4072 matches found
CSRF Lost cart availability to all customer
Description The absence of input validation in the update cart form Qty feature causes the feature to become an error / blank by simply changing the number to a string. In order to occur in all users the role of CSRF is required so that Severity user interaction is required. So you could say thes...
SMTP server credentials are returned
Description The vulnerability discovered in the Calibre-Web application is a security flaw in the management of email configurations that allows the SMTP server credentials to be viewed by an account with editing permission. This could allow a malicious user with access to the administrative...
Reflected XSS in Path Traversal detector
Description Azuracast has a feature that block all Path Traversal tentative good job implementing it. But when azuracast block an attack reflect the path without sanitize the output PathTraversalDetected.php. It is possibile to do attack like Reflected XSS or HTML injection. Step to reproduce 1. ...
XSS Stored in Caption Image
Description Hello team, I found an xss stored in the caption field as demonstrated in the gif below. Proof of Concept...
XSS Stored in perspective name
Description Hello team, I found an xss stored when adding a perspective name as shown in the gif below Proof of Concept...
Path Traversal in code
Description The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' doubled triple dot slash sequences that can resolve to a location that is outside of that directory. Proof of Concept Code that has the...
Simple graph bed system has deserialization vulnerability and weak type comparison vulnerability
Description Simple graph bed has deserialization vulnerability and weak type comparison vulnerability Proof of Concept As you can see on line 129 below, there is a deserialization point and it is cookie passed The user controlled auth complex value in the cookie is given to the browsercookie...
CSS injection using component islands and useHead
Description After a component island render, the resulting head is regex'd for tags. This regex is not very robust and can be tricked, allowing for CSS injection. Proof of Concept app.vue vue Nuxt 3 Playground const title = ref nuxt.config.ts ts export default defineNuxtConfig experimental:...
XSS via markdown syntax
Description Hi,Maintainer,thanks for reading.I am glad to report a secure problem to you. I found that your forum allows users to use markdown syntax to post articles and comments, but there is no corresponding protection means, which is unsafe. Any user can post dangerous content, like the...
XSS in Workflow Comment
Description XSS Vulnerability in Workflow Comment that user can insert javascript payload in comment Proof of Concept 1. navigate to dashboard and workflow settings 2. open the commend in side-bar and insert like this payload test POC:...
Filepath of page components of deploying system leaks in source code
Description When building your Nuxt application, the source file path of all page components is written in the entry.js file and is thus human readable to everyone. This could lead to unwanted side effects, as in revealing the structure of the system which was used to build the application or...
Authenticated SQL Injection in OpenSIS Classic v9.0 and earlier
Description SQL injection in OpenSIS Classic v9.0 and earlier allows remote authenticated attackers to execute SQL code via the id parameter in MassScheduleModal.php leading to full database information disclosure. Version At the time of reporting, the most up-to-date version of the master branch...
Stored XSS in kiwiTCMS
Description Stored XSS, also known as persistent XSS, is the more damaging of the XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform a Stored XSS. The problem is that the upload function permit...
Stored cross site scripting
Hi Team, I have found a stored cross-site scripting vulnerability in the Create event section. Description What is stored cross site scripting attack? Stored XSS, occurs when user supplied input is stored and then rendered within a web page. Typical entry points for stored XSS are: message forums...
Stored Cross-Site Scripting (XSS)
Description There is insufficient input validation in the pop-up notifications. Proof of Concept Steps to reproduce: 1. Log in to an admin account 2. Click on Services - Services Templates 3. Create a new Service Template with the Name alertdocument.location 4. The XSS is triggered when the...
Use After Free in function qf_get_curlist
Description Use After Free in function qfgetcurlist at quickfix.c:1932 . vim version git log commit bf72e0c67f26ea7c8fd941fdd1533c24c7b6cb43 grafted, HEAD - master, tag: v9.0.0792, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc14huaf.dat...
Denial of Service in proxy by redirecting to own host
Description It is possible to partially interrupt the proxy in the backend by redirecting to the same URL again. Proof of Concept On a server or API mocking website implement a rule that will redirect all requests to the following URL: https://diagrams.net/proxy?url=https://attacker.com...
