Hacker One | added 2020/04/17 5:08 p.m. | 88 views

GitHub Security Lab: CPP: Out of order Linux permission dropping without checking return codes

This bug was reported directly to GitHub Security Lab...

AI score: 1.4 | Exploits: 0

Hacker One | added 2020/03/16 2:09 p.m. | 88 views

Node.js third-party modules: [sapper] Path Traversal

I would like to report a critical path traversal vulnerability in the sapper module. It allows an attacker to simply obtain arbitrary files from the remote server, exploiting a simple path traversal using URL-encoded "../". Module: module name: sapper; version: 0.27.10; npm page:...

AI score: 0.1 | Exploits: 0

Hacker One | added 2020/02/16 5:18 p.m. | 88 views

Semrush: IDOR in marketing calendar tool

INTRODUCTION I used two accounts to search for this vulnerability: Id: █████ Email: ██████ Id: ███ Email: ███ IP used: 78.194.169.36 Endpoint URL: https://ec.semrush.com/api/v1/ga/userstatus/?calendarid=CALENDARID EXPLOITATION Description of Security Issue: When a marketing calendar is loaded in...

AI score: 6.5 | Exploits: 0

Hacker One | added 2020/01/25 5:17 p.m. | 88 views

Localize: 2-factor authentication can be disabled when logged in without confirming account password

Description === When a user wants to disable his/her two-factor authentication, they have to know their account password. But using this vulnerability they don't need the password to disable it. This will allow a hacker who gets someone's cookie to disable two-factor auth and also fully take over the account...

AI score: 7.2 | Exploits: 0

Hacker One | added 2019/08/15 10:24 p.m. | 88 views

U.S. Dept Of Defense: Examples directory is PUBLIC on https://████████mil, leading to multiple vulns

Description: Hello, in an effort to consolidate reporting, I have located 4 issues with having the Examples Directory open, which may require just 1 solution to mitigate. The following URLs that show concern are the following: 1. https://█████mil/examples/servlets/servlet/SessionExample --Will lead to...

AI score: 0.5 | Exploits: 0

Hacker One | added 2019/07/27 8:21 a.m. | 88 views

Starbucks: Subdomain takeover of d02-1-ag.productioncontroller.starbucks.com

Summary: I was able to claim the subdomain: d02-1-ag.productioncontroller.starbucks.com using Azure Cloud Service Platforms Affected: Subdomain Azure Cloud Service Steps To Reproduce: 1. Using dig, I was able to determine that the subdomain 'd02-1-ag.productioncontroller.starbucks.com' was...

AI score: 0.1 | Exploits: 0

Hacker One | added 2019/04/27 3:50 p.m. | 88 views

HackerOne: Account recovery text message is sending a wrong domain to users.

Hey, I hope you're fine. Summary: When users set up Account recovery in the Authentication section, HackerOne sends them a text message to their updated phone number with a wrong domain link. Description: When a user adds a phone number at Account recovery, they get a text message on their phone number,...

AI score: 0.2 | Exploits: 0

Hacker One | added 2018/09/06 7:11 p.m. | 88 views

HackerOne: Self DOM-Based XSS in www.hackerone.com

Summary: There is a 'self' DOM-based cross-site scripting vulnerability in the contact form available on the www.hackerone.com website. This could allow an attacker to perform cross-site scripting, or other client-side attacks, against users of the application. However, the risk presented by this...

AI score: 5.7 | Exploits: 0

Hacker One | added 2018/01/08 10:25 p.m. | 88 views

Open-Xchange: SSRF - Blacklist bypass for mail account addition

FYI - Tested on local installation of App Suite 7.8.4-Rev19, on CentOS 7.4 Hello, There appears to be a vulnerability with the way the IP blacklist works for adding servers for a new mail account. The default blacklist is designed to stop connections to the localhost address, but these can be...

AI score: 6.8 | Exploits: 0

Hacker One | added 2017/04/18 7:41 a.m. | 88 views

Internet Bug Bounty: Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)

A TLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being...

