15369 matches found
Greenhouse.io: openssh-server Forced Command Handling Information Disclosure Vulnerability on blog.greenhouse.io
Summary of the issue: The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by...
8x8: █.8x8.vc/index.js: Exposed Google Maps API Key Allowing Potential Abuse of Paid Services
The Google Maps API key was inadvertently exposed in client-side code, allowing potential unauthorized access to some Google Maps services. The issue was promptly addressed by implementing appropriate API key restrictions where feasible...
mycompany VDP: This test report has been disclosed by 20_root.
This test report has been disclosed by 20_root. ████...
Daimler Truck: Time-based SQL Injection
CWE: CWE-89 CVSS: 9.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N URL: www.bharatbenz.com//dealer/0'XORifnow=sysdate,sleep20,0XOR'Z SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server. Impact ...
Acronis: [CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day
Summary The website at nps.acronis.com is vulnerable to CVE-2021-44228 Steps To Reproduce I used this script to find this. It spins up an interact-sh server to receive the callback and sends the payload in the query string and about 30 different headers. You can reproduce manually with curl and...
h1-ctf: [h1-2006 2020] Write up for H1-2006 CTF
I huffed and puffed my way up a flight of stairs into a dimly lit, dusty room, looking for Sherlock. As I made my way through scattered books, I exclaimed, "Sherlock, wake up! It's that time of the year. h1-ctf, a chance to get an invitation to hackerone's live hacking event." "zer0ttl, of course! Yo...
OLX: SQL Injection https://www.olx.co.id
I found the SQL Injection security hole on the website https://www.olx.co.id; this is a critical finding. Here is the POC from the findings that I got. Affected: https://www.olx.co.id/ajax/buybundle/getbundle/ POC: Request DATA POST /ajax/buybundle/getbundle/ HTTP/1.1 Host: www.olx.co.id User-Agen...
Nextcloud: Text app leaks file path of shared files
By sending a request for a share without a README.md, the whole file path will be returned to the user: PUT /apps/text/public/session/create?token=EHTs4P7kATowiMg HTTP/1.1 Host: cloud.nextcloud.com User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:89.0 Gecko/20100101 Firefox/89.0 Accept...
Basecamp: Information Disclosure of Garbage Collection Cycle
Hello, Upon enumerating a subdomain's content I found a directory that discloses the duration of the garbage collection cycles. I think that this information should be kept private because the public should not know information about the target application and how it operates or does its garbage...
Solana BBP: Sensitive data leaks [username, password, keys]
Summary: Hello team, This bug shows some critical assets like secret username, password, keys, etc. publicly on GitHub. Steps To Reproduce: Please visit the URL below 1. https://github.com/solana-labs/solana/blob/e310bad7ab09a4a5bd23314983bffa1707506230/.buildkite/env/secrets.ejson 2...
Semrush: OAuth `redirect_uri` bypass using IDN homograph attack resulting in user's access token leakage
Issue Summary: It was found that the SEMrush OAuth implementation fails to properly validate the value of the redirect_uri parameter, which was bypassed using an IDN homograph attack, which results in leaking the user's access token to an attacker-controlled domain name. The IDN homograph attack exploits the fact...
WordPress: Parameter tampering : Price Manipulation of Products
Hello Security Team, I have found that you can buy any product for less, or even, we can say, for free, by changing the price of the product!! POC: 1. Go to https://mercantile.wordpress.org/ 2. Choose any product and add it to the cart 3. Now go to the cart and add your billing details 4. Intercept the request with...
GitLab: Container scanning and Dependency scanning report leaked to unauthorized users
Hi GitLab Security team Summary GitLab makes the container scanning and dependency scanning information available as part of a JSON endpoint for merge requests. These reports are output of the CI job and should only be displayed if the visiting user has access to CI. However, right now GitLab...
Mail.ru: Clickjacking Full account takeover and editing the personal information at [account.my.com]
Hi, while I was testing I found that my.com is vulnerable to clickjacking, so I checked if the settings page is vulnerable or not, and it was vulnerable, so now this has a risk! The attacker could make an exploit code at the change password page to take over the victim's account, and the same with t...
Dropbox: SSRF vulnerability in app webhooks
Server Side Request Forgery (SSRF) is a vulnerability which allows an attacker to make web requests from the context of the server host machine to arbitrary URLs. This vulnerability can allow the attacker to access resources internal to the network, which would otherwise be inaccessible. This...
