Chaturbate: Login form on non-HTTPS page on http://stream.highwebmedia.com/auth/login/
Dear Team, Summary A page on a http://stream.highwebmedia.com/auth/login/ is not fully protected by an SSL certificate. This could allow an attacker in a Man-in-the-Middle position to obtain usernames and passwords of users visiting the site. Note the warning in screenshot 1, firefox has identifi...
Pornhub: [idor] Unauthorized Read access to all the private posts(Including Photos,Videos,Gifs)
Researcher was able to access private user content by calling the post ID...
Zomato: Bypass OTP verification when placing Order
User can bypass the OTP verification needed while placing an order with a restaurant. User can give a random number and intercept the OTP request. If wrong OTP is provided then the error message shows the session code which is the OTP in this case. Hence that session code can be used to verify th...
Shopify: H1514 Ability to MiTM Shopify PoS Session to Takeover Communications
Hi @iv-rodriguez, After a decent amount more digging and research, I must disagree with you on the "expecting to work offline" portion. The code actually specifically listens on all local interfaces 0.0.0.0 and the wifi network address is specifically used in the QR code connection string, as sho...
Concrete CMS: Remote Code Execution (Reverse Shell) - File Manager
Remote Code Execution Reverse Shell - File Manager • Title: concrete5-8.5.2 Remote Code Execution - Reverse Shell • Keyword: crayons • Software : concrete5 • Product Version: 8.5.2 • Vulnerability : Remote Code Execution - Reverse Shell • Vulnerable component: File Manager The attacker needs the...
Marktplaats: Multiple Apache 2.2.22 Vulnerabilities (XSS/ Code Exec/ DoS)
Hello, Your current version of apache 2.2.22 for http://aanbieding.marktplaats.com is vulnerable to many issues like DoS, XSS and Code Exec 1. DoS Refer: http://www.cvedetails.com/cve/CVE-2014-0231/ http://www.cvedetails.com/cve/CVE-2014-0098/ http://www.cvedetails.com/cve/CVE-2013-6438/...
Chaturbate: Leaking Username and Password in the URLs via Virustotal, can lead to account takeover
Hi Dear @chaturbate team Vulnerability Type Critical Information Leakage in URLs via Virustotal. Vulnerability Severity High. Description During my regular testing, I went to https://www.virustotal.com/%2Fdomain%2Fchaturbate.com After reviewing all URLs more and more, I got 2 Interesting and Critic...
Sifchain: ETHEREUM_PRIVATE_KEY leaked
Summary: I found below private key for ethereum wallet leaked via public code in github repository ETHEREUM_PRIVATE_KEY="c87509a1c067bbde78beb793e6fa76530b6382a4c0241e5e4a9ec0a0f44dc0d3" Steps To Reproduce: You can find private key via below link :...
Chaturbate: Update Chat Allowed By Option ( without age verification )
Summary Hi Team, I am here again with one interesting issue. This issue deals with the fact that according to the policies of chaturbate, a broadcaster cannot modify the option - Chat Allowed By - until and unless he/she has verified his/her age default choice is set to all. This thing could be...
Chaturbate: [chatws25.stream.highwebmedia.com] - Reflected XSS in c parameter
Hi Team, Found that chatws25.stream.highwebmedia.com is vulnerable to reflected XSS in c parameter, we can verify it with following URL, it is also a Cloudflare filter bypass: https://chatws25.stream.highwebmedia.com/ws/007/tgpraolp/htmlfile?c=███...
ok.ru: Critical: Access to group videos where videos are restricted for all users (Broken authentication)
Private group videos could be accessed via direct link due to lack of access control checks on mobile site version: http://m.ok.ru/dk?st.cmd=altGroupMovieComments&st.ord=off&st.groupId=53605096554748&st.sbj=31115578108...
Starbucks: [newscdn.starbucks.com] CRLF Injection, XSS
PoC FireFox http://newscdn.starbucks.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a%0d%0a0%0d%0a/%2e%2e After sending the request through FireFox this query is saved in cache and using a small trick can be made to work it in another browser. PoC Chrome Make sure you send...
Shopify: XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com
Hello team, I found unrestricted file upload via avatar in https://accounts.shopify.com/accounts/, and XSS Stored in PNG IDAT chunks using exiftool , exiftool command exiftool -Comment=""alertprompt'XSS BY ZEROX4'" xsscommentexifmetadatadoublequote.png Payload example : �PNG �...
Pornhub: XSS on pornhubselect.com
The researcher discovered a reflected XSS in the search route of pornhubselect.com domain...
Vimeo: Watch any Password Video without password
Hello Jeremy and Vimeo Security Team, There is a vulnerability in Vimeo which allows any user to watch password video without the password. A user can like a passworded video without password, then the user can watch the video on Couchmode without the password. POC link :...
GitHub Security Lab: [Java] CWE-094: Rhino code injection
This bug was reported directly to GitHub Security Lab...
