Lucene search
+L
HuntrMost viewed

4074 matches found

Huntr
Huntr
added 2021/04/19 2:36 p.m.14 views

Cross-site Scripting (XSS) - Generic in mailtrain-org/mailtrain

✍️ Description Stored xss via campaign file upload 🕵️‍♂️ Proof of Concept 1. First goto http://localhost:3000/campaigns and open a campaign . 2.Now in linux create a file with bellow name. 3. Now upload the created file in the above capaign http://localhost:3000/campaigns/1/files and see xss is...

1.8AI score
Exploits0
Huntr
Huntr
added 2021/03/26 12:57 p.m.14 views

Code Injection in storybookjs/telejson

✍️ Description telejson is a library for teleporting rich data to another place. The telejson.reviver which is used to parse string data back to json structure can be abused to execute arbitrary code when the lazyEval option is set to false i.e., disabled. The root cause is the attackers can...

2.1AI score
Exploits0
Huntr
Huntr
added 2021/03/23 10:12 p.m.14 views

Cross-site Scripting (XSS) - Generic in forkcms/forkcms

✍️ Description A cross-site scripting XSS issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publishontime" Parameter 🕵️‍♂️ Proof of Concept Vulnerable Parameter: publishontime XSS payload: 17:59'"&%alert1 Steps to reproduce issue 1- Login to Fork admin panel 2-...

1.2AI score
Exploits0
Huntr
Huntr
added 2021/02/19 12:0 a.m.14 views

Code Injection in dimodimchev/access-control

Description Access-Control package is vulnerable to Arbitary Code Execution due to insecure yaml desearilization. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept steps to reproduce: python import os os.system'git clone...

1.3AI score
Exploits0
Huntr
Huntr
added 2021/01/28 12:0 a.m.14 views

Prototype Pollution in fabiospampinato/plain-object-merge

Description plain-object-merge is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const merge = require'plain-object-merge' console.log'Before: ' + .polluted merge, JSON.parse'"proto": "polluted": true' console.log'After: ' + .polluted 2...

1.7AI score
Exploits0
Huntr
Huntr
added 2021/01/26 12:0 a.m.14 views

Prototype Pollution in alexandervu/dot-prop-opt

Description dot-prop-opt is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'dot-prop-opt' console.log'Before: ' + .polluted set, 'proto.polluted', true console.log'After: ' + .polluted 2. Execute the following commands...

1.6AI score
Exploits0
Huntr
Huntr
added 2021/01/07 12:0 a.m.14 views

Code Injection in spotify/postgresql-metrics

Description Tool that extracts and provides metrics on your PostgreSQL database Vulnerability discription unsafe loading of data by the yaml.load function leading to Arbitrary code execution. Proof of Concept Vulnerable code part python readconfigdict = yaml.loadf...

1.4AI score
Exploits0
Huntr
Huntr
added 2021/01/07 12:0 a.m.14 views

Prototype Pollution in x-extends/xe-utils

Description xe-utils is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'xe-utils' console.log'Before: ', .polluted set, 'proto.polluted', true console.log'After: ', .polluted 2. Execute the following commands in the...

1.6AI score
Exploits0
Huntr
Huntr
added 2020/12/21 12:0 a.m.14 views

Prototype Pollution in badopcode/nodash

Description ts-nodash is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var merge = require"ts-nodash".Merge const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " + .polluted; mergeobj, payload;...

2AI score
Exploits0
Huntr
Huntr
added 2020/09/08 12:0 a.m.14 views

Prototype Pollution in acstll/deep-get-set

Description deep-set-get is a Set and get values on objects via dot-notation strings. This package is vulnerable to prototype pollution. POC const deep = require'deep-get-set'; deep,'proto','polluted',true; console.logpolluted;...

2AI score
Exploits0
Huntr
Huntr
added 2020/09/08 12:0 a.m.14 views

Prototype Pollution in whitfin/dot-notes-js

Overview dot-notes is a Two way conversions between objects and dot/bracket notation. This package are vulnerable to Prototype Pollution via. the create function. Proof of Concept const dots = require'dot-notes'; dots.create, 'proto.polluted', true; console.logpolluted;...

4.9AI score
Exploits0
Huntr
Huntr
added 2020/08/17 12:0 a.m.14 views

Path Traversal in youngerheart/nodeserver

Overview nodeserver is a Achieve node server's domain name resolution and web application's router, this package is vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server. For example, requesting the following URL: /../../etc/passwd would result in...

4.3AI score
Exploits0References1
Huntr
Huntr
added 2020/08/06 12:0 a.m.14 views

Command Injection in sh0ji/git-tags-remote

Overview git-tags-remote is a Get remote repository tags, this package is vulnerable to Command Injection. The package fails to sanitize the repository input and passes it directly to an exec call on the get function . This can allow attackers to execute arbitrary code in the system if the...

