4057 matches found
Session Fixation in admidio/admidio
Description Admin creates a member-role user named B, then B logs in to Admidio. After user B has already logged into Admidio, Admin decides to delete all roles of user B, but user B can still do anything that he/she could do before...
in microweber/microweber
Description For comments, when the captcha is enabled, the attacker can send many spam comments with only the first correct captcha code; this means the attacker enters the captcha only once and can then reuse it many, many times and damage the availability of the system...
in microweber/microweber
Description I create a coupon for only one user that is also a one-time-use coupon, then create two users, and both of them can use the coupon, but only one of them should be able to use the coupon...
Session Fixation in microweber/microweber
Description If a user (not admin) is already logged into the system and then the admin deactivates the user, the user remains active until he/she logs into the system again...
in mruby/mruby
Description SEGV on mrb_ary_push Proof of Concept 1.times 0 0,o:0 = and 0 Result /asan/mruby/bin/mruby crash.rb AddressSanitizer:DEADLYSIGNAL ================================================================= ==68494==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 pc 0x560ae5baa377 ...
Cross-site Scripting (XSS) - Stored in openwhyd/openwhyd
Overview The openwhyd open-source application and openwhyd.org are vulnerable to a stored cross-site scripting vulnerability via user profiles. Malicious users can inject arbitrary javascript into the username setting on their profiles which, when visited by external users, would execute javascri...
in admidio/admidio
Description It is possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page: save the script as clickjacking.html and the page will render in iframes. Impact It is...
in zmister2016/mrdoc
Description Use of a Cryptographically Weak Pseudo-Random Number Generator (PRNG) in MrDoc allows an attacker to reset an arbitrary user's password. 1. /admin/sendemailvcode/: check email & generate email & send mail def sendemailvcoderequest: if request.method == 'POST': email = request.POST.get'email',No...
Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq
✍️ Description The persistent or stored XSS vulnerability is a more devastating variant of a cross-site scripting flaw; it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in thorsten/phpmyfaq
✍️ Description The secure flag is not set for the session cookie in the application. Proof of Concept Check this for POC: Image Impact If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie...
in zmister2016/mrdoc
Description When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. Proof of Concept https://github.com/zmister2016/MrDoc/blob/master/appadmin/views.py#L985 # Regular user changes password @login_required @logger.catch def...
in zmister2016/mrdoc
Description ● Arbitrary file upload at /uploaddocimg/ ● An attacker could abuse this vuln ○ For an html file, could do phishing ○ For a py file, may lead to Remote Code Execution (by overwriting the existing Django py files, not proved yet) Proof of Concept Arbitrary file upload, HTML for instance POST...
Server-Side Request Forgery (SSRF) in zmister2016/mrdoc
Description ● SSRF in /uploaddocimg/: an attacker could abuse the url parameter to visit any intranet host in the environment of the MrDoc server, breaking the network border. ● Depending on the environment, it could leak sensitive metadata, according to...
in mruby/mruby
Description Please enter a description of the vulnerability. Proof of Concept super super Result /asan/mruby/bin/mruby /crash.rb AddressSanitizer:DEADLYSIGNAL ================================================================= ==18265==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
Description More CSRF endpoints in delete webhooks Proof of Concept /index.php?route=/panel/core/hooks/&action=delete&id=2 Impact This vulnerability is capable of tricking admin users into deleting webhooks...
Inefficient Regular Expression Complexity in stylelint/stylelint
Description I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in stylelint. It allows causing a denial of service when calling the function isKeyframeSelector. Proof of Concept // PoC.js var isKeyframeSelector = require("stylelint/lib/utils/isKeyframeSelector"); for (var i ...
in robotichead/nearbeach
Description Sensitive data on the application can be exposed after the user logs out. Proof of Concept 1. Log in to the application https://demo.nearbeach.app/ 2. Go to a page like My Account, or any other page 3. Click logout 4. Click the browser back button Impact When a user logs out without closing the...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Description The kevinpapst/kimai delete functionality is vulnerable to a cross-site request forgery (CSRF) attack. Proof of Concept // PoC.js 1. Log in to the admin account at https://www.kimai.org/demo/ 2. Go to invoice -- go down to preview invoices -- click save all; it will redirect to this page -...
