Hemi VDP: VSCode launch.json file exposed on hemi.xyz
A .vscode/launch.json file was published publicly on https://hemi.xyz/...
U.S. Dept Of Defense: SSRF due to CVE-2021-26855 on ████████
Description: There exists a Server Side Request Forgery (SSRF) on █████████ due to CVE-2021-26855. References: https://vulners.com/cve/CVE-2021-26855 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855 Impact: Server Side Request Forgery. System Hosts: ██████ Affected...
U.S. Dept Of Defense: WordPress application vulnerable to DoS attack via wp-cron.php
The WordPress application was vulnerable to a Denial of Service DoS attack via the wp-cron.php script, which could be exploited by sending a large number of requests to the script, causing it to consume excessive resources and overload the server, potentially leading to data loss and downtime. Th...
curl: Format string vulnerability, curl_msnprintf() function
Summary: A vulnerability has been identified in the curl library's formatted output functions, specifically in curl_msnprintf and its related functions. When a malicious attacker-controlled format string containing the %hn conversion specifier is passed, the function incorrectly attempts to write t...
curl: curl allows SSH connection even if host is not in known_hosts
Summary: curl does not fail if the SSH host identity cannot be verified because the host is not included in the .ssh/known_hosts file. This makes using curl to log into a previously unknown SSH host vulnerable to meddler-in-the-middle attacks. When using key-based authentication it wil...
U.S. Dept Of Defense: Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE
Summary: There are multiple issues found on ███: 1. ███████/examples/ - Apache Tomcat examples are available to the public. Multiple issues - session and cookie manipulation, internal IP disclosure. 2. Error page contains information about the Apache Tomcat version 3. Reported Tomcat version is...
Uber: uber.com may RCE by Flask Jinja2 Template Injection
Hi, Uber Security Team. I found an RCE in rider.uber.com. First, if you change your profile name to {{'7'*7}}, you will receive a mail "Your Uber account information has been updated" sent by [email protected], and in the mail body you can see your name become '7777777'. This is a vulnerability about...
Hemi VDP: Broken X (Twitter) link on hemi.xyz/about
Vulnerability description not provided...
Pornhub: SSRF & XSS (W3 Total Cache)
The researcher discovered a vulnerable WordPress plugin. The plugin suffers from a server-side request forgery vulnerability that can be exploited in several ways. The researcher was successful in doing the following: Accessing a private server-status URL exposing a monitoring tool. Running a Fla...
Top Echelon Software: Clickjacking in main domain https://topechelon.com/
The target website was vulnerable to Clickjacking, a web-based attack that tricked users into interacting with a hidden or disguised iframe. The vulnerability could have been exploited to manipulate user actions, potentially leading to unauthorized activities...
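The check a triager would run before accepting a clickjacking report is whether the response actually carries a framing defence, and which one wins when both headers are present. The following is an added example, not code from the report or from Top Echelon; it classifies a captured header dict (for instance `requests.head(url).headers`) and runs offline against the constructed samples in `SAMPLES`.

```python
"""Classify a site's clickjacking defence from its HTTP response headers.

Added example for the Clickjacking entry above; it is not the report's
code. Takes a header dict the caller already captured, so it runs offline
against the constructed samples in SAMPLES (none were taken from
topechelon.com).
"""
from __future__ import annotations


def _get_header(headers: dict[str, str], name: str) -> str | None:
    # Header names are case-insensitive; return the first match.
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _frame_ancestors(csp: str) -> list[str] | None:
    # A CSP is a ';'-separated list of directives. Return the source list of
    # frame-ancestors (quotes stripped, lower-cased), or None if absent.
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def frame_protection(headers: dict[str, str]) -> str:
    """Return 'protected', 'weak' or 'unprotected'.

    Only the enforcing Content-Security-Policy header counts; a
    Content-Security-Policy-Report-Only header blocks nothing. When
    frame-ancestors is present, browsers ignore X-Frame-Options, so the
    CSP directive is evaluated first.
    """
    csp = _get_header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:
            # '*' or a bare scheme lets any origin frame the page. An empty
            # list, 'none', 'self' or an explicit origin allow-list does not.
            if any(a in ("*", "http:", "https:") for a in ancestors):
                return "unprotected"
            return "protected"

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected"
    if value.startswith("ALLOW-FROM"):
        # Dropped by current browsers: the header is ignored and the page
        # is framable, so the site is relying on a defence that is not there.
        return "weak"
    return "unprotected"   # unrecognised values are ignored by browsers


SAMPLES = {   # constructed header sets, not captured from any real host
    "no headers": {},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo allow-from": {"x-frame-options": "ALLOW-FROM https://partner.example"},
    "csp none overrides xfo": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "ALLOW-FROM https://partner.example",
    },
    "csp wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "csp without frame-ancestors": {"Content-Security-Policy": "default-src 'self'"},
}


def report(samples: dict[str, dict[str, str]] = SAMPLES) -> dict[str, str]:
    """Classify every sample; the result is what a triage script would print."""
    return {name: frame_protection(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:28s} {verdict}")
```

The one case reporters routinely get wrong is the fourth sample: a site that still sends a stale `ALLOW-FROM` value but also sends `frame-ancestors 'none'` is protected, because the CSP directive takes precedence; conversely a CSP that sets `default-src` but no `frame-ancestors` gives no framing protection at all.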
Autodesk: SSRF in Autodesk Rendering leading to account takeover
A server side request forgery SSRF vulnerability was discovered in Autodesk Rendering. The vulnerability could have allowed an attacker to gain control of a victim's account while they were logged in. Autodesk has fixed the vulnerability...
XVIDEOS: Open redirect
Summary: An open redirect vulnerability was discovered on the website https://www.xnxx.com/todays-selection/1. This issue allows attackers to modify URLs to redirect users to arbitrary external websites, including malicious or phishing sites. The vulnerability can be exploited by manipulating...
Autodesk: Exposing debug.log file leads to server full path disclosure
Vulnerability description not provided...
WakaTime: Login Information and Credentials Have Been Leaked on wakatime.com
A security vulnerability was identified on wakatime.com, where user login information, including usernames and passwords, was leaked to the public. The issue appears to have been caused by insufficient protection of sensitive data, potentially due to inadequate encryption or improper handling of...
XVIDEOS: Stored XSS via SMTP Error Message
A Stored Cross-Site Scripting XSS vulnerability was identified on the /account/email page for www.xvideos.com. The vulnerability arose from the improper handling of SMTP error messages, which were passed into the html method without proper sanitization, allowing an attacker to store and execute...
AWS VDP: Non-Production API Endpoints for the Device Farm Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The Device Farm service was found to have two non-production API endpoints that could be accessed using standard IAM credentials without generating CloudTrail logs. This allowed silent permission enumeration, where an adversary could test the permissions of compromised credentials without...
Autodesk: Insecure Direct Object Reference (IDOR) in GraphQL deleteProfileImages Mutation
The Insecure Direct Object Reference IDOR vulnerability was discovered in the GraphQL deleteProfileImages mutation of the Autodesk User Profile. The vulnerability could have allowed an attacker to delete another user's photo through the "id" parameter. Autodesk has addressed the vulnerability...
AWS VDP: Non-Production API Endpoints for the DocumentDB Elastic Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The DocumentDB Elastic service was found to have three non-production API endpoints that could be accessed using standard IAM credentials without logging to CloudTrail. This allowed for silent permission enumeration, where an adversary could determine the permissions of compromised credentials...
WakaTime: Leaked credentials ( emails and passwords , etc...)
The security researcher reported the discovery of a large number of leaked credentials, including emails and passwords, on a Telegram bot. The source of the leaked data is unknown, but the volume of exposed information is substantial. The researcher did not attempt to verify the validity of the...
curl: CVE-2025-0725: gzip integer overflow
The libcurl library contained a vulnerability in the gzip content encoding function that allowed a malicious HTTP server to craft an arbitrary heap chunk in the memory of the victim and trigger a free of that forged chunk. This was possible due to an integer overflow in the handling of gzip...
Localize: Nginx version is disclosed in HTTP response
Summary: I found an Nginx version disclosure in your web server's HTTP response. Extracted Version: 1.16.1. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Nginx. Steps To Reproduc...
AWS VDP: Amazon Comprehend Medical Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints
The Comprehend Medical service was found to have 8 API endpoints that incorrectly reported the user-agent and network information as "AWS Internal" in CloudTrail event logs. This behavior was observed specifically for FIPS endpoints, which may have been an intentional design decision. The...
Internet Bug Bounty: Apache HTTP [2.4.17-2.4.38] Local Root Privilege Escalation
Hello, I reported a Local Root privilege escalation vulnerability in Apache HTTPd at the beginning of the year. Apache has now patched it, as you can see here. The vulnerability affects mod_prefork, mod_event, and mod_worker, the most used mods on Linux. Basically, this is an arbitrary function call...
AWS VDP: Non-Production API Endpoints for the Datazone Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The vulnerability found in the Datazone service allows an adversary to enumerate permissions of compromised credentials without logging to CloudTrail. Forty-four non-production endpoints were identified that can be accessed using standard IAM credentials and do not generate CloudTrail logs. This...
Autodesk: CVE-2023-5561 on Payapps.com
A vulnerability was identified at the WordPress site on payapps.com. This vulnerability allowed unauthenticated attackers to discern the email addresses of users who have published public posts. The vulnerability has been fixed...
Radancy: x-request-id header reflected in server response without sanitization
Domain and URL: maximum.nl Summary: When issuing a GET request to maximum.nl, it's possible to set the x-request-id header, which is then reflected in the server response without any sanitization. Description: An attacker can use this vulnerability to escalate to more advanced attacks such as CRLF...
Autodesk: Insecure Direct Object Reference (IDOR) Vulnerability in Autodesk User Profile
An Insecure Direct Object Reference IDOR vulnerability was discovered in the Autodesk User Profile. The vulnerability was found in the "id" parameter, which could have allowed an attacker to edit another user's profile...
Autodesk: Twitter broken link hijacking in thewild.com
A broken link hijacking vulnerability was discovered on thewild.com. The issue was reported and subsequently fixed by Autodesk...
U.S. Dept Of Defense: SharePoint exposed web services
Microsoft SharePoint is a web application platform developed by Microsoft. Because of improper configuration an anonymous user has access to the SharePoint Web Services. The impact of this vulnerability The SharePoint Web Services can disclose sensitive information. This information can be used t...
Lichess: Direct IP Access to Website
Summary: The website is accessible directly via its IP address 37.187.205.99, which may bypass domain-based security policies and expose potential misconfigurations. Steps To Reproduce: 1. Open a web browser and enter the IP address: http://37.187.205.99 2. Observe that it loads the main website...
Autodesk: Stored XSS via Post Title Enabling Non-Privileged User to Privileged User Exploitation on https://forums.autodesk.com/
A stored cross-site scripting XSS vulnerability was found on Autodesk Forums. The vulnerability allowed an attacker to inject malicious JavaScript code when viewed by both non-privileged and privileged users. The vulnerability was fixed by Autodesk...
Reddit: Exposed proxy allows to access internal reddit domains
An exposed proxy at 52.90.28.77:30920 was found to allow access to internal reddit domains, such as snoo.dev, which were used by Reddit employees...
IBM: Weak credentials found in Jenkins endpoint
Weak credentials were discovered in a Jenkins endpoint. The issue was reported to IBM, analyzed, and remediated...
AWS VDP: Non-Production API Endpoints for the Forecast Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The Forecast service in Amazon Web Services AWS has four non-production API endpoints that can be accessed using standard IAM credentials, but do not log any activity to CloudTrail. This allows for silent permission enumeration, where an adversary can test the capabilities of compromised...
LocalTapiola: Wordpress Users Disclosure (/wp-json/wp/v2/users/)
Information: Using the REST API, we can see all the WordPress users/authors with some of their information. Steps To Reproduce: You can get user info by entering the URL below in your browser: https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/users/ Result (JSON): "id": 1, "name": "LTR", "url": "",...
Autodesk: IDOR Vulnerability Allowing Unauthorized Profile Picture Change
An IDOR vulnerability was found on the Autodesk User Profile, which allowed an attacker to edit another user's profile picture. The vulnerability was reported and has been fixed by Autodesk...
Chaturbate: Forget password link not expiring after email change.
I found a token misconfiguration flaw in chaturbate.com. When we reset the password for a user, a link is sent to the registered email address, but in case it remains unused and the email is updated by the user from the settings panel, the old reset link sent to the old email address still remains valid. A...
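The flaw in the Chaturbate entry is a reset token whose lifetime is tied only to a clock, not to the address it was mailed to. The following is an added example, not the site's code, modelling an account store in two modes: `hardened=False` reproduces the reported behaviour (a link mailed to the old address keeps working after the email is changed), `hardened=True` revokes outstanding tokens when the email changes and additionally refuses a token whose bound address no longer matches the account. Class names, the one-hour TTL and the sample addresses are assumptions.

```python
"""Password-reset tokens that outlive an email change.

Added example for the Chaturbate entry above, not the site's code. The
class, the TTL and the sample addresses used in the tests are assumptions.
"""
from __future__ import annotations

import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600   # assumed lifetime of a reset link


def _token_hash(token: str) -> str:
    # Store only a hash so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.users: dict[str, dict[str, str]] = {}   # user_id -> account
        self.tokens: dict[str, dict] = {}            # token hash -> record

    def add_user(self, user_id: str, email: str, password: str) -> None:
        self.users[user_id] = {"email": email, "password": password}

    def request_reset(self, email: str) -> str | None:
        """Mint a single-use token for the account owning `email`.

        Returns the token for the example's benefit; a real service mails it
        to `email` and returns nothing either way, so unknown addresses are
        not distinguishable from known ones.
        """
        for user_id, acct in self.users.items():
            if acct["email"] == email:
                token = secrets.token_urlsafe(32)
                self.tokens[_token_hash(token)] = {
                    "user_id": user_id,
                    "sent_to": email,   # the address the link was delivered to
                    "expires": time.time() + TOKEN_TTL_SECONDS,
                }
                return token
        return None

    def change_email(self, user_id: str, new_email: str) -> None:
        self.users[user_id]["email"] = new_email
        if self.hardened:
            # Fix 1: every outstanding reset token for this account was mailed
            # to an address the account no longer trusts, so revoke them all.
            self.tokens = {h: rec for h, rec in self.tokens.items()
                           if rec["user_id"] != user_id}

    def reset_password(self, token: str, new_password: str) -> bool:
        rec = self.tokens.pop(_token_hash(token), None)   # single use
        if rec is None or rec["expires"] < time.time():
            return False
        acct = self.users[rec["user_id"]]
        if self.hardened and rec["sent_to"] != acct["email"]:
            # Fix 2, defence in depth (e.g. revocation raced a replica): the
            # token only counts if the account still uses the address it
            # was sent to.
            return False
        acct["password"] = new_password
        return True


if __name__ == "__main__":
    for hardened in (False, True):
        svc = PasswordResetService(hardened=hardened)
        svc.add_user("u1", "old@example.com", "pw")
        link = svc.request_reset("old@example.com")
        svc.change_email("u1", "new@example.com")
        print("hardened" if hardened else "vulnerable",
              "old link still works:", svc.reset_password(link, "owned"))
```

Either fix alone closes the reported path; keeping both means a token that survives revocation (a missed replica, a cached row) still cannot be used, and a fresh link requested after the change, which is bound to the new address, works as before.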
curl: CVE-2025-0665: eventfd double close
Summary: GitHub issue 15725 describes a double close in libcurl 8.11.1. I believe that a double close in multi threaded code should be considered a security vulnerability. A fix already exists for this, so it should be good in the next release. I am not 100% sure this is the place to be making su...
Dust: UI flaw allows unauthorized users to add documents to restricted folders
The UI flaw allowed unauthorized users to add documents to restricted folders. The vulnerability constituted an Insecure Direct Object Reference IDOR issue, where users could manipulate the client-side behavior to perform actions they were not supposed to have access to, such as uploading documen...
Dust: Unauthorized Table Creation by Member
A member user was able to create tables inside restricted company data spaces, despite the UI indicating that only workspace builders admins should be allowed. The "Add Data" button appeared disabled in the UI, but it was still interactable and functional, allowing the member to successfully crea...
Dust: Privilege Escalation in Edit and Create Secret Endpoints Leads to Unauthorized Secret Modification
The vulnerability allows a user with the Builder role to list all existing secret names, create new secrets, and overwrite existing secrets by using the same name. This behavior violates permission boundaries and leads to privilege escalation and unauthorized access to sensitive data...
TomTom: Anonymous user login to Nexus Repository Manager
Hello, By default the Nexus Repository Manager has two login users one is admin and the other is anonymous. The default password for the user "admin" is admin123 The default password for the user "anonymous" is anonymous On your Nexus Repository Manager the password for the user admin has been...
Imgur: Login to any user account using other facebook app access token
Vulnerable URL: https://api.imgur.com/generatetoken/thirdpartynativeandroid?type=facebook Vulnerable Param: accesstoken Attack: A hacker can build their own Facebook app, get the victim's Facebook access token and use that access token to log into the victim's Imgur account. POC:...
Shopify: Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile)
Summary: The Shopify Android app has an option to sign in to the app using a fingerprint, but if the application is open and someone triggers a "deeplink", authentication is no longer required. Steps to Reproduce: F523700 Link: Shopify Help Center - Topics - Products NOTE¹: The application must be open...
curl: Heap-based buffer overflow in curl -K <config_file> allows arbitrary write.
Summary: A heap-based buffer overflow in curl's config-file parser (parseconfig -> getparameter) allows an attacker supplying a crafted config file to overwrite internal pointers via cleanarg, leading to a write-what-where primitive and potential remote code execution. Affected version: curl 8.13.0...
Yelp: Unauthorized Reservation Cancellation Through IDOR Vulnerability
Vulnerability description not provided...
Trello: Subdomain Takeover & username enumeration
Bug 1 ====== The IP of the domain is not pointing to wpengine.com. An attacker can sign up there and take over the subdomain by using this IP. Check the error message by visiting the domain IP; it says: This domain is successfully pointed at WP Engine, but is not configured for an account on our platform. If y...
Imgur: RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
Summary The y parameter of /edit/process endpoint with a=crop is vulnerable to command-line argument injection to something that appears to be GraphicsMagick utility probably gm convert. Due to GraphicsMagick's hacker-friendly processing of |-starting filenames supplied to -write option, it leads...
Dust: Race Condition in Folder Creation Allows Bypassing Folder Limit
The application enforced a hard limit of 10 folders per user under a specific space. However, due to a race condition, it was possible to bypass this limit by sending multiple folder creation requests simultaneously after deleting one folder. This allowed creating more than 10 folders, breaking t...
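The Dust folder-limit entry describes a classic check-then-act race: every request reads the count, sees one free slot, and inserts. The following is an added example, not the product's code, with a store that can run in either mode: `atomic=False` keeps the check and the insert as two steps, `atomic=True` does both under one lock (a real backend would use a transaction and a constraint instead). A `threading.Barrier` lines every request up at the point between check and insert so the worst-case interleaving happens deterministically rather than depending on the scheduler. Limit, folder names and the space id are assumptions.

```python
"""Check-then-act race on a per-space folder limit.

Added example for the Dust race-condition entry above, not the product's
code. FOLDER_LIMIT, the space id and the folder names are assumptions.
"""
from __future__ import annotations

import threading

FOLDER_LIMIT = 10   # the entry reports a limit of 10 folders per space


class FolderStore:
    def __init__(self, atomic: bool) -> None:
        self.atomic = atomic
        self.folders: dict[str, list[str]] = {}
        self._lock = threading.Lock()

    def count(self, space_id: str) -> int:
        return len(self.folders.get(space_id, []))

    def delete(self, space_id: str, name: str) -> None:
        self.folders[space_id].remove(name)

    def create(self, space_id: str, name: str,
               rendezvous: threading.Barrier | None = None) -> bool:
        """Create a folder if the space is under the limit.

        `rendezvous` exists only to make the example reproducible: it parks
        every caller at the point where the interleaving matters. Production
        code has no such argument; the scheduler provides the interleaving.
        """
        names = self.folders.setdefault(space_id, [])
        if self.atomic:
            if rendezvous is not None:
                rendezvous.wait()
            with self._lock:   # fix: check and insert are one critical section
                if len(names) >= FOLDER_LIMIT:
                    return False
                names.append(name)
                return True
        # Vulnerable: a window between the limit check and the append.
        if len(names) >= FOLDER_LIMIT:
            return False
        if rendezvous is not None:
            rendezvous.wait()   # all callers have passed the check, none has inserted
        names.append(name)
        return True


def race(atomic: bool, attackers: int = 20, space_id: str = "space-1") -> int:
    """Fill a space to the limit, delete one folder, then fire `attackers`
    simultaneous create requests, as the entry describes. Returns the final
    folder count: FOLDER_LIMIT when the store is atomic, more when it is not.
    """
    store = FolderStore(atomic=atomic)
    for i in range(FOLDER_LIMIT):
        assert store.create(space_id, f"f{i}")
    assert not store.create(space_id, "one-too-many")   # limit holds serially
    store.delete(space_id, "f0")                          # one slot free again
    barrier = threading.Barrier(attackers)
    threads = [threading.Thread(target=store.create,
                                args=(space_id, f"race-{i}", barrier))
               for i in range(attackers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.count(space_id)


if __name__ == "__main__":
    print("vulnerable store:", race(atomic=False))   # 29
    print("atomic store:    ", race(atomic=True))    # 10
```

Serial requests never exceed the limit in either mode, which is why the bug survives ordinary functional testing; only concurrent requests against a space with one free slot expose it. The per-process lock is enough for the demonstration but not for a multi-instance service, where the equivalent is a single transaction that counts and inserts with the row locked, or a constraint the database enforces.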
Nextcloud: Remote Code Execution via Extract App Plugin
Hi, I found a critical issue in the Add-on "Extract" listed in the Nextcloud Marketplace: https://apps.nextcloud.com/apps/extract This extension can be installed directly from Nextcloud Application The vulnerability was found in file: extract/lib/Controller/ExtractionController.php line 102. The...