
4072 matches found

Huntr | added 2023/05/27 9:52 a.m. | 22 views

Markdown injection into github comment

Description Users can donate for builds by tipping [email protected]. There's a github action that will thank the user in a comment. The name is not sanitized and by using one such as the following, attackers can inject their own markdown into the comment. foo The "" breaks out of the context,...

AI score 7 | Exploits: 0

Huntr | added 2023/05/27 5:43 a.m. | 13 views

Reflected XSS Vulnerability at `_detail/?lang` parameter

Description Reflected XSS vulnerability allows attackers to exploit the trust placed by a web application in user-supplied input, such as query parameters or form fields. In this case, the vulnerability was found in the following URL: https://www.dokuwiki.org/detail/?lang=1"alertdocument.domain...

AI score 6.3 | Exploits: 0 | References: 1

Huntr | added 2023/05/26 9:13 a.m. | 13 views

NULL Pointer Dereference in function xml_sax_append_string

Description NULL Pointer Dereference In utils/xmlparser.c:963 Environment No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal Version MP4Box - GPAC version 2.3-DEV-rev293-g56eed04c2-master c 2000-2023 Telecom Paris distributed under LG...

CVSS 4.3 | AI score 6.6 | EPSS 0.00375 | Exploits: 1 | References: 1

Huntr | added 2023/05/26 5:57 a.m. | 21 views

Stored XSS on item name - Bypass of (CVE-2023-2516)

Description First create two user accounts and grant them permission to access the same folder. In one of the accounts, generate a new item within the folder. Paste the XSS payload into this field, then save the item. Once saved, click on the item to activate an XSS alert. This is the bypass of...

CVSS 4.9 | AI score 6.3 | EPSS 0.00683 | Exploits: 2 | References: 1

Huntr | added 2023/05/26 5:17 a.m. | 28 views

OOB Write ops.c

Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the master branch at commit 50809a45ebde327cb6fdcc727d7466e926aed713 . Description This AddressSanitizer output is indicating a write to the 0x7fd0c2103000 address, this is because the...

CVSS 4.4 | AI score 6.8 | EPSS 0.00624 | Exploits: 1

Huntr | added 2023/05/26 5:15 a.m. | 16 views

Stored XSS on FolderName Affecting other users and admin.

Description If two users have same folder permission, malicious users can rename the folder with XSS payload, which will affect the other user, and admin. Payload: "img src=x onerror=alert1 Proof of Concept https://drive.google.com/file/d/1ukzcFocVAnd8WKEEo7-zE4iEMVLKUnXt/view...

CVSS 5.8 | AI score 6.4 | EPSS 0.00841 | Exploits: 1 | References: 1

Huntr | added 2023/05/26 3:07 a.m. | 26 views

SQL injection in some Admin Sort functions

Description SQL injection due to unsanitized string concatenation into the ORDER BY clause via the 'sort' parameter Proof of Concept Log in as an admin, go to the Admin Translations or Application Logger functions, and perform a sort action. Observe the request in Burp Suite; the injection point is the 'sort'...

CVSS 5.8 | AI score 7.2 | EPSS 0.00738 | Exploits: 1

Huntr | added 2023/05/25 5:24 p.m. | 18 views

SQL Injection in the "Users" function of Piwigo

Description An authenticated admin can perform an SQL injection attack by abusing the "Users" function. Proof of Concept - Log in as an admin and access the 'Users' function. - Observe the request in Burp Suite: POST /piwigo/ws.php?format=json&method=pwg.users.getList. - Manipulate the 'order' or...

AI score 8.5 | Exploits: 0

Huntr | added 2023/05/25 9:47 a.m. | 10 views

Partial Local file inclusion

Description An authenticated user can extend the range of the web application's folder context and can dig out to OS level. To reproduce the issue, please authenticate to the web application, and simply open the following URL in the browser:...

AI score 6.8 | Exploits: 0

Huntr | added 2023/05/23 7:15 p.m. | 26 views

Stored XSS Via SVG Upload

Description I've found a Stored XSS via uploading SVG file with the following content: Proof of Concept https://drive.google.com/file/d/16HC08PPqAHZuubz-1IMJYZSETpTQZOzA/view?usp=sharing...

AI score 6.2 | Exploits: 0 | References: 1

Huntr | added 2023/05/18 6:05 a.m. | 20 views

Divide By Zero FPE

Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Release: n/a Codename: bookworm Version I checked against the latest release as of 05/18/23 the current master branch at commit a6ae93532ea5615c876c81a6580badbfa01d4383 . Description This AddressSanitizer output is...

