4072 matches found
File Protocol Spoofing
Description parse-url misinterpreting the file:// protocol when trying to match git urls. The following payload is certainly valid file protocol but is interpreted as ssh protocol. file:///etc/passwd?http://a:1:1 Proof of Concept // PoC.js const fs = require'fs'; var parseURL = require"parse-url"...
Open Redirect
📝 Description The redirect get variable in login page isn't properly checked. Currently, it check if url.scheme and url.netloc are empty using urllib. py parsed = urlparseredirecturl check if redirect url is valid if parsed.scheme != "" or parsed.netloc != "": logger.warning f"Got an invalid...
Cross-site Scripting (XSS) - Stored in Space Name
Description Cross-site Scripting XSS - Stored in space name. Because space name is not HTML encoded, "Confirm action" modal pops up then the script is executed. Proof of Concept Step 1: Create a new Space and fill in name with this payload: "alert1. Step 2: Send an invite to victim then save. Ste...
Bypassing SVG content cleaning lead to Stored XSS
Description the application is accepting SVG files as an image and applies a sanitize on the SVG content to avoid XSS attacks using the following snippet of code php else if $ext === 'svg' if isfile$filePath $sanitizer = new \enshrined\svgSanitize\Sanitizer; // Load the dirty svg $dirtySVG =...
Integer Overflow in function lsr_translate_coords
Description Integer Overflow in function lsrtranslatecoords at laser/lsrdec.c:853 gpac version git log commit ea3af7c8242d1a82657dc3a518df5a5b1b5e27ed HEAD - master, origin/master, origin/HEAD Author: Romain Bouqueau Date: Tue Jun 28 19:25:58 2022 +0200 POC ./MP4Box -bt ./pocintof1s.dat...
Heap Use After Free in function Q_IsTypeOn
Description Heap Use After Free in function QIsTypeOn at src/bifs/unquantize.c:169 gpac version git log commit ea3af7c8242d1a82657dc3a518df5a5b1b5e27ed HEAD - master, origin/master, origin/HEAD Author: Romain Bouqueau Date: Tue Jun 28 19:25:58 2022 +0200 POC ./MP4Box -bt ./pochuaf1s.dat...
Heap Use After Free in function ex_diffgetput
Description Heap Use After Free in function exdiffgetput at diff.c:2790 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD - master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf3s.dat -c :qa!...
Stack-based Buffer Overflow in function spell_dump_compl
Description Stack-based Buffer Overflow in function spelldumpcompl at spell.c:4038 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD - master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocsbo1s.dat -c :qa!...
Integer Overflow in function del_typebuf
Description Integer Overflow in function deltypebuf at getchar.c:1204 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD - master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocintof1s.dat -c :qa!...
Out-of-bounds Read in function ins_bytes
Description Out-of-bounds Read in function insbytes at change.c:968 vim version git log commit 9610f94510220c783328e1857af87a6ae7bc20b4 HEAD - master, tag: v9.0.0014, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocobr4s.dat -c :qa!...
Heap-based Buffer Overflow in function utfc_ptr2len
Description Heap-based Buffer Overflow in function utfcptr2len at mbyte.c:2113 vim version git log commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 HEAD - master, tag: v9.0.0001, origin/master, origin/HEAD POC ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochbor3s.dat -c :qa!...
Inefficient Regular Expression Complexity potentially leads to Denial of Service in
Description Inefficient regular expression complexity of lowercase and uppercase regex could lead to a denial of service attack. With a formed payload 'a' + 'a'.repeati + 'A', only 32 characters payload could take 29443 ms time execution when testing lowercase. The same issue happens with...
Heap-based buffer overflow in function inc
Description Heap-based buffer overflow in function inc at misc2.c:344 Version commit 8eba2bd291b347e3008aa9e565652d51ad638cfa HEAD, tag: v8.2.5151 Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc80min3 -c :qa! ==6151== Memcheck, a memo...
Failure to invalidate session after password change
Description The application does not invalidate session after the password is changed which can enable attacker to continue using the compromised session. Proof of Concept 1Login to the same accounts in two different browsers https://demo.bigbluebutton.org/gl 2Change password in the 1st browser a...
Global overflow in pppdump leads to RCE
Global overflow vulnerability in pppdump A global overflow vulnerability is present in the pppdump utility of the ppp repo which may lead to code execution. Specifically when the -p flag is given for enabling the pppmodeon the pppdump command, a malicious crafted pppdump file can trigger a global...
Bypass open redirect protection
Description I could bypass the open redirect protection on the application after parsing the redirect function using the following payload http://[email protected]/ and the payload with the link in the following...
