4072 matches found
User can share/use/create prompts not permission
Description Users can share/use/create prompts without being granted permission by the admin. This can break application logic and permissions. Proof of Concept 1. Go to acount admin disable function share/use/create prompt. 2. share/use/create prompts with normal user. POST /api/prompts HTTP/1.1...
IDOR in Group members
Description By manipulating the ugid, user who is not in group can view the members list of the group Proof of Concept Step 1: Go to User Group function, see that this user can only view this two groups. Step 2: Click on View a group, manipulate the ugid, confirm that this user can view the Group...
Stored XSS on user "Write private message" function
Description An attacker can inject malicious executable scripts into the code of the message field. Proof of Concept Log in as a Member user, access Messages - Write private message function for sending admin a message.COde Insert this payload into the message field testscriptprompt'1'/script the...
Sensitive Cookie Without HttpOnly Flag
Description 1/ Access and login to the demo website: https://demo.fossbilling.org/ 2/ Press F12 on your keyboard or right-click on the website to open dev-tool. 3/ At Application tab, choose Cookies and there is BOXCLR sensitive cookie without HttpOnly flag. Proof of Concept Link image:...
SQL Injection in '/module/accounts/ajax.php'
Description There exists an SQL injection affecting the 'order'0'dir', start and length parameters located in the file /module/accounts/ajax.php Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/module/accounts/ajax.phpL1503...
Reflected XSS in any wordnet URL
Description A reflected XSS can be achieved by simply creating a URL such as: http://localhost:8000/alert1.html Proof of Concept nltk.app.wordnetapp.app Then hit http://localhost:8000/alert1.html in the browser...
Add Client function is vulnerable to stored HTML injection
Description HTML Injection also termed as āvirtual defacementsā is one of the most simple and the most common vulnerability that arises when the web-page fails to sanitize the user-supplied input or validates the output, which thus allows the attacker to craft his payloads and injects the malicio...
Allows large characters in change password
Description The commafeedapplication allows large characters to insert in the input field "password" at password change feature which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Login and go to profile 2. Go to password change feature 3. Fi...
Cross Site Scripting via Improper Input Validation
Description The parse-url The 5.0.8 version of the parser does not check url characters between protocols. This causes spoofing of the javascript protocol itself. Proof of Concept javascript const parseUrl = require"parse-url"; const express = require'express'; const app = express; parsed =...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept Go to this URL:...
Denial of Service on embed2 servlet
Description The application stores a 5MB file in a hashmap variable using a user input as a key, with a large number of requests its possible to increase the memory usage of the application and deny the access to embed2.js stencils resource Proof of Concept import requests...
0 quantity orders are allowed
Description In the case of commodity purchases, the quantity is 0. Orders should not be allowed to be created, consuming meaningless resource behavior, and the order quantity should always be =1 Proof of Concept...
Stored XSS in "campaigns"
Description The listmonk application is vulnerable to stored XSS in the "Name" input filed for "campaigns" for which when a user tried to delete the "campaigns" XSS gets triggered. Proof of Concept 1.Go to "Campaigns" - "All campaigns" - "New" 2.Put this payload: in the "Name" input field and fil...
Stored XSS on Import Targets
Description Hello, When a XSS payload is used as the Add or Import Targets file name, it executes it hence stored XSS is possible. Proof of Concept Name a file .txt Import the file at /target/add/target You can see it being executed...
Classic Buffer Overflow in john
Description For 1Password Cloud Keychain plugin, the length of inputs are not properly checked. Then inputs are copied to fixed length buffers. For example, creating a salt with a larger length allow a buffer overflow. Proof of Concept Using the cloudkeychain.hash file: $ ./run/john...
Cross-site Scripting (XSS) - Stored in pimcore/customer-data-framework
Description stored xss vulnerability occurs when you change the value of Description at "Customer Management Framework" = "Customer automation rules" = "New Customers" = "Description" in the pimcore service. Proof of Concept txt XSS POC : 1. Open the https://10.x-dev.pimcore.fun/admin/ 2. After...
in mybatis/generator
Description The isConfigFile function makes use of SAXParser generated from a SAXParserFactory with no FEATURESECUREPROCESSING set, allowing for XXE attacks. In...
in vim/vim
Description Untrusted Pointer Dereference leading to a segmentation fault Segmentation fault in vimregexecmulti at regexp.c:2896 Proof of Concept ./vim -u NONE -X -Z -e -s -S POC1 -c ':qa! POC1https://drive.google.com/file/d/1VOS93VSakO96z2rnvIdWDYRM9KAEIgC/view?usp=sharing bt Program received...
