Yelp: Clickjacking leads to review removal
Steps To Reproduce: 1. Open iframe F960017 2. You can remove reviews from this iframe. Impact: Clickjacking leads to removing reviews...
MTN Group: [mtn.com.af] Multiple vulnerabilities allow application-level DoS
Issue Description Unauthenticated attackers can cause a denial of service resource consumption by using the large list of registered .js files from wp-includes/script-loader.php to construct a series of requests to load every file many times. The vulnerability is registered as CVE-2018-6389 76172...
GitLab: Full Read SSRF on Gitlab's Internal Grafana
Apparently, Grafana is bundled with Gitlab by default. So the grafana instance that is accessible via /-/grafana/ is vulnerable to the SSRF outlined below. Summary By chaining together some redirects and a URL decoding bug, it is possible to achieve a full-read, unauthenticated, SSRF from your...
Internet Bug Bounty: UrnState Heap Overflow
Summary: When handling a URN Request an attacker controlled response can cause Squid to overflow a heap buffer. The buffer exists within a struct so not only does it allow an attacker to overflow adjacent memory, but also control a pointer that follows the buffer enabling them to free arbitrary...
Internet Bug Bounty: Cache Poisoning
Summary: An attacker can cause Squid to return to the user attacker controlled data, for any domain. From Squid-4.7 and below both HTTPS and FTP could be poisoned. This is due to Squid URL decoding parts of the Request URL and using that to create a hash. Requests that decode to the same URL will...
Shopify: Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO
I told Pete I would take a look at Spotify, hi Pete. Summary It's possible to take over any store account through bypassing the email confirmation step in .myshopify.com. I found a way to confirm arbitrary emails, and after confirming an arbitrary email in .myshopify.com, the user is able to integrate...
Visma Bug Bounty Program: Stored XSS in 'Notes'
A logged-in user can inject JavaScript code into a specifically crafted Note on a document, such as an Invoice, which will be executed when another user, logged in to the same company, edits the Note...
Node.js third-party modules: Several simple remote code execution in pdf-image
I would like to report "A simple remote code execution" in "pdf-image". It allows "a remote attacker to execute arbitrary code when several functions of the PDFImage class are called and the class loaded from user-input value". Module module name: pdf-image version: latest npm page:...
Internet Bug Bounty: Out of Bounds Memory Read in php_jpg_get16
I have found and reported an out of bounds memory read in PHP php_jpg_get16. When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data that will...
Node.js third-party modules: Yarn transfers npm credentials over unencrypted http connection
Module module name: yarn version: 1.16.0 npm page: https://www.npmjs.com/package/yarn Module Description Fast, reliable, and secure dependency management. Module Stats Replace stats below with numbers from npm’s module page: 166 703 downloads in the last day 849 928 downloads in the last week 3 7...
U.S. Dept Of Defense: Remote OS command execution in 3 more Oracle WebLogic instances on the ████████, ████, ███████ [CVE-2017-10352]
Description Hello. I was able to identify 3 more RCE vulnerabilities due to the outdated Oracle WebLogic instance on the █████████, ███, █████. After my previous discoveries I decided to dig deeper into the ███.mil scope/IP space and found other instances of vulnerable Oracle WebLogic. I decided t...
HackerOne: Password not checked when disabling 2FA on HackerOne
Hi, when I was submitting a report to a program that requires 2FA on, I noticed that if you try to disable this option it will ask for a backup code and password, and if you enter a random password in the request field and a correct backup code, it will successfully disable 2FA without checking if the...
Cuvva: Clickjacking in ops.cuvva.com
Hi, Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking contr...
ownCloud: Remote Code Execution through Deserialization Attack in OwnBackup app.
I found a deserialization vulnerability in the OwnBackup app; this vulnerability allows remote code execution on the server. An administrator user could install the vulnerable app, or take advantage of this vulnerability if the OwnBackup application is installed. Below are the steps to properly...
Shopify: STAFF member with NO Explicit permissions can view `ActivityFeed` via GraphQL
Hi, This is similar to 95589. I noticed that ActivityFeeds are now being fetched by a GraphQL call on Shopify. But from my testing, I noticed that a STAFF member with NO EXPLICIT permissions can fetch the store's activity feed by calling the vulnerable endpoint. STEPS 1. STAFF member is not assigned any...
Mail.ru: SSRF
SSRF via URI injection in hou.my.com...
Valve: Vulnerability in GoldSource Engine allows uploading and running an arbitrary DLL on the client
Introduction Greetings. In GoldSource Engine there is a vulnerability that allows running an arbitrary DLL on the client, using flaws in the file downloading system. Description Part of the problem is hidden in the CLBatchResourceRequest function. This is a client function that is responsible...
