RBKmoney: Information Disclosure - Composer.lock
Non-sensitive information disclosure via composer.lock...
RATELIMITED: xss in /users/[id]/set_tier endpoint
Summary: add summary of the vulnerability Hello there! I found an XSS since you forgot to add the JSON content-type response header right there: https://github.com/gtsatsis/RLAPI-v3-OOP/blob/508d3c610ccc9076753bdc81151a5e8d76871a3e/src/Controller/UserController.php#L93 The tier parameter is...
Chaturbate: No rate limiting in changing room subject.
Before I shed more light on this: I noticed I can create over 200 apps, but I don't really know how valid that was. I want to report that there is no rate limiting in changing room subject. Attacker scenario: 1. Navigate to https://chaturbate.com/b/your username 2. Try to create a room subject and...
Node.js: HTTP Request Smuggling due to ignoring chunk extensions
Summary: The llhttp parser in the http module in Node 16.3.0 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling HRS when a Node server is put behind an Apache Traffic Server ATS 9.0.0 proxy. Description: In the chunked transfer encoding format...
IRCCloud: Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE
Summary: During my reconnaissance for your bug bounty program, I discovered an instance of nginx version 1.4.6 running at the IP address https://54.153.101.52. To locate it, I searched for IRCCloud-related certificates and found the self-signed certificate for this server...
h1-ctf: [h1ctf-Grinch Networks] MrR3b00t Saving the Christmas
Disclaimer: Certain things are a bit modified to set the pieces for the story. Also you can find the flags for all 12 challenges in file F1138300. Now enjoy: MR. ROBOT saves the Christmas Episode - 0x00 Pil0t.py It was a gloomy clear night,...
Showmax: Wordpress directories/files visible to internet
A misconfiguration caused two directories to be listable in our marketing blog that runs on WordPress. As the domain is out of scope of our program and the uploaded files include marketing material, it had no serious impact...
Node.js third-party modules: [exceljs] Possible XSS via cell value when worksheet is displayed in browser
Hi Team, I would like to report a Stored XSS vulnerability in the exceljs module. It allows executing JavaScript code embedded in the XLS sheet when data from the sheet are displayed in the browser. Module name: exceljs version: 1.4.6 npm page: https://www.npmjs.com/package/exceljs Module...
Shopify: SSRF in Exchange leads to ROOT access in all instances
The Exploit Chain - How to get root access on all Shopify instances 1 - Access Google Cloud Metadata - 1: Create a store partners.shopify.com - 2: Edit the template password.liquid and add the following content: html...
Solana BBP: Public and secret api key leaked via Solana BBP github repo
Summary: Most often developers, for their ease of use, leave API keys and some sensitive keys and tokens as hardcoded strings, which isn't really a good idea as it can result in leaks of sensitive information getting into the wrong hands, which indeed can result in data theft and tampering with how the...
GitHub Security Lab: XPath Injection query in java
This bug was reported directly to GitHub Security Lab...
HackerOne: Login page password-guessing attack
A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. hackerone.com page doesn't have any protection against password-guessing attacks brute force...
Node.js: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding)
A timing side-channel vulnerability in the crypto library's privateDecrypt API allowed attackers to remotely exploit and decrypt or forge signatures when processing encrypted messages...
Stripe: Fee discounts can be redeemed many times, resulting in unlimited fee-free transactions
A fee discount offer on Stripe transactions could be redeemed multiple times, resulting in unlimited fee-free transactions. The vulnerability allowed the attacker to call the /ajax/acceptfeediscountoffer endpoint multiple times, applying the discount each time. The impact was unlimited fee-free...
Bumble: Bumble API exposes read status of chat messages
Summary: The Bumble app allows matches to chat with each other. In the mobile apps it is possible to see whether a message has been delivered (the webapp does not offer this feature), but the read status of messages is never disclosed. However, by issuing a POST request to the API endpoint at...
Flickr: Information Disclosure: .dockerignore file is publicly accessible
Vulnerability description not provided...
Courier: Logout page does not prevent CSRF
Summary: Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. ... If the victim is an administrative account, CSRF can compromise the entire web application. Steps To Reproduce: 1.Create a...
Legal Robot: SSL BREACH attack (CVE-2013-3587)
Hello security team, The site legalrobot.com is potentially vulnerable to the BREACH attack. Allowing an attacker the ability to: - Inject partial chosen plaintext into a victim's requests - Measure the size of encrypted traffic - can leverage information leaked by compression to recover targeted...