4.1AI score
Exploits0References1
Huntr
Huntr
added 2020/04/21 12:0 a.m.14 views

Code Injection in sidorares/node-wrk

Description The wrk module is vulnerable against RCE since a command is crafted using user inputs not validated and then executed, leading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js var wrk = require'wrk'; wrk threads: 1, connections: 's','aaa', duration:...

1.8AI score
Exploits0
Huntr
Huntr
added 2026/02/26 3:6 p.m.13 views

CWE-346: CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat`

This report is not public...

8.8CVSS6.4AI score0.00197EPSS
Exploits1
Huntr
Huntr
added 2026/02/23 3:32 a.m.13 views

Git Argument Injection via Reference Field in GitHubRepository Block

This report is not public...

8.5CVSS7.3AI score0.00298EPSS
Exploits0
Huntr
Huntr
added 2026/02/20 6:3 p.m.13 views

Hardcoded trust_remote_code=True in Model Implementations Bypasses User Security Control

This report is not public...

8.8CVSS5.8AI score0.00747EPSS
Exploits0
Huntr
Huntr
added 2026/02/14 2:13 a.m.13 views

Authentication Bypass on FastAPI Routes (Job API, OTel API) When Basic Auth Enabled

Summary When MLflow is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI, the FastAPI permission middleware only enforces authentication on /gateway/ routes. All other FastAPI routes -- including the Job API /ajax-api/3.0/jobs/ and the OpenTelemetry trace...

8.6CVSS6AI score0.01502EPSS
Exploits1
Huntr
Huntr
added 2026/02/10 4:29 p.m.13 views

SSRF in MLflow via user-controlled webhook URL parameter

Description A Server-Side Request Forgery SSRF vulnerability exists in the webhook creation functionality of MLflow. The createwebhook handler accepts a user-controlled url parameter and stores it without any validation. When webhooks are tested or triggered, the sendwebhookrequest function sends...

7.1CVSS7.3AI score0.0037EPSS
Exploits1
Huntr
Huntr
added 2026/01/16 8:47 a.m.13 views

H2O-3 PostgreSQL Driver RCE - Bypassing CVE-2025-6544 Mitigation

Description A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The current security mitigation implemented in H2O-3 relies on a parameter blacklist mechanism that exclusively targets MySQL JDBC...

9.8CVSS6.9AI score0.00938EPSS
Exploits2
Huntr
Huntr
added 2025/02/15 8:25 a.m.13 views

A malicious manifests can lead to DoS due to unchecked array bound access via network in ollama/ollama

This report is not public...

7.5CVSS7.7AI score0.00422EPSS
Exploits1
Huntr
Huntr
added 2023/10/12 6:39 p.m.13 views

CSRF in Cancel Reviewer and Reinstate Reviewer

Description CSRF in Cancel Reviewer and Reinstate Reviewer Proof of Concept Link Poc I attach the Poc link below. Thank You. https://drive.google.com/drive/folders/1QA5Kz6w2AgYdFDoDX2hHWK0zHAPoWt?usp=sharing...

7.2AI score0.00264EPSS
Exploits1
Huntr
Huntr
added 2023/09/30 7:44 a.m.13 views

CSRF edit Blacklist settings( YES to NO)

Description CSRF edit Blacklist settings Proof of Concept 1 .For example, the data fields in the Blacklist settings are all set to: YES. 2 .The attacker sends a fake form to the user: history.pushState'', '', '/'; document.forms0.submit; 3 .User Clicked, changed the setting to NO, which the user...

7.1AI score
Exploits0
Huntr
Huntr
added 2023/09/23 5:47 a.m.13 views

Store XSS at Label sets list in (Version 6.2.7)

Description First of all, I apologize for reporting back. I noticed, the latest current version is 6.2.7. XSS vulnerabilities still exist Proof of Concept Detail: 1 .Login and access Label sets list 2 .Create new label set 3 . Insert payload in to Title haido" onclick="alert1 4 .Click save ==...

6.4AI score
Exploits0
Huntr
Huntr
added 2023/08/18 11:29 a.m.13 views

CSRF Logout

Description Bad actor can send to victim link ie. obfuscated with payload /logout and if victim will use it - can change the state of user logged in/logged out. Proof of Concept As logged in user open in new browser tab this site https://app.vrite.io/session/logout Go back to previous tab, refres...

6.8AI score
Exploits0References2
Huntr
Huntr
added 2023/08/11 2:1 p.m.13 views

privilege escalation bug to creation survey-group with others group as parent

BUG ======= privilege escalation bug to creation survey-group with others group as parent\ ACCOUNT ============= 1. user-A -- superadmin\ 2. user-B -- normal user\ user-B has only create permission in survey-group . does not have view permission in survey group\ as user-B does not have view...

