4072 matches found
Path Traversal - Archiving Files to Zip
Description The Tiny File Manager pack files feature is vulnerable to path traversal, which allows an attacker to access files that reside outside the web document root directory. The vulnerability occurs as the "file" parameter is not sanitized properly, thus allowing a malicious user to input...
Insecure Temporary File
Description transformers package is using the deprecated function tempfile.mktemp which is not secure. Because a different process may create a file with this name in the time between the call to mktemp and the subsequent attempt to create the file by the first process. Functions that create...
No Protection against Bruteforce attacks on Login page
Description Webpage manager does not limit unsuccessful login attempts allowing Brute Forcing. Proof of Concept 1. Register the account. 2. Logout the account and try to login with the different password. 3. Take the request into Burp suite intruder, set the payload list to 30for testing. 4. The...
CSRF on SSL certificates deletion
📜 Description Cross-site request forgery also known as CSRF is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform using form submissions. It allows an attacker to partly circumvent the same origin policy, which is designed to...
SQL Injection via lang parameter/RCE when PostgreSQL is used
Description There is a SQL injection vulnerability in the lang parameter of phpmyfaq/ajaxservice.php?action=savefaq endpoint. Vulnerable code starts at ajaxservice.php line 369, specifically the isnull$faqId && !isnull$categories'rubrik' part: php if !isnull$author && !isnull$email &&...
Multiple Authenticated Remote Code Execution Vulnerabilities in Admin Panel
Description An attacker with administrative privileges in the openEMR application can execute arbitrary code on the server remote code execution RCE. This was tested in openEMR version 7.0.0 1 but also affects previous versions of openEMR. Proof of Concept First of all, start a netcat listener on...
User can get details of the comments that were deleted
Description When a user creates a new record he can add a comment on it. The user is also able to delete the comments after which the user wont be having access to that comment like replying, checking what the comment was. This vulnerability allows any user to see what the deleted comment was and...
Bypass IP detection to brute-force password in ikus060/rdiffweb
Description In login API, by default, the IP address will be blocked when the user tries to login incorrectly more than 5 times but we can bypass this mechanism by abuse X-Forwarded-For header to bypass IP dectection and perform password brute-force. Proof of Concept POST /login/ HTTP/1.1 Host:...
Reflected XSS via "stufftype" parameter
Description The value for the stufftype parameter is reflected in the web context without proper filtering in place resulting in possibility to execute malicious javascript code. Testing Environment 1. Windows OS 2. Firefox Browser Proof of Concept 1. Visit...
Unauthenticated reading list item deletion
Description A unauthenticated user can delete any book item of any user reading list in the system without any authentication or authorization verification, via the /api/readinglist/delete-item API endpoint. Proof of Concept 1 - Send the following request, where x is the target readingListId and ...
Cross-site Scripting ( XSS) - Reflected
Description Please enter a description of the vulnerability. File pts-core/phoromatic/publichtml/public.php line 258 of public.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. Proof of Concept GET /test"alert1 HTTP/1.1 Host: localhost:8670...
Stored XSS in Part Revision
Description The application inventree is vulnerable to Stored XSS in part revision field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/1ZobGHiFXbhPG0agsH8mcg8VMsrjSuUP/view?usp=sharing...
SQL injection at exportUsers function
Description SQL injection at exportUsers function via sort query parameter Proof of Concept GET /index.php?q=/api/leadmall/statistical&behavior=exportGoods&sort="updatexmlrand,concatCHAR126,version,CHAR126,null--+-":"asd" HTTP/1.1 Host: demo.leadshop.vip Cookie:...
Unvalidated Follow redirects
Description There is some kind of vulnerability class in the following redirect feature, And Guzzle is also affected by this kind of vulnerability. If the developer wants to get a URL from a third-party host and the third-party URL is also redirected to another URL, then the first crafted cookies...
Null pointer dereference at chafa-pixops.c:95
Description Null pointer dereference in hpjansson/chafa at chafa-pixops.c:95. Build export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure --disable-shared make POC ./chafa POC POC ASAN...
SQL Injection
Description A SQL Injection in rqlite store Proof of Concept use example code go package main import "io" "log" "net/http" "github.com/alexedwards/scs/rqlitestore" "github.com/alexedwards/scs/v2" "github.com/rqlite/gorqlite" var sessionManager scs.SessionManager func main // Establish connection ...
