Lucene search
K

4072 matches found

Huntr
Huntr
added 2022/04/08 12:20 p.m.18 views

libde265 1.0.8, was discovered to contain a heap-buffer-overflow in put_epel_16_fallback (fallback-motion.cc)

Description libde265 1.0.8, was discovered to contain a heap-buffer-overflow in putepel16fallback fallback-motion.cc ENV - Version : 1.0.8 - Commit : 45904e5667c5bf59c67fcdc586dfba110832894c - OS : Ubuntu 18.04 - Configure : cmake -DCMAKEBUILDTYPE=Debug -DCMAKECXXCOMPILER=clang++-10...

7.5AI score
Exploits0
Huntr
Huntr
added 2022/04/08 12:3 p.m.28 views

SQL injection in ElementController.php

Description The property parameter is append to the sql query directly, which leads to a sql injection problem. if you set a wrong value. you can see the error from log. then you can check the result. after injection Proof of Concept // PoC.js "body":...

5CVSS1.5AI score0.05455EPSS
Exploits1
Huntr
Huntr
added 2022/04/07 9:45 p.m.23 views

Server Side Template Injection

Description Grav is vulnerable to Server Side Template Injection via Twig. According to a previous vulnerability report, Twig should not render dangerous functions by default, such as system. PoC video. Proof of Concept Payload: 'cat\x20/etc/passwd'|filter'system' 1. With an authenticated user,...

6.5CVSS2.1AI score0.10385EPSS
Exploits2References1
Huntr
Huntr
added 2022/04/07 2:42 p.m.49 views

Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true

Description Hello and thank you for the wonderful library! We use it extensively in our app. However, I think we've identified an XSS vulnerability in the Export plug-in. If you set the exportOptions in your Bootstrap Table to true, then you can force arbitrary Javascript to execute see the...

3.5CVSS0.6AI score0.00717EPSS
Exploits1References1
Huntr
Huntr
added 2022/04/06 7:52 p.m.33 views

NULL Pointer Dereference in r_bin_ne_get_entrypoints function

Description A NULL pointer deference vulnerability in rbinnegetentrypoints function due to a missing check before using the pointer. Version bash radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6 commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-0614:41:37 POC bash radare2 -q -A poc poc...

4.3CVSS1AI score0.00668EPSS
Exploits1
Huntr
Huntr
added 2022/04/06 7:17 p.m.24 views

Out-of-bounds read in `r_bin_ne_get_relocs` function

Description Out-of-bounds OOB read vulnerability exists in rbinnegetrelocs function in Radare2 5.6.7 due to a missing check on the index value. Version bash radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6 commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-0614:41:37 Proof of Concept bas...

6.4CVSS7.7AI score0.00766EPSS
Exploits1
Huntr
Huntr
added 2022/04/06 6:40 p.m.27 views

Out-of-bounds Read in mrb_get_args

Out-of-bounds Read in mrbgetargs in mruby/mruby Affected commit 3cf291f72224715942beaf8553e42ba8891ab3c6 Proof of Concept ruby= 0..% = 0,0,0,0,0,0,0,0,0,0,0,0,0, = 0 Below is the output from mruby ASAN build: bash= AddressSanitizer:DEADLYSIGNAL...

7.5CVSS2.3AI score0.01476EPSS
Exploits1
Huntr
Huntr
added 2022/04/06 3:10 p.m.40 views

FULL read SSRF

Description there is two bypass method for previous fixes of SSRF in gogs The first is to utilize SSRF attack with a DNS rebinding feature. The second is to use redirection to a localhost URL. Proof of Concept 1- go to the webhooks section and create a gogs webhook. 2- enter an URL that redirects...

4.3CVSS6.6AI score0.01193EPSS
Exploits1
Huntr
Huntr
added 2022/04/06 2:16 a.m.26 views

heap-use-after-free

Description Whilst experimenting with radare2, built from version 5.6.6, we are able to induce a vulnerability at reg.c:101 in function rreggetnameidx , using radare2 as a harness. 99: RAPI int rreggetnameidxconst char type 100: rreturnvaliffail type, -1; //use-after-free here 101: if type0 &&...

