15305 matches found
Uber: SQL Injection on sctrack.email.uber.com.cn
Hi Uber Security team, I just traveled to China, and when I called Uber in China I received an advertisement mail from Uber. I found that the unsubscribe link is different from the original unsubscribe link, and there is a SQL injection under the unsubscribe link. You can see where to find the unsubscri...
Gratipay: PHP 5.4.45 is Outdated and Full of Performance-Interrupting Arbitrary Code Execution Bugs
Your PHP version is affected by quite a few remote arbitrary code execution, remote file renaming, and remote file rewriting bugs that require no authentication and can cause big problems, from performance interruptions and messing with server files to DoS attacks. These are not related to any...
U.S. Dept Of Defense: Leaks of username and password leads to CVE-2018-18862 exploitation
A set of credentials for a BMC Remedy ITSM system were publicly exposed and leaked, allowing an attacker to access the system with the rights of these users. The vulnerability, CVE-2018-18862, was exploited through incorrect access control, potentially allowing the attacker to list roles and...
inDrive: inDriver Job - Admin Approval Bypass
A vulnerability was discovered in the "inDriver Job" application that allowed an attacker to bypass the admin approval process for publishing job offers. This vulnerability enabled the attacker to publish arbitrary content without undergoing the necessary moderation step...
Expedia Group Bug Bounty: Open Redirect in Logout & Login
An open redirect vulnerability was discovered in the logout and login functionality of Expedia's website. An attacker could exploit this vulnerability by manipulating the "rurl" parameter in the logout URL to redirect users to a malicious website, potentially leading to phishing or social...
Internet Bug Bounty: CVE-2022-45402: Apache Airflow: Open redirect during login
In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's /login endpoint. my initial email to [email protected]: Hi, In Apache Airflow, there is a parameter "next" on the Login page. And after a successful login, we're redirected to this parameter's value. I see...
Sifchain: A password in plain text in conf file
I found a password in plain text in \sifnode-develop\ui\e2e\config.js in the source code. password: "coolguy21" Impact I don't actually know how this affects things, but passwords in plaintext are always dangerous...
Nextcloud: Default Nextcloud allows http federated shares
1. userA on serverA runs on http only 2. userA sends a federated share to userB on serverB 3. userB is a normal user, so he has no clue that no secure transport is used and accepts the share 4. all the data written to and read from the share is now no longer protected by TLS Impact While maybe a bit far...
Sixt GmbH & Co. Autovermietung KG BBP: Cross domain token leakage via Referer header
Summary: The password reset link of user account on critical sixt+ domain/product can be obtained using the page https://www.sixt.com/php/profile/loginorpasswordforgotten. This page requires email address and surname/lastname of the user to send password reset link on email. This link contains th...
Node.js: DNS Max Responses for DOS
See my GitHub issue: https://github.com/nodejs/node/issues/36063 When I try to fetch the A DNS records of the following domain: ticbrasil.com.br I don't get any response. I think that's the case because there are over 1300 responses. Version: v12.18.4, v14.15.0 Platform: 64-bit Windows 10 Pro &...
GitLab: Adding everyone to the repo due to the lack of rate limit
Summary Since there is no rate limit on the invite-users-to-the-repository section, it is possible to add all users on GitLab to a repository. Steps to reproduce Step-by-step guide to reproduce the issue, including: 1. Create a repository 2. Go to the project members section 3. Choose a random...
Endless Group: XSS on https://fax.pbx.itsendless.org/ (CVE-2017-18024)
Summary: Hello Endless Hosting, I found an XSS on https://fax.pbx.itsendless.org/ . This domain is running AvantFax software 3.3.6. However, the exploit of CVE-2017-18024 for version 3.3.3 works on that version too. Here is the exploit code of CVE-2017-18024: history.pushState('', '', '/'...
h1-ctf: [H1-2006 2020] CTF Writeup
Summary: Multiple Vulnerabilities leading to full account takeover and access to restricted functions 1. Information Disclosure 2. Login 2FA Bypass 3. SSRF 4. Hardcoded validation 5. Sensitive information disclosure 6. Privilege Escalation 7. Payments 2FA Bypass through SSRF Steps To Reproduce: 0...
PlayStation: Websites Can Run Arbitrary Code on Machines Running the 'PlayStation Now' Application
Summary The PlayStation Now application version 11.0.2 is vulnerable to remote code execution RCE. Any website loaded in any browser on the same machine can run arbitrary code on the machine through a vulnerable websocket connection. 1. The local websocket server at localhost:1235 does not check...
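The check the report describes as missing, as an added example that is not code from the report or from the PlayStation Now application: a WebSocket server bound to localhost still receives connections from any web page the browser visits, so the handshake has to validate the browser-supplied Origin header against an exact allowlist. The allowed origin `https://app.example.com` and the sample handshakes are assumptions for illustration, not values from the report.

```javascript
// Added example, not code from the report or from the PlayStation Now application.
// A localhost WebSocket server must validate the Origin header of every upgrade
// request against an exact allowlist; otherwise any web page can open a socket
// to it. The origin and the handshakes below are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com', // assumed: the only web origin allowed to drive the local service
]);

// The kind of check that is easy to get wrong: a substring match lets
// https://app.example.com.evil.net through.
function naiveOriginCheck(originHeader) {
  return typeof originHeader === 'string' && originHeader.includes('app.example.com');
}

// Strict check: parse the header and compare the serialized origin exactly.
// URL.origin is scheme://host[:port] with the host lower-cased and the default
// port dropped, so "https://APP.example.com:443" and "https://app.example.com" match,
// while a scheme or port mismatch does not.
function isTrustedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return false; // opaque/sandboxed origin
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return false; // not a URL at all
  }
  return allowed.has(parsed.origin);
}

// Decision for one upgrade request, given its headers (Node lower-cases header names).
// Browsers always send Origin on a WebSocket handshake, so a missing header means a
// non-browser client; a service that only expects the vendor's own page refuses it.
function handshakeDecision(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers['origin'];
  if (origin === undefined) {
    return { accept: false, reason: 'no Origin header' };
  }
  if (!isTrustedOrigin(origin, allowed)) {
    return { accept: false, reason: `origin not allowed: ${origin}` };
  }
  return { accept: true, reason: 'origin allowed' };
}

// Stand-alone demo over constructed handshakes (not captured traffic).
for (const h of [
  { origin: 'https://app.example.com' },
  { origin: 'https://APP.example.com:443' },
  { origin: 'https://app.example.com.evil.net' },
  { origin: 'http://app.example.com' },
  { origin: 'null' },
  {},
]) {
  console.log(JSON.stringify(h).padEnd(48), '->', JSON.stringify(handshakeDecision(h)));
}
```

Origin validation stops a hostile page from opening the socket at all; it does not replace authenticating the peer (for example with a secret the legitimate client obtains out of band), because non-browser clients can send any Origin they like.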
GitHub Security Lab: CodeQL query for finding ReDoS and Regex Injection vulnerabilities in Java
This bug was reported directly to GitHub Security Lab...
HackerOne: Any user with access to program can resume and suspend HackerOne Gateway
An Insecure Direct Object Reference IDOR vulnerability is present in the UpdateGatewayProgramStateMutation that'd allow an attacker to suspend and resume the HackerOne Gateway feature for any program the user has access to. This includes any private programs that use the Gateway product and have ...
Shopify: Unauthenticated read and write access to ALL endpoints of a store is possible for removed staff members who had "Apps" permission
Technical Background ===================== Shopify Apps need an access token to work with the data of a store. It is very important to keep this token in a secure place. Quoting the Shopify Blog: ... this is like a password into this shop, so you'll want to store this token in a very safe place...
Phabricator: Hyper Link Injection In email and Space Characters Allowed at Password Field.
Hello mongoose, I found that when you enter an email and password for signup, you can use space characters for the password, which shouldn't be allowed. I also found that you can use a hyperlink in the First Name field in the next step, when you are entering your personal information, and when you get t...
U.S. Dept Of Defense: Out-of-date Version (Apache)
URL https://████████/ Identified Version: 2.2.15 (contains 4 important and 10 other vulnerabilities). Latest Version: 2.2.31. Vulnerability Database: result is based on vulnerability database content as of 27.10.2016. Vulnerability Details: the link identified that you are using an out-of-date version of Apache. Impact...
StopTheHacker: Wordpress flashmediaelement.swf XSS on stopthehacker.com
Hi, It appears that the domain stopthehacker.com has an XSS vulnerability, specifically in flashmediaelement.swf. PoC: https://www.stopthehacker.com/wp-includes/js/mediaelement/flashmediaelement.swf?jsinitfunctio%gn=alertPoC%20PoC%20PoC Please see the attached screen shot for the alert box...
Reddit: [accounts.reddit.com] Redirect parameter allows for XSS
The dest parameter in accounts.reddit.com was vulnerable to Cross-Site Scripting XSS attacks, allowing an attacker to execute malicious code and steal user cookies by tricking them into logging in. The vulnerability was exploitable both for logged-in and logged-out users...
Fastify: Open redirect in fastify-static via mishandled user's input when attempt to redirect
Summary: When fastify-static is mounted at root with the register option redirect: true, the following 2 lines cause an open redirect bug: https://github.com/fastify/fastify-static/blob/master/index.js#L156-L157. A remote attacker can redirect users to arbitrary web sites via a double forward slash:...
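The three open-redirect entries above (the Expedia `rurl` parameter, the Airflow `next` parameter and the fastify-static double-slash case) share one root cause: a user-supplied redirect target is trusted because it "looks relative". The following is an added example, not code from fastify-static, Expedia or Apache Airflow, of the check a redirect parameter needs; the site origin `https://site.example` and the sample payloads are constructed for illustration.

```javascript
// Added example (not fastify-static's, Expedia's or Airflow's code): validating a
// "next"/"rurl"-style redirect parameter. SITE is an assumed origin; the payloads
// are constructed, not taken from the reports.
const SITE = 'https://site.example';

// The common naive test: "starts with a single slash, so it must be local".
function naiveIsLocal(target) {
  return typeof target === 'string' && target.startsWith('/') && !target.startsWith('//');
}

// Resolve the value against our own origin with the WHATWG URL parser, which
// applies the same rules browsers do (backslashes become slashes for http(s),
// "//host" is protocol-relative), then keep it only if it stays on our origin.
// The result is rebuilt from the parsed parts, so nothing the user typed is
// echoed into the Location header verbatim.
function safeRedirectTarget(target, base = SITE, fallback = '/') {
  if (typeof target !== 'string' || target === '') return fallback;
  let resolved;
  try {
    resolved = new URL(target, base);
  } catch {
    return fallback; // unparseable
  }
  if (resolved.origin !== new URL(base).origin) return fallback; // off-site, or javascript:/data:
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed inputs showing where the naive check and the parser-based check disagree.
const SAMPLES = [
  '/account?tab=security',     // legitimate relative path
  '//evil.example/phish',      // protocol-relative: the double-slash case from the Fastify report
  '/\\evil.example',           // backslash: browsers read this as //evil.example
  'https://evil.example/',     // absolute off-site
  'https://site.example/home', // absolute but on-site: allowed, reduced to a path
  'javascript:alert(1)',       // non-http scheme
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s).padEnd(30), 'naive:', naiveIsLocal(s), ' safe:', safeRedirectTarget(s));
}
```

The naive check passes `/\evil.example` because it begins with exactly one slash, yet every major browser normalises the backslash and navigates to `https://evil.example/`; resolving with the same parser the browser uses and comparing `origin` removes that whole class of encoding tricks rather than enumerating them.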
VK.com: Reflected XSS in /video
XSS in the video search. XSS in the date, len and order parameters when searching for videos with those parameters specified...
Mail.ru: [my.games] Stored XSS via untrusted bucket
Domain, site, application -- https://my.games/ Details -- If you check page source of https://my.games, you can notice that site gets static files scripts, styles, images using following URL declaration: https://my.games/hotbox/mygames/frontend/v3-6-13/img/share/main.png mygames here is a name of...
HackerOne: Private program disclosure via `vpn_suspended` GraphQL query
Summary: vpn_suspended of the Team object got exposed Description: An attacker can get the vpn_suspended value of any program, including an external program which also has a private program, e.g. █████, and an external program which does not have a private program. What can an attacker do with this? If an external...
Mail.ru: XSS account.mail.ru in state JSON script
Domain, site, application -- account.mail.ru Testing environment -- Chrome Steps to reproduce -- Login and open...
Shopify: HTTP-Response-Splitting on v.shopify.com
I discovered a HTTP-Response-Splitting issue on v.shopify.com Steps to reproduce: Call the following URL in any browser and catch the response e.g. with burp...
OkCupid: https://www.okcupid.com/hidden-users CSRF vulnerability.
Hi, The HTML code below: will make it possible to hide a user. You can patch this by supplying a CSRF token: Best regards, Olivier Beg...
Internet Bug Bounty: PHP openssl_x509_parse() Memory Corruption Vulnerability
Overview: Quote from http://www.php.net "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML." The PHP function openssl_x509_parse uses a helper function called asn1_time_to_time_t to convert timestamps from ASN.1 string...
Internet Bug Bounty: moderate: Apache HTTP Server proxy encoding problem (CVE-2024-38473)
Moderate: Apache HTTP Server proxy encoding problem CVE-2024-38473 An encoding problem was discovered in mod_proxy in Apache HTTP Server versions 2.4.59 and earlier. This issue allowed request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via...
curl: CVE-2024-2398: HTTP/2 push headers memory-leak
CVE-2024-2398 was a memory-leak vulnerability in the HTTP/2 push headers implementation of libcurl. For each incoming PUSH_PROMISE header, a new string was allocated and stored in an array. When the number of headers exceeded a threshold, libcurl freed the array but forgot to free the individual...
curl: CVE-2023-38545: socks5 heap buffer overflow
Vulnerability description not provided...
Fastly VDP: Cache purge requests are not authenticated
Vulnerability description not provided...
curl: CVE-2022-43551: Another HSTS bypass via IDN
Summary: I found an issue similar to CVE-2022-42916 again. Since the phenomenon is the same, I will describe it the same way as last time. HSTS checks are bypassed if any character in the IDN converts (Nameprep) to a '.', for example "。" (UTF-8: E3 80 82). I think there are other characters that become "." (UTF-8: 2E) ...
Reddit: One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on www.redditmedia.com
Hi, Description I've been researching new ways to steal OAuth codes and access-tokens using postMessage, and I found a way for me to steal the code and/or access-token from Apple-sign-in on reddit.com allowing a full account hijack of the account in Reddit. The way it works is this: 1. Attacker...
8x8: DNS Misconfiguration (Subdomain Takeover) - █████████.8x8.com
@melbadry9 reported to us an issue with an A record which pointed to subdomains outside of 8x8's control. This was caused due to a misconfiguration in a script, together with changes in AWS' DNS resolution behaviour. The issue has been rectified...
U.S. Dept Of Defense: Stored XSS at https://www.█████████.mil
Summary: Stored XSS exists at https://www.██████.mil. A user can fill out the form and upload a file containing javascript code to trigger XSS. Description: Stored XSS exists at https://www.████.mil. A user can fill out the form and upload a file containing javascript code to trigger XSS. Impact ...
WHO COVID-19 Mobile App: Internal API endpoint is accessible for everyone
Summary: It looks like the endpoint /internal/cron/refreshCaseStats as configured in cron.yaml https://github.com/WorldHealthOrganization/app/blob/master/server/appengine/src/main/webapp/WEB-INF/cron.yaml#L3 is accessible for everyone. Since it is configured as a cronjob to run every 5 minutes and...
HackerOne: Security@ email forwarding and Embedded Submission drafts can be used to obtain copy of deleted attachments from other HackerOne users
HackerOne has a number of ways for hackers to submit security vulnerabilities to a program, two of which are through an embedded submission form and through security@ email forwarding. These two features can be exploited to update a report draft created through security@ email forwarding that doe...
Shipt: bypass the [OKTA] login redirect can lead to disclosing limited-information about the sub-domain at [ shiptsec.com ]
A security researcher identified limited and non-sensitive information disclosure for one of our public-facing tools that is used by internal users. While the risk was very low and nothing was directly exploitable, we went ahead and made the quick change to mitigate this behavior. We made the...
InnoGames: Impersonation and ticket id enumeration on support.innogames.com
A missing check for authorization made it possible to answer tickets owned by other users in their own name...
HackerOne: Reflected XSS on www.hackerone.com and resources.hackerone.com
Good day: I hope you're doing as well as can be during these difficult times. I have found XSS at 2 endpoints: https://www.hackerone.com/resources/ and https://resources.hackerone.com The payloads that work are here:...
Nord Security: Unauthorized User Can Delete Any User Account
DESCRIPTION: Your help desk allows creating tickets by email, which means a user can send an email to the NordVPN support email to add a new ticket to his activities. So when you send an email to [email protected] from your email address, this ticket will be created on the account that you...
PayPal: Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password
A bug was identified whereby sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation. In certain cases, a user must solve a CAPTCHA challenge after authenticating. When the security challenge is completed, the authentication request is replayed to log in. The...
Uber: Full Path and internal information disclosure+ SQLNet.log file disclose internal network information
The site at lab.usuppliers.uber.com was intended only for authenticated users, but certain internal pages did not enforce an authentication requirement. The log file at /OAHTML/bin/sqlnet.log disclosed internal Uber IP addresses, hostnames, and one internal username. Thanks again for this report...
Kaspersky: Hard Coded username and password in registry
I was using a tool called RegShot to take a snapshot of the registry before and after installation in order to see what changes were being made in the registry, and I discovered hard-coded credentials. I have attached the full comparison details of the registry changes, but these are the lines and...
Uber: Reflected XSS on developer.uber.com via Angular template injection
developer.uber.com is vulnerable to reflected XSS via Angular template injection. The following URL demonstrates the root issue using a trivial payload: https://developer.uber.com/docs/deep-linking?q=wrtz{{7*7}} If you view the rendered source of the resulting page, you'll find the string 'wrtz49',...
Mail.ru: scfbp.tng.mail.ru: Heartbleed
MacBook-Pro-Kirill:Pentest isox$ python heartbleed.py scfbp.tng.mail.ru defribulator v1.16 A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed CVE-2014-0160 Connecting to: scfbp.tng.mail.ru:443, 1 times Sending Client Hello for TLSv1.0 Received Server Hello for TLSv1.0...
ReddAPI: Browser cross-site scripting filter misconfiguration
Issue detail: No X-XSS-Protection header was set in the response. This means that the browser uses its default behaviour, in which detection of a cross-site scripting attack never prevents rendering. Remediation detail: The following header should be set: X-XSS-Protection: 1; mode=block Issue background ...
Internet Bug Bounty: moderate: mod_deflate denial of service
A resource consumption flaw was found in mod_deflate. If request body decompression was configured using the "DEFLATE" input filter, a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration...