4057 matches found
heap-buffer-overflow in function utfc_ptr2len
Description Heap-based Buffer Overflow in function utfc_ptr2len at mbyte.c:2145 Vim Version git log commit ebfec1c531f32d424bb2aca6e7391ef3bfcbfe20 HEAD - master, tag: v9.0.1234, origin/master, origin/HEAD Both POCs also apply to v9.0.1262: git log commit f2e30d0c448b9754d0d4daa901b51fbbf4c30747...
Heap Use After Free in function ins_compl_get_exp
Description Heap Use After Free in function ins_compl_get_exp at insexpand.c:3846 vim version git log commit 7193323b7796c05573f3aa89d422e848feb3a8dc HEAD - master, tag: v9.0.1223, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf01s.dat -c :qa!...
IDOR vulnerability allowing to update another user's annotations
Description IDOR vulnerability was discovered in wallabag. Proof of Concept 1. Login as a victim. 2. Create an entry and an annotation. In this case the annotation's ID is 3. 3. Login as an attacker. 4. Send the following request. request http PUT /annotations/3 HTTP/1.1 Host: localhost:8000...
Stored HTML Injection
Dear Ladies and Gentlemen, First of all thank you for your time and effort reading my Report. While doing the Penetration Test I was able to identify a stored XSS in the Username. When an admin or another User tries to set up a new account and sets his name to alert‘1’ the Javascript will run and...
No Password Policy at all during Registration and Password Change allows Account Takeover Exploitation
Dear Ladies and Gentlemen, First of all thank you for your time and effort reading my Report. While doing the Penetration Test I was able to identify a weak Password Policy during Registration and Password changing, allowing an attacker to easily exploit an account Takeover Vulnerability. This is due no...
Arbitrary txt files deletion (authenticated)
Description The file sources/export.queries.php can be exploited by any authenticated user to remove arbitrary txt files. If the system administrator configured the base path for the teampass-seckey.txt to be /var/teampass, as shown in the official example, it is possible to remove it causing a...
HTML-Injection
Dear Ladies and Gentlemen, First of all thank you for your time and effort reading my Report. While doing the Penetration Test I was able to identify a reflected HTML-Injection. The Process of the Vulnerability: 1. Login 2. Go to https://roy.demo.phpmyfaq.de/admin/?action=tags 3. Type any kind o...
CSRF leading to removal of Administrator users
Description The remove function is vulnerable to CSRF, leading to removal of any Administrator users GET /admin/permissions/remove/?domid=2&daid=15 Proof of Concept 1/ visit /admin/domains/1/ 2/ the delete button to remove a permission is vulnerable to CSRF...
Stored/Reflected XSS when adding a new domain
Description There is an XSS vulnerability where a malicious script is injected directly into the list of domains Proof of Concept 1/ go to admin/domains/ 2/ click add to add a new domain 3/ in the name section add this payload " and you can see the payload executed POC...
Cookie without "Secure" and "HttpOnly" flag attributes
Description HttpOnly and Secure attribute is not set for session cookies in the application. Proof of Concept https://drive.google.com/file/d/1ZAanmAbOn-jSf6ZMS5JIQKUzJ78fUrea/view?usp=sharing...
Email enumeration via sending a magic sign in link functionality
Description The sending a magic sign in link functionality is vulnerable to an email enumeration attack. Proof of Concept If you enter a registered email, you will get the Login Link Sent! message. If you enter a non-registered email, you will get the Unknown email address. message...
Stored HTML Injection
Team, I hope you are all doing well. I wanted to bring to your attention a potential vulnerability on the website https://mainnet.demo.btcpayserver.org/account/apikeys. During my research, I discovered that the api key label field is vulnerable to a stored HTML injection attack. Proof of...
File Upload Type Validation Error
Description The application does not properly validate the file type or extension during the upload process, allowing any authenticated user to bypass it. Steps To Reproduce - Navigate to this URL: https://demo.bumsys.org/settings/shop-list/ - Click on action button to edit the Profile - Click on...
SSL certificate verification disabled
Description When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived...
heap-buffer-overflow in same_leader and utfc_ptr2len
Description Heap-based Buffer Overflow in function same_leader at textformat.c:558 Heap-based Buffer Overflow in function utfc_ptr2len at mbyte.c:2138 Vim Version git log commit f97a295ccaa9803367f3714cdefce4e2283c771d HEAD - master, tag: v9.0.1221, origin/master, origin/HEAD Able to replicate the...
Improper authorization
Description In phpIPAM 1.5.1, an unauthenticated user could download the list of high-usage IP subnets that contains sensitive information such as a subnet description, IP ranges, and usage rates via findfullsubnets.php endpoint. The bug lies in the fact that findfullsubnets.php does not verify i...
