15371 matches found
MyEtherWallet: Malicious Node JavaScript Injection Leading to Theft of Private Keys and User Funds
Summary This vulnerability allows injection of arbitrary JavaScript code by the node that the MyEtherWallet user is connected to. This could be one of the default nodes e.g api.myetherwallet.com, or a custom node. With this code injection, the private key can be stolen if Keystore File or Private...
Internet Bug Bounty: imagecolormatch Out Of Bounds Write on Heap
The link to the PHP bug: https://bugs.php.net/bug.php?id=77270 This is possible to exploit in PHP 7.0.33 and 5.6.39. I used this vulnerability to write a local safe mode bypass exploit. It is possible to write up to 1200 bytes over the boundaries of a buffer allocated in the imagecolormatch...
Node.js third-party modules: Prototype pollution attack in node.extend
I would like to report a prototype pollution vulnerability in node.extend. It allows an attacker to inject properties on Object.prototype. Module module name: node.extend version: 2.0.0 npm page: https://www.npmjs.com/package/node.extend Module Description A port of jQuery.extend that actually...
HackerOne: DOM Based XSS in www.hackerone.com via PostMessage
Summary: The Marketo contact form available on the www.hackerone.com website is affected by a cross-site scripting vulnerability, caused by an insecure 'message' event listener installed on the page. Whilst this could allow an attacker to execute JavaScript in the context of the www.hackerone.com...
Coinbase: Captcha Bypass in Coinbase SignUp Form
Vulnerability description: The g-recaptcha-response is not validated on the server-side when submitting a Signup form to the endpoint. Any or no value can be provided for this header Step to reproduce: 1. https://www.coinbase.com/signup 2. Fill the input field and Validate the captcha. 3. Trun on...
Ruby: Parsing invalid unicode codepoints using json c extension (2.0.1+) triggers a segfault
Using the default json library packaged with ruby, one can trigger a segmentation fault by submitting a string with a unicode escape sequence in the range between \ud800-\udbff https://en.wikipedia.org/wiki/UTF-16U.2BD800toU.2BDFFF. This is can lead to a denial of service attack by segmentation...
VK.com: HTML Injection possible due to bad filter
Hello, I have found an area where it may be possible to run certain HTML/JS scripts. TO REPRODUCE: 1. Go to documents 2. Upload anything and edit it 3. On the edit page in tags, enter code without a closing bracket ex. img src=x 4. Click enter 5. It will be parsed in that area, but after saving i...
HackerOne: Null byte injection
Hi , I would like to report an issue that I have noticed in https://hackerone.com/users/signin?invitationtoken= . I am not sure if this is a valid security issue , but I have decided to report it anyway and see what you guys think. Details: - When you go to...
Internet Bug Bounty: Deadlock in x86 HVM standard VGA handling
The Xen hypervisor contained a vulnerability in its handling of standard VGA memory accesses for HVM guests. The locking mechanism used had an unusual discipline that could lead to a deadlock when emulating an instruction with two memory accesses to VGA memory. The vulnerability was acknowledged ...
Internet Bug Bounty: CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
A remote code execution vulnerability was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. The vulnerability was caused by the lack of restrictions on the classes that could be restored when parsing .rdocoptions as a YAML file. Additionally, object injection and...
EXNESS: GraphQL attribute Batching DOS can take down pwapi.ex2b.com
Summary: Hi team! I hope you are having a great day! pwapi.ex2b.com instances work with a GraphQL API. This GraphQL endpoint is at / and can be called by unauthenticated users. This Graphql endpoint allows you to perform a query with the same attribute multiple times on a single request. The more...
Internet Bug Bounty: CVE-2023-40273: Session fixation in Apache Airflow web interface
A session fixation vulnerability was discovered in Apache Airflow web interface. This vulnerability allowed an authenticated user to continue accessing the webserver even after their password had been reset by the admin. The issue has been addressed in version 2.7.0 of Apache Airflow...
inDrive: Full access to InDrive jira panel via exposed API token
The Jira API token was exposed in a GitHub repository, allowing unauthorized access to the InDrive Atlassian panel and sensitive information stored in Jira...
Internet Bug Bounty: potential denial of service attack via the locale parameter
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a denial of service attack via the locale parameter, which is treated as a regular expression. Impact By crafting a Python regex, a vulnerable site could suffer a DOS attack. The attack was...
curl: Memory leak in CURLOPT_XOAUTH2_BEARER
Summary: Once a bearer token is set with CURLOPTXOAUTH2BEARER, each HTTP request done with the same handler leaks the token itself. Steps To Reproduce: Given the following code: c include int mainvoid curlglobalinitCURLGLOBALALL; CURL curl = curleasyinit; curleasysetoptcurl, CURLOPTHTTPAUTH,...
