4072 matches found
Exposure of Sensitive Information Lead To Admin Account Take Over
Description The AP officers account is authorized to Backup and Restore the Database, Due to this he/she can download the backup and see the password hash of the System Administrator account, The weak hash MD5 of the password can be easily cracked and get the admin password. Proof of Concept Step...
NULL Pointer Dereference in function sug_filltree
Description NULL Pointer Dereference in function sugfilltree at vim/src/spellfile.c:5600. vim version git log commit 4875d6ab068f09df88d24d81de40dcd8d56e243d grafted, HEAD - master, tag: v9.0.0224, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc2null.d...
Cross-site Scripting (XSS) - Stored
Description The application uses Purify to avoid the Cross Site Scripting attack. However, On ApiAddress module from Settings, the customFields is not validated and it's used directly without any encoding or validation on ApiConfigModal.tpl. It allows attacker to inject arbitrary Javascript code ...
Use After Free in function find_var_also_in_script
Description Use After Free in function findvaralsoinscript at vim/src/evalvars.c:3174 vim version git log commit 887748742deae3d6de7aa0fdbb042afe1ccf5e7a grafted, HEAD - master, tag: v9.0.0222, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc3huaf.dat -...
Stored XSS in 'Table name' field via Database information function
Description When the administrator uses the Database information function, malicious code will be accidentally called and executed through two cases: 1. 1 An internal attacker local with access right to the database could insert malicious content into the table name field by creating a table in t...
Insufficient Session Expiration
Description Insufficient Session Expiration is when a website permits an attacker to reuse old session credentials or session IDs for authorization. Proof of Concept Steps to reproduce 1- Login into http://127.0.0.1:5000/login/ OctoPrint. 2- Open browser in the incognito tab or open another brows...
NULL Pointer Dereference in function generate_loadvar
Description NULL Pointer Dereference in function generateloadvar at vim9compile.c:1165 allows attackers to cause a denial of service application crash via a crafted input. vim version git log commit e1f3fd1d02e3f5fe6d2b6d82687c6846b8e500f8 HEAD - master, origin/master, origin/HEAD Author: Bram...
Unrestricted File Upload Allowed due to Flawed Move File Functionality
Description Hello Team, Hope you are doing good. Due to misconfiguration in move file functionality an attacker could easily change the file extension of the uploaded malicious file disguised as .gcode file. Steps: 1 . Upload a .gcode file & intercept the request as shown in the screenshots. 2...
Improper Authorization lead a user add an arbitrary agent into Team
Description A Vulnerability in edit team function lead an user add another user via ID to Team, alternatively know the email of every user in Chatwoot Step to reproduce - login to the app -navigate to the Team setting: https://app.chatwoot.com/app/accounts/id/settings/teams/list -Create new or ed...
Heap-based Buffer Overflow in function latin_ptr2len
Description Heap-based Buffer Overflow in function latinptr2len at vim/src/mbyte.c:1088 . vim version git log commit 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 grafted, HEAD - master, tag: v9.0.0213, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S poc4hbo.dat -c :qa!...
Buffer Over-read in function utf_head_off
Description Buffer Over-read in function utfheadoff at vim/src/mbyte.c:3872 vim version git log commit 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 grafted, HEAD - master, tag: v9.0.0213, origin/master, origin/HEAD Proof of Concept ./vim/src/vim -u NONE -X -Z -e -s -S poc3hbo.dat -c :qa!...
use after free in function generate_PCALL
Description Use After Free in function generatePCALL at vim/src/vim9instr.c:1606 vim version git log commit 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 grafted, HEAD - master, tag: v9.0.0213, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S poc2huaf.dat -c :qa!...
DoS via Collaborative Document
Description An attacker can send an enormous payload via the WebSockets collaborative document feature, without any proper size restriction, leading to the unresponsiveness of every user browser that visits the target document, and even worse, if the payload is bigger enough, in the demonstration...
Cross-site Scripting (XSS) - Stored on Translations
Description Translations are vulnerable to Cross-Site Scripting. Steps to reproduce 1 - Go to Website - Settings 2 - Click on Languages 3 - Fill any field to be translated with an XSS payload : ". 4 - XSS popup will appear. Proof of concept...
No rate limit on main Login page lead to account takeover
Hi Team, Summary: As a best practice a login page should have a rate limit to avoid any kind of brute force. Aslo The password policy used in the account creation and password change pages is weak, allowing to set a password of only 1 character...
Heap-based Buffer Overflow in function compile_lock_unlock in vim/vim
Description Heap-based Buffer Overflow in function compilelockunlock at vim/src/vim9cmds.c:196 vim version git log commit 326c5d36e7cb8526330565109c17b4a13ff790ae grafted, HEAD - master, tag: v9.0.0194, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S poc2hboM.dat -c :qa!...