7.7AI score
Exploits0
Huntr
Huntr
added 2023/08/05 2:12 p.m.13 views

Multiple Stored XSS Found

Description Stored XSS Cross-Site Scripting is a type of web security vulnerability caused by improper input validation and inadequate data sanitization in a web application. It occurs when an attacker injects malicious scripts usually in the form of HTML or JavaScript into a website's database o...

4.9CVSS6.3AI score0.00407EPSS
Exploits0
Huntr
Huntr
added 2023/07/26 8:40 p.m.13 views

XSS in function navigateTo

Vunerability The check for external links checks if the protocol is script:, which is not a valid protocol and allows the user to provide a valid javascript payload using javascript: protocol. ts if isExternal && parseURLtoPath.protocol === 'script:' throw new Error'Cannot navigate to an URL with...

6.8AI score
Exploits0
Huntr
Huntr
added 2023/07/17 1:50 a.m.13 views

Reflected XSS at upload file

Description 1/ Access to the demo website and login at this case I used user admin 2/ At function upload photo to an album, try upload a file with the name is payload XSS. 3/ The payload will be triggered at error content. Proof of Concept Video PoC:...

7AI score
Exploits0
Huntr
Huntr
added 2023/07/03 1:47 p.m.13 views

Improper Control of Generation of Code

Description Kimai Plugin EasyBackupBundle allows admins to edit mysql commands from the configuration tab, an attacker can append arbitrary commands to achieve code execution. This can be also extended to an arbitrary file read while specifying filenames such as /etc/passwd in backup. Proof of...

7.4AI score
Exploits0
Huntr
Huntr
added 2023/06/29 3:32 a.m.13 views

CSRF in Question Themes function

Description The web application is vulnerable to CSRF in the toggle visibility of question themes. Proof of Concept Step 1: Login as user who has permission to access themes function. Step 2: Host an HTML trap page and send the URL to the victim history.pushState'', '', '/'; document.forms0.submi...

6.8AI score
Exploits0
Huntr
Huntr
added 2023/06/26 3:47 p.m.13 views

CSRF in the delete notification function

Description The web application is vulnerable to CSRF in the delete notification function. Proof of Concept Step 1: See that user demo has some notifications. Step 2: Host an HTML trap page and send the URL to the victim history.pushState'', '', '/' document.forms0.submit; And the malicious URL...

6.9AI score
Exploits0
Huntr
Huntr
added 2023/04/30 7:18 a.m.13 views

SQL injection in the delete action of the file add_edit_event.php

Description We have discovered that the SQL injection vulnerability can be exploited through the file /interface/main/calendar/addeditevent.php, allowing an attacker to manipulate the query via the eid parameter provided that Support Multi-Provider Events feature must be enabled. Proof of Concept...

8.1AI score
Exploits0References1
Huntr
Huntr
added 2023/04/04 1:29 p.m.13 views

Stored XSS in Edit user member profile

Description When making changes to update information, there is a country parameter to insert the xss payload Step 1 : Update user Personal information Proof of Concept // PoC request: // payload: "alertString.fromCharCode88,83 POST /pbboard/index.php?page=usercp&control=1&info=1&start=1 HTTP/1.1...

6AI score
Exploits0
Huntr
Huntr
added 2023/03/27 7:16 a.m.13 views

IDORs with unpredictable IDs are valid vulnerabilities

1 create two workspace: workspace1 and workspace2, and their admin is admin1 and admin2 2 login as user1 and create project1. 4 Using burpsuit to hijack the reqeust, repalce workspace1's workspaceid as workspace2's workspaceid 5 we can find that project1 has a new proejct, even admin2 is not the...

6.8AI score
Exploits0
Huntr
Huntr
added 2023/03/27 6:15 a.m.13 views

XSS in Conditions tab of Pricing Rules

Description While testing the pimcore application, I found that it is vulnerable to XSS vulnerability in Conditions tab of Pricing Rules, specifically at From and To fields of Date Range section. Proof of Concept 1.Go to https://11.x-dev.pimcore.fun/admin/ then login. 2.On the left menu bar, go t...

6AI score0.00356EPSS
Exploits1
Huntr
Huntr
added 2023/03/01 8:22 p.m.13 views

SQL Injection in 'core/ajax/ajax_data.php'

Description There exists an SQL injection affecting the edition parameter located in the file core/ajax/ajaxdata.php php $productEditionFilter = isset$GET"edition" and !empty$GET"edition" ? " productedition = '$GET"edition"' " : " producttype != 'Child' "; We see that $GET"edition" is appended...

7.8AI score
Exploits0
Huntr
Huntr
added 2023/02/28 1:53 a.m.13 views

SQL Injection leads to code execution

Description This vulnerability allows the attacker to leverage a SQL injection attack in the database backup functionality to write arbitrary data to an arbitrary file on disk anywhere where the user can write. This includes the webroot in a default installation allowing the attack to place a web...

