4057 matches found
Stored XSS while creating a new post
Description After login create a new post and type the following text with XSS payload XSS in create post then click post that will be executed. Proof of Concept XSS in create post tete...
Account takeover via changing password
Description after login with normal user go to Settings then change password ,you will find the following request PATCH /api/user/104 HTTP/2 Host: demo.usememos.com Cookie:...
Cron execution command field allows attackers with admin privilege to execute OS command as root
Description - Cron execution command value is written into cronfile without any security protection mechanism. - If an attacker gained admin access, he/she can run OS command as root. Proof of Concept 1/ Navigate to http://webserver/froxlor/adminsettings.php?page=overview&part=crond 2/ In the Cro...
Stored XSS in admin panel (users page)
Description Stored XSS in admin panel in users page via inject XSS payload in Name input field by any user to affect the admin panel Proof of Concept https://drive.google.com/file/d/1EsYq3R6GRAdEbpZxp2RwQwGr4G8fJGB7/view?usp=sharing...
Attributes are not properly handled leading to XSS
Description Attribute names and the class attribute values are not properly handled, leading to XSS where a user can control either: + A class value + An attribute name. While this may not seem like an important security issue, this weakness is not documented. One would assume the behaviour would...
SNMP location XSS vulnerability
Description By including some HTML in the "Location" field of the snmpd configuration of a managed device, an attacker can inject HTML into the LibreNMS "Devices" tab, which then gets rendered when the page is viewed. EDIT: I'm having difficulties developing a proper exploit for this beyond the...
Stored XSS in Week View Plugin
Description Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of an...
Stored XSS in FAQ comments
Description Stored XSS in FAQ comments by any visitor or anonymous user, which alerts in the admin panel on the comments page; it is also stored in the FAQ page itself, via injecting an XSS payload in the "Name" and "Message" input fields. Proof of Concept...
Multiple Blind SQL Injection Vulnerabilities in Reports
Description SQL injection typically allows an attacker to extract the entire database from the vulnerable website, including user information, encrypted passwords, and business data. This can subsequently lead to mass compromise of user accounts, data being encrypted and held to ransom, or stolen...
Blind Stored XSS in admin panel (open question page)
Description Blind stored XSS: any unauthorized or anonymous visitor user without any privileges can inject an XSS payload in the "Add question" page in the "Your Name" input field; it will then be executed in the admin panel on the Open Question page Proof of Concept...
Blind Stored XSS in administration panel
Description Blind stored XSS: any visitor user without any privilege can create a "Proposal for a new FAQ" at the following URL https://roy.demo.phpmyfaq.de/index.php?action=add&cat=0 and add an XSS payload in the "Your question" input field, which allows any anonymous visitor to steal admin cookies; also...
Stored XSS in Roles
Description Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of an...
Bypass All Captchas in the application
Description Bypass Captcha while adding a new Proposal for a new FAQ or Add question, and send unlimited requests without submitting the captcha code. Proof of Concept https://drive.google.com/file/d/140CMe4FLFLBmIUUbI8706bZ4zs4d7N/view?usp=sharing...
XSS in Integration URL
Description XSS vulnerability in integration URL that could execute javascript when clicking on the URL Proof of Concept 1. navigate to the panel dashboard 2. add or edit integration and insert the URL of integration with this payload javascript:alert1 POC:...
Cross site scripting vulnerability in pimcore
Description Cross site scripting vulnerability in pimcore/pimcore "title field" in data objects Proof of Concept 1. Login with dev account https://11.x-dev.pimcore.fun/admin/?dc=1670962076&perspective= 2. Go to setting -- data objects -- classes -- events 3. Click media under general settings 4...
Reflect XSS Which can help in any CSRF Vulnerability
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept Below HTML code for trigger XSS with POST method XSS POC By AggressiveUser history.pushState'', '', '/' Below BurpSuite POC YO...
Stored XSS on User Management, Category, Add New FAQ, Add News and Configuration
Description Improper validation of user input in the Add Category module, Add New FAQ module, Add News and edit Configuration in phpMyFAQ v3.1.9 allows a user to execute a malicious javascript payload, which leads to a Stored XSS vulnerability Proof of Concept - Login to demo instance...
