XSS via Client Side Template Injection
Description Hi Team! First, when creating an app and in the "display title" if you change it to 7'7, and you get it, you can see your name become 49. I think it might be a remote code execution vulnerability via server side template injection, but there is a length limit : By changing Display Tit...
CSV Injection in CSV files generated by the backend
1 First the admin creates the event and publishes it. 2 Unauthenticated users go to the reservation page 3 Unauthenticated users fill the first name and last name as "=1+cmd|'/C calc'!A0" 4 Admin downloads all the attendees' data as csv. 5 Admin opens the csv file and the calculator is opened. see th...
Server Side Template Injection
Description alf-event is vulnerable to Server Side Template Injection via angular Proof of Concept VIDEO: With an authenticated user, access the admin panel. Create an organization and then Go to users and create new user having username 77 in that organization Now login with this username and you...
SQL Injection
Description In '/core/ajax/ajaxselect2.phpL989' php "istrash = 0 and datebatchexpirydate = curdate and batchnumber LIKE '". $search ."%'" $search from: php $search = isset($_GET['q']) ? $_GET['q'] : ""; no sanitization. Poc http GET /info/?module=select2&page=batchList&q=1'union/%23&pid=1/select+111,222%23...
Store XSS in Question Tag
Description Attackers can use this vulnerability to attack users/admins in the community, take over user/admin accounts, etc... Proof of Concept 1. Register and log in as a user, add new questions and add tags 2. Insert the following payload in the tag description html 3. Post a question 4. When oth...
Remote Code Execution Vulnerability Through Unrestricted File Write
Description In the import setting function, in the file Froxlor\lib\Froxlor\SImExporter.php php file_put_contents($imgfilename, $imgdata); if (function_exists('finfo_open')) { $finfo = finfo_open(FILEINFO_MIME_TYPE); $mimetype = finfo_file($finfo, $imgfilename); finfo_close($finfo); } else { $mimetype =...
Blind LFI in register-model/get?name=
Description A blind LFI exists in /ajax-api/2.0/mlflow/registered-models/get?name= The response from the server is different depending on whether the file exists on the local file system or not. When the arbitrary local file exists, the server responds with 500 INTERNAL SERVER ERROR and when it doesn'...
LFI/RFI in MLflow
Description Local and Remote File Include in MLflow Proof of Concept Start the server or UI (it works on both identically) bash mlflow ui --host 127.0.0.1:5001 Create a model bash curl -i -s -k -X $'POST' \ -H $'Host: 127.0.0.1:5001' -H $'User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15;...
RCE using bad deserialization
Description Qwik provides an extended serialization mechanism for exchanging data between the client and server. This allows for the serialization and deserialization of Date, Regex, Signal, Function and many other useful data types. The Function deserializer can be accessed using the...
null pointer dereference in class_object_index at vim9class.c:1356
Description null pointer dereference in class_object_index at vim9class.c:1356 variable cl in class_object_index at vim9class.c:1254 is NULL at last, reference to cl refers to NULL Version $ git log commit c727b19e9f1df36e44321d933334c7b4961daa54 HEAD - master, tag: v9.0.1374, origin/master,...
Storage xss vulnerability exists in simple graph beds
Description Storage xss vulnerability exists in simple graph beds. By constructing a malicious svg code that directs the administrator to click, the cookie is stolen Proof of Concept Make the svg file as follows alertdocument.cookie; You can steal administrator cookies, No login required to upload...
Simple graph bed system has deserialization vulnerability and weak type comparison vulnerability
Description Simple graph bed has deserialization vulnerability and weak type comparison vulnerability Proof of Concept As you can see on line 129 below, there is a deserialization point and it is cookie passed The user controlled auth complex value in the cookie is given to the browsercookie...
SQL Injection in '/module/accounts/ajax.php'
Description There exists an SQL injection affecting the 'order'0'dir', start and length parameters located in the file /module/accounts/ajax.php Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/module/accounts/ajax.phpL1503...
Full CSRF Bypass
Description The intended way to reach functionality in $module/ajax.php is through the /xhr endpoint. Looking at the following code: https://github.com/unilogies/bumsys/blob/83bd788c21ce390f62e34ab6755a3e61c106418c/core/route.phpL43-L48 php if $pageSlug === "xhr" or $pageSlug === "info" and...
SQL Injection in 'core/ajax/ajax_data.php'
Description There exists an SQL injection affecting the edition parameter located in the file core/ajax/ajaxdata.php php $productEditionFilter = isset($_GET["edition"]) and !empty($_GET["edition"]) ? " productedition = '$_GET["edition"]' " : " producttype != 'Child' "; We see that $_GET["edition"] is appended...
