15371 matches found
Nextcloud: Expired SSL certificate
I would like to inform you that the SSL certificate for www.nextcloud.org is expired at: 24. August 2016 15:03 Thanks...
Uber: Compromising Atlassian Confluence (team.uberinternal.com) via WordPress (newsroom.uber.com)
This issue has some relevance to most of my previous submissions so I thought it's clearer if I open a new ticket about it. I understood you've intended the various .uber.com WordPress sites to be isolated so that compromising them wouldn't impact Uber's internal network or user data. This has be...
Uber: Enumerating userIDs with phone numbers
Fyi, this is my second account since the other one r0t is limited to 4 reports and they are all in triage. So about this issue, when a user is on a trip and invites other users to split the fare, the server responds with info about his number, like: Name, UserID and his picture, and info about th...
Bumble: Password modification without knowing actual password & httpOnly bypass
Two issues: Session cookie is returned in HTML source code of /encounters page, which would allow an XSS attacker to steal it, even if httpOnly is activated. A secret value, present in HTML source code of some api.phtml pages, can be used to modify user's password without knowing actual one...
Shopify: File name and folder enumeration.
Hello, An attacker can enumerate your sensitive files and folder such as configuration files name via the timezone parameter in cube.csv: GET...
Gratipay: The POODLE attack (SSLv3 supported) for https://grtp.co/
Websites that support SSLv3 and CBC-mode ciphers are potentially vulnerable to an active MITM Man-in-the-middle attack. This attack, called POODLE, is similar to the BEAST attack and also allows a network attacker to extract the plaintext of targeted parts of an SSL connection, usually cookie dat...
Zaption: Open redirect filter bypass
Hi , An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. its possible to bypass your redirect filter using :...
Mobile Vikings: Insecure crossdomain.xml
Hi, https://mobilevikings.be/crossdomain.xml contains the following xml file: This will make any one able to receive content from https://mobilevikings.be/. More information about this issue is available here: http://gursevkalra.blogspot.nl/2013/08/bypassing-same-origin-policy-with-flash.html Bes...
curl: CVE-2023-38546: cookie injection with none file
Vulnerability description not provided...
Internet Bug Bounty: CVE-2023-40195: Apache Airflow Spark Provider Deserialization Vulnerability RCE
Apache Airflow Spark Provider before 4.1.3 was affected by a deserialization vulnerability that allowed remote code execution RCE. Attackers could exploit this vulnerability by configuring a malicious Spark server address through the Airflow UI, which would then manipulate the PySpark clients...
inDrive: XSS on terra-6.indriverapp.com
A Cross-Site Scripting XSS vulnerability was discovered on the terra-6.indriverapp.com domain that allowed javascript code execution in users' browsers...
Internet Bug Bounty: JWT audience claim is not verified
An improper authorization vulnerability existed in all versions of Argo CD starting with v1.8.2, allowing the API to accept certain invalid tokens due to the lack of validation of the audience claim in signed tokens. This could allow an attacker to use a stolen token intended for a different...
Acronis: IDOR vulnerability (Price manipulation)
Target: acronis.cz Step to Reproduce 1.Go to acronis.cz 2.buy any product in this case i am going to buy this https://www.acronis.cz/produkt/acronis-cyber-protect-home-office/ for test 3.fill up details 4.go to burpsuite turn on intercept 5.click on buy now 6.check request in intercept change pri...
Ian Dunn: Multiple server ssh usernames leaked in your github repository
hi security team,while searching on github,I have found multiple ssh usernames that belongs to your organization are exposed in the organization github repository STEPS TO REPRODUCE:- 1.Go to this repository. you will see the leaked multiple server ssh usernames...
Clario: rXSS on https://mackeeperapp.mackeeper.com/landings/download-blue/
Summary: Founded XSS on https://mackeeperapp.mackeeper.com/landings/download-blue/ PoC https://mackeeperapp.mackeeper.com/landings/download-blue/?affid=b450fb80-0136-11eb-a01d-50cf6001b201-zzb&epayId=;alertdocument.domain;//&guid=xxx Impact An attacker can run any malicious javascript code on a...
GitLab: Stored DOM XSS via Mermaid chart
Prologue Gitlab supports Mermaid as part of GFM to allow users to generate diagrams and flowcharts from text. In version 8.6.0, Mermaid added a support of directives to add more control over stylesthemes applied to the diagrams. You can read more about how this works here:...
FetLife: Stored XSS via `Create a Fetish` section.
The reporter pointed out that the fetish field for creating new fetishes on FetLife was vulnerable to a stored XSS exploit, after creating a fetish for which this exploit was used the contents would execute whenever people added the fetish to their profile and attempted to edit the fetish through...
Revive Adserver: Reflected XSS on /admin/userlog-index.php
I found a reflected XSS attack on /admin/userlog-index.php. Revive-Adserver version is revive-adserver-5.1.0. - Go to...
