4072 matches found
Store XSS in Survey menus
Description I noticed, your website is very secure. But you overlooked a flaw Store DOM XSS . Proof of Concept Detail: 1 .Login vs admin demo account and access Configuration 2 .Go to Survey menus == Survey menus entries 3 .Add new menu entry and insert payload in to GET data method...
Authentication cookie without Secure flag
Description Access and login to the website. Press F12 on your keyboard or right-click on the website to open dev-tool. At Application tab, choose Cookies and there are some sensitive cookies without Secure flag. Proof of Concept Link photo:...
Improper Authorization in Import Question function
Description The Import Question function does not check user permissions, allowing users to import questions into any survey without requiring authorization Proof of Concept Step 1: We have user1 who has no permissions Step 2: User1 performs importing questions into the survey by creating a reque...
Stored XSS
Description Due to insufficient validation of uploaded files - bad actors can upload malicious SVG file with XSS payload. That leads to Stored XSS. Because accessToken cookie has valid HttpOnly flag, can not take victims cookie there in this way, but please keep in mind that XSS in general is abo...
Stored Cross-site Scripting
Description Stored XSS attack, the attacker typically injects malicious code, such as JavaScript, into a web form or other input field on a vulnerable web application. This code is then stored on the server and may be displayed to other users who visit the affected page, allowing the attacker to...
Weak Password Requirements
Weak password requirements are password policies that are too lax and allow users to create passwords that are easy to guess or crack. This can make it easier for attackers to gain unauthorized access to accounts and systems. It was discovered that the validation takes place only on the client si...
Reflected XSS in LimeSurvey via userid parameter
Description The userid parameter in the 'Delete Confirm' feature in user management is rendered directly into the webpage without proper handling. This allows users to inject malicious HTML/JavaScript code into the webpage that can be executed in the admin or privileged user's context. Proof of...
privilege escalation bug to creation survey-group with others group as parent
BUG ======= privilege escalation bug to creation survey-group with others group as parent\ ACCOUNT ============= 1. user-A -- superadmin\ 2. user-B -- normal user\ user-B has only create permission in survey-group . does not have view permission in survey group\ as user-B does not have view...
HTML Injection - real Aptabase emails
Description Due to lack of validation Name field during registration, bad actor can send emails with HTML injected code to the victims. Proof of Concept Payload example: Jameees Repro steps: Go to https://eu.aptabase.com/auth/register and for field 'Name' use payload with HTML. Open email from...
Stored XSS in Page Title
Description At the latest version, the page title has been escaped and cannot trigger the XSS payload. However, by login to a user with other privileges, I see that It's still not escaped yet. Proof of Concept Step 1: Login as Admin, create a page in site1 with the title "test and see that the pa...
Incorrect Authorization to Stored XSS in Import User Role function
Description The application incorrectly checks user permissions, enabling the attacker to use the 'import file user roles' functionality, which contains a payload for executing JavaScript code, without requiring any specific privileges. Proof of Concept Step1: Even without the privilege to manage...
Cross-Site Request Forgery lead to lock and unlock Album
Description Attacker able to lock or unlock any album with this CSRF attack. Proof of Concept 1. Admin already should be logged in browser 2. Open the CSRF.html document.forms0.submit; The album b9131a9d-577e-4f06-b87e-5af30714b25b will be unlock Acknowledge Tran Van Nhan from bl4ckh0l3 of Galaxy...
Able to edit users owned by other administration users
Description Exploiting a vulnerability 'Take ownership' of any user, thereby being able to edit all users. Proof of Concept Step 1: We have user1 owned by admin1. \ Step 2: By doing the 'Take ownership' action, the user1 is now owned by admin2 \ \ Step 3: Now, admin2 is able to edit user1, and ev...
Stored XSS in the delete confirmation popup
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Step1: The user with the privilege to create group creates a new group by passing a payload into...
The app allows to set new password same as old password
Description 1/ Access and login to the demo website: https://demo.openitcockpit.io 2/ At changing password function, set new password as same as old password. 3/ Logout and re-login to check, it's successful. Proof of Concept Link video PoC:...
Privilege Escalation Vulnerability in Product Upgrade Module
Description Our product upgrade module contained a privilege escalation vulnerability that would allow an unauthorized user to upgrade to a product they were not authorized to. After an administrator had Product 1 can upgrde as Product2 , but not Product3, a user could use Burpsuite to intercept...
