4072 matches found
Buffer Over-read
Description Buffer Over-read in hpjansson/chafa at xwd-loader.c:185 Build export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure --disable-shared make POC ./tools/chafa/chafa ./poc.png...
Improper Access Control (IDOR)
Description Any user even user without account can view any student photos through student's id. Proof of Concept Access this URL https://www.rosariosis.org/demonstration/assets/StudentPhotos/2021/studentid.jpg - Attacker can see a student personal photo even without school's account student's id...
Reflected XSS
Description hello team, i found a reflected xss in /rtxcomplete/nodeslike via callback parameter Proof of Concept https://arax.rtx.ai/rtxcomplete/nodeslike?=1651210002052&callback=%3CScRiPt%20%3Ealertdocument.domain%3C/ScRiPt%3E&limit=15&word=1...
Reflected XSS
Description Hello , i found an authenticated reflected xss via path fragment this was exploitable through trusting user input in url path fragement , please note : if you wrote a different payload you need to URL Encode the payload twice Proof of Concept Enter this url :...
Cross-site Scripting (XSS) in Error Page
Description The is an XSS could be trigger via error page through invalid file name. Proof of Concept 1.Login as Admin. 2.Upload new file with name .svg 3.Save - Fatal Error Page show up and the xss will be trigger...
DOM XSS in microweber ver 1.2.15
Description Hi there, on your latest version docker images 3463db62a01f, vulnerable to DOM XSS. Proof of Concept...
Blind command injection
Description Hello , its my first report in huntr.dev fast code review : file https://github.com/yogeshojha/rengine/blob/master/web/api/views.pyL820 class CMSDetectorAPIView: def getself, request: req = self.request url = req.queryparams.get'url' savedb = True if 'savedb' in req.queryparams else...
Use after free in append_command
✍️ Description When fuzzing vim commit fc78a0369 works with latest build and latest commit 202b4bd3a per this time of this report with clang 13 and ASan, I discovered a buffer overflow. Proof of Concept Here is the poc bash...
Heap buffer overflow in vim_strncpy find_word
✍️ Description When fuzzing vim commit fc78a0369 works with latest build and latest commit 202b4bd3a per this time of this report with clang 13 and ASan, I discovered a buffer overflow. Proof of Concept Here is the poc bash...
Reflected XSS
Description Bypass XSS filter on /module/ Proof of Concept https://demo.microweber.org/demo/module/?module=admin%2Fmodules%2Fmanage&id=x"draggable="true"ondragexit=alert1&class=x&fromurl=x Drag something around to trigger the XSS. Might only work in FireFox. How to fix This is still CVE-2022-1439...
Cross-site scripting - DOM via view file function
Description In Modules - Files, when click a file will have a popup and in URL will append select-file= fragment, so this fragment in url lead to XSS-DOM. Proof of Concept...
Reflected XSS in microweber
Description Hi there, In your latest version 1.2.15 docker here https://registry.hub.docker.com/r/microweber/microweber, i found an reflected xss endpoint: http://localhost/admin/view:content/action:settings?group=template&template param: template payload: shopmag"alertdocument.cookie Proof of...
Cross-site scripting - Stored via upload ".msg" file
Description When user upload file with .msg extension in white-list, but when access this file, server not reponse with Content-type header, so this file can execute javascript code as Content-type: text/html Proof of Concept POST /microweber/plupload HTTP/1.1 Host: localhost User-Agent:...
Cross-site Scripting (XSS) - Stored
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept - it works on firefox not in chromium based browsers - login as admin - go to...
Cross-site Scripting (XSS)
Proof of Concept Steps to reproduce: Naviagate the below URL URL: https://demo.contao.org/contao/" Here Some Image POC Attached...
Improper Access Control (IDOR)
Description Improper Access Control IDOR could leak admin information. Proof of Concept 1.Login as admin, edit a role to give permission show a user information - save 2.Login as an user with that role - go to url http://my.facturascripts.site/EditUser?code=admin&action=export&option=PDF - Can se...
Thirdparty site authorization header leak
Description mechanize library is used to manipulate the URL of web pages and crawl the contents of web pages. mechanize does not filter the request header after redirecting. It will also transfer the authentication and cookie request header of the first request to the service after redirecting,...
Buffer Over-read in function utfc_ptr2len
Description Buffer Over-read in function utfcptr2len at mbyte.c:2113 vim version git log commit 5a8fad32ea9c075f045b37d6c7739891d458f82b HEAD - master, tag: v8.2.4962, origin/master, origin/HEAD POC ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poch8s.dat -c :qa!...
