Lucene search
K

4072 matches found

Huntr
Huntr
added 2022/03/14 1:51 p.m.34 views

Stored XSS via File Upload in star7th/showdoc

Description Stored XSS via uploading file in .properties format. Proof of Concept filename="test.properties" alert1 Steps to Reproduce 1. Login into showdoc.com.cn. 2. Navigate to file library https://www.showdoc.com.cn/attachment/index 3. In the File Library page, click the Upload button and...

3.5CVSS5.3AI score0.00533EPSS
Exploits1
Huntr
Huntr
added 2022/03/14 12:23 p.m.30 views

Stored XSS via File Upload

Description Stored XSS via uploading file in .m3u8a format. Proof of Concept filename="poc.m3u8a" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the...

3.5CVSS5.4AI score0.00754EPSS
Exploits1
Huntr
Huntr
added 2022/03/14 11:54 a.m.38 views

Stored XSS via File Upload

Description \ Stored XSS via uploading file in .md format. Proof of Concept filename="poc.md" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the poc.md...

3.5CVSS5.4AI score0.00725EPSS
Exploits1
Huntr
Huntr
added 2022/03/14 10:17 a.m.12 views

? before the @ sign allows one to bypass whitelists

Description ? before the @ sign in HTTP URLs allows one to bypass whitelists Proof of Concept Convince NodeJS HTTP client to make a request to 127.0.0.1 bypassing a google.com whitelist. const parse = require'parse-url' const http = require'http' const url = parse"http://[email protected]" if...

1AI score
Exploits0
Huntr
Huntr
added 2022/03/14 4:53 a.m.20 views

Stored XSS viva cshtm file upload

Description This is a bypass of the report:https://huntr.dev/bounties/8702e2bf-4af2-4391-b651-c8c89e7d089e/. Here the upload functionality allows the malicious files with the extension .cshtm which leads to Stored XSS. Proof of Concept 1.First, open your text file/notepad and paste the below...

3.5CVSS0.3AI score0.00807EPSS
Exploits1
Huntr
Huntr
added 2022/03/14 3:44 a.m.25 views

Stored XSS viva axd and cshtml file upload in star7th/showdoc

Description This is a bypass of the report: https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/ & https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/. Here the upload functionality allows the malicious files with the extension .cshtml and .axd which leads to Stored XSS...

3.5CVSS0.4AI score0.00797EPSS
Exploits1
Huntr
Huntr
added 2022/03/13 2:20 p.m.35 views

File Upload Restriction Bypass leading to Stored XSS Vulnerability

Description File Upload Restriction Bypass leading to Stored XSS Vulnerability, by leveraging file extension vbhtm, vbhtml, soap, even any extension ends with html e.g. aahtml, bbhtml Proof of Concept Step 1 Access https://www.showdoc.com.cn/attachment/index Step 2 Prepare a file with content bel...

4.3CVSS6.2AI score0.0087EPSS
Exploits1
Huntr
Huntr
added 2022/03/13 1:26 p.m.22 views

Stored XSS due to Unrestricted File Upload

Description Stored XSS via uploading files in .xsd, .asa and .aspx already mentioned in previous report formats. Proof of Concept For .xsd filename="poc.xsd" alert1 For .asa and .aspx filename="poc.asa" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library...

3.5CVSS5.6AI score0.0074EPSS
Exploits1
Huntr
Huntr
added 2022/03/13 11:59 a.m.20 views

Stored XSS due to Unrestricted File Upload

Description Stored XSS via uploading files in .xsl format. Proof of Concept filename="poc.xsl" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the poc.xsl...

3.5CVSS5.5AI score0.0061EPSS
Exploits1
Huntr
Huntr
added 2022/03/13 10:46 a.m.11 views

Malicious usage of '+' in protocol can lead to whitelist bypasses

Description Malicious usage of '+' in protocol can lead to whitelist bypasses. Proof of Concept The following PoC shows how if parse-url is used to check the resource of a URL against a whitelist, we can bypass a whitelist check for google.com, and then convince the standard HTTP client in NodeJS...

0.1AI score
Exploits0
Huntr
Huntr
added 2022/03/13 9:53 a.m.24 views

Stored XSS due to Unrestricted File Upload

Description Stored XSS via uploading files in .aspx format. Proof of Concept filename="poc.aspx" alert1 Steps to Reproduce 1.Login into showdoc.com.cn.\ 2.Navigate to file library https://www.showdoc.com.cn/attachment/index\ 3.In the File Library page, click the Upload button and choose the...

