4072 matches found
Use-After-Free in function hash_new_from_values
Description Use-After-Free in function hashnewfromvalues at vm.c:1167 mruby version git log commit ac79849fde3381e001c3274fbcdda20a5c9cb22b HEAD - master, origin/master, origin/HEAD Author: Yukihiro "Matz" Matsumoto Date: Fri May 20 09:59:23 2022 +0900 Build export CFLAGS="-g -O0 -lpthread...
Local Command Injection Post-Installation of Dependencies
Description grav version x";touch pwned "/user/plugins/problems sh: 1: cd: can't cd to x SUCCESS cloned https://github.com/getgrav/grav-plugin-error - x";touch pwned "/user/plugins/error sh: 1: cd: can't cd to x SUCCESS cloned https://github.com/getgrav/grav-plugin-markdown-notices - x";touch pwn...
SQL injection at exportUsers function
Description SQL injection at exportUsers function via sort query parameter Proof of Concept GET /index.php?q=/api/leadmall/statistical&behavior=exportGoods&sort="updatexmlrand,concatCHAR126,version,CHAR126,null--+-":"asd" HTTP/1.1 Host: demo.leadshop.vip Cookie:...
Server-Side Request Forgery via upload image gallery
Description Upload image to gallery, the server use filegetcontents function to load image via data scheme url, so attacker can modify this url to any URL like http to send ability request to any URL , and file to read local file, ... Proof of Concept POST /index.php?q=/api/leadmall/gallery...
proxying Big files leads to potential DOS [/proxy]
Description consider following script and put drawiodockerinstace your address and also bigfileaddress should be serve a big image file 250 MB exploit.py python from multiprocessing import Process import requests def fun: try:...
Unvalidated Follow redirects
Description There is some kind of vulnerability class in the following redirect feature, And Guzzle is also affected by this kind of vulnerability. If the developer wants to get a URL from a third-party host and the third-party URL is also redirected to another URL, then the first crafted cookies...
Heap-based Buffer Overflow in function vim_regsub_both
Description Heap-based Buffer Overflow in function vimregsubboth at regexp.c:1954 vim version git log commit 4d97a565ae8be0d4debba04ebd2ac3e75a0c8010 HEAD - master, tag: v8.2.5037, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobw5s.dat -...
Out-of-bounds write in function vim_regsub_both
Description Out-of-bounds write in function vimregsubboth at regexp.c:1954 vim version git log commit 4c3d21acaa09d929e6afe10288babe1d0af3de35 HEAD - master, tag: v8.2.5014, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobw2s.dat -c :qa!...
Out of Bounds Read in string_scan_range
Description When providing crafted input, an attacker can cause rread32 within stringscanrange to do an out of bounds read. This causes a segmentation fault, but could also potentially enable information disclosure. What's interesting is there is already a comment stating "may oobread" near this...
Use After Free in function find_pattern_in_path
Description Use After Free in function findpatterninpath at search.c:3653 vim version git log commit 4c3d21acaa09d929e6afe10288babe1d0af3de35 HEAD - master, tag: v8.2.5014, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch16s.dat -c :qa!...
Incorrect Behavior Make Crash and Can not Access Account
Description Incorrect Behavior Make Crash and Can not Access Account Proof of Concept 1. Send a test message and get the request, send it to Repeater 2. Replace the value of owner and cId with the id of two victims 3. Send the request...
Null pointer dereference at chafa-pixops.c:95
Description Null pointer dereference in hpjansson/chafa at chafa-pixops.c:95. Build export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure --disable-shared make POC ./chafa POC POC ASAN...
Null pointer dereference in index.c
Description Null pointer dereference in bfabiszewski/libmobi at index.c:1076. Build export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure --disable-shared make POC ./mobitool -e -o...
proxying Big files leads to potential DOS
Description consider following script exploit.py put drawiodockerinstace your address and also bigfileaddress should be serve a big image file 250 MB python from multiprocessing import Process import requests def fun: try:...
Stored XSS in "Tab Image" and "Group Image"
Description The organizr application allows malicious javascript payload in the "Tab Image" and "Group Image" for which its leads to stored XSS. Proof of Concept 1 1.Login to the co-admin account and go to "Settings" - "Tab Editor". 2.Now click on "Tabs" - "Add New Tab" and filled all the details...
