4057 matches found
in publify/publify
Description There is no rate limit protection; an attacker can send unlimited emails to a victim who has an account with that email address. Proof of Concept There is no rate limit on users/password, so an attacker can send unlimited emails to a victim who has an account. POST /users/password HTTP/1.1 Host:...
in dompdf/dompdf
Description Improper restriction of external entities (XXE) in DomPDF's SVG parser allows it to perform an SSRF even if isRemoteEnabled is set to false, or even cause a deserialization attack in the SVG parser this time. Proof of Concept Payload 1 - SSRF only (allow_url_fopen required) This embeds Google...
in flatcore/flatcore-cms
Description Even with $fcuploadaddons = false, an attacker can still upload files by making the POST request. Proof of Concept 1 Enable $fcuploadaddons = true. 2 Upload a PHP file, but do not send. 3 Disable $fcuploadaddons = true. 4 Send the file upload request. See that the file is still being...
Cross-site Scripting (XSS) - Stored in leantime/leantime
Description Multiple Stored XSS on features 'Milestones', 'Research', 'Retrospective' at Leantime 2.1.8 Proof of Concept // PoC.req POST /leantime/public/tickets/editMilestone/ HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0...
in stanfordnlp/corenlp
Description The Stanford CoreNLP package provides a set of natural language analysis tools written in Java, and is affected by an XML External Entity (XXE) vulnerability. An attacker that is able to provide a crafted XML file as input to the readDocument function in the "DomReader.java" file may allow an attacke...
Cross-Site Request Forgery (CSRF) in pimcore/demo
Description Pimcore is vulnerable to Cross-site request forgery. It is possible to add arbitrary products to the victim's cart. Proof of Concept 1: Open https://demo.pimcore.fun/en/cart/add-to-cart?id=12 in a browser. 2: Check out the cart with the Jaguar E-Type product. Impact Attackers might fool...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in siwapp/siwapp
Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/1IOglL2LBh8CnvJUI0tRJw2wCJ8ugnws/view Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The...
Cross-site Scripting (XSS) - Stored in siwapp/siwapp
Description Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then, the vulnerability can be triggered when the user previews the document's content. Proof ...
in flatcore/flatcore-cms
Description Attackers can trick admin users into performing actions because there is no X-Frame-Options: DENY header set by the application. This header is important because it prevents other websites from iframing the website. If the website can be iframed, then the attacker can host a malicious...
Path Traversal in yuda-lyu/w-zip
Description w-zip is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). Proof of Concept // PoC.js var wz = require('w-zip'); let fpUnzip = './testData/outputZip' let fpUnzipExtract = fpUnzip + '/extract' let fpZip1 = fpUnzip + '/zipslip.zip' async function checkzipslip() //unzip...
Code Injection in flatcore/flatcore-cms
Description Bypass of remote code execution in https://github.com/flatCore/flatCore-CMS/issues/59 The following payload uses . for concatenation and to execute system commands. Proof of Concept 1 Insert the following as Permalink value lol".whoamipwned.txt." 2 Go to...
Cross-Site Request Forgery (CSRF) in flatcore/flatcore-cms
Description 1 Missing CSRF token in delete posts and delete folder in the frontend 2 Missing backend CSRF validation in (1) removing and enabling fix status, (2) deleting posts, (3) deleting folders and (4) delexclude in the indexing page (see Permalinks) 3 Delete cache Proof of Concept Open in...
Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description Multiple Stored XSS at parameter 'name' when creating a record at features 'Custom Fields', 'Asset Models', 'Suppliers', 'Locations', at Snipe-It 5.2.0 Proof of Concept // PoC.req POST /snipe-it/public/fields HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X...
in bytebase/bytebase
Description It is possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page: save the script as clickjacking.html and the page will render in iframes. Impact It is...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in bytebase/bytebase
Description Session cookie is not marked with 'Secure' Proof of Concept Login to demo page https://demo.bytebase.com/ Open Firefox developer option - storage - check secure option Below link shows POC https://i.ibb.co/DLG1pyt/Screenshot-48.png...
Improper Authorization in publify/publify
Description I found an IDOR in publify, but I don't know whether this is intended or not. If we assume that admins or publishers want to upload a media file and don't want to publish it and keep it private until the publish date, there is an IDOR vulnerability here. For example, I upload a .gif file and thi...
Improper Authorization in collectiveaccess/pawtucket2
Description Users without any read access to a lightbox can still view its contents via incrementing the id Proof of Concept ... http://10.0.2.15/pawtucket/index.php/Lightbox/Present/setid/1 http://10.0.2.15/pawtucket/index.php/Lightbox/Present/setid/2...
