4072 matches found
Stored Cross Site Scripting (Network Maps Editor functionality)
Description Hello Team, Hope you are doing well. I have found a stored cross-site scripting vulnerability in the network maps edit functionality. What is stored cross site scripting attack? Stored XSS, occurs when user supplied input is stored and then rendered within a web page. Typical entry...
No limit in length of "Fullname" parameter results in DOS attack /memory corruption
Proof of Concept 1Go to https://rdiffweb-dev.ikus-soft.com/prefs/general endpoint . 2You will see a field called "Fullname" 3Here you will see that there is no limit for the "Fullname" parameter that allows a user to to set a very long string as long as 1 million characters . 4This may possibly...
CSRF leads to disabling notifications in users profile
Description Periodic updates of repositories were sent as notifications to the user's email and here GET request sent to the server for modifying repository notifications settings is accepted by the server, which can lead to disabling notifications through a CSRF attack. Proof of Concept Replace...
Full Account Takeover via Improper Authorization
Description Immich does not check for admin privileges when setting account passwords. This allows any user to set the password for any account, thus allowing privilege escalation by admin account takeover. Proof of Concept Steps to reproduce: 1. Login to a non admin account 2. Obtain all user...
Password Reset Poisoning
Description Humhub uses the HTTP Host-Header in a password reset request to generate the password reset link that is sent to the user in an email without any filters or checks. This allows an attacker to craft a password reset request using a manipulated host header, resulting in reset-token...
BufferOverflow
Description Buffer Overflow is most commonly found in languages such as C and C ++, where there is the need for prior definition of the memory size of the buffer to be used. The program calls a gets function, which does not checks against overflowing the size assigned to buffer. As a result, it...
Clickjacking Leads To User Deletion
Hello team, on notrinoserp there is no clickjacking protection implemented x-frame-options, so an attacker can perform clickjacking attack, and in this case im able to delete user account via this vulnerability from the admin account, here is the POC: Exploit Script: iframe position:relative;...
Unrestricted File Upload Allowed due to Flawed Move File Functionality
Description Hello Team, Hope you are doing good. Due to misconfiguration in move file functionality an attacker could easily change the file extension of the uploaded malicious file disguised as .gcode file. Steps: 1 . Upload a .gcode file & intercept the request as shown in the screenshots. 2...
Account Takeover [namelessmc.com]
Description: 1. Hello team, while i was testing on https://namelessmc.com/login/ i noticed that there is no ratelimit protection on POST login form, so an attacker can takeover the account by brute forcing the password field Steps to reproduce: 1. 1- go to https://namelessmc.com/login/ 2. 2- Ente...
Segmentation Fault in SFS_Expression
It can cause Denial-of-service attack. Version root@ubuntu:/gpac/.git cat refs/heads/master 0102c5d4db7fdbf08b5b591b2a6264de33867a07 system stack size default root@ubuntu:/gpac/bin/gcc ulimit -s 8192 POC Download POC Execute root@ubuntu:/gpac/bin/gcc ./MP4Box -info -disox -dump-chap-ogg -dump-cov...
Cross-site scripting - Stored via upload ".xml" file
Description In file upload function, the server allow upload .xml file with contain some javascript code lead to XSS. Proof of Concept REQUEST POST /?PageTitre/ajaxupload&qqfile=index.xml HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:104.0 Gecko/20100101...
Email enumeration via Resend link page
Description Through the Resend link page, an attacker can know that if an email exists or not; just by observing the notification in the response page. So, once the attacker knows that an email exists, he can launch a brute force attack against it. If an email exists: There is no notification and...
Weak policy at Change password function
Description BookWyrm uses weak password policy when allows user to change password with just 1 character through the change password function. Steps to reproduce 1.Login then go to the Change password page https://book.dansmonorage.blue/preferences/password 2.Enter a character for example: 1 in t...
Stored XSS in
Description Hello, I have found that an XSS payload has been executed in the name of note field, and I wanted to make a report about it, just please note that in the Occurrences I left it empty because I don't know anything about it, and please see the video attached in POC to know more about it...
Application allows large characters to insert in the input field "Add new table" on the create field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in
Proof of Concept Go to http://localhost:8080/dashboard//projects Select any created project and go to the project section. Click on the "ADD/IMPORT" section and click on "add new table" Create Fill the "table name" field with huge characters, more than 1 lakh Copy the below payload and put it in...
Heap-based Buffer Overflow in function utfc_ptr2len
Description Heap-based Buffer Overflow in function utfcptr2len at mbyte.c:2113 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD - master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbor3s.dat -c :qa!...
Global overflow in pppdump leads to RCE
Global overflow vulnerability in pppdump A global overflow vulnerability is present in the pppdump utility of the ppp repo which may lead to code execution. Specifically when the -p flag is given for enabling the pppmodeon the pppdump command, a malicious crafted pppdump file can trigger a global...
