Lucene search
K

4072 matches found

Huntr
Huntr
•added 2022/05/18 4:44 a.m.•6 views

Stored XSS

Description Stored XSS in ListAgenciaTransporte module in facturascripts is triggered when clicking the scrolling middle mouse button. Proof of Concept 1.Create a new non-admin account 2.Login and goto http://localhost/invoices/EditAgenciaTransporte 3.Add new user with website link to...

6.1AI score
Exploits0References1
Huntr
Huntr
•added 2022/05/18 3:8 a.m.•69 views

SSRF in embed2 servlet via redirects

Description Embed2Servlet uses url.OpenConnection in https://github.com/jgraph/drawio/blob/7a68ebe22a64fe722704e9c4527791209fee2034/src/main/java/com/mxgraph/online/EmbedServlet2.javaL400 which follows redirects by default. However, the redirections are not being checked, hence it is possible to...

5CVSS7.5AI score0.01686EPSS
Exploits1
Huntr
Huntr
•added 2022/05/17 6:8 p.m.•37 views

Weak Password Policy

Description I would like to let you know about the password management issue. Proof of Concept 1- Go to your Profile or https://docker.trudesk.io/profile 2- Give a password as simple as 12345678. You can see you will be password has been changed and there is no strong enforcement...

7.5CVSS9.3AI score0.02095EPSS
Exploits1References1
Huntr
Huntr
•added 2022/05/17 3:56 p.m.•10 views

Stored Cross Site Scripting on "Add user" field

Steps to reproduce: 1. Go to settings-- Access controls -- Add user 2. Payload = """ 3. Add XSS payload as username and create a new user 4. After creating the user, click on delete button and the XSS will be triggered POC Screenshot:...

0.3AI score
Exploits0
Huntr
Huntr
•added 2022/05/16 7:24 p.m.•29 views

The trudesk application allows large characters to insert in the input field "Name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in polonel / trudesk

Proof of Concept 1 - Go to Profile or https://docker.trudesk.io/profile 2 - and fill name input field with huge characters Payload :- https://drive.google.com/file/d/17-SH8ZaTqBTQGugpbh2SQtTKnJOL9NIK/view?usp=sharing Video POC :-...

4CVSS2.4AI score0.00977EPSS
Exploits1References2
Huntr
Huntr
•added 2022/05/16 6:27 p.m.•9 views

Application Level DoS:

Description Hey, when I attempt to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level...

7.2AI score
Exploits0References1
Huntr
Huntr
•added 2022/05/16 6:8 p.m.•9 views

Application Level DoS:

Description Hey, when I attempt to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level...

7.2AI score
Exploits0References1
Huntr
Huntr
•added 2022/05/16 5:45 p.m.•10 views

Insufficient Session Expiration

Description If the admin changes the password of a user and if the user already login so application failed to invalidate the session after changing the password as a result changing the password doesn't destroy the other sessions which are logged in with old passwords. Proof of Concept 1.Login...

7.1AI score0.02432EPSS
Exploits1References1
Huntr
Huntr
•added 2022/05/16 1:43 p.m.•39 views

Out-of-bounds write in function vim_regsub_both

Description Out-of-bounds write in function vimregsubboth at regexp.c:1954 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobws.dat -c :qa!...

4.6CVSS7.5AI score0.00489EPSS
Exploits1
Huntr
Huntr
•added 2022/05/16 12:53 p.m.•40 views

Infinite recursive function calls result in stack overflow

Description When providing certain input, the program will enter an infinite loop where it continually calls: getexprregister - cmdlinehandlebackslashkey - getcmdline - getcmdlineint - cmdlinehandlebackslashkey - getexprregister - etc. GDB shell Thread debugging using libthreaddb enabled Using ho...

4.3CVSS0.5AI score0.01159EPSS
Exploits1
Huntr
Huntr
•added 2022/05/16 11:20 a.m.•21 views

Buffer Over-read in function get_one_sourceline

Description Buffer Over-read in function getonesourceline at scriptfile.c:1976 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch6s.dat -c :qa...

