4072 matches found

Huntr
added 2023/07/05 10:42 a.m., 20 views

Use of predictable RNG for password generation

Description pkp-lib implements a password-generation function with the following line of code being integral to its functionality: PHP for ... $password .= mt_rand(1, 4) == 4 ? $numbers[mt_rand(0, strlen($numbers) - 1)] : $letters[mt_rand(0, strlen($letters) - 1)]; This relies upon mt_rand(low, high); to generate a...

CVSS 5.1, AI score 6.9, EPSS 0.00605
Exploits: 1, References: 2
Huntr
added 2023/07/04 7:34 p.m., 20 views

Out of bounds read in VobSub loader

Description The gpac VobSub parser takes a FILE handle and attempts to load the information from that file into its memory. The main focus of this report revolves around the first few lines of the function and how they make some assumptions about buffer sizes that allow for an out-of-bounds read...

CVSS 3.3, AI score 7, EPSS 0.00325
Exploits: 1
Huntr
added 2023/07/03 1:47 p.m., 12 views

Improper Control of Generation of Code

Description Kimai Plugin EasyBackupBundle allows admins to edit mysql commands from the configuration tab; an attacker can append arbitrary commands to achieve code execution. This can also be extended to an arbitrary file read by specifying filenames such as /etc/passwd in the backup. Proof of...

AI score 7.4
Exploits: 0
Huntr
added 2023/07/02 7:14 p.m., 17 views

youtube service is vulnerable to XSS vulnerability

Description If an attacker is able to insert a div with attributes on a page where the youtube service is enabled, they can craft a width attribute that would allow them to execute arbitrary JS on the page. Other attributes like theme or controls are also vulnerable to this. Proof of Concept html...

CVSS 4.9, AI score 7.4, EPSS 0.00469
Exploits: 1
Huntr
added 2023/07/01 7:37 p.m., 30 views

Fossbilling is Vulnerable to HTML Injection During the Generation of Invoices, Which Leads To An Open Redirect Vulnerability.

Description FOSSBilling suffers from a lack of sanitization in the handling of admin input values. This issue manifests when clients attempt to generate invoices for their orders. Specifically, in the PDF generation of invoices, the company name, editable through the admin portal, is included. An...

CVSS 4.3, AI score 6.9, EPSS 0.00646
Exploits: 0, References: 2
Huntr
added 2023/07/01 2:48 p.m., 24 views

attackers with role "USER" can create tags

Description It seems that users with the role "USER" have no permission to create tags, but we do not enforce it. Other operations, like edit and delete, have no problem. Proof of Concept pull the latest docker and set up answer 1 create a user with name "normaluser", whose role is "USER" 2 admin...

CVSS 4, AI score 6.7, EPSS 0.00538
Exploits: 1
Huntr
added 2023/07/01 3:22 a.m., 24 views

Reflected XSS in date

Description There is a reflected XSS on the FOSSBilling admin screen. Proof of Concept By accessing the following URL, it is possible to execute any script in the browser of the logged-in administrator user. URL:...

CVSS 5.8, AI score 6.6, EPSS 0.00884
Exploits: 1, References: 1
Huntr
added 2023/06/30 10:50 a.m., 16 views

CSV Injection while exporting users

1 admin adds a client, or a client signs up. 2 the client logs in and edits himself 3 the client changes his COMPANY to "=1+cmd|'/C calc'!A0" 4 admin goes to export the client as a csv file 5 admin opens the csv and we can see that the calculator is opened. see...

CVSS 6, AI score 6.8, EPSS 0.00526
Exploits: 0
Huntr
added 2023/06/30 5:41 a.m., 20 views

CSV Injection while exporting users

1 admin adds a user, or a user signs up. 2 the user logs in and edits himself 3 the user changes his realname to "=1+cmd|'/C calc'!A0" 4 admin goes to export the users as a csv file 5 admin opens the csv and we can see that the calculator is opened. see https://owasp.org/www-community/attacks/CSVInjectio...

