Broken Access Control in Vote/Friend Function
Description Unauthorized conduct by modifying, closing or re-opening a poll created by someone else. Deleting a friend of another account via id. Proof of Concept Step 1: Use account 1 to create a poll. Account 2 does not have permission to edit/close/open the poll. Step 2: Intercept the request when account 1 edits,...
Stored XSS in Edit user member profile
Description When making changes to update information, there is a country parameter into which the XSS payload can be inserted. Step 1: Update user Personal information Proof of Concept // PoC request: // payload: "alertString.fromCharCode88,83 POST /pbboard/index.php?page=usercp&control=1&info=1&start=1 HTTP/1.1...
Users who joined later can see the data of deleted users
Proof of Concept 1 admin creates a user named user1 2 user1 logs in and creates an Inlong Group 3 admin deletes user1 4 admin creates another user whose name is also user1 5 user1 logs in and can see the Inlong Group created by the old user1...
Reflected XSS on Sidekiq through multiple endpoints via GET parameter "period"
Description Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser. Proof of Concept There must have been a metrics during the default value of the period parameter. You simply have to set the payloa...
Unrestricted File Upload with Dangerous Type to XSS
Description In the upload-logo feature the website does not validate the extension or the content of the file when uploading a logo. It is possible to upload an SVG containing an XSS payload. Allowed file extensions: SVG is not among them. Proof of Concept POST /projectsend/options.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x6...
Bypass of length check in Add Folder feature leads to XSS in module=evvtgendoc
Description I found Stored XSS on https://demo.corebos.com/index.php?action=index&module=evvtgendoc after I used Add Folder. Proof of Concept Step 1: Go to the Documents function https://demo.corebos.com/index.php?action=index&module=Documents and click Add Folder. Step 2: Intercept the request with Burp Suite...
IDOR lets one user stop, start, delete, or edit others' sources
Proof of Concept 1 user1 creates a source with id = 1 2 user2 creates a source with id = 2 3 user1 deletes the source with the POST DELETE /inlong/manager/api/source/delete/1?sourceType= HTTP/1.1 4 user1 replaces the 1 with 2 and finds that he can successfully delete user2's source...
IDOR lets users withdraw others' applications
Proof of Concept 1 user1 submits an application with id = 8, user2 submits an application with id = 9 2 user1 withdraws the application; using Burp Suite, capture the POST, which looks like: POST /inlong/manager/api/workflow/cancel/8 HTTP/1.1 3 change 8 to 9 and we can find that user2's application is...
Multiple Stored XSS via mail parameter
Description In phpMyFAQ, while submitting a question, the mail parameter accepts unsanitized user input, which leads to a Stored XSS vulnerability executing on the Admin Panel /admin/?action=question. Proof of Concept 1. Go to https://roy.demo.phpmyfaq.de/index.php?action=ask&categoryid=0 1. Fill ...
Insufficient Session Expiration
Description User sessions are still valid when the user is deleted or the password is changed. Proof of Concept 1 user1 logs in in browser1 2 admin deletes user1 in browser2 3 user1 can still do anything...
Weak Password Implementation
Description: We can change the password with just 1 character when we use change password function. Proof of Concept When you change password, just press any character and then submit. You will see "Your password has been changed"...
CSRF leading to delete Client API in API clients management
Description wallabag was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete API keys via client/delete/id Proof of Concept history.pushState'', '', '/'; document.forms0.submit;...
Reflected XSS in /library/custom_template/share_template.php
Description There exists a reflected XSS in /library/custom_template/share_template.php in the 'listid' parameter. Proof of Concept http://openemr.local/library/customtemplate/sharetemplate.php?listid=1;alert1;function%20xif1a=a:a:1 fix properly sanitize the listid parameter...
Reflected XSS in interface/forms/eye_mag/js/eye_base.php
Description There exists a reflected XSS in /interface/forms/eye_mag/js/eye_base.php in the 'providerID' parameter. Proof of Concept http://openemr.local/interface/forms/eyemag/js/eyebase.php?providerID=%3Cimg%20src=x%20onerror=alert1;%3E fix properly sanitize the providerID parameter...
XSS in Translations
Description XSS Vulnerability found in Translations language. Proof Of Concept: Steps To Reproduce: 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Settings Admin Translation and click on the Add button to add a new record. 3. Now click on translate. Add...
Stored cross site scripting vulnerability in operator any getter in pimcore grid configuration
Description Stored cross site scripting vulnerability in operator any getter in pimcore grid configuration. Proof of Concept 1. Login to the demo account https://11.x-dev.pimcore.fun/admin/login 2. On left side menu go to document -- perspective -- cdp...
Bypass Stored XSS in Catalog
1. Login at URL: https://demo.pimcore.fun/admin 2. Go to File - Perspectives - Catalog 3. Click in tab Properties - footer - Open 4. Click any Find & Order - Edit 5. In tab Basic, inject payload into: Parameters, Anchor; in tab Advanced, inject payload into: Class. For more understanding please check...
