4074 matches found
Cross-site Scripting (XSS) - Generic in mailtrain-org/mailtrain
✍️ Description Stored xss via campaign file upload 🕵️♂️ Proof of Concept 1. First goto http://localhost:3000/campaigns and open a campaign . 2.Now in linux create a file with bellow name. 3. Now upload the created file in the above capaign http://localhost:3000/campaigns/1/files and see xss is...
Code Injection in storybookjs/telejson
✍️ Description telejson is a library for teleporting rich data to another place. The telejson.reviver which is used to parse string data back to json structure can be abused to execute arbitrary code when the lazyEval option is set to false i.e., disabled. The root cause is the attackers can...
Cross-site Scripting (XSS) - Generic in forkcms/forkcms
✍️ Description A cross-site scripting XSS issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publishontime" Parameter 🕵️♂️ Proof of Concept Vulnerable Parameter: publishontime XSS payload: 17:59'"&%alert1 Steps to reproduce issue 1- Login to Fork admin panel 2-...
Code Injection in dimodimchev/access-control
Description Access-Control package is vulnerable to Arbitary Code Execution due to insecure yaml desearilization. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept steps to reproduce: python import os os.system'git clone...
Prototype Pollution in fabiospampinato/plain-object-merge
Description plain-object-merge is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const merge = require'plain-object-merge' console.log'Before: ' + .polluted merge, JSON.parse'"proto": "polluted": true' console.log'After: ' + .polluted 2...
Prototype Pollution in alexandervu/dot-prop-opt
Description dot-prop-opt is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'dot-prop-opt' console.log'Before: ' + .polluted set, 'proto.polluted', true console.log'After: ' + .polluted 2. Execute the following commands...
Code Injection in spotify/postgresql-metrics
Description Tool that extracts and provides metrics on your PostgreSQL database Vulnerability discription unsafe loading of data by the yaml.load function leading to Arbitrary code execution. Proof of Concept Vulnerable code part python readconfigdict = yaml.loadf...
Prototype Pollution in x-extends/xe-utils
Description xe-utils is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'xe-utils' console.log'Before: ', .polluted set, 'proto.polluted', true console.log'After: ', .polluted 2. Execute the following commands in the...
Prototype Pollution in badopcode/nodash
Description ts-nodash is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var merge = require"ts-nodash".Merge const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " + .polluted; mergeobj, payload;...
Prototype Pollution in acstll/deep-get-set
Description deep-set-get is a Set and get values on objects via dot-notation strings. This package is vulnerable to prototype pollution. POC const deep = require'deep-get-set'; deep,'proto','polluted',true; console.logpolluted;...
Prototype Pollution in whitfin/dot-notes-js
Overview dot-notes is a Two way conversions between objects and dot/bracket notation. This package are vulnerable to Prototype Pollution via. the create function. Proof of Concept const dots = require'dot-notes'; dots.create, 'proto.polluted', true; console.logpolluted;...
Path Traversal in youngerheart/nodeserver
Overview nodeserver is a Achieve node server's domain name resolution and web application's router, this package is vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server. For example, requesting the following URL: /../../etc/passwd would result in...
Command Injection in sh0ji/git-tags-remote
Overview git-tags-remote is a Get remote repository tags, this package is vulnerable to Command Injection. The package fails to sanitize the repository input and passes it directly to an exec call on the get function . This can allow attackers to execute arbitrary code in the system if the...
Code Injection in sidorares/node-wrk
Description The wrk module is vulnerable against RCE since a command is crafted using user inputs not validated and then executed, leading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js var wrk = require'wrk'; wrk threads: 1, connections: 's','aaa', duration:...
CWE-346: CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat`
This report is not public...
Git Argument Injection via Reference Field in GitHubRepository Block
This report is not public...
Hardcoded trust_remote_code=True in Model Implementations Bypasses User Security Control
This report is not public...
Authentication Bypass on FastAPI Routes (Job API, OTel API) When Basic Auth Enabled
Summary When MLflow is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI, the FastAPI permission middleware only enforces authentication on /gateway/ routes. All other FastAPI routes -- including the Job API /ajax-api/3.0/jobs/ and the OpenTelemetry trace...
SSRF in MLflow via user-controlled webhook URL parameter
Description A Server-Side Request Forgery SSRF vulnerability exists in the webhook creation functionality of MLflow. The createwebhook handler accepts a user-controlled url parameter and stores it without any validation. When webhooks are tested or triggered, the sendwebhookrequest function sends...
