4072 matches found
Generation of Error Message Containing Sensitive Information
Description The software generates an error message that includes sensitive information about its environment, users, or associated data. Proof of Concept 1. The forgot password feature will tell you whether or not a username exists which is a vulnerability since it can be paired with the lack of...
Stored XSS in Supplier Company Name
Description The application inventree is vulnerable to Stored XSS in supplier company name field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/1KDrwbWkftO-cNrd-4XSoNh27Z3vqiMR/view?usp=sharing...
Reflected XSS in param 'activetab' and param 'code'
Description We can insert XSS payload at http://localhost/facturascripts/ListAlbaranProveedor, the 'activetab' parameter. Proof of Concept GET...
UI Redressing
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept 1. Go to this URL:...
Weak Password Policy
Description This page is using a weak password. Acunetix was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such ...
proxying Big files leads to potential DOS [/proxy]
Description consider following script and put drawiodockerinstace your address and also bigfileaddress should be serve a big image file 250 MB exploit.py python from multiprocessing import Process import requests def fun: try:...
Cross-site Scripting (XSS) - Reflected
Description I find Relected XSS in search function. Proof of Concept 1.Login with admin or teacher account 2.Access this url:...
xss bypass
Description xss check bypassed Proof of Concept The fix for this bug https://huntr.dev/bounties/2adf903d-cab1-4ca8-8236-b6315f0fdaba/ can be bypassed using bellow payload jAvAsCriPt://sadas.com/%0aalert11;//...
SSRF via IPv6 address 2
Description While searching online, I found that https://stackoverflow.com/questions/53764109/is-there-a-java-api-that-will-identify-the-ipv6-address-fd00-as-local-private also states fc00 / fd00 are also private IPv6 range that are weirdly not covered by INetAddress, meaning that it has to be do...
Cross-site scripting and open redirect vulnerability on Rock RMS Login Page
Description The Rock RMS login page has a returnUrl parameter that is used to set window.location.href when the user has successfully logged in. An attacker can include a malicious JavaScript payload using a link crafted with the payload in the returnUrl parameter, such as 'javascript:...', that ...
Cross-site Scripting (XSS) - Reflected
Description Reflected cross-site scripting or XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept 1.Login as admin administrator / administrator. 2.Access this URL...
Cross-site scripting - Reflected via upload `.xml` file
Description When user upload a file with .xml extension and direct access this file, the server response with Content-type: text/html lead to processing XML as HTML file. Proof of Concept POST /facturascripts/EditAttachedFile?code=1&action=save-ok HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0...
Thirdparty site authorization header leak
Description mechanize library is used to manipulate the URL of web pages and crawl the contents of web pages. mechanize does not filter the request header after redirecting. It will also transfer the authentication and cookie request header of the first request to the service after redirecting,...
Cross-site scripting - Reflected via mime-type file upload
Description When user upload file with extension not in white-list, server will throw error attach with mime-type of file upload user can controll without sanitize. Proof of Concept POST /rosariosis/Modules.php?modname=SchoolSetup/PortalNotes.php&modfunc=update HTTP/1.1 Host: localhost:8080...
Relative Path Traversal vulnerability in StaticDir server
Description There is a relative path traversal vulnerability in the serve module of the extra crate. An attacker can simply request a relative path and access files outside of the configured directory root. Proof of Concept With a static folder in the project directory: rs // main.rs use...
Open Redirect
Description An Open Redirect vulnerability enables attacker to redirect the victims/users to malicious websites. The bug exists due to improper fix of https://huntr.dev/bounties/bac0b763-730c-4c4b-8b20-eb4926928cf3/. By using double / it is possible to bypass the check for http at the beggining o...
Cross Site Scripting via Improper Input Validation (Based on CRLF)
Description The parse-url The 6.0.0 version of the parser does not remove \r, \n characters between protocols. This causes spoofing of the javascript protocol itself. Proof of Concept javascript const parseUrl = require"parse-url"; const express = require'express'; const app = express; parsed =...
Stored XSS
Description Stored XSS via domain argument : Proof of Concept run this command ./GoogleDorker.py -d '"' visit created file...
