Markdown injection into github comment
Description Users can donate for builds by tipping [email protected]. There's a github action that will thank the user in a comment. The name is not sanitized and by using one such as the following, attackers can inject their own markdown into the comment. foo The "" breaks out of the context,...
Reflected XSS Vulnerability at `_detail/?lang` parameter
Description Reflected XSS vulnerability allows attackers to exploit the trust placed by a web application in user-supplied input, such as query parameters or form fields. In this case, the vulnerability was found in the following URL: https://www.dokuwiki.org/detail/?lang=1"alertdocument.domain...
NULL Pointer Dereference in function xml_sax_append_string
Description NULL Pointer Dereference In utils/xml_parser.c:963 Environment No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal Version MP4Box - GPAC version 2.3-DEV-rev293-g56eed04c2-master c 2000-2023 Telecom Paris distributed under LG...
Stored XSS on item name - Bypass of (CVE-2023-2516)
Description First create two user accounts and grant them permission to access the same folder. In one of the accounts, generate a new item within the folder. Paste the XSS payload into this field, then save the item. Once saved, click on the item to activate an XSS alert. This is the bypass of...
OOB Write ops.c
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the master branch at commit 50809a45ebde327cb6fdcc727d7466e926aed713 . Description This AddressSanitizer output is indicating a write to the 0x7fd0c2103000 address, this is because the...
Stored XSS on FolderName Affecting other users and admin.
Description If two users have the same folder permission, malicious users can rename the folder with an XSS payload, which will affect the other user and the admin. Payload: "img src=x onerror=alert1 Proof of Concept https://drive.google.com/file/d/1ukzcFocVAnd8WKEEo7-zE4iEMVLKUnXt/view...
SQL injection in some Admin Sort functions
Description SQL injection due to unsanitized concatenation of strings into the ORDER BY clause, 'sort' parameter Proof of Concept Log in as an admin, go to the Admin Translations or Application Logger functions, and perform a sort action. Observe the request in Burp Suite; the injection point is the 'sort'...
SQL Injection in the "Users" function of Piwigo
Description Authenticated admin can perform an SQL injection attack by abusing the "Users" function. Proof of Concept - Log in as an admin and access the 'Users' function. - Observe the request on Burp suite POST /piwigo/ws.php?format=json&method=pwg.users.getList. - Manipulate the 'order' or...
Partial Local file inclusion
Description An authenticated user can extend the range of the web application's folder context and can dig out to OS level. To reproduce the issue, please authenticate to the web application, and simply open the following URL in the browser:...
Stored XSS Via SVG Upload
Description I've found a Stored XSS via uploading SVG file with the following content: Proof of Concept https://drive.google.com/file/d/16HC08PPqAHZuubz-1IMJYZSETpTQZOzA/view?usp=sharing...
Divide By Zero FPE
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Release: n/a Codename: bookworm Version I checked against the latest release as of 05/18/23 the current master branch at commit a6ae93532ea5615c876c81a6580badbfa01d4383 . Description This AddressSanitizer output is...
OOB Read segfault
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Release: n/a Codename: bookworm Version I checked against the latest release as of 05/18/23 the current master branch at commit a6ae93532ea5615c876c81a6580badbfa01d4383 . Description This AddressSanitizer output is...
File Path Traversal Vulnerability
Description in the file admin_autoupdate.php php elseif ($page == 'extract') { if (isset($_POST['send']) && $_POST['send'] == 'send') { $toExtract = isset($_POST['archive']) ? $_POST['archive'] : null; $localArchive = Froxlor::getInstallDir() . '/updates/' . $toExtract; $log->logAction(FroxlorLogger::ADM_ACTION, LOG_NOTICE,...
NULL Pointer Dereference
Description NULL Pointer Dereference In gf_isom_fragment_add_sample_ex isomedia/movie_fragments.c:2883 Environment No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal Build sudo CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan"...
Stack-overflow in function xml_sax_parse at src/utils/xml_parser.c
Description Stack-overflow in MP4Box. Version shell MP4Box - GPAC version 2.3-DEV-rev263-g2afa05f4d-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Possible URL spoofing on wildcard path
Description H3 provides the getRequestURL utility using the new URL(a, b) constructor. When variable a is attacker-controlled, the origin of the resulting URL can be modified. Proof of Concept js // index.js import listen from "listhen"; import createApp, createRouter, eventHandler, toNodeListener,...
Cross-site Scripting in Preview function bypass CSP
Description In the text.js plugin, the user has an Extract Text option on the graph. This function extracts all text and, as we can see, the user can preview the text above; since the server doesn't clean up the text before rendering, it results in XSS. Proof of Concept html ' Step to reproduce Drag a...
Stored cross-site scripting via RSS feed
Description Due to the improper handling of RSS titles in inc/parser/xhtml.php, a malicious RSS feed can be used to inject arbitrary HTML elements into the page, resulting in cross-site scripting. inc/parser/xhtml.php line 1292-1294 php else $this->doc .= ' '.$item->get_title(); Proof of Concep...
