4072 matches found
DOM-based Cross-site Scripting (DXSS) Vulnerability
Description Two CalendarXP products have DXSS vulnerability in common parts of HTML files. CalendarXP FlatCalendarXP through 10.0.1 has DXSS vulnerability in iflateng.htm and nflateng.htm, and CalendarXP PopCalendarXP through 10.0.1 has DXSS vulnerability in ipopeng.htm and npopeng.htm. Proof of...
heap-buffer-overflow in gf_isom_box_write_header
Description heap-buffer-overflow in gfisomboxwriteheader at isomedia/boxfuncs.c:408. version info git log commit 68064e10172675e0853d6f429fb2055112835602 grafted, HEAD - master, origin/master, origin/HEAD Author: jeanlf Date: Fri Nov 18 10:36:10 2022 +0100 fixed build without http2 support ./MP4B...
Stored Cross-Site Scripting (XSS) in via direct link to attachments
Description The XSS is related to this previous report. The fix to prevent XSS in uploaded attachments is insufficient, as there is no mitigation when accessing attachments via a direct link. Proof of Concept Steps to reproduce: 1. Log in to Inventree 2. Click on Parts. Add a new Category and...
UI Discrepancy in Password
Description There is UI discrepancy in the user password section in nakama console. The UI presents the following message to the user for a short password: "Password is required, must be 8 chars or longer and consist of at least a capital letter, a small letter and a number". However, the backend...
Weak password policy on account creation/password update
Description The password policy used in the account creation and password change pages is weak, allowing to set a password of only 1 character. Proof of Concept Case 1 - Account Creation 1. 1 - Login as admin and go to the users page. 2. 2 - Create a new user and set 1 as the password and click i...
Cross-Site Request Forgery (CSRF)
Description I found a possible Cross-Site Request Forgery CSRF vulnerability in Login Form. Login CSRF is a type of attack where the attacker can force the user to log in to the attacker’s account on a website and thus reveal information about what the user is doing while logged in. Proof of...
Regular Expression Denial of Service (ReDoS)
Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in parse-url. It allows cause a denial of service when calling function parse-url. The ReDoS vulnerability is mainly due to the regex /git@|https?://\w.@+/|:,\w,-,,/+.git0,1/0,1/ and can be...
File Protocol Spoofing
Description parse-url misinterpreting the file:// protocol when trying to match git urls. The following payload is certainly valid file protocol but is interpreted as ssh protocol. file:///etc/passwd?http://a:1:1 Proof of Concept // PoC.js const fs = require'fs'; var parseURL = require"parse-url"...
Improper storage of authorization cookie on HTTPs pages
The authorization cookie used by the panel pufferauth is stored in the browser without using HttpOnly or Secure flags on the cookie...
Cross-site Scripting (XSS) - Stored
Description Titra is vulnerable to Stored XSS in the Task field when creating a new task in a project. Steps to reproduce 1.In the Overview tab, click on New project button. 2.Enter a project name and click Save. 3.Move to the Tasks tab in that project and click on New Task button. 4.In the Task...
Weak Password Policy
Description You can change your password in profile to a weak password. Proof of Concept 1. Login and go to your Profile 2. Use the password change feature or https://app.titra.io/changePwd 3. Enter your current password, fill the "Password" and "Password again" with 1 You can see your password h...
Stored XSS in Customer Company Name
Description The application inventree is vulnerable to Stored XSS in customer company name field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/11tKQzqKFobDEuqigsQYIdQhMnqSLIBsi/view?usp=sharing...
xss bypass of https://huntr.dev/bounties/4bc8f164-faf8-4096-aa00-e439fa976876/
Description xss bypass of https://huntr.dev/bounties/4bc8f164-faf8-4096-aa00-e439fa976876/ TESTED BROWSER google chrome Proof of Concept this bug has been fixed by setting text/xml content-type .\ But this can also be bypassed . Save bellow file as test.xml . Upload this and view the file and see...
xss filter bypass
Description xss check bypass Proof of Concept i see you you fixed https://huntr.dev/bounties/31aba7c9-edcf-44bf-9fd8-ca15d1fa53c8/ by using if !empty$this-web && !filtervar$this-web, FILTERVALIDATEURL .\ But this can be bypassed easily and cause xss .\ FILTERVALIDATEURL can be bypassed using url...
Stored Xss
Description Hi i found stored xss due to website field Proof of Concept 1. Create a new non-admin account 2. Login and goto http://localhost/invoices/EditAgenciaTransporte add new user with website link to "javascript:confirmdocument.domain" 3. Save user and navigate to http://localhost/invoices/...
Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept - it works on firefox not in chromium based browsers - login as admin - go to...
Cross-site Scripting (XSS) - Stored
Description he software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept - login as an admin - go to...
Cross-site Scripting (XSS) - Stored
Description Stored XSS found due to long name summarize Proof of Concept 1.First, access the latest version of the demo environment. https://www.rosariosis.org/demonstration/index.php 2.Then log in with your teacher account teacher/teacher 3.After logging in, access to add an assignment. 4.Then...
Improper authorization - receptionist can read all Clinic reports
Description Hi there openemr maintainers, I would like to report an improper authorization vulnerability in your source code. Proof of Concept 1. Install openemr in your system and create an admin account and a receptionist account 2. Log in as receptionist and see that you don't see Reports...
Controlled heap buffer overflow in SDP packet parsing
Description A malicious server can trigger an out-of-bounds heap write via a specially crafted SDP packet due to no bounds check when parsing time zone information into the AdjustmentTime and AdjustmentOffset fields of GFSDPTiming. Proof of Concept poc.py is available here terminal 1 python3 poc....
Bypass previous fix
Description Bypass previous report fix Proof of Concept it checks if returnurl starts with / . So, it can be bypasssed using //google.com . 1. Login in the demo instance https://demo.linkding.link/ 2. Go to https://demo.linkding.link/bookmarks/3/remove?returnurl=//google.com 3. You will be...
Cross-site Scripting (XSS) - Stored
Description Email tracking pixel hits store the user agent of the browser / mail client that opens the email. That user agens is not sanitised on input, but also not escaped on output in the template. This allows anonymous users to store XSS payloads in the timeline on their contact page Proof of...
File Descriptor Leak
Possible sensitive files Vulnerability description: A possible sensitive file has been found. This file is not directly linked from the website. This check looks for common sensitive resources like password files, configuration files, log files, include files, statistics data, database dumps. Eac...
Cross-site Scripting (XSS) - Stored in s-cart/core
Description Multiple Stored XSS exists in S-Cart Version 6.8.4 and below leads to cookie stealing of any victim that visits the affected URL. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie. Proof of Conce...
Heap-based Buffer Overflow in gpac/gpac
Description When fuzzing gpac with clang 10 I found a heap overflow. Proof of Concept pocgffprintf Crash stack trace aldo@vps:/gpac/bin/gcc$ ASANOPTIONS=symbolize=1 ASANSYMBOLIZERPATH=/usr/bin/llvm-symbolizer ./MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null...
None in gpac/gpac
Description Use After Free in gpac Proof of Concept MP4Box -bt POC4 MP4Box -bt POC5 POC4 is here. POC5 is here. ASAN ==414586==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100000007fc at pc 0x7f7926081250 bp 0x7ffd2e84f4a0 sp 0x7ffd2e84f490 READ of size 4 at 0x6100000007fc thread T0...
in livehelperchat/livehelperchat
Lack of server side validation An admin can delete his/her account by bypassing client side validation 1.Login in application as admin. 2.Nagiate to settings and create another user. 3.Now see the list of user, an admin can only delete other user account rather than his/her. 4.Click on delete and...
Cross-site Scripting (XSS) - Stored in saleor/saleor-dashboard
Description Because the dangerouslySetInnerHTML method is used to output the input value of the DOM, XSS vulnerabilities occur in many logics. Proof of Concept html " Impact Through this vulnerability, an attacker is capable to execute malicious scripts...
Cross-site Scripting (XSS) - Stored in outline/outline
Description outline is a fastest wiki and knowledge base for growing teams. Beautiful, feature rich, and markdown compatible. this package is vulnerable for stored XSS Proof of Concept Or here is the original video Impact This vulnerability is capable of Stored XSS...
Cross-site Scripting (XSS) - Stored in zikula/core
Description When inputting a name for a module category whether editing an existing one or adding a new one, you're able to inject your own Javascript, leading to it being executed. An example payload that you can enter is: xss and then each time that you click the category to expand it, your...
Cross-Site Request Forgery (CSRF) in e107inc/e107
Description Hi there, there is a Cross Site Request Forgery in e107 that allows an attacker to force admin user to repair a plugin. Proof of Concept 1. Install e107 in your system 2. Log in as adminstrator 3. Copy this link and paste to your browser:...
Cross-Site Request Forgery (CSRF) in e107inc/e107
Description Hi e107 team, I would like to report a CSRF in e107 source code. This is in install plugin feature Proof of Concept 1. Install a local instance of e107 2. Login as admin and access this link /e107admin/plugin.php?mode=installed&action=install&path=chatboxmenu 3. See that the pluglin...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description The lack of a CSRF token and validation of the request method gives the attacker the ability to delete DeleteReportFolder Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact The attacker has the ability to delete arbitrary report folders on behalf of the victi...