Use of cryptographically weak random number generator for password generation
Description Umbraco has a GeneratePassword function that is used to generate passwords that should be unpredictable, this function uses the .NET Random class which isn't cryptographically secure. Impact This vulnerability is capable of allowing attackers to predict generated passwords and use the...
The microweber application allows large characters to insert in the input field "SKU" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber
Go to add post http://site.com/admin/product/create click on create new product There will a option called SKU Fill the input field with huge characters, more than 1 lakh Copy the below payload and put it in the input fields and click on continue. You will see the application accepts large...
Malicious usage of '+' in protocol can lead to whitelist bypasses
Description Malicious usage of '+' in protocol can lead to whitelist bypasses. Proof of Concept The following PoC shows how if parse-url is used to check the resource of a URL against a whitelist, we can bypass a whitelist check for google.com, and then convince the standard HTTP client in NodeJS...
in microweber/microweber
Description There is no input field length in update username where any user can able to add large number of characters like imagine we can add more 5000+ character on to the update name field . Steps to Reproduce Visit the particular URL Vulnerable-link Where there is a functionality to update o...
Heap-based Buffer Overflow in gpac/gpac
Description Heap-based Buffer Overflow in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1762-g90a145735-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929...
in snipe/snipe-it
Description unprivileged user can get supplier Proof of Concept 1. Create regular user and set DENY to all permissions in asset and supplier models.\ 2. Login as the user and sent bellow request to get supplier await fetch"https://demo.snipeitapp.com/api/v1/suppliers/selectlist?page=1",...
Cross-site Scripting (XSS) - Reflected in effgarces/bookedscheduler
Setup the Booked Scheduler locally.URL like the following. http://192.168.5.5/phpsch/ Attcker 2. Login as valid user. 3. Make an reservation from the dashboard. 4. Open the information you reserved.URL like the following http://192.168.5.5/Web/reservation.php?rn=62020af2eee4d833634703 5. The...
Cross-site Scripting (XSS) - Stored in alanaktion/phproject
Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. Then, the vulnerability can be triggered when the user previews the documentΒ΄s content. Proof of Concept login and navigate task Dependencies This task depends on: This task is a...
Improper Access Control in mautic/mautic
Description I couldn't find a suitable vulnerability type for this kind of issue, so this may be incorrect the default .htaccess file has some restrictions in the access to PHP files. Deny access via HTTP requests to all PHP files. Order deny,allow Deny from all ... Except those whitelisted bello...
in gpac/gpac
Description Null Pointer Dereference in afrtboxread Proof of Concept echo AAAAEW1ldGFzXSAAAABkaXIAAAAAYWZydHRzdnB5dG/oAwBtAGwAAm0= | base64 -d poc gdb output bash pwndbg r -bt poc Starting program: /run/shm/gpac/bin/gcc/MP4Box -bt poc ERROR: Could not find ELF base! Thread debugging using...
Cross-site Scripting (XSS) - Reflected in navigatecms/navigate-cms
Description Cross-Site Scripting is vulnerability which allows attackers to execute arbitrary javascript code in the browser of victim. Proof of Concept Parameter: id Payload: alertdocument.cookie Affected endpoints: On Firefox browser, visit: 1...
in microweber/microweber
Description In the Microweber CMS, there are two endpoints that can be used together to get local file inclusion vulnerability. 1. /api/BackupV2/upload?src=/etc/passwd 2. /api/BackupV2/download?file=passwd When logged in as administrator, we can upload any readable file from the operating system...
Use of a Broken or Risky Cryptographic Algorithm in x360ce/x360ce
Description The password-generation algorithm used in the function NewPassword simply adds bias to the output password instead of making it easier to remember. Proof of Concept - Use the NewPassword function a large amount of times and store the output. - Look at the frequency of each character o...
in x360ce/x360ce
Description x360ce uses the .NET Random and Guid classes to generate random numbers/bytes that are used for sensitive purposes . Proof of Concept None provided. Impact This vulnerability is capable of allowing attackers to predict sensitive information on x360ce's backend see the 'occurances'...
