4072 matches found
HTML Injection Leads To Open Redirect
Description HTML injection is possible in the Installation title parameter, which leads to Open Redirect when clicked. Proof of Concept Open Redirect 1. Login as Admin 2. Navigate to settings 3. Edit the Installation title and set it to: Click Me 4. Save Changes 5. Click the Click Me text on the...
SQL injection in Calendar.php
Description In Calendar.php line 498-513, web server get values parameter as a part of sql query without sanitize, so attacker can be manipulated sql query, which is executed by web server...
IDOR 漏洞使得攻击者可以在一个组织内任意添加、删除、修改工作空间
Proof of Concept 1 系统中存在两个组织,team1和team2 2 用户user1是 team1 的管理员, 不是team2的管理员 3 用户1在team1中创建工作空间,名为workspace1. 4 用户1使用burpsuit拦截请求,在请求中将team1的ID换成team2的ID 5 查看请求,结果显示成功,用户1可以在team2中任意创建工作空间。 复现视频:https://1drv.ms/v/s!Avwg5C1eKVA4gispbgvOYQkvQ9KP?e=4yimBo...
Stored XSS in the adminlog functionality.
Description There is a stored XSS in the 'adminlog' functionality. E.g. the page http://phpmyfaq.local/admin/?action=adminlog shows failed login attempts. If a user with the username 'alert1;' tries to log in, it gets logged and displayed on the adminlog unsanitized. Proof of Concept 1. visit...
Sensitive Cookie Without 'HttpOnly' Flag in froxlor/froxlor
✍️ Description HTTPOnly attribute is not set for session cookies in the application. 🕵️♂️ Proof of Concept 💥 Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session cookies that can...
Prototype Pollution in mariocasciaro/object-path
Overview object-path is a tiny JavaScript utility to access deep properties using a path for Node and the Browser Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be...
No Rate Limit On Reset Password
Description A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests. wikipedia ...
Weak password at demo website version 3.1.9
Description The demo website is now version 3.1.9 but still affected of weak password requirement. Proof of Concept 1. Login to the demo website with any users. 2. Use "Change password" function, set the new password is number 1. 3. It's successful, try to re-login to check it...
XSS via Embedded SVG in SVG Diagram Format
Description It is possible to embed SVG images in diagrams. When those are exported or used in a diagram in SVG format, the content of the embedded SVG image is included inline. This means the SVG markup gets inserted directly into the markup of the enclosing SVG. Since the SVG content is not...
Code Injection in microsoft/nni
Description Arbitrary Code Excecution in microsoft/nni. An open source AutoML toolkit for automate machine learning lifecycle, including feature engineering, neural architecture search, model compression and hyper-parameter tuning. Technical Description This package was vulnerable to Arbitrary co...
Path Traversal (CWE-22) leak sensitive data
Description Path Traversal successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server. Proof of Concept Note: If you can not see the poc image , you can follow this link...
Bypass IP detection to brute-force password
Description In login API, by default, the IP address will be blocked when the user tries to login incorrectly more than 5 times but we can bypass this mechanism by abuse X-Forwarded-For header to bypass IP dectection and perform password brute-force. Proof of Concept POST /demo/api/userlogin...
Leakage of third-party OAuth token via redirect
Description The application allows the usage of third-parties to store the files, such as Google Drive, Github, Gitlab, etc. It's possible to bypass the protection of the redirect parameter and redirect the user and the OAuth token to an attacker controlled site. Proof of Concept 1. An attacker...
in liquibase/liquibase
Description The XMLChangeLogSAXParser function makes use of SAXParser generated from a SAXParserFactory with no FEATURESECUREPROCESSING set, allowing for XXE attacks. In...
The microweber application allows large characters to insert in the input field "post title" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Proof of Concept 1. Go to add post http://site.com/admin/post/create 2. click on create new post 3. There will a option called post title 4. Fill the input field with huge characters, more than 1 lakh 5. Copy the below payload and put it in the input fields and click on continue. 6. You will see...
Server-Side Request Forgery (SSRF)
Description The fix for my previous report CVE-2022-0767 is still incomplete and could be bypassed via IPV4/IPV4 embedding : ssrf-ipv4ipv6.etclab.top will resolve to 0:0:0:0:0:ffff:127.0.0.1 Proof of Concept POST /admin/book/1 HTTP/1.1 Host: 127.0.0.1:8083 User-Agent: Mozilla/5.0 Windows NT 10.0;...
Insecure Storage of Sensitive Information
Vulnerability name: EXIF Geolocation Data Not Stripped From Uploaded Images vulnerability Description:- When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their...
