4072 matches found
None in radareorg/radare2
Description This vulnerability is of type use-after-free. And after quick investigation I think it is very likely to be successfully exploited to remote code execution. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, update...
in radareorg/radare2
Description This vulnerability is of out-of-bound read which accesses the address beyond/past the buffer. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code and the...
in radareorg/radare2
Description This vulnerability is of out-of-bound read which is caused by negative buffer index. The bug exists in latest stable release radare2-5.5.4 and lastest master branch ed2030b79e68986bf04f3a6279463ab989fe400f, updated in Jan 22, 2022. Specifically, the vulnerable code is highlighted out ...
Static Code Injection in gibbonedu/core
Description The file export.php accepts a directory in the q parameter. We can upload a txt file in the server with our php exploit on it and pass its location in the q parameter, then the php exploit in the uploaded txt file will be executed Proof of Concept 1. Upload a txt file. Inside the txt...
Cross-site Scripting (XSS) - Reflected in gibbonedu/core
Description There's a reflected xss in the tab parameter in both the student dashboard and the staff dashboard Proof of Concept Visit http://localhost/gibon/index.php?tab=asd%3C/script%3E%3Csvg/onload=alert1%3E Impact This vulnerability is result to xss which then can be used to achieve more thin...
Improper Authentication in liukuo362573/yishaadmin
Description Hi there yishaadmin maintainer, I would like to report an improper authentication vulnerability in yishaadmin source code. The link /admin/OrganizationManage/User/GetFormJson?id=user-id does not require any authentication and return sensitive user data for anyone like username, gender...
Improper Authorization in liukuo362573/yishaadmin
Description Hi there yisshadmin team, I would like to report an improper authorization in yishaadmin source code. The link /admin/ToolManage/Server/ServerIndex requires no authorization and available for anyone to view server information like IP, RAM, CPU... Proof of Concept 1. Access the link...
Improper Privilege Management in liukuo362573/yishaadmin
Description Hi there yishaadmin maintainer team, I would like to report an improper privilege management in yishaadmin source code. The link /admin/ToolManage/Server/GetServerJson requires no authentication and accessible for everyone, which returns server info like RAM, CPU usage. Proof of Conce...
Cross-site Scripting (XSS) - Stored in microweber/microweber
Description There is a persistent XSS Vulnerability exsists in the checkout page where we can able to execute any javascription in the last name field...
in jsdecena/laracom
Description Hi there, I would like to report a vulnerability that allows a hacker to upload dangerous file type in jsdecena/laracom. Attacker must have an account with permission to Edit Product E.g. Clerk role. Then, he can upload malcious file with extensions such as html, svg,... which leads t...
Improper Privilege Management in heroiclabs/nakama
Description A predefined View Only user has access to the User Management function at the :7351//users endpoint. By default this is a predefined system administrator function, and no other users should be able to access this function. Proof of Concept - Create a View-only user with the...
in heroiclabs/nakama
Description It is possible to enumerate usernames via the Log-In function. Proof of Concept The login response provides information, whether the username is registered or not in the application. If the user is registered, and wrong password provided, the following information being displayed:...
Cross-site Scripting (XSS) - Reflected in pimcore/data-hub
Description pimcore Datahub is vulnerable to Reflected XSS in the Path of Documents, Assets and Objects in the Security Definition tab Steps to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.In the left menu bar, click the Datahub icon and click on any existing configuration then ...
Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
Description Reflected cross site scripting vulnerability in pimpore/pimcore , it is in group field in Field collections and objectbricks in settings module. Proof of Concept 1 .Login to demo account 2 . Go to settings module --data objects --object bricks or Field collection -- edit any one and a...
Prototype Pollution in domcloud/dom-portal
Prototype Pollution in dom-portal Reported on Jan 20th 2022 | Timothee Desurmont Description The function unflatten located in domainbio.php could potentially leed to prototype pollution and givie an attacker unprivilladge access to sensitive information. Proof of Concept Create a file called...
Cross-site Scripting (XSS) - Reflected in mermaid-js/mermaid-live-editor
Description There is a reflected XSS vulnerability in Mermaid v8.13.9 Live Editor. It is fixed in Mermaid develop Branch - Proof of Concept Open following link: \ \ \ \ Or copy & paste following in Mermaid v8.13.9 Live Editor: classDiagram class Duck +String beakColor +swim +quack Impact Execute...
in mastodon/mastodon
Description The message event listener in embed.js does not check the origin of postMessage before changing the height of the embedded toots. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker's input id and height to code and now attacker is able to...
