4072 matches found
Reflected XSS in URL path of '/admin/controllers/edit/activity/perms/'
Description /admin/controllers/edit/activity/perms/ takes input from the URL directly without sufficient sanitization leading to a Reflected XSS. A valid admin session is required, without it, the user will be brought to the login page instead of the affected page. Proof of Concept 1. Login as an...
Unrestricted Upload File leads to Remote Code Execution
Description The upload file function is vulnerable that user can upload the file with other extensions .php, .phps, ... by using Magic Bytes technique. However, the .htaccess has almost prevented all the files with extensions such as php, phps, phtml, ... The attacker still can upload the hphp fi...
Sensitive Cookie Without Secure Flag
Description Access and login to the demo website: https://demo.openitcockpit.io/ Press F12 on your keyboard or right-click on the website to open dev-tool. At Application tab, choose Cookies and there are some sensitive cookies without Secure flag. CookieAuth, csrfToken Proof of Concept Link imag...
HTML Injection in Folder Name
Description The folder name does not sanitize folder name and due to missing output encoding, HTML user-input is rendered in the webpage during folder deletion. Proof of Concept 1. Login to Teampass as any user. 2. Go to Folders tab. 3. Create a new folder with HTML tag in the Label. Example: HTM...
用户可以将自己添加到任意的组织中
Proof of Concept 1 用户1属于组织team1,并不属于team2 2 用户1修改自己的profile 3 在界面上,用户1修改自己的组织时只能看到team1 4 但是我们用burpsuite拦截请求,将请求中的team1的ID换成team2 5 继续执行,发现可以执行成功 6 原因是虽然我们在界面上保证了team2不可见,但服务端没检查user1是否可以选择team2 复现视频:https://1drv.ms/v/s!Avwg5C1eKVA4girUgKWl9SQX543P?e=N1ZU47...
Stored HTML Injection in Item Label
Description If two users have the same folder access, malicious users can create an item where its label field is vulnerable to HTML injection. When other users see that item, it may force them to redirect to the attacker's website or capture their data using a form. Proof of Concept...
Pre-Auth Path traversal in pimcore_log, leading potential DOS
Description A path traversal vulnerability exists in the CMS, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcorelog parameter. This can lead to potential denial of service---key file overwrite. Proof of Concept - As a prequisition, pimcore must be installe...
Multiple path traversals on Windows hosts
Description validatepathissafe function in file /mlflow/server/handlers.py, introduced in PR 7891 on Feb 24th, 2023 does not account for Windows absolute path format, and thus can be bypassed on MLFlow servers, running on Windows hosts, exposing them to a number of high-impact directory traversal...
Cross-site scripting (XSS) stored in href bypasses filter using data wrapper
Description The XSS Cross-Site Scripting vulnerability found in the Caliber-Web application allows an attacker to inject malicious JavaScript code into a href via a data wrapper, containing a base64-encoded payload. This vulnerability specifically occurs in a book's Tag editing functionality. By...
Stored XSS
Description Stored XSS attack is possible. Proof of Concept Step 1: Go to the login URL https://demo.easyappointments.org/index.php/user/login and login as an admin. Step 2: Click on Users tab and then click on Add button to create a new user with the following credentials. Credentials: First Nam...
Stored cross site scripting vulnerability in thorsten/phpmyfaq
Description Stored cross site scripting vulnerability in "name" field in add question module. This allows attacker to stolen user cookies. Proof of Concept 1 . Login to the demo account https://roy.demo.phpmyfaq.de/ 2 . Login as demo user 3 . Click add question 4 . Add payload in "Your Name"...
IDOR make users can withdraw other's application
Proof of Concept 1 user1 submit a application with id = 8, user2 submit a application with id = 9 2 user1 withdraw the application , using burpsuite get the post, which can be like :POST /inlong/manager/api/workflow/cancel/8 HTTP/1.1 3 change 8 as 9 and we can find that user2's application is...
Weak Password Implimentation
Description: We can change the password with just 1 character when we use change password function. Proof of Concept When you change password, just press any character and then submit. You will see "Your password has been changed"...
Reflected XSS in interface/forms/eye_mag/js/eye_base.php
Description There exist a reflected XSS in /interface/forms/eyemag/js/eyebase.php in the 'providerID' parameter. Proof of Concept http://openemr.local/interface/forms/eyemag/js/eyebase.php?providerID=%3Cimg%20src=x%20onerror=alert1;%3E fix properly sanitize the providerID parameter...
Bypass Stored XSS in Catalog
Login in URL : https://demo.pimcore.fun/admin 2. Go to File - Perspectives - Catalog 3. Click in tab Properties - footer - Open 4. click any Find & Order - Edit 5. in tab Basic, inject payload to : Prameters, Anchor in tab Advanced, inject payload to: Class For more understanding please check...
