Formula injection via Full Name
🔒️ Requirements Privilege: user. 📝 Description It is possible for a user to change his name to whatever he wants from /profile/settings. In addition, an administrator can get reports about users from Reports Agents. So, a user could change his full name to a formula and abuse formula injection...
Reflected XSS In User/Roles Function
Description URL: https://demo.pimcore.fun/admin/ In Settings select User/Roles and select User. After creating a user, move to the Workspace tab and inject the XSS payload at Documents, Assets and Data Objects. The XSS payload will be triggered. Besides, Workspace in Roles also has the same situation. Can you...
CSRF resulting in Account Takeover
Description Hello everyone, Rdiffweb offers a profile section where the admin user can change his information such as the username, the email etc. When the admin changes his username and his email, the following POST request is sent: POST /prefs/general HTTP/1.1 Host:...
Cross Site Request Forgery in profile's "SSH Keys" leads to unauthorized access to the system
Description While adding SSH public keys to the profile, the server accepts the GET request, which results in adding an SSH public key to the profile and leads to unauthorised access to the system and backups. Proof of Concept Open the below url after logging in to the demo site. SSH Public key wil...
Use After Free in function getcmdline_int
Description Use After Free in function getcmdline_int at vim/src/ex_getln.c:2547. vim version git log commit 470a14140bc06f1653edf26ab0b3c9b801080353 grafted, HEAD - master, tag: v9.0.0461, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Bypass IP detection to brute-force password in ikus060/rdiffweb
Description In the login API, by default, the IP address will be blocked when the user tries to log in incorrectly more than 5 times, but we can bypass this mechanism by abusing the X-Forwarded-For header to bypass IP detection and perform password brute-force. Proof of Concept POST /login/ HTTP/1.1 Host:...
Heap-based Buffer Overflow in function utfc_ptr2len
Description Heap-based Buffer Overflow in function utfc_ptr2len at vim/src/mbyte.c:2125. vim version git log commit 470a14140bc06f1653edf26ab0b3c9b801080353 grafted, HEAD - master, tag: v9.0.0461, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Stored XSS
Description openemr has a feature to customize the "User Manual Link Override"; due to bad sanitization it allows putting the javascript:// scheme, which allows executing javascript code. Proof of Concept 1. login with admin 2. go to Global Settings - Branding 3. Edit User Manual Link Override Fiel...
DoS attack in the HTTP decompression
Description Tulip is able to decompress compressed HTTP payloads. It does not check for decompression bombs. Using brotli, an attacker can send an HTTP packet to a team vulnbox containing a brotli payload of 8.3KB. When decompressing this payload, it expands to 10GiB on the machine running the...
XSS via Mathematical Typesetting
🔒️ Requirements Feature: Extras Mathematical Typesetting enabled. User interaction: Access vulnerable page || diagram and wheel click on a link. 📝 Description The Mathematical Typesetting feature allows using inline content such as AsciiMath or LaTeX. Using it allows you to create a tag via \href...
Password Can be set to very weak
Description For testing the issue, I have used the demo website. In the edit user profile section we can set New Password to 1 or any character. There is no password policy or password checking. Moreover, it also allows us to change the password, and the new password can also be set to a weak...
Session_id without Secure attribute
Description The user's session id has the Secure attribute set to false. This vulnerability means the user's cookies can be sent to the server in an unencrypted request over the HTTP protocol. Proof of Concept Open the browser and get access to the minarca website; for this scenario I have used the demo/test...
User Enumeration via Response Timing
Description There is a significant timing difference in the login functionality for valid and invalid usernames. Proof of Concept Steps to reproduce: 1. Attempt a Login with a valid user and an invalid user and observe the difference in the response time Here is a small test script alternatively ...
Exposure of "Forgot Password" Token on Threads Controller Leads to Account Takeover
Description Hello there! Hope you are doing great! I kept looking for issues that are similar to CVE-2022-3019, and ended up finding one more, it's in the Thread entity, and I found it by looking at the /api/threads/:appid/all endpoint. It retrieves sensitive information about every user that's i...
Mass Assignment in Self Controller Leads To Vertical Privilege Escalation
Description Hello there, y'all! How are you doing? Hope you are doing great! I was testing Budibase and noticed that the api endpoint /api/global/self, which is used for different purposes such as updating a user's name or their password, always receives an entire object containing most of the attribute...
Password can be set extremely weak
Description In this scenario, I use the demo website. It allows us to add more users to test. For the password, we can set it to 1 or any character. There is no password policy or password checking. Moreover, it also allows us to change the password, and the new password can also be set to a password...
Error page is default and leak error information
Description Information is leaked in the error page, and this can support other vulnerabilities. Proof of Concept Whenever anything meaningless is entered after the link https://rdiffweb-demo.ikus-soft.com/ the error page will appear. Example: https://rdiffweb-demo.ikus-soft.com/...
