4072 matches found
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
✍️ Description Attacker can delete any Exports for any user with CSRF vulnerability when the Admin or SuperAdmin or an authorized user click on PoC.html file, it is enough to attacker know the Export's names on server. I convert the...
Session Fixation in filegator/filegator
✍️ Description the password reset function is vulnerable to session fixation bug, it's a small low hanging bug 🕵️♂️ Proof of Concept open filegator and login with similar accounts in multiple browsers. change the password of the user in one browser and reload the other login session. we can see...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
💥 BUG Stored xss using fullname 💥 IMPACT There is no xss filter present . Using this stored xss external user can attack admin and can execute arbitary javascript code in vicitm account . TESTED VERSION ========== trudesk 1.1.5 💥 STEP TO REPRODUCE 1. First goto...
Code Injection in adobe/himl
Description himl is a hierarchical config using yaml in Python, which is vulnerable to Arbitary Code Execution. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash pip install himl Run exploit.py import os os.system'pip install himl...
Code Injection in ewels/multiqc
Description MultiQC Aggregate results from bioinformatics analyses across many samples into a single report. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash pip3 install multiqc Run exploit.py import os os.system'pip3 install...
in microweber/microweber
Description microweber/microweber is vulnerable to Arbitrary File Upload. Effective controls have not been implemented to restrict users from uploading malicious content to the web server. Files containing code like .php, .exe and etc can be uploaded successfully. Steps To Reproduce-: 1. Login in...
Prototype Pollution in starcounter-jack/json-patch
Description fast-json-patch is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js let fastjsonpatch = require"fast-json-patch"; functio...
in seleniumhq/selenium
Description Selenium is an umbrella project encapsulating a variety of tools and libraries enabling web browser automation. Selenium specifically provides infrastructure for the W3C WebDriver specification — a platform and language-neutral coding interface compatible with all major web browsers...
Cross-site Scripting (XSS) - Stored in arachnys/cabot
Description Executed Persistent stored XSS in cabot check settings, as well as the address field. As per CVEs present Stored XSS is a High Severity bug. Proof of Concept 1. setup cabot to reproduce the vulnerability 2. create an account now login to the account 3. Go to checks Create and navigate...
Code Injection in z4nzu/hackingtool
Description The hackingtool by Z4nzu is a pool of pentest tools that is useful to hackers to do fast hacking from information gathering to web attacks to wireless hacking and much more which are provided in terminal UI. It is built using python3. However it uses os.system command in various place...
Command Injection in quobject/aws-cli-js
Overview The issue occurs because a user input is formatted inside a command that will be executed without any check. The issue arises here. Proof of Concept Credit: Mik317 1. Create the following PoC file: js // poc.js var awsCli = require"aws-cli-js"; var Options = awsCli.Options; var Aws =...
Open Redirect
Description There is an open redirect in the endpoint /project/switch/project due to the use of symfony's redirect function from a user controlled input. Proof of Concept php $targetPath = $request-query-get'targetPath', false; if $targetPath return $this-redirect$targetPath;...
Reflected XSS in /admin/index.php
Description Description I noticed, your website is very secure. But you overlooked a flaw XSS Proof of Concept 1. Step 1: Access the demo website 2. Step 2: Access admin/index.php?action=ngductung"img src/onerror="alert'XSS' 3. Step 3: Detect XSS Video PoC...
NULL Pointer Dereference
Environment Windows 10 22H2 19045.3448 Version I checked against the latest trunk as of 09/19/23 at commit 3a126babc77dd5af4cd8fb0c45d8c0eb172c7b8c and the current release 4.12.0. Description This is a null pointer dereference that causes the IE driver to crash when selenium gets the cookies from...
Relative path traversal
Description The endpoint /system/data-exports/:filename is intended to export AnythingLLM data zip file for download based on a specified filename parameter. However, a critical security vulnerability arises due to insufficient validation and sanitization of the request.params.filename parameter...
stack-overflow in gf_bt_check_line scene_manager/loader_bt.c:408
Description stack-overflow in MP4Box Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Out of Bounds Read in MPEG12_ParseSeqHdr media_tools/mpeg2_ps.c
Description Out of Bounds Read in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Improper validation of intent data received in TextViewerActivity allows opening of arbitrary files
Description Tested on Build87 of the Inure application. It was discovered that the application had an exported activity .activities.association.TextViewerActivity which accepted intent data via the file scheme + text/ mime type and opened the associated files from provided URI data string. It is...
