Razer: AWS subdomain Takeover at estore.razersynapse.com
The tester discovered the razersynapse.com domain was vulnerable to a subdomain takeover. Although this is out of scope of our program, we appreciate the tester bringing this to our attention...
HackerOne: HTTP Parameter Pollution using semicolons in iframe element at hackerone.com/careers allows loading external Greenhouse forms
Summary: I noticed that HackerOne career pages load their application forms from Greenhouse.io via an iframe. The ghjid parameter value is taken into the iframe element for the token parameter in the iframe URL boards.greenhouse.io. Any HTML characters are escaped in order to avoid XSS and possib...
Nextcloud: IDOR - Disable sharing
Description: Users who are shared files or folders can disable this sharing. Detail: use request: DELETE /nextcloud/ocs/v2.php/apps/files_sharing/api/v1/shares/share-id?format=json HTTP/1.1 Host: your-host User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47....
Uber: Multiple Vulnerabilities (Including SQLi) in love.uber.com
Hi, I noticed you are using a critically vulnerable version of WPML. By accessing http://love.uber.com/wp-content/plugins/sitepress-multilingual-cms/changelog.md, an attacker could find out that http://love.uber.com/ is running WPML version 3.1.8.4, which is vulnerable to: 1. SQL injection which gives ful...
Automattic: Stored XSS on app.crowdsignal.com your-subdomain.crowdsignal.net via Thank You Header
A stored XSS vulnerability was found on app.crowdsignal.com, allowing an attacker to execute arbitrary JavaScript code on the victim's browser. The vulnerability could be triggered by editing the Thank You Header with a malicious payload and could result in the compromise of sensitive user...
Node.js: Weak randomness in WebCrypto keygen
https://github.com/nodejs/node/pull/35093 introduced a call to EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/crypto_keygen.cc. There are two problems with this: 1. It does not check the return value; it assumes EntropySource always succeeds, but it can and sometimes will fail. 2. The...
Phabricator: Possible to make restricted files public on Phabricator via Diffusion
Files on Phabricator are always viewable to a user if they are attached to an object that they can view. It seems Phabricator does check if you can view a file before allowing you to attach it. If you don't have access to the file, it will just look like this: F99999999999 in plaintext. It seems...
U.S. Dept Of Defense: [CVE-2021-29156 on ForgeRock OpenAm] LDAP Injection in Webfinger Protocol!
Description: https://████████ is vulnerable to CVE-2021-29156. References https://nvd.nist.gov/vuln/detail/CVE-2021-29156 https://portswigger.net/research/hidden-oauth-attack-vectors...
Nextcloud: HEIC image preview can be used to invoke Imagick
The HEIC image preview provider calls into Imagick at https://github.com/nextcloud/server/blob/5d097ddb4b99673f57b8c085dedd93880ee2539d/lib/private/Preview/HEIC.php#L98-L109. This is bad as Imagick processes all kinds of image types. One can use this for example to exfiltrate arbitrary files by...
Kaspersky: No Rate Limit On Forgot Password Page
Reported security issue allowed a potential attacker to abuse the password recovery option on our My Kaspersky portal for mass sending of password recovery messages. This was fixed with a password reset throttling feature to protect our service from its abuse by third parties. Note that this...
Basecamp: Possible DOM XSS on app.hey.com
Summary: Hello Team, while testing it was observed that on https://app.hey.com/, in the Search box, there is a possibility of XSS. Although the payload is reflected in the DOM, the CSP blocks the execution of the script; the XSS can happen if the CSP is somehow bypassed. The Subject parameter is...
Topcoder: SVG file upload leads to XML injection
Summary: The Upload Avatar option allows the user to upload image/*, thus enabling the upload of many file formats including SVG files (MIME type: image/svg+xml). SVG files are XML-based 2D graphics files. Thus, this opens up an attack vector to upload specially crafted malicious SVG files. Th...
Monero: Monero wallet password change is confirmed when not matching
Summary: If you change your wallet password in the GUI, the confirmation does not need to match the new password. Releases Affected: list each version and OS of the application affected Steps To Reproduce: Open your wallet. Go to settings. Change...
Mail.ru: [API] ICQ user's avatar can be manipulated remotely
Description: When calling the API method for setting a user's avatar, https://ub.icq.net/files/api/v1.1/avatar/set, one can pass an additional GET parameter: targetSn, set to the UIN of any user. This way we can change the avatar of any user. Steps To Reproduce: 1...
New Relic: [Bypass] Code injection to open redirect in https://insights.newrelic.com/accounts/2521182/dashboards/1026927
Introduction: Bypassing the mechanism that controls URL insertion, redirecting users to fake pages. Steps: Payload: Add a dashboard note and insert malicious code. Code: Click the link to view the note detail: Impact: Redirecting users to malicious pages, stealing user information such as fake scripts and user...
