4072 matches found
Cross-site scripting - Reflected XSS caused by error logs in neorazorx/facturascripts
Description There are two fields that can insert the XSS payload by the error log. 1. http://127.0.0.1/facturascripts/EditBalance, the codbalance field 2. http://127.0.0.1/facturascripts/EditSettings, the tipoidfiscal field in Fiscal Id Both fields require 1 and 25 numbers or letters, no spaces,...
Bypass Restriction and File Upload Leads to XSS Stored - TXT to HTML
Description Unrestricted file upload allowed the attacker to manipulate the request and bypass the protection of HTML files using a text file, XSS Stored was obtained when uploading the HTML file. Proof of Concept POST /admin/resources/upload HTTP/1.1 Host: demo-publify.herokuapp.com Cookie:...
The trudesk application allows large characters to insert in the input field "Full Name" on the signup field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
POC: 1. go to signup form: http://127.0.0.1:8118/signup 2. Fill the Full Name input field with huge charactersmore than lakhs or crores 3. After created the account, check the admin panel: http://127.0.0.1:8118/accounts, go to Accounts -- customers 4. The admin panel will be flooded with our...
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729
Description NULL Pointer Dereference in function vimregexecstring at regexp.c:2729 allows attackers to cause a denial of service application crash via a crafted input. POC ./vim -u NONE -X -Z -e -s -S ./pocn.dat -c :qa! Segmentation fault pocn.dat GDB ─── Output/messages...
Dom xss leads to account takeover
Description The endpoint of login allows Javascript payload to execute which leads to XSS pop-up Proof of Concept Send this link to admin http://127.0.0.1:2222/login/?redirect=javascript:alertdocument.cookie When he will open it and try to login XSS will popup. Image POC...
Stored XSS due to no sanitization in the filename
Description The organizr application doesn't sanitize malicious javascript payload which leads to stored XSS and can also perform to the takeover admin account. Proof of Concept 1.Login with Co-admin account and go to "Settings" - "Image Manager" and upload any small size jpeg image and intercept...
Heap Buffer Overflow in parseDragons
Description heap buffer overflow in parseDragons function. ASAN report: ================================================================= ==2541037==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065578 at pc 0x7f45488bde0d bp 0x7ffc08551b50 sp 0x7ffc085512f8 READ of size 4 at...
Obscure Email Vulnerability allow anyone to signup with target email id without proper verification and Allowing malicious domain on username input field leads to business logic error by victim response fetching via email and force a user to download any file hacker want on behalf of [email protected].
Description This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so [email protected] is the same as [email protected] is the same as [email protected]. with this vulnerability attacker ca...
Stored XSS via File Upload
Description \ Stored XSS via uploading file in .md format. Proof of Concept filename="poc.md" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the poc.md...
Accounting User Can Download Patient Reports in openemr
Vulnerability Type Insecure Direct Object Reference Affected URL https://localhost/openemr/interface/patientfile/report/customreport.php Affected Parameters “Issue7” Authentication Required? Yes Issue Summary Non-privilege users accounting & front-office can download patient reports containing...
Heap-based Buffer Overflow in vim/vim
Description Heap-buffer-overflow on write in vim This issue was created to separate this one and was fixed with Patch 8.2.4218. Proof of Concept Steps to reproduce: echo -n bm9ybTBRgFBTMP8wMDCysDAwMDAwMDAwMDAwMDAw/zD/g7IwMDAwMDAwMDAwjjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAD | base64 -d heapowpoc2 vim ...
Improper Authorization in janeczku/calibre-web
Description With default settings, low-level users will not have permission to edit the sort order of books in private shelf of another user. However, due to incorrect checking, the application does not work as intended. Proof of Concept - Step 1: Login with admin account and go to...
Improper Authorization in saleor/saleor
Title GraphQL traversal due to missing permission checks Description orders and customers fields allow to access each other via nodes edges. However, connections don't check user's permissions, which allows, for instance, a staff with just Customers permissions get full information about the orde...
Code Injection in microweber/microweber
Description HTML Injection is a vulnerability in which the attacker can inject malicious html content in the webpage. Proof of Concept 1 Admin has enabled Comments module, so that people can comment on a blog post. 2 Attacker post the following comment: SOMETHING+SOMETHING Now, observe the change...
in netristv/ws-scrcpy
Description read file From server Proof of Concept GET /../../../../../../../../../../../../etc/passwd HTTP/1.1 Host: xxxx Impact test on ws-scrcpy-0.7,this is The latest version...
None in vim/vim
✍️ Description When fuzzing vim commit 021ef351c works with latest build and latest commit 04b7b4b per this time of this report v8.2.3728, I discovered a use after free. This crash triggered with only clang 10 and ASan. And I'm testing with clang 13 it doesn't crash so I assume this crash doesn't...
