New Relic: Java RMI (Remote Code Execution)
Hello guys, while I was testing your site I found an interesting domain of New Relic, which is pinger-master.newrelic.com, and when I visit that domain it says it is unable to connect to the host. I quickly did an nslookup and got these results: fish@punt $ nslookup pinger-master.newrelic.com Server:...
Instacart: Authentication Bypass in Updating Personal Information
Hello Instacart, Firstly, I would like to remind you that I made this report by mail 2 days ago, Sat, 16-08-2016, before I got the invite here. Although a user is expected to input a password before updating their personal information, this is not so, as I have found that one could actually...
Urban Dictionary: Infinite Upvoting/Downvoting: Lockout Bypass, Plus: Exposed API Documentation
By sending an extra parameter kind=1 in the upvote/downvote API request, a user can vote as many times as he wants without any IP address restriction: http://api.urbandictionary.com/v0/vote?kind=1&direction=up&defid=94413 Seems harmless enough, but your site does depend on the accuracy of the...
LocalTapiola: Source Code Disclosure on out of scope domain viestinta.lahitapiola.fi
Issue The reporter had found an open .git folder on one of our out of scope domains. Fix The issue was investigated and found to be valid. The source code was removed from the public server. The source code did not contain any business critical information and customer information was never at...
jsDelivr: Pretty Photo Dom XSS
Hi Team, Javascript for http://www.jsdelivr.com/!prettyphoto hosted on the website points to 3.1.5 which is vulnerable to DOMXSS the upstream released an update 3.1.6 7 days back still the CDN is serving vulnerable edition effectively making all the websites vulnerable to DoMXSS Details about the...
Internet Bug Bounty: rsync hash collisions may allow an attacker to corrupt or modify files
The rsync algorithm synchronizes remote files in 3 steps: - The receiver divides the basis file into 700-byte blocks, performing two checksums on each block: a rolling checksum based on Adler32 and an md5 sum - The sender then scans its version of the file byte-by-byte looking for matches agains...
AWS VDP: Non-Production API Endpoints for the cloudwatch Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The vulnerability allows adversaries to silently enumerate permissions of compromised AWS credentials for the CloudWatch service without generating logs in CloudTrail. Two non-production API endpoints were identified that can be accessed with standard IAM credentials but do not log the activity...
U.S. Dept Of Defense: reflected xss [CVE-2020-3580]
The application was vulnerable to cross-site scripting XSS due to insufficient input validation. This allowed an attacker to inject malicious scripts that could be executed in the victim's browser...
Internet Bug Bounty: Proxy-Authorization header not cleared on cross-origin redirect in undici.request
The Proxy-Authorization header was not cleared on cross-origin redirects in the Undici HTTP client library. This issue was reported and patched in later versions of Undici...
Internet Bug Bounty: Usage of disabled protocol in curl
CVE-2024-2004 was a vulnerability in the usage of disabled protocols in curl. When a protocol selection parameter option disabled all protocols without adding any, the default set of protocols remained in the allowed set due to an error in the logic for removing protocols. This flaw was assessed ...
Mattermost: Uninstalling Mattermost Launcher for Windows (64-bit), then reinstalling keeps you logged in without authentication
The Mattermost Desktop App for Windows 64-bit had a vulnerability where uninstalling and then reinstalling the app would automatically log the user back in without requiring authentication, allowing unauthorized access to the user's account and data. The uninstall process did not remove session...
Nextcloud: [nextcloud/server] Moment.js vulnerable to Inefficient Regular Expression Complexity
Describe the bugs: 🐛 moment is a lightweight JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the preprocessRFC2822 function in from-string.js, when processing a...
Node.js: CVE-2022-32213 bypass via obs-fold mechanic
Summary The fix for CVE-2022-32213 can be bypassed using an obs-fold, which Node's http parser supports. Proof-Of-Concept const http = require'http'; http.createServerrequest, response = let body = ; request.on'error', err = response.end"error while reading body: " + err .on'data', chunk =...
HackerOne: June 2022 Incident Report
Intro Since the founding of HackerOne, we have kept a steadfast commitment to disclosing security incidents because we believe that sharing security information far and wide is essential to building a safer internet. HackerOne's culture is to disclose more often, and in more detail than the rest ...
Internet Bug Bounty: CVE-2022-32207: Unpreserved file permissions
When curl saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally widen the permissions for the target file, leaving the update...
Internet Bug Bounty: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Rust's regex crate guarantees a linear time complexity with regex length for compilation of untrusted regexes. However, existing mitigations for known malicious regexes are based on memory usage and, as such, do not mitigate repetitions of empty sub-expressions. For example, the following payload...
OneWeb: Subdomain Takeover - pmp.oneweb.net
Summary The issue happens due to using EC2 public DNS instead of using Elastic IPs as CNAME or A record. If the EC2 instance is killed or terminated and the DNS not updated this will lead to creating a dangling DNS record for the subdomain. The EC2 IP will be released to AWS IPs pool, This mean...
