4072 matches found
No password brute-force protection on login page
Description The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible password combination without any restriction. Proof of Concept 1. 1 - Send a login request of the target user POST http://localhost:3000/api/access-tokens...
Cross-site Scripting - Reflected
Description The pricelevel parameter in openemr is vulnerable to reflected XSS Proof of Concept 1. Open the web browser to access the website 2. Access the url: http://openemr.vn/interface/forms/feesheet/review/feesheetoptionsajax.php?pricelevel=%3Cimg%20src%3da%20onerror%3dalertdocument.cookie%3...
Path Traversal
Description Via the /attachments/:id/download/thumbnails/:filename endpoint, an authenticated user can access any arbitrary file in the system through a path traversal vulnerability in the filename parameter. \ \ The filename parameter is not sanitized and its used to craft the path of the target...
Weak password policy on account creation/password update
Description The password policy used in the account creation and password change pages is weak, allowing to set a password of only 1 character. Proof of Concept Case 1 - Account Creation 1. 1 - Login as admin and go to the users page. 2. 2 - Create a new user and set 1 as the password and click i...
CSRF vulnerability exists in modifying user information (including password)
Description Csrf vulnerability in user information modification page Proof of Concept In \app\home\c\UserController $re = M'member'-update'id'=$this-member'id',$w; $member = M'member'-find'id'=$this-member'id'; unset$member'pass'; $SESSION'member' = arraymerge$SESSION'member',$member;...
Segmentation Fault in SFS_Expression
It can cause Denial-of-service attack. Version root@ubuntu:/gpac/.git cat refs/heads/master 0102c5d4db7fdbf08b5b591b2a6264de33867a07 system stack size default root@ubuntu:/gpac/bin/gcc ulimit -s 8192 POC Download POC Execute root@ubuntu:/gpac/bin/gcc ./MP4Box -info -disox -dump-chap-ogg -dump-cov...
Reflected XSS on conversion filter function
Description Fava v1.22 have a conversion filter function on income statement dashboard which allow user to perform XSS due to improper validation on filter conversion. Proof of Concept 1 Navigate to Fava demo instance https://fava.pythonanywhere.com/example-beancount-file/incomestatement/. 2 Filt...
Format string modifiers in card label
Description When adding a new video device with v4l2loopback-ctl that contains a card label with format string modifiers the kernel driver interprets these when querying the device capabilities, thus leaking kernel memory stack contents. The vulnerability requires the attacker to have access to t...
No password brute-force protection on login page
Description The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible combination without any restriction. Proof of Concept 1. 1 - Send a login request of the target user POST /api/auth/token HTTP/1.1 Host: localhost:9091...
Full Read Server-Side Request Forgery (SSRF)
Description In the recipe edit page, is possible to upload an image directly or via an URL provided by the user. The function that handles the fetching and saving of the image via the URL doesn't have any URL verification, which allows to fetch internal services. \ \ Furthermore, after the resour...
Path traversal in unjs/storage leads to code injection due to unsanitzed code generation
Path Traversal A path traversal vulnerability exists within unjs/unstorage when using the file system storage driver. This vulnerability can be exploited when the user has control over the key name. By creating key names containing sequences of ../ or ..: we can navigate the file system. We are...
Unauthenticated Cross Site Scripting - Reflected
Description Please enter a description of the vulnerability. Proof of Concept XSS POC: Local Host : http://192.168.0.109:81/?PagePrincipale/rss&id=1%27%3Cscript%3Ealert1122%3C/script%3E Vendor Domain: https://yeswiki.net/?AccueiL/rss&id=1%27%3Cscript%3Ealert1122%3C/script%3E Attached POC Images:...
UnAuthenticated SQL Injection
Proof of Concept POC: Vendor Domain Print version: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue0x0a,concat0x0a,select+version--+- Print Database: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue0x0a,concat0x0a,select+database--+- Print User:...
Cross-site scripting - Stored via upload ".xml" file
Description In file upload function, the server allow upload .xml file with contain some javascript code lead to XSS. Proof of Concept REQUEST POST /?PageTitre/ajaxupload&qqfile=index.xml HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:104.0 Gecko/20100101...
Improper Input Validation Leads to Privilege Escalation and Denial of Service
Description Improper input validation allows an attacker to privilege escalation and can make crash nginx server. There is no input validation in the v-add-web-domain-redirectL82, and "v-redirect-custom" input on the "Edit Web Domain" page, inputs are written directly to the...
Password Reset token returned in Respose to Account takeover.
Description Password Reset token returned in Respose. Then you can set an arbitrary password with the following url: url //auth/reset-password?token=token Proof of Concept...
Cross-Site Request Forgery (CSRF)
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept PoC.html history.pushState'', '', '/' document.forms0.submit;...
