Tron Foundation: DOS attack by consuming all CPU and using all available memory
Summary: A single request to submit a post to /wallet/deploycontract with several megabytes of bytecode, along with CPU-intensive long parsing, will consume CPU for about 10 minutes while still holding several megabytes of bytecode in the heap. With enough requests, let's say 1K-10K depending upon...
MyCrypto: SPF Records (SMTP protection not used)
Hello MyCrypto Team, I was checking your website and found something missing in the SPF record. I don't find that you have applied a strict SMTP policy to stop spoofed emails being sent from your domain. I would like to recommend that you read the following article:...
GitLab: CRLF injection & SSRF in git:// protocol lead to arbitrary code execution
Summary: The implementation of the git:// protocol in GitLab is vulnerable to CRLF injection and Server-Side Request Forgery. If the redis server is configured to listen on a TCP socket, e.g. port 6379, an attacker can abuse SSRF to manipulate the redis server, injecting a malicious payload into systemhookpush...
Valve: XSS in steam react chat client
The Steam chat client both sends and receives bbcode format chat messages. These map to HTML elements, and notably the url bbcode tag is supported for arbitrary URLs. React has strong XSS mitigations but does not mitigate javascript: URI based XSS. This is rather difficult to exploit as the clien...
Ubiquiti Inc.: Public Jenkins instance with /script enabled
Hi, First of all, I'm not 100% able to verify that this server is actually owned by Ubnt, as there are multiple DNS Names in the SSL certificate. DNS Name: .uum.com DNS Name: .ubnt.com DNS Name: .svc.ubnt.com DNS Name: .api.uum.com DNS Name: .svc.uum.com DNS Name: uum.com So, the server hosted on...
Automattic: RCE via Print function [Simplenote 1.1.3 - Desktop app]
In Simplenote 1.1.3 - Desktop app there is a stored XSS vulnerability that can be used to execute arbitrary code. If there is malicious code in the note and the user tries to print it for example to save it as a PDF, the malicious code runs. This report is based on the report 291539, by Yasin...
VK.com: [Linking an email to a page] by [email protected] | email-flood
Some checks are missing when linking an email. Impact: e-mail flood. Flooding. █.vk.com/█?act=█&█=█&█=█&█=█&█=█&█=█&█=█&[email protected]&█=█&ref=█ Status: fixed. There is no more flooding. █.vk.com/█?act=█&█=█&█=█&█=█&█=█&chash=█&█=█&ref=█...
Node.js third-party modules: [m-server] HTML Injection in filenames displayed as a directory listing in the browser allows embedding an iframe with malicious JavaScript code
I would like to report a Stored XSS vulnerability in the m-server module. m-server displays the content of a selected directory as HTML in the browser. However, no escaping is implemented, which allows a malicious user to embed executable JavaScript or HTML code, e.g. to load an HTML document into an iframe element and...
Brave Software: Bypassing Homograph Attack Using /@ [ Tested On Windows ]
Summary: Bypassing Homograph Attack Using /@ I looked at my previous report 268984 and saw the patch code on GitHub https://github.com/brave/browser-laptop/commit/f2e438d6158fbc62e2641458b6002a72d223c366 I looked at the code at it('returns the punycode URL when given a valid URL', function...
Ruby on Rails: Path Traversal on Default Installed Rails Application (Asset Pipeline)
There is an information leak vulnerability in Sprockets. This vulnerability has been assigned the CVE identifier CVE-2018-3760. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Not affected: NONE Fixed Versions: 4.0.0.beta8, 3.7.2, 2.12.5 Impact ------ Specially crafte...
HackerOne: Submitted reports state logs leakage
Hi team, Summary ---------- The endpoint https://hackerone.com/ returns a JSON response containing some information about the , the parameter signal is returned as a high-precision float number with up to 14 digits after the comma; the fractional part of this JSON parameter can be used to disclose so...
Tor: solving TOR vulnerability, in order to make bruteforce difficult
Vulnerability description not provided...
WakaTime: Session Duplication due to Broken Access Control
Due to improper validation of user before generating an API-KEY and improper measures taken at the time of password reset, it is possible to generate a parallel session at the attacker's end. Proof of concept video is attached to confirm the vulnerability and to demonstrate the Impact of this...
HackerOne: Lack of input sanitization in Marketo form leads to execution of HTML in lead emails
Hi, There is an SSRF vulnerability due to img tag injection in the "Contact HackerOne Sales" form. Since the vulnerability triggers after 18-20 minutes, I am not sure which site it affects. It might affect hackerone or marketo. So I thought it would be better to report it first on hackerone. POC 1. Naviga...
Gratipay: Secure Pages Include Mixed Content
Hello, The page includes mixed content, that is content accessed via HTTP instead of HTTPS. tag=img src=http://www.gravatar.com/avatar/abbcd6344e160597fb2694f25c46149f.jpg?s=256&d=http%3A%2F%2Fwww.openstreetmap.org%2Fassets%2Fusers%2Fimages%2Flarge-8d2e51c2ddd01eb899f4bfb0bca3cf5e.png Evidence:...
