15306 matches found
Zomato: [www.zomato.com] Blind SQL Injection in /php/geto2banner
Hi Team! Our team discovered a Blind SQL Injection by Abusing LocalParams resid in /php/geto2banner We are working to create a full PDF Report as an WriteUp ; Here is a Temporal Exploit based on the Vulnerable request: POST /php/geto2banner HTTP/1.1 Host: www.zomato.com Connection: close...
GitLab: Stored XSS in markdown when redacting references
Summary It's possible to inject arbitrary html into the markdown by abusing the ReferenceRedactorFilter. This is due to the data-original attribute allowing html encoded data to be stored, which is then extracted and used as the link content. If the original data already is html encoded then it...
Stripo Inc: Authorization for wp-admin directory are vulnerable to brute force.
The domain https://my.stripo.email in the directory /wp-admin are not blocking amount of request in the authorization form, this leads to bruteforce attack. Where the attacker are able to guess tons of passwords without getting blocked or the password field gets locked. This attack make it possib...
Stripo Inc: Able to change password by entering wrong old password
Vulnerability Name: Able to change password by entering wrong old password. Description: The password change mechanism which is located at https://my.stripo.email/cabinet//profile is insecure as the password can be changed without knowing the old password. Any unauthorized user can access the...
Node.js third-party modules: Prototype pollution in dot-prop
I would like to report a parameter pollution in dot-prop It allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation DoS, access to sensitive data, RCE. Module module name: dot-prop version: 5.1.1 npm page:...
Central Security Project: OS Command Injection in Nexus Repository Manager 2.x(bypass CVE-2019-5475)
OS Command Injection in Nexus Repository Manager 2.xbypass CVE-2019-5475 Maven artifact groupId: org.sonatype.nexus.plugins artifactId: nexus-yum-repository-plugin version: 2.14.14-01 Vulnerability Vulnerability Description The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. A...
Nextcloud: Code injection in macOS Desktop Client
Vulnerability description I've identified a code injection vulnerability in your macOS desktop client. Any malicious application, running with standard user permissions is able to exploit this vulnerability and execute code in your application's context. Requirements In order to exploit this...
Nextcloud: User with read-only access to a share can gain write access to sub-folders in the share
user0 creates folders /test and /test/sub user0 creates file /test/sub/file.txt user0 shares folder /test with user1 with read+share permissions 17 user1 receives the folder /test and can read-download /test/sub/file.txt - good user1 creates a link share of /test/sub - it has permissions 1...
Mail.ru: [authdl.mail.ru] Spoofing IP address
Client IP address could be spoofed via X-Forwarded-For headers in authdl.mail.ru. While no direct impact were identified, this issue could potentially lead to issues with logging, limitations or ABF protection...
Zomato: Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day
Summary: Using this vulnerability, a user can use his account to claim Zomato Gold benefit several times in the same restaurant within one day. Description: Based on Zomato Gold terms and condition, Zomato Gold can be used only once at each partner restaurant in a day. But I think it doesn't work...
Grab: [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/
Summary: DOM Based XSS or as it is called in some texts, “type-0 XSS” is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner...
CodeIgniter: Link sanitation bypass in xss_clean()
Hi there, While researching a website that uses your framework xssclean function to sanitize user's input in comments, I was able to bypass it and could trigger XSS payloads using javascript links in allowed tags such as anchors. This could be achieved by using the new HTML5 standard entities suc...
Shopify: Shopify GitHub Login and Password exposed all private source code might be available.
Sello com.shopify.Sello https://itunes.apple.com/us/app/sello/id947038847?mt=8 ios Mobile Application Versions 1.0.1, 1.1, 1.1.2, 1.1.3, 1.2, Podfile left inside application exposes GitHub Password for Shopify. username: shopify-dep password: 1910c92631a81a4c41dafbf96d537e3f24506b11 Impact: Acces...
Zendesk: Stored XSS via Angular Expression injection on developer.zendesk.com
developer.zendesk.com is vulnerable to stored XSS via Angular template injection. To replicate: Browse to https://developer.zendesk.com Sign up with an arbitrary email address and the following name: "'a'.constructor.prototype.charAt=.join;$eval'x=alert1';" Observe the popup. This is a stored...
HackerOne: Reflected File Download attack allows attacker to 'upload' executables to hackerone.com domain
Hi hackerone team, I'm a friend of Peiying and am looking for a position at hackerone. While playing around with your product, I found a serious vulnerability in your application: it allows attackers to craft executables on the hackerone.com domain rather than the sandboxed one on S3. 1. attacker...
Uzbey: CMS Information Disclosure
Hi, I noticed that the CHANGELOG.txt disclose Drupal vesion. It might help an attacker to perform information gathering and help an attacker to find the vulnerabilties from the version. PoC: https://staging.uzbey.com/CHANGELOG.txt...
