
4057 matches found

Huntr
added 2021/09/18 3:43 p.m. | 11 views

Inefficient Regular Expression Complexity in mochajs/mocha

Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in mocha. It allows cause a denial of service when stripping crafted invalid function definition from strs. The ReDoS vulnerability is mainly due to the regex...

AI score: 1.9
Exploits: 0
Huntr
added 2021/09/18 11:19 a.m. | 5 views

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in spiral-project/ihatemoney

Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/10p4ejCFsLA6LO32nPNTRKqZjlqVHVpUf/view?usp=sharing Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP...

Exploits: 0 | References: 1
Huntr
added 2021/09/17 5:31 p.m. | 9 views

in zikula/core

Description Sensitive Data can be exposed even after logging out of the application Proof of Concept Tested url :: https://demo.ziku.la/ Tested on :: Firefox 1 Login to the application 2 Got my account 3 Click logout button 4 Press browser back button 5 Now we can re-enter the dashboard Impact...

AI score: 6.9
Exploits: 0
Huntr
added 2021/09/17 4:23 p.m. | 9 views

Inefficient Regular Expression Complexity in validatorjs/validator.js

Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in validator. It allows cause a denial of service when validating crafted invalid MagnetURIs. The ReDoS vulnerability is mainly due to the sub-pattern .+&tr=.+ with quantified overlapping adjacency and c...

AI score: 2.3
Exploits: 0
Huntr
added 2021/09/17 6:23 a.m. | 11 views

Inefficient Regular Expression Complexity in isaacs/minimatch

Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in minimatch. It allows cause a denial of service when calling function braceExpand. The ReDoS vulnerability is mainly due to the regex /./ and can be exploited with the following code. Proof of Concept...

AI score: 2.3
Exploits: 0
Huntr
added 2021/09/17 6:15 a.m. | 21 views

Heap-based Buffer Overflow in mruby/mruby

Description Heap buffer overflow in mruby Proof of Concept // poc.rb %= % .clear ensure begin unless ?n = % :regex or 11 Compile mruby with asan git clone https://github.com/mruby/mruby cd mruby LDFLAGS="-fsanitize=address" CFLAGS="-fsanitize=address -g" make ./bin/mruby poc.rb Result ./bin/mruby...

AI score: 7.7
Exploits: 0
Huntr
added 2021/09/17 5:08 a.m. | 8 views

Cross-site Scripting (XSS) - Stored in zoujingli/thinkadmin

Description Stored XSS Content allows for the arbitrary execution of JavaScript Proof of Concept In Wechat management at feature - Reply rule management - Follow reply configuration - Default reply configuration - Follow automatic replies Save Reply text with payload : \x3csVg/\x3e XSS will trigg...

AI score: 2.1
Exploits: 0
Huntr
added 2021/09/16 9:07 p.m. | 6 views

Session Fixation in alovoa/alovoa

Description On changing password both session using which user changes password and old sessions in any other browser or device does not expire and remains active. Proof of Concept STEPS TO REPRODUCE: 1. Log in to Browser A and make sure to check 'stay logged in to this device' checkbox while...

AI score: 2
Exploits: 0 | References: 1
Huntr
added 2021/09/16 7:36 p.m. | 12 views

Stack-based Buffer Overflow in gwsw/less

Description The less utility is a pager used by many applications and setups. One such setup is access to log files. If permissions are not sufficient for regular users, less can be called with sudo. LESSSECURE=1 can be set to disable many dangerous operations which a regular user should not be...

AI score: 1.5
Exploits: 0 | References: 1
Huntr
added 2021/09/16 5:04 p.m. | 8 views

Inefficient Regular Expression Complexity in chocobozzz/peertube

Description Hello Again dear Peertube team. I found inefficient regular expression in that have a Polynomial execution time that can lead to ReDoS attacks and it is better to replace it with another regex or use Google re2 regex engine for server-side code. Proof of Concept I create two...

AI score: 0.2
Exploits: 0
Huntr
added 2021/09/16 4:40 p.m. | 14 views

Cross-site Scripting (XSS) - Stored in zhongshaofa/easyadmin

Description Stored XSS in FileName allows for arbitrary execution of JavaScript Proof of Concept At Upload Management Upload File Image with filename : Sun'set.jpg Image Upload File https://user-images.githubusercontent.com/31820707/133646077-b6a14692-fea3-4a37-95e7-eb4c4e6f9073.png Image XSS...

AI score: 0.7
Exploits: 0
Huntr
added 2021/09/16 2:31 p.m. | 10 views

in zoujingli/thinkadmin

Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept: please Note that this leads also to a verbose error that shows credentials of the owner . Ex : Link --...