Prototype Pollution in mastodon/mastodon
Description Javascript is "prototype" language which means when a new "object" is created, it carries the predefined properties and methods of an "object" with itself like toString, constructor etc. By using prototype-pollution vulnerability, an attacker can overwrite/create the property of that...
Exposure of Sensitive Information to an Unauthorized Actor in pimcore/pimcore
Description XSS Proof of Concept Previous bug https://huntr.dev/bounties/96506857-06bc-4c84-88b7-4f397715bcf6/ is not properly fixed. it can be bypassed using with event handler . https://github.com/pimcore/pimcore/commit/35d1853baf64d6a1d90fd8803e52439da53a3911 its only checking...
Heap-based Buffer Overflow in gpac/gpac
Description When fuzzing gpac with clang 10 I found a heap overflow. Proof of Concept pocgffprintf Crash stack trace aldo@vps:/gpac/bin/gcc$ ASANOPTIONS=symbolize=1 ASANSYMBOLIZERPATH=/usr/bin/llvm-symbolizer ./MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null...
None in gpac/gpac
Description Use After Free in gpac Proof of Concept MP4Box -bt POC4 MP4Box -bt POC5 POC4 is here. POC5 is here. ASAN ==414586==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100000007fc at pc 0x7f7926081250 bp 0x7ffd2e84f4a0 sp 0x7ffd2e84f490 READ of size 4 at 0x6100000007fc thread T0...
None in gpac/gpac
Description Use After Free in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1647-gb6f68145e-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Classic Buffer Overflow in gpac/gpac
Description Buffer Overflow in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1647-gb6f68145e-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Stack-based Buffer Overflow in gpac/gpac
Description Stack-based Buffer Overflow in gpac Proof of Concept MP4Box -bt POC3 POC3is here gdb Program received signal SIGABRT, Aborted. 0x0000000000b68d4b in raise LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA...
Cross-Site Request Forgery (CSRF) in requarks/wiki
Description CSRF to upload and overwrite files Proof of Concept Open this HTML as a logged-in user var xhr = new XMLHttpRequest; xhr.open"POST", "http://127.0.0.1:3000/u", true; xhr.setRequestHeader"Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8";...
Heap-based Buffer Overflow in gpac/gpac
Description Heap-based Buffer Overflow in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1646-gddd7990bb-master c 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Pimcore settings module is vulnerable to stored cross site scripting Proof of Concept 1 . Login to dev demo account. https://10.x-dev.pimcore.fun/ 2 . Goto settings --data objects --Add a new class -- add payload in icon field 3 . Click save and close and open that class alert will...
Cross-Site Request Forgery (CSRF) in microweber/microweber
Description CSRF issues deleting the content of the website since it is having no CSRF token validation. Request POST /demo/api/content/delete HTTP/1.1 Host: demo.microweber.org User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:96.0 Gecko/20100101 Firefox/96.0 Accept: / Accept-Language:...
in microweber/microweber
Description Sensitive information as part of the error is getting disclosed during the upload of an unrestricted file. Steps to Reproduce Instance 1 1. Log in to the application https://demo.microweber.org 2. Add a new post and upload an SVG file and you will see an error message getting Popped o...
None in bobthecow/mustache.php
Description In Mustache.php v2.0.0 through v2.14.0, Sections tag can lead to arbitrary php code execution even if strictcallables is true when section value is controllable. Proof of Concept './cache', 'strictcallables'=true ; echo $m-render' repo phpinfo;// No repos : / repo phpinfo;// ',...
in vim/vim
Description A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build lastest commit hash...
