Internet Bug Bounty: Uninitialized read in exif_process_IFD_in_TIFF
This bug can be reproduced only in 32-bit PHP builds. It is present in the exif_process_IFD_in_TIFF function of the ext/exif/exif.c file. A detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug Report: https://bugs.php.net/bug.php?id=77509 PHP version ...
Valve: Malformed playlist.txt in GoldSrc games leads to Access Violation & arbitrary code execution
A crafted playlist.txt can be used to exploit a stack overflow vulnerability in GameUI.dll that can lead to arbitrary code execution. Reproduction: Place the attached playlist.txt in the game directory (valve, cstrike, etc.). The game will crash when it tries to play the Splash track. Exploitability: The file ca...
Starbucks: Sidekiq web UI (Ruby background processing) accessible unauthenticated via https://gift-test.starbucks.co.jp/sidekiq/busy
Summary: I found the following URL, which appears to be running a Sidekiq web UI instance that is accessible unauthenticated: https://gift-test.starbucks.co.jp/sidekiq/busy Description: Sidekiq is used for Ruby background processing, as I've learned; I'm not really familiar with it. The web UI ca...
RubyGems: Malware in `active-support` gem
This was sent to RubySec: The gem duplicates the official activesupport (no hyphen) code, but adds a compiled extension. The extension attempts to resolve a base64-encoded domain, 29faea63.planfhntage.de, downloads a payload, and executes...
Ruby: NET::Ftp allows command injection in filenames
Hi, while using NET::Ftp I realised you could get command execution through "malicious" file names. The problem lies in the gettextfile(remotefile, localfile = File.basename(remotefile)) method. When looking at the source code, you'll note: def gettextfile(remotefile, localfile = File.basename(remotefil...
Internet Bug Bounty: Out-Of-Bounds Read in timelib_meridian()
Description: While deserializing an invalid dateTime value, wddx_deserialize would result in a heap out-of-bounds read in timelib_meridian(). As wddx_deserialize is exposed to network data, and sometimes echoes the results back to the client, this issue could potentially allow remote peeking of the process...
Rockstar Games: Reflected XSS via Double Encoding
The researcher found a Reflected XSS vulnerability in the search query on support.rockstargames.com. This exploit worked by using double-encoding to bypass our filters. With the researcher's help we were able to resolve this vulnerability...
arxius: Missing Rate Limit for Password Reset Verification - Vulnerable to brute force
Description: The password reset verification does not seem to have the rate limit that is implemented in the email verification on sign-up. The password reset link looks like this: https://arxius.io/password/EMAIL%40DOMAIN.COM/RESTTOKEN On clicking the link, it prompts you to enter a new password. When...
Unikrn: Urgent: Server side template injection via Smarty template allows for RCE
Hi All, I've found an issue which has allowed me to execute file_get_contents and extract your /etc/passwd file. Description: It appears as though you are using Smarty on the backend for templating. Entering a malicious payload as my firstname, lastname and nickname and then inviting a user to join...
LocalTapiola: Content Spoofing or Text Injection (404 error page injection on yrityspalvelu)
Vulnerability Description: The application allows users to inject arbitrary content into the 404 Not Found page. Vulnerable Location: https://yrityspalvelu.tapiola.fi/a1/has%20been%20changed%20by%20a%20new%20one%20https://www.attacker.com%20so%20go%20to%20the%20new%20one%20since%20this%20one Fix: just use...
Uber: Unsubscribe any user from receiving email
Hi, at the URL https://www.uber.com/unsubscribe you can unsubscribe any email of any user, which is a bit of a concern for people who want to receive emails from Uber. Only people who get email from Uber should be allowed to unsubscribe themselves from Uber emails, rather than anybody unsubscribing...
Imgur: XSS via React element spoofing
Hello, I noticed an XSS on imgur. Proof of concept: visit the URL http://imgur.com/vidgif/ticket/aaaaaaaa?errorpropsdangerouslySetInnerHTMLhtml=%3Cimg%20src=a%20onerror=%22alert%27XSS%20on%20%27%2bdocument.domain%22%3E&errorisReactElement=true&errortype=body It's not the simplest case as it...
Shopify: Stored XSS in https://checkout.shopify.com/
STEPS TO REPRODUCE: 1. Go to http://hardware.shopify.com/products/custom-gift-card?variant=976094353 and design your own gift card. 2. Change the file type to URL on the upload field. 3. Add the payload...
Pornhub: [xss, pornhub.com] /user/[username], multiple parameters
The researcher identified that the following URL for the Pornhub user was vulnerable to reflected/semi-stored cross-site scripting, which enabled the researcher to craft a URL that pops an alert box upon mousing over the language selection at the bottom of the page. The affected URL can be seen below:...