3.5CVSS5.3AI score0.00538EPSS
Exploits1
Huntr
Huntr
added 2022/03/13 9:14 a.m.24 views

Unrestricted Upload of File with Dangerous Type

Description This is a bypass of report https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/. The upload feature allows the files with the extension .html which leads to Stored XSS. Proof of Concept - Step 1: Login into showdoc.com.cn. - Step 2: Go to...

3.5CVSS5.6AI score0.00625EPSS
Exploits1
Huntr
Huntr
added 2022/03/13 6:54 a.m.19 views

Stored XSS via file upload

Description Hello Team, \ This is a bypass to the report in https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/. \ The upload feature allows the files with the extension .xxhtml which leads to Stored XSS. Proof of Concept filename="poc.xxhtml" alert1 Steps to Reproduce 1.Login into...

3.5CVSS5.6AI score0.00631EPSS
Exploits1
Huntr
Huntr
added 2022/03/12 7:36 p.m.52 views

The microweber application allows large characters to insert in the input field "post title" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

Proof of Concept 1. Go to add post http://site.com/admin/post/create 2. click on create new post 3. There will a option called post title 4. Fill the input field with huge characters, more than 1 lakh 5. Copy the below payload and put it in the input fields and click on continue. 6. You will see...

4.3CVSS2.2AI score0.04498EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/12 3:45 p.m.37 views

Heap-based Buffer Overflow occurs in vim

Description Heap-based Buffer Overflow occurs in suggesttrychange. commit : d0b7bfa95798f5ec743d8afffbffb83aeac823da Proof of Concept $ echo -ne "c2UgZW5jb2Rpbmc9aXNvODg1OQpub3JtMFIwMDAwMDAwMDAwMApzaWwwbm9ybRYwCmZ1IFIoKQpz aWwhbm9ybRZpMDAwMDApCmNhbCBSKCkKbm9ybTF6PQplbmRmCmNhbCBSKCk=" | base64 -d...

4.6CVSS7.7AI score0.00698EPSS
Exploits1
Huntr
Huntr
added 2022/03/12 11:4 a.m.10 views

Arbitrary file deletion in Gitea

Description When user delete the LFS data in Gitea, the oid parameter is not been validated. The attacker can make an oid whose prefix is .... to traverse directory and delete any files on the server. Proof of Concept Create a repository on Gitea. e.g. foo/bar Send a POST request with your Gitea...

1.8AI score
Exploits0
Huntr
Huntr
added 2022/03/12 5:44 a.m.48 views

Unrestricted XML Files Leads to Stored XSS

Description The web Application restricts upload files by blacklist extensions. It's not safe for the application to prevent the attack, there are many extension can cause an attack to user and web application. By uploading XML files, the users can perform an Stored XSS attack Proof of Concept 1...

3.5CVSS0.01877EPSS
Exploits1
Huntr
Huntr
added 2022/03/12 2:18 a.m.31 views

Stored xss in showdoc through file upload

Description Hi. This is a bypass to the report in https://huntr.dev/bounties/df347aa9-ed9b-4f75-af99-c83b8aad3bcf/ . It fails to check for files with the extension .shtml which leads to stored xss Proof of Concept // poc.shtml adsasdadsdsa alert1 Impact Stored Xss...

3.5CVSS5.6AI score0.00538EPSS
Exploits1
Huntr
Huntr
added 2022/03/11 9:54 p.m.18 views

Stored XSS in organisation name field

Description Upon a user creates a new organisation and invites members, by opening the invitation, the XSS payload is being executed. Proof of Concept Just simply create an organisation with the following name: XSSalert1. After saving the organisation, the XSS payload is being executed. Impact In...

1.6AI score
Exploits0
Huntr
Huntr
added 2022/03/11 9:30 p.m.165 views

Template injection in connection test endpoint leads to RCE

Description Please enter a description of the vulnerability. Proof of Concept Run a local docker instance sh sudo docker run -p 3000:3000 --name sqlpad -d --env SQLPADADMIN=admin --env SQLPADADMINPASSWORD=admin sqlpad/sqlpad:latest Navigate to http://localhost:3000/ Click on Connections-Add...

