Liberapay: Leaking Of Sensitive Information on Github
Summary: Sensitive Data were leaked in https://github.com/liberapay/liberapay.com Steps To Reproduce: 1. Install gitleaks from https://github.com/zricethezav/gitleaks 2. Run the following command in a Linux terminal gitleaks -v --pretty -r=https://github.com/liberapay/liberapay.com The following...
Internet Bug Bounty: [CVE-2024-54133] Possible Content Security Policy bypass in Action Dispatch
A vulnerability was discovered in the content_security_policy helper in Action Pack of Ruby on Rails. Carefully crafted inputs were able to inject new directives into the Content-Security-Policy (CSP) header, potentially leading to a bypass of the CSP and its protection against cross-site scripting (X...
Top Echelon Software: Public and secret api key leaked in JavaScript source
Summary: I was surfing the bb3jobboard.topechelon.com website and found sensitive data, including an authentication key, written in a publicly accessible JavaScript file. URL Vulnerability https://bb3jobboard.topechelon.com/!/search?page=1 Steps To Reproduce: Open...
Pornhub: SSRF and local file disclosure by video upload on https://www.tube8.com/
The researcher was successful in exploiting a vulnerability in 3rd party encoding library resulting in the execution of SSRF attacks and Local File Disclosure...
Internet Bug Bounty: netrc and redirect credential leak
The netrc file in curl could lead to the unintentional leakage of a password to a different host when following HTTP redirects, if the netrc file had an entry matching the redirect target hostname but omitting either just the password or both login and password...
Cloudflare Public Bug Bounty: Take over subdomains of r2.dev using R2 custom domains
███████ ████ ████ ███████████████████████████ ███ ██████████ It is possible to take over any subdomain of r2.dev, possibly also the base domain, and have it serve the contents of an R2 bucket in your account. Requirements Access to R2 public buckets in the dashboard is currently behind a flag. The...
Mattermost: HTML injection via invite members can lead to account takeover
An HTML injection vulnerability was found on the website that allowed an attacker to inject HTML code into an email invitation sent to a victim. This could lead to the victim being redirected to a malicious site or tricked into giving away login credentials...
Fastify: Remote Code Execution via unsafe usage of `reply.view({ raw })` in @fastify/view (EJS template engine)
The @fastify/view plugin, when used with the EJS engine and the reply.view({ raw }) pattern, allowed arbitrary EJS execution. This vulnerability arose from the fact that Fastify trusted the raw template string without sanitization or restrictions when passed directly to EJS's compile method, leading ...
Internet Bug Bounty: Multiple HTTP Smuggling reports
These reports spread over several years and are all about HTTP Smuggling issues: HTTP request or response splitting, cache poisoning, security filter bypass. I've made reports on a wide range of open source projects, explaining the not always easy problems to the various security maintainers...
JamieWeb: Insecure Transportation Security Protocol Supported (TLS 1.0) on https://www.jamieweb.net
Summary: https://www.jamieweb.net still supports the TLS 1.0 protocol, which has several flaws. Vulnerability: With an SSL security scanner I was able to identify that an insecure transport security protocol (TLS 1.0) is still supported by your web server. TLS 1.0 has several flaws. An attacker can...
Weblate: CSV export filter bypass leads to formula injection.
Dear Weblate bug bounty team, Summary --- The new filter can be bypassed using: %0A-3+3+cmd|' /C calc'!D2.

```python
# Payload from the report: a leading newline (%0A) means the first
# character is not one of the checked formula prefixes, so the
# filter below leaves the formula untouched.
text = "%0A-3+3+cmd|' /C calc'!D2"

def csv_filter_bypass(text):
    # Filter as quoted in the report: only prefixes a quote when the
    # first character is a formula trigger, so it misses the payload.
    if text and text[0] in ('=', '+', '-', '@'):
        return "'" + text
    return text
```

How can this be fixed? --- You need to escape and detect...
Pornhub: XSS Vulnerability at https://www.pornhubpremium.com/premium_signup? URL endpoint
The researcher discovered an XSS-vulnerable parameter at the premium_signup endpoint...
Zomato: Clickjacking: Delete Account, Change privacy settings, Rate business, follow/unfollow (IE)
Inspired by report 337219. Please note that this report includes a clear security impact as well as a proof of concept. CVSS ---- medium 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L Description ----------- The application does not send an X-Frame-Options header, thus allowing pages to be...
LocalTapiola: DoS of www.lahitapiolarahoitus.fi via CVE-2018-6389 exploitation
Description There is a possibility in the /wp-admin/load-scripts.php script to generate a large (3 MB) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389 Details A detailed attack scenario is described for example here:...