Razer: Race Condition in Oauth 2.0 flow can lead to malicious applications create multiple valid sessions
The tester discovered a flaw in the Razer ID authentication system that could allow multiple access tokens. This was a minor issue but could theoretically have led to extended access due to unexpired tokens. Razer thanks the tester for their diligence. Here is a write-up for similar bug:...
HackerOne: Searching from Hacktivity returns hits for words in limited disclosure reports that are not visible
Summary: It appears I'm able to discover words used in limited-disclosure reports, which are not publicly visible, by using the search function available from the Hacktivity page. Description: Recently I was investigating a finding for another program which involved exploiting XSS ████. I wondered h...
PayPal: [PayPal Android] Remote theft of user session using push_notification_webview deeplink
A deeplink feature built into the PayPal Android application failed to validate the requested endpoint. A specifically crafted request from a website or separate app on the device could call the deeplink and direct traffic to any destination. While the impact was limited by compensating controls,...
GSA Bounty: Server Side Misconfiguration (EMAIL SPOOFING)
Hi team, Bug Type: Server Security Misconfiguration, Mail Server Misconfiguration, Missing SPF on Email Domain. Weakness: Improper Authentication. Description: I observed this when I sent an email from [email protected] through http://emkei.cz/ to the email [email protected] and afte...
Legal Robot: Lack of input validation in e-mail & user name, job title, company name field
Hi, during sign up, input validation wasn't deployed properly on the e-mail and name fields. I've tested inputting the following e-mail during sign up: hacker%@gmail.com. Your system sends a verification email for the account even though the e-mail address is invalid, as Gmail doesn't allow users to sign up using special...
X (Formerly Twitter): XXE on sms-be-vip.twitter.com in SXMP Processor
Hi team, What type of issue are you reporting? Does it align to a CWE or OWASP issue? I've identified an XXE vulnerability in the cloudhopper sxmp servlet on sms-be-vip.twitter.com which discloses local files to an external attacker and allows web requests to be sent. This aligns to...
Pornhub: I am because bug
I'm because I hacker found bug because I report this bug I want to report a bug and because want some $$$$ so please because you are telling me how much you pay money so I give you bug. Me because very poor :' want money because father :' F181917 Thank you wish you because pay lots $$$$$$$$...
Udemy: sweet32
Hello, I have found a new attack against the 3DES-CBC cipher in TLS, with which they can decrypt customer data using a method called the SWEET32 Birthday Attack. This vulnerability has been assigned CVE-2016-2183 and has a CVSS score of 5.0. In the attachment you will see a screenshot of the vuln confirmation by an nmap script. Mitigation for SWEET3...
Boozt Fashion AB: Application code is not obfuscated -- OWASP M9 (2016)
Description: The Boozt Android app is not obfuscated, which allows viewing the source code of the app. Impact: Attackers can steal the code and reuse it or sell it to create a new application, or create a malicious fake application based on the initial one. POC: Step 1: First, I did the basic reverse...
Zomato: Subdomain Takeover
Hello, your subdomain engineering.zomato.com is pointing to Tumblr.com. You should immediately remove the DNS entry for engineering.zomato.com that points to Tumblr.com. Anyone can claim that domain; please read the advisory below. Remediation: Please make sure you're always going through your...
Shopify: customers password hash leak!!!!
An endpoint in the Draft Order feature would return a serialized version of the Customer that contained the account password hashed and salted as well as the last password reset token when available...
Internet Bug Bounty: Null pointer dereference in phar_get_fp_offset()
https://bugs.php.net/bug.php?id=69720...
Shopify: Lack of SSL Pinning on POS Application ( iOS )
Description: Given that this is a POS application and handles CHD, cryptographic security is of utmost importance. Applications such as Square, Amazon's POS, etc. have already implemented this. The iOS application is correctly checking SSL certs using the OS keychain, but due to the lack of checki...
Internet Bug Bounty: mod_proxy_fcgi buffer overflow
This issue was reported directly to the Apache team. A buffer overflow was found in mod_proxy_fcgi. A malicious FastCGI server could send a carefully crafted response which could lead to a heap buffer overflow. http://httpd.apache.org/security/vulnerabilities_24.html 2.4.11-dev...
Internet Bug Bounty: Same Origin Security Bypass Vulnerability
This bug was reported directly to Adobe. http://helpx.adobe.com/security/products/flash-player/apsb14-08.html...
8x8: Credential leak on GitHub: https://github.com/█/█/ (Peoplesoft CRM)
Credentials for a database associated with Peoplesoft CRM were leaked on GitHub. The leak was reported and the repository containing the credentials was taken down. The credentials were associated with a database that is no longer in use...
U.S. Dept Of Defense: DoS at █████(CVE-2018-6389)
A vulnerability in WordPress allowed unauthenticated attackers to launch a denial of service attack by listing a large number of registered .js files from wp-includes/script-loader.php. The vulnerability was assigned CVE-2018-6389. Attackers could use this function to deplete server resources and...
