GitHub Security Lab: porcupiney.hairs : Java/Android - Insecure Loading of a Dex File
This bug was reported directly to GitHub Security Lab...
Nextcloud: Potential DDoS when posting long data into workflow validation rules
A missing input validation in Nextcloud Server 20.0.1 allowed users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules...
Internet Bug Bounty: Long filenames cause OOM and temp files are not cleaned
https://bugs.php.net/bug.php?id=78875 Impact Disk could be filled up completely by remote attacker without privileges...
Node.js third-party modules: [wappalyzer] ReDoS allows an attacker to completely break Wappalyzer
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report VULNERABILITY in...
Topcoder: Stored XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Summary: Hi : Adding javascript url causes to stored XSS when creating bookmark. Steps To Reproduce: Go to https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action . Write javascript:alertdocument.domain on url input and fill other areas. After create, go...
GitHub Security Lab: Java (Maven): Actually fix the use of insecure protocol to download/upload artifacts
This bug was reported directly to GitHub Security Lab...
Mail.ru: vk.com profile page takeover on https://cabinet.am.ru/
Description Hi team, While exploring https://cabinet.am.ru/ domain I found this site points to some social media accounts, One of them was a vk.com profile as https://vk.com/amrusocial but when I opened that link it showed me a 404 error so I successfully could register an account on vk.com and...
Nord Security: Password Reset Link not expiring after changing the email Leads To Account Takeover
The researcher has identified an issue in our password reset workflow where the password reset URL was not expiring correctly after the user has requested a password change 1 Go to this website : https://ucp.nordvpn.com/lost-password 2 Enter your main account [email protected] 3 Go to [email protected]...
Razer: Reflected XSS at http://promotion.molthailand.com/index.php via promotion_id parameter
The tester discovered a reflected XSS vulnerability on https://easytopup.in.th related to a URL parameter. This issue affected the Firefox browser. Razer thanks the tester for the report and the clear proof of concept...
Starbucks: sdrc.starbucks.com - Information Disclosure via unsecured attachment directory
l00ph0le submitted a valid high severity XSS vulnerability report for sdrc.starbucks.com. After Starbucks confirmed this vulnerability and advised this asset was not in scope, l00ph0le performed additional analysis and research to uncover an unsecured attachment directory which elevated this to a...
QIWI: some source code in the site root
It was possible to view part of the host's source files. I found this file; it contains PHP code. adminer.php.swp F607459 https://shop.tochka.com/%2eadminer%2ephp%2eswp...
Infogram: Privilege escalation allows using iframe functionality w/o upgrade
Hello team! I've found a privilege escalation issue which allows setting iframes in projects w/o upgrading. Steps to reproduce - Login - Navigate to the project - Choose integrations and click the IFrame - See that you'll get an upgrade now notification F501019 - Inspect the page with developer...
curl: Heap Buffer Overflow at lib/tftp.c
Summary: A heap buffer overflow can occur at line 1114 in file lib/tftp.c due to the fact of state-blksize containing the default size instead of containing the one specified in the --tftp-blksize parameter. This bug could lead to a crash or maybe to RCE in the case the attacker also had a memory...
CFP Time: Content spoofing on error pages or text injection
Poc: https://www.cfptime.org/%20is%20not%20available%20anymore%20,%20pls%20go%20to%20WWW.EVIL.COM%20because%20this%20site. Steps to reproduce: 1: Just browse this target on any browser 2: Target: http://www.cfptime.org/ 3: add any content after For example: this is not available anymore pls check...
Mail.ru: source code leak
A fragment of source code was available for download on flash.terrhq.ru...
Mail.ru: XSS in touch.mail.ru
Browser-specific user-assisted DOM based XSS in message editor undo functionality via quoted content. The vulnerability did not affect mobile browsers used by the majority of touch.mail.ru web interface users...
HackerOne: DOM Based XSS in www.hackerone.com via PostMessage
Summary: The Marketo contact form available on the www.hackerone.com website is affected by a cross-site scripting vulnerability, caused by an insecure 'message' event listener installed on the page. Whilst this could allow an attacker to execute JavaScript in the context of the www.hackerone.com...
Semmle: Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning
Summary: Docker Registry HTTP API v2 is exposed in HTTP without authentication. An attacker can use it to dump your docker images and poison them. Description: While digging into the environment that hosts the sandboxed build container, I came across the port 5000 open on another machine probably...
Avito: reflected XSS avito.ru
Hi Avito, I found an XSS on your site. 1. Follow this link https://www.avito.ru/sankt-peterburg?verifyUserLocation=1login?next=javascript:alert;// 2. Log in via OK, VK, etc. 3. The XSS is executed. Impact XSS...
