15372 matches found
Udemy: teach.udemy.com log poison vulnerability through wordpress debug.log being publically available
Hello udemy your site teach.udemy.com has its debug.log publically available consisting of 1 gb of debug logs. The logs don't expose critical information except for some user ip addresses, mail-addresses and other info, but it may lead to remote code execution,since the logs also store user agent...
U.S. Dept Of Defense: Adobe ColdFusion - Access Control Bypass [CVE-2023-38205] at ██████
An access control bypass vulnerability was discovered in Adobe ColdFusion, allowing attackers to bypass the restriction on external access to the ColdFusion Administrator...
Node.js: process.binding() can bypass the permission model through path traversal
The use of the deprecated API process.binding allowed for bypassing the permission model in Node.js 20.x through path traversal...
Fastly VDP: CVE-2018-6389 exploitation - using scripts loader
Vulnerability description not provided...
EXNESS: SSRF in graphQL query (pwapi.ex2b.com)
An SSRF vulnerability was discovered in the GraphQL query for allTicks on the pwapi.ex2b.com website. This vulnerability allowed an attacker to set the source parameter to perform arbitrary GET requests, potentially compromising internal services exposed to internal network requests...
curl: curl file writing susceptible to symlink attacks
Summary: If curl command is used to download a file with predictable file name to a world writable directory such as /tmp, a local attacker is able to mount a symlink attack to either A redirect the target file writing to another file writable by the user or B replace the downloaded file contents...
curl: CVE-2022-27780: percent-encoded path separator in URL host
Summary: URL decoding the entire proxy string could lead to SSRF filter bypasses. For example, When the following curl specifies the proxy string http://example.com%2F127.0.0.1 - If curl URL parser or another RFC3986 compliant parser parses the initial string http://127.0.0.1%2F.example.com, it...
Reddit: Regular Expression Denial of Service vulnerability
Summary: The vulnerability I have found is classified as a Regular Expression Denial of Service. While inspecting the source code file RealtimeGQLSubscriptionAsync.js I came across the nodemodule subscriptions-transport-ws See Screenshot 1. The search result of the subscriptions-transport-ws...
curl: CVE-2021-22946: Protocol downgrade required TLS bypassed
Summary: In imap and pop3, --ssl-reqd is silently ignored if the capability command failed. In ftp, a non-standard 230 response preauthentication? in the greeter message forces curl to continue unencrypted, even if TLS has been required. Steps To Reproduce: Use a parameterizable test server to fa...
Sifchain: Clickjacking Vulnerability in sifchain.finance
Hello team - Greetings! Hope you are fine. sifchain.finance website is vulnerable to Clickjacking. NOT ONLY THE HOME PAGE IS VULNERABLE, ALL THE PAGES IN THE WEBSITE IS VULNERABLE TO CLICKJACKING. And it has to be fixed because, Clickjacking is an attack that tricks the user to click a webpage...
Kaspersky: Several domains on kaspersky.com are vulnerable to Web Cache Deception attack
Reported security issue allowed a potential attacker to steal potentially sensitive information of users of a website, because multiple subdomains of the Kaspersky domain were vulnerable to web cache deception attack. In this scenario the user needs to open a phishing link in a web browser. The...
QIWI: SSRF на https://qiwi.com с помощью "Prerender HAR Capturer"
Здравствуйте! На сайте https://qiwi.com вы используете Prerender HAR Capturer 5.6.0 на основе Headless Chrome для рендеринга HTML, снимков экрана, PDF-файлов и файлов HAR с любой веб-страницы https://github.com/prerender/prerender. Если на qiwi.com послать запрос с измененным юзер-агентом...
Shopify: XSS at https://exchangemarketplace.com/blogsearch
There is an XSS vulnerability on https://exchangemarketplace.com/blogsearch page through the q parameters. https://exchangemarketplace.com/blogsearch?q=OnMoUsEoVeR=prompt/hacked/// F1251282 Impact XSS at https://exchangemarketplace.com/blogsearch...
Liberapay: Login CSRF : Login Authentication Flaw on https://liberapay.com/
Description: There is no csrf validation while logging in which leads to csrf. An attacker can craft an HTML page containing information to have the victim sign into an attacker's account, where the victim may add sensitive payment information to the attacker's new account assuming he/she is logg...
Informatica: Cross-site Scripting (XSS) - DOM - iqcard.informatica.com
Hello all I found a DOM based XSS at iqcard.informatica.com Description After finding the path iqcard.informatica.com/pub/fujitsu/fm3v2/player/attach.html. I noticed that the code inside attach.html was vulnerable to DOM XSS, due to the fact of the javascript document.location function. search. T...
h1-ctf: [H1-2006 2020] The Story of Making Bounty Hunters Happy
Disclaimer: I will try to make this post a fun read, given that whoever triagges will be probably going through similar write-ups again and again. The beginning: Being away from HackerOne over a month had made me rusty. Although the call to arms for Mr. Mickos and the community could not be left...
