U.S. Dept Of Defense: SQLi in login form of █████
Summary: The following is vulnerable to an SQLi; due to a limited char set, this is t██████████y to demonstrate and not picked up by sqlmap. POST /██████████.asp HTTP/█████.████ Host: ███████ Description POST /██████.asp HTTP/████.███ Host: █████ Connection: close Content-Length: 45 Cache-Control:...
BugPoC: XSS Challenge #2 Solution
Summary: An attacker can achieve arbitrary JavaScript execution in the context of the user's session on calc.buggywebsite.com. This is possible due to a weak origin check in the message event handler in http://calc.buggywebsite.com/frame.js as well as improper handling of the message data, allowi...
QIWI: CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco
Steps to reproduce: I could delete arbitrary files from https://79.142.21.220/ using CVE-2020-3187. POC video is attached. Browser/OS: Chrome/Windows ALSO Cisco ASA - Arbitrary File Read - CVE-2020-3452; the file downloaded is also attached here for POC. Impact Impact: RCE is a P1 critical vulnerability,...
lemlist: Stored XSS in app.lemlist.com
Summary: add summary of the vulnerability Steps To Reproduce: - Go to Company Buddies-to-Be Custom variables - Add malicious code: " onmouseover="confirmdocument.domain" a=" F915718 - Go to Company Messages Blank email - In the WYSIWYG editor select Custom variables - Malicious code executed...
PayPal: RCE via npm misconfig -- installing internal libraries from the public registry
A Bug Bounty researcher identified an issue where certain development projects defaulted to the public NPM registry, instead of using the intended internal packages. Since the packages on the public registry did not exist, the researcher created these and observed they were downloaded. Had these...
Node.js third-party modules: Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS
I would like to report a denial of service vulnerability in fastify. It allows causing a DoS with some schemas that were otherwise assumed to be secure against DoS by their authors. Module module name: fastify version: 2.14.1, 3.0.0-rc.4 npm page: https://www.npmjs.com/package/fastify Module...
Reddit: registering with the same email address multiple times leads to account takeover
I'm not sure if this issue is in scope or not, or if it's intended; kindly, if you don't accept this issue, please close it as informative. Thanks in advance. Summary: the ability of the user to register many times using the same mail address can lead to account takeover. Steps To Reproduce: 1...
GitHub Security Lab: CodeQL query for finding CSRF vulnerabilities in Spring applications
This bug was reported directly to GitHub Security Lab...
Brave Software: Stored XSS in localhost:* via integrated torrent downloader
Summary: Because the filename of the downloading torrent file isn't sanitized, an attacker is able to execute arbitrary JavaScript on localhost:* by abusing a crafted torrent file. Products affected: Brave 0.68.131 Chromium: 76.0.3809.100 Official Build Steps To Reproduce: 1. Open...
Upserve: Open redirect at https://inventory.upserve.com/http://google.com/
The following URL is vulnerable to an open redirect; it will redirect to stanko.sh: https://inventory.upserve.com/http://stanko.sh/ Impact Users could get redirected to a malicious domain...
Node.js third-party modules: [crud-file-server] Path Traversal allows to read arbitrary file from the server
Hi Guys, There is a Path Traversal vulnerability in the crud-file-server module, which allows reading arbitrary files from the remote server. Module crud-file-server This package exposes a directory and its children to create, read, update, and delete operations over http...
WakaTime: Failure to check password history
I discovered that old passwords could be reused and believe that wakatime.com could benefit if there was a check for old passwords in your database, because password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period ...
Ubiquiti Inc.: Wordpress directories/files visible to internet
Issue During my testing I noticed that ubnt website https://directory.corp.ubnt.com seems to leak some data into internet. Wordpress directory https://directory.corp.ubnt.com/wp-content/uploads/ is showing files which I suppose shouldn't be visible to internet. I noticed that these files include...
ok.ru: [insideok.ru] Database Dump
http://insideok.ru/db.sql Inside: admin accounts as of 2016. -- Host: localhost -- Creation time: Sep 03 2016, 12:00 -- Server version: 5.5.47-cll-lve -- PHP version: 5.4.45 Table structure for users CREATE TABLE IF NOT EXISTS users id int11 unsigned NOT NULL, █████ ███████ ███████ ██████████...
Moneybird: Malicious File Upload
This researcher found a vulnerability in which it was possible to upload attachments with malicious extensions. We have implemented a security filter to prevent these attachments from being uploaded...
HackerOne: Bypassing the victim's phone number OTP in the account recovery process on the https://hackerone.com/settings/auth/setup_account_recovery
Vulnerability description not provided...
