Broken Access Control
Vulnerability Broken Access Control Issue Description: • Access control is the way how a web application grants access to content and functions to some users and not others. • These checks are performed after authentication and govern what ‘authorized’ users are allowed to do. • Jeffrey discovere...
Reflected XSS in send2friend.php
Description There is a reflected XSS in send2friend because the 'artlang' parameter is not sanitized. Proof of Concept visit http://phpmyfaq.local/?action=send2friend&artlang=aaaa"%3E%3Cscript%3Ealert1;%3C/script%3E Fix sanitize the '$faqLanguage' variable in...
stored xss
Description stored xss bug SUMMARY here I used the demo installation https://demo.limesurvey.org/ in the Firefox browser Proof of Concept login into any user account who has permission to view the survey and visit url...
reflected xss
Description reflected xss SUMMARY here I used the demo installation https://demo.limesurvey.org/ in the Firefox browser Proof of Concept login into user account and visit...
Stored XSS From Visitor to Acc Takeover
Description Using X-Forwarded-For Header Visitor can manipulate ip to trigger xss Proof of Concept 1.Visit any url and Add Header X-Forward-For: 127.0.0.1" 2.If admin check in dashboard xss will trigger Check This image...
Stored Cross-Site Scripting in survey administrator name
Description The administrator name field in Survey settings has a Stored Cross-Site scripting vulnerability as it does not sanitize the user input administrator name. A user can enter the javascript payload "alertdocument.cookie in the Administrator name field and the XSS executes in the...
Folder in webmail mailbox is vulnerable to Cross-Site Scripting (Reflective)
Issue Description • Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause...
Cross-site Scripting (XSS) - Stored
Description 1. https://11.x-dev.pimcore.fun/admin/ 2. Go to Settings - Thumbnails - Video Thumbnails 3. Click the button Add Media Segment 4. Write : " and then click ok...
Stored XSS in the adminlog functionality.
Description There is a stored XSS in the 'adminlog' functionality. E.g. the page http://phpmyfaq.local/admin/?action=adminlog shows failed login attempts. If a user with the username 'alert1;' tries to log in, it gets logged and displayed on the adminlog unsanitized. Proof of Concept 1. visit...
HTML injection leads to Open Redirect
Description Hello, I have located an html injection in the symbol field: Steps : 1 - log in as administrator 2 - Go to Options 3 - Go to Currencies 4 - Insert the html code in the symbol field and by inserting the following payload i was able to redirect the user to a malicious site. CLICK ME Pro...
heap-buffer-overflow in function adts_dmx_process filters/reframe_adts.c
Version MP4Box - GPAC version 2.3-DEV-rev44-gbe9f8d395-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC: https://doi.org/10.1145/1291233.1291452 GPAC Configuration:...
Unauthorized Rest Api owned by Joomla(officially accepted)
Description Joomla has provided the Rest API since version 4.0. These APIs need to provide authentication information when accessed, but if public is added to the request parameters when accessing the API, then any unauthenticated user can directly access Proof of Concept Api can directly obtain...
User with only "edit" can delete post and sometimes can add post
Description If you create a user with edit-only user rights, they should not be able to perform delete or add actions. This is really an admin error, because users with edit permissions can delete posts, and in the case of FAQs, they can also add posts. Proof of Concept 1.Create new user with edi...
Captcha Bypass allows sending unlimited Comments
Hello, I identified a CAPTCHA Bypass after trying many Posts in the Comments Section. Let's see : --------- sent successfully! let's see the comments Comments are available The Question Form is also vulnerable to Captcha Bypass, please check it also. Thank you...
XSS Stored in the email address
Description Hello, I have located an xss stored by performing the following step: 1 - Go to tools 2 - GDPR Data Extractor 3 - Insert the payload into the email address 4 - click in send emails Proof of Concept...
stored HTML-Injection in the Comments Part
I was able to detect a stored HTML Injection by answering available questions. Let's see : ------------ AHMED HASSAN STORED HTML INJECTION 1 will now answer a question Comment sent let's see the stored HTML Injection As you can see the stored HTML Injection is working. Thanks for watching...
