15306 matches found
ok.ru: http://217.20.144.201 privilege escalation in apache tomcat SessionExample-script
Tomcat Servlet Examples application was accessible at wmf.ok.ru, which left ok.ru vulnerable to cookie manipulation http://lab.onsec.ru/2013/03/tomcat-servlet-examples-threats.html and whatever other vulnerability Servlet Examples might contain...
Mobile Vikings: Insecure crossdomain.xml
Hi, https://mobilevikings.be/crossdomain.xml contains the following XML file: This will make anyone able to receive content from https://mobilevikings.be/. More information about this issue is available here: http://gursevkalra.blogspot.nl/2013/08/bypassing-same-origin-policy-with-flash.html Bes...
curl: CVE-2024-11053: netrc + redirect credential leak
CVE-2024-11053 was a logic flaw in Curl that resulted in a credential leak during redirects. The issue was caused by the way Curl processed netrc credentials when performing redirects. Under certain conditions, the redirect passed along credentials specified for the original host to the redirecti...
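The entry above describes credentials for the original host being sent to a redirect target. The following is an added example, not curl's code, that models the general rule a redirect-following client should apply: credentials for each hop come only from that hop's own .netrc entry, and a password used on one host is never reused to complete an incomplete entry for a different host. The .netrc text, host names and the `inherit_password` switch are constructed for illustration; the exact trigger condition in curl is as described in the advisory, not reproduced here.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Creds = Tuple[str, Optional[str]]  # (login, password or None when the entry has none)


def parse_netrc(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .netrc parser: 'machine' entries with login/password (no default, no macdef)."""
    entries: Dict[str, Dict[str, str]] = {}
    tokens = text.split()
    current: Optional[Dict[str, str]] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine" and i + 1 < len(tokens):
            current = entries.setdefault(tokens[i + 1], {})
            i += 2
        elif tok in ("login", "password") and current is not None and i + 1 < len(tokens):
            current[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return entries


def credentials_for(netrc: Dict[str, Dict[str, str]], url: str) -> Optional[Creds]:
    """Look up the entry for the host of `url` only; other hosts' entries are irrelevant."""
    host = urlsplit(url).hostname or ""
    entry = netrc.get(host)
    if not entry or "login" not in entry:
        return None
    return (entry["login"], entry.get("password"))


def follow_redirects(netrc: Dict[str, Dict[str, str]], hops: List[str],
                     inherit_password: bool) -> List[Tuple[str, Optional[Creds]]]:
    """Return (host, credentials) that a client would send on each hop of a redirect chain.

    inherit_password=True reproduces the leaky behaviour: an entry for the redirect
    target that has a login but no password is "completed" with the password used on
    the previous host.  inherit_password=False is the safe rule: an incomplete entry
    yields no credentials at all, so nothing from the original host ever crosses over.
    """
    sent: List[Tuple[str, Optional[Creds]]] = []
    last_password: Optional[str] = None  # password actually sent on the previous hop
    for url in hops:
        host = urlsplit(url).hostname or ""
        creds = credentials_for(netrc, url)
        if creds is not None and creds[1] is None:
            if inherit_password and last_password is not None:
                creds = (creds[0], last_password)  # LEAKY: different host, same password
            else:
                creds = None  # FIXED: no complete entry for this host, send nothing
        sent.append((host, creds))
        if creds is not None:
            last_password = creds[1]
    return sent


# Constructed sample: a complete entry for the first host, a login-only entry for the target.
SAMPLE_NETRC = (
    "machine origin.example login alice password s3cret\n"
    "machine evil.example login alice\n"
)

if __name__ == "__main__":
    chain = ["https://origin.example/login", "https://evil.example/landing"]
    print("leaky:", follow_redirects(parse_netrc(SAMPLE_NETRC), chain, inherit_password=True))
    print("fixed:", follow_redirects(parse_netrc(SAMPLE_NETRC), chain, inherit_password=False))
```

With the leaky rule the second hop receives alice's password for origin.example; with the safe rule it receives nothing, which is the property to assert in a regression test for any client that combines stored credentials with redirect following.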
Liberapay: Password Reset Token Leak Via Referrer
Vulnerability description not provided...
U.S. Dept Of Defense: Reflected xss on https://█████████
The website was vulnerable to a reflected XSS attack due to a flaw in the check that verifies the validity of the redirect URL. Attackers could exploit this vulnerability to execute malicious scripts on the victim's browser, leading to potential account takeover, phishing, and other malicious...
IBM: Subdomain Takeover Affecting at vex.weather.com
Vulnerability description not provided...
Internet Bug Bounty: JWT audience claim is not verified
An improper authorization vulnerability existed in all versions of Argo CD starting with v1.8.2, allowing the API to accept certain invalid tokens due to the lack of validation of the audience claim in signed tokens. This could allow an attacker to use a stolen token intended for a different...
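The Argo CD entry above hinges on one check: a signature from the trusted issuer is necessary but not sufficient, the token must also name the receiving service in its `aud` claim. The following is an added example, not Argo CD's code, using only the Python standard library. It assumes a single issuer signing HS256 tokens for several services with one shared key (the situation in which a token stolen from service A verifies at service B); `verify_without_aud` is the vulnerable pattern and `verify_for_audience` the hardened one. `aud` may be a string or a list per RFC 7519 section 4.1.3, and both forms are handled.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT (hypothetical issuer that uses one key for every audience)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def _decode_checked(token: str, key: bytes, now: float) -> dict:
    """Checks common to both verifiers: pinned alg, signature, expiry."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def verify_without_aud(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """VULNERABLE pattern: any validly signed, unexpired token from the issuer is accepted."""
    return _decode_checked(token, key, time.time() if now is None else now)


def verify_for_audience(token: str, key: bytes, expected_aud: str,
                        now: Optional[float] = None) -> dict:
    """Hardened: the token must list this service in `aud` (string or list)."""
    claims = _decode_checked(token, key, time.time() if now is None else now)
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("missing aud claim")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError(f"token audience {audiences!r} does not include {expected_aud!r}")
    return claims


if __name__ == "__main__":
    key = b"shared-issuer-key"  # constructed; a real deployment uses per-issuer key material
    stolen = mint_hs256({"sub": "alice", "aud": "other-service", "exp": 4102444800}, key)
    print("without aud check:", verify_without_aud(stolen, key)["sub"])
    try:
        verify_for_audience(stolen, key, "argocd")
    except ValueError as err:
        print("with aud check:", err)
```

The same token is accepted by the first verifier and rejected by the second; the only difference is the audience comparison, which is exactly the check the advisory says was missing.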
Acronis: IDOR vulnerability (Price manipulation)
Target: acronis.cz Steps to Reproduce: 1. Go to acronis.cz 2. Buy any product; in this case I am going to buy this https://www.acronis.cz/produkt/acronis-cyber-protect-home-office/ for the test 3. Fill in the details 4. Go to Burp Suite and turn on intercept 5. Click on buy now 6. Check the request in intercept and change pri...
UPchieve: Business logic error
Hi UPCHIEVE SECURITY TEAM, I'm Anto. Vulnerability: Business logic error. There is no password verification while changing a password. Steps to Reproduce: 1. Go to https://hackers.upchieve.org/resetpassword. 2. Click the change password. 3. If your old password was e.g. hacker and in the new password...
Acronis: No Rate Limit On Forgot Password Page
Summary A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: To...
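The entry above describes the mechanism in general terms. The following is an added example, not Acronis's code, of a sliding-window limiter applied to a forgot-password handler. It limits on two keys at once, the client IP and the normalised account address, so that neither a single source spamming many victims nor a distributed attack on one account gets through, and it returns the same generic 200 body whether or not the address exists. The limits, window lengths and the `ForgotPasswordEndpoint` class are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """Record the event and return True, or return False without recording if over limit."""
        now = time.monotonic() if now is None else now
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ForgotPasswordEndpoint:
    """Hypothetical reset-request handler: per-IP and per-account throttling, uniform reply."""

    def __init__(self) -> None:
        self.per_ip = SlidingWindowLimiter(limit=5, window=60)          # assumed: 5 per minute per IP
        self.per_account = SlidingWindowLimiter(limit=3, window=15 * 60)  # assumed: 3 per 15 min per account
        self.sent: List[str] = []  # stand-in for the mail queue

    def handle(self, email: str, client_ip: str, now: Optional[float] = None) -> Tuple[int, str]:
        account = email.strip().lower()  # normalise so Victim@Example.com and victim@example.com share a bucket
        if not self.per_ip.allow(client_ip, now):
            return 429, "Too many requests, try again later"
        if not self.per_account.allow(account, now):
            return 429, "Too many requests, try again later"
        self.sent.append(account)
        # Same body whether or not the account exists, so the endpoint cannot be used for enumeration.
        return 200, "If that address exists, a reset link has been sent"


if __name__ == "__main__":
    ep = ForgotPasswordEndpoint()
    for i in range(6):
        print(ep.handle("victim@example.com", "198.51.100.9", now=1000 + i))
```

Checking the IP bucket first means a rejected source does not consume the victim's account quota, and the account bucket keyed on the normalised address stops the case-variant trick of requesting one reset per spelling.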
Clario: rXSS on https://mackeeperapp.mackeeper.com/landings/download-blue/
Summary: Found XSS on https://mackeeperapp.mackeeper.com/landings/download-blue/ PoC https://mackeeperapp.mackeeper.com/landings/download-blue/?affid=b450fb80-0136-11eb-a01d-50cf6001b201-zzb&epayId=;alertdocument.domain;//&guid=xxx Impact An attacker can run any malicious JavaScript code on a...
Revive Adserver: Reflected XSS on /admin/userlog-index.php
I found a reflected XSS attack on /admin/userlog-index.php. Revive-Adserver version is revive-adserver-5.1.0. - Go to...
Dropcontact: Unrestricted File Upload on https://app.dropcontact.io/app/upload/
Hi team, I found Unrestricted File Upload Vulnerabilities on https://app.dropcontact.io/app/upload/. Steps To Reproduce: 1. Create an account in https://app.dropcontact.io/app/ 2. Go to https://app.dropcontact.io/app/upload/ 3. Try to upload an HTML file; you will see the message only: .csv, .txt, .xl...
Kubernetes: Fake email from <any_name>@kubernetes.io to any other email
Hi, I just found an issue: No Valid SPF Records in your mail server @kubernetes.io Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email...
Mail.ru: Improper Restriction of Excessive Authentication Attempts at https://mirror.w1.dwar.ru/login.php
Password at dwar.ru was not sufficiently protected against bruteforce...
h1-ctf: [h1-2006 2020] Writeup h12006 CTF
^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Impact...
Open-Xchange: Null pointer dereference in call to `mail_get_flags`
Run the test suite on the following input: require "vnd.dovecot.testsuite"; require "fileinto"; require "imap4flags"; require "mailbox"; testset "message" text: Subject: Test message. Test message. . ; test "Flag changes between stores" fileinto :create "FolderA"; if not testresultexecute testfail "failed...
h1-ctf: [H1-2006 2020] "Swiss Cheese" design style leads to helping Mårten Mickos pay poor hackers
Summary: Several vulnerabilities in the bountypay application lead to unauthorised access, information disclosure, SSRF and other fun stuff. Steps To Reproduce: This is how I helped Mårten Mickos pay the poor hackers who had been waiting so long for their bounties. First part: Web I started by...
h1-ctf: [H1-2006 2020] Multiple vulnerabilities lead to CEO account takeover and paid bounties
Summary: 1. A publicly accessible logfile discloses a user's credentials 2. Weak 2FA implementation allows user account takeover 3. Path injection in user's cookie allows SSRF, bypassing the IP restriction to list available builds on https://software.bountypay.h1ctf.com/ 4. API token leak in...
Node.js: Node.js: TLS session reuse can lead to hostname verification bypass
The Node.js TLS library supports client side reuse of TLS sessions when multiple connections to the same server are opened. Code that wants to use this feature can listen for the 'session' event https://nodejs.org/api/tls.htmltlseventsession on a tls.TLSSocket to get notified of newly created TLS...
GitLab: Email notification about login email changed is not received when using verified linked email address
Summary In https://gitlab.com/profile, a user can update the email ID used to log in to the GitLab account using the field "Email". Usually, when this login email ID is updated, there will be 2 emails sent to the previous email ID with the following subjects. Email 1 - Email Changed: This tells that the login email has been...
Razer: AWS subdomain Takeover at estore.razersynapse.com
The tester discovered the razersynapse.com domain was vulnerable to a subdomain takeover. Although this is out of scope of our program, we appreciate the tester bringing this to our attention...
New Relic: [Bypass] Code injection to open redirect in https://insights.newrelic.com/accounts/2521182/dashboards/1026927
INTRODUCES: Overcoming the mechanism controlling URL insertion, redirecting users to fake pages STEPS: Payload: Add a dashboard note and insert malicious code. Code : Click link to view note detail : Impact Redirecting users to malicious pages, stealing user information such as fake scripts and user...
Zomato: [www.zomato.com] Blind XSS on one of the Admin Dashboard
Thanks for the report @pandaaaa. The Blind XSS fired when the order details were viewed by the admin at the back-end, The script was injected through an API endpoint from the Zomato app on one of the parameters which was recently introduced to provide special instructions to the restaurant on how...
Razer: Race Condition in Oauth 2.0 flow can lead to malicious applications create multiple valid sessions
The tester discovered a flaw in the Razer ID authentication system that could allow multiple access tokens. This was a minor issue but could theoretically have led to extended access due to unexpired tokens. Razer thanks the tester for their diligence. Here is a write-up for similar bug:...
Starbucks: Information Exposure Through an Error Message at news.starbucks.com
I've discovered Information Exposure Through an Error Message on your system POC link: https://news.starbucks.com/cms/index.php?/cp/login/forgottenpasswordform=http://evil.com/?id=test-test Vulnerable url --...
PayPal: [PayPal Android] Remote theft of user session using push_notification_webview deeplink
A deeplink feature built into the PayPal Android application failed to validate the requested endpoint. A specifically crafted request from a website or separate app on the device could call the deeplink and direct traffic to any destination. While the impact was limited by compensating controls,...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
SUMMARY: ==================== This report describes a vulnerability similar to that described in my other reports 329376, 329397, 329399. The DoD https://████/psc/EXPROD/ Web System uses the Oracle PeopleSoft platform, which is vulnerable to Remote Code Execution RCE and Denial of Service Attacks D...
GitLab: Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook
The secret token field of a webhook is vulnerable to a new line injection, allowing an attacker to inject non-HTTP commands in a TCP stream. When a GitLab instance is configured with an external Redis instance, e.g. on 127.0.0.1:6379, it may result in arbitrary code execution on a Sidekiq worker ...
GSA Bounty: Server Side Misconfiguration (EMAIL SPOOFING)
Hi team, Bug Type: Server Security Misconfiguration, Mail Server Misconfiguration, Missing SPF on Email Domain Weakness: Improper Authentication Description: I observed this when I sent an email from [email protected] through http://emkei.cz/ to email [email protected] and afte...
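Both the Kubernetes and the GSA entries above report a domain with no usable SPF record. What a receiving server actually does with SPF is evaluate the record for the connecting IP, and a missing or permissive record is what lets a forged envelope sender through. The following is an added example, not code from either program, implementing the offline subset of RFC 7208 evaluation (the `ip4`, `ip6` and `all` mechanisms with their qualifiers). Mechanisms that need DNS (`include`, `a`, `mx`, `exists`, `redirect=`) are out of scope and raise. The records and addresses are constructed documentation-range values.

```python
import ipaddress
from typing import Optional

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: Optional[str], sender_ip: str) -> str:
    """Return the SPF result for `sender_ip` against a TXT `record` (offline subset of RFC 7208).

    `record` is None when the domain publishes no SPF record at all; that yields "none",
    which means a receiver has no basis to reject a forged MAIL FROM for the domain.
    """
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # "ip4:198.51.100.7" becomes a /32
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include:, a, mx, exists:, redirect= require DNS lookups; not modelled offline.
        raise NotImplementedError(f"mechanism {name!r} requires DNS resolution")
    return "neutral"  # RFC 7208 section 4.7: nothing matched and no "all" term


def spoofing_risk(record: Optional[str], forged_sender_ip: str) -> bool:
    """True when a message from an arbitrary IP would not be rejected outright ("fail")."""
    return evaluate_spf(record, forged_sender_ip) != "fail"


if __name__ == "__main__":
    # Constructed records for a hypothetical domain; 198.51.100.7 is its real outbound relay.
    for rec in (None, "v=spf1 ip4:198.51.100.7 ?all", "v=spf1 ip4:198.51.100.7 ~all", "v=spf1 ip4:198.51.100.7 -all"):
        print(repr(rec), "->", evaluate_spf(rec, "203.0.113.5"), "spoofable:", spoofing_risk(rec, "203.0.113.5"))
```

Only `-all` produces "fail" for an unlisted sender; "none", "neutral" and "softfail" all leave the decision to the receiver's DMARC policy, which is why a report of a missing SPF record is really a report that the domain's DMARC enforcement has nothing to stand on.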
X (Formerly Twitter): XXE on sms-be-vip.twitter.com in SXMP Processor
Hi team, What type of issue are you reporting? Does it align to a CWE or OWASP issue? I've identified an XXE vulnerability in the cloudhopper sxmp servlet on sms-be-vip.twitter.com which discloses local files to an external attacker and allows web requests to be sent. This aligns to...
Udemy: sweet32
Hello, I have found a new attack against the 3DES-CBC cipher in TLS, where they can decrypt customer data using a method called the SWEET32 Birthday Attack. This vulnerability has CVE-2016-2183 and a CVSS score of 5.0. In the attachment you will see a screenshot of the vulnerability confirmation by nmap script. Mitigation for SWEET3...
Nextcloud: HTTP-Basic Authentication on logs.nextcloud.com
Greetings, While visiting https://logs.nextcloud.com/, I noticed that this server uses HTTP Basic Authentication. F152730 POC : ------ GET https://logs.nextcloud.com/ HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:50.0) Gecko/20100101 Firefox/50.0 Accept:...
Internet Bug Bounty: Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
I'm retroactively submitting CVE-2016-0704, a.k.a. "Leaky Export", which is a Bleichenbacher-style bug that leads to another variant of the Special DROWN attack. I'm submitting on behalf of myself and J. Alex Halderman, as we independently found this bug. This was validated by OpenSSL as...
Zendesk: Chat History CSV Export Excel Injection Vulnerability
I have found a vulnerability in the Chat History export function. If an attacker submits a special name containing a system command when chatting with an agent and that agent later exports the history of that chat to CSV, the resulting CSV may execute commands when opened. I have tested this usin...
Shopify: customers password hash leak!!!!
An endpoint in the Draft Order feature would return a serialized version of the Customer that contained the account password hashed and salted as well as the last password reset token when available...
Shopify: Lack of SSL Pinning on POS Application ( iOS )
Description Given that this is a POS application and handles CHD, cryptographic security is of the utmost importance. Applications such as Square, Amazon's POS, etc. have already implemented this. The iOS application is correctly checking for SSL certs using the OS keychain, but due to the lack of checki...
curl: CVE-2023-38546: cookie injection with none file
Vulnerability description not provided...
Internet Bug Bounty: CVE-2023-40195: Apache Airflow Spark Provider Deserialization Vulnerability RCE
Apache Airflow Spark Provider before 4.1.3 was affected by a deserialization vulnerability that allowed remote code execution RCE. Attackers could exploit this vulnerability by configuring a malicious Spark server address through the Airflow UI, which would then manipulate the PySpark clients...
Node.js: Weak randomness in WebCrypto keygen
https://github.com/nodejs/node/pull/35093 introduced a call to EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1. It does not check the return value, it assumes EntropySource always succeeds, but it can and sometimes will fail. 2. The...
Yelp: installed.json sensitive file was publicly accessible on your web application which discloses information about authors and admins
Kindly, if you don't accept this issue please close it as informative; thanks in advance. Description: The installed.json file is a sensitive file and it was publicly accessible on your webserver, which discloses some information about your web site and users, such as authors like admin as shown...
Phabricator: Possible to make restricted files public on Phabricator via Diffusion
Files on Phabricator are always viewable to a user if they are attached to an object that they can view. It seems Phabricator does check if you can view a file before allowing you to attach it. If you don't have access to the file, it will just look like this F99999999999 in plaintext. It seems...
Kaspersky: No Rate Limit On Forgot Password Page
Reported security issue allowed a potential attacker to abuse the password recovery option on our My Kaspersky portal for mass sending of password recovery messages. This was fixed with a password reset throttling feature to protect our service from its abuse by third parties. Note that this...
GitLab: Stored DOM XSS via Mermaid chart
Prologue GitLab supports Mermaid as part of GFM to allow users to generate diagrams and flowcharts from text. In version 8.6.0, Mermaid added support for directives to add more control over styles/themes applied to the diagrams. You can read more about how this works here:...
FetLife: Stored XSS via `Create a Fetish` section.
The reporter pointed out that the fetish field for creating new fetishes on FetLife was vulnerable to a stored XSS exploit, after creating a fetish for which this exploit was used the contents would execute whenever people added the fetish to their profile and attempted to edit the fetish through...
Stripo Inc: Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo
Summary: Can you imagine discovering an API key disclosure vulnerability in a disclosed API key disclosure report? The same thing is what I came across while going through the disclosed reports at Stripo Inc. Plus, the disclosed API key isn't even revoked, and therefore I am still able to use the...
Shopify: XSS stored in the Shopify Email app
Steps: 1. Install the Shopify Email app F1076928 2. Click General under Settings 3. Change the phone number to 1234567" F1076939 4. Open the Shopify Email app and create an email 5. Show phone number F1076940 6. Watch the video PoC for more information Impact: stored XSS...
GitHub Security Lab: Java : add MongoDB injection sinks
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: Reflected XSS on ███████
Summary: Reflected Cross-site Scripting XSS on████leaving.html?url=%22%3E%3Cscript%3Ealertdocument.domain%3C/script%3E Steps To Reproduce: 1. Navigate to███leaving.html?url= 2. Enter a crafted XSS payload like "alert"xss by nagli" 3. Alert will pop:- █████████ How can the system be exploited wit...
BugPoC: DOM based Cross-site Scripting
Summary: The postMessage API is an alternative to JSONP, XHR with CORS headers and other methods enabling sending data between origins. It was introduced with HTML5 and like many other cross-document features it can be a source of client-side vulnerabilities. Steps To Reproduce: Visit -...