Heap-based Buffer Overflow in vim/vim
✍️ Description When fuzzing vim commit 3c19b5050 works with latest build and latest commit 65259b5c6 per this time of this report v8.2.3635 with clang 12 and ASan, I discovered a heap buffer overflow. Proof of Concept Here is the poc download link bash...
in dompdf/dompdf
Description The Scenario 3 you described in this report https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/ actually opens up the ability to bypass chroot checks. Proof of Concept 1: Make sure you install Dompdf from GitHub https://github.com/dompdf/dompdf/ and include the following...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in openfun/openedx-docker
Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/10vEIf77qf1ejR14lL5GZCMn9bZmmbIBd/view?usp=sharing Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP...
Sensitive Cookie Without 'HttpOnly' Flag in azuracast/azuracast
✍️ Description HTTPOnly attribute is not set for session cookies in the application. 🕵️♂️ Proof of Concept 💥 Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session cookies that can...
XSS in Upload file PDF in pimcore/pimcore
Description pimcore is vulnerable to XSS at Filedata field in Document Upload Payload Payload File: https://drive.google.com/file/d/1tDcOcuzyJrFnT7RH-VmVq6XwXC1yh-AF/view?usp=sharing URL URL: https://11.x-dev.pimcore.fun/admin/asset/add-asset?parentId=379&dir=&allowOverwrite=0 Proof of Concept St...
Insecure Business Logic - Client Side Enforcement Bypass on User Account Deletion
Description The application enforces account deletion on the client-side with a popup that states the admin account cannot be deleted. Additionally, regular users do not have an option in the interface to delete their own account. An administrative and regular-privileged user are able to bypass...
Captcha Bypass on login
Description So if we login incorrectly multiple times, we get captcha. Each captcha has "captchaid" and solve "captchacode" For example: "captchacode":"8awt" "captchaid":"7nToXDrT6SkJ2BJxKG1u" You can use same captcha code and captcha id in login without any problem Captcha is generated with -...
No Protection Against Bruteforce Attacks on Login Page in
Description Modoboa does not restrict or limit unsuccessful login attempts allowing an attacker to brute force the password of a known user Proof of Concept Steps to Reproduce: Capture login request with BurpSuite Send to Intruder Replay the login request with a different password value utilizing...
stored Blind XSS in Admin Panel through FAQ-Proposal leads to Admin Full Account Takeover
Hello. Vulnerability: Blind XSS in Admin Panel while generating Report 1. Without beeing logged in the Application 2. Go to FAQ-Proposal - put an XSS Payload like alert'1' in the question Field 4. Send the Proposal ------ 4. Admin will login 5. The Proposal will pop up in the Category you specifi...
Heap-based Buffer Overflow in function ml_append_int
Description Heap-based Buffer Overflow in function mlappendint at memline.c:2951 vim version git log commit 043d7b2c84cda275354aa023b5769660ea70a168 HEAD - master, tag: v9.0.1182, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbo02s.dat -c :qa!...
Out-of-bounds Write in function do_string_sub
Out-of-bounds Write in function dostringsub at eval.c:7338 vim version git log commit ea720aea851e645f4c8ec3b20afb27c7ca38184c HEAD - master, tag: v9.0.1137, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochow01s.dat -c :qa!...
Reset API any user via IDOR
Description Reset API any user without taking action from him via IDOR Proof of Concept 1- Create a user 2- Go to setting 3- Open Burp Suite to object to the requisition 4- Click on it Reset API 5- This is the body request "id":101,"resetOpenId":true 6- When changing the "id", for example "102",...
XSS Stored in Email
Description It was discovered that it is possible to inject a malicious payload into the email address field, resulting in a stored XSS vulnerability. Proof of Concept 1. Access to emails parameters /scp/emails.php 2. create an account with the following email address Payload...
Cross Site Request Forgery in profile's "SSH Keys" leads to unauthorized access to the system
Description While adding SSH public keys to the profile, the server accepts the GET request which results in adding an SSH public key to the profile and leads to unauthorised access to the system and backups. Proof of Concept Open the below url after logging in to the demo site.SSH Public key wil...
Buffer Over-read in function utf_head_off
Description Buffer Over-read in function utfheadoff at vim/src/mbyte.c:3872 vim version git log commit 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 grafted, HEAD - master, tag: v9.0.0213, origin/master, origin/HEAD Proof of Concept ./vim/src/vim -u NONE -X -Z -e -s -S poc3hbo.dat -c :qa!...
Bypassing SVG content cleaning lead to Stored XSS
Description the application is accepting SVG files as an image and applies a sanitize on the SVG content to avoid XSS attacks using the following snippet of code php else if $ext === 'svg' if isfile$filePath $sanitizer = new \enshrined\svgSanitize\Sanitizer; // Load the dirty svg $dirtySVG =...
Heap-based buffer overflow in function ins_bs
Description Heap-based buffer overflow in function insbs at edit.c:4187 Version commit 8eba2bd291b347e3008aa9e565652d51ad638cfa HEAD, tag: v8.2.5151 Proof of Concept guest@elk:/trung/vim2/src$ valgrind ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/guest/trung/poc/poc24 -c :qa! ==5251== Memchec...
