15372 matches found
GitHub Security Lab: [Java] CWE-295 - Incorrect Hostname Verification - MitM
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: Sensitive data exposure via https://███/secure/QueryComponent!Default.jspa - CVE-2020-14179
Summary: Information Disclosure vulnerability in outdated Jira. Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the...
VK.com: Path Traversal в iOS приложении
Передача файлов из внутреннего каталога iOS приложения. С помощью хакерской атаки можно было угнать файлы из внутреннего каталога IOS приложения...
Stripo Inc: No rate limiting for subscribe email + lead to Cross origin misconfiguration
Summary: I found bypass no rate limiting using Access-Control-Allow-Origin: and look the response as 200 vulnerable No rate limit means their is no mechanism to protect against the requests you made in a short frame of time. If the repetition doesn't give any error after 50, 100, 1000 repetitions...
CS Money: IDOR in https://3d.cs.money/
Summary: Hello, I found an IDOR in https://3d.cs.money/ which will allow you to save, edit, delete build of victim account without any grant on the victim account Steps To Reproduce: This bug based on steamID which is reflected on Steam or you can use any Steam ID Finder software to find...
h1-ctf: [H1-2006 2020] CTF writeup
Context Well, against all expectations you finally get it, you got the flag! Let's go back in time to remember how. --- Twitter Once upon a time As always the CTF starts with a tweet: F855948 --- Subdomains According to the policy page, .bountypay.h1ctf.com is in scope. You decide to scan...
Razer: 🐞 OS Command Injection at https://sea-web.gold.razer.com/lab/ws-lookup via IP parameter
The tester discovered a Razer Gold Thailand site that suffered from a service with a command injection vulnerability. Razer thanks the tester for his report and clear PoC. a real world CTF-Like challenge 😅 Burpsuite Collaborator Client was very helpful Thanks @Razer for the bounty 🥳...
Nord Security: The Linux binaries (nordvpn and nordvpnd) don't use PIE/ASLR
Summary: The Linux binaries nordvpn and nordvpnd don't have PIE/ASLR enabled. A such feature is used to harden programs against the exploitation of memory corruption bugs and should be enabled. The use of ASLR has long been debated among the Golang community. However, it seems that it's becoming...
X (Formerly Twitter): iOS app crashed by specially crafted direct message reactions
Summary: iOS app crashed by specially crafted direct message reactions Description: Twitter does not properly sanitize direct message reactions, making it possible for arbitrary reaction text to be shown to the user via the message preview in the direct message list. Special characters such as \r...
MTN Group: Information Disclosure Microsoft IIS Server service.cnf in a mtn website
Hi there i found a information disclosure Microsoft IIS Server service.cnf file in the website https://www.mtn.co.za/ using firefox. In the following steps i will demonstrate how to reproduce the vulnerability. POC: 1ºGo to the following url: https://www.mtn.co.za/vtipvt/service.cnf you will see:...
PUBG: Reflected XSS in pubg.com
Summary: PUBG's main website https://www.pubg.com has an endpoint that is vulnerable to an injection vulnerability - namely a reflected injection of JavaScript, also known as Reflected Cross Site Scripting XSS. As per OWASP's definition: "Cross-Site Scripting XSS attacks are a type of injection, ...
Mail.ru: OOB XXE
Limited XXE on XML request processing led to blind SSRF possibility OOB XXE on one of Ext. B Mail.ru domains, which could be exploited as blind SSRF...
U.S. Dept Of Defense: [CVE-2019-11510 ] Path Traversal on ████████ leads to leaked passwords, RCE, etc
Summary / Description: █████ is vulnerable to Path Traversal which can lead to remote code execution. Impact Critical Step-by-step Reproduction Instructions 1. Run the following cURL command to get the file /etc/hosts curl --path-as-is -k -D-...
WordPress: Stored XSS Vulnerability
Hi there, I found a stored xss @ https://core.trac.wordpress.org/ Steps: 1. Go to https://core.trac.wordpress.org/ and login. open new private window and login with another account 2. Go to https://core.trac.wordpress.org/newticket and set a summary and description. 3. Select a Workflow Keyword a...
U.S. Dept Of Defense: SQL Injection in ████
Summary There is an SQL injection vulnerability in ████████ in the /█████/recruiter/updapp.aspx page, exploitable through the appid form parameter. Impact An attacker could use this vulnerability to control the content in the database, exfiltrate information, and obtain remote code execution...
