4058 matches found
protocol spoofing
Description I found a vulnerability that incorrectly parses the protocol when using a javascript scheme. javascript location.href = 'javasript:https://google.com/%0aalert(1)' First, you can check that the above URL executes the script normally through the above code. txt - node.js ❯ node -e...
hostname spoofing via javascript
Description If parse-url is used for a security check on a URL, it is dangerous because hostname spoofing through the JavaScript scheme is possible. This also occurred in url.parse of Node.js in 2018, and Node.js acknowledged the vulnerability. So Node.js has patched it, and there are cases where a CV...
Use After Free in r_reg_get_name_idx
Description heap use after free in r_reg_get_name_idx. ASAN report: ================================================================= ==1710816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020001dff50 at pc 0x7fa7c085d87c bp 0x7ffc21731ac0 sp 0x7ffc21731ab0 READ of size 1 at...
Cross-site Scripting (XSS) - Reflected
Description Please enter a description of the vulnerability. Proof of Concept XSS in the add domain function POST /add/web v-custom-doc-domain=alert1 https://drive.google.com/file/d/1EeoOX7Pmn5ptuweine4Cgcy1fyd6qEzJ/view?usp=sharing Impact...
Server-Side Request Forgery (SSRF)
Description youtube-downloader takes a URL from the url query parameter, passes it directly to curl and streams the response to the browser. This makes it vulnerable to an SSRF attack if someone passes a URL containing an internal hostname, as it will stream internal resources to the browser...
Code Injection
Description The attacker can execute commands on the target operating system by setting PL_TRAINER_GPUS when using the Trainer module. Proof of Concept bash $ pip3 install pytorch-lightning python import os from pytorch_lightning import Trainer from...
Improper Authorization
Description When veyon is used in a Linux environment and is configured to use PAM as the authentication method, the authorization check of account validity is missing. Therefore expired accounts or accounts with expired passwords can still log in. This bug is in the provided tool veyon-auth-helper - aft...
Improper Authorization
Description When configuring cobbler-web to authenticate via PAM, the authorization check of account validity is missing. Therefore expired accounts can still log in. Proof of Concept Enable authn_pam in the modules.conf Create a test user to log in $ useradd expireduser $ passwd expireduser 12345 $...
Cross-site Scripting (XSS) - Stored
Description Autolab is vulnerable to stored cross-site scripting in the upload files functionality of the courses feature; this can be used to execute an XSS attack against a victim who is a student/teacher. Steps to Reproduce PoC 1 login to autolab 2 go to...
Open Redirect
Description Bypass of https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083/: urijs fixed CVE-2022-0613, however an attacker can still bypass the fix to exploit this issue. Proof of Concept // PoC.js var URI = require('urijs'); var url = new URI("https::\\github.com/foo/bar"); console.log(url); output: URI string:...
Cross-site Scripting (XSS) - Stored
Description The SVG sanitizer could be bypassed via the following SVG file, which leads to stored XSS. Proof of Concept Upload the above SVG file in your profile, view it, and click anywhere on the page, then the XSS will be triggered: Impact This vulnerability is capable of performing arbitrary actions on behalf...
OS Command Injection
Description npm-lockfile before 2.0.4 does not sanitize unsafe external input and invokes a sensitive command execution API with the input, causing a command injection vulnerability. Proof of Concept // npm i [email protected] const getLockfile = require('npm-lockfile/getLockfile');...
Improper Resolution of Path Equivalence
Description Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be...
Code Injection
Description Improper PHP function sanitization leads to an ability to inject arbitrary PHP code and run arbitrary commands on the file system. In the function "dol_eval" in file "dolibarr/htdocs/core/lib/functions.lib.php" dangerous PHP functions are sanitized using "str_replace" and can be bypassed...
File Descriptor Leak
Possible sensitive files Vulnerability description: A possible sensitive file has been found. This file is not directly linked from the website. This check looks for common sensitive resources like password files, configuration files, log files, include files, statistics data, database dumps. Eac...
Improper Preservation of Permissions
Git repository found Description: Git metadata directory .git was found in this folder. An attacker can extract sensitive information by requesting the hidden metadata directory that version control tool Git creates. The metadata directories are used for development purposes to keep track of...
Cross-site Scripting (XSS) - Stored
Description pimcore is vulnerable to Stored XSS at the Key field in the Navigation & Properties tab of a Document page. Payload " Steps to reproduce 1. Go to https://demo.pimcore.fun/admin/ and login. 2. Click on any document (Home, de, ...) in the Documents 3. Go to the Navigation & Properties tab, in the Key...
Insecure Storage of Sensitive Information
Vulnerability name: EXIF Geolocation Data Not Stripped From Uploaded Images vulnerability Description: When the user uploads his profile picture, the uploaded image's EXIF geolocation data does not get stripped. As a result, anyone can get sensitive information about microweber users like their...
Protocol/Hostname spoofing via Improper Input Validation
Description uri.js doesn't remove whitespace characters from the beginning of the protocol, so it doesn't parse URLs properly. Several methods, including http.get, location.href, and fetch, strip the whitespace character in front of the protocol before sending the request. Proof of Concept...
Prototype Pollution
Description fullPage utils are available to developers via window.fp_utils. They can use these utils for their own use cases other than fullPage as well. However, one of the utils, deepExtend, is vulnerable to Prototype Pollution. JavaScript is a "prototype" language, which means when a...
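As an added example (not fullPage's own code), the shape of recursive-extend bug the report above describes, beside a hardened version. The vulnerable function recurses into every source key; for the key `__proto__`, `target["__proto__"]` is `Object.prototype`, so the attacker's nested keys are written onto every object in the process. The payload and the helper names are constructed for this demo.

```javascript
'use strict';
// Added example, not fullPage's own code: a minimal recursive extend in the
// shape the report describes, beside a hardened version that refuses to
// walk into the keys that reach Object.prototype.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: recurses into every source key, including "__proto__".
// target["__proto__"] is Object.prototype, so the nested keys land there.
function deepExtendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepExtendVulnerable(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skip prototype-reaching keys and only recurse into the target's
// own properties, never into inherited ones.
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      deepExtendSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed payload, e.g. options taken from JSON sent by a user.
// JSON.parse creates an own property literally named "__proto__".
const PAYLOAD = '{"__proto__":{"isAdmin":true},"anchors":["home"]}';

// Runs one extend over the payload and reports whether an unrelated object
// created afterwards inherited the attacker's key; cleans up so the process
// stays usable for the next run.
function pollutionCheck(extendFn) {
  const opts = extendFn({}, JSON.parse(PAYLOAD));
  const victim = {};
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, anchors: opts.anchors };
}

console.log('vulnerable:', pollutionCheck(deepExtendVulnerable).polluted);  // true
console.log('hardened:  ', pollutionCheck(deepExtendSafe).polluted);        // false
```

The `hasOwnProperty` check matters as much as the key denylist: without it, a target that already inherits an object under some key would still be walked into, and `Object.create(null)` targets or a `Map` of options sidestep the whole class of bug.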
Server-Side Request Forgery (SSRF)
Description Alltube takes a URL from the query parameter and directly uses it in the youtube-dl command. This lets any unauthenticated attacker perform an SSRF attack, pass internal hostnames in the URL parameter, and obtain information about that service from the response. Proof of Concept GE...
Weak Password Recovery Mechanism for Forgotten Password
Description: There is no rate limit, so unlimited emails can be sent to the victim or any email address. Proof of Concept: There is no rate limit on return-password, so an attacker can send unlimited emails to the victim or any email address. Impact: An attacker can send unlimited emails to any mail address. Solution: Add 'throttle...
Improper Authorization in User Management to Vertical Privilege Escalation
Description Pandora FMS v7.0NG.759 allows improper authorization in User Management, where any authenticated user with access to the User Management module could create, modify, or delete any user with full admin privileges. The impact could lead to vertical privilege escalation to access the privileg...
Server-Side Request Forgery (SSRF)
Description The SSRF protection is incomplete and can be bypassed via an HTTP redirect: the python-requests library follows redirects by default, which can be disabled by allow_redirects=False. An attacker can set up their HTTP server to respond with a 302 redirect to redirect the request to...
Cross-site Scripting (XSS) - Stored
Description pimcore is vulnerable to Stored XSS at the Title field in the SEO & Settings tab of a Document page. Payload " Steps to reproduce 1. Go to https://demo.pimcore.fun/admin/ and login. 2. Click on any document (Home, de, ...) in the Documents 3. Go to the SEO & Settings tab, in the Title field, input...
Cross-site Scripting (XSS) - Stored
Description Stored XSS via upload of an attachment in .xml format in the File Library. Detail When opening the attachment, some file formats will be rendered and loaded in the browser, so it allows executing arbitrary JavaScript code that was injected into the attachment beforehand. Proof of Concept PoC.xml...
Improper Input Validation
Description If an attacker inserts a null byte at the beginning of the javascript scheme, parse will not parse the javascript scheme properly. Therefore, all null bytes must be removed before parsing. Proof of Concept javascript const parseUrl = require("parse-url") url =...
Improper Authorization
Description A low-privilege user (I tested it with an Editor-privileged user) can create any role in the application. Proof of Concept Make a POST request to /Admin/Roles/Create using the low-priv user's cookie and RequestVerificationToken. A new role will be created with the specified name. Impact A low-priv us...
Business Logic Errors
Description A product whose status is unpublished and which has been deleted by the admin into the Trash folder can still be added to the cart and purchased by a user. Proof of Concept Step 1: Admin goes to Shop Products: Unpublish product and Delete product Step 2: User adds product to cart by request POST...
Denial of Service
Description R2 will hang on several crafted binaries. Proof of Concept bash printf "%s" "AAA4AAAAAB4=" | base64 -d > /tmp/a printf "%s" "z/rt/gwAAAEuAAB//wAAAACe2QEaAAAG+s8yAOH/AQAAAA==" | base64 -d > /tmp/a printf "%s"...
Improper Input Validation
Description If a hostname is not entered, as in the following PoC, Open Redirect and SSRF occur because the hostname is empty. Proof of Concept javascript // PoC : http:@127.0.0.1 const parseUrl = require("parse-url") const http = require("http") url = parseUrl("http:@127.0.0.1") console.log(url)...
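The parse-url and urijs reports on this page (javascript scheme with a hostname after it, whitespace or a null byte before the scheme, `http:@127.0.0.1` with an empty host, `https::\\github.com`) share one root cause: a hand-rolled parser disagrees with the WHATWG parser that `http.get`, `fetch` and `location.href` actually use. The following is an added example, not code from parse-url, urijs or their reporters, that runs the same payloads through Node's global `URL` (the WHATWG implementation) and allowlists scheme and host; the allowed host `example.com` and the function name `checkLink` are assumptions for the demo.

```javascript
'use strict';
// Added example, not parse-url's or urijs's code. Validates a user-supplied
// link with the WHATWG parser behind Node's global URL (the same parser that
// http.get and fetch use) and compares scheme and host against allowlists.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const ALLOWED_HOSTS = new Set(['example.com']);   // assumption: the app's own host

// Returns { ok, reason, protocol, hostname } for the input.
function checkLink(input) {
  // Reject C0 control characters (including NUL) before parsing rather than
  // letting the parser strip them; '\x00javascript:' must never become a link.
  if (/[\x00-\x1f\x7f]/.test(input)) {
    return { ok: false, reason: 'control character in input' };
  }
  let u;
  try {
    u = new URL(input);       // throws on input it cannot parse, e.g. a missing host
  } catch (e) {
    return { ok: false, reason: 'unparsable' };
  }
  if (!ALLOWED_PROTOCOLS.has(u.protocol)) {
    return { ok: false, reason: 'protocol ' + u.protocol, protocol: u.protocol, hostname: u.hostname };
  }
  if (!ALLOWED_HOSTS.has(u.hostname)) {
    return { ok: false, reason: 'host ' + u.hostname, protocol: u.protocol, hostname: u.hostname };
  }
  return { ok: true, reason: 'ok', protocol: u.protocol, hostname: u.hostname, href: u.href };
}

// Constructed inputs mirroring the payloads in the reports above.
const SAMPLES = [
  'https://example.com/page',
  'javascript:https://example.com/%0aalert(1)',  // scheme javascript, host empty
  '\x00javascript:alert(1)',                      // NUL before the scheme
  ' javascript:alert(1)',                         // leading whitespace; WHATWG strips it
  'http:@127.0.0.1',                              // empty userinfo, host 127.0.0.1
  'https::\\github.com/foo/bar',                  // malformed authority
];

function verdicts() {
  return SAMPLES.map(s => JSON.stringify(s) + ' -> ' + checkLink(s).reason);
}

console.log(verdicts().join('\n'));
```

The point of allowlisting `u.protocol` and `u.hostname` rather than inspecting the raw string is that the check is made on the same parsed values the browser or HTTP client will act on, so there is no second parser for an attacker to drive a wedge between.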
Server-Side Request Forgery (SSRF)
Description There is a blind SSRF in fetching remote images in the /uploaddocimg/ endpoint. It's because it does not check the hostname before sending an HTTP request to it, and it only saves the response if the content-type is a valid image. However, we do not have a full SSRF but there is still a blind...
Improper Access Control
Description It was found that if a user does not have access to the requested items module, a normal user with no access can still access and view the requested content. This is a more detailed explanation of the given report, which was marked as invalid:...
Cross-site Scripting (XSS) - Stored
Description I found a Stored XSS vulnerability at the admin page: https://demo.microweber.org/demo/admin/view:settingsoptiongroup=files Proof of Concept Step 1: Go to Settings Website settings Files Step 2: Create a new folder with the folder name : // Request --------------------------------------- POST...
Improper Access Control (IDOR)
Description Dolibarr v14.0.5 allows improper access control in the userphoto modulepart. The impact could lead to data exposure, as the attached files and documents may contain sensitive information of relevant parties such as contacts, suppliers, invoices, orders, stocks, agenda, accountin...
Business Logic Errors
Description In Dolibarr v14.0.5, any low-privileged user could update their login name, which should only be updated by the admin. Proof of Concept POST /dolibarr/user/card.php?id=2 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0...
Server-Side Request Forgery (SSRF)
Description Bypass of this report: https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369/ Proof of Concept The blacklist does not check for 0.0.0.0. PAYLOAD: http://0.0.0.0 This payload will be resolved to localhost python import socket from urllib.parse import urlparse PAYLOAD =...
Heap-based Buffer Overflow
Description A heap overflow occurs in win_lbr_chartabsize. commit: 592f6250017c31c8996325403e511f4502077ba5 Proof of Concept poc $ echo -ne "c2UgZW5jb2Rpbmc9aXNvODg1OQpub3JtOnNlIAEbCnNlIHZhcnRhYnN0b3A9NDAwCm5vcm0waTAw CQQ=" | base64 -d > poc Valgrind $ /valgrind/vg-in-place -s /vim-debug/src/vim -u NON...
Out-of-bounds Read
Description An OOB read occurs in mrb_ary_push. commit: 5d9239c2c4644fa8a59d9f5159b4950569dd5e0e Proof of Concept poc $ echo -ne "WzpfXVswLDAsMCwwLDAsMCwwLDAsMCwwLDAsMCwwLDBdPTpO" | base64 -d > poc ASAN $ ./bin/mruby poc AddressSanitizer:DEADLYSIGNAL...
Use of Out-of-range Pointer Offset
Description This issue occurs in version v8.2.4428. Proof of Concept sh $ echo "dnMgIDPKKSAwMGNtZGxicmVh4OvbmfsA3ykA3/8wAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAhAAAA AAAAAODr3/f/fwAAAAAAAAAAAPZRIwAAAAAAa3N5bWxpbmsgCmJcJlx6cypcenMqQGU=" | base64 -d > poc $ /valgrind/vg-in-place -s ./src/vim -u NONE -i NON...
NULL Pointer Dereference
Description NULL Pointer Dereference in MP4Box Command MP4Box -info POC6 POC6 is here. ASAN result [iso file] Unknown box type url@ in parent dref [iso file] Unknown box type traj in parent moov [iso file] Unknown box type 80rak in parent moov [iso file] Incomplete box mdat - start 11495 size 901165 [iso...
Multiple Open Redirect
Description In the /user/login endpoint, it doesn't check the value of the next parameter when the user is logged in and passes it directly to redirect, which results in an open redirect. The bug also exists in /user/logout, /user/register, /user/login, /user/resend-activation. Proof of Concept 1. Go to...
Unrestricted Upload of File with Dangerous Type
Description In the recent Crater version (bed05fc2, tag: 6.0.4) a privileged user can upload a PHP file as an expense receipt. Proof of Concept POST /api/v1/expenses/59/upload/receipts HTTP/1.1 Host: 172.17.0.1:8888 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0 Accept: */*...
Classic Buffer Overflow in john
Description For the 1Password Cloud Keychain plugin, the lengths of inputs are not properly checked. Then inputs are copied to fixed-length buffers. For example, creating a salt with a larger length allows a buffer overflow. Proof of Concept Using the cloudkeychain.hash file: $ ./run/john...
Heap-based Buffer Overflow in john
Description For the PEM plugin, the length of the ciphertext is not properly checked. Then the ciphertext is copied to a fixed-length buffer. Creating a ciphertext with a larger length allows a heap overflow. Proof of Concept Using the following file pem.hash bash $ ./configure --enable-asan; make -j4;...
Cross-site Scripting (XSS) - Stored
Description Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Proof of Concept Steps to Reproduce: = Install the WebApp and set it up =...
Improper Access Control in File Manager module
Description In Webmin 1.984, any authenticated low-privilege user who did not have access to the File Manager module could interact with a variety of file manager capabilities such as modifying file ownership (chown), viewing file properties, listing or deleting files and directories on the server...
Relative Path Traversal to Remote Code Execution
Description Pandora FMS v7.0NG.759 allows relative path traversal in File Manager, where a privileged user could upload a .php file outside the intended images directory, which is restricted from executing .php files. The impact could lead to Remote Code Execution with the running application's privilege...
Heap-based Buffer Overflow
Description heap-buffer-overflow /home/ubuntu/fuzz/radare2/libr/include/r_endian.h:176 in r_read_le32 Environment Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal radare2 5.6.3 27472 @ linux-x86-64 git.5.6.2 commit: d24dbb9fbb0b398a6a739847008ccef3ea7e687c ASAN...
NULL Pointer Dereference
Description NULL pointer dereference in bin_symbols.c Environment bash Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal radare2 5.6.3 27472 @ linux-x86-64 git.5.6.2 commit: d24dbb9fbb0b398a6a739847008ccef3ea7e687c POC radare2 -AA -qq ./poc poc ASAN...