4072 matches found
Stored XSS in End page
Description Allows a user who only has the authority to create surveys not the administrator to bypass validation and embed javascript schemes when creating surveys Step to reproduce - Login as administrator 1. Open User management and Create a user with create surveys only permissions. 1. Logout...
Cross Site Scripting in Open Web Analytics on most statistics related pages
Description The makeJson method within the owatemplate class generates a JSON string in an unsafe manner. This method is utilized within the report.tpl file, where it receives parameters from the URL and generates a JSON string using them without properly sanitizing. Proof of Concept The...
REFLECTED XSS "Cross-site Scripting (XSS) "
Description Summary: I have found Reflected XSS at https://www.vim.org/login.php?referrer= Go To : https://www.vim.org/login.php?referrer=%22%3E%3Csvg/onload=prompt/OPENBUGBOUNTY/%3E payload xss : " Proof of Concept // PoC.js var payload =...
Stored HTML injection and Potential Cross Site Scripting in pixelfed ≤ 0.11.4
Description pixelfed ≤ 0.11.4 is affected by HTML injection and Potential Cross Site Scripting vulnerability. Steps to Reproduce: 1.Choose any server from https://pixelfed.org/servers and go to registration page. 2.Enter your username, email, password and enter following payload on "Name" paramet...
Stored XSS in "Import" Module
Description When loading a CSV or XLSX file to preview before importing Step 4, no sanitization of the first line label, allows authenticated attacker to inject malicious XSS payload into the to import file, and store it on the target webserver. If any admin reuse the malicious uploaded importing...
XSS caused by sending information between users
Description The forum allows users to send information. Although the script tag cannot be used, the img tag can also cause xss.And the program can bypass the filtering of the "cookie" string by means of entity encoding. Video link You can watch my video through this link first. link...
SNMP location XSS vulnerability
Description By including some HTML in the "Location" field of the snmpd configuration of a managed device, an attacker can inject HTML into the LibreNMS "Devices" tab, which then gets rendered when the page is viewed. EDIT: I'm having difficulties developing a proper exploit for this beyond the...
An unrestricted upload file lead to a stored XSS via SVG file.
Description During the test, I discovered that the upload function accepted svg files without any sanitization, allowing me to inject javascript code into the svg file and store it, as well as execute the javascript code via the svg file. Proof of Concept // PoC.js...
Cross-site Scripting (XSS) - Stored at discussion title
Description Attacker can inject XSS payload in title when he starts or renames a discussion. The payload will be triggered right after a normal user open that discussion. Proof of Concept 1. Login to your account on https://forum.locker.io 2. Create New Discussions 3. On the Discussions Title,...
XSS stored in Category name
Description If a user inject an XSS payload inside a category name. All users that visit the index page will execute the corresponding XSS payload. Proof of Concept Add a malicious category XSS is executed...
POST Based Reflected Cross Site Scripting in installation page
Description The installation page in Elgg ≤ v4.3.3 is vulnerable to Cross-Site Scripting attack via 'dataroot' parameter. Steps to Reproduce 1. Freshly install the Elgg in your web-server and proceed to "Database Installation Page". 2. Enter the following payload in "Data Directory" field and fil...
Multiple SQL Injections
Description User input is inserted directly into a SQL query in multiple places when duplicating contacts/leads. Proof of Concept For a PoC, we are going to use Leads, although the other vulnerabilities will probably work analagously. Since the input is not directly displayed to the user, we will...
Insufficient Session Expiration
Description Existing sessions are not invalidated after a password change. Proof of Concept Steps to reproduce: 1. Log in to Humhub 2. Do the same in another browser or a private window, such that there are two different active sessions 3. Update the user's password in either of the two sessions ...
Reflected XSS on "DetailViewAjax" via "relation_id" parameter
Description The value of the "relationid" parameter on the "DetailViewAjax" reflects to the source code without any sanitization. So, that leads to XSS which allows cookie stealing. Proof of Concept...
Tabnabbing on spec-disrespecting browsers
Some browsers do not comply with the 2021 HTML specification, meaning that an attacker can redirect the parent window. This applies to links in descriptions // Create a new card // Add https://someevilsite.com to card // Now the site can do the following:...
