Lucene search

4058 matches found

Huntr
added 2022/01/27 2:45 a.m., 11 views

Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Description Stored XSS is found in SettingsLive help configurationDepartments-Departments groups-edit When a user creates a new webhook under the NAME field and puts a payload constructor.constructor'alert1', the input gets stored, at user edit groupname , the payload gets executed. Proof of...

CVSS 3.5, EPSS 0.00281
Exploits: 1, References: 1

Huntr
added 2022/01/27 12:46 a.m., 34 views

Stack-based Buffer Overflow in vim/vim

Description Stack overflow occurs in spellsuggest.c. commit : 44db8213d38c39877d2148eff6a72f4beccfb94e Proof of Concept $ echo -ne "bm9ybRZzMDAwRzAw/TAwMDAwMDAwMDAwMApzaWwwbm9ybS4udnpHLi4uLi4uLi4uLi4uLi4uLnZ2 ekcwICAgICB2IHo9" | base64 -d minimizedpoc Valgrind $ ./vg-in-place -s...

CVSS 6.8, AI score 8.2, EPSS 0.00239
Exploits: 1

Huntr
added 2022/01/26 9:42 p.m., 10 views

Use of a Broken or Risky Cryptographic Algorithm in x360ce/x360ce

Description The password-generation algorithm used in the function NewPassword simply adds bias to the output password instead of making it easier to remember. Proof of Concept - Use the NewPassword function a large amount of times and store the output. - Look at the frequency of each character o...

AI score 0.8
Exploits: 0

Huntr
added 2022/01/26 9:33 p.m., 10 views

in x360ce/x360ce

Description x360ce uses the .NET Random and Guid classes to generate random numbers/bytes that are used for sensitive purposes . Proof of Concept None provided. Impact This vulnerability is capable of allowing attackers to predict sensitive information on x360ce's backend see the 'occurances'...

AI score 3.6
Exploits: 0

Huntr
added 2022/01/26 3:40 p.m., 61 views

Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Vuln : Stored XSS Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. A stored XSS vulnerability occurs when you change the value of name at "Settings" = "Website Settings" in the pimcore service. Proof of Concept...

CVSS 3.5, AI score 0.1, EPSS 0.00054
Exploits: 1

Huntr
added 2022/01/26 8:16 a.m., 20 views

Cross-site Scripting (XSS) - DOM in tastyigniter/tastyigniter

Description TastyIgniter provides a professional and reliable platform for restaurants wanting to offer online food ordering and table reservation to their customers. this is vulnerable for stored xss Proof of Concept Impact This vulnerability is capable of Stored XSS...

CVSS 3.5, AI score 2.6, EPSS 0.0021
Exploits: 1

Huntr
added 2022/01/26 7:57 a.m., 15 views

Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Description LiveHelperChat is vulnerable to Stored XSS at the Name field in the Admin themes of System configuration. Payload constructor.constructor'alert1' Steps to reproduce 1.Login then go to Setting - Live help configuration tab 2.Click on Admin themes in Visual settings for the admin sectio...

CVSS 3.5, AI score 0.2, EPSS 0.00357
Exploits: 1

Huntr
added 2022/01/26 7:20 a.m., 14 views

Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Description Stored XSS is found in ModuleFormsList of formsNew. Use payload constructor.constructor'alert1' while creating form, and you will see that the input gets stored, and every time the user visits, the payload gets executed. Proof of Concept Impact Through this vulnerability, an attacker ...

CVSS 3.5, AI score 1.2, EPSS 0.00267
Exploits: 1

Huntr
added 2022/01/26 5:17 a.m., 36 views

Path Traversal in gruntjs/grunt

Description Grunt is a JavaScript task runner, a tool used to automatically perform frequent tasks such as minification, compilation, unit testing, and linting. In GruntJS, file.copy operations in GruntJS are not protected against symlink traversal for both source and destination directories...

CVSS 2.1, AI score 0.4, EPSS 0.00099
Exploits: 1

Huntr
added 2022/01/25 5:25 p.m., 26 views

in vim/vim

Description Out of bound 1 byte read in vim. commit : 06b77229ca704d00c4f138ed0377556e54d5851f Proof of Concept $ echo -ne "c2lsMG5vcm0WcTAHMA==" | base64 -d minimizedpoc valgrind $ ./vg-in-place -s ./vim -u NONE -i NONE -n -X -Z -e -s -S ./minimizedpoc -c ":qa!" ==3442167== Invalid read of size ...

