4072 matches found
Open Redirection
Description Open redirect security flaw an attacker to redirect the victims of the application into malicious sites Proof of Concept Request POST /create-table/ HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 X11; Linux x8664; rv:78.0 Gecko/20100101 Firefox/78.0 Accept:...
stored xss
Description Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage Proof of Concept 1. A low-priv user create a page with the following...
csrf bug to remove a bookmark
Description CSRF bug to remove bookmark Proof of Concept There is no csrf token check during bookmark remove .\ Let say there is two user 1. user-A -- victim \ 2. user-B -- attacker \ STEP ======== 1. user-A create bookmark and lets bookmark id is 123\ 2. Now user-B attacker send a link...
Bypass previous fix
Description Bypass previous report fix Proof of Concept it checks if returnurl starts with / . So, it can be bypasssed using //google.com . 1. Login in the demo instance https://demo.linkding.link/ 2. Go to https://demo.linkding.link/bookmarks/3/remove?returnurl=//google.com 3. You will be...
Null Pointer Dereference Caused Segmentation Fault
Description Null pointer dereference caused segmentation fault Proof of Concept version ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.1-DEV-rev65-g718843df4-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters:...
Old sessions are not blocked by the login enable function.
Description If you disable logic function of an user, that user can still login by using their old session. Proof of Concept Step 1: login to dashboard by a normal account. Step 2: use a diffrent browser to login as admin Step 3: make the normal account in step 1 unable to login. Step 4: return t...
use after free in mrb_vm_exec
While fuzzing mruby I found a use after free in mruby compiled with ASAn. Proof of Concept uaf5.rb rb...
unchecked size in _load_bmp leads to RAM exhaustion in version 3.10
Description Via a maliciously crafted bmp file with modified dx and dy header field values it is possible to trick the application into allocating huge buffer sizes like 64 Gigabyte upon reading the file from disk or from a virtual buffer. Version This does affect the newest Version of Cimg which...
User after free in mrb_vm_exec
While fuzzing mruby I found a use after free in mruby compiled with ASAn. Proof of Concept uaf1.rb rb var1 = -0 var2 = 1.0 var3 = 1 var4 = +0 var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby || var3 = methods.groupby ||...
Stored XSS in "Name", "Group Name" & "Title"
Description The application allows img tag & src attribute in "Name","Title" & "Group Name" fields for which attackers can perform stored cross-site scripting. Proof of Concept 1.Login to the application and go to profile. 2.Now in the "Name" input field paste the below payload and click on "SAVE...
Stored XSS in Tooltip
Description The Classes in Data Objects have the Tooltip field. It is vulnerable to XSS attack. Proof of Concept STEP1: login https://demo.pimcore.fun/admin/ STEP2: Settings-Data Objects-Classes. Then choose an item, like product Data-AccessoryPart AP-compatibleTo。 STEP3: add payload in tooltip...
SQL injection through marking blog comments on bulk as spam
Description the comments ids aren't checked and vulnerable for SQL injection Proof of Concept...
Open Redirect on login
Description Although https://github.com/go-gitea/gitea/pull/9678 protects against most open redirects there is an unfortunate flaw in its logic due to browser behaviour when presented with Locations that have backslashes in them Proof of Concept...
Heap Buffer Overflow in parseDragons
Description heap buffer overflow in parseDragons function. ASAN report: ================================================================= ==2541037==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065578 at pc 0x7f45488bde0d bp 0x7ffc08551b50 sp 0x7ffc085512f8 READ of size 4 at...
Stored XSS via upload file
Description In document feature, you can upload a file .ofd which can have xss Proof of Concept // xss.ofd alert1 Step 1: Go to Support - Documents Step 2: Click Create Documents Step 3: At the Download type, choose Internal. Upload file xss.ofd above. Step 4: Go to that file link, such as:...
Open redirect vulnerability via endpoint authorize_and_redirect/?redirect=
Description Posthog application is vulnerable to open redirect which can be exploited by adding authorizeandredirect/?redirect=https://evil.com endpoint. Proof of Concept 1.Open the link https://app.posthog.com/login?next=/authorizeandredirect/%3Fredirect%3Dhttps%25253A%25252F%25252Fevil.com...
Heap Buffer Overflow in iterate_chained_fixups
Description heap buffer overflow in iteratechainedfixups function. ASAN report: ================================================================= ==2540511==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065710 at pc 0x7f5b64ccb878 bp 0x7ffeab141380 sp 0x7ffeab141370 READ of siz...
Use After Free in new_object
Description Heap use after free in newobject function. ASAN report: ================================================================= ==2514600==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000401d0 at pc 0x00000230a00e bp 0x7ffcfdbe1dd0 sp 0x7ffcfdbe1dc8 READ of size 2 at...
