Paragon Initiative Enterprises: Github wikis are editable by anyone https://github.com/paragonie/password_lock/wiki
submitted a misconfiguration in some of our GitHub repositories to us. Wikis are inherently editable for all users, but for some repositories an organization may want to restrict this access. In some cases it was possible for GitHub users . Github wikis on the following project...
Rockstar Games: The return of the <
In this report, the researcher was able to demonstrate a Stored XSS vulnerability in our Message system on the Social Club website. By taking advantage of the fact that '<' characters are normalized to '.͓̮̮ͅ=sW&͉̹̻͙̫̦̮̲͏̼̝̫́̕...
Shopify: Any staff member with the ability to comment in [discounts] can disable the comment section for other staff, even the admin of the store
Hi, I found this cool behavior by mistake when I was testing some GraphQL: any user with the ability to comment on discount codes in the discounts section can turn off comments for the other staff members, including the admin/manager of the store. This happens because when the GraphQL used to create a...
TomTom: Reflected Cross Site Scripting vuln in tomtom.com
Hello Tomtom security team I found a reflected cross site scripting security vulnerability in tomtom.com https://www.tomtom.com/nlnl/search/?q=27%22--%3E%3CDetails%20Open%20OnToggle=confirmdocument.domain%3E This payload when loaded displays the domain the XSS vulnerability occurs in www.tomtom.c...
Mail.ru: phpinfo
phpinfo was available at terrhq.ru subdomain...
Mail.ru: Phpinfo
phpinfo was available at terrhq.ru subdomain...
Razer US: Razer Synapse 3 Chromasdk.io Root CA with Private Key Re-use
The researcher found that a root certificate was preinstalled with the Chroma SDK with an exposed private key. He assisted us in testing a fix. This was integrated into the codebase in May and published at the end of June. We appreciate his assistance working with us on this issue. Razer Synapse 3...
Mail.ru: CSRF on Pandao image upload
Domain, site, application https://pandao.ru/ -- Don't forget to include site address / application name / version information https://pandao.ru/ Testing environment -- OS version, browser information, settings and prerequisites to reproduce vulnerability, testing tools used, etc Parrot OS Steps t...
Ruby on Rails: Specially constructed multi-part requests cause multi-second response times; vulnerable to DoS
The multi-part body parsing in Rack and consequently Rails has a worse-than-linear performance relative to the number of parts in the request body. In small scale i.e. non-disruptive tests on a variety of Rails applications on the internet, including my own, GitHub.com, Heroku API, Instacart,...
h1-5411-CTF: MemeCTF serial exploitation to local file read to Papertrail access via API-token leakage and more
Hi there dear CTF staff! First of all a huge thank you for the great challenge you put up! I've found it super exciting and the learning curve has been steep. For this case, I was first wondering if this is a part of the actual CTF, but after some inspecting, it surely doesn't seem so! I did even...
PayPal: [Venmo Android] Remote theft of user session
A URL activity in the Venmo application used the built-in android.net.Uri parser, which has a known logic problem with certain characters. If an external URL were passed from a website or other app on the device to the application activity, the app would open the URL without properly validating t...
DuckDuckGo: SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)
Hello, I saw that SSRF on proxy.duckduckgo.com is out of scope but because of the severity I wanted to report this. The payload is simple: curl "https://proxy.duckduckgo.com/iur/?f=1&imagehost=http://169.254.169.254/latest/meta-data/" Response from the server: ami-id ami-launch-index...
VK.com: Access to administrator FAQ
Viewing of some closed FAQ articles. The vulnerability allowed access to the "talmuds" at vk.com/tlmdXXX, which store information for administrators and moderators of the VKontakte social network... Obtaining access to admin information... @ 500$...
Valve: Stored XSS @ https://steamcommunity.com/search/users/#text= via Profile Name
Dear Valve security staff, Short description --------------------- There is a stored cross-site-scripting vulnerability present at the user search endpoint which can be exploited by modifying the profile name of the would-be attacking account. See POC picture. Steps to reproduce ---------------------...
HackerOne: Program metrics disclosed response_efficiency_percentage via /program_name json response despite the team decided not to show on their profile
Hi Team, Summary: First of all, I am not sure if a private program or any program has the capability to not show their response efficiency, but I assume they have because I saw some private programs that do not show the response efficiency percentage on their public page. Description: Below is a list of...
Mail.ru: api.icq.com / ability to edit the text of any user or group by forwarding it.
