4072 matches found
Stored Cross Site Scripting
Vulnerability Type Stored Cross Site-Scripting XSS Affected URL https://localhost/openemr-6.0.0/ /controller.php?practicesettings&documentcategory&action=addnode&parentid=XX Affected Parameter “name” Method POST Authentication Required? Yes Issue Summary A stored XSS vulnerability found in ”...
Cross-site Scripting (XSS) - Stored
Description pimcore datahub is vulnerable to Stored XSS in multiple places including: 1 Field-Collections in Data Objects 2 Objectbricks in Data Objects Proof of Concept for both 1 & 2 Step 1: Go to https://10.x-dev.pimcore.fun/admin/ and login. Step 2: Click Settings Data Objects Field-Collectio...
Code Injection
Description Improper php function sanitization, lead to an ability to inject arbitrary PHP code and run arbitrary commands on file system. In the function "doleval" in file "dolibarr/htdocs/core/lib/functions.lib.php" dangerous PHP functions are sanitized using "strreplace" and can be bypassed...
Cross-site Scripting (XSS) - Reflected
Description The endpoint https://demo.microweber.org/demo/admin/post/id/edit is vulnerable to cross site scripting. The "Edit source" field is affected. Proof of Concept 1. Login into https://demo.microweber.org 2. Navigate to https://demo.microweber.org/demo/admin/post/25/edit 3. click EditSourc...
Use multiple time the one-time coupon
Description I create a coupon only for one user and a one-time use coupon. Then create two users, and both of them can use the coupon, but only one of them should be able to use the coupon. Proof of Concept first, create a one-time and one-user coupon code that, e.g. is aaaaa. the attacker has tw...
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/
Description The Introduction of a New Line Character lets the attacker the stack trace at demo.microweber.org/ This Attack becomes more significant because of its Less complication. The Stack trace discloses following information : 1. Backend Response code. 2. The Versions of Backend Laravel...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Stored XSS at the Company name field customercompanynameValueParam parameter in the Copyright settings tab of the Chat configuration page. Payload constructor.constructor'alert1' Steps to reproduce 1.Login then go to Chat configuration page...
Improper Privilege Management in snipe/snipe-it
Description It was found that if a user is not having access to supplier module, he can access and view the supplier content. Proof of Concept 1. Create two users, one admin and one normal user 2. A normal user is not having access to the supplier module. 3. But by enumeration the normal user vie...
None in radareorg/radare2
Description This vulnerability is of type Expired Pointer Dereference or specifically, use-after-free. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code located at...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description stored xss vulnerability occurs when you change the value of Group at "Settings" = "Thumbnalis" = "Video Thumbnails" in the pimcore service. Proof of Concept txt XSS POC : " 1. Open the https://10.x-dev.pimcore.fun/admin/login?perspective= 2. After login, Go to "Settings" = "Thumbnali...
in hazelcast/hazelcast
Description The AbstractXmlConfigRootTagRecognizer function makes use of SAXParser generated from a SAXParserFactory with no FEATURESECUREPROCESSING set, allowing for XXE attacks. In...
in radareorg/radare2
Description This vulnerability is of out-of-bound read. The bug exists in latest stable release radare2-5.5.4. Specifically, the vulnerable code is picked out as follows: // libr/util/buf.c line 631 RAPI void rbuffiniRBuffer b ... // the pointer address of b-methods is broken if...
Cross-Site Request Forgery (CSRF) in pterodactyl/panel
Description Following state-changing endpoints are vulnerable to CSRF: 1: GET /admin/nodes/view/1/settings/token auto-generates token when token not generated yet 2: GET /admin/settings/mail/test The X-CSRF-Token header for the API request is not validated on backend, should be a POST request to...
in flatcore/flatcore-cms
Title: race condition vs Temporary File Upload Description flatCore-CMS is vulnerable to Race condition while dealing uploading gallery Codes at https://github.com/flatCore/flatCore-CMS/blob/main/acp/core/files.uploadgallery.phpL31 php ifarraykeyexists'file',$FILES && $FILES'file''error' == 0...
Heap-based Buffer Overflow in vim/vim
✍️ Description Hello, we hope this message finds you well during these challenging times. Whilst testing vim built from commit deba5e with Ubuntu clang version 12.0.0-3ubuntu120.04.3 and Address Sanitizer, we discovered crafted input which triggers a heap-buffer-overflow, WRITE of size 15. Please...
Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy
✍️ Description You don't check CSRF token in following endpoint /timers/add/quick/ with PoC.html attacker able to add quick timers. 🕵️♂️ Proof of Concept // PoC.html history.pushState'', '', '/' 💥 Impact This vulnerability is capable of ad quick timers...
in yiisoft/yii2
✍️ Description Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. In this case the function that generates weak random numbers is mtrand in BaseMailer.php at line 346. 🕵️♂️ Proof of Concept ?php echo...
Cross-site Scripting (XSS) - Stored in aimeos/aimeos-core
✍️ Description Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework this webapp is vulnerabel for stored xss thru filename 🕵️♂️ Proof of Concept 💥 Impact This vulnerability is capable stored XSS...
Path Traversal in kalcaddle/kodexplorer
✍️ Description I have confirmed a file transversal vulnerability on any server running Kodexplorer, Malicious user can read any file 🕵️♂️ Proof of Concept First setup local installation of kodExplorer. If the server is running with root permission:...
Code Injection in microsoft/qlib
Description Arbitrary Code Excecution in microsoft/qlib. Qlib is an AI-oriented quantitative investment platform, which aims to realize the potential, empower the research, and create the value of AI technologies in quantitative investment. Technical Description This package was vulnerable to...
Prototype Pollution in ionicabizau/obj-unflatten
Description obj-unflatten convert flatten objects in nested ones. This package is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const unflatten = require'obj-unflatten' console.log'Before: ' + .polluted unflatten'proto.polluted':...
Exposure of Sensitive Information to an Unauthorized Actor in traduora/traduora
Description Username Enumeration in traduora. Proof of Concept 1. setup traduora to reproduce the vulnerability 2. go to sign in page http://localhost:8080/login 3. Append non registered user email and password it shows Error,resource not found 4. when Appending correct username and fake password...
Prototype Pollution in kvz/locutus
Description phpjs is a community built PHP binding in JavaScript. This package is vulnerable to Prototype Pollution via parsestr. Proof of Concept const phpjs = require'phpjs'; phpjs.parsestr"protopolluted=true",; console.logpolluted;...
Denial of Service in gajus/url-regexp
Overview RegExp object to match and validate URLs. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS. An attacker providing a long URL to validate or replace function will cause a Denial of Service attack. PoC node var regex = require"url-regexp";...
Path traversal, lead to remote code execution
Description clearml's safeextract is actually NOT secure. It fails to properly handle symbolic links and hard links. When these links point to files outside the TAR archive, it can lead to arbitrary file writes, potentially resulting in remote code execution. Due to a change in th...
Heap OOB Read
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the latest release as of 10/08/23 the current master branch at commit 50c2ab06f45a3101d73d6f317e98f041809f4923 . Description This AddressSanitizer output is indicating an OOB read of inval...
Heap OOB Read
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the latest release as of 09/28/23 the current master branch at commit c5603fa8de0e7d4460718e28f90989ffdf925494 . Description This AddressSanitizer output is indicating an OOB read of inval...
heap-buffer-overflow in function swf_def_font scene_manager/swf_parse.c:1449
Description Heap-buffer-overflow in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Dom XSS in module "Search IPv4"
Description 1 .Access to IPv4 search function 2 .Enter the payload in the IPv4 field to perform the search Payload : "alertdocument.cookie 3 .Enter the search button and the payload will be executed Poc Video poc https://drive.google.com/file/d/1A-zwXxsA-7GHa0iGfRGQc61JkOb-4A38/view?usp=sharing...
Misconfiguration in message sending function
Description Web application misconfiguration in messaging function. This vulnerability results in a user's messages being automatically sent to all other users. This results in the user's information potentially being exposed Proof of Concept link video Poc...
Cross-site Scripting (Stored XSS)
Description For any role that has permission to execute function assets, i can upload a html file and that leads to XSS. Proof of Concept 1. Link PoC: https://docs.google.com/document/d/1pZAi6PZiBmN3yNsBmY8Z9Qd3hv-8zPHUh69h-i1rvA/edit?usp=sharing 2. Link video PoC:...
Reflected XSS in date
Description There is a reflective XSS on the FOSSBilling admin screen. Proof of Concept By accessing the following URL, it is possible to execute any script on the browser of the logged-in administrator user. URL:...
DOM Cross Site Scripting and openredirect
Vulnerable Endpoint: https://demo.saleor.io/default-channel/en-US/account/login/?next=javascript:alert1 Description: 1. Hello team, Recently i found that, on saleor React storefront dashboard there is a DOM XSS and open-redirect vulnerability Steps to reproduce XSS: 1. Go to the above mentioned...
Stored XSS in module name "Edit Link"
Description I noticed that you filtered the input very carefully. But there are still some parts you missed Proof of Concept 1.Login in URL : https://demo.pimcore.fun/admin. 2.Go to "Search Documents" and filter only "Snippet" search and press search. 3.Go to "/en/shared/teasers/Popular Brands"...
