4072 matches found
Stored XSS via File Upload in star7th/showdoc
Description Stored XSS via uploading file in .properties format. Proof of Concept filename="test.properties" alert1 Steps to Reproduce 1. Login into showdoc.com.cn. 2. Navigate to file library https://www.showdoc.com.cn/attachment/index 3. In the File Library page, click the Upload button and...
Stored XSS via File Upload
Description Stored XSS via uploading file in .m3u8a format. Proof of Concept filename="poc.m3u8a" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the...
Stored XSS via File Upload
Description \ Stored XSS via uploading file in .md format. Proof of Concept filename="poc.md" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the poc.md...
? before the @ sign allows one to bypass whitelists
Description ? before the @ sign in HTTP URLs allows one to bypass whitelists Proof of Concept Convince NodeJS HTTP client to make a request to 127.0.0.1 bypassing a google.com whitelist. const parse = require'parse-url' const http = require'http' const url = parse"http://[email protected]" if...
Stored XSS viva cshtm file upload
Description This is a bypass of the report:https://huntr.dev/bounties/8702e2bf-4af2-4391-b651-c8c89e7d089e/. Here the upload functionality allows the malicious files with the extension .cshtm which leads to Stored XSS. Proof of Concept 1.First, open your text file/notepad and paste the below...
Stored XSS viva axd and cshtml file upload in star7th/showdoc
Description This is a bypass of the report: https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/ & https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/. Here the upload functionality allows the malicious files with the extension .cshtml and .axd which leads to Stored XSS...
File Upload Restriction Bypass leading to Stored XSS Vulnerability
Description File Upload Restriction Bypass leading to Stored XSS Vulnerability, by leveraging file extension vbhtm, vbhtml, soap, even any extension ends with html e.g. aahtml, bbhtml Proof of Concept Step 1 Access https://www.showdoc.com.cn/attachment/index Step 2 Prepare a file with content bel...
Stored XSS due to Unrestricted File Upload
Description Stored XSS via uploading files in .xsd, .asa and .aspx already mentioned in previous report formats. Proof of Concept For .xsd filename="poc.xsd" alert1 For .asa and .aspx filename="poc.asa" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library...
Stored XSS due to Unrestricted File Upload
Description Stored XSS via uploading files in .xsl format. Proof of Concept filename="poc.xsl" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the poc.xsl...
Malicious usage of '+' in protocol can lead to whitelist bypasses
Description Malicious usage of '+' in protocol can lead to whitelist bypasses. Proof of Concept The following PoC shows how if parse-url is used to check the resource of a URL against a whitelist, we can bypass a whitelist check for google.com, and then convince the standard HTTP client in NodeJS...
Stored XSS due to Unrestricted File Upload
Description Stored XSS via uploading files in .aspx format. Proof of Concept filename="poc.aspx" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the...
Unrestricted Upload of File with Dangerous Type
Description This is a bypass of report https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/. The upload feature allows the files with the extension .html which leads to Stored XSS. Proof of Concept - Step 1: Login into showdoc.com.cn. - Step 2: Go to...
Stored XSS via file upload
Description Hello Team, \ This is a bypass to the report in https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/. \ The upload feature allows the files with the extension .xxhtml which leads to Stored XSS. Proof of Concept filename="poc.xxhtml" alert1 Steps to Reproduce 1.Login into...
The microweber application allows large characters to insert in the input field "post title" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Proof of Concept 1. Go to add post http://site.com/admin/post/create 2. click on create new post 3. There will a option called post title 4. Fill the input field with huge characters, more than 1 lakh 5. Copy the below payload and put it in the input fields and click on continue. 6. You will see...
Heap-based Buffer Overflow occurs in vim
Description Heap-based Buffer Overflow occurs in suggesttrychange. commit : d0b7bfa95798f5ec743d8afffbffb83aeac823da Proof of Concept $ echo -ne "c2UgZW5jb2Rpbmc9aXNvODg1OQpub3JtMFIwMDAwMDAwMDAwMApzaWwwbm9ybRYwCmZ1IFIoKQpz aWwhbm9ybRZpMDAwMDApCmNhbCBSKCkKbm9ybTF6PQplbmRmCmNhbCBSKCk=" | base64 -d...
Arbitrary file deletion in Gitea
Description When user delete the LFS data in Gitea, the oid parameter is not been validated. The attacker can make an oid whose prefix is .... to traverse directory and delete any files on the server. Proof of Concept Create a repository on Gitea. e.g. foo/bar Send a POST request with your Gitea...
Unrestricted XML Files Leads to Stored XSS
Description The web Application restricts upload files by blacklist extensions. It's not safe for the application to prevent the attack, there are many extension can cause an attack to user and web application. By uploading XML files, the users can perform an Stored XSS attack Proof of Concept 1...
Stored xss in showdoc through file upload
Description Hi. This is a bypass to the report in https://huntr.dev/bounties/df347aa9-ed9b-4f75-af99-c83b8aad3bcf/ . It fails to check for files with the extension .shtml which leads to stored xss Proof of Concept // poc.shtml adsasdadsdsa alert1 Impact Stored Xss...
