4072 matches found
Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager
βοΈ Description Attacker able to disable any Personal Data module if users visit attacker site. π΅οΈββοΈ Proof of Concept 1.Open the PoC.html In Firefox or safari. 2.now you can check that Personal data module with id value equal to 1 have been disabled. // PoC.html history.pushState'', '', '/'...
Open Redirect in erudika/scoold
βοΈ Description There is an open redirect vulnerability in the following URL: https://live.scoold.com/signin?returnto=https://google.com π΅οΈββοΈ Proof of Concept Step to reproduce 1. open above URL 2. login in the applicaiton 3. you redirect to google.com π₯ Impact That causes a redirection to an...
Session Fixation in projectsend/projectsend
βοΈ Description Project Send contains a Session Fixation Vulnerability. This vulnerability is one that can allow an attacker to fixate find or set another personβs session identifier. This most commonly happens when session tokens are now refreshed or renewed when they should be. It looks like the...
Cross-Site Request Forgery (CSRF) in francoisjacquet/rosariosis
βοΈ Description When you don't set the SameSite attribute of cookies the browsers have special act in front of this issue.I mean set default value on it chrome and chromium based browsers set the attribute "Lax" that mean if you do add/delete/alter operation in a get HTTP request then your site mor...
Cross-Site Request Forgery (CSRF) in changeweb/unifiedtransform
βοΈ Description When you don't set the SameSite attribute of cookies the browsers have special act in front of this issue.I mean set default value on it chrome and chromium based browsers set the attribute "Lax" that mean if you do add/delete/alter operation in a get HTTP request then your site mor...
Business Logic Errors in pimcore/pimcore
βοΈ Description Pimcore is vulnerable to Business Logic error through negative products amount. π΅οΈββοΈ Proof of Concept HTML content: HTML 1. Save the above content into an HTML file. 2. Open the HTML file on the browser and click on Submit button. 3. Check out the total price. PoC video. π₯ Impact It...
Cross-Site Request Forgery (CSRF) in kestasjk/webdiplomacy
βοΈ Description CSRF bug to watch a game π΅οΈββοΈ Proof of Concept no csrf token checking during watch game.\ Bellow request is vulnerable to csrf attack POST /redirect.php HTTP/1.1 Host: webdiplomacy.net User-Agent: Mozilla/5.0 X11; Ubuntu; Linux x8664; rv:88.0 Gecko/20100101 Firefox/88.0 Accept:...
Cross-Site Request Forgery (CSRF) in kestasjk/webdiplomacy
βοΈ Description CSRF bug when disabling notice π΅οΈββοΈ Proof of Concept no csrf token checking during enable/desable notice .\ Bellow request is vulnerable to csrf attack POST /index.php HTTP/1.1 Host: webdiplomacy.net User-Agent: Mozilla/5.0 X11; Ubuntu; Linux x8664; rv:88.0 Gecko/20100101...
Code Injection in causefx/organizr
βοΈ Description The "version": "v6.4.1", is vulnerable to code injection, Affected versions of this package are vulnerable to Arbitrary Code Execution. If the $langpath parameter is passed unfiltered from user input, it can be set to a UNC path, and if an attacker is also able to persuade the serve...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
βοΈ Description In Bank section the POS part, you don't protect resources from delete with CSRF attacks and then I able to delete/close arbitrary POS cash desk control entities only with knowing their ids. π΅οΈββοΈ Proof of Concept // PoC.html history.pushState'', '', '/' π₯ Impact This vulnerability is...
Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney
βοΈ Description CSRF bug to delete project π΅οΈββοΈ Proof of Concept 1. goto https://ihatemoney.org/ and create a new project and project-name is XXXX .\ Now bellow request is vulnerable to csrf attack which will delete the whole project \ https://ihatemoney.org/xxxx/delete π₯ Impact Attacker can...
