4072 matches found
Privilege vulnerability at API Change Password
Description There is a vulnerability at API Change password. I use API PATCH /api/user/x to get user's information and change their password. With x is the user's id, which are numbers in ascending or descending order Proof of Concept 1. Access to the demo website https://demo.usememos.com/ 2. Us...
Reflect XSS Which can help in any CSRF Vulnerability
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept Below HTML code for trigger XSS with POST method XSS POC By AggressiveUser history.pushState'', '', '/' Below BurpSuite POC YO...
Server Side Request Forgery Via DNS Rebinding
Description Appsmith below v1.8.1 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery SSRF via DNS Rebinding technique to hit AWS internal metadata endpoint and for retrieving data. Proof of Concept...
Mass Assignment in Self Controller Leads To Vertical Privillege Escalation
Description Hello there, y'all! How are you doing? Hope you are doing great! I was testing Budibase and noticed that the api endpoint /api/global/self, which is used for different purposes updating an user's name or their password, always receives an entire object containing most of the attribute...
Persistent Cross-site Scripting - SlaPolicy Module - Settingss
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, On SlaPolicy module from Settings, the type of recordModel-name parameter is "Text" but it is not validated and it's used directly without any encoding or validation on SlaPolicy/EditViewBlocks.tpl. It...
NULL Pointer Dereference in function generate_loadvar
Description NULL Pointer Dereference in function generateloadvar at vim9compile.c:1165 allows attackers to cause a denial of service application crash via a crafted input. vim version git log commit e1f3fd1d02e3f5fe6d2b6d82687c6846b8e500f8 HEAD - master, origin/master, origin/HEAD Author: Bram...
Cross-site Scripting (XSS) - Reflected
Description Hi team, I found XSS at /module/. Proof of Concept Pop up POC: Reflected POC: Full request payload: POST /demo/module/ HTTP/1.1 Host: demo.microweber.org User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:102.0 Gecko/20100101 Firefox/102.0 Accept: / Accept-Language: en-US,en;q=0....
Stored xss in "users name","functions name","storage buckets name" and in "database collections name"
Description Appwrite application allows malicious javascript payload to inject in users name,functions name,storage buckets name and in database collections name which leads to Stored XSS. Proof of Concept 1.Login to the application 2.Go to the "users name","functions name","storage buckets name"...
Improper Access Control in Crabtyper API
Description The API program allows any user to create languages and snippets, as well as delete them. This allows a malicious actor to add offensive snippets which could appear to any user, and also allows anyone to completely take down the service by removing all snippets. This is due to...
Contextual Code Execution
Description The main function uses the eval function which can lead to contextual code execution, allowing an attacker to gain access to a system and execute commands with the privileges of the running program by setting NUITKAPYTHONPATH, NUITKANAMESPACES or NUITKAPTHIMPORTED to a malicious paylo...
Bypass filter - Stored XSS in Resources
Description Website does incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This fix for this bug https://huntr.dev/bounties/dcf87c0b-6188-4817-8798-ef1e2581b15a/ can be bypassed using bellow payload...
The publify application allows large characters to insert in the input field "title name and post field" on the article field which can allow attackers to cause a Denial of Service (DoS)
Description Please enter a description of the vulnerability. Proof of Concept 1 - Create New article https://demo-publify.herokuapp.com/admin/content/new 2 - Fill the title name and post field with huge characters, more than 1 lakh Copy the below payload and put it in the input fields and click o...
heap-buffer-overflow in mobi_get_attribute_value
Description heap-buffer-overflow /home/ubuntu/libmobi-public/src/parserawml.c:357 in mobigetattributevalue Environment Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal mobitool build: Apr 29 2022 20:52:30 gcc 9.3.0 libmobi: 0.10 Build export CC=gcc CXX=g++...
Improper access control could make any user export all user of website
Description A user who has to change their password after logging in can export the website's user data. Proof of Concept Step 1: login to website by admin account and change password of a user. Check the box "Force password change upon next login" and save. Step 2: login to website by the accoun...
Out-of-bounds Read in r_bin_ne_get_entrypoints function
Description Out-of-bounds OOB read vulnerability exists in rbinnegetentrypoints function in Radare2 5.6.7 Version bash radare2 5.6.7 27777 @ linux-x86-64 git.5.6.6 commit: 0c4af43def68ce29f7a74847bb1b7286da155200 build: 2022-04-1008:53:32 Analysis The vulnerability exists due to the invalid type...
