Lucene search

4072 matches found

Huntr
added 2022/12/28 1:22 p.m., 30 views

CSRF to add shortcuts to victim account

Description: Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. Proof of Concept: 1 Go to...

CVSS 3.5, AI score 0.7, EPSS 0.00528
Exploits: 1
Huntr
added 2022/12/28 4:05 a.m., 62 views

IDOR to delete user resources

Description: Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Proof of Concept: 1 Log in to your account at demo.usememos.com 2 Turn on your Burp Suite proxy 3 Go to the resources...

CVSS 4, AI score 6.8, EPSS 0.00578
Exploits: 1
Huntr
added 2022/12/28 3:49 a.m., 21 views

IDOR to delete memo from archives

Description: Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Proof of Concept: 1 Log in to your account at demo.usememos.com 2 Turn on your Burp Suite proxy 3 Go to archived memos ...

CVSS 4, EPSS 0.00534
Exploits: 1
Huntr
added 2022/12/28 3:41 a.m., 42 views

IDOR to archive victim's memo

Description: Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Proof of Concept: 1 Log in to your account at demo.usememos.com 2 Turn on your Burp Suite proxy 3 Click on the three do...

CVSS 4, EPSS 0.00534
Exploits: 1
Huntr
added 2022/12/27 9:37 p.m., 26 views

Stored XSS while creating a new post

Description: After logging in to the portal, create a new post and type the following text with an XSS payload. Proof of Concept: 1. Log in to the portal. 2. Create a post with the XSS payload. 3. Save it. Payload 09;& Poc: !alt textlogo logo: https://i.imgur.com/SHDZRWt.png !alt textlogo1 logo1:...

CVSS 4.9, AI score 5.6, EPSS 0.00766
Exploits: 1
Huntr
added 2022/12/27 7:16 p.m., 22 views

Able to assign HOST role to new user

Description: As per the functionality, we can only add a user with the "USER" role in an account. Due to no server-side validation on the "role" parameter, we can add a new member with the "HOST" role and all HOST user privileges. Proof of Concept: 1. While adding a new user, intercept the request in Burp. 2. Change th...

CVSS 6.5, AI score 6.1, EPSS 0.00421
Exploits: 1
Huntr
added 2022/12/27 6:24 p.m., 22 views

NULL Pointer Dereference

Environment: Distributor ID: Debian; Description: Debian GNU/Linux bookworm/sid; Release: n/a; Codename: bookworm. Version: I checked against the latest release as of 12/27/22, version 5.8.0, and the current master branch at commit 031da1be8f6c9aa55f6e4e76df962d2c85dc32e8. Description: This...

CVSS 5, AI score 2, EPSS 0.00698
Exploits: 1
Huntr
added 2022/12/27 3:38 p.m., 27 views

Cross Site Request Forgery in Create a Memo Functionality (POST /api/memo)

Description: I have discovered in Memos a CSRF vulnerability in the Create a Memo functionality (POST /api/memo). I have identified that it is possible to manipulate the actions of authenticated users by tricking them into clicking on a malicious link or visiting a malicious website while they are logge...

CVSS 4.3, AI score 0.6, EPSS 0.00328
Exploits: 1, References: 2
Huntr
added 2022/12/26 7:12 p.m., 14 views

Stored XSS via title, subtitle, footer and post title and content

Description: The site is vulnerable to Stored XSS via Blog title, Blog subtitle and Blog footer. Proof of Concept: - Login as Admin - Go to Administration Area - Option: Set in the 3 fields a payload like this: alertdocument.domain Now go to the blog, and you'll see that the 3 payloads actually fire: Al...

CVSS 4.3, AI score 5.1, EPSS 0.00532
Exploits: 1
Huntr
added 2022/12/26 11:06 a.m., 29 views

Stored XSS with CSP bypass through JS file upload

Description: I've seen here: https://github.com/usememos/memos/blob/main/server/resource.goL268 that the CSP has been implemented with the "default-src 'self'" configuration. This configuration can be bypassed if I'm able to upload a JS file and then call it from other files while they both reside...

