Lucene search
K

4072 matches found

Huntr
Huntr
•added 2022/09/20 8:24 a.m.•16 views

Reflected XSS via rp4wp_parent

Description The rp4wpparent value is echoed without encoding, leading to reflected XSS. Proof of Concept Install wordpress, install the "Related Posts for WordPress" plugin, then visit the following URL, where localhost is the server hosting the app:...

0.5AI score
Exploits0
Huntr
Huntr
•added 2022/09/20 1:45 a.m.•22 views

Use After Free in function movemark

Description Use After Free in function movemark at mark.c:234. vim version git log commit bcd6924245c0e73d8be256282656c06aaf91f17c grafted, HEAD - master, tag: v9.0.0507, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc10huaf.dat -c :qa!...

4.4CVSS7.8AI score0.00464EPSS
Exploits1
Huntr
Huntr
•added 2022/09/19 2:51 p.m.•21 views

The settings of repositories is vulnerable to CSRF

Description The malicious user can change the settings of repository by sending the URL to the victim. Proof of Concept 1.Login into the application https://rdiffweb-demo.ikus-soft.com/settings/admin/test-encoding . 2.Go to test-encoding. 3.Check that the value of remove older is forever. 4.Open...

4.3CVSS0.2AI score0.00319EPSS
Exploits1
Huntr
Huntr
•added 2022/09/19 1:36 p.m.•13 views

User can get details of the comments that were deleted

Description When a user creates a new record he can add a comment on it. The user is also able to delete the comments after which the user wont be having access to that comment like replying, checking what the comment was. This vulnerability allows any user to see what the deleted comment was and...

0.4AI score
Exploits0
Huntr
Huntr
•added 2022/09/19 12:10 a.m.•23 views

Privilege escalation from admin and normal user to super admin

Description Lavsms provides 5 types of roles. But the issue is admin can escalate to the super admin role for himself as well as for other un-privileged users too even lower than the admin role. Proof of Concept 1. POST /users/id with custom payload via API Testing tool like postman/Insomnia. Ste...

1AI score
Exploits0
Huntr
Huntr
•added 2022/09/18 11:50 a.m.•29 views

User's session persist after permanently deleting his account

Description If a user is logged in, and an admin decided to delete his account permanently, the user is still able to perform his normal actions until his session gets expired. If a logged in user with admin role is deleted permanently, he's still able to delete other admins permanently, and if...

6.5CVSS1.5AI score0.00385EPSS
Exploits0
Huntr
Huntr
•added 2022/09/18 11:31 a.m.•232 views

BoxBilling <=4.22.1.5 - Authenticated Unrestricted File Upload - RCE

Description BoxBilling was vulnerable to Unrestricted File Upload. In order to exploit the vulnerability, an attacker must have a valid authenticated session as admin on the CMS. With at least 1 order of product an attacker can upload malicious file to hidden API endpoint that contain a webshell...

5.8CVSS0.1AI score0.44002EPSS
Exploits7References2
Huntr
Huntr
•added 2022/09/18 8:54 a.m.•21 views

Cookie is persisting in the browser which leads to Session Fixation

Description After logging in and logging out, the application continues to use the preauthentication cookies. The cookies are same after closing the browser and after password change .And also same cookies are reassigning for another user's login which can leads to session fixation. Proof of...

7.5CVSS0.9AI score0.00727EPSS
Exploits1References1
Huntr
Huntr
•added 2022/09/17 1:20 p.m.•10 views

User can read any series without permission

Description A normal user can access any series without permission if they have access to at least one library. Version Tested on latest release 0.5.6.0 and on docker image 'kizaing/kavita:latest', with image pulled on September 17, 12:30 UTC Digest:...

Exploits0
Huntr
Huntr
•added 2022/09/16 2:49 p.m.•19 views

CSRF leads to disabling notifications in users profile

Description Periodic updates of repositories were sent as notifications to the user's email and here GET request sent to the server for modifying repository notifications settings is accepted by the server, which can lead to disabling notifications through a CSRF attack. Proof of Concept Replace...

