Heap-based Buffer Overflow
Description Heap-based buffer overflow in coresymbolication:272 Environment radare2 5.6.9 0 @ linux-x86-64 git. commit: 5.6.9 build: 2022-04-19 23:49:49 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...
Open Redirect
Description URL redirection at the endpoint /login?next= which leads to redirecting the admin to a malicious domain Proof of Concept Send this link to the admin: http://localhost:3000/login?next=http://evil.com When he opens it and tries to log in, the URL will redirect to /evil.com POC VIDEO...
Dom xss leads to account takeover
Description The login endpoint allows a JavaScript payload to execute, which leads to an XSS pop-up Proof of Concept Send this link to the admin: http://127.0.0.1:2222/login/?redirect=javascript:alertdocument.cookie When he opens it and tries to log in, the XSS will pop up. Image POC...
A null pointer reference in libmobi.
Description The vulnerability is at src/index.c L1054, function mobi_trie_insert_infl. At line 1063, shown below, function mobi_get_cncx_string_flat uses len as a parameter, and len is taken from t.tagvalues. But at line 1060 the program doesn't check the initial value of tagvalues_count, so when the for loop begins wit...
Relative Path Traversal vulnerability in StaticDir server
Description There is a relative path traversal vulnerability in the serve module of the extra crate. An attacker can simply request a relative path and access files outside of the configured directory root. Proof of Concept With a static folder in the project directory: rs // main.rs use...
Improper Access Control on view student list
Description The lavsms system provides a feature for teachers to view any student in the system. The problem is that a student can also view the student list. They can also download the list as PDF or Excel. Proof of Concept 1. GET http://lavsms.test/students/list/id Steps to reproduce 1. Login as...
Command Injection vulnerability in [email protected]
Command Injection vulnerability in [email protected] git-interface describes itself as an Interface to work with a git repository in node.js Resources: Project's GitHub source code: https://github.com/yarkeev/git-interface Project's npm package: https://www.npmjs.com/package/git-interface I'm...
SQL injection vulnerability in ARAX-UI Synonym Lookup functionality
Description The /rtxcomplete/nodeslike endpoint in the ARAX-UI application at https://arax.rtx.ai is vulnerable to SQL injection. It is possible to include a malicious SQL payload in the word query parameter for this endpoint that would allow an attacker to dump the database, make modifications t...
API Privilege Escalation
Description Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. On Easy!Appointments API authorizati...
Unrestricted Image Upload
Description When testing the file upload function in Organizr 2.1.1830, there are improvements to the image upload features in Image Manager. But a user can bypass them by using a double-extension file type method Proof of Concept 1 Login and go to Settings - Image Manager 2 Upload a file with a double extension...
Use of Out-of-range Pointer Offset
Description This issue occurs in version 8.2.4739 Proof of Concept ➜ vim git:master ✗ echo -n AO8A9C4K/QAKaWZ7e3t7e30tPigzKSg/PWEpezAsMSYKaWZ7e2Z7eyAtPig/PVk8ezAsMTB9Yb7dMH1hvt17MRAALS6zNQAAAAr/AF0KgAr1 | base64 -d POC1 ➜ vim git:master ✗ ./src/vim -u NONE -i NONE -n -X -Z -e -m -s -S POC1 -c...
Unrestricted file upload
Description I found an unrestricted file upload that leads to XSS; the vulnerability can be exploited by uploading a crafted payload inside a file. Then the vulnerability can be triggered when the user previews the file's content. Proof of Concept unrestricted file upload payload...
Heap-based Buffer Overflow
Description Heap-based Buffer Overflow in r_read_le32 Environment radare2 5.6.7 0 @ linux-x86-64 git. commit: 5.6.7 build: 2022-04-12 15:06:26 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address...
global heap buffer overflow in skip_range
Description When fuzzing vim commit f420ff244 v8.2.4747 with clang 13 and ASan, I discovered a global buffer overflow. Proof of Concept Here is the minified poc bash r 0norm0V:^ How to build bash LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address"...
DoS due to unrestricted hashing
Description The application accepts strings of any size as passwords and hashes the string to check in the database whether the user exists, for example upon login. Since the hashing process is resource-intensive, it is possible to cause a Denial of Service without particular processing power...
SQL injection in GridHelperService.php
Description In line 786, we can see $conditionFilters = $filterField . ' ' . $operator . ' ' . $value;. The three variables are joined into a string, and the variables come from the request parameter. Maybe line 793 is vulnerable too. The code comes from the prepareAssetListingForGrid function. The function ...
NULL Pointer Dereference
Description NULL pointer dereference in r_bin_ne_get_segments Environment Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal radare2 5.6.7 0 @ linux-x86-64 git. commit: 5.6.7 Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan"...
