15365 matches found
Booking.com: Default Admin Account leads to full access control at https://desk-demo.fareharbor.engineering
Login to the application at https://desk-demo.fareharbor.engineering/login with [email protected], password: test F3271060 2. Realizing that the login is successful, the attacker can use all functions in the application. F3271059 Impact attacker can use all admin functions...
Internet Bug Bounty: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
The django.utils.text.Truncator.words method with html=True and truncatewordshtml template filter were found to be vulnerable to a potential regular expression denial-of-service attack. The vulnerability was caused by regular expressions stored in variables that were susceptible to ReDoS attacks,...
Node.js: Denial of Service by resource exhaustion in fetch() brotli decoding
A denial of service vulnerability was identified in Node.js related to resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The issue stems from fetch always decoding Brotli content, allowing an attacker controlling the URL to cause resource exhaustion...
Internet Bug Bounty: (CVE-2023-32006) Permissions policies can impersonate other modules in using module.constructor.createRequire()
A vulnerability was discovered in Node.js that allowed permissions policies to impersonate other modules using the module.constructor.createRequire function. This could bypass the policy mechanism and enable the loading of modules outside of the defined policy. The vulnerability affected all user...
Cloudflare Public Bug Bounty: Ability to bypass Admin override on Cloudflare WARP Android
A security vulnerability allowed an attacker with local access to an Android device running Cloudflare WARP to bypass the Admin override feature by changing the device's date and time settings. This allowed the attacker to extend the maximum allowed disconnected time of the WARP client granted by...
Kubernetes: The `io.kubernetes.client.util.generic.dynamic.Dynamics` contains a code execution vulnerability due to SnakeYAML
A code execution vulnerability was found in the io.kubernetes.client.util.generic.dynamic.Dynamics class of the Kubernetes Java Client version 17.0.0. The vulnerability was due to the use of SnakeYAML parser without safe constructor, which allowed an attacker to achieve code execution inside the...
Cloudflare Public Bug Bounty: Completely remove VPN profile from locked WARP iOS client.
It was possible for a user to delete the VPN profile from the WARP mobile client on the iOS platform despite the Lock WARP switch feature being enabled on the Zero Trust Platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform. The issue was fixed in Warp...
Acronis: unauth mosquitto ( client emails, ips, license keys exposure )
Hi team Summary connect.acronis.com ip 88.99.142.45:1883 has unauth mosquitto mqtt, anyone can connect and read\write messages Steps To Reproduce add details for how we can reproduce the issue 1. https://github.com/bapowell/python-mqtt-client-shell 1. python3 mqttclientshell.py 1. connection 1...
Panther Labs: Broken subdomain takeover of runpanther which was pointing towards herokuapp
An outdated link on our public blog pointed to a decommissioned Slack sign-up app hosted on Heroku for our also-decommissioned open source Slack community. The reporter was able to re-register the decommissioned subdomain with his own Heroku account...
IBM: Remote Code Execution at https://169.38.86.185/ (edst.ibm.com)
A discovered Gitlab server was running an old version affected by RCE. This vulnerability could have allowed unauthenticated attackers to compromise the server by public exploit in ExifTool. The issue was reported to IBM and remediated...
Mail.ru: [185.30.178.57:8080] - Vulnerable to Jetleak
sfpc.euits.dev-my.games runs a Jetty web server vulnerable to JetLeak...
VK.com: Open redirect in a bot message carousel
Open redirect in chatbot carousels. The vulnerability allows redirecting a user to a malicious link from a carousel, bypassing away.php...
Nextcloud: Unexpected federated shares added via public link
So I'm not 100% sure if this is a security issue or not. But it is in my opinion at least unexpected and could be handled better to make sure people trust the system. 1. Get a public link share again plenty of those around 2. Click the 'add to your Nextcloud' 3. A federated share is added/create...
VK.com: Stored XSS when removing a group from a conversation (m.vk.com)
Insufficient filtering of characters in the community name...
Imgur: Stored XSS in Post title (PoC)
Hello, Stored XSS in Post title, example: https://imgur.com/gallery/Y5JUzv3, Thanks Impact steal cookies and session...
Nextcloud: No rate limiting on signup page
Hi Team, Summary: As a best practice a login page should have rate limiting. Below is the captured request of the respective login page of nextcloud.com ---------- POST...
Internet Bug Bounty: IP-in-IP protocol routes arbitrary traffic by default - CVE-2020-10136
Many machines 150K-180K on the internet accept and route IP over IP by default. IP-in-IP encapsulation is a tunneling protocol specified in RFC 2003 that allows IP packets to be encapsulated inside other IP packets. This is very similar to IPSEC VPNs in tunnel mode, except in the case of...
Mail.ru: XSS in [community.my.games]
Cross-site scripting in community.my.games via post comments All we say is Thank You for an Account Takeover Flaw!...
