Cross-Site Request Forgery Vulnerability in Logout Functionality
Description Logout CSRF is a security vulnerability where an attacker forces a user to unknowingly log out of their session by tricking them into triggering a logout request through a malicious website or link. GET http://localhost:8080/logout Proof of Concept history.pushState('', '', '/')...
Stored XSS when Add Reviewer
Description Stored XSS when Add Reviewer Proof of Concept Payload: TESTalertdocument.domain Video Poc https://drive.google.com/file/d/16o4w6V-uCpkshFXYBb-pZRflpl7N3Sy4/view?usp=sharing...
CSRF in Cancel Reviewer and Reinstate Reviewer
Description CSRF in Cancel Reviewer and Reinstate Reviewer Proof of Concept Link Poc I attach the Poc link below. Thank You. https://drive.google.com/drive/folders/1QA5Kz6w2AgYdFDoDX2hHWK0zHAPoWt?usp=sharing...
CSRF in Review Details
Description CSRF in Review Details Proof of Concept 1. Attacker sends a fake form to the user: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, and unwanted Recommendation and Reviewer rating changes are made Video Poc...
heap-use-after-free in MP4Box
Description heap-use-after-free in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Asan 33mTTML...
2 FPE in MP4Box
Description 2 FPE in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Reproduce ./MP4Box -dash 100...
memcpy-param-overlap in MP4Box
Description memcpy-param-overlap in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Asan 32mDashe...
4 heap-buffer-overflow in MP4Box
Description 4 heap-buffer-overflow in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Reproduce...
2 stack-buffer-overflow in MP4Box
Description 2 stack-buffer-overflow in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Reproduce...
3 SEGV in MP4Box
Description 3 SEGV in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Reproduce ./MP4Box -dash...
NULL Pointer Dereference in function gf_filter_pck_new_alloc_internal
Description NULL Pointer Dereference in function gf_filter_pck_new_alloc_internal at filter_core/filter_pck.c:108. Version git log commit 5692dc729491805e0e5f55c21d50ba1e6b19e88e HEAD -> master, origin/master, origin/HEAD Author: Aurelien David Date: Wed Oct 11 13:24:46 2023 +0200 ac3dmx: add remain size...
heap-buffer-overflow in ac3dmx_process
Description Heap-buffer-overflow in ac3dmx_process at filters/reframe_ac3.c:489. Version git log commit 5692dc729491805e0e5f55c21d50ba1e6b19e88e HEAD -> master, origin/master, origin/HEAD Author: Aurelien David Date: Wed Oct 11 13:24:46 2023 +0200 ac3dmx: add remain size check (fixes #2627) ./MP4Box...
privilege escalation bug to edit survey
BUG ======== normal user can edit any survey AFFECTED VERSION ============ 6.2.10 SUMMARY ========== normal user has view permission in survey. But still that user can edit the survey by adding that survey to his own group. STEP TO REPRODUCE ================= 1. There is already a superadminuser-...
heap-use-after-free in function editing_arg_idx
Description heap-use-after-free in function editing_arg_idx at arglist.c:516 Vim Version git log commit 54844857fd6933fa4f6678e47610c4b9c9f7a091 HEAD -> master, tag: v9.0.2009, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S editingargidxPOC2 -c :qa!...
post body leaked to third party site when 303 redirect happens
BUG ======= post body leaked to third party site when 303 redirect happens SUMMARY ============ as per the specification provided at https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections, during redirection of a 303 POST request, the body should be lost and the request method should be GET. check the...
Cross-Site Request Forgery (CSRF) in
Description CSRF led to change permissions of participant in Edit Assignment sessions. Proof of Concept Payload: https://drive.google.com/file/d/1dHY9CS6R4mKM4F0im5n1aUxFamMEjbAa/view?usp=sharing Video PoC: https://drive.google.com/file/d/1AdDFE-qOF-EvVEJzzXKguMfr6ZkXXEx/view?usp=drivelink...
Stored XSS in function Add discussion at the Copyediting section
Description I tested the demo site you provided and I see that there is a stored XSS in function Add discussion Proof of Concept payload: thanh"alert1 Steps 1. Login as any user 2. In the Unassigned section and click view 3. In the Workflow click Copyediting section and Add discussion 4. Insert...
CSRF in Payment Types
Description CSRF in Payment Types Proof of Concept 1. Attacker sends a fake form to the user: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, and unwanted payment types are edited Video Poc https://drive.google.com/file/d/1jI4bW5BJXGdJ7kICI-K1Kmg5y2EPw7f0/view?usp=sharing Payload Poc...
