Lucene search
K

4072 matches found

Huntr
Huntr
added 2022/03/07 1:57 p.m.37 views

Authorization Bypass Through User-Controlled Key

Description Hello go restful maintainer team, I would like to report a security concerning your CORS Filter feature. Go restful allows user to specify a CORS Filter with a configurable AllowedDomains param - which is an array of domains allowed in CORS policy. However, although there's is already...

6.4CVSS1.6AI score0.02737EPSS
Exploits1
Huntr
Huntr
added 2022/03/07 1:21 p.m.17 views

Improper Authorization

Description Pacemakers daemon pcsd allows authentication via PAMs pamauthenticate. Unfortunately the authorization via pamacctmgmt has been omitted. Therefore unprivileged expired accounts that have been denied access can still login. Proof of Concept You can expire an account with chage -E0 Impa...

6.5CVSS3.3AI score0.01825EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/07 12:8 p.m.10 views

Improper Authorization

Description When motuz is configured for PAM authentification it skips checking authorization completely. Therefore unprivileged expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling ...

3AI score
Exploits0References1
Huntr
Huntr
added 2022/03/06 11:18 p.m.23 views

Improper Authorization and possible DoS when using PAM Auth

Description When bareos versions after 18.2 are build and configured for PAM authentification it skips checking authorization completely. Expired accounts and accounts with expired passwords can still login. Further after wrong authentication or the code returns without releasing the PAM handle,...

6.8CVSS1AI score0.01996EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/06 6:51 p.m.52 views

Server-Side Request Forgery (SSRF)

Description The fix for my previous report CVE-2022-0767 is still incomplete and could be bypassed via IPV4/IPV4 embedding : ssrf-ipv4ipv6.etclab.top will resolve to 0:0:0:0:0:ffff:127.0.0.1 Proof of Concept POST /admin/book/1 HTTP/1.1 Host: 127.0.0.1:8083 User-Agent: Mozilla/5.0 Windows NT 10.0;...

7.5CVSS0.01042EPSS
Exploits2
Huntr
Huntr
added 2022/03/06 4:12 p.m.33 views

Static Code Injection

Description The Microweber application allows HTML tags in the "First name", "Last name" and "Phone number" which can be exploited by Injecting HTML payloads. Proof of Concept 1.While buying product we need to fill contact information form. 2.Insert your html code in code block. e.g., Hurry Up!Go...

7.5CVSS0.5AI score0.04998EPSS
Exploits2References1
Huntr
Huntr
added 2022/03/06 3:50 p.m.46 views

Improper Neutralization of Special Elements Used in a Template Engine

Description The Microweber application allows HTML tags in the "Blog Comments" which can be exploited by Injecting HTML payloads. Proof of Concept 1.Open any blog in which comment is allowed. 2.Insert your html code in code block. e.g., Hurry Up!Go to https://evil.com and get free $1000 in your...

6.8CVSS0.2AI score0.04998EPSS
Exploits2References1
Huntr
Huntr
added 2022/03/06 2:32 p.m.20 views

Insufficient Granularity of Access Control

Description There are no rate limits and reuse of captcha is allowed resulting in reuse of same captcha to issue notifications to administrator Proof of Concept Capture the newsletter subscription flow in burp and continue with entering email & captcha until below POST form request is captured...

1.1AI score
Exploits0
Huntr
Huntr
added 2022/03/06 10:34 a.m.25 views

Improper Authorization

Description When Gogs is build and configured for PAM authentification it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling an...

5.8CVSS2.3AI score0.01221EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/06 10:22 a.m.17 views

Improper Authorization

Description When Gitea is build and configured for PAM authentification it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling an...

5.5CVSS2.3AI score0.00833EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/05 7:20 p.m.22 views

Improper Authorization

Description When configuring saltstack to authentificate via the salt.auth.pam module. The authorization of a account validity is missing. Therefore expired accounts, or accounts with expired passwords, can still login. Proof of Concept Configure salt with salt.auth.pam and run it with an expired...

