4072 matches found
Reflected XSS via rp4wp_parent
Description The rp4wpparent value is echoed without encoding, leading to reflected XSS. Proof of Concept Install wordpress, install the "Related Posts for WordPress" plugin, then visit the following URL, where localhost is the server hosting the app:...
Error page is default and leak error information
Description Information is leak in error page and this can support for other vulnerabilities. Proof of Concept Whenever trying to input anything meaningless after the link https://rdiffweb-demo.ikus-soft.com/ the error page will appear. Example: https://rdiffweb-demo.ikus-soft.com/...
Session_id without Secure attribute
Description User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Proof of Concept Open the browser and access to the website, in this scenario I use the demo website. Check the cooki...
Account Takeover
Description hacker can invite any user to team and with the bug i report it before can accept the invitation ..... hacker can add user in group to give them new permission in team...... when hacker visit the team can see private info for victim as and the hash password many token and more...
User Enumeration via Response Timing
Description There is a significant timing difference in the login functionality of the Nakama Console for valid and invalid email addresses or usernames. Proof of Concept 1. Login to the Nakama Console as admin and create a User [email protected] 2. Logout 3. Attempt a Login with an incorrect passwor...
Cross Site Scripting (reflected) on fee_sheet_ajax.php
Description When testing the app for XSS we found out that the feesheetajax.php endpoint is actually vulnerable to an XSS exploit. PoC 1. visit https:///interface/forms/feesheet/review/feesheetajax.php?task=retrieve&mode=encounters&prevencounter=%3Cimg%20src%3da%20onerror%3dalertdocument.cookie%3...
Insufficient Session Expiration
Description Insufficient Session Expiration is when a website permits an attacker to reuse old session credentials or session IDs for authorization. Proof of Concept Steps to reproduce 1- Login into http://127.0.0.1:5000/login/ OctoPrint. 2- Open browser in the incognito tab or open another brows...
Documents in trash accessible by Viewer role
Description Once a document is archived or deletec, there is no way to access it through the UI or the Document link. But, the API gives the file information and content. This is same with archived files. Proof of Concept 1. Give a user Viewer role. 2. Visit https://your.getoutline.com/trash or...
Cross-site scripting - Stored via upload ".xlr" file
Description In file upload function, the server allow upload .xlr file with contain some javascript code lead to XSS. Proof of Concept REQUEST POST /demo/plupload HTTP/1.1 Host: demo.microweber.org Cookie: laravelsession=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb;...
Allows large characters in change password filling
Description The titra application allows large characters to insert in the input field "password" at password change feature which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Login and go to profile or https://app.titra.io/profile 2. Using...
Allows large characters in password filling
Description The titra application allows large characters to insert in the input field "password" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Register a new account or go to https://app.titra.io/join?email= 2. Fill a normal email, fil...
A stored XSS in dolibarr/htdocs/admin/accountant.php
Description I found a stored XSS in the admin/accountant.php, the field town, name, Accountant code can escape the double quote. In the path 'dolibarr/htdocs/main.inc.php' has a WAF, we can not inject any the javascript onxxx event. However, in the path...
chafa <= 4bac1466 is vulnerable to an out of bounds read vulnerability.
chafa = 4bac1466 is vulnerable to an out of bounds read vulnerability. Building Build chafa with ASANaddress sanitizer sh $ git rev-parse HEAD 4bac14668535c09f6f47552bbd1566097dab4bf8 $ export CFLAGS="-g -O0 -fsanitize=address"; export CXXFLAGS="-g -O0 -fsanitize=address"; export CC=$which...
Cross-site Scripting (XSS) - Stored
Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. Proof of Concept 1.Access demo website https://demo.syspass.org and login with an account. 2.Create new account, in URL/IP field - input https://google.com"...
Server-Side Request Forgery via upload image gallery
Description Upload image to gallery, the server use filegetcontents function to load image via data scheme url, so attacker can modify this url to any URL like http to send ability request to any URL , and file to read local file, ... Proof of Concept POST /index.php?q=/api/leadmall/gallery...
Able to create an user with a long password as well as long username
Issue Description: Any admin may able to create and allocate user the credentials but when admin creates a user account where as the fields with the first name , last name and password has no defined length limit where as this scenario causes the application level DOS to the snipe-it What's the...
