4057 matches found

Huntr
added 2021/06/27 3:44 a.m., 9 views

Command Injection in sofianehamlaoui/lockdoor-framework

✍️ Description inurlbr function is vulnerable to CI of exploitation.py 🕵️‍♂️ Proof of Concept // PoC https://drive.google.com/file/d/1HpID3CrNAqK7t0C2JttP75Eqptha6r-D/view?usp=sharing 💥 Impact command run as root. So an attacker could do potential damage to the machine...

AI score: 1.8
Exploits: 0

Huntr
added 2021/06/27 3:42 a.m., 7 views

Command Injection in sofianehamlaoui/lockdoor-framework

✍️ Description Unsanitized user input leads to command injection. 🕵️‍♂️ Proof of Concept // PoC whatweb CI https://drive.google.com/file/d/1mrYiu7oTaAm2qjLDKz23VMUkiujafTh/view?usp=sharing 💥 Impact command run as root. So an attacker could do potential damage to the machine...

AI score: 1.5
Exploits: 0

Huntr
added 2021/06/27 3:39 a.m., 5 views

Command Injection in sofianehamlaoui/lockdoor-framework

✍️ Description Unsanitized user input leads to command injection 🕵️‍♂️ Proof of Concept POC screenshot: https://drive.google.com/file/d/1zShz68hGd5zcpB1fpk4KVv5TDS6-vXT/view?usp=sharing 💥 Impact command run as root. So an attacker could do potential damage to the machine...

AI score: 1.5
Exploits: 0

Huntr
added 2021/06/26 9:39 p.m., 9 views

Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp

✍️ Description ?tab= parameter is vulnerable to Cross Site Scripting. Line 1974 of backup.php sends unvalidated data to a web browser, which can result in the browser executing malicious code of XSS. 🕵️‍♂️ Proof of Concept POC SCREENSHOT: 1. Just visit /settings.php?tab=alert1 and XSS will be pop...

AI score: 1
Exploits: 0, References: 1

Huntr
added 2021/06/26 6:00 p.m., 14 views

OS Command Injection in falconchristmas/fpp

✍️ Description Application is reading invalidated user input at Line 44 through: $plugin = $pluginInfo['repoName'];. Line 57 in plugin.php calls system to execute a command. This might allow an attacker to inject malicious commands. 🕵️‍♂️ Proof of Concept SCREENSHOT:...

AI score: 0.2
Exploits: 0, References: 1

Huntr
added 2021/06/26 5:42 a.m., 10 views

in beestat/app

✍️ Description The random number generator implemented by mt_rand on session keys is not suitable for cryptographic purposes generation of tokens, passwords, or cryptographic keys either. mt_rand function that produces predictable values is utilized as a source of randomness in a security-sensitive...

AI score: 0.3
Exploits: 0

Huntr
added 2021/06/25 6:37 p.m., 9 views

Cross-site Scripting (XSS) - Stored in nebulade/meemo

✍️ Description Stored xss in meemo file create functionality 🕵️‍♂️ Proof of Concept Payload: Test POC screenshot: https://drive.google.com/file/d/1aLBRIdU2AAz-RXa6uEF0IiWfks5jHMu/view?usp=sharing Tested on the demo website of the latest release. To reproduce create a file and add the following...

AI score: 6.8
Exploits: 0

Huntr
added 2021/06/25 6:18 p.m., 13 views

in alovoa/alovoa

✍️ Description Random.setSeed should not be called with a constant integer argument. If a Random object is seeded with a specific value, the values returned by Random.nextInt and similar methods which return or assign values are predictable. 🕵️‍♂️ Proof of Concept Vulnerable code of:...

AI score: 1
Exploits: 0

Huntr
added 2021/06/25 6:02 p.m., 8 views

Cross-site Scripting (XSS) - Stored in microweber/microweber

✍️ Description Hello, I found CSRF + XSS on website so the impact of XSS could be presented. There is no CSRF token or protection on: http://example.microweber.me/checkout/contact-information-save CSRF HTML PoC: history.pushState('', '', '/') and when we submit request XSS gets executed at the same...

AI score: 0.5
Exploits: 0, References: 2

Huntr
added 2021/06/25 4:12 p.m., 13 views

OS Command Injection in mrchuckomo/poddycast

✍️ Description The application does not clean the HTML characters of the podcast information obtained from the Feed, which allows the injection of HTML and JS code. XSS Being an application made in electron, an XSS can be scaled to RCE, making it possible to execute commands on the machine where...

AI score: 1.4
Exploits: 0

Huntr
added 2021/06/25 11:23 a.m., 11 views

Improper Access Control in dani-garcia/vaultwarden

✍️ Description Vaultwarden allows users to share files and texts securely with anyone. This feature enables the user to control the number of accesses to a file or text and also the expiration date. A person, to retrieve one of these files, needs to access the share link in a browser. This link...

AI score: 0.1
Exploits: 0

Huntr
added 2021/06/25 10:53 a.m., 7 views

in hascheksolutions/opentrashmail

✍️ Description Attackers can control the filesystem path argument to readfile at api.php line 35 for ?email= parameter, which allows them to access or modify otherwise protected files. Analysis Trace: 1. application takes unsanitized input at: $email = strtolower($_REQUEST['email']); 2. Assigning user...

AI score: 2.5
Exploits: 0, References: 1

Huntr
added 2021/06/25 9:32 a.m., 12 views

OS Command Injection in sofianehamlaoui/lockdoor-framework

✍️ Description Command Injection due to unsanitized variable named algo 🕵️‍♂️ Proof of Concept 💥 Impact CI with the highest privilege...

AI score: 3
Exploits: 0

Huntr
added 2021/06/25 2:48 a.m., 6 views

OS Command Injection in fabio286/antares

✍️ Description The application displays the connection error message returned by the server without removing the malicious tags, which leads to XSS attacks. https://imgur.com/3MhhvFp.png https://i.imgur.com/RksNgXF.png Being an application made in electron, an XSS can be scaled to RCE, making it...

Exploits: 0

Huntr
added 2021/06/24 8:25 p.m., 12 views

in phpservermon/phpservermon

✍️ Description The program creates a cookie without setting the secure flag to true. Modern web browsers support a secure flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing...

AI score: 0.2
Exploits: 0, References: 1

Huntr
added 2021/06/23 2:49 p.m., 12 views

in phpservermon/phpservermon

✍️ Description The random number generator implemented by mt_rand cannot withstand a cryptographic attack. Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. In this case the function that generates...

AI score: 0.4
Exploits: 0, References: 2

Huntr
added 2021/06/23 1:44 p.m., 6 views

in lavv17/lftp

✍️ Description Whilst testing lftp built from commit d67fc1 with Clang 13 +ASan on Ubuntu 20.04.2 LTS, we discovered a crafted file which triggers a null pointer dereference and segfault. 🕵️‍♂️ Proof of Concept echo "aiYgAQEBNA==" | base64 -d > /tmp/file.fuzz && ./lftp -f /tmp/file.fuzz The above POC...

AI score: 0.9
Exploits: 0

Huntr
added 2021/06/23 8:41 a.m., 10 views

Stack-based Buffer Overflow in rup0rt/pcapfix

Description A stack overflow was found in pcapfix in function fixpcappackets in pcap.c at line 550. The root cause seems at line 458, there is an int overflow if filesize-pos-sizeofpackethdr is negative. Test version : 1.1.6 2fe168e Test env: gcc 9.3.0 ubuntu 20.04 x86-64 Proof of Concept...

Exploits: 0, References: 1

Huntr
added 2021/06/23 7:41 a.m., 7 views

Heap-based Buffer Overflow in rup0rt/pcapfix

Description A heap overflow was found in pcapfix in function fixpcapng in pcapng.c at line 1571 Test version : 1.1.6 2fe168e Test env: gcc 9.3.0 ubuntu 20.04 x86-64 Proof of Concept CFLAGS="-fsanitize=address" make ./pcapfix poc poc is attached in reference link c ==618350==ERROR:...

AI score: 7.1
Exploits: 0, References: 1

Huntr
added 2021/06/23 7:41 a.m., 12 views

Heap-based Buffer Overflow in rup0rt/pcapfix

Description A heap overflow was found in pcapfix in function fixpcapng in pcapng.c at line 216 Test version : 1.1.6 2fe168e Test env: gcc 9.3.0 ubuntu 20.04 x86-64 Proof of Concept CFLAGS="-fsanitize=address" make ./pcapfix poc poc is attached in reference link c ==603793==ERROR:...

