RelateIQ: Captcha Bypass With Extension
Hello, these days CAPTCHAs are one of the most vulnerable methods to protect a website from bots, but there is an extension named Rumola which automatically fills in the CAPTCHA while we fill in other credentials like email etc. Here a vulnerability arises: bots may use this extension script i...
Yahoo!: Flickr: Invitations disclosure (resend feature)
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
curl: TLS verifyhost bypass in rustls, mbedTLS, and wolfSSL when verifypeer=0
The now-well-known CURLOPT_SSL_VERIFYHOST-bypass-when-CURLOPT_SSL_VERIFYPEER=0 defect exists in three of curl's TLS backends: rustls (EXPERIMENTAL), mbedTLS, and wolfSSL (DNS hostnames only). The documented contract at docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.md:57-59: The check that the host name in the...
Rocket.Chat: Unauthenticated reading of every file via livechat auth and predicting MongoDB ObjectId()
Vulnerability description not provided...
curl: libcurl: Improper Authentication State Management on Cross-Protocol Redirects
Following the recent advisory for CVE-2025-14524, I conducted an investigation into how libcurl manages OAuth2 credentials during complex redirect chains. I have confirmed that while the library successfully protects traditional user credentials, it fails to clear OAuth2 Bearer tokens in the same...
AWS VDP: Amazon Kendra Intelligent Ranking Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints
The AWS Kendra Intelligent Ranking service was found to incorrectly report the user-agent and network information as "AWS Internal" for four API endpoints that are FIPS endpoints. This issue can lead to the obscuring of request information that may be used to track down an adversary...
Internet Bug Bounty: [CVE-2024-47888] Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888. Carefully crafted text was found to cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly...
Liberapay: Unsafe yaml load can lead to remote code execution
The YAML load function can lead to remote code execution vulnerability. The vulnerability allows the construction of arbitrary Python objects from untrusted YAML data, which can be exploited by an attacker...
U.S. Dept Of Defense: Reflected Cross-site Scripting via search query on ██████
The summary is as follows: A reflected cross-site scripting vulnerability was discovered in the search query functionality of the ████████ website. An attacker could execute arbitrary JavaScript code in the victim's browser by injecting malicious payload into the search query parameter...
Publitas: Unauthorized Access to Offline Publication Cover Pages via SOURCE_DOCUMENT_ID
A vulnerability was discovered that allowed unauthorized access to offline publication cover pages by sending requests with specific source document IDs. This exposed cover pages and associated user and publication IDs that were intended to be private...
Enjin: Weak Email Verification: Newly Registered Users Can Bypass Email Verification Step and Log In
Newly registered users were able to bypass email verification and log in. This vulnerability has since been addressed...
PortSwigger Web Security: CSP bypass on PortSwigger.net using Google script resources
A cross-site scripting vulnerability was discovered on PortSwigger.net. The site's content security policy allowed resources from Google's reCAPTCHA domain, which contains AngularJS. This could be abused to bypass the CSP and load arbitrary scripts from other domains. The issue allowed an attacke...
U.S. Dept Of Defense: User automatically logged in as Sys Admin user on https://███/Administration/Administration.aspx
A vulnerability was discovered where any user could be automatically logged in as a system administrator on a web application. This allowed unrestricted access and privileges could be abused to modify user privileges, add or delete users, and upload files, jeopardizing the integrity of the...
Mozilla: Subdomain takeover on one of the subdomains under mozgcp.net
A subdomain takeover was reported on a subdomain under mozgcp.net due to a dangling DNS record that had been registered by researchers, allowing them to host content under the subdomain...
HackerOne: Able to see Bonus amount given to a report even if the bounty and Bonus is not visible to public or mentioned in {Report-Id}.json
A vulnerability allowed users to see the bonus amount given to a report, even if the bounty and bonus were not visible to the public or mentioned in the report's JSON file. This resulted in the exposure of confidential information...
Internet Bug Bounty: Unsanitized input passed to a regex function leads to ReDoS that makes the request hang
An authenticated user could exploit a vulnerability in Apache Airflow versions prior to 2.6.3 by providing crafted input, causing the current request to hang...
Automattic: Authentication bypass in JetPack SSO manager - Allows access to the WordPress administration panel without user interaction
A vulnerability was found in the JetPack SSO manager plugin that allowed authentication bypass on WordPress sites using the plugin. By exploiting the plugin's account invitation and email verification features, an attacker could gain administrative access to WordPress sites with a user account...
