4072 matches found
SQL INJECTION
Summary The user can submit an SQL query directly to the database, gaining access without providing appropriate credentials. Attackers can then view, export, modify, and delete confidential information; change passwords and other authentication information; and possibly gain access to other syste...
Lack of Maximum Characters Length Validation on `Assignment Title` Input
Hello, Description The Assignment Title input is not being validated against a large number of characters added in it's value. This allows to initiate large number of characters and very big text inside the page. Proof of Concept 1. Navigate to Assignments section:...
IDOR leads to delete messages in Message Center of others.
Description I observed that users can delete messages in other's Message Center by changing deleteid parameter to deleteid value of message which belongs to other. Step: - Login with Physician account and determine deleteid of messages in Physician's Message Center - Login with Clinician account....
No password brute-force protection on login page
Description The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible password combination without any restriction. Proof of Concept 1. 1 - Send a login request of the target user POST http://localhost:3000/api/access-tokens...
UnAuthenticated SQL Injection
Proof of Concept POC: Vendor Domain Print version: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue0x0a,concat0x0a,select+version--+- Print Database: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue0x0a,concat0x0a,select+database--+- Print User:...
Cross-site Scripting via link creation bypass filter javascript scheme
Description The markdown's link creation feature allows inserting paths containing javascript scheme bypass filter javascript scheme via add https scheme prefix, so this flaw lead to XSS vulnerability. The payload used is the following: Proof of Concept Step to reproduct 1. Create new document 2...
Cross-Site Request Forgery (CSRF)
Description An attacker is able to download data from a user via the CSV Export function. The export will include all the books on your shelves, books you have reviewed, and books with reading activity. Vulnerable URL https://bookwyrm.social/preferences/export/file Proof of Concept...
Email enumeration via Reset password page
Description Through the Reset password page, an attacker can know that if an email exists or not; just by observing the notification in the response page. So, once the attacker knows that an email exists, he can launch a brute force attack against it. If an email exists: The notification will be ...
Stored XSS in profile settings.
Description Stored XSS via "Website" box in Profile Settings. Proof of Concept Go to profile settings, put the following payload in the "website" box : google.com" Save, and see the xss triggered !...
Reflected XSS in type url parameter
Description The application has a reflected xss vulnerability in the url parameter type. Proof of Concept // PoC.js var payload = "alertdocument.cookie...
Multiple user creation with the same email Id via existing verification bypass
Hello team, while i was checking on the nakama dashboard as an Administrator i noticed that we can bypass the existing verification and create multiple user with same email id Steps to reproduce: 1. Open the dashboard as an adminuser and go to the user management form http://site.com//users 2...
Stored Cross-site Scripting (XSS) via SVG file upload in courses.
Description An attacker can upload and store a malicious SVG file in work forms and execute client side JavaScript code when opened. Replication Steps and Proof of Concept We create a file named file.svg containing the following: // We upload the file in an active work assignment inside any cours...
Register users in spite of Allow User Registration disabled
Description Attacker can register a user in spite of the Allow User Registration is disable by default. Proof of Concept 1. Go to /captcha, get the captcha value and cookie. 2. Send POST request to /api/v1/public/account/create with the value of captcha and cookie in step 1. //POST...
Cross-site Scripting (XSS) - Reflected
Description The listmonk application is vulnerable to reflected XSS in Partial SQL expression to query subscriber attributes. Proof of Concept 1.Go to "Subscribers" - "All subscribers" - "Advanced" 2.Put this payload: " in the input filed. 3.Now click on Query then XSS will pop-up Video POC...
Improper Access Control (IDOR)
Description Any user even user without account can view any student photos through student's id. Proof of Concept Access this URL https://www.rosariosis.org/demonstration/assets/StudentPhotos/2021/studentid.jpg - Attacker can see a student personal photo even without school's account student's id...
Cross-site scripting - Stored via upload ".cad" file
Description When user upload file with .cad extension in white-list, server will stored .cad file at userfiles/media/default/, so we can direct access. Becase when access this file, server not reponse with Content-type header, so this file can execute javascript code as Content-type: text/html...
Cross-site Scripting (XSS) - Stored via htm file upload
Description rosariosis is vulnerable to Stored XSS in the File upload in Assignments by uploading an htm file with the javascript code inside. Proof-of-Concept phish.htm Test Upload File Test upload alert1 Step to reproduce From attacker side student 1.Login to the demo environment by student...
Insecure Storage of Sensitive Information
Description When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of Scoold users like their Geolocation, their Device information like Device Name, Version, Software & Software version used,...
Remote access to another's conversation based on their email address
System: - Chatwoot 2.4.1, self-hosted - User identity validation is enabled - Each client has a unique identifier and a corresponding valid hmac Description User B can impersonate User A and access his chat history by filling in user A's email address in the setUser despite that the two users do...
no spoofing protection on email domain (No Valid SPF Records.)
