4057 matches found
in hstm/dotfiles
Description: The owner of this GitHub repo has inadvertently committed their .pgpass file, which contains login information for a localhost PostgreSQL server. We suggest the owner of this GitHub repo deletes the file from the repo, adds .pgpass to their .gitignore and changes their localhost...
Command Injection in sofianehamlaoui/lockdoor-framework
Description: Unsanitized user input leads to command injection in multiple scripts. Proof of Concept: payload = `;id` https://drive.google.com/file/d/1ZPyCaSyDbD2-gQK43DKlAHkFxi8lmgh/view?usp=sharing Impact: Commands run as root, so it could do potential damage...
Code Injection in sofianehamlaoui/lockdoor-framework
Description: Multiple command injections in the infogathering.py file due to lack of sanitization. Proof of Concept: Payload: `id` Video: https://drive.google.com/file/d/1uozVKKHL1LSMvFW7ehX3eIoxsWFLCes1/view?usp=sharing Impact: The tools ask for root to run, so every injected command will run as root...
in miodec/monkeytype
Description: Users can bypass leaderboard controls and inject any object they want into the leaderboard by spoofing POST requests to /checkLeaderboards. Malicious users can send specially crafted POST requests and inject any user they want at the top of the leaderboard with any value of words per...
in psi-4ward/psitransfer
Description: Hi, with PsiTransfer we can upload files and protect them with a password. However, there is an IDOR that lets an attacker retrieve arbitrary files and get the AES-encrypted data of these files. All that is left is to perform an offline brute force to crack the password of this file and ge...
in thisistherk/fast_obj
Description: Whilst experimenting with the test code built from commit d97389 with Clang 11 + UBSan on Ubuntu 20.04.2 LTS, we discovered an OBJ file which produces a signed integer overflow and a pointer overflow followed by a SIGSEGV. Proof of Concept: echo...
Improper Access Control in causefx/organizr
Description: A Google Maps API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. Proof of Concept: Visit the following link to verify that you can use the service...
Improper Access Control in openwhyd/openwhyd
Description: A YouTube API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. Proof of Concept: Visit the following link to verify that anyone can access the API key:...
Improper Privilege Management in dolibarr/dolibarr
BUG: An unprivileged user can add a personal email to another user. IMPACT: Users who don't have any access in "users and groups" can update users' personal email. TESTED VERSION: dolibarr 14.0.0-beta. STEP TO REPRODUCE: 1. First go to the admin account and add user B as a normal user. Now give user B...
in dolibarr/dolibarr
BUG: An unprivileged user can attach a bank to another user. IMPACT: Users who don't have any access in "users and groups" can update users' bank details. TESTED VERSION: dolibarr 14.0.0-beta. STEP TO REPRODUCE: 1. First go to the admin account and add user B as a normal user. Now give user B the below...
Stack-based Buffer Overflow in codeplea/tinyexpr
Description: Whilst experimenting with the repl built from commit 61af1d, with Clang 10 + ASan on Ubuntu 20.04.2 LTS, we discovered an expression containing 4 null characters after a newline which, due to insufficient bounds checking, triggers a stack-buffer-overflow. Proof of Concept: echo...
Improper Access Control in bramp/myip
Description: A Google Maps API key enabled without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. If Google Maps is not used in your project, then all the following APIs should...
Exposure of Sensitive Information to an Unauthorized Actor in tl-its-umich-edu/my-learning-analytics
Description: The Django secret key is exposed in the Dockerfile. This is used to sign JSON objects, create hashes and generate CSRF tokens. Proof of Concept: https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key/15383766?noredirect=1comment2174349415383766 ...
Improper Privilege Management in dolibarr/dolibarr
BUG: An unprivileged user can attach an agenda to a leave. IMPACT: Users who don't have any access to leave can add an agenda to this leave. TESTED VERSION: dolibarr 14.0.0-beta. STEP TO REPRODUCE: 1. First go to the admin account and add user B as a normal user. Now give user B the below permission for Agenda...
Improper Privilege Management in dolibarr/dolibarr
BUG: An unprivileged user can add a resource to an agenda. IMPACT: A user with read-only permission can add a resource to an agenda. TESTED VERSION: dolibarr 14.0.0-beta. STEP TO REPRODUCE: 1. First go to the admin account and add user B as a normal user. Now give user B the below permission for Events/Agenda and...
in dolibarr/dolibarr
BUG: An unprivileged user can upload a file to a task associated with a project. IMPACT: A user who has read-only access to a project can add a file to a task associated with this project. TESTED VERSION: dolibarr 14.0.0-beta. STEP TO REPRODUCE: 1. First go to the admin account and add user B as a normal user....
in dolibarr/dolibarr
BUG: An unprivileged user can modify the subject of a ticket. IMPACT: A user with read-only permission can modify a ticket subject. TESTED VERSION: dolibarr 14.0.0-beta. STEP TO REPRODUCE: 1. First go to the admin account and add user B as a normal user. Now give user B the below permission for the Ticket module....
Improper Privilege Management in dolibarr/dolibarr
BUG: An unprivileged user can see tasks associated with a project. IMPACT: A user who doesn't have access to a specific project can still see tasks attached to this project. TESTED VERSION: dolibarr 14.0.0-beta. STEP TO REPRODUCE: 1. First go to the admin account and add user B as a normal user. Now give user...
Improper Privilege Management in dolibarr/dolibarr
BUG: An unprivileged user can download a file of an agenda. IMPACT: A user who doesn't have access to a specific agenda can still download files uploaded to this agenda. TESTED VERSION: dolibarr 14.0.0-beta. STEP TO REPRODUCE: 1. First go to the admin account and add user B as a normal user. Now give user B...
Improper Access Control in xamarin/googleplayservicescomponents
Description: A Google Maps API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. Proof of Concept: Visit the following links to verify that you can use the service by...
Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
Description: Dolibarr is vulnerable to XSS. It is possible to upload SVG files containing JavaScript code. Proof of Concept: SVG file content: `<script>alert(document.domain);</script>` 1. With an authenticated user, access http://localhost/societe/card.php?action=create&leftmenu=. 2. Write any content in...
Heap-based Buffer Overflow in croatiacontrolltd/asterix
Description: Whilst experimenting with asterix, built from commit f44cfea, compiled with Clang 10 + ASan on Ubuntu 20.04.2 LTS, we are able to induce a heap-buffer-overflow in DataItemBits::getBits at asterix/src/asterix/DataItemBits.cpp:125. Since there is no bounds checking, when the software...
Improper Access Control in teamultroid/ultroid
Description: A Google Maps API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. Proof of Concept: Visit this link to verify that you can use the service by visiting...
Improper Access Control in codingtrain/website
Description: A Google Maps API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. Proof of Concept: Visit this link to verify that you can use the service by visiting...
Improper Access Control in kenzo-404/lynx-userbot
Description: A Google Maps API key without proper referer restrictions is found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. Proof of Concept: Visit this link to verify that you can use the service by visiting...
in koel/koel
Description: Koel is lacking any form of rate limiting on the login form, thus allowing an attacker to brute force their way in. Proof of Concept: - Spin up an instance of Koel. - Open up Burp Suite and capture a login request, send it to Intruder, set your options and run. - 401 is shown...
Path Traversal in kalcaddle/kodexplorer
Description: I have confirmed a file traversal vulnerability on any server running Kodexplorer; a malicious user can read any file. Proof of Concept: First set up a local installation of kodExplorer. If the server is running with root permission:...
SQL Injection in akshayp282/quizx
Description: Course deletion on the teacher portal is vulnerable to SQL injection. This will allow a user to run arbitrary SQL queries and completely erase, export or change all information in the database, potentially rendering the entire platform unusable. Proof of Concept: - Log in to...
Cross-site Scripting (XSS) - Stored in stevearc/pypicloud
Description: I didn't know there was something like this. Proof of Concept: details at https://github.com/stevearc/pypicloud/issues/280 Impact: Stored XSS on the admin panel; many users still have older versions...
Improper Privilege Management in dolibarr/dolibarr
BUG: An unprivileged user can edit/share linked files of a project. VIDEO: https://drive.google.com/file/d/1YaiG0vjFTuqZRck7dMLqkhT7HSZqaEdu/view?usp=sharing STEP TO REPRODUCE: 1. From the admin account add user B as a normal user. Now give user B the below permission for the project module: ----Read...
Improper Privilege Management in dolibarr/dolibarr
BUG: An unprivileged user can download a project file. STEP TO REPRODUCE: 1. From the admin account add user B as a normal user. Now give user B the below permission for the project module: ----Read projects and tasks shared project and projects I'm contact for. Can also enter time...
Improper Privilege Management in dolibarr/dolibarr
BUG: An unprivileged user can modify a directory. STEP TO REPRODUCE: 1. From the admin account add user B as a normal user. Now don't give any permission for the DMS/ECM module to user B. So, user B should not see any DMS/ECM details. 2. Now from the admin account go to...
Improper Privilege Management in dolibarr/dolibarr
BUG: An unprivileged user can see all details of a product. STEP TO REPRODUCE: 1. From the admin account add user B as a normal user. Now don't give any permission for the Product module to user B. So, user B should not see any product details. 2. Now from the admin account create a product. 3. Finally go to...
Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
Description: Dolibarr is vulnerable to XSS. It is possible to bypass the sanitizer through the onpointerdown event. Proof of Concept: Payload: XSS. 1. With an authenticated user, access http://localhost/product/index.php. 2. Click on New product in the left bar. 3. Put any content in the Ref...
