4057 matches found
Cross-site scripting
Description memos allows users to upload a file and make it public to others. But if the file is HTML with the content below, an XSS attack can happen. Proof of Concept // PoC.js alert("warning");...
Stored XSS in kiwiTCMS
Description Stored XSS, also known as persistent XSS, is the more damaging type of XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform a Stored XSS. The problem is that the upload function permit...
DOM-based Cross-site Scripting (DXSS) Vulnerability
Description Two CalendarXP products have a DXSS vulnerability in shared parts of their HTML files. CalendarXP FlatCalendarXP through 10.0.1 has a DXSS vulnerability in iflateng.htm and nflateng.htm, and CalendarXP PopCalendarXP through 10.0.1 has a DXSS vulnerability in ipopeng.htm and npopeng.htm. Proof of...
heap-buffer-overflow in gf_isom_box_write_header
Description heap-buffer-overflow in gf_isom_box_write_header at isomedia/box_funcs.c:408. Version info: git log commit 68064e10172675e0853d6f429fb2055112835602 (grafted, HEAD -> master, origin/master, origin/HEAD) Author: jeanlf Date: Fri Nov 18 10:36:10 2022 +0100 fixed build without http2 support ./MP4B...
Unauthorized access to settings update, logs , history, delete etc of repositories
Hey, Attack Scenario: Admin sets up a new user with User privileges and gives access to the repos "/" root directory; after a time, for some reason, he revokes the directory access privileges, but the attacker with User privileges can still edit settings, check logs and view history without having...
Stored XSS - XSS in RSS link href attribute
📜 Description Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The persistent (or stored) XSS vulnerability is a more devastating variant of a...
Stored cross site scripting
Hi Team, I have found a stored cross-site scripting vulnerability in the Create event section. Description What is a stored cross-site scripting attack? Stored XSS occurs when user-supplied input is stored and then rendered within a web page. Typical entry points for stored XSS are: message forums...
3 Types of SQLi in `s` param - (Time/Boolean/Error Based)
Description I have found 3 types of SQLi on the s parameter. Proof of Concept Time-Based: Time-based SQL injection is an inferential SQL injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before...
TLS Cookie without `secure` flag at https://roy.demo.phpmyfaq.de
Description The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function. This issue was found in multiple locations under the reported path. Issue background If the secure flag is set...
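The check behind this finding, as an added example that is not part of the original report or of phpMyFAQ: parse a Set-Cookie header, flag the missing Secure/HttpOnly/SameSite attributes, and note when the cookie name looks like a session identifier (the name heuristic and the sample headers are constructed for illustration).

```javascript
// Added example (not from the original report): audit a Set-Cookie header for
// the attributes that protect a session cookie. Sample headers are constructed.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('='); // cookie values may themselves contain '='
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? '' : nameValue.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim().toLowerCase() || null;
  }
  return cookie;
}

// Heuristic (assumption, not a standard): names like these usually carry a
// session token and therefore warrant the full set of protective attributes.
const SESSION_NAME = /sess|sid|token|auth/i;

function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure) findings.push('missing Secure');
  if (!c.httpOnly) findings.push('missing HttpOnly');
  if (c.sameSite === null || c.sameSite === 'none') findings.push('SameSite absent or None');
  return { name: c.name, sessionLike: SESSION_NAME.test(c.name), findings };
}

// Constructed samples: the weak header a scanner would flag, and its fix.
const weakHeader = 'PHPSESSID=abc123; Path=/';
const fixedHeader = 'PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';
```

Without Secure, the same cookie is sent over a plaintext http:// request to the host, so a network attacker who can induce one such request obtains the session token; the other two attributes are the usual companions a reviewer checks at the same time.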
Cross-site Scripting (XSS) - Stored at discussion title
Description An attacker can inject an XSS payload in the title when he starts or renames a discussion. The payload will be triggered right after a normal user opens that discussion. Proof of Concept 1. Log in to your account on https://forum.locker.io 2. Create a new discussion 3. In the discussion title,...
Stack-Based Buffer Overflow in gf_sg_proto_field_is_sftime_offset
Description Stack-Based Buffer Overflow in gf_sg_proto_field_is_sftime_offset at vrml_proto.c:1295. Version: git log commit 05eaac875354682942b70c790bcd62cb5f4cc825 (grafted, HEAD -> master, origin/master, origin/HEAD) Author: Jean Le Feuvre Date: Mon Nov 14 18:07:45 2022 +0100 fixed msvc warnings ./MP4Box...
Path Traversal that leads to Remote Code Execution via PHP file upload
📜 Description A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be...
Missing Authentication for Critical Function
Description Generally, when users try to change their password, they are asked to verify the request by entering the old password. For the same reason, verification should exist for changing the email address. When a user changes the email address, the website sends a verification mail to the new mail ID...
XSS in RSS Description Link
Description An administrator can import a malicious RSS feed that contains Cross-Site Scripting (XSS) payloads inside RSS links. Victims who visit the RSS content and click on the link will execute the JavaScript. Proof of Concept 1. Create a malicious RSS feed. The XSS payload is inside ite...
Agent can get inbox credentials through api
Description A user with agent privileges can get access to sensitive inbox details through the API. Proof of Concept 1. Create a normal user with agent privileges 2. Get an API key for this user 3. Use the endpoint https://www.chatwoot.com/developers/api/tag/Inboxes/operation/listAllInboxes 4. If the inbox is...
xss in live edit
Description When you make a website and log in as admin, if you add a user as admin he may be an evil admin. In live edit (https://demoxss.microweber.net/?editmode=y) I start editing as HTML; I see I can write a script, but it didn't pass when you open the site as an end user. Then I just tried adding an HTML tag with events, but the sam...
HTML injection possible via LLDP
Description An unmanaged/foreign neighbouring device that advertises its presence with LLDP can inject malicious HTML code into LibreNMS by setting its System Name TLV to whatever snippet is to be injected. This assumes that a device managed by LibreNMS has LLDP and the...
Unintended API key generation
Description The API keys section is vulnerable to CSRF. The attacker can generate a key on the admin's account without prior knowledge of the admin's credentials. A successful CSRF will generate new keys on the admin's account. Proof of Concept history.pushState('', '', '/'); document.forms[0].submit...
Post parameter namespaceMD5 is vulnerable to reflected XSS
Description The POST parameter namespaceMD5 is vulnerable to reflected XSS. Proof of Concept // POST request to /module with parameters and payload namespaceMD5=3389dae361af79b04c9c8e7057f60cc6test''"alertalert&module=settings%2Fgroup%2Flanguageimport&id=mwadminimportlanguagemodalconte...
froxlor/froxlor <= 0.10.38.2 - Authenticated Unrestricted File Upload to RCE
Description Unsafe file uploads occur when the web server fails to sufficiently validate the file's size, type, name or contents, or what restrictions are placed on the file once it has been successfully uploaded. The application fails to validate uploaded files, allowing an attacker to...
There is an RCE vulnerability
Description There is an RCE vulnerability in qmpaas/leadshop (https://github.com/qmpaas/leadshop) v1.4.15. An attacker can access the file leadshop.php and call any existing function through GET to control the target host. The vulnerability is in the leadshop/web/leadshop.php file (lines 27-61): public...
XSS in dp.la
Description dpla-frontend, the frontend application of dp.la, is vulnerable to XSS. Proof of Concept...
Username and email enumeration via Forgot password feature
📜 Description User enumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system. The malicious actor looks for differences in the server's response based on the validity of the submitted credentials. The differences can be inside the...
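The response-difference test described above, as an added example that is not part of the original report or of the affected project: it compares two constructed "forgot password" responses across status, body, length and (bucketed) timing, and shows a handler that answers identically whether or not the account exists. Users, responses and timings are all constructed.

```javascript
// Added example (not from the original report). Models the differential check a
// tester runs against a "forgot password" endpoint and the constant-response
// handler that closes the oracle. All responses, users and timings are constructed.

function responseSignature(res) {
  return {
    status: res.status,
    length: res.body.length,
    body: res.body.replace(/\s+/g, ' ').trim(),
    // bucket timing to 50 ms so ordinary jitter is not mistaken for a signal
    timeBucket: Math.round((res.elapsedMs || 0) / 50),
  };
}

// Returns the dimensions on which the two responses differ; a non-empty result
// means the endpoint reveals whether the submitted username or e-mail exists.
function enumerationOracle(validUserRes, invalidUserRes) {
  const a = responseSignature(validUserRes);
  const b = responseSignature(invalidUserRes);
  return Object.keys(a).filter((k) => a[k] !== b[k]);
}

// Vulnerable behaviour, constructed: status, wording and timing all depend on
// whether the account exists.
const leakyValid = { status: 200, body: 'Reset e-mail sent to a***@example.com', elapsedMs: 320 };
const leakyInvalid = { status: 404, body: 'No account found for that username', elapsedMs: 40 };

// Hardened handler: the same status and body either way. Only the side effect
// (queuing the e-mail) depends on the lookup, and the lookup runs in both cases.
const outbox = [];
function forgotPassword(users, identifier) {
  const user = users.get(identifier.trim().toLowerCase());
  if (user) outbox.push({ to: user.email, kind: 'password-reset' });
  return { status: 200, body: 'If an account matches, a reset link has been sent.', elapsedMs: 0 };
}
```

The timing dimension is the one most often left open after the message is fixed: if the handler returns early for unknown users, the lookup and mail-rendering cost still leak existence, so the real fix keeps the work the same on both paths (or moves the mail send to a queue, as the handler above sketches).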
CSRF on SSL certificates deletion
📜 Description Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform, using form submissions. It allows an attacker to partly circumvent the same-origin policy, which is designed to...
Html Injection Reflected in Login Page
Description HTML Injection is a vulnerability in which the attacker can inject malicious HTML content into the login web page. Proof of Concept Navigate to: https://demo.froxlor.org/index.php?showmessage=4&customermail=%22%3Cmarquee%3E%3Ch3%3EHTML/INJECTION/HERE%[email protected]...
Authenticated SQL injection via filename & update-instance parameters
There is a SQL injection vulnerability inside the saveMeta function in AttachmentAbstract.php. When a file is uploaded via the admin/index.php?action=ajax&ajax=att&ajaxaction=upload endpoint, the filename parameter isn't sanitized and is later interpolated into a raw SQL query inside...
XSS and CSP bypass in app.diagrams.net
Description The application reflects an input from the URL without sanitizing it. With a CSP bypass via apis.google.com it's possible to execute JavaScript code. Proof of Concept...
Unauthenticated stored XSS via username & name parameters
There is a stored XSS vulnerability due to improper sanitization of usernames. Vulnerable code (User.php line 532): public function isValidLogin(string $login): bool { $login = (string) $login; if (strlen($login) < $this->loginMinLength || !preg_match($this->validUsername, $login)) { $this->errors[] =...
XSS Stored inside help links onevent attribute
📜 Description Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The persistent (or stored) XSS vulnerability is a more devastating variant of a...
XSS Stored inside Standard Interface Help Link href attribute
📜 Description Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The persistent (or stored) XSS vulnerability is a more devastating variant of a...
Application-Wide Stored Cross Site Scripting affecting all Users
Description Hi Team, I have found a stored cross-site scripting vulnerability in the reporting dashboard module. What is a stored cross-site scripting attack? Stored XSS occurs when user-supplied input is stored and then rendered within a web page. Typical entry points for stored XSS are: message...
SQL Injection inside instance name leads to Remote Code Execution
📜 Description SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other...
SQL Injection via lang parameter/RCE when PostgreSQL is used
Description There is a SQL injection vulnerability in the lang parameter of the phpmyfaq/ajaxservice.php?action=savefaq endpoint. The vulnerable code starts at ajaxservice.php line 369, specifically the is_null($faqId) && !is_null($categories['rubrik']) part: if (!is_null($author) && !is_null($email) &&...
Stored XSS and HTML injection from markdown
Description Stored XSS, also known as persistent XSS, is the more damaging type of XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform both a Stored XSS and an HTML injection. Thanks to this attack i...
Unrestricted File Upload
BigBlueButton 2.5.6 is vulnerable to unrestricted file upload: the insertDocument API call does not validate the given file extension before saving the file, and does not remove the file in case of validation failure. PoC: 1. Submit the request to insertDocument, specifying the extension:...
Reflected XSS on multiple locations and parameters
Description The user input is not sanitized properly in multiple locations and on different parameters, leading to XSS. Proof of Concept https://demo.bumsys.org/reports/sales-report/?salesDate=" Payload "...
Reflected Cross Site Scripting leading to session hijacking
Description Basic XSS: XSS (Cross-Site Scripting) vulnerabilities arise when untrusted data gets interpreted as code in a web context. XSS attacks effectively let the attacker act as if logged in as the target user, with the nasty addition of tricking the user into giving up information such as their...
XSS Stored inside website title
📜 Description Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The persistent (or stored) XSS vulnerability is a more devastating variant of a...
Cross Site Scripting (XSS) Reflected
Description Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept 1. I open this page...
Eve has a Comparison of Incompatible Types that Results in Invalid State
Description A conditional statement that always resolves to False. Proof of Concept // eve/methods/common.py if field in document and document[field] is not None and document[field] is not (always resolves to False): related_links =...
XSS Stored inside Admin logs
Description If an attacker attempts to log in with an XSS payload inside the username, the login attempt will be logged on the admin dashboard. Then, if an admin visits the login logs page, it will execute the XSS. Proof of Concept Log in with XSS inside the username; admin visits the logs...
XSS stored in Category name
Description If a user injects an XSS payload inside a category name, all users that visit the index page will execute the corresponding XSS payload. Proof of Concept Add a malicious category; the XSS is executed...
SQL Injection inside category creation (checkIfCategoryExists)
Description A user with the permission to add a category can abuse this feature to execute his own SQL queries. Proof of Concept Static code analysis: the vulnerable PHP code is: public function checkIfCategoryExists(array $categoryData): int { $query = sprintf("SELECT name from %sfaqcategories WHE...
heap-use-after-free in function did_set_spelllang at spell
Description heap-use-after-free in function did_set_spelllang at spell.c:2256:19. vim version: git log -1 commit 03d6e6f42b0deeb02d52c8a48c14abe431370c1c (HEAD -> master, tag: v9.0.0820, origin/master, origin/HEAD)...
Reflected XSS on ID parameter
Description Vulnerable code " Proof of Concept https://demo.bumsys.org/xhr/?icheck=false&module=accounts&page=editAccount&id=test"...
Improper Input Validation on emails links
Description In GLPI, users can add their own email addresses to their accounts. However, there is a lack of validation which allows users to add new fields into the mailto: link. Email links support multiple parameters such as: - cc - bcc - body - subject - multiple emails (email1, email2, ...) -...
XSS Stored - Content of tasks are not sanitize
Description If a user injects an XSS payload inside the content of a task, all users that visit the kanban will execute the corresponding XSS payload. Proof of Concept Create XSS in the task content; the XSS is executed...
SQL Injection - SQL as a service (No-auth)
Description The GLPI plugin named glpi-archimap contains an ajax route named getconfig.php which allows a user to retrieve the plugin configuration. However, this route is accessible by everyone because there is no authentication check. Moreover, the attacker can inject his own SQL queries and g...
Dev mode Path traversal
Description Vite is misconfigured within Nuxt to permit any file to be retrieved from the file system. Root Cause The Vite configuration has server.fs.strict set to false. Exploitation Requirements: + The server must be running in developer mode. The vulnerability can be exploited using paths like the following...
Link Preload XSS
Description Link preloads do not effectively confirm whether the requested link is external. Parser differentials can be used to bypass the existing external URL check. Root Cause payload.client.ts contains the following code on link prefetch: nuxtApp.hooks.hook('link:prefetch', (url) => { if...