Acronis: Account Confirmation bypass leads to access to some functionality
STEPS: 1. Go to the URL https://account.acronis.com//auth/signup 2. Create a Business Account 3. Intercept the request using Burp Suite 4. Now intercept the response of the given HTTP REQUEST below 5. Change the field "confirmed":false to true 6. You can even bypass the Accept terms and conditions check by changing...
U.S. Dept Of Defense: Unauthorized access to admin panel of the Questionmark Perception system at https://██████████
Summary: Due to the lack of access control, an anonymous attacker can compromise the administrator account on the Questionmark Perception system. Description: By using the service description, which is publicly accessible on the internet, and by bypassing the access control, an anonymous attacker can...
Basecamp: SSL expired subdomain leads to API swap with main and flagged cookies. Unable to log device ids and certain session tokens.
SUMMARY - Replacing the login page of launchpad.37signals.com with the subdomain help-basecamphq.37signals.com greets you with a login page which is insecure, and with the header sec-fetch-site: same-origin injected into your headers you can disable cookies such as . STEPS TO REPRODUCE 1. Visit...
Mail.ru: Cross-site Scripting (XSS) - DOM on https://account.mail.ru/user/garage?back_url=https://mail.ru
Reflected XSS in account.mail.ru via backurl parameter...
GitHub Security Lab: Query to find TLS configurations supporting hardcoded insecure versions of the protocol and cipher suites
This bug was reported directly to GitHub Security Lab...
Dropcontact: Django should not have debug mode enabled
We were displaying sensitive information...
Mail.ru: [capsula.mail.ru] overriding order info
IDOR vulnerability in the order editing functionality of capsula.mail.ru allowed overriding the incomplete, unsubmitted order saved for later...
Stripo Inc: [www.stripo.email] There is no rate limit for contact-us endpoints
Summary The speed limit for the https://stripo.email/es/contact-us endpoint has not been implemented. Steps To Reproduce 1. Go to the https://stripo.email/es/contact-us 2. Turn on blocking and fill out the contact form 3. Send request to Intruder. 4. Set your payloads and start attack. 5. There i...
Node.js third-party modules: [logkitty] RCE via insecure command formatting
I would like to report an RCE issue in the logkitty module. It allows executing arbitrary commands remotely inside the victim's PC. Module name: logkitty, version: 0.7.0, npm page: https://www.npmjs.com/package/logkitty. Module Description: Display pretty Android and iOS logs without Android...
Mail.ru: IDOR in the per-domain user list on relap.io
IDOR in relap.io allowed users enumeration for domain...
Stripo Inc: subdomain takeover at status0.stripo.email
Hi, The subdomain status0.stripo.email was pointed at uptimerobot.com whereas it was not being used, but it had a CNAME record of stats.uptimerobot.com. Hence anyone can take it over. I have parked it with a test account on uptimerobot.com F634639 F634636 thanks Impact Anyone can use this subdomai...
HackerOne: ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages
Summary: Hi team, I've found an issue on the profile picture upload feature of your asset - https://hackerone.com, which can allow a malicious attacker to perform an application-wide denial of service attack. Description: I was playing with the profile picture upload feature, then I observed that...
PortSwigger Web Security: Clicking "http://burp" hyperlink on FireFox CA Installation guide redirects to "burp.com" (unclaimed website).
Executive Summary: I was in the process of installing Burp Suite Community Edition on my recent machine where I believe I stumbled across a potential open redirect issue on the CA certificate installation website. This is a security concern due t...
Starbucks: Subdomain takeover of datacafe-cert.starbucks.com
Summary: The subdomain datacafe-cert.starbucks.com had a CNAME record pointing to an unclaimed Azure web service. This is a high severity security issue because an attacker can register the subdomain on Azure and therefore can own the subdomain datacafe-cert.starbucks.com. Description: The dangli...
X (Formerly Twitter): cookie injection allow dos attack to periscope.tv
Description: I found in periscope.tv a parameter "createuser" that allows injecting a "loginissignup" cookie; when tested with a CRLF payload, the response was "HTTP/1.1 504 GATEWAYTIMEOUT". Vulnerable link: https://www.periscope.tv/i/twitter/login?createuser=payload&csrf=yourcsrftoken Steps To Reproduce: 1. go t...
Node.js third-party modules: A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module for decoding
I would like to report a buffer over-read in mqtt-packet respectively BufferList module. It allows triggering an out of range read on a buffer which throws a RangeError. MQTT Brokers like mosca and aedes using this module can be forced to crash by sending a specifically malformed MQTT Subscribe...
Internet Bug Bounty: Uninitialized read in exif_process_IFD_in_TIFF
This bug can be reproduced only in 32-bit PHP builds. This bug is present in the exif_process_IFD_in_TIFF method of the ext/exif/exif.c file. A detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug Report: https://bugs.php.net/bug.php?id=77509 PHP version ...
