4072 matches found
Regular expression Denial of Service - ReDoS
Description A regular expression denial of service ReDoS vulnerability has been identified in the Hugging Face Transformers library's configuration file resolution mechanism. The vulnerability exists in the getconfigurationfile function, which uses the vulnerable regular expression pattern...
XML Entity Expansion vulnerability in Sitemap parser
Description There is an XML entity expansion billion laughs vulnerability in the sitemap parser. When accessing a malicious Sitemap XML, this results in a Denial of Service. Vulnerable class: import urllib.request import xml.etree.ElementTree as ET from typing import List from...
Unauthenticated Stored XSS via dangerouslySetInnerHTML
An UNAUTHENTICATED attacker can achieve stored cross-site scripting XSS by injecting malicious JavaScript the v1/runs/ingest if he adds an empty citations field to trigger a code path where dangerouslySetInnerHTML is used to render the attacker controlled text. This vulnerability allows the...
A DoS attack occurred in run-llama/llama_index due to inappropriate secure coding measures
Description A DoS vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llamaindex project, and this issue has been reported see the link below: Huntr Report : https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8 However, due to the developer's...
Bug Bounty Report: Command Injection Vulnerability in subprocess Call
This report is not public...
Denial of Service(DOS) in LangChainLLM due to missing exception handler.
Summary The streamcomplete method of the LangChainLLM class executes the llm using a thread and retrieves the result of the llm via the getresponsegen method of the StreamingGeneratorCallbackHandler class. During this process, getresponsegen recursively detects the onllmerror and onllmend events...
AutoGPT SSTI Vulnerability Leading to Remote Code Execution (RCE)
Summary AutoGPT, an open-source AI tool that automates task execution, is vulnerable to a Server-Side Template Injection SSTI that could lead to arbitrary command execution. The vulnerability arises from the improper handling of user-supplied format strings in the AgentOutputBlock implementation,...
A SQL Injection in DuckDB via prompt can lead to RCE
Target Link Description sql = f""" SELECT ftsmainself.tablename.matchbm25self.nodeidcolumn, 'query' AS score, self.nodeidcolumn, self.textcolumn FROM self.tablename WHERE score IS NOT NULL ORDER BY score DESC LIMIT self.similaritytopk; """ The duckdbretriever performs "search using string" and...
Arbitrary File Overwrite & RCE via Tarfile Path Traversal
Description The DJL package utilizes an untar function, for example, when downloading and saving models. Additionally, the untar function overwrites existing files. Therefore, the untar method includes the following two security measures to prevent misuse of its functionality. 1. Security measure...
Improper access of prompt data by another user.
Description Another user can able to see the prompts data of a particular users. Proof of Concept let promptid be the prompt id of user 1 visit http://127.0.0.1:8080/prompts/promptid from another users user 2 session user 2 can see the user 1 promptid's data. Previously it was reported by some on...
Improper Access Control Allows deleting other users' reminders
Description Because the report I reported before was exploited on the public, I created a new report to exploit on the local machine The vulnerability allows users to delete other users' prompts on the system via the groupid parameter Proof of Concept const deletePromptController = async req, res...
Not limitation of upload file size, lead to server crash
Description librechat use multer, which is a middleware which handles streaming multipart fileupload. If use in memory storagemulter by default, can do not limit the upload file size, when handling big file, server will crash for out of memory. Attacker with no privilege can exploit this. Proof o...
Denial of service by tracking large images
This report is not public...
SSRF due to insufficient patch of CVE-2024-5822
This report is not public...
(Blind) Stored XSS through the debug_log.html generated by the Latex Proof-Reading Module
This report is not public...
Denial of service cause by unhandled exception
Description In javascript express, if async router handler throw an exception, the whole server will crash. In librechat, middleware checkBan is not surrounded by try catch block. This middleware, under some crafted payload, will throw exception and cause server crash. This poc can be exploited b...
Denial of Service(DOS) in KnowledgeBaseWebReader
Target Target Description KnowledgeBaseWebReader class recursively calls getarticleurls method. If the attacker can control a url variable to contain the root URL, it can lead to infinite recursive calls involving the same root URL repeatedly. This would cause a Denial of Service DoS scenario,...
