[FD] Vulnerabilities Disclosure - Shoplazza Stored XSS

2022-12-13 Thread Andrey Stoykov
# Exploit Title: Shoplazza 1.1 - Stored Cross Site Scripting # Exploit Author: Andrey Stoykov # Software Link: https://github.com/Shoplazza/LifeStyle # Version: 1.1 # Tested on: Ubuntu 20.04 Stored XSS #1: To reproduce do the following: 1. Login as normal user account 2. Browse "Blog Posts"

[FD] 4images RCE

2022-12-20 Thread Andrey Stoykov
# Exploit Title: 4images 1.9 - Remote Command Execution # Exploit Author: Andrey Stoykov # Software Link: https://www.4homepages.de/download-4images # Version: 1.9 # Tested on: Ubuntu 20.04 To reproduce do the following: 1. Login as administrator user 2. Browse to "General" -> "

[FD] Full Disclosure - Shopify Application

2023-03-11 Thread Andrey Stoykov
Correspondence from Shopify declined to comment regarding newly discovered vulnerabilities within their website. Although 'frontend' vulnerabilities are considered out of scope, person/tester found himself a beefy bug bounty from the same page that has been listed below, including similar functionalit

[FD] Full Disclosure - Fastly

2023-03-11 Thread Andrey Stoykov
Correspondence from Fastly declined to comment regarding newly discovered vulnerabilities within their website. Poor practices regarding password changes. 1. Reset user password 2. Access link sent 3. Temporary password sent plaintext // HTTP POST request POST /user/mwebsec%40gmail.com/password

[FD] SQLi - Faculty Evaluation System

2023-07-07 Thread Andrey Stoykov
# Exploit Title: Faculty Evaluation System - SQL Injection # Date: 07/2023 # Exploit Author: Andrey Stoykov # Version: 1.0 # Tested on: Windows Server 2022 SQLi #1 File: edit_evaluation Line #4 $qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetc

[FD] Unquoted Path - XAMPP 8.2.4

2023-07-11 Thread Andrey Stoykov
# Exploit Title: XAMPP 8.2.4 - Unquoted Path # Date: 07/2023 # Exploit Author: Andrey Stoykov # Version: 8.2.4 # Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe # Tested on: Windows Server 2022 # Blog: http

[FD] WBCE - Stored XSS

2023-07-16 Thread Andrey Stoykov
# Exploit Title: WBCE - Stored XSS # Date: 07/2023 # Exploit Author: Andrey Stoykov # Version: 1.6.1 # Tested on: Windows Server 2022 # Blog: http://msecureltd.blogspot.com Steps to Exploit: 1. Login to application 2. Browse to following URI "http://host/wbce/admin/pages/intro.php"

[FD] Availability Booking Calendar PHP - Stored XSS and Unrestricted File Upload

2023-07-25 Thread Andrey Stoykov
# Exploit Title: Availability Booking Calendar PHP - Multiple Issues # Date: 07/2023 # Exploit Author: Andrey Stoykov # Tested on: Ubuntu 20.04 # Blog: http://msecureltd.blogspot.com XSS #1: Steps to Reproduce: 1. Browse to Bookings 2. Select All Bookings 3. Edit booking and select Promo Code

[FD] Stored XSS - Perch

2023-08-01 Thread Andrey Stoykov
# Exploit Title: # Date: 07/2023 # Exploit Author: Andrey Stoykov # Version: 3.2 # Tested on: Windows Server 2022 # Blog: http://msecureltd.blogspot.com XSS #1: File: roles.edit.post.php Line #57: [...] label('roleTitle', 'Title'); ?> text(

[FD] Pentest Paper - Introduction to Web Pentest

2023-08-01 Thread Andrey Stoykov
exploitation of XSS, SQLi, CSRF and Open redirect. Has brief theory explanation prior to showing how to exploit each flaw. Kind Regards, Andrey Stoykov ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web

[FD] Stored XSS and RCE - adaptcmsv3.0.3

2024-02-13 Thread Andrey Stoykov
# Exploit Title: Stored XSS and RCE - adaptcmsv3.0.3 # Date: 02/2024 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Ubuntu 22.04 # Blog: http://msecureltd.blogspot.com *Description* - It was found that adaptcms v3.0.3 was vulnerable to stored cross site scripting - Also the