CVSS 7.5, AI score 6.2, EPSS 0.00677
Exploits: 0
Huntr
added 2023/06/29 10:57 p.m., 6 views

Broken Access Control on Private Message Function

Description There are 2 issues I found in one function. A = admin B = user1 C = attacker. Scenario 1: A sends a private message to B with subject "testing". B or C can change the subject; this will disturb the integrity of the messages as long as they know the message UUID. Scenario 2: A sends a private...

AI score 6.9
Exploits: 0
Huntr
added 2023/06/29 9:40 p.m., 14 views

Open Redirect via deskDomain

Description This vulnerability occurs because the desired domain value can be inserted into the A tag through deskDomain manipulation. javascript if (window.location.hash != null && window.location.hash.substring(0, 9) == 'TICKETS') { try { var temp = JSON.parse(decodeURIComponent...

AI score 7
Exploits: 0
Huntr
added 2023/06/29 4:45 p.m., 23 views

Reflected XSS

Description An attacker can steal the session token of any user by exploiting reflected XSS. Proof of Concept Send a GET request to any of the below links. http://target/templates/pages/debugpanel.php?id=xss"alertdocument.cookie http://target/templates/pages/debugpanel.php?id=xss"alert'xss' Send PO...

CVSS 5.8, AI score 6.9, EPSS 0.01293
Exploits: 1
Huntr
added 2023/06/29 12:18 p.m., 8 views

Reflected XSS via import file function

Description The application imports data from the file without cleaning the data inside before processing, resulting in javascript code that can be injected and triggered when the victim executes the function. Proof of Concept Step1: The attacker creates a .csv file containing a payload to...

AI score 6.6
Exploits: 0
Huntr
added 2023/06/29 11:30 a.m., 17 views

Stored XSS via user's Full Name

Description The user's full name is rendered as HTML during user deletion. This enables a user to add Javascript code in the username which can then be executed in the admin's webpage during user deletion. Proof of Concept - Login as a normal user and change the Full name to: javascript "...

AI score 6.3
Exploits: 0, References: 1
Huntr
added 2023/06/29 8:52 a.m., 9 views

Unauthorized access to Survey menu entries

Description The application is not properly verifying the authorization of users accessing survey menu entries. Proof of Concept 1. Login as a user with limited privilege. In my case the user permission is set as follows and has no access to surveys. 2. Visit...

AI score 6.7
Exploits: 0, References: 1
Huntr
added 2023/06/29 8:45 a.m., 15 views

SQL injection in searchArticles function

Description The searchArticles function in the KB module makes a call to the getSimpleResultSet function, with the perpage parameter taken from the user without sanitizing before entering the query, leading to the attacker being able to manipulate the query. Proof of Concept GET...

CVSS 7.5, AI score 6.8, EPSS 0.00922
Exploits: 1
Huntr
added 2023/06/29 8:12 a.m., 7 views

Reflected XSS via "importFormat" parameter

Description Please enter a description of the vulnerability. Proof of Concept - Login as administrator or any user with access to User import/export feature. - Visit the following URL...

AI score 6.9
Exploits: 0, References: 1
Huntr
added 2023/06/29 4:11 a.m., 14 views

Remote Code Execution via File upload

Description In the theme settings function, any file can be uploaded without any filter, resulting in an arbitrary php file being uploaded. Proof of Concept POST /admin/theme/huraga HTTP/1.1 Host: localhost Content-Type: multipart/form-data;...

CVSS 6.5, AI score 6.9, EPSS 0.00889
Exploits: 1, References: 1
Huntr
added 2023/06/29 3:32 a.m., 12 views

CSRF in Question Themes function

Description The web application is vulnerable to CSRF in the toggle visibility of question themes. Proof of Concept Step 1: Log in as a user who has permission to access the themes function. Step 2: Host an HTML trap page and send the URL to the victim history.pushState('', '', '/'); document.forms[0].submi...

AI score 6.8
Exploits: 0
Huntr
added 2023/06/28 10:17 p.m., 8 views

The user can put their survey in the survey groups even though this survey group is not in public mode

Description The user can put their survey in the survey groups even though this survey group is not in public mode Proof of Concept Step 1: The survey group SG03 isn't in public mode Step 2: In the "Survey groups" tab, User2 with only survey permission only sees the survey group Default Step ...

