4072 matches found
XSS in /demo/module/?module=HERE
Description Reflected XSS in /demo/module/?module= bypass of fix for CVE-2022-1439 Proof of Concept In this report I showed an XSS and while one of the filter evasion mechanisms was fixed, the root cause persists to allow other payloads. As I mentioned there are event handlers which are unblocked...
SQL injection in GridHelperService.php
Description In line 786, we can see $conditionFilters = $filterField . ' ' . $operator . ' ' . $value;. The three variables joins to a string, and the variables come from the request parameter.Maybe line 793 is vulnerable too. The code comes from prepareAssetListingForGrid function. The function ...
Cross-site Scripting (XSS) - Stored
Description pimcore datahub is vulnerable to Stored XSS in multiple places including: 1 the Pricing Rule of Online Shop in EcommerceFrameworkBundle. Whenever an admin user access Pricing Rule, a stored XSS will be triggered. 2 Image Thumbnails in Settings. Whenever an admin user access Image...
Static Code Injection
Description The Microweber application allows HTML tags in the "First name", "Last name" and "Phone number" which can be exploited by Injecting HTML payloads. Proof of Concept 1.While buying product we need to fill contact information form. 2.Insert your html code in code block. e.g., Hurry Up!Go...
Cross-site Scripting (XSS) - Stored
Description Autolab is vulnerable to stored cross-site-scripting in the upload files functionality in courses feature, this can be used to execute XSS attack against the victim who is a student/teacher. Steps to Reproduce PoC 1 login to autolab 2 go to...
Open Redirect
Description bypass https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083/ urijs fix CVE-2022-0613 , however attacker can bypass to exploit this issue Proof of Concept // PoC.js var URI = require'urijs'; var url = new URI"https::\\github.com/foo/bar"; console.logurl; output: URI string:...
Improper Access Control (IDOR)
Description Dolibarr v14.0.5 allows improper access control issues in the userphoto modulepart. The impact could lead to data exposure as the attached files and documents may contain sensitive information of relevant parties such as contacts, suppliers, invoices, orders, stocks, agenda, accountin...
NULL Pointer Dereference
Description Null pointer dereferencing occurs in finducmd. commit : cdf717283ca70b18f20b8a2cefe7957083280c6f Proof of Concept $ echo -ne "dGFiZQpzaWwwbm9ybTBxL2cJOkkb" | base64 -d poc Valgrind $ /valgrind/vg-in-place -s ./src/vim-u NONE -i NONE -n -X -Z -e -m -s -S poc -c ":qa!" ==1411416==...
Use of Out-of-range Pointer Offset
Description Using out-of-range Pointer Offset occurs in unixexpandpath. commit : e89bfd212b21c227f026e467f882c62cdd6e642d Proof of Concept $ echo -ne "c2UgbWwgd2ljCnRj+42NjaYq" | base64 -d poc valgrind $ /valgrind/vg-in-place -s /vim-debug/src/vim.debug -u NONE -i NONE -n -X -Z -e -m -s -S poc -c...
Improper Authorization in webmin/webmin
Description The /cron/saveallow.cgi endpoint is accessible to any authenticated low privilege users resulting in controlling user access to cron jobs. They could allow and deny other users access to cron jobs affecting the Scheduled Cron Jobs module. Proof of Concept Affected Endpoint: GET...
Improper Access Control in zulip/zulip
Description According to the current design of the application, when the user wants to get value of apikey, API /json/fetchapikey will require password to authentication. However, the application exists another API routed at /json/users/me/apikey/regenerate that allows regenerating apikey value a...
in unshiftio/url-parse
Description Incorrect conversion of @ in protocol in the href leads to improper validation of hostname. Proof of Concept Url-parse is not able to verify broken protocol. This will allow to bypass hostname validation. parse = require'url-parse' console.logparse"http:@/127.0.0.1" Now imagine if the...
Path Traversal in pimcore/pimcore
Description The application doesn't perform a check/filter against the value of "importFile" parameter at endpoint "/admin/translation/import". After the API is executed, PHP unlink function will proceed to delete the file. Proof of Concept - Step 1: Login as admin at...
Improper Access Control in phpipam/phpipam
Description In phpIPAM 1.4.5, a normal user with the role of User could download or export IP subnets that may contain sensitive information related data such as IP address, IP state, MAC, owner, hostname and device via export-subnet.php endpoint. The bug is the export-subnet.php should verify th...
in vim/vim
Description A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build lastest commit hash...
in mruby/mruby
Description There is a NULL Pointer Dereference in ivfree src/variable.c:232:20. This bug has been found on mruby lastest commit hash 31fa3304049fc406a201a72293cce140f0557dca on Ubuntu 20.04 for x8664/amd64. Proof of Concept 6.times3.times%until-break b= 0,m:0 s=0 Steps to reproduce 1- Clone repo...
Open Redirect in microweber/microweber
Description An Open Redirect vulnerability enables attacker to redirect the victims/users to malicious websites. Proof of Concept 1. Visit https://demo.microweber.org/demo/api/logout?redirectto=https://example.com It will redirect you to example.com Impact Attackers can use it in phishing campaig...
