15369 matches found
curl: CVE-2021-22946: Protocol downgrade required TLS bypassed
Summary: In imap and pop3, --ssl-reqd is silently ignored if the capability command failed. In ftp, a non-standard 230 response preauthentication? in the greeter message forces curl to continue unencrypted, even if TLS has been required. Steps To Reproduce: Use a parameterizable test server to fa...
Sifchain: Clickjacking Vulnerability in sifchain.finance
Hello team - Greetings! Hope you are fine. sifchain.finance website is vulnerable to Clickjacking. NOT ONLY THE HOME PAGE IS VULNERABLE, ALL THE PAGES IN THE WEBSITE IS VULNERABLE TO CLICKJACKING. And it has to be fixed because, Clickjacking is an attack that tricks the user to click a webpage...
Kaspersky: Several domains on kaspersky.com are vulnerable to Web Cache Deception attack
Reported security issue allowed a potential attacker to steal potentially sensitive information of users of a website, because multiple subdomains of the Kaspersky domain were vulnerable to web cache deception attack. In this scenario the user needs to open a phishing link in a web browser. The...
QIWI: SSRF на https://qiwi.com с помощью "Prerender HAR Capturer"
Здравствуйте! На сайте https://qiwi.com вы используете Prerender HAR Capturer 5.6.0 на основе Headless Chrome для рендеринга HTML, снимков экрана, PDF-файлов и файлов HAR с любой веб-страницы https://github.com/prerender/prerender. Если на qiwi.com послать запрос с измененным юзер-агентом...
Shopify: XSS at https://exchangemarketplace.com/blogsearch
There is an XSS vulnerability on https://exchangemarketplace.com/blogsearch page through the q parameters. https://exchangemarketplace.com/blogsearch?q=OnMoUsEoVeR=prompt/hacked/// F1251282 Impact XSS at https://exchangemarketplace.com/blogsearch...
Liberapay: Login CSRF : Login Authentication Flaw on https://liberapay.com/
Description: There is no csrf validation while logging in which leads to csrf. An attacker can craft an HTML page containing information to have the victim sign into an attacker's account, where the victim may add sensitive payment information to the attacker's new account assuming he/she is logg...
Informatica: Cross-site Scripting (XSS) - DOM - iqcard.informatica.com
Hello all I found a DOM based XSS at iqcard.informatica.com Description After finding the path iqcard.informatica.com/pub/fujitsu/fm3v2/player/attach.html. I noticed that the code inside attach.html was vulnerable to DOM XSS, due to the fact of the javascript document.location function. search. T...
h1-ctf: [H1-2006 2020] The Story of Making Bounty Hunters Happy
Disclaimer: I will try to make this post a fun read, given that whoever triagges will be probably going through similar write-ups again and again. The beginning: Being away from HackerOne over a month had made me rusty. Although the call to arms for Mr. Mickos and the community could not be left...
Topcoder: IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter
Hi : On https://apps.topcoder.com/wiki/users/viewmydrafts.action, you can see your drafts, edit or delete them. Users can delete their own drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action?discardDraftId=. But there is no check and an attacker can change discardDraftId and delete...
Cuvva: Time-limit Bypassing, Rate-limit Bypassing and Spamming at https://ops.cuvva.co
Hello cuvva secteam, Hope you are well and safe Summary When trying to sign in at https://ops.cuvva.com: 1. There is no checking if supplied email is valid before sending login link Note: the sent login links do not work but this bug can be used for spamming any supplied email. 2. The time-limit...
GitHub Security Lab: CPP: Out of order Linux permission dropping without checking return codes
This bug was reported directly to GitHub Security Lab...
Node.js third-party modules: [sapper] Path Traversal
I would like to report a critical path traversal vunerability in the sapper module It allows an attacker to simply obain arbitrary files from the remote server, exploiting a simple path traversal using URL-encoded "../". Module module name: sapper version: 0.27.10 npm page:...
Semrush: IDOR in marketing calendar tool
INTRODUCTION I used two accounts to search for this vulnerability: Id: █████ Email: ██████ Id: ███ Email: ███ IP used: 78.194.169.36 Endpoint URL: https://ec.semrush.com/api/v1/ga/userstatus/?calendarid=CALENDARID EXPLOITATION Description of Security Issue: When a marketing calendar is loaded in...
Automattic: Theme Assets uploader allows HTML content
The reporter submitted a report highlighting that specially formatted yet valid HTML files were able to be uploaded as theme assets. Even though we allow for JavaScript on our blog network, we don't allow HTML files to be uploaded here so that we can restrict JavaScript execution to the blog...
Automattic: [IDOR] Attacker user can Approve/Decline AFK on the behalf of other users
Summary: Hi team Hope you are good Missing proper authorization checks on the vulnerable request allows an attacker to approve/decline afk of users on the behalf of other user who is a member of other organization. This can be exploited simply by changing the responderuserid in the vulnerable...
