SQL Injection in Custom Fields
Description SQL injection when updating custom fields in the admin panel. Malicious web admins can use POST /app/admin/custom-fields/edit-result.php with parameters fieldType=set&fieldSize='1' CHARACTER SET utf8; SELECT sleep(3); to execute the inserted SQL command SELECT sleep(3); and thus result th...
Stored XSS in "DATA IMPORTS" module
Description Due to improper data sanitization and validation in the "DATA IMPORTS" module, authenticated attackers can execute arbitrary web scripts or HTML via a crafted injected payload. Payload In this PoC, I can inject into the "Address" and "City" fields when importing a new user by using the...
Stored XSS
Description answer has a feature to customize the "Site Name" during installation or in the settings page; due to bad sanitization it allows arbitrary HTML code to be inserted, which allows JavaScript code to execute. Every time a user enters the website, the XSS is triggered. Injected payload...
RCE by Server Side Template Injection
Description Hi, During my testing, I discovered that it is possible to inject code into the system through the "first name" field. This vulnerability allows for server-side template injection, which can lead to arbitrary code execution. The impact of this vulnerability is potentially significant...
File Upload lead to Stored XSS bypass csp
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. 1-Login to your application and create a Store called “Test” make all the...
Stored XSS in server settings when upload branding
Description An attacker can upload an arbitrary file with a content type starting with image/ Proof of Concept POST /server/theme HTTP/1.1 Host: localhost:14142 Content-Length: 1077 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99" sec-ch-ua-mobile: ?0...
heap-buffer-overflow in function gf_m2ts_process_tdt_tot media_tools/mpegts.c
Version ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master (c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC: https://doi.org/10.1145/1291233.1291452 GPAC...
Vulnerable to clickjacking
Description Vulnerable to clickjacking Proof of Concept 1 Create an iframe.html with the below contents The iframe element 2 Open it with Firefox and note that the frame is loaded, which indicates potential clickjacking due to the missing X-Frame-Options security header...
NULL Pointer Dereference in function utfc_ptr2len
Description NULL Pointer Dereference in function utfc_ptr2len at mbyte.c:2145 allows attackers to cause a denial of service (application crash) via a crafted input. vim version commit 0caaf1e46511f7a92e036f05e6aa9d5992540117 HEAD - master, tag: v9.0.1293, origin/master, origin/HEAD Author: Yegappa...
Stored XSS on Tag
Description Evil users can attack other users or administrator users through this vulnerability, causing other users/administrator user accounts to be taken over Proof of Concept step 1. Create new tag Step 2: Enter XSS payload to Description tag Step 3: Go to http://127.0.0.1/questions Step 4:...
Stored DOM-based Cross-site Scripting in Tags Functionality
Description A stored, DOM-based cross-site scripting vulnerability exists in answer version 1.0.4 within the question tagging functionality. Steps Step 1. Log in. Step 2. Proceed to create a new question. Populate the Title and Body input. Step 3. Click on the Add tag button, shown in the followi...
Stored XSS Bypass While Adding a New Comment
Description Stored XSS bypass in the add comment function. If you try to inject an XSS payload like that, it won't work, so I found a bypass that is able to bypass Cloudflare with the following payload or and click enter to add a newline and click "add comment" func (cc *CommentController) AddComment(ctx *gin.Context...
Stored XSS in Site Name
Description Stored Cross-site Scripting XSS vulnerability in Site name of answerdev/answer Proof of Concept 1. Log in then 2. Admin --- Setting --- General 3. Enter below payload at Site Name For More Understanding please check POC:...
Complex xss to bypass protection
Description 1. First we log in as a normal user and then comment under a question; the content of the comment is 2. Then we log in as an administrator user and find the comment we just submitted; the administrator can click the edit button. Then the administrator clicks "Save edits" without any...
Privilege Escalation in the Cockpit CMS
Description Hi, during my analyses I realized that it is possible to perform a privilege escalation by intercepting the request and changing the roles from "user" to "admin" becoming the application's administrator. Proof of Concept poc:...
XSS in user supplied title
Issue The useHead function does not sanitize tags inserted in each property, including the title property. Context The useHead repository is a wrapper around vueuse/head which wraps unjs/unhead which wraps harlan-zw/zhead. The possibility of XSS is not described as being a vulnerability in the ro...
Default account creation on all installation methods
Description The credentials of the administrator user console installation are set by default. Additionally in both the console installation and the gui installation a janedoe account is created with default credentials...
CSS injection using component islands and useHead
Description After a component island render, the resulting head is regex'd for tags. This regex is not very robust and can be tricked, allowing for CSS injection. Proof of Concept app.vue vue Nuxt 3 Playground const title = ref nuxt.config.ts ts export default defineNuxtConfig experimental:...
