WHO COVID-19 Mobile App: Internal API endpoint is accessible for everyone
Summary: It looks like the endpoint /internal/cron/refreshCaseStats as configured in cron.yaml https://github.com/WorldHealthOrganization/app/blob/master/server/appengine/src/main/webapp/WEB-INF/cron.yaml#L3 is accessible for everyone. Since it is configured as a cronjob to run every 5 minutes and...
HackerOne: Second-order SOQL injection through email and campaign name parameter in Salesforce lead submission
The HackerOne directory contains profiles of bug bounty and vulnerability disclosure programs that aren't managed on HackerOne. These profiles can be claimed by the organization that manages it. As part of this flow, they will need to enter an email address to confirm that affiliation with the...
U.S. Dept Of Defense: [SQLI] Time Based Injection at ██████████ via referer header
Hi, the ████ was vulnerable to time based injection via the referer header. Steps: 1- copy the request to your Burp Suite: GET /DNCdb.php?alert= HTTP/1.1 Host: ███████ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept:...
Mail.ru: [my.games] Stored XSS via untrusted bucket
Domain, site, application -- https://my.games/ Details -- If you check page source of https://my.games, you can notice that site gets static files scripts, styles, images using following URL declaration: https://my.games/hotbox/mygames/frontend/v3-6-13/img/share/main.png mygames here is a name of...
Mail.ru: Stored xss on https://go.mail.ru/
Reflected XSS via GET parameter in go.mail.ru...
Semmle: Worker container escape lead to arbitrary file reading in host machine [again]
Summary: After a successful build, LGTM allows the user to view the file list. By default, only source code files and build config files are reserved: lgtm.yml and .lgtm.yml. If both files are in a folder, LGTM will process the lgtm.yml file and skip .lgtm.yml, but it still keeps both files in...
Mail.ru: XSS account.mail.ru in state JSON script
Domain, site, application -- account.mail.ru Testing environment -- Chrome Steps to reproduce -- Login and open...
Shopify: HTTP-Response-Splitting on v.shopify.com
I discovered a HTTP-Response-Splitting issue on v.shopify.com Steps to reproduce: Call the following URL in any browser and catch the response e.g. with burp...
OkCupid: https://www.okcupid.com/hidden-users CSRF vulnerability.
Hi, The HTML code below: Will make it possible to hide a user.. You can patch this by supplying a CSRF token: Best regards, Olivier Beg...
Internet Bug Bounty: moderate: mod_deflate denial of service
A resource consumption flaw was found in mod_deflate. If request body decompression was configured using the "DEFLATE" input filter, a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration...
Internet Bug Bounty: important: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. (CVE-2024-38475)
The Apache HTTP Server was found to have a vulnerability in mod_rewrite where improper escaping of output allowed attackers to map URLs to filesystem locations that were permitted to be served by the server but were not intentionally/directly reachable by any URL. This resulted in potential code...
U.S. Dept Of Defense: Default Credentials on Kinetic Core System Console - https://█████/kinetic/app/
Weak default credentials of "admin/admin" were discovered on the Kinetic Core System Console application, potentially allowing attackers to identify underlying technologies and access sensitive information such as server logs and user data. The vulnerability was present in version 2.1.0-SNAPSHOT...
Internet Bug Bounty: CVE-2022-23520: Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)
The following is from: https://hackerone.com/reports/1654310 While building a PoC for CVE-2022-32209, I noticed that I could not fix my vulnerable application by updating https://github.com/rails/rails-html-sanitizer from 1.4.2 to 1.4.3 even though the Hackerone report about this vulnerability...
curl: CVE-2022-43551: Another HSTS bypass via IDN
Summary: I found an issue similar to CVE-2022-42916 again. Since the phenomenon is the same, I will describe it the same as last time. HSTS checks are bypassed if any character in the IDN converts (Nameprep) to a '.', for example "。" (UTF-8: E38082). I think there are other characters that become "." (UTF-8: 2E) ...
h1-ctf: First CTF ever!
Pretext: Started looking into hacking this autumn and then found out HackerOne was doing a Christmas themed CTF. Further investigation showed that the deplorable Grinch might be up to no good again - Christmas is in danger! TLDR: Lots of hacking took place, the Grinch was stopped, Christmas saved a...
Stripo Inc: Public and secret api key leaked in JavaScript source
Summary: Summary of the vulnerabilities: I was surfing on the stripo website. I found sensitive data, including an authentication key, written in a publicly accessible JavaScript file. URL Vulnerability https://staging.empleio.stripo.email/main.c1965c58f39a0f4aadc3.js Steps To Reproduce: Open...
