15306 matches found
Open-Xchange: Stored-XSS with user interaction on [sandbox.open-xchange.com] via inserted link in mail
Hello, I would like to report about Stored-XSS on sandbox.open-xchange.com via inserted link in mail. Steps to Reproduce ---- 1 Login as first user User A and start creating new mail message 2 Click on a insert link button and paste the following text qwe"-alertdocument.domain-" into Url and Plea...
VK.com: Π‘ΠΌΠΎΡΡΠΈΠΌ ΡΠΎΡΠΎΠ³ΡΠ°ΡΠΈΠΈ ΠΈΠ· ΡΠ°ΡΡΠ½ΡΡ /Π·Π°ΠΊΡΡΡΡΡ Π³ΡΡΠΏΠΏ.
ΠΡΠΎΡΠΌΠΎΡΡ Π·Π°ΠΊΡΡΡΡΡ ΡΠΎΡΠΎΠ³ΡΠ°ΡΠΈΠΉ. ΠΠ΅ΡΡΠΊΠΈ Ρ Π°ΠΊ Π½Π° ΠΏΡΠΎΡΠΌΠΎΡΡ Π»ΡΠ±ΡΡ ΡΠΎΡΠΎΠΊ ΠΈΠ· Π»ΡΠ±ΡΡ Π³ΡΡΠΏ + Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡΡ ΠΈΡ Π»Π°Π΅ΠΊΠ° ΠΈ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ Ρ Π΅ΡΠ° Π΄Π»Ρ Π»ΡΠ±ΠΎΠ³ΠΎ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ...
Ed: Fix for self-DoS in Security-txt Chrome Extension.
@sp1d3rs found a self-DoS vulnerability in the Security-txt Chrome Extension. He was also kind enough to provide a fix wich you can find on GitHub. We merged @sp1d3rs' fix when he submitted a PR. We later decided that it was better to stop using XHR and use Fetch instead, a newer API. This was th...
Brave Software: Homograph Attack Bypass [ Tested on Linux & Windows ]
Summary: at 175286 you has been patched, and i try it work, but i've another way to bypass it. when we add a site to our Homepage with @, it's not validate a url properly, make sure it's display the punycode. Products affected: Brave 0.18.36 Linux & Windows Steps To Reproduce: 1. In browser add...
Legal Robot: Password reset token issue
Summary Can still change password without token Step to Reproduce - Request for password reset link. - Go to email and click on password reset link https://app.legalrobot.com/password-reset/token?v=uWeyFJS0-N9fIk0nG0b0NZ70lkwNNi7RdUZu0KhiaX - Now remove the token and use the link...
GSA Bounty: Email Spoofing - SPF record set to Neutral
Hi, Introduction: There is a email spoofing vulnerability.Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more...
Nextcloud: Password of failed (2FA) login attempt is stored in log
If I try to log in on Webdav with my usual Nextcloud password, it doesn't work due to 2FA. I need an application password. The password of a failed login attempt by any user is stored plain text in the log: ...OCA\\DAV\\Connector\\Sabre\\Auth-validateUserPass'matthes', 'THEPASSWORD'... Even...
Nextcloud: Email Spoofing Vulnerability from nextcloud.
Hi nextcloud, Here is Shaifullah Shaon BlackEyE, An Ethical Hacker. a white hat cyber security researcher from Bangladesh reporting a serious 3'rd ranking in OWASP security vulnerability on your system. There is an Email Spoofing Vulnerability from nextcloud. Steps to reproduce: 1 Go to...
RubyGems: Escape sequence injection in "summary" field
Seems we can include any escape sequence in the "summary" field of gemspec. This allows attackers to inject escape sequences to a victim's terminal emulator. How to attack 1 An attacker creates a gem with summary string that includes malicious escape sequences, and push it to rubygems.org. 2 A...
Nextcloud: information disclose
Hello Team . I Reported a issue - disclosure SERVER Version !! when i interrupt this https://demo.nextcloud.com/ Request , its disclosure The server version Server: Apache/2.4.6 CentOS OpenSSL/1.0.1e-fips As you can See this Pic , or you can Interrupt the url useing Any Proxy tools like Burp Suit...
