Internet Bug Bounty: GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability
GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. Original disclosure:...
Uber: Golang expvar Information Disclosure
Package expvar provides a standardized interface to public variables, such as stack trace information and operation counters in servers...
GitHub Security Lab: Java: CWE-297 Insecure JavaMail SSL configuration
This bug was reported directly to GitHub Security Lab...
Open-Xchange: Blind XXE via Powerpoint files
Summary During the parsing of Powerpoint files it seems that it is possible to include an XXE payload which will be executed on the Open-XChange server. I was able to identify which files exist on the server, and cause the server to make arbitrary requests to my own server, and I am pretty sure it is al...
ownCloud: Remote Code Execution on ownCloud instances with ImageMagick installed
A vulnerability in ownCloud instances with ImageMagick installed allowed attackers to execute arbitrary code on the system by uploading a specially crafted file and knowing the file path of a previously uploaded file. The vulnerability was due to the usage of ImageMagick for preview generation fo...
curl: CVE-2022-27776: Auth/cookie leak on redirect
Summary: Curl can be coaxed to leak Authorisation / Cookie headers by redirecting request to http:// URL on the same host. Successful exploitation requires that the attacker can either Man-in-the-Middle the connection or can access the traffic at the recipient side for example by redirecting to a...
New Relic: Verification Link not expiring leading to Account Takeover.
@bbunnny reported that verification links that are sent out on account creation can be used to access a victim's account until those links have expired. As access to those links requires that an attacker have access to the victim's email, this issue is out of scope for our program...
Zendesk: SMTP user enumeration via mail.zendesk.com
Several methods exist that can be used to ██████████ SMTP to enumerate valid usernames and addresses; namely VRFY, EXPN, and RCPT TO. mail.zendesk.com does not reply to EXPN or RCPT TO so we will concentrate on VRFY in this report. The VRFY command will request that the receiving SMTP server veri...
Zomato: Clickjacking login page of http://book.zomato.com/
The login page on book.zomato.com http://book.zomato.com/account/login.aspx is vulnerable to a clickjacking attack. Reproduction steps: 1. Paste the following HTML into a text editor and save the file as .html 2. Open the file in a web browser 3. Note that the iframe appears with the login page...
U.S. Dept Of Defense: ███ ████████ running a vulnerable log4j
Report Description: https://vulners.com/cve/CVE-2021-44228 Impact Probably arbitrary code execution System Hosts ███████ Affected Products and Versions CVE Numbers CVE-2021-44228 Steps to Reproduce 1. Browse to https://██████████/█████████https%3A%2F%2F███%2F 2. Enter a...
GitHub Security Lab: Java : Add query to detect Apache Struts enabled Development mode
This bug was reported directly to GitHub Security Lab...
Acronis: [acronis.secure.force.com] - Insecure Salesforce default/custom object permissions leads to information disclosure
Hi there, I know that this domain https://acronis.secure.force.com is not listed in scope but I thought it would be a good idea to share this finding with you because this endpoint is leaking internal information/meetings. Target: The Salesforce instance at https://acronis.secure.force.com...
Node.js third-party modules: [notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser
I would like to report a sandbox escape / code injection vulnerability in notevil. It allows an attacker to escape the intended sandbox and execute javascript code in the global context, meaning that he/she can achieve arbitrary command execution RCE when running in nodejs and cross site scriptin...
Zomato: Free food bug done by burp suite
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: By this...
Stripo Inc: stripo blog search SQL Injection
Summary: SQL injection of search parameters at blog search request Steps To Reproduce: 1. request https://stripo.email/blog/search/ 2. input search 1' AND SELECT 6268 FROM SELECTSLEEP5ghXo AND 'IKlK'='IKlK 3. See a very large response delay Supporting Material/References: See attached screenshot...
Internet Bug Bounty: Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch
Hi! CVE-2017-1000112 is a vulnerability I found in the Linux kernel caused by a UFO to non-UFO path switch for UFO packets. It can be exploited to gain kernel code execution from an unprivileged process. This vulnerability was reported to [email protected] and linux-distros@ following the...
Gratipay: grtp.co is vulnerable to http-vuln-cve2011-3192
Vulnerability I have found! | http-vuln-cve2011-3192: | VULNERABLE: | Apache byterange filter DoS | State: VULNERABLE | IDs: CVE:CVE-2011-3192 OSVDB:74721 | The Apache web server is vulnerable to a denial of service attack when numerous | overlapping byte ranges are requested. | Disclosure date:...
Shopify: GraphQL AdminGenerateSessionPayload is leaked to staff with no permission
@hiffley reported the ability to generate app tokens via the adminGenerateSession mutation in Shopify Admin, as a staff member with no permissions. This allowed for accessing a small subset of installed apps that are using this new flow including Shopify Email. Access was limited to the current...
