4072 matches found
Cross-site Scripting (XSS) - Stored in knadh/listmonk
✍️ Description Stored xss 🕵️♂️ Proof of Concept Check this recorded video https://drive.google.com/file/d/1wlbisKCbYUZprOkAGzWGRQm0f-LDRD/view?usp=sharing 💥 Impact xss...
Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling
✍️ Description Xss via support ticket 🕵️♂️ Proof of Concept login into your boxbilling account and create support ticket . put bellow xss payload in support ticket click-me Now save the link and click the and see xss is executed Video Poc--...
Cross-site Scripting (XSS) - Generic in chatwoot/chatwoot
SUMMURY i contacted the company directly , but they told me submit the bug through huntr ✍️ Description Stored xss .Agent can make cross site scripting against admin VIDEO POC https://drive.google.com/file/d/1vWXiFKbsqVhMUS4kgpz50wSNsFTo9Ny/view?usp=sharing 🕵️♂️ Proof of Concept STEP TO REPRODUCE...
Cross-site Scripting (XSS) - Generic in bigprof-software/online-invoicing-system
✍️ Description A cross-site scripting XSS issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "filtereritem" Parameter 🕵️♂️ Proof of Concept You can find installation instructions here: https://bigprof.com/appgini/applications/online-invoicing-system Vulnerable...
Prototype Pollution in sttk/fav-prop.set-deep
Description @fav/prop.set-deep is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js var setDeep = require"@fav/prop.set-deep" var obj = ; console.log"Before: " + .polluted; setDeepobj, "proto", "polluted", "Yes, its polluted"...
Prototype Pollution in cronvel/tree-kit
Description tree-kit is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const dotPath = require'tree-kit' console.log"Before: ", .polluted dotPath.set, 'proto.polluted', true console.log"After: ", .polluted 2. Execute the following comman...
in catalyst-team/catalyst
Description Catalyst is a PyTorch framework for Deep Learning research and development. It focuses on reproducibility, rapid experimentation, and codebase reuse so you can create something new rather than write another regular train loop. This package was vulnerable to Arbitrary code execution vi...
Prototype Pollution in patrickleet/expand-keys
Description expand-keys is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var expandKeys = require"expand-keys" console.log"Before : " + .polluted; expandKeys"proto.polluted": "Yes! Its Polluted" console.log"After : " + .polluted; 2. Execute the...
Code Injection in ultralytics/yolov5
Description Arbitrary Code Excecution in ultralytics/yolov5. Yolov5 is a Object Detection model from Ultralytics. Ultralytics is a U.S.-based particle physics and AI startup with over 6 years of expertise supporting government, academic and business clients. Ultralytics offer a wide range of visi...
Prototype Pollution in okunishinishi/node-objnest
Description objnest is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var objnest = require"objnest" console.log"Before : " +...
Code Injection in swig/swig
Description SWIG is a compiler that integrates C and C++ with languages including Perl, Python, Tcl, Ruby, PHP, Java, C, D, Go, Lua, Octave, R, Scheme Guile, MzScheme/Racket, Scilab, Ocaml. SWIG can also export its parse tree into XML. One of the python tools of swig include a mkdist.py script...
Code Injection in courajs/node-svn
Description The svn module is vulnerable against RCE since a command is crafted using user inputs not validated and then executedading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js var SVN = require'svn'; var svn = new SVN'./workingcopy'; svn.info"test; touch...
Code Injection in heroku/heroku-exec-util
Description The heroku-exec-util module is vulnerable against RCE since a command is crafted using user inputs not validated and then executed, leading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js var heu = require'heroku-exec-util'; heu.sshargs:,'test; touch...
Command Injection in joeyism/node-git-lib
Overview The issue occurs because a user input is formatted inside a command that will be executed without any check. Proof of Concept Credit: Mik317 1. Create the following PoC file: js // poc.js var git = require"git-lib"; git .add"test;touch HACKED;" .thenfunction / successfully added /...
Command Injection in ionicabizau/node-gry
Overview The issue occurs because a user input is formatted inside a command that will be executed without any check. Proof of Concept Credit: Mik317 1. Create the following PoC file: js // poc.js const Repo = require"gry"; var myRepo = new Repo"."; myRepo.pull"test; touch HACKED; ", function...
Cross-Site Request Forgery (CSRF) in tuhinshubhra/extanalysis
Overview The ExtAnalysis project is vulnerable against various CSRFs, that could lead to loss of functionalities and placement of malicious files in arbitrary directories without knowledge of the victim. Proof of Concept Credit: Mik317 1. Download the git project and run the server through the...