InnoGames: Impersonation and ticket id enumeration on support.innogames.com
A missing check for authorization made it possible to answer tickets owned by other users in their own name...
HackerOne: Reflected XSS on www.hackerone.com and resources.hackerone.com
Good day: I hope you're doing as well as can be during these difficult times. I have found XSS at 2 endpoints: https://www.hackerone.com/resources/ and https://resources.hackerone.com The payloads that work are here:...
New Relic: Bypassing Protection Mechanism: Change of Account Name after Session Log out
The researcher illustrated a delay in session invalidation. This has not been added to our public policy to help prevent confusion...
Bumble: Reflected XSS
The researcher has found an XSS when sending messages through our service...
Semmle: All Burp Suite Scan report
Summary: 1. Detected Deserialization RCE: Jackson 1.1. https://lgtm-com.pentesting.semmle.net/blog/ lgtmshortsession cookie 1.2. https://lgtm-com.pentesting.semmle.net/internalapi/v0.2/getSuggestedProjects apiVersion parameter 2. Session token in URL 3. CSP: Inline scripts can be inserted 3.1...
Phabricator: Window.opener fix bypass
Description: Due to a recent report https://hackerone.com/reports/306414 a fix was deployed in order to resolve the tabnabbing issue. However, by using a line break the fix can be bypassed. Steps to reproduce: 1. Browse to your Phabricator instance and create a new document. 2. Now paste in the followi...
Kaspersky: Hard Coded username and password in registry
I was using a tool called RegShot to take a snapshot of the registry before and after installation in order to see what changes were being made in the registry, and I discovered hard-coded credentials. I have attached the full comparison details of the registry changes, but these are the lines and...
Uber: Reflected XSS on developer.uber.com via Angular template injection
developer.uber.com is vulnerable to reflected XSS via Angular template injection. The following url demonstrates the root issue using a trivial payload: https://developer.uber.com/docs/deep-linking?q=wrtz77 If you view the rendered source of the resulting page, you'll find the string 'wrtz49',...
Mail.ru: scfbp.tng.mail.ru: Heartbleed
MacBook-Pro-Kirill:Pentest isox$ python heartbleed.py scfbp.tng.mail.ru defribulator v1.16 A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed CVE-2014-0160 Connecting to: scfbp.tng.mail.ru:443, 1 times Sending Client Hello for TLSv1.0 Received Server Hello for TLSv1.0...
curl: Incorrect Type Conversion in interpreting IPv4-mapped IPv6 addresses and below `curl` results in indeterminate SSRF vulnerabilities.
Vulnerability description not provided...
curl: CVE-2022-35260: .netrc parser out-of-bounds access
Summary: Curl expects the .netrc file to have space characters. So if there is no space character, it will do an out-of-bounds read and a 1-byte out-of-bounds write. This can happen multiple times depending on the state of the memory. Steps To Reproduce: curl --netrc-file .netrc test.local ".netr...
Internet Bug Bounty: Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag
It seems to be a problem caused by a difference between the nokogiri java implementation and the ruby implementation. jruby 9.3.3.0, nokogiri (java): use Rails::Html::SafeListSanitizer.new.sanitize and allow the select/style tags: tags = %w(select style) puts...
curl: CVE-2022-32206: HTTP compression denial of service
Summary: Curl does not prevent resource consumption when processing certain header types, but keeps on allocating more and more resources until the application terminates or the system crashes, see below. The attack vectors include at least: - Sending many Transfer-Encoding: with repeated encodings...
GitHub Security Lab: Java : Add query for detecting Log Injection vulnerabilities
This bug was reported directly to GitHub Security Lab...
CS Money: Internal Path Disclosure
Hello Team, I would like to report internal path disclosure in response. I was trying for Stored XSS but got no luck in that process. I observed the responses, one of the responses showing file path with 500 Internal Server Error. Steps To Reproduce: 1. Go to cs.money and sign in through steam...
lemlist: Stored XSS at [ https://app.lemlist.com/campaigns/cam_QRS5caF2ca7MJtiLS/leads ] in " LINKEDIN URL" Field.
Summary: Vulnerability: A. Type:- Cross Site Scripting (Stored) B. Description:- Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Summary: When you log in to the...
Mail.ru: Sensitive information exposure via git commit
Token for a test ICQ bot account was leaked via git commit data for opensource Jira plugin...
Ruby on Rails: Untrusted users able to run pending migrations in production
Untrusted users able to run pending migrations in production There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. This vulnerability has been assigned the CVE identifier CVE-2020-XXXX...