Node.js: process.binding() can bypass the permission model through path traversal
The use of the deprecated API process.binding allowed for bypassing the permission model in Node.js 20.x through path traversal...
curl: curl file writing susceptible to symlink attacks
Summary: If the curl command is used to download a file with a predictable file name to a world-writable directory such as /tmp, a local attacker is able to mount a symlink attack to either (A) redirect the target file writing to another file writable by the user or (B) replace the downloaded file contents...
Internet Bug Bounty: potential denial of service attack via the locale parameter
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a denial of service attack via the locale parameter, which is treated as a regular expression. Impact By crafting a Python regex, a vulnerable site could suffer a DOS attack. The attack was...
Cloudflare Public Bug Bounty: HTTP request smuggling with Origin Rules using newlines in the host_header action parameter
The host_header action parameter available to rulesets in the Origin Rules API lacked sufficient input validation, i.e., it allowed CRLF characters. Because of this, it was possible to inject arbitrary headers and, as a consequence, smuggle HTTP requests. This vulnerability enabled bypassing security...
curl: CVE-2021-22946: Protocol downgrade required TLS bypassed
Summary: In imap and pop3, --ssl-reqd is silently ignored if the capability command failed. In ftp, a non-standard 230 response (preauthentication?) in the greeter message forces curl to continue unencrypted, even if TLS has been required. Steps To Reproduce: Use a parameterizable test server to fa...
Tor: Tor Browser using --log or --verbose logs the exact connection time a client connects to any v2 domains.
Summary: A vulnerability in the Tor Browser 78.11.0esr and below allows a local or physical attacker to view metadata about v2 domains, namely the exact timestamp that a user connected to a v2 onion address while using either the --log or --verbose command line options. A local or physical attack...
Sifchain: Clickjacking Vulnerability in sifchain.finance
Hello team - Greetings! Hope you are fine. The sifchain.finance website is vulnerable to Clickjacking. NOT ONLY THE HOME PAGE IS VULNERABLE, ALL THE PAGES IN THE WEBSITE ARE VULNERABLE TO CLICKJACKING. And it has to be fixed because Clickjacking is an attack that tricks the user into clicking a webpage...
Shopify: XSS at https://exchangemarketplace.com/blogsearch
There is an XSS vulnerability on the https://exchangemarketplace.com/blogsearch page through the q parameter. https://exchangemarketplace.com/blogsearch?q=OnMoUsEoVeR=prompt/hacked/// F1251282 Impact XSS at https://exchangemarketplace.com/blogsearch...
GitHub Security Lab: Java: CWE-652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
This bug was reported directly to GitHub Security Lab...
Shopify: Self xss in product reviews
1. Install the app Product Reviews F1070556 2. Open a product and write a review 3. Press F12 on the keyboard, change the type of email to text. 4. Write in email "[email protected]. F1070565 5. Write the other required fields, then submit. F1070566 Impact Self xss...
Topcoder: IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter
Hi: On https://apps.topcoder.com/wiki/users/viewmydrafts.action, you can see your drafts and edit or delete them. Users can delete their own drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action?discardDraftId=. But there is no check, and an attacker can change discardDraftId and delete...
Starbucks: Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number
nnez discovered that after a successful card balance transfer between two of their own registered Thailand Starbucks cards, they could update the 2nd card number URL parameter to another known Thailand Starbucks card number and view that 2nd card balance. @nnez — thank you for reporting this...
Visma Public: Read-only user can access payroll information without having access to payroll.
The researcher found that a read-only user without access to payroll can still access all the data in the payroll tab by visiting the URL directly, thus resulting in unauthorized access...
Automattic: [IDOR] Attacker user can Approve/Decline AFK on the behalf of other users
Summary: Hi team, hope you are good. Missing proper authorization checks on the vulnerable request allow an attacker to approve/decline AFK of users on behalf of other users who are members of other organizations. This can be exploited simply by changing the responderuserid in the vulnerable...
OWOX, Inc.: Session is not expire after logout
Reproduction: step no 1: Open URL: https://www.owox.com/products/ or open your user account step no 2: copy the URL and paste it in another tab step no 3: Go back to the first tab and log out of your account step no 4: Check that the copied URL is still working Reference From: 244875 Reference From: 263873...
Uber: Arbitrary File Reading on Uber SSL VPN
The hacker has found a series of 0-days related to Pulse Secure SSL VPN...
Ian Dunn: Security issue: Github repo's wiki publicly editable
Hello Team, the Github repo's wiki page is publicly editable. This enables an attacker to edit the wiki pages of the affected repos, adding content that may link to malicious code libraries that would be installed and used by developers, or information that may mislead users. POC Links:...
Node.js third-party modules: Arbitrary File Write Through Archive Extraction
I would like to report an arbitrary file write vulnerability in the adm-zip module. It allows attackers to write arbitrary files when a malicious archive is extracted. More info here: https://snyk.io/research/zip-slip-vulnerability https://github.com/snyk/zip-slip-vulnerabilityaffected-libraries Module...