Session_id without Secure attribute
Description The user's session id has the Secure attribute set to false. This vulnerability means the user's cookies can be sent to the server in an unencrypted request over the HTTP protocol. Proof of Concept Open the browser and access the website; in this scenario I use the demo website. Check the cooki...
html injection on https://demo.microweber.org/demo/search.php?keywords=
Description hello team, I found an HTML injection on https://demo.microweber.org/demo/search.php?keywords= Proof of Concept https://demo.microweber.org/demo/search.php?keywords=ABC%3Cdiv%20style=%22%3E%3Cmarquee%3E%3Ch1%3Eyou%20are%20been%20hacked%20%3C/h1%3E%3C/marquee%3E...
HTML Injection vulnerability in create tag functionality
Vulnerability Details In the Microweber CMS, while doing a live edit on the application, we have the option to create a new global tag in the application. While creating a global tag, the "Tag Name" input field doesn't get properly sanitized and is vulnerable to an HTML Injection vulnerability...
Null Pointer Dereference Caused Segmentation Fault
Description Null pointer dereference caused a segmentation fault. This can cause a Denial-of-service attack. Proof of Concept MP4Box -bt POC2 POC2 is here ASAN iso file Unknown box type 0000 in parent moov iso file Unknown box type 0000 in parent moov iso file Unknown box type 0000 in parent moov is...
Buffer Over Read in gf_utf8_wcslen
Description Buffer Over Read in function gf_utf8_wcslen at gpac/src/utils/utf.c:442. gpac version git log commit fc4749f9ce8d6ddf50d1f1104366cdacede14d33 grafted, HEAD - master, origin/master, origin/HEAD Author: Aurelien David Date: Mon Aug 1 06:44:34 2022 -0700 fix quickjs build on osx 10.12 222...
UI REDRESSING
Description Clickjacking is a portmanteau of two words, ‘click’ and ‘hijacking’. It refers to hijacking a user’s click for malicious intent. In it, an attacker embeds the vulnerable site in a transparent iframe in the attacker’s own website and overlays it with objects such as buttons using CSS skills...
XSS at app.diagrams.net
Description The application allows the "use" tag to pass on dompurify, which leads to XSS. A strange behaviour bypasses the csp on app.diagrams.net when it has a "?" before the "U" import. Proof of Concept POC diagram: use...
Password Reset Poisoning
Description Humhub uses the HTTP Host-Header in a password reset request to generate the password reset link that is sent to the user in an email without any filters or checks. This allows an attacker to craft a password reset request using a manipulated host header, resulting in reset-token...
Stored Cross Site Scripting (XSS) via "properties" during creating new users
Description From demo url login click people icon at the left bar click "Customers" Click "New Customer" button from page Fill up the "Edit" tab Click "Save" button above Click "Properties" tab From "Add a custom Property" field , add "Test" on the first field Click and select "text" on the secon...
Insufficient Session Expiration
Description Existing sessions are not invalidated after a password change. Proof of Concept Steps to reproduce: 1. Log in to Humhub 2. Do the same in another browser or a private window, such that there are two different active sessions 3. Update the user's password in either of the two sessions ...
XSS at https://viewer.diagrams.net/
Description The application uses a parameter to specify a url on the refresh and the back button, assigning it to location.href without sanitizing. Proof of Concept Go to:...
XSS with CSP bypass on WEB instances
📝 Description Drawio WEB instances allow https://storage.googleapis.com in CSP script-src; abusing the XSS found in this report, it is possible to bypass the CSP and leak private diagram content. 🕵️♂️ Proof of Concept On the web application side, the javascript execution is protected by the...
Null Dereference in vim_regcomp()
Description: Null Dereference in vim_regcomp at vim/src/regexp.c:2716 Vim Version: git log commit 8f7116caddc6f0725cf1211407d97645c4eb7b65 HEAD - master, origin/master, origin/HEAD Proof of Concept: $ git clone https://github.com/vim/vim.git $ cd vim/ && ./configure && make && cd src/ $ echo "call...
Desktop APP XSS to RCE
📝 Description Bypass disabled plugins configuration According to its default configuration, drawio desktop disables the use of custom plugins and must be run with --enable-plugins to enable them. In addition, draw.io allows you to configure the application, mainly the interface, using a json file...
Multiple user accounts via same email and username
Description Nakama console does not validate uppercase/lowercase letters when creating a new user. This can be abused to create multiple user accounts with the same email and username. Proof of Concept HTTP Request 1 request POST /v2/console/user HTTP/1.1 Host: 192.168.1.16:7351 Authorization: Bearer...
UI Discrepancy in Password
Description There is UI discrepancy in the user password section in nakama console. The UI presents the following message to the user for a short password: "Password is required, must be 8 chars or longer and consist of at least a capital letter, a small letter and a number". However, the backend...
