4072 matches found
Users Account Pre-Takeover or Users Account Takeover.
Team, May you all be well on your side of the screen. : While Doing some research on the https://microweber.org, I was able to find a Pre-Account Takeover vulnerability. Kindly check the proof of concept video & reproduction steps for better understanding. Proof of concept: I have uploaded the bo...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you change the value of Abbreviation, Longname, Converter Service at "Settings" = "Data Objects" = "Quantity Value" in the...
in janeczku/calibre-web
Description A user can see the name of private shelves from other users when trying to remove a book of those shelves. Proof of Concept The file shelf.py in its line 221 exposes the name of the shelf when the user tries to remove a book from a shelf which is not his. log.warning"You are not allow...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in azuracast/azuracast
✍️ Description The secure flag is not set for appsession cookie in the application. 🕵️♂️ Proof of Concept PoC Image: https://i.ibb.co/v1y0Fdv/cookie-flag.png 💥 Impact If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP...
Path Traversal in mailtrain-org/mailtrain
✍️ Description A path traversal also known as directory traversal is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating...
Prototype Pollution in grpc/grpc-node
Description grpc native core package is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var grpc =require'grpc'...
Prototype Pollution in dominictarr/libnested
Description libnested is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var libnested = require"libnested" var obj = console.log"Before : " + .polluted; libnested.setobj, 'proto','polluted', 'Yes! Its Polluted'; console.log"After : " + .polluted; 2...
Prototype Pollution in b-heilman/bmoor
Description bmoor is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js const bmoor = require'bmoor'; var obj = console.log"Before : " ...
Blind LFI in register-model/get?name=
Description A blind LFI exists in /ajax-api/2.0/mlflow/registered-models/get?name= The response from the server is different depending on if the file exists on the local file system or not. When the arbitrary local file exists, the server responds with 500 INTERNAL SERVER ERROR and when it doesn'...
XSS in RSS Description Link
Description An Administrator can import a malicious RSS feed that contains Cross Site Scripting XSS payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. Proof of Concept 1. Create a malicious RSS feeds The XSS payload is inside ite...
Cross Site Scripting (XSS) Reflected
Description Reflected cross-site scripting or XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept 1. i open this page...
Out-of-bounds write in function vim_regsub_both
Description Out-of-bounds write in function vimregsubboth at regexp.c:1954 vim version git log commit 4c3d21acaa09d929e6afe10288babe1d0af3de35 HEAD - master, tag: v8.2.5014, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobw2s.dat -c :qa!...
Stored xss bug
Description stored xss bug Proof of Concept I created a repository on try.gitea.io and uploaded a pdf file containing xss vector. https://try.gitea.io/cokeBeer/test/src/branch/main/poc.pdf Just click the "Raw" button The xss vector will be triggered Fix Suggestion prohibit viewing pdf directly by...
Stored XSS viva .ofd file upload
Description The application allows .ofd files to upload which lead to stored XSS Proof of Concept 1.First, open your text file/notepad and paste the below payload and save it as XSS.ofd: alert1337 alertdocument.domain alertdocument.location alert'XSSbySamprit Das' 2.Then go to...
Host Header injection in password Reset
Description The password reset uses $SERVER'HTTPHOST' to generate the password without any checks or filtering. Allowing a malicious attacker to generate a fake password reset link to steal password reset tokens which may lead to account takeover Impact Account Takeover...
Exposure of Sensitive Information to an Unauthorized Actor in eventsource/eventsource
Exposure of Sensitive Information to an Unauthorized Actor in EventSource/eventsource Reported on Feb 6th 2022 | Timothee Desurmont Vulnerability type: CWE-200 Bug Cookies & Authorisation headers are leaked to external sites. Description When fetching an url with a link to an external site...
Cross-Site Request Forgery (CSRF) in crater-invoice/crater
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
in attendize/attendize
Description: There is no rate limit sent unlimited email victim or any email address. Proof of Concept: There is no rate limit return-password , attacker to send unlimited email to victim or any email address. Impact: Attacker can sent unlimited email to any mail address . Solution: Add 'throttle...
Tabnabbing via window.opener [bookwyrm.social]
Description: 1. Hello @bookwyrm-social I found a tabnabbing vulnerability. attack is possible due to taget=blank or Tab nabbing via window.opener. VISIT:- https://bookwyrm.social/ SUMMARY: 1. I was browsing the site and found a tabnabbing vulnerability . As per the observation I found that attack...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Title Stored XSS in customattributes Description Relying on frontend URI check without verifying it on the backend allows to inject arbitrary JS code. Steps to reproduce 1. 1. Create a custom attribute, set its type to Link 2. 2. Navigate to any conversation, click on the right sidebar. 3. 3...