Cross-site Scripting (XSS) - Stored in openwhyd/openwhyd
Description openwhyd is vulnerable to Stored XSS at the Name field in User Profile. Payload " Steps to reproduce 1.After login, click on the username to go to the Profile page 2.Click Edit Profile button - choose Edit Profile Info 3.In the Name field, input payload "then click Save button 4.Reloa...
Cross-site Scripting (XSS) - Reflected in admidio/admidio
Description Am still able to reproduce the SVG-XSS vulnerability here https://huntr.dev/bounties/96221dff-0d40-4326-9a9e-f66608307980/ on my local system just downloaded the latest release on the website. Think you may have accidentally included SVG files into the whitelist. Proof of Concept POST...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in frontaccountingerp/fa
āļø Description The secure flag is not set for session cookie "PHPSESSID" in the application. Proof of Concept Check this for POC: Image Impact If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing...
Session Fixation in bytebase/bytebase
Description If admin deciding to deactivate a user and the user already logged in the system before then until user remain in the current session he/she can do anything that can do them before...
in publify/publify
Description There is not Rate limit protection bypass sent unlimited email victim who have account email address. Proof of Concept There is no rate limit users/password, attacker to send unlimited email who have account victim email address. POST /users/password HTTP/1.1 Host:...
Cross-Site Request Forgery (CSRF) in collectiveaccess/providence
Description More AJAX endpoints vulnerable to CSRF. 1: GET http://10.0.2.15/providence/index.php/find/BrowseObjects/createSetFromResult 2: POST http://10.0.2.15/providence/index.php/find/SearchObjects/saveResultsEditorData Proof of Concept 1:...
Cross-Site Request Forgery (CSRF) in collectiveaccess/pawtucket2
Description After taking a look at the application again, I found few more create / update endpoints which should have CSRF protection Proof of Concept http://PAWTUCKET-URL/pawtucket/index.php/Lightbox/saveUserGroup?name=123&description=abc&groupid=...
in khodakhah/nodcms
Description There is no rate limit sent unlimited email victim or any email address Proof of Concept There is no rate limit return-password , attacker to send unlimited email to victim or any email address. POST /en/return-password HTTP/1.1 Host: demo.nodcms.com User-Agent: Mozilla/5.0 Windows NT...
Open Redirect in fisharebest/webtrees
Description I saw this report : https://huntr.dev/bounties/ad4278af-52b7-4c34-8d43-9b829105d499/ and Also your fix commit https://www.github.com/fisharebest/webtrees/commit/551ad4afbcef2a72a6cf6461f1747762180b12c5 then I should say that the fix can be bypassed with such payloads : If the baseurl ...
Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Description Reflected XSS in form Search Proof of Concept // PoC.js POST /find/QuickSearch/Index HTTP/1.1 Host: demo.collectiveaccess.org Cookie: cademo=5b9d06b7-3860-477d-9d53-85e6b2b1ae99; CAcademouilocale=enUS User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101...
Cross-site Scripting (XSS) - Stored in evereux/flicket
Description Stored XSS in deleting departments page due to unsanitized input in many places. Proof of Concept 1. Create a new department with name 2. After creating the above department, Click on delete icon next to it and see the pop up. 3. Create a new ticket with title 4. View the ticket and s...
Exposure of Sensitive Information to an Unauthorized Actor in opendatacube/odc-tools
Description Information Disclosure AWS PrincipleID, sourceIPAddress, configurationId and more. Proof of Concept https://raw.githubusercontent.com/opendatacube/odc-tools/develop/apps/dctools/tests/data/sentinel-2-nrt20200821.json Impact Leaks Sensitive Data...
Cross-site Scripting (XSS) - Reflected in sbrl/pepperminty-wiki
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end userās browser has no way to know that the script should not be trusted, and will execut...
