4072 matches found
Stored XSS
Description Stored XSS in ListAgenciaTransporte module in facturascripts is triggered when clicking the scrolling middle mouse button. Proof of Concept 1.Create a new non-admin account 2.Login and goto http://localhost/invoices/EditAgenciaTransporte 3.Add new user with website link to...
SSRF in embed2 servlet via redirects
Description Embed2Servlet uses url.OpenConnection in https://github.com/jgraph/drawio/blob/7a68ebe22a64fe722704e9c4527791209fee2034/src/main/java/com/mxgraph/online/EmbedServlet2.javaL400 which follows redirects by default. However, the redirections are not being checked, hence it is possible to...
Weak Password Policy
Description I would like to let you know about the password management issue. Proof of Concept 1- Go to your Profile or https://docker.trudesk.io/profile 2- Give a password as simple as 12345678. You can see you will be password has been changed and there is no strong enforcement...
Stored Cross Site Scripting on "Add user" field
Steps to reproduce: 1. Go to settings-- Access controls -- Add user 2. Payload = """ 3. Add XSS payload as username and create a new user 4. After creating the user, click on delete button and the XSS will be triggered POC Screenshot:...
The trudesk application allows large characters to insert in the input field "Name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in polonel / trudesk
Proof of Concept 1 - Go to Profile or https://docker.trudesk.io/profile 2 - and fill name input field with huge characters Payload :- https://drive.google.com/file/d/17-SH8ZaTqBTQGugpbh2SQtTKnJOL9NIK/view?usp=sharing Video POC :-...
Application Level DoS:
Description Hey, when I attempt to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level...
Application Level DoS:
Description Hey, when I attempt to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level...
Insufficient Session Expiration
Description If the admin changes the password of a user and if the user already login so application failed to invalidate the session after changing the password as a result changing the password doesn't destroy the other sessions which are logged in with old passwords. Proof of Concept 1.Login...
Out-of-bounds write in function vim_regsub_both
Description Out-of-bounds write in function vimregsubboth at regexp.c:1954 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pocobws.dat -c :qa!...
Infinite recursive function calls result in stack overflow
Description When providing certain input, the program will enter an infinite loop where it continually calls: getexprregister - cmdlinehandlebackslashkey - getcmdline - getcmdlineint - cmdlinehandlebackslashkey - getexprregister - etc. GDB shell Thread debugging using libthreaddb enabled Using ho...
Buffer Over-read in function get_one_sourceline
Description Buffer Over-read in function getonesourceline at scriptfile.c:1976 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch6s.dat -c :qa...
heap-use-after-free in function find_pattern_in_path
Description heap-use-after-free in function findpatterninpath at search.c:3683 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/pochuafs.dat -c...
Regex check failed leads to CORS bypass
Description ProxyServlet will call getCorsDomain to get value and set it to Access-Control-Allow-Origin. This check only allow accept sharing with .draw.io, .diagrams.net and .quipelements.com. However, I found that regex to match must not start with ^ leads to bypass. Proof of Concept Step 1: Ca...
Stored XSS on drawio
Sumary Draw io has a feature to put links on a text, due to a bad sanitization it allows to put javascript:// scheme on a anchor tag which allows to execute javascript code Steps to reproduce 1. Create a text box and set word size to 50 2. Click with the rigth button and "Edit link" 3. Put...
SSRF via IPv6 address 2
Description While searching online, I found that https://stackoverflow.com/questions/53764109/is-there-a-java-api-that-will-identify-the-ipv6-address-fd00-as-local-private also states fc00 / fd00 are also private IPv6 range that are weirdly not covered by INetAddress, meaning that it has to be do...
Use After Free
Description Use After Free in gpac Proof of Concept MP4Box -bt POC1 POC1 is here ASAN ==74043==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000003fd0 at pc 0x7f0c5374e845 bp 0x7ffcfc56f2b0 sp 0x7ffcfc56f2a8 READ of size 8 at 0x604000003fd0 thread T0 0 0x7f0c5374e844 in...
Server Side Request Forgery via location header
Description It is possible to bypass current SSRF checks using a redirection via the location header. Proof of Concept 1. Mock a redirect endpoint using https://beeceptor.com/ 2. Add Location: http://localhost:1122as a response header and set the status code to 301 3. Listen on port 1122 4. Acces...
The publify application allows large characters to insert in the input field "First name and Last name" on the profile field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in publify / publify
Description The publify application allows large characters to insert in the input field "First name and Last name" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request Proof of Concept 1 - go to your profile https://demo-publify.herokuapp.com/admin/profiles 2 -...
