4072 matches found
Cross site scripting on setting module
Description pimcore is vulnerable to XSS in translate module. Proof of Concept Step to Reproduce. 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Settings - Document Types and click on Add button to add a new record. 3. Now click on translate. Add XSS payloa...
Broken Access Control on "http://localhost/api/user" endpoint
Description Able to create an Admin account from normal User account. Steps 1.Navigate to https://localhost/. 2.Then click on login and then register, fill the form and click Register. 3.Now login with a newly created user account with intercepting the traffics in burp. 4.Turn on the burp interce...
Remote Code Execution Vulnerability Through Unrestrict File Write
Description In the import setting function, in the file Froxlor\lib\Froxlor\SImExporter.php php fileputcontents$imgfilename, $imgdata; if functionexists'finfoopen' $finfo = finfoopenFILEINFOMIMETYPE; $mimetype = finfofile$finfo, $imgfilename; finfoclose$finfo; else $mimetype =...
Missing Authorization Check Allows Impersonated Secure Messages
Description Due to the lack of an authorization check when sending secure messages, an attacker with access to a low level patient account in the portal can impersonate other users when sending secure messages. This would allow a malicious actor to impersonate high-level users...
Cross-Site Scripting (Stored/Persistent) in Categories
Description ⢠The application is vulnerable to Cross-Site Scripting XSS attacks. This occurs when web applications do not properly validate user-supplied inputs before including them in dynamic web pages. ⢠By intercepting the HTTP Request using Burp-suite tool before submitting into the webpage,...
XSS in button home page
Description vuln was find in File/Documents/Home , any button in page Proof of Concept 1. Login in URL : https://demo.pimcore.fun/admin 2. Go to File - Open Documents - Home 3. click any button in page - Edit Link 4. in tab Advanced, inject payload to : Attributes key="value" For more understandi...
XSS
Description HTML injection in user profile Vulnerability is in: http://34.245.133.152:9080/users/settings/profile - About Me Proof of Concept Request: PUT /answer/api/v1/user/info HTTP/1.1 Host: localhost:9080 Content-Length: 213 sec-ch-ua: "Not ABrand";v="24", "Chromium";v="110" Content-Type:...
Broken Access Control
Vulnerability Broken Access Control Issue Description: ⢠Access control is the way how a web application grants access to content and functions to some users and not others. ⢠These checks are performed after authentication and govern what āauthorizedā users are allowed to do. ⢠Jeffrey discovere...
Cross-site Scripting (XSS) - Stored
Description 1. https://11.x-dev.pimcore.fun/admin/ 2. Go to Settings - Thumbnails - Video Thumbnails 3. Click the button Add Media Segment 4. Write : " and then click ok...
Unauthorized Rest Api owned by Joomla(officially accepted)
Description Joomla has provided the Rest API since version 4.0. These apis need to provide authentication information when accessing, but if public is added to the request parameters when accessing the api. Then any unauthenticated user can directly access Proof of Concept Api can directly obtain...
User with only "edit" can delete post and somethimes can add post
Description If you create a user with edit-only user rights, they should not be able to perform delete or add actions. This is really an admin error, because users with edit permissions can delete posts, and in the case of FAQs, they can also add posts. Proof of Concept 1.Create new user with edi...
stored HTML-Injection in the Comments Part
i was able to detect a stored HTML Injection by answering available questions. Lets see : ------------ AHMED HASSAN STORED HTML INJECTION 1 will now answer a question Comment sent lets see the stored HTML Injection As you can see the stored HTML Injection is working. Thanks for watching...
The XSS playload injected in "Display Name" parameter in creating Contacts are vulnerable to Cross-Site Scripting (Stored/Persistent)
Description The XSS playload injected in "Display Name" parameter in creating Contacts are vulnerable to Cross-Site Scripting Stored/Persistent. Steps to Reproduce: 1. First is go to the user dashboard then contacts: https://demo.modoboa.org/contacts// 2. Then Add new contact, enter the payload...
Stored XSS in Site Name
Description Stored Cross-site Scripting XSS vulnerability in Site name of answerdev/answer Proof of Concept 1. Log in then 2. Admin --- Setting --- General 3. Enter below payload at Site Name For More Understanding please check POC:...
Remote Code Execution in "Import Settings" feature
Description Due to Improper data validation in "Import Settings" feature, an authenticated attacker can send crafted settings with malicious payload inside "system.croncmdline" value. Step to reproduce Requirement: PHP code must be executed on attacker machine - Step 1: Attacker run web server an...
IDOR Vulnerability Allows add tag entry user other
Description IDOR Vulnerability Allows add tag entry user other, allows adding tags to any user, since there is no user authentication. And not limiting the input causes the entry interface to break Proof of Concept Step 1. User A manages entry id 6 Step 2. User B manages entry id 7 Step 3. Login...
