4072 matches found
Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy
✍️ Description The user/reset-api-key/ endpoint does not have CSRF protection. This could be exploited by an attacker to change the API key without the admin actually requesting a change. 🕵️♂️ Proof of Concept For the following attack to work, the admin victim must be logged into their...
Cross-site Scripting (XSS) - Stored in falconchristmas/fpp
✍️ Description fpp is vulnerable to XSS through the file name. 🕵️♂️ Proof of Concept 1. Access /upload. 2. Change the name of an image to .png. 3. Upload it. 💥 Impact JavaScript code execution...
Prototype Pollution in gregberge/xstyled
✍️ Description @xstyled/util is vulnerable to Prototype Pollution. This package allows modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. 🕵️♂️ Proof of Concept 1. Create the following PoC file: js // poc.js var util = require("@xstyled/util") var obj =...
in chatwoot/chatwoot
💥 BUG Unprivileged user can see ticket content 💥 IMPACT The user does not have any inboxes but can still see ticket details in the inbox. 💥 STEPS TO REPRODUCE 1. First, from the admin account go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list and add a new agent, user-B. Now don't add this...
Cross-site Scripting (XSS) - Stored in thoughtbot/administrate
💥 BUG Stored XSS using unsanitized URL 💥 IMPACT There is no URL scheme sanitization, which allows providing the javascript: protocol in a URL and causes XSS. 💥 PAYLOAD javascript:alert(document.domain) 💥 STEPS TO REPRODUCE Tested in the demo version https://administrate-demo.herokuapp.com/admin. 1. Please check this 1...
Improper Privilege Management in gskinner/regexr
✍️ Description I managed to find a critical IDOR in https://github.com/gskinner/regexr/. Any user is able to change the visibility status of any pattern set. 📚 Proof of Concept 1: Go to https://regexr.com/ 2: Click on "New" in the top left corner 3: Select Pattern Settings and fill out "patter...
Improper Privilege Management in polonel/trudesk
💥 BUG External user can submit a ticket even when it is disabled 💥 SUMMARY An external user can submit a ticket even when it is disabled. 💥 STEPS TO REPRODUCE 1. First, from the admin account go to Settings -> Tickets and disable "Allow public tickets". So an external user can't create a ticket using the URL...
in polonel/trudesk
💥 BUG Stored XSS via file upload 💥 IMPACT The stored XSS allows executing arbitrary JavaScript in the victim's trudesk account. An external user can also execute XSS in the admin account here. 💥 STEPS TO REPRODUCE 1. First, from the admin account go to http://localhost:8118/teams and create a team called team2. Now go to...
in polonel/trudesk
💥 BUG Unprivileged user can subscribe others to a ticket 💥 IMPACT A user with lower-level permissions can subscribe others to a ticket. 💥 STEPS TO REPRODUCE 1. First, from the admin account go to http://localhost:8118/teams and create a team called team2. Now go to http://localhost:8118/accounts/agents and add a new...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
💥 BUG Stored XSS bug using file upload against admin. 💥 SUMMARY Here trudesk only allows uploading image files, but this can be bypassed and an attacker can upload an HTML file. As an HTML file can serve any JavaScript code, an attacker can execute arbitrary JavaScript in the victim's trudesk account. 💥 IMPACT low...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
💥 BUG Stored XSS using ticket content in markdown 💥 IMPACT There is no XSS filter present. Using this stored XSS an external user can attack the admin and execute arbitrary JavaScript code in the victim's account. TESTED VERSION ========== trudesk 1.1.5 💥 STEPS TO REPRODUCE 1. First go to...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
💥 BUG Stored XSS using full name 💥 IMPACT There is no XSS filter present. Using this stored XSS an external user can attack the admin and execute arbitrary JavaScript code in the victim's account. TESTED VERSION ========== trudesk 1.1.5 💥 STEPS TO REPRODUCE 1. First go to...
Path Traversal in kalcaddle/kodexplorer
✍️ Description KodExplorer is a web-based file manager and web IDE/browser-based code editor. I discovered that by uploading a symbolically linked file, any user can see any file on the server, which is a path traversal vulnerability. 🕵️♂️ Proof of Concept 1. Create a file by the following...
Improper Privilege Management in cortezaproject/corteza-server
💥 BUG Unprivileged user can dismiss other users' reminders 💥 IMPACT A lower-level user can dismiss other users' reminders. 💥 STEPS TO REPRODUCE 1. First, from the admin account go to http://localhost:18080/admin/system/user and add a new user called user B. Now give this user CRM permission so that user B can create...
Code Injection in laravel/framework
✍️ Description Function injection in Illuminate\Validation\Rules\RequiredIf can be exploited to generate gadget chains for deserialization vulnerabilities. 🕵️♂️ Proof of Concept <?php use Illuminate\Validation\Rules\RequiredIf; require "vendor/autoload.php"; $gadget = serialize(new...
in laravel/framework
✍️ Description The active_url validation rule fails to correctly check the DNS record with dns_get_record, resulting in a bypass of the validation. 🕵️♂️ Proof of Concept For a Laravel installation having the following validation on a route: php Route::get('/', function () { $urlValidator =...
Server-Side Request Forgery (SSRF) in frenchbread/private-ip
✍️ Description private-ip is an npm module used to check whether an IP address is private or not, for preventing SSRF attacks. It has nearly 11k+ weekly downloads on npmjs. However, I discovered that an attacker may simply get around this check by constructing a malicious IP. 🕵️♂️ Proof of...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description The FAQ section of LiveHelperChat can be modified to list new questions/answers. However, the template is used incorrectly, resulting in a CSTI injection which leads to stored XSS. 🕵️♂️ Proof of Concept 1. Install the livechat 2. Go to https://your-host.com/siteadmin/faq/view/1...
in hascheksolutions/opentrashmail
✍️ Description Hi, there is a local file inclusion vulnerability in opentrashmail. In https://github.com/HaschekSolutions/opentrashmail/blob/master/web/api.php#L23 : php <?php define('DS', DIRECTORY_SEPARATOR); define('ROOT', dirname(__FILE__)); // $action = strtolower($_REQUEST['a']); $email =...
in flarum/framework
✍️ Description The avatar URL from OAuth registration is passed to Intervention Image's ImageManager::make function without any validation of the URL. Since ImageManager::make allows a relative path to read a file, it is possible to inject arbitrary inputs like storage/somefile.jpg or even absolute paths like...
in hascheksolutions/pictshare
BUG ========== sha1 comparison bypass DETAILS ============= There is vulnerable code which allows bypassing the file sha1 hash check: function sha1Exists($sha1) $handle = fopen(ROOT.DS.'data'.DS.'sha1.csv', "r"); if ($handle) while (($line = fgets($handle)) !== false) if (substr($line,0,40)==$sha1) return...
SQL Injection in s-cart/core
✍️ Description The search keyword in /scadmin/currency is vulnerable to SQL injection. This allows a user to run arbitrary SQL queries and completely delete, edit, export or change all information in the database, potentially rendering the entire platform unusable. 🕵️♂️ Proof of Concept Login...
in phpmailer/phpmailer
✍️ Description The validateAddress function, used to validate email addresses, uses call_user_func to call the callable whose name is provided to the function as the argument $patternselect. But if no argument is passed, the function sets "php" as the default value of the $patternselect variable on...
Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-server
💥 BUG Stored XSS bug using file upload against admin. 💥 TESTED VERSION v2021.3.6 💥 IMPACT A lower-level user can make an XSS attack against the admin. Using the XSS bug an attacker can execute arbitrary JavaScript in the victim's account. Thus a lower-level user can execute arbitrary JavaScript in the admin account using...
Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-server
💥 BUG Stored XSS bug against admin. 💥 TESTED VERSION v2021.3.6 💥 IMPACT A lower-level user can make an XSS attack against the admin. Using the XSS bug an attacker can execute arbitrary JavaScript in the victim's account. Thus a lower-level user can execute arbitrary JavaScript in the admin account using this XSS and can...
Command Injection in sofianehamlaoui/lockdoor-framework
✍️ Description Unsanitized user input leads to command injection in the Nasnum function input in the infogathering.py script. 🕵️♂️ Proof of Concept Payload: ;id 💥 Impact Commands run as root, so an attacker could do potential damage to the machine...
Heap-based Buffer Overflow in rup0rt/pcapfix
✍️ Description Whilst testing the 'devel' branch of pcapfix, specifically commit fb723c compiled with clang-13 and -fsanitize=address on Ubuntu 20.04.2 LTS, we discovered a PoC which triggers a heap-buffer-overflow. 🕵️♂️ Proof of Concept git clone https://github.com/Rup0rt/pcapfix cd pcapfix...
in kestasjk/webdiplomacy
✍️ Description It may be possible to perform a clickjacking attack due to the lack of frame restrictions. The file https://github.com/kestasjk/webDiplomacy/blob/07de41f21192b0b611af343bc0d880c1de78d194/header.php does not set the response header X-Frame-Options: DENY. This issue can be found from...
None in chatwoot/chatwoot
✍️ Description No rate limit on the login portal 🕵️♂️ Proof of Concept POC VIDEO: https://drive.google.com/file/d/1fmhVsm2tZ2r1yIGduAlTWFO52semP5z/view?usp=sharing Conclusion: It gives a 401 error for an incorrect password and 200 when it gets the correct password. 💥 Impact Any attacker is able...
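The control this report finds missing is a server-side budget on failed logins, counted per account (so guessing one password across many source addresses is capped) and per source address (so spraying many accounts from one host is capped). The following is an added example of such a sliding-window throttle with an injectable clock; it is example code, not chatwoot's, and the limits and the 429 response are assumptions.

```python
"""Added example: sliding-window login throttle counted per account and per
client IP. Not chatwoot's code; the limits and window are assumptions."""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, per_account=5, per_ip=50, window_s=300, clock=time.monotonic):
        self.per_account = per_account   # failed attempts against one username
        self.per_ip = per_ip             # failed attempts from one address
        self.window_s = window_s
        self.clock = clock               # injectable so the window can be tested
        self._failures = defaultdict(deque)   # key -> timestamps of failures

    def _recent(self, key):
        """Drop failures older than the window and return what is left."""
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        return q

    def retry_after(self, ip, username):
        """0 if an attempt is allowed now, otherwise the seconds until the
        oldest counted failure ages out of the window."""
        now = self.clock()
        waits = []
        for key, limit in ((("user", username.lower()), self.per_account),
                           (("ip", ip), self.per_ip)):
            q = self._recent(key)
            if len(q) >= limit:
                waits.append(self.window_s - (now - q[0]))
        return max(waits, default=0)

    def record(self, ip, username, success):
        now = self.clock()
        if success:
            # A real login clears the account counter; the per-IP counter is
            # kept so a sprayer cannot reset it by logging into its own account.
            self._failures.pop(("user", username.lower()), None)
        else:
            self._failures[("user", username.lower())].append(now)
            self._failures[("ip", ip)].append(now)


def attempt_login(throttle, ip, username, password, check_password):
    """HTTP status for one attempt. 429 is returned before the credential is
    checked, so the 401/200 oracle in the report cannot be driven at wire speed."""
    if throttle.retry_after(ip, username) > 0:
        return 429
    ok = check_password(username, password)
    throttle.record(ip, username, ok)
    return 200 if ok else 401


def demo():
    """Constructed run on a fake clock: five wrong passwords, then lockout even
    for the right password, then the window expires and the login succeeds."""
    t = [0.0]
    thr = LoginThrottle(per_account=5, window_s=300, clock=lambda: t[0])
    users = {"alice": "correct horse"}          # constructed credential store
    check = lambda u, p: users.get(u) == p
    statuses = []
    for i in range(7):                          # expect 5 x 401, then 2 x 429
        t[0] += 1.0
        statuses.append(attempt_login(thr, "203.0.113.9", "alice", f"guess{i}", check))
    locked_even_if_right = attempt_login(thr, "203.0.113.9", "alice", "correct horse", check)
    t[0] += 300.0                               # window passes
    after_window = attempt_login(thr, "203.0.113.9", "alice", "correct horse", check)
    return statuses, locked_even_if_right, after_window


if __name__ == "__main__":
    print(demo())
```

Two design notes: the account counter is keyed on the username alone, which is what stops a distributed guess against a single account, and the per-IP counter is not cleared on success, which is what stops a sprayer from resetting it with its own valid credentials. Persisting the counters in shared storage rather than process memory is the one change needed for a multi-instance deployment.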
in alovoa/alovoa
✍️ Description It is possible to set a weak password that does not comply with the register form checks, which state "Your password needs to be at least 7 characters long and must contain characters and numbers." If a user bypasses the frontend checks, he will be able to register a completely weak...
Heap-based Buffer Overflow in rup0rt/pcapfix
✍️ Description Whilst testing pcapfix built from commit 5c2965 with Clang 13 +ASan on Ubuntu 20.04.2 LTS, we discovered a PCAPNG file which triggers a heap-buffer-overflow during a memcpy operation. 🕵️♂️ Proof of Concept echo "Cg0NCgAAAADT1MOysvgUAAAAAEpaggAAoPWPsvgUAAAAAAAAAAAA" | base64 -d...
Improper Privilege Management in mailtrain-org/mailtrain
BUG Lower-level user can revoke access from a campaign for admin. IMPACT The admin will not be able to access a particular campaign. This happens when a lower-level user added the admin to a campaign and then removed him. STEPS TO REPRODUCE 1. From the admin account go to http://localhost:3000/users and add a...
Heap-based Buffer Overflow in squell/id3
✍️ Description Archive.org is a worthy cause to support. 👍 During testing of id3 compiled from commit a899ea with Clang 13+ASan on Ubuntu 20.04.2, we discovered a payload which triggers a heap-buffer-overflow in ID3put. This particular bug was found using the AFL fuzzer. 🕵️♂️ Proof of Concept echo...
in squell/id3
✍️ Description Archive.org is a worthy cause to support. 👍 During testing of id3 compiled from commit a899ea with Clang 13+ASan on Ubuntu 20.04.2, we discovered a payload which triggers a negative-size-param: size=-4 error when calling memcpy. This particular bug was discovered with the AFL fuzzer...
Cross-site Scripting (XSS) - Stored in range-of-motion/budget
✍️ Description Stored XSS using Vue.js 🕵️♂️ Proof of Concept 1. First go to your account and visit https://app.budgethq.com/transactions and create a transaction. During creation put the XSS payload below in the Description field and save it. Now see that the XSS is executed. Payload ---...
Cross-site Scripting (XSS) - Stored in idempiere/idempiere
✍️ Description Stored XSS via SVG file upload 🕵️♂️ Proof of Concept You can upload this SVG file https://github.com/ranjit-git/poc/blob/master/evilsvgfile.svg. Check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1nKXfSUjU5vDEMMY6cAmRs6d3MCPoj0uv/view?usp=sharing 💥...
Classic Buffer Overflow in chatwoot/chatwoot
You can put a very long work email text until you get the last user to put and aries or DoS. Normally emails have 64 to 225 digits. Summary There is no limit to the number of characters in the work email, which allows a DoS attack. The DoS attack affects both server-side and client-side. NOTE: Th...
Cross-Site Request Forgery (CSRF) in monicahq/monica
✍️ Description The /settings/exportToSql endpoint does not have CSRF protection. This could be used to force downloading account data and potentially spoof users. 🕵️♂️ Proof of Concept Login to the user account. Create the following file and open the page in a browser. // PoC.html To verify that you are a...
Cross-site Scripting (XSS) - Stored in volmarg/personal-management-system
✍️ Description Stored XSS 🕵️♂️ Proof of Concept Please check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1vYCGJtEZrIihtpioiD25RPRaX5YnKJMN/view?usp=sharing 💥 Impact XSS attack...
Heap-based Buffer Overflow in squell/id3
✍️ Description When running the id3 app built from commit 51e738 with Clang 13 + ASan on Ubuntu 20.04.2 against the test data file encoding.tag, a heap-buffer-overflow is triggered at https://github.com/squell/id3/blob/51e738e7575c54fd7fdd54c931a155b25c3f2d30/id3v2.c#L104. static ulong ul4(uchar n[4]...
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
✍️ Description The /export/export endpoint does not have CSRF protection. This could be used to force downloading account data and potentially spoof users. 🕵️♂️ Proof of Concept - Login to the user account. - Create the following file and open the page in a browser. // PoC.html To verify that you are a...
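The three CSRF reports in this listing (babybuddy's reset-api-key endpoint, monica's /settings/exportToSql and firefly-iii's /export/export) share one missing control: nothing in the request proves that the browser sent it from the application's own page, so a page on another site can trigger the endpoint and the browser attaches the victim's session cookie on its own. The following is an added example of the missing check, not any of these projects' code; it assumes a server-side secret, a session identifier taken from the login cookie, a form field named csrf_token and one allowed origin.

```python
"""Added example: signed CSRF token issued per session and checked on every
state-changing request. Assumptions: SECRET lives server-side, session_id is
the value of the login cookie, the form field is named csrf_token, and the
application is served from one origin."""
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)           # assumption: per-deployment key, not in source
ALLOWED_ORIGINS = {"https://app.example"}  # assumption: the application's own origin


def issue_csrf_token(session_id: str) -> str:
    """salt.mac: the MAC binds a fresh salt to this session, so the token needs
    no server-side storage and is worthless for any other session."""
    salt = secrets.token_hex(16)
    mac = hmac.new(SECRET, f"{session_id}:{salt}".encode(), hashlib.sha256).hexdigest()
    return f"{salt}.{mac}"


def csrf_token_valid(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    salt, mac = token.split(".")
    expected = hmac.new(SECRET, f"{session_id}:{salt}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def handle_state_change(request: dict, session_id: str):
    """Gate for an endpoint such as a key reset or a data export. Cookies
    arrive with any cross-site request, so the session alone proves nothing;
    the token in the body (and the Origin header, when the browser sends one)
    is what the attacker's page cannot supply. Returns (status, reason)."""
    if request["method"] != "POST":
        return 405, "state changes must not be reachable by GET"
    origin = request["headers"].get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, f"cross-site origin {origin}"
    if not csrf_token_valid(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid csrf_token"
    return 200, "ok"


def demo():
    """Constructed requests: the victim's own form submission, an auto-submitting
    form on an attacker page, and a token minted for the attacker's own session."""
    victim_session = "sess-victim-1"
    legit = {"method": "POST", "headers": {"Origin": "https://app.example"},
             "form": {"csrf_token": issue_csrf_token(victim_session)}}
    # The attacker's page: the browser attaches the victim's cookie, but the
    # page cannot read the victim's token and sends none.
    forged = {"method": "POST", "headers": {"Origin": "https://evil.example"},
              "form": {}}
    # A token the attacker obtained by logging in as themselves does not transfer.
    replayed = {"method": "POST", "headers": {},
                "form": {"csrf_token": issue_csrf_token("sess-attacker")}}
    return (handle_state_change(legit, victim_session)[0],
            handle_state_change(forged, victim_session)[0],
            handle_state_change(replayed, victim_session)[0])


if __name__ == "__main__":
    print(demo())   # expected (200, 403, 403)
```

The same check applies to the GET-reachable export endpoints in the two later reports: a state-changing or data-returning action should only be reachable by POST, and the POST must carry the token. A framework's built-in CSRF middleware does the same thing; the reports above describe endpoints that were left outside it.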
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description Reflected XSS in shutdownRemoteFPP.php when a user is asked to provide an IP in the URL, resulting in XSS. 🕵️♂️ Proof of Concept https://drive.google.com/file/d/1RXF4AO1j7OFfr7RhU1ZM0yPftd0qsxHt/view?usp=sharing payload: alert(111) 💥 Impact This vulnerability is capable of reflected XSS...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description Reflected XSS in proxies.php when a user is asked to add a proxy, resulting in XSS. 🕵️♂️ Proof of Concept https://drive.google.com/file/d/14uabBenjADBpzWbbYqiF8a9FU2fzhX/view?usp=sharing payload: ' onmouseover='alert(1) 💥 Impact This vulnerability is capable of reflected XSS...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description Reflected XSS in playlists.php when a user is asked to add a note in Sequence Entry, resulting in XSS. 🕵️♂️ Proof of Concept https://drive.google.com/file/d/1uU9IxbH3A45V8BSgtFOBrc5Gwj7S7k56/view?usp=sharing 💥 Impact This vulnerability is capable of reflected XSS...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description Reflected XSS in changebranch.php where, due to improper implementation of the code, an attacker is able to inject malicious tags. 🕵️♂️ Proof of Concept $branch = escapeshellcmd($_GET['branch']); $command = "sudo /opt/fpp/scripts/git_branch " . $branch . " 2>&1"; echo "Command: $command\n";...
Cross-site Scripting (XSS) - Stored in typecho/typecho
💥 BUG Stored XSS against higher-level user 💥 IMPACT I see there is no XSS protection in post writing, which allows executing JavaScript. There are many types of roles like admin, contributor etc. So here a contributor user can write a post with an XSS payload, and when the admin opens this post the XSS ...
Prototype Pollution in robinvdvleuten/shvl
✍️ Description Hi, I've seen a recent prototype pollution report for this library and, during the code review, found out that the applied fix doesn't work at all. The problem lies in the regex used in the fix, as I show below. 🕵️♂️ Proof of Concept The reported prototype pollution resulted in the...
Stack-based Buffer Overflow in falconchristmas/fpp
✍️ Description Hi, there is a stack-based buffer overflow in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/command.c#L131 : When ./fpp is running it can send commands to ./fppd, a daemon that runs a main loop and listens for incoming socket connections: In...
Stack-based Buffer Overflow in falconchristmas/fpp
✍️ Description Hi, there is a stack-based buffer overflow in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/fpp.c#L177 : c else if (strcmp(argv[1], "--log-mask") == 0 && argc > 2) { char newMask[128]; strcpy(newMask, argv[2]); //overflow // argv[2] is copied into newMask using...
Classic Buffer Overflow in falconchristmas/fpp
✍️ Description Hi, there are multiple .bss buffer overflows in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/fpp.c#L64 : c char command[8192]; char response[256]; // int main (int argc, char *argv[]) { memset(command, 0, sizeof(command)); SetupDomainSocket(); if (argc > 1) //...