Rootstock Labs: JSON RPC methods for debugging enabled by default allow DoS
A vulnerability was discovered in the RSK JSON-RPC server that allowed an attacker to cause a denial of service (DoS) attack by sending the evmreset command. The server would hang, become slow, and eventually become synced to block 0, resulting in a loss of service and responsiveness to all users...
ownCloud: User Information Disclosure via REST API
Hello, the REST API allows anonymous access to functionality that allows a hacker to list all users who have published a post on a WordPress site. Unfortunately, this generally includes the admin account. POC: https://owncloud.com/wp-json/wp/v2/users/ https://owncloud.com/wp-json/wp/v2/users/1/ Kind...
Snapchat: [render.bitstrips.com] Stored XSS via an incorrect avatar property value
While modifying an avatar, an attacker has the opportunity to submit XSS payloads as its property values. The resulting png file will return a 500 error with the payload in the response body. The response has a text/html content type, which makes the XSS attack possible. PoC: 1. Go to...
Bumble: [CRITICAL] Full account takeover using CSRF
Hi, I have found a CSRF issue that allows an attacker to link his gmail, facebook... or any social account to the victim's account and hijack the whole account. Details: When a user tries to link a gmail account with his account, after he authorizes badoo to use his gmail account he will be...
Udemy: teach.udemy.com log poison vulnerability through wordpress debug.log being publicly available
Hello udemy, your site teach.udemy.com has its debug.log publicly available, consisting of 1 GB of debug logs. The logs don't expose critical information except for some user IP addresses, mail addresses and other info, but it may lead to remote code execution, since the logs also store user agent...
inDrive: SSRF in https://couriers.indrive.com/api/file-storage
A server side request forgery vulnerability was present in the url parameter of the https://couriers.indrive.com/api/file-storage endpoint, allowing arbitrary external websites to be requested and their content returned in responses...
Internet Bug Bounty: [curl] CVE-2023-38039: HTTP header allocation DOS
CVE-2023-38039 is a security vulnerability in the curl library that allowed a malicious server to send an unlimited number of headers in an HTTP response, causing curl to exhaust heap memory and potentially leading to a denial-of-service condition...
U.S. Dept Of Defense: Adobe ColdFusion - Access Control Bypass [CVE-2023-38205] at ██████
An access control bypass vulnerability was discovered in Adobe ColdFusion, allowing attackers to bypass the restriction on external access to the ColdFusion Administrator...
Fastly VDP: CVE-2018-6389 exploitation - using scripts loader
Vulnerability description not provided...
Shopify: Shop App - Attacker is able to intercept authorization code during authentication (OAuth) and is able to get access to Microsoft Outlook email account
A vulnerability was discovered in the Shop App's Microsoft Outlook OAuth flow, where a malicious app could intercept the authorization code during authentication due to the use of deep links. This could allow an attacker to gain access to the victim's emails. The issue was mitigated by implementi...
Reddit: Regular Expression Denial of Service vulnerability
Summary: The vulnerability I have found is classified as a Regular Expression Denial of Service. While inspecting the source code file RealtimeGQLSubscriptionAsync.js I came across the node module subscriptions-transport-ws (See Screenshot 1). The search result of the subscriptions-transport-ws...
Kaspersky: Several domains on kaspersky.com are vulnerable to Web Cache Deception attack
Reported security issue allowed a potential attacker to steal potentially sensitive information of users of a website, because multiple subdomains of the Kaspersky domain were vulnerable to web cache deception attack. In this scenario the user needs to open a phishing link in a web browser. The...
Bitso: Broken link hijack
Hello sir, My name is Mohit Kumar. I found a bug known as broken link hijack on telegram. Steps to view bug -- Navigate to -- https://bitso.com/ -- go down and click on language and then click on Espanol-Argentina; you can now see the telegram link, click on that. I have attached a video POC too. There's...
Stripo Inc: Permanent DOS for new users!
Summary: Hi team, it's me Akash Hamal, and while testing the my.stripo.email website, which is in scope of your program, I was able to permanently DOS any new mail/user which might use your service in the future, but they won't be able to use it! While registering on my.stripo.email there are three fields...
GitHub Security Lab: Java: Detect remote source from Android intent extra
This bug was reported directly to GitHub Security Lab...
lemlist: stored xss via Campaign Name.
Summary: Hi, I found a stored xss on https://app.lemlist.com Steps To Reproduce: 1. Go to https://app.lemlist.com/. 2. Create or edit campaigns. 3. Set the payload / in the Campaign Name. 4. Visit the Buddies-to-Be tab. 5. Click Add one on the top right, or click on one of the list of Contacts 6. You...