4072 matches found
Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Description I found some low/medium level CSRFs on nice snipe-it application Proof of Concepts change the state of Requestable Assets : // PoC.html history.pushState'', '', '/' restore a hardware : // PoC.html history.pushState'', '', '/'...
Session Fixation in pheditor/pheditor
Description PHPEditor session are not regenerated after every login leading to possible session fixation attacks local attack vector Proof of Concept 1. Open two browsers Browser 1: Attacker, Browser 2: Victim 2. Visit https://PHP-EDITOR/phpeditor.php server and copy cookie from Browser 1 3. Past...
Improper Access Control in collectiveaccess/pawtucket2
Description An attacker can join any user group in the Pawtucket2 interface as the URLs are not being randomised Proof of Concept Any attacker can join the Administrator group using: http://PAWTUCKETURL/pawtucket/index.php/LoginReg/joinGroup/groupid/2 An attacker can join any group by incrementin...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in blair2004/nexopos-4x
Description Session cookie nexopossession is not marked as Secure Proof of Concept 1. Open demo page https://v4.nexopos.com/sign-in using firefox; login using demo account 2. Go to Developer tool - Storage - Cookie and see that nexopossession has Secure = False...
in flarum/framework
Description Sensitive Data can be exposed even after logouting the application due to ui wrong action Proof of Concept 1 login to the application dashboard as admin https://demo.flarum.site/admin/ 2 Goto Any pages dashboard,permissions etc 3 Click logout 4 Click browser back button 5 Will Re-ente...
Open Redirect in jonschoning/espial
Description Open Redirect at add url with parameter ?next= Proof of Concept // PoC.request POST /api/add HTTP/2 Host: esp.ae8.org Cookie:...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Attacker is able to run staff commands. Proof of Concept When you logged in open this POC.html in a browser. You can run staff only tools. history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging user to unintentional run staff only tools...
Cross-site Scripting (XSS) - Generic in tsolucio/corebos
Description Generic XSS in RSS content allows for the arbitrary execution of JavaScript Proof of Concept // PoC Request Add RSS Feed POST /corebos/index.php?module=Rss&action=RssAjax&file=Popup&directmode=ajax&rssurl=http://127.0.0.1:9999/rss.xml HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0...
in osticket/osticket
Description The URL parser incorrectly parses the URL given IFrame src attributes. An attacker is able to inject iframe elements linking to arbitrary domains which can be viewed by admins, bypassing the embedded domain whitelist. Proof of Concept will render malicious-server site rather than...
Open Redirect in zikula/core
Description Open Redirect on Login with parameter ?returnUrl= Proof of Concept POST /login?returnUrl=https://google.com HTTP/2 Host: demo.ziku.la Cookie: zsid=b6g4qa64983t2tg073uh1e1rjm User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101 Firefox/93.0 Accept:...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in ledgersmb/ledgersmb
Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/1ESnBKwFef8D42A2VD3W59vXMLdWhCxS9/view?usp=sharing Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP...
Cross-site Scripting (XSS) - Stored in zoujingli/thinkadmin
Description Stored xss via name Proof of Concept 1. First goto https://v6.thinkadmin.top/admin.html/admin/base.html?type=datea&spm=m-2-4-8 and edit a data and put bellow xss payload in Data name field . xss"' Now see xss is executed VIEDO...
Cross-site Scripting (XSS) - DOM in mineweb/minewebcms
βοΈ Description A malicious actor is able to add a malicious payload as a new Navigation Bar Link Title, and after every time any users visit the main root page of the website, the XSS payload is executed and the session of whoever visits the site is compromised. π΅οΈββοΈ Proof of Concept 1; Create a...
Cross-Site Request Forgery (CSRF) in e107inc/e107
βοΈ Description Attacker or malicious user is able to change URL configuration if a logged in user visits attacker website. because lack of CSRF token π΅οΈββοΈ Proof of Concept 1.when you logged in open this POC.html in a browser 2.you can check unintentionally your search URL changed form /search.php...
Cross-Site Request Forgery (CSRF) in ikus060/rdiffweb
βοΈ Description Hello dear Rdiffweb team. I found a CSRF vulnerability on following endpoint that attackers able to Delete users with PoC.html π΅οΈββοΈ Proof of Concept 1. user with right privileges should be logged in Firefox or Safari. 2. Users go to a website that contain PoC.html 3.after visiting...
in hestiacp/hestiacp
βοΈ Description External Control of File Name or Path is a type of security flaw in which users can access resources from restricted locations on a file system. It is commonly called path traversal. If an attacker performs a path traversal attack successfully, they could potentially view sensitive...
Path Traversal in pokeapi/pokeapi
βοΈ Description A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with βdot-dot-slash ../β sequences and its variations or by using absolute file paths, it may be...
Cross-site Scripting (XSS) - Reflected in universaloj/uoj-system
βοΈ Description Cross-site Scripting XSS refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. The...
None in fisharebest/webtrees
βοΈ Description Sensitive data including username and email address is passed as query strings through GET request during registration. When the given email or username exists the database at the time of user registration, The application passes the given username and email address through GET...
Inefficient Regular Expression Complexity in nervjs/taro
βοΈ Description A ReDoS regular expression denial of service flaw was found in the @tarojs/helper package. An attacker that is able to provide crafted input as url may cause an application to consume an excessive amount of CPU. π΅οΈββοΈ Proof of Concept Create the following poc.mjs // PoC.mjs import...
Cross-site Scripting (XSS) - Stored in leantime/leantime
βοΈ Description A malicious actor is able to add "new board" with a malicious payload to any target, and upon opening the research menu, the XSS payload is being executed. π΅οΈββοΈ Proof of Concept 1; Log in with a proper roled user 2; Add a new board to the system at research menu on the left 3;...
Command Injection in yogeshojha/rengine
βοΈ Description RCE via the proxy feature of Rengine. Proxies can be added in Rengine for executables like httpx to use in a scan. This functionality can be used to inject a command and run arbitrary code. π΅οΈββοΈ Proof of Concept Add this as the only proxy in the proxy list in the Proxy settings:...
Cross-site Scripting (XSS) - Stored in yogeshojha/rengine
βοΈ Description A malicious actor is able to add "To-do" with a malicious payload to any target, and upon opening the target's summary, the XSS payload is being executed. π΅οΈββοΈ Proof of Concept 1; Create a scan with any domain 2; Start scanning the target 3; Add a "To-do" with any title and with the...
Path Traversal in os4ed/opensis-classic
βοΈ Description The module.php modname parameter in OpenSIS 8.0 is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.; π΅οΈββοΈ Proof of Concept // Modules.php GET /Modules.php?modname=../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 302...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
βοΈ Description Attacker able to reset any profile banner with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF...
Cross-Site Request Forgery (CSRF) in neorazorx/facturascripts
βοΈ Description Attacker able to delete any number of customers with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In...
Cross-site Scripting (XSS) - Reflected in znixbtw/panel-v2
βοΈ Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end userβs browser has no way to know that the script should not be trusted, and will...
Cross-site Scripting (XSS) - Stored in imran300/inventory
βοΈ Description Stored xss bug using a xss payload in the employee name when adding a new employee π΅οΈββοΈ Proof of Concept Goto http://localhost/inventory/employees/addemployee and click on add employee and copy paste the following xss payload and paste it in the EMP NAME javascript " Click on safe...
Cross-site Scripting (XSS) - Stored in ampache/ampache
βοΈ Description This is a stored XSS in the mp3 management library. π΅οΈββοΈ Proof of Concept 1. Edit meta data with Audacity: 2. Create a new playlist that contains this file. 3. Mark the album as favorite 1 and then open "Informations" - "Favorites" 2: π₯ Impact By uploading an mp3 with javascript...
Cross-site Scripting (XSS) - Stored in circuitverse/circuitverse
βοΈ Description CircuitVerse is a free, open-source platform which allows users to construct digital logic circuits online this app is vulnerable for XSS thru creating Assignments π΅οΈββοΈ Proof of Concept π₯ Impact This vulnerability is capable of stealing cookies for group members...
Cross-site Scripting (XSS) - Reflected in erudika/scoold
βοΈ Description It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser. π΅οΈββοΈ Proof of Concept...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
βοΈ Description Attacker able to delete any Sales Order with CSRF attack because there is any CSRF protection for related endpoint. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know...
Cross-site Scripting (XSS) - Reflected in forkcms/forkcms
βοΈ Description The forkcms is vulnerable to XSS through the search form π΅οΈββοΈ Proof of Concept 1. Go to http://site.com/search?form=search&qwidget=%22%3E%3Csvg/onload=alertdocument.domain%3E 2. XSS payload will be executed π₯ Impact An attacker can execute JavaScript code in the website...
Cross-Site Request Forgery (CSRF) in sergix44/xbackbone
βοΈ Description following endpoint vulnerable to CSRF: /omeka/system/deleteOrphanFiles Also there is not any different that you run The application in localhost or some real hosts, this is enough to login with a browser that used the browser for online web surfacing too. π΅οΈββοΈ Proof of Concept //...
