4072 matches found
XSS via Mathematical Typesetting
🔒️ Requirements Feature: Extras Mathematical Typesetting enabled. User interaction: Access vulnerable page || diagram and wheel click on a link. 📝 Description The Mathematical Typesetting feature allows to use inline content such as AsciiMath or LaTeX. Using it allows you to create a tag via \href...
HTML Injection vulnerability in create tag functionality
Vulnerability Details In the Microweber CMS, While doing a live edit on to the application, we have the option to create a new global tag in the application. While creating a global tag, the "Tag Name" input field doesn't properly get sanitized and it's vulnerable to HTML Injection vulnerability...
Use After Free in function qf_fill_buffer
Description Use After Free in function qffillbuffer at vim/src/quickfix.c:4790 vim version git log commit adce965162dd89bf29ee0e5baf53652e7515762c HEAD - master, tag: v9.0.0246, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc5huaf.dat -c :qa!...
2FA Bypass in Cockpit Content Platform ≤ v2.2.1
Description 2FA secret is disclosed in JWT token after user logs into his account in Cockpit Content Platform ≤ v2.2.1 allowing attacker to bypass the 2FA code. Proof of Concept 1.Login with your admin account and enable 2FA in your account and logout. 2.Go to...
OS Command Injection user to admin
Summary Arbitrary commands can be injected when installing DokuWiki. Description Authenticated as "User" role users can inject commands. Injected commands are running as "admin" user. Prerequisite 1. Any user access 2. php 7.4 must be installed in order to install dokuwiki only admin can install...
The NocoDB application allows large characters to insert in the input field "New Project" on the create field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
Proof of Concept Go to http://localhost:8080/dashboard//projects Click on New project and create Fill the "Enter project name" field with huge characters, more than 1 lakh Copy the below payload and put it in the input fields and click on continue. You will see the application accepts large...
Client-Side RCE and Stored XSS via Unsafe Deserialization of Diagrams
Description The deserialization mechanism of diagram files is based on an XML like structure. When it is read, internal objects are created and properties on those can be set. Furthermore it allows calling any top-level constructor function and cloning of top level XML/HTML nodes. This has the...
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File
Description Formula Injection/CSV Injection in "Task" due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept 1. Click on plus track button 2. Under the task input field enter the payloads =1+1 3. Now enter the work hour as 2 4. Then click on save 5. Now go to details and...
Use After Free in function find_pattern_in_path
Description Use After Free in function findpatterninpath at search.c:3653 vim version git log commit 4c3d21acaa09d929e6afe10288babe1d0af3de35 HEAD - master, tag: v8.2.5014, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch16s.dat -c :qa!...
Allocation of Resources Without Limits in
Steps to reproduce: 1. As an admin, start a new conversation with any membernormal user 2. If the membernormal user reply with a text of huge characters, more than crores, etcthe admin may not able to access the dash board and its get started lagging, because the server get DOS POC Screenshot: PO...
Account Takeover
Description Hi I found a way to takeover user's account Proof of Concept 1.Victim A is a member of a organization orgA 2.Attacker create a new account with orgB 3.Invite victimA to orgB 4.Since an admin can access invitation link attacker copy this link and set new password using this link 5.Now...
Allowing long password leads to denial of service
Description The Organizr application allows to sending a very long password 10000000 characters it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing...
Heap-based Buffer Overflow in function cmdline_erase_chars
Description Heap-based Buffer Overflow in function cmdlineerasechars at exgetln.c:1085 POC ./vim -u NONE -X -Z -e -s -S ./poch1.dat -c :qa! ================================================================= ==3840814==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000087f at pc...
NULL Pointer Dereference in r_bin_ne_get_entrypoints function
Description A NULL pointer deference vulnerability in rbinnegetentrypoints function due to a missing check before using the pointer. Version bash radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6 commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-0614:41:37 POC bash radare2 -q -A poc poc...
XSS in livehelperchat
Description LiveHelperChat is vulnerable to XSS in /cobrowse/checkmirrorchanges/ in it response the url parameter to json content while response content type is html. SETP1: set the url in following request POST /cobrowse/storenodemap/hash/174QXubVQ2cHdPR5xt5vNLBWVRnRwNu6MBWHoxRs3/?url= HTTP/1.1...
Null Pointer Dereference Caused Segmentation Fault
Description Null pointer dereference caused segmentation fault Proof of Concept version ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.1-DEV-rev65-g718843df4-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters:...
Old sessions are not blocked by the login enable function.
Description If you disable logic function of an user, that user can still login by using their old session. Proof of Concept Step 1: login to dashboard by a normal account. Step 2: use a diffrent browser to login as admin Step 3: make the normal account in step 1 unable to login. Step 4: return t...
