4072 matches found
Multiple Authenticated Remote Code Execution Vulnerabilities in Admin Panel
Description An attacker with administrative privileges in the openEMR application can execute arbitrary code on the server remote code execution RCE. This was tested in openEMR version 7.0.0 1 but also affects previous versions of openEMR. Proof of Concept First of all, start a netcat listener on...
User can get details of the comments that were deleted
Description When a user creates a new record he can add a comment on it. The user is also able to delete the comments after which the user wont be having access to that comment like replying, checking what the comment was. This vulnerability allows any user to see what the deleted comment was and...
Bypass IP detection to brute-force password in ikus060/rdiffweb
Description In login API, by default, the IP address will be blocked when the user tries to login incorrectly more than 5 times but we can bypass this mechanism by abuse X-Forwarded-For header to bypass IP dectection and perform password brute-force. Proof of Concept POST /login/ HTTP/1.1 Host:...
Reflected XSS via "stufftype" parameter
Description The value for the stufftype parameter is reflected in the web context without proper filtering in place resulting in possibility to execute malicious javascript code. Testing Environment 1. Windows OS 2. Firefox Browser Proof of Concept 1. Visit...
Unauthenticated reading list item deletion
Description A unauthenticated user can delete any book item of any user reading list in the system without any authentication or authorization verification, via the /api/readinglist/delete-item API endpoint. Proof of Concept 1 - Send the following request, where x is the target readingListId and ...
Cross-site Scripting ( XSS) - Reflected
Description Please enter a description of the vulnerability. File pts-core/phoromatic/publichtml/public.php line 258 of public.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. Proof of Concept GET /test"alert1 HTTP/1.1 Host: localhost:8670...
Stored XSS in Part Revision
Description The application inventree is vulnerable to Stored XSS in part revision field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/1ZobGHiFXbhPG0agsH8mcg8VMsrjSuUP/view?usp=sharing...
Unvalidated Follow redirects
Description There is some kind of vulnerability class in the following redirect feature, And Guzzle is also affected by this kind of vulnerability. If the developer wants to get a URL from a third-party host and the third-party URL is also redirected to another URL, then the first crafted cookies...
Null pointer dereference at chafa-pixops.c:95
Description Null pointer dereference in hpjansson/chafa at chafa-pixops.c:95. Build export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure --disable-shared make POC ./chafa POC POC ASAN...
SQL Injection
Description A SQL Injection in rqlite store Proof of Concept use example code go package main import "io" "log" "net/http" "github.com/alexedwards/scs/rqlitestore" "github.com/alexedwards/scs/v2" "github.com/rqlite/gorqlite" var sessionManager scs.SessionManager func main // Establish connection ...
Subdomain Takeover of https://test.diagrams.net/
First of all, I apologize for reporting it here because I noticed that they have a program with huntr but only for DrawIO source code. Since I discovered this vulnerability I decided to ethically disclose it here instead of leaving it vulnerable. I found a subdomain of diagrams.net that was...
Account Takeover
Description In this case i found that api endpoint Leaking password and username. Proof of Concept 1. An Admin add a new secretary with access to providers 2. Secretary send a post request to https://demo.easyappointments.org/index.php/backendapi/ajaxgetcalendarappointments endpoint 3. If selecte...
Authenticated RCE through /admin/settings/email endpoint
Description Craftcms is vulnerable to Command Injection on the email settings, on the /admin/settings/email endpoint. An attacker can send a POST request with a specially crafted transportTypescraft\mail\transportadapters\Sendmailcommand= parameter to inject arbitrary commands that will be execut...
Html Injection
Description https://app.diagrams.net/ is vulnerable to html Injection by uploading a html file Proof of Concept 1. Goto https://app.diagrams.net/ and create a new html file with form field's and add this file in project 2. Now goto fileembedhtml and click on create after that click on preview pag...
Cross-site scripting - Stored via upload `.xsig` file
Description When user upload a file with .xsig extension and direct access this file, the server response with Content-type: text/html lead to processing XSIG as HTML file. Proof of Concept POST /facturascripts/EditAttachedFile?code=1&action=save-ok HTTP/1.1 Host: localhost User-Agent: Mozilla/5....
Improper handling of large integer values
Description In create Fee function, improper handling of large integer values in mount field value. Proof of Concept POST /demonstration/Modules.php?modname=StudentBilling/StudentFees.php HTTP/1.1 Host: www.rosariosis.org Cookie: RosarioSIS=kja39eaq6q73envhk6eo8300vgumn2612c5huvue08vgh66faog1...
