4072 matches found
SQL injection in PortalNotes
Description In PortalNotes.php, web server get values parameter as a part of sql query without sanitize, so attacker can be manipulated sql query, which is executed by web server. Proof of Concept POST /rosariosis/Modules.php?value=123 HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 Windows...
Cross-site scripting - Reflected via mime-type file upload
Description When user upload file with extension not in white-list, server will throw error attach with mime-type of file upload user can controll without sanitize. Proof of Concept POST /rosariosis/Modules.php?modname=SchoolSetup/PortalNotes.php&modfunc=update HTTP/1.1 Host: localhost:8080...
XSS in /demo/module/?module=HERE
Description Reflected XSS in /demo/module/?module= bypass of fix for CVE-2022-1439 Proof of Concept In this report I showed an XSS and while one of the filter evasion mechanisms was fixed, the root cause persists to allow other payloads. As I mentioned there are event handlers which are unblocked...
Remote access to another's conversation based on their email address
System: - Chatwoot 2.4.1, self-hosted - User identity validation is enabled - Each client has a unique identifier and a corresponding valid hmac Description User B can impersonate User A and access his chat history by filling in user A's email address in the setUser despite that the two users do...
Sed Injection Vulnerability
Description In Hestia Control Panel 1.5.11, several v-scripts shell scripts have sed injection vulnerabilities. By chaining these vulnerabilities, an authenticated remote attacker with low privileges can execute arbitrary code under root context. Sed injection vulnerabilities exist in the followi...
Stored XSS via upload plugin functionality in zip format
Description Cross-site scripting XSS is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Here...
heap-use-after-free
Description Whilst experimenting with radare2, built from version 5.6.8, we are able to induce a vulnerability at newrbtree.c:411 in function rrbnodenext , using radare2 as a harness. 409: RAPI RRBNode rrbnodenextRRBNode node 410: rreturnvaliffail node, NULL; //use-after-free here 411: if...
Reflected XSS on demo.microweber.org/demo/module/
Description Reflected XSS with filter bypass on /demo/module/ using module= & style= parameters. Proof of Concept https://demo.microweber.org/demo/module/?module='ontransitionend=alert1'"tabindex=1&style=transition:outline%200.001s&id=x&data-show-ui=admin&class=x&fromurl=https://demo.microweber.o...
Cross-site Scripting (XSS) - Generic
Description The Stream URL of octoprint application allowing xss payload to execute for which its leads to Cross-site Scripting XSS Proof of Concept Login to the application Now go to settings - Webcam & Timelapse - Stream URL and insert the payload " in the Stream URL and click on "Test" You wil...
no spoofing protection on email domain (No Valid SPF Records.)
What Is SPF/TXT Records? An SPF record is a type of Domain Name Service DNS record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain. Checking...
Store XSS in title parameter executing at EditUser Page & EditProducto page
Description Cross-site scripting XSS is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Proof ...
Out-of-bounds Read in mrb_obj_is_kind_of in
Out-of-bounds Read in mrbobjiskindof in mruby/mruby Affected commit 791635a8d1ad9aad98aae0a36a91e092e4d71944 Proof of Concept ruby= Math.initialize do $4 prepend dup 4.instanceexec|| super end Below is the output from mruby ASAN build: bash= AddressSanitizer:DEADLYSIGNAL...
Windows-Specific Relative Path Traversal vulnerability in StaticDir server
Description The fix released in version 0.19.1 does not completely fix the relative path traversal vulnerability on Windows hosts. An attacker can access files outside of the configured directory root. This is due to Windows supporting the \ character as a path separator. Proof of Concept With a...
chafa: NULL Pointer Dereference in function gif_internal_decode_frame at libnsgif.c:599 allows attackers to cause a denial of service (crash) via a crafted input file.
Steps to reproduce the issue git clone https://github.com/hpjansson/chafa.git cd chafa export CFLAGS="-g -O0" export CXXFLAGS="-g -O0" ./autogen.sh ./configure --disable-shared make ./tools/chafa/chafa ./poc.gif gdb --args ./tools/chafa/chafa ./poc.gif...
Heap-based Buffer Overflow
Description Heap-based buffer overflow in coresymbolication:272 Environment radare2 5.6.9 0 @ linux-x86-64 git. commit: 5.6.9 build: 2022-04-1923:49:49 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...
Open Redirect
Description Url redirection at the endpoint /login?next= which leads to redirect admin to malicious domain Proof of Concept Send this link to adminhttp://localhost:3000/login?next=http://evil.com When he will open it and try to login the url will redirect to /evil.com POC VIDEO...
Dom xss leads to account takeover
Description The endpoint of login allows Javascript payload to execute which leads to XSS pop-up Proof of Concept Send this link to admin http://127.0.0.1:2222/login/?redirect=javascript:alertdocument.cookie When he will open it and try to login XSS will popup. Image POC...
A null pointer reference in libmobi.
Description The vulnerability at src/index.cL 1054, function mobitrieinsertinfl. At line 1063 shown as below, function mobigetcncxstringflat uses len as parameter, len got from t.tagvalues. While at line 1060, program doesn’t check the initial value of tagvaluescount, when the for loop begins wit...
Relative Path Traversal vulnerability in StaticDir server
Description There is a relative path traversal vulnerability in the serve module of the extra crate. An attacker can simply request a relative path and access files outside of the configured directory root. Proof of Concept With a static folder in the project directory: rs // main.rs use...
Improper Access Control on view student list
Description lavsms system provide a feature for teachers to view any student in the systems. The problem is when student also can view the student's list. They also can download the list in pdf or excel. Proof of Concept 1. GET http://lavsms.test/students/list/id Step to reproduce 1. Login as...
Command Injection vulnerability in [email protected]
Command Injection vulnerability in [email protected] git-interface describes itself as a Interface to work with a git repository in node.js Resources: Project's GitHub source code: https://github.com/yarkeev/git-interface Project's npm package: https://www.npmjs.com/package/git-interface I'm...
SQL injection vulnerability in ARAX-UI Synonym Lookup functionality
Description The /rtxcomplete/nodeslike endpoint in the ARAX-UI application at https://arax.rtx.ai is vulnerable to SQL injection. It is possible to include a malicious SQL payload in the word query parameter for this endpoint that would allow an attacker to dump the database, make modifications t...
API Privilege Escalation
Description Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. On Easy!Appointments API authorizati...
Unrestricted Image Upload
Description When testing file upload function in Organizr 2.1.1830, there are improvement on image upload features in Image Manager. But user can bypass it by identify double extension file type method Proof of Concept 1 Login and go to Settings - Image Manager 2 Upload file with double extension...
Use of Out-of-range Pointer Offset
Description This issue occur in the version 8.2.4739 Proof of Concept ➜ vim git:master ✗ echo -n AO8A9C4K/QAKaWZ7e3t7e30tPigzKSg/PWEpezAsMSYKaWZ7e2Z7eyAtPig/PVk8ezAsMTB9Yb7dMH1hvt17MRAALS6zNQAAAAr/AF0KgAr1 | base64 -d POC1 ➜ vim git:master ✗ ./src/vim -u NONE -i NONE -n -X -Z -e -m -s -S POC1 -c...
Unrestructed file upload
Description I found unrestricted file upload leads to xss, vulnerability can be exploited by uploading a crafted payload inside a file. Then, the vulnerability can be triggered when the user previews the files content. Proof of Concept unrestricted file upload payload...
Heap-based Buffer Overflow
Description Heap-based Buffer Overflow in rreadle32 Environment radare2 5.6.7 0 @ linux-x86-64 git. commit: 5.6.7 build: 2022-04-1215:06:26 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...
global heap buffer overflow in skip_range
✍️ Description When fuzzing vim commit f420ff244 v8.2.4747 with clang 13 and ASan, I discovered a global buffer overflow. Proof of Concept Here is the minified poc bash r 0norm0V:^ How to build bash LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address"...
DoS due to unrestricted hashing
Description The application accepts strings of any size as passwords and processes hashes the string to check in the database if the user exists, for example upon login. Being the hashing process resource-intensive, it can be possible to cause Denial of Service without particular processing power...
SQL injection in GridHelperService.php
Description In line 786, we can see $conditionFilters = $filterField . ' ' . $operator . ' ' . $value;. The three variables joins to a string, and the variables come from the request parameter.Maybe line 793 is vulnerable too. The code comes from prepareAssetListingForGrid function. The function ...
NULL Pointer Dereference
Description NULL pointer dereference in rbinnegetsegments Environment Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal radare2 5.6.7 0 @ linux-x86-64 git. commit: 5.6.7 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan"...
Improper access control could make any user export all user of website
Description A user who has to change their password after logging in can export the website's user data. Proof of Concept Step 1: login to website by admin account and change password of a user. Check the box "Force password change upon next login" and save. Step 2: login to website by the accoun...
librenms alert-rules Stored XSS
Description Please enter a description of the vulnerability. 1 . Go to http://SERVER/device-group and Create New-device Group 2 . Input Name parameter following XSS payload and save payload 1 3 . Go to http://SERVER/alert-rules and add Rule. You can choose the Device group that contains XSS paylo...
librenms bills Description & Notes Stored XSS
Description Please enter a description of the vulnerability. Proof of Concept 1. Login 2. go to http://librenms/bills 3. Click to Create Bill 4. Add Description or Notes "" // PoC.js payload1 payload2 POST /bills/ HTTP/1.1 Host: 192.168.0.4 Connection: keep-alive Content-Length: 310 Cache-Control...
