Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
Description Stored XSS via uploading 'Attachments' in .svg or .html format. Details When opening the attachment, some file formats are rendered and loaded in the browser, so it allows executing arbitrary JavaScript code that was injected into the attachment beforehand. Proof of Concept // PoC.svg...
Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description Multiple Stored XSS at 'snipeitram3' and 'snipeitcpu4' in the multipart message of the POST request when creating a new Asset or editing an existing Asset. Proof of Concept POST /hardware HTTP/1.1 Host: develop.snipeitapp.com Connection: close Content-Length: 2560 Cache-Control: max-age=0...
in cortezaproject/corteza-server
Description Hey, when I attempted to change the password after creating an account I noticed that you haven't set any password boundary. You need to limit the password length. Hashing a large amount of data can cause significant resource consumption on the server's side and would be an easy target...
Cross-Site Request Forgery (CSRF) in bookstackapp/bookstack
Description Login CSRF via the /register/confirm/token endpoint. Proof of Concept 1: Register an account with the same username as our victim; an email confirmation will take place. 2: Retrieve the token from the email. 3: Send the link http://BOOKSTACKAPPURL/register/confirm/token to the user. 4: When the user clicks...
Cross-site Scripting (XSS) - Stored in eventum/eventum
Description Multiple Stored XSS in Administration at eventum 3.10.8 Proof of Concept // PoC.payload Steps to Reproduce: Go to Administration Areas and choose the features below. Manage News: input the payload into the field Title. Manage Status: input the payload into the field Title. Manage Projects: input the payload into...
Cross-Site Request Forgery (CSRF) in code16/sharp
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Impact This vulnerability is capable of forcing a user into an unintentional logout. Test Tested on Edge, Firefox, Chrome and Safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Description A cross-site request forgery vulnerability is present in the delete functionality of the doctor feature. Proof of Concept history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of deleting the existing logs...
SQL Injection in galette/galette
Description Hi, I could find a SQL Injection when adding a user. From OWASP: A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify...
Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager
Description PatrOwl is vulnerable to stored XSS. Proof of Concept Impact This vulnerability permits an authenticated user to execute JavaScript in other users' web browsers...
in cortezaproject/corteza-server
Description There's no bound limit on the number of "characters/special characters" in the name field of the user. Vulnerable Field: Full Name. By sending a very long string it’s possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or...
Cross-Site Request Forgery (CSRF) in bookstackapp/bookstack
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Impact This vulnerability is capable of forcing a user into an unintentional logout. Test Tested on Edge, Firefox, Chrome and Safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
in v2fly/v2ray-core
Description Good afternoon. While looking at your code, we discovered an off-by-one index comparison against length that may lead to an out-of-bounds read flaw in your v2ray-core repository. Indexing operations on arrays, slices or strings should use an index at most one less than the length. If the inde...
Cross-site Scripting (XSS) - Stored in galette/galette
Description Hi, by reviewing your project I've found multiple stored cross-site scripting issues. From OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web...
Heap-based Buffer Overflow in vim/vim
Description Team, trust you are doing well. As part of continuous fuzzing of VIM v8.2.3582 (15d9890eee53afc61eb0a03b878a19cb5672f732) in persistence mode, I found a heap use-after-free in mlappendint. Proof of Concept Affected version: v8.2.3582 Tested on: Linux s157903 4.15.0-106-generic 107-Ubuntu SMP T...
Cross-Site Request Forgery (CSRF) in galette/galette
Description Hello, looking at the Galette application, I could observe that it is not protected against CSRF (Cross-Site Request Forgery). From OWASP: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently...
Cross-Site Request Forgery (CSRF) in baijunyao/laravel-bjyblog
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Impact This vulnerability is capable of forcing a user into an unintentional logout. Test Tested on Edge, Firefox, Chrome and Safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Code Injection in tsolucio/corebos
Description The user can control a point and infuse arbitrary HTML code into a vulnerable web page. This vulnerability can have numerous results, like disclosure of a user’s session treats that might be utilized to impersonate the victim, or, more generally, it can permit the aggressor to alter t...
Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Impact This vulnerability is capable of forcing a user into an unintentional logout. Test Tested on Edge, Firefox, Chrome and Safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Cross-site Scripting (XSS) - Generic in snipe/snipe-it
Description XSS in the bulk audit function via the asset tag parameter Proof of Concept 1: Go to the http:///hardware/bulkaudit feature 2: Use alert(document.domain) as the "Asset Tag" parameter 3: Click "Audit"; the XSS should be triggered via the message "Asset Tag ASSETTAG not found". Impact This vulnerabilit...
Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Description CSRF in custom field settings Proof of Concept /fields/1/fieldset/1/disassociate /fields/required/3/3 /fields/optional/3/3 Impact This vulnerability is capable of tricking an admin user into modifying custom forms...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept Steps to Reproduce: 1. Go to http://demo.corebos.com/index.php?module=Users&action=DetailView&record=1&modechk=prefview 2. Add the...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in getgrav/grav
✍️ Description The secure flag is not set for session cookies in the application. 💥 Impact If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an...
Heap-based Buffer Overflow in zyantific/zydis
As discussed in the report at https://www.huntr.dev/bounties/96b0a482-7041-45b1-9327-c6a4a8f32d3a/, I am re-opening the report here for proper tracking. Description Hello, we hope you're doing well during these challenging times. Whilst testing zydis built from commit 077b185 with Clang12 + ASan ...
Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
Description Stored XSS via the parameter title when creating a new ticket Details In the tickets table in admin, when rendering data for the column Ticket, it allows arbitrary execution of JavaScript. Vulnerable code data: "ticket", render: function (data, type, row, meta) { if (type === 'display') { data = '' ...
OS Command Injection in ohmyzsh/ohmyzsh
Description In Oh My Zsh, there is a function called omzurldecode, which is used to decode URLs. Since this function is using eval with user inputs without any sanitization, it's possible to inject arbitrary commands into the eval context, which allows an attacker to achieve the command injection...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Impact This vulnerability is capable of forcing a user into an unintentional logout. Test Tested on Edge, Firefox, Chrome and Safari. Fix You should use POST instead of GET/ANY. To expand: One way GET/ANY could be...
Cross-site Scripting (XSS) - Stored in leantime/leantime
Description Stored XSS via the filename when uploading a file Proof of Concept // PoC.req POST /leantime/public//projects/showProject/3 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:94.0 Gecko/20100101 Firefox/94.0 Accept:...
in sebastienheyd/boilerplate-media-manager
Description RCE via 'Rename Media' after uploading media on boilerplate-media-manager 7.1.3 Proof of Concept // PoC.req upload media POST /admin/medias/ajax/upload HTTP/1.1 Host: 127.0.0.1:8000 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:94.0 Gecko/20100101 Firefox/94.0 Accept:...
Heap-based Buffer Overflow in hoene/libmysofa
Description The variable st-filtlen in the function speexresamplerresetmem is not checked to see if it is 0 before it is used, and after subtracting one it becomes 0xffffffff, causing a heap overflow. Proof of Concept src/mysofa2json -c poc ==30201==ERROR: AddressSanitizer: heap-buffer-overflow on...
Cross-site Scripting (XSS) - Reflected in tsolucio/corebos
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept // PoC.js Link --...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description Hey corebos team, in the meantime I found another low-level CSRF. An attacker can activate/deactivate a Task of a workflow with a CSRF attack. Proof of Concept // PoC.html history.pushState('', '', '/')...
PHP Remote File Inclusion in tsolucio/corebos
Description An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Proof of Concept // PoC.js Link --...
SQL Injection in forkcms/forkcms
Description When deleting submissions which belong to a form made with the module FormBuilder, the parameter id is vulnerable to SQL injection. Proof of Concept - Call the URL...
Path Traversal in bookstackapp/bookstack
Description While reading the recent BookStack source code (85dc8d) I discovered a path traversal vulnerability. An authenticated user can access all files stored in the storage directory. Proof of Concept GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1 Host: 172.17.0.1:8888 User-Agent:...
