Avito: reflected XSS avito.ru
Hi Avito, I found an XSS on your site. 1. Open this link https://www.avito.ru/sankt-peterburg?verifyUserLocation=1login?next=javascript:alert;// 2. Log in via OK, VK, etc. 3. The XSS is executed. Impact XSS...
LocalTapiola: Flash-based XSS on mediaelement-flash-audio-ogg.swf of www.lahitapiolarahoitus.fi
Basic report information Summary: The lahitapiolarahoitus.fi contains an SWF-file which is vulnerable to reflected cross-site scripting attacks via crafted URL. Description: The file https://www.lahitapiolarahoitus.fi/wp-includes/js/mediaelement/mediaelement-flash-audio-ogg.swf contains a...
Node.js third-party modules: [pdfinfojs] Command Injection on filename parameter
Hello, there is a Command Injection vulnerability in the "pdfinfojs" module. Module module name: pdfinfojs version: 0.3.6 npm page: https://www.npmjs.com/package/pdfinfojs Module Description pdfinfo shell wrapper for Node.js Module Stats 10 downloads in the last day 61 downloads in the last week...
Node.js third-party modules: [mcstatic] Path Traversal allows to read content of arbitrary files
Hi Guys, There is a Path Traversal in the mcstatic module. It allows reading the content of arbitrary files on the remote server. Module mcstatic This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser. https://www.npmjs.com/package/mcstat...
Internet Bug Bounty: Out of bounds read in libcurl's IMAP FETCH response parser
Reported to the curl security mailing list on 6 October 2017. Acknowledged on 6 October 2017. Patched on 8 October 2017. Reported to distros@openwall on 17 October 2017. Public release on 23 October 2017. CVE Pending. Vulnerability An IMAP FETCH response line indicates the size of the returned...
WordPress: Information / sensitive data disclosure on some endpoints
Hello team! While doing a preliminary recon on .wordpress.org I've come across a few sensitive files that should not be facing the public web; I'll leave you a list organized by criticality and some proof. High priority .travis.yml configuration file with credentials php maintenance/install.php...
Shopify: ShopifyAPI is vulnerable to timing attacks.
Dear Shopify bug bounty team, The Python ShopifyAPI library is vulnerable to timing attacks, because validate_hmac falls back to a non-constant time comparison when hmac.compare_digest is not available. I am perfectly aware that this issue is out of scope, but your Shopify Guru Jack P. kindly...
LocalTapiola: SQL Injection on /webApp/omatalousuk (viestinta.lahitapiola.fi)
I would like to report a SQL Injection vulnerability on viestinta.lahitapiola.fi Vulnerable Request: GET /webApp/omatalousuk?email=aaaaa HTTP/1.1 Host: viestinta.lahitapiola.fi User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.12; rv:49.0 Gecko/20100101 Firefox/49.0 Accept: text/html, /; q=0.0...
Legal Robot: CORS (Cross-Origin Resource Sharing)
Title: CORS Cross-Origin Resource Sharing Category: Others Affected URL: https://app.legalrobot.com/sockjs/info?cb=pcgb37npst Description: The application implements an HTML5 cross-origin resource sharing CORS policy for this request which allows access from any domain. Allowing access from all...
Internet Bug Bounty: EBCDIC overread (CVE-2016-2176)
https://github.com/openssl/openssl/commit/ea96ad5a206b7b5f25dad230333e8ff032df3219...
Snapchat: Subdomain takeover in http://support.scan.me pointing to Zendesk (a Snapchat acquisition)
harrymg helped us identify an issue in which support.scan.me's CNAME was pointing to scan.zendesk.com. Normally there would be a Zendesk instance there, but in this case, the Zendesk instance was no longer in use. As such, harrymg was able to "claim" scan.zendesk.com from Zendesk. As such, any...
Souq.com: reflected xss on search bar (uae.souq.com)
The XSS is executed on an Android phone, or you can download User-Agent Switcher for Google Chrome, then click Current: Android Handset to reproduce this bug, as you see in pic 2.PNG. Steps: 1. Go to http://uae.souq.com 2. Put this payload in the search bar: xss'+alert1+' 3. The payload xss is executed 4. this...
Pornhub: Multiple endpoints are vulnerable to XML External Entity injection (XXE)
The researcher discovered multiple endpoints which were vulnerable to XML External Entity injection. The researcher was successful in initiating arbitrary requests from a production server...
Internet Bug Bounty: mod_lua: Crash in websockets PING handling
A stack recursion crash in the mod_lua module was found. A Lua script executing the r:wsupgrade function could crash the process if a malicious client sent a carefully crafted PING request. This issue affected releases 2.4.7 through 2.4.12 inclusive...
Internet Bug Bounty: heap buffer overflow in enchant_broker_request_dict()
https://bugs.php.net/bug.php?id=68552...
