4072 matches found
Privilege Escalation from customer to root
Privilege Escalation from Customer to Root First of all, sorry for the formatting of the report, but this platform is a mess. I can't attach any PoC files added chapters at the end of the report instead, can't attach any screenshots, nor provide a report as PDF. And btw markdown is only partly...
File Upload Type Validation Error lead to Stored XSS
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. STEPSTOREPRODUCE 1. Login to your application and create a Store called...
important E-Mail Input Field bypassed allowing Account Lockout and Takeover
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Josef Hassan [email protected] and I were able to Account Lockout Vulnerability by bypassing the Input of the E-Mail Address. The Process of...
Stored/Reflected XSS in identities leads chained store XSS in logs
Description The XSS playload injected in the identities to create a new account leads to stored and reflected XSS in identities page and also in the logs page. Steps to Reproduce 1. Go to admin/identities 2.Enter the payload in the username, first name and last name as these fields are not...
Multiple stored XSS
Description Hello! Found multiple stored XSS. PoCs "About me" XSS Insert this code in "About me" http://host/users/settings/profile Website title XSS go to /admin/general, edit 'Site Name' adding the following payload alert"XSS ATTACK!" The script will be executed every time you reload the page...
Account Takeover via reset password
Description Password recovery leads to Account Take Over due to reset code leakage. Proof of Concept Create an acount in https://meta.answer.dev/ and verify mail, then log out. Go to password recovery https://meta.answer.dev/users/account-recovery, insert your email and capture the server respons...
FusionCMS (FusionGen) Takeover account - Predictable Key and Password Generation in Password Recovery Feature
Description It was discovered that the password recovery feature on the website is vulnerable to predictable key and password generation. An attacker is able to predict the key used in the password recovery process and the generated password itself by using a specific PHP command and the user's...
Anti-CSRF mechanism is not present
Description The application is vulnerable to a CSRF attack. Proof of Concept 1. Login as admin. 2. Open the following HTML file in the browser. This action is equivalent to clicking a link sent by an attacker. trap.html html history.pushState'', '', '/' 3. Click the button. 4. A new user is creat...
Improper Restriction of Rendered UI Layers or Frames
Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept http://localhost:8000/admin/ Response headers http HTTP/1.1 200 OK Server: gunicorn Date: Tue, 24 Jan 202...
stored HTML-Injection in the FAQ-Proposal
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Josef Hassan [email protected] and I were able to identify another stored HTML-Injection Vulnerability in the FAQ-Proposal Form. The Process of the...
stored HTML-Injection throuth the Question Form
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Josef Hassan [email protected] and I were able to identify another stored HTML-Injection Vulnerability in the Question Form. The Process of the...
stored XSS through Question sending
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Ahmed Hassan [email protected] and I were able to identify another stored XSS Cross-Site-Scripting Injection Vulnerability. The Process of the...
Stored XSS - allows stealing Admin and Users Cookies
Dear Ladies and Gentlemen, First of all thank you for your time and effort in reading my Report. While doing the Penetration Test my Brother Ahmed Hassan [email protected] and I were able to identify a stored XSS Cross-Site-Scripting Vulnerability. The Process of the Vulnerability: Login ...
Divide By Zero in function adjust_skipcol
Description Divide By Zero in function adjustskipcol at move.c:1978 vim version git log commit 7193323b7796c05573f3aa89d422e848feb3a8dc HEAD - master, tag: v9.0.1223, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocdbz01s.dat -c :qa! Floating point exception GDB gdb...
No permission user can increase his role to administrator
Description No permission user can increase his role to administrator Proof of Concept Hey,i am new on this platform : Steps: - login your administrator account, go to people, and create a user with zero permission you can create permission group with zero permission - then login your restricted...
heap-buffer-overflow in function utfc_ptr2len
Description Heap-based Buffer Overflow in function utfcptr2len at mbyte.c:2145 Vim Version git log commit ebfec1c531f32d424bb2aca6e7391ef3bfcbfe20 HEAD - master, tag: v9.0.1234, origin/master, origin/HEAD Both POCs also apply to v9.0.1262: git log commit f2e30d0c448b9754d0d4daa901b51fbbf4c30747...
Heap Use After Free in function ins_compl_get_exp
Description Heap Use After Free in function inscomplgetexp at insexpand.c:3846 vim version git log commit 7193323b7796c05573f3aa89d422e848feb3a8dc HEAD - master, tag: v9.0.1223, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf01s.dat -c :qa!...
