4058 matches found

Huntr, added 2022/05/24 3:42 p.m., 23 views

Stored XSS in "Tab Image" and "Group Image"

Description: The organizr application allows a malicious JavaScript payload in the "Tab Image" and "Group Image" fields, which leads to stored XSS. Proof of Concept 1: 1. Log in to the co-admin account and go to "Settings" - "Tab Editor". 2. Now click on "Tabs" - "Add New Tab" and fill in all the details...

CVSS 3.5, AI score 5.8, EPSS 0.0033
Exploits: 1
Huntr, added 2022/05/24 2:39 p.m., 27 views

Send messenger to another user with any sender account

Description: Send messenger to another user with any sender account. Proof of Concept: 1. Login with account A. 2. When clicking on the message box of the user Victim X we have the id of this message page in the URL, such as https://docker.trudesk.io/messages/628ceabe32b93e62146a7d75 is the URL of message ...

CVSS 5.5, EPSS 0.00322
Exploits: 1, References: 2
Huntr, added 2022/05/24 2:00 p.m., 35 views

Session tokens are not invalidated on logout

Description: The session cookie is not invalidated on logout, so it can be used after logout as well. Proof of Concept: Login to the Nakama console. Intercept the request. Below is a sample request: GET /v2/console/user HTTP/1.1 Host: localhost:7351 Accept: application/json, text/plain, /...

CVSS 5, AI score 0.1, EPSS 0.00218
Exploits: 1
Huntr, added 2022/05/24 11:42 a.m., 13 views

SQL Injection

Description: A SQL Injection in rqlite store. Proof of Concept: use the example code: package main import "io" "log" "net/http" "github.com/alexedwards/scs/rqlitestore" "github.com/alexedwards/scs/v2" "github.com/rqlite/gorqlite" var sessionManager scs.SessionManager func main // Establish connection ...

AI score 0.2
Exploits: 0
Huntr, added 2022/05/24 11:00 a.m., 7 views

User Account Deletion and more via Clickjacking

Description: As the nakama console is not restricted from being loaded in an iframe, a clickjacking attack is possible. Proof of Concept: 1. Login to nakama console. 2. Save the following as an .html file and open it in the browser to see that the page loads into an iframe. :"...

AI score 1.2
Exploits: 0
Huntr, added 2022/05/24 9:52 a.m., 29 views

No Protection against Bruteforce attacks on Login page

Description: Nakama Console does not have any limit for the number of unsuccessful login attempts in a very short period of time. Proof of Concept: 1. Send a login request. 2. Capture the login request. 3. Replay the login request with a different password value. HTTP request: POST...

CVSS 5, AI score 8.7, EPSS 0.0032
Exploits: 1
Huntr, added 2022/05/23 8:43 p.m., 9 views

Cross-site Scripting (XSS) - Stored

Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept: - it works on Firefox, not in Chromium-based browsers - login as admin - go to...

AI score 7
Exploits: 0, References: 1
Huntr, added 2022/05/23 4:16 p.m., 33 views

Meta Data Is Not Stripped From images

Hey team, while uploading a site/page logo as an administrator, the metadata of the image like geolocation, device information, version, name etc. is not getting stripped; as a result the attacker can collect all the metadata information of the image by using tools like ExifTool, metadata...

CVSS 5, AI score 0.1, EPSS 0.00323
Exploits: 1, References: 1
Huntr, added 2022/05/23 11:25 a.m., 16 views

Improper Restriction of Excessive Authentication Attempts in login feature

Description: No rate limiting leads to a brute-force attack on the login feature. Steps to reproduce: 1. Go to https://www.rosariosis.org/demonstration/ 2. Log in with any username and password 3. Using Burp, send the login POST request to Intruder 4. Create 30 null payloads and start the attack 5. Log in with the correct...

AI score 0.2
Exploits: 0
Huntr, added 2022/05/23 4:14 a.m., 34 views

Out-of-bounds read in function gchar_cursor

Description: Out-of-bounds read in function gchar_cursor at misc1.c:532. vim version: git log commit 68e64d2c1735f2a39afa8a0475ae29bedb116684 (HEAD -> master, tag: v8.2.5006, origin/master, origin/HEAD). POC: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch11s.dat -c :qa!...

