4058 matches found
Improper Validation of Array Index
This vulnerability is of type Improper Validation of Array Index. The bug exists in latest stable release radare2-5.6.6 and latest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated on April 03, 2022. Specifically, the vulnerable code located at libr/bin/format/ne/ne.c and the bug's...
Cross Site Scripting via Improper Input Validation (Based on CRLF)
Description The parse-url The 6.0.0 version of the parser does not remove \r, \n characters between protocols. This causes spoofing of the javascript protocol itself. Proof of Concept javascript const parseUrl = require"parse-url"; const express = require'express'; const app = express; parsed =...
Heap-based Buffer Overflow in libr/bin/format/ne/ne.c
This vulnerability is of type heap-buffer-overflow. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.6.6 and latest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated in...
Heap buffer overflow in libr/bin/format/mach0/mach0.c
This vulnerability is of type heap-buffer-overflow. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.6.6 and latest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated in...
Unauthenticated Path Traversal via /api/upload
Description While reviewing FUXA, research found it is possible to upload arbitrary files into arbitrary locations via the "/api/upload" endpoint. Even when authentication is enabled, it was found this endpoint does not validate a user's session. In addition, the function behind this endpoint...
SSRF filter bypass port 80, 433
Description To exploit the vulnerability, someone must pass a "base" parameter with a multi-port URL to bypass the filter check. Proof of Concept GET /index.php/cobrowse/proxycss/1?base=http://evil:8888:80/&css=index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:99...
XSS via Embedded SVG in SVG Diagram Format
Description It is possible to embed SVG images in diagrams. When those are exported or used in a diagram in SVG format, the content of the embedded SVG image is included inline. This means the SVG markup gets inserted directly into the markup of the enclosing SVG. Since the SVG content is not...
Stored XSS
Description Stored XSS via domain argument : Proof of Concept run this command ./GoogleDorker.py -d '"' visit created file...
identify registered user
Description There is a response during password reset which allows identifying whether an email address is registered or not. Proof of Concept 1. Sign up to https://cloud.heroiclabs.com/ using an email like [email protected]. 2. Now go to https://cloud.heroiclabs.com/recover and put a dummy email address...
unprivileged user can see user details like email,role etc
Description A view-only user can see user details like email, role etc. I see there are different types of user roles in nakama. Based on role, users have some limits. But this bug is a privilege escalation bug. Proof of Concept 1. From the super admin account add a new user called user-B with view-only...
Stored XSS via .svg file upload
Description The application allows .svg files to be uploaded, which leads to stored XSS. Proof of Concept 1. Download the payload XSS.svg from the drive link below and go to "Files". 2. Now click on "Add file" and upload the downloaded payload. 3. Then see the uploaded file details and open the file path once...
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File
Description Formula Injection/CSV Injection in "Firstname" & "Lastname" due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept 1. Go to Preferences from the user account and in Personal info of "Firstname" & "Lastname" insert the payloads below. 2. Payloads:-...
Out-of-bounds read
Description An out-of-bounds (OOB) read vulnerability exists in the analop function in Radare2 5.6.7. Version: radare2 5.6.7 27722 @ linux-x86-64 git.5.6.6 commit: e876eef2a2f758157dd6028fb01809bcedacf00f build: 2022-04-01 07:03:35 Proof of Concept radare2 -q -A poc poc ASAN ==2143069==ERROR:...
NULL Pointer Dereference in mrb_vm_exec with super
Description NULL Pointer Dereference in mrb_vm_exec with super Proof of Concept o13 = Comparable.initialize||0x7f.instanceeval do super rescue caller 0..1.sortby do break end end // PoC.js ./mruby 1.rb Result ASAN:DEADLYSIGNAL =================================================================...
CSRF on update cart functionality
I found a CSRF Vulnerability in the update cart functionality where there is no csrf token being validated while updating the cart as the authenticated user. Vulnerable Request: POST /demo/api/updatecart HTTP/1.1 Host: demo.microweber.org Cookie:...
Article comment storage XSS
Description The code does not filter the input content, resulting in the insertion of: " The administrator views the comment list in the background and triggers XSS, which can be used to obtain the administrator cookie Proof of Concept POST /comment/index HTTP/1.1 Host: demo.jizhicms.cn User-Agen...
Divulge user password
Description The administrator can obtain the website user registration password hash Proof of Concept // PoC Log in to the background and access: http://demo.jizhicms.cn/admin.php/Member/index.html?ajax=1&page=1&limit=10&isshow=&start=&end=&username=% Package return:...
