4072 matches found
Heap-based Buffer Overflow in function ml_append_int
Description Heap-based Buffer Overflow in function ml_append_int at memline.c:2951 vim version git log commit 043d7b2c84cda275354aa023b5769660ea70a168 HEAD - master, tag: v9.0.1182, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbo02s.dat -c :qa!...
No Protection Against Bruteforce Attacks on Login Page
Description Twake does not limit unsuccessful login attempts, allowing an attacker to brute force the password of an administrator or regular user. Proof of Concept Steps to reproduce Because Twake does not rate limit authentication attempts, an attacker could either bruteforce both the login and...
Dom XSS in Add Question
Description Evil users can attack other users or administrator users through this vulnerability, causing other user/administrator user accounts to be taken over. Proof of Concept step1. Add a normal user and log in step2. Add a new question and insert xss payload in the body Step3. Login admin us...
Function of modifying userinfo has storage xss vulnerability
Description This vulnerability allows a malicious user to submit malicious HTML code on the profile page, causing the identity token to be stolen as soon as another user/administrator accesses the profile page, resulting in the account being taken over by someone else. Proof of Concept step1. Log ...
Froxlor 2.0.6 Remote Command Execution via Arbitrary File Write and Server Side Template Injection
Description Froxlor 2.0.6 Stable is suffering from Remote Command Execution that was achieved by chaining two bugs, the first one is an arbitrary file write on the logging feature, which allows an authenticated attacker to point the log file to any writable path even if it was the web server...
XSS via markdown syntax
Description Hi, Maintainer, thanks for reading. I am glad to report a security problem to you. I found that your forum allows users to use markdown syntax to post articles and comments, but there is no corresponding means of protection, which is unsafe. Any user can post dangerous content, like the...
Site-wide CSRF (Bypass Strict Cookie) leads to Website Takeover
I reported this vulnerability once a long time ago, but you still haven't fixed it. I am reporting back to remind you that you need to fix it. Description At api/hooks.unfurl, when sending a POST request containing a param challenge, the server will return the value of that param, which inadvertently leave ...
Stored XSS
Description /collector page is vulnerable to stored XSS. PoC 1. Open the following file in the browser: html history.pushState'', '', '/' document.forms0.submit; 2. Login as user. 3. Go to http://localhost:9666/collector 4. Click XSS alertXSS...
Stored XSS in Add new question
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. steps 1-log in as an admin user first. 2-go to :...
Mootools-more 1.6.0 is used, which is potentially vulnerable to CVE-2021-20088
Description Mootools-more 1.6.0 is used, which is potentially vulnerable to CVE-2021-20088 Proof of Concept https://github.com/BlackFan/client-side-prototype-pollution/blob/master/pp/mootools-more.md...
session fixation
Description A session fixation attack allows an attacker to hijack a legitimate user session. The attack investigates a flaw in how the online application handles the session ID, especially the susceptible web application. Proof of Concept...
Stored XSS Via SVG File Upload
XSS Via SVG File Upload When uploading an image file to a bug report, you're able to upload .svg files which aren't properly sanitized before they are rendered, so any embedded JavaScript will execute. Steps To Reproduce 1. Create a bug report 2. Upload an SVG attachment with a JavaScript payload...
Insecure Temporary File
Description The transformers package is using the deprecated function tempfile.mktemp, which is not secure, because a different process may create a file with this name in the time between the call to mktemp and the subsequent attempt to create the file by the first process. Functions that create...
Cookie Session Not Expiring Even After Deleting the users
Description The session does not expire in another browser if we delete the user. Proof of Concept 1. Create two users with an admin role for the POC 2. Log in in two different browsers, Firefox user A and Chrome user B respectively 3. Go to settings-users and delete user B from user A Firefox...
Improper String/Integer Input Validation Leads to the Crashing of Site
Description If you give a string input in the Start/End time field, the application will stop working. Proof of Concept 1. Go to "Settings-General-Reconnection" 2. Change activated to "on" 3. In every input field place any string, for example put: "test" 4. Click on save and refresh 5. The...
Stored XSS by link markdown
Description The site allows link markdown but does not validate it, resulting in XSS. Proof of Concept Create a new memo with payload Click me! Hold Ctrl and click Click me!, an alert whose content is the domain name appears...
Stored XSS via markdown link
Description The Markdown editor doesn't sanitize user input, leading to stored XSS Proof of Concept a Reproduce 1. Login to https://demo.usememos.com/ 2. Create new memo with content a 3. Ctrl+left click this link, javascript code has been executed...
