Legal Robot: CORS (Cross-Origin Resource Sharing)
Title: CORS Cross-Origin Resource Sharing Category: Others Affected URL: https://app.legalrobot.com/sockjs/info?cb=pcgb37npst Description: The application implements an HTML5 cross-origin resource sharing CORS policy for this request which allows access from any domain. Allowing access from all...
Internet Bug Bounty: EBCDIC overread (CVE-2016-2176)
https://github.com/openssl/openssl/commit/ea96ad5a206b7b5f25dad230333e8ff032df3219...
Snapchat: Subdomain takeover in http://support.scan.me pointing to Zendesk (a Snapchat acquisition)
harrymg helped us identify an issue in which support.scan.me's CNAME was pointing to scan.zendesk.com. Normally there would be a Zendesk instance there, but in this case, the Zendesk instance was no longer in use. As such, harrymg was able to "claim" scan.zendesk.com from Zendesk. As such, any...
Souq.com: reflected xss on search bar (uae.souq.com)
The XSS is executed on an Android phone, or you can download User-Agent Switcher for Google Chrome and then click Current: Android Handset to reproduce this bug, as you see in pic 2.PNG. Steps: 1. go to http://uae.souq.com 2. put this payload in the search bar: xss'+alert1+' 3. the payload xss is executed 4. this...
Shopify: TCP Source Port Pass Firewall
Affects: yourshop.myshopify.com Your firewall policy seems to let TCP packets with a specific source port pass through. Some types of requests can pass through the firewall. The port number 80 is the source port that unauthorized users can use to bypass your firewall. Suggestion to fix: Make sure...
Pornhub: Multiple endpoints are vulnerable to XML External Entity injection (XXE)
The researcher discovered multiple endpoints which were vulnerable to XML External Entity injection. The researcher was successful in initiating arbitrary requests from a production server...
Internet Bug Bounty: mod_lua: Crash in websockets PING handling
A stack recursion crash in the mod_lua module was found. A Lua script executing the r:wsupgrade function could crash the process if a malicious client sent a carefully crafted PING request. This issue affected releases 2.4.7 through 2.4.12 inclusive...
Internet Bug Bounty: heap buffer overflow in enchant_broker_request_dict()
https://bugs.php.net/bug.php?id=68552...
Mail.ru: OpenSSL HeartBleed (CVE-2014-0160)
The vulnerability exists on portal.sf.mail.ru. This vulnerability allows reading RAM in chunks of up to 64KB. Moreover, the vulnerability is two-way, which means that not only can you read data from the vulnerable server, but an attacker's server can also obtain part of your RAM...
Mail.ru: auth.mail.ru: XSS in login form
Hi! The XSS is present right in the login form; it is enough to supply valid credentials: So, how to reproduce: Send the following POST (I blanked out my password, sorry). But!! It works only with valid credentials. POST /cgi-bin/auth HTTP/1.1 Host: auth.mail.ru User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS...
Internet Bug Bounty: TLS Triple Handshake Attack
More details are at https://secure-resumption.com 2 Scenario ====== Consider a client C that normally authenticates to a server S using a client certificate. If C uses the same certificate to authenticate to a malicious server M, then we show that M can use C's certificate to authenticate its own...
Sandbox Escape: OSX ATS memory corruption may lead to App Sandbox bypass
This issue was reported directly to Apple and has been resolved in OSX Security Update 2014-001. http://support.apple.com/kb/HT6150 Available for: OS X Mavericks 10.9 and 10.9.1 Impact: The App Sandbox may be bypassed Description: A memory corruption issue existed in the handling of Mach messages...
GitLab: Login email verification bypass via `/oauth/token`.
Vulnerability description not provided...
Internet Bug Bounty: CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows
A potential denial of service vulnerability was discovered in the UsernameField component in Django before versions 4.2.7, 4.1.13, and 3.2.23. The vulnerability allowed a denial of service attack via malformed input containing a large number of Unicode characters. The issue was addressed by...
Internet Bug Bounty: [curl] CVE-2023-32001: fopen race condition
CVE-2023-32001 is a vulnerability in the curl library that allowed for a race condition between the stat and fopen functions. This race condition could be exploited to trick users into overwriting protected files or to steal sensitive data, such as cookies. The vulnerability was fixed in a recent...
Internet Bug Bounty: CVE-2023-28321: IDN wildcard match
CVE-2023-28321 is a vulnerability in curl that allowed for improper validation of certificates with host mismatch. The private wildcard matching function in curl could match IDN International Domain Name hosts incorrectly, potentially accepting patterns that should have mismatched. This issue was...
