4072 matches found
Sensitive Cookie Without 'HttpOnly' Flag in filegator/filegator
Description HTTPOnly attribute is not set for session cookies in the application. Proof of Concept https://ibb.co/R950Vxj Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session...
Incomplete fix for SSRF in CVE-2023-4651
Description The fix commit a6bf758de0b3242b0c0e4b47a588aae0c94305b0 for CVE-2023-4651 is not complete. Only ip based URLs are blocked. Proof of Concept Clone the latest repo and install. On server, listen for 1234 on localhost. Use http://localhost:1234/ as URL for image upload. Observe a hit on...
Theft of Arbitrary Files due to execution of attacker scripts from BashAssociation.kt
Description Tested on Build87 of the Inure application. It was discovered that the application had an exported activity app.simple.inure.activities.association.BashAssociation which accepted intent data via the file scheme + text/x-shellscript mime type and executed the commands contained within...
Local File Read Bypass in mlflow/mlflow
Description This is a bypass to the following submission which was assigned CVE-2023-1177. Proof of Concept Start the server or UI it works on both identically mlflow ui --host 127.0.0.1:5000 1. Create a Model named "AJAX-API". curl -i -s -k -X $'POST' -H $'Host: 127.0.0.1:5000' -H $'User-Agent:...
arbitrary file read
Description An authenticated attacker can abuse import-server-files with a path traversal to download an arbitrary file from the server Collaborator: @ub3rsick Proof of Concept 1. 1- to trigger the request for SSRF: go to files - assets - select a folder - right click - add asset - import from...
NULL Pointer Dereference in function utfc_ptr2len
Description NULL Pointer Dereference in function utfcptr2len at mbyte.c.c:2145 allows attackers to cause a denial of service application crash via a crafted input. vim version commit 0caaf1e46511f7a92e036f05e6aa9d5992540117 HEAD - master, tag: v9.0.1293, origin/master, origin/HEAD Author: Yegappa...
RCE due to Improper Authorization in 'Add Extension' functionality
Description The application does not properly implement authorization checks in the add extension functionality and allows a low-privileged user to upload extensions. Since no approval/verification is required to create an account in the application, any unauthenticated attacker can create a...
Out-of-bounds read in function gchar_cursor
Description Out-of-bounds read in function gcharcursor at misc1.c:532 vim version git log commit 68e64d2c1735f2a39afa8a0475ae29bedb116684 HEAD - master, tag: v8.2.5006, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch11s.dat -c :qa!...
Buffer Over-read in function grab_file_name
Description Buffer Over-read in function grabfilename at findfile.c:1947 vim version git log commit 31ad32a325cc31f0f2bdd530c68bfb856a2187c5 HEAD - master, tag: v8.2.4949, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch5s.dat -c :qa!...
Heap buffer overflow in vim_strncpy find_word
✍️ Description When fuzzing vim commit fc78a0369 works with latest build and latest commit 202b4bd3a per this time of this report with clang 13 and ASan, I discovered a buffer overflow. Proof of Concept Here is the poc bash...
Improper handling of Length parameter
Description There was no restriction on the amount of text that can be inserted into a user's name field. When the text size was large enough the service resulted in a momentary outage in our non-production environment not high availability. An internal reproduction showed isolated disruption but...
Stored XSS in the "Username" & "Email" input fields leads to account takeover of Admin & Co-admin users
Description The application Organizr allows malicious javascript in the "Username" & "Email" input fields for which an attacker can able to take over the account of Admin & Co-admin users. Proof of Concept 1.During "Signup" put the below payloads in the "Username" & "Email" input fields. 2.Now ru...
Improper Validation of Array Index
This vulnerability is of type Improper Validation of Array Index. The bug exists in latest stable release radare2-5.6.6 and lastest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated in April 03, 2022. Specifically, the vulnerable code located at libr/bin/format/ne/ne.c and the bug's...
HTTP Request Smuggling
Summary Due to several violations of the HTTP standard as defined in RFC7230, Waitress is vulnerable to HTTP request smuggling when used with an upstream proxy that exhibits nonstandard behaviour. Each issue is explained in the Occurrences section below...
Server-Side Request Forgery (SSRF)
Description Bypass of this report: https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369/ Proof of Concept Blacklist does not check for 0.0.0.0 PAYLOAD: http://0.0.0.0 This payload will be resolved to localhost python import socket from urllib.parse import urlparse PAYLOAD =...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Cross site scripting vulnerability in pimcore,pimcore field, it is fixed in this commit 832c34 , but still it is executing xss .Icon field in events and news Proof of Concept 1 . Login to the demo account https://10.x-dev.pimcore.fun/admin/ 2. Go to settings --data objects -- classes ...
