Prototype Pollution in domcloud/dom-portal
Prototype Pollution in dom-portal Reported on Jan 20th 2022 | Timothee Desurmont Description The function unflatten located in domainbio.php could potentially lead to prototype pollution and give an attacker unprivileged access to sensitive information. Proof of Concept Create a file called...
Cross-site Scripting (XSS) - Reflected in mermaid-js/mermaid-live-editor
Description There is a reflected XSS vulnerability in the Mermaid v8.13.9 Live Editor. It is fixed in the Mermaid develop branch. Proof of Concept Open the following link: Or copy & paste the following in the Mermaid v8.13.9 Live Editor: classDiagram class Duck +String beakColor +swim +quack Impact Execute...
in mastodon/mastodon
Description The message event listener in embed.js does not check the origin of postMessage before changing the height of the embedded toots. The vulnerable code allows any origin to postMessage on the browser window and feeds the attacker's input id and height to the code, and now the attacker is able to...
Prototype Pollution in mastodon/mastodon
Description JavaScript is a "prototype" language, which means that when a new "object" is created, it carries the predefined properties and methods of an "object" with itself, like toString, constructor, etc. By using a prototype-pollution vulnerability, an attacker can overwrite/create the property of that...
Exposure of Sensitive Information to an Unauthorized Actor in pimcore/pimcore
Description XSS Proof of Concept The previous bug https://huntr.dev/bounties/96506857-06bc-4c84-88b7-4f397715bcf6/ is not properly fixed. It can be bypassed with an event handler. https://github.com/pimcore/pimcore/commit/35d1853baf64d6a1d90fd8803e52439da53a3911 It's only checking...
Heap-based Buffer Overflow in gpac/gpac
Description When fuzzing gpac with clang 10 I found a heap overflow. Proof of Concept pocgffprintf Crash stack trace aldo@vps:/gpac/bin/gcc$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null...
None in gpac/gpac
Description Use After Free in gpac Proof of Concept MP4Box -bt POC4 MP4Box -bt POC5 POC4 is here. POC5 is here. ASAN ==414586==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100000007fc at pc 0x7f7926081250 bp 0x7ffd2e84f4a0 sp 0x7ffd2e84f490 READ of size 4 at 0x6100000007fc thread T0...
None in gpac/gpac
Description Use After Free in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1647-gb6f68145e-master (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Classic Buffer Overflow in gpac/gpac
Description Buffer Overflow in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1647-gb6f68145e-master (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Stack-based Buffer Overflow in gpac/gpac
Description Stack-based Buffer Overflow in gpac Proof of Concept MP4Box -bt POC3 POC3 is here gdb Program received signal SIGABRT, Aborted. 0x0000000000b68d4b in raise LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA...
Cross-Site Request Forgery (CSRF) in requarks/wiki
Description CSRF to upload and overwrite files Proof of Concept Open this HTML as a logged-in user var xhr = new XMLHttpRequest; xhr.open("POST", "http://127.0.0.1:3000/u", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");...
Heap-based Buffer Overflow in gpac/gpac
Description Heap-based Buffer Overflow in gpac Proof of Concept Version: MP4Box - GPAC version 1.1.0-DEV-rev1646-gddd7990bb-master (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description The Pimcore settings module is vulnerable to stored cross-site scripting. Proof of Concept 1. Login to the dev demo account. https://10.x-dev.pimcore.fun/ 2. Go to Settings > Data Objects > Add a new class > add the payload in the icon field 3. Click save and close, then open that class; the alert will...
Cross-Site Request Forgery (CSRF) in microweber/microweber
Description CSRF issue: deleting the content of the website, since it has no CSRF token validation. Request POST /demo/api/content/delete HTTP/1.1 Host: demo.microweber.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: */* Accept-Language:...
in microweber/microweber
Description Sensitive information as part of the error is disclosed during the upload of an unrestricted file. Steps to Reproduce Instance 1 1. Log in to the application https://demo.microweber.org 2. Add a new post and upload an SVG file, and you will see an error message getting popped o...
