4072 matches found
Android Manifest Misconfiguration Leading to Task Hijacking
Description Task hijacking allows malicious apps to inherit permissions of vulnerable apps and is usually used for phishing login credentials of victims. This vulnerability applies to all Android versions before Android 11. Steps To Reproduce: 1. Victim installs malicious app 1. Victim starts...
Insecure Storage of Sensitive Information in chatwoot/chatwoot
BUG ======== Stored xss via referer url allow to hijack victim access-token STEP TO REPRODUCE =================== 1. From admin account goto https://app.chatwoot.com/app/accounts/42689/settings/inboxes/list and create a inbox of type website .\ Now get you configuration script from this inbox and...
Open Redirect on "returnUrl=" parameter
Description Hello Team while testing the "returnUrl=" parameter on login page it was not vulnerable, but I found another way to get Open Redirect with that parameter Proof of Concept Here is the Video POC of this vulnerability...
Stored XSS via image markdown
Description The site allows creating markdown to get an image from a link, from which we can use it to generate XSS. Proof of Concept Payload: markdown Video: Youtube Only works on Google Chrome...
Cross-site Scripting (XSS) - Stored in yeswiki/yeswiki
Description Stored XSS when Add a new entry for Forum Proof of Concept // PoC.req POST /doryphore/?BazaR&vue=saisir&action=saisirfiche&id=2 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:96.0 Gecko/20100101 Firefox/96.0 Accept:...
Information leakage in EXIF data of images
Description EXIF stands for Exchangeable Image File Format and the EXIF data contains information such as the camera model and make, shutter speed, aperture, focal length, ISO number, date, time and much more. It can also store GPS coordinates of the location where an image was shot. Proof of...
Prototype Pollution in silentmatt/expr-eval
βοΈ Description With speficific input attckers can define properties on prototype, which will lead to prototype pollution. Need node version=12.0.0, which introduce Object.fromEntries π΅οΈββοΈ Proof of Concept // PoC.js const Parser = require'expr-eval'; const o = ; console.log"o.a=", o.a; // o.a=...
Cross-site Scripting (XSS) - Generic in apexcharts/apexcharts.js
Description apexcharts is vulnerable to Cross-Site Scripting XSS. Proof of Concept 1. Install the package by following this instruction https://apexcharts.com/docs/installation/ or try the live sandbox here https://codepen.io/apexcharts/pen/xYqyYm 2. Edit JS and insert the XSS payload below in th...
Blind SSRF on the RSS Feed
A normal user can add an RSS Feed with an internal URL which could lead to a blind SSRF issue by using local URLs...
Prototype Pollution in react-atomic/react-atomic-organism
Description set-object-value is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var setObjectValue = require"set-object-value" var obj = console.log"Before : " + .polluted; setObjectValueobj, 'proto','polluted', 'Yes! Its Polluted'; console.log"Afte...
Vulnerable javascript dependency used in adminsidepanel.js
Description The adminsidepanel.js used Vue.js v2.6.10, which contains the vulnerable vue-server-renderer's dependency of serialize-javascript. Proof of Concept 1.Go to https://demo.limesurvey.org/tmp/assets/cb9c5d96/build.min/js/adminsidepanel.js and search for Vue.js v2.6.10 term. We can note th...
SSRF via Import URL
Description While importing CSV and Excel file via an URL, the server does not validate requests properly that's how the attacker can able to make requests to internal servers and access the contents. Proof of Concept 1. Go to any project 2. From Dashboard, click on Add / Import CSV or Microsoft...
Server-Side Request Forgery (SSRF)
Description The fixes for CVE-2022-0767 & CVE-2022-0766 only address loopback/localhost IP addresses, this is an issue as other internal endpoints may be accessible to an attacker one of the most popular examples is 169.254.169.254 which is the AWS metadata address Proof of Concept The same as...
Account Takeover and Persistence due to the Oauth Misconfiguration
Team, May you all be well on your side of the screen. : . While Doing some research on thehttps://cal.com/, I was able to find a Pre-Account Takeover vulnerability. Proof of concept: . I have created a video demonstration of the vulnerability and uploaded it to my Google Drive. . The link for the...
Inefficient Regular Expression Complexity
Description Inefficient regular expression complexity regex when trying to match Potentially Trustworthy could lead to a denial of service attack. With a formed payload 'http://' + 'a.a.'.repeati + 'a', 76 characters payload could take 42642 ms time execution. Proof of Concept // PoC.js import...
Password Reset link hijacking via Host Header Poisoning
Description LinkStack uses the Host header when sending out password reset links. This allows an attacker to insert a malicious host header, leading to password reset link / token leakage. Tested on a default Docker Compose installation of LinkStack https://github.com/LinkStackOrg/linkstack-docke...
