Improper Input Validation Leads to Privilege Escalation and Denial of Service
Description Improper input validation allows an attacker to escalate privileges and can crash the nginx server. There is no input validation in v-add-web-domain-redirect L82 and in the "v-redirect-custom" input on the "Edit Web Domain" page; inputs are written directly to the...
Password Reset token returned in Response leads to Account Takeover
Description Password Reset token returned in Response. You can then set an arbitrary password with the following URL: url //auth/reset-password?token=token Proof of Concept...
Cross-Site Request Forgery (CSRF)
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept PoC.html `history.pushState('', '', '/'); document.forms[0].submit();`...
IDOR discloses other users' appointments
Description In this case an IDOR allows an attacker to view a portal user's appointments. Proof of Concept 1. Go to http://demo.openemr.io/openemr/portal/home.php, then go to My Profile > My Appointment. 2. Click on the edit appointment button and capture the request in Burp Suite. 3. Change the eid parameter t...
Cross-site scripting
Description In this case a patient is able to execute JS scripts in the admin's session. Further exploitation could lead to admin account takeover. Steps to Reproduce: 1. Log in here: https://demo.openemr.io/openemr/portal 2. Go to My Documents and create a new insurance form 3. Add this payload to any select...
No Protection against Bruteforce attacks on Login page
Description Wger Workout Manager does not limit unsuccessful login attempts, allowing brute forcing. Proof of Concept Steps to Reproduce: 1. Register a new user 2. Log out 3. Send a login request with an incorrect password 4. Capture the login request 5. Replay the login request with a different...
Improper Input Validation
Description Input validation is a frequently used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. When software does not validate input properly, an attacker is able to cra...
Null Pointer Dereference Caused Segmentation Fault
Description A null pointer dereference caused a segmentation fault. This can cause a Denial-of-Service attack. version smlijun@ubuntu:/gpacasan/bin/gcc$ ./MP4Box -version MP4Box - GPAC version 2.1-DEV-rev243-gf87b12b32-master (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Plea...
Privilege Escalation from admin user to root user
Description The "admin" user has sudo rights and can gain root access. In a default sudo installation, the "admin" group has root rights. The "admin" user is created by the Hestia installation and is also in the "admin" group. If an attacker gains access to the "admin" user, they can gain root access. Proof of Concept...
Reflected XSS in fava application
Description The "querystring" parameter of the fava application is vulnerable to reflected XSS, through which an attacker can modify any information that the user is able to modify. Proof of Concept 1. Open the URL:...
OS Command Injection from user to admin
Summary Arbitrary commands can be injected when installing DokuWiki. Description Users authenticated with the "User" role can inject commands. Injected commands run as the "admin" user. Prerequisites 1. Any user access 2. PHP 7.4 must be installed in order to install DokuWiki; only admin can install...
DOM-based Cross-Site Scripting (XSS) in OpenEMR 7.0.0 and below at White list files
Description We would like to report the vulnerability we found during software testing. OpenEMR 7.0.0 (the latest version) and below, an open-source electronic health records and medical practice management application, has a DOM-based Cross-Site Scripting (XSS) vulnerability in the...
Cross-Site Request Forgery (CSRF)
Description CSRF is still possible on the Leads module. A detailed video is attached as proof of concept. Tested from: Firefox. URL of Demo: https://demo.corebos.com/index.php?module=Leads&action=index&record=&relmodule=Leads Proof of Concept Video Link: https://vimeo.com/732211543 Steps Involved 1...
Non-privileged user can view Patient's Amendments
Description We would like to report the vulnerability we found during software testing. OpenEMR 7.0.0, the latest version of the open-source electronic health records and medical practice management application, has an Insecure Direct Object Reference (IDOR) in the “Patient’s Amendments” function, and it never bee...
Cross-site Scripting via link creation bypassing the javascript scheme filter
Description The markdown link creation feature allows inserting paths containing the javascript scheme, bypassing the javascript scheme filter by adding an https scheme prefix, so this flaw leads to an XSS vulnerability. The payload used is the following: Proof of Concept Steps to reproduce 1. Create a new document 2...
Unauthorized create and edit in Amendments function
Description We would like to report the vulnerability we found during software testing. OpenEMR 7.0.0, the latest version of the open-source electronic health records and medical practice management application, allows unauthorized create and edit on “Patient/dashboard/Amendments” with function...
