in laravel/framework
⚠️ Description The active_url validation rule fails to correctly check the DNS record with dns_get_record, resulting in a bypass of the validation. 🕵️‍♂️ Proof of Concept For a Laravel installation having the following validation on a route: `Route::get('/', function () { $urlValidator = ...`
Server-Side Request Forgery (SSRF) in frenchbread/private-ip
⚠️ Description private-ip is an npm module that is used to check if an IP address is private or not for preventing SSRF attacks. It has nearly 11k+ weekly downloads on npmjs. However, I discovered that an attacker may simply get around this check by constructing a malicious IP. 🕵️‍♂️ Proof of...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
⚠️ Description The FAQ section of LiveHelperChat can be modified, listing some new questions/answers. However, the template is used incorrectly, resulting in a CSTI injection which leads to stored XSS. 🕵️‍♂️ Proof of Concept 1. Install the livechat 2. Go on https://your-host.com/siteadmin/faq/view/1...
in hascheksolutions/opentrashmail
⚠️ Description Hi, there is a local file inclusion vulnerability in opentrashmail. In https://github.com/HaschekSolutions/opentrashmail/blob/master/web/api.php#L23 : `<?php define('DS', DIRECTORY_SEPARATOR); define('ROOT', dirname(__FILE__)); // $action = strtolower($_REQUEST['a']); $email =...`
in flarum/framework
⚠️ Description The avatar URL from OAuth registration is passed to Intervention Image's ImageManager::make function without any validation of the URL. Since ImageManager::make allows a relative path to read a file, it is possible to inject arbitrary inputs like storage/somefile.jpg or even absolute paths like...
in hascheksolutions/pictshare
BUG: sha1 comparison bypass. DETAILS: There is vulnerable code which can bypass the file sha1 hash check: `function sha1Exists($sha1) { $handle = fopen(ROOT.DS.'data'.DS.'sha1.csv', "r"); if ($handle) { while (($line = fgets($handle)) !== false) { if (substr($line, 0, 40) == $sha1) return...`
SQL Injection in s-cart/core
⚠️ Description Searching by keyword in /scadmin/currency is vulnerable to SQL injection. This will allow a user to run arbitrary SQL queries and completely delete, edit, export or change all information in the database - potentially rendering the entire platform unusable. 🕵️‍♂️ Proof of Concept Login...
in phpmailer/phpmailer
⚠️ Description The validateAddress function, used to validate email addresses, uses call_user_func to call the callable from the name of the callable provided to the function as the argument $patternselect. But if no argument is passed, the function sets "php" as the default value of the $patternselect variable on...
Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-server
💥 BUG Stored XSS bug using file upload against admin. 💥 TESTED VERSION v2021.3.6 💥 IMPACT A lower level user can make an XSS attack against admin. Using the XSS bug an attacker can execute arbitrary JavaScript in the victim's account. Thus a lower level user can execute arbitrary JavaScript in the admin account using...
Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-server
💥 BUG Stored XSS bug against admin. 💥 TESTED VERSION v2021.3.6 💥 IMPACT A lower level user can make an XSS attack against admin. Using the XSS bug an attacker can execute arbitrary JavaScript in the victim's account. Thus a lower level user can execute arbitrary JavaScript in the admin account using this XSS and can...
Command Injection in sofianehamlaoui/lockdoor-framework
⚠️ Description Unsanitized user input leads to command injection in the Nasnum function input in the infogathering.py script. 🕵️‍♂️ Proof of Concept Payload: ;id 💥 Impact The command runs as root, so an attacker could do potential damage to the machine...
Heap-based Buffer Overflow in rup0rt/pcapfix
⚠️ Description Whilst testing the 'devel' branch of pcapfix, specifically commit fb723c compiled with clang-13 and -fsanitize=address on Ubuntu 20.04.2 LTS, we discovered a POC which triggers a heap-buffer-overflow. 🕵️‍♂️ Proof of Concept git clone https://github.com/Rup0rt/pcapfix cd pcapfix...
in kestasjk/webdiplomacy
⚠️ Description It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The file https://github.com/kestasjk/webDiplomacy/blob/07de41f21192b0b611af343bc0d880c1de78d194/header.php does not set the response header X-Frame-Options: DENY. This issue can be found from...