Stored cross site scripting vulnerability in Save grid option in pimcore dashboard
Description Stored cross site scripting vulnerability in Save grid option in pimcore dashboard. Proof of Concept 1. Login to the demo account https://11.x-dev.pimcore.fun/admin/login 2. On left side menu go to document -- perspective -- cdp https://11.x-dev.pimcore.fun/admin/?perspective=CDP 3. i...
AWS credentials exposure
Description app.diagrams.net allows the insertion of PlantUML objects. This feature is using an old and misconfigured version of PlantUML 1.2022.6; therefore, it is possible to exploit dangerous functions such as %getenv to read environment variables on the machine where PlantUML is running. I was...
Stored XSS on Multiple Edit Page
Description A stored XSS with alert on the Editing page. I cloned the repo from the master branch and built it with Docker. Footer shows: Version: 1.3.4 Proof of Concept Request raw: POST /api/saveedit HTTP/1.1 Host: 192.168.125.131 User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:109.0...
Improper Restriction of Rendered UI Layers or Frames
Description osTicket uses an incorrect method to validate the src attribute of the iframe tag. Although it appears that osTicket restricts domains through a whitelist, attackers can easily bypass this restriction. Proof of Concept This iframe is going to render www.youtube.com.attacker's serv...
XML External Entity (XXE) injection in sympy
Description SymPy is an open source computer algebra system written in pure Python. SymPy is vulnerable to an XML External Entity (XXE) injection in the apply_xsl functionality due to the usage of etree.XML. Proof of Concept // PoC.py from sympy.utilities.mathml import...
Information leakage in EXIF data of images
Description EXIF stands for Exchangeable Image File Format and the EXIF data contains information such as the camera model and make, shutter speed, aperture, focal length, ISO number, date, time and much more. It can also store GPS coordinates of the location where an image was shot. Proof of...
Multiple XSS on update functions with module select options and search form
Description XSS vulnerability occurs in forms that have select and search fields. Proof of Concept POST /bumsys/xhr/?module=peoples&page=updateCustomer HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:109.0 Gecko/20100101 Firefox/111.0 Accept: / Accept-Language:...
Input validation and money transfer vulnerability with negative number
Description I transfer money from account1 to account2. According to the scenario, account1 will be deducted and account2 will have money added. But account1 was added to and account2 was subtracted from. If I use a negative number and its value exceeds the account balance, the money will still be added to the transfer...
Multiple XSS in Create/Update Function Version 1.4.3 and 1.5.0-dev.2
Description Stored XSS on create/update service, categories, settings. I tested on the 1.4.3 demo site and 1.5.0-dev2. Proof of Concept Install: I installed from the develop branch. When the install finished, the footer displayed version v1.5.0-dev.2. The time I ran it and the commit shown in the image below are the latest. webUI ...
Reflected XSS in LimeSurvey
Description There is an XSS in LimeSurvey. The $_GET['keyword'] is not sanitized: echo $_GET['keyword']; Proof of Concept We can read cookie contents:...
Local File Read Bypass in mlflow/mlflow
Description This is a bypass of the following submission, which was assigned CVE-2023-1177. Proof of Concept Start the server or UI (it works on both identically): mlflow ui --host 127.0.0.1:5000 1. Create a Model named "AJAX-API". curl -i -s -k -X $'POST' -H $'Host: 127.0.0.1:5000' -H $'User-Agent:...
IDORs with unpredictable IDs are valid vulnerabilities
1 create two workspaces: workspace1 and workspace2, whose admins are admin1 and admin2 2 login as user1 and create project1. 4 Using Burp Suite to hijack the request, replace workspace1's workspaceid with workspace2's workspaceid 5 we can find that project1 has a new project, even though admin2 is not the...
XSS in Conditions tab of Pricing Rules
Description While testing the pimcore application, I found that it is vulnerable to XSS in the Conditions tab of Pricing Rules, specifically in the From and To fields of the Date Range section. Proof of Concept 1. Go to https://11.x-dev.pimcore.fun/admin/ then login. 2. On the left menu bar, go t...
arbitrary file read
Description An authenticated attacker can abuse import-server-files with a path traversal to download an arbitrary file from the server. Collaborator: @ub3rsick Proof of Concept 1. To trigger the request for SSRF: go to files - assets - select a folder - right click - add asset - import from...
heap-buffer-overflow in vim_regsub_both
Description heap-based buffer overflow in vim_regsub_both at regexp.c:2473 Vim Version git log commit 1a08a3e2a584889f19b84a27672134649b73da58 HEAD - master, tag: v9.0.1429, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S POCvimregsubboth -c :qa!...
XSS in Classification Store of Data Objects module in Settings
Description pimcore is vulnerable to XSS at the Name field in Classification Store of the Data Objects module in Settings. The vulnerability exists in all 3 tabs: Group Collections, Group, Key Definitions. Payload " Proof of Concept 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left men...
