Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in jonschoning/espial
Description Implement both Secure flag and httponly flag in the application. Proof of Concept Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from bein...
in jonschoning/espial
Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. PoC https://i.ibb.co/QFTZD9j/clickjack.png Impact According to PortSwigger references, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable ...
in jonschoning/espial
Description Weak password implementation Proof of Concept step 1: log into the account and go to https://esp.ae8.org/Settings/Password step 2: change the password from demo to 12 or 1 and save the changes step 3: we can see the updated message; the application is allowing a weak password to be set. PoC image for your reference...
in gotify/server
Description On OS level, the authorization token of the user is being logged, with the default docker installation. Proof of Concept 1. Install the docker version of the software 2. Log in with any user 3. Observe the logs, and the following row is being displayed: GIN 2021/09/26 - 19:34:52 | 200...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in kcal-app/kcal
Description Implement both Secure flag and httponly flag in the application. Proof of Concept Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from bein...
in kcal-app/kcal
Description Weak password implementation Proof of Concept step 1: log into the account and go to http://demo.kcal.cooking/users/kcal/edit step 2: change the password from kcal to 12 and save the changes step 3: we can see the updated message; the application is allowing a weak password to be set. PoC image in the link below...
Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept // PoC POST Request: https://demo.opensourcepos.org/messages/send/ Data:...
Use of a Broken or Risky Cryptographic Algorithm in idno/known
Description In the referenced code, Known uses an insecure RNG to generate a password because, in its words, this should "mitigate security holes if cleanup fails"; unfortunately, if the cleanup fails, an attacker may be able to predict the password of the created account. Proof of Concept See...
in amirsanni/mini-inventory-and-sales-management-system
Description It is possible to enumerate registered emails using the forgot-password functionality, as the application shows a different response when the email exists and when it does not exist. Proof of Concept Impact The product behaves differently or sends different responses under different circumstances i...
Cross-Site Request Forgery (CSRF) in collectiveaccess/providence
Description I have found more endpoints which allow edit/duplicate that were not protected from CSRF; the endpoints are: 1: Edit Global Value in Pawtucket. 2: Change object type. 3: Duplicate object. 4: Duplicate items in the set and add to another set. Proof of Concept Via GET requests: 1...
Heap-based Buffer Overflow in mruby/mruby
Description Heap buffer overflow in mrb_vm_exec Proof of Concept // poc.rb 1.timesuntil% ;break Result ./mruby poc.rb ================================================================= ==1451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000023d9 at pc 0x55b2fc3f1046 bp...
Cross-Site Request Forgery (CSRF) in galette/galette
Description Attacker is able to execute a CSRF attack when a user visits a malicious page Proof of Concept // PoC.html history.pushState('', '', '/'); Impact This vulnerability is capable of allowing an attacker to submit CSRF through a crafted malicious page...
Code Injection in collectiveaccess/providence
Description Client side injection Proof of Concept Open https://demo.collectiveaccess.org/find/QuickSearch/Index, click on the search input and enter the code in the search bar: clickme https://i.ibb.co/tmB0K64/client.png Impact This vulnerability injects malicious code into the application...
Cross-Site Request Forgery (CSRF) in collectiveaccess/providence
Description No CSRF token and GET requests allowed in Data and Metadata imports Proof of Concept 1. Login as administrator 2. Create a directory called test in /import directory and put a CSV file inside 3. On the browser with administrator cookies, visit...
Server-Side Request Forgery (SSRF) in collectiveaccess/providence
Description Authenticated, blind SSRF vulnerability exists in CollectiveAccess. Requires edit access; tested with the default cataloguer account. Proof of Concept As the 'cataloguer' user: Step 1. Create a new object with the title: Step 2. After submitting this object, browse for objects in...
in kcal-app/kcal
Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page: save the script as clickjacking.html and the page will render in iframes...
Cross-Site Request Forgery (CSRF) in attendize/attendize
Description Attacker is able to make an event live. Proof of Concept When you are logged in, open this POC.html in a browser. history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of forcing a user to unintentionally mark an event live. Test Tested on Safari. Fix You...
Cross-Site Request Forgery (CSRF) in janeczku/calibre-web
Description CSRF bug to change a shelf from private to public Proof of Concept The below request is vulnerable to a CSRF attack: document.getElementById("test").click(); Impact CSRF bug to change anyone's shelf status from private to public...
