4072 matches found
Path Traversal in lampnick/doctron
⚠️ Description doctron is a golang tool that helps with conversion of HTML to PDF or image. The input is not validated to check whether it is a valid web URL. Trying to access local files using file:/// works. This allows getting a screenshot/PDF of sensitive files on the system. 🕵️‍♂️ Proof of Concept A demo...
Inefficient Regular Expression Complexity in daaku/nodejs-tmpl
⚠️ Description It allows causing a denial of service when formatting a crafted string. 🕵️‍♂️ Proof of Concept // PoC.js var tmpl = require("tmpl"); for (var i = 1; i <= 50000; i++) { var time = Date.now(); var attackstr = "" + "".repeat(i * 10000) + "answer"; tmpl(attackstr, { answer: 42 }); var timecost = Date.now() - time;...
Open Redirect in digitalbazaar/forge
⚠️ Description The parseUrl functionality in node-forge mishandles certain uses of backslash such as https:///\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as a normal slash, while node-forge sees it as a relative path, leading to URL...
Improper Authorization in imran300/inventory
⚠️ Description A General manager user can edit/add other groups' PERMISSIONS LIST via IDOR. 🕵️‍♂️ Proof of Concept Go to this URL when logged in as a General manager: http://localhost:8000/inventory/index.php/generals/addgroup and then you can see that Permissions can be bypassed. 💥 Impact This...
Improper Authorization in imran300/inventory
⚠️ Description A Designer user can deactivate any other user (IDOR). 🕵️‍♂️ Proof of Concept Go to this URL when logged in as a Designer: http://localhost:8000/inventory/index.php/Users/deactiveStatus/10 and then you can see that the user with id 10 will be deactivated. 💥 Impact This vulnerability is...
Improper Authorization in imran300/inventory
⚠️ Description A Designer user can activate any other user (IDOR). 🕵️‍♂️ Proof of Concept Go to this URL when logged in as a Designer: localhost:8000/inventory/index.php/Users/activeStatus/10 and then you can see that the user with id 10 will be activated. 💥 Impact This vulnerability is capable of...
Improper Authorization in imran300/inventory
⚠️ Description A Designer user can delete any other user (IDOR). 🕵️‍♂️ Proof of Concept Go to this URL when logged in as a Designer: localhost/inventory/users/deleteusers/10 and then you can see that the user with id 10 will be deleted. 💥 Impact This vulnerability is capable of deleting any user...
Cross-Site Request Forgery (CSRF) in imran300/inventory
⚠️ Description You didn't set any CSRF protection for deleting a user. 🕵️‍♂️ Proof of Concept // PoC.html history.pushState('', '', '/'); document.forms[0].submit(); After the admin opens the PoC.html file, the user with id 7 will be deleted. 💥 Impact This vulnerability is capable of deleting any user with...
Cross-Site Request Forgery (CSRF) in imran300/inventory
⚠️ Description You didn't set any CSRF protection for deactivating a user. 🕵️‍♂️ Proof of Concept // PoC.html history.pushState('', '', '/'); document.forms[0].submit(); After the admin opens the PoC.html file, the user with id 7 will be deactivated. 💥 Impact This vulnerability is capable of deactivating any...
Cross-Site Request Forgery (CSRF) in imran300/inventory
⚠️ Description You didn't set any CSRF protection for activating a user. 🕵️‍♂️ Proof of Concept // PoC.html history.pushState('', '', '/'); document.forms[0].submit(); After the admin opens the PoC.html file, the user with id 7 will be activated. 💥 Impact This vulnerability is capable of activating any user...
Heap-based Buffer Overflow in vim/vim
⚠️ Description Hello, we hope this message finds you well during these challenging times. Whilst testing vim built from commit deba5e with Ubuntu clang version 12.0.0-3ubuntu1~20.04.3 and Address Sanitizer, we discovered crafted input which triggers a heap-buffer-overflow, WRITE of size 15. Please...
