Heap-based Buffer Overflow occurs in vim
Description Heap-based Buffer Overflow occurs in suggesttrychange. commit : d0b7bfa95798f5ec743d8afffbffb83aeac823da Proof of Concept $ echo -ne "c2UgZW5jb2Rpbmc9aXNvODg1OQpub3JtMFIwMDAwMDAwMDAwMApzaWwwbm9ybRYwCmZ1IFIoKQpz aWwhbm9ybRZpMDAwMDApCmNhbCBSKCkKbm9ybTF6PQplbmRmCmNhbCBSKCk=" | base64 -d...
Arbitrary file deletion in Gitea
Description When a user deletes the LFS data in Gitea, the oid parameter is not validated. The attacker can make an oid whose prefix is .... to traverse directories and delete any files on the server. Proof of Concept Create a repository on Gitea. e.g. foo/bar Send a POST request with your Gitea...
Unrestricted XML Files Leads to Stored XSS
Description The web application restricts uploaded files by blacklisting extensions. It's not safe for the application to rely on this to prevent the attack; there are many extensions that can cause an attack on users and the web application. By uploading XML files, users can perform a Stored XSS attack Proof of Concept 1...
Stored xss in showdoc through file upload
Description Hi. This is a bypass to the report in https://huntr.dev/bounties/df347aa9-ed9b-4f75-af99-c83b8aad3bcf/ . It fails to check for files with the extension .shtml which leads to stored xss Proof of Concept // poc.shtml adsasdadsdsa alert1 Impact Stored Xss...
Stored XSS in organisation name field
Description When a user creates a new organisation and invites members, the XSS payload is executed upon opening the invitation. Proof of Concept Just simply create an organisation with the following name: XSSalert1. After saving the organisation, the XSS payload is executed. Impact In...
Template injection in connection test endpoint leads to RCE
Description Please enter a description of the vulnerability. Proof of Concept Run a local docker instance sh sudo docker run -p 3000:3000 --name sqlpad -d --env SQLPADADMIN=admin --env SQLPADADMINPASSWORD=admin sqlpad/sqlpad:latest Navigate to http://localhost:3000/ Click on Connections-Add...
Reflected XSS
Description Privacy Consent in ForkCMS v 5.11.0 Setting unsanitized user input resulting in Reflected XSS. Proof of Concept Endpoint 1 http://IP/private/en/settings/index Step 1 Login to ForkCMS 2 Go to Settings - General 3 Insert payload on "Technical Name" user input at "Privacy Consent" panel...
hostname spoofing via Improper Input Validation
Description When using parse-url, if a user puts https://google.comhashvalue as the argument, parse-url doesn't parse the hash value and parses hostname and hash together as the hostname. http://localhost/hashvalue and http://localhosthashvalue are the same. txt - new URL of node ❯ node -e...
Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods
Description 1 Checkout URL and Custom order id parameters are vulnerable to stored XSS, which are located in Shop Settings other settings Advanced 2 From e-mail address and From name parameters are vulnerable to stored XSS, which are located in Shop Settings Autorespond E-mail settings check your...
Insecure deserialization of not validated module file
Description In recent Crater version 18507ddb tag: 6.0.6 a highly privileged user can upload a malicious module file and trigger insecure deserialization, which can lead to remote code execution. Proof of Concept 1. Prepare PHAR file - php --define phar.readonly=0 phar.php PHP data = $data; function...
Host Header injection in password Reset
Description The password reset uses $SERVER'HTTPHOST' to generate the password reset link without any checks or filtering. This allows a malicious attacker to generate a fake password reset link to steal password reset tokens, which may lead to account takeover Impact Account Takeover...
Remote Command Execution in uploading repository file
Description When uploading a file to the repository in Gogs, the treepath parameter is not validated. The attacker can set treepath=/.git/ to upload a file into the .git directory, rewrite the .git/config file and set core.sshCommand, which leads to a remote command execution vulnerability. Proof of...
File upload filter bypass leading to stored XSS
Description A User can upload .a-zhtml file e.g. ahtml, bhtml, chtml, ddhtml, AS LONG AS it ends with html with XSS payload. Upon upload, a URL with malicious html can be accessed and javascript will be executed. Proof of Concept taking chtml as example Step 1 Login to the demo portal with admin...
Stored Cross Site Scripting
Vulnerability Type Stored Cross Site-Scripting XSS Affected URL https://localhost/openemr-6.0.0/ /controller.php?practicesettings&documentcategory&action=addnode&parentid=XX Affected Parameter “name” Method POST Authentication Required? Yes Issue Summary A stored XSS vulnerability found in ”...
Accounting User Can Download Patient Reports in openemr
Vulnerability Type Insecure Direct Object Reference Affected URL https://localhost/openemr/interface/patientfile/report/customreport.php Affected Parameters “Issue7” Authentication Required? Yes Issue Summary Non-privilege users accounting & front-office can download patient reports containing...
XSS on dynamic_text module
Description There is XSS vulnerability on dynamictext module. Proof of Concept Visit - https://demo.microweber.org/demo/admin/view:modules/loadmodule:dynamictext Impact Below Post request was used to upload XSS payload POST /demo/api/savedynamictext HTTP/1.1 Host: demo.microweber.org Cookie:...