Use After Free in function string_quote
Description Use After Free in function stringquote at vim/src/strings.c:777 vim version git log commit c9b6570fab46bf2c246a954cfb8c0d95fe2746b3 grafted, HEAD - master, tag: v9.0.0203, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc1uaf.da...
Out-of-bounds read in function check_vim9_unlet in vim/vim
Description Out-of-bounds read in function checkvim9unlet at vim/src/vim9cmds.c:95 Vim version git log commit 326c5d36e7cb8526330565109c17b4a13ff790ae grafted, HEAD - master, tag: v9.0.0194, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -X -Z -e -s -S /home/fuzz/test/hbo1min.dat -c :q...
Stored XSS vulnerability when importing RSS Feeds from external source
Description YetiForceCRM allows user create RSS Feeds without purifying the link field of the input data properly from external source. An attacker can take advantage of this vulnerability to perform an XML Injection attack that leads to stored cross-site scripting XSS on the target server. Proof...
2FA Bypass in Cockpit Content Platform ≤ v2.2.1
Description 2FA secret is disclosed in JWT token after user logs into his account in Cockpit Content Platform ≤ v2.2.1 allowing attacker to bypass the 2FA code. Proof of Concept 1.Login with your admin account and enable 2FA in your account and logout. 2.Go to...
cross site scripting - reflected
The reflected XSS vulnerability occurs to a flaw in the cleanxsstags function called in new.php of Gnuboard 5. 1. Open the https://sir.kr/bbs/new.php?darkmode=%22%3E%3Cscript%3Ealertdocument.domain%3C/script%3E 2. payload executing...
UI Redressing
Description Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills...
Path traversal on administrative account
Description Relative path traversal in DNN.Platform at log download functionality. Administrative account can download any system file. This could allow direct read access to files that are not meant to be accessible directly by the platform. Proof of Concept Login as administrative user. Payload...
Weak Password Change Mechanism
Description The user password change page, doesn't require knowledge of the existing password. Proof of Concept 1. 1 - Log in as a normal user 2. 2 - Go to the User Dashboard page and click Password. 3. 3 - Set a any new password. 4. 4 - The password is changed successfully...
Modify other people's articles by modifying the data package
Description The program does not check whether the originator of the request has this permission. I can modify the content of other people's articles and even modify the content by capturing data packets, even if I am not the owner of the article, even if I do not have permission in this respect...
IDOR allows to create new collection or modify a existing one
Description A normal user can create a new collection with the provided book ids or add new books to an existing collection, whose operations should be only executed by the administrator. \ \ This is possible due to an missing administrative role check in the /api/collection/update-for-series API...
Unauthenticated reading list item deletion
Description A unauthenticated user can delete any book item of any user reading list in the system without any authentication or authorization verification, via the /api/readinglist/delete-item API endpoint. Proof of Concept 1 - Send the following request, where x is the target readingListId and ...
Stored XSS on Admin Translations
Description Key/Name field in Admin Translation Settings is vulnerable to XSS. Proof of Concept 1 - Go to Settings, Admin Translations. 2 - Click on Add, and put the XSS payload: " on Name then save 3 - XSS popup will be triggered. Both Stable and Dev versions are vulnerable. Video PoC...
Unauthenticated book download and view details
Description A unauthenticated user can download, view the details and resources, and retrieve individual pages of any book in the system without any kind of authorization or authentication verification. \ \ Unauthenticated book operations list: 1 - Download any book via the /api/reader/pdf...
Stored XSS on Categories
Description Title parameter in the body of POST request when creating/editing a category is vulnerable to stored XSS. Proof of Concept 1 - Go to https://demo.microweber.org/demo/admin/view:content/action:categories 2 - Create a category or edit an existing one. 3 - Modify the title to an XSS...
Hostname Spoofing
Description parse-url parses following https url incorrectly, identifies its protocol as ssh, and its host name is parsed incorrectly either. https://www.google.com:[email protected]:x node -e 'const parseUrl=require"parse-url";console.logparseUrl"https://www.google.com:[email protected]:x"' protocols:...
Previously created sessions continue being valid after MFA activation [namelessmc.com]
Description 1. Hello Team I found one issue related to your 2FA system on https://namelessmc.com/user/settings/?do=enabletfa&s=2 Vulnerability Type: 1. Improper Access Control - Generic STEP TO REPRODUCE: 1. 1- access the same account on https://namelessmc.com/ in two devices 2. 2- on device 'A' ...
Unauthenticated Path Traversal
Description A unauthenticated user can read and download files of the application system by abusing the filename parameter, of the /api/image/cover-uploadendpoint, that is not properly sanitized. Proof of Concept 1 - Send the following request, where the filename has the relative path of the targ...
