4072 matches found
Stack buffer overflow in XML entity parsing
Description Attempting to parse a XML/SVG file containing an !ENTITY with a sufficiently long name into a fixed sized, stack allocated buffer causes an overflow. Proof of Concept ./bin/gcc/gpac -play ./poc-clean.svg poc-clean.svg available here GDB stack smashing detected : terminated Thread 1...
File upload filter bypass leading to stored XSS
Description A User Can uplaod .cshtml file with XSS payload. Proof of Concept Login to the demo portal with admin creds at https://demo.microweber.org/demo/admin/ Navigate to page create functionality at https://demo.microweber.org/demo/admin/page/create Select the picture upload request in burp...
Improper Access Control in Configuration (Credential store)
Description Pandora FMS v7.0NG.759 allows improper access control in Configuration Credential store where a user with the role of Operator Write could create, delete, view existing keys which are outside the intended role. Proof of Concept Affected endpoint: POST...
Arbitrary Command Injection
Description When creating a strapi app using npxcreate-strapi-app, we can inject arbitrary commands through the template cli argument as per the code in this particular link https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.jsL13, this happens due t...
Improper Authorization in chocobozzz/peertube
Description The app doesn't check the status of video when making data changes. Normal users can create new comment or reply comment in private videos. Proof of Concept note: I'm using instance p.lu for testing - Step 1: Login as video test1 and upload private video. Get video ID of private video...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Stored XSS at the Name and Surname fields in the User account page. Payload constructor.constructor'alert1' Steps to reproduce 1.Login then go to User account page https://demo.livehelperchat.com/siteadmin/user/account 2.In the Name and Surname fields,...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Stored XSS at the Name field in the Admin themes of System configuration. Payload constructor.constructor'alert1' Steps to reproduce 1.Login then go to Setting - Live help configuration tab 2.Click on Admin themes in Visual settings for the admin sectio...
Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
Description Reflected cross site scripting vulnerability in pimpore/pimcore , it is in group field in Field collections and objectbricks in settings module. Proof of Concept 1 .Login to demo account 2 . Go to settings module --data objects --object bricks or Field collection -- edit any one and a...
in gpac/gpac
Description Null Pointer Dereference in gfdumpvrmlfield.isra Proof of Concept MP4Box -bt POC2 POC2 is here. Bt Program received signal SIGSEGV, Segmentation fault. 0x0000000000644ca4 in gfdumpvrmlfield.isra LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA...
Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq
Description When building an app, an XSS vulnerability occurs in the app's name. Proof of Concept txt 1. Go to App Settings 2. Enter " as the name of the app Video : https://www.youtube.com/watch?v=dEFDHHGxzoY Impact Through this vulnerability, an attacker is capable to execute malicious scripts...
SQL Injection in dolibarr/dolibarr
Description The searchusers parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection. Proof of Concept Slow query example: POST /dolibarr-14.0.5/htdocs/compta/sociales/list.php HTTP/1.1 Content-Type:...
Cross-Site Request Forgery (CSRF) in liukuo362573/yishaadmin
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
in slidevjs/slidev
Description Vulnerability: CSS injection and Limited XSS via postMessage While reading the code, I came across packages/client/iframes/monaco/index.ts file, where a message eventListener is being used. The callback function adds the content of message inside tag. This way, the attacker can post a...
Heap-based Buffer Overflow in mruby/mruby
Description Heap Base Buffer Overflow mrbirepcutref Proof of Concept a = a. nil too many irep references RuntimeError ================================================================= ==990==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a6 at pc 0x560e7e6acc2e bp...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description The Mobile Options settings does not sanitise and escape the $mboptions'fcmkey' parameter lead to stored XSS Proof of Concept Go to Mobile settings, fill XSS payload into FCM Key field kind of: somekey" Impact XSS can have huge implications for a web application and its users. User...
Business Logic Errors in janeczku/calibre-web
Description There is a possibility to create 2 public phasing shelfs that have the same name, which is a business logic error. Steps To Reproduce 1. Create a shelf with empty name 2. Tick the share with everyone box 3. Create another shelf with empty name 4. Tick the share with everyone box, it...
Cross-Site Request Forgery (CSRF) in star7th/showdoc
Description I found that the CSRF vulnerability that I reported to you before https://huntr.dev/bounties/1d8439e8-b3f7-40f8-8b30-f9cb05ff2bcd/ can still be exploited via the GET request. An attacker is able to do unintentional action in the victim account by tricking other users clicking on the...