IDOR vulnerability allowing to update another user's annotations
Description IDOR vulnerability was discovered in wallabag. Proof of Concept 1. Login as a victim. 2. Create an entry and an annotation. In this case the annotation's ID is 3. 3. Login as an attacker. 4. Send the following request. request http PUT /annotations/3 HTTP/1.1 Host: localhost:8000...
Stored HTML Injection
Dear Ladies and Gentlemen, First of all thank you for your time and effort reading my Report. While doing the Penetration Test i was able to identify a stored XSS in the Username. When an admin or another Users try to set up a new account and set his name to alert‘1’ the Javascript will run and...
No Password Policy at all during Registration and and Password Change allows Account Takeover Exploitation
Dear Ladies and Gentlemen, First of all thank you for your time and effort reading my Report. While doing the Penetration Test i was able to weak Password Policy while Registration and Passwort changing allowing an attacker to easily exploit an account Takeover Vulnerability. This is due no...
Arbitrary txt files deletion (authenticated)
Description The file sources/export.queries.php can be exploited by any authenticated user to remove arbitrary txt files. If the system administrator configured the base path for the teampass-seckey.txt to be /var/teampass, as shown in the official example, it is possible to remove it causing a...
HTML-Injection
Dear Ladies and Gentlemen, First of all thank you for your time and effort reading my Report. While doing the Penetration Test i was able to identify an reflected HTML-Injection. The Process of the Vulnerability: 1. Login 2. Go to https://roy.demo.phpmyfaq.de/admin/?action=tags 3. Type any kind o...
CSRF leading to remove Administrators users
Description remove function is vulnerable to CSRF lead to remove any Administrators users GET /admin/permissions/remove/?domid=2&daid=15 Proof of Concept 1/ visit /admin/domains/1/ 2/ delete button to remove permission is vulnerable to CSRF...
Stored/Reflected XSS when add new domain
Description there is an XSS vulnerability that malicious script is injected directly in list of domain Proof of Concept 1//go to admin/domains/ 2/ click add to add a new domain 3/ in name section add this payload " and you can see payload executed POC...
Cookie without “Secure “ and “ HttpOnly ” flag attribute
Description HttpOnly and Secure attribute is not set for session cookies in the application. Proof of Concept https://drive.google.com/file/d/1ZAanmAbOn-jSf6ZMS5JIQKUzJ78fUrea/view?usp=sharing...
Email enumeration via sending a magic sign in link functionality
Description The sending a magic sign in link functionality is vulnerable to an email enumeration attack. Proof of Concept If you enter registered email, you will get Login Link Sent! message. If you enter non-registered email, you will get Unknown email address. message...
Stored HTML Injection
Team, I hope you are all doing well. . I wanted to bring to your attention a potential vulnerability on the website https://mainnet.demo.btcpayserver.org/account/apikeys. . During my research, I discovered that the api key label field is vulnerable to a stored HTML injection attack. Proof of...
File Upload Type Validation Error
Description The application does not properly validate the file type or extension during the upload process, allowing any authenticated user to bypass it . StepsTOReproduce - Navigate to this URL:https://demo.bumsys.org/settings/shop-list/ - Click on action button to edit the Profile - Click on...
SSL certificate verification disabled
Description When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived...
heap-buffer-overflow in same_leader and utfc_ptr2len
Description Heap-based Buffer Overflow in function sameleader at textformat.c:558 Heap-based Buffer Overflow in function utfcptr2len at mbyte.c:2138 Vim Version git log commit f97a295ccaa9803367f3714cdefce4e2283c771d HEAD - master, tag: v9.0.1221, origin/master, origin/HEAD Able to replicate the...
Improper authorization
Description In phpIPAM 1.5.1, an unauthenticated user could download the list of high-usage IP subnets that contains sensitive information such as a subnet description, IP ranges, and usage rates via findfullsubnets.php endpoint. The bug lies in the fact that findfullsubnets.php does not verify i...
CSRF leading to delete a user
Description The deleting a user functionality is vulnerable to a CSRF attack. The cause is same with the deleting a domain functionality. Proof of Concept 1. Login as admin. 1. Create a user to be deleted. E.g. the user ID is 2. 1. Open the following file in the browser. html history.pushState'',...
An attacker can view private posts
Description The bookmark saving functionality performs improper authorization check. To exploit this, an attacker is required to know the target post ID. This is done via share link or by less possibly brute-forcing. Proof of Concept 1. victim Create a new post whose visibility is Followers Only...
