Cross-site Scripting (XSS) - Reflected
Description: There is a reflected cross-site scripting issue chained using these endpoints: 1. /admin/content/0/edit 2. /apiqqalert1fca4/page. Proof of Concept: 1. Login to https://demo.microweber.org 2. Now visit https://demo.microweber.org/demo/admin/content/0/edit 3. Now open this URL in the same tab o...
Improper Access Control in Configuration (Credential store)
Description: Pandora FMS v7.0NG.759 allows improper access control in Configuration (Credential store), where a user with the role of Operator (Write) could create, delete and view existing keys, which is outside the intended role. Proof of Concept: Affected endpoint: POST...
Insertion of Sensitive Information Into Debugging Code
Description: Laravel debug mode exposes sensitive data, e.g. internal source code, stack traces, SQL queries, database names, table names, users' cookies, email, phone number, username, Laravel version, PHP version, etc. Proof of Concept: 1. Log in to http://demo.microweber.org 2. Navigate to thi...
Cross-site Scripting (XSS) - Reflected
Description: The endpoint https://demo.microweber.org/demo/admin/post/id/edit is vulnerable to cross-site scripting. The "Edit source" field is affected. Proof of Concept: 1. Log in to https://demo.microweber.org 2. Navigate to https://demo.microweber.org/demo/admin/post/25/edit 3. Click EditSourc...
Insecure Storage of Sensitive Information
Description: When a user uploads their profile picture, the uploaded image's EXIF geolocation data does not get stripped. As a result, anyone can get sensitive information about Microweber users, like their geolocation and their device information, such as device name, version, software and software version...
Denial of Service
Description: A malformed mdmp file causes a DoS attack and leads to resource exhaustion. Proof of Concept (bash): printf "%s" "TURNUJOnkwAA9f8AIwAAAAAAAAAA4FJj5gADAAAAGwAAAAAEAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAA" | base64 -d > /tmp/a; strace r2 /tmp/a. This hangs and leads to resource exhaustion...
Cross-Site Request Forgery (CSRF) to User Privilege Escalation
Description: Pandora FMS v7.0NG.759 allows cross-site request forgery in Bulk operation (User operation), resulting in elevation of privilege to the Administrator group. Details: Version: Pandora FMS v7.0NG.759 - OUM 759 - MR 51; Affected components: Console. Proof of Concept: Affected Endpoint: POST...
NULL Pointer Dereference
Description: Null pointer dereferencing occurs in find_ucmd. Commit: cdf717283ca70b18f20b8a2cefe7957083280c6f. Proof of Concept: $ echo -ne "dGFiZQpzaWwwbm9ybTBxL2cJOkkb" | base64 -d > poc. Valgrind: $ /valgrind/vg-in-place -s ./src/vim -u NONE -i NONE -n -X -Z -e -m -s -S poc -c ":qa!" ==1411416==...
Cross-site Scripting (XSS) - Reflected
Description: Hi, the endpoint https://demo.microweber.org/demo/admin/page is vulnerable to cross-site scripting. Proof of Concept: 1. Just navigate to the PoC URL:...
Cross-site Scripting (XSS) - Stored
Description: Stored XSS is a vulnerability in which the attacker can execute arbitrary JavaScript code in the victim's browser. The XSS payload is stored in a web page and it gets executed whenever someone visits that web page. I used the &#10; (Line Feed) character in the href attribute of the <a> tag to bypass th...
Uncaught Exception
Description: The application is not able to handle errors, leading to exposure of internal file paths. Vulnerable PoC URL: https://demo.microweber.org/demo/api/saveedit; Vulnerable endpoint: demo/api/saveedit; Vulnerable parameter: database64=; Request method: POST. Proof of Concept: 1. Send a POST...
Use of Out-of-range Pointer Offset
Description: Use of an out-of-range pointer offset occurs in unix_expandpath. Commit: e89bfd212b21c227f026e467f882c62cdd6e642d. Proof of Concept: $ echo -ne "c2UgbWwgd2ljCnRj+42NjaYq" | base64 -d > poc. Valgrind: $ /valgrind/vg-in-place -s /vim-debug/src/vim.debug -u NONE -i NONE -n -X -Z -e -m -s -S poc -c...
Authorization Bypass Through User-Controlled Key
Description: Bypass of https://hackerone.com/reports/496293 via the \b (backspace) character. Proof of Concept: const parse = require('./index.js'); url = parse('\bhttp://google.com'); console.log(url). Result: { slashes: false, protocol: '', hash: '', query: '', pathname: '\bhttp://google.com', auth: '', host: '',...
Open Redirect on Rudloff/alltube
Description: Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain...
Use multiple time the one-time coupon
Description: I create a coupon for only one user and for one-time use. Then I create two users, and both of them can use the coupon, but only one of them should be able to use it. Proof of Concept: First, create a one-time, one-user coupon code, e.g. aaaaa. The attacker has tw...