H2O-3 PostgreSQL Driver RCE - Bypassing CVE-2025-6544 Mitigation
Description A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The current security mitigation implemented in H2O-3 relies on a parameter blacklist mechanism that exclusively targets MySQL JDBC...
A malicious manifests can lead to DoS due to unchecked array bound access via network in ollama/ollama
This report is not public...
CSRF in Cancel Reviewer and Reinstate Reviewer
Description CSRF in Cancel Reviewer and Reinstate Reviewer Proof of Concept Link Poc I attach the Poc link below. Thank You. https://drive.google.com/drive/folders/1QA5Kz6w2AgYdFDoDX2hHWK0zHAPoWt?usp=sharing...
CSRF edit Blacklist settings( YES to NO)
Description CSRF edit Blacklist settings Proof of Concept 1 .For example, the data fields in the Blacklist settings are all set to: YES. 2 .The attacker sends a fake form to the user: history.pushState'', '', '/'; document.forms0.submit; 3 .User Clicked, changed the setting to NO, which the user...
Store XSS at Label sets list in (Version 6.2.7)
Description First of all, I apologize for reporting back. I noticed, the latest current version is 6.2.7. XSS vulnerabilities still exist Proof of Concept Detail: 1 .Login and access Label sets list 2 .Create new label set 3 . Insert payload in to Title haido" onclick="alert1 4 .Click save ==...
CSRF Logout
Description Bad actor can send to victim link ie. obfuscated with payload /logout and if victim will use it - can change the state of user logged in/logged out. Proof of Concept As logged in user open in new browser tab this site https://app.vrite.io/session/logout Go back to previous tab, refres...
privilege escalation bug to creation survey-group with others group as parent
BUG ======= privilege escalation bug to creation survey-group with others group as parent\ ACCOUNT ============= 1. user-A -- superadmin\ 2. user-B -- normal user\ user-B has only create permission in survey-group . does not have view permission in survey group\ as user-B does not have view...
Multiple Stored XSS Found
Description Stored XSS Cross-Site Scripting is a type of web security vulnerability caused by improper input validation and inadequate data sanitization in a web application. It occurs when an attacker injects malicious scripts usually in the form of HTML or JavaScript into a website's database o...
XSS in function navigateTo
Vunerability The check for external links checks if the protocol is script:, which is not a valid protocol and allows the user to provide a valid javascript payload using javascript: protocol. ts if isExternal && parseURLtoPath.protocol === 'script:' throw new Error'Cannot navigate to an URL with...
Reflected XSS at upload file
Description 1/ Access to the demo website and login at this case I used user admin 2/ At function upload photo to an album, try upload a file with the name is payload XSS. 3/ The payload will be triggered at error content. Proof of Concept Video PoC:...
Improper Control of Generation of Code
Description Kimai Plugin EasyBackupBundle allows admins to edit mysql commands from the configuration tab, an attacker can append arbitrary commands to achieve code execution. This can be also extended to an arbitrary file read while specifying filenames such as /etc/passwd in backup. Proof of...
CSRF in Question Themes function
Description The web application is vulnerable to CSRF in the toggle visibility of question themes. Proof of Concept Step 1: Login as user who has permission to access themes function. Step 2: Host an HTML trap page and send the URL to the victim history.pushState'', '', '/'; document.forms0.submi...
CSRF in the delete notification function
Description The web application is vulnerable to CSRF in the delete notification function. Proof of Concept Step 1: See that user demo has some notifications. Step 2: Host an HTML trap page and send the URL to the victim history.pushState'', '', '/' document.forms0.submit; And the malicious URL...
SQL injection in the delete action of the file add_edit_event.php
Description We have discovered that the SQL injection vulnerability can be exploited through the file /interface/main/calendar/addeditevent.php, allowing an attacker to manipulate the query via the eid parameter provided that Support Multi-Provider Events feature must be enabled. Proof of Concept...
Stored XSS in Edit user member profile
Description When making changes to update information, there is a country parameter to insert the xss payload Step 1 : Update user Personal information Proof of Concept // PoC request: // payload: "alertString.fromCharCode88,83 POST /pbboard/index.php?page=usercp&control=1&info=1&start=1 HTTP/1.1...
