Stored cross site scripting vulnerability in operator any getter in pimcore grid configuration
Description: Stored cross-site scripting vulnerability in operator any getter in pimcore grid configuration. Proof of Concept: 1. Log in to the demo account https://11.x-dev.pimcore.fun/admin/login 2. On the left side menu, go to document -- perspective -- cdp...
Bypass Stored XSS in Catalog
1. Log in at URL: https://demo.pimcore.fun/admin 2. Go to File - Perspectives - Catalog 3. Click the Properties tab - footer - Open 4. Click any Find & Order - Edit 5. In the Basic tab, inject the payload into: Parameters, Anchor. In the Advanced tab, inject the payload into: Class. For more understanding please check...
Stored cross site scripting vulnerability in Save grid option in pimcore dashboard
Description: Stored cross-site scripting vulnerability in the Save grid option in the pimcore dashboard. Proof of Concept: 1. Log in to the demo account https://11.x-dev.pimcore.fun/admin/login 2. On the left side menu, go to document -- perspective -- cdp https://11.x-dev.pimcore.fun/admin/?perspective=CDP 3. i...
AWS credentials exposure
Description: app.diagrams.net allows the insertion of PlantUML objects. This feature uses an old and misconfigured version of PlantUML (1.2022.6); therefore, it is possible to exploit dangerous functions such as %getenv to read environment variables on the machine where PlantUML is running. I was...
Stored XSS on Multiple Edit Page
Description: A stored XSS with alert on the Editing page. I cloned the repo from the master branch and built it with Docker. The footer shows: Version: 1.3.4. Proof of Concept: Request raw: POST /api/saveedit HTTP/1.1 Host: 192.168.125.131 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0...
Improper Restriction of Rendered UI Layers or Frames
Description: osTicket uses an incorrect method to validate the src attribute of the iframe tag. Although it appears that osTicket restricts domains through a whitelist, attackers can easily bypass this restriction. Proof of Concept: This iframe is going to render www.youtube.com.attacker's serv...
XML External Entity (XXE) injection in sympy
Description: SymPy is an open source computer algebra system written in pure Python. SymPy is vulnerable to an XML External Entity (XXE) injection in the apply_xsl functionality due to the usage of etree.XML. Proof of Concept: // PoC.py from sympy.utilities.mathml import...
Information leakage in EXIF data of images
Description: EXIF stands for Exchangeable Image File Format, and EXIF data contains information such as the camera model and make, shutter speed, aperture, focal length, ISO number, date, time and much more. It can also store the GPS coordinates of the location where an image was shot. Proof of...
Multiple XSS on update functions with module select options and search form
Description: XSS vulnerability occurs in forms that have select and search fields. Proof of Concept: POST /bumsys/xhr/?module=peoples&page=updateCustomer HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0 Accept: */* Accept-Language:...
Input validation and money transfer vulnerability with negative number
Description: I transfer money from account1 to account2. According to the scenario, account1 will be debited and account2 will be credited. But account1 was credited and account2 was debited. If I use a negative number and its value exceeds the account balance, the money will still be added to the transfer...
Multiple XSS in Create/Update Function, Version 1.4.3 and 1.5.0-dev.2
Description: Stored XSS on create/update service, categories, settings. I tested on the 1.4.3 demo site and 1.5.0-dev2. Proof of Concept: Install: I installed from the develop branch. When the install finished, the footer displayed version v1.5.0-dev.2. At the time I ran it, the commit below on the image was the latest. webUI...
Reflected XSS in LimeSurvey
Description: There is an XSS in LimeSurvey. The $_GET['keyword'] value is not sanitized: echo $_GET['keyword']; Proof of Concept: We can read cookie contents:...
Local File Read Bypass in mlflow/mlflow
Description: This is a bypass of the following submission, which was assigned CVE-2023-1177. Proof of Concept: Start the server or UI (it works identically on both): mlflow ui --host 127.0.0.1:5000 1. Create a Model named "AJAX-API". curl -i -s -k -X $'POST' -H $'Host: 127.0.0.1:5000' -H $'User-Agent:...
