4072 matches found
in vim/vim
Description A heap-based OOB read of size 1 occurs when a user tries to open a vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build version 8.2.3931, commit hash...
None in vim/vim
Description A use after free vulnerability has been found in vim 8.2.3931 commit hash febb78fa1798e0f95983b3f7881419a754886df5. The bug has been reproduced on Ubuntu 20.04 with gcc 9.3.0. Proof of Concept After building vim with gcc and ASAN run vim with the following session file: $ echo -ne...
Heap-based Buffer Overflow in mruby/mruby
Description Heap Base Buffer Overflow mrbirepcutref Proof of Concept a = a. nil too many irep references RuntimeError ================================================================= ==990==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a6 at pc 0x560e7e6acc2e bp...
Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq
Description Hi there, another CSRF in clearing search items. Proof of Concept 1. Install a local instance of phpmyfaq. 2. Go to this link /phpmyfaq/admin/?action=truncatesearchterms 3. See that all search terms are deleted. Impact This vulnerability is capable of CSRF...
Improper Access Control in bookstackapp/bookstack
Description parentChapter permissions are not enforced during sort. Users with only book-update permissions on their own page can move their pages into restricted chapters via modifying the parentChapter id in the sortmap. Users do not need to have access to restricted books / chapter in order to...
Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq
Description Hi there, there is a CSRF in your logout function. This will force admin to logout if he/she clicks on the link attacker gives him. Proof of Concept 1. Install phpmyfaq on your system. 2. Login as admin 3. Open this link /admin/index.php?action=logout 4. See that you are logged out of...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description The Convos is an open source multi-user chat that runs in a web browser. You can't use SVG extension in Convos' chat window, but you can upload .html extension. This causes Stored XSS. Also, after uploading a file, it does not log in, and XSS occurs even if you connect. Proof of Conce...
in mruby/mruby
Description A NULL Pointer Dereference was discovered in mrbclass. The vulnerability causes a segmentation fault and application crash. version 6de0fcb ./mruby -v mruby 3.0.0 2021-03-05 System information Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz Proof of Concept poc base64 poc...
None in vim/vim
Description Hello there! Hope you are having an awesome day! 🤗 After I saw the last Rick de Jager's report, I decided to pick up their PoC as a valid input for fuzzing vim on its patch 8.2.3912, and ended up finding a new case of double-free! For testing, I compiled vim with GCC 9.3.0, and my O.S...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Steps To Reproduce: 1. 1. Navigate to the campaigns section 2. 2. Click on "Create a ongoing campaign" 3. 3. Fill title, message, inbox and URL 4. 4. Then click on "Create" and intercept it 5. 5. Change your url's value to javascript:alert1 for example "url" : "https://google.com" to "url" :...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description The livehelperchat is an open source live chat service. In this service, general users can chat 1:1 with administrators. When administrators send XSS PoC to general users, XSS occurs in general users' chat rooms. Since XSS PoC is saved in the chat room, XSS occurs even if you access t...
Cross-Site Request Forgery (CSRF) in zikula-modules/content
Description There is no csrf protection for content page duplicate functionality. Proof of Concept document.forms0.submit; Impact This vulnerability is capable of creating more number of duplicates by clicking malicious links...
Cross-site Scripting (XSS) - Stored in livehelperchat/fbmessenger
Description The application does not escape special characters. The $item-bbcode or $item-name variables can lead to stored XSS Proof of Concept Go to Facebook BBCode List https://demo.livehelperchat.com/siteadmin/fbmessenger/newbbcode and add an item with XSS payload into name or bbcode fields,...
Cross-site Scripting (XSS) - Reflected in livehelperchat/livehelperchat
Description The application does not escape special characters, and the $msgPArent or $Result'additionalpostmessage' variables can lead to reflected XSS Proof of Concept https://demo.livehelperchat.com/chat/chatwidgetchat/444/123/theme/1/cstarted/123";;alert'xss';" Impact XSS can have huge...
Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq
Description Hi there phpmyfaq team, I would like to report a Cross site request Forgery in phpmyfaq. It is in publishing question. Cross-site request forgery also known as CSRF is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description The Mobile Options settings does not sanitise and escape the $mboptions'fcmkey' parameter lead to stored XSS Proof of Concept Go to Mobile settings, fill XSS payload into FCM Key field kind of: somekey" Impact XSS can have huge implications for a web application and its users. User...
in livehelperchat/livehelperchat
Description When updating the geolocation detection configuration, we're given the option to specify a file location of a city database file, this can be used to determine if files exist or not. We are not able to see the contents of the file, but we are indeed able to determine if the file exist...