CVSS: 4.3 | AI score: 7.6 | EPSS: 0.13837 | Exploits: 0

Hacker One | added 2017/01/06 4:17 p.m. | 88 views

Alvosec: [ns2.████] Vulnerable to DNS Zone Transfer

This server is misconfigured; as a result, it allowed the consultant to initiate a zone transfer. The following shows the output: ██████████. 3600 IN SOA ns1.██████████. webmaster.█████. 2017041813 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 3600 ;minimum ███. 3600 IN A ██████████ █████. 3600 IN...

AI score: 6.8 | Exploits: 0

Hacker One | added 2015/03/10 9:51 a.m. | 88 views

Concrete CMS: Stored XSS in Image Alt. Text

An XSS payload can be executed and saved permanently in Image Alt. Text. PoC code: "click me!"...

AI score: 6.3 | Exploits: 0

Hacker One | added 2014/05/19 8:12 a.m. | 88 views

Secret: Content Sniffing not disabled

URL :- https://www.secret.ly/ Issue description :- There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the response. The lack of this header causes certain browsers to try to determine the content type and encoding of the response even when these properties are...

AI score: 0.1 | Exploits: 0

Hacker One | added 2023/08/14 5:47 p.m. | 87 views

HackerOne: Support Tickets can be created on behalf of other users using spoofed email | Bypass of #2001913

A vulnerability allowed an attacker to create support tickets on behalf of other users by sending a fake email to [email protected]. This bypassed a previous fix implemented by HackerOne to prevent support tickets from being created via email...

AI score: 6.9 | Exploits: 0

Hacker One | added 2023/03/20 7:32 a.m. | 87 views

Internet Bug Bounty: CVE-2023-27533: TELNET option IAC injection

A vulnerability CVE-2023-27533 was found in curl versions 7.7 to 7.88.1 that allowed users to pass on user name and "telnet options" for server negotiation without proper input scrubbing, potentially allowing for the injection of unintended TELNET commands to the telnet connection. The severity o...

CVSS: 8.8 | AI score: 7 | EPSS: 0.01993 | Exploits: 1

Hacker One | added 2023/01/08 12:34 p.m. | 87 views

curl: CVE-2023-23916: HTTP multi-header compression denial of service

An HTTP multi-header compression denial of service vulnerability was discovered that allowed an attacker to send an HTTP response with many occurrences of Transfer-Encoding and/or Content-Encoding headers, consuming all available memory and causing a denial of service. The vulnerability was patch...

CVSS: 6.5 | AI score: 6.6 | EPSS: 0.01703 | Exploits: 1

Hacker One | added 2022/04/28 5:26 p.m. | 87 views

curl: CVE-2022-27780: percent-encoded path separator in URL host

Summary: URL decoding the entire proxy string could lead to SSRF filter bypasses. For example, when the following curl specifies the proxy string http://example.com%2F127.0.0.1 - if the curl URL parser or another RFC3986 compliant parser parses the initial string http://127.0.0.1%2F.example.com, it...

AI score: 7.5 | EPSS: 0.02187 | Exploits: 1

Hacker One | added 2021/06/26 1:10 p.m. | 87 views

Urban Company: Exposed data of credit card details to hacker or attacker.

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Name of Vulnerability:...

AI score: 7.1 | Exploits: 0

Hacker One | added 2021/06/22 10:56 p.m. | 87 views

GitHub Security Lab: C++: Support Pqxx connector to search for sql injections to Postgres

This bug was reported directly to GitHub Security Lab...

AI score: 1 | Exploits: 0

Hacker One | added 2021/05/13 4:53 p.m. | 87 views

GitHub Security Lab: [Python] CWE-400: Regular Expression Injection

This bug was reported directly to GitHub Security Lab...

AI score: 1.5 | Exploits: 0

Hacker One | added 2021/05/07 8:20 p.m. | 87 views

Sifchain: Wrong Url in Main Page

Hello, there is no LinkedIn account belonging to the URL you added to your homepage, and this link can be easily captured by someone else. Misunderstandings may occur. F1293094 https://www.linkedin.com/company/kns-group/about/ Impact Broken Link Hijack...

