4072 matches found
Cross-site Scripting (XSS) - Reflected
Description The time parameter in fava is vulnerable to reflected XSS Proof of Concept 1. 1.Open the web browser to access the fava webpage. 2. 2.Access the url:...
Idor Lead to Archive Users
Description In this case a attacker can be able to archive any user of any targeted organization Proof of Concept 1. Attacker create new organization OrgA 2. Attacker add any user to his organization OrgA And archive the user 3. Capture this request in burp suite 4. victim is user of organization...
SSRF via Plugin SMTP
Description The SMTP plugin doesn't have verification or validation, allowing the attacker to make requests to internal servers and get the contents. Reproduce 1. Go to Team & Settings 2. App Store SMTP 3. Configure and intercept Test request 4. Change Host/Port to internal address, example:...
IDOR in Messages function
Description An user can view other users' private messages, join the conversation, delete messages if they know messages uuid Proof of Concept 1. A send B a priavte messages/email 2. C can view messages, join the conversation, delete messages if C know messages uuid...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept Go to this URL:...
stored xss
Description Stored XSS, also known as persistent XSS, is the more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Proof of Concept 1Go to this website: https://titra.io/ 2Click on add Track button 3In the Task field enter...
Reflected XSS in Results tab
Description Please enter a description of the vulnerability. Proof of Concept 1. Install a local instance of phoronix 2. Run a benchmark 3. When the test is complete, for example the result id is xxxxx 4. Acess...
Generation of Error Message Containing Sensitive Information
Description The software generates an error message that includes sensitive information about its environment, users, or associated data. Proof of Concept When logging in, the login page will tell you whether or not a username exists which is a vulnerability since it can be paired with the lack o...
UI Redressing
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept 1. Go to this URL:...
Weak Password Policy
Description This page is using a weak password. Acunetix was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such ...
Account Takeover via Webhook Handlebars + API Reset Password
Description Through the Webhook functionality, the attacker is able to use Handlebars to capture sensitive user data. Capturing the emailverificationtoken, which through the API I found the PasswordForget function, enabling account takeover via password reset. Steps 1. - Create Table 2. - Select...
chafa <= 4bac1466 is vulnerable to an out of bounds read vulnerability.
chafa = 4bac1466 is vulnerable to an out of bounds read vulnerability. Building Build chafa with ASANaddress sanitizer sh $ git rev-parse HEAD 4bac14668535c09f6f47552bbd1566097dab4bf8 $ export CFLAGS="-g -O0 -fsanitize=address"; export CXXFLAGS="-g -O0 -fsanitize=address"; export CC=$which...
Cross Site Scripting via Improper Input Validation
Description The parse-url The 5.0.8 version of the parser does not check url characters between protocols. This causes spoofing of the javascript protocol itself. Proof of Concept javascript const parseUrl = require"parse-url"; const express = require'express'; const app = express; parsed =...
Bypass filter - Stored XSS in Resources
Description Website does incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of concept javaSCRIPTalertorigin Steps to reproduce it works on Firefox not in chromium based browsers 1.Go to...
https://huntr.dev/bounties/582cb14b-b2a8-4064-91c5-b580ff69ba07/ fix bypass; XSS via improper input validation of \t and lone \n character
Description I read this report https://huntr.dev/bounties/582cb14b-b2a8-4064-91c5-b580ff69ba07/ and noticed \t and lone \n is also missing from the filter list in the regex URL replace/\r?\n|\r/gm, "" All instances of \r \n and \t should be cleaned, but the filter list only checks for \r\n or \r...
Run malicious JS code with other kinds of encoding
Description We can Run malicious JS code With special escaping characters for ASCII chars that start with \x and also all Unicodes start with \u, like the followings : CR == \x0d and \u000d LF == \x0a and \u000a TAB == \t and \u0009 and \x09 So there can be many characters that we can't filter al...
Bypass of last fix
Description last fix can be bypass because in this line we should consider the case \r\r or even \r too. Proof of Concept javascript const http = require"http"; const parseUrl = require"parse-url"; const url = parseUrl'jav\r\r\rascript://%0aalert1'; console.logurl const server =...
Client-Side RCE and Stored XSS via Unsafe Deserialization of Diagrams
Description The deserialization mechanism of diagram files is based on an XML like structure. When it is read, internal objects are created and properties on those can be set. Furthermore it allows calling any top-level constructor function and cloning of top level XML/HTML nodes. This has the...
