Udemy: Violation of secure design principle
A business process issue was reported as a security issue...
Internet Bug Bounty: OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service...
Boozt Fashion AB: Application code is not obfuscated -- OWASP M9 (2016)
Description: Boozt Android app is not obfuscated, which leads to viewing the source code of the app. Impact: Attackers can steal code and reuse it or sell it to create a new application, or create a malicious fake application based on the initial one. POC: Step 1: First, I did the basic reverse...
X (Formerly Twitter): Stealing User emails by clickjacking cards.twitter.com/xxx/xxx
Hello. In Twitter you can create cards to generate leads. For example: https://twitter.com/i/cards/tfw/v1/759046372544741376?cardname=promotion&autoplaydisabled=true&earned=true&lang=en&cardheight=357 If you visit the above URL and click the button, your email and username are sent to my domain. Sin...
Weblate: Testing flow includes a DeepSource secret
The testing workflow for the WeblateOrg/wlc repository included a DeepSource secret, which could have allowed a malicious actor to access parts of the repository and report artifacts to DeepSource. The recommended usage would have been to create a GitHub action environment secret and call it at...
Internet Bug Bounty: CVE-2023-27534: SFTP path ~ resolving discrepancy
A vulnerability was discovered in curl's SFTP implementation that allowed the tilde character to be used as a prefix in the first element of a path, resulting in the wrong path being accessed. This could be exploited to circumvent filtering or other security measures. The vulnerability was presen...
U.S. Dept Of Defense: DoS at [redacted] (CVE-2018-6389)
A vulnerability in WordPress allowed unauthenticated attackers to launch a denial of service attack by listing a large number of registered .js files from wp-includes/script-loader.php. The vulnerability was assigned CVE-2018-6389. Attackers could use this function to deplete server resources and...
GitLab: Stored-XSS in merge requests
Summary: As an attacker I could do XSS on Web.com because it is vulnerable. Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Steps to reproduce: 1. Go to https://gitlab.com/ 2...
Homebrew: clickjacking at brew.sh
Hello, while performing security testing of your website I have found the vulnerability called Clickjacking. The URL is in scope and vulnerable to Clickjacking. What is Clickjacking? Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a...
Revive Adserver: Reflected XSS on /admin/stats.php
I found a reflected XSS attack on /admin/stats.php. Revive-Adserver version is revive-adserver-5.1.0. - Go to...
Ruby on Rails: Server-side template injection at ujs test server
I have found in the server code for testing ujs in Rails that template injection is possible and that it leads to RCE. Code: https://github.com/rails/rails/blob/v6.0.3.2/actionview/test/ujs/server.rb (ruby) module UJS class Server Blade::Assets.environment get "/" = "testsindex" match "/echo" =...
Courier: Missing rate limit in signup Form
Hello Team, Description: When signing up for an account, you enter your email. When this email is already in use, the server responds with "UserConfirmed":true,"UserSub":"ae294fff-6d55-407d-9676-1f3518029037" This is not a problem, but the fact that you could send this request unlimited times is...
Node.js third-party modules: [devcert] Command Injection via insecure command formatting
I would like to report a Command Injection issue in the devcert module. It allows executing arbitrary commands on the victim's PC. Module: module name: devcert, version: 1.1.0, npm page: https://www.npmjs.com/package/devcert Module Description: devcert - Development SSL made easy Module Stats: 276,46...
Phabricator: SSRF in notifications.server configuration
Modifying the notification server settings so that it connects to a malicious server. An attacker is able to redirect traffic from the vulnerable application to internal or external network resources. Steps To Reproduce: 1. Open your Phabricator installation authenticated wi...
Shopify: Reflective Cross-site Scripting via Newsletter Form
.myshopify.com is vulnerable to a reflective cross-site scripting attack in the newsletter form. This can be crafted to trigger on a page load without any further user interaction. The following example url shows this vulnerability:...
Razer: 2FA doesn't work in "https://insider.razer.com"
Hello, I found a 2FA bypass vulnerability in https://insider.razer.com: I found this feature not working at all after enabling 2FA. Please follow the steps below to reproduce the issue. Steps to reproduce: 1. Log in to https://insider.razer.com with your credentials. 2. Next, go to Two-Step...
Upserve: DOM Based XSS via postMessage at https://inventory.upserve.com/login/
Description: DOM based XSS is possible at https://inventory.upserve.com/login/ due to insecure origin checking when receiving a postMessage. POC: 1. Visit https://hq.upserve.com.[redacted]/upservexss.html 2. Click link 3. View alert on https://inventory.upserve.com Vulnerable Code (javascript)...