Subdomain Takeover of https://test.diagrams.net/
First of all, I apologize for reporting it here because I noticed that they have a program with huntr but only for DrawIO source code. Since I discovered this vulnerability I decided to ethically disclose it here instead of leaving it vulnerable. I found a subdomain of diagrams.net that was...
Account Takeover
Description In this case i found that api endpoint Leaking password and username. Proof of Concept 1. An Admin add a new secretary with access to providers 2. Secretary send a post request to https://demo.easyappointments.org/index.php/backendapi/ajaxgetcalendarappointments endpoint 3. If selecte...
Authenticated RCE through /admin/settings/email endpoint
Description Craftcms is vulnerable to Command Injection on the email settings, on the /admin/settings/email endpoint. An attacker can send a POST request with a specially crafted transportTypescraft\mail\transportadapters\Sendmailcommand= parameter to inject arbitrary commands that will be execut...
Html Injection
Description https://app.diagrams.net/ is vulnerable to html Injection by uploading a html file Proof of Concept 1. Goto https://app.diagrams.net/ and create a new html file with form field's and add this file in project 2. Now goto fileembedhtml and click on create after that click on preview pag...
Cross-site scripting - Stored via upload `.xsig` file
Description When user upload a file with .xsig extension and direct access this file, the server response with Content-type: text/html lead to processing XSIG as HTML file. Proof of Concept POST /facturascripts/EditAttachedFile?code=1&action=save-ok HTTP/1.1 Host: localhost User-Agent: Mozilla/5....
Improper handling of large integer values
Description In create Fee function, improper handling of large integer values in mount field value. Proof of Concept POST /demonstration/Modules.php?modname=StudentBilling/StudentFees.php HTTP/1.1 Host: www.rosariosis.org Cookie: RosarioSIS=kja39eaq6q73envhk6eo8300vgumn2612c5huvue08vgh66faog1...
Improper Access Control (IDOR)
Description Improper Access Control IDOR could leak admin information. Proof of Concept 1.Login as admin, edit a role to give permission show a user information - save 2.Login as an user with that role - go to url http://my.facturascripts.site/EditUser?code=admin&action=export&option=PDF - Can se...
Windows-Specific Relative Path Traversal vulnerability in StaticDir server
Description The fix released in version 0.19.1 does not completely fix the relative path traversal vulnerability on Windows hosts. An attacker can access files outside of the configured directory root. This is due to Windows supporting the \ character as a path separator. Proof of Concept With a...
Unrestricted Image Upload
Description When testing file upload function in Organizr 2.1.1830, there are improvement on image upload features in Image Manager. But user can bypass it by identify double extension file type method Proof of Concept 1 Login and go to Settings - Image Manager 2 Upload file with double extension...
DoS due to unrestricted hashing
Description The application accepts strings of any size as passwords and processes hashes the string to check in the database if the user exists, for example upon login. Being the hashing process resource-intensive, it can be possible to cause Denial of Service without particular processing power...
Multiple Idor
Description There are multiple idors i found. In bookmarks//edit, bookmarks//remove, bookmarks//archive, bookmarks//unarchive. It gets the object provided in the bookmarkid without checking if the owner of the object is the current user. Proof of Concept 1. Go to...
The microweber application allows large characters to insert in the input field "Leave comment" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber in microweber/microweber
Proof of Concept 1. Go to http://site/admin/view:content/action:posts 2. Create a page and enable to add comment option 3. Go to that page and there will a option called "Leave a comment" 4. Copy the below payload and put it in the "Leave a comment" field post a comment 5. Go to...
Multiple Open Redirect
Description In the /user/login endpoint, it doesnt check the value of the next parameter when the user is logged in and pass it directly to redirect which result to open redirect. The bug also exist in /user/logout, /user/register, /user/login, /user/resend-activation. Proof of Concept 1. Go to...
Uncaught Exception
Description The application is not able to handle errors, leading to expose of internal files paths. Vulnerable POC Url: https://demo.microweber.org/demo/api/saveedit Vulnerable Endpoint: demo/api/saveedit Vulnerable Parameter: database64= Request Method: POST Proof of Concept 1. Send a POST...
Improper Privilege Management in rhizome-conifer/conifer
Description In admincontroller.py file, all APIs will perform user permission checks using adminview function to avoid access from low-level users. However, this does not apply to API /api/v1/admin/defaults. Anonymous users can change maxsize configuration which prevents other users from creating...
in mruby/mruby
Description Using out of range pointer occurs in entrydeletedp. commit : ad3ce7b41c4375f818d02a24e6a09cbc790048c9 Proof of Concept $ echo -ne "MC5TJDAsKir9PTAsdjowLHY6MA==" | base64 -d poc ASAN $ ./bin/mruby.asan poc AddressSanitizer:DEADLYSIGNAL...