IDORs with unpredictable IDs are valid vulnerabilities
1 create two workspace: workspace1 and workspace2, and their admin is admin1 and admin2 2 login as user1 and create project1. 4 Using burpsuit to hijack the reqeust, repalce workspace1's workspaceid as workspace2's workspaceid 5 we can find that project1 has a new proejct, even admin2 is not the...
XSS in Conditions tab of Pricing Rules
Description While testing the pimcore application, I found that it is vulnerable to XSS vulnerability in Conditions tab of Pricing Rules, specifically at From and To fields of Date Range section. Proof of Concept 1.Go to https://11.x-dev.pimcore.fun/admin/ then login. 2.On the left menu bar, go t...
SQL Injection in 'core/ajax/ajax_data.php'
Description There exists an SQL injection affecting the edition parameter located in the file core/ajax/ajaxdata.php php $productEditionFilter = isset$GET"edition" and !empty$GET"edition" ? " productedition = '$GET"edition"' " : " producttype != 'Child' "; We see that $GET"edition" is appended...
SQL Injection leads to code execution
Description This vulnerability allows the attacker to leverage a SQL injection attack in the database backup functionality to write arbitrary data to an arbitrary file on disk anywhere where the user can write. This includes the webroot in a default installation allowing the attack to place a web...
Bypass IP detection lead to perform brute-force attack
Description In login function, by default, the IP address will be blocked when the user tries to login incorrectly more than 3 times but we can bypass this mechanism by abuse X-Forwarded-For header to bypass IP dectection and perform password brute-force. Proof of Concept POST...
IDOR on save email configuration leads to account takeover
Description An attacker with a low privileged account on the latest GLPI version could change other user´s email when saving his own user preferences. After that, if "Forgot password" is enabled via email, an attacker will be able to retrieve victim´s forgot password link to the modified email to...
Stored Cross-Site Scripting in survey administrator name
Description The administrator name field in Survey settings has a Stored Cross-Site scripting vulnerability as it does not sanitize the user input administrator name. A user can enter the javascript payload "alertdocument.cookie in the Administrator name field and the XSS executes in the...
DynamicPHPCode Filtering Bypass leads to Remote Code Execution
Description The "Websites" module in Dolibarr CRM version 6.0.3 and below has "checkPHPCode" function check to ensure that the page not contains any malicious function. However, this funtion only check by using match word searching, that allows malicious authenticated user can bypass by using...
xss bypass the filter
Description hi,@maintainer.The filter you use to clean xss is unsafe.Please choose an xss filter with a large number of users and a high evaluation Video link You can watch my video through this link first. link https://drive.google.com/file/d/1mh9hiDxmybLQGPw-z36qBdsEcEOoPw8/view?usp=sharelink...
Anti-CSRF mechanism is not present
Description The application is vulnerable to a CSRF attack. Proof of Concept 1. Login as admin. 2. Open the following HTML file in the browser. This action is equivalent to clicking a link sent by an attacker. trap.html html history.pushState'', '', '/' 3. Click the button. 4. A new user is creat...
No permission user can increase his role to administrator
Description No permission user can increase his role to administrator Proof of Concept Hey,i am new on this platform : Steps: - login your administrator account, go to people, and create a user with zero permission you can create permission group with zero permission - then login your restricted...
Cookie without “Secure “ and “ HttpOnly ” flag attribute
Description HttpOnly and Secure attribute is not set for session cookies in the application. Proof of Concept https://drive.google.com/file/d/1ZAanmAbOn-jSf6ZMS5JIQKUzJ78fUrea/view?usp=sharing...
Cookie without Secure attribute
Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. Proof of Concept http HTTP/1.1 200 OK Content-Type: application/json Content-Length: 107 Vary: Accept-Encoding Set-Cookie:...
HTTP Query String Injection
Description The application does not properly sanitize query string parameters in the cloudflare-kv-http,github and http drivers. In the case of the github and http drivers there is no immediate vulnerability, however a slight risk is presented. When a user controls a key within the...
RCE in Wordnet Browser
Description A user who visits a malicious link with wordnet browser open will execute code on system Proof of Concept Visit http://localhost:8000/lookupgASVKwAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBB0b3VjaCAvdG1wL1BXTkVElIWUUpQu The base64 is created from import pickle import sys import base64...
No rate limiting on the reset password page will lead to a DOS attack and inbox flooding for any user
Description I can use this attack to take advantage of the reset password confirmation mechanism and send a large number of emails to anyone simply because I know his email address, as well as perform a DoS attack by draining the resources of the SMTP service and the web server. Proof of Concept ...