I found a nasty hole. The thing is that when forwarding a message from a user or group, the text sits in a parameter. Of course I tried to edit it and send the packet, but it never worked, and then I used an old trick: usually a GET request goes first, and that is the one we change, but after it comes a POST request which...
Node.js third-party modules: [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server
Hi Guys, crud-file-server allows embedding HTML in file names, which under certain conditions might lead to executing malicious JavaScript. Module crud-file-server This package exposes a directory and its children to create, read, update, and delete operations over http...
Khan Academy: CSRF token fixation and potential account takeover
Hi Team, Details: I have found that the csrftoken fkey parameter which prevents CSRF attacks is fixed in the same browser and doesn't change even when the user logs in or out, so a lot of users can use the same CSRF token. This can be exploited in 2 ways: Shared computers: - attacker opens...
Trello: Trello Gold accounts free for 1 year
It is possible to create Trello Gold accounts and use them for free for 1 year. The issue lies in credit card validation. PoC: 1. Create a new trello account 2. After verification, go to Profile Trello Gold 3. Choose billed annually, enter a valid credit card number with $0 on it, and click on...
GitLab: GitHub import allows user to create child group under existing namespace
When importing a GitHub repository on GitLab, a request is made to /import/github. The user is allowed to pass along a target namespace where they want to add the repository. In this process, the code will create the namespace if it doesn't exist already. However, this can be used to create a...
Semrush: Single Sign On - Clickjacking
Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on. Browsers Verified In: Any Steps To Reproduce: Create an HTML file containing...
Coursera: No Password Verification on Changing Email Address Causes Account Takeover
On the coursera.org website, there is no password verification on changing the email id. Generally, when a user tries to change the password, they are asked to verify the request by entering the old password. For the same reason a verification should be there on changing the email. But the worst part is, when a user...
Gratipay: xss
XSS for this page and form type https://gratipay.com/apply...
Legal Robot: 2FA Error Handling on Google Authenticator
While searching for bugs in a recently launched 2FA feature, a security researcher discovered that client-side error handling for 2FA was incomplete and could cause confusing results for users. When 2FA failed, there was no error message returned to the client and the login progress spinner...
Weblate: Rate Limit Bypass on login Page
Hi, Your web authentication endpoint, https://demo.weblate.org/accounts/login/ POST, currently protects against credentials brute-force attacks only by requests rate-limiting based on IP. It was found that if an attacker sends login requests faster than every 4 seconds from the same IP address, i...
Udemy: Subdomain Takeover (and Stored XSS) via Trailing Dot at https://coding-exercises.udemy.com
Hello @Udemy! Summary ===== I previously reported a cross-site scripting vulnerability 222337 at coding-exercises.udemy.com. I recently discovered that GitBook-hosted sites are also vulnerable to subdomain takeovers due to a trailing dot vulnerability in the GitBook "Custom Domain" feature seen...
OLX: Public Vulnerable Version of Confluence https://confluence.olx.com
The public server is vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence. Link to the public issue: https://jira.atlassian.com/browse/CONF-39704 PoC: GET:...
Zomato: Unauthorised Access to Anyone's User Account
When we do Login with Facebook on the Zomato app, you're doing zero authentication of the user. I'm able to hack into the targeted user's accounts by just using the Facebook ID. Affected API raw request: POST...
Discourse: Stored XSS in posts because oembed variable values are not escaped
Hello! Steps to reproduce: 1. Paste this payload URL in the post: http://89.223.28.48/oembedvideo.html?uncache 2. Save the post and you will see the XSS fire. F151922 The vulnerability exists because oembed variable values are not escaped. There is the oembed link in the payload page...
Uber: IDOR on partners.uber.com allows for a driver to override administrator documents
An IDOR in the /p3/drivers/uploadDocument endpoint on partners.uber.com allowed a driver to upload and overwrite documents for other drivers on a multi-driver account. In addition to this, there was an access control issue where a driver account could also upload and overwrite documents for the...
Uber: Reflected XSS in lert.uber.com
Due to a lack of input validation from the search field on lert.uber.com, it was possible to obtain a Reflected XSS from the URL path, e.g. https://lert.uber.com/s/search/All/Home"PAYLOAD. Thanks, @hussain0x3c!...
Pushwoosh: Administrator Access To Management Console
Malicious user had the administrator access to RabbitMQ...
Pushwoosh: Spoof Email with Hyperlink Injection via Invites functionality
Email Spoofing via hyperlink injection. Design Issue, Missing Best Practice, Low severity...
