4057 matches found
Cross-site Scripting (XSS) - Generic in emoncms/emoncms
Description: Line 94 of theme.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at the builtin echo in theme.php at line 94. Proof of Concept: $q = ""; if (isset($_GET['q'])) $q = $_GET['q']; // get in line 16 // print in line...
Server-Side Request Forgery (SSRF) in gogs/gogs
Description: In 2018, this issue was created to address an SSRF vulnerability in gogs wherein an attacker could have gogs send requests to network-internal hosts. A patch for this was released (see diff), and no queries about the SSRF issue seem to have been raised again since, from what I can tell...
Cross-site Scripting (XSS) - Stored in chevereto/chevereto-free
Description: Stored XSS via image upload. TESTED VERSION: latest GitHub code as of 16/7/21. Proof of Concept: 1. First download the https://github.com/ranjit-git/poc/blob/master/xss%22'%3E%3Cimg%20src%3Dx%20onerror%3Dalert123%3E.jpeg image file in Linux. Don't change the file name. This type file...
Cross-Site Request Forgery (CSRF) in seriawei/zkeacms
Description: ZKEACMS is vulnerable to Cross-site request forgery. The app has no mechanism against CSRF in all HTTP requests. Proof of Concept: Sample: add products to the shopping cart. HTML content: setTimeout(() => form.submit(), 2000); 1. Save the above content into an HTML file. 2. With...
in ampache/ampache
Description: According to the PHP official documents [1], we have for the mt_rand function a security issue that says "This function does not generate cryptographically secure values, and should not be used for cryptographic purposes", and as we see in permalinks you use the mt_rand function to generate...
Business Logic Errors in seriawei/zkeacms
Description: ZKEACMS is vulnerable to a Business Logic error through a negative product amount. Proof of Concept: PoC file content: setTimeout(() => form.submit(), 2000); 1. Save the above content into an HTML file. 2. Open it in the browser. Check the shopping cart negative value. PoC video. Impact...
Inefficient Regular Expression Complexity in apidoc/apidoc-core
Description: A ReDoS (regular expression denial of service) flaw was found in the apidoc-core package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU. Similar attack ref:...
in emoncms/emoncms
Description: In a CSRF attack, if the attacker is able to change the victim's email, then the attacker can change the email to their own email, get the password from the password reset section, and then the account takeover happens here. Proof of Concept: 1. You log in to your account. 2. You make a file containing the following...
Cross-Site Request Forgery (CSRF) in emoncms/emoncms
Description: In a CSRF attack, if your users go to the attacker's website and click the malicious link, then they are able to steal users' cookies, submit unwanted data, .... Proof of Concept: 1. You log in to your account. 2. You make a file containing the following HTML. 3. Open the HTML as the victim site...
in emoncms/emoncms
Description: Weak password requirements can lead to an account takeover vulnerability, as an attacker can easily perform brute-force attacks. Proof of Concept: If an attacker knows the username and email of your users, then the attacker can easily reset the victim's password, and no privileges are required...
in erudika/scoold
Reuse of cookies: the cookies do not expire after sign-out. Once the user signs out of their account, the cookies need to be expired and should not be reusable. But in this case, an attacker can grab the cookies and use them to log into a user's account. POC: 1. Go to...
Open Redirect in ionicabizau/parse-url
Description: parse-url improperly handles user input such as https:/\ and interprets it as a relative path. Backslashes after the protocol are accepted by browsers and treated as normal slashes, but parse-url reads them as the relative path, which could lead to SSRF, open redirects, or other...
Open Redirect in ionicabizau/git-up
Description: git-up improperly handles user input such as https:/\ and interprets it as a relative path. Backslashes after the protocol are accepted by browsers and treated as normal slashes, but git-up reads them as the relative path, which could lead to SSRF, open redirects, or other...
Use of a Broken or Risky Cryptographic Algorithm in boxbilling/boxbilling
Description: The function mt_rand is used to generate ticket hashes at the reference shown. This function is cryptographically flawed due to its nature being one of pseudorandomness; an attacker can take advantage of the cryptographically insecure nature of this function to disclose critical...
Cross-site Scripting (XSS) - Reflected in swiftyspiffy/twitch-token-generator
Description: An almost-XSS exists in this repository that, if not for the WAF used on https://twitchtokengenerator.com, would have resulted in reflected XSS. Despite this, it is possible to inject HTML onto the page, making some attack scenarios possible. Proof of Concept: - Navigate to...
