Node.js: GOAWAY HTTP/2 frames cause memory leak outside heap
A memory leak could occur when a remote peer abruptly closed the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could have led to increased memory...
Ruby: DoS in bigdecimal's sqrt function due to miscalculation of loop iterations
Vulnerability description not provided...
Nextcloud: Missing brute force protection for passwords of password protected share links
A missing brute force protection vulnerability was found in the password protection feature of shared files, allowing an attacker to bypass the password protection of the shared files due to the lack of rate limit. This could lead to unauthorized access to protected files...
Internet Bug Bounty: CVE-2022-32205: Set-Cookie denial of service
A malicious server can serve excessive amounts of Set-Cookie: headers in an HTTP response to curl and curl stores all of them. A sufficiently large amount of big cookies makes subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the...
Paragon Initiative Enterprises: Recaptcha Secret key Leaked
Greetings from @kashifinfo90. I hope the Paragonie Security Team is doing great. The following secret keys are leaked: "secret-key": "6Ldy5BYTAAAAAPBh868BMm2nGZelOUyXJHTUE4no", "site-key": "6Ldy5BYTAAAAACk3Tj8wDUBLcVxSL2JXFBw-Dtj3" "secret-key": "6Ld27iETAAAAAF6tsd5SaoCgc5cFX-tkfHqx7FtX", "site-key":...
h1-ctf: It's just a man on a mission
Preface: Like any other good story, this adventure also began with a few long days of preparation leading up to the start of the challenge. Tools were sharpened, command lines were dusted off and one too many cups of coffee were consumed. Morale was high and the...
Topcoder: CSRF on https://apps.topcoder.com/wiki/users general and email preferences
Summary: Hi: There is a CSRF on setting general and email preferences. Steps To Reproduce: There is no CSRF token or anything like that on https://apps.topcoder.com/wiki/users/editmypreferences.action and https://apps.topcoder.com/wiki/users/editemailpreferences.action . I added the poc html fil...
LocalTapiola: CORS misconfiguration allows an attacker to steal the client's "password", Authorization token and customer details, e.g. names, SSN, bank account etc.
Issue The reporter found that ext-gw.lahitapiola.fi had a faulty CORS configuration. Fix Logic and processing around CORS was improved and the issue was fixed. Reasoning The issue is real. CORS as a bug and flaw has real impact. The report was well written and had a good working PoC. This is...
PortSwigger Web Security: Misconfiguration: Missing Custom Error Page (CWE-12 & CWE-756)
Hi, I found that custom errors for the http://portswigger.net application framework are not configured, so the application is vulnerable to CWE-756 & CWE-12 https://cwe.mitre.org/data/definitions/12.html https://cwe.mitre.org/data/definitions/756.html - Impact: Default error pages give detailed information...
Pornhub: IDOR - disclosure of private videos - /api_android_v3/getUserVideos
An API endpoint exposed private video links when a user added the video to their profile favourites. The API endpoint allowed obtaining a link to any private video by adding it to one's profile favourites. Check out the infrastructure monitoring platform BugLabs.me for bounty hunters -...
Internet Bug Bounty: Argo CD CSRF leads to Kubernetes cluster compromise
Cross-Site Request Forgery CSRF in github.com/argoproj/argo-cd CVE-2024-22424 Severity: High Impact The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.16 is vulnerable to a cross-server request forgery CSRF attack when the attacker has the ability to write HTML to a page on the sa...
Internet Bug Bounty: Permissions policies can be bypassed via Module._load and require.extensions (High) (CVE-2023-30587)
A vulnerability in the experimental permissions policy mechanism in Node.js was reported. The use of Module._load could bypass the policy and require unauthorized modules. This affected all active release lines. The vulnerability was reported by a researcher and fixed by the Node.js security team...
Reddit: sensitive data exposure
Summary: A password hash entry was found in /etc/passwd. This is a major vulnerability since /etc/passwd is a world-readable file by default. Once the password hash is found, an attacker may extract the password using a program like crack. Impact: It is a high-impact vulnerability. Once a hacker foun...
Internet Bug Bounty: CVE-2022-35252: control code in cookie denial of service
https://hackerone.com/reports/1613943 Impact control code in cookie denial of service...
Internet Bug Bounty: CVE-2022-32215 - HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding
Original Report: https://hackerone.com/reports/1501679 Impact Depending on the specific web application, HRS can lead to cache poisoning, bypassing of security layers, stealing of credentials and so on...
