GitHub Security Lab: [CATENACYBER]: [CPP] CWE-476 Null Pointer Dereference : Another query to either missing or redundant NULL check
This bug was reported directly to GitHub Security Lab...
WordPress: Clickjacking on donation page
Description: Vulnerable URL: https://wordpressfoundation.org/donate/ Clickjacking on the vulnerable URL allows an attacker to redirect a victim to make a donation at an attacker's page. Steps To Reproduce: 1. To test whether the page is vulnerable to clickjacking or not, use this code: i Frame THIS PA...
Curve: Sensitive Info Leak - An Attacker Can Retrieve All the Users Mobile Numbers at https://website-api.production.curve.app/api/waitlist/us
Hi, when I was going through all the JS files on curve.com I found a link called "/usa" that is used to create Curve USA waitlists by entering your name, email address, mobile number and address details. F874173 Then there is a functionality called "Track my Position" by using which joined users can view...
Topcoder: SSRF at https://cognitive.topcoder.com leads to AWS instance metadata due to vulnerable email subscription feature
Summary: Topcoder makes use of Amazon's AWS in their web application environment. I noticed a feature that allows a user to subscribe and receive emails from Topcoder. This feature is vulnerable to server-side request forgery since it allows a user to supply an arbitrary URL which the application...
U.S. Dept Of Defense: SSN is exposed on slides, previous critical report was not fixed in an appropriate way
Summary: SSN is exposed on slides, previous critical report was not fixed in an appropriate way Description: 1. SSN is exposed on a screenshot, slide 13. The SSN is covered by an olive/green rectangle which is movable. The image itself was not updated. ██████wp-content/uploads/2018/12/████████ 2...
Stripo Inc: subdomain takeover at status-stage0.stripo.email
The subdomain status-stage0.stripo.email was pointed at uptimerobot.com even though it was not being used, but still had a CNAME record to stats.uptimerobot.com. Hence anyone could take it over. I have parked it with an account on uptimerobot.com. Note: this issue is similar to report but with another...
Semrush: Persistent CSV injection
Hi Team, https://www.semrush.com/notes is vulnerable to persistent (stored) CSV injection. POC: 1. Log in to the application and open https://www.semrush.com/notes 2. Click on the "Add note" button 3. Enter CSV injection payloads like =4+4, =HYPERLINK("http://evil.com", "EVIL") and click on sa...
GSA Bounty: Subdomain Takeover due to unclaimed domain pointing to AWS
Note: I know this is on an out-of-scope domain; however, I felt it should still be raised as it was the only subdomain of data.gov to be vulnerable. Issue Details The consultant identified that the subdomain https://18f.domains.api.data.gov/ is pointing to dn9rrjaiux2m0.cloudfront.net via a DNS CNAME...
Internet Bug Bounty: Exim handles BDAT data incorrectly and leads to crash/hang
Original article is here Incorrect BDAT data handling leads to DoS Vulnerability Analysis When receiving data with the BDAT command, an SMTP server should not consider a single dot '.' on a line to be the end of the message. However, we found Exim does so in receive_msg when parsing headers. Like the following...
Inflection: XST(Cross Site Tracing)
Researcher reported that OPTIONS and TRACE HTTP methods are enabled. HTTP configuration best practices are not currently in scope for our HackerOne program, so we closed the report. Researcher requested that we disclose it...
Internet Bug Bounty: Mercurial can be tricked into granting authorized users access to the Python debugger
I reported this bug privately to Mercurial and they produced an out of band release to fix the bug here: https://www.mercurial-scm.org/wiki/WhatsNewMercurial4.1.3.282017-4-18.29 I produced a very detailed proof of concept with a Metasploit exploit module, which can be seen publicly here:...
Uber: DOM based XSS on
Possible Remote code execution DOM based XSS Vuln jQuery param: var strliID=jQuery(location).attr('hash'); Target: Logged-in admin Go url https://drive.uber.com/melbourne/wp-admin/admin.php?page=Optionsgallerystyles" Solution: Upgrade to the latest version of the gallery plugin. Your version v1.9.55 Test my localhos...
Internet Bug Bounty: Integer overflow in ftp_genlist() resulting in heap overflow
https://bugs.php.net/bug.php?id=69545 Description: ------------ The ftp_genlist() function of the ftp extension is prone to an integer overflow, which may result in remote code execution. ext/ftp/ftp.c:ftp_genlist... 1826 size = 0; 1827 lines = 0; 1828 lastch = 0; 1829 while ((rcvd = my_recv(ftp, data->fd...
Node.js: Path traversal through path stored in Uint8Array
A vulnerability was discovered in Node.js that allowed path traversal through Uint8Array objects. This vulnerability affected users using the experimental permission model in Node.js 20...
curl: CVE-2023-32001: fopen race condition
A race condition vulnerability existed in the fopen function of the curl library. This vulnerability allowed an attacker to exploit the race condition between the stat and fopen functions, potentially leading to unauthorized file overwrites or the theft of sensitive data such as cookies. The...
Internet Bug Bounty: CVE-2022-42916: HSTS bypass via IDN
Original Report: https://hackerone.com/reports/1730660 Impact HSTS bypass...