Inefficient Regular Expression Complexity in nervjs/taro
⚠️ Description A ReDoS (regular expression denial of service) flaw was found in the @tarojs/helper package. An attacker that is able to provide crafted input as url may cause an application to consume an excessive amount of CPU. 🕵️‍♂️ Proof of Concept Create the following poc.mjs // PoC.mjs import...
Cross-site Scripting (XSS) - Stored in leantime/leantime
⚠️ Description A malicious actor is able to add a new Client with a malicious payload, and upon opening the research menu, the XSS payload is executed. 🕵️‍♂️ Proof of Concept - 1; Log in with a properly roled user - 2; Add a new client to the system at the upper right corner at the /clients/showAll/ URI...
Cross-site Scripting (XSS) - Stored in leantime/leantime
⚠️ Description A malicious actor is able to add a new Milestone with a malicious payload, and upon opening the research menu, the XSS payload is executed. 🕵️‍♂️ Proof of Concept - 1; Log in with a properly roled user - 2; Add a new Milestone to the system at the /tickets/roadmap URI with the +...
in leantime/leantime
⚠️ Description In the source code of the application, the Secret Hash value and the initialization vector are hardcoded. 🕵️‍♂️ Proof of Concept In the following code snippet, we can see the hard-coded secret hash and IV. private $encryptionMethod = 'AES-256-CBC'; private $secrethash =...
Inefficient Regular Expression Complexity in x-neuron/antdfront
⚠️ Description A ReDoS (regular expression denial of service) flaw was found in the antdFront package. An attacker that is able to provide crafted input to the isUrl(input) function may cause an application to consume an excessive amount of CPU. 🕵️‍♂️ Proof of Concept Create the following poc.mjs //...
Cross-site Scripting (XSS) - Stored in leantime/leantime
⚠️ Description A malicious actor is able to add a New Project with a malicious payload, and upon opening the research menu, the XSS payload is executed. 🕵️‍♂️ Proof of Concept 1; Log in with a properly roled user 2; Add a new Project to the system at the /projects/showAll/ URI with the + New...
Cross-site Scripting (XSS) - Stored in leantime/leantime
⚠️ Description A malicious actor is able to add a "new Retrospective" with a malicious payload, and upon opening the research menu, the XSS payload is executed. 🕵️‍♂️ Proof of Concept - 1; Log in with a properly roled user - 2; Add a new board to the system at the Retrospective menu on the left - 3;...
Cross-site Scripting (XSS) - Stored in leantime/leantime
⚠️ Description A malicious actor is able to add a "new board" with a malicious payload to any target, and upon opening the research menu, the XSS payload is executed. 🕵️‍♂️ Proof of Concept 1; Log in with a properly roled user 2; Add a new board to the system at the research menu on the left 3;...
in apolloconfig/apollo
⚠️ Description The application does not have any password complexity control set. It is possible to add a user with a single-character password in the application. 🕵️‍♂️ Proof of Concept Adding the user. POST /users HTTP/1.1 Host: xxx.xxx.xxx.xxx Content-Length: 63 Accept: application/json,...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in flatpressblog/flatpress
⚠️ Description The secure flag is not set for session cookies in the application. 🕵️‍♂️ Proof of Concept 💥 Impact If the secure flag is set on a cookie, then browsers will not submit the cookie in any request that uses an unencrypted HTTP connection, thereby preventing the cookie from being...
Sensitive Cookie Without 'HttpOnly' Flag in flatpressblog/flatpress
⚠️ Description The HttpOnly attribute is not set for session cookies in the application. 🕵️‍♂️ Proof of Concept 💥 Impact When a cookie doesn't have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session cookies that can...
Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
⚠️ Description The cookie persistentlogin is set without the httponly flag. 🕵️‍♂️ Proof of Concept Enable remember me during Login POST /admin/index.php?login HTTP/1.1 Host: 192.168.159.138 Content-Length: 30 Cache-Control: max-age=0...
Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
⚠️ Description Reflected XSS on any POST parameter with a correct token on /admin/settings.php. When field is not in the defined list, the $debug value is set to true, and $_POST is dumped without filtering. 🕵️‍♂️ Proof of Concept 1. Login as admin 2. Settings - Flush log 3. Replace field with XSS...