Send message in chat function with any username
Description In the chat function, the username is not validated. We can change the username to any value we want, one which does not match the logged-in user. Exploitation steps: 1. Log in with the Phil1 account (a patient account). 2. Send a message via the Burp Suite proxy. 3. Modify the username to any value you want (I used "n00b"). 4. ...
heap-buffer-overflow occurs in function eval_string ./vim/src/typval.c:2226
Description A heap-buffer-overflow occurs in eval_string at ./vim/src/typval.c:2226; more memory should be allocated at ./vim/src/typval.c:2126. vim version git log commit 5154a8880034b7bb94186d37bcecc6ee1a96f732 (HEAD -> master, tag: v9.0.0057, origin/master, origin/HEAD) Proof of Concept PoC ./vim -u...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. Proof of Concept PHPSESSID:"ID" Created:"Tue, 19 Jul 2022 13:15:32 GMT" Domain:"demo.pimcore.fun" Expires / Max-Age:"Sessio...
Reflected Cross Site Scripting in OpenEMR 7.0.0 and below at backup
Description We would like to report the vulnerability we found during software testing. OpenEMR 7.0.0 (the latest version) and below, an open-source electronic health records and medical practice management application, has a Reflected Cross-Site Scripting vulnerability in the formstatus parameter...
Blind SSRF on the RSS Feed
A normal user can add an RSS feed with an internal URL, which could lead to a blind SSRF issue by using local URLs...
Insecure Direct Object References when creating a list
Description Insecure direct object references when creating a list allow one user to create a new list on behalf of another. Proof of Concept POST /list HTTP/2 Host: bookwyrm.social Cookie: djangolanguage=None; csrftoken=I5lj4znBJ9B5HnT3FAsII67G1EISidIKGlsIz5ElN9kmlDwucM2hGKx0Fy4gM8vj;...
XSS via improper parsing of javascript: URL
Description A URL like javascript://example.com%0aalert(1) will get incorrectly recognised as a file: protocol. It has nothing to do with escaping, as the common characters such as &, , `if (parsed.protocol !== "javascript") res.send("CLICK ME!")` `app.listen(9999);`...
[Bypass] Cross-site Scripting (XSS) via file upload
🔒️ Requirements Privileges: User. 📝 Description I found a bypass to this report by uploading the file with the "public": true parameter. This is due to the fact that the AWS bucket public folder does not auto-download files when we access them. 🕵️♂️ Proof of Concept Step 1: Go to your Outline home and...
Cross-Site Request Forgery (CSRF)
Description I found a possible Cross-Site Request Forgery (CSRF) vulnerability in the Login Form. Login CSRF is a type of attack where the attacker can force the user to log in to the attacker’s account on a website and thus reveal information about what the user is doing while logged in. Proof of...
Insecure direct object references in "review" function
Description Insecure direct object references in the review-a-book function allow one user to create a comment on behalf of another. Proof of Concept POST /post/review HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=bYsdqkQkkbYXZYRVd8AynhYxG1rBb2AoOfAO76XCYmgzXK3A266EpZamGcKL0pN5;...
Heap-based Buffer Overflow in function ins_compl_infercase_gettext()
Description Heap-based Buffer Overflow in function ins_compl_infercase_gettext at src/insexpand.c:645 vim version commit 3a393790a4fd7a5edcafbb55cd79438b6e641714 Author: Dominique Pelle Date: Thu Jul 14 17:40:49 2022 +0100 patch 9.0.0053: E1281 not tested with the old regexp engine Problem: E1281 no...
Undefined behavior in diff_write_buffer()
Description Undefined behavior. commit hash: 99af91e5820c78a196c9272cd8ce5aa5be7bf374 A heap-buffer-overflow may occur. Proof of Concept Download POC file POC GDB gdb-peda$ r -u NONE -i NONE -n -m -X -Z -e -s -S undefinedpoc -c :qa! 0000089bd31 in diff_write_buffer buf=0x62500000f100, din= at...
Cross-site Scripting (XSS)
Description ihatemoney is vulnerable to Cross-Site Scripting (XSS) when inviting people via email. Steps to reproduce 1. Go to https://ihatemoney.org/ and try out the demo. 2. In the bottom left, click on Invite people. 3. In the Send via Emails section, input the payload: into the People to notify...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. Proof of Concept Link: https://postimg.cc/1nBBXZr5 Remediation If possible, you should set the Secure flag for these cooki...
LFI / Path Traversal allows attacker to read any file in the working directory
Description The file upload functionality allows a user to attach a file to a paste. When an attacker views the attached file, he can alter the path (e.g. via Burp Suite) and read any file in the working directory via a relative path. This also applies to private pastes. The attacker needs...
Insecure redirect when submitting an invalid form
Description When submitting an invalid form, the server redirects to a URL obtained from the Referer header. Proof of Concept POST /create-shelf HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=ZpIuGbCcxOyhta5bki4N46N7vknEAcpaG3881kcMAfWKBEYKEiLEeSc3Sr4lUTVa; djangolanguage=en-us;...
Insecure direct object references in `create-shelf` function
Description Insecure direct object references in the create-shelf function allow one user to create a shelf on behalf of another. Proof of Concept POST /create-shelf HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=ZpIuGbCcxOyhta5bki4N46N7vknEAcpaG3881kcMAfWKBEYKEiLEeSc3Sr4lUTVa;...
