4072 matches found
NDIS Packet Buffer Overflow Due To Allocation/Copy Inconsistencies
Description Reading driver source code is a challenge because despite things appearing to be a vulnerability, there might be a single overlooked comment in MSDN's documentation for an obscure function that ensures that something isn't a vulnerability - in light of this challenge, I'm going to wal...
Heap-based Buffer Overflow in function utf_ptr2char
Description Heap-based Buffer Overflow in function utfptr2char at mbyte.c:1794 vim version git log commit e366ed4f2c6fa8cb663f1b9599b39d57ddbd8a2a HEAD - master, tag: v8.2.5136, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pochbo3s.dat -c...
Username can be enumerated by password reset endpoint
Description The error message on /password/reset/1 can indicate whether the username exists in the instance. I believe this is a valid issue for the following reason: 1. /password/reset after submitting the username on this page, the server always returns success no matter whether the username...
UI Redressing
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept 1. Go to this URL:...
Cross-site Scripting (XSS) - Stored
Description Titra is vulnerable to Stored XSS in the Task field when creating a new task in a project. Steps to reproduce 1.In the Overview tab, click on New project button. 2.Enter a project name and click Save. 3.Move to the Tasks tab in that project and click on New Task button. 4.In the Task...
NULL Pointer Dereference in function _appendStartNsEvents
Description NULL Pointer Dereference in function vimappendStartNsEvents at src/lxml/iterparse.pxi:435 allows attackers to cause a denial of service or application crash. Proof of Concept python from io import StringIO from lxml import etree firstinput = """ """ secondinput = """ """ def...
Lack of Character Limit in Notes Sections Leads to Denial of Service
Description The InvenTree application allows for the inclusion of notes for various objects in the application. The notes functionality does not include a character limit. An attacker can submit an infinite number of characters into the notes section, which causes a denial of service and increase...
Password Reset Allows For User Email Enumeration
Description The password reset function at the login page responds to valid and invalid emails in the application. Submitting an invalid email result in "The e-mail address is not assigned to any user account." A valid response results in a message stating an email has been sent. Proof of Concept...
Privilege Escalation via edit response body
Description Recently, i found a business logic vulnerabity and this vulnerability allow reader user perform privilege escalation on allaccess user. Because before user perform any function, client-side will perform OPTIONS request to view user permission with specify function via response body. I...
Reflected XSS on /editor_tools/module
Description Reflected XSS with filter bypass on /editortools/module using type= parameter. Proof of Concept https://demo.microweber.org/demo/editortools/module?type="alert"xss" The value of the "type" parameter is injected into the source code of the page at line 38. Since the value of the "type"...
SSRF via Improper Input Validation
Description Hostname is not detected because of improper handling of username and password. Based on real cases Proof of Concept shell ❯ node -e 'const parseUrl = require"parse-url"; console.logparseUrl"http://google:com:@@localhost"' protocols: 'http' , protocol: 'http', port: null, resource:...
Improper Access Control in Crabtyper API
Description The API program allows any user to create languages and snippets, as well as delete them. This allows a malicious actor to add offensive snippets which could appear to any user, and also allows anyone to completely take down the service by removing all snippets. This is due to...
Disabling Account Multi Factor Authentication (MFA) Does Not Require Authenticator Token or Credentials
Description The application does not require a valid MFA authenticator token, user credentials, or other mechanism to disable MFA on an account. Proof of Concept 1. In an account with MFA enabled, go to User Settings 2. Click on Remove multifactor 3. Select the response when the window pops up 4...
InvenTree Deploys a Weak Password Change Mechanism
Description When setting a new user password, InvenTree does not require knowledge of the original password or using another form of authentication. Proof of Concept 1. Log in as a regular user 2. Go to the account settings link 3. Select Set Password 4. Enter any 8-character password string this...
Inefficient Regular Expression Complexity potentially leads to Denial of Service
Description Inefficient Regular Expression Complexity of url regex could lead to a denial of service attack. This report bypasses the fix in issue 300 by a well-formed payload '//a.b' + 'c1'.repeati + 'a'. With only 36 characters payload could take 18672 ms time execution. Proof of Concept js //...
The NocoDB application allows large characters to insert in the input field "New Project" on the create field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
Proof of Concept Go to http://localhost:8080/dashboard//projects Click on New project and create Fill the "Enter project name" field with huge characters, more than 1 lakh Copy the below payload and put it in the input fields and click on continue. You will see the application accepts large...
