heap-buffer-overflow in vim_strrchr
Description: heap-based buffer overflow in vim_strrchr at strings.c:682. Vim version: git log commit ea83c194625e51c28a2796eba9ba87b0b9ab23e0 (HEAD -> master, tag: v9.0.1414, origin/master, origin/HEAD). Proof of Concept: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S POCvimstrrchr -c :qa!...
Stored XSS in Properties Parameter
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Stored XSS in Admin Panel
Description The admin panel admin.php does not properly sanitize the text in the "Site Name" field, allowing a user with admin access to inject arbitrary HTML. This is in a similar vein to CVE-2022-4733 but still exists as of version 7.0.1-dev. Proof of Concept 1. Log in as a user with admin...
Strong Password Policy Bypass through removing a specific Parameter and setting the Password to 1
Hello, I was able to detect another password security issue. While changing the password the attacker can use the proxy and submit, for example, the password as 1. Although there is a password policy restriction, I managed to bypass it. Let me show you: The password is now 2, let's change it to HACK...
Stored XSS in create tag
Description: The create tag feature permits an attacker to inject an HTML tag and have it executed. Proof of Concept 1. Add a question 2. Create a tag with the payload in the description: 3. Post your question 4. Go to the link http:///tags//timeline and click the created tag. Payload executed. POC...
Broken Access Control on "http://localhost/api/user" endpoint
Description: Able to create an Admin account from a normal User account. Steps 1. Navigate to https://localhost/. 2. Then click on login and then register, fill in the form and click Register. 3. Now log in with the newly created user account while intercepting the traffic in Burp. 4. Turn on the Burp interce...
2FA Bypass by Brute Force
Description: Currently there are no restrictions on attempts to enter the correct 2FA code. In contrast to the first authentication step (username + password), the fields lastloginfail and loginfailcount in the database aren't updated. An attacker can bypass the 2FA by simple brute force of...
Session Fixation Vulnerability
Description: It was noticed that the easyappointments application is vulnerable to a Session Fixation vulnerability. The application does not generate a new easession cookie after the user authenticates successfully into the application. A malicious user is able to create a new session cookie value a...
Authenticated Stored Cross-Site Scripting (XSS)
Description Login to the admin account. Use the following URL http://192.168.0.211/admin.php?action=files or navigate to pages - manage files. Upload the XSS payload with “.html” extension. Intercept the request with Burp Suite. Modify the Content-Type to application/x-php and forward the request...
Authenticated Remote Code Execution
Description: Found authenticated Remote Code Execution (RCE) in pluck 4.7.15. While reading the source code, I found that the blacklisted extensions are listed in the file data/inc/files.php at lines 44 and 45. The file upload function validates whether the file extension matches any one of the following extensions: .php,...
XSS in Predefined Asset Metadata module in Settings
Description: While testing the pimcore application, I found that it is vulnerable to XSS in the Predefined Asset Metadata module in Settings, specifically in the Name field. Proof of Concept 1. Go to https://11.x-dev.pimcore.fun/admin/ then login. 2. Go to Settings - Predefined Asset Metadata...
Reflected XSS in Predefined Properties module in Settings
Description: During testing of the pimcore application, I found that it is vulnerable to XSS in the Predefined Properties module in Settings, specifically in the Name field. Proof of Concept 1. Go to https://11.x-dev.pimcore.fun/admin/ then login. 2. Go to Settings - Predefined Properties and add...
Cross Site Scripting (XSS) in Assets
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Access Control Vulnerability in Prescription Controller
Description: An Access Control Vulnerability allows a low-level user of the web application to view, create, and edit prescriptions for all users. Proof of Concept Step 1. Log in to the openemr web application as a low-level user (e.g. Receptionist in the openemr demo). Step 2. Travel to a page that will...
XSS @ records
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code 1: $recordLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW); $tags =...
CSV Injection in CSV files generated by the backend
1 Log in at https://demo.limesurvey.org/index.php 2 The demo admin creates a user with the name "=1+cmd|'/C calc'!A0". 4 Other users log in and download all the users' data as CSV. 5 Other users open the CSV file with Excel on Windows, noting that ";" is chosen as the separator. 6 We can see that the...
Introspection query is enabled on demo.pimcore.fun
Description: Introspection is enabled on demo.pimcore.fun. The demo site has a GraphQL feature for users, but via that GraphQL endpoint an attacker can run introspection queries, which makes it vulnerable. Proof of Concept Just visit the link...
