4072 matches found
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept 1-- Go Asset Metadata Class Definitions - Create another one or just edit aprevious one . 2 -- In the Name input Inject any XS...
in misp/misp-maltego
Description misconfigurations of nginx lead to a path traversal vulnerability. Proof of Concept Do a request to /munin../ can get any file under /var/cache/munin/ Impact An attacker can access files on the web server to which they should not have access...
Path Traversal in rhizome-conifer/conifer
Description misconfigurations of nginx lead to a path traversal vulnerability. Proof of Concept An attacker can access files like this: https://conifer.rhizome.org/static/app../admin.py https://conifer.rhizome.org/static/app../config/wr.yaml Impact An attacker can access files on the web server t...
Use of Uninitialized Variable in vim/vim
Greetings, A Stack Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Version : master2446ec9...
Cross-site Scripting (XSS) - Stored in openpetra/openpetra
Description Multiple Stored XSS at openpetra 2020.10 Proof of Concept // PoC.req POST /api/serverMSponsorship.asmx/TSponsorshipWebConnectorMaintainChild HTTP/1.1 Host: demo.openpetra.org Cookie: ASP.NETSessionId=AEC44A33068E58B5DE583F3E; OpenPetraSessionID=b987029b-104f-45f1-aa29-339a49d0d55a...
Path Traversal in getgrav/grav
Steps: Host the project locally. For example if address is http://127.0.0.1:8088 == visit http://127.0.0.1:8088/system/config/permissions.yaml http://127.0.0.1:8088/system/config/permissions.yaml == you will get the content of permissions.yaml file. Impact: Successful exploitation could allow an...
in adodb/adodb
Description An attacker can inject values into the PostgreSQL connection string by bypassing adodbaddslashes . The function can be bypassed in phppgadmin for example by surrounding the username in quotes and submitting with other parameters injected in between. Proof of Concept I'm going to use...
in bookstackapp/bookstack
Description During reading recent BookStack source code 31665410 I discovered no uploaded file type and size check. Authenticated user with attachment create role can upload any type file. One of possibilities is to upload phishing page and get administrators credentials. Proof of Concept POST...
Cross-site Scripting (XSS) - Stored in getgrav/grav-plugin-admin
Description In Grav, you can preview the file you uploaded by hovering your mouse to the file and clicking the info icon. The normal preview should be like this: However, I noticed that it is possible to perform XSS on the filename due to the following HTML Code: We can upload a file with a...
Cross-site Scripting (XSS) - Stored in eventum/eventum
Description Stored XSS via upload 'Attached Files' with format .svg Proof of Concept // PoC.req POST /ajax/upload.php?file=dropfile HTTP/1.1 Host: 127.0.0.1:8888 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:94.0 Gecko/20100101 Firefox/94.0 Accept: application/json Accept-Language:...
None in glpi-project/glpi
Description We can have list of user of Emplyes in GLPI plateform Proof of Concept Here for example wa are as Intervenant Role. Steps to reproduce : 1. Go to Assistance--Planning 2.In the left of the menu in front of Plannings section, clich on Plus + Button 3. In the Actor Field List we select...
SQL Injection in eventum/eventum
Description Time-Based Blind SQL Injection in eventum 3.10.7 Proof of Concept // PoC.payload // Advanced Search // Parameter: sortby priority0=0&severity0=0&users0=0&category0=0&status0=0&release0=0&rows=5&sortby=prirank AND SELECT 2168 FROM...
Cross-Site Request Forgery (CSRF) in area17/twill
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Edge, firefox, chrome and safari. Fix You should use POST instead of GET. To expand: One way GET could be abused...
Heap-based Buffer Overflow in vim/vim
Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Version :...
Cross-Site Request Forgery (CSRF) in microweber/microweber
Description There is a CSRF on Delete Cart Item in users side. I get this error "Item not removed from cart" message but the item already will be deleted.message isn't correct and the delete action will be done Proof of Concept // PoC.html history.pushState'', '', '/' after that you click on subm...
in bookstackapp/bookstack
Description The image extension validation service for Base64 image extraction in new Bookstack version is flawed as it uses the vulnerable trim function. This allows attackers to upload malicious files with broken extension, such as pngr, and browsers will interpret broken extension hosted on th...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
Description When uploading a new module, the description of the module can contain JavaScript code. After uploading the new module and looking at the Details page, the JavaScript code would be executed. Proof of Concept - I downloaded this module...
in marcoax/magutticms
Description RCE via 'upload file image or document' on maguttiCms 8.62 allows remote authenticated administrators to execute arbitrary PHP code Proof of Concept // PoC.req POST /admin/api/uploadifiveSingle HTTP/1.1 Host: 127.0.0.1:8000 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15;...
Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Description Reflected XSS in form Search. After report https://huntr.dev/bounties/b76d075f-f6b2-40f0-b08e-a56e934d7c60/ I have retested the vulnerability and my payload is able to bypass your filter mechanism. The input tag of the search form was escaped by my payload Step to Reproduct Login to...
Heap-based Buffer Overflow in vim/vim
Description Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Versio...
None in vim/vim
Description Greetings, A Use After Free issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below. System info OS version : Ubuntu 20.04.2 LTS + Clang 12 with ASan Vim Version :...
Sensitive Cookie Without 'HttpOnly' Flag in kasuganosoras/pigeon
Description One or more cookies don't have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies. Remediation If...
Session Fixation in kasuganosoras/pigeon
✍️ Description Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new sessio...
Sensitive Cookie Without 'HttpOnly' Flag in namelessmc/nameless
Description Due to a culmination of factors in the design of the authentication and authorization system and a lack of proper cookie setting it is possible for a malicious user to exfiltrate session tokens from a NamelessMC instance and aggregate them in a remote service. A malicious administrati...
Cross-Site Request Forgery (CSRF) in pterodactyl/panel
Description Attacker is able to logout a user if a logged in user visits attacker website. Impact This vulnerability is capable of forging user to unintentional logout. Test Tested on Firefox, Chrome and Safari. Fix You use POST instead of GET. To expand: One way ANY could be abused here is that ...
in firefly-iii/firefly-iii
Description Firefly 3 allows users to register OAuth clients. However, Firefly allows duplicate client names to be registered into the application. Hence, attackers from a different account assuming registration is enabled can register a client with duplicate client name and trick the user into...
Improper Privilege Management in shadow-maint/shadow
Description The su utility, if compiled with PAM support, uses waitpid internally to monitor its child process. It depends on the creation of zombie processes for proper monitoring, but the creation can be suppressed by ignoring the SIGCHLD signal see waitpid manual page. If su is spawned from a...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description there is a CSRF on Run rules again action Proof of Concept // PoC.html history.pushState'', '', '/'...
in pimcore/pimcore
Description I found unrestricted file upload, to force an image parser to allocate a large volume of memory based on the image headers large file in profile picture, 4250x64250 pixels whole image into memory, it tries to allocate 4128062500 pixels into memory, flooding the memory and causing DoS...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description No CSRF in duplicate rule, and modifying the order of the rule group Proof of Concept Click Me! Click Me! Click Me! Impact This vulnerability is capable of tricking admin users to duplicate rule and modifying order of rule groups Permalinks selected with reference to this report:...
SQL Injection in forkcms/forkcms
Description When calling the url for deleting one or more tags, the parameter id is vulnerable for SQL injection. Proof of Concept Call an URL like this one as an authenticated user. http://forkcms.site/private/de/tags/massaction?token=n93e05rj0l&id=3;insert into usersemail,password,isgod values...
Business Logic Errors in simplcommerce/simplcommerce
Description SimplCommerce allows negative product allowing one to get products for free The fix here https://github.com/simplcommerce/SimplCommerce/issues/971 does not work because client-side controls can by bypassed by modifying the POST request Proof of Concept 1: Add one $75 and $25 item in...
Business Logic Errors in microweber/microweber
Description A fixed price coupon can be applied to get negative price for a product Proof of Concept 1: Create a fixed coupon Example: $200 coupon, $300 minimum 2: Add two products into the cart Example $50 + $300 3: Apply the fixed coupon. 4: Remove the $300 product. Observe that the price is no...
Cross-Site Request Forgery (CSRF) in microweber/microweber
Description Hello Microweber team I found a CSRF on deleting the comments : //PoC.html history.pushState'', '', '/' after you run this PoC.html you can see that the comment with id 1 will be deleted...
SQL Injection in forkcms/forkcms
Description When an authenticated user exports translations, the user calls an URL like this: http://forkcms.site/private/de/locale/export?token=5z0ao1nk4p&type%5B0%5D=lbl&language%5B0%5D=de The parameter type0 and language0 are both vulnerable for SQL injection. Proof of Concept PoC for paramete...