IDOR in Users Edit screen
Description By manipulating the User ID in the URL, users with low privilege can view the information of any users Proof of Concept Step 1: Login as user1 with author privilege, see that he can only access the edit screen of himself. Click on edit button. Step 2: See the userID in the URL, modify...
Pre-Auth SQLi leading to RCE in Social Media Skeleton v1.0
Summary A SQL Injection vulnerability exists in Social Media Skeleton v1.0 via the username and password parameters in admin/login.php. Not to be confused with login.php, which properly escapes special characters. Issue Description SQL injection SQLi is a code injection technique used to attack...
Server Side Request Forgery (SSRF)
Description It is possible to access the local environment in the Webhook function. Therefore, Blind SSRF makes it possible to perform a port scan against the local environment. Proof of Concept After logging in, access the webhook setting page, specify the URL with the following pattern, and che...
Out of bounds read in VobSub loader
Description The gpac VobSub parser takes a FILE handle and attempts to load the information from that file into its memory. The main focus of this report revolves around the first few lines of the function and how they make some assumptions about buffer sizes that allows for an out-of-bounds read...
CSV Injection while export users
1 admin add a user, or a user signup. 2 the user logins and edit himeself 3 the user change his realname as "=1+cmd|'/C calc'!A0" 4 admin go to export the users as a csv file 5 admin open the csv and we can see that the calculator is opened. see https://owasp.org/www-community/attacks/CSVInjectio...
Stored XSS on item name - Bypass of (CVE-2023-2516)
Description first create two user accounts and grant them permission to access a same folder. In one of the accounts, generate a new item within the folder. Paste the payload XSS into this field, then save the item. Once saved, click on the item to activate an XSS alert. This is the bypass of...
Divide By Zero FPE
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Release: n/a Codename: bookworm Version I checked against the latest release as of 05/18/23 the current master branch at commit a6ae93532ea5615c876c81a6580badbfa01d4383 . Description This AddressSanitizer output is...
Cross-site Scripting and CSP Bypass in app.diagrams.net
Description The application allows the user to import a CSV template into the schema, but does not clean the input from the columns resulting in any javascript code being executed. Proof of Concept Example CSV import. Use for comments and for configuration. Paste CSV below. The following names ar...
Stored XSS bypass in "FAQ"
Description Stored XSS in "Add new FAQ" feature via inject XSS payload in the answer at the following https://roy.demo.phpmyfaq.de/admin/?action=editentry Steps 1- Login as admin and Go to the following URL https://roy.demo.phpmyfaq.de/admin/?action=editentry to add a new faq 2-Enter the "Questio...
Reflected XSS at search_query[] query string
Description Reflected XSS Cross-Site Scripting is a common web security vulnerability that can occur when a user inputs malicious Javascript syntax into the search field. The search function allows users to look for content on the website, and the search keywords are appended to the URL query...
Stored XSS in the module named "Dashboard"
Description I tested the demo site you provided. I see that there is an XSS vulnerability. I hope you can check and provide a fix as soon as possible. Proof of Concept link video PoC https://drive.google.com/file/d/19lzyLY20fn0WdgRxsIrIRSfkrq36j7s5/view?usp=sharing Steps 1.Login as administrator...
Path Traversal at Slack Image Endpoint
Summary Lightdash version \ Required. 1. Install the Lightdash server & database. \ 2. Connect Lightdash to a dbt project and add some metrics. 3. Create and share insights with your team. 4. Craft...
Cross site scripting vulnerability in throsten /phpmyfaq
Description Cross site scripting vulnerability in throsten /phpmyfaq in tag field at admin dashboard. Proof of Concept 1 . Login to the demo admin account. https://roy.demo.phpmyfaq.de/admin/ 2 . Go to admin dashboard -- Contents -- Add new FaQ --Faq meta data 3 . Add payload in tag field payload...
Stored cross site scripting vulnerability in Save grid option in pimcore dashboard
Description Stored cross site scripting vulnerability in Save grid option in pimcore dashboard. Proof of Concept 1. Login to the demo account https://11.x-dev.pimcore.fun/admin/login 2. On left side menu go to document -- perspective -- cdp https://11.x-dev.pimcore.fun/admin/?perspective=CDP 3. i...
Stored XSS on Multiple Edit Page
Description A stored XSS with alert on Editing page. \ I clone repo from master branch and build with docker. Footer show: Version: 1.3.4 Proof of Concept Request image Request raw: POST /api/saveedit HTTP/1.1 Host: 192.168.125.131 User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:109.0...
Reflected XSS in LimeSurvey
Description There is a XSS in Lime Survey. The $GET'keyword' is not sanitized : echo $GET'keyword'; Proof of Concept We can read cookie contents :...
