939 matches found
Slack: Open redirect vulnerability
Hi, Open redirect issue: 1 Go to this URL: https://sehacure.slack.com/link?url=http://www.likelo.com The victim will be redirected. Impacts: The attacker can force the user to install trojans,malwares, etc. into his system. And can conduct phishing attacks. Please have a check. Best regards, Anan...
Slack: Stored XSS in Channel Chat
Hi there is a stored XSS in Channel Chat feature. I strong believe this a critical stored XSS I've made a video as POC and Reproduction steps here: - https://www.dropbox.com/s/2opkr6ojsseo1ka/Slack-Chat-Stored-XSS.mov Thanks and Regards Prakhar Prasad...
Slack: Stored XSS on this link https://sehacure.slack.com/help/requests/
Hi, This is a little tricky one. First of all go to your profile page and change your name to " Save it. Wait!!! You will not see a javascript pop up there because there is proper input validation on the profile page. Now to see the prompt box 1 Go to this link...
Slack: CSRF on add comment section
Hi, Steps to repro: 1 Go to this link https://sehacure.slack.com/help/requests/237956 2 The malicious guy should now the request number and the username. 3 Open Tamper data using tamper data firefox addon,Fill the reply in the form. 4 Submit the request.You will see there are no anti-csrf token i...
Slack: csrf
Hi, Anti CSRF token to prevent CSRF attacks are missing on this link https://sehacure.slack.com/help/requests/new A new request can be submitted by an malicious guy to the support team on behalf of the user. The victim will never get to know. 1 Go to this link...
Slack: CSRF vulnerability on https://sehacure.slack.com/account/settings
Hi, The CSRF token is not getting expired for a user.This can led to username change and many other account change information as well. To reproduce the issue: 1 Login into your Slack.com account 2 Go to this URl https://sehacure.slack.com/account/settings 3 Inspect element Copy your anti CSRF...
Slack: Stored XSS in username.slack.com
Hi There is a stored XSS in username.slack.com. Steps to reproduce: 1. Login to your Slack 2. Goto "Create Private Group" and with any name and purpose 3. Goto https://manish.slack.com/messages/group/files/ 4. Upload a file hitting upload icon ^ filename shall be ".jpeg 5. After file is uploaded...
Slack: URL redirection flaw
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. Steps to reproduce: 1 Go to this URL:...
Slack: Stored XSS in www.slack-files.com
Hi, We can create posts under https://subdomain.slack.com/files/create/post Post will have XSS payload like " in title and body We save it and hit "Create public link" and once we share the link it will trigger XSS. Example/POC: https://slack-files.com/T025LLJ2X-F025N8W7W-3a5691 Thanks Prakhar...
Slack: Session Fixation disclosing email address
Desc: Session fixation occurs due to SessionID in URL. A valid session-URL should be only a one time use. In this case a valid session-URL remains active for infinite time. The browser/cache may store this unique Session-URL and disclose EMAIL address of the user. Working: 1Register 2One...
Slack: Slack OAuth2 "redirect_uri" Bypass
Hi, I've found a way to circumvent redirecturi restrictions imposed by the web application using domain-suffix/subdomain technique. I created an OAuth application under https://api.slack.com/applications/new. That has OAuth redirecturi configured to http://www.google.com. So technically Allowed...
Slack: Broken Authentication (including Slack OAuth bugs)
Hi, Hope you are doing good! Please have a look at the below report. Description: OAuth Framework Flaw Bypassing redirecturi validation An attacker to exploit this Flaw just needs to find a open redirection flaw in the site which is using Slack's OAuth for logins. Impact: A malicious user can ste...
Slack: Reflective XSS can be triggered in IE
https://slack.com/go/2-2190974613-d56827?77d50"alert9 The following URL is vulnerable to XSS and can be reproduce in IE...
Computerviren - Arten, Verfahren, Technik & Geschichte
Document Title: =============== Computerviren - Arten, Verfahren, Technik & Geschichte References: =========== https://www.vulnerability-lab.com/resources/documents/194.pdf Release Date: ============= 2011-07-17 Vulnerability Laboratory ID VL-ID: ==================================== 194 Discovery...
CVE-2005-4151
The Wipe Free Space utility in PGP Desktop Home 8.0 and Desktop Professional 9.0.3 Build 2932 and earlier does not clear file slack space in the last cluster for the file, which allows local users to access the previous contents of the disk...
CVE-2005-4151
The Wipe Free Space utility in PGP Desktop Home 8.0 and Desktop Professional 9.0.3 Build 2932 and earlier does not clear file slack space in the last cluster for the file, which allows local users to access the previous contents of the disk...
CVE-2005-4151
The CVE-2005-4151 entry concerns the Wipe Free Space utility in PGP Desktop Home 8.0 and Desktop Professional 9.0.3 Build 2932 and earlier. The issue is that the utility does not clear file slack space in the last cluster for a file, enabling local users to access previous contents of the disk. A...
PGP Desktop Wipe Free Space incomplete information wiping
Slack space in the last file cluster is not cleaned...
Information leak in the Linux kernel ext2 implementation
Description: Information leak in the Linux kernel ext2 implementation References: CAN-2005-0400 Authors: Mathieu Lafon [email protected] Romain Francoise [email protected] Arkoon Security Team Advisory - March 25, 2005 http://arkoon.net/advisories/ext2-make-empty-leak.txt Revision: 1.0 1...