Cross-Site Request Forgery (CSRF) in justingit/dada-mail
āļø Description Attacker able to Send any Mass mailing with CSRF attack. In CSRF attacks it is necessary that a user logged into your application and just going to a malicious website and after that only with a redirection attacker can perform attack on unprotected endpoint, this means only with...
Cross-Site Request Forgery (CSRF) in microweber/microweber
āļø Description Attacker able to delete any user if knows the user id parameter value. šµļøāāļø Proof of Concept Here after running PoC.html and you will see that the user with id 3 has been deleted. //PoC.html history.pushState'', '', '/' document.forms0.submit; š„ Impact Here a user with id value 3...
Cross-site Scripting (XSS) - Reflected in phoronix-test-suite/phoronix-test-suite
āļø Description Cross-site Scripting XSS refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. The...
Session Fixation in agentejo/cockpit
āļø Description A malicious actor with access to the computer is able to reveal the loaded site's actual session identifier value from the stored cookie. Since upon login, this value does not change, the attacker can gain access via session hijacking, when the target logs in on the compromised...
Prototype Pollution in liriliri/licia
āļø Description licia package is vulnerable to Prototype Pollution. The safeSet function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. šµļøāāļø Proof of Concept...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
āļø Description Attacker able to delete any custom page with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF...
Cross-Site Request Forgery (CSRF) in neorazorx/facturascripts
āļø Description Attacker able to delete any number of Accounting Reports with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your...
Cross-site Scripting (XSS) - Reflected in slackero/phpwcms
āļø Description Reflected xss šµļøāāļø Proof of Concept 'HTTP-REFERER: '.echoempty$ref ? 'unknown' : $ref; š„ Impact xss bug...
Cross-Site Request Forgery (CSRF) in admidio/admidio
āļø Description Attacker able to delete any Link with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF attacks it...
Cross-Site Request Forgery (CSRF) in admidio/admidio
āļø Description Attacker able to unlock/lock any album with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF...
Cross-Site Request Forgery (CSRF) in sergix44/xbackbone
āļø Description following endpoint vulnerable to CSRF: /omeka/upload/1/unpublish Also there is not any different that you run The application in localhost or some real hosts, this is enough to login with a browser that used the browser for online web surfacing too. šµļøāāļø Proof of Concept // PoC.html...
Cross-Site Request Forgery (CSRF) in easysoft/zentaopms
āļø Description When you don't set the SameSite attribute of cookies the browsers have special act in front of this issue.I mean set default value on it chrome and chromium based browsers set the attribute "Lax" that mean if you do add/delete/alter operation in a get HTTP request then your site mor...
Cross-Site Request Forgery (CSRF) in boxbilling/boxbilling
āļø Description CSRF on changing password of an admin account. There is no token or anti csrf implemented. šµļøāāļø Proof of Concept Create a .html file poc.html for example and copy paste the following code in it. Change localhost to ur domain or ip address. javascript CSRF PoC send this file to a...
Improper Privilege Management in bigprof-software/online-rental-property-manager
š„ BUG privilege escalation bug to add applications/leases to a applicant . š„ IMPACT unprivileged user can add applications/leases to a applicant š„ STEP TO REPRODUCE 1. From admin account goto http://localhost/online-rental/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
āļø Description Stored xss in membership profile. šµļøāāļø Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the State field. 4. Update the profile and You will see an alert. š„ Impact This vulnerability is capable of Stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
āļø Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Full name field as tested on latest release. šµļøāāļø Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the Full...
Cross-site Scripting (XSS) - Reflected in bigprof-software/online-invoicing-system
āļø Description /app/admin/pageTransferOwnership.php with sourceMemberID parameter is vulnerable to Reflected XSS. Line 216 of pageTransferOwnership.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at builtinecho in...
Cross-site Scripting (XSS) - Stored in combodo/itop
š„ BUG stored xss via problem title š„ STEP TO REPRODUCE Plz check this 1 minute video to reproduce https://drive.google.com/file/d/1n7ni3y5LNkK2ntrTTvVNLNOEmf2iKReO/view?usp=sharing š„ Impact I see there is many different type of role base user . So, user who has permission to create problem can ma...
in w7corp/easywechat
āļø Description Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. This code uses the rand function to generate "unique" identifiers for the receipt pages it generates. In this case the function that...