Use of a Broken or Risky Cryptographic Algorithm in emoncms/emoncms
Description: The function mt_rand is used to generate verification keys, API keys (both read & write), and even hash salts. This function is cryptographically flawed due to its nature being one of pseudorandomness; an attacker can take advantage of the cryptographically insecure nature of this functio...
Use of a Broken or Risky Cryptographic Algorithm in panique/huge
Description: The function mt_rand is used to generate password-reset tokens. This function is cryptographically flawed due to its nature being one of pseudorandomness; an attacker can take advantage of the cryptographically insecure nature of this function to enumerate password-reset tokens that...
Use of a Broken or Risky Cryptographic Algorithm in mautic/mautic
Description: The function mt_rand is used to generate session tokens. This function is cryptographically flawed due to its nature being one of pseudorandomness; an attacker can take advantage of the cryptographically insecure nature of this function to enumerate session tokens for accounts that are...
Heap-based Buffer Overflow in squell/id3
Description: Hello! We compiled id3 from commit 857ac8 with Clang-13 + ASan, and we discovered a crafted file which triggers a heap-buffer-overflow, WRITE of size 1. This and the previous bug were discovered with the help of honggfuzz. Proof of Concept: echo...
Heap-based Buffer Overflow in squell/id3
Description: Hello! We compiled id3 from commit 857ac8 with Clang-13 + ASan, and we discovered a crafted file which triggers a negative-size-param and a heap-buffer-overflow with a READ of size 40987248. But for the purposes of this report, we are going to look at the heap-buffer-overflow, as it...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description: pimcore is an Open Source Data & Experience Management Platform (PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce). This package is vulnerable to Stored XSS through the gender tag. Proof of Concept: Impact: This vulnerability is capable of stored XSS. Location: Gender.php#L21...
in ethibox/stacks
Description: Please enter a description of the vulnerability. 1. Visit https://github.com/ethibox/stacks/blob/master/wordpress.yml#L47-L50 for the exposed database credentials. Impact: This vulnerability is capable of getting the database compromised...
Open Redirect in ionicabizau/parse-url
Description: parse-url mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as a normal slash, while parse-url sees it as a relative path, which will lead to SSRF attacks, open redirects, or...
Open Redirect in ionicabizau/parse-path
Description: parse-path mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as a normal slash, while parse-path sees it as a relative path, which will lead to SSRF attacks, open redirects, o...
Open Redirect in tjenkinson/url-toolkit
Description: url-toolkit mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as a normal slash, while url-toolkit sees it as a relative path, which will lead to SSRF attacks, open redirects,...
Cross-site Scripting (XSS) - Reflected in leantime/leantime
Description: Reflected XSS in editBoxDialog.tpl.php where the "module" and "label" parameters lead to exploitation of a vulnerability. Proof of Concept: Open this link http://127.0.0.1/setting/editBoxLabel?module=idealabels%22%3E%3Cscript%3Ealert%22XSS%20by%20OverJT%22%3C/script%3E&label=jjj Impact...
Server-Side Request Forgery (SSRF) in aimeos/aimeos-core
Description: Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework. This web app is vulnerable to stored SSRF through SVG files. Proof of Concept: Impact: This vulnerability is capable of SSRF...
Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney
Description: The //delete/ endpoint lacks CSRF protection. This could be exploited by attackers to make the admin delete records from the database. Proof of Concept: For the attack to work, a logged-in user should click the link (this could be performed with JavaScript). /delete/"Click here Impact...
Server-Side Request Forgery (SSRF) in erudika/scoold
Description: Possible SSRF in scoold in the user profile picture from URL. Proof of Concept: Steps to reproduce: 1. Create an account and click on the image. 2. Now open the local server or enter any IP:port, ex: http://127.0.0.1:8082 3. Now enter the URL and then view the image; you will see get...
Session Fixation in erudika/scoold
Description: Session Fixation vulnerability found in scoold, in which it doesn't expire the sessions after a password update. Proof of Concept: Steps to reproduce: 1. Open the same account in a normal and a private tab. 2. Change the password from any one tab, let's say private, and then refresh...
Cross-site Scripting (XSS) - Stored in sergix44/xbackbone
Description: Stored XSS through file upload via a .svg file. Proof of Concept: Upload a .svg file with the following content: alert(document.cookie); give it any name you want ending with .svg (store-xss.svg for example) and upload the file. After upload, click on open, click on raw, see the...
