4072 matches found
Stored XSS via SVG File
Description By uploading SVG files, the users can perform Stored XSS attack. Payload Copy the following code and save as filename.svg. alertdocument.domain Proof of Concept 1 Login as admin. 2 upload the payload injected SVG file at...
Hiperlink injection in email
BUG ========= Hiperlink injection in email SUMMURY ============= There is no character length limit in user fullname . So, user can set fullname to large number character and also can put link url . DETAILS =============== 1. goto admin account profile and change fullname to bellow Hi, You have...
Open Redirect
Description The Greenlight end-user interface is vulnerable to Open Redirect vulnerability in Login page due to unchecked the value of returnto cookie. Proof of Concept Original request example POST /gl/u/login HTTP/1.1 Host: demo.bigbluebutton.org Cookie:...
Stored XSS in Task field
Description The application Titra is vulnerable to Stored XSS in Task field. Steps To Reproduce 1. Click on add Track button 2. In the Task field enter the payload " 3. click save 4. Now Click on Details 5. XSS will be triggered Image PoC...
Stored XSS in Project Name
Description The application Titra is vulnerable to Stored XSS in Project name field. Steps To Reproduce 1. Click on Edit button 2. Under the Project Name enter the paylaod " 3. Click on save. 4. Now navigate to details the XSS will be triggered. Image PoC...
Stored XSS in "Tab Image" and "Group Image"
Description The organizr application allows malicious javascript payload in the "Tab Image" and "Group Image" for which its leads to stored XSS. Proof of Concept 1 1.Login to the co-admin account and go to "Settings" - "Tab Editor". 2.Now click on "Tabs" - "Add New Tab" and filled all the details...
Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Add Item,And name is payload alertlocation...
Reflected XSS
Description Hello , i found an authenticated reflected xss via path fragment this was exploitable through trusting user input in url path fragement , please note : if you wrote a different payload you need to URL Encode the payload twice Proof of Concept Enter this url :...
Buffer Over-read
Description Stack-based Buffer Overflow at index.c:991 Build git clone https://github.com/bfabiszewski/libmobi.git cd libmobi export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure...
Store XSS in title parameter executing at EditUser Page & EditProducto page
Description Cross-site scripting XSS is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Proof ...
SQL injection vulnerability in ARAX-UI Synonym Lookup functionality
Description The /rtxcomplete/nodeslike endpoint in the ARAX-UI application at https://arax.rtx.ai is vulnerable to SQL injection. It is possible to include a malicious SQL payload in the word query parameter for this endpoint that would allow an attacker to dump the database, make modifications t...
unchecked size in _load_bmp leads to RAM exhaustion in version 3.10
Description Via a maliciously crafted bmp file with modified dx and dy header field values it is possible to trick the application into allocating huge buffer sizes like 64 Gigabyte upon reading the file from disk or from a virtual buffer. Version This does affect the newest Version of Cimg which...
Stored XSS viva .properties file upload
Description The application allows .properties files to upload which lead to stored XSS Proof of Concept 1.First, open your text file/notepad and paste the below payload and save it as XSS.properties: alert1337 alertdocument.domain alertdocument.location alert'XSSbySamprit Das' 2.Then go to...
Stored XSS due to Unrestricted File Upload
Description Stored XSS via uploading files in .xsd, .asa and .aspx already mentioned in previous report formats. Proof of Concept For .xsd filename="poc.xsd" alert1 For .asa and .aspx filename="poc.asa" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library...
Cross-site Scripting (XSS) - Stored
Description pimcore datahub is vulnerable to Stored XSS in the Unique Indetifier of the function of "Add a new configuration" in Datahub. Whenever an admin user access data hub, a stored XSS will be triggered. Proof of Concept Step 1: Go to https://demo.pimcore.fun/admin/ and login. Step 2: Click...
Improper Authorization and possible DoS when using PAM Auth
Description When bareos versions after 18.2 are build and configured for PAM authentification it skips checking authorization completely. Expired accounts and accounts with expired passwords can still login. Further after wrong authentication or the code returns without releasing the PAM handle,...
Improper Authorization
Description When configuring saltstack to authentificate via the salt.auth.pam module. The authorization of a account validity is missing. Therefore expired accounts, or accounts with expired passwords, can still login. Proof of Concept Configure salt with salt.auth.pam and run it with an expired...
