4072 matches found
Improper Authorization lead a user add an arbitrary agent into Team
Description A Vulnerability in edit team function lead an user add another user via ID to Team, alternatively know the email of every user in Chatwoot Step to reproduce - login to the app -navigate to the Team setting: https://app.chatwoot.com/app/accounts/id/settings/teams/list -Create new or ed...
Account Takeover
Hello team, while i was testing on https://book.dansmonorage.blue/login i noticed that there is no ratelimit protection on POST login form, so an attacker can takeover the account by brute forcing the password field Steps to reproduce: 1. go to https://book.dansmonorage.blue/login 2. Enter...
Cross-site scripting - Stored via upload ".pages" file
Description In file upload function, the server allow upload .pages file with contain some javascript code lead to XSS. Proof of Concept REQUEST: POST /demo/plupload HTTP/1.1 Host: demo.microweber.org Cookie: laravelsession=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb;...
Full Read Server-Side Request Forgery (SSRF)
🔒️ Requirements Privileges: None. 📝 Description The avatarUrl post parameter from /api/users.update and /api/teams.update api endpoint isn't sanitize and permit to get a full read SSRF exploitation. When updating user's or team's avatar, even if from client side we can only change it by uploading...
Integer Overflow in function del_typebuf
Description Integer Overflow in function deltypebuf at getchar.c:1204 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD - master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocintof1s.dat -c :qa!...
Out-of-bound read in function msg_outtrans_attr
Description Out-of-bound read in function msgouttransattr at message.c:1551 Version commit 8eba2bd291b347e3008aa9e565652d51ad638cfa HEAD - master, tag: v8.2.5151 Proof of Concept ./vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S pocvim01 -c :qa!...
Buffer Over-read in function put_on_cmdline
Description Buffer Over-read in function putoncmdline at exgetln.c:3540 vim version git log commit e366ed4f2c6fa8cb663f1b9599b39d57ddbd8a2a HEAD - master, tag: v8.2.5136, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocbor2s.dat -c :qa!...
Out-of-bounds Read in function suggest_trie_walk
Description Out-of-bounds Read in function suggesttriewalk at spellsuggest.c:1437 vim version git log commit 83497f875881973df772cc4cc593766345df6c4a HEAD - master, tag: v8.2.5105, origin/master, origin/HEAD POC root@fuzz-vm0-187:/home/fuzz/fuzz/vim/afl/src ./vim -u NONE -i NONE -n -m -X -Z -e -s...
Unrestricted File Upload in Part Attachment
Description The application inventree allows users to upload any file in part attachment allowing attacker to render files such as HTML in the browser. Proof of Concept Video PoC Link: https://drive.google.com/file/d/1vurBkHegeYCwbXopE5Yhyb702rYgG9FM/view?usp=sharing...
Refelect XSS in neorazorx/facturascripts
Description /facturascripts/EditCuenta can input the taint data without sanitization by the parameter description Proof of Concept POST /facturascripts/EditCuenta HTTP/1.1 Host: 127.0.0.1 Content-Length: 1115 Cache-Control: max-age=0 sec-ch-ua: "NotA:Brand";v="8", "Chromium";v="101"...
Heap-based Buffer Overflow in function utf_head_off
Description Heap-based Buffer Overflow in function utfheadoff at mbyte.c:3872 vim Version git log commit 68e64d2c1735f2a39afa8a0475ae29bedb116684 HEAD - master, tag: v8.2.5006, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poch6s.dat -c :qa!...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept 1. Go to this URL:...
DOM XSS in microweber ver 1.2.15
Description Hi there, on your latest version docker images 3463db62a01f, vulnerable to DOM XSS. Proof of Concept...
NULL Pointer Dereference
Description NULL pointer dereference in rbinnegetsegments Environment Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal radare2 5.6.7 0 @ linux-x86-64 git. commit: 5.6.7 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan"...
Heap buffer overflow in libr/bin/format/mach0/mach0.c
This vulnerability is of type heap-buffer-overflow. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.6.6 and lastest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated in...
NULL Pointer Dereference in mrb_vm_exec with super
Description NULL Pointer Dereference in mrbvmexec with super Proof of Concept o13 = Comparable.initialize||0x7f.instanceeval do super rescue caller 0..1.sortby do break end end // PoC.js ./mruby 1.rb Result ASAN:DEADLYSIGNAL =================================================================...
SQL injection in RecyclebinController.php
Description From the code we can see that in line 122, the value is append to the sql query directly. The value can be from line 109. And from filter parameter . so we can use the value data to inject the database. if we set a wrong value. we can see the sql error from the log file . Proof of...
Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting
Vulnerability Type Stored Cross Site-Scripting XSS Affected URL https://localhost/openemr-6.0.0/ /interface/super/rules/index.php?action=edit!submitsummary Affected Parameters “fldtitle” Authentication Required? Yes Issue Summary Non-privilege users accounting, front-office can create new rule an...
Stored XSS via File Upload
Description Stored XSS via uploading file in .m3u8a format. Proof of Concept filename="poc.m3u8a" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the...
Prototype Pollution
Description fullPage utils are available to developers using window.fputils. They can use these utils for their own use-case other than fullPage as well. However, one of the utils deepExtend is vulnerable to Prototype Pollution vulnerability. Javascript is "prototype" language which means when a...
Weak Password Recovery Mechanism for Forgotten Password
Description: There is no rate limit sent unlimited email victim or any email address. Proof of Concept: There is no rate limit return-password , attacker to send unlimited email to victim or any email address. Impact: Attacker can sent unlimited email to any mail address . Solution: Add 'throttle...
NULL Pointer Dereference
Description NULL pointer dereference in binsymbols.c Environment bash Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal radare2 5.6.3 27472 @ linux-x86-64 git.5.6.2 commit: d24dbb9fbb0b398a6a739847008ccef3ea7e687c POC radare2 -AA -qq ./poc poc ASAN...
Cross-site Scripting (XSS) - Stored
Description Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage. I used &10 Line Feed character in the href attribute of tag to bypass th...
Cross-site Scripting (XSS) - Generic
Description The user-controlled GET user parameter in index.php is unsanitized resulting in Cross-Site Scripting. Proof of Concept Endpoint: GET https://HOST/edit/user File: /web/edit/user/index.phpL11 // Check user argument if empty$GET'user' header"Location: /list/user/"; exit; Request...
in mruby/mruby
Description There is a NULL Pointer Dereference in aryconcat array.c:301. This bug has been found on mruby lastest commit hash ecb28f4bf463483cf914c799d086b0cfff997aee on Ubuntu 20.04 for x8664/amd64. Proof of Concept The crash is not reproducible in a debug build, so a release build config must ...
Cross-site Scripting (XSS) - Generic in librenms/librenms
Description Cross-Site Scripting vulnerability in LibreNMS v22.1.0 which allows attackers to execute arbitrary javascript code which affected Alerts module Alert Transport in Transport name field. Proof of Concept Endpoint: 1 POST http://HOST/ajaxform.php - Parameter name Payload: ' XSS will...
Code Injection in publify/publify
Description The application doesn't check/filter the comments provided by the user before save to database. Attacker can't insert js code to steal admin's data but can insert html code, leads to many information security risks. Proof of Concept - Step 1: Go to...
Cross-site Scripting (XSS) - Stored in ptrofimov/beanstalk_console
Description Stored XSS in parameter 'host' when add server Proof of Concept // PoC.req GET / HTTP/1.1 Host: 127.0.0.1:8088 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:97.0 Gecko/20100101 Firefox/97.0 Accept:...
in vim/vim
Description A heap-based OOB read of size 1 occurs when a user tries to open a vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build version 8.2.3931, commit hash...
Cross-site Scripting (XSS) - Stored in meetecho/janus-gateway
Description The stored XSS vulnerability occurs in the chat window because the user's input value is inserted into the web page without verification. javascript to: username, text: result ; textroom.data text: JSON.stringifymessage, error: functionreason bootbox.alertreason; , success: function...
Cross-Site Request Forgery (CSRF) in bookstackapp/bookstack
Description Login CSRF via /register/confirm/token endpoint. Proof of Concept 1: Register account with the same username as our victim, an email confirmation will take place 2: Retrieve token from email. 3: Send a link http://BOOKSTACKAPPURL/register/confirm/token to user. 4: When the user clicks...
Cross-Site Request Forgery (CSRF) in glpi-project/glpi
✍️ Description Attacker able to delete any document from Processing ticket with CSRF attack because there is any CSRF protection for related endpoint. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user...
Improper Privilege Management in uvdesk/core-framework
✍️ BUG privilege escalation bug to pin a threads 🕵️♂️ Proof of Concept 1. Frist from admin account goto http://localhost/uvdesk/public/en/member/agents and add new user called user B with Agent role .\ Now gives user-B all tikceting permission like can update/add/edit/delete/lock/pin to a ticket...
Improper Privilege Management in cortezaproject/corteza-server
💥 BUG unprivileged user can dismiss other user reminders 💥 IMPACT lower level user can dismiss other user reminders 💥 STEP TO REPRODUCE 1. First from admin goto http://localhost:18080/admin/system/user and add a new user called user B .\ Now give this user crm permission so that user B can create...
