Cross-site Scripting (XSS) - Stored in sylius/sylius
✍️ Description Open Source eCommerce Platform on Symfony. This package is vulnerable to stored XSS through SVG files. 🕵️♂️ Proof of Concept https://i.imgur.com/UNqIg8l.mp4 💥 Impact This vulnerability is capable of XSS...
Cross-site Scripting (XSS) - Stored in leantime/leantime
✍️ Description Stored XSS bug using an XSS payload in the Hypothesis when adding a new Research 🕵️♂️ Proof of Concept Go to http://localhost/leancanvas/simpleCanvas, click on add new, and copy-paste the following XSS payload javascript " Click on Save and see the XSS popup with the cookie. 💥...
Cross-site Scripting (XSS) - Stored in leantime/leantime
✍️ Description Stored XSS bug using an XSS payload in the Milestone Title when adding a new milestone 🕵️♂️ Proof of Concept Go to http://localhost/tickets/roadmap, click on add Milestone, and copy-paste the following XSS payload javascript " Click on Save and see the XSS popup with the cookie. 💥...
Cross-Site Request Forgery (CSRF) in boxbilling/boxbilling
✍️ Description CSRF on changing the password of an admin account. There is no token or anti-CSRF measure implemented. 🕵️♂️ Proof of Concept Create a .html file, poc.html for example, and copy-paste the following code into it. Change localhost to your domain or IP address. javascript CSRF PoC send this file to a...
Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
✍️ Description XSS via file upload in profile settings 🕵️♂️ Proof of Concept Open chatwoot, log in to your profile, go to profile settings, upload an SVG file with an XSS payload and update the profile. Open the avatar in a new page; the XSS will be triggered. 💥 Impact Custom JavaScript code is executed...
Server-Side Request Forgery (SSRF) in chatwoot/chatwoot
✍️ Description SSRF via SVG file upload 🕵️♂️ Proof of Concept Create a new inbox, change its avatar to an SVG file with an SSRF payload in it, and open the image in a new tab. 💥 Impact Host redirect...
Session Fixation in chatwoot/chatwoot
✍️ Description The application is vulnerable to session fixation: even after a user changes their password, the old sessions on other devices persist. 🕵️♂️ Proof of Concept 1. Open chatwoot and log in to your account on multiple browsers. 2. Change the password of the account on one of...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description I found a stored XSS in your project which is led by adding a client's comment. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a Client. 2. Enter " in the comments. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description I found a stored XSS in your project which is led by adding an invoice comment. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create an invoice. 2. Enter " in the comments. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description I found a stored XSS in your project which is led by adding an unpaid invoice comment. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create an unpaid invoice. 2. Enter " in the comments. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description I found a stored XSS in your project which is led by adding an anonymous group name. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a group. 2. Enter group"' in the group name. 3. Save and visit view groups. 4. Click on the Anonymous group you just created. 💥 Impact This...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is led by adding Leases starting/ending. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a Starting or Ending, as both are vulnerable. 2. Enter " in the notes. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is led by adding Application/Leases notes. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create an Application/Leases. 2. Enter " in the notes. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is led by adding a Units description. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a Unit. 2. Enter " in the description. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is led by adding a property name that reflects on summary-reports-application-leases-1.php 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a Property. 2. Enter x''' in the comments. 3. Save and visit...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is led by adding comments when creating a landlord, due to improper sanitization. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a Landlord. 2. Enter x''' in the comments. 3. Save and you will see the prompt. 💥 Impact This vulnerability is...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is led by adding an anonymous group name. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a group. 2. Enter group"' in the group name. 3. Save and visit view groups. 4. Click on the Anonymous group you just created. 💥 Impact This...
Cross-site Scripting (XSS) - Stored in aimeos/aimeos-core
✍️ Description Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework. This webapp is vulnerable to stored XSS through the filename. 🕵️♂️ Proof of Concept 💥 Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in aimeos/aimeos-laravel
✍️ Description Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework. This webapp is vulnerable to stored XSS through the filename. 🕵️♂️ Proof of Concept 💥 Impact This vulnerability is capable of admin account takeover, XSS...
