Twitter Algorithmic Bias: Underrepresentation Bias through Twitter's Cropping Algorithm #2: Favoring Animals over Black People
Bounty Hunter Name: CyberQueenMeg About You: Megan, also known as CyberQueenMeg, is a passionate rising cybersecurity professional who is interested in programming, cybersecurity, and web development. Megan is a high school senior in a rigorous computer science program at her high school where sh...
X (Formerly Twitter): Bypass t.co link shortener in Twitter direct messages
The researcher demonstrated a way to create a link that will not be replaced with safe shortened t.co url, by sending Direct Messages containing more than 50 t.co links to another Twitter user. If the recipient views the message using Twitter’s Android app, and clicks the 51st link in the...
curl: CVE-2021-22890: TLS 1.3 session ticket proxy host mixup
Summary: I don't think that this can be easily exploitable, but I am submitting it as a security issue for precaution. I am not looking for a bounty. Commit 549310e907e82e44c59548351d4c6ac4aaada114 enables session resumption with TLS 1.3. Curl connections maintain two SSL contexts, one for the...
U.S. Dept Of Defense: CSRF to Cross-site Scripting (XSS)
Hello dear support, I have found CSRF to XSS on █████████. My payload: "; Impact: Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session...
Revive Adserver: Reflected XSS on /admin/campaign-zone-zones.php
I found a reflected XSS on /admin/campaign-zone-zones.php. The Revive Adserver version is revive-adserver-5.1.1. - Go to http://revive-adserver.loc/admin/campaign-zone-zones.php?=&clientid=1&campaignid=1&status=available%22%3E%3Cimg%20src=1%20onerror=alert(document.domain)%3E&text= - Malicious...
U.S. Dept Of Defense: IDOR leads to Leakage of ██████████ Login Information
Hi security team, according to my report 1092618, the VDP team agreed that █████████ and its subdomains are in the scope of the DoD program, so I continued testing that domain. Issue Description: There is an IDOR in ██████.███████ that is connected with ████████.███████, a highly protected encryption chat...
VK.com: XSS in the link handler
XSS in the link parser...
Mail.ru: file read on MCS servers via supplying a QCOW2 image with external backing file
Local file read in mcs.mail.ru by providing QCOW2 disk image with backing image pointing to external file Mail.ru Cloud Solutions allows uploading custom images for disks. This functionality supported QCOW2 disk images. A QCOW2 disk image can have a so-called "backing image" - a file to read...
TikTok: RCE on TikTok Ads Portal
The video upload endpoint on the TikTok Ads portal was potentially susceptible to remote code execution (RCE) due to an ffmpeg misconfiguration. We thank @bubbounty for reporting this to our team and confirming the resolution. During my research on the TikTok Ads portal I found an RCE through the...
Basecamp: HEY.com email stored XSS
An attacker can bypass the HEY.com HTML sanitizer and inject arbitrary unsafe HTML in emails. To reproduce the bug you have to send raw HTML-formatted email. You can do it e.g. with the Sendmail tool on Linux. Example email: plain From: [email protected] To: [email protected] Subject: HackerOne test...
Node.js third-party modules: [json8-merge-patch] Prototype Pollution
I would like to report a Prototype Pollution vulnerability in json8-merge-patch The apply function fails to restrict access to prototypes of objects, allowing for modification of prototype behavior. Module module name: json8-merge-patch version: v1.0.1 npm page:...
OWOX, Inc.: Unrestricted File Upload in Chat Window
Summary: The application allows the attacker to upload dangerous file types that can be automatically processed within the product's environment. Steps To Reproduce: - Open the browser and navigate to https://bi.owox.com and sign in. - Open the Chat window. - Upload any .rb or .php file. - Click ...
Shopify: XSS / SELF XSS
I found an XSS, but I think it's self-XSS. POC: 1. Go to yourstore.myshopify.com 2. Go to Settings > Import 3. Upload a wrong CSV file with the XSS payload as the file name: " Impact: XSS attack...
Mail.ru: Cross-Site Request Forgery (CSRF) in my.games API
The CSRF vulnerability allowed adding/deleting/editing store.my.games comments...
X (Formerly Twitter): Twitter Source Label allow 'mongolian vowel separator' U+180E (app name)
Summary: Twitter app names, which are shown in the Tweet source label, are supposed to be unique, and because of that they must not include invisible Unicode characters. However, you can use the Mongolian vowel separator in these app names, which allows faking an app name. Description: Every tweet ha...
Omise: Email enumeration at SignUp page
Hi. There's a bad security practice at https://trade.go.exchange/en/auth/sign-up regarding user enumeration. Description: At the signup page here https://trade.go.exchange/en/auth/sign-up, when you enter an existing user's mail, a message box says "Email is invalid." F546294 The problem is that any use...