No password brute-force protection on login page
Description The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible password combination without any restriction. Proof of Concept 1. 1- Send a login request of the target user POST http://localhost:5000/api/account/login...
IDOR in password change page leads to administrative account takeover
Description The password change function doesn't properly handle the Change Password role, allowing to any user, that has this role enabled, to change the password of any user in the system, including the administrator account. Proof of Concept 1. 1 - Log in as a normal user that can change its o...
Full Read Server-Side Request Forgery (SSRF)
Description Via the /api/upload/upload-by-url endpoint is possible to upload an image via an URL provided by the user. The function that handles this upload, doesn't verify or validate the provided URL, allowing to fetch internal services. \ \ Furthermore, after the resource is fetched, there is ...
Account Takeover [namelessmc.com]
Description: 1. Hello team, while i was testing on https://namelessmc.com/login/ i noticed that there is no ratelimit protection on POST login form, so an attacker can takeover the account by brute forcing the password field Steps to reproduce: 1. 1- go to https://namelessmc.com/login/ 2. 2- Ente...
Insufficient Session Expiration After Password Change
Description During my test, I found that in Cockpit v 2.1.2, the application was not validating the request after password change. This allows attacker to update user account details even after admin changes password. Steps to Reproduce : 1. Login with your account and click on click on "Account...
Send message to blocked user
Description In this case if a userA block userB. UserB is still able to send private message to user A Proof of Concept 1.USerA block userB 2.UserB send direct request to message endpoint with userA''s userID Poc POST https://bookwyrm.social/post/direct Host: bookwyrm.social User-Agent: Mozilla/5...
Tabnabbing via window.opener [bookwyrm.social]
Description: 1. Hello @bookwyrm-social I found a tabnabbing vulnerability. attack is possible due to taget=blank or Tab nabbing via window.opener. VISIT:- https://bookwyrm.social/ SUMMARY: 1. I was browsing the site and found a tabnabbing vulnerability . As per the observation I found that attack...
Stored XSS via image markdown
Description The site allows creating markdown to get an image from a link, from which we can use it to generate XSS. Proof of Concept Payload: markdown Video: Youtube Only works on Google Chrome...
Cross-Site Request Forgery
Description The administrative /api/users registration endpoint is vulnerable to an Cross-Site Request Forgery attack due the lack of any kind of anti-CSRF token verification. Proof of Concept 1. 1 - An authenticated administrator visits an attacker-controllable website, in this case the PoC file...
Denial of Service via Attachment Upload
Description An attacker can upload an attachment without any size limitation which leads to an exception and the crash of the application. Proof of Concept 1. 1 - Log in and select and project and card. 2. 2 - Upload a file, in this case, a 5GB file. Used sample file. 3. 3 - After some seconds th...
Lack of Maximum Characters Length Validation on `Assignment Title` Input
Hello, Description The Assignment Title input is not being validated against a large number of characters added in it's value. This allows to initiate large number of characters and very big text inside the page. Proof of Concept 1. Navigate to Assignments section:...
Remote Code Execution due to code injection
Description RCE in CP ADMIN site structure it needs admin privilege Because of the typo in the sanitization. Anyone who has admin privilege can edit “site structure”, bypass it and execute php code. And we can execute system or other system function by php, so that's a RCE vulnerability. And next...
parser bypass and make SSRF attack
parse-url inproperly detecting protocol,resource and Pathname . This allow to bypass protocol check . Also this bug make ssrf check bypass\ \ lets check normal url result for parse-url import parseUrl from "parse-url"; console.logparseUrl"http://nnnn@localhost:808/?id=xss" protocols: 'http' ,...
Idor when creating group
Description Insecure direct object references when creating a list allows one user to create a new list on behalf of another. Proof of Concept POST /user/[email protected]/groups HTTP/2 Host: bookwyrm.social Cookie: csrftoken=; djangolanguage=None; sessionid= User-Agent: Mozilla/5.0 Windows N...
User can do all actives with other's signature (view, get, create, update, delete,...)
Description I observed that users can view any user's signature by changing their user parameter to other's user parameter. By the same way users can create/delete/update other's signature in create signature function. View/Get other's signature: 1. Login to an account I use account receptionist...
IDOR leads to delete messages in Message Center of others.
Description I observed that users can delete messages in other's Message Center by changing deleteid parameter to deleteid value of message which belongs to other. Step: - Login with Physician account and determine deleteid of messages in Physician's Message Center - Login with Clinician account....
Weak password policy on account creation/password update
Description The password policy used in the account creation and password change pages is weak, allowing to set a password of only 1 character. Proof of Concept Case 1 - Account Creation 1. 1 - Login as admin and go to the users page. 2. 2 - Create a new user and set 1 as the password and click i...