Prototype Pollution in fiznool/body-parser-xml
✍️ Description This library uses an XML parsing library which causes prototype pollution. However, this issue can be fixed on our side. 🕵️‍♂️ Proof of Concept const express = require('express'); const bodyParser = require('body-parser'); require('body-parser-xml')(bodyParser); const app = express(); const...
in cythron/gcp
✍️ Description Hard-coded user credentials are exposed in the Dockerfile. 🕵️‍♂️ Proof of Concept https://github.com/cythron/gcp/blob/master/%23Dockerfile#L20 💥 Impact An attacker is capable of logging in using the given credentials...
Prototype Pollution in jalik/js-deep-extend
✍️ Description Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker...
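The two prototype pollution entries above (body-parser-xml and js-deep-extend) describe the same mechanism: a parser or merge helper walks attacker-supplied keys, and a key named __proto__ lands on Object.prototype. The following is an added example, not code from either project or from the XML library the first report mentions. It shows a naive recursive merge of the kind deep-extend helpers implement beside a hardened version; the attacker document is constructed here with JSON.parse, and an XML element named __proto__ turned into an object key by a parser produces the same shape.

```javascript
// Added example: a naive deep-extend beside a hardened one.
// Not code from either project; the attacker body below is constructed.

// Vulnerable: descends into every key, including "__proto__". On a plain
// object, target["__proto__"] is Object.prototype, so the recursion writes
// the attacker's properties onto the prototype shared by every object.
function naiveDeepExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that walk the prototype chain, only recurse into
// own properties of the target, and never treat arrays as merge targets.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker body. JSON.parse keeps "__proto__" as an ordinary own
// property, which is what a parser building objects key by key produces for
// an XML element or JSON member with that name.
const ATTACKER_BODY = JSON.parse(
  '{"settings":{"theme":"dark"},"__proto__":{"isAdmin":true}}'
);

// Returns true when an unrelated object "gains" isAdmin after the merge.
function demoNaive() {
  naiveDeepExtend({}, ATTACKER_BODY);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;   // undo the pollution for the rest of the process
  return polluted;
}

// Same input through the hardened merge: legitimate keys survive, the
// prototype is untouched.
function demoSafe() {
  const merged = safeDeepExtend({}, ATTACKER_BODY);
  const unrelated = {};
  return { polluted: unrelated.isAdmin === true, theme: merged.settings.theme };
}
```

The key blocklist is only one half of the fix: the hasOwnProperty check matters too, because `target["constructor"]` or `target["toString"]` on a plain object are inherited, and recursing into an inherited object is how the pollution happens in the first place.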
Cross-site Scripting (XSS) - Reflected in tagspaces/viewertext
✍️ Description viewerText, used within TagSpaces to show a preview of text files, is vulnerable to cross-site scripting. 🕵️‍♂️ Proof of Concept If any HTML is fed to the setContent function: javascript setContent"alert'xss'; it appends it to the DOM without any filtering: javascript...
in tagspaces/tagspaces
Vulnerability Code Execution using Reflected Cross Site Scripting ✍️ Description TagSpaces is a file organizer that also works as a file manager. When you open a file, it tries to provide a preview of common files like images, code and text files. But if the extension is not known to TagSpaces, it...
Cross-site Scripting (XSS) - Stored in knadh/listmonk
💥 BUG Stored XSS via file upload 💥 SUMMARY The uploaded file extension is only checked in client-side JavaScript. It must also be checked on the server side so that a user can't upload an HTML file instead of an image. 💥 STEPS TO REPRODUCE 1. From your account go to http://localhost:9000/campaigns/media and upload a...
Cross-site Scripting (XSS) - Stored in knadh/listmonk
✍️ Description Hello, I found a stored XSS in Logs while creating a new campaign; it works with other things too, not only campaigns. 🕵️‍♂️ Proof of Concept https://drive.google.com/file/d/1Y5CMQdfzzdWwcCsQ8y85GgWPOilJVOgo/view?usp=sharing (sorry for the bad quality) Payload: asdf" 💥 Impact XSS...
Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
💥 BUG Stored XSS bypassing the XSS filter 💥 SUMMARY There are many different users with different roles. Using this XSS bug, a lower-level user can mount an XSS attack against a higher-level user. 💥 PAYLOAD XSS15 💥 STEPS TO REPRODUCE 1. First go to your account and edit a product. Now put the above XSS payload...
Cross-site Scripting (XSS) - DOM in apexcharts/apexcharts.js
✍️ Description The latest version of ApexCharts.js is vulnerable to Cross-Site Scripting (XSS). 🕵️‍♂️ Proof of Concept Simply try one of the examples provided in samples/vanilla-js/scatter/scatter-images.html in this way: javascript var options = series: name: 'Messenger', data: 16.4, 5.4, ..... , name:...
Cross-site Scripting (XSS) - Stored in kalcaddle/kodexplorer
BUG ======== Stored XSS via oexe file upload ACCOUNT ============= 1. user A -- admin -- victim 2. user B -- demo user -- attacker STEPS TO REPRODUCE ================== 1. From user B's account create an oexe file with the below content...
Cross-site Scripting (XSS) - Stored in phplist/phplist3
✍️ Description Stored XSS 🕵️‍♂️ Proof of Concept See this recorded video https://drive.google.com/file/d/1EUTevCQWPK4txY6jqQ-MAcXyDO7Zx2q/view?usp=sharing 💥 Impact XSS bug...
Cross-site Scripting (XSS) - Stored in knadh/listmonk
✍️ Description Stored XSS 🕵️‍♂️ Proof of Concept Check this recorded video https://drive.google.com/file/d/1wlbisKCbYUZprOkAGzWGRQm0f-LDRD/view?usp=sharing 💥 Impact XSS...
in utmsigep/member-directory
✍️ Description Entering unintended values during the member creation flow causes unusual database state, unhandled exceptions/stack trace disclosure and denial of service due to continuous page crashes. 🕵️‍♂️ Proof of Concept - Select a member-status/group - Create New Member - Enter an invalid...
Cross-site Scripting (XSS) - Stored in utmsigep/member-directory
✍️ Description Donor creation is vulnerable to stored XSS originating from donor creation due to missing sanitization of user input. 🕵️‍♂️ Proof of Concept - Select a member-status/group - Create Member - Enter an XSS payload into the directory notes field, e.g. - Hit save. Upon...
Cross-site Scripting (XSS) - Generic in utmsigep/member-directory
✍️ Description Non-administrative functions display success banners after multiple actions that reflect user input directly without sanitization. 🕵️‍♂️ Proof of Concept Donation Creation and Update - Donations - New Donation - Enter XSS payloads into the fields Last Name, First Name and Receipt ID,...
Cross-site Scripting (XSS) - Generic in utmsigep/member-directory
✍️ Description Administrative functions display success banners after multiple actions that reflect user input directly without sanitization. 🕵️‍♂️ Proof of Concept Member-status Creation and Update - Directory Admin - Member Statuses - Create New Member Status - Code: Enter a string, Label: Enter...
Path Traversal in demon1a/discord-recon
✍️ Description Internal git directories can be scanned and leaked due to improper input validation in the truffleHog function: urlHost = urlparse(argument).netloc if urlHost != "github.com" and urlHost != "gitlab.com": await ctx.send("You're trying to scan unallowed URL, please use a github/gitlab URL.") return The...
in rockcarry/ffjpeg
✍️ Description An exploitable heap overflow vulnerability exists in function bmp_load in bmp.c. 🕵️‍♂️ Proof of Concept make ./ffjpeg -e poc 💥 Impact This vulnerability is capable of code execution...
in cythron/tweango
✍️ Description The Django secret key was hard-coded in the GitHub repository, which is vulnerable as https://huntr.dev/bounties/1-other-cythron/Tweango/ accordingly. Since the GitHub public API monitors every single git commit that is made, an attacker can still find the key from the commit list. It is...
Heap-based Buffer Overflow in strukturag/libde265
✍️ Description heap-buffer-overflow in decctx.cc in function read_sps_NAL 🕵️‍♂️ Proof of Concept Verification steps: 1. Get the source code of Bento4 2. Compile Bento4 bash $ ./autogen.sh $ export CFLAGS="-g -lpthread -fsanitize=address" $ export CXXFLAGS="-g -lpthread -fsanitize=address" $...
Heap-based Buffer Overflow in axiomatic-systems/bento4
✍️ Description heap-buffer-overflow 🕵️‍♂️ Proof of Concept Verification steps: 1. Get the source code of Bento4 2. Compile Bento4 bash $ cd Bento4 $ mkdir checkbuild && cd checkbuild $ cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address"...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/shutdownRemoteFPP.php#L15 a user input is directly echoed in the page without sanitization: php $ip = $_GET['ip']; echo "Shutting down FPP system @ $ip\n"; 🕵️‍♂️ Proof of Concept Visit:...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/runEventScript.php#L30 you echo unsanitized user input in two places: php \n"; // 1 echo "\n"; system($SUDO . " $fppDir/scripts/eventScript $scriptDirectory/$script $args"); echo "\n"; else ?...
OS Command Injection in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/runEventScript.php#L32 a command is built using unsanitized user input: php \n"; echo "\n"; system($SUDO . " $fppDir/scripts/eventScript $scriptDirectory/$script $args"); // scripts and args ar...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/copystorage.php#L29 you echo a command built with untrusted user input without sanitizing it: php &1"; echo "Command: $command\n"; // I can embed custom and malicious JS here echo...
OS Command Injection in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/copystorage.php#L27 you build a command using unsanitized user input: php &1"; // no sanitization: echo "Command: $command\n"; echo...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/721c99aed6897792bf7f79fa02a280995e27d409/www/gitCheckoutVersion.php#L26 you echo a user input without sanitization: html Version: 🕵️‍♂️ Proof of Concept Visit...
OS Command Injection in falconchristmas/fpp
✍️ Description Hi, in https://github.com/FalconChristmas/fpp/blob/721c99aed6897792bf7f79fa02a280995e27d409/www/gitCheckoutVersion.php#L38: php A system function is called with a user input; a malicious user could profit from it if the version variable contains a command 🕵️‍♂️ Proof of Concept...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description FalconChristmas/fpp suffers from an XSS vulnerability. In https://github.com/FalconChristmas/fpp/blob/master/www/playlists.php#L15 we see: php var initialPlaylist = ""; XSS is possible because the playlist variable isn't sanitized before reflection in the webpage. 🕵️‍♂️ Proof of...
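The fpp reflected-XSS reports above show two different output contexts: `$ip` echoed into the HTML body, and `initialPlaylist` echoed into a JavaScript string literal inside a script block. Each context needs its own encoding; HTML-escaping a value that lands inside a JS string does not stop a `</script>` from closing the block. The following is an added example written in Node rather than the PHP the project uses, not fpp's code; renderShutdownPage and renderPlaylistScript are hypothetical stand-ins for the pages named in the reports.

```javascript
// Added example, not code from fpp: output encoding chosen per context.
// renderShutdownPage / renderPlaylistScript are hypothetical stand-ins for
// the PHP pages named in the reports.

// HTML text/attribute context: the five characters that can change HTML
// structure or end a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context inside a <script> block. JSON.stringify
// gives a correctly quoted literal; the extra pass turns "<", ">", "&" and
// the U+2028/U+2029 line terminators into \uXXXX escapes, so a value
// containing "</script>" cannot close the block and the literal stays
// valid JavaScript.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Vulnerable shape, transcribed from the first report: raw interpolation.
function renderShutdownPageUnsafe(ip) {
  return `<p>Shutting down FPP system @ ${ip}</p>`;
}

// Hardened: HTML context gets HTML escaping.
function renderShutdownPage(ip) {
  return `<p>Shutting down FPP system @ ${escapeHtml(ip)}</p>`;
}

// Hardened: script context gets a JS string literal, not HTML escaping.
function renderPlaylistScript(playlist) {
  return `<script>var initialPlaylist = ${jsStringLiteral(playlist)};</script>`;
}
```

The same rule applies to the command-output pages in the list: `echo "Command: $command"` needs the HTML encoder even after the command itself has been fixed, because the echoed text is still attacker-influenced.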
in cythron/tweango
✍️ Description The Django secret key is pushed into the GitHub repository. This is used to sign JSON objects, create hashes and generate CSRF tokens. 🕵️‍♂️ Proof of Concept https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key/15383766?noredirect=1#comment21743494_15383766 💥...
Cross-site Scripting (XSS) - Reflected in thecoshman/http
✍️ Description The web server is vulnerable to cross-site scripting. An attacker can host a file with an XSS payload as the file name. When a user visits the web server address, the JavaScript will be executed in the browser. This is due to improper sanitization. 🕵️‍♂️ Proof of Concept - Create a...
in axiomatic-systems/bento4
✍️ Description NULL pointer dereference in Ap4StszAtom.cpp in function GetSampleSize 🕵️‍♂️ Proof of Concept Verification steps: 1. Get the source code of Bento4 2. Compile Bento4 bash $ cd Bento4 $ mkdir checkbuild && cd checkbuild $ cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++...
in axiomatic-systems/bento4
✍️ Description NULL pointer dereference in Ap4Descriptor.h in function GetTag 🕵️‍♂️ Proof of Concept Verification steps: 1. Get the source code of Bento4 2. Compile Bento4 bash $ cd Bento4 $ mkdir checkbuild && cd checkbuild $ cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++...
Cross-site Scripting (XSS) - Reflected in forkcms/forkcms
✍️ Description forkcms is vulnerable to XSS through the Online movies id edit. 🕵️‍♂️ Proof of Concept 1. With an authenticated user, access http://localhost/private/en/media_library/media_item_index. 2. Click on New media. 3. Select Online movies (Youtube, Vimeo, ...) and click on Next. 4. Select any...
Session Fixation in monicahq/monica
✍️ Description Recently there were more than 5 reports at huntr showing how to trigger XSS in Monica; the session fixation I am reporting here can be used with these bugs or for post-exploitation methods to maintain access to an account even after changing the password of the account...
OS Command Injection in falconchristmas/fpp
✍️ Description FPP - Falcon Player is vulnerable to OS command injection attacks on ping.php because it doesn't sanitize user-supplied parameters, as shown below: Vulnerable variable: count Method: GET The $count variable is constructed using the user-supplied data, and then is used in a system...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
✍️ Description forkcms is vulnerable to XSS through the image name edit. 🕵️‍♂️ Proof of Concept 1. With an authenticated user, access http://localhost/private/en/media_library/media_item_index. 2. Click on New media. 3. Upload any image and then click on Back to overview. 4. With the image...
Path Traversal in thecodingmachine/mouf
✍️ Description Mouf is vulnerable to path traversal attacks on mouf/mouf/src/direct/get_source_file.php because it doesn't sanitize user-supplied parameters, as shown below. Vulnerable variable: file Method: GET The $file variable is constructed using the user-supplied data, and then a file is opened...
Improper Privilege Management in monicahq/monica
✍️ Description Bypass payment verification and add more contacts. From a free account a user can add only 10 contacts, but using this bug a user can add more than 10 contacts for free. 🕵️‍♂️ Proof of Concept 1. First go to https://app.monicahq.com/people from a free account and add 10 contacts. Now you can't...
Improper Privilege Management in chatwoot/chatwoot
✍️ Description Privilege escalation bug allowing an agent to add a Slack integration 🕵️‍♂️ Proof of Concept 1. First go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list from the admin account and add a user B as an agent. Now user B can't add a Slack integration. 2. Finally, from user B's account...
Cross-site Scripting (XSS) - Reflected in coppermine-gallery/cpg1.6.x
✍️ Description Coppermine is vulnerable to XSS attacks on /plugins/upload_h5a/help.php because it doesn't sanitize user-supplied parameters, as shown below. Vulnerable variable: t Method: GET The $styles variable is constructed using the user-supplied data, and then is echoed in the response. $styles =...
Cross-site Scripting (XSS) - Reflected in bustle/mobiledoc-kit
✍️ Description XSS using a bypass of URL validation 🕵️‍♂️ Proof of Concept I see your code https://github.com/bustle/mobiledoc-kit uses a dependency, https://github.com/bustle/mobiledoc-dom-renderer. This dependency performs URL validation to prevent XSS. It filters the javascript and vbscript protocols to...
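The mobiledoc report above describes a URL check that filters the javascript and vbscript protocols by string comparison and can be bypassed. The usual reason such a blocklist fails is that the browser normalizes the URL before interpreting it (leading whitespace and C0 controls are stripped, ASCII tabs and newlines anywhere in the string are removed, the scheme is lowercased), while the check looks at the raw string. The following is an added example, not code from mobiledoc-kit or mobiledoc-dom-renderer: a prefix blocklist of that kind beside a parse-then-allowlist check using the WHATWG URL parser, run against constructed payloads. The placeholder base origin is an assumption of the example.

```javascript
// Added example, not code from mobiledoc-kit or mobiledoc-dom-renderer.
// A prefix blocklist of the kind the report describes, beside a parse-then-
// allowlist check, run against constructed payloads.

// Vulnerable shape: compare the raw string against dangerous prefixes.
// The browser strips leading whitespace and embedded tab/newline before it
// reads the scheme, so "\tjavascript:" and "java\nscript:" are both
// executed as javascript: even though neither starts with that prefix.
function naiveIsSafeHref(href) {
  const lower = href.toLowerCase();
  return !lower.startsWith('javascript:') && !lower.startsWith('vbscript:');
}

// Hardened: parse with the WHATWG URL parser (the same normalization the
// browser applies), then allow only the schemes the feature needs.
// Relative links resolve against a placeholder base and so inherit https:.
// PLACEHOLDER_BASE is an assumption of this example, not a real origin.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const PLACEHOLDER_BASE = 'https://placeholder.invalid/';

// Returns the original href when its scheme is allowed, otherwise null so
// the caller can drop the link (or render the anchor without an href).
function safeHref(href) {
  let url;
  try {
    url = new URL(href, PLACEHOLDER_BASE);
  } catch (e) {
    return null;                       // unparsable: drop the link
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? href : null;
}
```

An allowlist also closes the cases a blocklist never listed, such as data: URLs, which the naive check above accepts.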
Path Traversal in svenstaro/miniserve
✍️ Description The file upload feature in miniserve is vulnerable to path traversal. An attacker can upload a file with "../" in the filename and the web server will then upload the file outside of the directory scope, allowing path traversal. The severity of this security issue...
Code Injection in c0oki3s/python-tools
✍️ Description python-tools is using an insecure input function in https://github.com/C0oki3s/python-tools/blob/main/Dircreate/Dircreate.py#L8. Given that the script can be run using Python 2 or Python 3, if you feed the program a Python command and the interpreter is Python 2, then the...
Insufficiently Protected Credentials in hotrodzphotography/hotrodzphotography.github.io
✍️ Description Private Mailgun API key found in https://github.com/hotrodzphotography/hotrodzphotography.github.io/blob/1e8d0227f3558f3df8140ee0042867fcb1146379/src/views/Contact.vue#L48 90e27fb32160148dc1cc3890ef601355' 🕵️‍♂️ Proof of Concept curl --user 'api:key-90e27fb32160148dc1cc3890ef601355'...
Command Injection in sofianehamlaoui/lockdoor-framework
✍️ Description Command injection occurs due to a lack of sanitization of input passed to the os.system command usage in the package. As the package runs only as root, every command processed inside the package's system command will run with root privileges, so every command passed via simple...
OS Command Injection in sztheory/exifcleaner
✍️ Description Command injection using XSS via EXIF data. The application displays the image metadata in HTML format without removing malicious tags, therefore an XSS attack can be performed. bash exiftool -Comment='OverJT' MYIMAGE.png Being an application made in Electron, it allows one to easily...
Cross-site Scripting (XSS) - Reflected in blockonomics/woocommerce-plugin
✍️ Description Reflected JavaScript injection vulnerabilities exist when web applications take parameters from the URL and display them on a page. Reflection vulnerabilities occur when a website outputs a variable from the webpage URL directly to the page, such as in a PHP application that accepts...
Improper Privilege Management in chatwoot/chatwoot
✍️ Description Privilege escalation bug allowing an agent to be added to an inbox 🕵️‍♂️ Proof of Concept 1. First go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list from the admin account and add a user B as an agent. 2. Now go to https://app.chatwoot.com/app/accounts/4534/settings/inboxes/list and add a...
Improper Privilege Management in chatwoot/chatwoot
✍️ Description Privilege escalation to view all conversations 🕵️‍♂️ Proof of Concept 1. First go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list from the admin account and add a user B as an agent. 2. Now go to https://app.chatwoot.com/app/accounts/4534/settings/inboxes/list and add a...