4057 matches found
SQL injection in searchArticles function
Description The searchArticles function in the KB module makes a call to the getSimpleResultSet function, with the perpage parameter taken from the user without sanitizing before entering the query, leading to the attacker being able to manipulate the query. Proof of Concept GET...
Reflected XSS via "importFormat" parameter
Description Please enter a description of the vulnerability. Proof of Concept - Login as administrator or any user with access to User import/export feature. - Visit the following URL...
Remote Code Execution via File upload
Description In the theme settings function, any file can be uploaded without any filter, resulting in an arbitrary php file being uploaded. Proof of Concept POST /admin/theme/huraga HTTP/1.1 Host: localhost Content-Type: multipart/form-data;...
CSRF in Question Themes function
Description The web application is vulnerable to CSRF in the toggle visibility of question themes. Proof of Concept Step 1: Login as user who has permission to access themes function. Step 2: Host an HTML trap page and send the URL to the victim history.pushState'', '', '/'; document.forms0.submi...
The user can put their survey in the survey groups even though this survey group is not in public mode
Description The user can put their survey in the survey groups even though this survey group is not in public mode Proof of Concept Step 1: The survey group SG03 isn't in public mode Step 2: In the "Survey groups" tab, User2 with only survey permission only sees the survey group Default Step ...
Improper Authorization in add role function leads to privilege escalation
Description The application improperly performs user authorization, resulting in a user with the user management role being able to modify their own permissions or those of others. Proof of Concept Step 1: The highest-level administrator or an administrator with the permission to create roles...
Incorrect Authorization to Stored XSS in Import User Role function
Description The application incorrectly checks user permissions, enabling the attacker to use the 'import file user roles' functionality, which contains a payload for executing JavaScript code, without requiring any specific privileges. Proof of Concept Step 1: Even without the privilege to manage...
Vulnerable CKEditor used on version 4.2.9
Description When attaching an image in the mail feature, the upload uses a vulnerable CKEditor version, which leads to RCE. Proof of Concept 1. Go to messages, 2. Write email 3. add image 4. Upload the php file. 5. access the uploaded php file in /admmyfiles/mail/images/ // PoC.js Content-Disposition:...
Cross-Site Request Forgery lead to lock and unlock Album
Description An attacker is able to lock or unlock any album with this CSRF attack. Proof of Concept 1. Admin should already be logged in in the browser 2. Open the CSRF.html document.forms0.submit; The album b9131a9d-577e-4f06-b87e-5af30714b25b will be unlocked Acknowledge Tran Van Nhan from bl4ckh0l3 of Galaxy...
Stored XSS on Survey "Notification and data function"
Description Users with edit and update survey permission can perform an XSS. Proof of Concept Log in with any user with this permission Update the "Send basic admin notification email to" field with this value test" Access the survey and the payload will be triggered...
Improper Authorization in Export role function
Description The application controls user rights incorrectly, leading to the attacker being able to collect sensitive information. Proof of Concept Step 1: The administrator user accesses the user role management function and performs the 'export role' operation. Step 2: Upon observation, a HTTP...
IDOR in Group members
Description By manipulating the ugid, a user who is not in the group can view the members list of the group Proof of Concept Step 1: Go to User Group function, see that this user can only view these two groups. Step 2: Click on View a group, manipulate the ugid, confirm that this user can view the Group...
Stored XSS in label function
Description By injecting the payloads into the fields dataToSend, users who visit the "Label sets list" screen may be compromised Proof of Concept Step 1: Login as a user who has permission to edit the Label. Go to the label function and view a label Step 2: Inject the payload into the Code field as the...
Stored XSS in Title
Description Spina's admin screen has an embedded XSS in the title of the page. By embedding arbitrary JavaScript code in the function of Paguri, arbitrary scripts can be executed on the browser when the administrator user who accessed the page deletes the page. Proof of Concept Step 1. Access the...
Exposure of the version installed on the system
Description Users can check the version of Admidio installed on the system. Proof of Concept Go to http:///admprogram/modules/preferences/updatecheck.php?mode=2 Acknowledge Tran Van Nhan from bl4ckh0l3 of GalaxyOne...
CSRF in the delete notification function
Description The web application is vulnerable to CSRF in the delete notification function. Proof of Concept Step 1: See that user demo has some notifications. Step 2: Host an HTML trap page and send the URL to the victim history.pushState'', '', '/' document.forms0.submit; And the malicious URL...