Use of a Broken or Risky Cryptographic Algorithm in boxbilling/boxbilling
βοΈ Description The function mtrand is used to generate ticket hashes at the reference shown, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to disclose critical...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
βοΈ Description XSS via file upload in profile settings π΅οΈββοΈ Proof of Concept open chatwoot ,login to your profile , go to profile settings upload SVG file with XSS payload and update profile open the avatar in new page, XSS will be triggered π₯ Impact custom javascript code is executed...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
βοΈ Description I found a stored XSS in your project which is lead by adding Application/Leases notes. π΅οΈββοΈ Proof of Concept Steps to reproduce: 1. Create a Application/Leases. 2. Enter " in the notes. 3. Save and you will see XSS. π₯ Impact This vulnerability is capable of stored XSS...
Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager
π₯ BUG csrf to turn off maintanance-mode π₯ VERSION TESTED latest version as of 4/7/21 π₯ STEP TO REPRODUCE 1. just visit http://localhost/online-rental/app/admin/ajax-maintenance-mode.php?status=off and it will turn-off maintenance-mode if already enabled.\ Here no csrf token is checking...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
βοΈ Description Stored XSS in anonymous user name due to improper sanitization of user input π΅οΈββοΈ Proof of Concept Steps to reproduce: 1. Go to http://192.168.43.130:8081/app//admin/pageSettings.php and click on pre-configured users. 2. Edit anonymous username to xss" 3. Save it and visit...
Improper Privilege Management in bigprof-software/online-rental-property-manager
π₯ BUG privilege escalation bug to add residenceandrental to a applicant . π₯ IMPACT unprivileged user can add residenceandrental to a applicant π₯ STEP TO REPRODUCE 1. From admin account goto http://localhost/online-rental/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
π₯ BUG xss via Applications/Leases π₯ VERSION TESTED latest version as of 1/7/21 π₯ IMPACT xss allow to execute arbitary javascript in vicitm account π₯ STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/applicationsleasesview.php and create a new application .\ During creation put bellow...
in w7corp/easywechat
βοΈ Description The method encryptsensitiveinformation in BaseClient.php uses the RSA algorithm without OAEP padding, thereby making the encryption weak. In order to use RSA securely, the OAEP padding mode Optimal Asymmetric Encryption Padding must be used. This category was derived from the Cigita...
OS Command Injection in sofianehamlaoui/lockdoor-framework
βοΈ Description Command Injection due to unsanitized variable named algo π΅οΈββοΈ Proof of Concept π₯ Impact CI with the highest privilege...
in phpservermon/phpservermon
βοΈ Description The program creates a cookie without setting the secure flag to true. Modern web browsers support a secure flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing...
in phpservermon/phpservermon
βοΈ Description The random number generator implemented by mtrand cannot withstand a cryptographic attack. Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. In this case the function that generates...
Heap-based Buffer Overflow in rup0rt/pcapfix
Description A heap over flow was found in pcapfix in function fixpcapng in pcapng.c at line 216 Test version : 1.1.6 2fe168e Test env: gcc 9.3.0 ubuntu 20.04 x86-64 Proof of Concept CFLAGS="-fsanitize=address" make ./pcapfix poc poc is attatched in reference link c ==603793==ERROR:...
Cross-site Scripting (XSS) - Stored in thoughtbot/administrate
π₯ BUG Stored xss using unsanitize url π₯ IMPACT There is no url scheme sanitization, allow to provide javascript protocol in url which cause xss π₯ PAYLOAD javascript:alertdocument.domain π₯ STEP TO REPRODUCE tested in demo version https://administrate-demo.herokuapp.com/admin.\ 1. Plz check this 1...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
π₯ BUG Stored xss using ticket content in markdown π₯ IMPACT There is no xss filter present . Using this stored xss external user can attack admin and can execute arbitary javascript code in vicitm account . TESTED VERSION ========== trudesk 1.1.5 π₯ STEP TO REPRODUCE 1. First goto...
in flarum/framework
βοΈ Description Avatar URL from OAuth registration is passed to Intervention Image's ImageManager::make function without any validation on URL. Since ImageManager::make allows relative path to read file, it is possible to inject arbitrary inputs like storage/somefile.jpg or even absolute paths like...