AI score: 7.1
Exploits: 0, References: 1

Huntr
added 2021/06/21 10:43 a.m., 5 views

Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

✍️ Description The questionary section of livehelperchat can be modified listing new question. However, the template is used incorrectly resulting in a CSTI injection which leads to stored XSS. 🕵️‍♂️ Proof of Concept Install the livechat Go on...

AI score: 0.1
Exploits: 0

Huntr
added 2021/06/21 5:54 a.m., 4 views

Cross-site Scripting (XSS) - Stored in livehelperchat/fbmessenger

✍️ Description The Facebook notifications of livehelperchat fbmessenger extension can be modified listing new notifications. However, the template is used incorrectly resulting in a CSTI injection which leads to stored XSS. 🕵️‍♂️ Proof of Concept Install the livechat Install fbmessenger extension...

AI score: 0.1
Exploits: 0

Huntr
added 2021/06/20 5:16 p.m., 7 views

Server-Side Request Forgery (SSRF) in kalcaddle/kodexplorer

✍️ Description SSRF via SVG due to improper processing of SVG files. 🕵️‍♂️ Proof of Concept Payload: https://drive.google.com/file/d/1q-GHJ01p8Ssok1GWN-QxSznBy1JGvY8x/view?usp=sharing Download and upload it on the server and run the server on port 8000 and then view the file. 💥 Impact This...

AI score: 1
Exploits: 0

Huntr
added 2021/06/20 5:13 p.m., 15 views

Server-Side Request Forgery (SSRF) in kalcaddle/kodexplorer

✍️ Description SSRF protection bypass via crafted payload which leads to SSRF. 🕵️‍♂️ Proof of Concept Payload: 2130706433 This is the decimal way of representing localhost which resolves to localhost. 💥 Impact This vulnerability is capable of SSRF...

AI score: 2.1
Exploits: 0

Huntr
added 2021/06/20 5:07 p.m., 5 views

Open Redirect in kalcaddle/kodexplorer

✍️ Description Open redirection via SVG file upload which redirects users to different site. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. download and upload the file https://drive.google.com/file/d/1yt4-5lgFS7ZGJog1uXAQ5rMxKGgVq/view?usp=sharing 2. View the file. 💥 Impact This vulnerability is...

AI score: 2.5
Exploits: 0

Huntr
added 2021/06/20 5:03 p.m., 15 views

in kalcaddle/kodexplorer

✍️ Description During file upload, there is no check if the file is already present or not which causes file to overwrite existing file. 🕵️‍♂️ Proof of Concept Steps to reproduce: 1. Create 2 files of the same name and of different content. 2. Upload the first file and then the second file, you...

AI score: 1.7
Exploits: 0

Huntr
added 2021/06/20 4:26 p.m., 10 views

in phpservermon/phpservermon

✍️ Description Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. This code uses the rand function to generate "unique" identifiers for the receipt pages it generates. In this case the function that...

AI score: 1.5
Exploits: 0, References: 2

Huntr
added 2021/06/20 4:00 p.m., 10 views

Cross-Site Request Forgery (CSRF) in erudika/scoold

✍️ Description The /voteup/question/ endpoint does not have a CSRF protection. This could be exploited by an attacker to manipulate votes in a question. 🕵️‍♂️ Proof of Concept An attacker creates the following web page and sends a link to a logged in user. // PoC.html Click Here When an...

AI score: 2.9
Exploits: 0, References: 1

Huntr
added 2021/06/20 11:42 a.m., 28 views

in kalcaddle/kodexplorer

💥 BUG direct file url leaked for eml file 💥 IMPACT user can upload eml file and can share this. After sharing this file, it will leak direct link of this file. Which allow to download this file even when sharing is disabled. 💥 STEP TO REPRODUCE 1. First goto your kodexplorer admin account an...

AI score: 7
Exploits: 0

Huntr
added 2021/06/20 11:28 a.m., 144 views

in kalcaddle/kodexplorer

💥 BUG any user can download any file 💥 IMPACT download any kodexplorer uploaded file 💥 STEP TO REPRODUCE 1. First goto your kodexplorer admin account and visit desktop. Now upload a txt file called a.txt to desktop. 2. Now open another browser and visit...