Send messenger to another user with any sender account
Description Send messenger to another user with any sender account Proof of Concept 1. Login with account A. 2. When click to the message box of the user Victim X we have the id of this message page in URL, such as https://docker.trudesk.io/messages/628ceabe32b93e62146a7d75 is the URL of message ...
Session tokens are not invalidated on logout
Description The session cookie is not invalidated on logout so, it can be used after logout as well. Proof of Concept Login to the Nakama console. Intercept the request. Below is a sample request: http GET /v2/console/user HTTP/1.1 Host: localhost:7351 Accept: application/json, text/plain, /...
SQL Injection
Description A SQL Injection in rqlite store Proof of Concept use example code go package main import "io" "log" "net/http" "github.com/alexedwards/scs/rqlitestore" "github.com/alexedwards/scs/v2" "github.com/rqlite/gorqlite" var sessionManager scs.SessionManager func main // Establish connection ...
User Account Deletion and more via Clickjacking
Description As nakama console is not restricted from being loaded in an iframe, clickjacking attack is possible. Proof of Concept 1. Login to nakama console. 2. Save the following as an .html file and open it in the browser to see that the page loads into an iframe. html :"...
No Protection against Bruteforce attacks on Login page
Description Nakama Console does not have any limit for the number of unsuccessful login attempts in a very short period of time. Proof of Concept 1. Send a login request. 2. Capture the login request 3. Replay the login request with different password value. HTTP request http POST...
Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept - it works on firefox not in chromium based browsers - login as admin - go to...
Meta Data Is Not Stripped From images
Hey team, while uploading site/page logo as an administrator, The meta data of the image like geolocation, device information, version, name etc is not getting stripped, as a result the attacker can collect all the meta data information of the image by using tools like exif tool, metadata...
Improper Restriction of Excessive Authentication Attempts in login feature
Description No rate-limiting leads to bruteforce attack in login feature Steps to reproduce 1.Go to https://www.rosariosis.org/demonstration/ 2.Login with any username and password 3.Using Burp and send login POST request to Intruder 4.Create 30 null payloads and start attack 5.Login with correct...
Out-of-bounds read in function gchar_cursor
Description Out-of-bounds read in function gcharcursor at misc1.c:532 vim version git log commit 68e64d2c1735f2a39afa8a0475ae29bedb116684 HEAD - master, tag: v8.2.5006, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch11s.dat -c :qa!...
Heap-based Buffer Overflow in function utf_head_off
Description Heap-based Buffer Overflow in function utfheadoff at mbyte.c:3872 vim Version git log commit 68e64d2c1735f2a39afa8a0475ae29bedb116684 HEAD - master, tag: v8.2.5006, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poch6s.dat -c :qa!...
Session Fixation
🔒️ Requirements None. 📝 Description The updateUser function does not reset user's session. 🕵️♂️ Proof of Concept Use two browsers and on the first, update the second user's session to delete his privileges. Going to the second, you and refreshing the page, you will that the user have lost his...
The publify application allows large characters to insert in the input field "title name and post field" on the article field which can allow attackers to cause a Denial of Service (DoS)
Description Please enter a description of the vulnerability. Proof of Concept 1 - Create New article https://demo-publify.herokuapp.com/admin/content/new 2 - Fill the title name and post field with huge characters, more than 1 lakh Copy the below payload and put it in the input fields and click o...
Weak Password Policy
Description I would like to let you know about the password management issue. Proof of Concept 1- Go to your Profile or https://demo-publify.herokuapp.com 2- Give a password as simple as 12345678. You can see you will be password has been changed and there is no strong enforcement...
Metadata Is Not Stripped From Images
While uploading an image on https://demo-publify.herokuapp.com/admin/resources as a low privileged user the meta data of the image like geolocation, device information, version, name etc is not getting stripped, as a result the attacker can collect all the meta data information of the image by...
Path Traversal
🔒️ Requirements Privilege: User 📝 Description File path isn't properly sanitized and allow ... 🕵️♂️ Proof of Concept Listing other user folder content First, create a user with Read privilege and with specific home folder like /test. Then, Connect to his account and access the home page...
Subdomain Takeover of https://test.diagrams.net/
First of all, I apologize for reporting it here because I noticed that they have a program with huntr but only for DrawIO source code. Since I discovered this vulnerability I decided to ethically disclose it here instead of leaving it vulnerable. I found a subdomain of diagrams.net that was...
Improper privilege management - Anyone can view room settings.