Mail.ru: OpenSSL HeartBleed (CVE-2014-0160)
The vulnerability exists on portal.sf.mail.ru. It allows reading process memory in chunks of up to 64 KB. Moreover, the vulnerability is two-way: not only can you read data from the vulnerable server, but an attacker's server can also obtain part of your memory...
Mail.ru: auth.mail.ru: XSS in login form
Hi! The XSS is present right in the login form; it is enough to supply valid credentials: Here is how to reproduce: Send the following POST (I have redacted my password, sorry). But!! it only works with valid credentials POST /cgi-bin/auth HTTP/1.1 Host: auth.mail.ru User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS...
Internet Bug Bounty: TLS Triple Handshake Attack
More details are at https://secure-resumption.com 2 Scenario ====== Consider a client C that normally authenticates to a server S using a client certificate. If C uses the same certificate to authenticate to a malicious server M, then we show that M can use C's certificate to authenticate its own...
Sandbox Escape: OSX ATS memory corruption may lead to App Sandbox bypass
This issue was reported directly to Apple and has been resolved in OSX Security Update 2014-001. http://support.apple.com/kb/HT6150 Available for: OS X Mavericks 10.9 and 10.9.1 Impact: The App Sandbox may be bypassed Description: A memory corruption issue existed in the handling of Mach messages...
curl: CVE-2026-4873: connection reuse ignores TLS requirement
A vulnerability was discovered in libcurl's connection reuse for cleartext-upgrade mail protocols. The vulnerability was that the later transfer's CURLOPT_USE_SSL option was not properly included if a plaintext connection was already open and reusable. This affected the smtp://, pop3://, and imap:/...
GitLab: Login email verification bypass via `/oauth/token`.
Vulnerability description not provided...
Internet Bug Bounty: CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows
A potential denial of service vulnerability was discovered in the UsernameField component in Django before versions 4.2.7, 4.1.13, and 3.2.23. The vulnerability allowed a denial of service attack via malformed input containing a large number of Unicode characters. The issue was addressed by...
FetLife: fetlife.com/signup_step_profile expose access_token of mapbox.com
Vulnerability description not provided...
Internet Bug Bounty: [curl] CVE-2023-32001: fopen race condition
CVE-2023-32001 is a vulnerability in the curl library that allowed for a race condition between the stat and fopen functions. This race condition could be exploited to trick users into overwriting protected files or to steal sensitive data, such as cookies. The vulnerability was fixed in a recent...
Shopify: Cross-site scripting on api.collabs.shopify.com
Summary: Shopify collabs collabs.shopify.com is a new platform for content creators / influencers to discover and advertise the millions of brands of Shopify. The content creators can apply for different brands on this platform and get paid affiliate marketing. I discovered a cross-site scripting...
Internet Bug Bounty: CVE-2022-32205: Set-Cookie denial of service
A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl stores all of them. A sufficiently large amount of big cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the...
Internet Bug Bounty: DoS via lua_read_body() [zhbug_httpd_94]
Greetings. I have found a bug that can crash httpd 2.4.53, causing a denial of service. The bug is that lua_read_body in modules/lua/lua_request.c uses the value of the Content-Length header to allocate memory. While ap_read_request limits Content-Length's value to a non-negative apr_off_t via a call to...
U.S. Dept Of Defense: ██████████ vulnerable to CVE-2022-22954
I found that one of the targets belonging to DOD is vulnerable to CVE-2022-22954, where an attacker may be able to execute malicious code; remote code execution is also possible. Technical Summary: CVE-2022-22954 is a server-side template injection vulnerability in the VMware Workspac...
MTN Group: firebase credentials leaks @ https://mtnhottseat.mtn.com.gh
Hello. I found firebase credentials leaks at https://mtnhottseat.mtn.com.gh. Steps To Reproduce: Visit https://mtnhottseat.mtn.com.gh Right click view source code. Supporting Material/References: // Your web app's Firebase configuration // For Firebase JS SDK v7.20.0 and later, measurementId is...
Brave Software: Information disclosure
Vulnerability tested on:- Brave 1.29.81 Chromium: 93.0.4577.82 Official Build 64-bit Vulnerability description:- For security measures and for privacy purposes, Brave has the ability to open a normal tab of the Brave when we navigate to: chrome://wallet, chrome://history etc. due to the reason th...
GitHub Security Lab: [JavaScript]: CWE-1004: Sensitive cookie without HttpOnly
This bug was reported directly to GitHub Security Lab...
curl: CVE-2021-22925: TELNET stack contents disclosure again
Summary: CVE-2021-22898: TELNET stack contents disclosure 1176461 issue was recently reported for curl and it was addressed in curl 7.77.0: https://curl.se/docs/CVE-2021-22898.html https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde https://hackerone.com/reports/1176461...