Improper Privilege Management in shelljs/shelljs
Details If ShellJS scripts running locally are using ShellJS exec function, local users on the filesystem can read the stdout of the running ShellJS process to disclose sensitive information present in the privileged process. This may leak sensitive information present in the privileged process...
Prototype Pollution in egorovsa/json-unflat
Description Versions 2.0.0 of json-unflat are vulnerable to prototype pollution. The function unflat does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. JsonUnFlat.unflat = function json var...
Data Source Name Injection
Description TiDB Importer uses Go MySQL Driver for connecting to MySQL servers. This driver utilizes Data Source Name DSN strings for describing database connections with the following format: username:password@protocoladdress/dbname?param=value The driver has a built-in protection against LOCAL...
Cross-site Scripting (XSS) - DOM in chatwoot/chatwoot
Title XSS in markdown link-maker Description While chatting with a client, both sides may use markdown. However, neither client's nor Chatwoot inner user's input is verified. Steps to reproduce. Note: this works in Safari and Firefox, not Chrome. I will use Telegram bot. 1. 1. Start a conversatio...
Cross-site Scripting (XSS) - Stored in star7th/showdoc
Description Stored XSS via upload attachment with format .svg in File Library. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept PoC.svg var...
Cross-Site Request Forgery (CSRF) in pheditor/pheditor
Description Hi there, there is a minor CSRF problem in your logout function, this will force the user to logout without their consent. Proof of Concept 1. Install phpeditor on your system 2. Login as admin 3. Go to this link /pheditor/pheditor.php?logout=1 4. See that you are logged out of...
Cross-Site Request Forgery (CSRF) in e107inc/e107
Description Hi there, there is a Cross Site Request Forgery in e107 that allows an attacker to force admin user to repair a plugin. Proof of Concept 1. Install e107 in your system 2. Log in as adminstrator 3. Copy this link and paste to your browser:...
Cross-Site Request Forgery (CSRF) in e107inc/e107
Description Hi e107 team, I would like to report a CSRF in e107 source code. This is in install plugin feature Proof of Concept 1. Install a local instance of e107 2. Login as admin and access this link /e107admin/plugin.php?mode=installed&action=install&path=chatboxmenu 3. See that the pluglin...
None in vim/vim
Description intro While fuzzing, I found an edge case in the vim9 compiler for nested functions. It seems like you can make the compiler use the same line twice, by adding another command directly after an enddef token using the | operator. Depending on the inner functions body, this either resul...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Title Stored XSS in customattributes Description Relying on frontend URI check without verifying it on the backend allows to inject arbitrary JS code. Steps to reproduce 1. 1. Create a custom attribute, set its type to Link 2. 2. Navigate to any conversation, click on the right sidebar. 3. 3...
Cross-site Scripting (XSS) - Reflected in livehelperchat/livehelperchat
Description The htmlspecialchars function does not escape special characters like single quote, and the $prefix parameter can lead to reflected XSS Proof of Concept https://demo.livehelperchat.com/siteadmin/user/avatarbuilder/1?=1640314779051&prefix=123%27;;%20alert%27xss%27;// Impact XSS can hav...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you change the rule name in the admin dev page. Proof of Concept txt XSS POC : 1. Open the...
Business Logic Errors in janeczku/calibre-web
Description There is a possibility to create 2 public phasing shelfs that have the same name, which is a business logic error. Steps To Reproduce 1. Create a shelf with empty name 2. Tick the share with everyone box 3. Create another shelf with empty name 4. Tick the share with everyone box, it...
in polonel/trudesk
Description When logging in, the login page will tell you whether or not a username exists which is a vulnerability since it can be paired with the lack of rate limitation when logging in in order to help an attacker find out which accounts exist & then brute force those accounts' login...
Cross-Site Request Forgery (CSRF) in yourls/yourls
Description 1. Hi there YOURLS team, I would like to report a Cross Site Request forgery vulenrability on YOURLS. Cross-site request forgery also known as CSRF is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows ...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description The lack of a CSRF token and validation of the request method gives the attacker the ability to delete DeleteReportFolder Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact The attacker has the ability to delete arbitrary report folders on behalf of the victi...
in vim/vim
Description A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regarless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build in Ubuntu 20.04 for x8664/amd64...
