4072 matches found
Untrusted Pointer Dereference
Description Null Pointer Dereference in gpac Proof of Concept Version: /fuzzing/gpac/gpac/bin/gcc/MP4Box -version MP4Box - GPAC version 2.1-DEV-rev15-g6c0f4ff03-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters:...
Improper Preservation of Permissions
Git repository found Description: Git metadata directory .git was found in this folder. An attacker can extract sensitive information by requesting the hidden metadata directory that version control tool Git creates. The metadata directories are used for development purposes to keep track of...
Out-of-bounds Read
Description OOB read occurs in mrbarypush. commit : 5d9239c2c4644fa8a59d9f5159b4950569dd5e0e Proof of Concept poc $ echo -ne "WzpfXVswLDAsMCwwLDAsMCwwLDAsMCwwLDAsMCwwLDBdPTpO" | base64 -d poc ASAN $ ./bin/mruby poc AddressSanitizer:DEADLYSIGNAL...
Cross-site Scripting (XSS) - Stored
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Proof of Concept Steps to Reproduce:- = Install the WebApp and Setup it =...
in mruby/mruby
Description commit ecb28f4bf463483cf914c799d086b0cfff997aee Proof of Concept sh ā” root@pocas ī° /fuzz/mruby2 ī° ī master ± ī° echo "P2MKWyoqMCwqKjgsbTowXQSAPRpbAAB7" | base64 -d poc1 ā” root@pocas ī° /fuzz/mruby2 ī° ī master ± ī° ./bin/mruby poc1 AddressSanitizer:DEADLYSIGNAL...
Exposure of Sensitive Information to an Unauthorized Actor in librenms/librenms
LibreNMS v22.1.0 allows users with the normal role/level to view/access the alert transport details. The alert transport may expose sensitive information to an actor that is not explicitly authorized to have access to that information which are supposedly accessible by the Administrator only. Pro...
Cross-site Scripting (XSS) - Reflected in cortezaproject/corteza-server
Description The logout function doesn't clean/filter value of "back" parameter before reflecting into html code leading to Reflected XSS vulnerability. Proof of Concept Visit URL: https://latest.cortezaproject.org/auth/logout?back=%22%3E%3Cscript%3Ealertorigin%3C/script%3E%3C%22 Poc:...
Cross-site Scripting (XSS) - Stored in s-cart/s-cart
Description Stored XSS in S-Cart Version 6.8.3 affecting Product and Category module. Proof of Concept Product version: S-Cart Version 6.8.3 core 6.8.10 , https://github.com/s-cart/s-cart/releases/tag/v6.8.3 Vulnerability 1: Stored XSS In Product module 1 Endpoint: POST...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Livehelperchat is vulnerable to stored cross site scripting. Proof of Concept 1 . Login to the demo account 2 . Go to settings -- Live help configuration --Visual settings for the visitor -- widget theme --new -- name field 3 . Add payload in name field and click save 4 . Go to settin...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS is found in SettingsLive help configurationPersonal Themestatic content. Under the NAME field put a payload constructor.constructor'alert1' while creating content, and you will see that the input gets stored, and every time the user visits, the payload gets executed. Proof ...
None in radareorg/radare2
Description This vulnerability is of type use-after-free. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, update...
Improper Privilege Management in liukuo362573/yishaadmin
Description Hi there yishaadmin maintainer team, I would like to report an improper privilege management in yishaadmin source code. The link /admin/ToolManage/Server/GetServerJson requires no authentication and accessible for everyone, which returns server info like RAM, CPU usage. Proof of Conce...
Improper Access Control in snipe/snipe-it
Description A user with no rights for API tokens can view the page where API tokens can be generated and can generate API tokens. Proof of Concept - Create a user with no permission for anything i.e. everything on deny. - Log in with this user to the web application. - Visit...
Inefficient Regular Expression Complexity in idank/explainshell
Description In the latest version of explainshell ebc5e9f2 I discovered regular expression that is vulnerable to ReDoS Regular Expression Denial of Service Proof of Concept PoC based on code in explainshell/options.py Python import logging import re if name == "main":...
Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki
Description Auditing the AJAX endpoints revealed that some endpoints which perform state-changes do not have CSRF protection. Proof of Concept POST /lib/exe/ajax.php?call=draftdel&id=start Impact This vulnerability is capable of tricking users to delete their own drafts...
Cross-site Scripting (XSS) - Stored in yetiforcecompany/yetiforcecrm
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description CSRF in switching between enable and disable of the following: - Dark/bright - Auto uppercase sentences - Do not scroll to the bottom on chat open - Auto preload previous visitor chat messages - Load previous message on scroll - New messages - New chats - Online - Based on activity -...