DoS via Client Email Update
Description An unauthenticated user, via the Inbox Website Widget, can update its contact email information, whose field doesn't have any proper size restriction or limitation in place, allowing to set as email an unlimited number of characters. \ \ Because of this an attacker can send an enormou...
XSS on URL recorder
Description Hi Team , I found XSS vulnerability in url recorder https://conifer.rhizome.org/"USERNAME"/default-collection/ Proof of Concept Image : https://ibb.co/dBr0QQr...
Cross-site Scripting (XSS) - Stored on Translations
Description Translations are vulnerable to Cross-Site Scripting. Steps to reproduce 1 - Go to Website - Settings 2 - Click on Languages 3 - Fill any field to be translated with an XSS payload : ". 4 - XSS popup will appear. Proof of concept...
Modify other people's articles by modifying the data package
Description The program does not check whether the originator of the request has this permission. I can modify the content of other people's articles and even modify the content by capturing data packets, even if I am not the owner of the article, even if I do not have permission in this respect...
Denial of Service via Attachment Upload
Description An attacker can upload an attachment without any size limitation which leads to an exception and the crash of the application. Proof of Concept 1. 1 - Log in and select and project and card. 2. 2 - Upload a file, in this case, a 5GB file. Used sample file. 3. 3 - After some seconds th...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept Go to this URL:...
Cross Site Scripting via Improper Input Validation (parser differential)
Description I find that parse-url parses the following URL incorrectly and identifies protocol as ssh: javascript://n.com:-4294967297/?ab=--2509999973799371216494http://user:passser:[email protected]:-4294967297/?a /parseurlfuzz$ node -e 'const parseUrl = require"parse-url";...
xss via svg file
Description xss via svg file Proof of Concept 1. goto your account and create a document under a collection .\ 2. Now edit this document and upload bellow svg file in this document content as image filename--evil.svg alert'Thais app is probably vulnerable to XSS attackss!'; 3. after upload open...
Cross-site Scripting (XSS) - Stored in Space Name
Description Cross-site Scripting XSS - Stored in space name. Because space name is not HTML encoded, "Confirm action" modal pops up then the script is executed. Proof of Concept Step 1: Create a new Space and fill in name with this payload: "alert1. Step 2: Send an invite to victim then save. Ste...
Reflected XSS in multiple parameters
Testing Environment 1. Windows OS 2. Firefox Browser Vulnerable URLs ----...
Command Injection:
Description cookiecutter is a command-line utility that creates projects from cookiecutters. Affected versions of this package are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg...
Reflected XSS on the Products Modules
Description coreBOS is vulnerable with Reflected XSS on the Products modules. The HTML tag can be escaped with " character and the attacker can be able to perform the Reflected XSS Proof of Concept 1. Login to coreBOS 1. Go to...
Improper path sanitization allows remote read of sensitive system resources
In pufferpanel/files.go there is an EnsureAccess method that accepts a source string and prefix argument. This function attempts to validate that the path being requested is within the scope of the server's operating directory. However, there is a logic bug in this function that improperly passes...
Username can be enumerated by password reset endpoint
Description The error message on /password/reset/1 can indicate whether the username exists in the instance. I believe this is a valid issue for the following reason: 1. /password/reset after submitting the username on this page, the server always returns success no matter whether the username...
Stored XSS in Supplier Company Description
Description The application inventree is vulnerable to Stored XSS in supplier company description field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/115LLo4rxW7RzWd7hevbSFAlf-V83OUhU/view?usp=sharing...
stored xss
Description Stored XSS, also known as persistent XSS, is the more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Proof of Concept 1Go to this website: https://titra.io/ 2Click on add Track button 3In the Task field enter...
Failure to strip Authentication header on HTTP downgrade
The Guzzle redirect middleware fails to strip the Authorization header when a redirect downgrades from https to http. The middleware currently only checks if the host has changed...
Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept - it works on firefox not in chromium based browsers - login as admin - go to...
Improper privilege management - Anyone can view room settings.
Description Hi bigbluebutton maintainers, I would like to report an improper privilege management, this allows anyone to view any room settings. Proof of Concept 1. To demonstrate the vulnerability, I've created a room https://demo.bigbluebutton.org/gl/hoa-j4s-sxx-5gn 2. Run this curl command to...
