4072 matches found
DOM-based Cross-Site Scripting (XSS) in OpenEMR 7.0.0 and below at White list files
Description We would like to report the vulnerability we found during software testing. The OpenEMR 7.0.0 latest version and below version; Open Source electronic health records and medical practice management application; has DOM-based Cross-Site Scripting XSS vulnerability in the...
Reflected Cross Site Scripting in OpenEMR 7.0.0 and below at backup
Description We would like to report the vulnerability we found during software testing. The OpenEMR 7.0.0 latest version and below version Open Source electronic health records and medical practice management application has Reflected Cross Site Scripting vulnerability in the formstatus parameter...
[Bypass] Cross-site Scriptin (XSS) via file upload
šļø Requirements Privileges: User. š Description I found a bypass to this report by uploading the file with "public": true, parameter. This is due to the fact that AWS bucket public folder does not auto download files when we access them. šµļøāāļø Proof of Concept Step 1: Go your outline home and...
Reflected XSS in Username
Description If a regular user's username is set to a XSS payload, and then that same XSS payload is placed in the q query parameter of /scp/ajax.php/users/local, then reflected XSS is achieved. This XSS can lead to complete takeover of the osTicket instance. Proof of Concept Set a user's username...
Heap Use After Free in function ex_diffgetput
Description Heap Use After Free in function exdiffgetput at diff.c:2790 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD - master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf3s.dat -c :qa!...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept 1 Go to this URL:...
Account Takeover via Webhook Handlebars + API Reset Password
Description Through the Webhook functionality, the attacker is able to use Handlebars to capture sensitive user data. Capturing the emailverificationtoken, which through the API I found the PasswordForget function, enabling account takeover via password reset. Steps 1. - Create Table 2. - Select...
Bypass filter - Stored XSS in Resources
Description Website does incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of concept javaSCRIPTalertorigin Steps to reproduce it works on Firefox not in chromium based browsers 1.Go to...
Run malicious JS code with other kinds of encoding
Description We can Run malicious JS code With special escaping characters for ASCII chars that start with \x and also all Unicodes start with \u, like the followings : CR == \x0d and \u000d LF == \x0a and \u000a TAB == \t and \u0009 and \x09 So there can be many characters that we can't filter al...
Use-After-Free in function hash_new_from_values
Description Use-After-Free in function hashnewfromvalues at vm.c:1167 mruby version git log commit ac79849fde3381e001c3274fbcdda20a5c9cb22b HEAD - master, origin/master, origin/HEAD Author: Yukihiro "Matz" Matsumoto Date: Fri May 20 09:59:23 2022 +0900 Build export CFLAGS="-g -O0 -lpthread...
Session Fixation
šļø Requirements None. š Description The updateUser function does not reset user's session. šµļøāāļø Proof of Concept Use two browsers and on the first, update the second user's session to delete his privileges. Going to the second, you and refreshing the page, you will that the user have lost his...
Use After Free
Description Use After Free in gpac Proof of Concept MP4Box -bt POC1 POC1 is here ASAN ==74043==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000003fd0 at pc 0x7f0c5374e845 bp 0x7ffcfc56f2b0 sp 0x7ffcfc56f2a8 READ of size 8 at 0x604000003fd0 thread T0 0 0x7f0c5374e844 in...
Html Injection lead to cross site scripting
Description Hi i Found a way to inject html in user's email. So in this case if a attacker set name of victim as html form it will be rendered by your system and then the render html will be sent to the victim Proof of Concept 1. Goto https://paraio.com/signup/ and in name field add this payload...
Account Takeover
Description Hi there i found that forget password functionality can be manipulated and this lead to account takeover. So even if an attacker can takeover low access user to admin accounts. In this bug server is vulnerable to php type juggling attack Proof of Concept 1. While registering app for...
Arbitrary Code Execution through Sanitizer Bypass
Description The sanitizer function of the drawio core library which is responsible to sanitize various parts of a diagram of potentially dangerous HTML/JavaScript code can be bypassed. It is vulnerable to mutation XSS payloads, which allows escaping from the sanitizer. This allows arbitrary code...
Stored XSS via upload plugin functionality in zip format
Description Cross-site scripting XSS is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Here...
Heap-based Buffer Overflow
Description Heap-based buffer overflow in coresymbolication:272 Environment radare2 5.6.9 0 @ linux-x86-64 git. commit: 5.6.9 build: 2022-04-1923:49:49 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...
API Privilege Escalation
Description Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. On Easy!Appointments API authorizati...
Cross-site Scripting (XSS) - Stored
Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then, the vulnerability can be triggered when the user previews the document“s content. Proof ...
