4072 matches found
Authorization Bypass Through User-Controlled Key
Description Hello go restful maintainer team, I would like to report a security concerning your CORS Filter feature. Go restful allows user to specify a CORS Filter with a configurable AllowedDomains param - which is an array of domains allowed in CORS policy. However, although there's is already...
Improper Authorization
Description Pacemakers daemon pcsd allows authentication via PAMs pamauthenticate. Unfortunately the authorization via pamacctmgmt has been omitted. Therefore unprivileged expired accounts that have been denied access can still login. Proof of Concept You can expire an account with chage -E0 Impa...
Improper Authorization
Description When motuz is configured for PAM authentification it skips checking authorization completely. Therefore unprivileged expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling ...
Improper Authorization and possible DoS when using PAM Auth
Description When bareos versions after 18.2 are build and configured for PAM authentification it skips checking authorization completely. Expired accounts and accounts with expired passwords can still login. Further after wrong authentication or the code returns without releasing the PAM handle,...
Server-Side Request Forgery (SSRF)
Description The fix for my previous report CVE-2022-0767 is still incomplete and could be bypassed via IPV4/IPV4 embedding : ssrf-ipv4ipv6.etclab.top will resolve to 0:0:0:0:0:ffff:127.0.0.1 Proof of Concept POST /admin/book/1 HTTP/1.1 Host: 127.0.0.1:8083 User-Agent: Mozilla/5.0 Windows NT 10.0;...
Static Code Injection
Description The Microweber application allows HTML tags in the "First name", "Last name" and "Phone number" which can be exploited by Injecting HTML payloads. Proof of Concept 1.While buying product we need to fill contact information form. 2.Insert your html code in code block. e.g., Hurry Up!Go...
Improper Neutralization of Special Elements Used in a Template Engine
Description The Microweber application allows HTML tags in the "Blog Comments" which can be exploited by Injecting HTML payloads. Proof of Concept 1.Open any blog in which comment is allowed. 2.Insert your html code in code block. e.g., Hurry Up!Go to https://evil.com and get free $1000 in your...
Insufficient Granularity of Access Control
Description There are no rate limits and reuse of captcha is allowed resulting in reuse of same captcha to issue notifications to administrator Proof of Concept Capture the newsletter subscription flow in burp and continue with entering email & captcha until below POST form request is captured...
Improper Authorization
Description When Gogs is build and configured for PAM authentification it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling an...
Improper Authorization
Description When Gitea is build and configured for PAM authentification it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login. Proof of Concept You can expire an account with chage -E0 and still login. Impact Since disabling an...
Improper Authorization
Description When configuring saltstack to authentificate via the salt.auth.pam module. The authorization of a account validity is missing. Therefore expired accounts, or accounts with expired passwords, can still login. Proof of Concept Configure salt with salt.auth.pam and run it with an expired...
Cross-site Scripting (XSS) - Stored
Description Iframe tags don't have a sandbox attribute, this makes an attacker able to execute malicious javascript via an iframe and perform phishing attacks. The sandbox attribute will block script execution and prevents the content to navigate its top-level browsing context which will stop thi...
Exposure of Sensitive Information to an Unauthorized Actor
Bug Cookies & Authorisation headers are leaked to external sites. Description When following a redirect to an external site, Cookie & Autorisation headers are leaked to the third party application. json "headers": "Accept-Encoding":"gzip, deflate, br", "Authorization":"Bearer eyJhb12345abcdef",...
Cross-site Scripting (XSS) - Stored
Description Stored XSS in parameter Name when save Grid Options Proof of Concept // PoC.req POST /admin/object-helper/grid-save-column-config HTTP/1.1 Host: 10.x-dev.pimcore.fun Cookie: PHPSESSID=cef9a977bc8ae8591f7b3b14bcafedf4; pimcoreadminsid=1;...
protocol spoofing
Description I found a vulnerability that incorrectly parses the protocol when using a javascript scheme. javascript location.href = 'javasript:https://google.com/%0aalert1' First, you can check that the above URL executes the script normally through the above code. txt - node.js ❯ node -e...
hostname spoofing via javascript
Description If use parse-url for security check on url, it is dangerous because hostname spoofing through JavaScript scheme is possible. It also occurred in url.parse of node.js in 2018, and node.js acknowledged the vulnerability for this. So Node.js has patched it, and there are cases where a CV...