Starbucks: CRLF injection on www.starbucks.com
The vulnerability allows setting arbitrary headers, and also enables response splitting which can then be exploited further. POC: curl -i 'https://www.starbucks.com/email-prospecttg9wh%0d%0aset-cookie:foo%0d%0a%0d%0a4t6uf?requesturl=/responsibility/global-report/policies' -d...
Internet Bug Bounty: URN Request bypass ACL Checks
Summary: Attacker can bypass ACL checks gaining access to restricted HTTP servers such as those running on localhost. Attacker could also gain access to CacheManager if VIA header is turned off. Only lines with : will be readable though, and the response must be less than 4096 bytes or it'll...
X (Formerly Twitter): character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error
Summary: If you are creating a new moment on https://twitter.com/username/moments you get redirected to https://twitter.com/i/moments/edit/moments-id. There you can set a title, a description and also you can add, if you want, a Tweet to your Moment. The title and also the description are...
Nord Security: Reduced Payment amount while paying on Crypto Currencies
Summary: While the payment is made via Crypto Currencies on the site "https://join.nordvpn.com/order/", the amount can be reduced to 25.64 instead of the original amount, this can cause loss of revenue to the company. Even the BTC value reflects the reduced converted values, see the screenshot...
Rocket.Chat: Clickjacking in the admin page
Summary: Hello Rocket.Chat, There is a clickjacking vulnerability in a very critical page, which is the admin info page. For my installation, the URL https://penetrationtester.rocket.chat/admin/users was used for creating the PoC. Description: Clickjacking, a User Interface redress attack, UI redress...
curl: Race condition with CURL_LOCK_DATA_CONNECT can cause connections to be used at the same time
Summary: We've seen race conditions when using CURL_LOCK_DATA_CONNECT in libcurl where sometimes two different threads using two different easy handles end up sharing the same connection pointer at the same time. This causes UAFs and double frees when both threads are freeing items on the same...
Gratipay: Information Disclosure on inside.gratipay.com
Hello @gratipay, By checking request headers I've been able to identify that inside.gratipay.com is running on Server: WSGIServer/0.1 Python/2.7.11. Request: https://inside.gratipay.com/assets/inside-gratipay.svg GET /assets/inside-gratipay.svg HTTP/1.1 Host: inside.gratipay.com User-Agent:...
Snapchat: Stealing SSO Login Tokens (snappublisher.snapchat.com)
Description: Attacker can steal SSO login tokens for snappublisher.snapchat.com by chaining different flaws in SSO and Snapchat's Snappublisher tool. Detailed attack flow is as follows. Attack Flow: 1. Snapchat fetches an SSO LOGIN TOKEN from accounts.snapchat.com to log into different products o...
Uber: Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
Through the endpoint at /rt/users/passwordless-signup it is possible to change the password of any Uber user, given knowledge of their phone number or by just enumerating phone numbers until one is found that is registered with Uber - not too hard given the number of Uber users. I've tested this...
drchrono: Stored XSS via AngularJS Injection
Hi All, I've found a stored XSS vulnerability via an Angular Template Injection in the messages referral address field. Description: After visiting https://1337test.drchrono.com/messages/referrals/contacts/, you can enter new contact information. In the field for the address, if you enter 55, when the...
Internet Bug Bounty: Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
https://bugs.php.net/bug.php?id=70366...
Internet Bug Bounty: Possible DoS by memory exhaustion in net/imap
The net-imap gem implemented an IMAP client in Ruby. Versions prior to 0.3.8, 0.4.19, and 0.5.6 contained a vulnerability that could lead to denial of service by memory exhaustion. The vulnerability was caused by the response parser using Range#to_a to convert uid-set data without limiting the...
Ionity GmbH: HTML injection in swagger UI
A vulnerability was discovered in the Swagger UI that allowed for HTML injection. This vulnerability existed because the application failed to properly sanitize user-supplied input before rendering it in the HTML context. An attacker could have exploited this issue to execute arbitrary scripts in...
EXNESS: Unrestricted Access to Celery Flower Instance
The publicly accessible Celery Flower instance allowed unrestricted access, exposing sensitive information, and the ability to manipulate tasks...
curl: CVE-2021-22876: Automatic referer leaks credentials
Summary: When using the --referer ';auto' feature the current URL is copied as-is to the referrer header of the subsequent request. The recommendation 1 is to strip these along with the URL fragment. I can imagine this may, in rare cases, result in unwanted/unexpected disclosure of credentials e....
PortSwigger Web Security: HTML Injection in Swing can disclose netNTLM hash or cause DoS
The vulnerability is like a SSRF but on the client side, where an attacker can force an unsolicited hidden request made by Burp Suite when the victim performs some actions. During normal browsing to a website through Burp Suite Pro or Community, if the website makes a request with HTML code in a...