CVSS 5 | AI score 6.7 | EPSS 0.00639 | Exploits: 1

Huntr | added 2023/05/18 5:57 a.m. | 13 views

OOB Read segfault

Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Release: n/a Codename: bookworm Version I checked against the latest release as of 05/18/23 the current master branch at commit a6ae93532ea5615c876c81a6580badbfa01d4383 . Description This AddressSanitizer output is...

CVSS 6.4 | AI score 6.7 | EPSS 0.00706 | Exploits: 1

Huntr | added 2023/05/18 3:34 a.m. | 16 views

File Path Traversal Vulnerability

Description in the file adminautoupdate.php php elseif $page == 'extract' if isset$POST'send' && $POST'send' == 'send' $toExtract = isset$POST'archive' ? $POST'archive' : null; $localArchive = Froxlor::getInstallDir . '/updates/' . $toExtract; $log-logActionFroxlorLogger::ADMACTION, LOGNOTICE,...

CVSS 5.8 | AI score 6.9 | EPSS 0.01216 | Exploits: 1

Huntr | added 2023/05/18 3:23 a.m. | 28 views

NULL Pointer Dereference

Description NULL Pointer Dereference In gfisomfragmentaddsampleex isomedia/moviefragments.c:2883 Environment No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal Build sudo CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan"...

CVSS 7.5 | AI score 6.8 | EPSS 0.00652 | Exploits: 1

Huntr | added 2023/05/17 1:13 p.m. | 22 views

Stack-overflow in function xml_sax_parse at src/utils/xml_parser.c

Description Stack-overflow in MP4Box. Version shell MP4Box - GPAC version 2.3-DEV-rev263-g2afa05f4d-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...

CVSS 1.9 | AI score 6.9 | EPSS 0.00387 | Exploits: 1 | References: 1

Huntr | added 2023/05/15 8:54 a.m. | 16 views

Possible URL spoofing on wildcard path

Description H3 provides the getRequestURL utility using the new URLa, b constructor. When variable a is attacker-controlled the origin of the resulting URL can be modified. Proof of Concept js // index.js import listen from "listhen"; import createApp, createRouter, eventHandler, toNodeListener,...

AI score 6.9 | Exploits: 0

Huntr | added 2023/05/13 4:52 p.m. | 8 views

Cross-site Scripting in Preview function bypass CSP

Description In the text.js plugin, the user has an Extract Text function for the graph, so this function extracts all text; as we can see, the user can preview the text above, and since the server doesn't clean up the text before rendering, it results in XSS. Proof of Concept html ' Step to reproduce Drag a...

AI score 6.9 | Exploits: 0 | References: 1

Huntr | added 2023/05/13 2:34 p.m. | 17 views

Stored cross-site scripting via RSS feed

Description Due to the improper handling of RSS titles in inc/parser/xhtml.php, a malicious RSS feed can be used to inject arbitrary HTML elements into the page, resulting in cross-site scripting. inc/parser/xhtml.php line 1292-1294 javascript else $this-doc .= ' '.$item-gettitle; Proof of Concep...

AI score 6.6 | Exploits: 0

Huntr | added 2023/05/13 2:12 p.m. | 22 views

Users can add themselves to arbitrary organizations

Proof of Concept 1 User 1 belongs to organization team1 and not to team2 2 User 1 edits their own profile 3 In the UI, user 1 can only see team1 when changing their organization 4 But we intercept the request with Burp Suite and replace the team1 ID in the request with team2's 5 Letting the request continue, it succeeds 6 The cause is that although the UI ensures team2 is not visible, the server does not check whether user1 is allowed to select team2 Reproduction video: https://1drv.ms/v/s!Avwg5C1eKVA4girUgKWl9SQX543P?e=N1ZU47...

CVSS 5.5 | AI score 7 | EPSS 0.00657 | Exploits: 1

Huntr | added 2023/05/13 2:07 p.m. | 55 views

IDOR vulnerability lets an attacker arbitrarily add, delete, or modify workspaces within an organization

Proof of Concept 1 Two organizations exist in the system, team1 and team2 2 User user1 is an administrator of team1 but not of team2 3 User 1 creates a workspace in team1 named workspace1. 4 User 1 intercepts the request with Burp Suite and replaces the team1 ID in the request with team2's ID 5 Checking the request, the result shows success; user 1 can create arbitrary workspaces in team2. Reproduction video: https://1drv.ms/v/s!Avwg5C1eKVA4gispbgvOYQkvQ9KP?e=4yimBo...

