Valve: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution
A malformed .BSP can trigger an Access Violation on CS:GO that can lead to arbitrary code execution on a remote computer. I have attached a copy of the malformed .BSP which reliably triggers an Access Violation on CS:GO. Impact An attacker hosting a malicious server could compromise a remote clie...
ExpressionEngine: RCE By import channel field
The reporter determined that a malicious Channel Set could be used to allow an administrator to upload a PHP file that they might otherwise not have permission to upload. Combined with the temporary folder name algorithm being available in the source code, the malicious administrator could...
Rockstar Games: Stored XSS on support.rockstargames.com
In this report, the researcher demonstrated an AngularJS injection that allowed them to leave Stored XSS attacks on Support Community threads. We were able to resolve this issue and others by updating the version of AngularJS we run on the Support site...
Gratipay: Gratipay rails secret token (secret_key_base) publicly exposed in GitHub
Summary Gratipay's Rails secret token is publicly exposed on GitHub. Knowing the secret token allows an attacker to impersonate any user in the application. Thanks to EdOverflow for sharing the tips for finding security issues in GitHub projects, below is the referenced github for the analysis...
Weblate: Null Password - Setting a new password doesn't check for empty spaces
Hi Again! As seen on your website at https://demo.weblate.org/accounts/password/ Your password can't be too similar to your other personal information. Your password must contain at least 6 characters. Your password can't be a commonly used password. Your password can't be entirely numeric. I found...
Boozt Fashion AB: Email spoofing at booztlet.com
Hello: There is an Email Spoofing Vulnerability. Steps to reproduce: 1 Go to http://emkei.cz/ 2 Fill "From Email" field to [email protected] or any other booztlet email. 3 Fill the victim's address your address to "TO" field and fill in other details as you wish. You will receive email fro...
Shopify: Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181
What is Zookeeper? ==================== Zookeeper is a coordination service for distributed applications. It allows common services such as naming, synchronisation, configuration management and group services to be managed by a simple interface and it uses a data model of File System on an...
Coinbase: XSSI (Cross Site Script Inclusion)
Hi, https://www.coinbase.com/pusher/auth returns a sensitive JSON auth-token response that can be parsed by JavaScript JSON.parse from an external site. This can easily be mitigated by putting // or // chars at the beginning of the JSON response and thus making functions like JSON.parse unable to ge...
Shopify: amazon aws s3 bucket content is public :- http://shopify.com.s3.amazonaws.com/
An Amazon S3 bucket http://shopify.com.s3.amazonaws.com/ was unintentionally left with directory listing enabled. Even though the files in the bucket were all publicly accessible, it was not intended for the directory listing to be visible...
Eobot: Multiple information disclosure
This script can help hackers check leaked email bases on registration with eobot without ban and etc.. https://www.eobot.com/[email protected] email disclosure in google google dork: site:eobot.com inurl:"widget.aspx" in result we see requests with email of your users...
Yahoo!: Bypass of the Clickjacking protection on Flickr using data URL in iframes
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Phabricator: OAuth Stealing Attack (New)
Hi Evan, I found a new and more dangerous way to steal Phabricator Facebook OAuth tokens, codes. In this case, I exploited the behavior of Phabricator OAuth Dialog. If you provide a different scope in Phabricator OAuth Dialog...
curl: curl leaks destination IP via glibc getaddrinfo() UDP connect, bypassing SOCKS5/Tor
Summary: When using curl with a SOCKS5 proxy e.g. Tor on 127.0.0.1:9050, glibc getaddrinfo performs direct UDP connect probes to the target’s IP:443. These syscalls bypass the proxy and expose the user’s route to the destination, breaking anonymity expectations. The IPs I got in my case:...
Internet Bug Bounty: Request Smuggling in Apache Tomcat (Important, CVE-2023-45648)
A vulnerability in Apache Tomcat versions 11.0.0-M1 to 11.0.0-M11, 10.1.0-M1 to 10.1.13, 9.0.0-M1 to 9.0.80, and 8.5.0 to 8.5.93 allowed HTTP request smuggling due to improper parsing of trailer headers. This could be exploited by a remote attacker to bypass security controls when Tomcat was...
Bitwarden: Biometric key is stored in Windows Credential Manager, accessible to other local unprivileged processes
A vulnerability in Bitwarden Desktop for Windows allowed a local attacker to access the biometric master key used for unlocking the vault through Windows Hello. The key was stored in plaintext in the Windows Credential Manager, accessible to any local unprivileged process. This allowed an attacke...
Internet Bug Bounty: CVE-2022-32214 - HTTP Request Smuggling Due To Improper Delimiting of Header Fields
Original Report: https://hackerone.com/reports/1524692 Impact Depending on the specific web application, HRS can lead to cache poisoning, bypassing of security layers, stealing of credentials and so on...