Exploits: 0
Huntr
added 2021/09/16 11:06 a.m. | 6 views

Inefficient Regular Expression Complexity in faisalman/ua-parser-js

Description Hello my dear I found another inefficient regular expression in ua-parser-js that have a Polynomial execution time not exponential but still dangerous. Proof of Concept I create two payloads that you can compare the execution times between them in Regexr provided links. payload 1...

AI score: 6.8
Exploits: 0
Huntr
added 2021/09/16 6:36 a.m. | 9 views

in khodakhah/nodcms

Description Violation of secure design principles Proof of Concept step 1: click on login page and login into account. step 2: we can see dashboard and further options inside the application step 3: logout from application step 4: directly visit the url: https://demo.nodcms.com/admin/ step 5:...

AI score: 0.1
Exploits: 0 | References: 1
Huntr
added 2021/09/16 6:04 a.m. | 5 views

Exposure of Sensitive Information to an Unauthorized Actor in opendatacube/odc-tools

Description Information Disclosure AWS PrincipleID, sourceIPAddress, configurationId and more. Proof of Concept https://raw.githubusercontent.com/opendatacube/odc-tools/develop/apps/dctools/tests/data/sentinel-2-nrt20200821.json Impact Leaks Sensitive Data...

AI score: 0.5
Exploits: 0
Huntr
added 2021/09/16 3:58 a.m. | 12 views

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in ledgersmb/ledgersmb

Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/1ESnBKwFef8D42A2VD3W59vXMLdWhCxS9/view?usp=sharing Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP...

CVSS: 4 | EPSS: 0.00116
Exploits: 1 | References: 1
Huntr
added 2021/09/15 2:54 p.m. | 15 views

in khodakhah/nodcms

Description Clear Text submission of password through unencrypted channel Proof of Concept POST /en/login HTTP/1.1 Host: demo.nodcms.com User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:92.0 Gecko/20100101 Firefox/92.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language:...

AI score: 7.1
Exploits: 0 | References: 1
Huntr
added 2021/09/15 2:32 p.m. | 10 views

Sensitive Cookie Without 'HttpOnly' Flag in babybuddy/babybuddy

Description HttpOnly flag not mentioned Proof of Concept step to reproduce below show request GET /login/?next=/google.com HTTP/1.1 Host: demo.baby-buddy.net User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:92.0 Gecko/20100101 Firefox/92.0 Accept:...

AI score: 7.2
Exploits: 0 | References: 1
Huntr
added 2021/09/15 2:02 p.m. | 9 views

in babybuddy/babybuddy

Description Violation of secure design principles Proof of Concept step 1: login to account and logout step 2: click back button in browser step 3: check right corner of there we can see user profile option step 4: click on that application settings is getting listed PoC image attached as link...

AI score: 6.6
Exploits: 0 | References: 1
Huntr
added 2021/09/15 1:51 p.m. | 10 views

in babybuddy/babybuddy

Description Weak password implementation Proof of Concept step 1: login into account step 2: goto settings http://demo.baby-buddy.net/user/password/ step 3: change password admin to 12 and save changes step 4: we can see updated message application is allowing to set weak password. poc of image i...

AI score: 7
Exploits: 0 | References: 1
Huntr
added 2021/09/15 9:14 a.m. | 10 views

Cross-site Scripting (XSS) - Stored in mineweb/minewebcms

Description A malicious actor is able to add new Notification with a malicious payload, and upon the user receives the notification, the malicious payload is being executed. Proof of Concept - 1; Log in with any user, who is able to submit notifications - 2; Create a new notification at...

AI score: 1.2
Exploits: 0
Huntr
added 2021/09/15 8:54 a.m. | 7 views

in zoujingli/thinkadmin

Description upload file to any path Proof of Concept User can upload file to any path by path-traversal POST /admin/api.upload/file.html HTTP/2 Host: v6.thinkadmin.top Cookie: lang=zh-cn; PHPSESSID=88a2945fb139bb74f87137d2144709ab; limit=20 Content-Length: 14170 Sec-Ch-Ua: "Google Chrome";v="93",...

AI score: 7.1
Exploits: 0
Huntr
added 2021/09/15 8:24 a.m. | 11 views

Code Injection in zoujingli/thinkadmin

Description remote code execution Proof of Concept Below request is vulnerable to arbitrary system command injection. During file upload it does not properly check file upload which allow to upload php file and this php file will execute system command POST /admin/api.upload/file.html HTTP/2...

AI score: 1
Exploits: 0
Huntr
added 2021/09/15 6:45 a.m. | 9 views

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in babybuddy/babybuddy

Description Secure flag is not implemented on the application Proof of Concept https://drive.google.com/file/d/1zWCQRRZl42kEbqrs0QS4hXyUdjnBRf/view Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The...