SSRF via Plugin SMTP
Description The SMTP plugin doesn't have verification or validation, allowing the attacker to make requests to internal servers and get the contents. Reproduce 1. Go to Team & Settings 2. App Store SMTP 3. Configure and intercept Test request 4. Change Host/Port to internal address, example:...
in star7th/showdoc
Description There is a filter to prevent upload php, HTML, svg filetype in the code snippet from line 115 to line 122 in AttachmentController.class.php: if strstrstriptagsstrtolower$uploadFile'name', ".php" || strstrstriptagsstrtolower$uploadFile'name', ".htm" ||...
XSS via postMessage to deface any website and account takeover
Description Hey Chatwoot team, while looking for vulnerabilities I found a critical XSS which allow us to XSS/Deface any website which uses the chat, this can be automated to attack thousands of websites Vulnerable Code Inside this function...
Prototype Pollution in tandrewnichols/safe-obj
Description safe-obj is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js var safeObj = require"safe-obj" var obj = ; console.log"Before: " + .polluted safeObj.expandobj, "proto.polluted", true console.log"After: " + .polluted 2. Execute th...
Cross-site scripting - Stored via upload `.svg` file in
Description When user upload a file with .svg extension and direct access this file, the server response with Content-type: image/svg+xml lead to processing SVG as HTML file Proof of Concept POST /api/resource HTTP/2 Host: demo.usememos.com Cookie:...
Cross-site Scripting (XSS) - Reflected in gnuboard/gnuboard5
Description The reflected XSS vulnerability occurs to a flaw in the cleanxsstags function called in memo.php of Gnuboard 5. This cleanxsstags is a Sanitizer that removes XSS-vulnerable tags and attributes. However, it can bypass Sanitizer by using a newline character. %0A, %0D, ETC Proof of Conce...
Integer overflow in realloc call
Description Integer overflow in realloc and memcpy calls in coreanalgraphlabel. In the process of concatenating source lines based on DWARF data, the resulting size 32bit signed int can overflow. The sizes of the realloc and memcpy calls differ, and potentially can lead to writes in an unintended...
SSRF in embed2 servlet via redirects
Description Embed2Servlet uses url.OpenConnection in https://github.com/jgraph/drawio/blob/7a68ebe22a64fe722704e9c4527791209fee2034/src/main/java/com/mxgraph/online/EmbedServlet2.javaL400 which follows redirects by default. However, the redirections are not being checked, hence it is possible to...
Reflected XSS on demo.microweber.org/demo/module/
Description Reflected XSS with filter bypass on /demo/module/ using module= & style= parameters. Proof of Concept https://demo.microweber.org/demo/module/?module='ontransitionend=alert1'"tabindex=1&style=transition:outline%200.001s&id=x&data-show-ui=admin&class=x&fromurl=https://demo.microweber.o...
Stored XSS Via SVG File Upload
XSS Via SVG File Upload When uploading an image file to a bug report, you're able to upload .svg files which aren't properly sanitized before they are rendered, so any embedded Javascript will execute. Steps To Reproduce 1. Create a bug report 2. Upload a SVG attachment with a Javascript payload...
Out-of-bound read in function msg_outtrans_special
Description Out-of-bound read in function msgouttransspecial at message.c:1716 Version commit c101abff4c6756db4f5e740fde289decb9452efa HEAD - master, tag: v8.2.5164 Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc4min2 -c :qa! ==23509=...
File Upload Bypass Leads to Remote Code Execution (RCE)
Description Vulnerable file upload functionality that users can upload files. Although almost all files with extensions like php, phtml, etc. have been prevented, an attacker can still upload phps files and remote code execute . Condition The Apache server which is hosting the web application nee...
in dompdf/dompdf
Description Improper restriction of external entities XXE in DomPDF's SVG parser allows it to perform an SSRF even if isRemoteEnabled set to false or even cause a deserialization attack in the SVG parser this time. Proof of Concept Payload 1 - SSRF only allowurlfopen required This embeds Google...
Stored XSS - XSS in RSS link
Description An Administrator can import a malicious RSS feed that contains Cross Site Scripting XSS payloads inside RSS links. The administrator can then make the RSS feed available to all users of the software. Victims who wish to visit an RSS content will execute the Javascript code in a new ta...
Mutation Stored XSS at homepage
Description bookwyrm HTML input sanitizer is vulnerable to Mutation XSS. The payload could be stored and displayed on the homepage of the website path /feed or /discovery making it widely affects all users and the main website. Proof of Concept Edit a book description: // PoC Access to the /feed...
Heap-based Buffer Overflow in vim/vim
βοΈ Description While testing vim built from commit ddfc051 with Ubuntu clang version 12.0.0-3ubuntu120.04.3 and Address Sanitizer, we discovered crafted input which triggers a heap-buffer-overflow, READ of size 1. π΅οΈββοΈ Proof of Concept 1. git clone https://github.com/vim/vim LD=lld AS=llvm-as...
AppImage Vim loads libc.so.6 from pwd
Description The appimage distribution of vim loads libc.so.6 from the current directory of the user. An attacker with control of files in a directory where the user uses vim could execute arbritrary code. Proof of Concept Proof of concept will use a malicious libc.so.6 generated with below patch ...
