4072 matches found
DOM XSS on lab.flipper.net via the "channel" or "version" parameters
Description Hi ! The Web Platform for the Flipper is vulnerable to DOM XSS via the channel and version parameters. This occurs because when the user clicks on Choose firmware the values are passed directly to innerHTML without parsing. Proof of Concept 1. 1 The user access the following URL :...
Stored Cross-site scripting
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept Visit: http:///phpmyfaq/admin/?action=meta Click button Add template meta data Inject payload in field Page type: "alert"XSS"...
Weak Password Requirement
Description We can change password with just 1 character when we use change password function. Proof of Concept When you change password, just press an charactor and then submit. Your password has been changed...
Moderators can perform Time based SQL injection attack.
The API endpoint /api/chat/users/setenabled POST is vulnerable to a Time based blind SQL injection attack via body parameter ‘userId’. It allows a Moderator to read, modify or delete the entries in the sqlite database. Moderator can leak the streamkey to access admin dashboard. Proof of concept...
No password confirmation on sensitive action like email change
Description It is important to implement password checks on sensitive features like email change Proof of Concept 1 Go to https://rdiffweb-demo.ikus-soft.com/login/ 2 Use the credentials admin , admin123 and login into your account 3 Navigate to the endpoint...
No Limit in "title" length while adding SSH key , results in memory consumption/DOS attack
Description There must be a fixed length for user input parameters like "title" while adding SSH key. Allowing users to enter long strings may result in a DOS attack or memory corruption Proof of Concept 1Go to https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys endpoint . 2Click on add SSH key...
Stored Cross-Site Scripting (XSS)
Description There is insufficient input validation in the title of user notifications. Proof of Concept Steps to reproduce: 1. Log in to an admin account 2. Hover over the username & click on Notifications 3. Create a new notification with the Title alertdocument.location and an arbitrary message...
The settings of repositories is vulnerable to CSRF
Description The malicious user can change the settings of repository by sending the URL to the victim. Proof of Concept 1.Login into the application https://rdiffweb-demo.ikus-soft.com/settings/admin/test-encoding . 2.Go to test-encoding. 3.Check that the value of remove older is forever. 4.Open...
Cookie is persisting in the browser which leads to Session Fixation
Description After logging in and logging out, the application continues to use the preauthentication cookies. The cookies are same after closing the browser and after password change .And also same cookies are reassigning for another user's login which can leads to session fixation. Proof of...
Session_id without Secure attribute
Description User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Proof of Concept Open the browser and get access to the minarca website, for this scenario I have used the demo/test...
Password can be set extremely weak
Description In this scenario, I use the demo website. It allows us to add more user to test. With password, we can set it 1 Or any charater. There is no policy for password or no password checking. Moreover, it also allows us to change password and the new password also can be set with password...
Stored Cross-Site Scripting (XSS)
Description Input fields allowing Markdown Input are vulnerable to XSS. This requires Superadmin permissions though. Proof of Concept Steps to reproduce: 1. Log in to the admin account 2. Go to Admin - General Settings 3. Enter the Payload in the Login Note and Dashboard Message fields. 4. Go to...
User Enumeration via Response Timing
Description There is a significant timing difference in the login functionality for valid and invalid usernames. Proof of Concept 1. Attempt a Login with a valid user and an invalid user and observe the difference in the response time Here is a small test script alternatively we can see the...
Privilage escalation allows user with read access only to edit admin portal and take actions
Overview of the Vulnerability Authentication and session management controls can be bypassed in a variety of ways including, calling an internal post-authentication page, modifying the given URL parameters, by manipulating the form, or by counterfeiting sessions. The authentication method for thi...
Persistent Cross Site Scripting - WidgetsManagement Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, On WidgetsManagement module from Settings, the "title"parameter is not validated and it's used directly without any encoding or validation on Vitger/dashboards/ChartFilter.tpl. It allows attacker to injec...
Persistent Cross Site Scripting - BusinessHours Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, On BusinessHours module from Settings, the type of name parameter is "Text" but it is not validated and it's used directly without any encoding or validation on EditViewBlocks.tpl. It allows attacker to...
Previously created sessions continue being valid after MFA activation [namelessmc.com]
Description 1. Hello Team I found one issue related to your 2FA system on https://namelessmc.com/user/settings/?do=enabletfa&s=2 Vulnerability Type: 1. Improper Access Control - Generic STEP TO REPRODUCE: 1. 1- access the same account on https://namelessmc.com/ in two devices 2. 2- on device 'A' ...