AI score 6.9
Exploits: 0
Huntr
added 2023/06/28 6:36 p.m., 7 views

Improper Authorization in add role function leads to privilege escalation

Description The application improperly performs user authorization, resulting in a user with the user management role being able to modify their own permissions or those of others. Proof of Concept Step1: The highest-level administrator or an administrator with the permission to create roles...

AI score 6.7
Exploits: 0
Huntr
added 2023/06/28 5:28 p.m., 11 views

Incorrect Authorization to Stored XSS in Import User Role function

Description The application incorrectly checks user permissions, enabling the attacker to use the 'import file user roles' functionality, which contains a payload for executing JavaScript code, without requiring any specific privileges. Proof of Concept Step1: Even without the privilege to manage...

AI score 6.9
Exploits: 0
Huntr
added 2023/06/28 5:00 p.m., 110 views

Vulnerable CKEditor used on version 4.2.9

Description When attaching an image in the mail feature, the upload uses a vulnerable CKEditor version that leads to RCE. Proof of Concept 1. Go to messages, 2. Write email 3. add image 4. Upload the php file. 5. access the uploaded php file in /adm_my_files/mail/images/ // PoC.js Content-Disposition:...

CVSS 5.8, AI score 7, EPSS 0.00835
Exploits: 1
Huntr
added 2023/06/28 4:37 p.m., 11 views

Cross-Site Request Forgery leads to lock and unlock Album

Description An attacker is able to lock or unlock any album with this CSRF attack. Proof of Concept 1. Admin should already be logged in to the browser 2. Open the CSRF.html document.forms[0].submit(); The album b9131a9d-577e-4f06-b87e-5af30714b25b will be unlocked Acknowledge Tran Van Nhan from bl4ckh0l3 of Galaxy...

AI score 6.9
Exploits: 0
Huntr
added 2023/06/28 12:48 p.m., 6 views

Stored XSS on Survey "Notification and data function"

Description Users with edit and update survey permission can perform an XSS Proof of Concept Log in with any user with this permission Update the "Send basic admin notification email to" field with this value test" Access the survey and the payload will be triggered...

AI score 6.8
Exploits: 0
Huntr
added 2023/06/28 12:09 p.m., 14 views

Improper Authorization in Export role function

Description The application controls user rights incorrectly, leading to the attacker being able to collect sensitive information. Proof of Concept Step1: The administrator user accesses the user role management function and performs the 'export role' operation. Step2: Upon observation, an HTTP...

AI score 6.8
Exploits: 0
Huntr
added 2023/06/28 9:47 a.m., 5 views

IDOR in Group members

Description By manipulating the ugid, a user who is not in the group can view the members list of the group Proof of Concept Step 1: Go to the User Group function, see that this user can only view these two groups. Step 2: Click on View a group, manipulate the ugid, confirm that this user can view the Group...

AI score 6.8
Exploits: 0
Huntr
added 2023/06/28 8:28 a.m., 10 views

Stored XSS in label function

Description By injecting the payloads into the dataToSend fields, users who visit the "Label sets list" screen may be compromised Proof of Concept Step 1: Login as a user who has permission to edit the Label. Go to the label function and view a label Step 2: Inject the payload into the Code field as the...

AI score 6.9
Exploits: 0
Huntr
added 2023/06/28 3:50 a.m., 15 views

Stored XSS in Title

Description Spina's admin screen has an embedded XSS in the title of the page. By embedding arbitrary JavaScript code in the function of Paguri, arbitrary scripts can be executed on the browser when the administrator user who accessed the page deletes the page. Proof of Concept Step 1. Access the...

CVSS 4.3, AI score 6.4, EPSS 0.00565
Exploits: 1, References: 1
Huntr
added 2023/06/27 5:32 p.m., 13 views

Exposure of version installed on the system

Description Users can check the version of Admidio installed on the system. Proof of Concept Go to http:///adm_program/modules/preferences/update_check.php?mode=2 Acknowledge Tran Van Nhan from bl4ckh0l3 of GalaxyOne...