Business Logic Errors
Description Product status of product is unpublished has been deleted by admin in Trash folder but user can still add to cart and make purchases Proof of Concept Step 1: Admin go to Shop Products: Unpublish product and Delete product Step 2: User add product to cart by request POST...
Cross-site Scripting (XSS) - Stored
Description I found a Stored XSS vulnerability at admin page: https://demo.microweber.org/demo/admin/view:settingsoptiongroup=files Proof of Concept Step 1: Go to Settings Website settings Files Step 2: Create new folder with folder name : // Request --------------------------------------- POST...
Improper Access Control in publify/publify
Description Article in draft mode can only be accessed by admins who have permission to manage article. Anonymous users can't view but can leave comments on article in draft mode. The cause of the vulnerability is that the draft article is setting to comment enabled and createcomment function onl...
Improper Access Control in liukuo362573/yishaadmin
Description https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/DeleteFile" that allows deleting files without authentication. Root-cause Server doesn't check user's permission when attacker access the endpoint. After that, server will directly call delete function with th...
Server-Side Request Forgery (SSRF) in chocobozzz/peertube
Description First of all, Thanks to my friend Haxatron for his excellent report I read the fix commit, and I found out that the code only Checked the IP addresses and didn't check the domain names that refer to a private IP address Steps to reproduce first, set up a local server at 127.0.0.2:8000...
Exposure of Sensitive Information to an Unauthorized Actor in httpie/httpie
Description All cookies saved to session storage are supercookies. Proof of Concept in /etc/hosts 127.0.0.1 host1.example.com 127.0.0.1 host2.example.net headers-helper.rpy; run with twist web --resource-script= and it'll run on 8080 from pprint import pformat from twisted.web.resource import...
in radareorg/radare2
Description This vulnerability is of out-of-bound read which is caused by negative buffer index. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code is highlighted out ...
in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Insecure Direct Object Reference / IDOR vulnerability. The system's authorization functionality does not prevent one user from deleting another user by modifying the userid identifying the user. Each user has a userid 1,2,3,.... A malicious authorized...
in detekt/detekt
Description The read function makes use of SAXParser generated from a SAXParserFactory with no FEATURESECUREPROCESSING set, allowing for XXE attacks. In...
in skylot/jadx
Description parseXml function in ExportGradleProject is not secured against XXE because it does not include the disallow-doctype-decl attribute, therefore JADX is vulnerable to XXE when parsing a malicious Android Manifest when exporting Android app to Gradle. In...
Exposure of Sensitive Information to an Unauthorized Actor in feross/simple-get
BUG ====== Cookie header leaked to third party site and it allow to hijack victim account SUMMURY ============ When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to...
Cross-site Scripting (XSS) - DOM in karma-runner/karma
Description DOM-based XSS is a vulnerability in which the attacker can inject arbitrary javascript code in any DOM sink that supports dynamic code execution. In our case, source is query parameter returnurl and sink is location.href. Proof of Concept 1 Start karma server and visit the following...
None in vim/vim
Description A Heap-based Buffer Overflow has been found in vim commit a909c48 Proof of Concept base64 poc ZGVmIEZpcnN0RnVuY3Rpb24oKQogIGRlZiBTZWNvbmRGdW5jdGlvbihKICA9CiAgIyBOb2lzCiAg IyBvbmUKICAgCiAgIGVuZGRlZnxCQkJCCmVuZGRlZgojIENvbXBpbGUgYWxsIGZ1bmN0aW9ucwpk ZWZjb21waWxlCg==...
Exposure of Sensitive Information to an Unauthorized Actor in scrapy/scrapy
BUG ====== Cookie header leaked to third party site and it allow to hijack victim account SUMMURY ============= When you crawling a site with cookie and it received Location header to redirect then scrappy send all cookie to this redirect url even if this is different domain . But every browser...
Exposure of Sensitive Information to an Unauthorized Actor in hoppscotch/hoppscotch
Description Steal authorization token via xss and hijack attack Proof of Concept Using this attack , attacker can hijack account by stealing authorization header . I see there is team based collaboration exists ,so one user can hack other user account using this bug . STEP -------- First host...