Cross-Site Request Forgery (CSRF) in pkp/ojs
Description No CSRF token in the DataCite plugin's save settings (OJS only). POC: document.forms[0].submit(); Impact This vulnerability is capable of tricking admins into changing settings for the OJS DataCite plugin...
Cross-Site Request Forgery (CSRF) in pkp/pkp-lib
Description No CSRF in upload profile too: /index.php/e/$$$call$$$/tab/user/profile-tab/upload-profile-image. More endpoints: Reordering data: /index.php/e/$$$call$$$/grid/settings/submission-checklist/submission-checklist-grid/save-sequence...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description Hi, by continuing to look at the project I was able to find a new stored XSS. Although it seems to be filtered in some parts of the site, when sending a photo as a greeting card, it is possible to include an arbitrary payload in the text field, leading to a stored XSS. From OWASP:...
SQL Injection in ampache/ampache
Description The application does not validate and escape the client parameter before using it in a SQL statement in the getbookmark function in the Repository/Model/Bookmark.php file, leading to a SQL Injection. The function named getbookmark is called by 3 functions: bookmarkcreate, bookmarkedit an...
Sensitive Cookie Without 'HttpOnly' Flag in craigk5n/webcalendar
✍️ Description The HttpOnly attribute is not set for session cookies in the application 💥 Impact When a cookie doesn't have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session cookies that can make it easier to...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in craigk5n/webcalendar
Description The session cookie is not marked with 'Secure'. Proof of Concept Log in to the demo page http://webcalendar.sourceforge.net/demo/ Open Firefox developer options - Storage - check the Secure column...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in frontaccountingerp/fa
✍️ Description The secure flag is not set for the session cookie "PHPSESSID" in the application. Proof of Concept Check this for POC: Image Impact If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description Hello, looking at your project, I saw in the commits several anti-CSRF token additions but also a commit to not allow SVG file upload. However, a blacklist in general is a bad idea; for example php, php3, ... are blocked but it is always possible to send a .php7 or .phps file ... Among...
in forkcms/forkcms
Description Insufficient session expiration even after a credential such as the account password is updated. Proof of Concept Open the same account in multiple browsers. Change the password in one browser. Reload the other one. As a result we can see the account in the other browser is not...
Cross-site Scripting (XSS) - Stored in ampache/ampache
Description Ampache has a stored XSS in View Existing User; an attacker could exploit it with the Website attribute to steal other users' cookies. Proof of Concept 1. Visit http://ampache//index.phppreferences.php?tab=account and set the Website attribute to: foo" onmouseover=alert(document.cookie) ...
Cross-Site Request Forgery (CSRF) in pkp/omp
✍️ Description An attacker or malicious user is able to delete any user's profile photo if a logged-in user visits the attacker's website, because of a lack of CSRF token. 🕵️♂️ Proof of Concept 1. When you are logged in, open this POC.html in a browser 2. You can check that your profile photo was unintentionally deleted...
in namelessmc/nameless
Description Nameless is vulnerable to clickjacking because it does not have the X-Frame-Options header set to DENY or SAMEORIGIN (only the nginx proxy has it). This header is important because it prevents other websites from iframing the website. If the website can be iframed, then the attacker can hos...
SQL Injection in flatcore/flatcore-cms
Pre-Auth SQL injection Description flatCore-CMS is vulnerable to a variable-overwrite vulnerability, leading to a pre-auth SQL injection in index.php. Source code 1 at index.php#L41 (php): $fcprefs = fcgetpreferences(); $languagePack = $fcprefs['prefsdefaultlanguage']; $_SESSION['fcadminhelpers'] = array(); ...