4.3CVSS5.7AI score0.00797EPSS
Exploits1
Huntr
Huntr
added 2022/04/06 12:1 a.m.39 views

XSS vulnerability with default `onCellHtmlData` function

Description If you can jam some nasty code into a table-cell, you can force this script to perform arbitrary javascript when someone tries to export the table using this library. An example used against us was: " It looks like, if you don't specify an onCellHtmlData function, the default one is...

3.5CVSS5.9AI score0.00723EPSS
Exploits1References1
Huntr
Huntr
added 2022/04/05 11:10 p.m.17 views

XSS affecting "Logs" Page

Description A review of organizr's logging system found it is possible for an unauthenticated threat actor to inject arbitrary JavaScript into the "Logs" page found within the administrator dashboard. In a default installation organizr is set to log failed login attempts. In these attempts, the...

7.3AI score
Exploits0
Huntr
Huntr
added 2022/04/05 1:23 p.m.24 views

heap-buffer-overflow

Description Whilst experimenting with radare2, built from version 5.6.6, we are able to induce a vulnerability at bindyldcache.c:125 in function va2pa , using radare2 as a harness. 118: static ut64 va2pauint64t addr, ut32 nmaps, cachemapt maps, RBuffer cachebuf, ut64 slide, ut32 offset, ut32 left...

4.3CVSS5.8AI score0.008EPSS
Exploits1
Huntr
Huntr
added 2022/04/04 8:2 p.m.18 views

heap-buffer-overflow in mrb_vm_exec in mruby/mruby

Affected commit: 3cf291f72224715942beaf8553e42ba8891ab3c6 Proof of Concept ruby= v10 = 0 v15 = "" v16 = srand1337 v20 = protectedmethods.fill|| v20 = Array.instanceeval|| method method privatemethods.zip rescue GC.start removemethod removemethod privatemethods.sample rescue Float v16.v15.v10 resc...

7.5CVSS7.6AI score0.01109EPSS
Exploits1
Huntr
Huntr
added 2022/04/04 3:25 p.m.34 views

XSS in livehelperchat

Description LiveHelperChat is vulnerable to XSS in /cobrowse/checkmirrorchanges/ in it response the url parameter to json content while response content type is html. SETP1: set the url in following request POST /cobrowse/storenodemap/hash/174QXubVQ2cHdPR5xt5vNLBWVRnRwNu6MBWHoxRs3/?url= HTTP/1.1...

4.3CVSS6.2AI score0.00715EPSS
Exploits1
Huntr
Huntr
added 2022/04/04 8:33 a.m.36 views

Improper Validation of Array Index

This vulnerability is of type Improper Validation of Array Index. The bug exists in latest stable release radare2-5.6.6 and lastest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated in April 03, 2022. Specifically, the vulnerable code located at libr/bin/format/ne/ne.c and the bug's...

6.8CVSS7.7AI score0.00827EPSS
Exploits1References1
Huntr
Huntr
added 2022/04/04 8:7 a.m.11 views

Cross Site Scripting via Improper Input Validation (Based on CRLF)

Description The parse-url The 6.0.0 version of the parser does not remove \r, \n characters between protocols. This causes spoofing of the javascript protocol itself. Proof of Concept javascript const parseUrl = require"parse-url"; const express = require'express'; const app = express; parsed =...

0.8AI score
Exploits0References1
Huntr
Huntr
added 2022/04/04 7:11 a.m.31 views

Heap-based Buffer Overflow in libr/bin/format/ne/ne.c

This vulnerability is of type heap-buffer-overflow. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.6.6 and lastest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated in...

6.8CVSS7.8AI score0.00827EPSS
Exploits1References1
Huntr
Huntr
added 2022/04/04 5:30 a.m.30 views

Heap buffer overflow in libr/bin/format/mach0/mach0.c

This vulnerability is of type heap-buffer-overflow. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.6.6 and lastest master branch 8317a34b7e4ab731e230dcdd81adc9323c5b518b, updated in...

6.8CVSS7.8AI score0.00725EPSS
Exploits1References1
Huntr
Huntr
added 2022/04/04 2:31 a.m.16 views

Unauthenticated Path Traversal via /api/upload

Description While reviewing FUXA, research found it is possible to upload arbitrary files into arbitrary locations via the "/api/upload" endpoint. Even when authentication in enabled, it was found this endpoint does not validate a user's session. In addition, the function behind this endpoint...

