Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✏️ Description Hi, in https://github.com/FalconChristmas/fpp/blob/39aa11e6f9bf8e7ee63bdbb07ea9fcabf434a60e/www/uploadfile.php#L504 you build a JS script using unsanitized user input, which can lead to XSS : php var activeTabNumber = ; // 🕵️‍♂️ Proof of Concept Visit...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✏️ Description Hi, in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/rebootRemoteFPP.php#L15 the variable ip is reflected without prior sanitization : php $ip = $_GET['ip']; echo "Rebooting FPP system @ $ip\n"; 🕵️‍♂️ Proof of Concept Visit :...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✏️ Description Hi, in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/virtualdisplay.php#L14 you create a variable canvasWidth that will be used and reflected multiple times without sanitizing user input : php Later in the script : another PHP file will be...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✏️ Description Hi, there are 2 potential reflected XSS in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/restartRemoteFPPD.php#L16 : php $ip = $_GET['ip']; // if (isset($_GET['mode'])) echo "Setting FPPD mode @ $ip\n"; // echo "Restarting FPPD @ $ip\n"; The ip...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✏️ Description Hi, a few days ago I reported this vulnerability : https://huntr.dev/bounties/8-other-FalconChristmas/fpp/ There were 2 XSS vectors in https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/runEventScript.php#L41 : php \n"; // 1 // else ? ERROR: Unknow...
OS Command Injection in falconchristmas/fpp
✏️ Description The version variable is directly embedded in an OS command in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/upgradefpp.php#L54 php $version = $_GET['version']; // $command = "sudo /opt/fpp/scripts/upgradeFPP " . $version . " 2>&1"; echo "Command:...
OS Command Injection in falconchristmas/fpp
✏️ Description Hi, a command is built without filtering user input in https://github.com/FalconChristmas/fpp/blob/cc026bd238b641ad147a3f8e1df47052e34f16d3/www/copyFilesToRemote.php#L50 php $ip = $_GET['ip']; // $command = "rsync -rtDlv --modify-window=1 $compress --stats $fppHome/media/$dir/...
OS Command Injection in falconchristmas/fpp
✏️ Description Hi, it is possible to inject arbitrary OS commands in https://github.com/FalconChristmas/fpp/blob/59b7f7e8039a7019143c2c4b44f7d95b6358a4ef/www/formatstorage.php#L24 php &1"; echo "Command: $command\n"; echo...
OS Command Injection in falconchristmas/fpp
✏️ Description Hi, it is possible to inject arbitrary OS commands in https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/upgradeOS.php#L46 php system($SUDO . " $fppDir/SD/upgradeOS-part1.sh /home/fpp/media/upload/" . $_GET['os']); 🕵️‍♂️ Proof of Concept Visit :...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✏️ Description An XSS vulnerability is present in https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/upgradeOS.php#L26 due to absence of user input sanitization : php Image: 🕵️‍♂️ Proof of Concept Visit...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✏️ Description A reflected XSS is possible because you echo user controlled content without sanitization in https://github.com/FalconChristmas/fpp/blob/40a636c6e38442e3674db0b85fdfc5ed8a79b823/www/changebranch.php#L25 php $branch = $_GET['branch']; $command = "sudo /opt/fpp/scripts/gitbranch "...
OS Command Injection in falconchristmas/fpp
✏️ Description Hi, there is a command injection vulnerability in https://github.com/FalconChristmas/fpp/blob/40a636c6e38442e3674db0b85fdfc5ed8a79b823/www/changebranch.php#L23 php &1"; echo "Command: $command\n"; echo...
in mcfriend99/bird
✏️ Description Heap-based 1-byte write violation. Certain programs can cause the parser/syntax-checker to write out of bounds. The below program writes a single byte out of bounds. 🕵️‍♂️ Proof of Concept Program: var a = 'outer' def test var a = 'inner' echo 'It works! $a' echo a echo test test def...
Denial of Service in mcfriend99/bird
✏️ Description The Bird interpreter is vulnerable to memory leaks. This occurs due to memory being allocated but never freed during the compilation/interpretation process. 🕵️‍♂️ Proof of Concept Compile the interpreter with ASAN enabled. Run the interpreter and execute print(123) and then exit. You...
Heap-based Buffer Overflow in mcfriend99/bird
✏️ Description Heap-based Write Violation. Certain input programs can result in write access violations by the syntax checker component of the interpreter. One such program writes 23 bytes onto the heap outside of bounds and may result in arbitrary code execution and memory leaks. 🕵️‍♂️ Proof of...
in hstm/dotfiles
✏️ Description The owner of this GitHub repo has inadvertently committed their .pgpass file, which contains login information for a localhost PostgreSQL server. We suggest the owner of this GitHub repo deletes the file from the repo, adds .pgpass to their .gitignore and changes their localhost...
