4072 matches found
Improper privilege management - Anyone can view room settings.
Description Hi bigbluebutton maintainers, I would like to report an improper privilege management, this allows anyone to view any room settings. Proof of Concept 1. To demonstrate the vulnerability, I've created a room https://demo.bigbluebutton.org/gl/hoa-j4s-sxx-5gn 2. Run this curl command to...
Application Level DoS:
Description Hey, when I attempt to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level...
Cross site Request Forgery in running schedule by using GET method.
Description There is a CRSF in autolab source code in running scheduler due to usage of GET method. Proof of Concept 1. Install a local instance of autolab 2. Go to /courses//schedulers and create a schedule 3. Access the link courses//schedulers//run and see that the schedulers is running...
Stored XSS due to the setting text/xml mime type for xml files
Description Hi, The patch for the previous XSS vulnerability Cross-site scripting - Reflected via upload .xml file looks incomplete. It just will set the mime type to text/xml for XML files to avoid XSS, However, this one can be also used to perform XSS too. Since an XML file can contain HTML...
Set cookie for different domain
Description It is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header. Proof of Concept php true; $client-request"GET", "https://.free.beeceptor.com/setcookie"; $cookies = $client-getConfig'cookies'-toArray; printr$cookies; ? You can us...
Reflected Cross site scripting
Description When a user add new product with a supplier, supplier reference field is responsible to rxss Proof of Concept 1. Navigate to http://localhost/invoices/EditProducto?code=1&action=save-ok and goto supplier tab 2. Click on Add and in "Supplier reference" field add hey...
Google Storage Bucket Takeover which is getting used in github repository "github.com/wardviaene/kubernetes-course"
Description wardviaene have a opensource project for kubernetes-course In the project, there is a README file which is contains installation instruction of helm. Those instructions are suggesting to download helm binary from a google bucket which was not registered on GCP. So I was able to takeov...
Cross Site Request Forgery in Release all grades feature
Description Hi there, there is a Cross site request Forgery in your Release all grades feature. This is due to the release all grades action is using GET request method. Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which...
Cross-site scripting - Stored via upload xml file
Description When user upload file with XML extension in white-list, server will stored XML file at assets/PortalNotesFiles/, so we can direct access and execute javascript code. Proof of Concept POST /rosariosis/Modules.php?modname=SchoolSetup/PortalNotes.php&modfunc=update HTTP/1.1 Host:...
identify registered user
Description There is a response during password reset which allow to identify if email address is registered or not Proof of Concept 1. Signup to https://cloud.heroiclabs.com/ using a email like [email protected] . \ 2. Now goto https://cloud.heroiclabs.com/recover and put a dummy email address...
CSRF on update cart functionality
I found a CSRF Vulnerability in the update cart functionality where there is no csrf token being validated While updating the cart as the authenticated user Vulnerable Request: POST /demo/api/updatecart HTTP/1.1 Host: demo.microweber.org Cookie:...
Divulge user password
Description The administrator can obtain the website user registration password hash Proof of Concept // PoC Log in to the background and access: http://demo.jizhicms.cn/admin.php/Member/index.html?ajax=1&page=1&limit=10&isshow=&start=&end=&username=% Package return:...
Stored xss bug to hijack admin account
Description Using this xss lower level user can change his role to super-admin and can hijack admin account Proof of Concept 1. First from super-admin account goto http://localhost/silverstripe/admin/security/RootUsers and add user-B as content authors .\ also give user-B only permisssion to page...
Stored XSS via upload file
Description In document feature, you can upload a file .ofd which can have xss Proof of Concept // xss.ofd alert1 Step 1: Go to Support - Documents Step 2: Click Create Documents Step 3: At the Download type, choose Internal. Upload file xss.ofd above. Step 4: Go to that file link, such as:...
Multiple Open redirect
Description There exist multiple open redirect in the get parameter returnurl . I found it in bookmarks//edit , bookmarks//remove, bookmarks//archive, bookmarks//unarchive, bookmarks/bulkedit Proof of Concept 1. Login in the demo instance https://demo.linkding.link/ 2. Go to...