Open Redirect in jonschoning/espial
Description Open Redirect at add url with parameter ?next= Proof of Concept // PoC.request POST /api/add HTTP/2 Host: esp.ae8.org Cookie:...
Cross-site Scripting (XSS) - Stored in jonschoning/espial
Description Stored XSS in parameter description when adding a URL Proof of Concept // PoC.request POST /api/add HTTP/2 Host: esp.ae8.org Cookie:...
Improper Privilege Management in openemr/openemr
Description A predefined Front desk receptionist has access to the Audit Log Tamper Report function. By default this is a predefined system administrator function, and no other users should be able to access it. Proof of Concept Log in with a Front desk receptionist user. Simply open t...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
Description With this CSRF any user is able to remove any punishment on any user made by the staff. Proof of Concept After you log in, open this POC.html in a browser. This will remove any punishment that's specified in the POC. history.pushState('', '', '/'); document.forms[0].submit(); This specific P...
Cross-site Scripting (XSS) - Stored in collectiveaccess/providence
Description Stored XSS via event name Proof of Concept Please check this 1 minute video to reproduce the bug: https://drive.google.com/file/d/1iMDosuZYYmFyJEVxXo7KB09TghKPs-7/view?usp=sharing Here I use the XSS payload below: xss2"'onmouseover=prompt;// Impact Stored XSS...
Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Description Reflected XSS in form Search Proof of Concept // PoC.js POST /find/QuickSearch/Index HTTP/1.1 Host: demo.collectiveaccess.org Cookie: cademo=5b9d06b7-3860-477d-9d53-85e6b2b1ae99; CAcademouilocale=enUS User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101...
Inefficient Regular Expression Complexity in crankyoldgit/irremoteesp8266
✍️ Description The IRremoteESP8266 package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide crafted input to the extractsupports function in the file scrapesupporteddevices.py may cause an application to consume an excessive amount of CPU. Below...
Open Redirect in collectiveaccess/providence
Description Open Redirect on Login with parameter ?redirect= Proof of Concept // PoC.request POST /system/Auth/DoLogin HTTP/1.1 Host: demo.collectiveaccess.org Cookie: cademo=ea7632ab-0ad8-4b0f-939f-9e292f232ff6; CAcademouilocale=enUS User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93...
in mruby/mruby
Description NULL Pointer Dereference on easet Proof of Concept // poc.rb ...1, From: +- 2 Result mruby/bin/mruby poc.rb AddressSanitizer:DEADLYSIGNAL ================================================================= ==28787==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 pc...
in aces/loris
Description It is possible to perform a clickjacking attack due to the lack of frame restrictions such as X-Frame-Options: DENY Proof of Concept Tested :: https://demo.loris.ca/ https://drive.google.com/file/d/1oSi2JpYnPjjoL6QvhFnsHcTD94KMzKBj/view?usp=sharing Impact Clickjacking is an...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF in deleting comments Proof of Concept 1. Log in using an admin/staff account 2. Go to the torrent https://unit3d.site/torrents/19comments 3. Access the link https://unit3d.site/comments/delete/5 4. See that the comment is deleted Impact This vulnerability is capable of deleting...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF in flushing peers Proof of Concept 1. Log in to a staff/admin account 2. Access this link: https://unit3d.site/dashboard/flush/peers 3. See that the peers have been flushed. Impact This vulnerability is capable of flushing peers...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description CSRF allows enabling/disabling bots; CSRF allows flushing the chatbox Proof of Concept After logging in to unit3d.site, access this link: https://unit3d.site/dashboard/chat/bots/2/disable, https://unit3d.site/dashboard/chat/bots/2/enable See that the chat bot is disabled/enabled correspondingly...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Attacker is able to run staff commands. Proof of Concept When you are logged in, open this POC.html in a browser. You can run staff-only tools. history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of forcing a user to unintentionally run staff-only tools...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Attacker is able to disable the form Proof of Concept When you are logged in, open this POC.html in a browser. You can put the website into maintenance mode. history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of disabling the website...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Attacker is able to change a torrent's featured state to un-featured if a logged-in user visits the attacker's website. Proof of Concept When you are logged in, open this POC.html in a browser. You can check that the torrent's state changed to un-featured. history.pushState('', '', '/')...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description Attacker is able to change a torrent's featured state to if a logged-in user visits the attacker's website. Proof of Concept 1. When you are logged in, open this POC.html in a browser. 2. You can check that the torrent's state changed to featured. history.pushState('', '', '/'); document.forms[0].submit();...