Internet Bug Bounty: Deadlock in x86 HVM standard VGA handling
The Xen hypervisor contained a vulnerability in its handling of standard VGA memory accesses for HVM guests. The locking mechanism used had an unusual discipline that could lead to a deadlock when emulating an instruction with two memory accesses to VGA memory. The vulnerability was acknowledged ...
TikTok: Account Takeover via Authentication Bypass in TikTok Account Recovery
An improper authentication mechanism in TikTok's account recovery process was identified. The vulnerability was reported and has been completely fixed. There was no evidence of exploitation...
Internet Bug Bounty: CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
A remote code execution vulnerability was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. The vulnerability was caused by the lack of restrictions on the classes that could be restored when parsing .rdocoptions as a YAML file. Additionally, object injection and...
U.S. Dept Of Defense: Unauthenticated Access to Admin Panel Functions at https://██████████/████████
Description: I discovered that the admin panel at https://████/█████ and all its functions can be accessed without authentication. Impact An attacker is able to use the administrative functions in order to upload, delete or modify files. System Hosts ████████ Affected Products and Versions ██████...
Mail.ru: CVE-2020-11110: Grafana Unauthenticated Stored XSS -████.bizml.ru
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. PoC - Send the following HTTP request http POST...
GitHub Security Lab: [Java] JShell Injection
This bug was reported directly to GitHub Security Lab...
Sifchain: Open S3 Bucket | information leakage
Hi I found an Open S3 Bucket. - POC : aws s3 ls s3://amazon-eks/ Source : https://github.com/Sifchain/sifnode/blob/bebbe9883560bbde4f452f81a2d85bdbc243636a/deploy/rake/dependencies.rake21 regards oos Impact information leakage...
BugPoC: LFI to steal /etc/passwd - Bypass filter in the <meta property="og:image"> tag via redirect and much more
Hey Team, Good &simple challenge. Wasn't able to find time to attempt this initially but was able to go about it today. The explanation of the bug with the POC is hosted on bugpoc.com Here is the id & password as requested - BugPoC ID : bp-wHwB2qAF - Password : dARKlYbAnana89 POC Screenshot using...
Shopify: Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation
Hello Shopify, I have found a bug by which I can verify any email on .myshopify.com, the bug is very strange but it works. Also I can take over the accounts but only the ones which do not have SSO. To reproduce please follow the steps exactly as I written otherwise you will not be able to reprodu...
h1-ctf: [H1-2006 2020] CTF write-up
Hello, thank you for the awesome CTF! I definetly learned a lot. For now I will submit just the Flag. I am going to follow up with the Writeup as soon as possible. ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Kind regards, Alex - hackingfish Attached: A screenshot of the site which is showing the...
Starbucks: Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages
Hi team, Summary: There is a cross-site scripting vulnerability on the login page of www.starbucks.com and various regions, due to improper escaping on the URL path. Description: The login page at https://www.starbucks.com/account/signin builds several links by the relative URL path. An attacker...
Node.js third-party modules: [reveal.js] XSS by calling arbitrary method via postMessage
I would like to report XSS in reveal.js It allows gaining access to the victim's account and performing actions on his behalf Module module name: reveal.js version: 3.8.0 npm page: https://www.npmjs.com/package/reveal.js Module Description A framework for easily creating beautiful presentations...
HackerOne: Disclosure of h1 challenges name through the calendar
Summary: It seems like the Calendar somehow grabs the name of the target for a h1 challenge even though the target name is not public. Description: h1challenges do not disclose the name of the target until the time it starts. For example for this challenge: █████ the name of the target is not...
RATELIMITED: HTTP PUT method is enabled ratelimited.me
Found on HTTP PUT sites enabled on web servers. I tried testing to write the file / codelayer137.txt uploaded to the server using the PUT verb, and the contents of the file were then taken using the GET verb. the following is POC Request: PUT /codeslayer137.txt HTTP/1.1 Host: ratelimited.me...
OLX: Cross-site Scripting (XSS) - Reflected
Dear Security OLX team, I want to report the findings of the security gap on the olx.co.id website, the detailed findings are as follows: impact:https://www.olx.co.id/adminpanel/login/ Payload : ope8i"alert1grpo8 POC: paramter = userpassword POST /adminpanel/login/?ref0action=index&ref0method=ind...
Coinbase: Stored CSS Injection
When creating a product, users can upload a logo. The logourl was not escaped properly, allowing an attacker to inject malicious characters into a style tag. This vulnerability did not allow for XSS due to our CSP, however, it did allow for CSS injection...