Idor disclose other user's appointment
Description:- In this case an idor allow an attacker to view portal user's appointments Proof of Concept 1.Goto http://demo.openemr.io/openemr/portal/home.php and then goto my profile my appointment 2.Click on edit appointment button and capture the request in burp suite 3. Change eid parameter t...
Cross site script
Description In this case a patient is able to execute js scripts in admin's session. further exploitation could lead to admin account takeover Steps to Repro:- 1. Login here https://demo.openemr.io/openemr/portal 2. Goto my documents and create new insurance form 3. Add this payload to any select...
No Protection against Bruteforce attacks on Login page
Description Wger Workout Manager does not limit unsuccessful login attempts allowing Brute Forcing. Proof of Concept Steps to Reproduce: 1. Register a new user 2. Logout 3. Send a login request with an incorrect password 4. Capture the login request 5. Replay the login request with a different...
Improper Input Validation
Description Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. When software does not validate input properly, an attacker is able to cra...
Null Pointer Dereference Caused Segmentation Fault
Description Null pointer dereference caused segmentation fault. This can cause Denial-of -service attack. version smlijun@ubuntu:/gpacasan/bin/gcc$ ./MP4Box -version MP4Box - GPAC version 2.1-DEV-rev243-gf87b12b32-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Plea...
Privilege Escalation admin user to root user
Description "admin" user has sudo rights and can gain root access. By default sudo installation "admin" group has root rights. "admin" user created by hestia installation and this user is also in "admin" group. if the attackers access "admin" user, can gain root access. Proof of Concept...
Reflected XSS in fava application
Description The "querystring" parameter of fava application is vulnerable to reflected XSS for which a attacker can modify any information that the user is able to modify. Proof of Concept 1.Open the url:...
OS Command Injection user to admin
Summary Arbitrary commands can be injected when installing DokuWiki. Description Authenticated as "User" role users can inject commands. Injected commands are running as "admin" user. Prerequisite 1. Any user access 2. php 7.4 must be installed in order to install dokuwiki only admin can install...
DOM-based Cross-Site Scripting (XSS) in OpenEMR 7.0.0 and below at White list files
Description We would like to report the vulnerability we found during software testing. The OpenEMR 7.0.0 latest version and below version; Open Source electronic health records and medical practice management application; has DOM-based Cross-Site Scripting XSS vulnerability in the...
Cross-Site Request Forgery (CSRF)
Description CSRF is still possible on the Leads module Detailed Video is attached Proof of concept. Tested from: Firefox URL of Demo : https://demo.corebos.com/index.php?module=Leads&action=index&record=&relmodule=Leads Proof of Concept Video Link : https://vimeo.com/732211543 Steps Involved 1...
Non-Privilege user can view Patient's Amendments
Description We would like to report the vulnerability we found during software testing. The OpenEMR 7.0.0 latest version Open-Source electronic health records and medical practice management application has Insecure direct object reference IDOR to function “Patient’s Amendments”, and it never bee...
Cross-site Scripting via link creation bypass filter javascript scheme
Description The markdown's link creation feature allows inserting paths containing javascript scheme bypass filter javascript scheme via add https scheme prefix, so this flaw lead to XSS vulnerability. The payload used is the following: Proof of Concept Step to reproduct 1. Create new document 2...
Unauthorized to create and edit Amendments function
Description We would like to report the vulnerability we found during software testing. The OpenEMR 7.0.0 latest version Open Source electronic health records and medical practice management application has unauthorized create and edit on “Patient/dashboard/Amendments” with function...
Send message in chat function with any username
Description In chat function, username is not validated. We can change username to any value we want which not match with logged in user. Exploitation steps: 1. Login with Phil1 account Patient account. 2. Send message via Burpsuite proxy 3. Modify username to any value you want I user "n00b" 4. ...
heap-buffer-overflow occurs in function eval_string ./vim/src/typval.c:2226
Description heap-buffer-overflow occurs in evalstring ./vim/src/typval.c:2226, it should be allocated more memory at ./vim/src/typval.c:2126 vim version git log commit 5154a8880034b7bb94186d37bcecc6ee1a96f732 HEAD - master, tag: v9.0.0057, origin/master, origin/HEAD Proof of Concept Poc ./vim -u...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session Proof of Concept PHPSESSID:"ID" Created:"Tue, 19 Jul 2022 13:15:32 GMT" Domain:"demo.pimcore.fun" Expires / Max-Age:"Sessio...
Reflected Cross Site Scripting in OpenEMR 7.0.0 and below at backup
Description We would like to report the vulnerability we found during software testing. The OpenEMR 7.0.0 latest version and below version Open Source electronic health records and medical practice management application has Reflected Cross Site Scripting vulnerability in the formstatus parameter...
