PayPal: Stored XSS on https://paypal.com/signin via cache poisoning
Due to a configuration in the frontend caching servers, it was possible for a researcher to use request smuggling to convert a page request into a cached redirect. If the cached redirect were accessed by a legitimate user, an attacker's content would be rendered instead of the requested page. While...
Weblate: Tab nabbing via window.opener
Details: When you open a link in a new tab (target="_blank"), the page that opens in the new tab can access the initial tab and change its location using the window.opener property. Attack scenario: here I have provided 2 videos. In video 1 I have my editorial link set, to show that tabnabbing is...
Node.js third-party modules: [sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name
I would like to report an HTML injection vulnerability in the sexstatic module. It is possible to use HTML in directory names, which might lead to arbitrary JavaScript code running in the browser. Module name: sexstatic version: 0.6.2 npm page: https://www.npmjs.com/package/sexstatic Module Descripti...
Ubiquiti Inc.: CRLF Injection on openvpn.svc.ubnt.com
The researcher reported the vulnerability CVE-2017-5868 in one of our servers; it was promptly mitigated, since no official patch was available at the time of submission. Ubiquiti's employee VPN server was vulnerable to CVE-2017-5868; the issue was reported to them by me and quickly patched. Thank you...
Internet Bug Bounty: Use After Free Vulnerability in unserialize()
https://bugs.php.net/bug.php?id=70172...
U.S. Dept Of Defense: Email Takeover leads to permanent account deletion
The security vulnerability found allowed an attacker to change the email address of a victim's account, leading to the permanent deletion of the victim's account. The vulnerability was caused by improper authentication on the change email functionality...
Basecamp: Path traversal in deeplink query parameter can expose any user's private info to a public directory (one click)
The Basecamp mobile application was found to be vulnerable to a path traversal issue. By crafting a malicious deeplink with a specific "filename" parameter, an attacker could force the application to save user data to any directory on the device, including locations accessible to other applicatio...
Yelp: yelp.com and biz.yelp.com ATO via XSS + Cookie Bridge
The researcher discovered an XSS vulnerability on biz.yelp.com where the unverified email was reflected in a message, allowing for arbitrary JavaScript execution. This XSS was combined with Yelp's cookie bridge functionality to target other users, leaking HttpOnly session cookies and enabling...
Internet Bug Bounty: CVE-2023-36617: ReDoS vulnerability in URI (Ruby)
A ReDoS vulnerability was discovered in the URI component of the Ruby uri gem versions 0.12.1 and earlier. The vulnerability allowed for the mishandling of invalid URLs with specific characters, resulting in an increase in execution time for parsing strings to URI objects. This issue was a result...
Internet Bug Bounty: HTTP Request Smuggling via Empty headers separated by CR
The llhttp parser in the Node.js http module did not strictly use the CRLF sequence to delimit HTTP requests, which allowed for HTTP Request Smuggling (HRS). This vulnerability affected all active versions of Node.js...
U.S. Dept Of Defense: [U.S. Air Force] Information disclosure due to unauthenticated access to APIs and system browser functions
Multiple information exposure vulnerabilities were found in a Jira Server instance, allowing unauthenticated attackers to access APIs and system browser functions, leading to unauthorized access to sensitive data. The vulnerability was registered as CVE-2020-14179...
Krisp: Log4j CVE-2021-44228
The researcher's canary token received a DNS interaction, which gave a false impression of a Log4Shell vulnerability. $hostName would have been exfiltrated if any of the processing servers were vulnerable, but as seen in the video submitted by the researcher, only a plain DNS resolution took place...
U.S. Dept Of Defense: XSS due to CVE-2020-3580 [██████]
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an...
UPchieve: Full account takeover of any user through reset password
Summary: Hi Security team members. Usually, if we reset our password on https://app.upchieve.org, we get a password reset link by email, and through that password reset link we can reset our password. But I noticed that if we add another email in the forgot password request...
GitHub Security Lab: ihsinme: CPP Add query for CWE-570 detect and handle memory allocation errors.
This bug was reported directly to GitHub Security Lab...
Weblate: Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile]
Hi, there is a CSRF bug on your website that logs the user out of the dashboard. If the user clicks on the attached file CSRF.html, it redirects to another page, shows the following error, and the user is logged out immediately: F1029146 Steps to reproduce: 1- Log in to your account via the Login page 2- Click on...
