No rate limit on "resend email feature" while enable or disable 2FA from /prefs/mfa endpoint
Description When a user is setting up 2FA, a verification code will be sent to the registered email. There is no rate limit on email triggering, which will result in an email flood / DoS attack and will also increase the expenses on your mail server, as an attacker can send 1 million emails throug...
Stored XSS in multiple menus
Description The demo website is affected by stored XSS in multiple menus. Proof of Concept 01 1. Access the demo website http://demos4.softaculous.com/ 2. Log in with the admin user they provide, press the Uploader menu, and in the Uploader tab try to upload any file, then choose the Media manager tab. 3...
Stored XSS in Search
Description Stored XSS is a type of XSS that stores malicious code on the application. The demo website is affected by it. Proof of Concept 1. Access the demo website https://demo.usememos.com/ 2. At "Any thoughts....", write the XSS payload and save it. In this scenario, I used payload: " 3. Now,...
Privilege vulnerability at API Change Password
Description There is a vulnerability in the API Change password. I use the API PATCH /api/user/x to get a user's information and change their password, where x is the user's ID, which is a number in ascending or descending order. Proof of Concept 1. Access the demo website https://demo.usememos.com/ 2. Us...
Cookie without Secure attribute
Description At the moment, the memossession cookie has the Secure flag set to false. Proof of Concept 1. Access the web demo https://demo.usememos.com/ 2. Use the browser's dev tools to check the cookie; we can see there is a memossession cookie having the value false for Secure...
A user can update information / password from other users
Description A user who is neither admin nor host, being a normal user, can modify the nickname, username and email of other users without permission. Steps to Reproduce 1. Log in as user A here, called "ileana.maricel", with the HOST role. 2. In another browser, log in as user B, called "ileana.mariceel", with the USER role. Co...
A user can edit private memos from other users
Description It is possible for a user to edit private memos from other users and also change their visibility, making them public. The user could also change the visibility from Public to Private or vice versa. Steps to Reproduce 1. Log in as user A, here called "ile.maricel". 2. In another brows...
Lack of sanitisation of characters in SSH key name could allow an attacker to perform hyperlink injection
Description Lack of sanitisation of characters in the SSH key name could allow an attacker to perform hyperlink injection, which could allow the attacker to redirect a victim to malicious websites. Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys 2 Add SSH key 3 Enter the name evil.com ...
Hyperlink injection through access token name
Description Hyperlink injection is when an attacker injects a malicious link into an email invitation being sent. Hyperlink injection in the email can lead to phishing via email directly to users. Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/tokens 2 Create a new access token...
No notification triggered on sensitive actions like adding SSH key
Description Adding an SSH key is a sensitive action. As the application triggers a notification on all sensitive actions like email change/password reset, SSH key addition is also an important security event to be notified about. Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys 2 ...
Session cookie without 'HttpOnly' Flag
Description All versions of daloRADIUS prior to the master branch transmit the session cookie, i.e. PHPSESSID, without setting the HttpOnly flag. Proof of Concept $ curl --head http:///login.php HTTP/1.1 200 OK Date: Tue, 20 Dec 2022 14:11:38 GMT Server: Apache Set-Cookie:...
XSS by uploading svg files
Description Hi there, your project has a function for uploading files. That is the section named "Resource". But it does not filter the content of the uploaded files. If we upload an SVG file containing malicious data and a user accesses it, XSS will be triggered. Video Please visit my video link...
Unsanitized input returned in response is conducive to XSS exploitation
Description During the initial installation process it was identified that the "Create user" form that collects user data does not properly sanitize the entered data and then prints it on the screen with an error message without any apparent validation, thus allowing the insertion of HTML or...
Cross-site scripting - Stored via uploading a `.svg` file in
Description When a user uploads a file with the .svg extension and directly accesses this file, the server responds with Content-type: image/svg+xml, which leads to the SVG being processed as an HTML file. Proof of Concept POST /api/resource HTTP/2 Host: demo.usememos.com Cookie:...
Stored XSS via SVG File
Description usememos has a feature to upload a file and display it. By uploading a crafted SVG file, a user can perform a stored XSS attack with the image's direct link. Copy the following code and save it as filename.svg. Proof of Concept filename.svg alertdocument.location; 1. Log in as a user 2. creat...