Stored XSS Leads To Session Hijacking
Description Hello everyone, During my testing on openemr at the demo available here https://demo.openemr.io/openemr, I found a Stored XSS on filename at Uploading Documents Templates which is found on Administration tab, what makes this Stored XSS really severe is the ability of stealing session...
Stored Cross Site Scripting
Vulnerability Type Stored Cross Site-Scripting XSS Affected URL https://localhost/openemr-6.0.0/interface/new/newcomprehensivesave.php Affected Parameters “formfname” “formlname” Authentication Required? Yes Issue Summary A stored XSS vulnerability found in “/interface/new/newcomprehensivesave.ph...
Reflected Cross Site Scripting
Vulnerability Type Reflected Cross Site-Scripting XSS Affected URL https://localhost/openemr-6.0.0/interface/main/calendar/index.php Affected Parameters “newname” Authentication Required? Yes Issue Summary A reflected XSS vulnerability found in “/interface/main/calendar/index.php” that allows Adm...
Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting
Vulnerability Type Stored Cross Site-Scripting XSS Affected URL https://localhost/openemr-6.0.0/ /interface/super/rules/index.php?action=edit!submitsummary Affected Parameters “fldtitle” Authentication Required? Yes Issue Summary Non-privilege users accounting, front-office can create new rule an...
Obscure Email Vulnerability allow anyone to signup with target email id without proper verification and Allowing malicious domain on username input field leads to business logic error by victim response fetching via email and force a user to download any file hacker want on behalf of [email protected].
Description This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so [email protected] is the same as [email protected] is the same as [email protected]. with this vulnerability attacker ca...
Path Traversal due to `send_file` call
A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash ../” sequences and its variations or by using absolute file paths, it may be possible to...
There is a Unrestricted Upload of File vulnerability in ShowDoc v2.10.3
Description There is a Unrestricted Upload of File vulnerability in AdminUpdateController.class.php in ShowDoc v2.10.3 Proof of Concept POST /showdoc-2.10.3/server/index.php?s=/api/adminUpdate/download HTTP/1.1 Host: 10.211.55.5 Content-Length: 66 Accept: application/json, text/plain, / User-Agen...
Sensitive Data Exposure Due To Insecure Storage Of Profile Image
Description When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of trudesk users like their Geolocation, their Device information like Device Name, Version, Software & Software version used,...
Stored XSS viva .svg file upload
Description The application allows .svg files to upload which lead to stored XSS Proof of Concept 1.Download the payload from this link:- https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing and upload it on your profile. 2.Now open the path of the uploaded image...
ReDoS in is-it-check
✍️ Description It allows causing a denial of service when checking crafted invalid URLs. 🕵️♂️ Proof of Concept // PoC.js var isItCheck = require"is-it-check" isItCheck.url'H'+'.A8'.repeat40...
ReDoS in is-it-check
✍️ Description It allows causing a denial of service when checking crafted invalid emails. 🕵️♂️ Proof of Concept // PoC.js var isItCheck = require"is-it-check" isItCheck.email'@A.'+ '0.0.'.repeat40+'A'...
The microweber application allows large characters to insert in the input field "Coupons" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Proof of Concept 1.Go to "Settings" click on "Coupons" and Add a new Coupons 2.Go to this drive link:- https://drive.google.com/file/d/1CcVCHWbvMk07IZ5v4dojrdJbC43ufhh/view?usp=sharing copy the payload and paste it on the "Code" input field 3.You will see the application accepts large characters...
Multiple Idor
Description There are multiple idors i found. In bookmarks//edit, bookmarks//remove, bookmarks//archive, bookmarks//unarchive. It gets the object provided in the bookmarkid without checking if the owner of the object is the current user. Proof of Concept 1. Go to...
Multiple Open redirect
Description There exist multiple open redirect in the get parameter returnurl . I found it in bookmarks//edit , bookmarks//remove, bookmarks//archive, bookmarks//unarchive, bookmarks/bulkedit Proof of Concept 1. Login in the demo instance https://demo.linkding.link/ 2. Go to...
Using vulnerable dependencies in package.json
Description 1. Hello team, The Showdoc is using a axios 0.17.1 dependency that is vulnerable to:👇 1. CVE-2021-3749 Regular Expression Denial of Service ReDoS 2. CVE-2020-28168 Server-Side Request Forgery SSRF 3. CVE-2019-10742 Denial of Service DoS Path to the file:...
stored xss in uploaded photo checkbox
Description xss code injection possible in endpoint "/api/savemedia " it accepts parameter "src" so if appended "%22onclick=%22alert'helo js executed';" and send request then xss alert will execute when clicking on checkbox of uploaded blank photo Proof of Concept 1. login as admin 2. open websit...