CVSS 4.9, AI score 5.6, EPSS 0.00498
Exploits: 1, References: 1
Huntr
added 2022/12/26 10:37 a.m., 34 views

An attacker can post a message on another user's memos page

Description: An attacker can post malicious content to another user's memos page via a POST request; the attacker just adds a creatorID to the request body and sends it with Burp Suite. Here is the video PoC: https://drive.google.com/file/d/1dNKo-ybfguam4YdvmluYujN2nkTG5D9G/view?usp=sharelink Proof of Concept...

CVSS 5, AI score 0.2, EPSS 0.00772
Exploits: 1
Huntr
added 2022/12/26 9:07 a.m., 19 views

Broken Access Controls in Practice settings

Description: We observed that a receptionist user can add a Pharmacy in the Practice Settings section, although this area is restricted to receptionist users. Proof of Concept: REQUEST: POST /openemr/controller.php?practicesettings&pharmacy&action=edit HTTP/1.1 Host: demo.openemr.io Cookie: OpenEMR=...

CVSS 4, AI score 6.4, EPSS 0.0061
Exploits: 1, References: 1
Huntr
added 2022/12/26 8:45 a.m., 25 views

IDOR allows seeing, updating and deleting other users' shortcuts

Description: Even though the endpoint /api/shortcut only allows you to see the list of your own shortcuts, it is possible to access, modify and delete other users' shortcuts by accessing them directly through their IDs. Proof of Concept: - Log in with one user and create a shortcut; let's consider it now has the ID 1 - Logi...

CVSS 5.5, AI score 1.5, EPSS 0.00568
Exploits: 1, References: 1
Huntr
added 2022/12/26 7:36 a.m., 24 views

Get all files in resources of any user and delete any file of any user via IDOR

Description: Easily GET information on all files uploaded by all users in Resources via the API https://demo.usememos.com/api/resource/$idresource (method GET). Easily DELETE any file uploaded by any user in Resources via the API https://demo.usememos.com/api/resource/$idresource (method DELETE). Proof of...

CVSS 6.5, AI score 0.6, EPSS 0.00811
Exploits: 1
Huntr
added 2022/12/26 6:56 a.m., 22 views

Unauthorized Attacker Can Change Visibility Status of Victim's Memos

An attacker can make a private memo into a public memo in order to view it. All the attacker needs to know is the memo ID, and they can make a PATCH request to /api/memo/ with the following request data: "id":,"visibility":"PUBLIC","resourceIdList": Then the attacker can visit the memo URL & view...

CVSS 5, AI score 1.1, EPSS 0.0059
Exploits: 1
Huntr
added 2022/12/26 6:45 a.m., 30 views

Delete all notes of all users in the application

Description: A user with login permission can delete all notes of the whole application via the API DELETE https://demo.usememos.com/api/memo/$idnote Proof of Concept: Link: https://drive.google.com/file/d/1P0MvqadCdTo1yxK9VBkm5ntwBvJMSZa8/view?usp=sharing...

CVSS 5.5, EPSS 0.00761
Exploits: 1
Huntr
added 2022/12/26 6:22 a.m., 22 views

Bypassing client-side restrictions leads to IDOR when creating an appointment

Description: When creating an appointment, a Patient can completely bypass the client-side restrictions, and not only can he create an appointment on every date he wants, he can also set the duration of the appointment as long as he wants, but most important of all, he can tamper with the formpid an...

CVSS 5.5, AI score 6.9, EPSS 0.00795
Exploits: 1
Huntr
added 2022/12/26 5:33 a.m., 22 views

Patient ability to rewrite its own documents leads to HTML injection

Description: It looks like through the PUT request, a Patient can rewrite its own document via the fullDocument JSON parameter. In this way a malicious patient user can't override the document form and rewrite his own, also injecting valid HTML code that the Doctor would be able to see. Proof of...

CVSS 5.5, AI score 6.8, EPSS 0.00559
Exploits: 1
Huntr
added 2022/12/26 4:45 a.m., 29 views

A user can delete other users' posts

Description: As the title says, an attacker can delete other users' posts via the post ID, which can be brute-forced. Here is the video PoC: https://drive.google.com/file/d/18QucWYwkpO9kVPMqNzSQ-ptwrZGk-UP9/view?usp=sharelink Proof of Concept: DELETE /api/memo/$1026$ HTTP/2 Host: demo.usememos.com Cookie:...

