4072 matches found
stored XSS in the Category Field Name
Hello, After all XSS Mitigations, I detected a XSS Bypass Possibility in the Naming of the category. Let's see : ----------------- A stored XSS through this Payload Thank you for watching :...
Stored XSS on Configuration Version
Description In a form version that appears to have no validation, it means that the website or application is not properly checking user inputs for malicious code before storing it in the database. This lack of validation allows an attacker to inject their own malicious script, which can then be...
Complex xss to bypass protection
Description 1.First we login as a normal user, and then comment under a question, the content of the comment is 2.Then we login as an administrator user. And find the comment we just submitted, the administrator can click the edit button.Then the administrator Click "Save edits" without any...
Privilege Escalation in the Cockpit CMS
Description Hi, during my analyses I realized that it is possible to perform a privilege escalation by intercepting the request and changing the roles from "user" to "admin" becoming the application's administrator. Proof of Concept poc:...
Session Fixation in https://demo.froxlor.org/
Description The session ID not rotating even after relogin POC 1. Change the PHPSESSID=newsessionchanged and then login 2. Use the same session into new browser and as you can see logged into the account 3. you can try logout and login again the PHPSESSID doesn't change. Video POC:...
Improper Restriction of Rendered UI Layers or Frames
Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept http://localhost:8000/admin/ Response headers http HTTP/1.1 200 OK Server: gunicorn Date: Tue, 24 Jan 202...
No notification triggered on sensitive actions like adding SSH key
Description Adding SSH key is a sensitive action . As the application triggers a notification on all sensitive actions like email change/password reset , SSH key is also an important security feature to be notified about Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys 2 ...
XSS Stored inside Standard Interface Help Link href attribute
📜 Description Cross-site scripting XSS is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The persistent or stored XSS vulnerability is a more devastating variant of a...
Improper Name Validation in Upload Document Form
Description The name of any uploaded document can be manipulated using the destination parameter, to include new line characters in its name, breaking the execution of JS code in "New Documents" section from "Miscellaneous" menu, that will be blank until the document is removed from DB. Proof of...
Session does not expire on password reset
Description On changing password both session using which user changes password and old sessions in any other browser or device does not expire and remains active Proof of Concept 1.Go to https://rdiffweb-dev.ikus-soft.com/login/ and login into same account using browser A and B 2.From Browser B...
Reflected XSS via rp4wp_parent
Description The rp4wpparent value is echoed without encoding, leading to reflected XSS. Proof of Concept Install wordpress, install the "Related Posts for WordPress" plugin, then visit the following URL, where localhost is the server hosting the app:...
Multiple user accounts via same email and username
Description Nakama console does not validate uppercase/lowercase letters when creating a new user. This can be abused to create multiple user accounts with same email and username. Proof of Concept HTTP Request 1 request POST /v2/console/user HTTP/1.1 Host: 192.168.1.16:7351 Authorization: Bearer...
Improper Input Validation
Description At the team updatehttps://ripob47346.getoutline.com/api/team.update and user updatehttps://ripob47346.getoutline.com/api/users.update functions, avatarUrl was not verified as a correct url. The user can enter arbitrary values. Proof of Concept /api/team.update /api/users.update Result...
User Enumeration via Response Timing
Description There is a significant timing difference in the login functionality of the Nakama Console for valid and invalid email addresses or usernames. Proof of Concept 1. Login to the Nakama Console as admin and create a User [email protected] 2. Logout 3. Attempt a Login with an incorrect passwor...
cross site scripting - reflected
The reflected XSS vulnerability occurs to a flaw in the cleanxsstags function called in new.php of Gnuboard 5. 1. Open the https://sir.kr/bbs/new.php?darkmode=%22%3E%3Cscript%3Ealertdocument.domain%3C/script%3E 2. payload executing...
Cross-Site Request Forgery
Description The administrative /api/users registration endpoint is vulnerable to an Cross-Site Request Forgery attack due the lack of any kind of anti-CSRF token verification. Proof of Concept 1. 1 - An authenticated administrator visits an attacker-controllable website, in this case the PoC file...
No password brute-force protection on login page
Description The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible combination without any restriction. Proof of Concept 1. 1 - Send a login request of the target user POST /api/auth/token HTTP/1.1 Host: localhost:9091...