6.5CVSS1.2AI score0.08669EPSS
Exploits12
Huntr
Huntr
added 2022/03/11 7:16 p.m.6 views

Reflected XSS

Description Privacy Consent in ForkCMS v 5.11.0 Setting unsanitized user input resulting in Reflected XSS. Proof of Concept Endpoint 1 http://IP/private/en/settings/index Step 1 Login to ForkCMS 2 Go to Settings - General 3 Insert payload on "Technical Name" user input at "Privacy Consent" panel...

Exploits0
Huntr
Huntr
added 2022/03/11 5:26 p.m.24 views

hostname spoofing via Improper Input Validation

Description When to use the parse-url, If user put the https://google.comhashvalue as argument, parse-url doesn't parse the hash value and parses hostname and hash together as hostname. http://localhost/hashvalue and http://localhosthashvalue are the same.. txt - new URL of node ❯ node -e...

7.1AI score
Exploits0
Huntr
Huntr
added 2022/03/11 5:8 p.m.24 views

Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods

Description 1 Checkout URL and Custom order id parameters are vulnerable to stored XSS, which are located in Shop Settings other settings Advanced 2 From e-mail address and From name parameters are vulnerable to stored XSS, which are located in Shop Settings Autorespond E-mail settings check your...

3.5CVSS5.3AI score0.03197EPSS
Exploits1
Huntr
Huntr
added 2022/03/11 5:1 p.m.35 views

Insecure deserialization of not validated module file

Description In recent Crater version 18507ddb tag: 6.0.6 highly privileged user can upload malicious module file and run insecure deserialization, which can lead to remote code execution. Proof of Concept 1. Prepare PHAR file - php --define phar.readonly=0 phar.php PHP data = $data; function...

6.5CVSS0.3AI score0.01579EPSS
Exploits1References2
Huntr
Huntr
added 2022/03/11 4:5 p.m.44 views

Host Header injection in password Reset

Description The password reset uses $SERVER'HTTPHOST' to generate the password without any checks or filtering. Allowing a malicious attacker to generate a fake password reset link to steal password reset tokens which may lead to account takeover Impact Account Takeover...

6.8CVSS1.8AI score0.01319EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/11 3:27 p.m.39 views

Remote Command Execution in uploading repository file

Description When uploading a file to the repository in Gogs, the treepath parameter is not been validated. The attacker can set treepath=/.git/ to upload file into the .git directory. Rewrite .git/config file and set core.sshCommand, which leads to remote command execution vulnerability. Proof of...

6.5CVSS0.5AI score0.65237EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/11 11:10 a.m.24 views

File upload filter bypass leading to stored XSS

Description A User can upload .a-zhtml file e.g. ahtml, bhtml, chtml, ddhtml, AS LONG AS it ends with html with XSS payload. Upon upload, a URL with malicious html can be accessed and javascript will be executed. Proof of Concept taking chtml as example Step 1 Login to the demo portal with admin...

3.5CVSS5.2AI score0.00895EPSS
Exploits1
Huntr
Huntr
added 2022/03/11 6:34 a.m.24 views

Stored Cross Site Scripting

Vulnerability Type Stored Cross Site-Scripting XSS Affected URL https://localhost/openemr-6.0.0/ /controller.php?practicesettings&documentcategory&action=addnode&parentid=XX Affected Parameter “name” Method POST Authentication Required? Yes Issue Summary A stored XSS vulnerability found in ”...

3.5CVSS0.6AI score0.51613EPSS
Exploits2References1
Huntr
Huntr
added 2022/03/11 6:12 a.m.38 views

Accounting User Can Download Patient Reports in openemr

Vulnerability Type Insecure Direct Object Reference Affected URL https://localhost/openemr/interface/patientfile/report/customreport.php Affected Parameters “Issue7” Authentication Required? Yes Issue Summary Non-privilege users accounting & front-office can download patient reports containing...

4CVSS0.3AI score0.00865EPSS
Exploits2References1
Huntr
Huntr
added 2022/03/10 7:47 p.m.23 views

XSS on dynamic_text module

Description There is XSS vulnerability on dynamictext module. Proof of Concept Visit - https://demo.microweber.org/demo/admin/view:modules/loadmodule:dynamictext Impact Below Post request was used to upload XSS payload POST /demo/api/savedynamictext HTTP/1.1 Host: demo.microweber.org Cookie:...