Reflected XSS in Application Logger module
Description pimcore is vulnerable to Reflected XSS at From and To fields when searching in the Application Logger module. Payload " Proof of Concept 1. Go to https://demo.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Tools - Application Logger. 3. In the Application Logger tab, on the...
heap-buffer-overflow in utf_ptr2char
Description Heap-buffer-overflow in utf_ptr2char at mbyte.c:1825. vim version git log commit f0300fc7b81e63c2584dc3a763dedea4184d17e5 grafted, HEAD - master, tag: v9.0.1365, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc8hbo.dat -c :qa...
Access Control Vulnerability in Admin Address Book
Description An Access Control Vulnerability allows a low level user in the web application to view and edit information for all other users in the Admin Address Book. Proof of Concept Step 1. Login to the openemr web application as a low level user Ex: Receptionist in openemr demo Step 2. Trave...
Stored xss in print generate and preview pdf
Hi Team, In pimcore dev url https://11.x-dev.pimcore.fun/admin/ I found one stored xss in generate and preview pdf. The author field and title field is vulnerable to xss Steps to reproduce 1. Login to dev url https://11.x-dev.pimcore.fun/admin/ 2. add a print container page in documents 3. Insert...
Stored XSS in Notification and Data Management
Description Please enter a description of the vulnerability. Proof of Concept 1. Go to a survey and to Settings = Notifications and data. 2. Turn off Inherit option for Send basic notification email to: or Send basic notification email to: 3. Enter the following payload: " and Save...
IDOR Vulnerability Allow Low-Level User Logout Everyone Includes Admin
Description IDOR vulnerability allows a low-level user to log out everyone in the system by changing the user ID. Proof of Concept Step 1: Log in as admin Step 2: Go to user and add a user. Set role to Default. Step 3: Log in as the new user. Step 4: Log out the user GET...
Stored XSS in the Redirects module
Description pimcore is vulnerable to Stored XSS at Expiry field in the Redirects module. Payload " Steps to reproduce/Proof of Concept 1. Go to https://demo.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Tools - Redirects. 3. In the Redirects tab, click Add button, input any text into t...
SQL Injection in 'core/ajax/ajax_data.php'
Description There exists an SQL injection affecting the customerid parameter located in the file core/ajax/ajaxdata.php Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/core/ajax/ajaxdata.phpL537 sql where stockproductid =...
SQL Injection leads to code execution
Description This vulnerability allows the attacker to leverage a SQL injection attack in the database backup functionality to write arbitrary data to an arbitrary file on disk anywhere where the user can write. This includes the webroot in a default installation, allowing the attacker to place a web...
Local file inclusion leading to RCE
Description The api handling endpoint allows for a local file inclusion that can lead to remote code execution. It requires a valid api token which can be obtained via a database backup with account access, a number of different sql injections with account access, or stolen from a user. Proof of...
Vulnerable javascript dependency used in adminsidepanel.js
Description The adminsidepanel.js used Vue.js v2.6.10, which contains the vulnerable vue-server-renderer's dependency of serialize-javascript. Proof of Concept 1. Go to https://demo.limesurvey.org/tmp/assets/cb9c5d96/build.min/js/adminsidepanel.js and search for the Vue.js v2.6.10 term. We can note th...
Missing Authorization Check Allows Impersonated Secure Messages
Description Due to the lack of an authorization check when sending secure messages, an attacker with access to a low level patient account in the portal can impersonate other users when sending secure messages. This would allow a malicious actor to impersonate high-level users...
CSRF leading to edit admin accounts
Description GET /admin/accounts/id/edit/?activetab=default page is vulnerable to a CSRF attack. Proof of Concept Login as admin. Try to edit an admin account, for example id=4. Open the following file in the browser. history.pushState('', '', '/'); document.forms[0].submit();...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with Steps To Reproduce 1. Create a New HTML file as shown in below i....
Improper Authorization
Description During testing, it was observed that sending a GET request to the following endpoint: /api/v2/parameters/core/ returns sensitive information without any authentication or authorization. Request GET /api/v2/parameters/core/ HTTP/1.1 Host: demo.modoboa.org User-Agent: 7h3h4ckv157 Accept...
Authorization Token Never Expires
Description The vulnerability is related to the Authorization header used for user login. After logging out, the token in the Authorization header remains valid and does not expire. Additionally, the token has an excessively long duration of 10 hours, as confirmed by a request. This vulnerability...
Unauthenticated OS Command Injection in stamparm/maltrail
Description Maltrail /tmp/bbq'...
Bypass IP detection lead to perform brute-force attack
Description In the login function, by default, the IP address will be blocked when the user tries to login incorrectly more than 3 times, but we can bypass this mechanism by abusing the X-Forwarded-For header to bypass IP detection and perform password brute-force. Proof of Concept POST...
SQL injection search function
Description Please enter a description of the vulnerability. Link POC: https://drive.google.com/drive/folders/1oFZPVrJ7lID7tDArO8spsMy1VYr4oOb?usp=sharing Proof of Concept Step 1: login https://demo.pimcore.fun/admin/ Step 2: use the search function and intercept the request with burp Step 3: Exploit ti...
