4072 matches found
Formula Injection Part Description
Description Formula Injection/CSV Injection in inventree due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept Video PoC link: https://drive.google.com/file/d/1mfBTUDS1iZ4uJfBpc568WgpdZdN5f/view?usp=sharing...
Cross-site Scripting (XSS) - Reflected
Description The time parameter in fava is vulnerable to reflected XSS Proof of Concept 1. 1.Open the web browser to access the fava webpage. 2. 2.Access the url:...
Path traversal leads to arbitrary file deletions and file writes
Description Deploy and run gogs in Windows. Proof of Concept 1.Create a repository in Gogs, upload a file named test to the repository on the web page, The content of the file is as follows: xml 1111 2.The attacker can remove any files. http request: POST...
Incorrect Behavior Make Crash and Can not Access Account
Description Incorrect Behavior Make Crash and Can not Access Account Proof of Concept 1. Send a test message and get the request, send it to Repeater 2. Replace the value of owner and cId with the id of two victims 3. Send the request...
heap-use-after-free in function find_pattern_in_path
Description heap-use-after-free in function findpatterninpath at search.c:3683 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pochuafs.dat -c...
xss using .xsig file
Description xss using .xsig file Proof of Concept 1. Save this file as test.xsig file and upload it to http://localhost/ListAttachedFile 2. now view this file in chrome browser and see xss is executed...
chafa: NULL Pointer Dereference in function gif_internal_decode_frame at libnsgif.c:599 allows attackers to cause a denial of service (crash) via a crafted input file.
Steps to reproduce the issue git clone https://github.com/hpjansson/chafa.git cd chafa export CFLAGS="-g -O0" export CXXFLAGS="-g -O0" ./autogen.sh ./configure --disable-shared make ./tools/chafa/chafa ./poc.gif gdb --args ./tools/chafa/chafa ./poc.gif...
Inf loop
Description A inf loop security issue in gpac/gpac Proof of Concept The issue occurs in code: src/mediatools/avilib.cL1974, when the gpac avidmx filter parses the AVI format file. choose a simple AVI format file, the data's header is as follows in xxd mode $ xxd ./1.avi | head -n 2 00000000: 5249...
Path Traversal due to `send_file` call
A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash ../” sequences and its variations or by using absolute file paths, it may be possible to...
CRHTLF can lead to invalid protocol extraction potentially leading to XSS
Description \r, \n, \t characters in the URI can lead to XSS as URI.js will fail to extract javascript: protocol from a URI. See Section 4.4 Step 3 "Remove all ASCII tab or newline from input." of the WHATWG URL spec. Proof of Concept const parse = require'urijs' const express = require'express'...
The microweber application allows large characters to insert in the input field "fist & last name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber
Proof of Concept 1. Go to http://127.0.0.1/admin/view:modules/loadmodule:users/action:profile 2. Click on edit profile 3. Fill the first name & last name field with huge characters, more than 1 lakh 4. Copy the below payload and put it in the input fields and click on continue. 5. You will see th...
SSL verification omitted in OAuth2 credential flow
Description Pulsar uses Curl to send HTTPS requests and typically uses the tlsAllowInsecure global variable derived from isTlsAllowInsecureConnection to determine whether SSL verification¹ should be enabled/disabled². In the linked occurances, those checks do not occur and SSL verification is...
Integer Overflow or Wraparound
Description The microweber application allows large characters to insert in the input field like "Town, ZIP, State, Address, and Additional Info field" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Buy a product and in the Shipping metho...
hostname spoofing via javascript
Description If use parse-url for security check on url, it is dangerous because hostname spoofing through JavaScript scheme is possible. It also occurred in url.parse of node.js in 2018, and node.js acknowledged the vulnerability for this. So Node.js has patched it, and there are cases where a CV...
Cross-site Scripting (XSS) - Reflected
Description There is a Reflected cross site scripting issue chained using these endpoints: 1 /admin/content/0/edit 2 /apiqqalert1fca4/page Proof of Concept 1. Login to https://demo.microweber.org 2. Now visit https://demo.microweber.org/demo/admin/content/0/edit 3. Now open this url in same tab o...
Improper Authorization in librenms/librenms
Description LibreNMS v22.1.0 allows users with the normal role/level to interact with the plugin setting resulting in the users could take action such as switching on/off any installed plugins which are supposedly accessible by the Administrator only. Proof of Concept Affected endpoints: 1 GET...
