4072 matches found
Improper Authorization in publify/publify
Description I found an IDOR in publify But I don't know this is intended or not ? If we assume that admins or publishers want to upload a media file and don't want to publish it and keep it private until the publish date there is a IDOR vulnerability here. for example I upload a .gif file and thi...
in bookstackapp/bookstack
Description Bookstack does not use secure Cache-Control headers. Proof of Concept 1: Login to application 2: View a shelf 3: Logout 4: Press the back button of the opened tab to still see that you can view the information about books previous page of your shelf. Impact This issue is capable of...
Cross-Site Request Forgery (CSRF) in pkp/pkp-lib
Description Higher severity CSRF in PKP-LIB plugins ImportExport is vulnerable to CSRF in terms of file uploads and file imports, an attacker can import arbitrary users into the platform, 1: POST /index.php/e/management/importexport/plugin/UserImportExportPlugin/uploadImportXML 2: GET...
Improper Access Control in cortezaproject/corteza-server
Hi, Old unused Password reset tokens are not getting expired after using the new one. Suppose I am an attacker and I got access to the recovery email option of victim account. I logged in to victim recovery email suppose that is [email protected]. Then I used the forget password option. I will get o...
in cortezaproject/corteza-server
Description --------------- There is no rate limit sent unlimited email victim or any email address Proof of Concept ---------------------- There is no rate limit return-password , attacker to send unlimited email to victim or any email address. POST /auth/request-password-reset HTTP/1.1 Host:...
in livehelperchat/livehelperchat
Description Sensitive data on the application can be exposed after the user logout Proof of Concept 1 Login to the application demo.livehelperchat.com/siteadmin/ 2 Go to page like My Account , or Any other page 3 Click logout 4 Click browser back button Impact When a user logs out without closing...
in collectiveaccess/pawtucket2
Description With ref to this report: https://www.huntr.dev/bounties/9708c444-2cf2-4aed-8188-1dc7def05ba1/, should replicate over proper cache-control Proof of Concept Example of sensitive 1 Login to application dashboard 2 Go to lightbox page 3 Click logout. 4 Click go back button to see group...
in firefly-iii/firefly-iii
Description There is no rate limit sent unlimited email victim or any email address Proof of Concept There is no rate limit return-password , attacker to send unlimited email to victim or any email address. POST /password/email HTTP/2 Host: demo.firefly-iii.org Cookie:...
Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Description: Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept // PoC.js POC --...
in fisharebest/webtrees
Description There is not rate limit protection , Rate limit bypass sent unlimited email victim or any email address. Proof of Concept There is no rate limit password-request , attacker to send unlimited email to victim or any email address. POST...
in zikula/core
Description Sensitive data on the application can be exposed after the user logs Proof of Concept // PoC 1 Login to the application 2 Goto page like My Account 3 Click logout 4 Click browser back button Impact When a user logs out without closing the browser someone can view the information insid...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in filegator/filegator
Description Secure flag is not implemented on the application Proof of Concept https://ibb.co/nLTbftm Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies...
in amirsanni/mini-inventory-and-sales-management-system
Description It is possible to enumerate registered emails using forgot password functionality as application is showing the different response when email exists and does not exists Proof of Concept Impact The product behaves differently or sends different responses under different circumstances i...
Cross-Site Request Forgery (CSRF) in collectiveaccess/providence
Description I have found more endpoints which allow edit/duplicate were not protected from CSRF, the following endpoints are: 1: Edit Global Value in Pawtucket. 2: Change object type. 3: Duplicate object. 4: Duplicate items in the set and add to another set. Proof of Concept Via GET requests: 1...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF allows enable/disable bots CSRF allows flush chatbox Proof of Concept After logging in to unit3d.site, Access this link: https://unit3d.site/dashboard/chat/bots/2/disable, https://unit3d.site/dashboard/chat/bots/2/enable See that the chat bot is disabled/enabled correspondingly...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Stored XSS in Subject in To Dos Proof of Concept // PoC Request POST /corebos/index.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101 Firefox/93.0 Accept:...
Inefficient Regular Expression Complexity in alvations/sacremoses
✍️ Description The sacremoses package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide a crafted text as input to the hasnumericonly function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex...
