4058 matches found
DDOS attack by uploading a few hundred large files
Description A normal user can upload a photo to their profile; photos larger than 2 MB are not allowed, but I can upload a photo above the allowed limit. Proof of Concept https://drive.google.com/file/d/1jh0n9kOoFvW-esHgpOtPeURTYjSIhDm/view?usp=sharing...
Session does not expire on logout
Description Existing session is not invalidated on actions like logout. The fact that the session key is valid for 1 year makes it more dangerous. Proof of Concept 1. Login to planka 2. Record the session token 3. Logout 4. Replay an authenticated request with the recorded token. The actions will...
Improper Input Validation
Description At the team update (https://ripob47346.getoutline.com/api/team.update) and user update (https://ripob47346.getoutline.com/api/users.update) functions, avatarUrl was not verified as a correct URL. The user can enter arbitrary values. Proof of Concept /api/team.update /api/users.update Result...
CSRF on deleting an API key
Description An attacker can send a crafted link to a Froxlor admin. The admin, after clicking on the link and logging in, will redirect to the API key deletion endpoint, which is a GET request. This will result in deleting the API key with the specified id from the attacker. Proof of Concept 1...
Use After Free in function get_next_valid_entry
Description Use After Free in function get_next_valid_entry at vim/src/quickfix.c:2709. vim version git log commit 2bd9dbc19fc67395cfa1226dda7326071ab22464 (HEAD -> master, tag: v9.0.0270, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/test/poc/poc6huaf.da...
Firefox XSS when redirecting to untrusted URL
Description When redirecting server side using navigateTo with untrusted user data and with external links set to true, XSS can be triggered on Firefox (probably other browsers too). This is due to h3 expecting JSON.stringify to sanitize HTML and nuxt3 also assuming that to be true by using the...
Stored Cross-Site Scripting (XSS)
Description It is possible to upload HTML files containing JavaScript Payload to the FileStorage as a low-privilege user with the corresponding permissions. When opening the HTML file via an indirect link, the JavaScript Code is executed. Proof of Concept Steps to reproduce: 1. Login to the backe...
User Enumeration via Response Timing
Description There is a significant timing difference in the login functionality for valid and invalid usernames. Proof of Concept 1. Attempt a login with a valid user and an invalid user and observe the difference in the response time. Here is a small test script; alternatively we can see the...
ZipSlip Symlink variant allows to read any file within OctoPrint Box
Using the ZipSlip symlink variant, it is possible to steal any file from the OctoPrint remote server via an upload of a maliciously crafted archive as a language pack and download the stolen files within a backup archive. To set up the Octoprint web application, we used the dockerized version bas...
Login bruteforce
Description According to the fix of the previous report, the login page has a rate limit mechanism to block the user's IP when many attempts are made. The endpoint /v2/console/status, for example, only returns the content when the requester has the correct rights. However, this request is...
Floating point exception
Description Floating point exception in udiv, commit: b83285697888abbcb2286462da070d49f413ab24 Proof of Concept ruby 1 63.pow1, 0 ASAN Output ================================================================= ==747==ERROR: AddressSanitizer: FPE on unknown address 0x5626e07f6dba pc 0x5626e07f6dba b...
Insufficient Session Expiration
Description The Nakama Console session is not invalidated when the user is deleted. Proof of Concept Steps to reproduce: 1. Log in to the Nakama Console as admin and create a user [email protected] 2. In a separate browser or private window log in to the account [email protected] 3. In the admin session,...
User Enumeration via Response Timing
Description There is a significant timing difference in the login functionality of the Nakama Console for valid and invalid email addresses or usernames. Proof of Concept 1. Login to the Nakama Console as admin and create a User [email protected] 2. Logout 3. Attempt a Login with an incorrect passwor...
Privilege escalation allows a user with read-only access to edit the admin portal and take actions
Overview of the Vulnerability Authentication and session management controls can be bypassed in a variety of ways including, calling an internal post-authentication page, modifying the given URL parameters, by manipulating the form, or by counterfeiting sessions. The authentication method for thi...
Use After Free in function qf_fill_buffer
Description Use After Free in function qf_fill_buffer at vim/src/quickfix.c:4790. vim version git log commit adce965162dd89bf29ee0e5baf53652e7515762c (HEAD -> master, tag: v9.0.0246, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc5huaf.dat -c :qa!...
Session Fixation
Description The session is not invalidated after a password change. Proof of Concept Open Snipe-IT in the browser and login. Do the same in a private window such that there are two sessions. Change the password in one of the two sessions and observe that the second session is not invalidated...
Reflected XSS via "stufftype" parameter
Description The value of the stufftype parameter is reflected in the web context without proper filtering in place, resulting in the possibility of executing malicious JavaScript code. Testing Environment 1. Windows OS 2. Firefox Browser Proof of Concept 1. Visit...
Reflected XSS via "stuffid" parameter
Description The value of the stuffid parameter is reflected in the web context without proper filtering in place, resulting in the possibility of executing malicious JavaScript code. Testing Environment 1. Windows OS 2. Firefox Browser Proof of Concept 1. Visit...
Reflected XSS via "idlist" parameter
Description The value of the idlist parameter is reflected in the web context without proper filtering in place, resulting in the possibility of executing malicious JavaScript code. Testing Environment 1. Windows OS 2. Firefox Browser Proof of Concept 1. Visit...
NULL Pointer Dereference in function do_mouse
Description NULL Pointer Dereference in function do_mouse at vim/src/mouse.c:496. vim version git log commit 171c683237149262665135c7d5841a89bb156f53 (HEAD -> master, tag: v9.0.0242, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc3null.dat -c :qa!...
Exposure of "Forgot Password" Token on Comments Controller Leads to Account Takeover
Hello there! Hope you are doing great! Description While digging into your app's source code, I noticed that the getComment function, that can be found on CommentController, had an IDOR, but when I went to an actual instance of Tooljet and tested it, I noticed that it's way worse than that! 😱 Thi...
Prototype pollution
Description submerge is vulnerable to Prototype Pollution. This package fails to restrict access to prototypes of objects, allowing for modification of prototype behavior using a __proto__ payload, which may result in Sensitive Information Disclosure / Denial of Service (DoS) / Remote Code Execution. Proof ...
DoS via Client Email Update
Description An unauthenticated user, via the Inbox Website Widget, can update its contact email information; this field doesn't have any proper size restriction or limitation in place, allowing an email of unlimited length to be set. Because of this an attacker can send an enormou...
Clickjacking Leads To User Deletion
Hello team, on notrinoserp there is no clickjacking protection implemented (x-frame-options), so an attacker can perform a clickjacking attack, and in this case I'm able to delete a user account via this vulnerability from the admin account. Here is the POC: Exploit Script: iframe position:relative;...
clickjacking attack
Description Clickjacking bug. I see there is no x-frame-options header set, so the ERP URL can be loaded in an iframe tag, which allows a clickjacking attack. Proof of Concept Save the below code in an HTML file and open this HTML URL in a browser. STUDY MATERIAL...
Weak Password Change Mechanism
Description The user password change page doesn't require knowledge of the existing password. Proof of Concept 1. Log in as a normal user 2. Go to the User Dashboard page and click User Settings. 3. Set any new password. 4. Click confirm 5. The password is changed successfully...
XSS on URL recorder
Description Hi Team, I found an XSS vulnerability in the URL recorder https://conifer.rhizome.org/"USERNAME"/default-collection/ Proof of Concept Image: https://ibb.co/dBr0QQr...
Persistent Cross Site Scripting - WidgetsManagement Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, on the WidgetsManagement module from Settings, the "title" parameter is not validated and is used directly without any encoding or validation on Vitger/dashboards/ChartFilter.tpl. It allows an attacker to injec...
Persistent Cross Site Scripting - BusinessHours Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, on the BusinessHours module from Settings, the type of the name parameter is "Text" but it is not validated and is used directly without any encoding or validation on EditViewBlocks.tpl. It allows an attacker to...
Persistent Cross Site Scripting - LayoutEditor Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, on the LayoutEditor module from Settings, the type of the fieldModel-label parameter is "Text" but it is not validated and is used directly without any encoding or validation on LayoutEditor/EditField.tpl. It...
Persistent Cross-site Scripting - SlaPolicy Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, on the SlaPolicy module from Settings, the type of the recordModel-name parameter is "Text" but it is not validated and is used directly without any encoding or validation on SlaPolicy/EditViewBlocks.tpl. It...
Persistent Cross Site Scripting - Workflow Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, on the Workflow module from Settings, the type of the workflowModel-summary parameter is not defined or validated; it is used directly without any encoding or validation on Workflows/Step1.tpl and...
Full account takeover
POC: Step 1: Use a normal user account Step 2: Change user password in edit profile function Step 3: Enter data fields that change normally Step 4: Use burp suite to intercept requests to update profile Step 5: Change id from 2 to id 1 and send request The result of logging in with the new userna...
Use After Free in function vim_vsnprintf_typval
Description Use After Free in function vim_vsnprintf_typval at vim/src/strings.c:2299. vim version git log commit 9e043181ad51536f23d069e719d6f6b96c4c0ec0 (grafted, HEAD -> master, tag: v9.0.0226, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc4huaf.dat -c...
Weak Password Requirements
Description The product does not require that users have strong passwords, which makes it easier for attackers to compromise user accounts. Proof of Concept Steps to reproduce 1. Login to admin account. 2. From user account setup create a new user. 3. Fill the form with username user3 and...
Cross Site Scripting (reflected) on fee_sheet_ajax.php
Description When testing the app for XSS we found out that the fee_sheet_ajax.php endpoint is actually vulnerable to an XSS exploit. PoC 1. visit https:///interface/forms/feesheet/review/feesheetajax.php?task=retrieve&mode=encounters&prevencounter=%3Cimg%20src%3da%20onerror%3dalertdocument.cookie%3...
Exposure of Sensitive Information Lead To Admin Account Take Over
Description The AP officer's account is authorized to Backup and Restore the Database. Due to this he/she can download the backup and see the password hash of the System Administrator account. The weak MD5 hash of the password can easily be cracked to obtain the admin password. Proof of Concept Step...
NULL Pointer Dereference in function sug_filltree
Description NULL Pointer Dereference in function sug_filltree at vim/src/spellfile.c:5600. vim version git log commit 4875d6ab068f09df88d24d81de40dcd8d56e243d (grafted, HEAD -> master, tag: v9.0.0224, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc2null.d...
Cross-site Scripting (XSS) - Stored
Description The application uses Purify to avoid the Cross Site Scripting attack. However, on the ApiAddress module from Settings, the customFields parameter is not validated and is used directly without any encoding or validation on ApiConfigModal.tpl. It allows an attacker to inject arbitrary JavaScript code ...
Use After Free in function find_var_also_in_script
Description Use After Free in function find_var_also_in_script at vim/src/evalvars.c:3174. vim version git log commit 887748742deae3d6de7aa0fdbb042afe1ccf5e7a (grafted, HEAD -> master, tag: v9.0.0222, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc3huaf.dat -...
Stored XSS in 'Table name' field via Database information function
Description When the administrator uses the Database information function, malicious code will be accidentally called and executed through two cases: 1.1 An internal attacker (local) with access rights to the database could insert malicious content into the table name field by creating a table in t...
Insufficient Session Expiration
Description Insufficient Session Expiration is when a website permits an attacker to reuse old session credentials or session IDs for authorization. Proof of Concept Steps to reproduce 1- Login to OctoPrint at http://127.0.0.1:5000/login/. 2- Open the browser in an incognito tab or open another brows...
NULL Pointer Dereference in function generate_loadvar
Description NULL Pointer Dereference in function generate_loadvar at vim9compile.c:1165 allows attackers to cause a denial of service (application crash) via a crafted input. vim version git log commit e1f3fd1d02e3f5fe6d2b6d82687c6846b8e500f8 (HEAD -> master, origin/master, origin/HEAD) Author: Bram...
Unrestricted File Upload Allowed due to Flawed Move File Functionality
Description Hello Team, Hope you are doing good. Due to a misconfiguration in the move file functionality an attacker could easily change the file extension of an uploaded malicious file disguised as a .gcode file. Steps: 1. Upload a .gcode file & intercept the request as shown in the screenshots. 2...
Improper Authorization lets a user add an arbitrary agent to a Team
Description A vulnerability in the edit team function lets a user add another user to a Team via ID, or alternatively learn the email of every user in Chatwoot. Steps to reproduce - login to the app - navigate to the Team setting: https://app.chatwoot.com/app/accounts/id/settings/teams/list - Create new or ed...
Heap-based Buffer Overflow in function latin_ptr2len
Description Heap-based Buffer Overflow in function latin_ptr2len at vim/src/mbyte.c:1088. vim version git log commit 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 (grafted, HEAD -> master, tag: v9.0.0213, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -X -Z -e -s -S poc4hbo.dat -c :qa!...
Buffer Over-read in function utf_head_off
Description Buffer Over-read in function utf_head_off at vim/src/mbyte.c:3872. vim version git log commit 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 (grafted, HEAD -> master, tag: v9.0.0213, origin/master, origin/HEAD) Proof of Concept ./vim/src/vim -u NONE -X -Z -e -s -S poc3hbo.dat -c :qa!...
Use After Free in function generate_PCALL
Description Use After Free in function generate_PCALL at vim/src/vim9instr.c:1606. vim version git log commit 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 (grafted, HEAD -> master, tag: v9.0.0213, origin/master, origin/HEAD) Proof of Concept ./vim -u NONE -X -Z -e -s -S poc2huaf.dat -c :qa!...
DoS via Collaborative Document
Description An attacker can send an enormous payload via the WebSockets collaborative document feature, without any proper size restriction, leading to the unresponsiveness of every user's browser that visits the target document, and even worse, if the payload is big enough, in the demonstration...
Cross-site Scripting (XSS) - Stored on Translations
Description Translations are vulnerable to Cross-Site Scripting. Steps to reproduce 1 - Go to Website - Settings 2 - Click on Languages 3 - Fill any field to be translated with an XSS payload: ". 4 - An XSS popup will appear. Proof of concept...