GitHub Security Lab: [Java] JShell Injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-918: Added URLClassLoader and WebClient SSRF sinks
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: ihsinme: CPP Add query for CWE-783 Operator Precedence Logic Error When Use Bool Type
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: Sensitive data exposure via https://███████/jira//secure/QueryComponent!Default.jspa - CVE-2020-14179
Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. Impact...
U.S. Dept Of Defense: CVE 2020 14179 on jira instance
Summary: An remote attacker can view the custom sla fields used in the jira instance and also can use the sla fields to make a jql query. Impact Information disclosure of the custom sla fields, senstive information leakage throught he jql query parameter Read more about the impact here:...
Mail.ru: mrgs.my.games account takeover
A chain of different bugs and misconfigurations invalid handling of arrays-like names in cookies, stored session with NULL ids allowed to login to mrgs.my.games with few different accounts...
BugPoC: LFI to steal /etc/passwd - Bypass filter in the <meta property="og:image"> tag via redirect and much more
Hey Team, Good &simple challenge. Wasn't able to find time to attempt this initially but was able to go about it today. The explanation of the bug with the POC is hosted on bugpoc.com Here is the id & password as requested - BugPoC ID : bp-wHwB2qAF - Password : dARKlYbAnana89 POC Screenshot using...
HackerOne: Pentester can obtain information about other pentesters who applied for the same test, but weren't accepted
Hi team, I don't know your policy about pentestersabout their visibility on the platform, But I couldn't find any other pentesters before. 1 For example: GraphQL has the h1pentester attribute that would explicitly point us to the pentester, but if we make a query, it doesn't reveal the pentester ...
QIWI: CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco
Steps to reproduce: I could delete arbitrary files from https://79.142.21.220/ using CVE-2020-3187. POC video is attached. Browser/OS: Chrome/Windows ALSO Cisco ASA - Arbitary File Read - CVE-2020-3452 the file downloaded also attached here for poc Impact Impact: RCE is P1 critical vulnerability,...
Shopify: Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation
Hello Shopify, I have found a bug by which I can verify any email on .myshopify.com, the bug is very strange but it works. Also I can take over the accounts but only the ones which do not have SSO. To reproduce please follow the steps exactly as I written otherwise you will not be able to reprodu...
Open-Xchange: Panic in file smtp-address.c: line 684 (smtp_address_write): assertion failed: (smtp_char_is_qpair(*p))
Reproducer is running test suite against file crash2.txt and getting following output : ./src/testsuite/testsuite crash2.txt Test case: crash2.txt: testsuitecatena: Panic: file smtp-address.c: line 684 smtpaddresswrite: assertion failed: smtpcharisqpairp Abort trap: 6 Content or crash2.txt is...
Zomato: [www.zomato.com] Blind SQL Injection in /php/geto2banner
Hi Team! Our team discovered a Blind SQL Injection by Abusing LocalParams resid in /php/geto2banner We are working to create a full PDF Report as an WriteUp ; Here is a Temporal Exploit based on the Vulnerable request: POST /php/geto2banner HTTP/1.1 Host: www.zomato.com Connection: close...
GitLab: Stored XSS in markdown when redacting references
Summary It's possible to inject arbitrary html into the markdown by abusing the ReferenceRedactorFilter. This is due to the data-original attribute allowing html encoded data to be stored, which is then extracted and used as the link content. If the original data already is html encoded then it...
Stripo Inc: Authorization for wp-admin directory are vulnerable to brute force.
The domain https://my.stripo.email in the directory /wp-admin are not blocking amount of request in the authorization form, this leads to bruteforce attack. Where the attacker are able to guess tons of passwords without getting blocked or the password field gets locked. This attack make it possib...
Stripo Inc: Able to change password by entering wrong old password
Vulnerability Name: Able to change password by entering wrong old password. Description: The password change mechanism which is located at https://my.stripo.email/cabinet//profile is insecure as the password can be changed without knowing the old password. Any unauthorized user can access the...
Nextcloud: Code injection in macOS Desktop Client
Vulnerability description I've identified a code injection vulnerability in your macOS desktop client. Any malicious application, running with standard user permissions is able to exploit this vulnerability and execute code in your application's context. Requirements In order to exploit this...
Nextcloud: User with read-only access to a share can gain write access to sub-folders in the share
user0 creates folders /test and /test/sub user0 creates file /test/sub/file.txt user0 shares folder /test with user1 with read+share permissions 17 user1 receives the folder /test and can read-download /test/sub/file.txt - good user1 creates a link share of /test/sub - it has permissions 1...
HackerOne: Disclosure of h1 challenges name through the calendar
Summary: It seems like the Calendar somehow grabs the name of the target for a h1 challenge even though the target name is not public. Description: h1challenges do not disclose the name of the target until the time it starts. For example for this challenge: █████ the name of the target is not...
