15369 matches found
Nextcloud: Valid share tokens allow to access tempory upload files of share owner
A vulnerability was discovered that allowed access to temporary upload files of a share owner using valid share tokens...
HackerOne: Insecure Direct Object Reference (IDOR) Allows Viewing Private Report Details via /bugs.json Endpoint
The Insecure Direct Object Reference IDOR vulnerability allowed viewing private report details through the /bugs.json endpoint. Any private reports could be accessed by sending a POST request to the endpoint with the organization ID and a single-digit text query. This gave access to sensitive...
inDrive: SSRF in https://couriers.indrive.com/api/file-storage
A server side request forgery vulnerability was present in the url parameter of the https://couriers.indrive.com/api/file-storage endpoint, allowing arbitrary external websites to be requested and their content returned in responses...
Internet Bug Bounty: CVE-2023-27533: TELNET option IAC injection
A vulnerability CVE-2023-27533 was found in curl versions 7.7 to 7.88.1 that allowed users to pass on user name and "telnet options" for server negotiation without proper input scrubbing, potentially allowing for the injection of unintended TELNET commands to the telnet connection. The severity o...
U.S. Dept Of Defense: Unauthenticated Access to Admin Panel Functions at https://██████████/████████
Description: I discovered that the admin panel at https://████/█████ and all its functions can be accessed without authentication. Impact An attacker is able to use the administrative functions in order to upload, delete or modify files. System Hosts ████████ Affected Products and Versions ██████...
MTN Group: CVE-2021-38314 @ https://www.mtn.co.rw
Summary: Hello. I your domain https://www.mtn.co.rw was vulnerable to CVE-2021-38314 Description: The Gutenberg Template Library & Redux Framework plugin = 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in...
GitHub Security Lab: [Java] JShell Injection
This bug was reported directly to GitHub Security Lab...
Urban Company: Broken Link on Urban Company's Vulnerability Submission Form
Summary: - Urban Company has an unclaimed broken link on their HackerOne security page which can be claimed by any malicious user. And then later the malicious user can exploit this issue to deceive new researchers to submit their legitimate findings to the wrong hands. Steps To Reproduce: 1.Visi...
Nextcloud: Password policy changes not enforced for existing passwords
So this is two reports in one. Sort of. But they are the same issue, or at least related. 1. When you setup your nextcloud there is no password policy at all. There is the strength indicator. I get the password policy app is not yet active at that point. But a minimum length would not be that...
GitHub Security Lab: Java: CWE-652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
This bug was reported directly to GitHub Security Lab...
h1-ctf: Taking Grinch Down To Save Holidays
Hi thank you Hackerone and Adam for organizing the CTF, this had honestly helped me to learn good skills and techniques. The CTF began with the scope: hackyholidays.h1ctf.com and mission to take down grinch So here's a quick visual summary of all the challenges F1131175 F1131176 1. Grinch Robots ...
U.S. Dept Of Defense: SQLi in login form of █████
Summary The following is vulnerable to a sqli, due to a limited char set this is t██████████y to demonstrate and not picked up by sqlmap. POST /██████████.asp HTTP/█████.████ Host: ███████ Description POST /██████.asp HTTP/████.███ Host: █████ Connection: close Content-Length: 45 Cache-Control:...
BugPoC: XSS Challenge #2 Solution
Summary: An attacker can achieve arbitrary JavaScript execution in the context of the user's session on calc.buggywebsite.com. This is possible due to a weak origin check in the message event handler in http://calc.buggywebsite.com/frame.js as well as improper handling of the message data, allowi...
QIWI: CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco
Steps to reproduce: I could delete arbitrary files from https://79.142.21.220/ using CVE-2020-3187. POC video is attached. Browser/OS: Chrome/Windows ALSO Cisco ASA - Arbitary File Read - CVE-2020-3452 the file downloaded also attached here for poc Impact Impact: RCE is P1 critical vulnerability,...
PayPal: RCE via npm misconfig -- installing internal libraries from the public registry
A Bug Bounty researcher identified an issue where certain development projects defaulted to the public NPM registry, instead of using the intended internal packages. Since the packages on the public registry did not exist, the researcher created these and observed they were downloaded. Had these...
Node.js third-party modules: Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS
I would like to report a denial of service vulnerability in fastify It allows to cause a DoS with some schemas that were otherwise assumed to be secure against DoS by their authors Module module name: fastify version: 2.14.1, 3.0.0-rc.4 npm page: https://www.npmjs.com/package/fastify Module...
h1-ctf: [H1-2006 2020] CTF write-up
Hello, thank you for the awesome CTF! I definetly learned a lot. For now I will submit just the Flag. I am going to follow up with the Writeup as soon as possible. ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Kind regards, Alex - hackingfish Attached: A screenshot of the site which is showing the...