EXIF Geolocation Data Not Stripped From Uploaded Images (vulnerability)
Vulnerability name: EXIF Geolocation Data Not Stripped From Uploaded Images vulnerability Description:- When the user uploads his profile picture, the uploaded image's EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their...
Controlled heap buffer overflow in SDP packet parsing
Description A malicious server can trigger an out-of-bounds heap write via a specially crafted SDP packet due to no bounds check when parsing time zone information into the AdjustmentTime and AdjustmentOffset fields of GFSDPTiming. Proof of Concept poc.py is available here terminal 1 python3 poc....
Use-After-Free in str_escape in mruby/mruby
Affected commit: 60cf382ff9765e36b21143d79688a3e758b66fd4 Proof of Concept ruby= v11 = '1111111111111111111111111111' v17 = 1=1, 2 = 'b' , '3' = 1 v20 = 1,2,3,4,5,6,7,8,9,10,11,12,13,14.findall do 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17.sortby do Hash.initialize|| .instanceexec do end "".chop d...
Use of cryptographically weak random number generator for password generation
Description Umbraco has a GeneratePassword function that is used to generate passwords that should be unpredictable; this function uses the .NET Random class, which isn't cryptographically secure. Impact This vulnerability is capable of allowing attackers to predict generated passwords and use the...
SQL injection in RecyclebinController.php
Description From the code we can see that in line 122, the value is appended to the SQL query directly. The value can come from line 109, and from the filter parameter. So we can use the value data to inject into the database. If we set a wrong value, we can see the SQL error in the log file. Proof of...
Auth bypass via improper use of getRequestURL()
Description wgcloud uses getRequestURL improperly; an attacker could craft a URL that bypasses the auth of wgcloud. Normally, when browsing http://ip:9999/wgcloud/dash/main with no auth, you will be redirected to /wgcloud/login/toLogin, but this vuln could bypass this. Proof of Concept curl...
Infinite loop
Description An infinite loop security issue in gpac/gpac Proof of Concept The issue occurs in code: src/mediatools/avilib.cL1974, when the gpac avidmx filter parses the AVI format file. Choose a simple AVI format file; the data's header is as follows in xxd mode $ xxd ./1.avi | head -n 2 00000000: 5249...
Weak secrethash can be brute-forced
Description The secrethash, which the application relies on for multiple security measures, can be brute-forced. The hash is quite small, with only 10 characters of only hexadecimal, making 16^10 possibilities (1.099.511.627.776). The SHA1 of the secret can be obtained via a captcha string and...
SSRF on index.php/cobrowse/proxycss/
Description Live Helper Chat is vulnerable to SSRF on the /index.php/cobrowse/proxycss endpoint. It's possible to make internal requests and see the response as an authenticated user; it's also possible to make a request with any protocol using gopher://. Proof of Concept 1. Request...
Loose comparison causes IDOR on multiple endpoints
Description Live Helper Chat is vulnerable to Type Juggling on the requestPayload'hash'. The application uses a Loose Comparison to check if the user-controlled parameter is equal to a hash; this check is vulnerable because it's possible to pass other Data Types via JSON that cause the if...
heap buffer overflow in get_one_sourceline
Description When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13. Proof of Concept Here is the minimized poc bash norm300gr0 so How to build bash LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address"...
Use after free in utf_ptr2char
Description When fuzzing vim commit 9dac9b175, I discovered a use after free. I'm testing on ubuntu 20.04 with clang 13. Proof of Concept Here is the minimized poc bash s/\v/\r /%',600 How to build bash LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++...
Non-Privileged User Can View Patient's Disclosures
Vulnerability Type Insecure Direct Object Reference Affected URL https://localhost/openemr-6.0.0/ /interface/patientfile/summary/recorddisclosure.php?editlid=X Method GET Parameter editlid Authentication Required? Yes Issue Summary Non-privileged users (accounting, front office) can view patient's...
Missing Function Level Access Control
Vulnerability Type Missing Function Level Access Control Affected URL 62 vulnerable instances as listed in Table 1 Authentication Required? Yes Issue Summary Web applications usually only show functionality that a user has the need for and right to use in the UI. However, this is not the case for...
Non-Privileged User can Enable or Disable Registered
Vulnerability Type Insecure Direct Object Reference Affected URL https://localhost/openemr-6.0.0/interface/modules/zendmodules/public/Installer/manage Affected Parameters "modAction=enabled" Authentication Required? Yes Issue Summary Non-privileged users (accounting & front-office) can disable and...
