HackerOne: Accidental Access to Programs Information via SAML Login
On November 8th, 2018, HackerOne released software to production that contained a bug which impacted our Security Assertion Markup Language (SAML) authentication system. As a result of the bug, the SAML JIT (Just-In-Time) provisioning mechanism granted users of one customer program read-only access t...
Ubiquiti Inc.: CORS Misconfiguration leading to Private Information Disclosure
Due to a mistake in the CORS policy configuration, the CORS policy of the sites https://client.amplifi.com and https://protect.ubnt.com/ allowed HTTP requests to be made from certain sites outside the .ubnt.com and .ui.com domains. This bug could be used to steal users' information or force the user to...
HackerOne: Missing Certificate Authority Authorization rule
Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...
Zomato: [www.zomato.com] SQLi - /php/██████████ - item_id
Thanks @gerbenjavado for helping us keep @zomato secure : Thanks to the entire @Zomato team for doing this challenge. It's a pleasure to be back in the bug bounty game after a while. Introduction So I managed to find SQLi on https://www.zomato.com/php/██████████ in the POST parameter item_id...
Automattic: RCE via Print function [Simplenote 1.1.3 - Desktop app]
In Simplenote 1.1.3 - Desktop app there is a stored XSS vulnerability that can be used to execute arbitrary code. If there is malicious code in the note and the user tries to print it, for example to save it as a PDF, the malicious code runs. This report is based on the report 291539, by Yasin...
VK.com: [Linking an email to a page] by [email protected] | email-flood
Some checks are missing when linking an email address. Impact: e-mail flood. Flooding. █.vk.com/█?act=█&█=█&█=█&█=█&█=█&█=█&█=█&[email protected]&█=█&ref=█ Status: fixed. There is no more flooding. █.vk.com/█?act=█&█=█&█=█&█=█&█=█&chash=█&█=█&ref=█...
Internet Bug Bounty: CVE-2018-6797: A crafted regular expression can cause a heap buffer write overflow in Perl 5 giving a remote attacker control over bytes written
An attacker supplies a regular expression containing one or more \xDF characters after an escape putting the regexp into unicode matching mode, such as a \N escape. Each \xDF character adds one byte of overflow, and any other text in the regular expression is written in order, providing the...
Open-Xchange: SSRF in /appsuite/api/autoconfig
FYI: This was conducted on a local install of App Suite and not the sandbox. App Suite version was: 7.8.4 Rev14 Hello, There is a possible SSRF vulnerability in the following App Suite API endpoint that will primarily allow blind port scanning of the App Suite server and any internal servers...
WakaTime: Session Duplication due to Broken Access Control
Due to improper validation of the user before generating an API-KEY and improper measures taken at the time of password reset, it is possible to generate a parallel session at the attacker's end. A proof of concept video is attached to confirm the vulnerability and to demonstrate the impact of this...
Snapchat: Open prod Jenkins instance
@prebenve found a Jenkins instance where they could login with any valid Google account. Once logged in, they gained access to sensitive API tokens. The access also included some source code disclosure for public apps and the ability to execute arbitrary code via the Jenkins Script Console...
HackerOne: IE 11 Self-XSS on Jira Integration Preview Base Link
I wasn't sure if you would accept this report due to it being Self-XSS, but I figured it might be useful information because it breaks one of the flows used to validate URLs. Steps: 1. Launch IE 11. 2. Log into a HackerOne account that has admin on a program. 3. Go to the...
Bumble: Leave inaccessible messaging system with a message (https://us1.badoo.com)
Hello, while testing the messaging system I found a vulnerability that allows leaving the messaging system inaccessible to another user; it only requires sending a message. The vulnerability is in the smiles system; as the mobile version and app do not have that system, only the desktop version is vulnerable. VULNERAB...
GoCD: X-Content-Type-Options header missing at Auth Login
Hello Again, The doesn't have a header setting for X-Content-Type-Options, which means it is vulnerable to MIME sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google...
Nextcloud: nextcloud.com: Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page)
Hello, We can spam-bomb any email by using your website. Please check the attack success PoC image in the attached file; you will understand. POC: 1. Go to Link :- 2. In details, fill in all the fields; in the email option enter the victim's email. 4. Replay the same request many times; the victim's email will be spammed...
Mail.ru: [upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References
When uploading an audio file via the script https://upload-14.my.mail.ru/uploadaudio, there is no check that the specified playlistid belongs to the current user. Example of a file added to someone else's playlist: https://my.mail.ru/music/playlists/18226273862 Example request: POST /uploadaudio HTTP/1...
Vimeo: OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing
Hello Vimeo Security Team, There is a vulnerability in api.vimeo.com/oauth which allows an attacker to gain full App privilege over a Vimeo victim user account without user approval, just by having the victim open a link to the attacker webpage. Proof of Concept link :...
