15369 matches found
VK.com: Обход 2ух-шаговой авторизации / 2FA Bypass
Недостаточная проверка пользователя при сбросе сессий. Был косяк в функционале завершения сессий. При обращении на login.vk.com с resethash любого пользователя, мы получали доступ к аккаунту жертвы минуя 2FA...
Nextcloud: Information Disclosure of .htaccess file in Private Server/Subdomain
@ahsantahir reported a missing permission check on an internal service allowing the extraction of the .htaccess file. We've fixed this by adjusting the Apache configuration and putting Basic Auth in front of the page. On request of the reporter this is disclosed limitedly. Non-Critical, small...
Phabricator: Passphrase credential lock bypass
mongoose :D Testing was performed on our own installed testing environment, with a standard installation and configuration of Phabricator. The Passphrase application has feature where stored credentials can be locked. When you lock a credential, it claims "This credential will be locked and the...
Concrete CMS: Stored XSS in Image Alt. Text
XSS payload can be executed and saved permanently in Image Alt. Text. Poc Code: "click me!"...
Secret: Content Sniffing not disabled
URL :- https://www.secret.ly/ Issue description :- There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the response. The lack of this header causes that certain browsers, try to determine the content type and encoding of the response even when these properties are...
U.S. Dept Of Defense: Unauthenticated File Read Adobe ColdFusion
A vulnerability allowing unauthenticated arbitrary file read in Adobe ColdFusion was discovered. This could result in unauthorized access to sensitive data on affected systems. The vulnerability impacts ColdFusion versions 2021 Update 5 and earlier, and 2018 Update 15 and earlier. Mitigation is t...
Internet Bug Bounty: CVE-2022-23519: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)
The following is from: https://hackerone.com/reports/1656627 Intro The Rails HTML sanitzier allows to set certain combinations of tags in it's allow list that are not properly handled. Similar to the report 1530898, which identified the combinationselect and style as vulnerable, my fuzz testing...
TikTok: Stored XSS in the ticketing system
A Stored Cross-Site Scripting XSS vulnerability was found on a TikTok Seller endpoint, which could have resulted in a JavaScript payload injected into the endpoint causing it to be executed within the context of the victim's browser. We thank @codeslayer137 for reporting this to our team...
GitHub Security Lab: C++: Support Pqxx connector to search for sql injections to Postgres
This bug was reported directly to GitHub Security Lab...
Liberapay: Login CSRF : Login Authentication Flaw on https://liberapay.com/
Description: There is no csrf validation while logging in which leads to csrf. An attacker can craft an HTML page containing information to have the victim sign into an attacker's account, where the victim may add sensitive payment information to the attacker's new account assuming he/she is logg...
h1-ctf: HackyHolidays H1 CTF Writeup
HackyHolidays Day 1 Once the CTF started and the Grinch released the scope hackyholidays.h1ctf.com, I started the CTF by a good old Nmap scan, to see whats running on the server. So the nmap command looked like nmap -sC -sV -oA nmap hackyholidays.h1ctf.com/. The result showed a promising entry...
curl: CVE-2020-8285: FTP wildcard stack overflow
Summary: User 'xnynx' on github filed PR 6255 highlighting this problem. Filed publicly My first gut reaction was that this had to be a problem with curlfnmatch as that has caused us grief in the past and on most platforms we use the native fnmatch now, but not on Windows IIRC and this is a...
Kubernetes: Development Application Credentials + Information Exposed
Issue Description When I browsed through all the JS files on prow.k8s.io I came across a link called /config which contains a configuration disclosure for the development files URL Vulnerabilities https://prow.k8s.io/config Proof On Concept javascript - continuous-integration/travis-ci kubespray:...
Informatica: Cross-site Scripting (XSS) - DOM - iqcard.informatica.com
Hello all I found a DOM based XSS at iqcard.informatica.com Description After finding the path iqcard.informatica.com/pub/fujitsu/fm3v2/player/attach.html. I noticed that the code inside attach.html was vulnerable to DOM XSS, due to the fact of the javascript document.location function. search. T...
U.S. Dept Of Defense: Access to Unclassified / FOUO Advanced Motion Platform of █████████.mil
Hey, I have recently found a website in the namespace of the Amazon Web Services cloud for the US government which exposes a classification header of Unclassified / FOUO. Hence, I thought it might be a good idea to report this vulnerability to you. Furthermore, the source code tells us that the...
h1-ctf: [H1-2006 2020] [Multiple Vulnerability] CTF Writeup - @abdilahrf_
As there is a private invite for the first 10 solver, i send only the flag now F851115 will complete my writeup on the next comment. Impact Controlling martenmickos account...
BTFS: xss on bittorrent.com
hi team i realized xss bug on headers.php. https://www.bittorrent.com/scripts/site/headers.php?=1586521900793&callback= https://www.bittorrent.com/scripts/social/gettweet.php?=1586521900791&callback= its works on IE browsers. Impact fix them...