URL Restriction Bypass
Description The validation of URLs contains flaws that allow bypassing security restrictions that are applied in the security profiles of PlantUML. There are two different flaws through which validation mechanisms can be circumvented. In the examples images are loaded to showcase the bypass...
in sergix44/xbackbone
✍️ Description According to 1 we have : The secure attribute is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure attribute is to prevent cookies from being observed by unauthorized parties due to the...
XSS with CSP bypass leads to diagrams backdoor
🔒️ Requirements The user must go on a link and remove a square. In the following section, I'll give PoCs only for chromium based browsers 📝 Description 📦 Load plugins by default Thanks to the ?p= parameter, it is possible to enforce the user to load built-in plugins without warning for a specific...
Full account takeover
POC: Step 1: Use a normal user account Step 2: Change user password in edit profile function Step 3: Enter data fields that change normally Step 4: Use burp suite to intercept requests to update profile Step 5: Change id from 2 to id 1 and send request The result of logging in with the new userna...
Null Pointer Dereference Caused Segmentation Fault
Description Null pointer dereference caused segmentation fault. This can cause Denial-of -service attack. version smlijun@ubuntu:/gpacasan/bin/gcc$ ./MP4Box -version MP4Box - GPAC version 2.1-DEV-rev243-gf87b12b32-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Plea...
Cross-site scripting - DOM
Description DOM XSS with filter bypass on /demo/module/ using type parameter without authentication. Proof of Concept...
RCE in the Desktop App because of Unsafe Link Handling
Description URLs or links in a diagram are passed to shell.openExternal without additional validation. This is a dangerous function and can be exploited when URLs with arbitrary schemes are passed to it. It allows code execution through various methods, as described in detail here: -...
global heap buffer overflow in skip_range
✍️ Description When fuzzing vim commit f420ff244 v8.2.4747 with clang 13 and ASan, I discovered a global buffer overflow. Proof of Concept Here is the minified poc bash r 0norm0V:^ How to build bash LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address"...
Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true
Description Hello and thank you for the wonderful library! We use it extensively in our app. However, I think we've identified an XSS vulnerability in the Export plug-in. If you set the exportOptions in your Bootstrap Table to true, then you can force arbitrary Javascript to execute see the...
Heap-based Buffer Overflow in allinurl/goaccess
Description Good evening, I hope you're doing well during these challenging times. During recent research, we discovered a heap-buffer-overflow vulnerability impacting countinvalid on line 555 of src/gstorage.c. It appears that this is caused by an excessive number of invalid log strings combined...
Prototype Pollution in kriszyp/json-schema
Description A constructed payload sent to validate will lead to prototype pollution. Proof of Concept // PoC.js const validate = require"json-schema"; const instance = JSON.parse "$schema": "type": "object", "properties": "proto": "type": "object", "properties": "polluted": "type": "string",...
Cross-Site Request Forgery Vulnerability in Logout Functionality
Description Logout CSRF is a security vulnerability where an attacker forces a user to unknowingly log out of their session by tricking them into triggering a logout request through a malicious website or link. GET http://localhost:8080/logout Proof of Concept history.pushState'', '', '/'...
STORED XSS in File Upload
Description In the file upload, I can't upload files with extension like html,php,.. but I can upload a file with extension "inc" and that leads to stored XSS. Proof of Concept https://drive.google.com/file/d/1eDE63KXbZLYraDus6hSXwiTaLDVx9ut/view?usp=sharing...
Open Redirect using Host header Injection
Description A web server commonly hosts several web applications on the same IP address, referring to each application via the virtual host. In an incoming HTTP request, web servers often dispatch the request to the target virtual host based on the value supplied in the Host header. Without prope...
Full Read Server-Side Request Forgery (SSRF)
Description Via the /api/upload/upload-by-url endpoint is possible to upload an image via an URL provided by the user. The function that handles this upload, doesn't verify or validate the provided URL, allowing to fetch internal services. \ \ Furthermore, after the resource is fetched, there is ...
Insufficient Session Expiration After Password Change
Description During my test, I found that in Cockpit v 2.1.2, the application was not validating the request after password change. This allows attacker to update user account details even after admin changes password. Steps to Reproduce : 1. Login with your account and click on click on "Account...
Unrestricted XML Files Leads to Stored XSS
Description The web Application restricts upload files by blacklist extensions. It's not safe for the application to prevent the attack, there are many extension can cause an attack to user and web application. By uploading XML files, the users can perform an Stored XSS attack Proof of Concept 1...
