4072 matches found
Session Fixation in alovoa/alovoa
Description: When a logged-in user changes his password, the session does not expire after the update. Proof of Concept: // PasswordController.java does not expire the session or force the user to log out after the update. @PostMapping(value = "/change", consumes = "application/json") public void...
Improper Privilege Management in uvdesk/core-framework
BUG: privilege escalation bug to pin threads. Proof of Concept: 1. First, from the admin account go to http://localhost/uvdesk/public/en/member/agents and add a new user called user B with the Agent role. Now give user B all ticketing permissions, like update/add/edit/delete/lock/pin a ticket...
Cross-site Scripting (XSS) - DOM in alovoa/alovoa
Description: It is possible to run JavaScript code in the webpage through unsanitized DOM properties. The function onChangeLocal sets the value of window.location.search directly from the URL, without prior checks. Proof of Concept: // Vulnerable function in file fragments.html:139 function...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
Description: An attacker can delete any Exports for any user via a CSRF vulnerability when the Admin, SuperAdmin or an authorized user clicks on the PoC.html file; it is enough for the attacker to know the Export's names on the server. I convert the...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
Description: An attacker can delete any Product for any user via a CSRF vulnerability when the Admin, SuperAdmin or an authorized user clicks on the PoC.html file; it is enough for the attacker to know the Product id on the server. I convert the GET...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
Description: An attacker can delete any Third Parties for any user via a CSRF vulnerability when the Admin, SuperAdmin or an authorized user clicks on the PoC.html file; it is enough for the attacker to know the Third Parties id on the server. I convert the GET...
in cortezaproject/corteza-server
Passwords shorter than 8 characters are considered to be weak (NIST SP 800-63B). Maximum password length should not be set too low, as it will prevent users from creating passphrases. ... It is important to set a maximum password length to prevent long-password Denial of Service attacks. STEPS FOR...
Inefficient Regular Expression Complexity in cronvel/string-kit
Description: A ReDoS (regular expression denial of service) flaw was found in the string-kit package. An attacker that is able to provide crafted input to the naturalSort function may cause an application to consume an excessive amount of CPU. Proof of Concept: Create the following PoC file:...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
Description: An attacker can add or delete any permission for any user via a CSRF vulnerability when the Admin, SuperAdmin or an authorized user clicks on the PoC.html file; it is enough for the attacker to know the permission id on the server, which starts from 1. There is no CSRF token in this situation and the CSR...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
Description: An attacker can delete any Group via a CSRF vulnerability when the Admin or SuperAdmin clicks on the PoC.html file; it is enough for the attacker to know the Group id on the server, which starts from 1. To bypass your CSRF token, I just delete the token parameter value and set it to nothing, as you can see in "...
Inefficient Regular Expression Complexity in liriliri/licia
Description: A ReDoS (regular expression denial of service) flaw was found in the licia package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU. Similar to https://nvd.nist.gov/vuln/detail/CVE-2020-28500 ...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
Description: An attacker is able to reopen any Poll in the Tools section. Proof of Concept: // PoC.html https://demo.dolibarr.org/opensurvey/card.php?action=reopen&id=amyra52rg3g4ywzj...
in spiral-project/ihatemoney
BUG: clickjacking bug. STEPS TO REPRODUCE: I see there is no X-Frame-Options header present in the response. So, it allows loading the dashboard URL in an iframe, which makes a clickjacking attack possible. The iframe will be completely hidden with opacity control so that the victim doesn't suspect. The code below can be used as...
Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney
Description: CSRF bug to delete a project. Proof of Concept: 1. Go to https://ihatemoney.org/ and create a new project whose project name is XXXX. Now the request below is vulnerable to a CSRF attack which will delete the whole project: https://ihatemoney.org/xxxx/delete Impact: Attacker can...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
Description: In this directory "https://demo.dolibarr.org/ecm/index.php?mainmenu=ecm&leftmenu=ecm&idmenu=167162" the attacker can perform a CSRF attack to remove any folders. In this directory the application takes a parameter named "token", and I set the "token" parameter value to nothing, like...
Cross-site Scripting (XSS) - Generic in emoncms/emoncms
Description: Line 94 of theme.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent via the builtin echo in theme.php at line 94. Proof of Concept: $q = ""; if (isset($_GET['q'])) $q = $_GET['q']; //get in line 16 //print in line...
Server-Side Request Forgery (SSRF) in gogs/gogs
Description: In 2018, this issue was created to address an SSRF vulnerability in gogs wherein an attacker could have gogs send requests to network-internal hosts. A patch for this was released (see diff) and no queries about the SSRF issue seem to have been raised again since, from what I can tell...
