Lucene search
K

4072 matches found

Huntr
Huntr
added 2022/07/12 7:7 a.m.111 views

Email Verification Bypass Leads To Account Takeover

Hello maintainer, i noticed that there is no ratelimit protetcion on https://book.dansmonorage.blue/confirm-email endpoint, so we can perform bruteforce attack Steps to reproduce: 1. Create a acount with victims email id 2. When the account is created, its ask for email confirmation via...

7.5CVSS0.9AI score0.11382EPSS
Exploits4
Huntr
Huntr
added 2022/07/12 4:18 a.m.30 views

Account Takeover

Hello team, while i was testing on https://book.dansmonorage.blue/login i noticed that there is no ratelimit protection on POST login form, so an attacker can takeover the account by brute forcing the password field Steps to reproduce: 1. go to https://book.dansmonorage.blue/login 2. Enter...

7.5CVSS7.3AI score0.01357EPSS
Exploits1
Huntr
Huntr
added 2022/07/11 4:6 p.m.6 views

Accept weak password in reset-password function

Description Step to reproduce: 1. Go to https://book.dansmonorage.blue/password-reset. 2. Type your email and recieve reset password link. 3. Enter a as new password and success. Proof of Concept POST /password-reset/D4VUXDL5 HTTP/2 Host: book.dansmonorage.blue Cookie:...

0.4AI score
Exploits0References1
Huntr
Huntr
added 2022/07/11 3:37 p.m.194 views

Open redirect when login successfully

Description Open redirect when login successfully via next parameter Proof of Concept POST /login?next=https://www.google.com/open-redirect HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=EUjtgvt3A20lSHYbTxBvfAxQi5gNHHzeI7Bda1HOGnWCioMA6cwQqYWXv8ONog4k User-Agent: Mozilla/5.0 Windows NT 10....

1.9AI score
Exploits0References1
Huntr
Huntr
added 2022/07/11 9:6 a.m.14 views

Cross-Site Request Forgery (CSRF)

Description An attacker is able to download data from a user via the CSV Export function. The export will include all the books on your shelves, books you have reviewed, and books with reading activity. Vulnerable URL https://bookwyrm.social/preferences/export/file Proof of Concept...

0.9AI score
Exploits0
Huntr
Huntr
added 2022/07/11 3:51 a.m.19 views

Weak policy at Change password function

Description BookWyrm uses weak password policy when allows user to change password with just 1 character through the change password function. Steps to reproduce 1.Login then go to the Change password page https://book.dansmonorage.blue/preferences/password 2.Enter a character for example: 1 in t...

0.2AI score
Exploits0
Huntr
Huntr
added 2022/07/09 7:40 p.m.16 views

Weak Password Change Mechanism

Description When setting a new user password it does not require knowledge of the original password Current password not required Proof of Concept 1. Log in as a regular user 2. Navigate: https://book.dansmonorage.blue/preferences/password 3. Enter any password string...

7.2AI score
Exploits0References2
Huntr
Huntr
added 2022/07/09 5:47 p.m.11 views

Business logic error: Not able to access newly created admin account with the username admin with the password

Hello team, recently I found that I'm able to create dual admin via the same username, by creating a dual admin account we maybe not be able login the newly created admin user-named account. 2. For example, the default username and password of nakama dashboard will be admin & password 3. After...

0.7AI score
Exploits0References1
Huntr
Huntr
added 2022/07/09 3:40 p.m.19 views

Stored XSS in

Description Hello, I have found that an XSS payload has been executed in the name of note field, and I wanted to make a report about it, just please note that in the Occurrences I left it empty because I don't know anything about it, and please see the video attached in POC to know more about it...

3.5CVSS4.6AI score0.0039EPSS
Exploits1
Huntr
Huntr
added 2022/07/08 5:16 p.m.53 views

Bypass IP detection to brute-force password

Description In login API, by default, the IP address will be blocked when the user tries to login incorrectly more than 5 times but we can bypass this mechanism by abuse X-Forwarded-For header to bypass IP dectection and perform password brute-force. Proof of Concept POST /demo/api/userlogin...

7.5CVSS0.6AI score0.0092EPSS
Exploits1References1
Huntr
Huntr
added 2022/07/08 3:57 p.m.32 views

Heap-based buffer overflow in function vim_iswordp_buf

Description Heap-based buffer overflow in function vimiswordpbuf at charset.c:835 Version commit fee0c4aa99eb0a7a801dade758ce5e04b48c15d1 HEAD - master, origin/master, origin/HEAD Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc196min ...

4.4CVSS0.2AI score0.00474EPSS
Exploits1
Huntr
Huntr
added 2022/07/07 5:34 p.m.19 views

Application allows large characters to insert in the input field "Add new table" on the create field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in

Proof of Concept Go to http://localhost:8080/dashboard//projects Select any created project and go to the project section. Click on the "ADD/IMPORT" section and click on "add new table" Create Fill the "table name" field with huge characters, more than 1 lakh Copy the below payload and put it in...