LocalTapiola: Flash-based XSS on mediaelement-flash-audio-ogg.swf of www.lahitapiolarahoitus.fi
Basic report information Summary: The lahitapiolarahoitus.fi contains an SWF-file which is vulnerable to reflected cross-site scripting attacks via crafted URL. Description: The file https://www.lahitapiolarahoitus.fi/wp-includes/js/mediaelement/mediaelement-flash-audio-ogg.swf contains a...
Node.js third-party modules: [pdfinfojs] Command Injection on filename parameter
Hello , there is a Command Injection vulnerability on the "pdfinfojs" module. Module module name: pdfinfojs version: 0.3.6 npm page: https://www.npmjs.com/package/pdfinfojs Module Description pdfinfo shell wrapper for Node.js Module Stats 10 downloads in the last day 61 downloads in the last week...
Node.js third-party modules: [mcstatic] Path Traversal allows reading the content of arbitrary files
Hi Guys, There is a Path Traversal in the mcstatic module. It allows reading the content of arbitrary files on the remote server. Module mcstatic This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser. https://www.npmjs.com/package/mcstat...
WordPress: Information / sensitive data disclosure on some endpoints
Hello team! While doing a preliminary recon on .wordpress.org I've come across a few sensitive files that should not be facing the public web; I'll leave you a list organized by criticality and some proof. High priority .travis.yml configuration file with credentials php maintenance/install.php...
Internet Bug Bounty: RCE via ssh:// URIs in multiple VCS
I'd like to submit an RCE issue within Git SVN and Mercurial, the CVEs are: CVE-2017-9800 Subversion CVE-2017-1000116 Mercurial hg CVE-2017-1000117 Git Further Info can be found at: http://blog.recurity-labs.com/2017-08-10/scm-vulns And product specific:...
Shopify: ShopifyAPI is vulnerable to timing attacks.
Dear Shopify bug bounty team, The Python ShopifyAPI library is vulnerable to timing attacks, because the validatehmac falls back to a non-constant time comparison when hmac.comparedigest is not available. I am perfectly aware that this issue is out of scope, but your Shopify Guru Jack P. kindly...
Phabricator: An unsafe design practice in the Passphrase may result in Secret being accidentally changed.
Summary: An unsafe design practice in the Passphrase may result in a Secret being accidentally changed. Preface: If a user wants to share his/her secrets, he/she may use the Passphrase. But when he/she has created the credential and set who can view it and who can edit it, they will soon discover...
LocalTapiola: SQL Injection on /webApp/omatalousuk (viestinta.lahitapiola.fi)
I would like to report a SQL Injection vulnerability on viestinta.lahitapiola.fi Vulnerable Request: GET /webApp/omatalousuk?email=aaaaa HTTP/1.1 Host: viestinta.lahitapiola.fi User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.12; rv:49.0 Gecko/20100101 Firefox/49.0 Accept: text/html, /; q=0.0...
Legal Robot: CORS (Cross-Origin Resource Sharing)
Title: CORS Cross-Origin Resource Sharing Category: Others Affected URL: https://app.legalrobot.com/sockjs/info?cb=pcgb37npst Description: The application implements an HTML5 cross-origin resource sharing CORS policy for this request which allows access from any domain. Allowing access from all...
Internet Bug Bounty: EBCDIC overread (CVE-2016-2176)
https://github.com/openssl/openssl/commit/ea96ad5a206b7b5f25dad230333e8ff032df3219...
Snapchat: Subdomain takeover in http://support.scan.me pointing to Zendesk (a Snapchat acquisition)
harrymg helped us identify an issue in which support.scan.me's CNAME was pointing to scan.zendesk.com. Normally there would be a Zendesk instance there, but in this case, the Zendesk instance was no longer in use. As such, harrymg was able to "claim" scan.zendesk.com from Zendesk. As such, any...
Souq.com: reflected xss on search bar (uae.souq.com)
The XSS is executed on an Android phone, or you can download User-Agent Switcher for Google Chrome and then click Current: Android Handset to reproduce this bug, as you see in pic 2.PNG. Steps: 1 go to http://uae.souq.com 2 put this payload in the search bar: xss'+alert1+' 3 the payload xss is executed 4 this...
Pornhub: Multiple endpoints are vulnerable to XML External Entity injection (XXE)
The researcher discovered multiple endpoints which were vulnerable to XML External Entity injection. The researcher was successful in initiating arbitrary requests from a production server...
Internet Bug Bounty: mod_lua: Crash in websockets PING handling
A stack recursion crash in the modlua module was found. A Lua script executing the r:wsupgrade function could crash the process if a malicious client sent a carefully crafted PING request. This issue affected releases 2.4.7 through 2.4.12 inclusive...
X (Formerly Twitter): URGENT - Subdomain Takeover on users.tweetdeck.com , the same issue of report #32825
Hi Twitter security team. This is an urgent issue, the same as report 32825. Your subdomain users.tweetdeck.com is pointing to AWS S3, but no bucket was connected to it. An attacker can claim the domain and take over the full subdomain. Please fix it as soon as possible, and let me know if you nee...