Paragon Initiative Enterprises: Github repo's wiki publicly editable
Hello Team, Primablock GitHub repo's wiki page is publicly editable. This enables an attacker to edit the wiki pages of the affected repos, adding content that may link to malicious code libraries that would be installed and used by developers, or information that may mislead users. Links:...
h1-5411-CTF: h1-5411-CTF report: LFI / Deserialization / XXE vulnerability,
Summary: h1-5411-ctf write-up The CTF...
WakaTime: password token validation
Hello, when I reset my password, all tokens remain valid and can be used; only the token from the last request should stay valid, or you can invalidate all reset links after one of the requests is used successfully. Steps: 1. Go to the password reset page and make more than one request. 2. Go to your email and use...
Uber: Subdomain takeover at signup.uber.com
The domain signup.uber.com was pointing to an unclaimed Netlify domain, allowing an attacker to take over the subdomain. We remediated this issue by deleting the CNAME record from our DNS. Thanks, @ak1t4! Another great TKO - thanks UBER!...
Nextcloud: IDOR - Disable sharing
Description: Users who are shared files or folders can disable this sharing. Detail: use request: DELETE /nextcloud/ocs/v2.php/apps/files_sharing/api/v1/shares/share-id?format=json HTTP/1.1 Host: your-host User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47....
HackerOne: Session Hijacking attack (Different Scenario)
Hey, I was able to replay a cookie of a current active session and hijack that session by replaying the cookie. Now this is different from any conventional vanilla session hijacking because it works even when the user is not logged in. But the condition is that the victim's session must be active at the...
curl: CVE-2022-27779: cookie for trailing dot TLD
Summary: In CVE-2014-3620 curl prevents cookies from being set for Top Level Domains (TLDs). According to the advisory, curl's "cookie parser has no Public Suffix awareness", but it will "reject TLDs from being allowed". However, a cookie can still be set for a TLD + trailing dot. A trailing dot...
Internet Bug Bounty: CVE-2022-24288: Apache Airflow: TWO RCEs in example DAGs
In Apache Airflow, prior to version 2.2.4, in the DAG scripts of Airflow there are two command injection vulnerabilities (RCE) in some scripts, through which an attacker can execute arbitrary commands on the system. The impact is even greater when Airflow is configured for unauthenticated access. These two...
HackerOne: Internal Gitlab Ticket Disclosure via External Slack Channels
@noneoftheabove was able to enumerate GitLab ticket titles and descriptions by posting links in a shared Slack channel. As part of HackerOne's investigation, it was determined that the misconfiguration could also be used to obtain the contents of exceptions from HackerOne's production environment...
h1-ctf: Hackyholidays [ h1-ctf] writeup [mission:- stop the grinch ]
Hello Team, Description: Over a continuous series of 12 days, twelve flags were hidden inside the Hackyholidays site (hackyholidays.h1ctf.com); once we get all the flags, the Grinch can be stopped. This write-up will describe solving all 12 days' challenges. Steps To Reproduce: It all started wh...
VK.com: XSS in the call name
XSS in the call snippet. The vulnerability allowed executing a script on the user's side by calling them...
HackerOne: Getting New Invitations without Leaving Programs
Hello there, I hope all is well! Description: When you leave a private program, you get a chance to get a new invitation. But using this vulnerability, I can get new invitations without leaving private programs. Steps: 1. Go to any private bug bounty program. 2. Click the Leave Program button. 3. Cli...
Internet Bug Bounty: OOB read in php_strip_tags_ex
This issue is open: https://bugs.php.net/bug.php?id=79099&edit=2 You can see the details of the bug at the link. Impact: Memory leak or RCE...
Node.js third-party modules: [angular-http-server] Server Directory Traversal
I would like to report a Server Directory Traversal vulnerability in angular-http-server. It allows reading local files on the target server. Module: module name: angular-http-server, version: 1.4.3, npm page: https://www.npmjs.com/package/angular-http-server Module Description: A very simple...
U.S. Dept Of Defense: WebLogic Server Side Request Forgery
The Universal Description Discovery and Integration (UDDI) application is publicly available on this WebLogic server. The SearchPublicRegistries.jsp page can be abused by unauthenticated attackers to cause the WebLogic web server to connect to an arbitrary TCP port of an arbitrary host. Responses...
Nextcloud: Weak ssh algorithms and CVE-2023-48795 Discovered on various subdomains of nextcloud.com
Security researchers discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol, known as Terrapin (CVE-2023-48795). This vulnerability could have allowed an attacker to downgrade the security of the secure channel. Weak SSH algorithms were also identified on various subdomai...
curl: CVE-2023-46218: cookie mixed case PSL bypass
A vulnerability in libcurl was discovered that allows bypassing cookie domain restrictions through improper hostname normalization. This enables a malicious site to set supercookies readable by other sites under the same top level domain. The issue was caused by libcurl failing to convert the...
