Stored XSS by link markdown

Description The site allows link markdown but does not validate, resulting in XSS. Proof of Concept Create new memo with payload Click me! Hold Ctrl and click to Click me!, a alert with content is domain name appear...

Stored XSS via markdown link

Description Markdown editor doesn't sanitize user's input, leads to stored XSS Proof of Concept a Reproduce 1.Login to https://demo.usememos.com/ 2.Create new memo with content a 3.Ctrl+left click this link, javascript code has been executed...

IDOR allowing to see other users' entries

Description The exporting entry functionality is vulnerable to an IDOR attack. Proof of Concept 1. Create a new entry as an existing user. Let's say the entry's id is 1. 1. Create a new user and login as them. 1. Go to http://localhost:8000/export/1.txt...

CSRF leading to delete account

Description wallabag was discovered to contain a Cross-Site Request Forgery CSRF which allows attackers to arbitrarily delete user accounts via /account/delete. Proof of Concept 1. Create a new user. 2. Login as the new user. 3. Open the following HTML file in the browser. html history.pushState'...

Lack of Input Sanitazion lead to RCE

Description This vulnerability occur because there is no sanitation on user controlled input during the update configuration process. The input later , written to another .php file and this could lead to RCE. Proof of Concept 1. Go to Config then go to Mail Settings 2. Change the From Email Addre...

Heap-based Buffer Overflow in function msg_puts_printf

Description Heap-based Buffer Overflow in function msgputsprintf at message.c:3058 vim version git log commit ea720aea851e645f4c8ec3b20afb27c7ca38184c HEAD - master, tag: v9.0.1137, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbo01s.dat -c :qa!...

Out-of-bounds Write in function do_string_sub

Out-of-bounds Write in function dostringsub at eval.c:7338 vim version git log commit ea720aea851e645f4c8ec3b20afb27c7ca38184c HEAD - master, tag: v9.0.1137, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochow01s.dat -c :qa!...

Out-of-bounds Read in function build_stl_str_hl

Out-of-bounds Read in function buildstlstrhl at buffer.c:4350 vim version git log commit ea720aea851e645f4c8ec3b20afb27c7ca38184c HEAD - master, tag: v9.0.1137, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochor01s.dat -c :qa!...

XSS via upload pdf file

Description Hi there, It's my pleasure to submit a report to you again to maintain the safety of the project.Most users can upload files in the module named 'Resources' .We can upload pdf files.But uploading malicious pdf files will cause xss vulnerability which will cause great harm to users of...

Unrestricted Logging Filename Lead to RCE

Description This vulnerability occur because there is no filename restriction for saving logging file. In this case attacker can set the filename to existing php file and append php code on it by manipulating the logged input. Proof of Concept 1. Log in using operator account, in this case i try ...

Cookie without Secure attribute

Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. Proof of Concept http HTTP/1.1 200 OK Content-Type: application/json Content-Length: 107 Vary: Accept-Encoding Set-Cookie:...

ANSI Escape Sequence Injection

Description Injection of escape sequences opens up the possibility for concealing / modifying viewed data, and code execution as some esc seqs feed data back to stdin. Proof of Concept poc So far, the places I managed to find a successful injection are: - when running id from the file name - func...

Stored XSS using two files

Description I uploaded two files first = js , second = html the first was js files with malicious script and get it's url and i added it to the second one as source for the script tag Proof of Concept // test.js alert"xss"; and assume its url = https://demo.usememos.com/o/r/9/test.js // test.html...

Stored XSS via `.pages` File in

Description When user upload a file with .pages extension and direct access this file, the server response with Content-type: application/octet-stream lead to processing .pages as HTML file. I only discovered this file extension doing more research on XSS Proof of Concept POST...

JwtSigKey hardcoded causes the k8s cluster to take over

Description The jwt authentication function of kubepi = v1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Further use the administrator to...

Improper Restriction of Rendered UI Layers or Frames

Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept...

Pre-auth RCE

Description An unauthenticated attacker can execute arbitrary python code by abusing js2py functionality. Also, due to the lack of CSRF protection, a victim can be tricked to execute arbitrary python code. Proof of Concept Run the command below and touch /tmp/pwnd gets executed. bash curl -i -s -...

Stored XSS via blog author parameter on admin.php?p=config

Description The blog author parameter is unsanitized on the page admin.php?p=config. In this way is possible to inject arbitrary javascript code Proof of Concept - Login as regular user - Go to http://localhost/flatpress/admin.php?p=config - Set as blog author "alertdocument.domain - Refresh page...

