4072 matches found
None in vim/vim
Description A Heap-based Buffer Overflow has been found in vim commit a909c48 Proof of Concept base64 poc ZGVmIEZpcnN0RnVuY3Rpb24oKQogIGRlZiBTZWNvbmRGdW5jdGlvbihKICA9CiAgIyBOb2lzCiAg IyBvbmUKICAgCiAgIGVuZGRlZnxCQkJCCmVuZGRlZgojIENvbXBpbGUgYWxsIGZ1bmN0aW9ucwpk ZWZjb21waWxlCg==...
Heap-based Buffer Overflow in vim/vim
Description A Heap-based Buffer Overflow has been found in vim commit 2f0936c Proof of Concept base64 poc ZGVmIEZpcnN0RnVuY3Rpb24oKQogIGRlZiBTZWNvbmRGdW5vbmUKJCAgCiAgIGVuZGRCQkJCCmVu ZGRlZgojIEN/////bGUgYWxsZWZ8QkJCQgplbmRkZWYKIyBDb21waWxlIGFsbCBmdW5jdGlvbnMK ZGVmY29tcGlsZQo=...
Cross-Site Request Forgery (CSRF) in liukuo362573/yishaadmin
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
in lquixada/cross-fetch
BUG ====== Cookie header leaked to third party site and it allow to hijack victim account SUMMURY ============ When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to...
Cross-site Scripting (XSS) - Stored in orchardcms/orchardcore
Description The application does not escape special characters before output to FE, lead to stored XSS. Proof of Concept Example of a case: 1. Go to Content Content Types /Admin/ContentTypes/List 2. Create or edit a type with XSS payload into Display Name field, e.g: Social Meta Settings Tick on...
Improper Access Control in snipe/snipe-it
Description All bulk actions bulk-edit / bulk-delete / form info in asset models do not have access control checks Proof of concept 1: Grant view to Asset Models 2: UI for bulk-edit and bulk-delete is still enabled, proceed. 3: You may bulk-delete / edit any asset model Impact This vulnerability ...
Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch
BUG ====== Cookie header leaked to third party site and it allow to hijack victim account SUMMURY ============ When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to...
Insecure Temporary File in tensorflow/tensorflow
Description tensorflow package is using the deprecated function tempfile.mktemp which is not secure. Because a different process may create a file with this name in the time between the call to mktemp and the subsequent attempt to create the file by the first process. Impact Availability will get...
in follow-redirects/follow-redirects
BUG ====== Cookie header leaked to third party site and it allow to hijack victim account SUMMURY ============ When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to...
Path Traversal in konloch/bytecode-viewer
Description the.bytecode.club:Bytecode-Viewer is a lightweight user-friendly Java/Android Bytecode Viewer, Decompiler & More. Affected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction AKA "Zip Slip". The vulnerability is exploited using a specially crafted...
Exposure of Sensitive Information to an Unauthorized Actor in scrapy/scrapy
BUG ====== Cookie header leaked to third party site and it allow to hijack victim account SUMMURY ============= When you crawling a site with cookie and it received Location header to redirect then scrappy send all cookie to this redirect url even if this is different domain . But every browser...
Exposure of Sensitive Information to an Unauthorized Actor in axios/axios
BUG ====== Cookie header leaked to third party site and it allow to hijack victim account SUMMURY ============ When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description I can create links using the Web links feature. However, since the input value is not URL-encoded, the onfocus and autofocus properties can be used by escaping the properties of the "A" tag using double quotation marks ". Proof of Concept txt...
in vim/vim
Description A heap-based OOB read of size 1 occurs when a user tries to open a vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build lastest commit hash...
Type Confusion in lirantal/daloradius
Description During the comparisons of different variables, PHP will automatically convert the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12' or check whether or not a string is empty by using a comparison like $string == True. This, however...
Cross-site Scripting (XSS) - Stored in phoronix-test-suite/phoronix-test-suite
Description Hi there phoronix test suite maintainer team. There is a stored XSS in phoronix-test-suite source code. This is in group name. Proof of Concept 1. Install a local instance of phoronix test suite 2. Create an account and log in, then create a group with name . Note that you cannot crea...
in slidevjs/slidev
Description Vulnerability: CSS injection and Limited XSS via postMessage While reading the code, I came across packages/client/iframes/monaco/index.ts file, where a message eventListener is being used. The callback function adds the content of message inside tag. This way, the attacker can post a...
Improper Authorization in saleor/saleor
Title GraphQL traversal due to missing permission checks Description orders and customers fields allow to access each other via nodes edges. However, connections don't check user's permissions, which allows, for instance, a staff with just Customers permissions get full information about the orde...
