4072 matches found
STORED XSS in Journal-> Sections
Description Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XS...
Improper input validation leads to arbitrary file deletion
Description The /process endpoint of the python API in collector/api.py exposes an endpoint waiting for a POST request with a parameter named filename : py @api.route"/process", methods="POST" def processfile: content = request.json targetfilename = content.get"filename" printf"Processing...
XSS Vulnerabilities in Search Functionality and Course Tags
Description 1. XSS via Image Error in Search Box: - This vulnerability allows an attacker to execute a Cross-Site Scripting XSS attack through the search functionality of the web application. When a user performs a search, the application attempts to display an image related to the search query...
Store DOM XSS in FAQ
Description I noticed, your website is very secure. But you overlooked a flaw XSS Proof of Concept 1 .Login vs admin demo account and access admin page. 2 .Create a category, Question with payload: haidoalertdocument.domain 3 .Select FAQ status published and Sticky 4 .Back to the homepage, detect...
Cookie without Secure flag
Description Access and login to the website. Press F12 on your keyboard or right-click on the website to open dev-tool. At Application tab, choose Cookies and there are some sensitive cookies without Secure flag. Proof of Concept...
CSRF Logout
Description Bad actor can send to victims link ie. obfuscated with payload /signout and when victims will use it - can change the state of user logged in/logged out. Proof of Concept Payload: https://eu.aptabase.com/api/auth/signout Repro steps: As logged in user https://eu.aptabase.com/ open new...
Stored HTML injection
Description Stored HTML Injection: A Hidden Web Threat. Learn how attackers exploit input fields to inject malicious code into web applications, jeopardizing user data and site integrity. Discover crucial prevention measures to safeguard against this insidious vulnerability. Step to reproduce 1...
Cross-site Scripting (Stored XSS)
Description For any role that has permission to execute function assets, i can add a new asset. Even though the site only allows uploading images and gifs, I can still upload an html file by modifying the magic number and that leads to XSS. Proof of Concept 1. Link PoC:...
Pre-Auth SQLi leading to RCE in Social Media Skeleton v1.0
Summary A SQL Injection vulnerability exists in Social Media Skeleton v1.0 via the username and password parameters in admin/login.php. Not to be confused with login.php, which properly escapes special characters. Issue Description SQL injection SQLi is a code injection technique used to attack...
Session Fixation Vulnerability
Description The application does not generate a new PHPSESSID cookie after the user authenticates successfully. A malicious user is able to create a new session cookie value and injects it to a victim pre-authenticaiton. After the victim logs in, the injected cookie becomes valid, giving the...
URL Restriction Bypass
Description In attempting to fix a previous issue, the PATTERNUSERINFO regular expression was changed. This change introduced another way to bypass the URL allowlist by introducing non-alphanumeric characters into the user information part of the URL. Proof of Concept Run PlantUML with...
we still can order the product even it is disabled
Description I am writing to report a potential security vulnerability that was uncovered in your platform. Specifically, we discovered that your product purchase functionality can still be accessed via API even after the product has been disabled and is no longer available for sale. Proof of...
Create multiple user with the same username (Race Condition)
Description Administrator users can create multiple users with the same username which breaks the logic of the web application. Proof of Concept Step 1: At AdministrationUser ManagementManager User Screen, click on "New Local User" button Step 2: Fill in all the required fields, notice that the...
Reflected Cross-Site Scripting when restoring a backup
Description A XSS vulnerability has been identified when an administrator restores a backup from a file. When using a specially crafted file, it's possible to trigger an error that will be displayed on the web page. Since the error message contains the invalid part of the file, any JavaScript cod...
Stored XSS on items in Folder in nilsteampassnet/teampass lead to ATO
Description Stored XSS on items in Folder in nilsteampassnet/teampass lead to ATO Proof of Concept POC on my Drive video: https://drive.google.com/file/d/1OsksHJxcaNNABIoabLAwAKCu37S2VyT/view?usp=sharing...
Stored XSS
Description I tested the demo site you provided. I see that there is an XSS vulnerability. I hope you can check and provide a fix as soon as possible. Proof of Concept link video PoC https://drive.google.com/file/d/186jNX2EJWaIaknmOmwBhQ663SSzv289/view?usp=sharing Step 1.Go to my preferences and...
OS Command Injection via Type Confusion in Scan and Preview Parameters
Description Scanservjs has a RESTful API that provides endpoints for interacting with scanners using the SANE library. There are two APIs for scanning an image and generating a preview image that call out to Process.spawn, invoking a scanimage command as a subprocess of the server, and passing...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description There is a taint path can store payload into the database. visit http://127.0.0.1/corebos-master/index.php?action=PickList&module=PickList and click Add Item, the Add new entries here: can be tainted. Although there has a front limitation, but we can bypass it by modifying the request...
