4072 matches found
Username field are not unique to users allowing exploitation of primary key logic by creating same name with different combinations & unauthorized access
Description The username fields while creating a user Role is same which should not be the case, the username should be made unique. Proof of Concept 1. Login to Demo account at https://rdiffweb-demo.ikus-soft.com/login/ 2. Enter the username and password as admin: admin123 respectively. 3. visit...
Cookie without Secure attribute
Description At the moment, memossession has the value false at secure flag. Proof of Concept 1. Access to web demo https://demo.usememos.com/ 2. Use browser's dev tool to check the cookie, we can see there is a memossession having value false at Secure...
Html Injection in Activity
Description Html injection in Activity and just only need html payload in workflow and fire in Activity list Proof of Concept 1. navigate to dashboard and workflow settings 2. insert new workflow with this payload test 3. open the activity list POC:...
Cross-site scripting
Description memos allow users to upload file and make it public to others. But if the file is html with below content, xss attack can happen. Proof of Concept // PoC.js alert"warning";...
SQL Injection inside instance name leads to Remote Code Execution
📜 Description SQL injection SQLi is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other...
Account Takeover
Description A malicious actor can setup a website on vercel.app with the vercel.app domain, after that, they can change the subdomain to something containing modrinth, This will allow a open redirect on https://api.modrinth.com/v2/auth/init?url=ATTACKERURL, allowing stealing the github token whic...
Virual defacement allows attacker to display any message of his choice
Description This attack involves injecting malicious data into a page of a web application to feed misleading information to users of the application. This kind of attack is known as virtual defacement because the actual content hosted on the target's web server is not modified. The defacement is...
Reflected XSS via rp4wp_parent
Description The rp4wpparent value is echoed without encoding, leading to reflected XSS. Proof of Concept Install wordpress, install the "Related Posts for WordPress" plugin, then visit the following URL, where localhost is the server hosting the app:...
Error page is default and leak error information
Description Information is leak in error page and this can support for other vulnerabilities. Proof of Concept Whenever trying to input anything meaningless after the link https://rdiffweb-demo.ikus-soft.com/ the error page will appear. Example: https://rdiffweb-demo.ikus-soft.com/...
Session_id without Secure attribute
Description User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Proof of Concept Open the browser and access to the website, in this scenario I use the demo website. Check the cooki...
Account Takeover
Description hacker can invite any user to team and with the bug i report it before can accept the invitation ..... hacker can add user in group to give them new permission in team...... when hacker visit the team can see private info for victim as and the hash password many token and more...
User Enumeration via Response Timing
Description There is a significant timing difference in the login functionality of the Nakama Console for valid and invalid email addresses or usernames. Proof of Concept 1. Login to the Nakama Console as admin and create a User [email protected] 2. Logout 3. Attempt a Login with an incorrect passwor...
Cross Site Scripting (reflected) on fee_sheet_ajax.php
Description When testing the app for XSS we found out that the feesheetajax.php endpoint is actually vulnerable to an XSS exploit. PoC 1. visit https:///interface/forms/feesheet/review/feesheetajax.php?task=retrieve&mode=encounters&prevencounter=%3Cimg%20src%3da%20onerror%3dalertdocument.cookie%3...
Insufficient Session Expiration
Description Insufficient Session Expiration is when a website permits an attacker to reuse old session credentials or session IDs for authorization. Proof of Concept Steps to reproduce 1- Login into http://127.0.0.1:5000/login/ OctoPrint. 2- Open browser in the incognito tab or open another brows...
Weak Password Change Mechanism
Description When setting a new user password it does not require knowledge of the original password Current password not required Proof of Concept 1. Log in as a regular user 2. Navigate: https://book.dansmonorage.blue/preferences/password 3. Enter any password string...
Documents in trash accessible by Viewer role
Description Once a document is archived or deletec, there is no way to access it through the UI or the Document link. But, the API gives the file information and content. This is same with archived files. Proof of Concept 1. Give a user Viewer role. 2. Visit https://your.getoutline.com/trash or...
Cross-site scripting - Stored via upload ".xlr" file
Description In file upload function, the server allow upload .xlr file with contain some javascript code lead to XSS. Proof of Concept REQUEST POST /demo/plupload HTTP/1.1 Host: demo.microweber.org Cookie: laravelsession=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb;...
Allows large characters in change password filling
Description The titra application allows large characters to insert in the input field "password" at password change feature which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Login and go to profile or https://app.titra.io/profile 2. Using...
Allows large characters in password filling
Description The titra application allows large characters to insert in the input field "password" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Register a new account or go to https://app.titra.io/join?email= 2. Fill a normal email, fil...
A stored XSS in dolibarr/htdocs/admin/accountant.php
Description I found a stored XSS in the admin/accountant.php, the field town, name, Accountant code can escape the double quote. In the path 'dolibarr/htdocs/main.inc.php' has a WAF, we can not inject any the javascript onxxx event. However, in the path...
chafa <= 4bac1466 is vulnerable to an out of bounds read vulnerability.
chafa = 4bac1466 is vulnerable to an out of bounds read vulnerability. Building Build chafa with ASANaddress sanitizer sh $ git rev-parse HEAD 4bac14668535c09f6f47552bbd1566097dab4bf8 $ export CFLAGS="-g -O0 -fsanitize=address"; export CXXFLAGS="-g -O0 -fsanitize=address"; export CC=$which...
Cross-site Scripting (XSS) - Stored
Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. Proof of Concept 1.Access demo website https://demo.syspass.org and login with an account. 2.Create new account, in URL/IP field - input https://google.com"...
Server-Side Request Forgery via upload image gallery
Description Upload image to gallery, the server use filegetcontents function to load image via data scheme url, so attacker can modify this url to any URL like http to send ability request to any URL , and file to read local file, ... Proof of Concept POST /index.php?q=/api/leadmall/gallery...
Able to create an user with a long password as well as long username
Issue Description: Any admin may able to create and allocate user the credentials but when admin creates a user account where as the fields with the first name , last name and password has no defined length limit where as this scenario causes the application level DOS to the snipe-it What's the...
RCE due to a dependency confusion
Description Hi team, I hope you are well. I found a dependency confusion vulnerability in this repo. When I analyzed your repo, I found a Makefile which install a dependency : https://github.com/bits-and-blooms/bloom/blob/25ba46ef8744ddeba999dcd048dbb8b0fa87edb3/MakefileL188 go get...
Server-Side Request Forgery in scout
Description Server-Side Request Forgery in remotecors Proof of Concept GET /remote/cors/http://:8888 HTTP/1.1 Host: localhost:8000 User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:100.0 Gecko/20100101 Firefox/100.0 Accept:...
Refelect XSS in facturascripts
Description facturascripts is vulnerable to XSS in fsNick parameter Proof of Concept save this code as poc.html history.pushState'', '', '/' document.forms0.submit; open file with your browser - xss trigger...
Mass Assignment Leading to (Limited) Password Confirmation Bypasses at UsersController
Description Hello there! Hope you are having an amazing day! 🤗 Just found out, while testing one of diaspora\ open servers, that the /user/edit endpoint has a limited case of "mass assignment", which enables an authenticated user to change their password and disable 2FA or change its secret witho...
Stored xss bug
Description stored xss bug Proof of Concept create a public repo and create a issue .\ now in issue upload a html file with xss payload inside.\ When any user view the repo and click the attachment link then xss is executed .\ you can upload...
Stored Cross Site Scripting vulnerability in Item name parameter
Description Stored cross site scripting vulnerability on Item name parameter in Assest module. Add payload in item name and whenever the user add the item in his requested assest . The alert will trigger. Proof of Concept 1. Login to the demo account 2. Go to Asset functionality , add or edit an...
XSS affecting "Logs" Page
Description A review of organizr's logging system found it is possible for an unauthenticated threat actor to inject arbitrary JavaScript into the "Logs" page found within the administrator dashboard. In a default installation organizr is set to log failed login attempts. In these attempts, the...
Use-After-Free in str_escape in mruby/mruby
Affected commit: 60cf382ff9765e36b21143d79688a3e758b66fd4 Proof of Concept ruby= v11 = '1111111111111111111111111111' v17 = 1=1, 2 = 'b' , '3' = 1 v20 = 1,2,3,4,5,6,7,8,9,10,11,12,13,14.findall do 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17.sortby do Hash.initialize|| .instanceexec do end "".chop d...
Use After Free in op_is_set_bp
Description Heap use after free in opissetbp function. ASAN report: ================================================================= ==2367298==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000481a0 at pc 0x7f580c10da41 bp 0x7ffd53a17ed0 sp 0x7ffd53a17ec0 READ of size 8 at...
Improper Authorization
Description When Gitea is build and configured for PAM authentification it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling an...