IDORs with unpredictable IDs are valid vulnerabilities
1. Create two workspaces: workspace1 and workspace2; their admins are admin1 and admin2. 2. Log in as user1 and create project1. 4. Using Burp Suite to intercept the request, replace workspace1's workspaceid with workspace2's workspaceid. 5. We can find that project1 has a new project, even though admin2 is not the...
XSS in Conditions tab of Pricing Rules
Description: While testing the pimcore application, I found that it is vulnerable to XSS in the Conditions tab of Pricing Rules, specifically in the From and To fields of the Date Range section. Proof of Concept: 1. Go to https://11.x-dev.pimcore.fun/admin/ then login. 2. On the left menu bar, go t...
arbitrary file read
Description: An authenticated attacker can abuse import-server-files with a path traversal to download an arbitrary file from the server. Collaborator: @ub3rsick. Proof of Concept: 1. To trigger the request for SSRF: go to files - assets - select a folder - right click - add asset - import from...
heap-buffer-overflow in vim_regsub_both
Description: Heap-based buffer overflow in vim_regsub_both at regexp.c:2473. Vim Version: git log commit 1a08a3e2a584889f19b84a27672134649b73da58 (HEAD -> master, tag: v9.0.1429, origin/master, origin/HEAD). Proof of Concept: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S POCvimregsubboth -c :qa!...
XSS in Classification Store of Data Objects module in Settings
Description: pimcore is vulnerable to XSS at the Name field in Classification Store of the Data Objects module in Settings. The vulnerability exists in all 3 tabs: Group Collections, Group, Key Definitions. Payload: " Proof of Concept: 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left men...
XSS in Upload file PDF in pimcore/pimcore
Description: pimcore is vulnerable to XSS at the Filedata field in Document Upload. Payload File: https://drive.google.com/file/d/1tDcOcuzyJrFnT7RH-VmVq6XwXC1yh-AF/view?usp=sharing URL: https://11.x-dev.pimcore.fun/admin/asset/add-asset?parentId=379&dir=&allowOverwrite=0 Proof of Concept: St...
Stored HTML injection to XSS
Team, I hope you are all doing well. I wanted to bring to your attention a potential vulnerability on the website https://wearenotloosers.kimai.cloud. During my research, I discovered that the user name fields are vulnerable to a stored HTML injection attack, which is reflecting while...
XSS in Quantity Value of Data Objects module in Settings
Description: pimcore is vulnerable to XSS at the Abbreviation and Longname fields in Quantity Value of the Data Objects module in Settings. Payload: " Proof of Concept: 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Settings - Data Objects - Quantity Value. 3. In the...
XSS in Classes of Data Objects module in Settings
Description: pimcore is vulnerable to XSS at the fromDate and toDate fields in Classes of the Data Objects module in Settings. Payload: " Proof of Concept: 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Settings - Data Objects - Classes and click on any class. 3. In the...
HTML Injection to Open Redirect
Description: Steps to reproduce: 1. Open https://demo.easyappointments.org/index.php/backend/index and click on create meet. 2. In First name, add the open redirect payload and save it. click me...
Cross site scripting on contact module
Steps to reproduce: 1. Open https://demo.corebos.com and navigate to Settings - Users. 2. Add the XSS payload into Entity Name. 3. Now navigate to Contact - Create contact - Add contact, click on more information and click add opportunity. 4. On the Assign to drop-down menu, select the XSS payload and save. XSS Payloa...
Improper Access Control which allows one provider to view and edit other providers' appointment details
Description: Log in using one provider's credentials. After logging in successfully, notice there is a POST request to /index.php/backendapi/ajaxgetcalendarappointments which allows the provider to view their own appointment information. However, by changing the recordid parameter to any number starting from...