Reflected XSS on Sidekiq through multiples endpoints via GET parameter "period"
Description Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser. Proof of Concept There must have been a metrics during the default value of the period parameter. You simply have to set the payloa...
Input validation and money transfer vulnerability with negative number
Description I transfer money from account1 to account2. According to the scenario, account 1 will be deducted, and account 2 will add money. But account1 was add, account was sub. If I use a negative number and its value exceeds the account balance, the money will still be added to the transfer...
Stored XSS in name parameter of "Static Routes"
Description During testing, I observed that the name parameter of the "Static Routes" functionality is vulnerable to stored XSS. Proof of Concept 1.Login to https://demo.pimcore.fun/admin/. 2.Now go to Settings - Static Routes - Add and Enter the payload: " inside the name input field. 3.Then cli...
Full CSRF Bypass
Description The intended way to reach functionality in $module/ajax.php is through the /xhr endpoint. Looking at the following code: https://github.com/unilogies/bumsys/blob/83bd788c21ce390f62e34ab6755a3e61c106418c/core/route.phpL43-L48 php if $pageSlug === "xhr" or $pageSlug === "info" and...
CSRF leading to edit admin accounts
Description GET /admin/accounts/id/edit/?activetab=default page is vulnerable to a CSRF attack. Proof of Concept Login as admin. try to edit admin accounts example id=4 Open the following file in the browser. history.pushState'', '', '/'; document.forms0.submit;...
SQL Injection at /front/report.dynamic.php
Description A SQL Injection vulnerability allow to guest user with reports view like "Technician" to extract all data from database and some cases write a webshell on the server. This vulnerability occurs because an insecure concatenation is taking place on this function:...
XSS Stored in the email address
Description Hello, I have located an xss stored by performing the following step: 1 - Go to tools 2 - GDPR Data Extractor 3 - Insert the payload into the email address 4 - click in send emails Proof of Concept...
Stored Cross Site Scripting in the username
Description Stored XSS occurs when an attacker injects malicious code into a website, which is then stored on the server. In this case, the malicious code is being stored as the user's username. When someone accesses the shared page, the website retrieves the user's username from the server and...
No Password Policy at all during Registration and and Password Change allows Account Takeover Exploitation
Dear Ladies and Gentlemen, First of all thank you for your time and effort reading my Report. While doing the Penetration Test i was able to weak Password Policy while Registration and Passwort changing allowing an attacker to easily exploit an account Takeover Vulnerability. This is due no...
Stored/Reflected XSS when add new domain
Description there is an XSS vulnerability that malicious script is injected directly in list of domain Proof of Concept 1//go to admin/domains/ 2/ click add to add a new domain 3/ in name section add this payload " and you can see payload executed POC...
Improper String/Integer Input Validation Leads to the Crashing of Site
Description If you give the string input in the Start/End time field, then the application will stop working. Proof of Concept 1. Go to "Settings-General-Reconnection" 2. Change activated to "on" 3. On every input fields place any string for example put: "test" 4. Click on save and refresh 5. The...
Stored HTML injection in Patient chat functionality
Description I've found out that it is possible to inject HTML code in Patient Chat functionality, which allows malicious code to be stored there and potentially affect the other chat users Proof of Concept - Login from the patient portal. I've used the demo instance here:...
Stored XSS in the module named "Website settings"
Description Our engineer found security problems when testing our website. And I have tested the demo website you provided. I found that there is indeed an xss vulnerability. I hope you can check and provide a fix as soon as possible.Thanks. \\ The reason for the vulnerability is that you have...
Archive any post (public / private) using IDOR
Description It was observed that we can archive any users post using archive option by changing the post id. 1 Created user with lolwa username. 2 Posted a post and identified it's post id 1007. 3 Now get the post id from demo user i.e 1006. 4 Now click on archive for post id 1007 from user lolwa...
Stored XSS in admin panel (users page)
Description Stored XSS in admin panel in users page via inject XSS payload in Name input field by any user to affect the admin panel Proof of Concept https://drive.google.com/file/d/1EsYq3R6GRAdEbpZxp2RwQwGr4G8fJGB7/view?usp=sharing...
Path Traversal that leads to Remote Code Execution via PHP file upload
📜 Description A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash ../” sequences and its variations or by using absolute file paths, it may be...
Stored XSS
Description webcalendar has a feature to add event and display the location of it. This feature lead to stored xss everytime a user open the calendar or the event detail page. Proof of Concept 1. 1- login as user 2. 2- create an event 3. 3- insert the payload on "location" field 4. 4- Save 5. 5- ...
Password Reset Poisoning
Description Elgg uses the HTTP Host-Header in a password reset request to generate the password reset link that is sent to the user in an email without any filters or checks. This allows an attacker to craft a password reset request using a manipulated host header, resulting in reset-token leakag...