4.6CVSS6.8AI score0.00373EPSS
Exploits0
Huntr
Huntr
•added 2022/05/16 10:58 a.m.•22 views

heap-use-after-free in function find_pattern_in_path

Description heap-use-after-free in function findpatterninpath at search.c:3683 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pochuafs.dat -c...

6.8CVSS7AI score0.01097EPSS
Exploits1
Huntr
Huntr
•added 2022/05/16 3:45 a.m.•7 views

Regex check failed leads to CORS bypass

Description ProxyServlet will call getCorsDomain to get value and set it to Access-Control-Allow-Origin. This check only allow accept sharing with .draw.io, .diagrams.net and .quipelements.com. However, I found that regex to match must not start with ^ leads to bypass. Proof of Concept Step 1: Ca...

0.2AI score
Exploits0
Huntr
Huntr
•added 2022/05/15 4:27 p.m.•26 views

Stored XSS on drawio

Sumary Draw io has a feature to put links on a text, due to a bad sanitization it allows to put javascript:// scheme on a anchor tag which allows to execute javascript code Steps to reproduce 1. Create a text box and set word size to 50 2. Click with the rigth button and "Edit link" 3. Put...

3.5CVSS1.4AI score0.00579EPSS
Exploits1References2
Huntr
Huntr
•added 2022/05/15 4:25 p.m.•11 views

SSRF via IPv6 address 2

Description While searching online, I found that https://stackoverflow.com/questions/53764109/is-there-a-java-api-that-will-identify-the-ipv6-address-fd00-as-local-private also states fc00 / fd00 are also private IPv6 range that are weirdly not covered by INetAddress, meaning that it has to be do...

0.3AI score
Exploits0
Huntr
Huntr
•added 2022/05/15 1:54 p.m.•24 views

Use After Free

Description Use After Free in gpac Proof of Concept MP4Box -bt POC1 POC1 is here ASAN ==74043==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000003fd0 at pc 0x7f0c5374e845 bp 0x7ffcfc56f2b0 sp 0x7ffcfc56f2a8 READ of size 8 at 0x604000003fd0 thread T0 0 0x7f0c5374e844 in...

7.5CVSS8.4AI score0.00972EPSS
Exploits1
Huntr
Huntr
•added 2022/05/15 12:39 p.m.•243 views

Server Side Request Forgery via location header

Description It is possible to bypass current SSRF checks using a redirection via the location header. Proof of Concept 1. Mock a redirect endpoint using https://beeceptor.com/ 2. Add Location: http://localhost:1122as a response header and set the status code to 301 3. Listen on port 1122 4. Acces...

5CVSS7.6AI score0.01698EPSS
Exploits1References1
Huntr
Huntr
•added 2022/05/15 10:43 a.m.•61 views

The publify application allows large characters to insert in the input field "First name and Last name" on the profile field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in publify / publify

Description The publify application allows large characters to insert in the input field "First name and Last name" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request Proof of Concept 1 - go to your profile https://demo-publify.herokuapp.com/admin/profiles 2 -...

7.5CVSS2.2AI score0.30778EPSS
Exploits1References2
Huntr
Huntr
•added 2022/05/15 9:49 a.m.•27 views

Allowing long password leads to denial of service in polonel/trudesk

Description The trudesk application allows to sending a very long password 10000000 characters it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing...

4CVSS0.1AI score0.00907EPSS
Exploits1References1
Huntr
Huntr
•added 2022/05/15 7:16 a.m.•7 views

Cross-Site Request Forgery (CSRF)

Summary: Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. ... If the victim is an administrative account, CSRF can compromise the entire web application. Steps To Reproduce: 1.Create a...

2AI score
Exploits0References3
Huntr
Huntr
•added 2022/05/14 10:1 p.m.•37 views

Path Traversal in WellKnownServlet

Description The WellKnownServlet is vulnerable to path traversal. This allows reading local files. For example the files in WEB-INF that contain secrets and API keys can be read. https://github.com/jgraph/drawio/blob/v18.0.4/src/main/java/com/mxgraph/online/WellKnownServlet.javaL40-L66 java Strin...