Staging.every.org: Private account causes displayed through API
Summary: Any authenticated user can see which causes a private account user is interested in, by sending a GET request to the API, even though this information is not displayed anywhere on the profile page. In the profile settings, the following message is displayed for "Private Supporter" option...
FileZilla: FileZilla 3.46.3 - 'Scale factor' Buffer Overflow
Summary: FileZilla has a problem in the "Scale Factor" field, which is vulnerable to a Buffer Overflow attack or a denial attack. Adding random characters in an entry that must accept only Float input type values. Steps To Reproduce: A python file of name generatepaste.py was generated for the...
Valve: [GoldSrc] RCE via 'spk' Console Command
Details: Description RCE can be achieved on clients via the 'spk' console command due to missing length checks before copying into a stack based buffer. POC 1. Place the attached cfg file in the root directory of the game: F676967 2. Launch the game and bring up the console with 3. Type in exec...
HackerOne: Total bounties paid amount is disclosed because of redesign of the Program Profiles
Description: On July 2 Hackerone redesigned the Program Profiles. After the new program page design, I noticed that it is disclosing the total bounties paid amount. For some programs the total bounties paid amount was hidden ████. It used to show like $4000 if the bounty was $3990. But after the redesign, i...
Shopify: XSS on services.shopify.com
Hi security, I got a stored XSS in one of your sub-domains "services.shopify.com" steps: 1- Go to https://yourstore.myshopify.com/admin/apps/expertsmarketplace/servicesmarketplace 2- Then Go to All servicesMarketing and salesemail marketing Design custom email templates click select 3- fill all the...
Node.js third-party modules: [serve-here.js] List any file in the folder by using path traversal.
I would like to report Path Traversal in serve-here.js. It allows listing any file in another folder of the web root. Module module name: serve-here.js version: 1.1.3 npm page: https://www.npmjs.com/package/serve-here.js Module Description Serve static files over HTTP Vulnerability Vulnerability...
TomTom: CSRF allows attacker to manage customer's shopping cart.
The following endpoint https://www.tomtom.com:443/enus/store/basket-add.html had no CSRF checks / tokens whatsoever, which allows a malicious user to add massive amounts of any product to a victim's cart or empty the cart. The CSRF POC file included adds 50 items of the given product to the a...
Shopify: Unpublished Product Images can be disclosed
Hi, This looks like a minor issue but it felt like something worth reporting. Ideally, a product can be published or remain unpublished on any sales channel. If a product remains unpublished, then no information regarding it must be visible to the public, including product pictures. But I found an...
Mail.ru: Source code disclosure
A PHP configuration file was available for download on a few terrhq.ru subdomains...
Internet Bug Bounty: DOS in stream filters
see bug report https://bugs.php.net/bug.php?id=76249 as simple as one process running in an endless loop Impact DOS, process ends up in an endless loop, CPU or available php processes or both of affected system get easily exhausted...
Liberapay: Import of repositories from GitHub is tied to username instead of immutable ID
When a user verifies a Github account at /edit/elsewhere the final result is a Github username tied to a Liberapay account. The issue is that Github usernames are mutable. Consider the scenario. 1. I create an account called ed-liberapay something likely to be claimed in the future 2. Verify that I ow...
Phabricator: TOTP Key is shorter than RFC 4226 recommended minimum
mongoose Observed Behavior: When creating a TOTP secret a 16 character base32 encoded string is presented to the user. Expected Behavior: I would expect a 32 character base32 secret to be presented. The RFC recommends 160 bits of entropy, which is 32 character x 5 bits per character in a base32...
Mail.ru: build.sh found on webagent.mail.ru
The source code of a build script for a web application was available for download. It could leak some non-sensitive information on internal build processes and configurations...
BOHEMIA INTERACTIVE a.s.: Weak Password Policy on Signup at https://accounts.bistudio.com/auth
Hi, I found that you are using a weak password policy! Because a user can set his password the same as his Email address! Steps To reproduce: 1. Register an account with Email address "[email protected]" 2. Also password "[email protected]". You can see both values are the same. You will become successfully register...
Khan Academy: SignUp With Fake Email
Hello KhanAcademy Security Team, I'm rootbakar, I found an oddity that allows a user to register with Khanacademy using an invalid or fake email. In this trial I used the email '[email protected]' and after pressing the SIGN UP button it will automatically enter the user dashboard pag...
Uber: Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover
By getting an authenticated victim to visit a malicious link, an attacker can cause that victim to execute arbitrary JavaScript in the context of the login.uber.com or auth.uber.com domains...
HackerOne: TeamProfile exposes partially sensitive information through GraphQL
I noticed there is new field teamprofile added and using the graphql below the latest serious report and reports received in three months were exposed "query":"query Dashboardreportseveritybreakdowntable$first0:Int! \n query \n id,\n ...F0\n \n\nfragment F0 on Query \n...
