15369 matches found
Gratipay: clickjacking on https://gratipay.com/on/npm/[text]
Hi team, I found a clickjacking URL at https://gratipay.com/on/npm/here. This clickjacking must be 3 characters and must be 5 numbers entered at this endpoint of the URL. Please fix soon. https://gratipay.com/on/npm/text Steps to reproduce: 1. Go to https://gratipay.com/on/npm/text 2. Check name or number...
Ubiquiti Inc.: HTML Injection on airlink.ubnt.com
Hi, I found an HTML injection vulnerability on airlink.ubnt.com. Steps to reproduce: First go to https://airlink.ubnt.com//ptp. Next, click the Save Simulation button and, as the simulation name, put: "HTMLINJECTIONHERE and save it. Now click the Open Simulation button and you will see the HTML being executed: Your...
New Relic: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
Hi, I am getting in touch to report that cloud.newrelic.com is vulnerable to CVE-2014-3566 (POODLE). Websites that support SSLv3 and CBC-mode ciphers are potentially vulnerable to an active man-in-the-middle (MITM) attack. This attack, called POODLE, is similar to the BEAST attack and also allows a network...
GitLab: SSRF via git Repo by URL Abuse
Hi team, First things first, awesome work with As a PoC I simply port-forwarded port 4444 on my router, started a simple HTTP server and listened on 4444 to check for incoming connections; by doing the steps mentioned above I got a GET request from 40.84.0.225, images for the same are attached...
curl: CVE-2022-27774: Credential leak on redirect
Summary: curl can be coaxed into leaking user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL. Steps To Reproduce: 1. Configure, for example, Apache2 on firstsite.tld to perform a redirect with mod_rewrite: RewriteCond %{HTTP_USER_AGENT} "^curl/" RewriteRule ^/redirectpoc...
Automattic: [intensedebate.com] XSS Reflected POST-Based
Summary: Hello, I have found a reflected POST-based XSS in https://www.intensedebate.com/ajax.php. Vulnerable URL: POST /https://www.intensedebate.com/ajax.php Vulnerable parameter: $_POST['txt']; Payload: azertyuiop Steps to reproduce: 1. Open the xss.html and you will see a JavaScript pop-up. You...
Khan Academy: Login page vulnerable to bruteforce attacks via rate limiting bypass
SUMMARY This report consists of two vulnerabilities. 1st vulnerability: I found out that there is rate limiting in place after 25 failed attempts. Now that is good, but when I use another email address to brute-force, the rate limit didn't carry over to the new email. This may look like a minor issu...
BTFS: frame injection on bittorrent.com
Hi team, headers.php is injectable; you can see it in IE browsers. FULL URL: https://www.bittorrent.com/scripts/site/headers.php?=1586521900793&callback=%3ciframe%20src%3d%22http%3a%2f%2fgoogle.com%2f%3f%22%3e%3c%2fiframe%3e Impact fix them...
CompanyHub: No Rate Limit On forgot Password Leading To Massive Email Flooding
Summary: No rate-limit check on forgot password, which can lead to mass mailing and spamming of users and possibly employees. A little bit about rate limiting: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. ...
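The two reports above (the Khan Academy login limit that reset for every new email address, and the CompanyHub forgot-password endpoint with no limit at all) share one root cause: the counter is keyed on the wrong thing, or on nothing. The following is an added example, not code from either report or either vendor, showing a limiter keyed on both the target account and the client address; the limits, window lengths, addresses and account names are assumptions chosen for illustration.

```python
"""Rate limiting keyed on both the target account and the client address.

Added example, not code from either report. The limits, window sizes and
addresses below are assumptions chosen for illustration.
"""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts events per key inside a rolling window.

    In-memory for the demo; a deployment behind several app servers would back
    this with a shared store so that all nodes see the same counters.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)

    def hit(self, key):
        """Record one event for key; return False once key is over the limit."""
        now = self.clock()
        events = self._events[key]
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class EndpointGuard:
    """Guards one endpoint (login, forgot-password) with two independent keys.

    account_limit caps attempts against a single account (what the login
    endpoint in the first report had); ip_limit caps attempts from a single
    client address regardless of account, which is what closes the
    rotate-the-email bypass and the mass-mailing flood. ip_limit=None
    reproduces the account-only behaviour.
    """

    def __init__(self, account_limit, ip_limit, window_seconds, clock=time.monotonic):
        self.per_account = SlidingWindowLimiter(account_limit, window_seconds, clock)
        self.per_ip = None
        if ip_limit is not None:
            self.per_ip = SlidingWindowLimiter(ip_limit, window_seconds, clock)

    def allow(self, email, ip):
        """True if this request may proceed to the password check / mail sending."""
        # Evaluate both limiters unconditionally so a denied request still
        # counts against the other key.
        account_ok = self.per_account.hit(email.strip().lower())
        ip_ok = self.per_ip.hit(ip) if self.per_ip is not None else True
        return account_ok and ip_ok


def rotate_accounts(guard, ip, attempts):
    """Attacker at one IP spreads attempts over fresh accounts (login bypass).
    Returns how many attempts got through."""
    return sum(guard.allow(f"user{i}@example.com", ip) for i in range(attempts))


def flood_one_account(guard, ip, email, attempts):
    """Attacker hammers one account (forgot-password mail flood).
    Returns how many attempts got through."""
    return sum(guard.allow(email, ip) for _ in range(attempts))


if __name__ == "__main__":
    naive_login = EndpointGuard(account_limit=25, ip_limit=None, window_seconds=900)
    hardened_login = EndpointGuard(account_limit=25, ip_limit=50, window_seconds=900)
    print("naive login, 200 rotated emails:", rotate_accounts(naive_login, "203.0.113.7", 200))
    print("hardened login, 200 rotated emails:", rotate_accounts(hardened_login, "203.0.113.7", 200))

    reset = EndpointGuard(account_limit=3, ip_limit=20, window_seconds=3600)
    print("reset mails to one victim:", flood_one_account(reset, "203.0.113.7", "victim@example.com", 50))
```

The account key is normalised (trimmed, lower-cased) so that case variants of one address do not each get their own budget, and the per-IP counter is charged even when the per-account check already denied the request, otherwise a denied attempt would be free. Per-IP keys alone are not enough against a distributed attacker, so in practice this sits next to a global budget per endpoint and a CAPTCHA or lockout escalation.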
Starbucks: Account take over of 'light' starbuckscardb2b users
This issue was found on https://www.starbuckscardb2b.com; this website belongs to Starbucks and it is a critical vulnerability, so I am reporting this. Issue: An attacker can take over the victim's account by creating a new account using the victim's already-registered email address...
Stripo Inc: Bypass email verification and create email template with the editor
Description: The main purpose of Stripo is to create email templates with the editor that is available in the account, and you are not allowed to open it until you validate your email address. But by modifying the response, I was able to bypass the email verification. Steps To Reproduce:...
Capital One: Apache server-status enabled
Apache /server-status displays information about your Apache status. If you are not using this feature, disable it. GET /server-status HTTP/1.1 Connection: keep-alive Accept: */* Accept-Encoding: gzip,deflate Host: proxy-copp.capitalone.com User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64...
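The status handler is exposed by mod_status and is only as private as the Location block that maps it. As an added example (not configuration from the report or from Capital One), the weak form next to a restricted one; the monitoring address 192.0.2.10 is a placeholder from the documentation range.

```apacheconf
# Weak: anyone who can reach the vhost can read request and worker details.
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>

# Restricted: loopback plus one monitoring host; everyone else gets 403.
# Several Require lines in one block are combined as "any of these".
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 ::1
    Require ip 192.0.2.10
</Location>

# If the page is not used at all, unload the module instead of guarding it
# (Debian/Ubuntu: a2dismod status; then restart apache2).
```

After reloading, confirm from an outside address that GET /server-status returns 403 or 404 rather than 200; an internal proxy hostname in the Host header, as in the request above, is a hint that the check is also worth repeating through every front-end that forwards to the server.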
Node.js third-party modules: Code Injection Vulnerability in zombie Package
I would like to report a code injection vulnerability in zombie. It allows crawled websites to access privileged APIs such as the file system or child process. Module module name: zombie version: 6.1.2 npm page: https://www.npmjs.com/package/zombie Module Description Insanely fast, headless...
Uber: Reflected XSS on multiple uberinternal.com domains
The base parameter of /oidauth/prompt on multiple uberinternal.com subdomains was not sanitized before being reflected into the page body, making it vulnerable to reflected XSS. Additionally, these pages were affected by a clickjacking vulnerability that made exploitation easier, since a click wa...
Internet Bug Bounty: Exim off-by-one RCE vulnerability
Hi, I found an off-by-one in an Exim MTA utility function. It was reported to Exim and an official patch has been released, assigned CVE-2018-6789. This bug affects all versions of Exim. This bug is simple, but can be leveraged to gain remote code execution using skillful heap exploitation. Details are...
Trello: Unpatched (https://hackerone.com/reports/221928) - Unvalidated File Upload to XSS on trello-attachment Bucket
Report no: https://hackerone.com/reports/221928 is unpatched. Poc: https://trello-attachments.s3.amazonaws.com/59663070a9025afc4b32c7c6/596641e05abfc29b1bd67ff8/9c5258c6acf27ffdf5e80d5bfabbb83b/lol.svg XSS Link...
Internet Bug Bounty: PHP INI Parsing Stack Buffer Overflow Vulnerability
Description: A stack buffer overflow exists in the latest stable releases, PHP 7.1.5 and PHP 5.6.30, in the PHP INI parsing API, which may accept network / local filesystem input. On malformed inputs, a stack buffer overflow in zend_ini_do_op could write 1 byte off a fixed-size stack buffer. On...
X (Formerly Twitter): HTTP Response Splitting (CRLF injection) in report_story
Hi, I would like to report an HTTP Response Splitting vulnerability in https://twitter.com/i/safety/report_story that allows attackers to inject arbitrary headers and content into the response. PoC:...
HackerOne: GIF flooding
Current limits: Image size: 1 MB; Image dimensions: 2048x2048px; File types: jpg/png/gif. Another image hack: A GIF composed of 40k 1x1 images made Paperclip freeze until timeout. As attachments I sent the file composed of 40k images, and a screenshot of the...
Mattermost: Bypass Email Verification in Customer Portal
Hi team, hope you are doing well. I found an OTP bypass vulnerability on https://portal.test.cloud.mattermost.com. Summary: I was able to take the OTP that was sent to the victim's email and use it in the attacker's email verification. When I tried this the first time the server logged me out, and the second time...
Zivver: ADB Backup is enabled within AndroidManifest
In this report, it was highlighted that the ADB backup feature enabled in the Android application could be used by an attacker with physical access to the victim's device to 'migrate' data from app storage on the phone and later possibly extract secrets from that backup. For this attack to succee...
Sifchain: mongodb credentials leaked in github
Steps To Reproduce: 1. Go to the values.yaml file. 2. Check from line 23: blockExplorer: args: mongoUsername: "mongodb" mongoPassword: mongoDatabase: "blockexplorer" env: rootURL: "http://localhost:3000" chainnet: "" genesisURL: "" remote: rpcURL: ""...
GitHub Security Lab: LDAP injection vulnerability in Java
This bug was reported directly to GitHub Security Lab...
WordPress: CSRF on comment post
Hi WordPress, I just found a CSRF on comment post. It allows an attacker to make the victim comment on a post. Steps To Reproduce: The attacker sends the victim a link with the content below: history.pushState('', '', '/') Video PoC: F891759 Impact: The attacker makes the victim comment on a post...
DuckDuckGo: DOM XSS on duckduckgo.com search
Hello, There is a DOM XSS vulnerability on https://duckduckgo.com search through the norw parameter. PoC URL: https://duckduckgo.com/?q=a&norw=" Screenshot: F820482 Impact: The attacker can execute JS code...
Open-Xchange: Recursor accepts unsigned, empty NXDOMAINs in secure zones
Hi! This is a slightly edited version of the email I sent to the project's security contacts on 2020-04-21. Open-Xchange confirmed it and asked me to resubmit it here. --- Subject: Recursor may be accepting unsigned, empty NXDOMAINs in secure zones I can easily reproduce this against Cloudflare's...
GitHub Security Lab: CWE-094 ScriptEngine in java
This bug was reported directly to GitHub Security Lab...
RATELIMITED: Information Disclosure on https://theendlessweb.com/
Dear Team, I have found an Information Disclosure vulnerability at https://theendlessweb.com/ Steps to Reproduce: Step 1: https://theendlessweb.com/vendor/composer/installed.json Let me know if you need any additional information. Regards, Dhamu. Impact: This file exposes sensitive information tha...
ok.ru: Cisco ASA Denial of Service & Path Traversal (CVE-2018-0296)
Unpatched CVE-2018-0296 in test Cisco ASA instance enter-test.odkl.ru...
New Relic: Insecure Infrastructure Integrations YML Loading leads to Windows Privilege Escalation
After installing the Windows Infrastructure client as discussed in https://docs.newrelic.com/docs/infrastructure/new-relic-infrastructure/installation/install-infrastructure-windows-server I noticed that integration yml config files are not only loaded from the folder within Program Files, but al...
arxius: another local file disclosure via ffmpeg
Summary: The fix for https://hackerone.com/reports/242831 can be easily bypassed. It looks like you've banned the file:// substring, which is not enough. Repro steps: 1. Download the attached genavi.py and run the script like this: python3 genavi.py /etc/passwd mustsandboxffmpeg.avi.mp4. 2. Visit...
Internet Bug Bounty: Roundcube virtualmin privilege escalation (CVE-2017-8114)
Description: The Password plugin's virtualmin driver allows an attacker who has a valid username/password to log in to his web panel to execute malicious inputs. This could allow an attacker to reset a victim's password and, in some scenarios, get a system shell. CVE: CVE-2017-8114 Details...
U.S. Dept Of Defense: Path traversal on ████████
Summary: The web application hosted on the "█████████" domain is affected by a path traversal vulnerability that could permit an attacker to include arbitrary files that are outside of the restricted directory. Description: The affected handler is "/html/js/editor/editor.jsp". This handler...
CS Money: Authentication Bypass to (CVE-2023-2982)
An authentication bypass vulnerability was discovered in an older version of the WordPress plugin WordPress Social Login and Register Discord, Google, Twitter, LinkedIn...
Nextcloud: Nextcloud Desktop Client RCE via malicious URI schemes
Nextcloud Desktop utilizes Qt's QDesktopServices::openUrl to open URLs. This function invokes the OS'/desktop environment's default application to handle the URI scheme and file extension. During the Nextcloud Add Account flow, the server's login website is opened within a native window/WebView...
Brave Software: Brave Browser potentially logs the last time a Tor window was used
Summary: A vulnerability in the Brave Browser allows an attacker to view the last time a Tor session was used in incognito mode. A local, on-disk attacker could read the Brave Browser's "Local State" json file and identify the last time a Tor session was used, affecting the confidentiality of a...
Mail.ru: Broken twitter link hijacking at https://games.mail.ru/pc/search/
Link on https://games.mail.ru/pc/search/ page was pointing to invalid twitter account...
GSA Bounty: Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint
Summary: Due to improper route handling, multiple malicious actions are possible. The attacker is able to call Class/Function/Param1/Param2 directly from source code; this may lead to calling a function that should not be accessible from the GUI. Any Class from...
Stripo Inc: Blind SSRF while Creating Templates
Blind SSRF While Creating Email Templates...
Moneybird: Enable 2FA without verifying the email
Description: I was able to add 2FA to my account without verifying my email. Attack scenario: 1. The attacker signs up with the victim's email; an email verification is sent to the victim's email. 2. The attacker is able to log in without verifying the email. 3. The attacker adds 2FA. Impact: The victim can't register an account wit...
Open-Xchange: [XSS] content_disposition=inline in files
Hi. No filter for application/ when content_disposition=inline. PoC: 1. Auth https://sandbox.open-xchange.com/ajax/share/021f28560fbe7d5b21f28d3fbe7d42379932c8eb965ee141/1/8/NTc/NTcvMzQ4 2. XSS...
Adobe: Main Domain Takeover at https://www.marketo.net/
Resolved valid subdomain takeover report on Marketo. We appreciate the collaboration with the researcher...
Internet Bug Bounty: CVE-2022-27774: Credential leak on redirect
Summary: curl/libcurl can be coaxed into leaking user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL. Steps To Reproduce: 1. Configure, for example, Apache2 on firstsite.tld to perform a redirect with mod_rewrite: RewriteCond %{HTTP_USER_AGENT} "^curl/" RewriteRule ^/redirectpoc...
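Both CVE-2022-27774 entries above (the curl report and its Internet Bug Bounty duplicate) describe the same class of bug: credentials supplied for one origin are re-sent to whatever origin a Location header names. The following added example is not curl's code or its fix; it models a client that follows redirects under two policies, the leaking one and a same-origin one, against a constructed response table standing in for the mod_rewrite setup in the report. The hostnames firstsite.tld and attacker.example and the credential pair are assumptions.

```python
"""Decide whether supplied credentials may follow a redirect.

Added example, not curl's code or fix. The hostnames and the response table
below are constructed for the demo.
"""
from urllib.parse import urljoin, urlsplit

# Default ports per scheme so that https://a.tld and https://a.tld:443 compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ftps": 990}


def origin_of(url):
    """(scheme, host, port) triple used to compare where credentials may go."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def forward_always(request_url, location, credentials):
    """Policy that reproduces the reported leak: whatever the Location header
    says, the credentials attached to the first request ride along."""
    return urljoin(request_url, location), credentials


def forward_same_origin(request_url, location, credentials):
    """Policy that keeps credentials bound to the origin they were given for.
    A redirect to another scheme, host or port is followed without them."""
    target = urljoin(request_url, location)
    if origin_of(target) == origin_of(request_url):
        return target, credentials
    return target, None


def run_chain(start_url, credentials, responses, policy, max_hops=5):
    """Follow Location headers from a constructed `responses` table
    ({request_url: location_or_None}) and return the (url, credentials)
    pair actually sent for every hop."""
    sent = []
    url, creds = start_url, credentials
    for _ in range(max_hops):
        sent.append((url, creds))
        location = responses.get(url)
        if location is None:
            break
        url, creds = policy(url, location, creds)
    return sent


# Constructed stand-in for the Apache mod_rewrite setup in the report:
# firstsite.tld answers the PoC path with a redirect to an attacker's FTP host.
RESPONSES = {
    "https://firstsite.tld/redirectpoc": "ftp://attacker.example/",
    "https://firstsite.tld/login": "/account",  # same-origin hop for comparison
}

if __name__ == "__main__":
    creds = ("alice", "s3cret")
    for name, policy in (("vulnerable", forward_always), ("hardened", forward_same_origin)):
        for url, sent_creds in run_chain("https://firstsite.tld/redirectpoc", creds, RESPONSES, policy):
            print(f"{name}: {url} -> credentials sent: {sent_creds}")
```

The same-origin rule here is deliberately stricter than "same host": a redirect from https to http, or to a different port, on the same host also drops the credentials, since the transport or the listening service has changed. Relative Location values are resolved against the request URL before the comparison, so a relative redirect within the site keeps working.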
GitHub Security Lab: [Java] CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
This bug was reported directly to GitHub Security Lab...
Sifchain: Information disclosure on Sifchain
Summary: Hello Team, I have found user/admin usernames disclosed. Using the REST API, we can see all the WordPress users/authors with some of their information, such as id, name, login name, etc., and employees of Sifchain, without authentication on https://sifchain.finance/ Steps To Reproduce: You can...
U.S. Dept Of Defense: SSRF due to CVE-2021-27905 in www.████████
Apache Solr is vulnerable to SSRF using the parameter "masterUrl". This issue is registered as CVE-2021-27905. Impact A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end syste...
Stripo Inc: Bypass of #1047119: Missing Rate Limit while creating Plug-Ins at https://my.stripo.email/cabinet/plugins/
Summary: I have found a bypass for the report https://hackerone.com/reports/1047119. It seems that a proper fix was not issued, therefore the issue still remains. Steps To Reproduce: 1. Create a Plug-In and capture the request. 2. Send this to Intruder. 3. Follow the rest in the Video PoC. PoC Video...
Snapchat: Leaked JFrog Artifactory username and password exposed on GitHub - https://snapchat.jfrog.io
Researcher found valid JFrog credentials which were committed to a public GitHub repository of a Snap employee. This allowed access to internal Snap libraries/artifacts along with the ability to push updates to existing artifacts as well...
U.S. Dept Of Defense: Subdomain takeover of ████
Summary: I was able to claim the subdomain: ████ using Microsoft Azure CDN profiles Description: Impact Platforms Affected: Subdomain Azure CDN Step-by-step Reproduction Instructions 1. Using dig, I was able to determine that the subdomain '███████' was vulnerable to takeover. The record showed...
Node.js third-party modules: Trojan:JS/CoinMiner in npm files
Hello, I am a front end developer and use Vue.js and Visual Studio Code and have had an issue recently with scripts not running in my terminal so decided to fault find. All programmes that I can think of are up to date, and today I decided to do a full windows defender scan and found the above...