Internet Bug Bounty: OpenSSH: Memory corruption in AES-GCM support
Vulnerability: A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher [email protected] or [email protected] is selected during kex exchange. If exploited, this vulnerability might permit code execution with the privileges of the...
U.S. Dept Of Defense: CVE-2023-26347 in https://████.mil/hax/..CFIDE/adminapi/administrator.cfc?method=getBuildNumber&_cfclient=true
CVE-2023-26347 was discovered in Adobe ColdFusion versions 2023.5 and earlier and 2021.11 and earlier. The vulnerability was an Improper Access Control issue that could result in a Security feature bypass. Unauthenticated access was possible to the administration CFM and CFC endpoints...
Nextcloud: RCE on Wordpress website
A remote code execution vulnerability was exploited on a WordPress website due to unsafe deserialization of user input. This allowed arbitrary code execution as the web server user...
Internet Bug Bounty: Integrity checks according to policies can be circumvented in Node.js 20 and Node.js 18
Integrity checks according to Node.js policies can be circumvented, allowing untrusted code to execute with elevated permissions. This affects Node.js 18.x and 20.x when using the experimental policy feature. The vulnerability was reported by Tobias Nießen, who also provided a patch that has been...
Mars: Test 4 █████
This is a test team summary with limited disclosure...
PlayStation: Remote vulnerabilities in spp
A vulnerability was discovered in the spp PPPoE implementation on the PS4/PS5. The vulnerability could allow a malicious PPPoE server to cause a heap buffer overwrite and overread, potentially leading to denial-of-service or remote code execution in kernel context. The vulnerability was caused by...
Mozilla: Mozilla Mastodon Staging Instance Admin API Key Disclosure Through Slack
Admin Mastodon API keys were inadvertently disclosed in the trust-and-safety-eng channel on Mozilla's Slack workspace, potentially granting unauthorized access to the Mastodon server and compromising user data. Immediate action is required to mitigate this vulnerability...
inDrive: Unlimited fake rate to the passenger in city to city, Affected endpoint `/api/v1/reviews/ride/<ID>/driver`
The vulnerability allowed an unlimited increase of the passenger's rating in the city-to-city shared ride feature. The request to the /api/v1/reviews/ride//driver endpoint was manipulated by changing the rating value to a higher number, which was accepted by the application and resulted in an...
HackerOne: Register & create a ticket as somebody else on HackerOne Support
A vulnerability was discovered on HackerOne Support that allowed an attacker to register and create tickets as different individuals. The issue was resolved by adjusting a setting in the Freshdesk Software...
U.S. Dept Of Defense: CVE-2023-24488 xss on https://██████/
Vulnerability description not provided...
HackerOne: Create miscellaneous support ticket on anyone's account through [email protected] email
A vulnerability was discovered where an attacker could create support tickets on anyone's account by sending a fake email to [email protected]. This allowed the attacker to create tickets on behalf of victims or even HackerOne staff. The issue was resolved internally and the created tickets...
Consensys: CSV Injection at https://assets-paris-demo.codefi.network/
Summary: Hi Consensys Security Team. I have found CSV Injection when generating a report at https://assets-paris-demo.codefi.network/ CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Microsoft Excel or...
U.S. Dept Of Defense: External service interaction ( DNS and HTTP ) in www.████████
An External Service Interaction vulnerability was found in www.█████████, allowing an attacker to induce the application to interact with arbitrary external services such as DNS and HTTP. This could lead to various attacks, including DDoS, OS Command Injection, DOS, and Code Manipulation...
Node.js: DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)
Summary: This is an insufficient fix of CVE-2022-32212, which itself is a fix of CVE-2018-7160. There exists a specific behaviour in browsers on macOS devices when handling the http://0.0.0.0 URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving host...
Internet Bug Bounty: Renderers can obtain access to random bluetooth device without permission
With the default configuration in Electron, renderer processes which should not have access to system resources by default can gain read/write access to a nearby bluetooth device. To reproduce: Run the electron-quick-start app with a vulnerable version of Electron:...
TikTok: Impersonation of tiktok account via Broken Link in TikTok Newsroom
A broken link was found on TikTok Newsroom, which could have allowed an attacker to claim the associated username and hijack the link. We thank @bushidobrown200 for reporting this to our team and confirming its resolution...
