4073 matches found
Unrestricted Upload of File with Dangerous Type
Description Malicious user can bypass checking and upload .phtm or .php6 file which leads to stored XSS. Proof of Concept - Step 1: Login as admin at https://demo.microweber.org/demo/admin/ - Step 2: Go to Websites setting and Edit any page https://demo.microweber.org/demo/admin/page/24/edit -...
Heap-based Buffer Overflow
Description Heap overflow occurs in winlbrchartabsize. commit :592f6250017c31c8996325403e511f4502077ba5 Proof of Concept poc $ echo -ne "c2UgZW5jb2Rpbmc9aXNvODg1OQpub3JtOnNlIAEbCnNlIHZhcnRhYnN0b3A9NDAwCm5vcm0waTAw CQQ=" | base64 -d poc Valgrind $ /valgrind/vg-in-place -s /vim-debug/src/vim -u NON...
Heap-based Buffer Overflow
Description heap-buffer-overflow /home/ubuntu/fuzz/radare2/libr/include/rendian.h:176 in rreadle32 Environment Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal radare2 5.6.3 27472 @ linux-x86-64 git.5.6.2 commit: d24dbb9fbb0b398a6a739847008ccef3ea7e687c ASAN...
Cross-site Scripting (XSS) - Reflected
Description The user-controlled GET domain parameter in index.php is unsanitized resulting in Reflected Cross-Site Scripting. Proof of Concept Endpoint: GET https://HOST/edit/web/ // File: /web/edit/web/index.phpL28 // List domain $vdomain = $GET'domain'; // User controllable parameter if...
Cross-site Scripting (XSS) - Reflected in phoronix-test-suite/phoronix-test-suite
Description Hi, i found a Reflected XSS vulnerability POST based XSS + no CSRF token in phoronix test suite, Results tab. Proof of Concept Install a local instance of phoronix create a Search results form like this: // PoC.html history.pushState'', '', '/' document.forms0.submit; // and send to...
Cross-site Scripting (XSS) - Reflected in phpipam/phpipam
Description Cross-Site Scripting vulnerability which allows attackers to execute arbitrary javascript code in the browser of a victim which affected import Data set feature via a spreadSheet file upload. Proof of Concept Endpoint 1 POST http://HOST/app/admin/import-export/import-vlan-preview.php ...
in radareorg/radare2
NULL pointer dereference in loadbuffer radare2 suffers from a NULL pointer dereference error in loadbuffer of binxnukernelcache.c Environment date Fri Jan 28 11:03:53 PST 2022 uname -ms Linux x8664 ./radare2 -v radare2 5.5.5 27531 @ linux-x86-64 git.5.5.4 commit:...
Business Logic Errors in crater-invoice/crater
Description It is found that comapny currency can not be changed since the field is disabled as shown in the screenshot but it can be changed by tampering the parameter. Proof of Concept Actual Request POST /api/v1/company/settings HTTP/1.1 Host: demo.craterapp.com User-Agent: Mozilla/5.0 Windows...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS is found in SettingsLive help configurationIncoming Webhooks. When a user creates a new webhook under the NAME field and puts a payload constructor.constructor'alert1', the input gets stored, and every time the user visits, the payload gets executed. Proof of Concept...
in follow-redirects/follow-redirects
BUG ====== Cookie header leaked to third party site and it allow to hijack victim account SUMMURY ============ When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to...
None in vim/vim
Description A use after free vulnerability has been found in vim 8.2.3931 commit hash febb78fa1798e0f95983b3f7881419a754886df5. The bug has been reproduced on Ubuntu 20.04 with gcc 9.3.0. Proof of Concept After building vim with gcc and ASAN run vim with the following session file: $ echo -ne...
None in vim/vim
Description Hello there! Hope you are having an awesome day! 🤗 After I saw the last Rick de Jager's report, I decided to pick up their PoC as a valid input for fuzzing vim on its patch 8.2.3912, and ended up finding a new case of double-free! For testing, I compiled vim with GCC 9.3.0, and my O.S...
Improper Privilege Management in shelljs/shelljs
Details If ShellJS scripts running locally are using ShellJS exec function, local users on the filesystem can read the stdout of the running ShellJS process to disclose sensitive information present in the privileged process. This may leak sensitive information present in the privileged process...
in dotcms/core
Description Hello, dotCMS has an XXE vulnerability in the template design page. To exploit this flaw, a attacker needs the permission to edit and preview templates, and this can be abused to read internal files Video Poc This section of the documentation explain how to use the XMLTool in the...
Cross-site Scripting (XSS) - Stored in elgg/elgg
Analysis Hello guys, how are doing? Hope you're having an awesome day 🤗 Elgg has a functionality for any authenticated user to report pages to the administrators whenever they think that there's something wrong going on with this page. This functionality has an issue, because in order to create a...
