4072 matches found
Infinite recursive function calls result in stack overflow
Description When providing certain input, the program will enter an infinite loop where it continually calls: getexprregister - cmdlinehandlebackslashkey - getcmdline - getcmdlineint - cmdlinehandlebackslashkey - getexprregister - etc. GDB shell Thread debugging using libthreaddb enabled Using ho...
FULL read SSRF
Description there is two bypass method for previous fixes of SSRF in gogs The first is to utilize SSRF attack with a DNS rebinding feature. The second is to use redirection to a localhost URL. Proof of Concept 1- go to the webhooks section and create a gogs webhook. 2- enter an URL that redirects...
Remote Command Execution in uploading repository file
Description When uploading a file to the repository in Gogs, the treepath parameter is not been validated. The attacker can set treepath=/.git/ to upload file into the .git directory. Rewrite .git/config file and set core.sshCommand, which leads to remote command execution vulnerability. Proof of...
NULL Pointer Dereference
Description There is a NULL Pointer Dereference in mrbvmexec vm.c:1929. This bug has been found on mruby lastest commit hash c2f7ed514dfa0fcae2e7e72d51f25be3d3d6d72c on Ubuntu 20.04 for x8664/amd64. Proof of Concept 1- Clone repo and build with ASAN using MRUBYCONFIG=buildconfig/clang-asan.rb rak...
Authorization Bypass Through User-Controlled Key
Description url-parse is unable to find the correct hostname when no port number is provided in the url. Payload: http://example.com: Proof of Concept javascript var Url = require'url-parse'; var PAYLOAD = "http://example.com:"; // Expected hostname: example.com // Actual hostname by url-parse:...
Static Code Injection in playframework/play-samples
Description "play-samples" project uses the vulnerable log4j library 2.17.0. This can cause potential RCE vulnerability on the project. Vulnerability: CVE-2021-44832 Remote Code Execution. Another reference from Apache for CVE-2021-44832. You should upgrade the log4j library to latest version...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Steps To Reproduce: 1. 1. Navigate to the campaigns section 2. 2. Click on "Create a ongoing campaign" 3. 3. Fill title, message, inbox and URL 4. 4. Then click on "Create" and intercept it 5. 5. Change your url's value to javascript:alert1 for example "url" : "https://google.com" to "url" :...
Command Injection in parse-community/parse-server
Description This is a Remote Code Execution vulnerability in the Parse Server. This vulnerability affects the Parse Server in the default configuration with MongoDB, probably a similar attack can affect the PostgreSQL storage as well. The main weakness that leads to RCE is the Prototype Pollution...
OS Command Injection in ohmyzsh/ohmyzsh
Description In Oh My Zsh, there is a function called omzurldecode, which is used to decode URLs. Since this function is using eval with user inputs without any sanitization, it's possible to inject arbitrary commands into the eval context, which allows an attacker to achieve the command injection...
Sensitive Cookie Without 'HttpOnly' Flag in pkp/ojs
✍️ Description HTTPOnly attribute is not set for session cookies "OJSSID" in the application. Proof of Concept Check this for POC: Image Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These...
in hestiacp/hestiacp
✍️ Description $SESSION"token" is a csrf token which is a md5 hash generated based on system time. It has been discovered that $SESSION"token" compares with $GET"token" using comparison operator != in file index.php. This might cause unexpected behavior due to type juggling. It is possible to...
Cross-site Scripting (XSS) - Stored in bookstackapp/bookstack
✍️ Description There is html tag filtration problem in "book page" egit leading to stored XSS. By design "bad" tags and attributes stripped on client side when editing pageobvious bypass by editing request intercepted via burp and on server side addition filter applied, however this filter can be...
Prototype Pollution in automattic/mongoose
✍️ Description Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Mongoose supports both promises and callbacks. mongoose.Schema is subject to prototype pollution due to the recursively calling of Schema.prototype.add function to add new items into the...
Cross-site Scripting (XSS) - Generic in ciur/papermerge
:book: Description Papermerge is an open source document management system DMS primarily designed for archiving and retrieving your digital documents. Instead of having piles of paper documents all over your desk, office or drawers - you can quickly scan them and configure your scanner to directl...
Prototype Pollution in yargs/y18n
Description y18n is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js const y18n = require'y18n'; var obj = console.log"Before : " +...