What Is SPF/TXT Records? An SPF record is a type of Domain Name Service DNS record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain. Checking...
librenms alert-rules Stored XSS
Description Please enter a description of the vulnerability. 1 . Go to http://SERVER/device-group and Create New-device Group 2 . Input Name parameter following XSS payload and save payload 1 3 . Go to http://SERVER/alert-rules and add Rule. You can choose the Device group that contains XSS paylo...
libde265 1.0.8, was discovered to contain a heap-use-after-free in put_qpel_fallback
Description libde265 1.0.8, was discovered to contain a heap-use-after-free in putqpelfallback fallback-motion.cc ENV - Version : 1.0.8 - Commit : 45904e5667c5bf59c67fcdc586dfba110832894c - OS : Ubuntu 18.04 - Configure : cmake -DCMAKEBUILDTYPE=Debug -DCMAKECXXCOMPILER=clang++-10...
Open Redirect (Bypass Of #59d7c660-744c-4fee-88b7-6117b6846aea)
Description Hello everyone, I found an Open Redirect on linkding on remove a bookmark functionality, it is a bypass of a previously submitted report, when users are tricked into visiting the vulnerable link, they will immediately redirected to arbitrary hosts. Proof of Concept - Just visit the...
ReDoS in is-it-check
✍️ Description It allows causing a denial of service when checking crafted invalid URLs. 🕵️♂️ Proof of Concept // PoC.js var isItCheck = require"is-it-check" isItCheck.url'H'+'.A8'.repeat40...
Untrusted Search Path
Description A current working directory type of DLL hijacking vulnerability is found in all executbales in ventoy-1.0.70-windows.zip, including: 1 Ventoy2Disk.exe 2 VentoyPlugson.exe 3 VentoyVlnk.exe Proof of Concept Step 1 : Craft a malicious x86 dll named as "TextShaping.dll" and place in the...
protocol spoofing
Description I found a vulnerability that incorrectly parses the protocol when using a javascript scheme. javascript location.href = 'javasript:https://google.com/%0aalert1' First, you can check that the above URL executes the script normally through the above code. txt - node.js ❯ node -e...
NULL Pointer Dereference
Description NULL Pointer Dereference in MP4BOX Command MP4Box -info POC6 POC6 is here. ASAN result iso file Unknown box type url@ in parent dref iso file Unknown box type traj in parent moov iso file Unknown box type 80rak in parent moov iso file Incomplete box mdat - start 11495 size 901165 iso...
in mruby/mruby
Description commit 4e8ab145da52c3cfb0bd4b823df8041dcc52f454 Author: Yukihiro "Matz" Matsumoto Date: Tue Feb 8 13:03:51 2022 +0900 Proof of Concept sh $ echo -ne "e30KWyoqMCxtOjBdBHM9MDYudGl0ZXN7My7+////c3slXSN7W11lYWsKYj17fQpbKiowLG06MF3/...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Stored XSS at the Message field in the Personal canned message tab of the User account page. Payload constructor.constructor'alert1' Steps to reproduce 1.Login then go to User account page https://demo.livehelperchat.com/siteadmin/user/account 2.Switch ...
in vim/vim
Description Floating point error in tabstopfromto. commit : 7676c158798a7c90f500cab2c12af0d47bad6026 Proof of Concept $ echo -ne "bm9ybTBvMDD/MDAwMDAwMDAwMDAwMDAwMDAwMApzaWwhbm9ybRZjMDAwCQpmdSBSZXRhYihnLG4p Cm8KZXhlInJldCJhOm4KZW5kZgpjYWwgbCgiIixSZXRhYigwLDQpCnNlIHRhYnN0b3A9NTAwMDAw...
Open Redirect in alanaktion/phproject
Description Bypass open redirect protection Proof of Concept patch for this report https://huntr.dev/bounties/1183df1a-5243-42f9-a263-267b92444b03/ easily can be bypassed Bypass url https://demo.phproject.org/login?to=//example.com...
Improper Authentication in liukuo362573/yishaadmin
Description Hi there, there is another improper authorization at /admin/SystemManage/LogOperate/GetFormJson, this will allow anyone to view yishaadmin log without logging in. Proof of Concept 1. Access the link http://106.14.124.170/admin/SystemManage/LogOperate/GetFormJson?id=405689053455847424...
Cross-site Scripting (XSS) - Generic in projectsend/projectsend
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description I found a way to bypass the Stored XSS via uploading File with format .svg when chatting in private conversation. Since you have filtered the content of the svg file as below: state $RULES = svg = qr Steps to Reproduce 1.After login, go to any private conversation. 2.In the chat bar,...