Internet Bug Bounty: heap buffer overflow in enchant_broker_request_dict()
https://bugs.php.net/bug.php?id=68552...
Mail.ru: OpenSSL HeartBleed (CVE-2014-0160)
The vulnerability exists on portal.sf.mail.ru. This vulnerability allows reading RAM in chunks of up to 64KB. Moreover, the vulnerability is two-sided: this means that not only can you read data from the vulnerable server, but an attacker's server can also obtain part of your RAM...
Mail.ru: auth.mail.ru: XSS in login form
Hi! The XSS is present right in the login form; it is enough to supply valid credentials: So, how to reproduce: Send the following POST; I scrubbed my own password, sorry. But!! it only works if the credentials are valid POST /cgi-bin/auth HTTP/1.1 Host: auth.mail.ru User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS...
Concrete CMS: https://concrete5.org ::: HeartBleed Attack (CVE-2014-0160)
Pls see attachment files for details: python ssltest.py concrete5.org 443|more impact: critical, pls patch it ASAP References: https://www.openssl.org/news/secadv20140407.txt http://heartbleed.com https://github.com/openssl/openssl/commit/96db9023b881d7cd9f379b0c154650d6c108e9a3 g4mm4...
Internet Bug Bounty: TLS Triple Handshake Attack
More details are at https://secure-resumption.com 2 Scenario ====== Consider a client C that normally authenticates to a server S using a client certificate. If C uses the same certificate to authenticate to a malicious server M, then we show that M can use C's certificate to authenticate its own...
Sandbox Escape: OSX ATS memory corruption may lead to App Sandbox bypass
This issue was reported directly to Apple and has been resolved in OSX Security Update 2014-001. http://support.apple.com/kb/HT6150 Available for: OS X Mavericks 10.9 and 10.9.1 Impact: The App Sandbox may be bypassed Description: A memory corruption issue existed in the handling of Mach messages...
Internet Bug Bounty: CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link
CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on Provider Link A stored cross-site scripting XSS vulnerability was discovered in Apache Airflow versions before 2.10.0. The vulnerability allowed the developer of a malicious provider to execute arbitrary script code when a user clicked o...
GitLab: Login email verification bypass via `/oauth/token`.
Vulnerability description not provided...
Internet Bug Bounty: CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
CVE-2024-42005: Potential SQL injection in QuerySet.values and valueslist A vulnerability was discovered in Django where the QuerySet.values and valueslist methods on models with a JSONField were subject to SQL injection in column aliases via a crafted JSON object key as a passed argument...
Teleport: SSRF in region parameter that leads to AWS Teleport role AWS account takeover
You have an Integration page in Teleport where one of the options is AWS OIDC which will allow people in Teleport to add resources fluently without actually having initial access to these resources or installing any agents on them. You will need to have connected and ready OIDC integration with A...
TikTok: Lynxview JS interfaces Takeover via deeplink traversal
The application had vulnerabilities that could have allowed the takeover of JavaScript interfaces via the application's exposed Webview. The issues were only present in older versions of the Android application and were addressed after the researcher reported them to the team...
Internet Bug Bounty: CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows
A potential denial of service vulnerability was discovered in the UsernameField component in Django before versions 4.2.7, 4.1.13, and 3.2.23. The vulnerability allowed a denial of service attack via malformed input containing a large number of Unicode characters. The issue was addressed by...
Internet Bug Bounty: [curl] CVE-2023-32001: fopen race condition
CVE-2023-32001 is a vulnerability in the curl library that allowed for a race condition between the stat and fopen functions. This race condition could be exploited to trick users into overwriting protected files or to steal sensitive data, such as cookies. The vulnerability was fixed in a recent...
Internet Bug Bounty: CVE-2023-28321: IDN wildcard match
CVE-2023-28321 is a vulnerability in curl that allowed for improper validation of certificates with host mismatch. The private wildcard matching function in curl could match IDN International Domain Name hosts incorrectly, potentially accepting patterns that should have mismatched. This issue was...
Shopify: Cross-site scripting on api.collabs.shopify.com
Summary: Shopify collabs collabs.shopify.com is a new platform for content creators / influencers to discover and advertise the millions of brands of Shopify. The content creators can apply for different brands on this platform and get paid affiliate marketing. I discovered a cross-site scripting...
Internet Bug Bounty: DoS via lua_read_body() [zhbug_httpd_94]
Greetings. I have found a bug that can crash httpd 2.4.53, causing a denial of service. The bug is that luareadbody modules/lua/luarequest.c uses the value of the Content-Length header to allocate memory. While apreadrequest limits Content-Length's value to a non-negative |aprofft| via a call to...