U.S. Dept Of Defense: Old Session Does Not Expire After Password Change
Hello Team, I am Hemant Patidar, working as a security researcher, and I found a bug in your site. The report of the bug is as follows: Description: While conducting my research I discovered that the application fails to invalidate the session after the password change. In this scenario changing the...
Internet Bug Bounty: ActionView sanitize helper bypass with 'style' and 'svg' tags
The Rails-html-sanitizer, which Rails ActionView also uses, failed to sanitize input when svg and style or math and style tags were allowed. This resulted in a potential XSS vulnerability in applications that used the sanitize helper...
Chaturbate: Camo Image Proxy Bypass with CSS Escape Sequences
Summary With CSS escape sequences it is possible to bypass CSS url detection and filtering. Details Users can use HTML tags in their Profile Bio in About Me and Wish List fields. Among other filtering and sanitization, image URLs are replaced by URLs on internal image proxy. For example, this...
Chaturbate: Cross-origin resource sharing: arbitrary origin trusted on chatws25.stream.highwebmedia.com
Very low-quality reports, such as those which only contain automated output, will be rejected. Summary Hi, I was able to discover a number of instances on chatws25.stream.highwebmedia.com where the application accepts an arbitrarily supplied origin. The application implements an HTML5 cross-origin...
curl: CRLF Injection in `--proxy-header` allows extra HTTP headers (CWE-93)
Hello Team, There is a bug in curl where a user can inject new HTTP headers into a proxy request by using special characters in the --proxy-header option. This is done by adding \r\n carriage return + line feed inside the header value. This breaks the HTTP format and lets the user create more...
Pornhub: IDOR allows you to delete photos and albums from a gallery
The researcher discovered a vulnerability where a user may delete other users' images from their galleries...
HackerOne: The /reports/:id.json endpoint discloses potentially sensitive user attributes when reporter summary is present
The /reports/:id.json endpoint disclosed potentially sensitive user attributes, including the reporter's email, OTP backup codes, phone number, graphqlsecrettoken, and t-shirt size when a reporter summary was present...
Chaturbate: Reflected XSS on ssl-ccstatic.highwebmedia.com via player.swf
Hey there, There's a SWF based XSS on ssl-ccstatic.highwebmedia.com. You may want to update/remove the file. POC https://ssl-ccstatic.highwebmedia.com/jwplayer/player.swf?playerready=alertdocument.domain Thanks, Ben Impact...
Pornhub: Blind SQL injection in Hall of Fap
Summary: There is a blind SQL injection vulnerability in GET parameter topsort in page https://www.tube8.fr/ajax-hof/. Description: SQL functions can be injected into the SQL query. Using the sleep function, which makes the database sleep, we can notice the injection. PoC The following request wi...
QIWI: MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass
Last week, details about 3 CVEs affecting MobileIron MDM product were disclosed. When combined, an attacker can achieve unauthenticated remote code execution with arbitrary Java deserialization vector : - CVE-2020-15505 - Remote Code Execution - CVE-2020-15506 - Authentication Bypass -...
LinkedIn: HTML Injection in LinkedIn Premium Support Chat
The vulnerability exists in the LinkedIn Premium support chat interface where unsanitized HTML input was rendered directly in the chat window. An attacker could have exploited this by injecting malicious HTML such as clickable links, potentially leading to phishing or redirection attacks on...
HackerOne: Session not expired on logout
hackerone.com website is not expiring the user's session immediately after logout. Steps to verify: 1. Log into the website - hackerone.com. 2. Capture any request. For ex, profile edit page using burp proxy. 3. Logout from the website. 4. Replay the request captured in step 3 and notice it...
Node.js third-party modules: Unrestricted file upload (RCE)
I would like to report an unrestricted file upload in express-cart. It allows a user with administrative privileges to upload a file to any path. Module module name: express-cart version: 1.1.5 npm page: https://www.npmjs.com/package/express-cart Module Description expressCart is a fully function...
Khan Academy: Unauthorized Account Access via Leaked Credentials in URL Format (Account Takeover )
The vulnerability allowed attackers to access user accounts on khanAcademy.com using leaked credentials that were publicly available. The credentials were found in clear text format on a third-party website. By entering the email and password, the attacker could perform an account takeover withou...
Sifchain: CORS misconfiguration
Description: Affected website: https://sifchain.finance/wp-json/oembed/1.0/embed?url=https://sifchain.finance/&format=xml Step-by-step Reproduction : 1. Send this request: javascript GET /wp-json/oembed/1.0/embed?url=https://sifchain.finance/&format=xml HTTP/1.1 Host: sifchain.finance...
Ruby on Rails: RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage)
Since ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor use Marshal as the default serializer, I confirmed that RCE is possible by object injection. ruby https://github.com/rails/rails/blob/v5.2.2/activesupport/lib/activesupport/messageverifier.rbL110 def initializesecret, option...