Heap-based Buffer Overflow in function get_lisp_indent
Description Heap-based Buffer Overflow in function getlispindent at indent.c:1994 vim version git log commit 83497f875881973df772cc4cc593766345df6c4a HEAD - master, tag: v8.2.5105, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pochbo2s.dat -...
Weak Password Policy
Description I would like to let you know about the password management issue. Proof of Concept 1- Go to your Profile or https://docker.trudesk.io/profile 2- Give a password as simple as 12345678. You can see you will be password has been changed and there is no strong enforcement...
Path Traversal in WellKnownServlet
Description The WellKnownServlet is vulnerable to path traversal. This allows reading local files. For example the files in WEB-INF that contain secrets and API keys can be read. https://github.com/jgraph/drawio/blob/v18.0.4/src/main/java/com/mxgraph/online/WellKnownServlet.javaL40-L66 java Strin...
SSRF in editor's proxy via IPv6 link-local address
Description The proxy server does not check for link-local IPv6 addresses In https://github.com/jgraph/drawio/blob/dev/src/main/java/com/mxgraph/online/ProxyServlet.javaL255L257, it checks for local IP addresses. It is missing the link-local IPv6 address check -...
Unrestricted File Upload and Path Traversal in upload image
Description The uploadImage function in accountsController take file path and extension from users . An attacker can change the path and extension to upload dangerous file to anywhere in server. Proof of Concept 1. Login 2. Upload profile image 3. Capture request, modify username and filename POS...
Out-of-bounds Read in mrb_obj_is_kind_of in
Out-of-bounds Read in mrbobjiskindof in mruby/mruby Affected commit 791635a8d1ad9aad98aae0a36a91e092e4d71944 Proof of Concept ruby= Math.initialize do $4 prepend dup 4.instanceexec|| super end Below is the output from mruby ASAN build: bash= AddressSanitizer:DEADLYSIGNAL...
Sensitive Data Exposure Due To Insecure Storage Of Profile Image
Description When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of trudesk users like their Geolocation, their Device information like Device Name, Version, Software & Software version used,...
Able to create an account with long password leads to memory corruption / Integer Overflow
I have found that there is a way to create an account with the length of more than 10k or 100k characters where it may leads to Integer overflow and the backend memory can't handle this issue Steps to Reproduce: Now we can create a simple account While creating an account , In the password field ...
Heap-based Buffer Overflow occurs in vim
Description Heap-based Buffer Overflow occurs in suggesttrychange. commit : d0b7bfa95798f5ec743d8afffbffb83aeac823da Proof of Concept $ echo -ne "c2UgZW5jb2Rpbmc9aXNvODg1OQpub3JtMFIwMDAwMDAwMDAwMApzaWwwbm9ybRYwCmZ1IFIoKQpz aWwhbm9ybRZpMDAwMDApCmNhbCBSKCkKbm9ybTF6PQplbmRmCmNhbCBSKCk=" | base64 -d...
Authorization Bypass Through User-Controlled Key
Description Hello go restful maintainer team, I would like to report a security concerning your CORS Filter feature. Go restful allows user to specify a CORS Filter with a configurable AllowedDomains param - which is an array of domains allowed in CORS policy. However, although there's is already...
Cross-site Scripting (XSS) - Reflected in orchardcms/orchardcore
Description Reflected XSS is found under DesignShortcodeNew Shortcode Proof of Concept POC Video https://drive.google.com/file/d/1yFfa7g8MMUvJrrKTpJXZEHhQLRSZ1Cii/view?usp=sharing Impact Through this vulnerability, an attacker is capable to execute malicious scripts...
Path Traversal in gruntjs/grunt
Description Grunt is a JavaScript task runner, a tool used to automatically perform frequent tasks such as minification, compilation, unit testing, and linting. In GruntJS, file.copy operations in GruntJS are not protected against symlink traversal for both source and destination directories...
Cross-site Scripting (XSS) - Generic in bigbluebutton/bigbluebutton
Description Shared notes panel is vulnerable to XSS when rendering a new note, due to missing username sanitization. Proof of Concept 1. 1.Start a new web conference and share the link with other people 2. 2.A malicious user joins the conference with the following username: 3. 3.As soon as the...
Heap-based Buffer Overflow in vim/vim
Description Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Versio...
None in vim/vim
Description Greetings, A Use After Free issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Version :...
in chatwoot/chatwoot
Description chatwoot failed to validate the original email when a user changing his/her email address in Profile Setting, An attacker may use the mechanism to forge arbitrary email(especially in trusted domain) Proof of Concept my original email is:[email protected], and I had confirmed it b...
Heap-based Buffer Overflow in vim/vim
Description Whilst testing vim built from commit be01090 with Clang 12 + ASan on Ubuntu 18.04, we discovered crafted input which triggers a bug in how vim draws information on the screen, causing a heap-buffer-overflow, WRITE of size 5 to occur. Proof of Concept The disclosed POC is trimmed down ...