Improper Access Control in bookstackapp/bookstack
Description A logged-in user with no privileges OR guest user if public access enabled can access the /search/users/select AJAX endpoint meant for admins to manage audit logs, to dump all usernames existing in the Bookstack database. This can also be used to harvest email belonging to a user...
Cross-site Scripting (XSS) - Stored in vanessa219/vditor
Description the editor has XSS vulnerability Proof of Concept payload: Open the editorhttps://ld246.com/guide/markdown, enter the payload, and trigger the XSS vulnerability demo pic : https://drive.google.com/file/d/1fl07CUXSS0DyvjtuftslMnyr2uGZ8F7/view?usp=sharing Impact This vulnerability has t...
Cross-site Scripting (XSS) - Reflected in admidio/admidio
Description The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Using javascript: throws an error in parsing the url. But I bypassed it using javascript://%0A. Proof of Concept txt 1. Open the...
Cross-Site Request Forgery (CSRF) in star7th/showdoc
Description You set the strict flag only for one of your cookies named cookietoken but in Team management attacker still can delete or add teams with CSRF vulnerability as the cookie with name PHPSESSID don't have strict flag. Proof of Concept 1.replace 38046 with the team id 2.open poc.html and...
in star7th/showdoc
Description Logged in by LDAP will lead to a weak-password initializationļ¼ php isExist$username ; if!$userInfo D"User"-register$ldapuser,$ldapuser.time; //ćregister with a weak password, such as : tom/tom1637248826ć $rs2=ldapbind$ldapconn, $dn , $password;//ćwhen the LDAP password is WRONGļ¼no...
Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Description CSRF in custom field settings Proof of Concept /fields/1/fieldset/1/disassociate" /fields/required/3/3" /fields/optional/3/3" Impact This vulnerability is capable of trick admin user to modify custom forms...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept 1-- Go Asset Metadata Class Definitions - Create another one or just edit aprevious one . 2 -- In the Name input Inject any XS...
Cross-Site Request Forgery (CSRF) in pimcore/demo
Description Pimcore is vulnerable to Cross-site request forgery. It is possible to add arbitrary products to the victim's cart. Proof of Concept 1: Open https://demo.pimcore.fun/en/cart/add-to-cart?id=12 on a browser. 2: Check out the cart with Jaguar E-Type product. Impact Attackers might fool...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description You have not set any CSRF protection for receivings/deleteitem/itemid endpoint. Proof of Concept //PoC.html history.pushState'', '', '/'...
in pheditor/pheditor
Description With your new fix in https://github.com/pheditor/pheditor/commit/69a79e3ba7f4a9f844cf5919c14a953e4a0d1867, it is basically impossible to change the password now because you forgot to add in the CSRF token in the reset password functionality, hence the password cannot be changed from...
Code Injection in collectiveaccess/providence
Description client side injection Proof of Concept open the https://demo.collectiveaccess.org/find/QuickSearch/Index click on search input the code in search bar clickme https://i.ibb.co/tmB0K64/client.png Impact This vulnerability is injecting malicious code into application...
Cross-Site Request Forgery (CSRF) in collectiveaccess/providence
Description No CSRF token and GET requests allowed in Data and Metadata imports Proof of Concept 1. Login as administrator 2. Create a directory called test in /import directory and put a CSV file inside 3. On the browser with administrator cookies, visit...
in weseek/growi
āļø Description In following endpoint don't check the authorization of users and any user can delete other users comments /api/comments.remove the body of request is like this : "commentid" : "61393bb36970d0000c62b3cf" , "csrf" : any user receive all commentid and can easily replace other users...
Cross-site Scripting (XSS) - Stored in chocobozzz/peertube
āļø Description We can upload a SVG image and then send the url of that to other users and when they open the link we can get their complete session keys as the session keys stored in local storage and with Javascript easily can be stolen by attackers. šµļøāāļø Proof of Concept 1.Go to...
Improper Privilege Management in chatwoot/chatwoot
āļø Description A user without collaborator access to an Inbox is able to reveal the messages from it, by guessing the ID of the Inbox. šµļøāāļø Proof of Concept - 1; With an Administrator user, create an Inbox email type - 2; Only add the Administrator itself to the list of collaborators in the Inbox...
Cross-Site Request Forgery (CSRF) in star7th/showdoc
āļø Description With CSRF vulnerability Attacker able to delete any member to of any item if users visit attacker website. We can bypass the CSRF Protection if we put our payload on a iframe or a html file and send them to victim as after that the Origin header will be set to null and we can bypass...
in leantime/leantime
āļø Description In the source code of the application, the Secret Hash value and the initialization vector is being hardcoded. šµļøāāļø Proof of Concept In the following code snippet, we can see the hard-coded secret hash and IV. private $encryptionMethod = 'AES-256-CBC'; private $secrethash =...
