HackerOne, most viewed

15302 matches found

Hacker One, added 2014/09/30 6:51 p.m., 85 views

HackerOne: homograph attack. IDNs displayed in unicode in bug reports and on external link warning page

the IDN: http://ebаy.com/ is a homograph for the latin ebay.com. if you click that first link, you might think that you are going to ebay.com. in fact, you are going to a homograph url http://xn--eby-7cd.com/ more info http://www.chromium.org/developers/design-documents/idn-in-google-chrome more...

AI score: 1.1
Exploits: 0

Hacker One, added 2014/06/20 12:00 a.m., 85 views

Internet Bug Bounty: SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities

This vulnerability was reported directly to the PHP development team. A detailed summary is available here: https://www.sektioneins.de/en/blog/14-08-27-unserialize-typeconfusion.html...

CVSS: 7.5, AI score: 7.7, EPSS: 0.30128
Exploits: 4

Hacker One, added 2014/06/06 6:39 p.m., 85 views

Internet Bug Bounty: Flash Sandbox Bypass

Adobe Flash Player issue 2719 and 2720. Exploit of this bug uses 2 separate vulnerabilities. 2720 is a bug which is able to, from the local-with-file sandbox, default local sandbox, open both local and remote files, local files and http/https resources. An attacker could for example read your...

CVSS: 7.5, AI score: 6.2, EPSS: 0.10052
Exploits: 0

Hacker One, added 2023/04/27 1:00 a.m., 84 views

Reddit: Regression on dest parameter sanitization doesn't check scheme/websafe destinations

A vulnerability was discovered in Reddit's login page where the "dest" parameter was not properly sanitized, allowing an attacker to perform a JavaScript-based Open Redirect attack. This could lead to Cross-Site Scripting XSS injection and potential cookie theft. An attacker could exploit this...

AI score: 6.2
Exploits: 0

Hacker One, added 2023/03/20 7:32 a.m., 84 views

Internet Bug Bounty: CVE-2023-27533: TELNET option IAC injection

A vulnerability CVE-2023-27533 was found in curl versions 7.7 to 7.88.1 that allowed users to pass on user name and "telnet options" for server negotiation without proper input scrubbing, potentially allowing for the injection of unintended TELNET commands to the telnet connection. The severity o...

CVSS: 8.8, AI score: 7, EPSS: 0.01993
Exploits: 1

Hacker One, added 2022/04/30 7:24 p.m., 84 views

curl: CVE-2022-27781: CERTINFO never-ending busy-loop

Summary: Curl is prone to a DoS attack in case the NSS TLS library is used and the CERTINFO option is enabled. Using maliciously crafted certificates on a server, an attacker can make curl run into an endless loop when connecting to the server. The bug is located in the following code segment...

AI score: 0.1, EPSS: 0.02434
Exploits: 1

Hacker One, added 2021/07/25 8:33 p.m., 84 views

U.S. Dept Of Defense: XSS due to CVE-2020-3580 [██████]

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct cross-site scripting XSS attacks against a user of the web services interface of an...

CVSS: 2.6, AI score: 1.5, EPSS: 0.85439
Exploits: 2

Hacker One, added 2021/02/17 10:18 p.m., 84 views

GitHub Security Lab: [JavaScript]: add query for Express-HBS LFR

This bug was reported directly to GitHub Security Lab...

AI score: 0.6
Exploits: 0

Hacker One, added 2020/10/09 1:35 p.m., 84 views

Weblate: Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile]

Hi There is a CSRF bug on your Website that leads to logging the user out from the dashboard. If the user clicks on the attached file CSRF.html, it redirects to another page, they see the following error and the user is logged out immediately: F1029146 Steps to reproduce: 1- Login to your account via Login page 2- Click on...

AI score: 6.9
Exploits: 0

Hacker One, added 2020/08/18 8:54 p.m., 84 views

HackerOne: Recently added 'Country' field doesn't send email notification when changed

Summary: Hi team, This is a small bug report. Actually I think there is no important security issue but I wanted to report it ¯\ツ/¯ If you change your 'Country' information on account settings, HackerOne doesn't send Your profile was recently changed email. Description: There is an email...