Heap-based Buffer Overflow in vim/vim
Description Heap-buffer-overflow in vim Proof of Concept ./vim -u NONE -X -Z -e -s -S poc3 -c :qa! POC3 is here. Bt ==728741==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000025500 at pc 0x0000008961b2 bp 0x7ffca76ad0b0 sp 0x7ffca76ad0a8 READ of size 1 at 0x621000025500 thread T0...
in gpac/gpac
Description Null Pointer Dereference in gfdumpvrmlfield.isra Proof of Concept MP4Box -bt POC2 POC2 is here. Bt Program received signal SIGSEGV, Segmentation fault. 0x0000000000644ca4 in gfdumpvrmlfield.isra LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description stored xss vulnerability occurs when you change the value of Group at "Settings" = "Thumbnalis" = "Video Thumbnails" in the pimcore service. Proof of Concept txt XSS POC : " 1. Open the https://10.x-dev.pimcore.fun/admin/login?perspective= 2. After login, Go to "Settings" = "Thumbnali...
in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS and digital commerce services. You can upload an infinite number of dangerous SVG files in "Settings" = "System Settings" = "Appearance and Branding" of the pimcore service. Then why is it...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you add media query at "Settings" = "Thumbnails" = "Video Thumbnails" in the pimcore service. Proof of Concept txt XSS POC...
in mruby/mruby
Description There is a NULL Pointer Dereference in ivfree src/variable.c:232:20. This bug has been found on mruby lastest commit hash 31fa3304049fc406a201a72293cce140f0557dca on Ubuntu 20.04 for x8664/amd64. Proof of Concept 6.times3.times%until-break b= 0,m:0 s=0 Steps to reproduce 1- Clone repo...
Cross-Site Request Forgery (CSRF) in liangliangyy/djangoblog
Description Hi there, I would like to report a Cross Site Request Forgery in djangoblog source code. Cross-site request forgery also known as CSRF is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker t...
Improper Access Control in janeczku/calibre-web
Description With default settings, low-level users will not have permission to create new shelf with public mode. However, due to incorrect checking, the function does not work as intended. Steps To Reproduce - Step 1: Login with admin account and go to http://hostname:8083/admin/user/new. Create...
in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to Insecure Direct Object Reference / IDOR vulnerability. The system's authorization functionality does not prevent one user from deleting another user by modifying the userid identifying the user. Each user has a userid 1,2,3,.... A malicious authorized...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS is found in SettingsLive help configurationIncoming Webhooks. When a user creates a new webhook under the NAME field and puts a payload constructor.constructor'alert1', the input gets stored, and every time the user visits, the payload gets executed. Proof of Concept...
Cross-site Scripting (XSS) - Stored in zikula/core
Description In zikula/core cross site scripting vulnerability is present in block modules block list description field. This commit e453ad not properly santize the input. Proof of Concept login to the demo account go to blocks https://demo.ziku.la/blocks/admin/view Add payload in block list...
Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web
Description There is a reflected XSS vulnerability on the site calibre-web. Proof of Concept 1. go to the calibre e-book management 2. create a new book give the title name 3. and give the title sort name 4. save and go to the website 5.go to Author 6.press one of the books 7. then right click an...
Cross-site Scripting (XSS) - Stored in crater-invoice/crater
Description There is a vulnerability in the upload avatar functionality of crater invoice which would allow an attacker to upload malicious .SVG files in order to execute Javascript. All that is required is that the victim browse to the link location of the .SVG file Proof of Concept xss.svg:...
Inefficient Regular Expression Complexity in parallax/jspdf
Description The jspdf package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide crafted input to the setZoomMode functionality may cause an application to consume an excessive amount of CPU. Proof of Concept // PoC.js var jsPDF = require"jspdf".jsPDF...
Static Code Injection in playframework/play-samples
Description "play-samples" project uses the vulnerable log4j library 2.17.0. This can cause potential RCE vulnerability on the project. Vulnerability: CVE-2021-44832 Remote Code Execution. Another reference from Apache for CVE-2021-44832. You should upgrade the log4j library to latest version...
in livehelperchat/livehelperchat
Lack of server side validation An admin can delete his/her account by bypassing client side validation 1.Login in application as admin. 2.Nagiate to settings and create another user. 3.Now see the list of user, an admin can only delete other user account rather than his/her. 4.Click on delete and...
in detekt/detekt
Description The read function makes use of SAXParser generated from a SAXParserFactory with no FEATURESECUREPROCESSING set, allowing for XXE attacks. In...
in liquibase/liquibase
Description The XMLChangeLogSAXParser function makes use of SAXParser generated from a SAXParserFactory with no FEATURESECUREPROCESSING set, allowing for XXE attacks. In...
in jesusfreke/smali
Description The loadResourceIds function makes use of SAXParser generated from a SAXParserFactory with no FEATURESECUREPROCESSING set, allowing for XXE attacks. In...