Business Logic Errors
Description: I found an IDOR vulnerability where we are able to delete their product in the cart via the id parameter. Steps to Reproduce: First, add any product to the cart and check out. In the checkout page, we can see the cart details and we have functionality to delete the product. Also, I gave the...
Cross-site Scripting (XSS) - Stored
Stored XSS is possible when adding a rule. Create a new Alert Rule like below and adjust the query like below with the following payload: " Save the rule and see an XSS pop-up...
Cross-site Scripting (XSS) - Reflected
Description: The meta tag can be escaped because the user doesn't escape the double quote in the $redirectUrl parameter when logging out. Proof of Concept: https:///demo/api/logout?redirectto=/asdf" Impact: Through this vulnerability, an attacker is capable of executing malicious scripts...
Path Traversal in silvanmelchior/RPi_Cam_Web_Interface
Description: A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be...
Heap-based Buffer Overflow
Description: There is heap corruption when r2 processes a crafted dyldcache file. Confirmed on the latest release 5.6.2 and the master branch. Proof of Concept (bash): printf "%s"...
Authorization Bypass Through User-Controlled Key
Description: url-parse is unable to find the correct hostname when no port number is provided in the URL. Payload: http://example.com: Proof of Concept (javascript): var Url = require('url-parse'); var PAYLOAD = "http://example.com:"; // Expected hostname: example.com // Actual hostname by url-parse:...
Cross-site Scripting (XSS) - Generic
Description: The user-controlled GET user parameter in index.php is unsanitized, resulting in cross-site scripting. Proof of Concept: Endpoint: GET https://HOST/edit/user File: /web/edit/user/index.php#L11 // Check user argument if (empty($_GET['user'])) { header("Location: /list/user/"); exit; } Request...
Arbitrary Command Injection
Description: When creating a Strapi app using npx create-strapi-app, we can inject arbitrary commands through the --template CLI argument, as per the code at https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13. This happens due t...
Cross-site Scripting (XSS) - Reflected
Description: The user-controlled GET domain parameter in index.php is unsanitized, resulting in reflected cross-site scripting. Proof of Concept: Endpoint: GET https://HOST/edit/web/ // File: /web/edit/web/index.php#L28 // List domain $v_domain = $_GET['domain']; // User controllable parameter if...
Improper Input Validation
Description: There is a lack of input length validation in the phone number field at product checkout, where any user is able to add more than 5000 characters, which shouldn't be allowed. The expected result is that only 255 characters should be allowed. Steps to Reproduce: In the Shop, checkout...
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/
Description: The introduction of a new line character lets the attacker see the stack trace at demo.microweber.org/. This attack becomes more significant because it is less complicated. The stack trace discloses the following information: 1. Backend response code. 2. The versions of the backend (Laravel...
in microweber/microweber
Description: There is no input field length limit on update username, where any user is able to add a large number of characters; imagine we can add 5000+ characters to the update name field. Steps to Reproduce: Visit the particular URL (Vulnerable-link) where there is functionality to update o...
Heap-based Buffer Overflow in gpac/gpac
Description: Heap-based buffer overflow in gpac. Proof of Concept: Version: MP4Box - GPAC version 1.1.0-DEV-rev1762-g90a145735-master (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929...
Improper Authorization in webmin/webmin
Description: The /cron/save_allow.cgi endpoint is accessible to any authenticated low-privilege user, resulting in control over user access to cron jobs. They could allow and deny other users access to cron jobs, affecting the Scheduled Cron Jobs module. Proof of Concept: Affected Endpoint: GET...
Improper Privilege Management in rhizome-conifer/conifer
Description: In the admincontroller.py file, all APIs perform user permission checks using the admin_view function to avoid access from low-level users. However, this does not apply to the API /api/v1/admin/defaults. Anonymous users can change the max_size configuration, which prevents other users from creating...
Improper Access Control to Remote Code Execution
Description: In Webmin v1.984, affecting the File Manager module, any authenticated low-privilege user without access rights to the File Manager module could interact with file manager functionalities such as downloading a file from a remote URL and changing file permissions (chmod). It is possible to achieve...
Cross-site Scripting (XSS) - Stored
Description: The application does not escape special characters before output to the frontend (FE), leading to stored XSS. Proof of Concept: 1. Go to Content > Menus or Content > Items. 2. Add an item with the title set to an XSS payload, e.g.: Title" 3. Save Draft or Publish, then go to View/Preview Draft. XSS will be triggered...
