HackerOne: Pre-generation of 2FA secret/backup codes seems like an unnecessary risk
If you manage to get a malicious script running in HackerOne, requesting https://hackerone.com/settings/authentication/edit and parsing out the two factor authentication form will yield either… - the 2FA secret key and backup codes that will be used if 2FA is enabled for the first time this sessi...
Algolia: an xss issue
I found an XSS issue here: https://www.algolia.com/explorer?index=test&tab=ranking. I tried to put an XSS payload " in the index ranking, so I put the XSS payload in the Ranking formula and hit save... when it is saved, the XSS payload is stored, and upon Indices the XSS payload executed. P.S. pleas...
HackerOne: Cross-domain AJAX request
Hi, two weeks ago I found a cross-domain AJAX request, but because you use a very strict Content Security Policy, I hesitated to send this. Today I noticed that the bug has been fixed, but this fix can be bypassed. This example is not working now (screenshot 1):...
Whisper: SMS Invite Form Abuse
whisper.sh fails to protect the invite form from abuse by attackers. If a malicious individual wants to abuse this functionality, they could send repeated/automated requests to the same phone number or a range of phone numbers that do not actually belong to them. This would result in lots of...
Mail.ru: Possible xWork classLoader RCE: shared.mail.ru
It seems to be affected by https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21: classLoader gets through, i.e. there is no regex-level fix, and the version is within the vulnerable range. I will of course try to actually execute code over the weekend, but by external signs it is there. All versions below...
VK.com: XSS on added name album on videos.
Hi. Steps to reproduce: First go to https://vk.com/video. Next click on Add a Video. After adding a video from YouTube, insert TEST XSS in the Title field and click Save. Next go to https://vk.com/video again and you will see the video with the name TEST XSS. Click on TEST XSS and you will fo...
Enter: Email Enumeration (POC)
Hi, I am opening the ticket again; now I have a PoC to show you. First, here is the issue again: 1. Log in to a Robocoin account and go to Settings. 2. Choose "Change my email". 3. Enter your password. 4. Enter any email you want to check. 5. If the email isn't registered, a message appears saying the email is changed. 6. If it...
HackerOne: Insecure Direct Object Reference vulnerability
In the program portal, there is an option to add external people as participants in a bug report. The admin can then remove this person as well if needed. The request for removing an external reporter looks like: DELETE /reports//externalusers/ HTTP/1.1 Host: hackerone.com User-Agent:...
X (Formerly Twitter): Flaw in login with twitter to steal Oauth tokens
Hey, hi. Steps to reproduce: ============================================= I have been testing the Twitter Kit in Fabric. I added Login with Twitter integration to my application. I pushed the application to my Android phone, clicked Login with Twitter, and entered my username and password. Searched ...
X (Formerly Twitter): [Stored XSS] vine.co - profile page
Stored XSS via API request: While creating a new account in the Windows mobile app, I noticed this request: PUT /users/1147563919679037440 HTTP/1.1 avatarUrl=https%3A%2F%2Fvines.s3.amazonaws.com%2Favatarstrellis%2F2014%2F11%2F21%2F0B2EAE2EB811475639291495546881.3.4.jpg&username= It seems that the...
Coinbase: Credit Card Validation Issue
Hi Coinbase, I'm not sure if this counts as a bug, but it definitely counts as a vulnerability. The issue is in your credit card verification for instant purchases. The system does not, or only rarely, checks the validity of a credit card after it is added. This allows me to make instant buy purchases,...
Automattic: Missing HSTS header in https://public-api.wordpress.com
Hi, Vulnerable Website: https://public-api.wordpress.com/oauth2/authorize?clientid=930&responsetype=code&blogid=0&state=05f9c401dedcb9b3f33d82e8b335d1128d24d4cbc4a73903374f952acdfd34f6&redirecturi=https%3A%2F%2Fvaultpress.com%2Flogin%2F%3Faction%3Drequestaccesstoken I tested the website using...
jsDelivr: Using nmap revealing sensitive information
check this = http://prntscr.com/3xlww2 nmap scan result . Starting Nmap 6.46 http://nmap.org at 2014-06-29 15:34 India Standard Time NSE: Loaded 30 scripts for scanning. NSE: Script Pre-scanning. Initiating Parallel DNS resolution of 1 host. at 15:35 Completed Parallel DNS resolution of 1 host. a...
Faceless: Tap Jacking Attack on Button Tags
UI Redressing: a tap jacking attack may trick users into tapping a specifically crafted malicious app popup window (e.g. a toast view), making it a gateway for various threats such as framing attacks. Using this technique, a malicious app could potentially trick a user into making purchases, clicking on...
Mail.ru: connect.mail.ru: SSRF
It is possible to browse internal resources on the mail.ru network: POST /ajax?ajaxcall=1&funcname=perlfetchconnectpage HTTP/1.1 Host: connect.mail.ru User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/javascript, text/html, application/xml, text/xml, /...
Mail.ru: Clickjacking
URL: http://promo.calendar.mail.ru/ POC: Clickjack test page. Website is vulnerable to clickjacking!...
Yahoo!: reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Slack: Stored XSS in Slackbot Direct Messages
Whenever a new team is created, Slackbot uses automated profile completion by asking the user a few questions, such as first name, last name, Skype account, etc. But if, instead of the correct details, we provide our own input, Slackbot will place that data inside the anchor tag ... so...
Yahoo!: Flickr: Invitations disclosure (resend feature)
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
curl: TLS verifyhost bypass in rustls, mbedTLS, and wolfSSL when verifypeer=0
The now-well-known CURLOPT_SSL_VERIFYHOST-bypass-when-CURLOPT_SSL_VERIFYPEER=0 defect exists in three of curl's TLS backends: rustls (EXPERIMENTAL), mbedTLS, and wolfSSL (DNS hostnames only). The documented contract at docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.md:57-59: The check that the host name in the...
curl: libcurl: Improper Authentication State Management on Cross-Protocol Redirects
Following the recent advisory for CVE-2025-14524, I conducted an investigation into how libcurl manages OAuth2 credentials during complex redirect chains. I have confirmed that while the library successfully protects traditional user credentials, it fails to clear OAuth2 Bearer tokens in the same...
AWS VDP: Amazon Kendra Intelligent Ranking Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints
The AWS Kendra Intelligent Ranking service was found to incorrectly report the user-agent and network information as "AWS Internal" for four API endpoints that are FIPS endpoints. This issue can lead to the obscuring of request information that may be used to track down an adversary...
Internet Bug Bounty: [CVE-2024-47888] Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888. Carefully crafted text was found to cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly...
Liberapay: Unsafe yaml load can lead to remote code execution
The YAML load function can lead to remote code execution vulnerability. The vulnerability allows the construction of arbitrary Python objects from untrusted YAML data, which can be exploited by an attacker...
U.S. Dept Of Defense: Reflected Cross-site Scripting via search query on ██████
The summary is as follows: A reflected cross-site scripting vulnerability was discovered in the search query functionality of the ████████ website. An attacker could execute arbitrary JavaScript code in the victim's browser by injecting malicious payload into the search query parameter...
Publitas: Unauthorized Access to Offline Publication Cover Pages via SOURCE_DOCUMENT_ID
A vulnerability was discovered that allowed unauthorized access to offline publication cover pages by sending requests with specific source document IDs. This exposed cover pages and associated user and publication IDs that were intended to be private...
Enjin: Weak Email Verification: Newly Registered Users Can Bypass Email Verification Step and Log In
Newly registered users were able to bypass email verification and log in. This vulnerability has since been addressed...
PortSwigger Web Security: CSP bypass on PortSwigger.net using Google script resources
A cross-site scripting vulnerability was discovered on PortSwigger.net. The site's content security policy allowed resources from Google's reCAPTCHA domain, which contains AngularJS. This could be abused to bypass the CSP and load arbitrary scripts from other domains. The issue allowed an attacke...
U.S. Dept Of Defense: User automatically logged in as Sys Admin user on https://███/Administration/Administration.aspx
A vulnerability was discovered where any user could be automatically logged in as a system administrator on a web application. This allowed unrestricted access and privileges could be abused to modify user privileges, add or delete users, and upload files, jeopardizing the integrity of the...
HackerOne: Able to see Bonus amount given to a report even if the bounty and Bonus is not visible to public or mentioned in {Report-Id}.json
A vulnerability allowed users to see the bonus amount given to a report, even if the bounty and bonus were not visible to the public or mentioned in the report's JSON file. This resulted in the exposure of confidential information...
Internet Bug Bounty: unsanitized input goes to regex function leads to ReDos that make request hangs
An authenticated user could exploit a vulnerability in Apache Airflow versions prior to 2.6.3 by providing crafted input, causing the current request to hang...
Automattic: Authentication bypass on JetPack SSO manager - Allows to access the administration panel of wordpress without user interaction
A vulnerability was found in the JetPack SSO manager plugin that allowed authentication bypass on WordPress sites using the plugin. By exploiting the plugin's account invitation and email verification features, an attacker could gain administrative access to WordPress sites with a user account...
Reddit: RichText parser vulnerability in scheduled posts allows XSS
Hyperlinks were not being filtered on the server-side in Reddit's scheduled post feature, allowing an attacker to modify a request with a normal hyperlink that embeds a malicious link using a javascript scheme. This could result in an XSS attack if an admin clicked on the malicious link while...
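The Reddit entry above turns on one server-side check that was missing: the scheme of a user-supplied hyperlink. The following is an added example, not Reddit's code, of how that check is written so that the obfuscations a browser silently tolerates (mixed case, embedded tabs and newlines, leading control characters, HTML entities such as `&#58;`) are normalised away before the scheme is compared against an allow-list. The function names, the three allowed schemes and the sample links are assumptions for illustration.

```python
import html
import re
from typing import Optional

# Schemes a user-supplied link may carry. Everything else (javascript:,
# data:, vbscript:, ...) is refused. Allow-listing is the point: a deny-list
# of bad schemes is exactly what the obfuscations below are built to slip past.
ALLOWED_SCHEMES = {"http", "https", "mailto"}   # assumed policy for this example

# The WHATWG URL parser strips leading/trailing C0 controls and spaces, and
# removes ASCII tab/newline anywhere, before it looks for a scheme. Mirror
# that so "java\tscript:" and "\x01javascript:" are seen as the browser sees them.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_DROP_TAB_NEWLINE = str.maketrans("", "", "\t\n\r")
# A scheme is an ASCII letter followed by letters, digits, "+", "-" or ".",
# terminated by ":". Anything that does not match is a relative reference.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def browser_view(href: str) -> str:
    """Return the string the browser's URL parser will actually see for an
    href attribute: entity-decoded, trimmed of C0/space, tabs/newlines removed."""
    decoded = html.unescape(href)   # "javascript&#58;alert(1)" -> "javascript:alert(1)"
    return decoded.strip(_C0_AND_SPACE).translate(_DROP_TAB_NEWLINE)


def sanitize_href(raw: str) -> Optional[str]:
    """Return a whitespace-normalised copy of the link if its scheme is allowed
    (or it has no scheme, i.e. it is relative), otherwise None to drop it.

    The decision is made on the browser's view of the link; the value returned
    keeps the original entities so a query such as ?a=1&copy=2 is not altered."""
    trimmed = raw.strip(_C0_AND_SPACE).translate(_DROP_TAB_NEWLINE)
    match = _SCHEME_RE.match(browser_view(raw))
    if match is None:
        return trimmed                       # relative link: nothing to abuse
    if match.group(1).lower() in ALLOWED_SCHEMES:
        return trimmed
    return None


def sanitize_links(links):
    """Apply sanitize_href to link nodes of the form {"text": ..., "href": ...}.
    Refused links keep their text but lose the href, so the post still renders."""
    cleaned = []
    for node in links:
        href = sanitize_href(node["href"])
        cleaned.append({"text": node["text"], "href": href})
    return cleaned


if __name__ == "__main__":
    # Constructed sample: the first is the legitimate hyperlink the client
    # sends, the rest are the kinds of rewrites an attacker can make in transit.
    sample = [
        {"text": "rules", "href": "https://www.reddit.com/r/example/about/rules"},
        {"text": "rules", "href": "javascript:alert(document.domain)"},
        {"text": "rules", "href": " JaVaScRiPt:alert(1)"},
        {"text": "rules", "href": "java\tscript:alert(1)"},
        {"text": "rules", "href": "javascript&#58;alert(1)"},
    ]
    for node in sanitize_links(sample):
        print(node)
```

Only the first sample link survives with an href; the other four are rejected because, after normalisation, their scheme is `javascript`. The check belongs on the server, where the scheduled post is stored, not in the client that the attacker controls.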
Yelp: Subdomain Takeover on delivery.yelp.com
Summary: Subdomain takeover vulnerabilities occur when a subdomain (delivery.yelp.com) is pointing to a service. Vulnerable URL: delivery.yelp.com. This is a verification link: F1959331. Platforms Affected: website. Steps To Reproduce: 1. Create an Amazon S3 bucket with this name: delivery.yelp.com F1959320...
GitHub: Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api
An incorrect authorization vulnerability was found in GitHub Enterprise Server that allowed GitHub Apps to gain access to and modify most organization-level resources that are not tied to a repository, regardless of granted permissions. This vulnerability affected all versions of GitHub Enterpris...
Rocket.Chat: Regex account takeover
Summary: get the admin reset token as an authenticated user. Description: a normal logged-in user can access the admin reset token and set a new password for the admin user. Releases Affected: 3.18.5, 3.0.5. Steps To Reproduce from initial installation to vulnerability: Add details for how we can reproduce the issue...
GitHub Security Lab: [Java]: Flow sources and steps for JMS and RabbitMQ
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java]: CWE-200 - Query to detect insecure WebResourceResponse implementation
This bug was reported directly to GitHub Security Lab...
Evernote: Reflected XSS in the shared note view on https://evernote.com
Summary: There is a reflected XSS vulnerability on https://evernote.com, in the shared web note view, triggered through the view and ionUrl parameters of the /shard/sSHARDNUMBER/client/snv endpoint. Description: When a user creates a note and shares it, it is stored in the following endpoint, bei...
Evernote: [34.96.80.155] Server Logs Disclosure lead to Information Leakage
Summary: In this case the server log is available to anyone at /server-status. Steps To Reproduce: 1. Go to https://34.96.80.155/server-status/ and follow the attack scenarios. Attack Scenarios: Serg.io 1. A user goes to the server and enters sensitive info that can be logged, for example: http://host/login?privatekey=...
Nextcloud: When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL
Summary: This report is similar to 1337178. In Nextcloud Deck a user can post their decks into a conversation via Nextcloud Talk. The link in metaData can be manipulated to point to another URL. Steps To Reproduce: 0. Set up Burp Suite as a proxy 1. Go to Nextcloud Deck and pick a board 2. Pick any...
Nextcloud: Attacker can obtain write access to any federated share/public link
Hi mates, I stumbled across this with public links, but the same holds true for any federated share. I will try to describe the link scenario. At first I thought there were more steps and resharing was involved, but it really is very simple: 1. An attacker obtains a public link (again, plenty of...
Mail.ru: [tanks.mail.ru] SSRF + cookie theft
Introduction: On this fine evening we decided to start on the vBulletin forum engine, since it runs on 7 sites that belong to Ext.B, and you raised the rewards there almost threefold, which sounds tasty. My eye fell on forumrunner, since it had a SQL injection CVE from 2016. In about an hour an SSRF was found, and not a simple one...
Nextcloud: Leak arbitrary file under nextcloud android client privacy directory
Steps to reproduce: 1. Install and log in to the Nextcloud Android client 2. Create a directory and set it 'shareable' 3. Install the PoC app "setresultcontactphotocrop". Key code: EvilActivity public class EvilActivity extends AppCompatActivity final static String PRIVATEURI =...
TikTok: Lack of rate limitation on careers site allows the attacker to brute force the verification code
An attacker could have potentially attempted to brute force the verification code needed to reset a candidate's password by leveraging a lack of rate limiting on the TikTok careers portal. We thank @iambouali for reporting this to our team and confirming the resolution...
Stripo Inc: No rate limit in email subscription
I managed to bypass the following report (1029723); please follow the steps below. Description: No rate limit in Email Subscription; you just have to add a fixed throttle in Burp Suite to avoid the 429 response. Note: I will use tempmail in the screenshots. PoC Steps: 1. Go to https://stripo.email/ a...
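The TikTok and Stripo entries above describe the two ends of the same problem: an endpoint with no rate limit at all, and one whose limit is only a burst counter that an attacker defeats by pacing requests just below the threshold (the "fixed throttle" in Burp). The following is an added example, not code from either vendor, contrasting a sliding-window burst limiter with a per-code guess budget that bounds the total number of guesses a verification code will ever accept, however slowly they arrive. Class names, the 10-per-minute limit, the 5-guess budget and the 6-digit code format are assumptions chosen for illustration; the clock is passed in explicitly so the behaviour can be simulated offline.

```python
import hmac
import secrets
from collections import deque
from dataclasses import dataclass


class BurstLimiter:
    """At most `limit` requests per `window` seconds per key (sliding window).

    This stops a burst, but an attacker who spaces requests just far enough
    apart is never refused, so the total number of guesses is unbounded."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits = {}   # key -> deque of request timestamps

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits.setdefault(key, deque())
        while hits and hits[0] <= now - self.window:
            hits.popleft()                      # forget requests outside the window
        if len(hits) >= self.limit:
            return False                        # this is where a 429 would be sent
        hits.append(now)
        return True


def count_allowed(limiter: BurstLimiter, spacing: float, n: int, key: str = "victim") -> int:
    """Simulate n guesses from one attacker, one every `spacing` seconds,
    and return how many the burst limiter let through."""
    return sum(limiter.allow(key, i * spacing) for i in range(n))


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class VerificationCodes:
    """Per-code guess budget: the code itself is invalidated after MAX_ATTEMPTS
    wrong guesses or TTL seconds, regardless of timing. A 6-digit code with a
    5-guess budget gives an attacker at most 5 in 1,000,000 per issued code,
    and the victim can always request a fresh code."""

    MAX_ATTEMPTS = 5      # assumed budget for this example
    TTL = 600.0           # assumed lifetime in seconds

    def __init__(self) -> None:
        self._pending = {}   # account -> PendingCode

    def issue(self, account: str, now: float) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[account] = PendingCode(code, now)   # replaces any older code
        return code

    def has_pending(self, account: str) -> bool:
        return account in self._pending

    def verify(self, account: str, guess: str, now: float) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False                        # nothing live: burned, used or never issued
        if now - entry.issued_at > self.TTL:
            del self._pending[account]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code.encode(), guess.encode())
        # Single use on success; burn the code once the budget is spent, so a
        # later correct guess is refused too and the attacker learns nothing.
        if ok or entry.attempts >= self.MAX_ATTEMPTS:
            del self._pending[account]
        return ok


if __name__ == "__main__":
    limiter = BurstLimiter(limit=10, window=60)
    print("burst, 1 req/s, 100 tries:", count_allowed(limiter, 1, 100), "allowed")
    print("burst, 1 req/7s, 100 tries:", count_allowed(BurstLimiter(10, 60), 7, 100), "allowed")
    codes = VerificationCodes()
    real = codes.issue("victim", now=0.0)
    for i in range(6):   # six paced guesses, none correct
        print("guess", i + 1, codes.verify("victim", "000000", now=i * 7.0))
    print("correct code after budget spent:", codes.verify("victim", real, now=50.0))
```

With the burst limiter alone, pacing one guess every 7 seconds lets every one of 100 guesses through, because no 60-second window ever holds 10 of them. The guess budget does not care about pacing: after five wrong guesses the code is gone, and even the correct value is refused until the user asks for a new one. The two controls complement each other; the burst limiter still protects the endpoint from load and the code budget bounds the attacker's success probability.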
U.S. Dept Of Defense: hardcoded password stored in javascript of https://████.mil
Summary: I have discovered a cleartext password stored within a JavaScript file. This password allows me to authenticate to https://█████.mil. Description: I have discovered a cleartext password stored within a JavaScript file. This password allows me to authenticate to https://███████.mil. To confirm...
Zomato: Improper Validation at Partners Login
Timeline

| Timeline | Action |
|---|---|
| Thu, 24 Sep 2020, 12:10 IST | Researcher submitted the report on H1 with initial severity as High. |
| Thu, 24 Sep 2020, 12:32 IST | First response - we asked for clarification via demonstration on attack scenarios. Parallelly, we began our own... |
Shopify: Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner
I was playing a bit with the Point Of Sale application and it came to my attention that it is possible to navigate from the Point Of Sale Application up to the Plan & Permission in the admin. I am not sure if this is intentional, but since it leads to potentially take over a shop, I'm reporting i...
h1-ctf: [H1-2006 2020] I made the CEO's bounty payment!
^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ I will write the details in comment. Impact I have headache now...