4073 matches found
Reflected XSS on the Products Modules
Description coreBOS is vulnerable with Reflected XSS on the Products modules. The HTML tag can be escaped with " character and the attacker can be able to perform the Reflected XSS Proof of Concept 1. Login to coreBOS 1. Go to...
Improper path sanitization allows remote read of sensitive system resources
In pufferpanel/files.go there is an EnsureAccess method that accepts a source string and prefix argument. This function attempts to validate that the path being requested is within the scope of the server's operating directory. However, there is a logic bug in this function that improperly passes...
Username can be enumerated by password reset endpoint
Description The error message on /password/reset/1 can indicate whether the username exists in the instance. I believe this is a valid issue for the following reason: 1. /password/reset after submitting the username on this page, the server always returns success no matter whether the username...
Stored XSS in Supplier Company Description
Description The application inventree is vulnerable to Stored XSS in supplier company description field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/115LLo4rxW7RzWd7hevbSFAlf-V83OUhU/view?usp=sharing...
stored xss
Description Stored XSS, also known as persistent XSS, is the more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Proof of Concept 1Go to this website: https://titra.io/ 2Click on add Track button 3In the Task field enter...
Failure to strip Authentication header on HTTP downgrade
The Guzzle redirect middleware fails to strip the Authorization header when a redirect downgrades from https to http. The middleware currently only checks if the host has changed...
Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept - it works on firefox not in chromium based browsers - login as admin - go to...
Improper privilege management - Anyone can view room settings.
Description Hi bigbluebutton maintainers, I would like to report an improper privilege management, this allows anyone to view any room settings. Proof of Concept 1. To demonstrate the vulnerability, I've created a room https://demo.bigbluebutton.org/gl/hoa-j4s-sxx-5gn 2. Run this curl command to...
Application Level DoS:
Description Hey, when I attempt to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level...
Cross site Request Forgery in running schedule by using GET method.
Description There is a CRSF in autolab source code in running scheduler due to usage of GET method. Proof of Concept 1. Install a local instance of autolab 2. Go to /courses//schedulers and create a schedule 3. Access the link courses//schedulers//run and see that the schedulers is running...
Stored XSS due to the setting text/xml mime type for xml files
Description Hi, The patch for the previous XSS vulnerability Cross-site scripting - Reflected via upload .xml file looks incomplete. It just will set the mime type to text/xml for XML files to avoid XSS, However, this one can be also used to perform XSS too. Since an XML file can contain HTML...
Set cookie for different domain
Description It is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header. Proof of Concept php true; $client-request"GET", "https://.free.beeceptor.com/setcookie"; $cookies = $client-getConfig'cookies'-toArray; printr$cookies; ? You can us...
Reflected Cross site scripting
Description When a user add new product with a supplier, supplier reference field is responsible to rxss Proof of Concept 1. Navigate to http://localhost/invoices/EditProducto?code=1&action=save-ok and goto supplier tab 2. Click on Add and in "Supplier reference" field add hey...
Google Storage Bucket Takeover which is getting used in github repository "github.com/wardviaene/kubernetes-course"
Description wardviaene have a opensource project for kubernetes-course In the project, there is a README file which is contains installation instruction of helm. Those instructions are suggesting to download helm binary from a google bucket which was not registered on GCP. So I was able to takeov...
Cross Site Request Forgery in Release all grades feature
Description Hi there, there is a Cross site request Forgery in your Release all grades feature. This is due to the release all grades action is using GET request method. Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which...
Cross-site scripting - Stored via upload xml file
Description When user upload file with XML extension in white-list, server will stored XML file at assets/PortalNotesFiles/, so we can direct access and execute javascript code. Proof of Concept POST /rosariosis/Modules.php?modname=SchoolSetup/PortalNotes.php&modfunc=update HTTP/1.1 Host:...
identify registered user
Description There is a response during password reset which allow to identify if email address is registered or not Proof of Concept 1. Signup to https://cloud.heroiclabs.com/ using a email like [email protected] . \ 2. Now goto https://cloud.heroiclabs.com/recover and put a dummy email address...
CSRF on update cart functionality
I found a CSRF Vulnerability in the update cart functionality where there is no csrf token being validated While updating the cart as the authenticated user Vulnerable Request: POST /demo/api/updatecart HTTP/1.1 Host: demo.microweber.org Cookie:...
Divulge user password
Description The administrator can obtain the website user registration password hash Proof of Concept // PoC Log in to the background and access: http://demo.jizhicms.cn/admin.php/Member/index.html?ajax=1&page=1&limit=10&isshow=&start=&end=&username=% Package return:...
Stored xss bug to hijack admin account
Description Using this xss lower level user can change his role to super-admin and can hijack admin account Proof of Concept 1. First from super-admin account goto http://localhost/silverstripe/admin/security/RootUsers and add user-B as content authors .\ also give user-B only permisssion to page...
Stored XSS via upload file
Description In document feature, you can upload a file .ofd which can have xss Proof of Concept // xss.ofd alert1 Step 1: Go to Support - Documents Step 2: Click Create Documents Step 3: At the Download type, choose Internal. Upload file xss.ofd above. Step 4: Go to that file link, such as:...
Multiple Open redirect
Description There exist multiple open redirect in the get parameter returnurl . I found it in bookmarks//edit , bookmarks//remove, bookmarks//archive, bookmarks//unarchive, bookmarks/bulkedit Proof of Concept 1. Login in the demo instance https://demo.linkding.link/ 2. Go to...
Improper Input Validation
Description If hostname is not entered as in the following PoC, Open Redirect and SSRF occur because hostname is empty. Proof of Concept javascript // PoC : http:@127.0.0.1 const parseUrl = require"parse-url" const http = require"http" url = parseUrl"http:@127.0.0.1" console.logurl...