None in gpac/gpac
Description Use After Free in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1647-gb6f68145e-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Stack-based Buffer Overflow in gpac/gpac
Description Stack-based Buffer Overflow in gpac Proof of Concept MP4Box -bt POC3 POC3is here gdb Program received signal SIGABRT, Aborted. 0x0000000000b68d4b in raise LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA...
Cross-site Scripting (XSS) - Stored in cyrisxd/love-lock-card
Description Currenty, adding a "+ to the password, or a DOM element to the title, you can inject scripts into HA. I know that this library is meant to be not-secure by design, as stated in the README, and that if someone can update the Lovelance dashboard he can probably execute JS code in other...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description Stored xss Proof of Concept txt onmouseover="alert1"link Video : https://drive.google.com/file/d/1WzArNdgXgjVOS6qsePRvGWIz6ljtxApx/view?usp=sharing Impact Through this vulnerability, an attacker is capable to execute malicious scripts...
Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq
Description Hi there, another CSRF in clearing search items. Proof of Concept 1. Install a local instance of phpmyfaq. 2. Go to this link /phpmyfaq/admin/?action=truncatesearchterms 3. See that all search terms are deleted. Impact This vulnerability is capable of CSRF...
Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq
Description Hi there phpmyfaq team, I would like to report a Cross site request Forgery in phpmyfaq. It is in publishing question. Cross-site request forgery also known as CSRF is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to...
in livehelperchat/livehelperchat
Description When updating the geolocation detection configuration, we're given the option to specify a file location of a city database file, this can be used to determine if files exist or not. We are not able to see the contents of the file, but we are indeed able to determine if the file exist...
Cross-Site Request Forgery (CSRF) in pheditor/pheditor
Description Hi there, there is a minor CSRF problem in your logout function, this will force the user to logout without their consent. Proof of Concept 1. Install phpeditor on your system 2. Login as admin 3. Go to this link /pheditor/pheditor.php?logout=1 4. See that you are logged out of...
Cross-site Scripting (XSS) - Stored in getgrav/grav-plugin-admin
Description grav-plugin-admin 1.10.25 has a Stored-XSS vulnerability that is executed when metadata information of a file whose name contains javascript are shown. Proof of Concept 1 - After installing grav+admin browse to http://127.0.0.1/admin/pages/home. 2 - Create a file named as follows:...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description coreBOS is vulnerable to Stored Cross-Site Scripting in the Campaign Type - Campaign Status - Expected Response fields. Request POST /index.php HTTP/1.1 Host: demo.corebos.com User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:95.0 Gecko/20100101 Firefox/95.0 Accept:...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description I found one more CSRF at Clean cache in the System tab of System configuration via GET request. Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking admin to clear the cache of the system, that can potential lead to a DoS attack. Remediation Use POST request...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Stored XSS via File upload with format .xml in Product module. When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary JavaScript code that was injected into attachment before. Proof of Concept alertdocument.domain;...
Cross-Site Request Forgery (CSRF) in convos-chat/convos
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' Impact This vulnerability is capable of forging users to unintentional logout. More Detail One way GET could be abused here is that a person competito...
Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki
Description DokuWiki is vulnerable to CSRF in enabling / disabling plugin due to missing CSRF token sectok Proof of Concept If a logged-in admin user visits an attacker's website with the following HTML code the LDAP plugin, for example, will be disabled Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Stored XSS via upload File with format .svg when creating Document. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept PoC.svg var...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description It's possible to inject the script on the field: First Name Which is permanently stored. It'll trigger each time refreshing or copying to the new tab. Proof of Concept POST /index.php HTTP/2 Host: demo.corebos.com Cookie: democoreboscom=2fadf4643e2c92731a5bea4397b2d08b;...
Cross-Site Request Forgery (CSRF) in zmister2016/mrdoc
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
in tsolucio/corebos
Description There's no bound limit to the number of characters/special characters in "Add Module - Window Title" Add window -- Modules. javascript:chooseType'Module';fnRemoveWindow;setFilterdocument.getElementById'selmoduleid' Steps to reproduce Step 1. Goto -...