4072 matches found
Server-Side Request Forgery (SSRF) in gogs/gogs
✍️ Description In 2018, this issue was created to address a SSRF vulnerability in gogs wherein an attacker could have gogs send requests to network-internal hosts - a patch for this was released see diff and no queries about the SSRF issue seem to have been raised again since from what I can tell...
Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling
✍️ Description Cross site scripting via redirect url 🕵️♂️ Proof of Concept goto your boxbilling account and visit http://mysite.com/boxbilling/index.php?url=/bb-admin/extension/settings/redirect . here put xss paylaod xss"' in the redirect url field After saved you can see xss is executed Video...
Cross-site Scripting (XSS) - Stored in monicahq/monica
Description HTML codes can be entered and successfully run in the journal session of Monica, which allows an attacker to trigger XSS query's like causing a persistant stored XSS in the journal session. files at monica/2. Fix Suggestion Sanitize the input / escape the xss charecters or else escape...
Path Traversal in marcbachmann/node-html-pdf
Overview html-pdf is a Html to pdf converter in Node.js, this package is vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. Input...
Multiple Self-XSS Vulnerabilites
Description Multiple Self-XSS Vulnerabilities are triggered at multiple endpoints. http://localhost:8083/edit/server/ There is a bug in web/templates/pages/editserver.php file. Attacker can control $vtimezone. php ', theme: '', language: '', hasSmtpRelay: , remoteBackupEnabled: , backupType: '',...
heap-use-after-free in mp4_mux_process_fragmented filters/mux_isom.c:6634
Description heap-use-after-free in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
division by zero in scene_manager/swf_svg.c, filters/dasher.c , filters/mux_isom.c and scene_manager/swf_parse.c
Description division by zero in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Cross-site Scripting (XSS) - Stored
Description 1. Go to Setting Server == Choose Configuare. 2. Continue to choose backup == Remote Backup. 3. Inject the payload into the fields host,port,username... Proof of Concept link ProC : https://drive.google.com/file/d/1DcCMP9lT93HYNO3RzGllCVu3Mgk7yfK/view?usp=sharing Payload payload = "im...
Store XSS in module name "admin/controllers/edit/comments/comments_list"
Description I noticed that you filtered the comment very carefully. But there are still some parts you missed Proof of Concept 1.Login with admin 2.go to "https://demo.instantcms.io/admin/controllers/edit/comments/commentslist" 3.Select 1 comment and insert payload 4.Click save , and store xss...
attackers with role "USER" can create tags
Description It seems that the users with role ""USER" has no permission with creating tags, but we do not enforce it. Ohers operation, like edit and delete has no problem. Proof of Concept pull the latest docker and setup answer 1 create a user with name "normaluser", whose role is "USER" 2 admin...
heap-buffer-overflow in function id3dmx_flush filters/reframe_mp3.c
Description Heap-buffer-overflow in MP4Box. Version bash MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
OOB read from unchecked return
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the latest release as of 05/29/23 the current master branch at commit 4f810869b06b5d7b0cb73d166864dfb4b1e900f6 . Description This AddressSanitizer output is indicating a read on an unknown...
privilege escalation with least config
Description User can privilege escalation to admin role which least config Proof of Concept login in https://11.x-dev.pimcore.fun/admin/ and add a new users in settings - users with have access Permissions - users after that login in a new user and come settings - users - new user update new rule...
Weak Password policy on account registration
Description It was observed that application allows to create account with Blank spaces as password Proof of Concept 1. Go to https://meta.answer.dev/users/register 2. Create account with 10 blank spaces as password Result: Application allows to create user account with blank spaces as password...
Stored XSS via Markdown Comment
Description Register one account on blog, if account was actived, it can be comment. \ We can commment with markdown.\ When another user clicks on the comment there may be an XSS alert. I git clone project and build with docker. Latest commit is: 07a1ded08eb4e0c6979f6aeebc35f3864ba250a7\ \ Proof ...
Multiple XSS in Create/Update Funtion Version 1.4.3 and 1.5.0-dev.2
Description Stored XSS on create/update service, categories, settings. I was test on 1.4.3 demo site and 1.5.0-dev2 Proof of Concept Install\ I install from develope branch. When finish install footer display version v1.5.0-dev.2\ The time I run and commit below on image is the latest\ \ webUI\ ...