Leaking password protected articles content due to improper access control
Description Any user who can publish their article can protect it using a password before publishing. So, a valid password to the article is required to view the contents of the article. But when a request is made to article /2022/04/10/ the UI show it requires a password to view content. But the...
Stored XSS viva axd and cshtml file upload in star7th/showdoc
Description This is a bypass of the report: https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/ & https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/. Here the upload functionality allows the malicious files with the extension .cshtml and .axd which leads to Stored XSS...
Improper Authorization
Description When Gogs is build and configured for PAM authentification it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling an...
Cross-site Scripting (XSS) - Reflected
Description Hi, The endpoint https://demo.microweber.org/demo/admin/page is vulnerable to Cross Site Scripting. Proof of Concept 1. just navigate to the poc url:...
in thexxturboxx/dex2jar
Description This vulnerability is originally reported to pxb1988/dex2jar, but re-sending it again for maintained fork repository as requested. dex2jar is a set of tools to work with android .dex and java .class files. In these tools, there is a tool called "dex2smali", and this tool allows a...
in microweber/microweber
Description Sensitive information as part of the error is getting disclosed while viewing comments from "loadmodule:commentssearch=" Proof of Concept 1. Login to https://demo.microweber.org 2. Visit https://demo.microweber.org/demo/admin/view:modules/loadmodule:commentssearch= 3. Now enter anythi...
Cross-site Scripting (XSS) - Stored in librenms/librenms
Description Stored XSS in create/modify Transport Groups, Add/Edit Service and Edit Service Template Proof of Concept Payload: ' PoC image: Xss payload in create/modify Transport Groups Xss payload in Add/Edit Service Xss payload in Edit Service Template XSS will fire-up by user visiting: 1...
Improper Access Control in librenms/librenms
Description Improper Access Control vulnerability in LibreNMS v22.1.0 allows attackers with the normal role/level to interact with port-groups functionality such as create, edit/modify and delete the existing port group. The port-groups functionality fails to enforce policy such that normal users...
SQL Injection in salesagility/suitecrm
Description In SuiteCRM v7.12.4, a malicious user can inject SQL query in order to affect the execution of predefined SQL commands impacting database leakage. Proof of Concept The $POST'record'1 parameter is controllable by a user and it is concatenated into SQL query 2 without validating them...
in vim/vim
Description Using out of range pointer offset occurs in enterbuffer. commit : b247e0622ef16b7819f5dadefd3e3f0a803b4021 This case is created to correct the previous issue. Proof of Concept $ echo -ne "ZnUgUigpCnRhYjBsb3AKZTAKbGYKZW5kZgpjYWwgUigpCm5vcm0XFjAKY2FsIFIoKQpidw==" | base64 -d mpoc Valgri...
the function deepFromFlat of underscore.deep is vulnerable to prototype pollution
Prototype Pollution in Clever/underscore.deep Reported on Feb 2nd 2022 | Timothee Desurmont Description Vulnerability type: CWE-1321 Version 0.5.1 of underscore.deep is vulnerable to prototype pollution; the function deepFromFlat in underscore.deep.js do not check if the attribute resolves to the...
Heap-based Buffer Overflow in radareorg/radare2
Description This vulnerability is of out-of-bound read which accesses the address beyond/past the buffer. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code is located...
SQL Injection in pimcore/pimcore
Description The storeId parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection. Proof of Concept 1. Add items to Classification Store: Key definition, Group,... 2. Injection boolean base:...
None in radareorg/radare2
Description This vulnerability is of use-after-free. The bug exists in latest stable release radare2-5.5.4. Specifically, the vulnerable code is picked out as follows libr/io/iobank.c: // ./libr/io/iobank.c line 229 // the entry-data is a freed pointer address while entry && riosubmapto RIOSubMap...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you change the rule name in the admin dev page. Proof of Concept txt XSS POC : 1. Open the...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description pimcore is vulnerable to Stored Cross-Site Scripting in the name field via the import functionality. Steps to reproduce: 1. Navigate to settings -- Data Objects -- Objectbricks 2. ave the following data as JSON file and import it: json "classDefinitions": , "key": null, "parentClass":...