Cross-site Scripting (XSS)
Description ihatemoney is vulnerable to Cross-Site Scripting XSS when inviting people via email. Steps to reproduce 1.Go to https://ihatemoney.org/ and try out the demo. 2.In the bottom left, click on Invite people. 3.In the Send via Emails section, input the payload: into the People to notify...
Weak Password Change Mechanism
Description When setting a new user password it does not require knowledge of the original password Current password not required Proof of Concept 1. Log in as a regular user 2. Navigate: https://book.dansmonorage.blue/preferences/password 3. Enter any password string...
Uncontrolled Memory Allocation in function lodepng_realloc
Description Uncontrolled Memory Allocation in function lodepngrealloc at lodepng/lodepng.c:86 Version git log commit 06bb36ae2c9b9074e9736a2e25845a2e789cc4e6 HEAD - master, origin/master, origin/HEAD Author: Hans Petter Jansson Date: Fri Jul 1 01:06:00 2022 +0200 POC ./tools/chafa/chafa...
Threaded Race Condition in Authentication Allows Bypass of Authentication Attempt Restrictions
Description A threaded race condition exists in how the application handles authentication attempts in the application. The application recognizes and protects against single-threaded attempts with a five-attempt lockout function. By increasing threads in an authentication brute force attack it i...
Zammad's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks
Description Zammad relies on the rackattack.rb file to defend the application against various brute force attacks, including forgotten password requests, ticket submissions, etc. The currently utilized RackAttack.rb file's configuration attempts to prevent password reset requests per IP to 3 per...
NDIS Packet Buffer Overflow Due To Allocation/Copy Inconsistencies
Description Reading driver source code is a challenge because despite things appearing to be a vulnerability, there might be a single overlooked comment in MSDN's documentation for an obscure function that ensures that something isn't a vulnerability - in light of this challenge, I'm going to wal...
Privilege Escalation via edit response body
Description Recently, i found a business logic vulnerabity and this vulnerability allow reader user perform privilege escalation on allaccess user. Because before user perform any function, client-side will perform OPTIONS request to view user permission with specify function via response body. I...
Allows large characters in change password filling
Description The titra application allows large characters to insert in the input field "password" at password change feature which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Login and go to profile or https://app.titra.io/profile 2. Using...
Sensitive header uncleared on same-host, cross-port redirect
Description Sensitive headers are uncleared on cross-port redirect Proof of Concept poc.php 'http://10.0.2.4', ;...
Reflected XSS in Results tab
Description Please enter a description of the vulnerability. Proof of Concept 1. Install a local instance of phoronix 2. Run a benchmark 3. When the test is complete, for example the result id is xxxxx 4. Acess...
chafa <= 4bac1466 is vulnerable to an out of bounds read vulnerability.
chafa = 4bac1466 is vulnerable to an out of bounds read vulnerability. Building Build chafa with ASANaddress sanitizer sh $ git rev-parse HEAD 4bac14668535c09f6f47552bbd1566097dab4bf8 $ export CFLAGS="-g -O0 -fsanitize=address"; export CXXFLAGS="-g -O0 -fsanitize=address"; export CC=$which...
buffer size confusion
Description an attempt to write 2000 into a buffer of 10 bytes, while SSLread does not add a zero at the end. Proof of Concept cpp define BUFFSIZE 2000 ... char buf10; SSLreadssl,buf,BUFFSIZE; int virtualIP = atoibuf;...
Able to create an user with a long password as well as long username
Issue Description: Any admin may able to create and allocate user the credentials but when admin creates a user account where as the fields with the first name , last name and password has no defined length limit where as this scenario causes the application level DOS to the snipe-it What's the...
RCE due to a dependency confusion
Description Hi team, I hope you are well. I found a dependency confusion vulnerability in this repo. When I analyzed your repo, I found a Makefile which install a dependency : https://github.com/openziti/ziti/blob/271614d50df5535cf99ad0882649ae0ef7bb88a2/ziti/MakefileL155 go get...
Cross-site Scripting (XSS) in create space function
Description Reflected cross-site scripting or XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept 1.Login as normal user. 2.Access subdomain /space/create/create. 3.Input name, color, description,...
Server-Side Request Forgery in scout
Description Server-Side Request Forgery in remotecors Proof of Concept GET /remote/cors/http://:8888 HTTP/1.1 Host: localhost:8000 User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:100.0 Gecko/20100101 Firefox/100.0 Accept:...