Multiple XSS Vulnerabilities in Queue Condition
Description Cross-Site Scripting XSS vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code...
Authenticated Reflected XSS on ajax/common.tabs.php
Description There is a reflected XSS vulnerability on ajax/common.tabs.php due to the KnowBase tab not escaping the start parameter properly probably because it's not reflected inside quotes. There was some work into getting the exploit working, due to JQuery's $ not being defined and causing a...
Cross-site Scripting (XSS) - Stored
✍️ DESCRIPTION The activatetemplate parameter at line 16 of the templates.php file will be rendered at line 31 of the dashboard.php file, without using the htmloutput function. 💥 STEP TO REPRODUCE - Login to your admin account, then visit the URL...
XSS in Workflow Comment
Description XSS Vulnerability in Workflow Comment: a user can insert a javascript payload in a comment Proof of Concept 1. navigate to dashboard and workflow settings 2. open the comment in the side-bar and insert a payload like this test POC:...
Html Injection in Activity
Description HTML injection in Activity; it only needs an HTML payload in a workflow, and it fires in the Activity list Proof of Concept 1. navigate to dashboard and workflow settings 2. insert new workflow with this payload test 3. open the activity list POC:...
Unauthenticated Remote Command Execution on corebos due to exposed install files.
Description While analysing corebos source-code, I found a file that looked interesting: - install/MigrationDbBackup.php This file contains the following snippet of code: php ?php /+ The contents of this file are subject to the vtiger CRM Public License Version 1.0 "License"; You may not use this...
Filepath of page components of deploying system leaks in source code
Description When building your Nuxt application, the source file path of all page components is written in the entry.js file and is thus human readable to everyone. This could lead to unwanted side effects, as in revealing the structure of the system which was used to build the application or...
Cross Site Scripting (XSS) Reflected
Description Reflected cross-site scripting or XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept https://github.com/phpipam/phpipam/blob/master/app/subnets/mail-notify-subnet.php look in line 94-9...
Sensitive system information disclosure
Description An unauthenticated user can gather information on the remote system just by visiting the following endpoints: + /library/exten-radiusserverinfo.php which reveals pieces of information such as system uptime, CPU load, etc. + /library/exten-serverinfo.php which reveals if mysql and/or...
XSS in Markdown Events
Description XSS Vulnerability in the Events and Markdown features Proof of Concept 1. Login to the dashboard 2. Insert or Edit Events in the Description and Link 3. Payload like that Link Link POC: https://drive.google.com/file/d/1WiNd8lgEjmSpUe4b0LCoKyFw47nsw45s/view?usp=sharing...
Html Injection in Groups
Description Insert XSS payload in groups fields Name, Description Proof of Concept 1. login to the dashboard 2. navigate to groups 3. insert Name and Description aaaaatest POC: https://drive.google.com/file/d/1ZsxN-zKoyuiosrgfG8a9Z1sFe9mde-8/view?usp=sharing...
Reflected XSS in Organizations Search
Description Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScrip...
Reflected XSS in Advanced Ticket Search
Description Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScrip...
Lack of CSRF Token in Logout
Description We don't have a CSRF token in logout. Basically this is not really an issue, but in rdiffweb we logically redirect the user to the last source, like the logout method. In this case an attacker can chain two requests (logout, login), which leads to DoS Proof of Concept 1. send get logout request and get sessionid...
Insufficient Upload Filtering
Description The upload filter in Ampache 5.5.5 is insufficient and does not prevent authenticated users from uploading files with malicious extensions, which can lead to remote code execution RCE depending on the local server configuration. This vulnerability assumes several things which have been...
XSS Stored in Email
Description It was discovered that it is possible to inject a malicious payload into the email address field, resulting in a stored XSS vulnerability. Proof of Concept 1. Access to emails parameters /scp/emails.php 2. create an account with the following email address Payload...
Path traversal vulnerability found
Description please check this link https://demos4.softaculous.com/FlatPressfgbu50zqaa/fp-content/ Proof of Concept https://prnt.sc/0UGovVLWcKo7...