Integer Overflow in tjexample.c
Description The tjexample.c example program uses tjAlloc function to allocate the output buffer of the JPEG buffer. tjAlloc uses malloc which takes a sizet number of bytes an unsigned integer. However, tjAlloc itself takes the number of bytes as a signed integer:...
Lack of security consideration leads to multiple critical weaknesses
Introduction This report serves more as a suggestion to improve security, rather than fixing any single "vulnerability". I've given examples to demonstrate the impact that neglecting security may have, but these are not the root cause of the issue. Due to the nature of a package, being able to...
CSRF Leading to reset Boxes
Description Hello everyone, During my testing on LimeSurvey's admin demo, it's found that the Boxes part of the application is vulnerable to CSRF affecting reset boxes functionality meaning that if an admin created some boxes an attacker could trick the admin to reset the boxes by following a lin...
Stored HTML injection to XSS
Team, I hope you are all doing well. . I wanted to bring to your attention a potential vulnerability on the website https://wearenotloosers.kimai.cloud. . During my research, I discovered that the user name fields are vulnerable to a stored HTML injection attack. . Which is reflecting while...
Cross Site Scripting (XSS) in UrlSlug
Description Please enter a description of the vulnerability. Cross Site Scripting XSS in UrlSlug of pimcore/pimcore Its Different than https://huntr.dev/bounties/75bc7d07-46a7-4ed9-a405-af4fc47fb422/ Proof of Concept 1. Login in stable account URL : https://11.x-dev.pimcore.fun/admin/ 2. Go to...
Improper Neutralization of Input in paperWidth param During Web Page Generation
Module : print and invoice-print Parameter : paperWidth Attacker would be able to close the tag and can inject html tags POC : http://demo.bumsys.org/print?&paperWidth=;%3C/style%3E%3Cbody+onpageshow=alertdocument.domain%3E POC :...
Folder in webmail mailbox is vulnerable to Cross-Site Scripting (Reflective)
Issue Description • Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause...
Anti-CSRF mechanism is not present
Description The application is vulnerable to a CSRF attack. Proof of Concept 1. Login as admin. 2. Open the following HTML file in the browser. This action is equivalent to clicking a link sent by an attacker. trap.html html history.pushState'', '', '/' 3. Click the button. 4. A new user is creat...
Authenticated Reflected XSS on ajax/common.tabs.php
Description There is a reflected XSS vulnerability on ajax/common.tabs.php due to the KnowBase tab not escaping the start parameter properly probably because it's not reflected inside quotes. There was some work into getting the exploit working, due to JQuery's $ not being defined and causing a...
XSS on external links
Description This vulnerability allow for an administrator to create an evil external link. Proof of Concept As an admin user Go to /front/link.form.php?id=1 Create an external link and put has value for the link 'onmouseover="alertdocument.domain" Assign this link to budgets example As a regular...
Unrestricted Upload of file with dangerous type lead to destroying the company's reputation.
Description In upload function i found the function accept a lot of file type and this is very dangerous because may be malicious user upload html file contain any information like go to another site or write message destroying the company's reputation like this site has been hacked by hacker Pro...
froxlor/froxlor <= 0.10.38.2 - Authenticated Unrestricted File Upload to RCE
Description Unsafe file uploads occur when the web server fails to sufficiently validate the file’s size, type, name, contents, or what restrictions are placed on the file once it has been successfully uploaded. The application fails to validate files that are uploaded, allowing an attacker to...
XSS Stored inside Admin logs
Description If an attacker attempt to login with an XSS payload inside the username, the login attempt will be logged on the admin dashboard. Then, if an admin visits the login logs page, it will execute the XSS. Proof of Concept Login with XSS inside username Admin visits logs...
Reflected Cross Site Scripting in Search Functionality of Module Library
Description Hello Team, Hope you are doing well. I have found a reflected cross site scripting vulnerability in search functionality present in the module library section. What is reflected cross site scripting? Reflected cross-site scripting or XSS arises when an application receives data in an...
Insufficient Session Expiration
Description Active sessions are not invalidated after a password change or after an admin resets the user's password. Proof of Concept Steps to reproduce: 1. Log in to Elgg with any user 2. Do the same in another browser or a private window, such that there are two different active sessions 3...
Stored XSS
Description openemr has a feature to customize the "Text in the login box " , due to a bad sanitization it allows to put some html tag like "form" scheme which allows to execute javascript code. 1. login as user glpi/glpi admin user 2. go to HOME-SETUP-GENERAL...
DoS attack in the HTTP decompression
Description Tulip is able to decompress compressed HTTP payloads. It does not check for decompression bomb. Using brotli, an attacker can send a HTTP paquet to a team vulnbox containing a brotli payload of 8.3KB. When decompressing this payload, it expands to 10GiB on the machine running the...