AI score: 6.8 | Exploits: 0

Hacker One | added 2021/04/26 3:15 a.m. | 87 views

Logitech: Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com]

Hi Security team, Summary: I was able as Administrator to change the account owner access token. Description: As Administrator I have high privileges but I have some restricted areas F1278364 For example I got an invitation from MrX with Administrator role. When I navigated to MrX account as...

AI score: 6.9 | Exploits: 0

Hacker One | added 2021/04/20 7:30 a.m. | 87 views

Nextcloud: Password policy changes not enforced for existing passwords

So this is two reports in one. Sort of. But they are the same issue, or at least related. 1. When you set up your Nextcloud there is no password policy at all. There is the strength indicator. I get that the password policy app is not yet active at that point. But a minimum length would not be that...

AI score: 0.6 | Exploits: 0

Hacker One | added 2021/04/07 12:36 a.m. | 87 views

QIWI: SSRF on https://qiwi.com using "Prerender HAR Capturer"

Hello! On the site https://qiwi.com you use Prerender HAR Capturer 5.6.0, based on Headless Chrome, to render HTML, screenshots, PDF files and HAR files from any web page https://github.com/prerender/prerender. If a request with a modified user agent is sent to qiwi.com...

Exploits: 0

Hacker One | added 2020/12/30 5:23 p.m. | 87 views

h1-ctf: HackyHolidays H1 CTF Writeup

HackyHolidays Day 1 Once the CTF started and the Grinch released the scope hackyholidays.h1ctf.com, I started the CTF with a good old Nmap scan, to see what's running on the server. So the nmap command looked like nmap -sC -sV -oA nmap hackyholidays.h1ctf.com/. The result showed a promising entry...

AI score: 6.8 | Exploits: 0

Hacker One | added 2020/11/27 10:59 p.m. | 87 views

curl: CVE-2020-8285: FTP wildcard stack overflow

Summary: User 'xnynx' on github filed PR 6255 highlighting this problem. Filed publicly My first gut reaction was that this had to be a problem with curlfnmatch as that has caused us grief in the past and on most platforms we use the native fnmatch now, but not on Windows IIRC and this is a...

CVSS: 5 | AI score: 0.8 | EPSS: 0.09917 | Exploits: 1

Hacker One | added 2020/10/25 5:47 p.m. | 87 views

Kubernetes: Development Application Credentials + Information Exposed

Issue Description When I browsed through all the JS files on prow.k8s.io I came across a link called /config which contains a configuration disclosure for the development files URL Vulnerabilities https://prow.k8s.io/config Proof of Concept javascript - continuous-integration/travis-ci kubespray:...

AI score: 7 | Exploits: 0

Hacker One | added 2020/10/10 9:10 p.m. | 87 views

Informatica: Cross-site Scripting (XSS) - DOM - iqcard.informatica.com

Hello all I found a DOM based XSS at iqcard.informatica.com Description After finding the path iqcard.informatica.com/pub/fujitsu/fm3v2/player/attach.html. I noticed that the code inside attach.html was vulnerable to DOM XSS, due to the fact of the javascript document.location function. search. T...

AI score: 0.3 | Exploits: 0

Hacker One | added 2020/10/09 1:06 p.m. | 87 views

U.S. Dept Of Defense: Access to Unclassified / FOUO Advanced Motion Platform of █████████.mil

Hey, I have recently found a website in the namespace of the Amazon Web Services cloud for the US government which exposes a classification header of Unclassified / FOUO. Hence, I thought it might be a good idea to report this vulnerability to you. Furthermore, the source code tells us that the...

Exploits: 0

Hacker One | added 2020/08/16 2:23 p.m. | 87 views

Visma Public: Information disclosure to "Permission as auditor" user

Inside the same company, the researcher was able to view information that they were not supposed to with the Auditor role associated with the user...

AI score: 2.1 | Exploits: 0

Hacker One | added 2020/08/09 2:54 p.m. | 87 views

U.S. Dept Of Defense: Code injection host █████████

Good day, security team. Host █████████ is vulnerable to code injection. POC The server makes a time delay. POST /cgi-bin/gMapBuild.py HTTP/1.1 Host: ███ Accept: / Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded...