Allowing long password leads to denial of service in polonel/trudesk
Description The trudesk application allows to sending a very long password 10000000 characters it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing...
Cross-Site Request Forgery (CSRF)
Summary: Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. ... If the victim is an administrative account, CSRF can compromise the entire web application. Steps To Reproduce: 1.Create a...
Path Traversal in WellKnownServlet
Description The WellKnownServlet is vulnerable to path traversal. This allows reading local files. For example the files in WEB-INF that contain secrets and API keys can be read. https://github.com/jgraph/drawio/blob/v18.0.4/src/main/java/com/mxgraph/online/WellKnownServlet.javaL40-L66 java Strin...
Leakage of third-party OAuth token via redirect
Description The application allows the usage of third-parties to store the files, such as Google Drive, Github, Gitlab, etc. It's possible to bypass the protection of the redirect parameter and redirect the user and the OAuth token to an attacker controlled site. Proof of Concept 1. An attacker...
The trudesk application allows large characters to insert in the input field "Full Name" on the signup field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
POC: 1. go to signup form: http://127.0.0.1:8118/signup 2. Fill the Full Name input field with huge charactersmore than lakhs or crores 3. After created the account, check the admin panel: http://127.0.0.1:8118/accounts, go to Accounts -- customers 4. The admin panel will be flooded with our...
Html Injection lead to cross site scripting
Description Hi i Found a way to inject html in user's email. So in this case if a attacker set name of victim as html form it will be rendered by your system and then the render html will be sent to the victim Proof of Concept 1. Goto https://paraio.com/signup/ and in name field add this payload...
Local file inclusion
Description https://app.diagrams.net/embed2.js?&fetch= is used to fetch data and i tried to perform ssrf by extracting google cloud metadata but was unable to do but i am still able to fetch server files like /etc/passwd. Proof of Concept 1. Visit https://app.diagrams.net/embed2.js?&fetch= 2. Ent...
xss using .xsig file
Description xss using .xsig file Proof of Concept 1. Save this file as test.xsig file and upload it to http://localhost/ListAttachedFile 2. now view this file in chrome browser and see xss is executed...
xss bypass of https://huntr.dev/bounties/4bc8f164-faf8-4096-aa00-e439fa976876/
Description xss bypass of https://huntr.dev/bounties/4bc8f164-faf8-4096-aa00-e439fa976876/ TESTED BROWSER google chrome Proof of Concept this bug has been fixed by setting text/xml content-type .\ But this can also be bypassed . Save bellow file as test.xml . Upload this and view the file and see...
NULL Pointer Dereference in function vim_regexec_string
Description NULL Pointer Dereference in function vimregexecstring at regexp.c:2733 allows attackers to cause a denial of service application crash via a crafted input. vim version git log commit 31ad32a325cc31f0f2bdd530c68bfb856a2187c5 HEAD - master, tag: v8.2.4949, origin/master, origin/HEAD...
xss vi filename
Description xss using filename Proof of Concept 1. First download this file https://github.com/ranjit-git/poc/blob/master/xss%22'%3E%3Cimg%20src%3Dx%20onerror%3Dalert123%3E.jpeg%3E.jpeg in your system . Dont change the filename . \ Filename like xss"'.jpeg will be created in linux system . In...
Buffer Over-read in function grab_file_name
Description Buffer Over-read in function grabfilename at findfile.c:1947 vim version git log commit 31ad32a325cc31f0f2bdd530c68bfb856a2187c5 HEAD - master, tag: v8.2.4949, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch5s.dat -c :qa!...
SSRF in editor's proxy via IPv6 link-local address
Description The proxy server does not check for link-local IPv6 addresses In https://github.com/jgraph/drawio/blob/dev/src/main/java/com/mxgraph/online/ProxyServlet.javaL255L257, it checks for local IP addresses. It is missing the link-local IPv6 address check -...
Improper Control of a Resource Through its Lifetime in the input field "Bookmark Tabs"
Description The Organizr application allows large characters to insert in the input field "Bookmark Tabs" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Login to the application 2.Go to "Tab Editor" - "Bookmark Tabs". 3.Click on the +...
xss filter bypass
Description xss check bypass Proof of Concept i see you you fixed https://huntr.dev/bounties/31aba7c9-edcf-44bf-9fd8-ca15d1fa53c8/ by using if !empty$this-web && !filtervar$this-web, FILTERVALIDATEURL .\ But this can be bypassed easily and cause xss .\ FILTERVALIDATEURL can be bypassed using url...
