Lucene search
K

4072 matches found

Huntr
Huntr
•added 2021/07/03 8:58 a.m.•15 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

āœļø Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: Go to https://localhost:443///admin/pageSettings.php?search-settings=smtp Add " as senders...

6AI score
Exploits0References1
Huntr
Huntr
•added 2021/07/03 6:7 a.m.•8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

šŸ’„ BUG STORED XSSS šŸ’„ TESTED VERSION latest version as of 3/7/21 šŸ’„ STEP TO REPRODUCE plz check this 1 minute video to reproduce the bug https://drive.google.com/file/d/16Y2WR7PKj-OpDGGDMAxV60CaiSX2RZXl/view?usp=sharing...

0.1AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 3:59 a.m.•9 views

Cross-site Scripting (XSS) - Reflected in bigprof-software/online-rental-property-manager

āœļø Description Reflected XSS in membershippasswordReset.php where key parameter leads to exploitation of a vulnerability. šŸ•µļøā€ā™‚ļø Proof of Concept // POC membershippasswordReset.php?key=;?"alert1 šŸ’„ Impact This vulnerability is capable of XSS, steal user cookies, session hijacking...

1.5AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 3:47 a.m.•7 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

āœļø Description Stored xss in pageTransferOwnership.php where sourceMemberID parameter leads to xss which gets stored in pageViewRecords.php šŸ•µļøā€ā™‚ļø Proof of Concept Steps to reproduce: 1. Go to admin account 2. Visit URL /app/admin/pageTransferOwnership.php?sourceGroupID=2&sourceMemberID="alert1 šŸ’„...

0.8AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 3:8 a.m.•8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

āœļø Description Stored xss in adding group name. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to reproduce: 1. Create a group and enter s"' in group name 2. Save and view it you will see popup šŸ’„ Impact This vulnerability is capable of stored xss...

0.4AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 2:52 a.m.•6 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

āœļø Description Stored XSS in adding properties lead by adding owners first name and second name. šŸ•µļøā€ā™‚ļø Proof of Concept Video POC: https://drive.google.com/file/d/1QbdzPJPHmQPsNl-o43a-Slub4Z3hhNh/view?usp=sharing šŸ’„ Impact This vulnerability is capable of Stored XSS...

0.4AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 2:38 a.m.•5 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

āœļø Description Stored xss in membership profile. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the State field. 4. Update the profile and You will see an alert. šŸ’„ Impact This vulnerability is capable of Stored XSS...

1.4AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 2:36 a.m.•10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

āœļø Description Stored xss in membership profile. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the city field. 4. Update the profile and You will see an alert. šŸ’„ Impact This vulnerability is capable of Stored xss...

1.4AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 2:35 a.m.•11 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

āœļø Description Stored xss in membership profile. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the Address field. 4. Update the profile and You will see an alert. šŸ’„ Impact This vulnerability is capable of stored...

1.3AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 2:33 a.m.•7 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

āœļø Description There is a stored xss in member profile in the full name šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the Full Name field. 4. Update the profile and You will see an alert. šŸ’„ Impact Stored XSS...

0.6AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 2:21 a.m.•9 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

šŸ’„ BUG xss via unit description šŸ’„ VERSION TESTED latest version as of 1/7/21 šŸ’„ IMPACT xss allow to execute arbitary javascript in vicitm account šŸ’„ STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/unitsview.php and create a new unit .\ During creation put bellow xss payload in...

2.4AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 2:11 a.m.•12 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

šŸ’„ BUG xss via Applications/Leases šŸ’„ VERSION TESTED latest version as of 1/7/21 šŸ’„ IMPACT xss allow to execute arbitary javascript in vicitm account šŸ’„ STEP TO REPRODUCE 1. goto http://localhost/online-rental/app/applicationsleasesview.php and create a new application .\ During creation put bellow...

2.9AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 1:59 a.m.•10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

āœļø Description Stored xss in profile City field.\ There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user...

0.3AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 1:58 a.m.•8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

āœļø Description Stored xss in profile Full-name field.\ There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user...

0.2AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 1:55 a.m.•9 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

āœļø Description Stored xss in profile Address field.\ There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user...

0.2AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 1:53 a.m.•11 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

āœļø Description Stored xss in profile state field There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user...

