4072 matches found
Cross-Site Request Forgery (CSRF) in collectiveaccess/pawtucket2
Description The following endpoints are vulnerable to CSRF attacks via GET requests even though they use AJAX: 1: Delete lightbox 2: Delete comments 3: Create comments 4: Create comments on objects 5: Add items into lightbox 6: Delete items from lightbox Proof of Concept Copy and paste the...
Use of a Broken or Risky Cryptographic Algorithm in livehelperchat/livehelperchat
Description livehelperchat uses cryptographically insecure functions microtime, mt_rand and even rand to generate sensitive information. Proof of Concept None provided, see the PHP documentation that specifies the cryptographic insecurity of the above functions. Impact This vulnerability is capabl...
Use of a Broken or Risky Cryptographic Algorithm in froxlor/froxlor
Description Froxlor uses microtime to seed uniqid, which is then hashed to produce a session token; microtime can be reasonably brute-forced/predicted, thus allowing for a relatively large-scale account-takeover attack or accurate targeted ones. Both microtime and uniqid are cryptographically...
in firefly-iii/firefly-iii
Description File upload vulnerability in the application Proof of Concept Steps to reproduce 1 Login to the application 2 Go to https://demo.firefly-iii.org/create-from-bill/1 3 Upload a file; the application accepts any kind of file Reference PoC 1 https://i.ibb.co/9wWRnsf/Screenshot-12.png...
Improper Access Control in collectiveaccess/pawtucket2
Description After the previous patch fix, users can join the Root group by specifying http://PAWTUCKET-URL/pawtucket/index.php/LoginReg/joinGroup/groupcode/ Proof of Concept http://PAWTUCKET-URL/pawtucket/index.php/LoginReg/joinGroup/groupcode/ Impact Attackers can join the Root group without bei...
Cross-site Scripting (XSS) - Reflected in shannah/xataface
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Cross-site Scripting (XSS) - Reflected in part-db/part-db
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Cross-Site Request Forgery (CSRF) in craigk5n/webcalendar
Description Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help from social engineering, such as sending a link via email or chat, an attacker may trick the users of a web...
Cross-site Scripting (XSS) - Reflected in craigk5n/webcalendar
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Cross-site Scripting (XSS) - Stored in craigk5n/webcalendar
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Improper Input Validation in filebrowser/filebrowser
Description File Browser is a web interface that allows you to manage and navigate through your files in a web browser. One of its features is to allow a user to run specific shell commands on the server; these commands are specified by users with administrator privileges, with an allow list. Thi...
Type Confusion in craigk5n/webcalendar
Description During the comparison of different variables, PHP will automatically convert the data into a common, comparable type. This leads to a variety of problems and might even cause security vulnerabilities. https://github.com/craigk5n/webcalendar has type juggling vulnerabilities that allo...
Exposure of Sensitive Information to an Unauthorized Actor in blair2004/nexopos-4x
Description Exposure of server side sensitive information due to unhandled exception in handling request method. Proof of Concept 1. Go to this link http://v4.nexopos.com/api/nexopos/v4/crud/ns.payments-types/4 2. See that the page returns with sensitive server side data. Here is a sample...
Cross-site Scripting (XSS) - Stored in fisharebest/webtrees
Description Multiple Stored XSS when adding a new record in the features "Add a source citation" and "Add a shared note" Proof of Concept // PoC.req POST /demo-stable/index.php?route=%2Fdemo-stable%2Ftree%2Fdemo%2Fcreate-source HTTP/2 Host: dev.webtrees.net Cookie: Secure-WT-ID=35jvr7cdk25bf0s6k0e1r91c3e...
Code Injection in yogeshojha/rengine
Description RCE via the YAML configuration of reNgine. In this configuration, the settings of the tools used in scans can be adapted. This functionality can be abused to execute arbitrary code. PoC In the yaml configuration of reNgine, edit the extensions field of dirfilesearch to make it look li...
in opensourcepos/opensourcepos
Description The use of == and != might cause type juggling in the affected code if ($row->hash_version == 1). Proof of Concept If the md5 sum of the user's password starts with 0e, then any input with an md5 sum starting with 0e will result in true at the statement $row->password == md5($password) Impact This...