The microweber application allows large characters to insert in the input field "Email" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
POC: 1. Go to home page http://127.0.0.1/ and there will a option to signup with email and phone number with 3 check box 2. Screenshot: -- https://ibb.co/F3tPVWY 3. Fill the email parameter with huge characters 4. when the admin check the notification http://127.0.0.1/admin/notification it will b...
Cross Site Request Forgery at refreshing watch list for courses
Description Hi there autolab maintainers, there is a CRSF in autolab source code in refreshing watch list due to usage of GET method. Proof of Concept 1. Install a local instance of autolab and create a course 2. Access the link /courses//metrics/refreshwatchlistinstances and see that any...
RCE in the Desktop App because of Unsafe Link Handling
Description URLs or links in a diagram are passed to shell.openExternal without additional validation. This is a dangerous function and can be exploited when URLs with arbitrary schemes are passed to it. It allows code execution through various methods, as described in detail here: -...
SSRF on /proxy
Description draw.io is vulnerable to SSRF on the /proxy endpoint. It's trivial to bypass the protections on checkUrlParameter. Proof of Concept 1. Make a request to proxy?url=http%3a//0:8080/ GET /proxy?url=http%3a//0:8080/ HTTP/1.1 Host: 127.0.0.1:8080 sec-ch-ua: "NotA:Brand";v="8",...
SSRF via Unvalidated Redirects in ProxyServlet
Description Through the ProxyServlet external content can be retrieved. This can be done by providing a URL in the url query parameter. There are a few restrictions in place, especially internal hosts are forbidden. The validation of the url parameter looks as follows:...
Improper Privilege Management API V2
Description There are some api v2 doesn't check permission allow attackers to retrieve/edit information ticket,account,group,department,team,ElasticSearch Proof of Concept Get users list 1. Login. 2. Go to /api/v2/accounts?type=all. 3. Users list return. Create user with admin role 1. Get the adm...
Able to create an user with a long password as well as long username
Issue Description: Any admin may able to create and allocate user the credentials but when admin creates a user account where as the fields with the first name , last name and password has no defined length limit where as this scenario causes the application level DOS to the snipe-it What's the...
Unrestricted File Upload and Path Traversal in upload image
Description The uploadImage function in accountsController take file path and extension from users . An attacker can change the path and extension to upload dangerous file to anywhere in server. Proof of Concept 1. Login 2. Upload profile image 3. Capture request, modify username and filename POS...
Register users in spite of Allow User Registration disabled
Description Attacker can register a user in spite of the Allow User Registration is disable by default. Proof of Concept 1. Go to /captcha, get the captcha value and cookie. 2. Send POST request to /api/v1/public/account/create with the value of captcha and cookie in step 1. //POST...
Cross-site scripting and open redirect vulnerability on Rock RMS Login Page
Description The Rock RMS login page has a returnUrl parameter that is used to set window.location.href when the user has successfully logged in. An attacker can include a malicious JavaScript payload using a link crafted with the payload in the returnUrl parameter, such as 'javascript:...', that ...
Account Takeover
Description In this case i found that api endpoint Leaking password and username. Proof of Concept 1. An Admin add a new secretary with access to providers 2. Secretary send a post request to https://demo.easyappointments.org/index.php/backendapi/ajaxgetcalendarappointments endpoint 3. If selecte...
Allocation of Resources Without Limits in "Bookmark Categories"
Description The Organizr application allows large characters to insert in the input field "Bookmark Categories" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Login to the application 2.Go to "Tab Editor" - "Categories" - "Bookmark...
Uncontrolled Resource Consumption in "Category Editor"
Description The Organizr application allows large characters to insert in the input field "Category Editor" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Login to the application 2.Go to "Tab Editor" - "Categories" . 3.Click on the +...
Allowing long password leads to denial of service
Description The Organizr application allows to sending a very long password 10000000 characters it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing...
Uncontrolled Resource Consumption
Description The Organizr application allows large characters to insert in the input field "Username" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Sign up to the application, capture the request in burp suites, and send it to Repeater...
Heap-based Buffer Overflow
Description Heap-based Buffer Overflow in msp430op Environment radare2 5.6.9 0 @ linux-x86-64 git. commit: 5.6.9 build: 2022-05-0112:17:49 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...
Cross site Request Forgery in running schedule by using GET method.
Description There is a CRSF in autolab source code in running scheduler due to usage of GET method. Proof of Concept 1. Install a local instance of autolab 2. Go to /courses//schedulers and create a schedule 3. Access the link courses//schedulers//run and see that the schedulers is running...