IDOR allowing to see other users' entries
Description The exporting entry functionality is vulnerable to an IDOR attack. Proof of Concept 1. Create a new entry as an existing user. Let's say the entry's id is 1. 2. Create a new user and login as them. 3. Go to http://localhost:8000/export/1.txt...
CSRF leading to delete account
Description wallabag was discovered to contain a Cross-Site Request Forgery CSRF which allows attackers to arbitrarily delete user accounts via /account/delete. Proof of Concept 1. Create a new user. 2. Login as the new user. 3. Open the following HTML file in the browser. html history.pushState'...
Lack of Input Sanitization leads to RCE
Description This vulnerability occurs because there is no sanitization of user controlled input during the update configuration process. The input is later written to another .php file, and this could lead to RCE. Proof of Concept 1. Go to Config then go to Mail Settings 2. Change the From Email Addre...
Heap-based Buffer Overflow in function msg_puts_printf
Description Heap-based Buffer Overflow in function msg_puts_printf at message.c:3058 vim version git log commit ea720aea851e645f4c8ec3b20afb27c7ca38184c HEAD - master, tag: v9.0.1137, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbo01s.dat -c :qa!...
Out-of-bounds Write in function do_string_sub
Out-of-bounds Write in function do_string_sub at eval.c:7338 vim version git log commit ea720aea851e645f4c8ec3b20afb27c7ca38184c HEAD - master, tag: v9.0.1137, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochow01s.dat -c :qa!...
Out-of-bounds Read in function build_stl_str_hl
Out-of-bounds Read in function build_stl_str_hl at buffer.c:4350 vim version git log commit ea720aea851e645f4c8ec3b20afb27c7ca38184c HEAD - master, tag: v9.0.1137, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochor01s.dat -c :qa!...
XSS via upload pdf file
Description Hi there, It's my pleasure to submit a report to you again to maintain the safety of the project. Most users can upload files in the module named 'Resources'. We can upload pdf files. But uploading malicious pdf files will cause an xss vulnerability which will cause great harm to users of...
Unrestricted Logging Filename Leads to RCE
Description This vulnerability occurs because there is no filename restriction for saving the logging file. In this case an attacker can set the filename to an existing php file and append php code to it by manipulating the logged input. Proof of Concept 1. Log in using an operator account, in this case I try ...
Cookie without Secure attribute
Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. Proof of Concept http HTTP/1.1 200 OK Content-Type: application/json Content-Length: 107 Vary: Accept-Encoding Set-Cookie:...
ANSI Escape Sequence Injection
Description Injection of escape sequences opens up the possibility for concealing / modifying viewed data, and code execution as some esc seqs feed data back to stdin. Proof of Concept poc So far, the places I managed to find a successful injection are: - when running id from the file name - func...
Stored XSS using two files
Description I uploaded two files, first = js, second = html. The first was a js file with a malicious script; I got its url and added it to the second one as the source for the script tag. Proof of Concept // test.js alert"xss"; and assume its url = https://demo.usememos.com/o/r/9/test.js // test.html...
Stored XSS via `.pages` File in
Description When a user uploads a file with the .pages extension and directly accesses this file, the server responds with Content-type: application/octet-stream, leading to the .pages file being processed as an HTML file. I only discovered this file extension doing more research on XSS Proof of Concept POST...
JwtSigKey hardcoded causes the k8s cluster to take over
Description The jwt authentication function of kubepi = v1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Further use the administrator to...
Improper Restriction of Rendered UI Layers or Frames
Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept...
Pre-auth RCE
Description An unauthenticated attacker can execute arbitrary python code by abusing js2py functionality. Also, due to the lack of CSRF protection, a victim can be tricked into executing arbitrary python code. Proof of Concept Run the command below and touch /tmp/pwnd gets executed. bash curl -i -s -...
Stored XSS via blog author parameter on admin.php?p=config
Description The blog author parameter is unsanitized on the page admin.php?p=config. In this way it is possible to inject arbitrary javascript code. Proof of Concept - Login as regular user - Go to http://localhost/flatpress/admin.php?p=config - Set as blog author "alertdocument.domain - Refresh page...
Stored XSS through post comment body
Description The body of the comment is vulnerable to Stored XSS Proof of Concept - Create a post - Comment on it, and insert alertdocument.domain in the body...
Send any message to any private channel
Description A user can add any message to a private channel even though they are not in that channel. This error is because the web application did not check whether the sender userid is in that private channel. Proof of Concept Login to the website in browser 1 with user A. Login to the website in browser 2 with user B. Us...
