Use of predictable RNG for password generation
Description pkp-lib implements a password-generation function with the following line of code being integral to its functionality: PHP for ... `$password .= mt_rand(1, 4) == 4 ? $numbers[mt_rand(0, strlen($numbers) - 1)] : $letters[mt_rand(0, strlen($letters) - 1)];` This relies upon `mt_rand(low, high);` to generate a...
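The report above is about a Mersenne Twister (PHP's mt_rand) being used as a password source. The following is an added example, not pkp-lib's code: it reproduces the same 1-in-4-digits-else-letter pattern on top of Python's MT19937 (`random.Random`, used here in place of mt_rand), shows that an attacker who sees one generated password can brute-force the seed and predict the next password issued by the same generator state, and contrasts that with a `secrets`-based generator. The password length, alphabet and the 16-bit seed space are assumptions chosen to keep the search quick; PHP seeds mt_rand from a 32-bit value, so the same attack there is larger but still feasible.

```python
"""Added example (not pkp-lib code): a seeded Mersenne Twister is a
predictable password source; the fix is a CSPRNG.  The seed space,
alphabet and length below are assumptions for the demo."""
import random
import secrets
import string

LETTERS = string.ascii_letters
NUMBERS = string.digits
LENGTH = 8


def mt_password(rng, length=LENGTH):
    """Mirror of the vulnerable pattern: a digit with probability 1/4,
    otherwise a letter, every choice drawn from a Mersenne Twister."""
    out = []
    for _ in range(length):
        if rng.randint(1, 4) == 4:
            out.append(NUMBERS[rng.randint(0, len(NUMBERS) - 1)])
        else:
            out.append(LETTERS[rng.randint(0, len(LETTERS) - 1)])
    return "".join(out)


def recover_seed(observed, seed_space):
    """Brute-force the seed whose first generated password matches the
    one the attacker observed (e.g. her own account's password)."""
    for seed in range(seed_space):
        if mt_password(random.Random(seed)) == observed:
            return seed
    return None


def predict_next(seed, count):
    """Replay the generator from the recovered seed, skip the password
    already seen, and emit the passwords that follow it."""
    rng = random.Random(seed)
    mt_password(rng)
    return [mt_password(rng) for _ in range(count)]


def secure_password(length=LENGTH):
    """Hardened form: every character from the OS CSPRNG; no seed to recover."""
    alphabet = LETTERS + NUMBERS
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo(seed=12345, seed_space=1 << 16):
    """Simulate one process generating two passwords in a row: the attacker
    sees the first, the victim gets the second.  Seed is an assumption."""
    rng = random.Random(seed)
    leaked = mt_password(rng)
    victim = mt_password(rng)
    found = recover_seed(leaked, seed_space)
    predicted = predict_next(found, 1)[0] if found is not None else None
    return {"leaked": leaked, "victim": victim, "seed": found, "predicted": predicted}


if __name__ == "__main__":
    print(demo())
    print("secure:", secure_password())
```

The important property is not the size of the search but that a search exists at all: any generator whose whole future is fixed by a small seed lets one observed output stand in for all the others. `secrets` (or `random_int`/`random_bytes` in PHP) draws from the kernel CSPRNG and has no such seed.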
Out of bounds read in VobSub loader
Description The gpac VobSub parser takes a FILE handle and attempts to load the information from that file into its memory. The main focus of this report revolves around the first few lines of the function and how they make some assumptions about buffer sizes that allows for an out-of-bounds read...
Improper Control of Generation of Code
Description Kimai Plugin EasyBackupBundle allows admins to edit mysql commands from the configuration tab, an attacker can append arbitrary commands to achieve code execution. This can be also extended to an arbitrary file read while specifying filenames such as /etc/passwd in backup. Proof of...
youtube service is vulnerable to XSS vulnerability
Description If an attacker is able to insert a div with attributes on a page where the youtube service is enabled, they can craft a width attribute that would allow them to execute arbitrary JS on the page. Other attributes like theme or controls are also vulnerable to this. Proof of Concept html...
Fossbilling is Vulnerable to HTML Injection During the Generation of Invoices, Which Leads To An Open Redirect Vulnerability.
Description FOSSBilling suffers from a lack of sanitization in the handling of admin input values. This issue manifests when clients attempt to generate invoices for their orders. Specifically, in the PDF generation of invoices, the company name, editable through the admin portal, is included. An...
attackers with role "USER" can create tags
Description It seems that users with the role "USER" have no permission to create tags, but we do not enforce it. Other operations, like edit and delete, have no problem. Proof of Concept pull the latest docker and set up answer 1 create a user with name "normaluser", whose role is "USER" 2 admin...
Reflected XSS in date
Description There is a reflective XSS on the FOSSBilling admin screen. Proof of Concept By accessing the following URL, it is possible to execute any script on the browser of the logged-in administrator user. URL:...
CSV Injection while export users
1 admin adds a client, or a client signs up. 2 the client logs in and edits himself 3 the client changes his COMPANY to "=1+cmd|'/C calc'!A0" 4 admin goes to export the client as a csv file 5 admin opens the csv and we can see that the calculator is opened. see...
CSV Injection while export users
1 admin adds a user, or a user signs up. 2 the user logs in and edits himself 3 the user changes his realname to "=1+cmd|'/C calc'!A0" 4 admin goes to export the users as a csv file 5 admin opens the csv and we can see that the calculator is opened. see https://owasp.org/www-community/attacks/CSVInjectio...
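Both CSV-injection reports above (the client "COMPANY" field and the user "realname" field) have the same root cause: a value that starts with `=`, `+`, `-`, `@`, tab or carriage return is interpreted as a formula by the spreadsheet that opens the export. The block below is an added example, not FOSSBilling's code, of the export-side mitigation from the OWASP page the reports cite: prefix such cells with a single quote so they are stored as text, and quote every field so a value cannot break out of its cell. The sample rows and column names are constructed for the demo.

```python
"""Added example (not FOSSBilling code): neutralise spreadsheet formula
injection when user-controlled fields are exported to CSV.  Sample rows
below are constructed for the demo."""
import csv
import io

# Leading characters that make Excel / LibreOffice evaluate a cell as a
# formula (OWASP CSV Injection).  Tab and CR are included because some
# spreadsheets strip them and then evaluate what follows.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return a cell value that a spreadsheet will treat as plain text.
    A leading single quote marks the cell as a string; csv.QUOTE_ALL in the
    writer takes care of embedded commas, quotes and newlines."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        text = "'" + text
    return text


def export_users(rows, fields):
    """Serialise dict rows to CSV with every user-supplied cell neutralised."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({f: neutralise_cell(row.get(f)) for f in fields})
    return buf.getvalue()


# Constructed sample: row 2 carries the payload from the reports above.
SAMPLE_USERS = [
    {"id": 1, "realname": "Alice Example", "company": "Example Ltd"},
    {"id": 2, "realname": "=1+cmd|'/C calc'!A0", "company": "@SUM(1+1)"},
    {"id": 3, "realname": "Bob, \"the\" builder", "company": "-1"},
]
FIELDS = ["id", "realname", "company"]


if __name__ == "__main__":
    print(export_users(SAMPLE_USERS, FIELDS))
```

The `-` prefix is a known nuisance: genuinely negative numbers in a free-text column also get the quote. Apply `neutralise_cell` to columns that hold user-entered strings and leave numeric columns the application itself produces alone, or accept that they are exported as text.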
Broken Access Control on Private Message Function
Description There are 2 issues I found in one function. A = admin B = user1 C = attacker. Scenario 1: A sends a private message to B with subject "testing". B or C can change the subject; this will disturb the integrity of the messages as long as they know the message UUID. Scenario 2: A send private...
Open Redirect via deskDomain
Description This vulnerability occurs because the desired domain value can be inserted into the A tag through deskDomain manipulation. javascript `if (window.location.hash != null && window.location.hash.substring(0, 9) == 'TICKETS') { try { var temp = JSON.parse(decodeURIComponent(...`
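The report above is an open redirect: a client-supplied domain ends up as a link target. As an added example (not HESK's own code), the function below shows the server-side check that should sit in front of any user-controlled redirect or link target: accept only `http`/`https` URLs whose host is on an allow-list, or a purely path-relative target, and reject the usual bypasses (scheme-relative `//evil`, backslash confusion, credentials-before-`@`, non-HTTP schemes). The allow-listed hosts and the sample inputs are assumptions.

```python
"""Added example (not HESK code): validate a user-controlled redirect or
link target before emitting it.  ALLOWED_HOSTS is an assumption."""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"helpdesk.example.com", "www.example.com"}


def safe_redirect_target(candidate, default="/"):
    """Return `candidate` if it is safe to redirect to, else `default`.

    Safe means: an absolute http(s) URL whose host is allow-listed, or a
    path-relative target on the current origin.  Everything else (other
    schemes, foreign hosts, '//host' scheme-relative URLs, 'user@host'
    tricks) falls back to the default local path.
    """
    if not candidate:
        return default
    # Browsers treat '\' as '/', so 'https:/\evil.com' would be parsed here
    # as a path but opened by the browser as a host.  Normalise first.
    cleaned = candidate.strip().replace("\\", "/")
    parts = urlsplit(cleaned)

    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return default          # javascript:, data:, ftp:, ...
        if parts.hostname not in ALLOWED_HOSTS:
            return default          # foreign host, including 'allowed@evil'
        return urlunsplit(parts)

    # No scheme: only a same-origin path is acceptable.  '//evil.com/x' has
    # an empty scheme but a netloc, and would leave the site.
    if cleaned.startswith("/") and not cleaned.startswith("//") and not parts.netloc:
        return cleaned
    return default


# Constructed sample of inputs a tester would try against the check.
SAMPLE_TARGETS = [
    "https://helpdesk.example.com/tickets?id=1",
    "/tickets/1",
    "//evil.example/phish",
    "https://helpdesk.example.com@evil.example/",
    "https:\\\\evil.example/",
    "javascript:alert(document.domain)",
    "evil.example",
]


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:50} -> {safe_redirect_target(t)!r}")
```

Allow-listing hosts rather than rejecting known-bad patterns is the point: every bypass listed in the comments is something a deny-list has missed in the past.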
Reflected XSS
Description An attacker can steal the session token of any user by exploiting reflected XSS. Proof of Concept Send GET request to any of the below links. http://target/templates/pages/debugpanel.php?id=xss"alertdocument.cookie http://target/templates/pages/debugpanel.php?id=xss"alert'xss' Send PO...
XSS Reflected via import file funtion
Description The application imports data from the file without cleaning the data inside before processing, resulting in JavaScript code that can be injected and triggered when the victim executes the function. Proof of Concept Step1: The attacker creates a .csv file containing a payload to...
Stored XSS via user's Full Name
Description The user's full name is rendered as HTML during user deletion. This enables a user to add JavaScript code to the username, which can then be executed in the admin's webpage during user deletion. Proof of Concept - Login as a normal user and change the Full name to: javascript "...
Unauthorized access to Survey menu entries
Description The application is not properly verifying the authorization of users accessing survey menu entries. Proof of Concept 1. Login as a user with limited privilege. In my case the user permission is set as follows and has no access to surveys. 2. Visit...
SQL injection in searchArticles function
Description The searchArticles function in the KB module makes a call to the getSimpleResultSet function, with the perpage parameter taken from the user without sanitizing before entering the query, leading to the attacker being able to manipulate the query. Proof of Concept GET...
Reflected XSS via "importFormat" parameter
Description Please enter a description of the vulnerability. Proof of Concept - Login as administrator or any user with access to User import/export feature. - Visit the following URL...
Remote Code Execution via File upload
Description In the theme settings function, any file can be uploaded without any filter, resulting in an arbitrary php file being uploaded. Proof of Concept POST /admin/theme/huraga HTTP/1.1 Host: localhost Content-Type: multipart/form-data;...
CSRF in Question Themes function
Description The web application is vulnerable to CSRF in the toggle visibility of question themes. Proof of Concept Step 1: Login as user who has permission to access themes function. Step 2: Host an HTML trap page and send the URL to the victim `history.pushState('', '', '/'); document.forms[0].submi...`
The user can put their survey in the survey groups even though this survey group is not in public mode
Description The user can put their survey in the survey groups even though this survey group is not in public mode Proof of Concept Step 1: The survey group SG03 isn't in public mode Step 2: In the "Survey groups" tab, User2, with only survey permission, sees only the survey group Default Step ...
Improper Authorization in add role function leads to privilege escalation
Description The application improperly performs user authorization, resulting in a user with the user management role being able to modify their own permissions or those of others. Proof of Concept Step1: The highest-level administrator or an administrator with the permission to create roles...
Incorrect Authorization to Stored XSS in Import User Role function
Description The application incorrectly checks user permissions, enabling the attacker to use the 'import file user roles' functionality, which contains a payload for executing JavaScript code, without requiring any specific privileges. Proof of Concept Step1: Even without the privilege to manage...
Vulnerable CKEditor used on version 4.2.9
Description When attaching an image in the mail feature, the upload uses a vulnerable CKEditor version that leads to RCE. Proof of Concept 1. Go to messages, 2. Write email 3. add image 4. Upload the php file. 5. access the uploaded php file in /admmyfiles/mail/images/ // PoC.js Content-Disposition:...
Cross-Site Request Forgery lead to lock and unlock Album
Description Attacker is able to lock or unlock any album with this CSRF attack. Proof of Concept 1. Admin should already be logged in in the browser 2. Open the CSRF.html `document.forms[0].submit();` The album b9131a9d-577e-4f06-b87e-5af30714b25b will be unlocked Acknowledge Tran Van Nhan from bl4ckh0l3 of Galaxy...
Stored XSS on Survey "Notification and data function"
Description Users with edit and update survey permission can perform an XSS Proof of Concept Log in with any user with this permission Update the "Send basic admin notification email to" field with this value test" Access the survey and the payload will be triggered...
Improper Authorization in Export role function
Description The application controls user rights incorrectly, leading to the attacker being able to collect sensitive information. Proof of Concept Step1: The administrator user accesses the user role management function and performs the 'export role' operation. Step2: Upon observation, a HTTP...
IDOR in Group members
Description By manipulating the ugid, a user who is not in the group can view the members list of the group Proof of Concept Step 1: Go to User Group function, see that this user can only view these two groups. Step 2: Click on View a group, manipulate the ugid, confirm that this user can view the Group...
Stored XSS in label function
Description By injecting the payloads into the dataToSend fields, users who visit the "Label sets list" screen may be compromised Proof of Concept Step 1: Login as a user who has permission to edit the Label. Go to the label function and view a label Step 2: Inject the payload into the Code field as the...
Stored XSS in Title
Description Spina's admin screen has an embedded XSS in the title of the page. By embedding arbitrary JavaScript code in the function of Paguri, arbitrary scripts can be executed on the browser when the administrator user who accessed the page deletes the page. Proof of Concept Step 1. Access the...
Exposure of version installed on the system
Description Users can check the version of Admidio installed on the system. Proof of Concept Go to http:///admprogram/modules/preferences/updatecheck.php?mode=2 Acknowledge Tran Van Nhan from bl4ckh0l3 of GalaxyOne...
CSRF in the delete notification function
Description The web application is vulnerable to CSRF in the delete notification function. Proof of Concept Step 1: See that user demo has some notifications. Step 2: Host an HTML trap page and send the URL to the victim `history.pushState('', '', '/'); document.forms[0].submit();` And the malicious URL...
IDOR in notification function
Description By manipulating the notId, a user can view the notification of other users Proof of Concept Step 1: Login as user demo, click on a notification and see that the notification has a notId as 227. Step 2: Open another browser and login as user. Step 3: Access the URL to view the...
Path Traversal in uploadAttachment
POC: see https://1drv.ms/v/s!Avwg5C1eKVA4gl3LF2hgRyVNrSqk?e=DHbHKF We also contacted the maintainer through email lujie.ac.cn...
Dos via Document Comments
Description An attacker can abuse the document comment functionality, handled by the /api/comments.create API endpoint, since there is no size check or validation of the comment contents, which allows an attacker to send a comment with an almost unlimited number of characters (1MB max POST size...
Stored XSS at Search page
Description Create a new item with an XSS payload. Then go to the Search page; the XSS vulnerability will be triggered. Proof of Concept https://drive.google.com/file/d/1OB11FmQvy2-qRI9r1BlavKUxJ4kaMjp/view?usp=sharing Acknowledge Tran Van Nhan from bl4ckh0l3 of GalaxyOne...
Reflected XSS in /editor_tools/rte_image_editor
Description Reflected Cross-Site Scripting Vulnerability in types GET parameter on the /editortools/rteimageeditor endpoint Proof of Concept in File microweber/userfiles/modules/microweber/toolbar/editortools/rteimageeditor/index.php on Line 15, we can observe the source `$_GET['types']` being saved...
Stored XSS
Description: The application contains a stored XSS vulnerability, which allows an attacker to inject and execute malicious scripts within the application. The vulnerability occurs due to improper input validation and output encoding mechanisms, which fail to adequately sanitize and encode...
DOM Cross Side Scripting
Description Hello team, Recently I found a DOM XSS on the profile language field Proof of Concept Video poc: https://screencast-o-matic.com/watch/c01067VBWlV Steps: 1. Login as simple user 2. Click on settings and select profile tab. 3. Click on change language as 'english' and...
Secret information exfiltration by hard coding twitter API keys
Description Secret information used for API calls was embedded in the microweber source code. PoC It's hardcoded in the source code below. - https://github.com/microweber/microweber/blob/master/userfiles/modules/twitterfeed/functions.php php `$oauth_access_token =`...
Remote Command Execution by Improper Escaping of Output
Description Improper Encoding or Escaping of Output in Froxlor export configuration. Hackers can use it to create a json file with PHP code inside, then trigger the code by setting php-fpm to process the .json extension. php `foreach ($_POST['system'] as $sysdaemon) { $params['system'] = $sysdaemon; $paramscontent ...`
Confidential information provided to user with no permissions
Description Unauthorized users are able to obtain sensitive information about the system's runtime environment, features they have no permissions to access, etc. Proof of Concept 1. create a new user without any permissions attached 2. do NOT assign any permissions to the user 3. do NOT add any...
Stored XSS on user "Write private message" function
Description An attacker can inject malicious executable scripts into the code of the message field. Proof of Concept Log in as a Member user, access Messages - Write private message function for sending the admin a message. Code: Insert this payload into the message field `test<script>prompt('1')</script>` the...
Stored XSS on user "Category report" function
Description An attacker can inject malicious executable scripts into the code of the Name field Proof of Concept Log in as an admin or any member with the right access to the Category report - Configuration function. Insert this payload into the "Name" field General role assignment" autofocus...
Cross site scripting in Admidio 4.2.9 via headline parameter
Description Cross-site Scripting XSS refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. Proof...
Broken Authentication
Description I tested the demo site you provided. I see that there is a Broken Authentication vulnerability in Administration: CPU stats API. The Administration: CPU stats API does not validate user permissions. Proof of Concept link video PoC https://screenpal.com/watch/c01F1bVBmX1 Step 1. In t...
Stored XSS on user "Edit own profile" function
Description An attacker can inject malicious executable scripts into the code of the Social media field Proof of Concept Log in as a Member user, access My profile - Edit own profile function, insert this payload into any field `" autofocus onfocus=prompt(document.domain)` then click Save. Access the...
Improper handling of input value leads to Remote Code Execution or Denial of Service
Description Some value in some input field was directly inserted into a file called "tp.config.php"; an attacker can inject malicious PHP code to perform a remote code execution attack. Proof of Concept Go to Settings - MFA - Duo Security function, input this payload: `',; phpinfo(); ?//` on the...
Able to edit users owned by other administration users
Description Exploiting the 'Take ownership' action on any user, thereby being able to edit all users. Proof of Concept Step 1: We have user1 owned by admin1. Step 2: By doing the 'Take ownership' action, user1 is now owned by admin2 Step 3: Now, admin2 is able to edit user1, and ev...
An agent without permission has the ability to update, add, or delete FAQ items
Description I discovered a vulnerability in the osticket application. When an administrator creates a category and adds some FAQ items, they have the ability to grant update, delete, and add permissions to agents. Once granted access, an agent can login and edit, delete, or add FAQs and record...
Sensitive Cookie Without HttpOnly Flag
Description 1/ Access and login to the demo website: https://demo.fossbilling.org/ 2/ Press F12 on your keyboard or right-click on the website to open dev-tool. 3/ At Application tab, choose Cookies and there is BOXCLR sensitive cookie without HttpOnly flag. Proof of Concept Link image:...