4072 matches found
Reflected XSS - Accounting Module - Maintenance - Cleanup Stale Sessions
Description A reflected cross-site scripting XSS vulnerability exists within acct-maintenance-cleanup.php, which allows a malicious user to execute arbitrary JavaScript code. Proof of Concept 1. Navigate to /acct-maintenance-cleanup.php and enter the following payload alert1within the username...
Out-of-bounds Read in function build_stl_str_hl
Out-of-bounds Read in function buildstlstrhl at buffer.c:4350 vim version git log commit ea720aea851e645f4c8ec3b20afb27c7ca38184c HEAD - master, tag: v9.0.1137, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochor01s.dat -c :qa!...
Admin is able to ARCHIVE OWN Account leads to Deactivate ADMIN Account
Description As fer the Flow Admin can't ARCHIVE OWN account . i was able to ARCHIVE ADMIN OWN Account by intercept the request and change ID Value to Admin. which leads to ARCHIVED the ADMIN Account , :/ Please Restored it Might Be possible to DELETE Admin Account too , after ARCHIVE Account it's...
IDOR allows to see, update and delete other users shortcuts
Description Even if the endpoint /api/shortcut allow to see the list of your own shortcuts, it is possible to access, modify and delete other users shortcut accessing directly through the IDs. Proof of Concept - Login with one user, and create a shortcut, let's consider it now has the ID 1 - Logi...
Access all Private Memos by unauthorized user
Description After login , I create a new memo and post it then i tried to edit it So in editing POST request you can find the memo id in POST data and in the URL if you change it to any private memo you can access it Also you can change the private memo visibility status and content . Proof of...
Privilege vulnerability at API Change Password
Description There is a vulnerability at API Change password. I use API PATCH /api/user/x to get user's information and change their password. With x is the user's id, which are numbers in ascending or descending order Proof of Concept 1. Access to the demo website https://demo.usememos.com/ 2. Us...
Reflect XSS Which can help in any CSRF Vulnerability
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept Below HTML code for trigger XSS with POST method XSS POC By AggressiveUser history.pushState'', '', '/' Below BurpSuite POC YO...
Server Side Request Forgery Via DNS Rebinding
Description Appsmith below v1.8.1 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery SSRF via DNS Rebinding technique to hit AWS internal metadata endpoint and for retrieving data. Proof of Concept...
Stack-based Buffer Overflow in function win_redr_ruler
Description Stack Buffer Overflow in function winredrruler at drawscreen.c:799 . vim version git log commit ec1238b4068d0d6d9d02ac1a8e61720224a1be73 grafted, HEAD - master, tag: v9.0.0582, origin/master, origin/HEAD Proof of Concept poc download url:...
Mass Assignment in Self Controller Leads To Vertical Privillege Escalation
Description Hello there, y'all! How are you doing? Hope you are doing great! I was testing Budibase and noticed that the api endpoint /api/global/self, which is used for different purposes updating an user's name or their password, always receives an entire object containing most of the attribute...
Null Dereference in vim_regcomp()
Description: Null Dereference in vimregcomp at vim/src/regexp.c:2716 Vim Version: git log commit 8f7116caddc6f0725cf1211407d97645c4eb7b65 HEAD - master, origin/master, origin/HEAD Proof of Concept: $ git clone https://github.com/vim/vim.git $ cd vim/ && ./configure && make && cd src/ $ echo "call...
Persistent Cross-site Scripting - SlaPolicy Module - Settingss
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, On SlaPolicy module from Settings, the type of recordModel-name parameter is "Text" but it is not validated and it's used directly without any encoding or validation on SlaPolicy/EditViewBlocks.tpl. It...
NULL Pointer Dereference in function generate_loadvar
Description NULL Pointer Dereference in function generateloadvar at vim9compile.c:1165 allows attackers to cause a denial of service application crash via a crafted input. vim version git log commit e1f3fd1d02e3f5fe6d2b6d82687c6846b8e500f8 HEAD - master, origin/master, origin/HEAD Author: Bram...
Stored XSS vulnerability when importing RSS Feeds from external source
Description YetiForceCRM allows user create RSS Feeds without purifying the link field of the input data properly from external source. An attacker can take advantage of this vulnerability to perform an XML Injection attack that leads to stored cross-site scripting XSS on the target server. Proof...
Cross-site Scripting (XSS) - Reflected
Description Hi team, I found XSS at /module/. Proof of Concept Pop up POC: Reflected POC: Full request payload: POST /demo/module/ HTTP/1.1 Host: demo.microweber.org User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:102.0 Gecko/20100101 Firefox/102.0 Accept: / Accept-Language: en-US,en;q=0....