CVSS 3.3 | AI score 6.9 | EPSS 0.00676 | Exploits: 1

Huntr | added 2023/05/11 4:41 p.m. | 18 views

Reflected Cross-Site Scripting when restoring a backup

Description A XSS vulnerability has been identified when an administrator restores a backup from a file. When using a specially crafted file, it's possible to trigger an error that will be displayed on the web page. Since the error message contains the invalid part of the file, any JavaScript cod...

CVSS 4.3 | AI score 6.4 | EPSS 0.00576 | Exploits: 1 | References: 1

Huntr | added 2023/05/11 3:19 p.m. | 10 views

Lack of security consideration leads to multiple critical weaknesses

Introduction This report serves more as a suggestion to improve security, rather than fixing any single "vulnerability". I've given examples to demonstrate the impact that neglecting security may have, but these are not the root cause of the issue. Due to the nature of a package, being able to...

AI score 8 | Exploits: 0 | References: 2

Huntr | added 2023/05/09 9:45 a.m. | 24 views

Privilege escalation with minimal configuration

Description A user can escalate privileges to the admin role with minimal configuration Proof of Concept Log in at https://11.x-dev.pimcore.fun/admin/ and add a new user in Settings - Users with access to Permissions - Users; after that, log in as the new user, go to Settings - Users - new user, and update new rule...

CVSS 6.5 | AI score 7.2 | EPSS 0.00919 | Exploits: 1

Huntr | added 2023/05/07 8:48 p.m. | 14 views

Potential XSS in content script via StackOverflow about_me

Description Alby has a feature called "batteries", which makes tipping on third party sites easier, e.g. by detecting lightning network addresses and so donating using the extensions becomes easy. One of those sites is stackoverflow. The alby extension will use the stackoverflow/stackexchange API...

AI score 6.3 | Exploits: 0

Huntr | added 2023/05/07 6:31 p.m. | 18 views

Stored XSS on items in Folder in nilsteampassnet/teampass lead to ATO

Description Stored XSS on items in Folder in nilsteampassnet/teampass lead to ATO Proof of Concept POC on my Drive video: https://drive.google.com/file/d/1OsksHJxcaNNABIoabLAwAKCu37S2VyT/view?usp=sharing...

CVSS 6 | AI score 6.3 | EPSS 0.00909 | Exploits: 1

Huntr | added 2023/05/07 5:54 p.m. | 25 views

Stored XSS in module name "Edit Link"

Description I noticed that you filtered the input very carefully. But there are still some parts you missed Proof of Concept 1.Login in URL : https://demo.pimcore.fun/admin. 2.Go to "Search Documents" and filter only "Snippet" search and press search. 3.Go to "/en/shared/teasers/Popular Brands"...

CVSS 5.8 | AI score 6.8 | EPSS 0.00478 | Exploits: 1

Huntr | added 2023/05/07 12:53 p.m. | 17 views

Stored HTML injection in folderName affecting Admin

Description Here FolderName field is vulnerable to HTML injection, a malicious user could potentially rename a folder with a payload containing malicious code. This could result in an attack on the admin who edits the folder, as the payload could execute upon the admin's interaction with the...

CVSS 6.8 | AI score 7.1 | EPSS 0.01649 | Exploits: 1 | References: 1

Huntr | added 2023/05/07 12:40 p.m. | 22 views

Stored HTML Injection in Item Label

Description If two users have the same folder access, malicious users can create an item where its label field is vulnerable to HTML injection. When other users see that item, it may force them to redirect to the attacker's website or capture their data using a form. Proof of Concept...

CVSS 4.9 | AI score 5.8 | EPSS 0.00607 | Exploits: 2 | References: 1

Huntr | added 2023/05/07 5:31 a.m. | 19 views

Stored XSS in module name "Search Documents"

Description The search documents function was infected with xss because the title payload was not filtered resulting in xss when searching to /de. Proof of Concept 1.Go to edit page title /de 2.Enter this xss code 3.Go to "Search Documents" and type in "77" search box to find /de -- xss will be...

CVSS 4.9 | AI score 6.9 | EPSS 0.00493 | Exploits: 1

Huntr | added 2023/05/04 12:20 p.m. | 17 views

No rate limit on send report functionality results in an email spam

Description There is no rate limit on the send report feature at the https://rdiffweb-dev.ikus-soft.com/prefs/notification endpoint, which allows an attacker to spam the victim's mailbox Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/notification 2 Click on daily frequency for...

