DOM XSS in https://demo.modoboa.org/user/#profile/
Description I noticed your website is very secure, but you overlooked a DOM XSS flaw. Detail: 1. Login with demo account. 2. Go to the link: https://demo.modoboa.org/user/profile/ and click Update. 3. Use Burp to block the proxy and inject the payload in &language: Proof of Concept Video PoC...
RCE via TranformGraph().to_dot_graph function
Description Due to improper input validation, a malicious user can provide a command or a script file as the value of the savelayout argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen. Although an error will be raised, the command or script will be execut...
Cross-site Scripting (XSS) - Stored
Description 1. Go to Setting Server == Choose Configure. 2. Continue to choose backup == Remote Backup. 3. Inject the payload into the fields host, port, username... Proof of Concept link PoC: https://drive.google.com/file/d/1DcCMP9lT93HYNO3RzGllCVu3Mgk7yfK/view?usp=sharing Payload payload = "im...
Dom XSS in module "Search IPv4"
Description 1. Access the IPv4 search function. 2. Enter the payload in the IPv4 field to perform the search. Payload: "alertdocument.cookie 3. Press the search button and the payload will be executed. PoC Video poc https://drive.google.com/file/d/1A-zwXxsA-7GHa0iGfRGQc61JkOb-4A38/view?usp=sharing...
DOM XSS in https://demo.librenms.org/ports
Description I noticed your website is very secure, but you overlooked an XSS flaw. Detail: 1. Login with demo account. 2. Go to the link: https://demo.librenms.org/ports 3. Insert payload and press enter: test' onclick='alertdocument.cookie 4. Click on the box hostname or port, detect XSS. Proof of...
Reflected XSS in installation space parameter
Description Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an attacker injects malicious code, usually in the form of scripts, into a web application. This code is then executed by unsuspecting users who visit the affected web page. In this case the path of...
DOM XSS in https://demo.librenms.org/eventlog
Description I noticed your website is very secure, but you overlooked an XSS flaw. Detail: 1. Login with demo account. 2. Go to the link: https://demo.librenms.org/eventlog and click Filter. 3. Use Burp Suite to block the proxy and inject the payload in eventtype: test%22-alertdocument.cookie// 4. Check,...
HTML Injection
Description I think your website is quite secure, but you overlooked the HTML Injection vulnerability (OWASP ID: WSTG-CLNT-03). Proof of Concept 1. Login with demo account. 2. Access the link https://demo.librenms.org/search/search=ipv4 and insert the payload search=test/b 3. Hit enter, html...
DOM XSS in https://demo.librenms.org/outages
Description I noticed your website is very secure, but you overlooked an XSS flaw. Detail: 1. Login with demo account. 2. Go to the link: https://demo.librenms.org/outages and click Filter. 3. Use Burp Suite to block the proxy and inject the payload: "alertdocument.cookie 4. Check, detect XSS. Proof of...
There are 6 NULL Pointer Dereference vulnerabilities in MP4Box
NULL Pointer Dereference in function utils/xmlparser.c:1038 Description NULL Pointer Dereference in function utils/xmlparser.c:1038 Environment No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal Version MP4Box - GPAC version...
Stored XSS
Description Due to insufficient validation of uploaded files, bad actors can upload a malicious SVG file with an XSS payload. That leads to Stored XSS. Because the accessToken cookie has a valid HttpOnly flag, the victim's cookie cannot be taken this way, but please keep in mind that XSS in general is abo...
Important Cookie without Secure flag
Description The accessToken cookie is set without the Secure flag. This cookie is responsible for user authentication. Proof of Concept Repro steps: As a logged-in user on https://app.vrite.io/ open DevTools and check the Cookies table, get the value of the accessToken cookie. Open another browser, go to the app.vrite.io site, open...
CSRF Logout
Description A bad actor can send the victim a link (e.g. obfuscated) with the payload /logout, and if the victim uses it, it changes the user's logged in/logged out state. Proof of Concept As a logged-in user, open this site in a new browser tab: https://app.vrite.io/session/logout Go back to the previous tab, refres...
Stored Cross-site Scripting
Description In a stored XSS attack, the attacker typically injects malicious code, such as JavaScript, into a web form or other input field on a vulnerable web application. This code is then stored on the server and may be displayed to other users who visit the affected page, allowing the attacker to...
Improper Validation of File Name Causes RCE
Description Due to insufficient sanitization of the music file name, it is possible to execute arbitrary commands on the victim's computer through a specially crafted file name. Note that this bug was only found exploitable on the macOS version of this application. Although still applicable ...
Heap-use-after-free in function buflist_altfpos in vim
Description Heap-use-after-free in function buflist_altfpos at buffer.c:3703 Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf -c :qa! ==1404==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000011940 at pc 0x0000004a4dbe bp 0x7ffc6204d090 sp 0x7ffc6204d080 READ of...
Insufficient access control in the export functionality for the 'Groups' module exposing user password hashes
Description The web application incorrectly returns sensitive data to authenticated lower privileged users when making requests to export data from the 'Groups' module. This includes information such as the user's email address, password hash and whether two-factor authentication is configured...
Cross-site Scripting (XSS) - Reflected
Description A Reflected Cross-Site Scripting (XSS) vulnerability allows attackers to execute arbitrary external JavaScript code in the browser. In the application there exists an XSS vulnerability that occurs in the API: Payload: "alertwindow.location GET /system/api/restApiViewer: Passing XSS payload...
Insufficient Session Expiration
Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. This can allow an attacker to hijack the user's session and gain unauthorized access to the application. The web application m...
Weak Password Requirements
Weak password requirements are password policies that are too lax and allow users to create passwords that are easy to guess or crack. This can make it easier for attackers to gain unauthorized access to accounts and systems. It was discovered that the validation takes place only on the client si...
File Upload Bypass Leads to Stored XSS
Description The fix at https://huntr.dev/bounties/fce38751-bfd6-484c-b6e1-935e0aa8ffdc/ is not adequate; an attacker can use test.html?a=1 to bypass the built-in PHP function pathinfo. It can also be used for .php. Proof of Concept // payload.html?a=1 alert'xss' POC Video:...
STORED XSS in File Upload
Description In the file upload, I can't upload files with extensions like html, php, ... but I can upload a file with the extension "inc", and that leads to stored XSS. Proof of Concept https://drive.google.com/file/d/1eDE63KXbZLYraDus6hSXwiTaLDVx9ut/view?usp=sharing...
Cross-Site Request Forgery (CSRF)
A Cross-Site Request Forgery (CSRF) attack is a type of malicious attack whereby an attacker tricks a victim into performing an action on a website that they do not intend to do. This can be done by sending the victim a malicious link or by exploiting a vulnerability in the website. For example, an...
Arbitrary file upload
Description Due to the lack of file extension validation, a privileged administrator user can upload arbitrary files with the "update logo" and "update icon" features. The application uses the extension provided in the filename parameter. Proof of Concept POST /admin/default/jqadm/save/settings?locale=en...
Password Plaintext Storage
The application stored a password in a database in plaintext format. Storing user passwords in a database in plaintext is a security vulnerability that can have serious consequences. If an attacker is able to gain access to the database, they will be able to see all of the user passwords in plain...
Stored XSS via user's Username
Description The application allows creating users with a Username containing malicious HTML/JavaScript that can be executed in the users' privileged context during the user editing process or when visiting a phishing link. Proof of Concept Step 1: A privileged user creates a normal user account with...
Stored XSS in the Cases functionality
Description When creating or editing a case, the web application fails to perform sufficient sanitisation on the description POST parameter, allowing users to inject HTML with malicious JavaScript events. The application does attempt to remove unauthorised elements and events; however, the testin...
Cookie without Secure flag
Description There is an ICMS62EC2566CC4B5 cookie without the Secure flag, and this is the authentication cookie. Proof of Concept Link photo PoC: https://drive.google.com/file/d/1uWsRKMT-KyuRPA01Ra1W3YphQgNmMkuu/view?usp=sharing...
Authentication cookie is not renewed after successful login
Description The ICMS62EC2566CC4B5 cookie is still the same after login. The value is not changed or renewed. Detail: 1/ Access the web demo and use the browser's dev tools to check the cookie. 2/ Observe the value of the ICMS62EC2566CC4B5 cookie, try to log in, and it is still the same. Proof of Concept Link...
XSS at file uploading
Description In the Add page menu, there is an upload file function, and an XSS payload can be injected there. Detail: 1/ Access the web demo and go to the Add page menu. 2/ In the upload file function, upload a file whose filename is an XSS payload. 3/ It will be triggered immediately. Proof of Concept Payload:...
New password can be set as same as the old password
Description The web application allows us to set the new password to be the same as the old one in the Password change function. Detail: 1/ Access the demo website and go to My profile. 2/ Choose Edit profile; in the Security tab, change the password with the new password the same as the old password. 3/ Logout...
Reflected XSS in LimeSurvey via userid parameter
Description The userid parameter in the 'Delete Confirm' feature in user management is rendered directly into the webpage without proper handling. This allows users to inject malicious HTML/JavaScript code into the webpage that can be executed in the admin or privileged user's context. Proof of...
File Upload Bypass Leads to Stored XSS
Description In the file upload feature, the system does not allow uploading files with extensions like html, ... But uploading files with the extension xhtml leads to an XSS vulnerability. Proof of Concept https://drive.google.com/file/d/1MTa4st4POafaUAwn17n7ygpTrF9BXp/view?usp=sharing...
