4057 matches found
Inefficient Regular Expression Complexity in x-neuron/antdfront
✍️ Description A ReDoS (regular expression denial of service) flaw was found in the antdFront package. An attacker who is able to provide crafted input to the isUrl(input) function may cause an application to consume an excessive amount of CPU. 🕵️‍♂️ Proof of Concept Create the following poc.mjs //...
Cross-site Scripting (XSS) - Stored in leantime/leantime
✍️ Description A malicious actor is able to add a New Project with a malicious payload, and upon opening the research menu, the XSS payload is executed. 🕵️‍♂️ Proof of Concept 1; Log in with a properly roled user 2; Add a new Project to the system at the /projects/showAll/ URI with the + New...
Cross-site Scripting (XSS) - Stored in leantime/leantime
✍️ Description A malicious actor is able to add a "new Retrospective" with a malicious payload, and upon opening the research menu, the XSS payload is executed. 🕵️‍♂️ Proof of Concept - 1; Log in with a properly roled user - 2; Add a new board to the system at the Retrospective menu on the left - 3;...
Cross-site Scripting (XSS) - Stored in leantime/leantime
✍️ Description A malicious actor is able to add a "new board" with a malicious payload to any target, and upon opening the research menu, the XSS payload is executed. 🕵️‍♂️ Proof of Concept 1; Log in with a properly roled user 2; Add a new board to the system at the research menu on the left 3;...
in apolloconfig/apollo
✍️ Description The application does not enforce any password complexity control. It is possible to add a user with a single-character password. 🕵️‍♂️ Proof of Concept Adding the user. POST /users HTTP/1.1 Host: xxx.xxx.xxx.xxx Content-Length: 63 Accept: application/json,...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in flatpressblog/flatpress
✍️ Description The Secure flag is not set for session cookies in the application. 🕵️‍♂️ Proof of Concept 💥 Impact If the Secure flag is set on a cookie, browsers will not submit the cookie in any request that uses an unencrypted HTTP connection, thereby preventing the cookie from being...
Sensitive Cookie Without 'HttpOnly' Flag in flatpressblog/flatpress
✍️ Description The HttpOnly attribute is not set for session cookies in the application. 🕵️‍♂️ Proof of Concept 💥 Impact When a cookie doesn't have the HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session cookies that can...
Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
✍️ Description The cookie persistentlogin is set without the HttpOnly flag. 🕵️‍♂️ Proof of Concept Enable "remember me" during login: POST /admin/index.php?login HTTP/1.1 Host: 192.168.159.138 Content-Length: 30 Cache-Control: max-age=0...
Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
✍️ Description Reflected XSS on any POST parameter with a correct token on /admin/settings.php. When field is not in the defined list, $debug is set to true and $_POST is dumped without filtering. 🕵️‍♂️ Proof of Concept 1. Log in as admin 2. Settings - Flush log 3. Replace field with XSS...
Inefficient Regular Expression Complexity in vuelidate/vuelidate
✍️ Description A ReDoS (regular expression denial of service) flaw was found in the @vuelidate/validators package. An attacker who is able to provide crafted input to the url(input) function may cause an application to consume an excessive amount of CPU. 🕵️‍♂️ Proof of Concept Create the following...
Cross-site Scripting (XSS) - Stored in bookstackapp/bookstack
✍️ Description There is an SVG tag filtration problem in "book page" edit leading to stored XSS. SVG images can be used on book pages, but there is no server-side attribute filtration implemented for them. 🕵️‍♂️ Proof of Concept There is a filter for the href attribute, but inside SVG xlink:href is used. That...
Cross-site Scripting (XSS) - Stored in bookstackapp/bookstack
✍️ Description There is an HTML tag filtration problem in "book page" edit leading to stored XSS. By design, "bad" tags and attributes are stripped on the client side when editing a page (an obvious bypass is editing the request intercepted via Burp), and on the server side an additional filter is applied; however, this filter can be...
Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
✍️ Description Reflected XSS in POST /admin/scripts/pi-hole/php/customcname.php 🕵️‍♂️ Proof of Concept 1. Log in as admin, go to Local DNS - CNAME Records - Add a new CNAME record 2. Input an alert(1) payload in the domain field and anything in the target domain. 3. The payload in the POST body domain is URL encoded; use a...
Forced Browsing in slackero/phpwcms
✍️ Description The image cache can be flushed by any authenticated, low-privileged user. 🕵️‍♂️ Proof of Concept - Register a low-privileged user without any administrator access. - Log in with the low-privileged user - Open the following URL:...
Prototype Pollution in liriliri/licia
✍️ Description The licia package is vulnerable to prototype pollution. The safeSet function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. 🕵️‍♂️ Proof of Concept...
Command Injection in yogeshojha/rengine
✍️ Description RCE via the proxy feature of Rengine. Proxies can be added in Rengine for executables like httpx to use in a scan. This functionality can be used to inject a command and run arbitrary code. 🕵️‍♂️ Proof of Concept Add this as the only proxy in the proxy list in the Proxy settings:...