4.3CVSS0.9AI score0.00316EPSS
Exploits1References1
Huntr
Huntr
•added 2022/09/16 9:43 a.m.•24 views

Stored XSS via SVG File

Description By uploading SVG files, the users can perform Stored XSS attack. Copy the following code and save as filename.svg. Proof of Concept alertdocument.domain 1 Login as user with upload permission. 2 upload the payload injected SVG file at https://demo.inventree.org/order/sales-order/3/ 3...

4.9CVSS5.8AI score0.00601EPSS
Exploits1
Huntr
Huntr
•added 2022/09/16 8:1 a.m.•24 views

Cross Site Request Forgery in Admin area leads to deletion of repositories and users

Description Server accepts the GET request for deleting repositories and users which can lead to CSRF attack on repositories'. Proof of Concept Open the below URL after logging in to the admin account in demo site. For deleting Repository : Replace "replace-here" with a repo name...

4.3CVSS1AI score0.00331EPSS
Exploits1References1
Huntr
Huntr
•added 2022/09/15 11:31 p.m.•31 views

Remote Code Execution (RCE) via Arbitrary File Write and Path Traversal

Description Immich constructs the path, filename, and file extension of uploaded files from improperly sanitized user input. Therefore, the upload function is vulnerable to a path traversal attack leading to arbitrary file write. This can lead to RCE by overwriting JavaScript files. Proof of...

0.5AI score
Exploits0References1
Huntr
Huntr
•added 2022/09/15 11:27 p.m.•19 views

Full Account Takeover via Improper Authorization

Description Immich does not check for admin privileges when setting account passwords. This allows any user to set the password for any account, thus allowing privilege escalation by admin account takeover. Proof of Concept Steps to reproduce: 1. Login to a non admin account 2. Obtain all user...

1.9AI score
Exploits0References1
Huntr
Huntr
•added 2022/09/15 3:29 p.m.•17 views

Stored Cross-Site Scripting (XSS) on Schedule Maintenance "Title" parameter

Description Stored Cross-Site Scripting XSS vulnerability in LibreNMS v22.8.0 allows attackers to execute arbitrary javascript code in the browser affected from function of "Schedule Maintenance" in "Title" parameter. Proof of Concept 1 - Click "Alerts" Click "Schedule Maintenance" from the...

4.9CVSS5.2AI score0.00551EPSS
Exploits2
Huntr
Huntr
•added 2022/09/15 2:24 p.m.•12 views

Formula injection via Full Name

šŸ”’ļø Requirements Privilege: user. šŸ“ Description It is possible for a user to change his name by whatever he wants from /profile/settings. In addition, an administrator can get reports about users from Reports Agents. So, a user could change his full name by a formula and abuse formula injection...

6.6AI score
Exploits0
Huntr
Huntr
•added 2022/09/15 3:57 a.m.•23 views

Reflected XSS In User/Roles Function

Description URL: https://demo.pimcore.fun/admin/ In Setting select User/Roles and select User. After created user, move to Workspace tab and inject payload XSS at Documents, Assets and Data Objects. XSS payload will be trigger. Besides, Workspace in Roles Also having the same situation. Can you...

4.3CVSS5AI score0.00658EPSS
Exploits1
Huntr
Huntr
•added 2022/09/14 10:43 p.m.•12 views

CSRF resulting in Account Takeover

Description Hello everyone, Rdiffweb offers a profile section where the admin user can change his informations such as the username, the email etc..., when the admin changes his username and his email; the following POST requests is sent: POST /prefs/general HTTP/1.1 Host:...

6.8AI score
Exploits0
Huntr
Huntr
•added 2022/09/14 9:51 a.m.•37 views

Cross Site Request Forgery in profile's "SSH Keys" leads to unauthorized access to the system

Description While adding SSH public keys to the profile, the server accepts the GET request which results in adding an SSH public key to the profile and leads to unauthorised access to the system and backups. Proof of Concept Open the below url after logging in to the demo site.SSH Public key wil...

6.8CVSS8.6AI score0.00539EPSS
Exploits1References1
Huntr
Huntr
•added 2022/09/14 9:33 a.m.•30 views

Use After Free in function getcmdline_int

Description Use After Free in function getcmdlineint at vim/src/exgetln.c:2547. vim version git log commit 470a14140bc06f1653edf26ab0b3c9b801080353 grafted, HEAD - master, tag: v9.0.0461, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...