Improper Input Validation
Description If hostname is not entered as in the following PoC, Open Redirect and SSRF occur because hostname is empty. Proof of Concept javascript // PoC : http:@127.0.0.1 const parseUrl = require"parse-url" const http = require"http" url = parseUrl"http:@127.0.0.1" console.logurl...
Path Traversal in silvanmelchior/RPi_Cam_Web_Interface
Description A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash ../” sequences and its variations or by using absolute file paths, it may be...
Inefficient Regular Expression Complexity in gitpython-developers/gitpython
Description In the latest version of GitPython cd29f07b I discovered regular expression that is vulnerable to ReDoS Regular Expression Denial of Service Proof of Concept PoC based on code in git/remote.py Python import logging import re logging.basicConfigformat='%asctimes - %levelnames:...
in clasp-developers/clasp
Description Clasp uses printf to log errors and useful information, in one instance of this logging - the printf call specifies format operators but lacks the appropriate arguments - leading to unrelated bytes being included in the output. Impact This vulnerability is capable of allowing an...
Cross-site Scripting (XSS) - Stored in bytebase/bytebase
Description Hello there, there is a stored XSS in bytebase SQL editor. Proof of Concept 1. Install bytebase on your system. 2. Go to /sql-editor and create a new query with name 3. Go back to the /sql-editor and go to Queries tab and see that a pop up appears, indicating the XSS payload is...
Cross-site Scripting (XSS) - Reflected in phpipam/phpipam
Description Reflected XSS attacks AKA non-persistent attacks when a malicious script is reflected off of a web application to the victim’s browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. The...
Open Redirect in alanaktion/phproject
Description Open Redirect in Login page due to unchecked to parameter. Proof of Concept Send users the following link https://demo.phproject.org/login?to=//example.com After users use their registered account to login, they will be redirected to example.com Impact By modifying the URL value to a...
Classic Buffer Overflow in gpac/gpac
Description Buffer Overflow in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1647-gb6f68145e-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Cross-site Scripting (XSS) - Stored in zikula/core
Description In zikula/core cross site scripting vulnerability is present in block modules block list description field. This commit e453ad not properly santize the input. Proof of Concept login to the demo account go to blocks https://demo.ziku.la/blocks/admin/view Add payload in block list...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description I can send a message. In the here, I can create a link. But, when i create a link, I can use an onfocus/autofocus attribute after escape the href attribute because do not processing for double quote Proof of Concept txt 1. Open the...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description I can create links using the Web links feature. However, since the input value is not URL-encoded, the onfocus and autofocus properties can be used by escaping the properties of the "A" tag using double quotation marks ". Proof of Concept txt...
in zikula/core
Description When sending test emails, you're able to spam a target email address with as many emails as an attacker wants to a victim's email address due to lack of rate limiting /mailer/config/test I've put together a simple Python script that exploits this and would allow you to send a custom...
Heap-based Buffer Overflow in neomutt/neomutt
Description When connected through imap/imaps with a server, neomutt is prone to a heap buffer overflow when using the auto completion feature. Proof of Concept Prepare client configuration which connects to 127.0.0.1:14300 cat muttrc imap.txt.b64 EOF...
Cross-site Scripting (XSS) - Stored in cacti/cacti
Description Hi there cacti maintainer team, I would like to report a stored XSS in cacti source code. It is due to unsanitized error message in synchronizing aggregates for color. Proof of Concept 1. Install a cacti instance in your local 2. Go to Color and create a color with name 3. Back to col...
in gpac/gpac
Description Null Pointer Dereference in gfutf8wcslen Proof of Concept POC is here. bt Program received signal SIGSEGV, Segmentation fault. ----------------------------------registers----------------------------------- RAX: 0x24 '$' RBX: 0x5555555e2870 -- 0x5555555e2840 -- 0x2000000020000000 '' RC...
Open Redirect in erudika/scoold
Description Hi erudika scoold team, there is an Open redirect in your source code at question url Proof of Concept 1. Go to this link https://pro.scoold.com/questions/space?returnto=https://google.com 2. Observe that you are redirected to google.com Impact This vulnerability is capable of Open...
