Unhandled SWF Tags in MP4Box: Potential Vulnerability in GPAC
An unhandled series of SWF tags has been identified in the MP4Box software, which is part of the GPAC multimedia framework. These tags are not properly processed, leading to potential vulnerabilities such as denial of service, buffer overflows, or other malicious attacks. POC: ./MP4Box -dash 100...
IDOR Vulnerability Allows the owner of one Organization to create, edit, delete API keys that belong to another organization
1. First, we create two organizations: org1 and org2. Their owners are user1 and user2 respectively. 2. We log in as user1 and create a new API key. 3. Using Burp Suite to hijack the post. 4. The post can be like:...
IDOR Vulnerability Allows the owner of one Organization to edit, delete and reset the password of users that belong to another organization
1. First, we create two organizations: org1 and org2. Their owners are user1 and user2 respectively. 2. We log in as user1 and reset its own password. 3. Using Burp Suite to hijack the post. 4. The post can be like: PUT...
IDOR Vulnerability Allows the owner of one Organization to disable users that belong to another organization
1. First, we create two organizations: org1 and org2. Their owners are user1 and user2 respectively. 2. We log in as user1 and click disable, then we use Burp Suite to get the post. 3. The post can be like: POST /admin/api/users/2/enable/false HTTP/1.1 5. We replace user id 2 with 3. 6. Check the...
Heap Use-After-Free in GPAC MP4Box's ogg_stream_clear Function When Processing OGG Files
A heap use-after-free vulnerability has been discovered in GPAC MP4Box's ogg_stream_clear function when processing OGG files. The vulnerability occurs due to improper handling of memory allocations and deallocations while processing OGG files. This leads to the use of previously freed memory, causi...
SIGSEGV at libr/bin/p/bin_coff.c:509 in patch_relocs()
Description radare2 5.8.2 misparses symbol information in COFF files, causing a segmentation fault in patch_relocs at libr/bin/p/bin_coff.c:509 Proof of Concept input.bin 00000000: 6603 e846 4058 6458 4036 5858 5858 5868 f..F@XdX@6XXXXXh 00000010: 5858 7063 5858 5840 0038 00de 57ff ffff...
Stored XSS via name parameter of "Predefined Properties"
Description It's observed that the name parameter of the "Predefined Properties" functionality is vulnerable to stored XSS. Proof of Concept 1. Log in to https://demo.pimcore.fun/admin/. 2. Now go to Settings - Predefined Properties - Add and enter the payload: " inside the name input field. 3. Then...
IDOR Vulnerability Allows the owner of one Organization to update any other organization
1. First, we create two organizations: org1 and org2. Their owners are user1 and user2 respectively. 2. We log in as user1 and update org1, then we use Burp Suite to get the post. 3. The first post will check the user and we forward it. 4. The second post will edit the content of the organization and can b...
Password reset link not expired
Hi team, I hope you are well today. These are the steps: Reset your password with this link https://meta.answer.dev/users/account-recovery I have recognized that the links can be used many times. Besides, https://meta.answer.dev/users/account-activation?code=... for activating an account has the same vulnerability. Ok...
Unauthenticated Access to Users PII
Description An Unauthorized/Unauthenticated Attacker can access PII data of all the Users. Some of the PII leaked are: first name, last name, email, username, IP address, twofactorsecret, twofactorrecoverycodes Proof of Concept http://localhost/api/user It shows you details of all the users...
Stored XSS in name parameter of "Customers Reports"
Description The name parameter of the "Static Routes" functionality is vulnerable to stored XSS. Proof of Concept 1. Log in to https://demo.pimcore.fun/admin/. 2. Now go to Marketing - Customers Reports - Add and enter the name of the new item a-zA-Z-. 3. Then capture the request in Burp Suite an...
Stored XSS in name parameter of "Static Routes"
Description During testing, I observed that the name parameter of the "Static Routes" functionality is vulnerable to stored XSS. Proof of Concept 1. Log in to https://demo.pimcore.fun/admin/. 2. Now go to Settings - Static Routes - Add and enter the payload: " inside the name input field. 3. Then cli...
Multiple Stored XSS in name parameter of "Pricing Rules", "Predefined Properties", "Customers Reports" & "Static Routes"
Description The name parameter of the "Pricing Rules", "Predefined Properties", "Customers Reports" & "Static Routes" functionality is vulnerable to Stored XSS. Proof of Concept 1. Log in to https://demo.pimcore.fun/admin/. 2. Now go to Online Shop - Pricing Rules - Add and enter the name of the new...