Stored XSS through post comment body

Description The body of the comment is vulnerable to Stored XSS Proof of Concept - Create a post - Comment on it, and insert alertdocument.domain in the body...

Send any message to any to any private channel

Description A user can add any message to a private channel that is not in that channel. This error is because the web application did not check if the sender userid is in that private channel. Proof of Concept Login to website in brower 1 with user A. Login to website in brower 2 with user B. Us...

Get based CSRF on Reset OP Cache functionality

Description The functionality to reset the OPCache is vulnerable to CSRF. In fact, it would be a good practice to implement a CSRF token in URL if the GET functionality is meant to trigger an action, instead of only retrieving data. Alternatively, it can be turned in a POST request, which I can s...

Reseller role allowed to access to admin functionalities

Description The reseller user can access to some admin functionality just directly accessing to it by URL, even though the menu shouldn't allow it. Proof of Concept - Go to https://v2.demo.froxlor.org - Login as reseller1 - Point to: https://v2.demo.froxlor.org/adminopcacheinfo.php?page=showinfo...

Authenticated HTMLi via theme parameter on /lib/ajax.php

Description The theme parameter is vulnerable to HTMLi on /lib/ajax.php endpoint Proof of Concept - go to https://v2.demo.froxlor.org - Login with a user - Go to https://v2.demo.froxlor.org/lib/ajax.php?action=newsfeed&theme=%3C/br%3E%3Ch1%3EHTMLi%20by%20leorac%3C/h1%3E%3Cbr%3E - You'll see the...

Reflected Cross Site Scripting

Description User can be input malicious js in param action in url http://localhost//stats.php?action=injecthere&userid=1 and send link to other user can be steal cookie of other user. Param action not input validation from user on line 71 in file...

HTTP Query String Injection

Description The application does not properly sanitize query string parameters in the cloudflare-kv-http,github and http drivers. In the case of the github and http drivers there is no immediate vulnerability, however a slight risk is presented. When a user controls a key within the...

Bypass Stored XSS while creating a new post

Description After login to portal create a new post and type the following text with XSS payload bypass of this fix Proof of Concept Login to portal. create a post with xss paylaod save it POC: https://drive.google.com/file/d/1WkQpGyQGKBS-9To5mludqkkL7VOp9Au/view?usp=sharelink Bypass Payload //X/...

Admin is able to ARCHIVE OWN Account leads to Deactivate ADMIN Account

Description As fer the Flow Admin can't ARCHIVE OWN account . i was able to ARCHIVE ADMIN OWN Account by intercept the request and change ID Value to Admin. which leads to ARCHIVED the ADMIN Account , :/ Please Restored it Might Be possible to DELETE Admin Account too , after ARCHIVE Account it's...

privilege escalation : Low access user can view Admin PRIVATE POST by using PIN functionality

Description Due to the privilege escalation issue Low access user can view Admin PRIVATE POST by abusing PIN functionality. PIN functionality is used to pin any post in TOP , by using the Low user Attacker can View the other & high privilege user PRIVATE POST , as per the flow its not PINNING any...

Bypassing filters to trigger XSS while creating memos

Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Payload: " Proof of Concept 1 Go to https://demo.usememos.com/ and login...

RCE in Wordnet Browser

Description A user who visits a malicious link with wordnet browser open will execute code on system Proof of Concept Visit http://localhost:8000/lookupgASVKwAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBB0b3VjaCAvdG1wL1BXTkVElIWUUpQu The base64 is created from import pickle import sys import base64...

Local File Read through Improper Filename Validation

Description This vulnerability occur because there is no filename validation on logoimagelogin and logoimageheader on import and export function. Attacker can use path traversal payload to leak local file such as /etc/passwd or froxlor config file. Proof of Concept 1. Go to import function on...

CSRF allows attacker trigger admin add HOST user lead to takeover memos application

Description This vuln allow attacker trigger admin submitting a malicious request to create new user with any role. Proof of Concept 1. Attacker create malicious script with csrf payload and upload it to attacker server httpx://attacker.server/csrf.html 2. Attacker send this link to memos admin 3...

Add any thoughts via CSRF

Description An attacker can add any user thoughts via a CSRF attack When you send a link to the victim and click on it, any thoughts will be added Proof of Concept 1- When the attacker adds any thoughts, it then intercepts the request 2- Take this request to generate a CSRF PoC history.pushState'...