AI score: 1.3
Exploits: 0

Huntr
added 2021/06/20 9:50 a.m., 7 views

None in babybuddy/babybuddy

✍️ Description Improper restriction at login portal which lets an attacker brute force user's accounts. 🕵️‍♂️ Proof of Concept Video POC: https://drive.google.com/file/d/1udzAGroSqDbEqPRYlUzv7bHgHq7oMNuk/view?usp=sharing You will get 200 for incorrect as it opens the same page for login and 302...

AI score: 1
Exploits: 0

Huntr
added 2021/06/20 1:21 a.m., 6 views

in polonel/trudesk

✍️ Description trudesk is vulnerable to arbitrary file upload. The app is allowing upload files, such as text/html. Consequently, It is possible to exploit XSS. 🕵️‍♂️ Proof of Concept 1. Create a ticket. 2. Access the ticket created and upload an HTML file which contains . 3. Access the HTML file...

AI score: 1
Exploits: 0

Huntr
added 2021/06/19 5:02 p.m., 4 views

Session Fixation in amirsanni/mini-inventory-and-sales-management-system

✍️ Description Application does not destroy session cookie after log out. An attacker can use the old cookie of any user to manipulate application data even after log out. 🕵️‍♂️ Proof of Concept 1. Login to the application and copy the session cookie from the request. 2. Now logout from the...

AI score: 1.8
Exploits: 0, References: 1

Huntr
added 2021/06/19 12:41 p.m., 14 views

Heap-based Buffer Overflow in squell/id3

✍️ Description While testing id3 built from commit 0de713 with Clang 13 +ASan on Ubuntu 20.04.2, we discovered a POC which triggers a heap-buffer-overflow in tag::unbinarize. This particular flaw was discovered with the help of honggfuzz. 🕵️‍♂️ Proof of Concept echo...

Exploits: 0

Huntr
added 2021/06/19 3:06 a.m., 6 views

Cross-site Scripting (XSS) - Stored in polonel/trudesk

✍️ Description trudesk is vulnerable to XSS via chat. 🕵️‍♂️ Proof of Concept 1. Send a message with the content . PoC video 💥 Impact JavaScript code execution...

AI score: 2.4
Exploits: 0

Huntr
added 2021/06/18 1:05 p.m., 23 views

Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy

✍️ Description The user/reset-api-key/endpoint does not have a CSRF protection. This could be exploited by an attacker to change the API key without the admin not actually requesting for a change. 🕵️‍♂️ Proof of Concept For the following attack to work, the admin victim must be logged into their...

AI score: 1
Exploits: 0, References: 1

Huntr
added 2021/06/18 12:42 a.m., 9 views

Cross-site Scripting (XSS) - Stored in falconchristmas/fpp

✍️ Description fpp is vulnerable to XSS through file name. 🕵️‍♂️ Proof of Concept 1. Access /upload. 2. Change the name of an image to .png. 3. Upload it. 💥 Impact JavaScript code execution...

AI score: 1.5
Exploits: 0

Huntr
added 2021/06/16 1:53 p.m., 8 views

Prototype Pollution in gregberge/xstyled

✍️ Description @xstyled/util is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. 🕵️‍♂️ Proof of Concept 1. Create the following PoC file: js // poc.js var util = require("@xstyled/util") var obj =...

AI score: 1.8
Exploits: 0

Huntr
added 2021/06/16 12:29 p.m., 9 views

in chatwoot/chatwoot

💥 BUG unprivileged user can see ticket content 💥 IMPACT User does not have any inboxes but still can see ticket details in inbox. 💥 STEP TO REPRODUCE 1. First from admin account goto https://app.chatwoot.com/app/accounts/4534/settings/agents/list and add new agent user-B. Now don't add this...

AI score: 6.9
Exploits: 0

Huntr
added 2021/06/16 5:33 a.m., 12 views

Cross-site Scripting (XSS) - Stored in thoughtbot/administrate

💥 BUG Stored xss using unsanitize url 💥 IMPACT There is no url scheme sanitization, allow to provide javascript protocol in url which cause xss 💥 PAYLOAD javascript:alertdocument.domain 💥 STEP TO REPRODUCE tested in demo version https://administrate-demo.herokuapp.com/admin.\ 1. Plz check this 1...

AI score: 0.1
Exploits: 0

Huntr
added 2021/06/15 4:36 p.m., 9 views

Improper Privilege Management in gskinner/regexr

✍️ Description I managed to find a Critical IDOR in the https://github.com/gskinner/regexr/. Any user is able to change the Visibility Status of any pattern set 📚 Proof of Concept 1: Go to https://regexr.com/ 2: Click on "New" in the Top Left Corner 3: Select Pattern Settings and Fill out "patter...