XSS in Predefined Asset Metadata module in Settings
Description While testing the pimcore application, I found that it is vulnerable to XSS vulnerability in Predefined Asset Metadata module in Settings, specifically at Name field. Proof of Concept 1.Go to https://11.x-dev.pimcore.fun/admin/ then login. 2.Go to Settings - Predefined Asset Metadata...
Instropection query is enabled on demo.pimcore.fun
Description Introspection is enabled on the demo.pimcore.fun. demo site has graphql feature for users but via that graphql endpoint attacker can run the instropection queries. which makes the vulnerable. Proof of Concept Just visit the link...
HTML Injection on Settings/Template
Description Found HTML Injection on Template module on Settings. Proof of Concept 1. Login as Administrator and go to Settings. 2. On under Website Settings, go to Template. 3. Specifically, to this URL - https://demo.microweber.org/demo/admin/view:content/action:settings?group=template 4. Then...
RCE using bad deserialization
Description Qwik provides an extended serialization mechanism for exchanging data between the client and server. This allows for the serialization and deserialization of Date, Regex, Signal, Function and many other useful data types. The Function deserializer can be accessed using the...
Stored XSS in Sitename
Description There is a presence of stored xss in username, which directly gets rendered whenever the page is opened. Proof of Concept 1: use the below command to clone the repo in your machine git clone https://github.com/answerdev/answer.git 2: Navigate inside the repo cd answer 3: Use...
division zero
Description division by zero in fuction scrolldown at move.c:1739 version git log commit ea62cee85e9e77ec86edd9843926dadb69978753 HEAD - master, tag: v9.0.1327, origin/master, origin/HEAD Author: Bram Moolenaar Date: Sun Feb 19 18:36:41 2023 +0000 patch 9.0.1327: cursor in wrong position below li...
Stored xss real name
Description In the admin account, there is a feature to add a user. In this feature, a vulnerability was found in the "Your Name" form. Proof of Concept 1.go to https://roy.demo.phpmyfaq.de/admin/?action=user 2.add user with realname alert'123' 3.go to...
CSRF in all endpoints of /lib/ajax.php by Changing the request method to GET
Description I have found a CSRF in all the request in /lib/ajax.php by changing the request to GET and the page is also get errors. So user cannot use any function on the page Proof of Concept 1. Go to https://demo.froxlor.org/ and login as any user. ie. admin 2. Now open...
Stored XSS - allows stealing Admin and Users Cookies
Dear Ladies and Gentlemen, First of all thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Ahmed Hassan [email protected] and I were able to identify a stored XSS Cross-Site-Scripting Vulnerability. The Process of the Vulnerability: Login ...
Stored HTML Injection
Dear Ladies and Gentlemen, First of all thank you for your time and effort reading my Report. While doing the Penetration Test i was able to identify a stored XSS in the Username. When an admin or another Users try to set up a new account and set his name to alert‘1’ the Javascript will run and...
File Upload Type Validation Error
Description The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature p.e. GIF89 and sending any invalid content-type. This could allow an authenticated attacker to...
Dom XSS in Add Question
Description Evil users can attack other users or administrator users through this vulnerability, causing other users/administrator user accounts to be taken over Proof of Concept step1. Add a normal user and log in step2. Add a new question and insert xss payload in the body Step3. Login admin us...
Mootools-more 1.6.0 is use which is potential vulnerable to CVE-2021-20088
Description Mootools-more 1.6.0 is use which is potential vulnerable to CVE-2021-20088 Proof of Concept https://github.com/BlackFan/client-side-prototype-pollution/blob/master/pp/mootools-more.md...
NULL Pointer Dereference
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Release: n/a Codename: bookworm Version I checked against the latest release as of 12/27/22 version 5.8.0 and the current master branch at commit 031da1be8f6c9aa55f6e4e76df962d2c85dc32e8 . Description This...
Get all file in resource of any user and Delete any file of any user via IDOR
Description Easily GET information of all files uploaded by all users in Resources via API https://demo.usememos.com/api/resource/$idresource method GET Easily DELETE of all files uploaded by all users in Resources via API https://demo.usememos.com/api/resource/$idresource method DELETE Proof of...
Stored XSS while adding a memo
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Proof of Concept Payload: " 1 Go to https://demo.usememos.com/ and login...
Stored XSS in memos while creating
Description After login create a new memo with the following XSS payload " and click save that will make alert Proof of Concept "...
