CSRF to add shortcuts to victim account
Description Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. Proof of Concept 1 Go to...
IDOR to delete user resources
Description Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Proof of Concept 1 Log in to your account at demo.usememos.com 2 Turn on your Burp Suite proxy 3 Go to the resources...
IDOR to delete memo from archives
Description Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Proof of Concept 1 Log in to your account at demo.usememos.com 2 Turn on your Burp Suite proxy 3 Go to archived memos ...
IDOR to archive victim's memo
Description Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Proof of Concept 1 Log in to your account at demo.usememos.com 2 Turn on your Burp Suite proxy 3 Click on the three do...
Stored XSS while creating a new post
Description After logging in to the portal, create a new post and type the following text with the XSS payload. Proof of Concept 1. Log in to the portal. 2. Create a post with the XSS payload. 3. Save it. Payload 09;& Poc: !alt textlogo logo: https://i.imgur.com/SHDZRWt.png !alt textlogo1 logo1:...
Able to assign HOST role to new User
Description As per the functionality, we can only add a user with the "USER" role in the account. Due to no server-side validation on the "role" parameter, we can add a new member with the "HOST" role, with all HOST user privileges. Proof of Concept 1. While adding a new user, intercept the request in Burp. 2. Change th...
NULL Pointer Dereference
Environment Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Release: n/a Codename: bookworm Version: I checked against the latest release as of 12/27/22, version 5.8.0, and the current master branch at commit 031da1be8f6c9aa55f6e4e76df962d2c85dc32e8. Description This...
Cross Site Request Forgery in Create a Memo Functionality (POST /api/memo)
Description I have discovered in Memos a CSRF vulnerability in the Create a Memo functionality (POST /api/memo). I have identified that it is possible to manipulate the actions of authenticated users by tricking them into clicking on a malicious link or visiting a malicious website while they are logge...
Stored XSS via title, subtitle, footer and post title and content
Description The site is vulnerable to Stored XSS via Blog title, Blog subtitle and Blog footer. Proof of Concept - Log in as Admin - Go to Administration Area - Options. Set in the 3 fields a payload like this: alert(document.domain) Now go to the blog, and you'll see that the 3 payloads actually fire: Al...
Stored XSS with CSP bypass through JS file upload
Description I've seen here: https://github.com/usememos/memos/blob/main/server/resource.go#L268 that the CSP has been implemented with the "default-src 'self'" configuration. This configuration can be bypassed if I'm able to upload a JS file, and then call it from other files while they both reside...
An attacker can post messages on another user's memos page
Description An attacker can post malicious content to another user's memos page via a POST request; the attacker just adds a creatorID to the request body and sends it with Burp Suite. Here is the video PoC: https://drive.google.com/file/d/1dNKo-ybfguam4YdvmluYujN2nkTG5D9G/view?usp=sharelink Proof of Concept...
Broken Access Controls in Practice settings
Description We observed that a receptionist user can add a Pharmacy in the Practice Settings section, although this area is restricted to receptionist users. Proof of Concept REQUEST: POST /openemr/controller.php?practicesettings&pharmacy&action=edit HTTP/1.1 Host: demo.openemr.io Cookie: OpenEMR=...
IDOR allows seeing, updating and deleting other users' shortcuts
Description Even if the endpoint /api/shortcut only allows seeing the list of your own shortcuts, it is possible to access, modify and delete other users' shortcuts by accessing them directly through their IDs. Proof of Concept - Log in with one user and create a shortcut; let's consider it now has the ID 1 - Logi...
Get all files in the resources of any user and delete any file of any user via IDOR
Description Easily GET information on all files uploaded by all users in Resources via the API https://demo.usememos.com/api/resource/$idresource (method GET). Easily DELETE all files uploaded by all users in Resources via the API https://demo.usememos.com/api/resource/$idresource (method DELETE). Proof of...
Unauthorized Attacker Can Change Visibility Status of Victim's Memos
An attacker can make a private memo into a public memo in order to view it. All the attacker needs to know is the memo ID, and they can make a PATCH request to /api/memo/ with the following request data: "id":,"visibility":"PUBLIC","resourceIdList": Then the attacker can visit the memo URL & view...
Delete all notes of all users in the application
Description A user with login permission can delete all notes of the whole application via the API DELETE https://demo.usememos.com/api/memo/$idnote Proof of Concept Link: https://drive.google.com/file/d/1P0MvqadCdTo1yxK9VBkm5ntwBvJMSZa8/view?usp=sharing...