Cross-site Scripting (XSS) - Stored in zikula/core
Description Stored XSS in Blocks Module when Create new block with Block type ZikulaBlocksModule/Xslt Proof of Concept POST /blocks/admin/block/edit/8 HTTP/2 Host: demo.ziku.la Cookie: zsid=5idn7q9udrp7mgirikmdlep45d User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101...
Cross-site Scripting (XSS) - Stored in zikula-modules/mediamodule
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept // PoC.js Steps to reproduce : 1 -- Go to link -- https://demo.ziku.la/media/media/create/paste/url 2 -- Inject Payload in...
in zoujingli/thinkadmin
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept: please Note that this leads also to a verbose error that shows credentials of the owner . Ex : Link --...
in khodakhah/nodcms
Description Violation of secure design principles Proof of Concept step 1: click on login page and login into account. step 2: we can see dashboard and further options inside the application step 3: logout from application step 4: directly visit the url: https://demo.nodcms.com/admin/ step 5:...
Sensitive Cookie Without 'HttpOnly' Flag in babybuddy/babybuddy
Description HttpOnly flag not mentioned Proof of Concept step to reproduce below show request GET /login/?next=/google.com HTTP/1.1 Host: demo.baby-buddy.net User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:92.0 Gecko/20100101 Firefox/92.0 Accept:...
in babybuddy/babybuddy
Description Violation of secure design principles Proof of Concept step 1: login to account and logout step 2: click back button in browser step 3:check rightt corner of there we can see user profile option step 4: click on that application settings is getting listed PoC image attached as link...
in babybuddy/babybuddy
Description Weak password implementation Proof of Concept step 1: login into account step 2: goto settings http://demo.baby-buddy.net/user/password/ step 3: change password admin to 12 and save changes step 4: we can see updated message application is allowing to set weak password. poc of image i...
Cross-site Scripting (XSS) - Stored in mineweb/minewebcms
Description A malicious actor is able to add new Notification with a malicious payload, and upon the user receives the notification, the malicious payload is being executed. Proof of Concept - 1; Log in with any user, who is able to submit notifications - 2; Create a new notification at...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in babybuddy/babybuddy
Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/1zWCQRRZl42kEbqrs0QS4hXyUdjnBRf/view Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The...
Path Traversal in pheditor/pheditor
Description A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash ../” sequences and its variations or by using absolute file paths, it may be...
Cross-site Scripting (XSS) - Reflected in area17/twill
Description The Application is vulnerable to reflected cross-site scripting attack. URL: /contact/offices/ Parameter: offset Proof of Concept Open the following URL in the browser for POC...
Cross-Site Request Forgery (CSRF) in e107inc/e107
✍️ Description Attacker or malicious user is able to change search setting if a logged in user visits attacker website. because lack of CSRF token 🕵️♂️ Proof of Concept 1.when you logged in open this POC.html in a browser 2.you can check unintentionally some settings changed //POC.html...
Cross-Site Request Forgery (CSRF) in glpi-project/glpi
✍️ Description Hello dear glpi team I found one more CSRF vulnerability in following directory: Home/Setup/General/performance 🕵️♂️ Proof of Concept 1.fisrt user already should be logged in In Firefox or safari. 2.Open the PoC.html and click on submit button Also it can be auto-submit 3.Here...
Improper Access Control in alanaktion/mchostpanel
✍️ Description The php file install.php creates an admin account using POST parameter user, pass, dir, ram, port without any access control enforced nor check if the admin account has been created nor check if the file .installed exists before account creation. It is possible for any network user...
Improper Privilege Management in microweber/microweber
✍️ Description A simple user without Super Admin access is able to add further users to the system. 🕵️♂️ Proof of Concept BurpSuite or proxy utility is required - 1;Simply add a simple User roled user USER A . - 2; Log in with USER A - 3; Obtain the X-Csrf-Token and the Cookie value of USER A - 4;...
Open Redirect in wwbn/avideo
✍️ Description There is an open redirect vulnerability in the following URL: https://demo.avideo.com/signUp?redirectUri=https://google.com/ 🕵️♂️ Proof of Concept text Step to reproduce 1. open above URL 2. signup in the application 3. you redirect to google.com 💥 Impact That causes a redirection...
Cross-Site Request Forgery (CSRF) in forkcms/forkcms
✍️ Description Attacker is able to logout a user if a logged in user visits attacker website. 🕵️♂️ Proof of Concept 1.when you logged in open this POC.html in a browser 2.you can check unintentionally you logged out //POC.html history.pushState'', '', '/' document.forms0.submit; 💥 Impact This...