SSL certificate verification disabled
Description This report is strange, partially because the existence of this code has been acknowledged without any alarm about its security implications, and also because a pull request that would fix the vulnerability opened as a bug patch has been open for over two years! Having SSL certificate...
SSL verification omitted in OAuth2 credential flow
Description Pulsar uses Curl to send HTTPS requests and typically uses the tlsAllowInsecure global variable derived from isTlsAllowInsecureConnection to determine whether SSL verification¹ should be enabled/disabled². In the linked occurrences, those checks do not occur and SSL verification is...
HTTP Request Smuggling
Summary Due to several violations of the HTTP standard as defined in RFC7230, Waitress is vulnerable to HTTP request smuggling when used with an upstream proxy that exhibits nonstandard behaviour. Each issue is explained in the Occurrences section below...
Unrestricted Upload of File with Dangerous Type
Description Malicious user can bypass checking and upload .phtm or .php6 file which leads to stored XSS. Proof of Concept - Step 1: Login as admin at https://demo.microweber.org/demo/admin/ - Step 2: Go to Websites setting and Edit any page https://demo.microweber.org/demo/admin/page/24/edit -...
Integer Overflow or Wraparound
Description The microweber application allows a large number of characters to be inserted in input fields like "Town, ZIP, State, Address, and Additional Info field", which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request. Proof of Concept 1.Buy a product and in the Shipping metho...
Insufficient Session Expiration
Description The application fails to invalidate the session after changing the password; in this scenario changing the password doesn't destroy the other sessions which are logged in with the old password. Proof of Concept 1.Login same account in two different browsers. 2.Try to change the...
Server-Side Request Forgery (SSRF)
Description The fixes for CVE-2022-0767 & CVE-2022-0766 only address loopback/localhost IP addresses. This is an issue, as other internal endpoints may be accessible to an attacker; one of the most popular examples is 169.254.169.254, which is the AWS metadata address Proof of Concept The same as...
File upload filter bypass leading to stored XSS
Description A user can upload a .cshtml file with an XSS payload. Proof of Concept Login to the demo portal with admin creds at https://demo.microweber.org/demo/admin/ Navigate to page create functionality at https://demo.microweber.org/demo/admin/page/create Select the picture upload request in burp...
Abusing Backup/Restore feature to achieve Remote Code Execution
Description Admin can use Backup modules to upload a malicious PHP file, which can lead to RCE. Proof of Concept + Log in as admin, navigate to Modules - Backup: https://demo.microweber.org/demo/admin/view:modules/loadmodule:adminbackup + Prepare a malicious PHP file, in this case info2.php +...
Cross-site Scripting (XSS) - Stored
Description The Type parameter in the body of the POST request triggered by add/edit tax in microweb is vulnerable to stored XSS. 1 Settings Taxes Tax type Proof of Concept Step 1: Access https://demo.microweber.org/?template=dream Step 2: Browse to Settings Taxes Tax type Step 3: Add or Edit current ta...
Unrestricted file upload leads to stored XSS
Description A user can bypass checking and upload an .aspx file, which leads to stored XSS. Proof of Concept Log in as admin: https://demo.microweber.org/demo/admin/ Go to Websites Edit a page. Under Pictures, choose Add files Instead of uploading a normal picture, use the below request to upload an...
Reflected Cross-site Scripting (XSS) Vulnerability
Description hestiacp is vulnerable to Reflected XSS in the Hostname field within Basic Options of the function "Configure Server" in Hestia Control Panel Proof of Concept 1 Access https://demo.hestiacp.com:8083/edit/server/ 2 Click "Configure" 3 Click Basic Options 4 Enter below as payload in the...
Open Redirect
Description parse-url parses the url as https://google.com::/test, and if two or more colons are inserted in the port part, the port is parsed as one hostname. txt - node - url.parse ❯ node -e 'console.logrequire"url".parse"https://google.com::/test"' Url protocol: 'https:', slashes: true, auth:...
Cross-site Scripting (XSS) - Stored
Description pimcore datahub is vulnerable to Stored XSS in multiple places including: 1 Field-Collections in Data Objects 2 Objectbricks in Data Objects Proof of Concept for both 1 & 2 Step 1: Go to https://10.x-dev.pimcore.fun/admin/ and login. Step 2: Click Settings Data Objects Field-Collectio...
Untrusted Search Path
Description A current working directory type of DLL hijacking vulnerability is found in all executables in ventoy-1.0.70-windows.zip, including: 1 Ventoy2Disk.exe 2 VentoyPlugson.exe 3 VentoyVlnk.exe Proof of Concept Step 1 : Craft a malicious x86 dll named as "TextShaping.dll" and place in the...
Cross-site Scripting (XSS) - Stored
Description pimcore datahub is vulnerable to Stored XSS in multiple places including: 1 the Pricing Rule of Online Shop in EcommerceFrameworkBundle. Whenever an admin user accesses a Pricing Rule, a stored XSS will be triggered. 2 Image Thumbnails in Settings. Whenever an admin user accesses Image...
