4072 matches found
heap-buffer-overflow in vim_strrchr
Description heap based buffer overflow in vimstrrchr at strings.c:682 Vim Version git log commit ea83c194625e51c28a2796eba9ba87b0b9ab23e0 HEAD - master, tag: v9.0.1414, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S POCvimstrrchr -c :qa!...
SQL Injection
Description In '/core/ajax/ajaxselect2.phpL989' php "istrash = 0 and datebatchexpirydate = curdate and batchnumber LIKE '". $search ."%'" $search from: php $search = isset$GET'q' ? $GET'q' : ""; no sanitize. Poc http GET /info/?module=select2&page=batchList&q=1'union/%23&pid=1/select+111,222%23...
stored xss
Description stored xss bug SUMMURY here i uses demo installation https://demo.limesurvey.org/ in firefox browser Proof of Concept login into any user account who has permission to view the survey and visit url...
reflected xss
Description reflected xss SUMMURY here i uses demo instalation https://demo.limesurvey.org/ in firefox browser Proof of Concept login into user account and visit...
XSS in user supplied title
Issue The useHead function does not sanitize tags inserted in each property, including the title property. Context The useHead repository is a wrapper around vueuse/head which wraps unjs/unhead which wraps harlan-zw/zhead. The possibility of XSS is not described as being a vulnerability in the ro...
Xss in compose mail functionaility
Description Reflected cross-site scripting or XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept - Step1: login as normal user. - step2: click on webmail and click on compose. - step3: now enter "...
Stored XSS in Week View Plugin
Description Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of an...
Weak Password Implimentation
Description: We can change the password with just 1 character when we use change password function. Proof of Concept When you change password, just press any character and then submit. You will see "Your password has been changed"...
XSS in dp.la
Description dpla-frontend which is a frontend application of dp.la is vulnerable to XSS. Proof of Concept...
Path Traversal – Reading Certain File Extensions
BigBlueButton 2.5.6 is vulnerable to a path traversal vulnerability, that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions txt, swf, svg, png. PoC: 1- Submit a request to...
Incorrect API design lead to Site wide CSRF
Description By design, the api body only accepts is json values. But we can send with non-json values, beside, api accept auth from accessToken in Cookie. All of that leads to many other consequences, typically csrf. Example: CSRF - promote normal user to admin Origin Body id:...
Reflected XSS via "idlist" parameter
Description The value for the idlist parameter is reflected in the web context without proper filtering in place resulting in possibility to execute malicious javascript code. Testing Environment 1. Windows OS 2. Firefox Browser Proof of Concept 1. Visit...
UI Redressing
Description Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills...
Cross-Site Request Forgery (CSRF)
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept PoC.html history.pushState'', '', '/' document.forms0.submit;...
Open Redirect
📝 Description The redirect get variable in login page isn't properly checked. Currently, it check if url.scheme and url.netloc are empty using urllib. py parsed = urlparseredirecturl check if redirect url is valid if parsed.scheme != "" or parsed.netloc != "": logger.warning f"Got an invalid...
curl_auth not cleared on downgrade
Description Guzzle recently fixed a vulnerability related to "Authorization" handling on downgrade here - https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q. However, there also exists another code path, for which Guzzle uses a Authorization header located when it uses diges...
Stored XSS in Customer Company Description
Description The application inventree is vulnerable to Stored XSS in customer company description field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/19l7W3MMeTdhQzroutdDBBIdIVLGhQtw1/view?usp=sharing...
Generation of Error Message Containing Sensitive Information
Description The software generates an error message that includes sensitive information about its environment, users, or associated data. Proof of Concept When logging in, the login page will tell you whether or not a username exists which is a vulnerability since it can be paired with the lack o...
User Account Deletion and more via Clickjacking
Description As nakama console is not restricted from being loaded in an iframe, clickjacking attack is possible. Proof of Concept 1. Login to nakama console. 2. Save the following as an .html file and open it in the browser to see that the page loads into an iframe. html :"...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept Go to this URL:...