Cross-site Scripting (XSS) in Error Page
Description The is an XSS could be trigger via error page through invalid file name. Proof of Concept 1.Login as Admin. 2.Upload new file with name .svg 3.Save - Fatal Error Page show up and the xss will be trigger...
Stored XSS via Scan Engine Name
Description Scan Engine name is displayed in different places without validation Proof of Concept 1. Add a scan engine with name: 2. Scan a target, Create scheduled tasks 3. Go to https://127.0.0.1/scan/history/scan Note: Try on a private browser if it doesn't execute on the first. I am not sure...
Stored XSS on add Group Name
Description XSS found on function add Group Name on User Management module at Organizr 2.1.1810. Proof of Concept 1 Go to User Management - Manage Group 2 Add new group 3 Insert payload on "Group Name" field then Add Group Payload 1 "alert"xss-here"; Screenshot 1 xss-triger 2 version 3 document...
Unauthenticated Path Traversal via /api/upload
Description While reviewing FUXA, research found it is possible to upload arbitrary files into arbitrary locations via the "/api/upload" endpoint. Even when authentication in enabled, it was found this endpoint does not validate a user's session. In addition, the function behind this endpoint...
Stored XSS viva .svg file upload
Description The application allows .svg files to upload which leads to stored XSS. Proof of Concept 1.Download the payload XSS.svg from below drive link and go to "Files". 2.Now click on "Add file" and upload the downloaded payload. 3.Then see the uploaded file details and open the file path once...
Stack buffer overflow in XML entity parsing
Description Attempting to parse a XML/SVG file containing an !ENTITY with a sufficiently long name into a fixed sized, stack allocated buffer causes an overflow. Proof of Concept ./bin/gcc/gpac -play ./poc-clean.svg poc-clean.svg available here GDB stack smashing detected : terminated Thread 1...
File upload filter bypass leading to stored XSS
Description A User Can uplaod .cshtml file with XSS payload. Proof of Concept Login to the demo portal with admin creds at https://demo.microweber.org/demo/admin/ Navigate to page create functionality at https://demo.microweber.org/demo/admin/page/create Select the picture upload request in burp...
Improper Access Control in Configuration (Credential store)
Description Pandora FMS v7.0NG.759 allows improper access control in Configuration Credential store where a user with the role of Operator Write could create, delete, view existing keys which are outside the intended role. Proof of Concept Affected endpoint: POST...
Arbitrary Command Injection
Description When creating a strapi app using npxcreate-strapi-app, we can inject arbitrary commands through the template cli argument as per the code in this particular link https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.jsL13, this happens due t...
Cross-site Scripting (XSS) - Stored in helloxz/onenav
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Improper Authorization in chocobozzz/peertube
Description The app doesn't check the status of video when making data changes. Normal users can create new comment or reply comment in private videos. Proof of Concept note: I'm using instance p.lu for testing - Step 1: Login as video test1 and upload private video. Get video ID of private video...
Business Logic Errors in publify/publify
Description It was found that if a user tries to create an article, and want to make that article private, the functionality is not working. Proof of Concept 1. Create an article 2. Click on publish and you will see the option to visibility to make it private, but functionality is not designed...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Stored XSS at the Name and Surname fields in the User account page. Payload constructor.constructor'alert1' Steps to reproduce 1.Login then go to User account page https://demo.livehelperchat.com/siteadmin/user/account 2.In the Name and Surname fields,...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Stored XSS at the Name field in the Admin themes of System configuration. Payload constructor.constructor'alert1' Steps to reproduce 1.Login then go to Setting - Live help configuration tab 2.Click on Admin themes in Visual settings for the admin sectio...
Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
Description Reflected cross site scripting vulnerability in pimpore/pimcore , it is in group field in Field collections and objectbricks in settings module. Proof of Concept 1 .Login to demo account 2 . Go to settings module --data objects --object bricks or Field collection -- edit any one and a...
in gpac/gpac
Description Null Pointer Dereference in gfdumpvrmlfield.isra Proof of Concept MP4Box -bt POC2 POC2 is here. Bt Program received signal SIGSEGV, Segmentation fault. 0x0000000000644ca4 in gfdumpvrmlfield.isra LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA...
Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq
Description When building an app, an XSS vulnerability occurs in the app's name. Proof of Concept txt 1. Go to App Settings 2. Enter " as the name of the app Video : https://www.youtube.com/watch?v=dEFDHHGxzoY Impact Through this vulnerability, an attacker is capable to execute malicious scripts...