Cross-site Scripting (XSS) - Stored in pimcore/customer-data-framework
Description Stored cross site scripting vulnerability in pimcore app, name and description field field is vulnerable to xss in customer automation rules. Proof of Concept 1 .login to the account 2 .go to customers -- customer automation rules -- Add payload in name field. 3 .payload " Impact This...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description CSRF on logout functionality. Attacker able to logout the user by sending malicious link Proof of Concept Impact This vulnerability is capable of logout the user session Note This is not an attack, it is a kind of annoyance to the user , though it is a valid csrf . By Using post metho...
Improper Privilege Management in rhizome-conifer/conifer
Description Hi there, I would like to report an improper privilege escalation in conifer. Any user can view all recordings of other users. Proof of Concept 1. Go to https://conifer.rhizome.org/ and register 2 accounts, let's call it user1 and user2 2. Use user1 and create a collection, let's name...
Inefficient Regular Expression Complexity in idank/explainshell
Description In the latest version of explainshell ebc5e9f2 I discovered regular expression that is vulnerable to ReDoS Regular Expression Denial of Service Proof of Concept PoC based on code in explainshell/options.py Python import logging import re if name == "main":...
Inefficient Regular Expression Complexity in python/cpython
Description In recent cpython version 31ff9671 I discovered regular expression that is vulnerable to ReDoS Regular Expression Denial of Service. Vulnerability exists in EntryPoint class which is used to parse package/module entry-points. Proof of Concept Simplified PoC based on init.py Python...
Cross-Site Request Forgery (CSRF) in archivy/archivy
Title Missing CSRF token validation leads to note deletion. Summary Route /dataobj/delete/ is responsible for note deletion. Instead of POST it accepts GET and DELETE methods. @app.route"/dataobj/delete/", methods="DELETE", "GET" def deletedatadataobjid: try: data.deleteitemdataobjid except...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Stored cross site scripting vulnerability in report class field on custom report feature. Proof of Concept 1 . Login to dev account https://10.x-dev.pimcore.fun/admin/ 2 . Go to marketing -- custom reports -- Report class :field in left navigation menu 3 . Add payload " in report clas...
Open Redirect in erudika/scoold
Description Hi erudika scoold team, there is an Open redirect in your source code at question url Proof of Concept 1. Go to this link https://pro.scoold.com/questions/space?returnto=https://google.com 2. Observe that you are redirected to google.com Impact This vulnerability is capable of Open...
Cross-Site Request Forgery (CSRF) in erudika/scoold
Description Hi there, I would like to report a CSRF vulnerability in erudika/scoold. This allows an attacker to change the current user question space or add them to default space against their will. Proof of Concept 1. Access scoold demo at https://pro.scoold.com/ and log in 2. Access this link...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description pimcore is vulnerable to Stored Cross-Site Scripting in the name field via the import functionality. Steps to reproduce: 1. Navigate to settings -- Data Objects -- Objectbricks 2. ave the following data as JSON file and import it: json "classDefinitions": , "key": null, "parentClass":...
Cross-Site Request Forgery (CSRF) in polonel/trudesk
Description There is a CSRF vulnerability which would allow an attacker to restart the server by simply having a victim with the appropriate privileges visit an attacker's crafted webpage. The vulnerability exists when performing a GET request to the /api/v1/admin/restart endpoint There is also...
in gpac/gpac
Description A null pointer dereference was discovered in BDCheckSFTimeOffset. The vulnerability causes a segmentation fault and application crash. Version: ./MP4Box -version MP4Box - GPAC version 1.1.0-DEV-revUNKNOWNREV c 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Pleas...
in vim/vim
Description Untrusted Pointer Dereference leading to a segmentation fault Segmentation fault in vimregexecmulti at regexp.c:2896 Proof of Concept ./vim -u NONE -X -Z -e -s -S POC1 -c ':qa! POC1https://drive.google.com/file/d/1VOS93VSakO96z2rnvIdWDYRM9KAEIgC/view?usp=sharing bt Program received...
in michaelrsweet/htmldoc
Description In gifreadimage, in image.cxx, gifreadlzw might return a value greater than 255, which results in an out of bounds read, leading to denial of service. c typedef uchar gifcmapt2563; / ... / static int / I - 0 = success, -1 = failure / gifreadimageFILE fp, / I - Input file / imaget img,...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description When adding a menu after logging in with an administrator account, there is no verification of the URL value, so the XSS payload is stored in the DB. After that, when you click the saved menu, XSS is triggered. If an administrator adds a menu, normal users can click it too. Proof of...
Command Injection in parse-community/parse-server
Description This is a Remote Code Execution vulnerability in the Parse Server. This vulnerability affects the Parse Server in the default configuration with MongoDB, probably a similar attack can affect the PostgreSQL storage as well. The main weakness that leads to RCE is the Prototype Pollution...