Stored xss in "users name","functions name","storage buckets name" and in "database collections name"
Description Appwrite application allows malicious javascript payload to inject in users name,functions name,storage buckets name and in database collections name which leads to Stored XSS. Proof of Concept 1.Login to the application 2.Go to the "users name","functions name","storage buckets name"...
Improper Access Control in Crabtyper API
Description The API program allows any user to create languages and snippets, as well as delete them. This allows a malicious actor to add offensive snippets which could appear to any user, and also allows anyone to completely take down the service by removing all snippets. This is due to...
Contextual Code Execution
Description The main function uses the eval function which can lead to contextual code execution, allowing an attacker to gain access to a system and execute commands with the privileges of the running program by setting NUITKAPYTHONPATH, NUITKANAMESPACES or NUITKAPTHIMPORTED to a malicious paylo...
Bypass filter - Stored XSS in Resources
Description Website does incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This fix for this bug https://huntr.dev/bounties/dcf87c0b-6188-4817-8798-ef1e2581b15a/ can be bypassed using bellow payload...
The publify application allows large characters to insert in the input field "title name and post field" on the article field which can allow attackers to cause a Denial of Service (DoS)
Description Please enter a description of the vulnerability. Proof of Concept 1 - Create New article https://demo-publify.herokuapp.com/admin/content/new 2 - Fill the title name and post field with huge characters, more than 1 lakh Copy the below payload and put it in the input fields and click o...
Cross-site scripting - Reflected in Create Subaccount
Description Cross-site scripting - Reflected in Create Subaccount via codsubcuenta parameter. Proof of Concept POST /facturascripts/EditSubcuenta HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:100.0 Gecko/20100101 Firefox/100.0 Accept:...
heap-buffer-overflow in mobi_get_attribute_value
Description heap-buffer-overflow /home/ubuntu/libmobi-public/src/parserawml.c:357 in mobigetattributevalue Environment Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal mobitool build: Apr 29 2022 20:52:30 gcc 9.3.0 libmobi: 0.10 Build export CC=gcc CXX=g++...
Improper access control could make any user export all user of website
Description A user who has to change their password after logging in can export the website's user data. Proof of Concept Step 1: login to website by admin account and change password of a user. Check the box "Force password change upon next login" and save. Step 2: login to website by the accoun...
Out-of-bounds Read in r_bin_ne_get_entrypoints function
Description Out-of-bounds OOB read vulnerability exists in rbinnegetentrypoints function in Radare2 5.6.7 Version bash radare2 5.6.7 27777 @ linux-x86-64 git.5.6.6 commit: 0c4af43def68ce29f7a74847bb1b7286da155200 build: 2022-04-1008:53:32 Analysis The vulnerability exists due to the invalid type...
Leaking password protected articles content due to improper access control
Description Any user who can publish their article can protect it using a password before publishing. So, a valid password to the article is required to view the contents of the article. But when a request is made to article /2022/04/10/ the UI show it requires a password to view content. But the...
SQL injection through marking blog comments on bulk as spam
Description the comments ids aren't checked and vulnerable for SQL injection Proof of Concept...
Stored XSS viva axd and cshtml file upload in star7th/showdoc
Description This is a bypass of the report: https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/ & https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/. Here the upload functionality allows the malicious files with the extension .cshtml and .axd which leads to Stored XSS...
Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods
Description 1 Checkout URL and Custom order id parameters are vulnerable to stored XSS, which are located in Shop Settings other settings Advanced 2 From e-mail address and From name parameters are vulnerable to stored XSS, which are located in Shop Settings Autorespond E-mail settings check your...
Improper Authorization
Description When Gogs is build and configured for PAM authentification it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling an...
Cross-site Scripting (XSS) - Reflected
Description Hi, The endpoint https://demo.microweber.org/demo/admin/page is vulnerable to Cross Site Scripting. Proof of Concept 1. just navigate to the poc url:...
in microweber/microweber
Description Sensitive information as part of the error is getting disclosed while viewing comments from "loadmodule:commentssearch=" Proof of Concept 1. Login to https://demo.microweber.org 2. Visit https://demo.microweber.org/demo/admin/view:modules/loadmodule:commentssearch= 3. Now enter anythi...
Cross-site Scripting (XSS) - Stored in librenms/librenms
Description Stored XSS in create/modify Transport Groups, Add/Edit Service and Edit Service Template Proof of Concept Payload: ' PoC image: Xss payload in create/modify Transport Groups Xss payload in Add/Edit Service Xss payload in Edit Service Template XSS will fire-up by user visiting: 1...