XSS in Document Types module in Settings
Description: pimcore is vulnerable to XSS in the Name field of the Document Types module in Settings. Payload " Proof of Concept 1. Go to https://11.x-dev.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Settings - Document Types and click on the Add button to add a new record. 3. Edit the New Docume...
EXIF Geolocation Data Not Stripped From brand logo
When the user uploads their logo, the uploaded image's EXIF geolocation data does not get stripped. As a result, anyone can get sensitive information like the user's Device ID, geolocation, system information, system version, etc. Steps to reproduce: 1. Upload a logo with EXIF data, or download from her...
Cross-site scripting
Pimcore is vulnerable to a cross-site scripting vulnerability in the classes module...
HTML Injection on Settings/Template
Description: Found HTML Injection in the Template module under Settings. Proof of Concept 1. Log in as Administrator and go to Settings. 2. Under Website Settings, go to Template. 3. Specifically, this URL - https://demo.microweber.org/demo/admin/view:content/action:settings?group=template 4. Then...
XSS Stored in Caption Image
Description: Hello team, I found a stored XSS in the caption field, as demonstrated in the gif below. Proof of Concept...
Stored XSS Protection bypass by changing the User Profile Name
Hello, I was able to bypass the XSS vulnerability I reported before by using this payload. Let's first try a normal XSS payload which will not work, for example - alert('1') - NOT WORKING: let's try the bypass payload 1'" XSS payload fired and it's stored - let me show you the stored XSS: - it is a store...
Weak Password Policy while creating a new User with the Admin Account
Hello, I was able to detect a weak password policy when an administrator creates a new account. Let's create an account, set the password to 1 and log in with it. As you can see it's the number 1. When I click set it will not accept it. We need to specify that the user will change his password aft...
Cross Site Scripting (XSS) in UrlSlug
Description: Cross Site Scripting (XSS) in UrlSlug of pimcore/pimcore. It's different from https://huntr.dev/bounties/75bc7d07-46a7-4ed9-a405-af4fc47fb422/ Proof of Concept 1. Log in to the stable account, URL: https://11.x-dev.pimcore.fun/admin/ 2. Go to...
XSS Stored in perspective name
Description: Hello team, I found a stored XSS when adding a perspective name, as shown in the gif below. Proof of Concept...
File Upload Bypass Leads to Remote Code Execution (RCE)
Description: There are no extension checks during file upload. An attacker may upload a file to execute malicious code on the server. Proof of Concept Step 1: Create a file with the content below and save it as evil.php " Step 2: Log in to the Cockpit web server Step 3: Go to assets Step 4: Upload Assets...
XSS @ group
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code: if ($groupAction == 'addsave' && $user->perm->hasPermission($user->getUserId(), 'addgroup')) { $user =...
XSS @ Stop Words
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code 1: $ajaxAction = Filter::filterInput(INPUT_GET, 'ajaxaction', FILTER_UNSAFE_RAW); $instanceId =...
Stored XSS @ updatecategory
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Code that has the vulnerability: // Updates an existing category if ($action === 'updatecategory' &&...
XSS in Schedule tab of Documents
Description: pimcore is vulnerable to XSS in the Time field of the Schedule tab of a Document. Payload " Proof of Concept 1. Go to https://demo.pimcore.fun/admin/ and login. 2. In Documents, go to home and click on the Schedule icon to open this tab. 3. In the Schedule tab, input the payload " into the Time field a...
Path Traversal in code
Description: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. Proof of Concept Code that has the...
Stored HTML Injection via Company Name
Description: easyappointments has an HTML injection vulnerability in the Company Name field on the "/index.php/backend/settings" page. Steps: 1. Log in as admin 2. Go to the /index.php/backend/settings page 3. Insert the payload in the Company Name field 4. Go back to the home page and see the result. Proo...
Multiple XSS @ answer/question/tag
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Posting the Question: func (req *QuestionAdd) Check() (errFields []*validator.FormErrorField, err error)...
Several CSRFs in Reset Area and Delete Entry Action
Description: I found that wallabag suffers from several Cross-Site Request Forgery (CSRF) vulnerabilities which allow attackers to arbitrarily delete the victim user's annotations, entries and tags by a GET request to /reset/annotations, /reset/entries, /reset/tags, /reset/archived, as well as /delete/Entry ID, in which...
XSS via Client Side Template Injection
Description: Hi Team! First, when creating an app, if you change the "display title" to 7'7 and fetch it, you can see your name become 49. I think it might be a remote code execution vulnerability via server side template injection, but there is a length limit: By changing Display Tit...
