4072 matches found
session fixation
Description A session fixation attack allows an attacker to hijack a legitimate user session. The attack investigates a flaw in how the online application handles the session ID, especially the susceptible web application. Proof of Concept...
Stored XSS while creating a new post
Description After login to portal create a new post and type the following text with XSS payload Proof of Concept 1. Login to portal. 2. create a post with xss paylaod 3. save it Payload 09;& Poc: !alt textlogo logo: https://i.imgur.com/SHDZRWt.png !alt textlogo1 logo1:...
CSRF allows attacker to post on behalf of victim
Description Cross-Site Request Forgery CSRF is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. Proof of Concept 1 Go to...
Archive any private memos + Delete any Shortcut + Edit any Shortcut from other users
Description User can archive any private memos, Delete any Shortcut and Edit any Shortcut from other users via api PATCH /api/memo/8 HTTP/1.1 "id":8,"rowStatus":"ARCHIVED" PATCH /api/shortcut/2 HTTP/1.1 "id":2,"title":"shortahihix","payload":"" DELETE /api/shortcut/2 Proof of Concept Login to...
Unsanitized input returned in response is conducive to XSS exploitation
Description During the initial installation process it was identified that the "Create user" form that collects user data, does not properly sanitize the data entry and then prints them on the screen with an error message without any apparent validation, thus allowing the insertion of HTML or...
Blind Stored XSS in administration panel
Description Blind stored XSS : any visitor user without any privilege can create "Proposal for a new FAQ" at the following URL https://roy.demo.phpmyfaq.de/index.php?action=add&cat=0 and add XSS payload in "Your question" input field allows any anonymous visitor can steal admin cookies also...
AddressSanitizer: heap-buffer-overflow in alloc.c 246:11
Description ================================================================= ==19339==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000001015 at pc 0x0000004872d8 bp 0x7ffdef721150 sp 0x7ffdef720910 WRITE of size 2 at 0x606000001015 thread T0 Detaching after fork from child proce...
Stack-Based Buffer Overflow in gf_sg_proto_field_is_sftime_offset
Description Stack-Based Buffer Overflow in gfsgprotofieldissftimeoffset at vrmlproto.c:1295. version git log commit 05eaac875354682942b70c790bcd62cb5f4cc825 grafted, HEAD - master, origin/master, origin/HEAD Author: Jean Le Feuvre Date: Mon Nov 14 18:07:45 2022 +0100 fixed msvc warnings ./MP4Box...
Use After Free in function bt_quickfix
Description Use After Free in function at buffer.c:5715 . vim version git log commit 3f0092c141824356b55b11cd3985baaf4df65334 grafted, HEAD - master, tag: v9.0.0777, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc13huaf.dat -c :qa!...
XSS at https://viewer.diagrams.net/
Description The application uses a parameter to specify a url on the refresh and the back button, assigning it to location.href without sanitizing Proof of Concept Go to:...
Desktop APP XSS to RCE
📝 Description Bypass disabled plugins configuration According to its default configuration, drawio desktop disables the use of custom plugin and must be using --enable-plugins to enable it. In addition, draw.io allows you to configure the application mainly the interface using a json file...
Improper Authentication
Description There are two permissions not working correctly: The Licenses - View and Modify License Files & the Self - Create API Keys permission. License Files Files can be uploaded to licenses. There is a permission for users called View and Modify License Files. However, this permission is...
Weak Password Requirements
Description The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. Proof of Concept Steps to reproduce 1. Login to admin account. 2. Drom user account setup create a new user. 3. Full the form username user3 and...
NULL Pointer Dereference in function sug_filltree
Description NULL Pointer Dereference in function sugfilltree at vim/src/spellfile.c:5600. vim version git log commit 4875d6ab068f09df88d24d81de40dcd8d56e243d grafted, HEAD - master, tag: v9.0.0224, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc2null.d...
Format string modifiers in card label
Description When adding a new video device with v4l2loopback-ctl that contains a card label with format string modifiers the kernel driver interprets these when querying the device capabilities, thus leaking kernel memory stack contents. The vulnerability requires the attacker to have access to t...
xss via improper parsing of javascript: url
Description A URL like javascript://example.com%0aalert1 will get incorrectly recognised as a file: protocol. It has nothing to do with escaping as the common characters such as &, , if parsed.protocol !== "javascript" res.send"CLICK ME!" app.listen9999;...
Integer Overflow in function lsr_translate_coords
Description Integer Overflow in function lsrtranslatecoords at laser/lsrdec.c:853 gpac version git log commit ea3af7c8242d1a82657dc3a518df5a5b1b5e27ed HEAD - master, origin/master, origin/HEAD Author: Romain Bouqueau Date: Tue Jun 28 19:25:58 2022 +0200 POC ./MP4Box -bt ./pocintof1s.dat...
Heap-based Buffer Overflow in function utf_ptr2char
Description Heap-based Buffer Overflow in function utfptr2char at mbyte.c:1794 vim version git log commit e366ed4f2c6fa8cb663f1b9599b39d57ddbd8a2a HEAD - master, tag: v8.2.5136, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pochbo3s.dat -c...
