4072 matches found
Inefficient Regular Expression Complexity in nltk/nltk
✍️ Description The nltk package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide as an input to the readcomparisonblock function in the file "nltk/corpus/reader/comparativesents.py" may cause an application to consume an excessive amount of CPU. Belo...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
✍️ Description csrf bug to create a group chatlist 🕵️♂️ Proof of Concept There is no csrf token checking during creating a group-chatlist.\ Bellow request is vulnerable to csrf attack document.getElementById"myForm".submit 💥 Impact csrf bug to create a group chatlist...
Server-Side Request Forgery (SSRF) in erudika/scoold
✍️ Description Affected URL is vulnerable to Server-Side Request Forgery SSRF. An attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. 🕵️♂️ Proof of Concept @GetMapping"", "/id/" public String get@PathVariablerequired = false...
Cross-Site Request Forgery (CSRF) in glpi-project/glpi
✍️ Description Attacker able to change any task state from changes/tickets/problems with CSRF attack because there is any CSRF protection for related endpoint. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low...
in star7th/showdoc
✍️ Description The referenced code contains a hard-coded salt that is used for all passwords, ideally - a unique salt should be generated for each password and then would be stored alongside it as oppose to the constant one that is used for all passwords in the showdoc repository. 🕵️♂️ Proof of...
in star7th/showdoc
✍️ Description The referenced code block computes a MD5 hash based on a string "rgrsfsrfsrf", the current time, and a random number. The string used is static and does not appear to change, therefore I'm not sure why it is there in the first place as it does not provide any additional security...
Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager
✍️ Description Attacker able to delete any Personal Data if users visit attacker site. 🕵️♂️ Proof of Concept 1.Open the PoC.html In Firefox or safari. 2.now you can check that Personal data with idrecord value equal to 2 have been deleted. // PoC.html history.pushState'', '', '/'...
in amirsanni/mini-inventory-and-sales-management-system
💥 BUG unprivileged user can update stoke 💥 STEP TO REPDOUCE 1. From admin account goto https://1410inc.xyz/mini-inventory-and-sales-management-system/administrators and add new user callled user-B with basic role .\ 2. Now goto user-B account and here user-B cant see any item.\ Now user-B execute...
Server-Side Request Forgery (SSRF) in chatwoot/chatwoot
✍️ Description SSRF via SVG file upload 🕵️♂️ Proof of Concept create a new inbox, change its avatar to an SVG file with SSRF payload in it. and open the image in a new tab. 💥 Impact Host redirect...
in hascheksolutions/opentrashmail
✍️ Description Hi, there is a local file inclusion vulnerability in opentrashmail. In https://github.com/HaschekSolutions/opentrashmail/blob/master/web/api.phpL23 : php ?php define'DS', DIRECTORYSEPARATOR; define'ROOT', dirnameFILE; // $action = strtolower$REQUEST'a'; $email =...
in thisistherk/fast_obj
✍️ Description Whilst experimenting with the test code built from commit d97389 with Clang 11 +UBSan on Ubuntu 20.04.2 LTS, we discovered an OBJ file which produces a signed integer overflow and a pointer overflow followed by a SIGSEGV 🕵️♂️ Proof of Concept echo...
Heap-based Buffer Overflow in strukturag/libde265
✍️ Description heap-buffer-overflow of decctx.cc in function readspsNAL 🕵️♂️ Proof of Concept Verification steps: 1.Get the source code of Bento4 2.Compile the Bento4 bash $ ./autogen.sh $ export CFLAGS="-g -lpthread -fsanitize=address" $ export CXXFLAGS="-g -lpthread -fsanitize=address" $...
OS Command Injection in sztheory/exifcleaner
✍️ Description Command Injection using XSS via EXIF Data. The application displays the image metadata in HTML format without removing malicious tags, therefore an XSS attack can be performed. bash exiftool -Comment='OverJT' MYIMAGE.png Being an application made in electron, it allows to easily...
Prototype Pollution in trenskow/keyd
Description keyd is vulnerable to Prototype Pollution. This package fails to restrict access to prototypes of objects, allowing for modification of prototype behavior using a proto payload, which may result in Sensitive Information Disclosure/Denial of ServiceDoS/Remote Code Execution. Proof of...
Prototype Pollution in elcharitas/js-dot
Description Prototype Pollution in js-dot Proof of Concept 1. Create the following PoC file: // poc.js var jsDot = require"js-dot" var obj = console.log"Before : " + .polluted; jsDot.setobj,"proto.polluted","Yes! Its Polluted"; console.log"After : " + .polluted; 2. Execute the following commands ...
Business Logic Errors in braitsch/node-login
Description node-login is a template for quickly building login systems on top of Node.js & MongoDB. The business logic which updates account details fails to verify if the provied email is associated with another account. Proof of Concept 1. Navigate to /signup and Create two accounts with data...
Code Injection in jadonk/bonescript
Overview BoneScript is a node.js library for physical computing on embedded Linux, starting with support for BeagleBone. Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbitrary commands by using a semicolon char in the setDate function. Proof of...
