Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq
Description Hi there phpmyfaq team, I would like to report a Cross-Site Request Forgery in phpmyfaq. It is in the question publishing feature. Cross-site request forgery, also known as CSRF, is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description The Mobile Options settings do not sanitise and escape the $mboptions['fcmkey'] parameter, leading to stored XSS. Proof of Concept Go to Mobile settings, fill an XSS payload into the FCM Key field, kind of: somekey" Impact XSS can have huge implications for a web application and its users. User...
in livehelperchat/livehelperchat
Description When updating the geolocation detection configuration, we're given the option to specify a file location of a city database file; this can be used to determine whether files exist or not. We are not able to see the contents of the file, but we are indeed able to determine if the file exist...
Improper Privilege Management in shelljs/shelljs
Details If ShellJS scripts running locally are using ShellJS exec function, local users on the filesystem can read the stdout of the running ShellJS process to disclose sensitive information present in the privileged process. This may leak sensitive information present in the privileged process...
Prototype Pollution in egorovsa/json-unflat
Description Version 2.0.0 of json-unflat is vulnerable to prototype pollution. The function unflat does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. JsonUnFlat.unflat = function json var...
Data Source Name Injection
Description TiDB Importer uses Go MySQL Driver for connecting to MySQL servers. This driver utilizes Data Source Name (DSN) strings for describing database connections with the following format: username:password@protocol(address)/dbname?param=value The driver has a built-in protection against LOCAL...
Cross-site Scripting (XSS) - DOM in chatwoot/chatwoot
Title XSS in markdown link-maker Description While chatting with a client, both sides may use markdown. However, neither the client's nor the Chatwoot inner user's input is verified. Steps to reproduce. Note: this works in Safari and Firefox, not Chrome. I will use a Telegram bot. 1. Start a conversatio...
Cross-site Scripting (XSS) - Stored in star7th/showdoc
Description Stored XSS via uploading an attachment in .svg format in the File Library. Detail When opening the attachment, some file formats will be rendered and loaded in the browser. So it allows executing arbitrary JavaScript code that was injected into the attachment before. Proof of Concept PoC.svg var...
Cross-Site Request Forgery (CSRF) in pheditor/pheditor
Description Hi there, there is a minor CSRF problem in your logout function; this will force the user to log out without their consent. Proof of Concept 1. Install pheditor on your system 2. Log in as admin 3. Go to this link /pheditor/pheditor.php?logout=1 4. See that you are logged out of...
Cross-Site Request Forgery (CSRF) in e107inc/e107
Description Hi there, there is a Cross-Site Request Forgery in e107 that allows an attacker to force an admin user to repair a plugin. Proof of Concept 1. Install e107 on your system 2. Log in as administrator 3. Copy this link and paste it into your browser:...
Cross-Site Request Forgery (CSRF) in e107inc/e107
Description Hi e107 team, I would like to report a CSRF in the e107 source code. This is in the install plugin feature. Proof of Concept 1. Install a local instance of e107 2. Log in as admin and access this link /e107admin/plugin.php?mode=installed&action=install&path=chatboxmenu 3. See that the plugin...
None in vim/vim
Description intro While fuzzing, I found an edge case in the vim9 compiler for nested functions. It seems like you can make the compiler use the same line twice by adding another command directly after an enddef token using the | operator. Depending on the inner function's body, this either resul...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Title Stored XSS in customattributes Description Relying on a frontend URI check without verifying it on the backend allows injecting arbitrary JS code. Steps to reproduce 1. Create a custom attribute, set its type to Link 2. Navigate to any conversation, click on the right sidebar. 3...
Cross-site Scripting (XSS) - Reflected in livehelperchat/livehelperchat
Description The htmlspecialchars function does not escape special characters like single quotes, and the $prefix parameter can lead to reflected XSS. Proof of Concept https://demo.livehelperchat.com/siteadmin/user/avatarbuilder/1?=1640314779051&prefix=123%27;;%20alert%27xss%27;// Impact XSS can hav...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. A stored XSS vulnerability occurs when you change the rule name in the admin dev page. Proof of Concept XSS POC: 1. Open the...
Business Logic Errors in janeczku/calibre-web
Description There is a possibility to create 2 public phasing shelves that have the same name, which is a business logic error. Steps To Reproduce 1. Create a shelf with an empty name 2. Tick the share with everyone box 3. Create another shelf with an empty name 4. Tick the share with everyone box, it...
in polonel/trudesk
Description When logging in, the login page will tell you whether or not a username exists, which is a vulnerability since it can be paired with the lack of rate limiting when logging in to help an attacker find out which accounts exist & then brute force those accounts' login...