Dom-based XSS in Website Settings module in Settings
Description pimcore is vulnerable to Dom-based XSS at Name field in Website Settings module in Settings. Payload " Proof of Concept 1.Go to https://11.x-dev.pimcore.fun/admin/ and login. 2.In the left menu bar, go to Settings - Website Settings and input any text into Key field and choose a Type,...
Zero-Click Remote Code Execution
Vulnerability Type Remote Code Execution Affected URL http://127.0.0.1/?anyparameter= Affected Parameter Arbitrary GET parameter Authentication Required? No Issue Summary Multiple vulnerabilities discovered in Appium-Desktop that can be chained together to achieve Zero Click Remote Code Execution...
Password reset link not expired
Hi team, I hope you are well today. This is the step: Reset your password with this link https://meta.answer.dev/users/account-recovery I have recognized that links can use many times. Beside https://meta.answer.dev/users/account-activation?code=... active account have the same vulnerability. Ok...
Stored XSS @ updatecategory
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code That has a Vulnerability: // Updates an existing category if $action === 'updatecategory' &&...
Store XSS in Question Tag
Description Attackers can use this vulnerability to attack users/admins in the community, take over user/admins accounts, etc... Proof of Concept 1、Register and log in as a user, add new questions and add tags 2、Insert the following payload in the tag description html 3、Post a question 4、When oth...
Reflected XSS in Application Logger module
Description pimcore is vulnerable to Reflected XSS at From and To fields when searching in the Application Logger module. Payload " Proof of Concept 1.Go to https://demo.pimcore.fun/admin/ and login. 2.In the left menu bar, go to Tools - Application Logger. 3.In the Application Logger tab, on the...
Broken access control - Someone still can comment in unactive FAQ NEWS
Description when a NEWS FAQ turns on the comments feature and disables post like this settings. Screenshot https://imgur.com/a/9UY4QRf if you create a FAQ news with those settings and view the post, you will notice that the comment section is disabled Screenshot https://imgur.com/a/rY6zJt9 Proof ...
Stored XSS in "DATA IMPORTS" module
Description Due to improper data sanitization and validation in "DATA IMPORTS" module allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected. Payload In this PoC, I can inject into "Address" and "City" fields when importing new user by using the...
Stored XSS in server settings when upload branding
Description An attacker can upload an arbitrary file with a content type starting with image/ Proof of Concept POST /server/theme HTTP/1.1 Host: localhost:14142 Content-Length: 1077 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99" sec-ch-ua-mobile: ?0...
heap-use-after-free in gf_odf_vvc_cfg_read_bs
Description heap-use-after-free in gfodfvvccfgreadbs at odf/descriptors.c:1403 Version Author: Lim Wei Cheng ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev23-g5a733aec7-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io same POC can also trigger heap-use-after-fre...
Stored XSS via markdown link
Description Markdown editor doesn't sanitize user's input, leads to stored XSS Proof of Concept a Reproduce 1.Login to https://demo.usememos.com/ 2.Create new memo with content a 3.Ctrl+left click this link, javascript code has been executed...
ANSI Escape Sequence Injection
Description Injection of escape sequences opens up the possibility for concealing / modifying viewed data, and code execution as some esc seqs feed data back to stdin. Proof of Concept poc So far, the places I managed to find a successful injection are: - when running id from the file name - func...
Reflected Cross Site Scripting
Description User can be input malicious js in param action in url http://localhost//stats.php?action=injecthere&userid=1 and send link to other user can be steal cookie of other user. Param action not input validation from user on line 71 in file...
Able to assign HOST role to new User
Description As per the functionality we only can add user role as a "USER" in account Due to the no server side valaditon on "role" parameter , we can add new member as a "HOST" role with all HOST users privilege Proof of Concept 1. while adding new user intercept the request in burp 2. change th...
Unauthorized Attacker Can Change Visibility Status of Victim's Memos
An attacker can make a private memo into a public memo in order to view it. All the attacker needs to know is the memo ID and they can make a PATCH request to /api/memo/ with the following request data: "id":,"visibility":"PUBLIC","resourceIdList": Then the attacker can visit the memo URL & view...
Bypass client side restrictions leads to IDOR on creating appointment.
Description When creating an appointment, a Patient can completely bypass the client side restrictions, and not only can create an appointment in every date he wants, it can also set the duration of the appointment as long as he wants but most important of everything, he can tamper the formpid an...
View any content private memos from other users
Description User can view any content from private private memos from other users via api PATCH /api/memo/8 HTTP/1.1 "id":8,"rowStatus":"ARCHIVED" Proof of Concept Login to website in brower 1 with user A. Login to website in brower 2 with user B. Example: User B have private nemo with id 8. With...
