4072 matches found
Reflected XSS via rp4wp_parent
Description The rp4wpparent value is echoed without encoding, leading to reflected XSS. Proof of Concept Install wordpress, install the "Related Posts for WordPress" plugin, then visit the following URL, where localhost is the server hosting the app:...
Use After Free in function movemark
Description Use After Free in function movemark at mark.c:234. vim version git log commit bcd6924245c0e73d8be256282656c06aaf91f17c grafted, HEAD - master, tag: v9.0.0507, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc10huaf.dat -c :qa!...
The settings of repositories is vulnerable to CSRF
Description The malicious user can change the settings of repository by sending the URL to the victim. Proof of Concept 1.Login into the application https://rdiffweb-demo.ikus-soft.com/settings/admin/test-encoding . 2.Go to test-encoding. 3.Check that the value of remove older is forever. 4.Open...
User can get details of the comments that were deleted
Description When a user creates a new record he can add a comment on it. The user is also able to delete the comments after which the user wont be having access to that comment like replying, checking what the comment was. This vulnerability allows any user to see what the deleted comment was and...
Privilege escalation from admin and normal user to super admin
Description Lavsms provides 5 types of roles. But the issue is admin can escalate to the super admin role for himself as well as for other un-privileged users too even lower than the admin role. Proof of Concept 1. POST /users/id with custom payload via API Testing tool like postman/Insomnia. Ste...
User's session persist after permanently deleting his account
Description If a user is logged in, and an admin decided to delete his account permanently, the user is still able to perform his normal actions until his session gets expired. If a logged in user with admin role is deleted permanently, he's still able to delete other admins permanently, and if...
BoxBilling <=4.22.1.5 - Authenticated Unrestricted File Upload - RCE
Description BoxBilling was vulnerable to Unrestricted File Upload. In order to exploit the vulnerability, an attacker must have a valid authenticated session as admin on the CMS. With at least 1 order of product an attacker can upload malicious file to hidden API endpoint that contain a webshell...
Cookie is persisting in the browser which leads to Session Fixation
Description After logging in and logging out, the application continues to use the preauthentication cookies. The cookies are same after closing the browser and after password change .And also same cookies are reassigning for another user's login which can leads to session fixation. Proof of...
User can read any series without permission
Description A normal user can access any series without permission if they have access to at least one library. Version Tested on latest release 0.5.6.0 and on docker image 'kizaing/kavita:latest', with image pulled on September 17, 12:30 UTC Digest:...
CSRF leads to disabling notifications in users profile
Description Periodic updates of repositories were sent as notifications to the user's email and here GET request sent to the server for modifying repository notifications settings is accepted by the server, which can lead to disabling notifications through a CSRF attack. Proof of Concept Replace...
Stored XSS via SVG File
Description By uploading SVG files, the users can perform Stored XSS attack. Copy the following code and save as filename.svg. Proof of Concept alertdocument.domain 1 Login as user with upload permission. 2 upload the payload injected SVG file at https://demo.inventree.org/order/sales-order/3/ 3...
Cross Site Request Forgery in Admin area leads to deletion of repositories and users
Description Server accepts the GET request for deleting repositories and users which can lead to CSRF attack on repositories'. Proof of Concept Open the below URL after logging in to the admin account in demo site. For deleting Repository : Replace "replace-here" with a repo name...
Remote Code Execution (RCE) via Arbitrary File Write and Path Traversal
Description Immich constructs the path, filename, and file extension of uploaded files from improperly sanitized user input. Therefore, the upload function is vulnerable to a path traversal attack leading to arbitrary file write. This can lead to RCE by overwriting JavaScript files. Proof of...
Full Account Takeover via Improper Authorization
Description Immich does not check for admin privileges when setting account passwords. This allows any user to set the password for any account, thus allowing privilege escalation by admin account takeover. Proof of Concept Steps to reproduce: 1. Login to a non admin account 2. Obtain all user...
Stored Cross-Site Scripting (XSS) on Schedule Maintenance "Title" parameter
Description Stored Cross-Site Scripting XSS vulnerability in LibreNMS v22.8.0 allows attackers to execute arbitrary javascript code in the browser affected from function of "Schedule Maintenance" in "Title" parameter. Proof of Concept 1 - Click "Alerts" Click "Schedule Maintenance" from the...
Formula injection via Full Name
šļø Requirements Privilege: user. š Description It is possible for a user to change his name by whatever he wants from /profile/settings. In addition, an administrator can get reports about users from Reports Agents. So, a user could change his full name by a formula and abuse formula injection...
Reflected XSS In User/Roles Function
Description URL: https://demo.pimcore.fun/admin/ In Setting select User/Roles and select User. After created user, move to Workspace tab and inject payload XSS at Documents, Assets and Data Objects. XSS payload will be trigger. Besides, Workspace in Roles Also having the same situation. Can you...
CSRF resulting in Account Takeover
Description Hello everyone, Rdiffweb offers a profile section where the admin user can change his informations such as the username, the email etc..., when the admin changes his username and his email; the following POST requests is sent: POST /prefs/general HTTP/1.1 Host:...
Cross Site Request Forgery in profile's "SSH Keys" leads to unauthorized access to the system
Description While adding SSH public keys to the profile, the server accepts the GET request which results in adding an SSH public key to the profile and leads to unauthorised access to the system and backups. Proof of Concept Open the below url after logging in to the demo site.SSH Public key wil...
Use After Free in function getcmdline_int
Description Use After Free in function getcmdlineint at vim/src/exgetln.c:2547. vim version git log commit 470a14140bc06f1653edf26ab0b3c9b801080353 grafted, HEAD - master, tag: v9.0.0461, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Bypass IP detection to brute-force password in ikus060/rdiffweb
Description In login API, by default, the IP address will be blocked when the user tries to login incorrectly more than 5 times but we can bypass this mechanism by abuse X-Forwarded-For header to bypass IP dectection and perform password brute-force. Proof of Concept POST /login/ HTTP/1.1 Host:...
Heap-based Buffer Overflow in function utfc_ptr2len
Description Heap-based Buffer Overflow in function utfcptr2len at vim/src/mbyte.c:2125. vim version git log commit 470a14140bc06f1653edf26ab0b3c9b801080353 grafted, HEAD - master, tag: v9.0.0461, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Stored XSS
Description openemr has a feature to customize the "User Manual Link Override" , due to a bad sanitization it allows to put javascript:// scheme which allows to execute javascript code. Proof of Concept 1. login with admin 2. go on Global Settings - Branding 3. Edit User Manual Link Override Fiel...
DoS attack in the HTTP decompression
Description Tulip is able to decompress compressed HTTP payloads. It does not check for decompression bomb. Using brotli, an attacker can send a HTTP paquet to a team vulnbox containing a brotli payload of 8.3KB. When decompressing this payload, it expands to 10GiB on the machine running the...
XSS via Mathematical Typesetting
šļø Requirements Feature: Extras Mathematical Typesetting enabled. User interaction: Access vulnerable page || diagram and wheel click on a link. š Description The Mathematical Typesetting feature allows to use inline content such as AsciiMath or LaTeX. Using it allows you to create a tag via \href...
Password Can be set to very weak
Description For testing the issue, I have used the demo website. In edit user profile section we can set New Password to 1 Or any character. There is no policy for password or no password checking. Moreover, it also allows us to change password and the new password also can be set with weak...
Session_id without Secure attribute
Description User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Proof of Concept Open the browser and get access to the minarca website, for this scenario I have used the demo/test...
User Enumeration via Response Timing
Description There is a significant timing difference in the login functionality for valid and invalid usernames. Proof of Concept Steps to reproduce: 1. Attempt a Login with a valid user and an invalid user and observe the difference in the response time Here is a small test script alternatively ...
Exposure of "Forgot Password" Token on Threads Controller Leads to Account Takeover
Description Hello there! Hope you are doing great! I kept looking for issues that are similar to CVE-2022-3019, and ended up finding one more, it's in the Thread entity, and I found it by looking at the /api/threads/:appid/all endpoint. It retrieves sensitive information about every user that's i...
Mass Assignment in Self Controller Leads To Vertical Privillege Escalation
Description Hello there, y'all! How are you doing? Hope you are doing great! I was testing Budibase and noticed that the api endpoint /api/global/self, which is used for different purposes updating an user's name or their password, always receives an entire object containing most of the attribute...
Password can be set extremely weak
Description In this scenario, I use the demo website. It allows us to add more user to test. With password, we can set it 1 Or any charater. There is no policy for password or no password checking. Moreover, it also allows us to change password and the new password also can be set with password...
Error page is default and leak error information
Description Information is leak in error page and this can support for other vulnerabilities. Proof of Concept Whenever trying to input anything meaningless after the link https://rdiffweb-demo.ikus-soft.com/ the error page will appear. Example: https://rdiffweb-demo.ikus-soft.com/...
Session_id without Secure attribute
Description User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Proof of Concept Open the browser and access to the website, in this scenario I use the demo website. Check the cooki...
html injection on https://demo.microweber.org/demo/search.php?keywords=
Description hello team, I found an HTML injection on https://demo.microweber.org/demo/search.php?keywords= Proof of Concept https://demo.microweber.org/demo/search.php?keywords=ABC%3Cdiv%20style=%22%3E%3Cmarquee%3E%3Ch1%3Eyou%20are%20been%20hacked%20%3C/h1%3E%3C/marquee%3E...