XSS in the edit HTML
This report is not public...
SSRF via POST /internal/models/download and GET /view REST APIs
This report is not public...
Missing access control on endpoint to list all evaluations in lunary-ai/lunary
Description The /v1/evaluators/ route allows users to fetch all evaluators of a project by sending a GET request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can access evaluator data. The current implementation: Does not...
RCE & Full Read SSRF & Arbitrary File Read in /web_crawl endpoint
Description The webcrawl function in documentapp.py contains a RCE vulnerability. This function receives the URL parameter, accesses and obtains the HTML content of the URL through Chromium headless, and converts the HTML content into a PDF file. Users can obtain the converted PDF file through th...
Stored XSS in description of theme
Description The attacker can execute JavaScript code through the theme's description. Proof of Concept Step 1 : - Choose any theme to upload i used a copy of vanila theme - Open theme folder and change description tag of config.xml file vanilla Bootstrap Vanilla theme 16/10/2017 LimeSurvey GmbH...
Broken Access Control on Private Message Function
Description There is 2 issues I found in one function. A = admin B = user1 C = attacker. Scenario 1: A send private message to B with subject "testing". B or C can change the subject, this will disturb Integrity of the messages as long as they know the UUID messages. Scenario 2: A send private...
Stored XSS on Survey "Notification and data function"
Description Users with edit and update survey permission can perform an XSS Proof of Concept Log in with any user with this permission Update the "Send basic admin notification email to" field with this value test" Access the survey and the payload will be triggerred...
Stored XSS on user "Category report" function
Description An attacker can inject malicious executable scripts into the code of the Name field Proof of Concept Log in as an admin or any member with the right access to the Category report - Configuration function. Insert this payload into the "Name" field General role assignment" autofocus...
Improper Authorization leads to privilege escalation
Description The application improperly performs user authorization, resulting in a user with the user management role being able to modify their own permissions or those of others. Proof of Concept Step1: The highest-level administrator or an administrator with the permission to create roles...
Cross-site Scripting (XSS) - Stored
Description The stored XSS vulnerability found in the caliber-web application is a security flaw that allows an attacker to execute malicious code in a user's browser. The vulnerability affects the "/ajax/pathchooser/" endpoint and is present in the "path" parameter, which is sent via the GET...
Stored XSS in front/dashboard_helpdesk.php
Description Under the super-admin view, when adding a card to a dashboard, some more parameters are sent when the POST request is made. Those parameters later constitute an HTML div section in the response body. It is possible to modify the request, inject one of those parameters value which will...
Site-wide CSRF (Bypass Strict Cookie) leave to Website Takeover
I reported this vulnerability once a long time ago, but you still haven't fixed it. I report back to remind you need to fix it. Description At the api/hooks.unfurl, when sending a post request containing a param challenge, the server will return the value of that param, which inadvertently leave ...
Stored XSS - Entity name not sanitize in Ticket creation page
Description An Administrator can set a Cross-Site Scripting XSS payload inside an entity name. This XSS will be executed on the Ticket Creation page Menu - Assistance - Create Ticket. Proof of Concept 1. Set an XSS in Entity name 2. Go to the "Create Ticket" page 3. XSS is excuted...
Stored XSS in Django Admin Portal
Description Django-treebeard suffers from a stored XSS in the TreeAdmin class when certain preconditions are met. The XSS it's triggered when a privileged user visit a page in the django admin portal. In order to successfully exploit this vulnerable, three pre-conditions should occur: 1. 1 a Djan...
Accept weak password in reset-password function
Description Step to reproduce: 1. Go to https://book.dansmonorage.blue/password-reset. 2. Type your email and recieve reset password link. 3. Enter a as new password and success. Proof of Concept POST /password-reset/D4VUXDL5 HTTP/2 Host: book.dansmonorage.blue Cookie:...
Multiple Stored XSS
✍️ Description The persistent or stored XSS vulnerability is a more devastating variant of a cross-site scripting flaw, it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular...