Shopify: Exposed Cortex API at https://cortex-ingest.shopifycloud.com/
Hi there, to be honest this is the first time I have seen this type of asset, but I think it is interesting/not supposed to be exposed. There is a Cortex metrics server running without authentication on https://cortex-ingest.shopifycloud.com/. This allows us to see the config for the server, call...
Acronis: bypass sql injection #1109311
Hello dear support, I have found an SQL injection and bypass, this case 1109311 Tests performed: 0'XORifnow=sysdate,sleep15,0XOR'Z = 20.002 0'XORifnow=sysdate,sleep6,0XOR'Z = 7.282 0'XORifnow=sysdate,sleep0,0XOR'Z = 0.912 0'XORifnow=sysdate,sleep15,0XOR'Z = 16.553 0'XORifnow=sysdate,sleep3,0XOR'Z =...
Nextcloud: Sensitive files/ data exists post deletion of user account
In the latest Android app, I created an account in the name of [email protected]. After a few activities, I deleted the account. Files containing user emails and tokens still exist. Relevant files are not deleted upon deletion of the account. Content of files post deletion of account:...
Internet Bug Bounty: "urllib" will result to deny of service
If a client requests an http/https/ftp service which is controlled by an attacker, the attacker can make this client hang forever, even if the client has set the "timeout" argument. Maybe this client will also consume more and more memory; I did not test this conclusion. client.py import urllib.request req =...
UPchieve: User enumeration through forget password
Vulnerability:- -User enumeration is possible through the forgot password feature. steps to reproduce:- -Go to the above selected domain and go to forgot password. -submit a random email and then intercept the request with Burp Suite -in the response you will get HTTP/1.1 500 Internal Server Error with "err":"No...
GitHub Security Lab: [Java] CWE-297: Insecure LDAP endpoint configuration
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: Self stored Xss + Login Csrf
Description: A user can set a username between 8-20 alphanumeric characters, but with the help of inspect element an attacker can manipulate ██████= & can insert an XSS payload resulting in self stored XSS & with the help of login CSRF the attacker can force the victim into the attacker's account causing...
Open-Xchange: Null dereference in `cmd_denotify_operation_execute`
To reproduce, run test suite on following input : require "vnd.dovecot.testsuite"; require "notify"; require "envelope"; test "D Middle" // notify :options "timo@exat"; denotify :is "noot"; if not testresultexecute testfail "fat"; Output is with ASAN enabled stack trace...
Mail.ru: CVE-2016-6415 on api-staging.plazius.ru [46.148.201.218]
Unpatched CVE-2016-6415 vulnerability could potentially lead to information disclosure on the host in plazius.ru infrastructure...
X (Formerly Twitter): XSS via referrer parameter
Description Hi, I would like to report an XSS via the javascript scheme in https://www.twitterflightschool.com/student/award/ID?referer=, the payload only needs a click from the user to be triggered because the link will be placed in a tag...
Internet Bug Bounty: Cache Poisoning
Summary: An attacker can cause Squid to return attacker-controlled data to the user, for any domain. From Squid-4.7 and below both HTTPS and FTP could be poisoned. This is due to Squid URL decoding parts of the Request URL and using that to create a hash. Requests that decode to the same URL will...
Lark Technologies: SSRF with information disclosure
A SSRF server side request forgery vulnerability was identified in the messenger endpoint of Lark Suite which could have exposed internal credentials used by the server. We thank @jin0ne for reporting this to our team...
Visma Bug Bounty Program: Stored XSS in 'Notes'
A logged-in user can inject JavaScript code into a specifically crafted Note on a document, such as an Invoice, which will be executed when another user, logged in to the same company, edits the Note...
BlockDev Sp. Z o.o: xmlrpc.php file is enabled; it can be used for a brute-force attack
xmlrpc.php file is enabled; it can be used for a brute-force attack...
Nord Security: Host header injection/redirection | signup and login page
Hey Team. There's a host header injection vulnerability in signup and login page. If possible, the application should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways: Remove the redirection function from the application,...
Nextcloud: Wordpress Users Disclosure
Information Using REST API, we can see all the WordPress users/author with some of their information. Step to Reproduce You can get user info by entering below url in your browser: https://nextcloud.com/wp-json/wp/v2/users Reference: 356047 Impact Authors : LTR , LTREditor can be created scenario...
TomTom: Reflected XSS on www.tomtom.com
Summary: XSS on www.tomtom.com is very dangerous, if this vulnerability misused by Attacker to steal cookie it will be fatal for other users. Proof of Concept: - I tried to visit https://www.tomtom.com/enau/search/ - Then, search using keyword: TEST" - I realized double quote " is reflected - So,...
