4057 matches found
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
✍️ Description pimcore is an Open Source Data & Experience Management Platform PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce; this package is vulnerable to Stored XSS via custom meta data 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable of Stored XSS...
Path Traversal in os4ed/opensis-classic
✍️ Description The ajax.php modname parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. 🕵️‍♂️ Proof of Concept // Ajax.php GET /Ajax.php?modname=../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 302 Found Location: index.php...
Cross-Site Request Forgery (CSRF) in azuracast/azuracast
✍️ Description Attacker is able to enable any Streamer/DJ account section with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your...
Open Redirect in openwhyd/openwhyd
✍️ Description There is an open redirect in the following URL: https://openwhyd.org/consent?redirect=https://mdakh404.github.io after the user agrees to the site policy, they will be redirected to my blog! It's an open redirect. 🕵️‍♂️ Proof of Concept 1- Open the link:...
Inefficient Regular Expression Complexity in ramda/ramda
✍️ Description A ReDoS (regular expression denial of service) flaw was found in the ramda package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU. Similar attack ref: https://nvd.nist.gov/vuln/detail/CVE-2020-7753...
Inefficient Regular Expression Complexity in axios/axios
✍️ Description A ReDoS (regular expression denial of service) flaw was found in the axios package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU. Similar attack ref: https://nvd.nist.gov/vuln/detail/CVE-2020-7753...
Sensitive Cookie Without 'HttpOnly' Flag in azuracast/azuracast
✍️ Description The HttpOnly attribute is not set for session cookies in the application. 🕵️‍♂️ Proof of Concept 💥 Impact When a cookie doesn't have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session cookies that can...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in azuracast/azuracast
✍️ Description The secure flag is not set for the appsession cookie in the application. 🕵️‍♂️ Proof of Concept PoC Image: https://i.ibb.co/v1y0Fdv/cookie-flag.png 💥 Impact If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP...
SQL Injection in opensourcepos/opensourcepos
✍️ Description The application is vulnerable to blind SQL Injection 🕵️‍♂️ Proof of Concept URL: https://dev.opensourcepos.org/itemkits/search?sort=1 Vulnerable Parameter: sort SQLMap POC --- Parameter: sort GET Type: boolean-based blind Title: Boolean-based blind - Parameter replace original value...
SQL Injection in opensourcepos/opensourcepos
✍️ Description The application is vulnerable to blind SQL Injection 🕵️‍♂️ Proof of Concept URL: https://dev.opensourcepos.org/giftcards/search?sort=1 Vulnerable Parameter: sort SQLMap POC --- Parameter: sort GET Type: boolean-based blind Title: Boolean-based blind - Parameter replace original value...
SQL Injection in opensourcepos/opensourcepos
✍️ Description The application is vulnerable to blind SQL Injection 🕵️‍♂️ Proof of Concept URL: https://dev.opensourcepos.org/attributes/search?sort=1 Vulnerable Parameter: sort SQLMap POC --- Parameter: sort GET Type: boolean-based blind Title: Boolean-based blind - Parameter replace original...
SQL Injection in opensourcepos/opensourcepos
✍️ Description The application is vulnerable to blind SQL Injection 🕵️‍♂️ Proof of Concept URL: https://dev.opensourcepos.org/suppliers/search?sort=1 Vulnerable Parameter: sort SQLMap POC --- Parameter: sort GET Type: boolean-based blind Title: Boolean-based blind - Parameter replace original value...
in opensourcepos/opensourcepos
✍️ Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. 🕵️‍♂️ Proof of Concept Image: https://i.ibb.co/cbtVcb1/clickjack.png 💥 Impact According to PortSwigger references, it is...
in opensourcepos/opensourcepos
✍️ Description The giftcards/view/ POST request can be hijacked so that the information will be sent to another page, by modifying the login page URL. 🕵️‍♂️ Proof of Concept Change the login page URL to https://mydomain.com/giftcards/view/anotherpagehere Then the form action in the webpage will be...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description Stored XSS via general settings 🕵️‍♂️ Proof of Concept 1. Go to https://demo.livehelperchat.com/siteadmin/chatbox/configuration and update a General settings field with the XSS payload xss"'' and save it. 2. Now try to edit these Chatbox settings using a URL like...
Cross-site Scripting (XSS) - Reflected in leantime/leantime
✍️ Description Cross-site scripting (XSS) vulnerability: line 9 of delCanvasItem.tpl.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. 🕵️‍♂️ Proof of Concept /leancanvas/delCanvasItem/" 💥 Impact The attacker can: perform any action within the...
in froxlor/froxlor
✍️ Description The login form POST request can be hijacked so that the credentials will be sent to an external website, by modifying the login page URL. 🕵️‍♂️ Proof of Concept Change the login page URL to https://mydomain.com/index.php/evilsite.com Then the form action in the webpage will be...