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in mineweb/minewebcms
Description Hello, in the password reset it is possible to perform a Host Header Injection, so the victim will receive an email pointing to a third-party site. By clicking, the attacker will be able to retrieve the victim's account reset token and use it to access his account. From PortSwigger:...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
Description More instances of CSRF Proof of Concept /index.php?route=/panel/users/reports/&action=close&id=1 /index.php?route=/panel/users/reports/&action=open&id=1 /index.php?route=/panel/core/emails/errors/&do=delete&id=2 /index.php?route=/panel/core/emails/errors/&do=purge...
in flatcore/flatcore-cms
Description The cookie before and after user login doesn't change. Proof of Concept // PoC 1. Load the website in a new browser 2. Get the cookie before login 3. Log in to the website 4. Get the cookie after login. Compare those 2 values. Impact Through other attack methods such as XSS, the attacker can store the...
in flatcore/flatcore-cms
Description Use of the incorrect operators == and != for pagepsw Proof of Concept If my actual page password is 240610708 then an attacker can key in QLTHNDT because: md5('240610708') = 0e462097431906509019562988736854 md5('QLTHNDT') = 0e405967825401955372549139051580 And PHP will evaluate...
Session Fixation in bytebase/bytebase
Description If the admin decides to deactivate a user and the user was already logged into the system before, then as long as the user remains in the current session he/she can do anything that he/she could do before...
Cross-Site Request Forgery (CSRF) in bytebase/bytebase
Description All parts of the application that use the POST HTTP method to change or create data are vulnerable to CSRF attacks; for example, the PATCH methods are not vulnerable. I will show just a create-a-member POC for you, and if you want to see other POCs for other endpoints, just tell me and I will provide them too ...
in flatcore/flatcore-cms
Title: race condition vs Temporary File Upload Description flatCore-CMS is vulnerable to a race condition while handling gallery uploads. Code at https://github.com/flatCore/flatCore-CMS/blob/main/acp/core/files.uploadgallery.php#L31 (php): if (array_key_exists('file', $_FILES) && $_FILES['file']['error'] == 0...
Code Injection in flatcore/flatcore-cms
Description Another code injection payload in linkname. Proof of Concept Insert into linkname: $(sleep 10) Go to http://FLATCORE-IP/flatCore-CMS/content/cache/cachelastedit.php and see that the page stalls for 10 seconds. $( escapes the string and switches context to OS commands. Impact Blind RCE a...
in mostafa-samir/zip-local
Description zip-local is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). Proof of Concept // PoC.js var zipper = require('zip-local'); zipper.unzip("zipslip.zip", function(error, unzipped) { if (!error) { // extract to the current working directory unzipped.save(null, function() { }); } }); var...
in star7th/showdoc
Firstly, I would say to the dev: your application Showdoc is good to use, and I will keep an eye on it, continuously improving its safety. Then, I would also thank the staff at huntr.dev; your quick response impressed me a lot. Good to work with you enthusiastic people. Description ...
Heap-based Buffer Overflow in hoene/libmysofa
Description System: ubuntu 20.04. Build command: cd libmysofa; mkdir build; cd build; CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../; make all. Repro: ./mysofa2json -c ./libmyfofamysofacheck Proof of Concept...
Cross-site Scripting (XSS) - Reflected in dmpop/mejiro
Description From OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script...
in star7th/showdoc
Description - CWE: CWE-288: Authentication Bypass Using an Alternate Path or Channel - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L, CVSS Score: 8.3 (High) - Credit: Qianxin, Network Security Department, Product-Safety Team, Unc1e In showdoc, there is an SSO process; DOC is shown in...
in fisharebest/webtrees
Description In fix commit https://github.com/fisharebest/webtrees/commit/fc904122e0c1b55f274bc4c8cd883c266176e34e, the fix was to set the CSP script-src for HTML files to none. Webtrees by default has X-Frame-Options headers to prevent clickjacking, but since it is X-Frame-Options: SAMEORIGIN, it is...
Cross-site Scripting (XSS) - Reflected in mariotti94/webrisc-v
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execut...
Cross-Site Request Forgery (CSRF) in jspark311/buriedunderthenoisefloor
Description Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. With a little help from social engineering, such as sending a link via email or chat, an attacker may trick the users of a web...
Cross-site Scripting (XSS) - Stored in jspark311/buriedunderthenoisefloor
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execut...
in jspark311/buriedunderthenoisefloor
Description Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. https://github.com/jspark311/BuriedUnderTheNoiseFloor/ is vulnerable to remo...
Cross-site Scripting (XSS) - Reflected in jspark311/buriedunderthenoisefloor
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execut...