4057 matches found

Huntr | added 2021/10/26 2:00 a.m.

in bookstackapp/bookstack

Description: The image extension validation service for Base64 image extraction in the new Bookstack version is flawed as it uses the vulnerable trim function. This allows attackers to upload malicious files with a broken extension, such as pngr, and browsers will interpret the broken extension hosted on th...

CVSS 4 | AI score 1.3 | EPSS 0.00229 | Exploits: 1

Huntr | added 2021/10/25 8:56 p.m.

Cross-site Scripting (XSS) - Stored in forkcms/forkcms

Description: When uploading a new module, the description of the module can contain JavaScript code. After uploading the new module and looking at the Details page, the JavaScript code would be executed.

Proof of Concept: I downloaded this module...

CVSS 3.5 | AI score 5.6 | EPSS 0.00346 | Exploits: 1

Huntr | added 2021/10/25 4:36 p.m.

in marcoax/magutticms

Description: RCE via 'upload file image or document' on maguttiCms 8.62 allows remote authenticated administrators to execute arbitrary PHP code.

Proof of Concept (PoC.req):
POST /admin/api/uploadifiveSingle HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15;...

AI score 0.3 | Exploits: 0 | References: 3

Huntr | added 2021/10/25 9:10 a.m.

Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence

Description: Reflected XSS in form Search. After report https://huntr.dev/bounties/b76d075f-f6b2-40f0-b08e-a56e934d7c60/ I have retested the vulnerability and my payload is able to bypass your filter mechanism. The input tag of the search form was escaped by my payload.

Steps to Reproduce: Login to...

AI score 0.1 | Exploits: 0

Huntr | added 2021/10/24 11:10 p.m.

Heap-based Buffer Overflow in vim/vim

Description: Greetings, A Heap-based Buffer Overflow issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below.

System info: OS version: Ubuntu 20.04.2 LTS + Clang 12 with ASan. Vim Versio...

CVSS 4.6 | AI score 7.5 | EPSS 0.00368 | Exploits: 1 | References: 1

Huntr | added 2021/10/24 10:44 p.m.

None in vim/vim

Description: Greetings, A Use After Free issue was discovered in Vim. The POC file is reduced to the absolute minimum to reproduce the problem. Please see sanitizer output and the "trimmed" POC file link below.

System info: OS version: Ubuntu 20.04.2 LTS + Clang 12 with ASan. Vim Version:...

CVSS 6.8 | AI score 7.6 | EPSS 0.00211 | Exploits: 1 | References: 1

Huntr | added 2021/10/24 9:30 a.m.

Sensitive Cookie Without 'HttpOnly' Flag in kasuganosoras/pigeon

Description: One or more cookies don't have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.

Remediation: If...

AI score 1 | Exploits: 0

Huntr | added 2021/10/24 9:25 a.m.

Session Fixation in kasuganosoras/pigeon

✍️ Description: Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new sessio...

AI score 0.9 | Exploits: 0 | References: 1

Huntr | added 2021/10/23 9:52 p.m.

Sensitive Cookie Without 'HttpOnly' Flag in namelessmc/nameless

Description: Due to a culmination of factors in the design of the authentication and authorization system and a lack of proper cookie setting, it is possible for a malicious user to exfiltrate session tokens from a NamelessMC instance and aggregate them in a remote service. A malicious administrati...

AI score 0.8 | Exploits: 0

Huntr | added 2021/10/23 7:19 p.m.

Cross-Site Request Forgery (CSRF) in pterodactyl/panel

Description: An attacker is able to log out a user if the logged-in user visits the attacker's website.

Impact: This vulnerability is capable of forcing a user into an unintentional logout.

Test: Tested on Firefox, Chrome and Safari.

Fix: Use POST instead of GET. To expand: One way ANY could be abused here is that...

AI score 0.2 | Exploits: 0

Huntr | added 2021/10/23 2:50 p.m.

in firefly-iii/firefly-iii

Description: Firefly 3 allows users to register OAuth clients. However, Firefly allows duplicate client names to be registered into the application. Hence, attackers from a different account (assuming registration is enabled) can register a client with a duplicate client name and trick the user into...

AI score 0.8 | Exploits: 0

Huntr | added 2021/10/23 1:34 p.m.

Improper Privilege Management in shadow-maint/shadow

Description: The su utility, if compiled with PAM support, uses waitpid internally to monitor its child process. It depends on the creation of zombie processes for proper monitoring, but the creation can be suppressed by ignoring the SIGCHLD signal (see the waitpid manual page). If su is spawned from a...

AI score 7.1 | EPSS 0.00061 | Exploits: 0 | References: 1
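
The mechanism the su report above relies on, as an added example (Python, not shadow's code, and it does not run su): a process whose SIGCHLD disposition is SIG_IGN has its terminated children reaped by the kernel, so a waitpid() on the child never sees a zombie and fails with ECHILD instead of returning the exit status. `wait_for_child(ignore_sigchld=True)` reproduces the inherited-disposition case; `wait_for_child(ignore_sigchld=False)` is the mitigation of explicitly resetting SIGCHLD to SIG_DFL before forking the child that is to be monitored. Requires a POSIX system (Linux follows the POSIX requirement that waitpid fail with ECHILD here).

```python
"""Inherited SIGCHLD=SIG_IGN versus waitpid()-based child monitoring.

Added example illustrating the waitpid/SIGCHLD interaction described in the
shadow-maint/shadow report; it is not shadow's code and does not invoke su.
"""
import os
import signal


def wait_for_child(ignore_sigchld: bool) -> str:
    """Fork a child that exits immediately and report what waitpid() observes.

    Returns 'status' when the parent collected the child's exit status, or
    'echild' when waitpid() failed with ECHILD because the kernel auto-reaped
    the child (SIGCHLD ignored), which is exactly the case that breaks a
    monitor that expects a zombie to wait for.
    """
    disposition = signal.SIG_IGN if ignore_sigchld else signal.SIG_DFL
    previous = signal.signal(signal.SIGCHLD, disposition)
    try:
        pid = os.fork()
        if pid == 0:
            # Child: terminate at once without running any parent cleanup.
            os._exit(0)
        try:
            _, _status = os.waitpid(pid, 0)
            return "status"
        except ChildProcessError:  # errno ECHILD
            return "echild"
    finally:
        # Restore whatever the process had before, so callers are unaffected.
        signal.signal(signal.SIGCHLD,
                      previous if previous is not None else signal.SIG_DFL)


if __name__ == "__main__":
    print("SIGCHLD ignored  :", wait_for_child(ignore_sigchld=True))
    print("SIGCHLD default  :", wait_for_child(ignore_sigchld=False))
```

The defensive lesson for any setuid helper that monitors a child this way is the second branch: do not trust the inherited signal dispositions, reset SIGCHLD (and treat an ECHILD from waitpid as a failure rather than a clean exit).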

Huntr | added 2021/10/23 9:27 a.m.

Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

Description: There is a CSRF on the "Run rules again" action.

Proof of Concept (PoC.html): history.pushState('', '', '/')...

CVSS 6.8 | AI score 2.2 | EPSS 0.0008 | Exploits: 1

Huntr | added 2021/10/23 6:39 a.m.

in pimcore/pimcore

Description: I found an unrestricted file upload, to force an image parser to allocate a large volume of memory based on the image headers (large file in profile picture, 4250x64250 pixels, whole image into memory): it tries to allocate 4128062500 pixels into memory, flooding the memory and causing DoS...

AI score 1 | Exploits: 0 | References: 1
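
A header-first guard against the pixel-bomb pattern in the report above, as an added example (Python, not pimcore code). It reads width and height from a PNG's IHDR chunk and rejects the upload when width × height exceeds a budget, before any decoder is asked to allocate the bitmap. The sample file is constructed inline (signature plus IHDR only) using the 4250x64250 dimensions quoted above; the 25-megapixel budget is an assumption, and JPEG, GIF and WebP uploads need their own header parsers before the same budget check.

```python
"""Reject oversized images from their header, before decoding.

Added example (not pimcore code). Only the PNG signature and IHDR chunk are
parsed; the pixel budget is an assumed policy value.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 25_000_000  # assumption: ~25 MP, i.e. ~100 MB at 4 bytes/pixel


def png_dimensions(data: bytes) -> tuple[int, int]:
    """Return (width, height) from the IHDR chunk; raise on anything malformed."""
    if len(data) < 33 or not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a well-formed IHDR")
    width, height = struct.unpack(">II", data[16:24])
    (crc_stored,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) & 0xFFFFFFFF != crc_stored:
        raise ValueError("IHDR CRC mismatch")
    return width, height


def within_pixel_budget(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    """True only for a PNG whose declared area fits the budget."""
    width, height = png_dimensions(data)
    return width > 0 and height > 0 and width * height <= max_pixels


def make_png_header(width: int, height: int) -> bytes:
    """Constructed test input: signature + IHDR (8-bit RGBA), no image data."""
    ihdr_data = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    chunk = b"IHDR" + ihdr_data
    crc = struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)
    return PNG_SIGNATURE + struct.pack(">I", len(ihdr_data)) + chunk + crc


if __name__ == "__main__":
    bomb = make_png_header(4250, 64250)     # dimensions from the report
    print(png_dimensions(bomb), within_pixel_budget(bomb))      # (4250, 64250) False
    print(within_pixel_budget(make_png_header(1920, 1080)))     # True
```

Run this check on the raw upload bytes and only hand files that pass to the image library; the header check costs nothing, whereas the decoder's allocation is what the report abuses.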

Huntr | added 2021/10/23 6:36 a.m.

Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

Description: No CSRF in duplicate rule and modifying the order of the rule group.

Proof of Concept: Click Me! Click Me! Click Me!

Impact: This vulnerability is capable of tricking admin users into duplicating a rule and modifying the order of rule groups.

Permalinks selected with reference to this report:...

CVSS 4.3 | AI score 0.5 | EPSS 0.00238 | Exploits: 1 | References: 1

Huntr | added 2021/10/22 5:25 p.m.

SQL Injection in forkcms/forkcms

Description: When calling the URL for deleting one or more tags, the parameter id is vulnerable to SQL injection.

Proof of Concept: Call a URL like this one as an authenticated user:
http://forkcms.site/private/de/tags/massaction?token=n93e05rj0l&id=3;insert into users(email,password,isgod) values...

AI score 0.6 | Exploits: 0

Huntr | added 2021/10/22 4:52 p.m.

Business Logic Errors in simplcommerce/simplcommerce

Description: SimplCommerce allows negative product, allowing one to get products for free. The fix here https://github.com/simplcommerce/SimplCommerce/issues/971 does not work because client-side controls can be bypassed by modifying the POST request.

Proof of Concept: 1: Add one $75 and one $25 item in...

AI score 0.1 | Exploits: 0

Huntr | added 2021/10/22 2:25 p.m.

Business Logic Errors in microweber/microweber

Description: A fixed price coupon can be applied to get a negative price for a product.

Proof of Concept:
1: Create a fixed coupon. Example: $200 coupon, $300 minimum.
2: Add two products into the cart. Example: $50 + $300.
3: Apply the fixed coupon.
4: Remove the $300 product. Observe that the price is no...

AI score 0.8 | Exploits: 0

Huntr | added 2021/10/22 2:01 p.m.

Cross-Site Request Forgery (CSRF) in microweber/microweber

Description: Hello Microweber team, I found a CSRF on deleting the comments:

PoC.html: history.pushState('', '', '/')

After you run this PoC.html you can see that the comment with id 1 will be deleted...

AI score 1.5 | Exploits: 0

Huntr | added 2021/10/21 5:11 p.m.

SQL Injection in forkcms/forkcms

Description: When an authenticated user exports translations, the user calls a URL like this:
http://forkcms.site/private/de/locale/export?token=5z0ao1nk4p&type%5B0%5D=lbl&language%5B0%5D=de
The parameters type[0] and language[0] are both vulnerable to SQL injection.

Proof of Concept: PoC for paramete...

AI score 0.1 | Exploits: 0
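
The fix for the two Fork CMS injections above (a comma-separated id list on the mass action, and array parameters such as type[0] and language[0] on the export), as an added example in Python with sqlite3 rather than the project's PHP: every id is validated as an ASCII integer, enumerated parameters are checked against an allow-list, and the SQL text is built only from placeholders. The table, column names and allow-list values are assumptions. The page's payload uses a stacked `insert`; sqlite3's `execute()` runs a single statement, so the vulnerable variant here is driven with a boolean tautology that has the same root cause (request data concatenated into SQL).

```python
"""Parameterised mass actions for list-valued request parameters.

Added example (Python + sqlite3, not Fork CMS's PHP). Table name, column
names and the allow-list values are assumptions made for illustration.
"""
import re
import sqlite3

_ASCII_INT = re.compile(r"[0-9]+")


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the CMS tags table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE tags(id INTEGER PRIMARY KEY, tag TEXT);"
        "INSERT INTO tags VALUES (1,'news'),(2,'blog'),(3,'draft'),(4,'old');"
    )
    return con


def remaining_tags(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM tags").fetchone()[0]


def delete_tags_vulnerable(con, id_param: str) -> int:
    """Interpolates ?id= straight into the statement, as in the report."""
    con.execute(f"DELETE FROM tags WHERE id IN ({id_param})")
    return remaining_tags(con)


def parse_id_list(id_param: str) -> list[int]:
    """Accept only comma-separated ASCII integers; anything else is rejected."""
    ids = []
    for raw in id_param.split(","):
        raw = raw.strip()
        if not _ASCII_INT.fullmatch(raw):
            raise ValueError(f"invalid id: {raw!r}")
        ids.append(int(raw))
    return ids


def is_valid_id_list(id_param: str) -> bool:
    try:
        parse_id_list(id_param)
        return True
    except ValueError:
        return False


def delete_tags_safe(con, id_param: str) -> int:
    """Validated ints bound through placeholders; SQL text never contains input."""
    ids = parse_id_list(id_param)
    placeholders = ",".join("?" * len(ids))
    con.execute(f"DELETE FROM tags WHERE id IN ({placeholders})", ids)
    return remaining_tags(con)


def validate_choices(values, allowed) -> list[str]:
    """For array parameters like type[] / language[]: allow-list, then bind."""
    bad = [v for v in values if v not in allowed]
    if bad:
        raise ValueError(f"unexpected values: {bad!r}")
    return list(values)


if __name__ == "__main__":
    print(delete_tags_vulnerable(fresh_db(), "3) OR 1=1 --"))   # 0: table wiped
    print(is_valid_id_list("3) OR 1=1 --"))                     # False
    print(delete_tags_safe(fresh_db(), "3, 4"))                 # 2
    print(validate_choices(["lbl", "msg"], {"lbl", "msg", "err", "act"}))
```

Note that the placeholder list is still assembled with an f-string, but from `?` characters only; the request data reaches the database exclusively through the bound parameter tuple.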

Huntr | added 2021/10/21 5:02 p.m.

Server-Side Request Forgery (SSRF) in pimcore/pimcore

Description: Your demo server is running on a vulnerable Apache server (Apache/2.4.38). The attacker can easily exploit the SSRF vulnerability just by visiting a crafted URL. The vulnerability was discovered a few days ago and it relies on the mod_proxy module. I know that this vulnerability is not direct...

AI score 0.6 | EPSS 0.94432 | Exploits: 5 | References: 2

Huntr | added 2021/10/21 3:34 p.m.

Heap-based Buffer Overflow in zyantific/zydis

Description: Hello, we hope you're doing well during these challenging times. Whilst testing zydis built from commit 077b185 with Clang 12 + ASan on Ubuntu 18.04, we discovered a crafted PE file that, when fed to ZydisPE, triggers a heap-buffer-overflow, READ of size 1.

Proof of Concept: POC Base64...

Exploits: 0 | References: 1

Huntr | added 2021/10/21 10:17 a.m.

Cross-site Scripting (XSS) - Stored in shopware/shopware

Description: Stored XSS when adding a media file in .svg format allows for arbitrary execution of JavaScript.

Proof of Concept (PoC.req):
POST /shopware/backend/mediaManager/upload?albumID=-10 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101...

AI score 0.6 | Exploits: 0 | References: 1

Huntr | added 2021/10/20 7:32 p.m.

Cross-site Scripting (XSS) - Stored in rmuif/web

Description: rmuif is vulnerable to XSS. It is possible to use tags in SVG content when uploading a profile picture.

Proof of Concept: SVG content: alert(document.domain);
1: Save the above content into an SVG file.
2: Access the settings page and upload this file as a profile picture.
3: Access...

AI score 0.6 | Exploits: 0 | References: 1

Huntr | added 2021/10/20 6:32 p.m.

Cross-site Scripting (XSS) - Stored in forkcms/forkcms

Description: When uploading a new theme, the description of a theme can contain JavaScript code. This can be used for Cross-Site-Scripting.

Proof of Concept: I downloaded the Kompact theme https://github.com/jessedobbelaere/fork-cms-theme-kompact/archive/master.zip, extracted it and changed in...

AI score 0.3 | Exploits: 0

Huntr | added 2021/10/20 2:02 p.m.

Cross-site Scripting (XSS) - Stored in getgrav/grav

Description: Grav is vulnerable to XSS. It is possible to use instead of : in tags.

Proof of Concept: Payload: CLICK HERE
1: Edit a page with the payload (user with low privileges).
2: Check out the target page and click on CLICK HERE. PoC video.

Impact: This vulnerability is capable of executing...

CVSS 3.5 | AI score 0.6 | EPSS 0.00261 | Exploits: 1

Huntr | added 2021/10/20 1:01 p.m.

Cross-site Scripting (XSS) - Stored in archerysec/archerysec

Description: The application is vulnerable to a Stored XSS attack. It is possible for an authenticated user to inject a JavaScript payload that will be executed in the web browser of the users viewing the concerned pages. When uploading a Burp scan, the XML field "issueBackground" of a vulnerabili...

AI score 0.2 | Exploits: 0 | References: 1

Huntr | added 2021/10/19 9:07 p.m.

SQL Injection in yeswiki/yeswiki

Description: A boolean-based SQL Injection vulnerability has been found in the email parameter of the registration form. When a new user registers, the application first checks if the email exists through the emailExistsInDB function located at line 999 of User.class.php. As you can see, it do...

Exploits: 0 | References: 1

Huntr | added 2021/10/19 3:26 p.m.

Cross-site Scripting (XSS) - Stored in forkcms/forkcms

Description: Hello. ForkCMS does not properly sanitize the website's TITLE when it is imported into the meta tags.

Proof of Concept: If we set the page title to something like this:
Home - Hi'"script src=//xss/scriptx="99\r\n%0A%09%0Dsvg\onload=confirm1
It gets reflected back here: ""

Impact: This...

AI score 1.4 | Exploits: 0 | References: 1

Huntr | added 2021/10/19 12:35 p.m.

Cross-site Scripting (XSS) - Stored in boxbilling/boxbilling

Description: Stored XSS at parameter 'iconurl' when creating a New Product, New Category or New Addon.

Proof of Concept (PoC.req):
POST /BoxBilling/src/index.php?url=/api/admin/product/update HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101...

AI score 0.1 | Exploits: 0 | References: 1

Huntr | added 2021/10/19 9:12 a.m.

Cross-site Scripting (XSS) - Stored in forkcms/forkcms

Description: XSS in the question asking session feedback page.

Proof of Concept: Hi'"
Link: https://demo.fork-cms.com/private/en/faq/edit?token=u1xyihius6&id=1
Paste the payload in the question section and view the question in the link.

Impact: custom JavaScript code execution, session stealing etc...

AI score 0.5 | Exploits: 0

Huntr | added 2021/10/19 12:57 a.m.

Cross-site Scripting (XSS) - Stored in msaari/relevanssi

Description: Good afternoon. Beginning on 12 October 2021, our XSS catcher started receiving callbacks from a group of sites that are using the Relevanssi plugin for WordPress. It appears to us that the software is not properly filtering unsuccessful searches before displaying the information to t...

AI score 5.9 | Exploits: 0 | References: 1

Huntr | added 2021/10/18 8:47 p.m.

Cross-site Scripting (XSS) - Stored in osticket/osticket

Description: As it is written on the GitHub profile, osTicket is a widely-used open source support ticket system. During source code research I discovered a bad uploaded-file type check, which is controlled by the user. An unauthenticated user can upload a malicious html/js file. From OWASP: Cross-Site Scriptin...

CVSS 5.8 | AI score 6 | EPSS 0.00712 | Exploits: 1

Huntr | added 2021/10/18 8:46 p.m.

Cross-site Scripting (XSS) - Reflected in admidio/admidio

Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept (PoC.js): Vuln Link --...

AI score 1.1 | Exploits: 0

Huntr | added 2021/10/18 4:45 p.m.

Inefficient Regular Expression Complexity in cfinke/typo.js

Description: I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in typo-js. It allows causing a denial of service when calling the function removeAffixComments.

Proof of Concept (PoC.js):
var Typo = require("typo-js");
var emptydict = new Typo();
for (var i = 1; i <= 50000; i++...

AI score 2.9 | Exploits: 0

Huntr | added 2021/10/18 2:14 p.m.

in appendium/flatpack

Description: flatpack is vulnerable to XML External Entity (XXE). An attacker that is able to provide a crafted XML file as input to the parse function in the MapParser.java file may be able to execute XML External Entities (XXE).

Proof of Concept: import java.io.File; import...

AI score 0.2 | Exploits: 0

Huntr | added 2021/10/18 12:19 p.m.

Heap-based Buffer Overflow in hoene/libmysofa

Description: System: Ubuntu 20.04. Build command:
cd libmysofa
mkdir build
cd build
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../
make all

Proof of Concept: https://drive.google.com/file/d/1JbQAECcj5-SDRZVUsRWiaBgJQZ0nMiK/view?usp=sharing repro...

AI score 0.6 | Exploits: 0

Huntr | added 2021/10/18 11:50 a.m.

Session Fixation in tsolucio/corebos

Description: I created a user with username test, then I logged in with test. At the same time, in another session, I deleted the user test as an admin. But the user test that had already logged in before the admin deleted it is able to do anything that he could do before. You should kick out the users after...

AI score 1.3 | Exploits: 0

Huntr | added 2021/10/18 11:38 a.m.

in tsolucio/corebos

Description: Just like my last report, there is another improper privilege management issue: the test user can see other users' special workflow contents like Tasks. Just go to this link, which belongs to admin, from another user's account...

AI score 2.7 | Exploits: 0

Huntr | added 2021/10/18 11:25 a.m.

Cross-Site Request Forgery (CSRF) in tsolucio/corebos

Description: There is one more low-level CSRF: switch a task of a workflow on/off.
history.pushState('', '', '/'); document.forms[0].submit();...

AI score 2.7 | Exploits: 0

Huntr | added 2021/10/18 11:16 a.m.

Cross-Site Request Forgery (CSRF) in tsolucio/corebos

Description: Hey Corebos team, an attacker is able to delete a workflow as there isn't any CSRF token for it.

PoC.html: history.pushState('', '', '/'); document.forms[0].submit();

After you open the PoC.html file, the workflow with id equal to 27 will be deleted...

AI score 1.7 | Exploits: 0

Huntr | added 2021/10/18 10:51 a.m.

Cross-site Scripting (XSS) - Reflected in tsolucio/corebos

Description: Reflected XSS via upload of a malicious SVG file.

Proof of Concept:
1: Upload an SVG file via /corebos/index.php?module=Documents&action=DetailView&viewname=0&start=&record=8460& with the payload:
alert(document.location);
2: Trigger the reflected XSS by visiting the malicious SVG file stored in the storage...

AI score 0.3 | Exploits: 0

Huntr | added 2021/10/18 6:50 a.m.

Cross-site Scripting (XSS) - Reflected in admidio/admidio

Description: I have reviewed your fix for double URL encoding here: https://github.com/Admidio/admidio/commit/6b3820a574dc5f52243fbaafdb7089560c99d949 But it can easily be bypassed by triple URL encoding. Note: apparently after applying the above fix from GitHub on the machine, I cannot use the...

AI score 6.4 | Exploits: 0

Huntr | added 2021/10/18 5:18 a.m.

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in tsolucio/corebos

Description: Session cookie is not marked with 'Secure'.

Proof of Concept: Login to the demo page http://demo.corebos.com/index.php?action=index&module=Home, open Firefox developer options - Storage - check the Secure option...

AI score 0.2 | Exploits: 0 | References: 1
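
A small Set-Cookie audit covering the three cookie-attribute reports on this page (pigeon and NamelessMC missing HttpOnly, coreBOS missing Secure), as an added example in Python; it is not code from any of those projects, and the sample headers are constructed. Without HttpOnly the session cookie is readable by injected script through document.cookie, which is how the NamelessMC report describes tokens being exfiltrated; without Secure the browser also sends it over plain HTTP.

```python
"""Flag session cookies missing HttpOnly / Secure / SameSite.

Added example (not pigeon, NamelessMC or coreBOS code); sample headers are
constructed to mirror what the reports describe.
"""


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str, served_over_https: bool = True):
    """Return (cookie name, list of findings); an empty list means it passed."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")          # readable via document.cookie
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure")            # sent over plaintext HTTP too
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")  # browsers drop it otherwise
    elif samesite not in ("lax", "strict", "none"):
        findings.append("missing SameSite")
    return name, findings


# Constructed sample: the reported shape, and a hardened equivalent.
SAMPLE_HEADERS = [
    "PHPSESSID=7f3a9c2e; Path=/",
    "PHPSESSID=7f3a9c2e; Path=/; HttpOnly; Secure; SameSite=Lax",
]


def audit_all(headers=SAMPLE_HEADERS):
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for name, findings in audit_all():
        print(name, findings or "ok")
```

Point it at the Set-Cookie headers of a login response; the first sample reproduces the finding in the reports, the second is what the same header should look like.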

Huntr | added 2021/10/18 4:56 a.m.

Cross-site Scripting (XSS) - Reflected in admidio/admidio

Description: Possible to perform reflected XSS by using double URL encoding when retrieving files.

Proof of Concept: Trigger XSS via...

AI score 0.9 | Exploits: 0
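
The pattern behind the two Admidio encoding reports above (double URL encoding bypasses the original filter; the fix for that is bypassed by triple encoding), as an added example in Python that is not Admidio's code: a filter that decodes once and then looks for dangerous characters is defeated by encoding the payload one layer deeper than it decodes, because some later component decodes again. The filter shape and payloads are assumptions. The hardened version canonicalises by decoding until the value stops changing (bounded), and checks that.

```python
"""Multi-layer URL encoding versus a decode-once filter.

Added example (not Admidio code). The filter and payloads are illustrative.
"""
from urllib.parse import quote, unquote

DANGEROUS = set('<>"\'')


def naive_filter(raw: str) -> bool:
    """Hypothetical 'fixed' check: decode once, then reject dangerous characters."""
    decoded = unquote(raw)
    return not (DANGEROUS & set(decoded))


def fully_decode(raw: str, max_rounds: int = 5) -> str:
    """Decode until a fixed point; refuse inputs that never settle."""
    current = raw
    for _ in range(max_rounds):
        nxt = unquote(current)
        if nxt == current:
            return current
        current = nxt
    raise ValueError("too many encoding layers")


def hardened_filter(raw: str) -> bool:
    """Reject if the fully decoded value is dangerous or the input never settles."""
    try:
        decoded = fully_decode(raw)
    except ValueError:
        return False
    return not (DANGEROUS & set(decoded))


def encode_n(payload: str, layers: int) -> str:
    """Percent-encode 'layers' times, as the bypasses in the reports do."""
    out = payload
    for _ in range(layers):
        out = quote(out, safe="")
    return out


if __name__ == "__main__":
    payload = "<svg onload=alert(1)>"
    print(naive_filter(encode_n(payload, 1)))     # False: caught
    print(naive_filter(encode_n(payload, 2)))     # True: bypass (double encoding)
    print(hardened_filter(encode_n(payload, 3)))  # False: triple encoding caught
```

The canonicalise-then-check approach is preferable to chasing each encoding depth with another special case, and the bound on rounds keeps an attacker from making the check itself expensive.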

Huntr | added 2021/10/17 11:48 p.m.

Open Redirect in forkcms/forkcms

Description: When a user who has access to the admin page and who is not logged in opens a page like http://forkcms.site/private/de/authentication?querystring=//google.de/ and the user enters their credentials, the user is redirected to https://google.de. When a user who has access to the admin page an...

AI score 0.4 | Exploits: 0 | References: 1
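
A post-login redirect check for the `querystring` pattern in the report above, as an added example in Python (not Fork CMS code; the `/private/` fallback is an assumption). The report's payload `//google.de/` is a scheme-relative URL: it begins with a slash, so a check that only asks "does it start with /" accepts it, yet the browser resolves it to an external host. The function therefore accepts only a single-slash local path, rejects backslashes (which browsers normalise to `//`), rejects control characters (header injection), and confirms with urlsplit that no scheme or host survived.

```python
"""Restrict a post-login redirect target to a local path.

Added example (not Fork CMS code); the fallback path is an assumed default.
"""
import re
from urllib.parse import urlsplit

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def safe_redirect_target(target, fallback: str = "/private/") -> str:
    """Return target if it is a same-site path, otherwise the fallback."""
    if not isinstance(target, str) or not target:
        return fallback
    if _CONTROL_CHARS.search(target):
        return fallback                 # CR/LF etc.: header injection attempts
    if "\\" in target:
        return fallback                 # browsers treat '/\host' like '//host'
    if not target.startswith("/") or target.startswith("//"):
        return fallback                 # absolute URL or scheme-relative URL
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return fallback                 # anything urlsplit still sees as external
    return target


if __name__ == "__main__":
    for t in ["//google.de/", "/\\google.de/", "https://google.de/",
              "javascript:alert(1)", "/private/de/pages?sort=asc#top"]:
        print(repr(t), "->", safe_redirect_target(t))
```

Call this on the value read from the request before issuing the Location header; the allow-listed result is the only thing that should reach the redirect.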

Huntr | added 2021/10/17 8:59 p.m.

Cross-site Scripting (XSS) - Stored in opensourcepos/opensourcepos

Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept (PoC.js):
1: Just go to https://demo.opensourcepos.org/messages
2: Send a payload in the phone number field.
3: You will get an...

AI score 6.3 | Exploits: 0

Huntr | added 2021/10/17 6:55 p.m.

Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms

Description: There exist multiple high-impact CSRFs through which an attacker can delete many parts of the application's contents. I provide the full list of CSRF-vulnerable endpoints for you. Because the number of endpoints is too many, I don't put the PoC.html of all of the vulnerable endpoints...

AI score 1.6 | Exploits: 0

Huntr | added 2021/10/17 4:35 p.m.

in chatwoot/chatwoot

Description: chatwoot failed to validate the original email when a user changes his/her email address in Profile Settings. An attacker may use the mechanism to forge an arbitrary email (especially in a trusted domain).

Proof of Concept: my original email is: [email protected], and I had confirmed it b...

AI score 2 | Exploits: 0

Huntr | added 2021/10/17 2:18 p.m.

Cross-site Scripting (XSS) - Reflected in admidio/admidio

Description: I am still able to reproduce the SVG-XSS vulnerability here https://huntr.dev/bounties/96221dff-0d40-4326-9a9e-f66608307980/ on my local system; I just downloaded the latest release on the website. I think you may have accidentally included SVG files in the whitelist.

Proof of Concept: POST...

AI score 5.9 | Exploits: 0