4072 matches found
Idor Lead to Delete exported data file
Description In this case attacker is able to delete requested export data file Steps to repro:- 1.Create 2 accounts 2.Login in both account and goto export section and create new export in both account 3.Delete acc1's exported file and capture this request in burp suite and change the id of this...
Heap Use After Free in function Q_IsTypeOn
Description Heap Use After Free in function QIsTypeOn at src/bifs/unquantize.c:169 gpac version git log commit ea3af7c8242d1a82657dc3a518df5a5b1b5e27ed HEAD - master, origin/master, origin/HEAD Author: Romain Bouqueau Date: Tue Jun 28 19:25:58 2022 +0200 POC ./MP4Box -bt ./pochuaf1s.dat...
Reflected Xss using url based payload
Description Hi there i found that url parameter is not verified by server so an attacker can use javascript schema to run xss on user's browser Proof of Concept 1. Visit this page http://localhost/invoices/EditPageOption?code=ListProducto-new&url=javascript:prompt2 2. Click on back button PoC:-...
A heap-buffer-overflow in mobi_decode_infl in index.c
Description A heap-buffer-overflow in mobidecodeinfl in index.c Env Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal mobitool build: May 3 2022 20:46:07 clang Ubuntu Clang 11.1.0 libmobi: 0.10 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasa...
Cross-site Scripting (XSS) - Reflected
Description Reflected cross-site scripting or XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept Turn on debugger mode. Add path /?alertorigin to any endpoint - script will be reflected, executed...
Stored Cross Site Scripting
Vulnerability Type Stored Cross Site-Scripting XSS Affected URL https://localhost/openemr-6.0.0/interface/new/newcomprehensivesave.php Affected Parameters “formfname” “formlname” Authentication Required? Yes Issue Summary A stored XSS vulnerability found in “/interface/new/newcomprehensivesave.ph...
There is a Unrestricted Upload of File vulnerability in ShowDoc v2.10.3
Description There is a Unrestricted Upload of File vulnerability in AdminUpdateController.class.php in ShowDoc v2.10.3 Proof of Concept POST /showdoc-2.10.3/server/index.php?s=/api/adminUpdate/download HTTP/1.1 Host: 10.211.55.5 Content-Length: 66 Accept: application/json, text/plain, / User-Agen...
The grav application allows large characters to insert in the input field "Full Name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
Proof of Concept: 1. Go to http://site/admin/accounts/users/testuser 2. There will a Full name input field 3. Add more than 1 lakhs+ characters to the Full name field 4. You will see the application accepts large characters and if we will increase the characters then it can lead to Dos. POC Image...
Stored XSS viva cshtm file upload
Description This is a bypass of the report:https://huntr.dev/bounties/8702e2bf-4af2-4391-b651-c8c89e7d089e/. Here the upload functionality allows the malicious files with the extension .cshtm which leads to Stored XSS. Proof of Concept 1.First, open your text file/notepad and paste the below...
Stored XSS due to Unrestricted File Upload
Description Stored XSS via uploading files in .xsl format. Proof of Concept filename="poc.xsl" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the poc.xsl...
Insufficient Granularity of Access Control
Description There are no rate limits and reuse of captcha is allowed resulting in reuse of same captcha to issue notifications to administrator Proof of Concept Capture the newsletter subscription flow in burp and continue with entering email & captcha until below POST form request is captured...
Open Redirect on Rudloff/alltube
Description Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain...
Cross-site Scripting (XSS) - Stored
Stored-xss is possible when adding a rule. Create a new Alert Rule like below and adjust the query like below with the following payload " Save the rule and see a xss-pop up...
Heap-based Buffer Overflow in mruby/mruby
Description Heap Overflow occurs in mrbfsend. commit : 38b164ace7d6ae1c367883a3d67d7f559783faad Proof of Concept $ echo -ne "c2VuZCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2Vu ZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiCg==" | base64 -d poc ASAN ...
Cross-site Scripting (XSS) - DOM in tastyigniter/tastyigniter
Description TastyIgniter provides a professional and reliable platform for restaurants wanting to offer online food ordering and table reservation to their customers. this is vulnerable for stored xss Proof of Concept Impact This vulnerability is capable of Stored XSS...
in radareorg/radare2
Description This vulnerability is of out-of-bound read which accesses the address beyond/past the buffer. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code and the...
Cross-site Scripting (XSS) - Stored in microweber/microweber
Description There is a persistent XSS Vulnerability exsists in the checkout page where we can able to execute any javascription in the last name field...
