4072 matches found
Cross-Site Request Forgery (CSRF) in gunet/openeclass
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Session Fixation in admidio/admidio
Description Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new session...
Session Fixation in tsolucio/corebos
Description Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new session...
Open Redirect in collectiveaccess/providence
Description I found a new way to bypass the Open Redirect with the "redirect" parameter on the login page. Vulnerable parameter redirect Payload https://demo.collectiveaccess.org.example.com Proof of Concept Send users the following login link...
Cross-Site Request Forgery (CSRF) in baijunyao/laravel-bjyblog
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Heap-based Buffer Overflow in hoene/libmysofa
Description The variable st-filtlen in the function speexresamplerresetmem is not checked to see if it is 0 before it is used, and after subtracting one, it becomes 0xffffffff, causing heap overflow Proof of Concept src/mysofa2json -c poc ==30201==ERROR: AddressSanitizer: heap-buffer-overflow on...
Session Fixation in tsolucio/corebos
Description I created a user with username test then I log in with test in the same time on another session I delete the user test as an admin. but the user test that already logged in before that admin delete it is able to do anything that he could do before. you should kick out the users after...
Cross-site Scripting (XSS) - Reflected in pkp/omp
✍️ Description i was able to perform a Reflected XSS against your website/repository. The Reflected XSS vulnerability occurs when the data provided by the attacker is not sanitized by the server, and then reflected "normal" pages returned to other users in the course of regular browsing. Proof of...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in publify/publify
Description Session cookie publifyblogsession is not marked with 'Secure' Proof of Concept Login to demo page https://demo-publify.herokuapp.com/ Open Firefox developer option - storage - check secure option Below link shows POC https://i.ibb.co/j3K5YDg/Screenshot-45.png...
in mruby/mruby
Description NULL Pointer Dereference on mrbfullgc Proof of Concept // PoC.js def lambda = super lambda = @a ... ; lambda Result /asan/mruby/bin/mruby crash.rb AddressSanitizer:DEADLYSIGNAL ================================================================= ==354==ERROR: AddressSanitizer: SEGV on...
in craigk5n/webcalendar
Description it can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page save the script as clickjacking .html and page will render in iframes...
in netdisco/netdisco
Description it can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page save the script as clickjacking .html and page will render in iframes below link show...
Improper Authorization in blair2004/nexopos-4x
Description No authorization in downloading customer export file. Proof of Concept 1. Access this link in browser without logging in: http://v4.nexopos.com/export/customers-list.csv 2. See that you can download customer list file without logging in. Impact This vulnerability is capable of exposur...
Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept // PoC POST Request: https://demo.opensourcepos.org/messages/send/ Data:...
Open Redirect in collectiveaccess/providence
Description Open Redirect on Login with parameter ?redirect= Proof of Concept // PoC.request POST /system/Auth/DoLogin HTTP/1.1 Host: demo.collectiveaccess.org Cookie: cademo=ea7632ab-0ad8-4b0f-939f-9e292f232ff6; CAcademouilocale=enUS User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in spiral-project/ihatemoney
Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/10p4ejCFsLA6LO32nPNTRKqZjlqVHVpUf/view?usp=sharing Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP...
Session Fixation in alovoa/alovoa
Description On changing password both session using which user changes password and old sessions in any other browser or device does not expire and remains active. Proof of Concept STEPS TO REPRODUCE: 1. Log in to Browser A and make sure to check 'stay logged in to this device' checkbox while...
Inefficient Regular Expression Complexity in faisalman/ua-parser-js
Description Hello my dear I found another inefficient regular expression in ua-parser-js that have a Polynomial execution time not exponential but still dangerous. Proof of Concept I create two payloads that you can compare the execution times between them in Regexr provided links. payload 1...
Cross-Site Request Forgery (CSRF) in justingit/dada-mail
✍️ Description Attacker able to Delete All Data in Tracker plugin with CSRF attack. In CSRF attacks it is necessary that a user logged into your application and just going to a malicious website and after that only with a redirection attacker can perform attack on unprotected endpoint, this means...