Mars: Jolokia Reflected XSS
Summary: Salam, hi team, I hope you are well. After doing some recon on mars.com I saw that the website uses Jolokia 1.3.5, which is vulnerable to reflected XSS. Steps To Reproduce: 1. Vuln Link: https://couponsmanager-uat.b2b.mars.com/jolokia/read%3Csvg%20onload=alertdocument.cookie%3E?mimeType=text/htm...
Internet Bug Bounty: CVE-2022-27782: TLS and SSH connection too eager reuse
Summary: Curl fails to consider some security-related options when reusing TLS connections. For example: TLS: CURLOPT_SSL_OPTIONS CURLOPT_PROXY_SSL_OPTIONS CURLOPT_CRLFILE CURLOPT_PROXY_CRLFILE CURLOPT_TLSAUTH_TYPE CURLOPT_TLSAUTH_USERNAME CURLOPT_TLSAUTH_PASSWORD CURLOPT_PROXY_TLSAUTH_TYPE...
UPchieve: CLICKJACKING LEADS TO DEACTIVATE ACCOUNT
Hello UPchieve security team, I'm Anto. Vulnerability: Clickjacking in https://hackers.upchieve.org/profile. Steps to Reproduce: 1. Create an HTML file with the following code. Click the place where it shows Click 1, Click 2, Click 2. 2. Save and open it in your browser; the page will appear. Impact: An...
GitHub Security Lab: [Java]: CWE-665 Insecure environment during RMI/JMX Server initialisation - All for one bounty
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-326: Query to detect weak encryption with an insufficient key size
This bug was reported directly to GitHub Security Lab...
Kubernetes: XSS on kubernetes-csi.github.io (mdBook)
Report Submission Form Summary: Hi, I have recently found an XSS vulnerability in mdBook, CVE-2020-26297, fixed and disclosed on 4th January 2020. The details were published in a security advisory here: https://blog.rust-lang.org/2021/01/04/mdbook-security-advisory.html I did a quick recon and found ...
GitHub Security Lab: Java: Add SSRF query for Java
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: Path traversal on https://███ allows arbitrary file read (CVE-2020-3452)
Summary: According to Cisco: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targete...
Mail.ru: HTML/iframe/XSS injection on https://www.ucs.ru/online/shelter/settings/check/
Potential XSS via POST parameters in www.ucs.ru...
h1-ctf: [h1-2006 2020] Chained vulnerabilities lead to account takeover
Summary: Mårten Mickos lost his account for BountyPay, the new service HackerOne is using to pay bug bounties. In this report I explain how I accessed a customer's account using a log file and bypassed its 2FA validation. I then leveraged an open redirect bug to gain access to an internal server an...
HackerOne: Disclosure of the name of a program that has a private part with an external link
Summary: Hi team, @jobert, @bencode. Not so long ago, you added to the program panel an output of information about whether the program has the retest function. Also, this is reflected in the report by the attribute activeretestsubscription. It seems that it is reflected in published reports tha...
Stripo Inc: my.stripo.email email verification bypassed and also create email templates
Summary: According to Stripo.email, when a new user signs up, Stripo.email allows creating email templates after verification of the email of your Stripo account. Until your email gets verified you are not able to create email templates in your account. Users need to verify their email...
Kubernetes: Man in the middle using LoadBalancer or ExternalIPs services
I rated this vulnerability as high because trying to rate it with the CVSS v3.0 Calculator gives me 9.9, which seems way too high, as you do require the ability to create services in the K8S cluster. Summary: This report details 2 ways to man-in-the-middle traffic by: a) creating a LoadBalancer service a...
Stripo Inc: Redirection through referer tag
Summary: I replaced the referer value https://stripo.email/de/ with www.google.com and it worked, it redirected me to google.com Steps To Reproduce: 1. Open URL https://stripo.email/de/subscribe/ 2. Intercept with BurpSuite 3. Change the parameter value of referer and insert any domain you want i...
Razer: [razer-assets2] Listing of Amazon S3 Bucket accessible to any AWS cli
The tester determined that an S3 bucket had insecure permissions. No customer data was in danger, but there was the potential for some Razer product collateral to be prematurely leaked, so Razer secured this bucket out of caution. Full writeup over at...
Kartpay: bypass captcha in the form forgot password
Summary: In this issue I can bypass Captcha protection in the Forgot Password form. Browsers Verified In: Firefox. URL: https://affiliate.kartpay.com/ Vulnerable URL: https://affiliate.kartpay.com/forgotpassword Steps To Reproduce: 1. Enter your email in the forgot password parameter. 2. Complet...
Upserve : DOM Based XSS via postMessage at https://inventory.upserve.com/login/
Description DOM based XSS is possible at https://inventory.upserve.com/login/ due to insecure origin checking when receiving a postMessage. POC 1. Visit https://hq.upserve.com.████████/upservexss.html 2. Click link 3. View alert on https://inventory.upserve.com Vulnerable Code javascript...
h1-5411-CTF: h1-5411-CTF report: LFI / Deserialization / XXE vulnerability,
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: h1-5411-ctf write-up The CTF...