AI score 6.9
Exploits: 0
Huntr
added 2023/06/26 3:47 p.m., 12 views

CSRF in the delete notification function

Description The web application is vulnerable to CSRF in the delete notification function. Proof of Concept Step 1: See that user demo has some notifications. Step 2: Host an HTML trap page and send the URL to the victim history.pushState('', '', '/'); document.forms[0].submit(); And the malicious URL...

AI score 6.9
Exploits: 0
Huntr
added 2023/06/26 3:32 p.m., 10 views

IDOR in notification function

Description By manipulating the notId, a user can view the notifications of other users Proof of Concept Step 1: Login as user demo, click on a notification and see that the notification has a notId of 227. Step 2: Open another browser and log in as a user. Step 3: Access the URL to view the...

AI score 6.9
Exploits: 0
Huntr
added 2023/06/26 11:11 a.m., 8 views

Path Traversal in uploadAttachment

PoC: see https://1drv.ms/v/s!Avwg5C1eKVA4gl3LF2hgRyVNrSqk?e=DHbHKF We also contacted the maintainer through email lujie.ac.cn...

AI score 6.9
Exploits: 0
Huntr
added 2023/06/25 9:28 p.m., 8 views

DoS via Document Comments

Description An attacker can abuse the document comment functionality, handled by the /api/comments.create API endpoint, since there is no size check or validation of the comment contents, which allows an attacker to send a comment with almost an unlimited number of characters (1MB max POST size...

AI score 6.7
Exploits: 0
Huntr
added 2023/06/25 5:33 p.m., 17 views

Stored XSS at Search page

Description Create a new item with an XSS payload. Then go to the Search page; the XSS vulnerability will be triggered. Proof of Concept https://drive.google.com/file/d/1OB11FmQvy2-qRI9r1BlavKUxJ4kaMjp/view?usp=sharing Acknowledge Tran Van Nhan from bl4ckh0l3 of GalaxyOne...

CVSS 4.9, AI score 6.3, EPSS 0.00469
Exploits: 1, References: 1
Huntr
added 2023/06/25 8:32 a.m., 28 views

Reflected XSS in /editor_tools/rte_image_editor

Description Reflected Cross-Site Scripting Vulnerability in the types GET parameter on the /editor_tools/rte_image_editor endpoint Proof of Concept in File microweber/userfiles/modules/microweber/toolbar/editor_tools/rte_image_editor/index.php on Line 15, we can observe the source $_GET['types'] being saved...

CVSS 5.8, AI score 5.6, EPSS 0.01061
Exploits: 0
Huntr
added 2023/06/24 5:14 p.m., 14 views

Stored XSS

Description: The application contains a stored XSS vulnerability, which allows an attacker to inject and execute malicious scripts within the application. The vulnerability occurs due to improper input validation and output encoding mechanisms, which fail to adequately sanitize and encode...

AI score 6.5
Exploits: 0
Huntr
added 2023/06/23 11:44 a.m., 13 views

DOM Cross-Site Scripting

Description Hello team, recently I found that there is a DOM XSS on the profile language field Proof of Concept Video poc: https://screencast-o-matic.com/watch/c01067VBWlV Step: 1. Login as simple user 2. Click on settings and select profile tab. 3. Click on change language as 'english' and...

CVSS 4.9, AI score 6.2, EPSS 0.00514
Exploits: 1
Huntr
added 2023/06/22 10:11 p.m., 32 views

Secret information exfiltration by hard-coding twitter API keys

Description Secret information used for API calls was embedded in the microweber source code. PoC It's hardcoded in the source code below. - https://github.com/microweber/microweber/blob/master/userfiles/modules/twitterfeed/functions.php php $oauthaccesstoken =...

CVSS 5, AI score 7.2, EPSS 0.00541
Exploits: 0, References: 3
Huntr
added 2023/06/22 11:47 a.m., 15 views

Remote Command Execution by Improper Escaping of Output

Description Improper Encoding or Escaping of Output in Froxlor export configuration. Hackers can use it to create a json file with PHP code inside, then trigger the code by setting php-fpm to process the .json extension. php foreach ($_POST['system'] as $sysdaemon) { $params['system'] = $sysdaemon; $paramscontent ...

