4058 matches found
Cross-site Scripting (XSS) - Stored in leantime/leantime
Description I found a stored XSS in the title of the content. Proof of Concept Step 1. First of all, build the environment with Docker and create an administrator user. 2. Next, create a new "To-Do" from "Project Dashboard" in the left menu. 3. Next, create an account for the role of "Team Member"...
Heap-based Buffer Overflow in vim/vim
Description When fuzzing vim at commit 3c19b5050 (it also works with the latest build and the latest commit 65259b5c6 at the time of this report, v8.2.3635) with clang 12 and ASan, I discovered a heap buffer overflow. Proof of Concept Here is the poc download link bash...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description CSRF in switching transactions link Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to switch transaction links...
Cross-Site Request Forgery (CSRF) in zmister2016/mrdoc
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of forcing users into an unintentional logout. More details One way GET could be abused here i...
Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of forcing users into an unintentional logout. More details One way GET could be abused here i...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description CSRF to disable 2FA Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to disable 2FA...
Heap-based Buffer Overflow in allinurl/goaccess
Description Good evening, I hope you're doing well during these challenging times. During recent research, we discovered a heap-buffer-overflow vulnerability impacting count_invalid on line 555 of src/gstorage.c. It appears that this is caused by an excessive number of invalid log strings combined...
Cross-site Scripting (XSS) - Stored in meetecho/janus-gateway
Description A user can enter a text room in janus gateway with a malicious name that contains an XSS payload and could poison other users in the room. Proof of Concept Just go to https://janus.conf.meetecho.com/textroomtest.html (this is provided by the github repo as a demo), then enter in the name POC...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept // PoC.js Steps to reproduce: 1. Go over Settings > Data Objects > Objectbricks. 2. Click Add or Edit a previous one. 3...
Cross-Site Request Forgery (CSRF) in star7th/showdoc
Description You set the strict flag only for one of your cookies, named cookietoken, but in Team management an attacker can still delete or add teams through a CSRF vulnerability, as the cookie named PHPSESSID doesn't have the strict flag. Proof of Concept 1. Replace 38046 with the team id. 2. Open poc.html and...
Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description Cross-site scripting vulnerability in the checkout page, in the notes field. Proof of Concept 1. Log in to the demo page. 2. Go to Accessories, select any product and add the payload in the checkout notes. 3. Click save and open the product; the XSS will trigger. payload = " Impact This vulnerability is...
Cross-Site Request Forgery (CSRF) in star7th/showdoc
Description An attacker is able to create a new group for any item if users visit the attacker's website. Furthermore, the user id "uid" is also exposed via the JSON response. We can bypass the CSRF protection if we put our payload in an iframe or an HTML file and then send them to the victim...
Open Redirect in collectiveaccess/providence
Description I found a new way to bypass the Open Redirect with the "redirect" parameter on the login page. Vulnerable parameter: redirect. Payload: https://demo.collectiveaccess.org.example.com Proof of Concept Send users the following login link...
Cross-Site Request Forgery (CSRF) in bytefury/crater
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Impact This vulnerability is capable of forcing a user into an unintentional logout. Test Tested on Edge, Firefox, Chrome and Safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Open Redirect in star7th/showdoc
Description I found a new way to exploit the Open Redirect at the "redirect" parameter on the login page by using the Chinese dot (%E3%80%82) to bypass the dot (".") filter. Vulnerable parameter: redirect. Payload: /%09/google%E3%80%82com Proof of Concept Send users the following login link...
Cross-site Scripting (XSS) - Stored in kunstmaan/kunstmaanbundlescms
Description In kunstmaan/kunstmaanbundlescms, the menu form slug field is vulnerable to cross-site scripting. Proof of Concept 1. Log in to the demo page. 2. Go to Pages, open any page. 3. Go to Menu; in the slug field place the payload and save; it will trigger. payload: " Impact This vulnerability is capab...
Cross-site Scripting (XSS) - Reflected in kunstmaan/kunstmaanbundlescms
Description In kunstmaan/kunstmaanbundlescms, extra metadata in the SEO form is vulnerable to reflected cross-site scripting. Proof of Concept 1. Log in to the demo account. 2. Go to Pages, select any page to edit, go to SEO. 3. Add the payload to extra metadata, click save and see the preview...
Improper Access Control in kevinpapst/kimai2
Description Authenticated users can preview invoices which they do not have read access to. Proof of Concept To demonstrate this vulnerability, we will use tony_teamlead on the demo site. 1: Log in as tony_teamlead. 2: Go to the Invoices page, see that there is no Haley-Jaskolski invoice document present...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
CSRF set 1: modify invoice status. Medium severity. Description CSRF in saving invoices / modifying status of invoices (pending and cancel only). Proof of Concept The following state-changing endpoints are vulnerable to CSRF: GET...
Improper Authorization in dolibarr/dolibarr
Description I found an IDOR in Dolibarr. On preview2.dolibarr.org, log in with demo:demo, then open the Agenda section. First, I change all permissions of the demo user in Reception to None. Second, I can't see the Receptions list in Products at all, but I am able to see the following Reception...
in chatwoot/chatwoot
I'll explain it briefly: A contact is created with the email address "[email protected]" and we are writing about sensitive information. userIdentifier is required to be validated with hmac. Now a human, on the other side of the world, comes into the chat and is asked by the bot for his email...
Open Redirect in collectiveaccess/providence
Description I found a way to bypass the Open Redirect at the login page with the "redirect" parameter. Vulnerable parameter: redirect. Payload: https://[email protected] Proof of Concept Send users the following login link...
CRLF Injection in phpservermon/phpservermon
Description A misconfiguration of nginx leads to CRLF injection. In nginx, $uri is URL-decoded, which will decode %0d%0a to CRLF. Code: return 301 http://$uri; Proof of Concept A request to: http://www.test.com/%0d%0afakeheader:123%0d%0a%0d%0afakecontent Impact CRLF injection allows an attacker to inject...
Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
Description Stored XSS via Markdown in the Description or Comment of the Ticket Detail. When rendering Markdown, the application does not filter or check that the properties are valid, so when the user enters XSS it will render as XSS. Proof of Concept // PoC.req POST /tickets/submit/ HTTP/1.1 Host:...
Heap-based Buffer Overflow in vim/vim
Description Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Versio...
in star7th/showdoc
Description Logging in via LDAP leads to weak-password initialization: isExist($username); if (!$userInfo) D("User")->register($ldapuser, $ldapuser.time()); // register with a weak password, such as: tom/tom1637248826 $rs2 = ldap_bind($ldapconn, $dn, $password); // when the LDAP password is WRONG, no...
Cross-site Scripting (XSS) - Stored in kevinpapst/kimai2
Description Cross-site scripting vulnerability in the name field on the customer edit form. Proof of Concept Place this payload in the customer name field and save: " Impact This vulnerability is capable of stealing the user session...
in elgg/elgg
Hello Elgg Team, hope you are having an awesome day. Just found an issue on the latest version of Elgg, and apparently the previous versions also have the same flaw. Description There is this endpoint: http://elgg-example-here.com/ajax/form/admin/user/changeemail This endpoint is...
in tsolucio/corebos
Description There's no bound limit to the number of characters/special characters in "Add Module - Window Title" (Add window > Modules). javascript:chooseType('Module');fnRemoveWindow();setFilter(document.getElementById('selmoduleid')) Steps to reproduce Step 1. Goto -...
Cross-site Scripting (XSS) - Stored in invoiceninja/invoiceninja
Description In recent InvoiceNinja version 9d7145c, in /documents it is possible to store an svg file with html/js content, which can later be used to phish other users. Proof of Concept POST /documents HTTP/1.1 Host: 172.17.0.1:8888 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101...
Improper Authorization in hdinnovations/unit3d-community-edition
Description 2FA bypass in chat functions. The "twostep" middleware is not implemented under the vue.php routing. Proof of Concept 1: Log into an account with 2FA. Do not complete the 2FA process. 2: See all chat messages at https://UNIT3D-URL/api/chat/messages/1 3: If the CSRF token does not...
in janeczku/calibre-web
Description A user with no permissions for public shelves can edit his own private shelf, making it public. This vulnerability is called Mass Assignment. Proof of Concept The file shelf.py at line 247 sets as public every shelf to be edited, so if the user injects the parameter is_public=on in th...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF to delete chat messages POC CLICK ME! Impact This vulnerability is capable of tricking users to delete messages. This is probably the last state-changing endpoint in your application which is unprotected from CSRF...
Cross-site Scripting (XSS) - Stored in kevinpapst/kimai2
Description Stored XSS via Markdown in the comment of a Project. Proof of Concept // PoC.req POST /kimai2/public/en/admin/project/3/comment_add HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0 Accept:...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Description CSRF related to the duplicate action; the duplication occurs first, before redirecting to the edit form. Proof of Concept GET /en/admin/teams/{id}/duplicate GET /en/admin/project/{id}/duplicate Impact This vulnerability is capable of tricking admin users into duplicating teams. Note This is probably all...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF related to the Torrents section. 6 actions recorded: 1: /{id}/torrent_fl 2: /{id}/torrent_doubleup 3: /{id}/bumpTorrent 4: /{id}/torrent_sticky 5: /{id}/reseed 6: /{id}/freeleech_token Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking admin users into reseeding / using freeleech...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description More CSRFs, related to the warnings feature this time: 1: /warnings/{id}/deactivate 2: /warnings/{username}/mass-deactivate 3: /warnings/{id}/restore Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users into deactivating / restoring warnings...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description More unprotected CSRF endpoints that allow state-changing operations: 1: GET /dashboard/moderation/1/approve 2: GET /requests/1/accept 3: GET /requests/1/reject 4: GET /requests/1/unclaim 5: GET /requests/1/reset Proof of Concept CLICK ME! Impact This vulnerability is capable of...
Open Redirect in star7th/showdoc
Description Open Redirect at the login page due to the unchecked "redirect" parameter. Vulnerable parameter: redirect. Payload: /%09/google.com Proof of Concept Send users the following login link https://www.showdoc.com.cn/user/login?redirect=/%09/google.com After users use their registered account to logi...
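The four open-redirect reports above (the domain-suffix payload https://demo.collectiveaccess.org.example.com, the userinfo trick https://allowed-host@..., the tab payload /%09/google.com and the ideographic-dot payload /%09/google%E3%80%82com) all defeat a validator that looks at the raw parameter string. The check below is an added example written for this page, not code from showdoc or providence: it models what the framework (one percent-decode) and the browser (dropping tab/CR/LF, IDNA mapping of the "Chinese dot" to ".") do to the value before it is followed, and only then decides. The test payloads, the allowed host names and the evil.example host are constructed for the example.

```python
import unicodedata
from urllib.parse import unquote, urlsplit

# Tab, CR and LF are silently dropped by browser URL parsers, so "/%09/host" becomes "//host".
_STRIP_CTRL = {ord(c): None for c in "\t\r\n"}
# IDNA/UTS #46 maps these "dots" to an ASCII full stop, so google%E3%80%82com is google.com.
_IDNA_DOTS = {ord(c): "." for c in "\u3002\uff0e\uff61"}


def normalize_redirect(target: str) -> str:
    """Reproduce what the framework and the browser do to the value before it is followed."""
    t = unquote(target)                   # the web framework decodes the query string once
    t = t.translate(_STRIP_CTRL)          # browsers strip tab/CR/LF anywhere in a URL
    t = unicodedata.normalize("NFKC", t)  # fullwidth slashes/letters collapse to ASCII
    return t.translate(_IDNA_DOTS)


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """Allow only a same-site absolute path or an http(s) URL whose host is exactly allowed_host."""
    if not target:
        return False
    t = normalize_redirect(target)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in t):
        return False                      # any remaining control character: reject outright
    # "//host", "/\host" and "\host" are all treated as scheme-relative by browsers.
    if t.startswith(("//", "/\\", "\\")):
        return False
    try:
        parts = urlsplit(t)
    except ValueError:                    # e.g. malformed IPv6 bracket syntax
        return False
    if not parts.scheme and not parts.netloc:
        return t.startswith("/")          # plain relative path on this site
    if parts.scheme not in ("http", "https"):
        return False                      # javascript:, data:, custom schemes
    if parts.username is not None or parts.password is not None:
        return False                      # "https://allowed.host@evil.host" parses as host evil.host
    # Exact host match: "allowed.host.example.com" is a different host, not a subdomain match.
    return (parts.hostname or "") == allowed_host.lower()


# Constructed payloads mirroring the reports above (evil.example is a placeholder host).
CASES = {
    "/item/index": True,
    "https://www.showdoc.com.cn/item/index": True,
    "/%09/google.com": False,
    "/%09/google%E3%80%82com": False,
    "//google.com": False,
    "https://www.showdoc.com.cn.evil.example/": False,
    "https://www.showdoc.com.cn@evil.example/": False,
    "javascript:alert(1)": False,
}


def classify(cases=CASES, host="www.showdoc.com.cn") -> dict:
    """Run every constructed payload through the check and return the decisions."""
    return {target: is_safe_redirect(target, host) for target in cases}


if __name__ == "__main__":
    for target, allowed in classify().items():
        print("%-45s %s" % (target, "allow" if allowed else "REJECT"))
```

The design choice worth noting is that the validator never tries to enumerate bad characters; it normalizes to what the browser will actually see and then applies an allow-list (relative path, or exact host match). A deny-list on "." is exactly what the %E3%80%82 report bypassed.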
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Description CSRF in deleting invoice templates Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking admin user to delete invoice templates...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF to FlushOwnGhostPeers Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to perform unintended actions...
in jitsi/jicofo
Description Misconfigurations of nginx lead to a path traversal vulnerability. Proof of Concept According to https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md?plain=1#L251, a request to /shibboleth-sp../ can get any file under /usr/share. Impact An attacker can access files on the web...
Cross-Site Request Forgery (CSRF) in pterodactyl/panel
Description The following state-changing endpoints are vulnerable to CSRF: 1: GET /admin/nodes/view/1/settings/token (auto-generates a token when a token has not been generated yet) 2: GET /admin/settings/mail/test The X-CSRF-Token header for the API request is not validated on the backend; should be a POST request to...
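The CSRF reports in this listing fall into two patterns: state changes reachable over GET (the logout reports for mrdoc, kunstmaanbundlescms and crater, the kimai2 duplicate and unit3d endpoints above), and a POST/API endpoint whose token header is accepted without being checked (the pterodactyl report directly above). The guard below is an added example for this page, not code from any of those projects: it refuses non-POST state changes, compares the submitted token against the session token in constant time, and requires the Origin (or Referer) to be the site itself. The Request class, the session dict and the app.example / evil.example origins are constructed stand-ins for a real framework's objects.

```python
import hmac
import secrets
from urllib.parse import urlsplit


class Request:
    """Constructed stand-in for a framework request (method, headers, form fields)."""

    def __init__(self, method, headers=None, form=None):
        self.method = method.upper()
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.form = form or {}


def issue_csrf_token(session: dict) -> str:
    """Create, once per session, the random token that forms and API calls must echo back."""
    session.setdefault("csrf_token", secrets.token_urlsafe(32))
    return session["csrf_token"]


def csrf_check(req: Request, session: dict, site_origin: str):
    """Decide whether a state-changing request may proceed; returns (allowed, reason).

    Three independent defences are applied in order:
    1. Only POST is accepted, so an <img src> or link to /logout cannot change state.
    2. The token (form field or X-CSRF-Token header) must equal the session token;
       this is the check the pterodactyl report says is missing on the backend.
    3. Origin, or Referer when Origin is absent, must be this site.
    """
    if req.method != "POST":
        return False, "state change via %s refused: use POST" % req.method

    expected = session.get("csrf_token")
    submitted = req.form.get("_token") or req.headers.get("x-csrf-token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or invalid CSRF token"

    origin = req.headers.get("origin")
    if origin is None and "referer" in req.headers:
        p = urlsplit(req.headers["referer"])
        origin = "%s://%s" % (p.scheme, p.netloc)
    if origin is None:
        return False, "no Origin/Referer header on a state-changing request"
    if origin.lower() != site_origin.lower():
        return False, "cross-site request from %s" % origin
    return True, "ok"


def run_scenarios(site_origin="https://app.example") -> list:
    """Replay constructed requests: a GET logout, a token-less POST, a cross-site POST, two valid ones."""
    session = {}
    token = issue_csrf_token(session)
    scenarios = [
        ("GET /logout from attacker page", Request("GET", {"Referer": "https://evil.example/"})),
        ("POST without token", Request("POST", {"Origin": site_origin})),
        ("POST with token from evil origin", Request("POST", {"Origin": "https://evil.example"}, {"_token": token})),
        ("POST with token, same origin", Request("POST", {"Origin": site_origin}, {"_token": token})),
        ("API POST with header token, Referer only",
         Request("POST", {"X-CSRF-Token": token, "Referer": site_origin + "/settings"})),
    ]
    return [(name, csrf_check(req, session, site_origin)) for name, req in scenarios]


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios():
        print("%-45s %s (%s)" % (name, "ALLOW" if allowed else "deny", reason))
```

The token check and the Origin check are deliberately both present: the Origin check catches a token that leaked or was never validated, and the token check catches a missing Origin header on old clients. SameSite on the session cookie is a third layer, and, as the showdoc report earlier in this listing shows, it only helps when it is set on every cookie the server actually uses for authentication.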
Path Traversal in welliamcao/opsmanage
Vulnerability The nginx configuration in the README.md file has a security flaw that lets a malicious attacker read arbitrary files in the project. POC For the demo address on GitHub, one feasible attack is: http://42.194.214.22:8000/static../ which reads the files of the entire project. If the user has done secondary development on the project and written sensitive information into init.sql or conf/, this could cause considerable harm. Impact An attacker can read arbitrary files under the project directory...
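The phpservermon, jicofo and opsmanage reports above are all nginx configuration bugs rather than application bugs: a redirect built from the percent-decoded $uri (so %0d%0a becomes a raw CRLF in the Location header), and a prefix location without a trailing slash paired with an alias that has one (so /static../ or /shibboleth-sp../ is rewritten to a path ending in /../ and escapes the aliased directory). Neither report reproduces the offending config on this page, so the snippet below is an added example with a constructed configuration, not the projects' own files: a small lint that flags both patterns in config text, written for this page and not part of any of the projects. The nginx semantics it relies on ($uri decoded, $request_uri raw, prefix replacement for alias) are nginx's documented behaviour.

```python
import re

# Constructed sample config (not taken from any of the projects) containing both flaw classes.
SAMPLE_CONF = """
server {
    listen 80;
    # $uri is the percent-decoded path, so %0d%0a from the request reaches the Location header raw
    return 301 http://$uri;

    # prefix without trailing slash + alias with trailing slash: /static../x -> /opt/app/static/../x
    location /static {
        alias /opt/app/static/;
    }

    # safe: both end with a slash, so the prefix is replaced as a whole path component
    location /assets/ {
        alias /opt/app/assets/;
    }
}
"""

# return ... $uri / $document_uri: decoded input copied into a response header.
_RETURN_DECODED = re.compile(r"^[ \t]*return\b[^;]*\$(?:uri|document_uri)\b", re.M)
# location [modifier] PREFIX { body } (no nested blocks needed for these checks).
_LOCATION = re.compile(r"location[ \t]+(?:(=|~\*?|\^~)[ \t]+)?(\S+)[ \t]*\{([^{}]*)\}")
_ALIAS = re.compile(r"^[ \t]*alias[ \t]+(\S+?);", re.M)


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def lint_nginx(conf: str) -> list:
    """Return human-readable findings for the two misconfigurations described in the reports."""
    findings = []
    for m in _RETURN_DECODED.finditer(conf):
        findings.append(
            "line %d: CRLF injection: decoded $uri used in a redirect; "
            "use $request_uri, which is the raw (still encoded) request target"
            % _line_of(conf, m.start()))
    for m in _LOCATION.finditer(conf):
        modifier, prefix, body = m.groups()
        if modifier == "=" or (modifier or "").startswith("~"):
            continue  # exact and regex locations are not plain prefix replacement
        alias = _ALIAS.search(body)
        if alias and not prefix.endswith("/") and alias.group(1).endswith("/"):
            findings.append(
                "line %d: path traversal (off-by-slash): location %s with alias %s; "
                "end the location prefix with '/' so '%s../' cannot escape the directory"
                % (_line_of(conf, m.start()), prefix, alias.group(1), prefix))
    return findings


if __name__ == "__main__":
    for finding in lint_nginx(SAMPLE_CONF):
        print(finding)
```

Run against SAMPLE_CONF the lint reports the return on line 5 and the /static location on line 8 and stays silent on the /assets/ block. It is a text-level check, not an nginx parser, so a config assembled from include files has to be concatenated first, and a finding is a prompt to test the request (/static../ against the running server) rather than proof on its own.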
Improper Access Control in janeczku/calibre-web
Description Although a user has no permissions for public shelves, he can create them. Proof of Concept The method create_shelf in shelf.py does not check if the user has public shelf permissions to create one. @shelf.route("/shelf/create", methods=["GET", "POST"]) @login_required def create_shelf():...
Cross-site Scripting (XSS) - DOM in janeczku/calibre-web
Description It is possible to execute XSS payloads when editing book properties, such as uploading a cover or a format. Proof of Concept The file editbooks.js contains the following code: $("#btn-upload-cover").on("change", function () { var filename = $(this).val(); if (filename.substring(3, 11) === "fakepath")...
in janeczku/calibre-web
Description A user can see the name of private shelves from other users when trying to remove a book from those shelves. Proof of Concept The file shelf.py in its line 221 exposes the name of the shelf when the user tries to remove a book from a shelf which is not his. log.warning("You are not allow...
SQL Injection in cacti/cacti
Description A SQL injection vulnerability occurs because the input taken from parameters is not sanitized against SQL injection statements in user_admin.php. user_admin.php:84: the update_policies function contains a SQL injection vulnerability; the get_nfilter_request_var function takes the GET/POST parameter without...
SQL Injection in glpi-project/glpi
Description A user with only the following rights on a sub-entity: Setup > General setup: Read + Update; Administration > Entity: Read + Update, is authorized to update the "UI options" field from the "UI customization" tab of an entity's configuration. This customization option is not correctly escaped,...
Heap-based Buffer Overflow in vim/vim
Description Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Versio...