Sifchain: Social media links not working
Summary: Hey team, while researching I found a business logic issue and I will explain it to you. Steps To Reproduce: POC:- 1. Go to https://sifchain.finance/ 2. Try to add anything after https://sifchain.finance/ 3. Now you will see a 404 page not found. 4. Look below on the page and you will see links to soci...
MCUboot: DMARC and DNS Records not found on mcuboot.com
Found no DMARC or DNS record on mcuboot.com. I am also able to send an email to myself on your behalf. The mail sent did not even land in the spam folder, which could make users believe the attacker is a legitimate person or authority. Any attacker could do so by using any fake mailer. For exmp...
Algolia: PHP-FPM status page disclosure
A page leaking debug information was publicly accessible...
8x8: DNS Misconfiguration (Subdomain Takeover) █.staging.█.8x8.com
An EC2 instance was terminated but the DNS record was initially not updated/removed. The issue has been rectified. Same technique mentioned on https://melbadry9.medium.com/dangling-dns-aws-ec2-e2d801701e8...
Logitech: Moderator user has access to owner's support portal and tickets
Summary: Hi there, In https://streamlabs.com, there's a function where users can share their account with other users to manage their dashboard via the following link. https://streamlabs.com/dashboard/settings/shared-access. In the shared-access setting, a user can invite other users with two roles, Moderator an...
h1-ctf: CTF Writeup
Hi, First of all, thanks for this amazing CTF!. I will post my writeup soon, it is time to sleep now : F1129602 By the way, the creator of challenge 11 is crazy. Impact Grinch Network is finally down...
Yelp: IDOR in locid parameter allowing to view others accounts Profile Locations
The application transmits the locid parameter via URL on many occasions, which means that this parameter may be being logged in plain text in the Apache server access.log, if not in others as well. The fact that this happens makes this parameter vulnerable not only to being read from this log file, but...
New Relic: "Basic user" which can only access a limited subset of the platform can access certain pages which are restricted to the user by the account owner.
@jhimansh described an issue where forced browsing could be used to visit restricted pages as an unprivileged user. As our web application is shipped as client side JavaScript, there is no way to prevent viewing all pages within that code. However, checks are done server-side to ensure that...
Dropcontact: Django debug enabled showing information about system, database, configuration files.
We were displaying sensitive information...
RGhost: Idor on the DELETE /comments/
Summary: Idor on /comments Steps To Reproduce: Make sure you have 2 different IDs to maintain 2 different sessions for certainty 1. The request can be tampered with the ID of a different comment; both the edit and delete functions can be used 2. Delete gets hampered by the Captcha which is thrown but...
MTN Group: Disclosure of internal information using hidden NTLM authentication leading to an exploit server
By using a GET request on the URL http://www.mtncongo.net/fr/Pages/ of the blog, we collect sensitive information from the blog. Step: Typically, when visiting a website http://www.mtncongo.net/ or directory http://www.mtncongo.net/fr/Pages/ requiring privileged access, the server will initiate a logi...
Polymail, Inc.: Reflected XSS by changing url parameters on the user invite onboarding links.
@renekroka Discovered a potential reflected XSS by changing url parameters on the user invite onboarding links. 1...
PUBG: Reflected XSS in https://lite.pubg.com
The researcher found an XSS vulnerability caused by query parameters not being properly sanitized before being displayed on the page...
Stripo Inc: Clickjacking on my.stripo.email for MailChimp credentials
Clickjacking is a malicious hacking technique where attackers can acquire sensitive data. Through simple social engineering techniques these links can be sent out to unsuspecting customers to steal their credentials or perform actions on their accounts. For this example I saw that where I goto...
Imgur: De-anonymization Attack: Cross Site Information Leakage
Dear Imgur Security Team, We are researchers at the IMDEA Software Institute in Madrid, Spain. We have been working on analyzing Cross-Site Browser Leaks xsleaks and building a tool for finding instances of it on target web sites. Recently we tested imgur.com and discovered a flaw that can affect...
Razer: Reflected XSS at https://pay.gold.razer.com escalated to account takeover
Summary: Due to the parameter err is injected to the body of the page without any sanitization a victim could be tricked to visit the page and get his account stolen. Steps To Reproduce: 1.Visit the specially crafted url Firefox | IE11...
Node.js: Hostname spoofing
Summary: I found that url.parse is vulnerable to hostsplit, which causes hostname spoofing. Description: Steps To Reproduce: url.parse('http://evil.c℀.victim.test/?') returns evil.ca/c.victim.test as the hostname, so this hostname matches .victim.test but will access evil.ca. Welcome to Node.js v12.9.0...
Internet Bug Bounty: Out of Bounds Memory Read in exif_process_user_comment
I have found and reported an out of bounds memory read in PHP exif_process_user_comment. When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with dat...