UPchieve: url redirection
Summary: the following url is vulnerable to redirect https://app.upchieve.org Steps To Reproduce: when you add @evil.com the user will be directed to evil.com https://[email protected] Impact Users could get redirected to malicious domain...
U.S. Dept Of Defense: critical information disclosure
Description: hey all , I have found critical information through this endpoint ████ on ███████ DB credentials such as DBNAME,DBUSER,DBPASSWORD,DBHOST, etc.. Impact full access control on DB service on website System Hosts ███ Affected Products and Versions CVE Numbers Steps to Reproduce Go to...
Solana BBP: i don't the important and it's impact . the affected asset: https://github.com/solana-labs/solana/blob/master/.buildkite/env/secrets.ejson
Summary: add summary of the vulnerability Steps To Reproduce: add details for how we can reproduce the issue 1. I have browsed this source code on GitHub: https://github.com/solana-labs/solana/tree/master/sdk 2. I have browsed the files and I found the file called buildkite/env/secrets.ejson...
Smule: No Rate Limiting On Phone Number Login Leads to Login Bypass
Hey Team, Introduction: A rate limiting algorithm is used to check if the user session has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame. Description: I was able to Bypass Authentication of any user by enumerating th...
Chaturbate: Internal loop going to infinite for cb.setTimeout(func, msecs) for broadcast app.
Hi There, I am not sure whether this is a vulnerability for @chaturbate or not, but in my view I thought it can be vulnerable and an attacker can use this vulnerability for exploitation on the @chaturbate website as a normal user, so finally I decided to report. As I was just playing with the Broadcast app...
Trello: SSRF in account webhook (through API)
It was possible to create a webhook that pointed to the EC2 metadata address, http://169.254.169.254. While no data from that address would be returned, the webhook would be created successfully with a 200 status, indicating that proxy used by the webhook requests wasn't blocking access to that...
HackerOne: Unintended HTML inclusion as a result of https://hackerone.com/reports/110578
Hi, I was just reading https://hackerone.com/reports/110578 and testing out the changes. I had previously noticed that the editor would take something like: test and turn it into : test In other words, the code would recursively look at what should be the title string and use the first single or...
TikTok: Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload
Vulnerability description not provided...
U.S. Dept Of Defense: Authentication Bypass Using Default Credentials on █████
An authentication bypass vulnerability was discovered on the admin console of █████████, allowing unauthorized access to the portal and its data using default credentials. The suggested mitigation is to change the credentials. No CVE numbers or affected product versions were mentioned...
8x8: SQL injection (stacked queries) in the export to Excel functionality on Vidyo Server
An abandoned Vidyo server was found to be vulnerable to SQL injection and exposing access to the associated local database. The Vidyo server was retired...
X (Formerly Twitter): Periscope-all Firebase database takeover
Hello, I found one public Firebase database of periscope.tv and I am able to insert data into this database; I only used it once for testing purposes, so other database queries are also possible. Please follow the below link to check the inserted test data. Periscope-all Firebase URL :-...
Khan Academy: Possible Subdomain Takeover
None of the weakness categories really fit this so I apologize for that. The subdomain learnstormindia.khanacademy.org points to 52.203.185.84 a webflow.io proxy server proxy-ssl.webflow.com. The CNAME entry in the subdomain is pointing to an external page service learnstormindia.khanacademy.org...
Cloudflare: Private API key leakage due to lack of access control
The lack of access control on the https://mobilesdk.cloudflare.com/api/v1/ api allows for a remote attacker to access and steal a logged in user's private data. This can be done due to the lack of origin protection. An attacker can embed the config URI...
Node.js third-party modules: XSS in express-useragent through HTTP User-Agent
Hello, I would like to report an XSS in the express-useragent module due to a lack of validation of the User-Agent header. Please note I already created a GitHub issue and asked for a CVE, CVE-2018-9863. I did not know about Node.js third-party modules on HackerOne. Description express-useragent is simple...
Ed: Session Cookie Without Secure Flag,
Assigned to:-ED Assigned by:- Kirtikumar Anandrao Ramchandani Assigned on:- 25/04/2018 Bug overview:- Session Cookie without secure flag. Cookie Name:- gitlabsession Description:-Risk description: Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel...
Automattic: [app.simplenote.com] Stored XSS via Markdown SVG filter bypass
Hi, A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript in the app.simplenote.com context. Proof of concept Before proceeding to reproduce this vulnerability, please log in to app.simplenote.com and create a new note with...
Shopify: Force 500 Internal Server Error on any shop (for one user)
There is very strange behavior. If a user opens URLs like the ones below: - https://whashp.myshopify.com/?previewthemeid=11288717 - or https://lmfshp.myshopify.com/?previewthemeid=11290937 he gets redirected to the shop https://whashp.myshopify.com/ with a 500 Internal Server Error response, and reload does not help i...