Reflected XSS in "cbSurvey" module
Description Reflected XSS due to bad sanitization of "idstring" parameter in cbSurvey module. Proof of Concept https://demo.corebos.com/index.php?module=cbSurvey&action=cbSurveyAjax&file=MassEdit&mode=ajax&idstring=" onfocus=javascript:alertdocument.domain type=txt autofocus="...
Cross site script
Description 1.Create a new recipe. 2.Edit this recipe and add this payload 3.Save the recipe and reload the recipe page...
Stored XSS
Description Stored XSS in ListAgenciaTransporte module in facturascripts is triggered when clicking the scrolling middle mouse button. Proof of Concept 1.Create a new non-admin account 2.Login and goto http://localhost/invoices/EditAgenciaTransporte 3.Add new user with website link to...
Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept - it works on firefox not in chromium based browsers - login as admin - go to...
Reflected XSS
Description Privacy Consent in ForkCMS v 5.11.0 Setting unsanitized user input resulting in Reflected XSS. Proof of Concept Endpoint 1 http://IP/private/en/settings/index Step 1 Login to ForkCMS 2 Go to Settings - General 3 Insert payload on "Technical Name" user input at "Privacy Consent" panel...
Improper Input Validation
Description There is a lack of input length validation in phone number field at the checkout product where any user may able to add more than 5000+ character which shouldn't be allowed . Our expected result should be only 255 character should be allowed Steps to Reproduce In the Shop , checkout...
Improper Access Control in liangliangyy/djangoblog
Description "formvalid" function in comments/views.py file performs the task of saving user comments. However, this function doesn't check the status of article, so users can leave comments on draft article or public article with commentstatus is off. Proof of Concept - Step 1: Login as admin in...
Improper Authorization in bytebase/bytebase
Description Hello bytebase team, there is an improper privilege management in bytebase source code. This allows a user to view another user inbox. Proof of Concept 1. Install bytebase, create new user user1and user2 2. Login as user1, go to this link /api/inbox?user=user-id and change user-id to ...
Static Code Injection in gibbonedu/core
Description The file export.php accepts a directory in the q parameter. We can upload a txt file in the server with our php exploit on it and pass its location in the q parameter, then the php exploit in the uploaded txt file will be executed Proof of Concept 1. Upload a txt file. Inside the txt...
in mybatis/generator
Description The isConfigFile function makes use of SAXParser generated from a SAXParserFactory with no FEATURESECUREPROCESSING set, allowing for XXE attacks. In...
in jetbrains/kotlin
Description The ModuleXmlParser.parse function makes use of SAXParser generated from a SAXParserFactory with no FEATURESECUREPROCESSING set, allowing for XXE attacks. In...
Type Confusion in lirantal/daloradius
Description During the comparisons of different variables, PHP will automatically convert the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12' or check whether or not a string is empty by using a comparison like $string == True. This, however...
Cross-Site Request Forgery (CSRF) in e107inc/e107
Description Hi there e107 team, there is another CSRF on your downloading plugins feature Proof of Concept 1. Install a local instance of e107. 2. Log in as admin 3. Access this link...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description When adding a menu after logging in with an administrator account, there is no verification of the URL value, so the XSS payload is stored in the DB. After that, when you click the saved menu, XSS is triggered. If an administrator adds a menu, normal users can click it too. Proof of...
Cross-site Scripting (XSS) - Reflected in openwhyd/openwhyd
Description openwhyd is vulnerable to Reflected XSS vulnerability via the redirect parameter at login page. Payload alertdocument.cookie Vulnerable URL https://openwhyd.org/login?redirect=alertdocument.cookie Proof of Concept Send users the following login link...
Cross-site Scripting (XSS) - Reflected in yeswiki/yeswiki
Description Hey all, i found that the search function of YesWiki integrates the searched term into a value attribute inside an input tag, for example if i do a search on sneaky for example, it will put the term sneaky inside a value attribute: html now if i add a double quote to the searched term...
Cross-Site Request Forgery (CSRF) in gunet/openeclass
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...