4072 matches found
CSRF in Payment Types
Description CSRF in Payment Types Proof of Concept 1 .Attacker send form fake to user history.pushState'', '', '/'; document.forms0.submit; 2 .User click , edited unwanted payment types Video Poc https://drive.google.com/file/d/1jI4bW5BJXGdJ7kICI-K1Kmg5y2EPw7f0/view?usp=sharing Payload Poc...
Root takeover via signature spoofing
Description When an app requests "CMDBECOMEMANAGER" via prctl, couple of checks done before promoting uid as root manager. Main check relies on requester's signature. Signature control is done in checkv2signature function in kernel\apksign.c, this function accepts both V2 and V3 signatures...
Heap OOB Read
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the latest release as of 10/08/23 the current master branch at commit 50c2ab06f45a3101d73d6f317e98f041809f4923 . Description This AddressSanitizer output is indicating an OOB read of inval...
SQL injection in slug parameter
Description The /api/workspace/:slug endpoint exposes a critical SQL injection vulnerability in the slug parameter. This vulnerability arises due to the insecure handling of user-supplied data slug in the construction of a SQL query. An attacker can exploit this vulnerability by crafting a...
authorized Admin Account Takeover
Description The icms2 contains a flaw in its admin account management functionality, specifically in the process of changing and resetting passwords for administrators. Through careful analysis and testing, it was observed that an authenticated administrator has the capability to change the...
HTML injection Leads to Open redirection
Description HTML Injection Leads to Open Redirection is a dangerous web security issue. Attackers inject malicious HTML code into vulnerable websites, allowing them to execute harmful scripts in users' browsers. This may lead to unauthorized actions on users' behalf and redirect them to malicious...
Stored XSS via SVG Upload
Description By uploading an SVG file containing JavaScript code in the file upload function on the administrator screen, it is possible to execute any script on the browser of the accessing user. Proof of Concept Log in to the administrator screen, access the Assets page, and upload the SVG file...
Session is still valid after changing password
Description The application does not delete the old login session on the server side after changing the password. This poses a risk when a user uses a public computer and an attacker captures the login session. Even if the user has changed the password, the login session is still taken over by th...
Formula Injection vulnerability in CSV export feature
Description The admidio application is vulnerable to Formula Injection/CSV injection via the Firstname, Lastname input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a a crafted excel file. Proof of Concept 1. Create a member with role Associations boa...
CSRF on /api/graphql query executing the mutations through GET requests
Description Mutations are saveRecord or createProcess queries used in Graphql. SuiteCRM prevents CSRF in this functionality by sending a POST request with a X-Xsrf-Token header. the bug here is that, when we send a GET request, the backend does not expect the X-Xsrf-Token header. Using this, an...
Html Injection to Open redirect
Description Step to reproduce. 1. https://demo.easyappointments.org/index.php/backend/index open this and click on create meet. 2. On first name add Open redirect payload save it. click me...
Heap Use-After-Free in GPAC MP4Box's ogg_stream_clear Function When Processing OGG Files
A heap use-after-free vulnerability has been discovered in GPAC MP4Box's oggstreamclear function when processing OGG files. The vulnerability occurs due to improper handling of memory allocations and deallocations while processing OGG files. This leads to the use of previously freed memory, causi...
Stored XSS in Properties Parameter
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Access Control Vulnerability in Prescription Controller
Description An Access Control Vulnerability allows a low level user in the web application to view, create, and edit prescriptions for all users. Proof of Concept Step 1. Login to the openemr web application as a low level user Ex: Receptionist in openemr demo \ Step 2. Travel to a page that will...
XSS via Client Side Template Injection
Description Hi Team! First, when creating an app and in the "display title" if you change it to 7'7, and you get it, you can see your name become 49. I think it might be a remote code execution vulnerability via server side template injection, but there is a length limit : By changing Display Tit...
CSV Injection in CSV files generated by the backend
1 First the admin create the event and publish it. 2 unauthenticated users go to the reservation page 3 unauthenticated users fill the fisrst name and last name as "=1+cmd|'/C calc'!A0" 4 admin download all the attendees' data as csv. 5 admin open the csv file and the calculator is opened. see th...
