Lucene search
K

1932 matches found

Hacker One
Hacker One
added 2016/06/22 4:56 p.m.273 views

Pornhub: RCE Possible Via Video Manager Export using @ character in Video Title

The researcher identified that it was possible to inject arbitrary characters into video titles, that when exported via video manager would result in client-side code execution. The researcher was successful in getting a pingback from a meterpreter shell on the victim's machine. Essentially using...

1.9AI score
Exploits0
Hacker One
Hacker One
added 2016/04/13 2:39 p.m.20 views

Moneybird: CSV Injection with the CSV export feature

This researcher pointed at that is was possible to include formulas in the CSV export of Moneybird. Because these CSV files are interpreted by Excel, the formulas are executed on the clients computer. We are now filtering the input into the CSV export to prevent this behaviour...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2016/03/31 2:8 a.m.19 views

New Relic: CSV Injection in sub_accounts.csv

As an admin of a company, I can set my company name to be something like "=1+1", which, when downloaded by me or anyone else with permission to access that file, will execute and show "2" in the excel file. While this may seem safe, I am able to make the name something more malicious, such as...

3.1AI score
Exploits0
Hacker One
Hacker One
added 2016/03/26 2:59 a.m.45 views

Uber: CSV Injection in business.uber.com

business.uber.com allows for names to begin with an = which allows for injection of formulas into the downloaded CSVs. I wasn't quite sure what to categorize this as since there are two main problems with allowing injection of formulas into a CSV: 1. It allows for data exfiltration through...

Exploits0
Hacker One
Hacker One
added 2016/03/18 11:10 a.m.22 views

HackerOne: CSV Injection via the CSV export feature

I've bypassed 111192 by using this string ";=cmd|' /C calc'!A0" without doublequotes. Steps to reproduce are as in 111192. Tested in excel 2003-2013...

2AI score
Exploits0
Hacker One
Hacker One
added 2016/02/24 8:6 p.m.42 views

HackerOne: CSV Injection at the CSV export feature

Hi there, I have find a way to bypass the mitigation done in 72785 and 111192. What happens if an attacker creates a Ticket with the Tittle ":";-3+3+cmd|' /C calc'!D2. The ; will break the field making excel think that there are two fields. Although, you are using "" to encapsulate a field and , ...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2016/01/17 2:40 a.m.52 views

HackerOne: CSV Injection via the CSV export feature

Hi , I have managed to bypass your fix for 72785 by submitting a report with NewLine character 0x0a in the title before the CSV formula. Steps to reproduce: 1. As a researcher , Submit a report to a program with the title %0A-2+3+cmd|' /C calc'!D2 , here is an example request: POST...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2015/11/20 1:8 p.m.43 views

Shopify: CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com

Hi , I have found that when a user tries to Export list of current users who installed his apps through: https://app.shopify.com/services/partners/apiclients//exportinstalledusers the fields of the CSV file are not properly escaped. which makes them vulnerable to CSV Excel Macro Injection...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2015/10/04 11:17 p.m.34 views

Automattic: CSV Injection in polldaddy.com

Hello, We can inject commands in any fields of a member in an email group =210 for example, and when it's exported to CSV it will be evaluated to 20 in the corresponding cell, this enables an attacker to spread malware and execute system level commands on a victim's machine if the victim download...

1AI score
Exploits0
Hacker One
Hacker One
added 2015/10/04 10:34 p.m.28 views

Trello: CSV Injection

Hello, We can inject commands in the name field of a board =210 for example, and when it's exported to CSV it will be evaluated to 20 in the corresponding cell, this enables an attacker to spread malware and execute system level commands on a victim's machine if the victim downloaded the CSV file...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2015/06/26 7:53 p.m.87 views

HackerOne: CSV Injection with the CVS export feature

The "Download as a CSV" feature of HackerOne does not properly "escape" fields. This allows an adversary to turn a field into active content so when a response team download the csv and opens it, the active content gets executed. Here is more information about this issue:...

0.3AI score
Exploits0
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.11 views

Automatic 2.0.3 - csv.php q Parameter SQL Injection

The wp-automatic WordPress plugin was affected by a csv.php q Parameter SQL Injection security vulnerability...

3.2AI score
Exploits0References2Affected Software1
Rows per page
Query Builder