4057 matches found
XSS Vulnerabilities in Search Functionality and Course Tags
Description 1. XSS via Image Error in Search Box: - This vulnerability allows an attacker to execute a Cross-Site Scripting XSS attack through the search functionality of the web application. When a user performs a search, the application attempts to display an image related to the search query...
Store DOM XSS in FAQ
Description I noticed your website is very secure. But you overlooked a flaw (XSS). Proof of Concept 1. Login with admin demo account and access admin page. 2. Create a category, Question with payload: haidoalertdocument.domain 3. Select FAQ status published and Sticky 4. Back to the homepage, detect...
SQL Injection Vulnerability in Content Page
In the Content menu page, there is a SQL Injection vulnerability in the Filter function. To exploit this vulnerability, an attacker injects a query into the filter field. Proof of Concept 1. Login with admin 2. Go to "http://127.0.0.1/icms2/admin/content/5". In this case, the number 5 is the content's id. Can be...
Stored xss using journal-name
BUG: Stored xss using journal-name. ACCOUNT: 1. user-A -- superadmin -- Victim -- Firefox browser, Normal mode 2. user-B -- journal manager -- Attacker -- Firefox browser, Container-1. STEPS TO REPRODUCE: 1. From user-A account create a journal called...
Stored xss using journal-name in journal-tab
BUG: Stored xss using journal-name in journal-tab. ACCOUNT: 1. user-A -- superadmin -- Victim -- Firefox browser, Normal mode 2. user-B -- journal manager -- Attacker -- Firefox browser, Container-1. STEPS TO REPRODUCE: 1. From user-A account create a journal...
Cookie without Secure flag
Description Access and log in to the website. Press F12 on your keyboard or right-click on the website to open the dev tools. In the Application tab, choose Cookies; there are some sensitive cookies without the Secure flag. Proof of Concept...
Relative Path Traversal vulnerability in the serve command
Description When a Cecil site is served by cecil serve, Relative Path Traversal is possible via the URI path. Proof of Concept Run the following commands: mkdir cecil-path-traversal-poc cd cecil-path-traversal-poc curl -L https://cecil.app/cecil.phar -o cecil chmod +x cecil ./cecil new:site -n...
Reflected Cross-Site Scripting (XSS) vulnerability in the dynamic 404 page
Description When running a Cecil site by cecil serve without a 404.html, Reflected Cross-Site Scripting XSS is possible via the URI path. Proof of Concept Run the following commands: mkdir cecil-404-xss-poc cd cecil-404-xss-poc curl -L https://cecil.app/cecil.phar -o cecil chmod +x cecil ./cecil...
AppImage Vim loads libc.so.6 from pwd
Description The AppImage distribution of vim loads libc.so.6 from the current directory of the user. An attacker with control of files in a directory where the user uses vim could execute arbitrary code. Proof of Concept The proof of concept uses a malicious libc.so.6 generated with the patch below ...
heap-buffer-overflow in function vim_regsub_both
Description heap-buffer-overflow in vim_regsub_both at regexp.c:2482 Version git log commit e073a8b79f1d3398b27f35b7920746b564a169e9 HEAD - master, origin/master, origin/HEAD Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S vimregsubbothpoc -c :qa! helplang=en readonly...
Out of Bounds Read in scene_manager/loader_bt.c:478
Description Out of Bounds Read in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Incomplete fix for SSRF in CVE-2023-4651
Description The fix commit a6bf758de0b3242b0c0e4b47a588aae0c94305b0 for CVE-2023-4651 is not complete. Only IP-based URLs are blocked. Proof of Concept Clone the latest repo and install. On the server, listen on port 1234 on localhost. Use http://localhost:1234/ as the URL for image upload. Observe a hit on...
SQL injection and Authentication bypass
Description The validApiKey middleware, which is responsible for verifying API keys provided in the request's Authorization header, is susceptible to SQL injection. This vulnerability can potentially lead to an authentication bypass, granting unauthorized access to API endpoints. NOTE: It's worth...
Store XSS in Survey menus
Description I noticed your website is very secure. But you overlooked a flaw (Stored DOM XSS). Proof of Concept Detail: 1. Login with admin demo account and access Configuration 2. Go to Survey menus == Survey menus entries 3. Add new menu entry and insert payload into GET data method...
Stored XSS in module named "New Submissions"
Description I tested the demo site you provided. I see that there is a Stored XSS vulnerability. I hope you can check and provide a fix as soon as possible. Proof of Concept Link to video PoC: https://drive.google.com/file/d/1BaAnaZQyfbUTu54rzwRtTevr-wx100/view?usp=sharing Steps 1. Login as account...
