Hackerone: Most viewed

15306 matches found

Hacker One
added 2017/10/22 3:08 a.m., 65 views

Duolingo: RCE in TinyCards for Android

We found and confirmed an RCE bug in TinyCards for Android. Is it in scope, and if not how do we report this security issue to DuoLingo...

CVSS 6.8, AI score 7.8, EPSS 0.0348
Exploits: 1
Hacker One
added 2017/10/05 12:31 p.m., 65 views

Mail.ru: Unupdated ImageMagic leads to uninitialized server memory disclosure

It was possible to disclose part of the server memory from an uncontrolled location on the account.my.com project via uploaded GIF image header manipulation. account.my.com is not currently in the Bug Bounty scope; the reward was paid as a bonus due to potential severity. CVE-2017-15277...

CVSS 4.3, AI score 7.1, EPSS 0.19193
Exploits: 4
Hacker One
added 2017/08/18 1:22 p.m., 65 views

Internet Bug Bounty: Out of Bounds Memory Read in unserialize()

The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP. This has been...

CVSS 7.5, AI score 9.1, EPSS 0.0694
Exploits: 0
Hacker One
added 2017/07/30 5:47 p.m., 65 views

Legal Robot: Profile shows incorrect account creation date

Hi Team, I got to know that you are showing the joined time; it contains a design issue. I think that you show it once a user logs in to their account, and it should show for how many minutes that user has been logged in? But I can see here a design issue, which is that whenever we refresh the page...

AI score 7.1
Exploits: 0
Hacker One
added 2017/07/12 9:52 a.m., 65 views

Internet Bug Bounty: PHP OpenSSL zif_openssl_seal() heap overflow (wild memcpy)

Description: A wild memcpy is discovered in the openssl package included in the stable PHP release. During parsing of a PEM certificate in openssl_seal, an invalid key length is produced after parsing; the eskl0 value is -1 after the call to EVP_SealInit, subsequently causing a heap overflow via a wild memcpy...

CVSS 5, AI score 9, EPSS 0.06164
Exploits: 0
Hacker One
added 2016/06/17 2:10 p.m., 65 views

Nextcloud: help.nextcloud.com: Known DoS condition (null pointer deref) in Nginx running

The https://help.nextcloud.com sub-site is running Nginx/1.10.0 which is vuln to a known issue CVE-2016-4450 which allows a remote malformed HTTP request to cause the Nginx process to crash. DoS testing is mentioned as not requested, but if you know of an issue give it a go .. You can determine t...

CVSS 5, AI score 0.4, EPSS 0.16376
Exploits: 0
Hacker One
added 2015/12/29 4:48 p.m., 65 views

Mail.ru: reflected in xss

Hello, I found a cross-site scripting vulnerability on https://touch.mail.ru. This vulnerability affects /cgi-bin/passremind. Attack details: Cookie input VID was set to 14svrC28zu5Q1MWh0r"prompt979663" The input is reflected inside a tag between single quotes. Request: GET /cgi-bin/passremind HTTP/1.1...

AI score 0.1
Exploits: 0
Hacker One
added 2015/03/02 1:07 a.m., 65 views

X (Formerly Twitter): Open Redirect leak of authenticity_token lead to full account take over.

Hey guys, URL: https://mobile.twitter.com/messages/follow?recipient=/example.com When I click 'Follow' I will send my POST request to https://example.com which contains my authenticity_token that can be used for anything like tweeting, following, sending messages, changing username, etc. It can b...

AI score 6.9
Exploits: 0
Hacker One
added 2014/04/11 4:31 a.m., 65 views

IRCCloud: "SESSION" Cookie without HttpOnly flag set

Vulnerability description This cookie does not have the HTTPOnly flag set. When a cookie is set with the HTTPOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies. This...

AI score 0.6
Exploits: 0
Hacker One
added 2024/01/24 1:17 p.m., 64 views

Publitas: CORS Misconfiguration on █████

A cross-origin resource sharing misconfiguration was found that could allow an attacker to steal sensitive user information or force unwanted actions. The misconfiguration allowed credentials and enabled CORS for external domains. A proof of concept was shown that could exploit this to exfiltrate...