VK.com: XML external entity injection in the YouTrack user import functionality
The vulnerability exists due to the ability to use XML external entities in the YouTrack user import functionality. The web application is available at youtrack.vk-cdn.net. According to the documentation https://confluence.jetbrains.com/display/YTD6/Import+Users, it supports importing data...
Mail.ru: [api.login.icq.net] Open Redirect
https://api.login.icq.net/auth/cancel?f=1&k=1&supportedIdType=1&succUrl=http://example.com...
Ubiquiti Inc.: Arbitrary file Upload on AirMax
It's possible to upload arbitrary files to airMAX devices via HTTP because of a vulnerability in the airOS web server. An attacker can bypass the device's authentication mechanisms by exploiting this vulnerability...
Coinbase: OAuth authorization page vulnerable to clickjacking
Due to a misconfiguration, the 'authorize' button on the OAuth authorization page was vulnerable to clickjacking. The bug was fixed by ensuring our OAuth-related responses included the same security headers (including X-Frame-Options) as the rest of the site...
VK.com: Page replacement and redirect loop
Opening a page via a request parameter, and a cyclic redirect. This report includes a description of two vectors: 1. Page replacement via a hidden vulnerable parameter that may lead to phishing attacks. 2. Infinite redirect loop...
HackerOne: Reflected Filename Download
First of all congratulations on the awesome bounty system. Big fan here! I found out that it's possible to run an RFD attack on Hackerone. If we visit: https://hackerone.com/dsopas We see the normal HTML webpage. Nothing new here. But if we add ?format=json to the URL we can see the JSON file generated b...
Internet Bug Bounty: ZIP Integer Overflow leads to writing past heap boundary
https://bugs.php.net/bug.php?id=69253 Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service...
Internet Bug Bounty: libcurl: URL request injection
libcurl: URL request injection CVE-2014-8150...
Coinbase: New Device Confirmation, token is valid until not used.
The New Device Confirmation token is sent to the logged-in user from an unconfirmed device. Now, if the user clicks on Account or Settings or Profile, an email with a new token will be sent to that person, and likewise if the user clicks multiple times, the user receives more and more confirmation emails. On each reload each confirmation...
Internet Bug Bounty: Adobe Flash Player MP4 Use-After-Free Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to Use-After-Free. After parsing a malformed mp4 file, Flash will not free the NetStream object properly. This memory block is still accessed even after the page containing Flash is closed, which leads to a memory crash...
Coinbase: New Device confirmation tokens are not properly validated.
Hi team, I noticed that the new device confirmation code sent by your server is not validated. POC: 1. Log in from a new computer and ask for a confirmation code two times, say at around 12.00 PM and at 12.01 PM. 2. Now verify the device with the confirmation token which arrived at 12.01 PM and after...
WePay: CSRF & Nonce Token Weak Implementation
Hello, this report is a copy of my previous reports sent to your email [email protected] some days ago. Please note that everything written below is copied and pasted from the report. Ticket 437212 : As part of your responsible disclosure program, I am reporting this leakage weak implementation...
joola.io: X-Content-Type-Options header missing
Hello Team, The doesn't have a header setting for X-Content-Type-Options, which means it is vulnerable to MIME sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google...
Mail.ru: rs.mail.ru - Flash Based XSS
Hi, I found a flash based XSS in rs.mail.ru. Vulnerable link: http://rs.mail.ru/b27161485.swf?link1=javascript:alert(document.domain) Just click on the page and you will see the alert. Tested on Mozilla Firefox. Regards, Florin...
InVision: TLS Renegotiation and Denial of Service Attacks on InVision.
Hi, I found a bug in your website. It's a TLS Renegotiation and Denial of Service attack. Description:- A group of hackers known as THC (The Hacker's Choice) last week released an interesting DoS tool that works at the SSL/TLS layer. The tool is exploiting the fact that, when a new SSL connection i...
Khan Academy: Lighttpd version disclosure / directory listing
Hello there, the website at http://graphite.khanacademy.org/ isn't configured correctly. It displays the lighttpd version as well as the directory contents. You should disable these features in your lighttpd.conf / php.ini. PoC: Index of / Name Last Modified Size Type Parent Directory/ - Directory...
Slack: csrf
Hi, Anti-CSRF tokens to prevent CSRF attacks are missing on this link https://sehacure.slack.com/help/requests/new A new request can be submitted by a malicious guy to the support team on behalf of the user. The victim will never get to know. 1 Go to this link...
Internet Bug Bounty: Secrets not masked in UI when sensitive variables are set via Airflow cli
A vulnerability was discovered in Apache Airflow where sensitive variables set using the Airflow CLI were not properly masked in the UI, specifically in the Audit logs page. This issue was addressed in the 2.10.3 release of Apache Airflow...