Internet Bug Bounty: The Host Authorization middleware in Action Pack is vulnerable to crafted X-Forwarded-Host values
Title: The Host Authorization middleware in Action Pack is vulnerable to crafted X-Forwarded-Host values Scope: https://github.com/rails/rails Weakness: Open Redirect Severity: Medium Link: https://hackerone.com/reports/1189310 Date: 2021-05-09 06:29:19 +0000 By: @mshtawy CVE IDs: CVE-2021-22942,...
Basecamp: Login session does not expire
@blackbibin reported that after signing in, you could go back in the browser and the login info would still be populated. We've ensured the login page is reloaded in this case...
Shopify: Improper Input Validation on https://oberlo-image-proxy.shopifycloud.com/
The service under https://oberlo-image-proxy.shopifycloud.com/ seems to work like an image proxy through the url GET parameter and is supposed to handle only images. █████████ When a content type other than an image is present, the service returns a 404 error to the user. curl -si...
GitHub Security Lab: [Java]: CWE-601 Spring url redirection detect
This bug was reported directly to GitHub Security Lab...
Automattic: SQL Injection Union Based
Summary: Hello, I have found a union-based SQL injection on https://intensedebate.com/commenthistory/$YourSiteId The $YourSiteId in the URL is vulnerable to SQL injection. Steps to reproduce 1. Log in to https://intensedebate.com 2. After creating your own site on...
Node.js third-party modules: Default behavior of Fastify's versioned routes can be used for cache poisoning when Fastify is used in combination with an HTTP cache / CDN
I would like to report possible cache poisoning in Fastify. It allows an attacker to perform cache poisoning when Fastify is used in combination with an HTTP cache / CDN. Module module name: Fastify version: 3.x npm page: https://www.npmjs.com/package/fastify Module Description Fast and low...
Shopify: [Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) has public access to other users' images
Hello Shopify, when testing the Shopify Ping share image function, I discovered an Amazon S3 bucket which has public access, which allows an attacker to view all the images of other merchants & users. Steps To Reproduce: 1. Install Shopify Ping on your phone then enable Shopify Chat for your store. 2. G...
HackerOne: Team object in GraphQL disclosed private_comment
Summary: Hi Team, Some private (I think) part of GraphQL is revealed to us. Steps To Reproduce: Without authorization 1. https://hackerone.com/graphql POST: "query":"query nodeid: \"gid://hackerone/SurveyRatingItem/█████\" ... on...
Radancy: [mijn.werkenbijdefensie.nl] Denial of service occurs due to lack of email length confirmation
Creating an account on https://mijn.werkenbijdefensie.nl/profielaanmaken/ could be done with a very long email address. A max email address length validation check has been implemented. As per RFC, the maximum length allowed for an email address is 255 characters. However, we don't validate email...
Open-Xchange: Buffer overread in parse_angle_addr called from message_address_parse_path
Call messageaddressparsepathpooldatastackcreate, data0, size0, &addr2; with input 0x3c,0x40,0x5b,0x40,0x40,0x28, ie parser.data == '@' if parsedomainlistctx 0 && ctx-parser.data == ':' ctx-parser.data++; - else if parsingpath && ctx-parser.data != ':' + else if parsingpath && ctx-parser.data...
Evernote: One Click Code Execution via File
This issue was reported to Evernote by @ajdumanhug and fixed in November 2019. This disclosure is a copy of the original, and is for historical purposes only. Overview The Open with Terminal function is vulnerable to One Click Code Execution. Tested the vulnerability using the Mac Desktop App...
Visma Public: Open Redirection In connect.identity.stagaws.visma.com
The researcher found an open redirection in one of the parameters. This can be used to trick a user into visiting a fake website asking for credentials, and to trick the user into giving out credentials...
MariaDB: Exposed debug.log file leads to information disclosure
At the following address I found a debug.log file that discloses the application's full path on the server, and there is a database username in debug.log too: http://mariadb.org/wp-content/debug.log Impact Information disclosure...
Stripo Inc: No Rate Limiting on /reset-password-request/ endpoint
Hi there! I noticed that when we hit the /reset-password-request/ endpoint many times via a proxy, e.g. Burp, there is no rate limit on that endpoint, and you can spam the email with hundreds of requests and resend even more password reset emails to the users, as there is no rate limiting on tha...
Nextcloud: xmlrpc.php is enabled - Nextcloud
Hi Nextcloud Team, Summary: An attacker can devise an XML request to list all the methods that are enabled on the server. Replace GET with a POST request and add the method call in the request. To reproduce the vulnerability you need to use the Firefox browser and Burp Suite. Open:...
GitLab: Command injection by overwriting authorized_keys file through GitLab import
The Projects::GitlabProjectsImportService contains a vulnerability that allows an attacker to write files to arbitrary directories on the server. This leads to an arbitrary command execution vulnerability by overwriting the authorized_keys file. To reproduce, sign in to a GitLab instance that has...
WakaTime: Lack of Password Confirmation When Changing Email
When any user wants to change the password, the current password is requested before proceeding with the request. This should also be implemented for changing the email. Attack Scenario: When someone forgets to log out of the account on a public computer, anyone can change the email to their own and verify it. And aft...
