4057 matches found
SSRF via POST /internal/models/download and GET /view REST APIs
This report is not public...
Denial of service by memory exhaustion
This report is not public...
Allowing execution of user-provided regexp leads to ReDoS
Description LibreChat has a feature for uploading ChatGPT chat logs. When processing the log, the following code is executed: const pattern = new RegExp(`【${citation.metadata.extra.cited_message_idx}†.+?】`, 'g'); const replacement = `${citation.metadata.title}`; messageText =...
Missing access control on endpoint to list all evaluations in lunary-ai/lunary
Description The /v1/evaluators/ route allows users to fetch all evaluators of a project by sending a GET request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can access evaluator data. The current implementation: Does not...
Denial of service through memory exhaustion
This report is not public...
A user can view any other user's invite list
This report is not public...
SSRF via POST /api/proxy
This report is not public...
RCE & Full Read SSRF & Arbitrary File Read in /web_crawl endpoint
Description The web_crawl function in documentapp.py contains an RCE vulnerability. This function receives the URL parameter, accesses and obtains the HTML content of the URL through headless Chromium, and converts the HTML content into a PDF file. Users can obtain the converted PDF file through th...
SSRF via POST /v1/llm/add_llm and /v1/conversation/tts
This report is not public...
Incomplete URL check leads to SSRF
This report is not public...
Denial of Service
This report is not public...
Web server DOS through run metrics
This report is not public...
Improper Role Modification by Admins for Billing Permissions
Description Admins, who do not have direct permissions to access billing resources, are able to change the permissions of existing users to have billing permissions. This can lead to a privilege escalation scenario where an administrator can: 1. Change the role of an existing user to include...
Lack of access control on /users/me/org endpoint
Description The /users/me/org route is not adequately protected by access control mechanisms such as a middleware. This lack of authorization allows unauthorized users to access information about all team members in the current organization, even if the user does not have sufficient privileges. A...
Remote Code Execution via Pickle Deserialization with Hard-Coded AuthKey in RPC Server
Description RagFlow implements an RPC server using Python's native multiprocessing package. It fully understands the use of AuthKey to access and control the group communication when applying multiprocessing for network conditions via socket, but the current implementation hard-coded the AuthKey ...
XSS through document upload
This report is not public...
Denial of service through sshfs-client in tracking server
This report is not public...
Running user-provided regular expressions leads to DoS
This report is not public...
Unauthenticated Denial of Service (DoS) via Multipart Boundary in recent integration of Gradio UI
This report is not public...
Open Redirect
This report is not public...
7z slip leads to remote code execution
This report is not public...
rar slip leads to remote code execution
This report is not public...
Local File Inclusion in netease-youdao/qanything
This report is not public...
Redos (Regular Expression Denial of Service)
This report is not public...
server crash by zip bomb
This report is not public...
pickle deserialization vulnerability
Description There is a pickle deserialization vulnerability in the LaTeX English error correction plug-in function of gptacademic, which allows attackers to achieve remote command execution. Environment setup: 1. wget https://github.com/binary-husky/gptacademic/archive/refs/tags/version3.83.zip 2...
Missing check_access leads to directory deletion
This report is not public...
User can share/use/create prompts without permission
Description Users can share/use/create prompts without being granted permission by the admin. This can break application logic and permissions. Proof of Concept 1. Go to the account admin and disable the share/use/create prompt function. 2. Share/use/create prompts as a normal user. POST /api/prompts HTTP/1.1...
Patch bypass (Insufficient Patch) of CVE-2024-8736 leads to DoS
This report is not public...
heap-buffer-overflow in /radare2/shlr/java/code.c:211:21 in java_print_opcode
Description heap-buffer-overflow in /radare2/shlr/java/code.c:211:21 in java_print_opcode Version $ r2 -v radare2 5.8.9 31339 @ linux-x86-64 birth: git.5.8.8-691-gb2de2288d8 2023-10-17 01:18:28 commit: b2de2288d8299f89288c503fc2ce22381b61aba0 Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes...
new 3 SEGV in MP4Box
Description new 3 SEGV in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Reproduce ./MP4Box -das...
All users' names leaked to a user without the required permissions
Description - From any user account without authority, go to the /admin/users page to view employee information; this leaks the names of all employees that exist on the platform. - The vulnerabilities occur in 3 features: delete, set active state, and assign role on the /admin/users page and...