Improper validation of intent data received in TextViewerActivity allows opening of arbitrary files
Description Tested on Build87 of the Inure application. It was discovered that the application had an exported activity .activities.association.TextViewerActivity which accepted intent data via the file scheme + text/ mime type and opened the associated files from provided URI data string. It is...
Theft of Arbitrary Files due to execution of attacker scripts from BashAssociation.kt
Description Tested on Build87 of the Inure application. It was discovered that the application had an exported activity app.simple.inure.activities.association.BashAssociation which accepted intent data via the file scheme + text/x-shellscript mime type and executed the commands contained within...
Heap-based Buffer Overflow
Description heap-buffer-overflow p/bf/plugin.c:176 in decode Environment radare2 5.8.9 31000 @ linux-x86-64 commit: 95b648f0907e91e10d55fc48147a7dae99029c5b Build export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan"...
privilege escalation bug to creation survey-group with others group as parent
BUG: privilege escalation bug to creation survey-group with others group as parent. ACCOUNT: 1. user-A -- superadmin 2. user-B -- normal user. user-B has only create permission in survey-group. Does not have view permission in survey group. As user-B does not have view...
SSRF Blind in the image upload module via url
Description The web application has a function for uploading images through a link provided by the user. This access error leads to RCE and scanning of intranet ports. Proof of Concept Link video PoC https://drive.google.com/file/d/17fksa8odZAqCuqRQbOCutc9I7eoNun-/view?usp=sharing Steps 1. Use a...
Misconfiguration in message sending function
Description Web application misconfiguration in the messaging function. This vulnerability results in a user's messages being automatically sent to all other users. This results in the user's information potentially being exposed. Proof of Concept link video PoC...
authorized Admin Account Takeover
Description The icms2 contains a flaw in its admin account management functionality, specifically in the process of changing and resetting passwords for administrators. Through careful analysis and testing, it was observed that an authenticated administrator has the capability to change the...
Stored XSS via Upload Photos in album
Description The application does not check the uploaded file and its content file extension. This results in an attacker being able to upload a malicious file that leads to XSS. Proof of Concept Video POC: https://drive.google.com/file/d/1QZSCvgrmdXaZb7xoD-eA0iLlL7vDPKYw/view?usp=sharing Payload...
Stored XSS in module name "admin/controllers/edit/comments/comments_list"
Description I noticed that you filtered the comment very carefully. But there are still some parts you missed. Proof of Concept 1. Login with admin 2. Go to "https://demo.instantcms.io/admin/controllers/edit/comments/commentslist" 3. Select 1 comment and insert payload 4. Click save, and stored XSS...
Self XSS in "Content Types / Add Content Type"
Description Add payload to field System name: Proof of Concept https://drive.google.com/file/d/1xJ24a3HveP4dpKXF5zmtsNIa2-wweoA/view?usp=sharing...
stored XSS Bypass in the TAGS Section and other places in the application
Hello, I was able to bypass the XSS Protection and get a stored XSS using the XSS Payload in the Video and Screenshots. Thank you for your time and effort. Best regards Ahmed Hassan...
CSRF Logout
Description A bad actor can send victims a link (e.g. obfuscated) with the payload /signout, and when victims use it, it changes the user's logged in/logged out state. Proof of Concept Payload: https://eu.aptabase.com/api/auth/signout Repro steps: As a logged-in user on https://eu.aptabase.com/ open new...
HTML Injection - real Aptabase emails
Description Due to the lack of validation of the Name field during registration, a bad actor can send emails with HTML-injected code to victims. Proof of Concept Payload example: Jameees Repro steps: Go to https://eu.aptabase.com/auth/register and for the field 'Name' use a payload with HTML. Open the email from...
Cross-site Scripting (Stored XSS)
Description For any role that has permission to execute the assets function, I can upload an HTML file, and that leads to XSS. Proof of Concept 1. Link PoC: https://docs.google.com/document/d/1pZAi6PZiBmN3yNsBmY8Z9Qd3hv-8zPHUh69h-i1rvA/edit?usp=sharing 2. Link video PoC:...
File Upload Bypass Leads to Remote Code Execution (RCE)
Description The file upload functionality is vulnerable: users can upload files. Although almost all files with extensions like php, phtml, etc. have been prevented, an attacker can still upload phps files and achieve remote code execution. Condition The Apache server which is hosting the web application nee...
Multiple Stored XSS Found
Description Stored XSS (Cross-Site Scripting) is a type of web security vulnerability caused by improper input validation and inadequate data sanitization in a web application. It occurs when an attacker injects malicious scripts, usually in the form of HTML or JavaScript, into a website's database o...
IDOR in Users Edit screen
Description By manipulating the User ID in the URL, users with low privilege can view the information of any user. Proof of Concept Step 1: Login as user1 with author privilege; see that he can only access his own edit screen. Click on the edit button. Step 2: See the userID in the URL, modify...