4072 matches found
libde265 1.0.8, was discovered to contain a heap-buffer-overflow in put_epel_16_fallback (fallback-motion.cc)
Description libde265 1.0.8, was discovered to contain a heap-buffer-overflow in putepel16fallback fallback-motion.cc ENV - Version : 1.0.8 - Commit : 45904e5667c5bf59c67fcdc586dfba110832894c - OS : Ubuntu 18.04 - Configure : cmake -DCMAKEBUILDTYPE=Debug -DCMAKECXXCOMPILER=clang++-10...
SQL injection in ElementController.php
Description The property parameter is append to the sql query directly, which leads to a sql injection problem. if you set a wrong value. you can see the error from log. then you can check the result. after injection Proof of Concept // PoC.js "body":...
Server Side Template Injection
Description Grav is vulnerable to Server Side Template Injection via Twig. According to a previous vulnerability report, Twig should not render dangerous functions by default, such as system. PoC video. Proof of Concept Payload: 'cat\x20/etc/passwd'|filter'system' 1. With an authenticated user,...
Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true
Description Hello and thank you for the wonderful library! We use it extensively in our app. However, I think we've identified an XSS vulnerability in the Export plug-in. If you set the exportOptions in your Bootstrap Table to true, then you can force arbitrary Javascript to execute see the...
NULL Pointer Dereference in r_bin_ne_get_entrypoints function
Description A NULL pointer deference vulnerability in rbinnegetentrypoints function due to a missing check before using the pointer. Version bash radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6 commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-0614:41:37 POC bash radare2 -q -A poc poc...
Out-of-bounds read in `r_bin_ne_get_relocs` function
Description Out-of-bounds OOB read vulnerability exists in rbinnegetrelocs function in Radare2 5.6.7 due to a missing check on the index value. Version bash radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6 commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-0614:41:37 Proof of Concept bas...
Out-of-bounds Read in mrb_get_args
Out-of-bounds Read in mrbgetargs in mruby/mruby Affected commit 3cf291f72224715942beaf8553e42ba8891ab3c6 Proof of Concept ruby= 0..% = 0,0,0,0,0,0,0,0,0,0,0,0,0, = 0 Below is the output from mruby ASAN build: bash= AddressSanitizer:DEADLYSIGNAL...
FULL read SSRF
Description there is two bypass method for previous fixes of SSRF in gogs The first is to utilize SSRF attack with a DNS rebinding feature. The second is to use redirection to a localhost URL. Proof of Concept 1- go to the webhooks section and create a gogs webhook. 2- enter an URL that redirects...
heap-use-after-free
Description Whilst experimenting with radare2, built from version 5.6.6, we are able to induce a vulnerability at reg.c:101 in function rreggetnameidx , using radare2 as a harness. 99: RAPI int rreggetnameidxconst char type 100: rreturnvaliffail type, -1; //use-after-free here 101: if type0 &&...
XSS vulnerability with default `onCellHtmlData` function
Description If you can jam some nasty code into a table-cell, you can force this script to perform arbitrary javascript when someone tries to export the table using this library. An example used against us was: " It looks like, if you don't specify an onCellHtmlData function, the default one is...
XSS affecting "Logs" Page
Description A review of organizr's logging system found it is possible for an unauthenticated threat actor to inject arbitrary JavaScript into the "Logs" page found within the administrator dashboard. In a default installation organizr is set to log failed login attempts. In these attempts, the...
heap-buffer-overflow
Description Whilst experimenting with radare2, built from version 5.6.6, we are able to induce a vulnerability at bindyldcache.c:125 in function va2pa , using radare2 as a harness. 118: static ut64 va2pauint64t addr, ut32 nmaps, cachemapt maps, RBuffer cachebuf, ut64 slide, ut32 offset, ut32 left...
heap-buffer-overflow in mrb_vm_exec in mruby/mruby
Affected commit: 3cf291f72224715942beaf8553e42ba8891ab3c6 Proof of Concept ruby= v10 = 0 v15 = "" v16 = srand1337 v20 = protectedmethods.fill|| v20 = Array.instanceeval|| method method privatemethods.zip rescue GC.start removemethod removemethod privatemethods.sample rescue Float v16.v15.v10 resc...
XSS in livehelperchat
Description LiveHelperChat is vulnerable to XSS in /cobrowse/checkmirrorchanges/ in it response the url parameter to json content while response content type is html. SETP1: set the url in following request POST /cobrowse/storenodemap/hash/174QXubVQ2cHdPR5xt5vNLBWVRnRwNu6MBWHoxRs3/?url= HTTP/1.1...
Improper Validation of Array Index
This vulnerability is of type Improper Validation of Array Index. The bug exists in latest stable release radare2-5.6.6 and lastest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated in April 03, 2022. Specifically, the vulnerable code located at libr/bin/format/ne/ne.c and the bug's...