Root takeover via signature spoofing
Description When an app requests "CMD_BECOME_MANAGER" via prctl, a couple of checks are done before promoting the uid to root manager. The main check relies on the requester's signature. Signature control is done in the check_v2_signature function in kernel/apk_sign.c; this function accepts both V2 and V3 signatures...
Heap OOB Read
Environment Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the latest release as of 10/08/23, the current master branch at commit 50c2ab06f45a3101d73d6f317e98f041809f4923. Description This AddressSanitizer output is indicating an OOB read of inval...
CSRF in Send Reminder
Description CSRF in Send Reminder Proof of Concept 1. Attacker sends a fake form to the victim: history.pushState('', '', '/'); document.forms[0].submit(); 2. Victim clicks, and an unexpected send reminder is executed Video Poc https://drive.google.com/file/d/1eibfxIbACA6DWObg2bjZjJBiqTPlwWd/view?usp=sharing...
Improper Authorization allows opening of arbitrary files
Description Tested on Build94 of the Inure application. It was discovered that the application had an exported activity .activities.association.TextViewerActivity which accepted intent data via the file scheme + text/ mime type and opened the associated files from provided URI data string. The...
Cross-Site Request Forgery Vulnerability in Logout Functionality
Description Logout CSRF is a security vulnerability where an attacker forces a user to unknowingly log out of their session by tricking them into triggering a logout request through a malicious website or link. The csrftoken for the logout interface is invalid; it is recommended to change it to...
Stored Cross Site Scripting (XSS)
Description The location endpoint is not sanitized, which leads to Stored Cross Site Scripting (XSS) Proof of Concept 1. Login as a standard user (non-admin) Asset page List All https://drive.google.com/file/d/1qymhc6sMe9EeS2bOe4CE2XTAbzFkgHao/view?usp=drivelink 2. Click to open any asset Edit Ass...
RXSS in onpremises version of structurizr
Description During investigation it was found that the onpremises api endpoint GET parameter version is vulnerable to XSS injection: /workspace/workspaceid?version=1; Proof of Concept 1. Visit the link provided: http:///workspace/1/?version=1%22;alert1; 2. XSS injected...
SQL Injection in opportunities module
Description During the save of the opportunity the duplicate_parent_id is not properly validated and cleaned, which allows for injecting SQL. Proof of Concept Add a SQL injection statement to the opportunities duplicate_parent_id on the save request...
Stored XSS in Attachment File Name
Description A stored cross-site scripting vulnerability exists within the file attachment upload functionality. Replication Steps 0x01. As a user with only the "Edit Record" and "Add Attachments" permissions, the user proceeded to edit a FAQ record and clicked "Add new attachment", as seen in the...
Application allows excessively long password value
Description Vrite v0.2.0 allows excessively long passwords to be set for user accounts, which introduces several issues and challenges, primarily related to performance, storage, and compatibility. Proof of Concept 1. Make a user profile in the app. 2. Go to settings, security, Change password. 3. I...
Heap BoF in trunc_string()
Environment Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the master branch as of 09/25 at commit 6ee7b521fa7531ef356ececc8be7575c3800f872. Description Heap BoF in the file /src/message.c in the function trunc_string at line 356. Snippet bufe -...
CSRF in Save Box Settings
Description CSRF in Save Box Settings Proof of Concept 1. Attacker sends a fake form to the user: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, and the home interface is changed Video Poc https://drive.google.com/file/d/18y9P7SZuHgNC3uzmD50Xo82Yrmp5V4VS/view?usp=sharing...
CWE-476 leads to potential OOB Read
Environment Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the master branch as of 09/25 at commit f109bf93c9402e4e3122a7ae7846e6feae4fa222. Description This AddressSanitizer output is indicating an OOB read that is semi-controllable, but is...
CSRF on marking an admin task as complete
Description A data-altering method is done through a GET request in AdminTaskToggleDoneView, making it vulnerable to a CSRF attack. In Django, a GET request is considered a safe method and is not protected against CSRF. Proof of Concept class AdminTaskToggleDoneView(LoginRequiredMixin,...
Open Redirect
Description There is an open redirect in the endpoint /project/switch/project due to the use of Symfony's redirect function on user-controlled input. Proof of Concept $targetPath = $request->query->get('targetPath', false); if ($targetPath) return $this->redirect($targetPath);...
CSRF edit Blacklist settings( YES to NO)
Description CSRF edit Blacklist settings Proof of Concept 1. For example, the data fields in the Blacklist settings are all set to: YES. 2. The attacker sends a fake form to the user: history.pushState('', '', '/'); document.forms[0].submit(); 3. User clicks, and the setting is changed to NO, which the user...
Reflected XSS in /admin/index.php
Description I noticed your website is very secure. But you overlooked a flaw: XSS Proof of Concept 1. Step 1: Access the demo website 2. Step 2: Access admin/index.php?action=ngductung"img src/onerror="alert'XSS' 3. Step 3: Detect XSS Video PoC...