Unikrn: Full Path Disclosure
Hi security team! We can see the path on your resource: https://crm.unikrn.com/app/bundles/CampaignBundle/EventListener/LeadSubscriber.php You must block viewing the script from the outside using .htaccess. Impact: Full Path Disclosure https://www.owasp.org/index.php/FullPathDisclosure...
Passit: password reset link not expired after changing the password
Hi, this is my first report and bug. I found that the password reset link is not expired after changing the password; I received it in my e-mail. Proof of Concept: 1. Go to https://app.passit.io/account/reset-password and ask for a password reset link. 2. Go to the email inbox. 3. Click the link from the inbox, example // Recovery li...
Internet Bug Bounty: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile
Phar files with __HALT_COMPILER(); in unexpected places can lead to a buffer overrun. This is something I found while fuzzing with AFL using an ASAN-instrumented PHP. The issue can be observed by disabling the Zend allocator and using ASAN or valgrind etc. with a crafted phar as input. I have prepared...
GitLab: CRLF injection & SSRF in git:// protocol lead to arbitrary code execution
Summary: The implementation of the git:// protocol in GitLab is vulnerable to CRLF injection and Server-Side Request Forgery. If the redis server is configured to listen on a TCP socket, e.g. port 6379, an attacker can abuse SSRF to manipulate the redis server, injecting a malicious payload into system_hook_push...
HackerOne: User login page doesn't implement any form of rate limiting
Hi Team, Summary: As a best practice a login page should have rate limiting, just like hackerone.com. Vulnerable Request: POST /auth/postlogin HTTP/1.1 Host: ctf.hacker101.com User-Agent: Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://ctf.hacker101.com/...
HackerOne: Missing Certificate Authority Authorization rule
Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...
Zomato: [www.zomato.com] SQLi - /php/██████████ - item_id
Thanks @gerbenjavado for helping us keep @zomato secure: Thanks to the entire @Zomato team for doing this challenge. It's a pleasure to be back in the bug bounty game after a while. Introduction: So I managed to find SQLi on https://www.zomato.com/php/██████████ in the POST parameter item_id...
Internet Bug Bounty: CVE-2018-6797: A crafted regular expression can cause a heap buffer write overflow in Perl 5 giving a remote attacker control over bytes written
An attacker supplies a regular expression containing one or more \xDF characters after an escape putting the regexp into unicode matching mode, such as a \N escape. Each \xDF character adds one byte of overflow, and any other text in the regular expression is written in order, providing the...
Open-Xchange: SSRF in /appsuite/api/autoconfig
FYI: This was conducted on a local install of App Suite and not the sandbox. App Suite version was: 7.8.4 Rev14 Hello, There is a possible SSRF vulnerability in the following App Suite API endpoint that will primarily allow blind port scanning of the App Suite server and any internal servers...
Snapchat: Open prod Jenkins instance
@prebenve found a Jenkins instance where they could login with any valid Google account. Once logged in, they gained access to sensitive API tokens. The access also included some source code disclosure for public apps and the ability to execute arbitrary code via the Jenkins Script Console...
HackerOne: IE 11 Self-XSS on Jira Integration Preview Base Link
I wasn't sure if you would accept this report due to it being Self-XSS, but I figured it might be useful information because it breaks one of the flows used to validate URLs. Steps ==================== 1. Launch IE 11 2. Log into a HackerOne account that has admin on a program. 3. Go to the...
Bumble: Leave inaccessible messaging system with a message (https://us1.badoo.com)
Hello, while testing the messaging system I found a vulnerability that allows leaving the messaging system inaccessible for another user; it only requires sending a message. The vulnerability is in the smiles system; since the mobile version and the app do not have that system, only the desktop version is vulnerable. VULNERAB...
Nextcloud: nextcloud.com: Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page)
Hello, we can spam-bomb any email by using your website. Please check the attack success PoC image in the attached file and you will understand. POC: 1. Go to the link :- 2. In the details fill in all the fields; in the email option enter the victim's email. 4. Replay the same request many times; the victim's email will be spammed...
Vimeo: OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing
Hello Vimeo Security Team, There is a vulnerability in api.vimeo.com/oauth which allows an attacker to gain full App privilege over a Vimeo victim user account without user approval, just by having the victim open a link to the attacker webpage. Proof of Concept link :...
VK.com: External entity injection in the YouTrack user import functionality
The vulnerability exists due to the ability to use external XML entities in the YouTrack user import functionality. The web application is available at youtrack.vk-cdn.net. According to the documentation at https://confluence.jetbrains.com/display/YTD6/Import+Users, it supports importing data...
Mail.ru: [api.login.icq.net] Open Redirect
https://api.login.icq.net/auth/cancel?f=1&k=1&supportedIdType=1&succUrl=http://example.com...