RATELIMITED: HTTP PUT method is enabled ratelimited.me
Found on HTTP PUT sites enabled on web servers. I tried testing to write the file / codelayer137.txt uploaded to the server using the PUT verb, and the contents of the file were then taken using the GET verb. the following is POC Request: PUT /codeslayer137.txt HTTP/1.1 Host: ratelimited.me...
Zomato: Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day
Summary: Using this vulnerability, a user can use his account to claim Zomato Gold benefit several times in the same restaurant within one day. Description: Based on Zomato Gold terms and condition, Zomato Gold can be used only once at each partner restaurant in a day. But I think it doesn't work...
Grab: [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/
Summary: DOM Based XSS or as it is called in some texts, “type-0 XSS” is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner...
Uber: Bulk UUID enumeration via invite codes
It is possible to enumerate UUID via invite code. During signup if we enter invite code then create request's response contains inviteruuid . As invite codes are public so attacker can easily enumerate bulk UUID . Here is sample request :- POST /signup/clients/create HTTP/1.1 X-Uber-RedirectCount...
Shopify: Shopify GitHub Login and Password exposed all private source code might be available.
Sello com.shopify.Sello https://itunes.apple.com/us/app/sello/id947038847?mt=8 ios Mobile Application Versions 1.0.1, 1.1, 1.1.2, 1.1.3, 1.2, Podfile left inside application exposes GitHub Password for Shopify. username: shopify-dep password: 1910c92631a81a4c41dafbf96d537e3f24506b11 Impact: Acces...
Zendesk: Stored XSS via Angular Expression injection on developer.zendesk.com
developer.zendesk.com is vulnerable to stored XSS via Angular template injection. To replicate: Browse to https://developer.zendesk.com Sign up with an arbitrary email address and the following name: "'a'.constructor.prototype.charAt=.join;$eval'x=alert1';" Observe the popup. This is a stored...
HackerOne: Reflected File Download attack allows attacker to 'upload' executables to hackerone.com domain
Hi hackerone team, I'm a friend of Peiying and am looking for a position at hackerone. While playing around with your product, I found a serious vulnerability in your application: it allows attackers to craft executables on the hackerone.com domain rather than the sandboxed one on S3. 1. attacker...
Bykea: IDOR on in-app hardcoded zombie endpoint
The researcher discovered an Insecure Direct Object Reference IDOR vulnerability in a hardcoded legacy zombie endpoint that was no longer actively used but remained accessible. By reverse engineering the Android app and reviewing the code for unused endpoints, the sensitive details related to...
inDrive: SSRF in https://couriers.indrive.com/api/file-storage
A server side request forgery vulnerability was present in the url parameter of the https://couriers.indrive.com/api/file-storage endpoint, allowing arbitrary external websites to be requested and their content returned in responses...
U.S. Dept Of Defense: Unauthenticated Access to Admin Panel Functions at https://██████████/████████
Description: I discovered that the admin panel at https://████/█████ and all its functions can be accessed without authentication. Impact An attacker is able to use the administrative functions in order to upload, delete or modify files. System Hosts ████████ Affected Products and Versions ██████...
Mail.ru: CVE-2020-11110: Grafana Unauthenticated Stored XSS -████.bizml.ru
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. PoC - Send the following HTTP request http POST...
Tor: Tor Browser using --log or --verbose logs the exact connection time a client connects to any v2 domains.
Summary: A vulnerability in the Tor Browser 78.11.0esr and below allows a local or physical attacker to view metadata about v2 domains, namely the exact timestamp that a user connected to a v2 onion address while using either the --log or --verbose command line options. A local or physical attack...
Sifchain: Open S3 Bucket | information leakage
Hi I found an Open S3 Bucket. - POC : aws s3 ls s3://amazon-eks/ Source : https://github.com/Sifchain/sifnode/blob/bebbe9883560bbde4f452f81a2d85bdbc243636a/deploy/rake/dependencies.rake21 regards oos Impact information leakage...
Ruby on Rails: redirect_to(["string"]) remote code execution
For example, redirecttoparams:userinput with a URL of ?userinput=something calls the method somethingurl and tries to redirect the return value of the method. If this call is on an unauthenticated route, it would allow an external user to test if a route name exists by determining if the app 500s...
Doppler VDP: Access page must be reloaded to perform multiple requests
Hello team, I have found a authorization issues in your website. With this issue Low privileged user's like collaborator users can still access DEV environment even workplace owner unchecked dev access permission from owner account. With this issue collaborator user can unlimited access that dev...
U.S. Dept Of Defense: Sensitive data exposure via https://███████/secure/QueryComponent!Default.jspa - CVE-2020-14179
Summary: Information Disclosure vulnerability in outdated Jira. Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the...
Shopify: Self xss in product reviews
1、install app Product Reviews F1070556 2、Open a product and write a review 3、Press F12 on the keyboard,Change the type of email to text. 4、Write in email"[email protected]. F1070565 5、Write other required fields,then submit. F1070566 Impact Self xss...