4.3CVSS6.8AI score0.04498EPSS
Exploits1References1
Huntr
Huntr
added 2022/07/07 4:56 p.m.49 views

Cross-site scripting - DOM

Description DOM XSS with filter bypass on /demo/module/ using type parameter without authentication. Proof of Concept...

4.3CVSS0.7AI score0.00451EPSS
Exploits1References1
Huntr
Huntr
added 2022/07/06 4:38 p.m.39 views

Heap-based buffer overflow in function ins_compl_add

Description Heap-based buffer overflow in function inscompladd at insexpand.c:751 Version commit b8329db36a886355e6e9cb9986a3668fef78c438 HEAD - master, tag: v9.0.0044 Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc42min -c :qa!...

6.8CVSS0.01225EPSS
Exploits1
Huntr
Huntr
added 2022/07/06 3:11 p.m.23 views

Stored XSS via SVG File

Description By uploading SVG files, the users can perform Stored XSS attack. Payload Copy the following code and save as filename.svg. alertdocument.domain Proof of Concept 1 Login as admin. 2 upload the payload injected SVG file at...

4.3CVSS5.1AI score0.00557EPSS
Exploits1
Huntr
Huntr
added 2022/07/06 2:38 p.m.11 views

Improperly Configured rack_attack.rb does not prevent rate limit attacks

Description The lobsters repository depends upon rackattack.rb to prevent rate limit attacks against the /login or the /login/setnewpassword endpoint, allowing for only 4 requests in a minute. However, this can be bypassed by simply appending some strings like /login.turtles to the endpoint. Proo...

1AI score
Exploits0References3
Huntr
Huntr
added 2022/07/06 8:55 a.m.28 views

No Rate Limit On Reset Password Page

Description I have identified that when Reset Password for account , the request has no rate limit which then can be used to loop through one request. This can annoy to the root users sending mass password to one email. A rate limiting algorithm is used to check if the user session or IP-address...

7.4AI score
Exploits0
Huntr
Huntr
added 2022/07/06 5:20 a.m.28 views

Heap-based Buffer Overflow in function ins_compl_add

Description Heap-based Buffer Overflow in function inscompladd at insexpand.c:751 vim version git log commit 324478037923feef1eb8a771648e38ade9e5e05a HEAD - master, tag: v9.0.0042, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbor4s.dat -c :qa!...

6.8CVSS7.7AI score0.01302EPSS
Exploits1
Huntr
Huntr
added 2022/07/06 5:1 a.m.10 views

Cross-Site Request Forgery (CSRF)

Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit;...

1.9AI score
Exploits0
Huntr
Huntr
added 2022/07/06 2:15 a.m.32 views

Out-of-bounds Read in function utf_ptr2char

Description Out-of-bounds Read in function utfptr2char at mbyte.c:1794 vim version git log commit 324478037923feef1eb8a771648e38ade9e5e05a HEAD - master, tag: v9.0.0042, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocobr5s.dat -c :qa!...

4.4CVSS7.6AI score0.00481EPSS
Exploits1
Huntr
Huntr
added 2022/07/06 2:3 a.m.14 views

Email enumeration via Reset password page

Description Through the Reset password page, an attacker can know that if an email exists or not; just by observing the notification in the response page. So, once the attacker knows that an email exists, he can launch a brute force attack against it. If an email exists: The notification will be ...

0.2AI score
Exploits0
Huntr
Huntr
added 2022/07/06 2:0 a.m.32 views

Heap Use After Free in function skipwhite

Description Heap Use After Free in function skipwhite at charset.c:1428 vim version git log commit 324478037923feef1eb8a771648e38ade9e5e05a HEAD - master, tag: v9.0.0042, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf4s.dat -c :qa!...

6.8CVSS0.6AI score0.01207EPSS
Exploits1
Huntr
Huntr
added 2022/07/05 8:43 p.m.12 views

Insufficiently complex hash function used in `useFetch` means return data cannot be trusted

Description The useFetch function uses the ohash library to key requests. This hash function outputs a 32 bit number. Finding a collision for this function is easy. In a situation where useFetch is called more than once, any call after the first that contains untrusted input into any argument is...

6.8AI score
Exploits0References1
Huntr
Huntr
added 2022/07/05 9:46 a.m.11 views

Password Reset Allows For User Email Enumeration

Description The password reset function at the login page responds to valid and invalid emails in the application. Submitting an invalid email result in "The e-mail address is not assigned to any user account." A valid response results in a message stating an email has been sent. Proof of Concept...

