4072 matches found
Run malicious JS code with other kinds of encoding
Description We can Run malicious JS code With special escaping characters for ASCII chars that start with \x and also all Unicodes start with \u, like the followings : CR == \x0d and \u000d LF == \x0a and \u000a TAB == \t and \u0009 and \x09 So there can be many characters that we can't filter al...
Use-After-Free in function hash_new_from_values
Description Use-After-Free in function hashnewfromvalues at vm.c:1167 mruby version git log commit ac79849fde3381e001c3274fbcdda20a5c9cb22b HEAD - master, origin/master, origin/HEAD Author: Yukihiro "Matz" Matsumoto Date: Fri May 20 09:59:23 2022 +0900 Build export CFLAGS="-g -O0 -lpthread...
Session Fixation
šļø Requirements None. š Description The updateUser function does not reset user's session. šµļøāāļø Proof of Concept Use two browsers and on the first, update the second user's session to delete his privileges. Going to the second, you and refreshing the page, you will that the user have lost his...
Use After Free
Description Use After Free in gpac Proof of Concept MP4Box -bt POC1 POC1 is here ASAN ==74043==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000003fd0 at pc 0x7f0c5374e845 bp 0x7ffcfc56f2b0 sp 0x7ffcfc56f2a8 READ of size 8 at 0x604000003fd0 thread T0 0 0x7f0c5374e844 in...
Html Injection lead to cross site scripting
Description Hi i Found a way to inject html in user's email. So in this case if a attacker set name of victim as html form it will be rendered by your system and then the render html will be sent to the victim Proof of Concept 1. Goto https://paraio.com/signup/ and in name field add this payload...
Account Takeover
Description Hi there i found that forget password functionality can be manipulated and this lead to account takeover. So even if an attacker can takeover low access user to admin accounts. In this bug server is vulnerable to php type juggling attack Proof of Concept 1. While registering app for...
Arbitrary Code Execution through Sanitizer Bypass
Description The sanitizer function of the drawio core library which is responsible to sanitize various parts of a diagram of potentially dangerous HTML/JavaScript code can be bypassed. It is vulnerable to mutation XSS payloads, which allows escaping from the sanitizer. This allows arbitrary code...
Cross-site scripting - Reflected in Create Subaccount
Description Cross-site scripting - Reflected in Create Subaccount via codsubcuenta parameter. Proof of Concept POST /facturascripts/EditSubcuenta HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:100.0 Gecko/20100101 Firefox/100.0 Accept:...
Stored XSS via upload plugin functionality in zip format
Description Cross-site scripting XSS is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Here...
Heap-based Buffer Overflow
Description Heap-based buffer overflow in coresymbolication:272 Environment radare2 5.6.9 0 @ linux-x86-64 git. commit: 5.6.9 build: 2022-04-1923:49:49 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...
API Privilege Escalation
Description Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. On Easy!Appointments API authorizati...
Cross-site Scripting (XSS) - Stored
Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then, the vulnerability can be triggered when the user previews the document“s content. Proof ...
Server Side Template Injection
Description Grav is vulnerable to Server Side Template Injection via Twig. According to a previous vulnerability report, Twig should not render dangerous functions by default, such as system. PoC video. Proof of Concept Payload: 'cat\x20/etc/passwd'|filter'system' 1. With an authenticated user,...
Out-of-bounds read in `r_bin_ne_get_relocs` function
Description Out-of-bounds OOB read vulnerability exists in rbinnegetrelocs function in Radare2 5.6.7 due to a missing check on the index value. Version bash radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6 commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-0614:41:37 Proof of Concept bas...
heap-buffer-overflow
Description Whilst experimenting with radare2, built from version 5.6.6, we are able to induce a vulnerability at bindyldcache.c:125 in function va2pa , using radare2 as a harness. 118: static ut64 va2pauint64t addr, ut32 nmaps, cachemapt maps, RBuffer cachebuf, ut64 slide, ut32 offset, ut32 left...
SQL injection through marking blog comments on bulk as spam
Description the comments ids aren't checked and vulnerable for SQL injection Proof of Concept...
Stored XSS viva .webmv file upload
Description The application allows .webmv files to upload which lead to stored XSS Proof of Concept 1.First, open your text file/notepad and paste the below payload and save it as XSS.webmv: alert1337 alertdocument.domain alertdocument.location alert'XSSbySamprit Das' 2.Then go to...
Stored XSS due to Unrestricted File Upload
Description Stored XSS via uploading files in .aspx format. Proof of Concept filename="poc.aspx" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the...
