15372 matches found
Uzbey: Information Disclosure (phpinfo())
URL :- https://staging.uzbey.com/phpinfo.php Description :- phpinfo is a debug functionality that prints out detailed information on both the system and the PHP configuration. An attacker can obtain information such as: •Exact PHP version. •Exact OS and its version. •Details of the PHP...
Localize: Login page password-guessing attack
Login page password-guessing attack Vulnerability description A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and...
Adobe: Unauthenticated Varnish Cache Purge
Vulnerability description not provided...
Hyperledger: Remote denial of service in HyperLedger Fabric
This issue was caused by a missing check of nil. An orderer to orderer consensus message that contains an empty inner message crashes the node because it attempts to figure out its type and the mere action of determining the type of a nil pointer, causes a panic. Thank you to Haosheng Wang of OPP...
curl: CVE-2022-32208: FTP-KRB bad message verification
Summary: libcurl handles gssunwrap GSSSBADSIG error incorrectly. This enables malicious attacker to inject arbitrary FTP server responses to GSSAPI protected FTP control connection and/or make the client consume unrelated heap memory as a FTP command response. The defective krb5decode function is...
Internet Bug Bounty: CVE-2022-27780: percent-encoded path separator in URL host
Advisory: https://curl.se/docs/CVE-2022-27780.html Original Report: https://hackerone.com/reports/1553841 Impact URL filter bypasses...
curl: CVE-2022-27775: Bad local IPv6 connection reuse
Summary: Curl doesn't consider IPv6 address zone index when doing connection reuse. if connection exists to specific IPv6 address and other conditions for connection reuse are fulfilled it will be reused for connections regardless of the zone index. Steps To Reproduce: 1.Set up a fake server: ech...
GitHub Security Lab: [Python] CWE-522: Insecure LDAP Authentication
This bug was reported directly to GitHub Security Lab...
Lark Technologies: Improper Access Control on Lark Footer Feature
Due to improper access control within Lark's footer feature, an attacker could have potentially accessed private files. We thank @imrannisar for reporting this to our team and confirming the resolution...
Ruby: 'net/http': HTTP Header Injection in the set_content_type method
The set\content\type's parameter is not filtered to prevent the injection from altering the entire request. The vulnerable code: ruby def setcontenttypetype, params = @header'content-type' = type + params.map|k,v|"; k=v".join'' end PoC 1. ruby require 'net/http' uri = URI'http://127.0.0.1:8080' r...
Zivver: Cross-site Scripting (XSS) - Reflected
This issue is out of scope per our policy. It would require very unlikely user involvement, such as getting the victim to directly copy and paste malicious code into the search bar as the search query can not be passed dynamically, e.g. as a URL parameter. vulnerabal url : = docs.zivver.com...
Shopify: Stored XSS on apps.shopify.com
Steps to reProduce: 1 Write payload luc1d"@wearehackerone.com as Store contact email in General Settings page.myshopify.com/admin/settings/general F1202181 -- Wait here around 60 mins maybe more idk, it was 60 mins for me for the change to reflect -- You can confirm the change on here...
GitLab: FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com
Summary: Hi Team, a bit of a odd one here. The FogBugz import code uses CarrierWave::Uploader::Base:download! to download attachments from fogbugz.com when importing a FogBugz repository. CarrierWave::Uploader::Base:download! ultimately uses Kernel.Open to download the provided attachment URL...
U.S. Dept Of Defense: Reflected XSS on https://█████████html?url
Vulnerable Website URL or Application: https://███████html?url=javascript:alert"nagli" Description of Security Issue: please limit to one site/app per submission Reflected XSS due to no input validation █████████ Remediation Sanitize the input on the that parameter Best Regards nagli Impact...
New Relic: IDOR - User is able to download charts/dashboards from cross accounts
@k3ne described an issue where a user on an account could access data concerning dashboards for another user on the same account. While this appeared to be a cross-account access issue, both users on the account have access to the same data by design...
Nextcloud: Remote code execution via path traversal in Zip extraction in the Extract app
I realise this doesn't qualify for a reward, as it's a vulnerability in a third-party app, but as the app is part of the "official" VM image provided by Hansson IT, I think it's well worth fixing. The Extract app doesn't validate the path or filename of a zip file to be extracted, allowing an...
InnoGames: Blind SQL Injection
Summary of the Issue A Time Based Blind SQL injection vulnerability was detected on www.innogames.com. Using a specifically crafted payload it was possible to extract database entries. Vulnerable endpoint: https://www.innogames.com/ Steps to reproduce: 1. Getting two states for boolean based sql...