Users can add themselves to arbitrary organizations
Proof of Concept 1 User 1 belongs to organization team1 and not to team2 2 User 1 edits their own profile 3 In the UI, when changing their organization, user 1 can only see team1 4 But when we intercept the request with Burp Suite and replace team1's ID in the request with team2's 5 Continuing, we find the request succeeds 6 The reason is that although the UI ensures team2 is not visible, the server does not check whether user1 is allowed to select team2 Reproduction video: https://1drv.ms/v/s!Avwg5C1eKVA4girUgKWl9SQX543P?e=N1ZU47...
IDOR vulnerability lets an attacker arbitrarily add, delete and modify workspaces within an organization
Proof of Concept 1 There are two organizations in the system, team1 and team2 2 User user1 is an administrator of team1 but not of team2 3 User 1 creates a workspace in team1 named workspace1. 4 User 1 intercepts the request with Burp Suite and replaces team1's ID with team2's ID in the request 5 Inspecting the request, the result shows success; user 1 can create arbitrary workspaces in team2. Reproduction video: https://1drv.ms/v/s!Avwg5C1eKVA4gispbgvOYQkvQ9KP?e=4yimBo...
Reflected Cross-Site Scripting when restoring a backup
Description A XSS vulnerability has been identified when an administrator restores a backup from a file. When using a specially crafted file, it's possible to trigger an error that will be displayed on the web page. Since the error message contains the invalid part of the file, any JavaScript cod...
Lack of security consideration leads to multiple critical weaknesses
Introduction This report serves more as a suggestion to improve security, rather than fixing any single "vulnerability". I've given examples to demonstrate the impact that neglecting security may have, but these are not the root cause of the issue. Due to the nature of a package, being able to...
privilege escalation with least config
Description A user can escalate privileges to the admin role with minimal configuration Proof of Concept Log in at https://11.x-dev.pimcore.fun/admin/ and add a new user in Settings - Users with access Permissions - Users; after that, log in as the new user, go to Settings - Users - new user, and update the new rule...
Potential XSS in content script via StackOverflow about_me
Description Alby has a feature called "batteries", which makes tipping on third party sites easier, e.g. by detecting lightning network addresses and so donating using the extensions becomes easy. One of those sites is stackoverflow. The alby extension will use the stackoverflow/stackexchange API...
Stored XSS on items in Folder in nilsteampassnet/teampass lead to ATO
Description Stored XSS on items in Folder in nilsteampassnet/teampass lead to ATO Proof of Concept POC on my Drive video: https://drive.google.com/file/d/1OsksHJxcaNNABIoabLAwAKCu37S2VyT/view?usp=sharing...
Stored XSS in module name "Edit Link"
Description I noticed that you filtered the input very carefully, but there are still some parts you missed. Proof of Concept 1. Log in at URL: https://demo.pimcore.fun/admin. 2. Go to "Search Documents", filter only "Snippet" search, and press search. 3. Go to "/en/shared/teasers/Popular Brands"...
Stored HTML injection in folderName affecting Admin
Description Here FolderName field is vulnerable to HTML injection, a malicious user could potentially rename a folder with a payload containing malicious code. This could result in an attack on the admin who edits the folder, as the payload could execute upon the admin's interaction with the...
Stored HTML Injection in Item Label
Description If two users have the same folder access, malicious users can create an item where its label field is vulnerable to HTML injection. When other users see that item, it may force them to redirect to the attacker's website or capture their data using a form. Proof of Concept...
Stored XSS in module name "Search Documents"
Description The search documents function is affected by XSS because the title payload is not filtered, resulting in XSS when searching for /de. Proof of Concept 1. Go to the edit page title /de 2. Enter this XSS code 3. Go to "Search Documents" and type "77" in the search box to find /de -- XSS will be...
No rate limit on send report functionality results in an email spam
Description There is no rate limit on the send report feature on the https://rdiffweb-dev.ikus-soft.com/prefs/notification endpoint, which allows an attacker to spam the victim's mailbox Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/notification 2 Click on daily frequency for...
Stored xss in module FAQ News
Description When admins create a FAQ News entry, they can pass XSS in the "text of the record" section Proof of Concept 1. Log in to the admin account 2. In the CONTENT section, click on FAQ News 3. Add any type of source code, and note to select the FAQ status as published 4. Turn on intercept with Burp and click sav...
Cross-site Scripting and CSP Bypass in app.diagrams.net
Description The application allows the user to import a CSV template into the schema, but does not clean the input from the columns resulting in any javascript code being executed. Proof of Concept Example CSV import. Use for comments and for configuration. Paste CSV below. The following names ar...
Cross Site Scripting in Open Web Analytics on most statistics related pages
Description The makeJson method within the owatemplate class generates a JSON string in an unsafe manner. This method is utilized within the report.tpl file, where it receives parameters from the URL and generates a JSON string using them without properly sanitizing. Proof of Concept The...