Internet Bug Bounty: CVE-2019-11043: a buffer underflow in fpm_main.c can lead to RCE in php-fpm
The vulnerability exists in php-fpm because of a missing bounds check in fpm_main.c. If the FastCGI variable PATH_INFO is empty, the underflow happens when the code tries to calculate the value of the path_info variable. An invalid pointer in path_info leads to a single byte out-of-bounds write, which...
Udemy: [engineering.udemy.com] - Subdomain Takeover (ghost.io)
Hi Security Team, Found that DNS record of engineering.udemy.com domain was pointing to inactive ghost.io instance. So when we visit https://engineering.udemy.com we will be notified that site doesn't exist. F310092 $ host engineering.udemy.com engineering.udemy.com is an alias for...
InVision: CORS Man-in-the-Middle account compromise
Description ==================== The invisionapp application implements HTTPS correctly by redirecting any HTTP traffic to HTTPS; this prevents, for example, the person sitting in the same office or home as you, or someone on the same open-wireless network as you e.g. McDonalds or airport, from...
XVIDEOS: Self-XSS on Suggest Tag dialog box
Summary: Stored cross-site scripting arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Vulnerable URL: https://www.xvideos.com/video57921571/friendb.ifd. Vulnerability Description: Application has an add ta...
Kaspersky: [Fixed] KIS for macOS is vulnerable to AV bypass due to improper client authorization on XPC service
Note! Thank you for your report. For the purposes of the further analysis of the vulnerability, that you kindly report to us, could you please fill all fields in square brackets. This information will help us to respond you more quickly and triage your report. Thanks a lot for your assistance...
Ruby on Rails: Open Redirect (6.0.0 < rails < 6.0.3.2)
Hello, I was looking at the change log https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2 for CVE-2020-8185 and found another problem existed. https://github.com/rails/rails/blob/v6.0.3.1/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb#L21 ruby redirect...
Shipt: Multiple Subdomain Takeovers: fly.staging.shipt.com, fly.us-west-2.staging.shipt.com, fly.us-east-1.staging.shipt.com
A researcher identified 3 different abandoned subdomain CNAME records that pointed to a 3rd party service fly.io that Shipt had recently stopped using. Upon receiving the report, the Shipt information security team responded quickly and resolved the issue by removing the stale DNS records...
HackerOne: Signals get affected once reports closed as self
According to your documentation "https://hackerone.com/blog/introducing-signal-and-impact" Examples Activity Reputation Report Self close as N/A: 0. This means Signals are not affected. But in our case Signal was affected by self-closed reports. Signals don't take the 0 baseline into consideration for...
Linktree: Account takeover - improper validation of JWT signature (with regards to expiration date claim)
Some backend services did not properly validate JWTs. As a result JWT validation could be bypassed by setting the expiration date claim to a unix timestamp in the past, and abusing this for account takeover. The expiration date claim of the JWT token was not properly handled. I was able to bypass...
Dropbox: Full Response SSRF via Google Drive
This researcher pointed out that HelloSign's Google Drive doc export feature had a URL parsing issue that could allow extra parameters to be passed to Google Drive API. By making use of an extra parameter in the Google Drive API, it was possible for researchers to force HelloSign to parse externa...
U.S. Dept Of Defense: https://█████ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability
Summary: https://████████ is vulnerable to a Read-Only Path Traversal Vulnerability Description: Get request parameters at the /+CSCOT+/translation-table and the /+CSCOT+/oem-customization are not properly sanitized which allows for reading files within the webroot directory that are not intended...
Shopify: Password reset link not expired at Stocky App
You can use password reset link to reset password multiple times. Steps: 1. Go to https://stocky.shopifyapps.com/users/forgottenpassword and Send the password reset link to your email. if this page doesn't appear you should add login details via this https://stocky.shopifyapps.com/preferences/use...
Keybase: SOP bypass using browser cache
Summary An attacker has the ability to extract sensitive information from users' accounts, due to a CORS issue. On a minor note, this is also a cross-site leak as we can fingerprint which exact Keybase user has accessed the attacker's website. Information disclosed:...
Slack: State parameter missing on google OAuth
Hi, the state parameter, i.e. the anti-CSRF token that prevents session hijacking attacks, is missing on Google OAuth, i.e...
Tor: Information Exposure Through Directory Listing
Vulnerability description The web server is configured to display the list of files contained in this directory. This is not recommended because the directory may contain files that are not normally exposed through links on the web site. Link as POC: https://www.torproject.org/static/...