Nextcloud: Expired reshare links allow access to all files in share
After a reshared subfolder link has expired, the link allows access to the full folder. I found the problem in Nextcloud 14.0.3, but it still persists in 14.0.4. Steps: 1. share folder "A" with a Nextcloud group 2. reshare a subfolder "B" of this folder with another user in this group, in this cas...
Valve: XSS in Steam React chat client
The Steam chat client both sends and receives bbcode format chat messages. These map to HTML elements, and notably the url bbcode tag is supported for arbitrary URLs. React has strong XSS mitigations but does not mitigate javascript: URI based XSS. This is rather difficult to exploit as the clien...
Starbucks: svcardproxydevus.starbucks.com Subdomain takeover
You have left a DNS record pointing to a dead cloudapp VM. svcardproxydevus.starbucks.com - s00307ntmp0svcardproxydev0.trafficmanager.net - s00307dpipsvcardproxy00.eastus.cloudapp.azure.com = Dead Impact 1 Attacker takes over subdomain and then puts something like porn or something that shouldn't...
Internet Bug Bounty: CVE-2018-12882: heap-use-after-free in PHP 7.2 through 7.2.6, possible 7.2.7
exif_read_data in PHP 7.2 through 7.2.6 and possibly 7.2.7 is vulnerable to a heap use after free when fed a specially crafted JPEG. Any online service that uses PHP 7.2 and reads EXIF data from uploaded JPEGs is potentially vulnerable to this flaw. USE_ZEND_ALLOC=0 ./php-e147eb2 -r...
Slack: Internal SSRF bypass using slash commands at api.slack.com
@albatraoz found a bypass to report 61312, allowing information leakage via SSRF in Slash commands. We fixed the vulnerability and performed a thorough investigation. Thanks @albatraoz!...
Valve: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution
A malformed .BSP can trigger an Access Violation on CS:GO that can lead to arbitrary code execution on a remote computer. I have attached a copy of the malformed .BSP which reliably triggers an Access Violation on CS:GO. Impact An attacker hosting a malicious server could compromise a remote clie...
Mapbox: Admin Panel Accessed (OAuth Bypassed)
On December 4, 2017, @aneeskhan reported an authentication bypass vulnerability on a Mapbox internal portal. The vulnerability allowed them to bypass OAuth authentication and generate a valid session for the site. This session was then used by @aneeskhan to access information on the portal which...
Legal Robot: Coding error !
Here this is my mail id: [email protected] and pass: [email protected]. I am able to set the password the same as the Gmail address, but can't log in; this was the issue here...
Gratipay: Gratipay rails secret token (secret_key_base) publicly exposed in GitHub
Summary Gratipay's Rails secret token is publicly exposed on GitHub. Knowing the secret token allows an attacker to impersonate any user in the application. Thanks to EdOverflow for sharing the tips for finding security issues in GitHub projects; below is the referenced GitHub for the analysis...
Weblate: Null Password - Setting a new password doesn't check for empty spaces
Hi Again! As seen on your website at https://demo.weblate.org/accounts/password/: Your password can't be too similar to your other personal information. Your password must contain at least 6 characters. Your password can't be a commonly used password. Your password can't be entirely numeric. I found...
Homebrew: Stack Trace on jenkins.brew.sh
221833 is not fully patched. Kindly take a look at https://jenkins.brew.sh/jacegisecuritycheck; stack traces are still visible. Let me know if any further info is required. Best Regards, MrR3boot...
Uber: Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com
Summary This is not a standard vulnerability, but a chain of two more exotic vulnerabilities leading to a full authentication bypass of your SSO login system at auth.uber.com via saostatic.uber.com. The root cause of this authentication bypass is two-fold: 1. Subdomain saostatic.uber.com was...
Boozt Fashion AB: Email spoofing at booztlet.com
Hello: There is an Email Spoofing vulnerability. Steps to reproduce: 1 Go to http://emkei.cz/ 2 Fill the "From Email" field with [email protected] or any other booztlet email. 3 Fill the victim's address (your address) in the "TO" field and fill in other details as you wish. You will receive email fro...
Shopify: Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181
What is Zookeeper? ==================== Zookeeper is a coordination service for distributed applications. It allows common services such as naming, synchronisation, configuration management and group services to be managed by a simple interface, and it uses a data model of File System on an...
Coinbase: XSSI (Cross Site Script Inclusion)
Hi, https://www.coinbase.com/pusher/auth returns a sensitive JSON auth-token response that can be parsed by JavaScript JSON.parse from an external site. This can easily be mitigated by putting // or // chars at the beginning of the JSON response and thus making functions like JSON.parse unable to ge...
Eobot: Multiple information disclosure
This script can help hackers check leaked email bases on registration with Eobot without a ban, etc. https://www.eobot.com/[email protected] email disclosure in Google; Google dork: site:eobot.com inurl:"widget.aspx" in the result we see requests with emails of your users...
