4072 matches found
Cross-site Scripting (XSS) - Stored in polonel/trudesk
๐ฅ BUG Stored xss bug using file upload against admin . ๐ฅ SUMMURY Here trudesk only allow to upload image file but it can be bypassed and attacker can upload html file . As html file can serve any javascript code ,so attacker can execute any javascript code in vicitm trudesk account . ๐ฅ IMPACT low...
Prototype Pollution in yeikos/js.merge
Overview merge is used to merge multiple objects into one object. Affected versions of this package are vulnerable to Prototype Pollution via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all object...
Job API exposed without authorization
This report is not public...
NULL Pointer Dereference in function gf_filter_pck_new_alloc_internal
Description NULL Pointer Dereference in function gffilterpcknewallocinternal at filtercore/filterpck.c:108. Version git log commit 5692dc729491805e0e5f55c21d50ba1e6b19e88e HEAD - master, origin/master, origin/HEAD Author: Aurelien David Date: Wed Oct 11 13:24:46 2023 +0200 ac3dmx: add remain size...
CWE-476 leads to potential OOB Read
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the master branch as of 09/25 at commit f109bf93c9402e4e3122a7ae7846e6feae4fa222 . Description This AddressSanitizer output is indicating a OOB read that is semi-controllable, but is...
heap-buffer-overflow in function vim_regsub_both
Description heap-buffer-overflow in vimregsubboth at regexp.c:2482 Version git log commit e073a8b79f1d3398b27f35b7920746b564a169e9 HEAD - master, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S vimregsubbothpoc -c :qa! helplang=en readonly...
Cross-Site Scripting ( XSS) Via file upload
Description I tested the demo site you provided. I see that there is a file upload vulnerability which can lead to XSS. Hope you check and find a solution as soon as possible. Proof of Concept link video Poc https://drive.google.com/file/d/1LAcTulbfhGJfCmWdIel9e-SkuoQbDq/view?usp=sharing Steps 1...
heap-buffer-overflow in function avi_read media_tools/avilib.c:67 in gpac/gpac
Description Heap-buffer-overflow in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
HTML Injection
Description I think your website is quite secure. But you overlooked the HTML Injection vulnerability ID:WSTG-CLNT-03 of OWASP. Proof of Concept 1 .Login with demo account 2 .Access the link https://demo.librenms.org/search/search=ipv4 and insert the payload search=test/b 3 .Hit enter, html...
Heap-based Buffer Overflow
Description heap-buffer-overflow p/bf/plugin.c:176 in decode Environment radare2 5.8.9 31000 @ linux-x86-64 commit: 95b648f0907e91e10d55fc48147a7dae99029c5b Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan"...
XSS vulnerabilities via various embeds
Description JSFiddle, Gliffy, Otter and Tldraw embeds lack sufficient input validation. Every one of them can be abused to achieve a stored XSS on a main application domain. This XSS triggers for everyone viewing the document. Proof of Concept PoC file is different for each vulnerable embed. See...
Reflected XSS in /editor_tools/rte_image_editor
Description Reflected Cross-Site Scripting Vulnerability in types GET parameter on the /editortools/rteimageeditor endpoint Proof of Concept in File microweber/userfiles/modules/microweber/toolbar/editortools/rteimageeditor/index.php on Line 15, we can observe the source $GET'types' being saved...
OOB Write ops.c
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the master branch at commit 50809a45ebde327cb6fdcc727d7466e926aed713 . Description This AddressSanitizer output is indicating a write to the 0x7fd0c2103000 address, this is because the...
NULL Pointer Dereference
Description NULL Pointer Dereference In gfisomfragmentaddsampleex isomedia/moviefragments.c:2883 Environment No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal Build sudo CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan"...
XSS to RCE found in Trilium
Vulnerability Type Remote Code Execution RCE Authentication Required? No Affected Location - Search Notes Search Ancestor Output - Jump to Note Search Note Output - New Tab Search Notes Output Issue Summary The application contains a vulnerability where HTML characters within the title name of...
sql injection
Description multiple sql injections due to unsanitized concatenating strings into where clause Collaborator: @ub3rsick Proof of Concept - assets controller 1- to trigger the request for sqli: go to files - assets - select a folder - right click - download as zip 2- replay the request to...
Stored XSS in Admin Panel
Description The admin panel admin.php does not properly sanitize the text in the "Site Name" field, allowing a user with admin access to inject arbitrary HTML. This is in a similar vein to CVE-2022-4733 but still exists as of version 7.0.1-dev. Proof of Concept 1. Log in as a user with admin...
