4058 matches found

Huntr
added 2021/12/17 4:12 p.m., 29 views

Heap-based Buffer Overflow in vim/vim

✍️ Description When fuzzing vim commit cd2f8f0e0 works with latest build and latest commit 7c0fb8003 per this time of this report v8.2.3811 with clang 13 and ASan, I discovered a heap buffer overflow. Proof of Concept Here is the poc bash ev0- How to build bash LD=lld AS=llvm-as AR=llvm-ar...

CVSS: 6.8 | AI score: 8.3 | EPSS: 0.00301
Exploits: 1

Huntr
added 2021/12/17 8:47 a.m., 15 views

Cross-Site Request Forgery (CSRF) in janeczku/calibre-web

Description CSRF on various endpoints Summary Pretty recently CSRF protection in calibre-web was implemented. However, there are some state-changing endpoints that accept GET requests instead of POST. The most impactful route so far, that allows to completely shutdown the server:...

CVSS: 6.8 | AI score: 0.5 | EPSS: 0.00134
Exploits: 1

Huntr
added 2021/12/17 4:39 a.m., 13 views

Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Description livehelperchat is vulnerable to stored XSS in users profile setting where username, password, repeat password, nickname, name, surname, job title fields are vulnerable to stored XSS. Proof of Concept this.constructor.constructor'alert"foo"' Enter the given payload in the above-mention...

CVSS: 3.5 | AI score: 1.1 | EPSS: 0.00186
Exploits: 1

Huntr
added 2021/12/16 2:21 p.m., 11 views

Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat

Description I found one more CSRF at Clean cache in the System tab of System configuration via GET request. Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking admin to clear the cache of the system, that can potential lead to a DoS attack. Remediation Use POST request...

CVSS: 6.8 | AI score: 1 | EPSS: 0.00144
Exploits: 1

Huntr
added 2021/12/16 10:26 a.m., 17 views

Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki

Description Auditing the AJAX endpoints revealed that some endpoints which perform state-changes do not have CSRF protection. Proof of Concept POST /lib/exe/ajax.php?call=draftdel&id=start Impact This vulnerability is capable of tricking users to delete their own drafts...

AI score: 2.9
Exploits: 0

Huntr
added 2021/12/16 9:56 a.m., 10 views

Improper Access Control in splitbrain/dokuwiki

Description Users can access drafts of restricted files if they have create permissions on the same namespace and have the ability to create their own usernames due to the conflicting cache names. This can reveal draft contents, delete draft and overwrite the draft content of the restricted file...

AI score: 0.5
Exploits: 0

Huntr
added 2021/12/16 3:58 a.m., 21 views

Cross-Site Request Forgery (CSRF) in snipe/snipe-it

Description CSRF to disrupt request tracking Proof of Concept Open the HTML file as a logged-in user Impact Unauthenticated attackers situated outside of the organization can disrupt request tracking by sending the malicious HTML to a user which will cause them to request an asset...

CVSS: 6.8 | AI score: 1.3 | EPSS: 0.00158
Exploits: 1

Huntr
added 2021/12/15 2:13 p.m., 15 views

Cross-site Scripting (XSS) - Stored in pimcore/web2print-tools

Description Stored XSS in the Description of the Favorite Output Channel Configurations. Steps to reproduce 1.Go to https://demo.pimcore.fun/admin/ and login. 2.In the left menu bar, click the Settings icon then choose Favorite Output Channel Configurations, the Favorite Output Channel...

AI score: 6.3
Exploits: 0

Huntr
added 2021/12/15 9:35 a.m., 71 views

Cross-site Scripting (XSS) - Stored in yeswiki/yeswiki

Description Stored XSS when Add a new entry for Forum Proof of Concept // PoC.req POST /doryphore/?BazaR&vue=saisir&action=saisirfiche&id=2 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:96.0 Gecko/20100101 Firefox/96.0 Accept:...