Reddit: S3 bucket Upload on studio.redditinc.com (s3-r-w.ap-east-1.amazonaws.com)
Greetings team, I found an S3 bucket that belongs to studio.redditinc.com and is not properly configured. bucket name:- s3-r-w.ap-east-1.amazonaws.com Bucket Source:-studio.redditinc.com Steps To reproduce:- In terminal, " dig studio.redditinc.com " will get the CNAME as d326d3e45wj426.cloudfront.net...
HackerOne: Changing the 2FA secret key and backup codes without knowing the 2FA OTP
Summary: After the setup of 2FA, disabling or editing it should require the 2FA OTP. But it can be bypassed. Steps To Reproduce: 1 Sign in to a new HackerOne account. 2 Setup 2FA; and 3 Try to disable it without knowing the OTP. You can't, you need to know the Authentication Code or Backup Code...
Acronis: license key disclosure
Summary Hi team, I found the license keys stored as clear text, I think it is important. Steps To Reproduce 1. Go to this link https://dl.acronis.com/u/pdf/workstationlicenses.txt 2. And this link https://dl.acronis.com/u/pdf/serverlicenses.txt 3. You can see all license keys Impact I think I can use th...
Zomato: SQL Injection in www.hyperpure.com
Vulnerable Request : PUT /consumer/onboarding/saleslead/6b6a8a5a-4a74-46db-b2fe-32a46f927ecc HTTP/1.1 Host: api.hyperpure.com User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:83.0 Gecko/20100101 Firefox/83.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5...
U.S. Dept Of Defense: Blind stored XSS due to insecure contact form at https://█████.mil leads to leakage of session token and
Summary: I have discovered a blind stored cross site scripting vulnerability due to an insecure Contact form available here https://███████.mil/ This form does not properly sanitize user input allowing for the insertion and submission of dangerous characters such as angle brackets. I was able to...
Nextcloud: PIN for passwordless WebAuthn is asked for but not verified
Nextcloud introduced WebAuthn passwordless authentication with version 19. As far as we understand, you assume that your implementation provides two-factor authentication: "The server asking for authentication can request verification of multiple factors, so that a configured key requires the user...
Kubernetes: Node disk DOS by writing to container /etc/hosts
Report Submission Form Summary: Pod files /etc/hosts, /etc/hostname, /etc/resolve.conf are not read-only. A normal pod running in a Kubernetes cluster can kill a host by writing data to /etc/hosts. Not only /etc/hosts, but also /etc/resolve.conf and /etc/hostname can do this. Kubernetes Version:...
Internet Bug Bounty: Null Pointer Dereference in PHP Session Upload Progress
Affected Versions ------------ Affected is all of PHP5.4/5.5/5.6 Affected is all of PHP7 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ session.c static int phpsessionrfc1867callbackunsigned int event, void eventdata, void extra / / ... switcheven...
Mail.ru: turboslim.lady.mail.ru - Blind sql-injection.
Blind time-based SQL injection in turboslim.lady.mail.ru promo page due to insecure use of a GET parameter. The vulnerability was in the GET parameter...
Mail.ru: [Web ICQ Client] XSS-inj in polls
Domain, site, application: WEB ICQ Client - https://web.icq.com/ Testing environment: Browser Firefox Steps to reproduce - Create a new poll - Put arbitrary HTML code in the answer options - Submit Actual results - The entered HTML code executes Demonstration: █████ Impact...
Shopify: XSS on product comments in transfers
Summary: You are able to copy and paste stored XSS code into the comment section of a product in the transfers tab and receive the error. Reproduce: 1. Create a product with the name '"'' 2. Add a transfer with that product 3. Now go back to the product, use the code button and type the same code...
Mail.ru: JMX RMI command injection on 195.211.131.82(Mail.ru Gaming)
Externally available Jolokia interface in Mail.Ru Gaming network allowed JMX RMI command injection. Command injection in Jolokia JMX. Reading the docs helps. A lot. Also, having good friends who can help you when you need it:...
Trint Ltd: IDOR to update folder name of other user
Summary There is an IDOR to update the folder name of another user. Steps To Reproduce: - User A logs in to the application and sees the folder name F494331 - User B logs in to the application and calls the API with the projectId of user A POST / HTTP/1.1 Host: graphql2.trint.com User-Agent: Mozilla/5.0 Windo...
Shopify: DOM XSS via Shopify.API.remoteRedirect
Hi team, after I read report 422043, I found another postMessage listener that did not correctly verify the origin, leading to DOM XSS. Using the store theme feature, which can write JS, we can modify a theme with the following payload: function attack var...
Pornhub: SSRF and local file disclosure by video upload on http://www.youporn.com/
The researcher was successful in exploiting a vulnerability in a 3rd party encoding library, resulting in the execution of SSRF attacks and Local File Disclosure...