REFLECTED XSS "Cross-site Scripting (XSS)"
Description Summary: I have found Reflected XSS at https://www.vim.org/login.php?referrer= Go to: https://www.vim.org/login.php?referrer=%22%3E%3Csvg/onload=prompt/OPENBUGBOUNTY/%3E XSS payload: " Proof of Concept // PoC.js var payload =...
Cross site scripting on setting module
Description pimcore is vulnerable to XSS in the translate module. Proof of Concept Steps to Reproduce. 1. Go to https://11.x-dev.pimcore.fun/admin/ and log in. 2. In the left menu bar, go to Settings - Document Types and click on the Add button to add a new record. 3. Now click on translate. Add the XSS payloa...
heap-buffer-overflow in vim_strrchr
Description heap-based buffer overflow in vim_strrchr at strings.c:682 Vim Version git log commit ea83c194625e51c28a2796eba9ba87b0b9ab23e0 HEAD - master, tag: v9.0.1414, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S POCvimstrrchr -c :qa!...
Stored XSS in Properties Parameter
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Stored XSS in Admin Panel
Description The admin panel admin.php does not properly sanitize the text in the "Site Name" field, allowing a user with admin access to inject arbitrary HTML. This is in a similar vein to CVE-2022-4733 but still exists as of version 7.0.1-dev. Proof of Concept 1. Log in as a user with admin...
Strong Password Policy Bypass through removing a specific Parameter and setting the Password to 1
Hello, I was able to detect another password security issue. While changing the password the attacker can use the proxy and submit, for example, the password as 1. Although there is a password policy restriction, I managed to bypass it. Let me show you: The Password is now 2; let's change it to HACK...
Stored XSS in create tag
Description The create tag feature permits an attacker to inject an HTML tag and execute it. Proof of Concept 1. Add a question 2. Create a tag with the payload in the description: 3. Post your question 4. Go to the link http:///tags//timeline and click the created tag. Payload executed. POC...
Broken Access Control on "http://localhost/api/user" endpoint
Description Able to create an Admin account from a normal User account. Steps 1. Navigate to https://localhost/. 2. Then click on login and then register, fill in the form and click Register. 3. Now log in with the newly created user account while intercepting the traffic in Burp. 4. Turn on the Burp interce...
2FA Bypass by Brute Force
Description Currently there are no restrictions on attempts to enter the correct 2FA code. In contrast to the first step of the authentication (username + password), the fields lastloginfail and loginfailcount in the database aren't updated. An attacker can bypass the 2FA by simple brute force of...
Session Fixation Vulnerability
Description It was noticed that the easyappointments application is vulnerable to a Session Fixation vulnerability. The application does not generate a new easession cookie after the user authenticates successfully into the application. A malicious user is able to create a new session cookie value a...
Authenticated Stored Cross-Site Scripting (XSS)
Description Log in to the admin account. Use the following URL http://192.168.0.211/admin.php?action=files or navigate to pages - manage files. Upload the XSS payload with the ".html" extension. Intercept the request with Burp Suite. Modify the Content-Type to application/x-php and forward the request...
Authenticated Remote Code Execution
Description Found authenticated Remote Code Execution (RCE) on pluck 4.7.15. While reading the source code, I found the blacklisted extensions are mentioned in the file data/inc/files.php at lines 44 and 45. The file upload function validates whether the file extension matches any one of the following extensions: .php,...
XSS in Predefined Asset Metadata module in Settings
Description While testing the pimcore application, I found that it is vulnerable to an XSS vulnerability in the Predefined Asset Metadata module in Settings, specifically at the Name field. Proof of Concept 1. Go to https://11.x-dev.pimcore.fun/admin/ then log in. 2. Go to Settings - Predefined Asset Metadata...
Reflected XSS in Predefined Properties module in Settings
Description During testing of the pimcore application, I found that it is vulnerable to an XSS vulnerability in the Predefined Properties module in Settings, specifically at the Name field. Proof of Concept 1. Go to https://11.x-dev.pimcore.fun/admin/ then log in. 2. Go to Settings - Predefined Properties and add...
Cross Site Scripting (XSS) in Assets
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Access Control Vulnerability in Prescription Controller
Description An Access Control Vulnerability allows a low-level user in the web application to view, create, and edit prescriptions for all users. Proof of Concept Step 1. Log in to the openemr web application as a low-level user, e.g. Receptionist in the openemr demo. Step 2. Travel to a page that will...
XSS @ records
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code 1: $recordLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW); $tags =...
CSV Injection in CSV files generated by the backend
1. Log in at https://demo.limesurvey.org/index.php 2. The demo admin creates a user with the name "=1+cmd|'/C calc'!A0". 4. Other users log in and download all the users' data as CSV. 5. Other users open the CSV file with Excel on Windows; note that ";" is chosen as the separator. 6. We can see that the...
Introspection query is enabled on demo.pimcore.fun
Description Introspection is enabled on demo.pimcore.fun. The demo site has a GraphQL feature for users, but via that GraphQL endpoint an attacker can run introspection queries, which makes it vulnerable. Proof of Concept Just visit the link...
XSS in Document Types module in Settings
Description pimcore is vulnerable to XSS at the Name field in the Document Types module in Settings. Payload " Proof of Concept 1. Go to https://11.x-dev.pimcore.fun/admin/ and log in. 2. In the left menu bar, go to Settings - Document Types and click on the Add button to add a new record. 3. Edit the New Docume...
EXIF Geolocation Data Not Stripped From brand logo
When the user uploads their logo, the uploaded image's EXIF geolocation data does not get stripped. As a result, anyone can get sensitive information like the user's Device ID, Geolocation, System Information, System version, etc. Steps to reproduce: 1. Upload a logo with EXIF data, or download from her...
Cross site scripting
Pimcore is vulnerable to a Cross site scripting vulnerability in the classes module...
HTML Injection on Settings/Template
Description Found HTML Injection in the Template module in Settings. Proof of Concept 1. Log in as Administrator and go to Settings. 2. Under Website Settings, go to Template. 3. Specifically, to this URL - https://demo.microweber.org/demo/admin/view:content/action:settings?group=template 4. Then...
XSS Stored in Caption Image
Description Hello team, I found a stored XSS in the caption field, as demonstrated in the gif below. Proof of Concept...
Stored XSS Protection bypass by changing the User Profile Name
Hello, I was able to bypass the XSS vulnerability I reported before by using this Payload. Let's try first a normal XSS Payload which will not work, for example - alert'1' - NOT WORKING: let's try the bypass payload 1'" XSS Payload fired and it's stored - let me show you the stored XSS: - it is a store...
Weak Password Policy while creating a new User with the Admin Account
Hello, I was able to detect a weak Password Policy when an administrator creates a new account. Let's create an account, set the Password to 1 and log in with it. As you can see it's number 1. When I click set it will not accept. We need to specify that the user will change his password aft...
Cross Site Scripting (XSS) in UrlSlug
Description Please enter a description of the vulnerability. Cross Site Scripting (XSS) in UrlSlug of pimcore/pimcore. It's different from https://huntr.dev/bounties/75bc7d07-46a7-4ed9-a405-af4fc47fb422/ Proof of Concept 1. Log in to the stable account URL: https://11.x-dev.pimcore.fun/admin/ 2. Go to...
XSS Stored in perspective name
Description Hello team, I found a stored XSS when adding a perspective name, as shown in the gif below. Proof of Concept...
File Upload Bypass Leads to Remote Code Execution (RCE)
Description There are no extension checks during file upload. An attacker may upload a file to execute malicious code on the server. Proof of Concept Step 1: Create a file with the content below and save it as evil.php " Step 2: Log in to the Cockpit web server Step 3: Go to assets Step 4: Upload Assets...
XSS @ group
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code: if ($groupAction == 'addsave' && $user->perm->hasPermission($user->getUserId(), 'addgroup')) { $user =...
XSS @ Stop Words
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code 1: $ajaxAction = Filter::filterInput(INPUT_GET, 'ajaxaction', FILTER_UNSAFE_RAW); $instanceId =...
Stored XSS @ updatecategory
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code That has a Vulnerability: // Updates an existing category if ($action === 'updatecategory' &&...
XSS in Schedule tab of Documents
Description pimcore is vulnerable to XSS at the Time field in the Schedule tab of Documents. Payload " Proof of Concept 1. Go to https://demo.pimcore.fun/admin/ and log in. 2. In Documents, go to home - click on the Schedule icon to go to this tab. 3. In the Schedule tab, input the payload " into the Time field a...
Path Traversal in code
Description The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' doubled triple dot slash sequences that can resolve to a location that is outside of that directory. Proof of Concept Code that has the...
Stored HTML Injection via Company Name
Description easyappointments presents an HTML injection vulnerability in the company name field on the "/index.php/backend/settings" page. Steps: 1. Log in as admin 2. Go to the /index.php/backend/settings page 3. Insert the payload in the Company Name field 4. Go back to the home page and see the result. Proo...
Multiple XSS @ answer/question/tag
Description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Posting the Question: func (req *QuestionAdd) Check() (errFields []*validator.FormErrorField, err error)...
Several CSRFs in Reset Area and Delete Entry Action
Description I found that wallabag suffers from several Cross-Site Request Forgery (CSRF) issues which allow attackers to arbitrarily delete the victim user's annotations, entries and tags by a GET request to /reset/annotations, /reset/entries, /reset/tags, /reset/archived, as well as /delete/Entry ID, in which...