bc06f1653edf26ab0b3c9b801080353 grafted, HEAD - master, tag: v9.0.0461, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Use After Free in function do_cmdline
Description Use After Free in function docmdline at vim/src/exdocmd.c:1076. vim version git log commit 5d09a401ec393dc930e1104ceb38eab34681de64 HEAD - master, tag: v9.0.0343, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc7huaf.dat -c :qa...
NULL Pointer Dereference in function do_mouse
Description NULL Pointer Dereference in function domouse at vim/src/mouse.c:496 . vim version git log commit 171c683237149262665135c7d5841a89bb156f53 HEAD - master, tag: v9.0.0242, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc3null.dat -c :qa!...