Cross-Site Request Forgery (CSRF) in laravelio/laravel.io
Description This CSRF is capable of making a user unintentionally subscribe and unsubscribe to a thread. Proof of Concept Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/unsubscribe Impact One...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description Stored XSS via upload File with format .svg when chatting in private conversation. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF to delete user accounts Proof of Concept Impact This vulnerability is capable of tricking admin users to delete user accounts...
Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
None in fcambus/logswan
Description Good morning, I hope you're doing well today. Whilst testing logswan built with Clang12 + ASan on Ubuntu 20.04.3 LTS from commit bcfd41, we discovered a heap-use-after-free situation during a strcmp operation on line 259 of logswan/src/logswan.c. Proof of Concept First... echo...
Cross-site Scripting (XSS) - Stored in krayin/laravel-crm
Description Stored XSS at Name of Tag Detail When rendering grid for Tag, Name value is not filtered before rendering which can trigger XSS Proof of Concept // PoC.req POST /admin/settings/tags/edit/1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:95.0...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
in combodo/itop
Proof of Concept Bellow request is vulnerable to csrf attack history.pushState'', '', '/' document.forms0.submit;...
PHP Remote File Inclusion in combodo/itop
Description csrf bug Proof of Concept Bellow request is vulnerable to csrf attack history.pushState'', '', '/' input type="hidden" name="class" v...
Cross-Site Request Forgery (CSRF) in galette/galette
Description Hello, Looking at the Galette application, I could observe that it is not protected against CSRF Cross-Site Request Forgery From OWASP : Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently...
Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Description Reflected XSS in form Search. After report https://huntr.dev/bounties/b76d075f-f6b2-40f0-b08e-a56e934d7c60/ I have retested the vulnerability and my payload is able to bypass your filter mechanism. The input tag of the search form was escaped by my payload Step to Reproduct Login to...
Sensitive Cookie Without 'HttpOnly' Flag in kasuganosoras/pigeon
Description One or more cookies don't have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies. Remediation If...
Business Logic Errors in microweber/microweber
Description A fixed price coupon can be applied to get negative price for a product Proof of Concept 1: Create a fixed coupon Example: $200 coupon, $300 minimum 2: Add two products into the cart Example $50 + $300 3: Apply the fixed coupon. 4: Remove the $300 product. Observe that the price is no...
Heap-based Buffer Overflow in zyantific/zydis
Description Hello, we hope you're doing well during these challenging times. Whilst testing zydis built from commit 077b185 with Clang12 + ASan on Ubuntu 18.04, we discovered a crafted PE file that when fed to ZydisPE triggers a heap-buffer-overflow, READ of size 1. Proof of Concept POC Base64...
Cross-site Scripting (XSS) - Stored in archerysec/archerysec
Description The application is vulnerable to a Stored XSS attack. It is possible for an authenticated user to inject a JavaScript payload that will be executed in the web browser of the users viewing the concerned pages. When uploading a Burp scan, the XML field "issueBackground" of a vulnerabili...
Cross-site Scripting (XSS) - Stored in opensourcepos/opensourcepos
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept // PoC.js 1-- Just got https://demo.opensourcepos.org/messages 2-- send a payload on number phone field . 3-- you will get an...
Cross-Site Request Forgery (CSRF) in pkp/pkp-lib
Description No CSRF in upload profile too: /index.php/e/$$$call$$$/tab/user/profile-tab/upload-profile-image. More endpoints: Reordering data: /index.php/e/$$$call$$$/grid/settings/submission-checklist/submission-checklist-grid/save-sequence...
Cross-site Scripting (XSS) - Stored in ampache/ampache
Description ampache has a stored XSS in the View Existing User , an attacker could exploit with the Website attribute to steal the other users' cookie Proof of Concept 1 Visit http://ampache//index.phppreferences.php?tab=account set the Website attribut toe: foo" onmouseover=alertdocument.cookie ...
Cross-Site Request Forgery (CSRF) in bytebase/bytebase
Description all part of application That use POST http method to change or create data are vulnerable to CSRF attacks. for example the PATCH methods are not vulnerable I will show just create a member POC for you and if you want to see other POCs of other endpoint just say me to provide them too ...