Improper Access Control (IDOR)
Description Improper Access Control IDOR could leak admin information. Proof of Concept 1.Login as admin, edit a role to give permission show a user information - save 2.Login as an user with that role - go to url http://my.facturascripts.site/EditUser?code=admin&action=export&option=PDF - Can se...
Windows-Specific Relative Path Traversal vulnerability in StaticDir server
Description The fix released in version 0.19.1 does not completely fix the relative path traversal vulnerability on Windows hosts. An attacker can access files outside of the configured directory root. This is due to Windows supporting the \ character as a path separator. Proof of Concept With a...
Unrestricted Image Upload
Description When testing file upload function in Organizr 2.1.1830, there are improvement on image upload features in Image Manager. But user can bypass it by identify double extension file type method Proof of Concept 1 Login and go to Settings - Image Manager 2 Upload file with double extension...
DoS due to unrestricted hashing
Description The application accepts strings of any size as passwords and processes hashes the string to check in the database if the user exists, for example upon login. Being the hashing process resource-intensive, it can be possible to cause Denial of Service without particular processing power...
Multiple Idor
Description There are multiple idors i found. In bookmarks//edit, bookmarks//remove, bookmarks//archive, bookmarks//unarchive. It gets the object provided in the bookmarkid without checking if the owner of the object is the current user. Proof of Concept 1. Go to...
The microweber application allows large characters to insert in the input field "Leave comment" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber in microweber/microweber
Proof of Concept 1. Go to http://site/admin/view:content/action:posts 2. Create a page and enable to add comment option 3. Go to that page and there will a option called "Leave a comment" 4. Copy the below payload and put it in the "Leave a comment" field post a comment 5. Go to...
Multiple Open Redirect
Description In the /user/login endpoint, it doesnt check the value of the next parameter when the user is logged in and pass it directly to redirect which result to open redirect. The bug also exist in /user/logout, /user/register, /user/login, /user/resend-activation. Proof of Concept 1. Go to...
Uncaught Exception
Description The application is not able to handle errors, leading to expose of internal files paths. Vulnerable POC Url: https://demo.microweber.org/demo/api/saveedit Vulnerable Endpoint: demo/api/saveedit Vulnerable Parameter: database64= Request Method: POST Proof of Concept 1. Send a POST...
Improper Privilege Management in rhizome-conifer/conifer
Description In admincontroller.py file, all APIs will perform user permission checks using adminview function to avoid access from low-level users. However, this does not apply to API /api/v1/admin/defaults. Anonymous users can change maxsize configuration which prevents other users from creating...
in mruby/mruby
Description Using out of range pointer occurs in entrydeletedp. commit : ad3ce7b41c4375f818d02a24e6a09cbc790048c9 Proof of Concept $ echo -ne "MC5TJDAsKir9PTAsdjowLHY6MA==" | base64 -d poc ASAN $ ./bin/mruby.asan poc AddressSanitizer:DEADLYSIGNAL...
Business Logic Errors in dolibarr/dolibarr
Description Dolibarr is vulnerable to Business Logic Errors in the Weight, Length x Width x Height, Area, Volume fields of a Product since these values can be negative numbers. Proof of Concept 1.After login, in the top menu bar, click Products 2.In the left menu bar, click List to view the list ...
Cross-site Scripting (XSS) - Stored in mautic/mautic
Description When installing Mautic both via UI or CLI the first and last name of the admin account are not sanitised before being stored in the database. This results in a possible stored XSS possibility, as those fields are displayed and re-used without any sanitisation. During install the raw...
Exposure of Sensitive Information to an Unauthorized Actor in sscarduzio/elasticsearch-readonlyrest-plugin
Description elasticsearch-readonlyrest-plugin is using TLS. There are many serious vulnerabilities in early TLS that left unaddressed put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple of examples of how attackers have taken advantage of...
in ionicabizau/parse-url
Description urldomain validation bypass Proof of Concept parse-url not able verify urldomain properly when basic authentication is given .This allow to bypass hostname validation . Lets username is admin and password is password123@ and hostname is 127.0.0.1 . so the url will be...