[FD] XAMPP 5.6.40 - Error Based SQL Injection

2024-03-02 Thread Andrey Stoykov
# Exploit Title: XAMPP - Error Based SQL Injection # Date: 02/2024 # Exploit Author: Andrey Stoykov # Version: 5.6.40 # Tested on: Ubuntu 22.04 # Blog: http://msecureltd.blogspot.com Steps to Reproduce: 1. Login to phpmyadmin 2. Visit Export > New Template > test > Create 3. Na

[FD] Multiple XSS Issues in boidcmsv2.0.1

2024-03-02 Thread Andrey Stoykov
# Exploit Title: Multiple XSS Issues in boidcmsv2.0.1 # Date: 3/2024 # Exploit Author: Andrey Stoykov # Version: 2.0.1 # Tested on: Ubuntu 22.04 # Blog: http://msecureltd.blogspot.com XSS via SVG File Upload Steps to Reproduce: 1. Login with admin user 2. Visit "Media" page 3. Upload

[FD] Multiple Issues in concretecmsv9.2.7

2024-04-11 Thread Andrey Stoykov
# Exploit Title: Multiple Web Flaws in concretecmsv9.2.7 # Date: 4/2024 # Exploit Author: Andrey Stoykov # Version: 9.2.7 # Tested on: Ubuntu 22.04 # Blog: http://msecureltd.blogspot.com Verbose Error Message - Stack Trace: 1. Directly browse to edit profile page 2. Error should come up with

[FD] Reflected XSS - atutorv2.2.4

2025-01-27 Thread Andrey Stoykov
# Exploit Title: Reflected XSS - atutorv2.2.4 # Date: 01/2025 # Exploit Author: Andrey Stoykov # Version: 2.2.4 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2025/01/friday-fun-pentest-series-17-reflected.html Description: - It was found that the application was vulnerable to

[FD] Host Header Injection - atutorv2.2.4

2025-01-27 Thread Andrey Stoykov
# Exploit Title: Host Header Injection - atutorv2.2.4 # Date: 01/2025 # Exploit Author: Andrey Stoykov # Version: 2.2.4 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2025/01/friday-fun-pentest-series-18-host.html Description: - It was found that the application had a Host

[FD] Stored XSS via Send Message Functionality - dolphin.prov7.4.2

2025-03-24 Thread Andrey Stoykov
# Exploit Title: Stored XSS via Send Message Functionality - dolphin.prov7.4.2 # Date: 03/2025 # Exploit Author: Andrey Stoykov # Version: 7.4.2 # Date: 03/2025 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-20-stored-xss.html Stored XSS via

[FD] SQL Injection in Admin Functionality - dolphin.prov7.4.2

2025-03-24 Thread Andrey Stoykov
# Exploit Title: SQL Injection in Admin Functionality - dolphin.prov7.4.2 # Date: 03/2025 # Exploit Author: Andrey Stoykov # Version: 7.4.2 # Date: 03/2025 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-21-sql.html SQL Injection in Admin

[FD] XSS via SVG Image Upload - AlegroCartv1.2.9

2025-04-23 Thread Andrey Stoykov
# Exploit Title: XSS via SVG Image Upload - alegrocartv1.2.9 # Date: 04/2025 # Exploit Author: Andrey Stoykov # Version: 1.2.9 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ XSS via SVG Image Upload: Steps to Reproduce: 1. Visit http://192.168.58.129/alegrocart/administrator

[FD] Business Logic Flaw: Price Manipulation - AlegroCartv1.2.9

2025-04-23 Thread Andrey Stoykov
# Exploit Title: Business Logic Flaw: Price Manipulation - alegrocartv1.2.9 # Date: 04/2025 # Exploit Author: Andrey Stoykov # Version: 1.2.9 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Business Logic Flaw: Price Manipulation #1: Steps to Reproduce: 1. Visit the store and

[FD] Stored XSS in "Message" Functionality - AlegroCartv1.2.9

2025-04-23 Thread Andrey Stoykov
# Exploit Title: Stored XSS in "Message" Functionality - alegrocartv1.2.9 # Date: 04/2025 # Exploit Author: Andrey Stoykov # Version: 1.2.9 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS #1: Steps to Reproduce: 1. Login as demonstrator account and visit

[FD] Self Stored XSS - acp2sev7.2.2

2025-02-20 Thread Andrey Stoykov
# Exploit Title: Self Stored XSS - acp2sev7.2.2 # Date: 02/2025 # Exploit Author: Andrey Stoykov # Version: 7.2.2 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2025/02/friday-fun-pentest-series-19-self.html Self Stored XSS #1: Steps to Reproduce: 1. Visit "

