15306 matches found
Nextcloud: https://portal.nextcloud.com/.htaccess file is readable
@mksahilisr reported a disclosure of the .htaccess file on https://portal.nextcloud.com. This has been resolved by adding the following to the Apache server configuration: order allow,deny deny from all Since the .htaccess file contained some potential sensitive data this report has only been...
Mail.ru: Reflected XSS on frag.mail.ru
Domain, site, application The "frag.mail.ru" is affected by a reflected XSS vulnerability on the "/user/register/" handler. Testing environment The exploitation of the issue has been tested on the latest version at the time of writing of Firefox: 52.0.1 both 32 and 64 bit on Sierra and Windows 7...
Open-Xchange: RTLO character in file names
DESCRIPTION ------- Hello, I have noticed that you allow the RTLO Right-To-Left-Override character is not filtered from the names of the files saved to drive, or in the attachement names, thus allowing 2 things : 1. Someone sends a malicious file html or exe or something esle via email that...
Ubiquiti Inc.: Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter.
Dear Ubiquiti Networks bug bounty team, Short Description --- scores.ubnt.com is still vulnerable to reflected XSS, a form of client-side code injection wherein one can execute malicious scripts into a page. The fix to https://hackerone.com/reports/158484 does not suffice for some browsers mainly...
LocalTapiola: SQL Injection on /webApp/lapsuudenturva (viestinta.lahitapiola.fi)
Issue The reporter found a blind SQL Injection attack in an application in viestinta.lahitapiola.fi. Fix The issue was investigated and found to be valid. The fix was to remove the application as it was not needed. Reasoning The reported case was valid and within the scope of the bug bounty...
Discourse: XSS in topics because of bandcamp preview engine vulnerability
Load http://try.discourse.org 2. Click "New topic" 3. Enter this payload https://89.223.28.48/bandcamp.com/album/index.html?XSSa2 to field with placeholder "Type title or paste a link here" 4. Wait for the preview engine to parse the link 4. XSS will fire F151439 You should sanitize external...
Internet Bug Bounty: NULL Pointer Dereference while unserialize php object
Because no checking result of objectinitex so that if user passing implement class, abstract class the result of this is FALSE and args is NULL, so that lead program crash if UNEXPECTEDclasstype-ceflags & ZENDACCINTERFACE|ZENDACCTRAIT|ZENDACCIMPLICITABSTRACTCLASS|ZENDACCEXPLICITABSTRACTCLASS if...
WordPress: Wordpress 4.7 - CSRF -> HTTP SSRF any private ip:port and basic-auth
Description This report is a variant on report 110801 but with broader vector. 110801 was a XSRF SSRF that allowd unintended GET requests to 0.0.0.0 on port 80, 443 and 8080. This vulnerability uses same entry vector of the press this scrape function but entirely bypasses the ip and port filter...
PortSwigger Web Security: XSS in IE11 on portswigger.net via Flash
Hello Portswigger Security Team, There is a reflective XSS vulnerability in portswigger.net. The flash file https://portswigger.net/burp/tutorials/video-js/video-js.swf is from an old video.js library version 3.2.0 which is vulnerable to XSS. This XSS will be blocked by CSP instruction object-src...
Informatica: [parc.informatica.com] Reflected Cross Site Scripting and Open Redirect
Hi ! I just want to report you a vulnerability in your subdomain ,,parc'' Description In this link https://parc.informatica.com/partners/apex/Cloudchat?endpoint= the vulnerable parameter is ,,endpoint''. Once the parameter takes the value of a XSS vector or a website link the code is executed aft...
Mindoktor: XSS at endpoint clinic.mindoktor.se in flash cookie
Issue : XSS found at endpoint clinic.mindoktor.se/user/login Endpoint :clinic.mindoktor.se/user/login Steps of reproduction 1 . Go to above Endoint 2. enter random email and password 3. Intercept the request with a sniffer Like Burp Suit 4. Change the email parameter to...
VK.com: ΠΡΠΎΡΠΎΠΉ ΡΠΏΠΎΡΠΎΠ± ΠΎΠ±Ρ ΠΎΠ΄Π° 2FA
ΠΠ΅Π΄ΠΎΡΡΠ°ΡΠΎΡΠ½Π°Ρ ΠΏΡΠΎΠ²Π΅ΡΠΊΠ° ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ ΠΏΡΠΈ ΡΠΌΠ΅Π½Π΅ IP-Π°Π΄ΡΠ΅ΡΠ°. ΠΠ°Π·Π΅ΠΉΠΊΠ° Ρ ΡΠ΅Π»ΠΎΠ³ΠΈΠ½ΠΎΠΌ ΠΏΡΠΈ ΡΠΌΠ΅Π½Π΅ IP Ρ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ...
Instacart: Seemingly sensitive information at /api/v2/zones
Overview == https://www.instacart.com/api/v2/zones is accessible by a regular Instacart user and seems to return sensitive information such as names, emails, phone numbers, money amounts and dates. GET /api/v2/zones "meta": "code": 200 , "data": "zones": ... "id": 73, "name": "ββββ", "createdat":...
Shopify: (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io'
Hello, Found a website of you guys that is poiting to: shardm-reader.chi2.shopify.io' This domain is disclosure fill path because there is none MySQL server host. POC: https://104.196.154.1/ Response a whole page with path disclosures: lib/patches/mysqlmonitoring.rb:19:in connect'...
Coinbase: Application error message
poc url:https://developers.coinbase.com/api/%e3h This page contains an error/warning message that may disclose sensitive information.The message can also contain the location of the file that produced the unhandled exception.This may be a false positive if the error message is found in...
Internet Bug Bounty: Adobe Flash Player ShimContentResolver(resolverType=0) class Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimContentResolver.resolve. ------------------------------------------------------------------ II. Description Normally, resolve should validate its parameter with...
Vimeo: CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public
Hello Vimeo Security Team. There is a CSRF vulnerability on Vimeo.com. With this vulnerability, an attacker can make all the victim's vimeo videos go public just by having the victim open a link to the attacker webpage. He can also get the victim's vimeo name, user id, user account type and perfo...
Zendesk: XSS In /zuora/ functionality
Hello there, I wanted to report a XSS vulnerability in the /zuora/ functionality on the zendesk application. Affected URL: -...
Uber: text injection in get.uber.com/check-otp
Text Injection no HTML or JS in a landing page on get.uber.com...
VK.com: vk.com/login.php
ΠΡΠΏΠΎΠ»Π½ΠΈΠ² 3 ΠΏΡΠΎΡΡΠ΅ΠΉΡΠΈΡ ΡΠ°Π³Π°, ΠΈ ΠΡ ΡΡΠΎΠ»ΠΊΠ½ΡΡΠ΅ΡΡ Ρ ΠΎΡΠΊΠ°Π·ΠΎΠΌ ΡΠ΅ΡΠ²Π΅ΡΠ° ΡΡΠΎ-Π»ΠΈΠ±ΠΎ Π΄Π΅Π»Π°ΡΡ. Π¨Π°Π³ 1: ΠΠ΅ΡΠ΅ΠΉΡΠΈ ΠΏΠΎ Π°Π΄ΡΠ΅ΡΡ vk.com/login.php Π¨Π°Π³ 2: ΠΠ²Π΅ΡΡΠΈ Π² ΠΏΠΎΠ»Π΅ "Π»ΠΎΠ³ΠΈΠ½" ΡΠΈΠΌΠ²ΠΎΠ»Ρ 00 ΠΈΠ»ΠΈ 000 ΠΈΠ»ΠΈ 0000, ΠΈ ΡΠ°ΠΊ Π΄ΠΎ 17 Π½ΡΠ»Π΅ΠΉ, ΠΏΠ°ΡΠΎΠ»Ρ ΡΠΊΠ°Π·Π°ΡΡ Π»ΡΠ±ΠΎΠΉ. Π¨Π°Π³ 3: ΠΠ°ΠΆΠ°ΡΡ Π»ΠΎΠ³ΠΈΠ½ ΠΈ ΡΠ΅ΡΠ²Π΅Ρ Π±ΡΠ΄Π΅Ρ ΡΠΈΠ»ΡΠ½ΠΎ Π½Π΅Π΄ΠΎΠ²ΠΎΠ»Π΅Π½. Π‘ΠΏΠ°ΡΠΈΠ±ΠΎ, ΠΈ ΠΈΡΠΏΡΠ°Π²ΡΡΠ΅ ΡΠ²...
withinsecurity: Content Spoofing OR Text Injection in https://withinsecurity.com
Hi, I just found Content Spoofing OR Text-based injection vulnerability in https://withinsecurity.com site that would like to get fixed, Below are the POC and steps to reproduced an issue. 1 Go to https://withinsecurity.com this site 2 Then just changed above url like this...
