https://huntr.dev/bounties/582cb14b-b2a8-4064-91c5-b580ff69ba07/ fix bypass; XSS via improper input validation of \t and lone \n character
Description I read this report https://huntr.dev/bounties/582cb14b-b2a8-4064-91c5-b580ff69ba07/ and noticed that \t and a lone \n are also missing from the filter list in the regex url.replace(/\r?\n|\r/gm, ""). All instances of \r, \n and \t should be cleaned, but the filter list only checks for \r\n or \r...
Run malicious JS code with other kinds of encoding
Description We can run malicious JS code with special escaping characters: ASCII chars that start with \x and also all Unicode characters that start with \u, like the following: CR == \x0d and \u000d, LF == \x0a and \u000a, TAB == \t and \u0009 and \x09. So there can be many characters that we can't filter al...
Bypass of last fix
Description The last fix can be bypassed because in this line we should consider the case \r\r or even \r too. Proof of Concept (javascript): const http = require("http"); const parseUrl = require("parse-url"); const url = parseUrl('jav\r\r\rascript://%0aalert(1)'); console.log(url); const server =...
Client-Side RCE and Stored XSS via Unsafe Deserialization of Diagrams
Description The deserialization mechanism of diagram files is based on an XML like structure. When it is read, internal objects are created and properties on those can be set. Furthermore it allows calling any top-level constructor function and cloning of top level XML/HTML nodes. This has the...
Stored XSS via Deserialization of Stylesheets
Description Diagram files can contain stylesheets which basically consist of key-value pairs that influence the appearance of diagram elements. When adding a stylesheet (mxStylesheet element) it is possible to execute JavaScript code when used in combination with the internal include element. Usuall...
use after free in skipwhite
Description When fuzzing vim commit 1d97db3d9 (it also works with the latest build and latest commit 3760bfddc at the time of this report), I discovered a use after free. Proof of Concept Here is the minimized poc (bash): spe!fl norm0z= norm0yy no0 Psvc sil!norm0 norm0 How to build (bash): LD=lld AS=llvm-as...
Incorrect use of privileged APIs to steal victim's account
Description When user can edit their profile -- Incorrect use of privileged APIs to steal victim's account Proof of Concept 1. Login with hacker's account, get the request when edit profile 2. Replace the endpoint and email with victim's one 3. Send the request. POC video:...
Bypass to Remote Command Execution in uploading repository file
Description I found a bypass for CVE-2022-0415 and the previous fixes. In the fix of CVE-2022-0415, gogs filters /.git/ by strings.HasSuffix and strings.Contains. However, using /.Git/ can bypass this and upload successfully. Proof of Concept Create a repository in Gogs, upload a file config to the...
Regular Expression Denial of Service (ReDoS)
Description Affected versions of the package are vulnerable to Regular Expression Denial of Service ReDoS attacks for any string input controlled by the user. An attacker can provide a specially crafted input to the default function moment, which nearly matches the pattern being matched. This wil...
buffer size confusion
Description An attempt to write 2000 into a buffer of 10 bytes, while SSL_read does not add a zero at the end. Proof of Concept (cpp): #define BUFFSIZE 2000 ... char buf[10]; SSL_read(ssl, buf, BUFFSIZE); int virtualIP = atoi(buf);...
Failure to strip Authentication header on HTTP downgrade
The Guzzle redirect middleware fails to strip the Authorization header when a redirect downgrades from https to http. The middleware currently only checks if the host has changed...
Cross-site scripting - Reflected XSS caused by error logs in neorazorx/facturascripts
Description There are two fields that can insert the XSS payload by the error log. 1. http://127.0.0.1/facturascripts/EditBalance, the codbalance field 2. http://127.0.0.1/facturascripts/EditSettings, the tipoidfiscal field in Fiscal Id Both fields require 1 and 25 numbers or letters, no spaces,...
Contextual Code Execution
Description The main function uses the eval function which can lead to contextual code execution, allowing an attacker to gain access to a system and execute commands with the privileges of the running program by setting NUITKA_PYTHONPATH, NUITKA_NAMESPACES or NUITKA_PTH_IMPORTED to a malicious paylo...
Stored XSS in Task field
Description The application Titra is vulnerable to Stored XSS in Task field. Steps To Reproduce 1. Click on add Track button 2. In the Task field enter the payload " 3. click save 4. Now Click on Details 5. XSS will be triggered Image PoC...
Stored XSS in Project Name
Description The application Titra is vulnerable to Stored XSS in the Project Name field. Steps To Reproduce 1. Click on the Edit button 2. Under the Project Name enter the payload " 3. Click on save. 4. Now navigate to details; the XSS will be triggered. Image PoC...
Insufficient Session Expiration
Description The application NocoDB fails to invalidate the session after changing the password. In this scenario, changing the password doesn't destroy the other sessions which are logged in with the old password. Proof of Concept Login to the same account in two different browsers. Try to change the...