Server-Side Request Forgery (SSRF) in dompdf/dompdf
Description DomPDF uses filegetcontents to obtain HTTP files when allowurlfopen is "On". On default contexts, filegetcontents will redirect whenever served with a 302 response. When developers use DomPDF with isRemoteEnabled set to "true" and allowurlfopen set to "true", but restrict IP addresses...
Cross-site Scripting (XSS) - Stored in yogeshojha/rengine
✍️ Description 'Delete Scheduled Task' confirmation model executes javascript as part of the name of a scan engine. 🕵️♂️ Proof of Concept 1. Name a scan engine as a XSS payload. Example: 2. Schedule a scan for any target using the created scan engine. 3. Try to delete the scheduled task Location...
Cross-site Scripting (XSS) - Reflected in zoujingli/thinkadmin
✍️ Description The Application is Vulnerable to reflected XSS Attack. 🕵️♂️ Proof of Concept Open the following page in the browser as admin. The 商品名称 field is vulnerable to reflected XSS. An alert box is displayed as PoC...
Inefficient Regular Expression Complexity in liriliri/licia
✍️ Description A ReDoS regular expression denial of service flaw was found in the licia package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU. Similar to https://nvd.nist.gov/vuln/detail/CVE-2020-28500 🕵️♂️...
Code Injection in laravel/framework
✍️ Description Function injection in Illuminate\Validation\Rules\RequiredIf can be exploited to generate gadget chains for deserialization vulnerabiltiies. 🕵️♂️ Proof of Concept ?php use Illuminate\Validation\Rules\RequiredIf; require"vendor/autoload.php"; $gadget = serializenew...
Denial of Service in sebhildebrandt/systeminformation
Description systeminformation is vulnerable to Denial of Service. It is possible to overwrite the ping command parameters, which results in too long execution. Proof of Concept Create a .js file with the content below and run it. javascript const si = require'systeminformation'; si.inetLatency"-c...
Denial of Service in locutusjs/locutus
Description locutus is vulnerable to ReDoS. The regular expression at src/php/network/inetpton.js:24 is vulnerable to ReDoS. It is possible to cause increasing slow-downs which lock the event loop by passing strings which have some number of repeating a characters followed by a . character. For...
Cross-Site Request Forgery Vulnerability in Logout Functionality
Description Logout CSRF is a security vulnerability where an attacker forces a user to unknowingly log out of their session by tricking them into triggering a logout request through a malicious website or link. The csrftoken for the logout interface is invalid, it is recommended to change it to...
Store XSS in Widgets and pages
Description I noticed that you filtered the comment very carefully. But there are still some parts you missed Proof of Concept 1 .Login with admin 2 .Go to "https://demo.instantcms.io/admin/widgets" 3 . Insert payload in Position name and Title test" onmouseover = "alertdocument.cookie 4 .Click...
Secret information exfiltration by hard coding twitter API keys
Description Secret information used for API calls was embedded in the microweber source code. PoC It's hardcoded in the source code below. - https://github.com/microweber/microweber/blob/master/userfiles/modules/twitterfeed/functions.php php $oauthaccesstoken =...
Desktop APP RCE via saveDraft IPC
🔒️ Requirements The user must load a malicious project. 📝 Description In version 20.3.3 commit 5383c20e947fd772668316e407edc5d5db4850db, the shell=true option is added to a spawn execution. This is really dangerous has it allows a malicious user to execute commands even from attributes. Example: j...
all user password hash is disclosed
Proof of Concept login to admin account and then visit https://demo.pimcore.fun/admin/customermanagementframework/customers/detail?id=1016&filteroperator-customer=AND&filteroperator-segments=AND&filtershowSegments0=832&filtershowSegments1=833&filtershowSegments2=874&filterDefinitionid=1 able to...
Unhandled SWF Tags in MP4Box: Potential Vulnerability in GPAC
An unhandled series of SWF tags have been identified in the MP4Box software, which is part of the GPAC multimedia framework. These tags are not properly processed, leading to potential vulnerabilities such as denial of service, buffer overflows, or other malicious attacks. POC: ./MP4Box -dash 100...
segmentation fault in regexp.c:1788
Description SIGSEGV raised on regtilde function at regexp.c. As the function processes the tainted string inside the poc file, constant calls to the alloc function with ever-increasing size actually exhausts memory and the process terminates. At last negative size value is assigned. Version $ git...
Stored XSS in Email Blacklist Function
Description Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XS...
Divide By Zero in function adjust_skipcol
Description Divide By Zero in function adjustskipcol at move.c:1978 vim version git log commit 7193323b7796c05573f3aa89d422e848feb3a8dc HEAD - master, tag: v9.0.1223, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocdbz01s.dat -c :qa! Floating point exception GDB gdb...
CSRF allows attacker trigger admin add HOST user lead to takeover memos application
Description This vuln allow attacker trigger admin submitting a malicious request to create new user with any role. Proof of Concept 1. Attacker create malicious script with csrf payload and upload it to attacker server httpx://attacker.server/csrf.html 2. Attacker send this link to memos admin 3...