Cross Site Scripting via Improper Input Validation (Based on CRLF)
Description The parse-url The 6.0.0 version of the parser does not remove \r, \n characters between protocols. This causes spoofing of the javascript protocol itself. Proof of Concept javascript const parseUrl = require"parse-url"; const express = require'express'; const app = express; parsed =...
Heap-based Buffer Overflow in libr/bin/format/ne/ne.c
This vulnerability is of type heap-buffer-overflow. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.6.6 and lastest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated in...
Heap buffer overflow in libr/bin/format/mach0/mach0.c
This vulnerability is of type heap-buffer-overflow. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.6.6 and lastest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated in...
Unauthenticated Path Traversal via /api/upload
Description While reviewing FUXA, research found it is possible to upload arbitrary files into arbitrary locations via the "/api/upload" endpoint. Even when authentication in enabled, it was found this endpoint does not validate a user's session. In addition, the function behind this endpoint...
SSRF filter bypass port 80, 433
Description To exploit vulnerability, someone must pass a "base" parameters with a url multi-port to bypass filter check. Proof of Concept GET /index.php/cobrowse/proxycss/1?base=http://evil:8888:80/&css=index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:99...
XSS via Embedded SVG in SVG Diagram Format
Description It is possible to embed SVG images in diagrams. When those are exported or used in a diagram in SVG format, the content of the embedded SVG image is included inline. This means the SVG markup gets inserted directly into the markup of the enclosing SVG. Since the SVG content is not...
Stored XSS
Description Stored XSS via domain argument : Proof of Concept run this command ./GoogleDorker.py -d '"' visit created file...
identify registered user
Description There is a response during password reset which allow to identify if email address is registered or not Proof of Concept 1. Signup to https://cloud.heroiclabs.com/ using a email like [email protected] . \ 2. Now goto https://cloud.heroiclabs.com/recover and put a dummy email address...
unprivileged user can see user details like email,role etc
Description view-only user can see user details like email,role etc.\ I see there is different type user role in nakama. Based on role user have some limit .But this bug is a privilege escalation bug Proof of Concept 1. From super admin account add a new user called user-B with view-only...
Stored XSS viva .svg file upload
Description The application allows .svg files to upload which leads to stored XSS. Proof of Concept 1.Download the payload XSS.svg from below drive link and go to "Files". 2.Now click on "Add file" and upload the downloaded payload. 3.Then see the uploaded file details and open the file path once...
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File
Description Formula Injection/CSV Injection in "Firstname" & "Lastname" due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept 1.Go to a Preferences from the user account and in Personal info of "Firstname" & "Lastname" insert the below payloads. 2.Payloads:-...
Out-of-bounds read
Description Out-of-bounds OOB read vulnerability exists in analop function in Radare2 5.6.7 Version bash radare2 5.6.7 27722 @ linux-x86-64 git.5.6.6 commit: e876eef2a2f758157dd6028fb01809bcedacf00f build: 2022-04-0107:03:35 Proof of Concept bash radare2 -q -A poc poc ASAN bash ==2143069==ERROR:...
NULL Pointer Dereference in mrb_vm_exec with super
Description NULL Pointer Dereference in mrbvmexec with super Proof of Concept o13 = Comparable.initialize||0x7f.instanceeval do super rescue caller 0..1.sortby do break end end // PoC.js ./mruby 1.rb Result ASAN:DEADLYSIGNAL =================================================================...
CSRF on update cart functionality
I found a CSRF Vulnerability in the update cart functionality where there is no csrf token being validated While updating the cart as the authenticated user Vulnerable Request: POST /demo/api/updatecart HTTP/1.1 Host: demo.microweber.org Cookie:...
Article comment storage XSS
Description The code does not filter the input content, resulting in the insertion of: " The administrator views the comment list in the background and triggers XSS, which can be used to obtain the administrator cookie Proof of Concept POST /comment/index HTTP/1.1 Host: demo.jizhicms.cn User-Agen...
Divulge user password
Description The administrator can obtain the website user registration password hash Proof of Concept // PoC Log in to the background and access: http://demo.jizhicms.cn/admin.php/Member/index.html?ajax=1&page=1&limit=10&isshow=&start=&end=&username=% Package return:...
EXIF Geolocation Data Not Stripped From Uploaded Images (vulnerability)
Vulnerability name: EXIF Geolocation Data Not Stripped From Uploaded Images vulnerability Description:- When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their...
Controlled heap buffer overflow in SDP packet parsing
Description A malicious server can trigger an out-of-bounds heap write via a specially crafted SDP packet due to no bounds check when parsing time zone information into the AdjustmentTime and AdjustmentOffset fields of GFSDPTiming. Proof of Concept poc.py is available here terminal 1 python3 poc....