WakaTime: Can link to websites from profile
when I input a website to my profile it creates tag link: test.org this is a flaw, how? if the owner of the profile and a malicious link it is possible to redirect the user to a phishing page of wakatime. Here's the scenario of this attack: 1 Attacker put a malicious link on his profile. 2 Once t...
Zomato: [www.zomato.com] Union SQLi + Waf Bypass
Summary @gerbenjavado found a SQL Injection vulnerability in one of our end point and he was able to bypass our WAF...
Starbucks: Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com)
Hello, during some open redirects testing, I have noticed a very strange redirect that occured when I had modified a parameter using something like cofee. I have digged up further and then I have noticed that one can make a redirect by modifying GET parameters with this structure : //google.com...
Eobot: No password length restriction
Hello Eobot, I am able to sign up on your web application using a long 100000 characters password which may lead to website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing...
X (Formerly Twitter): csp bypass + xss
Hi, On my previous report number 126464 I've mentioned that analytics.twitter.com has a CSP bypass which I couldn't exploit that time. Now, I've found a reflected XSS on careers.twitter.com which again I couldn't exploit by itself. Because you have CSP, and I've combined two of them to successful...
Uber: Bulk UUID enumeration via invite codes
It is possible to enumerate UUID via invite code. During signup if we enter invite code then create request's response contains inviteruuid . As invite codes are public so attacker can easily enumerate bulk UUID . Here is sample request :- POST /signup/clients/create HTTP/1.1 X-Uber-RedirectCount...
Pornhub: [RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com
Researcher was able to exploit a serialization error in the SimpleXMLElement class to perform object injection using the callbackUrl parameter. Researcher was successful in achieving the following: SSRF Local file inclusion Limited execution of database commands without output I exploited the...
Bykea: IDOR on in-app hardcoded zombie endpoint
The researcher discovered an Insecure Direct Object Reference IDOR vulnerability in a hardcoded legacy zombie endpoint that was no longer actively used but remained accessible. By reverse engineering the Android app and reviewing the code for unused endpoints, the sensitive details related to...
UPchieve: Authentication Bypass - Email Verification code bypass in account registration process.
Hi Team, I was able to bypass Email Verification code in account registration process. Summary : Authentication Bypass is a dangerous vulnerability, which is found in Web-Applications. An Attackers can bypass the control mechanisms which are used by the underlying web application like Email...
Judge.me : Stored XSS in Email Templates via link
Summary: Stored cross-site scripting also known as second-order or persistent XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. FYI: I Install judge.me in Shopify E-Commerce Steps To Reproduce: 1. Go to...
MTN Group: CVE-2021-38314 @ https://www.mtn.co.rw
Summary: Hello. I your domain https://www.mtn.co.rw was vulnerable to CVE-2021-38314 Description: The Gutenberg Template Library & Redux Framework plugin = 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in...
Basecamp: Information Disclosure .htaccess accesible for public
Hello team! While doing a preliminary recon on the sub domain of "launchpad.37signals.com" I've come across a few sensitive files that should not be facing the public web; I'll leave you a list organized by criticality and some proof. Information disclosure of path .htaccess on the subdomain of...
Urban Company: Broken Link on Urban Company's Vulnerability Submission Form
Summary: - Urban Company has an unclaimed broken link on their HackerOne security page which can be claimed by any malicious user. And then later the malicious user can exploit this issue to deceive new researchers to submit their legitimate findings to the wrong hands. Steps To Reproduce: 1.Visi...
Ruby on Rails: redirect_to(["string"]) remote code execution
For example, redirecttoparams:userinput with a URL of ?userinput=something calls the method somethingurl and tries to redirect the return value of the method. If this call is on an unauthenticated route, it would allow an external user to test if a route name exists by determining if the app 500s...
Doppler VDP: Access page must be reloaded to perform multiple requests
Hello team, I have found a authorization issues in your website. With this issue Low privileged user's like collaborator users can still access DEV environment even workplace owner unchecked dev access permission from owner account. With this issue collaborator user can unlimited access that dev...
h1-ctf: Taking Grinch Down To Save Holidays
Hi thank you Hackerone and Adam for organizing the CTF, this had honestly helped me to learn good skills and techniques. The CTF began with the scope: hackyholidays.h1ctf.com and mission to take down grinch So here's a quick visual summary of all the challenges F1131175 F1131176 1. Grinch Robots ...
U.S. Dept Of Defense: Sensitive data exposure via https://███████/secure/QueryComponent!Default.jspa - CVE-2020-14179
Summary: Information Disclosure vulnerability in outdated Jira. Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the...
U.S. Dept Of Defense: CVE 2020 14179 on jira instance
Summary: An remote attacker can view the custom sla fields used in the jira instance and also can use the sla fields to make a jql query. Impact Information disclosure of the custom sla fields, senstive information leakage throught he jql query parameter Read more about the impact here:...