4072 matches found

Huntr, added 2023/03/06 6:28 p.m., 25 views

XSS via Client Side Template Injection

Description: Hi Team! First, when creating an app and in the "display title" if you change it to 7'7, and you get it, you can see your name become 49. I think it might be a remote code execution vulnerability via server side template injection, but there is a length limit: By changing Display Tit...

CVSS 4.9, AI score 6.4, EPSS 0.00351
Exploits: 1
Huntr, added 2023/03/06 7:55 a.m., 26 views

CSV Injection in CSV files generated by the backend

1. First the admin creates the event and publishes it. 2. Unauthenticated users go to the reservation page. 3. Unauthenticated users fill the first name and last name as "=1+cmd|'/C calc'!A0". 4. Admin downloads all the attendees' data as CSV. 5. Admin opens the CSV file and the calculator is opened. See th...

CVSS 6.8, AI score 8.5, EPSS 0.00913
Exploits: 1
Huntr, added 2023/03/05 8:17 p.m., 17 views

Server Side Template Injection

Description: alf-event is vulnerable to Server Side Template Injection via angular. Proof of Concept VIDEO: With an authenticated user, access the admin panel. Create an organization and then go to users and create a new user having username 77 in that organization. Now login with this username and you...

CVSS 5.8, AI score 7.1, EPSS 0.01089
Exploits: 1, References: 2
Huntr, added 2023/03/05 1:52 p.m., 7 views

SQL Injection

Description: In '/core/ajax/ajaxselect2.php#L989': php "istrash = 0 and datebatchexpirydate = curdate and batchnumber LIKE '". $search ."%'" where $search comes from: php $search = isset($_GET['q']) ? $_GET['q'] : ""; with no sanitization. PoC: http GET /info/?module=select2&page=batchList&q=1'union/%23&pid=1/select+111,222%23...

AI score 7.1
Exploits: 0
Huntr, added 2023/03/05 6:38 a.m., 22 views

Store XSS in Question Tag

Description: Attackers can use this vulnerability to attack users/admins in the community, take over user/admins accounts, etc... Proof of Concept: 1. Register and log in as a user, add new questions and add tags. 2. Insert the following payload in the tag description html. 3. Post a question. 4. When oth...

CVSS 4.9, AI score 5.5, EPSS 0.0062
Exploits: 1
Huntr, added 2023/03/04 2:13 p.m., 19 views

Remote Code Execution Vulnerability Through Unrestricted File Write

Description: In the import setting function, in the file Froxlor\lib\Froxlor\SImExporter.php: php file_put_contents($imgfilename, $imgdata); if (function_exists('finfo_open')) { $finfo = finfo_open(FILEINFO_MIME_TYPE); $mimetype = finfo_file($finfo, $imgfilename); finfo_close($finfo); } else { $mimetype =...

CVSS 6.5, AI score 8.4, EPSS 0.73247
Exploits: 1, References: 1
Huntr, added 2023/03/03 10:14 p.m., 42 views

Blind LFI in register-model/get?name=

Description: A blind LFI exists in /ajax-api/2.0/mlflow/registered-models/get?name= The response from the server is different depending on whether the file exists on the local file system or not. When the arbitrary local file exists, the server responds with 500 INTERNAL SERVER ERROR, and when it doesn'...

CVSS 1.7, AI score 4.7, EPSS 0.00578
Exploits: 1
Huntr, added 2023/03/03 5:15 p.m., 29 views

LFI/RFI in MLflow

Description: Local and Remote File Include in MLflow. Proof of Concept: Start the server or UI (it works on both identically): mlflow ui --host 127.0.0.1:5001 Create a model: curl -i -s -k -X $'POST' \ -H $'Host: 127.0.0.1:5001' -H $'User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15;...

CVSS 7.5, AI score 8.9, EPSS 0.69468
Exploits: 2
Huntr, added 2023/03/03 4:55 p.m., 24 views

RCE using bad deserialization

Description: Qwik provides an extended serialization mechanism for exchanging data between the client and server. This allows for the serialization and deserialization of Date, Regex, Signal, Function and many other useful data types. The Function deserializer can be accessed using the...

CVSS 7.5, AI score 9.1, EPSS 0.01149
Exploits: 1, References: 5
Huntr, added 2023/03/03 4:07 p.m., 28 views

null pointer dereference in class_object_index at vim9class.c:1356

Description: null pointer dereference in class_object_index at vim9class.c:1356. Variable cl in class_object_index at vim9class.c:1254 is NULL at last; reference to cl refers to NULL. Version: $ git log commit c727b19e9f1df36e44321d933334c7b4961daa54 (HEAD -> master, tag: v9.0.1374, origin/master,...