AI score 6.7
Exploits: 0
Hacker One
added 2023/12/29 2:22 a.m., 64 views

curl: CVE-2024-0853: OCSP verification bypass with TLS session reuse

A vulnerability was identified in cURL version 8.5.0 that allowed revoked certificates to be accepted when reusing a TLS session. The issue was caused by a correction that inadvertently skipped OCSP stapling verification during TLS session reuse. This allowed revoked certificates to be accepted i...

CVSS 5.3, AI score 4.7, EPSS 0.01102
Exploits: 1
Hacker One
added 2023/11/24 10:36 a.m., 64 views

Internet Bug Bounty: Misconfiguration in AWS CloudFront CDN configuration makes rubygems.org serve (and cache) content from an unclaimed S3 bucket

A misconfiguration in the AWS CloudFront CDN configuration for rubygems.org caused content to be served from an unclaimed S3 bucket. This could have enabled an attacker to serve malicious content and affect availability. Artifactory instances were observed accessing files, presenting a potential...

AI score 7
Exploits: 0
Hacker One
added 2023/05/18 9:15 a.m., 64 views

Internet Bug Bounty: CVE-2023-28322: more POST-after-PUT confusion

Libcurl, a popular open-source library for transferring data over HTTPS, had a vulnerability CVE-2023-28322 that could allow an attacker to inject data or cause the application to misbehave. The vulnerability was caused by a logic flaw that could cause libcurl to use the wrong callback function...

CVSS 3.7, AI score 6.1, EPSS 0.02211
Exploits: 1
Hacker One
added 2023/04/02 1:19 a.m., 64 views

curl: CVE-2023-28320: siglongjmp race condition

A race condition vulnerability existed in libcurl's siglongjmp call when using the USE_ALARM_TIMEOUT codepath for DNS resolution. If two threads performed DNS resolving, a wrong register context could be used on the signal handler siglongjmp call if a DNS timeout occurred, resulting in a segmentation...

CVSS 5.9, AI score 5.7, EPSS 0.02658
Exploits: 1
Hacker One
added 2022/07/05 2:03 p.m., 64 views

U.S. Dept Of Defense: Unauthenticated SQL Injection at █████████ [HtUS]

Summary Hi team, I found Unauthenticated SQL Injection at ██████. Because input at the API /api/organizations/ is neither filtered nor escaped, an attacker can inject a malicious payload after a single quote ' to exploit and extract the database. Steps to Reproduce: Execute Request GET...

AI score 0.5
Exploits: 0
Hacker One
added 2022/04/26 3:45 p.m., 64 views

Reddit: Able to bypass email verification and change email to any other user email

The reporter discovered they were able to hijack invites to other ads teams by adding the extra field, email, to a request that would allow them to bypass email verification. By doing so they were able to accept invites to ads teams on behalf of others and assume the role of the invitee with thei...

Exploits: 0
Hacker One
added 2022/04/14 6:55 a.m., 64 views

HackerOne: Race condition in joining CTF group

Summary: A race condition in https://ctf.hacker101.com/group/join allows a user to join the same CTF group multiple times. The user will show up in the group member list multiple times, and affect the group statistics. Description: Interestingly a race condition in this feature was reported in...

AI score 7.3
Exploits: 0
Hacker One
added 2022/01/20 1:53 p.m., 64 views

U.S. Dept Of Defense: CVE-2020-3452 on https://█████/

Hello team, I hope you're doing well, healthy & wealthy. I found a CVE-2020-3452 path traversal and here is the explanation. A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an...

CVSS 5, AI score 1.7, EPSS 0.99992
Exploits: 24
Hacker One
added 2021/10/06 3:23 p.m., 64 views

Fastify: 1-click DOS in fastify-static via directly passing user's input to new URL() of NodeJS without try/catch

Summary: When fastify-static is mounted at root and registered with the option redirect: true (the default of the redirect option is false), the following line directly feeds the user's input, req.raw.url, to the URL API without try/catch: https://github.com/fastify/fastify-static/blob/master/index.js#L439. A remo...

