4072 matches found
Server-Side Request Forgery (SSRF)
Description Bypass of this report: https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369/ Proof of Concept Blacklist does not check for 0.0.0.0 PAYLOAD: http://0.0.0.0 This payload will be resolved to localhost python import socket from urllib.parse import urlparse PAYLOAD =...
Heap-based Buffer Overflow
Description Heap overflow occurs in winlbrchartabsize. commit :592f6250017c31c8996325403e511f4502077ba5 Proof of Concept poc $ echo -ne "c2UgZW5jb2Rpbmc9aXNvODg1OQpub3JtOnNlIAEbCnNlIHZhcnRhYnN0b3A9NDAwCm5vcm0waTAw CQQ=" | base64 -d poc Valgrind $ /valgrind/vg-in-place -s /vim-debug/src/vim -u NON...
Out-of-bounds Read
Description OOB read occurs in mrbarypush. commit : 5d9239c2c4644fa8a59d9f5159b4950569dd5e0e Proof of Concept poc $ echo -ne "WzpfXVswLDAsMCwwLDAsMCwwLDAsMCwwLDAsMCwwLDBdPTpO" | base64 -d poc ASAN $ ./bin/mruby poc AddressSanitizer:DEADLYSIGNAL...
Use of Out-of-range Pointer Offset
Description This issue occur in the v8.2.4428 version. Proof of Concept sh $ echo "dnMgIDPKKSAwMGNtZGxicmVh4OvbmfsA3ykA3/8wAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAhAAAA AAAAAODr3/f/fwAAAAAAAAAAAPZRIwAAAAAAa3N5bWxpbmsgCmJcJlx6cypcenMqQGU=" | base64 -d poc $ /valgrind/vg-in-place -s ./src/vim -u NONE -i NON...
NULL Pointer Dereference
Description NULL Pointer Dereference in MP4BOX Command MP4Box -info POC6 POC6 is here. ASAN result iso file Unknown box type url@ in parent dref iso file Unknown box type traj in parent moov iso file Unknown box type 80rak in parent moov iso file Incomplete box mdat - start 11495 size 901165 iso...
Multiple Open Redirect
Description In the /user/login endpoint, it doesnt check the value of the next parameter when the user is logged in and pass it directly to redirect which result to open redirect. The bug also exist in /user/logout, /user/register, /user/login, /user/resend-activation. Proof of Concept 1. Go to...
Unrestricted Upload of File with Dangerous Type
Description In recent Crater version bed05fc2 tag: 6.0.4 privileged user can upload PHP file as expense receipt. Proof of Concept POST /api/v1/expenses/59/upload/receipts HTTP/1.1 Host: 172.17.0.1:8888 User-Agent: Mozilla/5.0 X11; Linux x8664; rv:98.0 Gecko/20100101 Firefox/98.0 Accept: /...
Classic Buffer Overflow in john
Description For 1Password Cloud Keychain plugin, the length of inputs are not properly checked. Then inputs are copied to fixed length buffers. For example, creating a salt with a larger length allow a buffer overflow. Proof of Concept Using the cloudkeychain.hash file: $ ./run/john...
Heap-based Buffer Overflow in john
Description For PEM plugin, the length of the ciphertext is not properly checked. Then the ciphertext is copied to a fixed length buffer. Creating a ciphertext with a larger length allow a heap overflow. Proof of Concept Using the following file pem.hash bash $ ./congigure -enable-asan; make -j4;...
Cross-site Scripting (XSS) - Stored
Description Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Proof of Concept Steps to Reproduce:- = Install the WebApp and Setup it =...
Improper Access Control in File Manager module
Description In Webmin 1.984, any authenticated low privilege user who did not have access to the File Manager module could interact with a variety of file manager capabilities such as modifying file ownership chown, viewing file properties, listing or deleting files and directories on the server...
Relative Path Traversal to Remote Code Execution
Description Pandora FMS v7.0NG.759 allows relative path traversal in File Manager where a privileged user could upload a .php file outside the intended images directory which is restricted to execute the .php file. The impact could lead to Remote Code Execution with running application privilege...
Heap-based Buffer Overflow
Description heap-buffer-overflow /home/ubuntu/fuzz/radare2/libr/include/rendian.h:176 in rreadle32 Environment Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal radare2 5.6.3 27472 @ linux-x86-64 git.5.6.2 commit: d24dbb9fbb0b398a6a739847008ccef3ea7e687c ASAN...
NULL Pointer Dereference
Description NULL pointer dereference in binsymbols.c Environment bash Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal radare2 5.6.3 27472 @ linux-x86-64 git.5.6.2 commit: d24dbb9fbb0b398a6a739847008ccef3ea7e687c POC radare2 -AA -qq ./poc poc ASAN...
Cross-site Scripting (XSS) - Reflected
Description There is a Reflected cross site scripting issue chained using these endpoints: 1 /admin/content/0/edit 2 /apiqqalert1fca4/page Proof of Concept 1. Login to https://demo.microweber.org 2. Now visit https://demo.microweber.org/demo/admin/content/0/edit 3. Now open this url in same tab o...