Use After Free in r_reg_get_name_idx
Description heap use after free in rreggetnameidx. ASAN report: ================================================================= ==1710816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020001dff50 at pc 0x7fa7c085d87c bp 0x7ffc21731ac0 sp 0x7ffc21731ab0 READ of size 1 at...
Cross-site Scripting (XSS) - Reflected
Description Please enter a description of the vulnerability. Proof of Concept xss in function add domain POST /add/web v-custom-doc-domain=alert1 https://drive.google.com/file/d/1EeoOX7Pmn5ptuweine4Cgcy1fyd6qEzJ/view?usp=sharing Impact...
Server-Side Request Forgery (SSRF)
Description youtube-downloader takes an URL from the url query parameter, passes it directly to curl and streams the response to the browser. This makes it vulnerable to an SSRF attack if someone passes an URL containing an internal hostname, as it will stream internal resources to the browser...
Code Injection
Description The attacker can execute commands on the target OS running the operating system by setting the PLTRAINERGPUS when using the Trainer module. Proof of Concept bash $ pip3 install pytorch-lightning python import os from pytorchlightning import Trainer from...
Improper Authorization
Description When veyon is used in a Linux environment and is configured to use PAM as authentication method, The authorization of an account validity is missing. Therefore expired accounts or accounts with expired passwords can still login. This bug is in the provided tool veyon-auth-helper - aft...
Improper Authorization
Description When configuring cobbler-web to authentificate via PAM. The authorization of a account validity is missing. Therefore expired accounts can still login. Proof of Concept Enable authnpam in the modules.conf Create a testuser to login $ useradd expireduser $ passwd expireduser 12345 $...
Cross-site Scripting (XSS) - Stored
Description Autolab is vulnerable to stored cross-site-scripting in the upload files functionality in courses feature, this can be used to execute XSS attack against the victim who is a student/teacher. Steps to Reproduce PoC 1 login to autolab 2 go to...
Open Redirect
Description bypass https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083/ urijs fix CVE-2022-0613 , however attacker can bypass to exploit this issue Proof of Concept // PoC.js var URI = require'urijs'; var url = new URI"https::\\github.com/foo/bar"; console.logurl; output: URI string:...
Cross-site Scripting (XSS) - Stored
Description SVG sanitizer cloud be bypassed via flowing SVG file that leads to stored XSS Proof of Concept Upload the above SVG file in your profile, view it, and click anywhere on the page then XSS will be triggered : Impact This vulnerability is capable of performing arbitrary actions on behalf...
OS Command Injection
Description npm-lockfile before 2.0.4 does not santize unsafe external input and invoke sensitive command execution API with the input, causing command injection vulnerability. Proof of Concept // npm i [email protected] const getLockfile = require'npm-lockfile/getLockfile';...
Improper Resolution of Path Equivalence
DESCRIPTION Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be...
Code Injection
Description Improper php function sanitization, lead to an ability to inject arbitrary PHP code and run arbitrary commands on file system. In the function "doleval" in file "dolibarr/htdocs/core/lib/functions.lib.php" dangerous PHP functions are sanitized using "strreplace" and can be bypassed...
File Descriptor Leak
Possible sensitive files Vulnerability description: A possible sensitive file has been found. This file is not directly linked from the website. This check looks for common sensitive resources like password files, configuration files, log files, include files, statistics data, database dumps. Eac...
Improper Preservation of Permissions
Git repository found Description: Git metadata directory .git was found in this folder. An attacker can extract sensitive information by requesting the hidden metadata directory that version control tool Git creates. The metadata directories are used for development purposes to keep track of...
Cross-site Scripting (XSS) - Stored
Description pimcore is vulnerable to Stored XSS at Key field in the Navigation & Properties tab of a Document page. Payload " Step to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.Click on any document Home, de,... in the Documents 3.Go to Navigation & Properties tab, in the Key...
Insecure Storage of Sensitive Information
Vulnerability name: EXIF Geolocation Data Not Stripped From Uploaded Images vulnerability Description:- When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their...
Protocol/Hostname spoofing via Improper Input Validation
Description The uri.js doesn't remove whitespace characters from the beginning of the protocol, so it doesn't parse URLs properly. Several methods, including http.get, location.href, and fetch, strip the whitespace character in front of the protocol before sending the request. Proof of Concept...
