4072 matches found
Code Injection in swooningfish/ffmpeg-web-gui
Description The ffmpeg-web-gui project is a simple video converter written in PHP which uses the ffmpeg command to convert videos in HTML formats. The issue arises at the following line: https://github.com/swooningfish/ffmpeg-web-gui/blob/master/upload-and-convert.phpL176. The arbitrary command...
Code Injection in keymetrics/vizion
Overview The issue is an RCE triggerable via the module. This is possible because in the https://github.com/keymetrics/vizion/blob/master/lib/git/git.jsL228 line, the git reset --hard command is concatenated with a unsanitized input: js var command = cliCommandargs.folder, "git reset --hard " +...
Authorization Bypass in SearchModelVersions Allows Any Authenticated User to Enumerate All Model Versions Regardless of Permissions
Summary MLflow's SearchModelVersions REST API endpoint GET /api/2.0/mlflow/model-versions/search and GraphQL query mlflowSearchModelVersions lack per-model authorization checks when basic auth is enabled. Any authenticated user can enumerate ALL model versions across ALL registered models,...
new 3 SEGV in MP4Box
Description new 3 SEGV in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic 3322.04.1-Ubuntu SMP PREEMPTDYNAMIC Thu Sep 7 10:33:52 UTC 2 x8664 x8664 x8664 GNU/Linux Reproduce ./MP4Box -das...
2 stack-buffer-overflow in MP4Box
Description 2 stack-buffer-overflow in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic 3322.04.1-Ubuntu SMP PREEMPTDYNAMIC Thu Sep 7 10:33:52 UTC 2 x8664 x8664 x8664 GNU/Linux Reproduce...
CSRF Delete Categories
Description CSRF Delete Categories Proof of Concept 1 .Attack sends fake requests to users history.pushState'', '', '/'; document.forms0.submit; 2 .User clicks, deletes unwanted Categories Payload Poc https://drive.google.com/file/d/12cCzI-b9KLCRlND6MmjM6j-DJfTJiIt/view?usp=sharing Video Poc...
SSRF vulnerability in the vrite
Description This vulnerability can be used to leak remote server information, bypass CDN like cloudflare. Also it can be used to the SSRF attack. Proof of Concept Here we can use it to leak the real IP of the https://app.vrite.io. GET /proxy?url=https://your-vps-ip.nip.io/ HTTP/2 Host: app.vrite....
Improper validation of intent data received in TextViewerActivity allows opening of arbitrary files in hamza417/inure
Description Tested on Build89 of the Inure application. It was discovered that the application had an exported activity .activities.association.TextViewerActivity which accepted intent data via the file scheme + text/ mime type and opened the associated files from provided URI data string. The...
Store XSS in FAQ Multisites
Description I noticed, your website is very secure. But you overlooked a flaw XSS Proof of Concept 1 .Login vs admin demo account and access admin page. 2 .Go to Configuration == FAQ Multisites 3 . Edit Instance URL with payload: javascript:alertdocument.domain 4 .Edit Instance path with payload:...
left shift of negative value in scene_manager/swf_parse.c:213:12
Description left shift of negative value in MP4Box Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC...
Account takeover via password reset
Description An attacker could predict all future password reset tokens due to the use of RandomStringUtils.randomAlphanumeric in PasswordService. An attacker could crack the random number generator RNG seed from a password reset token, then perform password resets on their and the victim’s...
Session Fixation
Description Session fixation allows an attacker to impersonate a user by abusing an authenticated session ID SID. This attack can occur when a web application: •Fails to supply a new, unique SID to a user following a successful authentication •Allows a user to provide the SID to be used after...
Pre-Auth SQLi leading to RCE in Social Media Skeleton v1.0
Summary A SQL Injection vulnerability exists in Social Media Skeleton v1.0 via the username and password parameters in admin/login.php. Not to be confused with login.php, which properly escapes special characters. Issue Description SQL injection SQLi is a code injection technique used to attack...
Stored XSS in Preview title
Description There is accumulated XSS in the preview title of the page. Proof of Concept Step 1. Log in to the administrator screen and create a new page. Step 2. Insert "Browse preview" from "Add new block" and specify Payload in "Preview title". Step 3. When you access the preview screen in the...
CWE-521: Weak Password Requirements
Description Users at this moment can set really weak password like 123. Proof of Concept Go to register page and set really weak password like 123, see allowed - registered in. For example, go to https://sandbox.openedx.org/register?next=/dashboard , type '1' see info 'This password is too short...