Bypass of client-side restrictions leads to IDOR on creating an appointment.
Description When creating an appointment, a Patient can completely bypass the client-side restrictions: not only can he create an appointment on every date he wants, he can also set the duration of the appointment as long as he wants, but most important of everything, he can tamper with the formpid an...
Patient ability to rewrite its own documents leads to HTML injection
Description It looks like through the PUT request, a Patient can rewrite its own document via the fullDocument JSON parameter. In this way a malicious patient user can't override the document form and rewrite his own, also injecting valid HTML code that the Doctor would be able to see. Proof of...
A user can delete other users' posts
Description As the title says, an attacker can delete other users' posts via the post ID, which can be brute-forced. Here is the video PoC: https://drive.google.com/file/d/18QucWYwkpO9kVPMqNzSQ-ptwrZGk-UP9/view?usp=sharelink Proof of Concept DELETE /api/memo/$1026$ HTTP/2 Host: demo.usememos.com Cookie:...
Stored HTML injection in Patient chat functionality
Description I've found out that it is possible to inject HTML code in the Patient Chat functionality, which allows malicious code to be stored there and to potentially affect the other chat users. Proof of Concept - Log in from the patient portal. I've used the demo instance here:...
Stored XSS in notes Title
Description A Stored XSS vulnerability was found when a user creates a new Note and enters the name for the Note. The Title of the Note gets directly rendered in the "Note Map" functionality, which leads to HTML injection and cross-site scripting, stored and reflected every time the user opens the note...
Path Traversal when uploading a file
metersphere allows users to upload files, but does not check the file name. The PoC can be found in the link...
Stored XSS in the module named "Website settings"
Description Our engineer found security problems when testing our website. And I have tested the demo website you provided. I found that there is indeed an XSS vulnerability. I hope you can check and provide a fix as soon as possible. Thanks. The reason for the vulnerability is that you have...
Reset API of any user via IDOR
Description Reset the API of any user without any action from him via IDOR. Proof of Concept 1- Create a user 2- Go to settings 3- Open Burp Suite to intercept the request 4- Click on Reset API 5- Note that the endpoint in the request is PATCH /api/user/102 6- When the number that is in the endpoint...
Delete any post of any user via IDOR
Description Delete any post of any user via IDOR. Proof of Concept 1- Post anything 2- Open Burp Suite to intercept the request 3- When deleting the post, we will notice that there is DELETE /api/memo/1010 in the request; here the post ID is 1010 4- This number can be changed, and any post y...
Stored XSS in resource file uploading
Description The Resources upload feature does not restrict the type of uploaded file. An attacker can upload an HTML file and the browser still renders it. The CSP is set to default-src 'self' to prevent inline script execution. However, this can be easily bypassed by uploading a .js file and then...
File Deletion Detected
Description The vulnerability allows deleting files on the server, affecting the logic of the source code or disrupting the program's original way of operation. Proof of Concept B1. Log in and access admin.php?p=uploader&action=mediamanager B2. Delete 1 uploaded file B3. Change the parameter...
Stored XSS via XML File
Description When a user uploads a file with the .xml extension and directly accesses this file, the server responds with Content-type: image/svg+xml, leading to the XML being processed as an HTML file. POC POST /flatpress-master/admin.php?p=uploader&action=default HTTP/1.1 Host: localhost Content-Length: 639 Origin:...
Archive any post (public / private) using IDOR
Description It was observed that we can archive any user's post using the archive option by changing the post ID. 1 Created a user with the username lolwa. 2 Posted a post and identified its post ID, 1007. 3 Now get the post ID from the demo user, i.e. 1006. 4 Now click on archive for post ID 1007 from user lolwa...
IDOR results in deletion of others' public & private memos
Description What is IDOR (Insecure Direct Object Reference)? Insecure direct object references are common, potentially devastating vulnerabilities resulting from broken access control in web applications. IDOR bugs allow an attacker to maliciously interact with a web application by manipulating a...
Users can edit and delete all other users' shortcuts
Description Users can edit and delete all other users' shortcuts. Proof of Concept Step 1. Log in as user A and make a shortcut. Step 2. View the shortcut information including: ID, rowStatus, title, payload... For example, user A creates a shortcut with ID 10. Step 3. Log in as user B and make a shortcut...
CSRF allows attacker to add malicious tags to victim account
Description Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. Proof of Concept 1 Go to...
CSRF allows attacker to post on behalf of victim
Description Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. Proof of Concept 1 Go to...
