4072 matches found
Cross-Site Request Forgery (CSRF) in microweber/microweber
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET ANY. To expand: One way GET could be...
in v2fly/v2ray-core
Description Good afternoon. While looking at your code, we discovered an off-by-one index comparison against length may lead to out-of-bounds read flaw in your v2ray-core repository. Indexing operations on arrays, slices or strings should use an index at most one less than the length. If the inde...
Cross-site Scripting (XSS) - Generic in snipe/snipe-it
Description XSS in bulk audit function via the asset tag parameter Proof of Concept 1: Go to http:///hardware/bulkaudit feature 2: Use alertdocument.domain as "Asset Tag" parameter 3: Click "Audit", the XSS should be triggered via the message Asset Tag ASSETTAG not found. Impact This vulnerabilit...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET/ANY. To expand: One way GET/ANY could be...
Cross-site Scripting (XSS) - Stored in getgrav/grav
Description Grav is vulnerable to XSS. It is possible to use instead of : in tags. Proof of Concept Payload: HTML CLICK HERE 1: Edit a page with the payload user with low privileges. 2: Check out the target page and click on CLICK HERE. PoC video. Impact This vulnerability is capable of executing...
Cross-Site Request Forgery (CSRF) in pkp/pkp-lib
Description Missing CSRF token in role stage assignment, save language settings, and task notification 1: http://10.0.2.15/index.php/e/$$$call$$$/grid/settings/roles/user-group-grid/unassign-stage?stageId=1&userGroupId=5 2:...
in stanfordnlp/corenlp
✍️ Description The Stanford CoreNLP package provides a set of natural language analysis tools written in Java, is using a vulnerable XML External Entity XXE. An attacker that is able to provide a crafted XML file as input to the getTextContentFromTagsFromFile function in the "XMLUtils.java" file...
in dompdf/dompdf
Description DomPDF is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the filegetcontents function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate...
Cross-site Scripting (XSS) - Reflected in engintron/engintron
✍️ Description Cross-site Scripting XSS refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. The...
Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
✍️ Description Please enter a description of the vulnerability. The cookie persistentlogin is set without httponly flag 🕵️♂️ Proof of Concept Enable remember me during Login POST /admin/index.php?login HTTP/1.1 Host: 192.168.159.138 Content-Length: 30 Cache-Control: max-age=0...
Improper Privilege Management in circuitverse/circuitverse
✍️ Description subscribe to any private project 🕵️♂️ Proof of Concept There is two different user called user-A and user-B.\ 1. User-A created a private project .\ 2. Now User-B sent bellow request to subscribe to above private project PUT /commontator/threads/496401/subscribe HTTP/2 Host:...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
✍️ Description Attacker able to Remove budgeted amount with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF...
Cross-Site Request Forgery (CSRF) in glpi-project/glpi
✍️ Description Attacker able to delete any document from Processing problem with CSRF attack because there is any CSRF protection for related endpoint. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege use...
Open Redirect in ionicabizau/parse-url
✍️ Description parse-url mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol, and treat it as a normal slash, while parse-url sees it as a relative path. Which will lead to SSRF attacks, open redirects, or...
Improper Access Control in bramp/myip
✍️ Description Google Maps API key is enabled without proper referer restrictions is found in your repo. It can be embeded to anyone's website and if the billing account is active, it will incur charges on your account. If Google Maps is not used in your project, then all the following APIs should...
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in sebhildebrandt/systeminformation
✍️ Description The systeminformation package is vulnerable to Improper Input Validation through versions function. 🕵️♂️ Proof of Concept javascript // PoC.js const si = require'systeminformation'; si.versionstoString : = console.log"This is a PoC" ; 💥 Impact This vulnerability allows attackers to...
Cross-site Scripting (XSS) - Generic in netlify/netlify-cms
Description netlify-cms-widget-markdown is vulnerable to Cross-Site Scripting XSS. Steps To Reproduce 1. Use the application or use the demo https://cms-demo.netlify.com//collections/posts/new 2. Switch to markdown mode in edtior. 3. Insert the xss payload in to the editorbody 4. XSS payload will...
in conradirwin/em-imap
Overview em-imap is a gem that allows you to connect to an IMAP4rev1 server in a non-blocking fashion. Affected versions of this package are vulnerable to Man-in-the-Middle MitM. The hostname in a TLS server certificate is not verified. An attacker can acquire the identity of a trusted server and...
NLTK – Multiple CorpusReader classes allow Arbitrary File Read via Path Traversal
This report is not public...