Exploits: 0 | References: 1
Huntr
added 2021/09/15 6:00 a.m. | 8 views

Cross-site Scripting (XSS) - DOM in zoujingli/thinkadmin

Description DOM based xss via url hash fragment Proof of Concept First login into https://v6.thinkadmin.top and then visit https://v6.thinkadmin.top/admin.htmlhttps://bbounty.000webhostapp.com/cors.php?id=xxxxx2 and see xss is executed Impact DOM based xss via url hash fragment...

AI score: 1.3
Exploits: 0
Huntr
added 2021/09/15 4:37 a.m. | 7 views

Cross-site Scripting (XSS) - Stored in zoujingli/thinkadmin

Description Stored xss Proof of Concept Plz check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1hyN4X9gIgQJH2B5QEFhkniGt78sIw1iF/view?usp=sharing Impact Xss allow to arbitrary javascript code execution...

AI score: 1
Exploits: 0
Huntr
added 2021/09/14 3:48 p.m. | 13 views

Cross-site Scripting (XSS) - Stored in zoujingli/thinkadmin

Description Stored xss via name Proof of Concept 1. First goto https://v6.thinkadmin.top/admin.html/admin/base.html?type=datea&spm=m-2-4-8 and edit a data and put below xss payload in Data name field . xss"' Now see xss is executed VIDEO...

AI score: 3
Exploits: 0
Huntr
added 2021/09/14 3:11 p.m. | 13 views

Cross-site Scripting (XSS) - DOM in mineweb/minewebcms

✍️ Description A malicious actor is able to add a malicious payload as a new Navigation Bar Link Title, and after every time any users visit the main root page of the website, the XSS payload is executed and the session of whoever visits the site is compromised. 🕵️‍♂️ Proof of Concept 1; Create a...

AI score: 0.7
Exploits: 0
Huntr
added 2021/09/14 2:34 p.m. | 7 views

Cross-site Scripting (XSS) - Stored in mineweb/minewebcms

Description A malicious actor is able to add a malicious payload as a new Page Title, and after every time any administrative user visits the /admin/pages route, the XSS payload is executed. Proof of Concept 1;Create a new Page at the following route: /admin/pages/add. Use the following payload a...

AI score: 0.9
Exploits: 0
Huntr
added 2021/09/14 7:25 a.m. | 10 views

Cross-Site Request Forgery (CSRF) in pheditor/pheditor

Description Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering such as sending a link via email or chat, an attacker may trick the users of a web...

AI score: 0.9
Exploits: 0 | References: 2
Huntr
added 2021/09/14 7:02 a.m. | 31 views

Cross-site Scripting (XSS) - Reflected in pheditor/pheditor

Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...

AI score: 5.3
Exploits: 0 | References: 2
Huntr
added 2021/09/14 6:59 a.m. | 10 views

Path Traversal in pheditor/pheditor

Description A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash ../” sequences and its variations or by using absolute file paths, it may be...

AI score: 1.1
Exploits: 0 | References: 2
Huntr
added 2021/09/14 6:11 a.m. | 11 views

Open Redirect in sbrl/pepperminty-wiki

Description Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain...

AI score: 0.2
Exploits: 0 | References: 2
Huntr
added 2021/09/14 6:04 a.m. | 5 views

Cross-site Scripting (XSS) - Reflected in sbrl/pepperminty-wiki

Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...

AI score: 5.3
Exploits: 0 | References: 2
Huntr
added 2021/09/14 5:54 a.m. | 8 views

in sbrl/pepperminty-wiki

Unrestricted Upload of File with Dangerous Type allows javascript injection Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file...

AI score: 7
Exploits: 0 | References: 2
Huntr
added 2021/09/14 5:36 a.m. | 13 views

Path Traversal in dmpop/mejiro

Description A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash ../” sequences and its variations or by using absolute file paths, it may be...

AI score: 1.5
Exploits: 0 | References: 2
Huntr
added 2021/09/14 5:31 a.m. | 8 views

Cross-site Scripting (XSS) - Reflected in dmpop/mejiro

Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...

AI score: 5.3
Exploits: 0 | References: 2
Huntr
added 2021/09/14 5:20 a.m. | 12 views

Cross-site Scripting (XSS) - Stored in dmpop/mejiro

Description Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...

AI score: 5.3
Exploits: 0 | References: 2
Huntr
added 2021/09/14 5:05 a.m. | 13 views

in dmpop/mejiro

Description Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish this...

