Algolia: Hyperlink Injection in Friend Invitation Emails
Description A user can change their last name to a URL in order to send email invitations containing malicious hyperlinks. Steps to Reproduce 1. Create a new Algolia account with the last name http://example.com. 2. Navigate to My Account Referral 3. Send an invitation to an email address that y...
U.S. Dept Of Defense: ███████ - XSS - CVE-2020-3580
████ appears to be affected by the Cisco ASA XSS CVE-2020-3580. This vulnerability targets the SAML service within the VPN. It is triggered via a POST request to /+CSCOE+/saml/sp/acs?tgname=a References...
HackerOne: Cross-site Scripting (XSS) on HackerOne careers page
Dear HackerOne team, Summary: I found DOM XSS at endpoint https://www.hackerone.com/careers, but can not bypass CSP. It works on IE and Edge. Steps To Reproduce - JS file is "Masonry js file", vulnerability code: javascript //Checking for potential Lever source or origin parameters var pageUrl =...
Shopify: StoreFront API allows for a brute force attack on customer login by not timing out ALL attempts
It seems that the service used for login purposes could be brute forced. The system fails when the password is incorrect; after some unsuccessful attempts the following message is shown: "data":"customerAccessTokenCreate":null,"errors":"message":"Login attempt limit exceeded. Please try again...
Internet Bug Bounty: mod_http2, read-after-free in h2 connection shutdown (CVE-2019-10082)
Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. This is made possible by a race condition in which nghttp2 maintains a reference to a stream after mod_http2 has destroyed it. This vulnerability has been fixed in...
Mail.ru: Insecure Storage and Overly Permissive Google Maps API Key in Android App
Google API keys used in Cloud Mail.Ru for Android application were not properly limited in functionality...
IRCCloud: IDOR with Geolocation data not stripped from images
Vulnerable URL :- https://usercontent.irccloud-cdn.com/file/0wXMTrPu/hgjbk Vulnerability Description: When an image is taken using a smartphone or camera, certain metadata fields are often attached to it. These fields could include the model of the camera, the time it was taken, whether the flash...
X (Formerly Twitter): Reset password without knowing current password
Description Hi team, I found an interesting flaw in your password recovery mechanism that gives the ability to reset a password without a valid token and without knowing the current password. I'm going to explain it here: In https://www.twitterflightschool.com/ domain if you try to reset your password from...
ownCloud: Webview Vulnerability [OwnCloudAndroid Application]
Hi OwnCloud Team, Vulnerability Description: What is Webview?: We can load a remote URL or display HTML pages stored in our application within an activity using WebView. Internally it uses the WebKit rendering engine to display web pages. It supports methods to navigate forward and backward, text...
Acronis: CVE-2020-6287 https://redapi2.acronis.com
Hi team. Summary CVE-2020-6287 https://redapi2.acronis.com https://nvd.nist.gov/vuln/detail/CVE-2020-6287 SAP NetWeaver AS JAVA LM Configuration Wizard, versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute...
Nextcloud: Bookmarks: Delete all existing bookmarks of a user
A logical bug in the bookmark app makes it possible to delete all the existing bookmarks of the user. Here are the steps to reproduce: - Create a couple of valid bookmarks - Import a bookmark.html file that contains the line Bookmark. All the bookmarks of the user are replaced with blank url and...
Nextcloud: The session token in the URL
Hello team, I found that the URL transports the session token, and it's sensitive information, so placing session tokens into the URL increases the risk that they will be captured by an attacker. fix Applications should use an alternative mechanism for transmitting session tokens, such as HTTP...
Sifchain: RSA PRIVATE KEY disclosure
hi, https://github.com/Sifchain/sifnode/blob/4fb7523322f74e70600a10fff4dbdd42425c077f/ui/.vagrant/machines/default/virtualbox/privatekey disclosing RSA PRIVATE KEY. Impact might give access to sensitive data protected with this key...
New Relic: A Log in page does not properly validate the authenticity token at the server side
Description: POST /login?returnto=%2Foauthprovider%2Fauthorize%3Fresponsetype%3Dcode%26clientid%3D%252BvB2dkv4yOb37C00ACk%252B6A%253D%253D%26redirecturi%3Dhttps%253A%252F%252Frpm.newrelic.com%252Fauth%252Fnewrelic%252Fcallback%26state%3D2ea541fcd18aa27925ad8977848536106cbaf1bbb4611f90 HTTP/1.1...
Basecamp: Error Page Content Spoofing or Text Injection
Target: https://gopher.hey.com/ Description: Content spoofing, also referred to as content injection, "arbitrary text injection" or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle...
U.S. Dept Of Defense: xmlrpc.php FILE IS enable which enables attacker to XSPA Brute-force and even Denial of Service(DOS), in https://████/xmlrpc.php
Summary: Hello team, I have found a security vulnerability in https://███████/xmlrpc.php which lets an attacker do: 1: XSPA or PortScan 2: Bruteforce 3: DOS and much more Description: Impact Step-by-step Reproduction Instructions █████████ 1: Go to https://██████/xmlrpc.php to check if it is enabled o...