Stack-based Buffer Overflow in vim/vim
Description Stack overflow occurs in spellsuggest.c. commit : 44db8213d38c39877d2148eff6a72f4beccfb94e Proof of Concept $ echo -ne "bm9ybRZzMDAwRzAw/TAwMDAwMDAwMDAwMApzaWwwbm9ybS4udnpHLi4uLi4uLi4uLi4uLi4uLnZ2 ekcwICAgICB2IHo9" | base64 -d minimizedpoc Valgrind $ ./vg-in-place -s...
Improper Access Control in janeczku/calibre-web
Description With default settings, low-level users will not have permission to read name of private shelf shelf create by another user and not in public mode. However, due to incorrect HTML render, the application does not work as intended. Proof of Concept - Step 1: Login with admin account and ...
in vim/vim
Description A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regarless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build in Ubuntu 20.04 for x8664/amd64...
Heap-based Buffer Overflow in hoene/libmysofa
Description There are some heap-buffer-overflows in mysofa2json of libmysofa. They are in function loudness, mysofacheck and readOHDRHeaderMessageDataLayout. System info Ubuntu 20.04.3 LTS clang 12.0.1 libmysofa github master branch commit 0cb89cb Command to Reproduce build libmysofa with...
Inefficient Regular Expression Complexity in validatorjs/validator.js
Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in validator. It allows cause a denial of service when calling function 'rtrim'. The ReDoS vulnerability is mainly due to the regex /\s+$/g and can be exploited with the following code. Proof of Concept ...
None in vim/vim
✍️ Description Team, trust you are doing well. As part of continues fuzzing VIM v8.2.3425 in persistence mode, I found a heap use-after-free nvreplace. 🕵️♂️ Proof of Concept Affected version: VIM v8.2.3425 Tested on: Linux s157903 4.15.0-106-generic 107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x8664...
Session is not expiring after password resetting
Description Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs, in this case the session is not getting expired after the password change Proof of Concept 1. Open http://localhost:8188/studio/profile in 2 browsers I use Firefox a...
segmentation fault in function f_fullcommand
Description segmentation fault in function ffullcommand at exdocmd.c:4101 Proof of Concept valgrind ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocseg -c :qa! ==14662== Memcheck, a memory error detector ==14662== Copyright C 2002-2017, and GNU GPL'd, by Julian Seward et al. ==14662== Using...
IDOR Vulnerability Allow the owner of one Organization can create, edit, delete apikeys that belong to other organization
1 first, we create two organizations: org1 and org2. The owner of them is user1 and user2 corresponding. 2 we login as user1 and create a new API keys 3 using the burpsuit to hack hijack the post. 4 The post and can be like:...
IDOR Vulnerability Allow Low-Level User Logout Everyone Includes Admin
Description IDOR vulnerability allow low level user to log out everyone in the system by changing the user ID. Proof of Concept Step 1: Login in as admin Step 2: Go to user and add an user. Set role to Default. Step 3: Login as the new user. Step 4: Logout the user GET...
Language Dropdown Menu Manipulation
Hello It is possible to manipulate the Language Dropdown Menu and change it to anything the attacker wants. Process of the Vulnerability: 1. Login 2. Go Miscellaneous - Email & file templates 3. Add Template - Change & Save and intercept the Request 4. Change the Language to anything you want ---...
SQL Database Error could lead to SQL Injection with internal Path Disclosure
Hello, Through manipulating Parameter i get an SQL Error which can lead to SQL Injection. Plus that there is an internal Path Disclosure. Best regards Ahmed Hassan...
SQL injection in API authorization check
Description TeamPass /authorize API endpoint is vulnerable to SQL injection in the login field. It is possible to forge an arbitrary Blowfish hash and use it in the query to bypass the password verification check. Using the same query it is possible to define an arbitrary apikey value too: "login...
Reset API any user via IDOR
Description Reset API any user without taking action from him via IDOR Proof of Concept 1- Create a user 2- Go to setting 3- Open Burp Suite to object to the requisition 4- Click on it Reset API 5- Note that the endpoint is in the request PATCH/api/user/102 6- When the number that is in endpoint...
File Deletion Detected
Description Vulnerability allows deleting files in the server, affect the logic of the source code or disrupt the program to make the original way of operation Proof of Concept B1. Login and access to admin.php?p=uploader&action=mediamanager B2. Delete 1 uploaded file B3. Change parameter...
Use After Free in function do_tag
Description Use After Free in function dotag at vim/src/tag.c:807. vim version ./vim --version VIM - Vi IMproved 9.0 2022 Jun 28, compiled Sep 2 2022 22:56:19 Included patches: 1-363 Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/elva/fuzzvim/test/poc8huaf.dat -c :qa!...
Open Redirect on login
Description Although https://github.com/go-gitea/gitea/pull/9678 protects against most open redirects there is an unfortunate flaw in its logic due to browser behaviour when presented with Locations that have backslashes in them Proof of Concept...
