8x8: F5 BIG-IP TMUI RCE - CVE-2020-5902 (██.packet8.net)
@remonsec reported to us a vulnerability in F5 BIG-IP's Traffic Management User Interface (TMUI) which, if exploited, could have led to RCE in undisclosed pages: CVE-2020-5902. We swiftly applied the fix to the F5 BIG-IP & restricted access further, which resolved the issue...
Greenhouse.io: Subdomain Takeover on demo.greenhouse.io pointing to unbouncepages
Actually this report is the same as this one: https://hackerone.com/reports/38007 Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on t...
Doppler VDP: Stored XSS in [https://dashboard.doppler.com/workplace/*/logs] pages
Summary: I have found a stored XSS vulnerability in the following config setting page: https://dashboard.doppler.com/workplace//projects/example-project/configs/dev/logs When you invite other users to the workspace, the XSS could be used to exploit other users as well. Steps To Reproduce: 1. Visit...
HackerOne: 2020-10-09 Credential Stuffing Attack
Executive summary On October 4, 2020 and October 5, 2020, an attacker launched two credential stuffing attacks against HackerOne.com. On October 9, 2020, HackerOne’s Security team noticed the attack during their weekly audit of anomalies in their log aggregation platform, leading to the Incident...
Internet Bug Bounty: Potential DoS vulnerability in Django in multipart parser
A potential denial-of-service vulnerability was discovered in Django's multipart parser, which could result in too many open files or memory exhaustion. This vulnerability was fixed in Django 3.2.18, 4.0.10, and 4.1.7 by limiting the number of file parts parsed via a new setting. The severity of...
Nord Security: xmlrpc.php file is enabled; it will be used for Bruteforce attacks and Denial of Service (DoS)
Hi Team, The website https://www.nordvpn.com has the xmlrpc.php file enabled and could thus be potentially used for such an attack against other victim hosts. WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. URL:...
Bime: Subdomain takeover due to unclaimed Amazon S3 bucket on a2.bime.io
I noticed BIME is primarily built on Amazon AWS, which spawned my interest. I started looking for DNS entries that were still pointing to S3 buckets that however no longer exist. It appears this was the case for a2.bime.io, which points to an Amazon S3 website bucket in the US East region. Steps ...
U.S. Dept Of Defense: https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD
Hi team, while testing I found a host IP https://█████████ which belongs to DoD ██████████.mil running the web services interface of Cisco ASA/FTD, and it is vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. An attacker could exploit this vulnerability by sending ...
U.S. Dept Of Defense: https://█████████ Vulnerable to CVE-2018-0296 Cisco ASA Path Traversal Authentication Bypass
Summary: https://█████ is an ASA running software vulnerable to CVE-2018-0296 which allows a remote attacker to exploit a path traversal vulnerability and bypass authentication to sensitive files. The attacker can use this to enumerate the ASA VPN web directory structure and exploit privileged...
Shopify: Bypassed password authentication before enabling OTP verification
When we enable two-step verification, Shopify first asks for the password and then allows the user to set up OTP verification. Here I bypassed this password verification. Steps to reproduce the vulnerability: 1. To produce this vulnerability I created two accounts on Shopify. For easy understanding let's give them...
Gratipay: CSP Policy Bypass and javascript execution
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. CSP provides a standard method for website owners to declare...
Node.js third-party modules: bunyan - RCE via insecure command formatting
I would like to report RCE in bunyan. It allows arbitrary commands remotely inside the victim's PC. Module: module name: bunyan, version: 1.8.12, npm page: https://www.npmjs.com/package/bunyan. Module Description: Bunyan is a simple and fast JSON logging library for node.js services. Module Stats: 920,19...
Nextcloud: Code injection possible with malformed Nextcloud Talk chat commands
Summary The Nextcloud Talk app allows system administrators to set up chat commands that can be executed in Talk using the "/command" syntax. Users can provide additional arguments to the commands, such as "/calc 1+1" or "/wiki Hello", which are passed to the underlying script using @exec. If...
Genasys Technologies: Missing redaction on a disclosed report
Hi team, I wasn't sure if this was worth a report, but I thought that you should be aware, and HackerOne's support referred me to submit a report. I ran into a disclosed report where the reporter asked to redact his email, but we can still extract his email and more info about his Google account from th...
Sifchain: wrong URL in hackerone > goes to wix.com > unconnected
Summary: Hi there, this is a very small issue out of scope. Your current domain name in your hackerone program is wrong: http://sifchain.finance and moves to wix.com Steps To Reproduce: 1. Log in as a researcher 2. Open the program from sifchain: https://hackerone.com/sifchain?type=team 3. click o...
Razer: Reflected XSS on molpay.com with cloudflare bypass
The tester discovered a reflected XSS vulnerability on molpay.com which could allow an adversary to steal client side information such as a cookie. Razer Fintech thanks the tester for his clear report and PoC. Follow brutelogic for amazing bypass tips. Thank you for bounty @razer 🙏...
U.S. Dept Of Defense: https://██████/ Vulnerable to CVE-2013-3827 (Directory-traversal vulnerability)
Description: Hi team, https://█████/ is using an older version of Oracle JavaServer which is vulnerable to CVE-2013-3827. POC: https://█████/████ References: https://www.securityfocus.com/bid/63052/info https://www.exploit-db.com/exploits/38802 Impact: Directory-traversal System Hosts: █████ Affected...
U.S. Dept Of Defense: External Service Interaction | https://█████████.mil
Description: I am able to trick the web server ███████.mil into making DNS and HTTP requests to my VPS server and Burp Collaborator. Walkthrough Section: 1. Create an account using the registration form https://████████.mil/█████/accounts/register/ ███████ 2. Provide the required information to creat...
Dropbox: Race condition when redeeming coupon codes
Hello, there is a race condition when redeeming coupon codes in https://www.dropbox.com/coupons. Basically, it enables me to reuse one coupon code many times. Here are the steps to reproduce: 1. Get a coupon code. I bought mine on fiverr. 2. Go to https://www.dropbox.com/coupons and enter your co...
BlockDev Sp. Z o.o: DoS of https://blog.makerdao.com/ via CVE-2018-6389
DoS of https://blog.makerdao.com/ via CVE-2018-6389...
Unikrn: Staging Rabbitmq instance is exposed to the internet with default credentials
Description: RabbitMQ is an open-source message-broker software (sometimes called message-oriented middleware) that originally implemented the Advanced Message Queuing Protocol (AMQP) and has since been extended with a plug-in architecture to support Streaming Text Oriented Messaging Protocol (STOMP),...
Pornhub: Time-based SQL injection in POST parameter login[username] [domain - youporn.com]
The researcher discovered a time based blind SQL injection on a POST login parameter...
Pornhub: RCE Possible Via Video Manager Export using @ character in Video Title
The researcher identified that it was possible to inject arbitrary characters into video titles, that when exported via video manager would result in client-side code execution. The researcher was successful in getting a pingback from a meterpreter shell on the victim's machine. Essentially using...
Ruby: Unintentional file creation caused at Tempfile with directory traversal
The Tempfile argument of basename can use ../ without escaping. Therefore, directory traversal may occur and unintended files may be generated. create file pattern log: vagrant@localhost $ ls . vagrant@localhost $ irb irb(main):001:0> require 'tempfile' => true irb(main):002:0>...
Enjin: Unrestricted Upload of File with Dangerous Type
The security researcher was able to execute CWE-434: Unrestricted Upload of File with Dangerous Type through a legacy API endpoint used to upload images. This file was directly uploaded to our CDN with the appropriate MIME type of the file...