Heap-based Buffer Overflow in rup0rt/pcapfix
βοΈ Description Whilst testing pcapfix built from commit 5c2965 with Clang 13 +ASan on Ubuntu 20.04.2 LTS, we discovered a PCAPNG file which triggers a heap-buffer-overflow during a memcpy operation. π΅οΈββοΈ Proof of Concept echo "Cg0NCgAAAADT1MOysvgUAAAAAEpaggAAoPWPsvgUAAAAAAAAAAAA" | base64 -d...
Heap-based Buffer Overflow in squell/id3
βοΈ Description When running the id3 app built from commit 51e738 with Clang 13 +ASan on Ubuntu 20.04.2 against the test data file encoding.tag, a heap-buffer-overflow is triggered at https://github.com/squell/id3/blob/51e738e7575c54fd7fdd54c931a155b25c3f2d30/id3v2.cL104. static ulong ul4uchar n4...
Stack-based Buffer Overflow in falconchristmas/fpp
βοΈ Description Hi, There is a stack based buffer overflow in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/fpp.cL177 : c else ifstrcmpargv1,"--log-mask" == 0 && argc 2 char newMask128; strcpynewMask, argv2;//overflow // argv2 is copied into newMask using...
Code Injection in sofianehamlaoui/lockdoor-framework
βοΈ Description Multiple Command injection in infogathering.py file due to lack of sanitization. π΅οΈββοΈ Proof of Concept Payload : id Video: https://drive.google.com/file/d/1uozVKKHL1LSMvFW7ehX3eIoxsWFLCes1/view?usp=sharing π₯ Impact tools ask for root to run so every command injected will run as root...
Improper Privilege Management in dolibarr/dolibarr
π₯ BUG unprivileged user can modify directory π₯ STEP TO REPRODUCE 1. From admin account add user B as normal user .\ Now dont give any permission for DMS/ECM module for user B .\ So, user B should not see any DMS/ECM details .\ \ 2. Now from admin account goto...
in utmsigep/member-directory
βοΈ Description Entering unintended values during the member creation flow causes unusual database state, unhandled exceptions/stack trace disclosure and denial of service due to continuous page crashes. π΅οΈββοΈ Proof of Concept - Select a member-status/group - Create New Member - Enter an invalid...
Path Traversal in demon1a/discord-recon
βοΈ Description Scanning internal git directories leaks using Improper input validation in truffleHog function urlHost = urlparseargument.netloc if urlHost != "github.com" and urlHost != "gitlab.com": await ctx.send"You're trying to scan unallowed URL, please use a github/gitlab URL." return The...
Heap-based Buffer Overflow in axiomatic-systems/bento4
βοΈ Description heap-buffer-overflow π΅οΈββοΈ Proof of Concept Verification stepsοΌ 1.Get the source code of Bento4 2.Compile the Bento4 bash $ cd Bento4 $ mkdir checkbuild && cd checkbuild $ cmake ../ -DCMAKECCOMPILER=clang -DCMAKECXXCOMPILER=clang++ -DCMAKECFLAGS="-fsanitize=address"...
in cythron/tweango
βοΈ Description Django secret key is pushed into Github repository. This is used to sign Json objects, create hashes and generate Csrf tokens. π΅οΈββοΈ Proof of Concept https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key/15383766?noredirect=1comment2174349415383766 π₯...
