in opensourcepos/opensourcepos
Description The use of == and != might cause type juggling in the affected code if $row->hashversion == 1. Proof of Concept If the md5 sum of the user's password starts with 0e, then any input with an md5 sum starting with 0e will result in true at the statement $row->password == md5($password) Impact This...
Static Code Injection in collectiveaccess/pawtucket2
Description This is with reference to another SSRF report I made https://huntr.dev/bounties/43505ece-7d5e-44b8-a7a3-69bd42d0ad02/ in which the fix was to filter external src from images. Pawtucket2 makes use of the same code as Providence to filter HTML, however it does not include the new fix...
in youzan/vant
✍️ Description The @vant/cli package is vulnerable to Regular Expression Denial of Service ReDoS. An attacker that is able to provide a crafted string as the input to the decamelize function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex...
Improper Access Control in collectiveaccess/pawtucket2
Description An attacker can join any user group in the Pawtucket2 interface as the URLs are not being randomised Proof of Concept Any attacker can join the Administrator group using: http://PAWTUCKETURL/pawtucket/index.php/LoginReg/joinGroup/groupid/2 An attacker can join any group by incrementin...
in dbeaver/dbeaver
✍️ Description dbeaver is vulnerable to XML External Entity XXE. An attacker that is able to provide a crafted XML file as input to the parseDocument function in the "XMLUtils.java" file may be able to execute XML External Entities XXE, including exposing the contents of local files...
Open Redirect in sbrl/pepperminty-wiki
Description I saw this report https://huntr.dev/bounties/89f222e4-2aaa-44f8-8b24-657d3a0e741f/ and this fix commit: https://github.com/sbrl/Pepperminty-Wiki/blob/f59e68127cb4147e49f9453e1f657cc24972fda5/modules/page-login.php#L167 and I found out that you never use the new $returntoredirect...
in stanfordnlp/corenlp
✍️ Description The Stanford CoreNLP package provides a set of natural language analysis tools written in Java, and is vulnerable to XML External Entity XXE. An attacker that is able to provide a crafted XML file as input to the getTextContentFromTagsFromFile function in the "XMLUtils.java" file...
in khodakhah/nodcms
Description There is no rate limit; an attacker can send unlimited emails to the victim or any email address. Proof of Concept There is no rate limit on return-password; an attacker can send unlimited emails to the victim or any email address. POST /en/return-password HTTP/1.1 Host: demo.nodcms.com User-Agent: Mozilla/5.0 Windows NT...
Open Redirect in fisharebest/webtrees
Description I saw this report: https://huntr.dev/bounties/ad4278af-52b7-4c34-8d43-9b829105d499/ and also your fix commit https://www.github.com/fisharebest/webtrees/commit/551ad4afbcef2a72a6cf6461f1747762180b12c5, so I should say that the fix can be bypassed with payloads such as: If the baseurl ...
Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Description: Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept // PoC.js POC --...
in fisharebest/webtrees
Description There is no rate limit protection; the rate limit can be bypassed to send unlimited emails to the victim or any email address. Proof of Concept There is no rate limit on password-request; an attacker can send unlimited emails to the victim or any email address. POST...
Cross-Site Request Forgery (CSRF) in gunet/openeclass
Description Missing CSRF token on all form POST actions in the application Proof of Concept // CSRF PoC history.pushState('', '', '/') Impact With a CSRF attack, the attacker can perform operations to add, edit, and delete data on the application through the victim...
Session Fixation in gunet/openeclass
Description The cookie before and after user login doesn't change Proof of Concept // PoC.js 1 Load the website in a new browser 2 Get the cookie before login 3 Log in to the website 4 Get the cookie after login and compare the 2 values Impact Through other attack methods such as XSS, the attacker can store the user'...
Exposure of Sensitive Information to an Unauthorized Actor in blair2004/nexopos-4x
Description Unhandled exception leads to exposure of server side and sql query information. Proof of Concept 1. Go to demo page http://v4.nexopos.com and login using demo account 2. Go to Customer - Create coupon and try to create a coupon without entering coupon code leave it empty 3. See that t...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in blair2004/nexopos-4x
Description Session cookie nexopossession is not marked as Secure Proof of Concept 1. Open demo page https://v4.nexopos.com/sign-in using firefox; login using demo account 2. Go to Developer tool - Storage - Cookie and see that nexopossession has Secure = False...