AI score: 0.2
Exploits: 0

Hacker One, added 2020/08/05 11:26 a.m., 84 views

U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA

Hey, I found out that host ████████.mil was vulnerable to CVE-2020-3452. You can test it by visiting the URL: https://██████████.mil/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portalinc.lua To try it with CURL please run the following command:...

CVSS: 5, EPSS: 0.99992
Exploits: 24

Hacker One, added 2020/07/09 5:29 p.m., 84 views

lemlist: stored xss in app.lemlist.com

Hi there, I found a stored xss on app.lemlist.com. Steps To Reproduce: 1. go to https://app.lemlist.com/. 1. create or edit campaigns. 1. visit tab Buddies-to-Be. 1. click Add one on the right Top. 1. Fill in the input 1. add / Icebreaker and companyName 1. click create . POC F901411 Impact Stealing...

AI score: 6.8
Exploits: 0

Hacker One, added 2020/04/23 8:21 p.m., 84 views

Cuvva: Time-limit Bypassing, Rate-limit Bypassing and Spamming at https://ops.cuvva.co

Hello cuvva secteam, Hope you are well and safe Summary When trying to sign in at https://ops.cuvva.com: 1. There is no checking if supplied email is valid before sending login link Note: the sent login links do not work but this bug can be used for spamming any supplied email. 2. The time-limit...

AI score: 6.7
Exploits: 0

Hacker One, added 2020/02/27 5:40 a.m., 84 views

Visma Bug Bounty Program: A non-administrator user can change his email even when it is restricted by an administrator

A non-administrator user can change his email, even when it is restricted by an administrator, by tampering with the response data. Steps to Reproduce Login as a normal user and go to "My details" tab in Profile. Click on Edit icon in Account section. If this functionality is locked by your...

AI score: 1.5
Exploits: 0

Hacker One, added 2018/09/26 9:32 p.m., 84 views

PayPal: IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users

PayPal Business Accounts allow account owners to create multiple secondary users with specific privileges assigned to their employees. This submission identified a method that made it possible for a Business Account owner to assign secondary users from other accounts. The new secondary user would...

AI score: 4.7
Exploits: 0

Hacker One, added 2018/08/22 8:43 a.m., 84 views

HackerOne: DOM Based XSS in www.hackerone.com via PostMessage

Summary: The Marketo contact form available on the www.hackerone.com website is affected by a cross-site scripting vulnerability, caused by an insecure 'message' event listener installed on the page. Whilst this could allow an attacker to execute JavaScript in the context of the www.hackerone.com...

AI score: 6.1
Exploits: 0

Hacker One, added 2018/07/24 3:39 p.m., 84 views

Slack: Bypass of the SSRF protection in Event Subscriptions parameter.

The vulnerability is present in the "Event Subscriptions" parameter where: "Your app can subscribe to be notified of events in Slack for example, when a user adds a reaction or creates a file at a URL you choose. ". URL: https://api.slack.com/apps/YOUAPPCODE/event-subscriptions? When we add a sit...

AI score: 0.4
Exploits: 0

Hacker One, added 2018/04/28 8:34 p.m., 84 views

Instacart: View & add to cart unlisted items via IDOR

Access Control vulnerability that would let an attacker order certain items from the API, even though they are missing from the Web catalog...

AI score: 3.5
Exploits: 0

Hacker One, added 2018/03/21 1:44 p.m., 84 views

Node.js third-party modules: [sexstatic] HTML injection in directory name(s) leads to Stored XSS when a malicious file is embedded with an <iframe> element used in a directory name

I would like to report HTML Injection vulnerability in sexstatic module. It is possible to use HTML in directory names, which might lead to run arbitrary JavaScript code in the browser. Module module name: sexstatic version: 0.6.2 npm page: https://www.npmjs.com/package/sexstatic Module Descripti...

CVSS: 4.3, AI score: 6.3, EPSS: 0.00922
Exploits: 1

Hacker One, added 2015/06/09 4:26 p.m., 84 views

Marktplaats: Content Spoofing - http://aanbieding.marktplaats.nl/wp-admin/admin-ajax.php

Hello, Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user made possible by injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply content to a web application,...

