4072 matches found
HTML injection Leads to Open redirection
Description HTML Injection Leads to Open Redirection is a dangerous web security issue. Attackers inject malicious HTML code into vulnerable websites, allowing them to execute harmful scripts in users' browsers. This may lead to unauthorized actions on users' behalf and redirect them to malicious...
Stored XSS via SVG Upload
Description By uploading an SVG file containing JavaScript code in the file upload function on the administrator screen, it is possible to execute any script on the browser of the accessing user. Proof of Concept Log in to the administrator screen, access the Assets page, and upload the SVG file...
Session is still valid after changing password
Description The application does not delete the old login session on the server side after changing the password. This poses a risk when a user uses a public computer and an attacker captures the login session. Even if the user has changed the password, the login session is still taken over by th...
Formula Injection vulnerability in CSV export feature
Description The admidio application is vulnerable to Formula Injection/CSV injection via the Firstname, Lastname input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a a crafted excel file. Proof of Concept 1. Create a member with role Associations boa...
CSRF on /api/graphql query executing the mutations through GET requests
Description Mutations are saveRecord or createProcess queries used in Graphql. SuiteCRM prevents CSRF in this functionality by sending a POST request with a X-Xsrf-Token header. the bug here is that, when we send a GET request, the backend does not expect the X-Xsrf-Token header. Using this, an...
Html Injection to Open redirect
Description Step to reproduce. 1. https://demo.easyappointments.org/index.php/backend/index open this and click on create meet. 2. On first name add Open redirect payload save it. click me...
Heap Use-After-Free in GPAC MP4Box's ogg_stream_clear Function When Processing OGG Files
A heap use-after-free vulnerability has been discovered in GPAC MP4Box's oggstreamclear function when processing OGG files. The vulnerability occurs due to improper handling of memory allocations and deallocations while processing OGG files. This leads to the use of previously freed memory, causi...
Stored XSS in Properties Parameter
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
XSS via Client Side Template Injection
Description Hi Team! First, when creating an app and in the "display title" if you change it to 7'7, and you get it, you can see your name become 49. I think it might be a remote code execution vulnerability via server side template injection, but there is a length limit : By changing Display Tit...
CSV Injection in CSV files generated by the backend
1 First the admin create the event and publish it. 2 unauthenticated users go to the reservation page 3 unauthenticated users fill the fisrst name and last name as "=1+cmd|'/C calc'!A0" 4 admin download all the attendees' data as csv. 5 admin open the csv file and the calculator is opened. see th...
Captcha Bypass due to invalidation of previous tokens
Description An attacker can create bypass the captcha mechanism and create multiple accounts directly Proof of Concept 1: Sign up with a new name in the application, fill the captcha and intercept the request of the submit. The request will look something like this POST...
off-by-one error in function gf_text_get_utf8_line filters/load_text.c
Version MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC: https://doi.org/10.1145/1291233.1291452 GPAC Configuration:...
Dropdown Menu Manipulation leads to stored HTML Injection
Hello In the Cronjob we can change the Interval Time the Dropdown Menu "minutes" to a stored HTML Injection. The Vulnerabilities are 2: 1. First thing the Dropdown Menu should be fixed and nobody can alter or change anything which we will do 2. Second we can implement a stored HTML Injection with...
important E-Mail Input Field bypassed allowing Account Lockout and Takeover
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Josef Hassan [email protected] and I were able to Account Lockout Vulnerability by bypassing the Input of the E-Mail Address. The Process of...
Account Takeover via reset password
Description Password recovery leads to Account Take Over due to reset code leakage. Proof of Concept Create an acount in https://meta.answer.dev/ and verify mail, then log out. Go to password recovery https://meta.answer.dev/users/account-recovery, insert your email and capture the server respons...
IDOR vulnerability allowing to update another user's annotations
Description IDOR vulnerability was discovered in wallabag. Proof of Concept 1. Login as a victim. 2. Create an entry and an annotation. In this case the annotation's ID is 3. 3. Login as an attacker. 4. Send the following request. request http PUT /annotations/3 HTTP/1.1 Host: localhost:8000...
Email enumeration via sending a magic sign in link functionality
Description The sending a magic sign in link functionality is vulnerable to an email enumeration attack. Proof of Concept If you enter registered email, you will get Login Link Sent! message. If you enter non-registered email, you will get Unknown email address. message...