Nextcloud: https://portal.nextcloud.com/.htaccess file is readable
@mksahilisr reported a disclosure of the .htaccess file on https://portal.nextcloud.com. This has been resolved by adding the following to the Apache server configuration: order allow,deny deny from all Since the .htaccess file contained some potential sensitive data this report has only been...
Mail.ru: Reflected XSS on frag.mail.ru
Domain, site, application The "frag.mail.ru" is affected by a reflected XSS vulnerability on the "/user/register/" handler. Testing environment The exploitation of the issue has been tested on the latest version at the time of writing of Firefox: 52.0.1 both 32 and 64 bit on Sierra and Windows 7...
Open-Xchange: RTLO character in file names
DESCRIPTION ------- Hello, I have noticed that you allow the RTLO Right-To-Left-Override character is not filtered from the names of the files saved to drive, or in the attachement names, thus allowing 2 things : 1. Someone sends a malicious file html or exe or something esle via email that...
LocalTapiola: SQL Injection on /webApp/lapsuudenturva (viestinta.lahitapiola.fi)
Issue The reporter found a blind SQL Injection attack in an application in viestinta.lahitapiola.fi. Fix The issue was investigated and found to be valid. The fix was to remove the application as it was not needed. Reasoning The reported case was valid and within the scope of the bug bounty...
Discourse: XSS in topics because of bandcamp preview engine vulnerability
Load http://try.discourse.org 2. Click "New topic" 3. Enter this payload https://89.223.28.48/bandcamp.com/album/index.html?XSSa2 to field with placeholder "Type title or paste a link here" 4. Wait for the preview engine to parse the link 4. XSS will fire F151439 You should sanitize external...
WordPress: Wordpress 4.7 - CSRF -> HTTP SSRF any private ip:port and basic-auth
Description This report is a variant on report 110801 but with broader vector. 110801 was a XSRF SSRF that allowd unintended GET requests to 0.0.0.0 on port 80, 443 and 8080. This vulnerability uses same entry vector of the press this scrape function but entirely bypasses the ip and port filter...
PortSwigger Web Security: XSS in IE11 on portswigger.net via Flash
Hello Portswigger Security Team, There is a reflective XSS vulnerability in portswigger.net. The flash file https://portswigger.net/burp/tutorials/video-js/video-js.swf is from an old video.js library version 3.2.0 which is vulnerable to XSS. This XSS will be blocked by CSP instruction object-src...
Coinbase: Application error message
poc url:https://developers.coinbase.com/api/%e3h This page contains an error/warning message that may disclose sensitive information.The message can also contain the location of the file that produced the unhandled exception.This may be a false positive if the error message is found in...
Internet Bug Bounty: Adobe Flash Player ShimContentResolver(resolverType=0) class Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimContentResolver.resolve. ------------------------------------------------------------------ II. Description Normally, resolve should validate its parameter with...
Vimeo: CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public
Hello Vimeo Security Team. There is a CSRF vulnerability on Vimeo.com. With this vulnerability, an attacker can make all the victim's vimeo videos go public just by having the victim open a link to the attacker webpage. He can also get the victim's vimeo name, user id, user account type and perfo...
Zendesk: XSS In /zuora/ functionality
Hello there, I wanted to report a XSS vulnerability in the /zuora/ functionality on the zendesk application. Affected URL: -...
withinsecurity: Content Spoofing OR Text Injection in https://withinsecurity.com
Hi, I just found Content Spoofing OR Text-based injection vulnerability in https://withinsecurity.com site that would like to get fixed, Below are the POC and steps to reproduced an issue. 1 Go to https://withinsecurity.com this site 2 Then just changed above url like this...
Ruby on Rails: Validation bypass for Active Record and Active Model
Possible Input Validation Circumvention in Active Model There is a possible input validation circumvention vulnerability in Active Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753. Versions Affected: 4.1.0 and newer Not affected: 4.0.13 and older Fixed Versions:...
