4072 matches found
Session Fixation in chatwoot/chatwoot
✍️ Description The application is vulnerable to Session Fixation vulnerability even after a user changes its password the old sessions on other devices persist. 🕵️♂️ Proof of Concept 1. open chatwoot and login to your account on multiple browsers 2. change the password of the account on one of...
in projectsend/projectsend
💥 BUG create client even when self client registration is disabled 💥 IMPACT any user can create create client even when self client registration is disabled 💥 STEP TO REPRODUCE 1. From admin account goto http://localhost/projectsend2/options.php?section=clients and disabled client registration....
in alovoa/alovoa
✍️ Description It is possible to set a weak password with no compliance with the register form checks that state "Your password needs to be at least 7 characters long and must contain characters and numbers." If a user bypasses the frontend checks, he will be able to register a completely weak...
Cross-site Scripting (XSS) - Generic in bigprof-software/online-invoicing-system
✍️ Description A cross-site scripting XSS allows remote attackers to inject JavaScript via the "p0-start" Parameter 🕵️♂️ Proof of Concept You can find installation instructions here: https://bigprof.com/appgini/applications/online-invoicing-system Vulnerable Parameter: p0-start p1-start & p2-start...
Code Injection in donmccurdy/expression-eval
✍️ Description Althrough we have decleared in the README.MD that do not use this package with user-provided inputs, but after i exam some project with this project, i found that many developers still use in that way, which may lead to some serious security problem. So I think that we still need to...
Code Injection in sodadata/soda-sql
Description soda-sql Metric collection, data testing and monitoring for SQL accessible data, which is vulnerable to Arbitary Code Execution. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash pip3 install soda-sql Run exploit.py...
Path Traversal in mucommander/mucommander
:book: Description mucommander A lightweight, cross-platform file manager with a dual-pane interface. This package is vulnerable for zip-slip. https://github.com/mucommander/mucommander https://www.mucommander.com/ :recycle: Steps To Reproduce-: 0 download and run latest release from...
Code Injection in swooningfish/ffmpeg-web-gui
Description The ffmpeg-web-gui project is a simple video converter written in PHP which uses the ffmpeg command to convert videos in HTML formats. The issue arises at the following line: https://github.com/swooningfish/ffmpeg-web-gui/blob/master/upload-and-convert.phpL176. The arbitrary command...
Code Injection in keymetrics/vizion
Overview The issue is an RCE triggerable via the module. This is possible because in the https://github.com/keymetrics/vizion/blob/master/lib/git/git.jsL228 line, the git reset --hard command is concatenated with a unsanitized input: js var command = cliCommandargs.folder, "git reset --hard " +...
Authorization Bypass in SearchModelVersions Allows Any Authenticated User to Enumerate All Model Versions Regardless of Permissions
Summary MLflow's SearchModelVersions REST API endpoint GET /api/2.0/mlflow/model-versions/search and GraphQL query mlflowSearchModelVersions lack per-model authorization checks when basic auth is enabled. Any authenticated user can enumerate ALL model versions across ALL registered models,...
new 3 SEGV in MP4Box
Description new 3 SEGV in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic 3322.04.1-Ubuntu SMP PREEMPTDYNAMIC Thu Sep 7 10:33:52 UTC 2 x8664 x8664 x8664 GNU/Linux Reproduce ./MP4Box -das...
2 stack-buffer-overflow in MP4Box
Description 2 stack-buffer-overflow in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic 3322.04.1-Ubuntu SMP PREEMPTDYNAMIC Thu Sep 7 10:33:52 UTC 2 x8664 x8664 x8664 GNU/Linux Reproduce...
CSRF Delete Categories
Description CSRF Delete Categories Proof of Concept 1 .Attack sends fake requests to users history.pushState'', '', '/'; document.forms0.submit; 2 .User clicks, deletes unwanted Categories Payload Poc https://drive.google.com/file/d/12cCzI-b9KLCRlND6MmjM6j-DJfTJiIt/view?usp=sharing Video Poc...
SSRF vulnerability in the vrite
Description This vulnerability can be used to leak remote server information, bypass CDN like cloudflare. Also it can be used to the SSRF attack. Proof of Concept Here we can use it to leak the real IP of the https://app.vrite.io. GET /proxy?url=https://your-vps-ip.nip.io/ HTTP/2 Host: app.vrite....
Store XSS in FAQ Multisites
Description I noticed, your website is very secure. But you overlooked a flaw XSS Proof of Concept 1 .Login vs admin demo account and access admin page. 2 .Go to Configuration == FAQ Multisites 3 . Edit Instance URL with payload: javascript:alertdocument.domain 4 .Edit Instance path with payload:...
left shift of negative value in scene_manager/swf_parse.c:213:12
Description left shift of negative value in MP4Box Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC...