InvenTree Deploys a Weak Password Change Mechanism
Description When setting a new user password, InvenTree does not require knowledge of the original password or using another form of authentication. Proof of Concept 1. Log in as a regular user 2. Go to the account settings link 3. Select Set Password 4. Enter any 8-character password string this...
Stored XSS in Part Description
Description The application inventree is vulnerable to Stored XSS in part description field. Proof of Concept Video PoC link: https://drive.google.com/file/d/1ZFgWiVpalxZ8zGeDrErezjZCQjB3VP-w/view?usp=sharing...
Bypass of last fix
Description last fix can be bypass because in this line we should consider the case \r\r or even \r too. Proof of Concept javascript const http = require"http"; const parseUrl = require"parse-url"; const url = parseUrl'jav\r\r\rascript://%0aalert1'; console.logurl const server =...
Send messenger to another user with any sender account
Description Send messenger to another user with any sender account Proof of Concept 1. Login with account A. 2. When click to the message box of the user Victim X we have the id of this message page in URL, such as https://docker.trudesk.io/messages/628ceabe32b93e62146a7d75 is the URL of message ...
Business Logic error lead to race condition
Description I have found Business logic Bug in para application free User can create more than 1 app even after App limit reached Proof of Concept 1 - Go to https://paraio.com/apps 2 - Create a new app 3- Enter the name of app 4- Intercept the request in burp suite and send into intruder and sele...
Server Side Request Forgery
Description There are two SSRF's in the draw-image-export2 repository, both work on the domain convert.diagrams.net One is a Blind SSRF the other one a Full Response SSRF. Blind SSRF The first one is simple and can be invoked by accessing the following URL:...
Allowing long password leads to denial of service in polonel/trudesk
Description The trudesk application allows to sending a very long password 10000000 characters it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing...
Authentication Bypass Using an Alternate Path or Channel
Steps to reproduce 1. 1. Log into Administrator account 2. 2. Navigate to User section 3. 3. Create a new User, call it testUser pass is 12345678 4. 4. Navigate to Groups section and create a new group, call it testGroup 5. 5. Give a "manage:group" permission for testGroup and assign testUser...
Reflected XSS
Description hello team, i found a reflected xss in /rtxcomplete/nodeslike via callback parameter Proof of Concept https://arax.rtx.ai/rtxcomplete/nodeslike?=1651210002052&callback=%3CScRiPt%20%3Ealertdocument.domain%3C/ScRiPt%3E&limit=15&word=1...
Multiple Store XSS via upload svg file and the file name of attachment
Description Hi There, facturascripts is vulnerable to store XSS by upload svg file, and the filename Step to produce with svg file Login as admin or any account has role Admin-Library, access Admin - library - New and upload file svg with content: alertdocument.cookie; save this. XSS will be...
Cross-site Scripting (XSS) - Stored via HTML file upload
Description rosariosis is vulnerable to Stored XSS in the File upload in Assignments by uploading an HTML file with the javascript code inside. Proof-of-Concept phish.html Test Upload File Test upload alert1 Step to reproduce From attacker side student 1.Login to the demo environment by student...
Buffer Over-read at parse_rawml.c:1416
Description Heap-based Buffer Overflow at parserawml.c:1416 Build git clone https://github.com/bfabiszewski/libmobi.git cd libmobi export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure...
Out-of-bounds Read in r_bin_java_constant_value_attr_new function
Description Out-of-bounds OOB read vulnerability exists in rbinjavaconstantvalueattrnew function in Radare2 5.6.9. This is similar with CVE-2022-0518 and CVE-2022-0521 Version radare2 5.6.9 27745 @ linux-x86-64 git.conti commit: 14189710859c27981adb4c2c2aed2863c1859ec5 build: 2022-04-2311:05:49...
Out-of-bounds Read in mrb_get_args
Out-of-bounds Read in mrbgetargs in mruby/mruby Affected commit 3cf291f72224715942beaf8553e42ba8891ab3c6 Proof of Concept ruby= 0..% = 0,0,0,0,0,0,0,0,0,0,0,0,0, = 0 Below is the output from mruby ASAN build: bash= AddressSanitizer:DEADLYSIGNAL...
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File
Description Formula Injection/CSV Injection in "Firstname" & "Lastname" due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept 1.Go to a Preferences from the user account and in Personal info of "Firstname" & "Lastname" insert the below payloads. 2.Payloads:-...
Loose comparison causes IDOR on multiple endpoints
Description Live Helper Chat is vulnerable to Type Juggling on the requestPayload'hash'. The application uses a Loose Comparison to check if the user-controlled parameter is equal to an hash, this check is vulnerable because it's possible to pass other Data Types via JSON that causes the if...
Reflected Cross-site Scripting (XSS) Vulnerability
Description hestiacp is vulnerable to Reflected XSS in the Hostname field within Basic Options of the function "Configure Server" in Hestia Control Panel Proof of Concept 1 Access https://demo.hestiacp.com:8083/edit/server/ 2 Click "Configure" 3 Click Basic Options 4 Enter below as payload in the...