Stack-based Buffer Overflow in vim/vim
Description: Buffer overflow occurs in ga_concat_shorten_esc. Commit: f5288c589500de0677444af4a428cfbccfccb8ce. Proof of Concept: poc: $ echo -ne "bm9ybTEwMGdy3YAKZnUgUigpCmxldCBsaW5lPWdldGxpbmUoMSkKcmV0dSBsaW5lCmVuZGYKCmNh bGwgYXNzZXJ0X2VxdWFsKDEsUigpKQo=" | base64 -d > poc. ASAN: $ ./src/vim.asan -u NONE...
in mruby/mruby
Description: Commit ecb28f4bf463483cf914c799d086b0cfff997aee. Proof of Concept (sh): ⚡ root@pocas /fuzz/mruby2 master ± echo "P2MKWyoqMCwqKjgsbTowXQSAPRpbAAB7" | base64 -d > poc1 ⚡ root@pocas /fuzz/mruby2 master ± ./bin/mruby poc1 AddressSanitizer:DEADLYSIGNAL...
Open Redirect in archivy/archivy
Description: The application doesn't check the target website before redirecting, which leads to an open redirect vulnerability. Proof of Concept: Install the local service for testing. Step 1: Go to http://127.0.0.1:5000/login?next=%2F%2fevil.com Step 2: Enter valid credentials; you will be redirected to evil.c...
Open Redirect in ikus060/rdiffweb
Description: The application has an open redirect vulnerability because the data filtering process does not completely prevent attacks. Proof of Concept: Step 1: Visit https://rdiffweb-demo.ikus-soft.com/login/?redirect=//evil.com Step 2: Log in with a valid account; you will be redirected to evil.c...
OS Command Injection in part-db/part-db
Description: OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an...
Path Traversal in prasathmani/tinyfilemanager
Description: A path traversal vulnerability exists in Tiny File Manager, which allows the upload of files to an arbitrary location on the server. This flaw derives from the way the file upload/creation is handled when a file with the same name already exists in the target directory. Affected...
Improper Access Control in zulip/zulip
Description: According to the current design of the application, when the user wants to get the value of api_key, the API /json/fetch_api_key requires a password for authentication. However, the application has another API, routed at /json/users/me/api_key/regenerate, that allows regenerating the api_key value a...
Cross-site Scripting (XSS) - Stored in helloxz/onenav
Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execut...
in helloxz/onenav
Description: During comparisons of different variables, PHP will automatically convert the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12', or to check whether or not a string is empty by using a comparison like $string == True. This, however...
in medialize/uri.js
Description: Bypass for https://huntr.dev/bounties/1625558772840-medialize/URI.js/. urijs fixed the issue for CVE-2021-3647; however, an attacker can still exploit the issue due to case-sensitive checks in the earlier patch. An attacker can use case-insensitive protocol schemes like HTTP, htTP, HTtp, et...
in ionicabizau/parse-path
Description: parse-path is unable to detect the right resource. While parsing the http://[email protected] URL, parse-path thinks that the host/resource is example.com; however, the actual resource is 127.0.0.1. Proof of Concept (SSRF PoC, javascript): const parsePath = require("parse-path"); const axios...
in mruby/mruby
Description: There is a NULL pointer dereference in ary_concat (array.c:301). This bug has been found on the mruby latest commit hash ecb28f4bf463483cf914c799d086b0cfff997aee on Ubuntu 20.04 for x86_64/amd64. Proof of Concept: The crash is not reproducible in a debug build, so a release build config must ...
in thexxturboxx/dex2jar
Description: This vulnerability was originally reported to pxb1988/dex2jar, but is being re-sent for the maintained fork repository as requested. dex2jar is a set of tools to work with Android .dex and Java .class files. Among these tools, there is a tool called "dex2smali", and this tool allows a...
Cross-site Scripting (XSS) - Stored in alanaktion/phproject
Description: This is a vulnerability caused by incorrect patching of the vulnerability at https://huntr.dev/bounties/a465d272-35fc-4f9c-99f3-b89790c5ad1c/. For the API /files/@id/@name, the application performed the download action if the file was in SVG format...
Improper Access Control in alanaktion/phproject
Description: The application has a vulnerability that allows anonymous users to download files on the server. In addition, when an authenticated user deletes a file in an issue, the file is only unlinked, not completely deleted, on the server. This results in anonymous users being able to download the...
in alanaktion/phproject
Description: When the user clicks on the file, the application checks the Content-Type to decide whether to download or display the data directly. However, due to incorrect checking, a vulnerability exists that leads to stored XSS. I recommend that the force action rely on the file format instead ...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description: LiveHelperChat is vulnerable to stored XSS at the Company name field (customercompanynameValueParam parameter) in the Copyright settings tab of the Chat configuration page. Payload: constructor.constructor('alert(1)') Steps to reproduce: 1. Log in, then go to the Chat configuration page...
Improper Authorization in salesagility/suitecrm
Description: In SuiteCRM v7.12.4, affecting the Employee module, any user with the User Type of Regular User could export employee records via the /index.php?entryPoint=export endpoint. The prerequisite of this attack is knowing the user record ID, which can be obtained in the employees' section. The...