Mass Assignment leads to Stored XSS
Description The application is vulnerable to mass assignment in the User object. A user is able to enable their own account and change their username. The username is not properly sanitized in the admin user overview, leading to a stored XSS attack. Proof of Concept Steps to reproduce: 1. Log in...
Stored Cross-Site Scripting (XSS) on Schedule Maintenance "Title" parameter
Description Stored Cross-Site Scripting XSS vulnerability in LibreNMS v22.8.0 allows attackers to execute arbitrary javascript code in the browser affected from function of "Schedule Maintenance" in "Title" parameter. Proof of Concept 1 - Click "Alerts" Click "Schedule Maintenance" from the...
Password Can be set to very weak
Description For testing the issue, I have used the demo website. In edit user profile section we can set New Password to 1 Or any character. There is no policy for password or no password checking. Moreover, it also allows us to change password and the new password also can be set with weak...
Unauthenticated Path Traversal
Description A unauthenticated user can read and download files of the application system by abusing the filename parameter, of the /api/image/cover-uploadendpoint, that is not properly sanitized. Proof of Concept 1 - Send the following request, where the filename has the relative path of the targ...
Out-of-bound write in function parse_command_modifiers
Description Out-of-bounds write in function parsecommandmodifiers at exdocmd.c:3123 Version commit c101abff4c6756db4f5e740fde289decb9452efa HEAD - master, tag: v8.2.5164 Proof of Concept guest@elk:/trung$ ./vim3/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc4min -c :qa!...
Stored XSS in EditEstadoDocumento
Description In facturascripts/EditEstadoDocumento, the field Icon can be injected an XSS payload into it. Proof of Concept // PoC.js POST /facturascripts/EditEstadoDocumento?code=27&action=save-ok HTTP/1.1 Host: 127.0.0.1 Content-Length: 1224 Cache-Control: max-age=0 sec-ch-ua:...
SSRF via Improper Input Validation
Description Hostname is not detected because of improper handling of username and password. Based on real cases Proof of Concept shell ❯ node -e 'const parseUrl = require"parse-url"; console.logparseUrl"http://google:com:@@localhost"' protocols: 'http' , protocol: 'http', port: null, resource:...
Improper Restriction of Excessive Authentication Attempts in login feature
Description No rate-limiting leads to bruteforce attack in login feature Steps to reproduce 1.Go to https://www.rosariosis.org/demonstration/ 2.Login with any username and password 3.Using Burp and send login POST request to Intruder 4.Create 30 null payloads and start attack 5.Login with correct...
Uncontrolled Resource Consumption in "Category Editor"
Description The Organizr application allows large characters to insert in the input field "Category Editor" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Login to the application 2.Go to "Tab Editor" - "Categories" . 3.Click on the +...
Stored XSS in application name.
Description Hi there, there is a stored XSS in Oauth application name. Proof of Concept 1. Install a local instance of Autolab. 2. Go to /oauth/applications and create a new application with name . 3. Click on Authorize and see that a pop up appears with user's cookies. Link to POC...
Heap-buffer-overflow in mobi_search_links_kf7
Description heap-buffer-overflow /home/ubuntu/libmobi-public/src/parserawml.c:110 in mobisearchlinkskf7 Environment Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal mobitool build: Apr 29 2022 20:52:30 gcc 9.3.0 libmobi: 0.10 Build export CC=gcc CXX=g++...
NULL Pointer Dereference in function mobi_build_opf_metadata at opf.c:1161
Description NULL Pointer Dereference in function mobibuildopfmetadata at opf.c:1161 allows attackers to cause a denial of service application crash via a crafted input file Build git clone https://github.com/bfabiszewski/libmobi.git cd libmobi export CFLAGS="-g -O0 -lpthread -fsanitize=address"...
libde265 1.0.8, was discovered to contain a heap-buffer-overflow in put_epel_16_fallback (fallback-motion.cc)
Description libde265 1.0.8, was discovered to contain a heap-buffer-overflow in putepel16fallback fallback-motion.cc ENV - Version : 1.0.8 - Commit : 45904e5667c5bf59c67fcdc586dfba110832894c - OS : Ubuntu 18.04 - Configure : cmake -DCMAKEBUILDTYPE=Debug -DCMAKECXXCOMPILER=clang++-10...
heap-buffer-overflow in mrb_vm_exec in mruby/mruby
Affected commit: 3cf291f72224715942beaf8553e42ba8891ab3c6 Proof of Concept ruby= v10 = 0 v15 = "" v16 = srand1337 v20 = protectedmethods.fill|| v20 = Array.instanceeval|| method method privatemethods.zip rescue GC.start removemethod removemethod privatemethods.sample rescue Float v16.v15.v10 resc...