4072 matches found
Exposure of Sensitive Information to an Unauthorized Actor in microweber/microweber
Description Any unauthorized/unauthenticated actor can find the PII data of all the users registered in the application. PII - Personally Identifiable Information leaked by this application is first name, last name, email id, picture, username, isadmin status Proof of Concept 1 Visit...
Exposure of Sensitive Information to an Unauthorized Actor in polonel/trudesk
Description When you delete a conversation, the server responds with sensitive data including user IDs and emails among other data. The endpoint that's contacted in order to delete a conversation is /api/v1/messages/conversation/. A user with low level privileges such as a customer account could...
Cross-site Scripting (XSS) - Reflected in livehelperchat/livehelperchat
Description The application does not escape special characters, and the $msgPArent or $Result'additionalpostmessage' variables can lead to reflected XSS Proof of Concept https://demo.livehelperchat.com/chat/chatwidgetchat/444/123/theme/1/cstarted/123";;alert'xss';" Impact XSS can have huge...
in polonel/trudesk
Description When logging in, the login page will tell you whether or not a username exists which is a vulnerability since it can be paired with the lack of rate limitation when logging in in order to help an attacker find out which accounts exist & then brute force those accounts' login...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description XSS in Classification Store included panels like Collections, Groups, Key,... in the store Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web...
Cross-site Scripting (XSS) - Stored in pimcore/web2print-tools
Description Stored XSS in the Description of the Favorite Output Channel Configurations. Steps to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.In the left menu bar, click the Settings icon then choose Favorite Output Channel Configurations, the Favorite Output Channel...
Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki
Description Although security token is present in the delete draft POST request. It is not being checked in the backend by checkSecurityToken CSRF checks. Proof of Concept 1: As a logged-in user create a draft page, on the data/cache directory of the server run the command to confirm a draft has...
Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Cross-Site Request Forgery (CSRF) in pimcore/pimcore
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Improper Privilege Management in dotcms/core
Description Hello team, I found a SSTI that allow me to get Full Privilege Escalation system user 1. While editing a template we have total access to the User and UserModel classes via $user 2. One of the UserModel methods is called setUserId 3. If we call setUserId and pass "system" as parameter...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Very low severity CSRF in /comments/thanks/id Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to send quick thanks. Can potentially trick users to infringe rate limits and get themselves banned via a repeated CSRF attack if admins choose to set...
Improper Access Control in bookstackapp/bookstack
Description A user with API access can view any attachment which they do not have read access to because read permissions are not being checked at the API attachments read controller. Proof of Concept 1: From default installation give the "Public" role access to system API 2: Upload attachment...
Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description Cross site scripting vulnerability in checkout page in notes field Proof of Concept 1.Login to the demo page. 2. Go to accessories , select any product and add payload in the checkout notes 3. click save and open the product xss will trigger payload = " Impact This vulnerability is...
Cross-Site Request Forgery (CSRF) in star7th/showdoc
Description An attacker is able to create a new group for any item if users visit the attacker's website. Furthermore, the user-id "uid" is also exposed via the JSON response. We can bypass the CSRF Protection if we put our payload on an iframe or an HTML file and then send them to the victim...
CRLF Injection in phpservermon/phpservermon
Description misconfig of nginx lead to crlf injection In nginx, $uri is url decoded, which will decode %0d%0a to CRLF. code: return 301 http://$uri; Proof of Concept A request to: http://www.test.com/%0d%0afakeheader:123%0d%0a%0d%0afakecontent Impact CRLF Injection allows an attacker to inject...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Description CSRF related to duplicate action. the duplication occurs first before redirecting to edit form Proof of Concept GET /en/admin/teams/id/duplicate GET /en/admin/project/id/duplicate Impact This vulnerability is capable of tricking admin users to duplicate teams Note This is probably all...
Open Redirect in star7th/showdoc
Description Open Redirect at login page due to unchecked "redirect" parameter. Vulnerable parameter redirect Payload /%09/google.com Proof of Concept Send users the following login link https://www.showdoc.com.cn/user/login?redirect=/%09/google.com After users use their registered account to logi...
Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description Multiple Stored XSS at 'snipeitram3' and 'snipeitcpu4' in the multipart message of POST request when creating a new Asset or editing an existed Asset. Proof of Concept POST /hardware HTTP/1.1 Host: develop.snipeitapp.com Connection: close Content-Length: 2560 Cache-Control: max-age=0...
in misp/misp-maltego
Description misconfigurations of nginx lead to a path traversal vulnerability. Proof of Concept Do a request to /munin../ can get any file under /var/cache/munin/ Impact An attacker can access files on the web server to which they should not have access...
in stanfordnlp/corenlp
Description The Stanford CoreNLP package provides a set of natural language analysis tools written in Java, is using a vulnerable XML External Entity XXE. An attacker that is able to provide a crafted XML file as input to the readDocument function in the "DomReader.java" file may allow an attacke...
in snipe/snipe-it
Description There is no rate limit sent unlimited email victim or any email address Proof of Concept There is no rate limit return-password , attacker to send unlimited email to victim or any email address. POST /password/email HTTP/1.1 Host: demo.snipeitapp.com Connection: close Content-Length: ...
in cortezaproject/corteza-server
Setup the application on your local system. Steps: -------- 1. Login in application and navigate to the settings, where change the user password and capture the request in burp suit. 2. Now logout from application and copy the Authorization token. 3. After logout the authorization token must be...
in fisharebest/webtrees
✍️ Description A malicious actor, either logged in as an admin or after intercepting a request, is able to modify the path argument in the delete-path route, and can arbitrarily delete index.php or config.ini.php, rendering the site unusable. 🕵️♂️ Proof of Concept 1; An admin should navigate to...
in bfabiszewski/libmobi
✍️ Description Overview This vulnerability is of out-of-bound read, which lets attackers read memory information beyond the buffer size. Possibly, attackers can use this to do DOS Denial of Service attack or ALSR bypass by reading sensitive memory address information to all applications which use...
Inefficient Regular Expression Complexity in prismjs/prism
✍️ Description The prismjs package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex. 🕵️♂️ Proof of Concept...
in weseek/growi
✍️ Description You should check and validate the password when users registering, any user able to use a weak password like aaaaaa also you don't have any rate limit for incorrect passwords that cause to easily perform Bruteforce attacks against your users that have weak passwords. 💥 Impact This...
Cross-site Scripting (XSS) - Reflected in th3-822/rapidleech
✍️ Description Cross-site Scripting XSS refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. The...
Prototype Pollution in clientio/joint
✍️ Description jointjs package is vulnerable to Prototype Pollution. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the path components used in the path parameter are arrays. In particular, the condition key === "proto" returns false if key is "proto". This is because...
Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
✍️ Description Reflected XSS on any POST parameters with a correct token on /admin/settings.php When field is not in the defined list , $debug value is set to true , and the $POST is dumped without filtering 🕵️♂️ Proof of Concept 1. Login as admin 2. Settings - Flush log 3. replace field with XSS...
Prototype Pollution in vincit/objection.js
✍️ Description objection package is vulnerable to Prototype Pollution. 🕵️♂️ Proof of Concept Create the following PoC file: // poc.js var set = require"objection/lib/utils/objectUtils" let obj = console.log"Before: " + .polluted setobj, 'proto', 'polluted', 'Yes! Its Polluted' console.log"After: "...
Cross-site Scripting (XSS) - Reflected in znixbtw/panel-v2
✍️ Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
✍️ Description Attacker is able to enable a user notification if a logged in user visits attacker website. 🕵️♂️ Proof of Concept 1. when you logged in open this POC.html in a browser 2. you can check your notification is enable history.pushState'', '', '/' document.forms0.submit; 💥 Impact This...
in phpmailer/phpmailer
✍️ Description validateAddress function used to validate email addresses, uses calluserfunc to call the callable from the name of callable provided to the function as an argument $patternselect. But if no argument is passed, the function sets "php" as default value to $patternselect variable on...
Cross-site Scripting (XSS) - Stored in changeweb/unifiedtransform
✍️ Description Stored Cross Site Scripting in the message/all.blade.php. 🕵️♂️ Proof of Concept As a teacher, click on "My Courses" and then "message students". CKEditor hides the underlying where we can add tag or capture the request in a proxy like burpsuite and edit the HTTP POST request. Select...
Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling
✍️ Description XSS is possible via support ticket reply functionality for admin. It can happen if a client registers with his name as the XSS payload and admin replies with the default greetings. Otherwise admin have to manually enter the payload in reply form. 🕵️♂️ Proof of Concept 1. Register...
Cross-site Scripting (XSS) - Stored in octobercms/library
✍️ Description OctoberCMS uses october/rain library to handle file uploads. Previously it was possible to upload malicious files with HTML content to the CMS via its Media upload feature. This security issue marked as CVE-2020-15249 was fixed in 1.0.469. But it is still possible to upload XML...
Cross-site Scripting (XSS) - Stored in harish81/digidocu
✍️ Description DigiDocu is a CMS written in PHP using Laravel Framework. Laravel uses Blade templating engine which sanitizes the HTML by default. But DigiDocu is trying to render some HTML content without validating the input that comes from the user's profile ie. users can write some HTML using...
Cross-site Scripting (XSS) - Generic in cmason3/jinjafx
:book: Description JinjaFx is a Templating Tool that uses Jinja2 as the templating engine. It is written in Python and is extremely lightweight and hopefully simple - it doesn't require any Python modules that aren't in the base install, with the exception of jinja2 for obvious reasons, this...
Code Injection in heartexlabs/label-studio
Description Label Studio is a swiss army knife of data labeling and annotation tools which is vulnerable to Arbitrary Code Execution. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash pip3 install label-studio Run exploit.py impor...
Prototype Pollution in steveukx/properties
Description properties-reader is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC and INI files: // poc.js var propertiesReader = require'properties-reader'; console.log"Before : " + .polluted console.log"Before : " + .polluted1 var properties =...
privilege escalation bug to edit survey
BUG ======== normal user can edit any survey AFFTED VERSION ============ 6.2.10 SUMMRUY ========== normal user has view permiision in survey . But still that user can edit the survey by adding that survey to his own group . STEP TO REPRODUCE ================= 1. There is already a superadminuser-...
Stored XSS in function Add discussion at the Copyediting section
Description I tested the demo site you provided and I see that there is a stored XSS in function Add discussion Proof of Concept payload: thanh"alert1 Steps 1. Login as any user 2. In the Unassigned section and click view 3. In the Workflow click Copyediting section and Add discussion 4. Insert...
STORED XSS in Journal-> Sections
Description Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XS...
Improper input validation leads to arbitrary file deletion
Description The /process endpoint of the python API in collector/api.py exposes an endpoint waiting for a POST request with a parameter named filename : py @api.route"/process", methods="POST" def processfile: content = request.json targetfilename = content.get"filename" printf"Processing...
XSS Vulnerabilities in Search Functionality and Course Tags
Description 1. XSS via Image Error in Search Box: - This vulnerability allows an attacker to execute a Cross-Site Scripting XSS attack through the search functionality of the web application. When a user performs a search, the application attempts to display an image related to the search query...
Store DOM XSS in FAQ
Description I noticed, your website is very secure. But you overlooked a flaw XSS Proof of Concept 1 .Login vs admin demo account and access admin page. 2 .Create a category, Question with payload: haidoalertdocument.domain 3 .Select FAQ status published and Sticky 4 .Back to the homepage, detect...
Cookie without Secure flag
Description Access and login to the website. Press F12 on your keyboard or right-click on the website to open dev-tool. At Application tab, choose Cookies and there are some sensitive cookies without Secure flag. Proof of Concept...
Unverified password change : old password can be used as new password
Description Pimcore Platform v 11.0.7 is not enforcing strict password policy which allow attacker to set old password as new password Proof of Concept 1- go to https://demo.pimcore.com/admin/login 2- login with demo user credentials Username: superuser Password: enterprisedemo 3- Now login and...
CSRF Logout
Description Bad actor can send to victims link ie. obfuscated with payload /signout and when victims will use it - can change the state of user logged in/logged out. Proof of Concept Payload: https://eu.aptabase.com/api/auth/signout Repro steps: As logged in user https://eu.aptabase.com/ open new...
Stored HTML injection
Description Stored HTML Injection: A Hidden Web Threat. Learn how attackers exploit input fields to inject malicious code into web applications, jeopardizing user data and site integrity. Discover crucial prevention measures to safeguard against this insidious vulnerability. Step to reproduce 1...