4072 matches found
Open Redirect in ikus060/rdiffweb
Description ikus060/rdiffweb is vulnerable to open redirect at login page. Proof of Concept https://rdiffweb-demo.ikus-soft.com/login/?redirect=https://attacker.com after login to the above url it redirect to attacker .com Impact This vulnerability is capable of redirecting to malicious website...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Very low severity CSRF in /comments/thanks/id Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to send quick thanks. Can potentially trick users to infringe rate limits and get themselves banned via a repeated CSRF attack if admins choose to set...
Cross-site Scripting (XSS) - Stored in krayin/laravel-crm
Description Stored XSS at Name of Tag Detail When rendering grid for Tag, Name value is not filtered before rendering which can trigger XSS Proof of Concept // PoC.req POST /admin/settings/tags/edit/1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:95.0...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description coreBOS is vulnerable to Stored XSS via Entity Name in User Preferences. Steps to reproduce 1.After login, click on the avatar icon on the top right corner to go to My Preferences 2.Click Edit button 3.In Last Name field, input payload then click Save button 4.Now you will see that th...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
SQL Injection in wbce/wbce_cms
Description Plaintext administrator password recovery vulnerability due to SQL injection in password reset page. admin/login/forgot/index.php lines 33-34: php $sSql = "SELECT FROM TPusers WHERE email = '" . $email . "'"; $rRow = $database-query$sSql; Due to poor email validation attacker can inje...
Improper Access Control in bookstackapp/bookstack
Description A user with API access can view any attachment which they do not have read access to because read permissions are not being checked at the API attachments read controller. Proof of Concept 1: From default installation give the "Public" role access to system API 2: Upload attachment...
Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis
Description I found XSS in the file upload function of the message function. Proof of Concept Step 1.First, access the latest version of the demo environment. "Https://www.rosariosis.org/demonstration/index.php" 2.Then log in with your student account. Student: username and password “student“...
Heap-based Buffer Overflow in allinurl/goaccess
Description Good evening and Happy Turkey Day! We are truly thankful for the Open Source Security community this year. Whilst testing goaccess built from commit 9774249, we discovered a crafted log which can trigger a heap-buffer-overflow during a memcmp operation on line 1525 of /src/parser.c...
in combodo/itop
Proof of Concept Bellow request is vulnerable to csrf attack history.pushState'', '', '/' document.forms0.submit;...
in combodo/itop
Proof of Concept Bellow request is vulnerable to csrf attack history.pushState'', '', '/' document.forms0.submit;...
PHP Remote File Inclusion in combodo/itop
Description csrf bug Proof of Concept Bellow request is vulnerable to csrf attack history.pushState'', '', '/' input type="hidden" name="class" v...
in combodo/itop
Description csrf bug Proof of Concept bellow request is vulnerable to csrf attack history.pushState'', '', '/' document.forms0.submit;...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description It's possible to inject the script on the field: First Name Which is permanently stored. It'll trigger each time refreshing or copying to the new tab. Proof of Concept POST /index.php HTTP/2 Host: demo.corebos.com Cookie: democoreboscom=2fadf4643e2c92731a5bea4397b2d08b;...
Cross-site Scripting (XSS) - Stored in leantime/leantime
Description I found Stored XSS in the title of the content. Proof of Concept Step 1.First of all, build the environment with Docker and create an administrator user. 2.Next, create a new "To -DO" from "Project Dashboard" in the left menu. / 3.Next, create an account for the role of "Team Member"...
Heap-based Buffer Overflow in vim/vim
✍️ Description When fuzzing vim commit 3c19b5050 works with latest build and latest commit 65259b5c6 per this time of this report v8.2.3635 with clang 12 and ASan, I discovered a heap buffer overflow. Proof of Concept Here is the poc download link bash...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description CSRF in switching transactions link Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to switch transaction links...
Cross-Site Request Forgery (CSRF) in zmister2016/mrdoc
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description CSRF to disable 2FA Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to disable 2FA...
