Revive Adserver: Reflected XSS on /admin/userlog-index.php
I found a reflected XSS attack on /admin/userlog-index.php. Revive-Adserver version is revive-adserver-5.1.0. - Go to...
Internet Bug Bounty: Some build dependencies are downloaded over an insecure channel (without subsequent integrity checks)
Summary: Build jobs mingw64 | openssl-1.1.1d and mingw32 | openssl-1.0.2u download dependencies from build.openvpn.net and www.oberhumer.com over an insecure channel (http, not https) and do not check their integrity in any way. This opens the door to person-in-the-middle attacks, whereby an attacke...
Weblate: Reset password cookie leads to account takeover
Hi, there are 3 issues in this report that lead to account takeover. 1- When the user requests a reset password link, the server sends a link to the user via email; when the user clicks on the link for the first time it redirects to the Reset password page, but if the user closes the browser or tab and clicks again ...
CS Money: Bypass of member subscription restriction to use a custom background on https://3d.cs.money without a Prime subscription
Summary: On the website https://3d.cs.money you need to subscribe to Prime to have a custom background for a skin F999661 But with this vulnerability, we can use a custom background without any fee required. Steps To Reproduce: add details for how we can reproduce the issue - Grab a build of skin - Save it...
Bitwarden: Rate limits too low for email 2FA
NO RATE LIMIT ON 2FA CAN LEAD TO ACCOUNT COMPROMISE! 1. Create an account on vault.bitwarden.com if you don't have one. 2. Set up 2FA via email. 3. Log out and log in again. This time, along with the password, you have to fill in the 2FA code which is sent to the email. 4. Type any random number, intercept the request wit...
Dropcontact: Unrestricted File Upload on https://app.dropcontact.io/app/upload/
Hi team, I found an Unrestricted File Upload vulnerability on https://app.dropcontact.io/app/upload/. Steps To Reproduce: 1. Create an account on https://app.dropcontact.io/app/ 2. Go to https://app.dropcontact.io/app/upload/ 3. Try to upload an HTML file; you will see the message: only .csv, .txt, .xl...
X (Formerly Twitter): Denial of Service [Chrome]
Hi Team, Summary: I encountered such an error while creating a new account: F903872 But I don't remember where I found this last point. I only remember that it was when I was a new member. I created a URL using the %xx load, as in report 500686, as follows: https://twitter.com/i/flow/%00 I got a result like t...
Mail.ru: Improper Restriction of Excessive Authentication Attempts at https://mirror.w1.dwar.ru/login.php
Password at dwar.ru was not sufficiently protected against brute force...
h1-ctf: [h1-2006 2020] Writeup h12006 CTF
^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Impact...
Open-Xchange: Null pointer dereference in call to `mail_get_flags`
Run the test suite on the following input: require "vnd.dovecot.testsuite"; require "fileinto"; require "imap4flags"; require "mailbox"; test_set "message" text: Subject: Test message. Test message. . ; test "Flag changes between stores" fileinto :create "FolderA"; if not test_result_execute test_fail "failed...
h1-ctf: [H1-2006 2020] "Swiss Cheese" design style leads to helping Mårten Mickos pay poor hackers
Summary: Several vulnerabilities in the bountypay application lead to unauthorised access, information disclosure, SSRF and other fun stuff. Steps To Reproduce: This is how I helped Mårten Mickos pay the poor hackers who had been waiting so long for their bounties. First part: Web I started by...
h1-ctf: [H1-2006 2020] Multiple vulnerabilities lead to CEO account takeover and paid bounties
Summary: 1. A publicly accessible logfile discloses a user's credentials 2. Weak 2FA implementation allows user account takeover 3. Path injection in user's cookie allows SSRF, bypassing the IP restriction to list available builds on https://software.bountypay.h1ctf.com/ 4. API token leak in...
Node.js: Node.js: TLS session reuse can lead to hostname verification bypass
The Node.js TLS library supports client side reuse of TLS sessions when multiple connections to the same server are opened. Code that wants to use this feature can listen for the 'session' event (https://nodejs.org/api/tls.html#tls_event_session) on a tls.TLSSocket to get notified of newly created TLS...
GitLab: Email notification about login email changed is not received when using verified linked email address
Summary: In https://gitlab.com/profile, a user can update the email ID used to log in to the GitLab account using the field "Email". Usually, when this login email ID is updated, 2 emails are sent to the previous email ID with the following subjects. Email 1 - Email Changed: This tells that the login email has been...
Razer: AWS subdomain Takeover at estore.razersynapse.com
The tester discovered the razersynapse.com domain was vulnerable to a subdomain takeover. Although this is out of scope of our program, we appreciate the tester bringing this to our attention...
New Relic: [Bypass] Code injection to open redirect in https://insights.newrelic.com/accounts/2521182/dashboards/1026927
INTRODUCES: Overcoming the mechanism controlling URL insertion, redirecting users to fake pages. STEPS: Payload: Add a dashboard note and insert malicious code. Code: Click the link to view the note detail: Impact: Redirecting users to malicious pages, stealing user information such as fake scripts and user...
Zomato: [www.zomato.com] Blind XSS on one of the Admin Dashboard
Thanks for the report @pandaaaa. The Blind XSS fired when the order details were viewed by the admin at the back-end. The script was injected through an API endpoint from the Zomato app on one of the parameters which was recently introduced to provide special instructions to the restaurant on how...
Razer: Race Condition in Oauth 2.0 flow can lead to malicious applications create multiple valid sessions
The tester discovered a flaw in the Razer ID authentication system that could allow multiple access tokens. This was a minor issue but could theoretically have led to extended access due to unexpired tokens. Razer thanks the tester for their diligence. Here is a write-up for similar bug:...
Coda: Lack of Origin check leads to Cross-Site WebSocket Hijacking (CSWSH)
Summary @fisher discovered a CSRF-related vulnerability in Coda docs by which an attacker could craft a convincing page that would make modifications to a specific document without the victim knowing. This is due to the inherent nature of WebSockets not being secure by default. Although a...
Starbucks: Information Exposure Through an Error Message at news.starbucks.com
I've discovered Information Exposure Through an Error Message on your system POC link: https://news.starbucks.com/cms/index.php?/cp/login/forgottenpasswordform=http://evil.com/?id=test-test Vulnerable url --...
PayPal: [PayPal Android] Remote theft of user session using push_notification_webview deeplink
A deeplink feature built into the PayPal Android application failed to validate the requested endpoint. A specifically crafted request from a website or separate app on the device could call the deeplink and direct traffic to any destination. While the impact was limited by compensating controls,...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
SUMMARY: ==================== This report describes a vulnerability similar to that described in my other reports 329376, 329397, 329399 The DoD https://████/psc/EXPROD/ Web System uses the Oracle PeopleSoft platform which is vulnerable to Remote Code Execution RCE and Denial of Service Attacks D...
GitLab: Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook
The secret token field of a webhook is vulnerable to a new line injection, allowing an attacker to inject non-HTTP commands in a TCP stream. When a GitLab instance is configured with an external Redis instance, e.g. on 127.0.0.1:6379, it may result in arbitrary code execution on a Sidekiq worker ...
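The mechanism behind that report, as an added example that is not GitLab's own code: a CR/LF inside a header value such as a webhook secret token splits one HTTP request into extra protocol lines, and a line-oriented service such as Redis' inline protocol will execute each of them as a command. The host, path, header name (`X-Gitlab-Token` is assumed here), the sample token and the placeholder `SET injected 1` line are all constructed for this example.

```python
"""Added example (not GitLab code): header newline injection and the check
that rejects it. Host, path, header name and token are constructed."""
import re

# Redis' inline protocol treats each newline-terminated line as a command,
# so every line an attacker can insert into the request becomes a command
# once the request is written to a Redis socket instead of an HTTP server.
_CONTROL = re.compile(r"[\r\n\x00]")


def build_raw_request(host: str, path: str, headers: dict) -> bytes:
    """Vulnerable builder: header values are interpolated verbatim."""
    lines = [f"POST {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def build_raw_request_safe(host: str, path: str, headers: dict) -> bytes:
    """Hardened builder: refuse any header name or value carrying CR, LF or NUL."""
    for name, value in headers.items():
        if _CONTROL.search(name) or _CONTROL.search(str(value)):
            raise ValueError(f"control character in header {name!r}")
    return build_raw_request(host, path, headers)


def lines_as_seen_by_inline_parser(raw: bytes) -> list:
    """Split the wire bytes the way a line-oriented (Redis inline) parser would."""
    return [ln for ln in raw.decode().split("\r\n") if ln]


# Constructed attacker-controlled token: a plausible secret followed by an
# injected line. "SET injected 1" is a placeholder command for illustration,
# not the payload from the report.
EVIL_TOKEN = "s3cr3t-t0k3n\r\nSET injected 1"


def demo_vulnerable() -> list:
    """Lines the Redis parser would see when the webhook target is Redis."""
    raw = build_raw_request("127.0.0.1:6379", "/", {"X-Gitlab-Token": EVIL_TOKEN})
    return lines_as_seen_by_inline_parser(raw)


def demo_safe() -> str:
    """The hardened builder refuses the same token before anything hits the wire."""
    try:
        build_raw_request_safe("127.0.0.1:6379", "/", {"X-Gitlab-Token": EVIL_TOKEN})
    except ValueError as exc:
        return str(exc)
    return "accepted"
```

The validation belongs at the point where user input becomes a header (the webhook form), but the request builder is the last line of defence, and an HTTP client library that does this check for every header is the cheapest fix. Restricting webhook targets so they cannot reach loopback or internal addresses closes the Redis-as-target path independently.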
GSA Bounty: Server Side Misconfiguration (EMAIL SPOOFING)
Hi team, Bug Type: Server Security Misconfiguration / Mail Server Misconfiguration / Missing SPF on Email Domain. Weakness: Improper Authentication. Description: I observed this when I sent an email from [email protected] through http://emkei.cz/ to the email [email protected] and afte...
Uber: Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains
When creating new tags on Tealium, the application did not check that the user creating the tag had authorized as the same account they were creating a tag for. It was possible for an attacker to inject arbitrary content into a web page using the utag.js tag. Depending on how the victim implement...
X (Formerly Twitter): XXE on sms-be-vip.twitter.com in SXMP Processor
Hi team, What type of issue are you reporting? Does it align to a CWE or OWASP issue? I've identified an XXE vulnerability in the cloudhopper sxmp servlet on sms-be-vip.twitter.com which discloses local files to an external attacker and allows web requests to be sent. This aligns to...
Udemy: sweet32
Hello, I have found a new attack against the 3DES-CBC cipher in TLS, with which customer data can be decrypted using a method called the SWEET32 Birthday Attack. This vulnerability has CVE-2016-2183 and a CVSS score of 5.0. In the attachment you will see a screenshot of the vulnerability confirmation by an nmap script. Mitigation for SWEET3...
Nextcloud: HTTP-Basic Authentication on logs.nextcloud.com
Greetings, While visiting https://logs.nextcloud.com/ , I noticed that this server uses HTTP Basic Authentication. F152730 POC : ------ GET https://logs.nextcloud.com/ HTTP/1.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.11; rv:50.0 Gecko/20100101 Firefox/50.0 Accept:...
Internet Bug Bounty: Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
I'm retroactively submitting CVE-2016-0704, a.k.a. "Leaky Export", which is a Bleichenbacher-style bug that leads to another variant of the Special DROWN attack. I'm submitting on behalf of myself and J. Alex Halderman, as we independently found this bug. This was validated by OpenSSL as...
Uber: Compromising Atlassian Confluence (team.uberinternal.com) via WordPress (newsroom.uber.com)
This issue has some relevance to most of my previous submissions so I thought it's clearer if I open a new ticket about it. I understood you've intended the various .uber.com WordPress sites to be isolated so that compromising them wouldn't impact Uber's internal network or user data. This has be...
Zendesk: Chat History CSV Export Excel Injection Vulnerability
I have found a vulnerability in the Chat History export function. If an attacker submits a special name containing a system command when chatting with an agent and that agent later exports the history of that chat to CSV, the resulting CSV may execute commands when opened. I have tested this usin...
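The neutralisation that report calls for, as an added example that is not Zendesk's code: cells that begin with a formula trigger are prefixed with an apostrophe before they reach the CSV writer, so the spreadsheet stores them as text. The chat rows are constructed for this example; the `=cmd|...` payload is the widely published DDE pattern, not the one from the report.

```python
"""Added example (not Zendesk code): neutralising spreadsheet formula
injection on CSV export. Sample rows are constructed."""
import csv
import io

# Characters that make Excel/LibreOffice treat a cell as a formula when they
# appear first. Tab and CR are included because some importers strip them
# and then evaluate what follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Prefix a leading apostrophe so the cell is stored as literal text."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_chat_history(rows, neutralize: bool = True) -> str:
    """Render rows (dicts with visitor_name, message) as CSV text.
    neutralize=False reproduces the vulnerable behaviour described above."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["visitor_name", "message"])
    for row in rows:
        cells = [row["visitor_name"], row["message"]]
        if neutralize:
            cells = [neutralize_cell(c) for c in cells]
        writer.writerow(cells)
    return out.getvalue()


def cells_starting_with_trigger(csv_text: str) -> list:
    """Parse the CSV back and list cells a spreadsheet would still evaluate."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # skip header
    return [c for row in reader for c in row if c.startswith(FORMULA_TRIGGERS)]


# Constructed chat rows: one visitor name carries a DDE-style payload,
# one message starts with a formula trigger, one is harmless.
SAMPLE_ROWS = [
    {"visitor_name": "=cmd|' /C calc'!A0", "message": "hi"},
    {"visitor_name": "Alice", "message": "+1 for the new plan"},
    {"visitor_name": "Bob", "message": "thanks, bye"},
]
```

Apply the prefix only to free-text columns: a numeric column such as a balance of `-12.50` must not be touched, and consumers that are not spreadsheets will see the apostrophe literally. Quoting every cell (`QUOTE_ALL`) also stops a payload from escaping its cell through an embedded comma or quote.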
Shopify: customer password hash leak
An endpoint in the Draft Order feature would return a serialized version of the Customer that contained the account password hashed and salted as well as the last password reset token when available...
ok.ru: http://217.20.144.201 privilege escalation in Apache Tomcat SessionExample script
The Tomcat Servlet Examples application was accessible at wmf.ok.ru, which left ok.ru vulnerable to cookie manipulation (http://lab.onsec.ru/2013/03/tomcat-servlet-examples-threats.html) and whatever other vulnerabilities Servlet Examples might contain...
Shopify: Lack of SSL Pinning on POS Application ( iOS )
Description Given that this is a POS application and handles CHD, cryptographic security is of utmost importance. Applications such as Square, Amazon's POS, etc. have already implemented this. The iOS application is correctly checking SSL certs using the OS keychain, but due to the lack of checki...
Mobile Vikings: Insecure crossdomain.xml
Hi, https://mobilevikings.be/crossdomain.xml contains the following XML file: This will make anyone able to receive content from https://mobilevikings.be/. More information about this issue is available here: http://gursevkalra.blogspot.nl/2013/08/bypassing-same-origin-policy-with-flash.html Bes...
curl: CVE-2024-11053: netrc + redirect credential leak
CVE-2024-11053 was a logic flaw in Curl that resulted in a credential leak during redirects. The issue was caused by the way Curl processed netrc credentials when performing redirects. Under certain conditions, the redirect passed along credentials specified for the original host to the redirecti...
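The flaw described above in miniature, as an added example that is not curl's code: a client that resolves netrc credentials once for the first host and keeps them attached across a redirect sends them to the redirect target, while a client that resolves them per host sends none to a host with no netrc entry. The netrc entries and redirect chain are constructed for this example and say nothing about curl's actual code path.

```python
"""Added example (not curl code): netrc credentials carried across a
redirect versus re-resolved per host. All data below is constructed."""
from urllib.parse import urlsplit

# Constructed stand-in for a parsed ~/.netrc: host -> (login, password)
NETRC = {"api.example.com": ("alice", "hunter2")}

# Constructed redirect map: URL -> Location header of the response; None = 200
REDIRECTS = {
    "https://api.example.com/v1/report": "https://cdn.example.net/report.bin",
    "https://cdn.example.net/report.bin": None,
}


def credentials_for(host):
    """Look up the netrc entry for one host (None when absent)."""
    return NETRC.get(host)


def _host(url):
    return urlsplit(url).hostname


def follow_carrying_credentials(url, max_hops=5):
    """Vulnerable pattern: credentials chosen for the first host stay attached
    to every request in the chain. Returns [(host, creds_sent), ...]."""
    creds = credentials_for(_host(url))
    trace = []
    for _ in range(max_hops):
        trace.append((_host(url), creds))
        url = REDIRECTS.get(url)
        if url is None:
            break
    return trace


def follow_per_host_credentials(url, max_hops=5):
    """Fixed pattern: credentials are looked up for the host of each request,
    so a redirect target without a netrc entry receives none."""
    trace = []
    for _ in range(max_hops):
        host = _host(url)
        trace.append((host, credentials_for(host)))
        url = REDIRECTS.get(url)
        if url is None:
            break
    return trace
```

The same discipline applies to any credential source that is scoped to a host (netrc, a proxy-auth cache, a bearer token configured per origin): the lookup key must be the host of the request actually being sent, not the host the user originally named.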
curl: CVE-2023-38546: cookie injection with none file
Vulnerability description not provided...
Internet Bug Bounty: CVE-2023-40195: Apache Airflow Spark Provider Deserialization Vulnerability RCE
Apache Airflow Spark Provider before 4.1.3 was affected by a deserialization vulnerability that allowed remote code execution RCE. Attackers could exploit this vulnerability by configuring a malicious Spark server address through the Airflow UI, which would then manipulate the PySpark clients...
Node.js: Weak randomness in WebCrypto keygen
https://github.com/nodejs/node/pull/35093 introduced a call to EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/crypto_keygen.cc. There are two problems with this: 1. It does not check the return value, it assumes EntropySource always succeeds, but it can and sometimes will fail. 2. The...
Yelp: installed.json sensitive file was publicly accessible on your web application which discloses information about authors and admins
Kindly, if you don't accept this issue please close it as informative; thanks in advance. Description: The installed.json file is a sensitive file and it was publicly accessible on your web server, which discloses some information about your website and users, such as authors like admin, as shown...
Phabricator: Possible to make restricted files public on Phabricator via Diffusion
Files on Phabricator are always viewable to a user if they are attached to an object that they can view. It seems Phabricator does check if you can view a file before allowing you to attach it. If you don't have access to the file, it will just look like this F99999999999 in plaintext. It seems...
Kaspersky: No Rate Limit On Forgot Password Page
Reported security issue allowed a potential attacker to abuse the password recovery option on our My Kaspersky portal for mass sending of password recovery messages. This was fixed with a password reset throttling feature to protect our service from its abuse by third parties. Note that this...
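The throttling that the Bitwarden (email 2FA), Mail.ru (login brute force) and Kaspersky (password recovery) reports above all ask for, as one added example that is not any of those vendors' code: a sliding-window failure counter per key with a lockout once the budget is spent. The limits, the injectable clock, the account name and the 2FA codes are constructed for this example.

```python
"""Added example (not vendor code): sliding-window throttle with lockout for
guessable-secret endpoints (2FA codes, logins, recovery mails)."""
import time
from collections import defaultdict, deque


class AttemptThrottle:
    """Allow at most `max_attempts` failures per key within `window_s`
    seconds; after that, refuse the key for `lockout_s` seconds."""

    def __init__(self, max_attempts=5, window_s=300, lockout_s=900,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of failures
        self._locked_until = {}              # key -> clock time

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def allowed(self, key) -> bool:
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[key]      # lockout expired, start clean
            self._failures[key].clear()
        self._prune(key, now)
        return len(self._failures[key]) < self.max_attempts

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_s

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def verify_2fa(throttle, account, supplied_code, expected_code) -> str:
    """Gate a 2FA check behind the throttle, keyed by account so guessing
    from many source IPs still draws on one budget."""
    if not throttle.allowed(account):
        return "locked"
    if supplied_code == expected_code:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "wrong"


class FakeClock:
    """Constructed clock so the demonstration runs offline and instantly."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Three wrong codes, a fourth attempt while locked, then the right code
    after the lockout has elapsed."""
    clock = FakeClock()
    t = AttemptThrottle(max_attempts=3, window_s=60, lockout_s=600, clock=clock)
    results = [verify_2fa(t, "alice", "000000", "482913") for _ in range(4)]
    clock.advance(601)
    results.append(verify_2fa(t, "alice", "482913", "482913"))
    return results
```

For a six-digit emailed code the budget has to be small (a handful of attempts per code) and the code itself should be invalidated when the lockout triggers, otherwise the attacker simply waits it out. For recovery mails, key on the target address as well as the source IP, since the abuse the Kaspersky report describes is volume, not guessing.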
GitLab: Stored DOM XSS via Mermaid chart
Prologue GitLab supports Mermaid as part of GFM to allow users to generate diagrams and flowcharts from text. In version 8.6.0, Mermaid added support for directives to give more control over the styles/themes applied to the diagrams. You can read more about how this works here:...
FetLife: Stored XSS via `Create a Fetish` section.
The reporter pointed out that the fetish field for creating new fetishes on FetLife was vulnerable to a stored XSS exploit, after creating a fetish for which this exploit was used the contents would execute whenever people added the fetish to their profile and attempted to edit the fetish through...
Stripo Inc: Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo
Summary: Can you imagine discovering an API key disclosure vulnerability in a disclosed API key disclosure report? The same thing is what I came across while going through the disclosed reports at Stripo Inc. Plus, the disclosed API key isn't even revoked, and therefore I am still able to use the...
GitHub Security Lab: Java : add MongoDB injection sinks
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: Reflected XSS on ███████
Summary: Reflected Cross site Scripting XSS on████leaving.html?url=%22%3E%3Cscript%3Ealertdocument.domain%3C/script%3E Steps To Reproduce: 1. Navigate to███leaving.html?url= 2. Enter a crafted XSS payload like "alert"xss by nagli" 3. Alert will pop :- █████████ How can the system be exploited wit...
BugPoC: DOM based Cross-site Scripting
Summary: The postMessage API is an alternative to JSONP, XHR with CORS headers and other methods enabling sending data between origins. It was introduced with HTML5 and like many other cross-document features it can be a source of client-side vulnerabilities. Steps To Reproduce: Visit -...
Kubernetes: Fake email from <any_name>@kubernetes.io to any other email
Hi, I just found an issue: no valid SPF records in your mail server @kubernetes.io. Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email...
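What "no valid SPF record" means to a receiving MTA, as an added example serving both the GSA Bounty and the Kubernetes spoofing reports above and written for this page rather than taken from either project: an offline evaluator that parses a domain's TXT records as SPF and reports the result an unauthorised sender would get. The TXT records are constructed for this example; nothing here queries DNS.

```python
"""Added example (not GSA or Kubernetes code): offline SPF record evaluation.
TXT records passed in are constructed; no DNS is queried."""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str):
    """Return ([(result, mechanism), ...], {modifier: value}) for one
    v=spf1 record. Qualifier defaults to '+' (pass) per RFC 7208."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        head = term.split("=", 1)[0]
        if "=" in term and ":" not in head:
            name, value = term.split("=", 1)   # redirect= / exp= modifiers
            modifiers[name.lower()] = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanisms.append((QUALIFIERS[qualifier], term.lower()))
    return mechanisms, modifiers


def spoofing_verdict(txt_records) -> str:
    """Result a sender that matches none of the listed hosts receives.
    Anything other than 'fail' (or 'softfail' combined with DMARC
    enforcement) leaves the domain spoofable."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none: no SPF record, spoofed mail is not even soft-failed"
    if len(spf) > 1:
        return "permerror: multiple SPF records, treated as unprotected"
    mechanisms, modifiers = parse_spf(spf[0])
    for result, mech in mechanisms:
        if mech == "all":          # 'all' matches every sender; first match wins
            return result
    if "redirect" in modifiers:
        return f"redirect: evaluate {modifiers['redirect']} instead"
    return "neutral: no 'all' mechanism, default result is neutral"


# Constructed TXT record sets for three domains, including a non-SPF
# verification record that the evaluator must ignore.
SAMPLE_DOMAINS = {
    "unprotected.example": ["some-site-verification=abc123"],
    "soft.example": ["v=spf1 include:_spf.example.net ~all"],
    "strict.example": ["some-site-verification=abc123", "v=spf1 mx -all"],
}


def audit(domains=SAMPLE_DOMAINS) -> dict:
    return {name: spoofing_verdict(records) for name, records in domains.items()}
```

SPF checks the envelope sender, so a `-all` record alone does not stop a forged header From; receivers act on that only when the domain also publishes a DMARC policy (`p=quarantine` or `p=reject`), which is the check to add to this audit before calling a domain protected.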
Monero: Monero wallet password change is confirmed when not matching
Summary: If you change your wallet password in the GUI, the confirmation does not need to match the new password. Releases Affected: list each version and OS of the application affected Steps To Reproduce: Open your wallet. Go to settings. Change...