4.4CVSS7.7AI score0.00475EPSS
Exploits1
Huntr
Huntr
•added 2022/09/14 3:41 a.m.•13 views

Bypass IP detection to brute-force password in ikus060/rdiffweb

Description In login API, by default, the IP address will be blocked when the user tries to login incorrectly more than 5 times but we can bypass this mechanism by abuse X-Forwarded-For header to bypass IP dectection and perform password brute-force. Proof of Concept POST /login/ HTTP/1.1 Host:...

0.1AI score
Exploits0References1
Huntr
Huntr
•added 2022/09/14 2:8 a.m.•28 views

Heap-based Buffer Overflow in function utfc_ptr2len

Description Heap-based Buffer Overflow in function utfcptr2len at vim/src/mbyte.c:2125. vim version git log commit 470a14140bc06f1653edf26ab0b3c9b801080353 grafted, HEAD - master, tag: v9.0.0461, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...

4.4CVSS7.8AI score0.00501EPSS
Exploits1
Huntr
Huntr
•added 2022/09/13 11:19 p.m.•24 views

Stored XSS

Description openemr has a feature to customize the "User Manual Link Override" , due to a bad sanitization it allows to put javascript:// scheme which allows to execute javascript code. Proof of Concept 1. login with admin 2. go on Global Settings - Branding 3. Edit User Manual Link Override Fiel...

4.3CVSS1.3AI score0.00582EPSS
Exploits1
Huntr
Huntr
•added 2022/09/13 3:53 p.m.•11 views

DoS attack in the HTTP decompression

Description Tulip is able to decompress compressed HTTP payloads. It does not check for decompression bomb. Using brotli, an attacker can send a HTTP paquet to a team vulnbox containing a brotli payload of 8.3KB. When decompressing this payload, it expands to 10GiB on the machine running the...

Exploits0
Huntr
Huntr
•added 2022/09/13 2:52 p.m.•34 views

XSS via Mathematical Typesetting

šŸ”’ļø Requirements Feature: Extras Mathematical Typesetting enabled. User interaction: Access vulnerable page || diagram and wheel click on a link. šŸ“ Description The Mathematical Typesetting feature allows to use inline content such as AsciiMath or LaTeX. Using it allows you to create a tag via \href...

5.8CVSS0.8AI score0.0061EPSS
Exploits1
Huntr
Huntr
•added 2022/09/13 9:56 a.m.•19 views

Password Can be set to very weak

Description For testing the issue, I have used the demo website. In edit user profile section we can set New Password to 1 Or any character. There is no policy for password or no password checking. Moreover, it also allows us to change password and the new password also can be set with weak...

7.5CVSS0.2AI score0.01032EPSS
Exploits1
Huntr
Huntr
•added 2022/09/13 9:10 a.m.•21 views

Session_id without Secure attribute

Description User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Proof of Concept Open the browser and get access to the minarca website, for this scenario I have used the demo/test...

5CVSS0.6AI score0.00508EPSS
Exploits1References1
Huntr
Huntr
•added 2022/09/11 12:43 p.m.•24 views

User Enumeration via Response Timing

Description There is a significant timing difference in the login functionality for valid and invalid usernames. Proof of Concept Steps to reproduce: 1. Attempt a Login with a valid user and an invalid user and observe the difference in the response time Here is a small test script alternatively ...

0.7AI score
Exploits0References1
Huntr
Huntr
•added 2022/09/10 8:56 p.m.•32 views

Exposure of "Forgot Password" Token on Threads Controller Leads to Account Takeover

Description Hello there! Hope you are doing great! I kept looking for issues that are similar to CVE-2022-3019, and ended up finding one more, it's in the Thread entity, and I found it by looking at the /api/threads/:appid/all endpoint. It retrieves sensitive information about every user that's i...

3.3CVSS0.6AI score0.0082EPSS
Exploits2
Huntr
Huntr
•added 2022/09/10 8:51 p.m.•25 views

Mass Assignment in Self Controller Leads To Vertical Privillege Escalation

Description Hello there, y'all! How are you doing? Hope you are doing great! I was testing Budibase and noticed that the api endpoint /api/global/self, which is used for different purposes updating an user's name or their password, always receives an entire object containing most of the attribute...