Stored XSS via Deserialization of Stylesheets
Description Diagram files can contain stylesheets which basically consist of key value pairs that influence the appearance of digram elements. When adding a stylesheet mxStylesheet element it is possible to execute JavaScript code when used in combination with the internal include element. Usuall...
use after free in skipwhite
Description When fuzzing vim commit 1d97db3d9 works with latest build and latest commit 3760bfddc per this time of this report, I discovered a use after free. Proof of Concept Here is the minimized poc bash spe!fl norm0z= norm0yy no0 Psvc sil!norm0 norm0 How to build bash LD=lld AS=llvm-as...
Incorrect use of privileged APIs to steal victim's account
Description When user can edit their profile -- Incorrect use of privileged APIs to steal victim's account Proof of Concept 1. Login with hacker's account, get the request when edit profile 2. Replace the endpoint and email with victim's one 3. Send the request. POC video:...
Bypass to Remote Command Execution in uploading repository file
Description I find a bypass for CVE-2022-0415 and previous fixs. In the fix of CVE-2022-0415, gogs filter /.git/ by strings.HasSuffix and strings.Contains. However, use /.Git/ can bypass this and upload successfully Proof of Concept Create a repository in Gogs, upload a file config to the...
Regular Expression Denial of Service (ReDoS)
Description Affected versions of the package are vulnerable to Regular Expression Denial of Service ReDoS attacks for any string input controlled by the user. An attacker can provide a specially crafted input to the default function moment, which nearly matches the pattern being matched. This wil...
buffer size confusion
Description an attempt to write 2000 into a buffer of 10 bytes, while SSLread does not add a zero at the end. Proof of Concept cpp define BUFFSIZE 2000 ... char buf10; SSLreadssl,buf,BUFFSIZE; int virtualIP = atoibuf;...
Failure to strip Authentication header on HTTP downgrade
The Guzzle redirect middleware fails to strip the Authorization header when a redirect downgrades from https to http. The middleware currently only checks if the host has changed...
Cross-site scripting - Reflected XSS caused by error logs in neorazorx/facturascripts
Description There are two fields that can insert the XSS payload by the error log. 1. http://127.0.0.1/facturascripts/EditBalance, the codbalance field 2. http://127.0.0.1/facturascripts/EditSettings, the tipoidfiscal field in Fiscal Id Both fields require 1 and 25 numbers or letters, no spaces,...
Contextual Code Execution
Description The main function uses the eval function which can lead to contextual code execution, allowing an attacker to gain access to a system and execute commands with the privileges of the running program by setting NUITKAPYTHONPATH, NUITKANAMESPACES or NUITKAPTHIMPORTED to a malicious paylo...
Stored XSS in Task field
Description The application Titra is vulnerable to Stored XSS in Task field. Steps To Reproduce 1. Click on add Track button 2. In the Task field enter the payload " 3. click save 4. Now Click on Details 5. XSS will be triggered Image PoC...
Stored XSS in Project Name
Description The application Titra is vulnerable to Stored XSS in Project name field. Steps To Reproduce 1. Click on Edit button 2. Under the Project Name enter the paylaod " 3. Click on save. 4. Now navigate to details the XSS will be triggered. Image PoC...
Insufficient Session Expiration
Description The application NocoDB failed to invalidate the session after changing the password and In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords. Proof of Concept Login same account in two different browsers. Try to change the...
Account takeover due to stored XSS in "Project Title"
Description The Project "Title" of the NocoDB application is vulnerable to stored xss which can leads to admin account takeover. Proof of Concept Login with low privileged users and Click on "New Project" then click on "Create" Now write the payload and again click on "Create" Then login from sup...
Out-of-bounds write in function append_command
Description Out-of-bounds write in function appendcommand at exdocmd.c:3447 vim version git log commit bfaa24f95343af9c058696644375d04e660f1b00 HEAD - master, tag: v8.2.5052, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocobw6s.dat -c :qa!...
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File
Description Formula Injection/CSV Injection in "Task" due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept 1. Click on plus track button 2. Under the task input field enter the payloads =1+1 3. Now enter the work hour as 2 4. Then click on save 5. Now go to details and...