CVSS 4, AI score 1.1, EPSS 0.00713
Exploits: 1
Huntr
added 2022/12/25 7:40 p.m., 17 views

Stored HTML injection in Patient chat functionality

Description: I've found out that it is possible to inject HTML code in the Patient Chat functionality, which allows malicious code to be stored there and potentially affect the other chat users. Proof of Concept: - Log in from the patient portal. I've used the demo instance here:...

CVSS 6.5, AI score 6.8, EPSS 0.0062
Exploits: 1, References: 1
Huntr
added 2022/12/25 9:13 a.m., 20 views

Stored XSS in note title

Description: A Stored XSS vulnerability was found when a user creates a new Note and enters the name for the Note. The title of the Note gets directly rendered in the "Note Map" functionality, which leads to HTML injection and cross-site scripting, stored and reflected every time the user opens the note...

CVSS 4.9, AI score 6.2, EPSS 0.00398
Exploits: 1, References: 2
Huntr
added 2022/12/25 6:43 a.m., 27 views

Path Traversal when uploading a file

MeterSphere allows users to upload files but does not check the file name. The PoC can be found in the link...

CVSS 6.5, AI score 2.6, EPSS 0.00717
Exploits: 1, References: 1
Huntr
added 2022/12/24 3:28 p.m., 17 views

Stored XSS in the module named "Website settings"

Description: Our engineer found security problems when testing our website. I have tested the demo website you provided and found that there is indeed an XSS vulnerability. I hope you can check and provide a fix as soon as possible. Thanks. The reason for the vulnerability is that you have...

CVSS 4.3, AI score 5.4, EPSS 0.00434
Exploits: 0
Huntr
added 2022/12/24 2:46 p.m., 35 views

Reset API of any user via IDOR

Description: Reset the API of any user without any action from him via IDOR. Proof of Concept: 1- Create a user 2- Go to settings 3- Open Burp Suite to intercept the request 4- Click on Reset API 5- Note that the endpoint in the request is PATCH /api/user/102 6- When the number that is in the endpoint...

CVSS 5, AI score 1.3, EPSS 0.00702
Exploits: 1
Huntr
added 2022/12/24 2:22 p.m., 29 views

Delete any post of any user via IDOR

Description: Delete any post of any user via IDOR. Proof of Concept: 1- Post anything 2- Open Burp Suite to intercept the request 3- When deleting the post, we will notice that there is DELETE /api/memo/1010 in the request; here the post ID is 1010 4- This number can be changed, and any post y...

CVSS 6.4, AI score 0.7, EPSS 0.00762
Exploits: 1
Huntr
added 2022/12/24 10:56 a.m., 20 views

Stored XSS in resource file uploading

Description: The Resources upload feature does not restrict the type of uploaded file. An attacker can upload an HTML file and the browser still renders it. The CSP is set to default-src 'self' to prevent inline script execution. However, this can be easily bypassed by uploading a .js file, then...

CVSS 4.9, AI score 5.7, EPSS 0.00575
Exploits: 1
Huntr
added 2022/12/24 9:14 a.m., 35 views

File Deletion Detected

Description: The vulnerability allows deleting files on the server, affecting the logic of the source code or disrupting the program's original way of operation. Proof of Concept: B1. Log in and access admin.php?p=uploader&action=mediamanager B2. Delete 1 uploaded file B3. Change parameter...

CVSS 5.5, AI score 7.9, EPSS 0.00711
Exploits: 1, References: 1
Huntr
added 2022/12/24 8:32 a.m., 123 views

Stored XSS via XML File

Description: When a user uploads a file with the .xml extension and directly accesses this file, the server responds with Content-type: image/svg+xml, leading to the XML being processed as an HTML file. POC: POST /flatpress-master/admin.php?p=uploader&action=default HTTP/1.1 Host: localhost Content-Length: 639 Origin:...

AI score 9.4
Exploits: 0, References: 2
Huntr
added 2022/12/24 7:18 a.m., 18 views

Archive any post (public / private) using IDOR

Description: It was observed that we can archive any user's post using the archive option by changing the post ID. 1 Created a user with the lolwa username. 2 Posted a post and identified its post ID, 1007. 3 Now get the post ID from the demo user, i.e. 1006. 4 Now click on archive for post ID 1007 from user lolwa...

