Bumble: The login of Hot or Not is vulnerable to brute force.
I was able to validate that the login of HotorNot is vulnerable to brute forcing. Steps to reproduce: 1. https://hotornot.com/signin 2. Use a Burp Intruder attack for brute forcing 3. Send as many requests as you want. Fix: Proper mitigation of brute forcing should be done using rate limiting etc...
HackerOne: Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com
Greetings, I believe I may have found a way to bypass CSP on hackerone.com The issue lies here: img-src 'self' data: www.google-analytics.com As you can imagine, how can image tags be used maliciously here to this safe site? Well, as you know, on google-analytics.com we have the ability to host...
HackerOne: Session not invalidated after password reset
After a password reset link is requested and a user's password is then changed, not all existing sessions are logged out automatically. The automatic removal of existing sessions linked to a user whose password was changed is only the case if the session was initiated with the 'Remember me for a...
curl: CVE-2021-22947: STARTTLS protocol injection via MITM
Summary: A man-in-the-middle can inject cleartext forged responses to future encrypted commands by pipelining them to the STARTTLS response. Steps To Reproduce: Use the attached test case within the curl test system. It is based on IMAP FETCH with explicit TLS. Upon test failure, the downloaded...
WHO COVID-19 Mobile App: DMARC and SPF records
If you are encountering this error of No DMARC Record found, this means that your domain does not have a published DMARC record. DMARC records are published via DNS as a text (TXT) record. They will let receiving servers know what they should do with non-aligned email received from your domain...
Internet Bug Bounty: CVE-2024-53908: Django Potential SQL injection in `HasKey(lhs, rhs)` on Oracle
CVE-2024-53908: Django potential SQL injection in HasKey(lhs, rhs) on Oracle was reported. The vulnerability was found in the direct usage of the django.db.models.fields.json.HasKey lookup on Oracle databases when untrusted data was used as an lhs value. Applications that used the jsonfield.has_key...
Shopify: Open Redirect - www.shopify.com
Hello Shopify team, I found an open redirect in www.shopify.com Link: - https://www.shopify.com/plus/get-cdn-asset?asset=http://evil.com/? Vulnerable parameter: asset Impact - Open redirect that can lead to phishing and other types of attacks. Have a good day, zonduu...
Ian Dunn: DoS https://iandunn.name/ via CVE-2018-6389 exploitation
Similar to 752010 Detail:- There is a possibility in the /wp-admin/load-scripts.php script to generate a large (3Mb) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389 Detailed attack scenario is described for example here...
Gratipay: Missing Certificate Authority Authorization rule
Hi Team, Summary Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless...
curl: Data race conditions reported by helgrind when performing parallel DNS queries in libcurl
While running the binary built from the curl git repo file "docs/examples/10-at-a-time.c" under valgrind, specifically with the helgrind tool, it reports a race condition in getaddrinfo calls. Using the latest curl/libcurl from the github repo. From the valgrind documentation "Helgrind is a Valgrind tool for...
Pornhub: Reflected XSS in Meta Tag
The researcher reported a reflected XSS bug in a meta tag in the search bar. XSS found with @the-useless-one! All details here: https://the-useless-one.github.io/posts/2017/03/28/meet-beautiful-xss-in-your-area-a-youporn-bug-bounty-sfw/...
GitHub Security Lab: [Java] CWE-312: Query to detect cleartext storage of sensitive information using Android SharedPreferences
This bug was reported directly to GitHub Security Lab...
Rockstar Games: phpinfo() on graph.rockstargames.com exposes sensitive information
In this report, the researcher identified a subdomain that was improperly made public while sensitive information was disclosed, including phpinfo. We were able to fix the deployment and remove the sensitive information, thus resolving the issue...
h1-ctf: Hacky Holidays CTF Writeup
Greetings team Yay! Finally I made it to the end, thank you very much for launching this fantastic event, I had to review topics that I thought I knew, learned a lot and I am sure that I will continue learning with the community : F1130889 Hacky Holidays! P.S. I will put my writeup in my next...
Shopify: Stocky App Administrator can create a backdoor admin account by using an existing POS User
Details The Stocky App has POS Users that are created once a POS Staff member logs in to the application from the Point Of Sale application on a mobile device. From the users management page located at https://stocky.shopifyapps.com/users there's no visible way to edit those POS users. Although,...
GitHub Security Lab: Java: CWE-939 - Address improper URL authorization
This bug was reported directly to GitHub Security Lab...
Brave Software: HTTP Request Smuggling
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being awa...
