Stored DOM XSS in Edit configuration
Description I noticed your website is very secure. But you overlooked a flaw: XSS. Proof of Concept 1. Login as the admin demo account and access the admin page. 2. Create a category titled "test456". 3. Go to Configuration == Edit configuration. 4. Change the "URL of your FAQ" data field with the payload...
heap-buffer-overflow in function avi_parse_input_file media_tools/avilib.c:2083
Description Heap-buffer-overflow in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
heap-buffer-overflow in function avi_read media_tools/avilib.c:67 in gpac/gpac
Description Heap-buffer-overflow in MP4Box. Version $ ./bin/gcc/MP4Box -version MP4Box - GPAC version 2.3-DEV-revrelease c 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC:...
IDOR Vulnerability Allows Low-Level User to Change the Role of Everyone, Including Admin
Description By manipulating the userid in the API PUT /answer/admin/api/user/role, users with low privilege can change the role of any user. Proof of Concept Step 1: Login as user1 with user privilege. Step 2: Call the API PUT /answer/admin/api/user/role with user privilege and change the role of everyone, including Admin...
Account takeover via password reset
Description An attacker could predict all future password reset tokens due to the use of RandomStringUtils.randomAlphanumeric in PasswordService. An attacker could crack the random number generator RNG seed from a password reset token, then perform password resets on their and the victim’s...
Unverified password change : old password can be used as new password
Description Pimcore Platform v11.0.7 is not enforcing a strict password policy, which allows an attacker to set the old password as the new password. Proof of Concept 1- Go to https://demo.pimcore.com/admin/login 2- Login with the demo user credentials Username: superuser Password: enterprisedemo 3- Now login and...
Stored XSS in Widgets and pages
Description I noticed that you filtered the comment very carefully. But there are still some parts you missed. Proof of Concept 1. Login with admin. 2. Go to "https://demo.instantcms.io/admin/widgets". 3. Insert payload in Position name and Title test" onmouseover = "alertdocument.cookie 4. Click...
Session Fixation
Description Session fixation allows an attacker to impersonate a user by abusing an authenticated session ID (SID). This attack can occur when a web application: • Fails to supply a new, unique SID to a user following a successful authentication • Allows a user to provide the SID to be used after...
Theft of Arbitrary Files due to lack of intent validation and insecure usage of provider paths in TTFViewerActivity.kt
Description Through the use of Oversecured, a leading vulnerability scanner for Android and iOS applications, we were able to detect a Theft of Arbitrary Files vulnerability within TTFViewerActivity.kt. Check the full issue definition in the image below: Root Cause Analysis The TTFViewerActivity faile...
Input Validation Vulnerability Leading to Denial of Service in LimeSurvey v5.6.34
Vulnerability Summary: LimeSurvey is a widely used open-source online survey system. In version 5.6.34, an input validation vulnerability has been identified, allowing attackers to exploit a vulnerability in surveys containing "file upload" options. This can lead to a denial of service by...
BrowserView Allows Popups, which leads to Remote Code Execution
Description The application has a functionality that allows users to add URLs for custom web services. If a user adds a URL containing malicious code, then it can be used to open a new browser window, which will lead to Remote Code Execution on the victim's computer. Proof of Concept ATTACKER SETUP...
Authentication cookie without Secure flag
Description Access and login to the website. Press F12 on your keyboard or right-click on the website to open the dev tools. In the Application tab, choose Cookies; there are some sensitive cookies without the Secure flag. Proof of Concept Link photo:...
Improper Authorization in Import Question function
Description The Import Question function does not check user permissions, allowing users to import questions into any survey without requiring authorization. Proof of Concept Step 1: We have user1, who has no permissions. Step 2: User1 performs importing questions into the survey by creating a reque...
DOM XSS at index FBD Table
Description I think your website is quite secure. But you overlooked the XSS vulnerability. Proof of Concept 1. Login with the demo account. 2. Access the link https://demo.librenms.org/search/search=fdb and insert the payload test123"alert1alertdocument.cookie 3. Hit enter, XSS vulnerability detected...
Android Manifest Misconfiguration Leading to Task Hijacking
Description Task hijacking allows malicious apps to inherit permissions of vulnerable apps and is usually used for phishing the login credentials of victims. This vulnerability applies to all Android versions before Android 11. Steps To Reproduce: 1. Victim installs the malicious app. 2. Victim starts...
DOM XSS in https://demo.modoboa.org/user/#profile/
Description I noticed your website is very secure. But you overlooked a flaw: DOM XSS. Detail: 1. Login with the demo account. 2. Go to the link: https://demo.modoboa.org/user/profile/ and click Update. 3. Use Burp to block the proxy and inject the payload in &language: Proof of Concept Video PoC...
RCE via TranformGraph().to_dot_graph function
Description Due to improper input validation, a malicious user can provide a command or a script file as the value of the savelayout argument, which will be placed as the first value in the list of arguments passed to subprocess.Popen. Although an error will be raised, the command or script will be execut...