Stored XSS bypass the protection rules
Description Hi there, Someone submitted an xss vulnerability about your project before.And please see "https://huntr.dev/bounties/f353adfb-e5b8-43e7-957a-894670fd4ccd/" for details.You submitted a fix in 7.0.0.2 with commit 4565d8.But after my tests, I found that it was still unsafe. The followin...
A user can update information / password from other users
Description A user neither admin nor host can modify nickname, username and email from other users without permission, being a normal user. Steps to Reproduce 1. Login as user A here, called "ileana.maricel", HOST role. 2. In another browser login as user B called "ileana.mariceel", USER role. Co...
Hyperlink injection through access token name
Description Hyperlink Injection it’s when attacker injecting a malicious link when sending an email invitation. Hyperlink injection in the email can lead to phishing via email directly to users. Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/tokens 2 Create a new access token...
Html Injection Stored in edit customers
Description HTML Injection is a vulnerability in which the attacker can inject malicious html content in the webpage. Proof of Concept 1. Open tab Edit Customers, click Edit customer 2. Inject this payload at field Name: TEST TEST TEST. And then click Save 3. Go to the profile page of this...
Deserialization of arbitrary data leads to RCE
Description LibreNMS includes support for monitoring applications, one of which is memcached. When polling for memcached, the data returned by the agent to the LibreNMS server is not verified before it is deserialized. Because LibreNMS has quite a few dependencies, it is easy to find a working...
Multiple Reflected Cross-Site Scripting in Messages Module
Description The first occurrence affects messages.php file. The parameter stage was not properly encoded before being printed as HTML. This occurs when go parameter is set to setup value. The second instance affects save.php file. There was a POST parameter called parameter in JSON format that wa...
Attacker is able to bypass 2FA verification during 2FA disable due to application logic flaw
Description An attacker is able to bypass 2FA verification during 2FA disable function of user and restrict user from accessing his account due to a application logic flaw Proof of Concept First of all let us consider a scenario where a user has left his account open on a public device library or...
No limit in email length may result in a possible DOS attack
Description As per RFC the maximum length allowed for an email address is 255 characters. However, rdiffweb don't validate email length, so you can add email addresses that exceed 255 characters. Through this, if you sign up for an email with a length of 1 million or more and log in, withdraw, or...
Use After Free in function movemark
Description Use After Free in function movemark at mark.c:234. vim version git log commit bcd6924245c0e73d8be256282656c06aaf91f17c grafted, HEAD - master, tag: v9.0.0507, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc10huaf.dat -c :qa!...
Null Pointer Dereference Caused Segmentation Fault
Description Null pointer dereference caused segmentation fault. This can cause Denial-of -service attack. Proof of Concept MP4Box -bt POC2 POC2 is here ASAN iso file Unknown box type 0000 in parent moov iso file Unknown box type 0000 in parent moov iso file Unknown box type 0000 in parent moov is...
CSRF on deleting an API key
Description An attacker can send a crafted link to a Froxlor admin. The admin, after clicking on the link and logging in, will redirect to the API key deletion endpoint, which is a GET request. This will result in deleting the API key with the specified id from the attacker. Proof of Concept 1...
Stored XSS on Admin Translations
Description Key/Name field in Admin Translation Settings is vulnerable to XSS. Proof of Concept 1 - Go to Settings, Admin Translations. 2 - Click on Add, and put the XSS payload: " on Name then save 3 - XSS popup will be triggered. Both Stable and Dev versions are vulnerable. Video PoC...
IDOR in password change page leads to administrative account takeover
Description The password change function doesn't properly handle the Change Password role, allowing to any user, that has this role enabled, to change the password of any user in the system, including the administrator account. Proof of Concept 1. 1 - Log in as a normal user that can change its o...
Path Traversal
Description Via the /attachments/:id/download/thumbnails/:filename endpoint, an authenticated user can access any arbitrary file in the system through a path traversal vulnerability in the filename parameter. \ \ The filename parameter is not sanitized and its used to craft the path of the target...
Weak Password Policy
Description This application commafeed is using a weak password policy. Acunetix was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all...
Out-of-bound read data in function suggest_trie_walk() abusing array byts
Description Out-of-bound read data in function suggesttriewalk abusing array byts in line spellsuggest.c:1925 Tested version: v8.2.5166 commit f65cc665fa751bad3ffe75f58ce1251d6695949f HEAD - master, tag: v8.2.5166, origin/master, origin/HEAD Author: Bram Moolenaar Date: Sun Jun 26 18:17:50 2022...
Mastadon's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks
Description Mastadon relies on the RackAttack.rb file to manage API throttling in the application through the declaration of absolute paths i.e., /auth/signin. By appending random strings of characters to the end of the directory in a POST request it is possible to bypass brute force protections...
Formula Injection Part Description
Description Formula Injection/CSV Injection in inventree due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept Video PoC link: https://drive.google.com/file/d/1mfBTUDS1iZ4uJfBpc568WgpdZdN5f/view?usp=sharing...