Arbitrary template creation leading to Authenticated Remote Code Execution
Description Arbitrary File Write Reproduction Steps: 1. As a low privileged user, Create a new recipe and click on the "+" to add a New Asset. 2. Select a file, then proxy the request that will create the asset. 3. Update the values in the POST request to the ones shown below: POST...
Multiple Reflected XSS Vulnerabilities in error handlers
Description Multiple routing error handlers are vulnerable to reflected XSS. Proof of Concept Deploy trilium server and access to these endpoint will execute the alert js function. http://localhost:8080/custom/%3Cscript%3Ealert1%3C/script%3E...
Stored Cross-Site Scripting vulnerability in Recipe Instructions allows Admin session hijacking
Description A low privilege user can insert malicious JavaScript code into the Recipe Instructions which will execute in another person's browser that visits the recipe. Proof of Concept Reproduction Steps: 1. As a lower privileged user login to the Mealie web application. 2. Create a recipe and...
Out-of-bound read in function msg_outtrans_special
Description Out-of-bound read in function msgouttransspecial at message.c:1716 Version commit c101abff4c6756db4f5e740fde289decb9452efa HEAD - master, tag: v8.2.5164 Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc4min2 -c :qa! ==23509=...
Reflected XSS in type url parameter
Description The application has a reflected xss vulnerability in the url parameter type. Proof of Concept // PoC.js var payload = "alertdocument.cookie...
Stored xss in "users name","functions name","storage buckets name" and in "database collections name"
Description Appwrite application allows malicious javascript payload to inject in users name,functions name,storage buckets name and in database collections name which leads to Stored XSS. Proof of Concept 1.Login to the application 2.Go to the "users name","functions name","storage buckets name"...
Threaded Race Condition in Authentication Allows Bypass of Authentication Attempt Restrictions
Description A threaded race condition exists in how the application handles authentication attempts in the application. The application recognizes and protects against single-threaded attempts with a five-attempt lockout function. By increasing threads in an authentication brute force attack it i...
Out-of-bound write in function parse_command_modifiers
Description Out-of-bounds write in function parsecommandmodifiers at exdocmd.c:3123 Version commit c101abff4c6756db4f5e740fde289decb9452efa HEAD - master, tag: v8.2.5164 Proof of Concept guest@elk:/trung$ ./vim3/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc4min -c :qa!...
Reflected XSS in multiple parameters
Testing Environment 1. Windows OS 2. Firefox Browser Vulnerable URLs ----...
Command Injection:
Description cookiecutter is a command-line utility that creates projects from cookiecutters. Affected versions of this package are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg...
Out-of-bound read data in function suggest_trie_walk() abusing array byts
Description Out-of-bound read data in function suggesttriewalk abusing array byts in line spellsuggest.c:1925 Tested version: v8.2.5166 commit f65cc665fa751bad3ffe75f58ce1251d6695949f HEAD - master, tag: v8.2.5166, origin/master, origin/HEAD Author: Bram Moolenaar Date: Sun Jun 26 18:17:50 2022...
Null pointer dereference in function skipwhite
Description Null pointer dereference in function skipwhite at charset.c:1428 Version commit c101abff4c6756db4f5e740fde289decb9452efa HEAD - master, tag: v8.2.5164 Proof of Concept guest@elk:/trung$ valgrind ./vimlatest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc40min -c :qa! ==32519==...
RCE due to Improper Authorization in 'Add Extension' functionality
Description The application does not properly implement authorization checks in the add extension functionality and allows a low-privileged user to upload extensions. Since no approval/verification is required to create an account in the application, any unauthenticated attacker can create a...
Reflected XSS in "cbSurvey" module
Description Reflected XSS due to bad sanitization of "idstring" parameter in cbSurvey module. Proof of Concept https://demo.corebos.com/index.php?module=cbSurvey&action=cbSurveyAjax&file=MassEdit&mode=ajax&idstring=" onfocus=javascript:alertdocument.domain type=txt autofocus="...
CSRF attack while uploading files on [/plupload] via GET request
Description The application is applying a technique to protect itself from CSRF attacks by sending the CSRF token on the cookies and checking the value on the backend and also check the referer header, the CSRF token is deleted from the cookies if the request comes from another origin and just...
Bypassing CSRF on Multiple Endpoint
Description It's possible to bypass the CSRF protection which is already implemented on the coreBOS CMS. When some request not contain any valid CSRF token, the webpage will be displayed an error like: CSRF Error. The reason this happens is that the page has been open without any interaction for...
