4057 matches found
Delete all notes of all users in the application
Description A user with login permission can delete all notes of the whole application via the API DELETE https://demo.usememos.com/api/memo/$idnote Proof of Concept Link: https://drive.google.com/file/d/1P0MvqadCdTo1yxK9VBkm5ntwBvJMSZa8/view?usp=sharing...
Bypassing client-side restrictions leads to IDOR when creating an appointment.
Description When creating an appointment, a Patient can completely bypass the client-side restrictions: not only can he create an appointment on any date he wants, he can also set the duration of the appointment as long as he wants, but most important of all, he can tamper with the formpid an...
Patient's ability to rewrite its own documents leads to HTML injection
Description It looks like through the PUT request, a Patient can rewrite its own document via the fullDocument JSON parameter. In this way a malicious patient user can't override the document form and rewrite his own, also injecting valid HTML code that the Doctor would be able to see. Proof of...
A user can delete other users' posts
Description As the title says, an attacker can delete other users' posts via the post id, which can be brute-forced. Here is the video PoC: https://drive.google.com/file/d/18QucWYwkpO9kVPMqNzSQ-ptwrZGk-UP9/view?usp=sharelink Proof of Concept DELETE /api/memo/$1026$ HTTP/2 Host: demo.usememos.com Cookie:...
Stored HTML injection in Patient chat functionality
Description I've found out that it is possible to inject HTML code in Patient Chat functionality, which allows malicious code to be stored there and potentially affect the other chat users Proof of Concept - Login from the patient portal. I've used the demo instance here:...
Stored XSS in notes Title
Description A stored XSS vulnerability was found when a user creates a new Note and enters the name for the Note. The title of the Note gets directly rendered in the "Note Map" functionality, which leads to HTML injection and cross-site scripting, stored and reflected every time the user opens the note...
Path traversal when uploading a file
metersphere allows users to upload files but does not check the file name. The PoC can be found in the link...
Stored XSS in the module named "Website settings"
Description Our engineer found security problems when testing our website, and I have tested the demo website you provided. I found that there is indeed an XSS vulnerability. I hope you can check and provide a fix as soon as possible. Thanks. The reason for the vulnerability is that you have...
Reset any user's API via IDOR
Description Reset any user's API without any action from him via IDOR Proof of Concept 1- Create a user 2- Go to settings 3- Open Burp Suite to intercept the request 4- Click on Reset API 5- Note that the endpoint in the request is PATCH /api/user/102 6- When the number that is in the endpoint...
Delete any post for all users via IDOR
Description Delete any post for all users via IDOR Proof of Concept 1- Post anything 2- Open Burp Suite to intercept the request 3- When deleting the post, we will notice that there is DELETE /api/memo/1010 in the request; here the post id is 1010 4- This number can be changed and any post y...
Stored XSS in resource file uploading
Description The Resources upload feature does not restrict the type of uploaded file. An attacker can upload an html file and the browser still renders it. The CSP is set to default-src 'self' to prevent inline script execution. However, this can be easily bypassed by uploading a .js file then...
File Deletion Detected
Description The vulnerability allows deleting files on the server, affecting the logic of the source code or disrupting the program's original way of operation. Proof of Concept B1. Log in and access admin.php?p=uploader&action=mediamanager B2. Delete 1 uploaded file B3. Change parameter...
Stored XSS via XML File
Description When a user uploads a file with the .xml extension and directly accesses this file, the server responds with Content-type: image/svg+xml, leading to the XML being processed as an HTML file. POC POST /flatpress-master/admin.php?p=uploader&action=default HTTP/1.1 Host: localhost Content-Length: 639 Origin:...
Archive any post (public / private) using IDOR
Description It was observed that we can archive any user's post using the archive option by changing the post id. 1 Created a user with the lolwa username. 2 Posted a post and identified its post id, 1007. 3 Now get the post id from the demo user, i.e. 1006. 4 Now click on archive for post id 1007 from user lolwa...
IDOR results in deletion of others public & private memos
Description What is IDOR Insecure Direct Object Reference? Insecure direct object references are common, potentially devastating vulnerabilities resulting from broken access control in web applications. IDOR bugs allow an attacker to maliciously interact with a web application by manipulating a...
Users can edit and delete all other user shortcuts
Description Users can edit and delete all other users' shortcuts Proof of Concept Step 1. Log in as user A and make a shortcut Step 2. View the shortcut information including: ID, rowStatus, title, payload... For example, user A creates a shortcut with ID 10 Step 3. Log in as user B and make a shortcut...
CSRF allows attacker to add malicious tags to victim account
Description Cross-Site Request Forgery CSRF is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user Proof of Concept 1 Go to...
CSRF allows attacker to post on behalf of victim
Description Cross-Site Request Forgery CSRF is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. Proof of Concept 1 Go to...
CSP bypass via .js file
Description Hi, Maintainer. You submitted a fix in the latest version 0.9.0 with commit c07b4a. But after many tests, I found that this is still not 100% safe. You have set a very simple CSP, which can be bypassed. Video link...
Stored XSS while adding a memo
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Proof of Concept Payload: " 1 Go to https://demo.usememos.com/ and login...
Stored XSS in memos while creating
Description After logging in, create a new memo with the following XSS payload " and click save; that will trigger an alert. Proof of Concept "...
Archive any private memos + Delete any Shortcut + Edit any Shortcut from other users
Description A user can archive any private memo, delete any shortcut and edit any shortcut of other users via the API PATCH /api/memo/8 HTTP/1.1 "id":8,"rowStatus":"ARCHIVED" PATCH /api/shortcut/2 HTTP/1.1 "id":2,"title":"shortahihix","payload":"" DELETE /api/shortcut/2 Proof of Concept Login to...
View any content private memos from other users
Description A user can view any content of private memos of other users via the API PATCH /api/memo/8 HTTP/1.1 "id":8,"rowStatus":"ARCHIVED" Proof of Concept Log in to the website in browser 1 with user A. Log in to the website in browser 2 with user B. Example: User B has a private memo with id 8. With...
Access all Private Memos by unauthorized user
Description After logging in, I created a new memo and posted it, then I tried to edit it. In the edit POST request you can find the memo id in the POST data and in the URL; if you change it to any private memo you can access it. You can also change the private memo's visibility status and content. Proof of...
Denial of Service
Description There is no limit on the "Nickname" content length while updating your information, which leads to Denial of Service by entering a huge number of characters if you send the following POST request "email": "[email protected]", "id": 104, "nickname":...
Full account takeover
Description Account takeover via changing email, username and display name. After logging in and opening your settings you can update your information; there is an IDOR here that allows me to change any user's email, username and display name. Proof of Concept...
Application allows to add same SSH key among different users
Description With SSH keys, you can connect to Rdiffweb without supplying your username and personal access token at each visit. Rdiffweb allows the same SSH key to be used by multiple users. For example: User A has used SSH key '1'; the same key can be used by User B, User C. The application ...
Weak password at demo website version 3.1.9
Description The demo website is now version 3.1.9 but is still affected by the weak password requirement. Proof of Concept 1. Log in to the demo website with any user. 2. Use the "Change password" function, set the new password to the number 1. 3. It succeeds; try to re-login to check it...
Reflected XSS in any wordnet URL
Description A reflected XSS can be achieved by simply creating a URL such as: http://localhost:8000/alert1.html Proof of Concept nltk.app.wordnetapp.app Then hit http://localhost:8000/alert1.html in the browser...
Email exposure of users to an authorized user
Description Hello, there is an endpoint that leaks all the information of the users, like names, email, role, and OpenID, to an authenticated user. Steps to reproduce 1 Build the web app 2 Either host it locally or on a server 3 Try to add users with their data 4 Visit...
Reset API any user via IDOR
Description Reset any user's API without any action from him via IDOR Proof of Concept 1- Create a user 2- Go to settings 3- Open Burp Suite to intercept the request 4- Click on Reset API 5- This is the request body "id":101,"resetOpenId":true 6- When changing the "id", for example to "102",...
Username field is not unique across users, allowing exploitation of primary-key logic by creating the same name with different combinations, and unauthorized access
Description The username field while creating a user role can be the same, which should not be the case; the username should be made unique. Proof of Concept 1. Log in to the demo account at https://rdiffweb-demo.ikus-soft.com/login/ 2. Enter the username and password as admin and admin123 respectively. 3. Visit...
Link Preload XSS bypass
Description Link preloads still do not effectively confirm whether the requested link is external. This is a bypass of the fix for CVE-2022-4414. Root Cause The getPayloadURL function was adapted after the disclosure to use the browser's built-in URL parser to properly check for a valid URL. This is a...
Critical Account Takeover and Privilege Escalation
Description A critical account takeover and privilege escalation vulnerability allows a low-privilege user to take over the admin account by using the change password functionality. As a normal user, select change password. Change the user ID to 1 as it is the admin account's user ID. The admin account is taken ove...
Stored XSS bypass the protection rules
Description Hi there, someone submitted an XSS vulnerability about your project before; please see "https://huntr.dev/bounties/f353adfb-e5b8-43e7-957a-894670fd4ccd/" for details. You submitted a fix in 7.0.0.2 with commit 4565d8. But after my tests, I found that it was still unsafe. The followin...
No rate limit on "resend email" feature while enabling or disabling 2FA from the /prefs/mfa endpoint
Description When a user is setting up 2FA, a verification code will be sent to the registered email. There is no rate limit on email triggering, which will result in an email flood / DoS attack and will also increase the expenses on your mail server, as an attacker can send 1 million emails throug...
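The missing control in the report above is a per-account limit on how often the verification mail can be triggered. The following Go program is an added example, not rdiffweb's code: a token-bucket limiter keyed by the requesting user's id, wrapped around a stand-in resend handler. The bucket size (3), refill period (1 minute), the `ResendCode` name and the fake clock are all assumptions chosen for illustration; the real endpoint would also key on client IP and log throttled attempts.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Limiter is a per-key token bucket: a key gets `burst` sends immediately and
// then earns one more every `every`. The clock is injected so the refill can
// be exercised without sleeping.
type Limiter struct {
	mu      sync.Mutex
	burst   float64
	every   time.Duration
	now     func() time.Time
	buckets map[string]*bucket
}

type bucket struct {
	tokens float64
	last   time.Time
}

func NewLimiter(burst int, every time.Duration, now func() time.Time) *Limiter {
	return &Limiter{burst: float64(burst), every: every, now: now, buckets: map[string]*bucket{}}
}

// Allow spends one token for key if one is available. Refill is proportional
// to the time elapsed since the last call for that key, capped at burst.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: t}
		l.buckets[key] = b
	}
	b.tokens += t.Sub(b.last).Seconds() / l.every.Seconds()
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Mailer records what would have been sent; a stand-in for the real SMTP path.
type Mailer struct{ Sent []string }

// ResendCode is the "resend verification code" logic (hypothetical name). The
// caller's own user id is the rate-limit key, so one account cannot flood the
// mail server or a victim's mailbox. Returns 200 when sent, 429 when throttled.
func ResendCode(l *Limiter, m *Mailer, userID, email string) int {
	if !l.Allow("mfa-resend:" + userID) {
		return 429
	}
	m.Sent = append(m.Sent, email)
	return 200
}

// Simulate drives the handler with a fake clock: n immediate clicks, then one
// more after `wait`. It returns the status of each attempt in order.
func Simulate(n int, wait time.Duration) []int {
	clock := time.Date(2022, 12, 20, 14, 0, 0, 0, time.UTC) // constructed start time
	l := NewLimiter(3, time.Minute, func() time.Time { return clock })
	m := &Mailer{}
	var out []int
	for i := 0; i < n; i++ {
		out = append(out, ResendCode(l, m, "104", "victim@example.com")) // constructed user
	}
	clock = clock.Add(wait)
	out = append(out, ResendCode(l, m, "104", "victim@example.com"))
	return out
}

func main() {
	fmt.Println("5 clicks, then 1 minute later: ", Simulate(5, time.Minute))
	fmt.Println("5 clicks, then 30 seconds later:", Simulate(5, 30*time.Second))
}
```

Without the limiter every click in the loop would reach the mailer; with it, the fourth and fifth clicks are refused and a single token comes back after one refill period. Because the state is in memory, a multi-instance deployment would need the buckets in a shared store.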
Stored XSS in multiple menus
Description The demo website is affected by stored XSS in multiple menus. Proof of Concept 01 1. Access the demo website http://demos4.softaculous.com/ 2. Log in with the admin user they provide, press the Uploader menu; in the Uploader tab, try to upload any file, then choose the Media manager tab. 3...
Stored XSS in Search
Description Stored XSS is a type of XSS that stores malicious code in the application. The demo website is affected by it. Proof of Concept 1. Access the demo website https://demo.usememos.com/ 2. At "Any thoughts....", write the XSS payload and save it. In this scenario, I used the payload: " 3. Now,...
Privilege vulnerability at API Change Password
Description There is a vulnerability in the Change Password API. I use the API PATCH /api/user/x to get a user's information and change their password, where x is the user's id, which are numbers in ascending or descending order. Proof of Concept 1. Access the demo website https://demo.usememos.com/ 2. Us...
Cookie without Secure attribute
Description At the moment, the memossession cookie has the value false for the Secure flag. Proof of Concept 1. Access the web demo https://demo.usememos.com/ 2. Use the browser's dev tools to check the cookie; we can see there is a memossession cookie with value false for Secure...
A user can update information / password from other users
Description A user who is neither admin nor host can modify the nickname, username and email of other users without permission, being a normal user. Steps to Reproduce 1. Log in as user A here, called "ileana.maricel", HOST role. 2. In another browser log in as user B, called "ileana.mariceel", USER role. Co...
A user can edit private memos from other users
Description It is possible for a user to edit private memos of other users and also change their visibility, making them public. The user could also change the visibility from Public to Private or vice versa. Steps to Reproduce 1. Log in as user A, here called "ile.maricel". 2. In another brows...
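Most of the memos reports in this listing (DELETE /api/memo/$id, PATCH /api/memo/8 with rowStatus ARCHIVED, editing other users' private memos, and the PATCH /api/user/{id} reports) are the same defect: the handler resolves the object by the id in the request and never asks whether the session user is allowed to touch it. The Go program below is an added example, not the memos code base: an in-memory store, a handler for DELETE and PATCH /api/memo/{id} that can run with or without the object-level check, and a scenario that replays the reporters' steps through net/http/httptest. The HOST/USER roles and the memossession cookie name are taken from the reports; the user ids, session values and the `canModify` rule (creator or HOST) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync"
)

type Role string

const (
	RoleHost Role = "HOST"
	RoleUser Role = "USER"
)

type User struct {
	ID   int
	Role Role
}

type Memo struct {
	ID        int    `json:"id"`
	CreatorID int    `json:"creatorId"`
	RowStatus string `json:"rowStatus"` // "NORMAL" or "ARCHIVED"
}

type Store struct {
	mu       sync.Mutex
	memos    map[int]*Memo
	sessions map[string]User // session cookie value -> user (constructed)
}

// canModify is the object-level authorization the vulnerable handler lacks:
// only the memo's creator or a HOST may change or delete it (assumed rule).
func canModify(actor User, m *Memo) bool {
	return actor.Role == RoleHost || actor.ID == m.CreatorID
}

// memoHandler serves DELETE and PATCH /api/memo/{id}. With enforce=false it
// behaves as the reports describe: any authenticated user can act on any id.
func memoHandler(s *Store, enforce bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("memossession")
		if err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		actor, ok := s.sessions[c.Value]
		if !ok {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		id, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/memo/"))
		if err != nil {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		s.mu.Lock()
		defer s.mu.Unlock()
		m, ok := s.memos[id]
		// 404 for both "missing" and "not yours": a 403 would confirm to an
		// attacker enumerating sequential ids that the foreign memo exists.
		if !ok || (enforce && !canModify(actor, m)) {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		switch r.Method {
		case http.MethodDelete:
			delete(s.memos, id)
		case http.MethodPatch:
			var patch struct {
				RowStatus string `json:"rowStatus"`
			}
			if err := json.NewDecoder(r.Body).Decode(&patch); err != nil {
				w.WriteHeader(http.StatusBadRequest)
				return
			}
			m.RowStatus = patch.RowStatus
		default:
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

func do(h http.Handler, method, path, session, body string) int {
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	req.AddCookie(&http.Cookie{Name: "memossession", Value: session})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Scenario replays the reports: user B (plain USER) targets memo 8, which
// belongs to user A. It returns the status codes of B's PATCH to ARCHIVED,
// B's DELETE, and a HOST's DELETE of the same memo.
func Scenario(enforce bool) (bArchive, bDelete, hostDelete int) {
	s := &Store{
		memos:    map[int]*Memo{8: {ID: 8, CreatorID: 101, RowStatus: "NORMAL"}},
		sessions: map[string]User{"sessA": {101, RoleUser}, "sessB": {102, RoleUser}, "sessH": {1, RoleHost}},
	}
	h := memoHandler(s, enforce)
	bArchive = do(h, http.MethodPatch, "/api/memo/8", "sessB", `{"id":8,"rowStatus":"ARCHIVED"}`)
	bDelete = do(h, http.MethodDelete, "/api/memo/8", "sessB", "")
	if bDelete == http.StatusOK { // memo is gone; recreate it so the HOST check has a target
		s.memos[8] = &Memo{ID: 8, CreatorID: 101, RowStatus: "NORMAL"}
	}
	hostDelete = do(h, http.MethodDelete, "/api/memo/8", "sessH", "")
	return
}

func main() {
	for _, enforce := range []bool{false, true} {
		a, d, h := Scenario(enforce)
		fmt.Printf("enforce=%v  B PATCH=%d  B DELETE=%d  HOST DELETE=%d\n", enforce, a, d, h)
	}
}
```

The same shape fixes the PATCH /api/user/{id} reports: resolve the target, then require `actor.ID == target.ID` or a HOST role before touching email, username, password or the OpenID reset flag. The check belongs in the handler or data-access layer, never in the client, which the "bypass client side restrictions" report above shows is trivially skipped.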
Lack of sanitisation of characters in SSH key name could allow an attacker to perform hyperlink injection
Description Lack of sanitisation of characters in the SSH key name could allow an attacker to perform a hyperlink injection that could redirect the victim to malicious websites Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys 2 Add SSH key 3 Enter the name evil.com ...
Hyperlink injection through access token name
Description Hyperlink injection is when an attacker injects a malicious link when sending an email invitation. Hyperlink injection in the email can lead to phishing via email sent directly to users. Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/tokens 2 Create a new access token...
No notification triggered on sensitive actions like adding SSH key
Description Adding an SSH key is a sensitive action. As the application triggers a notification on all sensitive actions like email change/password reset, adding an SSH key is also an important security event to be notified about Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys 2 ...
Session cookie without 'HttpOnly' Flag
Description All versions of daloRADIUS prior to the master branch transmit the session cookie i.e. PHPSESSID without setting the HttpOnly flag. Proof of Concept $ curl --head http:///login.php HTTP/1.1 200 OK Date: Tue, 20 Dec 2022 14:11:38 GMT Server: Apache Set-Cookie:...
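The two cookie reports (memossession without Secure, PHPSESSID without HttpOnly) and the two CSRF reports (add tags, post on behalf of the victim) share one fix surface: how the session cookie is issued and whether state-changing requests verify their origin. The Go program below is an added example, not code from memos, daloRADIUS or any project in this listing. It issues a cookie with Secure, HttpOnly and SameSite=Lax, and guards a POST /api/memo handler with an Origin/Referer host check; the cookie name memossession is taken from the earlier report, while the hostname, the handler name and the session values are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const sessionName = "memossession"

// SessionCookie returns the session cookie with the attributes the reports
// flag as missing: Secure (never sent over plain HTTP), HttpOnly (invisible
// to injected script, so stored XSS cannot simply read it) and SameSite=Lax
// (not attached to cross-site POSTs, which defeats the classic CSRF form).
func SessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     sessionName,
		Value:    value,
		Path:     "/",
		MaxAge:   3600,
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
}

// sameOrigin is the server-side CSRF check that does not depend on cookie
// attributes: a state-changing request must carry an Origin (or Referer)
// whose host is ours. Browsers send Origin on every cross-site POST, so an
// absent header is treated as cross-site rather than trusted.
func sameOrigin(r *http.Request, host string) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		return false
	}
	u, err := url.Parse(src)
	return err == nil && strings.EqualFold(u.Host, host)
}

// memoCreate is a stand-in for POST /api/memo (hypothetical handler).
func memoCreate(host string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := r.Cookie(sessionName); err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if r.Method != http.MethodPost {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		if !sameOrigin(r, host) {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// Attempt replays the CSRF PoC: a POST carrying the victim's session cookie,
// issued from the given Origin ("" means no Origin header at all).
func Attempt(origin string) int {
	h := memoCreate("demo.usememos.com")
	req := httptest.NewRequest(http.MethodPost, "https://demo.usememos.com/api/memo",
		strings.NewReader(`{"content":"posted by attacker"}`)) // constructed body
	req.AddCookie(&http.Cookie{Name: sessionName, Value: "victim-session"})
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("Set-Cookie:", SessionCookie("abc123").String())
	for _, o := range []string{"https://demo.usememos.com", "https://attacker.example", ""} {
		fmt.Printf("Origin=%q -> %d\n", o, Attempt(o))
	}
}
```

Non-browser API clients that send neither Origin nor Referer would be refused by this check; the usual answer is to let them authenticate with a bearer token instead of the session cookie, since a request that carries no cookie cannot be forged by a third-party page in the first place.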
XSS by uploading svg files
Description Hi there, your project has a function for uploading files; that is the section named "Resource". But it does not filter the content of the uploaded files. If we upload an SVG file containing malicious data and a user accesses it, XSS will be triggered. Video Please visit my video link...
Unsanitized input returned in response is conducive to XSS exploitation
Description During the initial installation process it was identified that the "Create user" form, which collects user data, does not properly sanitize the input and then prints it on the screen with an error message without any apparent validation, thus allowing the insertion of HTML or...
Cross-site scripting - Stored via uploading a `.svg` file in
Description When a user uploads a file with the .svg extension and directly accesses this file, the server responds with Content-type: image/svg+xml, leading to the SVG being processed as an HTML file. Proof of Concept POST /api/resource HTTP/2 Host: demo.usememos.com Cookie:...
Stored XSS via SVG File
Description usememos has a feature to upload files and display them. By uploading a crafted SVG file, a user can perform a stored XSS attack with the image's direct link. Copy the following code and save it as filename.svg. Proof of Concept filename.svg alertdocument.location; 1. Log in as a user 2. Creat...
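The upload reports in this listing fail in two places: the stored name is taken from the client (the metersphere path traversal and the flatpress media-manager deletion), and the stored bytes are served back in the application's origin with a browser-renderable type (SVG, XML and HTML uploads that run script, and a .js upload that satisfies a default-src 'self' CSP). The Go program below is an added example, not code from any of these projects. It rejects unsafe names, confines resolved paths to the upload root, and serves a file inline only when its extension is on an image allowlist and the sniffed bytes agree; everything else goes out as an octet-stream attachment under nosniff. The root directory, the `Decide` name and the sample bytes are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

var ErrBadName = errors.New("rejected file name")

// safeName accepts only a bare file name: no separators (either flavour),
// no NUL, no "." or "..". Rejecting instead of silently stripping keeps
// traversal attempts visible in the logs.
func safeName(name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\\x00") {
		return "", ErrBadName
	}
	return name, nil
}

// underRoot is the second guard for any handler that opens or deletes a
// stored file by name: the resolved path must remain inside root.
func underRoot(root, name string) (string, error) {
	root = filepath.Clean(root)
	p := filepath.Join(root, name)
	if p == root || !strings.HasPrefix(p, root+string(filepath.Separator)) {
		return "", ErrBadName
	}
	return p, nil
}

// inlineTypes lists the only content types a browser may render inline.
// SVG, XML, HTML and JavaScript are deliberately absent: rendered from this
// origin they execute script with the victim's session.
var inlineTypes = map[string]string{
	".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
	".gif": "image/gif", ".webp": "image/webp",
}

// responseHeaders decides how a stored file is served. Inline only if the
// extension is allowlisted AND the sniffed bytes agree; otherwise an
// attachment. nosniff stops the browser from second-guessing the type,
// which also makes a <script src> pointing at an uploaded .js fail.
func responseHeaders(name string, head []byte) http.Header {
	h := http.Header{}
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	want, ok := inlineTypes[strings.ToLower(filepath.Ext(name))]
	if ok && http.DetectContentType(head) == want {
		h.Set("Content-Type", want)
		h.Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", name))
	} else {
		h.Set("Content-Type", "application/octet-stream")
		h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
	}
	return h
}

// Decide is the combined policy for one stored file: HTTP status plus the
// headers it would be served with (nil headers on rejection).
func Decide(root, name string, head []byte) (int, http.Header) {
	n, err := safeName(name)
	if err != nil {
		return http.StatusBadRequest, nil
	}
	if _, err := underRoot(root, n); err != nil {
		return http.StatusBadRequest, nil
	}
	return http.StatusOK, responseHeaders(n, head)
}

func main() {
	png := []byte("\x89PNG\r\n\x1a\n")                                                      // constructed PNG signature
	svg := []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>`) // constructed payload
	cases := []struct {
		name string
		head []byte
	}{
		{"photo.png", png}, {"evil.svg", svg}, {"fake.png", svg},
		{"bypass.js", []byte("alert(1)")}, {"../../etc/passwd", nil}, {"..\\..\\x.png", nil},
	}
	for _, c := range cases {
		st, h := Decide("/srv/uploads", c.name, c.head)
		fmt.Printf("%-18s -> %d %s | %s\n", c.name, st, h.Get("Content-Type"), h.Get("Content-Disposition"))
	}
}
```

Serving uploads from a separate origin (a dedicated files host) is the stronger version of the same idea: even an SVG that does render there has no access to the application's cookies, and a default-src 'self' policy on the application no longer covers it.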