XVIDEOS: CSRF on delete friend requests - Not protected with CSRF Token
Summary: Hello XVideos Security Team, There is a possibility of CSRF on the POST method when deleting friend requests that are sent by the users. Any user can send malicious content to perform the POST method in order to delete a friend request for a specific member. Steps To Reproduce: 1. Log...
Internet Bug Bounty: ActionView sanitize helper bypass with noscript
The Rails-html-sanitizer 1.6.0 contained a vulnerability that allowed bypassing the sanitization process when the noscript tag was used. This could have led to potential cross-site scripting XSS attacks in applications that used the vulnerable version of the sanitizer, including those using the...
Nextcloud: XSS in PDF Viewer
An outdated version of PDF.js in use allows for the CVE-2018-5158 vulnerability. When the payload PDF is shown in the supplied PDF viewer, it can execute arbitrary JavaScript. I have tested the payload PDF, and it is working in the Safari 13.0.5 the latest version and Firefox 74.0 the latest...
Showmax: delete the subaccount from the user id
In order to delete this sub-profile, you must first create an account. Then you need to find the user id and master id of the account that you will delete; you can do a brute force attempt to find it. If it holds, you can delete the child profile of this person or view a lot of information...
Chaturbate: View Failed Approval and Pending videos other users
See videos uploaded by a user. The video is available while it waits for confirmation or is not accepted. Steps To Reproduce: 1 - Go to victim page : https://chaturbate.com/p/akaxanxa/?tab=bio 2 - Open video : https://chaturbate.com/photovideos/photo/big/username/contentid/ 3 - Get random requests -...
Cosmos: Attacker can use any non-enabled capability
The Capabilities implementation in CosmWasm contracts was found to have a vulnerability. Even if the executing chain did not allow a specific capability, a CosmWasm contract could still execute actions that required that capability. This was due to a naive implementation of capabilities and...
Mars: Insecure deserialized object leads to RCE on Sitecore (CVE-██████████-27218)
This critical vulnerability involved an insecure deserialization issue in Sitecore implementation, which was assigned CVE-2025-27218. The vulnerability allowed remote code execution through unsanitized user input in the ThumbnailsAccessToken header. The vulnerability was remediated by removing...
curl: Memory Leak
in getparameter via strdup in toolgetparam.c SIGSEGV Project: cURL File: src/toolgetparam.c Function: getparameter → indirectly via getstr Detected By: AddressSanitizer ASan Command Used: ASANOPTIONS="detectleaks=1:verbosity=2:malloccontextsize=50" ./curl -K Overview A memory leak vulnerability h...
WakaTime: user api key leaked
The user's API key was found exposed in an older URL while testing the WakaTime tool. The API key successfully authenticated requests to a restricted endpoint, indicating that it was valid and granted access to protected resources...
AWS VDP: (Part 2) Non-Production API Endpoints for the Datazone Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The non-production API endpoints for the Datazone service failed to log to CloudTrail, resulting in silent permission enumeration. The vulnerability was discovered through certificate transparency monitoring, where three additional vulnerable endpoints were identified...
Kraden: Found Origin IPs Lead To Access To kraden.com
Summary: Discovered that the kraden.com site exposed its non-Cloudflare IP, which could allow bypassing of anti-DDoS mechanisms. Description: Your origin servers are not blocking access from non-Cloudflare servers. This way crawlers can find your origin servers' IPs by checking random IPs until the...
TikTok: External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing
A local file disclosure vulnerability was found which an attacker could have used to upload a payload file via the TikTok website and potentially exfiltrate arbitrary local system files. We thank @ach for reporting this to our team and confirming the resolution. Summary: FFmpeg is a free and...
U.S. Dept Of Defense: Public google drive link Exposes Military Orders Containing PII (Name, SSN etc..) and Operational Details
A public Google Drive link was found that exposed military orders containing personally identifiable information PII such as full names, Social Security numbers, home addresses, and security clearance levels. The vulnerability was discovered on a website located at...
Endless Group: CVE-2017-8779 exploit on open rpcbind port could lead to remote DoS
Summary: An open rpcbind port on https://da.theendlessweb.com allows for possible exploitation by an existing Metasploit module. This could lead to large and unfreed memory allocations for XDR strings. Description: Port scanning on 149.56.38.19 which is the IP of https://da.theendlessweb.com show...
RubyGems: Cross-Domain JavaScript Source File Inclusion
The page includes one or more script files from a third-party domain. XSSI is a fancy way of saying: you are including someone else's code in your program; you don't have any control over what is in that code, and you don't have any control over the security of the server on which it is hosted...
Lichess: Open Redirect Vulnerability in OAuth Flow Leading to Potential Phishing Attack
Summary: An open redirect vulnerability exists in the OAuth flow on lichess4545.com. By manipulating the redirecturi parameter during the OAuth authorization process with Lichess, an attacker can redirect users to an arbitrary external domain e.g., example.com after login. This could be exploited...