Open Redirect
Description An Open Redirect vulnerability enables attacker to redirect the victims/users to malicious websites. The bug exists due to improper fix of https://huntr.dev/bounties/bac0b763-730c-4c4b-8b20-eb4926928cf3/. By using double / it is possible to bypass the check for http at the beggining o...
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write
Description file.copy operations in GruntJS are vulnerable to a TOC-TOU race condition leading to arbitrary file write when an attacker can create a symlink just after deletion of the dest symlink by repeatedly calling ln -s /etc/shadow2 dest/shadow2 in a while loop but right before the symlink i...
Stored XSS on add Group Name
Description XSS found on function add Group Name on User Management module at Organizr 2.1.1810. Proof of Concept 1 Go to User Management - Manage Group 2 Add new group 3 Insert payload on "Group Name" field then Add Group Payload 1 "alert"xss-here"; Screenshot 1 xss-triger 2 version 3 document...
Stored xss bug
Description stored xss bug Proof of Concept create a public repo and create a issue .\ now in issue upload a html file with xss payload inside.\ When any user view the repo and click the attachment link then xss is executed .\ you can upload...
stored xss due to unsantized anchor url
BUG ====== stored xss due to unsantized anchor url SUMMURY ========= using fullpage.js you can create a anchor tag . But when put href in anchor then it does not sanitize the url which allow to break context of anchor element and can add our new element . I see main javascript or other javascript...
Cross-site Scripting (XSS) - Stored
Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then, the vulnerability can be triggered when the user previews the document´s content. Proof ...
Stored Cross Site Scripting vulnerability in Item name parameter
Description Stored cross site scripting vulnerability on Item name parameter in Assest module. Add payload in item name and whenever the user add the item in his requested assest . The alert will trigger. Proof of Concept 1. Login to the demo account 2. Go to Asset functionality , add or edit an...
libde265 1.0.8, was discovered to contain a heap-use-after-free in put_qpel_fallback
Description libde265 1.0.8, was discovered to contain a heap-use-after-free in putqpelfallback fallback-motion.cc ENV - Version : 1.0.8 - Commit : 45904e5667c5bf59c67fcdc586dfba110832894c - OS : Ubuntu 18.04 - Configure : cmake -DCMAKEBUILDTYPE=Debug -DCMAKECXXCOMPILER=clang++-10...
URL Restriction Bypass
Description The validation of URLs contains flaws that allow bypassing security restrictions that are applied in the security profiles of PlantUML. There are two different flaws through which validation mechanisms can be circumvented. In the examples images are loaded to showcase the bypass...
Out-of-bounds Read in r_bin_ne_get_entrypoints function
Description Out-of-bounds OOB read vulnerability exists in rbinnegetentrypoints function in Radare2 5.6.7 Version bash radare2 5.6.7 27777 @ linux-x86-64 git.5.6.6 commit: 0c4af43def68ce29f7a74847bb1b7286da155200 build: 2022-04-1008:53:32 Analysis The vulnerability exists due to the invalid type...
Multiple Stored XSS
Description The organizr application allows malicious javascript payload in multiple-input fields like "Categories", "Bookmark Tabs" and "Bookmark Categories" for which attacker can takeover the admin account. Proof of Concept 1.Login to the co-admin account and go to go to "Settings" - "Tab...
Stored XSS due to no sanitization in the filename
Description The organizr application doesn't sanitize malicious javascript payload which leads to stored XSS and can also perform to the takeover admin account. Proof of Concept 1.Login with Co-admin account and go to "Settings" - "Image Manager" and upload any small size jpeg image and intercept...
Stored XSS viva .svg file upload
Description The application allows .svg files to upload which leads to stored XSS Proof of Concept 1.Download the payload from this link:- https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing 2.Login to the application with Co-admin account and go to "Settings" -...
Stored XSS in the "Username" & "Email" input fields leads to account takeover of Admin & Co-admin users
Description The application Organizr allows malicious javascript in the "Username" & "Email" input fields for which an attacker can able to take over the account of Admin & Co-admin users. Proof of Concept 1.During "Signup" put the below payloads in the "Username" & "Email" input fields. 2.Now ru...
Leaking password protected articles content due to improper access control
Description Any user who can publish their article can protect it using a password before publishing. So, a valid password to the article is required to view the contents of the article. But when a request is made to article /2022/04/10/ the UI show it requires a password to view content. But the...
ZeroTierOne for windows local privilege escalation because of incorrect directory privilege
Description When administrators install zerotierone for windows, it will install ZeroTierOneService, the ImagePath of it is C:\ProgramData\ZeroTier\One\zerotier-onex64.exe,however, the permission of C:\ProgramData\ZeroTier\One\ is incorrect, an attacker with low privilege can get system privilege...