Email enumeration via reset password functionality
Description User enumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system. The malicious actor is looking for differences in the server's response based on the validity of submitted credentials. The differences can be inside the...
Reflected XSS - Accounting Module - Maintenance - Delete Accounting Records
Description A reflected cross-site scripting XSS vulnerability exists within acct-maintenance-delete.php, which allows a malicious user to execute arbitrary JavaScript code. The vulnerable parameters are username, startdate, and enddate. Proof of Concept 1. Navigate to /acct-maintenance-delete.ph...
SQL Injection in search function
Description In the search function \ \ \ \ With options recentplayed, user input is taken directly into the query without being included in the prepare statement \ \ \ Proof of Concept POST /ampache-5.5.6allphp7.4/public/search.php?type=song HTTP/1.1 Host: localhost:8888 User-Agent: Mozilla/5.0...
File Upload Type Validation Error
Description The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature p.e. GIF89 and sending any invalid content-type. This could allow an authenticated attacker to...
Reflected XSS - Accounting Module - Maintenance - Cleanup Stale Sessions
Description A reflected cross-site scripting XSS vulnerability exists within acct-maintenance-cleanup.php, which allows a malicious user to execute arbitrary JavaScript code. Proof of Concept 1. Navigate to /acct-maintenance-cleanup.php and enter the following payload alert1within the username...
Reflected XSS on msg Parameter
Description Hello Team, Hope you're doing well, There is no sanitization for the user input in msg parameter on the print.php file. Proof of Concept for some reason, I don't know why I can't prove the vulnerability on demo.bumsys.org but here is the PoC payload is:...
heap-use-after-free in gf_odf_vvc_cfg_read_bs
Description heap-use-after-free in gfodfvvccfgreadbs at odf/descriptors.c:1403 Version Author: Lim Wei Cheng ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev23-g5a733aec7-master c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io same POC can also trigger heap-use-after-fre...
CSRF, Reflected XSS and Stored XSS in add instance function
Description The add instance function allows to creation of an instance from user input but does not have any sanitizing mechanism which results in a Reflected XSS bug. This feature can be made by any user in the system, including guest users. After creating the instance will be saved on the...
SQL injection in API authorization check
Description TeamPass /authorize API endpoint is vulnerable to SQL injection in the login field. It is possible to forge an arbitrary Blowfish hash and use it in the query to bypass the password verification check. Using the same query it is possible to define an arbitrary apikey value too: "login...
HTML Injection in add expense via transaction tab
Steps to reproduce After login into demo account, Go to the transaction page and there your can add or create an expense If your on the write path, while creating or adding an expense there will be description field In the Description field, enter the following payload Y00 and click save Now, you...
CSRF leading to delete a domain
Description GET /admin/domains/id/delete/ page is vulnerable to a CSRF attack. Proof of Concept 1. Login as admin. 2. Create a domain to be deleted. E.g. the domain ID is 4. 3. Open the following file in the browser. html history.pushState'', '', '/' document.forms0.submit;...
A User Can Unblock Themself
Description PUT /api/v1/users/id API doesn't properly check the authorizaion. Proof of Concept 1. admin Enable user registration functionality. 2. user Register new user and login as them. 3. user Create OAuth client. 4. admin Block the new user on admin panel. 5. user Send the following request:...
Path Traversal - Archiving Files to Zip
Description The Tiny File Manager pack files feature is vulnerable to path traversal, which allows an attacker to access files that reside outside the web document root directory. The vulnerability occurs as the "file" parameter is not sanitized properly, thus allowing a malicious user to input...
Race Conditional exists in the collection
Description Ordinary users can use this vulnerability to attack other users' question collection, which can break through a single user's operation of only collecting or canceling the collection, resulting in too many or negative collections Proof of Concept step1 . Open burp, click collection, a...
Stored XSS in Your Answer
Description Evil users can attack other users or administrator users through this vulnerability, causing other users/administrator user accounts to be taken over Proof of Concept step1. Insert xss payload in the hyperlink of the question answer javaScript:alertlocalStorage.getItem'alui' step2. An...
SVG Sanitization Bypass - XSS
Description In imgproxy application, we bypassed the svg sanitization function. In this way, attacker can craft malicious svg file and run javascript on the application. Proof of Concept Here is the content of the malicious svg file. After that you can call this svg file like below...
Image upload function has storage xss vulnerability
Description Malicious users can upload files containing malicious html code through this vulnerability, resulting in the theft of identity tokens of other users/administrators accessing related pages and the account being taken over Proof of Concept step1. Log in to a common user account step2...