4072 matches found
Improper Privilege Management in bigprof-software/online-rental-property-manager
💥 BUG privilege escalation bug to add applications/leases to a applicant . 💥 IMPACT unprivileged user can add applications/leases to a applicant 💥 STEP TO REPRODUCE 1. From admin account goto http://localhost/online-rental/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored xss in membership profile. 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the State field. 4. Update the profile and You will see an alert. 💥 Impact This vulnerability is capable of Stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Full name field as tested on latest release. 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the Full...
Cross-site Scripting (XSS) - Reflected in bigprof-software/online-invoicing-system
✍️ Description /app/admin/pageTransferOwnership.php with sourceMemberID parameter is vulnerable to Reflected XSS. Line 216 of pageTransferOwnership.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at builtinecho in...
Cross-site Scripting (XSS) - Stored in combodo/itop
💥 BUG stored xss via problem title 💥 STEP TO REPRODUCE Plz check this 1 minute video to reproduce https://drive.google.com/file/d/1n7ni3y5LNkK2ntrTTvVNLNOEmf2iKReO/view?usp=sharing 💥 Impact I see there is many different type of role base user . So, user who has permission to create problem can ma...
in w7corp/easywechat
✍️ Description Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. This code uses the rand function to generate "unique" identifiers for the receipt pages it generates. In this case the function that...
Command Injection in sofianehamlaoui/lockdoor-framework
✍️ Description CI in Spaghetti function when it asks for custom agent. 🕵️♂️ Proof of Concept // PoC https://drive.google.com/file/d/11ljFoTHfge9tA2p9uezV9s1PvM62VC/view?usp=sharing 💥 Impact command run as root. So an attacker could do potential damage to the machine...
Command Injection in sofianehamlaoui/lockdoor-framework
✍️ Description Unsanitized user input leads to command injection 🕵️♂️ Proof of Concept POC screenshot: https://drive.google.com/file/d/1zShz68hGd5zcpB1fpk4KVv5TDS6-vXT/view?usp=sharing 💥 Impact command run as root. So an attacker could do potential damage to the machine...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description The questionary section of livehelperchat can be modified listing new question . However, the template is used incorrectly resulting in a CSTI injection which leads to stored XSS. 🕵️♂️ Proof of Concept Install the livechat Go on...
Open Redirect in kalcaddle/kodexplorer
✍️ Description Open redirection via SVG file uplaod which redirects users to different site. 🕵️♂️ Proof of Concept Steps to reproduce: 1. download and upload the file https://drive.google.com/file/d/1yt4-5lgFS7ZGJog1uXAQ5rMxKGgVq/view?usp=sharing 2. View the file. 💥 Impact This vulnerability is...
Heap-based Buffer Overflow in rup0rt/pcapfix
✍️ Description Whilst testing the 'devel' branch of pcapfix, specifically commit fb723ccompiled with clang-13 and -fsanitize=address on Ubuntu 20.04.2 LTS, we discovered a POC which triggers a heap-buffer-overflow. 🕵️♂️ Proof of Concept git clone https://github.com/Rup0rt/pcapfix cd pcapfix...
Improper Privilege Management in mailtrain-org/mailtrain
BUG Lower level user can revoke access from a campaign for admin . IMPACT Admin will not be able to access perticular campaign .\ This happen when lower level user added admin to a campaign and them removed him . STEP TO REPRODUCE 1. From admin account goto http://localhost:3000/users and add a...
Cross-site Scripting (XSS) - Stored in volmarg/personal-management-system
✍️ Description Stored xss 🕵️♂️ Proof of Concept plz check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1vYCGJtEZrIihtpioiD25RPRaX5YnKJMN/view?usp=sharing 💥 Impact xss attack...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description A reflected XSS is possible because you echo user controlled content without sanitization in https://github.com/FalconChristmas/fpp/blob/40a636c6e38442e3674db0b85fdfc5ed8a79b823/www/changebranch.phpL25 php $branch = $GET'branch'; $command = "sudo /opt/fpp/scripts/gitbranch "...
Exposure of Sensitive Information to an Unauthorized Actor in tl-its-umich-edu/my-learning-analytics
✍️ Description Django secret key is exposed into the Dockerfile. This is used to sign JSON objects, create hashes and generate CSRF tokens. 🕵️♂️ Proof of Concept https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key/15383766?noredirect=1comment2174349415383766 💥...
in dolibarr/dolibarr
💥 BUG unprivileged user can modify subject of a ticket 💥 IMPACT user with read-only permission can modify ticket subject 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEP TO REPRODUCE 1. First goto admin account and add user B as normal user .\ Now give user B bellow permission for Ticket module ....
Prototype Pollution in imrefazekas/assign.js
Description assign.js is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var Assigner = require"assign.js" var assigner = new Assign...
Authorization bypass on all trace endpoints when auth is enabled
Description When MLflow runs with auth enabled, the trace API endpoints don't have authorization validators registered. The beforerequest handler checks each request against BEFOREREQUESTHANDLERS — experiments, runs, models all have entries there, but traces have zero entries. When no validator i...
Arbitrary code execution via malicious logging configuration (dictConfig factory injection)
Kedro v1.2.0 passes user-controlled YAML config to logging.config.dictConfig without validation. The factory key enables arbitrary callable instantiation, achieving RCE at startup. kedro/framework/project/init.py, ProjectLogging: loggingconfig = Pathpath.readtextencoding="utf-8"...
Path Traversal in DiskIOStore via Unsanitized Layer Names in Keras 3
Description A logic flaw in the Keras 3 v3.0.0+ model saving and loading library handles internal asset paths insecurely. Specifically, the DiskIOStore.make method in keras/src/saving/savinglib.py uses user-provided layer names to construct directory paths without sanitizing for parent directory...