CVSS 5.8, AI score 7.3, EPSS 0.00835
Exploits: 1
Huntr
added 2023/06/19 2:56 p.m., 14 views

Confidential information provided to user with no permissions

Description Unauthorized users are able to obtain sensitive information about the system's runtime environment, features they have no permissions to access, etc. Proof of Concept 1. create a new user without any permissions attached 2. do NOT assign any permissions to the user 2. do NOT add any...

CVSS 4, AI score 6.4, EPSS 0.00551
Exploits: 1
Huntr
added 2023/06/18 10:52 a.m., 5 views

Stored XSS on user "Write private message" function

Description An attacker can inject malicious executable scripts into the code of the message field. Proof of Concept Log in as a Member user, access the Messages - Write private message function for sending admin a message. Code: Insert this payload into the message field testscriptprompt'1'/script the...

AI score 6.5
Exploits: 0
Huntr
added 2023/06/18 9:03 a.m., 6 views

Stored XSS on user "Category report" function

Description An attacker can inject malicious executable scripts into the code of the Name field Proof of Concept Log in as an admin or any member with the right access to the Category report - Configuration function. Insert this payload into the "Name" field General role assignment" autofocus...

AI score 6.5
Exploits: 0
Huntr
added 2023/06/18 7:34 a.m., 29 views

Cross site scripting in Admidio 4.2.9 via headline parameter

Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. Proof...

AI score 6.3
Exploits: 0, References: 1
Huntr
added 2023/06/18 6:48 a.m., 10 views

Broken Authentication

Description I tested the demo site you provided. I see that there is a Broken Authentication vulnerability in Administration: CPU stats API. The Administration: CPU stats API does not validate user permissions. Proof of Concept link video PoC https://screenpal.com/watch/c01F1bVBmX1 Step 1. In t...

AI score 6.8
Exploits: 0, References: 1
Huntr
added 2023/06/18 3:33 a.m., 8 views

Stored XSS on user "Edit own profile" function

Description An attacker can inject malicious executable scripts into the code of the Social media field Proof of Concept Log in as a Member user, access the My profile - Edit own profile function, insert this payload into any field " autofocus onfocus=promptdocument.domain then click Save. Access the...

AI score 7
Exploits: 0
Huntr
added 2023/06/17 6:09 p.m., 27 views

Improper handling of input value leads to Remote Code Execution or Denial of Service

Description Some value in some input field was directly inserted into a file called "tp.config.php"; an attacker can inject malicious PHP code to perform a remote code execution attack. Proof of Concept Go to the Settings - MFA - Duo Security function, input this payload: ',; phpinfo; ?// on the...

CVSS 5.8, AI score 7.9, EPSS 0.00942
Exploits: 1
Huntr
added 2023/06/17 5:39 p.m., 11 views

Able to edit users owned by other administration users

Description Exploiting a vulnerability in 'Take ownership' of any user, thereby being able to edit all users. Proof of Concept Step 1: We have user1 owned by admin1. Step 2: By doing the 'Take ownership' action, user1 is now owned by admin2 Step 3: Now, admin2 is able to edit user1, and ev...

AI score 6.9
Exploits: 0
Huntr
added 2023/06/17 11:01 a.m., 7 views

An agent without permission has the ability to update, add, or delete FAQ items

Description I discovered a vulnerability in the osticket application. When an administrator creates a category and adds some FAQ items, they have the ability to grant update, delete, and add permissions to agents. Once granted access, an agent can log in and edit, delete, or add FAQs and record...

AI score 7.1
Exploits: 0
Huntr
added 2023/06/16 7:00 a.m., 5 views

Sensitive Cookie Without HttpOnly Flag

Description 1/ Access and log in to the demo website: https://demo.fossbilling.org/ 2/ Press F12 on your keyboard or right-click on the website to open the dev tools. 3/ In the Application tab, choose Cookies; there is a BOXCLR sensitive cookie without the HttpOnly flag. Proof of Concept Link image:...

AI score 6.9
Exploits: 0

Total number of security vulnerabilities: 4072