Sifchain: Vulnerable javascript dependency at Main domain
Hello, Issue detail, Burp observed 1 outdated JavaScript libraries with 4 known vulnerabilities. Burp detected bootstrap version 4.0.0, which has the following vulnerabilities: CVE-2019-8331: XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2018-14041: XSS in...
Uber: RCE via npm misconfig -- installing internal libraries from the public registry
The hacker spotted some orphaned references to Uber-branded Node.js library packages and claimed them on the public NPM registry to run their own proof-of-concept code. Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies...
GitHub Security Lab: Java: CWE-522 Insecure basic authentication
This bug was reported directly to GitHub Security Lab...
Ruby on Rails: XSS by file (Active Storage `Proxying`)
Hello, I've seen similar issues with 407319 and 429868 occur with Active Storage's new File serving strategies Proxying. Commit is https://github.com/rails/rails/commit/dfb5a82b259e134eac89784ac4ace0c44d1b4aee. ruby...
Ruby: Escape sequence injection vulnerability in WEBrick BasicAuth
WEBrick BasicAuth outputs any non-existing user name to logs without sanitizing. By exploiting this, an attacker can inject malicious escape sequences into its logs. This issue is exactly the same as the old, already-fixed vulnerability. How to reproduce: 1 Run this WEBrick server program in a...
Pornhub: Mixed Reflected-Stored XSS on pornhub.com (without user interaction) in the playlist playing section
The researcher discovered a temporarily cached stored XSS using the playlist function of the website. I discovered a Reflected XSS under the PornHub playlists and reported it. Some time after, I noticed, that Reflected XSS using the pkey parameter of the playlist, e.g...
Starbucks: CSRF: add item to victim's cart automatically (starbucks.com - updatecart)
Steps: 1. The victim logs in to their Starbucks account first. 2. The attacker sends a form/link to the victim. 3. If the victim clicks the form/link, an item is automatically added to the victim's cart. 4. If the victim does not notice this item, he/she would pay for it, which can greatly influence your reputation. Attached...
Internet Bug Bounty: Argo CD reconciles apps outside configured namespaces when sharding is enabled
An authorization bypass vulnerability was found in Argo CD versions 2.5.0-rc1 and later, allowing a malicious user to deploy applications outside of the configured allowed namespaces when sharding is enabled. The vulnerability was triggered when an application was updated, and the controller...
h1-ctf: Hacky Holidays Writeup
On December 12th, 2020, the CTF went live and the scope that we were allowed to attack was In Scope Domain - hackyholidays.h1ctf.com. Our main motive was to infiltrate his network and take him down. The challenges appeared one by one until the 24th of December. Here we will be going through all the...
Yelp: JDBC credentials leaked via github
Summary: JDBC credentials found on a public GitHub repo. Whether the repo belongs to Yelp or not, there is a doubt. I have found many more sensitive data on that repo, so kindly check the repo all together. Sensitive data found publicly. Platforms Affected: website Steps To Reproduce: 1. visit the link...
GitHub Security Lab: CodeQL query for SpEL injections
This bug was reported directly to GitHub Security Lab...
h1-ctf: [h1-415 2020] Spent a week and failed at solving the last step.
Summary: I found something interesting with Headless chrome debugging in the last step, I am sure I am going to solve this after trying very hard for about a week, I don't know when this CTF is going to end, that's why I am submitting a summary of how to solve this so that I can write the full...
Starbucks: Subdomain takeover on developer.openapi.starbucks.com
Hi team, Summary: Subdomain developer.openapi.starbucks.com is vulnerable to subdomain takeover via the Mashery service. The reason why it worked is unfortunately not fully clear to me. Details: Doing my recent research on starbucks.com subdomains, I stumbled upon http://developer.openapi.starbucks.co...
8x8: Subdomain takeover of ████.jitsi.net
Summary █████.jitsi.net points to an AWS EC2 instance at 18.195.93.116 that no longer exists. I was able to take control of this IP address and run my own EC2 instance. I can now serve content on this domain, obtain a TLS certificate for this domain, etc. If any customers or servers are pointing ...
Pornhub: Unsecured Elasticsearch Instance
The researcher has found an insecure Elasticsearch instance accessible to the public. A publicly accessible server running an Elasticsearch instance was identified, due to a firewall misconfiguration. The instance was only intermittently accessible because of round robin ordering. The instance...
Lichess: Path Traversal Vulnerability in Lila Project
A path traversal vulnerability was discovered in the Lila project that allowed an attacker to access arbitrary files on the server by manipulating user-supplied input to traverse outside the intended directory structure...
Sifchain: Path Traversal inside saveContracts.js
Reference: https://portswigger.net/web-security/file-path-traversal Directory traversal also known as file path traversal is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data,...