4072 matches found
LFI/RFI in MLflow
Description Local and Remote File Include in MLflow Proof of Concept Start the server or UI it works on both identically bash mlflow ui --host 127.0.0.1:5001 Create a model bash curl -i -s -k -X $'POST' \ -H $'Host: 127.0.0.1:5001' -H $'User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15;...
Improper Authorization
Description During testing, it was observed that sending a GET request to the following endpoint: /api/v2/parameters/core/ returns sensitive information without any authentication or authorization. Request GET /api/v2/parameters/core/ HTTP/1.1 Host: demo.modoboa.org User-Agent: 7h3h4ckv157 Accept...
Reseller role allowed to access to admin functionalities
Description The reseller user can access to some admin functionality just directly accessing to it by URL, even though the menu shouldn't allow it. Proof of Concept - Go to https://v2.demo.froxlor.org - Login as reseller1 - Point to: https://v2.demo.froxlor.org/adminopcacheinfo.php?page=showinfo...
An user can delete other user's post
Description As the title, an attacker can delete other user's post via post id can be bruteforce Here is video poc: https://drive.google.com/file/d/18QucWYwkpO9kVPMqNzSQ-ptwrZGk-UP9/view?usp=sharelink Proof of Concept DELETE /api/memo/$1026$ HTTP/2 Host: demo.usememos.com Cookie:...
A user can edit private memos from other users
Description It is possible for a user to edit private memos from other users and also change their visibility, making them public. Also the user could change the visibility from Public to Private or viceversa. Steps to Reproduce 1. Log in as a user A here called "ile.maricel". 2. In another brows...
No Rate Limit On migrate-email Endpoint Leads to Brute-force Attack
The migrate-email endpoint is requiring Email, Username, and Password parameter. This endpoint contain authentication functionality that doesn't have any protection from brute-force attack, which allows an attacker to try every possible password combination without any restriction. CWE-307:...
User Enumeration
Description The migrate-email endpoint is requiring Email, Username, and Password parameter. The Username parameter value will be queried to userManager.Users and will returning data to user variable, if user variable contain null value, the application will return bad request with "Invalid...
No rate limit on email triggering during "resend email" action results in email flooding or a spam attack or a financial loss to the company itself
Description When a user is setting up 2FA , a verification code will be sent to the registered email . There is no rate limit on email triggering that will result in an email flood / does attack or will also increase the expenses on your mail server as an attacker can send 1 million emails throug...
User's session persist after permanently deleting his account
Description If a user is logged in, and an admin decided to delete his account permanently, the user is still able to perform his normal actions until his session gets expired. If a logged in user with admin role is deleted permanently, he's still able to delete other admins permanently, and if...
XSS with CSP bypass on WEB instances
📝 Description Drawio WEB instancesn allows https://storage.googleapis.com in CSP script-src, abusing the XSS found in this report, it is possible to bypass the CSP and leak private diagram content. 🕵️♂️ Proof of Concept On the web application side, the javascript execution is protected by the...
Access violation near NULL on destination operand eval.c:2603:37 in segmentation fault
Description Access violation near NULL on destination operand eval.c:2603:37 in segmentation fault Proof of Concept Faulting Frame: eval1 @ 0x0000000000d9e9d2: in /root/vim/src/vim Disassembly: 0x0000000000d9e9bd: mov rax,r14 0x0000000000d9e9c0: shr rax,0x3 0x0000000000d9e9c4: mov al,BYTE PTR...
Heap-based Buffer Overflow in function compile_lock_unlock in vim/vim
Description Heap-based Buffer Overflow in function compilelockunlock at vim/src/vim9cmds.c:196 vim version git log commit 326c5d36e7cb8526330565109c17b4a13ff790ae grafted, HEAD - master, tag: v9.0.0194, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S poc2hboM.dat -c :qa!...
Stored XSS on Categories
Description Title parameter in the body of POST request when creating/editing a category is vulnerable to stored XSS. Proof of Concept 1 - Go to https://demo.microweber.org/demo/admin/view:content/action:categories 2 - Create a category or edit an existing one. 3 - Modify the title to an XSS...
Heap-based Buffer Overflow in function ins_compl_infercase_gettext()
Description Heap-based Buffer Overflow in function inscomplinfercasegettext at src/insexpand.c:645 vim version commit 3a393790a4fd7a5edcafbb55cd79438b6e641714 Author: Dominique Pelle Date: Thu Jul 14 17:40:49 2022 +0100 patch 9.0.0053: E1281 not tested with the old regexp engine Problem: E1281 no...
Heap-based Buffer Overflow in function ins_compl_add
Description Heap-based Buffer Overflow in function inscompladd at insexpand.c:751 vim version git log commit 324478037923feef1eb8a771648e38ade9e5e05a HEAD - master, tag: v9.0.0042, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbor4s.dat -c :qa!...
