4072 matches found
Heap-based Buffer Overflow in vim/vim
Description Heap Overflow in exretab. This issue was created to separate the previous issue. This bug has already been fixed with patch 8.2.4245. Proof of Concept $ echo -ne "bm9ybTBvMDAwMDAwMDAwMDAwMDAwMDAwMDD/MJMwMDAKc2lsIW5vcm0WYxwwMAkwCmZ1IFJldGFi...
in radareorg/radare2
NULL pointer dereference in loadbuffer radare2 suffers from a NULL pointer dereference error in loadbuffer of binxnukernelcache.c Environment date Fri Jan 28 11:03:53 PST 2022 uname -ms Linux x8664 ./radare2 -v radare2 5.5.5 27531 @ linux-x86-64 git.5.5.4 commit:...
Cross-site Scripting (XSS) - Reflected in phpipam/phpipam
Description Reflected XSS attacks AKA non-persistent attacks when a malicious script is reflected off of a web application to the victim’s browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. The...
Business Logic Errors in dolibarr/dolibarr
Description Dolibarr is vulnerable to Business Logic Errors in the Weight, Length x Width x Height, Area, Volume fields of a Product since these values can be negative numbers. Proof of Concept 1.After login, in the top menu bar, click Products 2.In the left menu bar, click List to view the list ...
Open Redirect in alanaktion/phproject
Description Open Redirect in Login page due to unchecked to parameter. Proof of Concept Send users the following link https://demo.phproject.org/login?to=//example.com After users use their registered account to login, they will be redirected to example.com Impact By modifying the URL value to a...
Open Redirect in alanaktion/phproject
Description Bypass open redirect protection Proof of Concept patch for this report https://huntr.dev/bounties/1183df1a-5243-42f9-a263-267b92444b03/ easily can be bypassed Bypass url https://demo.phproject.org/login?to=//example.com...
None in vim/vim
Description Use after free occurs in skipwhite function charset.c:1474. commit : 166788c657f4b1090a31ea37a023b1f2c78790c8 Proof of Concept $ echo -ne "ZnUgUmUwYTAoZyxuKQp+CnMvCnIwIzAKZW5kZgpzL1wlJykvXD1hMDAwKDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwLCBSZTBhMCgnJywwMDApMDA=" | base64 -d...
Heap-based Buffer Overflow in vim/vim
Description Heap-buffer-overflow on read in yankcopyline This issue was created to separate this one and was fixed with Patch 8.2.4219. Proof of Concept Steps to reproduce: echo -n c2lsIW5vcm0wbxSA/zAWenk= | base64 -d heapowpoc3 vim -u NONE -i NONE -n -X -Z -e -m -s -S heapowpoc3 -c :qa! Sanitize...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Livehelperchat is vulnerable to stored cross site scripting. Proof of Concept 1 . Login to the demo account 2 . Go to settings -- Live help configuration --Visual settings for the visitor -- widget theme --new -- name field 3 . Add payload in name field and click save 4 . Go to settin...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Stored XSS at the Name and Surname fields in the User account page. Payload constructor.constructor'alert1' Steps to reproduce 1.Login then go to User account page https://demo.livehelperchat.com/siteadmin/user/account 2.In the Name and Surname fields,...
Business Logic Errors in crater-invoice/crater
Description It is found that comapny currency can not be changed since the field is disabled as shown in the screenshot but it can be changed by tampering the parameter. Proof of Concept Actual Request POST /api/v1/company/settings HTTP/1.1 Host: demo.craterapp.com User-Agent: Mozilla/5.0 Windows...
Cross-site Scripting (XSS) - Stored in microweber/microweber
Description Stored XSS occurs when changing a user's profile Proof of Concept txt XSS POC : "alertdocument.domain 1. Open the https://demo.microweber.org/demo/admin 2. Go to "Users" "Edit profile" 3. Change the value of "First Name" to XSS PoC 4. Refresh Impact Through this vulnerability, an...
in delgan/loguru
Description Loguru is vulnerable to log injection on all logging methods as it is possible to inject newlines "\n" which will create a new log entry in the logfile. This can lead to attackers tampering with logs and a loss of integrity of the log files as a result Proof of Concept from loguru...
Cross-Site Request Forgery (CSRF) in crater-invoice/crater
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS is found in SettingsLive help configurationDepartments-Departments groups-edit When a user creates a new webhook under the NAME field and puts a payload constructor.constructor'alert1', the input gets stored, at user edit groupname , the payload gets executed. Proof of...
Stack-based Buffer Overflow in vim/vim
Description Stack overflow occurs in spellsuggest.c. commit : 44db8213d38c39877d2148eff6a72f4beccfb94e Proof of Concept $ echo -ne "bm9ybRZzMDAwRzAw/TAwMDAwMDAwMDAwMApzaWwwbm9ybS4udnpHLi4uLi4uLi4uLi4uLi4uLnZ2 ekcwICAgICB2IHo9" | base64 -d minimizedpoc Valgrind $ ./vg-in-place -s...