3.5CVSS0.00711EPSS
Exploits1
Huntr
Huntr
•added 2022/09/09 8:2 a.m.•20 views

Password can be set extremely weak

Description In this scenario, I use the demo website. It allows us to add more user to test. With password, we can set it 1 Or any charater. There is no policy for password or no password checking. Moreover, it also allows us to change password and the new password also can be set with password...

6.5CVSS1.1AI score0.00785EPSS
Exploits1
Huntr
Huntr
•added 2022/09/09 7:39 a.m.•17 views

Error page is default and leak error information

Description Information is leak in error page and this can support for other vulnerabilities. Proof of Concept Whenever trying to input anything meaningless after the link https://rdiffweb-demo.ikus-soft.com/ the error page will appear. Example: https://rdiffweb-demo.ikus-soft.com/...

5CVSS0.2AI score0.00684EPSS
Exploits1
Huntr
Huntr
•added 2022/09/09 6:57 a.m.•17 views

Session_id without Secure attribute

Description User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Proof of Concept Open the browser and access to the website, in this scenario I use the demo website. Check the cooki...

5CVSS1AI score0.00556EPSS
Exploits1
Huntr
Huntr
•added 2022/09/08 5:37 p.m.•20 views

html injection on https://demo.microweber.org/demo/search.php?keywords=

Description hello team, I found an HTML injection on https://demo.microweber.org/demo/search.php?keywords= Proof of Concept https://demo.microweber.org/demo/search.php?keywords=ABC%3Cdiv%20style=%22%3E%3Cmarquee%3E%3Ch1%3Eyou%20are%20been%20hacked%20%3C/h1%3E%3C/marquee%3E...

5.8CVSS0.01395EPSS
Exploits1
Huntr
Huntr
•added 2022/09/08 10:22 a.m.•34 views

HTML Injection vulnerability in create tag functionality

Vulnerability Details In the Microweber CMS, While doing a live edit on to the application, we have the option to create a new global tag in the application. While creating a global tag, the "Tag Name" input field doesn't properly get sanitized and it's vulnerable to HTML Injection vulnerability...

5.8CVSS0.3AI score0.00565EPSS
Exploits1References1
Huntr
Huntr
•added 2022/09/07 8:21 a.m.•22 views

Null Pointer Dereference Caused Segmentation Fault

Description Null pointer dereference caused segmentation fault. This can cause Denial-of -service attack. Proof of Concept MP4Box -bt POC2 POC2 is here ASAN iso file Unknown box type 0000 in parent moov iso file Unknown box type 0000 in parent moov iso file Unknown box type 0000 in parent moov is...

1.3AI score
Exploits0
Huntr
Huntr
•added 2022/09/07 6:53 a.m.•23 views

Buffer Over Read in gf_utf8_wcslen

Description Buffer Over Read in function gfutf8wcslen at gpac/src/utils/utf.c:442 . gpac version git log commit fc4749f9ce8d6ddf50d1f1104366cdacede14d33 grafted, HEAD - master, origin/master, origin/HEAD Author: Aurelien David Date: Mon Aug 1 06:44:34 2022 -0700 fix quickjs build on osx 10.12 222...

4.4CVSS7.6AI score0.00409EPSS
Exploits1
Huntr
Huntr
•added 2022/09/07 4:46 a.m.•23 views

UI REDRESSING

Description Clickjacking is a portmanteau of two words ā€˜click’ and ā€˜hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills...

6.8CVSS1AI score0.00933EPSS
Exploits1References3
Huntr
Huntr
•added 2022/09/06 10:15 p.m.•39 views

XSS at app.diagrams.net

Description The application allows the "use" tag to pass on dompurify, which leads to XSS. A strange behaviour bypasses the csp on app.diagrams.net when it has a "?" before the "U" import. Proof of Concept POC diagram: use...

5.8CVSS5.7AI score0.00518EPSS
Exploits1References1
Huntr
Huntr
•added 2022/09/06 10:8 p.m.•19 views

Password Reset Poisoning

Description Humhub uses the HTTP Host-Header in a password reset request to generate the password reset link that is sent to the user in an email without any filters or checks. This allows an attacker to craft a password reset request using a manipulated host header, resulting in reset-token...

