in mruby/mruby
Description Using out of range pointer occurs in entry_deleted_p. commit : ad3ce7b41c4375f818d02a24e6a09cbc790048c9 Proof of Concept $ echo -ne "MC5TJDAsKir9PTAsdjowLHY6MA==" | base64 -d > poc ASAN $ ./bin/mruby.asan poc AddressSanitizer:DEADLYSIGNAL...
in unshiftio/url-parse
Description Incorrect conversion of @ in the protocol of the href leads to improper validation of the hostname. Proof of Concept url-parse is not able to verify a broken protocol. This allows bypassing hostname validation. parse = require('url-parse'); console.log(parse("http:@/127.0.0.1")) Now imagine if the...
Improper Authorization in chocobozzz/peertube
Description The app doesn't check the status of the video when making data changes. Normal users can create a new comment or reply to a comment on private videos. Proof of Concept note: I'm using instance p.lu for testing - Step 1: Login as video test1 and upload a private video. Get the video ID of the private video...
Improper Access Control in chocobozzz/peertube
Description The app doesn't check the status of the video when making data changes. Normal users can rate (like or dislike) private videos. Proof of Concept note: I'm using instance p.lu for testing - Step 1: Login as video test1 and upload a private video. Get the video ID of the private video - Step 2: Ca...
Improper Access Control in salesagility/suitecrm
Description In SuiteCRM v7.12.4, affecting the Users module, any user with the User Type Regular User could modify other users' profiles via the update profile section. The prerequisite of this attack is knowing the user record ID and username (User Name) respectively. The user record ID can be...
Improper Access Control in liangliangyy/djangoblog
Description The "form_valid" function in the comments/views.py file performs the task of saving user comments. However, this function doesn't check the status of the article, so users can leave comments on a draft article or on a public article whose comment_status is off. Proof of Concept - Step 1: Login as admin in...
in microweber/microweber
Description Sensitive information as part of the error is disclosed while viewing comments from "loadmodule:commentssearch=" Proof of Concept 1. Login to https://demo.microweber.org 2. Visit https://demo.microweber.org/demo/admin/view:modules/loadmodule:commentssearch= 3. Now enter anythi...
Open Redirect in microweber/microweber
Description An Open Redirect vulnerability enables an attacker to redirect victims/users to malicious websites. The bug exists due to an improper fix of https://huntr.dev/bounties/c9d586e7-0fa1-47ab-a2b3-b890e8dc9b25/. By adding an extra slash / the previous fix can be bypassed. Proof of Concept...
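The "extra slash" bypass above is what happens when a redirect target is checked by looking at its leading characters instead of resolving it. The following is an added example, not microweber's code and not from the report: it resolves the target against an assumed site origin (`https://shop.example`) with the WHATWG URL parser and accepts it only when the resolved origin is unchanged. `naiveSlashCheck` is a hypothetical stand-in for the kind of prefix check the report describes as bypassed, included only to show the contrast.

```javascript
// Added example (not microweber's code): validate a redirect target by
// resolving it against the site origin and comparing origins, so that
// "//evil", "///evil" and "/\evil" cannot escape to another host.

const SITE_ORIGIN = "https://shop.example"; // assumed origin, for illustration

// Returns the absolute URL to redirect to, or null when the target must be
// refused. Resolving with the WHATWG parser is what makes the slash tricks
// visible: a target beginning with "//" or "/\" (any number of slashes) is
// scheme-relative and resolves to a different host, even though it "starts
// with a slash".
function safeRedirectTarget(target, siteOrigin = SITE_ORIGIN) {
  if (typeof target !== "string" || target.length === 0) return null;
  let resolved;
  try {
    resolved = new URL(target, siteOrigin);
  } catch (e) {
    return null; // unparseable input: refuse rather than guess
  }
  // Origin comparison covers scheme, host and port in one check; it also
  // rejects "javascript:" and "data:" targets, whose origin is "null".
  if (resolved.origin !== siteOrigin) return null;
  return resolved.href;
}

// Hypothetical prefix check of the shape the report describes as bypassed:
// it refuses "//host" (protocol-relative) but lets "///host" through, which
// the browser still resolves to another host.
function naiveSlashCheck(target) {
  return target.startsWith("/") && !/^\/\/[^\/]/.test(target);
}
```

The origin comparison is deliberately the only rule: anything that does not resolve back onto the site, whatever the surface form, is refused, so there is no list of slash or backslash variants to keep complete.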
Business Logic Errors in microweber/microweber
Description The product is vulnerable to a business logic error through a negative product amount. Proof of Concept Step 1: Login to the application, navigate to Shops - Products - Add Product Step 2: Fill in all the required details with the Pricing parameter as -100 and click on save. Here an item is...
Cross-site Scripting (XSS) - Stored in librenms/librenms
Description Stored XSS in create/modify Transport Groups, Add/Edit Service and Edit Service Template. Proof of Concept Payload: ' PoC image: XSS payload in create/modify Transport Groups, XSS payload in Add/Edit Service, XSS payload in Edit Service Template. XSS will fire when a user visits: 1...
Improper Authorization in librenms/librenms
Description LibreNMS v22.1.0 allows users with the normal role/level to interact with the plugin settings, so that these users can take actions such as switching on/off any installed plugins, which are supposed to be accessible by the Administrator only. Proof of Concept Affected endpoints: GET...
Exposure of Sensitive Information to an Unauthorized Actor in librenms/librenms
LibreNMS v22.1.0 allows users with the normal role/level to view/access the alert transport details. The alert transport may expose sensitive information to an actor that is not explicitly authorized to have access to that information, which is supposed to be accessible by the Administrator only. Pro...
Improper Access Control in librenms/librenms
Description Improper Access Control vulnerability in LibreNMS v22.1.0 allows attackers with the normal role/level to interact with the port-groups functionality, such as creating, editing/modifying and deleting an existing port group. The port-groups functionality fails to enforce policy such that normal users...
Cross-site Scripting (XSS) - Generic in librenms/librenms
Description Cross-Site Scripting vulnerability in LibreNMS v22.1.0 which allows attackers to execute arbitrary JavaScript code, affecting the Alerts module (Alert Transport, Transport name field). Proof of Concept Endpoint: POST http://HOST/ajaxform.php - Parameter: name Payload: ' XSS will...
Cross-site Scripting (XSS) - Stored in librenms/librenms
Description Cross-Site Scripting vulnerability in LibreNMS v22.1.0 which allows attackers to execute arbitrary JavaScript code in the browser of a victim, affecting the Devices module (Add Device) in the sysName, Hardware and Community fields. Proof of Concept Endpoint: POST http://HOST/addhost...
SQL Injection in salesagility/suitecrm
Description In SuiteCRM v7.12.4, a malicious user can inject a SQL query in order to affect the execution of predefined SQL commands, leading to database leakage. Proof of Concept The $_POST['record'] parameter (1) is controllable by a user and is concatenated into a SQL query (2) without validation...
Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch
Description The Authorization header leaks on a same-hostname https-to-http redirect. If https://example.com redirects to http://example.com, then an attacker who can listen on the wire or perform a MITM attack will be able to receive the Authorization header due to the use of insecure HTTP...
Insecure Storage of Sensitive Information in chatwoot/chatwoot
BUG: Stored XSS via Referer URL allows hijacking the victim's access token. STEPS TO REPRODUCE: 1. From the admin account go to https://app.chatwoot.com/app/accounts/42689/settings/inboxes/list and create an inbox of type website. Now get your configuration script from this inbox and...
Heap-based Buffer Overflow in mruby/mruby
Description Heap Overflow occurs in mrb_f_send. commit : 38b164ace7d6ae1c367883a3d67d7f559783faad Proof of Concept $ echo -ne "c2VuZCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2Vu ZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiCg==" | base64 -d > poc ASAN ...
Cross-site Scripting (XSS) - Reflected in gnuboard/gnuboard5
Description https://github.com/gnuboard/gnuboard5/blob/v5.4.22/mobile/shop/lg/mispwapurl.php#L7 has no filtering for the variable, so attackers can trigger Reflected XSS via $_GET['LGDOID']. Proof of Concept /mobile/shop/lg/mispwapurl.php?LGDOID=%3Cscript%3Ealert(1)%3C/script%3E Impact Attacker can...
Exposure of Sensitive Information to an Unauthorized Actor in snipe/snipe-it
Description An attacker can enumerate users through the response message in the password reset page. When you visit the password reset page, you will be provided with the option to enter your email address. Let's use two different emails, one will be a valid address, and another will be an invali...
in snipe/snipe-it
Description An attacker can enumerate users through the response time in the password reset page. When you visit the password reset page, you will be provided with the option to enter your email address. Let's use two different emails, one will be a valid address, and another will be an invalid...
in liangliangyy/djangoblog
Description The application leaks emails of unvalidated users to anonymous users. Proof of Concept - Step 1: Go to http://127.0.0.1:8000/register and create an account. After successful creation you will receive a URL like http://127.0.0.1:8000/account/result.html?type=register&id=4 - Step 2: Open another...
Cross-site Scripting (XSS) - Reflected in orchardcms/orchardcore
Description Reflected XSS is found under Design > Shortcode > New Shortcode Proof of Concept POC Video https://drive.google.com/file/d/1yFfa7g8MMUvJrrKTpJXZEHhQLRSZ1Cii/view?usp=sharing Impact Through this vulnerability, an attacker is capable of executing malicious scripts...
Improper Privilege Management in snipe/snipe-it
Description It was found that if a user does not have access to the supplier module, he can still access and view the supplier content. Proof of Concept 1. Create two users, one admin and one normal user. 2. The normal user does not have access to the supplier module. 3. But by enumeration the normal user vie...
Exposure of Sensitive Information to an Unauthorized Actor in ionicabizau/parse-url
Description First assume this example: var parseUrl = require("parse-url"); parseUrl("http://[email protected]:[email protected]/path/name?foo=bar&bar=42#some-hash") which returns: protocols: ["http"] protocol: "http" port: null resource: "[email protected]" user: "" pathname:...
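Both the url-parse entry above and this parse-url entry are the same failure: a hand-rolled parser disagrees with the browser about where the authority ends, so a hostname check sees one host while the request goes to another. The following is an added example, not code from url-parse, parse-url or either report: a fail-closed check for an outbound request target built on the WHATWG parser that ships with Node (the global `URL`), which ends the userinfo at the last `@` and treats a special scheme with an empty host as a parse failure. The allowlist (`api.example.com`) and all inputs are constructed for illustration; `naivePrefixCheck` is a hypothetical stand-in for the string comparison such bugs bypass.

```javascript
// Added example (not url-parse's, parse-url's or any reporter's code): a
// fail-closed host check for outbound requests. The WHATWG parser resolves
// "@" the way browsers do: the last "@" ends the userinfo, and a special
// scheme (http/https) with an empty host does not parse at all.

const ALLOWED_HOSTS = new Set(["api.example.com"]); // assumed allowlist

// Returns { ok, hostname, reason }. Anything the parser rejects is refused;
// a target is accepted only when scheme, userinfo and host all check out.
function checkOutboundTarget(input, allowed = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return { ok: false, hostname: null, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, hostname: url.hostname, reason: "scheme" };
  }
  if (url.username !== "" || url.password !== "") {
    // Credentials in the URL are the usual carrier for host confusion
    // ("https://trusted@attacker"); refuse them outright.
    return { ok: false, hostname: url.hostname, reason: "userinfo" };
  }
  if (!allowed.has(url.hostname)) {
    return { ok: false, hostname: url.hostname, reason: "host" };
  }
  return { ok: true, hostname: url.hostname, reason: null };
}

// Hypothetical check of the shape these reports bypass: a string comparison
// that never finds out where the authority actually ends.
function naivePrefixCheck(input) {
  return input.startsWith("https://api.example.com");
}
```

Note that `hostname` is reported even when the check fails; logging it shows, for `https://api.example.com@127.0.0.1/`, that the request would have gone to `127.0.0.1` while the prefix check was satisfied by the userinfo.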
Cross-site Scripting (XSS) - Reflected in cortezaproject/corteza-server
Description The logout function doesn't clean/filter the value of the "back" parameter before reflecting it into the HTML code, leading to a Reflected XSS vulnerability. Proof of Concept Visit URL: https://latest.cortezaproject.org/auth/logout?back=%22%3E%3Cscript%3Ealert(origin)%3C/script%3E%3C%22 Poc:...
Code Injection in publify/publify
Description The application doesn't check/filter the comments provided by the user before saving them to the database. An attacker can't insert JS code to steal the admin's data but can insert HTML code, which leads to many information security risks. Proof of Concept - Step 1: Go to...
Heap-based Buffer Overflow in vim/vim
Description Heap overflow occurs in ex_retab. commit : 414acd342f4a66d930da34d419929985b48bd301 Proof of Concept $ echo -ne "ZnUgUihiLG4pCmxldCBvbGRfdGFic3RvcD0mdGFic3RvcApleGUicmV0ImE6bgppZiBhOm4KZXhl J3NlIHRhYnN0b3A9Jy5vbGRfdGFic3RvcAplbApjYWwgbCgiIixSKCcnLDQpCmNhbCBsKCIiLFIo...
in gravitl/netmaker
Description Netmaker is an application that enables easy deployment of a mesh VPN based on WireGuard. To authenticate and manage users throughout the application, JWT tokens are used. The secret key used to sign these tokens is hard-coded in the code, which means they can be forged. So, an attack...
Exposure of Sensitive Information to an Unauthorized Actor in fgribreau/node-request-retry
Reported on Feb 10 2022 | Timothee Desurmont Vulnerability type: CWE-200 Bug Cookies are leaked to external sites. Description request($mysite/redirect.php?url=$attacker/, options) When fetching a Redirect...
Inefficient Regular Expression Complexity in gitpython-developers/gitpython
Description In the latest version of GitPython (cd29f07b) I discovered a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). Proof of Concept PoC based on code in git/remote.py: import logging import re logging.basicConfig(format='%(asctime)s - %(levelname)s:...
in snipe/snipe-it
Description An unprivileged user can get suppliers. Proof of Concept 1. Create a regular user and set DENY on all permissions in the asset and supplier models. 2. Login as the user and send the request below to get suppliers: await fetch("https://demo.snipeitapp.com/api/v1/suppliers/selectlist?page=1",...
Improper Access Control in publify/publify
Description Article in draft mode can only be accessed by admins who have permission to manage article. Anonymous users can't view but can leave comments on article in draft mode. The cause of the vulnerability is that the draft article is setting to comment enabled and createcomment function onl...
Improper Privilege Management in snipe/snipe-it
Description An unprivileged user can create maintenance for an asset. Proof of Concept 1. Create a regular user and set DENY on all permissions in the asset model. 2. Login as the user and send the request below to create maintenance for an asset: await fetch("https://demo.snipeitapp.com/hardware/maintenances",...
Path Traversal in pimcore/pimcore
Description The application doesn't perform a check/filter against the value of "importFile" parameter at endpoint "/admin/translation/import". After the API is executed, PHP unlink function will proceed to delete the file. Proof of Concept - Step 1: Login as admin at...
Improper Access Control in liukuo362573/yishaadmin
Description https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/UploadFile" that allows uploading files without authentication. Root cause: the server doesn't check the user's permission when the attacker accesses the endpoint. After that, the server will directly call the UploadFile function wi...
None in radareorg/radare2
Description Use After Free occurs in r_io_bank_map_add_top. commit : 4d75eeb99a0d913e9b443e7aaf73aa44a323739d Proof of Concept $ echo -ne "VlowMFcwMOEwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwEDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw...
Heap-based Buffer Overflow in mruby/mruby
Description Heap Overflow occurs in mrb_f_send. commit : d912b864df3199f2108601a0451532c587a5e830 Proof of Concept $ echo -ne "c2VuZCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2Vu ZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5k IgAAAAo=" | base64...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Description In order to render raw HTML in Vue.js you may use v-html attribute, which opens a door for XSS in case of malicious input. Chatwoot actually uses it in several places, such as...
Cross-site Scripting (XSS) - Reflected in phoronix-test-suite/phoronix-test-suite
Description Hi, I found a Reflected XSS vulnerability (POST-based XSS + no CSRF token) in Phoronix Test Suite, Results tab. Proof of Concept Install a local instance of Phoronix and create a Search results form like this: // PoC.html history.pushState('', '', '/'); document.forms[0].submit(); // and send to...
Cross-site Scripting (XSS) - Stored in microweber/microweber
Description There is a reflected XSS in the create and search tag function, where any user can execute malicious code, resulting in cookie stealing or an account takeover vulnerability. Steps to Reproduce: Go to this particular URL URL Click on live edit, now in the tag section select the...
in vim/vim
Description Using out of range pointer offset occurs in enter_buffer. commit : b247e0622ef16b7819f5dadefd3e3f0a803b4021 This case is created to correct the previous issue. Proof of Concept $ echo -ne "ZnUgUigpCnRhYjBsb3AKZTAKbGYKZW5kZgpjYWwgUigpCm5vcm0XFjAKY2FsIFIoKQpidw==" | base64 -d > mpoc Valgri...
Cross-site Scripting (XSS) - Stored in ptrofimov/beanstalk_console
Description Stored XSS in parameter 'host' when adding a server. Proof of Concept // PoC.req GET / HTTP/1.1 Host: 127.0.0.1:8088 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0 Accept:...
in mruby/mruby
Description commit 4e8ab145da52c3cfb0bd4b823df8041dcc52f454 Author: Yukihiro "Matz" Matsumoto Date: Tue Feb 8 13:03:51 2022 +0900 Proof of Concept $ echo -ne "e30KWyoqMCxtOjBdBHM9MDYudGl0ZXN7My7+////c3slXSN7W11lYWsKYj17fQpbKiowLG06MF3/...
Cross-site Scripting (XSS) - Reflected in effgarces/bookedscheduler
1. Set up Booked Scheduler locally. URL like the following: http://192.168.5.5/phpsch/ Attacker 2. Login as a valid user. 3. Make a reservation from the dashboard. 4. Open the information you reserved. URL like the following: http://192.168.5.5/Web/reservation.php?rn=62020af2eee4d833634703 5. The...
Improper Access Control in liukuo362573/yishaadmin
Description https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/DeleteFile" that allows deleting files without authentication. Root cause: the server doesn't check the user's permission when the attacker accesses the endpoint. After that, the server will directly call the delete function with th...
Path Traversal in liukuo362573/yishaadmin
Description https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/DownloadFile" that allows downloading/deleting files without authentication. In addition, this endpoint has a path traversal vulnerability that allows arbitrary file read/delete. Proof of Concept - using BurpSui...
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects/follow-redirects
Note Reclarification of https://huntr.dev/bounties/6d9fd2bf-39e4-4291-b228-30f131b9ccdc/ Description The Authorization header leaks on a same-hostname https-to-http redirect. If https://example.com redirects to http://example.com, then an attacker who can listen on the wire or perform a MITM atta...
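The node-fetch entry earlier on this page and the follow-redirects entry above describe the same downgrade leak: the client keeps sending Authorization because the hostname is unchanged, even though the scheme has dropped from https to http. The following is an added example, not node-fetch's or follow-redirects' own code: a small redirect follower that carries credential headers (Authorization, Proxy-Authorization, Cookie) across a hop only when scheme and host:port are both unchanged, so a same-host https-to-http hop is treated as a new origin. The transport is a constructed response table standing in for the server in the reports; the URLs and the bearer token are made up for illustration.

```javascript
// Added example, not node-fetch's or follow-redirects' own code: a redirect
// follower that decides per hop which request headers may be carried along.
// Credentials follow a redirect only when scheme and host:port are unchanged;
// an https -> http hop to the same host is a downgrade and counts as a new
// origin, so the Authorization header is dropped before the plaintext request.

const CREDENTIAL_HEADERS = new Set(["authorization", "proxy-authorization", "cookie"]);

function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl), b = new URL(toUrl);
  return a.protocol === b.protocol && a.host === b.host; // host includes the port
}

// Returns the header set to send on the next hop.
function headersForHop(fromUrl, toUrl, headers) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Walks a redirect chain. fetchOnce(url, headers) is a stand-in for the
// transport and returns { status, location }. The function returns the list
// of hops actually sent, each with the headers used, so a leak (or its
// absence) is observable rather than hidden inside the transport.
function followRedirects(startUrl, headers, fetchOnce, maxRedirects = 5) {
  const hops = [];
  let url = startUrl;
  let current = { ...headers };
  for (let i = 0; i <= maxRedirects; i++) {
    hops.push({ url, headers: current });
    const res = fetchOnce(url, current);
    if (res.status < 300 || res.status >= 400 || !res.location) return hops;
    const next = new URL(res.location, url).href; // Location may be relative
    current = headersForHop(url, next, current);
    url = next;
  }
  throw new Error("too many redirects");
}

// Constructed responses (not captured traffic) standing in for a server whose
// HTTPS endpoint bounces to plain HTTP on the same host, the case in the reports.
const CONSTRUCTED_RESPONSES = {
  "https://api.example.com/v1/me": { status: 302, location: "http://api.example.com/v1/me" },
  "http://api.example.com/v1/me": { status: 200 },
  "https://api.example.com/old": { status: 301, location: "/v1/me" },
};

function constructedFetch(url) {
  return CONSTRUCTED_RESPONSES[url] || { status: 404 };
}

// Runs the downgrade chain with a made-up bearer token and returns the hops.
function demo() {
  return followRedirects(
    "https://api.example.com/v1/me",
    { Authorization: "Bearer token-for-demo", Accept: "application/json" },
    constructedFetch
  );
}
```

Comparing protocol and host together, rather than hostname alone, is the whole fix: a hostname-only comparison is exactly what lets the plaintext hop inherit the header. Non-credential headers such as Accept are carried across every hop unchanged.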
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. A stored XSS vulnerability occurs when you change the value of Abbreviation, Longname, Converter Service at "Settings" > "Data Objects" > "Quantity Value" in the...