Heap Buffer Overflow in function gf_isom_box_size at src/isomedia/box_funcs.c:1997
Description Heap Buffer Overflow in function gfisomboxsize at src/isomedia/boxfuncs.c:1997 gpac version git log commit bbca869177585aaca8eb66d8541079e6f364798e HEAD - master, origin/master, origin/HEAD Author: jeanlf Date: Wed Jan 18 11:40:30 2023 +0100 fixed potentially missing last packets in...
Cross Site Scripting (XSS) in Model\DataObject\Data\UrlSlug
Description Cross Site Scripting XSS in Model\DataObject\Data\UrlSlug of pimcore/pimcore Proof of Concept 1. Login in stable account URL : https://demo.pimcore.fun/admin 2. Go to System Data --- UrlSlug 3. Enter Payload in UrlSlug with starting with "/" slash. For more understanding please check...
Unauthenticated CSRF to XSS on login page
Description The user-email parameter is vulnerable to XSS on the login page. In this way it is possible to make execute Javascript code on an unauthenticated user. To exploid the vulnerability, since the it is a POST request, it's necessary an HTML poc in order to trigger a CSRF on the login form...
Admin TakeOver
Description The endpoint /api/v2/token/ allows an unauthorized user to perform brute-forcing and the app doesn't block the request which not having any SESSION COOKIE or even CSRF token Request POST /api/v2/token/ HTTP/1.1 Host: demo.modoboa.org User-Agent: Mozilla/5.0 X11; Linux x8664; rv:109.0...
Function of modifying userinfo has storage xss vulnerability
Description This vulnerability allows a malicious user to submit malicious html code on the profile page, causing the identity token to be stolen as soon as another user/administrator accesses the profile page, resulting in the account being taken over by someone else Proof of Concept step1. Log ...
Cookie Session Not Expiring Even After Deleting the users
Description The session is not expiring in another browser if we delete the user. Proof of Concept 1. Create two users with an admin role for the POC 2. Login in two different browsers Firefox user A and Chrome user B respectively 3. Go the settings-users and delete user B from user A Firefox...
Stored XSS via blog author parameter on admin.php?p=config
Description The blog author parameter is unsanitized on the page admin.php?p=config. In this way is possible to inject arbitrary javascript code Proof of Concept - Login as regular user - Go to http://localhost/flatpress/admin.php?p=config - Set as blog author "alertdocument.domain - Refresh page...
Bypassing filters to trigger XSS while creating memos
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Payload: " Proof of Concept 1 Go to https://demo.usememos.com/ and login...
Stored XSS in notes Title
Description Stored XSS Vulnerability was found while a user creates a new Note & Enter the Name for the Note. The Title of the Note gets directly rendered at "Note Map" Functionality which is leading to HTML injection and Cross site scripting stored & reflected every time the user opens the note...
Stored XSS in resource file uploading
Description The Resources upload feature does not restrict the type of uploaded file. An attacker can upload an html file and the browser still renders it. The CSP is set to default-src 'self' to prevent inline script execution. However, this can be easily bypassed by uploading a .js file then...
CSRF allows attacker to add malicious tags to vitim account
Description Cross-Site Request Forgery CSRF is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user Proof of Concept 1 Go to...
Denial of Service
Description There is no limit of "Nickname" content length while updating your information that lead to Denial of Service by entering huge number of characters if you insert the following POST request "email": "[email protected]", "id": 104, "nickname":...
Full account takeover
Description Account take over via changing email and username and displayed name, After login you and open your settings you can update information ,There is an IDOR here that allows me to change any user email and username and displayed name Proof of Concept...
No rate limit on "resend email feature" while enable or disable 2FA from /prefs/mfa endpoint
Description When a user is setting up 2FA , a verification code will be sent to the registered email . There is no rate limit on email triggering that will result in an email flood / does attack or will also increase the expenses on your mail server as an attacker can send 1 million emails throug...
Stored XSS in Roles
Description Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of an...
Cross site scripting vulnerability in pimcore
Description Cross site scripting vulnerability in pimcore/pimcore "title field " in data objects Proof of Concept 1. Login with dev account https://11.x-dev.pimcore.fun/admin/?dc=1670962076&perspective= 2. Go to setting -- data objects -- classes -- events 3. Click media under genaral settings 4...
Stored XSS on User Management, Category, Add New FAQ, Add News and Configuration
Description Improper validation on user input in Add Category module, Add New FAQ module, Add News and edit Configuration in phpMyFAQ v3.1.9 allow user to execute malicious javascript payload which lead to vulnerability Stored XSS Proof of Concept - Login to demo instance...