Command Injection in sofianehamlaoui/lockdoor-framework
✏️ Description Unsanitized user input leads to command injection in multiple scripts. 🕵️‍♂️ Proof of Concept payload = ;id https://drive.google.com/file/d/1ZPyCaSyDbD2-gQK43DKlAHkFxi8lmgh/view?usp=sharing 💥 Impact Commands run as root, so it could do potential damage...
Code Injection in sofianehamlaoui/lockdoor-framework
✏️ Description Multiple command injections in the infogathering.py file due to lack of sanitization. 🕵️‍♂️ Proof of Concept Payload : id Video: https://drive.google.com/file/d/1uozVKKHL1LSMvFW7ehX3eIoxsWFLCes1/view?usp=sharing 💥 Impact The tools ask for root to run, so every command injected will run as root...
in miodec/monkeytype
✏️ Description Users can bypass leaderboard controls and inject any object they want into the leaderboard by spoofing POST requests to /checkLeaderboards. Malicious users can send specially crafted POST requests and inject any user they want to the top of the leaderboard with any value words per...
in psi-4ward/psitransfer
✏️ Description Hi, with PsiTransfer we can upload files and protect them with a password. However, there is an IDOR that lets an attacker retrieve arbitrary files and get the AES encrypted data of these files. All that is left is to perform an offline brute force to crack the password of this file and ge...
in thisistherk/fast_obj
✏️ Description Whilst experimenting with the test code built from commit d97389 with Clang 11 +UBSan on Ubuntu 20.04.2 LTS, we discovered an OBJ file which produces a signed integer overflow and a pointer overflow followed by a SIGSEGV 🕵️‍♂️ Proof of Concept echo...
Improper Access Control in causefx/organizr
✏️ Description A Google Maps API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. 🕵️‍♂️ Proof of Concept Visit the following link to verify that you can use the service...
Improper Access Control in openwhyd/openwhyd
✏️ Description A YouTube API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. 🕵️‍♂️ Proof of Concept Visit the following link to verify anyone can access the API key:...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG An unprivileged user can add a personal email to another user. 💥 IMPACT A user who doesn't have any access in "users and groups" can update users' personal email. 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEPS TO REPRODUCE 1. First go to the admin account and add user B as a normal user. Now give user B...
in dolibarr/dolibarr
💥 BUG An unprivileged user can attach a bank to another user. 💥 IMPACT A user who doesn't have any access in "users and groups" can update users' bank details 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEPS TO REPRODUCE 1. First go to the admin account and add user B as a normal user. Now give user B below...
Stack-based Buffer Overflow in codeplea/tinyexpr
✏️ Description Whilst experimenting with repl built from commit 61af1d, with Clang 10 +ASan on Ubuntu 20.04.2 LTS, we discovered an expression containing 4 null characters after a newline which, due to insufficient bounds checking, triggers a stack-buffer-overflow. 🕵️‍♂️ Proof of Concept echo...
Improper Access Control in bramp/myip
✏️ Description A Google Maps API key is enabled without proper referer restrictions in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. If Google Maps is not used in your project, then all the following APIs should...
Exposure of Sensitive Information to an Unauthorized Actor in tl-its-umich-edu/my-learning-analytics
✏️ Description The Django secret key is exposed in the Dockerfile. This is used to sign JSON objects, create hashes and generate CSRF tokens. 🕵️‍♂️ Proof of Concept https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key/15383766?noredirect=1#comment21743494_15383766 💥...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG An unprivileged user can attach an agenda to a leave. 💥 IMPACT A user who doesn't have any access in leave can add an agenda to this leave 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEPS TO REPRODUCE 1. First go to the admin account and add user B as a normal user. Now give user B the below permission for Agenda...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG An unprivileged user can add a resource to an agenda 💥 IMPACT A user with read-only permission can add a resource to an agenda 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEPS TO REPRODUCE 1. First go to the admin account and add user B as a normal user. Now give user B the below permission for Events/Agenda and...
in dolibarr/dolibarr
💥 BUG An unprivileged user can upload a file to a task associated with a project. 💥 IMPACT A user who has read-only access to a project can add a file to a task associated with this project 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEPS TO REPRODUCE 1. First go to the admin account and add user B as a normal user ....
in dolibarr/dolibarr
💥 BUG An unprivileged user can modify the subject of a ticket 💥 IMPACT A user with read-only permission can modify the ticket subject 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEPS TO REPRODUCE 1. First go to the admin account and add user B as a normal user. Now give user B the below permission for the Ticket module ....
