Cross-Site Request Forgery (CSRF) in
Description CSRF leads to changing the permissions of a participant in Edit Assignment sessions. Proof of Concept Payload: https://drive.google.com/file/d/1dHY9CS6R4mKM4F0im5n1aUxFamMEjbAa/view?usp=sharing Video PoC: https://drive.google.com/file/d/1AdDFE-qOF-EvVEJzzXKguMfr6ZkXXEx/view?usp=drive_link...
Stored XSS in function Add discussion at the Copyediting section
Description I tested the demo site you provided and I see that there is a stored XSS in the function Add discussion. Proof of Concept payload: thanh"alert1 Steps 1. Login as any user 2. In the Unassigned section, click view 3. In the Workflow, click the Copyediting section and Add discussion 4. Insert...
CSRF in Payment Types
Description CSRF in Payment Types Proof of Concept 1. Attacker sends a fake form to the user: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, unwanted payment types are edited Video PoC https://drive.google.com/file/d/1jI4bW5BJXGdJ7kICI-K1Kmg5y2EPw7f0/view?usp=sharing Payload PoC...
Root takeover via signature spoofing
Description When an app requests "CMDBECOMEMANAGER" via prctl, a couple of checks are done before promoting the uid to root manager. The main check relies on the requester's signature. Signature control is done in the checkv2signature function in kernel\apksign.c; this function accepts both V2 and V3 signatures...
Heap OOB Read
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the latest release as of 10/08/23 the current master branch at commit 50c2ab06f45a3101d73d6f317e98f041809f4923 . Description This AddressSanitizer output is indicating an OOB read of inval...
CSRF in Send Reminder
Description CSRF in Send Reminder Proof of Concept 1. Attacker sends a fake form to the victim: history.pushState('', '', '/'); document.forms[0].submit(); 2. Victim clicks, an unexpected send reminder is executed Video PoC https://drive.google.com/file/d/1eibfxIbACA6DWObg2bjZjJBiqTPlwWd/view?usp=sharing...
Improper Authorization allows opening of arbitrary files
Description Tested on Build94 of the Inure application. It was discovered that the application had an exported activity .activities.association.TextViewerActivity which accepted intent data via the file scheme + text/ mime type and opened the associated files from provided URI data string. The...
Cross-Site Request Forgery Vulnerability in Logout Functionality
Description Logout CSRF is a security vulnerability where an attacker forces a user to unknowingly log out of their session by tricking them into triggering a logout request through a malicious website or link. The csrftoken for the logout interface is invalid; it is recommended to change it to...
Stored Cross Site Scripting (XSS)
Description The location endpoint is not sanitized, which leads to Stored Cross Site Scripting (XSS) Proof of Concept 1. Login as a standard (non-admin) user, Asset page, List All https://drive.google.com/file/d/1qymhc6sMe9EeS2bOe4CE2XTAbzFkgHao/view?usp=drive_link 2. Click to open any asset, Edit Ass...
RXSS in onpremises version of structurizr
Description During investigation it was found that the on-premises API endpoint GET parameter version is vulnerable to XSS injection: /workspace/workspaceid?version=1; Proof of Concept 1. Visit the link provided: http:///workspace/1/?version=1%22;alert1; 2. XSS injected...
SQL Injection in opportunities module
Description During the save of the opportunity, the duplicateparentid is not properly validated and cleaned, which allows for injecting SQL. Proof of Concept Add a SQL injection statement to the opportunities duplicateparentid in the save request...
Stored XSS in Attachment File Name
Description A stored cross-site scripting vulnerability exists within the file attachment upload functionality. Replication Steps 0x01. As a user with only the "Edit Record" and "Add Attachments" permissions, the user proceeded to edit a FAQ record and clicked "Add new attachment", as seen in the...
Application allows excessively long password value
Description Vrite v0.2.0 allows excessively long passwords to be set for user accounts, which introduces several issues and challenges, primarily related to performance, storage, and compatibility. Proof of Concept 1. Make a user profile in the app. 2. Go to settings, security, Change password. 3. I...
Heap BoF in trunc_string()
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the master branch as of 09/25 at commit 6ee7b521fa7531ef356ececc8be7575c3800f872 . Description Heap BoF in the file /src/message.c in the function trunc_string at line 356. Snippet c bufe -...
CSRF in Save Box Settings
Description CSRF in Save Box Settings Proof of Concept 1. Attacker sends a fake form to the user: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, the home interface is changed Video PoC https://drive.google.com/file/d/18y9P7SZuHgNC3uzmD50Xo82Yrmp5V4VS/view?usp=sharing...
CWE-476 leads to potential OOB Read
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the master branch as of 09/25 at commit f109bf93c9402e4e3122a7ae7846e6feae4fa222 . Description This AddressSanitizer output is indicating an OOB read that is semi-controllable, but is...