Internet Bug Bounty: CVE-2016-5157 OpenJPEG opj_dwt_interleave_v Out-of-Bounds Write Vulnerability
OpenJPEG opj_dwt_interleave_v Out-of-Bounds Write Vulnerability 1. About OpenJPEG OpenJPEG is an open-source JPEG 2000 codec written in the C language. It's widely used in lots of Linux OSes such as Ubuntu, RedHat, Debian, Fedora, and so on. The official repository of the OpenJPEG project is available a...
Nextcloud: nextcloud.com: Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page)
Hello, We can spam-bomb any email by using your website. Please check the attack-success PoC image in the attached file; you will understand. POC: 1. Go to Link :- 2. In details, fill in everything; in the email option enter the victim's email. 4. Replay the same request many times; the victim's email will be spammed...
Mail.ru: [upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References
When uploading an audio file via the https://upload-14.my.mail.ru/uploadaudio handler, there is no check that the specified playlistid belongs to the current user. Example of a file added to someone else's playlist: https://my.mail.ru/music/playlists/18226273862 Example request: POST /uploadaudio HTTP/1...
Bumble: Account Takeover
Hello, this is regarding an account takeover via the import-image-from-Facebook option. When we import FB photos, a link with a token is generated which is valid for any user, and it can be used to replace the user's linked FB account with the attacker's FB account and then log in via FB to take over the account. Note: I tested...
Pornhub: [crossdomain.xml] Dangerous Flash Cross-Domain Policy
The researcher identified a permissive Flash cross-domain policy allowing access from any domain on a Pornhub-related property...
Instacart: Cookie-Based Injection
Hi Instacart Security Team, I found a Cookie-Based Injection vulnerability. It may be possible to steal or manipulate sessions and cookies if an attacker can inject XSS. Details --- The path /help/ contains a header with the cookie parameters ahoyvisitor and ahoyvisit; it allows injection because re request...
HackerOne: Homograph attack
Hi, I would like to report an incomplete fix of 58612. In short, the backslash is not taken into consideration. PoC \http://ebay.com http://ebay.com...
Coinbase: New Device Confirmation, token is valid until not used.
A New Device Confirmation token is sent to the logged-in user from an unconfirmed device. Now, if they click on Account or Settings or Profile, an email with a new token is sent to that person, and likewise if the user clicks multiple times, the user receives more and more confirmation emails. On each reload each confirmation...
Localize: Business logic Failure - Browser cache management and logout vulnerability.
Vulnerability class: Business logic Failure - Browser cache management and logout vulnerability. Vulnerability impact: Logging out from the application does not clear the browser cache of any sensitive information that has been stored. Steps to reproduce: 1. Log in to the portal. 2. Browse a few tabs. 3...
Yahoo!: SQLi on http://sports.yahoo.com/nfl/draft
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
HackerOne: Enumeration of users
As I can see, you prevent enumeration of users (actually, the e-mails of registered users) in the Sign In https://hackerone.com/users/signin and Forgot Password https://hackerone.com/users/password/new functionalities. However, users can be enumerated in Sign Up https://hackerone.com/users/signup - just...
Automattic: Authentication & Registration Bypass in Newspack Extended Access
The Newspack Extended Access plugin failed to validate the JWT signing on the registration and login JSON endpoint. This allowed for the registration of accounts with arbitrary user-supplied details and authentication bypass if a target account email was known...
Node.js: Proxy-Authorization header is not cleared in cross-domain redirect in undici
A vulnerability was found in undici prior to version 6.5.0 where the Proxy-Authorization header was not cleared during cross-domain redirects, potentially leaking credentials to third party sites...
Internet Bug Bounty: SSRF Vulnerability through Connection test feature
A security vulnerability was found in Apache Airflow versions prior to 2.7.0. An authenticated user with Connection edit privileges could exploit this vulnerability to access connection information and perform a denial of service attack on the server. Upgrading to version 2.7.0 or newer is...
Internet Bug Bounty: (CVE-2023-32004) Permission model bypass by specifying a path traversal sequence in a Buffer
A vulnerability was discovered in Node.js version 20, specifically within the experimental permission model. It allowed for a bypass of the permission model by specifying a path traversal sequence in a Buffer, leading to improper handling of file permissions...
inDrive: #2 XSS on watchdocs.indriverapp.com
An XSS vulnerability was discovered on watchdocs.indriverapp.com. The vulnerability allowed execution of JavaScript on the user's browser...
Brave Software: Open redirect due to scanning QR code via brave browser
An open redirect vulnerability was discovered in Brave's QR code scanner, which allowed attackers to direct users to malicious sites without their consent or knowledge. This vulnerability put the security of Brave users at risk and allowed them to be exposed to phishing and malware attacks. The...