Visma Public: Read-only user can access payroll information without having access to payroll.
The researcher found that a read-only user without having access to payroll can still access all the data in payroll tab, by visiting the url directly, thus resulting into an unauthorized access...
Reddit: registering with the same email address multiple times leads to account takeover
i'm not sure if this issue is in scope or not or if it's intended , kindly if you don't accept this issue please close it as informative , thanks in advance Summary: the ability of the user to register many times using the same mail address can lead to account take over Steps To Reproduce: 1...
GitHub Security Lab: CodeQL query for finding CSRF vulnerabilities in Spring applications
This bug was reported directly to GitHub Security Lab...
Pornhub: SSRF and local file disclosure by video upload on https://www.redtube.com/upload
The researcher was successful in exploiting a vulnerability in 3rd party encoding library resulting in the execution of SSRF attacks and Local File Disclosure...
Upserve : Open redirect at https://inventory.upserve.com/http://google.com/
The following URL is vulnerable to an open redirect it will redirect to stanko.sh: https://inventory.upserve.com/http://stanko.sh/ Impact Users could get redirected to malicious domain...
HackerOne: Self DOM-Based XSS in www.hackerone.com
Summary: There is a 'self' DOM-based cross-site scripting vulnerability in the contact form available on the www.hackerone.com website. This could allow an attacker to perform cross-site scripting, or other client-side attacks, against users of the application. However, the risk presented by this...
Rootstock Labs: JSON RPC methods for debugging enabled by default allow DoS
A vulnerability was discovered in the RSK JSON-RPC server that allowed an attacker to cause a denial of service DoS attack by sending the evmreset command. The server would hang, become slow, and eventually become synced to block 0, resulting in a loss of service and responsiveness to all users...
Coinbase: Stored CSS Injection
When creating a product, users can upload a logo. The logourl was not escaped properly, allowing an attacker to inject malicious characters into a style tag. This vulnerability did not allow for XSS due to our CSP, however, it did allow for CSS injection...
WakaTime: Can link to websites from profile
when I input a website to my profile it creates tag link: test.org this is a flaw, how? if the owner of the profile and a malicious link it is possible to redirect the user to a phishing page of wakatime. Here's the scenario of this attack: 1 Attacker put a malicious link on his profile. 2 Once t...
WakaTime: Failure to check password history
I discovered that old passwords could be reused and believe that wakatime.com could benefit if there was a check for old passwords in your database. Because password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period ...
Internet Bug Bounty: OOB write in MDC2_Update() (CVE-2016-6303)
An overflow can occur in MDC2Update either if called directly or through the EVPDigestUpdate function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVPEncryptUpdate with a partial block then a length check can overflow resulting in a heap...
Ubiquiti Inc.: Wordpress directories/files visible to internet
Issue During my testing I noticed that ubnt website https://directory.corp.ubnt.com seems to leak some data into internet. Wordpress directory https://directory.corp.ubnt.com/wp-content/uploads/ is showing files which I suppose shouldn't be visible to internet. I noticed that these files include...
Starbucks: Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com)
Hello, during some open redirects testing, I have noticed a very strange redirect that occured when I had modified a parameter using something like cofee. I have digged up further and then I have noticed that one can make a redirect by modifying GET parameters with this structure : //google.com...
Bumble: [CRITICAL] Full account takeover using CSRF
Hi , I have found a CSRF issue that allows an attacker to link his gmail , facebook ... or any social account to the victim's account and hijack the whole account. Details: When a user tries to link a gmail account with his account , after he authorizes badoo to use his gmail account he will be...
U.S. Dept Of Defense: Adobe ColdFusion - Access Control Bypass [CVE-2023-38205] at ██████
An access control bypass vulnerability was discovered in Adobe ColdFusion, allowing attackers to bypass the restriction on external access to the ColdFusion Administrator...
Fastly VDP: CVE-2018-6389 exploitation - using scripts loader
Vulnerability description not provided...
EXNESS: SSRF in graphQL query (pwapi.ex2b.com)
An SSRF vulnerability was discovered in the GraphQL query for allTicks on the pwapi.ex2b.com website. This vulnerability allowed an attacker to set the source parameter to perform arbitrary GET requests, potentially compromising internal services exposed to internal network requests...
curl: curl file writing susceptible to symlink attacks
Summary: If curl command is used to download a file with predictable file name to a world writable directory such as /tmp, a local attacker is able to mount a symlink attack to either A redirect the target file writing to another file writable by the user or B replace the downloaded file contents...
Internet Bug Bounty: potential denial of service attack via the locale parameter
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a denial of service attack via the locale parameter, which is treated as a regular expression. Impact By crafting a Python regex, a vulnerable site could suffer a DOS attack. The attack was...