HackerOne: Know whether private program for company exist or not
HI, There are some company which are hosting private BB on HackerOne which are not visible unless they invite you. However, you can check if any company is hosting private BB on HackerOne or not if you can guess the username they use. Generally most company chooses the same name as their company...
Whisper: SMS Invite Form Abuse
whisper.sh fails to protect the invite form from abuse from attackers. If a malicious individual wants to abuse this functionality, they could send repeated/automated requests to the same phone number or range of phone numbers that do no actually belong to himself. This would result in lots of...
Internet Bug Bounty: PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
https://bugs.php.net/bug.php?id=69617 Description: ------------ The PHP unserialize function is considered unsafe due to its behavior regarding class instantiation; in cases where serialized data is attacker controlled, it can be tampered with, allowing for the instantiation of arbitrary PHP...
Enter: Email Enumeration (POC)
HI i am opening the ticket again now i have a poc to show you First here is the issue again: 1.log in robocoin account go to settings 2.choose change my email 3.enter your pass 4.enter any email you want to check 5.if the email isn't registered a message appears sayingthe email is changed 6.if it...
Faceless: Tap Jacking Attack on Button Tags
UI Redressing Tap jacking attack may trick users into tapping a specifically crafted malicious App popup window e.g. toast view, making it a gateway for varied threats such as framing attack. Using this technique, a malicious App could potentially trick a user into making purchases, clicking on...
Slack: Stored XSS in Slackbot Direct Messages
Whenever a new team is created, Slackbot uses automated profile completion by asking a few questions from the user like the first name, last name, skype account etc. But instead of providing the correct details we provide as input then Slackbot will cause the data go inside the anchor tag ... so...
HackerOne: Control Characters Not Stripped From Username on Signup
Hey, To be honest, I'm not sure if there is any real security implications of this bug, but it's IMO something which should be fixed at some point since it'll be pretty easy. On signup, the username you chose has to be alphanumeric. If you submit someone else's username, followed by a null-byte...
Yahoo!: Yahoo mail login page bruteforce protection bypass
Thank you for your submission to Yahooβs Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, we will take your report into consideration for any future releases. We appreciate your adherence to responsible disclosure...
curl: Path Traversal Bypass in file:// URLs Due to Incomplete URL-Encoded Path Normalization
Summary: The dedotdotify function in lib/urlapi.c is responsible for removing path traversal sequences ../ and ./ from URLs according to RFC 3986. However, the function only recognizes literal forward slashes / when identifying path segments and does not handle URL-encoded slashes %2f or %2F. Thi...
AWS VDP: Amazon Kendra Intelligent Ranking Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints
The AWS Kendra Intelligent Ranking service was found to incorrectly report the user-agent and network information as "AWS Internal" for four API endpoints that are FIPS endpoints. This issue can lead to the obscuring of request information that may be used to track down an adversary...
Cosmos: Heap-Buffer-Overread in contains_whitespace when calling parser_validate after supplying a maliciously crafted buffer to parser_parse
A heap-buffer-overread vulnerability was discovered in the containswhitespace function when calling parservalidate after supplying a maliciously crafted buffer to parserparse. The vulnerability was not exploitable in the primary use case of the library, but a length check was added to prevent thi...
HackerOne: [ Spot Check ] Team members can edit a user's write-up
Team members could edit a user's spot check write-up. The write-up could be modified through a GraphQL request, even though there was no option to edit the write-up in the user interface. This was considered unintended functionality, as HackerOne had previously fixed vulnerabilities where team...
Liberapay: Unsafe yaml load can lead to remote code execution
The YAML load function can lead to remote code execution vulnerability. The vulnerability allows the construction of arbitrary Python objects from untrusted YAML data, which can be exploited by an attacker...
U.S. Dept Of Defense: Reflected Cross-site Scripting via search query on ββββββ
The summary is as follows: A reflected cross-site scripting vulnerability was discovered in the search query functionality of the ββββββββ website. An attacker could execute arbitrary JavaScript code in the victim's browser by injecting malicious payload into the search query parameter...