Shopify: Stored XSS in private message
1.Open customer function https://mosuan-img-src-x.myshopify.com/admin/customers 2.Click on the customer's email address F625957 3.Click the sent message on the current page F625959 Impact admin...
curl: SMB access smuggling via FILE URL on Windows
Summary: While CURL 7.62 parses URLs that have an ? parameter separator char after the fragment separator, CURL urlapi code treats the path with the hash part as it being the same one, this may allow some problem on specific protocols that may have a security impact. On HTTP, an attacker may be...
New Relic: Can fake content email of newrelic to any user
@lamscun reported an issue where an arbitrary account name, including special characters and anchor tags, would show up in an invitation email. While we've seen this issue several times, we've decided not to change how account names are formatted. Ultimately, the email client determines how the...
Internet Bug Bounty: heap-buffer-overflow (READ of size 48) in exif_read_data()
exifreaddata in PHP 5.6.36, 7.1.x and 7.2.x is vulnerable to a heap buffer overflow when fed a specially crafted JPEG. Any online service that reads EXIF data from uploaded JPEGs is potentially vulnerable to this flaw. This has been fixed with the release of PHP 7.2.8 today. Other releases are...
Semrush: Stored XSS in '' Section and WAF Bypass
Summary Stored Cross-site Scripting XSS is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores...
Grab: [growth.grab.com] Reflected XSS via Base64-encoded "q" param on "my.html" Valentine's microsite
Hi, An encoded injection in the q parameter on my.html can be used to reflect JavaScript in the growth.grab.com context. This microsite creates a "Grab's Valentine" card for a driver over the past year, and carries its data in Base64 format. Proof of concept Please visit the following URL, scroll...
Internet Bug Bounty: Use-after-free in XML::LibXML::Node::replaceChild
Hi security team, I have reported a bug in Perl https://rt.cpan.org/Public/Bug/Display.html?id=122246 this bug was assigned CVE-2017-10672 https://nvd.nist.gov/vuln/detail/CVE-2017-10672...
LocalTapiola: SQL Injection /webApp/cancel_iltakoulu regId parameter (viestinta.lahitapiola.fi)
Basic report information Summary: There is a SQL Injection vulnerability on http://viestinta.lahitapiola.fi/webApp/canceliltakoulu?regId=478836614&locationId=464559674 Domain: viestinta.lahitapiola.fi Steps To Reproduce: Tested on sqlmap framework with following command: ./sqlmap.py -u...
Nextcloud: Login Hints on Admin Panel
Hi, Hope you are doing fine. I wanted to inform you regarding the enabling of the login hints on your wp-admin panelhttps://nextcloud.com/wp-login.php. Vulnerability: The admin panel shows very "specific" hint information if a hacker tries for a bruteforcing attack. Steps to reproduce: 1. Navigat...
Informatica: [product360.informatica.com] Unauthenticated Apache Tomcat 8 Installation
The consultant identified that the affected url and port leads to an unprotected default Apache X configuration, this service should be protected or removed if not required. The affected link is as follows: http://product360.informatica.com:8443/ Upon visiting the URL, the consultant was presente...
Uber: OneLogin authentication bypass on WordPress sites via XMLRPC
When a user logs on one of your WordPress sites via OneLogin, the authentication plugin creates a new entry in the WordPress user database with the default password @@@nopass@@@. This wouldn't be a problem if the plugin disabled all normal WordPress authentication methods, but it doesn't. The...
Mail.ru: Admin panel access restrictions bypass [poll.mail.ru/admin/]
Access to http://poll.mail.ru/admin/ could be obtained. poll.mail.ru is not currently in the Bug Bounty scope, but reward was issued due to problem significance...
Internet Bug Bounty: Malformed ECParameters causes infinite loop
Malformed ECParameters causes infinite loop CVE-2015-1788 =========================================================== Severity: Moderate When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can...
Internet Bug Bounty: Read beyond bounds in mod_isapi.c [zhbug_httpd_41]
Greetings. I have found a read-beyond-bounds bug in httpd that arises from an apparent logic error. The bug is in /modules/arch/win32/modisapi.c, on lines 979 and/or 983, which use the length of the path to the ISAPI DLL |strlenr-filename| to index into the string specified by the ISAPI DLL itsel...
Internet Bug Bounty: Time-of-check to time-of-use vulnerability in the std::fs::remove_dir_all() function of the Rust standard library
The implementation of std::fs::removedirall in the Rust standard library is vulnerable to a time-of-check to time-of-use link replacement attack. This applies to all versions of Rust before 1.58.1. Vulnerability details The documentation of std::fs::removedirall guarantees that the function does...
Unikrn: Open URL Redirection
Open URL Redirect Steps To Reproduce: 1 Go to the following link & Register for new account https://unikrn.com/██████ 2 After registering It will redirect to example.com Reference: https://www.owasp.org/index.php/UnvalidatedRedirectsandForwardsCheatSheet Impact The attacker can force the user to...