Incomplete Fix for CVE-2025-10279: get_or_create_nfs_tmp_dir() Still Creates World-Writable (0o777) Directories Enabling Local Code Execution
Description Description CVE-2025-10279 huntr bounty 01d3b81e identified that MLflow's getorcreatetmpdir created temporary directories with world-writable permissions 0o777, enabling local attackers to tamper with model artifacts and achieve arbitrary code execution. The fix PR 17544, commit...
memcpy-param-overlap in MP4Box
Description memcpy-param-overlap in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic 3322.04.1-Ubuntu SMP PREEMPTDYNAMIC Thu Sep 7 10:33:52 UTC 2 x8664 x8664 x8664 GNU/Linux Asan 32mDashe...
Admin account TakeOver
Description The endpoint api/system/update-env allows any authenticated users to change env variables of the back-end process : js process.envenvKey = value; The envKey value comes from here : js const envKey, checks = KEYMAPPINGkey; One of the value in the KEYMAPPING dictionnary is : js JWTSecre...
Pre-Auth SQLi leading to RCE in Social Media Skeleton v1.0
Summary A SQL Injection vulnerability exists in Social Media Skeleton v1.0 via the username and password parameters in admin/login.php. Not to be confused with login.php, which properly escapes special characters. Issue Description SQL injection SQLi is a code injection technique used to attack...
Open Redirect via deskDomain
Description This vulnerability occurs because the desired domain value can be inserted into the A tag through deskDomain manipulation. javascript if window.location.hash != null && window.location.hash.substring0, 9 == 'TICKETS' try var temp = JSON.parsedecodeURIComponent...
Remote Code Execution via File upload
Description In the theme settings function, any file can be uploaded without any filter, resulting in an arbitrary php file being uploaded. Proof of Concept POST /admin/theme/huraga HTTP/1.1 Host: localhost Content-Type: multipart/form-data;...
Improper Authorization in Export role function
Description The application controls user rights incorrectly, leading to the attacker being able to collect sensitive information. Proof of Concept Step1: The administrator user accesses the user role management function and performs the 'export role' operation. Step2: Upon observation, a HTTP...
Stored XSS
Description: The application contains a stored XSS vulnerability, which allows an attacker to inject and execute malicious scripts within the application. The vulnerability occurs due to improper input validation and output encoding mechanisms, which fail to adequately sanitize and encode...
Confidential information provided to user with no permissions
Description Unauthorized users are able to obtain sensitive information about the system's runtime environment, features they have no permissions to access, etc. Proof of Concept 1. create a new user without any permissions attached 2. do NOT assign any permissions to the user 2. do NOT add any...
Stored XSS vulnerability
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept 1 Step1: The user has the right to access and perform the creation of surveys, with the payload...
Reflected XSS Vulnerability at `_detail/?lang` parameter
Description Reflected XSS vulnerability allows attackers to exploit the trust placed by a web application in user-supplied input, such as query parameters or form fields. In this case, the vulnerability was found in the following URL: https://www.dokuwiki.org/detail/?lang=1"alertdocument.domain...
NULL Pointer Dereference in function xml_sax_append_string
Description NULL Pointer Dereference In utils/xmlparser.c:963 Environment No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal Version MP4Box - GPAC version 2.3-DEV-rev293-g56eed04c2-master c 2000-2023 Telecom Paris distributed under LG...
Potential XSS in content script via StackOverflow about_me
Description Alby has a feature called "batteries", which makes tipping on third party sites easier, e.g. by detecting lightning network addresses and so donating using the extensions becomes easy. One of those sites is stackoverflow. The alby extension will use the stackoverflow/stackexchange API...
SQL injection in SegmentAssignmentController.php
Description An administrator user can use the inheritableSegments feature to execute his own blind SQL queries. Proof of Concept The vulnerable php code is in src/Controller/Admin/SegmentAssignmentController.php, on method inheritableSegments: The parameter type is not escaped and is added on the...
AWS credentials exposure
Description app.diagrams.net allow the insertion of PlantUML objects. This feature is using an old and misconfigured version of PlantUML 1.2022.6, therefore, it is possible to exploit dangerous functions such as %getenv to read environment variables in the machine where PlantUML is running. I was...
XSS in Quantity Value of Data Objects module in Settings
Description pimcore is vulnerable to XSS at Abbreviation and Longname fields in Quantity Value of Data Objects module in Settings. Payload " Proof of Concept 1.Go to https://11.x-dev.pimcore.fun/admin/ and login. 2.In the left menu bar, go to Settings - Data Objects - Quantity Value. 3.In the...