Topcoder: IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter
Hi : On https://apps.topcoder.com/wiki/users/viewmydrafts.action, you can see your drafts, edit or delete them. Users can delete their own drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action?discardDraftId=. But there is no check and an attacker can change discardDraftId and delete...
Cuvva: Time-limit Bypassing, Rate-limit Bypassing and Spamming at https://ops.cuvva.co
Hello cuvva secteam, Hope you are well and safe Summary When trying to sign in at https://ops.cuvva.com: 1. There is no checking if supplied email is valid before sending login link Note: the sent login links do not work but this bug can be used for spamming any supplied email. 2. The time-limit...
GitHub Security Lab: CPP: Out of order Linux permission dropping without checking return codes
This bug was reported directly to GitHub Security Lab...
Node.js third-party modules: [sapper] Path Traversal
I would like to report a critical path traversal vunerability in the sapper module It allows an attacker to simply obain arbitrary files from the remote server, exploiting a simple path traversal using URL-encoded "../". Module module name: sapper version: 0.27.10 npm page:...
Semrush: IDOR in marketing calendar tool
INTRODUCTION I used two accounts to search for this vulnerability: Id: █████ Email: ██████ Id: ███ Email: ███ IP used: 78.194.169.36 Endpoint URL: https://ec.semrush.com/api/v1/ga/userstatus/?calendarid=CALENDARID EXPLOITATION Description of Security Issue: When a marketing calendar is loaded in...
Localize: 2-factor authentication can be disabled when logged in without confirming account password
Description === When users wants to Disable his/her TwoFactor Authentication, they have to know their account password. But using this vulnerability They don't need password to disable it. this will allow hacker who get someone cookie to disabling twofactor auth and also Fullytakeover the account...
Automattic: Theme Assets uploader allows HTML content
The reporter submitted a report highlighting that specially formatted yet valid HTML files were able to be uploaded as theme assets. Even though we allow for JavaScript on our blog network, we don't allow HTML files to be uploaded here so that we can restrict JavaScript execution to the blog...
Automattic: [IDOR] Attacker user can Approve/Decline AFK on the behalf of other users
Summary: Hi team Hope you are good Missing proper authorization checks on the vulnerable request allows an attacker to approve/decline afk of users on the behalf of other user who is a member of other organization. This can be exploited simply by changing the responderuserid in the vulnerable...
OWOX, Inc.: Session is not expire after logout
Reproduction: step no 1:Open URL:https://www.owox.com/products/ or open your user account step no 2: copy URL or paste another tab step no 3:Go back again first tab or logout your account step no 4: And check the copied URL section is working properly Reference From :244875 Reference From :263873...
U.S. Dept Of Defense: Examples directory is PUBLIC on https://████████mil, leading to multiple vulns
Description: Hello, In an effort to consolidate reporting. I have located 4 issues with having the Examples Directory openmy require just 1 solution to mitigate The following URLs that show concern are the following: 1. https://█████mil/examples/servlets/servlet/SessionExample --Will lead to...
Starbucks: Subdomain takeover of d02-1-ag.productioncontroller.starbucks.com
Summary: I was able to claim the subdomain: d02-1-ag.productioncontroller.starbucks.com using Azure Cloud Service Platforms Affected: Subdomain Azure Cloud Service Steps To Reproduce: 1. Using dig, I was able to determine that the subdomain 'd02-1-ag.productioncontroller.starbucks.com' was...
Uber: Arbitrary File Reading on Uber SSL VPN
The hacker has found a series of 0 day related to Pulse Secure SSL VPN...
HackerOne: Account recovery text message is sending a wrong domain to users.
Hey, I hope you're fine. : Summary: When users setup Account recovery at Authentication section Hackerone sends them text message to their updated phone number with a wrong domain link. Description: When users adds phone number at Account recovery, they get a text message on their phone number,...
Internet Bug Bounty: heap-buffer-overflow (READ of size 48) in exif_read_data()
exifreaddata in PHP 5.6.36, 7.1.x and 7.2.x is vulnerable to a heap buffer overflow when fed a specially crafted JPEG. Any online service that reads EXIF data from uploaded JPEGs is potentially vulnerable to this flaw. This has been fixed with the release of PHP 7.2.8 today. Other releases are...
Node.js third-party modules: Arbitrary File Write Through Archive Extraction
I would like to report arbitrary file write vulnerability in adm-zip module It allows attackers to write arbitrary files when a malicious archive is extracted. More info here: https://snyk.io/research/zip-slip-vulnerability https://github.com/snyk/zip-slip-vulnerabilityaffected-libraries Module...