No password brute-force protection on login page
Description The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible password combination without any restriction. Proof of Concept 1. 1- Send a login request of the target user POST http://localhost:5000/api/account/login...
Cross-site Scripting - Reflected
Description The pricelevel parameter in openemr is vulnerable to reflected XSS Proof of Concept 1. Open the web browser to access the website 2. Access the url: http://openemr.vn/interface/forms/feesheet/review/feesheetoptionsajax.php?pricelevel=%3Cimg%20src%3da%20onerror%3dalertdocument.cookie%3...
Reflected XSS on conversion filter function
Description Fava v1.22 have a conversion filter function on income statement dashboard which allow user to perform XSS due to improper validation on filter conversion. Proof of Concept 1 Navigate to Fava demo instance https://fava.pythonanywhere.com/example-beancount-file/incomestatement/. 2 Filt...
Full Read Server-Side Request Forgery (SSRF)
Description In the recipe edit page, is possible to upload an image directly or via an URL provided by the user. The function that handles the fetching and saving of the image via the URL doesn't have any URL verification, which allows to fetch internal services. \ \ Furthermore, after the resour...
Idor disclose other user's appointment
Description:- In this case an idor allow an attacker to view portal user's appointments Proof of Concept 1.Goto http://demo.openemr.io/openemr/portal/home.php and then goto my profile my appointment 2.Click on edit appointment button and capture the request in burp suite 3. Change eid parameter t...
Reflected XSS in fava application
Description The "querystring" parameter of fava application is vulnerable to reflected XSS for which a attacker can modify any information that the user is able to modify. Proof of Concept 1.Open the url:...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session Proof of Concept PHPSESSID:"ID" Created:"Tue, 19 Jul 2022 13:15:32 GMT" Domain:"demo.pimcore.fun" Expires / Max-Age:"Sessio...
Weak Password Requirements
Description Weak password policy leads to successful bruteforce attack Steps to reproduce 1.Go to http://localhost:8083/login and login with default credentials admin/admin123 2.Go to http://localhost:8083/me and change password to 123 3. Noticed that password has been changed successful...
Out of Bounds Read in string_scan_range
Description When providing crafted input, an attacker can cause rread32 within stringscanrange to do an out of bounds read. This causes a segmentation fault, but could also potentially enable information disclosure. What's interesting is there is already a comment stating "may oobread" near this...
proxying Big files leads to potential DOS
Description consider following script exploit.py put drawiodockerinstace your address and also bigfileaddress should be serve a big image file 250 MB python from multiprocessing import Process import requests def fun: try:...
Path Traversal
🔒️ Requirements Privilege: User 📝 Description File path isn't properly sanitized and allow ... 🕵️♂️ Proof of Concept Listing other user folder content First, create a user with Read privilege and with specific home folder like /test. Then, Connect to his account and access the home page...
Improper Access Control - Articles
Description A low-privileged user can modify and delete admin articles just by changing the value of the articleid parameter. Proof of Concept - Step 1 - Authenticated as an unprivileged user, create a New article - Step 2 - Click Edit article - Step 3 - Intercept requests and Save your article -...
Buffer Over-read in function get_one_sourceline
Description Buffer Over-read in function getonesourceline at scriptfile.c:1976 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch6s.dat -c :qa...
Cross-site Scripting (XSS) - Generic
Description The Stream URL of octoprint application allowing xss payload to execute for which its leads to Cross-site Scripting XSS Proof of Concept Login to the application Now go to settings - Webcam & Timelapse - Stream URL and insert the payload " in the Stream URL and click on "Test" You wil...
A null pointer reference in libmobi.
Description The vulnerability at src/index.cL 1054, function mobitrieinsertinfl. At line 1063 shown as below, function mobigetcncxstringflat uses len as parameter, len got from t.tagvalues. While at line 1060, program doesn’t check the initial value of tagvaluescount, when the for loop begins wit...
librenms bills Description & Notes Stored XSS
Description Please enter a description of the vulnerability. Proof of Concept 1. Login 2. go to http://librenms/bills 3. Click to Create Bill 4. Add Description or Notes "" // PoC.js payload1 payload2 POST /bills/ HTTP/1.1 Host: 192.168.0.4 Connection: keep-alive Content-Length: 310 Cache-Control...
