SSRF via IPv6 address 2
Description While searching online, I found that https://stackoverflow.com/questions/53764109/is-there-a-java-api-that-will-identify-the-ipv6-address-fd00-as-local-private also states that fc00 / fd00 are private IPv6 ranges that are weirdly not covered by INetAddress, meaning that it has to be do...
Use After Free
Description Use After Free in gpac. Proof of Concept: MP4Box -bt POC1 (POC1 is here). ASAN: ==74043==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000003fd0 at pc 0x7f0c5374e845 bp 0x7ffcfc56f2b0 sp 0x7ffcfc56f2a8 READ of size 8 at 0x604000003fd0 thread T0 #0 0x7f0c5374e844 in...
Server Side Request Forgery via location header
Description It is possible to bypass the current SSRF checks using a redirection via the Location header. Proof of Concept 1. Mock a redirect endpoint using https://beeceptor.com/ 2. Add Location: http://localhost:1122 as a response header and set the status code to 301 3. Listen on port 1122 4. Acces...
The publify application allows large characters to be inserted in the input fields "First name and Last name" on the profile page, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in publify / publify
Description The publify application allows large characters to be inserted in the input fields "First name and Last name", which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. Proof of Concept 1 - Go to your profile https://demo-publify.herokuapp.com/admin/profiles 2 -...
Allowing long password leads to denial of service in polonel/trudesk
Description The trudesk application allows sending a very long password (10000000 characters); it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing...
Cross-Site Request Forgery (CSRF)
Summary: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. ... If the victim is an administrative account, CSRF can compromise the entire web application. Steps To Reproduce: 1. Create a...
Path Traversal in WellKnownServlet
Description The WellKnownServlet is vulnerable to path traversal. This allows reading local files. For example, the files in WEB-INF that contain secrets and API keys can be read. https://github.com/jgraph/drawio/blob/v18.0.4/src/main/java/com/mxgraph/online/WellKnownServlet.java#L40-L66 java Strin...
Leakage of third-party OAuth token via redirect
Description The application allows the usage of third parties to store the files, such as Google Drive, Github, Gitlab, etc. It's possible to bypass the protection of the redirect parameter and redirect the user and the OAuth token to an attacker-controlled site. Proof of Concept 1. An attacker...
The trudesk application allows large characters to be inserted in the input field "Full Name" on the signup form, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
POC: 1. Go to the signup form: http://127.0.0.1:8118/signup 2. Fill the Full Name input field with huge characters (more than lakhs or crores) 3. After creating the account, check the admin panel: http://127.0.0.1:8118/accounts, go to Accounts -> Customers 4. The admin panel will be flooded with our...
HTML Injection leads to cross-site scripting
Description Hi, I found a way to inject HTML in the user's email. So in this case, if an attacker sets the name of the victim as an HTML form, it will be rendered by your system and then the rendered HTML will be sent to the victim. Proof of Concept 1. Go to https://paraio.com/signup/ and in the name field add this payload...
Local file inclusion
Description https://app.diagrams.net/embed2.js?&fetch= is used to fetch data. I tried to perform SSRF by extracting Google Cloud metadata but was unable to, but I am still able to fetch server files like /etc/passwd. Proof of Concept 1. Visit https://app.diagrams.net/embed2.js?&fetch= 2. Ent...
XSS using .xsig file
Description XSS using .xsig file. Proof of Concept 1. Save this file as test.xsig and upload it to http://localhost/ListAttachedFile 2. Now view this file in the Chrome browser and see that the XSS is executed...
XSS bypass of https://huntr.dev/bounties/4bc8f164-faf8-4096-aa00-e439fa976876/
Description XSS bypass of https://huntr.dev/bounties/4bc8f164-faf8-4096-aa00-e439fa976876/ Tested browser: Google Chrome. Proof of Concept This bug has been fixed by setting the text/xml content-type. But this can also be bypassed. Save the below file as test.xml. Upload this and view the file and see...
NULL Pointer Dereference in function vim_regexec_string
Description NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input. vim version: git log commit 31ad32a325cc31f0f2bdd530c68bfb856a2187c5 (HEAD -> master, tag: v8.2.4949, origin/master, origin/HEAD)...
XSS via filename
Description XSS using filename. Proof of Concept 1. First download this file https://github.com/ranjit-git/poc/blob/master/xss%22'%3E%3Cimg%20src%3Dx%20onerror%3Dalert123%3E.jpeg%3E.jpeg to your system. Don't change the filename. A filename like xss"'.jpeg will be created on a Linux system. In...
Buffer Over-read in function grab_file_name
Description Buffer Over-read in function grab_file_name at findfile.c:1947. vim version: git log commit 31ad32a325cc31f0f2bdd530c68bfb856a2187c5 (HEAD -> master, tag: v8.2.4949, origin/master, origin/HEAD). POC: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch5s.dat -c :qa!...