CVSS 5.8, AI score 7.1, EPSS 0.00072
Exploits: 1

Huntr
added 2022/01/25 12:30 p.m., 37 views

Heap-based Buffer Overflow in vim/vim

Description Heap-buffer-overflow on write in vim This issue was created to separate this one and was fixed with Patch 8.2.4218. Proof of Concept Steps to reproduce: echo -n bm9ybTBRgFBTMP8wMDCysDAwMDAwMDAwMDAwMDAw/zD/g7IwMDAwMDAwMDAwjjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAD | base64 -d heapowpoc2 vim ...

CVSS 6.8, AI score 8.2, EPSS 0.00162
Exploits: 1, References: 1

Huntr
added 2022/01/25 11:49 a.m., 15 views

SQL Injection in star7th/showdoc

Description The uid parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection. Proof of Concept Time based: POST /server/index.php?s=/api/adminUser/addUser HTTP/1.1 Content-Type: application/x-www-form-urlencoded Accept:...

CVSS 7.5, AI score 0.6, EPSS 0.00274
Exploits: 1

Huntr
added 2022/01/25 10:28 a.m., 5 views

Cross-site Scripting (XSS) - Stored in pimcore/customer-data-framework

Description stored xss vulnerability occurs when you change the value of Description at "Customer Management Framework" = "Customer automation rules" = "New Customers" = "Description" in the pimcore service. Proof of Concept txt XSS POC : 1. Open the https://10.x-dev.pimcore.fun/admin/ 2. After...

AI score 0.8
Exploits: 0

Huntr
added 2022/01/25 8:57 a.m., 36 views

Improper Authorization in janeczku/calibre-web

Description With default settings, low-level users will not have permission to edit the sort order of books in private shelf of another user. However, due to incorrect checking, the application does not work as intended. Proof of Concept - Step 1: Login with admin account and go to...

CVSS 4, EPSS 0.00134
Exploits: 1

Huntr
added 2022/01/25 8:37 a.m., 7 views

Cross-site Scripting (XSS) - Stored in pimcore/data-hub

Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you change the value of Group at "Datahub" in the pimcore service. Proof of Concept XSS POC : " txt 1. Open the...

Exploits: 0

Huntr
added 2022/01/25 5:18 a.m., 17 views

Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Description Stored XSS is found in SettingsLive help configurationPersonal Themestatic content. Under the NAME field put a payload constructor.constructor'alert1' while creating content, and you will see that the input gets stored, and every time the user visits, the payload gets executed. Proof ...

CVSS 3.5, AI score 1, EPSS 0.00289
Exploits: 1

Huntr
added 2022/01/25 4:14 a.m., 71 views

in star7th/showdoc

Description There is a filter to prevent upload php, HTML, svg filetype in the code snippet from line 115 to line 122 in AttachmentController.class.php: if strstrstriptagsstrtolower$uploadFile'name', ".php" || strstrstriptagsstrtolower$uploadFile'name', ".htm" ||...

CVSS 6.8, AI score 0.5, EPSS 0.00209
Exploits: 1

Huntr
added 2022/01/24 4:2 p.m., 15 views

Cross-Site Request Forgery (CSRF) in requarks/wiki

Note: Not a vulnerability in ExpressJS Description Fix can by bypassed. Express treats routes as case insensitive while req.path is case sensitive. The fix in the previous report was to check if req.path === "/u"...

AI score 0.2
Exploits: 0

Huntr
added 2022/01/24 2:53 p.m., 32 views

in vim/vim

Description A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such as -Z and -m. This bug has been found on default vim build latest commit hash...

CVSS 6.8, AI score 8.1, EPSS 0.00215
Exploits: 1

Huntr
added 2022/01/24 11:41 a.m., 17 views

Improper Authorization in liukuo362573/yishaadmin

Description When downloading files using the /admin/File/DownloadFile?filePath= URI, you're able to download any file you want, as long as you know the path of the file, even as an unauthenticated user. This means that an unauthenticated user could download the /etc/passwd/ file or any file that...

