Lucene search
K
HuntrMost viewed

4072 matches found

Huntr
Huntr
added 2023/09/03 4:9 p.m.11 views

Store XSS in Survey menus

Description I noticed, your website is very secure. But you overlooked a flaw Store DOM XSS . Proof of Concept Detail: 1 .Login vs admin demo account and access Configuration 2 .Go to Survey menus == Survey menus entries 3 .Add new menu entry and insert payload in to GET data method...

6.3AI score
Exploits0
Huntr
Huntr
added 2023/08/22 1:11 a.m.11 views

Authentication cookie without Secure flag

Description Access and login to the website. Press F12 on your keyboard or right-click on the website to open dev-tool. At Application tab, choose Cookies and there are some sensitive cookies without Secure flag. Proof of Concept Link photo:...

6.8AI score
Exploits0
Huntr
Huntr
added 2023/08/21 5:28 p.m.11 views

Improper Authorization in Import Question function

Description The Import Question function does not check user permissions, allowing users to import questions into any survey without requiring authorization Proof of Concept Step 1: We have user1 who has no permissions Step 2: User1 performs importing questions into the survey by creating a reque...

7.2AI score
Exploits0
Huntr
Huntr
added 2023/08/18 12:19 p.m.11 views

Stored XSS

Description Due to insufficient validation of uploaded files - bad actors can upload malicious SVG file with XSS payload. That leads to Stored XSS. Because accessToken cookie has valid HttpOnly flag, can not take victims cookie there in this way, but please keep in mind that XSS in general is abo...

6.1AI score
Exploits0References3
Huntr
Huntr
added 2023/08/18 2:13 a.m.11 views

Stored Cross-site Scripting

Description Stored XSS attack, the attacker typically injects malicious code, such as JavaScript, into a web form or other input field on a vulnerable web application. This code is then stored on the server and may be displayed to other users who visit the affected page, allowing the attacker to...

7AI score
Exploits0
Huntr
Huntr
added 2023/08/15 6:18 a.m.11 views

Weak Password Requirements

Weak password requirements are password policies that are too lax and allow users to create passwords that are easy to guess or crack. This can make it easier for attackers to gain unauthorized access to accounts and systems. It was discovered that the validation takes place only on the client si...

7.4AI score
Exploits0References1
Huntr
Huntr
added 2023/08/13 3:14 p.m.11 views

Reflected XSS in LimeSurvey via userid parameter

Description The userid parameter in the 'Delete Confirm' feature in user management is rendered directly into the webpage without proper handling. This allows users to inject malicious HTML/JavaScript code into the webpage that can be executed in the admin or privileged user's context. Proof of...

6.8AI score
Exploits0
Huntr
Huntr
added 2023/08/11 2:1 p.m.11 views

privilege escalation bug to creation survey-group with others group as parent

BUG ======= privilege escalation bug to creation survey-group with others group as parent\ ACCOUNT ============= 1. user-A -- superadmin\ 2. user-B -- normal user\ user-B has only create permission in survey-group . does not have view permission in survey group\ as user-B does not have view...

7.7AI score
Exploits0
Huntr
Huntr
added 2023/08/05 10:21 p.m.11 views

HTML Injection - real Aptabase emails

Description Due to lack of validation Name field during registration, bad actor can send emails with HTML injected code to the victims. Proof of Concept Payload example: Jameees Repro steps: Go to https://eu.aptabase.com/auth/register and for field 'Name' use payload with HTML. Open email from...

7AI score
Exploits0References2
Huntr
Huntr
added 2023/08/05 4:49 a.m.11 views

Stored XSS in Page Title

Description At the latest version, the page title has been escaped and cannot trigger the XSS payload. However, by login to a user with other privileges, I see that It's still not escaped yet. Proof of Concept Step 1: Login as Admin, create a page in site1 with the title "test and see that the pa...

4.3CVSS6.3AI score0.00453EPSS
Exploits1
Huntr
Huntr
added 2023/06/28 5:28 p.m.11 views

Incorrect Authorization to Stored XSS in Import User Role function

Description The application incorrectly checks user permissions, enabling the attacker to use the 'import file user roles' functionality, which contains a payload for executing JavaScript code, without requiring any specific privileges. Proof of Concept Step1: Even without the privilege to manage...

6.9AI score
Exploits0
Huntr
Huntr
added 2023/06/28 4:37 p.m.11 views

Cross-Site Request Forgery lead to lock and unlock Album

Description Attacker able to lock or unlock any album with this CSRF attack. Proof of Concept 1. Admin already should be logged in browser 2. Open the CSRF.html document.forms0.submit; The album b9131a9d-577e-4f06-b87e-5af30714b25b will be unlock Acknowledge Tran Van Nhan from bl4ckh0l3 of Galaxy...