Node.js: CRLF Injection in legacy url API (url.parse().hostname)
Summary: There is CRLF Injection in legacy url.hostname API. Description: During the recent penetration test, I have found a whitelist bypass using CRLF Injection. We did a code review and determined the issue is in a legacy url.hostname API. Not sure if it's a known issue or not, I wasn't able t...
Deriv.com: Mailgun subdomain takeover
Summary: I have found an unclaimed subdomain of deriv.cloud, which is successfully claimable. Platforms Affected: email.mailgun.deriv.cloud Steps To Reproduce: You just need a Mailgun account and then you can successfully claim this domain. Supporting Material/References:...
U.S. Dept Of Defense: Unrestricted File Upload Leads to XSS & Potential RCE
Summary: Unrestricted file upload at ████████/request?openform. When the user wants to upload a file, the app allows the user to upload an HTML file, leading to stored XSS and creation of a simple PHP script. A user can upload the HTML file and trigger XSS, and trigger potential RCE with a PHP shell...
Dropcontact: Django DEBUG mode enabled and leaked system information.
We were leaking / showing system information. Django DEBUG mode was enabled and showing some information on some errors. I just followed the errors and finally got some sensitive system information such as configuration, API keys, database users, system directories, etc...
Khan Academy: Weak Ciphers Enabled
Vulnerability Details:- I detected that weak ciphers are enabled during secure communication (SSL). You should allow only strong ciphers on your web server to protect secure communication with your visitors. Impact:- Attackers might decrypt SSL traffic between your server and your visitors. Remedy:...
Krisp: SQL Injection + Insecure Deserialization leads to Remote Code Execution on https://krisp.ai
The tenweb-speed-optimizer WordPress plugin prior to version 2.12.22 was vulnerable to unauthenticated SQL injection in /wp-json/tenwebio/v2/compress-one, which could be exploited to gain remote code execution by chaining it with insecure deserialization...
██████: Golden techniques to bypass host validations in Android apps
███...
Starbucks: Java Deserialization RCE via JBoss on card.starbucks.in
The researcher discovered that a Starbucks online system running on the domain http://card.starbucks.in/ performs deserialization of java objects that are submitted by users on a specific path belonging to JBOSSMQ without sanitizing/validating the data. As a result, an attacker can inject a...
U.S. Dept Of Defense: springboot actuator is leaking internals at ██████████
Proof of Concept If you go to https://█████████/actuator you'll get a complete overview of all the endpoints that are accessible. Suggestion: Use a Firefox browser if possible; its JSON representation is well formed and the links are clickable ██████████ Impact Information Disclosure...
U.S. Dept Of Defense: CVE-2020-3187 - Unauthenticated Arbitrary File Deletion
A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted...
U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA
I found out that https://███/ was vulnerable to CVE-2020-3452. The IP has an SSL certificate pointing to DoD. curl -kv https://██████████/ Output: Server certificate: subject: █████ Impact Anyone can read any file present on the server. System Hosts ████ Affected Products and Versions CVE Numbers...
Node.js: Node Installer Local Privilege Escalation
Node is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. To demonstrate thi...
Rockstar Games: Bypass CAPTCHA protection
In this report, the researcher found that it was possible to bypass our CAPTCHA check by injecting a random value into the X-Forwarded-For header in the sign in POST request. At the time the researcher submitted this report, we only enforced CAPTCHA checks on sign-in requests that had failed...
Shopify: Subdomain takeover on s3.shopify.com
Foreword I know that this is not explicitly in scope, but I still felt it was serious enough to justify a report and let you decide the potential impact. Description The subdomain s3.shopify.com was pointed using a CNAME to Amazon S3, but no bucket with that name was registered. This meant that anyo...
ownCloud: Apache Range Header Denial of Service Attack (Confirmed PoC)
owncloud.com is vulnerable to Apache range header denial of service. This was confirmed by injecting Range: header payloads and analyzing the request vs. response times to an arbitrary page. The results confirm that processing times took up to 50,000 milliseconds per request when the range header...
Sifchain: CORS Misconfiguration
Summary: A cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of th...
Mail.ru: [mobs.mail.ru] nginx path traversal via misconfigured alias
Domain, site, application -- mobs.mail.ru Steps to reproduce -- http://mobs.mail.ru/media../mobs/settings.py Actual results -- py ... SECRET_KEY = '████████████' ... DISTIMO_PRIVATE_KEY = '████████████' ... PoC, exploit code, screenshots, video, references, additional resources --...