Improper Privilege Management in snipe/snipe-it
Description Unprivilege user can create maintainance for asset Proof of Concept 1. Create regular user and set DENY to all permissions in asset models.\ 2. Login as the user and sent bellow request to create maintainance for asset await fetch"https://demo.snipeitapp.com/hardware/maintenances",...
Cross-site Scripting (XSS) - DOM in hakimel/reveal.js
Description The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker's input to parts using which attacker can...
in gpac/gpac
Description Null Pointer Dereference in gitnboxdel Proof of Concept bash echo -n AAAAEW1ldGEwMDAwMDAwMDAAAABjMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAAAAARZ2l0bjAwMDAwMDAwMA== | base64 -d poc ./MP4Box -bt ./poc...
Improper Access Control in liukuo362573/yishaadmin
Description YiShaAdmin is vulnerable to Improper Access Control via the /admin/SystemManage/LogApi/GetPageListJson endpoint. Anyone can view the Log API of the YiShaAdmin without any authentication. This API contains the sensitive information include: ExecuteURL, ExecuteParam, ExecuteTime,...
None in bobthecow/mustache.php
Description In Mustache.php v2.0.0 through v2.14.0, Sections tag can lead to arbitrary php code execution even if strictcallables is true when section value is controllable. Proof of Concept './cache', 'strictcallables'=true ; echo $m-render' repo phpinfo;// No repos : / repo phpinfo;// ',...
in stanfordnlp/corenlp
Description When a malicious schema XML file is passed to getValidatingXmlParser, the parser is vulnerable to XXE when the SchemaFactory parses the schema XML file. In...
Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite
Description Hi there, I would like to report a Cross Site Request Forgery in phoronix source code. Cross-site request forgery also known as CSRF is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to...
Insecure Temporary File in tensorflow/tensorflow
Description tensorflow package is using the deprecated function tempfile.mktemp which is not secure. Because a different process may create a file with this name in the time between the call to mktemp and the subsequent attempt to create the file by the first process. Impact Availability will get...
in livehelperchat/livehelperchat
Description When resetting your password, you're able to enumerate users based on the way that the server responds to your request. If you enter an email that doesn't exist for example: [email protected], then the server will respond with an HTTP 302 FOUND status response code indicated by line 97 o...
Improper Access Control in bookstackapp/bookstack
Description parentChapter permissions are not enforced during sort. Users with only book-update permissions on their own page can move their pages into restricted chapters via modifying the parentChapter id in the sortmap. Users do not need to have access to restricted books / chapter in order to...
Cross-site Scripting (XSS) - Stored in yetiforcecompany/yetiforcecrm
Description I found file upload XSS, Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. Proof of Concept 1. login and navigate to https://gitstable.yetiforce.com/index.php?module=Users&view=PreferenceEdit&record=5 2. Layout photo Add file. 3...
in mruby/mruby
Description NULL Pointer Dereference in mrbfullgc Proof of Concept a = a. nil AddressSanitizer:DEADLYSIGNAL ================================================================= ==21352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 pc 0x556b44382444 bp 0x7fff4e9961d0 sp...
in chevereto/chevereto-free
Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills. This tricks...
Cross-site Scripting (XSS) - Generic in snipe/snipe-it
Description At File Uploads allows for arbitrary execution of JavaScript Step to Reproduct XSS at filename Goto detail of one asset At tab File choose to upload file with filename contain payload: file'name XSS when upload file .svg In list file types are allowed don't have file .svg Goto detail ...
Inefficient Regular Expression Complexity in pksunkara/inflect
✍️ Description The inflect package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide a crafted tablename as input to the classify function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex. 🕵️♂️...
Heap-based Buffer Overflow in mruby/mruby
Description Heap buffer overflow in mruby Proof of Concept // poc.rb %= % .clear ensure begin unless ?n = % :regex or 11 Compile mruby with asan git clone https://github.com/mruby/mruby cd mruby LDFLAGS="-fsanitize=address" CFLAGS="-fsanitize=address -g" make ./bin/mruby poc.rb Result ./bin/mruby...
Prototype Pollution in antfu/utils
Description @antfu/utils is a collection of common JavaScript / TypeScript utils. It is vulnerable to Prototype Pollution on the deepMerge function. This allows for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. About the vulnerability Prototype Pollution...
