4072 matches found
SQL injection in Data Objects function
Description Log in as an admin, go to Data Objects function, and perform a sort action. Observer the request on Burpsuite and injection point is the 'sort' parameter Proof of Concept POC request that makes the application sleep for 5 seconds Data Objects function payload:...
Reflected XSS
Description An attacker can steal the session token of any user by exploiting reflected XSS. Proof of Concept Send GET request to any of the below links. http://target/templates/pages/debugpanel.php?id=xss"alertdocument.cookie http://target/templates/pages/debugpanel.php?id=xss"alert'xss' Send PO...
Downloadable product type lacks order status check
Description There is a vulnerability in fossbilling where upgrading non-active orders is prevented, but it is possible to still do so through the upgrade API...
Stored XSS in many configuration fields
Description Paste the XSS payload into the configuration fields. And I think there are many fields to configure that can be vulnerable to Stored XSS vulnerabilities, such as configuration fields in Options, MFA, API, Emails,... hope you check it too. Proof of Concept...
Markdown injection into github comment
Description Users can donate for builds by tipping [email protected]. There's a github action that will thank the user in a comment. The name is not sanitized and by using one such as the following, attackers can inject their own markdown into the comment. foo The "" breaks out of the context,...
Stack-overflow in function xml_sax_parse at src/utils/xml_parser.c
Description Stack-overflow in MP4Box. Version shell MP4Box - GPAC version 2.3-DEV-rev263-g2afa05f4d-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Local File Inclusion (LFI)
Description The vulnerability in the code is a Local File Inclusion LFI vulnerability. It allows an attacker to read arbitrary files on the server by exploiting a flaw in the code that allows the attacker to manipulate the "InternalPath" parameter in a request to include files from the server's...
LFI in Model Version REST API creation
Description By creating a model version through the REST API endpoint api/2.0/mlflow/registered-models/create and specifying a relative path redirection to the source argument, local server files can be accessed on the tracking server when a subsequent REST API v1.1 call is made to...
Cross site scripting on the login page
Description Cross-site Scripting XSS refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. URL...
XSS @ records
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code 1: $recordLang = Filter::filterInputINPUTPOST, 'lang', FILTERUNSAFERAW; $tags =...
cross site scripting
Pimcore is vulnerable to Cross site scripting vulnerability in classes module...
Stored XSS in the Redirects module
Description pimcore is vulnerable to Stored XSS at Expiry field in the Redirects module. Payload " Step to reproduce/Proof of Concept 1.Go to https://demo.pimcore.fun/admin/ and login. 2.In the left menu bar, go to Tools - Redirects. 3.In the Redirects tab, click Add button, input any text into t...
Lack of brute force protection
Issue Description • A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until an attacker discover the one correct combination that works. Steps to Reproduce: '1. First capture login request with BurpSuite,...
heap-buffer-overflow in function adts_dmx_process filters/reframe_adts.c
Version MP4Box - GPAC version 2.3-DEV-rev44-gbe9f8d395-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC: https://doi.org/10.1145/1291233.1291452 GPAC Configuration:...
Two Stored XSS in Instructions and User Widget
Stored XSS 1 Description 1 The santinizer founction noxsshtml$html can be bypassed since it missed to ban the tag of in $bannedelements = 'script', 'iframe', 'embed';. By this missing, the logged admin can maliciously inject xss payloads like in the backend database using the point POST...
Stored XSS
Description answer has a feature to customize the "Site Name" during installation or in the settings page , due to a bad sanitization it allows to put arbitrary html code which allows to execute javascript code. Everytime a user enter in the website, the xss is triggered. Injected payload...
Vulnerable to clickjacking
Description Vulnerable to clickjacking Proof of Concept 1 Create an iframe.html with below contents The iframe element 2 Open with firefox and note that the frame is loaded which is potential to clickjacking due to missing x-frame-options security headers...
Html Injection in Contributors
Description Html injection in Contributors and just only need html payload in Display Name and fire in Contributors list Proof of Concept 1. Login to squidex 2. Create an app with random name. 2. Go to Edit Profile then Edit users display name with html payload = Sanket722 3. Go to...