DOM-based XSS in Website Settings module in Settings
Description: pimcore is vulnerable to DOM-based XSS at the Name field in the Website Settings module in Settings. Payload: " Proof of Concept: 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Settings - Website Settings, input any text into the Key field and choose a Type,...
XSS to RCE found in Trilium
Vulnerability Type: Remote Code Execution (RCE). Authentication Required? No. Affected Location: - Search Notes Search Ancestor Output - Jump to Note Search Note Output - New Tab Search Notes Output. Issue Summary: The application contains a vulnerability where HTML characters within the title name of...
Null pointer dereference in get_register at register.c:311
Description: Null pointer dereference in get_register at register.c:311. The y_current variable is 0 because of the name variable. Version: $ git log commit 3ea62381c527395ae701715335776f427d22eb7b (HEAD -> master, tag: v9.0.1425, origin/master, origin/HEAD) Author: Amaan Qureshi Date: Thu Mar 23 15:45:46...
ProjectID is disclosed and can be used for IDOR attack
I find that when we click the "Settings" button, we can see all the projects, even those the logged-in user does not belong to. Using Burp Suite to intercept the request, we can obtain project ids. We can use a projectid to perform an IDOR attack. 1. Create two projects: project1 and project2, and their admins are...
SQL injection
Description: Multiple SQL injections due to unsanitized string concatenation into the WHERE clause. Collaborator: @ub3rsick. Proof of Concept - assets controller: 1. To trigger the request for SQLi: go to files - assets - select a folder - right click - download as zip. 2. Replay the request to...
Zero-Click Remote Code Execution
Vulnerability Type: Remote Code Execution. Affected URL: http://127.0.0.1/?anyparameter= Affected Parameter: Arbitrary GET parameter. Authentication Required? No. Issue Summary: Multiple vulnerabilities discovered in Appium-Desktop can be chained together to achieve Zero Click Remote Code Execution...
Stored XSS in front/dashboard_helpdesk.php
Description: Under the super-admin view, when adding a card to a dashboard, some additional parameters are sent with the POST request. Those parameters later constitute an HTML div section in the response body. It is possible to modify the request and inject one of those parameter values, which will...
Embedding untrusted input inside CSV files leads to Formula Injection/CSV Injection
Description: The pimcore application is vulnerable to Formula Injection/CSV Injection via the Firstname, Lastname, Street, Zip & City input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a crafted Excel file. Proof of Concept: 1. Go to...
Cross site scripting on the login page
Description: Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. URL...
Annotation tool: token forgery using jwt secret to claim super admin role
Although the annotator tool's source code is not directly provided in the repository, a Docker image is provided. From there it is easy to get access to the source code by either extracting the Docker tar image, which can be exported from Docker itself, or connecting to the container with an...
Unhandled SWF Tags in MP4Box: Potential Vulnerability in GPAC
An unhandled series of SWF tags has been identified in the MP4Box software, which is part of the GPAC multimedia framework. These tags are not properly processed, leading to potential vulnerabilities such as denial of service, buffer overflows, or other malicious attacks. POC: ./MP4Box -dash 100...
IDOR vulnerability allows the owner of one organization to create, edit and delete API keys that belong to another organization
1. First, we create two organizations: org1 and org2. Their owners are user1 and user2 respectively. 2. We log in as user1 and create a new API key. 3. Using Burp Suite to intercept the POST. 4. The POST can be like:...
IDOR vulnerability allows the owner of one organization to edit, delete and reset the password of users that belong to another organization
1. First, we create two organizations: org1 and org2. Their owners are user1 and user2 respectively. 2. We log in as user1 and reset our own password. 3. Using Burp Suite to intercept the request. 4. The request can be like: PUT...
IDOR vulnerability allows the owner of one organization to disable users that belong to another organization
1. First, we create two organizations: org1 and org2. Their owners are user1 and user2 respectively. 2. We log in as user1 and click disable, then we use Burp Suite to capture the POST. 3. The POST can be like: POST /admin/api/users/2/enable/false HTTP/1.1 5. We replace user id 2 with 3. 6. Check the...
