Weak Password Implementation
Description: We can change the password with just 1 character when we use change password function. Proof of Concept When you change password, just press any character and then submit. You will see "Your password has been changed"...
File Upload Filter Bypass
Description A sanitization filter bypass in plupload.php in MicroweberCMS v1.3.1 allows remote authenticated attackers to upload files outside the restricted location. The target $path for the image is being sanitized here: `$pathrestirct = userfiles_path(); if (isset($_REQUEST['path']) and...`
Authenticated Remote Command Execution on GLPI 10.0.5 due to vulnerable marketplace plugin
Description It was found that GLPI at the current version 10.0.5 is vulnerable to a remote command execution when an attacker has super-user privileges. This is possible due to an attacker being able to download a plugin that contains files that were calling unserialize on $POST'entityrestrict'...
XSS on external links
Description This vulnerability allows an administrator to create an evil external link. Proof of Concept As an admin user, go to /front/link.form.php?id=1. Create an external link and put as value for the link `'onmouseover="alert(document.domain)"`. Assign this link to budgets, for example. As a regular...
Limited LFI via Path Traversal
Description A path traversal vulnerability in SuiteCRM 7.12.8 and earlier allows remote authenticated attackers to include a php file at an arbitrary path via unsanitized request parameters. Details In Suite CRM v7.12.8, SubpanelCreates.php and SubpanelEdit.php trust unsanitized user input to lo...
XSS to LFI in Runcode Feature
Description By default runcode sanitized the document prefix, but if html encoded to...
Open Redirect using Host header Injection
Description A web server commonly hosts several web applications on the same IP address, referring to each application via the virtual host. In an incoming HTTP request, web servers often dispatch the request to the target virtual host based on the value supplied in the Host header. Without prope...
Integer overflow in realloc call
Description Integer overflow in realloc and memcpy calls in coreanalgraphlabel. In the process of concatenating source lines based on DWARF data, the resulting size (32-bit signed int) can overflow. The sizes of the realloc and memcpy calls differ, and potentially can lead to writes in an unintended...
Reflected Cross Site Scripting
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept Go to your web phpmyfaq and visit below URL. Exploit URL:...
Authenticated SQL Injection in OpenSIS Classic v9.0 and earlier
Description SQL injection in OpenSIS Classic v9.0 and earlier allows remote authenticated attackers to execute SQL code via the id parameter in MassScheduleModal.php leading to full database information disclosure. Version At the time of reporting, the most up-to-date version of the master branch...
No rate limiting on the reset password page will lead to a DOS attack and inbox flooding for any user
Description I can use this attack to take advantage of the reset password confirmation mechanism and send a large number of emails to anyone simply because I know his email address, as well as perform a DoS attack by draining the resources of the SMTP service and the web server. Proof of Concept ...
Missing CSRF protection
Description Any user can Add Questions on FAQ section -- https://roy.demo.phpmyfaq.de/index.php?action=ask&categoryid=0 This section is vulnerable to CSRF. The aggressor can abuse this without prior knowledge of others'. The successful CSRF will send new questions from the victim's browser Captur...
AddressSanitizer: heap-buffer-overflow in alloc.c 246:11
Description ================================================================= ==19339==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000001015 at pc 0x0000004872d8 bp 0x7ffdef721150 sp 0x7ffdef720910 WRITE of size 2 at 0x606000001015 thread T0 Detaching after fork from child proce...
Unrestricted Upload of file with dangerous type lead to destroying the company's reputation.
Description In the upload function I found that the function accepts a lot of file types, and this is very dangerous because a malicious user may upload an HTML file containing any information, like a redirect to another site, or write a message destroying the company's reputation, like "this site has been hacked by hacker" Pro...
An unrestricted upload file lead to a stored XSS via SVG file.
Description During the test, I discovered that the upload function accepted svg files without any sanitization, allowing me to inject javascript code into the svg file and store it, as well as execute the javascript code via the svg file. Proof of Concept // PoC.js...
Cross-site scripting
Description memos allows users to upload a file and make it public to others. But if the file is html with the below content, an xss attack can happen. Proof of Concept // PoC.js `alert("warning");`...
Stored XSS in kiwiTCMS
Description Stored XSS, also known as persistent XSS, is the more damaging of the XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform a Stored XSS. The problem is that the upload function permit...