None in bobthecow/mustache.php
Description In Mustache.php v2.0.0 through v2.14.0, the Sections tag can lead to arbitrary PHP code execution even if strict_callables is true, when the section value is controllable. Proof of Concept './cache', 'strict_callables' => true ; echo $m->render(' repo phpinfo;// No repos : / repo phpinfo;// ',...
in vim/vim
Description A heap-based OOB read of size 4 occurs when a user tries to open the vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such as -Z and -m. This bug has been found on a default vim build at the latest commit hash...
Heap-based Buffer Overflow in vim/vim
Description Heap-buffer-overflow in vim Proof of Concept ./vim -u NONE -X -Z -e -s -S poc3 -c :qa! POC3 is here. Bt ==728741==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000025500 at pc 0x0000008961b2 bp 0x7ffca76ad0b0 sp 0x7ffca76ad0a8 READ of size 1 at 0x621000025500 thread T0...
in gpac/gpac
Description Null Pointer Dereference in gf_dump_vrml_field.isra Proof of Concept MP4Box -bt POC2 POC2 is here. Bt Program received signal SIGSEGV, Segmentation fault. 0x0000000000644ca4 in gf_dump_vrml_field.isra LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description A stored XSS vulnerability occurs when you change the value of Group at "Settings" > "Thumbnails" > "Video Thumbnails" in the pimcore service. Proof of Concept XSS POC: " 1. Open https://10.x-dev.pimcore.fun/admin/login?perspective= 2. After login, go to "Settings" > "Thumbnali...
in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS and digital commerce services. You can upload an infinite number of dangerous SVG files in "Settings" > "System Settings" > "Appearance and Branding" of the pimcore service. Then why is it...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. A stored XSS vulnerability occurs when you add a media query at "Settings" > "Thumbnails" > "Video Thumbnails" in the pimcore service. Proof of Concept XSS POC...
in mruby/mruby
Description There is a NULL Pointer Dereference in iv_free src/variable.c:232:20. This bug has been found on mruby latest commit hash 31fa3304049fc406a201a72293cce140f0557dca on Ubuntu 20.04 for x86_64/amd64. Proof of Concept 6.times3.times%until-break b= 0,m:0 s=0 Steps to reproduce 1- Clone repo...
Cross-Site Request Forgery (CSRF) in liangliangyy/djangoblog
Description Hi there, I would like to report a Cross-Site Request Forgery in the djangoblog source code. Cross-site request forgery, also known as CSRF, is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker t...
Improper Access Control in janeczku/calibre-web
Description With default settings, low-level users will not have permission to create a new shelf in public mode. However, due to incorrect checking, the function does not work as intended. Steps To Reproduce - Step 1: Login with the admin account and go to http://hostname:8083/admin/user/new. Create...
in livehelperchat/livehelperchat
Description LiveHelperChat is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability. The system's authorization functionality does not prevent one user from deleting another user by modifying the userid identifying the user. Each user has a userid 1,2,3,.... A malicious authorized...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS is found in Settings > Live help configuration > Incoming Webhooks. When a user creates a new webhook under the NAME field and puts the payload constructor.constructor'alert1', the input gets stored, and every time the user visits, the payload gets executed. Proof of Concept...
Cross-site Scripting (XSS) - Stored in zikula/core
Description In zikula/core, a cross-site scripting vulnerability is present in the block module's block list description field. Commit e453ad does not properly sanitize the input. Proof of Concept Login to the demo account, go to blocks https://demo.ziku.la/blocks/admin/view, add the payload in the block list...
Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web
Description There is a reflected XSS vulnerability on the calibre-web site. Proof of Concept 1. Go to the calibre e-book management 2. Create a new book and give the title name 3. and give the title sort name 4. Save and go to the website 5. Go to Author 6. Press one of the books 7. Then right click an...
Cross-site Scripting (XSS) - Stored in crater-invoice/crater
Description There is a vulnerability in the upload avatar functionality of crater invoice which would allow an attacker to upload malicious .SVG files in order to execute JavaScript. All that is required is that the victim browse to the link location of the .SVG file. Proof of Concept xss.svg:...