Blind SSRF on the RSS Feed
A normal user can add an RSS Feed with an internal URL which could lead to a blind SSRF issue by using local URLs...
Insecure Direct Object References when creating a list
Description Insecure direct object references when creating a list allows one user to create a new list on behalf of another. Proof of Concept POST /list HTTP/2 Host: bookwyrm.social Cookie: djangolanguage=None; csrftoken=I5lj4znBJ9B5HnT3FAsII67G1EISidIKGlsIz5ElN9kmlDwucM2hGKx0Fy4gM8vj;...
xss via improper parsing of javascript: url
Description A URL like javascript://example.com%0aalert1 will get incorrectly recognised as a file: protocol. It has nothing to do with escaping as the common characters such as &, , if parsed.protocol !== "javascript" res.send"CLICK ME!" app.listen9999;...
[Bypass] Cross-site Scriptin (XSS) via file upload
🔒️ Requirements Privileges: User. 📝 Description I found a bypass to this report by uploading the file with "public": true, parameter. This is due to the fact that AWS bucket public folder does not auto download files when we access them. 🕵️♂️ Proof of Concept Step 1: Go your outline home and...
Cross-Site Request Forgery (CSRF)
Description I found a possible Cross-Site Request Forgery CSRF vulnerability in Login Form. Login CSRF is a type of attack where the attacker can force the user to log in to the attacker’s account on a website and thus reveal information about what the user is doing while logged in. Proof of...
Insecure direct object references in "review" function
Description Insecure direct object references in review a book function allows one user to create a comment on behalf of another. Proof of Concept POST /post/review HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=bYsdqkQkkbYXZYRVd8AynhYxG1rBb2AoOfAO76XCYmgzXK3A266EpZamGcKL0pN5;...
Heap-based Buffer Overflow in function ins_compl_infercase_gettext()
Description Heap-based Buffer Overflow in function inscomplinfercasegettext at src/insexpand.c:645 vim version commit 3a393790a4fd7a5edcafbb55cd79438b6e641714 Author: Dominique Pelle Date: Thu Jul 14 17:40:49 2022 +0100 patch 9.0.0053: E1281 not tested with the old regexp engine Problem: E1281 no...
Undefined behavior in diff_write_buffer()
Description Undefined behavior. commit hash: 99af91e5820c78a196c9272cd8ce5aa5be7bf374 It may occur heap-buffer-overflow. Proof of Concept Download POC file POC GDB gdb-peda$ r -u NONE -i NONE -n -m -X -Z -e -s -S undefinedpoc -c :qa! 0000089bd31 in diffwritebuffer buf=0x62500000f100, din= at...
Cross-site Scripting (XSS)
Description ihatemoney is vulnerable to Cross-Site Scripting XSS when inviting people via email. Steps to reproduce 1.Go to https://ihatemoney.org/ and try out the demo. 2.In the bottom left, click on Invite people. 3.In the Send via Emails section, input the payload: into the People to notify...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. Proof of Concept Link: https://postimg.cc/1nBBXZr5 Remediation If possible, you should set the Secure flag for these cooki...
LFI / Path Traversal allows attacker to read any file in the working directory
Description The file upload functionality allows a user to attach a file to a paste. When an attacker views the attached file he can alter the path e.g. via burpsuit and read any file in the working directory via the relative path. This also accounts for private pastes. The attacker needs...
Insecure redirect when submit invalid form
Description When submit invalid form, the server will redirect to url which obtain via Referrer header. Proof of Concept POST /create-shelf HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=ZpIuGbCcxOyhta5bki4N46N7vknEAcpaG3881kcMAfWKBEYKEiLEeSc3Sr4lUTVa; djangolanguage=en-us;...
Insecure direct object references in `create-shelf` function
Description Insecure direct object references in create-shelf function allows one user to create a shelf on behalf of another. Proof of Concept POST /create-shelf HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=ZpIuGbCcxOyhta5bki4N46N7vknEAcpaG3881kcMAfWKBEYKEiLEeSc3Sr4lUTVa;...
Cross-site Scripting (XSS) - Reflected
Description Hi team, I found XSS at /module/. Proof of Concept Pop up POC: Reflected POC: Full request payload: POST /demo/module/ HTTP/1.1 Host: demo.microweber.org User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:102.0 Gecko/20100101 Firefox/102.0 Accept: / Accept-Language: en-US,en;q=0....
stackexchange uses an unpached version of jQuery < 3.4.0 which exposes it to prototype pollution
Description By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses...
Email enumeration via Resend link page
Description Through the Resend link page, an attacker can know that if an email exists or not; just by observing the notification in the response page. So, once the attacker knows that an email exists, he can launch a brute force attack against it. If an email exists: There is no notification and...