4057 matches found
in chevereto/chevereto-free
Clickjacking is a portmanteau of two words, ‘click’ and ‘hijacking’. It refers to hijacking a user’s click for malicious intent. In it, an attacker embeds the vulnerable site in a transparent iframe in the attacker’s own website and overlays it with objects such as buttons using CSS. This tricks...
Sensitive Cookie Without 'HttpOnly' Flag in vuestorefront/vue-storefront
✍️ Description The HttpOnly attribute is not set for the session cookie "vsf-commercetools-token" in the application. Proof of Concept Check this for PoC: [image] Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in vuestorefront/vue-storefront
✍️ Description The Secure flag is not set for the session cookie "vsf-commercetools-token" in the application. Proof of Concept Check this for PoC: [image] Impact If the Secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection,...
SQL Injection in ampache/ampache
Description The application does not validate and escape the type parameter before using it in a SQL statement in Model/Tag.php, leading to a SQL Injection Proof of Concept Time delay: GET /browse.php?action=tag&type=0%27orifnow=sysdate,sleep3,0or%27 HTTP/1.1 Host: demo.ampache.dev sec-ch-ua:...
Use of a Broken or Risky Cryptographic Algorithm in anonaddy/anonaddy
Description MD5 and SHA-1 are popular cryptographic hash algorithms often used to verify the integrity of messages and other data. Recent advances in cryptanalysis have discovered weaknesses in both algorithms. Consequently, MD5 and SHA-1 should no longer be relied upon to verify the authenticity...
Heap-based Buffer Overflow in vim/vim
While fuzzing vim at commit 56858e4ed (latest build with clang 12 and ASan), I discovered a heap buffer overflow. Proof of Concept Here is the minimized PoC: sh /%.v 5/ c Extract it, then run the crafted file with this command: vim -u NONE -X -Z -e -s -S vimpoc1 -c :qa! ASan stack trace: bash...
Open Redirect in rotheross/otobo
Description There is an open redirect vulnerability at the following URL: https://demo.otobo.org/otobo/index.pl?Action=ExternalURLJump;URL=https://google.com Here, after clicking on the link, the victim will be redirected to https://google.com...
in erikdubbelboer/phpredisadmin
Description $response is a salted md5 hash generated from the concatenated hashes of the credentials and other parameters. It has been discovered that $response is compared with $data['response'] using the comparison operator != in the file login.inc.php. This might cause unexpected behavior due to type...
Cross-Site Request Forgery (CSRF) in pkp/pkp-lib
Description Missing CSRF token in role stage assignment, save language settings, and task notification 1: http://10.0.2.15/index.php/e/$$$call$$$/grid/settings/roles/user-group-grid/unassign-stage?stageId=1&userGroupId=5 2:...
in livehelperchat/livehelperchat
Description Sensitive data on the application can be exposed after the user logs out Proof of Concept 1. Log in to the application demo.livehelperchat.com/siteadmin/ 2. Go to a page like My Account, or any other page 3. Click logout 4. Click the browser back button Impact When a user logs out without closing...
Cross-site Scripting (XSS) - Generic in snipe/snipe-it
Description File Uploads allows arbitrary execution of JavaScript Steps to Reproduce XSS in the filename: Go to the detail of one asset. In the File tab choose to upload a file with a filename containing the payload: file'name XSS when uploading a .svg file: the list of allowed file types does not include .svg. Go to the detail ...
Sensitive Cookie Without 'HttpOnly' Flag in yeswiki/yeswiki
Description The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps...
in yeswiki/yeswiki
Description During the comparisons of different variables, PHP will automatically convert the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12' or check whether or not a string is empty by using a comparison like $string == True. This, however...
in yeswiki/yeswiki
Description Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code onto the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker inject JavaScript code via SVG...
Cross-site Scripting (XSS) - Stored in yeswiki/yeswiki
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
SQL Injection in yeswiki/yeswiki
Description A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data Insert/Update/Delete, execute administration operations ...
Cross-site Scripting (XSS) - Reflected in yeswiki/yeswiki
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Description I found some low/medium level CSRFs on the nice snipe-it application Proof of Concepts Change the state of Requestable Assets: // PoC.html history.pushState('', '', '/') Restore a hardware item: // PoC.html history.pushState('', '', '/')...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description You have not set any CSRF protection for the receivings/deleteitem/itemid endpoint. Proof of Concept //PoC.html history.pushState('', '', '/')...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description An attacker is able to delete a supplier with a CSRF attack Proof of Concept //PoC.html history.pushState('', '', '/')...
Classic Buffer Overflow in sjord/checkmate
Description Good morning, I hope this message finds you well during these challenging times. Whilst testing checkmate built from commit 8e497d8, we discovered crafted input which triggers a bug in the frame parsing code, leading to a global-buffer-overflow, READ of size 4. Proof of Concept First...
in snipe/snipe-it
Description Sensitive data on the application can be exposed after the user logs out Proof of Concept 1. Log in to the application https://demo.snipeitapp.com/ 2. Go to a page like My Account, or any other page 3. Click logout 4. Click the browser back button Impact When a user logs out without closing the...
Cross-Site Request Forgery (CSRF) in collectiveaccess/pawtucket2
Description After taking a look at the application again, I found a few more create / update endpoints which should have CSRF protection Proof of Concept http://PAWTUCKET-URL/pawtucket/index.php/Lightbox/saveUserGroup?name=123&description=abc&groupid=...
in collectiveaccess/pawtucket2
Description With reference to this report: https://www.huntr.dev/bounties/9708c444-2cf2-4aed-8188-1dc7def05ba1/, this should be replicated with proper cache-control Proof of Concept Example of sensitive data: 1. Log in to the application dashboard 2. Go to the lightbox page 3. Click logout. 4. Click the go back button to see group...
in firefly-iii/firefly-iii
Description There is no rate limit, so unlimited emails can be sent to the victim or any email address Proof of Concept There is no rate limit on return-password, so an attacker can send unlimited emails to the victim or any email address. POST /password/email HTTP/2 Host: demo.firefly-iii.org Cookie:...
in netdisco/netdisco
Description It is possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjacking test page: save the script as clickjacking.html and the page will render in an iframe; the link below shows...
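The chevereto and netdisco clickjacking reports and the vue-storefront and yeswiki cookie-flag reports above all come down to response headers the application never sent. The bootstrap below is an added example written for this listing, not code from any of those projects: it is include()d before any output, sets the cookie attributes and anti-framing headers, and carries a small checker that names the attributes missing from a Set-Cookie header value. It assumes PHP 7.3 or later (the options-array form of session_set_cookie_params() and setcookie()); the header values fed to the checker are constructed to match the vue-storefront reports.

```php
<?php
// Added example, not chevereto, netdisco, vue-storefront or yeswiki code: a bootstrap
// include()d before any output that sets the cookie attributes and anti-framing headers
// the reports above ask for, plus a checker for Set-Cookie headers seen in a response.
// Needs PHP 7.3+ (options-array form of session_set_cookie_params()/setcookie()).
declare(strict_types=1);

function harden_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // never sent over plain http
        'httponly' => true,    // invisible to document.cookie, so XSS cannot read it
        'samesite' => 'Lax',   // not attached to cross-site POSTs or subresource loads
    ]);
    ini_set('session.use_only_cookies', '1');   // no session id in URLs
    ini_set('session.use_strict_mode', '1');    // ids the server did not issue are refused
}

function deny_framing(): void
{
    header('X-Frame-Options: DENY');                              // older browsers
    header("Content-Security-Policy: frame-ancestors 'none'");    // current browsers
}

/** Same attributes for any other cookie the application sets. */
function set_hardened_cookie(string $name, string $value, int $ttl): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Audit helper: names of the attributes missing from one Set-Cookie header value. */
function missing_cookie_flags(string $setCookie): array
{
    $attrs = array_map('trim', explode(';', $setCookie));
    array_shift($attrs);                       // drop name=value
    $attrs = array_map('strtolower', $attrs);
    $missing = [];
    foreach (['secure', 'httponly'] as $flag) {
        if (!in_array($flag, $attrs, true)) {
            $missing[] = $flag;
        }
    }
    $hasSameSite = false;
    foreach ($attrs as $a) {
        if (strpos($a, 'samesite=') === 0) {
            $hasSameSite = true;
        }
    }
    if (!$hasSameSite) {
        $missing[] = 'samesite';
    }
    return $missing;
}

harden_session_cookie();
deny_framing();
session_start();

// Constructed header values, as the two vue-storefront reports describe them.
print_r(missing_cookie_flags('vsf-commercetools-token=abc123; Path=/'));
print_r(missing_cookie_flags('vsf-commercetools-token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'));
```

The first checker call reports secure, httponly and samesite as missing; the second reports nothing. Both framing headers are sent on purpose: X-Frame-Options is what the netdisco report asks for, and frame-ancestors is what current browsers honour when the two disagree.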
Prototype Pollution in kriszyp/json-schema
Description A constructed payload sent to validate will lead to prototype pollution. Proof of Concept // PoC.js const validate = require("json-schema"); const instance = JSON.parse "$schema": "type": "object", "properties": "proto": "type": "object", "properties": "polluted": "type": "string",...
Server-Side Request Forgery (SSRF) in appwrite/appwrite
Description An authenticated SSRF vulnerability exists in appwrite's webhooks / tasks feature. The gopher:// protocol can be used to cause code execution on the Redis server that comes along with appwrite. The attacker must know the IP address of the redis-server which can be done by creating...
in cortezaproject/corteza-server
Set up the application on your local system. Steps: -------- 1. Log in to the application and navigate to the settings, change the user password and capture the request in Burp Suite. 2. Now log out from the application and copy the Authorization token. 3. After logout the authorization token must be...
in cortezaproject/corteza-server
Set up the cortezaproject on your local machine. Steps: -------- 1. Create an account on corteza 2. Log in using the same credentials from Chrome and Firefox. 3. Change the user password from Chrome. 4. Perform any activity in Firefox: the session is still valid. Mitigation: --------------- After changing...
Server-Side Request Forgery (SSRF) in chevereto/chevereto-free
Description Attackers can make the server perform arbitrary requests to internal IPs as well as use the file:/// protocol to disclose internal image data. Proof of Concept 1: Create a valid image file on the server /path/to/index.png 2: Choose add Image URLs and use a valid URL and click OK. Then...
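The chevereto report above describes two things a URL-fetch feature must refuse: non-HTTP schemes such as file:/// and requests that land on internal addresses. The code below is an added example written for this listing, not chevereto's own code. It assumes PHP 7.3+ with ext/curl, and it checks every resolved address rather than the hostname string, then pins that resolution into the fetch so a DNS answer cannot change between the check and the connection. The three input URLs at the bottom are constructed.

```php
<?php
// Added example: validate a user-supplied image URL before the server fetches it.
// Not chevereto's code. Assumes PHP 7.3+ with ext/curl.
declare(strict_types=1);

/** True only for globally routable unicast addresses (v4 or v6). */
function is_public_ip(string $ip): bool
{
    // Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the v4 ranges are checked.
    if (stripos($ip, '::ffff:') === 0
        && filter_var(substr($ip, 7), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $ip = substr($ip, 7);
    }
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Resolve a host literal or name to every address it maps to. */
function resolve_all(string $host): array
{
    $bare = trim($host, '[]');
    if (filter_var($bare, FILTER_VALIDATE_IP) !== false) {
        return [$bare];
    }
    $ips = gethostbynamel($host) ?: [];
    foreach (dns_get_record($host, DNS_AAAA) ?: [] as $rec) {
        $ips[] = $rec['ipv6'];
    }
    return $ips;
}

/** Throws InvalidArgumentException unless $url is http(s) to a public address; returns the addresses. */
function assert_safe_url(string $url): array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http/https allowed');   // blocks file://, gopher://, php://
    }
    if (isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('userinfo in URL not allowed');
    }
    $ips = resolve_all($p['host']);
    if ($ips === []) {
        throw new InvalidArgumentException('host does not resolve');
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            throw new InvalidArgumentException("host resolves to non-public address {$ip}");
        }
    }
    return $ips;
}

/** Fetch the body; the pinned resolution closes the resolve-then-fetch DNS rebinding gap. */
function fetch_image(string $url, int $maxBytes = 10 * 1024 * 1024): string
{
    $ips  = assert_safe_url($url);
    $p    = parse_url($url);
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ch   = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,  // a 302 to http://169.254.169.254/ would bypass the check
        CURLOPT_RESOLVE         => [sprintf('%s:%d:%s', $p['host'], $port, $ips[0])],
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
        CURLOPT_MAXFILESIZE     => $maxBytes,  // advisory: enforce the cap again on strlen($body)
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('fetch failed: ' . $err);
    }
    return $body;
}

// Constructed inputs: the first two must be rejected, the last is resolved and checked.
foreach (['file:///etc/passwd', 'http://127.0.0.1:6379/', 'https://example.com/a.png'] as $u) {
    try {
        assert_safe_url($u);
        echo "allowed: {$u}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$u} ({$e->getMessage()})\n";
    }
}
```

Redirects are deliberately not followed: if the application needs them, re-run assert_safe_url() on each Location target and re-pin, otherwise the first hop's public host can bounce the server into the metadata service or a local Redis. On PHP 8.2+ FILTER_FLAG_GLOBAL_RANGE is a stricter replacement for the two flags used in is_public_ip().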
Session Fixation in pheditor/pheditor
Description PHPEditor sessions are not regenerated after login, leading to possible session fixation attacks (local attack vector) Proof of Concept 1. Open two browsers. Browser 1: Attacker, Browser 2: Victim 2. Visit the https://PHP-EDITOR/phpeditor.php server and copy the cookie from Browser 1 3. Past...
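The pheditor report above (session id kept across login), the livehelperchat, snipe-it and pawtucket2 reports (pages still readable from the back button after logout) and the two corteza reports (token still valid after logout or a password change) are the same lifecycle problem from three angles. The login/logout pair below is an added example for this listing, not code from any of those projects. It assumes the caller has already verified the password, that the users table carries an integer cred_version bumped on every password change (lookup_cred_version() is a constructed stub for that lookup), and the paths /login, /logout and /account.

```php
<?php
// Added example, not code from pheditor, livehelperchat, snipe-it, pawtucket2
// or corteza: a login/logout pair that rotates the session id on login,
// destroys the session on logout, and marks authenticated pages no-store.
// Assumed: the caller has already verified the password, and the users table
// carries an integer cred_version bumped on every password change.
declare(strict_types=1);

function login(int $userId, int $credVersion): void
{
    // Throw away the id the browser arrived with; a pre-planted cookie becomes worthless.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'cred_version' => $credVersion, 'login_at' => time()];
}

/** Sessions created before the last password change are invalid (logout-everywhere). */
function session_current(int $currentCredVersion): bool
{
    return isset($_SESSION['user_id'], $_SESSION['cred_version'])
        && $_SESSION['cred_version'] === $currentCredVersion;
}

function require_login(int $currentCredVersion): int
{
    if (!session_current($currentCredVersion)) {
        logout('/login');
    }
    // Never let an authenticated page be served from the browser cache (back button after logout).
    header('Cache-Control: no-store, max-age=0');
    header('Pragma: no-cache');
    return (int) $_SESSION['user_id'];
}

function logout(string $redirectTo = '/login'): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie on the client as well as deleting the server-side record.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?: 'Lax',
    ]);
    session_destroy();
    header('Cache-Control: no-store, max-age=0');
    header('Location: ' . $redirectTo, true, 302);
    exit;
}

// Constructed stand-in for the application's own user lookup.
function lookup_cred_version(int $userId): int
{
    return 1;
}

// Minimal routing for illustration (assumed paths).
session_start();
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
if ($path === '/logout') {
    logout();
}
if ($path === '/account') {
    $uid = require_login(lookup_cred_version((int) ($_SESSION['user_id'] ?? 0)));
    echo "account page for user {$uid}\n";
}
```

The no-store header belongs on every authenticated response, not only on the logout redirect: the cached copy the back button shows was stored when the page was first served. For API tokens such as the corteza Authorization header the same cred_version check applies server-side on every request; a stateless token that the server never looks up cannot be revoked by logout.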
in pheditor/pheditor
Description This issue allows an attacker to influence calls to the 'unlink' function and delete arbitrary files. https://github.com/pheditor/pheditor is vulnerable to DoS via arbitrary file deletion. Proof of concept Vulnerable variable: $_POST['path'] Snippet: case 'delete': if (isset($_POST['path']) &&...
in pheditor/pheditor
Description With your new fix in https://github.com/pheditor/pheditor/commit/69a79e3ba7f4a9f844cf5919c14a953e4a0d1867, it is basically impossible to change the password now because you forgot to add in the CSRF token in the reset password functionality, hence the password cannot be changed from...
Open Redirect in firefly-iii/firefly-iii
Steps: 1. Log in to the application, navigate to the bill section, create a bill and capture the request. Web applications use different techniques to redirect users to the next page. Apps may use URL query parameters, header values, JavaScript code, or backend code. In the case of this...
Cross-Site Request Forgery (CSRF) in collectiveaccess/pawtucket2
Description The following endpoints are vulnerable to CSRF attacks via GET requests even though they use AJAX: 1: Delete lightbox 2: Delete comments 3: Create comments 4: Create comments on objects 5: Add items into lightbox 6: Delete items from lightbox Proof of Concept Copy and paste the...
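The snipe-it, opensourcepos and pawtucket2 CSRF reports above share two root causes: no token bound to the session, and state changes reachable by GET (an AJAX endpoint that accepts GET is still reachable from an img src or a plain link, so "it's called from JavaScript" is not a defence). The guard below is an added example for this listing, not code from any of those projects. It assumes a PHP session is in use, a form field or X-CSRF-Token header carrying the token, and a constructed delete_receiving_item() standing in for the application's model call on the receivings/deleteitem endpoint from the opensourcepos report.

```php
<?php
// Added example, not snipe-it, opensourcepos or pawtucket2 code: a per-session
// synchronizer token and a guard that refuses to change state on GET.
declare(strict_types=1);

function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

/** Hidden field for HTML forms; JS callers send the same value in an X-CSRF-Token header. */
function csrf_field(): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Pure decision: method must be POST and the supplied token must match the stored one. */
function csrf_valid(string $method, $supplied, ?string $stored): bool
{
    if ($method !== 'POST' || $stored === null || !is_string($supplied)) {
        return false;
    }
    return hash_equals($stored, $supplied);
}

/** Call at the top of every state-changing handler. */
function require_csrf(): void
{
    $method   = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    $supplied = $_POST['_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!csrf_valid($method, $supplied, $_SESSION['csrf'] ?? null)) {
        http_response_code($method === 'POST' ? 403 : 405);
        header('Allow: POST');
        exit('rejected: state-changing requests must be POST with a valid token');
    }
}

// Constructed stand-in for the application's model call.
function delete_receiving_item(int $id): bool
{
    return true;
}

// The receivings/deleteitem case from the reports, done safely.
session_start();
require_csrf();
$itemId = filter_input(INPUT_POST, 'item_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($itemId === null || $itemId === false) {
    http_response_code(400);
    exit('item_id required');
}
echo delete_receiving_item($itemId) ? "deleted {$itemId}\n" : "not found\n";
```

hash_equals() is used so that the comparison neither leaks timing nor falls into the loose-comparison trap described in the type juggling reports on this page. A SameSite=Lax session cookie is a second layer, not a replacement: it does nothing for same-site subdomains or for browsers that do not enforce it.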
Use of a Broken or Risky Cryptographic Algorithm in livehelperchat/livehelperchat
Description livehelperchat uses the cryptographically insecure functions microtime, mt_rand and even rand to generate sensitive information. Proof of Concept None provided; see the PHP documentation, which specifies the cryptographic insecurity of the above functions. Impact This vulnerability is capabl...
Use of a Broken or Risky Cryptographic Algorithm in froxlor/froxlor
Description Froxlor uses microtime to seed uniqid which is then hashed to produce a session token, microtime can be reasonably brute-forced/predicted, thus allowing for a relatively large-scale account-takeover attack or accurate targeted ones. Both microtime and uniqid are cryptographically...
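The livehelperchat and froxlor reports above both rest on the same fact: uniqid() without the more_entropy argument is nothing but the current time, eight hex digits of seconds followed by five of microseconds, so a token hashed from it has at most one million candidates once the attacker knows the second it was issued (a Date header or the timestamp on the reset email gives that away). The code below is an added example for this listing, not code from either project. It rebuilds uniqid()'s output from a time value, enumerates a full second of candidates to recover a token generated the weak way, and shows the CSPRNG replacement.

```php
<?php
// Added example, not livehelperchat or froxlor code: why a token derived from
// uniqid()/microtime() is guessable, and the CSPRNG replacement.
declare(strict_types=1);

// uniqid() without more_entropy is sprintf('%08x%05x', seconds, microseconds):
// rebuilding it from a time value shows the whole search space is one second.
function uniqid_at(int $sec, int $usec): string
{
    return sprintf('%08x%05x', $sec, $usec);
}

// Attacker's side: given the second in which the token was issued, enumerate
// every digest the server could have produced in that second.
function candidates_for_second(int $sec, string $algo = 'md5'): Generator
{
    for ($usec = 0; $usec < 1000000; $usec++) {
        yield hash($algo, uniqid_at($sec, $usec));
    }
}

// Hardened replacement: 128 bits from the OS CSPRNG, unrelated to the clock.
function secure_token(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Demonstration: issue a token the weak way, then recover it by brute force.
$issuedAt = time();
$weak     = hash('md5', uniqid());

$found = false;
foreach (candidates_for_second($issuedAt, 'md5') as $candidate) {
    if (hash_equals($weak, $candidate)) {
        $found = true;
        break;
    }
}
echo $found
    ? "weak token recovered by brute force within one second of candidates\n"
    : "not found (time() and uniqid() straddled a second boundary; run again)\n";
echo 'secure token: ' . secure_token() . "\n";
```

The enumeration takes a second or two in plain PHP, which is the whole point: a reset link that must survive for an hour cannot be built from a value the attacker can rebuild faster than the mail arrives. mt_rand() and rand() are no better as a seed, since their state is a 32-bit value that is recoverable from a few outputs; only random_bytes() or random_int() should feed a token.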
in firefly-iii/firefly-iii
Description File upload vulnerability in the application Proof of Concept Steps to reproduce: 1. Log in to the application 2. Go to https://demo.firefly-iii.org/create-from-bill/1 3. Upload any kind of file; the application accepts it Reference PoC 1 https://i.ibb.co/9wWRnsf/Screenshot-12.png...
Improper Access Control in collectiveaccess/pawtucket2
Description After the previous patch fix, users can join the Root group by specifying http://PAWTUCKET-URL/pawtucket/index.php/LoginReg/joinGroup/groupcode/ Proof of Concept http://PAWTUCKET-URL/pawtucket/index.php/LoginReg/joinGroup/groupcode/ Impact Attackers can join the Root group without bei...
Cross-site Scripting (XSS) - Reflected in shannah/xataface
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Cross-site Scripting (XSS) - Reflected in part-db/part-db
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Cross-Site Request Forgery (CSRF) in craigk5n/webcalendar
Description Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering such as sending a link via email or chat, an attacker may trick the users of a web...
Cross-site Scripting (XSS) - Reflected in craigk5n/webcalendar
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Cross-site Scripting (XSS) - Stored in craigk5n/webcalendar
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Improper Input Validation in filebrowser/filebrowser
Description File Browser is a web-interface that allows you to manage and navigate through your files in a web browser. One of its features is to allow a user to run specific shell commands in the server, these commands are specified by users with administrator privileges, with an allow list. Thi...
Type Confusion in craigk5n/webcalendar
Description During the comparisons of different variables, PHP will automatically convert the data into a common, comparable type. This leads to a variety of problems and might even cause security vulnerabilities. https://github.com/craigk5n/webcalendar has type juggling vulnerabilities that allo...
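The phpredisadmin, yeswiki and webcalendar reports above describe the same bug: a server-side digest compared to client input with == or !=, so PHP's type coercion decides the outcome. The snippet below is an added example for this listing, not code from any of those projects; it puts the vulnerable comparison beside the strict one and runs both against two inputs an attacker controls. The two md5 digests are real values (md5 of '240610708' and of 'QNKCDZO'); the JSON body shape is assumed.

```php
<?php
// Added example, not phpredisadmin, yeswiki or webcalendar code: what loose
// comparison does to a digest check, and the strict, constant-time replacement.
declare(strict_types=1);

// The shape the reports describe: a server-side digest compared to client input with != / ==.
function check_loose(string $expected, $supplied): bool
{
    return !($expected != $supplied);   // loose comparison; shown as the vulnerable form
}

// Hardened: reject non-strings outright, then compare in constant time.
function check_strict(string $expected, $supplied): bool
{
    return is_string($supplied) && hash_equals($expected, $supplied);
}

// Case 1, "magic hashes": both md5 digests have the form 0e<digits>, so PHP reads
// them as the float 0.0 on both sides and == is true although the strings differ.
$stored   = '0e462097431906509019562988736854';   // md5('240610708')
$attacker = '0e830400451993494058024219903391';   // md5('QNKCDZO')
var_dump(check_loose($stored, $attacker));
var_dump(check_strict($stored, $attacker));

// Case 2, non-string input: a JSON body {"response": true} decodes to bool(true),
// and any non-empty string == true.
var_dump(check_loose($stored, true));
var_dump(check_strict($stored, true));
```

check_loose() returns true in both cases, on PHP 7 and PHP 8 alike (the PHP 8 comparison changes affect number-versus-non-numeric-string cases, not two numeric strings or a string against a bool); check_strict() returns false in both. The is_string() guard matters as much as hash_equals(): with an array or bool on the right, hash_equals() itself would raise a TypeError or a warning rather than silently passing, but rejecting early keeps the failure mode uniform.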
Exposure of Sensitive Information to an Unauthorized Actor in blair2004/nexopos-4x
Description Exposure of server side sensitive information due to unhandled exception in handling request method. Proof of Concept 1. Go to this link http://v4.nexopos.com/api/nexopos/v4/crud/ns.payments-types/4 2. See that the page returns with sensitive server side data. Here is a sample...
Cross-site Scripting (XSS) - Stored in fisharebest/webtrees
Description Multiple Stored XSS when Add new record at features Add a source citation, Add a shared note Proof of Concept // PoC.req POST /demo-stable/index.php?route=%2Fdemo-stable%2Ftree%2Fdemo%2Fcreate-source HTTP/2 Host: dev.webtrees.net Cookie: Secure-WT-ID=35jvr7cdk25bf0s6k0e1r91c3e...
Code Injection in yogeshojha/rengine
Description RCE via the YAML configuration of reNgine. In this configuration, the settings of the tools used in scans can be adapted. This functionality can be abused to execute arbitrary code. PoC In the YAML configuration of reNgine, edit the extensions field of dirfilesearch to make it look li...