Prototype Pollution
Description fullPage utils are available to developers using window.fputils. They can use these utils for their own use-case other than fullPage as well. However, one of the utils deepExtend is vulnerable to Prototype Pollution vulnerability. Javascript is "prototype" language which means when a...
Server-Side Request Forgery (SSRF)
Description Alltube takes URL from the query parameter and directly uses it in the youtube-dl command, It makes any unauthenticated attacker can perform an SSRF attack and pass internal hostnames in the URL parameter and obtain information about that service from the response. Proof of Concept GE...
Weak Password Recovery Mechanism for Forgotten Password
Description: There is no rate limit sent unlimited email victim or any email address. Proof of Concept: There is no rate limit return-password , attacker to send unlimited email to victim or any email address. Impact: Attacker can sent unlimited email to any mail address . Solution: Add 'throttle...
Improper Authorization in User Management to Vertical Privilege Escalation
Description Pandora FMS v7.0NG.759 allows improper authorization in User Management where any authenticated user with access to the User Management module could create, modify, delete any user with full admin privilege. The impact could lead to vertical privilege escalation to access the privileg...
Server-Side Request Forgery (SSRF)
Description The SSRF Protection is incomplete and can be bypassed via an HTTP redirect, the python-requests library will follow redirections by default can be disabled byallowredirects=False. An attacker can set up their HTTP server to respond with a 302 redirect to redirect the request to...
Cross-site Scripting (XSS) - Stored
Description pimcore is vulnerable to Stored XSS at Title field in the SEO & Settings tab of a Document page. Payload " Step to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.Click on any document Home, de,... in the Documents 3.Go to SEO & Settings tab, in the Title field, input...
Cross-site Scripting (XSS) - Stored
Description Stored XSS via upload attachment with format .xml in File Library. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept PoC.xml...
Improper Input Validation
Description If an attacker inserts a null byte at the beginning of the javascript scheme, parse will not parse the javascript scheme properly. Therefore, all null bytes must be removed before parsing. Proof of Concept javascript const parseUrl = require"parse-url" url =...
Improper Authorization
Description A low-privilege user I tested it with Editor priv user can create any role in the application. Proof of Concept Make a POST request to /Admin/Roles/Create using low-priv user's cookie and RequestVerificationToken A new role will be created with the specified name. Impact A low-priv us...
Business Logic Errors
Description Product status of product is unpublished has been deleted by admin in Trash folder but user can still add to cart and make purchases Proof of Concept Step 1: Admin go to Shop Products: Unpublish product and Delete product Step 2: User add product to cart by request POST...
Denial of Service
Description R2 will hang for several crafted binaries. Proof of Concept bash printf "%s" "AAA4AAAAAB4=" | base64 -d /tmp/a printf "%s" "z/rt/gwAAAEuAAB//wAAAACe2QEaAAAG+s8yAOH/AQAAAA==" | base64 -d /tmp/a printf "%s"...
Improper Input Validation
Description If hostname is not entered as in the following PoC, Open Redirect and SSRF occur because hostname is empty. Proof of Concept javascript // PoC : http:@127.0.0.1 const parseUrl = require"parse-url" const http = require"http" url = parseUrl"http:@127.0.0.1" console.logurl...
Server-Side Request Forgery (SSRF)
Description There is a Blind SSRF in fetching remote images in /uploaddocimg/ endpoint. It's because it does not check hostname before sending HTTP Request to it and only if the content-type be a valid image it will save the response. However, we do not have a full SSRF but there is still a blind...
Improper Access Control
Description It was found that if a user is not having access to the requested items module, a normal user with no access can still access and view the requested content. It is a more detailed explanation of the given report where it was marked as invalid :...
Cross-site Scripting (XSS) - Stored
Description I found a Stored XSS vulnerability at admin page: https://demo.microweber.org/demo/admin/view:settingsoptiongroup=files Proof of Concept Step 1: Go to Settings Website settings Files Step 2: Create new folder with folder name : // Request --------------------------------------- POST...
Improper Access Control (IDOR)
Description Dolibarr v14.0.5 allows improper access control issues in the userphoto modulepart. The impact could lead to data exposure as the attached files and documents may contain sensitive information of relevant parties such as contacts, suppliers, invoices, orders, stocks, agenda, accountin...
Business Logic Errors
Description In Dolibarr v14.0.5, any low privileged users could update their login name which should only be updated by admin. Proof of Concept POST /dolibarr/user/card.php?id=2 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:97.0 Gecko/20100101 Firefox/97.0...