None in chatwoot/chatwoot
⚠️ Description No rate limit on the login portal 🕵️‍♂️ Proof of Concept POC VIDEO: https://drive.google.com/file/d/1fmhVsm2tZ2r1yIGduAlTWFO52semP5z/view?usp=sharing Conclusion: It gives a 401 error for an incorrect password and 200 when it got the correct password 💥 Impact Any attacker can able...
in alovoa/alovoa
⚠️ Description It is possible to set a weak password with no compliance with the register form checks that state "Your password needs to be at least 7 characters long and must contain characters and numbers." If a user bypasses the frontend checks, he will be able to register a completely weak...
Heap-based Buffer Overflow in rup0rt/pcapfix
⚠️ Description Whilst testing pcapfix built from commit 5c2965 with Clang 13 + ASan on Ubuntu 20.04.2 LTS, we discovered a PCAPNG file which triggers a heap-buffer-overflow during a memcpy operation. 🕵️‍♂️ Proof of Concept echo "Cg0NCgAAAADT1MOysvgUAAAAAEpaggAAoPWPsvgUAAAAAAAAAAAA" | base64 -d...
Improper Privilege Management in mailtrain-org/mailtrain
BUG A lower level user can revoke access from a campaign for admin. IMPACT Admin will not be able to access a particular campaign. This happens when a lower level user added admin to a campaign and then removed him. STEPS TO REPRODUCE 1. From the admin account go to http://localhost:3000/users and add a...
Heap-based Buffer Overflow in squell/id3
⚠️ Description Archive.org is a worthy cause to support. During testing of id3 compiled from commit a899ea with Clang 13 + ASan on Ubuntu 20.04.2, we discovered a payload which triggers a heap-buffer-overflow in ID3put. This particular bug was found using the AFL fuzzer. 🕵️‍♂️ Proof of Concept echo...
in squell/id3
⚠️ Description Archive.org is a worthy cause to support. During testing of id3 compiled from commit a899ea with Clang 13 + ASan on Ubuntu 20.04.2, we discovered a payload which triggers a negative-size-param: size=-4 error when calling memcpy. This particular bug was discovered with the AFL fuzzer...
Cross-site Scripting (XSS) - Stored in range-of-motion/budget
⚠️ Description Stored XSS using Vue.js 🕵️‍♂️ Proof of Concept 1. First go to your account and visit https://app.budgethq.com/transactions and create a transaction. During creation put the XSS payload below in the Description field and save it. Now see the XSS is executed Payload ---...
Cross-site Scripting (XSS) - Stored in idempiere/idempiere
⚠️ Description Stored XSS via SVG file upload 🕵️‍♂️ Proof of Concept You can upload this SVG file https://github.com/ranjit-git/poc/blob/master/evilsvgfile.svg. Check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1nKXfSUjU5vDEMMY6cAmRs6d3MCPoj0uv/view?usp=sharing 💥...
Classic Buffer Overflow in chatwoot/chatwoot
You can put a very long work email text until you get the last user to put and aries or DoS. Normally emails have 64 to 225 digits. Summary There is no limit to the number of characters in the work email, which allows a DoS attack. The DoS attack affects both server-side and client-side. NOTE: Th...
Cross-Site Request Forgery (CSRF) in monicahq/monica
⚠️ Description The /settings/exportToSql endpoint does not have CSRF protection. This could be used to force download of account data and potentially spoof users. 🕵️‍♂️ Proof of Concept Login to the user account. Create the following file and open the page in a browser. // PoC.html To verify that you are a...
Cross-site Scripting (XSS) - Stored in volmarg/personal-management-system
⚠️ Description Stored XSS 🕵️‍♂️ Proof of Concept Please check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1vYCGJtEZrIihtpioiD25RPRaX5YnKJMN/view?usp=sharing 💥 Impact XSS attack...
