394 matches found
CVE-2019-17566
A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack SSRF via "xlink:href" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. The highest threat from this vulnerability is to system...
Open-Xchange: SSRF protection bypass in /appsuite/api/oxodocumentfilter addfile action
Summary The URL validation logic applied when handling /appsuite/api/oxodocumentfilter&action=addfile suffers from three defects which can be used to execute Time of Check Time of Use ToCToU SSRF attack. This issue allows malicious actors to execute HTTP GET requests on internal network services...
Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities (CVE-2017-3164)
Summary IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities Vulnerability Details CVEID: CVE-2017-3164 DESCRIPTION: Apache Solr is vulnerable to server-side request forgery, caused by not having corresponding allowlist mechanism in the shards parameter. By using a...
XXExploiter - Tool To Help Exploit XXE Vulnerabilities
I wrote this tool to help me testing XXE vulnerabilities. It generates the XML payloads, and automatically starts a server to serve the needed DTD's or to do data exfiltration. IMPORTANT: This tool is still under development and although most of its features are already working, some may have not...
GitLab: SSRF into Shared Runner, by replacing dockerd with malicious server in Executor
Note I've assigned the severity HIGH and submitted this report based on previously disclosed blind SSRF bugs that were previously disclosed. https://hackerone.com/reports/398799 If that's not correct, please adjust or let me know if you require more immediate impact on users in order to consider...
CVE-2020-1925
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can...
Server side request forgery (ssrf)
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can...
Is AWS Liable in Capital One Breach?
Amazon is at least partly blame for the massive 2019 Capital One breach that impacted more than 100 million customers, senators are alleging. Security researchers however are of two minds. In a letter to the Federal Trade Commission FTC this week, U.S. senators Ron Wyden D-Ore. and Elizabeth Warr...
CVE-2019-12632
A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery SSRF attack on an affected system. The vulnerability exists because the affected system does not properly validate user-supplied input. An attacker...
Server side request forgery (ssrf)
A vulnerability in Cisco Unified Contact Center Express Unified CCX could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery SSRF attack on a targeted system. The vulnerability is due to improper validation of user-supplied input on the...
CVE-2019-12852
An SSRF attack was possible on a JetBrains YouTrack server. The issue 1 of 2 was fixed in JetBrains YouTrack 2018.4.49168...
h1-5411-CTF: Solution for h15411's CTF challenge
Baby steps Earlier today a friend tipped me off about an ongoing CTF challenge that was being run by HackerOne and would get the first ten winners a ticket to participate in h15411, which will be a live-hacking event happening in Buenos Aires. This immediately caught my attention and I decided to...
Slack: SSRF in api.slack.com, using slash commands and bypassing the protections.
Bypassing the reports 61312 and 356765 Tutorial: Go to api.slack.com and create an application with your own slash command. F320014 Enter your own domain: in your own domain: index.php location: http://:::22/ F320019 And save. Go to your Slack and type /youslash Try with my server...
Server side request forgery (ssrf)
An XML external entity XXE vulnerability in Fortify Software Security Center SSC, version 17.1, 17.2, 18.1 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery SSRF attacks via a crafted DTD in an XML request...
Security Bulletin: API Connect Developer Portal is affected by a PHP vulnerability (CVE-2017-7272)
Summary IBM API Connect has addressed the following vulnerability. PHP is vulnerable to server-side request forgery, caused by a flaw in the fsockopen function. By using a specially crafted argument, an attacker could exploit this vulnerability to conduct a Server Side Request Forgery SSRF attack...
Server side request forgery (ssrf)
Citrix NetScaler VPX through NS12.0 53.13.nc allows an SSRF attack via the /rapi/readurl URI by an authenticated attacker who has a webapp account. The attacker can gain access to the nsroot account, and execute remote commands with root privileges...
FreeBSD : rubygem-geminabox -- XSS & CSRF vulnerabilities (2bffdf2f-9d45-11e7-a25c-471bafc3262f)
Gem in a box XSS vulenrability - CVE-2017-14506 : Malicious attacker create GEM file with crafted homepage value gem.homepage in .gemspec file includes XSS payload. The attacker access geminabox system and uploads the gem file or uses CSRF/SSRF attack to do so. From now on, any user access...
FFmpeg arbitrary file read vulnerability analysis-vulnerability warning-the black bar safety net
Vulnerability analysis The vulnerability was originally developed by neex submitted to the HackerOne platform, and eventually get a 1000$bonus, the original link is https://hackerone.com/reports/226756 the. According to the authors, the exploitability of the vulnerability in the FFmpeg can handle...
CVE-2017-8794
An issue was discovered on Accellion FTA devices before FTA912180. Because a regular expression intended to match local https URLs lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwdhttps:// URL pattern...
The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506
The version of the bundled Atlassian OAuth plugin was vulnerable to Server Side Request Forgery SSRF. This allowed a XSS and or a SSRF attack to be performed. More information about the Atlassian OAuth plugin issue see https://ecosystem.atlassian.net/browse/OAUTH-344...