Cross-site Scripting (XSS) - Stored in changeweb/unifiedtransform
Description: Stored Cross Site Scripting in message/all.blade.php. Proof of Concept: As a teacher, click on "My Courses" and then "message students". CKEditor hides the underlying field where we can add a tag, or capture the request in a proxy like Burp Suite and edit the HTTP POST request. Select...
Prototype Pollution in fiznool/body-parser-xml
Description: This library uses an XML parsing library which causes prototype pollution. However, this issue can be fixed on our side. Proof of Concept: `const express = require('express'); const bodyParser = require('body-parser'); require('body-parser-xml')(bodyParser); const app = express(); const...`
in cythron/gcp
Description: Hard-coded user credentials are exposed in the Dockerfile. Proof of Concept: https://github.com/cythron/gcp/blob/master/%23DockerfileL20 Impact: An attacker is capable of logging in using the given credentials...
Prototype Pollution in jalik/js-deep-extend
Description: Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker...
Cross-site Scripting (XSS) - Reflected in tagspaces/viewertext
Description: viewerText, used within TagSpaces to show a preview of text files, is vulnerable to cross site scripting. Proof of Concept: If any HTML is fed to the setContent function, e.g. `setContent("<script>alert('xss')</script>")`, it appends it to the DOM without any filtering: javascript...
in tagspaces/tagspaces
Vulnerability: Code Execution using Reflected Cross Site Scripting. Description: TagSpaces is a file organizer that also works as a file manager. When you open a file, it tries to provide a preview of common files like images, code and text files. But if the extension is not known to TagSpaces, it...
Cross-site Scripting (XSS) - Stored in knadh/listmonk
BUG: Stored XSS via file upload. SUMMARY: The uploaded file extension is only checked in client-side JavaScript. It must also be checked server-side so that users can't upload an HTML file instead of an image. STEP TO REPRODUCE: 1. From your account go to http://localhost:9000/campaigns/media and upload a...
Cross-site Scripting (XSS) - Stored in knadh/listmonk
Description: Hello, I found stored XSS in Logs while creating a new campaign; it works with other stuff, not only campaigns. Proof of Concept: https://drive.google.com/file/d/1Y5CMQdfzzdWwcCsQ8y85GgWPOilJVOgo/view?usp=sharing (sorry for the bad quality) Payload: asdf" Impact: XSS...
Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
BUG: Stored XSS bypassing the XSS filter. SUMMARY: There are many different users with different roles. Using this XSS bug, a lower-level user can make an XSS attack against a higher-level user. PAYLOAD: XSS15 STEP TO REPRODUCE: 1. First go to your account and edit a product. Now put the above XSS payload...
Cross-site Scripting (XSS) - DOM in apexcharts/apexcharts.js
Description: The last version of Apexcharts.js is vulnerable to Cross-Site Scripting (XSS). Proof of Concept: Simply try one of the examples provided in samples/vanilla-js/scatter/scatter-images.html in this way: `var options = { series: [{ name: 'Messenger', data: [16.4, 5.4, ...] }, { name:...`
Cross-site Scripting (XSS) - Stored in kalcaddle/kodexplorer
BUG: Stored XSS via oexe file upload. ACCOUNT: 1. user A -- admin -- victim 2. user B -- demo user -- attacker. STEP TO REPRODUCE: 1. From the user B account create an oexe file with the below content...
Cross-site Scripting (XSS) - Stored in phplist/phplist3
Description: Stored XSS. Proof of Concept: See this recorded video https://drive.google.com/file/d/1EUTevCQWPK4txY6jqQ-MAcXyDO7Zx2q/view?usp=sharing Impact: XSS bug...
Cross-site Scripting (XSS) - Stored in knadh/listmonk
Description: Stored XSS. Proof of Concept: Check this recorded video https://drive.google.com/file/d/1wlbisKCbYUZprOkAGzWGRQm0f-LDRD/view?usp=sharing Impact: XSS...
in utmsigep/member-directory
Description: Entering unintended values during the member creation flow causes unusual database state, unhandled exceptions/stack trace disclosure and denial of service due to continuous page crashes. Proof of Concept: - Select a member-status/group - Create New Member - Enter an invalid...
Cross-site Scripting (XSS) - Stored in utmsigep/member-directory
Description: Donor creation is vulnerable to stored XSS due to missing sanitization of user input. Proof of Concept: - Select a member-status/group - Create Member - Enter an XSS payload into the directory notes field, e.g. - Hit save. Upon...
Cross-site Scripting (XSS) - Generic in utmsigep/member-directory
Description: Non-administrative functions display success banners after multiple actions that reflect user input directly without sanitization. Proof of Concept: Donation Creation and Update - Donations - New Donation - Enter XSS payloads into the fields Last Name, First Name and Receipt ID,...