Cross-site Scripting (XSS) - Reflected
Description Hi team, I found XSS at /module/. Proof of Concept Pop-up POC: Reflected POC: Full request payload: POST /demo/module/ HTTP/1.1 Host: demo.microweber.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: en-US,en;q=0....
stackexchange uses an unpatched version of jQuery < 3.4.0 which exposes it to prototype pollution
Description By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on the existence or non-existence of certain attributes, or uses...
Email enumeration via Resend link page
Description Through the Resend link page, an attacker can learn whether an email exists or not just by observing the notification on the response page. Once the attacker knows that an email exists, he can launch a brute-force attack against it. If an email exists: there is no notification and...
Email Verification Bypass Leads To Account Takeover
Hello maintainer, I noticed that there is no rate-limit protection on the https://book.dansmonorage.blue/confirm-email endpoint, so we can perform a brute-force attack. Steps to reproduce: 1. Create an account with the victim's email ID. 2. When the account is created, it asks for email confirmation via...
Account Takeover
Hello team, while I was testing on https://book.dansmonorage.blue/login I noticed that there is no rate-limit protection on the POST login form, so an attacker can take over the account by brute-forcing the password field. Steps to reproduce: 1. Go to https://book.dansmonorage.blue/login 2. Enter...
Weak password accepted in reset-password function
Description Steps to reproduce: 1. Go to https://book.dansmonorage.blue/password-reset. 2. Type your email and receive the reset password link. 3. Enter "a" as the new password and it succeeds. Proof of Concept POST /password-reset/D4VUXDL5 HTTP/2 Host: book.dansmonorage.blue Cookie:...
Open redirect after successful login
Description Open redirect after a successful login via the next parameter. Proof of Concept POST /login?next=https://www.google.com/open-redirect HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=EUjtgvt3A20lSHYbTxBvfAxQi5gNHHzeI7Bda1HOGnWCioMA6cwQqYWXv8ONog4k User-Agent: Mozilla/5.0 Windows NT 10....
Cross-Site Request Forgery (CSRF)
Description An attacker is able to download data from a user via the CSV Export function. The export will include all the books on your shelves, books you have reviewed, and books with reading activity. Vulnerable URL https://bookwyrm.social/preferences/export/file Proof of Concept...
Weak policy in Change password function
Description BookWyrm uses a weak password policy, allowing a user to change the password to just 1 character through the change password function. Steps to reproduce 1. Log in, then go to the Change password page https://book.dansmonorage.blue/preferences/password 2. Enter a character, for example 1, in t...
Weak Password Change Mechanism
Description When setting a new user password, it does not require knowledge of the original password (current password not required). Proof of Concept 1. Log in as a regular user 2. Navigate to: https://book.dansmonorage.blue/preferences/password 3. Enter any password string...
Business logic error: Not able to access newly created admin account with the username admin with the password
Hello team, recently I found that I'm able to create a dual admin via the same username; by creating a dual admin account we may not be able to log in to the newly created admin-named account. 2. For example, the default username and password of the Nakama dashboard are admin & password. 3. After...
Stored XSS in
Description Hello, I have found that an XSS payload is executed in the name-of-note field, and I wanted to make a report about it. Please note that I left the Occurrences empty because I don't know anything about it; please see the video attached in the POC to know more about it...
Bypass IP detection to brute-force password
Description In the login API, by default, the IP address is blocked when the user tries to log in incorrectly more than 5 times, but we can bypass this mechanism by abusing the X-Forwarded-For header to bypass IP detection and perform a password brute-force. Proof of Concept POST /demo/api/userlogin...
Heap-based buffer overflow in function vim_iswordp_buf
Description Heap-based buffer overflow in function vim_iswordp_buf at charset.c:835 Version commit fee0c4aa99eb0a7a801dade758ce5e04b48c15d1 (HEAD -> master, origin/master, origin/HEAD) Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc196min ...
Application allows a large number of characters to be inserted in the "Add new table" input field on the create form, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in
Proof of Concept Go to http://localhost:8080/dashboard//projects. Select any created project and go to the project section. Click on the "ADD/IMPORT" section and click on "add new table" Create. Fill the "table name" field with a huge number of characters (more than 1 lakh). Copy the below payload and put it in...
Cross-site scripting - DOM
Description DOM XSS with filter bypass on /demo/module/ using the type parameter, without authentication. Proof of Concept...
Heap-based buffer overflow in function ins_compl_add
Description Heap-based buffer overflow in function ins_compl_add at insexpand.c:751 Version commit b8329db36a886355e6e9cb9986a3668fef78c438 (HEAD -> master, tag: v9.0.0044) Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc42min -c :qa!...