Captcha Bypass due to invalidation of previous tokens
Description An attacker can create bypass the captcha mechanism and create multiple accounts directly Proof of Concept 1: Sign up with a new name in the application, fill the captcha and intercept the request of the submit. The request will look something like this POST...
off-by-one error in function gf_text_get_utf8_line filters/load_text.c
Version MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC: https://doi.org/10.1145/1291233.1291452 GPAC Configuration:...
Dropdown Menu Manipulation leads to stored HTML Injection
Hello In the Cronjob we can change the Interval Time the Dropdown Menu "minutes" to a stored HTML Injection. The Vulnerabilities are 2: 1. First thing the Dropdown Menu should be fixed and nobody can alter or change anything which we will do 2. Second we can implement a stored HTML Injection with...
Account Takeover via reset password
Description Password recovery leads to Account Take Over due to reset code leakage. Proof of Concept Create an acount in https://meta.answer.dev/ and verify mail, then log out. Go to password recovery https://meta.answer.dev/users/account-recovery, insert your email and capture the server respons...
IDOR vulnerability allowing to update another user's annotations
Description IDOR vulnerability was discovered in wallabag. Proof of Concept 1. Login as a victim. 2. Create an entry and an annotation. In this case the annotation's ID is 3. 3. Login as an attacker. 4. Send the following request. request http PUT /annotations/3 HTTP/1.1 Host: localhost:8000...
Email enumeration via sending a magic sign in link functionality
Description The sending a magic sign in link functionality is vulnerable to an email enumeration attack. Proof of Concept If you enter registered email, you will get Login Link Sent! message. If you enter non-registered email, you will get Unknown email address. message...
Reflected XSS - Accounting Module - Maintenance - Delete Accounting Records
Description A reflected cross-site scripting XSS vulnerability exists within acct-maintenance-delete.php, which allows a malicious user to execute arbitrary JavaScript code. The vulnerable parameters are username, startdate, and enddate. Proof of Concept 1. Navigate to /acct-maintenance-delete.ph...
No Protection Against Bruteforce Attacks on Login Page
Description Twake does not limit unsuccessfull login attempts allowing an attacker to brute force the password of an administrator or regular user. Proof of Concept Steps to reproduce Because Twake does not rate limit authentication attempts an attacker could either bruteforce both the login and...
Improper Restriction of Rendered UI Layers or Frames
Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept...
Attributes are not properly handled leading to XSS
Description Attribute names and the class attribute values are not properly handled leading to XSS where a user can control either: + A class value + An attribute name. While this may not seem like a important security issue this weakness is not documented. One would assume the behaviour would...
Lack of CSRF Token in Logout
Description we haven't csrf token in logout basically this is not really issue but in rdiffweb we have logically redirect user to last source like logout method. in this case attacker can chain two requestlogout,login that lead to dos Proof of Concept 1. send get logout request and get sessionid...
3 Types of SQLi in `s` param - (Time/Boolean/Error Based)
Description I have found 3 types of SQLi on the s parameter Proof of Concept Time-Based Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time in seconds before...
XSS and CSP bypass in app.diagrams.net
Description The application reflects an input from the url without sanitizing it. With a csp bypass from apis.google.com its possible to execute javascript code. Proof of Concept...
Link Preload XSS
Description Link preloads do not effectively confirm if the requested link is external. Parser differentials can be used to bypass existing external URL check. Root Cause payload.client.ts contains the following code on link prefetch: ts nuxtApp.hooks.hook'link:prefetch', url = if...
Broken Access Controls in Patient Files
Description An authenticated user without document access has the ability to direct access any document in the system by using a url similar to this http://domain/openemr/controller.php?document&retrieve&patientid=2&documentid=19. The autoincrement identifier was also susceptible of being...
SSRF in feeds
Description By looking at this URL : https://github.com/glpi-project/glpi/security/advisories/GHSA-rqgx-gqhp-x8vv, I understand that a SSRF was possible in the URL of the RSS feed, and in fact, this has been fix. Howerver, I found a bypass to CVE-2022-36112. Proof of Concept To trigger the bug,...
Use After Free in function did_set_string_option
Description Use After Free in function didsetstringoption at optionstr.c:2456. vim version git log commit 8279af514ca7e5fd3c31cf13b0864163d1a0bfeb grafted, HEAD - master, tag: v9.0.0598, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
CSRF to change the email id
Description The change email ID is vulnerable to CSRF. The attacker can change the email ID of the user. Proof of Concept 1.Login into the application https://rdiffweb-demo.ikus-soft.com. 2.Open the URL...
