4072 matches found
Session Fixation in bytebase/bytebase
Description If admin deciding to deactivate a user and the user already logged in the system before then until user remain in the current session he/she can do anything that can do them before...
Cross-Site Request Forgery (CSRF) in bytebase/bytebase
Description all part of application That use POST http method to change or create data are vulnerable to CSRF attacks. for example the PATCH methods are not vulnerable I will show just create a member POC for you and if you want to see other POCs of other endpoint just say me to provide them too ...
in flatcore/flatcore-cms
Title: race condition vs Temporary File Upload Description flatCore-CMS is vulnerable to Race condition while dealing uploading gallery Codes at https://github.com/flatCore/flatCore-CMS/blob/main/acp/core/files.uploadgallery.phpL31 php ifarraykeyexists'file',$FILES && $FILES'file''error' == 0...
Code Injection in flatcore/flatcore-cms
Description Another code injection payload in linkname. Proof of Concept Insert into linkname $sleep 10 Go to http://FLATCORE-IP/flatCore-CMS/content/cache/cachelastedit.php and see that the page has stopped for 10 seconds. $ escapes the string, switches context to OS commands. Impact Blind RCE a...
in mostafa-samir/zip-local
Description zip-local is vulnerable to Arbitrary File Write via Archive Extraction Zip Slip. Proof of Concept // PoC.js var zipper = require'zip-local'; zipper.unzip"zipslip.zip", functionerror, unzipped if!error // extract to the current working directory unzipped.savenull, function ; var...
in star7th/showdoc
Firstly, I would say to the dev, your application Showdoc is good to use, and I will keep an eye on it, continuously improving the safety of it. Then, I would also thank the staff in huntr.dev, your quick response impressed me a lot. Good to work with you enthusiastic people. Description ...
Heap-based Buffer Overflow in hoene/libmysofa
Description system : ubuntu 20.04 build command cd libmysofa mkdir build cd build CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../ make all repro ./mysofa2json -c ./libmyfofamysofacheck Proof of Concept...
Cross-site Scripting (XSS) - Reflected in dmpop/mejiro
Description From OWASP : : Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script...
in star7th/showdoc
Description - CWE: CWE-288:Authentication Bypass Using an Alternate Path or Channel - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L , CVSS Score: 8.3High - Credit:Qianxin, Network Security Department, Product-Safety Team Unc1e In showdoc, there is a SSO process , DOC is shown in...
in fisharebest/webtrees
Description In fix commit https://github.com/fisharebest/webtrees/commit/fc904122e0c1b55f274bc4c8cd883c266176e34e, the fix was to set CSP to script-src in HTML files to none. Webtrees by default has X-Frame-Options headers to prevent clickjacking, but since X-Frame-Options: SAMEORIGIN, it is...
Cross-site Scripting (XSS) - Reflected in mariotti94/webrisc-v
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Cross-Site Request Forgery (CSRF) in jspark311/buriedunderthenoisefloor
Description Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering such as sending a link via email or chat, an attacker may trick the users of a web...
Cross-site Scripting (XSS) - Stored in jspark311/buriedunderthenoisefloor
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
in jspark311/buriedunderthenoisefloor
Description Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. https://github.com/jspark311/BuriedUnderTheNoiseFloor/ is vulnerable to remo...
Cross-site Scripting (XSS) - Reflected in jspark311/buriedunderthenoisefloor
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
in publify/publify
Description There is not Rate limit protection bypass sent unlimited email victim who have account email address. Proof of Concept There is no rate limit users/password, attacker to send unlimited email who have account victim email address. POST /users/password HTTP/1.1 Host:...
in dompdf/dompdf
Description Improper restriction of external entities XXE in DomPDF's SVG parser allows it to perform an SSRF even if isRemoteEnabled set to false or even cause a deserialization attack in the SVG parser this time. Proof of Concept Payload 1 - SSRF only allowurlfopen required This embeds Google...
in flatcore/flatcore-cms
Description Even with $fcuploadaddons = false, an attacker can still upload files by making the post request Proof of Concept 1 Enable $fcuploadaddons = true. 2 Upload a PHP file, but do not send. 3 Disable $fcuploadaddons = true. 4 Send the file upload request. See that the file is still being...