Shopify: STAFF member with NO Explicit permissions can view `ActivityFeed` via GraphQL
Hi, This is similar to 95589. I noticed that ActivityFeeds are now being fetched by GraphQL call on Shopify. But from my testing, I noticed that STAFF member with NO EXPLICIT permissions can fetch store's activity feed by calling the vulnerable endpoint. STEPS 1.STAFF member is not assigned any...
Keybase: Privilege Escalation via Keybase Helper (incomplete security fix)
In the previous report, the privileged helper lacked validation so any application could abuse it to gain root privilege. But the security fix is incomplete. I can describe 3 different ways to bypass, possibly 4, I doubt. All the PoCs are simplified to not send the actual attack payload,...
Internet Bug Bounty: null pointer dereference in imap_mail
In imap_mail, if the message arg is null, there is no check in php_imap_mail whether the message can be gotten, so it crashes. fprintfsendmail, "\n%s\n", message; /usr/local/php/bin/php ./craxxx.php Warning: imap_mail: No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3 sh: 1: -t: no...
Liberapay: Broken Authentication and session management OWASP A2
Hello @liberapay, Description: It seems now that if an attacker has the CSRF token & the victim's cookies then the attacker can easily log in to the victim's account without any login details. No need of any Username/Password. Theory Proof-Of-Concept: - Go to https://liberapay.com/admin.101/edit/username any username/Self...
Smule: Open Redirect on smule.com
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: Open Redirect at smule.com You...
Valve: XSS in steam react chat client
The Steam chat client both sends and receives bbcode format chat messages. These map to HTML elements, and notably the url bbcode tag is supported for arbitrary URLs. React has strong XSS mitigations but does not mitigate javascript: URI based XSS. This is rather difficult to exploit as the clien...
Starbucks: svcardproxydevus.starbucks.com Subdomain take over
You have left a dns record pointing to a dead cloudapp vm. svcardproxydevus.starbucks.com - s00307ntmp0svcardproxydev0.trafficmanager.net - s00307dpipsvcardproxy00.eastus.cloudapp.azure.com = Dead Impact 1 Attacker takes over subdomain and then puts something like porn or something that shouldn't...
Internet Bug Bounty: CVE-2018-12882: heap-use-after-free in PHP 7.2 through 7.2.6, possible 7.2.7
exif_read_data in PHP 7.2 through 7.2.6 and possibly 7.2.7 is vulnerable to a heap use after free when fed a specially crafted JPEG. Any online service that uses PHP 7.2 and reads EXIF data from uploaded JPEGs is potentially vulnerable to this flaw. USE_ZEND_ALLOC=0 ./php-e147eb2 -r...
Node.js third-party modules: Prototype pollution attack (assign-deep)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the assign-deep library. Module: assign-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of...
Pornhub: xss
The researcher found a GET parameter, the value of which was output in the page source, resulting in XSS...
Legal Robot: Coding error !
Here is my mail id: [email protected] and pass: [email protected]. I am able to set the password the same as the Gmail address, but am not able to log in; this was the issue here...
Cuvva: Missing Rate limiting on https://underwriter.partner.cuvva.com/login
Duplicate of 231380...
Homebrew: Stack Trace on jenkins.brew.sh
221833 is not fully patched. Kindly take a look at https://jenkins.brew.sh/jacegisecuritycheck; stack traces are still visible. Let me know if any further info is required. Best Regards, MrR3boot...
Uber: Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com
Summary This is not a standard vulnerability, but a chain of two more exotic vulnerabilities leading to a full authentication bypass of your SSO login system at auth.uber.com via saostatic.uber.com. The root cause of this authentication bypass is two-fold: 1. Subdomain saostatic.uber.com was...
Gratipay: Gratipay uses the random module's cryptographically insecure PRNG.
Dear Gratipay bug bounty team, Summary --- Gratipay currently uses the random module's pseudo-random number generator which is not a cryptographically secure PRNG as stated in the docs: The pseudo-random generators of this module should not be used for security purposes. For security or...
HackerOne: Internal attachments can be exported via "Export as .zip" feature
Hello HackerOne Team This newly disclosed report: 182358 Partial disclosure of report activity through new "Export as .zip" feature was not completely fixed. I have found that I can still view the attachment after it has been removed from the thread. Best PoC is this 182358 since this is the newly fi...
Ubiquiti Inc.: Subdomain Takeover (moderator.ubnt.com)
Hello Team This report is the same as 179110 One of your subdomains http://moderator.ubnt.com is pointing towards 216.58.203.243 moderator.ubnt.com 216.58.203.243 ghs.google.com 216.58.203.243 ghs.l.google.com F134183 And it is unclaimed. When I open it, it is showing F134184 Impact :- An attacker can...