Cross-site Scripting (XSS) - Stored
Description 1. Go to Setting Server == Choose Configure. 2. Continue to choose Backup == Remote Backup. 3. Inject the payload into the fields host, port, username... Proof of Concept PoC link: https://drive.google.com/file/d/1DcCMP9lT93HYNO3RzGllCVu3Mgk7yfK/view?usp=sharing Payload payload = "im...
DOM XSS in module "Search IPv4"
Description 1. Access the IPv4 search function. 2. Enter the payload in the IPv4 field to perform the search. Payload: "alertdocument.cookie 3. Press the search button and the payload will be executed. PoC Video poc https://drive.google.com/file/d/1A-zwXxsA-7GHa0iGfRGQc61JkOb-4A38/view?usp=sharing...
DOM XSS in https://demo.librenms.org/ports
Description I noticed your website is very secure. But you overlooked a flaw: XSS. Detail: 1. Login with the demo account. 2. Go to the link: https://demo.librenms.org/ports 3. Insert the payload and press enter: test' onclick='alertdocument.cookie 4. Click on the box hostname or port, detect XSS. Proof of...
Reflected XSS in installation space parameter
Description Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an attacker injects malicious code, usually in the form of scripts, into a web application. This code is then executed by unsuspecting users who visit the affected web page. In this case the path of...
DOM XSS in https://demo.librenms.org/eventlog
Description I noticed your website is very secure. But you overlooked a flaw: XSS. Detail: 1. Login with the demo account. 2. Go to the link: https://demo.librenms.org/eventlog and click Filter. 3. Use Burp Suite to block the proxy and inject the payload in eventtype: test%22-alertdocument.cookie// 4. Check,...
HTML Injection
Description I think your website is quite secure. But you overlooked the HTML Injection vulnerability (OWASP ID: WSTG-CLNT-03). Proof of Concept 1. Login with the demo account. 2. Access the link https://demo.librenms.org/search/search=ipv4 and insert the payload search=test/b 3. Hit enter, html...
DOM XSS in https://demo.librenms.org/outages
Description I noticed your website is very secure. But you overlooked a flaw: XSS. Detail: 1. Login with the demo account. 2. Go to the link: https://demo.librenms.org/outages and click Filter. 3. Use Burp Suite to block the proxy and inject the payload: "alertdocument.cookie 4. Check, detect XSS. Proof of...
There are 6 NULL Pointer Dereference vulnerabilities in MP4Box
NULL Pointer Dereference in function utils/xmlparser.c:1038 Description NULL Pointer Dereference in function utils/xmlparser.c:1038 Environment No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal Version MP4Box - GPAC version...
Stored XSS
Description Due to insufficient validation of uploaded files, bad actors can upload a malicious SVG file with an XSS payload. That leads to Stored XSS. Because the accessToken cookie has a valid HttpOnly flag, the victim's cookie cannot be taken in this way, but please keep in mind that XSS in general is abo...
Important Cookie without Secure flag
Description The accessToken cookie is without the Secure flag. The mentioned cookie is responsible for user auth. Proof of Concept Repro steps: As a logged in user on https://app.vrite.io/ open DevTools and check the Cookies table, get the value of the accessToken cookie. Open another browser, go to the app.vrite.io site, open...
CSRF Logout
Description A bad actor can send the victim a link, i.e. obfuscated, with the payload /logout, and if the victim uses it, it can change the state of the user (logged in/logged out). Proof of Concept As a logged in user, open this site in a new browser tab: https://app.vrite.io/session/logout Go back to the previous tab, refres...
Stored Cross-site Scripting
Description In a stored XSS attack, the attacker typically injects malicious code, such as JavaScript, into a web form or other input field on a vulnerable web application. This code is then stored on the server and may be displayed to other users who visit the affected page, allowing the attacker to...
Improper Validation of File Name Causes RCE
Description Due to insufficient sanitization of the music file name, it is possible to execute arbitrary commands on the victim's computer through a specially crafted file name. Note that this bug was only found exploitable on the macOS version of this application. Although still applicable ...
Heap-use-after-free in function buflist_altfpos in vim
Description Heap-use-after-free in function buflist_altfpos at buffer.c:3703 Proof of Concept ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./pochuaf -c :qa! ==1404==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000011940 at pc 0x0000004a4dbe bp 0x7ffc6204d090 sp 0x7ffc6204d080 READ of...
Insufficient access control in the export functionality for the 'Groups' module exposing user password hashes
Description The web application incorrectly returns sensitive data to authenticated lower privileged users when making requests to export data from the 'Groups' module. This includes information such as the user's email address, password hash and whether two-factor authentication is configured...
Cross-site Scripting (XSS) - Reflected
Description A Reflected Cross-Site Scripting (XSS) vulnerability allows attackers to execute arbitrary external JavaScript code in the browser. In the application there exists an XSS vulnerability that occurs in the API: Payload: "alertwindow.location GET /system/api/restApiViewer: Passing the XSS payload...
Insufficient Session Expiration
Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. This can allow an attacker to hijack the user's session and gain unauthorized access to the application. The web application m...
Weak Password Requirements
Weak password requirements are password policies that are too lax and allow users to create passwords that are easy to guess or crack. This can make it easier for attackers to gain unauthorized access to accounts and systems. It was discovered that the validation takes place only on the client si...
File Upload Bypass Leads to Stored XSS
Description The fix at https://huntr.dev/bounties/fce38751-bfd6-484c-b6e1-935e0aa8ffdc/ is not adequate; an attacker can use test.html?a=1 to bypass the built-in PHP function pathinfo. It can also be used for .php. Proof of Concept // payload.html?a=1 alert'xss' POC Video:...
Stored XSS in File Upload
Description In the file upload, I can't upload files with extensions like html, php, ... but I can upload a file with the extension "inc", and that leads to stored XSS. Proof of Concept https://drive.google.com/file/d/1eDE63KXbZLYraDus6hSXwiTaLDVx9ut/view?usp=sharing...
Cross-Site Request Forgery (CSRF)
A Cross-site request forgery (CSRF) attack is a type of malicious attack whereby an attacker tricks a victim into performing an action on a website that they do not intend to do. This can be done by sending the victim a malicious link or by exploiting a vulnerability in the website. For example, an...
Arbitrary file upload
Description Due to a lack of file extension validation, a privileged user (administrator) can upload arbitrary files with the "update logo" and "update icon" features. The application uses the extension provided in the filename parameter. Proof of Concept POST /admin/default/jqadm/save/settings?locale=en...
Password Plaintext Storage
The application stored a password in a database in plaintext format. Storing user passwords in a database in plaintext is a security vulnerability that can have serious consequences. If an attacker is able to gain access to the database, they will be able to see all of the user passwords in plain...
Stored XSS via user's Username
Description The application allows creating users with a Username containing malicious HTML/JavaScript that can be executed in the users' privileged context during the user editing process or when visiting a phishing link. Proof of Concept Step 1: A privileged user creates a normal user account with...
Stored XSS in the Cases functionality
Description When creating or editing a case, the web application fails to perform sufficient sanitisation on the description POST parameter, allowing users to inject HTML with malicious JavaScript events. The application does attempt to remove unauthorised elements and events; however, the testin...
Cookie without Secure flag
Description There is an ICMS62EC2566CC4B5 cookie without the Secure flag, and this is the authentication cookie. Proof of Concept Link photo PoC: https://drive.google.com/file/d/1uWsRKMT-KyuRPA01Ra1W3YphQgNmMkuu/view?usp=sharing...
Authentication cookie is not renewed after successful login
Description The ICMS62EC2566CC4B5 cookie is still the same after logging in. The value is not changed or renewed. Detail: 1/ Access the web demo and use the browser's dev tools to check the cookie. 2/ Observe the value of the ICMS62EC2566CC4B5 cookie, try to log in, and it is still the same. Proof of Concept Link...
XSS at file uploading
Description In the Add page menu, there is an upload file function and an XSS payload can be injected there. Detail: 1/ Access the web demo and go to the Add page menu. 2/ In the upload file function, upload a file whose filename is an XSS payload. 3/ It will be triggered immediately. Proof of Concept Payload:...
New password can be set as same as the old password
Description The web application allows us to set the new password the same as the old one in the Password change function. Detail: 1/ Access the demo website and go to My profile. 2/ Choose Edit profile; in the Security tab, change the password so that the new password and the old password are the same. 3/ Logout...
Reflected XSS in LimeSurvey via userid parameter
Description The userid parameter in the 'Delete Confirm' feature in user management is rendered directly into the webpage without proper handling. This allows users to inject malicious HTML/JavaScript code into the webpage that can be executed in the admin or privileged user's context. Proof of...
File Upload Bypass Leads to Stored XSS
Description In the file upload feature, the system did not allow uploading files with extensions like html, ... But when uploading files with the extension xhtml, it leads to XSS vulnerabilities. Proof of Concept https://drive.google.com/file/d/1MTa4st4POafaUAwn17n7ygpTrF9BXp/view?usp=sharing...
Improper validation of intent data received in TextViewerActivity allows opening of arbitrary files
Description Tested on Build87 of the Inure application. It was discovered that the application had an exported activity .activities.association.TextViewerActivity which accepted intent data via the file scheme + text/ mime type and opened the associated files from provided URI data string. It is...
Theft of Arbitrary Files due to execution of attacker scripts from BashAssociation.kt
Description Tested on Build87 of the Inure application. It was discovered that the application had an exported activity app.simple.inure.activities.association.BashAssociation which accepted intent data via the file scheme + text/x-shellscript mime type and executed the commands contained within...