GitLab: Mailgun misconfiguration leads to email snooping and postmaster@-access on email.mg.gitlab.com
Hi, Previously a blog post went out about Uber's Sendgrid issues: http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty Also, a report from @uranium238 went out due to a similar issue with Slack that I know uses Mailgun: https://hackerone.com/reports/163938...
LocalTapiola: Oracle WebCenter Sites Support Tools available and Information disclosure (/cs/Satellite)
Oracle WebCenter Sites Support Tools are available on: www.lahitapiola.fi This software is password protected, but some pages are publicly available and reveal internal information. The welcome page is located at: http://www.lahitapiola.fi/henkilo?pagename=Support/Home This page reveals data such as th...
Shopify: Access to Splunk at https://apt.ec2.shopify.com:8089
Description: Default Splunk admin credentials were found at https://apt.ec2.shopify.com:8089 Default credentials login:admin password:changeme See pic 1 as POC Resolution: Change credentials Please let me know if you need some extra information. Sorry if this report is out of scope, I thought it...
Instacart: Host Header Injection/Redirection in: https://www.instacart.com/
Hi, Your website is vulnerable to Host Header Injection because the host header can be changed to something outside the target domain. In many cases, developers trust the HTTP Host header value and use it to generate links, import scripts and even generate password reset links with its...
Coinbase: No authorization required in iOS device web-application
Hey, this is Ahsan Tahir! I've found an authorization issue in coinbase! :- Issue ======= When we log in to coinbase using a PC that is not authorized, it asks for authorization using a link which is sent to our email, and we have to authorize it by clicking on that email; but, when we log in on an iOS device...
Nextcloud: Log pollution can lead to HTML Injection.
Hi Team, I was looking around in your app, and in the log part accessed by the admin, I noticed that the log file is downloaded as an HTML file. Naturally I started trying to inject code, and I noticed that when HTML code is inserted, an HTML comment start tag is inserted. But I was able to bypass this...
Internet Bug Bounty: Adobe Flash Player ShimContentResolver.configure Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimContentResolver.configure. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platform used for...
Internet Bug Bounty: Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
This is a retroactive submission of CVE-2016-0703, a.k.a. the "Extra Clear" bug, which can lead to the Special DROWN variant of the DROWN attack. After some discussion with the other DROWN authors, I'm submitting on behalf of myself David Adrian and J. Alex Halderman the vulnerability...
Uber: Possible to View Driver Waybill via Driver UUID
Due to an access control vulnerability it was possible to view the waybill of an arbitrary driver/partner by supplying their UUID to the /rt/drivers/DRIVERPARTNERUUID/waybill endpoint...
Pornhub: Public Facing Barracuda Login
The researcher identified that the mail.pornhub.com subdomain has a public facing web login for Barracuda Spam & Virus Firewall...
Internet Bug Bounty: Adobe Flash Player Race Condition Vulnerability
Adobe Flash Player is prone to a race condition vulnerability which leads to a Use After Free. A COM Object will be initialized twice and uninitialized when the count number decrements to zero by the main thread. As we could force the second initialization to be called by a Worker thread, the...
Mail.ru: Information leak via JSONP (XSSI)
Information disclosure for logged-in user in out-of-scope service...
Ruby on Rails: Remote code execution using render :inline
Possible remote code execution vulnerability in Action Pack. There is a possible remote code execution vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-2098. Versions Affected: 3.2.x, 4.0.x, 4.1.x, 4.2.x Not affected: 5.0+ Fixed Versions: 3.2.22.2,...
Mail.ru: [parapa.mail.ru] SQL Injection
Good afternoon. Vulnerability type - Time Based SQL Injection, Vulnerable parameters - the parapauid and parapasid cookies. The vulnerability reproduces on many pages of the site, including the forum. PoC GET /forums/ HTTP/1.1 User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64 AppleWebKit/537.36 KHTML, like Gecko...
Slack: Stored XSS in Slack (weird, trial and error)
Hi slack. I found a weird, trial and error Stored XSS in Slack... I hope you can get clear on this and get it too.. and I hope you can find the XSS too. Anyway here it is according to what I did: 1. Go to your Slack or create a new Slack team. 2. In slackbot.. enter this payload: 3. Then, Create ...
Udemy: Reflected XSS and/or malicious redirection via JWPlayer 6 configuration modification
1. A malicious attacker, by visiting a course page e.g. https://www.udemy.com/overview-of-big-data-hadoop/ and intercepting the browser's generated requests, can find one to the following URL:...
Internet Bug Bounty: Arbitrary code execution in str_ireplace function
https://bugs.php.net/bug.php?id=70140...