Restricted vim sandbox escape
Description Restricted vim doesn't allow executing shell commands but it's possible to bypass this by setting GCONVPATH environment variable. I'm not sure if this can be consider a vulnerability but I decided to report it anyway found this while playing TeamItaly CTF . Proof of Concept Save this...
CSRF in Send Reminder
Description CSRF in Send Reminder Proof of Concept 1 .Attacker sent form fake to victim history.pushState'', '', '/'; document.forms0.submit; 2 .Victim click, execute send reminder unexpected Video Poc https://drive.google.com/file/d/1eibfxIbACA6DWObg2bjZjJBiqTPlwWd/view?usp=sharing...
Stored Cross Site Scripting (XSS)
Description The location endpoint is not sanitized which leads to the Stored Cross Site Scripting XSS Proof of Concept 1. Login as a standard user non-admin Asset page List All https://drive.google.com/file/d/1qymhc6sMe9EeS2bOe4CE2XTAbzFkgHao/view?usp=drivelink 2. Click to open any asset Edit Ass...
Reflected XSS in /admin/index.php
Description Description I noticed, your website is very secure. But you overlooked a flaw XSS Proof of Concept 1. Step 1: Access the demo website 2. Step 2: Access admin/index.php?action=ngductung"img src/onerror="alert'XSS' 3. Step 3: Detect XSS Video PoC...
stored xss using journal-role when user try to export user of any journal
BUG ========== stored xss using journal-role when user try to export user of any journal SUMMURY ========= lower level user can attack higher level user using this xss STEP TO REPRODUCE ================ 1. from Admin account create a journal called "journal-A" .\ \ 2. Admin goto above journal...
Insufficient Session Expiration
Description User's action is still vaild when admin changed privileges. Proof of Concept 1. Admin create user1 and grant all privileges. 2. go into incognito mode and login as user1 then go to user list page. 3. admin create user2 and in user1 browser refresh the page to see user2. 4. Then admin...
SQL Injection in `icms2/install/index.php`
Introduction I'm quite hesitant about reporting this vulnerability. After thinking about it, I knew I needed to provide this information to you!. As described in the documentation https://docs.instantcms.ru/en/manual/instal, at Post-Installation steps, you described that the installation director...
Relative path traversal
Description The endpoint /system/data-exports/:filename is intended to export AnythingLLM data zip file for download based on a specified filename parameter. However, a critical security vulnerability arises due to insufficient validation and sanitization of the request.params.filename parameter...
IDOR Vulnerability Allow Low-Level User change role Everyone Includes Admin
Description By manipulating the userid in API PUT /answer/admin/api/user/role, users with low privilege can change role any users Proof of Concept Step 1: Login as user1 with user privilege Step2: Call API PUT /answer/admin/api/user/role with user privilege , change role everyone includes Admin...
There are 6 NULL Pointer Dereference vulnerabilities in MP4Box
NULL Pointer Dereference in function utils/xmlparser.c:1038 Description NULL Pointer Dereference in function utils/xmlparser.c:1038 Environment No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal Version MP4Box - GPAC version...
Stored XSS in the Cases functionality
Description When creating or editing a case, the web application fails to perform sufficient sanitisation on the description POST parameter, allowing users to inject HTML with malicious JavaScript events. The application does attempt to remove unauthorised elements and events; however, the testin...
Cookie without Secure flag
Description There is a ICMS62EC2566CC4B5 cookie without Secure flag and this is authentication cookie. Proof of Concept Link photo PoC: https://drive.google.com/file/d/1uWsRKMT-KyuRPA01Ra1W3YphQgNmMkuu/view?usp=sharing...
New password can be set as same as the old password
Description The web application allows us to set new password as the old one at Password change function. Detail: 1/ Access to the demo website and go to My profile. 2/ Choose Edit profile, at the Security tab, change the password with the new password and the old password are the same. 3/ Logout...
Unauthenticated Blind SQL Injection in '/tags/autocomplete'
Description The application was found to be vulnerable to an unauthenticated blind SQL injection in the /tags/autocomplete page. The GET parameter term does not sufficiently sanitize input. Proof of Concept 1. Make a GET request to...
Server Side Request Forgery (SSRF)
Description It is possible to access the local environment in the Webhook function. Therefore, Blind SSRF makes it possible to perform a port scan against the local environment. Proof of Concept After logging in, access the webhook setting page, specify the URL with the following pattern, and che...
Server Side Request Forgery (SSRF)
Description There is Blind SSRF on the vocabulary screen in the administrator screen. Proof of Concept Step 1. Log in to the administrator screen and access "Import new vocabulary" from the "vocabulary" page. Step 2. Specify the following Payload in the "Vocabulary URL" field and check that the...
