Huntr

Research Posts (9)

• Mar 30, 2021

  Cross Site Scripting in digidocu

  Reported a stored cross site scripting in digidocu.
• Jun 11, 2021

  Code Execution via Cross Site Scripting in Tagspaces (A file manager)

  Reported a code execution via cross site scripting in TagSpaces. The XSS is used to escape the sandbox of electron to gain Code Execution in TagSpaces.
• Apr 3, 2021

  Stored Cross Site Scripting in October CMS

  Reported a stored cross site scripting by uploading XML file in October CMS.
• Jun 12, 2021

  active_url validation check bypass in Laravel

  Reported and fixed a vulnerability in Laravel where active_url validation rule could be bypassed in a situation where a target has a subdomain localhost.
• Jun 12, 2021

  POP Gadget using function injection in RequiredIf

  Reported and fixed a vulnerability in Laravel where Illuminate\Validation\Rules\RequiredIf could be used as a gadget chain for deserialization vulnerabilities.
• Jun 11, 2021

  Relative Path Traversal in Flarum using fake OAuth Provider

  Reported a low impact Path Traversal where an OAuth Provider could read local files exploiting relative path traversal in Flarum.
• Jul 17, 2021

  FILTER_VALIDATE_URL bypass in PHP 8

  Reported a bypass of FILTER_VALIDATE_URL filter in PHP 8 that can lead to SSRF by escaping the URL validations in any PHP target which depend on FILTER_VALIDATE_URL.
• Jul 10, 2021

  Untrusted code execution in PHPMailer

  Reported a vulnerability in PHPMailer where a function could run unexpectedly while sending a mail leading to untrusted code execution.
• May 18, 2021

  XSS in Unified Transform (A school management software)

  Reported a stored cross site scripting in xyz