Heap-based Buffer Overflow in allinurl/goaccess
Description Good evening and Happy Turkey Day! We are truly thankful for the Open Source Security community this year. Whilst testing goaccess built from commit 9774249, we discovered a crafted log which can trigger a heap-buffer-overflow during a memcmp operation on line 1525 of /src/parser.c...
in bookstackapp/bookstack
Description The dompdf chroot option in Bookstack App is set to basepath, which is the Laravel root folder /var/www/bookstack. An attacker can hence load any image file in the Laravel folder /var/www/bookstack or its subdirectories via PDF exports. Proof of Concept 1: Place an image file in...
Path Traversal in bookstackapp/bookstack
Description A path traversal vulnerability in BookStacks export function allows for the exposure of sensitive files in local or localsecure Laravel filesystems. Proof of Concept 1: Write the following in a new page: 2: Export in contained HTML to find the .htaccess file base64 encoded 3: If the...
Cross-site Scripting (XSS) - Reflected in craigk5n/webcalendar
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Inefficient Regular Expression Complexity in daaku/nodejs-tmpl
✍️ Description It allows cause a denial of service when formatting crafted string. 🕵️♂️ Proof of Concept // PoC.js var tmpl = require"tmpl" forvar i = 1; i = 50000; i++ var time = Date.now; var attackstr = ""+"".repeati10000+"answer"; tmplattackstr, answer: 42 var timecost = Date.now - time;...
Open Redirect in digitalbazaar/forge
✍️ Description parseUrl functionality in node-forge mishandles certain uses of backslash such as https:///\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol, and treat it as a normal slash, while node-forge sees it as a relative path and leads to URL...
in postfixadmin/postfixadmin
✍️ Description uniqid is used as input to MD5 when generating a PFATOKEN I'll refer to this as a session token - the function uniqid is not a CSPRNG but rather is a PRNG meaning that it cannot generate cryptographically reliable/secure values. 🕵️♂️ Proof of Concept Execute the below code: PHP "; ?...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
💥 BUG Stored xss bug using file upload against admin . 💥 SUMMURY Here trudesk only allow to upload image file but it can be bypassed and attacker can upload html file . As html file can serve any javascript code ,so attacker can execute any javascript code in vicitm trudesk account . 💥 IMPACT low...
NULL Pointer Dereference in function gf_filter_pck_new_alloc_internal
Description NULL Pointer Dereference in function gffilterpcknewallocinternal at filtercore/filterpck.c:108. Version git log commit 5692dc729491805e0e5f55c21d50ba1e6b19e88e HEAD - master, origin/master, origin/HEAD Author: Aurelien David Date: Wed Oct 11 13:24:46 2023 +0200 ac3dmx: add remain size...
CWE-476 leads to potential OOB Read
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the master branch as of 09/25 at commit f109bf93c9402e4e3122a7ae7846e6feae4fa222 . Description This AddressSanitizer output is indicating a OOB read that is semi-controllable, but is...
heap-buffer-overflow in function vim_regsub_both
Description heap-buffer-overflow in vimregsubboth at regexp.c:2482 Version git log commit e073a8b79f1d3398b27f35b7920746b564a169e9 HEAD - master, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S vimregsubbothpoc -c :qa! helplang=en readonly...
Cross-Site Scripting ( XSS) Via file upload
Description I tested the demo site you provided. I see that there is a file upload vulnerability which can lead to XSS. Hope you check and find a solution as soon as possible. Proof of Concept link video Poc https://drive.google.com/file/d/1LAcTulbfhGJfCmWdIel9e-SkuoQbDq/view?usp=sharing Steps 1...
heap-buffer-overflow in function avi_read media_tools/avilib.c:67 in gpac/gpac
Description Heap-buffer-overflow in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Cross-site Scripting (XSS) - Reflected
Description Reflected Cross-Site Scripting XSS vulnerability allows attackers to execute arbitrary external javascript code in the browser. In the application there exists a XSS vulnerability that occurs in the api: Payload: "alertwindow.location GET /system/api/restApiViewer: Passing XSS payload...
Heap-based Buffer Overflow
Description heap-buffer-overflow p/bf/plugin.c:176 in decode Environment radare2 5.8.9 31000 @ linux-x86-64 commit: 95b648f0907e91e10d55fc48147a7dae99029c5b Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan"...
HTML injection Leads to Open redirection
Description HTML Injection Leads to Open Redirection is a dangerous web security issue. Attackers inject malicious HTML code into vulnerable websites, allowing them to execute harmful scripts in users' browsers. This may lead to unauthorized actions on users' behalf and redirect them to malicious...
Stored XSS via SVG Upload
Description By uploading an SVG file containing JavaScript code in the file upload function on the administrator screen, it is possible to execute any script on the browser of the accessing user. Proof of Concept Log in to the administrator screen, access the Assets page, and upload the SVG file...
Reflected XSS in /editor_tools/rte_image_editor
Description Reflected Cross-Site Scripting Vulnerability in types GET parameter on the /editortools/rteimageeditor endpoint Proof of Concept in File microweber/userfiles/modules/microweber/toolbar/editortools/rteimageeditor/index.php on Line 15, we can observe the source $GET'types' being saved...
