Stored XSS via SVG File
Description By uploading SVG files, users can perform a Stored XSS attack. Payload Copy the following code and save as filename.svg. alertdocument.domain Proof of Concept 1 Login as admin. 2 upload the payload injected SVG file at...
Improperly Configured rack_attack.rb does not prevent rate limit attacks
Description The lobsters repository depends upon rack_attack.rb to prevent rate limit attacks against the /login or the /login/setnewpassword endpoint, allowing for only 4 requests in a minute. However, this can be bypassed by simply appending some strings like /login.turtles to the endpoint. Proo...
No Rate Limit On Reset Password Page
Description I have identified that when resetting the password for an account, the request has no rate limit, which can then be used to loop one request. This can annoy the root users by sending mass password emails to one address. A rate limiting algorithm is used to check if the user session or IP-address...
Heap-based Buffer Overflow in function ins_compl_add
Description Heap-based Buffer Overflow in function ins_compl_add at insexpand.c:751 vim version git log commit 324478037923feef1eb8a771648e38ade9e5e05a HEAD -> master, tag: v9.0.0042, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbor4s.dat -c :qa!...
Cross-Site Request Forgery (CSRF)
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit;...
Out-of-bounds Read in function utf_ptr2char
Description Out-of-bounds Read in function utf_ptr2char at mbyte.c:1794 vim version git log commit 324478037923feef1eb8a771648e38ade9e5e05a HEAD -> master, tag: v9.0.0042, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocobr5s.dat -c :qa!...
Email enumeration via Reset password page
Description Through the Reset password page, an attacker can know whether an email exists or not, just by observing the notification in the response page. So, once the attacker knows that an email exists, he can launch a brute force attack against it. If an email exists: The notification will be ...
Heap Use After Free in function skipwhite
Description Heap Use After Free in function skipwhite at charset.c:1428 vim version git log commit 324478037923feef1eb8a771648e38ade9e5e05a HEAD -> master, tag: v9.0.0042, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf4s.dat -c :qa!...
Insufficiently complex hash function used in `useFetch` means return data cannot be trusted
Description The useFetch function uses the ohash library to key requests. This hash function outputs a 32 bit number. Finding a collision for this function is easy. In a situation where useFetch is called more than once, any call after the first that contains untrusted input into any argument is...
Password Reset Allows For User Email Enumeration
Description The password reset function at the login page responds differently to valid and invalid emails in the application. Submitting an invalid email results in "The e-mail address is not assigned to any user account." A valid email results in a message stating an email has been sent. Proof of Concept...
Allows large characters in change password
Description The commafeed application allows large characters to be inserted into the input field "password" at the password change feature, which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Login and go to profile 2. Go to password change feature 3. Fi...
Allows large characters in password filling
Description The commafeed application allows large characters to be inserted into the input field "password", which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Register a new account. 2. Fill a normal email, fill the "Password" and "Password agian"...
Weak Password Change Mechanism
Description When setting a new user password, commafeed does not require knowledge of the original password or using another form of authentication. Proof of Concept 1. Log in as a regular user 2. Go to the profile settings link 3. Select Set Password 4. Enter any 6-character password string this...
Weak Password Policy
Description This application commafeed is using a weak password policy. Acunetix was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept Go to this URL:...
Inefficient Regular Expression Complexity
Description Inefficient regular expression complexity regex when trying to match Potentially Trustworthy could lead to a denial of service attack. With a formed payload 'http://' + 'a.a.'.repeat(i) + 'a', a 76 characters payload could take 42642 ms execution time. Proof of Concept // PoC.js import...
Mutation Stored XSS at homepage
Description bookwyrm's HTML input sanitizer is vulnerable to Mutation XSS. The payload could be stored and displayed on the homepage of the website at path /feed or /discovery, so it widely affects all users and the main website. Proof of Concept Edit a book description: // PoC Access to the /feed...
Improper Link Input Validation leads to Cross-site Scripting (XSS)
Description The link input validation does not filter the javascript protocol in the href attribute. It allows attackers to inject malicious links into many fields of the website, such as author introduction, user summary, and book description, ... which could execute javascript code XSS. Proof of Concept...
Improper handling of parameter lead to listing any directory
Description In the file-manager/list API, the server does not handle path parameters properly, allowing listing of any directory. To exploit, use double URL encoding to bypass the filter. Proof of Concept GET /demo/api/file-manager/list?path=%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/...
