15371 matches found
Zomato: [Zomato Android/iOS] Theft of user session
Hi, I'd like to report a bug which allows theft of user data even without installing third-party apps. The Activity XML is exported, and can be accessed by a browser. When any WebView in a client app, or a browser, meets a zomato://etc URL it will automatically launch the Zomato app. File...
Semrush: XXE in Site Audit function exposing file and directory contents
Summary: The Project Site Audit function is vulnerable to XXE when parsing sitemap.xml files. Description: The Site Audit function spiders a given website and performs analysis on the discovered pages. In order to improve website spidering the URL of a sitemap.xml file can be provided. If provide...
HackerOne: Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session
Hi guys, I have found a way to use the open redirect vulnerability that Zendesk refused to fix, and which we discussed in 101146, to bypass the interstitial redirect. In 101146, @bencode said: I tend to agree with Zendesk, we don't really see any security issues with it. We use our interstitial to warn t...
Phabricator: Back - Refresh - Attack To Obtain User Credentials
A back-refresh attack is an attack which enables an adversary to obtain application credentials by going back to the previous page and re-submitting the expired document. How to perform: 1. Register at https:///auth/register/ 2. Once registered, press "Back" on the browser window. Now you'll see the...
MTN Group: Firebase Database Takeover in https://pulseradio.mtn.co.ug/
Summary: During my test, on one of the subdomains of mtn.co.ug I found the Firebase configuration disclosed in the source code along with the apiKey and database URL. By exploiting this vulnerability an attacker is able to upload malicious data into the Firebase account of pulseradio.mtn.co.ug and see database...
FetLife: Stored XSS via Angular Expression injection via Subject while starting conversation with other users.
The reporter pointed out that the Subject field for sending private messages using FetLife's onsite chat was vulnerable to a stored XSS exploit, allowing people to execute potentially malicious content on the receiving end of the message...
HackerOne: Blind Stored XSS in HackerOne's Sal 4.1.4.2149 (sal.████.com)
The page located at https://sal.██████.com/list/Activity/hour/all/0/ suffers from a Cross-site Scripting (XSS) vulnerability when a user has set their hostname on their machine to an XSS payload. Vulnerable Page https://sal.██████.com/list/Activity/hour/all/0/ Victim IP Address ███████ Referer...
U.S. Dept Of Defense: Reflected XSS in https://www.█████/
Hello Security Team, I would like to report the XSS vulnerability on your system. Steps To Reproduce: Visit the following POC link and move your mouse all over the index page: https://www.████/Z%22onmouseover=alert%60%60%20%22/████████/█████.aspx 1. Tested on Firefox browser: ███████ 2. Tested on Googl...
GSA Bounty: Limited LFI
Summary: Due to improper parameter sanitization, local file inclusion is possible. The LFI is limited as we were not able to truncate the end of the string. Description: The application root is located at /var/www/dashboard/new/public. Due to URL manipulation we are able to read files from...
Mail.ru: [icq.im] Reflected XSS via chat invite link
Insufficient filtering in icq.im allowed reflected XSS via invite link...
Django: Email Spoofing Possible on djangoproject.com Email Domain
Summary: Due to lacking a SPF and DMARC record it is possible to spoof emails from djangoproject.com. This could potentially be used to trick employees, customers or clients via phishing emails. Description: Mail servers rely on both SPF and DMARC to properly deal with email spoofing. SPF shows...
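The report above rests on two DNS records. As an added example (not part of the report and not djangoproject.com's actual records), the following Python evaluates a domain's SPF `all` qualifier and DMARC `p=` policy the way a receiver would, over constructed TXT records for three made-up domains; a real check would replace `sample_resolver` with a DNS TXT lookup.

```python
"""Check whether a domain's SPF/DMARC records leave it spoofable (added example)."""
import re

# Constructed TXT records for three made-up domains; nothing here is a real lookup.
SAMPLE_TXT = {
    "strict.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "soft.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    "bare.example": [],                      # no SPF at all, and no _dmarc record either
}

def sample_resolver(name):
    """Stand-in for a TXT lookup; returns [] when the name has no TXT records."""
    return SAMPLE_TXT.get(name, [])

def spf_record(txts):
    """Exactly one v=spf1 record is valid (RFC 7208 section 3.2); 0 or >1 means no usable SPF."""
    recs = [t for t in txts if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def spf_all_qualifier(spf):
    """Qualifier on the terminal 'all' mechanism: '-' fail, '~' softfail, '?' neutral,
    '+' pass (also the default when no qualifier is written); None if 'all' is absent."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or "+"

def dmarc_policy(txts):
    """The p= tag of the v=DMARC1 record, lowercased, or None if there is no record."""
    for t in txts:
        if t.lower().startswith("v=dmarc1"):
            tags = {}
            for kv in t.split(";"):
                if "=" in kv:
                    k, v = kv.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags.get("p", "").lower() or None
    return None

def assess_domain(domain, resolve=sample_resolver):
    """Return a list of findings; an empty list means SPF hard-fails unlisted senders
    and DMARC tells receivers to reject unaligned mail."""
    findings = []
    spf = spf_record(resolve(domain))
    if spf is None:
        findings.append("no usable SPF record: any host may send as this domain")
    else:
        q = spf_all_qualifier(spf)
        if q in (None, "+", "?"):
            findings.append(f"SPF does not fail unlisted senders (all qualifier {q!r})")
        elif q == "~":
            findings.append("SPF softfail only: receivers typically still deliver")
    policy = dmarc_policy(resolve(f"_dmarc.{domain}"))
    if policy is None:
        findings.append("no DMARC record: the From: header is unprotected")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    return findings

if __name__ == "__main__":
    for d in ("strict.example", "soft.example", "bare.example"):
        print(d, assess_domain(d) or ["ok"])
```

Note the caveat the report's summary glosses over: SPF alone only covers the envelope sender, so without a DMARC policy of `quarantine` or `reject` a forged `From:` header still reaches the inbox even when SPF hard-fails.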
Semrush: Remote Code Execution on www.semrush.com/my_reports on Logo upload
The Logo upload in the report constructor at: https://www.semrush.com/myreports/constructor F340480 is passed through a not properly patched version of ImageMagick. You can use PostScript to get Ghostscript to run, which in turn allows triggering arbitrary commands on the server, leading to Remo...
Internet Bug Bounty: Linux kernel: CVE-2017-6074: DCCP double-free vulnerability
Hi! CVE-2017-6074 is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain kernel code execution from an unprivileged process. The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability to be present. A lot of modern distributions enable this option by...
AlienVault: Public .htaccess/.htpasswd/.canvas files lead to password disclosure.
I am a big fan of fuzzing/bruteforcing. After my last submission 288533 on http://data.alienvault.com, I decided to go further. After some bruteforcing I came across this directory which looked kind of interesting to me: http://data.alienvault.com/snort/ When you try to access the directory you will ge...
Semrush: Email Spoofing
Hey SemRush, It appears that spoofed email can be sent from 1 of your emails. The following email is vulnerable: [email protected] Information: Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source...
Palantir Public: SQL Injection at https://files.palantir.com/ due to CVE-2021-38159
A vulnerability was discovered in an Internet-facing asset files.palantir.com. A proof of concept POC was developed and used to validate the finding. The vulnerability was patched and resolved. Blog about this vulnerability published. You can read full detail here:...
Omise: The endpoint '/test/webhooks' is vulnerable to DNS Rebinding
Summary: DNS rebinding attack is a method of switching the resolution of domain names as wished by the attacker. The aim is to lure the web app to a different IP address/host. In this attack, and particularly in our case, a malicious server will first perform a domain name resolution to the IP...
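The defence against the attack described above is to validate the address you actually connect to, not the one you looked up a moment earlier. As an added example (not Omise's code), the Python below models a rebinding DNS answer with a constructed resolver and contrasts "validate, then hand the hostname to the HTTP client" with "resolve once, validate, connect to that literal IP and send the Host header yourself". The hostname and addresses are placeholders.

```python
"""Pin the validated DNS answer to defeat rebinding (added example)."""
import ipaddress

def is_forbidden_address(ip_str):
    """Reject loopback, RFC 1918, link-local (which covers 169.254.169.254), multicast,
    reserved and unspecified addresses; a webhook target must be on the public Internet."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

class RebindingResolver:
    """Constructed stand-in for attacker-controlled DNS with a very low TTL:
    the first lookup returns a public address, every later lookup an internal one."""
    def __init__(self, first_answer, later_answer):
        self.first, self.later = first_answer, later_answer
        self.lookups = 0

    def __call__(self, hostname):
        self.lookups += 1
        return self.first if self.lookups == 1 else self.later

def vulnerable_connect_target(hostname, resolve):
    """Validate-then-connect-by-name: the HTTP client resolves the name again,
    so the address it really connects to is not the one that was checked."""
    if is_forbidden_address(resolve(hostname)):
        raise ValueError("refusing internal address")
    return resolve(hostname)          # second lookup: what the client actually uses

def pinned_connect_target(hostname, resolve):
    """Resolve once, validate that answer, and connect to that literal IP while
    sending Host: hostname. Returns the (ip, host_header) pair to use."""
    ip = resolve(hostname)
    if is_forbidden_address(ip):
        raise ValueError("refusing internal address")
    return ip, hostname

if __name__ == "__main__":
    # Placeholder public answer and the internal address the attacker rebinds to.
    print(vulnerable_connect_target("hook.attacker.example", RebindingResolver("8.8.8.8", "127.0.0.1")))
    print(pinned_connect_target("hook.attacker.example", RebindingResolver("8.8.8.8", "127.0.0.1")))
```

Two things the pinned variant still needs in a real client: re-run the same check on every HTTP redirect (a 302 to http://127.0.0.1/ is the other classic way into the internal network), and pass the original hostname to the TLS layer for SNI and certificate verification, since you are now connecting to an IP literal.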
GitHub Security Lab: [Python]: Add SqlAlchemy support for SQL injection query
This bug was reported directly to GitHub Security Lab...
Ruby: imap: StartTLS stripping attack (CVE-2016-0772).
net/imap does not seem to raise an exception when the remote IMAP server fails to respond with a tagged response NO/BAD or OK to an explicit call of imap.starttls. This may allow a malicious MITM to perform a STARTTLS stripping attack if the client code does not explicitly set usessl = true on...
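What the fix for this class of bug has to do is small but easy to get wrong: after sending STARTTLS, the client must refuse to continue unless the server's tagged response is OK. As an added example (not Ruby's net/imap code), the Python below parses IMAP tagged responses and drives the STARTTLS exchange against two constructed transports, an honest server and a stripping man-in-the-middle that answers NO or never sends the tagged line.

```python
"""IMAP STARTTLS: require a tagged OK before switching to TLS (added example)."""

class StartTlsRefused(Exception):
    """Raised when the server does not answer STARTTLS with a tagged OK."""

def parse_tagged_status(tag, lines):
    """Return the status ('OK', 'NO' or 'BAD') of the response line carrying `tag`,
    or None if no such tagged response is present. Untagged lines ('*') and
    continuation requests ('+') are ignored."""
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0] == tag:
            status = parts[1].upper()
            if status in ("OK", "NO", "BAD"):
                return status
    return None

def negotiate_starttls(tag, send, recv_lines):
    """Send STARTTLS and return True only when the tagged response is OK, at which point
    the caller may wrap the socket in TLS. Anything else raises instead of silently
    continuing in cleartext, which is the behaviour the report describes."""
    send(f"{tag} STARTTLS\r\n")
    status = parse_tagged_status(tag, recv_lines(tag))
    if status != "OK":
        raise StartTlsRefused(f"server answered {status!r} to STARTTLS; not continuing in cleartext")
    return True

# Constructed transports standing in for a socket.
class HonestServer:
    def __init__(self):
        self.sent = []
    def send(self, data):
        self.sent.append(data)
    def recv_lines(self, tag):
        return [f"{tag} OK Begin TLS negotiation now"]

class StrippingMitm:
    """Answers STARTTLS however the attacker likes (NO, BAD, or no tagged line at all)
    so that a careless client keeps talking in the clear."""
    def __init__(self, reply):
        self.reply = reply
    def send(self, data):
        pass
    def recv_lines(self, tag):
        return self.reply(tag)

def client_starts_tls(transport, tag="A001"):
    """True if the client would start TLS; False if it correctly refused to continue."""
    try:
        return negotiate_starttls(tag, transport.send, transport.recv_lines)
    except StartTlsRefused:
        return False

if __name__ == "__main__":
    print(client_starts_tls(HonestServer()))
    print(client_starts_tls(StrippingMitm(lambda t: [f"{t} NO STARTTLS not supported"])))
```

The check only helps a client that issues STARTTLS unconditionally; a client that first asks CAPABILITY and skips STARTTLS when the (attacker-editable) capability list omits it is stripped without ever reaching this code, which is why the report also points at the usessl setting.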
Open-Xchange: Null dereference or redundant null check in `mail_crypt_load_global_private_key` for plugin mail-crypt
In this function, we check once if error_r is not NULL in `if (enc_type == DCRYPT_KEY_ENCRYPTION_TYPE_PASSWORD) { /* Fail here if password is not set since openssl will prompt for it otherwise */ if (key_password == NULL) { if (error_r != NULL) *error_r = t_strdup_printf("%s: %s unset, no " "password to decrypt the key", ...`
Node.js third-party modules: [Uppy] Internal Server side request forgery (bypass of #786956)
I would like to report Internal Server-side request forgery in Uppy It allows the attacker to easily extract information from internal servers Module module name: Uppy version:1.15.0 npm page: https://www.npmjs.com/package/uppy Module Description Uppy is a sleek, modular JavaScript file uploader...
Staging.every.org: Flaw in Change Email https://youtu.be/MMvlcHIGs2A
See https://youtu.be/MMvlcHIGs2A...
Shopify: CSRF on connecting Paypal as Payment Provider
Hi, I think there is a weak CSRF protection on adding PayPal as the payment provider, but the protection is not good. When a user tries to add PayPal as payment provider, they will make this GET request...
h1-ctf: [h1-415 2020] My writeup on how to retrieve the special secret document
Summary: An attacker without any privilege is able to retrieve the special secret document, hosted on the https://h1-415.h1ctf.com website. To do so, multiple steps are required : 1. The authentication must be bypassed to have a licensed account; 2. The support team portal is vulnerable to a blin...
Semrush: Reflected XSS using Header Injection
Host : www.semrush.com Path : /billing-admin/profile/subscription/?l=de Payload : c5obc'+alert(1)+'p7yd5 Steps to reproduce : Request Header : GET /billing-admin/profile/subscription/?l=de HTTP/1.1 Host: www.semrush.com Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0;...
Gratipay: Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain
Good evening team! This is a theoretical risk but I thought it was still worth reporting since every endpoint and any data flowing through inside.gratipay.com is unencrypted. POC https://inside.gratipay.com And every sub directory under inside.gratipay.com. Description Since the certificate is on...
ExpressionEngine: Type Juggling -> PHP Object Injection -> SQL Injection Chain
Justin Kennedy identified a Type Juggling vulnerability in ExpressionEngine that allowed access to unserialize using user supplied data, ultimately achieving SQL Injection. The full details of this vulnerability can be found here:...
LocalTapiola: Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback)
Issue This report contains information about a vulnerability in NovaStor NovaBACKUP DataCenter backup software. Fix There is no immediate fix. LähiTapiola has internal network controls in place for mitigation. Reasoning The report is partially out of scope as the software in question is not...
Internet Bug Bounty: CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example
airflow-2.3.3/airflow/example_dags/example_bash_operator.py has a command injection vulnerability. I can control the run_id in the following code in example_bash_operator.py, so I can inject custom commands. also_run_this = BashOperator(task_id='also_run_this', bash_command='echo "run_id={{ run_id }} | dag_run={{ dag_run }}"'...
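The root cause is that a user-chosen value is spliced into a string that bash will parse. As an added example (not Airflow's code), the Python below models the templating with a plain string substitution so it runs without Airflow or Jinja, shows that a run_id containing a double quote and a semicolon turns one `echo` into three commands, and contrasts it with a constant command that reads the value from the environment. The `RUN_ID` variable name and the payload are constructed for the example.

```python
"""Interpolating a templated value into bash_command vs passing it via env (added example)."""
import shlex

# Models the example DAG's line bash_command='echo "run_id={{ run_id }}"'; the Jinja
# substitution is replaced by str.replace so the example runs without Airflow.
VULNERABLE_TEMPLATE = 'echo "run_id={{ run_id }}"'

def render_vulnerable(run_id):
    """What bash receives after templating: the value becomes part of the command line,
    so quote characters and separators inside it are interpreted as shell syntax."""
    return VULNERABLE_TEMPLATE.replace("{{ run_id }}", run_id)

def render_safe(run_id):
    """Hardened variant: a constant command that reads the value from an environment
    variable (BashOperator accepts an env= mapping), so no run_id content is ever
    parsed as shell syntax. Returns (command, env)."""
    return 'echo "run_id=$RUN_ID"', {"RUN_ID": run_id}

def count_shell_commands(cmd):
    """Count top-level ';'-separated commands. shlex with punctuation_chars=True emits
    ';' as its own token only when it is outside quotes, mirroring what bash does."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lex if tok == ";")

# Constructed attacker-controlled run_id (in Airflow it is chosen when a DAG run is triggered).
PAYLOAD = 'x"; id; echo "'

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD), "->", count_shell_commands(render_vulnerable(PAYLOAD)), "commands")
    cmd, env = render_safe(PAYLOAD)
    print(cmd, env, "->", count_shell_commands(cmd), "command")
```

Note that wrapping the value in `shlex.quote` would not have helped here: the template already places the value inside double quotes, and a single-quoted string still contains the `"` that closes them.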
XVIDEOS: Script breaking tag (Forces website to render blank) (Informative)
Summary: This is a bug affecting core HTML and JS elements on the site via Search. Steps To Reproduce: 1. Open https://www.xvideos.com 2. Click to search, enter payload= "" without quotes 3. Hit enter or search, watch the page break and not load any content (content is loaded in console, renders pag...
Node.js: Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: "rejectUnauthorized: false"...
curl: Inadequate Cryptographic Key Size and Insecure Cryptographic Mode. File Name :- curl_ntlm_core.c
The application is generating cryptographic keys or key pairs using a short and inadequate length. This application is using the ECB (Electronic Codebook) mode of operation to perform encryption, which is considered semantically insecure. Vulnerable file name: curl_ntlm_core.c Vulnerable line no. 2...
Khan Academy: CSV Injection Via Student Password/Name Leads To Client Side RCE And Reading Client Files
Insufficient CSV escaping could result in our site generating an unsafe CSV file for an end user under certain conditions. See the reporter's summary for more. Two CSV Injection Issues Were Discovered On Khan's Teacher CSV Export Function, That Could Allow Client Side Remote Code Execution, And...
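The export side can neutralise this without knowing which spreadsheet will open the file. As an added example (not Khan Academy's code), the Python below applies the usual fix to a constructed teacher export: any cell that a spreadsheet would evaluate as a formula (leading `=`, `+`, `-`, `@`, tab or newline, ignoring leading spaces) is prefixed with a single quote, and every cell is quoted so the prefix survives the CSV layer.

```python
"""Neutralise spreadsheet formula injection in CSV exports (added example)."""
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")

def escape_csv_cell(value):
    """Prefix would-be formulas with a single quote so the spreadsheet shows them as text.
    Leading spaces are skipped because spreadsheets ignore them before the trigger."""
    s = "" if value is None else str(value)
    if s.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + s
    return s

def export_csv(rows, header):
    """Write rows with every cell quoted; quoting keeps the prefix and internal
    quotes intact, and stops a cell from smuggling in a new field or record."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(header)
    for row in rows:
        w.writerow([escape_csv_cell(c) for c in row])
    return buf.getvalue()

# Constructed export rows; the second "student" put a formula into the name field.
SAMPLE_ROWS = [
    ("Alice", "s3cr3t-pw"),
    ('=HYPERLINK("http://evil.example/", "Open")', "pw"),
    ("  @mention", "pw"),
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, ("name", "password")), end="")
```

The caveat practitioners should know: the quote prefix is visible to the user, and values that legitimately start with `-` or `+` (phone numbers, negative figures) get it too; if that matters, escape only string columns or export such columns as numbers.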
Mail.ru: Bypass OTP on contact back request at https://driver.city-mobil.ru/
It was possible to bypass phone verification for support call back request...
Starbucks: Default credentials for the temporary POC site alipoc.stg.starbucks.com.cn permitted WAF bypass and RCE
neweq discovered that a temporary proof of concept site alipoc.stg.starbucks.com.cn was initially configured with default credentials for a brief period of time before being taken offline. @neweq — thank you for reporting this vulnerability and for confirming the resolution...
Monero: Exploiting Network and Timing Side-Channels to Break Monero Receiver Anonymity
Summary: We present various examples of side-channel leakage in the communication between a Monero wallet and P2P node. Communication patterns and timing leak whether the wallet is the payee of a transaction that is sent into the transaction pool or mined in a block—thereby breaking transaction...
Internet Bug Bounty: Improper handling of Chunked data request in sapi_apache2.c leads to Reflected XSS
Hey, Chunked requests can trigger XSS and HTML injection at any endpoint because the APR_BRIGADE_INSERT_TAIL(brigade, bucket) is getting destroyed by other handlers. Affected versions: Any OS: Any https://bugs.php.net/bug.php?id=76 Prashanths-MacBook-Pro: prashanthvarma$ nc localhost 80 POST /lol.php...
Grab: Leaking sensitive information on Github lead full access to all Grab Slack channels
Summary: Accidental leakage of secret keys in such code repositories is a real problem. After my report 387117, I decided to dig deeper than the previous report and, by looking at some random profiles on GitHub and doing some dirty work, I was able to access the developer's company's internal chat...
U.S. Dept Of Defense: SOAP WSDL Parser SQL Code Execution
Summary: SOAP WSDL Parser SQL Code Execution Description: It was possible to parse WSDL resources and read all functions from the SOAP Admin Panel, therefore I was able to repeat the SQL query with a tampered request with my own custom SQL command. I was able to extract all the database names for...
Node.js third-party modules: [markdown-pdf] Local file reading
I would like to report local file reading in markdown-pdf. It allows inserting malicious HTML code, which allows reading local files. Module module name: markdown-pdf version: 8.1.1 npm page: https://www.npmjs.com/package/markdown-pdf Module Description Node module that converts Markdown fil...
HackerOne: Invitation token leaks to https://bat.bing.com
Summary Invitation page contains iframes that points to https://b5s.hackerone-ext-content.com/!/invitations/ and https://a4l.hackerone-ext-content.com/!/invitations/. A GET request to these endpoints executes a script that points to https://bat.bing.com/bat.js. The corresponding request to bing...
Ubiquiti Inc.: HTML Injection on airlink.ubnt.com
Hi, I found an HTML injection vulnerability on airlink.ubnt.com. Steps to reproduce: First go to: https://airlink.ubnt.com//ptp Next click the Save Simulation button and as simulation name put: "HTMLINJECTIONHERE and save it. Now click the Open Simulation button and you will see the HTML being executed: Your...
GitLab: SSRF via git Repo by URL Abuse
Hi team, First things first, awesome work with As a PoC I simply port forwarded port 4444 on my router, started a simple HTTP server and listened on 4444 to check for incoming connections. By doing the steps mentioned above I got a GET request from 40.84.0.225; images for the same are attached...
Informatica: [oneclickdrsfdc-test.informatica.com] Tomcat Example Scripts Exposed Unauthenticated
Issue The consultant identified that there is an unauthenticated installation of apache tomcat installed on the affected host. This particular installation has the /examples directory exposed which contains several scripts that execute server side code, these scripts can also be leveraged to carr...
Mars: CVE-2022-21371: Oracle WebLogic Server Local File Inclusion
A vulnerability was identified in Oracle WebLogic Server's Web Container component. Affected versions included ██████████, ██████████, ██████████, and ██████████. The vulnerability could be exploited by an unauthenticated attacker over HTTP, potentially leading to unauthorized access to critical...
Internet Bug Bounty: CVE-2023-28319: UAF in SSH sha256 fingerprint check
A use-after-free vulnerability was found in libcurl's SSH server public key verification feature, affecting versions 7.81.0 to 8.0.1. When the verification check failed, libcurl would free the memory for the fingerprint before returning an error message containing the now-freed hash, potentially...
curl: CVE-2023-28321: IDN wildcard match
An improper validation of a certificate with host mismatch vulnerability was found in curl/libcurl, which allowed an attacker to perform a man-in-the-middle attack. The vulnerability was caused by the use of wildcards for validation during TLS communication, even if the hostname is an IDN. This...
Sifchain: SSH server due to Improper Signature Verification
I found that you are using golang.org/x/[email protected] which has a vulnerability that was fixed in this version golang.org/x/[email protected] but that vulnerability is: golang.org/x/crypto/ssh is an SSH client and server Version...
Nextcloud: Webauthn tokens are not removed on user deletion
1. userA has an account on serverA 2. userA enables passwordless login (webauthn) and registers a key/device 3. userA is removed from the system 4. a new user comes along and gets assigned userA as id 5. the old userA tries to login with their key 6. the old userA can see all data of the new userA...
Informatica: Login to marketplace panel on enablement.informatica.com
Hello dear support, I have found an issue: you can log in to the panel with any password and username. F1163976 URL: https://enablement.informatica.com/marketplace/ F1163979 Impact: Can gain access to the admin panel...