Store DOM XSS when create survey
Description I noticed your website is very secure. But you overlooked a flaw (Stored DOM XSS). Proof of Concept Detail: 1. Login with admin demo account 2. Create new survey, insert payload into Survey title: test" onclick = "alertdocument.domain" 3. Click create == detect Stored DOM XSS Video PoC...
SQL injection in slug parameter
Description The /api/workspace/:slug endpoint exposes a critical SQL injection vulnerability in the slug parameter. This vulnerability arises due to the insecure handling of user-supplied data slug in the construction of a SQL query. An attacker can exploit this vulnerability by crafting a...
Relative path traversal
Description The endpoint /system/data-exports/:filename is intended to export AnythingLLM data zip file for download based on a specified filename parameter. However, a critical security vulnerability arises due to insufficient validation and sanitization of the request.params.filename parameter...
segmentation fault in function f_fullcommand
Description segmentation fault in function f_fullcommand at ex_docmd.c:4101 Proof of Concept valgrind ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pocseg -c :qa! ==14662== Memcheck, a memory error detector ==14662== Copyright C 2002-2017, and GNU GPL'd, by Julian Seward et al. ==14662== Using...
Store XSS in Mail Setup
Description I noticed your website is very secure. But you overlooked a flaw (XSS). Proof of Concept Detail: 1. Login with admin demo account and access admin page. 2. Go to Configuration == Mail setup. 3. Insert payload into Password: test"alertdocument.domain 4. Click save configuration == detect...
Store XSS in Users
Description I noticed your website is very secure. But you overlooked a flaw (XSS). Proof of Concept Detail: 1. Login with admin demo account and access admin page. 2. Create a user, insert payload into Real name: test" 3. Click edit on the user just created, detect XSS Video PoC...
Cross-Site Scripting ( XSS) Via file upload
Description I tested the demo site you provided. I see that there is a file upload vulnerability which can lead to XSS. Hope you check and find a solution as soon as possible. Proof of Concept Link to video PoC: https://drive.google.com/file/d/1LAcTulbfhGJfCmWdIel9e-SkuoQbDq/view?usp=sharing Steps 1...
Stored XSS in module named "Create Issues"
Description I tested the demo site you provided. I see that there is an XSS vulnerability. I hope you can check and provide a fix as soon as possible. Proof of Concept Link to video PoC: https://drive.google.com/file/d/1CEEFO0ukhjug6dNRfb-vdQNuBUyezoJp/view?usp=sharing Steps 1. Login as account demo ...
heap-buffer-overflow in function swf_def_font scene_manager/swf_parse.c:1449
Description Heap-buffer-overflow in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
heap-use-after-free in mp4_mux_process_fragmented filters/mux_isom.c:6634
Description heap-use-after-free in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
stack-overflow in gf_bt_check_line scene_manager/loader_bt.c:408
Description stack-overflow in MP4Box Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Store XSS in FAQ Multisites
Description I noticed your website is very secure. But you overlooked a flaw (XSS). Proof of Concept 1. Login with admin demo account and access admin page. 2. Go to Configuration == FAQ Multisites 3. Edit Instance URL with payload: javascript:alertdocument.domain 4. Edit Instance path with payload:...
File Upload Vulnerability in Categories
Description I noticed your website is very secure. But you overlooked a flaw (File Upload). Proof of Concept Detail: 1. Login with admin demo account and access admin page. 2. Create a category titled "test" and upload an image file. 3. Using Burp Suite, edit Content-Type: image/html and insert payloa...
left shift of negative value in scene_manager/swf_parse.c:213:12
Description left shift of negative value in MP4Box Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC...
Out of Bounds Read in MPEG12_ParseSeqHdr media_tools/mpeg2_ps.c
Description Out of Bounds Read in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
signed integer overflow in filters/mux_isom.c:5716:20
Description Signed integer overflow in MP4Box; the program eventually crashes due to a double-free. It is uncertain whether the signed integer overflow is directly related to the double-free. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Par...
Use After Free in gf_filterpacket_del filter_core/filter.c:38
Description Use After Free in MP4Box. I'm not sure if this is a bug or an exploitable vulnerability. Since it was a double-free crash, I classified it as a UAF vulnerability type. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed...
LimeSurvey 5.6.34-230816 has a storage based XSS vulnerability caused by importManifest
Description A regular user with "theme" privileges who maliciously sets the "templatename" during the importManifest process can lead to a stored Cross-Site Scripting XSS vulnerability. Proof of Concept The first step is to create a user with only 'theme' permission. Log in to this user and make ...