AI score: 6.3
Exploits: 0

Hacker One, added 2014/11/22 9:50 a.m., 84 views

Eobot: OPTIONS METHOD ENABLED

URL: https://www.eobot.com/chat/ Summary: I detected that OPTIONS method is allowed. This issue is reported as extra information. Impact: Information disclosed from this page can be used to gain additional information about the target system. Fix: Disable OPTIONS method in all production systems...

AI score: 6.8
Exploits: 0

Hacker One, added 2024/05/02 9:18 p.m., 83 views

HackerOne: Insecure Direct Object Reference (IDOR) Allows Viewing Private Report Details via /bugs.json Endpoint

The Insecure Direct Object Reference IDOR vulnerability allowed viewing private report details through the /bugs.json endpoint. Any private reports could be accessed by sending a POST request to the endpoint with the organization ID and a single-digit text query. This gave access to sensitive...

AI score: 6.6
Exploits: 0

Hacker One, added 2024/03/21 6:47 p.m., 83 views

Internet Bug Bounty: Libuv: Improper Domain Lookup that potentially leads to SSRF attacks

The vulnerability in the libuv library was caused by the improper truncation of hostnames to 256 characters before calling the getaddrinfo function. This behavior allowed the creation of addresses like 0x00007f000001, which were considered valid by getaddrinfo, potentially leading to SSRF attacks...

CVSS: 7.3, AI score: 7.4, EPSS: 0.02003
Exploits: 1

Hacker One, added 2023/07/06 6:47 a.m., 83 views

inDrive: Blind SQL injection on id.indrive.com

A blind SQL injection vulnerability was found where user input was not sanitized before being used in SQL queries. This allowed arbitrary SQL commands to be injected, revealing details of the backend database...

AI score: 8.3
Exploits: 0

Hacker One, added 2022/08/09 1:51 p.m., 83 views

Internet Bug Bounty: [CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname

GHSA: https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3 Report: https://hackerone.com/reports/1642017 Impact SSRF...

CVSS: 7.5, AI score: 8.9, EPSS: 0.01388
Exploits: 1

Hacker One, added 2022/07/01 5:01 a.m., 83 views

Glassdoor: Web Cache Poisoning leads to XSS and DoS

@nokline and @bombon were able to utilize URL parser confusion in combination with reflected XSS under https://glassdoor.com/Job/ and https://glassdoor.com/mz-survey/interview/collectQuestionsinput.htm/ by caching XSS payloads via cookie and header params into a stored XSS for URLs /Award/ and...

AI score: 6.2
Exploits: 0

Hacker One, added 2022/04/27 4:16 p.m., 83 views

Internet Bug Bounty: OAUTH2 bearer not-checked for connection re-use

libcurl might reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTPS, IMAPS, POP3S and LDAPS (openldap only). libcurl maintains a pool of connections afte...

CVSS: 5.5, AI score: 8.1, EPSS: 0.01914
Exploits: 1

Hacker One, added 2021/12/20 1:23 p.m., 83 views

Krisp: Log4j CVE-2021–44228

The researcher's canary token got DNS interaction, which raised a false sense of log4shell vulnerability. $hostName would be exfiltrated if any of the processing servers were vulnerable, but as seen in the video submitted by the researcher just a plain DNS resolving was made...

AI score: 6.9, EPSS: 0.99999
Exploits: 344

Hacker One, added 2021/09/28 12:50 p.m., 83 views

Elastic: Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows

Summary Hello team, I hope you're doing well! I was combing through your GitHub repository to look at the fixes for recent security releases and found the fix for CVE-2021-22151 to be incomplete. The current fix makes assumptions that are true on Linux but that don't hold on Windows. Details The...

AI score: 5.7, EPSS: 0.00704
Exploits: 0

Hacker One, added 2021/07/02 9:52 p.m., 83 views

GitHub Security Lab: [Java]: CWE 295 - Insecure TrustManager - MiTM

This bug was reported directly to GitHub Security Lab...

