15372 matches found
Ruby: 'net/ftp': Uncontrolled Resource Consumption (Memory/CPU)
Current TIMEPARSER implementation allows attackers to cause a denial of service memory consumption via a large integer value for the fractions property. The problem code: ruby TIMEPARSER = -value, local = false unless /\A?\d4?\d2?\d2 ?\d2?\d2?\d2 ?:.?\d+?/x = value raise FTPProtoError, "invalid...
GitHub Security Lab: [codeql-go]: Add CWE-79: HTML template escaping passthrough
This bug was reported directly to GitHub Security Lab...
Concrete CMS: Phar Deserialization Vulnerability via Logging Settings
Vulnerability Description: The vulnerable code is located within the concrete/controllers/singlepage/dashboard/system/environment/logging.php script. Specifically, into the Logging::updatelogging method: public function updatelogging $config = $this-app-make'config'; $request = $this-request; if...
Basecamp: SSL expired subdomain leads to API swap with main and flagged cookies. Unable to log device ids and certain session tokens.
SUMMARY - Replacing the login page of launchpad.37signals.com with subdomain help-basecamphq.37signals.com greats you to a login page in which is unsecure and with header sec-fetch-site: same-origin injected into your headers you can disable cookies such as . STEPS TO REPRODUCE 1. Visit...
Avito: link.avito.ru - Bypass of restrictions on external links.
Hello Avito! On "link.avito.ru" subdomain of "www.avito.ru" attacker able to bypass restriction for dangerous external links via trusted domain google.com. This scenario may be also possible with all other trusted subdomains of avito such as "yandex.ru" and so on, but in this example i'm used...
Stripo Inc: Integer Overflow (CVE_2017_7529)
Integer Overflow - The issue affects nginx 0.5.6 - 1.13.2...
Stripo Inc: CORS on my.stripo.email
Hey Team i don't know if it's valid or not i just want to let you know about this thanks. following the HTML File .. var req = new XMLHttpRequest; req.onload = reqListener; req.open'get','https://my.stripo.email/cabinet/stripo-ws/v1/stripo-websocket/info?t=1587908666898',true; req.withCredentials...
BTFS: .git file accessible on remote.bittorrent.com
Hi team, i detected your .git file accessible for any unauthorized user. url : https://remote.bittorrent.com/static/webui/.git/config HTTP/1.1 200 OK Set-Cookie: BTURT=talon-i-0837bbfadd509c546-2; path=/; domain=.utorrent.com Server: TornadoServer/2.1.1git Connection: keep-alive Content-Length: 2...
Kubernetes: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements
This bug report mostly concerns the default CNI plugins https://github.com/containernetworking/plugins but I believe affects many K8S clusters. Because the CNI team still doesn’t provide an explicit way to report security bugs, I hope the K8S security team doesn’t mind doing the coordination job...
Node.js third-party modules: [express-laravel-passport] Improper Authentication
I would like to report Improper Authentication in express-laravel-passport It allows to forge user's identity Module module name: express-laravel-passport version: 1.1.2 npm page: https://www.npmjs.com/package/express-laravel-passport Module Description You want a middleware support express get...
Node.js: HTTP header values do not have trailing OWS trimmed
I suspect I may have tagged the wrong vulnerability type -I'm failing to find "insufficient validation of user input" According to the HTTP-spec, http values are field-value = field-content | LWS httpparser does not appear to trim trailing LWS. This means if a user sends "Host: foo\r\n" the strin...
Node.js third-party modules: [npm-git-publish] RCE via insecure command formatting
I would like to report a RCE issue in the npm-git-publish module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: npm-git-publish version: 0.2.4-beta npm page: https://www.npmjs.com/package/npm-git-publish Module Description Share/publish private packag...
Mail.ru: Bash History file log
Researcher found a publicly accessible .bashhistory file on one of servers. File contained commands without sensitive data in them...
Ed: DOM XSS in edoverflow.com/tools/respond due to unsafe usage of the innerHTML property.
Hi, There's a DOM XSS vulnerability on edoverflow.com. This cannot be exploited without user-interaction so I had to make a clickjacking PoC to trick the user in triggering the payload her/himself. Reproduction Steps 1. Open the attached HTML document in FireFox. 2. Drag Frog 1 to the other two...
Node.js third-party modules: Prototype pollution attack (Hoek)
As discussed in 309391, here's the separate report for each of the library. This one is the information for the Hoek library. Module: hoek Summary: Utilities function in all the listed modules can be tricked into modify the prototype of "Object" when the attacker control part of the structure...
Node.js third-party modules: [html-janitor] Passing user-controlled data to clean() leads to XSS
Module: Name: html-janitor Version: 2.0.2 Summary: Passing user-controlled data to the module's clean function can result in arbitrary JS execution, because of unsafe DOM operations. The description "Cleans up your markup and allows you to take control of your HTML. HTMLJanitor uses a defined...