6.9AI score
Exploits0
Huntr
Huntr
added 2023/06/17 5:39 p.m.11 views

Able to edit users owned by other administration users

Description Exploiting a vulnerability 'Take ownership' of any user, thereby being able to edit all users. Proof of Concept Step 1: We have user1 owned by admin1. \ Step 2: By doing the 'Take ownership' action, the user1 is now owned by admin2 \ \ Step 3: Now, admin2 is able to edit user1, and ev...

6.9AI score
Exploits0
Huntr
Huntr
added 2023/06/15 4:56 p.m.11 views

Stored XSS in the delete confirmation popup

Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Step1: The user with the privilege to create group creates a new group by passing a payload into...

6.4AI score
Exploits0
Huntr
Huntr
added 2023/06/14 1:51 a.m.11 views

The app allows to set new password same as old password

Description 1/ Access and login to the demo website: https://demo.openitcockpit.io 2/ At changing password function, set new password as same as old password. 3/ Logout and re-login to check, it's successful. Proof of Concept Link video PoC:...

7.1AI score
Exploits0
Huntr
Huntr
added 2023/06/09 11:33 p.m.11 views

Privilege Escalation Vulnerability in Product Upgrade Module

Description Our product upgrade module contained a privilege escalation vulnerability that would allow an unauthorized user to upgrade to a product they were not authorized to. After an administrator had Product 1 can upgrde as Product2 , but not Product3, a user could use Burpsuite to intercept...

7.1AI score
Exploits0
Huntr
Huntr
added 2023/05/27 3:26 p.m.11 views

Integer Overflow in tjexample.c

Description The tjexample.c example program uses tjAlloc function to allocate the output buffer of the JPEG buffer. tjAlloc uses malloc which takes a sizet number of bytes an unsigned integer. However, tjAlloc itself takes the number of bytes as a signed integer:...

7.2AI score
Exploits0
Huntr
Huntr
added 2023/05/11 3:19 p.m.11 views

Lack of security consideration leads to multiple critical weaknesses

Introduction This report serves more as a suggestion to improve security, rather than fixing any single "vulnerability". I've given examples to demonstrate the impact that neglecting security may have, but these are not the root cause of the issue. Due to the nature of a package, being able to...

8AI score
Exploits0References2
Huntr
Huntr
added 2023/04/19 9:22 p.m.11 views

CSRF Leading to reset Boxes

Description Hello everyone, During my testing on LimeSurvey's admin demo, it's found that the Boxes part of the application is vulnerable to CSRF affecting reset boxes functionality meaning that if an admin created some boxes an attacker could trick the admin to reset the boxes by following a lin...

6.8AI score
Exploits0
Huntr
Huntr
added 2023/03/26 8:2 a.m.11 views

Stored HTML injection to XSS

Team, I hope you are all doing well. . I wanted to bring to your attention a potential vulnerability on the website https://wearenotloosers.kimai.cloud. . During my research, I discovered that the user name fields are vulnerable to a stored HTML injection attack. . Which is reflecting while...

7.1AI score
Exploits0
Huntr
Huntr
added 2023/03/09 2:36 p.m.11 views

Cross Site Scripting (XSS) in UrlSlug

Description Please enter a description of the vulnerability. Cross Site Scripting XSS in UrlSlug of pimcore/pimcore Its Different than https://huntr.dev/bounties/75bc7d07-46a7-4ed9-a405-af4fc47fb422/ Proof of Concept 1. Login in stable account URL : https://11.x-dev.pimcore.fun/admin/ 2. Go to...

6.2AI score
Exploits0References2
Huntr
Huntr
added 2023/02/22 5:11 a.m.11 views

Improper Neutralization of Input in paperWidth param During Web Page Generation

Module : print and invoice-print Parameter : paperWidth Attacker would be able to close the tag and can inject html tags POC : http://demo.bumsys.org/print?&paperWidth=;%3C/style%3E%3Cbody+onpageshow=alertdocument.domain%3E POC :...

0.6AI score
Exploits0
Huntr
Huntr
added 2023/02/16 5:57 p.m.11 views

Folder in webmail mailbox is vulnerable to Cross-Site Scripting (Reflective)

Issue Description • Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause...

0.2AI score
Exploits0
Huntr
Huntr
added 2023/01/24 12:34 p.m.11 views

Anti-CSRF mechanism is not present

Description The application is vulnerable to a CSRF attack. Proof of Concept 1. Login as admin. 2. Open the following HTML file in the browser. This action is equivalent to clicking a link sent by an attacker. trap.html html history.pushState'', '', '/' 3. Click the button. 4. A new user is creat...

0.5AI score
Exploits0References1
Huntr
Huntr
added 2022/12/12 12:13 p.m.11 views

Authenticated Reflected XSS on ajax/common.tabs.php

Description There is a reflected XSS vulnerability on ajax/common.tabs.php due to the KnowBase tab not escaping the start parameter properly probably because it's not reflected inside quotes. There was some work into getting the exploit working, due to JQuery's $ not being defined and causing a...

