No limit in length of "Fullname" parameter results in DoS attack / memory corruption
Proof of Concept 1. Go to the https://rdiffweb-dev.ikus-soft.com/prefs/general endpoint. 2. You will see a field called "Fullname". 3. Here you will see that there is no limit for the "Fullname" parameter, which allows a user to set a very long string, as long as 1 million characters. 4. This may possibly...
Attacker is able to bypass 2FA verification during 2FA disable due to application logic flaw
Description An attacker is able to bypass 2FA verification during the 2FA disable function of a user and restrict the user from accessing his account due to an application logic flaw. Proof of Concept First of all, let us consider a scenario where a user has left his account open on a public device, library or...
No notification triggered on sensitive actions like 2FA enable/disable
Description 2FA enable/disable is a sensitive action. As the application triggers a notification on all sensitive actions like email change/password reset, 2FA is also an important security feature to be notified about. Proof of Concept 1. Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa 2. Do a...
Session does not expire on password reset
Description On changing the password, neither the session used to change the password nor old sessions in any other browser or device expire; they remain active. Proof of Concept 1. Go to https://rdiffweb-dev.ikus-soft.com/login/ and log in to the same account using browsers A and B. 2. From browser B...
No rate limit on email triggering during "resend email" action results in email flooding, a spam attack, or a financial loss to the company itself
Description When a user is setting up 2FA, a verification code will be sent to the registered email. There is no rate limit on email triggering, which will result in an email flood / DoS attack and will also increase the expenses on your mail server, as an attacker can send 1 million emails throug...
Hyperlink injection leads to redirecting victim to malicious website
Description Hyperlink injection is when an attacker injects a malicious link when sending an email invitation. Proof of Concept 1. Go to https://rdiffweb-dev.ikus-soft.com/prefs/general 2. Set your full name as "Your account has been hacked please visit evil.com" 3. Save changes. 4. Perform any activi...
XSS vulnerability in Button module
Steps 1. Visit https://demo.microweber.org 2. Click the option 'Modules' in the left list. 3. Click and go into 'Button'. 4. Click 'edit url' and enter the following: javascript:alert(1) Proof of Concept Video: https://1drv.ms/v/s!Ai0UEGpMIb9scRgdvmX1sBCQu4A...
Stored XSS in Django Admin Portal
Description Django-treebeard suffers from a stored XSS in the TreeAdmin class when certain preconditions are met. The XSS is triggered when a privileged user visits a page in the Django admin portal. In order to successfully exploit this vulnerability, three preconditions must hold: 1. a Djan...
Add Client function is vulnerable to stored HTML injection
Description HTML injection, also termed "virtual defacement", is one of the simplest and most common vulnerabilities; it arises when the web page fails to sanitize user-supplied input or validate the output, which allows the attacker to craft payloads and inject malicio...
CSV Injection in CSV files generated by the backend
Description Formula elements are not sanitized before being added to CSV reports. This leads to CSV formula injection. Proof of Concept Steps to reproduce: 1. Log in to Snipe-IT and create a new Asset with arbitrary values. For the Asset Tag enter =1+1 (Screenshot 1). 2. Go to Reports - Custom Asset Repor...
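The defensive side of the report above, as an added example that is not Snipe-IT's own code: a CSV exporter that neutralises cells a spreadsheet would evaluate as a formula. The column names and the sample asset rows are constructed for this example; the payloads include the =1+1 tag from the report and a DDE-style one.

```python
"""Added example (not Snipe-IT code): neutralise spreadsheet formula
injection when writing user-controlled values into a CSV export."""
import csv
import io

# Characters that make Excel/LibreOffice treat a cell as a formula. Tab and
# CR are included because some importers strip leading whitespace before
# deciding whether the cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value) -> str:
    """Return a cell value that cannot be interpreted as a formula.

    Non-string values are stringified. A leading trigger character is
    prefixed with a single quote, which spreadsheets treat as "literal text".
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_assets(rows) -> str:
    """Write asset rows to CSV text with every cell neutralised.

    `rows` is an iterable of dicts with the keys below (constructed for this
    example, not Snipe-IT's schema). QUOTE_ALL keeps commas and newlines in
    values from breaking the row structure.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["asset_tag", "name", "serial"],
                            quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralise_cell(row.get(k)) for k in writer.fieldnames})
    return buf.getvalue()


# Constructed sample data: the =1+1 payload from the report, a DDE-style
# payload, and a benign row whose serial happens to start with "-".
SAMPLE_ASSETS = [
    {"asset_tag": "=1+1", "name": "Laptop", "serial": "SN-001"},
    {"asset_tag": "@SUM(1+1)*cmd|' /C calc'!A0", "name": "Desk", "serial": "SN-002"},
    {"asset_tag": "A-100", "name": "Monitor", "serial": "-5 inch"},
]

if __name__ == "__main__":
    print(export_assets(SAMPLE_ASSETS))
```

The quote prefix is visible to the user who opens the file, which is the accepted trade-off: the alternative of stripping the leading character silently corrupts legitimate values such as negative numbers.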
Use After Free in function did_set_string_option
Description Use After Free in function did_set_string_option at optionstr.c:2456. vim version (git log): commit 8279af514ca7e5fd3c31cf13b0864163d1a0bfeb (grafted, HEAD -> master, tag: v9.0.0598, origin/master, origin/HEAD). Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Stored Cross-Site Scripting (XSS) via direct link to attachments
Description The XSS is related to this previous report. The fix to prevent XSS in uploaded attachments is insufficient, as there is no mitigation when accessing attachments via a direct link. Proof of Concept Steps to reproduce: 1. Log in to Inventree. 2. Click on Parts. Add a new Category and...
Bypassing application logic to set a blank password
Description As you may observe, rdiffweb has a strict password policy that states the password should be between 8 and 128 characters. But the application does not filter blank spaces used in a password. Proof of Concept 1. Go to https://rdiffweb-demo.ikus-soft.com/prefs/gener...
No password confirmation on sensitive action like email change
Description It is important to implement password checks on sensitive features like email change. Proof of Concept 1. Go to https://rdiffweb-demo.ikus-soft.com/login/ 2. Use the credentials admin / admin123 and log in to your account. 3. Navigate to the endpoint...
Stored XSS
Description openemr has a feature to customize the "Text in the login box"; due to bad sanitization it allows putting in some HTML tags like "form", which allows executing JavaScript code. 1. Log in as the admin user glpi/glpi. 2. Go to HOME-SETUP-GENERAL...
Stack-based Buffer Overflow in function win_redr_ruler
Description Stack Buffer Overflow in function win_redr_ruler at drawscreen.c:799. vim version (git log): commit ec1238b4068d0d6d9d02ac1a8e61720224a1be73 (grafted, HEAD -> master, tag: v9.0.0582, origin/master, origin/HEAD). Proof of Concept poc download url:...
No limit on "title" length while adding SSH key results in memory consumption/DoS attack
Description There must be a fixed length for user input parameters like "title" while adding an SSH key. Allowing users to enter long strings may result in a DoS attack or memory corruption. Proof of Concept 1. Go to the https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys endpoint. 2. Click on add SSH key...
Stored Cross-Site Scripting (XSS) in the parameters "host", "desc", "group" and "newgroup" of the "Webmin Servers Index" section
Description In Webmin version 2.001, it was identified that in the "Webmin Servers Index" section the data collected from the user in the "host", "desc", "group" and "newgroup" parameters is not properly sanitized, thus allowing potential attackers to insert JavaScript code that enables exploitatio...
No limit on length of root directory name results in memory consumption/DoS attack
Description There must be a fixed length for user input parameters like the root directory name. Allowing users to enter long strings may result in a DoS attack or memory corruption. Proof of Concept 1. Go to the https://rdiffweb-demo.ikus-soft.com/admin/users endpoint. 2. Click on add user. 3. Here you will se...
Stored XSS in Notifications
Description It is possible to create a notification with stored XSS, which can result in JavaScript code execution. Notifications can only be created while logged in as a user with admin privileges, but once a notification is created any user can see it. Proof of Concept Create a notification with...
No limit on length of username results in memory consumption/DoS attack
Description There must be a fixed length for user input parameters like username. Allowing users to enter long strings may result in a DoS attack or memory corruption. Proof of Concept 1. Go to the https://rdiffweb-demo.ikus-soft.com/admin/users endpoint. 2. Click on add user. 3. Here you will see that ther...
Improper cache control allows attacker to view sensitive data
Description Due to improper cache control, an attacker can view sensitive information even if he is not logged into the account. Proof of Concept 1. Go to https://rdiffweb-demo.ikus-soft.com/login/ and log in to your account using the given credentials. 2. Go to...
Stack-based Buffer Overflow in function ex_finally
Description stack-buffer-overflow in the ex_finally function. Proof of Concept https://raw.githubusercontent.com/xiowane/testfile/main/test ASAN console: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /src/results/crashes/test -c :qa! =================================================================...
No rate limit on old password parameter allows attacker to bruteforce the existing password and set a new password
Description There is no rate limit on the password change feature at https://rdiffweb-demo.ikus-soft.com/prefs/general, which allows an attacker to bruteforce the old password and set a new password for the account. Proof of Concept 1. Go to https://rdiffweb-demo.ikus-soft.com/prefs/general 2. Here y...
No limit on email length may result in a possible DoS attack
Description As per the RFC, the maximum length allowed for an email address is 255 characters. However, rdiffweb doesn't validate email length, so you can add email addresses that exceed 255 characters. Through this, if you sign up with an email of length 1 million or more and log in, withdraw, or...
Virtual defacement allows attacker to display any message of his choice
Description This attack involves injecting malicious data into a page of a web application to feed misleading information to users of the application. This kind of attack is known as virtual defacement because the actual content hosted on the target's web server is not modified. The defacement is...
Use After Free in function process_next_cpt_value
Description Use After Free in function process_next_cpt_value at insexpand.c:3227. vim version (git log): commit 5c645a25bb8e6d766db720a44b9ceeff39d1e92b (HEAD -> master, tag: v9.0.0538, origin/master, origin/HEAD). Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc11huaf.dat -...
Mass Assignment leads to Stored XSS
Description The application is vulnerable to mass assignment in the User object. A user is able to enable their own account and change their username. The username is not properly sanitized in the admin user overview, leading to a stored XSS attack. Proof of Concept Steps to reproduce: 1. Log in...
Insufficient Session Expiration
Description Active user sessions are not invalidated when that user is disabled. Proof of Concept Steps to reproduce: 1. Log in with an admin account. 2. Create a test user with the user role Normal and enable that user. 3. Log in with the test user in a separate browser or private browser window. 4...
Multiple Authenticated Remote Code Execution Vulnerabilities in Admin Panel
Description An attacker with administrative privileges in the openEMR application can execute arbitrary code on the server (remote code execution, RCE). This was tested in openEMR version 7.0.0 (1) but also affects previous versions of openEMR. Proof of Concept First of all, start a netcat listener on...
Stored Cross-Site Scripting (XSS)
Description There is insufficient input validation in the pop-up notifications. Proof of Concept Steps to reproduce: 1. Log in to an admin account. 2. Click on Ports - Manage Groups. 3. Create a new Port Group with the Name alert(document.location) and an arbitrary Description. 4. The XSS is triggered...
Stored Cross-Site Scripting (XSS)
Description There is insufficient input validation in the title of user notifications. Proof of Concept Steps to reproduce: 1. Log in to an admin account. 2. Hover over the username and click on Notifications. 3. Create a new notification with the Title alert(document.location) and an arbitrary message...
CSRF to change the email ID
Description The change email ID function is vulnerable to CSRF. The attacker can change the email ID of the user. Proof of Concept 1. Log in to the application https://rdiffweb-demo.ikus-soft.com. 2. Open the URL...
Normal user can set himself or any other user to admin role
Description Improper access control on the API endpoint AddUserToRole can allow a regular user to escalate his privileges to admin. Affected code: [Authorize(Roles = Roles.User)] [HttpPost] public async Task AddUserToRoleFromQuery(string username, string role) { var results = await...
Secure attribute is missing when an invalid URL is entered
Description The cookie sessionid does not have the Secure attribute when the URL is invalid. Proof of Concept 1. Log in to the application. 2. Send the request https://rdiffweb-demo.ikus-soft.com/browse/admin/MyWindowsLaptop/D/TC3080/test...
Reflected XSS via rp4wp_parent
Description The rp4wp_parent value is echoed without encoding, leading to reflected XSS. Proof of Concept Install WordPress, install the "Related Posts for WordPress" plugin, then visit the following URL, where localhost is the server hosting the app:...
Use After Free in function movemark
Description Use After Free in function movemark at mark.c:234. vim version (git log): commit bcd6924245c0e73d8be256282656c06aaf91f17c (grafted, HEAD -> master, tag: v9.0.0507, origin/master, origin/HEAD). Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc10huaf.dat -c :qa!...
The settings of repositories are vulnerable to CSRF
Description A malicious user can change the settings of a repository by sending a URL to the victim. Proof of Concept 1. Log in to the application https://rdiffweb-demo.ikus-soft.com/settings/admin/test-encoding. 2. Go to test-encoding. 3. Check that the value of "remove older" is forever. 4. Open...
User can get details of comments that were deleted
Description When a user creates a new record he can add a comment on it. The user is also able to delete the comments, after which the user won't have access to that comment any more (replying, checking what the comment was). This vulnerability allows any user to see what the deleted comment was and...
Privilege escalation from admin and normal user to super admin
Description Lavsms provides 5 types of roles. But the issue is that an admin can escalate to the super admin role for himself as well as for other unprivileged users, even those lower than the admin role. Proof of Concept 1. POST /users/id with a custom payload via an API testing tool like Postman/Insomnia. Ste...
User's session persists after permanently deleting his account
Description If a user is logged in, and an admin decides to delete his account permanently, the user is still able to perform his normal actions until his session expires. If a logged-in user with the admin role is deleted permanently, he's still able to delete other admins permanently, and if...
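The three session reports on this page (sessions surviving a password change, a user disable, and a permanent account delete) share one fix: every issued session carries the user's "session generation" at login time, and any event that must log the user out everywhere bumps the generation so stale sessions fail on their next request. The in-memory store below is an added example, not rdiffweb's, Inventree's or any listed project's code; the User and Session records, the plain-string password hash and the store API are constructed for the example.

```python
"""Added example (not any listed project's code): invalidate all of a user's
sessions on password change, disable or delete with a per-user generation
counter that every session is bound to at login."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    username: str
    password_hash: str      # stand-in string; use a real KDF in production
    generation: int = 0     # bumped whenever all sessions must die
    disabled: bool = False


@dataclass
class Session:
    user: str
    generation: int         # copied from the user at login time
    created: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self):
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, username: str, password_hash: str) -> None:
        self.users[username] = User(username, password_hash)

    def login(self, username: str, password_hash: str) -> str:
        user = self.users.get(username)
        if user is None or user.disabled or user.password_hash != password_hash:
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(32)   # fresh id per login, so no fixation
        self.sessions[sid] = Session(username, user.generation)
        return sid

    def change_password(self, username: str, new_hash: str,
                        keep_sid: Optional[str] = None) -> None:
        """Rotate the hash and invalidate every session except keep_sid."""
        user = self.users[username]
        user.password_hash = new_hash
        user.generation += 1
        sess = self.sessions.get(keep_sid) if keep_sid else None
        if sess is not None and sess.user == username:
            # Re-bind the current session so the user who changed the
            # password stays logged in; every other session is now stale.
            sess.generation = user.generation

    def disable_user(self, username: str) -> None:
        self.users[username].disabled = True
        self.users[username].generation += 1

    def delete_user(self, username: str) -> None:
        del self.users[username]
        # Drop sessions that still reference the deleted account.
        self.sessions = {s: v for s, v in self.sessions.items() if v.user != username}

    def resolve(self, sid: str) -> Optional[User]:
        """Return the user for sid, or None once the session is no longer valid.

        Valid means: the user still exists, is not disabled, and the session's
        generation matches the user's current generation. Stale sessions are
        removed on first sight.
        """
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        user = self.users.get(sess.user)
        if user is None or user.disabled or user.generation != sess.generation:
            self.sessions.pop(sid, None)
            return None
        return user
```

The check runs on every request rather than at logout, which is what makes it work for the disable and delete cases where the victim never gets a logout event; if sessions live in a cookie or external cache, the generation still has to be compared against the user record on each request.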
BoxBilling <=4.22.1.5 - Authenticated Unrestricted File Upload - RCE
Description BoxBilling is vulnerable to unrestricted file upload. In order to exploit the vulnerability, an attacker must have a valid authenticated session as admin on the CMS. With at least 1 product order, an attacker can upload a malicious file containing a webshell to a hidden API endpoint...
Cookie persists in the browser, which leads to Session Fixation
Description After logging in and logging out, the application continues to use the pre-authentication cookies. The cookies are the same after closing the browser and after a password change. Also, the same cookies are reassigned for another user's login, which can lead to session fixation. Proof of...
User can read any series without permission
Description A normal user can access any series without permission if they have access to at least one library. Version: tested on the latest release 0.5.6.0 and on the docker image 'kizaing/kavita:latest', with the image pulled on September 17, 12:30 UTC. Digest:...
CSRF leads to disabling notifications in user's profile
Description Periodic updates of repositories are sent as notifications to the user's email, and the GET request sent to the server for modifying the repository notification settings is accepted by the server, which can lead to disabling notifications through a CSRF attack. Proof of Concept Replace...
Stored XSS via SVG File
Description By uploading SVG files, users can perform a Stored XSS attack. Copy the following code and save it as filename.svg. Proof of Concept alert(document.domain) 1. Log in as a user with upload permission. 2. Upload the payload-injected SVG file at https://demo.inventree.org/order/sales-order/3/ 3...
Cross-Site Request Forgery in Admin area leads to deletion of repositories and users
Description The server accepts GET requests for deleting repositories and users, which can lead to a CSRF attack. Proof of Concept Open the below URL after logging in to the admin account on the demo site. For deleting a repository: replace "replace-here" with a repo name...
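The four CSRF reports on this page (email change, repository settings, notification settings, and admin deletes) all stem from state-changing actions being accepted over GET without any token. The guard below is an added example, not rdiffweb's code; it shows the two rules that close all four: require POST, and require a token bound to the victim's server-side session that a foreign origin cannot read. The Request type, the REPOS table and the keepdays parameter name are constructed for the example.

```python
"""Added example (not rdiffweb's code): a CSRF guard for state-changing
handlers. A cross-site <img> or link can only make GET requests carrying
the victim's cookies, so state changes must be POST and must carry a
per-session token the attacker's origin cannot read."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    form: dict
    session: dict       # server-side session; holds the CSRF token


class CsrfError(Exception):
    pass


def csrf_token(session: dict) -> str:
    """Return the session's CSRF token, minting one on first use. The app
    embeds it as a hidden field in every legitimate form."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def csrf_protect(handler):
    """Decorator: reject non-POST requests and POSTs without a matching token."""
    def wrapper(request: Request, *args, **kwargs):
        if request.method != "POST":
            raise CsrfError("state-changing action requires POST")
        expected = request.session.get("csrf", "")
        supplied = request.form.get("csrf", "")
        # Constant-time comparison; both sides encoded so non-ASCII input
        # cannot make compare_digest raise.
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            raise CsrfError("missing or invalid CSRF token")
        return handler(request, *args, **kwargs)
    return wrapper


# Hypothetical repository-settings table standing in for the real app.
REPOS = {"test-encoding": {"keepdays": "forever"}}


@csrf_protect
def set_keepdays(request: Request) -> dict:
    """Change the 'remove older' setting of a repository (hypothetical handler)."""
    repo = REPOS[request.form["repo"]]
    repo["keepdays"] = request.form["keepdays"]
    return repo


def attempt(method: str, form: dict, session: dict):
    """Run set_keepdays and return the result, or the reason it was blocked."""
    try:
        return set_keepdays(Request(method, form, session))
    except CsrfError as e:
        return str(e)
```

Requiring POST alone is not enough, since an attacker page can auto-submit a cross-site form; the token is what ties the request to a page the victim actually loaded from the application. SameSite cookies are a useful second layer but not a replacement on a deployment that must support older browsers.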
Remote Code Execution (RCE) via Arbitrary File Write and Path Traversal
Description Immich constructs the path, filename, and file extension of uploaded files from improperly sanitized user input. Therefore, the upload function is vulnerable to a path traversal attack leading to arbitrary file write. This can lead to RCE by overwriting JavaScript files. Proof of...
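The fix for the class of bug described above, as an added example that is not Immich's code (Immich is TypeScript; this is Python so the page's examples share one language): each user-controlled component of the destination path is validated on its own, and the normalised result is checked to still lie under the upload root before anything is written. UPLOAD_ROOT, the extension allow-list and the user-id format are assumptions for the example.

```python
"""Added example (not Immich's code): derive an upload destination from
user-supplied filename and extension without letting either escape the
upload root."""
import os
import re
from pathlib import Path

UPLOAD_ROOT = Path("/var/app/upload")                     # assumed root
SAFE_EXT = {"jpg", "jpeg", "png", "heic", "mp4", "mov"}   # assumed allow-list


class UnsafePath(ValueError):
    pass


def sanitize_filename(name: str) -> str:
    """Keep only the last path component, then a conservative character set."""
    base = re.split(r"[\\/]", name)[-1]           # drops ../ and C:\ prefixes
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(".")
    if not base:
        raise UnsafePath("empty filename after sanitising")
    return base[:128]


def upload_path(user_id: str, filename: str, ext: str) -> Path:
    """Return the absolute destination for an upload.

    The extension comes from an allow-list rather than from the request, so
    a '.js' can never be written; the user id and stem are whitelisted; and a
    final containment check after os.path.normpath guards the composition
    itself, so no '..' in any field can redirect the write elsewhere.
    """
    if not re.fullmatch(r"[A-Za-z0-9-]{1,64}", user_id):
        raise UnsafePath("bad user id")
    ext = ext.lower().lstrip(".")
    if ext not in SAFE_EXT:
        raise UnsafePath(f"extension not allowed: {ext!r}")
    stem = Path(sanitize_filename(filename)).stem
    candidate = Path(os.path.normpath(UPLOAD_ROOT / user_id / f"{stem}.{ext}"))
    if os.path.commonpath([str(UPLOAD_ROOT), str(candidate)]) != str(UPLOAD_ROOT):
        raise UnsafePath("path escapes upload root")
    return candidate


def is_safe_upload(user_id: str, filename: str, ext: str) -> bool:
    """Convenience predicate: True if upload_path would accept the input."""
    try:
        upload_path(user_id, filename, ext)
        return True
    except UnsafePath:
        return False
```

Note that the containment check uses the normalised path, not Path.resolve(), so it does not follow symlinks; if the upload root can contain symlinks created by users, resolve the candidate first and compare against the resolved root as well.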
Full Account Takeover via Improper Authorization
Description Immich does not check for admin privileges when setting account passwords. This allows any user to set the password for any account, thus allowing privilege escalation by admin account takeover. Proof of Concept Steps to reproduce: 1. Log in to a non-admin account. 2. Obtain all user...
Stored Cross-Site Scripting (XSS) on Schedule Maintenance "Title" parameter
Description A Stored Cross-Site Scripting (XSS) vulnerability in LibreNMS v22.8.0 allows attackers to execute arbitrary JavaScript code in the browser, via the "Title" parameter of the "Schedule Maintenance" function. Proof of Concept 1 - Click "Alerts", then click "Schedule Maintenance" from the...