Git argument injection in deployment pull steps via unsanitized commit_sha enables RCE on workers
Description Prefect's GitRepository storage class passes user-controlled commitsha values as positional arguments to git commands without a -- separator. The commitsha parameter accepts arbitrary strings with no format validation no hex check, no length check. This allows injection of git flags...
Arbitrary File Read via Log Symlink following in FileTaskHandler
This report is not public...
Unbounded Classification Output Sorting Leads to Remote Denial-of-Service in Triton Inference Server
This report is not public...
Remote code execution via transformers_utils/get_config
This report is not public...
Stored Cross-Site Scripting (XSS) via SAML IdP XML Injection
An attacker can achieve stored cross-site scripting XSS by injecting malicious JavaScript into the SAML IdP XML metadata. This metadata is used to generate the SAML login redirect URL, which is ultimately set as the value of window.location.href. This vulnerability allows the attacker to execute...
Lack of unique constraint validation allows overwriting evaluators
Description The application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an existing evaluator. Since the backend lacks databa...
Integer Overflow In /v2/repository/models/<model_name>/load
This report is not public...
High-Severity Command Injection Vulnerability in run_BingBertSquad.sh
This report is not public...
SSRF Vulnerabilities found in Search and Github Integration AutoGPT Blocks
Hi, AutoGPT developers! Summary I have identified several Server-Side Request Forgery SSRF vulnerabilities in the default agent blocks provided by the AutoGPT platform. These vulnerabilities could lead to severe security issues, including credential leakage e.g., GitHub tokens, internal network...
Admin account takeover through weak Pseudo-Random number generator used in generating password reset codes
This report is not public...
Missing check_access in lollms_binding_infos
This report is not public...
SSRF via Custom Tool Testing
This report is not public...
Denial of service by memory exhaustion
This report is not public...
SSRF via POST /api/proxy
This report is not public...
server crash by zip bomb
This report is not public...
pickle deserialization vulnerability
Description There is a pickle deserialization vulnerability in the Latex English error correction plug-in function of gptacademic, which allows attackers to achieve remote command execution Environment setup 1. wget https://github.com/binary-husky/gptacademic/archive/refs/tags/version3.83.zip 2...
Stored XSS at Guest Lobby
Description Guest Lobby is vulnerable to XSS when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML Proof of Concept 1.Start a new web conference and change Guest policy to "Ask Moderator" role moderator 2.Attacker edit "Message to the...
Serious Security Vulnerability Discovered in Promotion
Description I am writing to report a serious security vulnerability that we have uncovered. Specifically, we have found that promotions applied to certain client groups are still being honored even after the promotions are no longer applicable to those groups. This means that attackers can...
Small Space of Random Values
Description The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks. Vulnerable code snippet $password = $staff'USERNAME' . rand 1000, 9999 ;...
Prototype Pollution in domcloud/dom-portal
Prototype Pollution in dom-portal Reported on Jan 20th 2022 | Timothee Desurmont Description The function unflatten located in domainbio.php could potentially leed to prototype pollution and givie an attacker unprivilladge access to sensitive information. Proof of Concept Create a file called...
Cross-site Scripting (XSS) - Stored in erudika/scoold
Description The Schold is a Q&A/knowledge base platform written in Java. When writing a Q&A, you can use the markdown editor. So I tried to exploit the syntax to try an XSS attack. It seemed to validate javascript: on the backend. So I couldn't use it. However, according to RFC3986, the scheme ca...
Cross-site Scripting (XSS) - Stored in livehelperchat/fbmessenger
Description The application does not escape special characters. The $item-bbcode or $item-name variables can lead to stored XSS Proof of Concept Go to Facebook BBCode List https://demo.livehelperchat.com/siteadmin/fbmessenger/newbbcode and add an item with XSS payload into name or bbcode fields,...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Proof of Concept https://demo.corebos.com/index.php?module=Users&action=index&parenttab=Settin...
in qmpaas/leadshop
Description The vulnerability is in the api/ImageController.php file. When $type is 2, it will enter the logic for uploading video files. However, the function $upload-video that handles video uploads does not detect the file suffix name. This results in arbitrary file uploads. Proof of Concept...
in microweber/microweber
Description I create a coupon only for one user and also is one-time use coupon. then create two user and both of them can use the coupon but only one of them should able to use the coupon...
Cross-Site Request Forgery (CSRF) in pkp/omp
✍️ Description Attacker or malicious user is able to delete any user profile photo if a logged in user visits attacker website. because lack of CSRF token 🕵️♂️ Proof of Concept 1.when you logged in open this POC.html in a browser 2.you can check unintentionally your profile photo deleted...
in pheditor/pheditor
Description This issue allows an attacker to influence calls to the 'unlink' function and delete arbitrary files. https://github.com/pheditor/pheditor is vulnerable to DoS via Arbitrary file deletion. Proof of concept Vuln variable: $POST'path' Snippet: case 'delete': if isset$POST'path' &&...
in kcal-app/kcal
Description There isn't any proper authorization for delete goal action that lead to IDOR vulnerability...
Improper Privilege Management in openemr/openemr
Description A predefined Front desk receptionist have access to the Audit Log Tamper Report function. By default this is a predefined system administrator function, and no other users should be able to access this function. Proof of Concept Log in with a Front desk receptionist user Simply open t...
Cross-Site Request Forgery (CSRF) in amirsanni/mini-inventory-and-sales-management-system
✍️ Description Attacker is able to delete a administrator accounts if a logged in user visits attacker website. 🕵️♂️ Proof of Concept 1.when you logged in open this POC.html in a browserFirefox and Safari 2.you can check unintentionally you delete an administrator account. //POC.html...