CSV Injection in CSV files generated by the backend
1 First the admin creates the event and publishes it. 2 Unauthenticated users go to the reservation page 3 Unauthenticated users fill in the first name and last name as "=1+cmd|'/C calc'!A0" 4 The admin downloads all the attendees' data as CSV. 5 The admin opens the CSV file and the calculator is opened. See th...
Server Side Template Injection
Description: alf-event is vulnerable to Server Side Template Injection via Angular. Proof of Concept VIDEO: With an authenticated user, access the admin panel. Create an organization, then go to Users and create a new user with username 77 in that organization. Now log in with this username and you...
SQL Injection
Description: In '/core/ajax/ajaxselect2.php#L989': php "istrash = 0 and datebatchexpirydate = curdate() and batchnumber LIKE '". $search ."%'" where $search comes from: php $search = isset($_GET['q']) ? $_GET['q'] : ""; with no sanitization. PoC http GET /info/?module=select2&page=batchList&q=1'union/%23&pid=1/select+111,222%23...
Stored XSS in Question Tag
Description: Attackers can use this vulnerability to attack users/admins in the community, take over user/admin accounts, etc. Proof of Concept 1. Register and log in as a user, add a new question and add tags 2. Insert the following payload in the tag description html 3. Post a question 4. When oth...
Remote Code Execution Vulnerability Through Unrestricted File Write
Description: In the import settings function, in the file Froxlor\lib\Froxlor\SImExporter.php: php file_put_contents($imgfilename, $imgdata); if (function_exists('finfo_open')) { $finfo = finfo_open(FILEINFO_MIME_TYPE); $mimetype = finfo_file($finfo, $imgfilename); finfo_close($finfo); } else { $mimetype =...
Blind LFI in register-model/get?name=
Description: A blind LFI exists in /ajax-api/2.0/mlflow/registered-models/get?name= The response from the server differs depending on whether the file exists on the local file system or not. When the arbitrary local file exists, the server responds with 500 INTERNAL SERVER ERROR, and when it doesn'...
LFI/RFI in MLflow
Description: Local and Remote File Include in MLflow. Proof of Concept Start the server or UI (it works identically on both): mlflow ui --host 127.0.0.1:5001 Create a model: curl -i -s -k -X $'POST' \ -H $'Host: 127.0.0.1:5001' -H $'User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15;...
RCE using bad deserialization
Description Qwik provides an extended serialization mechanism for exchanging data between the client and server. This allows for the serialization and deserialization of Date, Regex, Signal, Function and many other useful data types. The Function deserializer can be accessed using the...
null pointer dereference in class_object_index at vim9class.c:1356
Description: null pointer dereference in class_object_index at vim9class.c:1356. The variable cl in class_object_index at vim9class.c:1254 is NULL at that point, and the reference to cl dereferences NULL. Version $ git log commit c727b19e9f1df36e44321d933334c7b4961daa54 (HEAD -> master, tag: v9.0.1374, origin/master,...
Stored XSS vulnerability exists in simple graph bed
Description: A stored XSS vulnerability exists in simple graph bed. By constructing malicious SVG code and directing the administrator to click it, the cookie is stolen. Proof of Concept Make the SVG file as follows: alert(document.cookie); You can steal administrator cookies; no login is required to upload...
Simple graph bed system has deserialization vulnerability and weak type comparison vulnerability
Description: Simple graph bed has a deserialization vulnerability and a weak type comparison vulnerability. Proof of Concept As you can see on line 129 below, there is a deserialization point, and the value is passed via a cookie. The user-controlled auth complex value in the cookie is given to the browsercookie...
SQL Injection in '/module/accounts/ajax.php'
Description: There exists an SQL injection affecting the 'order[0][dir]', start and length parameters located in the file /module/accounts/ajax.php. Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/module/accounts/ajax.php#L1503...
Full CSRF Bypass
Description: The intended way to reach functionality in $module/ajax.php is through the /xhr endpoint. Looking at the following code: https://github.com/unilogies/bumsys/blob/83bd788c21ce390f62e34ab6755a3e61c106418c/core/route.php#L43-L48 php if ($pageSlug === "xhr" or $pageSlug === "info" and...
SQL Injection in 'core/ajax/ajax_data.php'
Description: There exists an SQL injection affecting the edition parameter located in the file core/ajax/ajax_data.php: php $productEditionFilter = isset($_GET["edition"]) and !empty($_GET["edition"]) ? " productedition = '{$_GET["edition"]}' " : " producttype != 'Child' "; We see that $_GET["edition"] is appended...