Stored XSS while creating a new post
Description After logging in, create a new post and type the following text with the XSS payload: XSS in create post. Then click Post and the payload will be executed. Proof of Concept XSS in create post tete...
Account takeover via changing password
Description After logging in as a normal user, go to Settings, then change the password; you will find the following request: PATCH /api/user/104 HTTP/2 Host: demo.usememos.com Cookie:...
Cron execution command field allows attackers with admin privilege to execute OS command as root
Description - The Cron execution command value is written into the cron file without any security protection mechanism. - If an attacker gained admin access, he/she can run OS commands as root. Proof of Concept 1/ Navigate to http://webserver/froxlor/adminsettings.php?page=overview&part=crond 2/ In the Cro...
Stored XSS in admin panel (users page)
Description Stored XSS in the admin panel's users page via injecting an XSS payload in the Name input field by any user, affecting the admin panel. Proof of Concept https://drive.google.com/file/d/1EsYq3R6GRAdEbpZxp2RwQwGr4G8fJGB7/view?usp=sharing...
Attributes are not properly handled leading to XSS
Description Attribute names and the class attribute values are not properly handled, leading to XSS where a user can control either: + A class value + An attribute name. While this may not seem like an important security issue, this weakness is not documented. One would assume the behaviour would...
SNMP location XSS vulnerability
Description By including some HTML in the "Location" field of the snmpd configuration of a managed device, an attacker can inject HTML into the LibreNMS "Devices" tab, which then gets rendered when the page is viewed. EDIT: I'm having difficulties developing a proper exploit for this beyond the...
Stored XSS in Week View Plugin
Description Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of an...
Stored XSS in FAQ comments
Description Stored XSS in FAQ comments by any visitor or anonymous user: the payload alerts in the admin panel on the comments page and is also stored in the FAQ page itself, via injecting an XSS payload into the "Name" and "Message" input fields. Proof of Concept...
Multiple Blind SQL Injection Vulnerabilities in Reports
Description SQL injection typically allows an attacker to extract the entire database from the vulnerable website, including user information, encrypted passwords, and business data. This can subsequently lead to mass compromise of user accounts, data being encrypted and held to ransom, or stolen...
Blind Stored XSS in admin panel (open question page)
Description Blind stored XSS: any unauthorized or anonymous visitor without any privileges can inject an XSS payload into the "Your Name" input field on the "Add question" page; it will then be executed in the admin panel on the Open Question page. Proof of Concept...
Blind Stored XSS in administration panel
Description Blind stored XSS: any visitor without any privilege can create a "Proposal for a new FAQ" at the following URL https://roy.demo.phpmyfaq.de/index.php?action=add&cat=0 and add an XSS payload in the "Your question" input field, which allows any anonymous visitor to steal admin cookies and also...
Stored XSS in Roles
Description Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of an...
Bypass All Captchas in the application
Description Bypass the captcha while adding a new Proposal for a new FAQ or Add question, and send unlimited requests without submitting the captcha code. Proof of Concept https://drive.google.com/file/d/140CMe4FLFLBmIUUbI8706bZ4zs4d7N/view?usp=sharing...
XSS in Integration URL
Description XSS vulnerability in the integration URL that could execute JavaScript when clicking on the URL. Proof of Concept 1. Navigate to the panel dashboard 2. Add or edit an integration and insert the integration URL with this payload: javascript:alert1 POC:...
Cross site scripting vulnerability in pimcore
Description Cross-site scripting vulnerability in pimcore/pimcore "title field" in data objects. Proof of Concept 1. Log in with the dev account https://11.x-dev.pimcore.fun/admin/?dc=1670962076&perspective= 2. Go to Settings -- data objects -- classes -- events 3. Click media under general settings 4...
Reflected XSS which can help in any CSRF vulnerability
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept Below is the HTML code to trigger the XSS with the POST method XSS POC By AggressiveUser history.pushState'', '', '/' Below is the BurpSuite POC YO...
Stored XSS on User Management, Category, Add New FAQ, Add News and Configuration
Description Improper validation of user input in the Add Category module, Add New FAQ module, Add News and edit Configuration in phpMyFAQ v3.1.9 allows a user to execute a malicious JavaScript payload, which leads to a stored XSS vulnerability. Proof of Concept - Log in to the demo instance...
Multiple XSS Vulnerabilities in Queue Condition
Description Cross-Site Scripting XSS vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code...