Account takeover due to stored XSS in "Project Title"
Description The Project "Title" of the NocoDB application is vulnerable to stored XSS, which can lead to admin account takeover. Proof of Concept Login with a low-privileged user and click on "New Project", then click on "Create". Now write the payload and again click on "Create". Then login from sup...
Out-of-bounds write in function append_command
Description Out-of-bounds write in function append_command at ex_docmd.c:3447 vim version (git log): commit bfaa24f95343af9c058696644375d04e660f1b00 (HEAD -> master, tag: v8.2.5052, origin/master, origin/HEAD) POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocobw6s.dat -c :qa!...
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File
Description Formula Injection/CSV Injection in "Task" due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept 1. Click on plus track button 2. Under the task input field enter the payloads =1+1 3. Now enter the work hour as 2 4. Then click on save 5. Now go to details and...
Stored XSS in Name
Description The application Titra is vulnerable to Stored XSS in user's name field. Proof of Concept Go to profile and under the name put the payload " Video POC: https://drive.google.com/file/d/1MHPloy-i2hsxaLuuVn46oUZVpFm6Nywf/view?usp=sharing...
Bypass filter - Stored XSS in Resources
Description The website incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The fix for this bug https://huntr.dev/bounties/dcf87c0b-6188-4817-8798-ef1e2581b15a/ can be bypassed using the below payload...
Path Traversal vulnerability on the endpoint '/info/refs'
Summary It seems "gogs" suffers from a Path Traversal which may lead a malicious user to access another legitimate user's git config files or issue a couple of git commands on its behalf. Steps to reproduce and Proof of Concept 1. I created two users sim4n6 and sim4n62. 2. From sim4n6 dashboard...
Unrestricted Upload of File with any dangerous extension
Description Unrestricted Upload of File with any extension Proof of Concept 1. Create a ticket 2. Upload a file with any dangerous extension 3. Intercept the request in Burp Suite, replace the Content-Type with image/jpeg POC video:...
Path traversal leads to arbitrary file deletions and file writes
Description Deploy and run gogs on Windows. Proof of Concept 1. Create a repository in Gogs, upload a file named test to the repository on the web page. The content of the file is as follows (xml): 1111 2. The attacker can remove any files. HTTP request: POST...
Stored XSS in Resources
Description The website incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Steps to reproduce (it works on Firefox, not in Chromium-based browsers) 1. Go to https://www.rosariosis.org/demonstration/ and login with...
Path Traversal via Files Manager
Description Please enter a description of the vulnerability. Steps to reproduce 1. Login to the admin panel and go to Modules - Files http://localhost/microweber/admin/view:modules/loadmodule:files 2. Click any file; the url will have the following format:...
OS Command Injection
Description An OS Command Injection in the rancher continuous delivery panel, add repository function. Proof of Concept First install rancher in docker and login. Go to the continuous delivery panel and click the add repository button. Set the repository url as --upload-pack=$touch /tmp/poc, and click Create...
Weak Password Requirements
Description Weak password policy leads to a successful brute-force attack. Steps to reproduce 1. Go to http://localhost:8083/login and login with default credentials admin/admin123 2. Go to http://localhost:8083/me and change the password to 123 3. Notice that the password has been changed successful...
OS Command Injection in file editor
Description Deploy and run gogs. Proof of Concept 1. Create a repository and upload a file named config to the repository repo6. The content of the file is as follows (xml): [core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true ignorecase = true precomposeunicode =...
Improper Restriction of Excessive Authentication Attempts in login feature
Description No rate limiting in the login form leads to a brute-force attack. Steps to reproduce 1. Go to http://localhost:/login 2. Login with wrong credentials 3. Capture the POST request with Burp Suite and send it to Intruder 4. Create 100 null payloads and start the attack 5. Notice that all requests return 200...
Cross site script
Description 1. Create a new recipe. 2. Edit this recipe and add this payload 3. Save the recipe and reload the recipe page...
classic overflow on the stack, with the ability to intercept control.
Description If arguments longer than 1024 are passed to the program iusql, we get a classic stack overflow. Proof of Concept I removed the docking check to reduce the POC; this check did not show overflow protection. git clone https://github.com/lurcher/unixODBC.git 123 sed -i 's/^.if .phEnv, phDbc !=...
Cross-site Scripting (XSS) - Stored
Description Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. Proof of Concept 1. Access the demo website https://demo.syspass.org and login with an account. 2. Create a new account; in the URL/IP field, input https://google.com"...
Use After Free in function utf_ptr2char
Description Use After Free in function utf_ptr2char at mbyte.c:1794 vim version (git log): commit be99042b03edf7b8156c9adbc23516bfcf2cec0f (HEAD -> master, tag: v8.2.5044, origin/master, origin/HEAD) POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf2s.dat -c :qa!...