1AI score
Exploits0
Huntr
Huntr
added 2022/04/04 1:14 a.m.39 views

SSRF filter bypass port 80, 433

Description To exploit vulnerability, someone must pass a "base" parameters with a url multi-port to bypass filter check. Proof of Concept GET /index.php/cobrowse/proxycss/1?base=http://evil:8888:80/&css=index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:99...

5.5CVSS0.6AI score0.00571EPSS
Exploits1References1
Huntr
Huntr
added 2022/04/03 2:34 p.m.54 views

XSS via Embedded SVG in SVG Diagram Format

Description It is possible to embed SVG images in diagrams. When those are exported or used in a diagram in SVG format, the content of the embedded SVG image is included inline. This means the SVG markup gets inserted directly into the markup of the enclosing SVG. Since the SVG content is not...

4.3CVSS6.3AI score0.01832EPSS
Exploits1
Huntr
Huntr
added 2022/04/03 6:25 a.m.11 views

Stored XSS

Description Stored XSS via domain argument : Proof of Concept run this command ./GoogleDorker.py -d '"' visit created file...

2.2AI score
Exploits0
Huntr
Huntr
added 2022/04/02 6:39 p.m.9 views

identify registered user

Description There is a response during password reset which allow to identify if email address is registered or not Proof of Concept 1. Signup to https://cloud.heroiclabs.com/ using a email like [email protected] . \ 2. Now goto https://cloud.heroiclabs.com/recover and put a dummy email address...

0.1AI score
Exploits0
Huntr
Huntr
added 2022/04/02 5:27 p.m.7 views

unprivileged user can see user details like email,role etc

Description view-only user can see user details like email,role etc.\ I see there is different type user role in nakama. Based on role user have some limit .But this bug is a privilege escalation bug Proof of Concept 1. From super admin account add a new user called user-B with view-only...

0.3AI score
Exploits0
Huntr
Huntr
added 2022/04/01 6:12 p.m.16 views

Stored XSS viva .svg file upload

Description The application allows .svg files to upload which leads to stored XSS. Proof of Concept 1.Download the payload XSS.svg from below drive link and go to "Files". 2.Now click on "Add file" and upload the downloaded payload. 3.Then see the uploaded file details and open the file path once...

5.9AI score0.00831EPSS
Exploits1References1
Huntr
Huntr
added 2022/04/01 5:54 p.m.27 views

Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File

Description Formula Injection/CSV Injection in "Firstname" & "Lastname" due to Improper Neutralization of Formula Elements in CSV File. Proof of Concept 1.Go to a Preferences from the user account and in Personal info of "Firstname" & "Lastname" insert the below payloads. 2.Payloads:-...

6.8CVSS0.1AI score0.0234EPSS
Exploits2References1
Huntr
Huntr
added 2022/04/01 1:11 p.m.29 views

Out-of-bounds read

Description Out-of-bounds OOB read vulnerability exists in analop function in Radare2 5.6.7 Version bash radare2 5.6.7 27722 @ linux-x86-64 git.5.6.6 commit: e876eef2a2f758157dd6028fb01809bcedacf00f build: 2022-04-0107:03:35 Proof of Concept bash radare2 -q -A poc poc ASAN bash ==2143069==ERROR:...

4.3CVSS6.6AI score0.00907EPSS
Exploits1
Huntr
Huntr
added 2022/03/31 4:41 p.m.30 views

NULL Pointer Dereference in mrb_vm_exec with super

Description NULL Pointer Dereference in mrbvmexec with super Proof of Concept o13 = Comparable.initialize||0x7f.instanceeval do super rescue caller 0..1.sortby do break end end // PoC.js ./mruby 1.rb Result ASAN:DEADLYSIGNAL =================================================================...

4.9CVSS1.3AI score0.00363EPSS
Exploits1
Huntr
Huntr
added 2022/03/31 8:9 a.m.9 views

CSRF on update cart functionality

I found a CSRF Vulnerability in the update cart functionality where there is no csrf token being validated While updating the cart as the authenticated user Vulnerable Request: POST /demo/api/updatecart HTTP/1.1 Host: demo.microweber.org Cookie:...

0.4AI score
Exploits0
Huntr
Huntr
added 2022/03/31 7:16 a.m.7 views

Article comment storage XSS

Description The code does not filter the input content, resulting in the insertion of: " The administrator views the comment list in the background and triggers XSS, which can be used to obtain the administrator cookie Proof of Concept POST /comment/index HTTP/1.1 Host: demo.jizhicms.cn User-Agen...

