4072 matches found
Cross-Site Request Forgery (CSRF) in kestasjk/webdiplomacy
✍️ Description CSRF bug to watch a game 🕵️♂️ Proof of Concept no csrf token checking during watch game.\ Bellow request is vulnerable to csrf attack POST /redirect.php HTTP/1.1 Host: webdiplomacy.net User-Agent: Mozilla/5.0 X11; Ubuntu; Linux x8664; rv:88.0 Gecko/20100101 Firefox/88.0 Accept:...
Cross-Site Request Forgery (CSRF) in kestasjk/webdiplomacy
✍️ Description CSRF bug when disabling notice 🕵️♂️ Proof of Concept no csrf token checking during enable/desable notice .\ Bellow request is vulnerable to csrf attack POST /index.php HTTP/1.1 Host: webdiplomacy.net User-Agent: Mozilla/5.0 X11; Ubuntu; Linux x8664; rv:88.0 Gecko/20100101...
Code Injection in causefx/organizr
✍️ Description The "version": "v6.4.1", is vulnerable to code injection, Affected versions of this package are vulnerable to Arbitrary Code Execution. If the $langpath parameter is passed unfiltered from user input, it can be set to a UNC path, and if an attacker is also able to persuade the serve...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
✍️ Description In Bank section the POS part, you don't protect resources from delete with CSRF attacks and then I able to delete/close arbitrary POS cash desk control entities only with knowing their ids. 🕵️♂️ Proof of Concept // PoC.html history.pushState'', '', '/' 💥 Impact This vulnerability is...
Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney
✍️ Description CSRF bug to delete project 🕵️♂️ Proof of Concept 1. goto https://ihatemoney.org/ and create a new project and project-name is XXXX .\ Now bellow request is vulnerable to csrf attack which will delete the whole project \ https://ihatemoney.org/xxxx/delete 💥 Impact Attacker can...
Use of a Broken or Risky Cryptographic Algorithm in boxbilling/boxbilling
✍️ Description The function mtrand is used to generate ticket hashes at the reference shown, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to disclose critical...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
✍️ Description XSS via file upload in profile settings 🕵️♂️ Proof of Concept open chatwoot ,login to your profile , go to profile settings upload SVG file with XSS payload and update profile open the avatar in new page, XSS will be triggered 💥 Impact custom javascript code is executed...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is lead by adding Application/Leases notes. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a Application/Leases. 2. Enter " in the notes. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...
Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager
💥 BUG csrf to turn off maintanance-mode 💥 VERSION TESTED latest version as of 4/7/21 💥 STEP TO REPRODUCE 1. just visit http://localhost/online-rental/app/admin/ajax-maintenance-mode.php?status=off and it will turn-off maintenance-mode if already enabled.\ Here no csrf token is checking...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored XSS in anonymous user name due to improper sanitization of user input 🕵️♂️ Proof of Concept Steps to reproduce: 1. Go to http://192.168.43.130:8081/app//admin/pageSettings.php and click on pre-configured users. 2. Edit anonymous username to xss" 3. Save it and visit...
Improper Privilege Management in bigprof-software/online-rental-property-manager
💥 BUG privilege escalation bug to add residenceandrental to a applicant . 💥 IMPACT unprivileged user can add residenceandrental to a applicant 💥 STEP TO REPRODUCE 1. From admin account goto http://localhost/online-rental/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
💥 BUG xss via Applications/Leases 💥 VERSION TESTED latest version as of 1/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/applicationsleasesview.php and create a new application .\ During creation put bellow...
in w7corp/easywechat
✍️ Description The method encryptsensitiveinformation in BaseClient.php uses the RSA algorithm without OAEP padding, thereby making the encryption weak. In order to use RSA securely, the OAEP padding mode Optimal Asymmetric Encryption Padding must be used. This category was derived from the Cigita...
OS Command Injection in sofianehamlaoui/lockdoor-framework
✍️ Description Command Injection due to unsanitized variable named algo 🕵️♂️ Proof of Concept 💥 Impact CI with the highest privilege...
in phpservermon/phpservermon
✍️ Description The program creates a cookie without setting the secure flag to true. Modern web browsers support a secure flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing...
in phpservermon/phpservermon
✍️ Description The random number generator implemented by mtrand cannot withstand a cryptographic attack. Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. In this case the function that generates...
Heap-based Buffer Overflow in rup0rt/pcapfix
Description A heap over flow was found in pcapfix in function fixpcapng in pcapng.c at line 216 Test version : 1.1.6 2fe168e Test env: gcc 9.3.0 ubuntu 20.04 x86-64 Proof of Concept CFLAGS="-fsanitize=address" make ./pcapfix poc poc is attatched in reference link c ==603793==ERROR:...
