4072 matches found

Huntr
added 2022/10/06 3:51 p.m. · 22 views

Multiple Reflected Cross-Site Scripting in Messages Module

Description The first occurrence affects the messages.php file. The parameter stage was not properly encoded before being printed as HTML. This occurs when the go parameter is set to the value setup. The second instance affects the save.php file. There was a POST parameter called parameter in JSON format that wa...

CVSS 5.8 · AI score 6.5 · EPSS 0.00639
Exploits 1
Huntr
added 2022/10/06 9:26 a.m. · 24 views

Origin validation Bypass

In the following Python script: if request.method in ('POST', 'PUT', 'PATCH', 'DELETE'): origin = request.headers.get('Origin', None); if origin and not origin.startswith(request.base): raise cherrypy.HTTPError(403, 'Unexpected Origin header') Explanation: In the above lines of code, the origin is being...

CVSS 7.5 · AI score 0.1 · EPSS 0.00317
Exploits 0
Huntr
added 2022/10/05 2:49 p.m. · 23 views

Stored Cross Site Scripting (XSS) in parameter rp4wp[heading_text]

Description The Related Posts for WordPress plugin is vulnerable to stored XSS, specifically in the rp4wp[heading_text] parameter, because the user input is not properly sanitized, allowing the insertion of JavaScript code that can exploit the vulnerability. Proof of Concept 1 - Install and activate...

CVSS 4.9 · AI score 5.5 · EPSS 0.01113
Exploits 1
Huntr
added 2022/10/04 1:47 p.m. · 18 views

Password Reset Poisoning

Description Elgg uses the HTTP Host header in a password reset request to generate the password reset link that is sent to the user in an email, without any filters or checks. This allows an attacker to craft a password reset request using a manipulated Host header, resulting in reset-token leakag...

AI score 7.2
Exploits 0 · References 1
Huntr
added 2022/10/04 1:44 p.m. · 11 views

Insufficient Session Expiration

Description Active sessions are not invalidated after a password change or after an admin resets the user's password. Proof of Concept Steps to reproduce: 1. Log in to Elgg with any user 2. Do the same in another browser or a private window, such that there are two different active sessions 3...

AI score 1.9
Exploits 0 · References 1
Huntr
added 2022/10/04 1:34 p.m. · 132 views

PHP Remote File Inclusion and RCE

Description flatpress has a feature to upload files ("uploader") and display them from the "media manager". By uploading PHP files, users can perform a PHP remote file inclusion attack and gain RCE. Copy the following code and save it as test.Php (note the uppercase). Proof of Concept test.Php test 1. Login to...

CVSS 7.5 · AI score 9.6 · EPSS 0.35435
Exploits 1
Huntr
added 2022/10/04 1:09 p.m. · 29 views

Stored XSS via SVG File

Description flatpress has a feature to upload files ("uploader") and display them from the "media manager". By uploading SVG files, users can perform a stored XSS attack. Copy the following code and save it as filename.svg. Proof of Concept alertdocument.domain 1. Login to...

CVSS 4.9 · AI score 5.8 · EPSS 0.00535
Exploits 1
Huntr
added 2022/10/03 12:40 p.m. · 20 views

Using application logic to create an email spam attack

Description On every 3 invalid attempts the application sends a new code to the email associated with the account. An attacker can misuse this functionality of the code to create a spam attack. Proof of Concept Pre-requisites: 2FA must be enabled for your account. 1 Go to...

CVSS 7.5 · AI score 0.6 · EPSS 0.00345
Exploits 0
Huntr
added 2022/10/03 12:22 p.m. · 10 views

2FA bypass

Description An attacker is able to bypass 2FA due to a logic flaw in the application. Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/general 2 Your account is set to [email protected] as primary email 3 Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa and click on "Enable 2FA" 4 A...

AI score 0.3
Exploits 0
Huntr
added 2022/10/03 11:10 a.m. · 215 views

Stored XSS and possible RCE/LFI in case of misconfiguration

Description phpmyfaq has a feature to restore the entire application from a backup. An attacker with admin grant can export the configuration and re-upload the same file, bypassing all the backend sanitization and controls. Proof of Concept XSS 1. - Login as admin 2. - Go to backup page 3. - Creat...

CVSS 5.4 · AI score 0.3 · EPSS 0.00918
Exploits 1
Huntr
added 2022/10/03 8:29 a.m. · 10 views

XSS on external links

Description This vulnerability allows an administrator to create an evil external link. Proof of Concept As an admin user - Go to http://172.16.128.131/front/link.form.php?id=1 - Create an external link and put as value for the link javascript:alert1 - Assign this link to budgets example As a...