Session cookie without 'HttpOnly' Flag
Description All versions of daloRADIUS prior to the master branch transmit the session cookie i.e. PHPSESSID without setting the HttpOnly flag. Proof of Concept $ curl --head http:///login.php HTTP/1.1 200 OK Date: Tue, 20 Dec 2022 14:11:38 GMT Server: Apache Set-Cookie:...
XSS in Integration URL
Description XSS vulnerability in integration URL that could execute javascript when clicking on the URL Proof of Concept 1. navigate to the panel dashboard 2. add or edit integration and insert the URL of integration with this payload javascript:alert1 POC:...
Path traversal vulnerability found
Description please check this link https://demos4.softaculous.com/FlatPressfgbu50zqaa/fp-content/ Proof of Concept https://prnt.sc/0UGovVLWcKo7...
Unauthorized access to settings update, logs , history, delete etc of repositories
Hey, Attack Scenario: Admin setups new user with User privileges and gives access to repos "/" root directory, after a time due to some reason he revoke the privileges of the directory access but user privileged attacker can still edit settings , check logs and view history without having...
xss in live edit
Description when you make website and login as admin if u add user as admin he maybe evil admin n live edit https://demoxss.microweber.net/?editmode=y i start edit as html i see i can write script but didnt pass when u open site as end user then i just try add html tag with events but the sam...
Post parameter namespaceMD5 is vulnerable to reflected XSS
Description The POST parameter namespaceMD5 is vulnerable to reflected XSS. Proof of Concept javascript // POST request to /module with parameters and payload namespaceMD5=3389dae361af79b04c9c8e7057f60cc6test''"alertalert&module=settings%2Fgroup%2Flanguageimport&id=mwadminimportlanguagemodalconte...
Origin validation Bypass
In the following python script py if request.method in 'POST', 'PUT', 'PATCH', 'DELETE': origin = request.headers.get'Origin', None if origin and not origin.startswithrequest.base: raise cherrypy.HTTPError403, 'Unexpected Origin header' Explanation: In the above lines of code, The origin is being...
Cross Site Request Forgery in Admin area leads to deletion of repositories and users
Description Server accepts the GET request for deleting repositories and users which can lead to CSRF attack on repositories'. Proof of Concept Open the below URL after logging in to the admin account in demo site. For deleting Repository : Replace "replace-here" with a repo name...
Stored XSS
Description openemr has a feature to customize the "User Manual Link Override" , due to a bad sanitization it allows to put javascript:// scheme which allows to execute javascript code. Proof of Concept 1. login with admin 2. go on Global Settings - Branding 3. Edit User Manual Link Override Fiel...
User Enumeration via Response Timing
Description There is a significant timing difference in the login functionality for valid and invalid usernames. Proof of Concept Steps to reproduce: 1. Attempt a Login with a valid user and an invalid user and observe the difference in the response time Here is a small test script alternatively ...
Reflected XSS via POST
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
No rate limit via proxy url parameter
Description Hi Drawio Team , Your proxy server has no limit of requests which an attacker can use it as PORT SCANNER. https://app.diagrams.net/proxy?url=IP:PORT&base64=1 Proof of Concept Image from my OWASP ZAP : https://ibb.co/h87hz3N...
Session Fixation
Description The session is not invalidated after a password change. Proof of Concept Open Snipe-IT in the browser and login. Do the same in a private window such that there are two sessions. Change the password in one of the two sessions and observe that the second session is not invalidated...
Persistent Cross Site Scripting - Workflow Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, On Workflow module from Settings, the type of workflowModel-summary parameter is not defined and validated, it's used directly without any encoding or validation on Workflows/Step1.tpl and...
Exposure of Sensitive Information Lead To Admin Account Take Over
Description The AP officers account is authorized to Backup and Restore the Database, Due to this he/she can download the backup and see the password hash of the System Administrator account, The weak hash MD5 of the password can be easily cracked and get the admin password. Proof of Concept Step...
Use After Free in function string_quote
Description Use After Free in function stringquote at vim/src/strings.c:777 vim version git log commit c9b6570fab46bf2c246a954cfb8c0d95fe2746b3 grafted, HEAD - master, tag: v9.0.0203, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc1uaf.da...
Hostname Spoofing
Description parse-url parses following https url incorrectly, identifies its protocol as ssh, and its host name is parsed incorrectly either. https://www.google.com:[email protected]:x node -e 'const parseUrl=require"parse-url";console.logparseUrl"https://www.google.com:[email protected]:x"' protocols:...