VK.com: Open redirect in a bot message carousel
Open redirect in chat-bot carousels. The vulnerability allows redirecting a user to a malicious link from a carousel, bypassing away.php...
Nextcloud: Unexpected federated shares added via public link
So I'm not 100% sure if this is a security issue or not. But it is in my opinion at least unexpected and could be handled better to make sure people trust the system. 1. Get a public link share again plenty of those around 2. Click the 'add to your Nextcloud' 3. A federated share is added/create...
VK.com: Stored XSS when removing a group from a conversation (m.vk.com)
Insufficient filtering of characters in the community name...
Mail.ru: Path traversal on bank.mail.ru ( CVE-2013-3827 )
Defects in Oracle’s JSF2 implementation allowed limited path traversal in tbank.mail.ru...
Topcoder: Reflected XSS on https://apps.topcoder.com/wiki/page/
Summary: Hi : A reflected XSS occurs on https://apps.topcoder.com/wiki/pages/doeditattachment.action when editing wiki pages attachments. Steps To Reproduce: A user can add attachments on https://apps.topcoder.com/wiki/pages/viewpageattachments.action?pageId=165871793 a wiki page and can edit on...
Mail.ru: XSS in [community.my.games]
Cross-site scripting in community.my.games via post comments All we say is Thank You for an Account Takeover Flaw!...
Staging.every.org: Private account causes displayed through API
Summary: Any authenticated user can see which causes a private account user is interested in, by sending a GET request to the API, even though this information is not displayed anywhere on the profile page. In the profile settings, the following message is displayed for "Private Supporter" option...
Ubiquiti Inc.: Web Server Predictable Session ID on EdgeSwitch
In EdgeSwitch legacy web interface the SIDSSL cookie for admin can be guessed, enabling the attacker to obtain high privileges and get a root shell by a Command injection. These vulnerabilities were found on EdgeSwitch 1G switch ESWH and EdgeSwitch 10G switch ESGH firmware v1.9.0. The fix for the...
Mail.ru: SSRF in clients.city-mobil.ru
Limited non-blind SSRF in clients.city-mobil.ru the report was submitted before the launch of dedicated bug bounty scope for Citymobil Non-blind SSRF in apt-cacher, used for getting software updates, allowing limited requests to internal services...
Ruby: WEBrick::HTTPAuth::DigestAuth authentication is vulnerable to regular expression denial of service (ReDoS)
The private instance method splitparamvalue in class WEBrick::HTTPAuth::DigestAuth uses a regular expression that is vulnerable to denial of service due to catastrophic backtracking. The regular expression is: ^\s\w-.\%!+=\s"\.|^""\s,? Source:...
Internet Bug Bounty: DOS in stream filters
see bug report https://bugs.php.net/bug.php?id=76249 as simple as one process running in an endless loop Impact DOS, process ends up in an endless loop, CPU or available php processes or both of affected system get easily exhausted...
Mail.ru: sql
SQL interface for web analytics was available at terrhq.ru subdomain...
BOHEMIA INTERACTIVE a.s.: Weak Password Policy on Signup at https://accounts.bistudio.com/auth
Hi, I found that you are using a weak password policy! Because a user can set his password the same as his Email address! Steps To reproduce: 1. Register an account with Email address "[email protected]" 2. Also password "[email protected]". You can see both values are the same. You will become successfully register...
Khan Academy: SignUp With Fake Email
Hello KhanAcademy Security Team, I'm rootbakar, I found an oddity that allows a user to register with Khanacademy using an invalid or fake email. In this trial I used the email '[email protected]' and after pressing the SIGN UP button it will automatically enter the user dashboard pag...
pixiv: RCE due to ImageTragick v2
Hello Pixiv team! Your Image processing process is suffering from ImageTragick v2. The issue is caused by ghostscript RCE findings. How to reproduce: PATCH /design Host: manage.booth.pm send following image: ------WebKitFormBoundaryXX05yrKS4g8d9CWh Content-Disposition: form-data; name="shopheader";...
Node.js third-party modules: [samsung-remote] Command injection
I would like to report a command injection vulnerability in the samsung-remote npm module. It allows arbitrary shell command execution through a maliciously crafted argument. Module module name: samsung-remote version: 1.2.5 npm page: https://www.npmjs.com/package/samsung-remote Module Descriptio...
HackerOne: TeamProfile exposes partially sensitive information through GraphQL
I noticed there is a new field teamprofile added and using the graphql below the latest serious report and reports received in three months were exposed "query":"query Dashboardreportseveritybreakdowntable$first0:Int! \n query \n id,\n ...F0\n \n\nfragment F0 on Query \n...
Coinbase: User provided values trusted in sensitive actions
In the Coinbase zencart open source library, a researcher observed two issues related to making calls based on user provided values. The reporter observed that these issues could allow a malicious user to perform an open redirect and a CRLF injection in any PHP version =5.4.1. Unfortunately,...