Improper Access Control in Configuration (Credential store)
Description Pandora FMS v7.0NG.759 allows improper access control in Configuration Credential store where a user with the role of Operator Write could create, delete, view existing keys which are outside the intended role. Proof of Concept Affected endpoint: POST...
Insertion of Sensitive Information Into Debugging Code
Description Laravel debug mode exposes sensitive data, eg: internal source codes, stack traces, sql queries, databases names, tables names, user's cookies, email, phone number, username, laravel version, php version, etc Proof of Concept 1. Login into http://demo.microweber.org 2. Navigate to thi...
Cross-site Scripting (XSS) - Reflected
Description The endpoint https://demo.microweber.org/demo/admin/post/id/edit is vulnerable to cross site scripting. The "Edit source" field is affected. Proof of Concept 1. Login into https://demo.microweber.org 2. Navigate to https://demo.microweber.org/demo/admin/post/25/edit 3. click EditSourc...
Insecure Storage of Sensitive Information
Description:- When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of microweber users like their Geolocation, their Device information like Device Name, Version, Software & Software version...
Denial of Service
Description A malformed mdmp file causes a DoS attack and leads to resource exhaustion. Proof of Concept bash printf "%s" "TURNUJOnkwAA9f8AIwAAAAAAAAAA4FJj5gADAAAAGwAAAAAEAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAA" | base64 -d /tmp/a strace r2 /tmp/a This hangs and leads to resource exhaustion...
Cross-Site Request Forgery (CSRF) to User Privilege Escalation
Description Pandora FMS v7.0NG.759 allows Cross-Site Request Forgery in Bulk operation User operation resulting in elevation of privilege to Administrator group. Detail Version: Pandora FMS v7.0NG.759 - OUM 759 - MR 51 Affected components: Console Proof of Concept Affected Endpoint: POST...
NULL Pointer Dereference
Description Null pointer dereferencing occurs in finducmd. commit : cdf717283ca70b18f20b8a2cefe7957083280c6f Proof of Concept $ echo -ne "dGFiZQpzaWwwbm9ybTBxL2cJOkkb" | base64 -d poc Valgrind $ /valgrind/vg-in-place -s ./src/vim-u NONE -i NONE -n -X -Z -e -m -s -S poc -c ":qa!" ==1411416==...
Cross-site Scripting (XSS) - Reflected
Description Hi, The endpoint https://demo.microweber.org/demo/admin/page is vulnerable to Cross Site Scripting. Proof of Concept 1. just navigate to the poc url:...
Cross-site Scripting (XSS) - Stored
Description Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage. I used &10 Line Feed character in the href attribute of tag to bypass th...
Uncaught Exception
Description The application is not able to handle errors, leading to expose of internal files paths. Vulnerable POC Url: https://demo.microweber.org/demo/api/saveedit Vulnerable Endpoint: demo/api/saveedit Vulnerable Parameter: database64= Request Method: POST Proof of Concept 1. Send a POST...
Use of Out-of-range Pointer Offset
Description Using out-of-range Pointer Offset occurs in unixexpandpath. commit : e89bfd212b21c227f026e467f882c62cdd6e642d Proof of Concept $ echo -ne "c2UgbWwgd2ljCnRj+42NjaYq" | base64 -d poc valgrind $ /valgrind/vg-in-place -s /vim-debug/src/vim.debug -u NONE -i NONE -n -X -Z -e -m -s -S poc -c...
Authorization Bypass Through User-Controlled Key
Description Bypass https://hackerone.com/reports/496293 via \b backspace character. Proof of Concept const parse = require'./index.js' url = parse'\bhttp://google.com' console.logurl Result: slashes: false, protocol: '', hash: '', query: '', pathname: '\bhttp://google.com', auth: '', host: '',...
Open Redirect on Rudloff/alltube
Description Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain...
Use multiple time the one-time coupon
Description I create a coupon only for one user and a one-time use coupon. Then create two users, and both of them can use the coupon, but only one of them should be able to use the coupon. Proof of Concept first, create a one-time and one-user coupon code that, e.g. is aaaaa. the attacker has tw...
Business Logic Errors
Description I found a IDOR vulnerability where we can able to delete their product in the cart by the id parameter Steps to Produce: First add any product in to the cart and checkout In the checkout page , we can see the cart details and we have functionality to delete the product also I gave the...
Cross-site Scripting (XSS) - Stored
Stored-xss is possible when adding a rule. Create a new Alert Rule like below and adjust the query like below with the following payload " Save the rule and see a xss-pop up...
Cross-site Scripting (XSS) - Reflected
Description Can escape the meta tag because the user doesn't escape the double-quote in the $redirectUrl parameter when logging out. Proof of Concept txt https:///demo/api/logout?redirectto=/asdf" Impact Through this vulnerability, an attacker is capable to execute malicious scripts...
Path Traversal in silvanmelchior/RPi_Cam_Web_Interface
Description A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash ../” sequences and its variations or by using absolute file paths, it may be...
