4058 matches found
Cross-site Scripting (XSS)
Proof of Concept Steps to reproduce: Navigate to the below URL URL: https://demo.contao.org/contao/" Some image POCs are attached below...
Improper Access Control (IDOR)
Description Improper Access Control (IDOR) could leak admin information. Proof of Concept 1. Login as admin, edit a role to give it permission to show user information - save 2. Login as a user with that role - go to url http://my.facturascripts.site/EditUser?code=admin&action=export&option=PDF - Can se...
Thirdparty site authorization header leak
Description The mechanize library is used to manipulate the URLs of web pages and crawl their contents. mechanize does not filter the request headers after redirecting. It also transfers the authentication and cookie request headers of the first request to the service it is redirected to,...
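The redirect policy the report above says mechanize lacks, as an added example (not mechanize's code): credential-bearing headers are forwarded only when the redirect target keeps the same origin (scheme, host, port) as the original request, which is what browsers and curl do. The URLs and header values are constructed for the demo.

```python
# Added example, not part of mechanize: decide which request headers may follow
# a redirect. Credentials are only re-sent when the Location keeps the same
# origin; a cross-origin (or https -> http downgrade) redirect gets them stripped.
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must never reach a third-party host.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization"}


def same_origin(url_a: str, url_b: str) -> bool:
    """Same scheme, host and (explicit or default) port."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    port_a = a.port or (443 if a.scheme == "https" else 80)
    port_b = b.port or (443 if b.scheme == "https" else 80)
    return (a.scheme, a.hostname, port_a) == (b.scheme, b.hostname, port_b)


def headers_for_redirect(original_url: str, location: str, headers: dict) -> tuple:
    """Return (absolute redirect URL, headers to send on the follow-up request)."""
    target = urljoin(original_url, location)  # Location may be relative
    if same_origin(original_url, target):
        return target, dict(headers)
    # Cross-origin: drop credential-bearing headers before following.
    kept = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return target, kept


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer secret", "Cookie": "sid=1", "Accept": "*/*"}
    print(headers_for_redirect("https://api.example.com/v1", "https://attacker.example.net/", hdrs))
```

A client that follows redirects should apply this check on every hop, not only the first, since a same-origin redirect can itself redirect elsewhere.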
Buffer Over-read in function utfc_ptr2len
Description Buffer Over-read in function utfc_ptr2len at mbyte.c:2113 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD -> master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch8s.dat -c :qa!...
Heap-based Buffer Overflow in function cmdline_erase_chars
Description Heap-based Buffer Overflow in function cmdline_erase_chars at ex_getln.c:1085 POC ./vim -u NONE -X -Z -e -s -S ./poch1.dat -c :qa! ================================================================= ==3840814==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000087f at pc...
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729
Description NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input. POC ./vim -u NONE -X -Z -e -s -S ./pocn.dat -c :qa! Segmentation fault pocn.dat GDB ─── Output/messages...
Cross-site scripting - Stored via upload ".cad" file
Description When a user uploads a file with the .cad extension (which is in the white-list), the server stores the .cad file at userfiles/media/default/, so we can access it directly. Because the server does not respond with a Content-Type header when this file is accessed, the file can execute javascript code as Content-Type: text/html...
Multiple Store XSS via upload svg file and the file name of attachment
Description Hi There, facturascripts is vulnerable to stored XSS by uploading an svg file, and via the filename. Steps to reproduce with an svg file: Login as admin or any account that has the role Admin-Library, access Admin - library - New and upload an svg file with content: alertdocument.cookie; save this. XSS will be...
Stored XSS on Import Targets
Description Hello, When an XSS payload is used as the Add or Import Targets file name, it executes, hence stored XSS is possible. Proof of Concept Name a file .txt Import the file at /target/add/target You can see it being executed...
Reflected XSS in facturascripts
Description facturascripts is vulnerable to XSS in the fsNick parameter Proof of Concept Save this code as poc.html history.pushState'', '', '/' document.forms0.submit; open the file with your browser - the XSS triggers...
Cross-site Scripting (XSS) - Stored via htm file upload
Description rosariosis is vulnerable to Stored XSS in the File upload in Assignments by uploading an htm file with the javascript code inside. Proof-of-Concept phish.htm Test Upload File Test upload alert1 Steps to reproduce From attacker side (student) 1. Login to the demo environment with the student...
Cross-site Scripting (XSS) - Reflected
Description Reflected cross-site scripting or XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept Turn on debugger mode. Add path /?alertorigin to any endpoint - script will be reflected, executed...
NULL Pointer Dereference in function mobi_build_opf_metadata at opf.c:1161
Description NULL Pointer Dereference in function mobi_build_opf_metadata at opf.c:1161 allows attackers to cause a denial of service (application crash) via a crafted input file Build git clone https://github.com/bfabiszewski/libmobi.git cd libmobi export CFLAGS="-g -O0 -lpthread -fsanitize=address"...
Cross-site Scripting (XSS) - Stored via xHTML file upload
Description rosariosis is vulnerable to Stored XSS in the File upload in Assignments by uploading an xHTML file with the javascript code inside. Proof of Concept phish.xhtml alertdocument.domain; Steps to reproduce From attacker side (student) 1. Login to the demo environment with the student account...
Insecure Storage of Sensitive Information
Description When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of Scoold users like their Geolocation, their Device information like Device Name, Version, Software & Software version used,...
Small Space of Random Values
Description The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks. Vulnerable code snippet $password = $staff['USERNAME'] . rand(1000, 9999);...
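How small that space really is, as an added example (not the product's code): the vulnerable line builds the password from a known username plus rand(1000, 9999), so an attacker who knows the username has at most 9000 candidates to try against a leaked hash. The brute force below recovers such a password, and secure_temp_password() shows a replacement drawn from the OS CSPRNG. The username, hash function and sample password are constructed for the demo.

```python
# Added example (not the product's code): brute-forcing a password generated as
# username . rand(1000, 9999), next to a generator with an adequate space.
import hashlib
import math
import secrets
import string


def weak_temp_password(username: str, rng_value: int) -> str:
    """Mirrors the vulnerable PHP: $password = $staff['USERNAME'] . rand(1000, 9999);"""
    if not 1000 <= rng_value <= 9999:
        raise ValueError("rand(1000, 9999) range")
    return f"{username}{rng_value}"


def sha256_hex(s: str) -> str:
    # Stand-in for however the product stores the password; any fast hash
    # is brute-forceable at this size, slow hashes only buy a few minutes.
    return hashlib.sha256(s.encode()).hexdigest()


def brute_force_weak(username: str, password_hash: str):
    """Return (password, guesses) or (None, 9000) if nothing matched."""
    for guesses, n in enumerate(range(1000, 10000), start=1):
        candidate = weak_temp_password(username, n)
        if sha256_hex(candidate) == password_hash:
            return candidate, guesses
    return None, 9000


def secure_temp_password(length: int = 16) -> str:
    """62^16 candidates (about 95 bits) from secrets, not from rand()."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def candidate_space_bits(weak: bool, length: int = 16) -> float:
    """Entropy of the password, assuming the username is known to the attacker."""
    return math.log2(9000) if weak else length * math.log2(62)


if __name__ == "__main__":
    print(brute_force_weak("alice", sha256_hex("alice4242")))
    print(round(candidate_space_bits(True), 1), round(candidate_space_bits(False), 1))
```

The only thing the weak scheme adds over the bare username is about 13 bits; even a rate limit of one attempt per second lets an online attacker enumerate the whole space in two and a half hours.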
Cross-site Scripting (XSS)
Proof of Concept 1 Login to the webapplication 2 Navigate to the below URL URL :- https://demo.livehelperchat.com/siteadmin/system/languages/updated/true/sa/HEXX%22%3E%3Ca%20onmouseover=alert11122%3EDEXX%3Ca Below some image POC...
Cross-site Scripting (XSS) - Stored via HTML file upload
Description rosariosis is vulnerable to Stored XSS in the File upload in Assignments by uploading an HTML file with the javascript code inside. Proof-of-Concept phish.html Test Upload File Test upload alert1 Steps to reproduce From attacker side (student) 1. Login to the demo environment with the student...
Buffer Over-read
Description Stack-based Buffer Overflow at index.c:991 Build git clone https://github.com/bfabiszewski/libmobi.git cd libmobi export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure...
Buffer Over-read at parse_rawml.c:1416
Description Heap-based Buffer Overflow at parse_rawml.c:1416 Build git clone https://github.com/bfabiszewski/libmobi.git cd libmobi export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure...
SQL injection in Calendar.php
Description In Calendar.php lines 498-513, the web server uses the values parameter as part of a SQL query without sanitizing it, so an attacker can manipulate the SQL query, which is executed by the web server...
HTML Injection in Subscan view
Description HTML code is executed in the Subscan feature Proof of Concept 1. Add a scan engine: HTMLInjection 2. Go to "subdomains" for a target and add a Subscan using the scan engine. 3. Initiate a Subscan 4. View the subscan...
Stored XSS via Scan Engine Name
Description The Scan Engine name is displayed in different places without validation Proof of Concept 1. Add a scan engine with name: 2. Scan a target, create scheduled tasks 3. Go to https://127.0.0.1/scan/history/scan Note: Try in a private browser if it doesn't execute on the first try. I am not sure...
Improper handling of Length parameter
Description There was no restriction on the amount of text that can be inserted into a user's name field. When the text size was large enough the service resulted in a momentary outage in our non-production environment not high availability. An internal reproduction showed isolated disruption but...
Cross Site Request Forgery in Release all grades feature
Description Hi there, there is a Cross site request Forgery in your Release all grades feature. This is due to the release all grades action is using GET request method. Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which...
Authenticated Reflected XSS
Description Hello Team, I found an Authenticated Reflected XSS when you go here: https://demo.collectiveaccess.org and then login as demo / demo (username, password) Proof of Concept https://demo.collectiveaccess.org/lookup/DisplayTemplate/Get?table=caobjects&id=21&template=asdasdasdasd alert1xx...
Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept - login as an admin - go to...
Mass Assignment Leading to (Limited) Password Confirmation Bypasses at UsersController
Description Hello there! Hope you are having an amazing day! 🤗 Just found out, while testing one of diaspora\ open servers, that the /user/edit endpoint has a limited case of "mass assignment", which enables an authenticated user to change their password and disable 2FA or change its secret witho...
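The two controls whose absence the report above describes, as an added example (not diaspora's code; the field names, the parameter shape and the hashing are hypothetical): an update handler that only accepts an allowlist of editable attributes, so a request body cannot reach password or 2FA fields by mass assignment, and that re-checks the current password before touching the sensitive subset.

```python
# Added example (not diaspora's code; field names are hypothetical): allowlisted
# user update with password re-confirmation for sensitive attributes.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PUBLIC_FIELDS = {"language", "color_theme", "email"}                     # freely editable
SENSITIVE_FIELDS = {"password", "otp_secret", "otp_required_for_login"}  # need re-auth
# Anything else in the request body (e.g. "admin") is ignored, never assigned.


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def apply_user_update(user: dict, params: dict) -> set:
    """Apply params to user in place and return the set of fields changed.

    Raises PermissionError when a sensitive field is sent without a valid
    current_password, leaving the user record untouched.
    """
    allowed = PUBLIC_FIELDS | SENSITIVE_FIELDS
    wanted = {k: v for k, v in params.items() if k in allowed}

    if wanted.keys() & SENSITIVE_FIELDS:
        current = params.get("current_password", "")
        _, digest = hash_password(current, user["salt"])
        if not hmac.compare_digest(digest, user["password_digest"]):
            raise PermissionError("current password required for sensitive changes")

    changed = set()
    if "password" in wanted:
        user["salt"], user["password_digest"] = hash_password(wanted.pop("password"))
        changed.add("password")
    user.update(wanted)
    changed.update(wanted)
    return changed


if __name__ == "__main__":
    salt, digest = hash_password("hunter2")
    u = {"salt": salt, "password_digest": digest, "otp_required_for_login": True,
         "otp_secret": "ABC", "language": "en", "admin": False}
    print(apply_user_update(u, {"language": "de", "admin": True}))
    try:
        apply_user_update(u, {"otp_required_for_login": False})
    except PermissionError as e:
        print("rejected:", e)
```

Keeping the allowlist as two explicit sets is deliberate: a new attribute added to the model is inert until someone decides which set it belongs in.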
Cross-site Scripting (XSS) - Stored
Description Stored XSS found due to long name summarize Proof of Concept 1.First, access the latest version of the demo environment. https://www.rosariosis.org/demonstration/index.php 2.Then log in with your teacher account teacher/teacher 3.After logging in, access to add an assignment. 4.Then...
Cross-site scripting - Stored via upload xml file
Description When a user uploads a file with the XML extension (which is in the white-list), the server stores the XML file at assets/PortalNotesFiles/, so we can access it directly and execute javascript code. Proof of Concept POST /rosariosis/Modules.php?modname=SchoolSetup/PortalNotes.php&modfunc=update HTTP/1.1 Host:...
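The .cad, .htm, .xhtml, .html and .xml upload reports above all rest on the same server behaviour: an uploaded file is served back from the application's own origin with a missing or browser-renderable Content-Type. The headers below, as an added example (not rosariosis or contao code; the extension allowlist is an assumption), are what a download endpoint for user uploads should attach so that active content is never rendered in-origin.

```python
# Added example (not the projects' code): response headers for serving a
# user-uploaded file. Only a small allowlist renders inline; everything else,
# including html/xhtml/xml/svg/cad, is an opaque attachment with sniffing off.
import posixpath
import re

# Extensions the application is willing to let the browser render inline.
INLINE_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".pdf": "application/pdf",
    ".txt": "text/plain; charset=utf-8",
}


def download_headers(stored_name: str) -> dict:
    """Headers for serving stored_name back to a browser."""
    base = posixpath.basename(stored_name.replace("\\", "/"))
    # Keep the filename parameter from breaking out of its quotes.
    safe_name = re.sub(r"[^\w.\-]", "_", base) or "download"
    ext = posixpath.splitext(safe_name)[1].lower()
    inline = ext in INLINE_TYPES
    return {
        # Never omitted and never derived from the client-supplied MIME type.
        "Content-Type": INLINE_TYPES.get(ext, "application/octet-stream"),
        # Stops MIME sniffing, so octet-stream is never upgraded to text/html.
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'{"inline" if inline else "attachment"}; filename="{safe_name}"',
        # Belt and braces: if something is rendered anyway, no script may run.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    for name in ("phish.html", "notes.xml", "photo.png", 'x".svg'):
        print(name, download_headers(name))
```

Serving uploads from a separate, cookie-less origin removes the remaining risk for the inline types; the headers above are the minimum when that is not an option.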
Out-of-bounds Read in r_bin_java_bootstrap_methods_attr_new function
Description An out-of-bounds (OOB) read vulnerability exists in the r_bin_java_bootstrap_methods_attr_new function in Radare2 5.6.9. This is similar to CVE-2022-0518 and CVE-2022-0521. Version radare2 5.6.9 27745 @ linux-x86-64 git.conti commit: 14189710859c27981adb4c2c2aed2863c1859ec5 build: 2022-04-2311:05:...
Out-of-bounds Read in r_bin_java_constant_value_attr_new function
Description An out-of-bounds (OOB) read vulnerability exists in the r_bin_java_constant_value_attr_new function in Radare2 5.6.9. This is similar to CVE-2022-0518 and CVE-2022-0521 Version radare2 5.6.9 27745 @ linux-x86-64 git.conti commit: 14189710859c27981adb4c2c2aed2863c1859ec5 build: 2022-04-2311:05:49...
Stored Cross Site Scripting vulnerability in the checked_out_to parameter
Description The checked_out_to is not escaped, which leads to an XSS problem. Proof of Concept 1. Login to the demo account 2. Report - Depreciation Report 3. Choose an Asset and go to the Assets menu and check it out. Create a new location named '" and check the asset out to this location 4. Return to...
Improper authorization - receptionist can read all Clinic reports
Description Hi there openemr maintainers, I would like to report an improper authorization vulnerability in your source code. Proof of Concept 1. Install openemr in your system and create an admin account and a receptionist account 2. Log in as receptionist and see that you don't see Reports...
Improper Privilege Management - receptionist can view background services and log for admin
Description Hi there openemr maintainers, I would like to report an improper authorization vulnerability in your source code. Proof of Concept 1. Install openemr in your system and create an admin account and a receptionist account 2. Log in as receptionist and see that you don't see Reports...
Improper authorization - receptionist can read all secure messaging
Description Hi there openemr maintainers, I would like to report an improper authorization vulnerability in your source code. Proof of Concept 1. Install openemr in your system and create an admin account and a receptionist account 2. Use admin account and create a secure message by go to Portal...
SQL injection in PortalNotes
Description In PortalNotes.php, the web server uses the values parameter as part of a SQL query without sanitizing it, so an attacker can manipulate the SQL query, which is executed by the web server. Proof of Concept POST /rosariosis/Modules.php?value=123 HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 Windows...
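The Calendar.php and PortalNotes.php reports above describe the same defect: a request parameter spliced into the SQL text. As an added example (not rosariosis code; the table, rows and query are constructed for the demo), here is that pattern beside the parameterized form that fixes it, run against an in-memory SQLite database so the difference is observable.

```python
# Added example (not rosariosis code): string-built SQL vs. a bound parameter.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one unpublished note an attacker should not see."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE portal_notes(id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO portal_notes VALUES
            (1, 'Welcome', 1),
            (2, 'Draft: salary review', 0),
            (3, 'Holidays', 1);
        """
    )
    return con


def notes_unsafe(con: sqlite3.Connection, value: str) -> list:
    # Vulnerable: the parameter becomes part of the SQL text, so a quote in it
    # ends the literal and the rest is parsed as SQL.
    sql = "SELECT title FROM portal_notes WHERE published = 1 AND title = '" + value + "'"
    return [row[0] for row in con.execute(sql)]


def notes_safe(con: sqlite3.Connection, value: str) -> list:
    # Fixed: the driver sends the value separately from the statement; quotes
    # inside it are data, never syntax.
    sql = "SELECT title FROM portal_notes WHERE published = 1 AND title = ?"
    return [row[0] for row in con.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", notes_unsafe(db, payload))
    print("safe:  ", notes_safe(db, payload))
```

The injected condition turns the query into `... AND title = '' OR '1'='1'`, which is true for every row, published or not; the bound version returns nothing because no note is literally titled `' OR '1'='1`.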
Cross-site scripting - Reflected via mime-type file upload
Description When a user uploads a file with an extension not in the white-list, the server throws an error that includes the mime-type of the uploaded file, which the user controls, without sanitizing it. Proof of Concept POST /rosariosis/Modules.php?modname=SchoolSetup/PortalNotes.php&modfunc=update HTTP/1.1 Host: localhost:8080...
XSS in /demo/module/?module=HERE
Description Reflected XSS in /demo/module/?module= bypass of fix for CVE-2022-1439 Proof of Concept In this report I showed an XSS and while one of the filter evasion mechanisms was fixed, the root cause persists to allow other payloads. As I mentioned there are event handlers which are unblocked...
Remote access to another's conversation based on their email address
System: - Chatwoot 2.4.1, self-hosted - User identity validation is enabled - Each client has a unique identifier and a corresponding valid hmac Description User B can impersonate User A and access his chat history by filling in user A's email address in the setUser despite that the two users do...
Sed Injection Vulnerability
Description In Hestia Control Panel 1.5.11, several v-scripts shell scripts have sed injection vulnerabilities. By chaining these vulnerabilities, an authenticated remote attacker with low privileges can execute arbitrary code under root context. Sed injection vulnerabilities exist in the followi...
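The escaping that a shell script needs before interpolating user data into a sed expression, as an added example (not Hestia code; the sample values are constructed). In a sed `s` command the delimiter, `&`, `\` and a raw newline all have meaning in the replacement, and `.`, `*`, `[`, `]`, `^`, `$` and `\` in the pattern; unescaped, a value containing the delimiter ends the substitution and whatever follows is parsed as further sed commands (GNU sed's `e` command then runs it as a shell command).

```python
# Added example (not Hestia code): escape user input for the pattern and
# replacement parts of a sed "s" command, shown next to the unsafe concatenation.


def sed_escape_pattern(s: str, delim: str = "/") -> str:
    """Make s match itself literally in a basic regular expression."""
    if "\n" in s:
        raise ValueError("newline cannot appear in a sed pattern")
    special = set("\\.*[]^$") | {delim}
    return "".join("\\" + ch if ch in special else ch for ch in s)


def sed_escape_replacement(s: str, delim: str = "/") -> str:
    """Make s a literal replacement: no delimiter, no '&', no backreferences."""
    out = []
    for ch in s:
        if ch in ("\\", "&", delim):
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\\n")  # backslash-newline inserts a newline (POSIX)
        else:
            out.append(ch)
    return "".join(out)


def sed_substitute_command(pattern: str, replacement: str, delim: str = "/", flags: str = "g") -> str:
    """Safe: s/<pattern>/<replacement>/<flags> with both sides escaped."""
    return (f"s{delim}{sed_escape_pattern(pattern, delim)}"
            f"{delim}{sed_escape_replacement(replacement, delim)}{delim}{flags}")


def naive_sed_command(pattern: str, replacement: str) -> str:
    """Unsafe: what sed "s/$OLD/$NEW/g" in a shell script amounts to."""
    return f"s/{pattern}/{replacement}/g"


if __name__ == "__main__":
    hostile = "a/;e id;s/"          # constructed: ends the s command, adds an 'e' command
    print(naive_sed_command("x", hostile))      # s/x/a/;e id;s//g
    print(sed_substitute_command("x", hostile))  # s/x/a\/;e id;s\//g
```

The escaped command can be passed to `sed -e "$cmd"`; the unsafe one, with the constructed value, becomes three commands, the second of which executes `id`. Validating the value against an allowlist (for example a hostname or username pattern) before it gets anywhere near sed is the better first line of defence.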
Stored XSS via upload plugin functionality in zip format
Description Cross-site scripting XSS is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Here...
heap-use-after-free
Description Whilst experimenting with radare2, built from version 5.6.8, we are able to induce a vulnerability at new_rbtree.c:411 in function r_rbnode_next, using radare2 as a harness. 409: R_API RRBNode *r_rbnode_next(RRBNode *node) 410: r_return_val_if_fail (node, NULL); //use-after-free here 411: if...
Reflected XSS on demo.microweber.org/demo/module/
Description Reflected XSS with filter bypass on /demo/module/ using module= & style= parameters. Proof of Concept https://demo.microweber.org/demo/module/?module='ontransitionend=alert1'"tabindex=1&style=transition:outline%200.001s&id=x&data-show-ui=admin&class=x&fromurl=https://demo.microweber.o...
Cross-site Scripting (XSS) - Generic
Description The Stream URL of the octoprint application allows an XSS payload to execute, which leads to Cross-site Scripting (XSS) Proof of Concept Login to the application. Now go to settings - Webcam & Timelapse - Stream URL and insert the payload " in the Stream URL and click on "Test". You wil...
no spoofing protection on email domain (No Valid SPF Records.)
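What a triage of an SPF finding should check before accepting it, as an added example (not from the report): the records below are constructed, the DNS lookup itself is left to the caller (for example the output of `dig +short TXT example.com`), and the function reports whether the published policy is missing, invalid, or merely advisory. A record that ends in `+all`, `?all` or has no `all` term at all gives receivers nothing to enforce, and more than ten DNS-resolving mechanisms makes the record a permanent error under RFC 7208.

```python
# Added example (not from the report): classify the SPF policy in a domain's
# TXT records. DNS resolution is the caller's job; records here are constructed.


def evaluate_spf(txt_records) -> dict:
    """Return {'status': ..., 'detail': ..., 'lookups': n} for a list of TXT strings."""
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return {"status": "missing", "lookups": 0,
                "detail": "no v=spf1 record; any host may use the domain in MAIL FROM"}
    if len(spf) > 1:
        return {"status": "invalid", "lookups": 0,
                "detail": "multiple v=spf1 records; receivers treat this as a permerror"}

    lookups = 0
    all_qualifier = None
    for term in spf[0].split()[1:]:
        t = term.lower()
        qualifier = t[0] if t[0] in "+-~?" else "+"   # default qualifier is pass
        mech = t.lstrip("+-~?")
        if mech == "all":
            all_qualifier = qualifier
        elif mech.startswith(("include:", "exists:", "redirect=", "ptr")) \
                or mech.split("/")[0].split(":")[0] in ("a", "mx"):
            lookups += 1   # these cost a DNS query at evaluation time
        # ip4:/ip6: mechanisms and exp= need no lookup

    if lookups > 10:
        return {"status": "invalid", "lookups": lookups,
                "detail": "more than 10 DNS-resolving terms; evaluation ends in permerror"}
    if all_qualifier == "-":
        status, detail = "enforced", "-all: unlisted senders fail"
    elif all_qualifier == "~":
        status, detail = "softfail", "~all: unlisted senders soft-fail; enforcement needs DMARC"
    elif all_qualifier in ("+", "?"):
        status, detail = "permissive", f"{all_qualifier}all: unlisted senders pass or are neutral"
    else:
        status, detail = "permissive", "no 'all' term: default result is neutral"
    return {"status": status, "detail": detail, "lookups": lookups}


if __name__ == "__main__":
    for recs in (["v=spf1 include:_spf.example.net -all"], ["v=spf1 mx +all"], ["site-verification=abc"]):
        print(recs, "->", evaluate_spf(recs))
```

Note that SPF alone only covers the envelope sender; a missing-SPF finding is worth reporting as spoofing risk only when DMARC is also absent or set to `p=none`, since without DMARC the visible From header is unprotected even with `-all`.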
What Is SPF/TXT Records? An SPF record is a type of Domain Name Service DNS record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain. Checking...
Stored XSS in title parameter executing at EditUser Page & EditProducto page
Description Cross-site scripting XSS is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Proof ...
Out-of-bounds Read in mrb_obj_is_kind_of in
Out-of-bounds Read in mrb_obj_is_kind_of in mruby/mruby Affected commit 791635a8d1ad9aad98aae0a36a91e092e4d71944 Proof of Concept ruby= Math.initialize do $4 prepend dup 4.instance_exec|| super end Below is the output from mruby ASAN build: bash= AddressSanitizer:DEADLYSIGNAL...
Windows-Specific Relative Path Traversal vulnerability in StaticDir server
Description The fix released in version 0.19.1 does not completely fix the relative path traversal vulnerability on Windows hosts. An attacker can access files outside of the configured directory root. This is due to Windows supporting the \ character as a path separator. Proof of Concept With a...
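The check the incomplete fix above was missing, as an added example (not the StaticDir project's code): a resolver that treats `\` as a separator on every platform before normalising, rejects drive letters, NTFS stream syntax and absolute paths, and also refuses Windows reserved device names, which open a device rather than a file whatever the extension. The root directory and request paths are constructed for the demo; the caller is assumed to have URL-decoded the path first.

```python
# Added example (not the project's code): map a client path onto a document
# root so that neither "../" nor "..\" can escape it on Windows or POSIX.
import posixpath
import re

# CON, PRN, AUX, NUL, COM1-9, LPT1-9 are devices on Windows even as "con.txt".
_RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.IGNORECASE)


def safe_resolve(root_dir: str, requested: str):
    """Return the path under root_dir for requested, or None if it must be refused."""
    rel = requested.replace("\\", "/")          # Windows accepts both separators
    if "\x00" in rel:                           # truncates the path in C APIs
        return None
    if rel.startswith("/"):                     # absolute, including UNC "//host/share"
        return None
    if ":" in rel:                              # "C:..." drive paths and "file:stream" ADS
        return None
    norm = posixpath.normpath(rel)              # collapses "a/../b", "./", "//"
    if norm == ".." or norm.startswith("../"):
        return None                             # would climb above the root
    if any(_RESERVED.match(part) for part in norm.split("/")):
        return None
    root = root_dir.rstrip("/")
    return root if norm == "." else posixpath.join(root, norm)


if __name__ == "__main__":
    for p in ("img/../css/site.css", "..\\..\\Windows\\win.ini", "css\\..\\..\\secret.txt", "docs/con.txt"):
        print(repr(p), "->", safe_resolve("/srv/www", p))
```

Normalising before the `..` check matters: `css\..\..\secret.txt` contains no leading `../` until the first `..` has been folded away. A second, independent guard is to resolve the final path with the OS (`os.path.realpath`) and confirm it still starts with the real root, which also catches symlinks inside the tree.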
chafa: NULL Pointer Dereference in function gif_internal_decode_frame at libnsgif.c:599 allows attackers to cause a denial of service (crash) via a crafted input file.
Steps to reproduce the issue git clone https://github.com/hpjansson/chafa.git cd chafa export CFLAGS="-g -O0" export CXXFLAGS="-g -O0" ./autogen.sh ./configure --disable-shared make ./tools/chafa/chafa ./poc.gif gdb --args ./tools/chafa/chafa ./poc.gif...