Heap-based Buffer Overflow in function get_lisp_indent
Description Heap-based Buffer Overflow in function getlispindent at indent.c:1994 vim version git log commit 83497f875881973df772cc4cc593766345df6c4a HEAD - master, tag: v8.2.5105, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pochbo2s.dat -...
Memory leaks in function vim_strsave
Description Memory leaks in function vimstrsave at strings.c:27 vim version git log commit 83497f875881973df772cc4cc593766345df6c4a HEAD - master, tag: v8.2.5105, origin/master, origin/HEAD POC root@fuzz-vm0-187:/home/fuzz/fuzz/vim/afl/src ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Buffer Over-read in function current_quote
Description Buffer Over-read in function currentquote at textobject.c:1801 vim version git log commit 83497f875881973df772cc4cc593766345df6c4a HEAD - master, tag: v8.2.5105, origin/master, origin/HEAD POC root@fuzz-vm0-187:/home/fuzz/fuzz/vim/afl/src ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Out-of-bounds Read in function suggest_trie_walk
Description Out-of-bounds Read in function suggesttriewalk at spellsuggest.c:1437 vim version git log commit 83497f875881973df772cc4cc593766345df6c4a HEAD - master, tag: v8.2.5105, origin/master, origin/HEAD POC root@fuzz-vm0-187:/home/fuzz/fuzz/vim/afl/src ./vim -u NONE -i NONE -n -m -X -Z -e -s...
Out-of-bounds write in function vim_regsub_both
Description Out-of-bounds write in function vimregsubboth at regexp.c:1973 vim version git log commit 83497f875881973df772cc4cc593766345df6c4a HEAD - master, tag: v8.2.5105, origin/master, origin/HEAD POC root@fuzz-vm0-187:/home/fuzz/fuzz/vim/afl/src ./vim -u NONE -i NONE -n -m -X -Z -e -s -S...
Cross site Scripting By injecting iframe
Description Cross site scripting using iframe Proof of Concept 1.Goto https://demo.inventree.org/company/manufacturers/ 2.Create new Manufracturer 3.In Add notes Section add this payload and save 4.Visit this address https://demo.inventree.org/company/ID POC :- Visit this url...
Possible prototype pollution in Schema.path
Description Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows...
curl_auth not cleared on downgrade
Description Guzzle recently fixed a vulnerability related to "Authorization" handling on downgrade here - https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q. However, there also exists another code path, for which Guzzle uses a Authorization header located when it uses diges...
SSRF via Import URL
Description While importing CSV and Excel file via an URL, the server does not validate requests properly that's how the attacker can able to make requests to internal servers and access the contents. Proof of Concept 1. Go to any project 2. From Dashboard, click on Add / Import CSV or Microsoft...
Forward credential header to attacker host
Description Some Admins set the "Authorization" header with the help of a reverse proxy to restrict initial access to the Drawio application server. In this kind of setup, the "Authorization" header should always be sent to the reverse proxy, and the reverse proxy will forward it to Drawio But Th...
Multiple user creation with the same email Id via existing verification bypass
Hello team, while i was checking on the nakama dashboard as an Administrator i noticed that we can bypass the existing verification and create multiple user with same email id Steps to reproduce: 1. Open the dashboard as an adminuser and go to the user management form http://site.com//users 2...
Stored Cross-site Scripting (XSS) via SVG file upload in courses.
Description An attacker can upload and store a malicious SVG file in work forms and execute client side JavaScript code when opened. Replication Steps and Proof of Concept We create a file named file.svg containing the following: // We upload the file in an active work assignment inside any cours...
Allows large characters in change password filling
Description The titra application allows large characters to insert in the input field "password" at password change feature which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Login and go to profile or https://app.titra.io/profile 2. Using...
Allows large characters in password filling
Description The titra application allows large characters to insert in the input field "password" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1. Register a new account or go to https://app.titra.io/join?email= 2. Fill a normal email, fil...
Weak Password Policy
Description You can change your password in profile to a weak password. Proof of Concept 1. Login and go to your Profile 2. Use the password change feature or https://app.titra.io/changePwd 3. Enter your current password, fill the "Password" and "Password again" with 1 You can see your password h...
Generation of Error Message Containing Sensitive Information
Description The software generates an error message that includes sensitive information about its environment, users, or associated data. Proof of Concept 1. The forgot password feature will tell you whether or not a username exists which is a vulnerability since it can be paired with the lack of...
Stored XSS in Supplier Company Name
Description The application inventree is vulnerable to Stored XSS in supplier company name field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/1KDrwbWkftO-cNrd-4XSoNh27Z3vqiMR/view?usp=sharing...