Insertion of Sensitive Information Into Debugging Code
Description Laravel debug mode exposes sensitive data, eg: internal source codes, stack traces, sql queries, databases names, tables names, user's cookies, email, phone number, username, laravel version, php version, etc Proof of Concept 1. Login into http://demo.microweber.org 2. Navigate to thi...
Stored XSS - XSS in RSS link href attribute
📜 Description Cross-site scripting XSS is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The persistent or stored XSS vulnerability is a more devastating variant of a...
Use after free in utf_ptr2char
✍️ Description When fuzzing vim commit 9dac9b175, I discovered a use after free. I'm testing on ubuntu 20.04 with clang 13. Proof of Concept Here is the minimized poc bash s/\v/\r /%',600 How to build bash LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++...
Heap-based Buffer Overflow in vim/vim
Description Heap-buffer-overflow in vim Proof of Concept ./vim -u NONE -X -Z -e -s -S poc3 -c :qa! POC3 is here. Bt ==728741==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000025500 at pc 0x0000008961b2 bp 0x7ffca76ad0b0 sp 0x7ffca76ad0a8 READ of size 1 at 0x621000025500 thread T0...
Improper Authorization in collectiveaccess/pawtucket2
Description Users without any readaccess to a lightbox can still view its contents via incrementing the id Proof of Concept ... http://10.0.2.15/pawtucket/index.php/Lightbox/Present/setid/1 http://10.0.2.15/pawtucket/index.php/Lightbox/Present/setid/2...
Local file inclusion
Description https://app.diagrams.net/embed2.js?&fetch= is used to fetch data and i tried to perform ssrf by extracting google cloud metadata but was unable to do but i am still able to fetch server files like /etc/passwd. Proof of Concept 1. Visit https://app.diagrams.net/embed2.js?&fetch= 2. Ent...
Uncontrolled Resource Consumption
Description The Organizr application allows large characters to insert in the input field "Username" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Sign up to the application, capture the request in burp suites, and send it to Repeater...
Improper Neutralization of Special Elements Used in a Template Engine
Description The Microweber application allows HTML tags in the "Blog Comments" which can be exploited by Injecting HTML payloads. Proof of Concept 1.Open any blog in which comment is allowed. 2.Insert your html code in code block. e.g., Hurry Up!Go to https://evil.com and get free $1000 in your...
Improper Access Control to Remote Code Execution
Description In Webmin v1.984, affecting File Manager module, any authenticated low privilege user without access rights to the File Manager module could interact with file manager functionalities such as download file from remote URL and change file permission chmod. It is possible to achieve...
Improper Authorization in phpipam/phpipam
Description In phpIPAM 1.4.5, a normal user with the role of Usercould view/read the log files via show-logs.php, errorlogs.php and accesslogs.php endpoints. It is supposedly accessible by the Administrator only. Proof of Concept Tested version: phpIPAM 1.4.5 Affected endpoints: 1 GET/POST...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
Description XSS in the question asking session feedback page Proof of Concept Hi'" link https://demo.fork-cms.com/private/en/faq/edit?token=u1xyihius6&id=1 paste the payload in the question section and view the question in link Impact custom javascript code execution , session stealing etc...
Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description Multiple Stored XSS at parameter 'name' when creating a record at features 'Custom Fields', 'Asset Models', 'Suppliers', 'Locations', at Snipe-It 5.2.0 Proof of Concept // PoC.req POST /snipe-it/public/fields HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X...
Code Injection in elwerene/libreoffice-convert
Description The libreoffice-convert module is vulnerable against RCE since a command is crafted using user inputs not validated and then executed, leading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js const libre = require'libreoffice-convert'; libre.convert'',...
Unauthenticated Blind SSRF
Description The Oxeye research team found Owncast vulnerable to an Unauthenticated Blind SSRF vulnerability. This vulnerability may allow an unauthenticated attacker to force the Owncast server to send HTTP requests to arbitrary locations using the GET HTTP method. This vulnerability also allows...
Null pointer dereference in function diff_check
Description Null pointer dereference in function diffcheck at diff.c:1923 Version commit 8eba2bd291b347e3008aa9e565652d51ad638cfa HEAD, tag: v8.2.5151 Proof of Concept guest@elk:/trung/vim2/src$ valgrind ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/guest/trung/poc/poc22 -c :qa! ==4357==...
Users Account Pre-Takeover or Users Account Takeover.
Team, May you all be well on your side of the screen. : While Doing some research on the https://microweber.org, I was able to find a Pre-Account Takeover vulnerability. Kindly check the proof of concept video & reproduction steps for better understanding. Proof of concept: I have uploaded the bo...