Open-Xchange: SSRF - Blacklist bypass for mail account addition
FYI - Tested on local installation of App Suite 7.8.4-Rev19, on CentOS 7.4 Hello, There appears to be a vulnerability with the way the IP blacklist works for adding servers for a new mail account. The default blacklist is designed to stop connections to the localhost address, but these can be...
Internet Bug Bounty: Multiple issues in Libxml2 (2.9.2 - 2.9.5)
Libxml2 is the XML C parser and toolkit developed for the Gnome project. Due to its flexible C implementation and continuous development, Libxml2 is known to be very portable, the library builds and works on a variety of systems Linux, Unix, Windows, CygWin, MacOS, MacOS X, RISC Os, OS/2, VMS, QN...
VK.com: local file disclosure via FFmpeg hls processing
Vulnerability in FFmpeg. FFmpeg is video encoding software that is used by VK for preview generation and video conversion. FFmpeg is known to process HLS playlists that may contain references to external files. I was able to fire this feature using GAB2 subtitle chunks inside an AVI file. After...
Internet Bug Bounty: Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)
A TLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being...
Alvosec: [ns2.████] Vulnerable to DNS Zone Transfer
This server is misconfigured, as a result allowed the consultant to initiate a zone transfer the following shows the output: ██████████. 3600 IN SOA ns1.██████████. webmaster.█████. 2017041813 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 3600 ;minimum ███. 3600 IN A ██████████ █████. 3600 IN...
Nextcloud: Limitation of app specific password scope can be bypassed (NC-SA-2017-009)
Limitation of app specific password scope can be bypassed NC-SA-2017-009 Risk level: Low CVSS v3 Base Score: 3 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N CWE: Improper Authorization CWE-285 Description Improper session handling allowed an application specific password without permission to the files...
Snapchat: [render.bitstrips.com] Stored XSS via an incorrect avatar property value
While modifying an avatar, an attacker has the opportunity to submit XSS payloads as its property values. The resulting png file will return a 500 error with the payload in the response body. The response has a text/html content type, which makes the XSS attack possible. PoC: 1. Go to...
Concrete CMS: Stored XSS in Image Alt. Text
XSS payload can be executed and saved permanently in Image Alt. Text. Poc Code: "click me!"...
Secret: Content Sniffing not disabled
URL :- https://www.secret.ly/ Issue description :- There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the response. The lack of this header causes that certain browsers, try to determine the content type and encoding of the response even when these properties are...
Internet Bug Bounty: [curl] CVE-2023-38039: HTTP header allocation DOS
CVE-2023-38039 is a security vulnerability in the curl library that allowed a malicious server to send an unlimited number of headers in an HTTP response, causing curl to exhaust heap memory and potentially leading to a denial-of-service condition...
curl: CVE-2023-23916: HTTP multi-header compression denial of service
An HTTP multi-header compression denial of service vulnerability was discovered that allowed an attacker to send an HTTP response with many occurrences of Transfer-Encoding and/or Content-Encoding headers, consuming all available memory and causing a denial of service. The vulnerability was patch...
Internet Bug Bounty: CVE-2022-23519: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)
The following is from: https://hackerone.com/reports/1656627 Intro The Rails HTML sanitzier allows to set certain combinations of tags in it's allow list that are not properly handled. Similar to the report 1530898, which identified the combinationselect and style as vulnerable, my fuzz testing...
Internet Bug Bounty: Read beyond bounds in mod_isapi.c [zhbug_httpd_41]
Greetings. I have found a read-beyond-bounds bug in httpd that arises from an apparent logic error. The bug is in /modules/arch/win32/modisapi.c, on lines 979 and/or 983, which use the length of the path to the ISAPI DLL |strlenr-filename| to index into the string specified by the ISAPI DLL itsel...
Urban Company: Exposed data of credit card details to hacker or attacker.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Name of Vulnerability:...
GitHub Security Lab: C++: Support Pqxx connector to search for sql injections to Postgres
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Python] CWE-400: Regular Expression Injection
This bug was reported directly to GitHub Security Lab...
Sifchain: Wrong Url in Main Page
Hello, There is no linkedin account belonging to the url you added to your homepage and this link can be easily captured by someone else. Misunderstandings may occur. F1293094 https://www.linkedin.com/company/kns-group/about/ Impact Broken Link Hijack...
Logitech: Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com]
Hi Security team, Summary: I was able as Administrator to change the account owner access token Description: As Administrator i have high privileges but i have some restricted areas F1278364 For example i got invitation from MrX with Administrator role. When i navigated to MrX account as...
Bitso: Broken link hijack
Hello sir My name is Mohit kumar i found a bug known as broken link hijack on telegram Steps to view bug -- Navigate to -- https://bitso.com/ -- go down and click on language and then click on Espanol-Argentina you can now see the telgram link click on that I have attached a video poc too There's...