Cross-site Scripting (XSS) - Stored in thoughtbot/administrate
💥 BUG Stored xss using unsanitize url 💥 IMPACT There is no url scheme sanitization, allow to provide javascript protocol in url which cause xss 💥 PAYLOAD javascript:alertdocument.domain 💥 STEP TO REPRODUCE tested in demo version https://administrate-demo.herokuapp.com/admin.\ 1. Plz check this 1...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
💥 BUG Stored xss using ticket content in markdown 💥 IMPACT There is no xss filter present . Using this stored xss external user can attack admin and can execute arbitary javascript code in vicitm account . TESTED VERSION ========== trudesk 1.1.5 💥 STEP TO REPRODUCE 1. First goto...
in flarum/framework
✍️ Description Avatar URL from OAuth registration is passed to Intervention Image's ImageManager::make function without any validation on URL. Since ImageManager::make allows relative path to read file, it is possible to inject arbitrary inputs like storage/somefile.jpg or even absolute paths like...
Heap-based Buffer Overflow in rup0rt/pcapfix
✍️ Description Whilst testing pcapfix built from commit 5c2965 with Clang 13 +ASan on Ubuntu 20.04.2 LTS, we discovered a PCAPNG file which triggers a heap-buffer-overflow during a memcpy operation. 🕵️♂️ Proof of Concept echo "Cg0NCgAAAADT1MOysvgUAAAAAEpaggAAoPWPsvgUAAAAAAAAAAAA" | base64 -d...
Heap-based Buffer Overflow in squell/id3
✍️ Description When running the id3 app built from commit 51e738 with Clang 13 +ASan on Ubuntu 20.04.2 against the test data file encoding.tag, a heap-buffer-overflow is triggered at https://github.com/squell/id3/blob/51e738e7575c54fd7fdd54c931a155b25c3f2d30/id3v2.cL104. static ulong ul4uchar n4...
Stack-based Buffer Overflow in falconchristmas/fpp
✍️ Description Hi, There is a stack based buffer overflow in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/fpp.cL177 : c else ifstrcmpargv1,"--log-mask" == 0 && argc 2 char newMask128; strcpynewMask, argv2;//overflow // argv2 is copied into newMask using...
Code Injection in sofianehamlaoui/lockdoor-framework
✍️ Description Multiple Command injection in infogathering.py file due to lack of sanitization. 🕵️♂️ Proof of Concept Payload : id Video: https://drive.google.com/file/d/1uozVKKHL1LSMvFW7ehX3eIoxsWFLCes1/view?usp=sharing 💥 Impact tools ask for root to run so every command injected will run as root...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG unprivileged user can modify directory 💥 STEP TO REPRODUCE 1. From admin account add user B as normal user .\ Now dont give any permission for DMS/ECM module for user B .\ So, user B should not see any DMS/ECM details .\ \ 2. Now from admin account goto...
in utmsigep/member-directory
✍️ Description Entering unintended values during the member creation flow causes unusual database state, unhandled exceptions/stack trace disclosure and denial of service due to continuous page crashes. 🕵️♂️ Proof of Concept - Select a member-status/group - Create New Member - Enter an invalid...
Path Traversal in demon1a/discord-recon
✍️ Description Scanning internal git directories leaks using Improper input validation in truffleHog function urlHost = urlparseargument.netloc if urlHost != "github.com" and urlHost != "gitlab.com": await ctx.send"You're trying to scan unallowed URL, please use a github/gitlab URL." return The...
Heap-based Buffer Overflow in axiomatic-systems/bento4
✍️ Description heap-buffer-overflow 🕵️♂️ Proof of Concept Verification steps: 1.Get the source code of Bento4 2.Compile the Bento4 bash $ cd Bento4 $ mkdir checkbuild && cd checkbuild $ cmake ../ -DCMAKECCOMPILER=clang -DCMAKECXXCOMPILER=clang++ -DCMAKECFLAGS="-fsanitize=address"...
in cythron/tweango
✍️ Description Django secret key is pushed into Github repository. This is used to sign Json objects, create hashes and generate Csrf tokens. 🕵️♂️ Proof of Concept https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key/15383766?noredirect=1comment2174349415383766 💥...
Cross-site Scripting (XSS) - Reflected in thecoshman/http
✍️ Description The web server is vulnerable to Cross-site scripting. An attacker can host a file with an XSS payload as the file name. When a user visits the web server address, the javascript will be executed in the browser. This is due to improper sanitization. 🕵️♂️ Proof of Concept - Create a...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
✍️ Description The forkcms is vulnerable to XSS through image name edition. 🕵️♂️ Proof of Concept 1. With an authenticated user, access http://localhost/private/en/medialibrary/mediaitemindex. 2. Click on New media. 3. Upload any image and then click on Back to overview. 4. With the image...
Improper Privilege Management in chatwoot/chatwoot
✍️ Description Privilege escalation to view all conversation 🕵️♂️ Proof of Concept 1. First goto https://app.chatwoot.com/app/accounts/4534/settings/agents/list from admin account and add a user B as agent . 2. now goto https://app.chatwoot.com/app/accounts/4534/settings/inboxes/list and add a...