Ubiquiti Inc.: Arbitrary file Upload on AirMax
It's possible to upload arbitrary files to airMAX devices via HTTP because of a vulnerability in the airOS web server. An attacker can bypass the device's authentication mechanisms by exploiting this vulnerability...
Coinbase: OAuth authorization page vulnerable to clickjacking
Due to a misconfiguration, the 'authorize' button on the OAuth authorization page was vulnerable to clickjacking. The bug was fixed by ensuring our OAuth-related responses included the same security headers including X-Frame-Options as the rest of the site...
VK.com: Page replacement and redirect loop
Opening a page via a request parameter and a cyclic redirect. This report includes a description of two vectors: 1. Page replacement via a hidden vulnerable parameter that may lead to phishing attacks. 2. Infinite redirect loop...
HackerOne: Reflected Filename Download
First of all, congratulations on an awesome bounty system. Big fan here! I found out that it's possible to run an RFD attack on HackerOne. If we visit https://hackerone.com/dsopas we see the normal HTML webpage. Nothing new here. But if we add ?format=json to the URL we can see the JSON file generated b...
Internet Bug Bounty: ZIP Integer Overflow leads to writing past heap boundary
https://bugs.php.net/bug.php?id=69253 Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service...
Internet Bug Bounty: libcurl: URL request injection
libcurl: URL request injection CVE-2014-8150...
Internet Bug Bounty: Adobe Flash Player MP4 Use-After-Free Vulnerability
I. Summary: Adobe Flash Player is prone to a vulnerability which leads to a use-after-free. After parsing a malformed mp4 file, Flash does not free the NetStream object properly. That memory block is still accessed even after the page containing Flash is closed, which leads to a memory crash...
Coinbase: New Device confirmation tokens are not properly validated.
Hi team, I noticed that the new device confirmation code sent by your server is not validated. POC: 1. Log in on a new computer and ask for the confirmation code two times, say at around 12.00 PM and at 12.01 PM. 2. Now verify the device with the confirmation token which arrived at 12.01 PM and after...
WePay: CSRF & Nonce Token Weak Implementation
Hello, this report is a copy of my previous reports sent to your email [email protected] some days ago. Please note that everything written below is copied and pasted from the report. Ticket 437212: As part of your responsible disclosure program, I am reporting this leakage / weak implementation...
joola.io: X-Content-Type-Options header missing
Hello Team, the site doesn't have a header setting for X-Content-Type-Options, which means it is vulnerable to MIME sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content type. This also applies to Google...
Mail.ru: rs.mail.ru - Flash Based XSS
Hi, I found a Flash-based XSS in rs.mail.ru. Vulnerable link: http://rs.mail.ru/b27161485.swf?link1=javascript:alert(document.domain) Just click on the page and you will see the alert. Tested on Mozilla Firefox. Regards, Florin...
InVision: TLS Renegotiation and Denial of Service Attacks on InVision.
Hi, I found a bug in your website. It's a TLS renegotiation denial of service attack. Description: A group of hackers known as THC (The Hacker's Choice) last week released an interesting DoS tool that works at the SSL/TLS layer. The tool exploits the fact that, when a new SSL connection i...
Khan Academy: Lighttpd version disclosure / directory listing
Hello there, the website at http://graphite.khanacademy.org/ isn't configured correctly. It displays the lighttpd version as well as the directory contents. You should disable these features in your lighttpd.conf / php.ini. PoC: Index of / Name Last Modified Size Type Parent Directory/ - Directory...
Slack: csrf
Hi, the anti-CSRF token to prevent CSRF attacks is missing on this link: https://sehacure.slack.com/help/requests/new A new request can be submitted by a malicious guy to the support team on behalf of the user. The victim will never get to know. 1. Go to this link...
Internet Bug Bounty: Secrets not masked in UI when sensitive variables are set via Airflow cli
A vulnerability was discovered in Apache Airflow where sensitive variables set using the Airflow CLI were not properly masked in the UI, specifically in the Audit logs page. This issue was addressed in the 2.10.3 release of Apache Airflow...
Internet Bug Bounty: important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477)
important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477) A null pointer dereference vulnerability was discovered in mod_proxy in Apache HTTP Server versions 2.4.59 and earlier. This vulnerability allowed an attacker to crash the server ...
Node.js: "Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash
A vulnerability was discovered in the Node.js HTTP/2 stack (http2 package). An attacker could send a small number of TCP packets with HTTP/2 frames, causing the Node.js server to crash due to an assertion failure in the Http2Session destructor. The issue occurred when headers with HTTP/2 CONTINUATI...
Internet Bug Bounty: [CVE-2023-22796] Possible ReDoS based DoS vulnerability in Active Support’s underscore
A regular expression based Denial of Service (DoS) vulnerability was discovered in Active Support. The vulnerability allowed a specially crafted string to cause the regular expression engine to enter a state of catastrophic backtracking, leading to excessive CPU and memory usage. The...