Razer: DOM XSS at https://www.thx.com in IE/Edge browser
Summary: I just recently found easy exploitable DOM XSS vulnerability because of https://www.thx.com/assets/plugins/ultimate-social-media-icons/js/custom.js?ver=5.2.3 js file Steps To Reproduce: First i want to say this is vulnerable code function sfsimobilewechatshareurl if...
GitLab: SSRF In plantuml (on plantuml.pre.gitlab.com)
NOTE! Thanks for submitting a report! Please replace all the parenthesized sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary The site...
Central Security Project: OS Command Injection in Nexus Repository Manager 2.x
Maven artifact groupId: org.sonatype.nexus.plugins artifactId: nexus-yum-repository-plugin version: 2.14.9-01 Vulnerability Vulnerability Description The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All instances using CommandLineExecutor.java with user-supplied data is...
Node.js third-party modules: Command Injection in npm module name passed as an argument to pm2.install() function
Hi Lads, I would like to report Command Injection possible when npm module name is passed into pm2.install. An attacker is able to attach OS commands to npm module name and those commands will be executed when payload reaches execution sink in continueInstall function in API/Modules/NPM.js file...
MariaDB: CRLF injection on https://buildbot.mariadb.org
A CRLF new line injection vulnerability has been discovered in the Buildbot.net software and reported to us. We have forwarded this to the Buildbot developers which coordinated a fix release and public disclosure. This vulnerability has been assigned CVE-2019-7313. More details in the advisory te...
Rocket.Chat: Blind XSS in the rocket.chat registration email
Note: This report was initially sent via email and I was invited to submit this here. Hi team, During an audit on a third-party, I discovered that rocket.chat Android client might be vulnerable to blind XSS. My XSS payload fired in the context of the target's rocket.chat client as you can see bel...
VK.com: XSS-уязвимость, связанная с загрузкой файлов
XSS в документах...
Shopify: myshopify.com domain takeover
Hello Shopify Security Team, I just received your email and I'm sorry for any inconvenience. Yes, it was me. Basically, I just tried to audit your website using some black box testing. Unfortunately, I didn't read about those guidelines, such as creating a store on https://partners.shopify.com/ a...
Ruby: Unix domain socket and a path containing a null character
Some methods on UNIX domain socket are not checked for null characters. vagrant@localhost $ ls /tmp vagrant@localhost $ irb irbmain:001:0 require 'socket' = true irbmain:002:0 UNIXServer.open"/tmp/socket\0ruby" |serv| irbmain:003:1 c = UNIXSocket.open"/tmp/socket\0sapphire" irbmain:004:1 s =...
Automattic: xss filter bypass [polldaddy]
Hi, previously reported xss https://hackerone.com/reports/107405 which is fixed, but i am able to bypass that fix. Payload for bypass : Click Here Steps: - Login into Polldaddy account polldaddy.com - go to POLLS and create new poll - in answers. enter xss payload Click Here F217173 - Save it - g...
Rockstar Games: Stored XSS with CRLF injection via post message to user feed
In this report, the researcher was able to demonstrate a Stored XSS vulnerability in User Feeds. This vulnerability leveraged CRLF injection in order to bypass existing filters and execute the payload. With their help we were able to improve our filtering and sanitization rules in order to preven...
Pornhub: pornhub.com/user/welcome/basicinfo nickname field is vulnerable on xss
The researcher discovered a stored XSS in the user's basic info page...
WordPress: Wordpress unzip_file path traversal
Summary The Wordpress unzipfile function https://codex.wordpress.org/FunctionReference/unzipfile is vulnerable to path traversal when extracting zip files. Extracting untrusted zip files using this function this could lead to code execution through placing arbitrary PHP files in the DocumentRoot ...
Pushwoosh: Unsecured Grafana instance
Unsecured Grafana instance...
Automattic: [bbPress] Stored XSS in any forum post.
Intro: Encouraged by the success of cure53 and their reward, i start the research plugins in your scope. And almost immediately i found critical Stored XSS, which of course leeds to privelege escalation or PHP code execution. This vulnerability doesnt requres "special" preveleges like...
Sucuri: SSRF in sitecheck.sucuri.net
Hi, Sucuri Security Team. I found a SSRF in https://sitecheck.sucuri.net/ Although there was already an protection to prevent SSRF, but it can be bypassed by 302 redirection! ssrf.php https://sitecheck.sucuri.net/results/orange.tw/ssrf.php And your port will receive "HELLO WORLD" orange@z:$ nc -v...