Cross-Site Request Forgery (CSRF) in janeczku/calibre-web
Description CSRF on various endpoints Summary Pretty recently CSRF protection in calibre-web was implemented. However, there are some state-changing endpoints that accept GET requests instead of POST. The most impactful route so far, that allows to completely shutdown the server:...
Improper Authorization in openwhyd/openwhyd
Description This Account Takeover via Dom XSS vulnerability occurs because the backend does not check the value of the redirect parameter in the login logic. javascript if form.fbUid userModel.updatedbUser.id, $set: fbId: form.fbUid, fbTok: form.fbTok, // access token provided on last facebook...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS via upload Photo avatar with format .svg in Account data. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept PoC.svg va...
SQL Injection in wbce/wbce_cms
Description Plaintext administrator password recovery vulnerability due to SQL injection in password reset page. admin/login/forgot/index.php lines 33-34: php $sSql = "SELECT FROM TPusers WHERE email = '" . $email . "'"; $rRow = $database-query$sSql; Due to poor email validation attacker can inje...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
CSRF Set 1 modify invoice status Medium severity Description CSRF in saving invoices / modifying status of invoices pending and cancel only Proof of Concept The following state-changing endpoints are vulnerable to CSRF GET...
in elgg/elgg
Hello Elgg Team, hope you are having an awesome day : Just found an issue on the latest version of Elgg, and apparently the previous versions also have the same flaw. Description There is this endpoint, which is: http://elgg-example-here.com/ajax/form/admin/user/changeemail This endpoint is...
Cross-site Scripting (XSS) - Stored in invoiceninja/invoiceninja
Description In recent InvoiceNinja version 9d7145c in /documents it is possible to store svg file with html/js content, which later can be used to phish other users Proof of Concept POST /documents HTTP/1.1 Host: 172.17.0.1:8888 User-Agent: Mozilla/5.0 X11; Linux x8664; rv:95.0 Gecko/20100101...
Improper Authorization in hdinnovations/unit3d-community-edition
Description 2FA bypass in in chat functions. The "twostep" middleware is not implemented under the vue.php routing. Proof of Concept 1: Login into account with 2FA. Do not complete the 2FA process. 2: See all chat messages at https://UNIT3D-URL/api/chat/messages/1 3: If the CSRF token does not...
Cross-site Scripting (XSS) - DOM in janeczku/calibre-web
Description It is possible to execute XSS payloads when editing book properties, such as uploading a cover or a format. Proof of Concept The file editbooks.js contains the following code: $"btn-upload-cover".on"change", function var filename = $this.val; if filename.substring3, 11 === "fakepath"...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
Description When uploading a new module, the description of the module can contain JavaScript code. After uploading the new module and looking at the Details page, the JavaScript code would be executed. Proof of Concept - I downloaded this module...
Server-Side Request Forgery (SSRF) in pimcore/pimcore
Description Your demo server is running in a vulnerable Apache server Apache/2.4.38. The attacker can easily exploit SSRF vulnerability just by visiting a crafted URL. The vulnerability has been discovered few days ago and it relies on modproxy module. I know that this vulnerability is not direct...
in zmister2016/mrdoc
Description When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. Proof of Concept https://github.com/zmister2016/MrDoc/blob/master/appadmin/views.pyL985 ๆฎ้็จๆทไฟฎๆนๅฏ็ @loginrequired @logger.catch def...
SQL Injection in ampache/ampache
Description The application does not validate and escape the client parameter before using it in a SQL statement at getbookmark function in Repository/Model/Bookmark.php file, leading to a SQL Injection The function named getbookmark which called by in 3 functions: bookmarkcreate, bookmarkedit an...
Cross-site Scripting (XSS) - Reflected in mariotti94/webrisc-v
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end userโs browser has no way to know that the script should not be trusted, and will execut...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in siwapp/siwapp
Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/1IOglL2LBh8CnvJUI0tRJw2wCJ8ugnws/view Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The...
SQL Injection in yeswiki/yeswiki
Description A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data Insert/Update/Delete, execute administration operations ...
Server-Side Request Forgery (SSRF) in chevereto/chevereto-free
Description Attackers can make the server perform arbitrary requests to internal IPs as well as use the file:/// protocol to disclose internal image data. Proof of Concept 1: Create a valid image file on the server /path/to/index.png 2: Choose add Image URLs and use a valid URL and click OK. Then...