Inefficient Regular Expression Complexity in vuelidate/vuelidate
⚠️ Description A ReDoS (regular expression denial of service) flaw was found in the @vuelidate/validators package. An attacker that is able to provide crafted input to the url(input) function may cause an application to consume an excessive amount of CPU. 🕵️‍♂️ Proof of Concept Create the following...
Cross-site Scripting (XSS) - Stored in bookstackapp/bookstack
⚠️ Description There is an svg tag filtration problem in "book page" edit leading to stored XSS. SVG images can be used on book pages, but there is no server-side attribute filtration implemented for them. 🕵️‍♂️ Proof of Concept There is a filter for the href attribute, but inside SVG xlink:href is used. That...
Cross-site Scripting (XSS) - Stored in bookstackapp/bookstack
⚠️ Description There is an html tag filtration problem in "book page" edit leading to stored XSS. By design, "bad" tags and attributes are stripped on the client side when editing a page (obvious bypass by editing the request intercepted via burp), and on the server side an additional filter is applied; however, this filter can be...
Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
⚠️ Description Reflected XSS in POST /admin/scripts/pi-hole/php/customcname.php 🕵️‍♂️ Proof of Concept 1. Login as admin, go to Local DNS - CNAME Records - Add a new CNAME record 2. Input alert1 in the domain field and anything in the target domain. 3. The payload in the post body domain is URL encoded, use a...
Forced Browsing in slackero/phpwcms
⚠️ Description Image cache can be flushed by any authenticated, low-privileged user. 🕵️‍♂️ Proof of Concept - Register a low-privileged user without any administrator access. - Log in with the low-privileged user - Open the following URL:...
Prototype Pollution in liriliri/licia
⚠️ Description The licia package is vulnerable to Prototype Pollution. The safeSet function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. 🕵️‍♂️ Proof of Concept...
Command Injection in yogeshojha/rengine
⚠️ Description RCE via the proxy feature of Rengine. Proxies can be added in Rengine for executables like httpx to use in a scan. This functionality can be used to inject a command and run arbitrary code. 🕵️‍♂️ Proof of Concept Add this as the only proxy in the proxy list in the Proxy settings:...
Forced Browsing in slackero/phpwcms
⚠️ Description A malicious actor is able to reveal the list and details of newsletter subscribers. 🕵️‍♂️ Proof of Concept - Method 1; This method requires a proxy utility, like BurpSuite. - With an administrator user, create some subscribers on the newsletters under Communication > Newsletter...
Path Traversal in yogeshojha/rengine
⚠️ Description Local File Inclusion through Path Traversal 🕵️‍♂️ Proof of Concept While logged into a Rengine instance, go to /api/getFileContents/?nucleitemplate&name=../../../../../../../../etc/passwd. The contents of /etc/passwd are included in the response. 💥 Impact This vulnerability is...
Session Fixation in slackero/phpwcms
⚠️ Description A malicious actor with access to the computer is able to reveal the loaded site's actual PHPSESSID value. Since this value does not change upon login, the attacker can gain access via session hijacking when the target logs in on the compromised computer. 🕵️‍♂️ Proof of Concept -...
Cross-site Scripting (XSS) - DOM in forkcms/forkcms
⚠️ Description The underlying library needs to get the charset in lowercase, but Fork is passing it in uppercase, causing some of the XSS protections to fail. 🕵️‍♂️ Proof of Concept Go to...
Cross-site Scripting (XSS) - Stored in yogeshojha/rengine
⚠️ Description Hi, when creating a template for nuclei, it is possible to upload a malicious template with an XSS payload; clicking to see this template will run the XSS. 🕵️‍♂️ Proof of Concept 1- First, create the fake template: id: poc-xss alert1 info: name: xss-storage-rengine author: phor3nsic severity:...
Cross-site Scripting (XSS) - Stored in zikula/core
⚠️ Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. 🕵️‍♂️ Proof of Concept // PoC.js 1- Go to -- https://demo.ziku.la/blocks/admin/block/edit/2 2- Go to Editor and link a test word with a link As...
in pimcore/pimcore
⚠️ Description It is possible to enumerate usernames via the forgot password functionality. 🕵️‍♂️ Proof of Concept When entering a username that is not registered in the application, the response reads "User unknown". The following curl command demonstrates this: curl -i -s -k -X $'POST' \ -H...
