Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description I found a stored XSS in your project which is lead by adding comments when creating landlord due to improper sanitization. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create a Landlord. 2. Enter x''' in the comments. 3. Save and you will see prompt. 💥 Impact This vulnerability is...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description I found a stored XSS in your project which is lead by adding anonymous group name. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create a group. 2. Enter group"' in the group name. 3. Save and visit view groups. 4. Click on the Anonymous group you just created. 💥 Impact This...

Cross-site Scripting (XSS) - Stored in aimeos/aimeos-core

✍️ Description Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework this webapp is vulnerabel for stored xss thru filename 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable stored XSS...

Cross-site Scripting (XSS) - Stored in aimeos/aimeos-laravel

✍️ Description Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework this webapp is vulnerabel for stored xss thru filename 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable admin ac takeover , XSS...

Cross-site Scripting (XSS) - Stored in munafio/chatify

✍️ Description A Laravel package helps you add a complete real-time messaging system to your new / existing application with only one command this package is vulnerable for xss 🕵️‍♂️ Proof of Concept 💥 Impact This vulnerability is capable of admin ac takeover...

Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager

💥 BUG csrf to turn off maintanance-mode 💥 VERSION TESTED latest version as of 4/7/21 💥 STEP TO REPRODUCE 1. just visit http://localhost/online-rental/app/admin/ajax-maintenance-mode.php?status=off and it will turn-off maintenance-mode if already enabled.\ Here no csrf token is checking...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG Stored xss 2 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/admin/pageSettings.php and click on Sign Up tab .\ put bellow xss payload xss2"' in Members custom...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG Stored xss via signup page 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/admin/pageSettings.php and click on Sign Up tab . Here allow signup.\ now put bellow xss...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG Stored xss via anonymouse-group 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/admin/pageSettings.php and click Preconfigured users and groups tab .\ put bellow...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG Stored xss 1 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/admin/pageSettings.php and click on Sign Up tab.\ put bellow xss payload in Members custom field 1....

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG XSS via groupname 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/admin/pageViewGroups.php and create a new group .\ During creation put bellow xss payload in...

Cross-site Scripting (XSS) - Stored in volmarg/personal-management-system

💥 BUG XSS via issue-name 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://personal-management-system.pl/my-issues/pending and create a new issue .\ During creation put bellow xss payload in name field and save it.\ xss"' Now whenever you visit...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description stored xss via Group name 🕵️‍♂️ Proof of Concept Step To Reproduce: Go to /admin/pageEditGroup.php and creat a group with payload: '/ Now visit user dashboard ie, /membershipprofile.php and see the xss pops up Poc video:...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️‍♂️ Proof of Concept Step to reproduce: Go to /admin/pageSettings.php?search-settings=smtp and the payload: ""@x.y in the "Senders...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️‍♂️ Proof of Concept Step To Reproduce: Go to /invoicesview.php and click add new if you already has any item, just click it to edit...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description In the repo online invoicing system i found a stored xss which gets exploited on unpaid invoice view which is lead by client name. 🕵️‍♂️ Proof of Concept Video POC: https://drive.google.com/file/d/1emTPPkSgGXM6XllelCrsdTYhhXMGCGb/view?usp=sharing Steps to reproduce: 1. Add a client...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description In the repo online rental property manager where i found a stored xss which gets exploited on member profile view which is lead by group name. 🕵️‍♂️ Proof of Concept Video POC: https://drive.google.com/file/d/1oQUZmQfFwaiRUkGYVkJoXxedeSENDbwQ/view?usp=sharing Steps to reproduce: 1...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description In the repo online invoicing system i found a stored xss which gets exploited on member profile view which is lead by group name. 🕵️‍♂️ Proof of Concept Video POC: https://drive.google.com/file/d/1wUNY4BQyvI5RzutUn8T5KbTRMAIAZOlJ/view?usp=sharing Steps to reproduce: 1. Create a group...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️‍♂️ Proof of Concept Step to Reproduce: Go to /itemsview.php and add the payload: ""@x.y as Item Description and add required data and...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored XSS in anonymous user name due to improper sanitization of user input 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Go to http://192.168.43.130:8081/app//admin/pageSettings.php and click on pre-configured users. 2. Edit anonymous username to xss" 3. Save it and visit...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored XSS in setting up mail sender's name sue to improper sanitization of user input. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Go to http://192.168.43.130:8081/app/admin/pageSettings.php?search-settings=smtp 2. Enter payload " 3. Now visit...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description here is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest releaset 🕵️‍♂️ Proof of Concept Step To Reproduce: Visit clientsview.php and click add a new client Add any details add payload: on the Comments...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description here is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest releasety. 🕵️‍♂️ Proof of Concept step to reproduce: Go to /admin/pageSettings.php and click Preconfigured users and groups Add payload: " on Name...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

💥 BUG xss via unpaid-invoice-comment 💥 VERSION TESTED latest version as of 3/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-invoice3/app/hooks/calendar-unpaid-invoices.php?date=2021-06-03&view=dayGridMonth and create a...

in beestat/app

✍️ Description The random number generator implemented by mtrand cannot withstand a cryptographic attack. In this case the function that generates weak random numbers is mtrand in user.php at line 58. 🕵️‍♂️ Proof of Concept Vulnerable Code / Create an anonymous user so we can log in and have access...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

💥 BUG xss via invoice-comment 💥 VERSION TESTED latest version as of 3/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-invoice3/app/invoicesview.php and create a new invoice .\ During creation put bellow xss payload in...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description stored xss via client comment 🕵️‍♂️ Proof of Concept 1. First goto http://localhost/online-invoice3/app/clientsview.php and create a new client .\ During creation put bellow xss payload in comment section and save it .\ xss"' 2. Now any user open this client then xss is executed...

Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager

✍️ Description The app/admin/pageDeleteMember.php?memberID= does not have a CSRF protection. This could be used by attackers to trick the admin to delete a member from their system. 🕵️‍♂️ Proof of Concept For this attack to work, a logged in admin, should visit the POC page...

Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager

✍️ Description The app/admin/pageDeleteGroup.php?groupID= does not have a CSRF protection. This could be used by attackers to trick the admin to delete a group from their system. 🕵️‍♂️ Proof of Concept /online-rental-property-manager-6.8/app/admin/pageDeleteGroup.php?groupID=6"Click Here ! When an...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss via employmentandincomehistoryview 🕵️‍♂️ Proof of Concept plz check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1wmBmdvdHTLORNc9det4HYj1Dtfd97Y/view?usp=sharing...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description stored xss via residenceandrentalhistoryview 🕵️‍♂️ Proof of Concept check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1BdPQ-89AXURe8wCGAlwuz8wL1Xge0cmJ/view?usp=sharing...

in bigprof-software/online-rental-property-manager

💥 BUG privilege escalation bug to add references to a applicant . 💥 IMPACT unprivileged user can add references to a applicant 💥 STEP TO REPRODUCE 1. From admin account goto http://localhost/online-rental/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke all acccess from...

in bigprof-software/online-rental-property-manager

💥 BUG privilege escalation bug to add employmentandincomehistory to a applicant . 💥 IMPACT unprivileged user can add employmentandincomehistory to a applicant 💥 STEP TO REPRODUCE 1. From admin account goto http://localhost/online-rental/app/admin/pageViewMembers.php and add new user called user-B...

Improper Privilege Management in bigprof-software/online-rental-property-manager

💥 BUG privilege escalation bug to add residenceandrental to a applicant . 💥 IMPACT unprivileged user can add residenceandrental to a applicant 💥 STEP TO REPRODUCE 1. From admin account goto http://localhost/online-rental/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke...

Improper Privilege Management in bigprof-software/online-rental-property-manager

💥 BUG privilege escalation bug to add applications/leases to a applicant . 💥 IMPACT unprivileged user can add applications/leases to a applicant 💥 STEP TO REPRODUCE 1. From admin account goto http://localhost/online-rental/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️‍♂️ Proof of Concept Steps to Reproduce: Go to https://localhost:443///admin/pageSettings.php?search-settings=smtp Add " as senders...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

💥 BUG STORED XSSS 💥 TESTED VERSION latest version as of 3/7/21 💥 STEP TO REPRODUCE plz check this 1 minute video to reproduce the bug https://drive.google.com/file/d/16Y2WR7PKj-OpDGGDMAxV60CaiSX2RZXl/view?usp=sharing...

Cross-site Scripting (XSS) - Reflected in bigprof-software/online-rental-property-manager

✍️ Description Reflected XSS in membershippasswordReset.php where key parameter leads to exploitation of a vulnerability. 🕵️‍♂️ Proof of Concept // POC membershippasswordReset.php?key=;?"alert1 💥 Impact This vulnerability is capable of XSS, steal user cookies, session hijacking...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss in pageTransferOwnership.php where sourceMemberID parameter leads to xss which gets stored in pageViewRecords.php 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Go to admin account 2. Visit URL /app/admin/pageTransferOwnership.php?sourceGroupID=2&sourceMemberID="alert1 💥...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss in adding group name. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create a group and enter s"' in group name 2. Save and view it you will see popup 💥 Impact This vulnerability is capable of stored xss...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored XSS in adding properties lead by adding owners first name and second name. 🕵️‍♂️ Proof of Concept Video POC: https://drive.google.com/file/d/1QbdzPJPHmQPsNl-o43a-Slub4Z3hhNh/view?usp=sharing 💥 Impact This vulnerability is capable of Stored XSS...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss in membership profile. 🕵️‍♂️ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the State field. 4. Update the profile and You will see an alert. 💥 Impact This vulnerability is capable of Stored XSS...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss in membership profile. 🕵️‍♂️ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the city field. 4. Update the profile and You will see an alert. 💥 Impact This vulnerability is capable of Stored xss...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss in membership profile. 🕵️‍♂️ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the Address field. 4. Update the profile and You will see an alert. 💥 Impact This vulnerability is capable of stored...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description There is a stored xss in member profile in the full name 🕵️‍♂️ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the Full Name field. 4. Update the profile and You will see an alert. 💥 Impact Stored XSS...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG xss via unit description 💥 VERSION TESTED latest version as of 1/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/unitsview.php and create a new unit .\ During creation put bellow xss payload in...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

💥 BUG xss via Applications/Leases 💥 VERSION TESTED latest version as of 1/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/applicationsleasesview.php and create a new application .\ During creation put bellow...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss in profile City field.\ There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. 🕵️‍♂️ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss in profile Full-name field.\ There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. 🕵️‍♂️ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user...

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss in profile Address field.\ There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. 🕵️‍♂️ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user...