Ruby on Rails: Validation bypass for Active Record and Active Model
Possible Input Validation Circumvention in Active Model There is a possible input validation circumvention vulnerability in Active Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753. Versions Affected: 4.1.0 and newer Not affected: 4.0.13 and older Fixed Versions:...
HackerOne: Know whether private program for company exist or not
HI, There are some company which are hosting private BB on HackerOne which are not visible unless they invite you. However, you can check if any company is hosting private BB on HackerOne or not if you can guess the username they use. Generally most company chooses the same name as their company...
Whisper: SMS Invite Form Abuse
whisper.sh fails to protect the invite form from abuse from attackers. If a malicious individual wants to abuse this functionality, they could send repeated/automated requests to the same phone number or range of phone numbers that do no actually belong to himself. This would result in lots of...
Mail.ru: help2.m.smailru.net: XSS
GET /login/index.php/article/articleview/ALERT"alert1 HTTP/1.1 Host: help2.m.smailru.net User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.10; rv:32.0 Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language:...
Internet Bug Bounty: PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
https://bugs.php.net/bug.php?id=69617 Description: ------------ The PHP unserialize function is considered unsafe due to its behavior regarding class instantiation; in cases where serialized data is attacker controlled, it can be tampered with, allowing for the instantiation of arbitrary PHP...
Enter: Email Enumeration (POC)
HI i am opening the ticket again now i have a poc to show you First here is the issue again: 1.log in robocoin account go to settings 2.choose change my email 3.enter your pass 4.enter any email you want to check 5.if the email isn't registered a message appears sayingthe email is changed 6.if it...
Faceless: Tap Jacking Attack on Button Tags
UI Redressing Tap jacking attack may trick users into tapping a specifically crafted malicious App popup window e.g. toast view, making it a gateway for varied threats such as framing attack. Using this technique, a malicious App could potentially trick a user into making purchases, clicking on...
Slack: Stored XSS in Slackbot Direct Messages
Whenever a new team is created, Slackbot uses automated profile completion by asking a few questions from the user like the first name, last name, skype account etc. But instead of providing the correct details we provide as input then Slackbot will cause the data go inside the anchor tag ... so...
HackerOne: Control Characters Not Stripped From Username on Signup
Hey, To be honest, I'm not sure if there is any real security implications of this bug, but it's IMO something which should be fixed at some point since it'll be pretty easy. On signup, the username you chose has to be alphanumeric. If you submit someone else's username, followed by a null-byte...
Yahoo!: Yahoo mail login page bruteforce protection bypass
Thank you for your submission to Yahooβs Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, we will take your report into consideration for any future releases. We appreciate your adherence to responsible disclosure...
curl: Path Traversal Bypass in file:// URLs Due to Incomplete URL-Encoded Path Normalization
Summary: The dedotdotify function in lib/urlapi.c is responsible for removing path traversal sequences ../ and ./ from URLs according to RFC 3986. However, the function only recognizes literal forward slashes / when identifying path segments and does not handle URL-encoded slashes %2f or %2F. Thi...
AWS VDP: Amazon Kendra Intelligent Ranking Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints
The AWS Kendra Intelligent Ranking service was found to incorrectly report the user-agent and network information as "AWS Internal" for four API endpoints that are FIPS endpoints. This issue can lead to the obscuring of request information that may be used to track down an adversary...
Cosmos: Heap-Buffer-Overread in contains_whitespace when calling parser_validate after supplying a maliciously crafted buffer to parser_parse
A heap-buffer-overread vulnerability was discovered in the containswhitespace function when calling parservalidate after supplying a maliciously crafted buffer to parserparse. The vulnerability was not exploitable in the primary use case of the library, but a length check was added to prevent thi...
HackerOne: [ Spot Check ] Team members can edit a user's write-up
Team members could edit a user's spot check write-up. The write-up could be modified through a GraphQL request, even though there was no option to edit the write-up in the user interface. This was considered unintended functionality, as HackerOne had previously fixed vulnerabilities where team...
Liberapay: Unsafe yaml load can lead to remote code execution
The YAML load function can lead to remote code execution vulnerability. The vulnerability allows the construction of arbitrary Python objects from untrusted YAML data, which can be exploited by an attacker...