QIWI: [*.rocketbank.ru] Web Cache Deception & XSS
Практически все сайты .rocketbank.ru, основанные на readymag.rocketbank.ru, уязвимы к Web Cache Deception и XSS. Пример запроса: http GET /?xx HTTP/1.1 Host: wknd.rocketbank.ru X-Forwarded-Host: cacheattack'"alertdocument.domain HTTP ответ: html alertdocument.domain/friends/" alertdocument.domain...
Trello: Stored XSS in Treeview plugin
There was a potential XSS issue in a third party power-up. While issues with third party apps are generally out of scope for our bug bounty program, in this case we opted to award a small bounty...
VK.com: Определение id по номеру телефона
Недостаточность проверок в определенных запросах...
Node.js third-party modules: [serve] Directory listing and File access even when they have been set to be ignored
I would like to report a vulnerability in serve on macOS. It allows listing directory and reading local files on the target server. Module module name: serve version: 6.5.3 npm page: https://www.npmjs.com/package/serve Module Description Ever wanted to share a project on your network by running...
Node.js third-party modules: [localhost-now] Path Traversal allows to read content of arbitrary file
Hi Guys, There is Path Traversal in localhost-now module. It allows to read content of arbitrary files on the remote server. Module localhost-now This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser...
Phabricator: Autoclose can close any task regardless of policies/spaces
Description If a user can push to a repository that has autoclose enabled, they can close //any// Maniphest task on the install, including tasks whose policies otherwise restrict the user from viewing or editing, and tasks inside Spaces that the user can't view. I don't think this rises to the...
Phabricator: User with only Viewing Privilege can send message to Room
Hey, mongoose When the owner of a chat room gives any user Viewing Privilege, that user can then send messages to the room. As expected, there's no form to send messages when the user access the room since in theory it shouldn't be possible. However, messages via POST requests can still be sent a...
Yelp: Password reset token not expiring
Hello Yelp, Old unused Password reset tokens are not expiring on yelp.com after the issuance of a new token. EXPLANATION: Suppose at 09:00 hrs I used password reset options of yelp and got a token on my email.Lets call it token01. But i did not use it. And at 09:04 hrs I used again the password...
Uber: Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com
Limited disclosure at @rojanr's request Subdomains including translate.uber.com, fr.uber.com and de.uber.com were pointing to a CNAME for a site that was not claimed. I was able to claim the site and add any content. For PoC purposes, I showcased my blog on translate.uber.com and de.uber.com...
HackerOne: Improperly validated fields allows injection of arbitrary HTML via spoofed React objects
Note: I haven't yet investigated the implications of this fully, so this may be more severe than I'm currently aware of. Right now the only exploits I'm aware of allow a team member to attack other team members. I've found a couple fields that I'd expect to be limited to string values, but which...
Internet Bug Bounty: Bad Write in TTF font parsing (win32k.sys)
This bug was originally reported through Project Zero at Google. Alex Rice suggested to me that I could potentially receive a bounty through Hacker One so I am also opening a report here. The vulnerability reference numbers are MS15-010 CVE-2015-0059 The original bug report is...
Mobile Vikings: Stored XSS in Direct debit name
Make new or edit old Direct debit for example https://mobilevikings.be/en/account/easypay/correct-direct-debit-mandate/111366/ 2. Fill owners name with payload asdf'"alertdocument.cookie 3. Save form. We got Stored XSS in pages: https://mobilevikings.be/en/account/easypay/...
HackerOne: No email verification on username change
Hello Hackerone People This is an issue that i discovered in the username change option. Basically anyone can ask your system to change anyone's username on hackerone. I tested this by mailing at [email protected] to change the username of my friend's account from yhunterz to yahoohuntz whose...
Mail.ru: XXE and SSRF on webmaster.mail.ru
SSRF request: POST /domain/metadata HTTP/1.1 Host: webmaster.mail.ru User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.9; rv:29.0 Gecko/20100101 Firefox/29.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate...
Yahoo!: REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Internet Bug Bounty: Handling of jar: URIs bypasses AllowScriptAccess=never
This bug was reported directly to Adobe. http://helpx.adobe.com/security/products/flash-player/apsb14-02.html...
Node.js: Bypass incomplete fix of CVE-2024-27980
The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arose from improper handling of batch files with all possible extensions on Windows via childprocess.spawn and childprocess.spawnSync. A malicious command line argument could have been used ...
curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL
The vulnerability in vquic-tls.c in the curlwsslinitctx function allowed for a certificate check bypass when using the WolfSSL backend. The error handling was not properly implemented, resulting in a potential bypass of the certificate verification requirements...