AI score: 0.4
Exploits: 0

Huntr
added 2021/06/15 8:07 a.m., 8 views

Improper Privilege Management in polonel/trudesk

💥 BUG external user can submit ticket even when it's disabled 💥 SUMMARY external user can submit ticket even when it's disabled 💥 STEP TO REPRODUCE 1. First from admin account goto settings--tickets and disallow Allow public tickets. So, external user can't create ticket using url...

AI score: 0.3
Exploits: 0

Huntr
added 2021/06/15 8:01 a.m., 11 views

in polonel/trudesk

💥 BUG Stored xss via file upload 💥 IMPACT Stored xss allow to execute arbitrary javascript in victim trudesk account External user also can execute xss in admin account here. 💥 STEP TO REPRODUCE 1. First from admin goto http://localhost:8118/teams and create a team called team2. Now goto...

Exploits: 0

Huntr
added 2021/06/15 6:52 a.m., 31 views

in polonel/trudesk

💥 BUG Unprivileged user can subscribe others to a ticket 💥 IMPACT user with lower level permission can subscribe others to a ticket 💥 STEP TO REPRODUCE 1. First from admin goto http://localhost:8118/teams and create a team called team2. Now goto http://localhost:8118/accounts/agents and add new...

CVSS: 6.5, AI score: 8.6, EPSS: 0.00919
Exploits: 1

Huntr
added 2021/06/14 6:15 a.m., 29 views

Cross-site Scripting (XSS) - Stored in polonel/trudesk

💥 BUG Stored xss bug using file upload against admin. 💥 SUMMARY Here trudesk only allow to upload image file but it can be bypassed and attacker can upload html file. As html file can serve any javascript code, so attacker can execute any javascript code in victim trudesk account. 💥 IMPACT low...

AI score: 0.2
Exploits: 0

Huntr
added 2021/06/14 3:00 a.m., 12 views

Cross-site Scripting (XSS) - Stored in polonel/trudesk

💥 BUG Stored xss using ticket content in markdown 💥 IMPACT There is no xss filter present. Using this stored xss external user can attack admin and can execute arbitrary javascript code in victim account. TESTED VERSION ========== trudesk 1.1.5 💥 STEP TO REPRODUCE 1. First goto...

AI score: 0.7
Exploits: 0

Huntr
added 2021/06/14 2:51 a.m., 22 views

Cross-site Scripting (XSS) - Stored in polonel/trudesk

💥 BUG Stored xss using fullname 💥 IMPACT There is no xss filter present. Using this stored xss external user can attack admin and can execute arbitrary javascript code in victim account. TESTED VERSION ========== trudesk 1.1.5 💥 STEP TO REPRODUCE 1. First goto...

AI score: 1.1
Exploits: 0

Huntr
added 2021/06/13 3:44 a.m., 9 views

Path Traversal in kalcaddle/kodexplorer

✍️ Description KodExplorer A web-based file manager, web IDE/browser-based code editor. I discovered that by uploading a symbolic linked file via any user, he/she could see any file in the server which causes Path Traversal vulnerability. 🕵️‍♂️ Proof of Concept 1. Create a file by the following...

AI score: 1.9
Exploits: 0

Huntr
added 2021/06/13 3:14 a.m., 30 views

Improper Privilege Management in cortezaproject/corteza-server

💥 BUG unprivileged user can dismiss other user reminders 💥 IMPACT lower level user can dismiss other user reminders 💥 STEP TO REPRODUCE 1. First from admin goto http://localhost:18080/admin/system/user and add a new user called user B. Now give this user crm permission so that user B can create...

AI score: 0.9
Exploits: 0

Huntr
added 2021/06/12 1:54 p.m., 33 views

Code Injection in laravel/framework

✍️ Description Function injection in Illuminate\Validation\Rules\RequiredIf can be exploited to generate gadget chains for deserialization vulnerabilities. 🕵️‍♂️ Proof of Concept ?php use Illuminate\Validation\Rules\RequiredIf; require"vendor/autoload.php"; $gadget = serializenew...

AI score: 2
Exploits: 0

Total number of security vulnerabilities: 4057