OWOX, Inc.: Session is not expire after logout
Reproduction: step no 1:Open URL:https://www.owox.com/products/ or open your user account step no 2: copy URL or paste another tab step no 3:Go back again first tab or logout your account step no 4: And check the copied URL section is working properly Reference From :244875 Reference From :263873...
U.S. Dept Of Defense: Examples directory is PUBLIC on https://████████mil, leading to multiple vulns
Description: Hello, In an effort to consolidate reporting. I have located 4 issues with having the Examples Directory openmy require just 1 solution to mitigate The following URLs that show concern are the following: 1. https://█████mil/examples/servlets/servlet/SessionExample --Will lead to...
Starbucks: Subdomain takeover of d02-1-ag.productioncontroller.starbucks.com
Summary: I was able to claim the subdomain: d02-1-ag.productioncontroller.starbucks.com using Azure Cloud Service Platforms Affected: Subdomain Azure Cloud Service Steps To Reproduce: 1. Using dig, I was able to determine that the subdomain 'd02-1-ag.productioncontroller.starbucks.com' was...
Uber: Arbitrary File Reading on Uber SSL VPN
The hacker has found a series of 0 day related to Pulse Secure SSL VPN...
Ian Dunn: Security issue: Github repo's wiki publicly editable
Hello Team, Github repo's wiki page is publicly editable. This enables an attacker to edit the wiki pages of the affected repo's. Adding content that may link to malicious code libraries that would be installed and used by developers or information that may mislead users. POC Links:...
Node.js third-party modules: Arbitrary File Write Through Archive Extraction
I would like to report arbitrary file write vulnerability in adm-zip module It allows attackers to write arbitrary files when a malicious archive is extracted. More info here: https://snyk.io/research/zip-slip-vulnerability https://github.com/snyk/zip-slip-vulnerabilityaffected-libraries Module...
VK.com: local file disclosure via FFmpeg hls processing
Vulnerability in FFmpeg. FFmpeg is video encoding software that is used by VK for preview generation and video conversion. FFmpeg is known to process HLS playlists that may contain references to external files. I was able to fire this feature using GAB2 subtitle chunks inside an AVI file. After...
Internet Bug Bounty: Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)
A TLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being...
ownCloud: User Information Disclosure via REST API
Hello, REST-API, allows anonymous access to functionality that allows a hacker to list all users who have published a post on a WordPress site. Unfortunately, this generally includes the admin account POC: https://owncloud.com/wp-json/wp/v2/users/ https://owncloud.com/wp-json/wp/v2/users/1/ Kind...
Nextcloud: Limitation of app specific password scope can be bypassed (NC-SA-2017-009)
Limitation of app specific password scope can be bypassed NC-SA-2017-009 Risk level: Low CVSS v3 Base Score: 3 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N CWE: Improper Authorization CWE-285 Description Improper session handling allowed an application specific password without permission to the files...
Snapchat: [render.bitstrips.com] Stored XSS via an incorrect avatar property value
While modifying an avatar, an attacker has the opportunity to submit XSS payloads as its property values. The resulting png file will return a 500 error with the payload in the response body. The response has a text/html content type, which makes the XSS attack possible. PoC: 1. Go to...
Udemy: teach.udemy.com log poison vulnerability through wordpress debug.log being publically available
Hello udemy your site teach.udemy.com has its debug.log publically available consisting of 1 gb of debug logs. The logs don't expose critical information except for some user ip addresses, mail-addresses and other info, but it may lead to remote code execution,since the logs also store user agent...
curl: TLS conn reuse and session cache ignore fsslctx callback and ssl_config_data flags ( incomplete fix variant of 7541ae569 )
Summary matchsslprimaryconfig in lib/vtls/vtls.c:194 and the session-cache key built by cfsslpeerkeybuild in lib/vtls/vtlsscache.c:240 both compare only struct sslprimaryconfig fields when deciding whether to reuse a TLS connection or cached session. Several fields that materially change the TLS...
Internet Bug Bounty: [curl] CVE-2023-38039: HTTP header allocation DOS
CVE-2023-38039 is a security vulnerability in the curl library that allowed a malicious server to send an unlimited number of headers in an HTTP response, causing curl to exhaust heap memory and potentially leading to a denial-of-service condition...
curl: CVE-2023-23916: HTTP multi-header compression denial of service
An HTTP multi-header compression denial of service vulnerability was discovered that allowed an attacker to send an HTTP response with many occurrences of Transfer-Encoding and/or Content-Encoding headers, consuming all available memory and causing a denial of service. The vulnerability was patch...
Internet Bug Bounty: CVE-2022-23519: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)
The following is from: https://hackerone.com/reports/1656627 Intro The Rails HTML sanitzier allows to set certain combinations of tags in it's allow list that are not properly handled. Similar to the report 1530898, which identified the combinationselect and style as vulnerable, my fuzz testing...