Server Side Template Injection
Description Grav is vulnerable to Server Side Template Injection via Twig. According to a previous vulnerability report, Twig should not render dangerous functions by default, such as system. PoC video. Proof of Concept Payload: 'cat\x20/etc/passwd'|filter'system' 1. With an authenticated user,...
Out-of-bounds read in `r_bin_ne_get_relocs` function
Description Out-of-bounds OOB read vulnerability exists in rbinnegetrelocs function in Radare2 5.6.7 due to a missing check on the index value. Version bash radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6 commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-0614:41:37 Proof of Concept bas...
heap-buffer-overflow
Description Whilst experimenting with radare2, built from version 5.6.6, we are able to induce a vulnerability at bindyldcache.c:125 in function va2pa , using radare2 as a harness. 118: static ut64 va2pauint64t addr, ut32 nmaps, cachemapt maps, RBuffer cachebuf, ut64 slide, ut32 offset, ut32 left...
SQL injection through marking blog comments on bulk as spam
Description the comments ids aren't checked and vulnerable for SQL injection Proof of Concept...
Stored XSS viva .webmv file upload
Description The application allows .webmv files to upload which lead to stored XSS Proof of Concept 1.First, open your text file/notepad and paste the below payload and save it as XSS.webmv: alert1337 alertdocument.domain alertdocument.location alert'XSSbySamprit Das' 2.Then go to...
Stored XSS viva .properties file upload
Description The application allows .properties files to upload which lead to stored XSS Proof of Concept 1.First, open your text file/notepad and paste the below payload and save it as XSS.properties: alert1337 alertdocument.domain alertdocument.location alert'XSSbySamprit Das' 2.Then go to...
Stored XSS due to Unrestricted File Upload
Description Stored XSS via uploading files in .aspx format. Proof of Concept filename="poc.aspx" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the...
Unrestricted Upload of File with Dangerous Type
Description This is a bypass of report https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/. The upload feature allows the files with the extension .html which leads to Stored XSS. Proof of Concept - Step 1: Login into showdoc.com.cn. - Step 2: Go to...
hostname spoofing via Improper Input Validation
Description When to use the parse-url, If user put the https://google.comhashvalue as argument, parse-url doesn't parse the hash value and parses hostname and hash together as hostname. http://localhost/hashvalue and http://localhosthashvalue are the same.. txt - new URL of node ⯠node -e...
File upload filter bypass leading to stored XSS
Description A User can upload .a-zhtml file e.g. ahtml, bhtml, chtml, ddhtml, AS LONG AS it ends with html with XSS payload. Upon upload, a URL with malicious html can be accessed and javascript will be executed. Proof of Concept taking chtml as example Step 1 Login to the demo portal with admin...
XSS on dynamic_text module
Description There is XSS vulnerability on dynamictext module. Proof of Concept Visit - https://demo.microweber.org/demo/admin/view:modules/loadmodule:dynamictext Impact Below Post request was used to upload XSS payload POST /demo/api/savedynamictext HTTP/1.1 Host: demo.microweber.org Cookie:...
Abusing Backup/Restore feature to achieve Remote Code Execution
Description Admin can use Backup modules to upload a malicious PHP file, which can lead to RCE. Proof of Concept + Log in as admin, navigate to Modules - Backup: https://demo.microweber.org/demo/admin/view:modules/loadmodule:adminbackup + Prepare a malicious PHP file, in this case info2.php +...
Cross-site Scripting (XSS) - Stored
Description pimcore datahub is vulnerable to Stored XSS in the Unique Indetifier of the function of "Add a new configuration" in Datahub. Whenever an admin user access data hub, a stored XSS will be triggered. Proof of Concept Step 1: Go to https://demo.pimcore.fun/admin/ and login. Step 2: Click...
Denial of Service
Description R2 will hang for several crafted binaries. Proof of Concept bash printf "%s" "AAA4AAAAAB4=" | base64 -d /tmp/a printf "%s" "z/rt/gwAAAEuAAB//wAAAACe2QEaAAAG+s8yAOH/AQAAAA==" | base64 -d /tmp/a printf "%s"...
Improper Access Control in publify/publify
Description Article in draft mode can only be accessed by admins who have permission to manage article. Anonymous users can't view but can leave comments on article in draft mode. The cause of the vulnerability is that the draft article is setting to comment enabled and createcomment function onl...
in mruby/mruby
Description OOB read and OOB write in mrbarypush. commit : 903c5f978a2966465d8d5c6dfac55a977d134287 Proof of Concept bash $ echo -ne "bAticjWSUkRPTkxZC2I9e30MWyohMCxtOjAwLG06MF09MXxbKiEwLG0wXQo=" |base64 -d poc ASAN $ ./bin/mruby ./poc AddressSanitizer:DEADLYSIGNAL...
