GoCD: Open S3 Bucket Accessible by any Aws User
Description: It has been observed that the Amazon S3 bucket which I believe belongs to GoCD, as it contains data related to GoCD █████ documents and all, is misconfigured; as a result any unauthenticated user can access it without any restrictions. Step-by-step Reproduction Instructions 1. Access...
Basecamp: Subdomain Takeover due to ████████ NS records at us-east4.37signals.com
Description Hi! I have discovered that us-east4.37signals.com was pointing to an unclaimed ████ NS zone and I've managed to claim it in my account. POC http://nagli.us-east4.37signals.com/takeover.html F1451587 Remediation Make sure to configure the DNS records under us-east4.37signals.com Best...
Twitter Algorithmic Bias: Economic Harm through Twitter's Cropping Algorithm
Bounty Hunter Name: CyberQueenMeg About You: Megan, also known as CyberQueenMeg, is a passionate rising cybersecurity professional who is interested in programming, cybersecurity, and web development. Megan is a high school senior in a rigorous computer science program at her high school where sh...
GitHub Security Lab: [Java] BeanShell Injection
This bug was reported directly to GitHub Security Lab...
Shopify: Stored XSS on apps.shopify.com
Steps to Reproduce: 1. Write payload luc1d"@wearehackerone.com as Store contact email in General Settings page.myshopify.com/admin/settings/general F1202181 -- Wait here around 60 mins, maybe more, idk; it was 60 mins for me for the change to reflect -- You can confirm the change on here...
HackerOne: Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io
@nagli found an open redirect vulnerability in a 3rd party vendor that was used by HackerOne. This system did not contain any data related to reports submitted and stored on hackerone.com. HackerOne worked with the vendor to remediate the vulnerability. The report is partially disclosed to...
TikTok: Blind SSRF in ads.tiktok.com
A Server Side Request Forgery SSRF vulnerability was reported on the TikTok ads portal. This flaw has since been remediated. We thank @chihuahua for reporting this vulnerability to our team and confirming the resolution...
Open-Xchange: Failed assert in `mail_index_transaction_lookup`
To reproduce, run the test suite on the following input: require"vnd.dovecot.testsuite";require "fileinto";require "mailbox";test"" fileinto:create "Folder"; if testresultexecute testmessage:folder "Folder" 2; Output with ASAN enabled is the stack trace: testsuite: Panic: file mail-index-transaction-update.c...
Dropcontact: Registering with email [ +70 Chars ] Lead to Disclose some informations [Django Debug Mode ]
We were displaying / leaking system information in case of an app crash...
Acronis: Arbitrary DLL injection in mmsminisrv (Acronis Managed Machine Service Mini)
During initialization, the mmsmini.exe service binary of mmsminisrv loads the library C:\Program Files (x86)\Common Files\Acronis\Home\libssl10.dll. The library then tries to load the non-existing file C:\bshudson\workspace\mod-openssl-fips-win\205\product\out\standard\vs2013release\OpenSSL\ssl\openssl.cnf. T...
Topcoder: Reflected XSS on https://apps.topcoder.com/wiki/pages/createpage.action
Summary: Hi : A reflected XSS occurs on https://apps.topcoder.com/wiki/pages/createpage.action when creating wiki pages. Steps To Reproduce: A user can create wiki pages on https://apps.topcoder.com/wiki/pages/createpage.action?spaceKey=tcwiki. In this url parentPageString and labelsString...
HackerOne: Improper UUID validation results in bypass of #419896
This was found while evaluating the vulnerability and patch identified in 419896. I determined the deployed patch to be effective. However, I noticed tracer values could be sent which didn't conform to the UUID specification as characters outside of the a-f and 0-9 ranges could be used. For...
Upserve: reports.breadcrumb.com is vulnerable to arbitrary file existence disclosure CVE-2014-7829
A directory traversal vulnerability in a third-party ruby gem allowed a remote actor to determine the existence but not the contents of files outside of the application root...
Electroneum: Hackerone [Mainsite Vulnerability]
Hello, I was checking out the website Electroneum – Crowdfunding Token Sale – Electroneum – the mobile based cryptocurrency for any vulnerabilities through HackerOne. I would like to submit a vulnerability for consideration towards a bounty. Currently you have the file...
Valve: LFI in pChart php library
Local File Inclusion LFI vulnerability in the pChart php library...
Gratipay: Reflected SQL Execution
My friends are the best hackers: hackerone.com/rashidziaur hackerone.com/smziaurrashid hackerone.com/s4k16. They teach me how to hack a toaster F234731. Please give us $$$$$ for our family, we are poor. Please consider this bug in your site F234733...