Chaturbate: Chaturbate "/chat_ignore_list/" endpoint does not check for Account status: Disabled before adding Ignore via POST
Summary Chaturbate.com provides the ability for its users, when in chat, to ignore other users in chat rooms via DM etc. by adding their camhandle name to the ignore list via the UI. Actually this is just a POST to /chat_ignore_list/ taking as a parameter the username, which is the camhandle name, in order to a...
Ruby: NET::Ftp allows command injection in filenames
Hi, While using NET::Ftp I realised you could get command execution through "malicious" file names. The problem lies in the gettextfile(remotefile, localfile = File.basename(remotefile)) method. When looking at the source code, you'll note: def gettextfile(remotefile, localfile = File.basename(remotefil...
WakaTime: Validation of Password reset tokens
Dear sir, First of all, I am very happy to report an issue. Three months ago, I reported to WakaTime, and now I am reporting another issue. Note:- This report is similar to 244614, which was previously reported at the start of this bug bounty program. Vulnerability:- -If two password reset toke...
Zomato: Amazon S3 bucket misconfiguration (share)
Hi, Description I have discovered one of your Amazon S3 bucket and tested it via the AWS command line tool on Linux. It looks like permissions are not well configured and allow dangerous actions to everyone. The vulnerable bucket is: zomato-share PoC: aws s3 ls s3://zomato-share aws s3 cp test...
WordPress: Infrastructure - Photon - SSRF
Description: The service Photon located at http://i0.wp.com/ and described at https://code.trac.wordpress.org/browser/photon/ is vulnerable to HTTP SSRF via redirect. The redirect can go to any IP, including inside any firewall Photon might be inside, on any port, and can ad...
Imgur: XSS via React element spoofing
Hello, I noticed an XSS on imgur. Proof of concept: visit the URL http://imgur.com/vidgif/ticket/aaaaaaaa?errorpropsdangerouslySetInnerHTMLhtml=%3Cimg%20src=a%20onerror=%22alert%27XSS%20on%20%27%2bdocument.domain%22%3E&errorisReactElement=true&errortype=body It's not the simplest case as it...
Shopify: Stored XSS in https://checkout.shopify.com/
STEPS TO REPRODUCE 1. Go to http://hardware.shopify.com/products/custom-gift-card?variant=976094353 and Design your own gift card. 2. Change file type to url on the upload field. 3. Add the payload...
HackerOne: SPF whitelist of mandrill leads to email forgery
I just sent a forged email to [email protected] that appears to originate from [email protected]. I was able to do this because of the following SPF record: dig txt hackerone.com hackerone.com. 299 IN TXT "v=spf1 include:spf.google.com include:sendgrid.net include:mail.zendesk.com...
HackerOne: CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain
Background - There has been at least one case where an attacker was able to insert arbitrary HTML into a submitted report - HackerOne uses a very strict Content Security Policy that prevents inline script and script from other origins - HackerOne uses an authenticity_token in its POSTs to guard...
Uzbey: Information Disclosure (phpinfo())
URL :- https://staging.uzbey.com/phpinfo.php Description :- phpinfo is a debug functionality that prints out detailed information on both the system and the PHP configuration. An attacker can obtain information such as: •Exact PHP version. •Exact OS and its version. •Details of the PHP...
Localize: Login page password-guessing attack
Login page password-guessing attack Vulnerability description A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and...
ReddAPI: No Captcha or rate limit on Login Page
Hello ReddApi Security Team, Vulnerability Details:- The login page can be brute forced due to lack of a captcha or backoff. Impact:- An attacker can brute force a particular username and can possibly get an account takeover. POC:- I have made a proof of concept video of the same:-...
Adobe: Unauthenticated Varnish Cache Purge
Vulnerability description not provided...
curl: CVE-2024-7264: ASN.1 date parser overread
Vulnerability description not provided...
Mozilla: Jira Credential Disclosure within Mozilla Slack
The Jira admin API keys were disclosed within a Mozilla Slack channel by a staff member. The exposed credentials allowed for the verification of the user's elevated privileges, including being a Jira Administrator, Administrator, and Jira Service Desk user...
Internet Bug Bounty: CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request)
CVE-2024-2466: TLS certificate check bypass with mbedTLS. The vulnerability was reported in libcurl, where it did not check the server certificate of TLS connections made to a host specified as an IP address when built to use mbedTLS. This caused the certificate check to be completely skipped,...
Teleport: Improper session management - Failure to invalidate old session after password change
Failure to Invalidate Session on Password Change Failure to invalidate a session after a password change is a vulnerability which allows an attacker to maintain access on a service. Most users have the expectation that when they reset their password, no one else can access their account. When...
Node.js: Permissions policies can be bypassed via process.mainModule
A vulnerability was discovered in Node.js permission policies that allowed a script to include any non-whitelisted module by calling process.mainModule.require. This could allow an attacker to bypass the limited whitelist and access internal file systems or run child processes. The vulnerability...