Session Fixation Vulnerability
Description It was noticed that the easyappointments application is vulnerable to Session Fixation vulnerability. The application does not generate a new easession cookie after the user authenticate successfully into the application. A malicious user is able to create a new session cookie value a...
XSS in Document Types module in Settings
Description pimcore is vulnerable to XSS at Name field in Document Types module in Settings. Payload " Proof of Concept 1.Go to https://11.x-dev.pimcore.fun/admin/ and login. 2.In the left menu bar, go to Settings - Document Types and click on Add button to add a new record. 3.Edit the New Docume...
null pointer dereference in class_object_index at vim9class.c:1356
Description null pointer dereference in classobjectindex at vim9class.c:1356 variable cl in classobjectindex at vim9class.c:1254 is NULL at last, reference to cl refers to NULL Version $ git log commit c727b19e9f1df36e44321d933334c7b4961daa54 HEAD - master, tag: v9.0.1374, origin/master,...
SQL Injection in 'core/ajax/ajax_data.php'
Description There exists an SQL injection affecting the customerid parameter located in the file core/ajax/ajaxdata.php Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/core/ajax/ajaxdata.phpL537 sql where stockproductid =...
SQL injection search function
Description Please enter a description of the vulnerability. Link POC: https://drive.google.com/drive/folders/1oFZPVrJ7lID7tDArO8spsMy1VYr4oOb?usp=sharing Proof of Concept Step 1: login https://demo.pimcore.fun/admin/ Step 2: user search function and intercept request with burp Step 3: Exploit ti...
Reflected XSS in send2friend.php
Description There is a reflected XSS in send2friend because the 'artlang' parameter is not sanitized. Proof of Concept visit http://phpmyfaq.local/?action=send2friend&artlang=aaaa"%3E%3Cscript%3Ealert1;%3C/script%3E Fix sanitize the '$faqLanguage' variable in...
XSS in hyperlink when create FAQ News
Description Stored Cross-Site Scripting XSS through hyperlinks refers to a type of security vulnerability that occurs when an attacker injects malicious code into a hyperlink, which is then stored in the application's database or web server. When a user clicks on the infected hyperlink, the...
RCE by Server Side Template Injection
Description Hi, During my testing, I discovered that it is possible to inject code into the system through the "first name" field. This vulnerability allows for server-side template injection, which can lead to arbitrary code execution. The impact of this vulnerability is potentially significant...
Stored DOM-based Cross-site Scripting in Tags Functionality
Description A stored, DOM-based cross-site scripting vulnerability exists in answer version 1.0.4 within the question tagging functionality. Steps Step 1. Log in. Step 2. Proceed to create a new question. Populate the Title and Body input. Step 3. Click on the Add tag button, shown in the followi...
SSL certificate verification disabled
Description When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived...
Froxlor 2.0.6 Remote Command Execution via Arbitrary File Write and Server Side Template Injection
Description Froxlor 2.0.6 Stable is suffering from Remote Command Execution that was achieved by chaining two bugs, the first one is an arbitrary file write on the logging feature, which allows an authenticated attacker to point the log file to any writable path even if it was the web server...
Stored XSS by link markdown
Description The site allows link markdown but does not validate, resulting in XSS. Proof of Concept Create new memo with payload Click me! Hold Ctrl and click to Click me!, a alert with content is domain name appear...
Local File Read through Improper Filename Validation
Description This vulnerability occur because there is no filename validation on logoimagelogin and logoimageheader on import and export function. Attacker can use path traversal payload to leak local file such as /etc/passwd or froxlor config file. Proof of Concept 1. Go to import function on...
Stored XSS with CSP bypass through JS file upload
Description I've seen here: https://github.com/usememos/memos/blob/main/server/resource.goL268 that has been implemented the CSP with "default-src 'self'" configuration. This configuration can be bypassed if I'm able to upload a js file, and then call it from another files while they both resides...
Path Traversal when upload file
metersphere allow users to upload file, but not check the file name. Poc can be found in the link...
Cross Site Scripting (XSS) Reflected
Description Reflected cross-site scripting or XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept https://github.com/phpipam/phpipam/blob/master/app/subnets/mail-notify-subnet.php look in line 94-9...
Floating point exception in function num_divide at eval
Floating point exception in function numdivide at eval.c:70...