No rate limit on sending magic link to sign-in
Description It was observed that rate limit is not being implemented on sending magic link , which allows an attacker to spam the victims mailbox. Affected URL : https://app.vrite.io/api/v1/auth.sendMagicLink?batch=1 Proof of Concept 1. Visit - https://app.vrite.io/auth 2. select option "continue...
heap-buffer-overflow in utf_ptr2char
Description Heap-buffer-overflow in utfptr2char at mbyte.c:1825. vim version git log commit f0300fc7b81e63c2584dc3a763dedea4184d17e5 grafted, HEAD - master, tag: v9.0.1365, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc8hbo.dat -c :qa...
Authentication Bypass for users with MD5 password hash
Setup - OS: Ubuntu 22.04.2 LTS - Froxlor: 2.0.12 - PHP: 8.1.2 Description Froxlor still supports logins for passwords that are stored as MD5 hash in the database. The hash comparison is done with "==" instead of "===" which causes a type confusion vulnerability in PHP. For some MD5 hashes it is...
File Upload Type Validation Error
Description The application does not properly validate the file type or extension during the upload process, allowing any authenticated user to bypass it . StepsTOReproduce - Navigate to this URL:https://demo.bumsys.org/settings/shop-list/ - Click on action button to edit the Profile - Click on...
XSS at app.diagrams.net
Description The application allows the "use" tag to pass on dompurify, which leads to XSS. A strange behaviour bypasses the csp on app.diagrams.net when it has a "?" before the "U" import. Proof of Concept POC diagram: use...
Heap-based buffer overflow in function ins_compl_add
Description Heap-based buffer overflow in function inscompladd at insexpand.c:751 Version commit b8329db36a886355e6e9cb9986a3668fef78c438 HEAD - master, tag: v9.0.0044 Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc42min -c :qa!...
Multiple Reflected XSS Vulnerabilities in error handlers
Description Multiple routing error handlers are vulnerable to reflected XSS. Proof of Concept Deploy trilium server and access to these endpoint will execute the alert js function. http://localhost:8080/custom/%3Cscript%3Ealert1%3C/script%3E...
Session tokens are not invalidated on logout
Description The session cookie is not invalidated on logout so, it can be used after logout as well. Proof of Concept Login to the Nakama console. Intercept the request. Below is a sample request: http GET /v2/console/user HTTP/1.1 Host: localhost:7351 Accept: application/json, text/plain, /...
SQL injetction
Description SQL injection exists in the camptocamp/terraboard. Among all APIs there is an API routed to /api/search/attribute, whose corresponding method is api.SearchAttribute. In the api.SearchAttribute method, the program takes the request parameters and passes them into the db.SearchAttribute...
Out-of-bounds write in function vim_regsub_both
Description Out-of-bounds write in function vimregsubboth at regexp.c:1954 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobws.dat -c :qa!...
Cross-site Scripting (XSS)
Proof of Concept Steps to reproduce: Naviagate the below URL URL: https://demo.contao.org/contao/" Here Some Image POC Attached...
stored xss due to unsantized anchor url
BUG ====== stored xss due to unsantized anchor url SUMMURY ========= using fullpage.js you can create a anchor tag . But when put href in anchor then it does not sanitize the url which allow to break context of anchor element and can add our new element . I see main javascript or other javascript...
XSS vulnerability with default `onCellHtmlData` function
Description If you can jam some nasty code into a table-cell, you can force this script to perform arbitrary javascript when someone tries to export the table using this library. An example used against us was: " It looks like, if you don't specify an onCellHtmlData function, the default one is...
SSRF filter bypass port 80, 433
Description To exploit vulnerability, someone must pass a "base" parameters with a url multi-port to bypass filter check. Proof of Concept GET /index.php/cobrowse/proxycss/1?base=http://evil:8888:80/&css=index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:99...
Improper Authorization
Description A low-privilege user I tested it with Editor priv user can create any role in the application. Proof of Concept Make a POST request to /Admin/Roles/Create using low-priv user's cookie and RequestVerificationToken A new role will be created with the specified name. Impact A low-priv us...
Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch
Description The Authorization header leaks from same hostname https-http redirect. If https://example.com redirects to http://example.com, then an attacker who can listen in on the wire or perform a MITM attack will be able to receive the Authorization header due to the use of the insecure HTTP...
Heap-based Buffer Overflow in vim/vim
Description 2 Heap-buffer-overflow on write in vim 1 Heap-buffer-overflow on read in vim Heap-buffer-overflow on write in vim 1 Proof of Concept Steps to reproduce: echo -n cmV0ODAwCnMvXHYvCQpzZSBhaQpzaWwwbm9ybTppDQ== | base64 -d heapowpoc1 vim -u NONE -i NONE -n -X -Z -e -m -s -S heapowpoc1 -c...