Stored XSS when Edit label set
Description Stored XSS when Edit label set. I noticed you have filtered the input when creating the label set. But perhaps you forgot to filter when editing the label set. Proof of Concept 1. Create a label set 2. Edit label set with payload: haidoalertdocument.domain 3. Click Export multiple...
Heap OOB Read
Environment Distributor ID: Debian Description: Debian GNU/Linux bookworm/sid Version I checked against the latest release as of 09/28/23, the current master branch at commit c5603fa8de0e7d4460718e28f90989ffdf925494. Description This AddressSanitizer output is indicating an OOB read of inval...
CSRF Edit Locale files
Description CSRF edit Locale files Proof of Concept 1. Attacker sends fake requests to users: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, and unwanted Locale files are edited Payload Poc https://drive.google.com/file/d/1wpgmDoK0fGsiPSKfThVoEWq50pj7sBz5/view?usp=sharing Video Poc...
CSRF Delete Navigation Menu Items
Description CSRF Delete Navigation Menu Items Proof of Concept 1. Attacker sends fake requests to users: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, and unwanted Navigation Menu Items are deleted Payload Poc...
CSRF Delete Categories
Description CSRF Delete Categories Proof of Concept 1. Attacker sends fake requests to users: history.pushState('', '', '/'); document.forms[0].submit(); 2. User clicks, and unwanted Categories are deleted Payload Poc https://drive.google.com/file/d/12cCzI-b9KLCRlND6MmjM6j-DJfTJiIt/view?usp=sharing Video Poc...
SSRF vulnerability in the vrite
Description This vulnerability can be used to leak remote server information and bypass CDNs like Cloudflare. It can also be used for SSRF attacks. Proof of Concept Here we can use it to leak the real IP of https://app.vrite.io. GET /proxy?url=https://your-vps-ip.nip.io/ HTTP/2 Host: app.vrite....
Incorrect Authorization in User role
Description Incorrect Authorization in User role Proof of Concept 1. By default, administrator User ID = 1 cannot add user roles 2. Remove the "disable" class in Inspect 3. After that, the user role is added successfully Video Poc https://drive.google.com/file/d/1vQPHZwaghByHsqEgQI9p3EiGeVCTbLK7/view?usp=shari...
Add arbitrary users to the user group
Description Add arbitrary users to the user group Proof of Concept 1. Administrator user haido456 creates a user group named group456 2. User hai123 has general user rights but has the right to add arbitrary users to the user group group456 3. This includes users that the admin does not want...
Session is not expiring after password resetting
Description Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs; in this case the session is not expired after the password change Proof of Concept 1. Open http://localhost:8188/studio/profile in 2 browsers I use Firefox a...
No rate limit on sending magic link to sign-in
Description It was observed that rate limiting is not implemented on sending the magic link, which allows an attacker to spam the victim's mailbox. Affected URL: https://app.vrite.io/api/v1/auth.sendMagicLink?batch=1 Proof of Concept 1. Visit https://app.vrite.io/auth 2. Select option "continue...
stored xss using journal-role when user tries to export users of any journal
BUG ========== stored xss using journal-role when user tries to export users of any journal SUMMARY ========= lower level user can attack higher level user using this xss STEP TO REPRODUCE ================ 1. from Admin account create a journal called "journal-A". 2. Admin goes to above journal...
Disabled accounts still work normally
Description Disabled accounts still work normally Proof of Concept The account A is logged in and active. Admin suddenly disabled that account, but account A still works normally. Video Poc https://drive.google.com/file/d/15OHZF71pJyGaU30dQaw6NglkpZEhpOPm/view?usp=sharing...
Stored XSS at Label sets list (Version 6.2.7)
Description First of all, I apologize for reporting back. I noticed the latest current version is 6.2.7. XSS vulnerabilities still exist Proof of Concept Detail: 1. Login and access Label sets list 2. Create new label set 3. Insert payload into Title haido" onclick="alert1 4. Click save ==...
Insufficient Session Expiration
Description User's action is still valid when admin changed privileges. Proof of Concept 1. Admin creates user1 and grants all privileges. 2. Go into incognito mode and login as user1, then go to the user list page. 3. Admin creates user2, and in user1's browser refresh the page to see user2. 4. Then admin...
Improper validation of intent data received in TextViewerActivity allows opening of arbitrary files in hamza417/inure
Description Tested on Build89 of the Inure application. It was discovered that the application had an exported activity .activities.association.TextViewerActivity which accepted intent data via the file scheme + text/ mime type and opened the associated files from provided URI data string. The...