Business Logic Errors in dolibarr/dolibarr
Description Dolibarr is vulnerable to Business Logic Errors in the Weight, Length x Width x Height, Area, Volume fields of a Product since these values can be negative numbers. Proof of Concept 1.After login, in the top menu bar, click Products 2.In the left menu bar, click List to view the list ...
Cross-site Scripting (XSS) - Stored in mautic/mautic
Description When installing Mautic both via UI or CLI the first and last name of the admin account are not sanitised before being stored in the database. This results in a possible stored XSS possibility, as those fields are displayed and re-used without any sanitisation. During install the raw...
Exposure of Sensitive Information to an Unauthorized Actor in sscarduzio/elasticsearch-readonlyrest-plugin
Description elasticsearch-readonlyrest-plugin is using TLS. There are many serious vulnerabilities in early TLS that left unaddressed put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple of examples of how attackers have taken advantage of...
in ionicabizau/parse-url
Description urldomain validation bypass Proof of Concept parse-url not able verify urldomain properly when basic authentication is given .This allow to bypass hostname validation . Lets username is admin and password is password123@ and hostname is 127.0.0.1 . so the url will be...
Cross-Site Request Forgery (CSRF) in gunet/openeclass
Description No CSRF is provided when deleting messages. Proof of Concept The attacker could delete a specific message as they are generated consecutively and brute forcing it. history.pushState'', '', '/' or the could just delete all the messages: history.pushState'', '', '/' Impact Combining thi...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description When editing your profile, you can create social media links. However, the stored XSS vulnerability using the autofocus and onfocus attributes occurs because the double-quote is not URL-encoded in the input value of the social media link. Proof of Concept txt 1. Open the...
in gpac/gpac
Description A null pointer dereference was discovered in BDCheckSFTimeOffset. The vulnerability causes a segmentation fault and application crash. Version: ./MP4Box -version MP4Box - GPAC version 1.1.0-DEV-revUNKNOWNREV c 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Pleas...
Cross-Site Request Forgery (CSRF) in francoisjacquet/rosariosis
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
in patrowl/patrowlmanager
Description Hi there, I would like to report a vulnerability in the way PatrowlManager handle upload files. This is in Finding - Import feature Proof of Concept 1. Install PatrowlManager on you local system 2. Go to Finding - Import and import a file 3. An import request look like this POST...
Code Injection in quickbox/qb
Description While this is a theoretical finding the code seems to be vulnerable to Remote Code Execution Proof of Concept Description At line 406 you can see the following code: $process = $GET'serviceenable'; This means we can do /dashboard/inc/config.php?serviceenable=ourvalue Now between line...
Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager
Description PatrOwl is vulnerable to stored XSS in asset group name. The payload will be triggered when someone try to delete the asset group. Proof of Concept https://drive.google.com/file/d/1F7m9g7s6xp-L5QKy5ACOvndWAj8g20s/view?usp=sharing Impact This vulnerability permit to an authenticate use...
Open Redirect in openwhyd/openwhyd
Description This vulnerability was discovered in Here by @mdakh404. However, it is not patched properly and I bypassed with a simple trick. diff r.html = mainTemplate.renderWhydPager; // call the adequate renderer - if r.redirect response.redirectr.redirect; + if r.redirect...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis
Description I found XSS in the file upload function of the message function. Proof of Concept Step 1.First, access the latest version of the demo environment. "Https://www.rosariosis.org/demonstration/index.php" 2.Then log in with your student account. Student: username and password “student“...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description More CSRFs, related to warnings feature this time 1: /warnings/id/deactivate 2: /warnings/username/mass-deactivate 3: /warnings/id/restore Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to deactivate / restore warnings...
SQL Injection in glpi-project/glpi
Description A user with only the following rights on a sub-entity: - Setup General setup Read + Update - Administration Entity Read + Update is authorized to update "UI options" field from "UI customization" tab of an entity's configuration. This customization option is not correctly escaped,...
Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept Step to Reproduce: 1 Go to http://demo.corebos.com/index.php?module=Users&action=DetailView&record=1&modechk=prefview 2 add the...