0.6AI score
Exploits0References1
Huntr
Huntr
added 2022/03/31 5:29 a.m.9 views

Divulge user password

Description The administrator can obtain the website user registration password hash Proof of Concept // PoC Log in to the background and access: http://demo.jizhicms.cn/admin.php/Member/index.html?ajax=1&page=1&limit=10&isshow=&start=&end=&username=% Package return:...

0.1AI score
Exploits0
Huntr
Huntr
added 2022/03/31 2:45 a.m.156 views

EXIF Geolocation Data Not Stripped From Uploaded Images (vulnerability)

Vulnerability name: EXIF Geolocation Data Not Stripped From Uploaded Images vulnerability Description:- When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their...

0.3AI score
Exploits0References4
Huntr
Huntr
added 2022/03/30 11:41 p.m.8 views

Controlled heap buffer overflow in SDP packet parsing

Description A malicious server can trigger an out-of-bounds heap write via a specially crafted SDP packet due to no bounds check when parsing time zone information into the AdjustmentTime and AdjustmentOffset fields of GFSDPTiming. Proof of Concept poc.py is available here terminal 1 python3 poc....

2.2AI score
Exploits0
Huntr
Huntr
added 2022/03/30 8:19 p.m.17 views

Use-After-Free in str_escape in mruby/mruby

Affected commit: 60cf382ff9765e36b21143d79688a3e758b66fd4 Proof of Concept ruby= v11 = '1111111111111111111111111111' v17 = 1=1, 2 = 'b' , '3' = 1 v20 = 1,2,3,4,5,6,7,8,9,10,11,12,13,14.findall do 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17.sortby do Hash.initialize|| .instanceexec do end "".chop d...

7.5CVSS9.5AI score0.0168EPSS
Exploits1
Huntr
Huntr
added 2022/03/29 8:12 p.m.10 views

Use of cryptographically weak random number generator for password generation

Description Umbraco has a GeneratePassword function that is used to generate passwords that should be unpredictable, this function uses the .NET Random class which isn't cryptographically secure. Impact This vulnerability is capable of allowing attackers to predict generated passwords and use the...

3.1AI score
Exploits0References1
Huntr
Huntr
added 2022/03/29 4:14 p.m.30 views

SQL injection in RecyclebinController.php

Description From the code we can see that in line 122, the value is append to the sql query directly. The value can be from line 109. And from filter parameter . so we can use the value data to inject the database. if we set a wrong value. we can see the sql error from the log file . Proof of...

5CVSS1.1AI score0.01415EPSS
Exploits1
Huntr
Huntr
added 2022/03/29 2:46 p.m.10 views

Auth bypass via unproper use of getRequestURL()

Description The wgcloud uses getRequestURL improperly, an attacker could craft an URL that bypasses the auth of wgcloud Normally, when browsering http://ip:9999/wgcloud/dash/main with no auth, you will be redirected to /wgcloud/login/toLogin, but this vuln could bypass this. Proof of Concept curl...

1.1AI score
Exploits0References1
Huntr
Huntr
added 2022/03/29 10:15 a.m.22 views

Inf loop

Description A inf loop security issue in gpac/gpac Proof of Concept The issue occurs in code: src/mediatools/avilib.cL1974, when the gpac avidmx filter parses the AVI format file. choose a simple AVI format file, the data's header is as follows in xxd mode $ xxd ./1.avi | head -n 2 00000000: 5249...

4.3CVSS2.8AI score0.00821EPSS
Exploits1
Huntr
Huntr
added 2022/03/29 5:0 a.m.29 views

Weak secrethash can be brute-forced

Description The secrethash, which the application relies for multiple security measures, can be brute-forced. The hash is quite small, with only 10 characters of only hexadecimal, making 16^10 possilibities 1.099.511.627.776 . The SHA1 of the secret can be obtained via a captcha string and...

6.4CVSS0.00547EPSS
Exploits1
Huntr
Huntr
added 2022/03/29 4:18 a.m.32 views

SSRF on index.php/cobrowse/proxycss/

Description Live Helper Chat is vulnerable to SSRF on the /index.php/cobrowse/proxycss endpoint. It's possible to make internal requests and see the response as an authenticated user, it's also possible to make an request with any protocol using goppher://. Proof of Concept 1. Request...