AI score 1.2
Exploits: 0

Huntr
added 2022/01/24 10:8 a.m., 38 views

Heap-based Buffer Overflow in vim/vim

Description 2 Heap-buffer-overflow on write in vim 1 Heap-buffer-overflow on read in vim Heap-buffer-overflow on write in vim 1 Proof of Concept Steps to reproduce: echo -n cmV0ODAwCnMvXHYvCQpzZSBhaQpzaWwwbm9ybTppDQ== | base64 -d heapowpoc1 vim -u NONE -i NONE -n -X -Z -e -m -s -S heapowpoc1 -c...

CVSS 6.8, AI score 8.3, EPSS 0.00184
Exploits: 1, References: 1

Huntr
added 2022/01/24 9:21 a.m., 30 views

Heap-based Buffer Overflow in vim/vim

Description - Heap Overflow and arbitrary 41 bytes write. - Unsorted bin doubly linked list corruption. - commit hash : 058ee7c5699ef551be5aa04c66b3cffc436e9b08 Proof of Concept $ echo -ne "bm9ybTBv7wX//wUwIDUwMDAwMDAwezAtMDAwMP/yAAD6MDAwMDAwMDAwMDQwKSkpMDAQMDAwMDAw...

CVSS 6.8, AI score 0.1, EPSS 0.002
Exploits: 1

Huntr
added 2022/01/24 8:36 a.m., 22 views

Exposure of Sensitive Information to an Unauthorized Actor in httpie/httpie

Description All cookies saved to session storage are supercookies. Proof of Concept in /etc/hosts 127.0.0.1 host1.example.com 127.0.0.1 host2.example.net headers-helper.rpy; run with twist web --resource-script= and it'll run on 8080 from pprint import pformat from twisted.web.resource import...

CVSS 5, AI score 4.5, EPSS 0.00323
Exploits: 1

Huntr
added 2022/01/24 7:55 a.m., 39 views

Improper Authentication in liukuo362573/yishaadmin

Description Hi, I would like to report an improper authentication vulnerability in https://www.github.com/liukuo362573/yishaadmin. Endpoint "/admin/OrganizationManage/User/ExportUserJson" does not require any authentication and return xls file contain users data like username, fullname, email,...

AI score 0.2
Exploits: 0

Huntr
added 2022/01/24 5:18 a.m., 12 views

Heap-based Buffer Overflow in gpac/gpac

Description Heap-based Buffer Overflow in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1659-g7d3281e88-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929...

Exploits: 0

Huntr
added 2022/01/24 4:38 a.m., 21 views

Improper Access Control in liukuo362573/yishaadmin

Description YiShaAdmin is vulnerable to Improper Access Control via the /admin/SystemManage/LogApi/GetPageListJson endpoint. Anyone can view the Log API of the YiShaAdmin without any authentication. This API contains the sensitive information include: ExecuteURL, ExecuteParam, ExecuteTime,...

AI score 1.1
Exploits: 0

Huntr
added 2022/01/24 4:11 a.m., 33 views

Cross-site Scripting (XSS) - Stored in vanessa219/vditor

Description The Vanessa219/vditor is a markdown editor supported by browsers. If the user passes javascript:alertdocument.domain as the URL value when creating a link using the markdown syntax, there is no sanitizing process and the link is created as it is. Proof of Concept txt XSS PoC : xss 1...

CVSS 3.5, AI score 5.5, EPSS 0.00158
Exploits: 1

Huntr
added 2022/01/24 3:47 a.m., 14 views

Improper Authentication in liukuo362573/yishaadmin

Description Hi there, there is another improper authorization at /admin/SystemManage/LogOperate/GetFormJson, this will allow anyone to view yishaadmin log without logging in. Proof of Concept 1. Access the link http://106.14.124.170/admin/SystemManage/LogOperate/GetFormJson?id=405689053455847424...

AI score 1
Exploits: 0

Huntr
added 2022/01/24 3:41 a.m., 15 views

Improper Privilege Management in liukuo362573/yishaadmin

Description Hi there, there is another improper privilege management in /admin/OrganizationManage/Position/GetFormJson Proof of Concept 1. Access the link http://106.14.124.170:80/admin/OrganizationManage/Position/GetFormJson?id=16508640061130139 2. See that the page return with position data...