5CVSS7.5AI score0.0215EPSS
Exploits1
Huntr
Huntr
•added 2022/05/14 7:29 p.m.•53 views

Leakage of third-party OAuth token via redirect

Description The application allows the usage of third-parties to store the files, such as Google Drive, Github, Gitlab, etc. It's possible to bypass the protection of the redirect parameter and redirect the user and the OAuth token to an attacker controlled site. Proof of Concept 1. An attacker...

5.8CVSS6.7AI score0.01125EPSS
Exploits1
Huntr
Huntr
•added 2022/05/14 1:35 p.m.•38 views

The trudesk application allows large characters to insert in the input field "Full Name" on the signup field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request

POC: 1. go to signup form: http://127.0.0.1:8118/signup 2. Fill the Full Name input field with huge charactersmore than lakhs or crores 3. After created the account, check the admin panel: http://127.0.0.1:8118/accounts, go to Accounts -- customers 4. The admin panel will be flooded with our...

5CVSS2.4AI score0.00986EPSS
Exploits1References2
Huntr
Huntr
•added 2022/05/14 12:55 p.m.•24 views

Html Injection lead to cross site scripting

Description Hi i Found a way to inject html in user's email. So in this case if a attacker set name of victim as html form it will be rendered by your system and then the render html will be sent to the victim Proof of Concept 1. Goto https://paraio.com/signup/ and in name field add this payload...

4.3CVSS0.00917EPSS
Exploits1
Huntr
Huntr
•added 2022/05/14 12:37 p.m.•46 views

Local file inclusion

Description https://app.diagrams.net/embed2.js?&fetch= is used to fetch data and i tried to perform ssrf by extracting google cloud metadata but was unable to do but i am still able to fetch server files like /etc/passwd. Proof of Concept 1. Visit https://app.diagrams.net/embed2.js?&fetch= 2. Ent...

5CVSS7.4AI score0.0164EPSS
Exploits1
Huntr
Huntr
•added 2022/05/14 6:25 a.m.•22 views

xss using .xsig file

Description xss using .xsig file Proof of Concept 1. Save this file as test.xsig file and upload it to http://localhost/ListAttachedFile 2. now view this file in chrome browser and see xss is executed...

7.1AI score
Exploits0
Huntr
Huntr
•added 2022/05/14 5:56 a.m.•8 views

xss bypass of https://huntr.dev/bounties/4bc8f164-faf8-4096-aa00-e439fa976876/

Description xss bypass of https://huntr.dev/bounties/4bc8f164-faf8-4096-aa00-e439fa976876/ TESTED BROWSER google chrome Proof of Concept this bug has been fixed by setting text/xml content-type .\ But this can also be bypassed . Save bellow file as test.xml . Upload this and view the file and see...

7.2AI score
Exploits0
Huntr
Huntr
•added 2022/05/14 3:25 a.m.•32 views

NULL Pointer Dereference in function vim_regexec_string

Description NULL Pointer Dereference in function vimregexecstring at regexp.c:2733 allows attackers to cause a denial of service application crash via a crafted input. vim version git log commit 31ad32a325cc31f0f2bdd530c68bfb856a2187c5 HEAD - master, tag: v8.2.4949, origin/master, origin/HEAD...

1.9CVSS1.2AI score0.00517EPSS
Exploits1References2
Huntr
Huntr
•added 2022/05/13 7:54 p.m.•12 views

xss vi filename

Description xss using filename Proof of Concept 1. First download this file https://github.com/ranjit-git/poc/blob/master/xss%22'%3E%3Cimg%20src%3Dx%20onerror%3Dalert123%3E.jpeg%3E.jpeg in your system . Dont change the filename . \ Filename like xss"'.jpeg will be created in linux system . In...

0.4AI score
Exploits0
Huntr
Huntr
•added 2022/05/13 6:14 p.m.•36 views

Buffer Over-read in function grab_file_name

Description Buffer Over-read in function grabfilename at findfile.c:1947 vim version git log commit 31ad32a325cc31f0f2bdd530c68bfb856a2187c5 HEAD - master, tag: v8.2.4949, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch5s.dat -c :qa!...

