4072 matches found
segmentation fault in regexp.c:1788
Description SIGSEGV raised in the regtilde function at regexp.c. As the function processes the tainted string inside the poc file, constant calls to the alloc function with an ever-increasing size actually exhaust memory and the process terminates. At last a negative size value is assigned. Version $ git...
Bootstrap-switch 3.3.2 in use which is vulnerable to XSS
Description Bootstrap-switch 3.3.2 in use which is vulnerable to XSS Proof of Concept 1 Go to https://demo.limesurvey.org/tmp/assets/12fba870/js/bootstrap-switch.min.js and note that Bootstrap-switch 3.3.2 is in use 2 Check...
XSS on external links bypass filters
Description I recently found a bypass for external links that allows an attacker to inject javascript into external links Proof of Concept As an admin user Go to /front/link.form.php?id=1 Using a special character before the javascript:alert1 this bypasses the filters and the protocol still works...
Stored HTML Injection inside the >>> Request payment >>> Request Customer Data Checkout >>> Request shipping address
Team, I hope you are all doing well. I wanted to bring to your attention a potential vulnerability on the website https://mainnet.demo.btcpayserver.org/stores/6YSiuoN6q1yF2ucWZvWojBuVJAJzXxFFUn9cw8iNPPMC/payment-requests/edit/ec575d56-6b8e-41bd-8b9a-bdcda9c5daad. During my research, I...
XSS in Library Description and Synopsis
Description The 'description' and 'synopsis' fields of libraries are vulnerable to stored XSS injection. If a user sets the synopsis or description of a library to ''"' they can set a stored XSS payload that fires whenever someone visits the /libraries page. Normally libraries are only editable b...
Stored XSS in "Import" Module
Description When loading a CSV or XLSX file to preview before importing (Step 4), there is no sanitization of the first-line label, which allows an authenticated attacker to inject a malicious XSS payload into the to-be-imported file and store it on the target webserver. If any admin reuses the malicious uploaded importing...
Jquery UI 1.13.1 in use which is vulnerable to CVE-2022-31160
Description Jquery UI 1.13.1 in use which is vulnerable to CVE-2022-31160 Proof of Concept 1 Go to https://demo.limesurvey.org/tmp/assets/15bf41ab/jquery-ui.min.js and note that jquery-ui 1.13.1 is in use. 2 Check...
Race Condition Vulnerability can Lead to Up Vote Stealing
Description I tested on the live production site https://meta.answer.dev/. There are up vote / down vote functions in answerdev. An attacker can increase or decrease votes by using a race condition vulnerability. Proof of Concept 1. Go to a question and press up vote or down vote. 2. PoC will show...
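The vote-stealing race described above is a check-then-act window: the endpoint reads "has this user already voted?" and only afterwards writes the vote, so several identical requests that arrive together can all pass the check before any write lands. The following Python model is an added example, not answerdev's code: VoteStore, upvote_racy, upvote_atomic and fire_simultaneously are constructed names, and the Barrier inside demo_racy deliberately forces the worst-case interleaving so the result is reproducible rather than timing-dependent.

```python
import threading
import time


class VoteStore:
    """Constructed model of a one-vote-per-user endpoint (not answerdev's code)."""

    def __init__(self):
        self.ledger = []            # one entry per counted vote (list.append is atomic in CPython)
        self.voted = set()          # users who have already voted
        self._lock = threading.Lock()

    @property
    def votes(self):
        return len(self.ledger)

    def upvote_racy(self, user, db_roundtrip=lambda: None):
        # check ... (SELECT: has this user already voted?)
        if user in self.voted:
            return False
        db_roundtrip()              # latency between the check and the write: the race window
        # ... then act (INSERT vote row, bump counter)
        self.voted.add(user)
        self.ledger.append(user)
        return True

    def upvote_atomic(self, user, db_roundtrip=lambda: None):
        # Check and act under one lock so concurrent requests serialize. In a real
        # service this is a UNIQUE constraint on (user, post) or one conditional
        # UPDATE, not an in-process lock, but the property is the same.
        with self._lock:
            if user in self.voted:
                return False
            db_roundtrip()
            self.voted.add(user)
            self.ledger.append(user)
            return True


def fire_simultaneously(store, endpoint, user, n, db_roundtrip):
    """Send n identical requests for `user` that all hit the endpoint at once.
    Returns (vote counter, number of requests the endpoint accepted)."""
    arrive = threading.Barrier(n)   # release every request thread at the same instant
    accepted = []

    def request():
        arrive.wait()
        accepted.append(endpoint(user, db_roundtrip))

    threads = [threading.Thread(target=request) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.votes, sum(accepted)


def demo_racy(n=10):
    """Every request passes the 'already voted?' check before any of them writes,
    so n parallel requests from one account each count: n votes from a single user."""
    store = VoteStore()
    window = threading.Barrier(n)   # all threads sit in the race window, then write together
    return fire_simultaneously(store, store.upvote_racy, "attacker", n, window.wait)


def demo_atomic(n=10):
    """The same burst against the serialized version: exactly one vote is accepted."""
    store = VoteStore()
    return fire_simultaneously(store, store.upvote_atomic, "attacker", n,
                               lambda: time.sleep(0.001))


if __name__ == "__main__":
    print("racy  :", demo_racy())    # (10, 10)
    print("atomic:", demo_atomic())  # (1, 1)
```

In the racy variant the store ends up with as many votes as requests; in the atomic variant the first request wins and the rest are rejected. When testing a real target, the same idea applies: the PoC is a burst of identical vote requests released at once, and the fix is enforced where the data lives (a unique index or a single atomic update), not in the application's request handler.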
Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203
Description Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203 Proof of Concept 1 Go to https://localhost/Cockpit/modules/App/assets/vendor/lodash.js?ver=2.3.9-1676855050 and note that the lodash version is 4.17.15 2 Go to https://localhost/Cockpit/ 3 Open Web Developer tools Ctrl+Shift+I usin...
SQL Injection at /front/report.dynamic.php
Description A SQL Injection vulnerability allows a guest user with report view rights, like "Technician", to extract all data from the database and in some cases write a webshell on the server. This vulnerability occurs because an insecure concatenation takes place in this function:...
division by zero
Description division by zero in function scrolldown at move.c:1739 version git log commit ea62cee85e9e77ec86edd9843926dadb69978753 HEAD - master, tag: v9.0.1327, origin/master, origin/HEAD Author: Bram Moolenaar Date: Sun Feb 19 18:36:41 2023 +0000 patch 9.0.1327: cursor in wrong position below li...
Lack of brute force protection
Issue Description • A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until an attacker discovers the one correct combination that works. Steps to Reproduce: 1. First capture the login request with BurpSuite,...
Authentication Bypass for users with MD5 password hash
Setup - OS: Ubuntu 22.04.2 LTS - Froxlor: 2.0.12 - PHP: 8.1.2 Description Froxlor still supports logins for passwords that are stored as MD5 hash in the database. The hash comparison is done with "==" instead of "===" which causes a type confusion vulnerability in PHP. For some MD5 hashes it is...
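The mechanism behind the Froxlor report above is PHP's loose comparison: when both operands of `==` are numeric strings, PHP compares them as numbers, and an MD5 hex digest of the form `0e` followed only by digits is the numeric string 0. Any two such digests are therefore "equal" even though the bytes differ. The Python below is an added illustration, not Froxlor's code: php_loose_equal is a simplified model of that one PHP rule (enough for hashes, not PHP's whole juggling table), login_vulnerable and login_fixed are constructed names for the `==` and strict variants, and the two inputs in MAGIC_INPUTS are public examples whose digests are recomputed with hashlib rather than trusted from memory.

```python
import hashlib
import hmac
import re

# PHP's "numeric string" shape, simplified: optional sign, digits/decimal, optional exponent.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def php_loose_equal(a: str, b: str) -> bool:
    """Model of PHP's `==` on two strings: if both are numeric strings they are
    compared as numbers, so "0e1" == "0e2" (both are 0 * 10^x = 0). This is the
    one rule that matters for hex digests, not PHP's full comparison table."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hex_digest: str) -> bool:
    """A hex digest PHP reads as the number zero: '0e' followed only by digits."""
    return re.fullmatch(r"0e\d+", hex_digest) is not None


def login_vulnerable(stored_md5: str, password: str) -> bool:
    # Models the reported pattern: if ($row['password'] == md5($password)) ...
    return php_loose_equal(stored_md5, md5_hex(password))


def login_fixed(stored_md5: str, password: str) -> bool:
    # Strict, constant-time comparison (PHP: hash_equals(), or at least ===).
    # MD5 itself should still be retired via password_hash()/password_verify().
    return hmac.compare_digest(stored_md5, md5_hex(password))


# Two public inputs whose MD5 digest is a "0e<digits>" string (verified by the
# caller with md5_hex, not hardcoded here).
MAGIC_INPUTS = ("240610708", "QNKCDZO")


if __name__ == "__main__":
    for s in MAGIC_INPUTS:
        print(s, "->", md5_hex(s), "magic" if is_magic_hash(md5_hex(s)) else "plain")
    victim_hash = md5_hex("QNKCDZO")          # a stored hash that happens to be "0e..."
    print("== login with 240610708:", login_vulnerable(victim_hash, "240610708"))   # True
    print("=== login with 240610708:", login_fixed(victim_hash, "240610708"))       # False
```

The practical consequence: an attacker only needs one password whose MD5 is a magic hash to log in as every account whose stored hash is also a magic hash, and the stored hash never has to be known. Checking a password table for `0e`-prefixed all-digit MD5 values is a quick way to measure exposure while the migration off MD5 is pending.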
Insufficient Session Expiration
Description Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. When handling sessions, web developers can rely either on server tokens or generate session identifiers within the application. Each session should...
XSS in /admin/domains when filtering a specific tag
Description Reflected XSS happens when filtering a specific tag in the Domains page and changing the "domfilter" URL query parameter to the malicious string. Proof of Concept 1 - Login as a domain admin 2 - Go to the Domains page 3 - Click on one of the existing tags 4 - Change the domfilter quer...
Broken Access Control
Vulnerability Broken Access Control Issue Description: • Access control is how a web application grants access to content and functions to some users and not others. • These checks are performed after authentication and govern what ‘authorized’ users are allowed to do. • Jeffrey discovere...
Reflected XSS in send2friend.php
Description There is a reflected XSS in send2friend because the 'artlang' parameter is not sanitized. Proof of Concept visit http://phpmyfaq.local/?action=send2friend&artlang=aaaa"%3E%3Cscript%3Ealert1;%3C/script%3E Fix sanitize the '$faqLanguage' variable in...
stored xss
Description Stored XSS bug SUMMARY: here I use the demo installation https://demo.limesurvey.org/ in the Firefox browser Proof of Concept Log in to any user account that has permission to view the survey and visit url...
reflected xss
Description Reflected XSS SUMMARY: here I use the demo installation https://demo.limesurvey.org/ in the Firefox browser Proof of Concept Log in to a user account and visit...
Stored XSS From Visitor to Acc Takeover
Description Using the X-Forwarded-For header, a visitor can manipulate the IP to trigger XSS Proof of Concept 1. Visit any URL and add the header X-Forward-For: 127.0.0.1" 2. If the admin checks the dashboard, the XSS will trigger Check This image...
Stored Cross-Site Scripting in survey administrator name
Description The administrator name field in Survey settings has a Stored Cross-Site scripting vulnerability as it does not sanitize the user input administrator name. A user can enter the javascript payload "alertdocument.cookie in the Administrator name field and the XSS executes in the...
Folder in webmail mailbox is vulnerable to Cross-Site Scripting (Reflective)
Issue Description • Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause...
Cross-site Scripting (XSS) - Stored
Description 1. https://11.x-dev.pimcore.fun/admin/ 2. Go to Settings - Thumbnails - Video Thumbnails 3. Click the button Add Media Segment 4. Write : " and then click ok...
Stored XSS in the adminlog functionality.
Description There is a stored XSS in the 'adminlog' functionality. E.g. the page http://phpmyfaq.local/admin/?action=adminlog shows failed login attempts. If a user with the username 'alert1;' tries to log in, it gets logged and displayed on the adminlog unsanitized. Proof of Concept 1. visit...
HTML injection leads to Open Redirect
Description Hello, I have located an HTML injection in the symbol field: Steps: 1 - Log in as administrator 2 - Go to Options 3 - Go to Currencies 4 - Insert the HTML code in the symbol field; by inserting the following payload I was able to redirect the user to a malicious site. CLICK ME Pro...
heap-buffer-overflow in function adts_dmx_process filters/reframe_adts.c
Version MP4Box - GPAC version 2.3-DEV-rev44-gbe9f8d395-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC: https://doi.org/10.1145/1291233.1291452 GPAC Configuration:...
Unauthorized Rest Api owned by Joomla(officially accepted)
Description Joomla has provided the REST API since version 4.0. These APIs require authentication information when accessed, but if public is added to the request parameters when accessing the API, then any unauthenticated user can directly access them Proof of Concept Api can directly obtain...
User with only "edit" can delete posts and sometimes can add posts
Description If you create a user with edit-only user rights, they should not be able to perform delete or add actions. This is really an admin error, because users with edit permissions can delete posts, and in the case of FAQs, they can also add posts. Proof of Concept 1.Create new user with edi...
Captcha Bypass allows sending unlimited Comments
Hello, I identified a CAPTCHA bypass after trying many posts in the Comments section. Let's see: --------- sent successfully! Let's see the comments. Comments are available. The Question Form is also vulnerable to CAPTCHA bypass; please check it too. Thank you...
XSS Stored in the email address
Description Hello, I have located a stored XSS by performing the following steps: 1 - Go to Tools 2 - GDPR Data Extractor 3 - Insert the payload into the email address 4 - Click on send emails Proof of Concept...
stored HTML-Injection in the Comments Part
I was able to detect a stored HTML injection by answering available questions. Let's see: ------------ AHMED HASSAN STORED HTML INJECTION 1 will now answer a question. Comment sent. Let's see the stored HTML injection. As you can see, the stored HTML injection is working. Thanks for watching...
Privilege escalation from user with "add user" to super admin
Description Before I created this submission, I read this report: https://huntr.dev/bounties/258cd498-7275-4b12-ac73-79c9ba3e58e4/. I was afraid that my submission would be a duplicate of that. After reading it carefully, I decided to make a report because my report is not exploiting the backup...
stored XSS in the Category Field Name
Hello, After all XSS mitigations, I detected an XSS bypass possibility in the naming of the category. Let's see: ----------------- A stored XSS through this payload Thank you for watching :...
stored XSS after XSS Filter Bypass through exporting an HTML-Document
Hello, After mitigation of all submitted XSS vulnerabilities I was able to detect another XSS and bypass the XSS filters in the FAQ site while generating an HTML export. Let's see: ------------------- This is the XSS payload with XSS Ahmed 2 Only XSS Ahmed 2 will work! Now let's export it in HTML5...
Stored XSS in Email Blacklist Function
Description Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XS...
heap-use-after-free in function bt_quickfix
Description heap-use-after-free in function btquickfix at buffer.c:5770 Vim Version git log commit 32ff96ef018eb1a5bea0953648b4892a6ee71658 HEAD - master, tag: v9.0.1307, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S btquickfixpoc -c :qa!...
No Protection Against Bruteforce Attacks on Login Page in
Description Modoboa does not restrict or limit unsuccessful login attempts, allowing an attacker to brute force the password of a known user Proof of Concept Steps to Reproduce: Capture the login request with BurpSuite Send it to Intruder Replay the login request with a different password value utilizing...
The XSS payload injected in the "Display Name" parameter when creating Contacts is vulnerable to Cross-Site Scripting (Stored/Persistent)
Description The XSS payload injected in the "Display Name" parameter when creating Contacts is vulnerable to Cross-Site Scripting (Stored/Persistent). Steps to Reproduce: 1. First, go to the user dashboard, then Contacts: https://demo.modoboa.org/contacts// 2. Then add a new contact, enter the payload...
HTML Injection
Description An HTML Injection vulnerability was discovered in the Accounting module that allows an authenticated user to inject malicious HTML code inside the "accountnumber" parameter. Proof of Concept Video...
Broken access control - Someone can still comment on inactive FAQ NEWS
Description When a FAQ news post turns on the comments feature and disables the post, like in these settings. Screenshot https://imgur.com/a/9UY4QRf If you create a FAQ news post with those settings and view the post, you will notice that the comment section is disabled Screenshot https://imgur.com/a/rY6zJt9 Proof ...
XSS in hyperlink when create FAQ News
Description Stored Cross-Site Scripting XSS through hyperlinks refers to a type of security vulnerability that occurs when an attacker injects malicious code into a hyperlink, which is then stored in the application's database or web server. When a user clicks on the infected hyperlink, the...
XSS in Comment Faq news username parameter
Description Stored Cross-Site Scripting XSS is a type of security vulnerability that occurs when an attacker injects malicious code into a website that is then stored on the server and served to unsuspecting users. This type of XSS is particularly dangerous because it can persist and continue to...
Stored XSS on Configuration Version
Description The form's version field appears to have no validation, which means that the website or application is not properly checking user input for malicious code before storing it in the database. This lack of validation allows an attacker to inject their own malicious script, which can then be...
Stored XSS edit Config Link
Description Stored Cross-Site Scripting XSS through hyperlinks refers to a type of security vulnerability that occurs when an attacker injects malicious code into a hyperlink, which is then stored in the application's database or web server. When a user clicks on the infected hyperlink, the...
Stored xss real name
Description In the admin account, there is a feature to add a user. In this feature, a vulnerability was found in the "Your Name" form. Proof of Concept 1. Go to https://roy.demo.phpmyfaq.de/admin/?action=user 2. Add a user with realname alert'123' 3. Go to...
Account Takeover and Persistence due to the Oauth Misconfiguration
Team, May you all be well on your side of the screen. While doing some research on https://cal.com/, I was able to find a Pre-Account Takeover vulnerability. Proof of concept: I have created a video demonstration of the vulnerability and uploaded it to my Google Drive. The link for the...
Two Stored XSS in Instructions and User Widget
Stored XSS 1 Description 1 The sanitizer function noxsshtml$html can be bypassed since it fails to ban the tag of in $bannedelements = 'script', 'iframe', 'embed';. Because of this omission, the logged-in admin can maliciously inject XSS payloads like in the backend database using the endpoint POST...
buffer over-read in function mhas_dmx_process filters/reframe_mhas.c
Version ➜ gcc git:master ✗ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
off-by-one error in function gf_text_get_utf8_line filters/load_text.c
Version MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC: https://doi.org/10.1145/1291233.1291452 GPAC Configuration:...
No Rate Limit On Reset Password
Description A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests. wikipedia ...
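Three of the reports above (the brute-force entries for the login page and this one for password reset) describe the same missing control: nothing counts failed attempts per account or source, so a captured request can be replayed with a wordlist until one password works. The Python below is an added example of the control those reports ask for, not Modoboa's or any other project's code: LoginRateLimiter, handle_login, FakeClock and simulate_bruteforce are constructed names, the wordlist and the 203.0.113.7 client address are made up, and the 429 status with a Retry-After value follows the convention the description mentions.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window failed-login limiter (constructed example). After `limit`
    failures for a key inside `window` seconds, the key is locked out for
    `lockout` seconds; a successful login clears the key's history."""

    def __init__(self, limit=5, window=60.0, lockout=300.0, clock=time.monotonic):
        self.limit, self.window, self.lockout, self.clock = limit, window, lockout, clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lockout expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, key):
        """Returns (allowed, retry_after_seconds); call before touching the password."""
        now = self.clock()
        until = self._locked_until.get(key, 0.0)
        if now < until:
            return False, int(until - now + 0.999)   # ceil, suitable for a Retry-After header
        self._prune(key, now)
        return True, 0

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.limit:
            self._locked_until[key] = now + self.lockout
            self._failures[key].clear()

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def handle_login(limiter, username, client_ip, password, verify):
    """Hypothetical login handler: the limiter answers 429 before the credential is checked."""
    key = f"{username}@{client_ip}"   # per account and per source; see the note below
    allowed, retry_after = limiter.check(key)
    if not allowed:
        return {"status": 429, "retry_after": retry_after}
    if verify(username, password):
        limiter.record_success(key)
        return {"status": 200}
    limiter.record_failure(key)
    return {"status": 401}


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the scenario is reproducible."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_bruteforce():
    """Constructed scenario: an Intruder-style replay of the login request with a
    wordlist whose sixth entry is the real password. Returns the HTTP statuses seen."""
    clock = FakeClock()
    limiter = LoginRateLimiter(limit=5, window=60.0, lockout=300.0, clock=clock)

    def verify(user, pw):                      # stand-in for the real credential check
        return (user, pw) == ("admin", "correct horse battery staple")

    wordlist = ["123456", "password", "admin", "letmein", "qwerty",
                "correct horse battery staple"]
    statuses = []
    for pw in wordlist:
        statuses.append(handle_login(limiter, "admin", "203.0.113.7", pw, verify)["status"])
        clock.advance(0.5)                     # attacker fires two requests per second
    clock.advance(300)                         # wait out the lockout, retry the right password
    statuses.append(handle_login(limiter, "admin", "203.0.113.7",
                                 "correct horse battery staple", verify)["status"])
    return statuses                            # [401, 401, 401, 401, 401, 429, 200]


if __name__ == "__main__":
    print(simulate_bruteforce())
```

The sixth request carries the correct password and is still refused, which is the whole point: the limiter must run before credential verification, and the same limiter belongs in front of the password-reset endpoint. The key choice is a trade-off: keying on the username alone lets an attacker lock legitimate users out, keying on the client IP alone is defeated by rotating addresses, so per-(account, source) counting is usually paired with a slower global per-account limit, progressive delays or a CAPTCHA.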