Reflected XSS in neorazorx/facturascripts
Description /facturascripts/EditCuenta accepts tainted data without sanitization via the parameter description. Proof of Concept POST /facturascripts/EditCuenta HTTP/1.1 Host: 127.0.0.1 Content-Length: 1115 Cache-Control: max-age=0 sec-ch-ua: "NotA:Brand";v="8", "Chromium";v="101"...
Server side request forgery lead to denial of service
Description In this case, if an attacker tries to load a huge file, the server will try to load the file and eventually use all of its memory, which will DoS the server. Proof of Concept 1. Go to...
Use-After-Free in function hash_new_from_values
Description Use-After-Free in function hash_new_from_values at vm.c:1167 mruby version (git log): commit ac79849fde3381e001c3274fbcdda20a5c9cb22b (HEAD -> master, origin/master, origin/HEAD) Author: Yukihiro "Matz" Matsumoto Date: Fri May 20 09:59:23 2022 +0900 Build export CFLAGS="-g -O0 -lpthread...
Local Command Injection Post-Installation of Dependencies
Description grav version x";touch pwned "/user/plugins/problems sh: 1: cd: can't cd to x SUCCESS cloned https://github.com/getgrav/grav-plugin-error - x";touch pwned "/user/plugins/error sh: 1: cd: can't cd to x SUCCESS cloned https://github.com/getgrav/grav-plugin-markdown-notices - x";touch pwn...
SQL injection at exportUsers function
Description SQL injection at exportUsers function via sort query parameter Proof of Concept GET /index.php?q=/api/leadmall/statistical&behavior=exportGoods&sort="updatexmlrand,concatCHAR126,version,CHAR126,null--+-":"asd" HTTP/1.1 Host: demo.leadshop.vip Cookie:...
Server-Side Request Forgery via upload image gallery
Description When uploading an image to the gallery, the server uses the file_get_contents function to load the image via a data scheme url, so an attacker can modify this url to any URL, like http to send a request to any URL, and file to read a local file, ... Proof of Concept POST /index.php?q=/api/leadmall/gallery...
proxying Big files leads to potential DOS [/proxy]
Description Consider the following script, and put the address of your drawio docker instance in drawiodockerinstace; bigfileaddress should serve a big image file (250 MB). exploit.py (python): from multiprocessing import Process import requests def fun: try:...
Unvalidated Follow redirects
Description There is some kind of vulnerability class in the follow-redirect feature, and Guzzle is also affected by this kind of vulnerability. If the developer wants to get a URL from a third-party host and the third-party URL is also redirected to another URL, then the first crafted cookies...
Heap-based Buffer Overflow in function vim_regsub_both
Description Heap-based Buffer Overflow in function vim_regsub_both at regexp.c:1954 vim version (git log): commit 4d97a565ae8be0d4debba04ebd2ac3e75a0c8010 (HEAD -> master, tag: v8.2.5037, origin/master, origin/HEAD) POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobw5s.dat -...
Out-of-bounds write in function vim_regsub_both
Description Out-of-bounds write in function vim_regsub_both at regexp.c:1954 vim version (git log): commit 4c3d21acaa09d929e6afe10288babe1d0af3de35 (HEAD -> master, tag: v8.2.5014, origin/master, origin/HEAD) POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobw2s.dat -c :qa!...
Out of Bounds Read in string_scan_range
Description When providing crafted input, an attacker can cause rread32 within string_scan_range to do an out-of-bounds read. This causes a segmentation fault, but could also potentially enable information disclosure. What's interesting is that there is already a comment stating "may oobread" near this...
Use After Free in function find_pattern_in_path
Description Use After Free in function find_pattern_in_path at search.c:3653 vim version (git log): commit 4c3d21acaa09d929e6afe10288babe1d0af3de35 (HEAD -> master, tag: v8.2.5014, origin/master, origin/HEAD) POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch16s.dat -c :qa!...
Incorrect Behavior Make Crash and Can not Access Account
Description Incorrect Behavior Make Crash and Can not Access Account Proof of Concept 1. Send a test message and get the request, send it to Repeater 2. Replace the value of owner and cId with the id of two victims 3. Send the request...
Null pointer dereference at chafa-pixops.c:95
Description Null pointer dereference in hpjansson/chafa at chafa-pixops.c:95. Build export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure --disable-shared make POC ./chafa POC POC ASAN...
Null pointer dereference in index.c
Description Null pointer dereference in bfabiszewski/libmobi at index.c:1076. Build export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure --disable-shared make POC ./mobitool -e -o...
proxying Big files leads to potential DOS
Description Consider the following script exploit.py; put the address of your drawio docker instance in drawiodockerinstace, and bigfileaddress should serve a big image file (250 MB). (python): from multiprocessing import Process import requests def fun: try:...