6.8CVSS6.9AI score0.02098EPSS
Exploits1
Huntr
Huntr
•added 2022/05/13 5:50 p.m.•37 views

SSRF in editor's proxy via IPv6 link-local address

Description The proxy server does not check for link-local IPv6 addresses In https://github.com/jgraph/drawio/blob/dev/src/main/java/com/mxgraph/online/ProxyServlet.javaL255L257, it checks for local IP addresses. It is missing the link-local IPv6 address check -...

2.1CVSS0.3AI score0.00514EPSS
Exploits1
Huntr
Huntr
•added 2022/05/13 3:38 p.m.•12 views

Improper Control of a Resource Through its Lifetime in the input field "Bookmark Tabs"

Description The Organizr application allows large characters to insert in the input field "Bookmark Tabs" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Login to the application 2.Go to "Tab Editor" - "Bookmark Tabs". 3.Click on the +...

1.5AI score
Exploits0References1
Huntr
Huntr
•added 2022/05/13 2:45 p.m.•7 views

xss filter bypass

Description xss check bypass Proof of Concept i see you you fixed https://huntr.dev/bounties/31aba7c9-edcf-44bf-9fd8-ca15d1fa53c8/ by using if !empty$this-web && !filtervar$this-web, FILTERVALIDATEURL .\ But this can be bypassed easily and cause xss .\ FILTERVALIDATEURL can be bypassed using url...

7.2AI score
Exploits0
Huntr
Huntr
•added 2022/05/13 9:10 a.m.•12 views

The microweber application allows large characters to insert in the input field "Email" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request

POC: 1. Go to home page http://127.0.0.1/ and there will a option to signup with email and phone number with 3 check box 2. Screenshot: -- https://ibb.co/F3tPVWY 3. Fill the email parameter with huge characters 4. when the admin check the notification http://127.0.0.1/admin/notification it will b...

2.5AI score
Exploits0References1
Huntr
Huntr
•added 2022/05/13 8:25 a.m.•12 views

Cross Site Request Forgery at refreshing watch list for courses

Description Hi there autolab maintainers, there is a CRSF in autolab source code in refreshing watch list due to usage of GET method. Proof of Concept 1. Install a local instance of autolab and create a course 2. Access the link /courses//metrics/refreshwatchlistinstances and see that any...

1.5AI score
Exploits0
Huntr
Huntr
•added 2022/05/13 6:4 a.m.•49 views

RCE in the Desktop App because of Unsafe Link Handling

Description URLs or links in a diagram are passed to shell.openExternal without additional validation. This is a dangerous function and can be exploited when URLs with arbitrary schemes are passed to it. It allows code execution through various methods, as described in detail here: -...

6.8CVSS8.7AI score0.01361EPSS
Exploits1References1
Huntr
Huntr
•added 2022/05/13 1:30 a.m.•129 views

SSRF on /proxy

Description draw.io is vulnerable to SSRF on the /proxy endpoint. It's trivial to bypass the protections on checkUrlParameter. Proof of Concept 1. Make a request to proxy?url=http%3a//0:8080/ GET /proxy?url=http%3a//0:8080/ HTTP/1.1 Host: 127.0.0.1:8080 sec-ch-ua: "NotA:Brand";v="8",...

5CVSS7.5AI score0.08667EPSS
Exploits1References2
Huntr
Huntr
•added 2022/05/12 8:3 p.m.•29 views

SSRF via Unvalidated Redirects in ProxyServlet

Description Through the ProxyServlet external content can be retrieved. This can be done by providing a URL in the url query parameter. There are a few restrictions in place, especially internal hosts are forbidden. The validation of the url parameter looks as follows:...

5CVSS0.05372EPSS
Exploits1
Huntr
Huntr
•added 2022/05/12 3:10 p.m.•29 views

Improper Privilege Management API V2

Description There are some api v2 doesn't check permission allow attackers to retrieve/edit information ticket,account,group,department,team,ElasticSearch Proof of Concept Get users list 1. Login. 2. Go to /api/v2/accounts?type=all. 3. Users list return. Create user with admin role 1. Get the adm...