Use of a Broken or Risky Cryptographic Algorithm in x360ce/x360ce
Description The password-generation algorithm used in the function NewPassword simply adds bias to the output password instead of making it easier to remember. Proof of Concept - Use the NewPassword function a large amount of times and store the output. - Look at the frequency of each character o...
in x360ce/x360ce
Description x360ce uses the .NET Random and Guid classes to generate random numbers/bytes that are used for sensitive purposes . Proof of Concept None provided. Impact This vulnerability is capable of allowing attackers to predict sensitive information on x360ce's backend see the 'occurances'...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Vuln : Stored XSS Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you change the value of name at "Setinngs" = "Website Settings" in the pimcore service. Proof of Concept...
Cross-site Scripting (XSS) - DOM in tastyigniter/tastyigniter
Description TastyIgniter provides a professional and reliable platform for restaurants wanting to offer online food ordering and table reservation to their customers. this is vulnerable for stored xss Proof of Concept Impact This vulnerability is capable of Stored XSS...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Stored XSS at the Name field in the Admin themes of System configuration. Payload constructor.constructor'alert1' Steps to reproduce 1.Login then go to Setting - Live help configuration tab 2.Click on Admin themes in Visual settings for the admin sectio...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS is found in ModuleFormsList of formsNew. Use payload constructor.constructor'alert1' while creating form, and you will see that the input gets stored, and every time the user visits, the payload gets executed. Proof of Concept Impact Through this vulnerability, an attacker ...
Path Traversal in gruntjs/grunt
Description Grunt is a JavaScript task runner, a tool used to automatically perform frequent tasks such as minification, compilation, unit testing, and linting. In GruntJS, file.copy operations in GruntJS are not protected against symlink traversal for both source and destination directories...
in vim/vim
Description Out of bound 1 byte read in vim. commit : 06b77229ca704d00c4f138ed0377556e54d5851f Proof of Concept $ echo -ne "c2lsMG5vcm0WcTAHMA==" | base64 -d minimizedpoc valgrind $ ./vg-in-place -s ./vim -u NONE -i NONE -n -X -Z -e -s -S ./minimizedpoc -c ":qa!" ==3442167== Invalid read of size ...
Heap-based Buffer Overflow in vim/vim
Description Heap-buffer-overflow on write in vim This issue was created to separate this one and was fixed with Patch 8.2.4218. Proof of Concept Steps to reproduce: echo -n bm9ybTBRgFBTMP8wMDCysDAwMDAwMDAwMDAwMDAw/zD/g7IwMDAwMDAwMDAwjjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAD | base64 -d heapowpoc2 vim ...
SQL Injection in star7th/showdoc
Description The uid parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection. Proof of Concept Time based: POST /server/index.php?s=/api/adminUser/addUser HTTP/1.1 Content-Type: application/x-www-form-urlencoded Accept:...
Cross-site Scripting (XSS) - Stored in pimcore/customer-data-framework
Description stored xss vulnerability occurs when you change the value of Description at "Customer Management Framework" = "Customer automation rules" = "New Customers" = "Description" in the pimcore service. Proof of Concept txt XSS POC : 1. Open the https://10.x-dev.pimcore.fun/admin/ 2. After...
Improper Authorization in janeczku/calibre-web
Description With default settings, low-level users will not have permission to edit the sort order of books in private shelf of another user. However, due to incorrect checking, the application does not work as intended. Proof of Concept - Step 1: Login with admin account and go to...
Cross-site Scripting (XSS) - Stored in pimcore/data-hub
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you change the value of Group at "Datahub" in the pimcore service. Proof of Concept XSS POC : " txt 1. Open the...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS is found in SettingsLive help configurationPersonal Themestatic content. Under the NAME field put a payload constructor.constructor'alert1' while creating content, and you will see that the input gets stored, and every time the user visits, the payload gets executed. Proof ...
in star7th/showdoc
Description There is a filter to prevent upload php, HTML, svg filetype in the code snippet from line 115 to line 122 in AttachmentController.class.php: if strstrstriptagsstrtolower$uploadFile'name', ".php" || strstrstriptagsstrtolower$uploadFile'name', ".htm" ||...
Cross-Site Request Forgery (CSRF) in requarks/wiki
Note: Not a vulnerability in ExpressJS Description Fix can by bypassed. Express treats routes as case insensitive while req.path is case sensitive. The fix in the previous report was to check if req.path === "/u"...
in vim/vim
Description A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build lastest commit hash...
Improper Authorization in liukuo362573/yishaadmin
Description When downloading files using the /admin/File/DownloadFile?filePath= URI, you're able to download any file you want, as long as you know the path of the file, even as an unauthenticated user. This means that an unauthenticated user could download the /etc/passwd/ file or any file that...