Privilege escalation from user with "add user" to super admin
Description Before I created this submission, I read this report: https://huntr.dev/bounties/258cd498-7275-4b12-ac73-79c9ba3e58e4/. I was afraid that my submission would be a duplicate of that. After reading it carefully, I decided to make a report because my report is not exploiting the backup...
stored XSS in the Category Field Name
Hello, After all XSS Mitigations, I detected a XSS Bypass Possibility in the Naming of the category. Let's see : ----------------- A stored XSS through this Payload Thank you for watching :...
stored XSS after XSS Filter Bypass through exporting an HTML-Document
Hello, After mitigation of all submitted XSS Vulnerabilities I was able to detect another XSS and bypass the XSS Filters in the FAQ Site while generating an HTML Export. Let's see : ------------------- This is the XSS Payload with XSS Ahmed 2 Only XSS Ahmed 2 will work ! Now let's export it in HTML5...
Stored XSS in Email Blacklist Function
Description Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XS...
heap-use-after-free in function bt_quickfix
Description heap-use-after-free in function bt_quickfix at buffer.c:5770 Vim Version git log commit 32ff96ef018eb1a5bea0953648b4892a6ee71658 HEAD - master, tag: v9.0.1307, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S btquickfixpoc -c :qa!...
No Protection Against Bruteforce Attacks on Login Page in
Description Modoboa does not restrict or limit unsuccessful login attempts allowing an attacker to brute force the password of a known user Proof of Concept Steps to Reproduce: Capture login request with BurpSuite Send to Intruder Replay the login request with a different password value utilizing...
The XSS payload injected in "Display Name" parameter in creating Contacts is vulnerable to Cross-Site Scripting (Stored/Persistent)
Description The XSS payload injected in "Display Name" parameter in creating Contacts is vulnerable to Cross-Site Scripting Stored/Persistent. Steps to Reproduce: 1. First, go to the user dashboard then contacts: https://demo.modoboa.org/contacts// 2. Then Add new contact, enter the payload...
HTML Injection
Description HTML Injection vulnerability was discovered in Accounting module that allows an authenticated user to inject malicious HTML code inside "accountnumber" parameter. Proof of Concept Video...
Broken access control - Someone still can comment in unactive FAQ NEWS
Description when a NEWS FAQ turns on the comments feature and disables post like this settings. Screenshot https://imgur.com/a/9UY4QRf if you create a FAQ news with those settings and view the post, you will notice that the comment section is disabled Screenshot https://imgur.com/a/rY6zJt9 Proof ...
XSS in hyperlink when create FAQ News
Description Stored Cross-Site Scripting XSS through hyperlinks refers to a type of security vulnerability that occurs when an attacker injects malicious code into a hyperlink, which is then stored in the application's database or web server. When a user clicks on the infected hyperlink, the...
XSS in Comment Faq news username parameter
Description Stored Cross-Site Scripting XSS is a type of security vulnerability that occurs when an attacker injects malicious code into a website that is then stored on the server and served to unsuspecting users. This type of XSS is particularly dangerous because it can persist and continue to...
Stored XSS on Configuration Version
Description In a form version that appears to have no validation, it means that the website or application is not properly checking user inputs for malicious code before storing it in the database. This lack of validation allows an attacker to inject their own malicious script, which can then be...
Stored XSS edit Config Link
Description Stored Cross-Site Scripting XSS through hyperlinks refers to a type of security vulnerability that occurs when an attacker injects malicious code into a hyperlink, which is then stored in the application's database or web server. When a user clicks on the infected hyperlink, the...
Stored xss real name
Description In the admin account, there is a feature to add a user. In this feature, a vulnerability was found in the "Your Name" form. Proof of Concept 1.go to https://roy.demo.phpmyfaq.de/admin/?action=user 2.add user with realname alert'123' 3.go to...
Account Takeover and Persistence due to the Oauth Misconfiguration
Team, May you all be well on your side of the screen. While doing some research on the https://cal.com/, I was able to find a Pre-Account Takeover vulnerability. Proof of concept: I have created a video demonstration of the vulnerability and uploaded it to my Google Drive. The link for the...