CVSS 6.8, AI score 7.7, EPSS 0.00538
Exploits: 1
Huntr, added 2022/05/23 3:52 a.m., 30 views

Heap-based Buffer Overflow in function utf_head_off

Description: Heap-based Buffer Overflow in function utf_head_off at mbyte.c:3872. vim version: git log commit 68e64d2c1735f2a39afa8a0475ae29bedb116684 (HEAD -> master, tag: v8.2.5006, origin/master, origin/HEAD). POC: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poch6s.dat -c :qa!...

CVSS 6.8, AI score 7.2, EPSS 0.00127
Exploits: 1
Huntr, added 2022/05/22 8:56 p.m., 23 views

Session Fixation

🔒️ Requirements: None. 📝 Description: The updateUser function does not reset the user's session. 🕵️‍♂️ Proof of Concept: Use two browsers and, on the first, update the second user's session to delete his privileges. Going to the second and refreshing the page, you will see that the user has lost his...

CVSS 5.5, AI score 2.2, EPSS 0.00221
Exploits: 1
Huntr, added 2022/05/22 8:47 p.m., 25 views

The publify application allows a large number of characters to be inserted in the input fields "title name" and "post field" of an article, which can allow attackers to cause a Denial of Service (DoS)

Description: Please enter a description of the vulnerability. Proof of Concept: 1 - Create a new article at https://demo-publify.herokuapp.com/admin/content/new 2 - Fill the title name and post field with huge characters, more than 1 lakh. Copy the below payload and put it in the input fields and click o...

CVSS 7.5, AI score 8.9, EPSS 0.00289
Exploits: 1
Huntr, added 2022/05/22 8:23 p.m., 18 views

Weak Password Policy

Description: I would like to let you know about the password management issue. Proof of Concept: 1- Go to your Profile or https://demo-publify.herokuapp.com 2- Give a password as simple as 12345678. You can see that the password has been changed and there is no strong enforcement...

CVSS 4, AI score 6.4, EPSS 0.00105
Exploits: 0, References: 1
Huntr, added 2022/05/22 8:12 p.m., 24 views

Metadata Is Not Stripped From Images

While uploading an image on https://demo-publify.herokuapp.com/admin/resources as a low-privileged user, the metadata of the image like geolocation, device information, version, name etc. is not getting stripped; as a result the attacker can collect all the metadata information of the image by...

CVSS 4, EPSS 0.00099
Exploits: 1, References: 1
Huntr, added 2022/05/22 8:05 p.m., 21 views

Path Traversal

🔒️ Requirements: Privilege: User 📝 Description: File path isn't properly sanitized and allows ... 🕵️‍♂️ Proof of Concept: Listing other users' folder content. First, create a user with Read privilege and with a specific home folder like /test. Then connect to his account and access the home page...

CVSS 5.5, AI score 0.3, EPSS 0.00403
Exploits: 1, References: 1
Huntr, added 2022/05/22 7:58 p.m., 12 views

Subdomain Takeover of https://test.diagrams.net/

First of all, I apologize for reporting it here because I noticed that they have a program with huntr but only for DrawIO source code. Since I discovered this vulnerability I decided to ethically disclose it here instead of leaving it vulnerable. I found a subdomain of diagrams.net that was...

AI score 0.4
Exploits: 0
Huntr, added 2022/05/22 10:03 a.m., 9 views

Improper privilege management - Anyone can view room settings.

Description: Hi bigbluebutton maintainers, I would like to report an improper privilege management issue; this allows anyone to view any room's settings. Proof of Concept: 1. To demonstrate the vulnerability, I've created a room https://demo.bigbluebutton.org/gl/hoa-j4s-sxx-5gn 2. Run this curl command to...

AI score 1.6
Exploits: 0
Huntr, added 2022/05/22 3:06 a.m., 32 views

Buffer Over-read in function utf_ptr2char

Description: Buffer Over-read in function utf_ptr2char at mbyte.c:1794. vim version: git log commit 31d9948e3a2529c2f619d56bdb48291dc261233d (HEAD -> master, tag: v8.2.5026, origin/master, origin/HEAD). POC: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch10ns.dat -c :qa!...