Heap-based Buffer Overflow in allinurl/goaccess
Description Good evening, I hope you're doing well during these challenging times. During recent research, we discovered a heap-buffer-overflow vulnerability impacting countinvalid on line 555 of src/gstorage.c. It appears that this is caused by an excessive number of invalid log strings combined...
Cross-site Scripting (XSS) - Stored in meetecho/janus-gateway
Description an user can enter a text room in janus gateway with a malicious name that contains a xss payload and could poison other users on the room Proof of Concept just go to https://janus.conf.meetecho.com/textroomtest.html this is provided by github repo as a demo then enter in the name POC...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept // PoC.js Steps to reproduce : 1-- Go over settings -- Data Objects -- Objectbricks. 2-- Click Add or Edit a previous one . 3-...
Cross-Site Request Forgery (CSRF) in star7th/showdoc
Description You set the strict flag only for one of your cookies named cookietoken but in Team management attacker still can delete or add teams with CSRF vulnerability as the cookie with name PHPSESSID don't have strict flag. Proof of Concept 1.replace 38046 with the team id 2.open poc.html and...
Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description Cross site scripting vulnerability in checkout page in notes field Proof of Concept 1.Login to the demo page. 2. Go to accessories , select any product and add payload in the checkout notes 3. click save and open the product xss will trigger payload = " Impact This vulnerability is...
Cross-Site Request Forgery (CSRF) in star7th/showdoc
Description An attacker is able to create a new group for any item if users visit the attacker's website. Furthermore, the user-id "uid" is also exposed via the JSON response. We can bypass the CSRF Protection if we put our payload on an iframe or an HTML file and then send them to the victim...
Open Redirect in collectiveaccess/providence
Description I found a new way to bypass the Open Redirect with the "redirect" parameter on the login page. Vulnerable parameter redirect Payload https://demo.collectiveaccess.org.example.com Proof of Concept Send users the following login link...
Cross-Site Request Forgery (CSRF) in bytefury/crater
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Open Redirect in star7th/showdoc
Description I found a new way to exploit Open Redirect at the "redirect" parameter on the login page by using the Chinese dot %E3%80%82 to bypass the dot . filter. Vulnerable parameter redirect Payload /%09/google%E3%80%82com Proof of Concept Send users the following login link...
Cross-site Scripting (XSS) - Stored in kunstmaan/kunstmaanbundlescms
Description In kunstmaan / kunstmaanbundlescms, menu form slug field is vulnerable to cross site scripting Proof of Concept 1. login to demo page 2. go to pages, open any page 3. go to menu , in slug feild place the payload and save, it will trigger. payload : " Impact This vulnerability is capab...
Cross-site Scripting (XSS) - Reflected in kunstmaan/kunstmaanbundlescms
Description In kunstmaan / kunstmaanbundlescms ,extra metadata in seo form is vulnerable to reflected cross site scripting. Proof of Concept 1. login to the demo account 2. go to pages --select any page to edit -- go to SEO --- 3. Add payload to extra meta data and click save and see the preview ...
Improper Access Control in kevinpapst/kimai2
Description Authenticated users can preview invoices which they do not have read access to Proof of Concept To demonstrate this vulnerability, we will use tonyteamlead on the demo site. 1: Login as tonyteamlead. 2: Go to Invoices page, see that there is no Haley-Jaskolski invoice document present...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
CSRF Set 1 modify invoice status Medium severity Description CSRF in saving invoices / modifying status of invoices pending and cancel only Proof of Concept The following state-changing endpoints are vulnerable to CSRF GET...
Improper Authorization in dolibarr/dolibarr
Description I found an IDOR in Dolibarr In preview2.dolibarr.org login with demo:demo then open Agenda section first, I Change all permissions of demo user in Reception to None second, I can't see the Receptions List in Products at all But I am able to see following Reception...
in chatwoot/chatwoot
I'll explain it briefly: A contact is created with the email address "[email protected]" and we are writing about sensitive information. userIdentifer is required to be validated with hmac. Now a human, on the other side of the world, comes into the chat and is asked by the bot for his email...