Cross-site Scripting (XSS) - Stored in chevereto/chevereto-free
Description: Stored XSS via image upload. TESTED VERSION: latest GitHub code as of 16/7/21. Proof of Concept: 1. First download the image file https://github.com/ranjit-git/poc/blob/master/xss%22'%3E%3Cimg%20src%3Dx%20onerror%3Dalert123%3E.jpeg in Linux. Don't change the file name. This type file...
Cross-Site Request Forgery (CSRF) in seriawei/zkeacms
Description: ZKEACMS is vulnerable to Cross-site request forgery. The app has no mechanism against CSRF in any HTTP request. Proof of Concept: Sample: Add products to the shopping cart. HTML content: setTimeout(() => form.submit(), 2000); 1. Save the above content into an HTML file. 2. With...
in ampache/ampache
Description: According to the PHP official documents [1], the mt_rand function has a security issue that says "This function does not generate cryptographically secure values, and should not be used for cryptographic purposes", and as we see in permalinks you use the mt_rand function to generate...
Business Logic Errors in seriawei/zkeacms
Description: ZKEACMS is vulnerable to a Business Logic error through a negative product amount. Proof of Concept: PoC file content: setTimeout(() => form.submit(), 2000); 1. Save the above content into an HTML file. 2. Open it in the browser. Check the shopping cart negative value. PoC video. ...
Inefficient Regular Expression Complexity in apidoc/apidoc-core
Description: A ReDoS (regular expression denial of service) flaw was found in the apidoc-core package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU. Similar attack ref:...
in emoncms/emoncms
Description: In a CSRF attack, if the attacker is able to change the victim's email, then the attacker can change the email to their own email, get the password from the password reset section, and then an account takeover happens. Proof of Concept: 1. You log in to your account. 2. You make a file containing the following...
Cross-Site Request Forgery (CSRF) in emoncms/emoncms
Description: In a CSRF attack, if your users go to the attacker's website and click the malicious link, then they are able to steal users' cookies, submit unwanted data, .... Proof of Concept: 1. You log in to your account. 2. You make a file containing the following HTML. 3. Open the HTML as the victim site...
Cross-Site Request Forgery (CSRF) in emoncms/emoncms
Description: In a CSRF attack, if your users go to the attacker's website and click the malicious link, then they are able to steal users' cookies, submit unwanted data, .... Proof of Concept: 1. You log in to your account. 2. You make a file containing the following HTML. 3. Open the HTML as the victim site...
in emoncms/emoncms
Description: Weak password requirements can lead to an account takeover vulnerability, as an attacker can easily perform brute-force attacks. Proof of Concept: If an attacker knows the username and email of your users, then the attacker can easily reset the victim's password, and no privileges are required...
in erudika/scoold
Reuse of cookies: The cookies do not expire after sign out. Once the user signs out of his account, the cookies need to be expired and should not be reusable. But in this case, an attacker can grab the cookies and use them to log into a user's account. POC: 1. Go to...
Open Redirect in ionicabizau/parse-url
Description: parse-url improperly handles user input such as https:/\ and interprets it as a relative path. Backslashes after the protocol are accepted by browsers and treated as normal slashes, but parse-url reads them as the relative path, which could lead to SSRF, open redirects, or other...
Open Redirect in ionicabizau/git-up
Description: git-up improperly handles user input such as https:/\ and interprets it as a relative path. Backslashes after the protocol are accepted by browsers and treated as normal slashes, but git-up reads them as the relative path, which could lead to SSRF, open redirects, or other...
Use of a Broken or Risky Cryptographic Algorithm in boxbilling/boxbilling
Description: The function mt_rand is used to generate ticket hashes at the reference shown; this function is cryptographically flawed due to its pseudorandom nature, and an attacker can take advantage of the cryptographically insecure nature of this function to disclose critical...
Cross-site Scripting (XSS) - Reflected in swiftyspiffy/twitch-token-generator
Description: An almost-XSS exists in this repository that, if not for the WAF used on https://twitchtokengenerator.com, would have resulted in reflected XSS. Despite this, it is possible to inject HTML onto the page, making some attack scenarios possible. Proof of Concept: - Navigate to...
Use of a Broken or Risky Cryptographic Algorithm in emoncms/emoncms
Description: The function mt_rand is used to generate verification keys, API keys (both read & write), and even hash salts; this function is cryptographically flawed due to its pseudorandom nature, and an attacker can take advantage of the cryptographically insecure nature of this functio...