Internet Bug Bounty: CVE-2023-27536: GSS delegation too eager connection re-use
A vulnerability was found in libcurl versions 7.22.0 to 7.88.1 that allowed for the reuse of a previously created connection even when the GSS delegation option had been changed, potentially changing the user's permissions in a second transfer. This could affect krb5/kerberos/negotiate/GSSAPI...
Sorare: Mystery with a leaked token and Reusability of email confirmation link leading to Account Takeover
A vulnerability was discovered where leaked email confirmation links could be reused to gain access to a user's account without requiring a password. This was possible by modifying the token parameter in the URL of the expired confirmation link. An attacker who gains access to such a leaked link...
GlassWire: Facebook App API credentials leaked in the APK
Facebook App API credentials were leaked in the GlassWire version 1,1,26,0b F1827380 APK file, including the App ID and App Secret. This could allow an attacker to modify Facebook App settings using the leaked token...
GitHub Security Lab: ihsinme: CPP Add query for CWE-14 compiler removal of code to clear buffers.
This bug was reported directly to GitHub Security Lab...
Doppler VDP: Limited access to billing dashboard by Admin and Collaborator in conflict with user role permissions.
Summary: Hello Team, The admin and collaborator roles aren't supposed to be able to have read access to the billing dashboard. However, a bug was found where both roles have limited read access to the dashboard contrary to Doppler docs. F1151905 Steps To Reproduce: 1. Log in to your...
Doppler VDP: Owner can change themselves to another Role Mode, but the application does not have this function.
Hello team, I have found a privilege escalation bug in your application. Basically your website doesn't allow an owner to change the role mode for themselves; they can only change the role mode of another user. But I found an authorization bug in your application: if we add the owner's own user id in...
h1-ctf: [hacky-holidays] Grinch network is down
Flag 1: As always the CTF begins with a tweet: F1126838 So we are supposed to start from https://hackyholidays.h1ctf.com/. The first flag was easy: on https://hackyholidays.h1ctf.com/ I found a file named robots.txt which had the following content: User-agent: * Disallow: /s3cr3t-ar3a Flag:...
h1-ctf: Stopping Grinch to ruin XMas!
Hello, gonna just submit flags first, then will send my write-up later tomorrow. flag1: flag48104912-28b0-494a-9995-a203d1e261e7 https://hackyholidays.h1ctf.com/robots.txt recon revealing hidden endpoint flag2: flagb7ebcb75-9100-4f91-8454-cfb9574459f7 https://hackyholidays.h1ctf.com/s3cr3t-ar3a...
BugPoC: Solution for XSS challenge wacky.buggywebsite.com
Summary: Found an HTML injection in https://wacky.buggywebsite.com/frame.html?param=Injected Bypassing CSP: CSP: script-src 'nonce-txjohfomwjdo' 'strict-dynamic'; frame-src 'self'; object-src 'none'; Then found vulnerable code in https://wacky.buggywebsite.com/frame.html (js): window.fileIntegrity =...
Dropcontact: Dropcontact's disclosed report is exposing Private/Confidential information
Some other report was disclosed fully with confidential information!...
Shopify: Stored XSS in my staff name fired in another of your internal panels
Hi all, I had lots of tests for bug bounty in my test store "trstore-3.myshopify.com", created about 4 years ago, and then one of your developers noticed that a stored cross-site scripting payload in my staff name fired in another of your internal panels. I have attached the email sent to me by your...
Open-Xchange: Panic: Input stream data unexpectedly has references
Run the test suite binary on the following input: ./testsuite crash.txt, with the crash.txt file being: require "vnd.dovecot.testsuite"; require "variables"; require "editheader"; set "message" text: From: [email protected] To: [email protected] Subject: Frop! Frop! . ; testset "message" "$message"; test...
Visma Bug Bounty Program: Administration page visible without authentication
A backend system administration interface could be accessed without authorization, but it did not display any data unless the user was correctly logged in...
Nextcloud: Update App Store: Django account hijacking vulnerability
High Severity Framework Security Fix Impact: There's a nasty bug that allows accounts to be hijacked. Attackers still can't distribute archives since they are signed, but can hijack admin accounts and swap out packages in the admin panel. I've updated the deps, tests work fine locally but you...
Mail.ru: API method at api.my.games allows to enumerate user emails
API method which allowed to enumerate emails at https://api.my.games/ was not sufficiently protected...
Ruby: Ruby is shipping a vulnerable jQuery
No, this isn't a report about the website! Ruby ships Darkfish as part of RDoc: https://github.com/ruby/ruby/tree/HEAD/lib/rdoc/generator/template/darkfish https://github.com/ruby/rdoc/tree/master/lib/rdoc/generator/template/darkfish https://github.com/ged/darkfish Darkfish includes jQuery v1.6.4,...