U.S. Dept Of Defense: 2 vulnerabilities of arbitrary code in ████████ - CVE-2017-5929
Summary: GitHub repo: https://github.com/████████ QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. High Severity Arbitrary Code Execution Vulnerable module: ch.qos.logback:logback-core Introduced through:...
GitLab: [Markdown] Stored XSS via character encoding parser bypass
Hi @briann and team, A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript on GitLab 10.0 hosts. Given the nature of this injection, which makes use of a rather esoteric filter bypass, the scope for exploitation may vary...
X (Formerly Twitter): Remote Unrestricted file Creation/Deletion and Possible RCE.
Hello Gents, During my research on Twitter BBP, I found below domain name: Reverb.twitter.com Background: We worked with Twitter to develop TwitterReverb, an application that reveals how conversations arise and reverberate across the entire Twitter landscape. The custom application allows visitor...
Internet Bug Bounty: cURL / libcURL - CVE-2016-8624 invalid URL parsing with '#'
invalid URL parsing with '#' ============================ Project cURL Security Advisory, November 2, 2016 - Permalink https://curl.haxx.se/docs/adv20161102J.html VULNERABILITY ------------- curl doesn't parse the authority component of the URL correctly when the host name part ends with a ''...
Bumble: No rate-limit in SERVER_SECURITY_CHECK
Hi, When you log in from another IP address Badoo will ask to confirm the mobile number to authenticate. The problem is that there is no limit of tries. This makes this feature useless since it can be brute forced. In the video you can see at request 56 we found the right number which lead to...
Ubiquiti Inc.: UniFi Video v3.2.2 (Windows) Local Privileges Escalation due to weak default install directory ACLs
The UniFi Video Windows installation v3.7.3 and prior creates directories with insecure permissions, allowing unprivileged users to modify UniFi Video files and consequently escalate privileges. This vulnerability does affect all UniFi video versions up to and including 3.7.3 and is referenced by...
Ruby: SMTP command injection
Net::SMTP is vulnerable to RCPT TO/MAIL FROM injection due to lack of input validation and conformance to the SMTP protocol. Publicly disclosed already: http://www.mbsd.jp/Whitepaper/smtpi.pdf People are wrongly assigning this to the mail gem http://rubysec.com/advisories/OSVDB-131677/ and thinki...
Internet Bug Bounty: Internet-based attacker can run Flash apps in local sandboxes by using special URL schemes (PSIRT-3299, CVE-2015-3079)
Some of the sandbox logic of Flash Player can be circumvented on most web browsers by using special URL schemes. A website can deploy an SWF file via the data: or blob: URL schemes (perhaps others). An app started in this way runs in the "local with files" or "local with networking" sandbox,...
Mail.ru: touch.mail.ru XSS via message id
Reproduces in IE11; elements that accept a message id value are vulnerable. For example https://touch.mail.ru/cgi-bin/msglistreadmsg/14112810510000000915"...
Square: CRITICAL Account takeover via AngularJS template injection in connect.squareup.com
Hi! The OAUTH prompt at https://connect.squareup.com/oauth2/authorize?clientid=EXAMPLE prints out the current OAUTH appname without sanitizing it from -style AngularJS templates. This makes it possible for an attacker to add an AngularJS template to his/her appname that calls the $scope.allow...
Internet Bug Bounty: CVE-2024-49761: ReDoS vulnerability in REXML
CVE-2024-49761 was a ReDoS vulnerability in the REXML gem. The vulnerability was caused by the parsing of XML input with many digits between "&" and "x...;" in a hex numeric character reference. This issue was resolved by updating the REXML gem to version 3.3.9 or later...
U.S. Dept Of Defense: Time based SQL injection at████████
A time based SQL injection vulnerability was found in the /pubs/index.php endpoint on ██████. The 'years' and 'authors' parameters were vulnerable, allowing time delays to be introduced in database queries. This could have led to sensitive data exfiltration from the database. The issue could be...
Node.js: Denial of Service by resource exhaustion in fetch() brotli decoding
A denial of service vulnerability was identified in Node.js related to resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The issue stems from fetch always decoding Brotli content, allowing an attacker controlling the URL to cause resource exhaustion...
HackerOne: Organization members can delete reports in teams they have no access to
Reports in teams could be deleted by organization members without access to those teams. The vulnerability allowed deletion of analytics reports for restricted teams through a GraphQL mutation even when members lacked permissions to view or edit those reports...
Internet Bug Bounty: (CVE-2023-32006) Permissions policies can impersonate other modules in using module.constructor.createRequire()
A vulnerability was discovered in Node.js that allowed permissions policies to impersonate other modules using the module.constructor.createRequire function. This could bypass the policy mechanism and enable the loading of modules outside of the defined policy. The vulnerability affected all user...
Cloudflare Public Bug Bounty: Ability to bypass Admin override on Cloudflare WARP Android
A security vulnerability allowed an attacker with local access to an Android device running Cloudflare WARP to bypass the Admin override feature by changing the device's date and time settings. This allowed the attacker to extend the maximum allowed disconnected time of the WARP client granted by...