Exploits: 0

Hacker One | added 2020/06/09 2:54 a.m. | 87 views

h1-ctf: [H1-2006 2020] Includes 1 free content discovery

Summary Got it! Thanks guys for going through the trouble to make these. Best regards @nahamsec @adamtlangley @B3nac for hosting and @hackingfish @zonkism and @clos for peer support to make it. Writeup to follow, but let's have the flag first! F859962 Impact Participating in CTFs can cause...

AI score: 7 | Exploits: 0

Hacker One | added 2020/06/06 8:32 a.m. | 87 views

Radancy: [www.werkenbijbakertilly.nl] Information Disclosure

The 50x status code server responded with an HTML page containing the nginx version. An update of the load balancer fixed the issue. Summary When the web server encountered a 502 GateWay error, I discovered a strange bug in which internal information was exposed. Description When web server 502...

AI score: 1.6 | Exploits: 0

Hacker One | added 2020/06/02 2:29 p.m. | 87 views

h1-ctf: [H1-2006 2020] The Story of Making Bounty Hunters Happy

Disclaimer: I will try to make this post a fun read, given that whoever triages will probably be going through similar write-ups again and again. The beginning: Being away from HackerOne over a month had made me rusty. Although the call to arms for Mr. Mickos and the community could not be left...

AI score: 6.8 | Exploits: 0

Hacker One | added 2020/01/23 9:58 p.m. | 87 views

GitHub Security Lab: CodeQL query to detect weak (duplicated) encryption keys for ASP.NET Telerik Upload

This bug was reported directly to GitHub Security Lab...

AI score: 1.2 | Exploits: 0

Hacker One | added 2020/01/14 1:07 a.m. | 87 views

Yelp: No rate limiting for confirmation email lead to email flooding

Description: There is no rate limiting implemented in sending the confirmation email. Thus, an attacker can use this vulnerability to bomb the email inbox of the victim. Affected URL: https://biz.yelp.com/welcome/resendconfirmation with POST method Details: 1. Login to biz.yelp.com 2. Go to...

Exploits: 0

Hacker One | added 2020/01/08 4:54 a.m. | 87 views

Automattic: Theme Assets uploader allows HTML content

The reporter submitted a report highlighting that specially formatted yet valid HTML files were able to be uploaded as theme assets. Even though we allow for JavaScript on our blog network, we don't allow HTML files to be uploaded here so that we can restrict JavaScript execution to the blog...

AI score: 0.2 | Exploits: 0

Hacker One | added 2019/12/12 9:36 a.m. | 87 views

Mail.ru: Public available Sensitive Information about drivers

Domain, site, application -- API for client app Citimobil https://c-api.city-mobil.ru/ Version 4.33.0 and others Testing environment -- Device on any OS with internet connection Any software to send https requests Steps to reproduce -- Send POST request to url...

Exploits: 0

Hacker One | added 2019/12/06 10:02 p.m. | 87 views

Nord Security: Open redirect

The following URL is vulnerable to an open redirect; it will redirect to google.com: https://support.nordvpn.com//path///google.com vulnerable code: if (window.location.href.indexOf('/path') !== -1) { console.log("document.URL", document.URL); window.location.href =...

AI score: 6.8 | Exploits: 0

Hacker One | added 2019/11/05 2:07 a.m. | 87 views

Shopify: Stored XSS in private message

1. Open customer function https://mosuan-img-src-x.myshopify.com/admin/customers 2. Click on the customer's email address F625957 3. Click the sent message on the current page F625959 Impact admin...

AI score: 0.8 | Exploits: 0

Hacker One | added 2019/10/31 6:08 a.m. | 87 views

curl: SMB access smuggling via FILE URL on Windows

Summary: While CURL 7.62 parses URLs that have a ? parameter separator char after the fragment separator, the CURL urlapi code treats the path with the hash part as being the same one; this may allow some problem on specific protocols that may have a security impact. On HTTP, an attacker may be...

AI score: 7.1 | Exploits: 0

Hacker One | added 2019/09/14 6:24 p.m. | 87 views

New Relic: Can fake content email of newrelic to any user

@lamscun reported an issue where an arbitrary account name, including special characters and anchor tags, would show up in an invitation email. While we've seen this issue several times, we've decided not to change how account names are formatted. Ultimately, the email client determines how the...