Exposure of Sensitive Information to an Unauthorized Actor in hoppscotch/hoppscotch
Description Steal authorization token via xss and hijack attack Proof of Concept Using this attack , attacker can hijack account by stealing authorization header . I see there is team based collaboration exists ,so one user can hack other user account using this bug . STEP -------- First host...
in livehelperchat/livehelperchat
Description When resetting your password, you're able to enumerate users based on the way that the server responds to your request. If you enter an email that doesn't exist for example: [email protected], then the server will respond with an HTTP 302 FOUND status response code indicated by line 97 o...
in zikula/core
Description When sending test emails, you're able to spam a target email address with as many emails as an attacker wants to a victim's email address due to lack of rate limiting /mailer/config/test I've put together a simple Python script that exploits this and would allow you to send a custom...
Cross-site Scripting (XSS) - Stored in getgrav/grav
Description Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage. I used &58 instead of : in the href attribute of tag to bypass the xss...
Exposure of Sensitive Information to an Unauthorized Actor in microweber/microweber
Description Any unauthorized/unauthenticated actor can find the PII data of all the users registered in the application. PII - Personally Identifiable Information leaked by this application is first name, last name, email id, picture, username, isadmin status Proof of Concept 1 Visit...
Cross-Site Request Forgery (CSRF) in gunet/openeclass
Description No CSRF is provided when deleting messages. Proof of Concept The attacker could delete a specific message as they are generated consecutively and brute forcing it. history.pushState'', '', '/' or the could just delete all the messages: history.pushState'', '', '/' Impact Combining thi...
Improper Access Control in microweber/microweber
Description Access Controls are used in an application to restrict a user to access only intended functions. If the user is able to access any feature/function which is not allowed by the application and user gets successful in this attempt, then it will be considered as broken access control...
Cross-site Scripting (XSS) - Stored in microweber/microweber
Description Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage. Proof of Concept 1 Visit "Contact Us" page and put in Message field. Cli...
Code Injection in microweber/microweber
Description HTML Injection is a vulnerability in which the attacker can inject malicious html content in the webpage. Proof of Concept 1 Admin has enabled Comments module, so that people can comment on a blog post. 2 Attacker post the following comment: SOMETHING+SOMETHING Now, observe the change...
Cross-site Scripting (XSS) - Reflected in microweber/microweber
Description XSS - Cross-Site Scripting is vulnerability which allows attackers to execute arbitrary javascript code in the browser of victim. PAYLOAD for firefox: a' onafterscriptexecute=alertdocument.domain c='a requires NO user-interaction PAYLOAD for all major browsers: a'...
Open Redirect in microweber/microweber
Description An Open Redirect vulnerability enables attacker to redirect the victims/users to malicious websites. Proof of Concept 1. Visit https://demo.microweber.org/demo/api/logout?redirectto=https://example.com It will redirect you to example.com Impact Attackers can use it in phishing campaig...
Server-Side Request Forgery (SSRF) in dompdf/dompdf
Description DomPDF uses filegetcontents to obtain HTTP files when allowurlfopen is "On". On default contexts, filegetcontents will redirect whenever served with a 302 response. When developers use DomPDF with isRemoteEnabled set to "true" and allowurlfopen set to "true", but restrict IP addresses...
Heap-based Buffer Overflow in neomutt/neomutt
Description When connected through imap/imaps with a server, neomutt is prone to a heap buffer overflow when using the auto completion feature. Proof of Concept Prepare client configuration which connects to 127.0.0.1:14300 cat muttrc imap.txt.b64 EOF...
Cross-site Scripting (XSS) - Stored in cacti/cacti
Description Hi there cacti maintainer team, I would like to report a stored XSS in cacti source code. It is due to unsanitized error message in synchronizing aggregates for color. Proof of Concept 1. Install a cacti instance in your local 2. Go to Color and create a color with name 3. Back to col...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description When editing your profile, you can create social media links. However, the stored XSS vulnerability using the autofocus and onfocus attributes occurs because the double-quote is not URL-encoded in the input value of the social media link. Proof of Concept txt 1. Open the...
Improper Access Control in chocobozzz/peertube
Description Unauthenticated users can obtain the caption of private videos Proof of Concept 1: First, create a private video and upload a caption 2: As an unauthenticated user, logout and visit the /api/v1/videos/1/captions 3: The response should return a lazy-static URL...
Cross-site Scripting (XSS) - Stored in erudika/scoold
Description The Schold is a Q&A/knowledge base platform written in Java. When writing a Q&A, you can use the markdown editor. So I tried to exploit the syntax to try an XSS attack. It seemed to validate javascript: on the backend. So I couldn't use it. However, according to RFC3986, the scheme ca...
