Grammarly: Config override using non-validated query parameter allows at least reflected XSS by injecting configuration into state
Hi, First, I just want to say after spending a few days on your assets that I'm really impressed by the high security standard of the apps exposed. It has not been easy to find issues. I really like the way you've structured your API-routes in a way that almost eliminates a bunch of access issues...
Palo Alto Software: [Bypass #870709] Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/
Hi team, I found bypass of report 870709. Just by using X-Forwarded-For: 127.0.0.1 you can again get access to global admin page. Bypass request Request GET /pagespeed-global-admin/ HTTP/1.1 Host: webtools.paloalto.com X-Forwarded-For: 127.0.0.1...
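The bypass above works whenever the admin gate reads X-Forwarded-For as if it were the client's address: any client can send that header, so it only describes the client for hops that a proxy you control appended. The following is an added example, not Palo Alto's code, showing the flawed check beside a hardened one; the proxy range (10.0.0.0/8) and the admin allowlist (127.0.0.1) are assumptions for the example.

```python
import ipaddress
from typing import Iterable, Mapping

# Assumed ranges for the example: the reverse proxies in front of the app,
# and the sources allowed to reach /pagespeed-global-admin/.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_SOURCES = [ipaddress.ip_network("127.0.0.1/32")]


def _in_any(ip: str, nets: Iterable) -> bool:
    """True when ip parses and falls inside one of nets; garbage never matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def vulnerable_client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """The flawed pattern: the leftmost X-Forwarded-For hop is believed unconditionally."""
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or peer_ip


def hardened_client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, then walk
    the chain from the right (proxies append), skipping trusted proxies; the first
    untrusted hop is the client. Hops the attacker supplied sit to the left of the
    proxy-appended one and are never reached."""
    if not _in_any(peer_ip, TRUSTED_PROXIES):
        return peer_ip  # header came straight from the client: ignore it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in_any(hop, TRUSTED_PROXIES):
            return hop
    return peer_ip  # chain held only proxies (or was empty)


def admin_allowed(client_ip: str) -> bool:
    return _in_any(client_ip, ADMIN_SOURCES)
```

With the spoofed header from the report and a direct connection from 203.0.113.5, the vulnerable path yields 127.0.0.1 and opens the admin page, while the hardened path ignores the header because the peer is not a trusted proxy.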
TikTok: Multiple bugs leads to RCE on TikTok for Android
A series of WebView vulnerabilities were found including XSS which could have potentially led an attacker to achieve remote code execution. We thank @dphoeniixx for reporting this to our team and verifying the resolution!...
h1-ctf: Solution for hackyholiday
Summary: Since there is a reward for the first 10 submissions, I'll start by providing the flags: flag48104912-28b0-494a-9995-a203d1e261e7 flagb7ebcb75-9100-4f91-8454-cfb9574459f7 flagb705fb11-fb55-442f-847f-0931be82ed9a flag972e7072-b1b6-4bf7-b825-a912d3fd38d6...
Automattic: [intensedebate.com] SQL Injection Time Based On /js/commentAction/
intensedebate.com SQLi Time Based On /js/commentAction/ Summary: Hello, I have found a time-based SQL injection on /js/commentAction/. When a user wants to submit/reply to a comment, a JSON payload is sent by a GET request. GET...
Automattic: XSS in Email Input [intensedebate.com]
Summary: I found an XSS in Email input. This input is not sanitized like other inputs allowing user to execute xss payloads. Platforms Affected: https://www.intensedebate.com/edit-user-account Steps To Reproduce: 1. Navigate to your account. 2. In email address, add the below payload next to your...
U.S. Dept Of Defense: IDOR + Account Takeover [UNAUTHENTICATED]
1- Open the burp suite. 2- Switch the "Repeater" tab. 3- Paste the content of the attached request into the repeater. 4- Replace the "UID2 = 4820041" value in the cookie with the ID value of the user to be attacked. Also write the user's email in the "userName" input. 5- Replace the victim user's...
curl: Connect-only connections can use the wrong connection
Summary: If a connect-only easy handle is not read from or written to, its connection can time out and be closed. If a new connection is created it can be allocated at the same address, causing the easy handle to use the new connection. This new connection may not be connected to the same server ...
Zomato: Availing Zomato gold by using a random third-party `wallet_id`
We received a report from @pandaaaa wherein he demonstrated a way to avail Zomato Gold membership using random Zomato User's wallet. The report was triaged and rewarded with critical severity with a CVSS score of 9.3. It was considered critical since a random user's wallet could have been used fo...
Nextcloud: Formula Injection vulnerability in CSV export feature
Dear Nextcloud Team – I have identified a formula injection vulnerability in the CSV export feature of the Forms App. I am aware that the Forms app is not part of this bug bounty program but was advised to disclose it via hackerone anyway. Description. When an Excel/Calc formula is sent as...
Node.js third-party modules: Server-side Template Injection in lodash.js
I would like to report Server-side Template Injection in lodash.js's `_.template` function. It allows the execution of code on the server. Module module name: lodash version: 4.17.15 npm page: https://www.npmjs.com/package/lodash Module Description The Lodash library exported as Node.js modules. Module...
Shopify: Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition)
Hello, Description: --------------------- The subdomain at https://help.tictail.com has an unclaimed CNAME record tictail.zendesk.com . I checked the username availability in the signup process at zendesk, it was observed that the subdomain is vulnerable to a subdomain takeover which allows an...
Nord Security: Password Reset Link Works Multiple Times
Background: Normally, a secure way to handle password reset links is to invalidate the link/token upon usage. Additionally, if multiple reset links are requested, older & unused tokens should also be invalidated i.e., if 2 reset tokens were requested, the 2nd token should be invalid upon your usa...
Mail.ru: XSS on the site https://warofdragons.my.games/.
Reflected XSS via GET parameter in https://warofdragons.my.games...
Node.js third-party modules: Prototype pollution attack (lodash)
I would like to report a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype Module module name: lodash version: 4.17.15 npm page: https://www.npmjs.com/package/lodash Module Description The Lodash library exported as Node.js modules. Module...
Mail.ru: Account Takeover at vseapteki.ru
Insufficient protection against SMS code bruteforcing allowed account takeover in vseapteki.ru Common flaws of SMS auth: https://blog.deteact.com/common-flaws-of-sms-auth/...
curl: Active Mixed Content over HTTPS
Summary: Resources Loaded from Insecure Origin (HTTP). Steps To Reproduce: Vulnerability Details: it was detected that active content is loaded over HTTP within an HTTPS page. Remedy: There are two technologies to defend against mixed content issues: HTTP Strict Transport Security (HSTS) is a mechanism tha...
HackerOne: Custom Field Attributes may be created and updated for customers with Custom Field Trial enabled
The Custom Field feature is currently only available for customers on the Enterprise product edition. A trial period can be given by enabling the custom-fields-trial feature for programs who are not on that product edition yet. However, when enabling this feature, the incorrect ordering of an ACL...
GitLab: Bypass Email Verification using Salesforce -- Reproducible in gitlab.com
Summary The Salesforce login integration allows an attacker to bypass email verification -- the user is able to sign up with any email domain they want, effectively bypassing all email domain whitelist/blacklist restrictions or any other 3rd party using the GitLab instance's email address. It is possible because...
GitLab: Local files could be overwritten in GitLab, leading to remote command execution
Summary: Arbitrary file overwrite. A new feature ("download a directory of a repository") in GitLab 11.11 introduced some changes in ./internal/service/repository/archive.go of Gitaly:

```go
func handleArchive(ctx context.Context, writer io.Writer, in *gitalypb.GetArchiveRequest, compressCmd *exec.Cmd, forma...
```
Grammarly: Account takeover through the combination of cookie manipulation and XSS
Summary: A cookie-based XSS on www.grammarly.com exists due to reflection of a cookie called gnar_containerId in the DOM without any sanitization. Normally, gnar_containerId is set by the server; however a vulnerable endpoint at gnar.grammarly.com called "/cookies" allows us to manipulate cookies...
Internet Bug Bounty: Local Privilege Escalation during execution of VeraCryptExpander.exe (UAC bypass)
Summary: Your VeraCryptExpander.exe is vulnerable to a Local Privilege Escalation UAC BYPASS during execution. The issue is located here: https://github.com/veracrypt/VeraCrypt/blob/a108db7c85248a3b61d0c89c086922332249f518/src/ExpandVolume/VeraCryptExpander.manifest...
Mail.ru: Rails application running in development mode
autodiscover.staging.geekbrains.ru was running Ruby on Rails in development mode...
Omise: Failure to Invalidate Session after Password Change
While conducting my research I discovered that the application fails to invalidate sessions after a password change. In this scenario changing the password doesn't destroy the other sessions which are logged in with the old password. Steps to Reproduce: ---------------------- Video PoC attached Step By...
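The Nord Security entry above (reset links that stay valid after use, and older reset tokens that survive a newer request) and this Omise entry (other sessions surviving a password change) are two faces of the same account-state problem, so one added example covers both. It is not code from either company: a small in-memory account service in which requesting a reset discards the previous token, completing a reset consumes the token before anything else happens, tokens expire, and any password change (by reset or by the user) revokes every session except the one that made the change. The 15-minute TTL and the SHA-256 hashing of the random token are assumptions for the example; real password storage would use a slow hash such as argon2 or bcrypt.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

RESET_TTL_SECONDS = 15 * 60  # assumption: a short-lived reset link


@dataclass
class Account:
    password_hash: str
    sessions: Set[str] = field(default_factory=set)
    # Only the newest reset token is stored, so issuing a new one supersedes the old.
    reset_token_hash: Optional[str] = None
    reset_expires_at: float = 0.0


class AccountService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    @staticmethod
    def _hash(value: str) -> str:
        # Fine for a 256-bit random token; passwords would use argon2/bcrypt (assumption: demo only).
        return hashlib.sha256(value.encode()).hexdigest()

    def create(self, user: str, password: str) -> None:
        self.accounts[user] = Account(password_hash=self._hash(password))

    def login(self, user: str, password: str) -> Optional[str]:
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.password_hash, self._hash(password)):
            return None
        sid = secrets.token_urlsafe(32)
        acct.sessions.add(sid)
        return sid

    def session_valid(self, user: str, sid: str) -> bool:
        return sid in self.accounts[user].sessions

    def request_reset(self, user: str, now: Optional[float] = None) -> str:
        """Issue a fresh token; the previous one (if any) becomes unusable."""
        acct = self.accounts[user]
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = self._hash(token)
        acct.reset_expires_at = (time.time() if now is None else now) + RESET_TTL_SECONDS
        return token  # only the hash is stored server-side

    def complete_reset(self, user: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        acct = self.accounts[user]
        now = time.time() if now is None else now
        if acct.reset_token_hash is None or now > acct.reset_expires_at:
            return False
        if not hmac.compare_digest(acct.reset_token_hash, self._hash(token)):
            return False
        acct.reset_token_hash = None  # single use: consumed before the password changes
        acct.reset_expires_at = 0.0
        self._set_password(acct, new_password)
        return True

    def change_password(self, user: str, sid: str, old_password: str, new_password: str) -> bool:
        acct = self.accounts[user]
        if sid not in acct.sessions or not hmac.compare_digest(acct.password_hash, self._hash(old_password)):
            return False
        self._set_password(acct, new_password, keep_session=sid)
        return True

    def _set_password(self, acct: Account, new_password: str, keep_session: Optional[str] = None) -> None:
        acct.password_hash = self._hash(new_password)
        # A stolen cookie must die with the old password: drop every other session.
        acct.sessions = {keep_session} if keep_session else set()
        acct.reset_token_hash = None  # a pending reset is moot once the password changed
```

The `now` parameter exists so the expiry path can be exercised deterministically; in production the wall clock is used.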
Phabricator: Issue:Form does not contain an anti-CSRF token
Form does not contain an anti-CSRF token. There are 15 instances of this issue: / /Z1336 /applications/ /auth/start/...
Capital One: Heartbleed Bug
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over th...
Nextcloud: Missing DNSSEC
The nextcloud.com domain does not have DNSSEC enabled...
Upserve : Open redirect on https://hq-api.upserve.com/
The returnto parameter on https://hq-api.upserve.com/auth/auth0?prompt=none&returnto= was not validated and allowed an open redirect...
Internet Bug Bounty: efree() on uninitialized Heap data in imagescale leads to use-after-free
The core bug: https://bugs.php.net/bug.php?id=77269 This bugfix actually involves two vulnerabilities: a call to efree on uninitialized data and another free based vulnerability. What is described below is a bug that was fixed in libgd two years ago CVE-2016-10166, but the patch was never applied...
RATELIMITED: Server Header disclose The Os and Web server Version
Server header was present and disclosed the version of the web server and OS in HTTP responses...
Zendesk: Blind XSS via Suspended Ticket Recovery
A cross-site scripting XSS vulnerability was reported to us. We validated the issue, investigated to ensure it wasn't exploited, and implemented a remediation to all customers. Big thanks to @trimatra-sec who was a pleasure to work with!...
Khan Academy: Creating Unlimited Fake Accounts.
Hello @khanacademy, Anyone can create unlimited fake accounts using temp mails, i.e. https://temp-mail.org/en/ 1- Go to https://temp-mail.org/en/ 2- Select a mail 3- Enter that mail while creating an account in khanacademy 4- You will get a confirmation mail from khanacademy on https://temp-mail.org/en/...
Tor: Expose user IP if Tor crashes
Greetings, I have noticed that for an unpredictable reason a Tor relay can expose the IP of a user. I noticed this by going to the server http://195.176.3.24/ and getting information about the headers. I arrived at this header: "X-Your-Address-Is". How: -- - So I went to this tor-relay...
Weblate: flood of comment no rate limit on commnets >> by using different user agent
It was possible to post 200-300 comments within minutes; there was no rate limiting applied...
Vanilla: Bypassing the Trusted Link Alert System
Summary: I have discovered a means of bypassing the system that will alert users of an untrusted link, utilizing the Right-to-Left Override unicode character. The alert looks like this: https://i.imgur.com/9rp1K7b.mp4 Description: For this demonstration, I have added "facebook.com" to the trusted...
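A Right-to-Left Override (U+202E) makes the rendered link differ from the raw string, so any trust decision based on what the text looks like, or on a substring match for the trusted domain, can be steered. The following is an added example, not Vanilla's code and not a reconstruction of the exact bypass in the report: a substring-based "trusted link" check beside one that decides on the parsed hostname of the href and treats any Unicode bidi control character as untrusted. The trusted entry facebook.com is taken from the report; everything else is assumed.

```python
from urllib.parse import urlsplit

# Unicode bidirectional controls: embeddings/overrides (LRE, RLE, PDF, LRO, RLO),
# isolates (LRI, RLI, FSI, PDI) and marks (LRM, RLM, ALM).
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
    "\u200e", "\u200f", "\u061c",
}
TRUSTED_DOMAINS = {"facebook.com"}  # the trusted entry from the report


def contains_bidi_controls(text: str) -> bool:
    return any(ch in BIDI_CONTROLS for ch in text)


def is_trusted_host(host: str) -> bool:
    """Exact match or subdomain of a trusted domain; never a substring match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def vulnerable_needs_alert(link: str) -> bool:
    """The weak pattern: the alert is suppressed whenever the trusted domain
    appears anywhere in the link string."""
    return not any(d in link for d in TRUSTED_DOMAINS)


def hardened_needs_alert(href: str, link_text: str = "") -> bool:
    """Decide on the parsed hostname of the href, and refuse labels or hrefs
    carrying bidi controls, since their rendering cannot be trusted."""
    if contains_bidi_controls(href) or contains_bidi_controls(link_text):
        return True
    try:
        host = urlsplit(href).hostname
    except ValueError:
        return True
    if not host:
        return True
    return not is_trusted_host(host)


def strip_bidi_controls(text: str) -> str:
    """For display: remove the controls so the user sees the same string the check saw."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)
```

Two constructed cases make the difference visible: `http://evil.test/?ref=facebook.com` passes the substring check, and `https://www.facebook.com/\u202etset.live//:ptth` passes it too while rendering with its tail reversed; the hardened check alerts on both and stays quiet only for a real facebook.com host.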
Slack: SSRF in api.slack.com, using slash commands and bypassing the protections.
Bypassing the reports 61312 and 356765 Tutorial: Go to api.slack.com and create an application with your own slash command. F320014 Enter your own domain: in your own domain: index.php location: http://[::]:22/ F320019 And save. Go to your Slack and type /youslash Try with my server...
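The payload `http://[::]:22/` gets past filters that only blocklist obvious strings such as 127.0.0.1 or localhost: `::` is the IPv6 unspecified address, which on common kernels connects to the local host, and the scheme/port pair points at an SSH daemon rather than a web server. The added example below, not Slack's code, is a destination check for an outbound fetcher that parses the URL, restricts scheme and port, and requires every address (literal or resolved) to be globally routable, which rejects unspecified, loopback, link-local and private ranges at once. The allowed ports and the in-memory resolver table are constructed so the example runs offline; a deployment would pass `system_resolver` and should connect to the addresses it checked rather than resolving again.

```python
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: a slash-command/webhook fetcher only needs web ports

# Constructed resolver table (not real DNS) so the example runs offline.
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],  # one public record, one loopback
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def system_resolver(host: str) -> List[str]:
    """Real resolution for deployment use; returns every A/AAAA answer."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def safe_destination(url: str, resolve: Callable[[str], List[str]] = fake_resolver) -> bool:
    """True only if the URL may be fetched: http(s) on an allowed port, and every
    address it can reach is a global unicast address."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # brackets are stripped, so "[::]" becomes "::"
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    except ValueError:  # unparsable port such as the bracket-less ":::22"
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not host or port not in ALLOWED_PORTS:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]  # literal address: judge it directly
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except ValueError:
            return False
    if not addrs:
        return False
    # is_global already excludes unspecified (::, 0.0.0.0), loopback, link-local and
    # private ranges; multicast and reserved blocks are excluded explicitly.
    return all(a.is_global and not a.is_multicast and not a.is_reserved for a in addrs)
```

Checking every resolved address, not just the first, is what closes the partial-rebinding case in the table, where a hostname returns one harmless record next to a loopback one.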
Mail.ru: Nginx variable values output in the page body
When requesting a URL of the form https://biz.mail.ru/$<nginx_variable_name>, the value of that variable ends up in the 404 response page, in every place of the form: e.mail.ru/login?lang=ru_RU&Page=https%3A%2F%2Fbiz.mail.ru%2F<nginx_variable_value>. Example requests: 1 https://biz.mail.ru/test$realpath_root, in the response:...
Liberapay: csrf token did not changed after login/logout many times
Hello team, your CSRF token did not expire, and after logging in and out many times I found that your CSRF token is generated the same as the last one. Impact: if an attacker found an XSS on your domain and you fixed it, but the attacker still has the user's CSRF token, the attacker can use it to perform any action...
Mail.ru: phpinfo() information exposed on the site https://agent.mail.ru
phpinfo was available on agent.mail.ru. agent.mail.ru is not currently covered with bug bounty program...
Mail.ru: LFI in beta.mail.ru
Local file read via file:// URI in a report's image in beta.mail.ru. beta.mail.ru is not currently covered by the bug bounty program. Reading arbitrary server files due to insufficient validation of attached images...
Node.js third-party modules: Prototype pollution attack (defaults-deep)
As discussed in 309391, here's the separate report for each of the library. This one is the information for the defaults-deep library. Module: https://www.npmjs.com/package/defaults-deep Summary: Utilities function in all the listed modules can be tricked into modifying the prototype of "Object"...
VK.com: Manipulating the "Suggest stickers in input fields" setting on users' pages
The hash was missing in requests that change the sticker settings. A small mistake in the report: to enable, put 1 at the end. Enable: https://m.vk.com/attachments?ajax=1&act=stickershintsenabled&value=1 CSRF - the ABSENCE of the hash makes it possible to toggle suggestions in input fields in the mobile version of VK! Thus...
GitLab: SQL injection in MilestoneFinder order method
The MilestoneFinder is a class used to find milestones based on group or project identifiers. The class is used in multiple controllers. It allows to filter based on state and can be used to order the result set. One of the uses can be found in the Groups::MilestonesController. When the index...
RBKmoney: Open Redirection on auth.rbk.money
An open redirect vulnerability was found in Keycloak. Find the writeup soon on my website; Edit: the writeup is here: http://abartandhakal.com.np/main/2018/01/27/open-redirection-on-rbk-money/...
Open-Xchange: Adding external participants to unaccessible appointments
Description When making an appointment, users are able to invite additional participants who do not have an Open-Xchange account. However, it appears that any user can invite external participants to any appointment, even if that appointment is not accessible to him. Additionally, using the same bug...
International Islamic University Chittagong: Default credentials on http://119.18.148.140/hrd/
Hello, When the mentioned URL is opened, the user is presented with a login form that logs them into the "HR & Payroll" system of the university. The issue here is that the credentials used are the application's default credentials, which are mentioned here...
AlienVault : [www.threatcrowd.org] - reflected XSS
Summary: I have found a reflected XSS in https://www.threatcrowd.org/graphHtml.php, in the GET parameter email. Browsers Verified In: Firefox 56.0.1 Steps To Reproduce: 1. Browse to https://www.threatcrowd.org/graphHtml.php?email=%27-alert(document.domain)-%27 2. Click on the embed functionality in th...
Inflection: Unsubscribe Any User
Researcher reported that HubSpot's "unsubscribe" feature allows any user to unsubscribe from marketing emails without having to confirm their email address. Inflection does not consider this a vulnerability, as we want to make it as easy as possible for users to stop receiving marketing emails th...
Aspen: No Rate Limit (Leads to huge email flooding/email bombing)
Dear sir, At first, I want to say that this sensitive action definitely should be set with a rate limit. Note: This is about huge bombing/brute force on any endpoints. Vulnerability: No rate limit has been set for generating account confirmation emails for accounts on the above selected domain, which i...
Internet Bug Bounty: Perl $ENV Key Stack Buffer Overflow
The CPerlHost::Add method in win32\perlhost.h is vulnerable to a stack buffer overflow. void CPerlHost::Add(LPCSTR lpStr) { char szBuffer[1024]; LPSTR lpPtr; int index, length = strlen(lpStr)+1; for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index) szBuffer[index] = lpStr[index]; szBuffer[index] = '\0...