Cross-Site Request Forgery (CSRF) in collectiveaccess/providence
Description More AJAX endpoints vulnerable to CSRF. 1: GET http://10.0.2.15/providence/index.php/find/BrowseObjects/createSetFromResult 2: POST http://10.0.2.15/providence/index.php/find/SearchObjects/saveResultsEditorData Proof of Concept 1:...
Heap-based Buffer Overflow in timetoogo/ff-proxy
Description Heap-based buffer overflow in ffclientsendrequest. Can be triggered if the buffer size is more than FFCLIENTMAXPACKETLENGTH Proof of Concept z3phyr@ubuntu:/ff-proxy$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04.3 LTS Release: 20.04...
Cross-site Scripting (XSS) - Reflected in pkp/omp
Description I was able to perform a Reflected XSS against your website/repository. The Reflected XSS vulnerability occurs when the data provided by the attacker is not sanitized by the server, and is then reflected in "normal" pages returned to other users in the course of regular browsing. Proof of...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
Description Several endpoints are vulnerable to CSRF 1: module install /index.php?route=/panel/core/modules/&action=install 2: clear template cache /index.php?route=/panel/core/paneltemplates/&action=clearcache 3: install templates, activate template, deactivate template, delete template,...
in pixelfed/pixelfed
Description: There is no rate limit; an attacker can send unlimited emails to the victim or any email address. Proof of Concept: There is no rate limit on return-password, so an attacker can send unlimited emails to the victim or any email address. Impact: An attacker can send unlimited emails to any mail address. Solution: Add 'throttle...
in thedevdojo/wave
Description: There is no rate limit; an attacker can send unlimited emails to the victim or any email address. Proof of Concept: There is no rate limit on return-password, so an attacker can send unlimited emails to the victim or any email address. Impact: An attacker can send unlimited emails to any mail address. Solution: Add 'throttle...
in attendize/attendize
Description: There is no rate limit; an attacker can send unlimited emails to the victim or any email address. Proof of Concept: There is no rate limit on return-password, so an attacker can send unlimited emails to the victim or any email address. Impact: An attacker can send unlimited emails to any mail address. Solution: Add 'throttle...
in bookstackapp/bookstack
Description The dompdf chroot option in Bookstack App is set to basepath, which is the Laravel root folder /var/www/bookstack. An attacker can hence load any image file in the Laravel folder /var/www/bookstack or its subdirectories via PDF exports. Proof of Concept 1: Place an image file in...
Cross-Site Request Forgery (CSRF) in publify/publify
Description An attacker is able to craft a URL with special parameters that contains the theme switching command. Upon sending the malicious link to a logged-in administrator, the theme is changed. Proof of Concept With an admin user, simply open the following URL (please replace the...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description There is a CSRF vulnerability on Empty Inbox in the Private Messages inbox. Proof of Concept //POC.html history.pushState('', '', '/')...
in fisharebest/webtrees
Description The program allows uploading files with dangerous file types in the media upload section, leading to XSS and other exploits like shell uploads, HTML injection leading to Social Engineering attacks, etc. I have demonstrated HTML file upload leading to XSS here. Proof of Concept mov...
in squell/id3
Description Hello, I hope you're doing well. Whilst testing id3 built from commit 896d42a, we discovered crafted input which triggers a negative-size-param (size=-1) error when calling memcpy, causing the software to crash. Proof of Concept First... Second... echo...
in publify/publify
Description publify does not use secure Cache-Control headers. Proof of Concept 1: Log in to the application 2: Click on the admin link https://demo-publify.herokuapp.com/admin 3: Log out 4: Press the back button of the opened tab to see that you can still view the information. Impact This issue is capabl...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in publify/publify
Description Session cookie publifyblogsession is not marked with 'Secure' Proof of Concept Login to demo page https://demo-publify.herokuapp.com/ Open Firefox developer option - storage - check secure option Below link shows POC https://i.ibb.co/j3K5YDg/Screenshot-45.png...
Cross-site Scripting (XSS) - Stored in fisharebest/webtrees
Description Stored XSS via upload file .svg allows for arbitrary execution of JavaScript Proof of Concept // PoC.req POST /demo-dev/tree/demo/add-media-file/X9222 HTTP/2 Host: dev.webtrees.net Cookie: Secure-WT-ID=63trarcpiic93psog3t8okts4h User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15;...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description Stored XSS via upload file .svg allows for arbitrary execution of JavaScript Proof of Concept // PoC.req POST /demoen/admprogram/system/fileupload.php?module=documentsfiles&mode=uploadfiles&id=1 HTTP/2 Host: www.admidio.org Cookie:...