0.3AI score
Exploits0References1
Huntr
Huntr
added 2022/11/29 8:3 p.m.11 views

XSS on external links

Description This vulnerability allow for an administrator to create an evil external link. Proof of Concept As an admin user Go to /front/link.form.php?id=1 Create an external link and put has value for the link 'onmouseover="alertdocument.domain" Assign this link to budgets example As a regular...

1.6AI score
Exploits0
Huntr
Huntr
added 2022/11/23 10:3 p.m.11 views

Unrestricted Upload of file with dangerous type lead to destroying the company's reputation.

Description In upload function i found the function accept a lot of file type and this is very dangerous because may be malicious user upload html file contain any information like go to another site or write message destroying the company's reputation like this site has been hacked by hacker Pro...

6.8AI score
Exploits0
Huntr
Huntr
added 2022/11/07 3:22 p.m.11 views

froxlor/froxlor <= 0.10.38.2 - Authenticated Unrestricted File Upload to RCE

Description Unsafe file uploads occur when the web server fails to sufficiently validate the file’s size, type, name, contents, or what restrictions are placed on the file once it has been successfully uploaded. The application fails to validate files that are uploaded, allowing an attacker to...

8.1AI score
Exploits0References2
Huntr
Huntr
added 2022/10/30 11:52 p.m.11 views

XSS Stored inside Admin logs

Description If an attacker attempt to login with an XSS payload inside the username, the login attempt will be logged on the admin dashboard. Then, if an admin visits the login logs page, it will execute the XSS. Proof of Concept Login with XSS inside username Admin visits logs...

1.9AI score
Exploits0References1
Huntr
Huntr
added 2022/10/26 1:41 p.m.11 views

Reflected Cross Site Scripting in Search Functionality of Module Library

Description Hello Team, Hope you are doing well. I have found a reflected cross site scripting vulnerability in search functionality present in the module library section. What is reflected cross site scripting? Reflected cross-site scripting or XSS arises when an application receives data in an...

6.2AI score
Exploits0
Huntr
Huntr
added 2022/10/04 1:44 p.m.11 views

Insufficient Session Expiration

Description Active sessions are not invalidated after a password change or after an admin resets the user's password. Proof of Concept Steps to reproduce: 1. Log in to Elgg with any user 2. Do the same in another browser or a private window, such that there are two different active sessions 3...

1.9AI score
Exploits0References1
Huntr
Huntr
added 2022/09/26 3:51 p.m.11 views

Stored XSS

Description openemr has a feature to customize the "Text in the login box " , due to a bad sanitization it allows to put some html tag like "form" scheme which allows to execute javascript code. 1. login as user glpi/glpi admin user 2. go to HOME-SETUP-GENERAL...

7.2AI score
Exploits0
Huntr
Huntr
added 2022/09/13 3:53 p.m.11 views

DoS attack in the HTTP decompression

Description Tulip is able to decompress compressed HTTP payloads. It does not check for decompression bomb. Using brotli, an attacker can send a HTTP paquet to a team vulnbox containing a brotli payload of 8.3KB. When decompressing this payload, it expands to 10GiB on the machine running the...

Exploits0
Huntr
Huntr
added 2022/08/26 6:0 a.m.11 views

Firefox XSS when redirecting to untrusted URL

Description When redirecting server side using navigateTo with untrusted user data and with external links set to true, XSS can be triggered on Firefox probably other browsers too. This is due to h3 expecting JSON stringfy to sanitize HTML and nuxt3 also assuming that to be true by using the...

6AI score
Exploits0References3
Huntr
Huntr
added 2022/08/24 1:16 p.m.11 views

Floating point exception

Description Floating point exception in udiv commit : b83285697888abbcb2286462da070d49f413ab24 Proof of Concept ruby 1 63.pow1, 0 ASAN Output ================================================================= ==747==ERROR: AddressSanitizer: FPE on unknown address 0x5626e07f6dba pc 0x5626e07f6dba b...

1.3AI score
Exploits0
Huntr
Huntr
added 2022/08/15 2:3 a.m.11 views

DoS via Collaborative Document

Description An attacker can send an enormous payload via the WebSockets collaborative document feature, without any proper size restriction, leading to the unresponsiveness of every user browser that visits the target document, and even worse, if the payload is bigger enough, in the demonstration...

0.6AI score
Exploits0
Huntr
Huntr
added 2022/08/09 12:58 a.m.11 views

Weak Password Change Mechanism

Description The user password change page, doesn't require knowledge of the existing password. Proof of Concept 1. 1 - Log in as a normal user 2. 2 - Go to the User Dashboard page and click Password. 3. 3 - Set a any new password. 4. 4 - The password is changed successfully...