Cross-site Scripting (XSS) - Stored in leantime/leantime
Description Multiple Stored XSS on featuers 'Milestones' , 'Research', 'Retrospective' at Leantime 2.1.8 Proof of Concept // PoC.req POST /leantime/public/tickets/editMilestone/ HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:94.0 Gecko/20100101 Firefox/94.0...
in stanfordnlp/corenlp
Description The Stanford CoreNLP package provides a set of natural language analysis tools written in Java, is using a vulnerable XML External Entity XXE. An attacker that is able to provide a crafted XML file as input to the readDocument function in the "DomReader.java" file may allow an attacke...
Cross-Site Request Forgery (CSRF) in pimcore/demo
Description Pimcore is vulnerable to Cross-site request forgery. It is possible to add arbitrary products to the victim's cart. Proof of Concept 1: Open https://demo.pimcore.fun/en/cart/add-to-cart?id=12 on a browser. 2: Check out the cart with Jaguar E-Type product. Impact Attackers might fool...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in siwapp/siwapp
Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/1IOglL2LBh8CnvJUI0tRJw2wCJ8ugnws/view Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The...
Cross-site Scripting (XSS) - Stored in siwapp/siwapp
Description Stored Cross-Site Scripting XSS vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then, the vulnerability can be triggered when the user previews the document´s content. Proof ...
in flatcore/flatcore-cms
Description Attackers can trick admin users into performing actions because there is no X-Frame-Options: DENY header set by the application. This header is important because it prevents other websites from Iframing the website. If the website can be iframed, then the attacker can host a malicious...
Path Traversal in yuda-lyu/w-zip
Description w-zip is vulnerable to Arbitrary File Write via Archive Extraction Zip Slip. Proof of Concept // PoC.js var wz = require'w-zip'; let fpUnzip = './testData/outputZip' let fpUnzipExtract = fpUnzip + '/extract' let fpZip1 = fpUnzip + '/zipslip.zip' async function checkzipslip //unzip...
Code Injection in flatcore/flatcore-cms
Description Bypass of remote code execution in https://github.com/flatCore/flatCore-CMS/issues/59 The following payload uses . for concatenation and to execute system commands. Proof of Concept 1 Insert the following as Permalink value lol".whoamipwned.txt." 2 Go to...
Cross-Site Request Forgery (CSRF) in flatcore/flatcore-cms
Description 1 Missing CSRF token in delete posts and delete folder in the frontend 2 Missing backend CSRF validation in 1 removing and enabling fix status and 2 deleting posts, and 3 delete folder and 4 delexclude in the indexing page see Permalinks 3 Delete cache Proof of Concept Open in...
Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description Multiple Stored XSS at parameter 'name' when creating a record at features 'Custom Fields', 'Asset Models', 'Suppliers', 'Locations', at Snipe-It 5.2.0 Proof of Concept // PoC.req POST /snipe-it/public/fields HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X...
in bytebase/bytebase
Description it can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page save the script as clickjacking .html and page will render in iframes Impact it is...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in bytebase/bytebase
Description Session cookie is not marked with 'Secure' Proof of Concept Login to demo page https://demo.bytebase.com/ Open Firefox developer option - storage - check secure option Below link shows POC https://i.ibb.co/DLG1pyt/Screenshot-48.png...
Improper Authorization in publify/publify
Description I found an IDOR in publify But I don't know this is intended or not ? If we assume that admins or publishers want to upload a media file and don't want to publish it and keep it private until the publish date there is a IDOR vulnerability here. for example I upload a .gif file and thi...
Improper Authorization in collectiveaccess/pawtucket2
Description Users without any readaccess to a lightbox can still view its contents via incrementing the id Proof of Concept ... http://10.0.2.15/pawtucket/index.php/Lightbox/Present/setid/1 http://10.0.2.15/pawtucket/index.php/Lightbox/Present/setid/2...
Cross-Site Request Forgery (CSRF) in collectiveaccess/providence
Description More AJAX endpoints vulnerable to CSRF. 1: GET http://10.0.2.15/providence/index.php/find/BrowseObjects/createSetFromResult 2: POST http://10.0.2.15/providence/index.php/find/SearchObjects/saveResultsEditorData Proof of Concept 1:...
Heap-based Buffer Overflow in timetoogo/ff-proxy
Description Heap based buffer overflow in ffclientsendrequest. Can be triggered if the buffer size is more than FFCLIENTMAXPACKETLENGTH Proof of Concept z3phyr@ubuntu:/ff-proxy$ lsbrelease -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04.3 LTS Release: 20.04...
