Cross-site Scripting (XSS) - Stored in admidio/admidio
Description I can send a message. In there, I can create a link. But when I create a link, I can use an onfocus/autofocus attribute after escaping the href attribute, because double quotes are not processed. Proof of Concept 1. Open the...
Cross-site Scripting (XSS) - Stored in mautic/mautic
Description When installing Mautic both via UI or CLI the first and last name of the admin account are not sanitised before being stored in the database. This results in a possible stored XSS possibility, as those fields are displayed and re-used without any sanitisation. During install the raw...
in crater-invoice/crater
Description In recent Crater version e3f3809f (tag: 6.0.1) a customer with the portal function enabled can upload a PHP file instead of an avatar. Proof of Concept POST /api/v1/company-name/customer/profile HTTP/1.1 Host: 172.17.0.1:8888 User-Agent: Mozilla/5.0 X11; Linux x86_64; rv:97.0 Gecko/20100101...
in skylot/jadx
Description parseXml function in ExportGradleProject is not secured against XXE because it does not include the disallow-doctype-decl attribute, therefore JADX is vulnerable to XXE when parsing a malicious Android Manifest when exporting Android app to Gradle. In...
Cross-site Scripting (XSS) - Stored in e107inc/e107
A Stored Cross-Site Scripting XSS using svg exists in e107 version 2.3.1 Date: 12/1/2022 Exploit Author: Trương Hữu Phúc Contact me: + Github: https://github.com/truonghuuphuc + Facebook: https://www.facebook.com/DdosFulzac.auz1/ + Email: [email protected] + Product: e107 + Version: 2.3.1...
Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm
Description Hi there, I would like to report a CSRF vulnerability in yetiforcecompany/yetiforcecrm. This allows an attacker to create a new admin. Even when SameSite: Strict is enabled, this can still be exploited by an attacker with the lowest-privilege account, e.g. guest. Proof of Concept + These are...
Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq
Description chaskiq is an Open Source Messaging Platform for Marketing, Support & Sales. This package is vulnerable to XSS. Proof of Concept Impact This vulnerability is capable of stored XSS...
Heap-based Buffer Overflow in vim/vim
Description A Heap-based Buffer Overflow has been found in vim commit 3cf21b3 Proof of Concept base64 poc ZggwMDAwMDAwMDAwMDAwMDAwMBkwMDAwCmYIMDAwMDAwMCUlJSUlJSUlJSUlMDAwMDD8CmUlJSUl JSUlJSUlJSUlJQp2cwp2MP8wbwo= /fuzzing/vim/vim/src/vim -u NONE -X -Z -e -s -S ./poc -c :qa! ASan stack trace:...
Cross-site Scripting (XSS) - Stored in orchardcms/orchardcore
Description The Stored XSS vulnerability occurs because the menu editing function can insert a JavaScript Scheme as the value of the menu's HREF. Proof of Concept txt 1. Go to Content - Menu - Edit 2. Enter javascript:alertdocument.domain as the URL value using the Add or Edit menu function. 3...
Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite
Description Hi there, I would like to report another CSRF in phoronix Proof of Concept 1. Install a local instance of phoronix 2. Create a benchmark and note down benchmark id 3. Access the link /?benchmark//&repeat, /?benchmark//&disable and /?benchmark//&remove and see that the benchmark is...
Exposure of Sensitive Information to an Unauthorized Actor in feross/simple-get
BUG: Cookie header leaked to a third-party site, which allows hijacking the victim's account. SUMMARY: When fetching a remote URL with a Cookie, if it gets a Location response header then it will follow that URL and try to fetch it with the provided cookie. So the cookie is leaked here to...
Exposure of Sensitive Information to an Unauthorized Actor in sscarduzio/elasticsearch-readonlyrest-plugin
Description elasticsearch-readonlyrest-plugin is using TLS. There are many serious vulnerabilities in early TLS that left unaddressed put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple of examples of how attackers have taken advantage of...
in log4js-node/log4js-node
BUG: Any unprivileged user can see the log file and sensitive information is disclosed. SUMMARY: log4js creates a log file to store the log. The log may contain a lot of sensitive information like username, password, token, api-key etc. So this log file should not be accessible by other users. But...
Cross-site Scripting (XSS) - Stored in orchardcms/orchardcore
Description The application does not escape special characters before output to the FE, leading to stored XSS. Proof of Concept 1. Go to Workflows Create Workflow Add Task/Event 2. Set a title with XSS payload, e.g: aa Impact XSS can have huge implications for a web application and its users. User...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description Stored xss Proof of Concept txt onmouseover="alert1"link Video : https://drive.google.com/file/d/1WzArNdgXgjVOS6qsePRvGWIz6ljtxApx/view?usp=sharing Impact Through this vulnerability, an attacker is capable to execute malicious scripts...
