15372 matches found
HackerOne: Attacker with an Old account might still be able to DoS ctf.hacker101.com by sending a Crafted request
Summary: by sending a crafted request on ctf.hacker101.com a very long delay with a response of error 502 has been observed I suspect that if I made this request on multiple tabs on my browser concurrently, it may cause ctf.hacker101.com to crash thats why I haven't tried it. Description: By...
Brave Software: DMARC RECORD MISSING
VULNERABILITY TYPE- DMARC RECORD MISSING. HOW TO REPRODUCEPOC-ATTACHED IMAGE:- 1.GO TO- https://mxtoolbox.com 2.ENTER THE WEBSITEbrave.org.CLICK GO. 3.YOU WILL SEE THE FAULTNo DMARC Record found 4.In the new page that loads change MXLookup to DMARCLookup I HAVE ALREADY INFORMEDD THEM.THEY TOLD TO...
Roblox: Reflected XSS through multiple inputs in the issue collector on Jira
Note I put this as Medium because that's what the CVE is. This vulnerability is known and it's classified under CVE-2018-5230. Here's a link to the thread on it by Atlassian: https://jira.atlassian.com/browse/JRASERVER-67289 Description --------------------- I noticed when testing that your Jira...
Mail.ru: blind XXE in autodiscover parser
Как воспроизвести: 1 Закинуть на сервер атакующего xml должен быть доступен на сервере атакующего по адресу /autodiscover/autodiscover.xml: Я сделал такой ответ при запросе любой xml'ки: obmhld.com/autodiscover/autodiscover.xml email settings SMTP 52.34.103.214 1191 off [email protected] yandex....
Kubernetes: Authenticated kubernetes principal with restricted permissions can retrieve ingress-nginx serviceaccount token and secrets across all namespaces
Summary: Retrieving ingress-nginx serviceaccount token ingress-nginx allows adding custom snippets of nginx configuration to Kubernetes ingress objects. These snippets can be applied to either the relevant location or server blocks with the following annotations, respectively...
Mail.ru: [sj.my.com] Source Code Disclosure /.svn/wc.db
Available SVN files for sj.my.com led to source code disclosure. sj.my.com is not currently covered by Bug Bounty program...
Semrush: Post Based XSS On Upload Via CK Editor [semrush.com]
Summary: XSS Via Post Method When Upload via CKEditor Description: This XSS is execute by error message when upload some image on https://www.semrush.com/my-posts/api/image/upload/?CKEditor=text&CKEditorFuncNum=0&langCode=en Browsers Verified In: Firefox Steps To Reproduce: - This is POST based...
Starbucks: Open Redirect on /account/signin?ReturnUrl
The attacker can redirect the victim just after the authentication. Open redirect on Login page: https://www.starbucks.com/account/signin?ReturnUrl= Steps to reproduce Go to Login Page. https://www.starbucks.com/account/signin?ReturnUrl=%2faccount%2fHome The paramter: ReturnUrl can be modified as...
Node.js third-party modules: [html-janitor] Bypassing sanitization using DOM clobbering
Module: Name: html-janitor Version: 2.0.2 Summary: Arbitrary HTML can pass the sanitization process, which can be unexpected and dangerous XSS in case user-controlled input is passed to the clean function. Description: Proof of concept: javascript var myJanitor = new HTMLJanitortags:p:; var...
GitHub Security Lab: [Java] CWE-598: Use of GET Request Method with Sensitive Query Strings
This bug was reported directly to GitHub Security Lab...
Visma Bug Bounty Program: Stored XSS when uploading files to an invoice
I've found a stored XSS from the fileupload. The parameter fileID is vulnerable and will be stored to the page. Steps To Reproduce Login Navigate to one of your invoices Upload some file and intercept the traffic Once you see the JSON payload like this "id":"abcabccabcabc","name":"file-name" modi...
Alibaba BBP: SSRF / Arbitrary File Read on Alibaba Cloud Academy
Summary: Alibaba Cloud Academy certificate download function is vulnerable with SSRF bug. It can also read arbitrary file on the server. Steps To Reproduce: - Login to your https://edu.alibabacloud.com/ account - Click the url to Ping external...
HackerOne: How the Bug stole hacking
In light of the season - here's a story I wrote for you: Every hacker down in Hackerone liked hacking alot, But the Bug who lived down in the source code, did not! The Bug hating hacking! The whole Bug-hunt season! Now please don’t ask why. No one quite knows the reason. It could be perhaps, that...
Starbucks: JumpCloud API Key leaked via Open Github Repository.
Summary: Open Github Repo Leaking Starbucks JumbCloud API Key Description: Team, While going through Github search I discovered a public repository which contains Jumbcloud API Key of Starbucks. Repo: https://github.com/██████████/Project. File:...
