Local File Inclusion (LFI)
Description The vulnerability in the code is a Local File Inclusion (LFI) vulnerability. It allows an attacker to read arbitrary files on the server by exploiting a flaw in the code that allows the attacker to manipulate the "InternalPath" parameter in a request to include files from the server's...
File Upload Path Validation Error
Description An administrator user can use the easyUpload function to create files in any path of the system where the application has write permissions. This vulnerability arises because the application is using user input to build the file path and does not properly validate this input. Proof of...
Stored XSS in the module named "Create Case"
Description I tested the demo site you provided. I see that there is an XSS vulnerability. I hope you can check and provide a fix as soon as possible. You have almost filtered out all possible cases of XSS, but I noticed that there is still 1 case that you left out. By using this XSS command: Pro...
Bypass change password policy
Description I tested your demo site and discovered a vulnerability that could bypass password length and password complexity validation in your account's password change function. Proof of Concept link video PoC https://drive.google.com/file/d/1r2TAeFdLAeEREUccDoE86Yacavv79VR/view?usp=sharing...
Stored XSS
Description I tested the demo site you provided. I see that there is an XSS vulnerability. I hope you can check and provide a fix as soon as possible. Proof of Concept link video PoC https://drive.google.com/file/d/186jNX2EJWaIaknmOmwBhQ663SSzv289/view?usp=sharing Step 1. Go to my preferences and...
Stored XSS in the module named "Dashboard"
Description I tested the demo site you provided. I see that there is an XSS vulnerability. I hope you can check and provide a fix as soon as possible. Proof of Concept link video PoC https://drive.google.com/file/d/19lzyLY20fn0WdgRxsIrIRSfkrq36j7s5/view?usp=sharing Steps 1. Login as administrator...
Stored XSS on items in Folder
Description First create two user accounts and grant them permission to access the same folder. In one of the accounts, generate a new item within the folder. Paste the XSS payload into this field, then save the item. Once saved, click on the item to activate an XSS alert. To confirm the success of...
OS Command Injection via Type Confusion in Scan and Preview Parameters
Description Scanservjs has a RESTful API that provides endpoints for interacting with scanners using the SANE library. There are two APIs for scanning an image and generating a preview image that call out to Process.spawn, invoking a scanimage command as a subprocess of the server, and passing...
Cross-site scripting (XSS) stored in href bypasses filter using data wrapper
Description The XSS (Cross-Site Scripting) vulnerability found in the Calibre-Web application allows an attacker to inject malicious JavaScript code into an href via a data wrapper containing a base64-encoded payload. This vulnerability specifically occurs in a book's Tag editing functionality. By...
SMTP server credentials are returned
Description The vulnerability discovered in the Calibre-Web application is a security flaw in the management of email configurations that allows the SMTP server credentials to be viewed by an account with editing permission. This could allow a malicious user with access to the administrative...
Uncaught exception in document parsing functions
Description The parseDocument and parseAllDocuments functions should never throw according to the documentation. However, when these functions are fed an invalid input with a lot (≥80) of carriage return characters (\r), an exception is thrown, which originates in the prettifyError function. Proof of...
Cross-site Scripting (XSS) - Stored
Description The stored XSS vulnerability found in the calibre-web application is a security flaw that allows an attacker to execute malicious code in a user's browser. The vulnerability affects the "/ajax/pathchooser/" endpoint and is present in the "path" parameter, which is sent via the GET...
Broken Rate Limiting
Description The request rate limiting feature on the login page can be bypassed. If we look at the code in src/Controller/Frontend/Account/LoginAction.php (PHP): $this->rateLimit->checkRequestRateLimit($request, 'login', 30, 5); We see that checkRequestRateLimit is invoked with a restriction of a maximum...
Session is not expiring after password reset
Description 1. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization; in this case the session does not expire after the password change. Steps to reproduce: 1. Open...
LFI in Model Version REST API creation
Description By creating a model version through the REST API endpoint api/2.0/mlflow/registered-models/create and specifying a relative path redirection to the source argument, local server files can be accessed on the tracking server when a subsequent REST API v1.1 call is made to...
Reflected XSS in Path Traversal detector
Description AzuraCast has a feature that blocks all path traversal attempts (good job implementing it). But when AzuraCast blocks an attack, it reflects the path without sanitizing the output (PathTraversalDetected.php). It is possible to do attacks like reflected XSS or HTML injection. Steps to reproduce 1. ...
Account TakeOver Due to Improper Handling of JWT Tokens
Description I have discovered a vulnerability where any user can modify another user's data including password simply by intercepting and changing the access token of the JWT using https://token.dev. The system does not verify whether the JWT token was issued by the server or not, allowing it to...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description There is a taint path that can store a payload into the database. Visit http://127.0.0.1/corebos-master/index.php?action=PickList&module=PickList and click Add Item; the "Add new entries here:" field can be tainted. Although there is a front-end limitation, we can bypass it by modifying the request...