Forced Browsing in slackero/phpwcms
✍️ Description A malicious actor is able to reveal the list and details of newsletter subscribers. 🕵️‍♂️ Proof of Concept - Method 1; This method requires a proxy utility, like Burp Suite. - With an administrator user, create some subscribers on the newsletters under Communication > Newsletter...
Path Traversal in yogeshojha/rengine
✍️ Description Local file inclusion through path traversal 🕵️‍♂️ Proof of Concept While logged in to a Rengine instance, go to /api/getFileContents/?nuclei_template&name=../../../../../../../../etc/passwd. The contents of /etc/passwd are included in the response. 💥 Impact This vulnerability is...
Session Fixation in slackero/phpwcms
✍️ Description A malicious actor with access to the computer is able to reveal the loaded site's actual PHPSESSID value. Since this value does not change upon login, the attacker can gain access via session hijacking when the target logs in on the compromised computer. 🕵️‍♂️ Proof of Concept -...
Cross-site Scripting (XSS) - DOM in forkcms/forkcms
✍️ Description The underlying library needs to get the charset in lowercase, but Fork is passing it in uppercase, causing some of the XSS protections to fail 🕵️‍♂️ Proof of Concept Go to...
Cross-site Scripting (XSS) - Stored in yogeshojha/rengine
✍️ Description Hi, when creating a template for nuclei, it is possible to upload a malicious template with an XSS payload; clicking to view this template will run the XSS. 🕵️‍♂️ Proof of Concept 1- First, create the fake template: id: poc-xss alert1 info: name: xss-storage-rengine author: phor3nsic severity:...
Cross-site Scripting (XSS) - Stored in zikula/core
✍️ Description Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites 🕵️‍♂️ Proof of Concept // PoC.js 1- Go to https://demo.ziku.la/blocks/admin/block/edit/2 2- Go to Editor and link a test word with a link As...
in pimcore/pimcore
✍️ Description It is possible to enumerate usernames via the forgot-password functionality 🕵️‍♂️ Proof of Concept When entering a username that is not registered in the application, the response reads "User unknown". The following curl command demonstrates this: curl -i -s -k -X $'POST' \ -H...
Cross-site Scripting (XSS) - Stored in yogeshojha/rengine
✍️ Description A malicious actor is able to add a "To-do" with a malicious payload to any target, and upon opening the target's summary, the XSS payload is executed. 🕵️‍♂️ Proof of Concept 1; Create a scan with any domain 2; Start scanning the target 3; Add a "To-do" with any title and with the...
Cross-site Scripting (XSS) - Stored in zikula-modules/content
✍️ Description Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites 🕵️‍♂️ Proof of Concept // PoC.js 1- Go to https://demo.ziku.la/content/page/edit/PAGEID?slug=pages/content-introduction-page 2- Inject this...
Cross-Site Request Forgery (CSRF) in ampache/ampache
✍️ Description CSRF bug to disable a user 🕵️‍♂️ Proof of Concept I see that when disabling a user there is no CSRF token check. 1. First log in to the admin account. 2. Now copy the URL http://localhost/ampache-develop/public/admin/users.php?action=disable&userid=3, paste it in a browser tab and hit...
Prototype Pollution in jonschlinkert/set-value
✍️ Description The set-value package is vulnerable to prototype pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. 🕵️‍♂️ Proof of Concept...
Prototype Pollution in vincit/objection.js
✍️ Description The objection package is vulnerable to prototype pollution. 🕵️‍♂️ Proof of Concept Create the following PoC file: // poc.js var set = require("objection/lib/utils/objectUtils") let obj = {} console.log("Before: " + {}.polluted) set(obj, '__proto__', 'polluted', 'Yes! Its Polluted') console.log("After: "...
Prototype Pollution in immerjs/immer
✍️ Description The immer package is vulnerable to prototype pollution. 🕵️‍♂️ Proof of Concept Create the following PoC file: // poc.js const immer = require("immer"); immer.enablePatches(); let obj = {}; const patch = { op: 'add', path: ["__proto__", "polluted"], value: "Yes! Its Polluted" }; console.log("Before : " +...
Cross-Site Request Forgery (CSRF) in combodo/itop
✍️ Description Attacker is able to delete a Standard SLA with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your application. In a CSRF attack...
Cross-site Scripting (XSS) - Generic in forkcms/library
✍️ Description XSS is possible when the option allowHTML is set to true for text inputs and textfields 🕵️‍♂️ Proof of Concept http://demo.fork-cms.com/en/search?form=search&q_widget=%22%3E%3Csvg/onload=alert(document.domain)%3E 💥 Impact XSS attacks can...
Cross-site Scripting (XSS) - Stored in zmister2016/mrdoc
✍️ Description Stored XSS bug allows executing arbitrary JavaScript code in the victim's account 🕵️‍♂️ Proof of Concept 1. First create a document and put the below XSS payload inside the document content. xss"''\ 2. Now when any user views this document project, the XSS is executed VIDEO POC --...