Improper Authorization in blair2004/nexopos-4x
Description No authorization in downloading customer export file. Proof of Concept 1. Access this link in browser without logging in: http://v4.nexopos.com/export/customers-list.csv 2. See that you can download customer list file without logging in. Impact This vulnerability is capable of exposur...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description In some delete actions I changed the HTTP request method to GET and also removed the CSRF token from the request, and then I was able to bypass your CSRF protection...
in dompdf/dompdf
Description The Scenario 3 you described in this report https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/ actually opens up the ability to bypass chroot checks. Proof of Concept 1: Make sure you install Dompdf from GitHub https://github.com/dompdf/dompdf/ and include the following...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description Stored XSS in parameter 'msgbody' at 'Write e-mail' allows for the arbitrary execution of JavaScript Proof of Concept // PoC.req POST /demo/admprogram/modules/messages/messagessend.php HTTP/2 Host: www.admidio.org Cookie:...
in kcal-app/kcal
Description There isn't any proper authorization for the delete goal action, which leads to an IDOR vulnerability...
Open Redirect in fisharebest/webtrees
Description OpenRedirect at login with parameter &url= Proof of Concept // PoC.request POST /demo-stable/index.php?route=%2Fdemo-stable%2Flogin%2Fdemo HTTP/2 Host: dev.webtrees.net Cookie: Secure-WT-ID=ekks8678620p55do7do21jd4p1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in openfun/openedx-docker
Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/10vEIf77qf1ejR14lL5GZCMn9bZmmbIBd/view?usp=sharing Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP...
Open Redirect in blogifierdotnet/blogifier
Description Open redirect at login page due to unchecked "returnUrl" param Proof of Concept 1. Go to demo page link http://demo.blogifier.net/admin/login/?returnUrl=https://google.com 2. Login using demo account and see that you are redirected to google.com Impact This vulnerability is capable of...
in osticket/osticket
Description The forgot password can be abused to leak possible usernames due to different responses returned when a user exists or a user does not. Proof of Concept 1. Go to http://OSTICKET-SERVER/htdocs/osticket/scp/pwreset.php 2. Key in a user which does not exist, the response is: "Unable to...
in zikula/core
Description Sensitive data on the application can be exposed after the user logs Proof of Concept // PoC 1 Log in to the application 2 Go to a page like My Account 3 Click logout 4 Click the browser back button Impact When a user logs out without closing the browser, someone can view the information insid...
Heap-based Buffer Overflow in hoene/libmysofa
Description There are some heap-buffer-overflows in mysofa2json of libmysofa. They are in function loudness, mysofacheck and readOHDRHeaderMessageDataLayout. System info Ubuntu 20.04.3 LTS clang 12.0.1 libmysofa github master branch commit 0cb89cb Command to Reproduce build libmysofa with...
Exposure of Sensitive Information to an Unauthorized Actor in kcal-app/kcal
Description An attacker can view the foods and other information in the application through direct calls to API functions without any authentication Proof of Concept Step 1 Go to http://demo.kcal.cooking/api/v1/foods?pagenumber=1&pagesize=12...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in netdisco/netdisco
Description Session cookie dancer.session is not marked with 'Secure' Proof of Concept 1. Go to demo page https://netdisco2-demo.herokuapp.com; the page automatically logs in as guest 2. Open the Firefox developer tools and see that the cookie dancer.session is not marked with 'Secure'...
Sensitive Cookie Without 'HttpOnly' Flag in filegator/filegator
Description HTTPOnly attribute is not set for session cookies in the application. Proof of Concept https://ibb.co/R950Vxj Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in filegator/filegator
Description Secure flag is not implemented on the application Proof of Concept https://ibb.co/nLTbftm Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies...
in kcal-app/kcal
Description Sensitive data can be exposed even after logging out of the application due to a wrong UI action Proof of Concept 1 Log in to the application dashboard http://demo.kcal.cooking/ 2 Go to any pages (recipes, foods) 3 Click logout 4 Click the browser back button Application structure exposed; we can stil...
in flarum/framework
Description Sensitive data can be exposed even after logging out of the application due to a wrong UI action Proof of Concept 1 Log in to the application dashboard as admin https://demo.flarum.site/admin/ 2 Go to any pages (dashboard, permissions, etc.) 3 Click logout 4 Click the browser back button 5 Will re-ente...
in collectiveaccess/providence
Description Sensitive data can be exposed even after logging out of the application due to a wrong UI action Proof of Concept 1 Log in to the application dashboard https://demo.collectiveaccess.org 2 Go to any pages (dashboard, administration, etc.) 3 Click logout 4 Click the browser back button Impact Any other...