Cross-Site Request Forgery (CSRF) in i-love-flamingo/flamingo-commerce
Description CSRF in cart-related endpoints. This includes: - Adding items to cart - Clean cart - Delete item from cart - Update cart This happens because the system uses GET requests for these actions and thus allows CSRF attacks. Proof of Concept 1. Access this link in a browser...
Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms
Description Cross-site request forgery in Kunstmaan/KunstmaanBundlesCMS Proof of Concept 1. Delete function in "redirects" feature -- vulnerability is in parameter id document.forms[0].submit(); Impact In a successful CSRF attack, the attacker causes the victim user to carry out an action...
in mruby/mruby
Description NULL Pointer Dereference in mrb_full_gc Proof of Concept // PoC.js def lambda = super lambda = @a ... ; lambda Result /asan/mruby/bin/mruby crash.rb AddressSanitizer:DEADLYSIGNAL ================================================================= ==354==ERROR: AddressSanitizer: SEGV on...
in bookstackapp/bookstack
Description Bookstack does not use secure Cache-Control headers. Proof of Concept 1: Log in to the application 2: View a shelf 3: Log out 4: Press the back button of the opened tab to see that you can still view the information about the books on the previous page of your shelf. Impact This issue is capable of...
in atmosphere/atmosphere
Description Atmosphere is vulnerable to SSRF (Server Side Request Forgery) via XML External Entity (XXE). An attacker that is able to provide a crafted XML file as input to the WebDotXmlReader constructor in the "WebDotXmlReader.java" file may allow an attacker to execute XML External Entities XX...
Sensitive Cookie Without 'HttpOnly' Flag in pkp/ojs
Description The HttpOnly attribute is not set for the session cookie "OJSSID" in the application. Proof of Concept Check this for POC: Image Impact When a cookie doesn't have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description Hello, there is another CSRF vulnerability in your nice application on the following endpoint: /sales/deleteitem/saleid...
in snipe/snipe-it
Description There is no rate limit; an attacker can send unlimited emails to the victim or any email address. Proof of Concept There is no rate limit on return-password, so an attacker can send unlimited emails to the victim or any email address. POST /password/email HTTP/1.1 Host: demo.snipeitapp.com Connection: close Content-Length: ...
Heap-based Buffer Overflow in vim/vim
Description Whilst testing vim built from commit be01090 with Clang 12 + ASan on Ubuntu 18.04, we discovered crafted input which triggers a bug in how vim draws information on the screen, causing a heap-buffer-overflow, WRITE of size 5 to occur. Proof of Concept The disclosed POC is trimmed down ...
Path Traversal in bookstackapp/bookstack
Description A path traversal vulnerability in BookStack's export function allows for the exposure of sensitive files in the local or localsecure Laravel filesystems. Proof of Concept 1: Write the following in a new page: 2: Export in contained HTML to find the .htaccess file base64 encoded 3: If the...
Session Fixation in pheditor/pheditor
Description Session Fixation vulnerability found in pheditor, which doesn't expire sessions after a password update. Proof of Concept // PoC 1. Open a normal tab and one private tab 2. Open pheditor in both of them and log in as a user 3. From the private tab change the user password and log...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in kevinpapst/kimai2
Description Session cookie dancer.session is not marked with 'Secure' Proof of Concept Login to demo page https://demo-stable.kimai.org/en/dashboard/, Open Firefox developer option - storage - check secure option...
Cross-Site Request Forgery (CSRF) in pkp/pkp-lib
Description Higher severity CSRF in PKP-LIB plugins: ImportExport is vulnerable to CSRF in file uploads and file imports; an attacker can import arbitrary users into the platform. 1: POST /index.php/e/management/importexport/plugin/UserImportExportPlugin/uploadImportXML 2: GET...
Improper Access Control in cortezaproject/corteza-server
Hi, old unused password reset tokens do not expire after the new one is used. Suppose I am an attacker and I got access to the recovery email option of the victim's account. I logged in to the victim's recovery email, suppose that is [email protected]. Then I used the forgot password option. I will get o...
in cortezaproject/corteza-server
Description There is no rate limit; an attacker can send unlimited emails to the victim or any email address. Proof of Concept There is no rate limit on return-password, so an attacker can send unlimited emails to the victim or any email address. POST /auth/request-password-reset HTTP/1.1 Host:...
Heap-based Buffer Overflow in hoene/libmysofa
Description system: ubuntu 20.04; build command: cd libmysofa; mkdir build; cd build; CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../; make all; run cmd: ./mysofa2json -c ./heapoobreadmemcpy and ./mysofa2json -c ./heapoobread Proof of Concept poc 1 :...
in craigk5n/webcalendar
Description It is possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page: save the script as clickjacking.html and the page will render in iframes...