HackerOne: CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain
Background - There has been at least one case where an attacker was able to insert arbitrary HTML into a submitted report - HackerOne uses a very strict Content Security Policy that prevents inline script and script from other origins - HackerOne uses an authenticity_token in its POSTs to guard...
ReddAPI: No Captcha or rate limit on Login Page
Hello ReddApi Security Team, Vulnerability Details: The login page can be brute-forced due to the lack of a captcha or backoff. Impact: An attacker can brute-force a particular username and possibly achieve an account takeover. PoC: I have made a proof-of-concept video of the same:...
Internet Bug Bounty: CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request)
CVE-2024-2466: TLS certificate check bypass with mbedTLS. The vulnerability was reported in libcurl, where it did not check the server certificate of TLS connections made to a host specified as an IP address when built to use mbedTLS. This caused the certificate check to be completely skipped,...
PortSwigger Web Security: [portswigger.net] Path Traversal at /cms/audioitems
Vulnerability description not provided...
Teleport: Improper session management - Failure to invalidate old session after password change
Failure to Invalidate Session on Password Change: Failure to invalidate a session after a password change is a vulnerability which allows an attacker to maintain access to a service. Most users have the expectation that when they reset their password, no one else can access their account. When...
Internet Bug Bounty: CVE-2023-23919: Multiple OpenSSL error handling issues in nodejs crypto library
Multiple OpenSSL error handling issues were found in the Node.js crypto library. In some cases, Node.js did not clear the OpenSSL error stack after operations that may have set it, which could lead to false positive errors during subsequent cryptographic operations on the same thread and...
GitHub Security Lab: [Java]: CWE-321 - Query to detect hardcoded JWT secret keys
This bug was reported directly to GitHub Security Lab...
Brave Software: unclaimed s3 bucket takeover in the 3 js file located on the github page of brave software
Summary: There is an unclaimed S3 bucket, i.e. brave-extensions.s3.amazonaws.com, referenced in 3 .js files on the official Brave Software GitHub page (https://github.com/search?q=org%3Abrave+brave-extensions+language%3AJavaScript&type=Code). The attacker can take over the bucket and create the file that is used ...
h1-ctf: HackerOne’s 100K CTF Writeup
Greetings team, it has been a great challenge; thank you very much for the fun moments and also for the annoying ones: ██████████ P.S. I will put my writeup in my next comment. Impact ---...
Acronis: Account Confirmation bypass leads to access to some functionality
STEPS: 1. Go to the URL https://account.acronis.com//auth/signup 2. Create a Business Account 3. Intercept the request using Burp Suite 4. Now intercept the response of the HTTP request given below 5. Change the field "confirmed":false to true 6. You can even bypass the Accept Terms and Conditions by changing...
U.S. Dept Of Defense: Unauthorized access to admin panel of the Questionmark Perception system at https://██████████
Summary: Due to the lack of access control, an anonymous attacker can compromise the administrator account on the Questionmark Perception system. Description: By using the service description, which is publicly accessible on the internet, and by bypassing the access control, an anonymous attacker can...
Mail.ru: Cross-site Scripting (XSS) - DOM on https://account.mail.ru/user/garage?back_url=https://mail.ru
Reflected XSS in account.mail.ru via the back_url parameter...
GitHub Security Lab: Query to find TLS configurations supporting hardcoded insecure versions of the protocol and cipher suites
This bug was reported directly to GitHub Security Lab...
Dropcontact: Django should not have debug mode enabled
We were displaying sensitive information...
Stripo Inc: [www.stripo.email] There is no rate limit for contact-us endpoints
Summary: There is no rate limit on the https://stripo.email/es/contact-us endpoint. Steps To Reproduce: 1. Go to https://stripo.email/es/contact-us 2. Turn on interception and fill out the contact form 3. Send the request to Intruder. 4. Set your payloads and start the attack. 5. There i...
Node.js third-party modules: [logkitty] RCE via insecure command formatting
I would like to report an RCE issue in the logkitty module. It allows an attacker to execute arbitrary commands remotely on the victim's PC. Module: module name: logkitty, version: 0.7.0, npm page: https://www.npmjs.com/package/logkitty Module Description: Display pretty Android and iOS logs without Android...
Stripo Inc: HTTP Request Smuggling on my.stripo.email
Summary: HTTP request smuggling vulnerabilities arise when websites route HTTP requests through webservers with inconsistent HTTP parsing. By supplying a request that gets interpreted as being different lengths by different servers, an attacker can poison the back-end TCP/TLS socket and prepend...
Stripo Inc: subdomain takeover at status0.stripo.email
Hi, the subdomain status0.stripo.email was pointed at uptimerobot.com while it was not being used, with a CNAME record of stats.uptimerobot.com. Hence anyone can take it over. I have parked it with a test account on uptimerobot.com. F634639 F634636 Thanks. Impact: Anyone can use this subdomai...