Shopify: Xss triggered in Your-store.myshopify.com/admin/apps/shopify-email/editor/****
Hi team, I have found Stored XSS in shopify-email. Reproduction Instructions / 1. Configure shopify-email for Shopify stores at https://apps.shopify.com/shopify-email 2. Go to Your-store.myshopify.com/admin/apps/shopify-email/template-branding 3. Change F1607675 with " click Save. 4. Now Select any...
JetBlue: Open Redirect
Vulnerability description not provided...
VK.com: Reflected XSS On https://vk.com/search
XSS in Search...
Zomato: Race condition in User comments Likes
The researcher found a Race Condition to artificially inflate the upvotes of user comments in the Restaurant's review section...
Traffic Factory: WordPress Plugin Update Confusion at trafficfactory.com
Hi, I'm currently researching a "novel" supply chain attack affecting WordPress plugins, and I believe your website might be vulnerable. The way it works is similar to a recent Dependency Confusion attack, where a malicious actor can take over internal packages unclaimed on PyPI / npm registry. I...
TikTok: Reflected XSS in TikTok endpoints
A cross-site scripting vulnerability was found in a few TikTok endpoints using the region parameter. We thank @sh1yo for reporting this to our team...
Bumble: Exfiltrating a victim's exact location (to within 5m)
I used Bumble's distance feature to exfiltrate the exact location to within approx 5m of a victim. I did this by using the Bumble API to move my attacker account's location around the approximate area of the victim. I was able to obtain the exact distance between attacker and victim at 3 separate...
HackerOne: Report Bulk endpoint "agree-on-going-public" action may reveal Report disclosure state for invite-only programs
Hello, hope you are doing well. SUMMARY - In HackerOne, a user doesn't have permission to do any action like "disclosing/undisclosing" on a disclosed report. - Here the user can send the "cancel-disclosure-request" request to the server, and the server accepts the request and gives a 200 OK response with ""flash":"The...
Mattermost: Mattermost Server OAuth Flow Cross-Site Scripting
Summary: The vulnerability is a reflected Cross-Site Scripting XSS via the OAuth flow. A victim clicking a malicious link pointing to the target Mattermost host will trigger the XSS. If the victim is a regular user, it is possible to obtain all of their Mattermost chat contents; if it’s an...
Nextcloud: Virtual Data Room / Hide download on collabora is easy to bypass
So, let me start with saying I'm not sure if this is a security issue or if it is by design. The reason I'm reporting it here is since Nextcloud promotes this Virtual Data Room a lot...
Exodus: Cache Poisoning DoS on downloads.exodus.com
Summary: Hello, the subdomain downloads.exodus.com hosts all files meant to be downloaded by Exodus users. A few of the files I found are: https://downloads.exodus.com/releases/exodus-linux-x64-21.4.9.zip https://downloads.exodus.com/releases/hashes-exodus-21.2.12.txt...
Homebrew: Brew bootstrap process is insecure
The process described in this page is not secure - no checksum / PGP signature is published and there is no way to check the download is legit: https://brew.sh/ `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"` This can lead to supply chain attacks su...
WordPress: Privilege Escalation via REST API to Administrator leads to RCE
Kien Hoang reported a privilege escalation vulnerability in the BuddyPress REST API. Through this issue, if registrations for new users are enabled, a non-admin user can gain administrator access on the site. The administrator access can then lead to remote code execution, as admins have the right...
Topcoder: IDOR at https://fast.trychameleon.com/observe/v2/profiles/ via uid parameter discloses users' PII data
Summary: Hello, an API on apps.topcoder.com/forums/ exposes the email of any user on topcoder.com and some PII (name, surname, id). Steps To Reproduce: 1. Create a profile at topcoder.com 2. Go to apps.topcoder.com/forums and log in to the forum 3. Enter any topic, example:...
GitLab: GitLab-Runner on Windows `DOCKER_AUTH_CONFIG` container host Command Injection
Summary: GitLab-Runner, when running on Windows with a docker executor, is vulnerable to Command Injection via the `DOCKER_AUTH_CONFIG` build variable. Injected commands are executed on the container host, not within a Docker container, and as such could compromise all future builds which are executed by...
Kubernetes: CVE-2019-11250 remains in effect.
Report Submission Form Summary: "CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs" remains in effect. Kubernetes Version: Affects at least all versions since 1.4. - This was determined with some git archaeology. This was determined by following the code snippet from its current...