RCE due to a dependency confusion
Description Hi team, I hope you are well. I found a dependency confusion vulnerability in this repo. When I analyzed your repo, I found a Makefile which install a dependency : https://github.com/bits-and-blooms/bloom/blob/25ba46ef8744ddeba999dcd048dbb8b0fa87edb3/MakefileL188 go get...
Refelect XSS in facturascripts
Description facturascripts is vulnerable to XSS in fsNick parameter Proof of Concept save this code as poc.html history.pushState'', '', '/' document.forms0.submit; open file with your browser - xss trigger...
Mass Assignment Leading to (Limited) Password Confirmation Bypasses at UsersController
Description Hello there! Hope you are having an amazing day! 🤗 Just found out, while testing one of diaspora\ open servers, that the /user/edit endpoint has a limited case of "mass assignment", which enables an authenticated user to change their password and disable 2FA or change its secret witho...
Stored xss bug
Description stored xss bug Proof of Concept create a public repo and create a issue .\ now in issue upload a html file with xss payload inside.\ When any user view the repo and click the attachment link then xss is executed .\ you can upload...
Stored Cross Site Scripting vulnerability in Item name parameter
Description Stored cross site scripting vulnerability on Item name parameter in Assest module. Add payload in item name and whenever the user add the item in his requested assest . The alert will trigger. Proof of Concept 1. Login to the demo account 2. Go to Asset functionality , add or edit an...
XSS affecting "Logs" Page
Description A review of organizr's logging system found it is possible for an unauthenticated threat actor to inject arbitrary JavaScript into the "Logs" page found within the administrator dashboard. In a default installation organizr is set to log failed login attempts. In these attempts, the...
Use-After-Free in str_escape in mruby/mruby
Affected commit: 60cf382ff9765e36b21143d79688a3e758b66fd4 Proof of Concept ruby= v11 = '1111111111111111111111111111' v17 = 1=1, 2 = 'b' , '3' = 1 v20 = 1,2,3,4,5,6,7,8,9,10,11,12,13,14.findall do 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17.sortby do Hash.initialize|| .instanceexec do end "".chop d...
Use After Free in op_is_set_bp
Description Heap use after free in opissetbp function. ASAN report: ================================================================= ==2367298==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000481a0 at pc 0x7f580c10da41 bp 0x7ffd53a17ed0 sp 0x7ffd53a17ec0 READ of size 8 at...
Improper Authorization
Description When Gitea is build and configured for PAM authentification it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling an...
Server-Side Request Forgery (SSRF)
Description youtube-downloader takes an URL from the url query parameter, passes it directly to curl and streams the response to the browser. This makes it vulnerable to an SSRF attack if someone passes an URL containing an internal hostname, as it will stream internal resources to the browser...
Business Logic Errors
Description In Dolibarr v14.0.5, any low privileged users could update their login name which should only be updated by admin. Proof of Concept POST /dolibarr/user/card.php?id=2 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:97.0 Gecko/20100101 Firefox/97.0...
Business Logic Errors
Description I found a IDOR vulnerability where we can able to delete their product in the cart by the id parameter Steps to Produce: First add any product in to the cart and checkout In the checkout page , we can see the cart details and we have functionality to delete the product also I gave the...
Cross-site Scripting (XSS) - Stored in helloxz/onenav
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Open Redirect in microweber/microweber
Description An Open Redirect vulnerability enables attacker to redirect the victims/users to malicious websites. The bug exists due to improper fix of https://huntr.dev/bounties/c9d586e7-0fa1-47ab-a2b3-b890e8dc9b25/. By adding an extra slash / the previous fix can be bypassed. Proof of Concept...
Exposure of Sensitive Information to an Unauthorized Actor in transloadit/uppy
Description First thanks to my friend Haxatron for this awsome report I review the @uppy/companion code from the source to the sink, and I figure out a significant issue that makes any SSRF protection Effectless. I put myself as a Developer and started to read the companion document, and then I s...
Business Logic Errors in publify/publify
Description It was found that if a user tries to create an article, and want to make that article private, the functionality is not working. Proof of Concept 1. Create an article 2. Click on publish and you will see the option to visibility to make it private, but functionality is not designed...