Central Security Project: Pippo XML Entity Expansion (Billion Laughs Attack)
Maven artifact groupId: ro.pippo artifactId: pippo-jaxb version: 1.12.0 Vulnerability Vulnerability Description Pippo unsafely parses user provided XML. The fromString in the ro.pippo.jaxb.JaxbEngine class allows user provided DTDs that the rest of the XML may reference. This can lead to recursiv...
DuckDuckGo: XXE on https://duckduckgo.com
An XML External Entity (XXE) injection vulnerability was discovered in the x.js endpoint on https://duckduckgo.com via the u parameter. This was due to improper sanitization of external XML entities. The result was a leak of certain world-readable files on the system. This issue was patched. Additionall...
Zomato: [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information
Summary: Cross Origin Resource Sharing Misconfiguration | Lead to sensitive information. Description: An HTML5 cross-origin resource sharing CORS policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy ...
Mail.ru: api.icq.com / ability to view the avatar and name of a private chat
It was possible to manipulate chat ID in forward message to get meta-data chat name of private group chat...
Mail.ru: api.icq.com / no limit on sending messages when the "&r" protection parameter is removed
Researcher reported that removing the r= parameter from the request allows bypassing rate limits. This claim was not confirmed; the r= parameter protects the message from intermediate caching and prevents sending the same message twice in the case of network failure. It does not affect any rate limits, no security...
Ruby: HTTP header can split /[\r\n]/ instead of /\r\n/
https://www.ruby-lang.org/ja/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/...
Node.js third-party modules: Prototype pollution attack (mixin-deep)
As discussed in 309391, here's the separate report for each library. This one is the information for the mixin-deep library. Module: mixin-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of the...
Node.js third-party modules: [serve] Directory index of arbitrary folder available due to lack of sanitization of %2e and %2f characters in url
Hi, This report is about an Arbitrary Directory Listing vulnerability I found in the serve module. The vulnerability does not allow opening arbitrary files, because the send module, which handles file reading, implements its own validation and protection against Path Traversal attacks. However, serve handles...
Ubiquiti Inc.: Unrestricted File System Access via Twig Template Injection on dev-ucrm-billing-demo.ubnt.com
The researcher found a Local File Inclusion vulnerability; this could be exploited by using Twig templates available on the system. This vulnerability only has the potential to affect dev-ucrm-billing-demo.ubnt.com, and is limited by the restricted environment (docker), which doesn't allow any...
Duolingo: RCE in TinyCards for Android
We found and confirmed an RCE bug in TinyCards for Android. Is it in scope, and if not how do we report this security issue to DuoLingo...
Mail.ru: Unupdated ImageMagick leads to uninitialized server memory disclosure
It was possible to disclose part of the server memory from an uncontrolled location on the account.my.com project via uploaded GIF image header manipulation. account.my.com is not currently in the Bug Bounty scope; the reward was paid as a bonus due to potential severity. CVE-2017-15277...
Internet Bug Bounty: Out of Bounds Memory Read in unserialize()
The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP. This has been...
Legal Robot: Profile shows incorrect account creation date
Hi Team, I got to know that you are showing the joined time. It contains a design issue. I think that you show it once a user logs in to their account, and it should show how many minutes ago that user logged in? But I can see a design issue here, which is that whenever we refresh the page...
Internet Bug Bounty: PHP OpenSSL zif_openssl_seal() heap overflow (wild memcpy)
Description: A wild memcpy was discovered in the openssl package included in the stable PHP release. During parsing of a PEM certificate in openssl_seal, an invalid key length is produced after parsing: the eskl[0] value is -1 after the call to EVP_SealInit, subsequently causing a heap overflow via a wild memcpy...
Nextcloud: help.nextcloud.com: Known DoS condition (null pointer deref) in Nginx running
The https://help.nextcloud.com sub-site is running Nginx/1.10.0, which is vulnerable to a known issue, CVE-2016-4450, which allows a remote malformed HTTP request to cause the Nginx process to crash. DoS testing is mentioned as not requested, but if you know of an issue give it a go .. You can determine t...
Mail.ru: reflected XSS
Hello, I found a cross-site scripting vulnerability on https://touch.mail.ru This vulnerability affects /cgi-bin/passremind. Attack details Cookie input VID was set to 14svrC28zu5Q1MWh0r"prompt979663" The input is reflected inside a tag between single quotes. Request GET /cgi-bin/passremind HTTP/1.1...
X (Formerly Twitter): XSS on OAuth authorize/authenticate endpoint
Hi, I would like to report an issue where certain endpoints on twitter.com and api.twitter.com are vulnerable to XSS. Detail The redirection page after authorization/authentication does not sanitize the oauth_callback parameter. PoC 1. Go to http://innerht.ml/pocs/twitter-oauth-xss Please use IE or...
Internet Bug Bounty: Files extracted from archive may be placed outside of destination directory
https://bugs.php.net/bug.php?id=70019...