Static Code Injection in collectiveaccess/pawtucket2
Description This is with reference to another SSRF report I made https://huntr.dev/bounties/43505ece-7d5e-44b8-a7a3-69bd42d0ad02/ in which the fix was to filter external src from images. Pawtucket2 makes use of the same code as Providence to filter HTML; however, it does not include the new fix...
in youzan/vant
✍️ Description The @vant/cli package is vulnerable to Regular Expression Denial of Service (ReDoS). An attacker that is able to provide a crafted string as the input to the decamelize function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex...
Improper Access Control in collectiveaccess/pawtucket2
Description An attacker can join any user group in the Pawtucket2 interface as the URLs are not being randomised Proof of Concept Any attacker can join the Administrator group using: http://PAWTUCKETURL/pawtucket/index.php/LoginReg/joinGroup/groupid/2 An attacker can join any group by incrementin...
in dbeaver/dbeaver
✍️ Description DBeaver is vulnerable to XML External Entity (XXE). An attacker that is able to provide a crafted XML file as input to the parseDocument function in the "XMLUtils.java" file may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files...
Open Redirect in sbrl/pepperminty-wiki
Description I saw this report https://huntr.dev/bounties/89f222e4-2aaa-44f8-8b24-657d3a0e741f/ and this fix commit: https://github.com/sbrl/Pepperminty-Wiki/blob/f59e68127cb4147e49f9453e1f657cc24972fda5/modules/page-login.php#L167 and I found out that you never use the new $returntoredirect...
in stanfordnlp/corenlp
✍️ Description The Stanford CoreNLP package, which provides a set of natural language analysis tools written in Java, is vulnerable to XML External Entity (XXE). An attacker that is able to provide a crafted XML file as input to the getTextContentFromTagsFromFile function in the "XMLUtils.java" file...
in khodakhah/nodcms
Description There is no rate limit, so unlimited emails can be sent to the victim or any email address Proof of Concept There is no rate limit on return-password; an attacker can send unlimited emails to the victim or any email address. POST /en/return-password HTTP/1.1 Host: demo.nodcms.com User-Agent: Mozilla/5.0 Windows NT...
Open Redirect in fisharebest/webtrees
Description I saw this report: https://huntr.dev/bounties/ad4278af-52b7-4c34-8d43-9b829105d499/ and also your fix commit https://www.github.com/fisharebest/webtrees/commit/551ad4afbcef2a72a6cf6461f1747762180b12c5 then I should say that the fix can be bypassed with such payloads: If the baseurl ...
Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept // PoC.js POC --...
in fisharebest/webtrees
Description There is no rate limit protection; the rate limit bypass sends unlimited emails to the victim or any email address. Proof of Concept There is no rate limit on password-request; an attacker can send unlimited emails to the victim or any email address. POST...
Cross-Site Request Forgery (CSRF) in gunet/openeclass
Description Missing CSRF token on all form POST actions in the application Proof of Concept // CSRF PoC history.pushState('', '', '/') Impact With a CSRF attack, the attacker can perform operations to add, edit, and delete data on the application through the victim...
Session Fixation in gunet/openeclass
Description The cookie before & after user login doesn't change Proof of Concept // PoC.js 1 Load the website in a new browser 2 Get the cookie before login 3 Login to the website 4 Get the cookie after login Compare those 2 values Impact Through other attack methods such as XSS, the attacker can store the user'...
Exposure of Sensitive Information to an Unauthorized Actor in blair2004/nexopos-4x
Description Unhandled exception leads to exposure of server side and sql query information. Proof of Concept 1. Go to demo page http://v4.nexopos.com and login using demo account 2. Go to Customer - Create coupon and try to create a coupon without entering coupon code leave it empty 3. See that t...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in blair2004/nexopos-4x
Description Session cookie nexopossession is not marked as Secure Proof of Concept 1. Open demo page https://v4.nexopos.com/sign-in using firefox; login using demo account 2. Go to Developer tool - Storage - Cookie and see that nexopossession has Secure = False...
Improper Authorization in blair2004/nexopos-4x
Description No authorization in downloading customer export file. Proof of Concept 1. Access this link in browser without logging in: http://v4.nexopos.com/export/customers-list.csv 2. See that you can download customer list file without logging in. Impact This vulnerability is capable of exposur...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description In some delete actions I changed the HTTP request method to GET and also removed the CSRF token from the request, and then I was able to bypass your CSRF protection...
in dompdf/dompdf
Description The Scenario 3 you described in this report https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/ actually opens up the ability to bypass chroot checks. Proof of Concept 1: Make sure you install Dompdf from GitHub https://github.com/dompdf/dompdf/ and include the following...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description Stored XSS in parameter 'msgbody' at 'Write e-mail' allows for the arbitrary execution of JavaScript Proof of Concept // PoC.req POST /demo/admprogram/modules/messages/messagessend.php HTTP/2 Host: www.admidio.org Cookie:...
in kcal-app/kcal
Description There isn't any proper authorization for the delete goal action, which leads to an IDOR vulnerability...