Stored XSS via File Upload in star7th/showdoc
Description Stored XSS via uploading file in .properties format. Proof of Concept filename="test.properties" alert1 Steps to Reproduce 1. Login into showdoc.com.cn. 2. Navigate to file library https://www.showdoc.com.cn/attachment/index 3. In the File Library page, click the Upload button and...
Cross-site Scripting (XSS) - Stored
Description Type parameter in the body of POST request triggered by add/edit tax in microweb are vulnerable to stored XSS. 1 Settings Taxes Tax type Proof of Concept Step 1: Access https://demo.microweber.org/?template=dream Step 2: Browse to Settings Taxes Tax type Step 3: Add or Edit current ta...
Cross-site Scripting (XSS) - Stored
Description Iframe tags don't have a sandbox attribute, this makes an attacker able to execute malicious javascript via an iframe and perform phishing attacks. The sandbox attribute will block script execution and prevents the content to navigate its top-level browsing context which will stop thi...
Improper Resolution of Path Equivalence
DESCRIPTION Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be...
Insecure Storage of Sensitive Information
Description:- When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their Geolocation, their Device information like Device Name, Version, Software & Software version...
Cross-site Scripting (XSS) - Reflected in pimcore/data-hub
Description pimcore Datahub is vulnerable to Reflected XSS in the Path of Documents, Assets and Objects in the Security Definition tab Steps to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.In the left menu bar, click the Datahub icon and click on any existing configuration then ...
Exposure of Sensitive Information to an Unauthorized Actor in pimcore/pimcore
Description XSS Proof of Concept Previous bug https://huntr.dev/bounties/96506857-06bc-4c84-88b7-4f397715bcf6/ is not properly fixed. it can be bypassed using with event handler . https://github.com/pimcore/pimcore/commit/35d1853baf64d6a1d90fd8803e52439da53a3911 its only checking...
Heap-based Buffer Overflow in vim/vim
Description A Heap-based Buffer Overflow has been found in vim commit 3cf21b3 Proof of Concept base64 poc ZggwMDAwMDAwMDAwMDAwMDAwMBkwMDAwCmYIMDAwMDAwMCUlJSUlJSUlJSUlMDAwMDD8CmUlJSUl JSUlJSUlJSUlJQp2cwp2MP8wbwo= /fuzzing/vim/vim/src/vim -u NONE -X -Z -e -s -S ./poc -c :qa! ASan stack trace:...
Sensitive Cookie Without 'HttpOnly' Flag in yeswiki/yeswiki
Description The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps...
Cross-Site Request Forgery (CSRF) in glpi-project/glpi
✍️ Description Hello dear glpi team I found one more CSRF vulnerability in following directory: Home/Setup/General/performance 🕵️♂️ Proof of Concept 1.fisrt user already should be logged in In Firefox or safari. 2.Open the PoC.html and click on submit button Also it can be auto-submit 3.Here User...
Inefficient Regular Expression Complexity in ramda/ramda
✍️ Description A ReDoS regular expression denial of service flaw was found in the ramda package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU. Similar attack ref: https://nvd.nist.gov/vuln/detail/CVE-2020-7753...
Inefficient Regular Expression Complexity in chatwoot/chatwoot
✍️ Description If we want to use Regex in our match or search or replace or ... functions, we must be sanitize this function's inputs. if an attacker capable to inject any Regex or abuse the bad Regexes that used in our codes, then the ReDoS vulnerability appear and according to "freezing the web ...
SQL Injection in opportunities module
Description During the save of the the opportunity the duplicateparentid is not properly validated and cleaned, which allows for injecting sql. Proof of Concept Add sql injection statement to opportunities duplicateparentid on save request...
Stored XSS in Attachment File Name
Description A stored cross-site scripting vulnerability exists within the file attachment upload functionality. Replication Steps 0x01. As a user with only the "Edit Record" and "Add Attachments" permissions, the user proceeded to edit a FAQ record and clicked "Add new attachment", as seen in the...
Out of Bounds Read in scene_manager/loader_bt.c:478
Description Out of Bounds Read in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Store XSS in Users
Description I noticed, your website is very secure. But you overlooked a flaw XSS . Proof of Concept Detail: 1 .Login vs admin demo account and access admin page. 2 .Create a users ,insert payload in to Real name test" 3 .Click edit on the user just created, detect XSS Video Poc...
Arbitrary command execution on Windows
Description Opening files from an untrusted directory can lead to execution of arbitrary commands on Windows systems, this is possible by having a malicious file with the same name as a trusted executable, Windows gives priority to the current directory when searching for executables. Several...
Uncaught exception in document parsing functions
Description The parseDocument and parseAllDocuments functions should never throw according to the documentation. However, when these functions are fed an invalid input with a lot ≥80 of carriage return characters \r, an exception is thrown, which originates in the prettifyError function. Proof of...