AI score: 6.3
Exploits: 0

Huntr
added 2021/12/14 6:18 p.m., 8 views

Cross-Site Request Forgery (CSRF) in laravelio/laravel.io

Description This CSRF is capable of making a user unintentionally subscribe and unsubscribe to a thread. Proof of Concept Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/unsubscribe Impact One...

AI score: 6.9
Exploits: 0

Huntr
added 2021/12/14 3:2 p.m., 17 views

Cross-site Scripting (XSS) - Stored in yetiforcecompany/yetiforcecrm

Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...

CVSS: 4.3 | EPSS: 0.00206
Exploits: 1

Huntr
added 2021/12/14 12:48 p.m., 30 views

Cross-site Scripting (XSS) - Stored in meetecho/janus-gateway

Description The stored XSS vulnerability occurs in the chat window because the user's input value is inserted into the web page without verification. javascript to: username, text: result ; textroom.data text: JSON.stringifymessage, error: functionreason bootbox.alertreason; , success: function...

CVSS: 4.3 | AI score: 6.3 | EPSS: 0.0029
Exploits: 1

Huntr
added 2021/12/14 12:19 p.m., 19 views

Business Logic Errors in yetiforcecompany/yetiforcecrm

Description YetiForceCRM application is vulnerable to Business Logic Errors in the Weight of a Product since that value can be a negative number. Proof of Concept 1.After login, in the left menu bar, click Databases - Products 2.Click any product to go to the product details. 3.In the product...

CVSS: 4 | AI score: 2.1 | EPSS: 0.00186
Exploits: 1

Huntr
added 2021/12/14 9:47 a.m., 19 views

Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki

Description Although security token is present in the delete draft POST request. It is not being checked in the backend by checkSecurityToken CSRF checks. Proof of Concept 1: As a logged-in user create a draft page, on the data/cache directory of the server run the command to confirm a draft has...

AI score: 0.2
Exploits: 0

Huntr
added 2021/12/14 8:57 a.m., 18 views

Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat

Description CSRF in switching between enable and disable of the following: - Dark/bright - Auto uppercase sentences - Do not scroll to the bottom on chat open - Auto preload previous visitor chat messages - Load previous message on scroll - New messages - New chats - Online - Based on activity -...

CVSS: 4.3 | AI score: 0.3 | EPSS: 0.00097
Exploits: 1

Huntr
added 2021/12/14 2:55 a.m., 9 views

Cross-site Scripting (XSS) - Stored in convos-chat/convos

Description Stored XSS via upload File with format .svg when chatting in private conversation. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of...

AI score: 0.6
Exploits: 0

Huntr
added 2021/12/14 12:3 a.m., 12 views

in convos-chat/convos

Description Hi there, I would like to report a vulnerability that allows a hacker to upload dangerous file type in convos. Proof of Concept Go to a conversation and click on upload file, then upload a file. The request to upload file looks like this: POST /api/files.json HTTP/1.1 Host:...

AI score: 6.1
Exploits: 0

Huntr
added 2021/12/13 5:57 p.m., 22 views

Cross-site Scripting (XSS) - Stored in yetiforcecompany/yetiforcecrm

Description I found file upload XSS, Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. Proof of Concept 1. login and navigate to https://gitstable.yetiforce.com/index.php?module=Users&view=PreferenceEdit&record=5 2. Layout photo Add file. 3...

CVSS: 3.5 | AI score: 5.3 | EPSS: 0.00147
Exploits: 1

Huntr
added 2021/12/13 9:56 a.m., 6 views

Cross-site Scripting (XSS) - Reflected in openwhyd/openwhyd

Description openwhyd is vulnerable to Reflected XSS vulnerability via the redirect parameter at login page. Payload alertdocument.cookie Vulnerable URL https://openwhyd.org/login?redirect=alertdocument.cookie Proof of Concept Send users the following login link...