Open Redirect in fisharebest/webtrees
Description OpenRedirect at login with parameter &url= Proof of Concept // PoC.request POST /demo-stable/index.php?route=%2Fdemo-stable%2Flogin%2Fdemo HTTP/2 Host: dev.webtrees.net Cookie: Secure-WT-ID=ekks8678620p55do7do21jd4p1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in openfun/openedx-docker
Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/10vEIf77qf1ejR14lL5GZCMn9bZmmbIBd/view?usp=sharing Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP...
Open Redirect in blogifierdotnet/blogifier
Description Open redirect at login page due to unchecked "returnUrl" param Proof of Concept 1. Go to demo page link http://demo.blogifier.net/admin/login/?returnUrl=https://google.com 2. Login using demo account and see that you are redirected to google.com Impact This vulnerability is capable of...
in osticket/osticket
Description The forgot password can be abused to leak possible usernames due to different responses returned when a user exists or a user does not. Proof of Concept 1. Go to http://OSTICKET-SERVER/htdocs/osticket/scp/pwreset.php 2. Key in a user which does not exist, the response is: "Unable to...
in zikula/core
Description Sensitive data on the application can be exposed after the user logs out Proof of Concept // PoC 1 Login to the application 2 Go to a page like My Account 3 Click logout 4 Click the browser back button Impact When a user logs out without closing the browser, someone can view the information insid...
Heap-based Buffer Overflow in hoene/libmysofa
Description There are some heap-buffer-overflows in mysofa2json of libmysofa. They are in the functions loudness, mysofa_check and readOHDRHeaderMessageDataLayout. System info Ubuntu 20.04.3 LTS clang 12.0.1 libmysofa github master branch commit 0cb89cb Command to Reproduce build libmysofa with...
Exposure of Sensitive Information to an Unauthorized Actor in kcal-app/kcal
Description An attacker can view the foods and other information in the application through direct calls to API functions without any authentication Proof of Concept Step 1 Go to http://demo.kcal.cooking/api/v1/foods?pagenumber=1&pagesize=12...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in netdisco/netdisco
Description Session cookie dancer.session is not marked with 'Secure' Proof of Concept 1. Go to the demo page https://netdisco2-demo.herokuapp.com; the page will automatically log in as guest 2. Open the Firefox developer tools and see that the cookie dancer.session is not marked with 'Secure'...
Sensitive Cookie Without 'HttpOnly' Flag in filegator/filegator
Description HTTPOnly attribute is not set for session cookies in the application. Proof of Concept https://ibb.co/R950Vxj Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in filegator/filegator
Description Secure flag is not implemented on the application Proof of Concept https://ibb.co/nLTbftm Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies...
in kcal-app/kcal
Description Sensitive data can be exposed even after logging out of the application due to a wrong UI action Proof of Concept 1 Login to the application dashboard http://demo.kcal.cooking/ 2 Go to any pages recipes, foods 3 Click logout 4 Click the browser back button Application structure exposed we can stil...
in flarum/framework
Description Sensitive data can be exposed even after logging out of the application due to a wrong UI action Proof of Concept 1 Login to the application dashboard as admin https://demo.flarum.site/admin/ 2 Go to any pages dashboard, permissions etc 3 Click logout 4 Click the browser back button 5 Will Re-ente...
in collectiveaccess/providence
Description Sensitive data can be exposed even after logging out of the application due to a wrong UI action Proof of Concept 1 Login to the application dashboard https://demo.collectiveaccess.org 2 Go to any pages dashboard, administrations etc 3 Click logout 4 Click the browser back button Impact Any other...
Cross-site Scripting (XSS) - Stored in jonschoning/espial
Description Stored XSS in url link Proof of Concept // PoC request POST /api/add HTTP/2 Host: esp.ae8.org Cookie:...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in khodakhah/nodcms
Description Implement both Secure flag and httponly flag in the application. Proof of Concept Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from bein...