Qulture.Rocks: Privilege escalation from member user ( editor ) to admin user
Qulture.Rocks has multiple levels of admins, where you could manage parts of the application. One of those levels had a wrong configuration, which did not block it from updating its level to a higher one. Our team worked rapidly to fix this issue, blocking said level from updating itself...
Topcoder: Cross Site Scripting via CVE-2018-5230 on https://apps.topcoder.com
Hi, I found reflected XSS on https://apps.topcoder.com via an error message.. Payload : %3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm Vulnerable link : https://apps.topcoder.com/wiki/labels/%3CIFRAME%20SRC%3D%22javascript%3Aalert'XSS'%22%3E.vm Steps to reproduce : Create an account...
Semrush: Cross-origin resource sharing misconfig
Description An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other...
HackerOne: (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation
Summary: Login CSRF, Open Redirect, and Self-XSS Possible Exploitation through HackerOne SSO-SAML PoC - Go to █████; Use a browser window with clear cookies. Source-code: setTimeout(function(){ document.location.href = "https://hackerone.com/users/saml/signin?email=████&rememberme=true"; }, 5000); Impact...
Trello: DOM based XSS via Wistia embedding
Hi, You are using Wistia to embed video at trello.com. However, an external script from fast.wistia.com is vulnerable to XSS and allows running malicious JavaScript on your site. Vulnerable code: fast.wistia.net/assets/external/E-v1.js I found that the parameter wchannel can be controlled to load js from...
curl: CVE-2023-27533: Telnet option IAC injection
A vulnerability existed in the CURLOPT_TELNETOPTIONS option of the cURL library, which allowed an attacker to inject unintended TELNET commands into the telnet connection by escaping out of the telnet subnegotiation. This could allow the attacker to execute arbitrary OS commands on the target system...
Aiven Ltd: Kafka Connect RCE via connector SASL JAAS JndiLoginModule configuration
Summary: When configuring the connector via the Aiven API or the Kafka Connect REST API, the attacker can set the database.history.producer.sasl.jaas.config connector property for the io.debezium.connector.mysql.MySqlConnector connector. This is likely true for other debezium connectors too. By...
PortSwigger Web Security: No Rate Limit On Regenerate Password on Portswigger
Introduction A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP servers can respond with status code 429...
h1-ctf: [H1-2006 2020] Bounty Pay CTF challenge
H1-2006 2020 Bounty Pay CTF challenge Hi there! This is my H1-2006 CTF writeup submission. First of all, thanks for the great challenge! This was my first H1 CTF that I played. I really enjoyed doing it and I learned new things solving this challenge. In my case, it was the demonstration that I...
HackerOne: Potential stored Cross-Site Scripting vulnerability in Support Backend
HackerOne maintains an internal Support Backend system for employees. On the internal user profiles for hackers, a small overview is shown that lists the skills the user tagged their penetration tester profile with. Although the skills are currently managed by HackerOne and a user can only pick...
Tor: Tor Browser: iframe with `data:` uri has access to parent window
Version: 7.5.4 based on Mozilla Firefox 52.8.0 Tested with the standard security slider. However, it's likely to be possible with a higher security level. Summary In Tor Browser, an iframe with a data: URI inherits the origin of the parent window. That means the iframe has access to the parent window. PoC Iframe cou...
Mail.ru: [web.icq.com] Stored XSS in link when sending message
Domain, site, application -- https://web.icq.com/ Testing environment -- Chrome Steps to reproduce -- 1 Enter a chat 2 Send the following message: https://www.google.com/"onmouseover="javascript:prompt" 3 Hover the link Actual results -- XSS prompt shows. Expected results, security impact...
Ubiquiti Inc.: Read-Only user can execute arbitrary shell commands on AirOS
This vulnerability is very similar to 128750, but it avoids the solution applied to the last beta XM firmware. In this report the last beta XM firmware is used: XM.v6.0-beta9 Vulnerability The vulnerability resides in the function fetchCookies file remote.inc:117. Just like last time is a non...
Yahoo!: readable .htaccess + Source Code Disclosure (+ .SVN repository)
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Reddit: Blind SSRF to internal services in matrix preview_link API
A vulnerability was found in the preview_link functionality of Matrix software used in Reddit's new chat system. The endpoint allowed for partially blind SSRF, enabling attackers to send GET requests and exfiltrate data about internal services. This could potentially lead to service enumeration an...