CVSS 1.9, AI score 6.1, EPSS 0.00453
Exploits: 1
Huntr, added 2023/03/02 8:56 a.m., 40 views

Storage xss vulnerability exists in simple graph beds

Description: Storage xss vulnerability exists in simple graph beds. By constructing a malicious svg code that directs the administrator to click, the cookie is stolen. Proof of Concept: Make the svg file as follows: alertdocument.cookie; You can steal administrator cookies. No login required to upload...

CVSS 4.9, AI score 5.7, EPSS 0.00429
Exploits: 1
Huntr, added 2023/03/02 6:37 a.m., 10 views

Simple graph bed system has deserialization vulnerability and weak type comparison vulnerability

Description: Simple graph bed has deserialization vulnerability and weak type comparison vulnerability. Proof of Concept: As you can see on line 129 below, there is a deserialization point and it is cookie passed. The user controlled auth complex value in the cookie is given to the browsercookie...

AI score 0.2
Exploits: 0
Huntr, added 2023/03/02 3:19 a.m., 4 views

SQL Injection in '/module/accounts/ajax.php'

Description: There exists an SQL injection affecting the order[0][dir], start and length parameters located in the file /module/accounts/ajax.php. Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/module/accounts/ajax.php#L1503...

AI score 7.8
Exploits: 0
Huntr, added 2023/03/01 11:09 p.m., 17 views

Full CSRF Bypass

Description: The intended way to reach functionality in $module/ajax.php is through the /xhr endpoint. Looking at the following code: https://github.com/unilogies/bumsys/blob/83bd788c21ce390f62e34ab6755a3e61c106418c/core/route.php#L43-L48 php if $pageSlug === "xhr" or $pageSlug === "info" and...

CVSS 6.8, AI score 6.8, EPSS 0.0043
Exploits: 1
Huntr, added 2023/03/01 8:22 p.m., 13 views

SQL Injection in 'core/ajax/ajax_data.php'

Description: There exists an SQL injection affecting the edition parameter located in the file core/ajax/ajax_data.php: php $productEditionFilter = isset($_GET["edition"]) and !empty($_GET["edition"]) ? " productedition = '$_GET["edition"]' " : " producttype != 'Child' "; We see that $_GET["edition"] is appended...

AI score 7.8
Exploits: 0
Huntr, added 2023/03/01 4:12 p.m., 21 views

Reflected XSS in Application Logger module

Description: pimcore is vulnerable to Reflected XSS at From and To fields when searching in the Application Logger module. Payload: " Proof of Concept: 1. Go to https://demo.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Tools - Application Logger. 3. In the Application Logger tab, on the...

CVSS 4.3, AI score 5.1, EPSS 0.00415
Exploits: 1
Huntr, added 2023/03/01 1:52 a.m., 39 views

heap-buffer-overflow in utf_ptr2char

Description: Heap-buffer-overflow in utf_ptr2char at mbyte.c:1825. vim version: git log commit f0300fc7b81e63c2584dc3a763dedea4184d17e5 (grafted, HEAD -> master, tag: v9.0.1365, origin/master, origin/HEAD) Proof of Concept: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc8hbo.dat -c :qa...

CVSS 4.4, AI score 6.9, EPSS 0.00483
Exploits: 1
Huntr, added 2023/03/01 12:05 a.m., 19 views

Access Control Vulnerability in Admin Address Book

Description: An Access Control Vulnerability allows a low level user in the web application to view and edit information for all other users in the Admin Address Book. Proof of Concept: Step 1. Login to the openemr web application as a low level user (Ex: Receptionist in openemr demo). Step 2. Trave...

CVSS 5.5, AI score 6.6, EPSS 0.00447
Exploits: 1
Huntr, added 2023/02/28 5:58 p.m., 29 views

Stored xss in print generate and preview pdf

Hi Team, in pimcore dev url https://11.x-dev.pimcore.fun/admin/ I found one stored xss in generate and preview pdf. The author field and title field are vulnerable to xss. Steps to reproduce: 1. Login to dev url https://11.x-dev.pimcore.fun/admin/ 2. Add a print container page in documents 3. Insert...