Glassdoor: Web Cache Poisoning leads to XSS and DoS
@nokline and @bombon were able to utilize URL parser confusion in combination with reflected XSS under https://glassdoor.com/Job/ and https://glassdoor.com/mz-survey/interview/collectQuestionsinput.htm/ by caching XSS payloads via cookie and header params into a stored XSS for URLs /Award/ and...
Cloudflare Public Bug Bounty: HTTP request smuggling with Origin Rules using newlines in the host_header action parameter
The hostheader action parameter available to rulesets in the Origin Rules API lacked sufficient input validation i.e., allowing CRLF characters. Because of this, it was possible to inject arbitrary headers and, as a consequence, smuggle HTTP requests. This vulnerability enabled bypassing security...
Tor: Tor Browser using --log or --verbose logs the exact connection time a client connects to any v2 domains.
Summary: A vulnerability in the Tor Browser 78.11.0esr and below allows a local or physical attacker to view metadata about v2 domains, namely the exact timestamp that a user connected to a v2 onion address while using either the --log or --verbose command line options. A local or physical attack...
Basecamp: Information Disclosure .htaccess accesible for public
Hello team! While doing a preliminary recon on the sub domain of "launchpad.37signals.com" I've come across a few sensitive files that should not be facing the public web; I'll leave you a list organized by criticality and some proof. Information disclosure of path .htaccess on the subdomain of...
Sifchain: Clickjacking Vulnerability in sifchain.finance
Hello team - Greetings! Hope you are fine. sifchain.finance website is vulnerable to Clickjacking. NOT ONLY THE HOME PAGE IS VULNERABLE, ALL THE PAGES IN THE WEBSITE IS VULNERABLE TO CLICKJACKING. And it has to be fixed because, Clickjacking is an attack that tricks the user to click a webpage...
Kaspersky: Several domains on kaspersky.com are vulnerable to Web Cache Deception attack
Reported security issue allowed a potential attacker to steal potentially sensitive information of users of a website, because multiple subdomains of the Kaspersky domain were vulnerable to web cache deception attack. In this scenario the user needs to open a phishing link in a web browser. The...
QIWI: SSRF на https://qiwi.com с помощью "Prerender HAR Capturer"
Здравствуйте! На сайте https://qiwi.com вы используете Prerender HAR Capturer 5.6.0 на основе Headless Chrome для рендеринга HTML, снимков экрана, PDF-файлов и файлов HAR с любой веб-страницы https://github.com/prerender/prerender. Если на qiwi.com послать запрос с измененным юзер-агентом...
Shopify: XSS at https://exchangemarketplace.com/blogsearch
There is an XSS vulnerability on https://exchangemarketplace.com/blogsearch page through the q parameters. https://exchangemarketplace.com/blogsearch?q=OnMoUsEoVeR=prompt/hacked/// F1251282 Impact XSS at https://exchangemarketplace.com/blogsearch...
Ruby on Rails: redirect_to(["string"]) remote code execution
For example, redirecttoparams:userinput with a URL of ?userinput=something calls the method somethingurl and tries to redirect the return value of the method. If this call is on an unauthenticated route, it would allow an external user to test if a route name exists by determining if the app 500s...
Doppler VDP: Access page must be reloaded to perform multiple requests
Hello team, I have found a authorization issues in your website. With this issue Low privileged user's like collaborator users can still access DEV environment even workplace owner unchecked dev access permission from owner account. With this issue collaborator user can unlimited access that dev...
Shopify: Self xss in product reviews
1、install app Product Reviews F1070556 2、Open a product and write a review 3、Press F12 on the keyboard,Change the type of email to text. 4、Write in email"[email protected]. F1070565 5、Write other required fields,then submit. F1070566 Impact Self xss...
lemlist: Stored XSS in app.lemlist.com
Summary: add summary of the vulnerability Steps To Reproduce: - Go to Company Buddies-to-Be Custom variables - Add malicious code: " onmouseover="confirmdocument.domain" a=" F915718 - Go to Company Messages Blank email - In the WYSIWYG editor select Custom variables - Malicious code executed...
lemlist: stored xss via Campaign Name.
Summary: Hi, I found a stored xss https://app.lemlist.com Steps To Reproduce: 1. go to https://app.lemlist.com/. 2. create or edit campaigns. 3. set the payload / in the Campaign Name. 4. visit Buddies-to-Be tab . 5. click Add one on the right Top . or click on one of the list of Contact 6. you...
h1-ctf: [H1-2006 2020] The Story of Making Bounty Hunters Happy
Disclaimer: I will try to make this post a fun read, given that whoever triagges will be probably going through similar write-ups again and again. The beginning: Being away from HackerOne over a month had made me rusty. Although the call to arms for Mr. Mickos and the community could not be left...