15300 matches found
Sifchain: Cross-site Scripting (XSS) possible at https://sifchain.finance// via CVE-2019-8331 exploitation
Summary: https://sifchain.finance is using Bootstrap framework version 4.0.0, which is affected by CVE-2019-8331. 4. Visit https://sifchain.finance/wp-content/themes/icos/assets/js/vendor/bootstrap.min.js?ver=5.7.2 5. You'll get the Bootstrap version, which is v4.0.0, and it's vulnerable to Cross-site Scripting (XSS)...
Slack: Remote file Inclusion - RFI in upload
Hello, every site has an RFI vulnerability. Every site, i.e. every .slack.com workspace, has this vulnerability. Proof of concept / Steps to Reproduce : ================================= 1. Sign in to your account on Slack, e.g. I signed in to https://pran3hiva.slack.com 2. Now, go to 'Change photo', i.e...
Node.js: Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy
Summary: When using Undici with its ProxyAgent, it does not use CONNECT or correctly verify the upstream server's HTTPS certificate. Description: This affects both Undici itself and global fetch in Node 18 when used with Undici's ProxyAgent. I've submitted this here for Node as it affects global...
Ruby on Rails: ActionController::Parameters .each returns an unsafe hash
Rails 5.1.4. The goal of ActionController::Parameters' permit method (strong parameters) is to prevent accidental trust in the parameters sent by the client. We can therefore not simply create a hash of all the parameters in params without permitting them first. When we really want to do this...
Instacart: Brute force login and bypass locked account restrictions via iOS app
When logging in to an account on the website, a user's account gets locked out after 15 tries to prevent an attacker from brute forcing access to the account. These same restrictions do not apply to the mobile sign-in endpoint (a POST request to https://www.instacart.com/oauth/token), which allows ...
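The defect above is two entry points with two different lockout policies. The following is an added example, not Instacart's code: a single per-account lockout store consulted by both a web-form login and a mobile token endpoint, so that failures through one path count against the other. The threshold of 15 comes from the report; the lock duration, the injectable clock, the credential store and the handler names are assumptions made for the example.

```javascript
// Added example (not Instacart's code). One lockout store keyed by account,
// shared by every login route, so the limit cannot be sidestepped by picking
// a different endpoint. Threshold is from the report; LOCK_MS is assumed.
const MAX_FAILURES = 15;
const LOCK_MS = 15 * 60 * 1000;

class AccountLockout {
  // `now` is injectable so the lock expiry can be tested without sleeping.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = new Map(); // account -> { failures, lockedUntil }
  }
  isLocked(account) {
    const s = this.state.get(account);
    return !!s && s.lockedUntil > this.now();
  }
  recordFailure(account) {
    const s = this.state.get(account) ?? { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= MAX_FAILURES) {
      s.lockedUntil = this.now() + LOCK_MS;
      s.failures = 0;
    }
    this.state.set(account, s);
  }
  recordSuccess(account) {
    this.state.delete(account);
  }
}

// Constructed credential store for the example; real code compares password hashes.
const USERS = new Map([['alice', 'correct horse']]);

// The one authenticate() that every route must go through. The lock is checked
// before the password, so a locked account returns "locked" even for the right password.
function authenticate(lockout, account, password) {
  if (lockout.isLocked(account)) return { ok: false, reason: 'locked' };
  if (USERS.get(account) === password) {
    lockout.recordSuccess(account);
    return { ok: true };
  }
  lockout.recordFailure(account);
  return { ok: false, reason: 'bad_credentials' };
}

// Two entry points (web form, mobile /oauth/token-style body) sharing the store.
function webLogin(lockout, form) {
  return authenticate(lockout, form.email, form.password);
}
function mobileToken(lockout, body) {
  return authenticate(lockout, body.username, body.password);
}
```

With this shape, 15 bad passwords through the web form lock the account for the mobile endpoint as well, which is exactly what the report found missing.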
Mail.ru: Subdomain takeover on tilda.geekbrains.ru and fl-change.geekbrains.ru
Few unused subdomains of geekbrains.ru were delegated to tilda.cc and were not claimed...
Radancy: Application error message
Attack details: HTTP Header input X-Forwarded-For was set to 12345'"'";|%00%0d%0a%bf%27'??? Error message found: Warning: inet_pton() [function.inet-pton]: Unrecognized address 12345'"\'\";|%00%0d%0a%00%bf%27' in...
OLX: Bypassing Phone Verification For Posting AD On OLX
Overview In computer networks, rate limiting is used to control the rate of traffic sent or received by a network interface controller. It can be induced by the network protocol stack of the sender due to a received ECN-marked packet and also by the network scheduler of any router along the way...
Insulet Corporation: Subdomain Takeover due to unclaimed domain pointing to Acquia Cloud
Issue Details: The consultant identified that the subdomain http:// or https://qa.myomnipod.com returns "Web Site Not Found. Sorry, we could not find any content for this web address. Please check the URL. If you are an Acquia Cloud customer and expect to see your site at this address, you'll need to add this...
Valve: [Portal 2] Remote Code Execution via voice packets
Description RCE can be achieved on other players via voice packets due to the lack of length validation when reading into a stack based buffer. POC 1. As the victim, invite the attacker into a game. 2. Wait until both players have loaded into the game. 3. Inject the following DLL into the attacke...
Showmax: lack of rate limit on authentication login page & forgot password page
We received a report about missing rate-limiting functionality that is explicitly mentioned as out-of-scope of our security program. Since migrating our backends to AWS, we have no proper rate-limiting functionality in place. Due to complexity of our infra stack, we cannot use the standard WAF...
Internet Bug Bounty: [CVE-2025-27219] Denial of Service in CGI::Cookie.parse
A denial-of-service vulnerability was discovered in the CGI::Cookie.parse method of the Ruby cgi gem. The vulnerability was caused by the method taking super-linear time to parse a maliciously crafted cookie string. This could have led to service disruptions. The vulnerability was assigned the CV...
MTN Group: Reflected XSS on gamesclub.mtn.com.g
Hello, I have found a Reflected XSS on gamesclub.mtn.com.g. Injectable parameters: /header.aspx. My payload: "; HTTP Header input Referer was set to https://www.google.com/search?hl=en&q=testing'"&%gQmT9082 HTTP request =========== GET /header.aspx HTTP/1.1 Host: gamesclub.mtn.com.gh...
Chaturbate: Unrestricted POST request size on roomlogin endpoint
POST requests to the endpoint /roomlogin/ are not limited in size. While the main website login endpoint correctly limits the size of the request, this endpoint does not. This can be a means to perform a DoS attack. Steps To Reproduce: 1. has a password-protected stream. 2. Send a large POST request to...
UPchieve: No Valid SPF Records/don't have DMARC record
I have already reported this issue through email and the company has accepted my report. Hi, there is an issue: no valid SPF records on https://app.upchieve.org. Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears t...
HackerOne: DNS Misconfiguration
Your localhost.hackerone.com has address 127.0.0.1 and this may lead to "Same-Site" Scripting. Here is a detailed description of this minor security issue by Tavis Ormandy: http://www.securityfocus.com/archive/1/486606/30/0/threaded...
PortSwigger Web Security: Activate Burp Suite Pro with the old license after transferring to another account
Hi team. I made 2 accounts and purchased burpsuite pro. The first account with this email :- ███████ The second account with this email :- ██████ I have opened a support ticket on Jun 13, 2018 05:26PM and the message is :- Hi Could you please add this account to my existing account ████ ███████ t...
Shopify: Staff member with no permissions can identify installed application and products attached to it
Hello, to see if a store has an application installed and which products it's configured for, the staff member should have the application permission, otherwise nothing is visible, but I found a way that lets a staff member with no permissions identify if the store has installed Digital Downloads and if the...
DuckDuckGo: DOM XSS on 50x.html page
Hello, there is a DOM XSS vulnerability on https://duckduckgo.com/50x.html; it seems the sink is DIV.innerHTML and the source is location.search. The PoC URL is: https://duckduckgo.com/50x.html?e=&atb=test%22/%3E%3Cimg%20src=x%20onerror=alert(document.domain);%3E The code that is causing this XS...
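The report names the source (location.search) and the sink (innerHTML) but the snippet cuts off before the offending code. The following is an added example, not DuckDuckGo's code, that models that flow: the query string is decoded the way a browser would, concatenated into markup (the vulnerable pattern), and, in the hardened variant, HTML-escaped first. It assumes the atb parameter is the value that reaches the sink; the page does not say which one does.

```javascript
// Added example (not DuckDuckGo's code). Models a location.search -> innerHTML
// flow. Assumption: the "atb" query parameter is what reaches the sink.

// The PoC query string from the report, as the browser would send it.
const POC_SEARCH = '?e=&atb=test%22/%3E%3Cimg%20src=x%20onerror=alert(document.domain);%3E';

// Source: URLSearchParams percent-decodes exactly like location.search handling in a page.
function sourceFromLocation(search) {
  const params = new URLSearchParams(search);
  return params.get('atb') ?? '';
}

// Vulnerable pattern: untrusted text concatenated into markup that is then
// assigned to innerHTML. The browser parses the string as HTML, so a closing
// quote and ">" inside the value terminate the attribute and start a new element.
function renderErrorVulnerable(search) {
  const atb = sourceFromLocation(search);
  return `<div class="error" data-atb="${atb}"><p>Something went wrong.</p></div>`;
}

// Hardened variant: escape the HTML metacharacters before the value touches markup.
// (In a real page, assigning via textContent or el.dataset avoids the sink entirely.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderErrorSafe(search) {
  const atb = escapeHtml(sourceFromLocation(search));
  return `<div class="error" data-atb="${atb}"><p>Something went wrong.</p></div>`;
}

// Crude oracle for the test: did an <img ...> element get injected into the markup?
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}
```

Run the two renderers over POC_SEARCH: the vulnerable output contains a live `<img src=x onerror=...>` element, the escaped one carries the same characters as inert `&lt;img ...&gt;` text.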
LocalTapiola: PHPMYADMIN Setup is accessible without authentication on https://lml.lahitapiola.fi/
Vulnerability Detail: The phpMyAdmin setup page is accessible over the internet, where it's possible for a user to set up servers with the required details. Vulnerable Endpoint: https://lml.lahitapiola.fi/admin/phpMyAdmin/setup/index.php Attached screenshots: F246247 F246248 Impact: It's possible for an...
Hanno's projects: Open redirect on https://blog.fuzzing-project.org
Summary: There is an Open Redirect on https://blog.fuzzing-project.org/exit.php?url= due to the application not checking the value passed by the user to the "url" parameter. Description: Unchecked redirects occur when an application redirects to a destination controlled by attackers. This often...
Shopify: SVG Server Side Request Forgery (SSRF)
I found an issue which seems to be a regression of the following issue: https://hackerone.com/reports/97501 . It seems your input validation is not sufficient and the file is getting processed before your implemented check for valid file types. When adding a new product in the store, images for the...
Internet Bug Bounty: SPDY heap buffer overflow
A bug in the experimental SPDY implementation in nginx was found, which might allow an attacker to cause a heap memory buffer overflow in a worker process by using a specially crafted request, potentially resulting in arbitrary code execution (CVE-2014-0133). The problem affects nginx 1.3.15 -...
Roblox: Malformed string sent through FireServer leads to server freezing/hanging
This was found an hour ago, so if I get any information wrong, please comment and I'll get back to you! A cheater/exploiter can hang any Roblox game server with a 5-line script which sends a big malformed string through SayMessageRequest, causing the server to hang. This works in any...
OLX: load scripts DOS vulnerability
1. Vulnerability description: WordPress allows users to load multiple JS and CSS files at once through load-scripts.php. For example, with https://wpwebsite.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1, load-scripts.php will load jquery-ui-core and editor...
X (Formerly Twitter): Bypass Password Authentication for updating email and phone number - Security Vulnerability
Summary: An additional requirement for authentication is an extra layer of security for a person's Twitter account. Instead of only entering the password at the time of login, Twitter further introduces an additional layer of security by prompting users to enter their password before attempting to...
curl: Credential leak on redirect
Summary: Curl can be coaxed to leak user credentials to a third-party host by issuing an HTTP redirect, e.g. the Proxy-Authorization or x-auth-token header. It is a bypass of the fix in https://hackerone.com/reports/1547048, CVE-2022-27776. Steps To Reproduce: add details fo...
Internet Bug Bounty: Fragmentation and Aggregation Flaws in Wi-Fi
I discovered three design flaws in the Wi-Fi standard and widespread related implementation flaws see GitHub overview and test tool. Here I'll specifically cover open source software. These findings have not received bug bounties from other sources. Implementation flaws allowing trivial packet...
HackerOne: Subdomain takeover #2 at info.hacker.one
Summary: Hi team, looking at the fix released by the Unbounce team at https://hackerone.com/reports/202767, I've been able to bypass it and take over the subdomain info.hacker.one again with a new Vulnerable-Endpoint at the UnbouncePages App. Actual DNS Entry: F164154 Steps To Reproduce & New PoC for HackerO...
h1-ctf: h1-ctf : 12 days of hack holiday writeup
Summary This was a real fun CTF and I really enjoyed solving the challenges. Great job on creating the challenges. This is my writeup for the "12 Days of Hacky Holidays CTF". I hope you enjoy reading it, and I hope others reading it will pick up a trick or two. Flags: This is all the flags found...
Daimler Truck: CSRF + XSS REFLECT
Hello Daimler Truck Team! I found a reflected XSS at https://www.truck-privilege.daimlertruck.com/auth/lostLogin To make it reflected, CSRF (Cross-Site Request Forgery) was used together with it. An attacker can create a malicious website and trick the user into opening it; when the user opens it, he is...
Rocket.Chat: Pre-Auth Blind NoSQL Injection leading to Remote Code Execution
Summary: The getPasswordPolicy method is vulnerable to NoSQL injection attacks and does not require authentication/authorization. It can be used to take over accounts by leaking password reset tokens. Taking over an admin account leads to Remote Code Execution. Description: The getPasswordPolicy...
U.S. Dept Of Defense: Sensitive data exposure via https://████████.mil/secure/QueryComponent!Default.jspa - CVE-2020-14179
Summary: Information Disclosure vulnerability in outdated Jira. Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the...
Rockstar Games: Unquoted Service Path in "Rockstar Game Library Service"
In this report, the researcher discovered a flaw in a Registry entry created by the Rockstar Service, which is used to install, update, and uninstall Rockstar Games titles on Windows PCs. Specifically, the ImagePath setting used by the entry was not enclosed in quotation marks. Using quotation...
Phabricator: Broken Authentication and Session Management lead to take over account
Hello, I found a vulnerability using a phone. Summary: Session token weakness, allowing attackers to take over accounts. Tools: Lightning.apk browser, SandroProxy.apk, or you can use any available proxy. Steps to Reproduce: 1 Create a phacility account. 2 Go to...
Sifchain: Possibility of DoS attack at https://sifchain.finance// via CVE-2018-6389 exploitation
There is a possibility in the /wp-admin/load-scripts.php script to generate a large (3 MB) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389. Details: A detailed attack scenario is described, for example, here:...
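Both the OLX and the Sifchain entries above describe the same amplification: one unauthenticated request to load-scripts.php that names many script handles in load[] makes WordPress concatenate and return all of them. The following is an added example, not code from either report, OLX, Sifchain or WordPress: a small detector that walks access-log lines and flags load-scripts.php / load-styles.php requests asking for more handles than a threshold. The log lines, the handle names, the threshold and the host used as a parsing base are constructed for the example.

```javascript
// Added example (not OLX's, Sifchain's or WordPress's code). Flags requests to
// wp-admin/load-scripts.php or load-styles.php whose load[] list names more
// handles than MAX_HANDLES, the CVE-2018-6389 amplification pattern.
const MAX_HANDLES = 20; // assumed threshold; tune to the site's legitimate admin pages

// Minimal combined-log-format parser: client IP, request target, status, bytes.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3}) (\d+|-)/;

// Returns the number of handles requested, or null if the target is not a loader script.
function countRequestedHandles(target) {
  const u = new URL(target, 'http://wp.example'); // base is only there so relative paths parse
  if (!/\/wp-admin\/load-(scripts|styles)\.php$/.test(u.pathname)) return null;
  let n = 0;
  // The query carries load%5B%5D=a,b,c; URLSearchParams decodes the key to "load[]".
  for (const value of u.searchParams.getAll('load[]')) {
    n += value.split(',').filter(Boolean).length;
  }
  return n;
}

function scanLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const handles = countRequestedHandles(m[2]);
    if (handles !== null && handles > MAX_HANDLES) {
      hits.push({ ip: m[1], handles, status: Number(m[3]), bytes: m[4] === '-' ? 0 : Number(m[4]) });
    }
  }
  return hits;
}

// Constructed sample log: a normal admin request, an amplification request, an unrelated hit.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1 HTTP/1.1" 200 46000',
  '203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous&ver=4.9.1 HTTP/1.1" 200 3100000',
  '10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php HTTP/1.1" 200 5120',
].join('\n');
```

Counting handles rather than matching on byte size is deliberate: the request is cheap to send and the response size is what the attacker is after, so the handle count in the request is the signal that is available before the server has done the work.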
Node.js third-party modules: Server-Side Request Forgery (SSRF) in Ghost CMS
I would like to report an SSRF vulnerability in the Ghost blog CMS. It allows an attacker to send a crafted GET request from a vulnerable web application. Module: module name: ghost, version: 3.5.2, npm page: https://www.npmjs.com/package/ghost, website page: https://ghost.org/ Module Description: Ghost...
Nextcloud: Sensitive Information Disclosure via Back Button Post Logout on https://apps.nextcloud.com/account/
A cache control vulnerability was identified on the https://apps.nextcloud.com/account/ page. After logging out, sensitive information such as the user's first name, last name, and email address remained accessible by using the browser's back button. This occurred due to improper caching of...
h1-ctf: Grinch-Networks taken down - hacky holidays CTF
Summary: CTF Submission Day 1: flag48104912-28b0-494a-9995-a203d1e261e7 Day 2: flagb7ebcb75-9100-4f91-8454-cfb9574459f7 Day 3: flagb705fb11-fb55-442f-847f-0931be82ed9a Day 4: flag972e7072-b1b6-4bf7-b825-a912d3fd38d6 Day 5: flag2e6f9bf8-fdbd-483b-8c18-bdf371b2b004 Day 6:...
Greenhouse.io: Subdomain Takeover using blog.greenhouse.io pointing to Hubspot
Hi, Your subdomain blog.greenhouse.io is pointing to the service called Hubspot. However, your account at Hubspot has expired or has been cancelled. This basically means that anyone can claim your subdomain pointing to Hubspot and create their own site at this URL. This is EXTREMELY dangerous as...
Pornhub: DOM-based XSS on youporn.com (main page)
The researcher found a DOM-based XSS on the youporn.com main page. The malicious input could be injected into a JS comment section (//jscomment). Using CRLF (%0d%0a) in the , it was possible to escape from the JS comment section and execute arbitrary JavaScript. A simple alert box and a cross-domain request...
Brave Software: https://publishers.basicattentiontoken.org/favicon.ico is Vulnerable to CVE-2017-7529
You can verify the vulnerability by executing the attached POC with the command python CVE20177529.py https://publishers.basicattentiontoken.org/favicon.ico. All details are available at https://nvd.nist.gov/vuln/detail/CVE-2017-7529 and https://gist.github.com/thehappydinoa/bc3278aea845b4f578362e9363c51115 Please do...
Myndr: Open Redirect filter bypass through '\' character via URL parameter
Hi, I hope I find you all safe and well in these hard times. Summary: Found an Open Redirect vulnerability on http://meta.myndr.net by bypassing the trusted domain filter using a '\' character. I was able to get the original redirection URL from the register button located at...
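The backslash bypass above, and the unchecked exit.php?url= redirect in the Hanno's projects entry earlier on this page, come from the same gap: the server decides where a URL "goes" with string checks while the browser decides with the WHATWG URL parser, which for http(s) treats "\" as "/". The following is an added example, not Myndr's or Hanno's code, that shows a naive filter accepting `\\evil.example`, what the browser actually resolves it to, and a hardened check that parses against the trusted origin and compares origins. meta.myndr.net is the host from the report; evil.example and the function names are constructed for the example.

```javascript
// Added example (not Myndr's or Hanno's code). TRUSTED_ORIGIN is the host from
// the report; evil.example is a constructed attacker host.
const TRUSTED_ORIGIN = 'https://meta.myndr.net';

// Naive "trusted domain" filter of the kind that gets bypassed: it rejects
// absolute URLs with a scheme and protocol-relative "//host" URLs and lets
// everything else through as if it were a local path.
function naiveAllowed(target) {
  return !/^[a-z][a-z0-9+.-]*:/i.test(target) && !target.startsWith('//');
}

// Where a browser actually sends the user: WHATWG URL parsing treats "\" as "/"
// for special schemes, so "\\evil.example" and "/\evil.example" both become
// protocol-relative URLs pointing at evil.example.
function browserHost(target) {
  return new URL(target, TRUSTED_ORIGIN).hostname;
}

// Hardened check: refuse backslashes and control characters outright (they
// never appear in a legitimate local path), then parse the target relative to
// the trusted origin and require the result to stay on that origin.
// Returns the absolute URL to redirect to, or null if it must be rejected.
function resolveRedirect(target) {
  if (typeof target !== 'string' || /[\\\u0000-\u001f]/.test(target)) return null;
  let u;
  try {
    u = new URL(target, TRUSTED_ORIGIN);
  } catch {
    return null;
  }
  if (u.origin !== TRUSTED_ORIGIN) return null; // also rejects javascript:, data:, //host
  return u.href;
}
```

Comparing `origin` after parsing, rather than testing prefixes of the raw string, is what closes the gap: the check and the browser then agree on the destination, and the explicit backslash rejection only exists so the input is refused before any parser-specific normalisation gets a say.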
Nextcloud: URI scheme bypass in mail app lead to HTML content spoof and opener control
Bug: When we load an HTML mail from the mailbox via the API, e.g. http://nextcloud/index.php/apps/mail/accounts//folders/SU5CT1g=/messages//html, our content is passed to HTML Purifier to strip malicious XSS patterns. After that, a filter is applied to transform acceptable URI schemes (http, https, ftp,...
Nord Security: Hard-coded API keys at NordVpn Android App
Hello NordVPN, APK Version: 4.6.2. API keys at res/values/strings.xml: Google googleapikey = AIzaSyBySEqk7WWee9bxpw5BM1eJeUx1TWdHE Stripe stripepublishableapikey = pklivej1Mt911wyZwAhATA9TYdA8q2 Reference: https://stripe.com/docs/keys Impact: Cleartext Storage of Sensitive Information...
HackerOne: Upload profile photo from URL
Using this vulnerability, users can upload images from any image URL. Just change the upload type using inspect element from "type=file" to "type=url", paste the URL in the text field and hit enter or click on "Update Profile". Your profile photo will be changed to the photo from the URL. P.S. I'm sorry for my bad...
Revive Adserver: Reflected XSS on www/delivery/afr.php
At line 4381, $_SERVER['QUERY_STRING'], which is untrusted user input, is assigned to the $dest variable. Then at lines 4386-4387 $dest is printed into HTML code in two separate places. PoC: curl "domain.com/www/delivery/afr.php?refresh=10000&"',10000000;alert1;setTimeout'alert"" Advertisement --...
Kubernetes: Half-Blind SSRF found in kube/cloud-controller-manager can be upgraded to complete SSRF (fully crafted HTTP requests) in vendor managed k8s service.
Hello, Who we are : We’re two French security researchers and our respective names are Brice Augras and Christophe Hauquiert, we worked and found the vulnerability together. Brice Augras from https://www.groupe-asten.fr/ company - https://hackerone.com/reeverzax Christophe Hauquiert -...
Chaturbate: No rate limit in affiliate statsapi endpoint
Brute force at affiliate statsapi. Steps To Reproduce: 1. The affiliate stats API link is vulnerable to brute force: https:// chaturbate.com/affiliates/apistats/?username=hackeronetestchat&token=vulnerable I've used my profile and my token to check brute force. The correct token returned with 20...
h1-ctf: ctf walkthrough
Hi, finally managed to solve all challenges, this was my first h1ctf, some challenges were pretty nice, some others had some frustrating guessing parts, but overall it was fun. Here goes day1 to day12 walkthroughs: Day 1 we have only one asset in scope hackyholidays.h1ctf.com the main page at...