Cross-site Scripting (XSS) - Stored
Description pimcore datahub is vulnerable to Stored XSS in the Unique Identifier of the function "Add a new configuration" in Datahub. Whenever an admin user accesses the data hub, a stored XSS will be triggered. Proof of Concept Step 1: Go to https://demo.pimcore.fun/admin/ and login. Step 2: Click...
Untrusted Pointer Dereference
Description Null Pointer Dereference in gpac Proof of Concept Version: /fuzzing/gpac/gpac/bin/gcc/MP4Box -version MP4Box - GPAC version 2.1-DEV-rev15-g6c0f4ff03-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters:...
Cross-site Scripting (XSS) - Stored
Description Email tracking pixel hits store the user agent of the browser / mail client that opens the email. That user agent is not sanitised on input, and also not escaped on output in the template. This allows anonymous users to store XSS payloads in the timeline on their contact page Proof of...
NULL Pointer Dereference
Description There is a NULL Pointer Dereference in mrbvmexec vm.c:1929. This bug has been found on mruby latest commit hash c2f7ed514dfa0fcae2e7e72d51f25be3d3d6d72c on Ubuntu 20.04 for x8664/amd64. Proof of Concept 1- Clone repo and build with ASAN using MRUBYCONFIG=buildconfig/clang-asan.rb rak...
Authorization Bypass Through User-Controlled Key
Description Hello go restful maintainer team, I would like to report a security concern regarding your CORS Filter feature. Go restful allows users to specify a CORS Filter with a configurable AllowedDomains param - which is an array of domains allowed in the CORS policy. However, although there is already...
Improper Authorization
Description Pacemaker's daemon pcsd allows authentication via PAM's pamauthenticate. Unfortunately the authorization via pamacctmgmt has been omitted. Therefore unprivileged expired accounts that have been denied access can still login. Proof of Concept You can expire an account with chage -E0 Impa...
Improper Authorization
Description When motuz is configured for PAM authentication it skips checking authorization completely. Therefore unprivileged expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling ...
Improper Authorization and possible DoS when using PAM Auth
Description When bareos versions after 18.2 are built and configured for PAM authentication it skips checking authorization completely. Expired accounts and accounts with expired passwords can still login. Further, after wrong authentication or the code returns without releasing the PAM handle,...
Server-Side Request Forgery (SSRF)
Description The fix for my previous report CVE-2022-0767 is still incomplete and could be bypassed via IPV4/IPV4 embedding : ssrf-ipv4ipv6.etclab.top will resolve to 0:0:0:0:0:ffff:127.0.0.1 Proof of Concept POST /admin/book/1 HTTP/1.1 Host: 127.0.0.1:8083 User-Agent: Mozilla/5.0 Windows NT 10.0;...
Static Code Injection
Description The Microweber application allows HTML tags in the "First name", "Last name" and "Phone number" which can be exploited by Injecting HTML payloads. Proof of Concept 1.While buying product we need to fill contact information form. 2.Insert your html code in code block. e.g., Hurry Up!Go...
Improper Neutralization of Special Elements Used in a Template Engine
Description The Microweber application allows HTML tags in the "Blog Comments" which can be exploited by Injecting HTML payloads. Proof of Concept 1.Open any blog in which comment is allowed. 2.Insert your html code in code block. e.g., Hurry Up!Go to https://evil.com and get free $1000 in your...
Insufficient Granularity of Access Control
Description There are no rate limits and reuse of captcha is allowed resulting in reuse of same captcha to issue notifications to administrator Proof of Concept Capture the newsletter subscription flow in burp and continue with entering email & captcha until below POST form request is captured...
Improper Authorization
Description When Gogs is built and configured for PAM authentication it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling an...
Improper Authorization
Description When Gitea is built and configured for PAM authentication it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling an...
Improper Authorization
Description When configuring saltstack to authenticate via the salt.auth.pam module, the authorization check of an account's validity is missing. Therefore expired accounts, or accounts with expired passwords, can still login. Proof of Concept Configure salt with salt.auth.pam and run it with an expired...
Cross-site Scripting (XSS) - Stored
Description Iframe tags don't have a sandbox attribute, this makes an attacker able to execute malicious javascript via an iframe and perform phishing attacks. The sandbox attribute will block script execution and prevents the content to navigate its top-level browsing context which will stop thi...
Exposure of Sensitive Information to an Unauthorized Actor
Bug Cookies & Authorisation headers are leaked to external sites. Description When following a redirect to an external site, Cookie & Authorisation headers are leaked to the third party application. json "headers": "Accept-Encoding":"gzip, deflate, br", "Authorization":"Bearer eyJhb12345abcdef",...
Cross-site Scripting (XSS) - Stored
Description Stored XSS in parameter Name when save Grid Options Proof of Concept // PoC.req POST /admin/object-helper/grid-save-column-config HTTP/1.1 Host: 10.x-dev.pimcore.fun Cookie: PHPSESSID=cef9a977bc8ae8591f7b3b14bcafedf4; pimcoreadminsid=1;...