Type Confusion in lirantal/daloradius
Description During the comparisons of different variables, PHP will automatically convert the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12' or check whether or not a string is empty by using a comparison like $string == True. This, however...
Cross-site Scripting (XSS) - Stored in phoronix-test-suite/phoronix-test-suite
Description Hi there phoronix test suite maintainer team. There is a stored XSS in phoronix-test-suite source code. This is in group name. Proof of Concept 1. Install a local instance of phoronix test suite 2. Create an account and log in, then create a group with name . Note that you cannot crea...
in slidevjs/slidev
Description Vulnerability: CSS injection and Limited XSS via postMessage While reading the code, I came across packages/client/iframes/monaco/index.ts file, where a message eventListener is being used. The callback function adds the content of message inside tag. This way, the attacker can post a...
Improper Authorization in saleor/saleor
Title GraphQL traversal due to missing permission checks Description The orders and customers fields allow access to each other via nodes edges. However, connections don't check the user's permissions, which allows, for instance, a staff member with just Customers permissions to get full information about the orde...
Exposure of Sensitive Information to an Unauthorized Actor in hoppscotch/hoppscotch
Description Steal authorization token via XSS and hijack attack Proof of Concept Using this attack, an attacker can hijack an account by stealing the authorization header. I see there is team-based collaboration, so one user can hack another user's account using this bug. STEP -------- First host...
in livehelperchat/livehelperchat
Description When resetting your password, you're able to enumerate users based on the way that the server responds to your request. If you enter an email that doesn't exist for example: [email protected], then the server will respond with an HTTP 302 FOUND status response code indicated by line 97 o...
in zikula/core
Description When sending test emails, you're able to spam a target email address with as many emails as an attacker wants to a victim's email address due to lack of rate limiting /mailer/config/test I've put together a simple Python script that exploits this and would allow you to send a custom...
Cross-site Scripting (XSS) - Stored in getgrav/grav
Description Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage. I used &58 instead of : in the href attribute of tag to bypass the xss...
Exposure of Sensitive Information to an Unauthorized Actor in microweber/microweber
Description Any unauthorized/unauthenticated actor can find the PII data of all the users registered in the application. PII - Personally Identifiable Information leaked by this application is first name, last name, email id, picture, username, isadmin status Proof of Concept 1 Visit...
Cross-Site Request Forgery (CSRF) in gunet/openeclass
Description No CSRF is provided when deleting messages. Proof of Concept The attacker could delete a specific message, as they are generated consecutively, by brute forcing it. history.pushState'', '', '/' or they could just delete all the messages: history.pushState'', '', '/' Impact Combining thi...
Improper Access Control in microweber/microweber
Description Access controls are used in an application to restrict a user to only the intended functions. If the user is able to access any feature/function which is not allowed by the application, and the user succeeds in this attempt, then it is considered broken access control...
Cross-site Scripting (XSS) - Stored in microweber/microweber
Description Stored XSS is a vulnerability in which the attacker can execute arbitrary javascript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage. Proof of Concept 1 Visit "Contact Us" page and put in Message field. Cli...
Code Injection in microweber/microweber
Description HTML Injection is a vulnerability in which the attacker can inject malicious HTML content into the webpage. Proof of Concept 1 Admin has enabled the Comments module, so that people can comment on a blog post. 2 The attacker posts the following comment: SOMETHING+SOMETHING Now, observe the change...
Cross-site Scripting (XSS) - Reflected in microweber/microweber
Description XSS - Cross-Site Scripting is a vulnerability which allows attackers to execute arbitrary JavaScript code in the browser of the victim. PAYLOAD for Firefox: a' onafterscriptexecute=alertdocument.domain c='a requires NO user interaction PAYLOAD for all major browsers: a'...
Open Redirect in microweber/microweber
Description An Open Redirect vulnerability enables an attacker to redirect victims/users to malicious websites. Proof of Concept 1. Visit https://demo.microweber.org/demo/api/logout?redirectto=https://example.com It will redirect you to example.com Impact Attackers can use it in phishing campaig...
Server-Side Request Forgery (SSRF) in dompdf/dompdf
Description DomPDF uses file_get_contents to obtain HTTP files when allow_url_fopen is "On". On default contexts, file_get_contents will redirect whenever served with a 302 response. When developers use DomPDF with isRemoteEnabled set to "true" and allow_url_fopen set to "true", but restrict IP addresses...
Heap-based Buffer Overflow in neomutt/neomutt
Description When connected through imap/imaps with a server, neomutt is prone to a heap buffer overflow when using the auto completion feature. Proof of Concept Prepare client configuration which connects to 127.0.0.1:14300 cat muttrc imap.txt.b64 EOF...