Inefficient Regular Expression Complexity in python/cpython
Description In recent cpython version 31ff9671 I discovered regular expression that is vulnerable to ReDoS Regular Expression Denial of Service. Vulnerability exists in EntryPoint class which is used to parse package/module entry-points. Proof of Concept Simplified PoC based on init.py Python...
Cross-site Scripting (XSS) - Reflected in tsolucio/corebos
Description Please enter a description of the vulnerability. coreBOS is vulnerable to Reflected XSS via activitytype in index Proof of Concept 1.After login, click poc url 2.select Activity Type // PoC.js...
Cross-site Scripting (XSS) - Generic in zikula/core
Description In zikula/core cross site scripting vulnerability is present in block module description field Proof of Concept 1. login to the demo account 2. go to blocks https://demo.ziku.la/blocks/admin/view 3. Add payload in title field and save 4 payload = " Impact This vulnerability is capable...
Cross-site Scripting (XSS) - Reflected in zikula/core
Description In zikula/core cross site scripting vulnerability in extension list name field. Proof of Concept 1. login to the demo account 2. go to extensions https://demo.ziku.la/extensions/module/modify/3 3. Add payload in displayname field payload " Impact This vulnerability is capable of stole...
in combodo/itop
Description csrf bug Proof of Concept bellow request is vulnerable to csrf attack history.pushState'', '', '/' document.forms0.submit;...
in janeczku/calibre-web
Description A user with no permissions about public shelves can edit his own private shelf making it public. This vulnerability is called Mass Assignment. Proof of Concept The file shelf.py at line 247 sets as public every shelf to be edited, so if the user injects the parameter ispublic=on in th...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description More unprotected CSRF endpoints that allows for state-changing operations. 1: GET /dashboard/moderation/1/approve 2: GET /requests/1/accept 3: GET /requests/1/reject 4: GET /requests/1/unclaim 5: GET /requests/1/reset Proof of Concept CLICK ME! Impact This vulnerability is capable of...
in cortezaproject/corteza-server
Description There's no bound limit to the number of "characters/special characters" in the name field of the user. Vulnerable Field: Full Name By sending a very long string it’s possible to cause a denial a service attack on the server. This may lead to the website becoming unavailable or...
Cross-Site Request Forgery (CSRF) in bookstackapp/bookstack
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
Description When uploading a new theme, the description of a theme can contain JavaScript code. This can be used for Cross-Site-Scripting. Proof of Concept I downloaded the Kompact theme https://github.com/jessedobbelaere/fork-cms-theme-kompact/archive/master.zip, extracted it and changed in...
in appendium/flatpack
Description The flatpack vulnerable to XML External Entity XXE. An attacker that is able to provide a crafted XML file as input to the parse function in the MapParser.java file may allow an attacker to execute XML External Entities XXE. Proof of Concept import java.io.File; import...
in tsolucio/corebos
Description Just like last report of mine there is another improper privilege management that test user can see other users special workflow contents like Tasks just go to this link that belong to admin from another users account...
Cross-site Scripting (XSS) - Reflected in tsolucio/corebos
Description Reflected XSS via upload of malicious SVG file. Proof of Concep 1: Upload SVG file via /corebos/index.php?module=Documents&action=DetailView&viewname=0&start=&record=8460& alertdocument.location; 2: Trigger the reflected XSS by visiting the malicious SVG file stored in the storage...
Cross-site Scripting (XSS) - Reflected in admidio/admidio
Description Have reviewed your fix for double URL encoding here: https://github.com/Admidio/admidio/commit/6b3820a574dc5f52243fbaafdb7089560c99d949 But it can easily be bypassed by triple URL encoding. Note: apparently after applying the above fix from Github on the machine, I cannot use the...
Open Redirect in forkcms/forkcms
Description When a user, who has access to admin page and who is not logged in, opens a page like http://forkcms.site/private/de/authentication?querystring=//google.de/ and the user enters their credentials, the user is redirected to https://google.de. When a user, who has access to admin page an...
Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq
✍️ Description The persistent or stored XSS vulnerability is a more devastating variant of a cross-site scripting flaw, it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description Hi, By continuing to look at the project I was able to find a new XSS stored. Although it seems to be filtered in some parts of the site, when sending a photo as a greeting card, it is possible to include an arbitrary payload in the text field leading to a stored XSS. From OWASP :...