Arbitrary Code Execution in Apache BRPC
Description BRPC is an industrial-grade RPC framework written in C++, which is often used in high-performance systems such as Search, Storage, Machine Learning, Advertisement, Recommendation etc. In server.cpp there is a function call to wordexp, which is used for expanding paths from user input. Due ...
CSRF Leading to reset Boxes
Description Hello everyone, During my testing on LimeSurvey's admin demo, I found that the Boxes part of the application is vulnerable to CSRF affecting the reset boxes functionality, meaning that if an admin created some boxes, an attacker could trick the admin into resetting the boxes by following a lin...
XSS in Seo & Settings tab of Documents in pimcore/pimcore
Description pimcore is vulnerable to XSS at the Title field in the SEO & Settings tab of Document. Proof of Concept 1. Go to https://demo.pimcore.fun/admin/ and login. 2. In Documents, go to home - click on the SEO & Settings icon to go to this tab. 3. In the SEO & Settings tab, input the payload " into the Titl...
CSRF bypass
Description URL parsing with Qwik uses the new URL(a, b) constructor. A little-known fact about this constructor is that if an attacker controls a they have complete control of the finally resolved URL. For example: const url = new URL(attackervalue, "http://localhost") By entering //test.com, we can...
Unable to indicate negative amount in capital
Description Unable to indicate negative amount in capital Proof of Concept 1 Login to the application 2 Go to Capital, Add Capital, fill in amount -999,999,999.00 3 The website indicates a negative amount...
Improper Authorization lead a user can accept his answer as the best answer
Description Login as user A and make a question https://meta.answer.dev/questions/D1C7/how-to-set-my-laptop-auto-start-at-particular-time Login as User B and answer it. As normal, User A can vote the answer of User B as the best answer. But with this vuln, User B can call the api POST...
Stored XSS
Description The Name field in Edit Profile page is vulnerable to Stored XSS. 1. Navigate to https://demo.azuracast.com/ and login 2. Navigate to my account page 3. Click edit profile 4. Change the user name to the below payload 5. Every page of the application will now display an alert pop up on...
CKeditor 4.20.2 in use which is vulnerable to CVE-2023-28439
Description CKeditor 4.20.2 in use which is vulnerable to CVE-2023-28439 Proof of Concept 1 Go to https://demo.limesurvey.org/tmp/assets/a89a2fb4/ckeditor.js and note that version:"4.20.2" 2 Go to https://github.com/LimeSurvey/LimeSurvey/blob/master/assets/packages/ckeditor/ckeditor.js to verify...
(Almost) Arbitrary File Read on Development Server
Description I previously disclosed an arbitrary file read due to Vite misconfiguration. This is a similar vulnerability with less impact. Proof of Concept Start any nuxt app in dev. Browse to: + http://localhost:3000/\nuxtvitenode\/module/C:/Windows/System32/calc.exe +...
Improper Error Handling at Rating function
Description Please enter a description of the vulnerability. Navigating to the rating function http://127.0.0.1:8083/ratings/stored/-1 Change this number to arbitrary characters http://192.168.14.180:8083/ratings/stored/-2 An error occurs that allows the user to know the path of the application file within the system...
IDOR make users can delete others' subscription
Proof of Concept 1 user1 creates subscription1 2 user2 creates subscription2 3 user2 deletes subscription2 4 user2 uses Burp Suite to hijack the request 5 the request URL can be DELETE /inlong/manager/api/consume/delete/2 6 change the request to: DELETE /inlong/manager/api/consume/delete/1 (1 is the id of...
IDOR make users can bind any cluster
Proof of Concept 1 admin creates cluster1, cluster2, clusterTag1 and clusterTag2 2 admin adds user1 as owner of cluster1, clusterTag1 3 user1 binds clusterTag1 to cluster1 4 user1 uses Burp Suite to hijack the request 5 the request content can be "clusterTag":"biaoqia4","bindClusters":1 6 change the reque...
Attackers can change the immutable name and type of cluster
Proof of Concept 1 admin creates a cluster 2 admin adds user1 as one owner 3 attacker logs in as user1 4 user1 edits the cluster 5 user1 finds that the name and type can not be changed. 6 user1 still edits the cluster and uses Burp Suite to hijack the request 7 the request content can be like...
Attacker can change the immutable name and type of nodes
1 admin creates a node 2 add user1 as one owner 3 login as user1 4 user1 edits the node 5 user1 finds that the name and type can not be changed. 6 user1 still edits the node and uses Burp Suite to hijack the request 7 the request content can be like...