Omise: Facebook Username Takeover via Broken Link in Footer
The Facebook username associated with the broken link in the footer was available for takeover. This could have allowed an attacker to create a fake Facebook page and mislead users into trusting it...
Acronis: Subdomains takeover of register.acronis.com, promo.acronis.com, info.acronis.com and promosandbox.acronis.com
Summary: The Subdomains https://register.acronis.com, https://promo.acronis.com, https://info.acronis.com and https://promosandbox.acronis.com are vulnerable to takeover due to unclaimed marketo CNAME records. Anyone is able to own these subdomains at the moment. This vulnerability is called...
Mail.ru: Blind SSRF on sentry.dev-my.com due to Sentry misconfiguration
Insufficient isolation of Sentry installation could potentially lead to blind SSRF...
U.S. Dept Of Defense: Remote Code Execution through DNN Cookie Deserialization
Summary: The application at https://████████ presents a deserialization vulnerability that permits RCE and file read/write Step-by-step Reproduction Instructions 1. Navigate to a random page that must return a 404 Error status like https://████/test 2. Add this cookie in the request header:...
Logitech: Host Header injection in oslo.io (using X-Forwarded-For header) leading to email spoofing
Hello team, I hope it will be a happy year for you and for me 😇 Summary: I found Host Header injection in oslo.io. I tried to use it to show the security effect on users, and I found this. Steps To Reproduce: 1. Well, first of all, enter your project 2. Make an invitation by email 3. Now through the...
AWS VDP: A potential risk in the aws-lambda-ecs-run-task which can be used to privilege escalation.
The aws-lambda-ecs-run-task application created a function with a role that had excessive permissions, including the AdministratorAccess policy. This allowed for potential privilege escalation by an attacker...
CS Money: Pixel Flood Attack leads to Application level DoS
Summary: Hello Team, I had gone through your policy and I saw that DoS is out of scope, but I am not sure about application-level DoS. Another reason to report this attack is that it affects real customers who want to chat with your support team. I had tested this with two accounts 1. From...
Pornhub: Blind XSS in redtube administering site my.reflected.net
Researcher was able to execute Blind XSS in Redtube WAF administering panel Blind XSS in Redtube WAF administering panel...
Imgur: SSRF in https://imgur.com/vidgif/url
Hello, Short description ======== https://imgur.com/vidgif/url endpoint is vulnerable to a SSRF vulnerability which allows an attacker to craft connections originating from imgur servers to any destination on the internet and imgur internal network and craft outgoing UDP-packets / telnet-based...
Internet Bug Bounty: mod_userdir CRLF injection (CVE-2016-4975)
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Reported to security team 24th July 2016 Issu...
BTFS: Subdomain Takeover uptime
Hello Team: I can't report it to the company, so I hope you accept it as a valid bug. I found a subdomain takeover in your subdomain uptime.btfs.io; I found this subdomain pointed to UptimeRobot and not claimed, so I signed up in UptimeRobot and claimed it. POC: ------ 1 - open https://uptime.btfs.io...
Yelp: DoS of https://blog.yelp.com/ and other WP instances via CVE-2018-6389
Description: There is a possibility in the /wp-admin/load-scripts.php script to generate a large (3 MB) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389 Details: A detailed attack scenario is described for example here:...
U.S. Dept Of Defense: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████
Description Hello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25: CVE-2019-11510 - Pre-auth Arbitrary File Reading CVE-2019-11542 - Post-auth Stack Buffer Overflow CVE-2019-11539 - Post-auth...
QIWI: [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/
An XML external entities injection vulnerability exists on the soap server hosted on send.qiwi.ru. The attack allows an attacker to open local files although perhaps not return the data, see below, leading at best to a DoS. Often this attack can be used to extract files from the server such as...
InVision: Backup of wordpress configuration file found. Leaking database users/passwords
Hi there, I noticed that there is a backup of the WordPress configuration file, wp-config.php.orig, publicly accessible. This file contains some sensitive information about your WordPress installation, including database users/passwords and secret tokens. Proof curl...
MTN Group: Reflected XSS in chatbot
Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts Pro...
HackerOne: RCE in profile picture upload
Issue ===== The profile picture upload at /settings/profile/edit is vulnerable to remote code execution due to the uploaded file being passed to ImageMagick without checking whether it's an actual image. Combined with the fact that ImageMagick parses ASCII text as so called MVG Magic Vector...
U.S. Dept Of Defense: XSS due to CVE-2020-3580 [███]
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct cross-site scripting XSS attacks against a user of the web services interface of an...
GitHub Security Lab: Java/CWE-036: Calling openStream on URLs created from remote source can lead to file disclosure
This bug was reported directly to GitHub Security Lab...