Stored Cross-site Scripting (XSS) leads to Account Takeover
🔒️ Requirements - Be able to edit or create documents. - Click of a user on the link. 📝 Description The markdown's link creation feature does not properly sanitize url input, which allows the use of an error event to execute javascript. Furthermore, due to a lack of the HttpOnly flag on the session cookie, it i...
Regular Expression Denial of Service (ReDoS)
Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in parse-url. It allows causing a denial of service when calling function parse-url. The ReDoS vulnerability is mainly due to the regex /git@|https?://\w.@+/|:,\w,-,,/+.git0,1/0,1/ and can be...
Idor Lead to Delete exported data file
Description In this case the attacker is able to delete a requested export data file. Steps to repro:- 1. Create 2 accounts 2. Login in both accounts, go to the export section and create a new export in both accounts 3. Delete acc1's exported file, capture this request in burp suite and change the id of this...
Multiple Stored XSS
✍️ Description The persistent or stored XSS vulnerability is a more devastating variant of a cross-site scripting flaw, it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular...
Documents in trash accessible by Viewer role
Description Once a document is archived or deleted, there is no way to access it through the UI or the Document link. But the API gives the file information and content. This is the same with archived files. Proof of Concept 1. Give a user Viewer role. 2. Visit https://your.getoutline.com/trash or...
Reflected XSS in Username
Description If a regular user's username is set to an XSS payload, and then that same XSS payload is placed in the q query parameter of /scp/ajax.php/users/local, then reflected XSS is achieved. This XSS can lead to complete takeover of the osTicket instance. Proof of Concept Set a user's username...
Stored XSS in profile settings.
Description Stored XSS via "Website" box in Profile Settings. Proof of Concept Go to profile settings, put the following payload in the "website" box: google.com" Save, and see the XSS triggered!...
Cross-site scripting - Stored via upload ".xlr" file
Description In the file upload function, the server allows uploading an .xlr file containing some javascript code, leading to XSS. Proof of Concept REQUEST POST /demo/plupload HTTP/1.1 Host: demo.microweber.org Cookie: laravelsession=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb;...
Cross-site scripting - Stored via upload ".pages" file
Description In the file upload function, the server allows uploading a .pages file containing some javascript code, leading to XSS. Proof of Concept REQUEST: POST /demo/plupload HTTP/1.1 Host: demo.microweber.org Cookie: laravelsession=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb;...
Hyperlink injection in email
BUG ========= Hyperlink injection in email SUMMARY ============= There is no character length limit in the user fullname. So, a user can set the fullname to a large number of characters and can also put a link url. DETAILS =============== 1. go to the admin account profile and change fullname to below Hi, You have...
Stored XSS via Editing config
Description Hello, I'm reporting several Stored XSS vulnerabilities in the same report because huntr.dev now wants us to do this. Please consider the vulnerabilities independently. Vuln one: It's possible to inject javascript code in the "URL of your FAQ" parameter in admin's edit config form. The...
Cross Site Scripting via Improper Input Validation (parser differential)
Description I find that parse-url parses the following URL incorrectly and identifies protocol as ssh: javascript://n.com:-4294967297/?ab=--2509999973799371216494http://user:passser:[email protected]:-4294967297/?a /parseurlfuzz$ node -e 'const parseUrl = require"parse-url";...
unprivileged user can get document details
Description An unprivileged user can see document details of any document. Proof of Concept 1. From the admin account add a new user called user-B with the member role. 2. Now from the admin account create a private collection and don't share it with any member. Set the below permission for this collection...
xss via svg file
Description xss via svg file Proof of Concept 1. go to your account and create a document under a collection. 2. Now edit this document and upload the below svg file in this document content as image filename--evil.svg alert'Thais app is probably vulnerable to XSS attackss!'; 3. after upload open...
Full Read Server-Side Request Forgery (SSRF)
🔒️ Requirements Privileges: None. 📝 Description The avatarUrl post parameter from the /api/users.update and /api/teams.update api endpoints isn't sanitized and permits a full read SSRF exploitation. When updating a user's or team's avatar, even if from the client side we can only change it by uploading...
user can get document content even after removed
Description Admin can add a member to his personal collection. But if admin removes that user from this collection, then that user can still see realtime document update content. Proof of Concept 1. From the admin account invite user-B with the member role. 2. From the admin account create a private...