U.S. Dept Of Defense: User automatically logged in as Sys Admin user on https://βββ/Administration/Administration.aspx
A vulnerability was discovered where any user could be automatically logged in as a system administrator on a web application. This allowed unrestricted access and privileges could be abused to modify user privileges, add or delete users, and upload files, jeopardizing the integrity of the...
Exodus: 2 Cache Poisoning Attack Methods Affect Core Functionality www.exodus.com
Summary: www.exodus.com hosts static js and css files on Server: cloudflare . Which is cached by cloudflare and passed to all other users accessing the source. I was able to impact the core functionality by using a custom HTTP. Here are 2 details of the Bug. Steps To Reproduce: 1. 501 Not...
Evernote: [34.96.80.155] Server Logs Disclosure lead to Information Leakage
Summary: In this case server log is available for any in /server-status Steps To Reproduce: 1. Go to https://34.96.80.155/server-status/ and follow attack scenario's Attack Scenario's: Serg.io 1. User go to server and enter sensitive info that can be logged example : http://host/login?privatekey=...
Nextcloud: When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL
Summary: This report is similar to 1337178 In Nextcloud Deck a user can post their decks in to a conversation via nextcloud talk. The link in metaData can be manipulated to point to a another URL. Steps To Reproduce: 0. Setup burpsuite to proxy 1. Go to Nextcloud Deck and pick a board 2. Pick any...
Rockstar Games: Cache Poisoning DoS on updates.rockstargames.com
In this report, the researcher discovered that there was a cache poisoning weakness on updates.rockstargames.com due to an unkeyed header, trailer. By sending this header, an attacker could cause the cache to save a malformed response with status code 400. An example of such a request, as provide...
Zenly: Google Maps API key stored as plain text leading to DOS and financial damage
The researcher highlighted the fact that the Google Maps API key which is by design easily retrievable from the .apk was missing some restrictions. It then could be used by anyone to query the Google Static Map API, and possibly lead to financial damage. Resolved by enforcing missing restrictions...
h1-ctf: Writeup Hackyholiday CTF
Hi there, Find my writeup on attached : F1128138 Thanks adam for making the CTF, Really PAIN for my head! Impact Hackerone Hoodie ? ππ...
Stripo Inc: No rate limit in email subscription
I managed to bypass the following report 1029723 please follow the steps below: Description: No rate limit in Email Subscription, you just have to add a fixed throttle in Burp Suite to avoid the 429 response. Note: I will use tempmail in the screenshots PoC Steps: 1. Go to https://stripo.email/ a...
Informatica: Improper Sanitization leads to XSS Fire on admin panel
Summary Because the HTML is not sanitized when taking the input on https://accounts.informatica.com/registration.html, the input is vulnerable to XSS. When a payload such as " is put into the form under company it triggers a blind xss. When the payload successfully is loaded, it dumps information...
TikTok: Bypass "Industry Documents" Validation
The researcher found that the attacker can bypass the review process and mark the document as "approved" when a user adds Industry Documents. The attacker will bypass only the qualification status at frontend, the form status is still under review, and it will be reviewed by an employee...
RBKmoney: Apple Pay cryptogram replay and amount tampering
During Apple Pay in-app or on-site payments the device generates a payment cryptogram, which contains a transaction ID, encrypted payment data, etc. This is an example of the cryptogram which the phone passes to the internet acquiring service on api.transferwise.com: "token": "paymentData":...
Mail.ru: ΠΡΠΊΡΡΡΠ°Ρ Π°Π΄ΠΌΠΈΠ½ΠΊΠ° Tarantool
Testing installation of internal Tarantool admin inteface without actual users data was available from external network...
h1-ctf: [H1-2006 2020] 36 hours of brain cycles utilized on solving a neat puzzle
Here we go: F852423 Recon: The given scope is: .bountypay.h1ctf.com Found subdomains: bountypay.h1ctf.com api.bountypay.h1ctf.com app.bountypay.h1ctf.com software.bountypay.h1ctf.com staff.bountypay.h1ctf.com www.bountypay.h1ctf.com Relevant GitHub repository:...