Cross-site Scripting (XSS) - Stored in jonschoning/espial
Description Stored XSS in URL link Proof of Concept // PoC request POST /api/add HTTP/2 Host: esp.ae8.org Cookie:...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in khodakhah/nodcms
Description Implement both Secure flag and httponly flag in the application. Proof of Concept Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from bein...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in jonschoning/espial
Description Implement both Secure flag and httponly flag in the application. Proof of Concept Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from bein...
in jonschoning/espial
Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. PoC https://i.ibb.co/QFTZD9j/clickjack.png Impact According to PortSwigger references, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable ...
in jonschoning/espial
Description Weak password implementation Proof of Concept Step 1: log into the account and go to https://esp.ae8.org/Settings/Password Step 2: change the password from demo to 12 or 1 and save changes Step 3: we can see the updated message; the application is allowing a weak password to be set. PoC image for your reference...
in gotify/server
Description On OS level, the authorization token of the user is being logged, with the default docker installation. Proof of Concept 1; Install the docker version of the software 2; Log in with any user 3; Observe the logs, and the following row is being displayed: GIN 2021/09/26 - 19:34:52 | 200...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in kcal-app/kcal
Description Implement both Secure flag and httponly flag in the application. Proof of Concept Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from bein...
in kcal-app/kcal
Description Weak password implementation Proof of Concept Step 1: log into the account and go to http://demo.kcal.cooking/users/kcal/edit Step 2: change the password from kcal to 12 and save changes Step 3: we can see the updated message; the application is allowing a weak password to be set. PoC image in the link below...
Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept // PoC POST Request: https://demo.opensourcepos.org/messages/send/ Data:...
Use of a Broken or Risky Cryptographic Algorithm in idno/known
Description In the referenced code, known uses an insecure RNG to generate a password because, in its words; this should "mitigate security holes if cleanup fails" - unfortunately, if the cleanup fails - an attacker may be able to predict the password to the created account. Proof of Concept See...
in amirsanni/mini-inventory-and-sales-management-system
Description It is possible to enumerate registered emails using the forgot password functionality, as the application shows a different response when the email exists and when it does not exist Proof of Concept Impact The product behaves differently or sends different responses under different circumstances i...
Cross-Site Request Forgery (CSRF) in collectiveaccess/providence
Description I have found more endpoints which allow edit/duplicate were not protected from CSRF, the following endpoints are: 1: Edit Global Value in Pawtucket. 2: Change object type. 3: Duplicate object. 4: Duplicate items in the set and add to another set. Proof of Concept Via GET requests: 1...
Heap-based Buffer Overflow in mruby/mruby
Description Heap buffer overflow on mrb-vm-exec Proof of Concept // poc.rb 1.timesuntil% ;break Result ./mruby poc.rb ================================================================= ==1451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000023d9 at pc 0x55b2fc3f1046 bp...
Cross-Site Request Forgery (CSRF) in galette/galette
Description An attacker is able to execute a CSRF attack when a user visits a malicious page Proof of Concept // PoC.html history.pushState('', '', '/') Impact This vulnerability is capable of allowing an attacker to submit CSRF through a crafted malicious page...
Code Injection in collectiveaccess/providence
Description client side injection Proof of Concept open the https://demo.collectiveaccess.org/find/QuickSearch/Index click on search input the code in search bar clickme https://i.ibb.co/tmB0K64/client.png Impact This vulnerability is injecting malicious code into application...
Cross-Site Request Forgery (CSRF) in collectiveaccess/providence
Description No CSRF token and GET requests allowed in Data and Metadata imports Proof of Concept 1. Login as administrator 2. Create a directory called test in /import directory and put a CSV file inside 3. On the browser with administrator cookies, visit...
Server-Side Request Forgery (SSRF) in collectiveaccess/providence
Description An authenticated, blind SSRF vulnerability exists in CollectiveAccess. Requires edit access; tested with the default cataloguer account Proof of Concept As the 'cataloguer' user: Step 1. Create a new object with the title: Step 2. After submitting this object, browse for objects in...