0.9AI score
Exploits0
Huntr
Huntr
added 2022/07/30 3:9 p.m.11 views

Weak password policy on account creation/password update

Description The password policy used in the account creation and password change pages is weak, allowing to set a password of only 1 character. Proof of Concept Case 1 - Account Creation 1. 1 - Login as admin and go to the users page. 2. 2 - Create a new user and set 1 as the password and click i...

0.3AI score
Exploits0
Huntr
Huntr
added 2022/07/26 4:26 a.m.11 views

Password Reset token returned in Respose to Account takeover.

Description Password Reset token returned in Respose. Then you can set an arbitrary password with the following url: url //auth/reset-password?token=token Proof of Concept...

1.5AI score
Exploits0
Huntr
Huntr
added 2022/07/14 6:34 p.m.11 views

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. Proof of Concept Link: https://postimg.cc/1nBBXZr5 Remediation If possible, you should set the Secure flag for these cooki...

0.8AI score
Exploits0References2
Huntr
Huntr
added 2022/07/12 11:57 a.m.11 views

stackexchange uses an unpached version of jQuery < 3.4.0 which exposes it to prototype pollution

Description By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses...

2.2AI score0.87218EPSS
Exploits4References2
Huntr
Huntr
added 2022/07/09 5:47 p.m.11 views

Business logic error: Not able to access newly created admin account with the username admin with the password

Hello team, recently I found that I'm able to create dual admin via the same username, by creating a dual admin account we maybe not be able login the newly created admin user-named account. 2. For example, the default username and password of nakama dashboard will be admin & password 3. After...

0.7AI score
Exploits0References1
Huntr
Huntr
added 2022/07/06 2:38 p.m.11 views

Improperly Configured rack_attack.rb does not prevent rate limit attacks

Description The lobsters repository depends upon rackattack.rb to prevent rate limit attacks against the /login or the /login/setnewpassword endpoint, allowing for only 4 requests in a minute. However, this can be bypassed by simply appending some strings like /login.turtles to the endpoint. Proo...

1AI score
Exploits0References3
Huntr
Huntr
added 2022/07/05 9:46 a.m.11 views

Password Reset Allows For User Email Enumeration

Description The password reset function at the login page responds to valid and invalid emails in the application. Submitting an invalid email result in "The e-mail address is not assigned to any user account." A valid response results in a message stating an email has been sent. Proof of Concept...

0.7AI score
Exploits0References2
Huntr
Huntr
added 2022/07/05 9:35 a.m.11 views

Weak Password Change Mechanism

Description When setting a new user password, commafeeddoes not require knowledge of the original password or using another form of authentication. Proof of Concept 1. Log in as a regular user 2. Go to the profile settings link 3. Select Set Password 4. Enter any 6-character password string this...

1.6AI score
Exploits0References3
Huntr
Huntr
added 2022/07/04 5:32 p.m.11 views

Improper handling of parameter lead to listing any directory

Description In file-manager/list API, the server does not handling path parameters properly lead to allow listing any directory. To exploit, use double URL encoding to bypass filter. Proof of Concept GET /demo/api/file-manager/list?path=%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/...

0.8AI score
Exploits0
Huntr
Huntr
added 2022/07/02 2:3 p.m.11 views

Stored XSS via Editing config

Description Hello, I'm reporting several Stored XSS vulnerabilities in same report because huntr.dev now want us to do this. Please consider the vulnerabilities independently. Vuln one : It's possible to inject javascript code in "URL of your FAQ" parameter in admin's edit config form. The...

0.1AI score
Exploits0
Huntr
Huntr
added 2022/07/01 9:28 p.m.11 views

unprivileged user can get document details

Description unprivileged user can see document details of any document . Proof of Concept 1. From admin account add a new user called user-B as member role .\ \ 2. Now from admin account create a private collection and dont share it with any member .Set bellow permisiion for this collection...

0.1AI score
Exploits0
Huntr
Huntr
added 2022/06/28 7:23 a.m.11 views

Arbitrary template creation leading to Authenticated Remote Code Execution

Description Arbitrary File Write Reproduction Steps: 1. As a low privileged user, Create a new recipe and click on the "+" to add a New Asset. 2. Select a file, then proxy the request that will create the asset. 3. Update the values in the POST request to the ones shown below: POST...

0.5AI score
Exploits0
Huntr
Huntr
added 2022/06/16 9:49 a.m.11 views

Inefficient Regular Expression Complexity potentially leads to Denial of Service

Description Inefficient Regular Expression Complexity of url regex could lead to a denial of service attack. This report bypasses the fix in issue 300 by a well-formed payload '//a.b' + 'c1'.repeati + 'a'. With only 36 characters payload could take 18672 ms time execution. Proof of Concept js //...

1.9AI score
Exploits0References1
Total number of security vulnerabilities4072