Gratipay: Missing Certificate Authority Authorization rule
Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...
Internet Bug Bounty: Certificate message OOB reads (CVE-2016-6306)
In OpenSSL 1.0.2 and earlier some missing message length checks can result in OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical DoS risk but this has not been observed in practice on common platforms. The messages affected are client certificate, client certificate...
Blockchain: HTTP Header Injection/HTTP_Response_Splitting
Submitter observed that CloudFlare-protected sites will serve content from other CloudFlare-protected sites when the "Host" HTTP request header is modified in transit. A PoC for an attacker to modify a victim user's "Host" HTTP request header could not be presented by the submitter; consequently...
Internet Bug Bounty: Out of bounds memory read in unserialize()
I have found and reported an out of bounds memory read in PHP: https://bugs.php.net/bug.php?id=73825 It affected all three supported versions and has been fixed with the latest updates: https://secure.php.net/ChangeLog-5.php5.6.30 https://secure.php.net/ChangeLog-7.php7.0.15...
Internet Bug Bounty: DoS vulnerability in mod_auth_digest CVE-2016-2161
Malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests. http://httpd.apache.org/security/vulnerabilities24.html...
Harvest: CSRF token fixation in Sign in with Google
Hi, there is CSRF token fixation in Sign in with Google at https://id.getharvest.com/sessions/new. The state parameter is the same for every login: https://id.getharvest.com/oauth2/callback?state=%7B%22intent%22:%22sign-in%22%7D&code=code Steps to reproduce 1. Go to...
Gratipay: X-Content-Type Header Missing For aspen.io
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared...
Square Open Source: git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules
I recently discovered a security vulnerability in git that also affects other programs that manually reimplement submodule-like operations. The recent security update to git concerning git-remote-ext URLs in submodules affects git-fastclone similarly. This bug was patched in Git v2.6.1, v2.5.4,...
QIWI: Session Cookie without HttpOnly and secure flag set
Vulnerable URL: https://portal.int.qiwi.com/login.php The PHPSESSID cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security...
Django: CSRF protection bypass on any Django powered site via Google Analytics
I shall explain all the steps to create the final PoC in order to be clearer. Part 1. Cookie Injection via Google Analytics (reported to Google, rewarded, still working). Google Analytics sets the cookie to track user source:...
Internet Bug Bounty: SPDY memory corruption
A bug in the experimental SPDY implementation in nginx 1.5.10 was found, which might allow an attacker to corrupt worker process memory by using a specially crafted request, potentially resulting in arbitrary code execution CVE-2014-0088. The problem only affects nginx 1.5.10 on 32-bit platforms,...
Localize: open redirected by host header
An Open Redirect vulnerability occurs when an application allows users to be redirected to an external, untrusted URL without validating the redirection target. By controlling the Host header and observing a redirection to the specified external site, you may have found an open redirect...
Internet Bug Bounty: Apache Airflow: Sensitive Information Exposure in DAG Run Logs
The Apache Airflow platform was vulnerable to sensitive information exposure in DAG run logs. Passwords, secrets, and the Fernet key were logged in plain text, which could have resulted in the disclosure of this sensitive information to unauthorized users...
Internet Bug Bounty: CVE-2024-38875: Denial-Of-Service through uncontrolled resource consumption caused by poor time complexity of strip_punctuation .
The vulnerability CVE-2024-38875 was discovered in the strip_punctuation function used by the urlize and urlizetrunc filters. The function had a poor time complexity of O(n^2) in the worst case, which could lead to uncontrolled resource consumption when processing input with a large number of openin...
Internet Bug Bounty: moderate: Apache HTTP Server: HTTP response splitting (CVE-2023-38709)
moderate: Apache HTTP Server: HTTP response splitting CVE-2023-38709 Faulty input validation in the core of Apache allowed malicious or exploitable backend/content generators to split HTTP responses. This issue affected Apache HTTP Server through version 2.4.58...
Internet Bug Bounty: CVE-2023-47037: Airflow Broken Access Control Vulnerability
A broken access control vulnerability in Apache Airflow versions before 2.7.3 allowed authenticated users with DAG view authorization to modify some DAG run detail values when submitting notes, potentially altering details such as configuration parameters and start date...
HackerOne: IDOR - Delete all Licenses and certifications from users account using CreateOrUpdateHackerCertification GraphQL query
All licenses and certifications in HackerOne could be deleted by changing the ID number in the CreateOrUpdateHackerCertification GraphQL query...