Improper Authentication in liukuo362573/yishaadmin
Description Hi, I would like to report an improper authentication vulnerability in https://www.github.com/liukuo362573/yishaadmin. Endpoint "/admin/OrganizationManage/User/ExportUserJson" does not require any authentication and return xls file contain users data like username, fullname, email,...
in log4js-node/log4js-node
BUG ======== any unprivileged user can see log file and sensitive information disclosed SUMMURY ============ log4js create log file to store the log . Log may contain many sentsitive information like username,password,token,api-key etc .\ So, this log file should not accessed by other user .\ But...
Heap-based Buffer Overflow in vim/vim
Description Heap-buffer-overflow in vim Command ./vim -u NONE -X -Z -e -s -S minpoc -c :qa! Proof of Concept minpoc is here. bt Program received signal SIGABRT, Aborted. GIraise sig=sig@entry=6 at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or...
Heap-based Buffer Overflow in vim/vim
Description Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Versio...
Code Injection in namelessmc/nameless
✍️ Description Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper...
Server-Side Request Forgery (SSRF) in apostrophecms/apostrophe
✍️ Description Rendering Of SVG file causes SSRF 🕵️♂️ Proof of Concept /image.jpeg" / upload the svg file with the payload mentioned above change server name and preview it. then check the server for incoming request. 💥 Impact SSRF basic attack - host redirect , further researches of this attack...
Command Injection in sebhildebrandt/systeminformation
Description systeminformation is vulnerable to Command Injection vulnerability. It is possible to send an array containing OS commands, which bypass the filters. Proof of Concept 1. Create a Javascript file with the content below: javascript const si = require'systeminformation'; const command =...
Prototype Pollution in lukeed/dset
Description dset is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var dset = require"dset" var obj = console.log"Before : " + .polluted; dsetobj, 'proto.polluted', 'Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute the following...
Prototype Pollution in robinvdvleuten/shvl
Description shvl is vulnerable to Prototype Pollution. This package fails to restrict access to prototypes of objects, allowing for modification of prototype behavior using a proto payload, which may result in Sensitive Information Disclosure/Denial of ServiceDoS/Remote Code Execution. Proof of...
Denial of Service in manolo/gwtupload
Overview com.googlecode.gwtupload:gwtupload is a library for uploading files to web servers, showing a progress bar with real information about the process file size, bytes transferred, etc. Affected versions of this package are vulnerable to Denial of Service DoS. server/UploadServlet.java the...
Code Injection in commenthol/safer-eval
Overview safer-eval is a safer approach for eval in node and browser. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError: Maximum call stack size exceeded. Proof of Concept Credit: Jonathan Leitschuh js const theFunction = function const f =...
Arbitrary File Read via Prompt Tag Source Validation Bypass in CreateModelVersion
The createmodelversion handler in mlflow/server/handlers.py uses a client-controlled tag to decide whether to skip source path validation. When a CreateModelVersion request includes the tag mlflow.prompt.isprompt, the helper ispromptrequest returns True, and the entire source validation block...
Heap-use-after-free in function buflist_altfpos in vim
Description Heap-use-after-free in function buflistaltfpos at buffer.c:3703 Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf -c :qa! ==1404==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000011940 at pc 0x0000004a4dbe bp 0x7ffc6204d090 sp 0x7ffc6204d080 READ of...
RCE in developer mode
Description Nuxt contains a test-component-wrapper component. This is used to mount a single component for testing. This component has a dynamic import function which accepts arbitrary user input on the server side. This pattern will almost always lead to an RCE bug. Requirements & Notes The serv...
XSS in Seo & Settings tab of Documents in pimcore/pimcore
Description pimcore is vulnerable to XSS at Title field in SEO & Settings tab of Document. Proof of Concept 1.Go to https://demo.pimcore.fun/admin/ and login. 2.In Documents, go to home - click on SEO & Settings icon to go to this tab. 3.In the SEO & Setting tab, input the payload " into the Titl...
Incorrect Calculation of Buffer Size in function yank_copy_line
Description Incorrect Calculation of Buffer Size in function yankcopyline at register.c:1468 vim version git log commit 657aea7fc47fb919ce76fad64ba0ec55a1af80f1 HEAD - master, tag: v9.0.1249, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocnsp01s.dat -c :qa!...
Use After Free in Function qf_buf_add_line( )
Description Hello there! How are you doing? I just used the PoC of this previous report as a valid input for fuzzing, and ended up finding what it seems to be a new case of Use After Free, with a slightly different input. The last commit in which I tested it was...
Stack-based Buffer Overflow in function spell_dump_compl
Description Stack-based Buffer Overflow in function spelldumpcompl at spell.c:4038 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD - master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocsbo1s.dat -c :qa!...