0.7AI score
Exploits0References2
Huntr
Huntr
added 2022/07/05 9:41 a.m.5 views

Allows large characters in change password

Description The commafeedapplication allows large characters to insert in the input field "password" at password change feature which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Login and go to profile 2. Go to password change feature 3. Fi...

1.6AI score
Exploits0References3
Huntr
Huntr
added 2022/07/05 9:38 a.m.10 views

Allows large characters in password filling

Description The commafeedapplication allows large characters to insert in the input field "password" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Register a new account. 2. Fill a normal email, fill the "Password" and "Password agian"...

2AI score
Exploits0References3
Huntr
Huntr
added 2022/07/05 9:35 a.m.11 views

Weak Password Change Mechanism

Description When setting a new user password, commafeeddoes not require knowledge of the original password or using another form of authentication. Proof of Concept 1. Log in as a regular user 2. Go to the profile settings link 3. Select Set Password 4. Enter any 6-character password string this...

1.6AI score
Exploits0References3
Huntr
Huntr
added 2022/07/05 9:30 a.m.22 views

Weak Password Policy

Description This application commafeed is using a weak password policy. Acunetix was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all...

1.1AI score
Exploits0References2
Huntr
Huntr
added 2022/07/05 9:2 a.m.9 views

UI REDRESSING

Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept Go to this URL:...

0.6AI score
Exploits0References2
Huntr
Huntr
added 2022/07/05 4:2 a.m.76 views

Inefficient Regular Expression Complexity

Description Inefficient regular expression complexity regex when trying to match Potentially Trustworthy could lead to a denial of service attack. With a formed payload 'http://' + 'a.a.'.repeati + 'a', 76 characters payload could take 42642 ms time execution. Proof of Concept // PoC.js import...

2.6CVSS1.5AI score0.01104EPSS
Exploits1References2
Huntr
Huntr
added 2022/07/04 7:11 p.m.65 views

Mutation Stored XSS at homepage

Description bookwyrm HTML input sanitizer is vulnerable to Mutation XSS. The payload could be stored and displayed on the homepage of the website path /feed or /discovery making it widely affects all users and the main website. Proof of Concept Edit a book description: // PoC Access to the /feed...

4.3CVSS6.3AI score0.0054EPSS
Exploits0References2
Huntr
Huntr
added 2022/07/04 6:32 p.m.10 views

Improper Link Input Validation leads to Cross-site Scripting (XSS)

Description The link input validation is not filtered protocol javascript of href attribute. It allows attackers to inject malicious links to many fields of the website, such as author introduction, user summary, and book description, ... which could execute javascript code XSS. Proof of Concept...

0.7AI score
Exploits0
Huntr
Huntr
added 2022/07/04 5:32 p.m.11 views

Improper handling of parameter lead to listing any directory

Description In file-manager/list API, the server does not handling path parameters properly lead to allow listing any directory. To exploit, use double URL encoding to bypass filter. Proof of Concept GET /demo/api/file-manager/list?path=%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/...

0.8AI score
Exploits0
Huntr
Huntr
added 2022/07/04 2:33 p.m.27 views

Stored Cross-site Scripting (XSS) leads to Account Takeover

🔒️ Requirements - Be able to edit or create documents. - Click of a user on the link. 📝 Description The markdown's link creation feature does not properly sanitize url input, which allows to use error event to execute javascript. Furthermore, due to a lack of HttpOnly flag on sessions cookie, it i...

3.5CVSS5.9AI score0.0065EPSS
Exploits1
Huntr
Huntr
added 2022/07/04 10:37 a.m.8 views

Regular Expression Denial of Service (ReDoS)

Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in parse-url. It allows cause a denial of service when calling function parse-url. The ReDoS vulnerability is mainly due to the regex /git@|https?://\w.@+/|:,\w,-,,/+.git0,1/0,1/ and can be...

3.4AI score
Exploits0
Huntr
Huntr
added 2022/07/03 2:22 p.m.20 views

Idor Lead to Delete exported data file

Description In this case attacker is able to delete requested export data file Steps to repro:- 1.Create 2 accounts 2.Login in both account and goto export section and create new export in both account 3.Delete acc1's exported file and capture this request in burp suite and change the id of this...

1AI score
Exploits0References1
Huntr
Huntr
added 2022/07/03 10:30 a.m.6 views

Multiple Stored XSS

✍️ Description The persistent or stored XSS vulnerability is a more devastating variant of a cross-site scripting flaw, it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular...

3.8AI score
Exploits0
Huntr
Huntr
added 2022/07/03 4:13 a.m.17 views

Documents in trash accessible by Viewer role

Description Once a document is archived or deletec, there is no way to access it through the UI or the Document link. But, the API gives the file information and content. This is same with archived files. Proof of Concept 1. Give a user Viewer role. 2. Visit https://your.getoutline.com/trash or...