IDOR in notification function
Description By manipulating the notId, a user can view the notification of other users Proof of Concept Step 1: Login as user demo, click on a notification and see that the notification has a notId as 227. Step 2: Open another browser and login as user. Step 3: Access the URL to view the...
Path Traversal in uploadAttachment
POC : see https://1drv.ms/v/s!Avwg5C1eKVA4gl3LF2hgRyVNrSqk?e=DHbHKF We also contact the Maintainer through email lujie.ac.cn...
DoS via Document Comments
Description An attacker can abuse the document comment functionality, handled by the /api/comments.create API endpoint, since there is no size check or validation of the comment contents, which allows an attacker to send a comment with almost an unlimited number of characters (1MB max POST size...
Stored XSS at Search page
Description Create a new item with an XSS payload. Then go to the Search page, and the XSS vulnerability will be triggered. Proof of Concept https://drive.google.com/file/d/1OB11FmQvy2-qRI9r1BlavKUxJ4kaMjp/view?usp=sharing Acknowledge Tran Van Nhan from bl4ckh0l3 of GalaxyOne...
Reflected XSS in /editor_tools/rte_image_editor
Description Reflected Cross-Site Scripting Vulnerability in types GET parameter on the /editor_tools/rte_image_editor endpoint Proof of Concept in File microweber/userfiles/modules/microweber/toolbar/editor_tools/rte_image_editor/index.php on Line 15, we can observe the source $_GET['types'] being saved...
Stored XSS
Description: The application contains a stored XSS vulnerability, which allows an attacker to inject and execute malicious scripts within the application. The vulnerability occurs due to improper input validation and output encoding mechanisms, which fail to adequately sanitize and encode...
DOM Cross-Site Scripting
Description Hello team, recently I found a DOM XSS on the profile language field. Proof of Concept Video poc: https://screencast-o-matic.com/watch/c01067VBWlV Step: 1. Login as simple user 2. Click on settings and select profile tab. 3. Click on change language as 'english' and...
Secret information exfiltration by hard coding twitter API keys
Description Secret information used for API calls was embedded in the microweber source code. PoC It's hardcoded in the source code below. - https://github.com/microweber/microweber/blob/master/userfiles/modules/twitterfeed/functions.php php $oauthaccesstoken =...
Remote Command Execution by Improper Escaping of Output
Description Improper Encoding or Escaping of Output in Froxlor export configuration. Hackers can use it to create a json file with PHP code inside, then trigger the code by setting php-fpm to process the .json extension. php foreach $POST'system' as $sysdaemon $params'system' = $sysdaemon; $paramscontent ...
Confidential information provided to user with no permissions
Description Unauthorized users are able to obtain sensitive information about the system's runtime environment, features they have no permissions to access, etc. Proof of Concept 1. create a new user without any permissions attached 2. do NOT assign any permissions to the user 3. do NOT add any...
Stored XSS on user "Write private message" function
Description An attacker can inject malicious executable scripts into the code of the message field. Proof of Concept Log in as a Member user, access Messages - Write private message function for sending admin a message. Code Insert this payload into the message field testscriptprompt'1'/script the...
Stored XSS on user "Category report" function
Description An attacker can inject malicious executable scripts into the code of the Name field Proof of Concept Log in as an admin or any member with the right access to the Category report - Configuration function. Insert this payload into the "Name" field General role assignment" autofocus...
Cross site scripting in Admidio 4.2.9 via headline parameter
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. Proof...
Broken Authentication
Description I tested the demo site you provided. I see that there is a Broken Authentication vulnerability in Administration: CPU stats API. The Administration: CPU stats API does not validate user permissions. Proof of Concept link video PoC https://screenpal.com/watch/c01F1bVBmX1 Step 1. In t...
Stored XSS on user "Edit own profile" function
Description An attacker can inject malicious executable scripts into the code of the Social media field Proof of Concept Log in as a Member user, access My profile - Edit own profile function, insert this payload to any field " autofocus onfocus=promptdocument.domain then click Save. Access the...
Improper handling of input value leads to Remote Code Execution or Denial of Service
Description Some value in some input field was directly inserted into a file called "tp.config.php", an attacker can inject malicious PHP code to perform a remote code execution attack. Proof of Concept Go to Settings - MFA - Duo Security function, input this payload: ',; phpinfo; ?// on the...