Stored XSS in Supplier Company Description
Description The application inventree is vulnerable to Stored XSS in supplier company description field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/115LLo4rxW7RzWd7hevbSFAlf-V83OUhU/view?usp=sharing...
Stored XSS in Customer Company Description
Description The application inventree is vulnerable to Stored XSS in customer company description field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/19l7W3MMeTdhQzroutdDBBIdIVLGhQtw1/view?usp=sharing...
Stored XSS in Customer Company Name
Description The application inventree is vulnerable to Stored XSS in customer company name field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/11tKQzqKFobDEuqigsQYIdQhMnqSLIBsi/view?usp=sharing...
Weak policy at Change password function
Description We can register an normal account with = 8 characters password. But we ccan change password with just 1 character when we use change password function Proof of Concept https://drive.google.com/file/d/1D-IDqrMiaBGLnZaZY9L3u-S4u-MoGxPc/view?usp=sharing...
A stored XSS in dolibarr/htdocs/admin/accountant.php
Description I found a stored XSS in the admin/accountant.php, the field town, name, Accountant code can escape the double quote. In the path 'dolibarr/htdocs/main.inc.php' has a WAF, we can not inject any the javascript onxxx event. However, in the path...
Stored Cross-Site Scripting
Description A stored cross-site scripting vulnerability exists within the Gallery View comments functionality. Replication Steps and PoC Preconditions PC1. A project exists. PC2. A table with a sheet containing data exists in the project. PC3. A gallery view exists. PC4. A user with the editor ro...
Cross Site Scripting via Improper Input Validation
Description The parse-url The 5.0.8 version of the parser does not check :// character between protocols. This causes spoofing of the javascript protocol itself. Additionally, protocol spoofing does not occur in url-parse, new URL, and url.parse other than parse-url. Proof of Concept const parseU...
Unrestricted File Upload in Part Attachment
Description The application inventree allows users to upload any file in part attachment allowing attacker to render files such as HTML in the browser. Proof of Concept Video PoC Link: https://drive.google.com/file/d/1vurBkHegeYCwbXopE5Yhyb702rYgG9FM/view?usp=sharing...
Formula Injection Part Description
Description Formula Injection/CSV Injection in inventree due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept Video PoC link: https://drive.google.com/file/d/1mfBTUDS1iZ4uJfBpc568WgpdZdN5f/view?usp=sharing...
Stored XSS in Part Revision
Description The application inventree is vulnerable to Stored XSS in part revision field. Proof of Concept Video PoC Link: https://drive.google.com/file/d/1ZobGHiFXbhPG0agsH8mcg8VMsrjSuUP/view?usp=sharing...
Stored XSS in Part IPN
Description The application inventree is vulnerable to Stored XSS in part IPN field. Proof of Concept Video PoC link: https://drive.google.com/file/d/1HEy7XS89FlzVSPFGilowBrBDMPAfCs/view?usp=sharing...
Stored XSS in Part Parameter
Description The application inventree is vulnerable to Stored XSS in part parameter field. Proof of Concept Video PoC link: https://drive.google.com/file/d/19MiGIB3Q1VzdmMBttCKiEtFKR34z-2/view?usp=sharing...
Stored XSS in Part Description
Description The application inventree is vulnerable to Stored XSS in part description field. Proof of Concept Video PoC link: https://drive.google.com/file/d/1ZFgWiVpalxZ8zGeDrErezjZCQjB3VP-w/view?usp=sharing...
heap-buffer-overflow in dex_parse
Description There exists a heap based out of bounds read vulnerability in dexparse c setinteger yrle16tohmapitem-type, dex-object, "maplist.mapitem%i.type", i; Reproduction Build the fuzz target with address sanitizer enabled + optional libfuzzer and run the test case from here $ git rev-parse HE...
Chatwoot's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks
Description Chatwoot relies on the rackattack.rb file to defend the application against various brute force attacks. The Chatwoot application fails to prevent brute force attacks against the listed paths when strings are appended to the end of POST directory names. Some protection still exists,...
Sensitive header uncleared on same-host, cross-port redirect
Description Sensitive headers are uncleared on cross-port redirect Proof of Concept poc.php 'http://10.0.2.4', ;...
Reflected XSS in param 'activetab' and param 'code'
Description We can insert XSS payload at http://localhost/facturascripts/ListAlbaranProveedor, the 'activetab' parameter. Proof of Concept GET...