Internet Bug Bounty: important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477)
important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477) A null pointer dereference vulnerability was discovered in mod_proxy in Apache HTTP Server versions 2.4.59 and earlier. This vulnerability allowed an attacker to crash the server ...
Node.js: Proxy-Authorization header is not cleared in cross-domain redirect in undici
A vulnerability was found in undici prior to version 6.5.0 where the Proxy-Authorization header was not cleared during cross-domain redirects, potentially leaking credentials to third party sites...
TikTok: Multiple Open Redirect on TikTok domains
An open redirect vulnerability was discovered in the login process on TikTok Seller domains. This could have allowed takeover of a TikTok Seller account. The issue was reported privately and has been resolved...
Node.js: Permission model bypass by specifying a path traversal sequence in a buffer,
A vulnerability was discovered in Node.js version 20, specifically within the experimental permission model. This flaw allowed for the bypassing of file permissions by specifying a path traversal sequence in a buffer. The vulnerability affected all users utilizing the experimental permission mode...
HackerOne: An attacker can can view any hacker email via /SaveCollaboratorsMutation operation name
An attacker could view any hacker or normal user's email on HackerOne by sending an invitation via a dummy report, thereby disclosing their private email...
Internet Bug Bounty: [CVE-2023-22796] Possible ReDoS based DoS vulnerability in Active Support’s underscore
A regular expression based Denial of Service (DoS) vulnerability was discovered in Active Support. The vulnerability allowed for a specially crafted string to cause the regular expression engine to enter a state of catastrophic backtracking, leading to excessive CPU and memory usage. The...
LinkedIn: Information disclosure by sending a GIF
Critical information about LinkedIn users, including their operating system, browser, IP address, device ID, phone model, and time zone, could be obtained by an attacker through the use of a GIF sent via the messaging feature. The vulnerability affected all platforms where the link could be used,...
HackerOne: HTML Injection in email via Name field
Hello Gents, I would like to report an issue where attackers are able to inject HTML into the Name field at app.qualified.dev. Steps to reproduce: 1. Please register at https://app.qualified.dev/signup 2. Inject the Name field with any HTML payload. 3. Open the victim's test email, HTML will be...
curl: CVE-2022-30115: HSTS bypass via trailing dot
curl allows users to load an HSTS cache which will cause curl to use HTTPS instead of HTTP given an HTTP URL for a given site specified in the HSTS cache. If a trailing dot is used, the HSTS check will be bypassed. If a user has a preloaded hsts.txt: Your HSTS cache. https://curl.se/docs/hsts.htm...
U.S. Dept Of Defense: CORS Misconfiguration
Vulnerable Url: www.█████████ Summary: Cross-origin resource sharing (CORS) is a browser mechanism that enables controlled access to resources located outside of a given domain. However, it also provides a potential for cross-domain-based attacks, if a website's CORS policy is poorly configured and...
Reddit: Missing rate limit in current password change settings leads to Account takeover
Summary: Happy Wednesday, I've found a missing rate limit protection in https://reddit.com and https://vip.reddit.com in the password change settings. The "enter the current password" security mechanism is implemented to prevent cyber attackers from changing the password without knowing the current...
Rocket.Chat: Post-Auth Stored XSS with User Interaction leads to Remote Code Execution
Summary: Unsafe usage of the toastr library leads to Stored XSS when combined with a validation bypass in the createRoom function. Targeting an admin account leads to Remote Code Execution. Description: The frontend uses the toastr library to display error messages to the user. However, it is use...
h1-ctf: HackyHolidays 2020 Full Write-up: Information Disclosure of 12 Flags
Intro This is my report for the 2020 Hacky Holidays HackerOne CTF. I managed to find all 12 flags with the assistance of my little helper, Jake. He specialises in brute-forcing via a unique keyboard mashing technique: F1134543 Anywho, let's get started... Flag 1: Robots The first one was a nice...
TikTok: RCE on TikTok Ads Portal
The video upload endpoint on the TikTok Ads portal was potentially susceptible to remote code execution (RCE) due to a ffmpeg misconfiguration. We thank @bubbounty for reporting this to our team and confirming the resolution. During my research on the TikTok Ads portal I found an RCE through the...
Nextcloud: Stored XSS in markdown file with Nextcloud Talk using Internet Explorer
While editing a markdown file through the text app, users can create link elements that have a javascript URL such as javascript:alert(1). Steps to reproduce: While editing a markdown file, select some text and click the "Add Link" button. Using a web proxy, intercept the request and change the hre...
Moneybird: Stored XSS on add project
The researcher found a way to store a snippet that was served to him and/or other users of his administration. Subsequently the snippet was executed by his browser, making it a viable XSS vulnerability...