XSS in user supplied title
Issue The useHead function does not sanitize tags inserted in each property, including the title property. Context The useHead repository is a wrapper around vueuse/head which wraps unjs/unhead which wraps harlan-zw/zhead. The possibility of XSS is not described as being a vulnerability in the ro...
Default account creation on all installation methods
Description The credentials of the administrator user console installation are set by default. Additionally, in both the console installation and the GUI installation, a janedoe account is created with default credentials...
CSS injection using component islands and useHead
Description After a component island render, the resulting head is regex'd for tags. This regex is not very robust and can be tricked, allowing for CSS injection. Proof of Concept app.vue vue Nuxt 3 Playground const title = ref nuxt.config.ts ts export default defineNuxtConfig experimental:...
Stored XSS
Description A Cross-Site Scripting (XSS) vulnerability exists in Dolibarr before 16.0.4 via the ticket creation flow. Exploitation requires that an admin change the value of the box using the "onbeforeinput" event. In the worst case, the victim who inadvertently triggers the attack is a highly privileg...
Out of Range Pointer offset in mb_charlen of mbyte.c
Description Out of Range Pointer offset in mb_charlen of mbyte.c Vim Version git log commit 78012f55faf7444e554c0a97a589d99fa215bea9 (HEAD -> master, tag: v9.0.1275, origin/master, origin/HEAD) POC ./vim -u NONE -X -Z -e -s -S poc01.dat -c ':qa!' Segmentation Fault GDB gdb ./vim gdb run -u NONE -X -Z...
Html Injection in Contributors
Description HTML injection in Contributors; it only needs an HTML payload in the Display Name, which fires in the Contributors list. Proof of Concept 1. Login to squidex 2. Create an app with a random name. 3. Go to Edit Profile then edit the user's display name with HTML payload = Sanket722 4. Go to...
GET based CSRF on delete user functionality
Description The /account/delete functionality is vulnerable to CSRF. In this way, an attacker can trick the victim into deleting their own account just by clicking on a link. Steps to reproduce - Login with a user - Now go here: https://app.wallabag.it/account/delete - The account is now deleted without...
Remote Code Execution in "Import Settings" feature
Description Due to improper data validation in the "Import Settings" feature, an authenticated attacker can send crafted settings with a malicious payload inside the "system.croncmdline" value. Steps to reproduce Requirement: PHP code must be executed on the attacker's machine - Step 1: Attacker runs a web server an...
IDOR Vulnerability Allows Adding Tag Entries for Other Users
Description IDOR vulnerability allows adding tag entries for other users: tags can be added to any user, since there is no user authentication. Not limiting the input also causes the entry interface to break. Proof of Concept Step 1. User A manages entry id 6 Step 2. User B manages entry id 7 Step 3. Login...
Phar Deserialization of Untrusted Data
Description snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitra...
XSS via postMessage to deface any website and account takeover
Description Hey Chatwoot team, while looking for vulnerabilities I found a critical XSS which allows us to XSS/deface any website which uses the chat; this can be automated to attack thousands of websites. Vulnerable Code Inside this function...
Stored Cross Site Scripting in the username
Description Stored XSS occurs when an attacker injects malicious code into a website, which is then stored on the server. In this case, the malicious code is being stored as the user's username. When someone accesses the shared page, the website retrieves the user's username from the server and...
DynamicPHPCode Filtering Bypass leads to Remote Code Execution
Description The "Websites" module in Dolibarr CRM version 6.0.3 and below has a "checkPHPCode" function to ensure that the page does not contain any malicious function. However, this function only checks by word matching, which allows a malicious authenticated user to bypass it by using...
Restrictive composer.json makes Dompdf vulnerable to URI validation failure on SVG parsing
Description The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing tags with uppercase letters. This might lead to arbitrary object unserialize on PHP tags, in src/Image/Cache.php: if ($type === "svg") { $parser = xml_parser_create("utf-8"); xml_parser_set_option($parser,...
xss bypass the sanitize
Description Hi, @maintainer. The filter you use to clean XSS is unsafe. Please choose an XSS filter with a large number of users and a high evaluation. Proof of Concept 1. Login to the forum as any user. 2. Send dangerous messages to admin users. 3. The value of the Message is below click me 4. Admin use...
Heap Buffer Overflow in function gf_isom_box_size at src/isomedia/box_funcs.c:1997
Description Heap Buffer Overflow in function gf_isom_box_size at src/isomedia/box_funcs.c:1997 gpac version git log commit bbca869177585aaca8eb66d8541079e6f364798e (HEAD -> master, origin/master, origin/HEAD) Author: jeanlf Date: Wed Jan 18 11:40:30 2023 +0100 fixed potentially missing last packets in...