2 FA bypass
Description An attacker is able to bypass 2FA due to a logic flaw on the application Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/general 2 Your account is set to [email protected] as primary email 3 Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa and click on "Enable 2FA" 4 A...
XSS on external links
Description This vulnerability allow for an administrator to create an evil external link. Proof of Concept As an admin user - Go to http://172.16.128.131/front/link.form.php?id=1 - Create an external link and put has value for the link javascript:alert1 - Assign this link to budgets example As a...
User can read any series without permission
Description A normal user can access any series without permission if they have access to at least one library. Version Tested on latest release 0.5.6.0 and on docker image 'kizaing/kavita:latest', with image pulled on September 17, 12:30 UTC Digest:...
Login bruteforce
Description According to the fix of the previous report, the login page has a rate limit mechanism to block the user’s IP when many attempts are made. The endpoint, for example, /v2/console/status only returns the content when who made the request has the correct rights. However, this request is...
Insufficient Session Expiration
Description The Nakama Console session is not invalidated when the user is deleted. Proof of Concept Steps to reproduce: 1. Log in to the Nakama Console as admin and create a user [email protected] 2. In a separate browser or private window log in to the account [email protected] 3. In the admin session,...
Send message to blocked user
Description In this case if a userA block userB. UserB is still able to send private message to user A Proof of Concept 1.USerA block userB 2.UserB send direct request to message endpoint with userA''s userID Poc POST https://bookwyrm.social/post/direct Host: bookwyrm.social User-Agent: Mozilla/5...
Idor when creating group
Description Insecure direct object references when creating a list allows one user to create a new list on behalf of another. Proof of Concept POST /user/[email protected]/groups HTTP/2 Host: bookwyrm.social Cookie: csrftoken=; djangolanguage=None; sessionid= User-Agent: Mozilla/5.0 Windows N...
CSRF vulnerability exists in modifying user information (including password)
Description Csrf vulnerability in user information modification page Proof of Concept In \app\home\c\UserController $re = M'member'-update'id'=$this-member'id',$w; $member = M'member'-find'id'=$this-member'id'; unset$member'pass'; $SESSION'member' = arraymerge$SESSION'member',$member;...
Path traversal in unjs/storage leads to code injection due to unsanitzed code generation
Path Traversal A path traversal vulnerability exists within unjs/unstorage when using the file system storage driver. This vulnerability can be exploited when the user has control over the key name. By creating key names containing sequences of ../ or ..: we can navigate the file system. We are...
Unauthenticated Cross Site Scripting - Reflected
Description Please enter a description of the vulnerability. Proof of Concept XSS POC: Local Host : http://192.168.0.109:81/?PagePrincipale/rss&id=1%27%3Cscript%3Ealert1122%3C/script%3E Vendor Domain: https://yeswiki.net/?AccueiL/rss&id=1%27%3Cscript%3Ealert1122%3C/script%3E Attached POC Images:...
Cross site script
Description In this case a patient is able to execute js scripts in admin's session. further exploitation could lead to admin account takeover Steps to Repro:- 1. Login here https://demo.openemr.io/openemr/portal 2. Goto my documents and create new insurance form 3. Add this payload to any select...
Insecure direct object references in "review" function
Description Insecure direct object references in review a book function allows one user to create a comment on behalf of another. Proof of Concept POST /post/review HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=bYsdqkQkkbYXZYRVd8AynhYxG1rBb2AoOfAO76XCYmgzXK3A266EpZamGcKL0pN5;...
LFI / Path Traversal allows attacker to read any file in the working directory
Description The file upload functionality allows a user to attach a file to a paste. When an attacker views the attached file he can alter the path e.g. via burpsuit and read any file in the working directory via the relative path. This also accounts for private pastes. The attacker needs...
Insecure redirect when submit invalid form
Description When submit invalid form, the server will redirect to url which obtain via Referrer header. Proof of Concept POST /create-shelf HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=ZpIuGbCcxOyhta5bki4N46N7vknEAcpaG3881kcMAfWKBEYKEiLEeSc3Sr4lUTVa; djangolanguage=en-us;...