GitHub Security Lab: CodeQL query for MVEL injections
This bug was reported directly to GitHub Security Lab...
Internet Bug Bounty: Use of uninitialized value in ftp_getrc_msg method of mod_proxy_ftp.c
This is a Security Bug Report for modproxyftp. This bug is present in ftpgetrcmsg method of modules/proxy/modproxyftp.c file. This is the line which causes this bug. c ... mb = aprcpystrnmb, response + 4, me - mb; ... If ftp server returns a response like "\r\n", which has 3 characters with...
Grab: [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure
A deeplink feature was found missing validation that led to sensitive information disclosure. Once triggered, the deeplink would direct users to load any attacker-controlled URL within a webview. The impact was further escalated as the webview contain sensitive information. A temporary patch was...
U.S. Dept Of Defense: Splunk Sensitive Information Disclosure @████████
A vulnerability in Splunk through version 7.0.1 allowed for information disclosure by appending a specific query to a URL, which could result in the exposure of sensitive information, such as license keys...
Nord Security: Version problem in wordpress leads to the many vulnearability
Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting XSS Reference: https://wpvulndb.com/vulnerabilities/9230 Reference: https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b Reference:...
curl: curl on Windows can be forced to execute code via OpenSSL environment variables
Preface: While I have an interest in security, I am not a professional security researcher, so please be forgiving of any lack of convention in this submission. The intent is to help improve security of the OpenSSL and curl projects, their consumers and end users. I will be sending this same...
Nextcloud: Password authentication at newsletter.nextcloud.com discloses username list
summary: A vulnerability classified as problematic has been found in OpenSSH 7.2p2. check INFO.pngAffected is an unknown function of the component Authentication. The manipulation of the argument Password with an unknown input leads to a information disclosure vulnerability Username. CWE is...
U.S. Dept Of Defense: [██████] Cross-origin resource sharing misconfiguration (CORS)
Hi! In this report I want to describe High level bug which can seriously compromise a user account. If I am authorize on this site, I can steal user's sessions, some personal information or do some action. Steps for reproduce 1 Send this request GET...
Whisper: CVE-2014-0224 openssl ccs vulnerability
your site is vulnerable to CVE-2014-0224 OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL...
GitLab: Found Origin IP's lead to access to gitlab
@m-narayanan disclosed a known Origin IP / CloudFlare bypass issue, remediation for which was and is being tracked at https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/9945 The requested disclosure, then later requested it to be made private again...
Solana BBP: Heap memory can be accessible through metrics.solana.com
Summary: Heap memory can be accessable due to misconfiguration in one of the sub-domains. While doing recon i ended up downloading heap memory file. Steps To Reproduce: 1.Open https://metrics.solana.com:8086/debug/pprof/heap 2. now you can see heap memory accessible through it Supporting...
RATELIMITED: Source code disclosure at ███
Summary: Source code disclosure at ███████ Steps To Reproduce: POC: link download source code: ███████ Supporting Material/References: █████ ███████ Impact Source Code Disclosure Sensitive Information Disclosure...
Nutanix: AWS S3 bucket writeable for authenticated AWS users
S3 bucket permissions were not configured correctly, allowing any authenticated AWS user to delete and write files. Nutanix didn't properly configure one of their S3 buckets permissions and inadvertently allowed any authenticated AWS user to delete and write files. An attacker could post a...
Snapchat: Exposed Kubernetes API - RCE/Exposed Creds
@txt3rob found one of Snaps internal Kubernetes instances exposing an API endpoint without authorization to the public. With access to this API he was able to run arbitrary code/jobs as a cluster-admin and gained access to credentials with internal access to a significant number of instances...
MyEtherWallet: Development configuration file https://myetherwallet.com/
Vulnerability description A configuration file e.g. Vagrantfile, Gemfile, Rakefile, ... was found in this directory. This file may expose sensitive information that could help a malicious user to prepare more advanced attacks. It's recommended to remove or restrict access to this type of files fr...
Coinbase: Transactions visible on Unconfirmed devices
Pusher authentication did not take device confirmation into account. This would allow an attacker with a valid session but an unconfirmed device to snoop on pusher updates like incoming transactions. This issue was in the coinbase event notification Pusher, which allowed me to read notification o...
AMBER AI: Support Portal Takeover via Leaked API KEY
Thanks @khizer47 for the report. Insecure zendesk API token hardcoded in JS file, causing Support portals to lose control of administrator rights. We removed dangerous token and controlled permissions by using more secure OAuth token. An API key & associated Email was Hardcoded into a JS file...
Sifchain: No Valid SPF Records/don't have DMARC record
Hiii, There is any issue No valid SPF Records on https://sifchain.finance/ Desciprition : There is a email spoofing vulnerability.Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing ...