Business Logic Error - letting the Name Field blank
Hello, I was able to bypass the restriction for setting an admin username and letting the username via spaces blank. Let's have a look. As you can see the name is with a red star and therefore required to be filled. Now we will add2 spaces and let the username blank and save. As you can see all t...
youtube service is vulnerable to XSS vulnerability
Description If an attacker is able to insert a div with attributes on a page where the youtube service is enabled, they can craft a width attribute that would allow them to execute arbitrary JS on the page. Other attributes like theme or controls are also vulnerable to this. Proof of Concept html...
Stored XSS via user's Full Name
Description The user's full name is rendered as HTML during user deletion. This enables an user to add Javascript code in the username which when can be executed in admin's webpage during user deletion. Proof of Concept - Login as a normal user and change the Full name to: javascript "...
Stored XSS at Search page
Description Create new item with XSS payload. Then go to Search page, XSS vulnerability will be trigger. Proof of Concept https://drive.google.com/file/d/1OB11FmQvy2-qRI9r1BlavKUxJ4kaMjp/view?usp=sharing Acknowledge Tran Van Nhan from bl4ckh0l3 of GalaxyOne...
IDOR in message deletion
Description user can delete others's message. we know the report https://huntr.dev/bounties/24ae402f-220f-41c6-962e-47c26938986e/ , but we find that we do not fix one case. Proof of Concept 1 user1 send admin a greeting card1 2 user2 send admin a greeting card2 3 user1 delete his message related ...
Security vulnerability in product bundling feature
Description Our e-commerce platform offers a bundled sales promotion feature, allowing an administrator to bind the sale of a product to an addon. However, we have identified a security vulnerability that exists in this feature. After an administrator cancels a bundle offer, users can still make...
Stored XSS via file upload in FireFox
Description Upload html file containing XSS payload. Payload ' On opening and refreshing the page, XSS payload executes in Firefox. Proof of Concept https://drive.google.com/file/d/1Irkg0u-8DcEizRSN3xE87ezEWmp0L4j/view?usp=sharing...
we can still send the photo as greeting card even the albums is locked
1 admin create a album and upload a photo 2 member-1 login and send the photo as greeting card to member-2 3 member-1 use burpsuite hijack the request, which can be like POST /admprogram/modules/ecards/ecardsend.php HTTP/1.1...
Stored XSS on user's name
Description Paste the payload XSS into the Name or Last name field. XSS vulnerability will trigger. Proof of Concept https://drive.google.com/file/d/1hoZkCxzTQbcIDy28hKJyjyrOD1Pcaaz0/view?usp=sharing...
Cross-Site Scripting (Stored XSS)
Description With Association's board role, i can add a new web link. But, when i create a link, in Link name input field can insert an onfocus/autofocus attribute because do not processing for double quote. Proof of Concept 1. Login by account with Association's board role 2. Access funtion Web...
File Path Traversal Vulnerability
Description in the file adminautoupdate.php php elseif $page == 'extract' if isset$POST'send' && $POST'send' == 'send' $toExtract = isset$POST'archive' ? $POST'archive' : null; $localArchive = Froxlor::getInstallDir . '/updates/' . $toExtract; $log-logActionFroxlorLogger::ADMACTION, LOGNOTICE,...
Stored cross-site scripting via RSS feed
Description Due to the improper handling of RSS titles in inc/parser/xhtml.php, a malicious RSS feed can be used to inject arbitrary HTML elements into the page, resulting in cross-site scripting. inc/parser/xhtml.php line 1292-1294 javascript else $this-doc .= ' '.$item-gettitle; Proof of Concep...
Stored HTML injection in folderName affecting Admin
Description Here FolderName field is vulnerable to HTML injection, a malicious user could potentially rename a folder with a payload containing malicious code. This could result in an attack on the admin who edits the folder, as the payload could execute upon the admin's interaction with the...
No rate limit on send report functionality results in an email spam
Description There is no rate limit on the send report feature on the https://rdiffweb-dev.ikus-soft.com/prefs/notification endpoint , which allows an attacker to spam the victims mailbox Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/notification 2 Click on daily frequency for...
XML.php JSONP hijacking
Description The XML.php file has a JSONP hijacking vulnerability. When a user visits a page carefully crafted by the attacker, the JSON data is obtained and sent to the attacker. Proof of Concept We created an HTML file as a proof of concept to showcase the vulnerability. This HTML file will...
Broken Rate Limiting
Description The request rate limiting feature on the login page can be bypassed. If we look at the code in src/Controller/Frontend/Account/LoginAction.php php $this-rateLimit-checkRequestRateLimit$request, 'login', 30, 5; We see that checkRequestRateLimit is invoked with a restriction of a maxmim...