6.5CVSS1.8AI score0.01878EPSS
Exploits0References1
Huntr
Huntr
added 2022/03/05 2:24 p.m.33 views

Cross-site Scripting (XSS) - Stored

Description Iframe tags don't have a sandbox attribute, this makes an attacker able to execute malicious javascript via an iframe and perform phishing attacks. The sandbox attribute will block script execution and prevents the content to navigate its top-level browsing context which will stop thi...

3.5CVSS2.1AI score0.0077EPSS
Exploits1
Huntr
Huntr
added 2022/03/04 6:23 p.m.10 views

Exposure of Sensitive Information to an Unauthorized Actor

Bug Cookies & Authorisation headers are leaked to external sites. Description When following a redirect to an external site, Cookie & Autorisation headers are leaked to the third party application. json "headers": "Accept-Encoding":"gzip, deflate, br", "Authorization":"Bearer eyJhb12345abcdef",...

0.3AI score
Exploits0
Huntr
Huntr
added 2022/03/04 4:32 p.m.29 views

Cross-site Scripting (XSS) - Stored

Description Stored XSS in parameter Name when save Grid Options Proof of Concept // PoC.req POST /admin/object-helper/grid-save-column-config HTTP/1.1 Host: 10.x-dev.pimcore.fun Cookie: PHPSESSID=cef9a977bc8ae8591f7b3b14bcafedf4; pimcoreadminsid=1;...

3.5CVSS5.7AI score0.00677EPSS
Exploits1
Huntr
Huntr
added 2022/03/04 11:39 a.m.14 views

protocol spoofing

Description I found a vulnerability that incorrectly parses the protocol when using a javascript scheme. javascript location.href = 'javasript:https://google.com/%0aalert1' First, you can check that the above URL executes the script normally through the above code. txt - node.js ❯ node -e...

Exploits0
Huntr
Huntr
added 2022/03/04 10:29 a.m.21 views

hostname spoofing via javascript

Description If use parse-url for security check on url, it is dangerous because hostname spoofing through JavaScript scheme is possible. It also occurred in url.parse of node.js in 2018, and node.js acknowledged the vulnerability for this. So Node.js has patched it, and there are cases where a CV...

0.6AI score0.0405EPSS
Exploits0References2
Huntr
Huntr
added 2022/03/03 7:29 a.m.19 views

Use After Free in r_reg_get_name_idx

Description heap use after free in rreggetnameidx. ASAN report: ================================================================= ==1710816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020001dff50 at pc 0x7fa7c085d87c bp 0x7ffc21731ac0 sp 0x7ffc21731ab0 READ of size 1 at...

4.3CVSS0.3AI score0.0065EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/03 3:38 a.m.21 views

Cross-site Scripting (XSS) - Reflected

Description Please enter a description of the vulnerability. Proof of Concept xss in function add domain POST /add/web v-custom-doc-domain=alert1 https://drive.google.com/file/d/1EeoOX7Pmn5ptuweine4Cgcy1fyd6qEzJ/view?usp=sharing Impact...

4.3CVSS0.6AI score0.01077EPSS
Exploits1
Huntr
Huntr
added 2022/03/02 11:30 p.m.17 views

Server-Side Request Forgery (SSRF)

Description youtube-downloader takes an URL from the url query parameter, passes it directly to curl and streams the response to the browser. This makes it vulnerable to an SSRF attack if someone passes an URL containing an internal hostname, as it will stream internal resources to the browser...

1AI score
Exploits0
Huntr
Huntr
added 2022/03/02 8:56 p.m.19 views

Code Injection

Description The attacker can execute commands on the target OS running the operating system by setting the PLTRAINERGPUS when using the Trainer module. Proof of Concept bash $ pip3 install pytorch-lightning python import os from pytorchlightning import Trainer from...