Cross-site Scripting (XSS) - Stored in cacti/cacti
Description Hi there cacti maintainer team, I would like to report a stored XSS in cacti source code. It is due to unsanitized error message in synchronizing aggregates for color. Proof of Concept 1. Install a cacti instance in your local 2. Go to Color and create a color with name 3. Back to col...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description When editing your profile, you can create social media links. However, the stored XSS vulnerability using the autofocus and onfocus attributes occurs because the double-quote is not URL-encoded in the input value of the social media link. Proof of Concept txt 1. Open the...
Improper Access Control in chocobozzz/peertube
Description Unauthenticated users can obtain the caption of private videos Proof of Concept 1: First, create a private video and upload a caption 2: As an unauthenticated user, logout and visit the /api/v1/videos/1/captions 3: The response should return a lazy-static URL...
Cross-site Scripting (XSS) - Stored in erudika/scoold
Description Scoold is a Q&A/knowledge base platform written in Java. When writing a Q&A, you can use the markdown editor. So I tried to exploit the syntax to try an XSS attack. It seemed to validate javascript: on the backend. So I couldn't use it. However, according to RFC3986, the scheme ca...
Exposure of Sensitive Information to an Unauthorized Actor in polonel/trudesk
Description When you delete a conversation, the server responds with sensitive data including user IDs and emails among other data. The endpoint that's contacted in order to delete a conversation is /api/v1/messages/conversation/. A user with low level privileges such as a customer account could...
Cross-site Scripting (XSS) - Stored in zikula/core
Description When inputting a name for a module category whether editing an existing one or adding a new one, you're able to inject your own Javascript, leading to it being executed. An example payload that you can enter is: xss and then each time that you click the category to expand it, your...
in star7th/showdoc
Description In the recent Showdoc application 925970e7 tag:v2.9.15 I have discovered the possibility of enumerating registered users in the system. Proof of Concept Request: POST /server/index.php?s=/api/user/register HTTP/1.1 Host: 172.17.0.3 User-Agent: Mozilla/5.0 X11; Linux x86_64; rv:96.0...
Server-Side Request Forgery (SSRF) in transloadit/uppy
Description Uppy is vulnerable to SSRF through IPv4-mapped IPv6 addresses - https://www.ibm.com/docs/en/zos/2.1.0?topic=addresses-ipv4-mapped-ipv6 The report at https://hackerone.com/reports/786956 does not fix it because it uses an easily bypassable deny list in...
Cross-site Scripting (XSS) - Reflected in keystonejs/keystone
Description On the login page, there is a "from=" parameter in the URL which is vulnerable to open redirect and which can be escalated to reflected XSS. Proof of Concept 1. Install Keystone 6 on your system. 2. Go to http://localhost:3000/signin?from=http://evil.com and log in, and you'll be redirected to...
None in radareorg/radare2
Description This vulnerability is a use-after-free. The bug exists in the latest stable release radare2-5.5.4. Specifically, the vulnerable code is picked out as follows libr/io/io_bank.c: // ./libr/io/io_bank.c line 229 // the entry-data is a freed pointer address while entry && riosubmapto RIOSubMap...
Server-Side Request Forgery (SSRF) in rodber/chevereto-free
Description There was some hardening done previously against private IP addresses in the SSRF vulnerability I disclosed in the previous report https://github.com/rodber/chevereto-free/. However the checks can be bypassed by URL redirection. Proof of Concept If http://example.com resolves to a...
in radareorg/radare2
Description This vulnerability is an out-of-bounds read. The bug exists in the latest stable release radare2-5.5.4. Specifically, the vulnerable code is picked out as follows: // libr/util/buf.c line 631 R_API void r_buf_fini(RBuffer *b) ... // the pointer address of b->methods is broken if...
Server-Side Request Forgery (SSRF) in chocobozzz/peertube
Description There is an SSRF vulnerability in PeerTube: registered users outside of the external network can issue GET requests into the internal network via the Import With URL option. Proof of Concept Setting up a Python3 server on 8080 python3 -m http.server 8080 And importing this URL...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description I found a way to bypass the Stored XSS via uploading a file with format .svg when chatting in a private conversation. Since you have filtered the content of the svg file as below: state $RULES = svg = qr Steps to Reproduce 1. After login, go to any private conversation. 2. In the chat bar,...
Heap-based Buffer Overflow in gpac/gpac
Description Heap-based Buffer Overflow SFSAddString at bifs/scriptdec.c:76 Proof of Concept POC1 is here. Result MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null POC1 ··· 5 538135 abort ./source/gpac/bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp Bt...
in gpac/gpac
Description Null Pointer Dereference in gf_utf8_wcslen Proof of Concept POC is here. bt Program received signal SIGSEGV, Segmentation fault. ----------------------------------registers----------------------------------- RAX: 0x24 '$' RBX: 0x5555555e2870 -- 0x5555555e2840 -- 0x2000000020000000 '' RC...