Acronis: CVE-2021-40438 on cp-eu2.acronis.com
Hi team Summary CVE-2021-40438 on cp-eu2.acronis.com Steps To Reproduce...
Doppler VDP: email spoofing on doppler.team
Summary: There is an Email Spoofing vulnerability on your domain doppler.team which allows an attacker to send an email with your domain name such as [email protected] and so on. Steps To Reproduce: 1. Go to http://emkei.cz 1. Fill the "From Email" field with [email protected] or any other doppler...
BugPoC: Solution for XSS challenge calc.buggywebsite.com
Summary: http://calc.buggywebsite.com/ is an Angular site designed as a calculator. After observing the source code, there is an iframe frame.html with functionality for displaying the data of a postMessage in the webpage. js window.addEventListener("message", receiveMessage, false); function...
Open-Xchange: Buffer over-reads in i_stream_zlib_read
This can be reproduced by a sample program using libcompression: int main(int argc, char **argv) { const unsigned char *data_dec; size_t size_dec; const uint8_t *data = argv[1]; size_t size = strlen(data); struct istream *test_input = test_istream_create_data(data, size); const struct compression_handler *handler =...
Razer: Accessible Druid Monitor console on https://api.pay-staging.razer.com/
The tester discovered a monitoring application was available on a remotely accessible administrative console in the Razer Pay staging environment, which could have been used to leverage information that could have compromised the server. The Razer Pay team removed this and other similar servers...
X (Formerly Twitter): Periscope android app deeplink leads to CSRF in follow action
Hello Twitter Team Summary This issue is mainly in the Periscope Android app against CSRF follow action using deeplink. Description In normal Periscope Website, when we share a follow link like www.pscp.tv//follow, we get a response whether to follow a person or not, giving us an option, means CS...
WordPress: code.wordpress.net subdomain Takeover
Hi WordPress sec, I found it is possible to take over this domain http://code.wordpress.net; when you navigate to it you will get this error msg: Warning! Domain mapping upgrade for this domain not found. Please log in and go to the Domains Upgrades page of your blog to use this domain. $ host...
Zendesk: CSV Excel Macro Injection Vulnerability in export chat logs
Scenario: An attacker creates a name as =AND21 with a fake email and with random text in the message body. This is similar to a vulnerability recently found in zendesk.com as well. When a team member clicks export as csv and opens it instead of seeing =AND21 they see TRUE. Meaning that cell is no...
Internet Bug Bounty: CVE-2023-23914: HSTS ignored on multiple requests
Multiple requests made using curl's HSTS functionality ignored the HTTPS protocol and used an insecure clear-text HTTP step instead. This was due to the state not being properly carried on, allowing the bypass of intended security controls. The vulnerability was assigned CVE-2023-23914 and had a...
Internet Bug Bounty: CVE-2022-27775: Bad local IPv6 connection reuse
Summary: curl/libcurl doesn't consider the IPv6 address zone index when doing connection reuse. If a connection exists to a specific IPv6 address and the other conditions for connection reuse are fulfilled, it will be reused for connections regardless of the zone index. Steps To Reproduce: 1. Set up a fake...
GitHub Security Lab: Java: Static initialization vector
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Python] CWE-287: LDAP Improper Authentication
This bug was reported directly to GitHub Security Lab...
New Relic: HTML Injection In Email In one.newrelic.com
Hi, There's an HTML injection vulnerability present inside emails sent from New Relic when the name of the organization inviting a user contains HTML. The HTML is stored in the backend database and when invitation emails are sent, the HTML is sent along with the rest of the email. Steps to reproduce:...
Automattic: Unauthenticated access to webmail at maildev.happytools.dev leading to compromised wordpress site api.happytools.dev [RCE]
Summary: Dear Team, Today when I was trying to find bugs on Happy Tools I found the 2 domains below for the staging environment - https://maildev.happytools.dev - https:// api.happytools.dev The SSL certificates of the two websites above were expired. But you can adjust your date-time to 02/02/2020 or before that ti...
Starbucks: Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg
ko2sec discovered an .ashx endpoint on mobile.starbucks.com.sg intended for image files permitted unrestricted file type uploads which could lead to a potential RCE. ko2sec's thorough analysis provided additional endpoints on other out of scope domains that shared this vulnerability. @ko2sec —...
Node.js: Child process environment injection via prototype pollution
Summary: prototype pollution causes polluted system environment for child processes. Description: This can be used to inject arbitrary --require flags to node.js child processes or in the case of current node.js versions it can be used to inject arbitrary JavaScript to child processes. In practic...
U.S. Dept Of Defense: LFI with potential to RCE on ██████ using CVE-2019-3396
POC POST /rest/tinymce/1/macro/preview HTTP/1.1 Host: ██████ Content-Type: application/json Content-Length: 174 "contentId":"12345","macro":"name":"widget","body":"","params":"url":"https://www.youtube.com/watch?v=wHEHYJpCkpg","width":"300","height":"200","template":"file://../" Thanks, Ben Impac...