Html Injection in Groups
Description Insert XSS payload in groups fieldsName, Description Proof of Concept 1. login to the dashboard 2. navigate to groups 3. insert Name and Description aaaaatest POC: https://drive.google.com/file/d/1ZsxN-zKoyuiosrgfG8a9Z1sFe9mde-8/view?usp=sharing...
File Upload Filter Bypass
Description A sanitization filter bypass in plupload.php in MicroweberCMS v1.3.1 allows remote authenticated attackers to upload files outside the restricted location. The target $path for the image is being sanitized here: php $pathrestirct = userfilespath; if isset$REQUEST'path' and...
Limited LFI via Path Traversal
Description A path thraversal vulnerability in SuiteCRM 7.12.8 and earlier allows remote authenticated attackers to include a php file at an arbitrary path via unsanitized request parameters. Details In Suite CRM v7.12.8, SubpanelCreates.php and SubpanelEdit.php trust unsanitized user input to lo...
Missing CSRF protection
Description Any user can Add Questions on FAQ section -- https://roy.demo.phpmyfaq.de/index.php?action=ask&categoryid=0 This section is vulnerable to CSRF. The aggressor can abuse this without prior knowledge of others'. The successful CSRF will send new questions from the victim's browser Captur...
Username and email enumeration via Forgot password feature
š Description User enumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system. The malicious actor is looking for differences in the server's response based on the validity of submitted credentials. The differences can be inside the...
Unauthenticated stored XSS via username & name parameters
There is a stored XSS vulnerability due to improper sanitization of usernames. Vulnerable code User.php line 532: php public function isValidLoginstring $login: bool $login = string$login; if strlen$login loginMinLength || !pregmatch$this-validUsername, $login $this-errors =...
Stored XSS and HTML injection from markdown
Description Stored XSS, also known as persistent XSS, is the more damaging of the XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform both a Stored XSS and an HTML injection. Thanks to this attack i...
heap-use-after-free in function did_set_spelllang at spell
Description heap-use-after-free in function didsetspelllang at spell.c:2256:19 vim version shell git log -1 commit 03d6e6f42b0deeb02d52c8a48c14abe431370c1c HEAD - master, tag: v9.0.0820, origin/master, origin/HEAD...
Improper Input Validation on emails links
Description In GLPI, users can add their own email addresses to their accounts. However, there is a lack of validation which allows users to add new fields into the mailto: link. Email links support multiple parameters like : - cc - bcc - body - subject - multiple emails email1, email2, ... -...
Reflected Cross-Site Scripting in Front Payment CC
Description The frontpaymentcc.php was not properly encoding parameters cardHolderName and zip when the mode AuthorizeNet is sent. The response was a JSON string including unparsed values that will probably be sent using content-type header as text/html, leaving it vulnerable to XSS. Proof of...
Using application logic to create an email spam attack
Description On every 3 invalid attempts the application sends a new code to the email associate with the account . An attacker can misuse this functionality of the code to create a spam attack Proof of Concept Pre-Requisites: 2FA must be enabled for your account 1 Go to...
Password can be set extremely weak
Description In this scenario, I use the demo website. It allows us to add more user to test. With password, we can set it 1 Or any charater. There is no policy for password or no password checking. Moreover, it also allows us to change password and the new password also can be set with password...
html injection on https://demo.microweber.org/demo/search.php?keywords=
Description hello team, I found an HTML injection on https://demo.microweber.org/demo/search.php?keywords= Proof of Concept https://demo.microweber.org/demo/search.php?keywords=ABC%3Cdiv%20style=%22%3E%3Cmarquee%3E%3Ch1%3Eyou%20are%20been%20hacked%20%3C/h1%3E%3C/marquee%3E...
Stored Cross Site Scripting (XSS) via "properties" during creating new users
Description From demo url login click people icon at the left bar click "Customers" Click "New Customer" button from page Fill up the "Edit" tab Click "Save" button above Click "Properties" tab From "Add a custom Property" field , add "Test" on the first field Click and select "text" on the secon...
Attacker can turn off 2FA of the Admin
Description The attacker can turn off the 2FA of the admin by performing the CSRF attack Steps to reproduce Step 1: Login as admin on the demo product and navigate to https://demo.corebos.com/index.php?module=Utilities&action=integration&op=getconfig2fa&userlist=1 Step 2: Turn on the 2FA and clos...
Bad Sanitization on "vtlib_purify" function leads to XSS
Description The whole project is using "vtlibpurify" for the sanitization of user inputs. It does a good job while stripping HTML tags like etc. However, it allows tag and we can use javascript protocol on the href attribute via changing : character to . So, our final payload is click Proof of...
Non-Privilege user can view Patient's Amendments
Description We would like to report the vulnerability we found during software testing. The OpenEMR 7.0.0 latest version Open-Source electronic health records and medical practice management application has Insecure direct object reference IDOR to function āPatientās Amendmentsā, and it never bee...