8.1AI score
Exploits0
Huntr
Huntr
added 2023/02/24 4:32 p.m.13 views

Bypass IP detection lead to perform brute-force attack

Description In login function, by default, the IP address will be blocked when the user tries to login incorrectly more than 3 times but we can bypass this mechanism by abuse X-Forwarded-For header to bypass IP dectection and perform password brute-force. Proof of Concept POST...

7AI score
Exploits0References1
Huntr
Huntr
added 2023/02/22 10:11 a.m.13 views

IDOR on save email configuration leads to account takeover

Description An attacker with a low privileged account on the latest GLPI version could change other user´s email when saving his own user preferences. After that, if "Forgot password" is enabled via email, an attacker will be able to retrieve victim´s forgot password link to the modified email to...

6.6AI score
Exploits0References1
Huntr
Huntr
added 2023/02/16 6:53 p.m.13 views

Stored Cross-Site Scripting in survey administrator name

Description The administrator name field in Survey settings has a Stored Cross-Site scripting vulnerability as it does not sanitize the user input administrator name. A user can enter the javascript payload "alertdocument.cookie in the Administrator name field and the XSS executes in the...

5.4AI score
Exploits0
Huntr
Huntr
added 2023/02/02 9:45 a.m.13 views

DynamicPHPCode Filtering Bypass leads to Remote Code Execution

Description The "Websites" module in Dolibarr CRM version 6.0.3 and below has "checkPHPCode" function check to ensure that the page not contains any malicious function. However, this funtion only check by using match word searching, that allows malicious authenticated user can bypass by using...

6.9AI score
Exploits0
Huntr
Huntr
added 2023/01/31 2:55 p.m.13 views

xss bypass the filter

Description hi,@maintainer.The filter you use to clean xss is unsafe.Please choose an xss filter with a large number of users and a high evaluation Video link You can watch my video through this link first. link https://drive.google.com/file/d/1mh9hiDxmybLQGPw-z36qBdsEcEOoPw8/view?usp=sharelink...

0.2AI score
Exploits0
Huntr
Huntr
added 2023/01/24 12:34 p.m.13 views

Anti-CSRF mechanism is not present

Description The application is vulnerable to a CSRF attack. Proof of Concept 1. Login as admin. 2. Open the following HTML file in the browser. This action is equivalent to clicking a link sent by an attacker. trap.html html history.pushState'', '', '/' 3. Click the button. 4. A new user is creat...

0.5AI score
Exploits0References1
Huntr
Huntr
added 2023/01/22 8:32 p.m.13 views

No permission user can increase his role to administrator

Description No permission user can increase his role to administrator Proof of Concept Hey,i am new on this platform : Steps: - login your administrator account, go to people, and create a user with zero permission you can create permission group with zero permission - then login your restricted...

6.8AI score
Exploits0
Huntr
Huntr
added 2023/01/20 9:45 a.m.13 views

Cookie without “Secure “ and “ HttpOnly ” flag attribute

Description HttpOnly and Secure attribute is not set for session cookies in the application. Proof of Concept https://drive.google.com/file/d/1ZAanmAbOn-jSf6ZMS5JIQKUzJ78fUrea/view?usp=sharing...

0.6AI score
Exploits0References2
Huntr
Huntr
added 2023/01/03 6:6 a.m.13 views

Cookie without Secure attribute

Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. Proof of Concept http HTTP/1.1 200 OK Content-Type: application/json Content-Length: 107 Vary: Accept-Encoding Set-Cookie:...

5CVSS5.4AI score0.00436EPSS
Exploits1
Huntr
Huntr
added 2022/12/30 12:5 p.m.13 views

HTTP Query String Injection

Description The application does not properly sanitize query string parameters in the cloudflare-kv-http,github and http drivers. In the case of the github and http drivers there is no immediate vulnerability, however a slight risk is presented. When a user controls a key within the...

0.7AI score
Exploits0References2
Huntr
Huntr
added 2022/12/29 1:43 p.m.13 views

RCE in Wordnet Browser

Description A user who visits a malicious link with wordnet browser open will execute code on system Proof of Concept Visit http://localhost:8000/lookupgASVKwAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBB0b3VjaCAvdG1wL1BXTkVElIWUUpQu The base64 is created from import pickle import sys import base64...

0.3AI score
Exploits0
Huntr
Huntr
added 2022/11/24 11:35 a.m.13 views

No rate limiting on the reset password page will lead to a DOS attack and inbox flooding for any user

Description I can use this attack to take advantage of the reset password confirmation mechanism and send a large number of emails to anyone simply because I know his email address, as well as perform a DoS attack by draining the resources of the SMTP service and the web server. Proof of Concept ...

7.3AI score
Exploits0
Total number of security vulnerabilities4074