Hackerone: Most viewed

15306 matches found

Hacker One
added 2016/08/17 4:53 p.m., 64 views

Instacart: API OAuth Public Key disclosure in mobile app

Our Android/iOS app can be decompiled and the OAuth Public token can be accessed. Contrary to Instacart's summary, the API private key is also leaked, allowing anyone to use Instacart's private API without restriction. Instacart, which I have found to be great in general, ignored my additional...

AI score: 1.3
Exploits: 0

Hacker One
added 2016/04/26 12:35 p.m., 64 views

Veris: SSL/TLS BEAST ATTACK VULNERABILITY

Hello, I'm pentesting sandbox.veris.in and found that it is vulnerable to the SSL/TLS BEAST attack at port 443. PoC: Supported versions: TLSv1.0 TLSv1.1 TLSv1.2; Deflate compression: no; Supported cipher suites (ORDER IS NOT SIGNIFICANT): TLSv1.0 RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA_WITH_3DES_EDE_CBC_SHA...

AI score: 0.8
Exploits: 0

Hacker One
added 2016/04/15 9:03 p.m., 64 views

X (Formerly Twitter): [Critical] - Steal OAuth Tokens

Hi, this bug is caused by the same misconfiguration as 128119, only this time Microsoft Outlook auth is vulnerable instead of Facebook. This time I will try to be as clear as possible. After signing up on Twitter, Twitter asks users to import contacts and it only requires one authorization -...

AI score: 6.7
Exploits: 0

Hacker One
added 2016/02/18 2:55 a.m., 64 views

Informatica: [informatica.com] Blind SQL Injection

Hi guys! JSON POST parameter "docId" is vulnerable to a Blind SQL Injection attack. PoC (raw query):
POST /_vti_bin/RatingsCalculator/RatingsCalculator.asmx/CalculateRatings HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.17
Host: kb-test.informatica.com
Accept-Language:...

AI score: 8.3
Exploits: 0

Hacker One
added 2015/11/07 7:43 p.m., 64 views

Shopify: Apps can access 'channels' beta api

Hello, as documented here, an app can access the following scopes: https://docs.shopify.com/api/authentication/oauthscopes. But an app can request/get access to a lot more scopes, and some of those scopes shouldn't be accessible. PoC...

AI score: 1.3
Exploits: 0

Hacker One
added 2015/03/22 4:26 p.m., 64 views

Coinbase: Blacklist bypass on Callback URLs

In bug 47368, I was able to reach private IP addresses via the "Test Now" button of the "Callback URL" feature. Exploiting this flaw allowed me to reach the metadata server of your outbound proxy which is, AFAIK, maintained by Proximo. A comment by aianus states that callbacks are now restricted...

AI score: 6.9
Exploits: 0

Hacker One
added 2014/04/11 9:55 p.m., 64 views

Yahoo!: Bypass of the Clickjacking protection on Flickr using data URL in iframes

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

AI score: 6.7
Exploits: 0

Hacker One
added 2014/03/13 2:08 p.m., 64 views

Phabricator: OAuth Stealing Attack (New)

Hi Evan, I found a new and more dangerous way to steal Phabricator's Facebook OAuth tokens/codes. In this case, I exploited the behavior of the Phabricator OAuth dialog: if you provide a different scope in the Phabricator OAuth dialog...

AI score: 1.2
Exploits: 0

Hacker One
added 2023/12/30 10:58 a.m., 63 views

Internet Bug Bounty: Request Smuggling in Apache Tomcat (Important, CVE-2023-45648)

A vulnerability in Apache Tomcat versions 11.0.0-M1 to 11.0.0-M11, 10.1.0-M1 to 10.1.13, 9.0.0-M1 to 9.0.80, and 8.5.0 to 8.5.93 allowed HTTP request smuggling due to improper parsing of trailer headers. This could be exploited by a remote attacker to bypass security controls when Tomcat was...

CVSS: 5.3, AI score: 6.3, EPSS: 0.05848
Exploits: 2

Hacker One
added 2023/10/30 7:45 p.m., 63 views

U.S. Dept Of Defense: XSS in Cisco Endpoint

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software were found that could allow cross-site scripting attacks against a user of the affected device's web services interface. By exploiting...

CVSS: 4.3, AI score: 5.4, EPSS: 0.00521
Exploits: 1

Hacker One
added 2023/02/04 7:53 a.m., 63 views

pixiv: Stealing Users OAuth authorization code via redirect_uri

A path traversal vulnerability in the OAuth redirect_uri parameter allowed attackers to redirect authenticated users to their product page with their OAuth credentials, potentially leading to account takeover. This could occur due to the leakage of the user's authorization code via the query strin...

AI score: 7
Exploits: 0

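The pixiv report above describes the classic shape of a redirect_uri bug: the authorization server checks that the supplied URI starts with the registered one, and a `../` segment then walks the browser out of the registered path to a page the attacker controls, carrying the code in the query string. The block below is an added example (my code, not pixiv's or the reporter's) that puts the weak prefix comparison next to an exact comparison which also refuses any path a browser would rewrite before requesting it. The registered URI `https://app.example.com/oauth/callback` and the attacker paths in the test are assumptions for illustration; the report does not name pixiv's real callback.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Hypothetical registration used for this example; the report does not name
# the real callback URI.
REGISTERED_REDIRECT_URI = "https://app.example.com/oauth/callback"

# Browsers treat "%2e" (any case) as "." when resolving dot segments.
_PCT_DOT = re.compile(r"%2e", re.IGNORECASE)


def prefix_match(candidate: str, registered: str = REGISTERED_REDIRECT_URI) -> bool:
    """The weak check: anything that merely starts with the registered URI passes."""
    return candidate.startswith(registered)


def exact_match(candidate: str, registered: str = REGISTERED_REDIRECT_URI) -> bool:
    """Strict comparison: scheme, host, port, path and query must all equal the
    registration, after the only normalisation the user agent would apply too."""
    cand, reg = urlsplit(candidate), urlsplit(registered)
    if cand.fragment:
        # RFC 6749 section 3.1.2: the redirection URI must not carry a fragment.
        return False
    if cand.scheme.lower() != reg.scheme.lower():
        return False
    if cand.netloc.lower() != reg.netloc.lower():
        return False
    # Decode %2e so an encoded ".." is seen for what the browser will make of it.
    path = _PCT_DOT.sub(".", cand.path or "/")
    # A path that is not already in normal form ("..", ".", "//") would be
    # rewritten by the browser before the redirect lands, so refuse it outright.
    if posixpath.normpath(path) != path:
        return False
    if path != (reg.path or "/"):
        return False
    # The query must match the registration verbatim (normally empty).
    return cand.query == reg.query


if __name__ == "__main__":
    traversal = REGISTERED_REDIRECT_URI + "/../../users/attacker/product"
    print("prefix check accepts traversal:", prefix_match(traversal))
    print("exact check accepts traversal: ", exact_match(traversal))
```

Comparing against the registration after normalising only what the browser normalises is the point: the server must not "clean up" the attacker's URI into something acceptable, it must reject anything that is not literally the registered value.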
Hacker One
added 2023/01/13 2:47 p.m., 63 views

U.S. Dept Of Defense: Reflected XSS at ████████

A reflected cross-site scripting (XSS) vulnerability was discovered in the dochelper feature of a certain domain. An attacker could inject a crafted script into the userId parameter, which would execute when the victim user accessed the page, potentially allowing the attacker to steal the victim's...

CVSS: 6.1, AI score: 5.9, EPSS: 0.01028
Exploits: 0

Hacker One
added 2022/08/25 4:07 a.m., 63 views

GitLab: Remote Command Execution via Github import

Summary: This is very similar to https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/Remote%20Command%20Execution%20via%20Github%20import and allows arbitrary redis commands to be injected when importing a GitHub repository. When importing a GitHub repo the...

CVSS: 6.5, AI score: 0.3, EPSS: 0.77396
Exploits: 4

Hacker One
added 2022/01/20 2:31 p.m., 63 views

Internet Bug Bounty: Invalid handling of X509_verify_cert() internal errors in libssl (CVE-2021-4044)

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example, out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO...

CVSS: 5, AI score: 7.2, EPSS: 0.50099
Exploits: 0

Hacker One
added 2021/08/06 5:29 p.m., 63 views

Twitter Algorithmic Bias: Underrepresentation Bias through Twitter's Cropping Algorithm

Bounty Hunter Name: CyberQueenMeg. About You: Megan, also known as CyberQueenMeg, is a passionate rising cybersecurity professional who is interested in programming, cybersecurity, and web development. Megan is a high school senior in a rigorous computer science program at her high school where sh...

AI score: 6.8
Exploits: 0

Hacker One
added 2021/06/12 4:15 a.m., 63 views

Acronis: bypass sql injection #1109311

Hello dear support, I have found an SQL injection and bypass for this case 1109311. Tests performed:
0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z = 20.002
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z = 7.282
0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z = 0.912
0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z = 16.553
0'XOR(if(now()=sysdate(),sleep(3),0))XOR'Z =...

AI score: 0.1
Exploits: 0

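The Acronis report above is the raw form of a time-based blind SQL injection test: the same payload is sent with different `sleep(n)` values and the response times are written next to them. What makes such a list convincing is not any single slow response but that the delay tracks the requested sleep roughly one-to-one across several values, which rules out ordinary load. The block below is an added example (my code, not the reporter's tooling) that turns that reasoning into a check: it fits a line to (sleep seconds, observed seconds) pairs and accepts the endpoint as injectable only when the slope is near 1 and the fit is tight. The sample timings are the four complete measurements quoted in the report; the flat series, the fake sender and the `timed_http_sender` URL/parameter are constructed for the example and are not from the page.

```python
import re
import time
import urllib.error
import urllib.parse
import urllib.request

# Payload template as written in the report (MySQL): the inner if() sleeps
# for n seconds only when the injected expression is actually evaluated.
PAYLOAD = "0'XOR(if(now()=sysdate(),sleep({n}),0))XOR'Z"


def linear_fit(samples):
    """Least-squares fit of observed = slope * sleep + intercept over
    (sleep_seconds, observed_seconds) pairs. Returns (slope, intercept, r2)."""
    n = len(samples)
    xm = sum(x for x, _ in samples) / n
    ym = sum(y for _, y in samples) / n
    sxx = sum((x - xm) ** 2 for x, _ in samples)
    sxy = sum((x - xm) * (y - ym) for x, y in samples)
    syy = sum((y - ym) ** 2 for _, y in samples)
    if sxx == 0:
        raise ValueError("need at least two distinct sleep values")
    slope = sxy / sxx
    intercept = ym - slope * xm
    r2 = (sxy * sxy) / (sxx * syy) if syy > 0 else 0.0
    return slope, intercept, r2


def looks_time_based_injectable(samples, slope_tolerance=0.3, min_r2=0.9):
    """True when response time grows about one second per requested second of
    sleep and the points lie close to that line (so jitter alone cannot explain it)."""
    slope, _, r2 = linear_fit(samples)
    return abs(slope - 1.0) <= slope_tolerance and r2 >= min_r2


def probe(send, delays=(0, 3, 6, 15, 15)):
    """Send the payload once per delay through `send(payload) -> seconds` and
    return the (delay, observed) samples. Repeating a value catches noise."""
    return [(d, send(PAYLOAD.format(n=d))) for d in delays]


def timed_http_sender(url, param):
    """Real transport, not exercised offline: POST the payload in `param` and
    return the wall-clock time the request took. URL and parameter are
    whatever the target under test uses (assumed, not from the report)."""
    def send(payload):
        data = urllib.parse.urlencode({param: payload}).encode()
        start = time.perf_counter()
        try:
            with urllib.request.urlopen(url, data=data, timeout=60):
                pass
        except urllib.error.HTTPError:
            pass  # an error page still tells us how long the query took
        return time.perf_counter() - start
    return send


def fake_vulnerable_sender(base=0.9):
    """Constructed stand-in for a vulnerable endpoint: it reads sleep(n) out of
    the payload and reports base + n seconds without actually sleeping."""
    def send(payload):
        m = re.search(r"sleep\((\d+)\)", payload)
        return base + int(m.group(1))
    return send


# The four complete measurements quoted in the report (sleep -> seconds);
# the truncated sleep(3) line is omitted.
REPORTED_SAMPLES = [(15, 20.002), (6, 7.282), (0, 0.912), (15, 16.553)]

# Constructed timings for a back end that ignores the payload: jitter only.
FLAT_SAMPLES = [(15, 0.91), (6, 0.95), (0, 0.89), (15, 0.93)]


if __name__ == "__main__":
    print("report timings:", linear_fit(REPORTED_SAMPLES),
          looks_time_based_injectable(REPORTED_SAMPLES))
    print("flat timings:  ", linear_fit(FLAT_SAMPLES),
          looks_time_based_injectable(FLAT_SAMPLES))
```

On the report's own numbers the slope comes out around 1.17 with a baseline of roughly 0.7 s, which is the signature of a live `sleep()` plus a slow-ish endpoint; a series that stays near 0.9 s whatever the requested sleep gives a slope near 0 and is rejected. Against a real target, `probe(timed_http_sender(url, param))` produces the samples, and the repeated 15 s measurement is the one to compare against the other 15 s measurement before trusting the result.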
Hacker One
added 2021/04/03 6:52 p.m., 63 views

U.S. Dept Of Defense: CVE-2019-3403 on https://████/rest/api/2/user/picker?query=

Description: The endpoint at https://████████/rest/api/2/user/picker?query= suffers from CVE-2019-3403 due to an old version of Jira. F125281 References: https://nvd.nist.gov/vuln/detail/CVE-2019-3403 @naglinagli Impact: The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from...

CVSS: 5, AI score: 1.6, EPSS: 0.52637
Exploits: 1

Hacker One
added 2021/03/23 8:28 p.m., 63 views

GitHub Security Lab: [Java] CWE-297: Insecure LDAP endpoint configuration

This bug was reported directly to GitHub Security Lab...

AI score: 1.3
Exploits: 0

Hacker One
added 2021/02/15 6:00 p.m., 63 views

HackerOne: "Bounty splitting enabled" can disclose if public VDPs are running private VRP

Hello everyone, I hope all is safe and you're safe in this pandemic, and I hope this won't bother you like my previous submissions lol. Description: The "allows_private_disclosure" resource in team for a private team that has a public profile is shown there, which discloses that this program has a...

AI score: 0.2
Exploits: 0

Hacker One
added 2021/01/07 7:26 p.m., 63 views

Doppler VDP: User Access Control in Community Plan

Summary: Hello, I have found a logical issue in the Billing Subscription section. A given user is able to maintain the User Access Control (UAC) feature in the Community Plan. Steps To Reproduce: Set up two accounts, let's say Alice and Bob. 1. Log in using Alice's account and create a workspace with any name, sa...

AI score: 0.2
Exploits: 0

Hacker One
added 2020/08/24 2:31 p.m., 63 views

Open-Xchange: Null dereference in `cmd_denotify_operation_execute`

To reproduce, run the test suite on the following input: require "vnd.dovecot.testsuite"; require "notify"; require "envelope"; test "D Middle" { notify :options "timo@exat"; denotify :is "noot"; if not test_result_execute { test_fail "fat"; } } Output with ASAN enabled is the stack trace...

AI score: 2.1
Exploits: 0

Hacker One
added 2020/08/23 7:35 a.m., 63 views

Yelp: Clickjacking lead to remove review

Steps To Reproduce: 1. Open iframe F960017. 2. You can remove reviews from this iframe. Impact: Clickjacking leads to removing reviews...

AI score: 3.8
Exploits: 0

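Two entries in this list are clickjacking: the Yelp report just above (a review-removal action reachable inside an iframe) and the older Flickr one further up, where a JavaScript frame-busting protection was bypassed by hosting the frame in a `data:` URL. Both come down to whether the framed page tells the browser, in headers, who may embed it; script-based protection is what the `data:` trick defeats, header-based protection is not. The block below is an added example (my code, not Yelp's, Flickr's or either reporter's) that evaluates a response's `X-Frame-Options` and CSP `frame-ancestors` the way a browser does: CSP wins when present, `SAMEORIGIN` compares (scheme, host, port), an opaque parent such as a `data:` document never matches, and unrecognised `X-Frame-Options` values give no protection. The origins and header values in the test are constructed.

```python
from urllib.parse import urlsplit

_DEFAULT_PORT = {"http": 80, "https": 443}


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of response headers."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _origin_parts(origin):
    """'https://host[:port]' -> (scheme, host, port); None for opaque origins
    such as a data: document or the literal 'null'."""
    p = urlsplit(origin)
    if not p.scheme or not p.hostname:
        return None
    scheme = p.scheme.lower()
    return scheme, p.hostname.lower(), p.port or _DEFAULT_PORT.get(scheme)


def _source_matches(token, page, parent):
    """One CSP source expression against the parent origin (simplified
    scheme-source / host-source matching from CSP level 3)."""
    t = token.lower()
    if t == "'none'":
        return False
    if t == "'self'":
        return parent == page
    if t == "*":
        return True
    if t.endswith(":") and "/" not in t:          # scheme-source, e.g. "https:"
        return parent[0] == t[:-1]
    if "://" in t:
        scheme, _, hostport = t.partition("://")
        if parent[0] != scheme:
            return False
    else:
        hostport = t
        # Without a scheme the parent must use the page's scheme, or https
        # when the page itself is plain http.
        if parent[0] != page[0] and not (page[0] == "http" and parent[0] == "https"):
            return False
    hostport = hostport.split("/", 1)[0]          # drop any path-part
    host, _, port = hostport.partition(":")
    if port and port != "*" and port != str(parent[2]):
        return False
    if host.startswith("*."):
        return parent[1].endswith(host[1:])       # at least one extra label
    return parent[1] == host


def _csp_frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_allowed(headers, page_origin, parent_origin):
    """True if a page at page_origin served with these headers may be framed by
    a document at parent_origin. frame-ancestors overrides X-Frame-Options."""
    page = _origin_parts(page_origin)
    parent = _origin_parts(parent_origin)
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            if parent is None:
                return False                      # opaque parent never matches
            return any(_source_matches(s, page, parent) for s in sources)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return False
        if value == "SAMEORIGIN":
            return parent is not None and parent == page
        # ALLOW-FROM and typos are ignored by current browsers: no protection.
    return True
```

The check is useful in two directions: run over a crawl of state-changing pages it flags the ones with no framing policy at all (the Yelp case), and run with an opaque parent it shows why a `data:` host page cannot defeat a header-based policy while it can defeat a `top.location` script.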
Hacker One
added 2020/07/29 1:05 p.m., 64 views

MTN Group: [mtn.com.af] Multiple vulnerabilities allow to Application level DoS

Issue Description: Unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files from wp-includes/script-loader.php to construct a series of requests to load every file many times. The vulnerability is registered as CVE-2018-6389 76172...

CVSS: 5, EPSS: 0.73098
Exploits: 11

Hacker One
added 2020/05/20 1:47 p.m., 63 views

GitLab: Full Read SSRF on Gitlab's Internal Grafana

Apparently, Grafana is bundled with Gitlab by default. So the grafana instance that is accessible via /-/grafana/ is vulnerable to the SSRF outlined below. Summary: By chaining together some redirects and a URL decoding bug, it is possible to achieve a full-read, unauthenticated, SSRF from your...

AI score: 7.4
Exploits: 0

Hacker One
added 2020/05/03 6:50 a.m., 63 views

Helium: unpermitted user can change the device name of admin account

An invited user with only the read-only permission can change the device name in the admin account. 1. Create two accounts 'A' and 'B' in console.helium. 2. Invite account 'B' from 'A', giving the read-only permission. 3. In account 'B', try to delete the organization created by admin account 'A' and...

AI score: 2.2
Exploits: 0

Hacker One
added 2020/03/19 5:10 p.m., 63 views

Internet Bug Bounty: UrnState Heap Overflow

Summary: When handling a URN Request an attacker controlled response can cause Squid to overflow a heap buffer. The buffer exists within a struct, so not only does it allow an attacker to overflow adjacent memory, but also control a pointer that follows the buffer, enabling them to free arbitrary...

CVSS: 7.5, AI score: 9.5, EPSS: 0.20251
Exploits: 0

Hacker One
added 2020/03/19 4:44 p.m., 63 views

Internet Bug Bounty: Cache Poisoning

Summary: An attacker can cause Squid to return to the user attacker controlled data, for any domain. From Squid-4.7 and below both HTTPS and FTP could be poisoned. This is due to Squid URL decoding parts of the Request URL and using that to create a hash. Requests that decode to the same URL will...

CVSS: 7.5, AI score: 8.6, EPSS: 0.04151
Exploits: 0

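The Squid cache poisoning summary above is a one-sentence description of a general cache-key mistake: percent-decoding the request URL before hashing it means two URLs the origin treats as different resources (because a decoded `%3F` is a literal `?` in the path, not a query separator) map to one cache entry, so whoever fetches first decides what everyone else gets. The block below is an added example (my code, not Squid's or the reporter's) that puts the decode-then-hash key beside a canonical key that decodes only unreserved characters and upper-cases the rest, and runs both through a minimal cache against a constructed origin. The hostname, paths and origin behaviour are constructed for the example.

```python
import hashlib
import re
from urllib.parse import unquote, urlsplit

_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def decoding_cache_key(url):
    """The flawed scheme: percent-decode the whole URL, then hash it. Any two
    request URLs that decode to the same string share one cache entry."""
    return hashlib.sha256(unquote(url).encode()).hexdigest()


def _canonical_percent(s):
    """Decode percent-encoded unreserved characters only, and upper-case the hex
    digits of everything else. Equivalent spellings of the same resource collapse
    to one form; reserved characters ('/', '?', '#', ...) keep their encoding."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in _UNRESERVED else "%" + m.group(1).upper()
    return _PCT.sub(fix, s)


def canonical_cache_key(url):
    """Hash a canonical form in which decoding never changes URL structure."""
    p = urlsplit(url)
    canon = "{}://{}{}".format(p.scheme.lower(), p.netloc.lower(),
                               _canonical_percent(p.path or "/"))
    if p.query:
        canon += "?" + _canonical_percent(p.query)
    return hashlib.sha256(canon.encode()).hexdigest()


class Cache:
    """Minimal forward cache: the first response stored under a key is served to
    every later request that maps to the same key."""

    def __init__(self, key_fn, origin):
        self.key_fn, self.origin, self.store = key_fn, origin, {}

    def get(self, url):
        key = self.key_fn(url)
        if key not in self.store:
            self.store[key] = self.origin(url)
        return self.store[key]


def demo_origin(url):
    """Constructed origin: the resource is identified by the raw path, so
    '/a%3Fevil=1' is a different resource from '/a' with query 'evil=1'."""
    p = urlsplit(url)
    return "resource:" + p.path + ("?" + p.query if p.query else "")


if __name__ == "__main__":
    victim = "https://www.example.com/a?evil=1"
    attacker = "https://www.example.com/a%3Fevil=1"
    weak, strict = Cache(decoding_cache_key, demo_origin), Cache(canonical_cache_key, demo_origin)
    weak.get(attacker), strict.get(attacker)          # attacker primes both caches
    print("weak cache serves victim:  ", weak.get(victim))
    print("strict cache serves victim:", strict.get(victim))
```

The same rule applies to any layer that keys on a URL (CDN, reverse proxy, application cache): the key must be built from a form in which decoding cannot merge a path with a query, a host with a path, or one segment with two.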
Hacker One
added 2020/02/04 10:31 a.m., 63 views

Visma Bug Bounty Program: Stored XSS in 'Notes'

A logged-in user can inject JavaScript code into a specifically crafted Note on a document, such as an Invoice, which will be executed when another user, logged in to the same company, edits the Note...

AI score: 1.9
Exploits: 0

Hacker One
added 2020/01/23 5:10 p.m., 63 views

Node.js third-party modules: Several simple remote code execution in pdf-image

I would like to report "A simple remote code execution" in "pdf-image". It allows "a remote attacker to execute arbitrary code when several functions of the PDFImage class are called and the class loaded from user-input value". Module: module name: pdf-image; version: latest; npm page:...

CVSS: 7.5, AI score: 0.3, EPSS: 0.01994
Exploits: 1

Hacker One
added 2019/08/27 11:07 p.m., 63 views

X (Formerly Twitter): XSS and Open Redirect on MoPub Login

Summary: I found an open redirect at the MoPub login page, https://app.mopub.com/login?next=https://google.com. It also allows javascript URIs, leading to XSS. Description: You can modify the "next" URL parameter to redirect to any website upon logging in on MoPub. Steps To Reproduce: 1. Take this...

AI score: 6.1
Exploits: 0

Hacker One
added 2019/07/12 11:31 a.m., 63 views

Node.js third-party modules: Yarn transfers npm credentials over unencrypted http connection

Module: module name: yarn; version: 1.16.0; npm page: https://www.npmjs.com/package/yarn. Module Description: Fast, reliable, and secure dependency management. Module Stats (Replace stats below with numbers from npm's module page): 166 703 downloads in the last day; 849 928 downloads in the last week; 3 7...

CVSS: 4.3, AI score: 1.1, EPSS: 0.00668
Exploits: 1

Hacker One
added 2019/07/03 7:21 p.m., 63 views

U.S. Dept Of Defense: Remote OS command Execution in the 3 more Oracle Weblogic on the ████████, ████, ███████ [CVE-2017-10352]

Description: Hello. I was able to identify 3 more RCE vulnerabilities due to the outdated Oracle Weblogic instance on the █████████, ███, █████. After my previous discoveries I decided to dig deeper into the ███.mil scope/IP space and found other instances of vulnerable Oracle WebLogic. I decided t...

CVSS: 7.5, AI score: 0.5, EPSS: 0.05691
Exploits: 0

Hacker One
added 2019/05/02 9:35 p.m., 63 views

ownCloud: Remote Code Execution through Deserialization Attack in OwnBackup app.

I found a deserialization vulnerability in the OwnBackup app; this vulnerability allows executing remote code on the server. An administrator user could install the vulnerable app, or take advantage of this vulnerability if the OwnBackup application is installed. Below are the steps to properly...

AI score: 1
Exploits: 0

Hacker One
added 2019/04/05 10:45 a.m., 63 views

Shopify: STAFF member with NO Explicit permissions can view `ActivityFeed` via GraphQL

Hi, this is similar to 95589. I noticed that ActivityFeeds are now being fetched by a GraphQL call on Shopify. But from my testing, I noticed that a STAFF member with NO EXPLICIT permissions can fetch the store's activity feed by calling the vulnerable endpoint. STEPS: 1. STAFF member is not assigned any...

AI score: 0.9
Exploits: 0

Hacker One
added 2019/03/13 12:29 a.m., 63 views

Valve: Vulnerability in GoldSource Engine allows to upload and run an arbitrary DLL on client

Introduction: Greetings. In the GoldSource Engine there is a vulnerability that allows running an arbitrary DLL on the client, using flaws in the file downloading system. Description: Part of the problem is hidden in the CL_BatchResourceRequest function. This is a client function that is responsible...

AI score: 7.3
Exploits: 0

Hacker One
added 2018/09/20 5:04 p.m., 63 views

Chaturbate: Blind SSRF at https://chaturbate.com/notifications/update_push/

In the application at https://chaturbate.com/notifications/update_push/ there is functionality to subscribe to any cam model, which will trigger the provided request. Using this request an attacker can execute an SSRF attack and also steal sensitive tokens/keys of the internal web server. Steps to...

AI score: 0.2
Exploits: 0

Hacker One
added 2018/07/10 1:14 p.m., 63 views

Starbucks: svcardproxydevus.starbucks.com Subdomain take over

You have left a DNS record pointing to a dead cloudapp VM. svcardproxydevus.starbucks.com -> s00307ntmp0svcardproxydev0.trafficmanager.net -> s00307dpipsvcardproxy00.eastus.cloudapp.azure.com = Dead. Impact: 1. Attacker takes over the subdomain and then puts something like porn or something that shouldn't...

AI score: 0.3
Exploits: 0

Hacker One
added 2018/06/26 3:01 a.m., 63 views

Internet Bug Bounty: CVE-2018-12882: heap-use-after-free in PHP 7.2 through 7.2.6, possible 7.2.7

exif_read_data in PHP 7.2 through 7.2.6 and possibly 7.2.7 is vulnerable to a heap use after free when fed a specially crafted JPEG. Any online service that uses PHP 7.2 and reads EXIF data from uploaded JPEGs is potentially vulnerable to this flaw. USE_ZEND_ALLOC=0 ./php-e147eb2 -r...

CVSS: 7.5, AI score: 9.6, EPSS: 0.06618
Exploits: 0

Hacker One
added 2018/05/13 12:57 a.m., 63 views

Valve: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution

A malformed .BSP can trigger an Access Violation in CS:GO that can lead to arbitrary code execution on a remote computer. I have attached a copy of the malformed .BSP which reliably triggers an Access Violation in CS:GO. Impact: An attacker hosting a malicious server could compromise a remote clie...

AI score: 4
Exploits: 0

Hacker One
added 2018/04/09 11:07 p.m., 63 views

Roblox: Subdomain Takeover to Authentication bypass

Vulnerability Type: Subdomain Takeover. Description: Due to an unclaimed or expired Hubspot instance, an attacker is able to claim and serve content from devrel.roblox.com and perform different kinds of attacks which I shared in the impact section. Affected Area:...

AI score: 6.9
Exploits: 0

Hacker One
added 2018/02/10 6:54 p.m., 63 views

Reverb.com: Full account takeover

Hello Team, I got a security issue in the Reverb iOS application which allows an attacker to hack all users' accounts. Since the iOS application is not in scope but still I am reporting this, because this vulnerability may compromise all users' accounts. Please resolve this quickly. Description: Reverb iOS...

AI score: 1.8
Exploits: 0

Hacker One
added 2018/01/25 7:45 p.m., 63 views

Node.js third-party modules: [angular-http-server] Path Traversal in angular-http-server.js allows to read arbitrary file from the remote server

Hi Guys, angular-http-server (https://www.npmjs.com/package/angular-http-server) contains a Path Traversal vulnerability, which allows a malicious user to read the content of any file with a known path. Module: A very simple application server designed for Single Page App (SPA) developers...

CVSS: 4, AI score: 0.4, EPSS: 0.01474
Exploits: 1

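The angular-http-server entry above is the standard static-server traversal: a request path is joined onto the document root and opened, so `..` segments (literal or percent-encoded) reach files outside the root. The usual fix is to resolve the joined path to its real location and refuse anything that does not stay under the root, which also catches a symlink planted inside the root. The block below is an added example in Python (my code, not the Node module's, and not the reporter's proof of concept) showing the vulnerable shape beside the contained version; the directory layout, file names and contents are constructed in a temporary directory by `build_demo_tree()` so it runs offline.

```python
import os
import tempfile
from urllib.parse import unquote


def _request_to_relative(request_path):
    """Drop the query string, percent-decode, and strip the leading '/' so a
    later os.path.join cannot be hijacked by an absolute path."""
    return unquote(request_path.split("?", 1)[0]).lstrip("/")


def resolve_static(root, request_path):
    """Map a URL path onto a regular file under `root`, or return None if the
    request would escape the root via '..', encoded dots, or a symlink."""
    root = os.path.realpath(root)
    candidate = os.path.join(root, _request_to_relative(request_path))
    # realpath collapses '..' and follows symlinks before the containment test.
    resolved = os.path.realpath(candidate)
    if os.path.commonpath([root, resolved]) != root:
        return None
    return resolved if os.path.isfile(resolved) else None


def safe_read(root, request_path):
    """Contents of the requested file, or None when it is refused or absent."""
    path = resolve_static(root, request_path)
    if path is None:
        return None
    with open(path) as f:
        return f.read()


def naive_read(root, request_path):
    """The vulnerable shape: join the request onto the root and open it, with no
    check that the result is still inside the root."""
    path = os.path.join(root, _request_to_relative(request_path))
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def build_demo_tree():
    """Constructed layout: <tmp>/www/index.html is the only file meant to be
    served, <tmp>/secret.txt sits outside the root, and <tmp>/www/leak is a
    symlink to it when the platform allows. Returns (root, secret, has_symlink)."""
    base = tempfile.mkdtemp(prefix="static-demo-")
    root = os.path.join(base, "www")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("top secret")
    has_symlink = True
    try:
        os.symlink(secret, os.path.join(root, "leak"))
    except (OSError, NotImplementedError, AttributeError):
        has_symlink = False
    return root, secret, has_symlink


if __name__ == "__main__":
    root, secret, has_symlink = build_demo_tree()
    for req in ("/index.html", "/../secret.txt", "/%2e%2e/secret.txt", "/leak"):
        print(req, "naive:", naive_read(root, req), "| safe:", safe_read(root, req))
```

Decoding before the join matters as much as the containment test: a server that checks the raw request for `..` but decodes afterwards is still open to `%2e%2e`, and one that neither decodes nor resolves symlinks will pass a `leak -> ../secret.txt` link that an uploader managed to create.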
Hacker One
added 2017/08/28 3:38 p.m., 63 views

Legal Robot: Coding error !

Here this is my mail id: [email protected] and pass: [email protected]. I am able to set the password the same as the Gmail address, but can't log in; this was the issue here...

AI score: 1.4
Exploits: 0

Hacker One
added 2017/05/27 9:46 a.m., 63 views

Cuvva: Missing Rate limiting on https://underwriter.partner.cuvva.com/login

Duplicate of 231380...

AI score: 6.9
Exploits: 0

Hacker One
added 2017/04/19 10:30 a.m., 63 views

Homebrew: Stack Trace on jenkins.brew.sh

221833 is not fully patched. Kindly take a look at https://jenkins.brew.sh/j_acegi_security_check; stack traces are still visible. Let me know if any further info is required. Best Regards, MrR3boot...

AI score: 1
Exploits: 0

Hacker One
added 2017/01/24 12:02 p.m., 63 views

Boozt Fashion AB: Email spoofing at booztlet.com

Hello: There is an Email Spoofing vulnerability. Steps to reproduce: 1. Go to http://emkei.cz/ 2. Fill the "From Email" field with [email protected] or any other booztlet email. 3. Fill the victim's address (your address) into the "TO" field and fill in other details as you wish. You will receive email fro...

AI score: 6.8
Exploits: 0

Hacker One
added 2016/08/27 2:05 a.m., 63 views

Dropbox: XSS in OAuth Redirect Url

Hello guys, I found an XSS vulnerability in the OAuth Redirect Url parameter. So, deep into the bug: Go to https://www.dropbox.com/developers/ and create an application. In Redirect URIs, if you try to add javascript:alert(1) it will tell you that the javascript protocol is not accepted. But if you try to...

AI score: 6
Exploits: 0

Hacker One
added 2016/07/26 4:12 p.m., 63 views

Uber: Blind OOB XXE At "http://ubermovement.com/"

Test Summary: POST data was set to &dtgmlf6ent; An HTTP request was initiated for the domain http://122.180.248.81/, which indicates that this script is vulnerable to XXE injection. NOTE: As it was a Blind XXE test, I was successful in a ping test for XXE but unable to retrieve any sensitive...

AI score: 0.4
Exploits: 0

Hacker One
added 2016/02/24 11:00 p.m., 63 views

Coinbase: XSSI (Cross Site Script Inclusion)

Hi, https://www.coinbase.com/pusher/auth returns a sensitive JSON auth-token response that can be parsed by JavaScript (JSON.parse) from an external site. This can easily be mitigated by putting // or // chars at the beginning of the JSON response and thus making functions like JSON.parse unable to ge...

AI score: 6.7
Exploits: 0

Hacker One
added 2015/05/13 12:00 a.m., 63 views

Internet Bug Bounty: Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow)

https://bugs.php.net/bug.php?id=69545...

CVSS: 7.5, AI score: 9, EPSS: 0.16512
Exploits: 1

Total number of security vulnerabilities: 5000