Improper handling of input value leads to Remote Code Execution or Denial of Service
Description Some value in some input field was directly inserted into a file called "tp.config.php", an attacker can inject malicious PHP code to perform a remote code execution attack. Proof of Concept Go to Settings - MFA - Duo Security function, input this payload: ',; phpinfo; ?// on the...
Local file read through %load_json
Description When ALLOWPLANTUMLINCLUDE is set to false the default settings in the online server, !include processing is turned off, preventing local files from being read. However, other features like %loadjson can still access local files. Since many people will run plantuml-server in its defaul...
SQL injection in some Admin Sort functions
Description SQL injection due to unsanitized concatenating strings into ORDER BY clause, 'sort' parameter Proof of Concept Log in as an admin, go to Admin Translations or Application Logger functions, and perform a sort action Observer the request on Burpsuite and injection point is the 'sort'...
XSS to RCE found in Trilium
Vulnerability Type Remote Code Execution RCE Authentication Required? No Affected Location - Search Notes Search Ancestor Output - Jump to Note Search Note Output - New Tab Search Notes Output Issue Summary The application contains a vulnerability where HTML characters within the title name of...
SIGSEGV at libr/bin/p/bin_coff.c:509 in patch_relocs()
Description radare2 5.8.2 misparses symbol information in COFF files, causing a segmentation fault in patchrelocs at libr/bin/p/bincoff.c:509 Proof of Concept input.bin 00000000: 6603 e846 4058 6458 4036 5858 5858 5868 f..F@XdX@6XXXXXh 00000010: 5858 7063 5858 5840 0038 00de 57ff ffff...
Reflected XSS in Predefined Properties module in Settings
Description During testing the pimcore application, I found that it is vulnerable to XSS vulnerability in Predefined Properties module in Settings, specifically at Name field. Proof of Concept 1.Go to https://11.x-dev.pimcore.fun/admin/ then login. 2.Go to Settings - Predefined Properties and add...
XSS in Document Types module in Settings
Description pimcore is vulnerable to XSS at Name field in Document Types module in Settings. Payload " Proof of Concept 1.Go to https://11.x-dev.pimcore.fun/admin/ and login. 2.In the left menu bar, go to Settings - Document Types and click on Add button to add a new record. 3.Edit the New Docume...
SQL Injection in 'core/ajax/ajax_data.php'
Description There exists an SQL injection affecting the customerid parameter located in the file core/ajax/ajaxdata.php Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/core/ajax/ajaxdata.phpL537 sql where stockproductid =...
Stored DOM-based Cross-site Scripting in Tags Functionality
Description A stored, DOM-based cross-site scripting vulnerability exists in answer version 1.0.4 within the question tagging functionality. Steps Step 1. Log in. Step 2. Proceed to create a new question. Populate the Title and Body input. Step 3. Click on the Add tag button, shown in the followi...
Account Takeover via reset password
Description Password recovery leads to Account Take Over due to reset code leakage. Proof of Concept Create an acount in https://meta.answer.dev/ and verify mail, then log out. Go to password recovery https://meta.answer.dev/users/account-recovery, insert your email and capture the server respons...
Improper authorization
Description In phpIPAM 1.5.1, an unauthenticated user could download the list of high-usage IP subnets that contains sensitive information such as a subnet description, IP ranges, and usage rates via findfullsubnets.php endpoint. The bug lies in the fact that findfullsubnets.php does not verify i...
Race Conditional exists in the collection
Description Ordinary users can use this vulnerability to attack other users' question collection, which can break through a single user's operation of only collecting or canceling the collection, resulting in too many or negative collections Proof of Concept step1 . Open burp, click collection, a...
session fixation
Description A session fixation attack allows an attacker to hijack a legitimate user session. The attack investigates a flaw in how the online application handles the session ID, especially the susceptible web application. Proof of Concept...
Stored XSS while creating a new post
Description After login to portal create a new post and type the following text with XSS payload Proof of Concept 1. Login to portal. 2. create a post with xss paylaod 3. save it Payload 09;& Poc: !alt textlogo logo: https://i.imgur.com/SHDZRWt.png !alt textlogo1 logo1:...
Stored XSS with CSP bypass through JS file upload
Description I've seen here: https://github.com/usememos/memos/blob/main/server/resource.goL268 that has been implemented the CSP with "default-src 'self'" configuration. This configuration can be bypassed if I'm able to upload a js file, and then call it from another files while they both resides...
Path Traversal when upload file
metersphere allow users to upload file, but not check the file name. Poc can be found in the link...
Blind Stored XSS in administration panel
Description Blind stored XSS : any visitor user without any privilege can create "Proposal for a new FAQ" at the following URL https://roy.demo.phpmyfaq.de/index.php?action=add&cat=0 and add XSS payload in "Your question" input field allows any anonymous visitor can steal admin cookies also...