Cross-Site Request Forgery (CSRF) in justingit/dada-mail
✍️ Description Attacker able to delete any Draft with CSRF attack. In CSRF attacks it is necessary that a user logged into your application and just going to a malicious website and after that only with a redirection attacker can perform attack on unprotected endpoint, this means only with visitin...
Cross-Site Request Forgery (CSRF) in ikus060/rdiffweb
✍️ Description Hello dear Rdiffweb team. I found a CSRF vulnerability on following endpoint that attackers able to Create a SSH key with PoC.html 🕵️♂️ Proof of Concept 1. User with right privileges should be logged in Firefox or Safari. 2. Users go to a website that contain PoC.html 3.after...
Cross-Site Request Forgery (CSRF) in hzxie/voj
✍️ Description The Update Profile has not any CSRF protection that make attackers able to change the users email and then can lead to account take over with Reset password functionality. 🕵️♂️ Proof of Concept 1.login as a user 2.Open PoC.html file. // PoC.html history.pushState'', '', '/'...
in agentejo/cockpit
✍️ Description Bypass of previous fix 🕵️♂️ Proof of Concept I see you recently fixed local-file-inclusion bug https://huntr.dev/bounties/a65d700c-1561-46c1-a9c2-cba6ed960f94/.\ And the fixed patch is https://github.com/agentejo/cockpit/commit/f1919184998bf9fa7a7db882c98ce1410375e596 .\ But it can...
Improper Authorization in imran300/inventory
✍️ Description A designer user can activate any other users IDOR. 🕵️♂️ Proof of Concept go to this url when logging in as a Designer. localhost:8000/inventory/index.php/Users/activeStatus/10 and then you can see that a user with id 10 will be activated. 💥 Impact This vulnerability is capable of...
Cross-Site Request Forgery (CSRF) in ampache/ampache
✍️ Description csrf bug to disable user 🕵️♂️ Proof of Concept I see during disable a user there is no csrf token is checking .\ 1. First login into admin account .\ 2. Now copy url http://localhost/ampache-develop/public/admin/users.php?action=disable&userid=3 and paste in browser tab and hit...
Cross-Site Request Forgery (CSRF) in aimeos/ai-client-html
✍️ Description Attacker able to add any product in favorites with CSRF attack. In CSRF attacks it is necessary that a user logged into your application and just going to a malicious website and after that only with a redirection attacker can perform attack on unprotected endpoint, this means only...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description Attacker able to leave any user message with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description here is a Stored XSS on the user profile image uploader via svg file 🕵️♂️ Proof of Concept Step to reproduce: 1. Go to account profile 2. Click the choose file option to update profile image 3. Upload the svg file containing malicious code: or you can download it from :...
in circuitverse/circuitverse
✍️ Description Privilege escalation bug to add comment to any private project 🕵️♂️ Proof of Concept Bellow request is vulnerable to privilege escalation bug POST /commontator/threads/496401/comments HTTP/2 Host: circuitverse.org Cookie: .. User-Agent: Mozilla/5.0 X11; Ubuntu; Linux x8664; rv:90.0...
Cross-Site Request Forgery (CSRF) in myvesta/vesta
✍️ Description Attacker is able to "delete" an element from favorite. this vulnerability happens on some sections. for example on “Firewall” tab list/firewall/ 🕵️♂️ Proof of Concept 1.when you logged in open this POC.html in a browser 2.you can check unintentionally first record deletes from...
Cross-Site Request Forgery (CSRF) in admidio/admidio
✍️ Description Attacker able to delete any event with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF attacks i...
Cross-site Scripting (XSS) - Stored in leantime/leantime
✍️ Description Stored xss bug using a xss payload in the new event title when adding a new event 🕵️♂️ Proof of Concept Goto http://localhost/calendar/addEvent and click on add event and copy paste the following xss payload javascript " Click on safe and see the xss popup with the cookie. 💥 Impact...
Cross-Site Request Forgery (CSRF) in aces/loris
✍️ Description Attacker able to upload any Media with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF attacks i...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
✍️ Description Attacker is able to change a user profile state to hidden if a logged in user visits attacker website. 🕵️♂️ Proof of Concept 1.when you logged in open this POC.html in a browser 2.you can check your profile state changed to hidden history.pushState'', '', '/' document.forms0.submit;...
Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager
✍️ Description Attacker able to create any Contract if users visit attacker site. 🕵️♂️ Proof of Concept 1.Open the PoC.html In Firefox or safari. 2.now you can check a Contract with aaaa name have been created. // PoC.html history.pushState'', '', '/' document.forms0.submit; 💥 Impact This...
Cross-Site Request Forgery (CSRF) in francoisjacquet/rosariosis
✍️ Description When you don't set the SameSite attribute of cookies the browsers have special act in front of this issue.I mean set default value on it chrome and chromium based browsers set the attribute "Lax" that mean if you do add/delete/alter operation in a get HTTP request then your site mor...
Cross-Site Request Forgery (CSRF) in emoncms/emoncms
✍️ Description When you don't set the SameSite attribute of cookies the browsers have special act in front of this issue.I mean set default value on it chrome and chromium based browsers set the attribute "Lax" that mean if you do add/delete/alter operation in a get HTTP request then your site mor...
Improper Privilege Management in opensource-socialnetwork/opensource-socialnetwork
💥 BUG unprivileged user can comment to private album . 💥 IMPACT user who does not have permiison in private album still can comment in that album. 💥 STEP TO RERPODUCE There is two user called user-A and user-B.\ 1. First goto user-A account and create a private album . \ Lets album url is...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
✍️ Description CSRF bug to activate all contractline 🕵️♂️ Proof of Concept Here it does not check token parameter for csrf .You can remove token paramater from url. bellow request is vulnerable to csrf attack when activate all contract-line ....
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
✍️ Description In HRM -- Expenses reports Directory, you don't protect files built by mass actions to delete with CSRF attacks then attacker able to delete arbitrary reports only with knowing their names. 🕵️♂️ Proof of Concept // PoC.html history.pushState'', '', '/' ...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
✍️ Description Attacker can delete any Product for any user with CSRF vulnerability when the Admin or SuperAdmin or an authorized user click on PoC.html file, it is enough to attacker know the Product id on server. I convert the GET...
Server-Side Request Forgery (SSRF) in erudika/scoold
✍️ Description Possible SSRF in scoold in user profile picture from URL 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create an account and click on the image. 2. Now open the local server or enter any IP:port ex: http://127.0.0.1:8082 3. Now enter the URL and then view the image, you will see get...
Session Fixation in erudika/scoold
✍️ Description Session Fixation vulnerability found in scoold in which it doesn't expire the sessions after password update. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Open the same account in the normal and private tab. 2. Change the password from anyone tab let's say private and then refresh...
Open Redirect in medialize/uri.js
✍️ Description urijs mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol, and treat it as a normal slash, while url-parse sees it as a relative path. 🕵️♂️ Proof of Concept 1. Create the following PoC file:...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
💥 BUG Stored xss via anonymouse-group 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/admin/pageSettings.php and click Preconfigured users and groups tab .\ put bellow...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️♂️ Proof of Concept Step To Reproduce: Go to /invoicesview.php and click add new if you already has any item, just click it to edit...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored XSS in adding properties lead by adding owners first name and second name. 🕵️♂️ Proof of Concept Video POC: https://drive.google.com/file/d/1QbdzPJPHmQPsNl-o43a-Slub4Z3hhNh/view?usp=sharing 💥 Impact This vulnerability is capable of Stored XSS...
Improper Privilege Management in bigprof-software/online-invoicing-system
💥 BUG privilege escalation bug to add invoice to a client . 💥 IMPACT unprivileged user can add invoice to a client 💥 STEP TO REPRODUCE 1. From admin account goto http://localhost/online-invoice2/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke all acccess from client...
in getgrav/grav
✍️ Description A cookie with an overly broad path can be accessed through other applications on the same domain. 🕵️♂️ Proof of Concept Application deployed at http://real.example.com/grav and the application sets a session ID cookie with path "/" when users log in to the forum. then below code is...
Cross-site Scripting (XSS) - Reflected in projectsend/projectsend
✍️ Description GET parameter ?client= in Line 419 of manage-files.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at builtinecho in manage-files.php at line 419. 🕵️♂️ Proof of Concept Data enters a web application...