4072 matches found
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
✍️ Description pimcore is a Open Source Data & Experience Management Platform PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce this package is vulnerable for Stored XSS thru gender tag 🕵️♂️ Proof of Concept 💥 Impact This vulnerability is capable of stored xss 📍 Location Gender.phpL21...
Cross-site Scripting (XSS) - Stored in sylius/sylius
✍️ Description Open Source eCommerce Platform on Symfony this package vulnerable for stored xss thru svg files 🕵️♂️ Proof of Concept https://i.imgur.com/UNqIg8l.mp4 💥 Impact This vulnerability is capable of XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is lead by adding Units description. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a Unit. 2. Enter " in the description. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
💥 BUG Stored xss via signup page 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/admin/pageSettings.php and click on Sign Up tab . Here allow signup.\ now put bellow xss...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️♂️ Proof of Concept Step to reproduce: Go to /admin/pageSettings.php?search-settings=smtp and the payload: ""@x.y in the "Senders...
Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager
✍️ Description The app/admin/pageDeleteMember.php?memberID= does not have a CSRF protection. This could be used by attackers to trick the admin to delete a member from their system. 🕵️♂️ Proof of Concept For this attack to work, a logged in admin, should visit the POC page...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored xss via employmentandincomehistoryview 🕵️♂️ Proof of Concept plz check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1wmBmdvdHTLORNc9det4HYj1Dtfd97Y/view?usp=sharing...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored xss in pageTransferOwnership.php where sourceMemberID parameter leads to xss which gets stored in pageViewRecords.php 🕵️♂️ Proof of Concept Steps to reproduce: 1. Go to admin account 2. Visit URL /app/admin/pageTransferOwnership.php?sourceGroupID=2&sourceMemberID="alert1 💥...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description There is a stored xss in member profile in the full name 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the Full Name field. 4. Update the profile and You will see an alert. 💥 Impact Stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS in the online invoicing system which could be exploited by any user who has permission to add the invoice. when a comment is added during the creation of invoices by any user then due to improper sanitization XSS payload gets triggered. 🕵️♂️ Proof of Concept...
Command Injection in sofianehamlaoui/lockdoor-framework
✍️ Description Unsanitized user input leads to command injection. 🕵️♂️ Proof of Concept // PoC whatweb CI https://drive.google.com/file/d/1mrYiu7oTaAm2qjLDKz23VMUkiujafTh/view?usp=sharing 💥 Impact command run as root. So an attacker could do potential damage to the machine...
in hascheksolutions/opentrashmail
✍️ Description Attackers can control the filesystem path argument to readfile at api.php line 35 for ?email= parameter, which allows them to access or modify otherwise protected files. Analysis Trace: 1. application take unsensitized input at: $email = strtolower$REQUEST'email'; 2. Assigning user...
Heap-based Buffer Overflow in rup0rt/pcapfix
Description A heap over flow was found in pcapfix in function fixpcapng in pcapng.c at line 1571 Test version : 1.1.6 2fe168e Test env: gcc 9.3.0 ubuntu 20.04 x86-64 Proof of Concept CFLAGS="-fsanitize=address" make ./pcapfix poc poc is attatched in reference link c ==618350==ERROR:...
Server-Side Request Forgery (SSRF) in kalcaddle/kodexplorer
✍️ Description SSRF via SVG due to improper processing of SVG files. 🕵️♂️ Proof of Concept Payload: https://drive.google.com/file/d/1q-GHJ01p8Ssok1GWN-QxSznBy1JGvY8x/view?usp=sharing Download and upload it on the server and run the server on port 8000 and then view the file. 💥 Impact This...
None in babybuddy/babybuddy
✍️ Description Improper restriction at login portal which lets an attacker brute force user's accounts. 🕵️♂️ Proof of Concept Video POC: https://drive.google.com/file/d/1udzAGroSqDbEqPRYlUzv7bHgHq7oMNuk/view?usp=sharing You will get 200 for incorrect as it opens the same page for login and 302...
in kestasjk/webdiplomacy
✍️ Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The file https://github.com/kestasjk/webDiplomacy/blob/07de41f21192b0b611af343bc0d880c1de78d194/header.php does not set the response header X-Frame-Options: DENY. This issue can be found from...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description Reflected XSS in shutdownRemoteFPP.php when a user asked to provide an IP in URL, resulting in XSS 🕵️♂️ Proof of Concept https://drive.google.com/file/d/1RXF4AO1j7OFfr7RhU1ZM0yPftd0qsxHt/view?usp=sharing payload: alert111 💥 Impact This vulnerability is capable of Reflected XSS...