Get based CSRF on Reset OP Cache functionality
Description The functionality to reset the OPCache is vulnerable to CSRF. In fact, it would be a good practice to implement a CSRF token in URL if the GET functionality is meant to trigger an action, instead of only retrieving data. Alternatively, it can be turned in a POST request, which I can s...
Reseller role allowed to access admin functionalities
Description The reseller user can access some admin functionality just by directly accessing it by URL, even though the menu shouldn't allow it. Proof of Concept - Go to https://v2.demo.froxlor.org - Login as reseller1 - Point to: https://v2.demo.froxlor.org/adminopcacheinfo.php?page=showinfo...
Authenticated HTMLi via theme parameter on /lib/ajax.php
Description The theme parameter is vulnerable to HTMLi on /lib/ajax.php endpoint Proof of Concept - go to https://v2.demo.froxlor.org - Login with a user - Go to https://v2.demo.froxlor.org/lib/ajax.php?action=newsfeed&theme=%3C/br%3E%3Ch1%3EHTMLi%20by%20leorac%3C/h1%3E%3Cbr%3E - You'll see the...
Reflected Cross Site Scripting
Description A user can input malicious js in the param action in the url http://localhost//stats.php?action=injecthere&userid=1 and send the link to another user to steal the cookie of that user. Param action has no input validation from the user on line 71 in file...
HTTP Query String Injection
Description The application does not properly sanitize query string parameters in the cloudflare-kv-http,github and http drivers. In the case of the github and http drivers there is no immediate vulnerability, however a slight risk is presented. When a user controls a key within the...
Bypass Stored XSS while creating a new post
Description After login to the portal, create a new post and type the following text with an XSS payload bypassing this fix Proof of Concept Login to portal. Create a post with the xss payload and save it POC: https://drive.google.com/file/d/1WkQpGyQGKBS-9To5mludqkkL7VOp9Au/view?usp=sharelink Bypass Payload //X/...
Admin is able to ARCHIVE OWN Account leads to Deactivate ADMIN Account
Description As per the flow, Admin can't ARCHIVE OWN account. I was able to ARCHIVE the ADMIN's OWN Account by intercepting the request and changing the ID Value to Admin, which leads to the ADMIN Account being ARCHIVED. :/ Please Restore it. It Might Be possible to DELETE the Admin Account too; after ARCHIVING the Account it's...
privilege escalation : Low access user can view Admin PRIVATE POST by using PIN functionality
Description Due to the privilege escalation issue, a Low access user can view Admin PRIVATE POSTs by abusing PIN functionality. PIN functionality is used to pin any post to the TOP; by using the Low user, an Attacker can View the other & higher privilege user's PRIVATE POST, as per the flow it's not PINNING any...
Bypassing filters to trigger XSS while creating memos
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Payload: " Proof of Concept 1 Go to https://demo.usememos.com/ and login...
RCE in Wordnet Browser
Description A user who visits a malicious link with the wordnet browser open will execute code on the system Proof of Concept Visit http://localhost:8000/lookupgASVKwAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBB0b3VjaCAvdG1wL1BXTkVElIWUUpQu The base64 is created from import pickle import sys import base64...
Local File Read through Improper Filename Validation
Description This vulnerability occurs because there is no filename validation on logoimagelogin and logoimageheader in the import and export function. An attacker can use a path traversal payload to leak local files such as /etc/passwd or the froxlor config file. Proof of Concept 1. Go to import function on...
CSRF allows attacker to trigger admin to add HOST user, leading to takeover of memos application
Description This vuln allows an attacker to trigger the admin into submitting a malicious request to create a new user with any role. Proof of Concept 1. Attacker creates a malicious script with csrf payload and uploads it to attacker server httpx://attacker.server/csrf.html 2. Attacker sends this link to memos admin 3...
Add any thoughts via CSRF
Description An attacker can add any user's thoughts via a CSRF attack. When you send a link to the victim and they click on it, any thoughts will be added. Proof of Concept 1- When the attacker adds any thoughts, they then intercept the request 2- Take this request to generate a CSRF PoC history.pushState'...
Cross-Site Request Forgery (CSRF) in Add Users
Description Hello Team, the Create a member functionality is vulnerable to a CSRF Attack. By exploiting the CSRF vulnerability, an attacker can add new Members history.pushState'', '', '/' POC video: https://drive.google.com/file/d/1dN2ug8qjwbz1CGbfuBldwamIFE4BNyH/view?usp=sharing Fix: I just want to sugge...
CSRF to change user language preferences
Description Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. Proof of Concept 1 Go to...