RubyGems: No limit of summary length allows Denial of Service
Currently, there is no limit for summary length. I think pushing a gem whose summary is huge will make gem search unavailable. This is not Arbitrary Code Execution, but really easy to attack. According to the CVSS v3.0 Calculator, the severity is High (7.5). How to attack 1. An attacker creates a gem...
Weblate: Open SMTP port can let anyone send email from mail.chihar.com
An open SMTP port 587 can let anyone connect and send emails impersonating someone in your company if they could enumerate the email addresses. POC - 1. I performed an nmap scan and was able to find an open port 587 for SMTP 2. I did a netcat connection to it and was able to run commands such a...
X (Formerly Twitter): SSRF in https://cards-dev.twitter.com/validator
Hello, After my previous report 2 years ago https://hackerone.com/reports/30860 you fixed the vulnerability, but now it looks like this fix was reverted and the same problem exists again. Test scenario: Open https://cards-dev.twitter.com/validator 1. Closed port on localhost http://0.0.0.0:123 -...
X (Formerly Twitter): Html Injection and Possible XSS in sms-be-vip.twitter.com
Hi, I would like to report an HTML Injection and possible cross-site scripting (XSS) vulnerability in sms-be-vip.twitter.com Overview The sms-be-vip.twitter.com 404 error page appears to be vulnerable to XSS and HTML Injection as it doesn't encode the HTML tags in the path name such as...
Internet Bug Bounty: Uninitialized pointer in phar_make_dirstream
https://bugs.php.net/bug.php?id=70433...
IBM: Exposed Logs and Bearer Tokens on Test Endpoint
Exposed Logs and Bearer Tokens on Test Endpoint were reported to IBM, analyzed, and have been remediated...
Automattic: Stored XSS on wordpress.com
A Stored XSS vulnerability was found on WordPress.com via app.crowdsignal.com. An attacker could use this vulnerability to execute malicious script code in the victim user's browser and redirect them to malicious sites...
curl: CVE-2022-43552: HTTP Proxy deny use-after-free
Issues reported by Trail of Bits. This is either one or two issues. Summary: ./src/curl 0 -x0:80 telnet:/j-uj-u//0 -m 01 ./src/curl 0 -x0:80 smb:/j-uj-u//0 -m 01 Both command lines end up having libcurl access and use already freed heap memory, for read and write. Steps To Reproduce: See above, r...
Nextcloud: Insecure randomness for default password in file sharing when password policy app is disabled
The password generation function used for protecting shared links in Nextcloud was using an insecure random number generator, which could allow an attacker to access the shared files without knowledge of the password...
Internet Bug Bounty: DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)
A vulnerability in Node.js allowed an attacker-controlled DNS server to bypass DNS rebinding protection by resolving hosts in the .local domain. This allowed an attacker to gain access to the Node.js debugger, potentially resulting in remote code execution. The vulnerability affected all versions...
Reddit: IDOR allows an attacker to modify the links of any user
Hi team! I found an IDOR which allows modifying the links of any user. Users can put their custom links or social media links on their profile, ex: F1855366 To reproduce this: - Replicate the following request by replacing it with your own authentication headers: You must also put in the body of...
XVIDEOS: No rate limit on current password on delete account endpoint (https://www.xvideos.com/account/close)
Hi Team! This attack happens when the victim logs in on another device and forgets to log out. Then the attacker can delete the account by brute-forcing the current password, because the current password has no rate limit. After guessing the current password, the attacker can easily delete the victim's account. Steps To...
Uber: CVE-2020-3452 - unauthenticated file read on anyconnect.routematch.com
The CISCO ASA instance at anyconnect.routematch.com was vulnerable to CVE-2020-3452, allowing an unauthenticated attacker to retrieve arbitrary files on the local filesystem...
TikTok: HTML Injection on Company Name on Email
By changing the company name to any HTML code on the TikTok Creator Marketplace, an attacker could potentially use this to send phishing emails to users containing injected HTML payload. We thank @gnux for reporting this to our team and confirming the resolution!...
Engel & Völkers Technology GmbH: Debug information at the /sapi endpoint
Summary: Sending a GET request to www.engelvoelkers.com/sapi makes the server respond with a 500 Internal Server Error, which yields a stack trace. Steps To Reproduce: - Enter www.engelvoelkers.com/sapi into your web browser and you can see the stack trace. https://bugpoc.com/pocbp-VPZDeo2Z I will...
Phabricator: Edit Policy restriction does not prevent comments.
Change the edit policy of a Maniphest Task - Attempt to comment on the task with a user who doesn't have access Impact Given that a few users I spoke to believe restricting the edit policy blocks comments, this allows an underprivileged user to gain access to carry out a restricted action. Mongoos...
curl: Partial password leak over DNS on HTTP redirect
Summary: From version 7.62, curl and libcurl leak part of the user credentials in the plain-text DNS request. This happens if the server makes a redirect, both 301 and 302, to a relative path, e.g. header 'Location: /login'. It is NOT an issue in the case of absolute redirection, e.g. header 'Location:...