Use of a Broken or Risky Cryptographic Algorithm in panique/huge
Description: The function mt_rand is used to generate password-reset tokens; this function is cryptographically flawed due to its pseudorandom nature, and an attacker can take advantage of the cryptographically insecure nature of this function to enumerate password-reset tokens that...
Use of a Broken or Risky Cryptographic Algorithm in mautic/mautic
Description: The function mt_rand is used to generate session tokens; this function is cryptographically flawed due to its pseudorandom nature, and an attacker can take advantage of the cryptographically insecure nature of this function to enumerate session tokens for accounts that are...
Heap-based Buffer Overflow in squell/id3
Description: Hello! We compiled id3 from commit 857ac8 with Clang-13 + ASan, and we discovered a crafted file which triggers a heap-buffer-overflow, WRITE of size 1. This and the previous bug were discovered with the help of honggfuzz. Proof of Concept: echo...
Heap-based Buffer Overflow in squell/id3
Description: Hello! We compiled id3 from commit 857ac8 with Clang-13 + ASan, and we discovered a crafted file which triggers a negative-size-param and a heap-buffer-overflow with a READ of size 40987248. But for the purposes of this report, we are going to look at the heap-buffer-overflow, as it...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description: pimcore is an Open Source Data & Experience Management Platform (PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce). This package is vulnerable to Stored XSS through the gender tag. Proof of Concept: Impact: This vulnerability is capable of stored XSS. Location: Gender.php#L21...
in ethibox/stacks
Description: Please enter a description of the vulnerability. 1. Visit https://github.com/ethibox/stacks/blob/master/wordpress.yml#L47-L50 for the exposed database credentials. Impact: This vulnerability is capable of getting the database compromised...
Open Redirect in ionicabizau/parse-url
Description: parse-url mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as a normal slash, while parse-url sees them as a relative path, which will lead to SSRF attacks, open redirects, or...
Open Redirect in ionicabizau/parse-path
Description: parse-path mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as a normal slash, while parse-path sees them as a relative path, which will lead to SSRF attacks, open redirects, o...
Open Redirect in tjenkinson/url-toolkit
Description: url-toolkit mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as a normal slash, while url-toolkit sees them as a relative path, which will lead to SSRF attacks, open redirects,...
Cross-site Scripting (XSS) - Reflected in leantime/leantime
Description: Reflected XSS in editBoxDialog.tpl.php, where the "module" and "label" parameters lead to exploitation of a vulnerability. Proof of Concept: Open this link http://127.0.0.1/setting/editBoxLabel?module=idealabels%22%3E%3Cscript%3Ealert%22XSS%20by%20OverJT%22%3C/script%3E&label=jjj ...
Server-Side Request Forgery (SSRF) in aimeos/aimeos-core
Description: Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework. This web app is vulnerable to stored SSRF through SVG files. Proof of Concept: Impact: This vulnerability is capable of SSRF...
Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney
Description: The //delete/ endpoint lacks CSRF protection. This could be exploited by attackers to make the admin delete records from the database. Proof of Concept: For the attack to work, a logged-in user should click the link (could be performed with JavaScript). /delete/"Click here Impact...
Server-Side Request Forgery (SSRF) in erudika/scoold
Description: Possible SSRF in scoold in the user profile picture from URL. Proof of Concept: Steps to reproduce: 1. Create an account and click on the image. 2. Now open the local server or enter any IP:port, e.g. http://127.0.0.1:8082 3. Now enter the URL and then view the image; you will see get...
Session Fixation in erudika/scoold
Description: Session Fixation vulnerability found in scoold, in which it doesn't expire the sessions after a password update. Proof of Concept: Steps to reproduce: 1. Open the same account in a normal and a private tab. 2. Change the password from any one tab, let's say private, and then refresh...
Cross-site Scripting (XSS) - Stored in sergix44/xbackbone
Description: Stored XSS through file upload via a .svg file. Proof of Concept: Upload a .svg file with the following content: alert(document.cookie); give it a name you want ending with .svg (store-xss.svg for example) and upload the file; after upload click on open, click on raw, see the...
Cross-site Scripting (XSS) - Stored in omeka/omeka-s
Description: Stored XSS bug using an XSS payload in the Title when adding a new site. The XSS gets executed when you are trying to delete the website; see the PoC for details. Proof of Concept: Go to http://localhost/omeka/omeka-s/admin/site, click on add new site, copy-paste the...
Open Redirect in medialize/uri.js
Description: urijs mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as a normal slash, while url-parse sees them as a relative path. Proof of Concept: 1. Create the following PoC file:...
Open Redirect in unshiftio/url-parse
Description: url-parse mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as a normal slash, while url-parse sees them as a relative path. Similar attacks:...