0.3AI score
Exploits0
Huntr
Huntr
added 2022/07/02 8:58 p.m.24 views

Reflected XSS in Username

Description If a regular user's username is set to a XSS payload, and then that same XSS payload is placed in the q query parameter of /scp/ajax.php/users/local, then reflected XSS is achieved. This XSS can lead to complete takeover of the osTicket instance. Proof of Concept Set a user's username...

4.9CVSS5.7AI score0.00673EPSS
Exploits1
Huntr
Huntr
added 2022/07/02 4:58 p.m.14 views

Stored XSS in profile settings.

Description Stored XSS via "Website" box in Profile Settings. Proof of Concept Go to profile settings, put the following payload in the "website" box : google.com" Save, and see the xss triggered !...

1.6AI score
Exploits0
Huntr
Huntr
added 2022/07/02 4:28 p.m.17 views

Cross-site scripting - Stored via upload ".xlr" file

Description In file upload function, the server allow upload .xlr file with contain some javascript code lead to XSS. Proof of Concept REQUEST POST /demo/plupload HTTP/1.1 Host: demo.microweber.org Cookie: laravelsession=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb;...

0.1AI score
Exploits0References1
Huntr
Huntr
added 2022/07/02 4:15 p.m.30 views

Cross-site scripting - Stored via upload ".pages" file

Description In file upload function, the server allow upload .pages file with contain some javascript code lead to XSS. Proof of Concept REQUEST: POST /demo/plupload HTTP/1.1 Host: demo.microweber.org Cookie: laravelsession=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb;...

3.5CVSS0.1AI score0.005EPSS
Exploits1References1
Huntr
Huntr
added 2022/07/02 3:56 p.m.22 views

Hiperlink injection in email

BUG ========= Hiperlink injection in email SUMMURY ============= There is no character length limit in user fullname . So, user can set fullname to large number character and also can put link url . DETAILS =============== 1. goto admin account profile and change fullname to bellow Hi, You have...

0.3AI score
Exploits0
Huntr
Huntr
added 2022/07/02 2:3 p.m.11 views

Stored XSS via Editing config

Description Hello, I'm reporting several Stored XSS vulnerabilities in same report because huntr.dev now want us to do this. Please consider the vulnerabilities independently. Vuln one : It's possible to inject javascript code in "URL of your FAQ" parameter in admin's edit config form. The...

0.1AI score
Exploits0
Huntr
Huntr
added 2022/07/02 6:53 a.m.9 views

Cross Site Scripting via Improper Input Validation (parser differential)

Description I find that parse-url parses the following URL incorrectly and identifies protocol as ssh: javascript://n.com:-4294967297/?ab=--2509999973799371216494http://user:passser:[email protected]:-4294967297/?a /parseurlfuzz$ node -e 'const parseUrl = require"parse-url";...

0.2AI score
Exploits0
Huntr
Huntr
added 2022/07/01 9:28 p.m.11 views

unprivileged user can get document details

Description unprivileged user can see document details of any document . Proof of Concept 1. From admin account add a new user called user-B as member role .\ \ 2. Now from admin account create a private collection and dont share it with any member .Set bellow permisiion for this collection...

0.1AI score
Exploits0
Huntr
Huntr
added 2022/07/01 7:25 p.m.9 views

xss via svg file

Description xss via svg file Proof of Concept 1. goto your account and create a document under a collection .\ 2. Now edit this document and upload bellow svg file in this document content as image filename--evil.svg alert'Thais app is probably vulnerable to XSS attackss!'; 3. after upload open...

0.4AI score
Exploits0
Huntr
Huntr
added 2022/07/01 6:42 p.m.29 views

Full Read Server-Side Request Forgery (SSRF)

🔒️ Requirements Privileges: None. 📝 Description The avatarUrl post parameter from /api/users.update and /api/teams.update api endpoint isn't sanitize and permit to get a full read SSRF exploitation. When updating user's or team's avatar, even if from client side we can only change it by uploading...

6.9AI score
Exploits0
Huntr
Huntr
added 2022/07/01 6:26 p.m.15 views

user can get document content even after removed

Description Admin can add a member to his personal collection .But if admin removed that user from this collection then that user still can see realtime document update content. Proof of Concept 1. From admin account invite user-B as member role .\ \ 2. From admin account create a private...

0.8AI score
Exploits0
Huntr
Huntr
added 2022/07/01 4:47 a.m.16 views

Uncontrolled Memory Allocation in function lodepng_realloc

Description Uncontrolled Memory Allocation in function lodepngrealloc at lodepng/lodepng.c:86 Version git log commit 06bb36ae2c9b9074e9736a2e25845a2e789cc4e6 HEAD - master, origin/master, origin/HEAD Author: Hans Petter Jansson Date: Fri Jul 1 01:06:00 2022 +0200 POC ./tools/chafa/chafa...

1.6AI score
Exploits0
Total number of security vulnerabilities4072