0.2AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 1:44 a.m.•9 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

šŸ’„ BUG xss via groupname permission šŸ’„ VERSION TESTED latest version as of 1/7/21 šŸ’„ IMPACT xss allow to execute arbitary javascript in vicitm account šŸ’„ STEP TO REPRODUCE 1. first goto http://localhost/online-rental/app/admin/pageEditGroup.php and add a new group and put bellow xss payload in...

0.8AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 1:39 a.m.•10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

šŸ’„ BUG Stored xss via group name šŸ’„ TESTED VERSION latest version as of 01/07/21 šŸ’„ STEP TO REPRODUCE 1. create a group with bellow xss payload in name.\ group1"'.\ 2. Now add a new user called user-B to the above group .\ 3. Finally visit...

1.7AI score
Exploits0
Huntr
Huntr
•added 2021/07/03 1:23 a.m.•10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

šŸ’„ BUG xss via landlord comment šŸ’„ VERSION TESTED latest version as of 1/7/21 šŸ’„ IMPACT xss allow to execute arbitary javascript in vicitm account šŸ’„ STEP TO REPRODUCE 1. first goto http://localhost/online-rental/app/rentalownersview.php and add a new landlord .\ During creation put bellow xss payloa...

2.6AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 7:8 p.m.•10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

šŸ’„ BUG xss via groupname in item šŸ’„ VERSION TESTED latest version as of 1/7/21 šŸ’„ IMPACT xss allow to execute arbitary javascript in vicitm account šŸ’„ STEP TO REPRODUCE 1. first goto http://localhost/online-invoice2/app/admin/pageEditGroup.php and add a new group and put bellow xss payload in...

2AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 6:53 p.m.•13 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

šŸ’„ BUG xss via groupname šŸ’„ VERSION TESTED latest version as of 1/7/21 šŸ’„ IMPACT xss allow to execute arbitary javascript in vicitm account šŸ’„ STEP TO REPRODUCE 1. first goto http://localhost/online-invoice2/app/admin/pageEditGroup.php and add a new group and put bellow xss payload in group-name....

1AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 6:37 p.m.•10 views

Improper Privilege Management in bigprof-software/online-invoicing-system

šŸ’„ BUG privilege escalation bug to add item to a price-history šŸ’„ IMPACT unprivileged user can add item to a price-history šŸ’„ STEP TO REPRODUCE 1. From admin account goto http://localhost/online-invoice2/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke all acccess from item...

0.9AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 6:35 p.m.•6 views

Improper Privilege Management in bigprof-software/online-invoicing-system

šŸ’„ BUG privilege escalation bug to add invoice to a client . šŸ’„ IMPACT unprivileged user can add invoice to a client šŸ’„ STEP TO REPRODUCE 1. From admin account goto http://localhost/online-invoice2/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke all acccess from client...

1.5AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 4:11 p.m.•6 views

in getgrav/grav

āœļø Description A cookie with an overly broad path can be accessed through other applications on the same domain. šŸ•µļøā€ā™‚ļø Proof of Concept Application deployed at http://real.example.com/grav and the application sets a session ID cookie with path "/" when users log in to the forum. then below code is...

0.8AI score
Exploits0References1
Huntr
Huntr
•added 2021/07/02 3:33 p.m.•18 views

in projectsend/projectsend

šŸ’„ BUG create client even when self client registration is disabled šŸ’„ IMPACT any user can create create client even when self client registration is disabled šŸ’„ STEP TO REPRODUCE 1. From admin account goto http://localhost/projectsend2/options.php?section=clients and disabled client registration....

0.2AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 3:0 p.m.•14 views

Cross-site Scripting (XSS) - Stored in projectsend/projectsend

āœļø Description section parameter at Line 331 of email-templates.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at builtinecho in email-templates.php at line 331 šŸ•µļøā€ā™‚ļø Proof of Concept Data enters in application...

0.2AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 2:39 p.m.•6 views

Cross-site Scripting (XSS) - Reflected in projectsend/projectsend

āœļø Description GET parameter ?client= in Line 419 of manage-files.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at builtinecho in manage-files.php at line 419. šŸ•µļøā€ā™‚ļø Proof of Concept Data enters a web application...

0.3AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 2:5 p.m.•14 views

Cross-site Scripting (XSS) - Stored in devcode-it/openstamanager

āœļø Description Stored xss through file upload via anagrafiche šŸ•µļøā€ā™‚ļø Proof of Concept Go to an existing Anagrafiche or create a new one. Upload a .svg file with the following content: javascript alertdocument.cookie; give a name you want ending with .svg store-xss.svg for example. when you click on...

7AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 12:44 p.m.•10 views

in projectsend/projectsend

šŸ’„ BUG privilege escalation bug to update admin email-address and company name etc . šŸ’„ IMPACT unprivileged user can update admin email-address and company name etc šŸ’„ STEP TO REPRODUCE 1. From admin account goto http://localhost/projectsend2/users.php and add new user called user-B with uploader...

Exploits0
Huntr
Huntr
•added 2021/07/02 4:30 a.m.•9 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

āœļø Description There is a Stored XSS in the online invoicing system view price history which is lead by adding invoice items. šŸ’„ TESTED VERSION https://github.com/bigprof-software/online-invoicing-system/releases/tag/v5.0 šŸ•µļøā€ā™‚ļø Proof of Concept POC Video:...

0.2AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 3:28 a.m.•9 views

Cross-site Scripting (XSS) - Reflected in projectsend/projectsend

šŸ’„ BUG reflected xss šŸ’„ STEP TO REPRODUCE 1. Login to your account and visit url http://localhost/projectsend2/process.php?do=returnfilesids&files%5B0%5D%5Bname%5D=batch%5B%5D&files%5B0%5D%5Bvalue%5D=32%27%22%3E%3Cimg+src=x+onerror=alert%3E and see xss is executed šŸ’„ IMPACT Attacker can execute...

0.8AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 3:17 a.m.•11 views

Cross-site Scripting (XSS) - Stored in projectsend/projectsend

šŸ’„ BUG CSRF bug to delete file šŸ’„ SUMMURY during batch delete file there is no csrf token present šŸ’„ STEP TO REPRODUCE 1. vulnerable url is http://localhost/projectsend2/manage-files.php?action=delete&batch=27&batch=31&page=1 .\ Here in this url change file-id to delete and open the url and see file...

7AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 1:20 a.m.•11 views

Cross-site Scripting (XSS) - Stored in projectsend/projectsend

šŸ’„ BUG Stored xss during file upload šŸ’„ STEP TO REPRODUCE check this 1 minute video to reproduce the bug https://drive.google.com/file/d/17TkVQxAOuXxSnlaPh4smvbJndcW-JQla/view?usp=sharing šŸ’„ IMPACT Lower level user can make xss attack against admin. So, using this xss bug lower level user can execut...

0.4AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 1:8 a.m.•8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

āœļø Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the...

0.6AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 1:7 a.m.•10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

āœļø Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the City field as tested on the latest release. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the City...

1AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 1:5 a.m.•8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

āœļø Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the...

0.9AI score
Exploits0
Huntr
Huntr
•added 2021/07/02 1:4 a.m.•5 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

āœļø Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Full name field as tested on latest release. šŸ•µļøā€ā™‚ļø Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the Full...

0.5AI score
Exploits0
Huntr
Huntr
•added 2021/07/01 6:57 p.m.•5 views

Cross-site Scripting (XSS) - Reflected in bigprof-software/online-invoicing-system

āœļø Description /app/admin/pageTransferOwnership.php with sourceMemberID parameter is vulnerable to Reflected XSS. Line 216 of pageTransferOwnership.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at builtinecho in...

0.5AI score
Exploits0References1
Huntr
Huntr
•added 2021/07/01 8:58 a.m.•11 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

šŸ’„ BUG Stored xss via client address in invoice šŸ’„ TESTED VERSION latest version as of 01/07/21 šŸ’„ STEP TO REPRODUCE 1. From admin account goto http://localhost/online-invoice2/app/admin/pageViewMembers.php and add a new user called user-B with read-write permission in invoice/client module .\ 2...

0.7AI score
Exploits0
Huntr
Huntr
•added 2021/07/01 8:55 a.m.•3 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

šŸ’„ BUG Stored xss via group name šŸ’„ TESTED VERSION latest version as of 01/07/21 šŸ’„ STEP TO REPRODUCE 1. create a group with bellow xss payload in name.\ group1"'.\ 2. Now add a new user called user-B to the above group .\ 3. Finally visit...

1.6AI score
Exploits0
Huntr
Huntr
•added 2021/07/01 2:45 a.m.•22 views

Session Fixation in filegator/filegator

āœļø Description the password reset function is vulnerable to session fixation bug, it's a small low hanging bug šŸ•µļøā€ā™‚ļø Proof of Concept open filegator and login with similar accounts in multiple browsers. change the password of the user in one browser and reload the other login session. we can see...