Improper Privilege Management in delgan/loguru
BUG: An unprivileged user can see the log file and sensitive information is disclosed. SUMMARY: loguru creates a log file to store the log. The log may contain a lot of sensitive information like username, password, token, key etc. So this log file should not be accessible by other users. But when...
in stanfordnlp/corenlp
Description The TransformXML function makes use of a SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description pimcore is vulnerable to Stored XSS at the Name field in the setting tab of the Global Targeting Rules. Steps to reproduce 1. Go to https://demo.pimcore.fun/admin/ and login. 2. In the left menu bar, click the Marketing icon then choose Personalization / Targeting - Global Targeting Rules...
Business Logic Errors in silverstripe/silverstripe-framework
Description SilverStripe Framework is vulnerable to Business Logic Errors in the Failed login count, since that value can be a negative number. Proof of Concept 1. After login, go to the Security page under the path /admin/security/ 2. Click on any member record 3. In the member edit form, enter a negati...
in ionicabizau/parse-url
Description urldomain validation bypass Proof of Concept parse-url is not able to verify the urldomain properly when basic authentication is given. This allows bypassing hostname validation. Let's say the username is admin, the password is password123@ and the hostname is 127.0.0.1. So the url will be...
in vim/vim
Description Memory Allocation with Excessive Size Value Proof of Concept base64 poc aAp2ewp5Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3NzcKXQo= vim -u NONE -X -Z -e -s -S ./poc -c :qa! ==1206187==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffff8 0x7f8 after adjustments for alignment, red zones...
Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite
Description Hello phoronix test suite maintainer team, there is a Cross site request forgery vulnerability in phoronix test suite. Proof of Concept 1. Install phoronix test suite on your system 2. Create a test suite 3. Open another tab in browser and go to the link /?localsuites/delete/-1.0.0, f...
Cross-site Scripting (XSS) - Generic in projectsend/projectsend
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite
Description Hi there, I would like to report a Cross Site Request Forgery in phoronix source code. Cross-site request forgery also known as CSRF is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to...
Improper Access Control in snipe/snipe-it
Description A user with no rights for API tokens can view the page where API tokens can be generated and can generate API tokens. Proof of Concept - Create a user with no permission for anything i.e. everything on deny. - Log in with this user to the web application. - Visit...
SQL Injection in dolibarr/dolibarr
Description The searchusers parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection. Proof of Concept Slow query example: POST /dolibarr-14.0.5/htdocs/compta/sociales/list.php HTTP/1.1 Content-Type:...
Business Logic Errors in dolibarr/dolibarr
Description The application does not check the input of the price number, leading to a Business Logic error through a negative price amount. Proof of Concept 1. Go to the Product and Services area htdocs/product/index.php 2. Create a new or edit an item, insert a negative amount into the Selling price field. Also in...
Cross-site Scripting (XSS) - DOM in mrdoob/three.js
Description DOM-based XSS is a vulnerability in which the attacker can inject arbitrary javascript code in any DOM sink that supports dynamic code execution. In our case, source is window.location.hash and sink is iframe.src Proof of Concept 1 Visit...
SQL Injection in pimcore/pimcore
Description The storeId parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection. Proof of Concept 1. Add items to Classification Store: Key definition, Group,... 2. Injection boolean-based:...
Insecure Temporary File in mlflow/mlflow
Description mlflow package is using the deprecated function tempfile.mktemp which is not secure. Because a different process may create a file with this name in the time between the call to mktemp and the subsequent attempt to create the file by the first process. Impact Availability will get...
Improper Access Control in chocobozzz/peertube
Description Unauthenticated users can obtain comments on private videos Proof of Concept Visit the following API link where 123 is the ID of the private video: /api/v1/videos/123/comment-threads Response contains all the comments on that private video. Impact This vulnerability disclosure comment...
Heap-based Buffer Overflow in vim/vim
Description Heap-buffer-overflow in vim Command ./vim -u NONE -X -Z -e -s -S minpoc -c :qa! Proof of Concept minpoc is here. bt Program received signal SIGABRT, Aborted. __GI_raise sig=sig@entry=6 at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or...
Cross-site Scripting (XSS) - DOM in karma-runner/karma
Description DOM-based XSS is a vulnerability in which the attacker can inject arbitrary javascript code in any DOM sink that supports dynamic code execution. In our case, source is query parameter returnurl and sink is location.href. Proof of Concept 1 Start karma server and visit the following...
Cross-site Scripting (XSS) - Stored in outline/outline
Description outline is a fast wiki and knowledge base for growing teams. Beautiful, feature rich, and markdown compatible. This package is vulnerable to stored XSS. Proof of Concept Or here is the original video Impact This vulnerability is capable of Stored XSS...