CVSS 6.4 | AI score 6.8 | EPSS 0.00405 | Exploits: 1

Huntr | added 2023/05/04 10:32 a.m. | 19 views

Stored xss in module FAQ News

Description When admins create a FAQ News they can pass xss to the "text of the record" section Proof of Concept 1.Login to admin account 2.In the CONTENT section, click on FAQ News 3.Add any type of source code and notice select Faq status as published 4.Turn on intercept with burp and click sav...

CVSS 5.8 | AI score 7.1 | EPSS 0.00521 | Exploits: 0 | References: 1

Huntr | added 2023/05/04 6:10 a.m. | 22 views

Cross-site Scripting and CSP Bypass in app.diagrams.net

Description The application allows the user to import a CSV template into the schema, but does not clean the input from the columns resulting in any javascript code being executed. Proof of Concept Example CSV import. Use for comments and for configuration. Paste CSV below. The following names ar...

CVSS 5.8 | AI score 7 | EPSS 0.00534 | Exploits: 0 | References: 1

Huntr | added 2023/05/02 8:25 p.m. | 9 views

Cross Site Scripting in Open Web Analytics on most statistics related pages

Description The makeJson method within the owatemplate class generates a JSON string in an unsafe manner. This method is utilized within the report.tpl file, where it receives parameters from the URL and generates a JSON string using them without properly sanitizing. Proof of Concept The...

AI score 6.9 | Exploits: 0

Huntr | added 2023/05/02 2:41 p.m. | 32 views

All user password hashes are disclosed

Proof of Concept login to admin account and then visit https://demo.pimcore.fun/admin/customermanagementframework/customers/detail?id=1016&filteroperator-customer=AND&filteroperator-segments=AND&filtershowSegments0=832&filtershowSegments1=833&filtershowSegments2=874&filterDefinitionid=1 able to...

CVSS 3.3 | AI score 7.1 | EPSS 0.00547 | Exploits: 0

Huntr | added 2023/05/02 10:27 a.m. | 22 views

Stored XSS at User-Agent of Headers

Description Stored XSS attack, also known as persistent XSS attack, refers to a type of web application vulnerability where the attacker injects malicious code or script into the web application, typically into a database or other storage mechanism, and later the code/script is delivered to an...

CVSS 4.9 | AI score 6.1 | EPSS 0.00449 | Exploits: 1

Huntr | added 2023/05/02 9:55 a.m. | 20 views

Stored XSS bypass in "FAQ"

Description Stored XSS in "Add new FAQ" feature via inject XSS payload in the answer at the following https://roy.demo.phpmyfaq.de/admin/?action=editentry Steps 1- Login as admin and Go to the following URL https://roy.demo.phpmyfaq.de/admin/?action=editentry to add a new faq 2-Enter the "Questio...

CVSS 5.8 | AI score 6.6 | EPSS 0.00483 | Exploits: 0

Huntr | added 2023/05/02 8:59 a.m. | 21 views

Reflected XSS at search_query[] query string

Description Reflected XSS Cross-Site Scripting is a common web security vulnerability that can occur when a user inputs malicious Javascript syntax into the search field. The search function allows users to look for content on the website, and the search keywords are appended to the URL query...

CVSS 5.8 | AI score 6.6 | EPSS 0.0062 | Exploits: 1

Huntr | added 2023/04/30 7:18 a.m. | 12 views

SQL injection in the delete action of the file add_edit_event.php

Description We have discovered that the SQL injection vulnerability can be exploited through the file /interface/main/calendar/addeditevent.php, allowing an attacker to manipulate the query via the eid parameter provided that Support Multi-Provider Events feature must be enabled. Proof of Concept...

AI score 8.1 | Exploits: 0 | References: 1

Huntr | added 2023/04/30 6:50 a.m. | 21 views

Pre-Auth Path traversal in pimcore_log, leading to potential DoS

Description A path traversal vulnerability exists in the CMS, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcorelog parameter. This can lead to a potential denial of service (key file overwrite). Proof of Concept - As a prerequisite, pimcore must be installe...

CVSS 6.5 | AI score 6.6 | EPSS 0.00854 | Exploits: 1

Huntr | added 2023/04/30 1:22 a.m. | 29 views

Multiple command injections in `mlflow models` CLI action

Description The mlflow CLI executable is vulnerable to a command injection attack in the mlflow models predict and mlflow models serve actions. The aforementioned actions are defined in the file mlflow\models\cli.py, and use the vulnerable predict and serve methods of a dynamically resolved instance of...