GitHub Security Lab: CPP: Missing/incomplete TLS server certificate hostname validation
This bug was reported directly to GitHub Security Lab...
Chaturbate: CSV Injection with the CSV export feature
Hi there, hope you are well, The "Download as a CSV" feature of does not properly "escape" fields. So that particular field is vulnerable to CSV injection. Steps of POC Step 1 : Go to any chat room and donate any token to some and in note insert =4+4. Step 2 : Now go to on this link and download...
HackerOne: Blind SSRF in "Integrations" by abusing a bug in Ruby's native resolver.
Summary HackerOne allows bug bounty programs to integrate their reports queue with issue tracking tools such as Jira and Phabricator. By abusing a bug that I discovered in Ruby's native resolver, I am able to bypass the SSRF filter and could potentially scan your internal network. Vulnerability...
Zomato: Bypass OTP verification when placing Order
Description Attacker was able to bypass the OTP verification needed while placing an order with a restaurant...
U.S. Dept Of Defense: [██████] Reflected XSS via Keycloak on ██████
A cross-site scripting XSS vulnerability was discovered in Keycloak 8.0 and earlier versions. This vulnerability allowed an attacker to execute arbitrary script and potentially steal authentication credentials. The vulnerability was due to a lack of input validation, which allowed an attacker to...
HackerOne: HackerOne Undisclosed Report Leak via PoC of Full Disclosure on Hacktivity
Sensitive report data, including report title, severity, program, and report ID, was leaked due to a mistake by a researcher and HackerOne. The leak occurred when HackerOne disclosed a report but did not redact the video proof of concept, which contained undisclosed reports reported by the...
GitHub Security Lab: Java: Query for detecting JEXL injections
This bug was reported directly to GitHub Security Lab...
Qulture.Rocks: Server Name disclosure
Hi, I found a Server Name disclosure Cowboy in the your web server's HTTP response! This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the Server! Request with Burp: GET / HTTP/1.1 Host: qa.qulture.rocks...
Khan Academy: https://www.khanacademy.org/login open-redirect
Hi, I found a bypass in the redirects : https://www.khanacademy.org/login?continue=http://www.olivierbeg.nl won't work. https://www.khanacademy.org/login?continue=http:/www.olivierbeg.nl will work :- Best regards, Olivier Beg...
8x8: █.8x8.vc/index.js: Exposed Google Maps API Key Allowing Potential Abuse of Paid Services
The Google Maps API key was inadvertently exposed in client-side code, allowing potential unauthorized access to some Google Maps services. The issue was promptly addressed by implementing appropriate API key restrictions where feasible...
Internet Bug Bounty: CVE-2024-21733 Apache Tomcat HTTP Request Smuggling (Client- Side Desync) (CWE: 444)
SECURITY CVE-2024-21733 Apache Tomcat - Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0-M11 to 9.0.43 Apache Tomcat 8.5.7 to 8.5.63 Description: Incomplete POST requests triggered an error response that could contain data fr...
Internet Bug Bounty: FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
Many TLS servers, including those hosting sensitive websites such as www.nsa.gov and connect.facebook.net, support weak EXPORTRSA ciphersuites. By factoring their 512-bit ephemeral RSA keys, a network attacker is able to impersonate these websites to web browsers and more generally, to client...
Internet Bug Bounty: Use After Free Vulnerability in unserialize()
Use After Free Vulnerability in unserialize Taoguang Chen - Write Date: 2015.2.3 - Release Date: 2015.3.20 A use-after-free vulnerability was discovered in unserialize with a specially defined object's wakeup magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary...
Internet Bug Bounty: TLS heartbeat read overrun
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks for Neel Mehta of Google Security for discovering th...
U.S. Dept Of Defense: CVE-2023-29489 XSS in cpanel at [www.███] - Securado, Oman
A cross-site scripting XSS vulnerability was found on the cpanel application hosted on a website. The vulnerability allowed an attacker to steal cookies or hijack a browser session. The cpanel was not updated due to the disabled auto-update feature. The vulnerability was mitigated by enabling the...
curl: CVE-2023-28322: more POST-after-PUT confusion
A vulnerability existed in libcurl that allowed an attacker to inject unintended data or cause a segfault by confusing the POST and PUT methods. The previous fix for this vulnerability was insufficient as it only corrected the CURLOPTPOST option, which is not always used when sending data with th...
GitHub: Delimiter injection in GitHub Actions core.exportVariable
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...
Nextcloud: Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate
Summary: Call to registerReceiver misses the broadcastPermission argument - no permissions will be checked for the broadcaster, which allows a malicious application to communicate with the broadcast receiver. Supporting Material/References: Screenshot Snyk report references to fixes in other repo...