Cross-site Scripting (XSS) - Reflected
Description Please enter a description of the vulnerability. Proof of Concept xss in function add domain POST /add/web v-custom-doc-domain=alert1 https://drive.google.com/file/d/1EeoOX7Pmn5ptuweine4Cgcy1fyd6qEzJ/view?usp=sharing Impact...
Cross-site Scripting (XSS) - Stored
Description pimcore is vulnerable to Stored XSS at Title field in the SEO & Settings tab of a Document page. Payload " Step to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.Click on any document Home, de,... in the Documents 3.Go to SEO & Settings tab, in the Title field, input...
Server-Side Request Forgery (SSRF)
Description There is a Blind SSRF in fetching remote images in /uploaddocimg/ endpoint. It's because it does not check hostname before sending HTTP Request to it and only if the content-type be a valid image it will save the response. However, we do not have a full SSRF but there is still a blind...
Cross-site Scripting (XSS) - Stored
Description The application does not escape special characters before output to FE, lead to stored XSS. Proof of Concept 1. Go to Content Menus or Content Items. 2. Add an Item with the title set to XSS payload, e.g: Title" 3. Save Draft or Publish Go to View/Preview Draft. XSS will be triggered...
OS Command Injection in part-db/part-db
Description OS command injection also known as shell injection is a web security vulnerability that allows an attacker to execute arbitrary operating system OS commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an...
Cross-site Scripting (XSS) - Stored in librenms/librenms
Description Cross-Site Scripting vulnerability in LibreNMS v22.1.0 which allows attackers to execute arbitrary javascript code in the browser of a victim which affected Devices module Add Device in sysName, Hardware and Community fields. Proof of Concept Endpoint: 1 POST http://HOST/addhost...
in snipe/snipe-it
Description An attacker can enumerate users through the response time in the password reset page. When you visit the password reset page, you will be provided with the option to enter your email address. Let's use two different emails, one will be a valid address, and another will be an invalid...
Improper Access Control in liukuo362573/yishaadmin
Description https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/UploadFile" that allows uploading files without authentication. Root-cause Server doesn't check user's permission when attacker access the endpoint. After that, server will directly call UploadFile function wi...
None in radareorg/radare2
Description Use After Free occurs in riobankmapaddtop. commit : 4d75eeb99a0d913e9b443e7aaf73aa44a323739d Proof of Concept $ echo -ne "VlowMFcwMOEwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwEDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw...
Cross-site Scripting (XSS) - Stored in microweber/microweber
Description There is a reflected XSS in creating and searching tag function . where any user can execute any malicious code results in the cookie stealing or Account takeover vulnerability Steps to Produce: Go to this particular URL URL Click on live edit , Now In the tag section and select the...
in radareorg/radare2
Description This vulnerability is of out-of-bound read which accesses the address beyond/past the buffer. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code and the...
in heroiclabs/nakama
Description It is possible to enumerate usernames via the Log-In function. Proof of Concept The login response provides information, whether the username is registered or not in the application. If the user is registered, and wrong password provided, the following information being displayed:...
in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS and digital commerce services. You can upload an infinite number of dangerous SVG files in "Settings" = "System Settings" = "Appearance and Branding" of the pimcore service. Then why is it...
Improper Privilege Management in delgan/loguru
BUG ======== unprivileged user can see log file and sensitive information disclosed SUMMURY ============ loguru create log file to store the log . Log may contain many sentsitive information like username,password,token,key etc .\ So, this log file should not accessed by other user .\ But when...
Improper Access Control in chocobozzz/peertube
Description Unauthenticated users can obtain comments on private videos Proof of Concept Vísit the following API link where 123 is the ID of the private video: /api/v1/videos/123/comment-threads Response contains all the comments on that private video. Impact This vulnerability disclosure comment...
Insecure Temporary File in horovod/horovod
Description horovod package is using the deprecated function tempfile.mktemp which is not secure. Because a different process may create a file with this name in the time between the call to mktemp and the subsequent attempt to create the file by the first process. Impact Availability will get...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Stored cross site scripting vulnerability in report class field on custom report feature. Proof of Concept 1 . Login to dev account https://10.x-dev.pimcore.fun/admin/ 2 . Go to marketing -- custom reports -- Report class :field in left navigation menu 3 . Add payload " in report clas...