4072 matches found

Huntr
added 2021/07/05 5:39 p.m. | 7 views

Cross-site Scripting (XSS) - Stored in sylius/sylius

✍️ Description Open Source eCommerce Platform on Symfony. This package is vulnerable to stored XSS through SVG files. 🕵️‍♂️ Proof of Concept https://i.imgur.com/UNqIg8l.mp4 💥 Impact This vulnerability is capable of XSS...

AI score: 0.2 | EPSS: 0.00239
Exploits: 0
Huntr
added 2021/07/05 2:34 p.m. | 14 views

Cross-site Scripting (XSS) - Stored in leantime/leantime

✍️ Description Stored XSS bug using an XSS payload in the Hypothesis when adding a new Research 🕵️‍♂️ Proof of Concept Go to http://localhost/leancanvas/simpleCanvas and click on add new and copy-paste the following XSS payload javascript " Click on save and see the XSS popup with the cookie. 💥...

AI score: 7
Exploits: 0
Huntr
added 2021/07/05 2:29 p.m. | 10 views

Cross-site Scripting (XSS) - Stored in leantime/leantime

✍️ Description Stored XSS bug using an XSS payload in the Milestone Title when adding a new milestone 🕵️‍♂️ Proof of Concept Go to http://localhost/tickets/roadmap and click on add Milestone and copy-paste the following XSS payload javascript " Click on save and see the XSS popup with the cookie. 💥...

AI score: 7
Exploits: 0
Huntr
added 2021/07/05 11:42 a.m. | 5 views

Cross-Site Request Forgery (CSRF) in boxbilling/boxbilling

✍️ Description CSRF on changing the password of an admin account. There is no token or anti-CSRF protection implemented. 🕵️‍♂️ Proof of Concept Create a .html file, poc.html for example, and copy-paste the following code into it. Change localhost to your domain or IP address. javascript CSRF PoC Send this file to a...

Exploits: 0
Huntr
added 2021/07/05 8:44 a.m. | 12 views

Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot

✍️ Description XSS via file upload in profile settings 🕵️‍♂️ Proof of Concept Open Chatwoot, log in to your profile, go to profile settings, upload an SVG file with an XSS payload and update the profile. Open the avatar in a new page; XSS will be triggered. 💥 Impact Custom JavaScript code is executed...

AI score: 1.3 | EPSS: 0.00285
Exploits: 0
Huntr
added 2021/07/05 8:09 a.m. | 20 views

Server-Side Request Forgery (SSRF) in chatwoot/chatwoot

✍️ Description SSRF via SVG file upload 🕵️‍♂️ Proof of Concept Create a new inbox, change its avatar to an SVG file with an SSRF payload in it, and open the image in a new tab. 💥 Impact Host redirect...

AI score: 1.1 | EPSS: 0.00367
Exploits: 0
Huntr
added 2021/07/05 7:34 a.m. | 18 views

Session Fixation in chatwoot/chatwoot

✍️ Description The application is vulnerable to session fixation: even after a user changes their password, the old sessions on other devices persist. 🕵️‍♂️ Proof of Concept 1. Open Chatwoot and log in to your account on multiple browsers. 2. Change the password of the account on one of...

AI score: 2.9 | EPSS: 0.00197
Exploits: 0 | References: 1
Huntr
added 2021/07/05 6:30 a.m. | 9 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description I found a stored XSS in your project which is led by adding a client's comment. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create a Client. 2. Enter " in the comments. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...

AI score: 1.2
Exploits: 0
Huntr
added 2021/07/05 6:28 a.m. | 9 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description I found a stored XSS in your project which is led by adding an invoice comment. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create an invoice. 2. Enter " in the comments. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...

AI score: 1.6
Exploits: 0
Huntr
added 2021/07/05 6:27 a.m. | 8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description I found a stored XSS in your project which is led by adding an unpaid invoice comment. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create an unpaid invoice. 2. Enter " in the comments. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...

AI score: 1.8
Exploits: 0
Huntr
added 2021/07/05 6:27 a.m. | 10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description I found a stored XSS in your project which is led by adding an anonymous group name. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create a group. 2. Enter group"' in the group name. 3. Save and visit view groups. 4. Click on the Anonymous group you just created. 💥 Impact This...

AI score: 0.7
Exploits: 0
Huntr
added 2021/07/05 6:26 a.m. | 8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description I found a stored XSS in your project which is led by adding Leases starting/ending. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create a Starting or Ending, as both are vulnerable. 2. Enter " in the notes. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of...

