h1-ctf: [H1-2006 2020] CTF write-up
Hello, thank you for the awesome CTF! I definitely learned a lot. For now I will submit just the flag. I am going to follow up with the write-up as soon as possible. ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Kind regards, Alex - hackingfish Attached: A screenshot of the site which is showing the...
Starbucks: Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages
Hi team, Summary: There is a cross-site scripting vulnerability on the login page of www.starbucks.com and various regions, due to improper escaping on the URL path. Description: The login page at https://www.starbucks.com/account/signin builds several links by the relative URL path. An attacker...
Starbucks: Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number
nnez discovered that after a successful card balance transfer between two of their own registered Thailand Starbucks cards, they could update the 2nd card number URL parameter to another known Thailand Starbucks card number and view that 2nd card balance. @nnez — thank you for reporting this...
Reddit: registering with the same email address multiple times leads to account takeover
I'm not sure if this issue is in scope or not, or if it's intended; kindly, if you don't accept this issue, please close it as informative. Thanks in advance. Summary: the ability of a user to register many times using the same mail address can lead to account takeover. Steps To Reproduce: 1...
Pornhub: SSRF and local file disclosure by video upload on https://www.redtube.com/upload
The researcher was successful in exploiting a vulnerability in 3rd party encoding library resulting in the execution of SSRF attacks and Local File Disclosure...
HackerOne: Disclosure of h1 challenges name through the calendar
Summary: It seems like the Calendar somehow grabs the name of the target for a h1 challenge even though the target name is not public. Description: h1challenges do not disclose the name of the target until the time it starts. For example for this challenge: █████ the name of the target is not...
OLX: Cross-site Scripting (XSS) - Reflected
Dear OLX Security team, I want to report the findings of a security gap on the olx.co.id website; the detailed findings are as follows: impact: https://www.olx.co.id/adminpanel/login/ Payload : ope8i"alert1grpo8 POC: parameter = userpassword POST /adminpanel/login/?ref0action=index&ref0method=ind...
Coinbase: Stored CSS Injection
When creating a product, users can upload a logo. The logourl was not escaped properly, allowing an attacker to inject malicious characters into a style tag. This vulnerability did not allow for XSS due to our CSP, however, it did allow for CSS injection...
Node.js third-party modules: [crud-file-server] Path Traversal allows to read arbitrary file from the server
Hi guys, there is a path traversal vulnerability in the crud-file-server module, which allows reading arbitrary files from the remote server. Module: crud-file-server. This package exposes a directory and its children to create, read, update, and delete operations over HTTP...
WakaTime: Can link to websites from profile
When I input a website to my profile it creates a tag link: test.org. This is a flaw, how? If the owner of the profile adds a malicious link, it is possible to redirect the user to a phishing page of WakaTime. Here's the scenario of this attack: 1. Attacker puts a malicious link on his profile. 2. Once t...
Zomato: [www.zomato.com] Union SQLi + Waf Bypass
Summary @gerbenjavado found a SQL injection vulnerability in one of our endpoints and he was able to bypass our WAF...
Starbucks: Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com)
Hello, during some open redirect testing, I noticed a very strange redirect that occurred when I had modified a parameter using something like cofee. I dug further and then noticed that one can make a redirect by modifying GET parameters with this structure: //google.com...
Eobot: No password length restriction
Hello Eobot, I am able to sign up on your web application using a 100000-character password, which may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing...
X (Formerly Twitter): csp bypass + xss
Hi, On my previous report number 126464 I've mentioned that analytics.twitter.com has a CSP bypass which I couldn't exploit that time. Now, I've found a reflected XSS on careers.twitter.com which again I couldn't exploit by itself. Because you have CSP, and I've combined two of them to successful...
Pornhub: [RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com
Researcher was able to exploit a serialization error in the SimpleXMLElement class to perform object injection using the callbackUrl parameter. Researcher was successful in achieving the following: SSRF Local file inclusion Limited execution of database commands without output I exploited the...
Moneybird: Malicious File Upload
This researcher found a vulnerability in which it was possible to upload attachments with malicious extensions. We have implemented a security filter to prevent these attachments from being uploaded...
Uzbey: CMS Information Disclosure
Hi, I noticed that the CHANGELOG.txt discloses the Drupal version. It might help an attacker to perform information gathering and to find the vulnerabilities for that version. PoC: https://staging.uzbey.com/CHANGELOG.txt...
HackerOne: Insecure Direct Object Reference (IDOR) Allows Viewing Private Report Details via /bugs.json Endpoint
The Insecure Direct Object Reference (IDOR) vulnerability allowed viewing private report details through the /bugs.json endpoint. Any private reports could be accessed by sending a POST request to the endpoint with the organization ID and a single-digit text query. This gave access to sensitive...
Internet Bug Bounty: CVE-2023-27533: TELNET option IAC injection
A vulnerability CVE-2023-27533 was found in curl versions 7.7 to 7.88.1 that allowed users to pass on user name and "telnet options" for server negotiation without proper input scrubbing, potentially allowing for the injection of unintended TELNET commands to the telnet connection. The severity o...
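In TELNET (RFC 854) the byte 0xFF is IAC, "Interpret As Command": anything that follows it on the wire is parsed as a protocol command, so a user-controlled value copied into an option negotiation without scrubbing lets the user inject commands. The following is an added example, not curl's code and not curl's actual fix: the two defences an application has for this class of bug, an input-boundary check that only admits printable ASCII for option values, and the wire-level escape that doubles IAC so the peer reads it as a literal data byte. The "injected" buffer is constructed for the example.

```javascript
// Added example (not curl's code): handling the TELNET IAC byte in
// user-supplied data. IAC = 0xFF per RFC 854.
const IAC = 0xff;

// Input-boundary check for values that end up inside an option negotiation
// (user name, terminal type, environment variables): accept printable ASCII
// only. That excludes IAC as well as the other control bytes the TELNET
// command parser reacts to.
function isSafeTelnetOptionValue(value) {
  return /^[\x20-\x7e]*$/.test(value);
}

// Wire-level escape for arbitrary bytes sent as TELNET data (not inside an
// option negotiation): every 0xFF is doubled, which the peer decodes back to
// a single literal 0xFF instead of treating it as the start of a command.
function escapeTelnetData(buf) {
  const out = [];
  for (const b of buf) {
    out.push(b);
    if (b === IAC) out.push(IAC);
  }
  return Buffer.from(out);
}

// Constructed injection attempt: a "user name" of "ab" followed by
// IAC WILL ECHO (FF FB 01), which an unscrubbed client would emit verbatim.
const injected = Buffer.from([0x61, 0x62, IAC, 0xfb, 0x01]);

module.exports = { IAC, isSafeTelnetOptionValue, escapeTelnetData, injected };
```

Rejecting at the input boundary is the right choice for option values, because a doubled IAC inside a negotiation sub-option is not what the protocol expects there; doubling is for the data stream.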
MTN Group: CVE-2021-38314 @ https://www.mtn.co.rw
Summary: Hello. Your domain https://www.mtn.co.rw was vulnerable to CVE-2021-38314. Description: The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in...
Basecamp: Information Disclosure .htaccess accessible for public
Hello team! While doing a preliminary recon on the sub domain of "launchpad.37signals.com" I've come across a few sensitive files that should not be facing the public web; I'll leave you a list organized by criticality and some proof. Information disclosure of path .htaccess on the subdomain of...
Urban Company: Broken Link on Urban Company's Vulnerability Submission Form
Summary: - Urban Company has an unclaimed broken link on their HackerOne security page which can be claimed by any malicious user. And then later the malicious user can exploit this issue to deceive new researchers to submit their legitimate findings to the wrong hands. Steps To Reproduce: 1. Visi...
Nextcloud: Password policy changes not enforced for existing passwords
So this is two reports in one. Sort of. But they are the same issue, or at least related. 1. When you setup your nextcloud there is no password policy at all. There is the strength indicator. I get the password policy app is not yet active at that point. But a minimum length would not be that...
GitHub Security Lab: Java: CWE-652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
This bug was reported directly to GitHub Security Lab...
h1-ctf: Taking Grinch Down To Save Holidays
Hi, thank you HackerOne and Adam for organizing the CTF; this has honestly helped me to learn good skills and techniques. The CTF began with the scope hackyholidays.h1ctf.com and the mission to take down the Grinch. So here's a quick visual summary of all the challenges F1131175 F1131176 1. Grinch Robots ...
GitHub Security Lab: Java: Detect remote source from Android intent extra
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: SQLi in login form of █████
Summary The following is vulnerable to a sqli, due to a limited char set this is t██████████y to demonstrate and not picked up by sqlmap. POST /██████████.asp HTTP/█████.████ Host: ███████ Description POST /██████.asp HTTP/████.███ Host: █████ Connection: close Content-Length: 45 Cache-Control:...
BugPoC: XSS Challenge #2 Solution
Summary: An attacker can achieve arbitrary JavaScript execution in the context of the user's session on calc.buggywebsite.com. This is possible due to a weak origin check in the message event handler in http://calc.buggywebsite.com/frame.js as well as improper handling of the message data, allowi...
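The summary names two defects: a weak origin check in the message event handler and improper handling of the message data. The following is an added example, not the challenge's frame.js and not the author's solution: a substring-style origin check beside an exact-match one, and a handler that validates the message shape before acting on it. The trusted origin and the message fields (op, value) are assumptions for the example.

```javascript
// Added example (not the challenge's code): postMessage origin and payload
// validation. The trusted origin below is taken from the report's hostname;
// the message shape {op, value} is an assumption for the example.
const TRUSTED_ORIGIN = 'https://calc.buggywebsite.com';

// Weak: matches any origin that merely contains the expected host name, so
// https://calc.buggywebsite.com.attacker.example passes.
function weakOriginCheck(origin) {
  return origin.indexOf('calc.buggywebsite.com') !== -1;
}

// Strict: compares the full origin, scheme and port included. event.origin
// is set by the browser and cannot be spoofed by the sender.
function strictOriginCheck(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Handler that checks origin first, then the shape of event.data, so that
// even a message from the trusted origin cannot smuggle an arbitrary string
// into code that later evaluates or inserts it into the DOM.
function handleMessage(event) {
  if (!strictOriginCheck(event.origin)) return { accepted: false, reason: 'origin' };
  const { data } = event;
  if (typeof data !== 'object' || data === null) return { accepted: false, reason: 'shape' };
  if (typeof data.op !== 'string' || !['add', 'sub'].includes(data.op)) return { accepted: false, reason: 'shape' };
  if (typeof data.value !== 'number' || !Number.isFinite(data.value)) return { accepted: false, reason: 'shape' };
  return { accepted: true, op: data.op, value: data.value };
}

// In a browser frame this would be wired up as:
//   window.addEventListener('message', (e) => { const r = handleMessage(e); /* act on r */ });

module.exports = { TRUSTED_ORIGIN, weakOriginCheck, strictOriginCheck, handleMessage };
```

Note that the message data is treated as a typed command, not as a string to be inserted into the page; that removes the second half of the bug even if a trusted page is itself compromised.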
lemlist: Stored XSS in app.lemlist.com
Summary: add summary of the vulnerability Steps To Reproduce: - Go to Company > Buddies-to-Be > Custom variables - Add malicious code: " onmouseover="confirm(document.domain)" a=" F915718 - Go to Company > Messages > Blank email - In the WYSIWYG editor select Custom variables - Malicious code executed...
PayPal: RCE via npm misconfig -- installing internal libraries from the public registry
A Bug Bounty researcher identified an issue where certain development projects defaulted to the public NPM registry, instead of using the intended internal packages. Since the packages on the public registry did not exist, the researcher created these and observed they were downloaded. Had these...
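The entry describes dependency confusion: a build that asks the public registry for a package name that only exists internally, so whoever publishes that name publicly gets installed. The following is an added example, not PayPal's tooling or the researcher's code: a check that walks a package-lock.json (lockfile v2/v3 "packages" map) and flags packages whose name is internal but whose "resolved" URL is not the internal registry, plus the .npmrc line that pins a scope to that registry. The internal scope, internal package names, registry URL and the lockfile content are all constructed for the example.

```javascript
// Added example (not PayPal's code): detecting dependency-confusion installs
// from a lockfile. Scope, names, registry and lockfile below are assumptions.
const INTERNAL_SCOPES = ['@acme'];                            // assumption
const INTERNAL_NAMES = new Set(['acme-internal-widget']);     // assumption: unscoped internal packages
const INTERNAL_REGISTRY = 'https://npm.internal.acme.example/'; // assumption

function isInternalName(name) {
  return INTERNAL_NAMES.has(name) || INTERNAL_SCOPES.some((s) => name.startsWith(s + '/'));
}

// Package name from a lockfile "packages" key such as
// "node_modules/foo/node_modules/@acme/bar" -> "@acme/bar".
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Returns every internal package that was resolved from somewhere other than
// the internal registry. An internal name resolved from registry.npmjs.org
// means the public registry won the lookup.
function findConfusedPackages(lock, internalRegistry = INTERNAL_REGISTRY) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const name = entry.name || nameFromLockKey(key);
    if (!isInternalName(name)) continue;
    const resolved = entry.resolved || '';
    if (!resolved.startsWith(internalRegistry)) {
      findings.push({ name, version: entry.version, resolved });
    }
  }
  return findings;
}

// .npmrc line that pins a scope to the internal registry so the public
// registry is never consulted for it. Unscoped internal names have no such
// pin; scoping them is the durable fix.
function npmrcScopeLine(scope, registry = INTERNAL_REGISTRY) {
  return `${scope}:registry=${registry}`;
}

// Constructed lockfile: one scoped and one unscoped internal package came from
// the public registry, one came from the internal registry, lodash is public.
const SAMPLE_LOCK = {
  name: 'payments-ui',
  lockfileVersion: 3,
  packages: {
    '': { name: 'payments-ui', dependencies: { '@acme/auth-client': '^1.0.0', 'acme-internal-widget': '^2.0.0', lodash: '^4.17.21' } },
    'node_modules/@acme/auth-client': { version: '99.0.1', resolved: 'https://registry.npmjs.org/@acme/auth-client/-/auth-client-99.0.1.tgz' },
    'node_modules/acme-internal-widget': { version: '99.0.0', resolved: 'https://registry.npmjs.org/acme-internal-widget/-/acme-internal-widget-99.0.0.tgz' },
    'node_modules/@acme/logger': { version: '2.3.0', resolved: 'https://npm.internal.acme.example/@acme/logger/-/logger-2.3.0.tgz' },
    'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
  },
};

module.exports = { findConfusedPackages, npmrcScopeLine, nameFromLockKey, SAMPLE_LOCK };
```

The implausibly high version numbers in the sample are deliberate: an attacker publishing a confused package picks a version that beats whatever the internal registry holds, so "highest version wins" resolution prefers it. Running this over lockfiles in CI turns the footprint into a blocking check.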
Node.js third-party modules: Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS
I would like to report a denial of service vulnerability in fastify. It makes it possible to cause a DoS with some schemas that were otherwise assumed to be secure against DoS by their authors. Module: fastify, version: 2.14.1, 3.0.0-rc.4, npm page: https://www.npmjs.com/package/fastify Module...
Visma Public: Read-only user can access payroll information without having access to payroll.
The researcher found that a read-only user without access to payroll can still access all the data in the payroll tab by visiting the URL directly, resulting in unauthorized access...
GitHub Security Lab: CodeQL query for finding CSRF vulnerabilities in Spring applications
This bug was reported directly to GitHub Security Lab...
Upserve: Open redirect at https://inventory.upserve.com/http://google.com/
The following URL is vulnerable to an open redirect it will redirect to stanko.sh: https://inventory.upserve.com/http://stanko.sh/ Impact Users could get redirected to malicious domain...
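This entry and the Starbucks entry above show two shapes of the same bug: a full URL embedded in the path (`/http://stanko.sh/`) and a scheme-relative value (`//google.com`) that the application hands to a redirect. The following is an added example, not Upserve's or Starbucks' code: a function that resolves the requested target against the site's own origin and only follows it if the result stays on that origin, returning an absolute URL so a scheme-relative `//host` can never leak into the Location header. The site origin is taken from the report; the request paths used in the checks are constructed.

```javascript
// Added example (not the reported sites' code): same-origin redirect target
// validation. SITE_ORIGIN is the host from the report above.
const SITE_ORIGIN = 'https://inventory.upserve.com';

// Resolve the requested target relative to our own origin and accept it only
// if the resulting origin is ours. Always return an absolute URL on our
// origin: returning a bare path would reintroduce the "//host" ambiguity,
// because "/\evil.com" normalises to the path "//evil.com".
function safeRedirectTarget(requested, siteOrigin = SITE_ORIGIN) {
  const home = new URL('/', siteOrigin).href;
  let url;
  try {
    url = new URL(requested, siteOrigin);
  } catch {
    return home; // unparsable input
  }
  if (url.origin !== new URL(siteOrigin).origin) return home; // foreign host, or "null" for javascript:/data:
  return url.href;
}

module.exports = { SITE_ORIGIN, safeRedirectTarget };
```

Note what this does with the path-embedded case: `/http://stanko.sh/` resolves to a path on the site's own origin and is returned as such, which is harmless; the original bug was the application treating that path as a URL in its own right.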
Ian Dunn: Security issue: Github repo's wiki publicly editable
Hello Team, the GitHub repo's wiki page is publicly editable. This enables an attacker to edit the wiki pages of the affected repos, adding content that may link to malicious code libraries that would be installed and used by developers, or information that may mislead users. POC Links:...
HackerOne: Self DOM-Based XSS in www.hackerone.com
Summary: There is a 'self' DOM-based cross-site scripting vulnerability in the contact form available on the www.hackerone.com website. This could allow an attacker to perform cross-site scripting, or other client-side attacks, against users of the application. However, the risk presented by this...
Rootstock Labs: JSON RPC methods for debugging enabled by default allow DoS
A vulnerability was discovered in the RSK JSON-RPC server that allowed an attacker to cause a denial of service (DoS) attack by sending the evmreset command. The server would hang, become slow, and eventually become synced to block 0, resulting in a loss of service and responsiveness to all users...
WakaTime: Failure to check password history
I discovered that old passwords could be reused and believe that wakatime.com could benefit if there was a check for old passwords in your database. Because password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period ...
Internet Bug Bounty: OOB write in MDC2_Update() (CVE-2016-6303)
An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap...
Ubiquiti Inc.: Wordpress directories/files visible to internet
Issue: During my testing I noticed that the ubnt website https://directory.corp.ubnt.com seems to leak some data to the internet. The WordPress directory https://directory.corp.ubnt.com/wp-content/uploads/ is showing files which I suppose shouldn't be visible to the internet. I noticed that these files include...
ok.ru: [insideok.ru] Database Dump
http://insideok.ru/db.sql Inside: admin accounts as of 2016. -- Host: localhost -- Generation time: Sep 03 2016, 12:00 -- Server version: 5.5.47-cll-lve -- PHP version: 5.4.45 Table structure for table users CREATE TABLE IF NOT EXISTS users (id int(11) unsigned NOT NULL, █████ ███████ ███████ ██████████...
ownCloud: User Information Disclosure via REST API
Hello, the REST API allows anonymous access to functionality that lets a hacker list all users who have published a post on a WordPress site. Unfortunately, this generally includes the admin account. POC: https://owncloud.com/wp-json/wp/v2/users/ https://owncloud.com/wp-json/wp/v2/users/1/ Kind...
Bumble: [CRITICAL] Full account takeover using CSRF
Hi , I have found a CSRF issue that allows an attacker to link his gmail , facebook ... or any social account to the victim's account and hijack the whole account. Details: When a user tries to link a gmail account with his account , after he authorizes badoo to use his gmail account he will be...
Udemy: teach.udemy.com log poisoning vulnerability through WordPress debug.log being publicly available
Hello Udemy, your site teach.udemy.com has its debug.log publicly available, consisting of 1 GB of debug logs. The logs don't expose critical information except for some user IP addresses, mail addresses and other info, but it may lead to remote code execution, since the logs also store user agent...
curl: TLS conn reuse and session cache ignore fsslctx callback and ssl_config_data flags ( incomplete fix variant of 7541ae569 )
Summary match_ssl_primary_config in lib/vtls/vtls.c:194 and the session-cache key built by cf_ssl_peer_key_build in lib/vtls/vtls_scache.c:240 both compare only struct ssl_primary_config fields when deciding whether to reuse a TLS connection or cached session. Several fields that materially change the TLS...
HackerOne: Support Tickets can be created on behalf of other users using spoofed email | Bypass of #2001913
A vulnerability allowed an attacker to create support tickets on behalf of other users by sending a fake email to [email protected]. This bypassed a previous fix implemented by HackerOne to prevent support tickets from being created via email...
U.S. Dept Of Defense: Adobe ColdFusion - Access Control Bypass [CVE-2023-38205] at ██████
An access control bypass vulnerability was discovered in Adobe ColdFusion, allowing attackers to bypass the restriction on external access to the ColdFusion Administrator...
Node.js: process.binding() can bypass the permission model through path traversal
The use of the deprecated API process.binding allowed for bypassing the permission model in Node.js 20.x through path traversal...
Fastly VDP: CVE-2018-6389 exploitation - using scripts loader
Vulnerability description not provided...
EXNESS: SSRF in graphQL query (pwapi.ex2b.com)
An SSRF vulnerability was discovered in the GraphQL query for allTicks on the pwapi.ex2b.com website. This vulnerability allowed an attacker to set the source parameter to perform arbitrary GET requests, potentially compromising internal services exposed to internal network requests...