Heap-based Buffer Overflow in mruby/mruby
Description Heap buffer overflow on mrb-vm-exec Proof of Concept // poc.rb 1.timesuntil% ;break Result ./mruby poc.rb ================================================================= ==1451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000023d9 at pc 0x55b2fc3f1046 bp...
Cross-site Scripting (XSS) - Stored in fisharebest/webtrees
โ๏ธ Description A malicious actor is able to add a malicious payload as a Family Tree Title, and after click the Family Tree nav button from the My Pages Menu, the XSS payload is executed. ๐ต๏ธโโ๏ธ Proof of Concept 1;Create a new family tree, either when logging in after install for the first time, or...
Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver
โ๏ธ Description Accept Bitcoin payments. Free, open-source & self-hosted, Bitcoin payment processor this package is vulnerable for xss ๐ต๏ธโโ๏ธ Proof of Concept ๐ฅ Impact This vulnerability is capable of xss...
Cross-site Scripting (XSS) - Stored in leantime/leantime
โ๏ธ Description A malicious actor is able to add new Milestone with a malicious payload, and upon opening the research menu, the XSS payload is being executed. ๐ต๏ธโโ๏ธ Proof of Concept - 1; Log in with a proper roled user - 2; Add a new Milestone to the system at the /tickets/roadmap URI with the +...
Cross-site Scripting (XSS) - Stored in leantime/leantime
โ๏ธ Description A malicious actor is able to add New Project with a malicious payload, and upon opening the research menu, the XSS payload is being executed. ๐ต๏ธโโ๏ธ Proof of Concept 1; Log in with a proper roled user 2; Add a new Project to the system at the /projects/showAll/ URI with the + New...
Cross-Site Request Forgery (CSRF) in combodo/itop
โ๏ธ Description Attacker able to delete Standard SLA with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF attack...
Cross-Site Request Forgery (CSRF) in azuracast/azuracast
โ๏ธ Description Attacker able to enable any Streamer/DJ account section with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your...
in getgrav/grav-plugin-admin
โ๏ธ Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. ๐ต๏ธโโ๏ธ Proof of Concept ๐ฅ Impact According to PortSwigger references, it is possible for a page controlled by an attacker...
Cross-Site Request Forgery (CSRF) in erikdubbelboer/phpredisadmin
โ๏ธ Description The delete key functionality in the application is vulnerable to CSRF attack. ๐ต๏ธโโ๏ธ Proof of Concept history.pushState'', '', '/' ๐ฅ Impact This vulnerability can let an attacker delete data from the database without the knowledge/interaction of the user...
in aquilacms/aquilacms
โ๏ธ Description Unauthenticated API function allows any user to change OR view another user first name, last name, password, and address information. As well, leaked activateAccountToken and resetPassToken can be viewed. ๐ต๏ธโโ๏ธ Proof of Concept The attacker can guess the correct MongoDBobject ID and...
in babybuddy/babybuddy
โ๏ธ Description According to 1 we have : The secure attribute is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure attribute is to prevent cookies from being observed by unauthorized parties due to the...
Cross-Site Request Forgery (CSRF) in changeweb/unifiedtransform
โ๏ธ Description When you don't set the SameSite attribute of cookies the browsers have special act in front of this issue.I mean set default value on it chrome and chromium based browsers set the attribute "Lax" that mean if you do add/delete/alter operation in a get HTTP request then your site mor...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
โ๏ธ Description Attacker able to reopen any Poll in Tools section. ๐ต๏ธโโ๏ธ Proof of Concept // PoC.html https://demo.dolibarr.org/opensurvey/card.php?action=reopen&id=amyra52rg3g4ywzj...
in tagspaces/tagspaces
Vulnerability Code Execution using Reflected Cross Site Scripting โ๏ธ Description Tagspaces is a file organizer that also works as a file manager. When you open a file, it tries to provide a preview of common files like images, code and text files. But if the extension is not known to tagspaces, it...
Server-Side Request Forgery (SSRF) in prasathmani/tinyfilemanager
โ๏ธ Description SSRF to access internal server ๐ต๏ธโโ๏ธ Proof of Concept 1. goto http://localhost/tinyfilemanager/index.php?p=&upload and put internal serveer address and see it will fetch that file Video Poc https://drive.google.com/file/d/1dsTqvuQbGN619Gdncze4tuIH7MsonliT/view?usp=sharing ๐ฅ Impact...
Cross-site Scripting (XSS) - Generic in maxsite/cms
โ๏ธ Description Cross-site scripting also known as XSS is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites...