No rate limit on main Login page lead to account takeover
Hi Team, Summary: As a best practice, a login page should have a rate limit to avoid any kind of brute force. Also, the password policy used in the account creation and password change pages is weak, allowing a password of only 1 character to be set...
Heap-based Buffer Overflow in function compile_lock_unlock in vim/vim
Description Heap-based Buffer Overflow in function compile_lock_unlock at vim/src/vim9cmds.c:196 vim version git log commit 326c5d36e7cb8526330565109c17b4a13ff790ae grafted, HEAD -> master, tag: v9.0.0194, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S poc2hboM.dat -c :qa!...
Use After Free in function string_quote
Description Use After Free in function string_quote at vim/src/strings.c:777 vim version git log commit c9b6570fab46bf2c246a954cfb8c0d95fe2746b3 grafted, HEAD -> master, tag: v9.0.0203, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc1uaf.da...
Out-of-bounds read in function check_vim9_unlet in vim/vim
Description Out-of-bounds read in function check_vim9_unlet at vim/src/vim9cmds.c:95 Vim version git log commit 326c5d36e7cb8526330565109c17b4a13ff790ae grafted, HEAD -> master, tag: v9.0.0194, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/hbo1min.dat -c :q...
Stored XSS vulnerability when importing RSS Feeds from external source
Description YetiForceCRM allows users to create RSS Feeds without properly purifying the link field of the input data from an external source. An attacker can take advantage of this vulnerability to perform an XML Injection attack that leads to stored cross-site scripting (XSS) on the target server. Proof...
2FA Bypass in Cockpit Content Platform ≤ v2.2.1
Description The 2FA secret is disclosed in the JWT token after the user logs into their account in Cockpit Content Platform ≤ v2.2.1, allowing an attacker to bypass the 2FA code. Proof of Concept 1. Login with your admin account, enable 2FA in your account and log out. 2. Go to...
cross site scripting - reflected
The reflected XSS vulnerability occurs due to a flaw in the clean_xss_tags function called in new.php of Gnuboard 5. 1. Open https://sir.kr/bbs/new.php?darkmode=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E 2. The payload executes...
UI Redressing
Description Clickjacking is a portmanteau of two words, ‘click’ and ‘hijacking’. It refers to hijacking the user’s click for malicious intent. In it, an attacker embeds the vulnerable site in a transparent iframe on the attacker’s own website and overlays it with objects such as a button using CSS skills...
Path traversal on administrative account
Description Relative path traversal in DNN.Platform in the log download functionality. An administrative account can download any system file. This could allow direct read access to files that are not meant to be accessible directly through the platform. Proof of Concept Login as an administrative user. Payload...
Weak Password Change Mechanism
Description The user password change page doesn't require knowledge of the existing password. Proof of Concept 1 - Log in as a normal user 2 - Go to the User Dashboard page and click Password. 3 - Set any new password. 4 - The password is changed successfully...
Modify other people's articles by modifying the data package
Description The program does not check whether the originator of the request has this permission. I can modify the content of other people's articles and even modify the content by capturing data packets, even if I am not the owner of the article, even if I do not have permission in this respect...
IDOR allows to create new collection or modify a existing one
Description A normal user can create a new collection with the provided book ids or add new books to an existing collection, operations that should only be executed by the administrator. This is possible due to a missing administrative role check in the /api/collection/update-for-series API...
Unauthenticated reading list item deletion
Description An unauthenticated user can delete any book item of any user's reading list in the system without any authentication or authorization verification, via the /api/readinglist/delete-item API endpoint. Proof of Concept 1 - Send the following request, where x is the target readingListId and ...
Stored XSS on Admin Translations
Description The Key/Name field in Admin Translation Settings is vulnerable to XSS. Proof of Concept 1 - Go to Settings, Admin Translations. 2 - Click on Add, put the XSS payload: " in Name, then save. 3 - The XSS popup will be triggered. Both Stable and Dev versions are vulnerable. Video PoC...
Unauthenticated book download and view details
Description An unauthenticated user can download, view the details and resources of, and retrieve individual pages of any book in the system without any kind of authorization or authentication verification. Unauthenticated book operations list: 1 - Download any book via the /api/reader/pdf...
Stored XSS on Categories
Description The Title parameter in the body of the POST request when creating/editing a category is vulnerable to stored XSS. Proof of Concept 1 - Go to https://demo.microweber.org/demo/admin/view:content/action:categories 2 - Create a category or edit an existing one. 3 - Modify the title to an XSS...
Hostname Spoofing
Description parse-url parses the following https URL incorrectly: it identifies its protocol as ssh, and its host name is parsed incorrectly as well. https://www.google.com:[email protected]:x node -e 'const parseUrl=require("parse-url");console.log(parseUrl("https://www.google.com:[email protected]:x"))' protocols:...
Previously created sessions continue being valid after MFA activation [namelessmc.com]
Description Hello Team, I found one issue related to your 2FA system on https://namelessmc.com/user/settings/?do=enabletfa&s=2 Vulnerability Type: Improper Access Control - Generic STEPS TO REPRODUCE: 1 - Access the same account on https://namelessmc.com/ on two devices 2 - On device 'A' ...
Unauthenticated Path Traversal
Description An unauthenticated user can read and download files of the application system by abusing the filename parameter of the /api/image/cover-upload endpoint, which is not properly sanitized. Proof of Concept 1 - Send the following request, where the filename has the relative path of the targ...
No password brute-force protection on login page
Description The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible password combination without any restriction. Proof of Concept 1 - Send a login request for the target user POST http://localhost:5000/api/account/login...
IDOR in password change page leads to administrative account takeover
Description The password change function doesn't properly handle the Change Password role, allowing any user that has this role enabled to change the password of any user in the system, including the administrator account. Proof of Concept 1 - Log in as a normal user that can change its o...
Full Read Server-Side Request Forgery (SSRF)
Description Via the /api/upload/upload-by-url endpoint it is possible to upload an image via a URL provided by the user. The function that handles this upload doesn't verify or validate the provided URL, allowing it to fetch internal services. Furthermore, after the resource is fetched, there is ...
Account Takeover [namelessmc.com]
Description: Hello team, while I was testing on https://namelessmc.com/login/ I noticed that there is no rate limit protection on the POST login form, so an attacker can take over the account by brute forcing the password field. Steps to reproduce: 1 - Go to https://namelessmc.com/login/ 2 - Ente...
Insufficient Session Expiration After Password Change
Description During my test, I found that in Cockpit v2.1.2 the application was not validating the request after a password change. This allows an attacker to update user account details even after the admin changes the password. Steps to Reproduce: 1. Login with your account and click on "Account...
Send message to blocked user
Description In this case, if userA blocks userB, userB is still able to send private messages to userA. Proof of Concept 1. UserA blocks userB 2. UserB sends a direct request to the message endpoint with userA's userID PoC POST https://bookwyrm.social/post/direct Host: bookwyrm.social User-Agent: Mozilla/5...
Tabnabbing via window.opener [bookwyrm.social]
Description: Hello @bookwyrm-social, I found a tabnabbing vulnerability. The attack is possible due to target=_blank, i.e. tab nabbing via window.opener. VISIT: https://bookwyrm.social/ SUMMARY: I was browsing the site and found a tabnabbing vulnerability. As per my observation I found that the attack...
Stored XSS via image markdown
Description The site allows creating markdown to get an image from a link, which we can use to generate XSS. Proof of Concept Payload: markdown Video: YouTube Only works on Google Chrome...
Cross-Site Request Forgery
Description The administrative /api/users registration endpoint is vulnerable to a Cross-Site Request Forgery attack due to the lack of any kind of anti-CSRF token verification. Proof of Concept 1 - An authenticated administrator visits an attacker-controllable website, in this case the PoC file...
Denial of Service via Attachment Upload
Description An attacker can upload an attachment without any size limitation, which leads to an exception and the crash of the application. Proof of Concept 1 - Log in and select a project and card. 2 - Upload a file, in this case a 5GB file. Used sample file. 3 - After some seconds th...
Lack of Maximum Characters Length Validation on `Assignment Title` Input
Hello, Description The Assignment Title input is not validated against a large number of characters in its value. This allows entering a large number of characters and very big text inside the page. Proof of Concept 1. Navigate to the Assignments section:...
Remote Code Execution due to code injection
Description RCE in the CP ADMIN site structure; it needs admin privilege. Because of a typo in the sanitization, anyone who has admin privilege can edit “site structure”, bypass it and execute PHP code. And we can execute system or other system functions via PHP, so that's an RCE vulnerability. And next...
parser bypass and make SSRF attack
parse-url improperly detects protocol, resource and pathname. This allows bypassing a protocol check. This bug also makes an SSRF check bypassable. Let's check the normal URL result for parse-url: import parseUrl from "parse-url"; console.log(parseUrl("http://nnnn@localhost:808/?id=xss")) protocols: [ 'http' ],...
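Both parse-url reports above come down to one failure: a protocol or host allowlist is evaluated on one parser's idea of the URL while the request goes wherever the real HTTP client sends it. The following is an added example, not code from parse-url or from either report; it uses Node's built-in WHATWG `URL` as the strict parser, and `ALLOWED_HOSTS`, `naiveHost`, the probe URL and the hostnames in it are constructed for illustration.

```javascript
// Added example (not from parse-url or the reports above). A host allowlist is
// only as good as the parser it runs on: a lenient parser can report the
// trusted name as "host" while the real connection goes to the host after the
// last "@". ALLOWED_HOSTS and PROBE are constructed.

const ALLOWED_HOSTS = new Set(["trusted.example.com"]);

// A hand-rolled host extractor of the kind that gets bypassed: it stops at the
// first ":" or "/" after the scheme and never considers userinfo ("user:pass@").
function naiveHost(rawUrl) {
  const m = /^https?:\/\/([^:/?#]+)/i.exec(rawUrl);
  return m ? m[1].toLowerCase() : null;
}

// Strict parse under WHATWG rules, which is what Node's http/fetch layers use
// when they open the connection. Userinfo is rejected outright: a fetch-by-URL
// feature never needs it, and it is the classic host-confusion vector.
function strictParse(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username !== "" || u.password !== "") return null;
  return u;
}

function naiveCheck(rawUrl) {
  const host = naiveHost(rawUrl);
  return host !== null && ALLOWED_HOSTS.has(host);
}

function strictCheck(rawUrl) {
  const u = strictParse(rawUrl);
  return u !== null && ALLOWED_HOSTS.has(u.hostname);
}

// Constructed probe. Everything before the last "@" in the authority is
// userinfo, so the connection goes to attacker.example:8080 while the regex
// above reports trusted.example.com.
const PROBE = "https://trusted.example.com:443@attacker.example:8080/fetch";

// Both parsers' view of a URL and both checks' verdicts.
function compareParsers(rawUrl = PROBE) {
  const real = new URL(rawUrl);
  return {
    naiveHost: naiveHost(rawUrl),
    realHost: real.hostname,
    realPort: real.port,
    naiveAllows: naiveCheck(rawUrl),
    strictAllows: strictCheck(rawUrl),
  };
}

console.log(compareParsers());
```

The fix is not a better regex: validate with the same parser the client library uses, reject userinfo and non-http(s) schemes, and compare the exact `hostname` the parser returns rather than a substring of the raw string.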
Idor when creating group
Description Insecure direct object reference when creating a list allows one user to create a new list on behalf of another. Proof of Concept POST /user/[email protected]/groups HTTP/2 Host: bookwyrm.social Cookie: csrftoken=; django_language=None; sessionid= User-Agent: Mozilla/5.0 (Windows N...
A user can perform all actions on others' signatures (view, get, create, update, delete, ...)
Description I observed that users can view any user's signature by changing their user parameter to another user's parameter. In the same way, users can create/delete/update others' signatures in the create signature function. View/Get others' signatures: 1. Login to an account; I use the account receptionist...
IDOR leads to delete messages in Message Center of others.
Description I observed that users can delete messages in others' Message Centers by changing the deleteid parameter to the deleteid value of a message which belongs to someone else. Steps: - Login with the Physician account and determine the deleteid of messages in the Physician's Message Center - Login with the Clinician account....
Weak password policy on account creation/password update
Description The password policy used in the account creation and password change pages is weak, allowing a password of only 1 character to be set. Proof of Concept Case 1 - Account Creation 1 - Login as admin and go to the users page. 2 - Create a new user, set 1 as the password and click i...
No password brute-force protection on login page
Description The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible password combination without any restriction. Proof of Concept 1 - Send a login request for the target user POST http://localhost:3000/api/access-tokens...
Cross-site Scripting - Reflected
Description The pricelevel parameter in OpenEMR is vulnerable to reflected XSS. Proof of Concept 1. Open the web browser to access the website 2. Access the URL: http://openemr.vn/interface/forms/fee_sheet/review/fee_sheet_options_ajax.php?pricelevel=%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3...
Path Traversal
Description Via the /attachments/:id/download/thumbnails/:filename endpoint, an authenticated user can access any arbitrary file on the system through a path traversal vulnerability in the filename parameter. The filename parameter is not sanitized and is used to craft the path of the target...
Weak password policy on account creation/password update
Description The password policy used in the account creation and password change pages is weak, allowing a password of only 1 character to be set. Proof of Concept Case 1 - Account Creation 1 - Login as admin and go to the users page. 2 - Create a new user, set 1 as the password and click i...
CSRF vulnerability exists in modifying user information (including password)
Description CSRF vulnerability in the user information modification page. Proof of Concept In \app\home\c\UserController: $re = M('member')->update(['id' => $this->member['id']], $w); $member = M('member')->find(['id' => $this->member['id']]); unset($member['pass']); $_SESSION['member'] = array_merge($_SESSION['member'], $member);...
Segmentation Fault in SFS_Expression
It can cause a Denial-of-Service attack. Version root@ubuntu:/gpac/.git# cat refs/heads/master 0102c5d4db7fdbf08b5b591b2a6264de33867a07 System stack size: default root@ubuntu:/gpac/bin/gcc# ulimit -s 8192 POC Download POC Execute root@ubuntu:/gpac/bin/gcc# ./MP4Box -info -disox -dump-chap-ogg -dump-cov...
Reflected XSS on conversion filter function
Description Fava v1.22 has a conversion filter function on the income statement dashboard which allows a user to perform XSS due to improper validation of the conversion filter. Proof of Concept 1. Navigate to the Fava demo instance https://fava.pythonanywhere.com/example-beancount-file/income_statement/. 2. Filt...
Format string modifiers in card label
Description When adding a new video device with v4l2loopback-ctl that has a card label containing format string modifiers, the kernel driver interprets these when querying the device capabilities, thus leaking kernel stack memory contents. The vulnerability requires the attacker to have access to t...
No password brute-force protection on login page
Description The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible combination without any restriction. Proof of Concept 1 - Send a login request for the target user POST /api/auth/token HTTP/1.1 Host: localhost:9091...
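Five reports in this listing are the same finding against different login endpoints: nothing slows down a password guess. The following is an added example, not code from NamelessMC, Planka, Kavita or any other project above, of a login throttle with two budgets: failures per source IP, which slows one attacker spraying many accounts, and failures per account, which slows many sources hitting one account. The clock is injected so the window and lockout can be exercised offline; all names, limits and the demo credential are assumptions.

```javascript
// Added example, not any project's code. Per-IP and per-account throttling
// for a login endpoint. The clock is injected for offline testing; the limits
// and the demo credential are constructed.

class LoginThrottle {
  constructor({ windowMs = 15 * 60_000, maxPerIp = 100, maxPerAccount = 10,
                lockoutMs = 15 * 60_000, now = () => Date.now() } = {}) {
    this.cfg = { windowMs, maxPerIp, maxPerAccount, lockoutMs };
    this.now = now;
    this.ipFailures = new Map();   // ip -> failure timestamps inside the window
    this.accountState = new Map(); // account -> { failures: [], lockedUntil }
  }

  // Drop failures older than the window; mutates and returns the list.
  _recent(list, t) {
    while (list.length > 0 && t - list[0] > this.cfg.windowMs) list.shift();
    return list;
  }

  // Decide before touching the credential store, so blocked attempts cost nothing.
  check(ip, account, t = this.now()) {
    const ipFails = this._recent(this.ipFailures.get(ip) ?? [], t);
    if (ipFails.length >= this.cfg.maxPerIp) return { allow: false, reason: "ip" };
    const acc = this.accountState.get(account);
    if (acc && acc.lockedUntil > t) {
      return { allow: false, reason: "account", retryAfterMs: acc.lockedUntil - t };
    }
    return { allow: true };
  }

  recordFailure(ip, account, t = this.now()) {
    const ipFails = this._recent(this.ipFailures.get(ip) ?? [], t);
    ipFails.push(t);
    this.ipFailures.set(ip, ipFails);
    const acc = this.accountState.get(account) ?? { failures: [], lockedUntil: 0 };
    this._recent(acc.failures, t).push(t);
    if (acc.failures.length >= this.cfg.maxPerAccount) {
      acc.lockedUntil = t + this.cfg.lockoutMs; // temporary lock, not a permanent one
      acc.failures = [];
    }
    this.accountState.set(account, acc);
  }

  recordSuccess(account) {
    this.accountState.delete(account);
  }
}

// Login handler wired to the throttle; verifyCredentials(account, password) is injected.
function makeLogin(throttle, verifyCredentials) {
  return function login(ip, account, password) {
    const gate = throttle.check(ip, account);
    if (!gate.allow) return { status: 429, reason: gate.reason, retryAfterMs: gate.retryAfterMs };
    if (verifyCredentials(account, password)) {
      throttle.recordSuccess(account);
      return { status: 200 };
    }
    throttle.recordFailure(ip, account);
    return { status: 401 }; // identical response for unknown account and wrong password
  };
}

// Constructed demo: five wrong guesses lock the account even for the right
// password; after the lockout window the correct password works again.
function demo() {
  let clock = 1_700_000_000_000;
  const throttle = new LoginThrottle({ maxPerAccount: 5, maxPerIp: 20, now: () => clock });
  const login = makeLogin(throttle, (a, p) => a === "admin" && p === "correct horse battery staple");
  const statuses = [];
  for (let i = 0; i < 5; i++) statuses.push(login("198.51.100.7", "admin", "guess" + i).status);
  statuses.push(login("198.51.100.7", "admin", "correct horse battery staple").status);
  clock += 16 * 60_000;
  statuses.push(login("198.51.100.7", "admin", "correct horse battery staple").status);
  return statuses;
}

console.log(demo());
```

A hard account lockout is itself abusable (an attacker can keep the victim locked out), which is why the lock here is short and temporary; a progressive delay or a CAPTCHA after a few failures, combined with the per-IP budget, is the usual compromise. In a multi-instance deployment the two maps must live in shared storage such as Redis, or each node grants the attacker its own budget.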
Full Read Server-Side Request Forgery (SSRF)
Description On the recipe edit page, it is possible to upload an image directly or via a URL provided by the user. The function that handles the fetching and saving of the image via the URL doesn't do any URL verification, which allows fetching internal services. Furthermore, after the resour...
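Both "Full Read SSRF" reports above describe the same feature, a fetch-by-URL upload, with the same two defects: the URL is not validated, and the fetched body is returned to the caller. The following is an added example, not code from either project, of a guard for that feature: it validates scheme and userinfo, resolves the host once, refuses private, loopback, link-local (including the 169.254.169.254 cloud metadata address) and reserved ranges, connects to the address it checked, and re-validates every redirect hop. The resolver and fetcher are injected; `FAKE_DNS`, `fakeFetch` and all hostnames are constructed test doubles.

```javascript
// Added example, not either project's code. Guard for a "fetch this URL for
// me" feature. resolve() and fetchOnce() are injected; FAKE_DNS and fakeFetch
// are constructed doubles and every name here is an assumption.

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// [network, prefix]: "this host", RFC 1918, CGNAT, loopback, link-local
// (covers 169.254.169.254 metadata), multicast/reserved (224.0.0.0/3).
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

function isPrivateV4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // unparseable: fail closed
  return BLOCKED_V4.some(([net, len]) => {
    const mask = (0xffffffff << (32 - len)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

function isPrivateV6(ip) {
  const s = ip.toLowerCase();
  if (s === "::1" || s === "::") return true;
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(s); // IPv4-mapped form
  if (mapped) return isPrivateV4(mapped[1]);
  return /^f[cd]/.test(s) || /^fe[89ab]/.test(s); // fc00::/7 ULA, fe80::/10 link-local
}

function isPrivateAddress(ip) {
  return ip.includes(":") ? isPrivateV6(ip) : isPrivateV4(ip);
}

// resolve(host) -> Promise<string[]>; fetchOnce(href, ip) -> Promise<{status, headers, body}>
async function guardedFetch(rawUrl, { resolve, fetchOnce, maxRedirects = 3 }) {
  let current = rawUrl;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    let u;
    try { u = new URL(current); } catch { throw new Error("unparseable URL"); }
    if (u.protocol !== "http:" && u.protocol !== "https:") throw new Error("scheme not allowed");
    if (u.username || u.password) throw new Error("userinfo not allowed");
    const host = u.hostname.replace(/^\[|\]$/g, ""); // WHATWG keeps [] on IPv6 literals
    const literal = host.includes(":") || /^\d+(\.\d+){3}$/.test(host);
    const addrs = literal ? [host] : await resolve(host);
    // Every answer must be public: a mixed answer is a rebinding setup.
    if (addrs.length === 0 || addrs.some(isPrivateAddress)) throw new Error("blocked destination " + host);
    const res = await fetchOnce(u.href, addrs[0]); // connect to the checked IP, not a fresh lookup
    if (res.status >= 300 && res.status < 400 && res.headers.location) {
      current = new URL(res.headers.location, u).href; // re-validated on the next loop
      continue;
    }
    return res;
  }
  throw new Error("too many redirects");
}

// Constructed doubles standing in for DNS and the HTTP client.
const FAKE_DNS = {
  "images.example.org": ["203.0.113.10"],
  "rebind.example.net": ["203.0.113.20", "10.0.0.5"],
};
async function fakeResolve(host) { return FAKE_DNS[host] ?? []; }
async function fakeFetch(href, ip) {
  if (href === "https://images.example.org/redirect") {
    return { status: 302, headers: { location: "http://169.254.169.254/latest/meta-data/" }, body: "" };
  }
  return { status: 200, headers: {}, body: "fetched " + href + " via " + ip };
}

// Body on success, "rejected: <reason>" otherwise.
async function outcome(rawUrl) {
  try {
    return (await guardedFetch(rawUrl, { resolve: fakeResolve, fetchOnce: fakeFetch })).body;
  } catch (e) {
    return "rejected: " + e.message;
  }
}

outcome("https://images.example.org/redirect").then(console.log);
```

Note what the WHATWG parser does for you here: `http://0x7f000001/` and `http://2130706433/` both normalise to hostname `127.0.0.1` before the range check runs, so numeric-host tricks are caught without special cases. The remaining "full read" half of the reports is addressed outside this function: store the fetched bytes as an image and return only an identifier, never the raw response, and enforce a size and content-type limit on what is stored.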
Path traversal in unjs/storage leads to code injection due to unsanitized code generation
Path Traversal A path traversal vulnerability exists within unjs/unstorage when using the file system storage driver. This vulnerability can be exploited when the user has control over the key name. By creating key names containing sequences of ../ or ..: we can navigate the file system. We are...
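The unstorage report above and the two path-traversal reports earlier in this listing (the cover-upload `filename` parameter and the `/attachments/:id/download/thumbnails/:filename` endpoint) share one root cause: a caller-controlled name is glued onto a storage root and handed to the filesystem. The following is an added example, not code from Kavita, Planka or unstorage; `unsafeResolve` shows what the OS does with such a path and `safeResolve` shows the check that keeps it inside the root. Mapping `:` to `/` follows the key style mentioned in the unstorage report and is an assumption; `ROOT` and the sample keys are constructed.

```javascript
// Added example, not code from any project above. ROOT and the sample keys
// are constructed; the ":" -> "/" mapping is an assumption modelled on the
// key style in the unstorage report.

const ROOT = "/srv/app/data";

// Collapse "." and ".." exactly as a POSIX kernel would when opening the path.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Vulnerable: trusts the key, so "../" (or "..:" after the ":" mapping) climbs out.
function unsafeResolve(root, key) {
  return normalizePosix(root + "/" + key.replace(/:/g, "/"));
}

// Hardened: decode every representation the caller could use, normalise, then
// prove the result is strictly below root. Reject rather than rewrite, so the
// attempt is visible in logs.
function safeResolve(root, key) {
  if (typeof key !== "string" || key.includes("\0")) throw new Error("invalid key");
  let decoded;
  try { decoded = decodeURIComponent(key); } catch { throw new Error("bad percent-encoding"); }
  const rel = decoded.replace(/\\/g, "/").replace(/:/g, "/");
  if (rel.startsWith("/")) throw new Error("absolute key rejected: " + key);
  const base = normalizePosix(root);
  const full = normalizePosix(base + "/" + rel);
  if (!full.startsWith(base + "/")) throw new Error("path escapes root: " + key);
  return full;
}

// What each resolver would do with a key: the final path, or the rejection.
function tryBoth(key) {
  let safe;
  try { safe = safeResolve(ROOT, key); } catch (e) { safe = "rejected: " + e.message; }
  return { unsafe: unsafeResolve(ROOT, key), safe };
}

for (const k of ["covers:42.png", "..:..:..:etc:passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"]) {
  console.log(k, tryBoth(k));
}
```

This is a string-level check and assumes a POSIX layout with a root that is not `/` itself. Symlinks inside the root can still point outside it, so the file should be opened with `O_NOFOLLOW` or its real path re-checked after opening; on Windows, drive letters and UNC prefixes need their own handling.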
Unauthenticated Cross Site Scripting - Reflected
Description Please enter a description of the vulnerability. Proof of Concept XSS POC: Local Host: http://192.168.0.109:81/?PagePrincipale/rss&id=1%27%3Cscript%3Ealert(1122)%3C/script%3E Vendor Domain: https://yeswiki.net/?AccueiL/rss&id=1%27%3Cscript%3Ealert(1122)%3C/script%3E Attached POC Images:...
UnAuthenticated SQL Injection
Proof of Concept POC: Vendor Domain Print version: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+version())))--+- Print Database: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+database())))--+- Print User:...
Cross-site scripting - Stored via upload ".xml" file
Description In the file upload function, the server allows uploading a .xml file containing JavaScript code, leading to XSS. Proof of Concept REQUEST POST /?PageTitre/ajaxupload&qqfile=index.xml HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101...