Stored XSS in Name
Description The application Titra is vulnerable to Stored XSS in user's name field. Proof of Concept Go to profile and under the name put the payload " Video POC: https://drive.google.com/file/d/1MHPloy-i2hsxaLuuVn46oUZVpFm6Nywf/view?usp=sharing...
Bypass filter - Stored XSS in Resources
Description Website does incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This fix for this bug https://huntr.dev/bounties/dcf87c0b-6188-4817-8798-ef1e2581b15a/ can be bypassed using bellow payload...
Path Traversal vulnerability on the endpoint '/info/refs'
Summary It seems "gogs" suffers from a Path Traversal which may lead a malicious user to access another legitimate user's git config files or issue a couple of git commands on its behalf. Steps to reproduce and Proof of Concept 1. I created two users sim4n6 and sim4n62. 2. From sim4n6 dashboard...
Unrestricted Upload of File with any dangerous extension
Description Unrestricted Upload of File with any extension Proof of Concept 1. Create a ticket 2. Upload a file with any dangerous extension 3. Intercept the request in Burp Suite, replace the Content-Type with image/jpeg POC video:...
Path traversal leads to arbitrary file deletions and file writes
Description Deploy and run gogs in Windows. Proof of Concept 1.Create a repository in Gogs, upload a file named test to the repository on the web page, The content of the file is as follows: xml 1111 2.The attacker can remove any files. http request: POST...
Stored XSS in Resources
Description Website does incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Steps to reproduce it works on Firefox not in chromium based browsers 1.Go to https://www.rosariosis.org/demonstration/ and login with...
Path Traversal via Files Manager
Description Please enter a description of the vulnerability. Steps to reproduce 1.Login to admin panel and go to Modules - Files http://localhost/microweber/admin/view:modules/loadmodule:files 2.Click any file, the url will have the following format:...
OS Command Injection
Description A OS Command Injection in rancher continuous delivery panel, add repository function Proof of Concept first install a rancher in docker and login. Go to continuous delivery panel and click add repository button.\ set repository url as --upload-pack=$touch /tmp/poc, and click Create...
Weak Password Requirements
Description Weak password policy leads to successful bruteforce attack Steps to reproduce 1.Go to http://localhost:8083/login and login with default credentials admin/admin123 2.Go to http://localhost:8083/me and change password to 123 3. Noticed that password has been changed successful...
OS Command Injection in file editor
Description Deploy and run gogs. Proof of Concept 1. Create a repository and upload a file named config to the repository repo6. The content of the file is as follows: xml core repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true ignorecase = true precomposeunicode =...
Improper Restriction of Excessive Authentication Attempts in login feature
Description No rate limiting in login form leads to bruteforce attack Steps to reproduce 1.Go to http://localhost:/login 2.Login with wrong credentials 3.Capture POST request with Burp Suite and Send to Intruder 4.Create 100 null payloads and start attack 5.Noticed that all request return 200...
Cross site script
Description 1.Create a new recipe. 2.Edit this recipe and add this payload 3.Save the recipe and reload the recipe page...
classic overflow on the stack, with the ability to intercept control.
Description if arguments longer than 1024 were passed to program iusql, we get a classic stack overflow. Proof of Concept I removed the docking check to reduce POC, this check did not show overflow protection git clone https://github.com/lurcher/unixODBC.git 123 sed -i 's/^.if .phEnv, phDbc !=...
Cross-site Scripting (XSS) - Stored
Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. Proof of Concept 1.Access demo website https://demo.syspass.org and login with an account. 2.Create new account, in URL/IP field - input https://google.com"...
Use After Free in function utf_ptr2char
Description Use After Free in function utfptr2char at mbyte.c:1794 vim version git log commit be99042b03edf7b8156c9adbc23516bfcf2cec0f HEAD - master, tag: v8.2.5044, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf2s.dat -c :qa!...
Refelect XSS in neorazorx/facturascripts
Description /facturascripts/EditCuenta can input the taint data without sanitization by the parameter description Proof of Concept POST /facturascripts/EditCuenta HTTP/1.1 Host: 127.0.0.1 Content-Length: 1115 Cache-Control: max-age=0 sec-ch-ua: "NotA:Brand";v="8", "Chromium";v="101"...
Server side request forgery lead to denial of service
Description In this case if a attacker try to load a huge file then server will try to load the file and eventually server use its all memory which will dos the server Proof of Concept 1.Goto...