Insecure Temporary File in horovod/horovod
Description horovod package is using the deprecated function tempfile.mktemp which is not secure. Because a different process may create a file with this name in the time between the call to mktemp and the subsequent attempt to create the file by the first process. Impact Availability will get...
in unshiftio/url-parse
Description Improperly handling username and password, and unable to detect the hostname. Proof of Concept url-parse is not able to verify basic authentication credentials and also wrongly verifies the hostname. This allows bypassing hostname validation. Let's say the username is admin and the password is...
None in vim/vim
Description A Heap-based Buffer Overflow has been found in vim commit a909c48 Proof of Concept base64 poc ZGVmIEZpcnN0RnVuY3Rpb24oKQogIGRlZiBTZWNvbmRGdW5jdGlvbihKICA9CiAgIyBOb2lzCiAg IyBvbmUKICAgCiAgIGVuZGRlZnxCQkJCCmVuZGRlZgojIENvbXBpbGUgYWxsIGZ1bmN0aW9ucwpk ZWZjb21waWxlCg==...
Heap-based Buffer Overflow in vim/vim
Description A Heap-based Buffer Overflow has been found in vim commit 2f0936c Proof of Concept base64 poc ZGVmIEZpcnN0RnVuY3Rpb24oKQogIGRlZiBTZWNvbmRGdW5vbmUKJCAgCiAgIGVuZGRCQkJCCmVu ZGRlZgojIEN/////bGUgYWxsZWZ8QkJCQgplbmRkZWYKIyBDb21waWxlIGFsbCBmdW5jdGlvbnMK ZGVmY29tcGlsZQo=...
Cross-Site Request Forgery (CSRF) in liukuo362573/yishaadmin
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
in lquixada/cross-fetch
BUG: Cookie header leaked to a third-party site, which allows hijacking the victim's account. SUMMARY: When fetching a remote URL with a Cookie, if it gets a Location response header then it will follow that URL and try to fetch it with the provided cookie. So the cookie is leaked here to...
Cross-site Scripting (XSS) - Stored in orchardcms/orchardcore
Description The application does not escape special characters before output to the FE, leading to stored XSS. Proof of Concept Example of a case: 1. Go to Content Content Types /Admin/ContentTypes/List 2. Create or edit a type with XSS payload in the Display Name field, e.g: Social Meta Settings Tick on...
Improper Access Control in snipe/snipe-it
Description All bulk actions (bulk-edit / bulk-delete / form info) in asset models do not have access control checks. Proof of concept 1: Grant view to Asset Models 2: UI for bulk-edit and bulk-delete is still enabled, proceed. 3: You may bulk-delete / edit any asset model Impact This vulnerability ...
Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch
BUG: Cookie header leaked to a third-party site, which allows hijacking the victim's account. SUMMARY: When fetching a remote URL with a Cookie, if it gets a Location response header then it will follow that URL and try to fetch it with the provided cookie. So the cookie is leaked here to...
Insecure Temporary File in tensorflow/tensorflow
Description tensorflow package is using the deprecated function tempfile.mktemp which is not secure. Because a different process may create a file with this name in the time between the call to mktemp and the subsequent attempt to create the file by the first process. Impact Availability will get...
in follow-redirects/follow-redirects
BUG: Cookie header leaked to a third-party site, which allows hijacking the victim's account. SUMMARY: When fetching a remote URL with a Cookie, if it gets a Location response header then it will follow that URL and try to fetch it with the provided cookie. So the cookie is leaked here to...
Path Traversal in konloch/bytecode-viewer
Description the.bytecode.club:Bytecode-Viewer is a lightweight user-friendly Java/Android Bytecode Viewer, Decompiler & More. Affected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction AKA "Zip Slip". The vulnerability is exploited using a specially crafted...
Exposure of Sensitive Information to an Unauthorized Actor in scrapy/scrapy
BUG: Cookie header leaked to a third-party site, which allows hijacking the victim's account. SUMMARY: When you are crawling a site with a cookie and it receives a Location header to redirect, then scrapy sends all cookies to this redirect URL even if it is a different domain. But every browser...
Exposure of Sensitive Information to an Unauthorized Actor in axios/axios
BUG: Cookie header leaked to a third-party site, which allows hijacking the victim's account. SUMMARY: When fetching a remote URL with a Cookie, if it gets a Location response header then it will follow that URL and try to fetch it with the provided cookie. So the cookie is leaked here to...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description I can create links using the Web links feature. However, since the input value is not URL-encoded, the onfocus and autofocus properties can be used by escaping the properties of the "A" tag using double quotation marks ". Proof of Concept...
in vim/vim
Description A heap-based OOB read of size 1 occurs when a user tries to open the vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such as -Z and -m. This bug has been found on a default vim build at the latest commit hash...