4.3CVSS0.1AI score0.01062EPSS
Exploits1
Huntr
Huntr
added 2022/03/10 6:22 p.m.12 views

SSL certificate verification disabled

Description This report is strange, partially because the existence of this code has been acknowledged without any alarm about its security implications, and also because a pull request that would fix the vulnerability opened as a bug patch has been open for over two years! Having SSL certificate...

1.5AI score
Exploits0References1
Huntr
Huntr
added 2022/03/10 5:24 p.m.22 views

SSL verification omitted in OAuth2 credential flow

Description Pulsar uses Curl to send HTTPS requests and typically uses the tlsAllowInsecure global variable derived from isTlsAllowInsecureConnection to determine whether SSL verification¹ should be enabled/disabled². In the linked occurances, those checks do not occur and SSL verification is...

5.1CVSS0.2AI score0.00704EPSS
Exploits1
Huntr
Huntr
added 2022/03/10 3:29 a.m.36 views

HTTP Request Smuggling

Summary Due to several violations of the HTTP standard as defined in RFC7230, Waitress is vulnerable to HTTP request smuggling when used with an upstream proxy that exhibits nonstandard behaviour. Each issue is explained in the Occurrences section below...

5CVSS0.3AI score0.01738EPSS
Exploits0References2
Huntr
Huntr
added 2022/03/10 2:1 a.m.29 views

Unrestricted Upload of File with Dangerous Type

Description Malicious user can bypass checking and upload .phtm or .php6 file which leads to stored XSS. Proof of Concept - Step 1: Login as admin at https://demo.microweber.org/demo/admin/ - Step 2: Go to Websites setting and Edit any page https://demo.microweber.org/demo/admin/page/24/edit -...

3.5CVSS4.9AI score0.00528EPSS
Exploits1
Huntr
Huntr
added 2022/03/09 9:26 p.m.21 views

Integer Overflow or Wraparound

Description The microweber application allows large characters to insert in the input field like "Town, ZIP, State, Address, and Additional Info field" which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Buy a product and in the Shipping metho...

5CVSS2.1AI score0.04498EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/09 8:17 p.m.28 views

Insufficient Session Expiration

Description The application failed to invalidate the session after changing the password and In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords. Proof of Concept 1.Login same account in two different browsers. 2.Try to change the...

6.4CVSS1.3AI score0.02432EPSS
Exploits2References1
Huntr
Huntr
added 2022/03/09 7:6 p.m.77 views

Server-Side Request Forgery (SSRF)

Description The fixes for CVE-2022-0767 & CVE-2022-0766 only address loopback/localhost IP addresses, this is an issue as other internal endpoints may be accessible to an attacker one of the most popular examples is 169.254.169.254 which is the AWS metadata address Proof of Concept The same as...

6.4CVSS2.7AI score0.01316EPSS
Exploits3
Huntr
Huntr
added 2022/03/09 6:40 p.m.16 views

File upload filter bypass leading to stored XSS

Description A User Can uplaod .cshtml file with XSS payload. Proof of Concept Login to the demo portal with admin creds at https://demo.microweber.org/demo/admin/ Navigate to page create functionality at https://demo.microweber.org/demo/admin/page/create Select the picture upload request in burp...

3.5CVSS0.00773EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/09 6:14 p.m.24 views

Abusing Backup/Restore feature to achieve Remote Code Execution

Description Admin can use Backup modules to upload a malicious PHP file, which can lead to RCE. Proof of Concept + Log in as admin, navigate to Modules - Backup: https://demo.microweber.org/demo/admin/view:modules/loadmodule:adminbackup + Prepare a malicious PHP file, in this case info2.php +...

6.5CVSS0.7AI score0.0207EPSS
Exploits1
Huntr
Huntr
added 2022/03/09 5:44 p.m.34 views

Cross-site Scripting (XSS) - Stored

Description Type parameter in the body of POST request triggered by add/edit tax in microweb are vulnerable to stored XSS. 1 Settings Taxes Tax type Proof of Concept Step 1: Access https://demo.microweber.org/?template=dream Step 2: Browse to Settings Taxes Tax type Step 3: Add or Edit current ta...

3.5CVSS5.4AI score0.02389EPSS
Exploits1
Huntr
Huntr
added 2022/03/09 2:43 p.m.91 views

Unrestricted file upload leads to stored XSS

Description A user can bypass checking and upload .aspx file which lead to stored XSS. Proof of Concept Log in as admin: https://demo.microweber.org/demo/admin/ Go to Websites Edit a page. Under Pictures, choose Add files Instead of uploading a normal picture, use the below request to upload an...