AI score: 1.4 | Exploits: 0

Hacker One | added 2019/07/27 4:50 p.m. | 87 views

Mail.ru: Information Disclosure - Gaining access to assignments and private course presentations

Access to course training materials was possible in Geekbrains due to read access to an S3-compatible bucket. Geekbrains belongs to the extended Ext. B scope...

AI score: 2.6 | Exploits: 0

Hacker One | added 2019/05/07 6:10 p.m. | 87 views

Pornhub: SSRF and local file disclosure by video upload on https://www.redtube.com/upload

The researcher was successful in exploiting a vulnerability in a 3rd-party encoding library, resulting in the execution of SSRF attacks and Local File Disclosure...

AI score: 1.3 | Exploits: 0

Hacker One | added 2018/07/19 3:51 p.m. | 87 views

Internet Bug Bounty: heap-buffer-overflow (READ of size 48) in exif_read_data()

exif_read_data in PHP 5.6.36, 7.1.x and 7.2.x is vulnerable to a heap buffer overflow when fed a specially crafted JPEG. Any online service that reads EXIF data from uploaded JPEGs is potentially vulnerable to this flaw. This has been fixed with the release of PHP 7.2.8 today. Other releases are...

CVSS: 4.3 | AI score: 7.3 | EPSS: 0.04287 | Exploits: 0

Hacker One | added 2017/11/27 6:37 a.m. | 87 views

Internet Bug Bounty: Multiple issues in Libxml2 (2.9.2 - 2.9.5)

Libxml2 is the XML C parser and toolkit developed for the Gnome project. Due to its flexible C implementation and continuous development, Libxml2 is known to be very portable, the library builds and works on a variety of systems Linux, Unix, Windows, CygWin, MacOS, MacOS X, RISC Os, OS/2, VMS, QN...

CVSS: 7.5 | AI score: 7.5 | EPSS: 0.13616 | Exploits: 3

Hacker One | added 2017/01/24 3:17 p.m. | 87 views

LocalTapiola: SQL Injection /webApp/cancel_iltakoulu regId parameter (viestinta.lahitapiola.fi)

Basic report information Summary: There is a SQL Injection vulnerability on http://viestinta.lahitapiola.fi/webApp/cancel_iltakoulu?regId=478836614&locationId=464559674 Domain: viestinta.lahitapiola.fi Steps To Reproduce: Tested on sqlmap framework with following command: ./sqlmap.py -u...

AI score: 0.1 | Exploits: 0

Hacker One | added 2016/12/17 4:38 p.m. | 87 views

Nextcloud: Limitation of app specific password scope can be bypassed (NC-SA-2017-009)

Limitation of app specific password scope can be bypassed NC-SA-2017-009 Risk level: Low CVSS v3 Base Score: 3 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N CWE: Improper Authorization CWE-285 Description Improper session handling allowed an application specific password without permission to the files...

CVSS: 4.3 | AI score: 0.7 | EPSS: 0.00985 | Exploits: 0

Hacker One | added 2016/12/04 11:40 a.m. | 87 views

Nextcloud: Login Hints on Admin Panel

Hi, hope you are doing fine. I wanted to inform you regarding the enabling of the login hints on your wp-admin panel https://nextcloud.com/wp-login.php. Vulnerability: The admin panel shows very "specific" hint information if a hacker tries a bruteforcing attack. Steps to reproduce: 1. Navigat...

AI score: 6.9 | Exploits: 0

Hacker One | added 2016/09/15 8:58 a.m. | 87 views

X (Formerly Twitter): Twitter iOS fails to validate server certificate and sends oauth token

Twitter on iOS newest two versions 6.62 and 6.62.1 are affected, other versions not tested. Tested independently on two different iPhone 6 with iOS version 9.3.3 and 9.3.5 without Jailbreak. The iPhones were without any mobileconfig profiles installed - no we did not install any CA certificate in...

CVSS: 4.3 | AI score: 5.9 | EPSS: 0.00822 | Exploits: 1