Cross-Site Request Forgery (CSRF) in gunet/openeclass
Description No CSRF is provided when deleting messages. Proof of Concept The attacker could delete a specific message as they are generated consecutively and brute forcing it. history.pushState'', '', '/' or the could just delete all the messages: history.pushState'', '', '/' Impact Combining thi...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description When editing your profile, you can create social media links. However, the stored XSS vulnerability using the autofocus and onfocus attributes occurs because the double-quote is not URL-encoded in the input value of the social media link. Proof of Concept txt 1. Open the...
in gpac/gpac
Description A null pointer dereference was discovered in BDCheckSFTimeOffset. The vulnerability causes a segmentation fault and application crash. Version: ./MP4Box -version MP4Box - GPAC version 1.1.0-DEV-revUNKNOWNREV c 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Pleas...
Cross-Site Request Forgery (CSRF) in francoisjacquet/rosariosis
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
in patrowl/patrowlmanager
Description Hi there, I would like to report a vulnerability in the way PatrowlManager handle upload files. This is in Finding - Import feature Proof of Concept 1. Install PatrowlManager on you local system 2. Go to Finding - Import and import a file 3. An import request look like this POST...
Code Injection in quickbox/qb
Description While this is a theoretical finding the code seems to be vulnerable to Remote Code Execution Proof of Concept Description At line 406 you can see the following code: $process = $GET'serviceenable'; This means we can do /dashboard/inc/config.php?serviceenable=ourvalue Now between line...
Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager
Description PatrOwl is vulnerable to stored XSS in asset group name. The payload will be triggered when someone try to delete the asset group. Proof of Concept https://drive.google.com/file/d/1F7m9g7s6xp-L5QKy5ACOvndWAj8g20s/view?usp=sharing Impact This vulnerability permit to an authenticate use...
Open Redirect in openwhyd/openwhyd
Description This vulnerability was discovered in Here by @mdakh404. However, it is not patched properly and I bypassed with a simple trick. diff r.html = mainTemplate.renderWhydPager; // call the adequate renderer - if r.redirect response.redirectr.redirect; + if r.redirect...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis
Description I found XSS in the file upload function of the message function. Proof of Concept Step 1.First, access the latest version of the demo environment. "Https://www.rosariosis.org/demonstration/index.php" 2.Then log in with your student account. Student: username and password “student“...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description More CSRFs, related to warnings feature this time 1: /warnings/id/deactivate 2: /warnings/username/mass-deactivate 3: /warnings/id/restore Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to deactivate / restore warnings...
SQL Injection in glpi-project/glpi
Description A user with only the following rights on a sub-entity: - Setup General setup Read + Update - Administration Entity Read + Update is authorized to update "UI options" field from "UI customization" tab of an entity's configuration. This customization option is not correctly escaped,...
Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept Step to Reproduce: 1 Go to http://demo.corebos.com/index.php?module=Users&action=DetailView&record=1&modechk=prefview 2 add the...
SQL Injection in eventum/eventum
Description Time-Based Blind SQL Injection in eventum 3.10.7 Proof of Concept // PoC.payload // Advanced Search // Parameter: sortby priority0=0&severity0=0&users0=0&category0=0&status0=0&release0=0&rows=5&sortby=prirank AND SELECT 2168 FROM...
in bookstackapp/bookstack
Description The image extension validation service for Base64 image extraction in new Bookstack version is flawed as it uses the vulnerable trim function. This allows attackers to upload malicious files with broken extension, such as pngr, and browsers will interpret broken extension hosted on th...
in zmister2016/mrdoc
description Use of Cryptographically Weak Pseudo-Random Number Generator PRNG in Mrdoc allows an attacker to reset arbitrary user‘s password 1、/admin/sendemailvcode/,check email & generate email & send mail def sendemailvcoderequest: if request.method == 'POST': email = request.POST.get'email',No...
Code Injection in flatcore/flatcore-cms
Description Another code injection payload in linkname. Proof of Concept Insert into linkname $sleep 10 Go to http://FLATCORE-IP/flatCore-CMS/content/cache/cachelastedit.php and see that the page has stopped for 10 seconds. $ escapes the string, switches context to OS commands. Impact Blind RCE a...
Cross-site Scripting (XSS) - Stored in jspark311/buriedunderthenoisefloor
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in vuestorefront/vue-storefront
✍️ Description The secure flag is not set for session cookie "vsf-commercetools-token" in the application. Proof of Concept Check this for POC: Image Impact If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection,...