XSS in Upload file PDF in pimcore/pimcore
Description pimcore is vulnerable to XSS at Filedata field in Document Upload Payload Payload File: https://drive.google.com/file/d/1tDcOcuzyJrFnT7RH-VmVq6XwXC1yh-AF/view?usp=sharing URL URL: https://11.x-dev.pimcore.fun/admin/asset/add-asset?parentId=379&dir=&allowOverwrite=0 Proof of Concept St...
Stored HTML injection to XSS
Team, I hope you are all doing well. I wanted to bring to your attention a potential vulnerability on the website https://wearenotloosers.kimai.cloud. During my research, I discovered that the user name fields are vulnerable to a stored HTML injection attack, which is reflecting while...
XSS in Quantity Value of Data Objects module in Settings
Description pimcore is vulnerable to XSS at the Abbreviation and Longname fields in Quantity Value of the Data Objects module in Settings. Payload " Proof of Concept 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Settings - Data Objects - Quantity Value. 3. In the...
XSS in Classes of Data Objects module in Settings
Description pimcore is vulnerable to XSS at the fromDate and toDate fields in Classes of the Data Objects module in Settings. Payload " Proof of Concept 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Settings - Data Objects - Classes and click on any class. 3. In the...
Html Injection to Open redirect
Description Steps to reproduce: 1. Open https://demo.easyappointments.org/index.php/backend/index and click on create meet. 2. In the first name field, add the open redirect payload and save it. click me...
Cross site scripting on contact module
Steps to reproduce: 1. Open https://demo.corebos.com and navigate to Settings, Users. 2. Add the XSS payload into Entity Name. 3. Now navigate to Contact, Create contact, Add contact, click on More Information, then click Add Opportunity. 4. In the Assign To drop-down menu, select the XSS payload and save. XSS Payloa...
Improper Access Control which allows one provider to view and edit other providers' appointment details
Description Login using one provider's credentials. After logging in successfully, notice there is a POST request to /index.php/backend_api/ajax_get_calendar_appointments which allows the provider to view their own appointment information. However, by changing the record_id parameter to any number starting from...
Dom-based XSS in Website Settings module in Settings
Description pimcore is vulnerable to DOM-based XSS at the Name field in Website Settings module in Settings. Payload " Proof of Concept 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Settings - Website Settings, input any text into the Key field and choose a Type,...
XSS to RCE found in Trilium
Vulnerability Type Remote Code Execution RCE Authentication Required? No Affected Location - Search Notes Search Ancestor Output - Jump to Note Search Note Output - New Tab Search Notes Output Issue Summary The application contains a vulnerability where HTML characters within the title name of...
Null pointer dereference in get_register at register.c:311
Description Null pointer dereference in get_register at register.c:311. The y_current variable is 0 because of the name variable. Version $ git log commit 3ea62381c527395ae701715335776f427d22eb7b HEAD - master, tag: v9.0.1425, origin/master, origin/HEAD Author: Amaan Qureshi Date: Thu Mar 23 15:45:46...
ProjectID is disclosed and can be used for IDOR attack
I found that when we click the "Settings" button, we can see all the projects, even those the logged-in user does not belong to. Using Burp Suite to hijack the request, we can obtain project ids. We can use a project id to perform an IDOR attack. 1 create two projects: project1 and project2, and their admin is...
sql injection
Description multiple SQL injections due to unsanitized strings being concatenated into the WHERE clause. Collaborator: @ub3rsick Proof of Concept - assets controller 1- to trigger the request for sqli: go to files - assets - select a folder - right click - download as zip 2- replay the request to...
Zero-Click Remote Code Execution
Vulnerability Type Remote Code Execution Affected URL http://127.0.0.1/?anyparameter= Affected Parameter Arbitrary GET parameter Authentication Required? No Issue Summary Multiple vulnerabilities discovered in Appium-Desktop that can be chained together to achieve Zero Click Remote Code Execution...
Stored XSS in front/dashboard_helpdesk.php
Description Under the super-admin view, when adding a card to a dashboard, some additional parameters are sent in the POST request. Those parameters later constitute an HTML div section in the response body. It is possible to modify the request and inject a value into one of those parameters which will...
Embedding untrusted input inside CSV files leads to Formula Injection/CSV Injection
Description The pimcore application is vulnerable to Formula Injection/CSV Injection via the Firstname, Lastname, Street, Zip & City input fields. These vulnerabilities allow unauthenticated attackers to execute arbitrary code via a crafted Excel file. Proof of Concept 1. Go to...
Cross site scripting on the login page
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. URL...
Annotation tool: token forgery using jwt secret to claim super admin role
Although the annotator tool's source code is not directly provided in the repository a docker image is provided. From there it is easy to get access to the source code by either extracting the docker tar image, which can be exported from docker itself, or connecting to the container with an...