Multiple Reflected Cross-Site Scripting in Messages Module
Description The first occurrence affects the messages.php file. The parameter stage was not properly encoded before being printed as HTML. This occurs when the go parameter is set to the setup value. The second instance affects the save.php file. There was a POST parameter called parameter in JSON format that wa...
Origin validation bypass
Description In the following Python script:

if request.method in ('POST', 'PUT', 'PATCH', 'DELETE'):
    origin = request.headers.get('Origin', None)
    if origin and not origin.startswith(request.base):
        raise cherrypy.HTTPError(403, 'Unexpected Origin header')

Explanation: In the above lines of code, the origin is being...
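The two weaknesses in the quoted check, shown side by side with a stricter comparison. This is an added example, not code from the report or from rdiffweb; the base URL and allow-list are constructed values, and `origin_ok_prefix` is a stand-in for the quoted `startswith` logic.

```python
from urllib.parse import urlsplit

# Constructed values for the demonstration; the real deployment's base URL is unknown.
BASE = "https://rdiffweb.example.com"
ALLOWED_ORIGINS = {"https://rdiffweb.example.com"}


def origin_ok_prefix(origin, base=BASE):
    """The check quoted in the report, rebuilt as a function.

    Two gaps: any Origin that merely *starts with* the base URL passes, and a
    request with no Origin header at all passes because of the `origin and` guard.
    """
    if origin and not origin.startswith(base):
        return False
    return True


def origin_ok_exact(origin, allowed=ALLOWED_ORIGINS):
    """Hardened check: the header is mandatory on state-changing requests and
    must match an allow-listed scheme://host[:port] exactly."""
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # rejects "null", bare hostnames and malformed values
    if parts.path or parts.query or parts.fragment:
        return False  # a genuine Origin header carries no path component
    return f"{parts.scheme}://{parts.netloc}".lower() in allowed


def compare(origins):
    """Return {origin: (prefix_result, exact_result)} for a list of candidate headers."""
    return {o: (origin_ok_prefix(o), origin_ok_exact(o)) for o in origins}


if __name__ == "__main__":
    for origin, (loose, strict) in compare([
        "https://rdiffweb.example.com",               # legitimate
        "https://rdiffweb.example.com.attacker.tld",  # prefix-match bypass
        "https://rdiffweb.example.com:8443",          # different port, also a prefix
        None,                                         # header omitted entirely
        "null",                                       # sandboxed iframe / redirect chain
    ]).items():
        print(f"{str(origin):45} prefix={loose!s:5} exact={strict}")
```

The attacker-controlled hostname in the second case is a registrable subdomain of a domain the attacker owns, so the prefix check accepts it with no collusion from the real site.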
Stored Cross Site Scripting (XSS) in parameter rp4wp[heading_text]
Description The Related Posts for WordPress plugin is vulnerable to stored XSS, specifically in the rp4wp[heading_text] parameter, because the user input is not properly sanitized, allowing the insertion of JavaScript code that can exploit the vulnerability. Proof of Concept 1 - Install and activate...
Password Reset Poisoning
Description Elgg uses the HTTP Host header in a password reset request to generate the password reset link that is sent to the user in an email, without any filters or checks. This allows an attacker to craft a password reset request using a manipulated Host header, resulting in reset-token leakag...
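The fix pattern for this class of bug is to never derive the link's origin from the request: use a configured canonical URL and treat the Host header only as something to validate. This is an added example, not Elgg code; the hostnames and the `/reset?token=` path are constructed stand-ins.

```python
from urllib.parse import quote, urlsplit

# Constructed deployment settings; a real application reads these from its config.
CANONICAL_BASE = "https://elgg.example.com"
ALLOWED_HOSTS = {"elgg.example.com"}


def reset_link_from_host(host_header, token):
    """The pattern the report describes: the Host header is trusted verbatim,
    so whoever controls that header controls where the token is delivered."""
    return f"https://{host_header}/reset?token={quote(token, safe='')}"


def host_from_header(host_header):
    """Extract the hostname from a Host header, dropping any port and
    handling bracketed IPv6 literals. Returns None for an absent header."""
    if not host_header:
        return None
    # Prefixing '//' lets urlsplit parse the value as a network location.
    return urlsplit("//" + host_header).hostname


def reset_link_canonical(host_header, token):
    """Hardened version: the link is always built from the configured base URL,
    and a Host header outside the allow-list is rejected outright so a poisoned
    request never reaches the mailer."""
    host = host_from_header(host_header)
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host_header!r}")
    return f"{CANONICAL_BASE}/reset?token={quote(token, safe='')}"


if __name__ == "__main__":
    token = "dGVzdC10b2tlbg"  # constructed opaque token
    print(reset_link_from_host("attacker.tld", token))          # poisoned link
    print(reset_link_canonical("elgg.example.com:443", token))  # safe link
```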
Insufficient Session Expiration
Description Active sessions are not invalidated after a password change or after an admin resets the user's password. Proof of Concept Steps to reproduce: 1. Log in to Elgg with any user 2. Do the same in another browser or a private window, such that there are two different active sessions 3...
PHP remote file inclusion and RCE
Description flatpress has a feature to upload files ("uploader") and display them from the "media manager". By uploading PHP files, users can perform a PHP remote file inclusion attack and gain RCE. Copy the following code and save as test.Php (note the uppercase). Proof of Concept test.Php test 1. Login to...
Stored XSS via SVG File
Description flatpress has a feature to upload files ("uploader") and display them from the "media manager". By uploading SVG files, users can perform a stored XSS attack. Copy the following code and save as filename.svg. Proof of Concept alert(document.domain) 1. Login to...
Using application logic to create an email spam attack
Description On every 3 invalid attempts the application sends a new code to the email associated with the account. An attacker can misuse this functionality to create a spam attack. Proof of Concept Pre-Requisites: 2FA must be enabled for your account 1 Go to...
2FA bypass
Description An attacker is able to bypass 2FA due to a logic flaw on the application Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/general 2 Your account is set to [email protected] as primary email 3 Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa and click on "Enable 2FA" 4 A...
Stored XSS and possible RCE/LFI in case of misconfiguration
Description phpmyfaq has a feature to restore the entire application from a backup. An attacker with admin rights can export the configuration and re-upload the same file, bypassing all the backend sanitization and controls. Proof of Concept XSS 1. - login as admin 2. - go to backup page 3. - Creat...
XSS on external links
Description This vulnerability allows an administrator to create an evil external link. Proof of Concept As an admin user - Go to http://172.16.128.131/front/link.form.php?id=1 - Create an external link and put as value for the link javascript:alert(1) - Assign this link to budgets example As a...
SSRF in feeds
Description By looking at this URL: https://github.com/glpi-project/glpi/security/advisories/GHSA-rqgx-gqhp-x8vv, I understand that an SSRF was possible in the URL of the RSS feed, and in fact this has been fixed. However, I found a bypass to CVE-2022-36112. Proof of Concept To trigger the bug,...
Path Traversal (CWE-22) leak sensitive data
Description Successful exploitation of path traversal could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server. Proof of Concept Note: If you cannot see the PoC image, you can follow this link...
Weak password policy: old password can be set as new password
Description Rdiffweb has a weak password implementation, where a new password set by the user can be the same as the old password. Proof of Concept 1 Go to the https://rdiffweb-demo.ikus-soft.com/prefs/general endpoint 2 Change your password. Set your new password the same as the old password; you will notice...
No limit in length of "Token name" parameter results in DoS attack / memory corruption
Proof of Concept 1. Go to the https://rdiffweb-dev.ikus-soft.com/prefs/tokens endpoint. 2. You will see a field called "Token name". 3. Here you will see that there is no limit for the "Token name" parameter, which allows a user to set a very long string, as long as 1 million characters. 4. This may possibl...
No limit in length of "Fullname" parameter results in DoS attack / memory corruption
Proof of Concept 1. Go to the https://rdiffweb-dev.ikus-soft.com/prefs/general endpoint. 2. You will see a field called "Fullname". 3. Here you will see that there is no limit for the "Fullname" parameter, which allows a user to set a very long string, as long as 1 million characters. 4. This may possibly...
Attacker is able to bypass 2FA verification during 2FA disable due to application logic flaw
Description An attacker is able to bypass 2FA verification in the 2FA disable function of a user and restrict the user from accessing his account due to an application logic flaw. Proof of Concept First of all, let us consider a scenario where a user has left his account open on a public device (library or...
No notification triggered on sensitive actions like 2FA enable/disable
Description 2FA enable/disable is a sensitive action. As the application triggers a notification on all sensitive actions like email change/password reset, 2FA is also an important security feature to be notified about. Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa 2 Do a...
Session does not expire on password reset
Description On changing the password, neither the session used to change the password nor old sessions in any other browser or device expire; all remain active. Proof of Concept 1. Go to https://rdiffweb-dev.ikus-soft.com/login/ and log into the same account using browser A and B 2. From Browser B...
No rate limit on email triggering during "resend email" action results in email flooding or a spam attack or a financial loss to the company itself
Description When a user is setting up 2FA, a verification code will be sent to the registered email. There is no rate limit on email triggering, which will result in an email flood / DoS attack or will also increase the expenses on your mail server, as an attacker can send 1 million emails throug...
Hyperlink injection leads to redirect victim to malicious website
Description Hyperlink injection is when an attacker injects a malicious link when sending an email invitation. Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/general 2 Set your full name as "Your account has been hacked please visit evil.com" 3 Save changes 4 Perform any activi...
XSS vulnerability in Button module
Steps 1. Visit https://demo.microweber.org 2. Click option 'Modules' in the left list 3. Click and go into the 'Button' 4. Click the 'edit url' and enter the following: javascript:alert(1) Proof of Concept Video https://1drv.ms/v/s!Ai0UEGpMIb9scRgdvmX1sBCQu4A...
Stored XSS in Django Admin Portal
Description Django-treebeard suffers from a stored XSS in the TreeAdmin class when certain preconditions are met. The XSS is triggered when a privileged user visits a page in the Django admin portal. In order to successfully exploit this vulnerability, three pre-conditions should occur: 1. 1 a Djan...
Add Client function is vulnerable to stored HTML injection
Description HTML injection, also termed "virtual defacement", is one of the simplest and most common vulnerabilities; it arises when the web page fails to sanitize the user-supplied input or validate the output, which allows the attacker to craft his payloads and inject the malicio...
CSV Injection in CSV files generated by the backend
Description Formula elements are not sanitized before being added to CSV reports. This leads to CSV formula injection. Proof of Concept Steps to reproduce: 1. Log in to Snipe-IT & create a new Asset with arbitrary values. For the Asset Tag enter =1+1 Screenshot 1 2. Go to Reports - Custom Asset Repor...
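The usual server-side mitigation is to neutralize any string cell that a spreadsheet would interpret as a formula before it reaches the CSV writer. This is an added example, not Snipe-IT code; the asset rows are constructed sample data and the `=1+1` cell is the report's own payload.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets treat as the
# start of a formula (the tab and carriage return variants survive trimming
# in some importers, so they are included too).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a formula-like string with a single quote so spreadsheets render it
    as literal text. Non-string values (ints, floats, None) are returned untouched,
    which keeps legitimate negative numbers from being turned into text."""
    if not isinstance(value, str):
        return value
    # Check the first non-whitespace character: " =1+1" is still a formula.
    if value.lstrip()[:1] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_csv(header, rows):
    """Write a report to a CSV string with every user-controlled cell neutralized.
    csv.writer handles quoting of delimiters and embedded double quotes."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed asset rows; the first tag is the payload from the report,
    # the second is a DDE-style payload that would launch a local program.
    rows = [
        ["=1+1", "Laptop", -5],
        ["=cmd|' /C calc'!A0", "Desktop", 3],
        ["LPT-0042", "Laptop", 7],
    ]
    print(export_csv(["Asset Tag", "Name", "Quantity"], rows), end="")
```

The single-quote prefix is what spreadsheet applications themselves use to force text, so the cell still displays as `=1+1` to the user; the trade-off is that the exported value is no longer byte-identical to what was entered, which matters if the CSV is re-imported by a script rather than opened in a spreadsheet.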
Use After Free in function did_set_string_option
Description Use After Free in function did_set_string_option at optionstr.c:2456. vim version git log commit 8279af514ca7e5fd3c31cf13b0864163d1a0bfeb grafted, HEAD - master, tag: v9.0.0598, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Stored Cross-Site Scripting (XSS) via direct link to attachments
Description This XSS is related to the previous report. The fix to prevent XSS in uploaded attachments is insufficient, as there is no mitigation when accessing attachments via a direct link. Proof of Concept Steps to reproduce: 1. Log in to Inventree 2. Click on Parts. Add a new Category and...
Bypassing application logic to set a blank password
Description As you may observe, rdiffweb strictly has a password policy which states that the password should be between 8 and 128 characters. But the application does not filter blank spaces used in a password. Proof of Concept 1 Go to https://rdiffweb-demo.ikus-soft.com/prefs/gener...
No password confirmation on sensitive action like email change
Description It is important to implement password checks on sensitive features like email change. Proof of Concept 1 Go to https://rdiffweb-demo.ikus-soft.com/login/ 2 Use the credentials admin, admin123 and log into your account 3 Navigate to the endpoint...
Stored XSS
Description openemr has a feature to customize the "Text in the login box"; due to bad sanitization it allows HTML tags like "form" to be inserted, which allows executing JavaScript code. 1. login as user glpi/glpi admin user 2. go to HOME-SETUP-GENERAL...
Stack-based Buffer Overflow in function win_redr_ruler
Description Stack Buffer Overflow in function win_redr_ruler at drawscreen.c:799. vim version git log commit ec1238b4068d0d6d9d02ac1a8e61720224a1be73 grafted, HEAD - master, tag: v9.0.0582, origin/master, origin/HEAD Proof of Concept poc download url:...
No limit in "title" length while adding SSH key results in memory consumption / DoS attack
Description There must be a fixed length for user input parameters like "title" when adding an SSH key. Allowing users to enter long strings may result in a DoS attack or memory corruption. Proof of Concept 1. Go to the https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys endpoint. 2. Click on add SSH key...
Stored Cross-Site Scripting (XSS) in the parameters "host", "desc", "group" and "newgroup" of the section "Webmin Servers Index"
Description In Webmin version 2.001 it was identified in the "Webmin Servers Index" section that the data collected from the user in the "host", "desc", "group" and "newgroup" parameters is not properly sanitized thus allowing potential attackers to insert JavaScript code that enables exploitatio...
No limit in length of root directory name results in memory consumption / DoS attack
Description There must be a fixed length for user input parameters like the root directory name. Allowing users to enter long strings may result in a DoS attack or memory corruption. Proof of Concept 1. Go to the https://rdiffweb-demo.ikus-soft.com/admin/users endpoint. 2. Click on add user 3. Here you will se...
Stored XSS in Notifications
Description It is possible to create a notification with stored XSS which can result in the JavaScript code execution. Notifications can only be created while logged in on user with admin privileges, but once notification is created any user can see it. Proof of Concept Create notification with...
No limit in length of username results in memory consumption / DoS attack
Description There must be a fixed length for user input parameters like username. Allowing users to enter long strings may result in a DoS attack or memory corruption. Proof of Concept 1. Go to the https://rdiffweb-demo.ikus-soft.com/admin/users endpoint. 2. Click on add user 3. Here you will see that ther...
Improper Cache control allows attacker to view sensitive data
Description Due to improper cache control, an attacker can view sensitive information even if he is not logged into the account. Proof of Concept 1 Go to https://rdiffweb-demo.ikus-soft.com/login/ and log into your account using the given credentials 2 Go to...
Stack-based Buffer Overflow in function ex_finally
Description stack-buffer-overflow in ex_finally function Proof of Concept https://raw.githubusercontent.com/xiowane/testfile/main/test ASAN console ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /src/results/crashes/test -c :qa! =================================================================...
No rate limit on old password parameter allows attacker to bruteforce the existing password and set a new password
Description There is no rate limit on the password change feature on https://rdiffweb-demo.ikus-soft.com/prefs/general, which allows an attacker to bruteforce the old password and set a new password for the account. Proof of Concept 1 Go to https://rdiffweb-demo.ikus-soft.com/prefs/general 2 Here y...
No limit in email length may result in a possible DoS attack
Description As per RFC the maximum length allowed for an email address is 255 characters. However, rdiffweb doesn't validate email length, so you can add email addresses that exceed 255 characters. Through this, if you sign up for an email with a length of 1 million or more and log in, withdraw, or...
Virtual defacement allows attacker to display any message of his choice
Description This attack involves injecting malicious data into a page of a web application to feed misleading information to users of the application. This kind of attack is known as virtual defacement because the actual content hosted on the target's web server is not modified. The defacement is...
Use After Free in function process_next_cpt_value
Description Use After Free in function process_next_cpt_value at insexpand.c:3227. vim version git log commit 5c645a25bb8e6d766db720a44b9ceeff39d1e92b HEAD - master, tag: v9.0.0538, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc11huaf.dat -...
Mass Assignment leads to Stored XSS
Description The application is vulnerable to mass assignment in the User object. A user is able to enable their own account and change their username. The username is not properly sanitized in the admin user overview, leading to a stored XSS attack. Proof of Concept Steps to reproduce: 1. Log in...
Insufficient Session Expiration
Description Active user sessions are not invalidated when that user is disabled. Proof of Concept Steps to reproduce: 1. Log in with an admin account. 2. Create a test user with the user role Normal & enable that user 3. Log in with the test user in a separate browser or private browser window 4...
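The session-expiration reports above (sessions surviving a password change, an admin reset, and a user being disabled) share one fix: tie every session to the state of its user at issue time and re-check that state on each request. This is an added example, not code from rdiffweb, Inventree or any project on this page; the store is an in-memory stand-in and the timestamps are passed in explicitly so the behaviour is deterministic.

```python
import secrets


class SessionStore:
    """Minimal session registry that revokes sessions on credential change or
    account disable. A real deployment would back this with a database or cache,
    but the two checks in `is_valid` are the whole mechanism."""

    def __init__(self):
        self.sessions = {}  # sid -> (username, issued_at)
        self.users = {}     # username -> {"enabled": bool, "credentials_changed_at": float}

    def add_user(self, username):
        self.users[username] = {"enabled": True, "credentials_changed_at": 0.0}

    def login(self, username, now):
        """Issue a fresh random session id stamped with its issue time."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, now)
        return sid

    def is_valid(self, sid):
        """A session is live only if its user still exists, is enabled, and
        has not changed credentials since the session was issued."""
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        username, issued_at = entry
        user = self.users.get(username)
        if user is None or not user["enabled"]:
            return False
        return issued_at >= user["credentials_changed_at"]

    def change_password(self, username, now, keep_sid=None):
        """Self-service change: every other session dies, the current one is
        re-stamped so the user is not logged out mid-flow. An admin reset calls
        this with keep_sid=None, which revokes all sessions."""
        self.users[username]["credentials_changed_at"] = now
        if keep_sid is not None and self.sessions.get(keep_sid, (None, 0))[0] == username:
            self.sessions[keep_sid] = (username, now)

    def disable_user(self, username):
        """Disabling takes effect on the next request from any existing session."""
        self.users[username]["enabled"] = False


def scenario():
    """Walk through the three reported cases; returns the validity of each session
    after the relevant action so the outcome can be checked."""
    store = SessionStore()
    store.add_user("alice")
    browser_a = store.login("alice", now=100)
    browser_b = store.login("alice", now=101)

    # Alice changes her password from browser B.
    store.change_password("alice", now=200, keep_sid=browser_b)
    after_change = (store.is_valid(browser_a), store.is_valid(browser_b))

    # An admin resets the password: no session is kept.
    store.change_password("alice", now=300)
    after_admin_reset = (store.is_valid(browser_a), store.is_valid(browser_b))

    # Alice logs in again, then an admin disables the account.
    browser_c = store.login("alice", now=400)
    store.disable_user("alice")
    after_disable = store.is_valid(browser_c)

    return {"after_change": after_change,
            "after_admin_reset": after_admin_reset,
            "after_disable": after_disable}


if __name__ == "__main__":
    print(scenario())
```

Comparing issue time against a per-user "credentials changed" watermark avoids having to enumerate and delete sessions, which matters when sessions live in a cache that cannot be queried by user.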
Multiple Authenticated Remote Code Execution Vulnerabilities in Admin Panel
Description An attacker with administrative privileges in the openEMR application can execute arbitrary code on the server (remote code execution, RCE). This was tested in openEMR version 7.0.0 1 but also affects previous versions of openEMR. Proof of Concept First of all, start a netcat listener on...
Stored Cross-Site Scripting (XSS)
Description There is insufficient input validation in the pop-up notifications. Proof of Concept Steps to reproduce: 1. Log in to an admin account 2. Click on Ports - Manage Groups 3. Create a new Port Group with the Name alert(document.location) and an arbitrary Description 4. The XSS is triggered...
Stored Cross-Site Scripting (XSS)
Description There is insufficient input validation in the title of user notifications. Proof of Concept Steps to reproduce: 1. Log in to an admin account 2. Hover over the username & click on Notifications 3. Create a new notification with the Title alert(document.location) and an arbitrary message...
CSRF to change the email id
Description The change email ID function is vulnerable to CSRF. The attacker can change the email ID of the user. Proof of Concept 1. Log into the application https://rdiffweb-demo.ikus-soft.com. 2. Open the URL...
Normal user can set himself or any other user to admin role
Description Improper access control on the API endpoint AddUserToRole can allow a regular user to escalate his privileges to admin. Affected code:

[Authorize(Roles = Roles.User)]
[HttpPost]
public async Task AddUserToRole([FromQuery] string username, string role)
{
    var results = await...
Secure attribute is missing when an invalid URL is entered
Description The cookie sessionid does not have the Secure attribute when the URL is invalid. Proof of Concept 1. Log into the application. 2. Send the request https://rdiffweb-demo.ikus-soft.com/browse/admin/MyWindowsLaptop/D/TC3080/test...