IDOR make users can delete others' subscription
Proof of Concept 1 user1 create subscription1 2 user2 create subscription2 3 user2 delete subscription2 4 user2 use burpsuite hiajck the request 5 the request URL can be DELETE /inlong/manager/api/consume/delete/2 6 change the request :DELETE /inlong/manager/api/consume/delete/1 1 is the id of...
attackers can change the immutable name and type of cluster
Proof of Concept 1 admin creates a cluster 2 admin adds user1 as one owner 3 attack login as user1 4 user1 edit the the cluster 5 user1 finds that the name and type can not be changed. 6 user1 still edits the cluster and using the burpsuit to hijack the request 7 the request content can be like...
attack can change the immutable name and type of nodes
1 admin create a node 2 add user1 as one owner 3 login as user1 4 user1 edit the the node 5 user1 finds that the name and type can not be changed. 6 user1 still edit the node and using the burpsuit to hijack the request 7 the request content can be like...
Stored XSS on function item with folder
Description Create two account and allow same folder. \ one account create a new item in folder. in description parameter select code view and paste payload XSS.\ Save and click on item will show a alert XSS. Other account login and view folder click on item and see a alert XSS Proof of Concept g...
Multiple Stored XSS via mail parameter
Description In PhpMyFaq, while submitting a question, the mail parameter is accepting unsanitized user input which leads to Stored XSS vulnerability, executing on Admin Panel /admin/?action=question. Proof of Concept 1. Go to https://roy.demo.phpmyfaq.de/index.php?action=ask&categoryid=0 1. Fill ...
Insufficient Session Expiration
Description User session are still vaild when users is deleted or password is changed Proof of Concept 1 user1 login in browser1 2 admin delete user1 in browser2 3 user1 can still do anyting...
CSRF leading to delete Client API in API clients management
Description wallabag was discovered to contain a Cross-Site Request Forgery CSRF which allows attackers to arbitrarily delete API key via client/delete/id Proof of Concept history.pushState'', '', '/'; document.forms0.submit;...
XSS @ group
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code: if $groupAction == 'addsave' && $user-perm-hasPermission$user-getUserId, 'addgroup' $user =...
Server Side Template Injection
Description alf-event is vulnerable to Server Side Template Injection via angular Proof of Concept VIDEO: With an authenticated user, access the admin panel. Create a organization and then Go to users and create new user having username 77 in that organization Now login with this username and you...
Stored XSS on Configuration Version
Description In a form version that appears to have no validation, it means that the website or application is not properly checking user inputs for malicious code before storing it in the database. This lack of validation allows an attacker to inject their own malicious script, which can then be...
XSS in HTML-Tags
Description Cross site scripting vulnerability in pimcore/pimcore in HTML-Tags of "SEO & Settings" Proof of Concept 1. Login in stable account URL : https://demo.pimcore.fun/admin/?dc=1675166039&perspective= 2. Go to Home --- SEO & Settings 3. Enter Payload in HTML-Tags For More Understanding...
Reflected XSS
Description Reflected Cross-Site Scripting XSS vulnerability in LibreNMS 22.12.0 - Fri Dec 30 2022 10:11:51 GMT+0100 allows attackers to execute arbitrary external javascript code in the browser affected from /ports/group parameter. 1. Login 2. Navigate PoC link Proof of Concept...
SQL Injection in search function
Description In the search function \ \ \ \ With options recentplayed, user input is taken directly into the query without being included in the prepare statement \ \ \ Proof of Concept POST /ampache-5.5.6allphp7.4/public/search.php?type=song HTTP/1.1 Host: localhost:8888 User-Agent: Mozilla/5.0...
Stored XSS in Add new question
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. steps 1-log in as an admin user first. 2-go to :...
Username field are not unique to users allowing exploitation of primary key logic by creating same name with different combinations & unauthorized access
Description The username fields while creating a user Role is same which should not be the case, the username should be made unique. Proof of Concept 1. Login to Demo account at https://rdiffweb-demo.ikus-soft.com/login/ 2. Enter the username and password as admin: admin123 respectively. 3. visit...
Cookie without Secure attribute
Description At the moment, memossession has the value false at secure flag. Proof of Concept 1. Access to web demo https://demo.usememos.com/ 2. Use browser's dev tool to check the cookie, we can see there is a memossession having value false at Secure...
Html Injection in Activity
Description Html injection in Activity and just only need html payload in workflow and fire in Activity list Proof of Concept 1. navigate to dashboard and workflow settings 2. insert new workflow with this payload test 3. open the activity list POC:...
Cross-site scripting
Description memos allow users to upload file and make it public to others. But if the file is html with below content, xss attack can happen. Proof of Concept // PoC.js alert"warning";...
SQL Injection inside instance name leads to Remote Code Execution
📜 Description SQL injection SQLi is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other...