15365 matches found
Chaturbate: Open redirect on chaturbate.com (tipping/purchase_success)
Hi, I would like to report an open redirect issue on https://chaturbate.com/ Description An attacker can redirect a user to any external website using the parameter prejoindata; this parameter seems to lack sanitization. Steps to Reproduce Visit the following url:...
Vanilla: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical)
Summary: An unauthenticated attacker can inject a serialized payload into a phar archive and trigger read access to it via an unprotected getimagesize. The attacker can leverage this to deserialize untrusted data and gain remote code execution. Notes: - THIS BUG IS UNAUTHENTICATED, however you...
Shopify: Potential SSRF and disclosure of sensitive site on *shopifycloud.com
Note: I am reporting this after talking with @shopify-peteryaworski Summary There is a staging/testing site for payment cancellations and refunds at shopifycloud.com. This site allows sending POST requests and fetching the response back to the user. This leads to SSRF because it allows fetching...
Node.js third-party modules: Prototype pollution attack (mixin-deep)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the mixin-deep library. Module: mixin-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of the...
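The flaw class the mixin-deep report describes, as an added example that is not the report's or the library's code: a minimal recursive merge that walks into whatever key the attacker supplies (so a `"__proto__"` key parsed from JSON lands on `Object.prototype`), beside a hardened merge that refuses prototype-reaching keys and only recurses into own properties. The attacker JSON and the `isAdmin` probe are constructed for the demonstration.

```javascript
// Added example: deep-merge prototype pollution (vulnerable pattern vs hardened), not mixin-deep's code.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: recurses into target[key] for any key in source, including "__proto__".
// On a plain object, target["__proto__"] is Object.prototype, so the nested merge
// writes attacker-chosen properties onto every object in the process.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(target[key]) && isPlainObject(source[key])) {
      mergeVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys that reach the prototype chain instead of the object itself.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skip blocked keys and only reuse an existing slot when it is an OWN
// plain-object property; otherwise start from a null-prototype object.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const dst = hasOwn && isPlainObject(target[key]) ? target[key] : Object.create(null);
      target[key] = mergeSafe(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed attacker input, shaped like a JSON request body after JSON.parse
// (JSON.parse creates an own, enumerable property literally named "__proto__").
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

// Merge the attacker input into an empty object with the given merge function and
// report whether an unrelated object created afterwards inherited "isAdmin".
function demo(mergeFn) {
  const target = {};
  mergeFn(target, JSON.parse(ATTACKER_JSON));
  const probe = {};
  const polluted = probe.isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so later checks stay meaningful
  return polluted;
}
```

The hardened version also uses `Object.keys` rather than `for...in`, so inherited properties on the source never drive the walk; the blocklist alone is not enough if the loop can also pick up `constructor.prototype` through a function-valued slot, which is why the own-property check matters as well.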
Snapchat: Subdomain Takeover via Unclaimed WordPress site
@ysx found a bitstripsforschools CNAME entry pointing to an unclaimed WordPress domain, which could be taken over by an external party. The CNAME entry was for a product that is no longer active. An unclaimed WordPress domain mapping upgrade could be leveraged to assume the...
Legal Robot: Bypass email verification when register new account
Hi Legalrobot, I have found a way to ignore "Activate your account" in my mailbox. Here is my new account: [email protected] and the activation link: https://app.legalrobot-uat.com/email-verify?v=1Y5wiWwcvGcxznjlUsO-TuyEZgFpVbxMmQdfpEKrVTp I never clicked on that link and I can still log in at...
Legal Robot: Improper validation of parameters while creating issues
Heya LegalRobot Team, There is some Improper Access Control on the /Issues/insert endpoint, which leads to three notable vulnerabilities. ----- The first allows attackers to create public issues without undergoing review by setting state: "Open" and public: true. A sample request is given below:...
Internet Bug Bounty: PHP WDDX Deserialization Heap OOB Read in timelib_meridian()
Description: While deserializing an invalid dateTime value, wddx_deserialize would result in a heap out-of-bounds read in timelib_meridian. As wddx_deserialize is exposed to network data, and sometimes echoes the results back to the client, this issue could potentially allow remote peeking of the process...
WakaTime: Running 2 accounts with a single email
Hi, While testing, I found a logic flaw which let me create two accounts with a single email. Reproduction Steps 1. Create one account with [email protected] 2. Another with [email protected] or [email protected] etc. 3. Emails for both accounts will arrive at [email protected]. Fix: Don't allow "+" in emails. Thank...
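The duplicate-account check the WakaTime report asks for, as an added example that is not the report's or WakaTime's code. Rather than rejecting "+" outright, it canonicalizes the address (drops the "+tag" sub-address, lower-cases the domain, and, as an assumption that most providers are case-insensitive on the local part, lower-cases that too) and keys the account store on the canonical form. The addresses and the in-memory `Set` store are constructed for the example.

```javascript
// Added example: canonicalizing plus-addressed emails so one mailbox maps to one account.

// Reduce an address to the mailbox it actually delivers to.
// Assumptions: "+tag" is a sub-address alias (RFC 5233 style, as Gmail and many
// providers treat it) and the local part is case-insensitive at the provider.
function canonicalizeEmail(address) {
  const trimmed = address.trim();
  const at = trimmed.lastIndexOf('@');
  if (at <= 0 || at === trimmed.length - 1) throw new Error(`invalid address: ${address}`);
  let local = trimmed.slice(0, at);
  const domain = trimmed.slice(at + 1).toLowerCase();
  const plus = local.indexOf('+');
  if (plus !== -1) local = local.slice(0, plus); // "user+anything" -> "user"
  if (local.length === 0) throw new Error(`empty local part: ${address}`);
  return `${local.toLowerCase()}@${domain}`;
}

function sameMailbox(a, b) {
  return canonicalizeEmail(a) === canonicalizeEmail(b);
}

// Registration against a store keyed by canonical address. The display address
// (with its tag) can still be kept on the account; only uniqueness uses the key.
function registerAccount(store, address) {
  const key = canonicalizeEmail(address);
  if (store.has(key)) return { ok: false, reason: 'mailbox already registered', canonical: key };
  store.add(key);
  return { ok: true, canonical: key };
}

// Constructed walk-through of the report's steps 1-3.
function demoDuplicateRegistration() {
  const store = new Set();
  const first = registerAccount(store, 'user@example.com');
  const second = registerAccount(store, 'user+alt@example.com');
  const third = registerAccount(store, 'User+Another@Example.COM');
  return { first: first.ok, second: second.ok, third: third.ok, size: store.size };
}
```

Keeping the canonical key separate from the stored display address also covers the email-verification flow: the verification token should be issued for the mailbox, so a second "+tag" registration cannot obtain its own token for an address that is already verified.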
Shopify: Stored XSS in *.myshopify.com
Hello, First of all I noticed that this is out of scope: "Any issue related to the storefront area being displayed in a element in the admin area, for example in the Theme Editor." This is not in the storefront and this will be set in an XSS payload. 1. Go to https://YOUR...
Internet Bug Bounty: Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)
This issue is very similar to CVE-2016-6307. The underlying defect is different but the security analysis and impacts are the same except that it impacts DTLS. A DTLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16 MB in length. Message...
Rockstar Games: Login form on non-HTTPS page
Summary: ======= A page on a microsite is not fully protected by an SSL certificate. This could allow an attacker in a Man-in-the-Middle position to obtain usernames and passwords of users visiting the site. Description: ======= On the Red Dead Redemption subpage, the comments section on news...
Alvosec: Alvocrypt uses a cryptographically insecure PRNG.
Dear Alvosec bug bounty team, Summary --- A PRNG is an algorithm used to produce random-looking numbers with certain desirable statistical properties. In order for a PRNG to be cryptographically secure it must be resistant to prediction. The generatepass function in Alvocrypt currently uses...
Vimeo: Disclosure of sensitive information through Google Cloud Storage bucket
An insecure bucket was discovered on the GCP platform that had some debug information in it. Steps were taken to secure the bucket and its contents...
Internet Bug Bounty: CVE-2016-7418 PHP Out-Of-Bounds Read in php_wddx_push_element
CVE-2016-7418 PHP Out-Of-Bounds Read in php_wddx_push_element 1. Affected Version + PHP 7.0.10 + PHP 5.6.25 2. Credit This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB. 3. Testing Environments + OS: Ubuntu + PHP: 7.0.10 + Compiler: Clang + CFLAGS: -g -O0 -fsanitize=address 4. PoC...
New Relic: Java RMI (Remote Code Execution)
Hello guys, while I was testing your site I found an interesting domain of New Relic, pinger-master.newrelic.com, and when I visit that domain it says unable to connect with the host, so I quickly did an nslookup and got these results: fish@punt $ nslookup pinger-master.newrelic.com Server:...
Uber: Authentication Issue for easter egg on bonjour.uber.com
This is probably OK, almost definitely just informative, but I thought I would throw it out here anyway: bonjour.uber.com hosts an easter egg; view source and scroll down, where the passcode is insecurely stored as a JavaScript variable. The source for the easter egg is: html //error easter egg -...
Gratipay: Prevent content spoofing on /~username/emails/verify.html
Hi, When a user adds their email, a verification link is sent to that email. The link looks like this: https://gratipay.com/exampleuser/emails/verify.html?email=example%40gmail.com&nonce=cb2487f6-61cf-4a8a-81af-c8fab6fe0f90 The link has three changeable things. 1. Username ex: exampleuser ...
Ubiquiti Inc.: Subdomain Takeover in http://assets.goubiquiti.com/
Hi there, it's an urgent issue about your subdomain http://assets.goubiquiti.com pointing to AWS S3 but no such website configuration is made. This unused subdomain can be claimed by anyone and fully taken over. An attacker can fully take over this subdomain and do whatever he wants. This can cause huge...
Internet Bug Bounty: Multiple Use After Free Vulnerabilites in unserialize()
https://bugs.php.net/bug.php?id=70166 https://bugs.php.net/bug.php?id=70168 https://bugs.php.net/bug.php?id=70169...
Internet Bug Bounty: rsync hash collisions may allow an attacker to corrupt or modify files
The rsync algorithm synchronizes remote files in 3 steps: - The receiver divides the basis file into 700-byte blocks, performing two checksums on each block: a rolling checksum based on Adler32 and an MD5 sum - The sender then scans its version of the file byte-by-byte looking for matches agains...
Internet Bug Bounty: Proxy-Authorization header not cleared on cross-origin redirect in undici.request
The Proxy-Authorization header was not cleared on cross-origin redirects in the Undici HTTP client library. This issue was reported and patched in later versions of Undici...
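The redirect-handling rule the undici report is about, as an added example that is not undici's code: given the URL a request was sent to, the `Location` value that came back, and the request headers, decide which headers may be forwarded to the new target. Credential-bearing headers (the set below is an assumption modelled on what HTTP clients strip; `Proxy-Authorization` is the one the report covers) are dropped whenever the scheme or host:port changes. The URLs and header values are constructed.

```javascript
// Added example: stripping credential headers on cross-origin redirects (not undici's implementation).

// Headers that must not follow a redirect to a different origin. Assumed set:
// the report concerns Proxy-Authorization; Authorization, Cookie and Host are the
// other usual members.
const SENSITIVE_ON_CROSS_ORIGIN = new Set(['authorization', 'proxy-authorization', 'cookie', 'host']);

// Two URLs share an origin when scheme and host:port match (URL.host includes a
// non-default port, so http://a:8080 and http://a are different origins here).
function sameOrigin(a, b) {
  const u = new URL(a);
  const v = new URL(b);
  return u.protocol === v.protocol && u.host === v.host;
}

// Compute the next request's URL and the headers that survive the redirect.
// `location` may be relative; it is resolved against the URL that was redirected.
function headersForRedirect(fromUrl, location, headers) {
  const target = new URL(location, fromUrl);
  const crossOrigin = !sameOrigin(fromUrl, target.href);
  const forwarded = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (crossOrigin && SENSITIVE_ON_CROSS_ORIGIN.has(lower)) {
      dropped.push(lower);
      continue;
    }
    forwarded[lower] = value;
  }
  return { url: target.href, crossOrigin, headers: forwarded, dropped };
}
```

A client that forgets one header from this set leaks it to whoever controls the redirect target; checking the decision once, in a function like this, is easier to test than scattering per-header conditions through the redirect loop.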
curl: CVE-2024-0853: OCSP verification bypass with TLS session reuse
A vulnerability was identified in cURL version 8.5.0 that allowed revoked certificates to be accepted when reusing a TLS session. The issue was caused by a correction that inadvertently skipped OCSP stapling verification during TLS session reuse. This allowed revoked certificates to be accepted i...
Valve: Web API key registration allows registering multiple keys by reusing `request_id`
A vulnerability was found in the Steam API key registration process that allowed multiple API keys to be registered for an account by reusing the request ID. The issue was fixed by updating the request ID after successful confirmation. Accounts with multiple keys were corrected...
KAYAK: 1 click Account takeover via deeplink in [com.kayak.android]
Vulnerability description not provided...
GitHub Security Lab: ihsinme: Add query for CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint on ████████
Description: Hi, While going through the testing of DoD assets, I came across a subdomain that is vulnerable to CVE-2020-14179. Some of the internal fields that are exposed are Project, Status, Limits, Creator, Query, Created Date, Updated Date, Resolution Date, etc. References...
DuckDuckGo: Reflected/Stored XSS on duckduckgo.com
Hi DuckDuckGo, While browsing normally since I use DuckDuckGo on a daily basis, I discovered an interesting stored XSS on the duckduckgo main search engine. A payload that somebody had left on urbandictionary.com had triggered an HTML injection, and a stored XSS as a result. Steps to Reproduce 1...
HackerOne: HackerOne Jira integration plugin Leaked JWT to unauthorized jira users
Summary: HackerOne provides an application tool HackerOne for Jira, an application that allows programs to track security issues through a jira instance. After testing the integration feature in the application, it was found that the application leads to the leakage of the JWT to unauthorized...
Concrete CMS: Authenticated path traversal to RCE
Description The bFilename parameter in the scenario index.php/ccm/system/dialogs/block/design/submit is vulnerable to remote code execution via a path traversal vulnerability. An authenticated attacker with rights to edit web application pages can upload a malicious PNG file containing PHP code...
Zomato: SQL Injection in www.hyperpure.com
Vulnerable Request : PUT /consumer/onboarding/saleslead/6b6a8a5a-4a74-46db-b2fe-32a46f927ecc HTTP/1.1 Host: api.hyperpure.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5...
Basecamp: Information Disclosure of Garbage Collection Cycle 'Again'
A diagnostic subdomain was still available publicly after being reported (https://hackerone.com/reports/981796) and remediated. Subsequently a researcher was able to access the subdomain. Disclosure has been limited as the report contains low-sensitivity information, but sensitive nonetheless...
Shopify: Low Privileged Staff Member Can Export Billing Charges
Details I'm not 100% sure about this because I don't have billing transactions on my account. However, from my experience of how the Shopify backend responds, I think this is a valid finding; I just need confirmation from Shopify's security team. A GraphQL mutation billingChargesExport can be used by a...
Mail.ru: Public access to Sidekiq dashboard at shopper.sbermarket.ru
Anonymous access to Sidekiq process dashboard was available on shopper.sbermarket.ru...
Mail.ru: [account.mail.ru] XSS vulnerability in the login form
User-assisted XSS in account.mail.ru due to unsafe usage of a GET parameter. I think this XSS is a good example of the fact that filtering HTML characters in input data is not always a sufficient protection measure. If we are going to disclose the vulnerability, here is a better demonstration, without my cooki...
h1-ctf: [H1-2006 2020] CTF Writeup!
The Beginning ===================== The scope of the H1-2006 CTF was .bountypay.h1ctf.com. After opening https://bountypay.h1ctf.com, I noticed that on the top left of the screen there was a dropdown with two login pages: one for Customers https://app.bountypay.h1ctf.com/ and one for Staff...
Kubernetes: DoS for client-go jsonpath func
Summary: jsonpath recursive descent causes a DoS vulnerability. kubectl, apiextensions-apiserver, cli-runtime and kubernetes depend on client-go. I think evalRecursive is the cause of this vulnerability. Function position: client-go/util/jsonpath/jsonpath.go:451 Component Version: client-go:master Steps To Reproduce: i...
Stripo Inc: XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique
XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique...
Nextcloud: SSRF on local storage of iOS mobile
The tester uploaded a text file containing the message "test ssrf" in order to prove the SSRF attack. 2. Next, the tester uploaded a common file and then manipulated the content and file extension to HTML format in order to find the application path: 3. The tester accessed that file and found the...
VK.com: Minor vulnerability in link handling
A problem with link parsing. In 2013 there was a bug that made it possible, when a user clicked Like on a post, to redirect them to a link. You had to encode any link as an HTML entity of the form & ; and after publishing, the post's markup immediately broke. Back then this seemingly harmless hole...
Valve: [CS 1.6] Map cycle abuse allows arbitrary file read/write
The CS 1.6 server has a map cycle feature - i.e. automatic map change after a specified period of time. This feature relies on data from the file specified in the mapcyclefile cvar. Any user with RCON access to the server can set this variable to an arbitrary value - no input sanitization applies. In ord...
Dropbox: Algorithmic complexity vulnerability in ZXCVBN leads to remote denial of service attack
@davidrenardy discovered that the ZXCVBN algorithm is quadratic in time complexity, which implies that the user can submit an arbitrarily long password to the library, leading to a potential denial of service attack if performed at scale. Given how ZXCVBN is used at Dropbox, we accept the Denial ...
HackerOne: Embedded submission form UUIDs can be enumerated through GraphQL node interface, exposing sensitive program details
It's possible for an attacker to enumerate embedded submission form UUIDs through HackerOne's GraphQL node interface. In normal application behavior, an embedded submission form is queried through GraphQL with a UUID. These UUIDs are random and they're not susceptible to brute force attacks...
Zomato: [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information
Summary: Cross Origin Resource Sharing Misconfiguration | Leads to sensitive information disclosure. Description: An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy ...
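The misconfiguration class the Zomato report names, as an added example that is not the report's or Zomato's code: the response-header logic that reflects whatever `Origin` a request carries (with credentials allowed, so any site can read an authenticated response), beside an exact-match allowlist. The allowlist entries and origins are constructed; the check goes slightly beyond the report by also rejecting the `null` origin and non-canonical origin strings.

```javascript
// Added example: CORS origin reflection (vulnerable) vs an exact-match allowlist (hardened).

// Constructed allowlist of origins permitted to make credentialed cross-origin calls.
const ALLOWED_ORIGINS = new Set(['https://www.example.com', 'https://app.example.com']);

// Vulnerable pattern: echo the request's Origin and allow credentials. Any page,
// on any domain, can then read responses that carry the victim's cookies.
function corsHeadersReflecting(originHeader) {
  if (!originHeader) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: only an exact allowlist entry is echoed. Parsing with URL and comparing
// .origin to the raw header rejects "null", garbage, and anything that is not a
// canonical origin (scheme://host[:port] with no path). Vary: Origin keeps shared
// caches from serving one origin's response to another.
function corsHeadersAllowlisted(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (!originHeader) return {};
  let origin;
  try {
    origin = new URL(originHeader).origin;
  } catch (e) {
    return { Vary: 'Origin' };
  }
  if (origin !== originHeader || !allowlist.has(origin)) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Run both policies over a set of constructed Origin values and report which
// ones each policy would grant credentialed access to.
function grantedOrigins(policy, origins) {
  return origins.filter((o) => policy(o)['Access-Control-Allow-Origin'] !== undefined);
}
```

Prefix and suffix matches (`startsWith('https://www.example.com')`, `endsWith('example.com')`) and regexes with unescaped dots are the usual ways an allowlist turns back into reflection; `attacker-www.example.com.evil.net` and `wwwXexample.com` are the cases to test against any pattern-based variant.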
Internet Bug Bounty: Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
This bug was reported to PHP last month and a fix was made public last week: https://bugs.php.net/bug.php?id=76423 Heap Overflow in exif_thumbnail_extract of exif.c This vulnerability can be triggered by exif_read_data on any 32-bit system. exif.c:2947: if ImageInfo->Thumbnail.offset +...
New Relic: Drupal admin takeover via install.php not being performed prior to install.
@grampae discovered an uninitialized Drupal instance running on one of our properties being hosted by a third party provider, an issue we've seen previously. To prevent this issue from surfacing again, we decommissioned the related domains and contacted the provider with details of the issue...
Node.js third-party modules: [simplehttpserver] Stored XSS in file names leads to malicious JavaScript code execution when directory listing is output in HTML
Hi Guys, simplehttpserver allows embedding HTML in file names, which in certain conditions might lead to executing malicious JavaScript. Module: 'simplehttpserver' is a simple imitation of Python's SimpleHTTPServer and intended for testing, development and debugging purposes...
Grab: Unrestricted access to https://██████.█████myteksi.net/
Hello again Grab Security Team! Following my previous research, it seems that the microservices architecture you are currently running on .█████myteksi.net is publicly exposed on another endpoint: https://█████████.█████myteksi.net. Summary: When researching and starting a new enumeration of...
Coursera: [www.coursera.org] Leaking password reset link on referrer header
Hi team, the user gets an email with a password reset link; when opening it you are redirected to the password reset page, and when clicking on external links within the reset password page the password reset token is leaked in the Referer header. Steps: 1. Open the lost password page 2. Enter your email and cli...
Internet Bug Bounty: CVE-2017-13090 wget heap smash
The retr.c:fd_read_body function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in piec...
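The parsing mistake behind CVE-2017-13090, as an added example that is not wget's code (wget's parser is C in retr.c; this is a JavaScript model of the same failure mode): a chunk-size reader built on a permissive numeric conversion, which like `strtol` accepts leading whitespace and a sign, beside a strict reader that only accepts hex digits and an optional chunk extension, with an assumed upper bound on a single chunk. A decoder using the strict reader then walks a constructed chunked body. The bound `MAX_CHUNK` and the sample bodies are constructed for the example.

```javascript
// Added example: chunk-size parsing with a strtol-like converter vs a strict grammar (not wget's code).

// Assumed upper bound for one chunk; a real client picks this from its buffer policy.
const MAX_CHUNK = 0x7fffffff;

// Permissive reader modelled on strtol(): parseInt skips leading whitespace, accepts
// a sign, and stops at the first non-hex character, so "-10\r\n" yields -16.
function chunkSizePermissive(line) {
  const n = parseInt(line, 16);
  return Number.isNaN(n) ? null : n;
}

// Strict reader: 1-8 hex digits, then an optional ";ext" chunk extension, then end of
// line. No sign, no whitespace, no overflow past MAX_CHUNK; anything else is null.
function chunkSizeStrict(line) {
  const body = line.replace(/\r?\n$/, '');
  const m = /^([0-9A-Fa-f]{1,8})(?:;.*)?$/.exec(body);
  if (!m) return null;
  const n = parseInt(m[1], 16);
  return n > MAX_CHUNK ? null : n;
}

// Decode a chunked body (as a string) with the supplied size reader. Every size is
// re-checked here as well, so a reader that returns a negative cannot drive the
// slice positions backwards or wrap into a huge read length.
function decodeChunked(body, parseSize) {
  let pos = 0;
  let out = '';
  for (;;) {
    const nl = body.indexOf('\n', pos);
    if (nl === -1) throw new Error('truncated chunk-size line');
    const sizeLine = body.slice(pos, nl + 1);
    const size = parseSize(sizeLine);
    if (size === null || !Number.isInteger(size) || size < 0 || size > MAX_CHUNK) {
      throw new Error(`bad chunk size: ${JSON.stringify(sizeLine.trim())}`);
    }
    pos = nl + 1;
    if (size === 0) return out; // last-chunk; trailers are ignored in this model
    if (pos + size > body.length) throw new Error('chunk overruns body');
    out += body.slice(pos, pos + size);
    pos += size;
    if (body.slice(pos, pos + 2) !== '\r\n') throw new Error('missing chunk terminator');
    pos += 2;
  }
}

// Convenience for callers that want a boolean instead of an exception.
function decodesCleanly(body, parseSize) {
  try {
    decodeChunked(body, parseSize);
    return true;
  } catch (e) {
    return false;
  }
}
```

The second line of defence in `decodeChunked` is the point of the wget fix: even with a correct grammar in front of it, a body-reading loop should validate the length it is about to use against the type and buffer it will use it with, because a negative converted to an unsigned size becomes a near-maximal read.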