Business Logic Errors
Description In Dolibarr v14.0.5, any low privileged users could update their login name which should only be updated by admin. Proof of Concept POST /dolibarr/user/card.php?id=2 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:97.0 Gecko/20100101 Firefox/97.0...
Business Logic Errors
Description I found a IDOR vulnerability where we can able to delete their product in the cart by the id parameter Steps to Produce: First add any product in to the cart and checkout In the checkout page , we can see the cart details and we have functionality to delete the product also I gave the...
Cross-site Scripting (XSS) - Stored in helloxz/onenav
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Open Redirect in microweber/microweber
Description An Open Redirect vulnerability enables attacker to redirect the victims/users to malicious websites. The bug exists due to improper fix of https://huntr.dev/bounties/c9d586e7-0fa1-47ab-a2b3-b890e8dc9b25/. By adding an extra slash / the previous fix can be bypassed. Proof of Concept...
Exposure of Sensitive Information to an Unauthorized Actor in transloadit/uppy
Description First thanks to my friend Haxatron for this awsome report I review the @uppy/companion code from the source to the sink, and I figure out a significant issue that makes any SSRF protection Effectless. I put myself as a Developer and started to read the companion document, and then I s...
Business Logic Errors in publify/publify
Description It was found that if a user tries to create an article, and want to make that article private, the functionality is not working. Proof of Concept 1. Create an article 2. Click on publish and you will see the option to visibility to make it private, but functionality is not designed...
Improper Authorization in liukuo362573/yishaadmin
Description When downloading files using the /admin/File/DownloadFile?filePath= URI, you're able to download any file you want, as long as you know the path of the file, even as an unauthenticated user. This means that an unauthenticated user could download the /etc/passwd/ file or any file that...
Improper Privilege Management in liukuo362573/yishaadmin
Description Hi there, there is another improper privilege management in /admin/OrganizationManage/Position/GetFormJson Proof of Concept 1. Access the link http://106.14.124.170:80/admin/OrganizationManage/Position/GetFormJson?id=16508640061130139 2. See that the page return with position data...
Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web
Description There is a reflected XSS vulnerability on the site calibre-web. Proof of Concept 1. go to the calibre e-book management 2. create a new book give the title name 3. and give the title sort name 4. save and go to the website 5.go to Author 6.press one of the books 7. then right click an...
in mruby/mruby
Description There is a NULL Pointer Dereference in preparesingletonclass src/class.c:360:13. This bug has been found on mruby lastest commit hash 171d32c0071d776207174a40a8fa26def3dbb931 on Ubuntu 20.04 for x8664/amd64. Proof of Concept 1.timesb= a=0 0,m:0 c=0=0,nil=nil0 def mend def c.eend Steps...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description A CSRF issue is found in the SettingsLive help configurationCanned Messages. It was found that no CSRF token validation is getting done as no CSRF token is getting passed with the request. Also while generating statistics, the action is done through GET method with no CSRF token. Two...
Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite
Description Hello phoronix test suite maintainer team, there is a Cross site request forgery vulnerability in phoronix test suite. Proof of Concept 1. Install phoronix test suite on your system 2. Create a test suite 3. Open another tab in browser and go to the link /?localsuites/delete/-1.0.0, f...
Improper Access Control in snipe/snipe-it
Description All bulk actions bulk-edit / bulk-delete / form info in asset models do not have access control checks Proof of concept 1: Grant view to Asset Models 2: UI for bulk-edit and bulk-delete is still enabled, proceed. 3: You may bulk-delete / edit any asset model Impact This vulnerability ...
Path Traversal in konloch/bytecode-viewer
Description the.bytecode.club:Bytecode-Viewer is a lightweight user-friendly Java/Android Bytecode Viewer, Decompiler & More. Affected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction AKA "Zip Slip". The vulnerability is exploited using a specially crafted...
Improper Access Control in chocobozzz/peertube
Description Unauthenticated users can obtain the caption of private videos Proof of Concept 1: First, create a private video and upload a caption 2: As an unauthenticated user, logout and visit the /api/v1/videos/1/captions 3: The response should return a lazy-static URL...
Server-Side Request Forgery (SSRF) in rodber/chevereto-free
Description There was some hardening done previously against private IP addresses in the SSRF vulnerability I disclosed in the previous report https://github.com/rodber/chevereto-free/. However the checks can be bypassed by URL redirection. Proof of Concept If http://example.com resolves to a...