Uncontrolled Memory Allocation in function lodepng_realloc
Description Uncontrolled Memory Allocation in function lodepng_realloc at lodepng/lodepng.c:86 Version git log commit 06bb36ae2c9b9074e9736a2e25845a2e789cc4e6 HEAD -> master, origin/master, origin/HEAD Author: Hans Petter Jansson Date: Fri Jul 1 01:06:00 2022 +0200 POC ./tools/chafa/chafa...
File Protocol Spoofing
Description parse-url misinterprets the file:// protocol when trying to match git urls. The following payload is certainly a valid file protocol URL but is interpreted as ssh protocol. file:///etc/passwd?http://a:1:1 Proof of Concept // PoC.js const fs = require('fs'); var parseURL = require("parse-url")...
Open Redirect
📝 Description The redirect get variable in the login page isn't properly checked. Currently, it checks if url.scheme and url.netloc are empty using urllib. py parsed = urlparseredirecturl check if redirect url is valid if parsed.scheme != "" or parsed.netloc != "": logger.warning f"Got an invalid...
Cross-site Scripting (XSS) - Stored in Space Name
Description Cross-site Scripting XSS - Stored in space name. Because the space name is not HTML encoded, the "Confirm action" modal pops up, then the script is executed. Proof of Concept Step 1: Create a new Space and fill in the name with this payload: "alert1. Step 2: Send an invite to the victim then save. Ste...
Bypassing SVG content cleaning lead to Stored XSS
Description The application is accepting SVG files as an image and applies sanitization on the SVG content to avoid XSS attacks using the following snippet of code php else if $ext === 'svg' if isfile$filePath $sanitizer = new \enshrined\svgSanitize\Sanitizer; // Load the dirty svg $dirtySVG =...
Integer Overflow in function lsr_translate_coords
Description Integer Overflow in function lsr_translate_coords at laser/lsr_dec.c:853 gpac version git log commit ea3af7c8242d1a82657dc3a518df5a5b1b5e27ed HEAD -> master, origin/master, origin/HEAD Author: Romain Bouqueau Date: Tue Jun 28 19:25:58 2022 +0200 POC ./MP4Box -bt ./pocintof1s.dat...
Heap Use After Free in function Q_IsTypeOn
Description Heap Use After Free in function Q_IsTypeOn at src/bifs/unquantize.c:169 gpac version git log commit ea3af7c8242d1a82657dc3a518df5a5b1b5e27ed HEAD -> master, origin/master, origin/HEAD Author: Romain Bouqueau Date: Tue Jun 28 19:25:58 2022 +0200 POC ./MP4Box -bt ./pochuaf1s.dat...
Heap Use After Free in function ex_diffgetput
Description Heap Use After Free in function ex_diffgetput at diff.c:2790 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD -> master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf3s.dat -c :qa!...
Stack-based Buffer Overflow in function spell_dump_compl
Description Stack-based Buffer Overflow in function spell_dump_compl at spell.c:4038 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD -> master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocsbo1s.dat -c :qa!...
Integer Overflow in function del_typebuf
Description Integer Overflow in function del_typebuf at getchar.c:1204 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD -> master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocintof1s.dat -c :qa!...
Out-of-bounds Read in function ins_bytes
Description Out-of-bounds Read in function ins_bytes at change.c:968 vim version git log commit 9610f94510220c783328e1857af87a6ae7bc20b4 HEAD -> master, tag: v9.0.0014, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocobr4s.dat -c :qa!...
Heap-based Buffer Overflow in function utfc_ptr2len
Description Heap-based Buffer Overflow in function utfc_ptr2len at mbyte.c:2113 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD -> master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbor3s.dat -c :qa!...
Inefficient Regular Expression Complexity potentially leads to Denial of Service in
Description Inefficient regular expression complexity of the lowercase and uppercase regex could lead to a denial of service attack. With a formed payload 'a' + 'a'.repeat(i) + 'A', an only 32 characters payload could take 29443 ms execution time when testing lowercase. The same issue happens with...
Heap-based buffer overflow in function inc
Description Heap-based buffer overflow in function inc at misc2.c:344 Version commit 8eba2bd291b347e3008aa9e565652d51ad638cfa HEAD, tag: v8.2.5151 Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc80min3 -c :qa! ==6151== Memcheck, a memo...
Failure to invalidate session after password change
Description The application does not invalidate the session after the password is changed, which can enable an attacker to continue using the compromised session. Proof of Concept 1. Login to the same account in two different browsers https://demo.bigbluebutton.org/gl 2. Change password in the 1st browser a...