Prototype Pollution in mastodon/mastodon
Description Javascript is "prototype" language which means when a new "object" is created, it carries the predefined properties and methods of an "object" with itself like toString, constructor etc. By using prototype-pollution vulnerability, an attacker can overwrite/create the property of that...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Pimcore settings module is vulnerable to stored cross site scripting Proof of Concept 1 . Login to dev demo account. https://10.x-dev.pimcore.fun/ 2 . Goto settings --data objects --Add a new class -- add payload in icon field 3 . Click save and close and open that class alert will...
Improper Access Control in janeczku/calibre-web
Description With default settings, low-level users will not have permission to create new shelf with public mode. However, due to incorrect checking, the function does not work as intended. Steps To Reproduce - Step 1: Login with admin account and go to http://hostname:8083/admin/user/new. Create...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description A CSRF issue is found in the audit configuration under settings. It was found that no CSRF token validation is getting done on the server-side. If we remove the CSRF token and keep the CSRF token field empty, the action is getting performed. Proof of Concept Request POST...
Improper Input Validation in chatwoot/chatwoot
Description This vulnerability impacts all fields sent to Chatwoot. Any field that has an excessive amount of characters in it will cause the agent's page to take an abnormal amount of time to load, often requiring the content to be removed before the page will load. In my example, I put 20000000...
Cross-site Scripting (XSS) - Stored in e107inc/e107
A Stored Cross-Site Scripting XSS using svg exists in e107 version 2.3.1 Date: 12/1/2022 Exploit Author: Trương Hữu Phúc Contact me: + Github: https://github.com/truonghuuphuc + Facebook: https://www.facebook.com/DdosFulzac.auz1/ + Email: [email protected] + Product: e107 + Version: 2.3.1...
Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm
Description Hi there, I would like to report a CSRF vulnerability in yetiforcecompany/yetiforcecrm. This allows an attacker to create a new admin. Even when SameSite: Strict enable, this still can be exploited by an attacker with lowest privilege account E.g. guest. Proof of Concept + These are...
Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq
Description chaskid is a Open Source Messaging Platform for Marketing, Support & Sales this package is vulnerable for xss Proof of Concept Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in orchardcms/orchardcore
Description The application does not escape special characters before output to FE, lead to stored XSS. Proof of Concept 1. Go to Workflows Create Workflow Add Task/Event 2. Set a title with XSS payload, e.g: aa Impact XSS can have huge implications for a web application and its users. User...
Cross-site Scripting (XSS) - Stored in getgrav/grav
Description Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage. I used &58 instead of : in the href attribute of tag to bypass the xss...
Cross-site Scripting (XSS) - Reflected in keystonejs/keystone
Description On Login Page, There Is A "from=" parameter in URL which is vulnerable to open redirect and which can be escalated to reflected XSS. Proof of Concept 1. Install Keystone 6 On Your System. 2. Go To http://localhost:3000/signin?from=http://evil.com And Login And You'll Be Redirected To...
in mruby/mruby
Description A NULL Pointer Dereference was discovered in mrbclass. The vulnerability causes a segmentation fault and application crash. version 6de0fcb ./mruby -v mruby 3.0.0 2021-03-05 System information Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz Proof of Concept poc base64 poc...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description The livehelperchat is an open source live chat service. In this service, general users can chat 1:1 with administrators. When administrators send XSS PoC to general users, XSS occurs in general users' chat rooms. Since XSS PoC is saved in the chat room, XSS occurs even if you access t...
Data Source Name Injection
Description TiDB Importer uses Go MySQL Driver for connecting to MySQL servers. This driver utilizes Data Source Name DSN strings for describing database connections with the following format: username:password@protocoladdress/dbname?param=value The driver has a built-in protection against LOCAL...
Cross-site Scripting (XSS) - Stored in star7th/showdoc
Description Stored XSS via upload attachment with format .svg in File Library. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept PoC.svg var...
Cross-Site Request Forgery (CSRF) in polonel/trudesk
Description There is a CSRF vulnerability which would allow an attacker to restart the server by simply having a victim with the appropriate privileges visit an attacker's crafted webpage. The vulnerability exists when performing a GET request to the /api/v1/admin/restart endpoint There is also...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
Description There are several areas in the web application that are vulnerable to stored XSS. They include: The chat feature when sending messages /messages/startconversation The name field when creating a department /departments Name field when creating teams /teams You can also exploit the XSS...