Cross-Site Request Forgery (CSRF) in yourls/yourls
Description Hi there YOURLS team, I would like to report a Cross-Site Request Forgery vulnerability in YOURLS. Cross-site request forgery, also known as CSRF, is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows ...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description The lack of a CSRF token and validation of the request method gives the attacker the ability to delete DeleteReportFolder Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact The attacker has the ability to delete arbitrary report folders on behalf of the victi...
in vim/vim
Description A heap-based OOB read of size 4 occurs when a user tries to open the vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such as -Z and -m. This bug has been found on the default vim build in Ubuntu 20.04 for x86_64/amd64...
Cross-site Scripting (XSS) - Stored in pimcore/customer-data-framework
Description Stored cross-site scripting vulnerability in the pimcore app: the name and description fields are vulnerable to XSS in customer automation rules. Proof of Concept 1. Log in to the account 2. Go to customers -- customer automation rules -- Add payload in name field. 3. payload " Impact This...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description CSRF on logout functionality. An attacker is able to log out the user by sending a malicious link. Proof of Concept Impact This vulnerability is capable of logging out the user session. Note This is not an attack, it is a kind of annoyance to the user, though it is a valid CSRF. By using the POST metho...
Improper Privilege Management in rhizome-conifer/conifer
Description Hi there, I would like to report an improper privilege escalation in conifer. Any user can view all recordings of other users. Proof of Concept 1. Go to https://conifer.rhizome.org/ and register 2 accounts, let's call them user1 and user2 2. Use user1 and create a collection, let's name...
Inefficient Regular Expression Complexity in idank/explainshell
Description In the latest version of explainshell ebc5e9f2 I discovered a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). Proof of Concept PoC based on code in explainshell/options.py import logging import re if __name__ == "__main__":...
Inefficient Regular Expression Complexity in python/cpython
Description In the recent cpython version 31ff9671 I discovered a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The vulnerability exists in the EntryPoint class which is used to parse package/module entry-points. Proof of Concept Simplified PoC based on __init__.py...
Cross-Site Request Forgery (CSRF) in archivy/archivy
Title Missing CSRF token validation leads to note deletion. Summary Route /dataobj/delete/ is responsible for note deletion. Instead of POST it accepts the GET and DELETE methods. @app.route("/dataobj/delete/", methods=["DELETE", "GET"]) def delete_data(dataobj_id): try: data.delete_item(dataobj_id) except...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Stored cross-site scripting vulnerability in the report class field of the custom report feature. Proof of Concept 1. Log in to the dev account https://10.x-dev.pimcore.fun/admin/ 2. Go to marketing -- custom reports -- Report class field in the left navigation menu 3. Add payload " in report clas...
Open Redirect in erudika/scoold
Description Hi erudika scoold team, there is an open redirect in your source code at the question URL. Proof of Concept 1. Go to this link https://pro.scoold.com/questions/space?returnto=https://google.com 2. Observe that you are redirected to google.com Impact This vulnerability is capable of Open...
Cross-Site Request Forgery (CSRF) in erudika/scoold
Description Hi there, I would like to report a CSRF vulnerability in erudika/scoold. This allows an attacker to change the current user's question space or add them to the default space against their will. Proof of Concept 1. Access the scoold demo at https://pro.scoold.com/ and log in 2. Access this link...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description pimcore is vulnerable to Stored Cross-Site Scripting in the name field via the import functionality. Steps to reproduce: 1. Navigate to settings -- Data Objects -- Objectbricks 2. Save the following data as a JSON file and import it: "classDefinitions": , "key": null, "parentClass":...
Cross-Site Request Forgery (CSRF) in polonel/trudesk
Description There is a CSRF vulnerability which would allow an attacker to restart the server by simply having a victim with the appropriate privileges visit an attacker's crafted webpage. The vulnerability exists when performing a GET request to the /api/v1/admin/restart endpoint. There is also...
in gpac/gpac
Description A null pointer dereference was discovered in BD_CheckSFTimeOffset. The vulnerability causes a segmentation fault and application crash. Version: ./MP4Box -version MP4Box - GPAC version 1.1.0-DEV-revUNKNOWNREV c 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Pleas...
in vim/vim
Description Untrusted Pointer Dereference leading to a segmentation fault. Segmentation fault in vim_regexec_multi at regexp.c:2896 Proof of Concept ./vim -u NONE -X -Z -e -s -S POC1 -c ':qa!' POC1 https://drive.google.com/file/d/1VOS93VSakO96z2rnvIdWDYRM9KAEIgC/view?usp=sharing bt Program received...
in michaelrsweet/htmldoc
Description In gif_read_image, in image.cxx, gif_read_lzw might return a value greater than 255, which results in an out of bounds read, leading to denial of service. typedef uchar gif_cmap_t[256][3]; /* ... */ static int /* I - 0 = success, -1 = failure */ gif_read_image(FILE *fp, /* I - Input file */ image_t *img, ...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description When adding a menu after logging in with an administrator account, there is no verification of the URL value, so the XSS payload is stored in the DB. After that, when you click the saved menu, XSS is triggered. If an administrator adds a menu, normal users can click it too. Proof of...
