Lucene search
K

63 matches found

Hacker One
Hacker One
added 2016/03/18 3:20 p.m.77 views

Imgur: XSS via React element spoofing

Hello, I noticed an XSS on imgur. Proof of concept: visit the URL http://imgur.com/vidgif/ticket/aaaaaaaa?errorpropsdangerouslySetInnerHTMLhtml=%3Cimg%20src=a%20onerror=%22alert%27XSS%20on%20%27%2bdocument.domain%22%3E&errorisReactElement=true&errortype=body It's not the simplest case as it...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2016/03/11 9:42 p.m.15 views

Imgur: Local file read in image editor

Filepaths were able to traverse up outside of their intended directory when using the /edit/process API endpoint. Insufficient imageid filtration in image editor allowed an attacker to read arbitrary files. An attacker could read files by setting file path in imageid GET param in /edit/process AP...

1.9AI score
Exploits0
Hacker One
Hacker One
added 2016/02/11 8:16 p.m.100 views

Imgur: SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg

Hello! Short description ======== https://imgur.com/vidgif/upload endpoint is vulnerable to a SSRF/LFE vulnerability which allows an attacker to craft connections originating from imgur servers to any destination on the internet and imgur internal network and disclose lists of files located on...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2016/02/11 10:23 a.m.588 views

Imgur: SSRF and local file read in video to gif converter

Video to gif converter on http://imgur.com/vidgif uses Lavf/55.48.100 with network options enabled. It makes possible SSRF by uploading specially crafted playlist. For example we can use mp4 file http://yngwie.ru/1.mp4 EXTM3U EXT-X-MEDIA-SEQUENCE:0 EXTINF:10.0, http://yngwie.ru/2.mp4 EXT-X-ENDLIS...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2016/02/10 6:53 p.m.405 views

Imgur: SSRF in https://imgur.com/vidgif/url

Hello, Short description ======== https://imgur.com/vidgif/url endpoint is vulnerable to a SSRF vulnerability which allows an attacker to craft connections originating from imgur servers to any destination on the internet and imgur internal network and craft outgoing UDP-packets / telnet-based...

9CVSS9AI score0.11027EPSS
Exploits0
Hacker One
Hacker One
added 2016/01/19 11:17 p.m.98 views

Imgur: Big Bug in SSL : breach compression attack (CVE-2013-3587) affect imgur.com

Hi imgur Security Team, This is an urgent issue and wish you fix it as soon as possible ... so this web application " imgur.com " " is potentially vulnerable to the BREACH attack. An attacker with the ability to: Inject partial chosen plaintext into a victim's requests Measure the size of encrypt...

4.3CVSS0.1AI score0.06049EPSS
Exploits2
Hacker One
Hacker One
added 2015/12/27 4:48 p.m.21 views

Imgur: XSS in imgur mobile 3

Hi i find other XSS Poc http://m.imgur.com/user/%22%3E%3Cimg%20src=x%20onerror=alert1%3E/message thanks ^^...

Exploits0
Hacker One
Hacker One
added 2015/12/26 8:53 p.m.19 views

Imgur: XSS in imgur mobile

hi poc : http://m.imgur.com/user/phoenixrachel%22%3E%3Cimg%20src=x%20onerror=alert1%3E...

Exploits0
Hacker One
Hacker One
added 2015/12/15 9:14 p.m.23 views

Imgur: risk of having secure=false in a crossdomain.xml

api.imgur.com permits SWF files on a non-HTTPS server to load data from this HTTPS server. Setting the secure attribute to false could compromise the security offered by HTTPS. In particular, setting this attribute to false opens secure content to snooping and spoofing attacks. The...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2015/12/03 8:43 a.m.29 views

Imgur: Attack User Privacy Settings - X-Frame-Options missing on m.imgur.com/user/username/settings

Hello, I would like to report that almost entire mobile web site is vulnerable to clickjacking attacks, Maybe the most important critical part the /settings node, As an attacker could force a user to change his privacy settings with only two clicks, please see live video demonstration, of course...

2.6AI score
Exploits0
Hacker One
Hacker One
added 2015/11/25 9:31 a.m.1224 views

Imgur: Login to any user account using other facebook app access token

Vulnerable Url: https://api.imgur.com/generatetoken/thirdpartynativeandroid?type=facebook Vulnerable Param: accesstoken Attck: Hacker can build own facebook app and get victim's facebook access token and use that access token to login into imgur account POC:...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2015/11/22 4:11 a.m.23 views

Imgur: Imgur dev environments facing the Internet

A security group configuration error allowed Imgur development environments to face the public internet. Typically these environments were protected behind a special endpoint which would open access to authenticated Imgur employees for a short time window. Since the development environments were...

1.5AI score
Exploits0
Hacker One
Hacker One
added 2015/11/05 12:25 a.m.19 views

Imgur: XSS m.imgur.com

Hi find xss vulnerability in your site Poc http://m.imgur.com/gallery/iT5l7%22%3E%3Cimg%20src=x%20onerror=alert1%3E...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2015/10/29 8:57 a.m.28 views

Imgur: Persistent XSS in https://p.imgur.com/albumview.gif and http://p.imgur.com/imageview.gif / post statistics

In p.imgur.com/albumview.gif, a post paramater could be set containing html and javascript. This was not escaped properly and the code would be executed. The reporter used the following example URLs as a proof of concept https://p.imgur.com/albumview.gif?a=F78FO&r=https://community.imgur.com/aler...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2015/10/24 9:5 a.m.16 views

Imgur: Persistent XSS in image title

When adding a title to uploaded images, one can insert XSS into the title which is then executed for anyone viewing the image. PoC contains a harmless XSS: http://imgur.com/bSZwUBG&rAmpN4O How to recreate: 1. Open the Image Options page for an album. 2. Press "Add Title / Description" 3. Enter so...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2015/10/09 8:37 p.m.17 views

Imgur: Csrf near report abuse meme

Hey team i would like to report a real csrf threat which allows attacker to make report abuse to any meme on behalf of the users how i found this bug :- lets visit to any meme example :- 1 http://imgur.com/t/memes/ieTEJEd 2 i clicked on post options 3 i got an option called report i clicked on it...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2015/10/01 8:24 p.m.16 views

Imgur: Server Side Request Forgery In Video to GIF Functionality

imgur.com is vulnerable to Server Side Request Forgery because it fails to sanitize or verify the "url" GET parameter. This could be used by attackers to launch attacks against other 3rd party sites or proxy an attackers requests through the affected site to hide the attackers origin. In more...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2015/10/01 10:39 a.m.37 views

Imgur: Crossdomain.xml settings on api.imgur.com too open

The crossdomain.xml file hosted at http://api.imgur.com/crossdomain.xml was too open. This allowed SWF files to make HTTP requests and see it's response. If this was not changed, then attacker.com can embed a SWF on attacker.com/example.html that makes an HTTP request to http://api.imgur.com/. Th...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2015/10/01 12:15 a.m.19 views

Imgur: Content Sniffing not enabled

The HTTP header X-Content-Type-Options was not set to nosniff. This can cause some browsers to try to determine the content/encoding type of a response, which is an undesired behavior...

1.7AI score
Exploits0
Hacker One
Hacker One
added 2015/10/01 12:4 a.m.20 views

Imgur: "Sign me out everywhere" does not work for desktop sessions

An account option that allowed users to sign out everywhere was found to not be functioning properly. A user selecting this option was not signed out. A fix has been rolled out to update session security as a result of this report...

2.2AI score
Exploits0
Rows per page
Query Builder