HackerOne: RXSS at image.hackerone.live via the `url` parameter
Vulnerability description not provided...
Reddit: RichText parser vulnerability in scheduled posts allows XSS
Hyperlinks were not being filtered on the server-side in Reddit's scheduled post feature, allowing an attacker to modify a request with a normal hyperlink that embeds a malicious link using a javascript scheme. This could result in an XSS attack if an admin clicked on the malicious link while...
Brave Software: S3 Bucket Takeover "brave-browser-rpm-staging-release-test"
An unclaimed S3 bucket was found on the domain hosting services of brave.com, which could have been taken over by an attacker to spread malware using the keyrings of the brave browser. The bucket was used to get keyrings of the browser in Linux distros, and it was pointing towards an unclaimed S3...
Yelp: Direct access to tox.ini file which contains configuration details
The tox.ini file, which contained configuration details, was publicly accessible...
Yelp: Subdomain Takeover on delivery.yelp.com
Summary: Subdomain takeover vulnerabilities occur when a subdomain (delivery.yelp.com) is pointing to a service. Vulnerable URL: delivery.yelp.com. This is a verify link. F1959331 Platforms Affected: website. Steps To Reproduce: 1. Create the Amazon S3 bucket with this name: delivery.yelp.com F1959320...
GitHub: Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api
An incorrect authorization vulnerability was found in GitHub Enterprise Server that allowed GitHub Apps to gain access to and modify most organization-level resources that are not tied to a repository, regardless of granted permissions. This vulnerability affected all versions of GitHub Enterpris...
Reddit: Misconfigured login page able to lock login action for any account without user interaction
Summary While observing a few things about the login feature, I found that the account was locked after a certain number of requests. Although this feature is actually added to prevent problems such as rate limit, it is open to account lock attacks by attackers. PoC 1. Save this code as exploit.p...
Rocket.Chat: Regex account takeover
Summary: get admin reset token with authenticated user. Description: a normal user login can access the admin reset token and set a new password for the admin user. Releases Affected: 3.18.5 3.0.5 Steps To Reproduce from initial installation to vulnerability: Add details for how we can reproduce the issue...
GitHub Security Lab: [Java]: Flow sources and steps for JMS and RabbitMQ
This bug was reported directly to GitHub Security Lab...
TikTok: Disclosure of the live_analytics information of any livestream
A possible disclosure of the live_analytics information for any livestream was found by accessing the roomid parameter via devtools. We thank @datph4m for reporting this to our team...
GitHub Security Lab: [Java]: CWE-200 - Query to detect insecure WebResourceResponse implementation
This bug was reported directly to GitHub Security Lab...
Evernote: Reflected XSS in the shared note view on https://evernote.com
Summary: There is a reflected XSS vulnerability on https://evernote.com, in the shared web note view, triggered through the view and ionUrl parameters of the /shard/sSHARDNUMBER/client/snv endpoint. Description: When a user creates a note and shares it, it is stored in the following endpoint, bei...
Shopify: Reflected XSS online-store-git.shopifycloud.com
Summary: Hello, I hope you are having a good day! There is a feature called "Shopify GitHub Integration"; it helps to associate a GitHub account with a Shopify store. In the GitHub connection process there is a URL, https://online-store-git.shopifycloud.com, which is vulnerable to reflected XSS...
Nextcloud: When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL
Summary: This report is similar to 1337178. In Nextcloud Deck a user can post their decks into a conversation via Nextcloud Talk. The link in metaData can be manipulated to point to another URL. Steps To Reproduce: 0. Set up Burp Suite to proxy 1. Go to Nextcloud Deck and pick a board 2. Pick any...
Nextcloud: Attacker can obtain write access to any federated share/public link
Hi mates, I stumbled across this with public links, but the same holds true for any federated share. I will try to describe the link scenario. At first I thought there were more steps and resharing was involved, but it really is very simple: 1. An attacker obtains a public link; again, plenty of...
Mail.ru: [tanks.mail.ru] SSRF + cookie theft
Introduction: On this fine evening we decided to start on the vBulletin forum engine, since it runs on 7 sites that belong to Ext.B, and you raised the rewards there almost threefold, which sounds tasty. My eye fell on forumrunner, since it had an SQL injection CVE from 2016. In about an hour an SSRF was discovered, and not a simple...