U.S. Dept Of Defense: Information disclosure at '████████' --- CVE-2020-14179
Research conducted on ████████ indicates that the Atlassian Jira Server and Data Center instance allows remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint CVE-2020-14179...
Internet Bug Bounty: Read and write beyond bounds in mod_sed
This CVE consists of several bugs in mod_sed, where overflows, truncation, uses after free and a logic error can allow a remote, unauthenticated attacker to read and/or write heap locations beyond bounds. See https://github.com/apache/httpd/commit/943f57b336f264d77e5b780c82ab73daf3d14deb and...
Uber: OneLogin authentication bypass on WordPress sites
First, I'm sorry about reporting another WordPress bug; my intention was just to check if WP-OneLogin stores any sensitive info that could be used to attack OneLogin on your other websites. Overview The .uber.com WordPress sites use OneLogin SAML-SSO instead of the normal WordPress login. The...
Django: Deserialization of potentially malicious data to RCE
Hello, Django Team! It's my first time working with you, hope it will be great! Note: I have not seen this issue in known vulnerabilities or in the documentation, so here I am. Summary Several types of caches in https://github.com/django/django/tree/main/django/core/cache/backends use python...
Uber: password reset token leaking allowed for ATO of an Uber account
With an email address for a valid Uber account, it was possible to take over that account because the reset token was exposed in the response of a password reset HTTP request. This meant an attacker could initiate password reset for an account and immediately receive the reset token for that...
arxius: Disclosure of phpmyadmin
User doesn’t know how to pentest and just reports open ports and phpmyadmin then requests public disclosure. Whatever makes him happy. %00...
U.S. Dept Of Defense: Elmah.axd is publicly accessible and leaking Error Log for ROOT on █████_PRD_WEB1 █████████elmah.axd
Description: Hello, Security team, hope you are doing well. I found out that elmah.axd is publicly accessible on ████████ and is leaking an error log that contains cookies and server code etc. Step-by-step Reproduction Instructions 1. Go to ██████elmah.axd and you will see the error logs. 2. Same...
Chaturbate: CSRF on change video thumbnail at https://chaturbate.com
Hi, I noticed the change video thumbnail option has a workflow with a GET request and there is a lack of a CSRF token on the change video thumbnail option, so if an attacker is somehow able to obtain the thumbnailid of the victim's video then it can help the attacker induce the victim to change the video thumbnail...
curl: CVE-2022-32207: Unpreserved file permissions
Summary: Curl fails to preserve file permissions when writing: - CURLOPT_COOKIEJAR database - CURLOPT_ALTSVC database - CURLOPT_HSTS database Instead the permissions are always reset to 0666 & umask if the file is updated. As a result a file that was before protected against read access by other users...
HackerOne: PII data Leakage through hackerone reports
Summary: I found PII data leakage through the HackerOne report. I found a link in one of the disclosed reports that allowed me to get the address and phone numbers of security researchers. Here I got the address and phone number of ████ ███ Vulnerability Name: PII data Leakage through Steps to...
pixiv: Bypass extension check leads to stored XSS at https://s2.booth.pm
In this report, a hacker identified a stored XSS in the header image upload function at https://manage.booth.pm/design/edit using Content-Type header manipulation. Upon file upload, the server failed to properly validate the provided Content-Type, accepting unintended values such as Content-Type:...
Internet Bug Bounty: Windows builds with insecure path defaults (CVE-2019-1552)
Advisory: https://www.openssl.org/news/secadv/20190730.txt Severity: Low OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable...
Glovo: Django debug enabled showing information about system, database, configuration files
Summary: Hi team, This subdomain pulpo.it.glovoint.com is a Django application running with debug mode turned on DEBUG = True . One of the main features of debug mode is the display of detailed error pages to help developers. If your app raises an exception when DEBUG is True, Django will display...
Pornhub: [ssrf] libav vulnerable during conversion of uploaded videos
Researcher was successful in exploiting a vulnerability in the libav ffmpeg encoder in order to execute SSRF attacks...
Internet Bug Bounty: Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli
The Apache Airflow Fab Provider before version 1.5.2 was affected by an insufficient session expiration vulnerability. When a user's password was changed using the admin CLI, the existing user sessions were not cleared, allowing logged-in users to continue accessing the system even after the...
nullsec VDP: Test by HDR
Test by HDR...
Internet Bug Bounty: HTTP multi-header compression denial of service
A vulnerability was discovered in curl versions 7.57.0 to 7.87.0 that allowed a malicious server to insert an unlimited number of compression steps by using many headers, resulting in a "malloc bomb" and a denial of service attack. The vulnerability was fixed in version 7.88.0 by capping the numb...