Cross-site Scripting (XSS) - Reflected in thecoshman/http
βοΈ Description The web server is vulnerable to Cross-site scripting. An attacker can host a file with an XSS payload as the file name. When a user visits the web server address, the javascript will be executed in the browser. This is due to improper sanitization. π΅οΈββοΈ Proof of Concept - Create a...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
βοΈ Description The forkcms is vulnerable to XSS through image name edition. π΅οΈββοΈ Proof of Concept 1. With an authenticated user, access http://localhost/private/en/medialibrary/mediaitemindex. 2. Click on New media. 3. Upload any image and then click on Back to overview. 4. With the image...
Improper Privilege Management in chatwoot/chatwoot
βοΈ Description Privilege escalation to view all conversation π΅οΈββοΈ Proof of Concept 1. First goto https://app.chatwoot.com/app/accounts/4534/settings/agents/list from admin account and add a user B as agent . 2. now goto https://app.chatwoot.com/app/accounts/4534/settings/inboxes/list and add a...
Code Injection in storybookjs/telejson
βοΈ Description telejson is a library for teleporting rich data to another place. The telejson.reviver which is used to parse string data back to json structure can be abused to execute arbitrary code when the lazyEval option is set to false i.e., disabled. The root cause is the attackers can...
Code Injection in dimodimchev/access-control
Description Access-Control package is vulnerable to Arbitary Code Execution due to insecure yaml desearilization. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept steps to reproduce: python import os os.system'git clone...
Code Injection in tensorspeech/tensorflowtts
βοΈ Description TensorFlowTTS provides real-time state-of-the-art speech synthesis architectures such as Tacotron-2, Melgan, Multiband-Melgan, FastSpeech, FastSpeech2 based-on TensorFlow 2. With Tensorflow 2, we can speed-up training/inference progress, optimizer further by using fake-quantize awar...
Prototype Pollution in alexandervu/dot-prop-opt
Description dot-prop-opt is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'dot-prop-opt' console.log'Before: ' + .polluted set, 'proto.polluted', true console.log'After: ' + .polluted 2. Execute the following commands...
Prototype Pollution in a-maged/object-breacher
Description object-breacher is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'object-breacher' console.log'Before: ' + .polluted set, 'proto.polluted', true console.log'After: '+ .polluted 2. Execute the following...
Prototype Pollution in darrenpaulwright/object-agent
Description object-agent is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js import set from 'object-agent'; var obj = console.log"Before : " + .polluted; setobj, 'proto.polluted', 'Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute th...
Cross-site Scripting (XSS) - Generic in dolibarr/dolibarr
Description The application is vulnerable to html injection in password reset functionality. PoC CLICK ME...
Path Traversal in rwson/server-static
Overview server-static is a static file server, this package is vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server. For example, requesting the following URL: /../../etc/passwd would result in /etc/passwd leaking...
Cross-site Scripting (XSS) - Generic in dolibarr/dolibarr
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS. Special characters provided as part of the Referer HTTP header. is reflected within htdocs/user/passwordforgotten.php...
Code Injection in vishwanatharondekar/gitlab-cli
Description The git-lab-cli module is vulnerable against RCE since a command is crafted using user inputs not validated and then executedading to arbitrary command injection POC 1. Check there aren't files called HACKED 2. Execute the following commands in another terminal: bash npm i git-lab-cli...
Path Traversal in NLTK Downloader Package Metadata Allows Arbitrary File Write
Description The NLTK downloader does not validate file paths constructed from package metadata before writing downloaded files. A malicious NLTK data server can specify arbitrary paths via the subdir and id attributes in the package index XML, allowing arbitrary file write outside the intended...
Missing Authorization Validation on MLflow MPU Endpoints Leads to Cross-Resource Artifact Overwrite, Model Poisoning, and Cross-Boundary Command Execution on Model Load
Analyzed version: 5af88dc08a54d40dddfc019da9e7f0fd0fcf34e2 git describe: nightly-2300-g5af88dc08, local mlflow.version: 3.10.1.dev0 In --serve-artifacts mode, MLflow exposes MPU endpoints for large-file multipart uploads. However, its authorization logic only covers the /mlflow-artifacts/artifact...