Cross-site Scripting (XSS) - Reflected in pkp/omp
✍️ Description i was able to perform a Reflected XSS against your website/repository. The Reflected XSS vulnerability occurs when the data provided by the attacker is not sanitized by the server, and then reflected "normal" pages returned to other users in the course of regular browsing. Proof of...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
Description Several endpoints are vulnerable to CSRF 1: module install /index.php?route=/panel/core/modules/&action=install 2: clear template cache /index.php?route=/panel/core/paneltemplates/&action=clearcache 3: install templates, activate template, deactivate template, delete template,...
in pixelfed/pixelfed
Description: There is no rate limit sent unlimited email victim or any email address. Proof of Concept: There is no rate limit return-password , attacker to send unlimited email to victim or any email address. Impact: Attacker can sent unlimited email to any mail address . Solution: Add 'throttle...
in thedevdojo/wave
Description: There is no rate limit sent unlimited email victim or any email address. Proof of Concept: There is no rate limit return-password , attacker to send unlimited email to victim or any email address. Impact: Attacker can sent unlimited email to any mail address . Solution: Add 'throttle...
in attendize/attendize
Description: There is no rate limit sent unlimited email victim or any email address. Proof of Concept: There is no rate limit return-password , attacker to send unlimited email to victim or any email address. Impact: Attacker can sent unlimited email to any mail address . Solution: Add 'throttle...
in bookstackapp/bookstack
Description The dompdf chroot option in Bookstack App is set to basepath, which is the Laravel root folder /var/www/bookstack. An attacker can hence load any image file in the Laravel folder /var/www/bookstack or its subdirectories via PDF exports. Proof of Concept 1: Place an image file in...
Cross-Site Request Forgery (CSRF) in publify/publify
Description An attacker is able to craft an URL with special parameters, what contains the theme switching command. Upon sending the malicious link to a logged-in administrator, the theme is being changed. Proof of Concept With an admin user, simply open the following URL please replace the...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description There is a CSRF vulnerability on Empty Inbox in Private Messages inbox. Proof of Concept //POC.html history.pushState'', '', '/'...
in fisharebest/webtrees
Description The program allows to upload files with dangerous file types in the media upload section, leading to XSS and other exploits like shell uploads, HTML injection leading to Social Engineering attacks, etc ..., I have demonstrated HTML file upload leading to XSS here. Proof of Concept mov...
in squell/id3
Description Hello, I hope you're doing well. Whilst testing id3 built from commit 896d42a, we discovered crafted input which triggers a negative-size-param size=-1 error when when calling memcpy, causing the software to crash. Proof of Concept First... Second... echo...
in publify/publify
Description publify does not use secure Cache-Control headers. Proof of Concept 1: Login to application 2: click on admin link https://demo-publify.herokuapp.com/admin 3: Logout 4: Press the back button of the opened tab to still see that you can view the information . Impact This issue is capabl...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in publify/publify
Description Session cookie publifyblogsession is not marked with 'Secure' Proof of Concept Login to demo page https://demo-publify.herokuapp.com/ Open Firefox developer option - storage - check secure option Below link shows POC https://i.ibb.co/j3K5YDg/Screenshot-45.png...
Cross-site Scripting (XSS) - Stored in fisharebest/webtrees
Description Stored XSS via upload file .svg allows for arbitrary execution of JavaScript Proof of Concept // PoC.req POST /demo-dev/tree/demo/add-media-file/X9222 HTTP/2 Host: dev.webtrees.net Cookie: Secure-WT-ID=63trarcpiic93psog3t8okts4h User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15;...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description Stored XSS via upload file .svg allows for arbitrary execution of JavaScript Proof of Concept // PoC.req POST /demoen/admprogram/system/fileupload.php?module=documentsfiles&mode=uploadfiles&id=1 HTTP/2 Host: www.admidio.org Cookie:...
Cross-Site Request Forgery (CSRF) in i-love-flamingo/flamingo-commerce
Description CSRF in cart related endpoints. This include: - Adding items to cart - Clean cart - Delete item from cart - Update cart This happens because the system use GET request for these actions and thus allows CSRF attacks. Proof of Concept 1. Access this link in a browser...
Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms
Description Cross site request forgery in Kunstmaan/KunstmaanBundlesCMS Proof of Concept 1. Delete function in "redirects" feature -- vulnarebility is in parameter id document.forms0.submit; Impact In a successful CSRF attack, the attacker causes the victim user to carry out an action...