CRHTLF can lead to invalid protocol extraction potentially leading to XSS
Description \r, \n, \t characters in the URI can lead to XSS as URI.js will fail to extract javascript: protocol from a URI. See Section 4.4 Step 3 "Remove all ASCII tab or newline from input." of the WHATWG URL spec. Proof of Concept const parse = require'urijs' const express = require'express'...
Use After Free in op_is_set_bp
Description Heap use after free in opissetbp function. ASAN report: ================================================================= ==2367298==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000481a0 at pc 0x7f580c10da41 bp 0x7ffd53a17ed0 sp 0x7ffd53a17ec0 READ of size 8 at...
Able to create an account with long password leads to memory corruption / Integer Overflow
I have found that there is a way to create an account with the length of more than 10k or 100k characters where it may leads to Integer overflow and the backend memory can't handle this issue Steps to Reproduce: Now we can create a simple account While creating an account , In the password field ...
Segmentation Fault caused by MP4Box -lsr
Version: MP4Box -version MP4Box - GPAC version 2.1-DEV-rev48-gf6d6225a9-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io/ MINI build encoders, decoders, audio and video output disabled Please cite our work in your research: GPAC Filters:...
The grav application allows large characters to insert in the input field "Full Name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
Proof of Concept: 1. Go to http://site/admin/accounts/users/testuser 2. There will a Full name input field 3. Add more than 1 lakhs+ characters to the Full name field 4. You will see the application accepts large characters and if we will increase the characters then it can lead to Dos. POC Image...
Path Traversal
Description A Path Traversal vulnerability exists in Language export function, which allows attacker upload files to an arbitrary location in the server. By adding the special characters on filename, it can lead to a Denial Of Service Attack. Proof of Concept 1. Use the credential, access to the...
URL Confusion When Scheme Not Supplied
Description This is a URL confusion vulnerability. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse...
The microweber application allows large characters to insert in the input field "SKU" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber
Go to add post http://site.com/admin/product/create click on create new product There will a option called SKU Fill the input field with huge characters, more than 1 lakh Copy the below payload and put it in the input fields and click on continue. You will see the application accepts large...
The microweber application allows large characters to insert in the input field "Leave comment" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber in microweber/microweber
Proof of Concept 1. Go to http://site/admin/view:content/action:posts 2. Create a page and enable to add comment option 3. Go to that page and there will a option called "Leave a comment" 4. Copy the below payload and put it in the "Leave a comment" field post a comment 5. Go to...
No Rate Limit on Copoun Code Functionality
Description The attacker has the ability to send any number of requests to the endpoint due to the absence of rate-limiting. Steps to reproduce - Simply capture the adding coupon request and send it to burp. - Send it to the repeater tab and you will be able to send many requests without blocking...
The microweber application allows large characters to insert in the input field "fist & last name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber
Proof of Concept 1. Go to http://127.0.0.1/admin/view:modules/loadmodule:users/action:profile 2. Click on edit profile 3. Fill the first name & last name field with huge characters, more than 1 lakh 4. Copy the below payload and put it in the input fields and click on continue. 5. You will see th...
Stored XSS viva .webma file upload
Description The application allows .webma files to upload which lead to stored XSS Proof of Concept 1.First, open your text file/notepad and paste the below payload and save it as XSS.webma : alert1337 alertdocument.domain alertdocument.location alert'XSSbySamprit Das' 2.Then go to...
Stored XSS viva .webmv file upload
Description The application allows .webmv files to upload which lead to stored XSS Proof of Concept 1.First, open your text file/notepad and paste the below payload and save it as XSS.webmv: alert1337 alertdocument.domain alertdocument.location alert'XSSbySamprit Das' 2.Then go to...
Stored XSS via File Upload in star7th/showdoc in star7th/showdoc
Description Stored XSS via uploading file in .ofd format. Proof of Concept filename="test.ofd" alert1 Steps to Reproduce 1. Login into showdoc.com.cn. 2. Navigate to file library https://www.showdoc.com.cn/attachment/index 3. In the File Library page, click the Upload button and choose the test.o...
Stored XSS viva .ofd file upload
Description The application allows .ofd files to upload which lead to stored XSS Proof of Concept 1.First, open your text file/notepad and paste the below payload and save it as XSS.ofd: alert1337 alertdocument.domain alertdocument.location alert'XSSbySamprit Das' 2.Then go to...
Stored XSS viva .properties file upload
Description The application allows .properties files to upload which lead to stored XSS Proof of Concept 1.First, open your text file/notepad and paste the below payload and save it as XSS.properties: alert1337 alertdocument.domain alertdocument.location alert'XSSbySamprit Das' 2.Then go to...