OneWeb: Vulnerable Jira Instance
Multiple information exposure vulnerabilities were identified in a Jira Server instance: unauthenticated access to APIs and system browser functions. @lesleybw found multiple CVEs and exposures on a Jira instance owned by OneWeb 1...
Bumble: Email Spoofing
There is an Email Spoofing Vulnerability. Steps to reproduce: 1. Go to http://emkei.cz/ 2. Fill the "From Email" field with [email protected] or any other badoo email. 3. Fill the victim's address (your address) into the "TO" field and fill in other details as you wish. You will receive an email from badoo admin...
Pornhub: [IDOR] Deleting other users comment
Hello, Normally you cannot delete comments if you post on someone's stream, and I have found a way to delete others' comments. PoC: https://youtu.be/mxEE9vcxKA Let me know if you cannot reproduce it! Thanks! Mikko...
X (Formerly Twitter): IDOR- Activate Mopub on different organizations- steal api token- Fabric.io
Hello, There is an option to enroll your organization in fabric.io for mopub, but this particular endpoint is missing proper authorization checks, allowing any user to steal API tokens. Vulnerable request: POST /api/v3/organizations/5460d2394b793294df01104a/mopub/activate HTTP/1....
GitLab: RCE when removing metadata with ExifTool
Summary: When uploading image files, GitLab Workhorse passes any files with the extensions jpg|jpeg|tiff through to ExifTool to remove any non-whitelisted tags. An issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing f...
ownCloud: SMB User Authentication Bypass and Persistence
Authentication Bypass: The external user authentication app in ownCloud does not properly authenticate against an SMB server. In its current implementation, the file owncloud/apps/userexternal/lib/smb.php, lines 46-47, uses the command smbclient -L //host/dummy -Uuser%pass, where...
InnoGames: Cache Poisoning via uppercase letters in invalid path
Summary of the issue: A cache poisoning vulnerability appears in requests to innogames.com. The issue arises when the language path parameter from the URL gets processed on the backend to become lowercase. Then, if a path provided in X-Forwarded-Host does not exist on the server, a 301 response is...
Nord Security: Arbitrary Set-Cookie via "?coupon=" due to semi-colon not encoded
Related to , the separator in the cookie header is the semicolon ; and this issue is caused by the semicolon ; not being encoded, so the attacker can arbitrarily manipulate cookies. Arbitrary set-cookie will cause several problems like: - Session Fixation - Cookie Bomb (Client-Side DoS) - Etc. Vulnerable Endpoin...
Razer: Expired reCAPTCHA site key leads to Rate Limit Bypass and Email Enumeration
The tester discovered a configuration issue involving Google reCAPTCHA that would allow adversaries to enumerate valid email addresses for users. While minor, Razer appreciates the report and clear PoC...
Mail.ru: [iot-hackathon.geekbrains.ru] Tilda Subdomain Takeover
iot-hackathon.geekbrains.ru subdomain was delegated to tilda.cc service, which is vulnerable to takeover...
Khan Academy: Cross site scripting (content-sniffing)
Your website may be vulnerable to cross site scripting attacks HTTP request: GET...
Node.js: url.parse() hostname spoofing via javascript: URIs
Summary: Using url.parse in security sensitive checks is dangerous as an arbitrary hostname can be spoofed via javascript: URIs. Description: The original url.parse API is dangerous as it allows to spoof an arbitrary hostname via a javascript: URI: bash $ node -e...
curl: Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4
Curl is software that I love and is an important tool for the world. If my report doesn't align, I apologize for that. The Curl_inet_ntop function is designed to convert IP addresses from binary format to human-readable string format, supporting both IPv4 and IPv6. It internally delegates to...
Enjin: Reset password policy isn't consistent with registration / change password policy.
The security researcher identified that the password policy on the reset password page wasn't consistent with the policy set forth on the registration and change password pages. The minimum length on the reset password page was only 6 characters, whereas the other pages require a minimum...
Pornhub: Reflect XSS on Mobile Search page
The user was able to exploit the 'search' parameter being reflected in the page body in order to execute reflected XSS within the context of Redtube. Many developers assume that adding slashes before double quotes protects against XSS. However, in the DOM, adding slashes does not prevent XSS...