Cross-Site Request Forgery (CSRF) in Add Users

Description Hello Team, Create a member functionality is vulnerable for CSRF Attack , by exploiting CSRF vulnerability , attacker can add new Members history.pushState'', '', '/' POC video: https://drive.google.com/file/d/1dN2ug8qjwbz1CGbfuBldwamIFE4BNyH/view?usp=sharing Fix: I just want to sugge...

CSRF to change user language preferences

Description Cross-Site Request Forgery CSRF is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user Proof of Concept 1 Go to...

CSRF to add shortcuts to victim account

Description Cross-Site Request Forgery CSRF is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user Proof of Concept 1 Go to...

IDOR to delete user resources

Description Insecure direct object references IDOR are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Proof of Concept 1 Login into your account at demo.usememos.com 2 Turn on your burpsuite proxy 3 Go to the resources...

IDOR to delete memo from archives

Description Insecure direct object references IDOR are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Proof of Concept 1 Login into your account at demo.usememos.com 2 Turn on your burpsuite proxy 3 Go to archived memos ...

IDOR to archive victims memo

Description Insecure direct object references IDOR are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Proof of Concept 1 Login into your account at demo.usememos.com 2 Turn on your burpsuite proxy 3 Click on the three do...

Stored XSS while creating a new post

Description After login to portal create a new post and type the following text with XSS payload Proof of Concept 1. Login to portal. 2. create a post with xss paylaod 3. save it Payload 09;& Poc: !alt textlogo logo: https://i.imgur.com/SHDZRWt.png !alt textlogo1 logo1:...

Able to assign HOST role to new User

Description As per the functionality we only can add user role as a "USER" in account Due to the no server side valaditon on "role" parameter , we can add new member as a "HOST" role with all HOST users privilege Proof of Concept 1. while adding new user intercept the request in burp 2. change th...

NULL Pointer Dereference

Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Release: n/a Codename: bookworm Version I checked against the latest release as of 12/27/22 version 5.8.0 and the current master branch at commit 031da1be8f6c9aa55f6e4e76df962d2c85dc32e8 . Description This...

Cross Site Request Forgery in Create a Memo Functionality (POST /api/memo)

Description I have discovered in Memos a CSRF Vulnerability in Create a Memo Functionality POST /api/memo. I have identified that it is possible to manipulate the actions of authenticated users by tricking them into clicking on a malicious link or visiting a malicious website while they are logge...

Stored XSS via title, subtitle, footer and post title and content

Description The site is vulnerable to Stored XSS via Blog title, Blog subtitle and Blog footer. Proof of Concept - Login as Admin - Go to Administration Area - Option Set n the 3 fields a payload like this: alertdocument.domain Now go to the blog, and you'll see that 3 payloads actually fires: Al...

Stored XSS with CSP bypass through JS file upload

Description I've seen here: https://github.com/usememos/memos/blob/main/server/resource.goL268 that has been implemented the CSP with "default-src 'self'" configuration. This configuration can be bypassed if I'm able to upload a js file, and then call it from another files while they both resides...

An attacker can be post message in other memos page

Description An attacker can be post malicious content to other user's memos page via POST request, attacker just add an creatorID into body request and send it with Burpsuite Here is video poc: https://drive.google.com/file/d/1dNKo-ybfguam4YdvmluYujN2nkTG5D9G/view?usp=sharelink Proof of Concept...

Broken Access Controls in Pratice settings

Description We observed that a receptionist user can add a Pharmacy in the Pratice Settings section, although this area is restricted to receptionist users. Proof of Concept REQUEST: POST /openemr/controller.php?practicesettings&pharmacy&action=edit HTTP/1.1 Host: demo.openemr.io Cookie: OpenEMR=...

IDOR allows to see, update and delete other users shortcuts

Description Even if the endpoint /api/shortcut allow to see the list of your own shortcuts, it is possible to access, modify and delete other users shortcut accessing directly through the IDs. Proof of Concept - Login with one user, and create a shortcut, let's consider it now has the ID 1 - Logi...

Get all file in resource of any user and Delete any file of any user via IDOR

Description Easily GET information of all files uploaded by all users in Resources via API https://demo.usememos.com/api/resource/$idresource method GET Easily DELETE of all files uploaded by all users in Resources via API https://demo.usememos.com/api/resource/$idresource method DELETE Proof of...

Unauthorized Attacker Can Change Visibility Status of Victim's Memos

An attacker can make a private memo into a public memo in order to view it. All the attacker needs to know is the memo ID and they can make a PATCH request to /api/memo/ with the following request data: "id":,"visibility":"PUBLIC","resourceIdList": Then the attacker can visit the memo URL & view...