Stored XSS via file upload
Description: In the document feature, you can upload an .ofd file which can contain XSS. Proof of Concept: // xss.ofd alert(1) Step 1: Go to Support - Documents. Step 2: Click Create Documents. Step 3: At the Download type, choose Internal. Upload the file xss.ofd above. Step 4: Go to that file link, such as:...
Open redirect vulnerability via endpoint authorize_and_redirect/?redirect=
Description: The PostHog application is vulnerable to an open redirect, which can be exploited via the authorize_and_redirect/?redirect=https://evil.com endpoint. Proof of Concept: 1. Open the link https://app.posthog.com/login?next=/authorize_and_redirect/%3Fredirect%3Dhttps%25253A%25252F%25252Fevil.com...
Heap Buffer Overflow in iterate_chained_fixups
Description: heap buffer overflow in the iterate_chained_fixups function. ASAN report: ================================================================= ==2540511==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065710 at pc 0x7f5b64ccb878 bp 0x7ffeab141380 sp 0x7ffeab141370 READ of siz...
Use After Free in new_object
Description: Heap use after free in the new_object function. ASAN report: ================================================================= ==2514600==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000401d0 at pc 0x00000230a00e bp 0x7ffcfdbe1dd0 sp 0x7ffcfdbe1dc8 READ of size 2 at...
Stored XSS Leads To Session Hijacking
Description: Hello everyone, during my testing on OpenEMR at the demo available here https://demo.openemr.io/openemr, I found a stored XSS on the filename at Uploading Documents Templates, which is found on the Administration tab. What makes this stored XSS really severe is the ability of stealing session...
Stored Cross-Site Scripting
Vulnerability Type: Stored Cross-Site Scripting (XSS). Affected URL: https://localhost/openemr-6.0.0/interface/new/new_comprehensive_save.php. Affected Parameters: "form_fname", "form_lname". Authentication Required? Yes. Issue Summary: A stored XSS vulnerability was found in "/interface/new/new_comprehensive_save.ph...
Reflected Cross-Site Scripting
Vulnerability Type: Reflected Cross-Site Scripting (XSS). Affected URL: https://localhost/openemr-6.0.0/interface/main/calendar/index.php. Affected Parameters: "newname". Authentication Required? Yes. Issue Summary: A reflected XSS vulnerability was found in "/interface/main/calendar/index.php" that allows Adm...
Non-Privileged User Can Create a New Rule, Leading to Stored Cross-Site Scripting
Vulnerability Type: Stored Cross-Site Scripting (XSS). Affected URL: https://localhost/openemr-6.0.0/interface/super/rules/index.php?action=edit!submitsummary. Affected Parameters: "fldtitle". Authentication Required? Yes. Issue Summary: Non-privileged users (accounting, front-office) can create a new rule an...
Obscure email vulnerability allows anyone to sign up with a target email ID without proper verification, and allowing a malicious domain in the username input field leads to a business logic error (victim response fetching via email), forcing a user to download any file the hacker wants on behalf of [email protected].
Description: This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so [email protected] is the same as [email protected] is the same as [email protected]. With this vulnerability an attacker ca...
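As an added example (not part of the report above and not the affected application's code): canonicalising an address before uniqueness and verification lookups, so the Gmail dot and plus-tag variants the report describes all map to one account. The provider list and helper names are assumptions made for illustration.

```javascript
// Added example: canonicalise e-mail addresses for account matching.
// Gmail treats dots in the local part as insignificant and ignores a "+tag"
// suffix, so all of these reach the same inbox and must be one account:
//   john@gmail.com, j.o.h.n@gmail.com, john+promo@gmail.com
// Other providers are left as typed, except that the domain is lowercased.

// Assumed provider list: domains with Gmail's dot/plus semantics.
const DOT_INSENSITIVE = new Set(['gmail.com', 'googlemail.com']);

// Returns the canonical form, or null when the input is not shaped like an address.
function canonicalEmail(address) {
  if (typeof address !== 'string') return null;
  const trimmed = address.trim();
  const at = trimmed.lastIndexOf('@');
  if (at <= 0 || at === trimmed.length - 1) return null;
  let local = trimmed.slice(0, at);
  let domain = trimmed.slice(at + 1).toLowerCase();
  if (domain === 'googlemail.com') domain = 'gmail.com';   // same mailbox namespace
  if (DOT_INSENSITIVE.has(domain)) {
    local = local.split('+')[0]            // drop "+tag"
                 .replace(/\./g, '')       // dots are ignored by Gmail
                 .toLowerCase();
    if (local.length === 0) return null;   // "+x@gmail.com" has no mailbox left
  }
  return `${local}@${domain}`;
}

// Two addresses denote the same mailbox if their canonical forms agree.
function sameMailbox(a, b) {
  const ca = canonicalEmail(a);
  const cb = canonicalEmail(b);
  return ca !== null && ca === cb;
}
```

Run canonicalEmail at signup and again when the verification link is consumed, store the canonical form next to the address the user typed, refuse a second account whose canonical form already exists, and do not treat the address as owned until the link sent to it has actually been clicked.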
Path Traversal due to `send_file` call
A path traversal attack, also known as directory traversal, aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to...
There is an Unrestricted Upload of File vulnerability in ShowDoc v2.10.3
Description: There is an Unrestricted Upload of File vulnerability in AdminUpdateController.class.php in ShowDoc v2.10.3. Proof of Concept: POST /showdoc-2.10.3/server/index.php?s=/api/adminUpdate/download HTTP/1.1 Host: 10.211.55.5 Content-Length: 66 Accept: application/json, text/plain, */* User-Agen...
Sensitive Data Exposure Due To Insecure Storage Of Profile Image
Description: When a user uploads their profile picture, the uploaded image's EXIF geolocation data does not get stripped. As a result, anyone can get sensitive information about trudesk users, such as their geolocation and device information (device name, version, software and software version used)...
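An added example (not trudesk's code) of removing the metadata segments from a JPEG before it is stored, so location and device fields never reach other users. The JPEG below is constructed by hand for the example and carries a fake Exif payload; a real image would come from the upload stream.

```javascript
// Added example: strip APP1 segments (Exif and XMP both live there) from a JPEG.
// A JPEG is SOI (FF D8) followed by marker segments [FF xx][len][payload], where
// len is big-endian and includes its own two bytes, until SOS (FF DA); from
// there the entropy-coded scan runs to EOI (FF D9) and carries no metadata.
function stripExif(jpeg) {
  if (jpeg.length < 2 || jpeg[0] !== 0xff || jpeg[1] !== 0xd8) {
    throw new Error('not a JPEG: missing SOI');
  }
  const kept = [jpeg.subarray(0, 2)];
  let pos = 2;
  while (pos < jpeg.length) {
    if (jpeg[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    const marker = jpeg[pos + 1];
    if (marker === 0xff) { pos += 1; continue; }      // fill byte before a marker
    if (marker === 0xda || marker === 0xd9) {         // SOS or EOI: copy the rest verbatim
      kept.push(jpeg.subarray(pos));
      break;
    }
    if (pos + 4 > jpeg.length) throw new Error('truncated segment header');
    const len = jpeg.readUInt16BE(pos + 2);
    const end = pos + 2 + len;
    if (len < 2 || end > jpeg.length) throw new Error('bad segment length');
    if (marker !== 0xe1) kept.push(jpeg.subarray(pos, end));   // drop every APP1
    pos = end;
  }
  return Buffer.concat(kept);
}

// Constructed sample: SOI, an APP1 Exif segment with fake GPS/device text,
// a JFIF APP0 segment, a DQT-shaped segment, a minimal SOS, scan bytes, EOI.
function buildSampleJpeg() {
  const seg = (marker, payload) => {
    const len = Buffer.alloc(2);
    len.writeUInt16BE(payload.length + 2);
    return Buffer.concat([Buffer.from([0xff, marker]), len, payload]);
  };
  const exif = Buffer.concat([
    Buffer.from('Exif\0\0', 'latin1'),
    Buffer.from('GPS 51.5N 0.1W; Pixel 6', 'latin1'),   // stand-in for a TIFF/IFD blob
  ]);
  return Buffer.concat([
    Buffer.from([0xff, 0xd8]),
    seg(0xe1, exif),
    seg(0xe0, Buffer.from([0x4a, 0x46, 0x49, 0x46, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0])),
    seg(0xdb, Buffer.alloc(65, 1)),
    Buffer.from([0xff, 0xda, 0x00, 0x0c]), Buffer.alloc(10, 0x11),
    Buffer.from([0x12, 0x34, 0x56]),
    Buffer.from([0xff, 0xd9]),
  ]);
}
```

PNG (eXIf chunk), WebP and HEIC carry the same data in other containers; the general fix is to decode and re-encode the upload with an image library so that only pixels survive. The parser above is the minimal fix for the JPEG case and also drops XMP, which can carry location too.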
Stored XSS via .svg file upload
Description: The application allows .svg files to be uploaded, which leads to stored XSS. Proof of Concept: 1. Download the payload from this link: https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing and upload it on your profile. 2. Now open the path of the uploaded image...
ReDoS in is-it-check
✍️ Description: It allows causing a denial of service when checking crafted invalid URLs. 🕵️‍♂️ Proof of Concept: // PoC.js var isItCheck = require("is-it-check") isItCheck.url('H' + '.A8'.repeat(40))...
ReDoS in is-it-check
✍️ Description: It allows causing a denial of service when checking crafted invalid emails. 🕵️‍♂️ Proof of Concept: // PoC.js var isItCheck = require("is-it-check") isItCheck.email('@A.' + '0.0.'.repeat(40) + 'A')...
The microweber application allows a very large number of characters to be inserted in the "Coupons" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Proof of Concept: 1. Go to "Settings", click on "Coupons" and add a new coupon. 2. Go to this drive link: https://drive.google.com/file/d/1CcVCHWbvMk07IZ5v4dojrdJbC43ufhh/view?usp=sharing, copy the payload and paste it in the "Code" input field. 3. You will see the application accepts large characters...
Multiple IDORs
Description: There are multiple IDORs I found, in bookmarks//edit, bookmarks//remove, bookmarks//archive, bookmarks//unarchive. It gets the object provided in the bookmark_id without checking if the owner of the object is the current user. Proof of Concept: 1. Go to...
Multiple Open Redirects
Description: There exist multiple open redirects in the GET parameter return_url. I found it in bookmarks//edit, bookmarks//remove, bookmarks//archive, bookmarks//unarchive, bookmarks/bulkedit. Proof of Concept: 1. Log in to the demo instance https://demo.linkding.link/ 2. Go to...
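An added example, not PostHog's or linkding's code, of the check both the `next`/`redirect` chain reported against PostHog and the `return_url` parameter reported against linkding are missing: resolve the candidate against the application's own origin and accept only same-origin targets. The origin and endpoint names are assumptions for illustration.

```javascript
// Added example: a same-origin check for "next" / "return_url" style parameters.
// The application origin is assumed for the example.
const APP_ORIGIN = 'https://app.example.com';
const FALLBACK = '/';

// Returns a path-only target that is safe to pass to res.redirect(), or FALLBACK.
function safeRedirectTarget(candidate, appOrigin = APP_ORIGIN) {
  if (typeof candidate !== 'string' || candidate.length === 0) return FALLBACK;
  let url;
  try {
    url = new URL(candidate, appOrigin);   // relative paths resolve against the app itself
  } catch {
    return FALLBACK;                       // unparseable input is never followed
  }
  // One comparison covers https://evil.com, //evil.com, /\evil.com (browsers treat
  // the backslash as a slash), javascript: (origin "null") and lookalike hosts.
  if (url.origin !== appOrigin) return FALLBACK;
  // Hand back only path + query + fragment so the value can never become absolute.
  return url.pathname + url.search + url.hash;
}

// The second hop in the PostHog chain: the endpoint named by "next" reads its own
// "redirect" parameter and must validate it independently. Passing the same-origin
// check at /login says nothing about where that inner value points.
function secondHopTarget(firstHopPath, paramName = 'redirect') {
  const inner = new URL(firstHopPath, APP_ORIGIN).searchParams.get(paramName);
  return inner === null ? null : safeRedirectTarget(inner);
}
```

Every endpoint that issues a redirect runs the check on its own, already-decoded parameter; the nested percent-encoding in the PostHog PoC exists precisely to survive one layer of checking and be decoded by the next.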
Using vulnerable dependencies in package.json
Description: 1. Hello team, ShowDoc is using the axios 0.17.1 dependency, which is vulnerable to: 👇 1. CVE-2021-3749 Regular Expression Denial of Service (ReDoS) 2. CVE-2020-28168 Server-Side Request Forgery (SSRF) 3. CVE-2019-10742 Denial of Service (DoS) Path to the file:...
Stored XSS in uploaded photo checkbox
Description: XSS code injection is possible in the endpoint "/api/savemedia". It accepts the parameter "src", so if "%22onclick=%22alert('helo js executed');" is appended and the request is sent, the XSS alert will execute when clicking on the checkbox of the uploaded blank photo. Proof of Concept: 1. Log in as admin 2. Open websit...
CRLF can lead to invalid protocol extraction, potentially leading to XSS
Description: \r, \n, \t characters in the URI can lead to XSS, as URI.js will fail to extract the javascript: protocol from a URI. See Section 4.4 Step 3 "Remove all ASCII tab or newline from input." of the WHATWG URL spec. Proof of Concept: const parse = require('urijs') const express = require('express')...
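An added example (not urijs code and not the report's PoC) of why the spec step the report cites matters: a scheme check that reads the raw string misses "java\tscript:", while one that first removes ASCII tab and newline, as the WHATWG parser does, catches it. Node's built-in URL class follows the WHATWG rules and is used as the reference; the scheme allowlist is an assumption.

```javascript
// Added example: scheme checks must strip ASCII tab/newline before matching.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);   // assumed policy

// Naive check: regex on the raw string. "java\tscript:alert(1)" slips past
// because the literal text "javascript:" never occurs, yet a browser will
// run it once the tab is dropped.
function naiveSchemeIsSafe(href) {
  return !/^\s*javascript:/i.test(href);
}

// WHATWG-aligned check: remove tab/CR/LF anywhere in the input (URL spec
// section 4.4 step 3), parse, and accept only a positive allowlist of schemes.
// The strip is done explicitly so the logic ports to parsers that omit it.
function whatwgSchemeIsSafe(href) {
  if (typeof href !== 'string') return false;
  const cleaned = href.replace(/[\t\n\r]/g, '');
  let url;
  try {
    url = new URL(cleaned, 'https://example.invalid/');   // relative hrefs inherit https:
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}
```

Denylisting "javascript:" is the wrong shape even after stripping: data:, vbscript: and whatever a future engine adds all fall through, so the hardened version names what is allowed.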
Use After Free in op_is_set_bp
Description: Heap use after free in the op_is_set_bp function. ASAN report: ================================================================= ==2367298==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000481a0 at pc 0x7f580c10da41 bp 0x7ffd53a17ed0 sp 0x7ffd53a17ec0 READ of size 8 at...
Able to create an account with a long password, leading to memory corruption / integer overflow
I have found that there is a way to create an account with a password of more than 10k or 100k characters, where it may lead to an integer overflow and the backend memory can't handle this issue. Steps to Reproduce: Now we can create a simple account. While creating an account, in the password field ...
Segmentation Fault caused by MP4Box -lsr
Version: MP4Box -version MP4Box - GPAC version 2.1-DEV-rev48-gf6d6225a9-master (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io/ MINI build (encoders, decoders, audio and video output disabled) Please cite our work in your research: GPAC Filters:...
The grav application allows a very large number of characters to be inserted in the "Full Name" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
Proof of Concept: 1. Go to http://site/admin/accounts/users/testuser 2. There will be a Full Name input field 3. Add more than 1 lakh (100,000+) characters to the Full Name field 4. You will see the application accepts large inputs, and if we increase the number of characters further it can lead to DoS. POC Image...
Path Traversal
Description: A path traversal vulnerability exists in the Language export function, which allows an attacker to upload files to an arbitrary location on the server. By adding special characters to the filename, it can lead to a Denial of Service attack. Proof of Concept: 1. Using the credentials, access the...
URL Confusion When Scheme Not Supplied
Description: This is a URL confusion vulnerability. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse...
The microweber application allows a very large number of characters to be inserted in the "SKU" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber
Go to add post http://site.com/admin/product/create and click on create new product. There will be an option called SKU. Fill the input field with a huge number of characters, more than 1 lakh. Copy the below payload, put it in the input fields and click on continue. You will see the application accepts large...
The microweber application allows a very large number of characters to be inserted in the "Leave comment" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber
Proof of Concept: 1. Go to http://site/admin/view:content/action:posts 2. Create a page and enable the add-comment option 3. Go to that page; there will be an option called "Leave a comment" 4. Copy the below payload, put it in the "Leave a comment" field and post a comment 5. Go to...
No Rate Limit on Coupon Code Functionality
Description: The attacker has the ability to send any number of requests to the endpoint due to the absence of rate limiting. Steps to reproduce: - Simply capture the add-coupon request and send it to Burp. - Send it to the Repeater tab and you will be able to send many requests without blocking...
The microweber application allows a very large number of characters to be inserted in the "first & last name" input fields, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber
Proof of Concept: 1. Go to http://127.0.0.1/admin/view:modules/loadmodule:users/action:profile 2. Click on edit profile 3. Fill the first name & last name fields with a huge number of characters, more than 1 lakh 4. Copy the below payload, put it in the input fields and click on continue. 5. You will see th...
Stored XSS via .webma file upload
Description: The application allows .webma files to be uploaded, which leads to stored XSS. Proof of Concept: 1. First, open your text file/notepad, paste the below payload and save it as XSS.webma: alert(1337) alert(document.domain) alert(document.location) alert('XSSbySamprit Das') 2. Then go to...
Stored XSS via .webmv file upload
Description: The application allows .webmv files to be uploaded, which leads to stored XSS. Proof of Concept: 1. First, open your text file/notepad, paste the below payload and save it as XSS.webmv: alert(1337) alert(document.domain) alert(document.location) alert('XSSbySamprit Das') 2. Then go to...
Stored XSS via File Upload in star7th/showdoc
Description: Stored XSS via uploading a file in .ofd format. Proof of Concept: filename="test.ofd" alert(1) Steps to Reproduce: 1. Log in to showdoc.com.cn. 2. Navigate to the file library https://www.showdoc.com.cn/attachment/index 3. In the File Library page, click the Upload button and choose the test.o...
Stored XSS via .ofd file upload
Description: The application allows .ofd files to be uploaded, which leads to stored XSS. Proof of Concept: 1. First, open your text file/notepad, paste the below payload and save it as XSS.ofd: alert(1337) alert(document.domain) alert(document.location) alert('XSSbySamprit Das') 2. Then go to...
Stored XSS via .properties file upload
Description: The application allows .properties files to be uploaded, which leads to stored XSS. Proof of Concept: 1. First, open your text file/notepad, paste the below payload and save it as XSS.properties: alert(1337) alert(document.domain) alert(document.location) alert('XSSbySamprit Das') 2. Then go to...
Stored XSS via File Upload in star7th/showdoc
Description: Stored XSS via uploading a file in .properties format. Proof of Concept: filename="test.properties" alert(1) Steps to Reproduce: 1. Log in to showdoc.com.cn. 2. Navigate to the file library https://www.showdoc.com.cn/attachment/index 3. In the File Library page, click the Upload button and...
Stored XSS via File Upload
Description: Stored XSS via uploading a file in .m3u8a format. Proof of Concept: filename="poc.m3u8a" alert(1) Steps to Reproduce: 1. Log in to showdoc.com.cn. 2. Navigate to the file library https://www.showdoc.com.cn/attachment/index 3. In the File Library page, click the Upload button and choose the...
Stored XSS via File Upload
Description: Stored XSS via uploading a file in .md format. Proof of Concept: filename="poc.md" alert(1) Steps to Reproduce: 1. Log in to showdoc.com.cn. 2. Navigate to the file library https://www.showdoc.com.cn/attachment/index 3. In the File Library page, click the Upload button and choose the poc.md...
? before the @ sign allows one to bypass whitelists
Description: A ? before the @ sign in HTTP URLs allows one to bypass whitelists. Proof of Concept: Convince the Node.js HTTP client to make a request to 127.0.0.1, bypassing a google.com whitelist. const parse = require('parse-url') const http = require('http') const url = parse("http://[email protected]") if...
Stored XSS via cshtm file upload
Description: This is a bypass of the report https://huntr.dev/bounties/8702e2bf-4af2-4391-b651-c8c89e7d089e/. Here the upload functionality allows malicious files with the extension .cshtm, which leads to stored XSS. Proof of Concept: 1. First, open your text file/notepad and paste the below...
Stored XSS via axd and cshtml file upload in star7th/showdoc
Description: This is a bypass of the reports https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/ and https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/. Here the upload functionality allows malicious files with the extensions .cshtml and .axd, which leads to stored XSS...
File Upload Restriction Bypass leading to Stored XSS Vulnerability
Description: File upload restriction bypass leading to a stored XSS vulnerability, by leveraging the file extensions vbhtm, vbhtml, soap, and even any extension that ends with html, e.g. aahtml, bbhtml. Proof of Concept: Step 1: Access https://www.showdoc.com.cn/attachment/index Step 2: Prepare a file with the content bel...
Stored XSS due to Unrestricted File Upload
Description: Stored XSS via uploading files in .xsd, .asa and .aspx formats (already mentioned in a previous report). Proof of Concept: For .xsd: filename="poc.xsd" alert(1) For .asa and .aspx: filename="poc.asa" alert(1) Steps to Reproduce: 1. Log in to showdoc.com.cn. 2. Navigate to the file library...
Stored XSS due to Unrestricted File Upload
Description: Stored XSS via uploading files in .xsl format. Proof of Concept: filename="poc.xsl" alert(1) Steps to Reproduce: 1. Log in to showdoc.com.cn. 2. Navigate to the file library https://www.showdoc.com.cn/attachment/index 3. In the File Library page, click the Upload button and choose the poc.xsl...
Malicious usage of '+' in protocol can lead to whitelist bypasses
Description: Malicious usage of '+' in the protocol can lead to whitelist bypasses. Proof of Concept: The following PoC shows how, if parse-url is used to check the resource of a URL against a whitelist, we can bypass a whitelist check for google.com and then convince the standard HTTP client in Node.js...
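An added example, not parse-url's code and not either report's PoC, covering both the "? before @" report and the "+ in protocol" report above: a host allowlist is only as good as the parser that extracts the host, and it must be the same parser the HTTP client will use. The weak form below splits the authority on '@' the way a hand-rolled parser might; the strong form uses Node's WHATWG URL class, which is what http.request consumes. The crafted URL is constructed from the components the first report names (the report's own PoC URL is masked on this page), and the scheme pin is an assumption that also closes off any "+"-containing scheme regardless of how another parser tokenises it.

```javascript
// Added example: extract the host the client will actually connect to.
const ALLOWED_HOSTS = new Set(['google.com']);   // assumed allowlist

// Weak: treat everything before the last '@' in the authority as userinfo.
// "http://127.0.0.1?@google.com" then yields "google.com", because the '?'
// that ends the host in a real parser is ignored here.
function hostByAtSplit(raw) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/]*)/i.exec(raw);
  if (!m) return null;
  const authority = m[2];
  const at = authority.lastIndexOf('@');
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  return hostport.split(':')[0].toLowerCase();
}

function weakAllowed(raw) {
  return ALLOWED_HOSTS.has(hostByAtSplit(raw));
}

// Strong: parse with the WHATWG rules Node's http client applies to a URL
// object, pin the scheme to plain http/https, and compare the resulting
// hostname. The '?' ends the host, so the client and the check agree.
function strongAllowed(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return ALLOWED_HOSTS.has(url.hostname);
}
```

Whatever object passes strongAllowed is the object handed to http.request, not the original string, so nothing re-parses it differently downstream.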
Stored XSS due to Unrestricted File Upload
Description: Stored XSS via uploading files in .aspx format. Proof of Concept: filename="poc.aspx" alert(1) Steps to Reproduce: 1. Log in to showdoc.com.cn. 2. Navigate to the file library https://www.showdoc.com.cn/attachment/index 3. In the File Library page, click the Upload button and choose the...
Unrestricted Upload of File with Dangerous Type
Description: This is a bypass of report https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/. The upload feature allows files with the extension .html, which leads to stored XSS. Proof of Concept: - Step 1: Log in to showdoc.com.cn. - Step 2: Go to...
Stored XSS via file upload
Description: Hello Team, this is a bypass of the report in https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/. The upload feature allows files with the extension .xxhtml, which leads to stored XSS. Proof of Concept: filename="poc.xxhtml" alert(1) Steps to Reproduce: 1. Log in to...
The microweber application allows a very large number of characters to be inserted in the "post title" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Proof of Concept: 1. Go to add post http://site.com/admin/post/create 2. Click on create new post 3. There will be an option called post title 4. Fill the input field with a huge number of characters, more than 1 lakh 5. Copy the below payload, put it in the input fields and click on continue. 6. You will see...