U.S. Dept Of Defense: Unauthenticated Access to Admin Panel Functions at https://███████/███
Description: The admin panel at https://██████████/████████ and all its functions can be accessed without authentication. This is basically the same vulnerability as in 1394910, just on another system. Impact An attacker is able to use the administrative functions in order to upload, delete or...
Stripe: User can pay using archived price by manipulating the request sent to `POST /v1/payment_pages/for_plink`
@gregxsunday discovered a way to purchase a product with an archived price using a payment link. The bypass was possible because of missing validation. A change was shipped to ensure both the payment link and price are active. Note: This bug was accepted and received before our minimum bounty...
UPchieve: OTP reflecting in response sensitive data exposure leads to account take over
Summary: Sensitive data, namely the OTP, is reflected in the response of the phone number OTP verification on https://app.upchieve.org Steps To Reproduce: 1. Sign in with an account 2. After signing in it will ask for a phone number for OTP verification. 3. Capture the request using Burp Suite and see the response...
h1-ctf: 100K CTF's Writeup
Limited disclosure based on researcher's request. Hello everyone, We are one of the winners of 100k CCC CTF and we would like to congratulate all the other winners of the CTF as well. Here is the link to our write-up https://blog.dexter0us.com/posts/ccc-h1ctf/ hope you guys enjoy reading it and...
CS Money: Previously created sessions continue being valid after MFA activation
Summary: Hi, team. This is the same issue as 667739. Please take a look. I found one issue related to your 2FA system on https://cs.money/security/ Steps To Reproduce: 1. Access the same account on https://cs.money/ on two devices 2. On device 'A' go to https://cs.money/security/ and complete all ste...
GitHub Security Lab: [Java] Query for detecting Jakarta Expression Language injections
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: ihsinme: CPP Add query for CWE-691 Insufficient Control Flow Management When Using Bit Operations
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-759: Query to detect password hash without a salt
This bug was reported directly to GitHub Security Lab...
8x8: DNS Misconfiguration (Subdomain Takeover) ███████.8x8.com
An EC2 instance was replaced but the DNS record was initially not updated/removed. The issue has been rectified. https://medium.com/bugbountywriteup/dangling-dns-aws-ec2-e2d801701e8...
Shopify: Open Redirect on Login Page of Stocky App
The vulnerable app is Stocky. 1. Visit the login page of the app with the vulnerable parameter and a malicious website address, ?returnto=//evil.com, like https://stocky.shopifyapps.com/users/login?returnto=//evil.com 2. Then log in to the account 3. The open redirect is executed PoC Video: F1172071 Impact Open Redirect...
h1-ctf: [hackyholidays] CTF write-up
Hi, this is my write-up for the hackyholidays CTF. I attached the write-up in PDF format. Thanks, REND Impact saving the Christmas... fix this otherwise people would be happy...
Shopify: Information disclosure - Access to some checkout information
It came to my attention that using the CheckoutStatus query on https://arrive-server.shopifycloud.com/graphql it is possible to access some checkout details, specifically the query can be called with an ID value ranging from 1 up to 48908. Unfortunately, as I could not figure out how to create a...
GoCD: XSS In https://docs.gocd.org/current/
Searches on docs.gocd.org were subject to a client-side XSS issue...
Acronis: Clickjacking on cas.acronis.com login page
Steps To Reproduce: Create a new HTML file Source code: I Frame Clickjacking Vulnerability Save the file as whatever.html Open document in browser Reference: https://hackerone.com/reports/591432 FIX- The vulnerability can be fixed by adding "frame-ancestors 'self';" to the CSP...
Dropcontact: User registration using public domain email like gmail in place of professional email.
As said in the title, we were only checking and restricting professional email in the frontend, which led to being able to register with an email which is not pro because we were not checking this info in the backend. A user was able to register with a public domain email like gmail by response...
GitHub Security Lab: Golang : Improvements to Golang SSRF query
This bug was reported directly to GitHub Security Lab...
Localize: The password limit is not set, [DoS].
Summary: You can create a very long password until you get the last user to put and aries or DoS. Normally passwords have 8-10-24 digits Impact DoS...
Mail.ru: OOB XXE
Limited XXE on XML request processing led to blind SSRF possibility OOB XXE on one of Ext. B Mail.ru domains, which could be exploited as blind SSRF...
Mail.ru: PHP-FPM Status Page
PHP-FPM status page was available at guild.live.ro.gmru.net...