HTML Injection vulnerability in create tag functionality
Vulnerability Details In the Microweber CMS, While doing a live edit on to the application, we have the option to create a new global tag in the application. While creating a global tag, the "Tag Name" input field doesn't properly get sanitized and it's vulnerable to HTML Injection vulnerability...
Null Pointer Dereference Caused Segmentation Fault
Description Null pointer dereference caused segmentation fault. This can cause Denial-of -service attack. Proof of Concept MP4Box -bt POC2 POC2 is here ASAN iso file Unknown box type 0000 in parent moov iso file Unknown box type 0000 in parent moov iso file Unknown box type 0000 in parent moov is...
Buffer Over Read in gf_utf8_wcslen
Description Buffer Over Read in function gfutf8wcslen at gpac/src/utils/utf.c:442 . gpac version git log commit fc4749f9ce8d6ddf50d1f1104366cdacede14d33 grafted, HEAD - master, origin/master, origin/HEAD Author: Aurelien David Date: Mon Aug 1 06:44:34 2022 -0700 fix quickjs build on osx 10.12 222...
UI REDRESSING
Description Clickjacking is a portmanteau of two words āclickā and āhijackingā. It refers to hijacking userās click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attackerās own website and overlays it with objects such as button using CSS skills...
XSS at app.diagrams.net
Description The application allows the "use" tag to pass on dompurify, which leads to XSS. A strange behaviour bypasses the csp on app.diagrams.net when it has a "?" before the "U" import. Proof of Concept POC diagram: use...
Password Reset Poisoning
Description Humhub uses the HTTP Host-Header in a password reset request to generate the password reset link that is sent to the user in an email without any filters or checks. This allows an attacker to craft a password reset request using a manipulated host header, resulting in reset-token...
Stored Cross Site Scripting (XSS) via "properties" during creating new users
Description From demo url login click people icon at the left bar click "Customers" Click "New Customer" button from page Fill up the "Edit" tab Click "Save" button above Click "Properties" tab From "Add a custom Property" field , add "Test" on the first field Click and select "text" on the secon...
Insufficient Session Expiration
Description Existing sessions are not invalidated after a password change. Proof of Concept Steps to reproduce: 1. Log in to Humhub 2. Do the same in another browser or a private window, such that there are two different active sessions 3. Update the user's password in either of the two sessions ...
XSS at https://viewer.diagrams.net/
Description The application uses a parameter to specify a url on the refresh and the back button, assigning it to location.href without sanitizing Proof of Concept Go to:...
XSS with CSP bypass on WEB instances
š Description Drawio WEB instancesn allows https://storage.googleapis.com in CSP script-src, abusing the XSS found in this report, it is possible to bypass the CSP and leak private diagram content. šµļøāāļø Proof of Concept On the web application side, the javascript execution is protected by the...
Null Dereference in vim_regcomp()
Description: Null Dereference in vimregcomp at vim/src/regexp.c:2716 Vim Version: git log commit 8f7116caddc6f0725cf1211407d97645c4eb7b65 HEAD - master, origin/master, origin/HEAD Proof of Concept: $ git clone https://github.com/vim/vim.git $ cd vim/ && ./configure && make && cd src/ $ echo "call...
Desktop APP XSS to RCE
š Description Bypass disabled plugins configuration According to its default configuration, drawio desktop disables the use of custom plugin and must be using --enable-plugins to enable it. In addition, draw.io allows you to configure the application mainly the interface using a json file...
Multiple user accounts via same email and username
Description Nakama console does not validate uppercase/lowercase letters when creating a new user. This can be abused to create multiple user accounts with same email and username. Proof of Concept HTTP Request 1 request POST /v2/console/user HTTP/1.1 Host: 192.168.1.16:7351 Authorization: Bearer...
UI Discrepancy in Password
Description There is UI discrepancy in the user password section in nakama console. The UI presents the following message to the user for a short password: "Password is required, must be 8 chars or longer and consist of at least a capital letter, a small letter and a number". However, the backend...
Incorrect API design lead to Site wide CSRF
Description By design, the api body only accepts is json values. But we can send with non-json values, beside, api accept auth from accessToken in Cookie. All of that leads to many other consequences, typically csrf. Example: CSRF - promote normal user to admin Origin Body id:...
Use After Free in function do_tag
Description Use After Free in function dotag at vim/src/tag.c:807. vim version ./vim --version VIM - Vi IMproved 9.0 2022 Jun 28, compiled Sep 2 2022 22:56:19 Included patches: 1-363 Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/elva/fuzzvim/test/poc8huaf.dat -c :qa!...