CVSS 6.8, AI score 8.3, EPSS 0.00988
Exploits: 1
Hacker One
added 2021/09/14 9:27 p.m., 64 views

GitHub Security Lab: [Java]: Add XXE sinks

This bug was reported directly to GitHub Security Lab...

AI score 1.1
Exploits: 0
Hacker One
added 2021/06/26 11:42 a.m., 64 views

U.S. Dept Of Defense: XSS DUE TO CVE-2020-3580

Hello Team, During my research, I found the following host to be vulnerable to CVE 2020-3580 which is POST BASED XSS. Vulnerable URL: https://████/+CSCOE+/saml/sp/acs?tgname=a Impact Attackers can steal cookies and even takeover accounts and perform different malicious activities. System Hosts ██...

CVSS 2.6, AI score 1.6, EPSS 0.85439
Exploits: 2
Hacker One
added 2021/04/05 8:10 p.m., 64 views

U.S. Dept Of Defense: ████████ portal is open to enumeration once authenticated. Session ID's appear static. All PII available once a valid session ID is found.

Description: Once Authenticated to █████████ portal with valid credentials you can type in another members session id and you can see any service members data as if you were authenticated as them. https://█████████ I did not see if there was a way to dump all session id's, but wouldn't be too...

AI score 0.4
Exploits: 0
Hacker One
added 2021/03/14 1:38 p.m., 64 views

GitLab: RCE via unsafe inline Kramdown options when rendering certain Wiki pages

Summary When rendering wiki content with certain extensions such as .rmd, render_wiki_content will call other_markup_unsafe which will end up calling GitHub::Markup.render from the github-markup gem. Files with any extension can be uploaded by checking out the wiki with git, committing the files and...

AI score 7.5
Exploits: 0
Hacker One
added 2021/03/05 9:48 p.m., 64 views

U.S. Dept Of Defense: CSRF to Cross-site Scripting (XSS)

Hello dear support, I have found CSRF to XSS on https://██████. My payload: "; url: POST ██████████ post data answer=A"; Impact: Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session...

Exploits: 0
Hacker One
added 2021/02/10 7:29 p.m., 64 views

Automattic: Reflected XSS due to vulnerable version of sockjs

Summary: There is reflected XSS on .simperium.com. The bug exists due to a vulnerable version of sockjs library. Platforms Affected: simperium.com js.simperium.com Steps To Reproduce: 1. Visit https://simperium.com/sock/1/0/0/0/htmlfile?c=alert'XSS'// 2. You will see an alert message because of...

AI score 1.9
Exploits: 0
Hacker One
added 2021/01/23 2:19 p.m., 64 views

Snapchat: CSRF when unlocking lenses leads to lenses being forcefully installed without user interaction

Hi, The url below allows a user to unlock a particular lens. Once they have opened the URL on their phone, Snapchat opens up and prompts the user to unlock this lens. https://www.snapchat.com/unlock/?type=SNAPCODE&uuid=6ff5a565fca249a1948b1963ee2881b4&metadata=01 By changing the value of type in...

Exploits: 0
Hacker One
added 2020/11/27 1:54 p.m., 64 views

Mail.ru: unclaimed subdomain special.rkeeper.ru to takeover from tilda.cc

Domain, site, application -- http://special.rkeeper.ru/ Testing environment -- OS version, browser information, settings and prerequisites to reproduce vulnerability, testing tools used, etc. Steps to reproduce: 1. Create an account on tilda.cc 2. Create a project, then a domain will be assigned to...

AI score 7.1
Exploits: 0
Hacker One
added 2020/10/18 2:16 p.m., 64 views

OPPO: Information Disclosure at https://portal.finzfin.com/1.txt

Leaking internal network information Summary: While performing recon work on websites owned by OPPO I came up with the finzfin website, which is leaking sensitive information. Description: The above website is leaking information. This is a high severity issue and requires immediate fixation. I look...

AI score 6.6
Exploits: 0
Hacker One
added 2020/10/16 8:23 p.m., 64 views

Internet Bug Bounty: [CVE-2020-27194] Linux kernel: eBPF verifier bug in `or` binary operation tracking function leads to LPE

CVE-2020-27194 is an eBPF verifier bug that allows an unprivileged attacker to create BPF socket filter programs that can read and write out of bounds, through which an arbitrary kernel read/write can be achieved. I'm taking the root cause explanation from the patch email: Simon reported an issue...