CSRF on marking an admin task as complete
Description A data-altering method is done through a GET request in AdminTaskToggleDoneView, making it vulnerable to a CSRF attack. In Django, a GET request is considered a safe method and is not protected against CSRF. Proof of Concept python class AdminTaskToggleDoneView(LoginRequiredMixin,...
Open Redirect
Description There is an open redirect in the endpoint /project/switch/project due to the use of Symfony's redirect function on user-controlled input. Proof of Concept php $targetPath = $request->query->get('targetPath', false); if ($targetPath) return $this->redirect($targetPath);...
CSRF edit Blacklist settings( YES to NO)
Description CSRF edit Blacklist settings Proof of Concept 1. For example, the data fields in the Blacklist settings are all set to: YES. 2. The attacker sends a fake form to the user: history.pushState('', '', '/'); document.forms[0].submit(); 3. User clicks, changing the setting to NO, which the user...
Reflected XSS in /admin/index.php
Description I noticed your website is very secure. But you overlooked a flaw: XSS Proof of Concept 1. Step 1: Access the demo website 2. Step 2: Access admin/index.php?action=ngductung"img src/onerror="alert'XSS' 3. Step 3: Detect XSS Video PoC...
Store XSS when Edit label set
Description Stored XSS when editing a label set. I noticed you have filtered the input when creating the label set. But perhaps you forgot to filter when editing the label set. Proof of Concept 1. Create a label set 2. Edit the label set with payload: haidoalertdocument.domain 3. Click Export multiple...
Heap OOB Read
Environment bash Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the latest release as of 09/28/23 the current master branch at commit c5603fa8de0e7d4460718e28f90989ffdf925494 . Description This AddressSanitizer output is indicating an OOB read of inval...
CSRF Edit Locale files
Description CSRF edit Locale files Proof of Concept 1. Attacker sends fake requests to users: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, unwanted Locale files are edited Payload PoC https://drive.google.com/file/d/1wpgmDoK0fGsiPSKfThVoEWq50pj7sBz5/view?usp=sharing Video PoC...
CSRF Delete Navigation Menu Items
Description CSRF Delete Navigation Menu Items Proof of Concept 1. Attacker sends fake requests to users: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, unwanted Navigation Menu Items are deleted Payload PoC...
CSRF Delete Categories
Description CSRF Delete Categories Proof of Concept 1. Attacker sends fake requests to users: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, unwanted Categories are deleted Payload PoC https://drive.google.com/file/d/12cCzI-b9KLCRlND6MmjM6j-DJfTJiIt/view?usp=sharing Video PoC...
SSRF vulnerability in the vrite
Description This vulnerability can be used to leak remote server information and bypass a CDN like Cloudflare. It can also be used for SSRF attacks. Proof of Concept Here we can use it to leak the real IP of https://app.vrite.io. GET /proxy?url=https://your-vps-ip.nip.io/ HTTP/2 Host: app.vrite....
Incorrect Authorization in User role
Description Incorrect Authorization in User role Proof of Concept 1. By default, the administrator (User ID = 1) cannot add user roles 2. Remove the "disable" class in Inspect 3. After that, adding the user role succeeds Video PoC https://drive.google.com/file/d/1vQPHZwaghByHsqEgQI9p3EiGeVCTbLK7/view?usp=shari...
Add arbitrary users to the user group
Description Add arbitrary users to the user group Proof of Concept 1. Administrator user haido456 creates a user group named group456 2. User hai123 has general user rights but has the right to add arbitrary users to the user group group456 3. This includes users that the admin does not want...
Session is not expiring after password resetting
Description Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs; in this case the session is not expired after the password change Proof of Concept 1. Open http://localhost:8188/studio/profile in 2 browsers (I use Firefox a...
No rate limit on sending magic link to sign-in
Description It was observed that rate limiting is not implemented on sending the magic link, which allows an attacker to spam the victim's mailbox. Affected URL: https://app.vrite.io/api/v1/auth.sendMagicLink?batch=1 Proof of Concept 1. Visit https://app.vrite.io/auth 2. Select the option "continue...
stored xss using journal-role when user try to export user of any journal
BUG ========== stored xss using journal-role when user tries to export users of any journal SUMMARY ========= lower level user can attack higher level user using this xss STEPS TO REPRODUCE ================ 1. from the Admin account create a journal called "journal-A". 2. Admin goes to the above journal...
Disabled accounts still work normally
Description Disabled accounts still work normally Proof of Concept Account A is logged in and active. The admin suddenly disables that account, but account A still works normally. Video PoC https://drive.google.com/file/d/15OHZF71pJyGaU30dQaw6NglkpZEhpOPm/view?usp=sharing...
Store XSS at Label sets list in (Version 6.2.7)
Description First of all, I apologize for reporting back. I noticed the latest current version is 6.2.7. XSS vulnerabilities still exist Proof of Concept Detail: 1. Login and access Label sets list 2. Create new label set 3. Insert payload into Title haido" onclick="alert1 4. Click save ==...
