Cross-site Scripting (XSS) - Reflected in gnuboard/gnuboard5
Description The reflected XSS vulnerability occurs due to a flaw in the clean_xss_tags function called in memo.php of Gnuboard 5. clean_xss_tags is a sanitizer that removes XSS-prone tags and attributes. However, the sanitizer can be bypassed by using a newline character (%0A, %0D, etc.). Proof of Conce...
Session Fixation in admidio/admidio
Description Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new session...
Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager
Description PatrOwl is vulnerable to stored XSS in the asset group name. The payload will be triggered when someone tries to delete the asset group. Proof of Concept https://drive.google.com/file/d/1F7m9g7s6xp-L5QKy5ACOvndWAj8g20s/view?usp=sharing Impact This vulnerability permits an authenticated use...
Inefficient Regular Expression Complexity in nltk/nltk
Description nltk is vulnerable to a ReDoS attack because of the ^-?[0-9]+(.[0-9]+)?$ regex. If an attacker succeeds in using a malicious payload against the RegexpTagger used in the functions get_pos_tagger and malt_regex_tagger, it will cause a nasty DoS. Proof of Concept // PoC.py import re, time pattern =...
Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
Description pimcore is vulnerable to Reflected XSS via the Search function for Documents, Assets and Data Objects. Steps to reproduce 1. Log in to the pimcore admin. 2. In the left menu bar, click the Search icon then choose Documents; the Search Documents tab will display. 3. Input the payload " into the...
Cross-Site Request Forgery (CSRF) in pimcore/pimcore
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of forcing users into an unintentional logout. More details One way GET could be abused here i...
Session Fixation in tsolucio/corebos
Description Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new session...
Cross-Site Request Forgery (CSRF) in yeswiki/yeswiki
Description Hey all, so I found that YesWiki doesn't implement any sort of anti-CSRF mechanism. I found that the change email function is vulnerable to CSRF attacks, which leads to Account Takeover. Proof of Concept Exploitation Scenario: - An attacker sends the above PoC to the victim. - rather...
Denial of Service in chatwoot/chatwoot
The extract_reply function https://github.com/chatwoot/chatwoot/blob/a0ffefad717b632269883863c27242bb97d3b66d/app/presenters/mail_presenter.rb#L105 is highly inefficient on HTML emails. A legitimate LinkedIn email has 20kb of HTML content, which takes a minute or two to process through that function,...
Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki
Description DokuWiki is vulnerable to CSRF when enabling / disabling a plugin due to the missing CSRF token sectok. Proof of Concept If a logged-in admin user visits an attacker's website with the following HTML code, the LDAP plugin, for example, will be disabled. Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - DOM in emoncms/emoncms
Description EmonCMS 10.9.19 has a DOM-XSS vulnerability that is executed when JavaScript code is injected as imported data. Proof of Concept 1 - Log in to the app and browse to the section Feeds Import Data. 2 - Add alert(1),a or 1638807909,alert(2) in the CSV area. Then click on one of the empty fie...
Cross-site Scripting (XSS) - Generic in uiwjs/react-md-editor
Description XSS vulnerability through the markdown editor. Proof of Concept Steps to Reproduce Visit the demo page. Paste the payload in the markdown editor. Impact - Steal a user's token - Session hijacking...
Improper Privilege Management in dotcms/core
Description Hello team, I found an SSTI that allows me to get full privilege escalation to the system user. 1. While editing a template we have total access to the User and UserModel classes via $user. 2. One of the UserModel methods is called setUserId. 3. If we call setUserId and pass "system" as parameter...
Cross-site Scripting (XSS) - Reflected in emoncms/emoncms
Description EmonCMS 10.9.19 has 2 reflected XSS vulnerabilities: 1 - one that is executed when a user tries to generate a new app whose name contains JavaScript code. The vulnerability leverages the default option of display_errors within the process_settings.php file, which produces unsanitized erro...
Cross-site Scripting (XSS) - Reflected in tsolucio/corebos
Description coreBOS is vulnerable to Reflected XSS via activitytype in index. Proof of Concept 1. After login, click the PoC URL. 2. Select Activity Type. // PoC.js...
Server-Side Request Forgery (SSRF) in snipe/snipe-it
Description Admin users on the external network can perform blind POST-based SSRF requests on behalf of the server into the internal network via the Slack Integration. Performing portscans: 1: Go to Slack Integrations. 2: Use http://127.0.0.1:1337 as the Slack Endpoint. See the error message:...