Stored XSS
Description A Cross-Site Scripting XSS vulnerability exists in Dolibarr before 16.0.4 via the ticket creation flow. Exploitation requires that an admin change the value of the box using "onbeforeinput" event. In the worst case, the victim who inadvertently triggers the attack is a highly privileg...
Out of Range Pointer offset in mb_charlen of mbyte.c
Description Out of Range Pointer offset in mb_charlen of mbyte.c Vim Version git log commit 78012f55faf7444e554c0a97a589d99fa215bea9 HEAD - master, tag: v9.0.1275, origin/master, origin/HEAD POC ./vim -u NONE -X -Z -e -s -S poc01.dat -c ':qa!' Segmentation Fault GDB gdb ./vim gdb run -u NONE -X -Z...
Html Injection in Contributors
Description HTML injection in Contributors: you only need an HTML payload in Display Name, and it fires in the Contributors list Proof of Concept 1. Login to squidex 2. Create an app with a random name. 2. Go to Edit Profile, then edit the user's display name with the HTML payload = Sanket722 3. Go to...
GET based CSRF on delete user functionality
Description The /account/delete functionality is vulnerable to CSRF. In this way, an attacker can trick the victim into deleting his own account just by clicking on the link. Steps to reproduce - Login with a user - Now go here: https://app.wallabag.it/account/delete - The account is now deleted without...
Remote Code Execution in "Import Settings" feature
Description Due to improper data validation in the "Import Settings" feature, an authenticated attacker can send crafted settings with a malicious payload inside the "system.croncmdline" value. Steps to reproduce Requirement: PHP code must be executed on the attacker machine - Step 1: Attacker runs a web server an...
IDOR Vulnerability Allows add tag entry user other
Description IDOR vulnerability allows adding tag entries for other users: tags can be added to any user's entry, since there is no user authentication. Also, not limiting the input causes the entry interface to break Proof of Concept Step 1. User A manages entry id 6 Step 2. User B manages entry id 7 Step 3. Login...
Phar Deserialization of Untrusted Data
Description snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitra...
XSS via postMessage to deface any website and account takeover
Description Hey Chatwoot team, while looking for vulnerabilities I found a critical XSS which allow us to XSS/Deface any website which uses the chat, this can be automated to attack thousands of websites Vulnerable Code Inside this function...
Stored Cross Site Scripting in the username
Description Stored XSS occurs when an attacker injects malicious code into a website, which is then stored on the server. In this case, the malicious code is being stored as the user's username. When someone accesses the shared page, the website retrieves the user's username from the server and...
DynamicPHPCode Filtering Bypass leads to Remote Code Execution
Description The "Websites" module in Dolibarr CRM version 6.0.3 and below has a "checkPHPCode" function to check that the page does not contain any malicious function. However, this function only checks by word matching, which allows a malicious authenticated user to bypass it by using...
Restrictive composer.json makes Dompdf vulnerable to URI validation failure on SVG parsing
Description The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing tags with uppercase letters. This might lead to arbitrary object unserialize on PHP tags, in src/Image/Cache.php: if ($type === "svg") $parser = xml_parser_create("utf-8"); xml_parser_set_option($parser,...
xss bypass the sanitize
Description hi, @maintainer. The filter you use to clean XSS is unsafe. Please choose an XSS filter with a large number of users and a high evaluation Proof of Concept 1. Login to the forum as any user. 2. Send dangerous messages to admin users. 3. The value of the Message is below click me 4. Admin use...
Heap Buffer Overflow in function gf_isom_box_size at src/isomedia/box_funcs.c:1997
Description Heap Buffer Overflow in function gf_isom_box_size at src/isomedia/box_funcs.c:1997 gpac version git log commit bbca869177585aaca8eb66d8541079e6f364798e HEAD - master, origin/master, origin/HEAD Author: jeanlf Date: Wed Jan 18 11:40:30 2023 +0100 fixed potentially missing last packets in...
XSS in compose mail functionality
Description Reflected cross-site scripting, or XSS, arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept - Step 1: login as a normal user. - Step 2: click on webmail and click on compose. - Step 3: now enter "...
Cross Site Scripting (XSS) in Model\DataObject\Data\UrlSlug
Description Cross Site Scripting XSS in Model\DataObject\Data\UrlSlug of pimcore/pimcore Proof of Concept 1. Login in stable account URL : https://demo.pimcore.fun/admin 2. Go to System Data --- UrlSlug 3. Enter Payload in UrlSlug with starting with "/" slash. For more understanding please check...
xss bypass the filter
Description hi, @maintainer. The filter you use to clean XSS is unsafe. Please choose an XSS filter with a large number of users and a high evaluation Video link You can watch my video through this link first. link https://drive.google.com/file/d/1mh9hiDxmybLQGPw-z36qBdsEcEOoPw8/view?usp=sharelink...