Firefox XSS when redirecting to untrusted URL
Description When redirecting server side using navigateTo with untrusted user data and with external links set to true, XSS can be triggered on Firefox probably other browsers too. This is due to h3 expecting JSON stringfy to sanitize HTML and nuxt3 also assuming that to be true by using the...
Floating point exception
Description Floating point exception in udiv commit : b83285697888abbcb2286462da070d49f413ab24 Proof of Concept ruby 1 63.pow1, 0 ASAN Output ================================================================= ==747==ERROR: AddressSanitizer: FPE on unknown address 0x5626e07f6dba pc 0x5626e07f6dba b...
DoS via Collaborative Document
Description An attacker can send an enormous payload via the WebSockets collaborative document feature, without any proper size restriction, leading to the unresponsiveness of every user browser that visits the target document, and even worse, if the payload is bigger enough, in the demonstration...
Weak Password Change Mechanism
Description The user password change page, doesn't require knowledge of the existing password. Proof of Concept 1. 1 - Log in as a normal user 2. 2 - Go to the User Dashboard page and click Password. 3. 3 - Set a any new password. 4. 4 - The password is changed successfully...
Weak password policy on account creation/password update
Description The password policy used in the account creation and password change pages is weak, allowing to set a password of only 1 character. Proof of Concept Case 1 - Account Creation 1. 1 - Login as admin and go to the users page. 2. 2 - Create a new user and set 1 as the password and click i...
Password Reset token returned in Respose to Account takeover.
Description Password Reset token returned in Respose. Then you can set an arbitrary password with the following url: url //auth/reset-password?token=token Proof of Concept...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. Proof of Concept Link: https://postimg.cc/1nBBXZr5 Remediation If possible, you should set the Secure flag for these cooki...
stackexchange uses an unpached version of jQuery < 3.4.0 which exposes it to prototype pollution
Description By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses...
Business logic error: Not able to access newly created admin account with the username admin with the password
Hello team, recently I found that I'm able to create dual admin via the same username, by creating a dual admin account we maybe not be able login the newly created admin user-named account. 2. For example, the default username and password of nakama dashboard will be admin & password 3. After...
Improperly Configured rack_attack.rb does not prevent rate limit attacks
Description The lobsters repository depends upon rackattack.rb to prevent rate limit attacks against the /login or the /login/setnewpassword endpoint, allowing for only 4 requests in a minute. However, this can be bypassed by simply appending some strings like /login.turtles to the endpoint. Proo...
Password Reset Allows For User Email Enumeration
Description The password reset function at the login page responds to valid and invalid emails in the application. Submitting an invalid email result in "The e-mail address is not assigned to any user account." A valid response results in a message stating an email has been sent. Proof of Concept...
Weak Password Change Mechanism
Description When setting a new user password, commafeeddoes not require knowledge of the original password or using another form of authentication. Proof of Concept 1. Log in as a regular user 2. Go to the profile settings link 3. Select Set Password 4. Enter any 6-character password string this...
Improper handling of parameter lead to listing any directory
Description In file-manager/list API, the server does not handling path parameters properly lead to allow listing any directory. To exploit, use double URL encoding to bypass filter. Proof of Concept GET /demo/api/file-manager/list?path=%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/...
Stored XSS via Editing config
Description Hello, I'm reporting several Stored XSS vulnerabilities in same report because huntr.dev now want us to do this. Please consider the vulnerabilities independently. Vuln one : It's possible to inject javascript code in "URL of your FAQ" parameter in admin's edit config form. The...
unprivileged user can get document details
Description unprivileged user can see document details of any document . Proof of Concept 1. From admin account add a new user called user-B as member role .\ \ 2. Now from admin account create a private collection and dont share it with any member .Set bellow permisiion for this collection...
Arbitrary template creation leading to Authenticated Remote Code Execution
Description Arbitrary File Write Reproduction Steps: 1. As a low privileged user, Create a new recipe and click on the "+" to add a New Asset. 2. Select a file, then proxy the request that will create the asset. 3. Update the values in the POST request to the ones shown below: POST...
Inefficient Regular Expression Complexity potentially leads to Denial of Service
Description Inefficient Regular Expression Complexity of url regex could lead to a denial of service attack. This report bypasses the fix in issue 300 by a well-formed payload '//a.b' + 'c1'.repeati + 'a'. With only 36 characters payload could take 18672 ms time execution. Proof of Concept js //...