4057 matches found
Cross-site Scripting (XSS) - Generic in utmsigep/member-directory
✍️ Description Administrative functions display success banners after multiple actions that reflect user input directly without sanitization. 🕵️♂️ Proof of Concept Member-status Creation and Update - Directory Admin - Member Statuses - Create New Member Status - Code: Enter a string, Label: Enter...
Path Traversal in demon1a/discord-recon
✍️ Description Scanning internal git directories leaks using Improper input validation in truffleHog function
```python
urlHost = urlparse(argument).netloc
if urlHost != "github.com" and urlHost != "gitlab.com":
    await ctx.send("You're trying to scan unallowed URL, please use a github/gitlab URL.")
    return
```
The...
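Added example, not code from demon1a/discord-recon or truffleHog: the host-only comparison quoted in the report placed beside a stricter check for repository URLs. ALLOWED_HOSTS, REPO_PATH and the URLs in demo() are assumptions and constructed inputs of this example, not the report's reproduction steps; they illustrate what a netloc-only comparison does and does not constrain.

```python
# Added example, not code from demon1a/discord-recon or truffleHog. It puts the
# host-only check quoted above beside a stricter one for repository URLs.
# ALLOWED_HOSTS and REPO_PATH are assumptions of this example; the URLs in
# demo() are constructed test inputs, not the report's reproduction steps.
import re
from urllib.parse import urlparse

ALLOWED_HOSTS = {"github.com", "gitlab.com"}
# Exactly "/owner/repo" or "/owner/repo.git", optional trailing slash.
REPO_PATH = re.compile(
    r"^/[A-Za-z0-9][A-Za-z0-9._-]*/[A-Za-z0-9][A-Za-z0-9._-]*(?:\.git)?/?$"
)


def netloc_only_check(url: str) -> bool:
    """Shape of the check quoted in the report: compare netloc, nothing else."""
    host = urlparse(url).netloc
    return host == "github.com" or host == "gitlab.com"


def strict_repo_url_check(url: str) -> bool:
    """Hardened form: https only, exact host (so no userinfo, port or
    subdomain), an owner/repo path with no '.' or '..' segment, and no
    query string or fragment."""
    p = urlparse(url)
    if p.scheme != "https":
        return False
    if p.netloc not in ALLOWED_HOSTS:
        return False
    if p.query or p.fragment:
        return False
    segments = p.path.split("/")
    if ".." in segments or "." in segments:
        return False
    return REPO_PATH.match(p.path) is not None


def demo() -> dict:
    """Constructed inputs -> (netloc-only verdict, strict verdict)."""
    urls = [
        "https://github.com/trufflesecurity/trufflehog",
        "https://gitlab.com/group/project.git",
        "file://github.com/etc/passwd",          # host matches, scheme does not
        "https://github.com/../../internal",     # host matches, path climbs
        "https://github.com@evil.example/a/b",   # userinfo trick: netloc differs
        "https://github.com.evil.example/a/b",   # lookalike host
        "https://github.com/a/b?x=1",            # query string
    ]
    return {u: (netloc_only_check(u), strict_repo_url_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (loose, strict) in demo().items():
        print(f"netloc-only={loose!s:5}  strict={strict!s:5}  {url}")
```

The two columns printed by demo() make the point: host equality alone accepts any scheme and any path under a matching host, while the strict variant pins scheme, host, path shape and the absence of query or fragment.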
in rockcarry/ffjpeg
✍️ Description An exploitable heap overflow vulnerability exists in function bmp_load in bmp.c. 🕵️♂️ Proof of Concept
```bash
make
./ffjpeg -e poc
```
💥 Impact This vulnerability is capable of Code execution...
in cythron/tweango
✍️ Description The Django secret key was hard coded in the GitHub repository, which is vulnerable as https://huntr.dev/bounties/1-other-cythron/Tweango/ accordingly. Since the GitHub public API monitors every single git commit that is made, an attacker can still find the key from the commit list. = It is...
Heap-based Buffer Overflow in strukturag/libde265
✍️ Description heap-buffer-overflow of decctx.cc in function read_sps_NAL 🕵️♂️ Proof of Concept Verification steps: 1. Get the source code of Bento4 2. Compile the Bento4 bash $ ./autogen.sh $ export CFLAGS="-g -lpthread -fsanitize=address" $ export CXXFLAGS="-g -lpthread -fsanitize=address" $...
Heap-based Buffer Overflow in axiomatic-systems/bento4
✍️ Description heap-buffer-overflow 🕵️♂️ Proof of Concept Verification steps: 1. Get the source code of Bento4 2. Compile the Bento4 bash $ cd Bento4 $ mkdir checkbuild && cd checkbuild $ cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address"...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/shutdownRemoteFPP.php#L15 a user input is directly echoed in the page without sanitization:
```php
$ip = $_GET['ip'];
echo "Shutting down FPP system @ $ip\n";
```
🕵️♂️ Proof of Concept Visit :...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/runEventScript.php#L30 you echo unsanitized user input in two places : php \n"; // 1 echo "\n"; system($SUDO . " $fppDir/scripts/eventScript $scriptDirectory/$script $args"); echo "\n"; else ?...
OS Command Injection in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/runEventScript.php#L32 a command is built using unsanitized user input : php \n"; echo "\n"; system($SUDO . " $fppDir/scripts/eventScript $scriptDirectory/$script $args"); // scripts and args ar...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/copystorage.php#L29 you echo a command built with untrusted user input without sanitizing it : php &1"; echo "Command: $command\n"; // I can embed custom and malicious JS here echo...
OS Command Injection in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/copystorage.php#L27 you build a command using unsanitized user input : php &1"; // no sanitization : echo "Command: $command\n"; echo...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/721c99aed6897792bf7f79fa02a280995e27d409/www/gitCheckoutVersion.php#L26 you echo a user input without sanitization : html Version: 🕵️♂️ Proof of Concept Visit...
OS Command Injection in falconchristmas/fpp
✍️ Description Hi, in https://github.com/FalconChristmas/fpp/blob/721c99aed6897792bf7f79fa02a280995e27d409/www/gitCheckoutVersion.php#L38 : php A system function is called with a user input; a malicious user could profit from it if the version variable contains a command 🕵️♂️ Proof of Concept...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description FalconChristmas/fpp suffers from an XSS vulnerability. In https://github.com/FalconChristmas/fpp/blob/master/www/playlists.php#L15 we see : php var initialPlaylist = ""; XSS is possible because the playlist variable isn't sanitized before reflection in the webpage. 🕵️♂️ Proof of...
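The playlists.php report above reflects a value inside a JavaScript string literal, a context where plain HTML escaping is the wrong tool. The following is an added example, not FPP code: the reflected pattern from the report beside an encoder suited to script context, with a small constructed breakout detector. Function names, the payloads in demo() and the detector are assumptions of this example.

```python
# Added example, not FPP code. The reflected pattern in the report is a value
# dropped into a JavaScript string literal; this shows that pattern beside an
# encoder suited to that context. Inputs in demo() are constructed payloads.
import html
import json


def render_js_string_unsafe(playlist: str) -> str:
    """The report's pattern: raw value inside a <script> string literal."""
    return 'var initialPlaylist = "%s";' % playlist


def render_html_text(playlist: str) -> str:
    """Right tool for an HTML text node or quoted attribute, wrong for <script>."""
    return "<p>Playlist: %s</p>" % html.escape(playlist, quote=True)


def js_string_literal(value: str) -> str:
    """JSON-encode (keeping non-ASCII readable), then neutralise what still
    matters inside <script>: the HTML parser ends the element at '</' no
    matter how the JS is quoted, and U+2028/U+2029 were line terminators in
    older engines. '\\/' and '\\u2028' are valid JSON escapes, so the value
    still round-trips through json.loads."""
    s = json.dumps(value, ensure_ascii=False)
    return (s.replace("</", "<\\/")
             .replace("\u2028", "\\u2028")
             .replace("\u2029", "\\u2029"))


def render_js_string_safe(playlist: str) -> str:
    return "var initialPlaylist = %s;" % js_string_literal(playlist)


def breaks_out_of_script(rendered: str) -> bool:
    """Constructed detector for this example only: a raw '</script' anywhere,
    or an unescaped '"' that would end the literal before the final one."""
    if "</script" in rendered.lower():
        return True
    body = rendered[len('var initialPlaylist = "'):-len('";')]
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2          # escaped character, whatever it is
            continue
        if body[i] == '"':
            return True
        i += 1
    return False


def demo() -> dict:
    """payload -> (unsafe breaks out?, safe breaks out?, safe round-trips?)"""
    payloads = ['";alert(1);//', "</script><script>alert(1)</script>"]
    return {
        p: (
            breaks_out_of_script(render_js_string_unsafe(p)),
            breaks_out_of_script(render_js_string_safe(p)),
            json.loads(js_string_literal(p)) == p,
        )
        for p in payloads
    }


if __name__ == "__main__":
    for p, verdict in demo().items():
        print(verdict, render_js_string_safe(p))
```

The design point is contextual: the value going into `var initialPlaylist = ...` must be a JS string literal, so it is produced by a JSON encoder plus the two script-specific fixes, while the same value shown in an HTML text node goes through html.escape() instead. Using one encoder for both contexts is what leaves a gap.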
in cythron/tweango
✍️ Description Django secret key is pushed into the GitHub repository. This is used to sign JSON objects, create hashes and generate CSRF tokens. 🕵️♂️ Proof of Concept https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key/15383766?noredirect=1#comment21743494_15383766 💥...
Cross-site Scripting (XSS) - Reflected in thecoshman/http
✍️ Description The web server is vulnerable to Cross-site scripting. An attacker can host a file with an XSS payload as the file name. When a user visits the web server address, the JavaScript will be executed in the browser. This is due to improper sanitization. 🕵️♂️ Proof of Concept - Create a...
in axiomatic-systems/bento4
✍️ Description NULL pointer dereference of Ap4StszAtom.cpp in function GetSampleSize 🕵️♂️ Proof of Concept Verification steps: 1. Get the source code of Bento4 2. Compile the Bento4 bash $ cd Bento4 $ mkdir checkbuild && cd checkbuild $ cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++...
in axiomatic-systems/bento4
✍️ Description NULL pointer dereference of Ap4Descriptor.h in function GetTag 🕵️♂️ Proof of Concept Verification steps: 1. Get the source code of Bento4 2. Compile the Bento4 bash $ cd Bento4 $ mkdir checkbuild && cd checkbuild $ cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++...
Cross-site Scripting (XSS) - Reflected in forkcms/forkcms
✍️ Description The forkcms is vulnerable to XSS through Online movies id editing. 🕵️♂️ Proof of Concept 1. With an authenticated user, access http://localhost/private/en/media_library/media_item_index. 2. Click on New media. 3. Select Online movies Youtube, Vimeo, ... and click on Next. 4. Select any...
Session Fixation in monicahq/monica
✍️ Description Recently there were more than 5 reports at huntr showing how to trigger XSS in monica. The session fixation I am reporting here can be used with these bugs, or can be used for post-exploitation methods to maintain access to an account even after changing the password of the account...
OS Command Injection in falconchristmas/fpp
✍️ Description FPP - Falcon Player is vulnerable to OS Command injection attacks on ping.php because it doesn't sanitize user supplied parameters as shown below: Vulnerable variable: count Method: GET The $count variable is constructed using the user supplied data, and then is used in a system...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
✍️ Description The forkcms is vulnerable to XSS through image name editing. 🕵️♂️ Proof of Concept 1. With an authenticated user, access http://localhost/private/en/media_library/media_item_index. 2. Click on New media. 3. Upload any image and then click on Back to overview. 4. With the image...
Path Traversal in thecodingmachine/mouf
✍️ Description Mouf is vulnerable to path traversal attacks on mouf/mouf/src/direct/getsourcefile.php because it doesn't sanitize user supplied parameters as shown below. Vulnerable variable: file Method: GET The $file variable is constructed using the user supplied data, and then a file is open...
Improper Privilege Management in monicahq/monica
✍️ Description Bypass payment verification and add more contacts. From a free account a user can add only 10 contacts, but using this bug a user can add more than 10 contacts for free. 🕵️♂️ Proof of Concept 1. First go to https://app.monicahq.com/people from a free account and add 10 contacts. Now you can't...
Improper Privilege Management in chatwoot/chatwoot
✍️ Description Privilege escalation bug to add slack integration by an agent 🕵️♂️ Proof of Concept 1. First go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list from an admin account and add a user B as agent. Now user B can't add slack integration. 2. Finally from user B's account...
Cross-site Scripting (XSS) - Reflected in coppermine-gallery/cpg1.6.x
✍️ Description Coppermine is vulnerable to XSS attacks on /plugins/uploadh5a/help.php because it doesn't sanitize user supplied parameters as shown below. Vulnerable variable: t Method: GET The $styles variable is constructed using the user supplied data, and then is echoed in the response. $styles =...
Cross-site Scripting (XSS) - Reflected in bustle/mobiledoc-kit
✍️ Description XSS using bypass of URL validation 🕵️♂️ Proof of Concept I see your code https://github.com/bustle/mobiledoc-kit uses a dependency https://github.com/bustle/mobiledoc-dom-renderer . This dependency is used for URL validation to prevent XSS. It filters the javascript and vbscript protocols to...
Path Traversal in svenstaro/miniserve
✍️ Description The file upload feature in miniserve is vulnerable to path traversal. An attacker can upload a file with "../" in the filename and the web server will then upload the file outside of the directory scope, allowing path traversal. The severity of this security issue...
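Both the Mouf report (a 'file' parameter opened from disk) and the miniserve report above (an upload name containing "../") come down to confining a user-controlled relative path to one base directory. The following is an added example, not miniserve or Mouf code: a single confinement routine that applies lexical rules and then a realpath check so that a symlink already inside the base directory cannot lead out of it either. safe_join, its rules and the inputs in demo() are assumptions of this example.

```python
# Added example, not miniserve or Mouf code: one routine that confines an
# upload name (the miniserve report) or a 'file' parameter (the Mouf report)
# to a base directory. demo() builds a temporary directory with a symlink
# pointing outside it; all paths are constructed for this example.
import os
import posixpath
import tempfile
from typing import Optional


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Return an absolute path under base_dir, or None if user_path would
    escape it. Lexical rules first (no absolute path; no '', '.' or '..'
    segment; no backslash or NUL), then a realpath check so that a symlink
    already present inside base_dir cannot lead outside either."""
    if not user_path or "\x00" in user_path or "\\" in user_path:
        return None
    if posixpath.isabs(user_path):
        return None
    segments = user_path.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, *segments))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def demo() -> dict:
    """Map each constructed input to True (accepted) or False (rejected)."""
    inputs = [
        "report.pdf",
        "2021/report.pdf",
        "../etc/passwd",
        "sub/../../etc/passwd",
        "/etc/passwd",
        "..\\windows\\win.ini",
        "escape/secret.txt",   # 'escape' is a symlink to the parent directory
    ]
    with tempfile.TemporaryDirectory() as base:
        linked = True
        try:
            parent = os.path.dirname(os.path.realpath(base))
            os.symlink(parent, os.path.join(base, "escape"))
        except OSError:
            linked = False     # no symlink support here; skip that case
        results = {p: safe_join(base, p) is not None for p in inputs}
        if not linked:
            results.pop("escape/secret.txt")
        return results


if __name__ == "__main__":
    for path, accepted in demo().items():
        print("accept" if accepted else "reject", path)
```

The lexical rules alone stop the "../" case from both reports; the realpath comparison is what also catches the symlink case, which a check on the string can never see.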
Code Injection in c0oki3s/python-tools
✍️ Description python-tools is using an insecure input function in https://github.com/C0oki3s/python-tools/blob/main/Dircreate/Dircreate.py#L8. Given that the script can be run using python2 or python3, if you feed the program with a python command and the python interpreter is python2, then the...
Insufficiently Protected Credentials in hotrodzphotography/hotrodzphotography.github.io
✍️ Description Private mailgun API key found in https://github.com/hotrodzphotography/hotrodzphotography.github.io/blob/1e8d0227f3558f3df8140ee0042867fcb1146379/src/views/Contact.vue#L48 90e27fb32160148dc1cc3890ef601355' 🕵️♂️ Proof of Concept curl --user 'api:key-90e27fb32160148dc1cc3890ef601355'...
Command Injection in sofianehamlaoui/lockdoor-framework
✍️ Description Command injection occurs due to lack of sanitization of input passed to the os.system command usage in the package. As the package runs only as root, every command processed inside the package's system command will be running with root privileges, so every command passed via simple...
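The lockdoor-framework report above and the FPP reports earlier on this page (runEventScript.php, copystorage.php, gitCheckoutVersion.php, ping.php) share one pattern: user data concatenated into a string that is handed to a shell. The following is an added example, not code from lockdoor-framework or FPP: that pattern beside an argv-list call and the allowlist validation a parameter like ping.php's count would need. The function names are assumptions, run_echo() substitutes the Python interpreter for the external tool so the example runs offline, and the inputs in demo() are constructed.

```python
# Added example, not code from lockdoor-framework or FPP. It contrasts the
# os.system()-style string command in those reports with an argv list, and adds
# the input validation that the FPP ping.php report's 'count' parameter would
# need. run_echo() substitutes the Python interpreter for the external tool so
# the example runs offline; the inputs in demo() are constructed.
import ipaddress
import re
import shlex
import subprocess
import sys

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(r"^(?=.{1,253}$)" + LABEL + r"(?:\." + LABEL + r")*$")


def shell_string_unsafe(host: str, count: str) -> str:
    """The reported pattern: user data concatenated into one shell string."""
    return "ping -c " + count + " " + host


def shell_string_quoted(host: str, count: str) -> str:
    """If a shell is unavoidable, shlex.quote() makes each value one word."""
    return "ping -c " + shlex.quote(count) + " " + shlex.quote(host)


def argv_safe(host: str, count: int) -> list:
    """No shell at all: ';', '|' and '$(...)' are just bytes in argv[3]."""
    return ["ping", "-c", str(count), host]


def validate_count(raw: str) -> int:
    """Allowlist instead of escaping: a small integer and nothing else."""
    if not re.fullmatch(r"[0-9]{1,2}", raw):
        raise ValueError("count must be 1-2 digits")
    n = int(raw)
    if not 1 <= n <= 10:
        raise ValueError("count out of range")
    return n


def validate_host(raw: str) -> str:
    """Accept an IP literal or a syntactically valid hostname only."""
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        pass
    if HOSTNAME.match(raw):
        return raw
    raise ValueError("not a hostname or IP address")


def run_echo(arg: str) -> str:
    """Stand-in for the external tool: a child process that prints argv[1],
    launched with an argv list so the argument is never shell-parsed."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", arg],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


def demo() -> dict:
    payload = "127.0.0.1; id"        # constructed: host value carrying a second command
    out = {
        "unsafe_string": shell_string_unsafe(payload, "1"),
        "quoted_string": shell_string_quoted(payload, "1"),
        "argv": argv_safe(payload, 1),
        "child_saw": run_echo(payload),
    }
    for raw in ["1", "10", "11", "1; id", "$(id)"]:
        try:
            out["count:" + raw] = validate_count(raw)
        except ValueError:
            out["count:" + raw] = None
    for raw in ["10.0.0.1", "fpp.local", payload]:
        try:
            out["host:" + raw] = validate_host(raw)
        except ValueError:
            out["host:" + raw] = None
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

"child_saw" shows the whole point of the argv form: the child receives the string "127.0.0.1; id" as a single argument, with the semicolon intact as data. Validation is still applied first, because a value that is only quoted, not checked, can still reach the tool as a bogus option or target.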
OS Command Injection in sztheory/exifcleaner
✍️ Description Command Injection using XSS via EXIF Data. The application displays the image metadata in HTML format without removing malicious tags, therefore an XSS attack can be performed. bash exiftool -Comment='OverJT' MYIMAGE.png Being an application made in Electron, it allows one to easily...
Cross-site Scripting (XSS) - Reflected in blockonomics/woocommerce-plugin
✍️ Description Reflected javascript injection vulnerabilities exist when web applications take parameters from the URL and display them on a page. Reflection vulnerabilities occur when a website outputs a variable from the webpage URL directly to the page, such as in a PHP application that accepts...
Improper Privilege Management in chatwoot/chatwoot
✍️ Description Privilege escalation bug to add an agent in an inbox 🕵️♂️ Proof of Concept 1. First go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list from an admin account and add a user B as agent. 2. Now go to https://app.chatwoot.com/app/accounts/4534/settings/inboxes/list and add a...
Improper Privilege Management in chatwoot/chatwoot
✍️ Description Privilege escalation to view all conversations 🕵️♂️ Proof of Concept 1. First go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list from an admin account and add a user B as agent. 2. Now go to https://app.chatwoot.com/app/accounts/4534/settings/inboxes/list and add a...
Cross-site Scripting (XSS) - Stored in jam-py/jam-py
✍️ Description Stored XSS in the comment box on the Suppliers profile. In fact, all inputs have XSS. No input parameter is sanitized before saving in the database. 🕵️♂️ Proof of Concept 1. git clone https://github.com/jam-py/jam-py 2. cd jam-py && python setup.py install 3. cd demo 4. python server.py 5...
Cross-Site Request Forgery (CSRF) in boxbilling/boxbilling
✍️ Description CSRF BUG 🕵️♂️ Proof of Concept I see the whole boxbilling software is vulnerable to a CSRF bug. There is no protection against CSRF attacks. The CSRF attack PoC is the code below: document.getElementById("myForm").submit() In this HTML code change your site name and save the file as HTML. Now...
Cross-site Scripting (XSS) - Stored in bytefury/crater
✍️ Description Stored XSS using customer billing address 🕵️♂️ Proof of Concept 1. First go to the demo app https://demo.craterapp.com/admin/customers/create and create a customer. During creation put the XSS payload below in the billing address field and save it. Now see the XSS is executed. payload -- xss"'...
Cross-site Scripting (XSS) - Generic in mailtrain-org/mailtrain
✍️ Description Stored XSS via campaign file upload 🕵️♂️ Proof of Concept 1. First go to http://localhost:3000/campaigns and open a campaign. 2. Now in linux create a file with the name below. 3. Now upload the created file in the above campaign http://localhost:3000/campaigns/1/files and see the XSS is...
Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling
✍️ Description XSS is possible via the support ticket reply functionality for admin. It can happen if a client registers with his name as the XSS payload and the admin replies with the default greetings. Otherwise the admin has to manually enter the payload in the reply form. 🕵️♂️ Proof of Concept 1. Register...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
✍️ Description The forkcms is vulnerable to XSS through a search request. It is possible to set the HTTP Referer header to javascript:. 🕵️♂️ Proof of Concept Execute the following command on localhost: shell curl -H 'Referer: javascript:alert'...
Improper Access Control in idno/known
✍️ Description A logged in user can edit 'Public' or 'Members only' status of other users 🕵️♂️ Proof of Concept 1. Create a 'Public' or 'Members only' status update with a first user 2. Login with a second user and go to the root page e.g. http://yoursite/known where you can see the status of the...
Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling
✍️ Description Cross site scripting via redirect URL 🕵️♂️ Proof of Concept Go to your boxbilling account and visit http://mysite.com/boxbilling/index.php?url=/bb-admin/extension/settings/redirect . Here put the XSS payload xss"' in the redirect URL field. After saving you can see the XSS is executed. Video...
Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling
✍️ Description XSS via support ticket 🕵️♂️ Proof of Concept Login to your boxbilling account and create a support ticket. Put the XSS payload below in the support ticket: click-me Now save the link, click it and see the XSS is executed. Video Poc--...
Prototype Pollution in ssnau/xkit
✍️ Description Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker...
Server-Side Request Forgery (SSRF) in prasathmani/tinyfilemanager
✍️ Description SSRF to access internal server 🕵️♂️ Proof of Concept 1. Go to http://localhost/tinyfilemanager/index.php?p=&upload and put an internal server address and see it will fetch that file. Video Poc https://drive.google.com/file/d/1dsTqvuQbGN619Gdncze4tuIH7MsonliT/view?usp=sharing 💥 Impact...
Cross-site Scripting (XSS) - Generic in prasathmani/tinyfilemanager
✍️ Description Cross site scripting bug exists via file upload 🕵️♂️ Proof of Concept 1. Upload a file and capture the request in Burp Suite. 2. Now change the fullpath parameter value to an XSS payload in Burp Suite and forward the request, and see the XSS is executed. Video poc...
Cross-site Scripting (XSS) - Generic in chatwoot/chatwoot
SUMMARY I contacted the company directly, but they told me to submit the bug through huntr ✍️ Description Stored XSS. An agent can perform cross site scripting against an admin. VIDEO POC https://drive.google.com/file/d/1vWXiFKbsqVhMUS4kgpz50wSNsFTo9Ny/view?usp=sharing 🕵️♂️ Proof of Concept STEPS TO REPRODUCE...
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in sebhildebrandt/systeminformation
✍️ Description The systeminformation package is vulnerable to Improper Input Validation through the versions function. 🕵️♂️ Proof of Concept
```javascript
// PoC.js
const si = require('systeminformation');
si.versions({ toString: () => { console.log("This is a PoC") } });
```
💥 Impact This vulnerability allows attackers to...
Cross-site Scripting (XSS) - Stored in octobercms/library
✍️ Description OctoberCMS uses october/rain library to handle file uploads. Previously it was possible to upload malicious files with HTML content to the CMS via its Media upload feature. This security issue marked as CVE-2020-15249 was fixed in 1.0.469. But it is still possible to upload XML...