Cross-site Scripting (XSS) - Generic in dolibarr/dolibarr
Overview dolibarr is a modern and easy to use web software to manage your business. This package is vulnerable to Cross-site Scripting XSS. The module renders user-uploaded html files in the browser when the attachment parameter is removed from the direct download URL...
Denial of Service in nescalante/urlregex
Overview urlregex No-dependency URL validation for Node and the browser. This package is vulnerable to Regular Expression Denial of Service ReDoS. An attacker providing a long string in String.test can cause a Denial of Service attack. PoC node const urlRegex = require"urlregex"; const isValid =...
Code Injection in domharrington/node-gitlog
Description The gitlogplus module is vulnerable against an arbitrary command injection issue which is made possible since some user-inputs are executed inside a command which doesn't have validations of any kind. POC 1. Create the following PoC file: js // poc.js var git = require'gitlogplus';...
Code Injection in easy-team/node-tool-utils
Description The node-tool-utils module is vulnerable against RCE since a command is crafted using user inputs not validated and then executedading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js const tool = require'node-tool-utils'; tool.checkPortUsed"test; touc...
Code Injection in rapidfacture/pdf-toolz
Description The pdf-toolz module is vulnerable against arbitrary command injection due to the fact some inputs given by the user are unsafely processed and executed. POC 1. Create the following PoC file: js // poc.js var pdf = require'pdf-toolz/PDF2Image'; pdf.pdfToImage"a", "test; touch HACKED; ...
Infinite Loop Denial of Service via Circular Dependencies in Functional Model Deserialization
Description A vulnerability in keras.src.models.functional.functionalfromconfig allows a Denial of Service DoS attack via an infinite loop. When reconstructing a Functional model from a configuration e.g., via keras.models.loadmodel, the deserialization logic fails to detect or break out of...
leaked all users names from a user without known permissions
Description - From any user account without authority go to /admin/users page to view employee information but can leak all employee names that exist on the platform. - The vulnerabilities occurred in the 3 features : delete, set active state, assign role in page /admin/users and...
stack-buffer-overflow in gf_text_get_utf8_line
Description stack-buffer-overflow in gftextgetutf8line at filters/loadtext.c:381. Version git log commit 7edc40feef23efd8c9948292d269eae76fa475af HEAD - master, origin/master, origin/HEAD Author: jeanlf Date: Thu Oct 12 16:58:53 2023 +0200 ./bin/gcc/MP4Box -version MP4Box - GPAC version...
privilege escalation bug to edit survey
BUG ======== normal user can edit any survey AFFTED VERSION ============ 6.2.10 SUMMRUY ========== normal user has view permiision in survey . But still that user can edit the survey by adding that survey to his own group . STEP TO REPRODUCE ================= 1. There is already a superadminuser-...
post body leaked to third party site when 303 redirect happen
BUG ======= post body leaked to third party site when 303 redirect happen SUMMURY ============ as per specification provided https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections during redirection of 303 POST request, body should be lost and request method should be GET .\ \ check the...
Cross-Site Request Forgery (CSRF) in
Description CSRF led to change permissions of participant in Edit Assignment sessions. Proof of Concept Payload: https://drive.google.com/file/d/1dHY9CS6R4mKM4F0im5n1aUxFamMEjbAa/view?usp=sharing Video PoC: https://drive.google.com/file/d/1AdDFE-qOF-EvVEJzzXKguMfr6ZkXXEx/view?usp=drivelink...
CSRF on marking an admin task as complete
Description A data altering method is done through a get request in AdminTaskToggleDoneView, making it vulnerable to csrf attack. In django, get request is considered as a safe method and is not protected against csrf. Proof of Concept python class AdminTaskToggleDoneViewLoginRequiredMixin,...
CSRF Edit Locale files
Description CSRF edit Locale files Proof of Concept 1 .Attack sends fake requests to users history.pushState'', '', '/'; document.forms0.submit; 2 .User click, edited unwanted Locale files Payload Poc https://drive.google.com/file/d/1wpgmDoK0fGsiPSKfThVoEWq50pj7sBz5/view?usp=sharing Video Poc...
Stored XSS at LOGO+USER menu
Description Please enter a description of the vulnerability. Proof of Concept login with admin account visit https://demo.instantcms.io/admin/widgets?templatename=modern&scrollto=row-14 navigate to logo+user menu tab insert payload 1" onmouseover = "alert'hackedbytisha' at Parent row Tag CSS clas...
Improper input validation leads to arbitrary file deletion
Description The /process endpoint of the python API in collector/api.py exposes an endpoint waiting for a POST request with a parameter named filename : py @api.route"/process", methods="POST" def processfile: content = request.json targetfilename = content.get"filename" printf"Processing...
Stored xss using journal-name in journal-tab
BUG ======== Stored xss using journal-name in journal-tab ACCOUNT ========== 1. user-A -- superadmin -- Victim -- Firefox browser Normal mode\ 2. user-B -- journal manager -- Attacker -- Firefox browser Container-1\ STEP TO RERPODUCE ====================== 1. From user-A account create a journal...