Reflected XSS on /api/module
Description Reflected XSS via filter bypass on /api/module using type= parameter. Proof of Concept https://demo.microweber.org/demo/api/module?type=alert"xss"&liveedit=true&fromurl=test The value of the "type" parameter is injected into the source code of the page at line 63. Since the value of t...
Unrestricted Upload of File with any dangerous extension
Description Unrestricted Upload of File with any extension Proof of Concept 1. Create a ticket 2. Upload a file with any dangerous extension 3. Intercept the request in Burp Suite, replace the Content-Type with image/jpeg POC video:...
No Protection against Bruteforce attacks on Login page
Description Nakama Console does not have any limit for the number of unsuccessful login attempts in a very short period of time. Proof of Concept 1. Send a login request. 2. Capture the login request 3. Replay the login request with different password value. HTTP request http POST...
The trudesk application allows large characters to insert in the input field "Name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in polonel / trudesk
Proof of Concept 1 - Go to Profile or https://docker.trudesk.io/profile 2 - and fill name input field with huge characters Payload :- https://drive.google.com/file/d/17-SH8ZaTqBTQGugpbh2SQtTKnJOL9NIK/view?usp=sharing Video POC :-...
SSRF via Unvalidated Redirects in ProxyServlet
Description Through the ProxyServlet external content can be retrieved. This can be done by providing a URL in the url query parameter. There are a few restrictions in place, especially internal hosts are forbidden. The validation of the url parameter looks as follows:...
Improper Privilege Management API V2
Description There are some api v2 doesn't check permission allow attackers to retrieve/edit information ticket,account,group,department,team,ElasticSearch Proof of Concept Get users list 1. Login. 2. Go to /api/v2/accounts?type=all. 3. Users list return. Create user with admin role 1. Get the adm...
Cross-site Scripting (XSS) - Stored
Description openemr / openemr is vulnerable to Cross-site Scripting XSS - Stored Proof of Concept // Poc alertdocument.cookie steps to reproduce: 1 login open emr patient portal https://demo.openemr.io/openemr/portal/index.php 2 goto my profile in https://demo.openemr.io/openemr/portal/home.php...
Buffer Over-read in function utfc_ptr2len
Description Buffer Over-read in function utfcptr2len at mbyte.c:2113 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch8s.dat -c :qa!...
heap-use-after-free
Description Whilst experimenting with radare2, built from version 5.6.8, we are able to induce a vulnerability at newrbtree.c:411 in function rrbnodenext , using radare2 as a harness. 409: RAPI RRBNode rrbnodenextRRBNode node 410: rreturnvaliffail node, NULL; //use-after-free here 411: if...
Command Injection vulnerability in [email protected]
Command Injection vulnerability in [email protected] git-interface describes itself as a Interface to work with a git repository in node.js Resources: Project's GitHub source code: https://github.com/yarkeev/git-interface Project's npm package: https://www.npmjs.com/package/git-interface I'm...
Out-of-bounds read
Description Out-of-bounds OOB read vulnerability exists in analop function in Radare2 5.6.7 Version bash radare2 5.6.7 27722 @ linux-x86-64 git.5.6.6 commit: e876eef2a2f758157dd6028fb01809bcedacf00f build: 2022-04-0107:03:35 Proof of Concept bash radare2 -q -A poc poc ASAN bash ==2143069==ERROR:...
Weak secrethash can be brute-forced
Description The secrethash, which the application relies for multiple security measures, can be brute-forced. The hash is quite small, with only 10 characters of only hexadecimal, making 16^10 possilibities 1.099.511.627.776 . The SHA1 of the secret can be obtained via a captcha string and...
Non Privilege User can Enable or Disable Registered
Vulnerability Type Insecure Direct Object Reference Affected URL https://localhost/openemr-6.0.0/interface/modules/zendmodules/public/Installer/manage Affected Parameters “modAction=enabled” Authentication Required? Yes Issue Summary Non-privilege users accounting & front-office can disable and...
use after free in mrb_vm_exec
While fuzzing mruby I found a use after free in mruby compiled with ASAn. Proof of Concept uaf5.rb rb...
Stored XSS via File Upload in star7th/showdoc in star7th/showdoc
Description Stored XSS via uploading file in .ofd format. Proof of Concept filename="test.ofd" alert1 Steps to Reproduce 1. Login into showdoc.com.cn. 2. Navigate to file library https://www.showdoc.com.cn/attachment/index 3. In the File Library page, click the Upload button and choose the test.o...