U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA
I found out that https://█████████/ was vulnerable to CVE-2020-3452. The IP has an SSL certificate pointing to █████████ curl -kv https://██████████/ Output Server certificate: subject: C=US; ████.mil Impact Anyone can read any file present on the server. System Hosts ███ Affected Products and...
Shopify: Subdomain Takeover of multiple *.ttcdn.co domains
@priyanshuxo demonstrated being able to takeover multiple ttcdn.co subdomains. While we removed the DNS records, the ttcdn.co domain is out of scope for our program, making this report ineligible for a bounty. This is a limited disclosure at their request...
SMTP2GO: Stored XSS at https://app.smtp2go.com/settings/users/
Vulnerability: A. Type: Cross Site Scripting (Stored) B. Description: Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Summary: When you create a particular user...
h1-ctf: [H1-2006 2020] From multiple vulnerabilities to complete ATO on any customer account and staff admin
First of all, thanks for the awesome CTF. I enjoyed it very much : Summary The CTF was about helping HackerOne's beloved CEO, @martenmickos, to approve May bug bounty payments after he has lost his login details for BountyPay. It all started with this tweet: F860982 And as you all know, I had to...
GitHub Security Lab: [Java] CWE-939 - Address improper URL authorization
This bug was reported directly to GitHub Security Lab...
Ian Dunn: xmlrpc.php file is enabled; it can be used for conducting a brute-force attack and Denial of Service (DoS)
Hi Team, The website https://www.iandunn.name has the xmlrpc.php file enabled and could thus potentially be used for such an attack against other victim hosts. WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. URL:...
Infogram: LFI through the MySQL connection
Hello team! I've found a way to read Infogram's server local files through the MySQL connection. The problem is that you're using the LOAD DATA LOCAL feature with your MySQL client. This is how an attacker can easily send the server's local files to her/his database. I've successfully read the...
WordPress: Lack of Password Confirmation when Changing Password and Email
Hello Team, I noticed that it is not necessary to enter your password when changing email, password, etc., which makes it easy for an attacker to change the victim's credentials once they hijack or take over a WordPress forum account. Let me know if you need more information. Best Regards,...
Pornhub: [phpobject in cookie] Remote shell/command execution
The researcher was able to exploit a vulnerable deserialization function in PHP leading to remote shell on a production server...
Algolia: API key added for one index works for all other indices too.
Hi, I created one API key and restricted it to only one index by adding it and gave it the right to create records. Now this API key can be used to add records in other indices in the same account. Screenshot is attached...
Internet Bug Bounty: OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
Full write up: http://intothesymmetry.blogspot.ch/2016/01/openssl-key-recovery-attack-on-dh-small.html DH small subgroups CVE-2016-0701 ================================== Severity: High Historically OpenSSL usually only ever generated DH parameters based on "safe" primes. More recently in version...
HackerOne: mailto: link injection on https://hackerone.com/directory
I just found that entering a non-existing program returns the following response: The Directory doesn't have a profile matching these criteria. If an organization has published security contact information or a vulnerability disclosure policy, please let us know. The bold part has a mailto: link...
Internet Bug Bounty: Apache Airflow Google Cloud Sql Provider Remote Command Execution
An improper input validation vulnerability was discovered in Apache Airflow Google Provider before version 8.10.0, which could allow an attacker to execute remote commands on the victim's machine by modifying the existing connection configuration information. The vulnerability was discovered by X...
HackerOne: Scope information is leaked when visiting policy scopes tab of any External Program
Scope information was leaked when visiting the policy scopes tab of any external program on HackerOne, allowing unauthorized users to view private program details. The vulnerability was caused by the new scope policy feature that displayed all program names and scopes using the new functionality...
Acronis: Subdomain takeover of main domain of https://www.cyberlynx.lu/
Summary Hi Acronis Security Team, Hope you are well. I found one of your subdomains, which is www.cyberlynx.lu. One of your acquisitions is pointing towards www.cyberlynx.lu canonical name = www118.wixdns.net. www118.wixdns.net canonical name = balancer.wixdns.net. balancer.wixdns.net canonical name =...
GitHub Security Lab: Java: Fix NashornScriptEngine detection in ScriptEngine query
This bug was reported directly to GitHub Security Lab...