Shopify: Subdomain Takeover at course.oberlo.com
Hi, I was able to take over your subdomain course.oberlo.com by using Kajabi services. PoC: visit https://course.oberlo.com/ and you will see my PoC https://web.archive.org/web/20220904143512/https://course.oberlo.com/ Suggested Fix: Clear your subdomain DNS. Impact: Subdomain takeovers can be use...
Internet Bug Bounty: CVE-2022-35948: CRLF Injection in Nodejs ‘undici’ via Content-Type
The undici library should protect HTTP headers from CRLF injection vulnerabilities. However, CRLF injection exists in the 'content-type' header of the undici.request API. Impact = [email protected] users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more...
Ruby on Rails: Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)
While building a PoC for CVE-2022-32209, I noticed that I could not fix my vulnerable application by updating https://github.com/rails/rails-html-sanitizer from 1.4.2 to 1.4.3 even though the Hackerone report about this vulnerability suggested that this should fix it see here:...
Internet Bug Bounty: CVE-2022-32213 - HTTP Request Smuggling Due to Flawed Parsing of Transfer-Encoding
Original Report: https://hackerone.com/reports/1524555 Impact Depending on the specific web application, HRS can lead to cache poisoning, bypassing of security layers, stealing of credentials and so on...
curl: Binary output bypass
Binary output check bypass Summary: When curl outputs content, it checks for binary output. If the output is large enough, it bypasses the check for binary output. This can mess with the terminal. Steps To Reproduce: 1. Set up a server of your choice. 2. Create a function f with these arguments:...
8x8: 8x8pilot.com: Reflected XSS in Apache Tomcat /jsp-examples example directory
A single host in the pilot environment exposed the Apache Tomcat /jsp-examples example directory. The issue has been rectified, as we removed the directory from the host...
Nextcloud: SQL injection via vulnerable doctrine/dbal version
Summary: SQL injection via limit parameter on user-facing APIs Steps To Reproduce: Run security scanner: 1. REPORT /remote.php/dav/comments/files/1985 2. XML input oc:filter-comments.oc:limittext was set to 1'" 3. You have an error in your SQL syntax Supporting Material/References: For more detai...
GitHub Security Lab: [Python] CWE-348: Client supplied ip used in security check
This bug was reported directly to GitHub Security Lab...
8x8: Authentication Bypass & ApacheTomcat Misconfiguration in [██]
A single host in the pilot environment exposed the Apache Tomcat /admin and /manager endpoints. The issue has been rectified, as access to these endpoints has been restricted...
Twitter Algorithmic Bias: Underrepresentation Bias through Twitter's Cropping Algorithm #2: Favoring Animals over Black People
Bounty Hunter Name: CyberQueenMeg About You: Megan, also known as CyberQueenMeg, is a passionate rising cybersecurity professional who is interested in programming, cybersecurity, and web development. Megan is a high school senior in a rigorous computer science program at her high school where sh...
X (Formerly Twitter): Blind XSS on Twitter's internal Big Data panel at █████████████
An attacker appears to be able to send an XSS payload to Twitter staff members, using a Support Form. This XSS payload will execute in the context of an internal subdomain, allowing it to exfiltrate sensitive internal Twitter information...
curl: CVE-2021-22901: TLS session caching disaster
Summary: lib/vtls/openssl.c ossl_connect_step1 sets up the ossl_new_session_cb sessionid callback with SSL_CTX_sess_set_new_cb, and adds an association from data_idx and connectdata_idx to the current conn and data respectively: SSL_CTX_set_session_cache_mode(backend->ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL);...
UPchieve: Zero click account Takeover due to Api misconfiguration 🏂🎩
Hacker reported that full account takeover was possible through exploitation of one of our forms. Hacker provided sufficient information to prove capability and how to remediate. Our team remediated the issue so that the takeover is no longer possible. I was able to take over any account without any...
X (Formerly Twitter): Bypass t.co link shortener in Twitter direct messages
The researcher demonstrated a way to create a link that will not be replaced with safe shortened t.co url, by sending Direct Messages containing more than 50 t.co links to another Twitter user. If the recipient views the message using Twitter’s Android app, and clicks the 51st link in the...
U.S. Dept Of Defense: CSRF to Cross-site Scripting (XSS)
Hello dear support, I have found CSRF to XSS on █████████. My payload: "; Impact: Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session...
U.S. Dept Of Defense: IDOR leads to Leakage an ██████████ Login Information
Hi security team, According to my report 1092618, the VDP team agreed that █████████ and its subdomains are in the scope of the DoD program, so I continued testing that domain. Issue Description: There is an IDOR in ██████.███████ that is connected with ████████.███████, a highly protected encryption chat...
Algolia: email verification bypass
An issue in the way email modification was handled during the email verification process allowed the creation of an account with an arbitrary email address, bypassing the email verification step. A logical flaw resulting in email verification bypass! :D...
VK.com: XSS in the link handler
XSS in the link parser...