Inefficient Regular Expression Complexity in trentm/python-markdown2
Description I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in markdown2. The ReDoS vulnerability is mainly due to the sub-pattern with quantified overlapping adjacency and can be exploited with the following code. Proof of Concept // PoC.py import markdown2 from...
Cross-site Scripting (XSS) - Reflected in forkcms/forkcms
Description Reflected XSS in form Search Proof of Concept // PoC.request POST /frontend/ajax HTTP/1.1 Host: demo.fork-cms.com Cookie: frontendlanguage=en; PHPSESSID=megjfhiirsim3v6klp91i7qjat User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101 Firefox/93.0 Accept:...
Cross-site Scripting (XSS) - Generic in tsolucio/corebos
Description Generic XSS in RSS content allows for the arbitrary execution of JavaScript Proof of Concept // PoC Request Add RSS Feed POST /corebos/index.php?module=Rss&action=RssAjax&file=Popup&directmode=ajax&rssurl=http://127.0.0.1:9999/rss.xml HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0...
Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Description Stored XSS in Subject in To Dos Proof of Concept // PoC Request POST /corebos/index.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101 Firefox/93.0 Accept:...
Inefficient Regular Expression Complexity in cronvel/terminal-kit
Description I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in terminal-kit. It allows causing a denial of service when calling the function markupWidth. The ReDoS vulnerability is mainly due to the regex /^^|^./g and can be exploited with the following code. Proof...
Cross-site Scripting (XSS) - Stored in unclebob/fitnesse
Description Stored XSS in FileName allows for arbitrary execution of JavaScript Proof of Concept // PoC Request POST /files/ HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101 Firefox/93.0 Accept:...
Cross-site Scripting (XSS) - Stored in evereux/flicket
Description Stored XSS in the deleting departments page due to unsanitized input in many places. Proof of Concept 1. Create a new department with name 2. After creating the above department, click on the delete icon next to it and see the pop-up. 3. Create a new ticket with title 4. View the ticket and s...
Cross-site Scripting (XSS) - Reflected in sbrl/pepperminty-wiki
✍️ Description Stored XSS in action 🕵️♂️ Proof of Concept 1. Navigate to "index.php?action=alert1;&page=Main Page" 2. See XSS executed 💥 Impact With this vulnerability, you can run arbitrary JavaScript on all users...
Inefficient Regular Expression Complexity in tapjs/tap-mocha-reporter
Description I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in tap-mocha-reporter. The ReDoS vulnerability is mainly due to the regex /^\s+|\s+$|/g and can be exploited with the following code. Proof of Concept // PoC.js var tapMochaReporter =...
Inefficient Regular Expression Complexity in validatorjs/validator.js
Description I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in validator. It allows causing a denial of service when calling the function 'rtrim'. The ReDoS vulnerability is mainly due to the regex /\s+$/g and can be exploited with the following code. Proof of Concept ...
in dompdf/dompdf
Description DomPDF is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents function. If an attacker can upload files of any type to the server, they can pass in the phar:// protocol to unserialize the uploaded file and instantiate...
in osticket/osticket
Description The URL parser incorrectly parses the URL given in IFrame src attributes. An attacker is able to inject iframe elements linking to arbitrary domains which can be viewed by admins, bypassing the embedded domain whitelist. Proof of Concept will render the malicious-server site rather than...
Inefficient Regular Expression Complexity in ampproject/amphtml
✍️ Description The amphtml package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted template as input to the expandTemplate function of core/types/string/index.js may cause an application to consume an excessive amount of CPU. Below pinned...
Inefficient Regular Expression Complexity in alvations/sacremoses
✍️ Description The sacremoses package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted text as input to the hasnumericonly function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex...
Inefficient Regular Expression Complexity in pyload/pyload
✍️ Description The pyload package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide crafted HTML comments as input to the comments function of utils/web/purge.py may cause an application to consume an excessive amount of CPU. Below pinned line using...