Account takeover via password reset
Description An attacker could predict all future password reset tokens due to the use of RandomStringUtils.randomAlphanumeric in PasswordService. An attacker could crack the random number generator RNG seed from a password reset token, then perform password resets on their and the victim’s...
Session Fixation
Description Session fixation allows an attacker to impersonate a user by abusing an authenticated session ID SID. This attack can occur when a web application: •Fails to supply a new, unique SID to a user following a successful authentication •Allows a user to provide the SID to be used after...
Stored XSS in Preview title
Description There is accumulated XSS in the preview title of the page. Proof of Concept Step 1. Log in to the administrator screen and create a new page. Step 2. Insert "Browse preview" from "Add new block" and specify Payload in "Preview title". Step 3. When you access the preview screen in the...
CWE-521: Weak Password Requirements
Description Users at this moment can set really weak password like 123. Proof of Concept Go to register page and set really weak password like 123, see allowed - registered in. For example, go to https://sandbox.openedx.org/register?next=/dashboard , type '1' see info 'This password is too short...
Business Logic Error - letting the Name Field blank
Hello, I was able to bypass the restriction for setting an admin username and letting the username via spaces blank. Let's have a look. As you can see the name is with a red star and therefore required to be filled. Now we will add2 spaces and let the username blank and save. As you can see all t...
youtube service is vulnerable to XSS vulnerability
Description If an attacker is able to insert a div with attributes on a page where the youtube service is enabled, they can craft a width attribute that would allow them to execute arbitrary JS on the page. Other attributes like theme or controls are also vulnerable to this. Proof of Concept html...
Stored XSS via user's Full Name
Description The user's full name is rendered as HTML during user deletion. This enables an user to add Javascript code in the username which when can be executed in admin's webpage during user deletion. Proof of Concept - Login as a normal user and change the Full name to: javascript "...
Stored XSS at Search page
Description Create new item with XSS payload. Then go to Search page, XSS vulnerability will be trigger. Proof of Concept https://drive.google.com/file/d/1OB11FmQvy2-qRI9r1BlavKUxJ4kaMjp/view?usp=sharing Acknowledge Tran Van Nhan from bl4ckh0l3 of GalaxyOne...
IDOR in message deletion
Description user can delete others's message. we know the report https://huntr.dev/bounties/24ae402f-220f-41c6-962e-47c26938986e/ , but we find that we do not fix one case. Proof of Concept 1 user1 send admin a greeting card1 2 user2 send admin a greeting card2 3 user1 delete his message related ...
Users can order Add-Ons Separately
Description I find a requirement that addons must be purchased in conjunction with a product. However, a vulnerability has been discovered where an attacker can modify the product ID during the order process, allowing them to bypass the main product order requirement and directly purchase the...
Stored XSS via file upload in FireFox
Description Upload html file containing XSS payload. Payload ' On opening and refreshing the page, XSS payload executes in Firefox. Proof of Concept https://drive.google.com/file/d/1Irkg0u-8DcEizRSN3xE87ezEWmp0L4j/view?usp=sharing...
we can still send the photo as greeting card even the albums is locked
1 admin create a album and upload a photo 2 member-1 login and send the photo as greeting card to member-2 3 member-1 use burpsuite hijack the request, which can be like POST /admprogram/modules/ecards/ecardsend.php HTTP/1.1...
Stored XSS on user's name
Description Paste the payload XSS into the Name or Last name field. XSS vulnerability will trigger. Proof of Concept https://drive.google.com/file/d/1hoZkCxzTQbcIDy28hKJyjyrOD1Pcaaz0/view?usp=sharing...
Cross-Site Scripting (Stored XSS)
Description With Association's board role, i can add a new web link. But, when i create a link, in Link name input field can insert an onfocus/autofocus attribute because do not processing for double quote. Proof of Concept 1. Login by account with Association's board role 2. Access funtion Web...
File Path Traversal Vulnerability
Description in the file adminautoupdate.php php elseif $page == 'extract' if isset$POST'send' && $POST'send' == 'send' $toExtract = isset$POST'archive' ? $POST'archive' : null; $localArchive = Froxlor::getInstallDir . '/updates/' . $toExtract; $log-logActionFroxlorLogger::ADMACTION, LOGNOTICE,...
Stored cross-site scripting via RSS feed
Description Due to the improper handling of RSS titles in inc/parser/xhtml.php, a malicious RSS feed can be used to inject arbitrary HTML elements into the page, resulting in cross-site scripting. inc/parser/xhtml.php line 1292-1294 javascript else $this-doc .= ' '.$item-gettitle; Proof of Concep...