XSS in HTML-Tags
Description Cross site scripting vulnerability in pimcore/pimcore in HTML-Tags of "SEO & Settings" Proof of Concept 1. Login in stable account URL : https://demo.pimcore.fun/admin/?dc=1675166039&perspective= 2. Go to Home --- SEO & Settings 3. Enter Payload in HTML-Tags For More Understanding...
Reflected XSS
Description Reflected Cross-Site Scripting (XSS) vulnerability in LibreNMS 22.12.0 - Fri Dec 30 2022 10:11:51 GMT+0100 allows attackers to execute arbitrary external JavaScript code in the browser via the affected /ports/group parameter. 1. Login 2. Navigate to the PoC link Proof of Concept...
XSS caused by sending information between users
Description The forum allows users to send information. Although the script tag cannot be used, the img tag can also cause XSS. And the program's filtering of the "cookie" string can be bypassed by means of entity encoding. Video link You can watch my video through this link first. link...
Session Fixation in https://demo.froxlor.org/
Description The session ID does not rotate even after re-login POC 1. Change the PHPSESSID=newsessionchanged and then login 2. Use the same session in a new browser and, as you can see, you are logged into the account 3. You can try logging out and logging in again; the PHPSESSID doesn't change. Video POC:...
CSRF in all endpoints of /lib/ajax.php by Changing the request method to GET
Description I have found a CSRF in all the requests in /lib/ajax.php by changing the request method to GET, and the page also gets errors, so the user cannot use any function on the page Proof of Concept 1. Go to https://demo.froxlor.org/ and login as any user, i.e. admin 2. Now open...
Open Redirect on "returnUrl=" parameter
Description Hello Team, while testing the "returnUrl=" parameter on the login page it was not vulnerable, but I found another way to get an Open Redirect with that parameter Proof of Concept Here is the Video POC of this vulnerability...
Incorrect Calculation of Buffer Size in function yank_copy_line
Description Incorrect Calculation of Buffer Size in function yank_copy_line at register.c:1468 vim version git log commit 657aea7fc47fb919ce76fad64ba0ec55a1af80f1 HEAD - master, tag: v9.0.1249, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocnsp01s.dat -c :qa!...
weak Password Policy Directory Protection
Hello, The strong Password Policy is in place everywhere. BUT the Directory Protection part allows bypassing this strong Password Policy and setting a Password like 1. This is very easy to bruteforce. Let's see: ------ Password is set to 1 and it will get accepted. As you can see the Password got...
Language Dropdown Menu Manipulation
Hello It is possible to manipulate the Language Dropdown Menu and change it to anything the attacker wants. Process of the Vulnerability: 1. Login 2. Go to Miscellaneous - Email & file templates 3. Add Template - Change & Save and intercept the Request 4. Change the Language to anything you want ---...
SQL Database Error could lead to SQL Injection with internal Path Disclosure
Hello, Through manipulating a parameter I get an SQL error, which can lead to SQL injection. Plus there is an internal path disclosure. Best regards Ahmed Hassan...
Dropdown Menu Manipulation leads to stored HTML Injection
Hello In the Cronjob we can change the Interval Time dropdown menu "minutes" into a stored HTML injection. There are 2 vulnerabilities: 1. First, the dropdown menu should be fixed so that nobody can alter or change anything, which we will do 2. Second, we can implement a stored HTML injection with...
Unauthenticated CSRF to XSS on login page
Description The user-email parameter is vulnerable to XSS on the login page. In this way it is possible to execute JavaScript code in an unauthenticated user's browser. To exploit the vulnerability, since it is a POST request, an HTML PoC is necessary in order to trigger a CSRF on the login form...
CSRF attack used to change user's email, thus blocking its access to the application.
Description The application lacks protection against Cross-Site Request Forgery CSRF because it fails to verify the implementation of the CSRF Token. For example, if a victim visits the following site crafted by the attacker while logged in at the target application, the browser will issue the...
Admin TakeOver
Description The endpoint /api/v2/token/ allows an unauthorized user to perform brute-forcing, and the app doesn't block requests that do not have any SESSION COOKIE or even a CSRF token Request POST /api/v2/token/ HTTP/1.1 Host: demo.modoboa.org User-Agent: Mozilla/5.0 X11; Linux x86_64; rv:109.0...
stored Blind XSS in Admin Panel through FAQ-Proposal leads to Admin Full Account Takeover
Hello. Vulnerability: Blind XSS in Admin Panel while generating Report 1. Without being logged in to the Application 2. Go to FAQ-Proposal - put an XSS Payload like alert('1') in the question Field 4. Send the Proposal ------ 4. Admin will login 5. The Proposal will pop up in the Category you specifi...
Name Field and all other required Fields Bypass while doing FAQ Proposals
Dear Ladies and Gentlemen, I was able to identify, in the process of sending a FAQ Proposal, a Username and all other required Fields Bypass Vulnerability. The Attacker can bypass all the required fields by sending a space in any required field like name, text, answer or question which is a require...