5.5CVSS0.4AI score0.0094EPSS
Exploits1
Huntr
Huntr
added 2022/03/29 3:46 a.m.27 views

Loose comparison causes IDOR on multiple endpoints

Description Live Helper Chat is vulnerable to Type Juggling on the requestPayload'hash'. The application uses a Loose Comparison to check if the user-controlled parameter is equal to an hash, this check is vulnerable because it's possible to pass other Data Types via JSON that causes the if...

5CVSS0.01231EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/28 3:28 p.m.31 views

heap buffer overflow in get_one_sourceline

Description When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13 Proof of Concept Here is the minimized poc bash norm300gr0 so How to build bash LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address"...

6.8CVSS7.7AI score0.01267EPSS
Exploits1
Huntr
Huntr
added 2022/03/28 10:45 a.m.46 views

Use after free in utf_ptr2char

✍️ Description When fuzzing vim commit 9dac9b175, I discovered a use after free. I'm testing on ubuntu 20.04 with clang 13. Proof of Concept Here is the minimized poc bash s/\v/\r /%',600 How to build bash LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++...

6.8CVSS7.8AI score0.01462EPSS
Exploits1
Huntr
Huntr
added 2022/03/28 6:36 a.m.27 views

Non-Privilege User Can View Patient’s Disclosures

Vulnerability Type Insecure Direct Object Reference Affected URL https://localhost/openemr-6.0.0/ /interface/patientfile/summary/recorddisclosure.php?editlid=X Method GET Parameter editlid Authentication Required? Yes Issue Summary Non-privilege users accounting, front office can view patient’s...

5.5CVSS0.4AI score0.01013EPSS
Exploits2References1
Huntr
Huntr
added 2022/03/28 6:21 a.m.26 views

Missing Function Level Access Control

Vulnerability Type Missing Function Level Access Control Affected URL 62 vulnerable instances as listed in Table 1 Authentication Required? Yes Issue Summary Web applications usually only show functionality that a user has the need for and right to use in the UI. However, this is not the case for...

5.5CVSS0.1AI score0.00914EPSS
Exploits2References1
Huntr
Huntr
added 2022/03/28 6:1 a.m.28 views

Non Privilege User can Enable or Disable Registered

Vulnerability Type Insecure Direct Object Reference Affected URL https://localhost/openemr-6.0.0/interface/modules/zendmodules/public/Installer/manage Affected Parameters “modAction=enabled” Authentication Required? Yes Issue Summary Non-privilege users accounting & front-office can disable and...

4CVSS0.3AI score0.00863EPSS
Exploits2References1
Huntr
Huntr
added 2022/03/27 4:38 p.m.17 views

Stack buffer overflow in XML entity parsing

Description Attempting to parse a XML/SVG file containing an !ENTITY with a sufficiently long name into a fixed sized, stack allocated buffer causes an overflow. Proof of Concept ./bin/gcc/gpac -play ./poc-clean.svg poc-clean.svg available here GDB stack smashing detected : terminated Thread 1...

3.8AI score
Exploits0
Huntr
Huntr
added 2022/03/27 1:14 p.m.11 views

unprivileged user can publish a private file

Description user who dont have any accesss in file can publish the file and then unauthenticated user can download that file Proof of Concept 1. From admin account add a new user called user-B as content Authors .\ Now give user-B permission in page section only .Dont give files permission .\ So,...

7.1AI score
Exploits0
Huntr
Huntr
added 2022/03/27 11:2 a.m.9 views

Stored xss bug to hijack admin account

Description Using this xss lower level user can change his role to super-admin and can hijack admin account Proof of Concept 1. First from super-admin account goto http://localhost/silverstripe/admin/security/RootUsers and add user-B as content authors .\ also give user-B only permisssion to page...

0.7AI score
Exploits0
Huntr
Huntr
added 2022/03/26 7:29 p.m.14 views

Open Redirect (Bypass Of #59d7c660-744c-4fee-88b7-6117b6846aea)

Description Hello everyone, I found an Open Redirect on linkding on remove a bookmark functionality, it is a bypass of a previously submitted report, when users are tricked into visiting the vulnerable link, they will immediately redirected to arbitrary hosts. Proof of Concept - Just visit the...

1.6AI score
Exploits0
Total number of security vulnerabilities4072