CSRF leading to delete a user
Description The deleting a user functionality is vulnerable to a CSRF attack. The cause is the same as for the deleting a domain functionality. Proof of Concept 1. Login as admin. 2. Create a user to be deleted. E.g. the user ID is 2. 3. Open the following file in the browser. html history.pushState'',...
An attacker can view private posts
Description The bookmark saving functionality performs an improper authorization check. To exploit this, an attacker is required to know the target post ID. This is done via a share link or, less likely, by brute-forcing. Proof of Concept 1. victim Create a new post whose visibility is Followers Only...
Email enumeration via reset password functionality
Description User enumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system. The malicious actor is looking for differences in the server's response based on the validity of submitted credentials. The differences can be inside the...
Reflected XSS - Accounting Module - Maintenance - Delete Accounting Records
Description A reflected cross-site scripting XSS vulnerability exists within acct-maintenance-delete.php, which allows a malicious user to execute arbitrary JavaScript code. The vulnerable parameters are username, startdate, and enddate. Proof of Concept 1. Navigate to /acct-maintenance-delete.ph...
SQL Injection in search function
Description In the search function with options recentplayed, user input is taken directly into the query without being included in the prepared statement Proof of Concept POST /ampache-5.5.6allphp7.4/public/search.php?type=song HTTP/1.1 Host: localhost:8888 User-Agent: Mozilla/5.0...
File Upload Type Validation Error
Description The upload functionality for updating the user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature, e.g. GIF89, and sending any invalid content-type. This could allow an authenticated attacker to...
Reflected XSS - Accounting Module - Maintenance - Cleanup Stale Sessions
Description A reflected cross-site scripting XSS vulnerability exists within acct-maintenance-cleanup.php, which allows a malicious user to execute arbitrary JavaScript code. Proof of Concept 1. Navigate to /acct-maintenance-cleanup.php and enter the following payload alert1 within the username...
Reflected XSS on msg Parameter
Description Hello Team, Hope you're doing well, There is no sanitization for the user input in msg parameter on the print.php file. Proof of Concept for some reason, I don't know why I can't prove the vulnerability on demo.bumsys.org but here is the PoC payload is:...
heap-use-after-free in gf_odf_vvc_cfg_read_bs
Description heap-use-after-free in gf_odf_vvc_cfg_read_bs at odf/descriptors.c:1403 Version Author: Lim Wei Cheng ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev23-g5a733aec7-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io same POC can also trigger heap-use-after-fre...
CSRF, Reflected XSS and Stored XSS in add instance function
Description The add instance function allows creation of an instance from user input but does not have any sanitizing mechanism, which results in a Reflected XSS bug. This feature can be used by any user in the system, including guest users. After creation the instance will be saved on the...
SQL injection in API authorization check
Description TeamPass /authorize API endpoint is vulnerable to SQL injection in the login field. It is possible to forge an arbitrary Blowfish hash and use it in the query to bypass the password verification check. Using the same query it is possible to define an arbitrary apikey value too: "login...
HTML Injection in add expense via transaction tab
Steps to reproduce After logging into the demo account, go to the transaction page, where you can add or create an expense. If you're on the right path, while creating or adding an expense there will be a description field. In the Description field, enter the following payload Y00 and click save. Now, you...
CSRF leading to delete a domain
Description GET /admin/domains/id/delete/ page is vulnerable to a CSRF attack. Proof of Concept 1. Login as admin. 2. Create a domain to be deleted. E.g. the domain ID is 4. 3. Open the following file in the browser. html history.pushState'', '', '/' document.forms0.submit;...
A User Can Unblock Themself
Description PUT /api/v1/users/id API doesn't properly check the authorization. Proof of Concept 1. admin Enable user registration functionality. 2. user Register new user and login as them. 3. user Create OAuth client. 4. admin Block the new user on admin panel. 5. user Send the following request:...
Path Traversal - Archiving Files to Zip
Description The Tiny File Manager pack files feature is vulnerable to path traversal, which allows an attacker to access files that reside outside the web document root directory. The vulnerability occurs as the "file" parameter is not sanitized properly, thus allowing a malicious user to input...
Race Condition exists in the collection
Description Ordinary users can use this vulnerability to attack other users' question collection, which can break through a single user's restriction of only collecting or cancelling the collection once, resulting in too many or negative collections Proof of Concept step1. Open burp, click collection, a...
Stored XSS in Your Answer
Description Evil users can attack other users or administrator users through this vulnerability, causing other users/administrator user accounts to be taken over Proof of Concept step1. Insert xss payload in the hyperlink of the question answer javaScript:alertlocalStorage.getItem'alui' step2. An...