10CVSS1AI score0.00965EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/02 8:25 p.m.10 views

Improper Authorization

Description When veyon is used in a Linux environment and is configured to use PAM as authentication method, The authorization of an account validity is missing. Therefore expired accounts or accounts with expired passwords can still login. This bug is in the provided tool veyon-auth-helper - aft...

0.5AI score
Exploits0References1
Huntr
Huntr
added 2022/03/02 3:26 p.m.40 views

Improper Authorization

Description When configuring cobbler-web to authentificate via PAM. The authorization of a account validity is missing. Therefore expired accounts can still login. Proof of Concept Enable authnpam in the modules.conf Create a testuser to login $ useradd expireduser $ passwd expireduser 12345 $...

6.4CVSS2.1AI score0.02256EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/02 2:30 p.m.33 views

Cross-site Scripting (XSS) - Stored

Description Autolab is vulnerable to stored cross-site-scripting in the upload files functionality in courses feature, this can be used to execute XSS attack against the victim who is a student/teacher. Steps to Reproduce PoC 1 login to autolab 2 go to...

3.5CVSS0.00646EPSS
Exploits1References1
Huntr
Huntr
added 2022/03/01 2:11 p.m.33 views

Open Redirect

Description bypass https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083/ urijs fix CVE-2022-0613 , however attacker can bypass to exploit this issue Proof of Concept // PoC.js var URI = require'urijs'; var url = new URI"https::\\github.com/foo/bar"; console.logurl; output: URI string:...

5.8CVSS0.1AI score0.0158EPSS
Exploits2
Huntr
Huntr
added 2022/03/01 9:35 a.m.18 views

Cross-site Scripting (XSS) - Stored

Description SVG sanitizer cloud be bypassed via flowing SVG file that leads to stored XSS Proof of Concept Upload the above SVG file in your profile, view it, and click anywhere on the page then XSS will be triggered : Impact This vulnerability is capable of performing arbitrary actions on behalf...

3.5CVSS2AI score0.01771EPSS
Exploits1
Huntr
Huntr
added 2022/02/28 7:32 p.m.15 views

OS Command Injection

Description npm-lockfile before 2.0.4 does not santize unsafe external input and invoke sensitive command execution API with the input, causing command injection vulnerability. Proof of Concept // npm i [email protected] const getLockfile = require'npm-lockfile/getLockfile';...

10CVSS3AI score0.02675EPSS
Exploits1
Huntr
Huntr
added 2022/02/28 2:48 p.m.34 views

Improper Resolution of Path Equivalence

DESCRIPTION Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be...

5.8CVSS0.2AI score0.02388EPSS
Exploits1References4
Huntr
Huntr
added 2022/02/28 12:49 p.m.26 views

Code Injection

Description Improper php function sanitization, lead to an ability to inject arbitrary PHP code and run arbitrary commands on file system. In the function "doleval" in file "dolibarr/htdocs/core/lib/functions.lib.php" dangerous PHP functions are sanitized using "strreplace" and can be bypassed...

6.5CVSS0.3AI score0.43578EPSS
Exploits1
Huntr
Huntr
added 2022/02/27 3:46 p.m.8 views

File Descriptor Leak

Possible sensitive files Vulnerability description: A possible sensitive file has been found. This file is not directly linked from the website. This check looks for common sensitive resources like password files, configuration files, log files, include files, statistics data, database dumps. Eac...

6.8AI score
Exploits0References2
Huntr
Huntr
added 2022/02/27 3:39 p.m.18 views

Improper Preservation of Permissions

Git repository found Description: Git metadata directory .git was found in this folder. An attacker can extract sensitive information by requesting the hidden metadata directory that version control tool Git creates. The metadata directories are used for development purposes to keep track of...

Exploits0References1
Huntr
Huntr
added 2022/02/27 10:55 a.m.27 views

Cross-site Scripting (XSS) - Stored

Description pimcore is vulnerable to Stored XSS at Key field in the Navigation & Properties tab of a Document page. Payload " Step to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.Click on any document Home, de,... in the Documents 3.Go to Navigation & Properties tab, in the Key...