SSRF in editor's proxy via IPv6 link-local address
Description The proxy server does not check for link-local IPv6 addresses. In https://github.com/jgraph/drawio/blob/dev/src/main/java/com/mxgraph/online/ProxyServlet.java#L255-L257, it checks for local IP addresses. It is missing the link-local IPv6 address check -...
Improper Control of a Resource Through its Lifetime in the input field "Bookmark Tabs"
Description The Organizr application allows large characters to be inserted in the input field "Bookmark Tabs", which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. Proof of Concept 1. Login to the application 2. Go to "Tab Editor" -> "Bookmark Tabs". 3. Click on the +...
XSS filter bypass
Description XSS check bypass. Proof of Concept I see you fixed https://huntr.dev/bounties/31aba7c9-edcf-44bf-9fd8-ca15d1fa53c8/ by using if (!empty($this->web) && !filter_var($this->web, FILTER_VALIDATE_URL)). But this can be bypassed easily and cause XSS. FILTER_VALIDATE_URL can be bypassed using url...
The microweber application allows large characters to be inserted in the input field "Email", which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
POC: 1. Go to the home page http://127.0.0.1/ and there will be an option to sign up with email and phone number with 3 check boxes 2. Screenshot: -- https://ibb.co/F3tPVWY 3. Fill the email parameter with huge characters 4. When the admin checks the notifications at http://127.0.0.1/admin/notification it will b...
Cross Site Request Forgery at refreshing watch list for courses
Description Hi there autolab maintainers, there is a CSRF in the autolab source code in refreshing the watch list due to usage of the GET method. Proof of Concept 1. Install a local instance of autolab and create a course 2. Access the link /courses//metrics/refreshwatchlistinstances and see that any...
RCE in the Desktop App because of Unsafe Link Handling
Description URLs or links in a diagram are passed to shell.openExternal without additional validation. This is a dangerous function and can be exploited when URLs with arbitrary schemes are passed to it. It allows code execution through various methods, as described in detail here: -...
SSRF on /proxy
Description draw.io is vulnerable to SSRF on the /proxy endpoint. It's trivial to bypass the protections on checkUrlParameter. Proof of Concept 1. Make a request to proxy?url=http%3a//0:8080/ GET /proxy?url=http%3a//0:8080/ HTTP/1.1 Host: 127.0.0.1:8080 sec-ch-ua: "NotA:Brand";v="8",...
SSRF via Unvalidated Redirects in ProxyServlet
Description Through the ProxyServlet external content can be retrieved. This can be done by providing a URL in the url query parameter. There are a few restrictions in place, especially internal hosts are forbidden. The validation of the url parameter looks as follows:...
Improper Privilege Management API V2
Description There are some API v2 endpoints that don't check permissions, allowing attackers to retrieve/edit ticket, account, group, department, team and ElasticSearch information. Proof of Concept Get users list 1. Login. 2. Go to /api/v2/accounts?type=all. 3. Users list returned. Create user with admin role 1. Get the adm...
Able to create a user with a long password as well as a long username
Issue Description: Any admin may be able to create a user and allocate the credentials, but when the admin creates a user account, the first name, last name and password fields have no defined length limit; this scenario causes application-level DoS to snipe-it. What's the...
Unrestricted File Upload and Path Traversal in upload image
Description The uploadImage function in accountsController takes the file path and extension from users. An attacker can change the path and extension to upload a dangerous file anywhere on the server. Proof of Concept 1. Login 2. Upload profile image 3. Capture the request, modify username and filename POS...
Register users in spite of Allow User Registration disabled
Description An attacker can register a user in spite of Allow User Registration being disabled by default. Proof of Concept 1. Go to /captcha, get the captcha value and cookie. 2. Send a POST request to /api/v1/public/account/create with the value of the captcha and cookie from step 1. //POST...
Cross-site scripting and open redirect vulnerability on Rock RMS Login Page
Description The Rock RMS login page has a returnUrl parameter that is used to set window.location.href when the user has successfully logged in. An attacker can include a malicious JavaScript payload using a link crafted with the payload in the returnUrl parameter, such as 'javascript:...', that ...
Account Takeover
Description In this case I found that an API endpoint is leaking password and username. Proof of Concept 1. An admin adds a new secretary with access to providers 2. The secretary sends a POST request to the https://demo.easyappointments.org/index.php/backend_api/ajax_get_calendar_appointments endpoint 3. If selecte...
Allocation of Resources Without Limits in "Bookmark Categories"
Description The Organizr application allows large characters to be inserted in the input field "Bookmark Categories", which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. Proof of Concept 1. Login to the application 2. Go to "Tab Editor" -> "Categories" -> "Bookmark...
Uncontrolled Resource Consumption in "Category Editor"
Description The Organizr application allows large characters to be inserted in the input field "Category Editor", which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. Proof of Concept 1. Login to the application 2. Go to "Tab Editor" -> "Categories". 3. Click on the +...