Cross-site Scripting (XSS) - Stored in typecho/typecho
💥 BUG Stored xss against higher level user 💥 IMPACT I see there is no xss protection in post writing ,allow to execute javascript command .\ There is many type of role like admin,contributor etc .\ So, here contributor user can write a post with xss payload and when admin open this post then xss ...
Classic Buffer Overflow in falconchristmas/fpp
✍️ Description Hi, There are multiple .bss buffer overflows in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/fpp.cL64 : c char command8192; char response256; // int main int argc, char argv memsetcommand, 0, sizeofcommand; SetupDomainSocket; ifargc1 //...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description Hi, In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/virtualdisplay.phpL14 you create a variable canvasWidth that will be used and reflected multiple times without sanitizing user input : php Later in the script : another PHP file will be...
Heap-based Buffer Overflow in mcfriend99/bird
✍️ Description Heap-based Write Violation. Certain input programs can result in write access violations by the syntax checker component of the interpreter. One such program writes 23 bytes onto the heap outside of bounds and may result in arbitrary code execution and memory leaks. 🕵️♂️ Proof of...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG unprivileged user can download file of a agenda 💥 IMPACT user dont have access to specific agenda but still can download file uploaded to this agenda . 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEP TO REPRODUCE 1. First goto admin account and add user B as normal user .\ Now give user B...
Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
✍️ Description dolibarr is vulnerable to XSS. It is possible to upload SVG files containing JavaScript code. 🕵️♂️ Proof of Concept SVG file content: html alertdocument.domain; 1. With an authenticated user, access http://localhost/societe/card.php?action=create&leftmenu=. 2. Write any content in...
Heap-based Buffer Overflow in croatiacontrolltd/asterix
✍️ Description Whilst experimenting with asterix, built from commit f44cfea, compiled with Clang 10 + ASan on Ubuntu 20.04.2 LTS, we are able to induce a heap-buffer-overflow in DataItemBits::getBits asterix/src/asterix/DataItemBits.cpp:125. Since there is no bounds checking, when the software...
in koel/koel
✍️ Description Koel is lacking any form of rate limiting in the login form, thus allowing an attacker to brute force their way in. 🕵️♂️ Proof of Concept - Spin up an instance of Koel. - Open up burpsuite and capture a login request, send it to intruder, set your options and run. - 401 is shown...
Cross-site Scripting (XSS) - Stored in knadh/listmonk
✍️ Description Hello, I found stored xss on Logs while creating new campaign works with other stuff not only campaign 🕵️♂️ Proof of Concept https://drive.google.com/file/d/1Y5CMQdfzzdWwcCsQ8y85GgWPOilJVOgo/view?usp=sharing sorry for bad quality Payload: asdf" 💥 Impact xss...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description FalconChristmas/fpp suffer from a XSS vulnerability. In https://github.com/FalconChristmas/fpp/blob/master/www/playlists.phpL15 we see : php var initialPlaylist = ""; XSS is possible because the playlist variable isn't sanitized before reflection in the webpage. 🕵️♂️ Proof of...
Cross-site Scripting (XSS) - Reflected in coppermine-gallery/cpg1.6.x
✍️ Description Coppermine is vulnerable to XSS attacks on /plugins/uploadh5a/help.php because it doesnt sanitize user supplied parameters as shown below. Vulnerable variable: t Method: GET The $styles variable is constructed using the user supplied data, and then is echo in the response. $styles =...
Cross-site Scripting (XSS) - Generic in bigprof-software/online-invoicing-system
✍️ Description A cross-site scripting XSS issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "filtererclient" Parameter 🕵️♂️ Proof of Concept You can find installation instructions here: https://bigprof.com/appgini/applications/online-invoicing-system Vulnerable...
Prototype Pollution in indlekofer/object_set
Description Prototype Pollution in @indlekofer/objectset Proof of Concept 1. Create the following PoC file: // poc.js var objectSet = require"@indlekofer/objectset" var obj = console.log"Before : " + .polluted; objectSet.defaultobj,"proto","polluted","Yes! Its Polluted"; console.log"After : " +...
Code Injection in facebookresearch/parlai
Description ParlAI pronounced “par-lay” is a python framework for sharing, training and testing dialogue models, from open-domain chitchat to VQA Visual Question Answering. Vulnerability description Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Run exploit.p...
Lambda Layer `safe_mode=None` Guard Bypass — Arbitrary Code Execution via `from_config()`
This report is not public...