Improper access control could make any user export all user of website
Description A user who has to change their password after logging in can export the website's user data. Proof of Concept Step 1: login to website by admin account and change password of a user. Check the box "Force password change upon next login" and save. Step 2: login to website by the accoun...
librenms alert-rules Stored XSS
Description 1 . Go to http://SERVER/device-group and Create New-device Group 2 . Input the following XSS payload in the Name parameter and save payload 1 3 . Go to http://SERVER/alert-rules and add a Rule. You can choose the Device group that contains the XSS paylo...
librenms bills Description & Notes Stored XSS
Description Proof of Concept 1. Login 2. go to http://librenms/bills 3. Click to Create Bill 4. Add Description or Notes "" // PoC.js payload1 payload2 POST /bills/ HTTP/1.1 Host: 192.168.0.4 Connection: keep-alive Content-Length: 310 Cache-Control...
Open Redirect
Description An Open Redirect vulnerability enables an attacker to redirect the victims/users to malicious websites. The bug exists due to an improper fix of https://huntr.dev/bounties/bac0b763-730c-4c4b-8b20-eb4926928cf3/. By using a double / it is possible to bypass the check for http at the beginning o...
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write
Description file.copy operations in GruntJS are vulnerable to a TOC-TOU race condition leading to arbitrary file write when an attacker can create a symlink just after deletion of the dest symlink by repeatedly calling ln -s /etc/shadow2 dest/shadow2 in a while loop but right before the symlink i...
Stored XSS on add Group Name
Description XSS found on function add Group Name on User Management module at Organizr 2.1.1810. Proof of Concept 1 Go to User Management - Manage Group 2 Add new group 3 Insert payload on "Group Name" field then Add Group Payload 1 "alert"xss-here"; Screenshot 1 xss-triger 2 version 3 document...
Stored xss bug
Description Stored XSS bug Proof of Concept Create a public repo and create an issue. Now in the issue upload an HTML file with an XSS payload inside. When any user views the repo and clicks the attachment link, the XSS is executed. You can upload...
stored xss due to unsantized anchor url
BUG: stored XSS due to unsanitized anchor URL SUMMARY: Using fullpage.js you can create an anchor tag. But when you put an href in the anchor, it does not sanitize the URL, which allows breaking the context of the anchor element and adding a new element. I see main javascript or other javascript...
Cross-site Scripting (XSS) - Stored
Description Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then the vulnerability can be triggered when the user previews the document's content. Proof ...
Stored Cross Site Scripting vulnerability in Item name parameter
Description Stored cross site scripting vulnerability in the Item name parameter in the Asset module. Add the payload in the item name, and whenever the user adds the item to his requested asset, the alert will trigger. Proof of Concept 1. Login to the demo account 2. Go to Asset functionality, add or edit an...
libde265 1.0.8, was discovered to contain a heap-use-after-free in put_qpel_fallback
Description libde265 1.0.8 was discovered to contain a heap-use-after-free in put_qpel_fallback (fallback-motion.cc) ENV - Version : 1.0.8 - Commit : 45904e5667c5bf59c67fcdc586dfba110832894c - OS : Ubuntu 18.04 - Configure : cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_COMPILER=clang++-10...
URL Restriction Bypass
Description The validation of URLs contains flaws that allow bypassing security restrictions that are applied in the security profiles of PlantUML. There are two different flaws through which validation mechanisms can be circumvented. In the examples images are loaded to showcase the bypass...
Out-of-bounds Read in r_bin_ne_get_entrypoints function
Description An Out-of-bounds (OOB) read vulnerability exists in the r_bin_ne_get_entrypoints function in Radare2 5.6.7 Version bash radare2 5.6.7 27777 @ linux-x86-64 git.5.6.6 commit: 0c4af43def68ce29f7a74847bb1b7286da155200 build: 2022-04-10 08:53:32 Analysis The vulnerability exists due to the invalid type...
Multiple Stored XSS
Description The organizr application allows a malicious JavaScript payload in multiple input fields like "Categories", "Bookmark Tabs" and "Bookmark Categories", through which an attacker can take over the admin account. Proof of Concept 1.Login to the co-admin account and go to "Settings" - "Tab...
Stored XSS due to no sanitization in the filename
Description The organizr application doesn't sanitize a malicious JavaScript payload, which leads to stored XSS and can also lead to takeover of the admin account. Proof of Concept 1.Login with the Co-admin account and go to "Settings" - "Image Manager" and upload any small jpeg image and intercept...
Stored XSS via .svg file upload
Description The application allows .svg files to be uploaded, which leads to stored XSS Proof of Concept 1.Download the payload from this link:- https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing 2.Login to the application with the Co-admin account and go to "Settings" -...
Stored XSS in the "Username" & "Email" input fields leads to account takeover of Admin & Co-admin users
Description The application Organizr allows malicious JavaScript in the "Username" & "Email" input fields, through which an attacker is able to take over the account of Admin & Co-admin users. Proof of Concept 1.During "Signup" put the below payloads in the "Username" & "Email" input fields. 2.Now ru...
Leaking password protected articles content due to improper access control
Description Any user who can publish their article can protect it using a password before publishing. So a valid password for the article is required to view the contents of the article. But when a request is made to article /2022/04/10/ the UI shows it requires a password to view the content. But the...
