4072 matches found
in dotcms/core
Description Hello, dotCMS has an XXE vulnerability in the template design page. To exploit this flaw, a attacker needs the permission to edit and preview templates, and this can be abused to read internal files Video Poc This section of the documentation explain how to use the XMLTool in the...
Cross-site Scripting (XSS) - Stored in openwhyd/openwhyd
Description openwhyd is vulnerable to Stored XSS at the Name field in User Profile. Payload " Steps to reproduce 1.After login, click on the username to go to the Profile page 2.Click Edit Profile button - choose Edit Profile Info 3.In the Name field, input payload "then click Save button 4.Reloa...
in mruby/mruby
Description NULL Pointer Dereference in mrbfullgc Proof of Concept a = a. nil AddressSanitizer:DEADLYSIGNAL ================================================================= ==21352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 pc 0x556b44382444 bp 0x7fff4e9961d0 sp...
Cross-site Scripting (XSS) - Stored in vanessa219/vditor
Description the editor has XSS vulnerability Proof of Concept payload: Open the editorhttps://ld246.com/guide/markdown, enter the payload, and trigger the XSS vulnerability demo pic : https://drive.google.com/file/d/1fl07CUXSS0DyvjtuftslMnyr2uGZ8F7/view?usp=sharing Impact This vulnerability has t...
in humhub/humhub
Description Hello guys, hope you are having an awesome day! ๐ค HumHub has a functionality for spaces where you define that only invited users will be able to join a space. Private spaces come with this option but you can also define it for public ones. While a user is creating a space, this user i...
Cross-Site Request Forgery (CSRF) in patrowl/patrowlmanager
Description Hi there, there is a CSRF in duplicating rule due to the usage of GET method. Proof of Concept 1. Install a local instance of PatrowlManager 2. Go to list rule and create a new rule 3. Access this link http://localhost:8083/rules/api/v1/alerting/duplicate/1 and see that the rule is...
Business Logic Errors in pimcore/pimcore
Description The application is vulnerable to Business Logic error through negative cart amount. Proof of Concept Step 1: Login to the application https://10.x-dev.pimcore.fun/admin/login?perspective= Step 2: Navigate to Online shop - Pricing Rules - Voucher Discount - Actions Step 3: Enter Negati...
Inclusion of Sensitive Information in Source Code in pimcore/demo
Description API Keys is hard coded in the application source code. The use of a hard-coded API Key has many negative implications. Proof of Concept "security" = "method" = "datahubapikey", "apikey" = "6332aa5e6d3d6c0be31da2a8b3442113", "skipPermissionCheck" = FALSE...
Cross-Site Request Forgery (CSRF) in microweber/microweber
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET ANY. To expand: One way GET could be...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Proof of Concept https://demo.corebos.com/index.php?module=Users&action=index&parenttab=Settin...
Cross-site Scripting (XSS) - Generic in bigbluebutton/bigbluebutton
Description Shared notes panel is vulnerable to XSS when rendering a new note, due to missing username sanitization. Proof of Concept 1. 1.Start a new web conference and share the link with other people 2. 2.A malicious user joins the conference with the following username: 3. 3.As soon as the...
Improper Access Control in snipe/snipe-it
Description Regular users with DENY set to all models permissions can still view model information via the /models/id/clone endpoint due to no authorize'view' permission being set. Proof of Concept 1: Create regular user and set DENY to all permissions in asset models. 2: Login as the user 3:...
Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki
Description Another low-severity CSRF last one, I think. identified on styling page Proof of Concept Requests to the following endpoint used by admins to edit template styling settings do not contain sectok CSRF token POST /doku.php?id=start&do=admin&page=styling Impact This vulnerability is...
Code Injection in quickbox/qb
Description While this is a theoretical finding the code seems to be vulnerable to Remote Code Execution Proof of Concept Description At line 406 you can see the following code: $process = $GET'serviceenable'; This means we can do /dashboard/inc/config.php?serviceenable=ourvalue Now between line...
Cross-site Scripting (XSS) - Reflected in gnuboard/gnuboard5
Description The reflected XSS vulnerability occurs to a flaw in the cleanxsstags function called in memo.php of Gnuboard 5. This cleanxsstags is a Sanitizer that removes XSS-vulnerable tags and attributes. However, it can bypass Sanitizer by using a newline character. %0A, %0D, ETC Proof of Conce...
Session Fixation in admidio/admidio
Description Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new session...
Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager
Description PatrOwl is vulnerable to stored XSS in asset group name. The payload will be triggered when someone try to delete the asset group. Proof of Concept https://drive.google.com/file/d/1F7m9g7s6xp-L5QKy5ACOvndWAj8g20s/view?usp=sharing Impact This vulnerability permit to an authenticate use...
Inefficient Regular Expression Complexity in nltk/nltk
Description nltk is vulnerable to ReDoS attack because of ^-?0-9+.0-9+?$ regex. If attacker succeeds to use malicious payload against RegexpTagger used in function getpostagger and maltregextagger, it will cause a nasty DoS. Proof of Concept // PoC.py import re, time pattern =...
Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
Description pimcore is vulnerable to Reflected XSS via the Search function for Document, Assets and Data Objects. Steps to reproduce 1.Login to pimcore admin. 2.In the left menu bar, click the Search icon then choose Documents, the Search Documents tab will display. 3.Input payload " into the...
Cross-Site Request Forgery (CSRF) in pimcore/pimcore
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Session Fixation in tsolucio/corebos
Description Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new session...
Cross-Site Request Forgery (CSRF) in yeswiki/yeswiki
Description Hey all, so i found that YesWiki doesn't implement any sort of anti-csrf mechanism, i found that the change email function is vulnerable to CSRF attacks which leads to Account Takeover. Proof of Concept Exploitation Scenario: - An attacker sends the above PoC to the victim. - rather...
Denial of Service in chatwoot/chatwoot
The extractreply function https://github.com/chatwoot/chatwoot/blob/a0ffefad717b632269883863c27242bb97d3b66d/app/presenters/mailpresenter.rbL105 is highly inefficient on HTML emails. A legitimate LinkedIn email has 20kb of HTML content which takes a minute or two to process through that function,...
Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki
Description DokuWiki is vulnerable to CSRF in enabling / disabling plugin due to missing CSRF token sectok Proof of Concept If a logged-in admin user visits an attacker's website with the following HTML code the LDAP plugin, for example, will be disabled Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - DOM in emoncms/emoncms
Description EmonCMS 10.9.19 has a DOM-XSS vulnerability that is executed when javascript code is injected as imported data. Proof of Concept 1 - login into the app and browse to the section Feeds Import Data 2 - add alert1,a or 1638807909,alert2 in the CSV area. Then click on one of the empty fie...
Cross-site Scripting (XSS) - Generic in uiwjs/react-md-editor
Description XSS vulnerability through the markdown editor Proof of Concept Steps to Reproduce Visit the demo page. Past the payload in the markdown editor. Impact - Steal a user's token - Session hijacking...
Improper Privilege Management in dotcms/core
Description Hello team, I found a SSTI that allow me to get Full Privilege Escalation system user 1. While editing a template we have total access to the User and UserModel classes via $user 2. One of the UserModel methods is called setUserId 3. If we call setUserId and pass "system" as parameter...
Cross-site Scripting (XSS) - Reflected in emoncms/emoncms
Description EmonCMS 10.9.19 has 2 reflected XSS vulnerabilities: 1 - one that is executed when a user tries to generate a new app whose name contains javascript code. The vulnerability leverages the default option of displayerrors within the processsettings.php file which produce unsanitized erro...
Cross-site Scripting (XSS) - Reflected in tsolucio/corebos
Description Please enter a description of the vulnerability. coreBOS is vulnerable to Reflected XSS via activitytype in index Proof of Concept 1.After login, click poc url 2.select Activity Type // PoC.js...
Server-Side Request Forgery (SSRF) in snipe/snipe-it
Description Admin users on the external network can perform blind POST-based SSRF issue requests on behalf of the server into the internal network via the Slack Integration Performing portscans 1: Go to Slack Integrations 2: Use http://127.0.0.1:1337 as the Slack Endpoint. See the error message:...
Cross-site Scripting (XSS) - Reflected in admidio/admidio
Description The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Using javascript: throws an error in parsing the url. But I bypassed it using javascript://%0A. Proof of Concept txt 1. Open the...
Improper Authorization in openwhyd/openwhyd
Description This Account Takeover via Dom XSS vulnerability occurs because the backend does not check the value of the redirect parameter in the login logic. javascript if form.fbUid userModel.updatedbUser.id, $set: fbId: form.fbUid, fbTok: form.fbTok, // access token provided on last facebook...
Open Redirect in openwhyd/openwhyd
Description This vulnerability was discovered in Here by @mdakh404. However, it is not patched properly and I bypassed with a simple trick. diff r.html = mainTemplate.renderWhydPager; // call the adequate renderer - if r.redirect response.redirectr.redirect; + if r.redirect...
Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Cross-site Scripting (XSS) - Stored in elgg/elgg
Analysis Hello guys, how are doing? Hope you're having an awesome day ๐ค Elgg has a functionality for any authenticated user to report pages to the administrators whenever they think that there's something wrong going on with this page. This functionality has an issue, because in order to create a...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Stored XSS via upload File with format .svg when creating Document. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept PoC.svg var...
PHP Remote File Inclusion in crater-invoice/crater
Description No mime type restriction on file uploads, allowing an attacker to upload and execute arbitrary PHP code. Proof of Concept Login to the dashboard, preferably using your own localhost install. Go to "Expenses", "Settings Account" or "Settings Company". Upload any PHP file you want. Impa...
None in vim/vim
โ๏ธ Description When fuzzing vim commit 021ef351c works with latest build and latest commit 04b7b4b per this time of this report v8.2.3728, I discovered a use after free. This crash triggered with only clang 10 and ASan. And I'm testing with clang 13 it doesn't crash so I assume this crash doesn't...
in crater-invoice/crater
Description In recent Crater version ed6268aa tag: 5.0.3 lowest privileged user can upload PHP file instead of avatar. Proof of Concept POST /api/v1/me/upload-avatar HTTP/1.1 Host: 172.17.0.1:8888 User-Agent: Mozilla/5.0 X11; Linux x8664; rv:95.0 Gecko/20100101 Firefox/95.0 Accept: /...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS via upload Photo avatar with format .svg in Account data. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept PoC.svg va...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
in qmpaas/leadshop
Description The vulnerability is in the api/ImageController.php file. When $type is 2, it will enter the logic for uploading video files. However, the function $upload-video that handles video uploads does not detect the file suffix name. This results in arbitrary file uploads. Proof of Concept...
Open Redirect in gnuboard/gnuboard5
Description php ?php includeonce'./common.php'; $g5'title' = "๋ก๊ทธ์ธ ๊ฒ์ฌ"; $mbid = isset$POST'mbid' ? trim$POST'mbid' : ''; $mbpassword = isset$POST'mbpassword' ? trim$POST'mbpassword' : ''; runevent'memberlogincheckbefore', $mbid; if !$mbid || !$mbpassword alert'ํ์์์ด๋๋ ๋น๋ฐ๋ฒํธ๊ฐ ๊ณต๋ฐฑ์ด๋ฉด ์๋ฉ๋๋ค.'; $mb =...
Server-Side Request Forgery (SSRF) in dotcms/core
Description Hi team, I found a SSRF that allow me to access the elasticsearch API and get full response from the querys - As can be read in the following link dotCMS uses elastisearch, with this SSRF we can direct access the elastisearch REST API, - In a cloud environment, it can be possible to...
Prototype Pollution in fabiocaccamo/utils.js
Summary I discovered a prototype pollution vulnerability via utils.js method analysis. javascript set: functionobj, path, value var keys = path.split'.'; var key; var cursor = obj; for var i = 0, j = keys.length; i j; i++ key = keysi; if !TypeUtil.isObjectcursorkey cursorkey = ; if i j - 1 cursor...
Cross-site Scripting (XSS) - Generic in zikula/core
Description In zikula/core cross site scripting vulnerability is present in block module description field Proof of Concept 1. login to the demo account 2. go to blocks https://demo.ziku.la/blocks/admin/view 3. Add payload in title field and save 4 payload = " Impact This vulnerability is capable...
Cross-site Scripting (XSS) - Stored in zikula/core
Description In zikula/core cross site scripting vulnerability is present in block module title field Proof of Concept 1. login to the demo account 2. go to blocks https://demo.ziku.la/blocks/admin/view 3. Add payload in title field and save 4 payload = " Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - Reflected in zikula/core
Description In zikula/core cross site scripting vulnerability in extension list name field. Proof of Concept 1. login to the demo account 2. go to extensions https://demo.ziku.la/extensions/module/modify/3 3. Add payload in displayname field payload " Impact This vulnerability is capable of stole...
None in fcambus/logswan
Description Good morning, I hope you're doing well today. Whilst testing logswan built with Clang12 + ASan on Ubuntu 20.04.3 LTS from commit bcfd41, we discovered a heap-use-after-free situation during a strcmp operation on line 259 of logswan/src/logswan.c. Proof of Concept First... echo...