AI score: 0.8
Exploits: 0

Huntr
added 2021/12/13 9:40 a.m., 10 views

Open Redirect in openwhyd/openwhyd

Description openwhyd is vulnerable to Open Redirect vulnerability via the redirect parameter at login page. Vulnerable parameter redirect Vulnerable URL https://openwhyd.org/login?redirect=https://google.com Proof of Concept Send users the following login link...

AI score: 1.2
Exploits: 0

Huntr
added 2021/12/13 6:24 a.m., 8 views

Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Description CSRF to delete user accounts Proof of Concept Impact This vulnerability is capable of tricking admin users to delete user accounts...

AI score: 1.5
Exploits: 0

Huntr
added 2021/12/13 3:10 a.m., 38 views

in netristv/ws-scrcpy

Description read file From server Proof of Concept GET /../../../../../../../../../../../../etc/passwd HTTP/1.1 Host: xxxx Impact test on ws-scrcpy-0.7,this is The latest version...

CVSS: 5 | AI score: 1.9 | EPSS: 0.00265
Exploits: 1

Huntr
added 2021/12/12 8:29 p.m., 39 views

in pytorchlightning/pytorch-lightning

Description There is untrusted YAML Deserialization vulnerability on PyTorchLightning Github repository. PyTorchLightning's saving.py core.saving.loadhparamsfromyaml functionality is calling "yaml.UnsafeLoader" from pyyaml Python library which is not secure method. Because of that, maliciously...

CVSS: 6.8 | AI score: 1 | EPSS: 0.0027
Exploits: 1 | References: 1

Huntr
added 2021/12/12 7:40 p.m., 7 views

Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki

Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' Impact This vulnerability is capable of forging users to unintentional logout. More Detail One way GET could be abused here is that a person competito...

AI score: 0.4
Exploits: 0

Huntr
added 2021/12/12 6:29 p.m., 17 views

Business Logic Errors in tsolucio/corebos

Description The application is vulnerable to Business Logic error through negative product amount. Proof of Concept Step 1: Login into the application https://demo.corebos.com/index.php?action=Login&module=Users Step 2: Navigate to Inventory - Product - Edit any product. Step 3: Now enter an amou...

AI score: 0.1
Exploits: 0

Huntr
added 2021/12/12 5:19 p.m., 8 views

Cross-site Scripting (XSS) - Stored in tsolucio/corebos

Description Stored XSS via File upload with format .xml in Product module. When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary JavaScript code that was injected into attachment before. Proof of Concept alertdocument.domain;...

AI score: 0.1
Exploits: 0

Huntr
added 2021/12/12 6:1 a.m., 16 views

Cross-site Scripting (XSS) - Stored in snipe/snipe-it

Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...

CVSS: 4.3 | EPSS: 0.00225
Exploits: 1

Huntr
added 2021/12/11 6:32 p.m., 10 views

Cross-Site Request Forgery (CSRF) in convos-chat/convos

Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' Impact This vulnerability is capable of forging users to unintentional logout. More Detail One way GET could be abused here is that a person competito...

AI score: 0.4
Exploits: 0

Huntr
added 2021/12/11 3:45 p.m., 14 views

Improper Access Control in bookstackapp/bookstack

Description A logged-in user with no privileges OR guest user if public access enabled can access the /search/users/select AJAX endpoint meant for admins to manage audit logs, to dump all usernames existing in the Bookstack database. This can also be used to harvest email belonging to a user...

CVSS: 7.5 | AI score: 7.6 | EPSS: 0.00425
Exploits: 1

Huntr
added 2021/12/11 2:52 p.m., 5 views

Cross-site Scripting (XSS) - Reflected in yeswiki/yeswiki

Description Hey all, i found that the search function of YesWiki integrates the searched term into a value attribute inside an input tag, for example if i do a search on sneaky for example, it will put the term sneaky inside a value attribute: html now if i add a double quote to the searched term...

AI score: 0.2
Exploits: 0

Huntr
added 2021/12/11 12:42 p.m., 12 views

Cross-Site Request Forgery (CSRF) in francoisjacquet/rosariosis

Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...

