4058 matches found
Buffer Over-read in function find_next_quote
Description Buffer Over-read in function find_next_quote at textobject.c:1663 POC ./vim -u NONE -X -Z -e -s -S ./poch4s.dat -c :qa! ================================================================= ==1740874==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000741a at pc 0x0000010f50...
Heap-based Buffer Overflow in function skip_string
Description Heap-based Buffer Overflow in function skip_string at cindent.c:92 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b (HEAD -> master, tag: v8.2.4962, origin/master, origin/HEAD) POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch7s.dat -c :qa!...
Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept Add Item, and the name is the payload alertlocation...
Authenticated RCE through /admin/settings/email endpoint
Description Craftcms is vulnerable to Command Injection on the email settings, on the /admin/settings/email endpoint. An attacker can send a POST request with a specially crafted transportTypescraft\mail\transportadapters\Sendmailcommand= parameter to inject arbitrary commands that will be execut...
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File
Description Formula Injection/CSV Injection in "For what?" , "For whom?" & "How much?" due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept 1.Visit https://ihatemoney.org/ and start your demo application then click on add new bill at the top right. In the field of "wha...
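The neutralization that the entry above says is missing, shown as an added example (this is not ihatemoney's own code; the field names `what`, `whom`, `amount` and the sample rows are assumed for illustration). It flags cells that a spreadsheet would evaluate as formulas, prefixes them with a single quote so they render as text, and lets plain negative numbers through, since `-5` in an amount column is data rather than a formula:

```python
import csv
import io

# Leading characters that make Excel / LibreOffice evaluate a cell as a
# formula instead of showing it as text. Tab and CR are included because
# some importers skip leading whitespace before deciding.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value):
    """True if a spreadsheet would interpret this text as a formula."""
    if not isinstance(value, str):
        return False
    stripped = value.lstrip(" ")
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    # "-5" or "+3.25" are plain numbers, not formulas; let them through.
    try:
        float(stripped)
        return False
    except ValueError:
        return True


def neutralize_cell(value):
    """Prefix a formula-looking string with a single quote so the
    spreadsheet treats it as literal text (the OWASP-recommended escape).
    Numbers and other non-strings pass through unchanged."""
    if is_formula_cell(value):
        return "'" + value
    return value


def export_bills(rows):
    """Serialize bill dicts (what, whom, amount) to CSV text, neutralizing
    every cell. QUOTE_ALL also stops an attacker-supplied separator from
    smuggling extra cells into the row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["what", "whom", "amount"],
                            quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(v) for k, v in row.items()})
    return buf.getvalue()


def parse_csv(text):
    """Read CSV text back into a list of rows (used to inspect the output)."""
    return list(csv.reader(io.StringIO(text)))


# Constructed sample input (assumed field names): the three user-controlled
# bill fields, with the kind of payload a reporter would type into "what".
SAMPLE_ROWS = [
    {"what": '=HYPERLINK("http://evil.example/?x", "click me")',
     "whom": "alice", "amount": "12.50"},
    {"what": "-5", "whom": "@bob", "amount": "-5"},
    {"what": "\t=1+1", "whom": "carol", "amount": "3"},
]

if __name__ == "__main__":
    print(export_bills(SAMPLE_ROWS))
```

The quote prefix is the usual export-side fix; rejecting formula-looking input at submission time with `is_formula_cell` is a reasonable second layer, but it breaks legitimate values such as a description beginning with `+`, so most projects escape on export instead.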
Stored xss bug
Description stored xss bug Proof of Concept I created a repository on try.gitea.io and uploaded a pdf file containing xss vector. https://try.gitea.io/cokeBeer/test/src/branch/main/poc.pdf Just click the "Raw" button The xss vector will be triggered Fix Suggestion prohibit viewing pdf directly by...
Html Injection
Description https://app.diagrams.net/ is vulnerable to HTML injection by uploading an HTML file. Proof of Concept 1. Go to https://app.diagrams.net/, create a new HTML file with form fields and add this file to the project. 2. Now go to File > Embed > HTML, click on Create, and after that click on Preview pag...
0 quantity orders are allowed
Description In the case of commodity purchases where the quantity is 0, orders should not be allowed to be created, as this consumes resources for no purpose; the order quantity should always be >= 1. Proof of Concept...
Reflected XSS on ticket filter function
Description The ticket management filter in Trudesk v1.2.0 allows a user to perform XSS due to improper validation of filter attributes such as "status", "ticket type", "assignee", etc. Proof of Concept 1 Login to Trudesk with user role privileges 2 Tickets - Filter ticket 3 Filter for ticket status po...
Users Account Pre-Takeover or Users Account Takeover.
Team, may you all be well on your side of the screen. While doing some research on https://microweber.org, I was able to find a Pre-Account Takeover vulnerability. Kindly check the proof of concept video and reproduction steps for a better understanding. Proof of concept: I have uploaded the bo...
Cross site scripting
Description 1. Login as teacher 2. Create a new assignment at https://www.rosariosis.org/demonstration/Modules.php?modname=Grades/Assignments.php&assignment_type_id=3&assignment_id=new 3. Add this payload in the description 4. Save this assignment 5. You will see a prompt...
RCE due to a dependency confusion
Description Hi team, I hope you are well. I found a dependency confusion vulnerability in this repo. When I analyzed your repo, I found a Makefile which installs a dependency: https://github.com/bits-and-blooms/bloom/blob/25ba46ef8744ddeba999dcd048dbb8b0fa87edb3/Makefile#L188 go get...
RCE due to a dependency confusion
Description Hi team, I hope you are well. I found a dependency confusion vulnerability in this repo. When I analyzed your repo, I found a Makefile which installs a dependency: https://github.com/openziti/ziti/blob/271614d50df5535cf99ad0882649ae0ef7bb88a2/ziti/Makefile#L155 go get...
Cross-site Scripting (XSS) in create space function
Description Reflected cross-site scripting or XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept 1.Login as normal user. 2.Access subdomain /space/create/create. 3.Input name, color, description,...
Cross-site scripting - Stored via upload `.xsig` file
Description When a user uploads a file with the .xsig extension and accesses this file directly, the server responds with Content-type: text/html, which leads to the XSIG being processed as an HTML file. Proof of Concept POST /facturascripts/EditAttachedFile?code=1&action=save-ok HTTP/1.1 Host: localhost User-Agent: Mozilla/5....
Cross-site Scripting (XSS) via Cookie Value
Description There is an XSS that can be triggered via a cookie value. Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded...
Denial of service
Affected commit 49b8cef31f01c0d88d874e17714dff1fa5b85df0 Proof of Concept (poc.rb, ruby): raise SystemStackError.new(BasicObject.new) Expected: raise the exception without aborting the software. Case output (bash): root:/mruby/mruby/bin ./mruby poc.rb poc.rb:1: can't convert BasicObject into String (TypeError) Aborted...
A heap-buffer-overflow in mobi_decode_infl in index.c
Description A heap-buffer-overflow in mobi_decode_infl in index.c Env Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal mobitool build: May 3 2022 20:46:07 clang Ubuntu Clang 11.1.0 libmobi: 0.10 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasa...
Server-Side Request Forgery in scout
Description Server-Side Request Forgery in remotecors Proof of Concept GET /remote/cors/http://:8888 HTTP/1.1 Host: localhost:8000 User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:100.0 Gecko/20100101 Firefox/100.0 Accept:...
Improper Access Control
Description The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Proof of Concept Unauthorized actors can access critical pages directly. - InstallDatabase.php - diagnostic.php...
Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept - it works in Firefox, not in Chromium-based browsers - login as admin - go to...
Improper File Deletion
Description A student uploads a file when submitting an assignment. Then, if a teacher deletes that assignment, the attachment still remains on the server, and anyone who has the link to that file can access it to view or download it. Steps to reproduce Login to the demo environment by...
Improper handling of large integer values
Description In the Create Fee function, there is improper handling of large integer values in the amount field. Proof of Concept POST /demonstration/Modules.php?modname=StudentBilling/StudentFees.php HTTP/1.1 Host: www.rosariosis.org Cookie: RosarioSIS=kja39eaq6q73envhk6eo8300vgumn2612c5huvue08vgh66faog1...
Arbitrary Code Execution through Sanitizer Bypass
Description The sanitizer function of the drawio core library which is responsible to sanitize various parts of a diagram of potentially dangerous HTML/JavaScript code can be bypassed. It is vulnerable to mutation XSS payloads, which allows escaping from the sanitizer. This allows arbitrary code...
Stack buffer overflow in RTSP packet parsing
Description A malicious RTSP server can trigger a stack buffer overflow via an RTSP packet with an excessively long Content-Length, due to no bounds check when copying into a fixed-size buffer. Proof of Concept poc.py is available here. Terminal 1: python3 poc.py 31337 Terminal 2: ./configure...
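The missing check in the entry above, shown as an added example rather than the affected client's code: a minimal RTSP response parser that validates Content-Length before trusting it. The body limit `MAX_RTSP_BODY`, the error type and the sample responses are all assumed for illustration; in the C client this limit corresponds to the size of the fixed buffer the body is copied into, and a signed `atoi()`-style conversion is the second failure mode the parser guards against.

```python
# Upper bound on the body we are willing to accept. In a C client this is
# the size of the fixed buffer the body is copied into; the bug on this
# page is that the copy happened without comparing Content-Length to it.
MAX_RTSP_BODY = 64 * 1024


class RtspError(Exception):
    """Raised for any response that must be rejected rather than parsed."""


def parse_rtsp_response(data, max_body=MAX_RTSP_BODY):
    """Parse an RTSP response into (status_code, headers, body).

    Rejects a missing/invalid status line, a Content-Length that is not a
    plain decimal (so "-1", "+5", "0x10" never reach int()), a
    Content-Length above max_body, and a body shorter than advertised.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise RtspError("incomplete header block")

    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise RtspError("bad status line: %r" % lines[0])
    status = int(parts[1])

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise RtspError("malformed header line: %r" % line)
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")

    length = 0
    if "content-length" in headers:
        raw = headers["content-length"]
        # str.isdigit() alone accepts non-ASCII digits; isascii() closes that.
        if not (raw.isascii() and raw.isdigit()):
            raise RtspError("non-numeric Content-Length: %r" % raw)
        length = int(raw)
        if length > max_body:
            raise RtspError("Content-Length %d exceeds limit %d" % (length, max_body))
    if len(rest) < length:
        raise RtspError("body truncated: want %d, have %d" % (length, len(rest)))

    return status, headers, rest[:length]


def is_rejected(data):
    """Convenience wrapper: True if the parser refuses the response."""
    try:
        parse_rtsp_response(data)
    except RtspError:
        return True
    return False


# Constructed sample traffic (not captured from any real server).
SDP = b"v=0\r\no=- 0 0 IN IP4 127.0.0.1\r\ns=demo\r\n"
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
          b"Content-Length: %d\r\n\r\n" % len(SDP)) + SDP
# What a malicious server sends: a huge length with a short body behind it.
OVERSIZED = (b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Length: 999999999\r\n\r\n"
             + b"A" * 100)
# atoi()-style parsers turn this into -1, which becomes a huge size_t on copy.
NEGATIVE = b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Length: -1\r\n\r\n"

if __name__ == "__main__":
    print(parse_rtsp_response(BENIGN))
    for sample in (OVERSIZED, NEGATIVE):
        print("rejected" if is_rejected(sample) else "accepted")
```

The same two comparisons, `length <= sizeof(buf)` and a rejection of anything that is not a non-negative decimal, are what a C client needs before its `memcpy`; reading the body with a bounded `recv` into a heap buffer sized from the validated length is the usual hardened form.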
Store XSS
Description Phishing and stealing users through vulnerabilities and accessing users' personal information Proof of Concept POST /admin/enhavo/article/article/update/5?viewid=6 HTTP/1.1 Host: demo.enhavo.com User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:56.0 Gecko/20100101 Firefox/56.0...
Stored XSS Via Markdown payload at HackerOne Settings
Description Rengine supports automatic vulnerability reporting to HackerOne; the module includes a feature to customize the report using a Markdown editor. Although it was blocking some malicious payloads, the Cross-Site Scripting was found to be exploitable via a special payload. Proof of Concept 1. Go...
Improper file deletion
Description When a user is created with a profile picture and deleted after some time, the profile picture of that user still remains on the server even after the user's account has been deleted. Proof of Concept 1. Create a new student with a profile picture 2. Delete this user 3. And visit this url...
Cross-site Scripting (XSS) - Reflected
Description The listmonk application is vulnerable to reflected XSS in the partial SQL expression used to query subscriber attributes. Proof of Concept 1.Go to "Subscribers" - "All subscribers" - "Advanced" 2.Put this payload: " in the input field. 3.Now click on Query and the XSS will pop up Video POC...
Stored XSS in "campaigns"
Description The listmonk application is vulnerable to stored XSS in the "Name" input field for "campaigns": when a user tries to delete the "campaign", the XSS gets triggered. Proof of Concept 1.Go to "Campaigns" - "All campaigns" - "New" 2.Put this payload: in the "Name" input field and fil...
Heap-buffer-overflow in mobi_search_links_kf7
Description heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse_rawml.c:110 in mobi_search_links_kf7 Environment Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal mobitool build: Apr 29 2022 20:52:30 gcc 9.3.0 libmobi: 0.10 Build export CC=gcc CXX=g++...
Cross-site scripting - Reflected via upload `.xml` file
Description When a user uploads a file with the .xml extension and accesses this file directly, the server responds with Content-type: text/html, which leads to the XML being processed as an HTML file. Proof of Concept POST /facturascripts/EditAttachedFile?code=1&action=save-ok HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0...
Cross-site scripting - Reflected in Create Subaccount
Description Cross-site scripting - Reflected in Create Subaccount via codsubcuenta parameter. Proof of Concept POST /facturascripts/EditSubcuenta HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:100.0 Gecko/20100101 Firefox/100.0 Accept:...
heap-buffer-overflow in mobi_get_attribute_value
Description heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse_rawml.c:357 in mobi_get_attribute_value Environment Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal mobitool build: Apr 29 2022 20:52:30 gcc 9.3.0 libmobi: 0.10 Build export CC=gcc CXX=g++...
Cross-site Scripting (XSS) - Stored
Description I am able to bypass the fix in the report https://huntr.dev/bounties/4f7be1e2-b844-4def-af9f-136dcce1c349/ which caused the XSS vulnerability. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page...
Exposure of Sensitive Information to an Unauthorized Actor
Description An attacker is able to download files from the system. Proof of Concept 1.Login as student - Go to GRADES - Assignments - Submit a file to a random assignment - save. 2.An attacker, with or without an account, is able to download it through this URL...
Buffer Over-read
Description Buffer Over-read in hpjansson/chafa at xwd-loader.c:185 Build export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure --disable-shared make POC ./tools/chafa/chafa ./poc.png...
Improper Access Control (IDOR)
Description Any user, even one without an account, can view any student's photo via the student's id. Proof of Concept Access this URL https://www.rosariosis.org/demonstration/assets/StudentPhotos/2021/studentid.jpg - The attacker can see a student's personal photo even without a school account; the student's id...
Reflected XSS
Description Hello team, I found a reflected XSS in /rtxcomplete/nodeslike via the callback parameter Proof of Concept https://arax.rtx.ai/rtxcomplete/nodeslike?_=1651210002052&callback=%3CScRiPt%20%3Ealert(document.domain)%3C/ScRiPt%3E&limit=15&word=1...
Reflected XSS
Description Hello, I found an authenticated reflected XSS via the path fragment. This was exploitable through trusting user input in the URL path fragment. Please note: if you write a different payload you need to URL-encode the payload twice. Proof of Concept Enter this url:...
Cross-site Scripting (XSS) in Error Page
Description There is an XSS that can be triggered via the error page through an invalid file name. Proof of Concept 1.Login as Admin. 2.Upload a new file with the name .svg 3.Save - the Fatal Error page shows up and the XSS is triggered...
DOM XSS in microweber ver 1.2.15
Description Hi there, your latest-version Docker image 3463db62a01f is vulnerable to DOM XSS. Proof of Concept...
Blind command injection
Description Hello, it's my first report on huntr.dev. Quick code review: file https://github.com/yogeshojha/rengine/blob/master/web/api/views.py#L820 class CMSDetectorAPIView: def get(self, request): req = self.request url = req.query_params.get('url') save_db = True if 'save_db' in req.query_params else...
Use after free in append_command
✍️ Description When fuzzing vim at commit fc78a0369 (it still works with the latest build and latest commit 202b4bd3a at the time of this report) with clang 13 and ASan, I discovered a buffer overflow. Proof of Concept Here is the PoC (bash)...
Heap buffer overflow in vim_strncpy find_word
✍️ Description When fuzzing vim at commit fc78a0369 (it still works with the latest build and latest commit 202b4bd3a at the time of this report) with clang 13 and ASan, I discovered a buffer overflow. Proof of Concept Here is the PoC (bash)...
Reflected XSS
Description Bypass of the XSS filter on /module/ Proof of Concept https://demo.microweber.org/demo/module/?module=admin%2Fmodules%2Fmanage&id=x"draggable="true"ondragexit=alert(1)&class=x&fromurl=x Drag something around to trigger the XSS. Might only work in Firefox. How to fix This is still CVE-2022-1439...
Cross-site scripting - DOM via view file function
Description In Modules - Files, clicking a file opens a popup and appends a select-file= fragment to the URL; this fragment in the URL leads to DOM XSS. Proof of Concept...
Reflected XSS in microweber
Description Hi there, in your latest version 1.2.15 Docker image here https://registry.hub.docker.com/r/microweber/microweber, I found a reflected XSS. endpoint: http://localhost/admin/view:content/action:settings?group=template&template param: template payload: shopmag"alertdocument.cookie Proof of...
Cross-site scripting - Stored via upload ".msg" file
Description When a user uploads a file with the .msg extension (which is in the white-list) and then accesses this file, the server does not respond with a Content-Type header, so the file can execute JavaScript code as if it were Content-type: text/html. Proof of Concept POST /microweber/plupload HTTP/1.1 Host: localhost User-Agent:...
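The three upload entries above (the FacturaScripts .xsig and .xml reports and this Microweber .msg one) share one root cause: a file the user was allowed to store is later served either as text/html or with no Content-Type at all, so the browser renders it as a page. The following is an added example of the serving-side rule, not code from either project; the extension lists, header values and `response_headers_for` name are assumed for illustration. The point it makes is that the upload allow-list and the inline-render allow-list are two different sets:

```python
import posixpath

# Extension -> Content-Type for files that are safe to render inline.
# Only formats a browser cannot execute script from are listed here.
INLINE_TYPES = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "txt": "text/plain; charset=utf-8",
    "csv": "text/csv; charset=utf-8",
}

# Upload allow-list (assumed): what the application lets users store.
# Being allowed to upload says nothing about how the file may be served.
UPLOAD_ALLOWLIST = set(INLINE_TYPES) | {"pdf", "xml", "xsig", "msg", "svg"}


def file_extension(name):
    """Lower-cased extension of the basename, '' if none. Uses the last
    dot, so 'a.png.html' is treated as html, not png."""
    base = posixpath.basename(name)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def is_upload_allowed(name):
    return file_extension(name) in UPLOAD_ALLOWLIST


def safe_download_name(name):
    """Basename with characters that would break the header removed."""
    base = posixpath.basename(name)
    return "".join(c for c in base if c not in '"\r\n;')


def response_headers_for(name):
    """Headers for serving a stored upload.

    Inline only for known non-scriptable types; everything else, including
    allowed-but-active formats (svg, xml, pdf) and unknown ones (.msg,
    .xsig), goes out as an application/octet-stream attachment. nosniff
    stops the browser from second-guessing the declared type, and the CSP
    sandbox denies script even if some viewer does render the bytes.
    """
    ext = file_extension(name)
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }
    if ext in INLINE_TYPES:
        headers["Content-Type"] = INLINE_TYPES[ext]
        headers["Content-Disposition"] = "inline"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = (
            'attachment; filename="%s"' % safe_download_name(name))
    return headers


if __name__ == "__main__":
    # Constructed file names mirroring the reports above.
    for n in ("poc.msg", "report.xsig", "data.xml", "logo.PNG", "x.png.html"):
        print(n, is_upload_allowed(n), response_headers_for(n))
```

Serving uploads from a separate origin (a dedicated static host or subdomain) removes the remaining risk that an attachment is opened inline by a plugin, because any script that does run no longer shares cookies with the application.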
Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept - it works in Firefox, not in Chromium-based browsers - login as admin - go to...