Insufficient Session Expiration
Description User's actions are still valid when the admin has changed privileges. Proof of Concept 1. Admin creates user1 and grants all privileges. 2. Go into incognito mode, login as user1, then go to the user list page. 3. Admin creates user2, and in user1's browser refresh the page to see user2. 4. Then admin...
Improper validation of intent data received in TextViewerActivity allows opening of arbitrary files in hamza417/inure
Description Tested on Build89 of the Inure application. It was discovered that the application had an exported activity .activities.association.TextViewerActivity which accepted intent data via the file scheme + text/ mime type and opened the associated files from provided URI data string. The...
IDOR - Users can change Administrator information (User ID = 1 )
Description IDOR - Users can change Administrator information (User ID = 1) Proof of Concept 1. Create an account with all rights. 2. Detect that by default the administrator (user ID = 1) information cannot be changed. 3. Broken access control: can change administrator (user ID = 1) information Video PoC...
Deleted account still has the right to create, delete other accounts (delete surveys)
Description An account that has been deleted still has the right to create and delete surveys of other accounts Proof of Concept Video PoC https://drive.google.com/file/d/1kvNqK8tYvWDabLigI6dZsp4kpKKkrfIx/view?usp=sharing...
NULL Pointer Dereference
Environment Windows 10 22H2 19045.3448 Version I checked against the latest trunk as of 09/19/23 at commit 3a126babc77dd5af4cd8fb0c45d8c0eb172c7b8c and the current release 4.12.0. Description This is a null pointer dereference that causes the IE driver to crash when Selenium gets the cookies from...
No rate limiting on creating access token
Description: Access token creation is a critical security component in many applications, especially when it comes to user authentication and authorization. Without proper rate limiting controls, attackers may exploit this process to launch various types of attacks, such as brute force attacks,...
SQL Injection in `icms2/install/index.php`
Introduction I'm quite hesitant about reporting this vulnerability. After thinking about it, I knew I needed to provide this information to you! As described in the documentation https://docs.instantcms.ru/en/manual/instal, in the Post-Installation steps, you described that the installation director...
Password Reset link hijacking via Host Header Poisoning
Description LinkStack uses the Host header when sending out password reset links. This allows an attacker to insert a malicious host header, leading to password reset link / token leakage. Tested on a default Docker Compose installation of LinkStack https://github.com/LinkStackOrg/linkstack-docke...
Time-Based Blind SQL injection leads to database extraction
Proof of Concept Log in to your account, then copy the cookie and paste it into the raw request below POST /ajaxtable.php HTTP/1.1 Host: demo.librenms.org User-Agent: Mozilla/5.0 Windows NT 10.0; rv:78.0 Gecko/20100101 Firefox/78.0 Content-Length: 221 Accept: / Accept-Language: en-US,en;q=0.5 Content-Type:...
Multiple Self-XSS Vulnerabilities
Description Multiple Self-XSS Vulnerabilities are triggered at multiple endpoints. http://localhost:8083/edit/server/ There is a bug in the web/templates/pages/editserver.php file. The attacker can control $vtimezone. php ', theme: '', language: '', hasSmtpRelay: , remoteBackupEnabled: , backupType: '',...
STORED XSS in Journal-> Sections
Description Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XS...
XSS/CSRF in GetImage Endpoint
Description The endpoint at /o/get/image?url= does not have sufficient protections to protect users from CSRF and XSS. An attacker can craft a malicious SVG image that will allow them to perform any action as the victim. In the case where the victim is the admin, this can lead to a site takeover...
Dom XSS in module "Search IPv6"
Description 1. Access the IPv6 search function 2. Enter the payload in the IPv4 field to perform the search Payload: "alertdocument.cookie 3. Press the search button and the payload will be executed Proof of Concept Link video PoC:...
Stored XSS at LOGO+USER menu
Description Please enter a description of the vulnerability. Proof of Concept Login with the admin account, visit https://demo.instantcms.io/admin/widgets?templatename=modern&scrollto=row-14, navigate to the logo+user menu tab, insert payload 1" onmouseover = "alert'hackedbytisha' at Parent row Tag CSS clas...
Admin account TakeOver
Description The endpoint api/system/update-env allows any authenticated user to change env variables of the back-end process: js process.env[envKey] = value; The envKey value comes from here: js const envKey, checks = KEYMAPPING[key]; One of the values in the KEYMAPPING dictionary is: js JWTSecre...
Improper input validation leads to arbitrary file deletion
Description The /process endpoint of the Python API in collector/api.py exposes an endpoint waiting for a POST request with a parameter named filename: py @api.route("/process", methods=["POST"]) def processfile(): content = request.json targetfilename = content.get("filename") print(f"Processing...
Stored XSS in Widgets and pages in instantsoft/icms2
Description I noticed that you filtered the input very carefully. But there are still some parts you missed Proof of Concept 1. Login with admin 2. Go to "http://localhost/o2/admin/menu/itemedit/18" 3. Insert payload in CSS class 4. Click save, go to the home page, and detect stored XSS in...