Stored XSS in organisation name field
Description Upon a user creates a new organisation and invites members, by opening the invitation, the XSS payload is being executed. Proof of Concept Just simply create an organisation with the following name: XSSalert1. After saving the organisation, the XSS payload is being executed. Impact In...
Template injection in connection test endpoint leads to RCE
Description Please enter a description of the vulnerability. Proof of Concept Run a local docker instance sh sudo docker run -p 3000:3000 --name sqlpad -d --env SQLPADADMIN=admin --env SQLPADADMINPASSWORD=admin sqlpad/sqlpad:latest Navigate to http://localhost:3000/ Click on Connections-Add...
Reflected XSS
Description Privacy Consent in ForkCMS v 5.11.0 Setting unsanitized user input resulting in Reflected XSS. Proof of Concept Endpoint 1 http://IP/private/en/settings/index Step 1 Login to ForkCMS 2 Go to Settings - General 3 Insert payload on "Technical Name" user input at "Privacy Consent" panel...
hostname spoofing via Improper Input Validation
Description When to use the parse-url, If user put the https://google.comhashvalue as argument, parse-url doesn't parse the hash value and parses hostname and hash together as hostname. http://localhost/hashvalue and http://localhosthashvalue are the same.. txt - new URL of node ❯ node -e...
Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods
Description 1 Checkout URL and Custom order id parameters are vulnerable to stored XSS, which are located in Shop Settings other settings Advanced 2 From e-mail address and From name parameters are vulnerable to stored XSS, which are located in Shop Settings Autorespond E-mail settings check your...
Insecure deserialization of not validated module file
Description In recent Crater version 18507ddb tag: 6.0.6 highly privileged user can upload malicious module file and run insecure deserialization, which can lead to remote code execution. Proof of Concept 1. Prepare PHAR file - php --define phar.readonly=0 phar.php PHP data = $data; function...
Host Header injection in password Reset
Description The password reset uses $SERVER'HTTPHOST' to generate the password without any checks or filtering. Allowing a malicious attacker to generate a fake password reset link to steal password reset tokens which may lead to account takeover Impact Account Takeover...
Remote Command Execution in uploading repository file
Description When uploading a file to the repository in Gogs, the treepath parameter is not been validated. The attacker can set treepath=/.git/ to upload file into the .git directory. Rewrite .git/config file and set core.sshCommand, which leads to remote command execution vulnerability. Proof of...
File upload filter bypass leading to stored XSS
Description A User can upload .a-zhtml file e.g. ahtml, bhtml, chtml, ddhtml, AS LONG AS it ends with html with XSS payload. Upon upload, a URL with malicious html can be accessed and javascript will be executed. Proof of Concept taking chtml as example Step 1 Login to the demo portal with admin...
Stored Cross Site Scripting
Vulnerability Type Stored Cross Site-Scripting XSS Affected URL https://localhost/openemr-6.0.0/ /controller.php?practicesettings&documentcategory&action=addnode&parentid=XX Affected Parameter “name” Method POST Authentication Required? Yes Issue Summary A stored XSS vulnerability found in ”...
Accounting User Can Download Patient Reports in openemr
Vulnerability Type Insecure Direct Object Reference Affected URL https://localhost/openemr/interface/patientfile/report/customreport.php Affected Parameters “Issue7” Authentication Required? Yes Issue Summary Non-privilege users accounting & front-office can download patient reports containing...
XSS on dynamic_text module
Description There is XSS vulnerability on dynamictext module. Proof of Concept Visit - https://demo.microweber.org/demo/admin/view:modules/loadmodule:dynamictext Impact Below Post request was used to upload XSS payload POST /demo/api/savedynamictext HTTP/1.1 Host: demo.microweber.org Cookie:...
SSL certificate verification disabled
Description This report is strange, partially because the existence of this code has been acknowledged without any alarm about its security implications, and also because a pull request that would fix the vulnerability opened as a bug patch has been open for over two years! Having SSL certificate...
SSL verification omitted in OAuth2 credential flow
Description Pulsar uses Curl to send HTTPS requests and typically uses the tlsAllowInsecure global variable derived from isTlsAllowInsecureConnection to determine whether SSL verification¹ should be enabled/disabled². In the linked occurances, those checks do not occur and SSL verification is...
HTTP Request Smuggling
Summary Due to several violations of the HTTP standard as defined in RFC7230, Waitress is vulnerable to HTTP request smuggling when used with an upstream proxy that exhibits nonstandard behaviour. Each issue is explained in the Occurrences section below...
Unrestricted Upload of File with Dangerous Type
Description Malicious user can bypass checking and upload .phtm or .php6 file which leads to stored XSS. Proof of Concept - Step 1: Login as admin at https://demo.microweber.org/demo/admin/ - Step 2: Go to Websites setting and Edit any page https://demo.microweber.org/demo/admin/page/24/edit -...