Exposure of Sensitive Information to an Unauthorized Actor in polonel/trudesk
Description When you delete a conversation, the server responds with sensitive data including user IDs and emails among other data. The endpoint that's contacted in order to delete a conversation is /api/v1/messages/conversation/. A user with low level privileges such as a customer account could...
Cross-site Scripting (XSS) - Stored in zikula/core
Description When inputting a name for a module category whether editing an existing one or adding a new one, you're able to inject your own Javascript, leading to it being executed. An example payload that you can enter is: xss and then each time that you click the category to expand it, your...
in star7th/showdoc
Description In the recent Showdoc application 925970e7 tag:v2.9.15 I have discovered possibility to enumerate registered users in the system. Proof of Concept Request: POST /server/index.php?s=/api/user/register HTTP/1.1 Host: 172.17.0.3 User-Agent: Mozilla/5.0 X11; Linux x8664; rv:96.0...
Server-Side Request Forgery (SSRF) in transloadit/uppy
Description Uppy is vulnerable to SSRF through IPv4-mapped IPv6 addresses - https://www.ibm.com/docs/en/zos/2.1.0?topic=addresses-ipv4-mapped-ipv6 The report at https://hackerone.com/reports/786956 does not fix it because it uses a easily bypassable deny list in...
Cross-site Scripting (XSS) - Reflected in keystonejs/keystone
Description On Login Page, There Is A "from=" parameter in URL which is vulnerable to open redirect and which can be escalated to reflected XSS. Proof of Concept 1. Install Keystone 6 On Your System. 2. Go To http://localhost:3000/signin?from=http://evil.com And Login And You'll Be Redirected To...
None in radareorg/radare2
Description This vulnerability is of use-after-free. The bug exists in latest stable release radare2-5.5.4. Specifically, the vulnerable code is picked out as follows libr/io/iobank.c: // ./libr/io/iobank.c line 229 // the entry-data is a freed pointer address while entry && riosubmapto RIOSubMap...
Server-Side Request Forgery (SSRF) in rodber/chevereto-free
Description There was some hardening done previously against private IP addresses in the SSRF vulnerability I disclosed in the previous report https://github.com/rodber/chevereto-free/. However the checks can be bypassed by URL redirection. Proof of Concept If http://example.com resolves to a...
in radareorg/radare2
Description This vulnerability is of out-of-bound read. The bug exists in latest stable release radare2-5.5.4. Specifically, the vulnerable code is picked out as follows: // libr/util/buf.c line 631 RAPI void rbuffiniRBuffer b ... // the pointer address of b-methods is broken if...
Server-Side Request Forgery (SSRF) in chocobozzz/peertube
Description There is an SSRF vulnerability in PeerTube, registered users outside of the external network can issue GET requests into the internal network via the Import With URL option. Proof of Concept Setting a Python3 server on 8080 python3 -m http.server 8080 And importing this URL...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description I found a way to bypass the Stored XSS via uploading File with format .svg when chatting in private conversation. Since you have filtered the content of the svg file as below: state $RULES = svg = qr Steps to Reproduce 1.After login, go to any private conversation. 2.In the chat bar,...
Heap-based Buffer Overflow in gpac/gpac
Description Heap-based Buffer Overflow SFSAddString at bifs/scriptdec.c:76 Proof of Concept POC1 is here. Result MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null POC1 ··· 5 538135 abort ./source/gpac/bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp Bt...
in gpac/gpac
Description Null Pointer Dereference in gfutf8wcslen Proof of Concept POC is here. bt Program received signal SIGSEGV, Segmentation fault. ----------------------------------registers----------------------------------- RAX: 0x24 '$' RBX: 0x5555555e2870 -- 0x5555555e2840 -- 0x2000000020000000 '' RC...
Cross-Site Request Forgery (CSRF) in e107inc/e107
Description Hi there e107 team, there is another CSRF on your downloading plugins feature Proof of Concept 1. Install a local instance of e107. 2. Log in as admin 3. Access this link...
Improper Access Control in crater-invoice/crater
Description In recent Crater version faf1ef09 tag: 5.0.6 I discovered, that not authenticated user can download all expense receipts uploaded to any company. Proof of Concept Python import requests for i in range1, 100: r = requests.getf'http://172.17.0.1:8080/expenses/i/download-receipt' if...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description The Convos is an open source multi-user chat that runs in a web browser. Characters starting with "https://" in the chat window create tag. Stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for "" but escaping for double quarter does not exist. Proof ...