AI score 0.1
Exploits 0
Huntr
added 2022/10/02 6:56 p.m. · 26 views

SSRF in feeds

Description By looking at this URL: https://github.com/glpi-project/glpi/security/advisories/GHSA-rqgx-gqhp-x8vv, I understand that an SSRF was possible in the URL of the RSS feed, and in fact this has been fixed. However, I found a bypass to CVE-2022-36112. Proof of Concept To trigger the bug,...

EPSS 0.00459
Exploits 0
Huntr
added 2022/10/01 4:40 a.m. · 53 views

Path Traversal (CWE-22) leaks sensitive data

Description Successful exploitation of path traversal could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server. Proof of Concept Note: If you cannot see the PoC image, you can follow this link...

CVSS 5 · AI score 2.3 · EPSS 0.00997
Exploits 1
Huntr
added 2022/09/30 3:04 p.m. · 15 views

Weak password policy: old password can be set as new password

Description Rdiffweb has a weak password implementation, where a new password set by the user can be the same as the old password. Proof of Concept 1 Go to the https://rdiffweb-demo.ikus-soft.com/prefs/general endpoint 2 Change your password. Set your new password similar to the old password; you will notice...

CVSS 5 · AI score 4.6 · EPSS 0.00672
Exploits 1 · References 1
Huntr
added 2022/09/29 7:45 p.m. · 32 views

No limit in length of "Token name" parameter results in DoS attack / memory corruption

Proof of Concept 1 Go to the https://rdiffweb-dev.ikus-soft.com/prefs/tokens endpoint. 2 You will see a field called "Token name". 3 Here you will see that there is no limit for the "Token name" parameter, which allows a user to set a very long string, as long as 1 million characters. 4 This may possibl...

CVSS 5 · AI score 1.4 · EPSS 0.00983
Exploits 1
Huntr
added 2022/09/29 7:32 p.m. · 19 views

No limit in length of "Fullname" parameter results in DoS attack / memory corruption

Proof of Concept 1 Go to the https://rdiffweb-dev.ikus-soft.com/prefs/general endpoint. 2 You will see a field called "Fullname". 3 Here you will see that there is no limit for the "Fullname" parameter, which allows a user to set a very long string, as long as 1 million characters. 4 This may possibly...

CVSS 5 · AI score 1.9 · EPSS 0.00971
Exploits 1
Huntr
added 2022/09/29 7:25 p.m. · 22 views

Attacker is able to bypass 2FA verification during 2FA disable due to application logic flaw

Description An attacker is able to bypass 2FA verification during the 2FA disable function of a user and restrict the user from accessing his account, due to an application logic flaw. Proof of Concept First of all, let us consider a scenario where a user has left his account open on a public device, library or...

CVSS 4.3 · AI score 1.1 · EPSS 0.00809
Exploits 1
Huntr
added 2022/09/29 7:07 p.m. · 15 views

No notification triggered on sensitive actions like 2FA enable/disable

Description 2FA enable/disable is a sensitive action. As the application triggers a notification on all sensitive actions like email change/password reset, 2FA is also an important security feature to be notified about. Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa 2 Do a...

CVSS 7.5 · AI score 1.3 · EPSS 0.0075
Exploits 0
Huntr
added 2022/09/29 7:00 p.m. · 16 views

Session does not expire on password reset

Description On changing the password, both the session from which the user changes the password and the old sessions in any other browser or device do not expire and remain active. Proof of Concept 1. Go to https://rdiffweb-dev.ikus-soft.com/login/ and log into the same account using browsers A and B 2. From Browser B...

CVSS 7.5 · AI score 7.8 · EPSS 0.00876
Exploits 1 · References 1
Huntr
added 2022/09/29 6:36 p.m. · 29 views

No rate limit on email triggering during "resend email" action results in email flooding or a spam attack or a financial loss to the company itself

Description When a user is setting up 2FA, a verification code will be sent to the registered email. There is no rate limit on email triggering, which will result in an email flood / DoS attack or will also increase the expenses on your mail server, as an attacker can send 1 million emails throug...