CVSS 4.3, AI score 5.3, EPSS 0.00428
Exploits: 1
Huntr, added 2023/02/28 10:45 a.m., 14 views

Stored XSS in Notification and Data Management

Description: Please enter a description of the vulnerability. Proof of Concept: 1. Go to a survey and to Settings = Notifications and data. 2. Turn off Inherit option for Send basic notification email to: or Send basic notification email to: 3. Enter the following payload: " and Save...

AI score 6.7
Exploits: 0, References: 1
Huntr, added 2023/02/28 7:46 a.m., 35 views

IDOR Vulnerability Allows Low-Level User to Log Out Everyone Including Admin

Description: IDOR vulnerability allows a low level user to log out everyone in the system by changing the user ID. Proof of Concept: Step 1: Login as admin. Step 2: Go to user and add a user. Set role to Default. Step 3: Login as the new user. Step 4: Logout the user GET...

CVSS 5.5, AI score 5.5, EPSS 0.00523
Exploits: 1, References: 1
Huntr, added 2023/02/28 5:02 a.m., 23 views

Stored XSS in the Redirects module

Description: pimcore is vulnerable to Stored XSS at Expiry field in the Redirects module. Payload: " Steps to reproduce/Proof of Concept: 1. Go to https://demo.pimcore.fun/admin/ and login. 2. In the left menu bar, go to Tools - Redirects. 3. In the Redirects tab, click Add button, input any text into t...

CVSS 4.9, AI score 5.1, EPSS 0.00349
Exploits: 1
Huntr, added 2023/02/28 3:04 a.m., 28 views

SQL Injection in 'core/ajax/ajax_data.php'

Description: There exists an SQL injection affecting the customerid parameter located in the file core/ajax/ajax_data.php. Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/core/ajax/ajax_data.php#L537 sql where stockproductid =...

CVSS 4, AI score 7.2, EPSS 0.00751
Exploits: 1
Huntr, added 2023/02/28 1:53 a.m., 12 views

SQL Injection leads to code execution

Description: This vulnerability allows the attacker to leverage a SQL injection attack in the database backup functionality to write arbitrary data to an arbitrary file on disk anywhere where the user can write. This includes the webroot in a default installation, allowing the attacker to place a web...

AI score 8.1
Exploits: 0
Huntr, added 2023/02/28 1:42 a.m., 33 views

Local file inclusion leading to RCE

Description: The api handling endpoint allows for a local file inclusion that can lead to remote code execution. It requires a valid api token which can be obtained via a database backup with account access, a number of different sql injections with account access, or stolen from a user. Proof of...

CVSS 6.5, AI score 7.5, EPSS 0.01914
Exploits: 1
Huntr, added 2023/02/27 9:31 a.m., 77 views

Vulnerable javascript dependency used in adminsidepanel.js

Description: The adminsidepanel.js used Vue.js v2.6.10, which contains the vulnerable vue-server-renderer's dependency of serialize-javascript. Proof of Concept: 1. Go to https://demo.limesurvey.org/tmp/assets/cb9c5d96/build.min/js/adminsidepanel.js and search for the Vue.js v2.6.10 term. We can note th...

AI score 6.7
Exploits: 0, References: 3
Huntr, added 2023/02/27 3:47 a.m., 20 views

Missing Authorization Check Allows Impersonated Secure Messages

Description: Due to the lack of an authorization check when sending secure messages, an attacker with access to a low level patient account in the portal can impersonate other users when sending secure messages. This would allow a malicious actor to impersonate high-level users...

CVSS 5.5, AI score 6.3, EPSS 0.0043
Exploits: 1
Huntr, added 2023/02/26 2:52 p.m., 18 views

CSRF leading to edit admin accounts

Description: GET /admin/accounts/id/edit/?activetab=default page is vulnerable to a CSRF attack. Proof of Concept: Login as admin. Try to edit admin accounts, example id=4. Open the following file in the browser. history.pushState('', '', '/'); document.forms[0].submit();...

CVSS 5.4, AI score 6.4, EPSS 0.00378
Exploits: 1
Huntr, added 2023/02/25 9:11 a.m., 27 views

UI REDRESSING

Description: The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Steps To Reproduce: 1. Create a New HTML file as shown in below i....

CVSS 5.8, AI score 6.2, EPSS 0.01411
Exploits: 1, References: 2
Huntr, added 2023/02/25 3:56 a.m., 29 views

Improper Authorization

Description: During testing, it was observed that sending a GET request to the following endpoint: /api/v2/parameters/core/ returns sensitive information without any authentication or authorization. Request: GET /api/v2/parameters/core/ HTTP/1.1 Host: demo.modoboa.org User-Agent: 7h3h4ckv157 Accept...