CVSS 2.1, AI score 5.8, EPSS 0.02018
Exploits: 5
Hacker One
added 2020/08/03 3:54 p.m., 64 views

Internet Bug Bounty: Use after free vulnerability in phar_parse_zipfile

A malformed phar file with cache configuration leads to freed memory being used as a hash key when it is inserted into the hash table. More detailed information and the original report are here: https://bugs.php.net/bug.php?id=79797 and it was assigned CVE-2020-7068. Impact Through this vulnerability that inserts freed memor...

CVSS 3.3, AI score 5.2, EPSS 0.01661
Exploits: 1
Hacker One
added 2020/07/24 12:00 a.m., 64 views

TikTok: Open Redirect Vulnerability on TikTok Ads Portal

An Open Redirect vulnerability was found that could expose the user session cookie potentially allowing an attacker to obtain access to an account on the TikTok ads portal...

AI score 4
Exploits: 0
Hacker One
added 2020/02/09 11:25 p.m., 64 views

Shopify: Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO

I told Pete I would take a look at Spotify, hi Pete. Summary It's possible to take over any store account through bypassing the email confirmation step in .myshopify.com. I found a way to confirm arbitrary emails, and after confirming arbitrary email in .myshopify.com, user is able to integrate...

AI score 7.2
Exploits: 0
Hacker One
added 2020/01/30 2:19 p.m., 64 views

Semrush: Reflected XSS on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB

Researcher found reflected XSS vulnerability on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB Report: The parameter status is missing sanitization in the following url: https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB?status=xssalert//...

AI score 6.3
Exploits: 0
Hacker One
added 2019/10/25 12:14 p.m., 64 views

Nextcloud: Bypass configured 2FA provider with another provider that can be set up at login

In Nextcloud 17 there is the possibility to set up 2FA providers at login. A missing check allows the following steps: 1. Enforce 2FA for all users. 2. As a user, configure a 2FA provider via settings or at login. 3. Log out. 4. Log in again with password only. 5. When prompted with the earlier set up provider,...

CVSS 5.5, AI score 3.6, EPSS 0.00607
Exploits: 0
Hacker One
added 2019/05/22 5:19 p.m., 64 views

HackerOne: Password not checked when disabling 2FA on HackerOne

Hi, when I submitted a report to a program that requires 2FA ON, I noticed that if you try to disable this option it will ask for a backup code and password, and if you enter a random password in the request field and a correct backup code, it will successfully disable the 2FA without checking if the...

AI score 1.3
Exploits: 0
Hacker One
added 2019/05/17 4:21 p.m., 64 views

Cuvva: Clickjacking in ops.cuvva.com

Hi, Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking contr...

AI score 6.6
Exploits: 0
Hacker One
added 2019/05/04 5:48 a.m., 64 views

GitLab: Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain

Summary Hi, I found the new SCIM provisioning function allows any group owner in gitlab to create any user with verified email address. i.e. I can create user with email address [email protected], and gitlab.com will think [email protected] is verified already. This will bring problem to the clie...

CVSS 6.5, AI score 6.8, EPSS 0.01699
Exploits: 1
Hacker One
added 2019/04/29 7:23 p.m., 64 views

Automattic: Insufficient DKIM record with RSA 512-bit key used on WordPress.com

What is DomainKeys Identified Mail (DKIM)? DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message. The...

AI score 6.7
Exploits: 0
Hacker One
added 2019/04/02 6:42 p.m., 64 views

Mail.ru: SSRF

SSRF via URI injection in hou.my.com...

AI score 4.1
Exploits: 0
Hacker One
added 2018/12/14 11:42 a.m., 64 views

Grammarly: Grammarly Keyboard for Android <4.1 leaks user input through logs (except for sensitive input fields)

@homelander identified that Grammarly for Android on Android 4.1 was leaking user-entered text to device logs. Currently, Grammarly for Android doesn't support devices with platform versions less than Android 5.0...