XSS in compose mail functionality
Description Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept - Step 1: login as a normal user. - Step 2: click on webmail and click on compose. - Step 3: now enter "...
Cross Site Scripting (XSS) in Model\DataObject\Data\UrlSlug
Description Cross Site Scripting (XSS) in Model\DataObject\Data\UrlSlug of pimcore/pimcore Proof of Concept 1. Login in stable account URL : https://demo.pimcore.fun/admin 2. Go to System Data --- UrlSlug 3. Enter Payload in UrlSlug starting with "/" slash. For more understanding please check...
xss bypass the filter
Description Hi, @maintainer. The filter you use to clean XSS is unsafe. Please choose an XSS filter with a large number of users and a high evaluation. Video link You can watch my video through this link first. link https://drive.google.com/file/d/1mh9hiDxmybLQGPw-z36qBdsEcEOoPw8/view?usp=share_link...
XSS in HTML-Tags
Description Cross site scripting vulnerability in pimcore/pimcore in HTML-Tags of "SEO & Settings" Proof of Concept 1. Login in stable account URL : https://demo.pimcore.fun/admin/?dc=1675166039&perspective= 2. Go to Home --- SEO & Settings 3. Enter Payload in HTML-Tags For More Understanding...
Reflected XSS
Description Reflected Cross-Site Scripting (XSS) vulnerability in LibreNMS 22.12.0 - Fri Dec 30 2022 10:11:51 GMT+0100 allows attackers to execute arbitrary external JavaScript code in the affected browser via the /ports/group parameter. 1. Login 2. Navigate to PoC link Proof of Concept...
XSS caused by sending information between users
Description The forum allows users to send information. Although the script tag cannot be used, the img tag can also cause XSS. And the program can bypass the filtering of the "cookie" string by means of entity encoding. Video link You can watch my video through this link first. link...
Session Fixation in https://demo.froxlor.org/
Description The session ID does not rotate even after re-login. POC 1. Change the PHPSESSID=newsessionchanged and then login 2. Use the same session in a new browser and, as you can see, you are logged into the account 3. You can try logging out and logging in again; the PHPSESSID doesn't change. Video POC:...
CSRF in all endpoints of /lib/ajax.php by Changing the request method to GET
Description I have found a CSRF in all the requests in /lib/ajax.php by changing the request method to GET, and the page also gets errors, so the user cannot use any function on the page. Proof of Concept 1. Go to https://demo.froxlor.org/ and login as any user, i.e. admin 2. Now open...
Open Redirect on "returnUrl=" parameter
Description Hello Team, while testing the "returnUrl=" parameter on the login page it was not vulnerable, but I found another way to get an Open Redirect with that parameter. Proof of Concept Here is the Video POC of this vulnerability...
Incorrect Calculation of Buffer Size in function yank_copy_line
Description Incorrect Calculation of Buffer Size in function yank_copy_line at register.c:1468 vim version git log commit 657aea7fc47fb919ce76fad64ba0ec55a1af80f1 (HEAD -> master, tag: v9.0.1249, origin/master, origin/HEAD) POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocnsp01s.dat -c :qa!...
Weak Password Policy in Directory Protection
Hello, the strong Password Policy is in place everywhere. BUT the Directory Protection part allows bypassing this strong Password Policy and setting a Password like 1. This is very easy to brute-force. Let's see: ------ Password is set to 1 and it will get accepted. As you can see the Password got...
Language Dropdown Menu Manipulation
Hello, it is possible to manipulate the Language Dropdown Menu and change it to anything the attacker wants. Process of the Vulnerability: 1. Login 2. Go to Miscellaneous - Email & file templates 3. Add Template - Change & Save and intercept the Request 4. Change the Language to anything you want ---...
SQL Database Error could lead to SQL Injection with internal Path Disclosure
Hello, through manipulating a Parameter I get an SQL Error which can lead to SQL Injection. Plus there is an internal Path Disclosure. Best regards Ahmed Hassan...
Dropdown Menu Manipulation leads to stored HTML Injection
Hello, in the Cronjob we can change the Interval Time Dropdown Menu "minutes" into a stored HTML Injection. There are 2 Vulnerabilities: 1. First, the Dropdown Menu should be fixed so that nobody can alter or change anything, which we will do 2. Second, we can implement a stored HTML Injection with...
Unauthenticated CSRF to XSS on login page
Description The user-email parameter is vulnerable to XSS on the login page. In this way it is possible to execute JavaScript code on an unauthenticated user. To exploit the vulnerability, since it is a POST request, an HTML PoC is necessary in order to trigger a CSRF on the login form...
CSRF attack used to change user's email, thus blocking its access to the application.
Description The application lacks protection against Cross-Site Request Forgery (CSRF) because it fails to verify the implementation of the CSRF Token. For example, if a victim visits the following site crafted by the attacker while logged in at the target application, the browser will issue the...