Users can edit and delete all other user shortcuts
Description Users can edit and delete all other user shortcuts Proof of Concept Step 1. Log in as user A and make a shortcuts Step 2. View shortcut information including: ID, rowStatus, title, payload... For ex: user A creates a shortcut with ID 10 Step 3. Log in as user B and make a shortcuts...
Email exposure of users to an authorized user
Description Hello, this is an endpoint that leaks all the information of the users like names, email, role, and OpenID to an authenticated user Steps to reproduce 1 build the web app 2 either you host it locally or on a server 3 try to add users with their data 4 visite...
XSS by uploading svg files
Description Hi there, Your project has a function of uploading files.That is the section named "Resource".But it does not filter the content of the uploaded files. If we upload an svg file containing malicious data and a user accesses it, xss will be triggered. Video Please visit my video link...
Stored XSS via SVG File
Description usememos has a feature to upload file and display it. By uploading a crafted SVG files, the users can perform Stored XSS attack with the image direct link. Copy the following code and save as filename.svg. Proof of Concept filename.svg alertdocument.location; 1. Login as user 2. creat...
Blind Stored XSS in admin panel (open question page)
Description Blind stored XSS via any unauthorized or anonymous visitor user without any privileges can inject XSS payload in "Add question" page in "Your Name" input field then it will be executed in admin panel in Open Question page Proof of Concept...
No limit in length of "Token name" parameter results in DOS attack /memory corruption
Proof of Concept 1Go to https://rdiffweb-dev.ikus-soft.com/prefs/tokens endpoint . 2You will see a field called "Token name" 3Here you will see that there is no limit for the "Token name" parameter that allows a user to to set a very long string as long as 1 million characters . 4This may possibl...
Exposure of "Forgot Password" Token on Threads Controller Leads to Account Takeover
Description Hello there! Hope you are doing great! I kept looking for issues that are similar to CVE-2022-3019, and ended up finding one more, it's in the Thread entity, and I found it by looking at the /api/threads/:appid/all endpoint. It retrieves sensitive information about every user that's i...
Undefined behavior in diff_write_buffer()
Description Undefined behavior. commit hash: 99af91e5820c78a196c9272cd8ce5aa5be7bf374 It may occur heap-buffer-overflow. Proof of Concept Download POC file POC GDB gdb-peda$ r -u NONE -i NONE -n -m -X -Z -e -s -S undefinedpoc -c :qa! 0000089bd31 in diffwritebuffer buf=0x62500000f100, din= at...
Heap-based buffer overflow in function vim_iswordp_buf
Description Heap-based buffer overflow in function vimiswordpbuf at charset.c:835 Version commit fee0c4aa99eb0a7a801dade758ce5e04b48c15d1 HEAD - master, origin/master, origin/HEAD Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc196min ...
Out-of-bounds Read in function utf_ptr2char
Description Out-of-bounds Read in function utfptr2char at mbyte.c:1794 vim version git log commit 324478037923feef1eb8a771648e38ade9e5e05a HEAD - master, tag: v9.0.0042, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocobr5s.dat -c :qa!...
Heap Use After Free in function skipwhite
Description Heap Use After Free in function skipwhite at charset.c:1428 vim version git log commit 324478037923feef1eb8a771648e38ade9e5e05a HEAD - master, tag: v9.0.0042, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf4s.dat -c :qa!...
Lack of Character Limit in Notes Sections Leads to Denial of Service
Description The InvenTree application allows for the inclusion of notes for various objects in the application. The notes functionality does not include a character limit. An attacker can submit an infinite number of characters into the notes section, which causes a denial of service and increase...
Path Traversal vulnerability on the endpoint '/info/refs'
Summary It seems "gogs" suffers from a Path Traversal which may lead a malicious user to access another legitimate user's git config files or issue a couple of git commands on its behalf. Steps to reproduce and Proof of Concept 1. I created two users sim4n6 and sim4n62. 2. From sim4n6 dashboard...
Heap-based Buffer Overflow in function vim_regsub_both
Description Heap-based Buffer Overflow in function vimregsubboth at regexp.c:1954 vim version git log commit 4d97a565ae8be0d4debba04ebd2ac3e75a0c8010 HEAD - master, tag: v8.2.5037, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobw5s.dat -...
Buffer Over-read in function utf_ptr2char
Description Buffer Over-read in function utfptr2char at mbyte.c:1794 vim version git log commit 31d9948e3a2529c2f619d56bdb48291dc261233d HEAD - master, tag: v8.2.5026, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch10ns.dat -c :qa!...
NULL Pointer Dereference in function vim_regexec_string
Description NULL Pointer Dereference in function vimregexecstring at regexp.c:2733 allows attackers to cause a denial of service application crash via a crafted input. vim version git log commit 31ad32a325cc31f0f2bdd530c68bfb856a2187c5 HEAD - master, tag: v8.2.4949, origin/master, origin/HEAD...