Stored XSS via SVG File
Description flatpresshas a feature to upload file "uploader" and display from "media manager". By uploading SVG files, the users can perform Stored XSS attack. Copy the following code and save as filename.svg. Proof of Concept alertdocument.domain 1. login to...
No Limit in length of username , results in memory consumption/DOS attack
Description There must be a fixed length for user input parameters like username. Allowing users to enter long strings may result in a DOS attack or memory corruption Proof of Concept 1Go to https://rdiffweb-demo.ikus-soft.com/admin/users endpoint . 2Click on add user 3Here you will see that ther...
Stack-based Buffer Overflow in function ex_finally
Description stack-buffer-overflow in exfinally function Proof of Concept https://raw.githubusercontent.com/xiowane/testfile/main/test ASAN console ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /src/results/crashes/test -c :qa! =================================================================...
Heap-based Buffer Overflow in function utfc_ptr2len
Description Heap-based Buffer Overflow in function utfcptr2len at vim/src/mbyte.c:2125. vim version git log commit 470a14140bc06f1653edf26ab0b3c9b801080353 grafted, HEAD - master, tag: v9.0.0461, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Stored Cross-Site Scripting (XSS)
Description It is possible to upload HTML files containing JavaScript Payload to the FileStorage as a low-privilege user with the corresponding permissions. When opening the HTML file via an indirect link, the JavaScript Code is executed. Proof of Concept Steps to reproduce: 1. Login to the backe...
ZipSlip Symlink variant allows to read any file within OctoPrint Box
Using the ZipSlip symlink variant, it is possible to steal any file from the OctoPrint remote server via an upload of a maliciously crafted archive as a language pack and download the stolen files within a backup archive. To set up the Octoprint web application, we used the dockerized version bas...
Exposure of "Forgot Password" Token on Comments Controller Leads to Account Takeover
Hello there! Hope you are doing great! Description While digging into your app's source code, I noticed that the getComment function, that can be found on CommentController, had an IDOR, but when I went to an actual instance of Tooljet and tested it, I noticed that it's way worse than that! ๐ฑ Thi...
Persistent Cross Site Scripting - LayoutEditor Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, On LayoutEditor module from Settings, the type of fieldModel-label parameter is "Text" but it is not validated and it's used directly without any encoding or validation on LayoutEditor/EditField.tpl. It...
Use After Free in function find_var_also_in_script
Description Use After Free in function findvaralsoinscript at vim/src/evalvars.c:3174 vim version git log commit 887748742deae3d6de7aa0fdbb042afe1ccf5e7a grafted, HEAD - master, tag: v9.0.0222, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc3huaf.dat -...
Heap-based Buffer Overflow in function latin_ptr2len
Description Heap-based Buffer Overflow in function latinptr2len at vim/src/mbyte.c:1088 . vim version git log commit 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 grafted, HEAD - master, tag: v9.0.0213, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S poc4hbo.dat -c :qa!...
parser bypass and make SSRF attack
parse-url inproperly detecting protocol,resource and Pathname . This allow to bypass protocol check . Also this bug make ssrf check bypass\ \ lets check normal url result for parse-url import parseUrl from "parse-url"; console.logparseUrl"http://nnnn@localhost:808/?id=xss" protocols: 'http' ,...
No Rate Limit On Reset Password Page
Description I have identified that when Reset Password for account , the request has no rate limit which then can be used to loop through one request. This can annoy to the root users sending mass password to one email. A rate limiting algorithm is used to check if the user session or IP-address...
Stored Cross-site Scripting (XSS) leads to Account Takeover
๐๏ธ Requirements - Be able to edit or create documents. - Click of a user on the link. ๐ Description The markdown's link creation feature does not properly sanitize url input, which allows to use error event to execute javascript. Furthermore, due to a lack of HttpOnly flag on sessions cookie, it i...
Out-of-bounds Read in function ins_bytes
Description Out-of-bounds Read in function insbytes at change.c:968 vim version git log commit 9610f94510220c783328e1857af87a6ae7bc20b4 HEAD - master, tag: v9.0.0014, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocobr4s.dat -c :qa!...
Reflected XSS on /editor_tools/module
Description Reflected XSS with filter bypass on /editortools/module using type= parameter. Proof of Concept https://demo.microweber.org/demo/editortools/module?type="alert"xss" The value of the "type" parameter is injected into the source code of the page at line 38. Since the value of the "type"...
Possible prototype pollution in Schema.path
Description Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows...