Stored XSS in Page Title
Description At the latest version, the page title has been escaped and cannot trigger the XSS payload. However, by logging in as a user with other privileges, I see that it's still not escaped. Proof of Concept Step 1: Login as Admin, create a page in site1 with the title "test and see that the pa...
Reflected XSS in URL path of '/admin/controllers/edit/activity/perms/'
Description /admin/controllers/edit/activity/perms/ takes input from the URL directly without sufficient sanitization, leading to a Reflected XSS. A valid admin session is required; without it, the user will be brought to the login page instead of the affected page. Proof of Concept 1. Login as an...
Stored HTML injection
Description Stored HTML Injection: A Hidden Web Threat. Learn how attackers exploit input fields to inject malicious code into web applications, jeopardizing user data and site integrity. Discover crucial prevention measures to safeguard against this insidious vulnerability. Step to reproduce 1...
Unrestricted Upload File leads to Remote Code Execution
Description The file upload function is vulnerable: a user can upload files with other extensions (.php, .phps, ...) by using the magic bytes technique. However, the .htaccess has almost prevented all the files with extensions such as php, phps, phtml, ... The attacker still can upload the hphp fi...
Cross-site Scripting (Stored XSS)
Description For any role that has permission to execute the assets function, I can add a new asset. Even though the site only allows uploading images and gifs, I can still upload an html file by modifying the magic number, and that leads to XSS. Proof of Concept 1. Link PoC:...
Unauthenticated Blind SQL Injection in '/tags/autocomplete'
Description The application was found to be vulnerable to an unauthenticated blind SQL injection in the /tags/autocomplete page. The GET parameter term does not sufficiently sanitize input. Proof of Concept 1. Make a GET request to...
Blind SSRF When Uploading Presentation (mitigation bypass)
Description This is actually a bypass of CVE-2023-33176, where I was able to perform SSRF to the internal network. Proof of Concept As we already know, we can upload files via the api /bigbluebutton/api/insertDocument using a remote url. PresentationUrlDownloadServicesavePresentation is the method to handle th...
Pre-Auth SQLi leading to RCE in Social Media Skeleton v1.0
Summary A SQL Injection vulnerability exists in Social Media Skeleton v1.0 via the username and password parameters in admin/login.php. Not to be confused with login.php, which properly escapes special characters. Issue Description SQL injection (SQLi) is a code injection technique used to attack...
HTML injection Leads to Open redirection
Description HTML Injection Leads to Open Redirection is a dangerous web security issue. Attackers inject malicious HTML code into vulnerable websites, allowing them to execute harmful scripts in users' browsers. This may lead to unauthorized actions on users' behalf and redirect them to malicious...
HTML Injection Leads To Open Redirect
Description HTML injection is possible in the Installation title parameter, which leads to Open Redirect when clicked. Proof of Concept Open Redirect 1. Login as Admin 2. Navigate to settings 3. Edit the Installation title and set it to: Click Me 4. Save Changes 5. Click the Click Me text on the...
Server Side Request Forgery (SSRF)
Description It is possible to access the local environment in the Webhook function. Therefore, Blind SSRF makes it possible to perform a port scan against the local environment. Proof of Concept After logging in, access the webhook setting page, specify the URL with the following pattern, and che...
XSS in function navigateTo
Vulnerability The check for external links checks if the protocol is script:, which is not a valid protocol and allows the user to provide a valid javascript payload using the javascript: protocol. ts if (isExternal && parseURLtoPath.protocol === 'script:') throw new Error('Cannot navigate to an URL with...
Stored html injection on segment name
Description I have found an HTML Injection vulnerability on your web application. HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. Note : I am recreating the report a...
stored XSS Bypass in the FAQ Fields
Hello, I was able to detect an XSS Payload to bypass the XSS Protections in the FAQ Fields and get a stored XSS which can be used to start further attacks. Thank you for your time and effort...
Stored XSS in Preview title
Description There is accumulated XSS in the preview title of the page. Proof of Concept Step 1. Log in to the administrator screen and create a new page. Step 2. Insert "Browse preview" from "Add new block" and specify Payload in "Preview title". Step 3. When you access the preview screen in the...
Stored XSS at Guest Lobby
Description Guest Lobby is vulnerable to XSS when users wait to enter the meeting, due to inserting unsanitized messages into the element using unsafe innerHTML. Proof of Concept 1. Start a new web conference and change Guest policy to "Ask Moderator" (role moderator) 2. Attacker edits "Message to the...
CWE-521: Weak Password Requirements
Description Users at this moment can set really weak password like 123. Proof of Concept Go to register page and set really weak password like 123, see allowed - registered in. For example, go to https://sandbox.openedx.org/register?next=/dashboard , type '1' see info 'This password is too short...