Unrestricted Upload of File with Dangerous Type
Description Malicious user can bypass checking and upload .phtm or .php6 file which leads to stored XSS. Proof of Concept - Step 1: Login as admin at https://demo.microweber.org/demo/admin/ - Step 2: Go to Websites setting and Edit any page https://demo.microweber.org/demo/admin/page/24/edit -...
Cross-site Scripting (XSS) - Stored
Description Stored XSS in parameter Name when save Grid Options Proof of Concept // PoC.req POST /admin/object-helper/grid-save-column-config HTTP/1.1 Host: 10.x-dev.pimcore.fun Cookie: PHPSESSID=cef9a977bc8ae8591f7b3b14bcafedf4; pimcoreadminsid=1;...
Cross-site Scripting (XSS) - Stored
Description Stored XSS via upload attachment with format .xml in File Library. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept PoC.xml...
Improper Access Control
Description It was found that if a user is not having access to the requested items module, a normal user with no access can still access and view the requested content. It is a more detailed explanation of the given report where it was marked as invalid :...
Authorization Bypass Through User-Controlled Key
Description Bypass https://hackerone.com/reports/496293 via \b backspace character. Proof of Concept const parse = require'./index.js' url = parse'\bhttp://google.com' console.logurl Result: slashes: false, protocol: '', hash: '', query: '', pathname: '\bhttp://google.com', auth: '', host: '',...
Improper Access Control in chocobozzz/peertube
Description The app doesn't check the status of video when making data changes. Normal users can rating like or dislike in private videos. Proof of Concept note: I'm using instance p.lu for testing - Step 1: Login as video test1 and upload private video. Get video ID of private video - Step 2: Ca...
Business Logic Errors in microweber/microweber
Description The product is vulnerable to Business Logic error through negative product amount. Proof of Concept Step 1: Login to the application, Navigate to Shops - Products - Add Product Step 2: Fill in all the required details with Pricing parameter as -100 and click on save. Here an item is...
Exposure of Sensitive Information to an Unauthorized Actor in fgribreau/node-request-retry
Exposure of Sensitive Information to an Unauthorized Actor in FGRibreau/node-request-retry Reported on Feb 10 2022 | Timothee Desurmont Vulnerability type: CWE-200 Bug Cookies are leaked to external sites. Description js request$mysite/redirect.php?url=$attacker/, options When fetching a Redirect...
in vim/vim
Description A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build lastest commit hash...
in lquixada/cross-fetch
BUG ====== Cookie header leaked to third party site and it allow to hijack victim account SUMMURY ============ When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to...
Heap-based Buffer Overflow in vim/vim
✍️ Description When fuzzing vim commit cd2f8f0e0 works with latest build and latest commit 7c0fb8003 per this time of this report v8.2.3811 with clang 13 and ASan, I discovered a heap buffer overflow. Proof of Concept Here is the poc bash ev0- How to build bash LD=lld AS=llvm-as AR=llvm-ar...
Path Traversal in getgrav/grav
Steps: Host the project locally. For example if address is http://127.0.0.1:8088 == visit http://127.0.0.1:8088/system/config/permissions.yaml http://127.0.0.1:8088/system/config/permissions.yaml == you will get the content of permissions.yaml file. Impact: Successful exploitation could allow an...
in adodb/adodb
Description An attacker can inject values into the PostgreSQL connection string by bypassing adodbaddslashes . The function can be bypassed in phppgadmin for example by surrounding the username in quotes and submitting with other parameters injected in between. Proof of Concept I'm going to use...
Heap-based Buffer Overflow in vim/vim
Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Version :...
in bookstackapp/bookstack
Description The dompdf chroot option in Bookstack App is set to basepath, which is the Laravel root folder /var/www/bookstack. An attacker can hence load any image file in the Laravel folder /var/www/bookstack or its subdirectories via PDF exports. Proof of Concept 1: Place an image file in...
Heap-based Buffer Overflow in vim/vim
When fuzzing vim commit 56858e4ed works with latest build with clang 12 and ASan, I discovered a heap buffer overflow. Proof of Concept Here is minimized poc sh /%.v 5/ c Extract then run crafted file with this command vim -u NONE -X -Z -e -s -S vimpoc1 -c :qa! ASan stack trace: bash...
Prototype Pollution in jonschlinkert/set-value
✍️ Description set-value package is vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. 🕵️♂️ Proof of Concept...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
💥 BUG Stored xss bug using file upload against admin . 💥 SUMMURY Here trudesk only allow to upload image file but it can be bypassed and attacker can upload html file . As html file can serve any javascript code ,so attacker can execute any javascript code in vicitm trudesk account . 💥 IMPACT low...
Prototype Pollution in yeikos/js.merge
Overview merge is used to merge multiple objects into one object. Affected versions of this package are vulnerable to Prototype Pollution via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all object...
Job API exposed without authorization
This report is not public...