3.5CVSS0.4AI score0.01266EPSS
Exploits1
Huntr
Huntr
added 2022/02/27 10:28 a.m.52 views

Insecure Storage of Sensitive Information

Vulnerability name: EXIF Geolocation Data Not Stripped From Uploaded Images vulnerability Description:- When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their...

4CVSS0.4AI score0.01074EPSS
Exploits1References3
Huntr
Huntr
added 2022/02/27 2:50 a.m.34 views

Protocol/Hostname spoofing via Improper Input Validation

Description The uri.js doesn't remove whitespace characters from the beginning of the protocol, so it doesn't parse URLs properly. Several methods, including http.get, location.href, and fetch, strip the whitespace character in front of the protocol before sending the request. Proof of Concept...

5CVSS0.6AI score0.01995EPSS
Exploits1
Huntr
Huntr
added 2022/02/26 2:7 p.m.30 views

Prototype Pollution

Description fullPage utils are available to developers using window.fputils. They can use these utils for their own use-case other than fullPage as well. However, one of the utils deepExtend is vulnerable to Prototype Pollution vulnerability. Javascript is "prototype" language which means when a...

7.5CVSS0.01271EPSS
Exploits1References1
Huntr
Huntr
added 2022/02/26 5:57 a.m.31 views

Server-Side Request Forgery (SSRF)

Description Alltube takes URL from the query parameter and directly uses it in the youtube-dl command, It makes any unauthenticated attacker can perform an SSRF attack and pass internal hostnames in the URL parameter and obtain information about that service from the response. Proof of Concept GE...

6.4CVSS0.4AI score0.01617EPSS
Exploits1
Huntr
Huntr
added 2022/02/25 11:36 a.m.30 views

Weak Password Recovery Mechanism for Forgotten Password

Description: There is no rate limit sent unlimited email victim or any email address. Proof of Concept: There is no rate limit return-password , attacker to send unlimited email to victim or any email address. Impact: Attacker can sent unlimited email to any mail address . Solution: Add 'throttle...

5CVSS1.9AI score0.01221EPSS
Exploits1References1
Huntr
Huntr
added 2022/02/25 6:35 a.m.15 views

Improper Authorization in User Management to Vertical Privilege Escalation

Description Pandora FMS v7.0NG.759 allows improper authorization in User Management where any authenticated user with access to the User Management module could create, modify, delete any user with full admin privilege. The impact could lead to vertical privilege escalation to access the privileg...

6.5CVSS1.8AI score0.00581EPSS
Exploits0References1
Huntr
Huntr
added 2022/02/25 5:2 a.m.19 views

Server-Side Request Forgery (SSRF)

Description The SSRF Protection is incomplete and can be bypassed via an HTTP redirect, the python-requests library will follow redirections by default can be disabled byallowredirects=False. An attacker can set up their HTTP server to respond with a 302 redirect to redirect the request to...

7.5CVSS0.4AI score0.00962EPSS
Exploits1References1
Huntr
Huntr
added 2022/02/25 4:31 a.m.21 views

Cross-site Scripting (XSS) - Stored

Description pimcore is vulnerable to Stored XSS at Title field in the SEO & Settings tab of a Document page. Payload " Step to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.Click on any document Home, de,... in the Documents 3.Go to SEO & Settings tab, in the Title field, input...

3.5CVSS0.2AI score0.6662EPSS
Exploits1
Huntr
Huntr
added 2022/02/25 2:32 a.m.29 views

Cross-site Scripting (XSS) - Stored

Description Stored XSS via upload attachment with format .xml in File Library. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept PoC.xml...

3.5CVSS0.3AI score0.00732EPSS
Exploits1
Huntr
Huntr
added 2022/02/24 6:18 p.m.10 views

Improper Input Validation

Description If an attacker inserts a null byte at the beginning of the javascript scheme, parse will not parse the javascript scheme properly. Therefore, all null bytes must be removed before parsing. Proof of Concept javascript const parseUrl = require"parse-url" url =...