CVSS 6.8, AI score 7.8, EPSS 0.02861
Exploits: 3, References: 2
Huntr, added 2022/05/21 6:40 p.m., 11 views

Cross-site Scripting (XSS) - Reflected

Description: I found a Reflected XSS in the search function. Proof of Concept: 1. Log in with an admin or teacher account 2. Access this URL:...

AI score 0.2
Exploits: 0, References: 1
Huntr, added 2022/05/21 2:15 p.m., 29 views

Use of Uninitialized Function Pointer

Description: When providing a crafted input binary to radare2, the context-readaddr function pointer is never initialized before use. This is due to the switch statement responsible for the assignment not finding a matching value for its switch cases. Calling function: static bool...

CVSS 6.8, AI score 7.4, EPSS 0.00201
Exploits: 1
Huntr, added 2022/05/21 11:53 a.m., 12 views

Category Cross-site Scripting (XSS) - Stored

Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept: 1. Create a new user, add a category and add the XSS payload " onClick="alert1" 2. Search user. 3. Click...

AI score 0.9
Exploits: 0
Huntr, added 2022/05/20 5:41 p.m., 42 views

SSRF in /service endpoint

Description: The problem came from this line of code. I ran docker-drawio with the following command: docker run -it --rm --name="draw" -e EXPORTURL=http://somesite.com -p 8080:8080 -p 8443:8443 jgraph/drawio If the drawio EXPORTURL is set to an address without any / after the primary hostname, like...

CVSS 5, AI score 6.4, EPSS 0.24873
Exploits: 1
Huntr, added 2022/05/20 2:52 p.m., 5 views

UI REDRESSING

Description: The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept: Go to this URL:...

AI score 0.7
Exploits: 0, References: 2
Huntr, added 2022/05/20 2:27 p.m., 7 views

UI REDRESSING

Description: The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept: Go to this URL:...

AI score 0.7
Exploits: 0, References: 2
Huntr, added 2022/05/20 6:32 a.m., 34 views

Allocation of Resources Without Limits in

Steps to reproduce: 1. As an admin, start a new conversation with any member/normal user 2. If the member/normal user replies with a text of huge characters, more than crores, etc., the admin may not be able to access the dashboard and it starts lagging, because the server gets DoSed. POC Screenshot: PO...

CVSS 4, EPSS 0.00413
Exploits: 1
Huntr, added 2022/05/20 12:29 a.m., 21 views

Improper Access Control - Articles

Description: A low-privileged user can modify and delete admin articles just by changing the value of the articleid parameter. Proof of Concept: - Step 1 - Authenticated as an unprivileged user, create a New article - Step 2 - Click Edit article - Step 3 - Intercept requests and Save your article -...

CVSS 4, EPSS 0.00081
Exploits: 1, References: 1
Huntr, added 2022/05/19 11:52 p.m., 37 views

Bypass Restriction and File Upload Leads to Stored XSS - TXT to HTML

Description: Unrestricted file upload allowed the attacker to manipulate the request and bypass the protection against HTML files using a text file; Stored XSS was obtained when uploading the HTML file. Proof of Concept: POST /admin/resources/upload HTTP/1.1 Host: demo-publify.herokuapp.com Cookie:...

CVSS 3.5, AI score 5.5, EPSS 0.00193
Exploits: 1, References: 3
Huntr, added 2022/05/19 8:10 p.m., 37 views

SQL injection

Description: SQL injection exists in camptocamp/terraboard. Among all APIs there is an API routed to /api/search/attribute, whose corresponding method is api.SearchAttribute. In the api.SearchAttribute method, the program takes the request parameters and passes them into db.SearchAttribute...

CVSS 6.5, AI score 0.1, EPSS 0.6204
Exploits: 1, References: 1
Huntr, added 2022/05/19 6:42 p.m., 34 views

Account Takeover

Description: Hi, I found a way to take over a user's account. Proof of Concept: 1. Victim A is a member of an organization orgA 2. Attacker creates a new account with orgB 3. Invite victim A to orgB 4. Since an admin can access the invitation link, the attacker copies this link and sets a new password using this link 5. Now...