File Upload Restriction Bypass leading to Stored XSS Vulnerability
Description File Upload Restriction Bypass leading to Stored XSS Vulnerability, by leveraging file extension vbhtm, vbhtml, soap, even any extension ends with html e.g. aahtml, bbhtml Proof of Concept Step 1 Access https://www.showdoc.com.cn/attachment/index Step 2 Prepare a file with content bel...
Insecure deserialization of not validated module file
Description In recent Crater version 18507ddb tag: 6.0.6 highly privileged user can upload malicious module file and run insecure deserialization, which can lead to remote code execution. Proof of Concept 1. Prepare PHAR file - php --define phar.readonly=0 phar.php PHP data = $data; function...
Protocol/Hostname spoofing via Improper Input Validation
Description The uri.js doesn't remove whitespace characters from the beginning of the protocol, so it doesn't parse URLs properly. Several methods, including http.get, location.href, and fetch, strip the whitespace character in front of the protocol before sending the request. Proof of Concept...
Improper Authorization in salesagility/suitecrm
Description In SuiteCRM v7.12.4, affecting Employee Module, any user with the User Type as Regular User could export employee records via /index.php?entryPoint=export endpoint. The prerequisite of this attack is by knowing the user record ID which can be obtained in the employees' section. The...
Heap-based Buffer Overflow in vim/vim
Description Heap-buffer-overflow on read in yankcopyline This issue was created to separate this one and was fixed with Patch 8.2.4219. Proof of Concept Steps to reproduce: echo -n c2lsIW5vcm0wbxSA/zAWenk= | base64 -d heapowpoc3 vim -u NONE -i NONE -n -X -Z -e -m -s -S heapowpoc3 -c :qa! Sanitize...
Cross-site Scripting (XSS) - Stored in vanessa219/vditor
Description The Vanessa219/vditor is a markdown editor supported by browsers. If the user passes javascript:alertdocument.domain as the URL value when creating a link using the markdown syntax, there is no sanitizing process and the link is created as it is. Proof of Concept txt XSS PoC : xss 1...
Heap-based Buffer Overflow in vim/vim
Description Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Versio...
Heap-based Buffer Overflow in vim/vim
Description Team, trust you are doing well. As part of continues fuzzing VIM v8.2.3582 15d9890eee53afc61eb0a03b878a19cb5672f732 in persistence mode, I found a heap use-after-free mlappendint. Proof of Concept Affected version: v8.2.3582 Tested on: Linux s157903 4.15.0-106-generic 107-Ubuntu SMP T...
Path Traversal in rust-compress/rc-zip
:book: Description rc-zip Pure rust zip & zip64 reading and writing. this package is vulnerable for zip-slip https://github.com/rust-compress/rc-zip https://crates.io/crates/rc-zip :recycle: Steps To Reproduce-: 0 download and run latest release from https://github.com/rust-compress/rc-zip 1 run ...
Heap BoF in trunc_string()
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the master branch as of 09/25 at commit 6ee7b521fa7531ef356ececc8be7575c3800f872 . Description Heap BoF in the file /src/message.c in the function truncstring at line 356. Snippet c bufe -...
Local file inclusion leading to RCE
Description The api handling endpoint allows for a local file inclusion that can lead to remote code execution. It requires a valid api token which can be obtained via a database backup with account access, a number of different sql injections with account access, or stolen from a user. Proof of...
CSRF to change user language preferences
Description Cross-Site Request Forgery CSRF is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user Proof of Concept 1 Go to...
An attacker can be post message in other memos page
Description An attacker can be post malicious content to other user's memos page via POST request, attacker just add an creatorID into body request and send it with Burpsuite Here is video poc: https://drive.google.com/file/d/1dNKo-ybfguam4YdvmluYujN2nkTG5D9G/view?usp=sharelink Proof of Concept...
Link Preload XSS bypass
Description Link preloads still do not effectively confirm if the requested link is external. This is a bypass to the fix for CVE-2022-4414. Root Cause The getPayloadURL function was adapted after the disclosure to use the browsers built in URL parser to properly check for a valid URL. This is a...
TLS Cookie without `secure` flag at https://roy.demo.phpmyfaq.de
Description The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function. This issue was found in multiple locations under the reported path. Issue background If the secure flag is set...
XSS via Mathematical Typesetting
🔒️ Requirements Feature: Extras Mathematical Typesetting enabled. User interaction: Access vulnerable page || diagram and wheel click on a link. 📝 Description The Mathematical Typesetting feature allows to use inline content such as AsciiMath or LaTeX. Using it allows you to create a tag via \href...
HTML Injection vulnerability in create tag functionality
Vulnerability Details In the Microweber CMS, While doing a live edit on to the application, we have the option to create a new global tag in the application. While creating a global tag, the "Tag Name" input field doesn't properly get sanitized and it's vulnerable to HTML Injection vulnerability...