CSP bypass via JS file
Description Hi Maintainer, You submitted a fix in the latest version 0.9.0 with commit c07b4a. But after many tests, I found that this is still not 100% safe. You have set a very simple CSP, which can be bypassed. Video link link...
Stored XSS while adding a memo
Description Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Proof of Concept Payload: " 1 Go to https://demo.usememos.com/ and login...
Stored XSS in memos while creating
Description After login, create a new memo with the following XSS payload " and click save; that will make an alert. Proof of Concept "...
Archive any private memos + Delete any Shortcut + Edit any Shortcut from other users
Description A user can archive any private memos, delete any shortcut and edit any shortcut from other users via the API: PATCH /api/memo/8 HTTP/1.1 "id":8,"rowStatus":"ARCHIVED" PATCH /api/shortcut/2 HTTP/1.1 "id":2,"title":"shortahihix","payload":"" DELETE /api/shortcut/2 Proof of Concept Log in to...
View any content of private memos from other users
Description A user can view any content of private memos from other users via the API PATCH /api/memo/8 HTTP/1.1 "id":8,"rowStatus":"ARCHIVED" Proof of Concept Log in to the website in browser 1 with user A. Log in to the website in browser 2 with user B. Example: User B has a private memo with id 8. With...
Access all Private Memos by unauthorized user
Description After login, I create a new memo and post it, then I tried to edit it. So in the editing POST request you can find the memo id in the POST data and in the URL; if you change it to any private memo you can access it. Also you can change the private memo's visibility status and content. Proof of...
Denial of Service
Description There is no limit on the "Nickname" content length while updating your information, which leads to Denial of Service by entering a huge number of characters if you send the following POST request "email": "[email protected]", "id": 104, "nickname":...
Full account takeover
Description Account takeover via changing email, username and displayed name. After you log in and open your settings you can update information; there is an IDOR here that allows me to change any user's email, username and displayed name. Proof of Concept...
Application allows adding the same SSH key to different users
Description With SSH keys, you can connect to Rdiffweb without supplying your username and personal access token at each visit. Rdiffweb allows the same SSH key to be used by multiple users. For example: User A has used SSH key '1'; the same key can be used by User B and User C. The application ...
Weak password at demo website version 3.1.9
Description The demo website is now version 3.1.9 but is still affected by the weak password requirement. Proof of Concept 1. Log in to the demo website with any user. 2. Use the "Change password" function and set the new password to the number 1. 3. It's successful; try to re-login to check it...
Reflected XSS in any wordnet URL
Description A reflected XSS can be achieved by simply creating a URL such as: http://localhost:8000/alert1.html Proof of Concept nltk.app.wordnetapp.app Then hit http://localhost:8000/alert1.html in the browser...
Email exposure of users to an authorized user
Description Hello, this is an endpoint that leaks all the information of the users, like names, email, role, and OpenID, to an authenticated user. Steps to reproduce 1 Build the web app 2 Either host it locally or on a server 3 Try to add users with their data 4 Visit...
Reset API of any user via IDOR
Description Reset the API of any user without any action from him via IDOR. Proof of Concept 1- Create a user 2- Go to settings 3- Open Burp Suite to intercept the request 4- Click on Reset API 5- This is the request body "id":101,"resetOpenId":true 6- When changing the "id", for example to "102",...
Username field is not unique to users, allowing exploitation of primary-key logic by creating the same name with different combinations & unauthorized access
Description The username field while creating a user role is the same, which should not be the case; the username should be made unique. Proof of Concept 1. Log in to the demo account at https://rdiffweb-demo.ikus-soft.com/login/ 2. Enter the username and password as admin and admin123 respectively. 3. Visit...
Link Preload XSS bypass
Description Link preloads still do not effectively confirm whether the requested link is external. This is a bypass of the fix for CVE-2022-4414. Root Cause The getPayloadURL function was adapted after the disclosure to use the browser's built-in URL parser to properly check for a valid URL. This is a...
Critical Account Takeover and Privilege Escalation
Description A critical account takeover and privilege escalation vulnerability allows a low-privilege user to take over the admin account by using the change password functionality. As a normal user, select change password. Change the user ID to 1, as it is the admin account user ID. Admin account is taken ove...
Stored XSS bypass of the protection rules
Description Hi there, Someone submitted an XSS vulnerability about your project before. Please see "https://huntr.dev/bounties/f353adfb-e5b8-43e7-957a-894670fd4ccd/" for details. You submitted a fix in 7.0.0.2 with commit 4565d8. But after my tests, I found that it was still unsafe. The followin...