Cross-site Scripting (XSS) - Reflected in swiftyspiffy/twitch-token-generator
✍️ Description An almost XSS exists in this repository that, if not for the WAF used on https://twitchtokengenerator.com; would have resulted in reflected XSS. Despite this, it is possible to inject HTML onto the page, making some attack scenarios possible. 🕵️♂️ Proof of Concept - Navigate to...
Prototype Pollution in jquense/yup
Description yup is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js let yup = require'yup'; const payload =...
Command Injection through bash -c
This report is not public...
heap-buffer-overflow in /radare2/shlr/java/code.c:211:21 in java_print_opcode
Description heap-buffer-overflow in /radare2/shlr/java/code.c:211:21 in javaprintopcode Version $ r2 -v radare2 5.8.9 31339 @ linux-x86-64 birth: git.5.8.8-691-gb2de2288d8 2023-10-1701:18:28 commit: b2de2288d8299f89288c503fc2ce22381b61aba0 Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes...
heap-buffer-overflow in function utfc_ptr2len
Description Heap-based Buffer Overflow in function utfcptr2len at mbyte.c:2145 Vim Version git log commit ebfec1c531f32d424bb2aca6e7391ef3bfcbfe20 HEAD - master, tag: v9.0.1234, origin/master, origin/HEAD Both POCs also apply to v9.0.1262: git log commit f2e30d0c448b9754d0d4daa901b51fbbf4c30747...
IDOR to archive victims memo
Description Insecure direct object references IDOR are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Proof of Concept 1 Login into your account at demo.usememos.com 2 Turn on your burpsuite proxy 3 Click on the three do...
IDOR results in deletion of others public & private memos
Description What is IDOR Insecure Direct Object Reference? Insecure direct object references are common, potentially devastating vulnerabilities resulting from broken access control in web applications. IDOR bugs allow an attacker to maliciously interact with a web application by manipulating a...
Out-of-bounds write in function vim_regsub_both
Description Out-of-bounds write in function vimregsubboth at regexp.c:1973 vim version git log commit 83497f875881973df772cc4cc593766345df6c4a HEAD - master, tag: v8.2.5105, origin/master, origin/HEAD POC root@fuzz-vm0-187:/home/fuzz/fuzz/vim/afl/src ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
SSRF in /service endpoint
Description The problem came from this line of code I ran docker-drawio with following command : docker run -it --rm --name="draw" -e EXPORTURL=http://somesite.com -p 8080:8080 -p 8443:8443 jgraph/drawio if the drawio EXPORTURL is set to an address without any / after the primary Hostname like...
Cross-site Scripting (XSS) - Stored in kunstmaan/kunstmaanbundlescms
Description In kunstmaan / kunstmaanbundlescms, menu form slug field is vulnerable to cross site scripting Proof of Concept 1. login to demo page 2. go to pages, open any page 3. go to menu , in slug feild place the payload and save, it will trigger. payload : " Impact This vulnerability is capab...
Cross-site Scripting (XSS) - Stored in knadh/listmonk
💥 BUG Stored xss via file upload 💥 SUMMURY uploaded file extension only checked in client-side javascript. It must be also checked in server side so that user cant upload html file instead of image . 💥 STEP TO REPRODUCE 1. From your account goto http://localhost:9000/campaigns/media and upload a...
Server-Side Request Forgery (SSRF) in frenchbread/private-ip
✍️ Description Private-ip is an NPM module that is used to check if the input IP address is private or not, so as to prevent SSRF attacks. It has 12k downloads every week on NPM However, I found that by crafting a malicious IP, an attacker can easily bypass this check. 🕵️♂️ Proof of Concept First...
SSRF Blind in the image upload module via url
Description Web application with the function of uploading images through a link provided by the user . This access error leads to RCE and scanning of intranet ports Proof of Concept Link video Poc https://drive.google.com/file/d/17fksa8odZAqCuqRQbOCutc9I7eoNun-/view?usp=sharing Steps 1 . Use a...
Desktop APP XSS to RCE
🔒️ Requirements The user must load the malicious configuration and click on the buttons. 📝 Description This exploitation relies on several issues which chained together lead to an RCE. In the following subsection, I will try to explain it as best I can. 💉 Not sanitized HTML injection In the...