Improper Privilege Management in dolibarr/dolibarr
💥 BUG An unprivileged user can see tasks associated with a project 💥 IMPACT A user who doesn't have access to a specific project can still see tasks attached to this project . 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEPS TO REPRODUCE 1. First go to the admin account and add user B as a normal user. Now give user ...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG An unprivileged user can download a file of an agenda 💥 IMPACT A user who doesn't have access to a specific agenda can still download files uploaded to this agenda . 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEPS TO REPRODUCE 1. First go to the admin account and add user B as a normal user. Now give user B...
Improper Access Control in xamarin/googleplayservicescomponents
✏️ Description A Google Maps API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. 🕵️‍♂️ Proof of Concept Visit the following links to verify that you can use the service by...
Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
✏️ Description Dolibarr is vulnerable to XSS. It is possible to upload SVG files containing JavaScript code. 🕵️‍♂️ Proof of Concept SVG file content: html alert(document.domain); 1. With an authenticated user, access http://localhost/societe/card.php?action=create&leftmenu=. 2. Write any content in...
Heap-based Buffer Overflow in croatiacontrolltd/asterix
✏️ Description Whilst experimenting with asterix, built from commit f44cfea, compiled with Clang 10 + ASan on Ubuntu 20.04.2 LTS, we are able to induce a heap-buffer-overflow in DataItemBits::getBits asterix/src/asterix/DataItemBits.cpp:125. Since there is no bounds checking, when the software...
Improper Access Control in teamultroid/ultroid
✏️ Description A Google Maps API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. 🕵️‍♂️ Proof of Concept Visit this link to verify that you can use the service by visiting...
Improper Access Control in codingtrain/website
✏️ Description A Google Maps API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. 🕵️‍♂️ Proof of Concept Visit this link to verify that you can use the service by visiting...
Improper Access Control in kenzo-404/lynx-userbot
✏️ Description A Google Maps API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. 🕵️‍♂️ Proof of Concept Visit this link to verify that you can use the service by visiting...
in koel/koel
✏️ Description Koel is lacking any form of rate limiting in the login form, thus allowing an attacker to brute force their way in. 🕵️‍♂️ Proof of Concept - Spin up an instance of Koel. - Open up Burp Suite and capture a login request, send it to Intruder, set your options and run. - 401 is shown...
Path Traversal in kalcaddle/kodexplorer
✏️ Description I have confirmed a file traversal vulnerability on any server running Kodexplorer; a malicious user can read any file 🕵️‍♂️ Proof of Concept First set up a local installation of kodExplorer. If the server is running with root permission:...
SQL Injection in akshayp282/quizx
✏️ Description Course deletion on the teacher portal is vulnerable to SQL injection. This will allow a user to run arbitrary SQL queries and completely erase, export or change all information in the database - potentially rendering the entire platform unusable. 🕵️‍♂️ Proof of Concept - Log in to...
Cross-site Scripting (XSS) - Stored in stevearc/pypicloud
✏️ Description I didn't know there was something like this 🕵️‍♂️ Proof of Concept details https://github.com/stevearc/pypicloud/issues/280 💥 Impact stored XSS on the admin panel; many users still have older versions...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG An unprivileged user can edit/share a linked file of a project . 💥 VIDEO https://drive.google.com/file/d/1YaiG0vjFTuqZRck7dMLqkhT7HSZqaEdu/view?usp=sharing 💥 STEPS TO REPRODUCE 1. From the admin account add user B as a normal user. Now give user B the below permission for the project module. ----Read...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG An unprivileged user can download a project file 💥 STEPS TO REPRODUCE 1. From the admin account add user B as a normal user. Now give user B the below permission for the project module. ----Read projects and tasks shared project and projects I'm contact for. Can also enter time...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG An unprivileged user can modify a directory 💥 STEPS TO REPRODUCE 1. From the admin account add user B as a normal user. Now don't give any permission for the DMS/ECM module to user B. So, user B should not see any DMS/ECM details. 2. Now from the admin account go to...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG An unprivileged user can see all details of a product 💥 STEPS TO REPRODUCE 1. From the admin account add user B as a normal user. Now don't give any permission for the Product module to user B. So, user B should not see any product details. 2. Now from the admin account create a product. 3. Finally go to...
Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
✏️ Description Dolibarr is vulnerable to XSS. It is possible to bypass the sanitizer through the onpointerdown event. 🕵️‍♂️ Proof of Concept Payload: XSS. 1. With an authenticated user, access http://localhost/product/index.php. 2. Click on New product in the left bar. 3. Put any content in the Ref...
Cross-site Scripting (XSS) - Stored in changeweb/unifiedtransform
✏️ Description Stored Cross Site Scripting in message/all.blade.php. 🕵️‍♂️ Proof of Concept As a teacher, click on "My Courses" and then "message students". CKEditor hides the underlying where we can add tag or capture the request in a proxy like Burp Suite and edit the HTTP POST request. Select...