Restrictive composer.json makes Dompdf vulnerable to URI validation failure on SVG parsing
Description The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing tags with uppercase letters. This might lead to arbitrary object unserialize on PHP tags, in src/Image/Cache.php: if $type === "svg" $parser = xmlparsercreate"utf-8"; xmlparsersetoption$parser,...
Name Field and all other required Fields Bypass while doing FAQ Proposals
Dear Ladies and Gentlemen, I was able to identify in the Process of sending a FAQ Proposal a Username and all other required Fields Bypass Vulnerability. The Attacker can bypass all the required fields by sending a space at any required field like name, text, answer or question which is a require...
Unrestricted Logging Filename Lead to RCE
Description This vulnerability occur because there is no filename restriction for saving logging file. In this case attacker can set the filename to existing php file and append php code on it by manipulating the logged input. Proof of Concept 1. Log in using operator account, in this case i try ...
Stored XSS via `.pages` File in
Description When user upload a file with .pages extension and direct access this file, the server response with Content-type: application/octet-stream lead to processing .pages as HTML file. I only discovered this file extension doing more research on XSS Proof of Concept POST...
NULL Pointer Dereference
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Release: n/a Codename: bookworm Version I checked against the latest release as of 12/27/22 version 5.8.0 and the current master branch at commit 031da1be8f6c9aa55f6e4e76df962d2c85dc32e8 . Description This...
Patient ability to rewrite it's own documents leads to HTML injection
Description It looks like through the PUT request, a Patient can rewrite it's own document via the fullDocument JSON parameter. In this way a malicious user patient can't override the document form and rewrite his own, also injecting valid HTML code that the Doctor would be able to see. Proof of...
Stored XSS in multiple menus
Description The demo website is affected of stored XSS at multiple menus. Proof of Concept 01 1. Access to the demo website http://demos4.softaculous.com/ 2. Login with admin user they provide, press on menu Uploader, in Uploader tab, try to upload whichever file then choose Media manager tab. 3...
Stored XSS while creating a new post
Description After login create a new post and type the following text with XSS payload XSS in create post then click post that will be executed. Proof of Concept XSS in create post tete...
Stored XSS in FAQ comments
Description Stored XSS in FAQ comments by any visitor or anonymous user that alerted in admin panel in comments page also it stored in the FAQ page itself via injecting XSS payload in "Name " and "Message" input fields . Proof of Concept...
Multiple XSS Vulnerabilities in Queue Condition
Description Cross-Site Scripting XSS vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code...
Unauthenticated Remote Command Execution on corebos due to exposed install files.
Description While analysing corebos source-code, I found a file that looked interesting: - install/MigrationDbBackup.php This file contains the following snippet of code: php ?php /+ The contents of this file are subject to the vtiger CRM Public License Version 1.0 "License"; You may not use this...
Sensitive system information disclosure
Description An unauthenticated user can gather information on the remote system just by visiting the following endpoints: + /library/exten-radiusserverinfo.php which reveals pieces of information such as system uptime, CPU load, etc. + /library/exten-serverinfo.php which reveals if mysql and/or...
Path traversal vulnerability found
Description please check this link https://demos4.softaculous.com/FlatPressfgbu50zqaa/fp-content/ Proof of Concept https://prnt.sc/0UGovVLWcKo7...
SQL Injection - SQL as a service (No-auth)
Description The GLPI's plugin named glpi-archimapcontains an ajax route named getconfig.php which allows a user to retrieve the plugin configuration. However, this route is accessible by everyone because there is no authentication check. Moreover, the attacker can inject his own SQL queries and g...
Dev mode Path traversal
Description Vite is misconfigured within nuxt to permit any file to be retrieved from the file system. Root Cause Vite configuration has strict set to false. Exploitation Requirements: + Server must be running in developer mode Vulnerability can be exploited using paths like the following...
Reflect Cross Site Scripting when search
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept 1. Go to your web phpmyfaq and visit http:///phpmyfaq/index.php?search= 2. inject payload to param search: 1af"+onclick='alert...
File Upload Type Validation Error
Description The upload functionality does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature p.e. GIF89 and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS...