Improper Access Control in crater-invoice/crater
Description In recent Crater version faf1ef09 tag: 5.0.6 I discovered, that not authenticated user can download all expense receipts uploaded to any company. Proof of Concept Python import requests for i in range1, 100: r = requests.getf'http://172.17.0.1:8080/expenses/i/download-receipt' if...
Cross-site Scripting (XSS) - Stored in pimcore/customer-data-framework
Description Stored cross site scripting vulnerability in pimcore app, name and description field field is vulnerable to xss in customer automation rules. Proof of Concept 1 .login to the account 2 .go to customers -- customer automation rules -- Add payload in name field. 3 .payload " Impact This...
Improper Privilege Management in patrowl/patrowlmanager
Description Hi there, I would like to report an improper privilege management in PatrowlManager - it's an IDOR. All imports findings file is placed under /media/imports// In that, ownerid is predictable and tmpfile is in format of import, for example: import11639213059582.json This filename is...
in crater-invoice/crater
Description In recent Crater version ed6268aa tag: 5.0.3 lowest privileged user can upload PHP file instead of avatar. Proof of Concept POST /api/v1/me/upload-avatar HTTP/1.1 Host: 172.17.0.1:8888 User-Agent: Mozilla/5.0 X11; Linux x8664; rv:95.0 Gecko/20100101 Firefox/95.0 Accept: /...
in jitsi/jicofo
Description misconfigurations of nginx lead to a path traversal vulnerability. Proof of Concept according to https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md?plain=1L251 a request to /shibboleth-sp../ can get any file under /usr/share Impact An attacker can access files on the web...
Path Traversal in welliamcao/opsmanage
漏洞 README.md文件中的nginx配置存在安全漏洞,导致恶意攻击者可以任意读取项目中的文件。 POC 对于github上的demo地址,一种可行的攻击方式为: http://42.194.214.22:8000/static../ 可以看到读取到整个项目的文件。如果用户对该项目进行过二开,并在init.sql,conf/中写入了一些敏感信息,可能造成较大危害 影响 攻击者可以读取项目目录下任意文件...
Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager
Description PatrOwl is vulnerable to stored XSS. Proof of Concept Impact This vulnerability permit to an authenticate user to execute JavaScript on other users Web Browser...
Cross-site Scripting (XSS) - Reflected in tsolucio/corebos
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept. // PoC.js Link --...
Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms
Description There is exist multiple high impact CSRF that attacker can delete many part of applications contents. I provide the full list of CSRFs vulnerable endpoints for you. because the number of endpoints are too many I don't put the PoC.html of all of the vulnerable endpoints...
Inefficient Regular Expression Complexity in stylelint/stylelint
Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in stylelint. It allows causing a denial of service when calling function isKeyframeSelector. Proof of Concept // PoC.js var isKeyframeSelector = require"stylelint/lib/utils/isKeyframeSelector" forvar i ...
in flatcore/flatcore-cms
Description Even with $fcuploadaddons = false, an attacker can still upload files by making the post request Proof of Concept 1 Enable $fcuploadaddons = true. 2 Upload a PHP file, but do not send. 3 Disable $fcuploadaddons = true. 4 Send the file upload request. See that the file is still being...
Cross-site Scripting (XSS) - Stored in leantime/leantime
Description Multiple Stored XSS on featuers 'Milestones' , 'Research', 'Retrospective' at Leantime 2.1.8 Proof of Concept // PoC.req POST /leantime/public/tickets/editMilestone/ HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:94.0 Gecko/20100101 Firefox/94.0...
Cross-site Scripting (XSS) - Stored in fisharebest/webtrees
Description Stored XSS via upload file .svg allows for arbitrary execution of JavaScript Proof of Concept // PoC.req POST /demo-dev/tree/demo/add-media-file/X9222 HTTP/2 Host: dev.webtrees.net Cookie: Secure-WT-ID=63trarcpiic93psog3t8okts4h User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15;...
Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms
Description Cross site request forgery in Kunstmaan/KunstmaanBundlesCMS Proof of Concept 1. Delete function in "redirects" feature -- vulnarebility is in parameter id document.forms0.submit; Impact In a successful CSRF attack, the attacker causes the victim user to carry out an action...
Use of a Broken or Risky Cryptographic Algorithm in anonaddy/anonaddy
Description MD5 and SHA-1 are popular cryptographic hash algorithms often used to verify the integrity of messages and other data. Recent advances in cryptanalysis have discovered weaknesses in both algorithms. Consequently, MD5 and SHA-1 should no longer be relied upon to verify the authenticity...
in erikdubbelboer/phpredisadmin
Description $response is a salted md5 hash generated based on the concatenated hashed of credentials with other parameters. It has been discovered that $response compares with $data'response' using comparison operator != in file login.inc.php. This might cause unexpected behavior due to type...