CVSS 6.4, AI score 8.9, EPSS 0.43756
Exploits: 1, References: 1
Huntr, added 2023/02/24 8:30 p.m., 21 views

Authorization Token Never Expires

Description: The vulnerability is related to the Authorization header used for user login. After logging out, the token in the Authorization header remains valid and does not expire. Additionally, the token has an excessively long duration of 10 hours, as confirmed by a request. This vulnerability...

CVSS 6.8, AI score 8.4, EPSS 0.00775
Exploits: 1
Huntr, added 2023/02/24 6:01 p.m., 2009 views

Unauthenticated OS Command Injection in stamparm/maltrail

Description: Maltrail /tmp/bbq'...

AI score 3.4
Exploits: 0
Huntr, added 2023/02/24 4:32 p.m., 13 views

Bypass of IP detection leads to brute-force attack

Description: In the login function, by default, the IP address will be blocked when the user tries to login incorrectly more than 3 times, but we can bypass this mechanism by abusing the X-Forwarded-For header to bypass IP detection and perform password brute-force. Proof of Concept: POST...

AI score 7
Exploits: 0, References: 1
Huntr, added 2023/02/24 10:07 a.m., 27 views

SQL injection in search function

Description: Please enter a description of the vulnerability. Link POC: https://drive.google.com/drive/folders/1oFZPVrJ7lID7tDArO8spsMy1VYr4oOb?usp=sharing Proof of Concept: Step 1: login https://demo.pimcore.fun/admin/ Step 2: user search function and intercept request with burp Step 3: Exploit ti...

CVSS 6.5, AI score 8.4, EPSS 0.65115
Exploits: 1
Huntr, added 2023/02/23 11:49 p.m., 20 views

Cross-Site Scripting (Stored/Persistent) in Categories

Description: • The application is vulnerable to Cross-Site Scripting (XSS) attacks. This occurs when web applications do not properly validate user-supplied inputs before including them in dynamic web pages. • By intercepting the HTTP Request using the Burp-suite tool before submitting into the webpage,...

CVSS 4.3, AI score 5.3, EPSS 0.00398
Exploits: 1, References: 1
Huntr, added 2023/02/23 3:01 p.m., 20 views

XSS in button home page

Description: vuln was found in File/Documents/Home, any button in page. Proof of Concept: 1. Login in URL: https://demo.pimcore.fun/admin 2. Go to File - Open Documents - Home 3. Click any button in page - Edit Link 4. In tab Advanced, inject payload to: Attributes key="value" For more understandi...

CVSS 4.9, AI score 5.6, EPSS 0.00553
Exploits: 1
Huntr, added 2023/02/23 6:32 a.m., 16 views

LFI in module invoice-print and print

The parameters page and invoiceType are not properly sanitized, leading to Local file inclusion. POC: http://demo.bumsys.org/invoice-print/?invoiceType=../../theme/rui/print&msg=; POC: http://demo.bumsys.org/print/?page=../../theme/rui/invoice-print&msg=;...

AI score 0.6
Exploits: 0
Huntr, added 2023/02/22 10:11 a.m., 13 views

IDOR on save email configuration leads to account takeover

Description: An attacker with a low privileged account on the latest GLPI version could change other users' email when saving his own user preferences. After that, if "Forgot password" is enabled via email, an attacker will be able to retrieve the victim's forgot password link to the modified email to...

AI score 6.6
Exploits: 0, References: 1
Huntr, added 2023/02/22 6:51 a.m., 19 views

Stored XSS in Customer Support

Description: Attacker can send xss payload in Customer Support. Proof of Concept Request Payload: POST /xhr/?module=customer-support&page=addCaseReply HTTP/1.1 Host: demo.bumsys.org Cookie: 80e72166c3164cd4e1f55b5348364ee4f8bc0d12=655mqrm2v9uhktlqpke0h026d4; eid=1; currencySymbol=%E0%A7%B3;...

CVSS 4.9, AI score 5.8, EPSS 0.00479
Exploits: 1
Huntr, added 2023/02/22 5:11 a.m., 11 views

Improper Neutralization of Input in paperWidth param During Web Page Generation

Module: print and invoice-print. Parameter: paperWidth. Attacker would be able to close the tag and can inject html tags. POC: http://demo.bumsys.org/print?&paperWidth=;%3C/style%3E%3Cbody+onpageshow=alertdocument.domain%3E POC:...