Business Logic Errors in pimcore/demo
Description There is no check on the number of items that a user can add to the cart. Adding a huge number of items when updating the cart causes the server to fail, returning a 500 Internal Server Error. Proof of Concept The POST request below causes the server to fail when adding 900000000 items of th...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept 1. Go to Asset Metadata Class Definitions; create a new one or just edit a previous one. 2. In the Name input, inject any XS...
in misp/misp-maltego
Description Misconfigurations of nginx lead to a path traversal vulnerability. Proof of Concept A request to /munin../ can get any file under /var/cache/munin/. Impact An attacker can access files on the web server to which they should not have access...
Path Traversal in rhizome-conifer/conifer
Description Misconfigurations of nginx lead to a path traversal vulnerability. Proof of Concept An attacker can access files like this: https://conifer.rhizome.org/static/app../admin.py https://conifer.rhizome.org/static/app../config/wr.yaml Impact An attacker can access files on the web server t...
Use of Uninitialized Variable in vim/vim
Greetings, A Stack Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Version : master2446ec9...
Cross-site Scripting (XSS) - Stored in openpetra/openpetra
Description Multiple Stored XSS at openpetra 2020.10 Proof of Concept // PoC.req POST /api/serverMSponsorship.asmx/TSponsorshipWebConnectorMaintainChild HTTP/1.1 Host: demo.openpetra.org Cookie: ASP.NETSessionId=AEC44A33068E58B5DE583F3E; OpenPetraSessionID=b987029b-104f-45f1-aa29-339a49d0d55a...
Path Traversal in getgrav/grav
Steps: Host the project locally. For example, if the address is http://127.0.0.1:8088, visit http://127.0.0.1:8088/system/config/permissions.yaml and you will get the content of the permissions.yaml file. Impact: Successful exploitation could allow an...
in adodb/adodb
Description An attacker can inject values into the PostgreSQL connection string by bypassing adodbaddslashes. The function can be bypassed in phppgadmin, for example, by surrounding the username in quotes and submitting it with other parameters injected in between. Proof of Concept I'm going to use...
in bookstackapp/bookstack
Description While reading the recent BookStack source code (31665410) I discovered that there is no uploaded file type and size check. An authenticated user with the attachment create role can upload any type of file. One possibility is to upload a phishing page and get administrators' credentials. Proof of Concept POST...
Cross-site Scripting (XSS) - Stored in getgrav/grav-plugin-admin
Description In Grav, you can preview the file you uploaded by hovering your mouse over the file and clicking the info icon. The normal preview should look like this: However, I noticed that it is possible to perform XSS via the filename due to the following HTML code: We can upload a file with a...
Cross-site Scripting (XSS) - Stored in eventum/eventum
Description Stored XSS via uploading 'Attached Files' in .svg format Proof of Concept // PoC.req POST /ajax/upload.php?file=dropfile HTTP/1.1 Host: 127.0.0.1:8888 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:94.0 Gecko/20100101 Firefox/94.0 Accept: application/json Accept-Language:...
None in glpi-project/glpi
Description We can get the list of users/employees in the GLPI platform. Proof of Concept Here, for example, we are in the Intervenant role. Steps to reproduce: 1. Go to Assistance -- Planning 2. On the left of the menu, in front of the Plannings section, click on the Plus (+) button 3. In the Actor field list we select...
SQL Injection in eventum/eventum
Description Time-Based Blind SQL Injection in eventum 3.10.7 Proof of Concept // PoC.payload // Advanced Search // Parameter: sortby priority0=0&severity0=0&users0=0&category0=0&status0=0&release0=0&rows=5&sortby=prirank AND SELECT 2168 FROM...
Cross-Site Request Forgery (CSRF) in area17/twill
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Impact This vulnerability is capable of forcing a user into an unintentional logout. Test Tested on Edge, Firefox, Chrome and Safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Heap-based Buffer Overflow in vim/vim
Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Version :...
Cross-Site Request Forgery (CSRF) in microweber/microweber
Description There is a CSRF on Delete Cart Item on the user's side. I get the error message "Item not removed from cart", but the item will already have been deleted; the message isn't correct and the delete action will be done. Proof of Concept // PoC.html history.pushState('', '', '/') after that you click on subm...