Cloudflare Public Bug Bounty: Using special IPv4-mapped IPv6 addresses to bypass local IP ban
Vulnerability description not provided...
Fastify: Deny of service via malicious Content-Type
Summary: I found a way to crash a [email protected] server with a single query on a minimal setup. The function ContentTypeParser.getParser do not check properly if the requested content-type parser exists. /lib/contentTypeParser.js:94 javascript ContentTypeParser.prototype.getParser = function...
Yelp: No rate limit on subscribe form
Summary: Hi team, I found that you missing a rate limit protection for subscribe form Platforms Affected: https://business.yelp.com/?source=consumersiteheader&utmcontent=header&utmmedium=www&utmsource=conshome Steps To Reproduce: 1. go to...
Internet Bug Bounty: CVE-2022-27778: curl removes wrong file on error
Summary: Curl command has a logic flaw that results in removal of a wrong file when combining --no-clobber and --remove-on-error if the target file name exists and an error occurs. Steps To Reproduce: 1. echo "important file" foo 2. echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 666\r\n\r\nHello\n"...
Basecamp: Subdomain Takeover due to ████████ NS records at us-east4.37signals.com
Description Hi! I have discovered that us-east4.37signals.com was pointing to an unclaimed ████ NS zone and I've managed to claim it in my account. POC http://nagli.us-east4.37signals.com/takeover.html F1451587 Remediation Make sure to configure the DNS records under us-east4.37signals.com Best...
UPchieve: Failed to validate Session after Password Change
While conducting my research I discovered that the application Failed to validate session after password change. In this scenario changing the password doesn't destroys the other sessions which are logged in with old passwords in another browser. Steps To Reproduce: 1 Login with the same account ...
GitHub Security Lab: [GO] CWE-1004: Sensitive cookie without HttpOnly
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] BeanShell Injection
This bug was reported directly to GitHub Security Lab...
Kryptor: Kryptor/SECURITY.md missing HACKERONE program update.
Hi Team, I was going through code and found that in this https://github.com/samuel-lucas6/Kryptor/blob/master/SECURITY.md , "Security Policy" is missing update regrading Hackerone platform that "Security Bug now be submitted @ https://hackerone.com/kryptor/ this . Please update the policy...
Shopify: Bypass For #997350 your-store.myshopify.com preview link is leak on third party website Via Online Store
Hi Security Team, Description Full Description in 997350 The owner of that website can perform a security compromise by grabbing those links. Solution: The solution is very very SIMPLE. Just include the following HTML code in the following in code between tags of the html of the page: This will n...
Dropcontact: Sensitive Information Disclosure
we were displaying sensitive information. While testing the site i was able to disclose sensitive information such as username, passwords, api keys, etc due to DEBUG = True .This bug arose due to default configuration at the backend. Now the bug is fixed. Thanks to the team for the quick fix!...
Mail.ru: [https://youdrive.today/] Nginx directory traversal
Invalid nginx configuration allowed limited path traversal in youdrive.today and leaking sensitive application data in configuration files. Nginx directory traversal via misconfigured alias leads for disclosing all the configuration. Exploit: https:///static../config.js...
Topcoder: CSRF on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Summary: Hi : There is a CSRF on creating bookmarks form. Steps To Reproduce: There is no CSRF token or anything like that on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action. I added the poc html file below. When someone opens this html file, or we can add it into o...
PlayStation: Access token stealing.
Summary: https://my.playstation.com/auth/response.html suffers from a misconfiguration which leads to access token stealing. Description: The page...
Trint Ltd: SSO bypass in zendesk using trint organization able to leak internal ticket information
Summary hello there because in app.trint.com there's no email verification i able to login in your zendesk SSO using your organization your organization using domain @trint.com because there's no email verification i able to read and takeover + claim this email [email protected] and i able to...
Central Security Project: Unrestricted File Upload Leading to Remote Code Execution
Description As an administrator user it is possible to create files and directories in any location on the file system of the server. This can be abused to write files to any sensitive location on the Windows file system because the Nexus process runs with SYSTEM privileges. This can allows an...
Node.js third-party modules: [uppy] Stored XSS due to crafted SVG file
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Module: Uppy. Affected version: 0.22.2...