Open-Xchange: SSL Certification Expired And TLS Vulnerability
I found an expired SSL certificate at https://licenses.dovecot.fi/ I found vulnerability CVE-2016-2183 on lists.dovecot.fi CVE-2016-2183 Description: A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover...
curl: [Critical] Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet
Vulnerability description not provided...
h1-ctf: [H1-2006 2020] Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or using a custom API attack tool
H1-2006 CTF Writeup F859938 Summary: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of...
Pornhub: HTTP Track/Trace Method Enabled
Researcher identified that HTTP TRACE method was enabled...
Internet Bug Bounty: Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse
Full background information is at krackattacks.com and all detailed information can be found in our research paper. Key Reinstallation Attack: 4-way handshake example We use the 4-way handshake to illustrate the idea behind key reinstallation attacks CVE-2017-13077. Note that in practice, all...
Mail.ru: [ii.worki.ru ] emarsys subdomain takeover
Hi team, I found a subdomain takeover vulnerability in the ii.worki.ru subdomain. ii.worki.ru is delegated to emarsys.net, which is vulnerable to takeover. CNAME: ████████ Name: ii.worki.ru Type: CNAME When you visit https://ii.worki.ru it redirects to █████████ which is the emarsys.net servi...
h1-ctf: [h1-415 2020] Multiple vulnerabilities leading to leaking of secret user files
Hello, I'm just submitting both flags for CTF, will send my write up on hacker summary, since it's 7:00 am now :. Original flag for CTF: h1ctfy3s1mc0sm1cn0w Extra flag for unintended account takeover: h1ctfwtf1shapp3ningw1thth1ss1mulat1on Sincerely, @nukedx Impact By chaining multiple...
TikTok: IDOR delete any Tickets on ads.tiktok.com
An IDOR Insecure Direct Object Reference vulnerability was found on TikTok ads, through the "draftorderid" parameter which could have allowed an attacker to delete the support tickets of other users. We thank @datph4m for reporting this to our team and confirming its resolution...
h1-ctf: [h1-415 2020] finally
add or chars behind Jobert's email, which leaks on the login page 2. register a new account using that email 3. sign out and use the recover feature with the just generated QR code. This will get you into Jobert's account 3. head to /support and submit a blind XSS payload which extracts the...
Nord Security: DoS of https://nordvpn.com/ via CVE-2018-6389 exploitation
There is a possibility in the /wp-admin/load-scripts.php script to generate a large (3 MB) amount of data via a simple unauthenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389 Details: A detailed attack scenario is described, for example, here:...
GitHub Security Lab: Java : CWE-548 - J2EE server directory listing enabled
This bug was reported directly to GitHub Security Lab...
Shopify: xss stored
A stored XSS is found in the customer notes; login is required. It is in the customer notes field. POC https://macken22jorg.myshopify.com/admin/customers https://macken22jorg.myshopify.com/admin/customers/2901321318444...
Visma Bug Bounty Program: Unrestricted file upload when creating quotes allows for Stored XSS
An attacker is able to bypass the restrictions which limit user uploads to .PDF only. Utilizing this exploit, an attacker can upload malicious content to the web server. First the system checks the MIME type, and if it fails to match Content-Type: application/pdf then the upload won't be processe...
Whisper: Host Header Injection/Redirection
whisper.sh is vulnerable to host header injection because the host header can be changed to something outside the target domain (i.e. whisper.sh) and cause it to redirect to that domain instead; see below. Attack vectors are somewhat limited but depend on how the host header is used by the back-e...
Revive Adserver: Open redirect in ck.php and lg.php
An opportunity for open redirects has been available by design since the early versions of Revive Adserver's predecessors in the impression and click tracking scripts to allow third party ad servers to track such metrics when delivering ads. Historically the display advertising industry has...
Nextcloud: SQL Injection found in NextCloud Android App Content Provider
Using Drozer, we identified that com.nextcloud.client is vulnerable to SQL Injection. Here is the output from drozer: dz> run scanner.provider.injection -a com.nextcloud.client Scanning com.nextcloud.client... Not Vulnerable: content://com.nextcloud.android.providers.UsersAndGroupsSearchProvider...
Pornhub: Unsecured Kibana/Elasticsearch instance
The researcher has found an insecure Kibana instance accessible to the public. A publicly accessible Kibana instance was identified. This vulnerability was discovered using the infrastructure monitoring platform BugLabs.me - http://buglabs.me...