CVSS 6, AI score 0.6, EPSS 0.00332
Exploits: 1
Huntr, added 2022/05/19 4:12 p.m., 4 views

Denial of Service on embed2 servlet

Description: The application stores a 5MB file in a hashmap variable using a user input as a key; with a large number of requests it is possible to increase the memory usage of the application and deny access to the embed2.js stencils resource. Proof of Concept: import requests...

AI score 0.7
Exploits: 0
Huntr, added 2022/05/18 8:32 p.m., 30 views

UI REDRESSING

Description: The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Proof of Concept: 1. Go to this URL:...

CVSS 4.9, AI score 0.6, EPSS 0.00341
Exploits: 1, References: 1
Huntr, added 2022/05/18 2:06 p.m., 26 views

Business Logic error lead to race condition

Description: I have found a business logic bug in the para application: a free user can create more than 1 app even after the app limit is reached. Proof of Concept: 1 - Go to https://paraio.com/apps 2 - Create a new app 3 - Enter the name of the app 4 - Intercept the request in Burp Suite and send it to Intruder and sele...

CVSS 4.3, AI score 5.6, EPSS 0.00363
Exploits: 1, References: 1
Huntr, added 2022/05/18 12:23 p.m., 27 views

Server Side Request Forgery

Description: There are two SSRFs in the draw-image-export2 repository; both work on the domain convert.diagrams.net. One is a Blind SSRF, the other one a Full Response SSRF. Blind SSRF: The first one is simple and can be invoked by accessing the following URL:...

AI score 0.1
Exploits: 0
Huntr, added 2022/05/18 9:51 a.m., 10 views

Cross Site Request Forgery in acknowledging Toast

Description: Hi there linkding maintainers, I would like to report a Cross-Site Request Forgery in acknowledging a toast. This is due to the use of the GET method. Proof of Concept: 1. Install a local instance of linkding 2. Create admin user admin 3. Log in as admin and create a new toast 4. Go back to...

AI score 1.5
Exploits: 0
Huntr, added 2022/05/18 8:16 a.m., 9 views

XSS bypass

Description: XSS check bypassed. Proof of Concept: The fix for this bug https://huntr.dev/bounties/2adf903d-cab1-4ca8-8236-b6315f0fdaba/ can be bypassed using the below payload jAvAsCriPt://sadas.com/%0aalert11;//...

AI score 0.2
Exploits: 0
Huntr, added 2022/05/18 4:44 a.m., 6 views

Stored XSS

Description: Stored XSS in the ListAgenciaTransporte module in facturascripts is triggered when clicking the scrolling middle mouse button. Proof of Concept: 1. Create a new non-admin account 2. Log in and go to http://localhost/invoices/EditAgenciaTransporte 3. Add a new user with website link to...

AI score 6.1
Exploits: 0, References: 1
Huntr, added 2022/05/18 3:08 a.m., 68 views

SSRF in embed2 servlet via redirects

Description: Embed2Servlet uses url.OpenConnection in https://github.com/jgraph/drawio/blob/7a68ebe22a64fe722704e9c4527791209fee2034/src/main/java/com/mxgraph/online/EmbedServlet2.java#L400 which follows redirects by default. However, the redirections are not being checked, hence it is possible to...

CVSS 5, AI score 7.5, EPSS 0.00922
Exploits: 1
Huntr, added 2022/05/17 6:08 p.m., 36 views

Weak Password Policy

Description: I would like to let you know about the password management issue. Proof of Concept: 1- Go to your Profile or https://docker.trudesk.io/profile 2- Give a password as simple as 12345678. You can see that the password has been changed and there is no strong enforcement...

CVSS 7.5, AI score 9.3, EPSS 0.01267
Exploits: 1, References: 1
Huntr, added 2022/05/17 3:56 p.m., 10 views

Stored Cross Site Scripting on "Add user" field

Steps to reproduce: 1. Go to Settings -- Access controls -- Add user 2. Payload = """ 3. Add the XSS payload as username and create a new user 4. After creating the user, click on the delete button and the XSS will be triggered. POC Screenshot:...

