15306 matches found
O1 Labs: SPF Records
The vulnerability was that you can spoof their email address and then the attacker can send emails from their email address which could lead to sending fake emails or attempts of phishing. To see if you can send an email of a target domain you need to check if it has an SPF Sender Policy Framewor...
Node.js third-party modules: Denial Of Service in Strapi Framework using argument injection
I would like to report Denial Of Service in Strapi Framework. It allows an attacker to force-restart the server using argument injection. Module module name: strapi version: 3.0.0-beta.18.3 and earlier npm page: https://www.npmjs.com/package/strapi Module Description The Strapi HTTP layer sits on top...
Shopify: Clickjacking in [exchangemarketplace.com]
Hi Team, Summary: X-Frame-Options ALLOW-FROM https://exchangemarketplace.com is not supported by several browsers, which caused Clickjacking on https://exchangemarketplace.com Type of issue: Clickjacking Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a...
CodeIgniter: Vulnerable Javascript library
Hi @codeigniter, Description You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported...
Imgur: 8ybhy85kld9zp9xf84x6.imgur.com Subdomain Takeover
Hello Gents, + While testing Imgur I found an unclaimed subdomain, which is “8ybhy85kld9zp9xf84x6.imgur.com”, and I was able to claim it! + But actually I didn't upload or host a simple file like mrbaka.html, because I need to upgrade the account to be able to use this custom domain! + Anyway, yo...
Nextcloud: Docker image with FPM is vulnerable to CVE-2019-11043
The CVE-2019-11043 vulnerability can be exploited in the latest nextcloud:fpm image. This is due to the specific nginx configuration recommended for nextcloud: https://github.com/nextcloud/dockerbase-version---fpm...
Zomato: Information Disclosure through Sentry Instance ███████
Hello team, I found a bug: sensitive information can be used by attackers to perform an attack on your server. I don't know if this is in scope, so I'm sorry if I'm wrong. Without spending your time, here are the steps how I found this bug: 1- Please use Burp Suite to reproduce the same result 2- I notice you...
Pornhub: Account takeover via Pornhub Oauth
The researcher found it was possible to take over a YouPorn account by using an unverified account with a matching email address to sign up to PornHub. This vulnerability works by abusing an insecure OAuth implementation. Due to improperly implemented OAuth functionality and lack of user information...
Slack: Tricking the "Create snippet" feature into displaying the wrong filetype can lead to RCE on Slack users
An issue in Slack's Create snippet feature results in filetypes being displayed incorrectly. This can lead to RCE if a Slack user downloads an executable file thinking that it is a CSV or other benign file type. https://www.youtube.com/watch?v=cIlGfnn4iG8...
Qulture.Rocks: Unrestricted File Upload in Chat Window
Summary: The application allows the attacker to upload dangerous file types that can be automatically processed within the product's environment. Steps To Reproduce: 1. Hit the browser with the below URL. https://qa.qulture.rocks/en/users/signin 2. Open the Chat window. 3. Upload any exe file. 4. Cli...
Mapbox: Mapbox API Access Token with No Scope Can Read Styles
Hi, I created one API token with 0 scope. Then I sent the following request to the server: GET /styles/v1/katilthe?accesstoken=pk.eyJ1Ijoia2F0aWx0aGUiLCJhIjoiY2lsbWJwcWpjNjhmNnZubWNhYXdwZm5obyJ9.2cPnaIiXcFnDRFMfrD1TRw HTTP/1.1 Host: api.mapbox.com User-Agent: Mozilla/5.0 Windows NT 6.3; WOW64; rv:44.0...
LocalTapiola: Disclosure of Users Information via Wordpress API (?rest_route)
Summary: It's possible to get information about the registered users such as id, name, login name, etc. without authentication in WordPress via the API on www.lahitapiolarahoitus.fi. Description: By default WordPress allows public access to the REST API to get information about all users registered on t...
curl: Buffer Overflow Vulnerability in strcpy() Leading to Remote Code Execution
Summary: The vulnerability in the program arises from a classic buffer overflow, triggered by the unsafe use of the strcpy function without bounds checking. The program copies data from a source buffer to a destination buffer, allowing attackers to overflow the buffer if the input string exceeds...
GitHub Security Lab: [go]: Add query for detecting CORS misconfiguration
This bug was reported directly to GitHub Security Lab...
h1-ctf: h1 hacky holidays CTF solution
Simple script to print all the flags. Full solution to follow; I want to spend more time writing this, but am racing to be in the first 10 submissions: echo "Flag 1 -- robots.txt" curl https://hackyholidays.h1ctf.com/robots.txt 2>/dev/null | grep flag echo "" echo "Flag 2 -- js descrambled --...
Weblate: Open Github Repo Leaking WEBLATE SECRET KEY
Team, While going through GitHub search I discovered a public repository which contains the Weblate Secret Key. Issue & PoC: Repo: https://github.com/WeblateOrg File: https://github.com/WeblateOrg/weblate/blob/592472958f7b847701c51b36f4768b9784219fa1/weblate/settingsdocker.py SECRETKEY = os.environ.get...