Use-After-Free in str_escape in mruby/mruby
Affected commit: 60cf382ff9765e36b21143d79688a3e758b66fd4 Proof of Concept ruby= v11 = '1111111111111111111111111111' v17 = 1=1, 2 = 'b' , '3' = 1 v20 = 1,2,3,4,5,6,7,8,9,10,11,12,13,14.findall do 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17.sortby do Hash.initialize|| .instanceexec do end "".chop d...
Use of cryptographically weak random number generator for password generation
Description Umbraco has a GeneratePassword function that is used to generate passwords that should be unpredictable, this function uses the .NET Random class which isn't cryptographically secure. Impact This vulnerability is capable of allowing attackers to predict generated passwords and use the...
SQL injection in RecyclebinController.php
Description From the code we can see that in line 122, the value is append to the sql query directly. The value can be from line 109. And from filter parameter . so we can use the value data to inject the database. if we set a wrong value. we can see the sql error from the log file . Proof of...
Auth bypass via unproper use of getRequestURL()
Description The wgcloud uses getRequestURL improperly, an attacker could craft an URL that bypasses the auth of wgcloud Normally, when browsering http://ip:9999/wgcloud/dash/main with no auth, you will be redirected to /wgcloud/login/toLogin, but this vuln could bypass this. Proof of Concept curl...
Inf loop
Description A inf loop security issue in gpac/gpac Proof of Concept The issue occurs in code: src/mediatools/avilib.cL1974, when the gpac avidmx filter parses the AVI format file. choose a simple AVI format file, the data's header is as follows in xxd mode $ xxd ./1.avi | head -n 2 00000000: 5249...
Weak secrethash can be brute-forced
Description The secrethash, which the application relies for multiple security measures, can be brute-forced. The hash is quite small, with only 10 characters of only hexadecimal, making 16^10 possilibities 1.099.511.627.776 . The SHA1 of the secret can be obtained via a captcha string and...
SSRF on index.php/cobrowse/proxycss/
Description Live Helper Chat is vulnerable to SSRF on the /index.php/cobrowse/proxycss endpoint. It's possible to make internal requests and see the response as an authenticated user, it's also possible to make an request with any protocol using goppher://. Proof of Concept 1. Request...
Loose comparison causes IDOR on multiple endpoints
Description Live Helper Chat is vulnerable to Type Juggling on the requestPayload'hash'. The application uses a Loose Comparison to check if the user-controlled parameter is equal to an hash, this check is vulnerable because it's possible to pass other Data Types via JSON that causes the if...
heap buffer overflow in get_one_sourceline
Description When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13 Proof of Concept Here is the minimized poc bash norm300gr0 so How to build bash LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address"...
Use after free in utf_ptr2char
✍️ Description When fuzzing vim commit 9dac9b175, I discovered a use after free. I'm testing on ubuntu 20.04 with clang 13. Proof of Concept Here is the minimized poc bash s/\v/\r /%',600 How to build bash LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++...
Non-Privilege User Can View Patient’s Disclosures
Vulnerability Type Insecure Direct Object Reference Affected URL https://localhost/openemr-6.0.0/ /interface/patientfile/summary/recorddisclosure.php?editlid=X Method GET Parameter editlid Authentication Required? Yes Issue Summary Non-privilege users accounting, front office can view patient’s...
Missing Function Level Access Control
Vulnerability Type Missing Function Level Access Control Affected URL 62 vulnerable instances as listed in Table 1 Authentication Required? Yes Issue Summary Web applications usually only show functionality that a user has the need for and right to use in the UI. However, this is not the case for...
Non Privilege User can Enable or Disable Registered
Vulnerability Type Insecure Direct Object Reference Affected URL https://localhost/openemr-6.0.0/interface/modules/zendmodules/public/Installer/manage Affected Parameters “modAction=enabled” Authentication Required? Yes Issue Summary Non-privilege users accounting & front-office can disable and...
Stack buffer overflow in XML entity parsing
Description Attempting to parse a XML/SVG file containing an !ENTITY with a sufficiently long name into a fixed sized, stack allocated buffer causes an overflow. Proof of Concept ./bin/gcc/gpac -play ./poc-clean.svg poc-clean.svg available here GDB stack smashing detected : terminated Thread 1...
unprivileged user can publish a private file
Description user who dont have any accesss in file can publish the file and then unauthenticated user can download that file Proof of Concept 1. From admin account add a new user called user-B as content Authors .\ Now give user-B permission in page section only .Dont give files permission .\ So,...
Stored xss bug to hijack admin account
Description Using this xss lower level user can change his role to super-admin and can hijack admin account Proof of Concept 1. First from super-admin account goto http://localhost/silverstripe/admin/security/RootUsers and add user-B as content authors .\ also give user-B only permisssion to page...
Open Redirect (Bypass Of #59d7c660-744c-4fee-88b7-6117b6846aea)
Description Hello everyone, I found an Open Redirect on linkding on remove a bookmark functionality, it is a bypass of a previously submitted report, when users are tricked into visiting the vulnerable link, they will immediately redirected to arbitrary hosts. Proof of Concept - Just visit the...