15369 matches found
Internet Bug Bounty: RCE vulnerability in apache-airflow-providers-apache-sqoop 3.1.0
A remote code execution vulnerability was found in the Apache Airflow Sqoop Provider before version 3.1.1, due to improper input validation in the libjars parameter, allowing attackers to execute arbitrary system commands on the machine performing the MR task...
Internet Bug Bounty: Linux kernel: CVE-2017-7308: a signedness issue in AF_PACKET sockets
Hi! CVE-2017-7308 is a vulnerability I found in the Linux kernel caused by a signedness issue in AF_PACKET sockets. It can be exploited to gain kernel code execution from an unprivileged process. The kernel has to be built with CONFIG_PACKET for the vulnerability to be present. A lot of modern...
Nextcloud: Nextcloud.com is vulnerable to SWEET32 attack
Researchers have found a new attack against the 3DES-CBC cipher in TLS, with which they can decrypt customer data using a method called the SWEET32 Birthday Attack. This vulnerability has been assigned CVE-2016-2183 and has a CVSS score of 5.0. This vulnerability can be found manually by simply using the nmap script nmap -Pn -p...
Daimler Truck: Blind xss at https://homologation.omniplus.com/
Hello team, I have found a blind XSS that leads to an exposed admin panel with cookie. Steps To Reproduce: 1- Navigate to https://homologation.omniplus.com/ 2- You will face a submit form containing 6 pages 3- At each input field you have to put your blind XSS payload; for me I used xss.report, just go there an...
h1-ctf: [h1-415 2020] Chain of vulnerabilities leading to account takeover and unauthorized access of sensitive internal resources
Note: Please read this report as "An attacker taking over a customer's account" and not as "helping Jobert recovering his document". Summary: Chaining the following issues lets an attacker access sensitive information: 1. Exposure of customer email and regex logic error leading to account takeover ...
GSA Bounty: Information disclosure (system username) in the x-amz-meta-s3cmd-attrs response header on federation.data.gov
Description Hi. I just noticed that you have extended the scope for the bounty program. I looked at the first resource - https://federation.data.gov/ I noticed that the x-amz-meta-s3cmd-attrs response header returns sensitive information, like system username:...
Paragon Initiative Enterprises: Non-secure requests are not automatically upgraded to HTTPS
Non-secure requests to bridge.cspr.ng e.g. http://bridge.cspr.ng/ are not automatically upgraded to HTTPS. This is not something you would notice when you use the latest version of modern web browsers such as Google Chrome or Firefox, because bridge.cspr.ng is HSTS preloaded. When a domain is...
Nextcloud: ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
Hello Team NextCloud, In reference to report 217381, I reported the DDoS attack via the DNS port at ownCloud, and it was successfully patched. But now I found the same issue at ci.nextcloud.com. Proof Of Concept: Here is the nmap result of ci.nextcloud.com. NMap Scan Results: Starting Nmap 7.40...
Mail.ru: [realty.mail.ru] XSS, SSI Injection
XSS === PoC Open with Internet Explorer https://blackfan.ru/x?r=https://realty.mail.ru/%22--%3e%3csvg/onload=alert(document.domain)%3e/%252e%252e Request GET /"--><svg/onload=alert(document.domain)>/.. HTTP/1.1 Host: realty.mail.ru Connection: close SSI Injection === PoC The Request-URI also ends up in the SSI code GET //"-- HTTP/1.1...
SHEIN: RCE via npm misconfig -- installing internal libraries from the public registry
The following node package has been installed on at least one shein owned build/development server directly from the public npm registry. https://www.npmjs.com/package/shineout-mobile This package should normally be downloaded from the internal shein registry, but a misconfiguration appears to ha...
PlayStation: Use-After-Free In IPV6_2292PKTOPTIONS leading To Arbitrary Kernel R/W Primitives
Summary Due to missing locks in option IPV6_2292PKTOPTIONS of setsockopt, it is possible to race and free the struct ip6_pktopts buffer, while it is being handled by ip6_setpktopt. This structure contains pointers (ip6po_pktinfo) that can be hijacked to obtain arbitrary kernel R/W primitives. As a...
MTN Group: SQL Injection on cookie parameter
Summary: Hello team. It seems one of the parameters in the cookies is vulnerable to SQL injection. The requests below have the lang parameter in cookies. If you inject one quote mark like '. You get an SQL error with the syntax. By injecting a second one the error goes away. I did not attempt to...
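The one-quote / two-quote test from this report, worked through in Python against a constructed in-memory SQLite table (added example, not the reporter's or MTN's code; the table, column names and cookie layout are assumptions). The vulnerable lookup concatenates the cookie value into the SQL text; the safe one binds it as a parameter.

```python
import sqlite3

def lang_from_cookie(cookie_header):
    """Pull the raw 'lang' value out of a Cookie header, as a naive application would."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "lang":
            return value
    return None

def make_db():
    # Constructed table standing in for the site's translation table (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE translations (lang TEXT, key TEXT, value TEXT)")
    db.executemany("INSERT INTO translations VALUES (?, ?, ?)",
                   [("en", "greeting", "Hello"), ("fr", "greeting", "Bonjour")])
    return db

def lookup_vulnerable(db, lang):
    """Concatenates the cookie value into the statement: the pattern the report describes."""
    sql = "SELECT value FROM translations WHERE lang = '" + lang + "' AND key = 'greeting'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, lang):
    """Bound parameter: the value can never change the structure of the statement."""
    sql = "SELECT value FROM translations WHERE lang = ? AND key = 'greeting'"
    return [row[0] for row in db.execute(sql, (lang,))]

def probe(db, lookup, cookie_header):
    """Apply the report's test: one quote should raise a syntax error, two quotes should not."""
    try:
        return ("ok", lookup(db, lang_from_cookie(cookie_header)))
    except sqlite3.Error as exc:
        return ("error", str(exc))
```

With the vulnerable lookup, `lang=en'` produces a syntax error, `lang=en''` runs cleanly (the doubled quote is a literal quote inside the string), and `lang=en' OR '1'='1` returns every row; the parameterised lookup returns an empty result for all three without ever raising.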
Internet Bug Bounty: mod_http2, memory corruption on early pushes (CVE-2019-10081)
HTTP/2 very early pushes, for example configured with H2PushResource, could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. Scenarios where an attacker may be ab...
WakaTime: JSON CSRF on POST Heartbeats API
Thanks @sp1d3rs! The WakaTime API used JSON for communications and supported cookie-based authentication/CSRF protection on https://api.wakatime.com. Usually, JSON is CSRF-safe, but only when requests with a content-type other than application/json get rejected or additional CSRF protection is in plac...
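The condition in this disclosure, shown as an added Python example (not WakaTime's code): an HTML form with enctype="text/plain" can deliver a JSON body cross-site with the victim's cookies, so a handler that parses the body as JSON without checking the Content-Type is CSRF-able. The origin constant, the field names and the attacker's form body are assumptions.

```python
import json
from urllib.parse import urlparse

SITE_ORIGIN = "https://api.wakatime.com"   # assumed origin of the API, for illustration

def attacker_form_body(name, value):
    """What a browser sends for <form enctype="text/plain"> with one field: name=value."""
    return f"{name}={value}"

def content_type_is_json(headers):
    media = headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    return media == "application/json"

def same_origin(headers):
    """True only when Origin (or Referer) names our own origin; a missing header fails closed."""
    for h in ("Origin", "Referer"):
        if headers.get(h):
            u = urlparse(headers[h])
            return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN
    return False

def heartbeats_lenient(headers, body):
    """Vulnerable: cookie session plus a body parsed as JSON regardless of Content-Type."""
    return ("accepted", json.loads(body))

def heartbeats_strict(headers, body):
    """Fixed: a plain HTML form can only send text/plain or form media types, and a
    cross-site XHR cannot send application/json without a CORS preflight, so the
    Content-Type check alone stops the form; the origin check covers misconfigured CORS."""
    if not content_type_is_json(headers):
        return ("rejected", "content-type")
    if not same_origin(headers):
        return ("rejected", "origin")
    return ("accepted", json.loads(body))

# Constructed cross-site request: the form field *name* carries the JSON and the '='
# the browser inserts between name and value is swallowed by a throwaway key.
CSRF_HEADERS = {"Cookie": "session=victim", "Origin": "https://attacker.example",
                "Content-Type": "text/plain"}
CSRF_BODY = attacker_form_body('{"heartbeats":[{"entity":"/tmp/x.py","time":1}],"pad":"', '"}')
```

The resulting body is `{"heartbeats":[...],"pad":"="}`, which is valid JSON; the lenient handler accepts it with the victim's session, the strict one rejects it on Content-Type before the body is ever parsed.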
MTN Group: Password reset token leak on third party website via Referer header [cloudivr.mtnbusiness.com.ng]
Summary: F1426175 It has been identified that the application is leaking the referrer token to third party sites. In this case it was found that the password reset token is being leaked to third party sites, which is an issue given that it can allow any malicious user to use the token and...
U.S. Dept Of Defense: Blind Stored XSS on ███████ leads to takeover admin account
Hello Team, I am Hemant Patidar, working as a security researcher, and I found a bug in your site. The report of the bug is as follows:- Vulnerable URL: https://████████/ Description: I have found that various fields of the profile page are not properly configured to wipe out HTML tags and Javascript code...
Kubernetes: No valid SPF record found
Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more...
New Relic: Insecure transition from HTTP to HTTPS in form post
Vulnerability description:- This form is served from an insecure HTTP page. This page could be hijacked using a man-in-the-middle attack and an attacker can replace the form target. This vulnerability affects:- /selfies/submit. Attack details:- Form name: "form144" Form action:...
HackerOne: Race condition allows to send multiple times feedback for the hacker
Summary: Hello team! We've found out that programs should be able to send feedback only once per report, which is very logical. However, the program user is able to send multiple parallel requests, which leads to a race condition and sends multiple feedbacks to the hacker...
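The race in this report is a check-then-insert done as two separate database statements. The added Python example below (not HackerOne's code; the table, the "one feedback per report per program user" key and the handler shapes are assumptions) models two parallel requests deterministically with generators: every handler runs up to its existence check, then all of them resume and insert. The fix is to make the database enforce uniqueness so there is nothing to race.

```python
import sqlite3

def make_db(enforce_unique):
    """Constructed feedback table; enforce_unique adds the constraint the fix relies on."""
    db = sqlite3.connect(":memory:", isolation_level=None)   # autocommit, like separate requests
    unique = ", UNIQUE (report_id, program_user)" if enforce_unique else ""
    db.execute(f"CREATE TABLE feedback (report_id INTEGER, program_user TEXT, rating TEXT{unique})")
    return db

def count(db, report_id, user):
    row = db.execute("SELECT COUNT(*) FROM feedback WHERE report_id = ? AND program_user = ?",
                     (report_id, user)).fetchone()
    return row[0]

def submit_check_then_insert(db, report_id, user, rating):
    """Vulnerable handler: the existence check and the insert are two statements."""
    if count(db, report_id, user):
        return "already submitted"
    yield "checked"                 # the window a parallel request exploits
    db.execute("INSERT INTO feedback VALUES (?, ?, ?)", (report_id, user, rating))
    return "submitted"

def submit_atomic(db, report_id, user, rating):
    """Fixed handler: let the UNIQUE constraint decide; the second insert fails, not the check."""
    yield "checked"                 # same interleaving point, but nothing was read here
    try:
        db.execute("INSERT INTO feedback VALUES (?, ?, ?)", (report_id, user, rating))
    except sqlite3.IntegrityError:
        return "already submitted"
    return "submitted"

def run_concurrently(handlers):
    """Advance every handler to its yield, then resume them all: the worst-case interleaving."""
    results, live = [], []
    for h in handlers:
        try:
            next(h)
            live.append(h)
        except StopIteration as done:
            results.append(done.value)
    for h in live:
        try:
            next(h)
        except StopIteration as done:
            results.append(done.value)
    return results
```

Three parallel check-then-insert requests all see zero rows and all succeed; with the constraint in place exactly one insert wins and the others get the "already submitted" answer the check was supposed to give.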
Rocket.Chat: Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution
Summary: The users.list API endpoint is vulnerable to NoSQL injection attacks. It can be used to take over accounts by leaking password reset tokens and 2FA secrets. Taking over an admin account leads to Remote Code Execution. Description: The users.list API endpoint takes a custom query via the...
Shopify: xss triggered in "myshopify.com/admin/product"
I tried to make a product description and add the XSS script in the paragraph. Steps for reproduction: 1. Create a new product 2. Enter XSS in the product description paragraph, such as: nameproduct Impact: XSS can be triggered...
Chaturbate: A 10GB file is reachable
Summary A 10GB file is accessible on the following server: http://edge193.stream.highwebmedia.com:8080/. Steps To Reproduce: 1. Open the following link: http://edge193.stream.highwebmedia.com:8080/download Additional notes: I tried to download the file and analyze it, but after 20 seconds the...
HackerOne: Blind SSRF on errors.hackerone.net due to Sentry misconfiguration
Summary: When setting up Sentry you should turn off "source code scraping". If it is turned on, then the server that has Sentry on it will make blind GET requests everywhere, controlled from outside via error reporting. Description: Hello Hackerone team. In your CSP I found the ?sentry_key parameter, so I...
hostinger : 1 Click Account Takeover via Auth Token Theft on marketing.hostinger.com
The vulnerability discovered in the marketing.hostinger.com subdomain allowed for one-click account takeover through the theft of authentication tokens. An attacker could exploit the whitelisted redirect functionality of the subdomain to steal a victim's authentication token, which could then be...
TikTok: Unauthorized Access to TikTok Account [Private Videos] via API Endpoint
The vulnerability on a TikTok endpoint that allowed unauthorized viewing of videos from private accounts was discovered and reported by @datph4m. The issue was subsequently remediated...
MTN Group: Wordpress users Disclosure [ /wp-json/wp/v2/users/ ]
Summary: Using the REST API, we can see all the WordPress users/authors with some of their information, which can even be personal information of employees/authors. The file v2/users at: https://www.mtn.com/wp-json/wp/v2/users/ is enabled and this gives the attacker many user names like: Amogelang...
Uber: Google Maps API Key Leakage
Google allows developers/vendors to restrict the usage of these keys in several different ways, as can be read here: https://developers.google.com/maps/api-key-best-practices...
Basecamp: Password reset link not expiring after changing password in settings
@blackbibin reported password reset link not expiring when password was updated from an active session, by going to the Account's Login & Security setting. We were only expiring password reset links when the password was updated through a password reset request. Now we expire password reset links...
GitHub Security Lab: [Java] CWE-327: Add more broken crypto algorithms
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CodeQL query to detect open Spring Boot actuator endpoints
This bug was reported directly to GitHub Security Lab...
Node.js: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests
Summary: Node.js is vulnerable to HTTP denial of service (DoS) attacks based on delayed request submission, which can make the server unable to accept new connections. Description: An attacker can open an arbitrary number of HTTP connections and keep the server busy by never completing the request...
Open-Xchange: Command Injection via STARTTLS in SMTP
During our research into the security of email servers at Münster University of Applied Sciences, we found a command injection vulnerability related to STARTTLS in Dovecot. See the attached advisory for details. The vulnerability allows a MITM attacker between a mail client and Dovecot to inject...
Internet Bug Bounty: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522)
A vulnerability was found in Apache HTTP Server's mod_proxy_uwsgi, affecting versions 2.4.30 through 2.4.55. The issue allowed special characters in the origin response header to truncate or split the response forwarded to the client, potentially resulting in security headers being ignored by the...
8x8: Disclosure of Users Information On Wordpress Api [https://jitsi.org/]
Jitsi was running a default WordPress site that had not yet been hardened to prevent user enumeration via the API...
New Relic: Internal Ports Scanning via Blind SSRF
Introduction: I found a Blind SSRF issue that allows scanning internal ports. How to reproduce: Go to https://rpm.newrelic.com/accounts//notificationchannels?type=WebhookIntegration F215718 Fill the input. In the web hook URL section, fill: http://:/. Send the request. Look up the response. If...
LocalTapiola: /icons/README available on viestinta.lahitapiola.fi
Basic report information Summary: Informational message that the file http://viestinta.lahitapiola.fi/icons/README exists. Description: http://viestinta.lahitapiola.fi/icons/README exists. Domain: http://viestinta.lahitapiola.fi/ Browsers / Apps Verified In: any browser any client Steps To...
Ruby on Rails: JSON keys are not properly escaped
Rails does not escape hash keys properly in to_json when generating JSON. Values are escaped as expected: irb(main):001:0> {"a"=>"<>"}.to_json => "{\"a\":\"\u003c\u003e\"}" However keys are not: irb(main):002:0> {"<>"=>"a"}.to_json => "{\"<>\":\"a\"}" This is because the json gem calls .to_s on the keys here, which...
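Why a key that escapes the HTML-significant characters only in values is not enough, as an added Python illustration (this is not Rails or the json gem; it re-implements the bug class and its fix in a small serialiser). With escape_keys=False, string values get the \u003c-style escaping but keys pass through as plain JSON strings, which is exactly the asymmetry in the irb session above; when such JSON is inlined in a script element, a key containing </script> terminates the element. The attacker key and the page template are constructed for the example.

```python
import json

# Characters that let JSON inlined into <script> alter the surrounding HTML.
_UNSAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}

def _escape_html_chars(json_text):
    """Replace <, > and & in already-valid JSON text with their \\u escapes (still valid JSON)."""
    for ch, esc in _UNSAFE.items():
        json_text = json_text.replace(ch, esc)
    return json_text

def dump(obj, escape_keys):
    """Serialise like an HTML-safe to_json. escape_keys=False reproduces the reported bug:
    string values are escaped, hash keys are emitted with plain json.dumps(str(key))."""
    if isinstance(obj, dict):
        parts = []
        for k, v in obj.items():
            key = json.dumps(str(k))
            if escape_keys:
                key = _escape_html_chars(key)
            parts.append(key + ":" + dump(v, escape_keys))
        return "{" + ",".join(parts) + "}"
    if isinstance(obj, (list, tuple)):
        return "[" + ",".join(dump(v, escape_keys) for v in obj) + "]"
    if isinstance(obj, str):
        return _escape_html_chars(json.dumps(obj))
    return json.dumps(obj)          # numbers, booleans, None

def inline_script(data, escape_keys):
    """The common pattern that makes this matter: JSON dropped into a page as a JS literal."""
    return "<script>var data = " + dump(data, escape_keys) + ";</script>"

def script_closed_early(html):
    """The HTML tokenizer ends a script element at the first '</script', wherever it appears."""
    return html.lower().count("</script") > 1
```

Escaping the key as well keeps the JSON semantically identical (\u003c still decodes to <) while guaranteeing the serialised text contains no < or > at all, so there is nothing for the HTML parser to latch onto.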
ReddAPI: Login page password-guessing attack
Hello team of Reddapi! Here to report a vulnerability on your site. Affected site: www.reddapi.com Vulnerability: Login page password-guessing attack Severity: Low. Vulnerability description: A brute-force attack is an attempt to discover a password by systematically trying every possible...
XVIDEOS: Enable 2FA without verifying the email
A vulnerability in xvideos.com allows an attacker to register using victim email addresses which are unverified. This can be further exploited to enable two-factor authentication 2FA, permanently locking the victim out of their own email account. This results in a denial-of-service attack against...
U.S. Dept Of Defense: CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.
Summary: The affected IP: █████ Here is a POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower. For example, to read the "/+CSCOE+/portal_inc.lua" file: ████/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ Suggested...
Kubernetes: Private IP addresses Disclosure
The following URL leaks the Private IP Addresses:- kubernetes.io/feed.xml The following Server’s Cluster RFC 1918 IP addresses were disclosed in the response: • 10.1.2.3 • 10.104.207.136 • 10.224.0.0 • 10.250.0.0 • 10.250.112.0 • 10.250.96.0 • 10.55.252.216 • 10.96.0.0 • 10.96.0.1 • 10.96.15.180 ...
Node.js third-party modules: Bypass of SSRF Vulnerability
Bypass of SSRF report https://hackerone.com/reports/793704 The fix applied after the actual report did not prevent the SSRF issue. https://github.com/TryGhost/Ghost/commit/47739396705519a36018686894d1373e9eb92216#diff-3aa52b4b8c6e0fb8422de65648e35887R101 The function fetchOembedData only...
Palo Alto Software: Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/
Summary: I came across this subdomain https://webtools.paloalto.com/ which caught my attention; after a bit of enumeration I found an endpoint which allows anyone to access PageSpeed Global Admin without any type of authentication. Vulnerable URL: https://webtools.paloalto.com/pagespeed-global-admin/...
Liberapay: Full Path disclosure on 500 error
On manipulating the cookie + parameter: gitHub, a 500 error is returned disclosing the path of Python files. Error below: Traceback (most recent call last): File "/opt/python/run/venv/local/lib/python3.6/site-packages/state_chain.py", line 328, in loop new_state = function(**deps.as_kwargs) File...
MariaDB: scripts loader (denial of service) vulnerability
1. Vulnerability description: WordPress allows users to load multiple JS files and CSS files through the load-scripts.php file at once. For example, https://wpwebsite.com/wp-admin/load-scripts.php?c=1&load=jquery-ui-core,editor&ver=4.9.1, file load-scripts.php will load the jquery-ui-core and editor files...
Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding
Summary: The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). Description: When Node receives the following request: GET / HTTP/1.1 Transfer-Encoding: chunked , identity 1 a 0 it...
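The parsing difference behind this report, as an added Python example (not llhttp or Node code): a folded header line (obs-fold, RFC 7230 section 3.2.4) belongs to the preceding field, so the real value is "chunked , identity" and a server must refuse it, whereas a parser that treats each line independently sees a clean "chunked" and frames the body differently from the front-end, which is the disagreement request smuggling needs. The sample request is constructed from the one quoted in the report; the Host value is an assumption.

```python
def _split_head(raw):
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]          # drop the request line

def parse_headers_naive(raw):
    """Models the bug: every line is a fresh 'name: value'; a continuation line has no
    colon and is silently dropped, so Transfer-Encoding looks like a plain 'chunked'."""
    headers = {}
    for line in _split_head(raw):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_headers_strict(raw):
    """Unfold obs-fold lines into the preceding field, then refuse any Transfer-Encoding
    that is not exactly 'chunked' (and refuse a duplicate Transfer-Encoding outright)."""
    unfolded = []
    for line in _split_head(raw):
        if line[:1] in (" ", "\t"):
            if not unfolded:
                raise ValueError("continuation line before the first header")
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    headers = {}
    for line in unfolded:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name == "transfer-encoding" and name in headers:
            raise ValueError("duplicate Transfer-Encoding")
        headers[name] = value.strip()
    te = headers.get("transfer-encoding")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(",")]
        if codings != ["chunked"]:
            raise ValueError(f"unsupported Transfer-Encoding: {te!r}")
    return headers

def framing(headers):
    """Which body framing a server would apply; two hops choosing differently is HRS."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "none"

# Constructed request modelled on the report: 'chunked' followed by a folded ', identity'.
FOLDED_TE = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
             "Transfer-Encoding: chunked\r\n , identity\r\n\r\n1\r\na\r\n0\r\n\r\n")
```

The naive parser accepts the request and reads the body as chunked; the strict parser unfolds the header to "chunked , identity" and rejects it, which is the only safe answer when the other hop might read it as non-chunked.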
Mail.ru: SMTP Header Injection at http://abonement.ucs.ru
It was possible to abuse the functionality of abonement.ucs.ru to send messages to arbitrary e-mail via CRLF injection vulnerability...
Quora: [controlsyou.quora.com] 429 Too Many Requests Error-Page XSS
Summary: XSS on the error page when the user makes too many requests. Steps To Reproduce 1. Make a lot of requests to get the 429 error 2. Open the PoC in Firefox https://controlsyou.quora.com/'-alert(document.domain)-' HTTP Response ... ga('set', 'dimension1', 'board-'-alert(document.domain)-''); ga('set',...
Nextcloud: Admin audit is not properly logging unsetting of expiration date
In relation to https://hackerone.com/reports/1177353 1. Enable the audit log 2. Share a file 3. Set an expiration date. So far all looks good in the log 4. Unset the expiration date. 5. See a pretty useless log line Impact The audit log is used to get a full trail of the actions, which is now...
Uber: Pixel flood attack in https://riders.uber.com/profile
Hi, It is the exact issue described here: https://hackerone.com/reports/390 Where uploading lottapixel.jpg it causes your service to time out HTTP/1.1 504 Gateway Time-out Server: nginx Date: Wed, 30 Mar 2016 02:29:22 GMT Content-Type: text/html; charset=utf-8 Content-Length: 13928 Connection:...