XSS in Classification Store of Data Objects module in Settings
Description pimcore is vulnerable to XSS at Name field in Classification Store of Data Objects module in Settings. The vulnerability exists in all 3 tabs: Group Collections, Group, Key Definitions. Payload " Proof of Concept 1.Go to https://11.x-dev.pimcore.fun/admin/ and login. 2.In the left men...
Improper Access Control which allows one provider to view and edit others provider appointment's details
Description Login using one provider's credential. After login successfully, notice there is POST request to /index.php/backendapi/ajaxgetcalendarappointments which allows the provider to view their own appointments information. However, by changing the recordid parameter to any number start from...
Stored XSS in name parameter of "Customers Reports"
Description The name parameter of the "Static Routes" functionality is vulnerable to stored XSS. Proof of Concept 1.Login to https://demo.pimcore.fun/admin/. 2.Now go to Marketing - Customers Reports - Add and Enter the name of the new item a-zA-Z-. 3.Then capture the request on the burp suite an...
Store XSS in create tag
Description Feature create tag permit attacker injection html tag and execute it. Proof of Concept 1. Add question 2. Create tag with payload in description: 3. Post your question 4. Go to link http:///tags//timeline and click created. Payload executed. POC...
Stored HTML Injection via Company Name
Description easyappointments present an html injection vulnerability on the company name field on "/index.php/backend/settings" page. Steps: 1. login as admin 2. go to /index.php/backend/settings Page 3. insert the payload in Company Name field 4. go back to the home page and see the result. Proo...
Missing Authorization Check Allows Impersonated Secure Messages
Description Due to the lack of an authorization check when sending secure messages, an attacker with access to a low level patient account in the portal can impersonate other users when sending secure messages. This would allow a malicious actor to impersonate high-level users...
Authorization Token Never Expires
Description The vulnerability is related to the Authorization header used for user login. After logging out, the token in the Authorization header remains valid and does not expire. Additionally, the token has an excessively long duration of 10 hours, as confirmed by a request. This vulnerability...
Insufficient Session Expiration
Description Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. When handling sessions, web developers can rely either on server tokens or generate session identifiers within the application. Each session should...
Stored XSS From Visitor to Acc Takeover
Description Using X-Forwarded-For Header Visitor can manipulate ip to trigger xss Proof of Concept 1.Visit any url and Add Header X-Forward-For: 127.0.0.1" 2.If admin check in dashboard xss will trigger Check This image...
stored XSS after XSS Filter Bypass through exporting an HTML-Document
Hello, After mitigation of all submitted XSS Vulnerabilities i was able to detect another XSS and bypass the XSS Filters in the FAQ Site while generating an HTML Export. Lets see : ------------------- This is th XSS Paylaod with XSS Ahmed 2 Only XSS Ahmed 2 will work ! Now lets export in in HTML5...
SQL Injection in Custom Fields
Description SQL injection when updating custom fields in the admin panel. Malicious web admins can use POST /app/admin/custom-fields/edit-result.php with parameters fieldType=set&fieldSize='1' CHARACTER SET utf8; SELECT sleep3; to execute the inserted SQL command SELECT sleep3; and thus result th...
Stored XSS
Description A Cross-Site Scripting XSS vulnerability exists in Dolibarr before 16.0.4 via the ticket creation flow. Exploitation requires that an admin change the value of the box using "onbeforeinput" event. In the worst case, the victim who inadvertently triggers the attack is a highly privileg...
GET based CSRF on delete user functionality
Description The /account/delete functionality is vulnerable to CSRF. In this way, an attacker can trick the victim to delete his own account just clicking on the link. Steps to reproduce - Login with a user - Now go here: https://app.wallabag.it/account/delete - The account is now deleted without...
IDOR Vulnerability Allows add tag entry user other
Description IDOR Vulnerability Allows add tag entry user other, allows adding tags to any user, since there is no user authentication. And not limiting the input causes the entry interface to break Proof of Concept Step 1. User A manages entry id 6 Step 2. User B manages entry id 7 Step 3. Login...
CSRF attack used to change user's email, thus blocking its access to the application.
Description The application lacks protection against Cross-Site Request Forgery CSRF because it fails to verify the implementation of the CSRF Token. For example, if a victim visits the following site crafted by the attacker while logged in at the target application, the browser will issue the...
Multiple stored XSS
Description Hello! Found multiple stored XSS. PoCs "About me" XSS Insert this code in "About me" http://host/users/settings/profile Website title XSS go to /admin/general, edit 'Site Name' adding the following payload alert"XSS ATTACK!" The script will be executed every time you reload the page...