Sensitive Cookie Without 'HttpOnly' Flag in froxlor/froxlor
✍️ Description The HttpOnly attribute is not set for session cookies in the application. 🕵️‍♂️ Proof of Concept 💥 Impact When a cookie doesn't have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session cookies that can...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in froxlor/froxlor
✍️ Description The secure flag is not set for the PHPSESSID session cookie in the application. 🕵️‍♂️ Proof of Concept 💥 Impact If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from...
Cross-site Scripting (XSS) - Reflected in zoujingli/thinkadmin
✍️ Description The application is vulnerable to a reflected XSS attack. 🕵️‍♂️ Proof of Concept Open the following page in the browser as admin. The 商品名称 field is vulnerable to reflected XSS. An alert box is displayed as PoC...
in zoujingli/thinkadmin
✍️ Description The application implements a cross-origin resource sharing (CORS) policy for requests that allows access from any domain. 🕵️‍♂️ Proof of Concept Request GET /data/shop.goods/index.html HTTP/2 Host: testdomain11.com Cookie: lang=zh-cn; PHPSESSID=45780759c5ea6ae0be9cfc95fde04bc9...
in zoujingli/thinkadmin
✍️ Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. 🕵️‍♂️ Proof of Concept 💥 Impact According to PortSwigger references, it is possible for a page controlled by an attacker...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description Attacker is able to disable any widget with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your application. In CSRF attacks...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description Attacker is able to reset any profile banner with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your application. In CSRF...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description Attacker is able to delete any reaction with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your application. In CSRF attack...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description Attacker is able to leave any user message with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your application. In CSRF...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description Attacker is able to disable any module with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your application. In CSRF attacks...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description Attacker is able to delete any custom page with a CSRF attack. It does not matter at all whether your application runs on localhost or elsewhere; it is enough that it runs in a browser and another low-privilege user or attacker knows the IP address or hostname of your application. In CSRF...
Cross-site Scripting (XSS) - Stored in namelessmc/nameless
✍️ Description Stored XSS via forum 🕵️‍♂️ Proof of Concept 1. First go to http://localhost/nameless/index.php?route=/panel/forums/&action=new and create a forum. During creation put the below XSS payload in the forum icon. xss"' 2. Now save it. 3. Now go to the above forum URL...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description CSRF bug to stick a topic 🕵️‍♂️ Proof of Concept The below URL is vulnerable to a CSRF attack to stick a topic. http://localhost/nameless/index.php?route=/forum/stick/&tid=1 💥 Impact CSRF bug to stick a topic...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description CSRF bug to follow a topic 🕵️‍♂️ Proof of Concept I see CSRF token checking everywhere, but in this case the CSRF token check is missing. The below URL is vulnerable to a CSRF attack to follow a topic. http://localhost/nameless/index.php?route=/forum/topic/1/&action=follow 💥 Impact...
Cross-Site Request Forgery (CSRF) in namelessmc/nameless
✍️ Description CSRF bug to lock a topic 🕵️‍♂️ Proof of Concept I see CSRF token checking everywhere, but in this case the CSRF token check is missing. The below URL is vulnerable to a CSRF attack to lock a topic. http://localhost/nameless/index.php?route=/forum/lock/&tid=1 💥 Impact CSRF bug to...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
✍️ Description CSRF bug to create a group chatlist 🕵️‍♂️ Proof of Concept There is no CSRF token check when creating a group chatlist. The below request is vulnerable to a CSRF attack document.getElementById"myForm".submit 💥 Impact CSRF bug to create a group chatlist...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description Stored XSS in XMP configuration 🕵️‍♂️ Proof of Concept Please check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1j1b5XDv2v73539J5MYwxYDe0IPt9yS3f/view?usp=sharing 💥 Impact The XSS bug allows executing arbitrary JavaScript code...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
✍️ Description CSRF bug to update an uploaded file 🕵️‍♂️ Proof of Concept The below request is vulnerable to a CSRF bug to update an uploaded file. Submit request POST /siteadmin/file/edit/2 HTTP/1.1 Host: demo.livehelperchat.com Cookie: PHPSESSID=b8cdt7e1436rstdhbgq5mjqskq User-Agent: Mozilla/5.0 X11;...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
✍️ Description CSRF bug to clone a role 🕵️‍♂️ Proof of Concept I see CSRF token checking everywhere, but during cloning of a role it does not check the CSRF token. The below URL is vulnerable to a CSRF attack to clone a role...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description Stored XSS via role name 🕵️‍♂️ Proof of Concept 1. First go to https://demo.livehelperchat.com/siteadmin/permission/roles and create a role with the XSS payload xss"'' and save it. 2. Now try to edit this role using a URL like...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description Stored XSS on SMTP Sender address 🕵️‍♂️ Proof of Concept Steps To Reproduce: 1. Go to system/smtp 2. Add the payload " in "Sender address" or "Default from e-mail address" or "Default from name"; all 3 params are vulnerable to XSS 3. Save it and you can see that the XSS fires poc...