HackerOne: Missing spf flags for hackerone.com
I just checked for SPF records for the hackerone.com domain, and there are none, effectively allowing spam/spoof to originate from that domain. You can validate by testing yourself here: http://www.kitterman.com/spf/validate.html I want to show you an attack scenario. An attacker would send a...
Node.js: Node.js Certificate Verification Bypass via String Injection
This is a report on behalf of Google, who did not want to report through H1. --- Summary Node’s APIs for reporting certificate fields are ambiguous and allow bypassing certificate verification in some circumstances. Details In light of CVE-2021-3712, I’ve been looking at code which misuses...
UPchieve: i can join without user and pass in this website https://argocd.upchieve.org/settings/accounts
Summary: I can see the Content Steps To Reproduce: the website is not good 1. if I join this website I can see Content https://argocd.upchieve.org/settings/accounts Supporting Material/References: you most need good programmers https://argocd.upchieve.org/settings/accounts Recommendations for...
Solana BBP: email spoofing
email spoofing Impact step 1:visit: https://www.kitterman.com/spf/getspf3.py step 2:in domain name, type:https://github.com/solana-labs/solana-program-library step 3: check SPF record, it will appear" No valid SPF record found" step 4:visit: https://emkei.cz/ step 5:type name as...
WakaTime: Private leaderboard owner email disclosure when sending invites
Hi, the unverified email disclosure when inviting anyone on Leaderboards. Steps.. 1- create account [email protected] . 2- do not verify the email . 3- go to Leaderboards . 4- invite any email [email protected] . your friends. 5- your friends look in their inbox; the WakaTime invite says [email protected]...
Dropcontact: API key is not validated for C.R.M integration [Pipedrive] of LOGGED IN USER, A user can use another USER'S API key for this operation.
We didn't verify the API key when a new user was using his Pipedrive free trial, so someone could take a key of another Pipedrive which doesn't belong to him and make his free trial on this API key. Or launch a free trial on a Pipedrive already connected to Pipedrive...
DuckDuckGo: XSS on Videos IA
Failure found in the videos tab. A user was created on the website https://rutube.ru/video/83a4775f020b3fd68efd3dc9a73031e8/ with the tag " . When we search DuckDuckGo for the video or user tag, we find an XSS flaw in the page...
Starbucks: Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data
zlz and rhynorater discovered that by obtaining a valid authentication cookie and then combining that with a path traversal, this allowed access to restricted data. noapearson assisted by providing additional information post discovery. @zlz / @rhynorater / @noapearson — thank you for reporting...
Nextcloud: Missing ownership check on remote wipe endpoint
On settings/user/security You can mark a device for wipe out that does not belong to you. Steps: 1. Create 2 accounts one for the hacker and one for the victim 2. On both accounts add devices with different names 3. On the hacker account, while intercepting with burpsuite, select the option to wi...
Shopify: Shopify Stocky App OAuth Misconfiguration
@vulnh0lic noticed that a staff member without Apps permission was able to access the Stocky app. We determined that this was because of a bug in Stocky's OAuth authentication code, which allowed the user to be granted access to Stocky at the start of the OAuth process rather than the end. This...
Starbucks: Bulgaria - Subdomain takeover of mail.starbucks.bg
nukedx discovered that the mail.starbucks.bg domain was pointing to a mail service from icn.bg and confirmed that icn.bg did not host this domain. nukedx successfully claimed the subdomain from icn.bg, configured login credentials through the web panel and set up a valid email server. nukedx then...
X (Formerly Twitter): Changing email address on Twitter for Android unsets "Protect your Tweets"
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: Verifying email address on...
Kaspersky: URL Advisor component in KIS products family is vulnerable to Universal XSS
Summary In Microsoft Edge, URL Advisor UI is served as first-party content on every domain. So the XSS vulnerability I found in this UI automatically applies to all websites, it allows running code in the context of any domain. Description URL Advisor frame is located under...
Nextcloud: Possible SSRF in email server settings(SMTP mode)
Description: vulnerable address https://demo.nextcloud.com/xxx/settings/admin/additional; when you change the SMTP server address, you will get some different hints. Reproduce steps: 1. Go to https://demo.nextcloud.com/xxx/settings/admin/additional, choose SMTP mode 2. Set server address to "172.17.1.0, then you...
Uber: Header Injection
Hi Uber, I would like to report an issue on the domain http://m.uber.com. Upon testing some back and forth requests to this domain, I figured out that it is possible to inject arbitrary content into the headers of the requests. Upon increasing the size of the payload in the header, it leads to...
Yahoo!: Yahoo YQL Injection?
Thank you for your submission to Yahoo's Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, this functionality is working as designed. We appreciate your adherence to responsible disclosure guidelines and look forward t...