HackerOne: www.hackerone.com website CSP "script-src" includes "unsafe-inline"
Summary: The HTTP header of the hackerone.com website includes an unsafe CSP parameter for "script-src". Description: The hackerone.com website https://www.hackerone.com has a Content-Security-Policy configured, as pointed out on the Bug Bounty page of their program: We utilize a strict Content...
curl: Credentials forwarded to HTTP after HTTPS→HTTP same-port redirect — url_set_data_creds uses scheme-blind comparator
Hi all, The recent creds: hold credentials refactor — commit 8f71d0fde5 2026-05-11 https://github.com/curl/curl/commit/8f71d0fde5 — introduced a credential-leak regression on HTTPS→HTTP same-port redirects. -u user:pass and --oauth2-bearer both end up in cleartext after a 302 from https://h:N/ to...
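As an added illustration of the comparator problem described in this report (example code written for this page, not curl's source), the Python below contrasts a host-and-port-only origin comparison with one that includes the scheme and refuses a TLS downgrade. The function names, the `h:8443` sample URLs and the downgrade rule are assumptions for the illustration.

```python
"""Added example (not curl's code): decide whether credentials set for the
original request may be forwarded to a redirect target.

same_origin_blind reproduces the scheme-blind comparison the report describes:
https://h:N and http://h:N compare equal, so -u / bearer credentials follow a
302 onto cleartext HTTP. same_origin_strict includes the scheme and refuses
any HTTPS->HTTP downgrade. Sample URLs are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """Return (scheme, host, port) for url, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin_blind(original, target):
    """Buggy (assumed model of the regression): compares host and port only."""
    _, h1, p1 = origin_tuple(original)
    _, h2, p2 = origin_tuple(target)
    return (h1, p1) == (h2, p2)


def same_origin_strict(original, target):
    """Fixed: the scheme is part of the identity, and HTTPS never downgrades."""
    s1, h1, p1 = origin_tuple(original)
    s2, h2, p2 = origin_tuple(target)
    if s1 == "https" and s2 != "https":
        return False
    return (s1, h1, p1) == (s2, h2, p2)


def should_forward_credentials(original, target, comparator=same_origin_strict):
    """Policy hook: credentials travel with the redirect only if the comparator agrees."""
    return comparator(original, target)


if __name__ == "__main__":
    orig, tgt = "https://h:8443/login", "http://h:8443/login"
    print("blind :", should_forward_credentials(orig, tgt, same_origin_blind))   # True  (leak)
    print("strict:", should_forward_credentials(orig, tgt, same_origin_strict))  # False
```

The explicit port matters for the demonstration: with default ports, `https://h/` and `http://h/` already differ on 443 versus 80, which is why the report calls out the same-port case specifically.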
Internet Bug Bounty: 1-byte heap buffer overflow in DNS resolver
Official announcement: http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html A security issue in nginx resolver was identified, which might allow an attacker to cause 1-byte memory overwrite by using a specially crafted DNS response, resulting in worker process crash or, potentially,...
Lichess: ImageId Format Injection in Image Upload Endpoint
The image upload endpoint in the Lichess application did not properly validate the 'rel' parameter, allowing an attacker to inject special characters that broke the expected format of the generated ImageId. This could have led to parsing issues in other parts of the application that relied on the...
Ian Dunn: SSRF Possible through /wordpress/xmlrpc.php
Hello, I have found an SSRF in iandunn.name through the xmlrpc.php API. I understand you've said in the past that this endpoint attracts junk reports, but this is a function which isn't disabled by disabling the endpoint, as I can prove with a proof of concept. There is a function using...
Aiven Ltd: 0-day Cross Origin Request Forgery vulnerability in Grafana 8.x.
Disclaimer To triage, please note that this is still a 0-day that was alerted to Grafana already, in order to make sure the client is safe I report this issue now, please make sure to not spread it further or leak it, as the best interest is to let you be aware and safer from any potential attack...
U.S. Dept Of Defense: (CORS) Cross-origin resource sharing misconfiguration
Description: Affected website: https://██████████/wp-json Impact Step-by-step Reproduction: 1. Send this request: GET /wp-json HTTP/1.1 Host: █████████ Connection: close Origin: http://evil.com Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 Windows NT...
Internet Bug Bounty: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.53 and prior versions...
Mattermost: [mattermost.com] CORS Misconfiguration leakage of admin users
Summary: CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and security posture of any domains granted access. It's possible to get information about the registered users such as: id,...
FormAssembly: scripts loader DOS vulnerability
1 vulnerability description WordPress allows users to load multiple JS files and CSS files through load-scripts.php files at once. For example, https://wpwebsite.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1, file load-scripts.php will load jquery-ui-core and editor...
U.S. Dept Of Defense: Unencrypted __VIEWSTATE parameter in a DoD website
Hi there, I realise that the information passed to the server in the subdomain http://████████ can be seen without any encryption through the __VIEWSTATE parameter. To reduce the chance of someone intercepting the information, the parameter should be encrypted due to the sensitivity of the information...
Internet Bug Bounty: UAF in OpenSSL up to 3.0.7
A use-after-free vulnerability was found in OpenSSL up to version 3.0.7 following BIO_new_NDEF calls. This could result in a crash when the BIO_pop function is called after BIO_new_NDEF fails and improperly cleans up the BIO chain. The vulnerability impacts the public API functions...
Chaturbate: Passive stored XSS at broadcast room
The hacker found that a specially crafted app name could insert a small amount of data into an A tag's href in the "Broadcaster is running these apps:" chat text. Because of the character limit this required multiple successive clicks on different app names, and in the example utilised the room...
Rockstar Games: Brute Force against VMware Horizon
In this report, the researcher discovered a VMware Horizon admin remote access login portal that was publicly accessible and not sufficiently protected against credential stuffing/brute force attacks. No user accounts were breached; all employees are required to use MFA to login through such...
Brave Software: Cross-origin resource sharing misconfiguration (CORS)
Hi! In this report I want to describe a high-level bug which can seriously compromise a user account. If I am authorized on this site, I can steal users' sessions, some personal information, or perform some actions. In my tests, I found the relevant vulnerability using different methods. I detected the COR...
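The three CORS reports above (the DoD /wp-json endpoint, mattermost.com and Brave) all hinge on a server echoing an attacker-supplied Origin header, with or without `Access-Control-Allow-Credentials: true`. As an added example that is not part of any of these reports, the Python below classifies a CORS response given the probe origin and the headers the server returned, and generates the probe origins a tester typically tries, including the suffix-matching mistake (`evilexample.com` passing a naive `endswith("example.com")` check) and the `null` origin. The trusted hosts, probe origins and response headers are constructed for the illustration.

```python
"""Added example (not from any of the reports above): classify a CORS response.

evaluate_cors takes the Origin a probe sent and the response headers, and
returns a finding label or None. is_trusted_origin shows the correct
suffix check (host equals a trusted host, or is a *dot*-separated subdomain
of one). All hosts and headers below are constructed sample data.
"""
from urllib.parse import urlsplit


def _host(origin):
    """Lower-cased host of an origin string; '' for 'null' or junk."""
    return (urlsplit(origin).hostname or "").lower()


def is_trusted_origin(origin, trusted_hosts):
    """True if origin's host is a trusted host or a subdomain of one.

    Note the '.' + t: a plain endswith(t) would accept 'evilexample.com'."""
    h = _host(origin)
    return any(h == t or h.endswith("." + t) for t in trusted_hosts)


def evaluate_cors(sent_origin, headers, trusted_hosts):
    """Return a finding string, or None if the response does not look exploitable."""
    hdr = {k.lower(): v for k, v in headers.items()}
    acao = hdr.get("access-control-allow-origin")
    creds = hdr.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return None
    acao = acao.strip()
    suffix = "-with-credentials" if creds else ""
    if acao == "*":
        # Browsers refuse '*' together with credentials, but it is still a config error.
        return "wildcard-with-credentials" if creds else None
    if acao == "null" and sent_origin == "null":
        # Sandboxed iframes and data: URLs send Origin: null, so this is attacker-reachable.
        return "null-origin-allowed" + suffix
    if acao == sent_origin and not is_trusted_origin(sent_origin, trusted_hosts):
        return "arbitrary-origin-reflected" + suffix
    return None


def probe_origins(target_host):
    """Origins worth sending against target_host (constructed list)."""
    return [
        "http://evil.com",                   # unrelated origin
        "null",                              # sandboxed / data: origin
        f"https://{target_host}.evil.com",   # defeats a startswith / prefix check
        f"https://evil{target_host}",        # defeats a bare endswith check
    ]


if __name__ == "__main__":
    trusted = ["example.com"]
    for origin in probe_origins("example.com"):
        # Constructed: a server that reflects whatever it is sent, with credentials.
        resp = {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
        print(origin, "->", evaluate_cors(origin, resp, trusted))
```

Run against real traffic, each probe origin would be sent as the `Origin` header of an otherwise identical request and the response fed to `evaluate_cors`; a reflected origin with credentials on an authenticated endpoint is the case the Mattermost report describes.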
Node.js third-party modules: [klona] Prototype pollution
I would like to report prototype pollution in klona. It allows adding an arbitrary property to the prototype while deep cloning an object. Module name: klona version: Hunter's comments and funny memes go here F690469 Impact: Denial of Service and possible Remote Code Execution by overriding object...
FormAssembly: formassembly.com is vulnerable to padding-oracle attacks.
Dear Formassembly bug bounty team, Summary --- formassembly.com is vulnerable to CVE-2016-2107, allowing remote attackers to obtain sensitive information via padding-oracle attacks. $ git clone https://github.com/FiloSottile/CVE-2016-2107.git $ go run main.go www.formassembly.com ... Vulnerable:...
Brave Software: Incorrect security UI of files' download source on brave MacOS
The incorrect display of the download source in the Brave download alert was identified. Instead of displaying the actual source of the downloaded file, the browser displayed the referrer header value, which could have misled users into believing the file was from a trusted source...
Acronis: Unrestricted file upload vulnerability in IMCE
Summary Steps To Reproduce POC 1. Go to "https://forum.acronis.com/" and create a user. 2. Click on edit profile, go to Signature and click on insert image using the IMCE file manager. 3. Now upload a PHP file and bypass the check by adding .gif in the endpoint. Recommendations...
h1-ctf: [h1-415 2020] @_bayotop h1-415-ctf writeup
TL;DR: Thanks for the challenge! 1. Abusing account recovery via QR codes to get access to [email protected]. 2. Blind XSS in /support/review/ including CSP bypass. 3. Missing input sanitization on name parameter when POSTing to /support/review/. 4. Access to remote debugging port on local...
QIWI: Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int
Summary This report describes a combination of two separate vulnerabilities in two separate services. This chain of vulnerabilities allows an unauthenticated attacker to run arbitrary code on a server inside the company's internal network. Vulnerability 1 Jira at https://jira.tochka.com is vulnerabl...
Brave Software: Torrent Viewer extension web service available on all interfaces
Summary: When files are downloaded via the Torrent Viewer, a local web service is spun up that allows the user to download the files. This web service listens on all interfaces, allowing anyone in the network to view what files are being downloaded, and download them from the user. This mostly...
Daimler Truck: Default credential to login at site management panel
Summary: Hi Team, during recon on Shodan I came across an IP pointing towards lre.daimlertruck.com. Here is the Shodan link: https://www.shodan.io/host/20.219.79.49. On port 8443 there was a login panel at https://20.219.79.49:8443/Site/ and using the default credentials admin/admin I was able to log in...
Chaturbate: CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS
Hi there, There's a CSS injection here: https://chaturbate.com/embed/admin/?bgcolor=%7D%7Bbackground:red&tour=nvfS&disablesound=0&campaign=iNSGX body, divmain, div.content, div.block, div.section margin: 0px; padding: 0px; body min-width:800px; div.content width: 100%; body background:...
curl: CVE-2020-8286: Inferior OCSP verification
cURL in /lib/vtls/openssl.c does not check that the certificate serial number in the stapled OCSP response matches the serial number of the peer certificate it is trying to validate. This results in a passed validity check even when connecting to a site that has had its...
U.S. Dept Of Defense: ███ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability
Summary: ████████ is vulnerable to Read-Only Path Traversal Vulnerability as described at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86 Description: Get request parameters at the /+CSCOT+/translation-table and the /+CSCOT+/oem-customization...
Glassdoor: 2FA bypass by sending blank code
Summary: █████████. This is a failure in the null check of the entered code. In simple terms, the 2FA while logging in can be bypassed by sending a blank code. This could be because of an incorrect comparison of the entered code with the true code. A pre-validation may be a null check before comparing the codes...
BlockDev Sp. Z o.o: Blind SSRF at https://chat.makerdao.com/account/profile
Blind SSRF at https://chat.makerdao.com/account/profile...
UPchieve: No Rate Limiting for Password Reset Email Leads to Email Flooding
There is "No Rate Limiting" implemented in sending the Password Reset Email. Thus, an attacker can use this vulnerability to bomb out the victim's email inbox. Affected URL: https://hackers.upchieve.org/resetpassword Steps to Reproduce: 1. Log in to: https://hackers.upchieve.org/ 2. Go to:...
Shopify: Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog
Hello, run requests in a loop with X-Forwarded-Host: yourhackerzsite.com. After some time you will notice yourhackerzsite.com in the response (F981839). Now remove X-Forwarded-Host; our URL is still there (F981841). I logged in to my VPS to verify this bug and downloaded the poisoned page...
Razer: OTP token bypass in accessing user settings
The tester was able to determine that the OTP token used by Razer ID was not being properly verified against the specific user which would allow an adversary to replay their own OTP token against a different user. If the adversary also had been able to obtain the user's login and password through...
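The Glassdoor blank-code bypass and the Razer OTP replay above are two failure modes of the same verification routine: accepting an empty submission, and accepting a code that was issued to a different user. As an added example (not either vendor's code), the Python below models a verifier with both weaknesses beside one that rejects blank input, binds the code to the user it was issued to, enforces expiry and single use, and compares in constant time. The store layout, function names and sample codes are constructed for the illustration.

```python
"""Added example (not Glassdoor's or Razer's code): second-factor code checks.

verify_vulnerable models the two weaknesses described in the reports, as an
assumed implementation; verify is the hardened version. The in-memory store
and the six-digit sample codes are constructed.
"""
import hmac
import time

# user_id -> {"code", "expires_at", "used"}: constructed in-memory store
issued = {}


def issue_code(user_id, code, ttl_seconds=300, now=None):
    """Record a freshly generated code for user_id (generation is out of scope here)."""
    now = time.time() if now is None else now
    issued[user_id] = {"code": code, "expires_at": now + ttl_seconds, "used": False}


def verify_vulnerable(user_id, submitted):
    """Assumed model of the reported bugs:
    - a user with no pending challenge falls back to an empty stored code, so a
      blank submission compares equal (the missing null check);
    - on mismatch the code is checked against every issued record, so a code
      issued to one user verifies for another (token not bound to the user)."""
    stored = issued.get(user_id, {"code": ""})["code"]
    if submitted == stored:
        return True
    return any(rec["code"] == submitted for rec in issued.values())


def verify(user_id, submitted, now=None):
    """Hardened check: non-blank, bound to user_id, unexpired, single-use, constant-time."""
    now = time.time() if now is None else now
    if not isinstance(submitted, str) or not submitted.strip():
        return False                      # blank or missing code never verifies
    rec = issued.get(user_id)
    if rec is None or rec["used"] or now > rec["expires_at"]:
        return False                      # only this user's fresh, unused challenge counts
    if not hmac.compare_digest(rec["code"].encode(), submitted.encode()):
        return False
    rec["used"] = True                    # burn the code on success
    return True


if __name__ == "__main__":
    issue_code("alice", "483920", now=1000.0)
    issue_code("bob", "117733", now=1000.0)
    print("blank code, no challenge (vulnerable):", verify_vulnerable("carol", ""))      # True
    print("alice's code used for bob (vulnerable):", verify_vulnerable("bob", "483920"))  # True
    print("blank code (hardened):", verify("carol", ""))                                  # False
    print("alice's code used for bob (hardened):", verify("bob", "483920", now=1001.0))  # False
    print("alice's own code (hardened):", verify("alice", "483920", now=1001.0))         # True
```

A production verifier would also count failed attempts per user and per source so that a six-digit code cannot simply be brute-forced within its lifetime; that check is orthogonal to the two bugs modelled here.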
Pornhub: IDOR - Access to private video thumbnails even if video requires password authentication
The researcher discovered an IDOR path which allows the user to view content and images from password-protected videos...
curl: CVE-2023-27537: HSTS double-free
A double-free vulnerability (CVE-2023-27537) existed in libcurl's HSTS (HTTP Strict Transport Security) implementation due to a lack of exclusion control when processing HSTS with multi-threading. This could lead to a use-after-free (UAF) issue when other threads access entries. An attacker could explo...
Nextcloud: Full path disclosure vulnerability via Upload .htaccess file
Hello Security team, I found a full path disclosure vulnerability via uploading a .htaccess file; see the POC video. Thanks. Impact: Sensitive File/Folder Information...
Internet Bug Bounty: CVE-2023-23915: HSTS amnesia with --parallel
Multiple transfers in parallel using curl's HSTS cache saving feature resulted in the cache file being overwritten by the most recently completed transfer, causing a later HTTP-only transfer to the earlier hostname to not get upgraded properly to HSTS, leading to a bypass of intended security...
U.S. Dept Of Defense: Public instance of Jenkins on https://██████████/ with /script enabled
Summary: An Amazon instance was found on https://█████/ running Jenkins. On analysing the SSL certificate, I reported here to the DoD. Description: On checking the SSL certificate, the details show: Issued To and Issued By records: CN: █████ Organization (O): █████████ Organizational Unit (OU): ███...
Rockstar Games: LFI and SSRF via XXE in emblem editor
This summary is provided by the researcher who submitted this report, @alexbirsan . About one year after I started messing with the emblem editor, I finally found a full SSRF and LFI. I was able to extract text files from the server and HTTP responses by rendering them on my crew emblem. For thos...
Internet Bug Bounty: Buffer overflow in req_parsebody method in lua_request.c
Software Versions: Ubuntu 18.04 32-bit, Apache 2.4.51 32-bit. Description: This bug is present in the "req_parsebody" method of the modules/lua/lua_request.c file. The lines of code below cause this bug. ... size_t vlen = 0; ... ... vlen = end - crlf - 8; buffer =...
GitHub Security Lab: CodeQL query to detect JNDI injections
This bug was reported directly to GitHub Security Lab...
h1-ctf: [h1-415 2020] I found Joberts missing file!
The key is: h1ctfy3s1mc0sm1cn0w My writeup is available unpublished at: https://p4fg.github.io/h14152020/ I might edit some styling but the main contents is there. The twist of my writeup is that tried to give a detailed account of EVERYTHING to allow new hackers to follow along my discoveries an...
LocalTapiola: OpenSSL Padding Oracle Attack (CVE-2016-2107) on viestinta.lahitapiola.fi
Hello Lahitapiola Security Team, I would like to make two reports: 1. Subdomain viestinta.lahitapiola.fi is vulnerable to CVE-2016-2107 . 2. All the Lahitapiola domains/subdomains in scope of bug bounty have weak cipher suites and are susceptible to various SSL related attacks. Subdomain...
HackerOne: HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com
The subdomain info.hackerone.com is vulnerable to HTTP header injection. I'm aware that you are only interested in critical issues affecting this subdomain. However, you may be interested in this issue as a vulnerability in this domain may affect the domain hackerone.com. The vulnerability is a...
GitHub Security Lab: CPP: Out of order Linux permission dropping without checking return codes
This bug was reported directly to GitHub Security Lab...
Imgur: Sourcemaps and Unminified Source Code Exposed on Pages
Hello, I'm not sure if this was actually meant to be made public on purpose, but I was looking through some of the sources that were loaded and found out the following: https://imgur.com/ - See ██████ s.imgur.com - desktop-assets - js contains multiple minified JS files as one would usually expec...
HackerOne: ImageMagick GIF coder vulnerability leading to memory disclosure
Hello HackerOne Security Team, well, we are aware of the ImageMagick GIF parser method to collect the pixels and then recover them to gain server information: https://github.com/neex/gifoeb. However, it has no impact on HackerOne since it's immune to GIF file upload functionality. So, .gif...
MariaDB: Path Traversal CVE-2021-26086 CVE-2021-26085
These vulnerabilities were found with https://trickest.com https://trickest.io CVE-2021-26085: ===================== https://jira.mariadb.org:/s/123cfx//;/WEB-INF/web.xml CVE-2021-26086: ===================== https://jira.mariadb.org/s/cfx//;/WEB-INF/web.xml Video explanation: -------------------...
Glovo: Moodle XSS on evolve.glovoapp.com
Cross Site Scripting XSS / Moodle XSS Summary : Cross-site scripting XSS is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by...
h1-ctf: [h1-415 2020] h1ctf{y3s_1m_c0sm1c_n0w}
Summary: Account takeover was possible because of the email validation used - [email protected] could be registered, but when the system created the recovery QR code the extra symbols would get stripped, leaving us with a valid recovery QR code to log into...
DuckDuckGo: DOM XSS on 50x.html page on proxy.duckduckgo.com
Hi, I read the report about DOM XSS on 50x.html page https://hackerone.com/reports/405191. I decided to check some other subdomains to be sure. This link still executes javascript: https://proxy.duckduckgo.com/50x.html?e=&atb=test%22/%3E%3Cimg%20src=x%20onerror=alert%27test%27;%3E The following...
X (Formerly Twitter): Sub Domain Takeover at mk.prd.vine.co
Hey, it looks like the EC2 instance at mk.prd.vine.co has been stopped and has now been assigned to someone else. Proof of Concept 1. http://mk.prd.vine.co/ a few days back didn't have port 443 open, but now it does. Response: 400 Bad Request (awselb/2.0). So it loo...