SQL Injection in salesagility/suitecrm
Description In SuiteCRM v7.12.4, a malicious user can inject SQL query in order to affect the execution of predefined SQL commands impacting database leakage. Proof of Concept The $POST'record'1 parameter is controllable by a user and it is concatenated into SQL query 2 without validating them...
in vim/vim
Description Using out of range pointer offset occurs in enterbuffer. commit : b247e0622ef16b7819f5dadefd3e3f0a803b4021 This case is created to correct the previous issue. Proof of Concept $ echo -ne "ZnUgUigpCnRhYjBsb3AKZTAKbGYKZW5kZgpjYWwgUigpCm5vcm0XFjAKY2FsIFIoKQpidw==" | base64 -d mpoc Valgri...
the function deepFromFlat of underscore.deep is vulnerable to prototype pollution
Prototype Pollution in Clever/underscore.deep Reported on Feb 2nd 2022 | Timothee Desurmont Description Vulnerability type: CWE-1321 Version 0.5.1 of underscore.deep is vulnerable to prototype pollution; the function deepFromFlat in underscore.deep.js do not check if the attribute resolves to the...
Heap-based Buffer Overflow in radareorg/radare2
Description This vulnerability is of out-of-bound read which accesses the address beyond/past the buffer. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code is located...
Cross-site Scripting (XSS) - Reflected in icecoder/icecoder
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
SQL Injection in pimcore/pimcore
Description The storeId parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection. Proof of Concept 1. Add items to Classification Store: Key definition, Group,... 2. Injection boolean base:...
None in radareorg/radare2
Description This vulnerability is of use-after-free. The bug exists in latest stable release radare2-5.5.4. Specifically, the vulnerable code is picked out as follows libr/io/iobank.c: // ./libr/io/iobank.c line 229 // the entry-data is a freed pointer address while entry && riosubmapto RIOSubMap...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you change the rule name in the admin dev page. Proof of Concept txt XSS POC : 1. Open the...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description pimcore is vulnerable to Stored Cross-Site Scripting in the name field via the import functionality. Steps to reproduce: 1. Navigate to settings -- Data Objects -- Objectbricks 2. ave the following data as JSON file and import it: json "classDefinitions": , "key": null, "parentClass":...
Business Logic Errors in pimcore/pimcore
Description The application is vulnerable to Business Logic error through negative cart amount. Proof of Concept Step 1: Login to the application https://10.x-dev.pimcore.fun/admin/login?perspective= Step 2: Navigate to Online shop - Pricing Rules - Voucher Discount - Actions Step 3: Enter Negati...
in bookstackapp/bookstack
Description During reading recent BookStack source code 31665410 I discovered no uploaded file type and size check. Authenticated user with attachment create role can upload any type file. One of possibilities is to upload phishing page and get administrators credentials. Proof of Concept POST...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description No CSRF in duplicate rule, and modifying the order of the rule group Proof of Concept Click Me! Click Me! Click Me! Impact This vulnerability is capable of tricking admin users to duplicate rule and modifying order of rule groups Permalinks selected with reference to this report:...
in star7th/showdoc
Description - CWE: CWE-288:Authentication Bypass Using an Alternate Path or Channel - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L , CVSS Score: 8.3High - Credit:Qianxin, Network Security Department, Product-Safety Team Unc1e In showdoc, there is a SSO process , DOC is shown in...
Server-Side Request Forgery (SSRF) in appwrite/appwrite
Description An authenticated SSRF vulnerability exists in appwrite's webhooks / tasks feature. The gopher:// protocol can be used to cause code execution on the Redis server that comes along with appwrite. The attacker must know the IP address of the redis-server which can be done by creating...
in firefly-iii/firefly-iii
Description file upload vulnerability in application Proof of Concept step to reproduce 1login to application 2 goto https://demo.firefly-iii.org/create-from-bill/1 3 upload file any kind of file application accept Reference PoC 1 https://i.ibb.co/9wWRnsf/Screenshot-12.png...
SQL Injection in opensourcepos/opensourcepos
✍️ Description The Application is vulnerable to blind SQL Injection 🕵️♂️ Proof of Concept URL: https://dev.opensourcepos.org/attributes/search?sort=1 Vulnerable Parameter: sort SQLMap POC --- Parameter: sort GET Type: boolean-based blind Title: Boolean-based blind - Parameter replace original...
Cross-site Scripting (XSS) - Stored in namelessmc/nameless
✍️ Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
✍️ Description Attacker able to delete Total available budget with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In...