Reflected XSS - Accounting Module - Maintenance - Delete Accounting Records
Description A reflected cross-site scripting XSS vulnerability exists within acct-maintenance-delete.php, which allows a malicious user to execute arbitrary JavaScript code. The vulnerable parameters are username, startdate, and enddate. Proof of Concept 1. Navigate to /acct-maintenance-delete.ph...
No Protection Against Bruteforce Attacks on Login Page
Description Twake does not limit unsuccessfull login attempts allowing an attacker to brute force the password of an administrator or regular user. Proof of Concept Steps to reproduce Because Twake does not rate limit authentication attempts an attacker could either bruteforce both the login and...
Improper Restriction of Rendered UI Layers or Frames
Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept...
Stored XSS while creating a new post
Description After login to portal create a new post and type the following text with XSS payload Proof of Concept 1. Login to portal. 2. create a post with xss paylaod 3. save it Payload 09;& Poc: !alt textlogo logo: https://i.imgur.com/SHDZRWt.png !alt textlogo1 logo1:...
Attributes are not properly handled leading to XSS
Description Attribute names and the class attribute values are not properly handled leading to XSS where a user can control either: + A class value + An attribute name. While this may not seem like a important security issue this weakness is not documented. One would assume the behaviour would...
Lack of CSRF Token in Logout
Description we haven't csrf token in logout basically this is not really issue but in rdiffweb we have logically redirect user to last source like logout method. in this case attacker can chain two requestlogout,login that lead to dos Proof of Concept 1. send get logout request and get sessionid...
3 Types of SQLi in `s` param - (Time/Boolean/Error Based)
Description I have found 3 types of SQLi on the s parameter Proof of Concept Time-Based Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time in seconds before...
XSS and CSP bypass in app.diagrams.net
Description The application reflects an input from the url without sanitizing it. With a csp bypass from apis.google.com its possible to execute javascript code. Proof of Concept...
Link Preload XSS
Description Link preloads do not effectively confirm if the requested link is external. Parser differentials can be used to bypass existing external URL check. Root Cause payload.client.ts contains the following code on link prefetch: ts nuxtApp.hooks.hook'link:prefetch', url = if...
Broken Access Controls in Patient Files
Description An authenticated user without document access has the ability to direct access any document in the system by using a url similar to this http://domain/openemr/controller.php?document&retrieve&patientid=2&documentid=19. The autoincrement identifier was also susceptible of being...
SSRF in feeds
Description By looking at this URL : https://github.com/glpi-project/glpi/security/advisories/GHSA-rqgx-gqhp-x8vv, I understand that a SSRF was possible in the URL of the RSS feed, and in fact, this has been fix. Howerver, I found a bypass to CVE-2022-36112. Proof of Concept To trigger the bug,...
Use After Free in function did_set_string_option
Description Use After Free in function didsetstringoption at optionstr.c:2456. vim version git log commit 8279af514ca7e5fd3c31cf13b0864163d1a0bfeb grafted, HEAD - master, tag: v9.0.0598, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
CSRF to change the email id
Description The change email ID is vulnerable to CSRF. The attacker can change the email ID of the user. Proof of Concept 1.Login into the application https://rdiffweb-demo.ikus-soft.com. 2.Open the URL...
Cross-site Scripting (XSS) - Stored
Description The application uses Purify to avoid the Cross Site Scripting attack. However, On ApiAddress module from Settings, the customFields is not validated and it's used directly without any encoding or validation on ApiConfigModal.tpl. It allows attacker to inject arbitrary Javascript code ...
Stored XSS in 'Table name' field via Database information function
Description When the administrator uses the Database information function, malicious code will be accidentally called and executed through two cases: 1. 1 An internal attacker local with access right to the database could insert malicious content into the table name field by creating a table in t...
User can do all actives with other's signature (view, get, create, update, delete,...)
Description I observed that users can view any user's signature by changing their user parameter to other's user parameter. By the same way users can create/delete/update other's signature in create signature function. View/Get other's signature: 1. Login to an account I use account receptionist...
Improper Input Validation Leads to Privilege Escalation and Denial of Service
Description Improper input validation allows an attacker to privilege escalation and can make crash nginx server. There is no input validation in the v-add-web-domain-redirectL82, and "v-redirect-custom" input on the "Edit Web Domain" page, inputs are written directly to the...