Cross-site Scripting (XSS) - Stored in yogeshojha/rengine
⚠️ Description A malicious actor is able to add a "To-do" with a malicious payload to any target, and upon opening the target's summary, the XSS payload is executed. 🕵️‍♂️ Proof of Concept 1; Create a scan with any domain 2; Start scanning the target 3; Add a "To-do" with any title and with the...
Cross-site Scripting (XSS) - Stored in zikula-modules/content
⚠️ Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. 🕵️‍♂️ Proof of Concept // PoC.js 1- Go to -- https://demo.ziku.la/content/page/edit/PAGEID?slug=pages/content-introduction-page 2- inject this...
Cross-Site Request Forgery (CSRF) in ampache/ampache
⚠️ Description CSRF bug to disable a user. 🕵️‍♂️ Proof of Concept I see that when disabling a user there is no CSRF token check. 1. First login into the admin account. 2. Now copy the url http://localhost/ampache-develop/public/admin/users.php?action=disable&userid=3 and paste it in a browser tab and hit...
Prototype Pollution in jonschlinkert/set-value
⚠️ Description The set-value package is vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. 🕵️‍♂️ Proof of Concept...
Prototype Pollution in vincit/objection.js
⚠️ Description The objection package is vulnerable to Prototype Pollution. 🕵️‍♂️ Proof of Concept Create the following PoC file: // poc.js var set = require("objection/lib/utils/objectUtils"); let obj = {}; console.log("Before: " + {}.polluted); set(obj, '__proto__', 'polluted', 'Yes! Its Polluted'); console.log("After: "...
Prototype Pollution in immerjs/immer
⚠️ Description The immer package is vulnerable to Prototype Pollution. 🕵️‍♂️ Proof of Concept Create the following PoC file: // poc.js const immer = require("immer"); immer.enablePatches(); let obj = {}; const patch = [{ op: 'add', path: ["__proto__", "polluted"], value: "Yes! Its Polluted" }]; console.log("Before : " +...
Cross-Site Request Forgery (CSRF) in combodo/itop
⚠️ Description An attacker is able to delete a Standard SLA with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and that another low-privilege user or attacker knows the IP address or hostname of your application. In a CSRF attack...
Cross-site Scripting (XSS) - Generic in forkcms/library
⚠️ Description XSS is possible when the option allowHTML is set to true for text inputs and textfields. 🕵️‍♂️ Proof of Concept http://demo.fork-cms.com/en/search?form=search&qwidget=%22%3E%3Csvg/onload=alertdocument.domain%3E 💥 Impact XSS attacks can...
Cross-site Scripting (XSS) - Stored in zmister2016/mrdoc
⚠️ Description A stored XSS bug allows executing arbitrary JavaScript code in the victim's account. 🕵️‍♂️ Proof of Concept 1. First create a document and put the below XSS payload inside the document content. xss"''\ 2. Now when any user views this document project, the XSS is executed. VIDEO POC --...
Cross-site Scripting (XSS) - Stored in yogeshojha/rengine
⚠️ Description The 'Delete Scheduled Task' confirmation modal executes JavaScript as part of the name of a scan engine. 🕵️‍♂️ Proof of Concept 1. Name a scan engine as an XSS payload. Example: 2. Schedule a scan for any target using the created scan engine. 3. Try to delete the scheduled task. Location...
Cross-site Scripting (XSS) - Stored in zmister2016/mrdoc
⚠️ Description An online document system developed based on Python. It is suitable for individuals and small teams to manage documents, wiki, knowledge and notes, like GitBook. This package is vulnerable to XSS. 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - Stored in zmister2016/mrdoc
⚠️ Description An online document system developed based on Python. It is suitable for individuals and small teams to manage documents, wiki, knowledge and notes, like GitBook. This package is vulnerable to XSS. 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable of XSS...