InnoGames: Stored XSS on recruit.innogames.de
Summary: When applying for a Supporter/Moderator job at recruit.innogames.de the drop-down field "Position" is vulnerable to a stored XSS as the content is not validated. Description: Steps To Reproduce: 1. Visit https://recruit.innogames.de/staemme/de/index/page/show/apply 2. Fill out all requir...
Snapchat: CreatorID leaked from public content posted to SnapMaps
TL;DR - the Snap Map media responses unnecessarily return a creatorId. The creator's Snap username cannot be immediately derived from creatorId, but users can use the creatorId to correlate multiple public snaps with that creator. The impact is limited by the fact that all Our Story Snaps that...
Open-Xchange: Blind SSRF in /appsuite/api/oxodocumentfilter&action=addfile
Summary: Logic in AddFileAction.getImageDataFromUrl for fetching images from external URLs when handling /appsuite/api/oxodocumentfilter&action=addfile (implemented here) validates the redirected URLs only after following all redirects: `response = httpClient.execute(getRequest, context); int...`
Mail.ru: Information Disclosure on {http://pro.tracker.my.com}
Prometheus performance metrics were publicly available on pro.tracker.my.com...
GitLab: SSRF on project import via the remote_attachment_url on a Note
Summary: The Note model has an attachment which is provided by a CarrierWave uploader: `mount_uploader :attachment, AttachmentUploader` One of the features this provides is the ability to download and attach a file via a URL, see...
Google: CVE-2020-8913 - Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC
██████████████████████████...
curl: Heap buffer overflow in TFTP when using small blksize
Summary: With a TFTP server that does not send OACK, but instead starts anyway with the first block at 512 bytes block size, the curl library fails to assume the default 512-byte blocks. Instead it detects EOF and does not return an error code. The consequence is a truncated file that is 512 bytes without...
Internet Bug Bounty: Out of Bounds Memory Read in exif_scan_thumbnail
I have found and reported an out of bounds memory read in PHP exif_scan_thumbnail. When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data wha...
Informatica: accounts.informatica.com - RCE due to exposed Groovy console
Researcher identified a misconfigured "Groovy" panel on an AEM web application that was vulnerable to RCE. The panel was subsequently disabled...
Nextcloud: SignUp using Fake Email
In this trial I used the email '[email protected]' and after pressing the SIGN UP button it will automatically redirect to https://ppp.woelkli.com/apps/preferredproviders/password/set/emailfakeforregister/H2qlEWHxQ3yiJgCsEXkR8, not through the account verification process first. For full the link Po...
Paragon Initiative Enterprises: Github wikis are editable by anyone https://github.com/paragonie/password_lock/wiki
submitted a misconfiguration in some of our GitHub repositories to us. Wikis are inherently editable for all users, but for some repositories an organization may want to restrict this access. In some cases it was possible for GitHub users . Github wikis on the following project...
TomTom: Reflected Cross Site Scripting vuln in tomtom.com
Hello TomTom security team, I found a reflected cross-site scripting security vulnerability in tomtom.com https://www.tomtom.com/nlnl/search/?q=27%22--%3E%3CDetails%20Open%20OnToggle=confirmdocument.domain%3E This payload, when loaded, displays the domain the XSS vulnerability occurs in www.tomtom.c...
Mail.ru: phpinfo
phpinfo was available at terrhq.ru subdomain...
Mail.ru: Phpinfo
phpinfo was available at terrhq.ru subdomain...
Mail.ru: PHP-FPM Status Page
PHP-FPM Status Page available on pubg.my.com...
Shopify: Bypass GraphQL rate limit by abusing negative cost queries
Hi security team, while looking into the GraphQL app I noticed an interesting implementation where each app has a bucket of query cost they are allowed to use in a given time, with a certain refresh rate associated with it. The details can be found at...
Zomato: Open Redirect On Your Login Panel
Summary: Hey, there is an open redirect on your login panel. Platforms Affected: Website. Browsers Verified In (If Applicable): Chrome for Android, Firefox for Android. Steps To Reproduce: 1. Go to this URL: https://www.zomato.com/login?redirecturl=https://askdcodes.org 2. Then log in there 3. boom you...
Ruby on Rails: Specially constructed multi-part requests cause multi-second response times; vulnerable to DoS
The multi-part body parsing in Rack, and consequently Rails, has worse-than-linear performance relative to the number of parts in the request body. In small-scale, i.e. non-disruptive, tests on a variety of Rails applications on the internet, including my own, GitHub.com, Heroku API, Instacart,...