CVSS 5, EPSS 0.00681
Exploits: 1, References: 1
Huntr
added 2022/12/23 9:32 p.m., 42 views

IDOR results in deletion of others' public & private memos

Description: What is IDOR (Insecure Direct Object Reference)? Insecure direct object references are common, potentially devastating vulnerabilities resulting from broken access control in web applications. IDOR bugs allow an attacker to maliciously interact with a web application by manipulating a...

CVSS 5, AI score 0.6, EPSS 0.00756
Exploits: 1, References: 1
Huntr
added 2022/12/23 8:13 p.m., 32 views

Users can edit and delete all other users' shortcuts

Description: Users can edit and delete all other users' shortcuts. Proof of Concept: Step 1. Log in as user A and make a shortcut. Step 2. View the shortcut information including: ID, rowStatus, title, payload... For example: user A creates a shortcut with ID 10. Step 3. Log in as user B and make a shortcut...

CVSS 4, AI score 0.1, EPSS 0.00571
Exploits: 1, References: 2
Huntr
added 2022/12/23 4:51 p.m., 20 views

CSRF allows attacker to add malicious tags to victim account

Description: Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. Proof of Concept: 1 Go to...

CVSS 4.3, AI score 1.4, EPSS 0.00586
Exploits: 1
Huntr
added 2022/12/23 4:43 p.m., 27 views

CSRF allows attacker to post on behalf of victim

Description: Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. Proof of Concept: 1 Go to...

CVSS 4.3, AI score 1, EPSS 0.00346
Exploits: 1
Huntr
added 2022/12/23 3:56 p.m., 20 views

CSP bypass via JS file

Description: Hi, Maintainer. You submitted a fix in the latest version 0.9.0 with commit c07b4a. But after many tests, I found that this is still not 100% safe. You have set a very simple CSP, which can be bypassed. Video link: link...

CVSS 4.9, AI score 5.6, EPSS 0.00498
Exploits: 1
Huntr
added 2022/12/23 3:49 p.m., 24 views

Stored XSS while adding a memo

Description: Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Proof of Concept: Payload: " 1 Go to https://demo.usememos.com/ and log in...

CVSS 4.9, AI score 5.5, EPSS 0.00601
Exploits: 1
Huntr
added 2022/12/23 3:37 p.m., 24 views

Stored XSS in memos while creating

Description: After logging in, create a new memo with the following XSS payload " and click save; that will trigger an alert. Proof of Concept: "...

CVSS 4.9, AI score 1.5, EPSS 0.00652
Exploits: 1
Huntr
added 2022/12/23 2:51 p.m., 27 views

Archive any private memos + Delete any Shortcut + Edit any Shortcut from other users

Description: A user can archive any private memos, delete any shortcut and edit any shortcut of other users via the API: PATCH /api/memo/8 HTTP/1.1 "id":8,"rowStatus":"ARCHIVED" PATCH /api/shortcut/2 HTTP/1.1 "id":2,"title":"shortahihix","payload":"" DELETE /api/shortcut/2 Proof of Concept: Log in to...

CVSS 4, AI score 4.8, EPSS 0.00507
Exploits: 1
Huntr
added 2022/12/23 2:27 p.m., 22 views

View any content of private memos from other users

Description: A user can view any content of private memos from other users via the API: PATCH /api/memo/8 HTTP/1.1 "id":8,"rowStatus":"ARCHIVED" Proof of Concept: Log in to the website in browser 1 with user A. Log in to the website in browser 2 with user B. Example: User B has a private memo with ID 8. With...

CVSS 4, AI score 1.3, EPSS 0.00465
Exploits: 1
Huntr
added 2022/12/23 1:14 p.m., 25 views

Access all Private Memos by unauthorized user

Description: After logging in, I created a new memo and posted it, then I tried to edit it. In the editing POST request you can find the memo ID in the POST data and in the URL; if you change it to any private memo, you can access it. You can also change the private memo's visibility status and content. Proof of...

CVSS 5.5, AI score 0.1, EPSS 0.00564
Exploits: 1
Huntr
added 2022/12/23 12:28 p.m., 18 views

Denial of Service

Description: There is no limit on the "Nickname" content length while updating your information, which leads to Denial of Service by entering a huge number of characters if you send the following POST request: "email": "[email protected]", "id": 104, "nickname":...