AI score 1.6
Exploits: 0

Huntr
added 2022/01/24 3:30 a.m., 15 views

Improper Authorization in liukuo362573/yishaadmin

Description Hi there, there is another Improper authorization in /admin/OrganizationManage/Department/GetFormJson Proof of Concept 1. Open link http://106.14.124.170/admin/OrganizationManage/Department/GetFormJson?id=16508640061124402 without logging in demo page. 2. See that department data is...

AI score 0.9
Exploits: 0

Huntr
added 2022/01/24 3:16 a.m., 35 views

Improper Access Control in janeczku/calibre-web

Description With default settings, low-level users will not have permission to read name of private shelf shelf create by another user and not in public mode. However, due to incorrect HTML render, the application does not work as intended. Proof of Concept - Step 1: Login with admin account and ...

CVSS 4, EPSS 0.00131
Exploits: 1

Huntr
added 2022/01/23 5:21 p.m., 31 views

in vim/vim

Description Stack Pointer $RSP is corrupted at function eval7t in eval.c during calling eval3, eval4, eval5, eval6, eval7... continuously while parsing too many brackets. vim version : 8.2.4195 latest commit hash : 79a6e25b79cdb35e00d8b364516103eb358d8cc7 Proof of Concept $ echo -ne...

CVSS 4.6, AI score 9.3, EPSS 0.0006
Exploits: 1

Huntr
added 2022/01/23 3:24 a.m., 23 views

Cross-site Scripting (XSS) - Stored in vanessa219/vditor

Description The Vanessa219/vditor is a markdown editor supported by browsers. When a user creates a link using the markdown syntax, the server does not URL-encode the double-quotes, so the user can escape the href attribute and trigger XSS using the on attribute. Proof of Concept txt XSS PoC : xs...

CVSS 3.5, AI score 0.5, EPSS 0.00141
Exploits: 1

Huntr
added 2022/01/23 3:4 a.m., 23 views

Heap-based Buffer Overflow in radareorg/radare2

Description This vulnerability is of out-of-bound read which accesses the address beyond/past the buffer. The bug exists in latest stable release radare2-5.5.4 and latest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code is located...

CVSS 5.8, AI score 6.5, EPSS 0.00278
Exploits: 1, References: 1

Huntr
added 2022/01/23 2:52 a.m., 24 views

None in radareorg/radare2

Description This vulnerability is of type Expired Pointer Dereference or specifically, use-after-free. The bug exists in latest stable release radare2-5.5.4 and latest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code located at...

CVSS 6.8, AI score 7.8, EPSS 0.0024
Exploits: 1, References: 1

Huntr
added 2022/01/22 3:30 p.m., 18 views

in radareorg/radare2

Description This vulnerability is of out-of-bound read which accesses the address beyond/past the buffer. The bug exists in latest stable release radare2-5.5.4 and latest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code and the...

CVSS 5.8, AI score 6.5, EPSS 0.0024
Exploits: 1, References: 1

Huntr
added 2022/01/22 3:18 p.m., 18 views

None in radareorg/radare2

Description This vulnerability is of type use-after-free. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.5.4 and latest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, update...

CVSS 6.8, AI score 8, EPSS 0.00139
Exploits: 1, References: 1

Huntr
added 2022/01/22 2:40 p.m., 18 views

in radareorg/radare2

Description This vulnerability is of out-of-bound read which accesses the address beyond/past the buffer. The bug exists in latest stable release radare2-5.5.4 and latest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code and the...

CVSS 5.8, AI score 6.4, EPSS 0.0024
Exploits: 1, References: 1

Huntr
added 2022/01/22 2:18 p.m., 19 views

in radareorg/radare2

Description This vulnerability is of out-of-bound read which is caused by negative buffer index. The bug exists in latest stable release radare2-5.5.4 and latest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code is highlighted out ...

CVSS 5.8, AI score 6.5, EPSS 0.0024
Exploits: 1, References: 1

Huntr
added 2022/01/22 12:13 p.m., 6 views

Static Code Injection in gibbonedu/core

Description The file export.php accepts a directory in the q parameter. We can upload a txt file in the server with our php exploit on it and pass its location in the q parameter, then the php exploit in the uploaded txt file will be executed Proof of Concept 1. Upload a txt file. Inside the txt...