Stored Cross Site Scripting (XSS) in parameter rp4wp[heading_text]
Description The Related Posts for WordPress plugin is vulnerable to stored XSS, specifically in the rp4wpheadingtext parameter because the user input is not properly sanitized, allowing the insertion of JavaScript code that can exploit the vulnerability. Proof of Concept 1 - Install and activate...
Xss vulnerability in Button module
Steps 1.Visit https://demo.microweber.org 2.Click option 'Modules' in the left list 3.Click and go into the 'Button' 4.Click the 'edit url' and Enter the following javascript alert1 Proof of Concept Video javascript https://1drv.ms/v/s!Ai0UEGpMIb9scRgdvmX1sBCQu4A...
Improper Cache control allows attacker to view sensitive data
Description Due to improper cache control an attacker can view sensitive information even if he is not logged into the account Proof of Concept 1 Go to https://rdiffweb-demo.ikus-soft.com/login/ and login into your account using given credentials 2 Go to...
Privilege escalation from admin and normal user to super admin
Description Lavsms provides 5 types of roles. But the issue is admin can escalate to the super admin role for himself as well as for other un-privileged users too even lower than the admin role. Proof of Concept 1. POST /users/id with custom payload via API Testing tool like postman/Insomnia. Ste...
Stored XSS via SVG File
Description By uploading SVG files, the users can perform Stored XSS attack. Copy the following code and save as filename.svg. Proof of Concept alertdocument.domain 1 Login as user with upload permission. 2 upload the payload injected SVG file at https://demo.inventree.org/order/sales-order/3/ 3...
Reflected XSS In User/Roles Function
Description URL: https://demo.pimcore.fun/admin/ In Setting select User/Roles and select User. After created user, move to Workspace tab and inject payload XSS at Documents, Assets and Data Objects. XSS payload will be trigger. Besides, Workspace in Roles Also having the same situation. Can you...
Buffer Over Read in gf_utf8_wcslen
Description Buffer Over Read in function gfutf8wcslen at gpac/src/utils/utf.c:442 . gpac version git log commit fc4749f9ce8d6ddf50d1f1104366cdacede14d33 grafted, HEAD - master, origin/master, origin/HEAD Author: Aurelien David Date: Mon Aug 1 06:44:34 2022 -0700 fix quickjs build on osx 10.12 222...
UI REDRESSING
Description Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills...
DDOS attack by uploading a few hundred large files
Description can normal user upload the photo to the profile not allowed photo more than 2 MB i can upload photo more allowed limit Proof of Concept https://drive.google.com/file/d/1jh0n9kOoFvW-esHgpOtPeURTYjSIhDm/view?usp=sharing...
Weak Password Change Mechanism
Description The user password change page, doesn't require knowledge of the existing password. Proof of Concept 1. - Log in as a normal user 2. - Go to the User Dashboard page and click User Settings. 3. - Set a any new password. 4. - Click confirm 5. - The password is changed successfully...
Persistent Cross Site Scripting - Workflow Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, On Workflow module from Settings, the type of workflowModel-summary parameter is not defined and validated, it's used directly without any encoding or validation on Workflows/Step1.tpl and...
No Protection against Bruteforce attacks on Login page
Description Wger Workout Manager does not limit unsuccessful login attempts allowing Brute Forcing. Proof of Concept Steps to Reproduce: 1. Register a new user 2. Logout 3. Send a login request with an incorrect password 4. Capture the login request 5. Replay the login request with a different...
[Bypass] Cross-site Scriptin (XSS) via file upload
🔒️ Requirements Privileges: User. 📝 Description I found a bypass to this report by uploading the file with "public": true, parameter. This is due to the fact that AWS bucket public folder does not auto download files when we access them. 🕵️♂️ Proof of Concept Step 1: Go your outline home and...
Stored XSS via SVG File
Description By uploading SVG files, the users can perform Stored XSS attack. Payload Copy the following code and save as filename.svg. alertdocument.domain Proof of Concept 1 Login as admin. 2 upload the payload injected SVG file at...
Open Redirect
Description The Greenlight end-user interface is vulnerable to Open Redirect vulnerability in Login page due to unchecked the value of returnto cookie. Proof of Concept Original request example POST /gl/u/login HTTP/1.1 Host: demo.bigbluebutton.org Cookie:...