Sifchain: Email Spoofing on sifchain.finance
Summary: There is an Email Spoofing vulnerability on your domain sifchain.finance which allows an attacker to send an email with your domain name such as [email protected] and so on. Steps To Reproduce: Go to http://emkei.cz Fill "From Email" field to [email protected] or any other...
Nextcloud: The application uses basic authentication.
Basic authentication is enabled on file access requests ==================== Description --------------------- Basic authentication is enabled on the server if we request the direct URL of a file. The issues of using Basic Authentication can be read here - OWASP: Basic Authentication. Though...
Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.50
Hello Apache team, @fms and myself were able to bypass the latest patch for CVE 2021-41773 in the Apache 2.4.50. These are the payloads: 1 %%32%65%%32%65 2 .%%32%65 3 .%%32e 4 .%2%65 PoC Path Traversal GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1...
Visma Public: HTML-injection in PDF-export leads to LFI
The researcher was able to extract contents of files using the pdf-generator in "Yearly Financial Statements". This was done by adding an IFRAME-tag inside the companyname. Once rendered in Yearly Financial Statements, it included the file the IFRAME was pointing to. In this POC it was /etc/passw...
U.S. Dept Of Defense: CRXDE Lite/CRX is on ██████ exposed that leads to PII disclosure
Hi team, I found that AEM is running on ████████ and CRXDE Lite/CRX is exposed to unauthenticated users, which can lead to information disclosure POC ==== 1-visit https://██████//██████████ 2-go to query and search for admin then execute 3-go to this endpoint to retrieve the information...
Node.js third-party modules: [metascraper] Stored XSS in Open Graph meta properties read by metascrapper
Hi Guys, metascrapper is vulnerable to Stored XSS via Open Graph metadata, if they are used in HTML without any sanitization. Module: A library to easily scrape metadata from an article on the web using Open Graph metadata, regular HTML metadata, and a series of fallbacks...
Automattic: Stored XSS vulnerability in comments on *.wordpress.com
Summary: The SyntaxHighlighter plugin used in the comments section of .wordpress.com sites is vulnerable to stored XSS via a crafted payload. Platforms Affected: .wordpress.com SyntaxHighlighter is also an open source plugin which is affected by this vulnerability:...
Concrete CMS: Password Reset link hijacking via Host Header Poisoning
Summary Concrete5 uses the Host header when sending out password reset links. This allows an attacker to insert a malicious host header, leading to password reset link / token leakage. Impact The victim will receive the malicious link in their email, and, when clicked, will leak the user's passwo...
Judge.me : Log4j RCE on https://judge.me/reviews
Summary: CVE-2021-44228, also named Log4Shell or LogJam, is a Remote Code Execution RCE class vulnerability. If attackers manage to exploit it on one of the servers, they gain the ability to execute arbitrary code and potentially take full control of the system. What makes CVE-2021-44228 especial...
AWS VDP: Non-Production API Endpoints for the Neptune Graph Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The non-production API endpoints for the Neptune Graph Service were found to fail logging to CloudTrail, resulting in silent permission enumeration. Specifically, seven non-production endpoints were identified that could be used with standard IAM credentials without generating CloudTrail logs. Th...
Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier...
curl: Port and service scanning on localhost due to improper URL validation.
Summary: Generally web masters and developers protect user-accessible CURL from requesting forbidden domains so that the attacker is not able to access internal resources. It is usually done using regular expressions. Mostly addresses like 127.x.x.x, 192.168.x.x and "integer" notation of IP...
HubSpot: Reflected XSS and Server Side Template Injection in all HubSpot CMSes
Really I don't know why the BugCrowd team closed my submission as N/A F337815. They mentioned that it was Not in Scope ?! So I reported it again in another submission, but this time I messaged the security company directly and it was triaged and fixed in 2 days. Full Poc : I found it in this path /hcms/cta so this...
Sifchain: Wordpress Users Disclosure (/wp-json/wp/v2/users/) on sifchain.finance
Information: Using REST API, we can see all the WordPress users/author with some of their information. Step To Reproduce: You can get user info by entering below url in your browser: https://www.sifchain.finance/wp-json/wp/v2/users/ Results:...
Legal Robot: LUCKY13 (CVE-2013-0169) affects legalrobot.com
Hello security team, The site legalrobot.com is potentially vulnerable to Lucky13. Reference: --------- https://bugzilla.redhat.com/show_bug.cgi?id=907589...
WakaTime: Forgot password link doesn't expire after used, only after some hours
Hi, Hope you guys are doing great. I want to report a couple of issues regarding the forgot password mechanism. 1st ISSUE: One thing I noticed is that when a password reset link is requested and the user changes their password, that reset link should expire immediately, but in your case, the used reset link can be reus...
Ruby on Rails: Explicit, dynamic render path: Dir. Trav + RCE
Possible Information Leak Vulnerability in Action View There is a possible directory traversal and information leak vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2016-0752. Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1,...