Node.js third-party modules: Prototype pollution attack through jQuery $.extend
I would like to report prototype pollution in jQuery. It allows an attacker to inject properties on Object.prototype. Module module name: jquery version: 3.3.1 npm page: https://www.npmjs.com/package/jquery Module Description jQuery is a fast, small, and feature-rich JavaScript library. Module...
h1-5411-CTF: Remote Command Execution in an internal server to get the flag file
Summary: After source code disclosure using an LFI vulnerability and using PHP object injection with XXE I was able to find an internal service at port 1337. Using the SSRF through XXE I sent an HTTP request to this internal service and discovered a Python object injection using the status parameter,...
Augur: Subdomain takeover on slack.augur.net pointing to GitHub Pages
Summary The slack.augur.net record wasn't removed from the DNS after the migration to Discord invite.augur.net and was pointing to a non-existent page on GitHub Pages. So a subdomain takeover was possible and a proof-of-concept has been done to confirm this. Description Searching for subdomains o...
X (Formerly Twitter): Account Takeover in Periscope TV
Summary: When you log in to periscope.tv using Twitter, and change the host header from www.periscope.tv to attacker.com/www.periscope.tv, the OAuth redirect destination will be attacker.com/www.periscope.tv, thus allowing an attacker to send the OAuth authorize link to a victim, and take over their accoun...
GSA Bounty: HTML injection (with XSS possible) on the https://www.data.gov/issue/ using media_url attribute
Description Hello. I discovered a Cross-Site Scripting issue on the https://www.data.gov/issue/ endpoint. Akamai WAF and bypass At the start I was not able to do the XSS due to Akamai WAF XSS filters, but later I was able to bypass it. POC HTML injection...
Pornhub: Private videos can be added to our playlists
The researcher discovered a way to add a user's private videos to a different user's playlist by way of a specially crafted request. Note that it is not possible to view another user's private video using this method IDOR/application logic flaw...
Instacart: XSS in instacart.com/store/partner_recipe
Please open the following url...
Gratipay: Content type incorrectly stated
Hello, Issue detail: The response contains the following Content-type statement: Content-Type: image/jpeg The response states that it contains a JPEG image. However, it actually appears to contain unrecognized content. Issue background: If a web response specifies an incorrect content type, then...
Zomato: CORS Misconfiguration on www.zomato.com
The website at https://www.zomato.com tries to use Cross-Origin Resource Sharing CORS to allow cross-domain access from all subdomains of zomato.com. However, due to a flaw in the implementation, it actually allows cross-domain access from all domains ending in zomato.com including notzomato.com ...
Pornhub: Reflected XSS by way of jQuery function
The researcher identified a path which exposed a vulnerable jQuery sinkhole allowing XSS. Additionally, the researcher was able to demonstrate a variety of attacks possible by way of arbitrary JavaScript execution. Depending on the OS and browser implementation, the researcher demonstrated that h...
Localize: X-Content-Type-Options header missing
URL : http://www.localize.io/ Description : The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff' Solution : This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type head...
Internet Bug Bounty: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
The Apache HTTP Server vulnerability CVE-2024-27316 was recently discovered. HTTP/2 incoming headers exceeding the limit were temporarily buffered in nghttp2 to generate an HTTP 413 response. However, if the client did not stop sending headers, this led to memory exhaustion. The vulnerability was...
HackerOne: View Titles of Private Reports with pending email invitation
A vulnerability was discovered where anonymous users could view the titles of private reports with pending email invitations for collaboration. This was possible by sending a GraphQL request or running JavaScript code while logged out. It only worked for anonymous users when the collaboration...
Internet Bug Bounty: CVE-2023-42663: Apache Airflow: Bypass permission verification to view task instances of other dags
In Apache Airflow versions before 2.7.2, a vulnerability existed that allowed authorized users with access to read specific DAGs to view task instance information from other DAGs by bypassing permission verification. Upgrading to Apache Airflow version 2.7.2 or newer addressed this issue...
Nextcloud: CSRF protection on OIDC login is broken
The OIDC login CSRF protection in Nextcloud was broken, as the state code was being provided in the JSON response in case of a mismatch, making it easy for attackers to obtain the correct state. The impact of this vulnerability was that the CSRF protection provided with the state was practically...
curl: CVE-2023-23914: curl HSTS ignored on multiple requests
A vulnerability was found in curl tool's HSTS feature, where it failed to work correctly when multiple requests were made within a single invocation, resulting in requests being performed over insecure channels, potentially leading to loss of confidentiality and integrity...