CSRF attack while uploading files on [/plupload] via GET request
Description The application is applying a technique to protect itself from CSRF attacks by sending the CSRF token on the cookies and checking the value on the backend and also check the referer header, the CSRF token is deleted from the cookies if the request comes from another origin and just...
Forward credential header to attacker host
Description Some Admins set the "Authorization" header with the help of a reverse proxy to restrict initial access to the Drawio application server. In this kind of setup, the "Authorization" header should always be sent to the reverse proxy, and the reverse proxy will forward it to Drawio But Th...
Weak policy at Change password function
Description We can register an normal account with = 8 characters password. But we ccan change password with just 1 character when we use change password function Proof of Concept https://drive.google.com/file/d/1D-IDqrMiaBGLnZaZY9L3u-S4u-MoGxPc/view?usp=sharing...
Stored Cross-Site Scripting
Description A stored cross-site scripting vulnerability exists within the Gallery View comments functionality. Replication Steps and PoC Preconditions PC1. A project exists. PC2. A table with a sheet containing data exists in the project. PC3. A gallery view exists. PC4. A user with the editor ro...
Idor Lead to Archive Users
Description In this case a attacker can be able to archive any user of any targeted organization Proof of Concept 1. Attacker create new organization OrgA 2. Attacker add any user to his organization OrgA And archive the user 3. Capture this request in burp suite 4. victim is user of organization...
Weak Password Policy
Description I would like to let you know about the password management issue. Proof of Concept 1- Go to your Profile or https://demo-publify.herokuapp.com 2- Give a password as simple as 12345678. You can see you will be password has been changed and there is no strong enforcement...
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File
Description Formula Injection/CSV Injection in "For what?" , "For whom?" & "How much?" due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept 1.Visit https://ihatemoney.org/ and start your demo application then click on add new bill at the top right. In the field of "wha...
A heap-buffer-overflow in mobi_decode_infl in index.c
Description A heap-buffer-overflow in mobidecodeinfl in index.c Env Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal mobitool build: May 3 2022 20:46:07 clang Ubuntu Clang 11.1.0 libmobi: 0.10 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasa...
Buffer Over-read
Description Buffer Over-read in hpjansson/chafa at xwd-loader.c:185 Build export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure --disable-shared make POC ./tools/chafa/chafa ./poc.png...
ReDoS in is-it-check
✍️ Description It allows causing a denial of service when checking crafted invalid emails. 🕵️♂️ Proof of Concept // PoC.js var isItCheck = require"is-it-check" isItCheck.email'@A.'+ '0.0.'.repeat40+'A'...
The microweber application allows large characters to insert in the input field "Coupons" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Proof of Concept 1.Go to "Settings" click on "Coupons" and Add a new Coupons 2.Go to this drive link:- https://drive.google.com/file/d/1CcVCHWbvMk07IZ5v4dojrdJbC43ufhh/view?usp=sharing copy the payload and paste it on the "Code" input field 3.You will see the application accepts large characters...
stored xss in uploaded photo checkbox
Description xss code injection possible in endpoint "/api/savemedia " it accepts parameter "src" so if appended "%22onclick=%22alert'helo js executed';" and send request then xss alert will execute when clicking on checkbox of uploaded blank photo Proof of Concept 1. login as admin 2. open websit...
Stored XSS via file upload
Description Hello Team, \ This is a bypass to the report in https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/. \ The upload feature allows the files with the extension .xxhtml which leads to Stored XSS. Proof of Concept filename="poc.xxhtml" alert1 Steps to Reproduce 1.Login into...
Use After Free in r_reg_get_name_idx
Description heap use after free in rreggetnameidx. ASAN report: ================================================================= ==1710816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020001dff50 at pc 0x7fa7c085d87c bp 0x7ffc21731ac0 sp 0x7ffc21731ab0 READ of size 1 at...
Code Injection
Description The attacker can execute commands on the target OS running the operating system by setting the PLTRAINERGPUS when using the Trainer module. Proof of Concept bash $ pip3 install pytorch-lightning python import os from pytorchlightning import Trainer from...
Server-Side Request Forgery (SSRF)
Description The SSRF Protection is incomplete and can be bypassed via an HTTP redirect, the python-requests library will follow redirections by default can be disabled byallowredirects=False. An attacker can set up their HTTP server to respond with a 302 redirect to redirect the request to...
Cross-Site Request Forgery (CSRF) to User Privilege Escalation
Description Pandora FMS v7.0NG.759 allows Cross-Site Request Forgery in Bulk operation User operation resulting in elevation of privilege to Administrator group. Detail Version: Pandora FMS v7.0NG.759 - OUM 759 - MR 51 Affected components: Console Proof of Concept Affected Endpoint: POST...