6.5CVSS1.5AI score0.02393EPSS
Exploits1
Huntr
Huntr
•added 2022/05/12 11:40 a.m.•16 views

Able to create an user with a long password as well as long username

Issue Description: Any admin may able to create and allocate user the credentials but when admin creates a user account where as the fields with the first name , last name and password has no defined length limit where as this scenario causes the application level DOS to the snipe-it What's the...

7AI score
Exploits0
Huntr
Huntr
•added 2022/05/12 11:18 a.m.•37 views

Unrestricted File Upload and Path Traversal in upload image

Description The uploadImage function in accountsController take file path and extension from users . An attacker can change the path and extension to upload dangerous file to anywhere in server. Proof of Concept 1. Login 2. Upload profile image 3. Capture request, modify username and filename POS...

6CVSS0.1AI score0.02205EPSS
Exploits1
Huntr
Huntr
•added 2022/05/12 6:57 a.m.•14 views

Register users in spite of Allow User Registration disabled

Description Attacker can register a user in spite of the Allow User Registration is disable by default. Proof of Concept 1. Go to /captcha, get the captcha value and cookie. 2. Send POST request to /api/v1/public/account/create with the value of captcha and cookie in step 1. //POST...

1.3AI score
Exploits0
Huntr
Huntr
•added 2022/05/12 3:7 a.m.•11 views

Cross-site scripting and open redirect vulnerability on Rock RMS Login Page

Description The Rock RMS login page has a returnUrl parameter that is used to set window.location.href when the user has successfully logged in. An attacker can include a malicious JavaScript payload using a link crafted with the payload in the returnUrl parameter, such as 'javascript:...', that ...

0.6AI score
Exploits0References2
Huntr
Huntr
•added 2022/05/11 8:50 p.m.•13 views

Account Takeover

Description In this case i found that api endpoint Leaking password and username. Proof of Concept 1. An Admin add a new secretary with access to providers 2. Secretary send a post request to https://demo.easyappointments.org/index.php/backendapi/ajaxgetcalendarappointments endpoint 3. If selecte...

0.1AI score
Exploits0
Huntr
Huntr
•added 2022/05/11 8:10 p.m.•12 views

Allocation of Resources Without Limits in "Bookmark Categories"

Description The Organizr application allows large characters to insert in the input field "Bookmark Categories" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Login to the application 2.Go to "Tab Editor" - "Categories" - "Bookmark...

2AI score
Exploits0References1
Huntr
Huntr
•added 2022/05/11 7:56 p.m.•18 views

Uncontrolled Resource Consumption in "Category Editor"

Description The Organizr application allows large characters to insert in the input field "Category Editor" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Login to the application 2.Go to "Tab Editor" - "Categories" . 3.Click on the +...

2.1AI score
Exploits0References1
Huntr
Huntr
•added 2022/05/11 7:32 p.m.•32 views

Allowing long password leads to denial of service

Description The Organizr application allows to sending a very long password 10000000 characters it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing...

5CVSS7.6AI score0.01024EPSS
Exploits1References1
Huntr
Huntr
•added 2022/05/11 6:55 p.m.•47 views

Uncontrolled Resource Consumption

Description The Organizr application allows large characters to insert in the input field "Username" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Sign up to the application, capture the request in burp suites, and send it to Repeater...

5CVSS1.4AI score0.01024EPSS
Exploits1References1
Huntr
Huntr
•added 2022/05/11 10:44 a.m.•32 views

Heap-based Buffer Overflow

Description Heap-based Buffer Overflow in msp430op Environment radare2 5.6.9 0 @ linux-x86-64 git. commit: 5.6.9 build: 2022-05-0112:17:49 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...

3.6CVSS7.1AI score0.00427EPSS
Exploits1
Huntr
Huntr
•added 2022/05/11 10:39 a.m.•9 views

Cross site Request Forgery in running schedule by using GET method.

Description There is a CRSF in autolab source code in running scheduler due to usage of GET method. Proof of Concept 1. Install a local instance of autolab 2. Go to /courses//schedulers and create a schedule 3. Access the link courses//schedulers//run and see that the schedulers is running...

1.8AI score
Exploits0
Total number of security vulnerabilities4072