Shopify: Cross-site scripting on api.collabs.shopify.com
Summary: Shopify collabs collabs.shopify.com is a new platform for content creators / influencers to discover and advertise the millions of brands of Shopify. The content creators can apply for different brands on this platform and get paid affiliate marketing. I discovered a cross-site scripting...
Internet Bug Bounty: CVE-2022-32205: Set-Cookie denial of service
A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl stores all of them. A sufficiently large amount of big cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the...
Internet Bug Bounty: DoS via lua_read_body() [zhbug_httpd_94]
Greetings. I have found a bug that can crash httpd 2.4.53, causing a denial of service. The bug is that lua_read_body (modules/lua/lua_request.c) uses the value of the Content-Length header to allocate memory. While ap_read_request limits Content-Length's value to a non-negative |apr_off_t| via a call to...
U.S. Dept Of Defense: ██████████ vulnerable to CVE-2022-22954
I found that one of the targets belonging to DOD is vulnerable to CVE-2022-22954, where an attacker may be able to execute any malicious code; escalating to Remote Code Execution is also possible. Technical Summary: CVE-2022-22954 is a server-side template injection vulnerability in the VMware Workspac...
MTN Group: firebase credentials leaks @ https://mtnhottseat.mtn.com.gh
Hello. I found firebase credentials leaks at https://mtnhottseat.mtn.com.gh. Steps To Reproduce: Visit https://mtnhottseat.mtn.com.gh Right click view source code. Supporting Material/References: // Your web app's Firebase configuration // For Firebase JS SDK v7.20.0 and later, measurementId is...
Brave Software: Information disclosure
Vulnerability tested on:- Brave 1.29.81 Chromium: 93.0.4577.82 Official Build 64-bit Vulnerability description:- For security measures and for privacy purposes, Brave has the ability to open a normal tab of the Brave when we navigate to: chrome://wallet, chrome://history etc. due to the reason th...
U.S. Dept Of Defense: XSS DUE TO CVE-2020-3580
Hello Team, During my research, I found the following host to be vulnerable to CVE-2020-3580, which is POST-based XSS. Vulnerable URL: https://█████/+CSCOE+/saml/sp/acs?tgname=a Impact Attackers can steal cookies and even take over accounts and perform different malicious activities. System Hosts █...
GitHub Security Lab: [JavaScript]: CWE-1004: Sensitive cookie without HttpOnly
This bug was reported directly to GitHub Security Lab...
curl: CVE-2021-22925: TELNET stack contents disclosure again
Summary: CVE-2021-22898: TELNET stack contents disclosure 1176461 issue was recently reported for curl and it was addressed in curl 7.77.0: https://curl.se/docs/CVE-2021-22898.html https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde https://hackerone.com/reports/1176461...
Sifchain: Social media links not working
Summary: Hey team, while researching I found a business logic issue, and I will explain it to you. Steps To Reproduce: POC:- 1. Go to https://sifchain.finance/ 2. Try to add anything after https://sifchain.finance/ 3. Now you will see a 404 page not found. 4. Look below on the page; you will see links to soci...
MCUboot: DMARC and DNS Records not found on mcuboot.com
Found no DMARC DNS record on mcuboot.com. I am also able to send an email to myself on your behalf. The mail sent did not even land in the spam folder, which could make users believe the attacker is a legitimate person or authority. Any attacker could do so by using any fake mailer. For exmp...
Algolia: PHP-FPM status page disclosure
A page leaking debug information was publicly accessible...
8x8: DNS Misconfiguration (Subdomain Takeover) █.staging.█.8x8.com
An EC2 instance was terminated but the DNS record was initially not updated/removed. The issue has been rectified. Same technique mentioned on https://melbadry9.medium.com/dangling-dns-aws-ec2-e2d801701e8...
Logitech: Moderator user has access to owner's support portal and tickets
Summary: Hi there, In https://streamlabs.com, there's a function where users can share their account with other users to manage their dashboard via the following link: https://streamlabs.com/dashboard/settings/shared-access. In the shared-access setting, a user can invite other users with two roles, Moderator an...
h1-ctf: CTF Writeup
Hi, First of all, thanks for this amazing CTF! I will post my writeup soon; it is time to sleep now: F1129602 By the way, the creator of challenge 11 is crazy. Impact Grinch Network is finally down...
VK.com: XSS in vk.link
XSS on vk.link...
Shopify: Self XSS
I have found a self XSS in myshopify.com/admin/apps/import-store/ POC 1 - Go to yourstore.myshopify.com 2 - Go to Settings, App - Import; it may ask you for your platform, select any one 3 - Upload a CSV file with the file name payload xss " Impact XSS Attack...