All user password hashes are disclosed
Proof of Concept Log in to the admin account and then visit https://demo.pimcore.fun/admin/customermanagementframework/customers/detail?id=1016&filteroperator-customer=AND&filteroperator-segments=AND&filtershowSegments0=832&filtershowSegments1=833&filtershowSegments2=874&filterDefinitionid=1 able to...
Stored XSS at User-Agent of Headers
Description Stored XSS attack, also known as persistent XSS attack, refers to a type of web application vulnerability where the attacker injects malicious code or script into the web application, typically into a database or other storage mechanism, and later the code/script is delivered to an...
Stored XSS bypass in "FAQ"
Description Stored XSS in "Add new FAQ" feature via inject XSS payload in the answer at the following https://roy.demo.phpmyfaq.de/admin/?action=editentry Steps 1- Login as admin and Go to the following URL https://roy.demo.phpmyfaq.de/admin/?action=editentry to add a new faq 2-Enter the "Questio...
Reflected XSS at search_query[] query string
Description Reflected XSS Cross-Site Scripting is a common web security vulnerability that can occur when a user inputs malicious Javascript syntax into the search field. The search function allows users to look for content on the website, and the search keywords are appended to the URL query...
SQL injection in the delete action of the file add_edit_event.php
Description We have discovered that the SQL injection vulnerability can be exploited through the file /interface/main/calendar/add_edit_event.php, allowing an attacker to manipulate the query via the eid parameter, provided that the Support Multi-Provider Events feature is enabled. Proof of Concept...
Pre-Auth Path traversal in pimcore_log, leading potential DOS
Description A path traversal vulnerability exists in the CMS, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter. This can lead to a potential denial of service---key file overwrite. Proof of Concept - As a prerequisite, pimcore must be installe...
Multiple command injections in `mlflow models` CLI action
Description The mlflow CLI executable is vulnerable to a command injection attack in the mlflow models predict and mlflow models serve actions. The aforementioned actions are defined in the file mlflow\models\cli.py, and use the vulnerable predict and serve methods of a dynamically resolved instance of...
Restricted shell escape in RVIM
Description A shell escape vulnerability has been discovered in the restricted version of Vim rvim. This vulnerability allows an attacker to execute arbitrary code with the privileges of the user running Vim. Proof of Concept The shell escape vulnerability in the restricted version of Vim rvim is...
Stored XSS and CSP Bypass in KiwiTCMS
Description Stored XSS, also known as persistent XSS, is the more damaging kind of XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform a Stored XSS. The problem is that the upload function permit...
CSRF Lost cart availability to all customer
Description The absence of input validation in the update cart form Qty feature causes the feature to error out or go blank simply by changing the number to a string. For this to occur for all users, CSRF is required, so for the severity rating user interaction is required. So you could say thes...
Multiple path traversals on Windows hosts
Description The validate_path_is_safe function in file /mlflow/server/handlers.py, introduced in PR 7891 on Feb 24th, 2023, does not account for the Windows absolute path format, and thus can be bypassed on MLflow servers running on Windows hosts, exposing them to a number of high-impact directory traversal...
SQL Injection in expenses/ajax.php & loan-management/ajax.php
Description An administrator user can use different operations and parameters to execute SQL queries. -employeeId on operation addMonthlySalary in expenses/ajax.php. -returnAdvancePaymentEmployee on operation returnAdvancePaymentSubmit, in expenses/ajax.php. -id on operation editLoan in...
XML.php JSONP hijacking
Description The XML.php file has a JSONP hijacking vulnerability. When a user visits a page carefully crafted by the attacker, the JSON data is obtained and sent to the attacker. Proof of Concept We created an HTML file as a proof of concept to showcase the vulnerability. This HTML file will...
XSS in choose time value Classes Data Objects
Description XSS in the time value chooser of Classes Data Objects Proof of Concept Log in at URL: https://demo.pimcore.fun/admin Go to Settings - Data Objects - Classes - News NE - Dates & Images; in the Dates & Images tab, inject the payload into the time value at Specific Settings // PoC payload: " video PoC:...
RCE in developer mode
Description Nuxt contains a test-component-wrapper component. This is used to mount a single component for testing. This component has a dynamic import function which accepts arbitrary user input on the server side. This pattern will almost always lead to an RCE bug. Requirements & Notes The serv...
SQL Injection in ajax_data.php
Description An administrator user can use different operations and parameters to execute SQL queries. -customerId on operations getCustomerPaymentInfo and getCustomerStatementInfo. -empId on operations getEmpSalaryData, getEmpLoanLoanData, getEmployeeAdvancePaymentsData. -companyid on operation...
Weak Password policy on account registration
Description It was observed that application allows to create account with Blank spaces as password Proof of Concept 1. Go to https://meta.answer.dev/users/register 2. Create account with 10 blank spaces as password Result: Application allows to create user account with blank spaces as password...