Stack buffer overflow in XML entity parsing
Description Attempting to parse an XML/SVG file containing an !ENTITY with a sufficiently long name into a fixed-size, stack-allocated buffer causes an overflow. Proof of Concept ./bin/gcc/gpac -play ./poc-clean.svg poc-clean.svg available here GDB stack smashing detected : terminated Thread 1...
unprivileged user can publish a private file
Description A user who doesn't have any access to files can publish the file, and then an unauthenticated user can download that file. Proof of Concept 1. From the admin account add a new user called user-B as Content Author. Now give user-B permission in the page section only. Don't give files permission. So,...
Stored xss bug to hijack admin account
Description Using this XSS, a lower-level user can change his role to super-admin and can hijack the admin account. Proof of Concept 1. First from the super-admin account go to http://localhost/silverstripe/admin/security/RootUsers and add user-B as content author; also give user-B only permission to page...
Open Redirect (Bypass Of #59d7c660-744c-4fee-88b7-6117b6846aea)
Description Hello everyone, I found an Open Redirect on linkding on the remove a bookmark functionality. It is a bypass of a previously submitted report; when users are tricked into visiting the vulnerable link, they will immediately be redirected to arbitrary hosts. Proof of Concept - Just visit the...
Open Redirection
Description An open redirect security flaw allows an attacker to redirect the victims of the application to malicious sites. Proof of Concept Request POST /create-table/ HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 X11; Linux x8664; rv:78.0 Gecko/20100101 Firefox/78.0 Accept:...
stored xss
Description Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage. Proof of Concept 1. A low-priv user creates a page with the following...
csrf bug to remove a bookmark
Description CSRF bug to remove bookmark Proof of Concept There is no csrf token check during bookmark removal. Let's say there are two users: 1. user-A -- victim 2. user-B -- attacker STEP ======== 1. user-A creates a bookmark and let's say the bookmark id is 123 2. Now user-B (attacker) sends a link...
Bypass previous fix
Description Bypass previous report fix Proof of Concept It checks if returnurl starts with /. So, it can be bypassed using //google.com. 1. Log in to the demo instance https://demo.linkding.link/ 2. Go to https://demo.linkding.link/bookmarks/3/remove?returnurl=//google.com 3. You will be...
Null Pointer Dereference Caused Segmentation Fault
Description Null pointer dereference caused segmentation fault Proof of Concept version ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.1-DEV-rev65-g718843df4-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters:...
Old sessions are not blocked by the login enable function.
Description If you disable the login function of a user, that user can still log in by using their old session. Proof of Concept Step 1: log in to the dashboard with a normal account. Step 2: use a different browser to log in as admin. Step 3: make the normal account from step 1 unable to log in. Step 4: return t...
use after free in mrb_vm_exec
While fuzzing mruby I found a use after free in mruby compiled with ASan. Proof of Concept uaf5.rb rb...
unchecked size in _load_bmp leads to RAM exhaustion in version 3.10
Description Via a maliciously crafted bmp file with modified dx and dy header field values it is possible to trick the application into allocating huge buffer sizes like 64 Gigabyte upon reading the file from disk or from a virtual buffer. Version This does affect the newest Version of CImg which...
Use after free in mrb_vm_exec
While fuzzing mruby I found a use after free in mruby compiled with ASan. Proof of Concept uaf1.rb rb var1 = -0 var2 = 1.0 var3 = 1 var4 = +0 var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby ||...
Stored XSS in "Name", "Group Name" & "Title"
Description The application allows the img tag & src attribute in the "Name", "Title" & "Group Name" fields, for which attackers can perform stored cross-site scripting. Proof of Concept 1. Login to the application and go to profile. 2. Now in the "Name" input field paste the payload below and click on "SAVE...
Stored XSS in Tooltip
Description The Classes in Data Objects have the Tooltip field. It is vulnerable to XSS attack. Proof of Concept STEP1: login https://demo.pimcore.fun/admin/ STEP2: Settings-Data Objects-Classes. Then choose an item, like product Data-AccessoryPart AP-compatibleTo. STEP3: add payload in tooltip...
SQL injection through marking blog comments on bulk as spam
Description The comment IDs aren't checked and are vulnerable to SQL injection. Proof of Concept...
Open Redirect on login
Description Although https://github.com/go-gitea/gitea/pull/9678 protects against most open redirects, there is an unfortunate flaw in its logic due to browser behaviour when presented with Locations that have backslashes in them. Proof of Concept...
Heap Buffer Overflow in parseDragons
Description Heap buffer overflow in the parseDragons function. ASAN report: ================================================================= ==2541037==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065578 at pc 0x7f45488bde0d bp 0x7ffc08551b50 sp 0x7ffc085512f8 READ of size 4 at...