Open Redirect in collectiveaccess/providence
Description I find a way to bypass the Open Redirect at the login page with the "redirect" parameter. Vulnerable parameter redirect Payload https://[email protected] Proof of Concept Send users the following login link...
CRLF Injection in phpservermon/phpservermon
Description misconfig of nginx lead to crlf injection In nginx, $uri is url decoded, which will decode %0d%0a to CRLF. code: return 301 http://$uri; Proof of Concept A request to: http://www.test.com/%0d%0afakeheader:123%0d%0a%0d%0afakecontent Impact CRLF Injection allows an attacker to inject...
Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
Description Stored XSS via Markdown at Description or Comment of Ticket Detail When rendering to Markdown, the application does not filter and check the properties are valid, so when the user enters XSS it will render as XSS . Proof of Concept // PoC.req POST /tickets/submit/ HTTP/1.1 Host:...
Heap-based Buffer Overflow in vim/vim
Description Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Versio...
in star7th/showdoc
Description Logged in by LDAP will lead to a weak-password initialization, php isExist$username ; if!$userInfo D"User"-register$ldapuser,$ldapuser.time; //【register with a weak password, such as : tom/tom1637248826】 $rs2=ldapbind$ldapconn, $dn , $password;//【when the LDAP password is WRONG,no...
Cross-site Scripting (XSS) - Stored in kevinpapst/kimai2
Description Cross site scripting vulnerability in name field on customer edit form Proof of Concept place this payload in customer name field and save " Impact This vulnerability is capable of stolen the user session...
in elgg/elgg
Hello Elgg Team, hope you are having an awesome day : Just found an issue on the latest version of Elgg, and apparently the previous versions also have the same flaw. Description There is this endpoint, which is: http://elgg-example-here.com/ajax/form/admin/user/changeemail This endpoint is...
in tsolucio/corebos
Description There's no bound limit to the number of characters/special characters in "Add Module - Window Title" Add window -- Modules. javascript:chooseType'Module';fnRemoveWindow;setFilterdocument.getElementById'selmoduleid' Steps to reproduce Step 1. Goto -...
Cross-site Scripting (XSS) - Stored in invoiceninja/invoiceninja
Description In recent InvoiceNinja version 9d7145c in /documents it is possible to store svg file with html/js content, which later can be used to phish other users Proof of Concept POST /documents HTTP/1.1 Host: 172.17.0.1:8888 User-Agent: Mozilla/5.0 X11; Linux x8664; rv:95.0 Gecko/20100101...
Improper Authorization in hdinnovations/unit3d-community-edition
Description 2FA bypass in in chat functions. The "twostep" middleware is not implemented under the vue.php routing. Proof of Concept 1: Login into account with 2FA. Do not complete the 2FA process. 2: See all chat messages at https://UNIT3D-URL/api/chat/messages/1 3: If the CSRF token does not...
in janeczku/calibre-web
Description A user with no permissions about public shelves can edit his own private shelf making it public. This vulnerability is called Mass Assignment. Proof of Concept The file shelf.py at line 247 sets as public every shelf to be edited, so if the user injects the parameter ispublic=on in th...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF to delete chat messages POC CLICK ME! Impact This vulnerability is capable of tricking users to delete messages. This is probably the last state-changing endpoint in your application which is unprotected from CSRF...
Cross-site Scripting (XSS) - Stored in kevinpapst/kimai2
Description Stored XSS via Markdown at the comment in Project Proof of Concept // PoC.req POST /kimai2/public/en/admin/project/3/commentadd HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:95.0 Gecko/20100101 Firefox/95.0 Accept:...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Description CSRF related to duplicate action. the duplication occurs first before redirecting to edit form Proof of Concept GET /en/admin/teams/id/duplicate GET /en/admin/project/id/duplicate Impact This vulnerability is capable of tricking admin users to duplicate teams Note This is probably all...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF related to Torrents section. 6 actions recorded 1: /id/torrentfl 2: /id/torrentdoubleup 3: /id/bumpTorrent 4: /id/torrentsticky 5: /id/reseed 6: /id/freeleechtoken Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking admin users to reseed / use freeleech...