Chaturbate: Stored XSS on chaturbate.com (wish list)
Hi, I found a stored XSS on chaturbate.com Description The input wishlist in the bio of a user allows him/her to enter CSS properties; however, some browsers like Opera or Internet Explorer are vulnerable to XSS through the attribute style. request http POST /accounts/editbio/ HTTP/1.1 Host:...
Chaturbate: Users may still be able to view chat room panel of password protected rooms
The hacker found that the chat room panel could be accessed without the user having the room password. This was resolved. An attacker may be able to view a password protected chat room panel by requesting the api endpoint for room panel. It discloses information depending on what app they use...
Hanno's projects: Open redirect in Serendipity (exit.php)
Summary Serendipity contains a script named exit.php that can be directly accessed. When crafting an hyperlink pointing to this page with the parameter url containing a base64-encoded URL, it will redirect the user to this URL. Description The file exit.php contains the following code: php ?php /...
Shopify: Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020)
Hi, Description I have found a way to bypass the password page of a shopify preview URL for new development stores created as of August 17, 2020. Currently, with older development stores, when we share a preview url with someone, we are able to see the content of the store without having to enter ...
Pornhub: Disclosure of private photos/albums - http://www.pornhub.com/album/show_image_box
An endpoint was identified by the researcher allowing private user albums/photos to be viewed. An endpoint allowing to view any private albums/photos was identified. Check out the infrastructure monitoring platform BugLabs.me for bounty hunters - https://buglabs.me...
U.S. Dept Of Defense: Remote Code Execution via CVE-2019-18935
Summary: The website at https://█████████/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system. Step-by-step Reproduction Instructions 1...
Snapchat: Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue"
Hello Again, I found 2 issues in accounts.snapchat.com/accounts/downloadmydata - The first one : Bypassing The maximum number of Data Requests per day and download the Account Data any time the Attacker wants. - The Second : Download The Account Data without any Email verification. Requiremen...
Pornhub: Stored XSS in galleries - https://www.redtube.com/gallery/[id] path
Researcher successfully closed the image 'alt' attribute and injected javascript by intercepting the album creation request and submitting an XSS payload as the album title. This led to stored cross-site scripting on the user's album page, executed against any users who visited the album. Stored...
Tor: Crashes/Buffer at 0x2C0086,name=PBrowser::Msg_Destroy
Hi Team, Steps to Reproduce: 1. Open Tor 2. Navigate to string.html Where string.html : function tor var uristring = unescape"%u4141%u4141"; fori=0; i 3. 'Gah! This tab has crashed. However, running it to debug mode generates the below exception : !!! ParentMessageChannel Error:...
Pornhub: Stored XSS on the https://www.redtube.com/users/[profile]/collections
Researcher successfully closed the image 'alt' attribute and injected javascript by submitting an XSS payload as the collection title. This led to stored cross-site scripting on the user's collections page, executed against any users who visited the user's collections. The user's favorites page w...
h1-ctf: Hacky Holidays CTF Writeup
Intro: 12 days of challenges - some more challenging than others! This holiday CTF had all 12 challenges hosted on the website https://hackyholidays.h1ctf.com/ F1129112 Challenge 1: I started by significantly overthinking all of the early challenges in this competition. When this CTF started the...
Sifchain: xmlrpc.php and /wp-json/wp/v2/users file is enabled; it will be used for brute-force attack and denial of service
Hi Team: I am Abbas Heybati; Summary: After reviewing the given scope, I realized that the main domain "http://sifchain.finance" has several vulnerabilities that I will report to you as a scenario. I realize that I have reported to you outside of Scope. The report is related to the mentioned...
GSA Bounty: Wordpress Users Disclosure (/wp-json/wp/v2/users/) on data.gov
Summary: Hello TTS Bug bounty team! I have found data.gov User/admin usernames disclosed. Using REST API, we can see all the WordPress users/author with some of their information. Steps To Reproduce: You can find the information disclosure by going to data.gov/wp-json/wp/v2/users/ Supporting Vide...
XVIDEOS: Host Header Injection Attack - www.xnxx.com
Host Header Injection Attack - www.xnxx.com An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on the same IP address. This is where the Host Header comes in. This header specifi...
HackerOne: SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter
The embedded_submission_form_uuid parameter in the /graphql endpoint is vulnerable to a SQL injection. Execute the following command to reproduce the behavior: Locally: curl -X POST http://localhost:8080/graphql?embedded_submission_form_uuid=1%27%3BSELECT%201%3BSELECT%20pg_sleep\30%3B--%27...
Chaturbate: DoS attacks utilizing camo.stream.highwebmedia.com
DoS attacks utilizing camo.stream.highwebmedia.com Summary The asset proxy at camo.stream.highwebmedia.com used to embed external images linked by users fails to enforce: 1. a timeout on slow responses (if a little data is sent every 10 seconds, a kind of "reverse-slowloris" attack); 2. a size limit o...
Pornhub: (Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overwrite Existing APK / Android BackOffice Access
The researcher discovered weak credentials protecting an Android APK admin page...