3.5CVSS4.6AI score0.00613EPSS
Exploits1
Huntr
Huntr
added 2022/03/09 2:33 p.m.26 views

Reflected Cross-site Scripting (XSS) Vulnerability

Description hestiacp is vulnerable to Reflected XSS in the Hostname field within Basic Options of the function "Configure Server" in Hestia Control Panel Proof of Concept 1 Access https://demo.hestiacp.com:8083/edit/server/ 2 Click "Configure" 3 Click Basic Options 4 Enter below as payload in the...

4.3CVSS0.9AI score0.00855EPSS
Exploits1
Huntr
Huntr
added 2022/03/09 11:22 a.m.7 views

Open Redirect

Description parse-url parses the url as https://google.com::/test, and if two or more colons are inserted in the port part, the port is parsed as one hostname. txt - node - url.parse ❯ node -e 'console.logrequire"url".parse"https://google.com::/test"' Url protocol: 'https:', slashes: true, auth:...

0.1AI score
Exploits0
Huntr
Huntr
added 2022/03/09 10:44 a.m.26 views

Cross-site Scripting (XSS) - Stored

Description pimcore datahub is vulnerable to Stored XSS in multiple places including: 1 Field-Collections in Data Objects 2 Objectbricks in Data Objects Proof of Concept for both 1 & 2 Step 1: Go to https://10.x-dev.pimcore.fun/admin/ and login. Step 2: Click Settings Data Objects Field-Collectio...

3.5CVSS5.5AI score0.0079EPSS
Exploits1
Huntr
Huntr
added 2022/03/08 5:45 p.m.14 views

Untrusted Search Path

Description A current working directory type of DLL hijacking vulnerability is found in all executbales in ventoy-1.0.70-windows.zip, including: 1 Ventoy2Disk.exe 2 VentoyPlugson.exe 3 VentoyVlnk.exe Proof of Concept Step 1 : Craft a malicious x86 dll named as "TextShaping.dll" and place in the...

1.5AI score
Exploits0References2
Huntr
Huntr
added 2022/03/08 5:12 p.m.33 views

Cross-site Scripting (XSS) - Stored

Description pimcore datahub is vulnerable to Stored XSS in multiple places including: 1 the Pricing Rule of Online Shop in EcommerceFrameworkBundle. Whenever an admin user access Pricing Rule, a stored XSS will be triggered. 2 Image Thumbnails in Settings. Whenever an admin user access Image...

3.5CVSS5.5AI score0.0079EPSS
Exploits1
Huntr
Huntr
added 2022/03/08 4:20 p.m.23 views

Cross-site Scripting (XSS) - Stored

Description pimcore datahub is vulnerable to Stored XSS in the Unique Indetifier of the function of "Add a new configuration" in Datahub. Whenever an admin user access data hub, a stored XSS will be triggered. Proof of Concept Step 1: Go to https://demo.pimcore.fun/admin/ and login. Step 2: Click...

3.5CVSS0.3AI score0.00573EPSS
Exploits1
Huntr
Huntr
added 2022/03/08 5:49 a.m.18 views

Untrusted Pointer Dereference

Description Null Pointer Dereference in gpac Proof of Concept Version: /fuzzing/gpac/gpac/bin/gcc/MP4Box -version MP4Box - GPAC version 2.1-DEV-rev15-g6c0f4ff03-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters:...

0.1AI score
Exploits0
Huntr
Huntr
added 2022/03/07 10:1 p.m.8 views

Cross-site Scripting (XSS) - Stored

Description Email tracking pixel hits store the user agent of the browser / mail client that opens the email. That user agens is not sanitised on input, but also not escaped on output in the template. This allows anonymous users to store XSS payloads in the timeline on their contact page Proof of...

0.2AI score
Exploits0
Huntr
Huntr
added 2022/03/07 2:41 p.m.40 views

NULL Pointer Dereference

Description There is a NULL Pointer Dereference in mrbvmexec vm.c:1929. This bug has been found on mruby lastest commit hash c2f7ed514dfa0fcae2e7e72d51f25be3d3d6d72c on Ubuntu 20.04 for x8664/amd64. Proof of Concept 1- Clone repo and build with ASAN using MRUBYCONFIG=buildconfig/clang-asan.rb rak...

7.1CVSS0.3AI score0.00814EPSS
Exploits1
Total number of security vulnerabilities4072