Cross-site Scripting (XSS) - Stored in microweber/microweber
Description Stored XSS occurs when changing a user's profile Proof of Concept txt XSS POC : "alertdocument.domain 1. Open the https://demo.microweber.org/demo/admin 2. Go to "Users" "Edit profile" 3. Change the value of "First Name" to XSS PoC 4. Refresh Impact Through this vulnerability, an...
Cross-site Scripting (XSS) - Stored in vanessa219/vditor
Description The Vanessa219/vditor is a markdown editor supported by browsers. When a user creates a link using the markdown syntax, the server does not URL-encode the double-quotes, so the user can escape the href attribute and trigger XSS using the on attribute. Proof of Concept txt XSS PoC : xs...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description pimcore is vulnerable to Stored XSS at Name field in the setting tab of the Global Targeting Rules. Steps to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.In the left menu bar, click the Marketing icon then choose Personalization / Targeting - Global Targeting Rules...
Cross-site Scripting (XSS) - DOM in chatwoot/chatwoot
Title XSS in markdown link-maker Description While chatting with a client, both sides may use markdown. However, neither client's nor Chatwoot inner user's input is verified. Steps to reproduce. Note: this works in Safari and Firefox, not Chrome. I will use Telegram bot. 1. 1. Start a conversatio...
Cross-Site Request Forgery (CSRF) in yourls/yourls
Description 1. Hi there YOURLS team, I would like to report a Cross Site Request forgery vulenrability on YOURLS. Cross-site request forgery also known as CSRF is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows ...
Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
Description pimcore is vulnerable to Reflected XSS via the Search function for Document, Assets and Data Objects. Steps to reproduce 1.Login to pimcore admin. 2.In the left menu bar, click the Search icon then choose Documents, the Search Documents tab will display. 3.Input payload " into the...
Server-Side Request Forgery (SSRF) in snipe/snipe-it
Description Admin users on the external network can perform blind POST-based SSRF issue requests on behalf of the server into the internal network via the Slack Integration Performing portscans 1: Go to Slack Integrations 2: Use http://127.0.0.1:1337 as the Slack Endpoint. See the error message:...
Server-Side Request Forgery (SSRF) in dotcms/core
Description Hi team, I found a SSRF that allow me to access the elasticsearch API and get full response from the querys - As can be read in the following link dotCMS uses elastisearch, with this SSRF we can direct access the elastisearch REST API, - In a cloud environment, it can be possible to...
Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
Description Stored XSS via upload 'Attachments' with format .svg or .html Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept // PoC.svg...
Server-Side Request Forgery (SSRF) in osticket/osticket
Description The SSRF vulnerability in OSTickets detailed in CVE-2020-24881 is still unfixed, attackers can still make arbitrary requests via the server to the private network via the PDF print generator although they will not be able to exfiltrate anything other than image data. Proof of Concept ...
Inefficient Regular Expression Complexity in sindresorhus/semver-regex
āļø Description It allows cause a denial of service when formatting crafted invalid semver versions. šµļøāāļø Proof of Concept // PoC.mjs import semverRegex from 'semver-regex'; forvar i = 1; i = 50000; i++ var time = Date.now; var attackstr = '0.0.0-0' + '.-------'.repeati1 + '@';...
Inefficient Regular Expression Complexity in vuelidate/vuelidate
āļø Description A ReDoS regular expression denial of service flaw was found in the @vuelidate/validators package. An attacker that is able to provide crafted input to the urlinput function may cause an application to consume an excessive amount of CPU. šµļøāāļø Proof of Concept Create the following...
in yourls/yourls
āļø Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. šµļøāāļø Proof of Concept š„ Impact According to PortSwigger references, it is possible for a page controlled by an attacker...
Server-Side Request Forgery (SSRF) in sterlp/svg2png
:book: Description Svg2Png Manage your Icons in SVG and generate the needed PNG into your projects as needed. No "Web Service" needed, just an executable JAR file. this package is vulnerable to XXE. https://github.com/sterlp/svg2png :recycle: Steps To Reproduce-: 0 download and run latest release...
Cross-site Scripting (XSS) - Generic in kekingcn/kkfileview
Description kkFileView this package is vulnerable to Stored Cross-Site Scripting XSS. https://github.com/kekingcn/kkFileView Steps To Reproduce-: stored XSS 1 install https://github.com/kekingcn/kkFileView locally or https://file.keking.cn/index use demo 2 while uploading files for preview use js...