Starbucks: SQL Injection Proof of Concept for Starbucks URL
browser: firefox quantum 60.0.1 64 bit os: windows 10 sqli type: char formula injection info found: oracle database system url: https://www.starbucks.de/coffee/our-coffees/format/whole-bean injected url using oracle concatenation and char functions:...
Nextcloud: Disclosed Version of PORTS SSH|HTTP|SSL
I found that the versions of ports are disclosed, but the interesting part is that the SSH port is open and showing its version == OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 Ubuntu Linux; protocol 2.0 F:302383 Searching I have found that this version has a common vulnerability https://vuldb.com/?id.89622 So it's not good to disclos...
Node.js third-party modules: [simplehttpserver] List any file in the folder by using path traversal.
I would like to report Path Traversal in simplehttpserver. It allows listing any file in another folder of the web root. Module module name: simplehttpserver version: 0.1.1 npm page: https://www.npmjs.com/package/simplehttpserver Module Description 'simpehttpserver' is a simple imitation of python's...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
An application deserialization vulnerability was found in a misconfigured Department of Defense DoD website by @joaomatosf via POST/GET request. Impressive work. This showcases your skills! Thank you for supporting the DoD Vulnerability Disclosure Program!...
Node.js third-party modules: [m-server] Path Traversal allows displaying the content of arbitrary file(s) from the server
I would like to report Path Traversal in the m-server module. It allows reading the content of any arbitrary file from the server where m-server is installed and run. Module module name: m-server version: 1.4.0 npm page: https://www.npmjs.com/package/m-server Module Description M-Server is a mini http...
LocalTapiola: Securemail server used for internal spam and resource exhaustion
Basic report information Summary: Confidential message system fails to restrict a large number of receivers. This might lead to hardware exhaustion and/or attacking localtapiola internal employees as securemail recipients. Description: Despite https://secure.lahitapiola.fi/ being designed to send...
HackerOne: Query parameter reordering causes redirect page to render unsafe URL
Hello hackerone team, I want to report a bypass w/c leads to XSS but limited only to IE due to CSP block on chrome. Here is the POC ------------------ https://hackerone.com/redirect?signature=c9304cadaeabca0bfb7b92503c0318da5c42a86b&url=http%3A%2F%2Fbuglabs.me&url=JAVASCRIPT:alert%09document.domain...
Rockstar Games: Client-side Template Injection in Search, user email/token leak and maybe sandbox escape
In this report, the researcher was able to perform AngularJS Template Injection on our Support site in order to retrieve data, including email address, userid and tokens. Typically, a user is always able to retrieve this information about themselves and on its own, this is known behavior. However...
Zomato: SSRF in https://www.zomato.com████ allows reading local files and website source code
@nbsp found an SSRF vulnerability which leads to reading local files from the web server: source code & system files. We have resolved the issue quickly and rewarded the researcher...
GitLab: [Markdown] Stored XSS via character encoding parser bypass
Hi @briann and team, A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript on GitLab 10.0 hosts. Given the nature of this injection, which makes use of a rather esoteric filter bypass, the scope for exploitation may vary...
Radancy: [Cross Domain Referrer Leakage] Password Reset Token Leaking to Third party Sites.
Domain and URL: https://werkenbijdefensie.nl Summary: Password Reset Token Leaking to Third party Sites from the link in the footer Description: Hello, I found that if a user requests a password reset link and opens it but doesn't change the password and clicks on the Third Parties Sites link...
Roblox: Subdomain Takeover at creatorforum.roblox.com
Hello. A few days ago, I was looking at Roblox subdomains, and I noticed an unusual one called creatorforum.roblox.com. Upon further investigation, I visited it and saw that creatorforum.roblox.com's CNAME was a nonexistent Discourse website. I immediately reported to [email protected], and...
Mixmax: SSRF via webhook
Hi, There exists an SSRF vulnerability in the account webhook feature, allowing an attacker to verify the existence of the EC2 metadata url and enumerate URLs. POC: 1. Create a webhook at https://app.mixmax.com/dashboard/settings/rules with url http://169.254.169.254/latest/meta-data/. 2...
Ubiquiti Inc.: CSRF: Replacing the router configuration backup having an 'operator' user and bypassing the "Referer:" whitelist protection
In EdgeOS version 1.9.1 and prior, the researcher was able to bypass the CSRF protection. An attacker with access to an operator read-only account can lure an admin root user to access the attacker controlled page; doing so will allow the attacker to gain admin privileges in the system...
Shopify: [out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network
Disclaimer In case this report ever becomes public I wanted to start it out with a disclaimer so it doesn't become referenced as an example for out-of-scope/policy violating submissions in the future: At the time of submission this report is out-of-scope and as such I have no expectations of reward...