GitHub Security Lab: CodeQL query for unsafe TLS versions
This bug was reported directly to GitHub Security Lab...
MTN Group: Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-3506]
Summary: Hello. I was able to identify an RCE vulnerability due to the outdated Oracle WebLogic instance on https://raebilling.mtn.co.za. Steps To Reproduce: To reproduce, try this request with Burp Suite. This request to https://raebilling.mtn.co.za/wls-wsat/RegistrationRequesterPortType will trigg...
DRIVE.NET, Inc.: Same site Scripting
Same site scripting: I have found an error in some misconfigured DNS in a subdomain of yours which causes same-site scripting. PoC: 1. Open a terminal and type ping localhost.drive2.ru. You will see that it resolves to 127.0.0.1. A screenshot has been attached. Impact: This may cause security issu...
Legal Robot: Email Length Verification
Hi Team, hope you are good. I found your website app.legalrobot.com vulnerable to this vulnerability. Bug: Improper authentication - generic. Description: Don't know much about how the websites store email addresses. Email addresses are stored as VARCHAR(128), but here your website legalrobot...
8x8: LFI via Jolokia at https://█.█.█.█:1293
@shuvam321 reported to us a single exposed host in the acceptance environment. The report demonstrated a Local File Inclusion via Jolokia, e.g.: https://█.█.█.█:1293/actuator/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/hostname No sensitive information has...
Nextcloud: Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate
Summary: Call to registerReceiver misses the broadcastPermission argument - no permissions will be checked for the broadcaster, which allows a malicious application to communicate with the broadcast receiver. Supporting Material/References: Screenshot Snyk report references to fixes in other repo...
Omise: assets/vendor.js file exposing sentry.io token, DNS and application id.
Information Disclosure in javascript file...
U.S. Dept Of Defense: SharePoint Web Services Exposed to Anonymous Access
Summary: Any unauthenticated/anonymous user is able to access the SharePoint Web Services .wsdl files for the ██████████ website. Description: The SharePoint installation for this particular site allows any user to access spdisco.aspx on the web server, which discloses the location of all...
Myndr: Reflected XSS in https://blocked.myndr.net
Summary: Reflected XSS in domain https://blocked.myndr.net. Steps To Reproduce: 1. Go to https://blocked.myndr.net. 2. Find the endpoint in the domain: https://blocked.myndr.net/?trg=1 3. Add the payload ?trg="alert1 4. You can see the pop-up in your browser. Impact: With the help of XSS, a...
Internet Bug Bounty: ap_find_token() Buffer Overread
Versions Affected: httpd 2.2.32, httpd 2.4.24, unreleased httpd 2.4.25. Description: The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request...
HackerOne: AWS S3 bucket writeable for authenticated aws users
Hi All, I know that hackerone-attachments is used for file uploads on reports and so I did a quick scan for similar buckets and found . While I can't confirm if you own it or not, it appears that it is publicly writable using the aws cli. When I tried to write to hackerone-attachments, I get: "mo...
Sandbox Escape: Linux PI futex self-requeue bug
I hope I haven't messed something up... The issue exists when, after blocking in futex_wait_requeue_pi(), q.rt_waiter is NULL but &rt_waiter on the stack has been added to various waiter lists by rt_mutex_start_proxy_lock(). This is not supposed to be possible, because setting rt_waiter to NULL indicates atomic...
U.S. Dept Of Defense: reflected xss in www.████████.gov
A reflected XSS vulnerability was discovered in a government website, allowing an attacker to execute malicious scripts on a victim's browser. The vulnerability could lead to cookie stealing, arbitrary requests, malware download, and defacement of the website. The vulnerability was triggered by...
Reddit: CVE-2020-11022
Vulnerability description not provided...
lemlist: CVE-2019-19935 - DOM based XSS in the froala editor
Summary: A stored XSS flaw exists in the Froala editor used in the web application. This can be triggered by using the code view of the editor. Steps To Reproduce: 1. Start a new campaign 2. Fill in all the fields and choose a blank email template for the message 3. Switch to the code editor view and inject "...
Internet Bug Bounty: Cache Manager ACL Bypass
Summary: The manager ACL can be bypassed, giving unauthorized users access to squid-internal-mgr. It is possible to bypass other url_regex ACLs too, but I only focused on manager. With the hostname of the server running Squid: echo -e "GET https://jeriko.one%252f@:3128/squid-internal-mgr/active_requests HTTP/1.1\r\n\r\n" | nc...
Mail.ru: DNS Misconfiguration
Your localhost.mail.ru has address 127.0.0.1 and this may lead to "Same-Site" Scripting. Here is a detailed description of this minor security issue by Tavis Ormandy: http://www.securityfocus.com/archive/1/486606/30/0/threaded I can also ping the localhost network from mail.ru, as in the image...
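The two "same-site scripting" reports above (localhost.drive2.ru and localhost.mail.ru) share one root cause: a record under a trusted zone that resolves to 127.0.0.1, so anything listening on the client's own machine can answer as a subdomain of that zone and receive its domain-scoped cookies. The following is an added example, not code from either report or from the affected sites: it scans constructed zone data for loopback records and then uses the standard-library cookie jar to show that a hypothetical non-Secure "session" cookie scoped to .mail.ru would be sent to localhost.mail.ru. The zone records, cookie name and value are all assumptions.

```python
"""Same-site scripting check: find loopback records in a zone and show the
cookie exposure they create. Added example; zone data below is constructed."""
import http.cookiejar
import ipaddress
import urllib.request

SAMPLE_ZONE = """\
; constructed sample records, not real DNS data
www.mail.ru.        300 IN A    203.0.113.10
localhost.mail.ru.  300 IN A    127.0.0.1
ipv6.mail.ru.       300 IN AAAA ::1
"""


def loopback_records(zone_text):
    """Return (name, address) for every A/AAAA record that resolves to a
    loopback or link-local address, i.e. to the client's own host or link."""
    hits = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if len(fields) < 5 or fields[3] not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(fields[4])
        if addr.is_loopback or addr.is_link_local:
            hits.append((fields[0].rstrip("."), str(addr)))
    return hits


def cookie_header_for(host, cookie_domain=".mail.ru"):
    """Cookie header a cookiejar-based client sends to http://host/ for a
    non-Secure cookie scoped to cookie_domain, or None if it is withheld.
    This is RFC 6265 domain matching: any name ending in the cookie domain,
    including one that points at 127.0.0.1, receives the cookie."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(http.cookiejar.Cookie(
        0, "session", "s3cr3t", None, False, cookie_domain, True, True,
        "/", True, False, None, False, None, None, {}))  # hypothetical cookie
    req = urllib.request.Request(f"http://{host}/")
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    for name, addr in loopback_records(SAMPLE_ZONE):
        print(f"{name} -> {addr}: Cookie header sent: {cookie_header_for(name)!r}")
```

Remove or re-point such records, and mark sensitive cookies Secure and host-only (no Domain attribute) so a plain-HTTP listener on the loopback address never receives them.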
Node.js third-party modules: `http-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak
I would like to report a Buffer allocation vulnerability in http-proxy-agent. In setups where the auth argument is user-controlled, it allows an attacker to: cause a denial of service by trivially consuming all the available CPU resources; extract uninitialized memory chunks from the server on Node.js. This module...
Snapchat: RCE/LFI on test Jenkins instance due to improper authentication flow
@nahamsec found a test Jenkins instance where they could log in with any valid Google account. Once logged in, they gained the ability to execute arbitrary code via the Jenkins Script Console. This was a test Jenkins instance with no access to source code or resources. Methodology: Here is the...
Pornhub: Publicly exposed SVN repository, ht.pornhub.com
After I found the subversion repository I visited the following location https://netreact.eu/hubtraffic I could see the usernames in the repo and the following weak credentials gave me access: stefan:123456 An attacker can commit code to this location which could be mirrored on the main site and...
Internet Bug Bounty: CVE-2023-27537: HSTS double-free
A double-free vulnerability was discovered in libcurl's support for sharing HSTS data between separate handles, which could result in a use-after-free or double-free when two threads share the same HSTS data without proper mutexes or thread locks...
Nord Security: Incorrect control of the trial period
The report by @corryl identified an issue with service expire time validation. A user was able to bypass the subscription period validation checks which in turn allowed a user to use our service for free for a certain time...
Snapchat: Exposed Kubernetes API - RCE/Exposed Creds
@txt3rob found one of Snap's internal Kubernetes instances exposing an API endpoint to the public without authorization. With access to this API he was able to run arbitrary code/jobs as cluster-admin and gained access to credentials with internal access to a significant number of instances...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. @0daystolive and @dly were able to demonstrate this vulnerability by developing a custom script that caused the web server to execute a benign...
Tor: Snowflake server: Leak of TLS packets from other clients
TLS packets from other clients were leaked to Snowflake clients due to a vulnerability in the Snowflake pluggable transport server. This issue allowed Snowflake clients to receive "ghost" packets at the KCP layer, containing TLS packets unrelated to the current session. The leaked packets include...
Internet Bug Bounty: CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag
Apache Airflow's Docker provider shipped with an example DAG that was vulnerable to authenticated remote code execution on the Airflow worker host. Vulnerability summary: In the DAG script of Airflow 2.3.3, there is a command injection (RCE) vulnerability in the script example_docker_copy_data.py of...
GitHub Security Lab: [Java] CWE-601: Add Spring URL Redirect ResponseEntity sink
This bug was reported directly to GitHub Security Lab...
U.S. General Services Administration: PHP info page disclosure
phpinfo is a debug function that prints out detailed information on both the system and the PHP configuration. Steps to reproduce: Go here: https://mysmartplans.gsa.gov/phpinfo.php An attacker can obtain information such as: the exact PHP version, the exact OS and its version, details of the PHP...
curl: Abusing URL Parsers by long schema name
Summary: There is a known technique to exploit inconsistency between URL parser and URL requester logic to perform Server Side Request Forgery attacks. It was first presented by Orange Tsai in A New Era Of SSRF: Exploiting URL Parser. I first found the familiar issue in old versions of curl, but explo...
Visma Bug Bounty Program: [IDOR] Ability to View/Delete/Edit (Forward to attachment archive) Email of other user if GUID is known.
Insecure Direct Object Reference IDOR vulnerability is discovered via a certain endpoint and the application exposes a reference to an internal implementation object which allows the attacker to perform unauthorized actions...
Lob: HTTP Request Smuggling on vpn.lob.com
Hi, vpn.lob.com is vulnerable to a CL.TE HTTP request smuggling attack (front-end server uses Content-Length, back-end server uses Transfer-Encoding). Steps to reproduce: 1. Run the Burp Suite Turbo Intruder on the following request: POST /auth/session HTTP/1.1 Host: vpn.lob.com User-Agent: Mozilla/5...
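CL.TE smuggling works because two hops frame the same bytes differently: the front end trusts Content-Length and forwards the whole attacker request, while the back end honours Transfer-Encoding: chunked, ends the request at the zero chunk, and treats the leftover bytes as the start of the next client's request. The following is an added example, not code from the report or from Lob: it models both framings over a constructed byte stream (the POST /auth/session request line and host are from the report; the smuggled GET /admin prefix and the victim request are hypothetical) and includes the edge check that prevents the attack.

```python
"""CL.TE request smuggling, simulated offline. Added example; traffic below is
constructed and the smuggled /admin request is hypothetical."""


def parse_head(data):
    """Split one request head off data. Returns (request_line, headers, body_offset)."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, len(head) + 4


def split_by_content_length(stream):
    """Front end: frames every request by Content-Length, ignoring chunking."""
    requests, pos = [], 0
    while pos < len(stream):
        req_line, headers, body_off = parse_head(stream[pos:])
        length = int(headers.get(b"content-length", b"0"))
        body = stream[pos + body_off:pos + body_off + length]
        requests.append((req_line, body))
        pos += body_off + length
    return requests


def split_by_chunked(stream):
    """Back end: frames by chunked encoding when present, else by Content-Length."""
    requests, pos = [], 0
    while pos < len(stream):
        req_line, headers, body_off = parse_head(stream[pos:])
        pos += body_off
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body = b""
            while True:
                size_line, _, _ = stream[pos:].partition(b"\r\n")
                size = int(size_line, 16)
                pos += len(size_line) + 2
                if size == 0:
                    pos += 2  # CRLF that terminates the zero-length last chunk
                    break
                body += stream[pos:pos + size]
                pos += size + 2
        else:
            length = int(headers.get(b"content-length", b"0"))
            body = stream[pos:pos + length]
            pos += length
        requests.append((req_line, body))
    return requests


def has_conflicting_framing(raw_request):
    """Edge check (RFC 7230 section 3.3.3): a request carrying both
    Content-Length and Transfer-Encoding must be rejected, never forwarded."""
    _, headers, _ = parse_head(raw_request)
    return b"content-length" in headers and b"transfer-encoding" in headers


# Constructed traffic. For the back end the POST ends after the zero chunk,
# leaving "GET /admin ..." to prefix whatever the next client sends.
SMUGGLED = b"GET /admin HTTP/1.1\r\nFoo: x"
BODY = b"0\r\n\r\n" + SMUGGLED
ATTACKER = (
    b"POST /auth/session HTTP/1.1\r\n"
    b"Host: vpn.lob.com\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + BODY
)
VICTIM = b"GET / HTTP/1.1\r\nHost: vpn.lob.com\r\n\r\n"
STREAM = ATTACKER + VICTIM

if __name__ == "__main__":
    print("front end sees:", [r[0] for r in split_by_content_length(STREAM)])
    print("back end sees: ", [r[0] for r in split_by_chunked(STREAM)])
```

The victim's "GET /" is swallowed into the Foo header of the smuggled request, so the back end serves GET /admin in response to the victim's connection. Running the stream through both splitters shows exactly that desynchronisation; has_conflicting_framing() is the check a front end should apply before forwarding.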
Mail.ru: Heartbleed: my.com (185.30.178.33) port 1433
MacBook-Pro-Kirill:Pentest isox$ python heartbleed.py 185.30.178.33 -p 1443 defribulator v1.16 A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed CVE-2014-0160 Connecting to: 185.30.178.33:1443, 1 times Sending Client Hello for TLSv1.0 Received Server Hello for TLSv1.0...
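The tool output above only shows a handshake; the bug it probes is that a TLS heartbeat request carries a 16-bit payload_length which OpenSSL before 1.0.1g trusted when copying the payload back, so the response carried whatever followed the record in process memory. The following is an added example, not the report's tool or OpenSSL's code: it builds a heartbeat message with a lying length, runs it through a model of the vulnerable handler and of the 1.0.1g bounds check, and measures what each returns beyond the attacker's own payload. The "process memory" and the secret placed in it are constructed.

```python
"""Heartbleed (CVE-2014-0160) modelled offline. Added example; the memory
layout and the secret below are constructed, not captured."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # minimum padding required by RFC 6520


def build_heartbeat(payload, claimed_len=None):
    """Heartbeat body: type(1) | payload_length(2) | payload | padding(16).
    A malicious client lies in claimed_len; a benign one leaves it None."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory, record_len):
    """Pre-1.0.1g behaviour: trusts payload_length and copies that many bytes
    from the record buffer, running past the end of the record."""
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    echoed = memory[3:3 + payload_len]  # over-read when payload_len > record_len
    return struct.pack("!BH", HB_RESPONSE, len(echoed)) + echoed + b"\x00" * PADDING


def fixed_handler(memory, record_len):
    """1.0.1g bounds checks: the record must hold the header, the claimed
    payload and the padding, otherwise the message is silently dropped."""
    if record_len < 1 + 2 + PADDING:
        return None
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST or 1 + 2 + payload_len + PADDING > record_len:
        return None
    echoed = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


# Constructed process memory: the attacker's record followed by data from
# another session that must never leave the server.
SECRET = b"Cookie: session=ADMIN-TOKEN-DO-NOT-LEAK"
MALICIOUS = build_heartbeat(b"hi", claimed_len=0xFFFF)
MEMORY = MALICIOUS + SECRET
BENIGN = build_heartbeat(b"hi")


def leaked_bytes(handler):
    """Bytes the handler returns beyond the attacker's own payload and padding."""
    resp = handler(MEMORY, len(MALICIOUS))
    if resp is None:
        return b""
    _, n = struct.unpack("!BH", resp[:3])
    return resp[3 + len(b"hi") + PADDING:3 + n]


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaked_bytes(vulnerable_handler))
    print("fixed handler leaks:     ", leaked_bytes(fixed_handler))
```

A real server would return up to 64 KiB per request, which is why the tool above can be run repeatedly to harvest keys and session data; the fixed handler still echoes a well-formed heartbeat, so the patch does not break legitimate use.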
HackerOne: Information disclosure (reset password token) and changing the user's password
The user gets an e-mail with password recovery link, which includes reset password token. The user clicks this link and is expected to enter a new password twice. Before entering the password the user clicks a link to a picture https://xkcd.com/936/. When this happens, cross-domain referer leakag...
Mail.ru: SQL injection delivery-club.ru (ClickHouse)
Some requests to clickhouse in delivery-club.ru were externally available potentially allowing SQL-like requests execution...
GitHub Security Lab: [javascript] CWE-020: CodeQL query to detect missing origin validation in cross-origin communication via postMessage
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: CWE-532 sensitive info logging
This bug was reported directly to GitHub Security Lab...
Open-Xchange: Missing (or redundant) null check in `dcrypt_openssl_sign`
Function dcrypt_openssl_sign in file src/lib-dcrypt/dcrypt-openssl.c has the following code: if (EVP_PKEY_base_id(key->key) == EVP_PKEY_RSA) { *error_r = "Format does not support RSA"; return FALSE; } and later: if (md == NULL) { if (error_r != NULL) *error_r = t_strdup_printf("Unknown digest %s", algorithm); return FALSE; } So,...
Brave Software: Torrent extension: Cross-origin downloading + "URL spoofing" + CSP-blocked XSS
Summary: #378809 allows navigating to chrome-extension://; #378805 allows displaying alert windows on a chrome-extension:// origin. As I said in #378809, navigation to chrome-extension:// allows attacking dependencies/components of extensions. Brave has only 3 extensions installed by default w/o...
Bitwarden: Mailgun misconfiguration on email.bitwarden.com
Hi, while checking the subdomains I found that the subdomain email.bitwarden.com, upon navigating, downloads a file saying "Mailgun Magnificent API" and has the following DNS info. DNS records for email.bitwarden.com (Hostname, Type, TTL, Priority, Content): email.bitwarden.com SOA 899 ns-586.awsdns-09.net...
Nextcloud: Design Issues on ( ███ ) Lead to show ( IPS of Users )
Hello, I know this domain is maybe out of scope, but it is connected to the main website. I have seen it Cashable the download IPs for users' status. As I saw, you have awstats statistics active, which show me full access to stats on the website. POC...
Mail.ru: [files.ucs.ru] ProFTPd mod_copy Arbitrary Read/Write
CVE-2015-3306 in opened to external network FTP server on files.ucs.ru...
Node.js: `fs.realpath.native` on darwin may cause buffer overflow
Summary: The libuv's implementation of...
GitHub Security Lab: gagliardetto: Query to detect incorrect conversion between numeric types
This bug was reported directly to GitHub Security Lab...
Helium: Hyperlink Injection on Email Invitation
DESCRIPTION: Found a hyperlink injection via the organization name when the attacker invites the victim to his organization with an injected hyperlink. STEPS: 1. Add an organization with the name https://attacker.com and switch to it. 2. Go to users and invite the victim by email. 3. The victim will se...
Bumble: The login of Hot or Not is vulnerable to bruteforce.
I was able to validate that the login of Hot or Not is vulnerable to brute forcing. Steps to reproduce: 1. https://hotornot.com/signin 2. Use a Burp Intruder attack for brute forcing 3. Send as many requests as you want. Fix: Proper mitigation of brute forcing should be done using rate limiting etc...
Internet Bug Bounty: rpcbind "rpcbomb" CVE-2017-8779, CVE-2017-8804
Description: this allowed an attacker to easily disrupt a remote system through excessive memory consumption. Writeup: https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/ Demonstration video: https://www.youtube.com/watch?v=b38H3oEgrQw this video shows...
HackerOne: Session not invalidated after password reset
After a password reset link is requested and a user's password is then changed, not all existing sessions are logged out automatically. The automatic removal of existing sessions linked to a user whose password was changed is only the case if the session was initiated with the 'Remember me for a...
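The fix for the behaviour in the report above is to bind every session to the password it was issued under, not to special-case "remember me" sessions. The following is an added example, not HackerOne's code: each session stores the account's password generation, a reset bumps that generation, and validation rejects any session from an earlier generation even if an eager purge missed it (for instance when sessions live in a cache on another node). Account names, tokens and the placeholder hash strings are assumptions; a real deployment would use a proper password KDF.

```python
"""Password-change session invalidation. Added example with constructed
accounts; password hashes are placeholder strings, not real KDF output."""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    password_hash: str
    password_generation: int = 0  # bumped on every password change


@dataclass
class Session:
    user: str
    generation: int  # password generation the session was issued under
    remember_me: bool


class SessionStore:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}

    def create_account(self, user, password_hash):
        self.accounts[user] = Account(password_hash)

    def login(self, user, remember_me=False):
        """Issue a session bound to the user's current password generation."""
        token = secrets.token_urlsafe(32)
        gen = self.accounts[user].password_generation
        self.sessions[token] = Session(user, gen, remember_me)
        return token

    def change_password(self, user, new_hash, purge=True):
        """Reset flow: store the new hash and bump the generation. purge=True
        also drops the user's sessions eagerly; validate() catches the rest."""
        acct = self.accounts[user]
        acct.password_hash = new_hash
        acct.password_generation += 1
        if purge:
            stale = [t for t, s in self.sessions.items() if s.user == user]
            for token in stale:
                del self.sessions[token]

    def validate(self, token):
        """True only if the session exists and matches the current password
        generation; a stale session is removed the moment it is presented."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if s.generation != self.accounts[s.user].password_generation:
            del self.sessions[token]
            return False
        return True


def demo():
    """Returns (remembered_valid, plain_valid, fresh_valid) after a reset."""
    store = SessionStore()
    store.create_account("alice", "hash-v1")
    remembered = store.login("alice", remember_me=True)
    plain = store.login("alice")
    assert store.validate(remembered) and store.validate(plain)
    store.change_password("alice", "hash-v2")
    fresh = store.login("alice")
    return store.validate(remembered), store.validate(plain), store.validate(fresh)


if __name__ == "__main__":
    print("after reset (remembered, plain, fresh):", demo())
```

Both the remembered and the plain session fail after the reset, which is the behaviour the report asked for; the generation check also means a session store that cannot enumerate sessions by user still converges on the correct state.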
Informatica: [███] Cross-Site Scripting (XSS) via /ssl-vpn/getconfig.esp at GlobalProtect VPN Portal
A Cross-Site Scripting (XSS) vulnerability was discovered in the GlobalProtect VPN portal's getconfig.esp endpoint. The vulnerability existed because the application reflected user input from the user parameter in an XML response without proper sanitization. This allowed an attacker to inject SVG...
curl: CVE-2023-27538: SSH connection too eager reuse still
A vulnerability, CVE-2023-27538, existed in the SSH connection reuse feature of the curl library. It allowed connection reuse even when different SSH keys were used, due to a broken check for SSH key matching. The vulnerability could potentially lead to unauthorized access to sensiti...
curl: CVE-2021-22947: STARTTLS protocol injection via MITM
Summary: A man-in-the-middle can inject cleartext forged responses to future encrypted commands by pipelining them to the STARTTLS response. Steps To Reproduce: Use the attached test case within the curl test system. It is based on IMAP FETCH with explicit TLS. Upon test failure, the downloaded...