Allowing long password leads to denial of service
Description The Organizr application allows sending a very long password (10000000 characters); it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing...
Uncontrolled Resource Consumption
Description The Organizr application allows large characters to be inserted in the input field "Username", which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. Proof of Concept 1. Sign up to the application, capture the request in Burp Suite, and send it to Repeater...
Heap-based Buffer Overflow
Description Heap-based Buffer Overflow in msp430_op. Environment: radare2 5.6.9 0 @ linux-x86-64 git. commit: 5.6.9 build: 2022-05-01 12:17:49. Build: export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...
Cross-site Request Forgery in running schedule by using GET method.
Description There is a CSRF in the autolab source code in running the scheduler due to usage of the GET method. Proof of Concept 1. Install a local instance of autolab 2. Go to /courses//schedulers and create a schedule 3. Access the link courses//schedulers//run and see that the scheduler is running...
Stored XSS in application name.
Description Hi there, there is a stored XSS in the OAuth application name. Proof of Concept 1. Install a local instance of Autolab. 2. Go to /oauth/applications and create a new application with name . 3. Click on Authorize and see that a pop-up appears with the user's cookies. Link to POC...
Stored XSS due to the setting text/xml mime type for xml files
Description Hi, the patch for the previous XSS vulnerability (Cross-site scripting - Reflected via upload .xml file) looks incomplete. It just sets the mime type to text/xml for XML files to avoid XSS. However, this one can also be used to perform XSS. Since an XML file can contain HTML...
Cross-site Scripting (XSS) - Stored
Description openemr / openemr is vulnerable to Cross-site Scripting (XSS) - Stored. Proof of Concept // PoC: alert(document.cookie) Steps to reproduce: 1. Login to the OpenEMR patient portal https://demo.openemr.io/openemr/portal/index.php 2. Go to My Profile at https://demo.openemr.io/openemr/portal/home.php...
Cross-site Scripting (XSS) in Search Function with filter
Description There is an XSS that could be triggered via the search function in the number filter. Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of...
Set cookie for different domain
Description It is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header. Proof of Concept php true; $client->request("GET", "https://.free.beeceptor.com/setcookie"); $cookies = $client->getConfig('cookies')->toArray(); print_r($cookies); ?> You can us...
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733
Description NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input. vim version: git log commit b370771bffc8395204f53209b69e35dff95a9237 (HEAD -> master, tag: v8.2.4922, origin/master, origin/HEAD) POC...
Reflected Cross-site scripting
Description When a user adds a new product with a supplier, the supplier reference field is responsible for reflected XSS. Proof of Concept 1. Navigate to http://localhost/invoices/EditProducto?code=1&action=save-ok and go to the supplier tab 2. Click on Add and in the "Supplier reference" field add hey...
Account Takeover
Description Hi there, I found that the forgot password functionality can be manipulated and this leads to account takeover. So an attacker can even take over admin accounts from a low-access user. In this bug the server is vulnerable to a PHP type juggling attack. Proof of Concept 1. While registering the app for...
Stored XSS
Description Hi, I found stored XSS due to the website field. Proof of Concept 1. Create a new non-admin account 2. Login and go to http://localhost/invoices/EditAgenciaTransporte, add a new user with the website link set to "javascript:confirm(document.domain)" 3. Save the user and navigate to http://localhost/invoices/...
Null pointer dereference in libr/bin/format/mach0/mach0.c in radareorg/radare2
This vulnerability is of type heap-buffer-overflow. And after a quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in the latest stable release radare2-5.6.8 and the latest master branch 5a9e0a19ba07e35382776fed9da2649ac824f526, updated in M...
Cross-site Scripting (XSS) - Reflected
Description Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept 1. Login as admin (administrator / administrator). 2. Access this URL...
Google Storage Bucket Takeover which is getting used in github repository "github.com/wardviaene/kubernetes-course"
Description wardviaene has an open-source project, kubernetes-course. In the project, there is a README file which contains installation instructions for helm. Those instructions suggest downloading the helm binary from a Google bucket which was not registered on GCP. So I was able to takeov...
Authentication Bypass Using an Alternate Path or Channel
Steps to reproduce 1. Log into the Administrator account 2. Navigate to the User section 3. Create a new User, call it testUser (pass is 12345678) 4. Navigate to the Groups section and create a new group, call it testGroup 5. Give the "manage:group" permission to testGroup and assign testUser...
Reflected XSS using URL-based payload
Description Hi there, I found that the url parameter is not verified by the server, so an attacker can use the javascript scheme to run XSS in the user's browser. Proof of Concept 1. Visit this page http://localhost/invoices/EditPageOption?code=ListProducto-new&url=javascript:prompt(2) 2. Click on the back button PoC:-...