Admin TakeOver
Description The endpoint /api/v2/token/ allows an unauthorized user to perform brute-forcing and the app doesn't block requests that do not have any SESSION COOKIE or even a CSRF token. Request POST /api/v2/token/ HTTP/1.1 Host: demo.modoboa.org User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0...
Stored Blind XSS in Admin Panel through FAQ-Proposal leads to Admin Full Account Takeover
Hello. Vulnerability: Blind XSS in Admin Panel while generating Report 1. Without being logged in to the Application 2. Go to FAQ-Proposal - put an XSS Payload like alert'1' in the question Field 3. Send the Proposal ------ 4. Admin will login 5. The Proposal will pop up in the Category you specifi...
Name Field and all other required Fields Bypass while doing FAQ Proposals
Dear Ladies and Gentlemen, in the Process of sending a FAQ Proposal I was able to identify a Username and all other required Fields Bypass Vulnerability. The Attacker can bypass all the required fields by sending a space in any required field like name, text, answer or question, which is a require...
Privilege Escalation from customer to root
Privilege Escalation from Customer to Root First of all, sorry for the formatting of the report, but this platform is a mess. I can't attach any PoC files (added chapters at the end of the report instead), can't attach any screenshots, nor provide a report as PDF. And btw markdown is only partly...
File Upload Type Validation Error leads to Stored XSS
Description Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. STEPS TO REPRODUCE 1. Login to your application and create a Store called...
Important E-Mail Input Field bypassed allowing Account Lockout and Takeover
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Josef Hassan [email protected] and I were able to identify an Account Lockout Vulnerability by bypassing the Input of the E-Mail Address. The Process of...
Stored/Reflected XSS in identities leads to chained stored XSS in logs
Description The XSS payload injected in the identities to create a new account leads to stored and reflected XSS in the identities page and also in the logs page. Steps to Reproduce 1. Go to admin/identities 2. Enter the payload in the username, first name and last name as these fields are not...
Multiple stored XSS
Description Hello! Found multiple stored XSS. PoCs "About me" XSS Insert this code in "About me" http://host/users/settings/profile Website title XSS go to /admin/general, edit 'Site Name' adding the following payload alert"XSS ATTACK!" The script will be executed every time you reload the page...
Account Takeover via reset password
Description Password recovery leads to Account Take Over due to reset code leakage. Proof of Concept Create an account in https://meta.answer.dev/ and verify the mail, then log out. Go to password recovery https://meta.answer.dev/users/account-recovery, insert your email and capture the server respons...
FusionCMS (FusionGen) Takeover account - Predictable Key and Password Generation in Password Recovery Feature
Description It was discovered that the password recovery feature on the website is vulnerable to predictable key and password generation. An attacker is able to predict the key used in the password recovery process and the generated password itself by using a specific PHP command and the user's...
Anti-CSRF mechanism is not present
Description The application is vulnerable to a CSRF attack. Proof of Concept 1. Login as admin. 2. Open the following HTML file in the browser. This action is equivalent to clicking a link sent by an attacker. trap.html html history.pushState('', '', '/') 3. Click the button. 4. A new user is creat...
Improper Restriction of Rendered UI Layers or Frames
Description It is possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept http://localhost:8000/admin/ Response headers http HTTP/1.1 200 OK Server: gunicorn Date: Tue, 24 Jan 202...
stored HTML-Injection in the FAQ-Proposal
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Josef Hassan [email protected] and I were able to identify another stored HTML-Injection Vulnerability in the FAQ-Proposal Form. The Process of the...
Stored HTML-Injection through the Question Form
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Josef Hassan [email protected] and I were able to identify another stored HTML-Injection Vulnerability in the Question Form. The Process of the...
stored XSS through Question sending
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Ahmed Hassan [email protected] and I were able to identify another stored XSS (Cross-Site-Scripting) Injection Vulnerability. The Process of the...
Stored XSS - allows stealing Admin and Users Cookies
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Ahmed Hassan [email protected] and I were able to identify a stored XSS (Cross-Site-Scripting) Vulnerability. The Process of the Vulnerability: Login ...
Divide By Zero in function adjust_skipcol
Description Divide By Zero in function adjust_skipcol at move.c:1978 vim version git log commit 7193323b7796c05573f3aa89d422e848feb3a8dc (HEAD -> master, tag: v9.0.1223, origin/master, origin/HEAD) POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocdbz01s.dat -c :qa! Floating point exception GDB gdb...
User with no permissions can increase his role to administrator
Description A user with no permissions can increase his role to administrator. Proof of Concept Hey, I am new on this platform. Steps: - Login to your administrator account, go to People, and create a user with zero permissions (you can create a permission group with zero permissions) - then login to your restricted...