U.S. Dept Of Defense: Reflected Cross-site Scripting via search query on ββββββ
The summary is as follows: A reflected cross-site scripting vulnerability was discovered in the search query functionality of the ββββββββ website. An attacker could execute arbitrary JavaScript code in the victim's browser by injecting malicious payload into the search query parameter...
U.S. Dept Of Defense: User automatically logged in as Sys Admin user on https://βββ/Administration/Administration.aspx
A vulnerability was discovered where any user could be automatically logged in as a system administrator on a web application. This allowed unrestricted access and privileges could be abused to modify user privileges, add or delete users, and upload files, jeopardizing the integrity of the...
Exodus: 2 Cache Poisoning Attack Methods Affect Core Functionality www.exodus.com
Summary: www.exodus.com hosts static js and css files on Server: cloudflare . Which is cached by cloudflare and passed to all other users accessing the source. I was able to impact the core functionality by using a custom HTTP. Here are 2 details of the Bug. Steps To Reproduce: 1. 501 Not...
Evernote: [34.96.80.155] Server Logs Disclosure lead to Information Leakage
Summary: In this case server log is available for any in /server-status Steps To Reproduce: 1. Go to https://34.96.80.155/server-status/ and follow attack scenario's Attack Scenario's: Serg.io 1. User go to server and enter sensitive info that can be logged example : http://host/login?privatekey=...
Nextcloud: When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL
Summary: This report is similar to 1337178 In Nextcloud Deck a user can post their decks in to a conversation via nextcloud talk. The link in metaData can be manipulated to point to a another URL. Steps To Reproduce: 0. Setup burpsuite to proxy 1. Go to Nextcloud Deck and pick a board 2. Pick any...
Rockstar Games: Cache Poisoning DoS on updates.rockstargames.com
In this report, the researcher discovered that there was a cache poisoning weakness on updates.rockstargames.com due to an unkeyed header, trailer. By sending this header, an attacker could cause the cache to save a malformed response with status code 400. An example of such a request, as provide...
Zenly: Google Maps API key stored as plain text leading to DOS and financial damage
The researcher highlighted the fact that the Google Maps API key which is by design easily retrievable from the .apk was missing some restrictions. It then could be used by anyone to query the Google Static Map API, and possibly lead to financial damage. Resolved by enforcing missing restrictions...
h1-ctf: Writeup Hackyholiday CTF
Hi there, Find my writeup on attached : F1128138 Thanks adam for making the CTF, Really PAIN for my head! Impact Hackerone Hoodie ? ππ...
Stripo Inc: No rate limit in email subscription
I managed to bypass the following report 1029723 please follow the steps below: Description: No rate limit in Email Subscription, you just have to add a fixed throttle in Burp Suite to avoid the 429 response. Note: I will use tempmail in the screenshots PoC Steps: 1. Go to https://stripo.email/ a...
Informatica: Improper Sanitization leads to XSS Fire on admin panel
Summary Because the HTML is not sanitized when taking the input on https://accounts.informatica.com/registration.html, the input is vulnerable to XSS. When a payload such as " is put into the form under company it triggers a blind xss. When the payload successfully is loaded, it dumps information...
TikTok: Bypass "Industry Documents" Validation
The researcher found that the attacker can bypass the review process and mark the document as "approved" when a user adds Industry Documents. The attacker will bypass only the qualification status at frontend, the form status is still under review, and it will be reviewed by an employee...
RBKmoney: Apple Pay cryptogram replay and amount tampering
During Apple Pay in-app or on-site payments the device generates a payment cryptogram, which contains a transaction ID, encrypted payment data, etc. This is an example of the cryptogram which the phone passes to the internet acquiring service on api.transferwise.com: "token": "paymentData":...
Mail.ru: ΠΡΠΊΡΡΡΠ°Ρ Π°Π΄ΠΌΠΈΠ½ΠΊΠ° Tarantool
Testing installation of internal Tarantool admin inteface without actual users data was available from external network...
h1-ctf: [H1-2006 2020] 36 hours of brain cycles utilized on solving a neat puzzle
Here we go: F852423 Recon: The given scope is: .bountypay.h1ctf.com Found subdomains: bountypay.h1ctf.com api.bountypay.h1ctf.com app.bountypay.h1ctf.com software.bountypay.h1ctf.com staff.bountypay.h1ctf.com www.bountypay.h1ctf.com Relevant GitHub repository:...