Authenticated Reflected XSS on ajax/common.tabs.php
Description There is a reflected XSS vulnerability on ajax/common.tabs.php due to the KnowBase tab not escaping the start parameter properly, probably because it's not reflected inside quotes. There was some work into getting the exploit working, due to jQuery's $ not being defined and causing a...
Cross-site Scripting (XSS) - Stored
✍️ DESCRIPTION The activatetemplate parameter at line 16 of the templates.php file will be rendered at line 31 of the dashboard.php file, without using the htmloutput function. 💥 STEP TO REPRODUCE - Log in to your admin account, then visit the URL...
XSS in Workflow Comment
Description XSS vulnerability in Workflow Comment, where a user can insert a JavaScript payload in a comment. Proof of Concept 1. Navigate to the dashboard and workflow settings 2. Open the comment in the sidebar and insert a payload like this: test POC:...
HTML Injection in Activity
Description HTML injection in Activity; only an HTML payload in a workflow is needed, and it fires in the Activity list. Proof of Concept 1. Navigate to the dashboard and workflow settings 2. Insert a new workflow with this payload: test 3. Open the activity list POC:...
Unauthenticated Remote Command Execution on corebos due to exposed install files.
Description While analysing the corebos source code, I found a file that looked interesting: - install/MigrationDbBackup.php This file contains the following snippet of code: php ?php /+ The contents of this file are subject to the vtiger CRM Public License Version 1.0 "License"; You may not use this...
Filepath of page components of deploying system leaks in source code
Description When building your Nuxt application, the source file path of all page components is written into the entry.js file and is thus human-readable to everyone. This could lead to unwanted side effects, such as revealing the structure of the system which was used to build the application or...
Cross Site Scripting (XSS) Reflected
Description Reflected cross-site scripting or XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept https://github.com/phpipam/phpipam/blob/master/app/subnets/mail-notify-subnet.php look in line 94-9...
Sensitive system information disclosure
Description An unauthenticated user can gather information on the remote system just by visiting the following endpoints: + /library/exten-radiusserverinfo.php, which reveals pieces of information such as system uptime, CPU load, etc. + /library/exten-serverinfo.php, which reveals if mysql and/or...
XSS in Markdown Events
Description XSS vulnerability in the Events and Markdown features. Proof of Concept 1. Log in to the dashboard 2. Insert or edit Events in the Description and Link 3. A payload like that: Link Link POC: https://drive.google.com/file/d/1WiNd8lgEjmSpUe4b0LCoKyFw47nsw45s/view?usp=sharing...
HTML Injection in Groups
Description Insert an XSS payload in the groups fields Name and Description. Proof of Concept 1. Log in to the dashboard 2. Navigate to groups 3. Insert Name and Description aaaaatest POC: https://drive.google.com/file/d/1ZsxN-zKoyuiosrgfG8a9Z1sFe9mde-8/view?usp=sharing...
Reflected XSS in Organizations Search
Description Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScrip...
Reflected XSS in Advanced Ticket Search
Description Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScrip...
Lack of CSRF Token in Logout
Description There is no CSRF token on logout. Basically this is not really an issue, but in rdiffweb the user is logically redirected to the last source, like the logout method. In this case an attacker can chain two requests (logout, login), which leads to DoS. Proof of Concept 1. Send a GET logout request and get the session ID...
Insufficient Upload Filtering
Description The upload filter in Ampache 5.5.5 is insufficient and does not prevent authenticated users from uploading files with malicious extensions, which can lead to remote code execution (RCE) depending on the local server configuration. This vulnerability assumes several things which have been...
XSS Stored in Email
Description It was discovered that it is possible to inject a malicious payload into the email address field, resulting in a stored XSS vulnerability. Proof of Concept 1. Access the email parameters at /scp/emails.php 2. Create an account with the following email address Payload...
Path traversal vulnerability found
Description Please check this link https://demos4.softaculous.com/FlatPressfgbu50zqaa/fp-content/ Proof of Concept https://prnt.sc/0UGovVLWcKo7...
No Protection against Bruteforce attacks on Login page
Description The webpage manager does not limit unsuccessful login attempts, allowing brute forcing. Proof of Concept 1. Register an account. 2. Log out of the account and try to log in with a different password. 3. Take the request into Burp Suite Intruder and set the payload list to 30 for testing. 4. The...