4072 matches found
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description More CSRFs, related to warnings feature this time 1: /warnings/id/deactivate 2: /warnings/username/mass-deactivate 3: /warnings/id/restore Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to deactivate / restore warnings...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description More unprotected CSRF endpoints that allows for state-changing operations. 1: GET /dashboard/moderation/1/approve 2: GET /requests/1/accept 3: GET /requests/1/reject 4: GET /requests/1/unclaim 5: GET /requests/1/reset Proof of Concept CLICK ME! Impact This vulnerability is capable of...
Open Redirect in star7th/showdoc
Description Open Redirect at login page due to unchecked "redirect" parameter. Vulnerable parameter redirect Payload /%09/google.com Proof of Concept Send users the following login link https://www.showdoc.com.cn/user/login?redirect=/%09/google.com After users use their registered account to logi...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Description CSRF in deleting invoice templates Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking admin user to delete invoice templates...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF to FlushOwnGhostPeers Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking users to perform unintended actions...
in jitsi/jicofo
Description misconfigurations of nginx lead to a path traversal vulnerability. Proof of Concept according to https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md?plain=1L251 a request to /shibboleth-sp../ can get any file under /usr/share Impact An attacker can access files on the web...
Cross-Site Request Forgery (CSRF) in pterodactyl/panel
Description Following state-changing endpoints are vulnerable to CSRF: 1: GET /admin/nodes/view/1/settings/token auto-generates token when token not generated yet 2: GET /admin/settings/mail/test The X-CSRF-Token header for the API request is not validated on backend, should be a POST request to...
Path Traversal in welliamcao/opsmanage
漏洞 README.md文件中的nginx配置存在安全漏洞,导致恶意攻击者可以任意读取项目中的文件。 POC 对于github上的demo地址,一种可行的攻击方式为: http://42.194.214.22:8000/static../ 可以看到读取到整个项目的文件。如果用户对该项目进行过二开,并在init.sql,conf/中写入了一些敏感信息,可能造成较大危害 影响 攻击者可以读取项目目录下任意文件...
Improper Access Control in janeczku/calibre-web
Description Although a user has no permissions about public shelves, he can create them. Proof of Concept The method createshelf at shelf.py does not check if the user has public shelf permissions for create it. @shelf.route"/shelf/create", methods="GET", "POST" @loginrequired def createshelf:...
Cross-site Scripting (XSS) - DOM in janeczku/calibre-web
Description It is possible to execute XSS payloads when editing book properties, such as uploading a cover or a format. Proof of Concept The file editbooks.js contains the following code: $"btn-upload-cover".on"change", function var filename = $this.val; if filename.substring3, 11 === "fakepath"...
in janeczku/calibre-web
Description A user can see the name of private shelves from other users when trying to remove a book of those shelves. Proof of Concept The file shelf.py in its line 221 exposes the name of the shelf when the user tries to remove a book from a shelf which is not his. log.warning"You are not allow...
SQL Injection in cacti/cacti
Description SQL Injection vulnerability occurs because the input taken from parameters is not sanitized for SQL Injection statement in useradmin.php useradmin.php:84 updatepolicies function contains sql injection vulnerability getnfilterrequestvar function takes get/post parameter without...
SQL Injection in glpi-project/glpi
Description A user with only the following rights on a sub-entity: - Setup General setup Read + Update - Administration Entity Read + Update is authorized to update "UI options" field from "UI customization" tab of an entity's configuration. This customization option is not correctly escaped,...
Heap-based Buffer Overflow in vim/vim
Description Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Versio...
in elgg/elgg
Hello there! Hope you're having an awesome day :D Actually, it's been a few months since I found this bug, but I had no success in trying to contact you guys, and now I discovered that you're on Huntr. So now I'm sending my report from here : Summary During this week, I was participating at a bug...
Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
Description Stored XSS via upload 'Attachments' with format .svg or .html Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept // PoC.svg...
Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description Multiple Stored XSS at 'snipeitram3' and 'snipeitcpu4' in the multipart message of POST request when creating a new Asset or editing an existed Asset. Proof of Concept POST /hardware HTTP/1.1 Host: develop.snipeitapp.com Connection: close Content-Length: 2560 Cache-Control: max-age=0...
in cortezaproject/corteza-server
Description Hey, when I attempt to change the password after creating an account I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target...
Cross-Site Request Forgery (CSRF) in bookstackapp/bookstack
Description Login CSRF via /register/confirm/token endpoint. Proof of Concept 1: Register account with the same username as our victim, an email confirmation will take place 2: Retrieve token from email. 3: Send a link http://BOOKSTACKAPPURL/register/confirm/token to user. 4: When the user clicks...
Cross-site Scripting (XSS) - Stored in eventum/eventum
Description Multiple Stored XSS in Administration at eventum 3.10.8 Proof of Concept // PoC.payload " Step to Reproduct Goto Administration Areas and choose to feature below Manage News Input payload into fieldTitle Manage Status Input payload into fieldTitle Manage Projects Input payload into...
Cross-Site Request Forgery (CSRF) in code16/sharp
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Description cross site request forgery vulnerability is present in delete functionality of doctor feature. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of delete the existing logs...
SQL Injection in galette/galette
Description Hi, I could find a SQL Injection when adding a user. From OWASP : A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify...
Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager
Description PatrOwl is vulnerable to stored XSS. Proof of Concept Impact This vulnerability permit to an authenticate user to execute JavaScript on other users Web Browser...
in cortezaproject/corteza-server
Description There's no bound limit to the number of "characters/special characters" in the name field of the user. Vulnerable Field: Full Name By sending a very long string it’s possible to cause a denial a service attack on the server. This may lead to the website becoming unavailable or...