Server-Side Request Forgery (SSRF) in bookstackapp/bookstack
āļø Description User with "Editor" rights can create a special book page containing tag with "src" property pointing to any external or internal resource. Exporting this page using default domPdf will result in firing request from server side. šµļøāāļø Proof of Concept Updating page with malicious...
Cross-Site Request Forgery (CSRF) in star7th/showdoc
āļø Description With CSRF vulnerability Attacker able to add any member to for any item if users visit attacker site. šµļøāāļø Proof of Concept 1.Open the PoC.html In Firefox or safari. 2.now you can check that member with email address [email protected] that already should registered befor have access to...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
āļø Description CSRF bug to set-paid expense-report šµļøāāļø Proof of Concept Here it does not check token parameter for csrf .You can remove token paramater from url. bellow request is vulnerable to csrf attack when set-paid expense report....
Cross-Site Request Forgery (CSRF) in emoncms/emoncms
āļø Description In CSRF attack if your users going to attacker website and click the mallicouse link then they able to steal users cookie, submit unwanted date, .... šµļøāāļø Proof of Concept 1.you login in your account 2.you make a file contain the following html file. 3.open html as victim site...
Open Redirect in ionicabizau/parse-url
āļø Description parse-url improperly handles the user input such as https:/\ and interprets it as a relative path. Backslashes after the protocol are accepted by browsers and treated as normal slashes, but parse-url reads them as the relative path, which could lead to SSRF, open redirects, or other...
Open Redirect in unshiftio/url-parse
āļø Description url-parse mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol, and treat it as a normal slash, while url-parse sees it as a relative path. Similar attacks:...
Session Fixation in chatwoot/chatwoot
āļø Description The application is vulnerable to Session Fixation vulnerability even after a user changes its password the old sessions on other devices persist. šµļøāāļø Proof of Concept 1. open chatwoot and login to your account on multiple browsers 2. change the password of the account on one of...
in projectsend/projectsend
š„ BUG create client even when self client registration is disabled š„ IMPACT any user can create create client even when self client registration is disabled š„ STEP TO REPRODUCE 1. From admin account goto http://localhost/projectsend2/options.php?section=clients and disabled client registration....
in alovoa/alovoa
āļø Description It is possible to set a weak password with no compliance with the register form checks that state "Your password needs to be at least 7 characters long and must contain characters and numbers." If a user bypasses the frontend checks, he will be able to register a completely weak...
Code Injection in donmccurdy/expression-eval
āļø Description Althrough we have decleared in the README.MD that do not use this package with user-provided inputs, but after i exam some project with this project, i found that many developers still use in that way, which may lead to some serious security problem. So I think that we still need to...
Code Injection in sodadata/soda-sql
Description soda-sql Metric collection, data testing and monitoring for SQL accessible data, which is vulnerable to Arbitary Code Execution. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash pip3 install soda-sql Run exploit.py...
Path Traversal in mucommander/mucommander
:book: Description mucommander A lightweight, cross-platform file manager with a dual-pane interface. This package is vulnerable for zip-slip. https://github.com/mucommander/mucommander https://www.mucommander.com/ :recycle: Steps To Reproduce-: 0 download and run latest release from...
Code Injection in swooningfish/ffmpeg-web-gui
Description The ffmpeg-web-gui project is a simple video converter written in PHP which uses the ffmpeg command to convert videos in HTML formats. The issue arises at the following line: https://github.com/swooningfish/ffmpeg-web-gui/blob/master/upload-and-convert.phpL176. The arbitrary command...
Code Injection in keymetrics/vizion
Overview The issue is an RCE triggerable via the module. This is possible because in the https://github.com/keymetrics/vizion/blob/master/lib/git/git.jsL228 line, the git reset --hard command is concatenated with a unsanitized input: js var command = cliCommandargs.folder, "git reset --hard " +...
Command Injection in zamotany/logkitty
Overview The issue occurs because a user input is formatted inside a command that will be executed without any check. Proof of Concept Credit: Mik317 1. Check there aren't files called HACKED 2. Execute the following commands in another terminal: bash npm i logkitty Install affected module logkit...
Authorization Bypass in SearchModelVersions Allows Any Authenticated User to Enumerate All Model Versions Regardless of Permissions
Summary MLflow's SearchModelVersions REST API endpoint GET /api/2.0/mlflow/model-versions/search and GraphQL query mlflowSearchModelVersions lack per-model authorization checks when basic auth is enabled. Any authenticated user can enumerate ALL model versions across ALL registered models,...