Code Injection in storybookjs/telejson
✍️ Description telejson is a library for teleporting rich data to another place. The telejson.reviver which is used to parse string data back to json structure can be abused to execute arbitrary code when the lazyEval option is set to false i.e., disabled. The root cause is the attackers can...
Code Injection in dimodimchev/access-control
Description Access-Control package is vulnerable to Arbitary Code Execution due to insecure yaml desearilization. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept steps to reproduce: python import os os.system'git clone...
Code Injection in tensorspeech/tensorflowtts
✍️ Description TensorFlowTTS provides real-time state-of-the-art speech synthesis architectures such as Tacotron-2, Melgan, Multiband-Melgan, FastSpeech, FastSpeech2 based-on TensorFlow 2. With Tensorflow 2, we can speed-up training/inference progress, optimizer further by using fake-quantize awar...
Prototype Pollution in alexandervu/dot-prop-opt
Description dot-prop-opt is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'dot-prop-opt' console.log'Before: ' + .polluted set, 'proto.polluted', true console.log'After: ' + .polluted 2. Execute the following commands...
Prototype Pollution in a-maged/object-breacher
Description object-breacher is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'object-breacher' console.log'Before: ' + .polluted set, 'proto.polluted', true console.log'After: '+ .polluted 2. Execute the following...
Prototype Pollution in darrenpaulwright/object-agent
Description object-agent is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js import set from 'object-agent'; var obj = console.log"Before : " + .polluted; setobj, 'proto.polluted', 'Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute th...
Cross-site Scripting (XSS) - Generic in dolibarr/dolibarr
Description The application is vulnerable to html injection in password reset functionality. PoC CLICK ME...
Path Traversal in rwson/server-static
Overview server-static is a static file server, this package is vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server. For example, requesting the following URL: /../../etc/passwd would result in /etc/passwd leaking...
in imsobear/node-browser
Overview node-browser is a wrapper webdriver by Node.js, this package is vulnerable to Man in the Middle MitM attacks due to downloading resources over an insecure protocol. Without a secure connection, it is possible for an attacker to intercept this connection and alter the packages received. I...
Path Traversal in youngerheart/nodeserver
Overview nodeserver is a Achieve node server's domain name resolution and web application's router, this package is vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server. For example, requesting the following URL: /../../etc/passwd would result in...
Cross-site Scripting (XSS) - Generic in dolibarr/dolibarr
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS. Special characters provided as part of the Referer HTTP header. is reflected within htdocs/user/passwordforgotten.php...
Code Injection in vishwanatharondekar/gitlab-cli
Description The git-lab-cli module is vulnerable against RCE since a command is crafted using user inputs not validated and then executedading to arbitrary command injection POC 1. Check there aren't files called HACKED 2. Execute the following commands in another terminal: bash npm i git-lab-cli...
Path Traversal in NLTK Downloader Package Metadata Allows Arbitrary File Write
Description The NLTK downloader does not validate file paths constructed from package metadata before writing downloaded files. A malicious NLTK data server can specify arbitrary paths via the subdir and id attributes in the package index XML, allowing arbitrary file write outside the intended...
Missing Authorization Validation on MLflow MPU Endpoints Leads to Cross-Resource Artifact Overwrite, Model Poisoning, and Cross-Boundary Command Execution on Model Load
Analyzed version: 5af88dc08a54d40dddfc019da9e7f0fd0fcf34e2 git describe: nightly-2300-g5af88dc08, local mlflow.version: 3.10.1.dev0 In --serve-artifacts mode, MLflow exposes MPU endpoints for large-file multipart uploads. However, its authorization logic only covers the /mlflow-artifacts/artifact...
H2O-3 PostgreSQL Driver RCE - Bypassing CVE-2025-6544 Mitigation
Description A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The current security mitigation implemented in H2O-3 relies on a parameter blacklist mechanism that exclusively targets MySQL JDBC...
MLflow Tarfile Path traversal in mlflow/mlflow
Description Vulnerability Report: Unsafe Tar Extraction Path Traversal Due to the lack of path traversal verification in the tar decompression part, it may lead to the possibility of overwriting any file or gaining elevated privileges. This is a non-expected vulnerability. Location File:...
heap-use-after-free in MP4Box
Description heap-use-after-free in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic 3322.04.1-Ubuntu SMP PREEMPTDYNAMIC Thu Sep 7 10:33:52 UTC 2 x8664 x8664 x8664 GNU/Linux Asan 33mTTML...
heap-buffer-overflow in ac3dmx_process
Description Heap-buffer-overflow in ac3dmxprocess at filters/reframeac3.c:489. version git log commit 5692dc729491805e0e5f55c21d50ba1e6b19e88e HEAD - master, origin/master, origin/HEAD Author: Aurelien David Date: Wed Oct 11 13:24:46 2023 +0200 ac3dmx: add remain size check fixes 2627 ./MP4Box...