Cross-site Scripting (XSS) - Stored in omeka/omeka-s
Description: Stored XSS bug using an XSS payload in the Title when adding a new site. The XSS is executed when you are trying to delete the website; see the PoC for details. Proof of Concept: Go to http://localhost/omeka/omeka-s/admin/site and click on add new site, copy paste the...
Open Redirect in medialize/uri.js
Description: urijs mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as a normal slash, while url-parse sees it as a relative path. Proof of Concept: 1. Create the following PoC file:...
Open Redirect in unshiftio/url-parse
Description: url-parse mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as a normal slash, while url-parse sees it as a relative path. Similar attacks:...
Cross-site Scripting (XSS) - Stored in sylius/sylius
Description: Open Source eCommerce Platform on Symfony. This package is vulnerable to stored XSS through SVG files. Proof of Concept: https://i.imgur.com/UNqIg8l.mp4 Impact: This vulnerability is capable of XSS...
Cross-site Scripting (XSS) - Stored in leantime/leantime
Description: Stored XSS bug using an XSS payload in the Hypothesis when adding a new Research. Proof of Concept: Go to http://localhost/leancanvas/simpleCanvas, click on add new, and copy paste the following XSS payload: " Click on save and see the XSS popup with the cookie. Impact...
Cross-site Scripting (XSS) - Stored in leantime/leantime
Description: Stored XSS bug using an XSS payload in the Milestone Title when adding a new milestone. Proof of Concept: Go to http://localhost/tickets/roadmap, click on add Milestone, and copy paste the following XSS payload: " Click on save and see the XSS popup with the cookie. Impact...
Cross-Site Request Forgery (CSRF) in boxbilling/boxbilling
Description: CSRF on changing the password of an admin account. There is no token or anti-CSRF implemented. Proof of Concept: Create a .html file (poc.html for example) and copy paste the following code in it. Change localhost to your domain or IP address. javascript CSRF PoC Send this file to a...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Description: XSS via file upload in profile settings. Proof of Concept: Open chatwoot, log in to your profile, go to profile settings, upload an SVG file with an XSS payload and update the profile. Open the avatar in a new page; the XSS will be triggered. Impact: custom JavaScript code is executed...
Server-Side Request Forgery (SSRF) in chatwoot/chatwoot
Description: SSRF via SVG file upload. Proof of Concept: Create a new inbox, change its avatar to an SVG file with an SSRF payload in it, and open the image in a new tab. Impact: Host redirect...
Session Fixation in chatwoot/chatwoot
Description: The application is vulnerable to a Session Fixation vulnerability: even after a user changes their password, the old sessions on other devices persist. Proof of Concept: 1. Open chatwoot and log in to your account on multiple browsers. 2. Change the password of the account on one of...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Description: I found a stored XSS in your project which is led by adding a client's comment. Proof of Concept: Steps to reproduce: 1. Create a Client. 2. Enter " in the comments. 3. Save and you will see XSS. Impact: This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Description: I found a stored XSS in your project which is led by adding an invoice comment. Proof of Concept: Steps to reproduce: 1. Create an invoice. 2. Enter " in the comments. 3. Save and you will see XSS. Impact: This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Description: I found a stored XSS in your project which is led by adding an unpaid invoice comment. Proof of Concept: Steps to reproduce: 1. Create an unpaid invoice. 2. Enter " in the comments. 3. Save and you will see XSS. Impact: This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Description: I found a stored XSS in your project which is led by adding an anonymous group name. Proof of Concept: Steps to reproduce: 1. Create a group. 2. Enter group"' in the group name. 3. Save and visit view groups. 4. Click on the Anonymous group you just created. Impact: This...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
Description: I found a stored XSS in your project which is led by adding Leases starting/ending. Proof of Concept: Steps to reproduce: 1. Create a Starting or Ending, as both are vulnerable. 2. Enter " in the notes. 3. Save and you will see XSS. Impact: This vulnerability is capable of...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
Description: I found a stored XSS in your project which is led by adding Application/Leases notes. Proof of Concept: Steps to reproduce: 1. Create an Application/Lease. 2. Enter " in the notes. 3. Save and you will see XSS. Impact: This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
Description: I found a stored XSS in your project which is led by adding a Units description. Proof of Concept: Steps to reproduce: 1. Create a Unit. 2. Enter " in the description. 3. Save and you will see XSS. Impact: This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
Description: I found a stored XSS in your project which is led by adding a property name, which reflects on summary-reports-application-leases-1.php. Proof of Concept: Steps to reproduce: 1. Create a Property. 2. Enter x''' in the comments. 3. Save and visit...