Cross-site Scripting (XSS) - Stored in yogeshojha/rengine
✍️ Description The 'Delete Scheduled Task' confirmation modal executes JavaScript as part of the name of a scan engine. 🕵️‍♂️ Proof of Concept 1. Name a scan engine as an XSS payload. Example: 2. Schedule a scan for any target using the created scan engine. 3. Try to delete the scheduled task Location...
Cross-site Scripting (XSS) - Stored in zmister2016/mrdoc
✍️ Description Online document system developed based on Python. It is suitable for individuals and small teams to manage documents, wiki, knowledge and notes, like GitBook. This package is vulnerable to XSS 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - Stored in zmister2016/mrdoc
✍️ Description Online document system developed based on Python. It is suitable for individuals and small teams to manage documents, wiki, knowledge and notes, like GitBook. This package is vulnerable to XSS 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable of XSS...
in zmister2016/mrdoc
✍️ Description Online document system developed based on Python. It is suitable for individuals and small teams to manage documents, wiki, knowledge and notes, like GitBook. This package is vulnerable to RCE due to yaml.load in the import function 🕵️‍♂️ Proof of Concept Uploaded ZIP : Payload.yaml :...
Cross-site Scripting (XSS) - Stored in namelessmc/nameless
✍️ Description Stored XSS in Google Analytics. 🕵️‍♂️ Proof of Concept 1. Go to 'http://localhost/Nameless/index.php?route=/panel/core/seo/' logged in as admin. 2. Enter "G-XXXXXXXX'; javascript:alert(1); alert(1); instead; this will cause any admin who visits the SEO page to have the JavaScript activated on...
SQL Injection in phili67/ecclesiacrm
✍️ Description SQL injection (SQLi) found in the search section for http://YOURIP/ecclesiacrm/v2/people/list/person. A SQL injection allows an attacker to run SQL commands remotely and extract information such as passwords, usernames and other sensitive data. This SQLi is a blind SQLi and doesn't...
Cross-Site Request Forgery (CSRF) in qkqpttgf/onemanager-php
✍️ Description Attacker is able to rename any file with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your application. In CSRF attacks it...
Cross-Site Request Forgery (CSRF) in qkqpttgf/onemanager-php
✍️ Description Attacker is able to rename any disktag with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your application. In CSRF attacks...
Cross-Site Request Forgery (CSRF) in qkqpttgf/onemanager-php
✍️ Description Attacker is able to make a copy of any disk with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your application. In CSRF...
Cross-Site Request Forgery (CSRF) in qkqpttgf/onemanager-php
✍️ Description Attacker is able to delete any disk with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your application. In CSRF attacks it...
Cross-Site Request Forgery (CSRF) in qkqpttgf/onemanager-php
✍️ Description Attacker is able to delete any folder with a CSRF attack history.pushState('', '', '/') As you can see there is no CSRF token...
Path Traversal in os4ed/opensis-classic
✍️ Description The module.php modname parameter in OpenSIS 8.0 is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. 🕵️‍♂️ Proof of Concept // Modules.php GET /Modules.php?modname=../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 302...
Cross-Site Request Forgery (CSRF) in aimeos/ai-client-html
✍️ Description Attacker is able to pin any product in favorites with a CSRF attack. In CSRF attacks it is necessary that a user is logged into your application and simply visits a malicious website; after that, with only a redirection, the attacker can perform an attack on an unprotected endpoint. This means only...
Cross-Site Request Forgery (CSRF) in aimeos/ai-client-html
✍️ Description Attacker is able to add any product to favorites with a CSRF attack. In CSRF attacks it is necessary that a user is logged into your application and simply visits a malicious website; after that, with only a redirection, the attacker can perform an attack on an unprotected endpoint. This means only...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
✍️ Description Pimcore is an open source data & experience management platform (PIM, MDM, CDP, DAM, DXP/CMS & digital commerce). This package is vulnerable to stored XSS through the SEO menu 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
✍️ Description Pimcore is an open source data & experience management platform (PIM, MDM, CDP, DAM, DXP/CMS & digital commerce). This package is vulnerable to stored XSS through adding a customer 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable of XSS...
Cross-site Scripting (XSS) - Stored in yogeshojha/rengine
✍️ Description When an XSS payload is used as the name of a gf pattern, it executes. 🕵️‍♂️ Proof of Concept 1. Name a file .json 2. Import the file as a gf pattern at https://127.0.0.1/scanEngine/toolsettings 3. Click on the uploaded gf pattern. 💥 Impact The impact is the same as any other stored XSS...
Cross-site Scripting (XSS) - Reflected in azuracast/azuracast
✍️ Description The application is vulnerable to reflected HTML injection 🕵️‍♂️ Proof of Concept Open the following page in the browser as admin. The page is vulnerable to HTML injection...