Unrestricted Upload of File with Dangerous Type
Description This is a bypass of report https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/. The upload feature allows the files with the extension .html which leads to Stored XSS. Proof of Concept - Step 1: Login into showdoc.com.cn. - Step 2: Go to...
hostname spoofing via Improper Input Validation
Description When to use the parse-url, If user put the https://google.comhashvalue as argument, parse-url doesn't parse the hash value and parses hostname and hash together as hostname. http://localhost/hashvalue and http://localhosthashvalue are the same.. txt - new URL of node ⯠node -e...
Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods
Description 1 Checkout URL and Custom order id parameters are vulnerable to stored XSS, which are located in Shop Settings other settings Advanced 2 From e-mail address and From name parameters are vulnerable to stored XSS, which are located in Shop Settings Autorespond E-mail settings check your...
File upload filter bypass leading to stored XSS
Description A User can upload .a-zhtml file e.g. ahtml, bhtml, chtml, ddhtml, AS LONG AS it ends with html with XSS payload. Upon upload, a URL with malicious html can be accessed and javascript will be executed. Proof of Concept taking chtml as example Step 1 Login to the demo portal with admin...
XSS on dynamic_text module
Description There is XSS vulnerability on dynamictext module. Proof of Concept Visit - https://demo.microweber.org/demo/admin/view:modules/loadmodule:dynamictext Impact Below Post request was used to upload XSS payload POST /demo/api/savedynamictext HTTP/1.1 Host: demo.microweber.org Cookie:...
Abusing Backup/Restore feature to achieve Remote Code Execution
Description Admin can use Backup modules to upload a malicious PHP file, which can lead to RCE. Proof of Concept + Log in as admin, navigate to Modules - Backup: https://demo.microweber.org/demo/admin/view:modules/loadmodule:adminbackup + Prepare a malicious PHP file, in this case info2.php +...
Denial of Service
Description R2 will hang for several crafted binaries. Proof of Concept bash printf "%s" "AAA4AAAAAB4=" | base64 -d /tmp/a printf "%s" "z/rt/gwAAAEuAAB//wAAAACe2QEaAAAG+s8yAOH/AQAAAA==" | base64 -d /tmp/a printf "%s"...
in mruby/mruby
Description OOB read and OOB write in mrbarypush. commit : 903c5f978a2966465d8d5c6dfac55a977d134287 Proof of Concept bash $ echo -ne "bAticjWSUkRPTkxZC2I9e30MWyohMCxtOjAwLG06MF09MXxbKiEwLG0wXQo=" |base64 -d poc ASAN $ ./bin/mruby ./poc AddressSanitizer:DEADLYSIGNAL...
Cross-site Scripting (XSS) - Stored in microweber/microweber
Description Stored XSS occurs when changing a user's profile Proof of Concept txt XSS POC : "alertdocument.domain 1. Open the https://demo.microweber.org/demo/admin 2. Go to "Users" "Edit profile" 3. Change the value of "First Name" to XSS PoC 4. Refresh Impact Through this vulnerability, an...
Cross-site Scripting (XSS) - Stored in vanessa219/vditor
Description The Vanessa219/vditor is a markdown editor supported by browsers. When a user creates a link using the markdown syntax, the server does not URL-encode the double-quotes, so the user can escape the href attribute and trigger XSS using the on attribute. Proof of Concept txt XSS PoC : xs...
Cross-site Scripting (XSS) - Reflected in icecoder/icecoder
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end userās browser has no way to know that the script should not be trusted, and will execut...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description pimcore is vulnerable to Stored XSS at Name field in the setting tab of the Global Targeting Rules. Steps to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.In the left menu bar, click the Marketing icon then choose Personalization / Targeting - Global Targeting Rules...
Cross-site Scripting (XSS) - DOM in chatwoot/chatwoot
Title XSS in markdown link-maker Description While chatting with a client, both sides may use markdown. However, neither client's nor Chatwoot inner user's input is verified. Steps to reproduce. Note: this works in Safari and Firefox, not Chrome. I will use Telegram bot. 1. 1. Start a conversatio...
Cross-Site Request Forgery (CSRF) in yourls/yourls
Description 1. Hi there YOURLS team, I would like to report a Cross Site Request forgery vulenrability on YOURLS. Cross-site request forgery also known as CSRF is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows ...
Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
Description pimcore is vulnerable to Reflected XSS via the Search function for Document, Assets and Data Objects. Steps to reproduce 1.Login to pimcore admin. 2.In the left menu bar, click the Search icon then choose Documents, the Search Documents tab will display. 3.Input payload " into the...
