U.S. Dept Of Defense: SQL injection located in `███` in POST param `████████`
Hey DoD security team! I was able to exploit an SQL injection 1 in one of your domains. Description An SQL injection 1 was discovered in domain https://████████/██████ in the parameter ██████████. The SQL injection was located in a WHERE statement followed by an INT value. The vulnerable parameter...
Shopify: Theme editor `oseid` parameter is leaked to third-party services through the `Referer` header, which leads to some kind of storefront password bypass.
Hello Shopify, Summary While reading @danishalkatiri's report 997350, I remembered a report that @francisbeaudoin shared with me some time ago, mid-February 2021, about leaking the theme editor oseid parameter and being able to exploit it to a point where he was able to somewhat bypass the storefron...
Cisco Jabber Certificate Validation Vulnerability
Cisco Jabber is a web conferencing and instant messaging application that allows users to send messages over the Extensible Messaging and Status Protocol XMPP. Cisco Jabber suffers from a certificate validation vulnerability that can be exploited by an attacker to be able to inspect or modify the...
IBM Cloud Pak System Arbitrary File Upload Vulnerability (CNVD-2021-01067)
IBM Cloud Pak System is a full-stack, converged infrastructure with configurable, pre-integrated software from IBM USA. An arbitrary file upload vulnerability exists in IBM Cloud Pak System 2.3. An attacker can exploit this vulnerability by intercepting requests and modifying the file extension t...
Shopify: Order lookup features of Shopify Chat Application leads to customer orders enumeration due to lack of user input validation
It came to my attention that the Shopify Chat application allows a customer to retrieve their order status by only providing the order email and number. Noticing that it results in being provided the order status page link, I started playing a bit with both parameters and I found out that it is...
CS Money: Application DOS via specially crafted payload on 3d.cs.money
Summary: Hello Team, While testing it was observed that on 3d.cs.money a DOS is possible via a specially crafted request, using only a single request from a single machine, on the search bar. Though I am aware of the Out of Scope policy "Any activity that could lead to the disruption of our service DoS", thi...
Acronis: Cross Origin Resource Sharing Misconfiguration
Description: Cross-Origin Resource Sharing CORS is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. The CORS mechanism supports secure cross-origin requests and data transfers...
Zomato: Ability to manipulate price with a max threshold of `<1 Rupee` in support rider parameter
Hi Team, I have found an issue in the support rider amount calculation at the time of checkout, where the amount is tamperable by a negative fraction of rupees, which decreases the total amount by a maximum of 1 Rs. PoC: 1. Go to zomato.com 2. Add anything to your cart 3. At the checkout page, add...
Privilege Escalation
An attacker is able to intercept certain requests to the Kubelet and send a redirect response that may be followed by a client using the credentials from the original request. This can lead to compromise of other nodes...
PT-2021-9173 · Openshift Container Platform · Kibana
Name of the Vulnerable Software and Affected Versions: OpenShift Container Platform's distribution of Kibana affected versions not specified Description: A flaw in OpenShift Container Platform's distribution of Kibana allows it to be opened in an iframe, enabling an attacker to intercept and...
CVE-2020-10743
It was discovered that OpenShift Container Platform's OCP distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as...
Nextcloud: Remote code execution via path traversal in Zip extraction in the Extract app
I realise this doesn't qualify for a reward, as it's a vulnerability in a third-party app, but as the app is part of the "official" VM image provided by Hansson IT, I think it's well worth fixing. The Extract app doesn't validate the path or filename of a zip file to be extracted, allowing an...
Ping Identity: Google Maps API key leaked during device pairing
Summary: Just on intercepting and going through the request I made from ort-admin.pingone.com, I found that the Google Maps API key was leaking through a GET request. I was able to validate that the leaked key was a valid one. Steps To Reproduce: 1. Login to account, go to setup tab, ping iD device...
FAST or Burp or both?
By @aLLy , Wallarm Research Hello guys, time to talk details about Wallarm FAST Framework for Application Security Testing. It’s a new automatic web vulnerability scanning and fuzzing detection tool by Wallarm Inc. It is well suited for security researchers in enterprise Red Teams as well as for...
Transparent Tor for Windows: Tallow
Tallow is a small program that redirects all outbound traffic from a Windows machine via the Tor anonymity network. Any traffic that cannot be handled by Tor, e.g. UDP, is blocked. Tallow also intercepts and handles DNS requests preventing potential leaks. Tallow has several applications,...
UltimatePOS 2.5 - Remote Code Execution
UltimatePOS 2.5 - Remote Code Execution Exploit Title: UltimatePOS 2.5 - Remote Code Execution Google Dork: intext:"UltimatePOS" Date: 2018-08-22 Exploit Author: Renos Nikolaou Vendor Homepage: http://ultimatefosters.com/ Software Link:...
Dashbuilder: Lack of clickjacking protection on the login page
It was discovered that the Dashbuilder login page could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console clickjacking...
Pornhub: Stored XSS in galleries - https://www.redtube.com/gallery/[id] path
Researcher successfully closed the image 'alt' attribute and injected JavaScript by intercepting the album creation request and submitting an XSS payload as the album title. This led to stored cross-site scripting on the user's album page, executed against any users who visited the album. Stored...
Unspecified vulnerability in Http-signature
Http-signature is a library that includes client and server components with the Joyent HTTP signature scheme. A security vulnerability exists in Http-signature version 0.9.11 and earlier. An attacker can exploit this vulnerability by intercepting a request and replacing the packet header name and...
Monstra CMS 3.0.4 - Cross-Site Scripting (1)
Monstra CMS 3.0.4 - Cross-Site Scripting 1 Title: Monstra CMS www.target.com' url = input'Target : ' print' Required admin's PHPSESSID.' PHPSESSID = input'PHPSESSID : ' pagename = input'Pagename : ' script = input'Script : ' target = 'http://' + url + '/admin/index.php?id=pages&action=addpage'...