Unauthorized to create and edit Amendments function
Description We would like to report the vulnerability we found during software testing. The OpenEMR 7.0.0 latest version Open Source electronic health records and medical practice management application has unauthorized create and edit on “Patient/dashboard/Amendments” with function...
Inefficient Regular Expression Complexity potentially leads to Denial of Service in
Description Inefficient regular expression complexity of lowercase and uppercase regex could lead to a denial of service attack. With a formed payload 'a' + 'a'.repeati + 'A', only 32 characters payload could take 29443 ms time execution when testing lowercase. The same issue happens with...
Failure to invalidate session after password change
Description The application does not invalidate session after the password is changed which can enable attacker to continue using the compromised session. Proof of Concept 1Login to the same accounts in two different browsers https://demo.bigbluebutton.org/gl 2Change password in the 1st browser a...
Cross-site Scripting (XSS) - Reflected
Description Hi, i found a Reflected XSS vulnerability GET request in /index.php in phoronix test suite, Results tab. Line 45 of index.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. Proof of Concept GET...
Out-of-bounds Read in function get_lisp_indent
Description Out-of-bounds Read in function getlispindent at indent.c:2083 vim version git log commit e366ed4f2c6fa8cb663f1b9599b39d57ddbd8a2a HEAD - master, tag: v8.2.5136, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobr2s.dat -c :qa!...
Incorrect use of privileged APIs to steal victim's account
Description When user can edit their profile -- Incorrect use of privileged APIs to steal victim's account Proof of Concept 1. Login with hacker's account, get the request when edit profile 2. Replace the endpoint and email with victim's one 3. Send the request. POC video:...
Insufficient Session Expiration
Description The application NocoDB failed to invalidate the session after changing the password and In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords. Proof of Concept Login same account in two different browsers. Try to change the...
Metadata Is Not Stripped From Images
While uploading an image on https://demo-publify.herokuapp.com/admin/resources as a low privileged user the meta data of the image like geolocation, device information, version, name etc is not getting stripped, as a result the attacker can collect all the meta data information of the image by...
Stored XSS on drawio
Sumary Draw io has a feature to put links on a text, due to a bad sanitization it allows to put javascript:// scheme on a anchor tag which allows to execute javascript code Steps to reproduce 1. Create a text box and set word size to 50 2. Click with the rigth button and "Edit link" 3. Put...
Reflected XSS on ticket filter function
Description Ticket management filter in Trudesk v1.2.0 allow user to perform XSS due to improper validation on filter attribute such as "status", "ticket type", "assignee" and etc. Proof of Concept 1 Login to Trudesk with role user privilege 2 Tickets - Filter ticket 3 Filter for ticket status po...
Unrestructed file upload
Description I found unrestricted file upload leads to xss, vulnerability can be exploited by uploading a crafted payload inside a file. Then, the vulnerability can be triggered when the user previews the files content. Proof of Concept unrestricted file upload payload...
Heap-based Buffer Overflow
Description Heap-based Buffer Overflow in rreadle32 Environment radare2 5.6.7 0 @ linux-x86-64 git. commit: 5.6.7 build: 2022-04-1215:06:26 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...
Multiple Stored XSS
Description The organizr application allows malicious javascript payload in multiple-input fields like "Categories", "Bookmark Tabs" and "Bookmark Categories" for which attacker can takeover the admin account. Proof of Concept 1.Login to the co-admin account and go to go to "Settings" - "Tab...
heap-use-after-free
Description Whilst experimenting with radare2, built from version 5.6.6, we are able to induce a vulnerability at reg.c:101 in function rreggetnameidx , using radare2 as a harness. 99: RAPI int rreggetnameidxconst char type 100: rreturnvaliffail type, -1; //use-after-free here 101: if type0 &&...
Missing Function Level Access Control
Vulnerability Type Missing Function Level Access Control Affected URL 62 vulnerable instances as listed in Table 1 Authentication Required? Yes Issue Summary Web applications usually only show functionality that a user has the need for and right to use in the UI. However, this is not the case for...
User after free in mrb_vm_exec
While fuzzing mruby I found a use after free in mruby compiled with ASAn. Proof of Concept uaf1.rb rb var1 = -0 var2 = 1.0 var3 = 1 var4 = +0 var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby ||...