NULL Pointer Dereference in media_tools/mpeg2_ps.c, media_tools/avilib.c and filters/dasher.c
Description NULL Pointer Dereference in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
division by zero in scene_manager/swf_svg.c, filters/dasher.c , filters/mux_isom.c and scene_manager/swf_parse.c
Description division by zero in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
Store DOM XSS in Edit configuration
Description I noticed your website is very secure. But you overlooked a flaw (XSS). Proof of Concept 1. Login with admin demo account and access admin page. 2. Create a category titled "test456". 3. Go to Configuration == Edit configuration. 4. Change the "URL of your FAQ" data field with the payload...
heap-buffer-overflow in function avi_parse_input_file media_tools/avilib.c:2083
Description Heap-buffer-overflow in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
heap-buffer-overflow in function avi_read media_tools/avilib.c:67 in gpac/gpac
Description Heap-buffer-overflow in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
IDOR Vulnerability Allow Low-Level User change role Everyone Includes Admin
Description By manipulating the userid in the API PUT /answer/admin/api/user/role, users with low privilege can change the role of any user. Proof of Concept Step 1: Login as user1 with user privilege Step 2: Call API PUT /answer/admin/api/user/role with user privilege, change the role of everyone, including Admin...
Account takeover via password reset
Description An attacker could predict all future password reset tokens due to the use of RandomStringUtils.randomAlphanumeric in PasswordService. An attacker could crack the random number generator RNG seed from a password reset token, then perform password resets on their and the victim’s...
Unverified password change : old password can be used as new password
Description Pimcore Platform v11.0.7 does not enforce a strict password policy, which allows an attacker to set the old password as the new password. Proof of Concept 1- Go to https://demo.pimcore.com/admin/login 2- Login with demo user credentials Username: superuser Password: enterprisedemo 3- Now login and...
Store XSS in Widgets and pages
Description I noticed that you filtered the comment very carefully. But there are still some parts you missed. Proof of Concept 1. Login with admin 2. Go to "https://demo.instantcms.io/admin/widgets" 3. Insert payload in Position name and Title: test" onmouseover = "alertdocument.cookie 4. Click...
Session Fixation
Description Session fixation allows an attacker to impersonate a user by abusing an authenticated session ID (SID). This attack can occur when a web application: • Fails to supply a new, unique SID to a user following a successful authentication • Allows a user to provide the SID to be used after...
Theft of Arbitrary Files due to lack of intent validation and insecure usage of provider paths in TTFViewerActivity.kt
Description Through the use of Oversecured, a leading vulnerability scanner for Android and iOS applications, we were able to detect a Theft of Arbitrary Files vulnerability within TTFViewerActivity.kt. Check the full issue definition in the image below: Root Cause Analysis The TTFViewerActivity faile...
Input Validation Vulnerability Leading to Denial of Service in LimeSurvey v5.6.34
Vulnerability Summary: LimeSurvey is a widely used open-source online survey system. In version 5.6.34, an input validation vulnerability has been identified, allowing attackers to exploit a vulnerability in surveys containing "file upload" options. This can lead to a denial of service by...
BrowserView Allows Popups, which leads to Remote Code Execution
Description The application has a functionality that allows users to add URLs for custom web services. If a user adds a URL containing malicious code, then it can be used to open a new browser window, which will lead to Remote Code Execution on the victim's computer. Proof of Concept ATTACKER SETUP...
Authentication cookie without Secure flag
Description Access and log in to the website. Press F12 on your keyboard or right-click on the website to open the dev tools. In the Application tab, choose Cookies; there are some sensitive cookies without the Secure flag. Proof of Concept Link photo:...
Improper Authorization in Import Question function
Description The Import Question function does not check user permissions, allowing users to import questions into any survey without requiring authorization. Proof of Concept Step 1: We have user1 who has no permissions Step 2: User1 performs importing questions into the survey by creating a reque...
DOM XSS at index FBD Table
Description I think your website is quite secure. But you overlooked the XSS vulnerability. Proof of Concept 1. Login with demo account 2. Access the link https://demo.librenms.org/search/search=fdb and insert the payload test123"alert1alertdocument.cookie 3. Hit enter, XSS vulnerability detected...
Android Manifest Misconfiguration Leading to Task Hijacking
Description Task hijacking allows malicious apps to inherit permissions of vulnerable apps and is usually used for phishing login credentials of victims. This vulnerability applies to all Android versions before Android 11. Steps To Reproduce: 1. Victim installs malicious app 1. Victim starts...