Server-Side Request Forgery (SSRF) in snipe/snipe-it
Description Admin users on the external network can perform blind POST-based SSRF issue requests on behalf of the server into the internal network via the Slack Integration Performing portscans 1: Go to Slack Integrations 2: Use http://127.0.0.1:1337 as the Slack Endpoint. See the error message:...
Server-Side Request Forgery (SSRF) in dotcms/core
Description Hi team, I found a SSRF that allow me to access the elasticsearch API and get full response from the querys - As can be read in the following link dotCMS uses elastisearch, with this SSRF we can direct access the elastisearch REST API, - In a cloud environment, it can be possible to...
Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
Description Stored XSS via upload 'Attachments' with format .svg or .html Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept // PoC.svg...
Server-Side Request Forgery (SSRF) in osticket/osticket
Description The SSRF vulnerability in OSTickets detailed in CVE-2020-24881 is still unfixed, attackers can still make arbitrary requests via the server to the private network via the PDF print generator although they will not be able to exfiltrate anything other than image data. Proof of Concept ...
Inefficient Regular Expression Complexity in sindresorhus/semver-regex
āļø Description It allows cause a denial of service when formatting crafted invalid semver versions. šµļøāāļø Proof of Concept // PoC.mjs import semverRegex from 'semver-regex'; forvar i = 1; i = 50000; i++ var time = Date.now; var attackstr = '0.0.0-0' + '.-------'.repeati1 + '@';...
Inefficient Regular Expression Complexity in vuelidate/vuelidate
āļø Description A ReDoS regular expression denial of service flaw was found in the @vuelidate/validators package. An attacker that is able to provide crafted input to the urlinput function may cause an application to consume an excessive amount of CPU. šµļøāāļø Proof of Concept Create the following...
in yourls/yourls
āļø Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. šµļøāāļø Proof of Concept š„ Impact According to PortSwigger references, it is possible for a page controlled by an attacker...
Server-Side Request Forgery (SSRF) in sterlp/svg2png
:book: Description Svg2Png Manage your Icons in SVG and generate the needed PNG into your projects as needed. No "Web Service" needed, just an executable JAR file. this package is vulnerable to XXE. https://github.com/sterlp/svg2png :recycle: Steps To Reproduce-: 0 download and run latest release...
Cross-site Scripting (XSS) - Generic in kekingcn/kkfileview
Description kkFileView this package is vulnerable to Stored Cross-Site Scripting XSS. https://github.com/kekingcn/kkFileView Steps To Reproduce-: stored XSS 1 install https://github.com/kekingcn/kkFileView locally or https://file.keking.cn/index use demo 2 while uploading files for preview use js...
Code Injection in apolloauto/apollo
Description Arbitrary Code Excecution in genprotofile.py in ApolloAuto/Apollo. An open autonomous driving platform. Technical Description This package was vulnerable to Arbitrary code execution due to a use of a known vulnerable function load in yaml. fix is to be done genprotofile.py Exploit cod...
Cross-site Scripting (XSS) - Generic in s-cart/core
Description s-cart is a free e-commerce website project for businesses, built on the Laravel framework. this package is vulnerable to Stored Cross-Site Scripting XSS. https://github.com/s-cart/s-cart https://s-cart.org/about.html Steps To Reproduce-: 1 install https://github.com/s-cart/s-cart...
Store XSS when Add Reviewer
Description Store XSS when Add Reviewer Proof of Concept Payload: TESTalertdocument.domain Video Poc https://drive.google.com/file/d/16o4w6V-uCpkshFXYBb-pZRflpl7N3Sy4/view?usp=sharing...
Improper Authorization allows opening of arbitrary files
Description Tested on Build94 of the Inure application. It was discovered that the application had an exported activity .activities.association.TextViewerActivity which accepted intent data via the file scheme + text/ mime type and opened the associated files from provided URI data string. The...
Store XSS in Mail Setup
Description I noticed, your website is very secure. But you overlooked a flaw XSS . Proof of Concept Detail: 1 .Login vs admin demo account and access admin page. 2 .Go to Configuration == Mail setup. 3 .Insert payload into Password: test"alertdocument.domain 4 .Click save configuration == detect...
heap-use-after-free in mp4_mux_process_fragmented filters/mux_isom.c:6634
Description heap-use-after-free in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
signed integer overflow in filters/mux_isom.c:5716:20
Description The signed integer overflow in MP4Box, and the program will eventually crash due to double-free,. It is uncertain whether the signed integer overflow is directly related to double-free Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Par...
NULL Pointer Dereference in media_tools/mpeg2_ps.c, media_tools/avilib.c and filters/dasher.c
Description NULL Pointer Dereference in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...