U.S. Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI
Hello, I found an outdated version of Telerik Web UI v2016.2.607.40 at the following URL: https://███/Telerik.Web.UI.WebResource.axd?type=rau. This means that we can achieve full RCE by chaining two different CVEs: CVE-2017-11317, which allows us to upload arbitrary files on the server, and...
X (Formerly Twitter): Unauthorized Access to Protected Tweets via niche.co API
Hello, Summary: Normally, if a victim user sets their tweets to private / protected in the Tweet privacy setting, other people/users will not be able to see their recent or past statuses/tweets when they visit the victim's profile. People can only see the victim's profile images and information about how...
WakaTime: User Email Disclosure via ID-Based Invitation
The issue occurs when inviting a user by their WakaTime ID. If a user has set their email to private, their email address was disclosed when they were invited using their ID. This contradicted the privacy settings and led to unintended email exposure...
curl: ("possible") UAF
Title: Potential Use-After-Free Vulnerability in cf_h2_proxy_ctx_free Function of libcurl Vulnerability Overview: A potential Use-After-Free (UAF) vulnerability has been identified in the cf_h2_proxy_ctx_free function of the libcurl library. This issue occurs when the cf_h2_proxy_ctx object is freed and then...
Hemi VDP: Linkedin Broken Link Hijacking on https://hemi.xyz/about
The LinkedIn account link for a team member on the https://hemi.xyz/about page pointed to a non-existent LinkedIn account...
XVIDEOS: Unauthenticated API Access Exposing Premium Content and Financial Data
Security Report: Unauthenticated API Access Exposing Premium Content and Financial Data Issue Summary A critical security flaw has been identified on xvideos.red, allowing unrestricted access to premium channels and videos without requiring a paid membership. Normally, these resources should be...
PortSwigger Web Security: Burp Suite extensions can execute arbitrary code
Dear PortSwigger Security Team, I hope you’re doing well. I’m reaching out to share a security concern regarding Burp Suite’s extension framework that could allow an attacker to compromise a machine by executing untrusted code. While Burp Suite offers powerful extensibility, this flexibility can...
XVIDEOS: Error Page Content Spoofing or Text Injection
F4027663 Title: Error Page Content Spoofing or Text Injection URL: https://www.xvcams.com/assets/!!!ATENTION!%20This%20server%20is%20on%20Maintenance%20please%20go%20to%20WWW.EVIL.COM ---...
XVIDEOS: Error Page Content Spoofing or Text Injection
The content spoofing vulnerability on multi.xnxx.com allowed arbitrary text to be injected into error pages. The injected content was reflected back to users under the trusted domain, which could have been exploited for social engineering attacks...
Vimeo: All Vimeo Private videos disclosure via Authorization Bypass
Hello, There is a vulnerability in https://vimeo.com/VIDEOID?action=share that makes all Vimeo private videos available to anybody. POC link : http://opnsec.com/vimeo/vl/videoLeak.php?video=VIDEOID POC requirements : - No need to be logged in Vimeo - Because of sensitivity of this, I put a passwo...
curl: Use after free (read) in curl_multi_perform with DoH and Proxy options, and resolve timeouts
Summary: summary of the vulnerability There is a use after free in curl_multi_perform when DoH resolver timeouts and CURLOPT_PROXY is used, see reproducer and stack trace. I found it via fuzzing with https://github.com/catenacyber/curl-fuzzer/tree/proxy after fixing a small memory leak in curl Another...
XVIDEOS: API Data Leakage Vulnerability Report - `xvcams.com`
HackerOne API Data Leakage Vulnerability Report - xvcams.com --- Summary: A sensitive data exposure vulnerability was discovered in the API endpoints of xvcams.com. These API responses leak personally identifiable information PII of models, including birthdates, locations, eye color, phone...
Autodesk: Wordpress users Disclosure
We can see all the WordPress users/authors with some of their information, which can even be personal information of employees/authors. The file author-sitemap.xml at: https://www.payapps.com/author-sitemap.xml is enabled and this gives the attacker many user names and emails like: F4036174 Impact...
Slack: TLS1/SSLv3 Renegotiation Vulnerability
URL: http://www.slack.com Vulnerability description A flaw in the design of the TLS v. 1/SSL v. 3 TLS/SSL handshake process was discovered in 2009, and RFC 5746 Feb. 2010 was released to update the protocol specification. Since then, most system manufacturers have released patches to fix this fla...
Shopify: SSRF via 'Add Image from URL' feature
Hi Security team, It is possible to add image from URL for products. To do this the following request is used: POST /admin/products/922460995/images HTTP/1.1 Host: test-4925.myshopify.com User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64; rv:38.0 Gecko/20100101 Firefox/38.0 Accept: text/html,...
AWS VDP: Sensitive API Key Leakage
Vulnerability: AWS Sensitive Keys Leakage Details : the AWS Access Key & Secret Key is leaked in a Public GitHub Repository located at : Repository located at : █████████ Steps To Reproduce: Go to : ██████ In the middle of this file you can see the Keys Please see the attached screenshot also...
Greenhouse.io: SSH port on store.greenhouse.io is vulnerable to brute force attacks
Open SSH port found on third party vendor...