Stored XSS in title
Description There is Stored XSS in the item title of the menu on the administrator screen. Proof of Concept Step 1. Log in to the admin screen and select Add New Item in Menu. Step 2. Specify the following Payload for the item title and save it. Step 3. Once saved, any script can be executed on t...
Insufficient Session Expiration because of lacking of cache check
Description The web application's session management system suffers from an "Insufficient Session Expiration" vulnerability due to the lack of proper cache check. This vulnerability allows a user's session to remain valid even after the user has logged out, potentially granting unauthorized acces...
Vim's embedded terminal allows injection via DECRQSS response
Description DECRQSS is a terminal response that replies with certain information about the terminal. Various terminals have bugs where a piece of data from the request i.e. data that the terminal receives is echoed back in the reply. In some cases this is enough to make it so if untrusted data...
XSS with CSP bypass leads to diagrams backdoor
🔒️ Requirements The user must go on a link and remove a square. In the following section, I'll give PoCs only for chromium based browsers 📝 Description 📦 Load plugins by default Thanks to the ?p= parameter, it is possible to force the user to load built-in plugins without warning for a specific...
Reflected XSS at upload file
Description 1/ Access the demo website and log in; in this case I used the admin user 2/ In the upload photo to an album function, try to upload a file whose name is the XSS payload. 3/ The payload will be triggered in the error content. Proof of Concept Video PoC:...
Server Side Request Forgery (SSRF)
Description There is Blind SSRF on the vocabulary screen in the administrator screen. Proof of Concept Step 1. Log in to the administrator screen and access "Import new vocabulary" from the "vocabulary" page. Step 2. Specify the following Payload in the "Vocabulary URL" field and check that the...
Stored XSS via SVG Upload
Description By uploading an SVG file containing JavaScript code in the file upload function on the administrator screen, it is possible to execute any script on the browser of the accessing user. Proof of Concept Log in to the administrator screen, access the Assets page, and upload the SVG file...
Potential XSS injection in stuff and say attributes
Description The stuff and say attributes are not sanitized before being used in innerHTML. Because of this, they could be used to inject arbitrary JS in the page. Proof of Concept html obfumatic XSS "Fallback text...
SQL injection in Data Objects function
Description Log in as an admin, go to the Data Objects function, and perform a sort action. Observe the request in Burp Suite; the injection point is the 'sort' parameter. Proof of Concept POC request that makes the application sleep for 5 seconds Data Objects function payload:...
Business Logic Error - letting the Name Field blank
Hello, I was able to bypass the restriction for setting an admin username and leave the username blank via spaces. Let's have a look. As you can see the name is with a red star and therefore required to be filled. Now we will add 2 spaces and leave the username blank and save. As you can see all t...
XSS in webmention.js
Description webmention.js has an XSS vulnerability here. The comment name is not escaped. https://github.com/PlaidWeb/webmention.js/blob/9457e71433c0d2430bbe767ecc5b5837140d0ee4/static/webmention.js#L330 Proof of Concept 1. Put webmention.js on your site 2. Send a webmention that includes XSS...
Session is still valid after changing password
Description The application does not delete the old login session on the server side after changing the password. This poses a risk when a user uses a public computer and an attacker captures the login session. Even if the user has changed the password, the login session is still taken over by th...
Arbitrary command execution on Windows
Description Opening files from an untrusted directory can lead to execution of arbitrary commands on Windows systems; this is possible by having a malicious file with the same name as a trusted executable, since Windows gives priority to the current directory when searching for executables. Several...
SQL Injection
Description GLPI 10.0.8 and are affected by an SQL injection on the page ajax/dashboard.php Proof of Concept I can provide you the POC written in python3.5 or higher. Just provide me a way to send it to you. Tested under the following environment: - Ubuntu 20.04 - GLPI 10.0.8 and 10.0.7 - Mysql...
Stored Xss in Question field due to lack of sanitization in Link.php
Description Stored XSS Cross-Site Scripting is a type of web application vulnerability that allows an attacker to inject malicious scripts into a website or web application. Unlike reflected XSS, where the malicious script is embedded in a URL and executed immediately, stored XSS involves the...
Stored XSS in description of theme
Description The attacker can execute JavaScript code through the theme's description. Proof of Concept Step 1 : - Choose any theme to upload; I used a copy of the vanilla theme - Open the theme folder and change the description tag of the config.xml file vanilla Bootstrap Vanilla theme 16/10/2017 LimeSurvey GmbH...
Mongoose Prototype Pollution Vulnerability
If an attacker has some way to control an object on the Mongo server through one way or another, it is possible to cause prototype pollution on any Mongoose client. Notably, if a poorly implemented service allows a user to control the object in findByIdAndUpdate and similar functions, this bug...
XSS vulnerabilities via various embeds
Description JSFiddle, Gliffy, Otter and Tldraw embeds lack sufficient input validation. Every one of them can be abused to achieve a stored XSS on a main application domain. This XSS triggers for everyone viewing the document. Proof of Concept PoC file is different for each vulnerable embed. See...
Use of predictable RNG for password generation
Description pkp-lib implements a password-generation function with the following line of code being integral to its functionality: PHP for ... $password .= mt_rand(1, 4) == 4 ? $numbers[mt_rand(0, strlen($numbers) - 1)] : $letters[mt_rand(0, strlen($letters) - 1)]; This relies upon mt_rand($low, $high); to generate a...
Out of bounds read in VobSub loader
Description The gpac VobSub parser takes a FILE handle and attempts to load the information from that file into its memory. The main focus of this report revolves around the first few lines of the function and how they make some assumptions about buffer sizes that allow for an out-of-bounds read...
Improper Control of Generation of Code
Description Kimai Plugin EasyBackupBundle allows admins to edit mysql commands from the configuration tab, an attacker can append arbitrary commands to achieve code execution. This can be also extended to an arbitrary file read while specifying filenames such as /etc/passwd in backup. Proof of...
youtube service is vulnerable to XSS vulnerability
Description If an attacker is able to insert a div with attributes on a page where the youtube service is enabled, they can craft a width attribute that would allow them to execute arbitrary JS on the page. Other attributes like theme or controls are also vulnerable to this. Proof of Concept html...
Fossbilling is Vulnerable to HTML Injection During the Generation of Invoices, Which Leads To An Open Redirect Vulnerability.
Description FOSSBilling suffers from a lack of sanitization in the handling of admin input values. This issue manifests when clients attempt to generate invoices for their orders. Specifically, in the PDF generation of invoices, the company name, editable through the admin portal, is included. An...
attackers with role "USER" can create tags
Description It seems that users with the role "USER" have no permission to create tags, but we do not enforce it. Other operations, like edit and delete, have no problem. Proof of Concept Pull the latest docker image and set up Answer. 1 Create a user named "normaluser", whose role is "USER" 2 Admin...
Reflected XSS in date
Description There is a reflective XSS on the FOSSBilling admin screen. Proof of Concept By accessing the following URL, it is possible to execute any script on the browser of the logged-in administrator user. URL:...
CSV Injection while export users
1 Admin adds a client, or a client signs up. 2 The client logs in and edits himself 3 The client changes his COMPANY to "=1+cmd|'/C calc'!A0" 4 Admin goes to export the client as a csv file 5 Admin opens the csv and we can see that the calculator is opened. see...
CSV Injection while export users
1 Admin adds a user, or a user signs up. 2 The user logs in and edits himself 3 The user changes his realname to "=1+cmd|'/C calc'!A0" 4 Admin goes to export the users as a csv file 5 Admin opens the csv and we can see that the calculator is opened. see https://owasp.org/www-community/attacks/CSVInjectio...
Broken Access Control on Private Message Function
Description There are 2 issues I found in one function. A = admin, B = user1, C = attacker. Scenario 1: A sends a private message to B with subject "testing". B or C can change the subject; this will disturb the integrity of the messages as long as they know the message UUID. Scenario 2: A sends a private...
Open Redirect via deskDomain
Description This vulnerability occurs because the desired domain value can be inserted into the A tag through deskDomain manipulation. javascript if (window.location.hash != null && window.location.hash.substring(0, 9) == 'TICKETS') try { var temp = JSON.parse(decodeURIComponent(...
Reflected XSS
Description An attacker can steal the session token of any user by exploiting reflected XSS. Proof of Concept Send GET request to any of the below links. http://target/templates/pages/debugpanel.php?id=xss"alertdocument.cookie http://target/templates/pages/debugpanel.php?id=xss"alert'xss' Send PO...
XSS Reflected via import file function
Description The application imports data from the file without cleaning the data inside before processing, resulting in javascript code that can be injected and triggered when the victim executes the function. Proof of Concept Step 1: The attacker creates a .csv file containing a payload to...
Stored XSS via user's Full Name
Description The user's full name is rendered as HTML during user deletion. This enables a user to add Javascript code in the username, which can then be executed in the admin's webpage during user deletion. Proof of Concept - Login as a normal user and change the Full name to: javascript "...
Unauthorized access to Survey menu entries
Description The application is not properly verifying the authorization of users accessing survey menu entries. Proof of Concept 1. Login as a user with limited privilege. In my case the user permission is set as follows and has no access to surveys. 2. Visit...