Inefficient Regular Expression Complexity in parallax/jspdf
Description The jspdf package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide crafted input to the setZoomMode functionality may cause an application to consume an excessive amount of CPU. Proof of Concept // PoC.js var jsPDF = require("jspdf").jsPDF...
Static Code Injection in playframework/play-samples
Description The "play-samples" project uses the vulnerable log4j library 2.17.0. This can cause a potential RCE vulnerability in the project. Vulnerability: CVE-2021-44832 Remote Code Execution. Another reference from Apache for CVE-2021-44832. You should upgrade the log4j library to the latest version...
in livehelperchat/livehelperchat
Lack of server side validation An admin can delete his/her account by bypassing client-side validation 1. Log in to the application as admin. 2. Navigate to settings and create another user. 3. Now see the list of users; an admin can only delete other user accounts rather than his/her own. 4. Click on delete and...
in detekt/detekt
Description The read function makes use of a SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In...
in liquibase/liquibase
Description The XMLChangeLogSAXParser function makes use of a SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In...
in jesusfreke/smali
Description The loadResourceIds function makes use of a SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In...
in hazelcast/hazelcast
Description The AbstractXmlConfigRootTagRecognizer function makes use of a SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In...
in mybatis/generator
Description The isConfigFile function makes use of a SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In...
in jetbrains/kotlin
Description The ModuleXmlParser.parse function makes use of a SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In...
Cross-site Scripting (XSS) - Stored in cyrisxd/love-lock-card
Description Currently, adding a "+ to the password, or a DOM element to the title, you can inject scripts into HA. I know that this library is meant to be not-secure by design, as stated in the README, and that if someone can update the Lovelace dashboard he can probably execute JS code in other...
in stanfordnlp/corenlp
Description When a malicious schema XML file is passed to getValidatingXmlParser, the parser is vulnerable to XXE when the SchemaFactory parses the schema XML file. In...
Cross-site Scripting (XSS) - Stored in saleor/saleor-dashboard
Description Because the dangerouslySetInnerHTML method is used to output the input value to the DOM, XSS vulnerabilities occur in many logics. Proof of Concept " Impact Through this vulnerability, an attacker is capable of executing malicious scripts...
in mruby/mruby
Description There is a NULL Pointer Dereference in prepare_singleton_class src/class.c:360:13. This bug has been found on mruby latest commit hash 171d32c0071d776207174a40a8fa26def3dbb931 on Ubuntu 20.04 for x86_64/amd64. Proof of Concept 1.timesb= a=0 0,m:0 c=0=0,nil=nil0 def mend def c.eend Steps...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description A CSRF issue is found in Settings > Live help configuration > Canned Messages. It was found that no CSRF token validation is done, as no CSRF token is passed with the request. Also, while generating statistics, the action is done through the GET method with no CSRF token. Two...
Cross-site Scripting (XSS) - Reflected in icecoder/icecoder
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description A CSRF issue is found in Settings > Live help configuration > File Configuration. It was found that no CSRF token validation is done, as no CSRF token is passed with the request. Proof of Concept Actual Request POST /siteadmin/file/configuration HTTP/1.1 Host:...
Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq
Description When creating a link using the editor function, a stored XSS vulnerability occurs because a javascript scheme can be used. Proof of Concept 1. Go to Campaigns > Mailing Campaigns > Editor 2. Enter the URL: javascript:alert(document.domain) 3. After that, click the URL Video:...
Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq
Description When building an app, an XSS vulnerability occurs in the app's name. Proof of Concept 1. Go to App Settings 2. Enter " as the name of the app Video: https://www.youtube.com/watch?v=dEFDHHGxzoY Impact Through this vulnerability, an attacker is capable of executing malicious scripts...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description A CSRF issue is found in the audit configuration under settings. It was found that no CSRF token validation is done on the server side. If we remove the CSRF token and keep the CSRF token field empty, the action is still performed. Proof of Concept Request POST...
Improper Input Validation in chatwoot/chatwoot
Description This vulnerability impacts all fields sent to Chatwoot. Any field that has an excessive amount of characters in it will cause the agent's page to take an abnormal amount of time to load, often requiring the content to be removed before the page will load. In my example, I put 20000000...