Code Injection in trentm/json
✍️ Description json is a 'json' command tool for massaging and processing JSON on the command line. Affected versions of this package are vulnerable to Arbitrary Code Injection via the -d argument. 🕵️♂️ Proof of Concept curl -sL 'https://api.github.com/repos/joyent/node/issues?state=open' |...
Code Injection in unix121/i3wm-themer
Description i3wm-themer is the theme collection manager for i3-wm which is vulnerable to Arbitrary Code Execution. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash git clone https://github.com/unix121/i3wm-themer cd i3wm-themer/...
Prototype Pollution in geta/nestedobjectassign
Description nested-object-assign is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const assign = require'nested-object-assign' console.log'Before: ' + .polluted assign, JSON.parse'"proto": "polluted": true' console.log'After: ' +...
Prototype Pollution in mout/mout
Description mout is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var mout = require"mout" var obj = console.log"Before : " + .polluted; mout.object.setobj,'proto.polluted','Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute the...
heap-use-after-free in function editing_arg_idx
Description heap-use-after-free in function editingargidx at arglist.c:516 Vim Version git log commit 54844857fd6933fa4f6678e47610c4b9c9f7a091 HEAD - master, tag: v9.0.2009, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S editingargidxPOC2 -c :qa!...
RXSS in onpremises version of structurizr
Description During investigation it was found that onpremises api endpoint GET parameter version is vulnerable to XSS injection: /workspace/workspaceid?version=1; Proof of Concept 1. Visit the link provided: http:///workspace/1/?version=1%22;alert1; 2. XSS injected...
File Upload Vulnerability in Categories
Description I noticed, your website is very secure. But you overlooked a flaw File Upload. Proof of Concept Detail: 1 .Login vs admin demo account and access admin page. 2 .Create a category titled "test" and upload a file image. 3 .Using burp suite edit Content-type: image/html and insert payloa...
DOM XSS in https://demo.librenms.org/ports
Description I noticed, your website is very secure. But you overlooked a flaw XSS Detail: 1 .Login with demo account. 2 .Go to the link: https://demo.librenms.org/ports 3 .Insert payload and press enter: test' onclick='alertdocument.cookie 4 .Click on the box hostname or port, detect XSS Proof of...
Reflected xss in installation space parameter
Description Cross-Site Scripting XSS is a type of security vulnerability that occurs when an attacker injects malicious code, usually in the form of scripts, into a web application. This code is then executed by unsuspecting users who visit the affected web page. in this case the path of...
File Upload Bypass Leads to Stored XSS
Description In the file upload feature, the system did not allow uploading files with extensions like html, ... But when uploading files with extension xhtml, it leads to XSS vulnerabilities. Proof of Concept https://drive.google.com/file/d/1MTa4st4POafaUAwn17n7ygpTrF9BXp/view?usp=sharing...
Stored XSS in title
Description There is Stored XSS in the item title of the menu on the administrator screen. Proof of Concept Step 1. Log in to the admin screen and select Add New Item in Menu. Step 2. Specify the following Payload for the item title and save it. Step 3. Once saved, any script can be executed on t...
Cross site scripting in Admidio 4.2.9 via headline parameter
Description Cross-site Scripting XSS refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. Proof...
An outdated dependency leads to to remote command execution vulnerability
Description A few days ago, the vm2 module of nodejs found a sandbox escape vulnerability, which was officially fixed in v3.9.15 However, a fixed vm2 version is hard-coded in the package.jsonv 3.9.11 of the jsreport-core component of jsreport, which makes it impossible to install the latest vm2...
Reflected XSS in /library/custom_template/share_template.php
Description There exist a reflected XSS in /library/customtemplate/sharetemplate.php in the 'listid' parameter. Proof of Concept http://openemr.local/library/customtemplate/sharetemplate.php?listid=1;alert1;function%20xif1a=a:a:1 fix properly sanitize the listid parameter...
Null pointer dereference in get_register at register.c:311
--- Description Null pointer dereference in getregister at register.c:311. ycurrent variable is 0 because of name variable. Version $ git log commit 3ea62381c527395ae701715335776f427d22eb7b HEAD - master, tag: v9.0.1425, origin/master, origin/HEAD Author: Amaan Qureshi Date: Thu Mar 23 15:45:46...
EXIF Geolocation Data Not Stripped From brand logo
When the user uploads his logo, the uploaded image’s EXIF Geo-location Data does not get stripped. As a result, anyone can get sensitive information like user's Device ID, Geo Location, System Information, System version, ETC. Step to reproduce: 1. Upload logo with EXIF DATA, or download from her...