GitHub Security Lab: [javascript] CWE-117: CodeQL query to detect Log Injection
This bug was reported directly to GitHub Security Lab...
h1-ctf: [H1-2006 2020] CTF Writeup
Summary: The CTF's objective could be found in the following Twitter post: F858468 As outlined on https://hackerone.com/h1-ctf, all subdomains of bountypay.h1ctf.com are in scope. Doing subdomain enumeration revealed the following subdomains: api.bountypay.h1ctf.com app.bountypay.h1ctf.com...
curl: curl overwrite local file with -J
Summary: curl supports the Content-disposition header, including the filename= option. By design, curl does not allow server-provided local file override by verifying that the filename= argument does not exist before opening it. However, the implementation contains 2 minor logical bugs that allow...
Mail.ru: Time-Based SQL injection at city-mobil.ru
Blind time-based SQL injection in https://city-mobil.ru/ due to unsafe usage of GET parameter JSON SLEEP PROFIT! P.S. Detailed summary coming soon.... possibly... watch at https://blog.deteact.com...
Zomato: Zomato Map server going out of memory while resizing map image
Go to https://maps.zomato.com/php/staticmap?center=0,0&size=240x150&maptype=zomato&markers=180,180,pinres32&sensor=false&scale=%&zoom=eval2147483647+1&language=en and a map will be displayed. Now increase the map size by 10x...
Starbucks: Subdomain takeover on svcgatewayus.starbucks.com
Hello, this is pretty serious security issue in some context, so please act as fast as possible. Overview: One of the starbucks.com subdomains is pointing to Azure, which has unclaimed CNAME record. ANYONE is able to own starbucks.com subdomain at the moment. This vulnerability is called subdomai...
Mozilla: Denial of Access to Static Resources via Cache Poisoning on addons.allizom.org
A cache poisoning vulnerability was identified on addons.allizom.org that allowed an attacker to block access to static resources such as images and JavaScript files. The issue was exploited by processing the X-HTTP-Method-Override header, which was honored by the origin server and treated the...
Internet Bug Bounty: CVE-2022-27776: Auth/cookie leak on redirect
Summary: curl/libcurl can be coaxed to leak Authorization / Cookie headers by redirecting request to http:// URL on the same host. Successful exploitation requires that the attacker can either Man-in-the-Middle the connection or can access the traffic at the recipient side for example by...
GitHub Security Lab: ihsinme: CPP add query for CWE-788 Access of memory location after the end of a buffer using strncat.
This bug was reported directly to GitHub Security Lab...
ImpressCMS: Slack server disclose h1 private issue report
Summary: Upon browsing https://www.impresscms.org/, one of the posts includes the public Slack channel; however, the devel channel exposed some of the private h1 reports. Checking ImpressCMS hacktivity, the issues that get resolved/reported are private, which helps me to verify that the team...
Starbucks: Minimal information disclosure of internal asset names and links which were not publicly accessible.
e4366eolywrgpidfbio discovered an application with links to internal Starbucks related resources. No public access to these resources was available, resulting in minimal information disclosure of host and resource names. @e4366eolywrgpidfbio — thank you for reporting this issue...
Valve: Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message
Overview Counter-Strike: Global Offensive's UI is built on a framework called Panorama which is heavily influenced by modern HTML/CSS with JS capabilities. Because of these properties, the UI becomes easily vulnerable to different types of code injection, most notably XSS. Previously, it was...
U.S. Dept Of Defense: https://████████ Impacted by DNN ImageHandler SSRF
Summary: https://███████ runs DNN 8.0.0 to 9.1.1 and is impacted by CVE-2017-0929, allowing for an SSRF through the DNN ImageHandler. Origin servers will request any image file supplied by the attacker. This allows for internal NIPR sites to be mapped and accessed through a vulnerable host. The...
Grammarly: Handling of `tracking` command allows making arbitrary blind requests with user's cookies from Grammarly Extension's origin
Summary: An attacker could trigger the Grammarly extension's gnar.fetch command using a crafted page to perform XHR with cookies and any configuration params to any cross-origin resource. Description: A page could init the Grammarly popup editor (no user gesture); helper events have the isTrusted property, which...
Adobe: Parameter tampering can result in product price manipulation
Parameters set during the shopping cart checkout workflow are vulnerable to tampering. By intercepting POST requests and manipulating the XML payload, product prices could be set to arbitrary values. P.O.C Video URL: https://youtu.be/3VMlV7jyzg...
Greenhouse.io: openssh-server Forced Command Handling Information Disclosure Vulnerability on blog.greenhouse.io
Summary of the issue: The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by...
8x8: █.8x8.vc/index.js: Exposed Google Maps API Key Allowing Potential Abuse of Paid Services
The Google Maps API key was inadvertently exposed in client-side code, allowing potential unauthorized access to some Google Maps services. The issue was promptly addressed by implementing appropriate API key restrictions where feasible...
mycompany VDP: This test report has been disclosed by 20_root.
This test report has been disclosed by 20_root. ████...