AI score 2.9
Exploits: 0
Hacker One
added 2018/05/24 11:03 a.m., 64 views

Slack: Internal SSRF bypass using slash commands at api.slack.com

@albatraoz found a bypass to report 61312, allowing information leakage via SSRF in Slash commands. We fixed the vulnerability and performed a thorough investigation. Thanks @albatraoz!...

AI score 3.6
Exploits: 0
Hacker One
added 2018/01/12 9:42 p.m., 64 views

Internet Bug Bounty: ACME TLS-SNI-01/02 challenge vulnerable when combined with shared hosting providers

The ACME TLS-SNI-01 and TLS-SNI-02 specification made wrong assumptions about how current major cloud providers routed and validated domains. This was reported earlier this week to Let's Encrypt, and they decided to disable the method. Today Let's Encrypt decided to sunset both TLS-SNI-01 and...

AI score 6.8
Exploits: 0
Hacker One
added 2017/12/08 2:35 p.m., 64 views

Node.js third-party modules: [augustine] Static Web Server Directory Traversal via Crafted GET Request

Hi, A crafted GET request can be leveraged to traverse the directory structure of a host using the augustine web server package, and request arbitrary files outside of the specified web root. Module specification Name: augustine Version: 0.2.3 latest release build Verified conditions Test server:...

CVSS 4, AI score 6.5, EPSS 0.01217
Exploits: 1
Hacker One
added 2017/11/06 9:13 a.m., 64 views

Internet Bug Bounty: CVE-2017-13090 wget heap smash

The retr.c:fd_read_body function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in piec...

CVSS 9.3, AI score 8.3, EPSS 0.36563
Exploits: 0
Hacker One
added 2017/09/25 2:43 p.m., 64 views

Instacart: Bruteforcing password reset tokens, could lead to account takeover

Hey Instacart security team, Description: When resetting a new password on https://shoppers.instacart.com/password you will receive an email with a reset link. When clicking on this link you go to this page: https://shoppers.instacart.com/password/edit?reset_password_token=YourToken When entering a...

AI score 6.9
Exploits: 0
Hacker One
added 2017/09/01 5:06 p.m., 64 views

Rockstar Games: Stored XSS on support.rockstargames.com

In this report, the researcher demonstrated an AngularJS injection that allowed them to leave Stored XSS attacks on Support Community threads. We were able to resolve this issue and others by updating the version of AngularJS we run on the Support site...

AI score 6.6
Exploits: 0
Hacker One
added 2017/08/28 4:57 p.m., 64 views

Legal Robot: design issue exists on login page

legalrobot allows a user to set email as password, only by resetting the password or by being logged in and changing it in the profile. The password is changed successfully, but the user couldn't log in to app.legalrobot.com because JS checks email and password and states that they couldn't be the same; also not...

AI score 1.6
Exploits: 0
Hacker One
added 2017/04/25 12:25 a.m., 64 views

Weblate: Null Password - Setting a new password doesn't check for empty spaces

Hi Again! As seen your website at https://demo.weblate.org/accounts/password/ Your password can't be too similar to your other personal information. Your password must contain at least 6 characters. Your password can't be a commonly used password. Your password can't be entirely numeric. I found...

AI score 7.2
Exploits: 0
Hacker One
added 2016/12/01 8:02 p.m., 64 views

Nextcloud: Files Drop: WebDAV endpoint is leaking existence of resources

The new WebDAV endpoint implementation in 11 is leaking too much information if one executes a MKCOL or a PUT against an existing item. With Files Drop one should only be able to upload files but not leak any existence of items. Leaking existence using PUT: When doing a PUT the expectation is to...

AI score 6.9
Exploits: 0
Hacker One
added 2016/09/29 7:28 a.m., 64 views

Shopify: password less login token expiration issue

1. Log into the Shopify iOS app as Alice and grab the token. 2. Send the below request to generate the passwordless login token. The token expires after a single use, so don't use the token. Request: POST /admin/api/graphql HTTP/1.1 Host: seclearn.myshopify.com Content-Type: application/graphql...

AI score 0.1
Exploits: 0
Total number of security vulnerabilities: 5000