Nextcloud: Calendar and addressbook names disclosed (NC-SA-2017-012)
Calendar and addressbook names disclosed NC-SA-2017-012 Risk level: Low CVSS v3 Base Score: 3.5 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CWE: Information Exposure Through Directory Listing CWE-548 Description A logical error caused disclosure of calendar and addressbook names to other logged-in users...
Boozt Fashion AB: Bypass email validity in newsletter field
Hi, I think i've discovered a little vulnerability on your website i don't know if she is outside the bug bounty program. In the newsletter field, the incorrect email addresses for example with special characters it's not accpeted. But with a specific HTTP request it's possible to bypass this...
Zendesk: a stored xss in web widget chat
The researcher found a stored XSS vulnerability where an end-user was able to execute arbitrary Javascript against the Zendesk agent via the chat integration. The researcher participated in the Zendesk 2016 holiday promotion and was awarded the Zendesk promotional bounty...
Nextcloud: Content Spoofing in "files" app
@ahsantahir reported a Content Spoofing Vulnerability in the Nextcloud Server. The related security advisory can be found at https://nextcloud.com/security/advisory/?id=nc-sa-2017-006 On request of the reporter the issue has only been disclosed limitedly...
Unikrn: Urgent: Server side template injection via Smarty template allows for RCE
Hi All, I've found an issue which has allowed me to execute filegetcontents and extract your /etc/passwd file. Description It appears as though you are using smarty on the backend for templating. Entering a malicious payload as my firstname, lastname and nickname and then inviting a user to join...
LocalTapiola: Content Spoofing or Text Injection (404 error page injection on yrityspalvelu)
Vulnerability Description: Application allows users to inject any content on the 404 not found webpage Vulnerable Location: https://yrityspalvelu.tapiola.fi/a1/has%20been%20changed%20by%20a%20new%20one%20https://www.attacker.com%20so%20go%20to%20the%20new%20one%20since%20this%20one Fix : just use...
Uber: XSS in getrush.uber.com
'' 'https://getrush.uber.com/business?utmcampaign=tttttt%27%3C/script%3E%3Cscript%3Ealert0%3C/script%3E&utmmedium=top&utmsource=website''' You need to escape the utmcampaign parameter before rendering it in the HTML. Thanks, David Dworken...
Internet Bug Bounty: moderate: Apache HTTP Server: mod_rewrite proxy handler substitution (CVE-2024-39573) CWE-20 Improper Input Validation
moderate: Apache HTTP Server proxy encoding problem CVE-2024-38473 An encoding problem was discovered in modproxy in Apache HTTP Server versions 2.4.59 and earlier. This issue allowed request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via...
Mozilla: Jira Credential Disclosure within Mozilla Slack
The Jira admin API keys were disclosed within a Mozilla Slack channel by a staff member. The exposed credentials allowed for the verification of the user's elevated privileges, including being a Jira Administrator, Administrator, and Jira Service Desk user...
Internet Bug Bounty: CVE-2024-2379: QUIC certificate check bypass with wolfSSL
CVE-2024-2379 was a vulnerability in libcurl's QUIC implementation where certificate verification was skipped under certain conditions when using the wolfSSL library. The vulnerability was caused by an error path that accidentally returned success when encountering unknown or unsupported ciphers ...
Teleport: Improper session management - Failure to invalidate old session after password change
Failure to Invalidate Session on Password Change Failure to invalidate a session after a password change is a vulnerability which allows an attacker to maintain access on a service. Most users have the expectation that when they reset their password, no one else can access their account. When...
curl: CVE-2023-46219: HSTS long file name clears contents
Vulnerability description not provided...
WakaTime: Waketime Payment Gateway Vulnerability
Vulnerability description not provided...
Internet Bug Bounty: [CVE-2023-27531] Possible Deserialization of Untrusted Data vulnerability in Kredis JSON
A deserialization vulnerability was discovered in the Kredis JSON deserialization code, allowing for the potential deserialization of untrusted data. This could result in unexpected objects being deserialized in the system. The vulnerability has been assigned the CVE identifier CVE-2023-27531...
TikTok: CRLF to XSS & Open Redirection
Due to inadequate input validation, a vulnerability allowed for the injection of CRLF HTTP Response Splitting into a parameter on a TikTok seller endpoint. This could have resulted in Reflective XSS Cross-Site Scripting and open redirection attacks. The vulnerability has been resolved...
Node.js: Permissions policies can be bypassed via process.mainModule
A vulnerability was discovered in Node.js permission policies that allowed a script to include any non-whitelisted module by calling process.mainModule.require. This could allow an attacker to bypass the limited whitelist and access internal file systems or run child processes. The vulnerability...
Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215)
Summary: Due to an incomplete fix for CVE-2022-32215, the llhttp parser in the http module in Node v16.16.0 and 18.7.0 still does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling HRS. Description: add more details about this vulnerability We have...
Internet Bug Bounty: Node.js - DLL Hijacking on Windows
Full Node.js Security Releases - summarizing the issue is here:https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ The original Node.js HackerOne report is here: https://hackerone.com/bugs?reportid=1447455 ----- Node.js versions earlier than 16.16.0 LTS and 14.20.0 are vulnerabl...