AI score: 1
Exploits: 0
Huntr
added 2021/07/05 6:24 a.m. | 12 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description I found a stored XSS in your project which is led by adding Application/Leases notes. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create an Application/Leases. 2. Enter " in the notes. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...

AI score: 0.9
Exploits: 0
Huntr
added 2021/07/05 6:23 a.m. | 7 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description I found a stored XSS in your project which is led by adding a Unit's description. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create a Unit. 2. Enter " in the description. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...

AI score: 1.2
Exploits: 0
Huntr
added 2021/07/05 6:22 a.m. | 11 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description I found a stored XSS in your project which is led by adding a property name, which is reflected on summary-reports-application-leases-1.php 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create a Property. 2. Enter x''' in the comments. 3. Save and visit...

AI score: 0.8
Exploits: 0
Huntr
added 2021/07/05 6:22 a.m. | 8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description I found a stored XSS in your project which is led by adding comments when creating a landlord, due to improper sanitization. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create a Landlord. 2. Enter x''' in the comments. 3. Save and you will see a prompt. 💥 Impact This vulnerability is...

AI score: 1.1
Exploits: 0
Huntr
added 2021/07/05 6:21 a.m. | 8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description I found a stored XSS in your project which is led by adding an anonymous group name. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create a group. 2. Enter group"' in the group name. 3. Save and visit view groups. 4. Click on the Anonymous group you just created. 💥 Impact This...

AI score: 0.7
Exploits: 0
Huntr
added 2021/07/04 8:09 p.m. | 26 views

Cross-site Scripting (XSS) - Stored in aimeos/aimeos-core

✍️ Description Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework. This web app is vulnerable to stored XSS through filename. 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable of stored XSS...

AI score: 0.9
Exploits: 0 | References: 1
Huntr
added 2021/07/04 7:48 p.m. | 31 views

Cross-site Scripting (XSS) - Stored in aimeos/aimeos-laravel

✍️ Description Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework. This web app is vulnerable to stored XSS through filename. 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable of admin account takeover, XSS...

AI score: 1.4
Exploits: 0 | References: 1
Huntr
added 2021/07/04 6:12 p.m. | 13 views

Cross-site Scripting (XSS) - Stored in munafio/chatify

✍️ Description A Laravel package that helps you add a complete real-time messaging system to your new / existing application with only one command. This package is vulnerable to XSS 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable of admin account takeover...

AI score: 1
Exploits: 0
Huntr
added 2021/07/04 5:25 p.m. | 12 views

Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager

💥 BUG CSRF to turn off maintenance mode 💥 VERSION TESTED latest version as of 4/7/21 💥 STEP TO REPRODUCE 1. Just visit http://localhost/online-rental/app/admin/ajax-maintenance-mode.php?status=off and it will turn off maintenance mode if already enabled. Here no CSRF token is checked...

AI score: 1.3
Exploits: 0
Huntr
added 2021/07/04 5:22 p.m. | 9 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG Stored XSS 2 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-rental/app/admin/pageSettings.php and click on the Sign Up tab. Put the below XSS payload xss2"' in Members custom...

AI score: 2.1
Exploits: 0
Huntr
added 2021/07/04 5:20 p.m. | 7 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG Stored XSS via signup page 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-rental/app/admin/pageSettings.php and click on the Sign Up tab. Here allow signup. Now put the below XSS...

AI score: 2.6
Exploits: 0
Huntr
added 2021/07/04 5:18 p.m. | 6 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG Stored XSS via anonymous group 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-rental/app/admin/pageSettings.php and click the Preconfigured users and groups tab. Put the below...

AI score: 3
Exploits: 0
Huntr
added 2021/07/04 5:16 p.m. | 11 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG Stored XSS 1 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-rental/app/admin/pageSettings.php and click on the Sign Up tab. Put the below XSS payload in Members custom field 1....

AI score: 2
Exploits: 0
Huntr
added 2021/07/04 4:31 p.m. | 9 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG XSS via groupname 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-rental/app/admin/pageViewGroups.php and create a new group. During creation put the below XSS payload in...

AI score: 2.3
Exploits: 0
Huntr
added 2021/07/04 10:19 a.m. | 9 views

Cross-site Scripting (XSS) - Stored in volmarg/personal-management-system

💥 BUG XSS via issue-name 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://personal-management-system.pl/my-issues/pending and create a new issue. During creation put the below XSS payload in the name field and save it. xss"' Now whenever you visit...

AI score: 1.1
Exploits: 0
Huntr
added 2021/07/04 6:34 a.m. | 8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description Stored XSS via Group name 🕵️‍♂️ Proof of Concept Step To Reproduce: Go to /admin/pageEditGroup.php and create a group with payload: '/ Now visit the user dashboard, i.e. /membershipprofile.php, and see the XSS pop up. PoC video:...

AI score: 7
Exploits: 0
Huntr
added 2021/07/04 6:11 a.m. | 7 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️‍♂️ Proof of Concept Step to reproduce: Go to /admin/pageSettings.php?search-settings=smtp and the payload: ""@x.y in the "Senders...

AI score: 5.9
Exploits: 0
Huntr
added 2021/07/04 5:53 a.m. | 6 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️‍♂️ Proof of Concept Step To Reproduce: Go to /invoicesview.php and click add new; if you already have any item, just click it to edit...

AI score: 6
Exploits: 0
Huntr
added 2021/07/04 2:14 a.m. | 10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description In the repo online invoicing system I found a stored XSS which gets exploited on the unpaid invoice view and which is led by the client name. 🕵️‍♂️ Proof of Concept Video PoC: https://drive.google.com/file/d/1emTPPkSgGXM6XllelCrsdTYhhXMGCGb/view?usp=sharing Steps to reproduce: 1. Add a client...

AI score: 0.3
Exploits: 0
Huntr
added 2021/07/04 1:27 a.m. | 13 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description In the repo online rental property manager I found a stored XSS which gets exploited on the member profile view and which is led by the group name. 🕵️‍♂️ Proof of Concept Video PoC: https://drive.google.com/file/d/1oQUZmQfFwaiRUkGYVkJoXxedeSENDbwQ/view?usp=sharing Steps to reproduce: 1...

AI score: 6.6
Exploits: 0
Huntr
added 2021/07/04 1:25 a.m. | 9 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description In the repo online invoicing system I found a stored XSS which gets exploited on the member profile view and which is led by the group name. 🕵️‍♂️ Proof of Concept Video PoC: https://drive.google.com/file/d/1wUNY4BQyvI5RzutUn8T5KbTRMAIAZOlJ/view?usp=sharing Steps to reproduce: 1. Create a group...

AI score: 6.6
Exploits: 0
Huntr
added 2021/07/03 7:09 p.m. | 11 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️‍♂️ Proof of Concept Step to Reproduce: Go to /itemsview.php and add the payload: ""@x.y as Item Description and add required data and...

AI score: 0.1
Exploits: 0
Huntr
added 2021/07/03 5:03 p.m. | 12 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored XSS in anonymous user name due to improper sanitization of user input 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Go to http://192.168.43.130:8081/app//admin/pageSettings.php and click on pre-configured users. 2. Edit anonymous username to xss" 3. Save it and visit...

AI score: 0.2
Exploits: 0
Huntr
added 2021/07/03 4:48 p.m. | 8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored XSS in setting up the mail sender's name due to improper sanitization of user input. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Go to http://192.168.43.130:8081/app/admin/pageSettings.php?search-settings=smtp 2. Enter payload " 3. Now visit...

Exploits: 0
Huntr
added 2021/07/03 4:25 p.m. | 11 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release 🕵️‍♂️ Proof of Concept Step To Reproduce: Visit clientsview.php and click add a new client. Add any details, add payload: on the Comments...

AI score: 6
Exploits: 0
Huntr
added 2021/07/03 4:04 p.m. | 9 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️‍♂️ Proof of Concept Step to reproduce: Go to /admin/pageSettings.php and click Preconfigured users and groups. Add payload: " on Name...

AI score: 5.8
Exploits: 0
Huntr
added 2021/07/03 3:58 p.m. | 8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

💥 BUG XSS via unpaid-invoice-comment 💥 VERSION TESTED latest version as of 3/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-invoice3/app/hooks/calendar-unpaid-invoices.php?date=2021-06-03&view=dayGridMonth and create a...

AI score: 3
Exploits: 0
Huntr
added 2021/07/03 3:30 p.m. | 13 views

in beestat/app

✍️ Description The random number generator implemented by mtrand cannot withstand a cryptographic attack. In this case the function that generates weak random numbers is mtrand in user.php at line 58. 🕵️‍♂️ Proof of Concept Vulnerable Code / Create an anonymous user so we can log in and have access...