Use of predictable RNG for password generation
Description pkp-lib implements a password-generation function with the following line of code being integral to its functionality: PHP for ... $password .= mtrand1, 4 == 4 ? $numbersmtrand0, strlen$numbers - 1 : $lettersmtrand0, strlen$letters - 1; This relies upon mtrandlow, high; to generate a...
CSV Injection while export users
1 admin add a user, or a user signup. 2 the user logins and edit himeself 3 the user change his realname as "=1+cmd|'/C calc'!A0" 4 admin go to export the users as a csv file 5 admin open the csv and we can see that the calculator is opened. see https://owasp.org/www-community/attacks/CSVInjectio...
SQL Injection in the "Users" function of Piwigo
Description Authenticated admin can perform an SQL injection attack by abusing the "Users" function. Proof of Concept - Log in as an admin and access the 'Users' function. - Observe the request on Burp suite POST /piwigo/ws.php?format=json&method=pwg.users.getList. - Manipulate the 'order' or...
Stored XSS in the module named "Create Case"
Description I tested the demo site you provided. I see that there is an XSS vulnerability. I hope you can check and provide a fix as soon as possible. You have almost filtered out all possible cases of XSS, but I noticed that there is still 1 case that you left out. by using this xss command: Pro...
Stored Cross Site Scripting at FAQ Answer
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Cross site scripting vulnerability in throsten /phpmyfaq
Description Cross site scripting vulnerability in throsten /phpmyfaq in tag field at admin dashboard. Proof of Concept 1 . Login to the demo admin account. https://roy.demo.phpmyfaq.de/admin/ 2 . Go to admin dashboard -- Contents -- Add new FaQ --Faq meta data 3 . Add payload in tag field payload...
Broken Access Control On Item via ID
Description By editing the ID on the request or HTML I can see some information of any item via ID Proof of Concept 1. Create two account with perrmission on two folder and set permission for each user. \ 2. Create item with each user \ 3. View detail a item and change itemid on request view...
Bypass check length at Add Folder feature lead to XSS in module=evvtgendoc
Description I found Stored XSS on https://demo.corebos.com/index.php?action=index&module=evvtgendoc after I was Add Folder Proof of Concept Step 1: Go to Documents function https://demo.corebos.com/index.php?action=index&module=Documents , click Add Folder. Step 2: Intercept request by Burpsuite...
Stored cross site scripting vulnerability in operator any getter in pimcore grid configuration
Description Stored cross site scripting vulnerability in operator any getter in pimcore grid configuration. Proof of Concept 1. Login to the demo account https://11.x-dev.pimcore.fun/admin/login 2. On left side menu go to document -- perspective -- cdp...
Cross site scripting on contact module
Step to reproduce 1. Open into https://demo.corebos.com and navigate to settings Users. 2. Add XSS payload into Entity Name. 3. Now navigate to contact Create contact Add contact and click on more information click add opportunity. 4. On Assign to drop menu select XSS payload and save. XSS Payloa...
Unauthenticated Access to Users PII
Description A Unauthorized/Unauthenticated Attacker can access PII data of all the Users. Some of the PII leaked are: first name, last name, email, username, IP address, twofactorsecret, twofactorrecoverycodes Proof of Concept http://localhost/api/user It shows you details of all the users...
Cross site scripting on setting module
Description pimcore is vulnerable to XSS in translate module. Proof of Concept Step to Reproduce. 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Settings - Document Types and click on Add button to add a new record. 3. Now click on translate. Add XSS payloa...
Broken Access Control on "http://localhost/api/user" endpoint
Description Able to create an Admin account from normal User account. Steps 1.Navigate to https://localhost/. 2.Then click on login and then register, fill the form and click Register. 3.Now login with a newly created user account with intercepting the traffics in burp. 4.Turn on the burp interce...
Remote Code Execution Vulnerability Through Unrestrict File Write
Description In the import setting function, in the file Froxlor\lib\Froxlor\SImExporter.php php fileputcontents$imgfilename, $imgdata; if functionexists'finfoopen' $finfo = finfoopenFILEINFOMIMETYPE; $mimetype = finfofile$finfo, $imgfilename; finfoclose$finfo; else $mimetype =...
Missing Authorization Check Allows Impersonated Secure Messages
Description Due to the lack of an authorization check when sending secure messages, an attacker with access to a low level patient account in the portal can impersonate other users when sending secure messages. This would allow a malicious actor to impersonate high-level users...