1.2AI score
Exploits0
Huntr
Huntr
•added 2021/07/01 1:46 a.m.•9 views

Cross-site Scripting (XSS) - Stored in getgrav/grav

āœļø Description Grav is vulnerable to XSS via bad SVG files. It is possible to upload an SVG file that contains errors after script tags. šŸ•µļøā€ā™‚ļø Proof of Concept SVG file content: html alertdocument.domain; 1. Create an SVG file with the above content. 2. Upload it through profile image update. 3...

Exploits0
Huntr
Huntr
•added 2021/06/30 9:36 p.m.•34 views

Inefficient Regular Expression Complexity in chatwoot/chatwoot

āœļø Description If we want to use Regex in our match or search or replace or ... functions, we must be sanitize this function's inputs. if an attacker capable to inject any Regex or abuse the bad Regexes that used in our codes, then the ReDoS vulnerability appear and according to "freezing the web ...

5CVSS1.4AI score0.01222EPSS
Exploits1
Huntr
Huntr
•added 2021/06/30 5:49 p.m.•9 views

Server-Side Request Forgery (SSRF) in kalcaddle/kodexplorer

āœļø Description The path is vulnerable to ssrf via svg file upload šŸ•µļøā€ā™‚ļø Proof of Concept upload an SVG file with SSRF payload in it. open option on the file and open with browser. šŸ’„ Impact redirect host via ssrf...

1.8AI score
Exploits0
Huntr
Huntr
•added 2021/06/30 12:34 p.m.•10 views

Cross-site Scripting (XSS) - Stored in combodo/itop

šŸ’„ BUG stored xss via file upload šŸ’„ STEP TO REPRODUCE here in this case i uploaded a html file with xss payload inside.\ Plz check this 1 minute video to reproduce https://drive.google.com/file/d/1xKqYFgrsFUfp9Ufe4XiATQcAL-Q6Mr9G/view?usp=sharing šŸ’„ Impact I see there is many different type of role...

7AI score
Exploits0
Huntr
Huntr
•added 2021/06/30 12:31 p.m.•5 views

Cross-site Scripting (XSS) - Stored in combodo/itop

šŸ’„ BUG stored xss via problem title šŸ’„ STEP TO REPRODUCE Plz check this 1 minute video to reproduce https://drive.google.com/file/d/1n7ni3y5LNkK2ntrTTvVNLNOEmf2iKReO/view?usp=sharing šŸ’„ Impact I see there is many different type of role base user . So, user who has permission to create problem can ma...

6.8AI score
Exploits0
Huntr
Huntr
•added 2021/06/30 12:27 p.m.•11 views

Cross-site Scripting (XSS) - Stored in combodo/itop

šŸ’„ BUG stored xss via contact lastname šŸ’„ STEP TO REPRODUCE Plz check this 1 minute video to reproduce https://drive.google.com/file/d/1bR9ili6jKxX3UQ2dQUQTqNL0e4LsMDtk/view?usp=sharing šŸ’„ Impact I see there is many different type of role base user . So, user who has permission to create contact can...

0.7AI score
Exploits0
Huntr
Huntr
•added 2021/06/30 9:17 a.m.•9 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

āœļø Description There is a Stored XSS in the online invoicing system when adding a group name. šŸ•µļøā€ā™‚ļø Proof of Concept Video POC: https://drive.google.com/file/d/13VaUfJrhd7m565lMQWZMfzXhfYPVjPV/view?usp=sharing Payload: ''' šŸ’„ Impact Stored XSS...

Exploits0
Huntr
Huntr
•added 2021/06/30 9:11 a.m.•10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

āœļø Description There is a Stored XSS in the online invoicing system which could be exploited by any user who has permission to add a client. when a comment is added during the creation of a client by the user then due to improper sanitization XSS payload gets triggered. šŸ•µļøā€ā™‚ļø Proof of Concept Video...

0.2AI score
Exploits0
Huntr
Huntr
•added 2021/06/30 8:58 a.m.•7 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

āœļø Description There is a Stored XSS in the online invoicing system which could be exploited by any user who has permission to add the invoice. when a comment is added during the creation of invoices by any user then due to improper sanitization XSS payload gets triggered. šŸ•µļøā€ā™‚ļø Proof of Concept...

0.4AI score
Exploits0
Total number of security vulnerabilities4072