Stripo Inc: Information disclosure through Server side resource forgery
Summary: The application https://my.stripo.email has a template feature where we can enter HTML code. By including an iframe in the HTML template, I was able to make a call to my server. This exposed an internally running web application. Please refer below, 63.33.82.168 - -...
U.S. Dept Of Defense: LDAP Anonymous Login enabled in ████
LDAP Anonymous Login was enabled in ██████████, allowing unauthorized users to connect to the LDAP server without providing any authentication credentials. This could lead to unauthorized access and retrieval of sensitive information stored in the LDAP directory...
Insolar: XDSI(Cross Domain Script Inclusion)
Summary: As I did not get the proper CWE id over id to add but the proper CWE id is 829: The page includes one or more script files from a third-party domain. Here you are including in your website, someone else's code; You don't have any control over what is in that code, and you don't have any...
Smule: Open redirect bypass & SSRF Security Vulnerability
Open redirect issue. Full disclosure/writeup: https://medium.com/@snwlvl...
Ubiquiti Inc.: RCE in AirOS 6.2.0 Devices with CSRF bypass
There are certain end-points containing functionalities that are vulnerable to command injection. It is possible to craft an input string that passes the filter check but still contains commands, resulting in remote code execution. These vulnerabilities can also be paired with other e...
Reverb.com: Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app
Hi, in file com/reverb/app/CloudinaryFacade.java you have hardcoded the following config: private static final java.lang.String CONFIG = "cloudinary://434762629765715:█████@reverb"; where 434762629765715:████████ are the basic auth details. It shouldn't be disclosed to third parties as official...
GitHub Security Lab: CodeQL query to detect Server-Side Template Injections (JavaScript)
This bug was reported directly to GitHub Security Lab...
Stripo Inc: No length on password
Hey, when I try to set the password while creating an account I noticed that you haven't kept any password limit. You need to decrease the password length: There are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource consumption on behalf of...
Gratipay: UDP port 5060 (SIP) Open
SIP (Session Initiation Protocol) UDP port 5060 is open on the www.gratipay.com host. Bug id - CSCtj04672 Refer CVE-2011-3280 It may be the cause of DDoS and many other attack...
U.S. Dept Of Defense: Reflected XSS via Moodle on ███ [CVE-2022-35653]
A reflected XSS vulnerability was identified in the LTI module of Moodle. The vulnerability was caused by insufficient sanitization of user-supplied data in the LTI module. A remote attacker could have tricked a victim into following a specially crafted link, which could have executed arbitrary...
U.S. Dept Of Defense: DoS at ████████ (CVE-2018-6389)
An unauthenticated attacker could cause a denial of service resource consumption on a WordPress site by using the large list of registered .js files to construct a series of requests to load every file many times. The vulnerability was registered as CVE-2018-6389...
8x8: CVE-2019-11248 on http://█.█.█.█:9100/debug/pprof/goroutine
@mrk0anti reported to us an exposed debugging endpoint /debug/pprof over the unauthenticated Kubelet healthz port 9100. No sensitive information has been disclosed & the affected host belonged to our staging environment. The issue has been rectified...
Mail.ru: SSRF + RCE via fastCGI in POST /api/nr/video
Domain, site, application -- app.nativeroll.tv Steps to reproduce -- 1. As usual, you need an access token from a publisher account; you can register one here https://seedr.ru/register-user/publisher 2. Log in as a publisher https://seedr.ru/login/publisher 3. Intercept the requests and obtain the token. 4...
Clario: Google API key leaks and security misconfiguration leads Open Redirect Vulnerability
Summary: Hello, when I searched your targets and JavaScript files I found a Google API key leak in the URL https://account.clario.co/js/main.044af6485f6b0cd90809.js. Part of the leak is below: 'https://firebasedynamiclinks.googleapis.com/v1/shortLinks?key=AIzaSyAw-SpLHVTIP3IFEIkckCuEmIhnUrY9OrQ';...
Gratipay: Insecure Transportation Security Protocol Supported (TLS 1.0)
Description: It's observed that the insecure transportation security protocol TLS 1.0 is supported by your web server. TLS 1.0 has several flaws. An attacker can cause connection failures and they can trigger the use of TLS 1.0 to exploit vulnerabilities like BEAST. Websites using TLS 1.0 will be...
Internet Bug Bounty: CVE-2024-45230 - Potential denial-of-service in django.utils.html.urlize() (Another pattern)
CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize The django.utils.html.urlize and urlizetrunc functions were affected by a potential denial-of-service vulnerability. Very large inputs containing a specific sequence of characters could have resulted in reduced...
Shopify: SSL cookie without secure flag set
Hello Shopify security team, I have found a security vulnerability. Vulnerable URL: https://app.shopify.com/services/signup/track/ The following cookie was issued by the application and does not have the secure flag set: signupsessionid=0875b12b680173807271e6c444a964e8; path=/; expires=Mon, 04 Ma...