Dropcontact: Information Disclosure through DEBUG at Subscription [https://app.dropcontact.io/app/subscription?connector=salesforce](CRITICAL)
We were displaying some system information in case of the app crashing...
lemlist: stored xss in app.lemlist.com
Hi there, I found a stored XSS on app.lemlist.com. Steps To Reproduce: 1. Go to https://app.lemlist.com/. 2. Create or edit a campaign. 3. Visit the tab Buddies-to-Be. 4. Click "Add one" on the top right. 5. Fill in the input. 6. Add / Icebreaker and companyName. 7. Click create. POC F901411 Impact Stealing...
Mail.ru: XSS on https://deti.mail.ru/
deti.mail.ru allowed javascript: links to be inserted into post content, leading to a self-XSS possibility when editing messages...
GitHub Security Lab: Go/CWE-643: XPath Injection Query in Go
This bug was reported directly to GitHub Security Lab...
Visma Bug Bounty Program: A non-administrator user can change his email even when it is restricted by an administrator
A non-administrator user can change his email, even when it is restricted by an administrator, by tampering with the response data. Steps to Reproduce: Log in as a normal user and go to the "My details" tab in Profile. Click on the Edit icon in the Account section. If this functionality is locked by your...
Visma Bug Bounty Program: A user can view the name and number of a customer in another company if the GUID is known
An IDOR vulnerability exists in /api/internal/customerlabels/, allowing an attacker to add a label to a customer in another company if he has prior knowledge of the UUID. The result is that the name and number of the customer are shown in the attacker's context. As all objects in the API ar...
Genasys Technologies: Ability to bypass social OAuth and take over any account [d2c-api]
Summary: An attacker is able to log in to any email account that doesn't belong to him by using the OAuth functionality at https://staging.genasystech.co.uk/d2c-api/v1/account/login/provider Steps To Reproduce: 1. Register an account with an email and verify it using the one-time code that is...
PayPal: IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users
PayPal Business Accounts allow account owners to create multiple secondary users with specific privileges assigned to their employees. This submission identified a method that made it possible for a Business Account owner to assign secondary users from other accounts. The new secondary user would...
VK.com: CVE-2018-0296
Path traversal...
Bitvise: The POODLE attack (SSLv3 supported)
Hi Bitvise Security Team, the URL https://massmail.bitvise.com/ is vulnerable to the SSL POODLE attack. Websites that support SSLv3 and CBC-mode ciphers are potentially vulnerable to an active man-in-the-middle (MITM) attack. This attack, called POODLE, is similar to the BEAST attack and also allows a...
WakaTime: Missing SPF Flags
I was just looking at your SPF records and found the following. The SPF record is missing a safe check, which can allow me to send mail and easily phish any victim. PoC: The TXT records found for your domain are: v=spf1 include:spf.google.com include:mailgun.org include:spf.sendinblue.com all Checking to see ...
VK.com: Bypass: "This audio recording is not available for listening in your region."
Bypass of regional restrictions on audio recordings via attachments in the mobile version of the site...
ExpressionEngine: Filename and directory enumeration
Hello, The "Import File Converter" can be abused by an admin to map the server directories and files, because the "File location" field doesn't sanitize the user input and allows access to root directories and files. Steps to reproduce: 1- Go to...
Internet Bug Bounty: ASN.1 BIO excessive memory allocation (CVE-2016-2109)
On 4 April 2016 I reported a bug to the OpenSSL Security Team where I was able to force OpenSSL to use large amounts of CPU time, memory and swap space. They confirmed receipt on 6 April 2016, and on 22 April 2016 I was notified that they were assigning CVE-2016-2109 to this flaw and the fix was...
ownCloud: The csrf token remains same after user logs in
As the CSRF token doesn't change after login, any other user that uses the same workstation is vulnerable. A safer way would be to use a dynamic CSRF token, or simply to change the token after login, so an attacker doesn't get hold of it. Details of the attack scenario in a shared workstation environment...
withinsecurity: DDOS using xmlrpc.php
WordPress blogs that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. The blog at withinsecurity.com has the xmlrpc.php file enabled and could thus potentially be used for such an attack against other victim hosts. In order to...
HackerOne: CSV Injection with the CSV export feature
The "Download as a CSV" feature of HackerOne does not properly "escape" fields. This allows an adversary to turn a field into active content, so when a response team downloads the CSV and opens it, the active content gets executed. Here is more information about this issue:...