CVSS 7.5 · AI score 0.1 · EPSS 0.00598
Exploits 0
Huntr
added 2022/09/29 6:15 p.m. · 11 views

Hyperlink injection leads to redirect victim to malicious website

Description Hyperlink injection is when an attacker injects a malicious link when sending an email invitation. Proof of Concept 1 Go to https://rdiffweb-dev.ikus-soft.com/prefs/general 2 Set your full name as "Your account has been hacked please visit evil.com" 3 Save changes 4 Perform any activi...

CVSS 5.8 · AI score 1.1 · EPSS 0.00492
Exploits 1 · References 2
Huntr
added 2022/09/29 4:11 p.m. · 23 views

XSS vulnerability in Button module

Steps 1. Visit https://demo.microweber.org 2. Click option 'Modules' in the left list 3. Click and go into the 'Button' 4. Click the 'edit url' and enter the following javascript alert1 Proof of Concept Video javascript https://1drv.ms/v/s!Ai0UEGpMIb9scRgdvmX1sBCQu4A...

CVSS 4.9 · AI score 5.6 · EPSS 0.00519
Exploits 1
Huntr
added 2022/09/29 1:44 p.m. · 6 views

Stored XSS in Django Admin Portal

Description Django-treebeard suffers from a stored XSS in the TreeAdmin class when certain preconditions are met. The XSS is triggered when a privileged user visits a page in the Django admin portal. In order to successfully exploit this vulnerability, three preconditions should occur: 1. 1 a Djan...

AI score 0.2
Exploits 0
Huntr
added 2022/09/27 7:28 p.m. · 6 views

Add Client function is vulnerable to stored HTML injection

Description HTML injection, also termed "virtual defacement", is one of the simplest and most common vulnerabilities; it arises when the web page fails to sanitize the user-supplied input or validate the output, which thus allows the attacker to craft his payloads and inject the malicio...

AI score 0.7
Exploits 0
Huntr
added 2022/09/27 11:29 a.m. · 12 views

CSV Injection in CSV files generated by the backend

Description Formula elements are not sanitized before being added to CSV reports. This leads to CSV formula injection. Proof of Concept Steps to reproduce: 1. Log in to Snipe-IT & create a new Asset with arbitrary values. For the Asset Tag enter =1+1 Screenshot 1 2. Go to Reports - Custom Asset Repor...

Exploits 0 · References 3
Huntr
added 2022/09/27 8:53 a.m. · 26 views

Use After Free in function did_set_string_option

Description Use After Free in function did_set_string_option at optionstr.c:2456. vim version (git log): commit 8279af514ca7e5fd3c31cf13b0864163d1a0bfeb (grafted, HEAD -> master, tag: v9.0.0598, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...

CVSS 4.4 · AI score 7.8 · EPSS 0.00489
Exploits 1
Huntr
added 2022/09/26 11:44 p.m. · 8 views

Stored Cross-Site Scripting (XSS) via direct link to attachments

Description The XSS is related to this previous report. The fix to prevent XSS in uploaded attachments is insufficient, as there is no mitigation when accessing attachments via a direct link. Proof of Concept Steps to reproduce: 1. Log in to Inventree 2. Click on Parts. Add a new Category and...

AI score 1.3
Exploits 0
Huntr
added 2022/09/26 6:52 p.m. · 14 views

Bypassing application logic to set a blank password

Description As you may observe, rdiffweb strictly has a password policy which prompts that the password should be between 8 and 128 characters. But the application does not filter blank spaces used in a password. Proof of Concept 1 Go to https://rdiffweb-demo.ikus-soft.com/prefs/gener...

CVSS 4 · AI score 0.2 · EPSS 0.0055
Exploits 1 · References 1
Huntr
added 2022/09/26 4:32 p.m. · 21 views

No password confirmation on sensitive action like email change

Description It is important to implement password checks on sensitive features like email change. Proof of Concept 1 Go to https://rdiffweb-demo.ikus-soft.com/login/ 2 Use the credentials admin, admin123 and log into your account 3 Navigate to the endpoint...

CVSS 7.5 · AI score 7 · EPSS 0.00749
Exploits 0 · References 1
Huntr
added 2022/09/26 3:51 p.m. · 11 views

Stored XSS

Description openemr has a feature to customize the "Text in the login box"; due to bad sanitization it allows putting in some HTML tags like the "form" scheme, which allows executing JavaScript code. 1. Login as user glpi/glpi admin user 2. Go to HOME-SETUP-GENERAL...

