4073 matches found
Use After Free in function movemark
Description Use After Free in function movemark at mark.c:234. vim version git log commit bcd6924245c0e73d8be256282656c06aaf91f17c grafted, HEAD - master, tag: v9.0.0507, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc10huaf.dat -c :qa!...
Cookie is persisting in the browser which leads to Session Fixation
Description After logging in and logging out, the application continues to use the preauthentication cookies. The cookies are same after closing the browser and after password change .And also same cookies are reassigning for another user's login which can leads to session fixation. Proof of...
Session_id without Secure attribute
Description User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Proof of Concept Open the browser and get access to the minarca website, for this scenario I have used the demo/test...
Null Pointer Dereference Caused Segmentation Fault
Description Null pointer dereference caused segmentation fault. This can cause Denial-of -service attack. Proof of Concept MP4Box -bt POC2 POC2 is here ASAN iso file Unknown box type 0000 in parent moov iso file Unknown box type 0000 in parent moov iso file Unknown box type 0000 in parent moov is...
CSRF on deleting an API key
Description An attacker can send a crafted link to a Froxlor admin. The admin, after clicking on the link and logging in, will redirect to the API key deletion endpoint, which is a GET request. This will result in deleting the API key with the specified id from the attacker. Proof of Concept 1...
Persistent Cross Site Scripting - BusinessHours Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, On BusinessHours module from Settings, the type of name parameter is "Text" but it is not validated and it's used directly without any encoding or validation on EditViewBlocks.tpl. It allows attacker to...
Stored XSS on Admin Translations
Description Key/Name field in Admin Translation Settings is vulnerable to XSS. Proof of Concept 1 - Go to Settings, Admin Translations. 2 - Click on Add, and put the XSS payload: " on Name then save 3 - XSS popup will be triggered. Both Stable and Dev versions are vulnerable. Video PoC...
IDOR in password change page leads to administrative account takeover
Description The password change function doesn't properly handle the Change Password role, allowing to any user, that has this role enabled, to change the password of any user in the system, including the administrator account. Proof of Concept 1. 1 - Log in as a normal user that can change its o...
Path Traversal
Description Via the /attachments/:id/download/thumbnails/:filename endpoint, an authenticated user can access any arbitrary file in the system through a path traversal vulnerability in the filename parameter. \ \ The filename parameter is not sanitized and its used to craft the path of the target...
Weak Password Policy
Description This application commafeed is using a weak password policy. Acunetix was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all...
Out-of-bound read data in function suggest_trie_walk() abusing array byts
Description Out-of-bound read data in function suggesttriewalk abusing array byts in line spellsuggest.c:1925 Tested version: v8.2.5166 commit f65cc665fa751bad3ffe75f58ce1251d6695949f HEAD - master, tag: v8.2.5166, origin/master, origin/HEAD Author: Bram Moolenaar Date: Sun Jun 26 18:17:50 2022...
Mastadon's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks
Description Mastadon relies on the RackAttack.rb file to manage API throttling in the application through the declaration of absolute paths i.e., /auth/signin. By appending random strings of characters to the end of the directory in a POST request it is possible to bypass brute force protections...
Cross-site Scripting (XSS) - Reflected
Description The time parameter in fava is vulnerable to reflected XSS Proof of Concept 1. 1.Open the web browser to access the fava webpage. 2. 2.Access the url:...
Path traversal leads to arbitrary file deletions and file writes
Description Deploy and run gogs in Windows. Proof of Concept 1.Create a repository in Gogs, upload a file named test to the repository on the web page, The content of the file is as follows: xml 1111 2.The attacker can remove any files. http request: POST...
Incorrect Behavior Make Crash and Can not Access Account
Description Incorrect Behavior Make Crash and Can not Access Account Proof of Concept 1. Send a test message and get the request, send it to Repeater 2. Replace the value of owner and cId with the id of two victims 3. Send the request...
heap-use-after-free in function find_pattern_in_path
Description heap-use-after-free in function findpatterninpath at search.c:3683 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pochuafs.dat -c...
xss using .xsig file
Description xss using .xsig file Proof of Concept 1. Save this file as test.xsig file and upload it to http://localhost/ListAttachedFile 2. now view this file in chrome browser and see xss is executed...