AI score: 0.9
Exploits: 0

Hacker One, added 2021/05/13 4:53 p.m., 83 views

GitHub Security Lab: [Java] CWE-078: Add JSch lib OS Command Injection sink

This bug was reported directly to GitHub Security Lab...

AI score: 1.2
Exploits: 0

Hacker One, added 2021/05/13 9:59 a.m., 83 views

Sifchain: No Rate Limit protection in user subscription form

Summary: Hello I found your form that user can subscribe for any update has no rate limit protection. Step to reproduce 1. Visit http://sifchain.finance and move to subscribe form and enter email 2. click on sign-up button. 3. use burpsuite to intercept the request and send to intruder. 4. Clear...

AI score: 6.9
Exploits: 0

Hacker One, added 2020/09/10 9:28 p.m., 83 views

Logitech: GET based Open redirect on [streamlabs.com/content-hub/streamlabs-obs/search?query=]

Summary: Description: in the following link, the parameter query is reflected in multiple places, one of them is in the tag in the head section of the HTML source, the reflection is in the content attribute to be precise check the below image F983200 And I was able to break out of the content...

AI score: 6.8
Exploits: 0

Hacker One, added 2020/08/08 1:17 a.m., 83 views

Acronis: Subdomain Takeover – www.jet.acronis.com pointing to unclaimed Webflow services

Hi Team, Greetings! I've come across another subdomain www.jet.acronis.com of acronis.com pointing to an unclaimed Webflow service. Visiting www.jet.acronis.com returned the default 404 page for the Webflow service, thereby making it a potential subdomain takeover. F940499 Similar to the previou...

AI score: 7.5
Exploits: 0

Hacker One, added 2020/02/08 6:40 p.m., 83 views

Endless Group: Modify Host Header which is sent to email

Summary: Modify host header and include the fake website in password reset email. Password reset mail is taking the source domain from the request Host header, which can be modified using burp suite, and the modified link is sent to the victim's email Steps To Reproduce: 1. Go to...

AI score: 6.9
Exploits: 0

Hacker One, added 2020/01/06 10:03 p.m., 83 views

Semrush: CORS misconfiguration which leads to the disclosure of certain data concerning the user.

INTRODUCTION I used an account to search for this vulnerability: id: 5407773 email: [email protected] IP used: 2a01:e34:ec2a:9240:7d25:26c3:1449:bfe7 endpoint URL: https://www.semrush.com/content-paywall/api/accesslevel Summary: CORS policy too permissive. EXPLOITATION Description of...

AI score: 6.7
Exploits: 0

Hacker One, added 2019/12/04 9:38 p.m., 83 views

Polymail, Inc.: XSPA on API service endpoint

Batch endpoint on the api was vulnerable to XSPA due to incorrect validation of url parameter in the request body...

AI score: 2.4
Exploits: 0

Hacker One, added 2019/10/04 3:19 a.m., 83 views

HackerOne: Team object in GraphQL disclosed of private programs via the industry

Summary: Disclosure of private programs across the industry If the program is private, it will show industry Steps To Reproduce "query": "query teamhandle:\"█████████\"id,industry" "data":"team":"id":"█████████","industry":"Computer Hardware \u0026 Peripherals" "query": "query...

AI score: 1.4
Exploits: 0

Hacker One, added 2019/07/16 5:27 p.m., 83 views

HackerOne: Private information exposed through GraphQL filters

Summary: secure schema can be circumvented for graphql where filters by using or operator. Description: When passing a where clause to a collection in the graphql endpoint, like teamswhere: state: eq: softlaunched it queries the state through the secure schema - so it will not return any teams...

AI score: 0.8
Exploits: 0

Hacker One, added 2019/06/25 1:40 p.m., 83 views

New Relic: CSTI fix (#587829) bypass leading to stored XSS at plugins again

@skavans discovered a workaround for previous XSS mitigations. This led to a more robust approach to filtering dangerous content in Angular templates...

AI score: 1.6
Exploits: 0

Hacker One, added 2018/09/20 3:40 a.m., 83 views

Chaturbate: Form Replay in customer information form

The hacker found that the server replays some form field data back in the response when there were form validation errors, which could be cached or viewed by someone with physical access to the same device used to complete the form. The fix was to delete the form data from showing in the response...

