4072 matches found
in mruby/mruby
Description NULL Pointer Dereference on mrbfullgc Proof of Concept // PoC.js def lambda = super lambda = @a ... ; lambda Result /asan/mruby/bin/mruby crash.rb AddressSanitizer:DEADLYSIGNAL ================================================================= ==354==ERROR: AddressSanitizer: SEGV on...
in bookstackapp/bookstack
Description Bookstack does not use secure Cache-Control headers. Proof of Concept 1: Login to application 2: View a shelf 3: Logout 4: Press the back button of the opened tab to still see that you can view the information about books previous page of your shelf. Impact This issue is capable of...
in atmosphere/atmosphere
Description The atmosphere is vulnerable to SSRF Server Side Request Forgery via XML External Entity XXE. An attacker that is able to provide a crafted XML file as input to the WebDotXmlReader constructor in the "WebDotXmlReader.java" file may allow an attacker to execute XML External Entities XX...
Sensitive Cookie Without 'HttpOnly' Flag in pkp/ojs
✍️ Description HTTPOnly attribute is not set for session cookies "OJSSID" in the application. Proof of Concept Check this for POC: Image Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description Hello, there is another CSRF vulnerability on your nice application on the following endpoint. /sales/deleteitem/saleid...
in snipe/snipe-it
Description There is no rate limit sent unlimited email victim or any email address Proof of Concept There is no rate limit return-password , attacker to send unlimited email to victim or any email address. POST /password/email HTTP/1.1 Host: demo.snipeitapp.com Connection: close Content-Length: ...
Heap-based Buffer Overflow in vim/vim
Description Whilst testing vim built from commit be01090 with Clang 12 + ASan on Ubuntu 18.04, we discovered crafted input which triggers a bug in how vim draws information on the screen, causing a heap-buffer-overflow, WRITE of size 5 to occur. Proof of Concept The disclosed POC is trimmed down ...
Path Traversal in bookstackapp/bookstack
Description A path traversal vulnerability in BookStacks export function allows for the exposure of sensitive files in local or localsecure Laravel filesystems. Proof of Concept 1: Write the following in a new page: 2: Export in contained HTML to find the .htaccess file base64 encoded 3: If the...
Session Fixation in pheditor/pheditor
Description Session Fixation vulnerability found in pheditor in which it doesn't expire the sessions after password update. Proof of Concept // PoC 1. Open normal tab and one private tab 2. Open the pheditor on both of them and log in as a user 3. From private tab change the user password and log...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in kevinpapst/kimai2
Description Session cookie dancer.session is not marked with 'Secure' Proof of Concept Login to demo page https://demo-stable.kimai.org/en/dashboard/, Open Firefox developer option - storage - check secure option...
Cross-Site Request Forgery (CSRF) in pkp/pkp-lib
Description Higher severity CSRF in PKP-LIB plugins ImportExport is vulnerable to CSRF in terms of file uploads and file imports, an attacker can import arbitrary users into the platform, 1: POST /index.php/e/management/importexport/plugin/UserImportExportPlugin/uploadImportXML 2: GET...
Improper Access Control in cortezaproject/corteza-server
Hi, Old unused Password reset tokens are not getting expired after using the new one. Suppose I am an attacker and I got access to the recovery email option of victim account. I logged in to victim recovery email suppose that is [email protected]. Then I used the forget password option. I will get o...
in cortezaproject/corteza-server
Description --------------- There is no rate limit sent unlimited email victim or any email address Proof of Concept ---------------------- There is no rate limit return-password , attacker to send unlimited email to victim or any email address. POST /auth/request-password-reset HTTP/1.1 Host:...
Heap-based Buffer Overflow in hoene/libmysofa
Description system : ubuntu 20.04 build command cd libmysofa mkdir build cd build CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../ make all run cmd ./mysofa2json -c ./heapoobreadmemcpy ./mysofa2json -c ./heapoobread Proof of Concept poc 1 :...
in craigk5n/webcalendar
Description it can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page save the script as clickjacking .html and page will render in iframes...
in chevereto/chevereto-free
Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills. This tricks...