Vanilla: XSS through chat messages
vulnerability name: cross-site scripting through chat messages vulnerability description: cross-site scripting is a vulnerability that allows an attacker to send malicious code (usually in JavaScript form) to another user. Because a browser cannot know if the script should be trusted or not, it will...
8x8: Sensitive data disclosure via exposed phpunit file
Several domains with the development phpunit configuration files exposed without proper restrictions...
Snapchat: Github Token Leaked publicly for https://github.sc-corp.net
Description: GitHub is a truly awesome service, but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services, as I was able to find a GitHub token indexed 7 hours ago by user ██████ - Software Engineer - Snap Inc. Issue & POC: You can find the leak at this link:...
Valve: SQL Injection in report_xml.php through countryFilter[] parameter
An unvalidated parameter on a partner reporting page (report_xml.php) could be used to read certain SQL data from a single backing database. Blind SQL Injection && Akamai WAF Bypass. Wait for the write-up ;...
VK.com: API: Bug in method auth.validatePhone
The bug is that auth.validatePhone does not validate the parameter "sid". In theory it should be in the format "2fa$userId$appId$hash", but to get the correct result (send SMS / make call) only "2fa$userId$anyText" is enough. For example, these requests will send an SMS:...
curl: CVE-2022-42916: HSTS bypass via IDN
Summary: HSTS checks are bypassed if any character in the IDN converts (Nameprep) to a '.', for example "。" (UTF-8: E3 80 82). I think there are other characters that become "." (UTF-8: 2E) as a result of converting with IDN. '。' (UTF-8: E3 80 82) is converted to '.', so it doesn't matter if it's last or not. So the sa...
Mail.ru: RCE Jira (CVE-2019-11581) [my-com.atlassian.net]
Hello, Summary: I found the domain my-com.atlassian.net is vulnerable to RCE in Jira (CVE-2019-11581) via the contact admin function. POC: on page https://my-com.atlassian.net/secure/ContactAdministrators!default.jspa use the payload in Subject & Request details...
Legal Robot: Registration Allows Disposable Email Addresses
Hello LegalRobot, I'd like to report a nice little bug. As I already gave a clear title, I think you understand this. Simply, LegalRobot allows disposable or temporary email addresses to register an account. Let me know if you have any questions. Thanks, Cheers, Anas...
Coinbase: Bypassing 2FA for BTC transfers
Under advanced settings, users have the ability to protect their wallet by requiring two-factor confirmation when sending bitcoins. Personally, I have configured my account with the most secure option, which requires two factor confirmation when sending any amount of bitcoins. However, a flaw...
U.S. Dept Of Defense: XSS vulnerability found in javascript code of https://███.mil
The XSS vulnerability was found in the JavaScript code of the website https://███.mil. The parameter "code" was not sufficiently sanitized, allowing the injection of malicious code. This vulnerability could have been exploited to execute arbitrary scripts in the context of the affected website...
Chaturbate: Add non-existent room moderator
Description: A broadcaster can add or remove a non-existent user as a moderator. This is submitted using the testbed as it wasn't possible to initiate a broadcast on the production site. Steps: 1. As a broadcaster, add a moderator to the broadcast (attachment 1). 2. Observe the request sent to the...
Mixmax: Blind SSRF due to img tag injection in career form
Hi, There is an SSRF vulnerability due to img tag injection in the career form. An attacker can inject multiple tags and perform multiple requests on remote hosts. POC: 1. Visit https://mixmax.com/careers. 2. Click on Apply now. 3. Insert an img tag in all the fields. 4. Click on Send Application. 5. Check...
Ruby on Rails: Rack parses encoded cookie names allowing an attacker to send malicious `__Host-` and `__Secure-` prefixed cookies
The rack cookie parser parses the cookie string using unescape. This allows a malicious attacker to set a second cookie with the name being percent encoded. Typically it would be expected that we cannot trust cookies and in most cases that's true. However in a couple of cases certain expectations...
h1-ctf: [h1-415 2020] H1-415 CTF Writeup by W--
H1-415 CTF Writeup Intro HackerOne kicked off this year's H1-415 CTF with the following tweet: F692033 Loading the target challenge website shows that the website is called My Docz Converter. A quick look at the challenge website shows that it allows users to register an account and then upload a...