Heap-based Buffer Overflow in function cmdline_erase_chars
Description Heap-based Buffer Overflow in function cmdlineerasechars at exgetln.c:1085 POC ./vim -u NONE -X -Z -e -s -S ./poch1.dat -c :qa! ================================================================= ==3840814==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000087f at pc...
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729
Description NULL Pointer Dereference in function vimregexecstring at regexp.c:2729 allows attackers to cause a denial of service application crash via a crafted input. POC ./vim -u NONE -X -Z -e -s -S ./pocn.dat -c :qa! Segmentation fault pocn.dat GDB ─── Output/messages...
Cross-site scripting - Stored via upload ".cad" file
Description When user upload file with .cad extension in white-list, server will stored .cad file at userfiles/media/default/, so we can direct access. Becase when access this file, server not reponse with Content-type header, so this file can execute javascript code as Content-type: text/html...
Multiple Store XSS via upload svg file and the file name of attachment
Description Hi There, facturascripts is vulnerable to store XSS by upload svg file, and the filename Step to produce with svg file Login as admin or any account has role Admin-Library, access Admin - library - New and upload file svg with content: alertdocument.cookie; save this. XSS will be...
Stored XSS on Import Targets
Description Hello, When a XSS payload is used as the Add or Import Targets file name, it executes it hence stored XSS is possible. Proof of Concept Name a file .txt Import the file at /target/add/target You can see it being executed...
Refelect XSS in facturascripts
Description facturascripts is vulnerable to XSS in fsNick parameter Proof of Concept save this code as poc.html history.pushState'', '', '/' document.forms0.submit; open file with your browser - xss trigger...
Cross-site Scripting (XSS) - Stored via htm file upload
Description rosariosis is vulnerable to Stored XSS in the File upload in Assignments by uploading an htm file with the javascript code inside. Proof-of-Concept phish.htm Test Upload File Test upload alert1 Step to reproduce From attacker side student 1.Login to the demo environment by student...
Cross-site Scripting (XSS) - Reflected
Description Reflected cross-site scripting or XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Proof of Concept Turn on debugger mode. Add path /?alertorigin to any endpoint - script will be reflected, executed...
NULL Pointer Dereference in function mobi_build_opf_metadata at opf.c:1161
Description NULL Pointer Dereference in function mobibuildopfmetadata at opf.c:1161 allows attackers to cause a denial of service application crash via a crafted input file Build git clone https://github.com/bfabiszewski/libmobi.git cd libmobi export CFLAGS="-g -O0 -lpthread -fsanitize=address"...
Cross-site Scripting (XSS) - Stored via xHTML file upload
Description rosariosis is vulnerable to Stored XSS in the File upload in Assignments by uploading an xHTML file with the javascript code inside. Proof of Concept phish.xhtml alertdocument.domain; Step to reproduce From attacker side student 1.Login to the demo environment by student account...
Insecure Storage of Sensitive Information
Description When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of Scoold users like their Geolocation, their Device information like Device Name, Version, Software & Software version used,...
Small Space of Random Values
Description The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks. Vulnerable code snippet $password = $staff'USERNAME' . rand 1000, 9999 ;...
Cross-site Scripting (XSS)
Proof of Concept 1 Login to the webapplication 2 Navigate to the below URL URL :- https://demo.livehelperchat.com/siteadmin/system/languages/updated/true/sa/HEXX%22%3E%3Ca%20onmouseover=alert11122%3EDEXX%3Ca Below some image POC...
Cross-site Scripting (XSS) - Stored via HTML file upload
Description rosariosis is vulnerable to Stored XSS in the File upload in Assignments by uploading an HTML file with the javascript code inside. Proof-of-Concept phish.html Test Upload File Test upload alert1 Step to reproduce From attacker side student 1.Login to the demo environment by student...
Buffer Over-read
Description Stack-based Buffer Overflow at index.c:991 Build git clone https://github.com/bfabiszewski/libmobi.git cd libmobi export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure...
Buffer Over-read at parse_rawml.c:1416
Description Heap-based Buffer Overflow at parserawml.c:1416 Build git clone https://github.com/bfabiszewski/libmobi.git cd libmobi export CFLAGS="-g -O0 -lpthread -fsanitize=address" export CXXFLAGS="-g -O0 -lpthread -fsanitize=address" export LDFLAGS="-fsanitize=address" ./autogen.sh ./configure...
SQL injection in Calendar.php
Description In Calendar.php line 498-513, web server get values parameter as a part of sql query without sanitize, so attacker can be manipulated sql query, which is executed by web server...