Heap-based Buffer Overflow in squell/id3
⚠️ Description When running the id3 app built from commit 51e738 with Clang 13 + ASan on Ubuntu 20.04.2 against the test data file encoding.tag, a heap-buffer-overflow is triggered at https://github.com/squell/id3/blob/51e738e7575c54fd7fdd54c931a155b25c3f2d30/id3v2.c#L104. `static ulong ul4(uchar n[4])`...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
⚠️ Description The /export/export endpoint does not have CSRF protection. This could be used to force download of account data and potentially spoof users. 🕵️‍♂️ Proof of Concept - Login to the user account. - Create the following file and open the page in a browser. // PoC.html To verify that you are a...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
⚠️ Description Reflected XSS in shutdownRemoteFPP.php when a user is asked to provide an IP in the URL, resulting in XSS 🕵️‍♂️ Proof of Concept https://drive.google.com/file/d/1RXF4AO1j7OFfr7RhU1ZM0yPftd0qsxHt/view?usp=sharing payload: alert111 💥 Impact This vulnerability is capable of Reflected XSS...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
⚠️ Description Reflected XSS in proxies.php when a user is asked to add a proxy, resulting in XSS. 🕵️‍♂️ Proof of Concept https://drive.google.com/file/d/14uabBenjADBpzWbbYqiF8a9FU2fzhX/view?usp=sharing payload: ' onmouseover='alert1 💥 Impact This vulnerability is capable of doing Reflected XSS...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
⚠️ Description Reflected XSS in playlists.php when a user is asked to add a note in Sequence Entry, resulting in XSS. 🕵️‍♂️ Proof of Concept https://drive.google.com/file/d/1uU9IxbH3A45V8BSgtFOBrc5Gwj7S7k56/view?usp=sharing 💥 Impact This vulnerability is capable of doing Reflected XSS...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
⚠️ Description Reflected XSS in changebranch.php where due to improper implementation of code an attacker is able to inject malicious tags 🕵️‍♂️ Proof of Concept `$branch = escapeshellcmd($_GET['branch']); $command = "sudo /opt/fpp/scripts/gitbranch " . $branch . " 2>&1"; echo "Command: $command\n";`...
Cross-site Scripting (XSS) - Stored in typecho/typecho
💥 BUG Stored XSS against higher level user 💥 IMPACT I see there is no XSS protection in post writing, allowing execution of JavaScript commands. There are many types of role like admin, contributor etc. So, here a contributor user can write a post with an XSS payload and when admin opens this post then the XSS ...
Prototype Pollution in robinvdvleuten/shvl
⚠️ Description Hi, I've seen a recent prototype pollution report to this library and, during the code review, found out that the applied fix doesn't work at all. The problem lies in the regex used for the fix, as I show below. 🕵️‍♂️ Proof of Concept The reported prototype pollution resulted in the...
Stack-based Buffer Overflow in falconchristmas/fpp
⚠️ Description Hi, there is a stack based buffer overflow in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/command.c#L131 : When ./fpp is running it can send commands to ./fppd, a daemon that runs a main loop and listens for incoming socket connections : In...
Stack-based Buffer Overflow in falconchristmas/fpp
⚠️ Description Hi, there is a stack based buffer overflow in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/fpp.c#L177 : `else if (strcmp(argv[1], "--log-mask") == 0 && argc > 2) { char newMask[128]; strcpy(newMask, argv[2]); // overflow` // argv[2] is copied into newMask using...