Yahoo!: Bypass of the Clickjacking protection on Flickr using data URL in iframes
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Phabricator: OAuth Stealing Attack (New)
Hi Evan, I found a new and more dangerous way to steal Phabricator Facebook OAuth tokens and codes. In this case, I exploited the behavior of the Phabricator OAuth Dialog: if you provide a different scope in the Phabricator OAuth Dialog...
Publitas: CVE-2018-6389 exploitation - using scripts loader
An unauthenticated denial of service vulnerability in WordPress was discovered, tracked as CVE-2018-6389. By requesting a large number of JavaScript files through the load-scripts.php endpoint, an attacker could consume excessive resources on the server. This vulnerability could allow denial of...
Bitwarden: Biometric key is stored in Windows Credential Manager, accessible to other local unprivileged processes
A vulnerability in Bitwarden Desktop for Windows allowed a local attacker to access the biometric master key used for unlocking the vault through Windows Hello. The key was stored in plaintext in the Windows Credential Manager, accessible to any local unprivileged process. This allowed an attacke...
GitLab: Unauthenticated IP allowlist bypass when accessing job artifacts through gitlab pages at `{group_id}.gitlab.io`
Summary An owner of a group can restrict access to the group, subgroups and projects to only work from a specific IP range. See documentation link To ensure only people from your organization can access particular resources, you can restrict access to groups by IP address. This will restrict most...
Aiven Ltd: Zero day path traversal vulnerability in Grafana 8.x allows unauthenticated arbitrary local file read
Summary: Hi team, I've found a path traversal issue in the Grafana instances hosted on the Aiven platforms. With the path traversal it's possible for an unauthenticated user to read arbitrary files on the server. Steps To Reproduce: 1. Login at https://console.aiven.io 2. Create a new Grafana...
Nextcloud: Sensitive files/ data exists post deletion of user account
In the latest Android app, I created an account in the name of [email protected]. After a few activities, I deleted the account. Files containing user emails and tokens still exist. Relevant files are not deleted upon deletion of the account. Content of files post deletion of account:...
Internet Bug Bounty: "urllib" can result in denial of service
If a client requests an http/https/ftp service which is controlled by an attacker, the attacker can make this client hang forever, even if the client has set the "timeout" argument. Maybe this client will also consume more and more memory; I did not test this conclusion. client.py import urllib.request req =...
UPchieve: User enumeration through forgot password
Vulnerability:- -User enumeration is possible through the forgot password feature. steps to reproduce:- -Go to the above selected domain and go to forgot password. -Submit a random email and then intercept the request with Burp Suite -In the response you will get HTTP/1.1 500 Internal Server Error with "err":"No...
U.S. Dept Of Defense: Self stored XSS + Login CSRF
Description: A user can set a username of 8-20 alphanumeric characters, but with the help of inspect element an attacker can manipulate ██████= and can insert an XSS payload, resulting in self stored XSS, and with the help of login CSRF an attacker can force the victim into the attacker's account, causing...
Mail.ru: CVE-2016-6415 on api-staging.plazius.ru [46.148.201.218]
Unpatched CVE-2016-6415 vulnerability could potentially lead to information disclosure on the host in plazius.ru infrastructure...
Node.js third-party modules: [keyd] Prototype pollution
I would like to report a prototype pollution vulnerability in keyd module. It allows an attacker to inject properties on Object.prototype. Module module name: keyd version: 1.3.4 npm page: https://www.npmjs.com/package/keyd Module Description A small library for using and manipulating key paths i...
X (Formerly Twitter): XSS via referrer parameter
Description Hi, I would like to report an XSS via the javascript: scheme in https://www.twitterflightschool.com/student/award/ID?referer=. The payload needs just a click from the user to be triggered because the link will be placed in a tag...
Lark Technologies: SSRF with information disclosure
An SSRF (server side request forgery) vulnerability was identified in the messenger endpoint of Lark Suite which could have exposed internal credentials used by the server. We thank @jin0ne for reporting this to our team...
Internet Bug Bounty: PHP link() silently truncates after a null byte on Windows
The bug submitted at: https://bugs.php.net/bug.php?id=78862 The security advisory at: https://nvd.nist.gov/vuln/detail/CVE-2019-11044 The issue allows remote attackers to read or write arbitrary files via crafted input to an application that calls the vulnerable function. As demonstrated by a...
Node.js: napi_get_value_string_X allow various kinds of memory corruption
Summary: napi_get_value_string_latin1, napi_get_value_string_utf8, napi_get_value_string_utf16 are vulnerable to buffer overflows, partially due to an integer underflow. Description: napi_get_value_string_latin1, napi_get_value_string_utf8, and napi_get_value_string_utf16 behave like this: 1. If the output pointer is...
BlockDev Sp. Z o.o: xmlrpc.php file is enabled; it can be used for brute-force attacks