4057 matches found
Clickjacking in kcal-app/kcal
Description It is possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page: save the script as clickjacking.html and the page will render in iframes...
Cross-Site Request Forgery (CSRF) in attendize/attendize
Description Attacker is able to make an event live. Proof of Concept When you are logged in, open this POC.html in a browser. history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of forcing a user to unintentionally mark an event live. Test Tested on Safari. Fix You...
Cross-Site Request Forgery (CSRF) in janeczku/calibre-web
Description CSRF bug to change a shelf from private to public Proof of Concept The request below is vulnerable to a CSRF attack: document.getElementById("test").click(); Impact CSRF bug to change anyone's shelf status from private to public...
Open Redirect in jonschoning/espial
Description Open Redirect on add URL with parameter ?next= Proof of Concept // PoC.request POST /api/add HTTP/2 Host: esp.ae8.org Cookie:...
Cross-site Scripting (XSS) - Stored in jonschoning/espial
Description Stored XSS in parameter description when adding a URL Proof of Concept // PoC.request POST /api/add HTTP/2 Host: esp.ae8.org Cookie:...
Improper Privilege Management in openemr/openemr
Description A predefined Front desk receptionist has access to the Audit Log Tamper Report function. By default this is a predefined system administrator function, and no other users should be able to access this function. Proof of Concept Log in with a Front desk receptionist user Simply open t...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
Description With this CSRF any user is able to remove any punishment on any user made by the staff. Proof of Concept After you log in, open this POC.html in a browser. This will remove any punishment that's specified in the POC. history.pushState('', '', '/'); document.forms[0].submit(); This specific P...
Cross-site Scripting (XSS) - Stored in collectiveaccess/providence
Description Stored XSS via event name Proof of Concept Please check this 1-minute video to reproduce the bug https://drive.google.com/file/d/1iMDosuZYYmFyJEVxXo7KB09TghKPs-7/view?usp=sharing Here I use the XSS payload below: xss2"'onmouseover=prompt;// Impact Stored XSS...
Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Description Reflected XSS in form Search Proof of Concept // PoC.js POST /find/QuickSearch/Index HTTP/1.1 Host: demo.collectiveaccess.org Cookie: cademo=5b9d06b7-3860-477d-9d53-85e6b2b1ae99; CAcademouilocale=enUS User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101...
Inefficient Regular Expression Complexity in crankyoldgit/irremoteesp8266
✍️ Description The IRremoteESP8266 package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide crafted input to the extract_supports function in the file scrape_supported_devices.py may cause an application to consume an excessive amount of CPU. Below...
Open Redirect in collectiveaccess/providence
Description Open Redirect on Login with parameter ?redirect= Proof of Concept // PoC.request POST /system/Auth/DoLogin HTTP/1.1 Host: demo.collectiveaccess.org Cookie: cademo=ea7632ab-0ad8-4b0f-939f-9e292f232ff6; CAcademouilocale=enUS User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93...
NULL Pointer Dereference in mruby/mruby
Description NULL Pointer Dereference on easet Proof of Concept // poc.rb ...1, From: +- 2 Result mruby/bin/mruby poc.rb AddressSanitizer:DEADLYSIGNAL ================================================================= ==28787==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 pc...
Clickjacking in aces/loris
Description It is possible to perform a clickjacking attack due to the lack of frame restrictions such as X-Frame-Options: DENY. Proof of Concept Tested on https://demo.loris.ca/ https://drive.google.com/file/d/1oSi2JpYnPjjoL6QvhFnsHcTD94KMzKBj/view?usp=sharing Impact Clickjacking is an...
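Both clickjacking reports above (kcal and LORIS) come down to one question: does the response carry a framing restriction a browser will honour? The following is an added example, not code from either report or project. It evaluates a response's headers the way browsers do: a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options, DENY blocks all framing, SAMEORIGIN allows only the page's own origin, and a missing or unrecognised value (including the obsolete ALLOW-FROM, which current browsers ignore) leaves the page framable. The origins used are hypothetical.

```javascript
// Added example, not code from the kcal or LORIS reports: given the response
// headers of a page, decide whether a given attacker origin can load it in an
// iframe. CSP frame-ancestors wins over X-Frame-Options when both are present;
// X-Frame-Options DENY blocks all framing, SAMEORIGIN allows only the page's own
// origin; a missing or unrecognised value leaves the page framable.

function lowerCaseHeaders(headers) {
  // Case-insensitive lookup; repeated headers are joined with commas, as HTTP does.
  const out = new Map();
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    out.set(key, out.has(key) ? `${out.get(key)}, ${value}` : String(value));
  }
  return out;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

function frameAncestorsAllow(sources, framerOrigin, pageOrigin) {
  // sources: the tokens after "frame-ancestors", e.g. ["'self'", "https://*.example"]
  const framer = new URL(framerOrigin);
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") {
      if (framerOrigin === pageOrigin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) {          // scheme-source such as "https:"
      if (framer.protocol === src) return true;
      continue;
    }
    // host-source: [scheme://] [*.]host [:port | :*]
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/);
    if (!m) continue;
    const [, scheme, wildcard, host, port] = m;
    if (scheme && `${scheme}:` !== framer.protocol) continue;
    const hostMatches = wildcard
      ? framer.hostname.endsWith(`.${host}`)
      : framer.hostname === host;
    if (!hostMatches) continue;
    const framerPort = framer.port || defaultPort(framer.protocol);
    if (port && port !== '*' && port !== framerPort) continue;
    return true;
  }
  return false;
}

function canBeFramed(headers, pageOrigin, framerOrigin) {
  const h = lowerCaseHeaders(headers);
  const csp = h.get('content-security-policy');
  if (csp) {
    for (const directive of csp.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
        return frameAncestorsAllow(tokens.slice(1), framerOrigin, pageOrigin);
      }
    }
  }
  const xfoValues = [...new Set(
    (h.get('x-frame-options') || '').split(',').map((v) => v.trim().toUpperCase()).filter(Boolean)
  )];
  if (xfoValues.length > 1) return false;          // conflicting values: browsers refuse to frame
  const xfo = xfoValues[0] || '';
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true;                                     // no (or unrecognised, e.g. ALLOW-FROM) restriction
}
```

A page for which canBeFramed returns true for an arbitrary origin is exactly the situation the two reports describe; the fix is either X-Frame-Options: DENY or, preferably, a frame-ancestors directive, since the latter can also allow a specific partner origin.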
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF in deleting comments Proof of Concept 1. Log in using an admin/staff account 2. Go to torrent https://unit3d.site/torrents/19comments 3. Access the link https://unit3d.site/comments/delete/5 4. See that the comment is deleted Impact This vulnerability is capable of deleting...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF in flushing peers Proof of Concept 1. Log in with a staff/admin account 2. Access this link https://unit3d.site/dashboard/flush/peers 3. See that the peers have been flushed. Impact This vulnerability is capable of flushing peers...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF allows enabling/disabling bots; CSRF allows flushing the chatbox Proof of Concept After logging in to unit3d.site, access this link: https://unit3d.site/dashboard/chat/bots/2/disable, https://unit3d.site/dashboard/chat/bots/2/enable See that the chat bot is disabled/enabled correspondingly...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Attacker is able to run staff commands. Proof of Concept When you are logged in, open this POC.html in a browser. You can run staff-only tools. history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of forcing a user to unintentionally run staff-only tools...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Attacker is able to disable the form Proof of Concept When you are logged in, open this POC.html in a browser. You can put the website into maintenance mode. history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of disabling the website...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Attacker is able to change a torrent's featured state to un-featured if a logged-in user visits the attacker's website. Proof of Concept When you are logged in, open this POC.html in a browser. You can check that the torrent's state changed to un-featured. history.pushState('', '', '/');...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Attacker is able to change a torrent's featured state to featured if a logged-in user visits the attacker's website. Proof of Concept 1. When you are logged in, open this POC.html in a browser. 2. You can check that the torrent's state changed to featured. history.pushState('', '', '/'); document.forms[0].submit();...
Inefficient Regular Expression Complexity in trentm/python-markdown2
Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in markdown2. The ReDoS vulnerability is mainly due to the sub-pattern with quantified overlapping adjacency and can be exploited with the following code. Proof of Concept // PoC.py import markdown2 from...
Cross-site Scripting (XSS) - Reflected in forkcms/forkcms
Description Reflected XSS in form Search Proof of Concept // PoC.request POST /frontend/ajax HTTP/1.1 Host: demo.fork-cms.com Cookie: frontendlanguage=en; PHPSESSID=megjfhiirsim3v6klp91i7qjat User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101 Firefox/93.0 Accept:...
Cross-site Scripting (XSS) - Generic in tsolucio/corebos
Description Generic XSS in RSS content allows for the arbitrary execution of JavaScript Proof of Concept // PoC Request Add RSS Feed POST /corebos/index.php?module=Rss&action=RssAjax&file=Popup&directmode=ajax&rssurl=http://127.0.0.1:9999/rss.xml HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Stored XSS in Subject in To Dos Proof of Concept // PoC Request POST /corebos/index.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101 Firefox/93.0 Accept:...
Inefficient Regular Expression Complexity in cronvel/terminal-kit
Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in terminal-kit. It allows causing a denial of service when calling the function markupWidth. The ReDoS vulnerability is mainly due to the regex /^^|^./g and can be exploited with the following code. Proof...
Cross-site Scripting (XSS) - Stored in unclebob/fitnesse
Description Stored XSS in FileName allows for arbitrary execution of JavaScript Proof of Concept // PoC Request POST /files/ HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101 Firefox/93.0 Accept:...
Cross-site Scripting (XSS) - Stored in evereux/flicket
Description Stored XSS on the delete departments page due to unsanitized input in many places. Proof of Concept 1. Create a new department with name 2. After creating the above department, click on the delete icon next to it and see the pop-up. 3. Create a new ticket with title 4. View the ticket and s...
Cross-site Scripting (XSS) - Reflected in sbrl/pepperminty-wiki
✍️ Description Stored XSS in action 🕵️‍♂️ Proof of Concept 1. Navigate to "index.php?action=alert1;&page=Main Page" 2. See XSS executed 💥 Impact With this vulnerability, you can run arbitrary JavaScript on all users...
Inefficient Regular Expression Complexity in tapjs/tap-mocha-reporter
Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in tap-mocha-reporter. The ReDoS vulnerability is mainly due to the regex /^\s+|\s+$|/g and can be exploited with the following code. Proof of Concept // PoC.js var tapMochaReporter =...
Inefficient Regular Expression Complexity in validatorjs/validator.js
Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in validator. It allows causing a denial of service when calling the function 'rtrim'. The ReDoS vulnerability is mainly due to the regex /\s+$/g and can be exploited with the following code. Proof of Concept ...
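The validator.js rtrim regex /\s+$/g above and the tap-mocha-reporter trim regex /^\s+|\s+$|/g two entries up fail the same way: on input like many spaces followed by a single non-space character, the engine starts a \s+ match at every position, runs to the end of the run, fails at $, and backtracks, so the work grows quadratically with the length of the run. The following is an added example, not code from validator.js, tap-mocha-reporter or their reports. It keeps the reported regex for comparison and shows the linear replacement: scan inward from each end, testing one character at a time against the same \s class so the Unicode whitespace behaviour is unchanged, and honour the optional chars argument that validator's rtrim accepts.

```javascript
// Added example, not code from validator.js or tap-mocha-reporter. The regex
// form is the one reported; the *Linear functions visit each character once.

const VULNERABLE_RTRIM = /\s+$/;                   // as reported: O(n^2) on "   ...   x"

function rtrimRegex(str) {
  return str.replace(VULNERABLE_RTRIM, '');
}

function makeTrimTest(chars) {
  // Without a chars argument, match exactly what \s matches (including Unicode
  // spaces), but on a single character so each test is constant time.
  return chars ? (c) => chars.includes(c) : (c) => /\s/.test(c);
}

function rtrimLinear(str, chars) {
  const isTrim = makeTrimTest(chars);
  let end = str.length;
  while (end > 0 && isTrim(str[end - 1])) end--;
  return str.slice(0, end);
}

function ltrimLinear(str, chars) {
  const isTrim = makeTrimTest(chars);
  let start = 0;
  while (start < str.length && isTrim(str[start])) start++;
  return str.slice(start);
}

function trimLinear(str, chars) {
  return ltrimLinear(rtrimLinear(str, chars), chars);
}
```

When checking a fix for this class of bug, test equivalence with the regex on short inputs only, and run the long adversarial input (a few hundred thousand spaces plus one letter) through the new code alone; feeding it to the original regex is the denial of service being fixed.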
PHAR Deserialization in dompdf/dompdf
Description DomPDF is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents function. If an attacker can upload files of any type to the server, they can pass in the phar:// protocol to unserialize the uploaded file and instantiate...
Embedded Domain Whitelist Bypass in osticket/osticket
Description The URL parser incorrectly parses the URL given in iframe src attributes. An attacker is able to inject iframe elements linking to arbitrary domains which can be viewed by admins, bypassing the embedded domain whitelist. Proof of Concept will render malicious-server site rather than...
Inefficient Regular Expression Complexity in ampproject/amphtml
✍️ Description The amphtml package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide a crafted template as input to the expandTemplate function of core/types/string/index.js may cause an application to consume an excessive amount of CPU. Below pinned...
Inefficient Regular Expression Complexity in alvations/sacremoses
✍️ Description The sacremoses package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide a crafted text as input to the has_numeric_only function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex...
Inefficient Regular Expression Complexity in pyload/pyload
✍️ Description The pyload package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide crafted HTML comments as input to the comments function of utils/web/purge.py may cause an application to consume an excessive amount of CPU. Below pinned line using...
Cross-site Scripting (XSS) - Stored in zikula-modules/content
Description Stored XSS in External element Feed when created Content Proof of Concept POST /content/item/edit?type=Zikula%5CContentModule%5CContentType%5CFeedType HTTP/2 Host: demo.ziku.la Cookie: zsid=5idn7q9udrp7mgirikmdlep45d User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0...
Cross-site Scripting (XSS) - Stored in zikula/core
Description Stored XSS in Blocks Module when Create new block with Block type ZikulaBlocksModule/Xslt Proof of Concept POST /blocks/admin/block/edit/8 HTTP/2 Host: demo.ziku.la Cookie: zsid=5idn7q9udrp7mgirikmdlep45d User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101...
Inefficient Regular Expression Complexity in josdejong/jsoneditor
✍️ Description The jsoneditor package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide a crafted element as input to the getInnerText function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex...
Open Redirect in zikula/core
Description Open Redirect on Login with parameter ?returnUrl= Proof of Concept POST /login?returnUrl=https://google.com HTTP/2 Host: demo.ziku.la Cookie: zsid=b6g4qa64983t2tg073uh1e1rjm User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101 Firefox/93.0 Accept:...
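The three open redirect reports on this page (espial's ?next=, CollectiveAccess's ?redirect= and Zikula's ?returnUrl= above) are the same bug: a redirect parameter is used as given. The following is an added example, not code from any of those projects or reports. It resolves the parameter against the site's own origin with the WHATWG URL parser, which is the parser browsers use, so the cases that defeat naive string checks (protocol-relative //host, backslash variants, userinfo tricks, javascript: URLs, look-alike subdomains) all come out as a foreign origin and fall back to a fixed local path. The site origin and fallback are hypothetical.

```javascript
// Added example, not code from the espial, CollectiveAccess or Zikula reports:
// validate a ?next= / ?redirect= / ?returnUrl= value before redirecting to it.
// siteOrigin must be an origin string with no trailing slash, e.g. "https://demo.ziku.la".

function safeRedirectTarget(candidate, siteOrigin, fallback = '/') {
  if (typeof candidate !== 'string' || candidate.length === 0) return fallback;
  let url;
  try {
    url = new URL(candidate, siteOrigin);     // relative paths resolve against our own origin
  } catch {
    return fallback;                          // unparseable input
  }
  // Rejects "https://evil.example", "//evil.example", "/\evil.example" (a
  // backslash is a slash in http(s) URLs), "https://site@evil.example",
  // "javascript:..." (origin "null"), "https://site.example.evil.example"
  // and "http://site.example" (scheme downgrade is a different origin).
  if (url.origin !== siteOrigin) return fallback;
  // Re-emit only the local part, so the Location header never carries a host.
  return url.pathname + url.search + url.hash;
}
```

Returning pathname plus search and hash rather than the original string also normalises inputs such as an explicit :443 port or leading whitespace, and means a later change of the site's hostname cannot turn stored redirect values into off-site ones.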
Cross-site Scripting (XSS) - Stored in zikula-modules/content
Description Stored XSS in Content allows for the arbitrary execution of JavaScript Proof of Concept POST /content/admin/page/edit HTTP/2 Host: demo.ziku.la Cookie: zsid=3u8efffphk5430gdmlevluk6fa User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101 Firefox/93.0 Accept:...
Inefficient Regular Expression Complexity in nltk/nltk
✍️ Description The nltk package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide as an input to the _read_comparison_block function in the file "nltk/corpus/reader/comparative_sents.py" may cause an application to consume an excessive amount of CPU. Belo...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Description Hello dear firefly-iii team I found some CSRFs with low priority in firefly-iii...
Server-Side Request Forgery (SSRF) in osticket/osticket
Description The SSRF vulnerability in osTicket detailed in CVE-2020-24881 is still unfixed: attackers can still make arbitrary requests via the server to the private network via the PDF print generator, although they will not be able to exfiltrate anything other than image data. Proof of Concept ...
Cross-site Scripting (XSS) - Stored in causefx/organizr
Description When creating a new Tab, the name of the tab can store JavaScript. This also happens, when editing the name of an existing Tab. - I tested it with docker image for Organizr hash 7fb764ccd226. organizr/organizr latest 7fb764ccd226 4 weeks ago 73.3MB - Branch is v2-master. Proof of...
Inefficient Regular Expression Complexity in pksunkara/inflect
✍️ Description The inflect package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide a crafted tablename as input to the classify function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex. 🕵️‍♂️...
Cross-Site Request Forgery (CSRF) in janeczku/calibre-web
Description Hi team, the /shelf/remove/id and /shelf/add/id endpoints are vulnerable to CSRF, leading to the possibility to add and remove shelves' items on behalf of the victim user. Proof of Concept 1. Install the application 2. Create a new shelf (id == 1 in this case) 3. The attacker sends the...
Cross-site Scripting (XSS) - Stored in zikula-modules/mediamodule
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept // PoC.js Steps to reproduce : 1 -- Go to link -- https://demo.ziku.la/media/media/create/paste/url 2 -- Inject Payload in...
Cross-site Scripting (XSS) - Reflected in zikula/core
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept // PoC.js POST /categories/admin/category/contextMenu HTTP/2 Host: demo.ziku.la Cookie: zsid=a9b37grip4in2kp0j6kaugdvrh...
Cross-site Scripting (XSS) - Reflected in zikula/core
Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Proof of Concept // PoC Request: POST /permissions/test HTTP/1.1 Host: demo.ziku.la Cookie: zsid=qk60gkn4dmhgrjc6io2kt3dij4 User-Agent:...
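Most entries on this page are stored or reflected XSS (CollectiveAccess event names, coreBOS subjects and RSS content, FitNesse file names, the Zikula blocks, feeds and categories, Organizr tab names). The following is an added example, not code from any of those projects or reports. It puts the vulnerable pattern (user input concatenated into HTML) beside the hardened form (output encoding chosen for the context the value lands in), using the payload from the CollectiveAccess event-name report with its call parentheses restored. The markup, field names and the JavaScript-string encoder for values embedded inside script blocks are hypothetical.

```javascript
// Added example, not code from any of the XSS reports on this page.

const ATTACK = `xss2"'onmouseover=prompt()//`;   // from the CollectiveAccess report, parentheses restored

// Vulnerable: the value lands inside a double-quoted attribute, so the
// embedded " closes the attribute and onmouseover=... becomes a live handler.
function renderEventNameUnsafe(name) {
  return `<input name="event" value="${name}">`;
}

// Encoding for HTML text and quoted-attribute contexts: these five characters
// are the ones that can change parsing in either context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Encoding for a JavaScript string literal inside <script> (the shape of the
// RSS/feed injections above): escape backslash first, then quotes, line
// terminators, and the "</" that could end the script element early.
function escapeJsString(s) {
  return String(s)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/');
}

// Hardened: same template, value encoded for the attribute context.
function renderEventNameSafe(name) {
  return `<input name="event" value="${escapeHtml(name)}">`;
}

// Check used in review: an encoded attribute value must contain no raw quote,
// < or >, so it cannot terminate its quotes or open a tag.
function attributeIsInert(encoded) {
  return !/["'<>]/.test(encoded);
}
```

The choice of encoder follows the context, not the input: the same event name needs escapeHtml when it goes into an attribute or element body and escapeJsString when a template writes it into a script block, and a value that passes through both contexts needs both, in that order.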
Missing Rate Limiting in zikula/core
Description Rate limit bypass: unlimited emails can be sent to the victim or any email address Proof of Concept There is no rate limit on lost-user-name, so an attacker can send unlimited emails to the victim or any email address. POST /zauth/account/lost-user-name HTTP/1.1 Host: demo.ziku.la User-Agent: Mozilla/5.0 Windows NT...