Time-Based Blind SQL injection leads to database extraction
Proof of Concept Login your account. then copy the coope and paste on below raw request POST /ajaxtable.php HTTP/1.1 Host: demo.librenms.org User-Agent: Mozilla/5.0 Windows NT 10.0; rv:78.0 Gecko/20100101 Firefox/78.0 Content-Length: 221 Accept: / Accept-Language: en-US,en;q=0.5 Content-Type:...
IDOR to delete user resources
Description Insecure direct object references IDOR are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Proof of Concept 1 Login into your account at demo.usememos.com 2 Turn on your burpsuite proxy 3 Go to the resources...
No rate limit on main Login page lead to account takeover
Hi Team, Summary: As a best practice a login page should have a rate limit to avoid any kind of brute force. Aslo The password policy used in the account creation and password change pages is weak, allowing to set a password of only 1 character...
Command Injection in facebook/create-react-app
description react-dev-utils includes some utilities used by Create React App. The function getProcessForPort in react-dev-utils is vulnerable to command injection. PoC Create a .js file with the content below and run it, then the file pzhou@shu can be illegally created. var getProcessForPort =...
Cross-site Scripting (XSS) - Generic in ciur/papermerge-js
:star2: Description - Papermerge is an open source document management system DMS primarily designed for archiving and retrieving your digital documents. Instead of having piles of paper documents all over your desk, office or drawers. In The Admin Upload Function. Users Are Able To Trigger...
The publify application allows large characters to insert in the input field "First name and Last name" on the profile field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in publify / publify
Description The publify application allows large characters to insert in the input field "First name and Last name" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request Proof of Concept 1 - go to your profile https://demo-publify.herokuapp.com/admin/profiles 2 -...
Cross-site Scripting (XSS) - Reflected in gnuboard/gnuboard5
Description https://github.com/gnuboard/gnuboard5/blob/v5.4.22/mobile/shop/lg/mispwapurl.phpL7 has no filtering for the variable. So, Attackers can trigger Reflected XSS via $GET'LGDOID' Proof of Concept /mobile/shop/lg/mispwapurl.php?LGDOID=%3Cscript%3Ealert1%3C/script%3E Impact Attacker can...
Exposure of Sensitive Information to an Unauthorized Actor in ionicabizau/parse-url
Description First Assume this example var parseUrl = require"parse-url" parseUrl"http://[email protected]:[email protected]/path/name?foo=bar&bar=42some-hash" that return : protocols: "http" protocol: "http" port: null resource: "[email protected]" user: "" pathname:...
Restricted shell escape in RVIM
Description A shell escape vulnerability has been discovered in the restricted version of Vim rvim. This vulnerability allows an attacker to execute arbitrary code with the privileges of the user running Vim. Proof of Concept The shell escape vulnerability in the restricted version of Vim rvim is...
Cross-site Scripting (XSS) - Stored in idempiere/idempiere
βοΈ Description Stored xss via svg file upload π΅οΈββοΈ Proof of Concept you can upload this svg file https://github.com/ranjit-git/poc/blob/master/evilsvgfile.svg .\ Check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1nKXfSUjU5vDEMMY6cAmRs6d3MCPoj0uv/view?usp=sharing π₯...
Email Address Manipulation Vulnerability
Description During testing of phpmyfaq, it was discovered that the application does not properly validate email addresses when updating user profiles. This vulnerability allows an attacker to manipulate their email address and change it to another email address that is already registered in the...
SVG Sanitization Bypass - XSS
Description In imgproxy application, we bypassed the svg sanitization function. In this way, attacker can craft malicious svg file and run javascript on the application. Proof of Concept Here is the content of the malicious svg file. After that you can call this svg file like below...
Segmentation Fault caused by MP4Box -lsr
Version: MP4Box -version MP4Box - GPAC version 2.1-DEV-rev48-gf6d6225a9-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io/ MINI build encoders, decoders, audio and video output disabled Please cite our work in your research: GPAC Filters:...
Code Injection in timstudd/node-wkhtmltoimage
Description The wkhtmltoimage module is vulnerable against RCE since a command is crafted using user inputs not validated and then executed, leading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js var wkhtmltoimage = require'wkhtmltoimage';...
in phpipam/phpipam
Description The phpIPAM 1.4.5 incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor in the Import/Export feature. A normal user with the role of User could download XLS file of IP addresses, hostfile dump and export system database that...
HTML Injection Leads To Open Redirect
Description HTML injection is possible in the Installation title parameter, which leads to Open Redirect when clicked. Proof of Concept Open Redirect 1. Login as Admin 2. Navigate to settings 3. Edit the Installation title and set it to: Click Me 4. Save Changes 5. Click the Click Me text on the...
SQL injection in Calendar.php
Description In Calendar.php line 498-513, web server get values parameter as a part of sql query without sanitize, so attacker can be manipulated sql query, which is executed by web server...