0.6AI score
Exploits0References1
Huntr
Huntr
added 2022/02/24 5:31 p.m.39 views

Improper Authorization

Description A low-privilege user I tested it with Editor priv user can create any role in the application. Proof of Concept Make a POST request to /Admin/Roles/Create using low-priv user's cookie and RequestVerificationToken A new role will be created with the specified name. Impact A low-priv us...

4CVSS1.7AI score0.00728EPSS
Exploits1
Huntr
Huntr
added 2022/02/24 3:25 a.m.23 views

Business Logic Errors

Description Product status of product is unpublished has been deleted by admin in Trash folder but user can still add to cart and make purchases Proof of Concept Step 1: Admin go to Shop Products: Unpublish product and Delete product Step 2: User add product to cart by request POST...

4CVSS4.6AI score0.00631EPSS
Exploits1
Huntr
Huntr
added 2022/02/23 10:19 p.m.24 views

Denial of Service

Description R2 will hang for several crafted binaries. Proof of Concept bash printf "%s" "AAA4AAAAAB4=" | base64 -d /tmp/a printf "%s" "z/rt/gwAAAEuAAB//wAAAACe2QEaAAAG+s8yAOH/AQAAAA==" | base64 -d /tmp/a printf "%s"...

4.3CVSS1.7AI score0.00941EPSS
Exploits1
Huntr
Huntr
added 2022/02/23 10:15 p.m.9 views

Improper Input Validation

Description If hostname is not entered as in the following PoC, Open Redirect and SSRF occur because hostname is empty. Proof of Concept javascript // PoC : http:@127.0.0.1 const parseUrl = require"parse-url" const http = require"http" url = parseUrl"http:@127.0.0.1" console.logurl...

0.1AI score
Exploits0
Huntr
Huntr
added 2022/02/23 4:46 p.m.22 views

Server-Side Request Forgery (SSRF)

Description There is a Blind SSRF in fetching remote images in /uploaddocimg/ endpoint. It's because it does not check hostname before sending HTTP Request to it and only if the content-type be a valid image it will save the response. However, we do not have a full SSRF but there is still a blind...

7.1AI score
Exploits0
Huntr
Huntr
added 2022/02/23 12:52 p.m.29 views

Improper Access Control

Description It was found that if a user is not having access to the requested items module, a normal user with no access can still access and view the requested content. It is a more detailed explanation of the given report where it was marked as invalid :...

4CVSS1.3AI score0.00994EPSS
Exploits1
Huntr
Huntr
added 2022/02/22 5:15 p.m.22 views

Cross-site Scripting (XSS) - Stored

Description I found a Stored XSS vulnerability at admin page: https://demo.microweber.org/demo/admin/view:settingsoptiongroup=files Proof of Concept Step 1: Go to Settings Website settings Files Step 2: Create new folder with folder name : // Request --------------------------------------- POST...

3.5CVSS4.4AI score0.00613EPSS
Exploits1
Huntr
Huntr
added 2022/02/22 3:9 p.m.33 views

Improper Access Control (IDOR)

Description Dolibarr v14.0.5 allows improper access control issues in the userphoto modulepart. The impact could lead to data exposure as the attached files and documents may contain sensitive information of relevant parties such as contacts, suppliers, invoices, orders, stocks, agenda, accountin...

4CVSS0.7AI score0.00996EPSS
Exploits1
Huntr
Huntr
added 2022/02/22 12:50 p.m.17 views

Business Logic Errors

Description In Dolibarr v14.0.5, any low privileged users could update their login name which should only be updated by admin. Proof of Concept POST /dolibarr/user/card.php?id=2 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:97.0 Gecko/20100101 Firefox/97.0...

4CVSS4.6AI score0.00868EPSS
Exploits1
Total number of security vulnerabilities4072