Incorrect API design lead to Site wide CSRF
Description By design, the API body only accepts JSON values. But we can send non-JSON values; besides, the API accepts auth from the accessToken in the Cookie. All of that leads to many other consequences, typically CSRF. Example: CSRF - promote normal user to admin Origin Body id:...
Use After Free in function do_tag
Description Use After Free in function do_tag at vim/src/tag.c:807. vim version ./vim --version VIM - Vi IMproved 9.0 2022 Jun 28, compiled Sep 2 2022 22:56:19 Included patches: 1-363 Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/elva/fuzzvim/test/poc8huaf.dat -c :qa!...
Reflected XSS via POST
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Attacker can turn off 2FA of the Admin
Description The attacker can turn off the 2FA of the admin by performing the CSRF attack Steps to reproduce Step 1: Login as admin on the demo product and navigate to https://demo.corebos.com/index.php?module=Utilities&action=integration&op=getconfig2fa&userlist=1 Step 2: Turn on the 2FA and clos...
Use After Free in function do_cmdline
Description Use After Free in function do_cmdline at vim/src/ex_docmd.c:1076. vim version git log commit 5d09a401ec393dc930e1104ceb38eab34681de64 HEAD - master, tag: v9.0.0343, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc7huaf.dat -c :qa...
Bad Sanitization on "vtlib_purify" function leads to XSS
Description The whole project is using "vtlib_purify" for the sanitization of user inputs. It does a good job while stripping HTML tags like etc. However, it allows tag and we can use javascript protocol on the href attribute via changing : character to . So, our final payload is click Proof of...
Reflected XSS on "DetailViewAjax" via "relation_id" parameter
Description The value of the "relation_id" parameter on the "DetailViewAjax" reflects to the source code without any sanitization. So, that leads to XSS which allows cookie stealing. Proof of Concept...
No rate limit via proxy url parameter
Description Hi Drawio Team, your proxy server has no request limit, which an attacker can use as a PORT SCANNER. https://app.diagrams.net/proxy?url=IP:PORT&base64=1 Proof of Concept Image from my OWASP ZAP : https://ibb.co/h87hz3N...
BufferOverflow
Description Buffer Overflow is most commonly found in languages such as C and C++, where there is the need for prior definition of the memory size of the buffer to be used. The program calls a gets function, which does not check against overflowing the size assigned to the buffer. As a result, it...
SQL INJECTION
Summary The user can submit an SQL query directly to the database, gaining access without providing appropriate credentials. Attackers can then view, export, modify, and delete confidential information; change passwords and other authentication information; and possibly gain access to other syste...
Access violation near NULL on destination operand eval.c:2603:37 in segmentation fault
Description Access violation near NULL on destination operand eval.c:2603:37 in segmentation fault Proof of Concept Faulting Frame: eval1 @ 0x0000000000d9e9d2: in /root/vim/src/vim Disassembly: 0x0000000000d9e9bd: mov rax,r14 0x0000000000d9e9c0: shr rax,0x3 0x0000000000d9e9c4: mov al,BYTE PTR...
Stored Cross-Site Scripting (XSS)
Description Input fields allowing Markdown Input are vulnerable to XSS. This requires Superadmin permissions though. Proof of Concept Steps to reproduce: 1. Log in to the admin account 2. Go to Admin - General Settings 3. Enter the Payload in the Login Note and Dashboard Message fields. 4. Go to...
Improper Authentication
Description There are two permissions not working correctly: The Licenses - View and Modify License Files & the Self - Create API Keys permission. License Files Files can be uploaded to licenses. There is a permission for users called View and Modify License Files. However, this permission is...
Use After Free in Function qf_buf_add_line( )
Description Hello there! How are you doing? I just used the PoC of this previous report as a valid input for fuzzing, and ended up finding what it seems to be a new case of Use After Free, with a slightly different input. The last commit in which I tested it was...
Account Takeover
Description A hacker can invite any user to a team and, with the bug I reported before, can accept the invitation. The hacker can add the user to a group to give them new permissions in the team. When the hacker visits the team, they can see private info for the victim such as the hashed password, many tokens and more...
Tabnabbing on spec-disrespecting browsers
Some browsers do not comply with the 2021 HTML specification, meaning that an attacker can redirect the parent window. This applies to links in descriptions // Create a new card // Add https://someevilsite.com to card // Now the site can do the following:...
DDOS attack by uploading a few hundred large files
Description A normal user can upload a photo to the profile; photos larger than 2 MB are not allowed, but I can upload a photo over the allowed limit. Proof of Concept https://drive.google.com/file/d/1jh0n9kOoFvW-esHgpOtPeURTYjSIhDm/view?usp=sharing...