CS Money: Able to upload backgrounds before entering 2FA
Summary: Hi Team, I am able to see and use uploaded backgrounds and able to upload new ones without proper authentication of 2FA. I hope you remember this report 993786. Steps To Reproduce: 1. Login with a steam account and enable 2FA. 1. Now logout your account. Clear all the cookies. 1. Now aga...
GitHub Security Lab: Java : add fastjson detection. Improve RemoteFlowSource class, support SpringMvc
This bug was reported directly to GitHub Security Lab...
Shopify: XSS stored in the Shopify Email app
step: 1、install app Shopify Email F1076928 2、Click General under Settings 3、Change phone number to 1234567" F1076939 4、Open shopify email app and create an email 5、Show phone number F1076940 6、watch the vedio poc for more information Impact store xss...
CS Money: Bypass restrict of member subscription to use custom background in https://3d.cs.money without prime subscription
Summary: In website https://3d.cs.money you need to subscribe prime to have a custom background for skin F999661 But with this vulnerability, we can use custom background without any fee required Steps To Reproduce: add details for how we can reproduce the issue - Grab a build of skin - Save it...
Stripo Inc: weak password poilicy in signup password leak to account takeover
Summary: add summary of the vulnerability i create account with weak password Steps To Reproduce: add details for how we can reproduce the issue 1.i create account with weak password qwerty123 2- account create done without validation 3- it should have protected users from attack and have policy...
GitHub Security Lab: Java : add MongoDB injection sinks
This bug was reported directly to GitHub Security Lab...
Dropcontact: Unrestricted File Upload on https://app.dropcontact.io/app/upload/
hi team, I found Unrestricted File Upload Vulnerabilities on https://app.dropcontact.io/app/upload/. Steps To Reproduce: 1. Create an account in https://app.dropcontact.io/app/ 1. go to https://app.dropcontact.io/app/upload/ 1. try to upload html file , you will see message only : .csv, .txt, .xl...
Kubernetes: Fake email from <any_name>@kubernetes.io to any other email
Hi, I just found an issue No Valid SPF Records in your mail server @kubernetes.io Desciprition : There is a email spoofing vulnerability.Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email...
Open-Xchange: Null pointer deference in call to `mail_get_flags`
run test suite on following input require "vnd.dovecot.testsuite"; require "fileinto"; require "imap4flags"; require "mailbox"; testset "message" text: Subject: Test message. Test message. . ; test "Flag changes between stores" fileinto :create "FolderA"; if not testresultexecute testfail "failed...
h1-ctf: [H1-2006 2020] "Swiss Cheese" design style leads to helping Mårten Mickos pay poor hackers
Summary: Several vulnerabilities in the bountypay application leads to unauthorised access, information disclosure, SSRF and other fun stuff. Steps To Reproduce: This is how I helped Mårten Mickos pay the poor hackers who had been waiting so long for their bounties. First part: Web I started by...
h1-ctf: [H1-2006 2020] Multiple vulnerabilities lead to CEO account takeover and paid bounties
Summary: 1. A publicly accessible logfile discloses a user's credentials 2. Weak 2FA implementation allows user account takeover 3. Path injection in user's cookie allows SSRF, bypassing the IP restriction to list available builds on https://software.bountypay.h1ctf.com/ 4. API token leak in...
Node.js: Node.js: TLS session reuse can lead to hostname verification bypass
The Node.js TLS library supports client side reuse of TLS sessions when multiple connections to the same server are opened. Code that wants to use this feature can listen for the 'session' event https://nodejs.org/api/tls.htmltlseventsession on a tls.TLSSocket to get notified of newly created TLS...
GitLab: Email notification about login email changed is not received when using verified linked email address
Summary In https://gitlab.com/profile, user can update the email id to use for login to gitlab account using field "Email". Usually, when this login email id is updated, there will be 2 email sent on previous email Id with subjects as. Email 1 - Email Changed:- This tell that login email has been...
New Relic: [Bypass] Code injection to open redirect in https://insights.newrelic.com/accounts/2521182/dashboards/1026927
INTRODUCES: Overcoming mechanism of controlling url insertion, redirecting users to fake pages STEPS: Payload: Add dashboard note and insert code malicious. Code : Click link to view note detail : Impact Redirecting users to malicious pages, stealing user information such as fake scripts and user...
Razer: Race Condition in Oauth 2.0 flow can lead to malicious applications create multiple valid sessions
The tester discovered a flaw in the Razer ID authentication system that could allow multiple access tokens. This was a minor issue but could theoretically have led to extended access due to unexpired tokens. Razer thanks the tester for their diligence. Here is a write-up for similar bug:...