Cross-site Scripting (XSS) - Stored in munafio/chatify
✍️ Description A Laravel package that helps you add a complete real-time messaging system to your new / existing application with only one command. This package is vulnerable to XSS. 🕵️♂️ Proof of Concept 💥 Impact This vulnerability is capable of admin account takeover...
Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager
💥 BUG CSRF to turn off maintenance mode 💥 VERSION TESTED latest version as of 4/7/21 💥 STEP TO REPRODUCE 1. Just visit http://localhost/online-rental/app/admin/ajax-maintenance-mode.php?status=off and it will turn off maintenance mode if already enabled. Here no CSRF token is checked...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
💥 BUG Stored XSS 2 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-rental/app/admin/pageSettings.php and click on the Sign Up tab. Put the below XSS payload xss2"' in Members custom...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
💥 BUG Stored XSS via signup page 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-rental/app/admin/pageSettings.php and click on the Sign Up tab. Here allow signup. Now put the below XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
💥 BUG Stored XSS via anonymous group 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-rental/app/admin/pageSettings.php and click the Preconfigured users and groups tab. Put the below...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
💥 BUG Stored XSS 1 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-rental/app/admin/pageSettings.php and click on the Sign Up tab. Put the below XSS payload in Members custom field 1....
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
💥 BUG XSS via group name 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-rental/app/admin/pageViewGroups.php and create a new group. During creation put the below XSS payload in...
Cross-site Scripting (XSS) - Stored in volmarg/personal-management-system
💥 BUG XSS via issue name 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://personal-management-system.pl/my-issues/pending and create a new issue. During creation put the below XSS payload in the name field and save it. xss"' Now whenever you visit...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description Stored XSS via Group name 🕵️♂️ Proof of Concept Steps to reproduce: Go to /admin/pageEditGroup.php and create a group with payload: '/ Now visit the user dashboard, i.e. /membershipprofile.php, and see the XSS pop up. PoC video:...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️♂️ Proof of Concept Step to reproduce: Go to /admin/pageSettings.php?search-settings=smtp and the payload: ""@x.y in the "Senders...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field, as tested on the latest release. 🕵️♂️ Proof of Concept Steps to reproduce: Go to /invoicesview.php and click add new; if you already have any item, just click it to edit...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description In the repo online invoicing system I found a stored XSS which gets exploited on the unpaid invoice view and which is led by the client name. 🕵️♂️ Proof of Concept Video PoC: https://drive.google.com/file/d/1emTPPkSgGXM6XllelCrsdTYhhXMGCGb/view?usp=sharing Steps to reproduce: 1. Add a client...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description In the repo online rental property manager I found a stored XSS which gets exploited on the member profile view and which is led by the group name. 🕵️♂️ Proof of Concept Video PoC: https://drive.google.com/file/d/1oQUZmQfFwaiRUkGYVkJoXxedeSENDbwQ/view?usp=sharing Steps to reproduce: 1...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description In the repo online invoicing system I found a stored XSS which gets exploited on the member profile view and which is led by the group name. 🕵️♂️ Proof of Concept Video PoC: https://drive.google.com/file/d/1wUNY4BQyvI5RzutUn8T5KbTRMAIAZOlJ/view?usp=sharing Steps to reproduce: 1. Create a group...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field, as tested on the latest release. 🕵️♂️ Proof of Concept Steps to reproduce: Go to /itemsview.php and add the payload: ""@x.y as Item Description, add the required data, and...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored XSS in the anonymous user name due to improper sanitization of user input 🕵️♂️ Proof of Concept Steps to reproduce: 1. Go to http://192.168.43.130:8081/app//admin/pageSettings.php and click on pre-configured users. 2. Edit the anonymous username to xss" 3. Save it and visit...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored XSS when setting up the mail sender's name due to improper sanitization of user input. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Go to http://192.168.43.130:8081/app/admin/pageSettings.php?search-settings=smtp 2. Enter payload " 3. Now visit...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field, as tested on the latest release. 🕵️♂️ Proof of Concept Steps to reproduce: Visit clientsview.php and click add a new client. Add any details and add the payload: on the Comments...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field, as tested on the latest release. 🕵️♂️ Proof of Concept Steps to reproduce: Go to /admin/pageSettings.php and click Preconfigured users and groups. Add payload: " on Name...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
💥 BUG XSS via unpaid invoice comment 💥 VERSION TESTED latest version as of 3/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-invoice3/app/hooks/calendar-unpaid-invoices.php?date=2021-06-03&view=dayGridMonth and create a...