SVG Sanitization Bypass - XSS
Description In the imgproxy application, we bypassed the svg sanitization function. In this way, an attacker can craft a malicious svg file and run javascript on the application. Proof of Concept Here is the content of the malicious svg file. After that you can call this svg file like below...
Image upload function has storage xss vulnerability
Description Malicious users can upload files containing malicious html code through this vulnerability, resulting in the theft of identity tokens of other users/administrators accessing related pages and the account being taken over Proof of Concept step1. Log in to a common user account step2...
Heap-based Buffer Overflow in function ml_append_int
Description Heap-based Buffer Overflow in function ml_append_int at memline.c:2951 vim version git log commit 043d7b2c84cda275354aa023b5769660ea70a168 HEAD - master, tag: v9.0.1182, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbo02s.dat -c :qa!...
No Protection Against Bruteforce Attacks on Login Page
Description Twake does not limit unsuccessful login attempts, allowing an attacker to brute force the password of an administrator or regular user. Proof of Concept Steps to reproduce Because Twake does not rate limit authentication attempts an attacker could either bruteforce both the login and...
Dom XSS in Add Question
Description Evil users can attack other users or administrator users through this vulnerability, causing other users/administrator user accounts to be taken over Proof of Concept step1. Add a normal user and log in step2. Add a new question and insert xss payload in the body Step3. Login admin us...
Function of modifying userinfo has storage xss vulnerability
Description This vulnerability allows a malicious user to submit malicious html code on the profile page, causing the identity token to be stolen as soon as another user/administrator accesses the profile page, resulting in the account being taken over by someone else Proof of Concept step1. Log ...
Froxlor 2.0.6 Remote Command Execution via Arbitrary File Write and Server Side Template Injection
Description Froxlor 2.0.6 Stable is suffering from Remote Command Execution that was achieved by chaining two bugs, the first one is an arbitrary file write on the logging feature, which allows an authenticated attacker to point the log file to any writable path even if it was the web server...
XSS via markdown syntax
Description Hi Maintainer, thanks for reading. I am glad to report a security problem to you. I found that your forum allows users to use markdown syntax to post articles and comments, but there is no corresponding protection, which is unsafe. Any user can post dangerous content, like the...
Site-wide CSRF (Bypass Strict Cookie) leads to Website Takeover
I reported this vulnerability once a long time ago, but you still haven't fixed it. I report back to remind you need to fix it. Description At the api/hooks.unfurl, when sending a post request containing a param challenge, the server will return the value of that param, which inadvertently leave ...
Stored XSS
Description /collector page is vulnerable to stored XSS. PoC 1. Open the following file in the browser: html history.pushState'', '', '/' document.forms0.submit; 2. Login as user. 3. Go to http://localhost:9666/collector 4. Click XSS alertXSS...
Stored XSS in Add new question
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. steps 1-log in as an admin user first. 2-go to :...
Mootools-more 1.6.0 is used, which is potentially vulnerable to CVE-2021-20088
Description Mootools-more 1.6.0 is used, which is potentially vulnerable to CVE-2021-20088 Proof of Concept https://github.com/BlackFan/client-side-prototype-pollution/blob/master/pp/mootools-more.md...
session fixation
Description A session fixation attack allows an attacker to hijack a legitimate user session. The attack investigates a flaw in how the online application handles the session ID, especially the susceptible web application. Proof of Concept...
Stored XSS Via SVG File Upload
XSS Via SVG File Upload When uploading an image file to a bug report, you're able to upload .svg files which aren't properly sanitized before they are rendered, so any embedded Javascript will execute. Steps To Reproduce 1. Create a bug report 2. Upload a SVG attachment with a Javascript payload...
Insecure Temporary File
Description The transformers package is using the deprecated function tempfile.mktemp, which is not secure, because a different process may create a file with this name in the time between the call to mktemp and the subsequent attempt to create the file by the first process. Functions that create...
Cookie Session Not Expiring Even After Deleting the users
Description The session is not expiring in another browser if we delete the user. Proof of Concept 1. Create two users with an admin role for the POC 2. Login in two different browsers, Firefox user A and Chrome user B respectively 3. Go to the settings-users and delete user B from user A Firefox...
Improper String/Integer Input Validation Leads to the Crashing of Site
Description If you give the string input in the Start/End time field, then the application will stop working. Proof of Concept 1. Go to "Settings-General-Reconnection" 2. Change activated to "on" 3. On every input fields place any string for example put: "test" 4. Click on save and refresh 5. The...