XSS via unsanitized `text/vnd.mermaid` output in nbconvert HTML export
This report is not public...
Unauthenticated remote shutdown in nltk.app.wordnet_app
This report is not public...
Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution
Description Analyzed project version: MLflow 3.9.0 /version, commit 6e61043b0ff5d845bea479d7e7ea24dcd4b2c629. In MLflow 3.9.0, a new feature called MLflow Assistant was introduced, intended only for local development and designed to integrate with Claude Code accepting requests only from loopback...
XSS in Chat Message Leads to Account Tackover
Description The vulnerability resides in the data persistence layer of the application. The fromdict method in the AppLollmsMessage class acts as a "sink" for raw data. It retrieves the content value from an input dictionary and assigns it directly to the object without any form of sanitization o...
Stored XSS in Home Feed via Post Content Lead to Account Takeover
Description A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of the application. The backend fails to sanitize user-provided content in the post creation endpoint. This allows an attacker to inject and store malicious JavaScript, which is then executed in the...
Improper Access Control via Weak JWT Token Leads to Admin Takeover and Privilege Escalation
Description The application's session management is vulnerable to Authorization Bypass and Vertical Privilege Escalation. During dynamic analysis of the application's authentication flow, I discovered that the JSON Web Tokens JWT are signed with a weak secret key. This allowed me to perform an...
TFSMLayer bypasses `safe_mode=True`, allowing attacker-controlled code execution during model inference
Summary TFSMLayer allows loading attacker-controlled TensorFlow SavedModels when deserializing a .keras model, even when safemode=True the default. While TensorFlow does not execute SavedModel functions during load, the attacker-controlled graph is registered during deserialization and executes...
Unauthenticated File Upload in LollMS
Executive Summary A critical security vulnerability has been identified in LollMS that allows unauthenticated users to upload and process files through the /api/files/extract-text endpoint. This endpoint lacks authentication requirements, contradicting the application's documented "Secure...
Server-Side Request Forgery (SSRF) in LollMS Export Content
Executive Summary A security vulnerability has been identified in LollMS that allows Server-Side Request Forgery SSRF attacks through the /api/files/export-content endpoint. The downloadimagetotemp function downloads images from arbitrary user-controlled URLs without validation, allowing attacker...
Insecure Direct Object Reference (IDOR) in LollMS Friend Request Response
Executive Summary A critical security vulnerability has been identified in LollMS that allows any authenticated user to accept or reject friend requests belonging to other users. The respondrequest function lacks authorization checks, enabling Insecure Direct Object Reference IDOR attacks. Affect...
Apache Arrow IPC cached prebuffer path triggers signed integer overflow UB in read-range coalescing
Description Apache Arrow C++ commit d89c14b5d5203bc403fb62060fdf1ef2c0a49339 contains a signed integer overflow undefined behavior in the IO range coalescing logic, specifically in arrow/cpp/src/arrow/io/interfaces.cc:475 arrow::io::internal::CoalesceReadRanges. The overflow is reachable from...
Arbitrary File Read via FileSystemPathPointer + PlaintextCorpusReader (bypass even if nltk.data.find() is patched
This report is not public...
SQLite Operator-Based SQL Injection Vulnerability in LangGraph
This report is not public...
Brotli decompression bomb DoS
Description urllib3 can not stream brotli-encoded responses properly unlike the way it handles gzip responses. It always loads entire decompressed response body into memory when reading brotli-encoded response, which allows malicious servers to perform DoS attack by responding with decompression...
H2O-3 MySQL JDBC Driver Deserialization Vulnerability_Key-Value Bypass Parameter Inspection
Creator: zack H2O-3 Version: 3.46.0.7、3.47.0.6928 MySQL JDBC Driver Version: 8.0.19 JDK Version: 8u112 Description There is a JDBC deserialization vulnerability in the H2O-3 REST API(POST /99/ImportSQLTable) that does not require authentication. This vulnerability can lead to Remote Code Executio...
Environment Variable XSS in Analytics Component
Description A critical stored Cross-Site Scripting XSS vulnerability exists in the Analytics component of lunary-ai/lunary where the NEXTPUBLICCUSTOMSCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows...
Regular expression Denial of Service - ReDoS
Description A regular expression denial of service ReDoS vulnerability has been identified in the Hugging Face Transformers library's weight conversion utility. The vulnerability exists in the converttfweightnametoptweightname function, which converts TensorFlow weight names to PyTorch format. Th...
Divide By Zero lead to DOS
This report is not public...