AI score 7.2
Exploits 0
Huntr
added 2022/09/25 11:48 a.m. · 24 views

Stack-based Buffer Overflow in function win_redr_ruler

Description Stack buffer overflow in function win_redr_ruler at drawscreen.c:799. vim version (git log): commit ec1238b4068d0d6d9d02ac1a8e61720224a1be73 (grafted, HEAD -> master, tag: v9.0.0582, origin/master, origin/HEAD) Proof of Concept poc download url:...

CVSS 4.4 · AI score 7.7 · EPSS 0.00487
Exploits 1
Huntr
added 2022/09/24 11:47 a.m. · 21 views

No limit in "title" length while adding SSH key results in memory consumption/DoS attack

Description There must be a fixed length for user input parameters like "title" while adding an SSH key. Allowing users to enter long strings may result in a DoS attack or memory corruption. Proof of Concept 1 Go to the https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys endpoint. 2 Click on add SSH key...

CVSS 5 · AI score 1.9 · EPSS 0.00924
Exploits 1
Huntr
added 2022/09/24 7:38 a.m. · 14 views

Stored Cross-Site Scripting (XSS) in the parameters "host", "desc", "group" and "newgroup" of the section "Webmin Servers Index"

Description In Webmin version 2.001 it was identified in the "Webmin Servers Index" section that the data collected from the user in the "host", "desc", "group" and "newgroup" parameters is not properly sanitized, thus allowing potential attackers to insert JavaScript code that enables exploitatio...

AI score 1.4
Exploits 0
Huntr
added 2022/09/24 5:36 a.m. · 15 views

No limit in length of root directory name results in memory consumption/DoS attack

Description There must be a fixed length for user input parameters like the root directory name. Allowing users to enter long strings may result in a DoS attack or memory corruption. Proof of Concept 1 Go to the https://rdiffweb-demo.ikus-soft.com/admin/users endpoint. 2 Click on add user 3 Here you will se...

CVSS 5 · AI score 2.6 · EPSS 0.00917
Exploits 1
Huntr
added 2022/09/23 2:25 p.m. · 14 views

Stored XSS in Notifications

Description It is possible to create a notification with stored XSS, which can result in JavaScript code execution. Notifications can only be created while logged in as a user with admin privileges, but once a notification is created any user can see it. Proof of Concept Create a notification with...

CVSS 5.8 · AI score 1.5 · EPSS 0.00451
Exploits 0
Huntr
added 2022/09/23 10:30 a.m. · 28 views

No limit in length of username results in memory consumption/DoS attack

Description There must be a fixed length for user input parameters like username. Allowing users to enter long strings may result in a DoS attack or memory corruption. Proof of Concept 1 Go to the https://rdiffweb-demo.ikus-soft.com/admin/users endpoint. 2 Click on add user 3 Here you will see that ther...

CVSS 5 · AI score 1.9 · EPSS 0.00701
Exploits 1
Huntr
added 2022/09/22 6:09 p.m. · 23 views

Improper cache control allows attacker to view sensitive data

Description Due to improper cache control, an attacker can view sensitive information even if he is not logged into the account. Proof of Concept 1 Go to https://rdiffweb-demo.ikus-soft.com/login/ and log into your account using the given credentials 2 Go to...

CVSS 2.1 · AI score 0.8 · EPSS 0.00493
Exploits 1 · References 1
Huntr
added 2022/09/22 3:58 p.m. · 28 views

Stack-based Buffer Overflow in function ex_finally

Description stack-buffer-overflow in the ex_finally function. Proof of Concept https://raw.githubusercontent.com/xiowane/testfile/main/test ASAN console ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /src/results/crashes/test -c :qa! =================================================================...

CVSS 4.4 · AI score 7.6 · EPSS 0.00513
Exploits 1 · References 1
Huntr
added 2022/09/22 3:37 p.m. · 33 views

No rate limit on old password parameter allows attacker to brute-force the existing password and set a new password

Description There is no rate limit on the password change feature at https://rdiffweb-demo.ikus-soft.com/prefs/general, which allows an attacker to brute-force the old password and set a new password for the account. Proof of Concept 1 Go to https://rdiffweb-demo.ikus-soft.com/prefs/general 2 Here y...

CVSS 7.5 · EPSS 0.00441
Exploits 1 · References 1
Huntr
added 2022/09/22 2:35 p.m. · 22 views

No limit in email length may result in a possible DoS attack

Description As per the RFC, the maximum length allowed for an email address is 255 characters. However, rdiffweb doesn't validate email length, so you can add email addresses that exceed 255 characters. Through this, if you sign up for an email with a length of 1 million or more and log in, withdraw, or...