Internet Bug Bounty: Read beyond bounds in mod_isapi.c [zhbug_httpd_41]
Greetings. I have found a read-beyond-bounds bug in httpd that arises from an apparent logic error. The bug is in /modules/arch/win32/modisapi.c, on lines 979 and/or 983, which use the length of the path to the ISAPI DLL |strlenr-filename| to index into the string specified by the ISAPI DLL itsel...
curl: CVE-2022-27780: percent-encoded path separator in URL host
Summary: URL decoding the entire proxy string could lead to SSRF filter bypasses. For example, When the following curl specifies the proxy string http://example.com%2F127.0.0.1 - If curl URL parser or another RFC3986 compliant parser parses the initial string http://127.0.0.1%2F.example.com, it...
Urban Company: Exposed data of credit card details to hacker or attacker.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Name of Vulnerability:...
GitHub Security Lab: C++: Support Pqxx connector to search for sql injections to Postgres
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Python] CWE-400: Regular Expression Injection
This bug was reported directly to GitHub Security Lab...
Sifchain: Wrong Url in Main Page
Hello, There is no linkedin account belonging to the url you added to your homepage and this link can be easily captured by someone else. Misunderstandings may occur. F1293094 https://www.linkedin.com/company/kns-group/about/ Impact Broken Link Hijack...
Logitech: Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com]
Hi Security team, Summary: I was able as Administrator to change the account owner access token Description: As Administrator i have high privileges but i have some restricted areas F1278364 For example i got invitation from MrX with Administrator role. When i navigated to MrX account as...
Bitso: Broken link hijack
Hello sir My name is Mohit kumar i found a bug known as broken link hijack on telegram Steps to view bug -- Navigate to -- https://bitso.com/ -- go down and click on language and then click on Espanol-Argentina you can now see the telgram link click on that I have attached a video poc too There's...
Revive Adserver: Reflected XSS on /admin/stats.php
Linked to the report https://hackerone.com/reports/1083376 I found a reflected XSS attack on /admin/stats.php. Revive-Adserver version is revive-adserver-5.1.1. This time I found the parameter statsBreakdown - Go to...
Stripo Inc: Permanent DOS for new users!
Summary: Hi team its me Akash Hamal, and while testing my.stripo.email website which is in scope of your program i was able to DOS permanently any new mail,user which might use your service in future but they won't be able to use ! While registration on my.stripo.email there are three fields...
curl: CVE-2020-8285: FTP wildcard stack overflow
Summary: User 'xnynx' on github filed PR 6255 highlighting this problem. Filed publicly My first gut reaction was that this had to be a problem with curlfnmatch as that has caused us grief in the past and on most platforms we use the native fnmatch now, but not on Windows IIRC and this is a...
Kubernetes: Development Application Credentials + Information Exposed
Issue Description When I browsed through all the JS files on prow.k8s.io I came across a link called /config which contains a configuration disclosure for the development files URL Vulnerabilities https://prow.k8s.io/config Proof On Concept javascript - continuous-integration/travis-ci kubespray:...
U.S. Dept Of Defense: Access to Unclassified / FOUO Advanced Motion Platform of █████████.mil
Hey, I have recently found a website in the namespace of the Amazon Web Services cloud for the US government which exposes a classification header of Unclassified / FOUO. Hence, I thought it might be a good idea to report this vulnerability to you. Furthermore, the source code tells us that the...
Visma Public: Information disclosure to "Permission as auditor" user
Inside the same company, the researcher was able to view information that that was not supposed to with the Auditor role associated with the user...
U.S. Dept Of Defense: Сode injection host █████████
Good day, security team. Host █████████ vulnerable to code injection. POC The server makes a time delay. POST /cgi-bin/gMapBuild.py HTTP/1.1 Host: ███ Accept: / Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded...
U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA
Hey, I found out that host ████████.mil was vulnerable to CVE-2020-3452. You can test it by visiting the URL: https://██████████.mil/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portalinc.lua To try it with CURL please run the following command:...
h1-ctf: [H1-2006 2020] Includes 1 free content discovery
Summary Got it! Thanks guys for going through the trouble to make these. Best regards @nahamsec @adamtlangley @B3nac for hosting and @hackingfish @zonkism and @clos for peer support to make it. Writeup to follow, but let's have the flag first! F859962 Impact Participating in CTFs can cause...
Radancy: [www.werkenbijbakertilly.nl] Information Disclosure
the 50x status code server responded with an html page containing the nginx version. an update of the loadbalancer fixed the issue. Summary When the web server encountered a 502 GateWay error, I discovered a strange bug in which internal information was exposed. Description When web server 502...
Localize: 2-factor authentication can be disabled when logged in without confirming account password
Description === When users wants to Disable his/her TwoFactor Authentication, they have to know their account password. But using this vulnerability They don't need password to disable it. this will allow hacker who get someone cookie to disabling twofactor auth and also Fullytakeover the account...