Expedia Group Bug Bounty: https://www.wotif.com/vc/blog/info.php script is prone to reflected HTML/CSS injection and COOKIE leak
The info.php script on https://www.wotif.com was vulnerable to reflected HTML/CSS injection and COOKIE leak due to caching of HTTP headers. An attacker could inject malicious HTML/CSS code and steal victim cookies. The vulnerability was reported to the vendor...
Kubernetes: The `io.kubernetes.client.util.generic.dynamic.Dynamics` contains a code execution vulnerability due to SnakeYAML
A code execution vulnerability was found in the io.kubernetes.client.util.generic.dynamic.Dynamics class of the Kubernetes Java Client version 17.0.0. The vulnerability was due to the use of SnakeYAML parser without safe constructor, which allowed an attacker to achieve code execution inside the...
HackerOne: Ability to escape database transaction through SQL injection, leading to arbitrary code execution
HackerOne has an internal backend interface that gives debugging capabilities to its engineers. One of the features is the ability to run EXPLAIN ANALYZE queries against a connected database. This feature is accessible by a handful of engineers. The feature is vulnerable to a SQL injection that...
Cloudflare Public Bug Bounty: Completely remove VPN profile from locked WARP iOS client.
It was possible for a user to delete the VPN profile from the WARP mobile client on the iOS platform despite the Lock WARP switch feature being enabled on the Zero Trust Platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform. The issue was fixed in Warp...
Acronis: unauth mosquitto ( client emails, ips, license keys exposure )
Hi team Summary connect.acronis.com ip 88.99.142.45:1883 has unauth mosquitto mqtt, anyone can connect and read\write messages Steps To Reproduce add details for how we can reproduce the issue 1. https://github.com/bapowell/python-mqtt-client-shell 1. python3 mqttclientshell.py 1. connection 1...
Judge.me : The response shows the nginx version
Summary: On visiting https://cache.judge.me/, it shows the nginx version Steps To Reproduce: ==send :== GET / HTTP/1.1 Host: cache.judge.me Cookie: ga=GA1.2.907415772.1636450777; gid=GA1.2.1767694824.1636450777; fbp=fb.1.1636450778172.127612364; hjid=00598a42-40f4-48cb-84ec-20b9bd4273cd;...
Nextcloud: High memory usage for generating preview of broken image
When the attached file is uploaded and a preview is generated, e.g. in the folder overview of the files app, the PHP process allocates a very large amount of memory (on my machine it was briefly around 5 GByte) and CPU. Tested with latest master 1366b35081f1d92429787696f4175c19a602858a on Ubuntu 20....
Shopify: Stored XSS in /admin/product and /admin/collections
Hello Security Team, I was going through previous reports of XSS and I have found this, https://hackerone.com/reports/978125 As stated by team on this page even on https://hackerone.com/shopify?type=team under Known issues that we can now report XSS under Rich Text Editor on Product description a...
Nextcloud: Acting under any different user via DB-stored credentials
The issue is related to all Nextcloud versions. It is not patched yet. All versions 18-20 seem to be vulnerable. The issue came up in the following environment: - nextcloud docker image 20.0.2 and 20.0.3 - LDAP authentication - external SMB shares via DB stored credentials The problem came up...
Imgur: Bypass subscription
Hello team! You can bypass avatar subscriptions. Thus, without connecting a subscription - it's free. A list of all avatars is available at the address below, with a GET request: :method: GET :authority: api.imgur.com :scheme: https :path: /account/v1/accounts/me/avatars?clientid=YOU CLIENT ID...
BugPoC: csp bypass leads to xss on wacky.buggywebsite.com
Summary: report will be uploaded later - need some sleeps █████████ ███ Steps To Reproduce: PoC above Thanks for the challenge. I tried to use bugpoc for everything but ended up using aws to host the js file - seemed fitting as well and served the purpose. F1065889 Impact taking over all the whac...
Imgur: Stored XSS in Post title (PoC)
Hello, Stored XSS in Post title, example: https://imgur.com/gallery/Y5JUzv3, Thanks Impact steal cookies and session...
Nextcloud: Access control missing while viewing the attachments in the "All boards"
The vulnerability lies in the "view attachment" of the tasks. When a user uploads a file to a Task, the attachment is given a numeric number which is increased by +1 on further uploads. It is easy for any user to view and download all the files uploaded to the tasks by any user. The access is not...
Snapchat: CreatorID leaked from public content posted to SnapMaps
TL;DR - the Snap Map media responses unnecessarily return a creatorId. The creator's Snap username cannot be immediately derived from creatorId, but users can use the creatorId to correlate multiple public snaps with that creator. The impact is limited by the fact that all Our Story Snaps that...
Mail.ru: SQL LIKE clauses wildcard injection
LIKE clause was misused for session validation in one of the https://c-api.city-mobil.ru/v2 API calls, allowing character-by-character session brute force. The session validation logic mistakenly allowed wildcards in the authorization token...
Google: CVE-2020-8913 - Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC
██████████████████████████...