Heap-based Buffer Overflow
Description There is a heap corruption when r2 processes a crafted dyldcache file. Confirmed on the latest release 5.6.2 and the master branch. Proof of Concept bash printf "%s"...
Authorization Bypass Through User-Controlled Key
Description url-parse is unable to find the correct hostname when no port number is provided in the url. Payload: http://example.com: Proof of Concept javascript var Url = require'url-parse'; var PAYLOAD = "http://example.com:"; // Expected hostname: example.com // Actual hostname by url-parse:...
Cross-site Scripting (XSS) - Generic
Description The user-controlled GET user parameter in index.php is unsanitized resulting in Cross-Site Scripting. Proof of Concept Endpoint: GET https://HOST/edit/user File: /web/edit/user/index.phpL11 // Check user argument if empty$GET'user' header"Location: /list/user/"; exit; Request...
Arbitrary Command Injection
Description When creating a strapi app using npxcreate-strapi-app, we can inject arbitrary commands through the template cli argument as per the code in this particular link https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.jsL13, this happens due t...
Cross-site Scripting (XSS) - Reflected
Description The user-controlled GET domain parameter in index.php is unsanitized resulting in Reflected Cross-Site Scripting. Proof of Concept Endpoint: GET https://HOST/edit/web/ // File: /web/edit/web/index.phpL28 // List domain $vdomain = $GET'domain'; // User controllable parameter if...
Improper Input Validation
Description There is a lack of input length validation in phone number field at the checkout product where any user may able to add more than 5000+ character which shouldn't be allowed . Our expected result should be only 255 character should be allowed Steps to Reproduce In the Shop , checkout...
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/
Description The Introduction of a New Line Character lets the attacker the stack trace at demo.microweber.org/ This Attack becomes more significant because of its Less complication. The Stack trace discloses following information : 1. Backend Response code. 2. The Versions of Backend Laravel...
in microweber/microweber
Description There is no input field length in update username where any user can able to add large number of characters like imagine we can add more 5000+ character on to the update name field . Steps to Reproduce Visit the particular URL Vulnerable-link Where there is a functionality to update o...
Heap-based Buffer Overflow in gpac/gpac
Description Heap-based Buffer Overflow in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1762-g90a145735-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929...
Improper Authorization in webmin/webmin
Description The /cron/saveallow.cgi endpoint is accessible to any authenticated low privilege users resulting in controlling user access to cron jobs. They could allow and deny other users access to cron jobs affecting the Scheduled Cron Jobs module. Proof of Concept Affected Endpoint: GET...
Improper Privilege Management in rhizome-conifer/conifer
Description In admincontroller.py file, all APIs will perform user permission checks using adminview function to avoid access from low-level users. However, this does not apply to API /api/v1/admin/defaults. Anonymous users can change maxsize configuration which prevents other users from creating...
Improper Access Control to Remote Code Execution
Description In Webmin v1.984, affecting File Manager module, any authenticated low privilege user without access rights to the File Manager module could interact with file manager functionalities such as download file from remote URL and change file permission chmod. It is possible to achieve...
Cross-site Scripting (XSS) - Stored
Description The application does not escape special characters before output to FE, lead to stored XSS. Proof of Concept 1. Go to Content Menus or Content Items. 2. Add an Item with the title set to XSS payload, e.g: Title" 3. Save Draft or Publish Go to View/Preview Draft. XSS will be triggered...
Stack-based Buffer Overflow in vim/vim
Description Buffer overflow occurs in gaconcatshortenesc. commit : f5288c589500de0677444af4a428cfbccfccb8ce Proof of Concept poc $ echo -ne "bm9ybTEwMGdy3YAKZnUgUigpCmxldCBsaW5lPWdldGxpbmUoMSkKcmV0dSBsaW5lCmVuZGYKCmNh bGwgYXNzZXJ0X2VxdWFsKDEsUigpKQo=" | base64 -d poc ASAN $ ./src/vim.asan -u NONE...
in mruby/mruby
Description commit ecb28f4bf463483cf914c799d086b0cfff997aee Proof of Concept sh ⚡ root@pocas /fuzz/mruby2 master ± echo "P2MKWyoqMCwqKjgsbTowXQSAPRpbAAB7" | base64 -d poc1 ⚡ root@pocas /fuzz/mruby2 master ± ./bin/mruby poc1 AddressSanitizer:DEADLYSIGNAL...
Open Redirect in archivy/archivy
Description The application doesn't check the target website before redirecting leads to Open Redirect vulnerability. Proof of Concept Install local service for testing - Step 1: Go to http://127.0.0.1:5000/login?next=%2F%2fevil.com - Step 2: Enter valid credential, you will be redirect to evil.c...
Open Redirect in ikus060/rdiffweb
Description The application has an Open Redirect vulnerability because the data filtering process does not completely prevent attacks. Proof of Concept - Step 1: Visit https://rdiffweb-demo.ikus-soft.com/login/?redirect=//evil.com - Step 2: Login with valid account, you will be redirect to evil.c...