Integer Overflow or Wraparound
Description The microweber application allows large characters to insert in the input field like "Town, ZIP, State, Address, and Additional Info field" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Buy a product and in the Shipping metho...
Insufficient Session Expiration
Description The application failed to invalidate the session after changing the password and In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords. Proof of Concept 1.Login same account in two different browsers. 2.Try to change the...
Server-Side Request Forgery (SSRF)
Description The fixes for CVE-2022-0767 & CVE-2022-0766 only address loopback/localhost IP addresses, this is an issue as other internal endpoints may be accessible to an attacker one of the most popular examples is 169.254.169.254 which is the AWS metadata address Proof of Concept The same as...
File upload filter bypass leading to stored XSS
Description A User Can uplaod .cshtml file with XSS payload. Proof of Concept Login to the demo portal with admin creds at https://demo.microweber.org/demo/admin/ Navigate to page create functionality at https://demo.microweber.org/demo/admin/page/create Select the picture upload request in burp...
Abusing Backup/Restore feature to achieve Remote Code Execution
Description Admin can use Backup modules to upload a malicious PHP file, which can lead to RCE. Proof of Concept + Log in as admin, navigate to Modules - Backup: https://demo.microweber.org/demo/admin/view:modules/loadmodule:adminbackup + Prepare a malicious PHP file, in this case info2.php +...
Cross-site Scripting (XSS) - Stored
Description Type parameter in the body of POST request triggered by add/edit tax in microweb are vulnerable to stored XSS. 1 Settings Taxes Tax type Proof of Concept Step 1: Access https://demo.microweber.org/?template=dream Step 2: Browse to Settings Taxes Tax type Step 3: Add or Edit current ta...
Unrestricted file upload leads to stored XSS
Description A user can bypass checking and upload .aspx file which lead to stored XSS. Proof of Concept Log in as admin: https://demo.microweber.org/demo/admin/ Go to Websites Edit a page. Under Pictures, choose Add files Instead of uploading a normal picture, use the below request to upload an...
Reflected Cross-site Scripting (XSS) Vulnerability
Description hestiacp is vulnerable to Reflected XSS in the Hostname field within Basic Options of the function "Configure Server" in Hestia Control Panel Proof of Concept 1 Access https://demo.hestiacp.com:8083/edit/server/ 2 Click "Configure" 3 Click Basic Options 4 Enter below as payload in the...
Open Redirect
Description parse-url parses the url as https://google.com::/test, and if two or more colons are inserted in the port part, the port is parsed as one hostname. txt - node - url.parse ❯ node -e 'console.logrequire"url".parse"https://google.com::/test"' Url protocol: 'https:', slashes: true, auth:...
Cross-site Scripting (XSS) - Stored
Description pimcore datahub is vulnerable to Stored XSS in multiple places including: 1 Field-Collections in Data Objects 2 Objectbricks in Data Objects Proof of Concept for both 1 & 2 Step 1: Go to https://10.x-dev.pimcore.fun/admin/ and login. Step 2: Click Settings Data Objects Field-Collectio...
Untrusted Search Path
Description A current working directory type of DLL hijacking vulnerability is found in all executbales in ventoy-1.0.70-windows.zip, including: 1 Ventoy2Disk.exe 2 VentoyPlugson.exe 3 VentoyVlnk.exe Proof of Concept Step 1 : Craft a malicious x86 dll named as "TextShaping.dll" and place in the...
Cross-site Scripting (XSS) - Stored
Description pimcore datahub is vulnerable to Stored XSS in multiple places including: 1 the Pricing Rule of Online Shop in EcommerceFrameworkBundle. Whenever an admin user access Pricing Rule, a stored XSS will be triggered. 2 Image Thumbnails in Settings. Whenever an admin user access Image...
Cross-site Scripting (XSS) - Stored
Description pimcore datahub is vulnerable to Stored XSS in the Unique Indetifier of the function of "Add a new configuration" in Datahub. Whenever an admin user access data hub, a stored XSS will be triggered. Proof of Concept Step 1: Go to https://demo.pimcore.fun/admin/ and login. Step 2: Click...
Untrusted Pointer Dereference
Description Null Pointer Dereference in gpac Proof of Concept Version: /fuzzing/gpac/gpac/bin/gcc/MP4Box -version MP4Box - GPAC version 2.1-DEV-rev15-g6c0f4ff03-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters:...
Cross-site Scripting (XSS) - Stored
Description Email tracking pixel hits store the user agent of the browser / mail client that opens the email. That user agens is not sanitised on input, but also not escaped on output in the template. This allows anonymous users to store XSS payloads in the timeline on their contact page Proof of...
NULL Pointer Dereference
Description There is a NULL Pointer Dereference in mrbvmexec vm.c:1929. This bug has been found on mruby lastest commit hash c2f7ed514dfa0fcae2e7e72d51f25be3d3d6d72c on Ubuntu 20.04 for x8664/amd64. Proof of Concept 1- Clone repo and build with ASAN using MRUBYCONFIG=buildconfig/clang-asan.rb rak...