Stored HTML injection in folderName affecting Admin
Description Here FolderName field is vulnerable to HTML injection, a malicious user could potentially rename a folder with a payload containing malicious code. This could result in an attack on the admin who edits the folder, as the payload could execute upon the admin's interaction with the...
No rate limit on send report functionality results in an email spam
Description There is no rate limit on the send report feature on the https://rdiffweb-dev.ikus-soft.com/prefs/notification endpoint , which allows an attacker to spam the victims mailbox Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/notification 2 Click on daily frequency for...
XML.php JSONP hijacking
Description The XML.php file has a JSONP hijacking vulnerability. When a user visits a page carefully crafted by the attacker, the JSON data is obtained and sent to the attacker. Proof of Concept We created an HTML file as a proof of concept to showcase the vulnerability. This HTML file will...
SQL Injection in ajax_data.php
Description An administrator user can use different operations and parameters to execute SQL queries. -customerId on operations getCustomerPaymentInfo and getCustomerStatementInfo. -empId on operations getEmpSalaryData, getEmpLoanLoanData, getEmployeeAdvancePaymentsData. -companyid on operation...
Broken Rate Limiting
Description The request rate limiting feature on the login page can be bypassed. If we look at the code in src/Controller/Frontend/Account/LoginAction.php php $this-rateLimit-checkRequestRateLimit$request, 'login', 30, 5; We see that checkRequestRateLimit is invoked with a restriction of a maxmim...
IDOR make users can delete others' subscription
Proof of Concept 1 user1 create subscription1 2 user2 create subscription2 3 user2 delete subscription2 4 user2 use burpsuite hiajck the request 5 the request URL can be DELETE /inlong/manager/api/consume/delete/2 6 change the request :DELETE /inlong/manager/api/consume/delete/1 1 is the id of...
attackers can change the immutable name and type of cluster
Proof of Concept 1 admin creates a cluster 2 admin adds user1 as one owner 3 attack login as user1 4 user1 edit the the cluster 5 user1 finds that the name and type can not be changed. 6 user1 still edits the cluster and using the burpsuit to hijack the request 7 the request content can be like...
attack can change the immutable name and type of nodes
1 admin create a node 2 add user1 as one owner 3 login as user1 4 user1 edit the the node 5 user1 finds that the name and type can not be changed. 6 user1 still edit the node and using the burpsuit to hijack the request 7 the request content can be like...
Stored XSS on function item with folder
Description Create two account and allow same folder. \ one account create a new item in folder. in description parameter select code view and paste payload XSS.\ Save and click on item will show a alert XSS. Other account login and view folder click on item and see a alert XSS Proof of Concept g...
Insufficient Session Expiration
Description User session are still vaild when users is deleted or password is changed Proof of Concept 1 user1 login in browser1 2 admin delete user1 in browser2 3 user1 can still do anyting...
CSRF leading to delete Client API in API clients management
Description wallabag was discovered to contain a Cross-Site Request Forgery CSRF which allows attackers to arbitrarily delete API key via client/delete/id Proof of Concept history.pushState'', '', '/'; document.forms0.submit;...
XSS @ group
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code: if $groupAction == 'addsave' && $user-perm-hasPermission$user-getUserId, 'addgroup' $user =...
Server Side Template Injection
Description alf-event is vulnerable to Server Side Template Injection via angular Proof of Concept VIDEO: With an authenticated user, access the admin panel. Create a organization and then Go to users and create new user having username 77 in that organization Now login with this username and you...
Stored XSS on Configuration Version
Description In a form version that appears to have no validation, it means that the website or application is not properly checking user inputs for malicious code before storing it in the database. This lack of validation allows an attacker to inject their own malicious script, which can then be...
XSS in HTML-Tags
Description Cross site scripting vulnerability in pimcore/pimcore in HTML-Tags of "SEO & Settings" Proof of Concept 1. Login in stable account URL : https://demo.pimcore.fun/admin/?dc=1675166039&perspective= 2. Go to Home --- SEO & Settings 3. Enter Payload in HTML-Tags For More Understanding...
Reflected XSS
Description Reflected Cross-Site Scripting XSS vulnerability in LibreNMS 22.12.0 - Fri Dec 30 2022 10:11:51 GMT+0100 allows attackers to execute arbitrary external javascript code in the browser affected from /ports/group parameter. 1. Login 2. Navigate PoC link Proof of Concept...
SQL Injection in search function
Description In the search function \ \ \ \ With options recentplayed, user input is taken directly into the query without being included in the prepare statement \ \ \ Proof of Concept POST /ampache-5.5.6allphp7.4/public/search.php?type=song HTTP/1.1 Host: localhost:8888 User-Agent: Mozilla/5.0...
Stored XSS in Add new question
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. steps 1-log in as an admin user first. 2-go to :...