AI score: 0.6
Exploits: 0 | References: 2
Huntr
added 2021/09/14 4:09 a.m. | 10 views

Cross-site Scripting (XSS) - Reflected in area17/twill

Description The Application is vulnerable to reflected cross-site scripting attack. URL: /contact/offices/ Parameter: offset Proof of Concept Open the following URL in the browser for POC...

AI score: 0.2
Exploits: 0 | References: 1
Huntr
added 2021/09/14 1:52 a.m. | 168 views

Inefficient Regular Expression Complexity in fb55/nth-check

Description I would like to report a Regular Expression Denial of Service ReDoS vulnerability in nth-check. It allows cause a denial of service when parsing crafted invalid CSS nth-checks. The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s?:+-?\s\d+? with quantified...

CVSS: 5 | AI score: 2.5 | EPSS: 0.00166
Exploits: 1
Huntr
added 2021/09/13 3:59 p.m. | 8 views

Cross-Site Request Forgery (CSRF) in microweber/microweber

Description Attacker able to delete any file In Files module if this module enabled there isn't any csrf protection in this endpoint. Proof of Concept After open the PoC.html file you can see that the file with name 1.jpg will be deleted. //PoC.html history.pushState'', '', '/'...

AI score: 2
Exploits: 0
Huntr
added 2021/09/13 3:43 p.m. | 20 views

Prototype Pollution in antfu/utils

Description @antfu/utils is a collection of common JavaScript / TypeScript utils. It is vulnerable to Prototype Pollution on the deepMerge function. This allows for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. About the vulnerability Prototype Pollution...

CVSS: 7.5 | AI score: 7.3 | EPSS: 0.00227
Exploits: 1 | References: 1
Huntr
added 2021/09/13 2:22 p.m. | 25 views

Prototype Pollution in mariocasciaro/object-path

Description object-path package is vulnerable to Prototype Pollution. The del function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects. Proof of Concept Creat...

CVSS: 5 | AI score: 4.6 | EPSS: 0.0065
Exploits: 1
Huntr
added 2021/09/13 10:02 a.m. | 7 views

Cross-Site Request Forgery (CSRF) in glpi-project/glpi

✍️ Description Hello dear glpi team I found one more CSRF vulnerability. 🕵️‍♂️ Proof of Concept 1. first user already should be logged in In Firefox or safari. 2. Open the PoC.html and click on submit button Also it can be auto-submit 3. Here a Planning start and end times with itemsid 3 will be...

AI score: 0.4
Exploits: 0
Huntr
added 2021/09/13 8:19 a.m. | 11 views

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in tildeclub/site

✍️ Description The file signup-handler.php creates a user by accepting input from request parameters username, email, interest, sshkey. The affected parameter is sshkey. It does not sanitizes special characters and only checks if the first 4 character of the input is ssh- which allows the signup...

AI score: 2.4
Exploits: 0
Huntr
added 2021/09/13 7:01 a.m. | 8 views

Cross-Site Request Forgery (CSRF) in e107inc/e107

✍️ Description Attacker or malicious user is able to change emoticons activation status if a logged in user visits attacker website. 🕵️‍♂️ Proof of Concept 1.when you logged in open this POC.html in a browser 2.you can check unintentionally emoticons deactivated //POC.html history.pushState'', '',...

AI score: 2.1
Exploits: 0 | References: 1
Huntr
added 2021/09/13 6:59 a.m. | 12 views

Cross-Site Request Forgery (CSRF) in e107inc/e107

✍️ Description Attacker or malicious user is able to change search setting “specific for one area such comments" if a logged in user visits attacker website. because lack of CSRF token 🕵️‍♂️ Proof of Concept 1.when you logged in open this POC.html in a browser 2.you can check unintentionally some...

AI score: 0.8
Exploits: 0 | References: 1
Huntr
added 2021/09/13 6:56 a.m. | 13 views

Cross-Site Request Forgery (CSRF) in e107inc/e107

✍️ Description Attacker or malicious user is able to change delete any banning record if a logged in user visits attacker website. because lack of CSRF token "checking" 🕵️‍♂️ Proof of Concept 1.when you logged in open this POC.html in a browser 2.you can check unintentionally blacklist record with...

AI score: 1.2
Exploits: 0 | References: 1
Huntr
added 2021/09/13 6:54 a.m. | 14 views

Cross-Site Request Forgery (CSRF) in e107inc/e107

✍️ Description Attacker or malicious user is able to change URL configuration if a logged in user visits attacker website. because lack of CSRF token 🕵️‍♂️ Proof of Concept 1.when you logged in open this POC.html in a browser 2.you can check unintentionally your search URL changed form /search.php...

AI score: 0.5
Exploits: 0 | References: 1

Total number of security vulnerabilities: 4057