Account TakeOver Due to Improper Handling of JWT Tokens
Description I have discovered a vulnerability where any user can modify another user's data including password simply by intercepting and changing the access token of the JWT using https://token.dev. The system does not verify whether the JWT token was issued by the server or not, allowing it to...
Multiple XSS on update funtions with module select options and search form
Description XSS vulnerability occurs in forms have select and search Proof of Concept POST /bumsys/xhr/?module=peoples&page=updateCustomer HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:109.0 Gecko/20100101 Firefox/111.0 Accept: / Accept-Language:...
2FA Bypass by Brute Force
Description Currently there are no restrictions on attempts to enter the correct 2FA code. In contrast to the first step of the authentication username + password the fields of lastloginfail and loginfailcount in the database aren't updated. An attacker can bypass the 2FA by simple brute force of...
Access Control Vulnerability in Prescription Controller
Description An Access Control Vulnerability allows a low level user in the web application to view, create, and edit prescriptions for all users. Proof of Concept Step 1. Login to the openemr web application as a low level user Ex: Receptionist in openemr demo \ Step 2. Travel to a page that will...
weak Password Policy while creating a new User with the Admin Account
Hello, I was able to detect weak Password Policy while allowing an administrator to create a new account. Lets create an account, set the Password to 1 and login with it. As you can see its number 1. When i click set it will not accept We need to specify that the user will change his password aft...
File Upload Bypass Leads to Remote Code Execution (RCE)
Description There is no extension checks during file upload. Attacker may upload file to execute malicious code in the server. Proof of Concept Step 1: Create a file with the content below and save it as evil.php " Step 2: Login to the Cockpit web server Step 3: Go to assets Step 4: Upload Assets...
Observable Response Discrepancy in Password Reset Functionality
Description The password reset functionality leaks information pertaining to use accounts. Where an invalid account is utilized, the application responds that the account could not be found. Where an account is valid, the application responds with a reason "base.success" when intercepted, or that...
Captcha Bypass allows sending unlimited Comments
Hello, I identified a CAPTCHA Bypass after trying many Posts in the Comments Section. Lets see : --------- sent successfully! let's see the comments Comments are available The Question Form is also vulnerable for Captcha Bypass please check it also too. Thank you...
XSS in Comment Faq news username parameter
Description Stored Cross-Site Scripting XSS is a type of security vulnerability that occurs when an attacker injects malicious code into a website that is then stored on the server and served to unsuspecting users. This type of XSS is particularly dangerous because it can persist and continue to...
heap-buffer-overflow in function gf_m2ts_process_tdt_tot media_tools/mpegts.c
Version ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC: https://doi.org/10.1145/1291233.1291452 GPAC...
Stored XSS on Tag
Description Evil users can attack other users or administrator users through this vulnerability, causing other users/administrator user accounts to be taken over Proof of Concept step 1. Create new tag Step 2: Enter XSS payload to Description tag Step 3: Go to http://127.0.0.1/questions Step 4:...
stored XSS through Question sending
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Ahmed Hassan [email protected] and I were able to identify another stored XSS Cross-Site-Scripting Injection Vulnerability. The Process of the...
Reflected XSS - Accounting Module - Maintenance - Cleanup Stale Sessions
Description A reflected cross-site scripting XSS vulnerability exists within acct-maintenance-cleanup.php, which allows a malicious user to execute arbitrary JavaScript code. Proof of Concept 1. Navigate to /acct-maintenance-cleanup.php and enter the following payload alert1within the username...
Out-of-bounds Read in function build_stl_str_hl
Out-of-bounds Read in function buildstlstrhl at buffer.c:4350 vim version git log commit ea720aea851e645f4c8ec3b20afb27c7ca38184c HEAD - master, tag: v9.0.1137, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochor01s.dat -c :qa!...
Admin is able to ARCHIVE OWN Account leads to Deactivate ADMIN Account
Description As fer the Flow Admin can't ARCHIVE OWN account . i was able to ARCHIVE ADMIN OWN Account by intercept the request and change ID Value to Admin. which leads to ARCHIVED the ADMIN Account , :/ Please Restored it Might Be possible to DELETE Admin Account too , after ARCHIVE Account it's...
IDOR allows to see, update and delete other users shortcuts
Description Even if the endpoint /api/shortcut allow to see the list of your own shortcuts, it is possible to access, modify and delete other users shortcut accessing directly through the IDs. Proof of Concept - Login with one user, and create a shortcut, let's consider it now has the ID 1 - Logi...