Reflected XSS in Application Logger module
Description pimcore is vulnerable to Reflected XSS at the From and To fields when searching in the Application Logger module. Payload " Proof of Concept 1. Go to https://demo.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Tools - Application Logger. 3. In the Application Logger tab, on the...
heap-buffer-overflow in utf_ptr2char
Description Heap-buffer-overflow in utf_ptr2char at mbyte.c:1825. vim version git log commit f0300fc7b81e63c2584dc3a763dedea4184d17e5 (grafted, HEAD -> master, tag: v9.0.1365, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc8hbo.dat -c :qa...
Access Control Vulnerability in Admin Address Book
Description An access control vulnerability allows a low-level user in the web application to view and edit information for all other users in the Admin Address Book. Proof of Concept Step 1. Login to the OpenEMR web application as a low-level user, e.g. Receptionist in the OpenEMR demo. Step 2. Trave...
Stored xss in print generate and preview pdf
Hi Team, in the pimcore dev URL https://11.x-dev.pimcore.fun/admin/ I found one stored XSS in generate and preview PDF. The author field and title field are vulnerable to XSS. Steps to reproduce: 1. Login to the dev URL https://11.x-dev.pimcore.fun/admin/ 2. Add a print container page in documents 3. Insert...
Stored XSS in Notification and Data Management
Description Proof of Concept 1. Go to a survey and to Settings > Notifications and data. 2. Turn off the Inherit option for "Send basic notification email to:" or "Send basic notification email to:" 3. Enter the following payload: " and Save...
IDOR Vulnerability Allows Low-Level User to Log Out Everyone Including Admin
Description An IDOR vulnerability allows a low-level user to log out everyone in the system by changing the user ID. Proof of Concept Step 1: Login as admin Step 2: Go to users and add a user. Set role to Default. Step 3: Login as the new user. Step 4: Log out the user GET...
Stored XSS in the Redirects module
Description pimcore is vulnerable to Stored XSS at the Expiry field in the Redirects module. Payload " Steps to reproduce/Proof of Concept 1. Go to https://demo.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Tools - Redirects. 3. In the Redirects tab, click the Add button, input any text into t...
SQL Injection in 'core/ajax/ajax_data.php'
Description There exists an SQL injection affecting the customerid parameter located in the file core/ajax/ajax_data.php. Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/core/ajax/ajax_data.php#L537 sql where stockproductid =...
SQL Injection leads to code execution
Description This vulnerability allows the attacker to leverage a SQL injection in the database backup functionality to write arbitrary data to an arbitrary file on disk, anywhere the user can write. This includes the webroot in a default installation, allowing the attacker to place a web...
Local file inclusion leading to RCE
Description The API handling endpoint allows for a local file inclusion that can lead to remote code execution. It requires a valid API token, which can be obtained via a database backup with account access, a number of different SQL injections with account access, or stolen from a user. Proof of...
Vulnerable javascript dependency used in adminsidepanel.js
Description The adminsidepanel.js uses Vue.js v2.6.10, which contains vue-server-renderer's vulnerable dependency serialize-javascript. Proof of Concept 1. Go to https://demo.limesurvey.org/tmp/assets/cb9c5d96/build.min/js/adminsidepanel.js and search for the term Vue.js v2.6.10. We can note th...
Missing Authorization Check Allows Impersonated Secure Messages
Description Due to the lack of an authorization check when sending secure messages, an attacker with access to a low level patient account in the portal can impersonate other users when sending secure messages. This would allow a malicious actor to impersonate high-level users...
CSRF leading to edit admin accounts
Description The GET /admin/accounts/id/edit/?activetab=default page is vulnerable to a CSRF attack. Proof of Concept Login as admin. Try to edit an admin account, for example id=4. Open the following file in the browser. history.pushState('', '', '/'); document.forms[0].submit();...
UI Redressing
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Steps To Reproduce 1. Create a new HTML file as shown below i....
Improper Authorization
Description During testing, it was observed that sending a GET request to the following endpoint: /api/v2/parameters/core/ returns sensitive information without any authentication or authorization. Request GET /api/v2/parameters/core/ HTTP/1.1 Host: demo.modoboa.org User-Agent: 7h3h4ckv157 Accept...
Authorization Token Never Expires
Description The vulnerability is related to the Authorization header used for user login. After logging out, the token in the Authorization header remains valid and does not expire. Additionally, the token has an excessively long duration of 10 hours, as confirmed by a request. This vulnerability...
Unauthenticated OS Command Injection in stamparm/maltrail
Description Maltrail /tmp/bbq'...
Bypass IP detection lead to perform brute-force attack
Description In the login function, by default, the IP address will be blocked when the user tries to login incorrectly more than 3 times, but we can bypass this mechanism by abusing the X-Forwarded-For header to bypass IP detection and perform a password brute-force. Proof of Concept POST...
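The bypass described above works because the lockout counter is keyed on a header the client controls. The following is an added example (not code from the report or from the affected project) that puts the attacker-controlled lookup beside a safe one: the fixed variant only honours X-Forwarded-For when the TCP peer is a configured reverse proxy, and then takes the hop the proxy appended. The proxy address 10.0.0.5, the attacker address 203.0.113.7 and the rotating header values are constructed.

```python
# Added example (not code from the report or the project): why keying a
# login lockout on X-Forwarded-For is bypassable, and how to derive the
# client address safely. The proxy address and request data are constructed.
import ipaddress
from collections import defaultdict

MAX_FAILURES = 3
# Assumption: a single reverse proxy in front of the app at this address.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip_vulnerable(remote_addr: str, headers: dict) -> str:
    """Trusts X-Forwarded-For from anyone: the client picks its own key."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_fixed(remote_addr: str, headers: dict) -> str:
    """Honours X-Forwarded-For only when the TCP peer is our proxy, and then
    takes the hop our proxy appended (the rightmost one); anything to its
    left was supplied by the client and is ignored."""
    if ipaddress.ip_address(remote_addr) not in TRUSTED_PROXIES:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return remote_addr
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return remote_addr  # malformed header: fall back to the peer address


class LoginGuard:
    """Blocks an address after MAX_FAILURES consecutive failed logins."""

    def __init__(self, resolve_ip):
        self.resolve_ip = resolve_ip
        self.failures = defaultdict(int)

    def attempt(self, remote_addr: str, headers: dict, password_ok: bool) -> str:
        key = self.resolve_ip(remote_addr, headers)
        if self.failures[key] >= MAX_FAILURES:
            return "blocked"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "failed"


def brute_force(guard: LoginGuard, attempts: int) -> list:
    """Attacker connects directly from 203.0.113.7 (constructed) and sends a
    different X-Forwarded-For with every wrong password."""
    return [
        guard.attempt("203.0.113.7", {"X-Forwarded-For": f"198.51.100.{i}"}, password_ok=False)
        for i in range(attempts)
    ]


if __name__ == "__main__":
    print("vulnerable:", brute_force(LoginGuard(client_ip_vulnerable), 6))  # never blocked
    print("fixed     :", brute_force(LoginGuard(client_ip_fixed), 6))       # blocked after 3
```

With more than one proxy in the chain, the rule generalises to walking the header from the right and skipping every hop that is itself a trusted proxy; the first address that is not one of yours is the client.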
SQL injection search function
Link to PoC: https://drive.google.com/drive/folders/1oFZPVrJ7lID7tDArO8spsMy1VYr4oOb?usp=sharing Proof of Concept Step 1: login to https://demo.pimcore.fun/admin/ Step 2: use the search function and intercept the request with Burp Step 3: Exploit ti...
Cross-Site Scripting (Stored/Persistent) in Categories
Description • The application is vulnerable to Cross-Site Scripting (XSS) attacks. This occurs when web applications do not properly validate user-supplied inputs before including them in dynamic web pages. • By intercepting the HTTP request using the Burp Suite tool before submitting into the webpage,...
XSS in button home page
Description The vulnerability was found in File > Documents > Home, in any button on the page. Proof of Concept 1. Login at URL: https://demo.pimcore.fun/admin 2. Go to File - Open Documents - Home 3. Click any button on the page - Edit Link 4. In the Advanced tab, inject the payload into: Attributes key="value" For more understandi...
LFI in module invoice-print and print
The page and invoiceType parameters are not properly sanitized, leading to local file inclusion. POC: http://demo.bumsys.org/invoice-print/?invoiceType=../../theme/rui/print&msg=; POC: http://demo.bumsys.org/print/?page=../../theme/rui/invoice-print&msg=;...
IDOR on save email configuration leads to account takeover
Description An attacker with a low privileged account on the latest GLPI version could change other users' email when saving his own user preferences. After that, if "Forgot password" is enabled via email, an attacker will be able to retrieve the victim's forgot password link at the modified email to...
Stored XSS in Customer Support
Description Attacker can send xss payload in Customer Support Proof of Concept Request Payload: POST /xhr/?module=customer-support&page=addCaseReply HTTP/1.1 Host: demo.bumsys.org Cookie: 80e72166c3164cd4e1f55b5348364ee4f8bc0d12=655mqrm2v9uhktlqpke0h026d4; eid=1; currencySymbol=%E0%A7%B3;...
Improper Neutralization of Input in paperWidth param During Web Page Generation
Module: print and invoice-print Parameter: paperWidth The attacker is able to close the tag and inject HTML tags. POC: http://demo.bumsys.org/print?&paperWidth=;%3C/style%3E%3Cbody+onpageshow=alert(document.domain)%3E POC:...
Insecure Business Logic - Client Side Enforcement Bypass on User Account Deletion
Description The application enforces account deletion on the client-side with a popup that states the admin account cannot be deleted. Additionally, regular users do not have an option in the interface to delete their own account. An administrative and regular-privileged user are able to bypass...
Captcha Bypass due to invalidation of previous tokens
Description An attacker can bypass the captcha mechanism and create multiple accounts directly. Proof of Concept 1: Sign up with a new name in the application, fill in the captcha and intercept the submit request. The request will look something like this POST...
Stored XSS in Sitename
Description There is a stored XSS in the username, which gets rendered directly whenever the page is opened. Proof of Concept 1: Use the command below to clone the repo on your machine: git clone https://github.com/answerdev/answer.git 2: Navigate inside the repo: cd answer 3: Use...
Observable Response Discrepancy in Password Reset Functionality
Description The password reset functionality leaks information pertaining to user accounts. Where an invalid account is used, the application responds that the account could not be found. Where an account is valid, the application responds with the reason "base.success" when intercepted, or that...
Observable Timing Discrepancy in Login Portal
Description An observable discrepancy in response times is present in the login portal. When brute forcing valid email accounts, the timing for a valid account is significantly higher than that for an invalid user account. This is likely due to Bcrypt's compare function being utilized by...
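The two reports above (the password-reset response discrepancy and the login timing discrepancy) are the same class of bug: the code path for an unknown account does less work and says something different. The following added example (not code from the reports or from the project) shows a login handler with both oracles beside a variant that always runs the expensive comparison and returns one generic message. PBKDF2 from the standard library stands in for bcrypt's compare; the single account, its password and the dummy record are constructed.

```python
# Added example (not code from the reports or the project): two
# user-enumeration oracles in a login path, the early exit that skips the
# hash for unknown accounts (timing) and the distinct error text (response),
# next to a variant that does uniform work and gives a uniform answer.
# PBKDF2 stands in for bcrypt's compare; the account data is constructed.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # stand-in for bcrypt's cost factor; dominates request time


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table with a single real account: email -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, hash_password("correct horse", _SALT))}

# A throwaway record so that unknown e-mails still cost one hash computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


class Stats:
    hashes = 0  # how many expensive comparisons ran; proxy for response time


def check_password(stored: bytes, salt: bytes, password: str) -> bool:
    Stats.hashes += 1
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_leaky(email: str, password: str):
    """Unknown e-mail: no hash, instant reply, distinct message."""
    rec = USERS.get(email)
    if rec is None:
        return False, "user not found"
    ok = check_password(rec[1], rec[0], password)
    return ok, "ok" if ok else "wrong password"


def login_uniform(email: str, password: str):
    """Same work and same message whether or not the e-mail exists."""
    rec = USERS.get(email)
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = check_password(stored, salt, password) and rec is not None
    return ok, "ok" if ok else "invalid e-mail or password"


if __name__ == "__main__":
    import time
    for fn in (login_leaky, login_uniform):
        for email in ("alice@example.com", "nobody@example.com"):
            t0 = time.perf_counter()
            result = fn(email, "wrong")
            print(f"{fn.__name__:14} {email:20} {result[1]:26} {time.perf_counter() - t0:.3f}s")
```

Running the block prints the timing gap for the leaky handler and its absence for the uniform one. The same pattern applies to the password-reset endpoint: always answer "if that account exists, an e-mail has been sent", and do the lookup and mail-sending work on the same schedule regardless.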
Admin Able To Perform Operations On Themselves By Interacting With API
Description When setting a password through /admin/users URI, the admin is not allowed to set their own new password through this URI. If they attempt to do so, they receive an error stating Forbidden to operate on yourself. But this is easily bypassable by interacting with the API: if you set a...
Stored HTML injection and Potential Cross Site Scripting in pixelfed ≤ 0.11.4
Description pixelfed ≤ 0.11.4 is affected by HTML injection and Potential Cross Site Scripting vulnerability. Steps to Reproduce: 1.Choose any server from https://pixelfed.org/servers and go to registration page. 2.Enter your username, email, password and enter following payload on "Name" paramet...
Captcha Bypass on login
Description So if we login incorrectly multiple times, we get a captcha. Each captcha has a "captchaid" and a solution "captchacode". For example: "captchacode":"8awt" "captchaid":"7nToXDrT6SkJ2BJxKG1u" You can use the same captcha code and captcha id in login without any problem. Captcha is generated with -...
XSS
Description HTML injection in user profile. The vulnerability is in: http://34.245.133.152:9080/users/settings/profile - About Me Proof of Concept Request: PUT /answer/api/v1/user/info HTTP/1.1 Host: localhost:9080 Content-Length: 213 sec-ch-ua: "Not A(Brand";v="24", "Chromium";v="110" Content-Type:...
Rxss in msg parameter
Affected URL Affected parameter: msg It appears that HTML tags are rendered in the page via the msg parameter. So I tried a tag and it worked, so I tried adding event handlers, in this case onpageshow=alert(document.domain), and it triggered XSS. POC:...
segmentation fault in regexp.c:1788
Description SIGSEGV raised in the regtilde function at regexp.c. As the function processes the tainted string inside the PoC file, constant calls to the alloc function with ever-increasing size exhaust memory and the process terminates. Eventually a negative size value is assigned. Version $ git...
Bootstrap-switch 3.3.2 in use which is vulnerable to XSS
Description Bootstrap-switch 3.3.2 is in use, which is vulnerable to XSS. Proof of Concept 1. Go to https://demo.limesurvey.org/tmp/assets/12fba870/js/bootstrap-switch.min.js and note that Bootstrap-switch 3.3.2 is in use 2. Check...
XSS on external links bypass filters
Description I recently found a bypass for external links that allows an attacker to inject JavaScript into external links. Proof of Concept As an admin user, go to /front/link.form.php?id=1. Using a special character before javascript:alert(1) bypasses the filters and the protocol still works...
Stored HTML Injection inside the >>> Request payment >>> Request Customer Data Checkout >>> Request shipping address
Team, I hope you are all doing well. I wanted to bring to your attention a potential vulnerability on the website https://mainnet.demo.btcpayserver.org/stores/6YSiuoN6q1yF2ucWZvWojBuVJAJzXxFFUn9cw8iNPPMC/payment-requests/edit/ec575d56-6b8e-41bd-8b9a-bdcda9c5daad. During my research, I...
XSS in Library Description and Synopsis
Description The 'description' and 'synopsis' fields of libraries are vulnerable to stored XSS injection. If a user sets the synopsis or description of a library to ''"' they can set a stored XSS payload that fires whenever someone visits the /libraries page. Normally libraries are only editable b...
Stored XSS in "Import" Module
Description When loading a CSV or XLSX file to preview before importing (Step 4), there is no sanitization of the first-line labels, which allows an authenticated attacker to inject a malicious XSS payload into the file to import and store it on the target webserver. If any admin reuses the malicious uploaded importing...
Jquery UI 1.13.1 in use which is vulnerable to CVE-2022-31160
Description jQuery UI 1.13.1 is in use, which is vulnerable to CVE-2022-31160. Proof of Concept 1. Go to https://demo.limesurvey.org/tmp/assets/15bf41ab/jquery-ui.min.js and note that jquery-ui 1.13.1 is in use. 2. Check...
Race Condition Vulnerability Can Lead to Up Vote Stealing
Description I tested on the live production site https://meta.answer.dev/. There are up vote / down vote functions in answerdev. An attacker can increase or decrease votes by using a race condition vulnerability. Proof of Concept 1. Go to a question and press up vote or down vote. 2. PoC will show...
Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203
Description Lodash 4.17.15 is in use, which is vulnerable to CVE-2020-8203. Proof of Concept 1. Go to https://localhost/Cockpit/modules/App/assets/vendor/lodash.js?ver=2.3.9-1676855050 and note that the lodash version is 4.17.15 2. Go to https://localhost/Cockpit/ 3. Open Web Developer tools (Ctrl+Shift+I) usin...
SQL Injection at /front/report.dynamic.php
Description A SQL injection vulnerability allows a guest user with report viewing rights, like "Technician", to extract all data from the database and in some cases write a webshell on the server. This vulnerability occurs because an insecure concatenation takes place in this function:...
Division by zero
Description Division by zero in function scrolldown at move.c:1739 version git log commit ea62cee85e9e77ec86edd9843926dadb69978753 (HEAD -> master, tag: v9.0.1327, origin/master, origin/HEAD) Author: Bram Moolenaar Date: Sun Feb 19 18:36:41 2023 +0000 patch 9.0.1327: cursor in wrong position below li...
Lack of brute force protection
Issue Description • A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the attacker discovers the one correct combination that works. Steps to Reproduce: 1. First capture the login request with BurpSuite,...
Authentication Bypass for users with MD5 password hash
Setup - OS: Ubuntu 22.04.2 LTS - Froxlor: 2.0.12 - PHP: 8.1.2 Description Froxlor still supports logins for passwords that are stored as an MD5 hash in the database. The hash comparison is done with "==" instead of "===", which causes a type confusion vulnerability in PHP. For some MD5 hashes it is...
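The type confusion behind this report is PHP's rule that two numeric strings compared with `==` are compared as numbers, and a hex digest of the form `0e` followed only by decimal digits is a numeric string equal to zero. The following added example (not Froxlor's code, and written in Python rather than PHP) models that comparison rule, checks two well-known inputs whose MD5 digests have that shape, and shows the loose check accepting one password for an account set up with the other while a type-strict, constant-time comparison rejects it. The regular expression is an approximation of PHP's numeric-string grammar, sufficient for hex digests.

```python
# Added example (not Froxlor's code): why `md5($pw) == $stored` is unsafe.
# Models PHP's loose comparison of two numeric strings in Python and shows
# two different passwords whose MD5 digests compare equal under it.
import hashlib
import hmac
import re

# PHP treats a string as numeric if it parses as an integer or float, which
# includes exponent notation such as "0e123" (value 0.0). A 32-character hex
# digest is numeric only when it is "0e" followed by 30 decimal digits.
# Approximation of PHP's numeric-string grammar (assumption: good enough for
# hex digests; PHP also tolerates surrounding whitespace, handled here).
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Approximation of PHP 8 `$a == $b` for two strings: numeric strings
    compare as numbers, anything else compares byte-wise."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def is_magic_hash(digest: str) -> bool:
    """True if PHP's == would treat this hex digest as the number 0."""
    return re.fullmatch(r"0e\d+", digest) is not None


def login_loose(stored_hash: str, password: str) -> bool:
    """Vulnerable check, as `md5($pw) == $stored` behaves in PHP."""
    return php_loose_eq(md5_hex(password), stored_hash)


def login_strict(stored_hash: str, password: str) -> bool:
    """Fixed check: type-strict and constant-time (PHP: hash_equals())."""
    return hmac.compare_digest(md5_hex(password), stored_hash)


# Two widely cited inputs whose MD5 digests are of the form 0e<digits>.
MAGIC_A = "240610708"
MAGIC_B = "QNKCDZO"

if __name__ == "__main__":
    stored = md5_hex(MAGIC_A)            # account whose real password is MAGIC_A
    print(stored, is_magic_hash(stored))
    print("loose  :", login_loose(stored, MAGIC_B))   # True: logs in with the wrong password
    print("strict :", login_strict(stored, MAGIC_B))  # False
```

The practical fix is the one the report implies: compare with `===` or `hash_equals()`, and retire MD5-stored passwords by rehashing with `password_hash()` on the next successful login.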
Insufficient Session Expiration
Description Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. When handling sessions, web developers can rely either on server tokens or generate session identifiers within the application. Each session should...
XSS in /admin/domains when filtering a specific tag
Description Reflected XSS happens when filtering a specific tag in the Domains page and changing the "domfilter" URL query parameter to the malicious string. Proof of Concept 1 - Login as a domain admin 2 - Go to the Domains page 3 - Click on one of the existing tags 4 - Change the domfilter quer...