Cross-site Scripting (XSS) - Generic
Description The Stream URL of octoprint application allowing xss payload to execute for which its leads to Cross-site Scripting XSS Proof of Concept Login to the application Now go to settings - Webcam & Timelapse - Stream URL and insert the payload " in the Stream URL and click on "Test" You wil...
chafa: NULL Pointer Dereference in function gif_internal_decode_frame at libnsgif.c:599 allows attackers to cause a denial of service (crash) via a crafted input file.
Steps to reproduce the issue git clone https://github.com/hpjansson/chafa.git cd chafa export CFLAGS="-g -O0" export CXXFLAGS="-g -O0" ./autogen.sh ./configure --disable-shared make ./tools/chafa/chafa ./poc.gif gdb --args ./tools/chafa/chafa ./poc.gif...
Inf loop
Description A inf loop security issue in gpac/gpac Proof of Concept The issue occurs in code: src/mediatools/avilib.cL1974, when the gpac avidmx filter parses the AVI format file. choose a simple AVI format file, the data's header is as follows in xxd mode $ xxd ./1.avi | head -n 2 00000000: 5249...
Path Traversal due to `send_file` call
A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash ../” sequences and its variations or by using absolute file paths, it may be possible to...
CRHTLF can lead to invalid protocol extraction potentially leading to XSS
Description \r, \n, \t characters in the URI can lead to XSS as URI.js will fail to extract javascript: protocol from a URI. See Section 4.4 Step 3 "Remove all ASCII tab or newline from input." of the WHATWG URL spec. Proof of Concept const parse = require'urijs' const express = require'express'...
The microweber application allows large characters to insert in the input field "fist & last name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber
Proof of Concept 1. Go to http://127.0.0.1/admin/view:modules/loadmodule:users/action:profile 2. Click on edit profile 3. Fill the first name & last name field with huge characters, more than 1 lakh 4. Copy the below payload and put it in the input fields and click on continue. 5. You will see th...
SSL verification omitted in OAuth2 credential flow
Description Pulsar uses Curl to send HTTPS requests and typically uses the tlsAllowInsecure global variable derived from isTlsAllowInsecureConnection to determine whether SSL verification¹ should be enabled/disabled². In the linked occurances, those checks do not occur and SSL verification is...
Integer Overflow or Wraparound
Description The microweber application allows large characters to insert in the input field like "Town, ZIP, State, Address, and Additional Info field" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Buy a product and in the Shipping metho...
hostname spoofing via javascript
Description If use parse-url for security check on url, it is dangerous because hostname spoofing through JavaScript scheme is possible. It also occurred in url.parse of node.js in 2018, and node.js acknowledged the vulnerability for this. So Node.js has patched it, and there are cases where a CV...
Cross-site Scripting (XSS) - Reflected
Description There is a Reflected cross site scripting issue chained using these endpoints: 1 /admin/content/0/edit 2 /apiqqalert1fca4/page Proof of Concept 1. Login to https://demo.microweber.org 2. Now visit https://demo.microweber.org/demo/admin/content/0/edit 3. Now open this url in same tab o...
Improper Authorization in librenms/librenms
Description LibreNMS v22.1.0 allows users with the normal role/level to interact with the plugin setting resulting in the users could take action such as switching on/off any installed plugins which are supposedly accessible by the Administrator only. Proof of Concept Affected endpoints: 1 GET...
Improper Privilege Management in snipe/snipe-it
Description Unprivilege user can create maintainance for asset Proof of Concept 1. Create regular user and set DENY to all permissions in asset models.\ 2. Login as the user and sent bellow request to create maintainance for asset await fetch"https://demo.snipeitapp.com/hardware/maintenances",...
Cross-site Scripting (XSS) - DOM in hakimel/reveal.js
Description The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker's input to parts using which attacker can...
in gpac/gpac
Description Null Pointer Dereference in gitnboxdel Proof of Concept bash echo -n AAAAEW1ldGEwMDAwMDAwMDAAAABjMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAAAAARZ2l0bjAwMDAwMDAwMA== | base64 -d poc ./MP4Box -bt ./poc...
Improper Access Control in liukuo362573/yishaadmin
Description YiShaAdmin is vulnerable to Improper Access Control via the /admin/SystemManage/LogApi/GetPageListJson endpoint. Anyone can view the Log API of the YiShaAdmin without any authentication. This API contains the sensitive information include: ExecuteURL, ExecuteParam, ExecuteTime,...
in stanfordnlp/corenlp
Description When a malicious schema XML file is passed to getValidatingXmlParser, the parser is vulnerable to XXE when the SchemaFactory parses the schema XML file. In...
Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite
Description Hi there, I would like to report a Cross Site Request Forgery in phoronix source code. Cross-site request forgery also known as CSRF is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to...
Improper Access Control in chocobozzz/peertube
Description Unauthenticated users can obtain comments on private videos Proof of Concept Vísit the following API link where 123 is the ID of the private video: /api/v1/videos/123/comment-threads Response contains all the comments on that private video. Impact This vulnerability disclosure comment...
Insecure Temporary File in tensorflow/tensorflow
Description tensorflow package is using the deprecated function tempfile.mktemp which is not secure. Because a different process may create a file with this name in the time between the call to mktemp and the subsequent attempt to create the file by the first process. Impact Availability will get...
in livehelperchat/livehelperchat
Description When resetting your password, you're able to enumerate users based on the way that the server responds to your request. If you enter an email that doesn't exist for example: [email protected], then the server will respond with an HTTP 302 FOUND status response code indicated by line 97 o...
Improper Access Control in bookstackapp/bookstack
Description parentChapter permissions are not enforced during sort. Users with only book-update permissions on their own page can move their pages into restricted chapters via modifying the parentChapter id in the sortmap. Users do not need to have access to restricted books / chapter in order to...
Cross-site Scripting (XSS) - Stored in yetiforcecompany/yetiforcecrm
Description I found file upload XSS, Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. Proof of Concept 1. login and navigate to https://gitstable.yetiforce.com/index.php?module=Users&view=PreferenceEdit&record=5 2. Layout photo Add file. 3...
in mruby/mruby
Description NULL Pointer Dereference in mrbfullgc Proof of Concept a = a. nil AddressSanitizer:DEADLYSIGNAL ================================================================= ==21352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 pc 0x556b44382444 bp 0x7fff4e9961d0 sp...
in chevereto/chevereto-free
Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills. This tricks...
Cross-site Scripting (XSS) - Generic in snipe/snipe-it
Description At File Uploads allows for arbitrary execution of JavaScript Step to Reproduct XSS at filename Goto detail of one asset At tab File choose to upload file with filename contain payload: file'name XSS when upload file .svg In list file types are allowed don't have file .svg Goto detail ...
Inefficient Regular Expression Complexity in pksunkara/inflect
✍️ Description The inflect package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide a crafted tablename as input to the classify function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex. 🕵️♂️...
Heap-based Buffer Overflow in mruby/mruby
Description Heap buffer overflow in mruby Proof of Concept // poc.rb %= % .clear ensure begin unless ?n = % :regex or 11 Compile mruby with asan git clone https://github.com/mruby/mruby cd mruby LDFLAGS="-fsanitize=address" CFLAGS="-fsanitize=address -g" make ./bin/mruby poc.rb Result ./bin/mruby...
Prototype Pollution in antfu/utils
Description @antfu/utils is a collection of common JavaScript / TypeScript utils. It is vulnerable to Prototype Pollution on the deepMerge function. This allows for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. About the vulnerability Prototype Pollution...
Cross-site Scripting (XSS) - Reflected in yourls/yourls
✍️ Description Cross-site Scripting XSS refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. The...
Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
✍️ Description Please enter a description of the vulnerability. The cookie persistentlogin is set without httponly flag 🕵️♂️ Proof of Concept Enable remember me during Login POST /admin/index.php?login HTTP/1.1 Host: 192.168.159.138 Content-Length: 30 Cache-Control: max-age=0...
Path Traversal in yogeshojha/rengine
✍️ Description Local File Inclusion through Path Traversal 🕵️♂️ Proof of Concept While logged in into a Rengine instance, go to /api/getFileContents/?nucleitemplate&name=../../../../../../../../etc/passwd. The contents of /etc/passwd are included into the response. 💥 Impact This vulnerability is...
Prototype Pollution in immerjs/immer
✍️ Description immer package is vulnerable to Prototype Pollution. 🕵️♂️ Proof of Concept Create the following PoC file: // poc.js const immer = require"immer"; immer.enablePatches; let obj = ; const patch = op: 'add', path: "proto","polluted", value: "Yes! Its Polluted"; console.log"Before : " +...
Cross-site Scripting (XSS) - Reflected in leantime/leantime
✍️ Description Cross-site scripting XSS vulnerabilities Line 9 of delCanvasItem.tpl.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. 🕵️♂️ Proof of Concept /leancanvas/delCanvasItem/" 💥 Impact The attacker can: Perform any action within the...