Business Logic Errors in pimcore/pimcore
Description The application is vulnerable to Business Logic error through negative cart amount. Proof of Concept Step 1: Login to the application https://10.x-dev.pimcore.fun/admin/login?perspective= Step 2: Navigate to Online shop - Pricing Rules - Voucher Discount - Actions Step 3: Enter Negati...
in bookstackapp/bookstack
Description During reading recent BookStack source code 31665410 I discovered no uploaded file type and size check. Authenticated user with attachment create role can upload any type file. One of possibilities is to upload phishing page and get administrators credentials. Proof of Concept POST...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description No CSRF in duplicate rule, and modifying the order of the rule group Proof of Concept Click Me! Click Me! Click Me! Impact This vulnerability is capable of tricking admin users to duplicate rule and modifying order of rule groups Permalinks selected with reference to this report:...
in star7th/showdoc
Description - CWE: CWE-288:Authentication Bypass Using an Alternate Path or Channel - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L , CVSS Score: 8.3High - Credit:Qianxin, Network Security Department, Product-Safety Team Unc1e In showdoc, there is a SSO process , DOC is shown in...
Server-Side Request Forgery (SSRF) in appwrite/appwrite
Description An authenticated SSRF vulnerability exists in appwrite's webhooks / tasks feature. The gopher:// protocol can be used to cause code execution on the Redis server that comes along with appwrite. The attacker must know the IP address of the redis-server which can be done by creating...
in firefly-iii/firefly-iii
Description file upload vulnerability in application Proof of Concept step to reproduce 1login to application 2 goto https://demo.firefly-iii.org/create-from-bill/1 3 upload file any kind of file application accept Reference PoC 1 https://i.ibb.co/9wWRnsf/Screenshot-12.png...
SQL Injection in opensourcepos/opensourcepos
✍️ Description The Application is vulnerable to blind SQL Injection 🕵️♂️ Proof of Concept URL: https://dev.opensourcepos.org/attributes/search?sort=1 Vulnerable Parameter: sort SQLMap POC --- Parameter: sort GET Type: boolean-based blind Title: Boolean-based blind - Parameter replace original...
Cross-site Scripting (XSS) - Stored in namelessmc/nameless
✍️ Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
✍️ Description Attacker able to delete Total available budget with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In...
Server-Side Request Forgery (SSRF) in gogs/gogs
✍️ Description In 2018, this issue was created to address a SSRF vulnerability in gogs wherein an attacker could have gogs send requests to network-internal hosts - a patch for this was released see diff and no queries about the SSRF issue seem to have been raised again since from what I can tell...
Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling
✍️ Description Cross site scripting via redirect url 🕵️♂️ Proof of Concept goto your boxbilling account and visit http://mysite.com/boxbilling/index.php?url=/bb-admin/extension/settings/redirect . here put xss paylaod xss"' in the redirect url field After saved you can see xss is executed Video...
Cross-site Scripting (XSS) - Stored in monicahq/monica
Description HTML codes can be entered and successfully run in the journal session of Monica, which allows an attacker to trigger XSS query's like causing a persistant stored XSS in the journal session. files at monica/2. Fix Suggestion Sanitize the input / escape the xss charecters or else escape...
Path Traversal in marcbachmann/node-html-pdf
Overview html-pdf is a Html to pdf converter in Node.js, this package is vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. Input...
Multiple Self-XSS Vulnerabilites
Description Multiple Self-XSS Vulnerabilities are triggered at multiple endpoints. http://localhost:8083/edit/server/ There is a bug in web/templates/pages/editserver.php file. Attacker can control $vtimezone. php ', theme: '', language: '', hasSmtpRelay: , remoteBackupEnabled: , backupType: '',...
heap-buffer-overflow in function swf_def_font scene_manager/swf_parse.c:1449
Description Heap-buffer-overflow in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
heap-use-after-free in mp4_mux_process_fragmented filters/mux_isom.c:6634
Description heap-use-after-free in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Use After Free in gf_filterpacket_del filter_core/filter.c:38
Description Use After Free in MP4Box. I'm not sure if this is a bug or an exploitable vulnerability. Since it was a double-free crash, I classified it as a UAF vulnerability type. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed...
division by zero in scene_manager/swf_svg.c, filters/dasher.c , filters/mux_isom.c and scene_manager/swf_parse.c
Description division by zero in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Store XSS in module name "admin/controllers/edit/comments/comments_list"
Description I noticed that you filtered the comment very carefully. But there are still some parts you missed Proof of Concept 1.Login with admin 2.go to "https://demo.instantcms.io/admin/controllers/edit/comments/commentslist" 3.Select 1 comment and insert payload 4.Click save , and store xss...