Cross-site Scripting (XSS) - Stored in yourls/yourls
✍️ Description Stored XSS 🕵️‍♂️ Proof of Concept Please check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1MHQSKVczRNwDC8S6xKuedjMNcQw8YOz5/view?usp=sharing 💥 Impact Stored XSS allows executing arbitrary JavaScript code...
in circuitverse/circuitverse
✍️ Description No rate limit allows sending unlimited emails to any mail address 🕵️‍♂️ Proof of Concept During forgot password there is no rate limit on sending the password-reset email, which allows sending unlimited emails to a mail address. The below request is vulnerable to the rate-limit bug POST /users/password...
Improper Privilege Management in circuitverse/circuitverse
✍️ Description Subscribe to any private project 🕵️‍♂️ Proof of Concept There are two different users called user-A and user-B. 1. User-A created a private project. 2. Now User-B sent the below request to subscribe to the above private project PUT /commontator/threads/496401/subscribe HTTP/2 Host:...
Improper Privilege Management in circuitverse/circuitverse
✍️ Description Upvote any comment in a private project 🕵️‍♂️ Proof of Concept The below request is vulnerable to upvoting any comment of a private project POST /commontator/comments/1312/upvote HTTP/2 Host: circuitverse.org Cookie: User-Agent: Mozilla/5.0 X11; Ubuntu; Linux x86_64; rv:90.0 Gecko/20100101...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description There is a Stored XSS in the user profile image uploader via an SVG file 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Go to account profile 2. Click the choose file option to update the profile image 3. Upload the SVG file containing malicious code: or you can download it from :...
in circuitverse/circuitverse
✍️ Description Privilege escalation bug to add a comment to any private project 🕵️‍♂️ Proof of Concept The below request is vulnerable to a privilege escalation bug POST /commontator/threads/496401/comments HTTP/2 Host: circuitverse.org Cookie: .. User-Agent: Mozilla/5.0 X11; Ubuntu; Linux x86_64; rv:90.0...
Cross-Site Request Forgery (CSRF) in myvesta/vesta
✍️ Description Attacker is able to rename any file on the server if a logged-in user visits the attacker's website. 🕵️‍♂️ Proof of Concept Create a test.txt file under /home/user; when you are logged in, open this POC.html in a browser and you can check that test.txt is renamed to test.php. //PoC.html history.pushState'',...
Cross-Site Request Forgery (CSRF) in myvesta/vesta
✍️ Description Attacker is able to delete any file on the server if a logged-in user visits the attacker's website. 🕵️‍♂️ Proof of Concept Create a test.txt file under /home/user; when you are logged in, open this POC.html in a browser and you can check that test.txt is deleted. //PoC.html history.pushState'', '', '/'...
Cross-Site Request Forgery (CSRF) in myvesta/vesta
✍️ Description The download/web-log endpoint does not have CSRF protection. This could be used to force download of the access log and potentially lead to sensitive information leakage. 🕵️‍♂️ Proof of Concept Log in to a user account. Create the following POC.html file and open the page in a browser. To verify that...
Cross-Site Request Forgery (CSRF) in myvesta/vesta
✍️ Description The download/web-log endpoint does not have CSRF protection. This could be used to force download of the error log and potentially lead to sensitive information leakage. 🕵️‍♂️ Proof of Concept Log in to a user account. Create the following POC.html file and open the page in a browser. To verify that you...
Cross-Site Request Forgery (CSRF) in myvesta/vesta
✍️ Description Attacker is able to "delete" an element from favorites. This vulnerability happens in some sections, for example on the "Firewall" tab list/firewall/ 🕵️‍♂️ Proof of Concept 1. When you are logged in, open this POC.html in a browser 2. You can check that unintentionally the first record is deleted from...
Cross-Site Request Forgery (CSRF) in myvesta/vesta
✍️ Description Attacker is able to add an element to favorites. This vulnerability happens in some sections, for example on the "Firewall" tab list/firewall/ 🕵️‍♂️ Proof of Concept 1. When you are logged in, open this POC.html in a browser 2. You can check that unintentionally the first record is saved as a favorite...