Cross-site Scripting (XSS) - Stored in apostrophecms/apostrophe
βοΈ Description : An attacker could upload a specially crafted SVG image containing malicious scripting code. When following a link to this image, the code would be executed. π΅οΈββοΈ Proof of Concept : // PoC.js var payload = ... Link POC using Demo --...
in yiisoft/yii2
βοΈ Description Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. In this case the function that generates weak random numbers is mtrand in CaptchaAction.php at line 217. π΅οΈββοΈ Proof of Concept ?php...
in alovoa/alovoa
βοΈ Description Affected versions of this package are vulnerable to XML External Entity XXE Injection via the SAML2AssertionValidator method. Access to external entities was not disabled in XML parsing. π΅οΈββοΈ Proof of Concept org.springframework.security spring-security-oauth2-client...
Cross-Site Request Forgery (CSRF) in kestasjk/webdiplomacy
βοΈ Description CSRF bug when creating game π΅οΈββοΈ Proof of Concept no csrf token checking during gamecreate .\ Bellow request is vulnerable to csrf attack POST /gamecreate.php HTTP/1.1 Host: webdiplomacy.net User-Agent: Mozilla/5.0 X11; Ubuntu; Linux x8664; rv:88.0 Gecko/20100101 Firefox/88.0...
Cross-site Scripting (XSS) - DOM in alovoa/alovoa
βοΈ Description It is possible to run JavaScript code in the webpage by DOM unsanitized properties. The function onChangeLocal sets the value of window.location.search directly from the URL, without previous checks. π΅οΈββοΈ Proof of Concept // Vulnerable function in file fragments.html:139 function...
Use of a Broken or Risky Cryptographic Algorithm in panique/huge
βοΈ Description The function mtrand is used to generate password-reset tokens, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to enumerate password-reset tokens that...
in ethibox/stacks
βοΈ Description Please enter a description of the vulnerability. 1Visit https://github.com/ethibox/stacks/blob/master/wordpress.ymlL47-L50 for the exposed database credentials π₯ Impact This vulnerability is capable of database getting compromised...
Cross-site Scripting (XSS) - Stored in leantime/leantime
βοΈ Description Stored xss bug using a xss payload in the Hypothesis when adding a new Research π΅οΈββοΈ Proof of Concept Goto http://localhost/leancanvas/simpleCanvas and click on add new and copy paste the following xss payload javascript " Click on safe and see the xss popup with the cookie. π₯...
Cross-site Scripting (XSS) - Stored in projectsend/projectsend
βοΈ Description section parameter at Line 331 of email-templates.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at builtinecho in email-templates.php at line 331 π΅οΈββοΈ Proof of Concept Data enters in application...
Cross-site Scripting (XSS) - Stored in devcode-it/openstamanager
βοΈ Description Stored xss through file upload via anagrafiche π΅οΈββοΈ Proof of Concept Go to an existing Anagrafiche or create a new one. Upload a .svg file with the following content: javascript alertdocument.cookie; give a name you want ending with .svg store-xss.svg for example. when you click on...
Cross-Site Request Forgery (CSRF) in bigprof-software/online-invoicing-system
βοΈ Description The /app/admin/pageDeleteMember.php?memberID= does not have a CSRF protection. This could be used by attackers to trick the admin to delete a member from their invoice system. π΅οΈββοΈ Proof of Concept For this attack to work, a logged in admin, should visit the POC page...
OS Command Injection in falconchristmas/fpp
βοΈ Description Application is reading invalidated user input at Line 44 through: $plugin = $pluginInfo'repoName';. Line 57 in plugin.php calls system to execute a command. This might allow an attacker to inject malicious commands. π΅οΈββοΈ Proof of Concept SCREENSHOT:...
in alovoa/alovoa
βοΈ Description Random.setSeed should not be called with a constant integer argument. If a Random object is seeded with a specific value, the values returned by Random.nextInt and similar methods which return or assign values are predictable. π΅οΈββοΈ Proof of Concept Vulnerable code of:...
Heap-based Buffer Overflow in squell/id3
βοΈ Description While testing id3 built from commit 0de713 with Clang 13 +ASan on Ubuntu 20.04.2, we discovered a POC which triggers a heap-buffer-overflow in tag::unbinarize. This particular flaw was discovered with the help of honggfuzz. π΅οΈββοΈ Proof of Concept echo...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
βοΈ Description Hi, there are 2 potential reflected XSS in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/restartRemoteFPPD.phpL16 : php $ip = $GET'ip'; // if isset$GET'mode' echo "Setting FPPD mode @ $ip\n"; // echo "Restarting FPPD @ $ip\n"; The ip...
Improper Privilege Management in dolibarr/dolibarr
π₯ BUG unprivileged user can see all details of a product π₯ STEP TO REPRODUCE 1. From admin account add user B as normal user .\ Now dont give any permission for Product module for user B .\ So, user B should not see any product details .\ \ 2. Now from admin create a product .\ \ 3. Finally goto...