4057 matches found
Stored XSS - XSS in RSS link
Description An Administrator can import a malicious RSS feed that contains Cross-Site Scripting (XSS) payloads inside RSS links. The administrator can then make the RSS feed available to all users of the software. Victims who visit an RSS item will execute the JavaScript code in a new ta...
DOM XSS on lab.flipper.net via the "channel" or "version" parameters
Description Hi! The Web Platform for the Flipper is vulnerable to DOM XSS via the channel and version parameters. This occurs because when the user clicks on Choose firmware the values are passed directly to innerHTML without parsing. Proof of Concept 1. The user accesses the following URL:...
No Rate Limit On migrate-email Endpoint Leads to Brute-force Attack
The migrate-email endpoint requires the Email, Username, and Password parameters. This endpoint contains authentication functionality that has no protection against brute-force attacks, which allows an attacker to try every possible password combination without any restriction. CWE-307:...
User Enumeration
Description The migrate-email endpoint requires the Email, Username, and Password parameters. The Username parameter value is queried against userManager.Users and the result is returned into the user variable; if the user variable is null, the application returns a Bad Request with "Invalid...
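The two reports above describe one endpoint with two weaknesses: a distinguishable "invalid user" response (enumeration) and no failed-attempt limit (brute force). The following is an added example, not code from the reported project: a constructed user store, a function that behaves the way the reports describe, and a hardened version with a per-username lockout and a single, indistinguishable failure response. The FailureThrottle helper, the user store and the credentials are all hypothetical.

```python
import hashlib
import hmac

# Constructed demo user store (not the project's own): username -> PBKDF2 hash.
_SALT = b"demo-salt-not-for-production"


def _hash_pw(password):
    # 10_000 iterations keeps the demo fast; use a far higher work factor in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"alice": _hash_pw("correct horse battery")}


def migrate_email_vulnerable(username, password):
    """Mirrors the reports: a missing user yields a different 400 message than a
    wrong password (enumeration), and nothing counts failed attempts (brute force)."""
    user = USERS.get(username)
    if user is None:
        return 400, "Invalid user"
    if not hmac.compare_digest(user, _hash_pw(password)):
        return 400, "Invalid password"
    return 200, "ok"


class FailureThrottle:
    """Fixed-window failed-attempt counter keyed by username (hypothetical helper).
    A production deployment would also key on source IP and persist the state."""

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._state = {}  # key -> [failure_count, window_start]

    def blocked(self, key, now):
        count, start = self._state.get(key, (0, now))
        return count >= self.max_failures and now - start < self.window

    def record_failure(self, key, now):
        count, start = self._state.get(key, (0, now))
        if now - start >= self.window:  # window expired: start a fresh one
            count, start = 0, now
        self._state[key] = [count + 1, start]

    def reset(self, key):
        self._state.pop(key, None)


def migrate_email_hardened(username, password, throttle, now):
    """Same endpoint with a lockout and one indistinguishable failure response."""
    key = username.lower()
    if throttle.blocked(key, now):
        return 429, "Too many attempts"
    user = USERS.get(username)
    candidate = _hash_pw(password)  # hash even for unknown users: equal timing
    ok = user is not None and hmac.compare_digest(user, candidate)
    if not ok:
        throttle.record_failure(key, now)
        return 400, "Invalid credentials"  # same message whether or not the user exists
    throttle.reset(key)
    return 200, "ok"
```

The hardened variant always computes the password hash, so the response time no longer reveals whether the username was found, and the lockout applies to the username rather than only to the caller's IP, which a distributed brute force would otherwise rotate.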
Stored XSS - Entity name not sanitize in Ticket creation page
Description An Administrator can set a Cross-Site Scripting (XSS) payload inside an entity name. This XSS will be executed on the Ticket Creation page (Menu - Assistance - Create Ticket). Proof of Concept 1. Set an XSS payload in the Entity name 2. Go to the "Create Ticket" page 3. The XSS is executed...
Dev Server XSS
Description The developer server unsafely renders the stack trace within errors. This can be manipulated by sending a specially crafted request. Root Cause The error-dev.vue template, within @nuxt/ui-templates, uses the v-html directive to render the stack-trace section of the error. This would...
Stored Cross Site Scripting (Network Maps Editor functionality)
Description Hello Team, hope you are doing well. I have found a stored cross-site scripting vulnerability in the network maps edit functionality. What is a stored cross-site scripting attack? Stored XSS occurs when user-supplied input is stored and then rendered within a web page. Typical entry...
Path Traversal – Reading Certain File Extensions
BigBlueButton 2.5.6 is vulnerable to path traversal, which allows an attacker with a valid starting folder path to traverse and read other files without authentication, provided the files have one of certain extensions (txt, swf, svg, png). PoC: 1- Submit a request to...
Reflected Cross Site Scripting in Search Functionality of Module Library
Description Hello Team, Hope you are doing well. I have found a reflected cross site scripting vulnerability in search functionality present in the module library section. What is reflected cross site scripting? Reflected cross-site scripting or XSS arises when an application receives data in an...
Unauthenticated, Stored XSS to RCE via SNMP Trap
Description LibreNMS offers the ability to handle SNMP traps as documented here. One of the SNMP trap handlers called HPFault creates an event with the message "Fault - Unhandled ..." when receiving a trap with an unknown type. The type of this event is set to the received, unknown type, which is...
Stored HTML Injection in Edit Customers
Description HTML injection is a vulnerability in which the attacker can inject malicious HTML content into the web page. Proof of Concept 1. Open the Edit Customers tab and click Edit customer 2. Inject this payload in the Name field: TEST TEST TEST, then click Save 3. Go to the profile page of this...
Path Traversal - Download remote files by exploiting the backup functionality (Authenticated)
Description The vulnerability found in the backup system allows an Administrator of the CMS to download any file on the remote file system, not only backup files, by exploiting a path traversal. The vulnerability does not require any user interaction and is very simple to exploit. Proof of Conce...
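Both traversal reports above (the BigBlueButton extension-restricted read and the backup download) share the same root cause: the requested path is joined to a base directory without checking where it ends up. The following is an added example, not code from either project: the extension-only check that the BigBlueButton report describes, beside a confined reader that canonicalises the path and rejects anything outside the base directory. The directory layout and file contents are constructed for the demo.

```python
import os
import tempfile

# Extension allow-list taken from the BigBlueButton report above.
ALLOWED_EXT = {".txt", ".swf", ".svg", ".png"}


def read_ext_only(base_dir, requested):
    """Vulnerable pattern: only the extension is checked, so '../' walks out of
    base_dir as long as the target ends in an allowed extension."""
    if os.path.splitext(requested)[1].lower() not in ALLOWED_EXT:
        raise PermissionError("extension not allowed")
    path = os.path.join(base_dir, requested)  # '../' (or an absolute path) survives the join
    with open(path, "rb") as fh:
        return fh.read()


def read_confined(base_dir, requested):
    """Hardened: canonicalise (symlinks included) and require the result to stay
    inside base_dir before looking at the extension or touching the file."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes base directory")
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXT:
        raise PermissionError("extension not allowed")
    with open(target, "rb") as fh:
        return fh.read()


def build_demo_tree():
    """Constructed layout: <tmp>/public/hello.txt is meant to be servable,
    <tmp>/private/creds.txt is the file a traversal would reach. Returns the public dir."""
    tmp = tempfile.mkdtemp()
    public = os.path.join(tmp, "public")
    private = os.path.join(tmp, "private")
    os.makedirs(public)
    os.makedirs(private)
    with open(os.path.join(public, "hello.txt"), "wb") as fh:
        fh.write(b"public content\n")
    with open(os.path.join(private, "creds.txt"), "wb") as fh:
        fh.write(b"db_password=hunter2\n")
    return public


if __name__ == "__main__":
    public = build_demo_tree()
    print(read_ext_only(public, "../private/creds.txt"))  # leaks creds.txt
    try:
        read_confined(public, "../private/creds.txt")
    except PermissionError as exc:
        print("blocked:", exc)
```

Note that the check compares canonical paths, not strings: a naive `target.startswith(root)` would accept a sibling directory such as `/srv/public2` when the root is `/srv/public`, and skipping realpath would let a symlink inside the base directory point anywhere.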
Stored Cross-Site Scripting (XSS)
Description There is insufficient input validation in the pop-up notifications. Proof of Concept Steps to reproduce: 1. Log in to an admin account 2. Click on Services - Services Templates 3. Create a new Service Template with the name alert(document.location) 4. The XSS is triggered when the...
Stored Cross-site scripting
Description Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept Visit: http:///phpmyfaq/admin/?action=meta Click the Add template meta data button Inject the payload in the Page type field: "alert"XSS"...
Weak Password Requirement
Description We can change the password to just one character using the change-password function. Proof of Concept When you change the password, just type a single character and submit. Your password has been changed...
Reflected Cross-Site Scripting in search
Description Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept 1. Go to your phpMyFAQ site and visit http:///phpmyfaq/index.php?search= 2. Inject the payload into the search parameter: 1af"+onclick='alert...
Stored XSS
Description WebCalendar has a feature to add an event and display its location. This feature leads to stored XSS every time a user opens the calendar or the event detail page. Proof of Concept 1. Log in as a user 2. Create an event 3. Insert the payload in the "location" field 4. Save 5. ...
Use After Free in function qf_get_curlist
Description Use After Free in function qf_get_curlist at quickfix.c:1932. vim version (git log): commit bf72e0c67f26ea7c8fd941fdd1533c24c7b6cb43 (grafted, HEAD -> master, tag: v9.0.0792, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc14huaf.dat...
Blind SSRF When Inserting a Presentation
Description BigBlueButton was found to directly invoke URLs provided by clients without checking the validity of the URL. An attacker is able to make requests to services on the local host, and even to use a file URL, although an exception occurs due to an incorrect ca...
Floating point exception in function num_divide at eval
Floating point exception in function num_divide at eval.c:70...
Use After Free in function bt_quickfix
Description Use After Free in function bt_quickfix at buffer.c:5715. vim version (git log): commit 3f0092c141824356b55b11cd3985baaf4df65334 (grafted, HEAD -> master, tag: v9.0.0777, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc13huaf.dat -c :qa!...
Account Takeover
Description A malicious actor can set up a website on the vercel.app domain, then change the subdomain to something containing "modrinth". This allows an open redirect on https://api.modrinth.com/v2/auth/init?url=ATTACKERURL, allowing theft of the GitHub token whic...
heap-buffer-overflow in function inc at misc2.c
Description heap-buffer-overflow in function inc at misc2.c:356:6 vim version (git log): commit ba43e76fcd5b2da57dbaa4d9a555793fe8ac344e (HEAD -> master, tag: v9.0.0747, origin/master, origin/HEAD) Proof of Concept ./src/vim -u NONE -X -Z -e -s -S ./poc -c ':qa!'...
Denial of Service in proxy by redirecting to own host
Description It is possible to partially interrupt the proxy in the backend by redirecting to the same URL again. Proof of Concept On a server or API-mocking website, implement a rule that redirects all requests to the following URL: https://diagrams.net/proxy?url=https://attacker.com...
Server Side Request Forgery Via DNS Rebinding
Description Appsmith below v1.8.1 was discovered to allow attackers to perform an authenticated Server-Side Request Forgery (SSRF) via the DNS rebinding technique to reach the AWS internal metadata endpoint and retrieve data. Proof of Concept...
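The blind-SSRF report above (local-host services, file URLs) and this DNS-rebinding report are two sides of the same validation problem: the URL's scheme and destination address have to be checked, and the address that was checked has to be the one actually connected to. The following is an added example, not code from BigBlueButton or Appsmith: a scheme allow-list, a public-address check, a fetch that re-resolves the hostname (and so is rebindable), and a pinned fetch that connects to the validated address. DNS is replaced by a constructed resolver that changes its answer between lookups, which is exactly what a rebinding attack does with a low-TTL record; the URLs and addresses are made up for the demo.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file:, gopher:, etc. never reach the fetcher


def is_public_address(ip_text):
    """True only for globally routable addresses. Loopback, RFC 1918, link-local
    (169.254.169.254 is the cloud metadata endpoint), multicast and reserved are out."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _parse(url):
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("scheme not allowed or host missing: %r" % url)
    return parts


def naive_connect_target(url, resolve):
    """Vulnerable: one lookup for the check, a second lookup for the connection.
    An attacker-controlled DNS server answers the second one differently."""
    parts = _parse(url)
    if not is_public_address(resolve(parts.hostname)):
        raise ValueError("host resolves to a non-public address")
    return resolve(parts.hostname)  # <- rebinding happens here


def pinned_connect_target(url, resolve):
    """Hardened: resolve once, validate that address, and connect to that exact
    address (sending the original hostname in the Host header / SNI)."""
    parts = _parse(url)
    ip = resolve(parts.hostname)
    if not is_public_address(ip):
        raise ValueError("host resolves to a non-public address")
    return ip


class RebindingResolver:
    """Constructed stand-in for DNS: returns the answers in order, repeating the last.
    With a short TTL, a real rebinding attack looks exactly like this."""

    def __init__(self, answers):
        self._answers = list(answers)
        self._calls = 0

    def __call__(self, hostname):
        idx = min(self._calls, len(self._answers) - 1)
        self._calls += 1
        return self._answers[idx]


if __name__ == "__main__":
    url = "http://attacker.example/latest/meta-data/"
    print(naive_connect_target(url, RebindingResolver(["93.184.216.34", "169.254.169.254"])))
    print(pinned_connect_target(url, RebindingResolver(["93.184.216.34", "169.254.169.254"])))
```

Two practical caveats: a real HTTP client must be told to connect to the pinned IP while keeping the hostname for Host and TLS verification, and every redirect hop must go through the same validation, since a public host can simply answer with `Location: http://169.254.169.254/`.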
Moderators can perform Time based SQL injection attack.
The POST API endpoint /api/chat/users/setenabled is vulnerable to a time-based blind SQL injection via the body parameter 'userId'. It allows a Moderator to read, modify or delete entries in the SQLite database. A Moderator can leak the stream key to access the admin dashboard. Proof of concept...
heap-buffer-overflow in function skipwhite
Description heap-buffer-overflow in function skipwhite at charset.c:1706:12 vim version (git log): commit 56564964e6d0956c29687e8a10cb94fe42f5c097 (HEAD -> master, tag: v9.0.0719, origin/master, origin/HEAD) Proof of Concept /home/mist/fuzz/vim/vim/src/vim -u NONE -X -Z -e -s -S poc1 -c :qa...
POST Based Reflected Cross Site Scripting in installation page
Description The installation page in Elgg ≤ v4.3.3 is vulnerable to a Cross-Site Scripting attack via the 'dataroot' parameter. Steps to Reproduce 1. Freshly install Elgg on your web server and proceed to the "Database Installation Page". 2. Enter the following payload in the "Data Directory" field and fil...
Multiple SQL Injections
Description User input is inserted directly into a SQL query in multiple places when duplicating contacts/leads. Proof of Concept For a PoC, we are going to use Leads, although the other vulnerabilities will probably work analogously. Since the input is not directly displayed to the user, we will...
Reflected Cross-Site Scripting due to Improper Sanitization
Description User input that is reflected in a JavaScript context is not properly sanitized. The user input is reflected inside a single-quoted string, and single quotes are encoded. However, there is an issue with the entity removing HTML tags that prevents single quotes from being encoded. Thi...
Deserialization of arbitrary data leads to RCE
Description LibreNMS includes support for monitoring applications, one of which is memcached. When polling for memcached, the data returned by the agent to the LibreNMS server is not verified before it is deserialized. Because LibreNMS has quite a few dependencies, it is easy to find a working...
Broken Access Controls in Patient Files
Description An authenticated user without document access has the ability to directly access any document in the system by using a URL similar to this: http://domain/openemr/controller.php?document&retrieve&patientid=2&documentid=19. The auto-increment identifier was also susceptible to being...
File Upload Type Validation Error
Description The upload functionality does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (e.g. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS...
Improper Name Validation in Upload Document Form
Description The name of any uploaded document can be manipulated using the destination parameter to include newline characters in its name, breaking the execution of the JS code in the "New Documents" section of the "Miscellaneous" menu, which will be blank until the document is removed from the DB. Proof of...
Reflected Cross-Site Scripting in Front Payment CC
Description The frontpaymentcc.php file was not properly encoding the cardHolderName and zip parameters when the AuthorizeNet mode is sent. The response was a JSON string including unparsed values that will probably be sent with a text/html Content-Type header, leaving it vulnerable to XSS. Proof of...
Multiple Reflected Cross-Site Scripting in Messages Module
Description The first occurrence affects the messages.php file. The stage parameter was not properly encoded before being printed as HTML. This occurs when the go parameter is set to the setup value. The second instance affects the save.php file. There was a POST parameter called parameter in JSON format that wa...
Origin validation Bypass
In the following Python script:
    if request.method in ('POST', 'PUT', 'PATCH', 'DELETE'):
        origin = request.headers.get('Origin', None)
        if origin and not origin.startswith(request.base):
            raise cherrypy.HTTPError(403, 'Unexpected Origin header')
Explanation: In the above lines of code, the origin is being...
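The Origin check above and the Modrinth account-takeover report earlier on this page (a redirect target accepted because its subdomain merely contains "modrinth") fail for the same reason: a URL is validated by string prefix or substring instead of by comparing its parsed components. The following is an added example, not code from rdiffweb or Modrinth, showing both weak checks beside exact-match versions built on urlsplit. The base URL, the allow-listed host and all the test URLs are hypothetical.

```python
from urllib.parse import urlsplit

BASE = "https://rdiffweb.example"        # hypothetical value of request.base
REDIRECT_HOSTS = {"modrinth.com"}         # hypothetical allow-list for the redirect target

_DEFAULT_PORT = {"http": 80, "https": 443}


def origin_ok_prefix(origin, base=BASE):
    """The check from the report: a plain prefix match.
    'https://rdiffweb.example.attacker.tld' starts with the base and passes."""
    return origin.startswith(base)


def redirect_ok_substring(url):
    """A 'contains the brand name' check, as the account-takeover report describes."""
    return "modrinth" in url


def _endpoint(url):
    """(scheme, host, port) triple with the default port filled in. Raises ValueError
    on a malformed port, which callers treat as a rejection."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORT.get(scheme)


def origin_ok_exact(origin, base=BASE):
    """Hardened: the Origin header must name exactly the server's scheme, host and port."""
    try:
        return _endpoint(origin) == _endpoint(base)
    except ValueError:
        return False


def redirect_ok_allowlist(url, allowed_hosts=REDIRECT_HOSTS):
    """Hardened: parse the target and compare its hostname against an allow-list.
    urlsplit().hostname already strips userinfo, so 'https://modrinth.com@attacker.tld'
    is seen as attacker.tld."""
    try:
        scheme, host, _ = _endpoint(url)
    except ValueError:
        return False
    return scheme in ("http", "https") and host in allowed_hosts


if __name__ == "__main__":
    evil_origin = "https://rdiffweb.example.attacker.tld"
    print(origin_ok_prefix(evil_origin), origin_ok_exact(evil_origin))        # True False
    evil_target = "https://modrinth-login.vercel.app/steal"
    print(redirect_ok_substring(evil_target), redirect_ok_allowlist(evil_target))  # True False
```

If several hosts are legitimate, keep them in an explicit set as above rather than matching a suffix; suffix matching reintroduces the lookalike problem through `attacker-modrinth.com`-style registrations.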
Stored Cross Site Scripting (XSS) in parameter rp4wp[heading_text]
Description The Related Posts for WordPress plugin is vulnerable to stored XSS, specifically in the rp4wp[heading_text] parameter, because the user input is not properly sanitized, allowing the insertion of JavaScript code that can exploit the vulnerability. Proof of Concept 1 - Install and activate...
Password Reset Poisoning
Description Elgg uses the HTTP Host header in a password reset request to generate the password reset link that is sent to the user in an email, without any filters or checks. This allows an attacker to craft a password reset request using a manipulated Host header, resulting in reset-token leakag...
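An added example of the mechanism this report describes, not code from Elgg: a link builder that copies the request's Host header into the emailed URL, beside one that builds the link from a configured canonical site URL and rejects requests whose Host header is not on an allow-list. The site URL, the allow-list and the reset path are hypothetical.

```python
from urllib.parse import urlsplit

SITE_URL = "https://elgg.example"   # hypothetical configured canonical URL
TRUSTED_HOSTS = {"elgg.example"}     # hypothetical Host-header allow-list
RESET_PATH = "/reset?t="             # hypothetical reset path, not Elgg's real one


def reset_link_from_host(headers, token):
    """As the report describes: the link's host is copied from the request, so a
    request sent with 'Host: attacker.tld' mails the victim a link to the attacker,
    who then receives the reset token when the victim clicks it."""
    return "https://" + headers["Host"] + RESET_PATH + token


def reset_link_fixed(headers, token):
    """Hardened: refuse unexpected Host values and never derive the link from them.
    urlsplit('//' + host).hostname drops any port, userinfo or path smuggled into
    the header, so 'elgg.example@attacker.tld' is seen as attacker.tld."""
    host = urlsplit("//" + headers.get("Host", "")).hostname or ""
    if host.lower() not in TRUSTED_HOSTS:
        raise ValueError("untrusted Host header: %r" % headers.get("Host"))
    return SITE_URL + RESET_PATH + token


if __name__ == "__main__":
    print(reset_link_from_host({"Host": "attacker.tld"}, "abc123"))
    try:
        reset_link_fixed({"Host": "attacker.tld"}, "abc123")
    except ValueError as exc:
        print("rejected:", exc)
```

The Host allow-list is best enforced once at the web server or framework level, but the decisive fix is the second line of the hardened function: the emailed link is never derived from request data at all.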
Insufficient Session Expiration
Description Active sessions are not invalidated after a password change or after an admin resets the user's password. Proof of Concept Steps to reproduce: 1. Log in to Elgg with any user 2. Do the same in another browser or a private window, such that there are two different active sessions 3...
Php Remote file Inclusion and RCE
Description FlatPress has a file upload feature ("uploader") and displays the files from the "media manager". By uploading PHP files, users can perform a PHP remote file inclusion attack and gain RCE. Copy the following code and save it as test.Php (note the uppercase). Proof of Concept test.Php test 1. Log in to...
Stored XSS via SVG File
Description FlatPress has a file upload feature ("uploader") and displays the files from the "media manager". By uploading SVG files, users can perform a stored XSS attack. Copy the following code and save it as filename.svg. Proof of Concept alert(document.domain) 1. Log in to...
Using application logic to create an email spam attack
Description On every 3 invalid attempts, the application sends a new code to the email associated with the account. An attacker can misuse this functionality to create a spam attack. Proof of Concept Pre-requisites: 2FA must be enabled for your account 1 Go to...
2FA bypass
Description An attacker is able to bypass 2FA due to a logic flaw in the application. Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/general 2 Your account is set to [email protected] as the primary email 3 Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa and click on "Enable 2FA" 4 A...
Stored XSS and possible RCE/LFI in case of misconfiguration
Description phpMyFAQ has a feature to restore the entire application from a backup. An attacker with admin rights can export the configuration and re-upload the same file, bypassing all backend sanitization and controls. Proof of Concept XSS 1. Log in as admin 2. Go to the backup page 3. Creat...
XSS on external links
Description This vulnerability allows an administrator to create a malicious external link. Proof of Concept As an admin user - Go to http://172.16.128.131/front/link.form.php?id=1 - Create an external link and set javascript:alert(1) as the value of the link - Assign this link to budgets, for example. As a...
SSRF in feeds
Description By looking at this URL: https://github.com/glpi-project/glpi/security/advisories/GHSA-rqgx-gqhp-x8vv, I understand that an SSRF was possible in the URL of the RSS feed, and in fact this has been fixed. However, I found a bypass of CVE-2022-36112. Proof of Concept To trigger the bug,...
Path Traversal (CWE-22) leak sensitive data
Description Successful exploitation of a path traversal could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server. Proof of Concept Note: If you cannot see the PoC image, you can follow this link...
Weak password policy : Old password can be set as new password
Description Rdiffweb has a weak password implementation, where a new password set by the user can be the same as the old password. Proof of Concept 1 Go to the https://rdiffweb-demo.ikus-soft.com/prefs/general endpoint 2 Change your password, setting the new password identical to the old one; you will notice...
No length limit on the "Token name" parameter results in DoS / memory corruption
Proof of Concept 1. Go to the https://rdiffweb-dev.ikus-soft.com/prefs/tokens endpoint. 2. You will see a field called "Token name". 3. Here you will see that there is no limit on the "Token name" parameter, which allows a user to set a very long string, as long as 1 million characters. 4. This may possibl...