Heap-based Buffer Overflow in vim/vim
Description 2 Heap-buffer-overflow on write in vim 1 Heap-buffer-overflow on read in vim Heap-buffer-overflow on write in vim 1 Proof of Concept Steps to reproduce: echo -n cmV0ODAwCnMvXHYvCQpzZSBhaQpzaWwwbm9ybTppDQ== | base64 -d heapowpoc1 vim -u NONE -i NONE -n -X -Z -e -m -s -S heapowpoc1 -c...
Heap-based Buffer Overflow in vim/vim
Description - Heap Overflow and arbitrary 41 bytes write. - Unsorted bin doubly linked list corruption. - commit hash : 058ee7c5699ef551be5aa04c66b3cffc436e9b08 Proof of Concept $ echo -ne "bm9ybTBv7wX//wUwIDUwMDAwMDAwezAtMDAwMP/yAAD6MDAwMDAwMDAwMDQwKSkpMDAQMDAwMDAw...
Exposure of Sensitive Information to an Unauthorized Actor in httpie/httpie
Description All cookies saved to session storage are supercookies. Proof of Concept in /etc/hosts 127.0.0.1 host1.example.com 127.0.0.1 host2.example.net headers-helper.rpy; run with twist web --resource-script= and it'll run on 8080 from pprint import pformat from twisted.web.resource import...
Improper Authentication in liukuo362573/yishaadmin
Description Hi, I would like to report an improper authentication vulnerability in https://www.github.com/liukuo362573/yishaadmin. Endpoint "/admin/OrganizationManage/User/ExportUserJson" does not require any authentication and return xls file contain users data like username, fullname, email,...
Heap-based Buffer Overflow in gpac/gpac
Description Heap-based Buffer Overflow in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1659-g7d3281e88-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929...
Improper Access Control in liukuo362573/yishaadmin
Description YiShaAdmin is vulnerable to Improper Access Control via the /admin/SystemManage/LogApi/GetPageListJson endpoint. Anyone can view the Log API of the YiShaAdmin without any authentication. This API contains the sensitive information include: ExecuteURL, ExecuteParam, ExecuteTime,...
Cross-site Scripting (XSS) - Stored in vanessa219/vditor
Description The Vanessa219/vditor is a markdown editor supported by browsers. If the user passes javascript:alertdocument.domain as the URL value when creating a link using the markdown syntax, there is no sanitizing process and the link is created as it is. Proof of Concept txt XSS PoC : xss 1...
Improper Authentication in liukuo362573/yishaadmin
Description Hi there, there is another improper authorization at /admin/SystemManage/LogOperate/GetFormJson, this will allow anyone to view yishaadmin log without logging in. Proof of Concept 1. Access the link http://106.14.124.170/admin/SystemManage/LogOperate/GetFormJson?id=405689053455847424...
Improper Privilege Management in liukuo362573/yishaadmin
Description Hi there, there is another improper privilege management in /admin/OrganizationManage/Position/GetFormJson Proof of Concept 1. Access the link http://106.14.124.170:80/admin/OrganizationManage/Position/GetFormJson?id=16508640061130139 2. See that the page return with position data...
Improper Authorization in liukuo362573/yishaadmin
Description Hi there, there is another Improper authorization in /admin/OrganizationManage/Department/GetFormJson Proof of Concept 1. Open link http://106.14.124.170/admin/OrganizationManage/Department/GetFormJson?id=16508640061124402 without logging in demo page. 2. See that department data is...
Improper Access Control in janeczku/calibre-web
Description With default settings, low-level users will not have permission to read name of private shelf shelf create by another user and not in public mode. However, due to incorrect HTML render, the application does not work as intended. Proof of Concept - Step 1: Login with admin account and ...
in vim/vim
Description Stack Pointer $RSP is corrupted at function eval7t in eval.c during calling eval3, eval4, eval5, eval6, eval7... continuously while parsing too many brackets. vim version : 8.2.4195 latest commit hash : 79a6e25b79cdb35e00d8b364516103eb358d8cc7 Proof of Concept $ echo -ne...
Cross-site Scripting (XSS) - Stored in vanessa219/vditor
Description The Vanessa219/vditor is a markdown editor supported by browsers. When a user creates a link using the markdown syntax, the server does not URL-encode the double-quotes, so the user can escape the href attribute and trigger XSS using the on attribute. Proof of Concept txt XSS PoC : xs...
Heap-based Buffer Overflow in radareorg/radare2
Description This vulnerability is of out-of-bound read which accesses the address beyond/past the buffer. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code is located...
None in radareorg/radare2
Description This vulnerability is of type Expired Pointer Dereference or specifically, use-after-free. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code located at...
in radareorg/radare2
Description This vulnerability is of out-of-bound read which accesses the address beyond/past the buffer. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code and the...