Internet Bug Bounty: Rack CVE-2022-30122: Denial of Service Vulnerability in Rack Multipart Parsing
ReDoS in Rack::Multipart::BROKEN_QUOTED and Rack::Multipart::BROKEN_UNQUOTED. https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service...
Hyperledger: Remote denial of service in HyperLedger Fabric
This issue was caused by a missing check of nil. An orderer to orderer consensus message that contains an empty inner message crashes the node because it attempts to figure out its type and the mere action of determining the type of a nil pointer, causes a panic. Thank you to Haosheng Wang of OPP...
curl: CVE-2022-32208: FTP-KRB bad message verification
Summary: libcurl handles the gss_unwrap GSS_S_BAD_SIG error incorrectly. This enables a malicious attacker to inject arbitrary FTP server responses into a GSSAPI-protected FTP control connection and/or make the client consume unrelated heap memory as an FTP command response. The defective krb5_decode function is...
curl: CVE-2022-27775: Bad local IPv6 connection reuse
Summary: Curl doesn't consider the IPv6 address zone index when doing connection reuse. If a connection exists to a specific IPv6 address and the other conditions for connection reuse are fulfilled, it will be reused for connections regardless of the zone index. Steps To Reproduce: 1. Set up a fake server: ech...
Weblate: No rate Limit on Add new Translation Project
An attacker is able to create unlimited translation projects, which leads to no more project names being available for users who want to create a new project on hosted.weblate.org. Below is the POC video, which you can go through. Impact Other users can't use the project names they wanted and an attacker can occupy space...
Lark Technologies: Improper Access Control on Lark Footer Feature
Due to improper access control within Lark's footer feature, an attacker could have potentially accessed private files. We thank @imrannisar for reporting this to our team and confirming the resolution...
Ruby: 'net/http': HTTP Header Injection in the set_content_type method
The set_content_type parameter is not filtered to prevent the injection from altering the entire request. The vulnerable code (Ruby): def set_content_type(type, params = {}) @header['content-type'] = [type + params.map{|k,v|"; #{k}=#{v}"}.join('')] end PoC 1. (Ruby) require 'net/http' uri = URI('http://127.0.0.1:8080') r...
Zivver: Cross-site Scripting (XSS) - Reflected
This issue is out of scope per our policy. It would require very unlikely user involvement, such as getting the victim to directly copy and paste malicious code into the search bar, as the search query cannot be passed dynamically, e.g. as a URL parameter. Vulnerable URL: docs.zivver.com...
Moneybird: Access control issue on invoice documents downloading feature.
Reporter has found a way to download exports as an unauthorized user. This was only possible after changing the permissions for the user and having a certain page open during this change. The issue has been resolved by adding extra permission checks during the download action...
New Relic: IDOR - User is able to download charts/dashboards from cross accounts
@k3ne described an issue where a user on an account could access data concerning dashboards for another user on the same account. While this appeared to be a cross-account access issue, both users on the account have access to the same data by design...
Internet Bug Bounty: Uncovering file quarantine and UX security issues in macOS apps ( .terminal, .fileloc and .url)
Slides : https://docs.google.com/presentation/d/19WeQbqcOKnrSv1I3Z4sm-oNAf6IVzHwRyQP4i9BvY/editslide=id.g758ad3e04223231 See Blogpost for more details - https://medium.com/@metnew/exploiting-popular-macos-apps-with-a-single-terminal-file-f6c2efdfedaa Summary Popular macOS apps with a file-sharing...
Stripo Inc: HTTP Request Smuggling on my.stripo.email
Summary: HTTP request smuggling vulnerabilities arise when websites route HTTP requests through webservers with inconsistent HTTP parsing. By supplying a request that gets interpreted as being different lengths by different servers, an attacker can poison the back-end TCP/TLS socket and prepend...
Nextcloud: Remote code execution via path traversal in Zip extraction in the Extract app
I realise this doesn't qualify for a reward, as it's a vulnerability in a third-party app, but as the app is part of the "official" VM image provided by Hansson IT, I think it's well worth fixing. The Extract app doesn't validate the path or filename of a zip file to be extracted, allowing an...
HackerOne: Disclosure of email title report in quick award payout email (no content mode)
Hello H1 Security Team Description In reports 645264 and 669776, email title disclosure has been fixed in the no content settings. However, there is one more area which needs to be fixed - "Instant bounty Award Email". In this email, even though the email settings have been set to "No content", still it's...
Khan Academy: RTL override char allowed at khanacademy redirect page
Summary An attacker can embed an RTLO character at the following URL https://www.khanacademy.org/computer-programming/linkredirector?url= to trick the user into downloading suspicious files. Steps to reproduce Visit https://www.khanacademy.org/computer-programming/linkredirector?url= add the following paylo...