Ruby: Response splitting vulnerability in WEBrick
Hi, WEBrick seems to be vulnerable to a response splitting attack. The reproduction script is very similar to the code shown on the owasp page: ruby require 'webrick' class MyServlet ::WEBrick::HTTPServlet::AbstractServlet def service req, res res.cookies WEBrick::Cookie.new'author',...
Yelp: Multiple Vulnerabilities in (*.blog.yelp.com) - Leakage user admin Sensitive Exposure
Hi! Team @yelp, we found multiple vulnerabilities in your websites. Username Admin Login Sensitive Exposure. Referrals: HackerOne 753725. Platforms Affected: website . https://blog.yelp.com/wp-json/ user-admin sensitive exposure . https://blog.yelp.com/wp-login.php Admin-Page disclosure Steps To...
Autodesk: Django Debug Mode Enabled - Information Disclosure on api.wwm-dev.autodesk.com
The domain api.wwm-dev.autodesk.com was discovered to have Django debug mode enabled, which led to information disclosure. The issue was fixed by Autodesk...
Ruby on Rails: 1-Click Cross-Site Scripting via Custom Configuration in SafeListSanitizer
Vulnerability description not provided...
U.S. Dept Of Defense: [CVE-2018-7600] Remote Code Execution due to outdated Drupal server on www.█████████
Summary Due to an outdated Drupal version, remote code execution is possible on www.█████ via CVE-2018-7600. Description Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple...
U.S. Dept Of Defense: Command Injection (via CVE-2019-11510 and CVE-2019-11539)
Summary: The Navy has a Pulse Secure SSL VPN https://████████/dana-na/auth/urldefault/welcome.cgi that is vulnerable to: CVE-2019-11510 - Pre-auth Arbitrary File Reading CVE-2019-11539 - Post-auth Command Injection vulnerable hostname from ssl certificate: ██████████.navy.mil The pre-auth arbitra...
Ruby on Rails: Directory traversal attack in view resolver
There seems to be two cases that allow directory traversal when using wildcard URL segments that allow rendering view outside view paths. For example, let say there is a route get '/help/action’, controller: ‘help’ and a matching controller class HelpController ApplicationController end This...
Bumble: Compromising the user ID
The vulnerability allows compromising the user ID in the "Dating" menu. This is a serious vulnerability that violates the logic of the site and allows the attacker to write a message to the user he likes before the user responds reciprocally. In order to reproduce the vulnerability, you need to go to the...
Nextcloud: Blind SSRF Vulnerability in Appstore Release Upload Form
Vulnerability description not provided...
Sifchain: Origin IP Disclosure Vulnerability
Summary: It is possible to access origin IP servers served by nginx and not Cloudflare. Even though these IPs don't serve a functional version of the app, it is possible to enable DDoS attacks by bypassing Cloudflare protections. Steps To Reproduce: Even though these IPs don't serve a functional...
U.S. Dept Of Defense: CVE-2020-3187 - Unauthenticated Arbitrary File Deletion
Summary: A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a...
Imgur: No length on password
Hey, when I try to set the password while creating an account I noticed that you haven't kept any password limit. You need to decrease password length: There are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource consumption on behal...
R3: Exposed Prometheus instance at prometheus.qa.r3.com
Summary Hi there, just wanted to note that all of your assets are listed as out of scope on HackerOne right now, which is a bit confusing. Nevertheless, I noticed that your Prometheus server at prometheus.qa.r3.com is exposed to the internet, which appears to let you view all of the internal...
U.S. Dept Of Defense: CVE-2021-26855 on ████████ resulting in SSRF
Description: CVE-2021-26855 exists on ███████ resulting in SSRF References https://vulners.com/cve/CVE-2021-26855 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855 Impact Server Side Request Forgery System Hosts ███████ Affected Products and Versions CVE Numbers...
Lichess: Weak Rate Limiting Controls in the (LOGIN) page Expose System to Brute Force and DoS Attacks
Summary: The login page lacks proper rate limiting, allowing an attacker to easily perform a brute-force attack. This vulnerability enables the attacker to systematically try different username and password combinations until they successfully compromise any account, which poses a significant...
Uzbey: HTML Form Without CSRF Protection Vulnerability
HTML Form Without CSRF Protection Vulnerability Respected Sir/Madam, I hope you cooperate with me, because it's not easy to find a vulnerability on your official website. Vulnerability description Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or...
Doppler: WAF bypass and JavaScript's incomplete handling of Unicode characters might lead to DOM XSS
Hello, WAF : Doppler uses the Cloudflare firewall to prevent unwanted malicious injections "https://share.doppler.com/ext/jquery/dist/jquery.min.js?c=%22%3Cscript%3Ealert%27XSS%27%3C/script%3E%22" by accessing the endpoint you'll get to know that! But I found that this code ""%0D%0A%0D%0A" bypasses the...
Node.js: Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string.
In Node.js, the ReadFileUtf8 internal binding was found to have a memory leak due to a corrupted pointer in uvfss.file. A UTF-16 path buffer was allocated and subsequently overwritten when the file descriptor was set, leading to an unrecoverable memory leak on every call...