Pornhub: [stored xss, pornhub.com] stream post function
Stored Cross Site Scripting The user profile page is vulnerable to stored cross site scripting, a user can post a text post on their page with the following as the message body: http://url=http://www.pornhub.com/"/onmouseover="alertdocument.domain"/http://a/"/url This gets stored in a post and ca...
Internet Bug Bounty: Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714)
The 1 EPHEMERAL, 2 HTTPS, 3 MVG, 4 MSL, 5 TEXT, 6 SHOW, 7 WIN, and 8 PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." See also:...
Uber: CBC "cut and paste" attack may cause Open Redirect(even XSS)
Hello, Uber Security Team I found an vulnerability in Uber URL redirect page. Vulnerability In page...
Ruby on Rails: Nested attributes reject_if proc can be circumvented by providing "_destroy" parameter
Nested attributes rejection proc bypass in Active Record. There is a vulnerability in how the nested attributes feature in Active Record handles updates in combination with destroy flags when destroying records is disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577...
Ruby on Rails: Arbitrary file existence disclosure in Action Pack
This bug was reported directly to the Rails team: https://groups.google.com/forum/!topic/rubyonrails-security/23fiuwb1NBA...
Internet Bug Bounty: TLS Virtual Host Confusion
I am a security researcher at INRIA Paris in team PROSECCO http://prosecco.inria.fr We have been investigating a new class of attacks against the deployment of TLS on the Web. The main idea behind these attacks is that when two servers host different domains but share the same certificate which...
Ruby: Ruby: Heap Overflow in Floating Point Parsing
Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values...
Internet Bug Bounty: important: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (CVE-2024-38476)
The Apache HTTP Server vulnerability CVE-2024-38476 was discovered in versions 2.4.0 through 2.4.59. The vulnerability allowed the use of exploitable or malicious backend application output to run local handlers via internal redirect. Users were recommended to upgrade to version 2.4.60, which fix...
Internet Bug Bounty: CVE-2024-32760 in nginx
CVE-2024-32760 was discovered in the HTTP/3 QUIC module of NGINX Plus and NGINX OSS. When the module was configured, undisclosed HTTP/3 encoder instructions could cause NGINX worker processes to terminate or experience other potential impact...
Internet Bug Bounty: Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash
The Node.js HTTP/2 server was affected by a vulnerability that caused it to crash instantly after receiving a small number of HTTP/2 frames. The issue was caused by a race condition that occurred when the Http2Session destructor was triggered while header frames were still being processed, leavin...
PortSwigger Web Security: CSP Bypass and escalation of https://hackerone.com/reports/2279346
Vulnerability description not provided...
inDrive: #1 XSS on watchdocs.indriverapp.com
The security vulnerability found on watchdocs.indriverapp.com allowed for cross-site scripting XSS attacks. The vulnerability was triggered by crafting a specific URL that executed arbitrary JavaScript code when accessed by users...
Node.js: CRLF Injection in Nodejs ‘undici’ via host
A CRLF injection vulnerability existed in the 'host' header of undici.request API, allowing an attacker to inject arbitrary HTTP headers and conduct various attacks. The vulnerability impacted undici library versions up to 5.14.0...
Internet Bug Bounty: Buffer Overflow in optimized_escape_html method
This report is a copy of bug report https://hackerone.com/reports/1328463. I was asked to submit this bug here, because Ruby bug bounty program is moved to this new Internet Bug Bounty program. Operating System ================ Windows 10 This should reproduce in any other operating system where...
FetLife: Able to access private picture/video/writing when requesting for their JSON response
Description Endpoint https://fetlife.com/users/user-id/pictures/pic-id has 2 types of responses, HTML and JSON. The type of response depends on Accept header of request it get. If request contains Accept: application/json, then it will return JSON response. Other than that, it returns HTML...
U.S. Dept Of Defense: Sensitive information on ██████████
Hi team, i found a sensitive file hosted on '████' that i think must be not public accessible due to the wording "████████" Vulnerable Endpoint: https://██████ █████████ Regards Impact Sensitive information pubblicy accessible System Hosts ██████████ Affected Products and Versions CVE Numbers Ste...
curl: CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport
Summary: libcurl Secure Transport SSL backend fails to secure the CURLOPTSSLCERT against current directory file overriding the keychain nickname specified. This leads to the possibility of locally created file overriding the CURLOPTSSLCERT specified certificate and thus causing denial of service...