Cross-Site Scripting (Stored/Persistent) in Categories
Description • The application is vulnerable to Cross-Site Scripting XSS attacks. This occurs when web applications do not properly validate user-supplied inputs before including them in dynamic web pages. • By intercepting the HTTP Request using the Burp Suite tool before submitting into the webpage,...
XSS in button home page
Description vuln was found in File/Documents/Home, any button on the page Proof of Concept 1. Log in at URL : https://demo.pimcore.fun/admin 2. Go to File - Open Documents - Home 3. click any button on the page - Edit Link 4. in tab Advanced, inject payload to : Attributes key="value" For more understandi...
LFI in module invoice-print and print
The parameters page and invoiceType are not properly sanitized, leading to Local file inclusion POC : http://demo.bumsys.org/invoice-print/?invoiceType=../../theme/rui/print&msg=; POC : http://demo.bumsys.org/print/?page=../../theme/rui/invoice-print&msg=;...
IDOR on save email configuration leads to account takeover
Description An attacker with a low privileged account on the latest GLPI version could change other user's email when saving his own user preferences. After that, if "Forgot password" is enabled via email, an attacker will be able to retrieve victim's forgot password link to the modified email to...
Stored XSS in Customer Support
Description Attacker can send xss payload in Customer Support Proof of Concept Request Payload: POST /xhr/?module=customer-support&page=addCaseReply HTTP/1.1 Host: demo.bumsys.org Cookie: 80e72166c3164cd4e1f55b5348364ee4f8bc0d12=655mqrm2v9uhktlqpke0h026d4; eid=1; currencySymbol=%E0%A7%B3;...
Improper Neutralization of Input in paperWidth param During Web Page Generation
Module : print and invoice-print Parameter : paperWidth Attacker would be able to close the tag and can inject html tags POC : http://demo.bumsys.org/print?&paperWidth=;%3C/style%3E%3Cbody+onpageshow=alertdocument.domain%3E POC :...
Insecure Business Logic - Client Side Enforcement Bypass on User Account Deletion
Description The application enforces account deletion on the client-side with a popup that states the admin account cannot be deleted. Additionally, regular users do not have an option in the interface to delete their own account. An administrative and regular-privileged user are able to bypass...
Captcha Bypass due to invalidation of previous tokens
Description An attacker can bypass the captcha mechanism and create multiple accounts directly Proof of Concept 1: Sign up with a new name in the application, fill the captcha and intercept the request of the submit. The request will look something like this POST...
Stored XSS in Sitename
Description There is a presence of stored xss in username, which directly gets rendered whenever the page is opened. Proof of Concept 1: use the below command to clone the repo in your machine git clone https://github.com/answerdev/answer.git 2: Navigate inside the repo cd answer 3: Use...
Observable Response Discrepancy in Password Reset Functionality
Description The password reset functionality leaks information pertaining to user accounts. Where an invalid account is utilized, the application responds that the account could not be found. Where an account is valid, the application responds with a reason "base.success" when intercepted, or that...
Observable Timing Discrepancy in Login Portal
Description An observable discrepancy in response times is present in the login portal. When brute forcing valid email accounts, the timing on a valid account is significantly higher than that of an invalid user account. This is likely due to the use of Bcrypt's compare function being utilized by...
Admin Able To Perform Operations On Themselves By Interacting With API
Description When setting a password through /admin/users URI, the admin is not allowed to set their own new password through this URI. If they attempt to do so, they receive an error stating Forbidden to operate on yourself. But this is easily bypassable by interacting with the API: if you set a...
Stored HTML injection and Potential Cross Site Scripting in pixelfed ≤ 0.11.4
Description pixelfed ≤ 0.11.4 is affected by HTML injection and Potential Cross Site Scripting vulnerability. Steps to Reproduce: 1. Choose any server from https://pixelfed.org/servers and go to registration page. 2. Enter your username, email, password and enter the following payload on "Name" paramet...
Captcha Bypass on login
Description So if we login incorrectly multiple times, we get captcha. Each captcha has "captchaid" and solve "captchacode" For example: "captchacode":"8awt" "captchaid":"7nToXDrT6SkJ2BJxKG1u" You can use same captcha code and captcha id in login without any problem Captcha is generated with -...
XSS
Description HTML injection in user profile Vulnerability is in: http://34.245.133.152:9080/users/settings/profile - About Me Proof of Concept Request: PUT /answer/api/v1/user/info HTTP/1.1 Host: localhost:9080 Content-Length: 213 sec-ch-ua: "Not ABrand";v="24", "Chromium";v="110" Content-Type:...
Rxss in msg parameter
Affected url Affected parameter : msg It appears that html tags are rendered in the page via the msg parameter. So I tried a tag and it worked, so I tried adding event handlers, in this case onpageshow=alert(document.domain), and it triggered xss. POC :...