AI score 0.6
Exploits: 0

Huntr
added 2022/01/22 11:45 a.m., 7 views

Cross-site Scripting (XSS) - Reflected in gibbonedu/core

Description There's a reflected xss in the tab parameter in both the student dashboard and the staff dashboard Proof of Concept Visit http://localhost/gibon/index.php?tab=asd%3C/script%3E%3Csvg/onload=alert1%3E Impact This vulnerability is result to xss which then can be used to achieve more thin...

AI score 0.6
Exploits: 0

Huntr
added 2022/01/22 9:17 a.m., 19 views

Improper Authentication in liukuo362573/yishaadmin

Description Hi there yishaadmin maintainer, I would like to report an improper authentication vulnerability in yishaadmin source code. The link /admin/OrganizationManage/User/GetFormJson?id=user-id does not require any authentication and return sensitive user data for anyone like username, gender...

AI score 0.9
Exploits: 0

Huntr
added 2022/01/22 9:10 a.m., 14 views

Improper Authorization in liukuo362573/yishaadmin

Description Hi there yisshadmin team, I would like to report an improper authorization in yishaadmin source code. The link /admin/ToolManage/Server/ServerIndex requires no authorization and available for anyone to view server information like IP, RAM, CPU... Proof of Concept 1. Access the link...

AI score 0.3
Exploits: 0

Huntr
added 2022/01/22 8:55 a.m., 16 views

Improper Privilege Management in liukuo362573/yishaadmin

Description Hi there yishaadmin maintainer team, I would like to report an improper privilege management in yishaadmin source code. The link /admin/ToolManage/Server/GetServerJson requires no authentication and accessible for everyone, which returns server info like RAM, CPU usage. Proof of Conce...

AI score 0.9
Exploits: 0

Huntr
added 2022/01/22 6:14 a.m., 19 views

Cross-site Scripting (XSS) - Stored in microweber/microweber

Description A persistent XSS vulnerability exists in the checkout page where we are able to execute any JavaScript in the last name field...

CVSS 3.5, AI score 2.7, EPSS 0.00342
Exploits: 1, References: 1

Huntr
added 2022/01/21 4:4 p.m., 18 views

in jsdecena/laracom

Description Hi there, I would like to report a vulnerability that allows a hacker to upload dangerous file type in jsdecena/laracom. Attacker must have an account with permission to Edit Product E.g. Clerk role. Then, he can upload malicious file with extensions such as html, svg,... which leads t...

CVSS 3.5, AI score 5.8, EPSS 0.00337
Exploits: 1

Huntr
added 2022/01/21 10:24 a.m., 10 views

Improper Privilege Management in heroiclabs/nakama

Description A predefined View Only user has access to the User Management function at the :7351//users endpoint. By default this is a predefined system administrator function, and no other users should be able to access this function. Proof of Concept - Create a View-only user with the...

AI score 0.8
Exploits: 0

Huntr
added 2022/01/21 9:57 a.m., 21 views

in heroiclabs/nakama

Description It is possible to enumerate usernames via the Log-In function. Proof of Concept The login response provides information, whether the username is registered or not in the application. If the user is registered, and wrong password provided, the following information being displayed:...

AI score 2.6
Exploits: 0

Huntr
added 2022/01/21 9:30 a.m., 34 views

Cross-site Scripting (XSS) - Reflected in pimcore/data-hub

Description pimcore Datahub is vulnerable to Reflected XSS in the Path of Documents, Assets and Objects in the Security Definition tab Steps to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.In the left menu bar, click the Datahub icon and click on any existing configuration then ...

AI score 0.4
Exploits: 0

Huntr
added 2022/01/21 8:59 a.m., 16 views

Cross-site Scripting (XSS) - Reflected in pimcore/pimcore

Description Reflected cross site scripting vulnerability in pimcore/pimcore, it is in group field in Field collections and objectbricks in settings module. Proof of Concept 1. Login to demo account 2. Go to settings module --data objects --object bricks or Field collection -- edit any one and a...

CVSS 3.5, AI score 0.9, EPSS 0.00041
Exploits: 1

Total number of security vulnerabilities: 4058