Cross-site Scripting (XSS) - Stored
Description The application uses Purify to avoid the Cross Site Scripting attack. However, On ApiAddress module from Settings, the customFields is not validated and it's used directly without any encoding or validation on ApiConfigModal.tpl. It allows attacker to inject arbitrary Javascript code ...
Stored XSS in 'Table name' field via Database information function
Description When the administrator uses the Database information function, malicious code will be accidentally called and executed through two cases: 1. 1 An internal attacker local with access right to the database could insert malicious content into the table name field by creating a table in t...
User can do all actives with other's signature (view, get, create, update, delete,...)
Description I observed that users can view any user's signature by changing their user parameter to other's user parameter. By the same way users can create/delete/update other's signature in create signature function. View/Get other's signature: 1. Login to an account I use account receptionist...
Improper Input Validation Leads to Privilege Escalation and Denial of Service
Description Improper input validation allows an attacker to privilege escalation and can make crash nginx server. There is no input validation in the v-add-web-domain-redirectL82, and "v-redirect-custom" input on the "Edit Web Domain" page, inputs are written directly to the...
Unauthorized to create and edit Amendments function
Description We would like to report the vulnerability we found during software testing. The OpenEMR 7.0.0 latest version Open Source electronic health records and medical practice management application has unauthorized create and edit on “Patient/dashboard/Amendments” with function...
Inefficient Regular Expression Complexity potentially leads to Denial of Service in
Description Inefficient regular expression complexity of lowercase and uppercase regex could lead to a denial of service attack. With a formed payload 'a' + 'a'.repeati + 'A', only 32 characters payload could take 29443 ms time execution when testing lowercase. The same issue happens with...
Failure to invalidate session after password change
Description The application does not invalidate session after the password is changed which can enable attacker to continue using the compromised session. Proof of Concept 1Login to the same accounts in two different browsers https://demo.bigbluebutton.org/gl 2Change password in the 1st browser a...
Cross-site Scripting (XSS) - Reflected
Description Hi, i found a Reflected XSS vulnerability GET request in /index.php in phoronix test suite, Results tab. Line 45 of index.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. Proof of Concept GET...
Out-of-bounds Read in function get_lisp_indent
Description Out-of-bounds Read in function getlispindent at indent.c:2083 vim version git log commit e366ed4f2c6fa8cb663f1b9599b39d57ddbd8a2a HEAD - master, tag: v8.2.5136, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobr2s.dat -c :qa!...
Incorrect use of privileged APIs to steal victim's account
Description When user can edit their profile -- Incorrect use of privileged APIs to steal victim's account Proof of Concept 1. Login with hacker's account, get the request when edit profile 2. Replace the endpoint and email with victim's one 3. Send the request. POC video:...
Insufficient Session Expiration
Description The application NocoDB failed to invalidate the session after changing the password and In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords. Proof of Concept Login same account in two different browsers. Try to change the...
Metadata Is Not Stripped From Images
While uploading an image on https://demo-publify.herokuapp.com/admin/resources as a low privileged user the meta data of the image like geolocation, device information, version, name etc is not getting stripped, as a result the attacker can collect all the meta data information of the image by...
Stored XSS on drawio
Sumary Draw io has a feature to put links on a text, due to a bad sanitization it allows to put javascript:// scheme on a anchor tag which allows to execute javascript code Steps to reproduce 1. Create a text box and set word size to 50 2. Click with the rigth button and "Edit link" 3. Put...
Reflected XSS on ticket filter function
Description Ticket management filter in Trudesk v1.2.0 allow user to perform XSS due to improper validation on filter attribute such as "status", "ticket type", "assignee" and etc. Proof of Concept 1 Login to Trudesk with role user privilege 2 Tickets - Filter ticket 3 Filter for ticket status po...
Unrestructed file upload
Description I found unrestricted file upload leads to xss, vulnerability can be exploited by uploading a crafted payload inside a file. Then, the vulnerability can be triggered when the user previews the files content. Proof of Concept unrestricted file upload payload...
Heap-based Buffer Overflow
Description Heap-based Buffer Overflow in rreadle32 Environment radare2 5.6.7 0 @ linux-x86-64 git. commit: 5.6.7 build: 2022-04-1215:06:26 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...