Cross-site Scripting (XSS) - Reflected in yourls/yourls
✍️ Description Cross-site Scripting XSS refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. The...
Path Traversal in yogeshojha/rengine
✍️ Description Local File Inclusion through Path Traversal 🕵️♂️ Proof of Concept While logged in into a Rengine instance, go to /api/getFileContents/?nucleitemplate&name=../../../../../../../../etc/passwd. The contents of /etc/passwd are included into the response. 💥 Impact This vulnerability is...
Prototype Pollution in immerjs/immer
✍️ Description immer package is vulnerable to Prototype Pollution. 🕵️♂️ Proof of Concept Create the following PoC file: // poc.js const immer = require"immer"; immer.enablePatches; let obj = ; const patch = op: 'add', path: "proto","polluted", value: "Yes! Its Polluted"; console.log"Before : " +...
Cross-site Scripting (XSS) - Reflected in leantime/leantime
✍️ Description Cross-site scripting XSS vulnerabilities Line 9 of delCanvasItem.tpl.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. 🕵️♂️ Proof of Concept /leancanvas/delCanvasItem/" 💥 Impact The attacker can: Perform any action within the...
Sensitive Cookie Without 'HttpOnly' Flag in glpi-project/glpi
✍️ Description According to 1 we have : HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie 💥 Impact This vulnerability is capable of take control...
Cross-Site Request Forgery (CSRF) in zhongshaofa/easyadmin
✍️ Description Attacker able to change any password and username with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. I...
in frangoteam/fuxa
✍️ Description This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. 🕵️♂️ Proof of Concept fs.writeFileSyncruntime.settings.userSettingsFile, JSON.stringifyreq.body, null, 4; mergeUserSettingsreq.body; res.end; FIx Consider using a rate-limiting...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
✍️ Description Attacker can delete any Exports for any user with CSRF vulnerability when the Admin or SuperAdmin or an authorized user click on PoC.html file, it is enough to attacker know the Export's names on server. I convert the...
Session Fixation in filegator/filegator
✍️ Description the password reset function is vulnerable to session fixation bug, it's a small low hanging bug 🕵️♂️ Proof of Concept open filegator and login with similar accounts in multiple browsers. change the password of the user in one browser and reload the other login session. we can see...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
💥 BUG Stored xss using fullname 💥 IMPACT There is no xss filter present . Using this stored xss external user can attack admin and can execute arbitary javascript code in vicitm account . TESTED VERSION ========== trudesk 1.1.5 💥 STEP TO REPRODUCE 1. First goto...
Code Injection in adobe/himl
Description himl is a hierarchical config using yaml in Python, which is vulnerable to Arbitary Code Execution. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash pip install himl Run exploit.py import os os.system'pip install himl...
Code Injection in ewels/multiqc
Description MultiQC Aggregate results from bioinformatics analyses across many samples into a single report. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash pip3 install multiqc Run exploit.py import os os.system'pip3 install...
in microweber/microweber
Description microweber/microweber is vulnerable to Arbitrary File Upload. Effective controls have not been implemented to restrict users from uploading malicious content to the web server. Files containing code like .php, .exe and etc can be uploaded successfully. Steps To Reproduce-: 1. Login in...
Prototype Pollution in starcounter-jack/json-patch
Description fast-json-patch is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js let fastjsonpatch = require"fast-json-patch"; functio...
in seleniumhq/selenium
Description Selenium is an umbrella project encapsulating a variety of tools and libraries enabling web browser automation. Selenium specifically provides infrastructure for the W3C WebDriver specification — a platform and language-neutral coding interface compatible with all major web browsers...
Cross-site Scripting (XSS) - Stored in arachnys/cabot
Description Executed Persistent stored XSS in cabot check settings, as well as the address field. As per CVEs present Stored XSS is a High Severity bug. Proof of Concept 1. setup cabot to reproduce the vulnerability 2. create an account now login to the account 3. Go to checks Create and navigate...
Code Injection in z4nzu/hackingtool
Description The hackingtool by Z4nzu is a pool of pentest tools that is useful to hackers to do fast hacking from information gathering to web attacks to wireless hacking and much more which are provided in terminal UI. It is built using python3. However it uses os.system command in various place...