Sensitive Cookie Without 'HttpOnly' Flag in vuestorefront/vue-storefront
✍️ Description HTTPOnly attribute is not set for session cookies "vsf-commercetools-token" in the application. Proof of Concept Check this for POC: Image Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in vuestorefront/vue-storefront
✍️ Description The secure flag is not set for session cookie "vsf-commercetools-token" in the application. Proof of Concept Check this for POC: Image Impact If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection,...
SQL Injection in ampache/ampache
Description The application does not validate and escape the type parameter before using it in a SQL statement in Model/Tag.php, leading to a SQL Injection Proof of Concept Time delay: GET /browse.php?action=tag&type=0%27orifnow=sysdate,sleep3,0or%27 HTTP/1.1 Host: demo.ampache.dev sec-ch-ua:...
Use of a Broken or Risky Cryptographic Algorithm in anonaddy/anonaddy
Description MD5 and SHA-1 are popular cryptographic hash algorithms often used to verify the integrity of messages and other data. Recent advances in cryptanalysis have discovered weaknesses in both algorithms. Consequently, MD5 and SHA-1 should no longer be relied upon to verify the authenticity...
Heap-based Buffer Overflow in vim/vim
When fuzzing vim commit 56858e4ed works with latest build with clang 12 and ASan, I discovered a heap buffer overflow. Proof of Concept Here is minimized poc sh /%.v 5/ c Extract then run crafted file with this command vim -u NONE -X -Z -e -s -S vimpoc1 -c :qa! ASan stack trace: bash...
Open Redirect in rotheross/otobo
Description there is a open redirect vulnerability in following url : https://demo.otobo.org/otobo/index.pl?Action=ExternalURLJump;URL=https://google.com here after click on link the victim will be redirected to https://google.com...
in erikdubbelboer/phpredisadmin
Description $response is a salted md5 hash generated based on the concatenated hashed of credentials with other parameters. It has been discovered that $response compares with $data'response' using comparison operator != in file login.inc.php. This might cause unexpected behavior due to type...
Cross-Site Request Forgery (CSRF) in pkp/pkp-lib
Description Missing CSRF token in role stage assignment, save language settings, and task notification 1: http://10.0.2.15/index.php/e/$$$call$$$/grid/settings/roles/user-group-grid/unassign-stage?stageId=1&userGroupId=5 2:...
in livehelperchat/livehelperchat
Description Sensitive data on the application can be exposed after the user logout Proof of Concept 1 Login to the application demo.livehelperchat.com/siteadmin/ 2 Go to page like My Account , or Any other page 3 Click logout 4 Click browser back button Impact When a user logs out without closing...
Cross-site Scripting (XSS) - Generic in snipe/snipe-it
Description At File Uploads allows for arbitrary execution of JavaScript Step to Reproduct XSS at filename Goto detail of one asset At tab File choose to upload file with filename contain payload: file'name XSS when upload file .svg In list file types are allowed don't have file .svg Goto detail ...
Sensitive Cookie Without 'HttpOnly' Flag in yeswiki/yeswiki
Description The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps...
in yeswiki/yeswiki
Description During the comparisons of different variables, PHP will automatically convert the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12' or check whether or not a string is empty by using a comparison like $string == True. This, however...
in yeswiki/yeswiki
Description Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker to inject javascript code via SVG...
Cross-site Scripting (XSS) - Stored in yeswiki/yeswiki
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
SQL Injection in yeswiki/yeswiki
Description A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data Insert/Update/Delete, execute administration operations ...
Cross-site Scripting (XSS) - Reflected in yeswiki/yeswiki
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Description I found some low/medium level CSRFs on nice snipe-it application Proof of Concepts change the state of Requestable Assets : // PoC.html history.pushState'', '', '/' restore a hardware : // PoC.html history.pushState'', '', '/'...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description You have not set any CSRF protection for receivings/deleteitem/itemid endpoint. Proof of Concept //PoC.html history.pushState'', '', '/'...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description Attacker able to delete supplier with CSRF attack Proof of Concept //PoC.html history.pushState'', '', '/'...