Improper Authorization in liukuo362573/yishaadmin
Description When downloading files using the /admin/File/DownloadFile?filePath= URI, you're able to download any file you want, as long as you know the path of the file, even as an unauthenticated user. This means that an unauthenticated user could download the /etc/passwd/ file or any file that...
Improper Privilege Management in liukuo362573/yishaadmin
Description Hi there, there is another improper privilege management in /admin/OrganizationManage/Position/GetFormJson Proof of Concept 1. Access the link http://106.14.124.170:80/admin/OrganizationManage/Position/GetFormJson?id=16508640061130139 2. See that the page return with position data...
Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web
Description There is a reflected XSS vulnerability on the site calibre-web. Proof of Concept 1. go to the calibre e-book management 2. create a new book give the title name 3. and give the title sort name 4. save and go to the website 5.go to Author 6.press one of the books 7. then right click an...
in mruby/mruby
Description There is a NULL Pointer Dereference in preparesingletonclass src/class.c:360:13. This bug has been found on mruby lastest commit hash 171d32c0071d776207174a40a8fa26def3dbb931 on Ubuntu 20.04 for x8664/amd64. Proof of Concept 1.timesb= a=0 0,m:0 c=0=0,nil=nil0 def mend def c.eend Steps...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description A CSRF issue is found in the SettingsLive help configurationCanned Messages. It was found that no CSRF token validation is getting done as no CSRF token is getting passed with the request. Also while generating statistics, the action is done through GET method with no CSRF token. Two...
Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite
Description Hello phoronix test suite maintainer team, there is a Cross site request forgery vulnerability in phoronix test suite. Proof of Concept 1. Install phoronix test suite on your system 2. Create a test suite 3. Open another tab in browser and go to the link /?localsuites/delete/-1.0.0, f...
Improper Access Control in snipe/snipe-it
Description All bulk actions bulk-edit / bulk-delete / form info in asset models do not have access control checks Proof of concept 1: Grant view to Asset Models 2: UI for bulk-edit and bulk-delete is still enabled, proceed. 3: You may bulk-delete / edit any asset model Impact This vulnerability ...
Path Traversal in konloch/bytecode-viewer
Description the.bytecode.club:Bytecode-Viewer is a lightweight user-friendly Java/Android Bytecode Viewer, Decompiler & More. Affected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction AKA "Zip Slip". The vulnerability is exploited using a specially crafted...
Improper Access Control in chocobozzz/peertube
Description Unauthenticated users can obtain the caption of private videos Proof of Concept 1: First, create a private video and upload a caption 2: As an unauthenticated user, logout and visit the /api/v1/videos/1/captions 3: The response should return a lazy-static URL...
Server-Side Request Forgery (SSRF) in rodber/chevereto-free
Description There was some hardening done previously against private IP addresses in the SSRF vulnerability I disclosed in the previous report https://github.com/rodber/chevereto-free/. However the checks can be bypassed by URL redirection. Proof of Concept If http://example.com resolves to a...
Business Logic Errors in tsolucio/corebos
Description The application is vulnerable to Business Logic error through negative product amount. Proof of Concept Step 1: Login into the application https://demo.corebos.com/index.php?action=Login&module=Users Step 2: Navigate to Inventory - Product - Edit any product. Step 3: Now enter an amou...
Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
in combodo/itop
Proof of Concept Bellow request is vulnerable to csrf attack history.pushState'', '', '/' document.forms0.submit;...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description CSRF in switching transactions link Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to switch transaction links...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Description cross site request forgery vulnerability is present in delete functionality of doctor feature. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of delete the existing logs...
Path Traversal in bookstackapp/bookstack
Description During reading recent BookStack source code 85dc8d I discovered path traversal vulnerability. Authenticated user can have access to all files stored in storage directory. Proof of Concept GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1 Host: 172.17.0.1:8888 User-Agent:...
Cross-Site Request Forgery (CSRF) in area17/twill
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
in firefly-iii/firefly-iii
Description Firefly 3 allows users to register OAuth clients. However, Firefly allows duplicate client names to be registered into the application. Hence, attackers from a different account assuming registration is enabled can register a client with duplicate client name and trick the user into...