Able to edit users owned by other administration users
Description Exploiting a vulnerability 'Take ownership' of any user, thereby being able to edit all users. Proof of Concept Step 1: We have user1 owned by admin1. Step 2: By doing the 'Take ownership' action, the user1 is now owned by admin2 Step 3: Now, admin2 is able to edit user1, and ev...
An agent without permission has the ability to update, add, or delete FAQ items
Description I discovered a vulnerability in the osticket application. When an administrator creates a category and adds some FAQ items, they have the ability to grant update, delete, and add permissions to agents. Once granted access, an agent can login and edit, delete, or add FAQs and record...
Sensitive Cookie Without HttpOnly Flag
Description 1/ Access and login to the demo website: https://demo.fossbilling.org/ 2/ Press F12 on your keyboard or right-click on the website to open dev-tool. 3/ At Application tab, choose Cookies and there is BOXCLR sensitive cookie without HttpOnly flag. Proof of Concept Link image:...
Stored XSS in the delete confirmation popup
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Step1: The user with the privilege to create group creates a new group by passing a payload into...
Server-Side Template Injection leads to Remote Code Execution
Description Admin or Staff with "Mass mailer" permission can perform a Server-Side Template Injection attack Proof of Concept Log in as an admin or a staff who has "Mass mailer" permission, edit a message In the "Email content" field, insert the following value and click "Update and preview" %...
Leak Secret tokens by changing baseURL
Description nuxt-api-party allows developers to easily hook up APIs. You can configure API URLs and Credentials to be sent on requests. It is suggested in the documentation that this plugin is capable of handling sensitive data. There is a design flaw that could allow an attacker to extract priva...
Stored XSS on entire Client site
Description Admin or Staff with "System" permission can produce a stored XSS on the entire Client site Proof of Concept Edit the "Signature" field to this value "FOSSBilling.org - Client Management, Invoice and Support Software"" Then it will trigger in every Client screen Seems like it was rendered ...
The ability to edit groups owned by any user.
Description The edit group function does not check the owner, allowing for the possibility to modify a group without being the owner of that group. Proof of Concept Step 1: We have User1 who owns Group 1 and Group 2; User5 who owns Group 5. Step 2: User1 performs an edit group action and changes...
Desktop APP XSS to RCE
Requirements The user must load the malicious configuration and click on the buttons. Description This exploitation relies on several issues which chained together lead to an RCE. In the following subsection, I will try to explain it as best I can. Not sanitized HTML injection In the...
Improper Authorization leads to privilege escalation
Description The application improperly performs user authorization, resulting in a user with the user management role being able to modify their own permissions or those of others. Proof of Concept Step 1: The highest-level administrator or an administrator with the permission to create roles...
Incorrect Authorization leads to delete user
Description The application is experiencing incorrect permission settings, leading to the user with user administration rights being able to delete anyone, including users who are not under their management authority. Proof of Concept Step 1: The User Demo super admin creates a user admin with user...
Session Fixation Vulnerability
Description The application does not generate a new PHPSESSID cookie after the user authenticates successfully. A malicious user is able to create a new session cookie value and inject it to a victim pre-authentication. After the victim logs in, the injected cookie becomes valid, giving the...
The user can delete himself
Description Bypassing the conditional check allows the user to delete himself. Proof of Concept Step 1: The user with id 18834 attempts to delete himself but encounters an error Step 2: By using userid=18834' instead of userid=18834, the user was able to successfully delete himself...
Able to change username that is by default unchangeable
Description The website receives input from the user that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. Proof of Concept Step 1: We have a user with ID 18833 and the...
The app allows to set new password same as old password
Description 1/ Access and login to the demo website: https://demo.openitcockpit.io 2/ At changing password function, set new password as same as old password. 3/ Logout and re-login to check, it's successful. Proof of Concept Link video PoC:...
Sensitive Cookie Without Secure Flag
Description Access and login to the demo website: https://demo.openitcockpit.io/ Press F12 on your keyboard or right-click on the website to open dev-tool. At Application tab, choose Cookies and there are some sensitive cookies without Secure flag. CookieAuth, csrfToken Proof of Concept Link imag...
Sensitive Cookie Without HttpOnly Flag
Description Access and login to the demo website: https://demo.openitcockpit.io/ Press F12 on your keyboard or right-click on the website to open dev-tool. At Application tab, choose Cookies and there is CookieAuth sensitive cookie without HttpOnly flag. Proof of Concept Link image evidence:...
heap-buffer-overflow in function id3dmx_flush filters/reframe_mp3.c
Description Heap-buffer-overflow in MP4Box. Version bash MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...