HackerOne: Disclosure of email title of report in quick award payout email (no content mode)
Hello H1 Security Team, Description: In reports 645264 and 669776, email title disclosure has been fixed in the no content settings. However, there is one more area which needs to be fixed - the "Instant bounty Award Email". In this email, even though email settings have been set to "No content", still it's...
Tor: Detect Tor Browser's language
Summary: Some error pages use text based on Tor Browser's language, and an iframe can steal it. Details: Since the language of Tor Browser is used for the title of the link tag on the 404 error page, an attacker can obtain the language of Tor Browser even if the user has set privacy.spoof_english to 2. I...
Node.js third-party modules: A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module for decoding
I would like to report a buffer over-read in the mqtt-packet and, respectively, the BufferList module. It allows triggering an out-of-range read on a buffer, which throws a RangeError. MQTT brokers like mosca and aedes that use this module can be forced to crash by sending a specifically malformed MQTT Subscribe...
Chaturbate: Chaturbate "/chat_ignore_list/" endpoint does not check for Account status: Disabled before adding Ignore via POST
Summary: Chaturbate.com provides the ability for its users, when in chat, to ignore other users in chat rooms, via DM etc., by adding their camhandle name to the ignore list via HUI. Actually this is just a POST to /chat_ignore_list/ taking as a parameter the username, which is the camhandle name, in order to a...
WakaTime: Validation of Password reset tokens
Dear sir, first, I am very happy to report an issue. Three months ago I reported to WakaTime, and now I am reporting another issue. Note: This report is similar to 244614, which was previously reported at the start of this bug bounty program. Vulnerability: If two password reset toke...
Zomato: Amazon S3 bucket misconfiguration (share)
Hi, Description: I have discovered one of your Amazon S3 buckets and tested it via the AWS command line tool on Linux. It looks like the permissions are not well configured and allow dangerous actions to everyone. The vulnerable bucket is: zomato-share PoC: aws s3 ls s3://zomato-share aws s3 cp test...
WordPress: Infrastructure - Photon - SSRF
Description: The Photon service, located at http://i0.wp.com/ and described at https://code.trac.wordpress.org/browser/photon/, is vulnerable to HTTP SSRF via redirect. The redirect can go to any IP, including inside any firewall Photon might be behind, on any port, and can ad...
HackerOne: SPF whitelist of mandrill leads to email forgery
I just sent a forged email to [email protected] that appears to originate from [email protected]. I was able to do this because of the following SPF record: dig txt hackerone.com hackerone.com. 299 IN TXT "v=spf1 include:spf.google.com include:sendgrid.net include:mail.zendesk.com...
Coinbase: Blacklist bypass on Callback URLs
In bug 47368, I was able to reach private IP addresses via the "Test Now" button of the "Callback URL" feature. Exploiting this flaw allowed me to reach the metadata server of your outbound proxy which is, afaik, maintained by Proximo. A comment by aianus states that callbacks are now restricted...
Uzbey: Information Disclosure (phpinfo())
URL: https://staging.uzbey.com/phpinfo.php Description: phpinfo is a debug function that prints out detailed information on both the system and the PHP configuration. An attacker can obtain information such as: • Exact PHP version. • Exact OS and its version. • Details of the PHP...
Localize: Login page password-guessing attack
Login page password-guessing attack. Vulnerability description: A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and...
Adobe: Unauthenticated Varnish Cache Purge
Vulnerability description not provided...
curl: CVE-2024-7264: ASN.1 date parser overread
Vulnerability description not provided...
Hyperledger: Remote denial of service in HyperLedger Fabric
This issue was caused by a missing nil check. An orderer-to-orderer consensus message that contains an empty inner message crashes the node, because it attempts to figure out the message's type, and the mere action of determining the type of a nil pointer causes a panic. Thank you to Haosheng Wang of OPP...
curl: CVE-2022-32208: FTP-KRB bad message verification
Summary: libcurl handles the gss_unwrap GSS_S_BAD_SIG error incorrectly. This enables a malicious attacker to inject arbitrary FTP server responses into a GSSAPI-protected FTP control connection and/or make the client consume unrelated heap memory as an FTP command response. The defective krb5_decode function is...
curl: CVE-2022-27775: Bad local IPv6 connection reuse
Summary: curl doesn't consider the IPv6 address zone index when doing connection reuse. If a connection exists to a specific IPv6 address and the other conditions for connection reuse are fulfilled, it will be reused regardless of the zone index. Steps To Reproduce: 1. Set up a fake server: ech...
GitHub Security Lab: [Python] CWE-522: Insecure LDAP Authentication
This bug was reported directly to GitHub Security Lab...
Lark Technologies: Improper Access Control on Lark Footer Feature
Due to improper access control within Lark's footer feature, an attacker could have potentially accessed private files. We thank @imrannisar for reporting this to our team and confirming the resolution...