Cloudflare: Cookie missing the Secure flag
Cookie cfduid missing the Secure flag. Summary: The Secure flag was missing on the cookie. This may allow the cookie to be transferred over an insecure channel. The cookies are cfduid cfeffload cfeffload...
FetLife: Race condition in endpoint POST fetlife.com/users/invitation, allow attacker to generate unlimited invites
This report describes the same bug as 1455487. I am rewriting this bug here to make the report clearer. I will self-close 1455487 right now. Description: The Invite Your Friend to Join FetLife feature is vulnerable to a race condition. By sending many requests at the same time to the endpoint POST...
GitHub Security Lab: ihsinme: CPP Add query for CWE-401 memory leak on unsuccessful call to realloc function
This bug was reported directly to GitHub Security Lab...
HackerOne: latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users
Mini information disclosure related to the team's internal comments/assign group: activity id and datetime are exposed. Steps: 1. As victim, create a sandbox team and create a report 2. Add attacker as a participant for the report 3. As victim, create some internal comments (team-only comments)/assign gro...
Moneybird: Bypass password reset rate limit protection at moneybird.com/passwords
Attacker found a way to completely bypass our rate limit protection, allowing for other types of attacks. This involved changing the value of the X-Forwarded-For header. Attacker never got a 429 response from our servers when the value for each request is different. Injecting X-Forwarded-For :...
GSA Bounty: xmlrpc.php file enabled - data.gov
WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. This website www.data.gov has the xmlrpc.php file enabled. Impact: This can be automated from multiple hosts and be used to cause a mass DDoS attack on the victim...
Snapchat: Subdomain Takeover via unclaimed UserVoice domain
@benocular found a bitstripsforschools CNAME entry pointing to an unclaimed UserVoice domain, which could be taken over by an external party. The CNAME entry was for a product that is no longer active...
Valve: ImageMagick GIF coder vulnerability leading to memory disclosure
Due to CVE-2017-15277, portions of server memory on some steamcommunity web servers could be leaked via image updates. An attacker would not be able to control what memory would be returned, but system information could be obtained. I was able to arbitrarily disclose server memory on...
Khan Academy: SSL/TLS Vulnerability at khanacademy.org
CVE-2011-3389 Description: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle...
X (Formerly Twitter): HTTP Response Splitting (CRLF injection) due to headers overflow
Hi, I would like to report another HTTP Response Splitting vulnerability caused by header fields "overflow" that allows attackers to inject arbitrary headers in the response. Note that this issue is similar to 52042 but the root cause is different. Also, the below PoC is not the only affected pag...
Node.js: DNS rebinding in --inspect (insufficient fix of CVE-2018-7160)
Summary: While the debugger i.e., the --inspect option tries to prevent DNS rebinding, the whitelist is excessive. Description: The whitelist includes “localhost6”, which is not that widespread. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS...
HackerOne: Attacker with an Old account might still be able to DoS ctf.hacker101.com by sending a Crafted request
Summary: By sending a crafted request to ctf.hacker101.com, a very long delay with an error 502 response has been observed. I suspect that if I made this request in multiple tabs of my browser concurrently, it might cause ctf.hacker101.com to crash; that's why I haven't tried it. Description: By...
Starbucks: Open Redirect on /account/signin?ReturnUrl
The attacker can redirect the victim just after the authentication. Open redirect on Login page: https://www.starbucks.com/account/signin?ReturnUrl= Steps to reproduce: Go to the Login Page. https://www.starbucks.com/account/signin?ReturnUrl=%2faccount%2fHome The parameter ReturnUrl can be modified as...
Mail.ru: blind XXE in autodiscover parser
How to reproduce: 1 Upload an XML to the attacker's server; it must be reachable on the attacker's server at /autodiscover/autodiscover.xml: I made the following response for any XML request: obmhld.com/autodiscover/autodiscover.xml email settings SMTP 52.34.103.214 1191 off [email protected] yandex....
Kubernetes: Authenticated kubernetes principal with restricted permissions can retrieve ingress-nginx serviceaccount token and secrets across all namespaces
Summary: Retrieving ingress-nginx serviceaccount token. ingress-nginx allows adding custom snippets of nginx configuration to Kubernetes ingress objects. These snippets can be applied to either the relevant location or server blocks with the following annotations, respectively...
Informatica: Blind SQL injection at tsftp.informatica.com
The parameter refreshtoken sent to the REST path /api/v1/token is vulnerable to blind SQL injection. Compare the response time of these 2 requests: $ time curl -X POST "https://tsftp.informatica.com/api/v1/token" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -...
U.S. Dept Of Defense: https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD
Hi @U.S. Dept Of Defense, I found a host which is running on the web services interface of Cisco ASA/FTD and it is vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. An attacker could exploit this vulnerability by sending a crafted HTTP request containing...