ZeroTierOne for windows local privilege escalation because of incorrect directory privilege
Description When administrators install zerotierone for windows, it installs ZeroTierOneService, whose ImagePath is C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe. However, the permission of C:\ProgramData\ZeroTier\One\ is incorrect, so an attacker with low privilege can get system privilege...
libde265 1.0.8, was discovered to contain a heap-buffer-overflow in put_epel_16_fallback (fallback-motion.cc)
Description libde265 1.0.8 was discovered to contain a heap-buffer-overflow in put_epel_16_fallback (fallback-motion.cc) ENV - Version : 1.0.8 - Commit : 45904e5667c5bf59c67fcdc586dfba110832894c - OS : Ubuntu 18.04 - Configure : cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_COMPILER=clang++-10...
SQL injection in ElementController.php
Description The property parameter is appended to the SQL query directly, which leads to a SQL injection problem. If you set a wrong value, you can see the error in the log. Then you can check the result after injection. Proof of Concept // PoC.js "body":...
Server Side Template Injection
Description Grav is vulnerable to Server Side Template Injection via Twig. According to a previous vulnerability report, Twig should not render dangerous functions by default, such as system. PoC video. Proof of Concept Payload: 'cat\x20/etc/passwd'|filter'system' 1. With an authenticated user,...
Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true
Description Hello and thank you for the wonderful library! We use it extensively in our app. However, I think we've identified an XSS vulnerability in the Export plug-in. If you set the exportOptions in your Bootstrap Table to true, then you can force arbitrary Javascript to execute see the...
NULL Pointer Dereference in r_bin_ne_get_entrypoints function
Description A NULL pointer dereference vulnerability in the r_bin_ne_get_entrypoints function due to a missing check before using the pointer. Version bash radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6 commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-06 14:41:37 POC bash radare2 -q -A poc poc...
Out-of-bounds read in `r_bin_ne_get_relocs` function
Description An Out-of-bounds (OOB) read vulnerability exists in the r_bin_ne_get_relocs function in Radare2 5.6.7 due to a missing check on the index value. Version bash radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6 commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-06 14:41:37 Proof of Concept bas...
Out-of-bounds Read in mrb_get_args
Out-of-bounds Read in mrb_get_args in mruby/mruby Affected commit 3cf291f72224715942beaf8553e42ba8891ab3c6 Proof of Concept ruby= 0..% = 0,0,0,0,0,0,0,0,0,0,0,0,0, = 0 Below is the output from mruby ASAN build: bash= AddressSanitizer:DEADLYSIGNAL...
FULL read SSRF
Description There are two bypass methods for the previous fixes of SSRF in gogs. The first is to carry out the SSRF attack with a DNS rebinding feature. The second is to use redirection to a localhost URL. Proof of Concept 1- go to the webhooks section and create a gogs webhook. 2- enter a URL that redirects...
heap-use-after-free
Description Whilst experimenting with radare2, built from version 5.6.6, we are able to induce a vulnerability at reg.c:101 in function r_reg_get_name_idx, using radare2 as a harness. 99: R_API int r_reg_get_name_idx(const char *type) { 100: r_return_val_if_fail (type, -1); //use-after-free here 101: if (type[0] &&...
XSS vulnerability with default `onCellHtmlData` function
Description If you can jam some nasty code into a table-cell, you can force this script to perform arbitrary javascript when someone tries to export the table using this library. An example used against us was: " It looks like, if you don't specify an onCellHtmlData function, the default one is...
XSS affecting "Logs" Page
Description A review of organizr's logging system found it is possible for an unauthenticated threat actor to inject arbitrary JavaScript into the "Logs" page found within the administrator dashboard. In a default installation organizr is set to log failed login attempts. In these attempts, the...
heap-buffer-overflow
Description Whilst experimenting with radare2, built from version 5.6.6, we are able to induce a vulnerability at bin_dyldcache.c:125 in function va2pa, using radare2 as a harness. 118: static ut64 va2pa(uint64_t addr, ut32 n_maps, cache_map_t *maps, RBuffer *cache_buf, ut64 slide, ut32 *offset, ut32 *left...
heap-buffer-overflow in mrb_vm_exec in mruby/mruby
Affected commit: 3cf291f72224715942beaf8553e42ba8891ab3c6 Proof of Concept ruby= v10 = 0 v15 = "" v16 = srand1337 v20 = protectedmethods.fill|| v20 = Array.instanceeval|| method method privatemethods.zip rescue GC.start removemethod removemethod privatemethods.sample rescue Float v16.v15.v10 resc...
XSS in livehelperchat
Description LiveHelperChat is vulnerable to XSS in /cobrowse/checkmirrorchanges/: in its response it reflects the url parameter into JSON content while the response content type is HTML. STEP 1: set the url in the following request POST /cobrowse/storenodemap/hash/174QXubVQ2cHdPR5xt5vNLBWVRnRwNu6MBWHoxRs3/?url= HTTP/1.1...