Regex check failed leads to CORS bypass
Description ProxyServlet will call getCorsDomain to get value and set it to Access-Control-Allow-Origin. This check only allow accept sharing with .draw.io, .diagrams.net and .quipelements.com. However, I found that regex to match must not start with ^ leads to bypass. Proof of Concept Step 1: Ca...
Cross-Site Request Forgery (CSRF)
Summary: Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. ... If the victim is an administrative account, CSRF can compromise the entire web application. Steps To Reproduce: 1.Create a...
Denial of service
Affected commit 49b8cef31f01c0d88d874e17714dff1fa5b85df0 Proof of Concept ruby= raise SystemStackError.new BasicObject.new Expected: Raise exception without abort the software Case output: bash= root:/mruby/mruby/bin ./mruby poc.rb poc.rb:1: can't convert BasicObject into String TypeError Aborted...
Exposure of Sensitive Information to an Unauthorized Actor
Description Attacker can be able to download file from system. Proof of Concept 1.Login as student - Go to GRADES - Assignments - Submit a file to a random assignment - save. 2.Attacker with or without account can be able to download through this URL...
Cross-site scripting - Stored via upload ".msg" file
Description When user upload file with .msg extension in white-list, but when access this file, server not reponse with Content-type header, so this file can execute javascript code as Content-type: text/html Proof of Concept POST /microweber/plupload HTTP/1.1 Host: localhost User-Agent:...
HTML Injection in Subscan view
Description HTML code is executed in the Subscan feature Proof of Concept 1. Add a scan engine: HTMLInjection 2. Go to "subdomains" for a target and add a Subscan using the scan engine. 3. Initiate a Subscan 4. View the subscan...
unprivileged user can see user details like email,role etc
Description view-only user can see user details like email,role etc.\ I see there is different type user role in nakama. Based on role user have some limit .But this bug is a privilege escalation bug Proof of Concept 1. From super admin account add a new user called user-B with view-only...
Article comment storage XSS
Description The code does not filter the input content, resulting in the insertion of: " The administrator views the comment list in the background and triggers XSS, which can be used to obtain the administrator cookie Proof of Concept POST /comment/index HTTP/1.1 Host: demo.jizhicms.cn User-Agen...
Open Redirect
Description parse-url parses the url as https://google.com::/test, and if two or more colons are inserted in the port part, the port is parsed as one hostname. txt - node - url.parse ❯ node -e 'console.logrequire"url".parse"https://google.com::/test"' Url protocol: 'https:', slashes: true, auth:...
Improper Access Control in alanaktion/phproject
Description The application has a vulnerability that allows anonymous users to download files on the server. In addition, when authenticated user deletes a file in an issue, the file is only unlinked, not completely deleted on the server. That results in anonymous users being able to download the...
in delgan/loguru
Description Loguru is vulnerable to log injection on all logging methods as it is possible to inject newlines "\n" which will create a new log entry in the logfile. This can lead to attackers tampering with logs and a loss of integrity of the log files as a result Proof of Concept from loguru...
Cross-site Scripting (XSS) - Stored in pimcore/data-hub
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you change the value of Group at "Datahub" in the pimcore service. Proof of Concept XSS POC : " txt 1. Open the...
Cross-site Scripting (XSS) - Reflected in gibbonedu/core
Description There's a reflected xss in the tab parameter in both the student dashboard and the staff dashboard Proof of Concept Visit http://localhost/gibon/index.php?tab=asd%3C/script%3E%3Csvg/onload=alert1%3E Impact This vulnerability is result to xss which then can be used to achieve more thin...
in jesusfreke/smali
Description The loadResourceIds function makes use of SAXParser generated from a SAXParserFactory with no FEATURESECUREPROCESSING set, allowing for XXE attacks. In...
Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq
Description When creating a link using the editor function, the Stored XSS vulnerability occurs because a javascript scheme can be used. Proof of Concept txt 1. Go to campaigns - Mailing Campaigns - Editor 2. Enter the URL: javascript:alertdocument.domain 3. After, Click the URL Video :...
in michaelrsweet/htmldoc
Description In gifreadimage, in image.cxx, gifreadlzw might return a value greater than 255, which results in an out of bounds read, leading to denial of service. c typedef uchar gifcmapt2563; / ... / static int / I - 0 = success, -1 = failure / gifreadimageFILE fp, / I - Input file / imaget img,...
Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' Impact This vulnerability is capable of forging users to unintentional logout. More Detail One way GET could be abused here is that a person competito...
Cross-Site Request Forgery (CSRF) in yeswiki/yeswiki
Description Hey all, so i found that YesWiki doesn't implement any sort of anti-csrf mechanism, i found that the change email function is vulnerable to CSRF attacks which leads to Account Takeover. Proof of Concept Exploitation Scenario: - An attacker sends the above PoC to the victim. - rather...
Open Redirect in ikus060/rdiffweb
Description ikus060/rdiffweb is vulnerable to open redirect at login page. Proof of Concept https://rdiffweb-demo.ikus-soft.com/login/?redirect=https://attacker.com after login to the above url it redirect to attacker .com Impact This vulnerability is capable of redirecting to malicious website...
Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Open Redirect in collectiveaccess/providence
Description I find a way to bypass the Open Redirect at the login page with the "redirect" parameter. Vulnerable parameter redirect Payload https://[email protected] Proof of Concept Send users the following login link...
Path Traversal in rhizome-conifer/conifer
Description misconfigurations of nginx lead to a path traversal vulnerability. Proof of Concept An attacker can access files like this: https://conifer.rhizome.org/static/app../admin.py https://conifer.rhizome.org/static/app../config/wr.yaml Impact An attacker can access files on the web server t...
Cross-Site Request Forgery (CSRF) in microweber/microweber
Description There is a CSRF on Delete Cart Item in users side. I get this error "Item not removed from cart" message but the item already will be deleted.message isn't correct and the delete action will be done Proof of Concept // PoC.html history.pushState'', '', '/' after that you click on subm...
SQL Injection in forkcms/forkcms
Description When an authenticated user exports translations, the user calls an URL like this: http://forkcms.site/private/de/locale/export?token=5z0ao1nk4p&type%5B0%5D=lbl&language%5B0%5D=de The parameter type0 and language0 are both vulnerable for SQL injection. Proof of Concept PoC for paramete...
Inefficient Regular Expression Complexity in cfinke/typo.js
Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in typo-js. It allows causing a denial of service when calling function removeAffixComments. Proof of Concept // PoC.js var Typo = require"typo-js" var emptydict = new Typo; forvar i = 1; i = 50000; i++...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description There is one more low level CSRF : make on/off a task of workflow history.pushState'', '', '/' document.forms0.submit;...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in tsolucio/corebos
Description Session cookie is not marked with 'Secure' Proof of Concept Login to demo page http://demo.corebos.com/index.php?action=index&module=Home Open Firefox developer option - storage - check secure option...
Session Fixation in microweber/microweber
Description If a usernot admin already logged in the system and then admin inactivated the user, user remain active until he/she logged into the system...
in mruby/mruby
Description SEGV on mrbarypush Proof of Concept 1.times 0 0,o:0 = and 0 Result /asan/mruby/bin/mruby crash.rb AddressSanitizer:DEADLYSIGNAL ================================================================= ==68494==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 pc 0x560ae5baa377 ...
in mruby/mruby
Description Please enter a description of the vulnerability. Proof of Concept super super Result /asan/mruby/bin/mruby /crash.rb AddressSanitizer:DEADLYSIGNAL ================================================================= ==18265==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030...