Path Traversal in silvanmelchior/RPi_Cam_Web_Interface
Description A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash ../” sequences and its variations or by using absolute file paths, it may be...
Inefficient Regular Expression Complexity in gitpython-developers/gitpython
Description In the latest version of GitPython cd29f07b I discovered regular expression that is vulnerable to ReDoS Regular Expression Denial of Service Proof of Concept PoC based on code in git/remote.py Python import logging import re logging.basicConfigformat='%asctimes - %levelnames:...
in clasp-developers/clasp
Description Clasp uses printf to log errors and useful information, in one instance of this logging - the printf call specifies format operators but lacks the appropriate arguments - leading to unrelated bytes being included in the output. Impact This vulnerability is capable of allowing an...
Cross-site Scripting (XSS) - Stored in bytebase/bytebase
Description Hello there, there is a stored XSS in bytebase SQL editor. Proof of Concept 1. Install bytebase on your system. 2. Go to /sql-editor and create a new query with name 3. Go back to the /sql-editor and go to Queries tab and see that a pop up appears, indicating the XSS payload is...
Cross-site Scripting (XSS) - Reflected in phpipam/phpipam
Description Reflected XSS attacks AKA non-persistent attacks when a malicious script is reflected off of a web application to the victim’s browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. The...
Open Redirect in alanaktion/phproject
Description Open Redirect in Login page due to unchecked to parameter. Proof of Concept Send users the following link https://demo.phproject.org/login?to=//example.com After users use their registered account to login, they will be redirected to example.com Impact By modifying the URL value to a...
Classic Buffer Overflow in gpac/gpac
Description Buffer Overflow in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1647-gb6f68145e-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Cross-site Scripting (XSS) - Stored in zikula/core
Description In zikula/core cross site scripting vulnerability is present in block modules block list description field. This commit e453ad not properly santize the input. Proof of Concept login to the demo account go to blocks https://demo.ziku.la/blocks/admin/view Add payload in block list...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description I can send a message. In the here, I can create a link. But, when i create a link, I can use an onfocus/autofocus attribute after escape the href attribute because do not processing for double quote Proof of Concept txt 1. Open the...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description I can create links using the Web links feature. However, since the input value is not URL-encoded, the onfocus and autofocus properties can be used by escaping the properties of the "A" tag using double quotation marks ". Proof of Concept txt...
in zikula/core
Description When sending test emails, you're able to spam a target email address with as many emails as an attacker wants to a victim's email address due to lack of rate limiting /mailer/config/test I've put together a simple Python script that exploits this and would allow you to send a custom...
Cross-site Scripting (XSS) - Stored in cacti/cacti
Description Hi there cacti maintainer team, I would like to report a stored XSS in cacti source code. It is due to unsanitized error message in synchronizing aggregates for color. Proof of Concept 1. Install a cacti instance in your local 2. Go to Color and create a color with name 3. Back to col...
Cross-site Scripting (XSS) - Stored in zikula/core
Description When inputting a name for a module category whether editing an existing one or adding a new one, you're able to inject your own Javascript, leading to it being executed. An example payload that you can enter is: xss and then each time that you click the category to expand it, your...
in gpac/gpac
Description Null Pointer Dereference in gfutf8wcslen Proof of Concept POC is here. bt Program received signal SIGSEGV, Segmentation fault. ----------------------------------registers----------------------------------- RAX: 0x24 '$' RBX: 0x5555555e2870 -- 0x5555555e2840 -- 0x2000000020000000 '' RC...
Open Redirect in erudika/scoold
Description Hi erudika scoold team, there is an Open redirect in your source code at question url Proof of Concept 1. Go to this link https://pro.scoold.com/questions/space?returnto=https://google.com 2. Observe that you are redirected to google.com Impact This vulnerability is capable of Open...
Cross-Site Request Forgery (CSRF) in laravelio/laravel.io
Description This CSRF is capable of making a user unintentionally subscribe and unsubscribe to a thread. Proof of Concept Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/unsubscribe Impact One...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description Stored XSS via upload File with format .svg when chatting in private conversation. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF to delete user accounts Proof of Concept Impact This vulnerability is capable of tricking admin users to delete user accounts...
Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
None in fcambus/logswan
Description Good morning, I hope you're doing well today. Whilst testing logswan built with Clang12 + ASan on Ubuntu 20.04.3 LTS from commit bcfd41, we discovered a heap-use-after-free situation during a strcmp operation on line 259 of logswan/src/logswan.c. Proof of Concept First... echo...
Cross-site Scripting (XSS) - Stored in krayin/laravel-crm
Description Stored XSS at Name of Tag Detail When rendering grid for Tag, Name value is not filtered before rendering which can trigger XSS Proof of Concept // PoC.req POST /admin/settings/tags/edit/1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:95.0...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
in combodo/itop
Proof of Concept Bellow request is vulnerable to csrf attack history.pushState'', '', '/' document.forms0.submit;...
PHP Remote File Inclusion in combodo/itop
Description csrf bug Proof of Concept Bellow request is vulnerable to csrf attack history.pushState'', '', '/' input type="hidden" name="class" v...
Cross-Site Request Forgery (CSRF) in galette/galette
Description Hello, Looking at the Galette application, I could observe that it is not protected against CSRF Cross-Site Request Forgery From OWASP : Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently...
Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Description Reflected XSS in form Search. After report https://huntr.dev/bounties/b76d075f-f6b2-40f0-b08e-a56e934d7c60/ I have retested the vulnerability and my payload is able to bypass your filter mechanism. The input tag of the search form was escaped by my payload Step to Reproduct Login to...
Sensitive Cookie Without 'HttpOnly' Flag in kasuganosoras/pigeon
Description One or more cookies don't have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies. Remediation If...