Cross-Site Request Forgery (CSRF) in imran300/inventory
✍️ Description You didn't set any CSRF protection for deleting a user. 🕵️♂️ Proof of Concept // PoC.html history.pushState'', '', '/' document.forms0.submit; After that admin open the PoC.html file the user with id 7 will be deleted. 💥 Impact This vulnerability is capable of delete any user with...
Cross-Site Request Forgery (CSRF) in imran300/inventory
✍️ Description You didn't set any CSRF protection for activating a user. 🕵️♂️ Proof of Concept // PoC.html history.pushState'', '', '/' document.forms0.submit; After that admin open the PoC.html file the user with id 7 will be activated. 💥 Impact This vulnerability is capable of activate any user...
Forced Browsing in slackero/phpwcms
✍️ Description A malicious actor is able to reveal the list and details of newsletter subscribers. 🕵️♂️ Proof of Concept - Method 1; This method requires a proxy utility, like BurpSuite. - With an administrator user, create some subscribers on the newsletters under CommunicationNewsletter...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
✍️ Description pimcore is a Open Source Data & Experience Management Platform PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce this package is vulnerable for Stored XSS thru SEO menu 🕵️♂️ Proof of Concept 💥 Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
✍️ Description pimcore is a Open Source Data & Experience Management Platform PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce this package is vulnerable for Stored XSS thru adding customer 🕵️♂️ Proof of Concept 💥 Impact This vulnerability is capable of XSS...
Cross-site Scripting (XSS) - Stored in yogeshojha/rengine
✍️ Description When a XSS payload is used as the name of a gf pattern, it executes. 🕵️♂️ Proof of Concept 1. Name a file .json 2. Import the file as a gf pattern at https://127.0.0.1/scanEngine/toolsettings 3. Click on the uploaded gf pattern. 💥 Impact The impact is same as any other Stored XSS...
SQL Injection in opensourcepos/opensourcepos
✍️ Description The Application is vulnerable to blind SQL Injection 🕵️♂️ Proof of Concept URL: https://dev.opensourcepos.org/giftcards/search?sort=1 Vulnerable Parameter: sort SQLMap POC --- Parameter: sort GET Type: boolean-based blind Title: Boolean-based blind - Parameter replace original value...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description Attacker able to disable any widget with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF attacks...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description Attacker able to delete any reaction with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF attack...
Cross-site Scripting (XSS) - Stored in namelessmc/nameless
✍️ Description stored xss via forum 🕵️♂️ Proof of Concept 1. First goto http://localhost/nameless/index.php?route=/panel/forums/&action=new and create a forum.\ During creation put bellow xss paylaod in forum icon.\ xss"' 2. Now save it .\ 3. Now goto above forum url...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description csrf bug to follow a topic 🕵️♂️ Proof of Concept i see everywhere is csrf token checking . But in this case csrf token checking is missing .\ Bellow url is vulnerable to csrf attack to follow a topic . http://localhost/nameless/index.php?route=/forum/topic/1/&action=follow 💥 Impact...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description stored xss XMP configuration 🕵️♂️ Proof of Concept Plz check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1j1b5XDv2v73539J5MYwxYDe0IPt9yS3f/view?usp=sharing 💥 Impact xss bug allow to execute arbitary javascript code...
Cross-Site Request Forgery (CSRF) in neorazorx/facturascripts
✍️ Description Attacker able to change any role with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF attacks it...
Cross-Site Request Forgery (CSRF) in erikdubbelboer/phpredisadmin
✍️ Description The Import functionality in the application is vulnerable to CSRF attacks. 🕵️♂️ Proof of Concept history.pushState'', '', '/' 💥 Impact This vulnerability can let an attacker import data to the database without the knowledge/interaction of the user...
in erikdubbelboer/phpredisadmin
✍️ Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. 🕵️♂️ Proof of Concept 💥 Impact According to PortSwigger references, it is possible for a page controlled by an attacker...
Cross-site Scripting (XSS) - Stored in janeczku/calibre-web
💥 BUG stored xss via book description 💥 STEP TO REPRODUCE Lets there is two user Admin and user-B . user-B has edit permission in book.\ \ 1. Now goto user-B account and visit http://localhost:8083/admin/book/12 and edit the metadata .\ During edit put bellow xss payload in book Description field...