Cross-Site Request Forgery (CSRF) in e107inc/e107
Description Hi there e107 team, there is another CSRF on your downloading plugins feature Proof of Concept 1. Install a local instance of e107. 2. Log in as admin 3. Access this link...
Improper Access Control in crater-invoice/crater
Description In recent Crater version faf1ef09 tag: 5.0.6 I discovered that an unauthenticated user can download all expense receipts uploaded to any company. Proof of Concept Python import requests for i in range(1, 100): r = requests.get(f'http://172.17.0.1:8080/expenses/{i}/download-receipt') if...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description Convos is an open source multi-user chat that runs in a web browser. Characters starting with "https://" in the chat window create tag. Stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for "" but escaping for the double quote does not exist. Proof ...
in vim/vim
Description A heap-based OOB read of size 1 occurs when a user tries to open the vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such as -Z and -m. This bug has been found on default vim build version 8.2.3931, commit hash...
None in vim/vim
Description A use after free vulnerability has been found in vim 8.2.3931 commit hash febb78fa1798e0f95983b3f7881419a754886df5. The bug has been reproduced on Ubuntu 20.04 with gcc 9.3.0. Proof of Concept After building vim with gcc and ASAN run vim with the following session file: $ echo -ne...
Heap-based Buffer Overflow in mruby/mruby
Description Heap-based Buffer Overflow in mrb_irep_cutref Proof of Concept a = a. nil too many irep references RuntimeError ================================================================= ==990==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a6 at pc 0x560e7e6acc2e bp...
Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq
Description Hi there, another CSRF in clearing search items. Proof of Concept 1. Install a local instance of phpmyfaq. 2. Go to this link /phpmyfaq/admin/?action=truncatesearchterms 3. See that all search terms are deleted. Impact This vulnerability is capable of CSRF...
Improper Access Control in bookstackapp/bookstack
Description parentChapter permissions are not enforced during sort. Users with only book-update permissions on their own page can move their pages into restricted chapters via modifying the parentChapter id in the sortmap. Users do not need to have access to restricted books / chapter in order to...
Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq
Description Hi there, there is a CSRF in your logout function. This will force admin to logout if he/she clicks on the link attacker gives him. Proof of Concept 1. Install phpmyfaq on your system. 2. Login as admin 3. Open this link /admin/index.php?action=logout 4. See that you are logged out of...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description Convos is an open source multi-user chat that runs in a web browser. You can't use the SVG extension in Convos' chat window, but you can upload the .html extension. This causes Stored XSS. Also, after uploading a file, it does not log in, and XSS occurs even if you connect. Proof of Conce...
in mruby/mruby
Description A NULL Pointer Dereference was discovered in mrb_class. The vulnerability causes a segmentation fault and application crash. version 6de0fcb ./mruby -v mruby 3.0.0 2021-03-05 System information Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz Proof of Concept poc base64 poc...
None in vim/vim
Description Hello there! Hope you are having an awesome day! 🤗 After I saw the last Rick de Jager's report, I decided to pick up their PoC as a valid input for fuzzing vim on its patch 8.2.3912, and ended up finding a new case of double-free! For testing, I compiled vim with GCC 9.3.0, and my O.S...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Steps To Reproduce: 1. Navigate to the campaigns section 2. Click on "Create an ongoing campaign" 3. Fill title, message, inbox and URL 4. Then click on "Create" and intercept it 5. Change your url's value to javascript:alert1 for example "url" : "https://google.com" to "url" :...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description livehelperchat is an open source live chat service. In this service, general users can chat 1:1 with administrators. When administrators send an XSS PoC to general users, XSS occurs in general users' chat rooms. Since the XSS PoC is saved in the chat room, XSS occurs even if you access t...
Cross-Site Request Forgery (CSRF) in zikula-modules/content
Description There is no CSRF protection for the content page duplicate functionality. Proof of Concept document.forms[0].submit(); Impact This vulnerability is capable of creating a large number of duplicates by clicking malicious links...
Cross-site Scripting (XSS) - Stored in livehelperchat/fbmessenger
Description The application does not escape special characters. The $item->bbcode or $item->name variables can lead to stored XSS Proof of Concept Go to Facebook BBCode List https://demo.livehelperchat.com/siteadmin/fbmessenger/newbbcode and add an item with an XSS payload into the name or bbcode fields,...
Cross-site Scripting (XSS) - Reflected in livehelperchat/livehelperchat
Description The application does not escape special characters, and the $msgPArent or $Result'additionalpostmessage' variables can lead to reflected XSS Proof of Concept https://demo.livehelperchat.com/chat/chatwidgetchat/444/123/theme/1/cstarted/123";;alert'xss';" Impact XSS can have huge...