AI score: 2.1
Exploits: 0

Hacker One, added 2018/09/01 5:45 p.m., 83 views

Weblate: Tab nabbing via window.opener

Details: When you open a link in a new tab target="blank" , the page that opens in a new tab can access the initial tab and change its location using the window.opener property. Attack scenario: here I have provided 2 videos, in video 1 I have my editorial link set. to show that tabnabbing is...

AI score: 6.8
Exploits: 0

Hacker One, added 2018/08/07 5:31 p.m., 83 views

Shopify: Stored XSS on activity

Hi security team members, Description I found a stored xss on the activity which allows an attacker to steal admin account cookies. Step to reproduce 1-Create store 2- Add a member in a store 3- Member can choose any name 4- So change any member name with hunter" 5- Now on admin account make...

AI score: 1.3
Exploits: 0

Hacker One, added 2018/07/30 3:04 p.m., 83 views

Nextcloud: Access control issue -- [Allow file system access not validated when using session auth]

Obtain an App Token 2. Check that you can access the files with this token and save the cookies 3. Revoke filesystem access for this token 4. See that you can still access the files when using the cookies At step 4 access to the files should also be forbidden...

CVSS: 5.5, AI score: 3.2, EPSS: 0.00957
Exploits: 0

Hacker One, added 2018/07/13 10:22 a.m., 83 views

Shopify: Preview bar: Incomplete message origin validation results in XSS

The JavaScript code at https://cdn.shopify.com/s/assets/storefront/bars/previewbarinjector-73a4756a265c637c998799750759ae548e7f68b136e8e93e83132904afc3d30d.js loaded by the shop front when a theme is previewed installs a message event listener. The following check is used to reject invalid event...

AI score: 5.9
Exploits: 0

Hacker One, added 2018/02/25 5:59 p.m., 83 views

Node.js third-party modules: `protobufjs` is vulnerable to ReDoS when parsing crafted invalid *.proto files

I would like to report a ReDoS in protobufjs. It allows causing a Denial of Service by trying to parse or load a crafted .proto file. Module module name: protobufjs version: 6.8.5 npm page: https://www.npmjs.com/package/MODULE NAME Module Description Protocol Buffers are a language-neutral,...

CVSS: 4.3, AI score: 1.2, EPSS: 0.00958
Exploits: 1

Hacker One, added 2018/01/30 6:36 a.m., 83 views

Node.js third-party modules: Prototype pollution attack (lodash)

As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the lodash library. Module: lodash Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of the structure...

CVSS: 4, AI score: 7.9, EPSS: 0.02413
Exploits: 2

Hacker One, added 2017/05/20 9:09 p.m., 83 views

Nextcloud: IDOR unsubscribe Anyone from NextClouds Newsletters by knowing their Email

Hi Team, I was looking around your website and then I found a subdomain newsletter.nextcloud.com. On the main page it shows us 3 options; I chose the 1st, which was Subscribe to our newsletter. Then I clicked on this option and I was taken to https://newsletter.nextcloud.com/?p=subscribe&id=1 The page...

AI score: 7
Exploits: 0

Hacker One, added 2016/09/14 11:45 a.m., 83 views

Coinbase: coinbase Email leak while sending and requesting

Due to a bug first reported by another researcher, when one coinbase user sent bitcoin to another coinbase user, the receiving user had the sending user's email address silently added to their contact list. While this does not raise PII exposure concerns under our Privacy Policy, we felt it was...

AI score: 6.7
Exploits: 0

Hacker One, added 2016/05/12 9:19 a.m., 83 views

Pornhub: Same-Origin Method Execution bug in plupload.flash.swf on /insights

The researcher discovered a Same-Origin Method Execution SOME vulnerability on Pornhub's Insights blog. An insecure URL sanitization process was performed in the file plupload.flash.swf. The code in the file attempts to remove flashVars in case they have been set as GET parameters but fails to do so...

AI score: 3.3
Exploits: 0

Total number of security vulnerabilities: 5000