Heap Use After Free in function ins_compl_get_exp
Description Heap Use After Free in function inscomplgetexp at insexpand.c:3846 vim version git log commit 7193323b7796c05573f3aa89d422e848feb3a8dc HEAD - master, tag: v9.0.1223, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf01s.dat -c :qa!...
Image upload function has storage xss vulnerability
Description Malicious users can upload files containing malicious html code through this vulnerability, resulting in the theft of identity tokens of other users/administrators accessing related pages and the account being taken over Proof of Concept step1. Log in to a common user account step2...
Authenticated HTMLi via theme parameter on /lib/ajax.php
Description The theme parameter is vulnerable to HTMLi on /lib/ajax.php endpoint Proof of Concept - go to https://v2.demo.froxlor.org - Login with a user - Go to https://v2.demo.froxlor.org/lib/ajax.php?action=newsfeed&theme=%3C/br%3E%3Ch1%3EHTMLi%20by%20leorac%3C/h1%3E%3Cbr%3E - You'll see the...
Bypass Stored XSS while creating a new post
Description After login to portal create a new post and type the following text with XSS payload bypass of this fix Proof of Concept Login to portal. create a post with xss paylaod save it POC: https://drive.google.com/file/d/1WkQpGyQGKBS-9To5mludqkkL7VOp9Au/view?usp=sharelink Bypass Payload //X/...
Authenticated Remote Command Execution on GLPI 10.0.5 due to vulnerable marketplace plugin
Description It was found that GLPI at the current version 10.0.5 is vulnerable to a remote command execution when an attacker has super-user privileges. This is possible due to an attacker being able to download a plugin that contains files that was calling unserialize into $POST'entityrestrict'...
heap-buffer-overflow in function skipwhite
Description heap-buffer-overflow in function skipwhite at charset.c:1706:12 vim version shell git log commit 56564964e6d0956c29687e8a10cb94fe42f5c097 HEAD - master, tag: v9.0.0719, origin/master, origin/HEAD Proof of Concept shell /home/mist/fuzz/vim/vim/src/vim -u NONE -X -Z -e -s -S poc1 -c :qa...
Use After Free in function get_next_valid_entry
Description Use After Free in function getnextvalidentry at vim/src/quickfix.c:2709. vim version git log commit 2bd9dbc19fc67395cfa1226dda7326071ab22464 HEAD - master, tag: v9.0.0270, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/test/poc/poc6huaf.da...
Buffer Over-read in function current_quote
Description Buffer Over-read in function currentquote at textobject.c:1801 vim version git log commit 83497f875881973df772cc4cc593766345df6c4a HEAD - master, tag: v8.2.5105, origin/master, origin/HEAD POC root@fuzz-vm0-187:/home/fuzz/fuzz/vim/afl/src ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Chatwoot's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks
Description Chatwoot relies on the rackattack.rb file to defend the application against various brute force attacks. The Chatwoot application fails to prevent brute force attacks against the listed paths when strings are appended to the end of POST directory names. Some protection still exists,...
Stored XSS in Name
Description The application Titra is vulnerable to Stored XSS in user's name field. Proof of Concept Go to profile and under the name put the payload " Video POC: https://drive.google.com/file/d/1MHPloy-i2hsxaLuuVn46oUZVpFm6Nywf/view?usp=sharing...
Use After Free in function utf_ptr2char
Description Use After Free in function utfptr2char at mbyte.c:1794 vim version git log commit be99042b03edf7b8156c9adbc23516bfcf2cec0f HEAD - master, tag: v8.2.5044, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf2s.dat -c :qa!...
Meta Data Is Not Stripped From images
Hey team, while uploading site/page logo as an administrator, The meta data of the image like geolocation, device information, version, name etc is not getting stripped, as a result the attacker can collect all the meta data information of the image by using tools like exif tool, metadata...
Heap-based Buffer Overflow in function skip_string
Description Heap-based Buffer Overflow in function skipstring at cindent.c:92 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch7s.dat -c :qa!...
Blind command injection
Description Hello , its my first report in huntr.dev fast code review : file https://github.com/yogeshojha/rengine/blob/master/web/api/views.pyL820 class CMSDetectorAPIView: def getself, request: req = self.request url = req.queryparams.get'url' savedb = True if 'savedb' in req.queryparams else...
XSS in /demo/module/?module=HERE
Description Reflected XSS in /demo/module/?module= bypass of fix for CVE-2022-1439 Proof of Concept In this report I showed an XSS and while one of the filter evasion mechanisms was fixed, the root cause persists to allow other payloads. As I mentioned there are event handlers which are unblocked...