Reflected Cross-Site Scripting (XSS) vulnerability in the dynamic 404 page
Description When running a Cecil site by cecil serve without a 404.html, Reflected Cross-Site Scripting XSS is possible via the URI path. Proof of Concept Run the following commands: mkdir cecil-404-xss-poc cd cecil-404-xss-poc curl -L https://cecil.app/cecil.phar -o cecil chmod +x cecil ./cecil...
Unverified password change : old password can be used as new password
Description Pimcore Platform v 11.0.7 is not enforcing strict password policy which allow attacker to set old password as new password Proof of Concept 1- go to https://demo.pimcore.com/admin/login 2- login with demo user credentials Username: superuser Password: enterprisedemo 3- Now login and...
Theft of Arbitrary Files due to lack of intent validation and insecure usage of provider paths in TTFViewerActivity.kt
Description Through the use of Oversecured, leading vulnerability scanner for Android and iOS applications, we were able to detect an Theft of Arbitrary Files vulnerability within TTFViewerActivity.kt. Check full issue definition in the image below: Root Cause Analysis The TTFViewerActivity faile...
Input Validation Vulnerability Leading to Denial of Service in LimeSurvey v5.6.34
Vulnerability Summary: LimeSurvey is a widely used open-source online survey system. In version 5.6.34, an input validation vulnerability has been identified, allowing attackers to exploit a vulnerability in surveys containing "file upload" options. This can lead to a denial of service by...
DOM XSS in https://demo.librenms.org/eventlog
Description I noticed, your website is very secure. But you overlooked a flaw XSS Detail: 1 .Login with demo account. 2 .Go to the link: https://demo.librenms.org/eventlog and click Filter 3 .Use burp suite to block proxy and inject payload in eventtype: test%22-alertdocument.cookie// 4 .Check,...
DOM XSS in https://demo.librenms.org/outages
Description I noticed, your website is very secure. But you overlooked a flaw XSS Detail: 1 .Login with demo account. 2 .Go to the link: https://demo.librenms.org/outages and click Filter 3 .Use burp suite to block proxy and inject payload: "alertdocument.cookie 4 .Check, detect xss Proof of...
Insufficient access control in the export functionality for the 'Groups' module exposing user password hashes
Description The web application incorrectly returns sensitive data to authenticated lower privileged users when making requests to export data from the 'Groups' module. This includes information such as the user's email address, password hash and whether two-factor authentication is configured...
Stored Xss in Question field due to lack of sanitization in Link.php
Description Stored XSS Cross-Site Scripting is a type of web application vulnerability that allows an attacker to inject malicious scripts into a website or web application. Unlike reflected XSS, where the malicious script is embedded in a URL and executed immediately, stored XSS involves the...
Stored XSS via Default session expiration time
Description The Default session expiration time feature when submitted HTML/JS tags executes the code in the login page. Proof of Concept Login to Teampass and go to Settings = Options. http://127.0.0.1/index.php?page=options In theDefault session expiration time input field insert an XSS payload...
Stored XSS in module name "Search Documents"
Description The search documents function was infected with xss because the title payload was not filtered resulting in xss when searching to /de. Proof of Concept 1.Go to edit page title /de 2.Enter this xss code 3.Go to "Search Documents" and type in "77" search box to find /de -- xss will be...
Stored xss in module FAQ News
Description When admins create a FAQ News they can pass xss to the "text of the record" section Proof of Concept 1.Login to admin account 2.In the CONTENT section, click on FAQ News 3.Add any type of source code and notice select Faq status as published 4.Turn on intercept with burp and click sav...
XSS in choose time value Classes Data Objects
Description XSS in choose time value Classes Data Object Proof of Concept Login in URL : https://demo.pimcore.fun/admin Go to Settings- Data Objects - Classes - News NE - Dates & Images in tab Dates & Images , inject payload to value time at Specific Settings // PoC payload : " video PoC:...
Stored XSS on items in Folder
Description first create two user accounts and grant them permission to access a same folder. In one of the accounts, generate a new item within the folder. Paste the payload XSS into this field, then save the item. Once saved, click on the item to activate an XSS alert. To confirm the success of...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description There is a taint path can store payload into the database. visit http://127.0.0.1/corebos-master/index.php?action=PickList&module=PickList and click Add Item, the Add new entries here: can be tainted. Although there has a front limitation, but we can bypass it by modifying the request...
(Almost) Arbitary File Read on Development Server
Description I previously disclosed an arbitrary file read due to Vite misconfiguration. This is a similar vulnerability with less impact. Proof of Concept Start any nuxt app in dev. Browse to: + http://localhost:3000/\nuxtvitenode\/module/C:/Windows/System32/calc.exe +...
ReDoS vulnerability in `strip` function
Description The reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload. Proof of Concept import as emoji from "https://deno.land/x/[email protected]/mod.ts"; const input = '\x00' + '\t'.repeat154773 + '\t\x00'; const start = performance.now;...
Attached files under salaries module can be harvested by unauthenticated users
Description File attachment under salaries module can be downloaded and viewed by anyone without authentication by just knowing the full path /assets/FileUploads/2022/staff2/ and the predictable filename contains date YYYY-MM-DD and a random 6 digit number which can be easily enumerated by...