Cross-site Scripting (XSS) - Stored
Description pimcore is vulnerable to Stored XSS at Key field in the Navigation & Properties tab of a Document page. Payload " Step to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.Click on any document Home, de,... in the Documents 3.Go to Navigation & Properties tab, in the Key...
Cross-site Scripting (XSS) - Reflected
Description Can escape the meta tag because the user doesn't escape the double-quote in the $redirectUrl parameter when logging out. Proof of Concept txt https:///demo/api/logout?redirectto=/asdf" Impact Through this vulnerability, an attacker is capable to execute malicious scripts...
Stack-based Buffer Overflow in vim/vim
Description Buffer overflow occurs in gaconcatshortenesc. commit : f5288c589500de0677444af4a428cfbccfccb8ce Proof of Concept poc $ echo -ne "bm9ybTEwMGdy3YAKZnUgUigpCmxldCBsaW5lPWdldGxpbmUoMSkKcmV0dSBsaW5lCmVuZGYKCmNh bGwgYXNzZXJ0X2VxdWFsKDEsUigpKQo=" | base64 -d poc ASAN $ ./src/vim.asan -u NONE...
Heap-based Buffer Overflow in vim/vim
Description Heap overflow occurs in exretab. commit : 414acd342f4a66d930da34d419929985b48bd301 Proof of Concept $ echo -ne "ZnUgUihiLG4pCmxldCBvbGRfdGFic3RvcD0mdGFic3RvcApleGUicmV0ImE6bgppZiBhOm4KZXhl J3NlIHRhYnN0b3A9Jy5vbGRfdGFic3RvcAplbApjYWwgbCgiIixSKCcnLDQpCmNhbCBsKCIiLFIo...
in vim/vim
Description Out of bound 1 byte read in vim. commit : 06b77229ca704d00c4f138ed0377556e54d5851f Proof of Concept $ echo -ne "c2lsMG5vcm0WcTAHMA==" | base64 -d minimizedpoc valgrind $ ./vg-in-place -s ./vim -u NONE -i NONE -n -X -Z -e -s -S ./minimizedpoc -c ":qa!" ==3442167== Invalid read of size ...
in crater-invoice/crater
Description In recent Crater version e3f3809f tag: 6.0.1 customer with enabled portal function can upload PHP file instead of avatar. Proof of Concept POST /api/v1/company-name/customer/profile HTTP/1.1 Host: 172.17.0.1:8888 User-Agent: Mozilla/5.0 X11; Linux x8664; rv:97.0 Gecko/20100101...
Cross-site Scripting (XSS) - Reflected in microweber/microweber
Description XSS - Cross-Site Scripting is vulnerability which allows attackers to execute arbitrary javascript code in the browser of victim. PAYLOAD for firefox: a' onafterscriptexecute=alertdocument.domain c='a requires NO user-interaction PAYLOAD for all major browsers: a'...
None in vim/vim
Description intro While fuzzing, I found an edge case in the vim9 compiler for nested functions. It seems like you can make the compiler use the same line twice, by adding another command directly after an enddef token using the | operator. Depending on the inner functions body, this either resul...
SQL Injection in forkcms/forkcms
Description When deleting submissions which belong to a formular made with module FormBuilder, the parameter id is vulnerable for SQL injection. Proof of Concept - Call the URL...
Open Redirect in firefly-iii/firefly-iii
Steps: 1. Login in application and and navigate to bill section and create bill and capture the request. Web applications use different techniques to redirect users to the next page. Apps may use URL query parameters, header values, with JavaScript code, or it may be backend code. In case of this...
in osticket/osticket
Description The forgot password can be abused to leak possible usernames due to different responses returned when a user exists or a user does not. Proof of Concept 1. Go to http://OSTICKET-SERVER/htdocs/osticket/scp/pwreset.php 2. Key in a user which does not exist, the response is: "Unable to...
Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
✍️ Description Reflected XSS in POST /admin/scripts/pi-hole/php/customcname.php 🕵️♂️ Proof of Concept 1. Login as admin, Go to Local DNS - CNAME Records - Add a new CNAME record 2. Input alert1 in domain field and anything in target domain. 3. The Payload in post body domain is URL encoded, use a...
Prototype Pollution in ionicabizau/obj-unflatten
Description obj-unflatten convert flatten objects in nested ones. This package is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const unflatten = require'obj-unflatten' console.log'Before: ' + .polluted unflatten'proto.polluted':...
CSRF in Payment Types
Description CSRF in Payment Types Proof of Concept 1 .Attacker send form fake to user history.pushState'', '', '/'; document.forms0.submit; 2 .User click , edited unwanted payment types Video Poc https://drive.google.com/file/d/1jI4bW5BJXGdJ7kICI-K1Kmg5y2EPw7f0/view?usp=sharing Payload Poc...
Root takeover via signature spoofing
Description When an app requests "CMDBECOMEMANAGER" via prctl, couple of checks done before promoting uid as root manager. Main check relies on requester's signature. Signature control is done in checkv2signature function in kernel\apksign.c, this function accepts both V2 and V3 signatures...