GitHub Security Lab: CodeQL query to detect XSLT injections
This bug was reported directly to GitHub Security Lab...
Yelp: IDOR in locid parameter allowing to view others accounts Profile Locations
The application transmits the locid parameter via the URL on many occasions, which means that this parameter may be being logged in plain text in the Apache server access.log, if not in others also. The fact that this happens makes this parameter vulnerable not only to being read from this log file, but...
New Relic: "Basic user" which can only access a limited subset of the platform can access certain pages which are restricted to the user by the account owner.
@jhimansh described an issue where forced browsing could be used to visit restricted pages as an unprivileged user. As our web application is shipped as client side JavaScript, there is no way to prevent viewing all pages within that code. However, checks are done server-side to ensure that...
Dropcontact: Django debug enabled showing information about system, database, configuration files.
We were displaying sensitive information...
RGhost: Idor on the DELETE /comments/
Summary: IDOR on /comments Steps To Reproduce: Make sure you have 2 different IDs to maintain 2 different sessions for certainty 1. The request can be tampered with using the ID of a different comment; both the edit and delete functions can be used 2. Delete gets hampered by the Captcha which is thrown, but...
MTN Group: Disclosure of internal information using hidden NTLM authentication leading to an exploit server
By using a GET request on the URL http://www.mtncongo.net/fr/Pages/ of the blog, we collect sensitive information from the blog. Step: Typically, when visiting a website http://www.mtncongo.net/ or directory http://www.mtncongo.net/fr/Pages/ requiring privileged access, the server will initiate a logi...
Bumble: On signing up with a phone number, the 4 digit OTP does not expire for a long time, leading to an easy attack and making a verified account easily
Hello there, how are you doing? Go to the sign up page and enter a new phone number and you will be redirected to https://bumble.com/registration/confirm-phone. You will receive an easily breakable 4 digit OTP code. I waited for about 4 hours and the OTP did not expire. This shows that the OTP can b...
Polymail, Inc.: Reflected XSS by changing url parameters on the user invite onboarding links.
@renekroka Discovered a potential reflected XSS by changing url parameters on the user invite onboarding links. 1...
PUBG: Reflected XSS in https://lite.pubg.com
The researcher found an XSS vulnerability caused by query parameters not being properly sanitized before being displayed on the page...
Stripo Inc: Clickjacking on my.stripo.email for MailChimp credentials
Clickjacking is a malicious hacking technique where attackers can acquire sensitive data. Through simple social engineering techniques these links can be sent out to unsuspecting customers to steal their credentials or perform actions on their accounts. For this example I saw that where I goto...
Imgur: De-anonymization Attack: Cross Site Information Leakage
Dear Imgur Security Team, We are researchers at the IMDEA Software Institute in Madrid, Spain. We have been working on analyzing Cross-Site Browser Leaks xsleaks and building a tool for finding instances of it on target web sites. Recently we tested imgur.com and discovered a flaw that can affect...
Razer: Reflected XSS at https://pay.gold.razer.com escalated to account takeover
Summary: Because the parameter err is injected into the body of the page without any sanitization, a victim could be tricked into visiting the page and getting his account stolen. Steps To Reproduce: 1. Visit the specially crafted URL Firefox | IE11...
Node.js: Hostname spoofing
Summary: I found that url.parse is vulnerable to hostsplit that causes hostname spoofing. Description: Steps To Reproduce: url.parse('http://evil.c℀.victim.test/?') returns evil.ca/c.victim.test as hostname, so this hostname matches .victim.test but will access evil.ca. Welcome to Node.js v12.9.0...
Internet Bug Bounty: Out of Bounds Memory Read in exif_process_user_comment
I have found and reported an out of bounds memory read in PHP exif_process_user_comment. When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with dat...
U.S. Dept Of Defense: Root Remote Code Execution on https://███
Summary: Atlassian Crowd is a centralized identity management application that allows companies to "Manage users from multiple directories - Active Directory, LDAP, OpenLDAP or Microsoft Azure AD - and control application authentication permissions in one single location." A DOD installation is...
Imgur: Stored XSS on imgur profile
Hello, I submitted a report on imgur, but the staff marked it as duplicate. 482841 I reviewed the report of the first submitted report. 381553 We are on the same situation and his case is already fixed because I tried visiting his site too which is https://12test.imgur.com/ and even redoing his...
Internet Bug Bounty: Use after free and out of bounds read in xmlrpc_decode()
Malformed input can lead to use after free and out of bounds memory errors. This has been fixed with the latest updates of PHP 7.1.26/7.2.14/7.3.1. Note: I reported those as separate bugs to PHP, but they had the same underlying bug and were fixed by the same commit. The release notes only mentio...