in beestat/app
✍️ Description The random number generator implemented by mtrand cannot withstand a cryptographic attack. In this case the function that generates weak random numbers is mtrand in user.php at line 58. 🕵️♂️ Proof of Concept Vulnerable Code / Create an anonymous user so we can log in and have access...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
💥 BUG XSS via invoice comment 💥 VERSION TESTED latest version as of 3/7/21 💥 IMPACT XSS allows executing arbitrary JavaScript in the victim's account 💥 STEP TO REPRODUCE 1. Go to http://localhost/online-invoice3/app/invoicesview.php and create a new invoice. During creation put the below XSS payload in...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description Stored XSS via client comment 🕵️♂️ Proof of Concept 1. First go to http://localhost/online-invoice3/app/clientsview.php and create a new client. During creation put the below XSS payload in the comment section and save it. xss"' 2. Now when any user opens this client, the XSS is executed...
Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager
✍️ Description The app/admin/pageDeleteMember.php?memberID= endpoint does not have CSRF protection. This could be used by attackers to trick the admin into deleting a member from their system. 🕵️♂️ Proof of Concept For this attack to work, a logged-in admin should visit the PoC page...
Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager
✍️ Description The app/admin/pageDeleteGroup.php?groupID= endpoint does not have CSRF protection. This could be used by attackers to trick the admin into deleting a group from their system. 🕵️♂️ Proof of Concept /online-rental-property-manager-6.8/app/admin/pageDeleteGroup.php?groupID=6"Click Here ! When an...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored XSS via employmentandincomehistoryview 🕵️♂️ Proof of Concept Please check this 1-minute video to reproduce the bug: https://drive.google.com/file/d/1wmBmdvdHTLORNc9det4HYj1Dtfd97Y/view?usp=sharing...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored XSS via residenceandrentalhistoryview 🕵️♂️ Proof of Concept Check this 1-minute video to reproduce the bug: https://drive.google.com/file/d/1BdPQ-89AXURe8wCGAlwuz8wL1Xge0cmJ/view?usp=sharing...
in bigprof-software/online-rental-property-manager
💥 BUG Privilege escalation bug to add references to an applicant. 💥 IMPACT An unprivileged user can add references to an applicant 💥 STEP TO REPRODUCE 1. From the admin account go to http://localhost/online-rental/app/admin/pageViewMembers.php and add a new user called user-B. Now revoke all access from...
in bigprof-software/online-rental-property-manager
💥 BUG Privilege escalation bug to add employmentandincomehistory to an applicant. 💥 IMPACT An unprivileged user can add employmentandincomehistory to an applicant 💥 STEP TO REPRODUCE 1. From the admin account go to http://localhost/online-rental/app/admin/pageViewMembers.php and add a new user called user-B...
Improper Privilege Management in bigprof-software/online-rental-property-manager
💥 BUG Privilege escalation bug to add residenceandrental to an applicant. 💥 IMPACT An unprivileged user can add residenceandrental to an applicant 💥 STEP TO REPRODUCE 1. From the admin account go to http://localhost/online-rental/app/admin/pageViewMembers.php and add a new user called user-B. Now revoke...
Improper Privilege Management in bigprof-software/online-rental-property-manager
💥 BUG Privilege escalation bug to add applications/leases to an applicant. 💥 IMPACT An unprivileged user can add applications/leases to an applicant 💥 STEP TO REPRODUCE 1. From the admin account go to http://localhost/online-rental/app/admin/pageViewMembers.php and add a new user called user-B. Now revoke...