125 matches found
Design/Logic Flaw
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control which is contrary to the API documentation, allows remote authenticated users to discover password hashes by reading the Basic HTT...
Lob: Disclosure of Internal IP address
Vulnerability: Internal IP address Disclosure. I have found a similar report https://hackerone.com/reports/329791. Steps to check: 1. Copy the link https://wp.lob.com/wp-json/wp/v2/pages. 2. You will get a JSON response. 3. In the JSON response, you will see a link...
CVE-2019-6599
In BIG-IP 11.6.1-11.6.3.2 or 11.5.1-11.5.8, or Enterprise Manager 3.1.1, improper escaping of values in an undisclosed page of the configuration utility may result in improper handling of the JSON response when it is injected by a malicious script via a remote cross-site scripting (XSS) attack...
LocalTapiola: User Information Disclosure via JSON response
User Information Disclosure via JSON response on a specific API endpoint. POC URL: https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/users/ Reference: https://wpvulndb.com/wordpresses/462 Impact: an attacker can use that info for advanced attacks such as brute-force login...
CVE-2017-1000389
Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting...
Cross-site request forgery (CSRF)
Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting...
HackerOne: Submitted reports state logs leakage
Hi team, Summary: The endpoint https://hackerone.com/ returns a JSON response containing some information about the , the parameter signal is returned as a high-precision float number up to 14 digits after the comma; the fractional part of this JSON parameter can be used to disclose so...
Open-Xchange: SSRF in /appsuite/api/autoconfig
FYI: This was conducted on a local install of App Suite and not the sandbox. App Suite version was: 7.8.4 Rev14 Hello, There is a possible SSRF vulnerability in the following App Suite API endpoint that will primarily allow blind port scanning of the App Suite server and any internal servers...
HackerOne: Information Disclosure when /invitations/<token>.json is not yet accepted
Hi Team, Summary: First, I just want to clarify that this finding seems to be a purely human mistake from one of the HackerOne team members who created a summary of this report: 283309 --- I have found that you guys at HackerOne were disclosing email address and private program as part of this report summar...
HackerOne: View Any Program's Team Members through GET https://hackerone.com/invitations/
@nickcas discovered that it was possible to view all the team members of a program through a JSON response that is sent when a user is invited to collaborate on a report via the /invitations/ endpoint. He was able to provide a very clear PoC, which consisted of a list showing all the members of t...
Pushwoosh: Cleartext Password returned in JSON response
The password was returned in the JSON response for changing the password, which could be recovered by accessing the firefox.exe memory dump. The password string is persistent in RAM even after restarting the Firefox application, until you restart the computer. Refer to the .docx for more information...
HackerOne: Ability to monitor reports' submission in real time
Hey , I would like to report an issue with the server responses that allows any user to monitor and track the reports' submission and the platform activity. Description: The issue occurs on the endpoint '/reports/reportid.json' due to the difference between server responses for submitted...
DEBIAN-CVE-2016-2045
Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response...
Mail.ru: [orsotenslimselfie.lady.mail.ru] SQL Injection
Good day. The GET parameter lastid is vulnerable to SQL injection. Attack vector: Union Based. PoC http://orsotenslimselfie.lady.mail.ru/ajax/contest?perPage=20&lastid=7913+union+select+concatversion,0x3a,user,2,3,4,version,6,7,8,9,10--+ output in the JSON response - 5.0.92-community-log:[email protected]...
Docker Remote API Unauthorized Access
Introduction: When Docker is used with cluster management such as Kubernetes or Swarm, the remote API is used to manage nodes. The default port of the remote API without authentication is 2375; with TLS authentication the default is 2376. By default the remote API can be accessed directly without authentication, and Docker can be operated directly, e.g. creating containers, deleting containers, viewing image and container information, etc... For remote API operation methods see the official Docker documentation. To detect unauthorized access to the Docker remote API, you can use curl or open http://ip:2375/info directly in a browser. If JSON is returned, the vulnerability exists, as shown in the figure below. Other reference links...
HackerOne: Minimum bounty of a private program is visible for users that were removed from the program
Hello, Privileged information is getting leaked to an unauthorized user in the JSON response of https://hackerone.com/reports/.json. In a team there can be many members, and roles are defined. But an ex-member of the team is getting information which should not be visible to him. As I tested it o...
HackerOne: Internal bounty and swag details disclosed as part of JSON response
Hello HackerOne team !!!! If some company takes an option like this: Show minimum bounty on the program page? Do not display the minimum bounty on the program page. For example: https://hackerone.com/███████████ Private bounty details "basebounty":10 https://hackerone.com/████ Private swag details...
HackerOne: Reflected File Download
Info: Reflected File Download is a new web attack vector. It allows an attacker to craft a malicious file and present it to a victim, but there is no file present at the server. It was recently published at Black Hat Europe 2014 by Oren Hafif. The link to his presentation is given at the end...