IDOR Vulnerability Allow the owner of one Organization can update anyother organization
1 first, we create two organizations: org1 and org2. The owner of them is user1 and user2 corresponding. 2 we login as user1 and update the org1, then we use burpsuit to get the post. 3 The first post will check user and we forward it. 4 The second post will edit content of organization and can b...
Cross Site Scripting (XSS) in Assets
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
XSS on external links bypass filters
Description I recently found a bypass for external links that allows an attacker to inject javascript into external links Proof of Concept As an admin user Go to /front/link.form.php?id=1 Using a special character before the javascript:alert1 this bypasses the filters and the protocol still works...
Phar Deserialization of Untrusted Data
Description snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the fileexists function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitra...
stored HTML-Injection throuth the Question Form
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Josef Hassan [email protected] and I were able to identify another stored HTML-Injection Vulnerability in the Question Form. The Process of the...
CSRF leading to delete a user
Description The deleting a user functionality is vulnerable to a CSRF attack. The cause is same with the deleting a domain functionality. Proof of Concept 1. Login as admin. 1. Create a user to be deleted. E.g. the user ID is 2. 1. Open the following file in the browser. html history.pushState'',...
HTML Injection in add expense via transaction tab
Steps to reproduce After login into demo account, Go to the transaction page and there your can add or create an expense If your on the write path, while creating or adding an expense there will be description field In the Description field, enter the following payload Y00 and click save Now, you...
Stored XSS using two files
Description I uploaded two files first = js , second = html the first was js files with malicious script and get it's url and i added it to the second one as source for the script tag Proof of Concept // test.js alert"xss"; and assume its url = https://demo.usememos.com/o/r/9/test.js // test.html...
privilege escalation : Low access user can view Admin PRIVATE POST by using PIN functionality
Description Due to the privilege escalation issue Low access user can view Admin PRIVATE POST by abusing PIN functionality. PIN functionality is used to pin any post in TOP , by using the Low user Attacker can View the other & high privilege user PRIVATE POST , as per the flow its not PINNING any...
Stored XSS via title, subtitle, footer and post title and content
Description The site is vulnerable to Stored XSS via Blog title, Blog subtitle and Blog footer. Proof of Concept - Login as Admin - Go to Administration Area - Option Set n the 3 fields a payload like this: alertdocument.domain Now go to the blog, and you'll see that 3 payloads actually fires: Al...
Lack of sanitisation of characters in SSH key name could allow attacker to inject a hyperlink injection
Description Lack of sanitisation of characters in SSH key name could allow attacker to inject a hyperlink injection that could allow attacker to redirect victim to malicious websites Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys 2 Add SSH key 3 Enter the name evil.com ...
Cron execution command field allows attackers with admin privilege to execute OS command as root
Description - Cron execution command value is written into cronfile without any security protection mechanism. - If an attacker gained admin access, he/she can run OS command as root. Proof of Concept 1/ Navigate to http://webserver/froxlor/adminsettings.php?page=overview&part=crond 2/ In the Cro...
Reflected XSS in Advanced Ticket Search
Description Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScrip...
Agent can get inbox credentials through api
Description user with agent privileges can get access to sensitive inbox details through api Proof of Concept 1. Create normal user with agent privileges 2. get api key for this user 3. use endpoint https://www.chatwoot.com/developers/api/tag/Inboxes/operation/listAllInboxes 4. if inbox is...
Bypassing application logic to set a blank password
Description As you many observe that rdiffweb strictly has a password policy where it prompts out that the password should be between 8 and 128 characters . But the application does not filter blank spaces used in a password Proof of Concept 1 Go to https://rdiffweb-demo.ikus-soft.com/prefs/gener...
Stored Cross-Site Scripting (XSS) in the parameters "host", "desc", "group" and "newgroup" of the section "Webmin Servers Index"
Description In Webmin version 2.001 it was identified in the "Webmin Servers Index" section that the data collected from the user in the "host", "desc", "group" and "newgroup" parameters is not properly sanitized thus allowing potential attackers to insert JavaScript code that enables exploitatio...
Stored Cross-Site Scripting (XSS)
Description There is insufficient input validation in the pop-up notifications. Proof of Concept Steps to reproduce: 1. Log in to an admin account 2. Click on Ports - Manage Groups 3. Create a new Port Group with the Name alertdocument.location and an arbitrary Description 4. The XSS is triggered...
Secure token is missed when ivalid URL is entered
Description The cookie sessionid does not have secure attribute when the URL is invalid Proof of Concept 1.Login into the application. 2.Send the request https://rdiffweb-demo.ikus-soft.com/browse/admin/MyWindowsLaptop/D/TC3080/test...