Heap-based Buffer Overflow
Description There is a heap corruption when r2 processes a crafted dyldcache file. Confirmed on the latest release 5.6.2 and the master branch. Proof of Concept bash printf "%s"...
Open Redirect in archivy/archivy
Description The application doesn't check the target website before redirecting leads to Open Redirect vulnerability. Proof of Concept Install local service for testing - Step 1: Go to http://127.0.0.1:5000/login?next=%2F%2fevil.com - Step 2: Enter valid credential, you will be redirect to evil.c...
Exposure of Sensitive Information to an Unauthorized Actor in snipe/snipe-it
Description An attacker can enumerate users through the response message in the password reset page. When you visit the password reset page, you will be provided with the option to enter your email address. Let's use two different emails, one will be a valid address, and another will be an invali...
Improper Authentication in liukuo362573/yishaadmin
Description Hi there yishaadmin maintainer, I would like to report an improper authentication vulnerability in yishaadmin source code. The link /admin/OrganizationManage/User/GetFormJson?id=user-id does not require any authentication and return sensitive user data for anyone like username, gender...
in jsdecena/laracom
Description Hi there, I would like to report a vulnerability that allows a hacker to upload dangerous file type in jsdecena/laracom. Attacker must have an account with permission to Edit Product E.g. Clerk role. Then, he can upload malcious file with extensions such as html, svg,... which leads t...
Cross-site Scripting (XSS) - Stored in crater-invoice/crater
Description There is a vulnerability in the upload avatar functionality of crater invoice which would allow an attacker to upload malicious .SVG files in order to execute Javascript. All that is required is that the victim browse to the link location of the .SVG file Proof of Concept xss.svg:...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description A CSRF issue is found in the SettingsLive help configurationFile Configuration. It was found that no CSRF token validation is getting done as no CSRF token is getting passed with the request. Proof of Concept Actual Request POST /siteadmin/file/configuration HTTP/1.1 Host:...
Cross-site Scripting (XSS) - Stored in orchardcms/orchardcore
Description The Stored XSS vulnerability occurs because the menu editing function can insert a JavaScript Scheme as the value of the menu's HREF. Proof of Concept txt 1. Go to Content - Menu - Edit 2. Enter javascript:alertdocument.domain as the URL value using the Add or Edit menu function. 3...
Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite
Description Hi there, I would like to report another CSRF in phoronix Proof of Concept 1. Install a local instance of phoronix 2. Create a benchmark and note down benchmark id 3. Access the link /?benchmark//&repeat, /?benchmark//&disable and /?benchmark//&remove and see that the benchmark is...
in stanfordnlp/corenlp
Description The TransformXML function makes use of SAXParser generated from a SAXParserFactory with no FEATURESECUREPROCESSING set, allowing for XXE attacks. In...
Cross-site Scripting (XSS) - DOM in mrdoob/three.js
Description DOM-based XSS is a vulnerability in which the attacker can inject arbitrary javascript code in any DOM sink that supports dynamic code execution. In our case, source is window.location.hash and sink is iframe.src Proof of Concept 1 Visit...
Cross-site Scripting (XSS) - Stored in phoronix-test-suite/phoronix-test-suite
Description Hi there phoronix test suite maintainer team. There is a stored XSS in phoronix-test-suite source code. This is in group name. Proof of Concept 1. Install a local instance of phoronix test suite 2. Create an account and log in, then create a group with name . Note that you cannot crea...
Exposure of Sensitive Information to an Unauthorized Actor in microweber/microweber
Description Any unauthorized/unauthenticated actor can find the PII data of all the users registered in the application. PII - Personally Identifiable Information leaked by this application is first name, last name, email id, picture, username, isadmin status Proof of Concept 1 Visit...
Exposure of Sensitive Information to an Unauthorized Actor in polonel/trudesk
Description When you delete a conversation, the server responds with sensitive data including user IDs and emails among other data. The endpoint that's contacted in order to delete a conversation is /api/v1/messages/conversation/. A user with low level privileges such as a customer account could...
Cross-site Scripting (XSS) - Reflected in livehelperchat/livehelperchat
Description The application does not escape special characters, and the $msgPArent or $Result'additionalpostmessage' variables can lead to reflected XSS Proof of Concept https://demo.livehelperchat.com/chat/chatwidgetchat/444/123/theme/1/cstarted/123";;alert'xss';" Impact XSS can have huge...
Data Source Name Injection
Description TiDB Importer uses Go MySQL Driver for connecting to MySQL servers. This driver utilizes Data Source Name DSN strings for describing database connections with the following format: username:password@protocoladdress/dbname?param=value The driver has a built-in protection against LOCAL...