HTML Injection in Subscan view
Description HTML code is executed in the Subscan feature Proof of Concept 1. Add a scan engine: HTMLInjection 2. Go to "subdomains" for a target and add a Subscan using the scan engine. 3. Initiate a Subscan 4. View the subscan...
Stored XSS via Scan Engine Name
Description Scan Engine name is displayed in different places without validation Proof of Concept 1. Add a scan engine with name: 2. Scan a target, Create scheduled tasks 3. Go to https://127.0.0.1/scan/history/scan Note: Try on a private browser if it doesn't execute on the first. I am not sure...
Improper handling of Length parameter
Description There was no restriction on the amount of text that can be inserted into a user's name field. When the text size was large enough the service resulted in a momentary outage in our non-production environment not high availability. An internal reproduction showed isolated disruption but...
Cross Site Request Forgery in Release all grades feature
Description Hi there, there is a Cross site request Forgery in your Release all grades feature. This is due to the release all grades action is using GET request method. Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which...
Authenticated Reflected XSS
Description Hello Team , I found a Authenticated Reflected XSS when you go here : https://demo.collectiveaccess.org and then login as demo , demo username,password Proof of Concept https://demo.collectiveaccess.org/lookup/DisplayTemplate/Get?table=caobjects&id=21&template=asdasdasdasd alert1xx...
Cross-site Scripting (XSS) - Stored
Description he software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Proof of Concept - login as an admin - go to...
Mass Assignment Leading to (Limited) Password Confirmation Bypasses at UsersController
Description Hello there! Hope you are having an amazing day! 🤗 Just found out, while testing one of diaspora\ open servers, that the /user/edit endpoint has a limited case of "mass assignment", which enables an authenticated user to change their password and disable 2FA or change its secret witho...
Cross-site Scripting (XSS) - Stored
Description Stored XSS found due to long name summarize Proof of Concept 1.First, access the latest version of the demo environment. https://www.rosariosis.org/demonstration/index.php 2.Then log in with your teacher account teacher/teacher 3.After logging in, access to add an assignment. 4.Then...
Cross-site scripting - Stored via upload xml file
Description When user upload file with XML extension in white-list, server will stored XML file at assets/PortalNotesFiles/, so we can direct access and execute javascript code. Proof of Concept POST /rosariosis/Modules.php?modname=SchoolSetup/PortalNotes.php&modfunc=update HTTP/1.1 Host:...
Out-of-bounds Read in r_bin_java_bootstrap_methods_attr_new function
Description Out-of-bounds OOB read vulnerability exists in rbinjavabootstrapmethodsattrnew function in Radare2 5.6.9. This is similar with CVE-2022-0518 and CVE-2022-0521. Version radare2 5.6.9 27745 @ linux-x86-64 git.conti commit: 14189710859c27981adb4c2c2aed2863c1859ec5 build: 2022-04-2311:05:...
Out-of-bounds Read in r_bin_java_constant_value_attr_new function
Description Out-of-bounds OOB read vulnerability exists in rbinjavaconstantvalueattrnew function in Radare2 5.6.9. This is similar with CVE-2022-0518 and CVE-2022-0521 Version radare2 5.6.9 27745 @ linux-x86-64 git.conti commit: 14189710859c27981adb4c2c2aed2863c1859ec5 build: 2022-04-2311:05:49...
Stored Cross Site Scripting vulnerability in the checked_out_to parameter
Description The checkedoutto is not escaped, which leads to a XSS problem. Proof of Concept 1. 1.Login to the demo account 2. 2.Report-Depreciation Report 3. 3.Choose a Asset and goto Assets menu and check it out. new a location which is '" and check the asset to this location 4. 4.Return to...
Improper authorization - receptionist can read all Clinic reports
Description Hi there openemr maintainers, I would like to report an improper authorization vulnerability in your source code. Proof of Concept 1. Install openemr in your system and create an admin account and a receptionist account 2. Log in as receptionist and see that you don't see Reports...
Improper Privilege Management - receptionist can view background services and log for admin
Description Hi there openemr maintainers, I would like to report an improper authorization vulnerability in your source code. Proof of Concept 1. Install openemr in your system and create an admin account and a receptionist account 2. Log in as receptionist and see that you don't see Reports...
Improper authorization - receptionist can read all secure messaging
Description Hi there openemr maintainers, I would like to report an improper authorization vulnerability in your source code. Proof of Concept 1. Install openemr in your system and create an admin account and a receptionist account 2. Use admin account and create a secure message by go to Portal...