DOM-based Cross-site Scripting (DXSS) Vulnerability
Description Two CalendarXP products have DXSS vulnerability in common parts of HTML files. CalendarXP FlatCalendarXP through 10.0.1 has DXSS vulnerability in iflateng.htm and nflateng.htm, and CalendarXP PopCalendarXP through 10.0.1 has DXSS vulnerability in ipopeng.htm and npopeng.htm. Proof of...
heap-buffer-overflow in gf_isom_box_write_header
Description heap-buffer-overflow in gf_isom_box_write_header at isomedia/box_funcs.c:408. version info git log commit 68064e10172675e0853d6f429fb2055112835602 (grafted, HEAD -> master, origin/master, origin/HEAD) Author: jeanlf Date: Fri Nov 18 10:36:10 2022 +0100 fixed build without http2 support ./MP4B...
Unauthorized access to settings update, logs , history, delete etc of repositories
Hey, Attack Scenario: Admin sets up a new user with User privileges and gives access to the repos "/" root directory; after a time, due to some reason, he revokes the privileges of the directory access, but the user-privileged attacker can still edit settings, check logs and view history without having...
Stored XSS - XSS in RSS link href attribute
📜 Description Cross-site scripting XSS is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The persistent or stored XSS vulnerability is a more devastating variant of a...
Stored cross site scripting
Hi Team, I have found a stored cross-site scripting vulnerability in the Create event section. Description What is a stored cross site scripting attack? Stored XSS occurs when user supplied input is stored and then rendered within a web page. Typical entry points for stored XSS are: message forums...
3 Types of SQLi in `s` param - (Time/Boolean/Error Based)
Description I have found 3 types of SQLi on the s parameter Proof of Concept Time-Based Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time in seconds before...
TLS Cookie without `secure` flag at https://roy.demo.phpmyfaq.de
Description The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function. This issue was found in multiple locations under the reported path. Issue background If the secure flag is set...
Cross-site Scripting (XSS) - Stored at discussion title
Description Attacker can inject XSS payload in title when he starts or renames a discussion. The payload will be triggered right after a normal user open that discussion. Proof of Concept 1. Login to your account on https://forum.locker.io 2. Create New Discussions 3. On the Discussions Title,...
Stack-Based Buffer Overflow in gf_sg_proto_field_is_sftime_offset
Description Stack-Based Buffer Overflow in gf_sg_proto_field_is_sftime_offset at vrml_proto.c:1295. version git log commit 05eaac875354682942b70c790bcd62cb5f4cc825 (grafted, HEAD -> master, origin/master, origin/HEAD) Author: Jean Le Feuvre Date: Mon Nov 14 18:07:45 2022 +0100 fixed msvc warnings ./MP4Box...
Path Traversal that leads to Remote Code Execution via PHP file upload
📜 Description A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash ../” sequences and its variations or by using absolute file paths, it may be...
Missing Authentication for Critical Function
Description Generally, when users try to change the password, they are asked to verify the request by entering the old password. For the same reason, verification should be there on changing email. When a user changes the email address, the website sends a verification mail to the new mail id...
XSS in RSS Description Link
Description An Administrator can import a malicious RSS feed that contains Cross Site Scripting XSS payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. Proof of Concept 1. Create a malicious RSS feeds The XSS payload is inside ite...
Agent can get inbox credentials through api
Description A user with agent privileges can get access to sensitive inbox details through the api. Proof of Concept 1. Create a normal user with agent privileges 2. Get an api key for this user 3. Use endpoint https://www.chatwoot.com/developers/api/tag/Inboxes/operation/listAllInboxes 4. If inbox is...
xss in live edit
Description When you make a website and login as admin, if you add a user as admin he may be an evil admin. In live edit https://demoxss.microweber.net/?editmode=y I start editing as html; I see I can write script, but it didn't pass when you open the site as an end user. Then I just try adding an html tag with events, but the sam...
HTML injection possible via LLDP
Description An unmanaged/foreign neighbouring device that is advertising its presence with LLDP can inject malicious HTML code into LibreNMS by setting its System Name TLV to whatever snippet is to be injected. This is assuming that a device that is managed by LibreNMS has LLDP and the...
Unintended API key generation
Description The API keys sections are vulnerable to CSRF. The aggressor can generate the key on the admin's account without prior knowledge of admin credentials. The successful CSRF will generate new keys on the admin's account. Proof of Concept `history.pushState('', '', '/'); document.forms[0].submit...`
Post parameter namespaceMD5 is vulnerable to reflected XSS
Description The POST parameter namespaceMD5 is vulnerable to reflected XSS. Proof of Concept javascript // POST request to /module with parameters and payload namespaceMD5=3389dae361af79b04c9c8e7057f60cc6test''"alertalert&module=settings%2Fgroup%2Flanguageimport&id=mwadminimportlanguagemodalconte...
froxlor/froxlor <= 0.10.38.2 - Authenticated Unrestricted File Upload to RCE
Description Unsafe file uploads occur when the web server fails to sufficiently validate the file’s size, type, name, contents, or what restrictions are placed on the file once it has been successfully uploaded. The application fails to validate files that are uploaded, allowing an attacker to...
There is an RCE vulnerability
Description - There is an RCE vulnerability in qmpaas/leadshop https://github.com/qmpaas/leadshop v1.4.15. An attacker can access the file leadshop.php and call any existing function through GET to control the target host. The vulnerability is in the leadshop/web/leadshop.php27-61 file public...
XSS in dp.la
Description dpla-frontend which is a frontend application of dp.la is vulnerable to XSS. Proof of Concept...
Username and email enumeration via Forgot password feature
📜 Description User enumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system. The malicious actor is looking for differences in the server's response based on the validity of submitted credentials. The differences can be inside the...
CSRF on SSL certificates deletion
📜 Description Cross-site request forgery also known as CSRF is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform using form submissions. It allows an attacker to partly circumvent the same origin policy, which is designed to...
Html Injection Reflected in Login Page
Description HTML Injection is a vulnerability in which the attacker can inject malicious html content in the login webpage. Proof of Concept Navigate to: https://demo.froxlor.org/index.php?showmessage=4&customermail=%22%3Cmarquee%3E%3Ch3%3EHTML/INJECTION/HERE%[email protected]...
Authenticated SQL injection via filename & update-instance parameters
There is a SQL injection vulnerability inside the saveMeta function in AttachmentAbstract.php. When a file is being uploaded via the admin/index.php?action=ajax&ajax=att&ajaxaction=upload endpoint, the filename parameter isn't being sanitized and it's later on interpolated into a raw SQL query inside...
XSS and CSP bypass in app.diagrams.net
Description The application reflects an input from the url without sanitizing it. With a csp bypass from apis.google.com its possible to execute javascript code. Proof of Concept...
Unauthenticated stored XSS via username & name parameters
There is a stored XSS vulnerability due to improper sanitization of usernames. Vulnerable code User.php line 532: `public function isValidLogin(string $login): bool { $login = (string)$login; if (strlen($login) loginMinLength || !preg_match($this->validUsername, $login)) { $this->errors =...`
XSS Stored inside help links onevent attribute
📜 Description Cross-site scripting XSS is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The persistent or stored XSS vulnerability is a more devastating variant of a...
XSS Stored inside Standard Interface Help Link href attribute
📜 Description Cross-site scripting XSS is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The persistent or stored XSS vulnerability is a more devastating variant of a...
Application-Wide Stored Cross Site Scripting affecting all Users
Description Hi Team, I have found a stored cross-site scripting vulnerability in the reporting dashboard module. What is a stored cross site scripting attack? Stored XSS occurs when user supplied input is stored and then rendered within a web page. Typical entry points for stored XSS are: message...
SQL Injection inside instance name leads to Remote Code Execution
📜 Description SQL injection SQLi is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other...
SQL Injection via lang parameter/RCE when PostgreSQL is used
Description There is a SQL injection vulnerability in the lang parameter of the phpmyfaq/ajaxservice.php?action=savefaq endpoint. Vulnerable code starts at ajaxservice.php line 369, specifically the `is_null($faqId) && !is_null($categories['rubrik'])` part: `if (!is_null($author) && !is_null($email) &&...`
Stored XSS and HTML injection from markdown
Description Stored XSS, also known as persistent XSS, is the more damaging of the XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform both a Stored XSS and an HTML injection. Thanks to this attack I...
Unrestricted File Upload
BigBlueButton 2.5.6 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. PoC: 1- Submit the request to insertDocument, specifying the extension:...