Classic Buffer Overflow in sjord/checkmate
Description Good morning, I hope this message finds you well during these challenging times. Whilst testing checkmate built from commit 8e497d8, we discovered crafted input which triggers a bug in the frame parsing code, leading to a global-buffer-overflow, READ of size 4. Proof of Concept First...
in snipe/snipe-it
Description Sensitive data on the application can be exposed after the user logout Proof of Concept 1 Login to the application https://demo.snipeitapp.com/ 2 Goto page like My Account , or Any other page 3 Click logout 4 Click browser back button Impact When a user logs out without closing the...
Cross-Site Request Forgery (CSRF) in collectiveaccess/pawtucket2
Description After taking a look at the application again, I found few more create / update endpoints which should have CSRF protection Proof of Concept http://PAWTUCKET-URL/pawtucket/index.php/Lightbox/saveUserGroup?name=123&description=abc&groupid=...
in collectiveaccess/pawtucket2
Description With ref to this report: https://www.huntr.dev/bounties/9708c444-2cf2-4aed-8188-1dc7def05ba1/, should replicate over proper cache-control Proof of Concept Example of sensitive 1 Login to application dashboard 2 Go to lightbox page 3 Click logout. 4 Click go back button to see group...
in firefly-iii/firefly-iii
Description There is no rate limit sent unlimited email victim or any email address Proof of Concept There is no rate limit return-password , attacker to send unlimited email to victim or any email address. POST /password/email HTTP/2 Host: demo.firefly-iii.org Cookie:...
in netdisco/netdisco
Description it can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page save the script as clickjacking .html and page will render in iframes below link show...
Prototype Pollution in kriszyp/json-schema
Description A constructed payload sent to validate will lead to prototype pollution. Proof of Concept // PoC.js const validate = require"json-schema"; const instance = JSON.parse "$schema": "type": "object", "properties": "proto": "type": "object", "properties": "polluted": "type": "string",...
Server-Side Request Forgery (SSRF) in appwrite/appwrite
Description An authenticated SSRF vulnerability exists in appwrite's webhooks / tasks feature. The gopher:// protocol can be used to cause code execution on the Redis server that comes along with appwrite. The attacker must know the IP address of the redis-server which can be done by creating...
in cortezaproject/corteza-server
Setup the application on your local system. Steps: -------- 1. Login in application and navigate to the settings, where change the user password and capture the request in burp suit. 2. Now logout from application and copy the Authorization token. 3. After logout the authorization token must be...
in cortezaproject/corteza-server
Set up the cortezaproject in your local machine. Steps: -------- 1. Create the account on corteza 2. Login using same credentails from chrome and firefox. 3. Change user password from chrome. 4. Perform any activity in Firefox the session is still valid. Mitigation: --------------- After changing...
Server-Side Request Forgery (SSRF) in chevereto/chevereto-free
Description Attackers can make the server perform arbitrary requests to internal IPs as well as use the file:/// protocol to disclose internal image data. Proof of Concept 1: Create a valid image file on the server /path/to/index.png 2: Choose add Image URLs and use a valid URL and click OK. Then...
Session Fixation in pheditor/pheditor
Description PHPEditor session are not regenerated after every login leading to possible session fixation attacks local attack vector Proof of Concept 1. Open two browsers Browser 1: Attacker, Browser 2: Victim 2. Visit https://PHP-EDITOR/phpeditor.php server and copy cookie from Browser 1 3. Past...
in pheditor/pheditor
Description This issue allows an attacker to influence calls to the 'unlink' function and delete arbitrary files. https://github.com/pheditor/pheditor is vulnerable to DoS via Arbitrary file deletion. Proof of concept Vuln variable: $POST'path' Snippet: case 'delete': if isset$POST'path' &&...
in pheditor/pheditor
Description With your new fix in https://github.com/pheditor/pheditor/commit/69a79e3ba7f4a9f844cf5919c14a953e4a0d1867, it is basically impossible to change the password now because you forgot to add in the CSRF token in the reset password functionality, hence the password cannot be changed from...
Open Redirect in firefly-iii/firefly-iii
Steps: 1. Login in application and and navigate to bill section and create bill and capture the request. Web applications use different techniques to redirect users to the next page. Apps may use URL query parameters, header values, with JavaScript code, or it may be backend code. In case of this...