Cross-site Scripting (XSS) - Reflected in admidio/admidio
Description The reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Using javascript: throws an error in parsing the URL, but I bypassed it using javascript://%0A. Proof of Concept 1. Open the...
Improper Authorization in openwhyd/openwhyd
Description This account takeover via DOM XSS vulnerability occurs because the backend does not check the value of the redirect parameter in the login logic. if (form.fbUid) userModel.update(dbUser.id, { $set: { fbId: form.fbUid, fbTok: form.fbTok, // access token provided on last facebook...
Open Redirect in openwhyd/openwhyd
Description This vulnerability was discovered here by @mdakh404. However, it is not patched properly and I bypassed it with a simple trick. diff r.html = mainTemplate.renderWhydPager; // call the adequate renderer - if r.redirect response.redirectr.redirect; + if r.redirect...
Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of forcing users into an unintentional logout. More details One way GET could be abused here i...
Cross-site Scripting (XSS) - Stored in elgg/elgg
Analysis Hello guys, how are you doing? Hope you're having an awesome day 🤗 Elgg has a functionality for any authenticated user to report pages to the administrators whenever they think that there's something wrong going on with a page. This functionality has an issue, because in order to create a...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Stored XSS via uploading a file with format .svg when creating a Document. Detail When opening the attachment, some file formats will be rendered and loaded in the browser, so it allows executing arbitrary JavaScript code that was injected into the attachment before. Proof of Concept PoC.svg var...
PHP Remote File Inclusion in crater-invoice/crater
Description No MIME type restriction on file uploads, allowing an attacker to upload and execute arbitrary PHP code. Proof of Concept Log in to the dashboard, preferably using your own localhost install. Go to "Expenses", "Settings Account" or "Settings Company". Upload any PHP file you want. Impa...
None in vim/vim
✍️ Description When fuzzing vim commit 021ef351c (it works with the latest build and latest commit 04b7b4b as of the time of this report, v8.2.3728), I discovered a use after free. This crash is triggered only with clang 10 and ASan. When testing with clang 13 it doesn't crash, so I assume this crash doesn't...
in crater-invoice/crater
Description In recent Crater version ed6268aa (tag: 5.0.3) the lowest privileged user can upload a PHP file instead of an avatar. Proof of Concept POST /api/v1/me/upload-avatar HTTP/1.1 Host: 172.17.0.1:8888 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: */*...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS via uploading a photo avatar with format .svg in Account data. Detail When opening the attachment, some file formats will be rendered and loaded in the browser, so it allows executing arbitrary JavaScript code that was injected into the attachment before. Proof of Concept PoC.svg va...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of forcing users into an unintentional logout. More details One way GET could be abused here i...
in qmpaas/leadshop
Description The vulnerability is in the api/ImageController.php file. When $type is 2, it enters the logic for uploading video files. However, the function $upload->video that handles video uploads does not check the file suffix. This results in arbitrary file uploads. Proof of Concept...
Open Redirect in gnuboard/gnuboard5
Description <?php include_once('./_common.php'); $g5['title'] = "로그인 검사"; $mb_id = isset($_POST['mb_id']) ? trim($_POST['mb_id']) : ''; $mb_password = isset($_POST['mb_password']) ? trim($_POST['mb_password']) : ''; run_event('member_login_check_before', $mb_id); if (!$mb_id || !$mb_password) alert('회원아이디나 비밀번호가 공백이면 안됩니다.'); $mb =...
Server-Side Request Forgery (SSRF) in dotcms/core
Description Hi team, I found an SSRF that allows me to access the Elasticsearch API and get the full response from the queries. - As can be read in the following link, dotCMS uses Elasticsearch; with this SSRF we can directly access the Elasticsearch REST API. - In a cloud environment, it can be possible to...
Prototype Pollution in fabiocaccamo/utils.js
Summary I discovered a prototype pollution vulnerability via utils.js method analysis. set: function(obj, path, value) { var keys = path.split('.'); var key; var cursor = obj; for (var i = 0, j = keys.length; i < j; i++) { key = keys[i]; if (!TypeUtil.isObject(cursor[key])) { cursor[key] = {}; } if (i < j - 1) { cursor...
Cross-site Scripting (XSS) - Generic in zikula/core
Description In zikula/core a cross site scripting vulnerability is present in the block module description field. Proof of Concept 1. Log in to the demo account. 2. Go to blocks https://demo.ziku.la/blocks/admin/view 3. Add the payload in the title field and save. 4. payload = " Impact This vulnerability is capable...