HackerOne: Bypass of #2035332 RXSS at image.hackerone.live via the `url` parameter
A reflected cross-site scripting RXSS vulnerability was discovered on the image.hackerone.live website. The vulnerability allowed an attacker to bypass the fix implemented for a previous RXSS issue. By modifying the server's response to a HEAD request, the attacker could change the Content-Type a...
Node.js: HTTP Request Smuggling via Empty headers separated by CR
HTTP Request Smuggling HRS was possible in Node.js v20.2.0 due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. The CR character without LF was sufficient to delimit HTTP header fields in the llhttp parser, which is not compliant with RFC7230...
GitHub Security Lab: [python]: Zip Slip Vulnerability
This bug was reported directly to GitHub Security Lab...
Node.js: HTTP Request Smuggling Due to Flawed Parsing of Transfer-Encoding
Summary: The llhttp parser in the http module in Node v17.8.0 does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling HRS. Description: After 1501679, I did a bit more digging into the issue, and found that there were more flaws in the parsing of...
Adobe: Log4j Java RCE in [beta.dev.adobeconnect.com]
Hello Security Team, Summary: Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser. As per Apache's Log4j security guide: Apache Log4j2 <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker...
Revive Adserver: Use of a Broken or Risky Cryptographic Algorithm
revive-adserver utilizes a PRNG for session-token generation. This means that an attacker could theoretically be able to generate session tokens at random and take over accounts at random. This function does not generate cryptographically secure values, and should not be used for cryptographic...
UPchieve: Failed to validate Session after Password Change
While conducting my research I discovered that the application failed to validate the session after a password change. In this scenario changing the password doesn't destroy the other sessions which are logged in with the old password in another browser. Steps To Reproduce: 1. Login with the same account ...
Nextcloud: Notification implicit PendingIntent in com.nextcloud.client allows to access contacts
When the victim downloads files in Nextcloud, a notification will be triggered. The content of the notification is "Downloaded". This notification is used to remind the user that the download is complete. The PendingIntent in this notification is an implicit intent. At this time a malicious app with...
VK.com: Path Traversal in the iOS application
Transfer of files from the internal directory of the iOS application. Using a hacker attack it was possible to steal files from the internal directory of the iOS application...
Logitech: One Click Account takeover using OAuth CSRF bypass by adding Null byte %00 in state parameter on www.streamlabs.com
Summary: Hello Team, I have found a bypass of this report: 1039749. Steps To Reproduce: 1. Login to the attacker's account and go to settings -- account settings. 2. Intercept the request in Burp Suite and click on merge twitch account. 3. Allow twitch access and once you see a GET request in Burp...
Shopify: damage to the timeline so that comment fields cannot be displayed or not available to all members in the store
See https://a-alert-b-y000-b-finda.myshopify.com/admin/discounts/416981811222. I tried to make a discount code with a product name and a discount code like: ± ± . When I hashtag the product name in the timeline comment, I get a "server error" reply and it causes crashes to the timeline, so...
Mail.ru: [https://youdrive.today/] Nginx directory traversal
An invalid nginx configuration allowed limited path traversal in youdrive.today and leaked sensitive application data in configuration files. Nginx directory traversal via a misconfigured alias leads to disclosure of all the configuration. Exploit: https:///static../config.js...
Nord Security: Denial of Service with Cookie Bomb
Summary: This is a Denial of Service attack by using which an attacker can make a user unable to access the nordvpn.com website. For more information you can read this article: https://blog.innerht.ml/tag/cookie-bomb/ Steps To Reproduce: This will usually work on a user's fresh session for which we can...
Automattic: Follow by email allows for following by unverified emails
The initial report outlined being able to add any email to a Tumblr account without verifying it first which is expected behavior that does not pose a security risk. However, the reporter also reported that these unverified emails were able to be used in our “follow by email” feature which we did...
OWOX, Inc.: The URL in "Choose a data source'' at "https://bi.owox.com/ui/settings/connected-services/setup/" is not filtered => reflected XSS.
Hi team, this is another report alongside 732987, because it is completely independent. Detail -- In the process of selecting the data source at https://bi.owox.com/ui/settings/connected-services/setup/, I found a reflected XSS. Specifically, when you click on Google Analytics, a page will appear for y...
Ed: Domain takeover on http://doesfranshaveashell.com/ due to expiration
Summary: Hi Ed, I'm not so sure if the registrar informed you that your domain had expired, or if it will auto-renew upon reaching expiry. To be safe, I decided to inform you manually. Steps to Reproduce: So lately I noticed that http://doesfranshaveashell.com/ no longer operates. It will show some advertisements there. F57967...
Monero: Remote Daemon RPC Attack
Remote Daemon RPC Attack https://www.activism.net/cypherpunk/manifesto.html...