CVSS 5, AI score 0.1, EPSS 0.00678
Exploits: 1
Huntr
added 2022/12/23 12:09 p.m., 20 views

Full account takeover

Description: Account takeover via changing email, username and displayed name. After you log in and open your settings, you can update your information. There is an IDOR here that allows me to change any user's email, username and displayed name. Proof of Concept...

CVSS 6.5, AI score 0.5, EPSS 0.00911
Exploits: 1
Huntr
added 2022/12/23 5:33 a.m., 19 views

Application allows adding the same SSH key among different users

Description: With SSH keys, you can connect to Rdiffweb without supplying your username and personal access token at each visit. Rdiffweb allows the same SSH key to be used by multiple users. For example: User A has used SSH key '1'; the same key can be used by User B and User C. The application ...

CVSS 7.5, AI score 9.1, EPSS 0.00827
Exploits: 1
Huntr
added 2022/12/23 1:43 a.m., 53 views

Weak password at demo website version 3.1.9

Description: The demo website is now version 3.1.9 but is still affected by the weak password requirement. Proof of Concept: 1. Log in to the demo website with any user. 2. Use the "Change password" function and set the new password to the number 1. 3. It's successful; try to re-login to check it...

CVSS 7.5, AI score 9.2, EPSS 0.00643
Exploits: 0
Huntr
added 2022/12/23 12:06 a.m., 5 views

Reflected XSS in any wordnet URL

Description: A reflected XSS can be achieved by simply creating a URL such as: http://localhost:8000/alert1.html Proof of Concept: nltk.app.wordnetapp.app Then hit http://localhost:8000/alert1.html in the browser...

AI score 6.1
Exploits: 0
Huntr
added 2022/12/22 7:59 p.m., 32 views

Email exposure of users to an authorized user

Description: Hello, this is an endpoint that leaks all the information of the users, like names, email, role, and OpenID, to an authenticated user. Steps to reproduce: 1 Build the web app 2 Either host it locally or on a server 3 Try to add users with their data 4 Visit...

CVSS 4, AI score 0.4, EPSS 0.00773
Exploits: 1
Huntr
added 2022/12/22 5:40 p.m., 36 views

Reset API of any user via IDOR

Description: Reset the API of any user without any action from him via IDOR. Proof of Concept: 1- Create a user 2- Go to settings 3- Open Burp Suite to intercept the request 4- Click on Reset API 5- This is the request body: "id":101,"resetOpenId":true 6- When changing the "id", for example to "102",...

CVSS 7.5, AI score 0.5, EPSS 0.00731
Exploits: 1
Huntr
added 2022/12/22 1:52 p.m., 18 views

Username field is not unique across users, allowing exploitation of primary key logic by creating the same name with different combinations & unauthorized access

Description: The username field while creating a user role can be the same, which should not be the case; the username should be made unique. Proof of Concept: 1. Log in to the demo account at https://rdiffweb-demo.ikus-soft.com/login/ 2. Enter the username and password as admin: admin123 respectively. 3. Visit...

CVSS 5.8, AI score 7, EPSS 0.0113
Exploits: 1
Huntr
added 2022/12/22 8:33 a.m., 34 views

Link Preload XSS bypass

Description: Link preloads still do not effectively confirm whether the requested link is external. This is a bypass of the fix for CVE-2022-4414. Root Cause: The getPayloadURL function was adapted after the disclosure to use the browser's built-in URL parser to properly check for a valid URL. This is a...

CVSS 5.8, AI score 6.1, EPSS 0.00528
Exploits: 1, References: 1
Huntr
added 2022/12/22 8:07 a.m., 15 views

Critical Account Takeover and Privilege Escalation

Description: A critical account takeover and privilege escalation vulnerability allows a low-privilege user to take over the admin account by using the change password functionality. As a normal user, select change password. Change the user ID to 1, as it is the admin account's user ID. The admin account is taken ove...

AI score 4.2
Exploits: 0
Huntr
added 2022/12/22 2:29 a.m., 22 views

Stored XSS bypass of the protection rules

Description: Hi there, someone submitted an XSS vulnerability about your project before. Please see "https://huntr.dev/bounties/f353adfb-e5b8-43e7-957a-894670fd4ccd/" for details. You submitted a fix in 7.0.0.2 with commit 4565d8. But after my tests, I found that it was still unsafe. The followin...

CVSS 4.3, AI score 7, EPSS 0.00526
Exploits: 1
Total number of security vulnerabilities: 4072