7AI score
Exploits0References1
Huntr
Huntr
•added 2022/09/06 8:52 p.m.•20 views

Stored Cross Site Scripting (XSS) via "properties" during creating new users

Description From demo url login click people icon at the left bar click "Customers" Click "New Customer" button from page Fill up the "Edit" tab Click "Save" button above Click "Properties" tab From "Add a custom Property" field , add "Test" on the first field Click and select "text" on the secon...

4.9CVSS5.2AI score0.00459EPSS
Exploits2
Huntr
Huntr
•added 2022/09/06 4:6 p.m.•9 views

Insufficient Session Expiration

Description Existing sessions are not invalidated after a password change. Proof of Concept Steps to reproduce: 1. Log in to Humhub 2. Do the same in another browser or a private window, such that there are two different active sessions 3. Update the user's password in either of the two sessions ...

1.2AI score
Exploits0References1
Huntr
Huntr
•added 2022/09/05 10:11 p.m.•26 views

XSS at https://viewer.diagrams.net/

Description The application uses a parameter to specify a url on the refresh and the back button, assigning it to location.href without sanitizing Proof of Concept Go to:...

5.8CVSS0.00518EPSS
Exploits1
Huntr
Huntr
•added 2022/09/05 9:16 a.m.•29 views

XSS with CSP bypass on WEB instances

šŸ“ Description Drawio WEB instancesn allows https://storage.googleapis.com in CSP script-src, abusing the XSS found in this report, it is possible to bypass the CSP and leak private diagram content. šŸ•µļøā€ā™‚ļø Proof of Concept On the web application side, the javascript execution is protected by the...

5.8CVSS5.5AI score0.00508EPSS
Exploits1
Huntr
Huntr
•added 2022/09/04 9:0 p.m.•24 views

Null Dereference in vim_regcomp()

Description: Null Dereference in vimregcomp at vim/src/regexp.c:2716 Vim Version: git log commit 8f7116caddc6f0725cf1211407d97645c4eb7b65 HEAD - master, origin/master, origin/HEAD Proof of Concept: $ git clone https://github.com/vim/vim.git $ cd vim/ && ./configure && make && cd src/ $ echo "call...

1.9CVSS0.5AI score0.00458EPSS
Exploits1
Huntr
Huntr
•added 2022/09/04 8:16 p.m.•27 views

Desktop APP XSS to RCE

šŸ“ Description Bypass disabled plugins configuration According to its default configuration, drawio desktop disables the use of custom plugin and must be using --enable-plugins to enable it. In addition, draw.io allows you to configure the application mainly the interface using a json file...

4.4CVSS7AI score0.01338EPSS
Exploits1
Huntr
Huntr
•added 2022/09/04 1:17 p.m.•16 views

Multiple user accounts via same email and username

Description Nakama console does not validate uppercase/lowercase letters when creating a new user. This can be abused to create multiple user accounts with same email and username. Proof of Concept HTTP Request 1 request POST /v2/console/user HTTP/1.1 Host: 192.168.1.16:7351 Authorization: Bearer...

7AI score
Exploits0
Huntr
Huntr
•added 2022/09/04 12:22 p.m.•8 views

UI Discrepancy in Password

Description There is UI discrepancy in the user password section in nakama console. The UI presents the following message to the user for a short password: "Password is required, must be 8 chars or longer and consist of at least a capital letter, a small letter and a number". However, the backend...

7.2AI score
Exploits0
Huntr
Huntr
•added 2022/09/04 1:11 a.m.•7 views

Incorrect API design lead to Site wide CSRF

Description By design, the api body only accepts is json values. But we can send with non-json values, beside, api accept auth from accessToken in Cookie. All of that leads to many other consequences, typically csrf. Example: CSRF - promote normal user to admin Origin Body id:...

0.8AI score
Exploits0
Huntr
Huntr
•added 2022/09/03 6:32 a.m.•35 views

Use After Free in function do_tag

Description Use After Free in function dotag at vim/src/tag.c:807. vim version ./vim --version VIM - Vi IMproved 9.0 2022 Jun 28, compiled Sep 2 2022 22:56:19 Included patches: 1-363 Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/elva/fuzzvim/test/poc8huaf.dat -c :qa!...

4.4CVSS7.7AI score0.00528EPSS
Exploits1
Total number of security vulnerabilities4072