Privilege Escalation to admin from any other users
Description By default, hestiacp creates a default fpm configuration that runs the php-fpm service as the www-data user with a common socket. Another php-fpm service runs as the admin user and www-data group over a unix socket. That allows any user to upload a PHP file into the /tmp dir, then run that script from...
Restricted vim sandbox escape
Description Restricted vim doesn't allow executing shell commands, but it's possible to bypass this by setting the GCONVPATH environment variable. I'm not sure if this can be considered a vulnerability, but I decided to report it anyway. I found this while playing TeamItaly CTF. Proof of Concept Save this...
stack-buffer-overflow in gf_text_get_utf8_line
Description stack-buffer-overflow in gf_text_get_utf8_line at filters/load_text.c:381. Version git log commit 7edc40feef23efd8c9948292d269eae76fa475af HEAD -> master, origin/master, origin/HEAD Author: jeanlf Date: Thu Oct 12 16:58:53 2023 +0200 ./bin/gcc/MP4Box -version MP4Box - GPAC version...
Cross-Site Request Forgery Vulnerability in Logout Functionality
Description Logout CSRF is a security vulnerability where an attacker forces a user to unknowingly log out of their session by tricking them into triggering a logout request through a malicious website or link. GET http://localhost:8080/logout Proof of Concept history.pushState('', '', '/')...
Store XSS when Add Reviewer
Description Store XSS when Add Reviewer Proof of Concept Payload: TESTalertdocument.domain Video Poc https://drive.google.com/file/d/16o4w6V-uCpkshFXYBb-pZRflpl7N3Sy4/view?usp=sharing...
CSRF in Cancel Reviewer and Reinstate Reviewer
Description CSRF in Cancel Reviewer and Reinstate Reviewer Proof of Concept Link Poc I attach the Poc link below. Thank You. https://drive.google.com/drive/folders/1QA5Kz6w2AgYdFDoDX2hHWK0zHAPoWt?usp=sharing...
CSRF in Review Details
Description CSRF in Review Details Proof of Concept 1. Attacker sends a fake form to the user: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, causing unwanted Recommendation and Reviewer rating changes. Video Poc...
heap-use-after-free in MP4Box
Description heap-use-after-free in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Asan TTML...
2 FPE in MP4Box
Description 2 FPE in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Reproduce ./MP4Box -dash 100...
memcpy-param-overlap in MP4Box
Description memcpy-param-overlap in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Asan Dashe...
4 heap-buffer-overflow in MP4Box
Description 4 heap-buffer-overflow in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Reproduce...
2 stack-buffer-overflow in MP4Box
Description 2 stack-buffer-overflow in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Reproduce...
3 SEGV in MP4Box
Description 3 SEGV in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Reproduce ./MP4Box -dash...
NULL Pointer Dereference in function gf_filter_pck_new_alloc_internal
Description NULL Pointer Dereference in function gf_filter_pck_new_alloc_internal at filter_core/filter_pck.c:108. Version git log commit 5692dc729491805e0e5f55c21d50ba1e6b19e88e HEAD -> master, origin/master, origin/HEAD Author: Aurelien David Date: Wed Oct 11 13:24:46 2023 +0200 ac3dmx: add remain size...
heap-buffer-overflow in ac3dmx_process
Description Heap-buffer-overflow in ac3dmx_process at filters/reframe_ac3.c:489. Version git log commit 5692dc729491805e0e5f55c21d50ba1e6b19e88e HEAD -> master, origin/master, origin/HEAD Author: Aurelien David Date: Wed Oct 11 13:24:46 2023 +0200 ac3dmx: add remain size check fixes #2627 ./MP4Box...
privilege escalation bug to edit survey
BUG: A normal user can edit any survey. AFFECTED VERSION: 6.2.10. SUMMARY: A normal user has only view permission on a survey, but that user can still edit the survey by adding it to his own group. STEPS TO REPRODUCE: 1. There is already a superadminuser-...
heap-use-after-free in function editing_arg_idx
Description heap-use-after-free in function editing_arg_idx at arglist.c:516 Vim Version git log commit 54844857fd6933fa4f6678e47610c4b9c9f7a091 HEAD -> master, tag: v9.0.2009, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S editingargidxPOC2 -c :qa!...
POST body leaked to third-party site when a 303 redirect happens
BUG: POST body leaked to a third-party site when a 303 redirect happens. SUMMARY: As per the specification at https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections, during a 303 redirection of a POST request the body should be dropped and the request method should become GET. Check the...