Mail.ru: Brute-force any email account through allods.mail.ru
!!! The full version of the report with screenshots is in the attached PDF file. Vulnerability Technical description ========================= At https://allods.mail.ru/account.php there is a registration form for a new user of the game. While the form is being filled in, an Ajax POST request is sent to...
Internet Bug Bounty: Dragonblood: Design and Implementation Flaws in WPA3 and EAP-pwd
Full background information is at our website and detailed information can be found in our research paper. Vulnerability Summary First Disclosure Summarized, the Dragonfly handshake of WPA3 and EAP-pwd is supposed to prevent dictionary attacks. However, we discovered design flaws that still enabl...
Equifax-vdp: Important information leaked on Github
While searching on GitHub for Equifax I found some juicy information like a username and password for the subdomain https://transport5.ec.equifax.com/, the internal IP of the database and its username & password. In the following link...
Liberapay: User Enumeration
@offgouvea reported a user enumeration issue. User enumerations are out-of-scope as mentioned in our program's policy...
RATELIMITED: Hackerone1
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: add summary of the vulnerabili...
Infogram: User enumeration via forgot password error message
Hi Team, Vulnerable URL: https://infogram.com/forgot Description: While testing whether rate limiting on the forgot password field is working or not, I noticed the forgot password field is vulnerable to user enumeration. When a user enters an email ID which is not in the database, it shows an error ...
arxius: Local File Disclosure via ffmpeg
Summary ffmpeg is a video and audio software that is used for generating previews and for converting videos. Your current installation allows HLS playlists that contain references to external files, which leads to local file disclosure. Reproduction 1. Download this script...
Open-Xchange: Web Browser XSS Protection Not Enabled
Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server http://www.dovecot.fi/s=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Csystem.ini&submit=Search...
HackerOne: HTML injection can lead to data theft
Hey, This is more like an in-depth security thing with a reasonable attack scenario. On some occasions, it seems to be possible to leak sensitive data to an external server, not affected by the CSP. This can happen in the following situation: 1. There's an HTML injection vulnerability 2. The...
curl: Cache purge requests are not authenticated
Vulnerability description not provided...
Internet Bug Bounty: Integer overflow in CipherUpdate
Summary: I reported an integer overflow to the OpenSSL security list on Dec 13, 2020 and it was fixed in OpenSSL 1.1.1j. Reporting it here for the bounty. It was assigned CVE-2021-23840 https://nvd.nist.gov/vuln/detail/CVE-2021-23840 which NVD rated CVSS 7.5. Amusingly, the same bug worked around...
GitHub Security Lab: [Java] CWE-555: Query to detect password in Java EE configuration files
This bug was reported directly to GitHub Security Lab...
curl: curl overwrites local file with -J option if the file is non-readable but writable.
Summary: When using the -J -O options on the curl command line tool and a server responds with a Content-Disposition header providing a filename, an existing local file will be overwritten if the file is non-readable by the current user but writable by the current user. Curl contai...
h1-ctf: [H1-2006 2020] Multiple vulnerabilities allow to leak sensitive information
Summary: --------------------- Hello team! This report is a detailed write-up of a chain of vulnerabilities that ended up leaking sensitive information - a flag. The CTF itself was really fun and I've enjoyed it. Hope you find my report valid and useful. Steps To Reproduce: ---------------------...
Internet Bug Bounty: Basic Authentication Heap Overflow
Summary: An attacker can get arbitrary data overflowed in the heap via Basic Authorization base64 blob. Even when basic auth isn't configured. Report sent to developers When calling HttpHeader::getAuth the field value will be base64 decoded. The call to the decode method doesn't ensure that the...
Slack: Subdomain takeover on podcasts.slack-core.com
I noticed slack-core.com is used for Slack's call infrastructure. I had never seen that domain before, so I decided to find out what else was running on it. It turned out podcasts.slack-core.com was pointing to a Podcast and RSS hosting service called Feed.Press. However, there was no Feed.Press...
GitHub Security Lab: [Java]: CWE 295 - Insecure TrustManager - MiTM
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CodeQL query for disabled revocation checking
This bug was reported directly to GitHub Security Lab...
8x8: PHPinfo page on http://█████.callstats.io
A PHPInfo file was exposed on a legacy system. phpinfo was available on a callstats.io subdomain. It disclosed information on the server and the PHP version...