Cross-site Scripting (XSS) - Stored in zikula/core
Description In zikula/core a cross site scripting vulnerability is present in the block module title field. Proof of Concept 1. Log in to the demo account. 2. Go to blocks https://demo.ziku.la/blocks/admin/view 3. Add the payload in the title field and save. 4. payload = " Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - Reflected in zikula/core
Description In zikula/core a cross site scripting vulnerability is present in the extension list name field. Proof of Concept 1. Log in to the demo account. 2. Go to extensions https://demo.ziku.la/extensions/module/modify/3 3. Add the payload in the displayname field. payload " Impact This vulnerability is capable of stole...
None in fcambus/logswan
Description Good morning, I hope you're doing well today. Whilst testing logswan built with Clang 12 + ASan on Ubuntu 20.04.3 LTS from commit bcfd41, we discovered a heap-use-after-free during a strcmp operation on line 259 of logswan/src/logswan.c. Proof of Concept First... echo...
Open Redirect in ikus060/rdiffweb
Description ikus060/rdiffweb is vulnerable to open redirect at the login page. Proof of Concept https://rdiffweb-demo.ikus-soft.com/login/?redirect=https://attacker.com After logging in to the above URL, it redirects to attacker.com. Impact This vulnerability is capable of redirecting to a malicious website...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Very low severity CSRF in /comments/thanks/id Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users into sending a quick thanks. It can potentially trick users into infringing rate limits and getting themselves banned via a repeated CSRF attack if admins choose to set...
Cross-site Scripting (XSS) - Stored in krayin/laravel-crm
Description Stored XSS in the Name of a Tag. Detail When rendering the grid for Tag, the Name value is not filtered before rendering, which can trigger XSS. Proof of Concept // PoC.req POST /admin/settings/tags/edit/1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description coreBOS is vulnerable to Stored XSS via Entity Name in User Preferences. Steps to reproduce 1. After login, click on the avatar icon in the top right corner to go to My Preferences. 2. Click the Edit button. 3. In the Last Name field, input the payload then click the Save button. 4. Now you will see that th...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of forcing users into an unintentional logout. More details One way GET could be abused here i...
SQL Injection in wbce/wbce_cms
Description Plaintext administrator password recovery vulnerability due to SQL injection in the password reset page. admin/login/forgot/index.php lines 33-34: $sSql = "SELECT * FROM {TP}users WHERE email = '" . $email . "'"; $rRow = $database->query($sSql); Due to poor email validation an attacker can inje...
Improper Access Control in bookstackapp/bookstack
Description A user with API access can view any attachment to which they do not have read access, because read permissions are not checked in the API attachments read controller. Proof of Concept 1: From a default installation, give the "Public" role access to the system API. 2: Upload an attachment...
Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis
Description I found XSS in the file upload function of the message function. Proof of Concept Step 1. First, access the latest version of the demo environment: https://www.rosariosis.org/demonstration/index.php 2. Then log in with your student account. Student: username and password "student"...
Heap-based Buffer Overflow in allinurl/goaccess
Description Good evening and Happy Turkey Day! We are truly thankful for the Open Source Security community this year. Whilst testing goaccess built from commit 9774249, we discovered a crafted log which can trigger a heap-buffer-overflow during a memcmp operation on line 1525 of /src/parser.c...
in combodo/itop
Proof of Concept The below request is vulnerable to a CSRF attack: history.pushState('', '', '/'); document.forms[0].submit();...
PHP Remote File Inclusion in combodo/itop
Description CSRF bug Proof of Concept The below request is vulnerable to a CSRF attack: history.pushState('', '', '/'); <input type="hidden" name="class" v...
in combodo/itop
Description CSRF bug Proof of Concept The below request is vulnerable to a CSRF attack: history.pushState('', '', '/'); document.forms[0].submit();...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description It's possible to inject a script in the field First Name, which is permanently stored. It'll trigger each time the page is refreshed or copied to a new tab. Proof of Concept POST /index.php HTTP/2 Host: demo.corebos.com Cookie: democoreboscom=2fadf4643e2c92731a5bea4397b2d08b;...
Cross-site Scripting (XSS) - Stored in leantime/leantime
Description I found Stored XSS in the title of the content. Proof of Concept Step 1. First of all, build the environment with Docker and create an administrator user. 2. Next, create a new "To-Do" from "Project Dashboard" in the left menu. 3. Next, create an account for the role of "Team Member"...