Chaturbate: Open redirect in securegatewayaccess.com / secure.chaturbate.com via prejoin_data parameter
Summary: Hello, I have found that if there is a valid wegdigest parameter in the GET request to https://secure.chaturbate.com/post and other parameters are invalid, a Location header will be automatically constructed based on the contents of the prejoin_data parameter. This allows someone to...
Zomato: Self-Stored XSS - Chained with login/logout CSRF
NOTE! This report explains taking over an account in a single click by chaining stored XSS, WAF bypass, login and logout CSRF. Summary: An attacker can take over someone's account by stealing their Facebook / Google login tokens, chaining multiple vulnerabilities. Description: The attacker leaves a review...
Node.js third-party modules: Pixel flood attack causes the JavaScript heap to run out of memory
I would like to report a pixel flood attack in jimp. It allows flooding the memory and causing DoS by uploading a crafted 5kb image; the Jimp module will try to allocate 4128062500 pixels into memory. Module: module name: jimp, version: An image processing library for Node written entirely...
Mail.ru: api.icq.com / ability to message anyone (even icqsystem)
You can message any uin via an API request by using a cunning trick. We have the request api.icq.net/im/sendIM ?t=1 &mentions= &message=0 &f= &aimsid=003.3533131881.4023885996%3A740645342. We see the parameter ?t=1; if we try to send a message to it, alas, we won't succeed. But if we add 0 to the parameter...
Semrush: SSLv3 Poodle Attack on Ip Of semrush
Summary: POODLE SSLv3 bug on multiple servers Description: CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka...
U.S. Dept Of Defense: Unauthenticated Blind SSRF at https://█████ via xmlrpc.php file
An unauthenticated blind SSRF vulnerability was discovered on the xmlrpc.php file at a certain endpoint, allowing an attacker to send requests to external URLs and potentially conduct further attacks. Input validation and filtering are recommended to prevent such attacks in the future...
Internet Bug Bounty: CVE-2022-43551: Another HSTS bypass via IDN
Curl versions 7.77.0 to 7.86.0 were affected by a vulnerability (CVE-2022-43551) that allowed bypassing of the HTTP Strict Transport Security (HSTS) check, enabling attackers to trick curl into using HTTP instead of HTTPS. The vulnerability was caused by the use of IDN characters that get replaced to...
Liberapay: Failure to Invalidate Session after Password Change
Summary: While conducting my research I discovered that the application fails to invalidate sessions after a password change. In this scenario changing the password doesn't destroy the other sessions which are logged in with the old password. Reproduction Steps: - Login with the same account in Chrome and...
ecobee: CSTI on https://www.ecobee.com leads to XSS
Summary: Hi EcoBee team, the https://www.ecobee.com domain is vulnerable to Angular injection via CSTI, which leads to XSS. Steps To Reproduce: 1. Go to https://www.ecobee.com/?s=x%20=%20%27y%27:%27%27.constructor.prototype;%20x%27y%27.charAt=.join;$eval%27x=alert/Mik/%27; 2. XSS executed...
Internet Bug Bounty: Optionsbleed / CVE-2017-9798
The bug has been disclosed here: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html PoC code: https://github.com/hannob/optionsbleed Apache is currently preparing 2.4.28, which will contain the fix; a patch is available in their SVN repo...
HackerOne: www.hackerone.com website CSP "script-src" includes "unsafe-inline"
Summary: The HTTP header of the hackerone.com website includes an unsafe CSP parameter for "script-src". Description: The hackerone.com website https://www.hackerone.com has a Content-Security-Policy configured, as pointed out on the Bug Bounty page of their program: We utilize a strict Content...