AI score 0.3
Exploits: 0
Huntr, added 2022/05/16 7:24 p.m., 29 views

The trudesk application allows a large number of characters to be inserted in the input field "Name", which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in polonel / trudesk

Proof of Concept: 1 - Go to Profile or https://docker.trudesk.io/profile 2 - and fill the name input field with huge characters. Payload: https://drive.google.com/file/d/17-SH8ZaTqBTQGugpbh2SQtTKnJOL9NIK/view?usp=sharing Video POC:...

CVSS 4, AI score 2.4, EPSS 0.00467
Exploits: 1, References: 2
Huntr, added 2022/05/16 6:27 p.m., 7 views

Application Level DoS

Description: Hey, when I attempted to change the password, I noticed that you haven't kept any password boundary. You need to limit the password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an application-level...

AI score 7.2
Exploits: 0, References: 1
Huntr, added 2022/05/16 6:08 p.m., 9 views

Application Level DoS

Description: Hey, when I attempted to change the password, I noticed that you haven't kept any password boundary. You need to limit the password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an application-level...

AI score 7.2
Exploits: 0, References: 1
Huntr, added 2022/05/16 5:45 p.m., 10 views

Insufficient Session Expiration

Description: If the admin changes the password of a user who is already logged in, the application fails to invalidate the session after changing the password; as a result, changing the password doesn't destroy the other sessions which are logged in with the old password. Proof of Concept: 1. Login...

AI score 7.1, EPSS 0.01477
Exploits: 1, References: 1
Huntr, added 2022/05/16 1:43 p.m., 38 views

Out-of-bounds write in function vim_regsub_both

Description: Out-of-bounds write in function vim_regsub_both at regexp.c:1954. vim version: git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b (HEAD -> master, tag: v8.2.4962, origin/master, origin/HEAD). POC: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobws.dat -c :qa!...

CVSS 4.6, AI score 7.5, EPSS 0.00044
Exploits: 1
Huntr, added 2022/05/16 12:53 p.m., 39 views

Infinite recursive function calls result in stack overflow

Description: When providing certain input, the program will enter an infinite loop where it continually calls: get_expr_register - cmdline_handle_backslash_key - getcmdline - getcmdline_int - cmdline_handle_backslash_key - get_expr_register - etc. GDB: [Thread debugging using libthread_db enabled] Using ho...

CVSS 4.3, AI score 0.5, EPSS 0.00098
Exploits: 1
Huntr, added 2022/05/16 11:20 a.m., 19 views

Buffer Over-read in function get_one_sourceline

Description: Buffer Over-read in function get_one_sourceline at scriptfile.c:1976. vim version: git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b (HEAD -> master, tag: v8.2.4962, origin/master, origin/HEAD). POC: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch6s.dat -c :qa...

CVSS 4.6, AI score 6.8, EPSS 0.00155
Exploits: 0
Huntr, added 2022/05/16 10:58 a.m., 22 views

heap-use-after-free in function find_pattern_in_path

Description: heap-use-after-free in function find_pattern_in_path at search.c:3683. vim version: git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b (HEAD -> master, tag: v8.2.4962, origin/master, origin/HEAD). POC: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pochuafs.dat -c...

CVSS 6.8, AI score 7, EPSS 0.00189
Exploits: 1
Huntr, added 2022/05/16 3:45 a.m., 7 views

Regex check failed leads to CORS bypass

Description: ProxyServlet will call getCorsDomain to get the value and set it as Access-Control-Allow-Origin. This check only allows sharing with .draw.io, .diagrams.net and .quipelements.com. However, I found that the regex used for matching does not start with ^, which leads to a bypass. Proof of Concept: Step 1: Ca...

AI score 0.2
Exploits: 0
Huntr, added 2022/05/15 4:27 p.m., 25 views

Stored XSS on drawio

Summary: Draw.io has a feature to put links on a text; due to bad sanitization it allows putting the javascript:// scheme on an anchor tag, which allows executing JavaScript code. Steps to reproduce: 1. Create a text box and set the word size to 50 2. Click with the right button and "Edit link" 3. Put...

CVSS 3.5, AI score 1.4, EPSS 0.00206
Exploits: 1, References: 2
Total number of security vulnerabilities: 4058