HackerOne: Homograph attack: IDNs displayed in Unicode in bug reports and on the external link warning page
The IDN http://ebаy.com/ is a homograph for the Latin ebay.com. If you click that first link, you might think that you are going to ebay.com; in fact, you are going to the homograph URL http://xn--eby-7cd.com/ More info: http://www.chromium.org/developers/design-documents/idn-in-google-chrome more...
Internet Bug Bounty: SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities
This vulnerability was reported directly to the PHP development team. A detailed summary is available here: https://www.sektioneins.de/en/blog/14-08-27-unserialize-typeconfusion.html...
Internet Bug Bounty: Flash Sandbox Bypass
Adobe Flash Player issues 2719 and 2720. The exploit of this bug uses 2 separate vulnerabilities. 2720 is a bug which is able to, from the local-with-file sandbox (the default local sandbox), open both local and remote files: local files and http/https resources. An attacker could for example read your...
Internet Bug Bounty: Libuv: Improper Domain Lookup that potentially leads to SSRF attacks
The vulnerability in the libuv library was caused by the improper truncation of hostnames to 256 characters before calling the getaddrinfo function. This behavior allowed the creation of addresses like 0x00007f000001, which were considered valid by getaddrinfo, potentially leading to SSRF attacks...
FetLife: fetlife.com/signup_step_profile expose access_token of mapbox.com
Vulnerability description not provided...
Internet Bug Bounty: [CVE-2023-23913] DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML Elements
A DOM-based cross-site scripting vulnerability was discovered in rails-ujs, affecting versions 5.1.0 and above. By pasting malicious HTML content with specific attributes into a contenteditable element, an attacker could execute arbitrary JavaScript on the affected origin. The vulnerability has...
inDrive: Blind SQL injection on id.indrive.com
A blind SQL injection vulnerability was found where user input was not sanitized before being used in SQL queries. This allowed arbitrary SQL commands to be injected, revealing details of the backend database...
Reddit: Regression on dest parameter sanitization doesn't check scheme/websafe destinations
A vulnerability was discovered in Reddit's login page where the "dest" parameter was not properly sanitized, allowing an attacker to perform a JavaScript-based Open Redirect attack. This could lead to Cross-Site Scripting XSS injection and potential cookie theft. An attacker could exploit this...
Internet Bug Bounty: [CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname
GHSA: https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3 Report: https://hackerone.com/reports/1642017 Impact SSRF...
curl: CVE-2022-27781: CERTINFO never-ending busy-loop
Summary: Curl is prone to a DoS attack in case the NSS TLS library is used and the CERTINFO option is enabled. Using maliciously crafted certificates on a server, an attacker can make curl run into an endless loop when connecting to the server. The bug is located in the following code segment...
Internet Bug Bounty: OAUTH2 bearer not-checked for connection re-use
libcurl might reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTPS, IMAPS, POP3S and LDAPS (OpenLDAP only). libcurl maintains a pool of connections afte...
Elastic: Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows
Summary Hello team, I hope you're doing well! I was combing through your GitHub repository to look at the fixes for recent security releases and found the fix for CVE-2021-22151 to be incomplete. The current fix makes assumptions that are true on Linux but that don't hold on Windows. Details The...
MTN Group: CVE-2021-38314 @ https://www.mtn.ci
Summary: Hello. Your domain https://www.mtn.ci was vulnerable to CVE-2021-38314. Description: The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in...
GitHub Security Lab: [JavaScript]: add query for Express-HBS LFR
This bug was reported directly to GitHub Security Lab...
Logitech: GET based Open redirect on [streamlabs.com/content-hub/streamlabs-obs/search?query=]
Summary: Description: In the following link, the parameter query is reflected in multiple places; one of them is in the tag in the head section of the HTML source, in the content attribute to be precise (check the image below: F983200). And I was able to break out of the content...
HackerOne: Recently added 'Country' field doesn't send email notification when changed
Summary: Hi team, this is a small bug report. Actually I think there is no important security issue, but I wanted to report it ¯\_(ツ)_/¯ If you change your 'Country' information in account settings, HackerOne doesn't send the "Your profile was recently changed" email. Description: There is an email...
Polymail, Inc.: XSPA on API service endpoint
The batch endpoint on the API was vulnerable to XSPA due to incorrect validation of the url parameter in the request body...