Cross-Site Request Forgery (CSRF) in patrowl/patrowlmanager
Description Hi there, there is a CSRF in duplicating rule due to the usage of GET method. Proof of Concept 1. Install a local instance of PatrowlManager 2. Go to list rule and create a new rule 3. Access this link http://localhost:8083/rules/api/v1/alerting/duplicate/1 and see that the rule is...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept // PoC.js Steps to reproduce : 1-- Go over settings -- Data Objects -- Objectbricks. 2-- Click Add or Edit a previous one . 3-...
in elgg/elgg
Hello there! Hope you're having an awesome day :D Actually, it's been a few months since I found this bug, but I had no success in trying to contact you guys, and now I discovered that you're on Huntr. So now I'm sending my report from here : Summary During this week, I was participating at a bug...
PHP Remote File Inclusion in tsolucio/corebos
Description An attacker can use Local File Inclusion LFI to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting XSS. Proof of Concept // PoC.js Link --...
None in glpi-project/glpi
Description We can have list of user of Emplyes in GLPI plateform Proof of Concept Here for example wa are as Intervenant Role. Steps to reproduce : 1. Go to Assistance--Planning 2.In the left of the menu in front of Plannings section, clich on Plus + Button 3. In the Actor Field List we select...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description Hey Corebos team An attacker able to delete a workFlow as there isn't exist any CSRF token for it. //PoC.html history.pushState'', '', '/' document.forms0.submit; after that you open the PoC.html file the workflow with id equal to 27 will be deleted...
Cross-site Scripting (XSS) - Stored in kalcaddle/kodexplorer
✍️ Description XSS via SVG file Upload 🕵️♂️ Proof of Concept upload the svg file with xss payload and open it with browser alertdocument.domain; 💥 Impact Custom JS code execution embedded with in the svg file...
None in firefly-iii/firefly-iii
Improper Restriction of Excessive Authentication Attempts. The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks. STEPS FOR REPRODUCTION: 1Go to...
Open Redirect in tjenkinson/url-toolkit
✍️ Description url-toolkit mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol, and treat it as a normal slash, while url-toolkit sees it as a relative path. Which will lead to SSRF attacks, open redirects,...
Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy
✍️ Description The user/reset-api-key/endpoint does not have a CSRF protection. This could be exploited by an attacker to change the API key without the admin not actually requesting for a change. 🕵️♂️ Proof of Concept For the following attack to work, the admin victim must be logged into their...
in dolibarr/dolibarr
💥 BUG unprivileged user can attach bank to another user. 💥 IMPACT user who dont have any access in "users and groups" can update users bank details 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEP TO REPRODUCE 1. First goto admin account and add user B as normal user .\ Now give user B bellow...
Command Injection in azure/ms-rest-nodeauth
✍️ Description the core function execAz which is purposely used for az command can be injected with arbitrary other OS commands. Also the attackers can exploit this vulnerability by calling AzureCliCredentials.setDefaultSubscription"OS command" from the Azure CLI. 🕵️♂️ Proof of Concept // PoC.js...
Prototype Pollution in js-data/js-data
Description js-data is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js const js = require"js-data"; const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " + .polluted; js.utils.deepMixInobj, payload;...
Cross-site Scripting (XSS) - Generic in thirtybees/thirtybees
Description Thirty bees is matured e-commerce solution which once started as a fork of PrestaShop 1.6.1.11 and is still compatible with almost all PS 1.6 modules. Its focus is on stability, correctness and reliability of the rich feature set, to allow merchants to focus on growing their business...
Disabled accounts still work normally
Description Disabled accounts still work normally Proof of Concept The account A is logged in and active. Admin suddenly disabled that account, but account A still works normally. Video Poc https://drive.google.com/file/d/15OHZF71pJyGaU30dQaw6NglkpZEhpOPm/view?usp=sharing...
Dom XSS in module "Search IPv6"
Description 1 .Access to IPv6 search function 2 .Enter the payload in the IPv4 field to perform the search Payload : "alertdocument.cookie 3 .Enter the search button and the payload will be executed Proof of Concept Link video Poc :...
XSS at file uploading
Description In menu Add page, there is a upload file function and xss payload can be injected there. Detail: 1/ Access to the web demo and go to Add page menu. 2/ At upload file function, upload an file with filename is a payload xss. 3/ It will be triggered immediately. Proof of Concept Payload:...
Reflected XSS in URL path of '/admin/controllers/edit/activity/perms/'
Description /admin/controllers/edit/activity/perms/ takes input from the URL directly without sufficient sanitization leading to a Reflected XSS. A valid admin session is required, without it, the user will be brought to the login page instead of the affected page. Proof of Concept 1. Login as an...