AI score 0.6
Exploits: 0
Huntr, added 2023/02/22 3:01 a.m., 37 views

Insecure Business Logic - Client Side Enforcement Bypass on User Account Deletion

Description: The application enforces account deletion on the client-side with a popup that states the admin account cannot be deleted. Additionally, regular users do not have an option in the interface to delete their own account. An administrative and regular-privileged user are able to bypass...

CVSS 5.5, AI score 5.5, EPSS 0.0075
Exploits: 1, References: 1
Huntr, added 2023/02/22 1:21 a.m., 26 views

Captcha Bypass due to invalidation of previous tokens

Description: An attacker can bypass the captcha mechanism and create multiple accounts directly. Proof of Concept: 1: Sign up with a new name in the application, fill the captcha and intercept the request of the submit. The request will look something like this: POST...

CVSS 7.5, AI score 8.9, EPSS 0.00837
Exploits: 1
Huntr, added 2023/02/22 12:43 a.m., 23 views

Stored XSS in Sitename

Description: There is a presence of stored xss in username, which directly gets rendered whenever the page is opened. Proof of Concept: 1: Use the below command to clone the repo on your machine: git clone https://github.com/answerdev/answer.git 2: Navigate inside the repo: cd answer 3: Use...

CVSS 4.9, AI score 5.6, EPSS 0.00519
Exploits: 1
Huntr, added 2023/02/21 10:03 p.m., 24 views

Observable Response Discrepancy in Password Reset Functionality

Description: The password reset functionality leaks information pertaining to user accounts. Where an invalid account is utilized, the application responds that the account could not be found. Where an account is valid, the application responds with a reason "base.success" when intercepted, or that...

CVSS 5, AI score 5.5, EPSS 0.00639
Exploits: 1, References: 1
Huntr, added 2023/02/21 9:57 p.m., 31 views

Observable Timing Discrepancy in Login Portal

Description: An observable discrepancy in response times is present in the login portal. When brute forcing valid email accounts, the timing on a valid account is significantly higher than that of an invalid user account. This is likely due to the use of Bcrypt's compare function being utilized by...

CVSS 5, AI score 5.5, EPSS 0.00639
Exploits: 1, References: 1
Huntr, added 2023/02/21 9:12 p.m., 16 views

Admin Able To Perform Operations On Themselves By Interacting With API

Description: When setting a password through the /admin/users URI, the admin is not allowed to set their own new password through this URI. If they attempt to do so, they receive an error stating Forbidden to operate on yourself. But this is easily bypassable by interacting with the API: if you set a...

CVSS 4.7, AI score 4.8, EPSS 0.00644
Exploits: 1
Huntr, added 2023/02/21 4:37 p.m., 9 views

Stored HTML injection and Potential Cross Site Scripting in pixelfed ≤ 0.11.4

Description: pixelfed ≤ 0.11.4 is affected by HTML injection and Potential Cross Site Scripting vulnerability. Steps to Reproduce: 1. Choose any server from https://pixelfed.org/servers and go to registration page. 2. Enter your username, email, password and enter following payload on "Name" paramet...

AI score 6.7
Exploits: 0, References: 2
Huntr, added 2023/02/21 12:49 p.m., 37 views

Captcha Bypass on login

Description: So if we login incorrectly multiple times, we get captcha. Each captcha has "captchaid" and solve "captchacode". For example: "captchacode":"8awt" "captchaid":"7nToXDrT6SkJ2BJxKG1u" You can use same captcha code and captcha id in login without any problem. Captcha is generated with -...

CVSS 5, AI score 5.8, EPSS 0.00614
Exploits: 1
Huntr, added 2023/02/21 12:09 p.m., 20 views

XSS

Description: HTML injection in user profile. Vulnerability is in: http://34.245.133.152:9080/users/settings/profile - About Me. Proof of Concept Request: PUT /answer/api/v1/user/info HTTP/1.1 Host: localhost:9080 Content-Length: 213 sec-ch-ua: "Not ABrand";v="24", "Chromium";v="110" Content-Type:...

CVSS 4.9, AI score 6, EPSS 0.00522
Exploits: 1
Huntr, added 2023/02/21 7:28 a.m., 15 views

Rxss in msg parameter

Affected url. Affected parameter: msg. It appears that html tags are rendered in the page via the msg parameter. So I tried a tag and it worked, so I tried adding event handlers, in this case onpageshow=alertdocument.domain, and it triggered xss. POC:...

AI score 1.6
Exploits: 0
Total number of security vulnerabilities: 4072