CVSS 4.3 | AI score 7 | EPSS 0.01195 | Exploits: 0 | References: 1

Huntr | added 2023/04/29 9:31 p.m. | 60 views

Restricted shell escape in RVIM

Description A shell escape vulnerability has been discovered in the restricted version of Vim rvim. This vulnerability allows an attacker to execute arbitrary code with the privileges of the user running Vim. Proof of Concept The shell escape vulnerability in the restricted version of Vim rvim is...

AI score 7.9 | Exploits: 0

Huntr | added 2023/04/29 1:51 p.m. | 99 views

Stored XSS and CSP Bypass in KiwiTCMS

Description Stored XSS, also known as persistent XSS, is the more damaging form of XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform a Stored XSS. The problem is that the upload function permits...

AI score 6.2 | Exploits: 0

Huntr | added 2023/04/29 1:58 a.m. | 10 views

CSRF: lost cart availability for all customers

Description The absence of input validation in the update cart form's Qty feature causes the feature to error out / go blank by simply changing the number to a string. For this to affect all users, CSRF is required, so the severity is "user interaction required". So you could say thes...

AI score 6.8 | Exploits: 0 | References: 2

Huntr | added 2023/04/28 4:07 p.m. | 22 views

Multiple path traversals on Windows hosts

Description The validatepathissafe function in the file /mlflow/server/handlers.py, introduced in PR 7891 on Feb 24th, 2023, does not account for the Windows absolute path format, and thus can be bypassed on MLflow servers running on Windows hosts, exposing them to a number of high-impact directory traversal...

CVSS 7.5 | AI score 7 | EPSS 0.70736 | Exploits: 1

Huntr | added 2023/04/27 7:06 p.m. | 15 views

SQL Injection in expenses/ajax.php & loan-management/ajax.php

Description An administrator user can use different operations and parameters to execute SQL queries. -employeeId on operation addMonthlySalary in expenses/ajax.php. -returnAdvancePaymentEmployee on operation returnAdvancePaymentSubmit, in expenses/ajax.php. -id on operation editLoan in...

AI score 8.2 | Exploits: 0

Huntr | added 2023/04/27 5:51 p.m. | 17 views

XML.php JSONP hijacking

Description The XML.php file has a JSONP hijacking vulnerability. When a user visits a page carefully crafted by the attacker, the JSON data is obtained and sent to the attacker. Proof of Concept We created an HTML file as a proof of concept to showcase the vulnerability. This HTML file will...

AI score 6.9 | Exploits: 0

Huntr | added 2023/04/27 10:35 a.m. | 19 views

XSS in choose time value Classes Data Objects

Description XSS in the "choose time" value of Classes Data Objects Proof of Concept Log in at URL: https://demo.pimcore.fun/admin Go to Settings - Data Objects - Classes - News NE - Dates & Images; in the Dates & Images tab, inject the payload into the time value under Specific Settings // PoC payload : " video PoC:...

CVSS 4.9 | AI score 6.9 | EPSS 0.00503 | Exploits: 1

Huntr | added 2023/04/27 7:52 a.m. | 37 views

RCE in developer mode

Description Nuxt contains a test-component-wrapper component. This is used to mount a single component for testing. This component has a dynamic import function which accepts arbitrary user input on the server side. This pattern will almost always lead to an RCE bug. Requirements & Notes The serv...

CVSS 7.5 | AI score 6.9 | EPSS 0.58648 | Exploits: 2 | References: 2

Huntr | added 2023/04/26 10:04 p.m. | 16 views

SQL Injection in ajax_data.php

Description An administrator user can use different operations and parameters to execute SQL queries. -customerId on operations getCustomerPaymentInfo and getCustomerStatementInfo. -empId on operations getEmpSalaryData, getEmpLoanLoanData, getEmployeeAdvancePaymentsData. -companyid on operation...

CVSS 5.8 | AI score 8.2 | EPSS 0.00891 | Exploits: 1

Huntr | added 2023/04/26 8:12 p.m. | 24 views

Weak Password policy on account registration

Description It was observed that the application allows creating an account with blank spaces as the password Proof of Concept 1. Go to https://meta.answer.dev/users/register 2. Create an account with 10 blank spaces as the password Result: The application allows creating a user account with blank spaces as the password...

CVSS 6.5 | AI score 6.9 | EPSS 0.00732 | Exploits: 1

Total number of security vulnerabilities: 4072