Cross-site Scripting (XSS) - Stored in pimcore/web2print-tools
Description Stored XSS in the Description of the Favorite Output Channel Configurations. Steps to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.In the left menu bar, click the Settings icon then choose Favorite Output Channel Configurations, the Favorite Output Channel...
Business Logic Errors in yetiforcecompany/yetiforcecrm
Description YetiForceCRM application is vulnerable to Business Logic Errors in the Weight of a Product since that value can be a negative number. Proof of Concept 1.After login, in the left menu bar, click Databases - Products 2.Click any product to go to the product details. 3.In the product...
Cross-site Scripting (XSS) - Reflected in yetiforcecompany/yetiforcecrm
Description Application is vulnerable to Reflected cross site scripting attack on create Invoice. Proof of Concept Step 1: Login into the application https://gitstable.yetiforce.com/index.php Step 2: Navigate to Quick Create - Cost Invoice Step 3: Click on Source and enter the XSS Playload in...
Inefficient Regular Expression Complexity in nltk/nltk
Description nltk is vulnerable to ReDoS attack because of ^-?0-9+.0-9+?$ regex. If attacker succeeds to use malicious payload against RegexpTagger used in function getpostagger and maltregextagger, it will cause a nasty DoS. Proof of Concept // PoC.py import re, time pattern =...
Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
Description Stored XSS via parameter title when create new ticket Details At the table tickets in admin, when rendering data for column Ticket it allows for arbitrary execution of JavaScript Vulnerability code data: "ticket", render: function data, type, row, meta if type === 'display' data = '' ...
in stanfordnlp/corenlp
Description The Stanford CoreNLP package provides a set of natural language analysis tools written in Java, is using a vulnerable XML External Entity XXE. An attacker that is able to provide a crafted XML file as input to the readDocument function in the "DomReader.java" file may allow an attacke...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in kcal-app/kcal
Description Implement both Secure flag and httponly flag in the application. Proof of Concept Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from bein...
Inefficient Regular Expression Complexity in nltk/nltk
✍️ Description The nltk package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide as an input to the readcomparisonblock function in the file "nltk/corpus/reader/comparativesents.py" may cause an application to consume an excessive amount of CPU. Belo...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
✍️ Description csrf bug to create a group chatlist 🕵️♂️ Proof of Concept There is no csrf token checking during creating a group-chatlist.\ Bellow request is vulnerable to csrf attack document.getElementById"myForm".submit 💥 Impact csrf bug to create a group chatlist...
Server-Side Request Forgery (SSRF) in erudika/scoold
✍️ Description Affected URL is vulnerable to Server-Side Request Forgery SSRF. An attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. 🕵️♂️ Proof of Concept @GetMapping"", "/id/" public String get@PathVariablerequired = false...
Cross-Site Request Forgery (CSRF) in glpi-project/glpi
✍️ Description Attacker able to change any task state from changes/tickets/problems with CSRF attack because there is any CSRF protection for related endpoint. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low...
in star7th/showdoc
✍️ Description The referenced code contains a hard-coded salt that is used for all passwords, ideally - a unique salt should be generated for each password and then would be stored alongside it as oppose to the constant one that is used for all passwords in the showdoc repository. 🕵️♂️ Proof of...
in star7th/showdoc
✍️ Description The referenced code block computes a MD5 hash based on a string "rgrsfsrfsrf", the current time, and a random number. The string used is static and does not appear to change, therefore I'm not sure why it is there in the first place as it does not provide any additional security...
Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager
✍️ Description Attacker able to delete any Personal Data if users visit attacker site. 🕵️♂️ Proof of Concept 1.Open the PoC.html In Firefox or safari. 2.now you can check that Personal data with idrecord value equal to 2 have been deleted. // PoC.html history.pushState'', '', '/'...
in amirsanni/mini-inventory-and-sales-management-system
💥 BUG unprivileged user can update stoke 💥 STEP TO REPDOUCE 1. From admin account goto https://1410inc.xyz/mini-inventory-and-sales-management-system/administrators and add new user callled user-B with basic role .\ 2. Now goto user-B account and here user-B cant see any item.\ Now user-B execute...
Server-Side Request Forgery (SSRF) in chatwoot/chatwoot
✍️ Description SSRF via SVG file upload 🕵️♂️ Proof of Concept create a new inbox, change its avatar to an SVG file with SSRF payload in it. and open the image in a new tab. 💥 Impact Host redirect...