ReDoS vulnerability in `strip` function
Description The reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload. Proof of Concept import * as emoji from "https://deno.land/x/[email protected]/mod.ts"; const input = '\x00' + '\t'.repeat(154773) + '\t\x00'; const start = performance.now();...
Account Owner Email Address Leakage Leads To Improper Access Control
Description Hi team, when I try to create users on https://public.tenant.kiwitcms.org/admin/auth/user//change/ I see that the users are not properly authenticated. I can create users with the same firstname, lastname, and email. Normally, when we create the same users it should error with the...
Stored XSS
Description Stored XSS attack is possible. Proof of Concept Step 1: Go to the login URL https://demo.easyappointments.org/index.php/user/login and login as an admin. Step 2: Click on Users tab and then click on Add button to create a new user with the following credentials. Credentials: First Nam...
Insufficient Filtering Leads to Stored Cross Site Scripting at FAQ
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Able to change admin email and password without current password validation.
Description Able to change admin email and password without current password validation. Change the User%5Buid%5D to the User UID of the current admin user. For example: the uid of the current admin is 1. Then change the other info like User%5Bemail%5D, User%5Bpassword%5D and passwordrepeat for...
Path Traversal at Slack Image Endpoint
Summary Lightdash version Required. 1. Install the Lightdash server & database. 2. Connect Lightdash to a dbt project and add some metrics. 3. Create and share insights with your team. 4. Craft...
Email Address Manipulation Vulnerability
Description During testing of phpmyfaq, it was discovered that the application does not properly validate email addresses when updating user profiles. This vulnerability allows an attacker to manipulate their email address and change it to another email address that is already registered in the...
An outdated dependency leads to a remote command execution vulnerability
Description A few days ago, the vm2 module of nodejs was found to have a sandbox escape vulnerability, which was officially fixed in v3.9.15. However, a fixed vm2 version is hard-coded in the package.json (v3.9.11) of the jsreport-core component of jsreport, which makes it impossible to install the latest vm2...
GitHub token with wide access to Nuxt related repositories leaked in the wild
Description If you visit https://nuxt.com, you will find a hardcoded GitHub token in the source code of the page - ghpYXegsf40mjoFZMPSdntLbrGIBRZYKf0i2FoK. This token has access to multiple repositories under the nuxt, nuxtlabs and nuxt-themes GitHub organisations. https://github.com/nuxt Admin...
Stored Cross Site Scripting at FAQ Answer
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
SQL injection in SegmentAssignmentController.php
Description An administrator user can use the inheritableSegments feature to execute his own blind SQL queries. Proof of Concept The vulnerable php code is in src/Controller/Admin/SegmentAssignmentController.php, on method inheritableSegments: The parameter type is not escaped and is added on the...
Stored XSS via Markdown Comment
Description Register one account on the blog; if the account is activated, it can comment. We can comment with markdown. When another user clicks on the comment there may be an XSS alert. I git cloned the project and built it with docker. Latest commit is: 07a1ded08eb4e0c6979f6aeebc35f3864ba250a7 Proof ...
Cross site scripting vulnerability in thorsten/phpmyfaq
Description Cross site scripting vulnerability in thorsten/phpmyfaq in the tag field at the admin dashboard. Proof of Concept 1. Login to the demo admin account. https://roy.demo.phpmyfaq.de/admin/ 2. Go to admin dashboard -- Contents -- Add new FAQ -- FAQ meta data 3. Add payload in tag field payload...
Broken Access Control On Item via ID
Description By editing the ID on the request or HTML I can see some information of any item via ID Proof of Concept 1. Create two accounts with permission on two folders and set permissions for each user. 2. Create an item with each user 3. View the detail of an item and change the itemid on the request view...
Stored XSS on function item with folder
Description Create two accounts and allow them the same folder. One account creates a new item in the folder. In the description parameter select code view and paste the XSS payload. Save and click on the item; it will show an XSS alert. The other account logs in, views the folder, clicks on the item and sees an XSS alert. Proof of Concept g...
Stored cross site scripting vulnerability in thorsten/phpmyfaq
Description Stored cross site scripting vulnerability in the "name" field in the add question module. This allows an attacker to steal user cookies. Proof of Concept 1. Login to the demo account https://roy.demo.phpmyfaq.de/ 2. Login as demo user 3. Click add question 4. Add payload in "Your Name"...
Attached files under salaries module can be harvested by unauthenticated users
Description File attachments under the salaries module can be downloaded and viewed by anyone without authentication by just knowing the full path /assets/FileUploads/2022/staff2/ and the predictable filename, which contains the date YYYY-MM-DD and a random 6 digit number which can be easily enumerated by...
Browser back attack vulnerability
Description rosariosis has a vulnerability that allows a user to return to a page containing personally identifiable information (PII) and sensitive information even after logging out of the application by using the browser's back button. This issue poses a significant risk to the confidentiality of...