Cross-Site Request Forgery (CSRF) in bookstackapp/bookstack
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
in v2fly/v2ray-core
Description Good afternoon. While looking at your code, we discovered an off-by-one index comparison against length may lead to out-of-bounds read flaw in your v2ray-core repository. Indexing operations on arrays, slices or strings should use an index at most one less than the length. If the inde...
Cross-site Scripting (XSS) - Stored in galette/galette
Description Hi, By reviewing your project I've found multiples stored cross-site scripting. From OWASP : Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web...
Heap-based Buffer Overflow in vim/vim
Description Team, trust you are doing well. As part of continues fuzzing VIM v8.2.3582 15d9890eee53afc61eb0a03b878a19cb5672f732 in persistence mode, I found a heap use-after-free mlappendint. Proof of Concept Affected version: v8.2.3582 Tested on: Linux s157903 4.15.0-106-generic 107-Ubuntu SMP T...
Cross-Site Request Forgery (CSRF) in galette/galette
Description Hello, Looking at the Galette application, I could observe that it is not protected against CSRF Cross-Site Request Forgery From OWASP : Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently...
Cross-Site Request Forgery (CSRF) in baijunyao/laravel-bjyblog
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Code Injection in tsolucio/corebos
Description The user can control a point and infuse arbitrary HTML code into a vulnerable web page. This vulnerability can have numerous results, like disclosure of a user’s session treats that might be utilized to impersonate the victim, or, more generally, it can permit the aggressor to alter t...
Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Cross-site Scripting (XSS) - Generic in snipe/snipe-it
Description XSS in bulk audit function via the asset tag parameter Proof of Concept 1: Go to http:///hardware/bulkaudit feature 2: Use alertdocument.domain as "Asset Tag" parameter 3: Click "Audit", the XSS should be triggered via the message Asset Tag ASSETTAG not found. Impact This vulnerabilit...
Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Description CSRF in custom field settings Proof of Concept /fields/1/fieldset/1/disassociate" /fields/required/3/3" /fields/optional/3/3" Impact This vulnerability is capable of trick admin user to modify custom forms...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept Step to Reproduce: 1 Go to http://demo.corebos.com/index.php?module=Users&action=DetailView&record=1&modechk=prefview 2 add the...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in getgrav/grav
✍️ Description The secure flag is not set for session cookies in the application. 💥 Impact If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an...
Heap-based Buffer Overflow in zyantific/zydis
As discussed in the report at https://www.huntr.dev/bounties/96b0a482-7041-45b1-9327-c6a4a8f32d3a/, I am re-opening the report here for proper tracking. Description Hello, we hope you're doing well during these challenging times. Whilst testing zydis built from commit 077b185 with Clang12 + ASan ...
Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
Description Stored XSS via parameter title when create new ticket Details At the table tickets in admin, when rendering data for column Ticket it allows for arbitrary execution of JavaScript Vulnerability code data: "ticket", render: function data, type, row, meta if type === 'display' data = '' ...
OS Command Injection in ohmyzsh/ohmyzsh
Description In Oh My Zsh, there is a function called omzurldecode, which is used to decode URLs. Since this function is using eval with user inputs without any sanitization, it's possible to inject arbitrary commands into the eval context, which allows an attacker to achieve the command injection...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET/ANY. To expand: One way GET/ANY could be...
Cross-site Scripting (XSS) - Stored in leantime/leantime
Description Stored XSS via filename when upload file Proof of Concept // PoC.req POST /leantime/public//projects/showProject/3 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:94.0 Gecko/20100101 Firefox/94.0 Accept:...
in sebastienheyd/boilerplate-media-manager
Description RCE via 'Rename Media' after upload media on boilerplate-media-manager 7.1.3 Proof of Concept // PoC.req upload media POST /admin/medias/ajax/upload HTTP/1.1 Host: 127.0.0.1:8000 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:94.0 Gecko/20100101 Firefox/94.0 Accept:...
Heap-based Buffer Overflow in hoene/libmysofa
Description The variable st-filtlen in the function speexresamplerresetmem is not checked to see if it is 0 before it is used, and after subtracting one, it becomes 0xffffffff, causing heap overflow Proof of Concept src/mysofa2json -c poc ==30201==ERROR: AddressSanitizer: heap-buffer-overflow on...
Cross-site Scripting (XSS) - Reflected in tsolucio/corebos
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept. // PoC.js Link --...
Cross-Site Request Forgery (CSRF) in tsolucio/corebos
Description Hey corebos team, in the meanwhile I find another low level CSRF. attacker can activate/deactivate a Task of workflow with CSRF attack. Proof of Concept // PoC.html history.pushState'', '', '/'...
PHP Remote File Inclusion in tsolucio/corebos
Description An attacker can use Local File Inclusion LFI to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting XSS. Proof of Concept // PoC.js Link --...
SQL Injection in forkcms/forkcms
Description When deleting submissions which belong to a formular made with module FormBuilder, the parameter id is vulnerable for SQL injection. Proof of Concept - Call the URL...
Path Traversal in bookstackapp/bookstack
Description During reading recent BookStack source code 85dc8d I discovered path traversal vulnerability. Authenticated user can have access to all files stored in storage directory. Proof of Concept GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1 Host: 172.17.0.1:8888 User-Agent:...
Business Logic Errors in pimcore/demo
Description There is no check over the number of items that a user can add to the cart. Adding a huge amount of items when updating the cart, causes the server to fail returning a 500 Internal Server Error. Proof of Concept Below POST request causes the server to fail adding 900000000 items of th...