Server-Side Request Forgery (SSRF) in pimcore/pimcore
Description Your demo server is running in a vulnerable Apache server Apache/2.4.38. The attacker can easily exploit SSRF vulnerability just by visiting a crafted URL. The vulnerability has been discovered few days ago and it relies on modproxy module. I know that this vulnerability is not direct...
Heap-based Buffer Overflow in zyantific/zydis
Description Hello, we hope you're doing well during these challenging times. Whilst testing zydis built from commit 077b185 with Clang12 + ASan on Ubuntu 18.04, we discovered a crafted PE file that when fed to ZydisPE triggers a heap-buffer-overflow, READ of size 1. Proof of Concept POC Base64...
Cross-site Scripting (XSS) - Stored in shopware/shopware
Description Stored XSS when add media file with format .svg allows for arbitrary execution of JavaScript Proof of Concept // PoC.req POST /shopware/backend/mediaManager/upload?albumID=-10 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:94.0 Gecko/20100101...
Cross-site Scripting (XSS) - Stored in rmuif/web
Description rmuif is vulnerable to XSS. It is possible to use tags in SVG content when uploading a profile picture. Proof of Concept SVG content: HTML alertdocument.domain; 1: Save the above content into an SVG file. 2: Access the settings page and upload this file as a profile picture. 3: Access...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
Description When uploading a new theme, the description of a theme can contain JavaScript code. This can be used for Cross-Site-Scripting. Proof of Concept I downloaded the Kompact theme https://github.com/jessedobbelaere/fork-cms-theme-kompact/archive/master.zip, extracted it and changed in...
Cross-site Scripting (XSS) - Stored in getgrav/grav
Description Grav is vulnerable to XSS. It is possible to use instead of : in tags. Proof of Concept Payload: HTML CLICK HERE 1: Edit a page with the payload user with low privileges. 2: Check out the target page and click on CLICK HERE. PoC video. Impact This vulnerability is capable of executing...
Cross-site Scripting (XSS) - Stored in archerysec/archerysec
Description The application is vulnerable to a Stored XSS attack. It is possible for an authenticated user to inject a JavaScript payload that will be executed in the web browser of the users viewing the concerned pages. When uploading a Burp scan, the XML field "issueBackground" of a vulnerabili...
SQL Injection in yeswiki/yeswiki
Description A boolean-based SQL Injection vulnerability has been found in the email parameter of the registration form. When a new user registers, the application first checks if the email exists through the emailExistsInDB function located in line 999 of the User.class.php. As you can see, it do...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
Description Hello. ForkCMS does not properly sanitize the website's TITLE when it is imported into the meta tags. Proof of Concept If we set the page title to something like this: Home - Hi'"script src=//xss/scriptx="99\r\n%0A%09%0Dsvg\onload=confirm1 It gets reflected back here: "" Impact This...
Cross-site Scripting (XSS) - Stored in boxbilling/boxbilling
Description Stored XSS at parameter 'iconurl' when Create New Product, New Category or New Addon Proof of Concept // PoC.req POST /BoxBilling/src/index.php?url=/api/admin/product/update HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:94.0 Gecko/20100101...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
Description XSS in the question asking session feedback page Proof of Concept Hi'" link https://demo.fork-cms.com/private/en/faq/edit?token=u1xyihius6&id=1 paste the payload in the question section and view the question in link Impact custom javascript code execution , session stealing etc...
Cross-site Scripting (XSS) - Stored in msaari/relevanssi
Description Good afternoon. Beginning on 12 October 2021, our XSS catcher started receiving callbacks from a group of sites that are using the Relevanssi plugin for Wordpress. It appears to us that the software is not properly filtering Unsuccessful searches before displaying the information to t...
Cross-site Scripting (XSS) - Stored in osticket/osticket
Description As it is written on github profile, osTicket is a widely-used open source support ticket system. During source code research I discovered bad uploaded file type check, which is controlled by user. Unauthenticated user can upload malicious html/js file. FROM OWASP:: Cross-Site Scriptin...
Cross-site Scripting (XSS) - Reflected in admidio/admidio
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept // PoC.js Vuln Link --...
Inefficient Regular Expression Complexity in cfinke/typo.js
Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in typo-js. It allows causing a denial of service when calling function removeAffixComments. Proof of Concept // PoC.js var Typo = require"typo-js" var emptydict = new Typo; forvar i = 1; i = 50000; i++...