Classic Buffer Overflow in falconchristmas/fpp
⚠️ Description Hi, there are multiple .bss buffer overflows in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/fpp.c#L64 : `char command[8192]; char response[256]; // int main(int argc, char *argv[]) { memset(command, 0, sizeof(command)); SetupDomainSocket(); if (argc > 1) { //`...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
⚠️ Description Hi, in https://github.com/FalconChristmas/fpp/blob/39aa11e6f9bf8e7ee63bdbb07ea9fcabf434a60e/www/uploadfile.php#L504 you build a JS script using unsanitized user input, this can lead to XSS : `var activeTabNumber = ;` // 🕵️‍♂️ Proof of Concept Visit...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
⚠️ Description Hi, in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/rebootRemoteFPP.php#L15 the variable ip is reflected without prior sanitization : `$ip = $_GET['ip']; echo "Rebooting FPP system @ $ip\n";` 🕵️‍♂️ Proof of Concept Visit :...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
⚠️ Description Hi, in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/virtualdisplay.php#L14 you create a variable canvasWidth that will be used and reflected multiple times without sanitizing user input : Later in the script : another PHP file will be...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
⚠️ Description Hi, there are 2 potential reflected XSS in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/restartRemoteFPPD.php#L16 : `$ip = $_GET['ip']; // if (isset($_GET['mode'])) { echo "Setting FPPD mode @ $ip\n"; // } echo "Restarting FPPD @ $ip\n";` The ip...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
⚠️ Description Hi, a few days ago I reported this vulnerability : https://huntr.dev/bounties/8-other-FalconChristmas/fpp/ There were 2 XSS vectors in https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/runEventScript.php#L41 : php \n"; // 1 // else ? ERROR: Unknow...
OS Command Injection in falconchristmas/fpp
⚠️ Description The version variable is directly embedded in an OS command in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/upgradefpp.php#L54 `$version = $_GET['version']; // $command = "sudo /opt/fpp/scripts/upgradeFPP " . $version . " 2>&1"; echo "Command:`...
OS Command Injection in falconchristmas/fpp
⚠️ Description Hi, a command is built without filtering user input in https://github.com/FalconChristmas/fpp/blob/cc026bd238b641ad147a3f8e1df47052e34f16d3/www/copyFilesToRemote.php#L50 `$ip = $_GET['ip']; // $command = "rsync -rtDlv --modify-window=1 $compress --stats $fppHome/media/$dir/`...
OS Command Injection in falconchristmas/fpp
⚠️ Description Hi, it is possible to inject arbitrary OS commands in https://github.com/FalconChristmas/fpp/blob/59b7f7e8039a7019143c2c4b44f7d95b6358a4ef/www/formatstorage.php#L24 `&1"; echo "Command: $command\n"; echo`...
OS Command Injection in falconchristmas/fpp
⚠️ Description Hi, it is possible to inject arbitrary OS commands in https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/upgradeOS.php#L46 `system($SUDO . " $fppDir/SD/upgradeOS-part1.sh /home/fpp/media/upload/" . $_GET['os']);` 🕵️‍♂️ Proof of Concept Visit :...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
⚠️ Description An XSS vulnerability is present in https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/upgradeOS.php#L26 due to absence of user input sanitization : Image: 🕵️‍♂️ Proof of Concept Visit...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
⚠️ Description A reflected XSS is possible because you echo user controlled content without sanitization in https://github.com/FalconChristmas/fpp/blob/40a636c6e38442e3674db0b85fdfc5ed8a79b823/www/changebranch.php#L25 `$branch = $_GET['branch']; $command = "sudo /opt/fpp/scripts/gitbranch "`...
OS Command Injection in falconchristmas/fpp
⚠️ Description Hi, there is a command injection vulnerability in https://github.com/FalconChristmas/fpp/blob/40a636c6e38442e3674db0b85fdfc5ed8a79b823/www/changebranch.php#L23 `&1"; echo "Command: $command\n"; echo`...
in mcfriend99/bird
⚠️ Description Heap-based 1-byte write violation. Certain programs can cause the parser/syntax-checker to write out of bounds. The program below writes a single byte out of bounds. 🕵️‍♂️ Proof of Concept Program: var a = 'outer' def test var a = 'inner' echo 'It works! $a' echo a echo test test def...
Denial of Service in mcfriend99/bird
⚠️ Description The Bird interpreter is vulnerable to memory leaks. This occurs due to memory being allocated but never freed during the compilation/interpretation process. 🕵️‍♂️ Proof of Concept Compile the interpreter with ASAN enabled. Run the interpreter and execute print(123) and then exit. You...
Heap-based Buffer Overflow in mcfriend99/bird
⚠️ Description Heap-based Write Violation. Certain input programs can result in write access violations by the syntax checker component of the interpreter. One such program writes 23 bytes onto the heap outside of bounds and may result in arbitrary code execution and memory leaks. 🕵️‍♂️ Proof of...