HackerOne: New link opening method makes hackerone vulnerable to tabnabbing
Summary: Hackerone recently changed how it opens the external links and this new way is vulnerable to tabnabbing. Description: Please see the POC. Steps To Reproduce 1. Click here: https://awasthi7.github.io/ 2. Click on proceed when warning appears. 3. The site will open in new tab and hackerone...
Moneybird: No rate limit
Mailing to our support team using the support center in the application was improperly rate limited. There is now a better rate limiter in place...
Nextcloud: Leak arbitrary file under nextcloud android client privacy directory
Steps to reproduce: 1. Install and log in to the Nextcloud Android client 2. Create a directory and set it 'shareable' 3. Install the PoC app "setresultcontactphotocrop". Key code: EvilActivity public class EvilActivity extends AppCompatActivity final static String PRIVATEURI =...
HackerOne: Bypassing the External Link Warning
Summary: As the HackerOne team is aware, the URL https://hackerone.com/users/saml/[email protected] can redirect users to external pages. Because of this, there is a protection in the links created by Markdown to show the user a warning when clicking in any link started with...
BlockFi: credentials found in config file on github
Summary: Hi, credentials belonging to blockfi.com were found exposed on GitHub; these credentials can lead to attackers gaining access to the network, stealing information and destroying servers. Steps To Reproduce:...
Mail.ru: Stored xss in calendar via call link
Call link URI schema in calendar.mail.ru web application was filtered improperly, allowing malicious javascript: links...
TikTok: Lack of rate limitation on careers site allows the attacker to brute force the verification code
An attacker could have potentially attempted to brute force the verification code needed to reset a candidate's password by leveraging a lack of rate limiting on the TikTok careers portal. We thank @iambouali for reporting this to our team and confirming the resolution...
Stripo Inc: No rate limit in email subscription
I managed to bypass the following report 1029723 please follow the steps below: Description: No rate limit in Email Subscription, you just have to add a fixed throttle in Burp Suite to avoid the 429 response. Note: I will use tempmail in the screenshots PoC Steps: 1. Go to https://stripo.email/ a...
Automattic: Stored XSS in Intense Debate comment system
Hi Team, Summary: The Intense Debate comment system is vulnerable to stored XSS by users; this would allow attacking admins/users on the blog. Platforms Affected: Intense Debate comment system. Steps To Reproduce: 1. Go to intensedebate.com/moderate/-ID- 2. Go to comments, allow images in...
Mail.ru: Stored XSS through fileupload
Stored XSS in view uploaded file functionality on static.donationalerts.ru...
U.S. Dept Of Defense: hardcoded password stored in javascript of https://████.mil
Summary: I have discovered a cleartext password stored within a JavaScript file. This password allows me to authenticate to https://█████.mil. Description: I have discovered a cleartext password stored within a JavaScript file. This password allows me to authenticate to https://███████.mil. To confirm...
Zomato: Improper Validation at Partners Login
Timeline:
| Timeline | Action |
|---|---|
| Thu, 24 Sep 2020, 12:10 IST | Researcher submitted the report on H1 with initial severity as High. |
| Thu, 24 Sep 2020, 12:32 IST | First response - we asked for clarification via demonstration on attack scenarios. Parallelly, we began our own... |
Shopify: Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner
I was playing a bit with the Point Of Sale application and it came to my attention that it is possible to navigate from the Point Of Sale Application up to the Plan & Permission in the admin. I am not sure if this is intentional, but since it leads to potentially take over a shop, I'm reporting i...
h1-ctf: [H1-2006 2020] I made the CEO's bounty payment!
^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ I will write the details in comment. Impact I have headache now...
Mail.ru: MySQL username and password leaked on [2017.russianaicup.ru]
A configuration file available via the web interface could disclose potentially sensitive information...
Concrete CMS: Stored XSS in the file search filter
1. Download Concrete5 8.5.2 and install it 2. Log into your Concrete5 instance as admin 3. Go to Dashboard Files Search 4. In the file search bar, click Advanced 5. In the window that appears, enter a phrase and click the save button, paste the following payload: and click the save button 6. In the...
X (Formerly Twitter): No rate limiting on brute-forcing user passwords
The login function at http://www.twitter.com has a problem: it only limits the number of failed login attempts for a single user, and does not limit trying a fixed password against different users, or credential stuffing. Please follow the video, otherwise this issue cannot be reproduced. Impact: No rate limiting on brute-forcing user passwords...