AI score: 0.8
Exploits: 0 | References: 1
Huntr
added 2021/07/03 3:16 p.m. | 8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

💥 BUG XSS via invoice-comment 💥 VERSION TESTED latest version as of 3/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-invoice3/app/invoicesview.php and create a new invoice. During creation put the below XSS payload in...

AI score: 2.5
Exploits: 0
Huntr
added 2021/07/03 3:12 p.m. | 8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description Stored XSS via client comment 🕵️‍♂️ Proof of Concept 1. First go to http://localhost/online-invoice3/app/clientsview.php and create a new client. During creation put the below XSS payload in the comment section and save it. xss"' 2. Now when any user opens this client, the XSS is executed...

AI score: 2.5
Exploits: 0
Huntr
added 2021/07/03 12:24 p.m. | 7 views

Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager

✍️ Description The app/admin/pageDeleteMember.php?memberID= does not have CSRF protection. This could be used by attackers to trick the admin into deleting a member from their system. 🕵️‍♂️ Proof of Concept For this attack to work, a logged-in admin should visit the PoC page...

AI score: 2.6
Exploits: 0 | References: 1
Huntr
added 2021/07/03 12:24 p.m. | 13 views

Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager

✍️ Description The app/admin/pageDeleteGroup.php?groupID= does not have CSRF protection. This could be used by attackers to trick the admin into deleting a group from their system. 🕵️‍♂️ Proof of Concept /online-rental-property-manager-6.8/app/admin/pageDeleteGroup.php?groupID=6"Click Here ! When an...

AI score: 2.1
Exploits: 0 | References: 1
Huntr
added 2021/07/03 9:25 a.m. | 7 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored XSS via employmentandincomehistoryview 🕵️‍♂️ Proof of Concept Please check this 1-minute video to reproduce the bug https://drive.google.com/file/d/1wmBmdvdHTLORNc9det4HYj1Dtfd97Y/view?usp=sharing...

AI score: 0.8
Exploits: 0
Huntr
added 2021/07/03 9:23 a.m. | 10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored XSS via residenceandrentalhistoryview 🕵️‍♂️ Proof of Concept Check this 1-minute video to reproduce the bug https://drive.google.com/file/d/1BdPQ-89AXURe8wCGAlwuz8wL1Xge0cmJ/view?usp=sharing...

AI score: 0.8
Exploits: 0
Huntr
added 2021/07/03 9:07 a.m. | 3 views

in bigprof-software/online-rental-property-manager

💥 BUG Privilege escalation bug to add references to an applicant. 💥 IMPACT An unprivileged user can add references to an applicant 💥 STEP TO REPRODUCE 1. From the admin account go to http://localhost/online-rental/app/admin/pageViewMembers.php and add a new user called user-B. Now revoke all access from...

AI score: 0.4
Exploits: 0
Huntr
added 2021/07/03 9:06 a.m. | 10 views

in bigprof-software/online-rental-property-manager

💥 BUG Privilege escalation bug to add employmentandincomehistory to an applicant. 💥 IMPACT An unprivileged user can add employmentandincomehistory to an applicant 💥 STEP TO REPRODUCE 1. From the admin account go to http://localhost/online-rental/app/admin/pageViewMembers.php and add a new user called user-B...

AI score: 0.5
Exploits: 0
Huntr
added 2021/07/03 9:03 a.m. | 12 views

Improper Privilege Management in bigprof-software/online-rental-property-manager

💥 BUG Privilege escalation bug to add residenceandrental to an applicant. 💥 IMPACT An unprivileged user can add residenceandrental to an applicant 💥 STEP TO REPRODUCE 1. From the admin account go to http://localhost/online-rental/app/admin/pageViewMembers.php and add a new user called user-B. Now revoke...

AI score: 0.5
Exploits: 0
Huntr
added 2021/07/03 9:00 a.m. | 5 views

Improper Privilege Management in bigprof-software/online-rental-property-manager

💥 BUG Privilege escalation bug to add applications/leases to an applicant. 💥 IMPACT An unprivileged user can add applications/leases to an applicant 💥 STEP TO REPRODUCE 1. From the admin account go to http://localhost/online-rental/app/admin/pageViewMembers.php and add a new user called user-B. Now revoke...

AI score: 0.6
Exploits: 0

Total number of security vulnerabilities: 4072