Insecure direct object references in `create-shelf` function
Description Insecure direct object references in create-shelf function allows one user to create a shelf on behalf of another. Proof of Concept POST /create-shelf HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=ZpIuGbCcxOyhta5bki4N46N7vknEAcpaG3881kcMAfWKBEYKEiLEeSc3Sr4lUTVa;...
Cross-Site Request Forgery (CSRF)
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit;...
Allows large characters in password filling
Description The commafeedapplication allows large characters to insert in the input field "password" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Register a new account. 2. Fill a normal email, fill the "Password" and "Password agian"...
Improper Link Input Validation leads to Cross-site Scripting (XSS)
Description The link input validation is not filtered protocol javascript of href attribute. It allows attackers to inject malicious links to many fields of the website, such as author introduction, user summary, and book description, ... which could execute javascript code XSS. Proof of Concept...
UI Redressing
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept 1. Go to this URL:...
Cross Site Scripting via Improper Input Validation
Description The parse-url The 5.0.8 version of the parser does not check :// character between protocols. This causes spoofing of the javascript protocol itself. Additionally, protocol spoofing does not occur in url-parse, new URL, and url.parse other than parse-url. Proof of Concept const parseU...
Stored XSS in Part Parameter
Description The application inventree is vulnerable to Stored XSS in part parameter field. Proof of Concept Video PoC link: https://drive.google.com/file/d/19MiGIB3Q1VzdmMBttCKiEtFKR34z-2/view?usp=sharing...
heap-buffer-overflow in dex_parse
Description There exists a heap based out of bounds read vulnerability in dexparse c setinteger yrle16tohmapitem-type, dex-object, "maplist.mapitem%i.type", i; Reproduction Build the fuzz target with address sanitizer enabled + optional libfuzzer and run the test case from here $ git rev-parse HE...
IDOR in Messages function
Description An user can view other users' private messages, join the conversation, delete messages if they know messages uuid Proof of Concept 1. A send B a priavte messages/email 2. C can view messages, join the conversation, delete messages if C know messages uuid...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept Go to this URL:...
Path Traversal via Files Manager
Description Please enter a description of the vulnerability. Steps to reproduce 1.Login to admin panel and go to Modules - Files http://localhost/microweber/admin/view:modules/loadmodule:files 2.Click any file, the url will have the following format:...
classic overflow on the stack, with the ability to intercept control.
Description if arguments longer than 1024 were passed to program iusql, we get a classic stack overflow. Proof of Concept I removed the docking check to reduce POC, this check did not show overflow protection git clone https://github.com/lurcher/unixODBC.git 123 sed -i 's/^.if .phEnv, phDbc !=...
Server side request forgery lead to denial of service
Description In this case if a attacker try to load a huge file then server will try to load the file and eventually server use its all memory which will dos the server Proof of Concept 1.Goto...
Cross Site Request Forgery in acknowledging Toast
Description Hi there linkding maintainers, I would like to report a Cross site request forgery in acknowledging toast. This is due to the use of GET method. Proof of Concept 1. Install a local instance of linkding 2. Create admin user admin 3. Log in as admin and create a new toast 4. Go back to...
Stored Cross Site Scripting on "Add user" field
Steps to reproduce: 1. Go to settings-- Access controls -- Add user 2. Payload = """ 3. Add XSS payload as username and create a new user 4. After creating the user, click on delete button and the XSS will be triggered POC Screenshot:...
Insufficient Session Expiration
Description If the admin changes the password of a user and if the user already login so application failed to invalidate the session after changing the password as a result changing the password doesn't destroy the other sessions which are logged in with old passwords. Proof of Concept 1.Login...
Cross site scripting
Description 1. Login as teacher 2.Create a new assignment at https://www.rosariosis.org/demonstration/Modules.php?modname=Grades/Assignments.php&assignmenttypeid=3&assignmentid=new 3. Add this payload in discription 4. Save this assigment 5. You will see a prompt...
Improper Access Control
Description The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Proof of Concept Unauthorized actors can access critical pages directly. - InstallDatabase.php - diagnostic.php...
Improper File Deletion
Description A student uploaded a file when submitting an assignment. Then, if a teacher deletes that assignment, the attachment is still remained on the server and if anyone has the link to that file, he can access to it to view or download it. Steps to reproduce Login to the demo environment by...