AI score: 0.7
Exploits: 0

Huntr
added 2021/12/11 9:46 a.m., 13 views

in patrowl/patrowlmanager

Description Hi there, I would like to report a vulnerability in the way PatrowlManager handle upload files. This is in Finding - Import feature Proof of Concept 1. Install PatrowlManager on you local system 2. Go to Finding - Import and import a file 3. An import request look like this POST...

AI score: 6.1
Exploits: 0

Huntr
added 2021/12/11 9:12 a.m., 14 views

Improper Privilege Management in patrowl/patrowlmanager

Description Hi there, I would like to report an improper privilege management in PatrowlManager - it's an IDOR. All imports findings file is placed under /media/imports// In that, ownerid is predictable and tmpfile is in format of import, for example: import11639213059582.json This filename is...

AI score: 0.1
Exploits: 0

Huntr
added 2021/12/11 3:32 a.m., 6 views

Cross-Site Request Forgery (CSRF) in gunet/openeclass

Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...

AI score: 0.7
Exploits: 0

Huntr
added 2021/12/10 7:5 p.m., 20 views

Business Logic Errors in yetiforcecompany/yetiforcecrm

Description The application is vulnerable to Business Logic error through negative product amount. Proof of Concept Step 1: Login into the application https://gitstable.yetiforce.com/index.php Step 2: Navigate to Database - Product - Edit any product. Step 3: Now enter a negative amount in Unit...

CVSS: 4 | AI score: 1.1 | EPSS: 0.00177
Exploits: 1

Huntr
added 2021/12/10 6:38 p.m., 20 views

Cross-site Scripting (XSS) - Reflected in yetiforcecompany/yetiforcecrm

Description Application is vulnerable to Reflected cross site scripting attack on create Invoice. Proof of Concept Step 1: Login into the application https://gitstable.yetiforce.com/index.php Step 2: Navigate to Quick Create - Cost Invoice Step 3: Click on Source and enter the XSS Playload in...

CVSS: 4.3 | AI score: 0.1 | EPSS: 0.00227
Exploits: 1

Huntr
added 2021/12/10 6:23 p.m., 27 views

in dotcms/core

Description Hello, dotCMS has an XXE vulnerability in the template design page. To exploit this flaw, a attacker needs the permission to edit and preview templates, and this can be abused to read internal files Video Poc This section of the documentation explain how to use the XMLTool in the...

AI score: 0.4
Exploits: 0

Huntr
added 2021/12/10 1:43 p.m., 5 views

Cross-site Scripting (XSS) - Stored in openwhyd/openwhyd

Description openwhyd is vulnerable to Stored XSS at the Name field in User Profile. Payload " Steps to reproduce 1.After login, click on the username to go to the Profile page 2.Click Edit Profile button - choose Edit Profile Info 3.In the Name field, input payload "then click Save button 4.Reloa...

AI score: 6.1
Exploits: 0

Huntr
added 2021/12/10 1:1 p.m., 21 views

in mruby/mruby

Description NULL Pointer Dereference in mrbfullgc Proof of Concept a = a. nil AddressSanitizer:DEADLYSIGNAL ================================================================= ==21352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 pc 0x556b44382444 bp 0x7fff4e9961d0 sp...

CVSS: 5 | AI score: 1.3 | EPSS: 0.00426
Exploits: 1

Huntr
added 2021/12/10 7:1 a.m., 18 views

Cross-site Scripting (XSS) - Stored in vanessa219/vditor

Description the editor has XSS vulnerability Proof of Concept payload: Open the editorhttps://ld246.com/guide/markdown, enter the payload, and trigger the XSS vulnerability demo pic : https://drive.google.com/file/d/1fl07CUXSS0DyvjtuftslMnyr2uGZ8F7/view?usp=sharing Impact This vulnerability has t...