[FD] Stored XSS in "Description" Functionality - cubecartv6.5.9

2025-06-03 Thread Andrey Stoykov
# Exploit Title: Stored XSS in "Description" Functionality - cubecartv6.5.9 # Date: 05/2025 # Exploit Author: Andrey Stoykov # Version: 6.5.9 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS #1: Steps to Reproduce: 1. Visit "Account" > "Ad

[FD] Authenticated File Upload to RCE - adaptcmsv3.0.3

2025-06-03 Thread Andrey Stoykov
# Exploit Title: Authenticated File Upload to RCE - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Authenticated File Upload to RCE #1: Steps to Reproduce: 1. Login as admin user and visit "S

[FD] Stored XSS "Send Message" Functionality - adaptcmsv3.0.3

2025-06-03 Thread Andrey Stoykov
# Exploit Title: Stored XSS "Send Message" Functionality - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS "Send Message" Functionality #1: Steps to Reproduce: 1.

[FD] IDOR "Change Password" Functionality - adaptcmsv3.0.3

2025-06-03 Thread Andrey Stoykov
# Exploit Title: IDOR "Change Password" Functionality - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ IDOR "Change Password" Functionality #1: Steps to Reproduce: 1. Lo

[FD] Stored XSS via File Upload - adaptcmsv3.0.3

2025-06-03 Thread Andrey Stoykov
# Exploit Title: Stored XSS via File Upload - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS via File Upload #1: Steps to Reproduce: 1. Login with low privilege user and visit "Pr

[FD] Session Fixation - bluditv3.16.2

2025-07-07 Thread Andrey Stoykov
# Exploit Title: Session Fixation - bluditv3.16.2 # Date: 07/2025 # Exploit Author: Andrey Stoykov # Version: 3.16.2 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Session Fixation #1: Steps to Reproduce: Visit the login page. Login with valid user and observe that the

[FD] Stored XSS "Add New Content" Functionality - bluditv3.16.2

2025-07-07 Thread Andrey Stoykov
# Exploit Title: Stored XSS "Add New Content" Functionality - bluditv3.16.2 # Date: 07/2025 # Exploit Author: Andrey Stoykov # Version: 3.16.2 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS "Add New Content" Functionality #1: Steps to Reproduce:

[FD] XSS via SVG File Upload - bluditv3.16.2

2025-07-07 Thread Andrey Stoykov
# Exploit Title: XSS via SVG File Upload - bluditv3.16.2 # Date: 07/2025 # Exploit Author: Andrey Stoykov # Version: 3.16.2 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ XSS via SVG File Upload #1: Steps to Reproduce: 1. Login with admin account and click on "General"

[FD] Directory Traversal "Site Title" - bluditv3.16.2

2025-07-07 Thread Andrey Stoykov
# Exploit Title: Directory Traversal "Site Title" - bluditv3.16.2 # Date: 07/2025 # Exploit Author: Andrey Stoykov # Version: 3.16.2 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Directory Traversal "Site Title" #1: Steps to Reproduce: 1. Login with admin

[FD] Stored XSS "Edit Header" Functionality - seotoasterv2.5.0

2025-07-29 Thread Andrey Stoykov
# Exploit Title: Stored XSS "Edit Header" Functionality - seotoasterv2.5.0 # Date: 07/2025 # Exploit Author: Andrey Stoykov # Version: 2.5.0 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS "Edit Header" Functionality #1: Steps to Reproduce: Log

[FD] Open Redirect "Login Page" Functionality - seotoasterv2.5.0

2025-07-29 Thread Andrey Stoykov
# Exploit Title: Open Redirect "Login Page" Functionality - seotoasterv2.5.0 # Date: 07/2025 # Exploit Author: Andrey Stoykov # Version: 2.5.0 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Open Redirect "Login Page" Functionality #1: Steps to Rep

[FD] Stored XSS "Create Page" Functionality - seotoasterv2.5.0

2025-07-29 Thread Andrey Stoykov
# Exploit Title: Stored XSS "Create Page" Functionality - seotoasterv2.5.0 # Date: 07/2025 # Exploit Author: Andrey Stoykov # Version: 2.5.0 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS "Create Page" Functionality #1: Steps to Reproduce 1.

[FD] Stored XSS "Edit General Info" Functionality - seotoasterv2.5.0

2025-07-29 Thread Andrey Stoykov
# Exploit Title: Stored XSS "Edit General Info" Functionality - seotoasterv2.5.0 # Date: 07/2025 # Exploit Author: Andrey Stoykov # Version: 2.5.0 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS "Edit General Info" Functionality #3: Steps to Repr