Internet Bug Bounty: Rack CVE-2022-30122: Denial of Service Vulnerability in Rack Multipart Parsing
ReDoS in Rack::Multipart::BROKENQUOTED and Rack::Multipart::BROKENUNQUOTED. https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service...
Nextcloud: SSRF via potential filter bypass with too lax local domain checking
Summary: Hi. Reviewing the code for filtering for ssrf, in preventLocalAddress, we can see that it calls the function ThrowIfLocalAddress. It has three common checks, first, it checks if the string is localhost, or if it ends in .local or .localhost php // Disallow localhost and local network if...
Internet Bug Bounty: Read beyond bounds in ap_strcmp_match() [zhbug_httpd_47.7]
Greetings. I have found a read-beyond-bounds attack against httpd that allows an attacker to search httpd's memory for strings matching an attacker-specified pattern 1. The attack arises from an overflow in apstrcmpmatch server/util.c. 2 The vulnerability can be reached via an LUA program that us...
EXNESS: Verification process done using different documents without corresponding to user information / User information can be changed after verification
A business logic flaw in the Exness trading platform allowed a verified user to change their profile information Name, DoB, and Address after identity verification. Additionally, a user could verify their account with official documents that did not correspond to their provided information. This...
Concrete CMS: A bypass of adding remote files in concrete5 FIlemanager leads to remote code execution
Hi, I 'm currently testing the latest concretecms on my own pc and found some security problems of file manager. Concretecms allows user to upload remote files via file manager. With some techniques to bypass restriction of this function, a evil user will be able to download arbitary php file int...
Brave Software: unclaimed s3 bucket takeover in the 3 js file located on the github page of brave software
Summary: There is a unclaimed s3 bucket i.e brave-extensions.s3.amazonaws.com located in the 3 .js file on official brave software github page https://github.com/search?q=org%3Abrave+brave-extensions+language%3AJavaScript&type=Codethe attacker can takeover the bucket and create file that is used ...
Weblate: No rate Limit on Add new Translation Project
Attacker able to create unlimited Translation projects which lead to no more project name for the users who wanted to create new project on hosted.weblate.org Below is the POC video which ,you can go through Impact Other users cant use the project names there wanted and attacker can occupy space...
Node.js: Improper handling of untypical characters in domain names
Description Missing input validation of host names returned by Domain Name Servers in node's dns library can lead to output of wrong hostnames leading to Domain Hijacking and injection vulnerabilities in applications using the library leading to Remote Code Execution, XSS, Applications crashes,...
Homebrew: Broken parsing of Git diff allows an attacker to inject arbitrary Ruby scripts to Casks on official taps
Description Due to improper parsing of Git diff in Homebrew/actions/review-cask-pr, it's possible to confuse parser to ignore additional lines. Which leads injection of malicious Ruby scripts. Root cause review-cask-pr uses the git diff file to check if the pull request is "simple" enough to...
Moneybird: Access control issue on invoice documents downloading feature.
Reporter has found a way to download exports as an unauthorized user. This was only possible after changing the permissions for the user and having a certain page open during this change. The issue has been resolved by adding extra permission checks during the download action...
Basecamp: Bypass of image rewriting / tracking blocker via srcset
CVSS ---- Medium 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Description ----------- One of the security features of Hey is blocking of tracking pixels to preserve users privacy. As such, img tags and similar are rewritten by the app to point to gopher.hey.com. However, an attacker can bypas...
DRIVE.NET, Inc.: [www.drive2.ru] Insufficient Security Configurability - Notification message not sent when account is deleted
Email notifications are not sent when account is deleted. Email notifications are not sent when account is deleted. Best Practices As recommended practices, For security reasons, users should be able to be notified via email notification of changes to important operations such as account deletion...
Visma Public: Bypassing Business ID/VAT # validation during registration to create accounts with duplicate Business ID/VAT #
The security researcher was able to bypass the Business ID/VAT validation that is required during registration. By doing this he was able to create accounts with duplicate Business ID/VAT...
Topcoder: Stored XSS on https://apps.topcoder.com/wiki/pages/editpage.action
Summary: Hi : There is a stored XSS on wiki pages and it executes when editing page. Steps To Reproduce: After I submitted 867125, i realized that the vote macro causes stored XSS on wiki edit page. A user can edit wiki pages on https://apps.topcoder.com/wiki/pages/editpage.action?pageId=. Users...
Mail.ru: [capsula.mail.ru] overriding order info
IDOR vulnerability in order editing functionality of capsula.mail.ru allowed to override the incomplete unsubmitted order saved for later...
Node.js third-party modules: [logkitty] RCE via insecure command formatting
I would like to report a RCE issue in the logkitty module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: logkitty version: 0.7.0 npm page: https://www.npmjs.com/package/logkitty Module Description Display pretty Android and iOS logs without Android...