Command Injection in parse-community/parse-server
Description This is a Remote Code Execution vulnerability in the Parse Server. This vulnerability affects the Parse Server in the default configuration with MongoDB; a similar attack can probably affect the PostgreSQL storage as well. The main weakness that leads to RCE is the Prototype Pollution...
Cross-site Scripting (XSS) - Reflected in tsolucio/corebos
Description coreBOS is vulnerable to Reflected Cross-Site Scripting in the advftcriteriagroups - advftcriteria parameters. Payload - Outside the JSON object. alertdocument.cookie - Inside the JSON object...
Cross-Site Request Forgery (CSRF) in star7th/showdoc
Description I found that the CSRF vulnerability that I reported to you before https://huntr.dev/bounties/1d8439e8-b3f7-40f8-8b30-f9cb05ff2bcd/ can still be exploited via a GET request. An attacker is able to perform unintended actions in the victim's account by tricking other users into clicking on the...
Cross-site Scripting (XSS) - Stored in janeczku/calibre-web
Description A missing input check on Identifiers leads to stored XSS. Steps to reproduce 1. Any book - Edit metadata - Identifiers 2. Set any value in the first field and javascript:alertdocument.domain in the second one. 3. Save the book, select it, click on Identifier - XSSed! Proof of...
Server-Side Request Forgery (SSRF) in janeczku/calibre-web
Title Blind SSRF via URL fetch Summary calibre-web allows external URL fetching in order to upload a book cover. However, instead of an external URL it is possible to point to localhost, which will be reached, resulting in blind SSRF. Steps to reproduce 1. As an admin give permissions to upload...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
Description There are several areas in the web application that are vulnerable to stored XSS. They include: The chat feature when sending messages /messages/startconversation The name field when creating a department /departments Name field when creating teams /teams You can also exploit the XSS...
Cross-site Scripting (XSS) - Stored in requarks/wiki
Description Stored XSS can be performed by malicious XML / HTM files. There is no check in place to prevent such files from being uploaded. Proof of Concept 1 (XML): Upload the following file as payload.xml: alert1 alert2 confirmdocument.domain Hello http://google.com Proof of Concept 2 (HTM):...
Cross-site Scripting (XSS) - Stored in friends-of-forkcms/fork-cms-module-commerce
Description In the admin section in Commerce - Shop settings - Stock statuses - Edit stock statuses one can add XSS payloads. After adding XSS payloads when a user is visiting Commerce - Shop settings - Stock statuses the JavaScript code will be run. Proof of Concept Go to Commerce - Shop setting...
Cross-site Scripting (XSS) - Reflected in requarks/wiki
Description SVG sanitization is incomplete. Attackers can bypass the fix in https://github.com/Requarks/wiki/security/advisories/GHSA-3qv4-gp35-rgh7 to perform XSS via malicious SVG files. Proof of Concept The fix commit sanitizes SVG if MimeType = svg+xml. Unfortunately this can be controlled by use...
SQL Injection in tsolucio/corebos
Description coreBOS is vulnerable to Blind SQL Injection in the parameter userviewtype, which allows the attacker to execute SQL commands on the target database. It is a time-based attack in which the result of the query is determined based on the time of the response. payload...
Cross-site Scripting (XSS) - Stored in getgrav/grav-plugin-admin
Description grav-plugin-admin 1.10.25 has a stored XSS vulnerability that is executed when the metadata information of a file whose name contains JavaScript is shown. Proof of Concept 1 - After installing grav+admin, browse to http://127.0.0.1/admin/pages/home. 2 - Create a file named as follows:...
Cross-site Scripting (XSS) - Stored in zulip/zulip
Description Zulip is a powerful, open source group chat application that combines the immediacy of real-time chat with the productivity benefits of threaded conversations. Zulip is used by open source projects, Fortune 500 companies, large standards bodies, and others who need a real-time chat...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description XSS in Classification Store included panels like Collections, Groups, Key,... in the store. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web...
Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos
Description Reflected cross-site scripting vulnerability in the barcode field and name field in the item kits category. Proof of Concept 1. Log in to the demo account 2. Go to item kits, edit any item, add payload in the barcode field and click save 3. payload " 4. poc 1 https://ibb.co/ZJZLKdQ 5. poc 2...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description coreBOS is vulnerable to Stored Cross-Site Scripting in the Campaign Type - Campaign Status - Expected Response fields. Request POST /index.php HTTP/1.1 Host: demo.corebos.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept:...