Session is not expiring after password reset
Description 1. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization, in this case the session is not getting expired after the password change Steps to reproduce : 1. Open...
heap-buffer-overflow in same_leader and utfc_ptr2len
Description Heap-based Buffer Overflow in function sameleader at textformat.c:558 Heap-based Buffer Overflow in function utfcptr2len at mbyte.c:2138 Vim Version git log commit f97a295ccaa9803367f3714cdefce4e2283c771d HEAD - master, tag: v9.0.1221, origin/master, origin/HEAD Able to replicate the...
Get based CSRF on Reset OP Cache functionality
Description The functionality to reset the OPCache is vulnerable to CSRF. In fact, it would be a good practice to implement a CSRF token in URL if the GET functionality is meant to trigger an action, instead of only retrieving data. Alternatively, it can be turned in a POST request, which I can s...
Account takeover via changing password
Description after login with normal user go to Settings then change password ,you will find the following request PATCH /api/user/104 HTTP/2 Host: demo.usememos.com Cookie:...
Buffer Over-read in function find_next_quote
Description Buffer Over-read in function findnextquote at textobject.c:1663 POC ./vim -u NONE -X -Z -e -s -S ./poch4s.dat -c :qa! ================================================================= ==1740874==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000741a at pc 0x0000010f50...
Use after free in append_command
✍️ Description When fuzzing vim commit fc78a0369 works with latest build and latest commit 202b4bd3a per this time of this report with clang 13 and ASan, I discovered a buffer overflow. Proof of Concept Here is the poc bash...
Reflected XSS
Description Bypass XSS filter on /module/ Proof of Concept https://demo.microweber.org/demo/module/?module=admin%2Fmodules%2Fmanage&id=x"draggable="true"ondragexit=alert1&class=x&fromurl=x Drag something around to trigger the XSS. Might only work in FireFox. How to fix This is still CVE-2022-1439...
Stored XSS viva .svg file upload
Description The application allows .svg files to upload which lead to stored XSS Proof of Concept 1.Download the payload from this link:- https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing and upload it on your profile. 2.Now open the path of the uploaded image...
Improper Authorization
Description When configuring cobbler-web to authentificate via PAM. The authorization of a account validity is missing. Therefore expired accounts can still login. Proof of Concept Enable authnpam in the modules.conf Create a testuser to login $ useradd expireduser $ passwd expireduser 12345 $...
Path Traversal in prasathmani/tinyfilemanager
Description A Path Traversal vulnerability exists in Tiny File Manager, which allows the upload of files to an arbitrary location in the server. This flaw derives from the way that the file upload/creation is handled when a file with the same name already exists in the target directory. Affected...
in pytorchlightning/pytorch-lightning
Description There is untrusted YAML Deserialization vulnerability on PyTorchLightning Github repository. PyTorchLightning's saving.py core.saving.loadhparamsfromyaml functionality is calling "yaml.UnsafeLoader" from pyyaml Python library which is not secure method. Because of that, maliciously...
Privilege Escalation to admin from any other users
Description By default, hestiacp creates a default fpm configuration that runs php-fpm service as the www-data user common socket. Also another php-fpm service runs from admin user and www-data group unix-socket. That allows any user upload php-file into /tmp dir, then run that script from...
Storage xss vulnerability exists in simple graph beds
Description Storage xss vulnerability exists in simple graph beds,By constructing a malicious svg code that directs the administrator to click, the cookie is stolen Proof of Concept Make the svg file as follows alertdocument.cookie; You can steal administrator cookies,No login required to upload...
Lack of Input Sanitazion lead to RCE
Description This vulnerability occur because there is no sanitation on user controlled input during the update configuration process. The input later , written to another .php file and this could lead to RCE. Proof of Concept 1. Go to Config then go to Mail Settings 2. Change the From Email Addre...
Heap-based Buffer Overflow in function msg_puts_printf
Description Heap-based Buffer Overflow in function msgputsprintf at message.c:3058 vim version git log commit ea720aea851e645f4c8ec3b20afb27c7ca38184c HEAD - master, tag: v9.0.1137, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbo01s.dat -c :qa!...
NULL Pointer Dereference in function _appendStartNsEvents
Description NULL Pointer Dereference in function vimappendStartNsEvents at src/lxml/iterparse.pxi:435 allows attackers to cause a denial of service or application crash. Proof of Concept python from io import StringIO from lxml import etree firstinput = """ """ secondinput = """ """ def...