Application Level DoS:
Description Hey, when I attempt to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level...
Application Level DoS:
Description Hey, when I attempt to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level...
Cross site Request Forgery in running schedule by using GET method.
Description There is a CRSF in autolab source code in running scheduler due to usage of GET method. Proof of Concept 1. Install a local instance of autolab 2. Go to /courses//schedulers and create a schedule 3. Access the link courses//schedulers//run and see that the schedulers is running...
Stored XSS due to the setting text/xml mime type for xml files
Description Hi, The patch for the previous XSS vulnerability Cross-site scripting - Reflected via upload .xml file looks incomplete. It just will set the mime type to text/xml for XML files to avoid XSS, However, this one can be also used to perform XSS too. Since an XML file can contain HTML...
Set cookie for different domain
Description It is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header. Proof of Concept php true; $client-request"GET", "https://.free.beeceptor.com/setcookie"; $cookies = $client-getConfig'cookies'-toArray; printr$cookies; ? You can us...
Reflected Cross site scripting
Description When a user add new product with a supplier, supplier reference field is responsible to rxss Proof of Concept 1. Navigate to http://localhost/invoices/EditProducto?code=1&action=save-ok and goto supplier tab 2. Click on Add and in "Supplier reference" field add hey...
Google Storage Bucket Takeover which is getting used in github repository "github.com/wardviaene/kubernetes-course"
Description wardviaene have a opensource project for kubernetes-course In the project, there is a README file which is contains installation instruction of helm. Those instructions are suggesting to download helm binary from a google bucket which was not registered on GCP. So I was able to takeov...
Cross Site Request Forgery in Release all grades feature
Description Hi there, there is a Cross site request Forgery in your Release all grades feature. This is due to the release all grades action is using GET request method. Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which...
Cross-site scripting - Stored via upload xml file
Description When user upload file with XML extension in white-list, server will stored XML file at assets/PortalNotesFiles/, so we can direct access and execute javascript code. Proof of Concept POST /rosariosis/Modules.php?modname=SchoolSetup/PortalNotes.php&modfunc=update HTTP/1.1 Host:...
identify registered user
Description There is a response during password reset which allow to identify if email address is registered or not Proof of Concept 1. Signup to https://cloud.heroiclabs.com/ using a email like [email protected] . \ 2. Now goto https://cloud.heroiclabs.com/recover and put a dummy email address...
CSRF on update cart functionality
I found a CSRF Vulnerability in the update cart functionality where there is no csrf token being validated While updating the cart as the authenticated user Vulnerable Request: POST /demo/api/updatecart HTTP/1.1 Host: demo.microweber.org Cookie:...
Divulge user password
Description The administrator can obtain the website user registration password hash Proof of Concept // PoC Log in to the background and access: http://demo.jizhicms.cn/admin.php/Member/index.html?ajax=1&page=1&limit=10&isshow=&start=&end=&username=% Package return:...
Stored xss bug to hijack admin account
Description Using this xss lower level user can change his role to super-admin and can hijack admin account Proof of Concept 1. First from super-admin account goto http://localhost/silverstripe/admin/security/RootUsers and add user-B as content authors .\ also give user-B only permisssion to page...
Stored XSS via upload file
Description In document feature, you can upload a file .ofd which can have xss Proof of Concept // xss.ofd alert1 Step 1: Go to Support - Documents Step 2: Click Create Documents Step 3: At the Download type, choose Internal. Upload file xss.ofd above. Step 4: Go to that file link, such as:...
Multiple Open redirect
Description There exist multiple open redirect in the get parameter returnurl . I found it in bookmarks//edit , bookmarks//remove, bookmarks//archive, bookmarks//unarchive, bookmarks/bulkedit Proof of Concept 1. Login in the demo instance https://demo.linkding.link/ 2. Go to...
Improper Input Validation
Description If hostname is not entered as in the following PoC, Open Redirect and SSRF occur because hostname is empty. Proof of Concept javascript // PoC : http:@127.0.0.1 const parseUrl = require"parse-url" const http = require"http" url = parseUrl"http:@127.0.0.1" console.logurl...