Description Hi bigbluebutton maintainers, I would like to report an improper privilege management, this allows anyone to view any room settings. Proof of Concept 1. To demonstrate the vulnerability, I've created a room https://demo.bigbluebutton.org/gl/hoa-j4s-sxx-5gn 2. Run this curl command to...
Buffer Over-read in function utf_ptr2char
Description Buffer Over-read in function utfptr2char at mbyte.c:1794 vim version git log commit 31d9948e3a2529c2f619d56bdb48291dc261233d HEAD - master, tag: v8.2.5026, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch10ns.dat -c :qa!...
Cross-site Scripting (XSS) - Reflected
Description I find Relected XSS in search function. Proof of Concept 1.Login with admin or teacher account 2.Access this url:...
Use of Uninitialized Function Pointer
Description When providing a crafted input binary to radare2, the context-readaddr function pointer is never initialized before use. This is due to the switch statement responsible for the assignment not finding a matching value for its switch cases. Calling function c static bool...
categoly Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept 1. Create new user,add category and add XSS payload" onClick="alert1" 2. Search user. 3. Click...
SSRF in /service endpoint
Description The problem came from this line of code I ran docker-drawio with following command : docker run -it --rm --name="draw" -e EXPORTURL=http://somesite.com -p 8080:8080 -p 8443:8443 jgraph/drawio if the drawio EXPORTURL is set to an address without any / after the primary Hostname like...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept Go to this URL:...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept Go to this URL:...
Allocation of Resources Without Limits in
Steps to reproduce: 1. As an admin, start a new conversation with any membernormal user 2. If the membernormal user reply with a text of huge characters, more than crores, etcthe admin may not able to access the dash board and its get started lagging, because the server get DOS POC Screenshot: PO...
Improper Access Control - Articles
Description A low-privileged user can modify and delete admin articles just by changing the value of the articleid parameter. Proof of Concept - Step 1 - Authenticated as an unprivileged user, create a New article - Step 2 - Click Edit article - Step 3 - Intercept requests and Save your article -...
Bypass Restriction and File Upload Leads to XSS Stored - TXT to HTML
Description Unrestricted file upload allowed the attacker to manipulate the request and bypass the protection of HTML files using a text file, XSS Stored was obtained when uploading the HTML file. Proof of Concept POST /admin/resources/upload HTTP/1.1 Host: demo-publify.herokuapp.com Cookie:...
SQL injetction
Description SQL injection exists in the camptocamp/terraboard. Among all APIs there is an API routed to /api/search/attribute, whose corresponding method is api.SearchAttribute. In the api.SearchAttribute method, the program takes the request parameters and passes them into the db.SearchAttribute...
Account Takeover
Description Hi I found a way to takeover user's account Proof of Concept 1.Victim A is a member of a organization orgA 2.Attacker create a new account with orgB 3.Invite victimA to orgB 4.Since an admin can access invitation link attacker copy this link and set new password using this link 5.Now...
Denial of Service on embed2 servlet
Description The application stores a 5MB file in a hashmap variable using a user input as a key, with a large number of requests its possible to increase the memory usage of the application and deny the access to embed2.js stencils resource Proof of Concept import requests...
UI REDRESSING
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept 1. Go to this URL:...
Business Logic error lead to race condition
Description I have found Business logic Bug in para application free User can create more than 1 app even after App limit reached Proof of Concept 1 - Go to https://paraio.com/apps 2 - Create a new app 3- Enter the name of app 4- Intercept the request in burp suite and send into intruder and sele...
Server Side Request Forgery
Description There are two SSRF's in the draw-image-export2 repository, both work on the domain convert.diagrams.net One is a Blind SSRF the other one a Full Response SSRF. Blind SSRF The first one is simple and can be invoked by accessing the following URL:...
Cross Site Request Forgery in acknowledging Toast
Description Hi there linkding maintainers, I would like to report a Cross site request forgery in acknowledging toast. This is due to the use of GET method. Proof of Concept 1. Install a local instance of linkding 2. Create admin user admin 3. Log in as admin and create a new toast 4. Go back to...
xss bypass
Description xss check bypassed Proof of Concept The fix for this bug https://huntr.dev/bounties/2adf903d-cab1-4ca8-8236-b6315f0fdaba/ can be bypassed using bellow payload jAvAsCriPt://sadas.com/%0aalert11;//...