OLX: SQL Injection on https://www.olx.co.id
I found the SQL Injection on the website https://www.olx.co.id Affectected URL : https://www.olx.co.id/ajax/buybundle/getbundle/ POC: 1 In this below request i got SQL injection vulnerability in location parameter post method POST /ajax/buybundle/getbundle/ HTTP/1.1 Host: www.olx.co.id User-Agent...
Starbucks: Information Exposure Through an Error Message at news.starbucks.com
I've discovered Information Exposure Through an Error Message on your system POC link: https://news.starbucks.com/cms/index.php?/cp/login/forgottenpasswordform=http://evil.com/?id=test-test Vulnerable url --...
PayPal: [PayPal Android] Remote theft of user session using push_notification_webview deeplink
A deeplink feature built into the PayPal Android application failed to validate the requested endpoint. A specifically crafted request from a website or separate app on the device could call the deeplink and direct traffic to any destination. While the impact was limited by compensating controls,...
Node.js third-party modules: Samlify is vulnerable to signature wrapping
I would like to report a signature wrapping weakness in samlify It allows an attacker to modify a SAML token received from the IdP before validating it with the service provider Module module name: samlify version: 2.3.7 npm page: https://www.npmjs.com/package/samlify Module Description Highly...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
SUMMARY: ==================== This report describes a vulnerability similar to that described in my other reports 329376, 329397, 329399 The DoD https://████/psc/EXPROD/ Web System uses the Oracle PeopleSoft platform which is vulnerable to Remote Code Execution RCE and Denial of Service Attacks D...
GitLab: Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook
The secret token field of a webhook is vulnerable to a new line injection, allowing an attacker to inject non-HTTP commands in a TCP stream. When a GitLab instance is configured with an external Redis instance, e.g. on 127.0.0.1:6379, it may result in arbitrary code execution on a Sidekiq worker ...
Uber: Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains
When creating new tags on Tealium, the application did not check that the user creating the tag had authorized as the same account they were creating a tag for. It was possible for an attacker to inject arbitrary content into a web page using the utag.js tag. Depending on how the victim implement...
X (Formerly Twitter): XXE on sms-be-vip.twitter.com in SXMP Processor
Hi team, What type of issue are you reporting? Does it align to a CWE or OWASP issue? I've identified an XXE vulnerability in the cloudhopper sxmp servlet on sms-be-vip.twitter.com which discloses local files to an external attacker and allows web requests to be sent. This aligns to...
Nextcloud: HTTP-Basic Authentication on logs.nextcloud.com
Greetings, While visiting https://logs.nextcloud.com/ , I noticed that this server use HTTP-Basic Authentication. F152730 POC : ------ GET https://logs.nextcloud.com/ HTTP/1.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.11; rv:50.0 Gecko/20100101 Firefox/50.0 Accept:...
Internet Bug Bounty: Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
I'm retroactively submitting CVE-2016-0704, a.k.a. "Leaky Export", which is a Bleichenbacher-style bug that leads to another variant of the Special DROWN attack. I'm submitting on behalf of myself and J. Alex Halderman, as we independently found this bug. This was validated by OpenSSL as...
Zendesk: Chat History CSV Export Excel Injection Vulnerability
I have found a vulnerability in the Chat History export function. If an attacker submits a special name containing a system command when chatting with an agent and that agent later exports the history of that chat to CSV, the resulting CSV may execute commands when opened. I have tested this usin...
Shopify: customers password hash leak!!!!
An endpoint in the Draft Order feature would return a serialized version of the Customer that contained the account password hashed and salted as well as the last password reset token when available...
ok.ru: http://217.20.144.201 privilege escalation in apache tomcat SessionEample-script
Tomcat Servlet Examples application was accessible at wmf.ok.ru which leaved ok.ru vulnerable to cookie manipulation http://lab.onsec.ru/2013/03/tomcat-servlet-examples-threats.html and whatever else vulnerability Servlet Examples might contain...
Internet Bug Bounty: Null pointer dereference in phar_get_fp_offset()
https://bugs.php.net/bug.php?id=69720...
Shopify: Lack of SSL Pinning on POS Application ( iOS )
Description Given that this is a POS application and handle CHD, cryptographic security is of most importance. Applications such as Square, Amazons POS, etc. have already implemented this. The iOS application is correctly checking for SSL certs using the os keychain, but due to the lack of checki...
curl: CVE-2024-11053: netrc + redirect credential leak
CVE-2024-11053 was a logic flaw in Curl that resulted in a credential leak during redirects. The issue was caused by the way Curl processed netrc credentials when performing redirects. Under certain conditions, the redirect passed along credentials specified for the original host to the redirecti...
U.S. Dept Of Defense: Information Disclosure FrontPage Configuration Information
An information disclosure vulnerability was discovered in the Microsoft FrontPage configuration of a subdomain. This vulnerability allowed an attacker to view the version number and scripting paths of Sharepoint using Firefox...