CVSS 5 · AI score 0.7 · EPSS 0.0139
Exploits 1 · References 1
Huntr
added 2022/09/22 6:50 a.m. · 17 views

Virtual defacement allows attacker to display any message of his choice

Description This attack involves injecting malicious data into a page of a web application to feed misleading information to users of the application. This kind of attack is known as virtual defacement because the actual content hosted on the target's web server is not modified. The defacement is...

CVSS 2.8 · AI score 1.2 · EPSS 0.00538
Exploits 1 · References 1
Huntr
added 2022/09/22 12:41 a.m. · 29 views

Use After Free in function process_next_cpt_value

Description Use After Free in function process_next_cpt_value at insexpand.c:3227. vim version (git log): commit 5c645a25bb8e6d766db720a44b9ceeff39d1e92b (HEAD -> master, tag: v9.0.0538, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc11huaf.dat -...

CVSS 4.4 · AI score 7.7 · EPSS 0.00482
Exploits 1
Huntr
added 2022/09/21 7:28 p.m. · 18 views

Mass Assignment leads to Stored XSS

Description The application is vulnerable to mass assignment in the User object. A user is able to enable their own account and change their username. The username is not properly sanitized in the admin user overview, leading to a stored XSS attack. Proof of Concept Steps to reproduce: 1. Log in...

CVSS 4.9 · AI score 5.5 · EPSS 0.33968
Exploits 1 · References 1
Huntr
added 2022/09/21 7:23 p.m. · 14 views

Insufficient Session Expiration

Description Active user sessions are not invalidated when that user is disabled. Proof of Concept Steps to reproduce: 1. Log in with an admin account. 2. Create a test user with the user role Normal & enable that user 3. Log in with the test user in a separate browser or private browser window 4...

CVSS 7.5 · AI score 0.9 · EPSS 0.00598
Exploits 0 · References 1
Huntr
added 2022/09/21 7:22 p.m. · 13 views

Multiple Authenticated Remote Code Execution Vulnerabilities in Admin Panel

Description An attacker with administrative privileges in the openEMR application can execute arbitrary code on the server (remote code execution, RCE). This was tested in openEMR version 7.0.0 (1) but also affects previous versions of openEMR. Proof of Concept First of all, start a netcat listener on...

AI score 1.5
Exploits 0
Huntr
added 2022/09/21 6:20 p.m. · 14 views

Stored Cross-Site Scripting (XSS)

Description There is insufficient input validation in the pop-up notifications. Proof of Concept Steps to reproduce: 1. Log in to an admin account 2. Click on Ports - Manage Groups 3. Create a new Port Group with the Name alertdocument.location and an arbitrary Description 4. The XSS is triggered...

CVSS 4.3 · AI score 0.8 · EPSS 0.93343
Exploits 0
Huntr
added 2022/09/21 6:16 p.m. · 21 views

Stored Cross-Site Scripting (XSS)

Description There is insufficient input validation in the title of user notifications. Proof of Concept Steps to reproduce: 1. Log in to an admin account 2. Hover over the username & click on Notifications 3. Create a new notification with the Title alertdocument.location and an arbitrary message...

CVSS 4.9 · AI score 1.1 · EPSS 0.93712
Exploits 0
Huntr
added 2022/09/21 1:58 p.m. · 26 views

CSRF to change the email ID

Description The change email ID feature is vulnerable to CSRF. The attacker can change the email ID of the user. Proof of Concept 1. Log into the application https://rdiffweb-demo.ikus-soft.com. 2. Open the URL...

CVSS 3.5 · AI score 0.3 · EPSS 0.00375
Exploits 1
Huntr
added 2022/09/20 6:53 p.m. · 15 views

Normal user can set himself or any other user to admin role

Description Improper access control on the API endpoint AddUserToRole can allow a regular user to escalate his privileges to admin. Affected code: [Authorize(Roles = Roles.User)] [HttpPost] public async Task AddUserToRole([FromQuery] string username, string role) { var results = await...

AI score 0.2
Exploits 0
Huntr
added 2022/09/20 1:41 p.m. · 14 views

Secure token is missing when invalid URL is entered

Description The sessionid cookie does not have the Secure attribute when the URL is invalid. Proof of Concept 1. Log into the application. 2. Send the request https://rdiffweb-demo.ikus-soft.com/browse/admin/MyWindowsLaptop/D/TC3080/test...

CVSS 5 · AI score 0.7 · EPSS 0.00396
Exploits 1
Total number of security vulnerabilities: 4072