U.S. Dept Of Defense: [████] SQL Injections on Referer Header exploitable via Time-Based method
Summary: SQL Injections on Referer Header exploitable via Time-Based method Description: https://owasp.org/www-community/attacks/SQLInjection Impact https://owasp.org/www-community/attacks/SQLInjection Step-by-step Reproduction Instructions First, vulnerable points:...
CS Money: Bypass Filter on link of build
Summary: Hello team, I found that a valid build will have a link with the following format https://3d.cs.money/item/0UkWN8vh2R If you save a build with /api/build/save. It will return a link to sync with your save builds The bug occurs when web app sync, you can custom the link of build with...
Zomato: Solr Injection in `user_id` parameter at :/v2/leaderboard_v2.json
@zzzhacker13 identified a Solr Injection on the userid parameter at :/v2/leaderboardv2.json. Our team analyzed internally and found that only fq=injection was possible on the Solr endpoint, hence the Solr injection was of low impact since there was no way to escalate it to exfiltrate data, one...
h1-ctf: [H1-2006 2020] CTF write-up
Summary: Hello HackerOne team! I finally managed to solve this long but really nice CTF! Here is the flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$. You can access my writeup at https://diego95root.github.io/posts/H1-2006-CTF/. It's password protected, the password is the flag. Thank you so...
Imgur: self-xss with ClickJacking can leads to account takeover in Firefox
Description Hi, i think i found a valid chaining issues here ClickJacking issue I discovered that have some endpoints that permits to frame imgur.com with some limitations, but even in this case, it is possible to carry out a proof of concept. One of the cases is in the /all/ directory of...
Yelp: No rate limiting for confirmation email lead to email flooding
Description: There is no rate limiting implemented in sending the confirmation email. Thus, attacker can use this vulnerability to bomb out the email inbox of the victim. Affected URL: https://biz.yelp.com/welcome/resendconfirmation with POST method Details: 1. Login to biz.yelp.com 2. Go to...
Mail.ru: Public available Sensitive Information about drivers
Domain, site, application -- API for client app Citimobil https://c-api.city-mobil.ru/ Version 4.33.0 and others Testing environment -- Device on any OS with internet connection Any software to send https requests Steps to reproduce -- Send POST request to url...
Nord Security: Open redirect
The following URL is vulnerable to an open redirect it will redirect to google.com: https://support.nordvpn.com//path///google.com vulnerable code: if window.location.href.indexOf'/path' !== -1 console.log"document.URL", document.URL window.location.href =...
Mail.ru: Boolean-based SQL Injection on relap.io
Boolean/error based SQLi in relap.io due to insecure use of GET parameters...
Weblate: Tab nabbing via window.opener
Details: When you open a link in a new tab target="blank" , the page that opens in a new tab can access the initial tab and change it's location using the window.opener property. Attack scenario: here i have provided 2 videos, in video 1 i have my editorial link set. to show that tabnapping is...
Ubiquiti Inc.: Reflected XSS in Nanostation Loco M2 - AirOS ver=6.1.7
AirMax XW.v6.2.0 and prior containing multiple end-points with parameters vulnerable to reflected cross site scripting XSS, allowing attackers to abuse the user' session information and/or account takeover of the admin user. These vulnerabilities were found on AirMax AirMax AirOS v6.2.0 and prior...
Node.js third-party modules: [sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name
I would like to report HTML Injection vulnerability in sexstatic module. It is possible to use HTML in directory names, which might lead to run arbitrary JavaScript code in the browser. Module module name: sexstatic version: 0.6.2 npm page: https://www.npmjs.com/package/sexstatic Module Descripti...
Ubiquiti Inc.: CRLF Injection on openvpn.svc.ubnt.com
The researcher reported the vulnerability CVE-2017-5868 in one of our server, it got promptly mitigated, once no oficial patch was available at the time of submit. Ubiquiti's employee VPN server was vulnerable to CVE-2017-5868, the issue was reported to them by me and quickly patched. Thank you...
Internet Bug Bounty: Use After Free Vulnerability in unserialize()
https://bugs.php.net/bug.php?id=70172...
U.S. Dept Of Defense: Email Takeover leads to permanent account deletion
The security vulnerability found allowed an attacker to change the email address of a victim's account, leading to the permanent deletion of the victim's account. The vulnerability was caused by improper authentication on the change email functionality...
Basecamp: Path traversal in deeplink query parameter can expose any user's private info to a public directory (one click)
The Basecamp mobile application was found to be vulnerable to a path traversal issue. By crafting a malicious deeplink with a specific "filename" parameter, an attacker could force the application to save user data to any directory on the device, including locations accessible to other applicatio...
Internet Bug Bounty: [CVE-2023-38546] cookie injection with none file
A vulnerability was found in the libcurl library. By duplicating an easy handle with cookies enabled but no cookies loaded, and a nonexistent cookie file specified, an attacker could potentially inject cookies into a program using libcurl if a file named "none" was present and readable in the...