CVSS: 3.5 | AI score: 0.8 | EPSS: 0.00206
Exploits: 1

Huntr
added 2021/12/10 4:6 a.m., 11 views

in humhub/humhub

Description Hello guys, hope you are having an awesome day! 🤗 HumHub has a functionality for spaces where you define that only invited users will be able to join a space. Private spaces come with this option but you can also define it for public ones. While a user is creating a space, this user i...

AI score: 6.7
Exploits: 0

Huntr
added 2021/12/10 2:21 a.m., 21 views

Cross-Site Request Forgery (CSRF) in patrowl/patrowlmanager

Description Hi there, there is a CSRF in duplicating rule due to the usage of GET method. Proof of Concept 1. Install a local instance of PatrowlManager 2. Go to list rule and create a new rule 3. Access this link http://localhost:8083/rules/api/v1/alerting/duplicate/1 and see that the rule is...

AI score: 0.3
Exploits: 0

Huntr
added 2021/12/09 7:42 p.m., 23 views

Business Logic Errors in pimcore/pimcore

Description The application is vulnerable to Business Logic error through negative cart amount. Proof of Concept Step 1: Login to the application https://10.x-dev.pimcore.fun/admin/login?perspective= Step 2: Navigate to Online shop - Pricing Rules - Voucher Discount - Actions Step 3: Enter Negati...

CVSS: 4 | AI score: 1.2 | EPSS: 0.0001
Exploits: 1

Huntr
added 2021/12/09 7:7 p.m., 9 views

Inclusion of Sensitive Information in Source Code in pimcore/demo

Description API Keys is hard coded in the application source code. The use of a hard-coded API Key has many negative implications. Proof of Concept "security" = "method" = "datahubapikey", "apikey" = "6332aa5e6d3d6c0be31da2a8b3442113", "skipPermissionCheck" = FALSE...

AI score: 0.8
Exploits: 0

Huntr
added 2021/12/09 3:15 p.m., 18 views

Cross-Site Request Forgery (CSRF) in microweber/microweber

Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET ANY. To expand: One way GET could be...

CVSS: 4.3 | AI score: 4.3 | EPSS: 0.00098
Exploits: 0

Huntr
added 2021/12/09 2:24 p.m., 4 views

Cross-site Scripting (XSS) - Stored in tsolucio/corebos

Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Proof of Concept https://demo.corebos.com/index.php?module=Users&action=index&parenttab=Settin...

AI score: 0.1
Exploits: 0 | References: 1

Huntr
added 2021/12/09 11:14 a.m., 36 views

Cross-site Scripting (XSS) - Generic in bigbluebutton/bigbluebutton

Description Shared notes panel is vulnerable to XSS when rendering a new note, due to missing username sanitization. Proof of Concept 1. 1.Start a new web conference and share the link with other people 2. 2.A malicious user joins the conference with the following username: 3. 3.As soon as the...

CVSS: 4.3 | AI score: 2.2 | EPSS: 0.00311
Exploits: 1 | References: 1

Huntr
added 2021/12/09 4:42 a.m., 30 views

Improper Access Control in snipe/snipe-it

Description Regular users with DENY set to all models permissions can still view model information via the /models/id/clone endpoint due to no authorize'view' permission being set. Proof of Concept 1: Create regular user and set DENY to all permissions in asset models. 2: Login as the user 3:...

CVSS: 4 | AI score: 2.3 | EPSS: 0.00223
Exploits: 1

Huntr
added 2021/12/09 2:53 a.m., 18 views

Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm

Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...

CVSS: 4.3 | AI score: 0.7 | EPSS: 0.00098
Exploits: 1

Huntr
added 2021/12/08 4:21 p.m., 10 views

Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki

Description Another low-severity CSRF last one, I think. identified on styling page Proof of Concept Requests to the following endpoint used by admins to edit template styling settings do not contain sectok CSRF token POST /doku.php?id=start&do=admin&page=styling Impact This vulnerability is...

AI score: 2.6
Exploits: 0

Total number of security vulnerabilities: 4058