Two Stored XSS in Instructions and User Widget
Stored XSS 1 Description 1 The sanitizer function noxsshtml$html can be bypassed since it missed to ban the tag of in $bannedelements = 'script', 'iframe', 'embed';. By this missing, the logged admin can maliciously inject xss payloads like in the backend database using the point POST...
buffer over-read in function mhas_dmx_process filters/reframe_mhas.c
Version ➜ gcc git:master ✗ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
off-by-one error in function gf_text_get_utf8_line filters/load_text.c
Version MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC: https://doi.org/10.1145/1291233.1291452 GPAC Configuration:...
No Rate Limit On Reset Password
Description A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests. wikipedia ...
SQL Injection in Custom Fields
Description SQL injection when updating custom fields in the admin panel. Malicious web admins can use POST /app/admin/custom-fields/edit-result.php with parameters fieldType=set&fieldSize='1' CHARACTER SET utf8; SELECT sleep3; to execute the inserted SQL command SELECT sleep3; and thus result th...
Stored XSS in "DATA IMPORTS" module
Description Due to improper data sanitization and validation in "DATA IMPORTS" module allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected. Payload In this PoC, I can inject into "Address" and "City" fields when importing new user by using the...
Stored XSS
Description answer has a feature to customize the "Site Name" during installation or in the settings page, due to a bad sanitization it allows to put arbitrary html code which allows to execute javascript code. Every time a user enters the website, the xss is triggered. Injected payload...
RCE by Server Side Template Injection
Description Hi, During my testing, I discovered that it is possible to inject code into the system through the "first name" field. This vulnerability allows for server-side template injection, which can lead to arbitrary code execution. The impact of this vulnerability is potentially significant...
File Upload lead to Stored XSS bypass csp
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. 1-Login to your application and create a Store called “Test” make all the...
Stored XSS in server settings when upload branding
Description An attacker can upload an arbitrary file with a content type starting with image/ Proof of Concept POST /server/theme HTTP/1.1 Host: localhost:14142 Content-Length: 1077 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99" sec-ch-ua-mobile: ?0...
heap-buffer-overflow in function gf_m2ts_process_tdt_tot media_tools/mpegts.c
Version ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC: https://doi.org/10.1145/1291233.1291452 GPAC...
Vulnerable to clickjacking
Description Vulnerable to clickjacking Proof of Concept 1 Create an iframe.html with below contents The iframe element 2 Open with firefox and note that the frame is loaded which is potential to clickjacking due to missing x-frame-options security headers...
NULL Pointer Dereference in function utfc_ptr2len
Description NULL Pointer Dereference in function utfc_ptr2len at mbyte.c.c:2145 allows attackers to cause a denial of service application crash via a crafted input. vim version commit 0caaf1e46511f7a92e036f05e6aa9d5992540117 HEAD - master, tag: v9.0.1293, origin/master, origin/HEAD Author: Yegappa...
Stored XSS on Tag
Description Evil users can attack other users or administrator users through this vulnerability, causing other users/administrator user accounts to be taken over Proof of Concept step 1. Create new tag Step 2: Enter XSS payload to Description tag Step 3: Go to http://127.0.0.1/questions Step 4:...
Stored DOM-based Cross-site Scripting in Tags Functionality
Description A stored, DOM-based cross-site scripting vulnerability exists in answer version 1.0.4 within the question tagging functionality. Steps Step 1. Log in. Step 2. Proceed to create a new question. Populate the Title and Body input. Step 3. Click on the Add tag button, shown in the followi...
Stored XSS Bypass While add a new Comment
Description Stored XSS bypass in add comments function if you try to inject XSS payload like that won't work ,So I found a bypass that able to bypass cloudflare with the following payload or and click enter to add newline and click "add comment" func cc CommentController AddCommentctx gin.Context...
Stored XSS in Site Name
Description Stored Cross-site Scripting XSS vulnerability in Site name of answerdev/answer Proof of Concept 1. Log in then 2. Admin --- Setting --- General 3. Enter below payload at Site Name For More Understanding please check POC:...
Complex xss to bypass protection
Description 1.First we login as a normal user, and then comment under a question, the content of the comment is 2.Then we login as an administrator user. And find the comment we just submitted, the administrator can click the edit button. Then the administrator Click "Save edits" without any...
Privilege Escalation in the Cockpit CMS
Description Hi, during my analyses I realized that it is possible to perform a privilege escalation by intercepting the request and changing the roles from "user" to "admin" becoming the application's administrator. Proof of Concept poc:...