Heap Use-After-Free in GPAC MP4Box's ogg_stream_clear Function When Processing OGG Files
A heap use-after-free vulnerability has been discovered in GPAC MP4Box's ogg_stream_clear function when processing OGG files. The vulnerability occurs due to improper handling of memory allocations and deallocations while processing OGG files. This leads to the use of previously freed memory, causi...
SIGSEGV at libr/bin/p/bin_coff.c:509 in patch_relocs()
Description: radare2 5.8.2 misparses symbol information in COFF files, causing a segmentation fault in patch_relocs at libr/bin/p/bin_coff.c:509. Proof of Concept: input.bin 00000000: 6603 e846 4058 6458 4036 5858 5858 5868 f..F@XdX@6XXXXXh 00000010: 5858 7063 5858 5840 0038 00de 57ff ffff...
Stored XSS via name parameter of "Predefined Properties"
Description: It's observed that the name parameter of the "Predefined Properties" functionality is vulnerable to stored XSS. Proof of Concept: 1. Login to https://demo.pimcore.fun/admin/. 2. Now go to Settings - Predefined Properties - Add and enter the payload: " inside the name input field. 3. Then...
IDOR vulnerability allows the owner of one organization to update any other organization
1. First, we create two organizations: org1 and org2. Their owners are user1 and user2 respectively. 2. We log in as user1 and update org1, then we use Burp Suite to capture the POST. 3. The first POST will check the user, and we forward it. 4. The second POST will edit the content of the organization and can b...
Password reset link not expired
Hi team, I hope you are well today. These are the steps: Reset your password with this link https://meta.answer.dev/users/account-recovery. I have noticed that the links can be used many times. Besides, https://meta.answer.dev/users/account-activation?code=... (account activation) has the same vulnerability. Ok...
Unauthenticated Access to Users PII
Description: An unauthorized/unauthenticated attacker can access the PII data of all the users. Some of the PII leaked: first name, last name, email, username, IP address, twofactorsecret, twofactorrecoverycodes. Proof of Concept: http://localhost/api/user It shows you the details of all the users...
Stored XSS in name parameter of "Customers Reports"
Description: The name parameter of the "Static Routes" functionality is vulnerable to stored XSS. Proof of Concept: 1. Login to https://demo.pimcore.fun/admin/. 2. Now go to Marketing - Customers Reports - Add and enter the name of the new item a-zA-Z-. 3. Then capture the request in Burp Suite an...
Stored XSS in name parameter of "Static Routes"
Description: During testing, I observed that the name parameter of the "Static Routes" functionality is vulnerable to stored XSS. Proof of Concept: 1. Login to https://demo.pimcore.fun/admin/. 2. Now go to Settings - Static Routes - Add and enter the payload: " inside the name input field. 3. Then cli...
Multiple Stored XSS in name parameter of "Pricing Rules", "Predefined Properties", "Customers Reports" & "Static Routes"
Description: The name parameter of the "Pricing Rules", "Predefined Properties", "Customers Reports" & "Static Routes" functionality is vulnerable to Stored XSS. Proof of Concept: 1. Login to https://demo.pimcore.fun/admin/. 2. Now go to Online Shop - Pricing Rules - Add and enter the name of the new...
REFLECTED XSS "Cross-site Scripting (XSS)"
Description: Summary: I have found Reflected XSS at https://www.vim.org/login.php?referrer= Go to: https://www.vim.org/login.php?referrer=%22%3E%3Csvg/onload=prompt/OPENBUGBOUNTY/%3E XSS payload: " Proof of Concept: // PoC.js var payload =...
Cross site scripting on setting module
Description: pimcore is vulnerable to XSS in the translate module. Proof of Concept: Steps to Reproduce: 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Settings - Document Types and click on the Add button to add a new record. 3. Now click on translate. Add the XSS payloa...