Reflected XSS on the Products Modules
Description coreBOS is vulnerable with Reflected XSS on the Products modules. The HTML tag can be escaped with " character and the attacker can be able to perform the Reflected XSS Proof of Concept 1. Login to coreBOS 1. Go to...
Cross-site Scripting (XSS) - Reflected
Description Hi, i found a Reflected XSS vulnerability GET request in /index.php in phoronix test suite, Results tab. Line 45 of index.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. Proof of Concept GET...
Out-of-bound write in function ml_append_int
Description Out-of-bound write in function mlappendint at memline.c:2895 Version commit 8eba2bd291b347e3008aa9e565652d51ad638cfa HEAD, tag: v8.2.5151 Proof of Concept guest@elk:/trung$ valgrind ./vim2/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/guest/trung/poc/poc35min -c ':qa!' ==28900==...
Improper storage of authorization cookie on HTTPs pages
The authorization cookie used by the panel pufferauth is stored in the browser without using HttpOnly or Secure flags on the cookie...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept 1 Go to this URL:...
Improper path sanitization allows remote read of sensitive system resources
In pufferpanel/files.go there is an EnsureAccess method that accepts a source string and prefix argument. This function attempts to validate that the path being requested is within the scope of the server's operating directory. However, there is a logic bug in this function that improperly passes...
Heap-based buffer overflow in function ins_bs
Description Heap-based buffer overflow in function insbs at edit.c:4187 Version commit 8eba2bd291b347e3008aa9e565652d51ad638cfa HEAD, tag: v8.2.5151 Proof of Concept guest@elk:/trung/vim2/src$ valgrind ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/guest/trung/poc/poc24 -c :qa! ==5251== Memchec...
Null pointer dereference in function diff_check
Description Null pointer dereference in function diffcheck at diff.c:1923 Version commit 8eba2bd291b347e3008aa9e565652d51ad638cfa HEAD, tag: v8.2.5151 Proof of Concept guest@elk:/trung/vim2/src$ valgrind ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/guest/trung/poc/poc22 -c :qa! ==4357==...
Cross-site Scripting ( XSS) - Reflected
Description Please enter a description of the vulnerability. File pts-core/phoromatic/publichtml/public.php line 258 of public.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. Proof of Concept GET /test"alert1 HTTP/1.1 Host: localhost:8670...
Out-of-bound read in function msg_outtrans_attr
Description Out-of-bound read in function msgouttransattr at message.c:1551 Version commit 8eba2bd291b347e3008aa9e565652d51ad638cfa HEAD - master, tag: v8.2.5151 Proof of Concept ./vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S pocvim01 -c :qa!...
Zammad's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks
Description Zammad relies on the rackattack.rb file to defend the application against various brute force attacks, including forgotten password requests, ticket submissions, etc. The currently utilized RackAttack.rb file's configuration attempts to prevent password reset requests per IP to 3 per...
Open Redirect
Description The Greenlight end-user interface is vulnerable to Open Redirect vulnerability in Login page due to unchecked the value of returnto cookie. Proof of Concept Original request example POST /gl/u/login HTTP/1.1 Host: demo.bigbluebutton.org Cookie:...
Reflected XSS on /api/module
Description Reflected XSS via filter bypass on /api/module using type= parameter. Proof of Concept https://demo.microweber.org/demo/api/module?type=alert"xss"&liveedit=true&fromurl=test The value of the "type" parameter is injected into the source code of the page at line 63. Since the value of t...
Stored XSS in EditEstadoDocumento
Description In facturascripts/EditEstadoDocumento, the field Icon can be injected an XSS payload into it. Proof of Concept // PoC.js POST /facturascripts/EditEstadoDocumento?code=27&action=save-ok HTTP/1.1 Host: 127.0.0.1 Content-Length: 1224 Cache-Control: max-age=0 sec-ch-ua:...
Mastadon's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks
Description Mastadon relies on the RackAttack.rb file to manage API throttling in the application through the declaration of absolute paths i.e., /auth/signin. By appending random strings of characters to the end of the directory in a POST request it is possible to bypass brute force protections...
UI REDRESSING
Description Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills...
Buffer Over-read in function put_on_cmdline
Description Buffer Over-read in function putoncmdline at exgetln.c:3540 vim version git log commit e366ed4f2c6fa8cb663f1b9599b39d57ddbd8a2a HEAD - master, tag: v8.2.5136, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocbor2s.dat -c :qa!...
Out-of-bounds Read in function get_lisp_indent
Description Out-of-bounds Read in function getlispindent at indent.c:2083 vim version git log commit e366ed4f2c6fa8cb663f1b9599b39d57ddbd8a2a HEAD - master, tag: v8.2.5136, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobr2s.dat -c :qa!...