No Protection against Bruteforce attacks on Login page
Description Webpage manager does not limit unsuccessful login attempts, allowing brute forcing. Proof of Concept 1. Register the account. 2. Log out of the account and try to log in with a different password. 3. Take the request into Burp Suite Intruder, set the payload list to 30 for testing. 4. The...
Weak Password Implementation
Description: We can change the password with just 1 character when we use change password function. Proof of Concept When you change password, just press any character and then submit. You will see "Your password has been changed"...
File Upload Filter Bypass
Description A sanitization filter bypass in plupload.php in MicroweberCMS v1.3.1 allows remote authenticated attackers to upload files outside the restricted location. The target $path for the image is being sanitized here: php $pathrestirct = userfilespath; if isset$REQUEST'path' and...
Authenticated Remote Command Execution on GLPI 10.0.5 due to vulnerable marketplace plugin
Description It was found that GLPI at the current version 10.0.5 is vulnerable to a remote command execution when an attacker has super-user privileges. This is possible due to an attacker being able to download a plugin that contains files that were calling unserialize on $POST'entityrestrict'...
XSS on external links
Description This vulnerability allows an administrator to create an evil external link. Proof of Concept As an admin user Go to /front/link.form.php?id=1 Create an external link and put as value for the link 'onmouseover="alertdocument.domain" Assign this link to budgets example As a regular...
Limited LFI via Path Traversal
Description A path traversal vulnerability in SuiteCRM 7.12.8 and earlier allows remote authenticated attackers to include a php file at an arbitrary path via unsanitized request parameters. Details In Suite CRM v7.12.8, SubpanelCreates.php and SubpanelEdit.php trust unsanitized user input to lo...
XSS to LFI in Runcode Feature
Description By default runcode sanitized document prefix but if html encode to...
Open Redirect using Host header Injection
Description A web server commonly hosts several web applications on the same IP address, referring to each application via the virtual host. In an incoming HTTP request, web servers often dispatch the request to the target virtual host based on the value supplied in the Host header. Without prope...
Integer overflow in realloc call
Description Integer overflow in realloc and memcpy calls in coreanalgraphlabel. In the process of concatenating source lines based on DWARF data, the resulting size (32-bit signed int) can overflow. The sizes of the realloc and memcpy calls differ, and potentially can lead to writes in an unintended...
Reflect Cross Site Scripting
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept Go to your web phpmyfaq and visit below URL. Exploit URL:...
Authenticated SQL Injection in OpenSIS Classic v9.0 and earlier
Description SQL injection in OpenSIS Classic v9.0 and earlier allows remote authenticated attackers to execute SQL code via the id parameter in MassScheduleModal.php leading to full database information disclosure. Version At the time of reporting, the most up-to-date version of the master branch...
No rate limiting on the reset password page will lead to a DOS attack and inbox flooding for any user
Description I can use this attack to take advantage of the reset password confirmation mechanism and send a large number of emails to anyone simply because I know his email address, as well as perform a DoS attack by draining the resources of the SMTP service and the web server. Proof of Concept ...
Missing CSRF protection
Description Any user can Add Questions on FAQ section -- https://roy.demo.phpmyfaq.de/index.php?action=ask&categoryid=0 This section is vulnerable to CSRF. The aggressor can abuse this without prior knowledge of others'. The successful CSRF will send new questions from the victim's browser Captur...
AddressSanitizer: heap-buffer-overflow in alloc.c 246:11
Description ================================================================= ==19339==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000001015 at pc 0x0000004872d8 bp 0x7ffdef721150 sp 0x7ffdef720910 WRITE of size 2 at 0x606000001015 thread T0 Detaching after fork from child proce...
Unrestricted Upload of file with dangerous type lead to destroying the company's reputation.
Description In the upload function I found that the function accepts a lot of file types, and this is very dangerous because a malicious user may upload an HTML file containing any information, like going to another site or writing a message destroying the company's reputation, like "this site has been hacked by hacker" Pro...
An unrestricted upload file lead to a stored XSS via SVG file.
Description During the test, I discovered that the upload function accepted svg files without any sanitization, allowing me to inject javascript code into the svg file and store it, as well as execute the javascript code via the svg file. Proof of Concept // PoC.js...