Infogram: Stored XSS in infogram.com via language
The stored XSS was found in the language profile parameter. POC: Change profile settings with the following request: PUT /api/users/me HTTP/1.1 Host: infogram.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: */* Accept-Language: en-US,en;q=0.5...
HackerOne: Unauthenticated user can upload an attachment to the last updated report draft
The newly launched beta embedded submissions form introduced the concept of anonymous submissions. When an anonymous user starts writing a report through an embedded form, a UUID will be generated to track their submission. Any object that is created will reference this UUID. We call this a trace...
Zomato: Reflected XSS on developers.zomato.com
There is a vulnerability in https://developers.zomato.com/documentation due to an old version of Swagger UI. Steps to reproduce: - Create an endpoint containing the following JSON: "swagger":"2.0","info":"description":"This is a sample server Petstore server. You can find out more about Swagger at...
Brave Software: Field Day With Protocol Handlers
Summary: When launching a protocol such as mailto:, SEARCH:, or bitcoin:, Brave only asks whether to allow the protocol to be opened by an external application. You can select whether or not to remember the decision, and whether to allow or deny it. The issue is that upon selecting...
Khan Academy: Creating Unlimited Fake Accounts.
Hello @khanacademy, anyone can create unlimited fake accounts using temp mails, i.e. https://temp-mail.org/en/ 1. Go to https://temp-mail.org/en/ 2. Select an email address 3. Enter that address while creating an account on Khan Academy 4. You will get a confirmation mail from Khan Academy on https://temp-mail.org/en/...
Tor: Expose user IP if Tor crashes
Greetings, I have noticed that for an unpredictable reason a Tor relay can expose the IP of a user. I noticed this by going to the server http://195.176.3.24/ and getting information about the headers. I came across this header: "X-Your-Address-Is". How: -- - So I went to this tor-relay...
Node.js third-party modules: [apex-publish-static-files] Command Injection on connectString
I would like to report a command injection vulnerability in the apex-publish-static-files npm module. It allows arbitrary shell command execution through a maliciously crafted argument. Module name: apex-publish-static-files, version: 2.0.0, npm page:...
WordPress: xss - reflected
Vulnerable URL: http://masterplan.wordpress.net/store/checkout/ Payload: 1 Main Streetzbn0b"alertdocument.cookiek8ez0 Vulnerable parameter: billing-address Request: POST /store/checkout/ HTTP/1.1 Host: masterplan.wordpress.net Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en...
Slack: SSRF in api.slack.com, using slash commands and bypassing the protections.
Bypassing reports 61312 and 356765. Tutorial: Go to api.slack.com and create an application with your own slash command. F320014 Enter your own domain: in your own domain: index.php location: http://:::22/ F320019 And save. Go to your Slack and type /youslash. Try with my server...
Monero: Trusted daemon check fails when proxied through torsocks or proxychains
Summary: If torsocks(1) or proxychains(1) is enforced when using the Monero wallet with a remote node, without the explicit --untrusted-daemon argument given, the application will assume the daemon is trusted. Description: By default, the wallet checks if the daemon address can be trusted by calling...
Zomato: XSS in "explore-keywords-dropdown" results.
It seems that people have exploited this vulnerability before on this website; however, it remains unpatched, so here I am reporting the vulnerability. An XSS vulnerability exists when a restaurant or dish is created with a malicious name. The title of the dish or restaurant is not properly filter...
Mail.ru: LFI in beta.mail.ru
Local file read via file:// URI in a report's image in beta.mail.ru. beta.mail.ru is not currently covered by the bug bounty program. Arbitrary server file read due to insufficient validation of attached images...
Node.js third-party modules: Command injection in 'pdf-image'
I would like to report command injection in pdf-image. It allows executing commands on the server. Module name: pdf-image, version: 1.0.5, npm page: https://www.npmjs.com/package/pdf-image Module description: Provides an interface to convert PDF pages to PNG files in Node.js by using...
Shopify: Potential to abuse pricing errors in saved carts
If someone abandons a shopping cart and the price changes between that time and when the abandoned cart recovery email is sent, the saved cart will always show the old price. If saved carts do not expire, this can create a situation where bad actors can fill and save shopping carts with sale pric...
Node.js third-party modules: Prototype pollution attack (defaults-deep)
As discussed in 309391, here's the separate report for each library. This one is the information for the defaults-deep library. Module: https://www.npmjs.com/package/defaults-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object"...
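The mechanism this report summarises, as an added example that is not the defaults-deep module's own source: a minimal recursive defaults merge in the style the report describes, first in a form that descends through a key named `__proto__` and so writes into `Object.prototype`, then hardened. The attacker JSON, the function names and the `pollutes` helper are constructed for illustration.

```javascript
// Added example: a minimal recursive "defaults" merge (not defaults-deep's own
// source) showing how a deep merge is tricked into polluting Object.prototype.

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: walks every own key of `source`, including a key literally named
// "__proto__". Reading target["__proto__"] on a plain {} yields
// Object.prototype, which passes isPlainObject, so the recursion descends into
// it and writes the attacker's keys onto the global prototype.
function defaultsDeepVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(target[key]) && isPlainObject(source[key])) {
      defaultsDeepVulnerable(target[key], source[key]);
    } else if (target[key] === undefined) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only descend
// into properties `target` actually owns, never ones inherited from a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function defaultsDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (own && isPlainObject(target[key]) && isPlainObject(source[key])) {
      defaultsDeepSafe(target[key], source[key]);
    } else if (!own) {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed attacker input: JSON.parse creates an *own* property named
// "__proto__" (an object literal with that key would instead set the prototype).
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

// Runs one merge implementation against the payload and reports whether an
// unrelated, freshly created object now inherits the injected property.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(ATTACKER_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // restore global state for the next check
  return leaked;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable merge pollutes Object.prototype:', pollutes(defaultsDeepVulnerable));
  console.log('hardened merge pollutes Object.prototype:', pollutes(defaultsDeepSafe));
}
```

Skipping the three keys is the usual minimal fix; the `hasOwnProperty` guard matters too, because the vulnerable version's `target[key] === undefined` test also lets an attacker tunnel through any inherited object-valued property, not just `__proto__`.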
RBKmoney: Open Redirection on auth.rbk.money
An open redirect vulnerability was found in Keycloak. Writeup coming soon on my website; Edit: the writeup is here: http://abartandhakal.com.np/main/2018/01/27/open-redirection-on-rbk-money/...
AlienVault: DNS pinning SSRF bypass
Summary: this issue is a bypass for this report: https://hackerone.com/reports/285380. It is an SSRF bypass with DNS pinning. Description: We can bypass the SSRF protection with a simple domain that resolves to 169.254.169.254, like: ssrf-cloud.localdomain.pw Browsers verified in: Firefox 56...
International Islamic University Chittagong: Default credentials on http://119.18.148.140/hrd/
Hello, when the mentioned URL is opened, the user is presented with a login form that logs them into the "HR & Payroll" system of the university. The issue here is that the credentials used are the application's default credentials, which are mentioned here...
AlienVault: [www.threatcrowd.org] - reflected XSS
Summary: I have found a reflected XSS in https://www.threatcrowd.org/graphHtml.php, in the GET parameter email. Browsers verified in: Firefox 56.0.1 Steps to reproduce: 1. Browse to https://www.threatcrowd.org/graphHtml.php?email=%27-alert(document.domain)-%27 2. Click on the embed functionality in th...
Inflection: Unsubscribe Any User
Researcher reported that HubSpot's "unsubscribe" feature allows any user to unsubscribe from marketing emails without having to confirm their email address. Inflection does not consider this a vulnerability, as we want to make it as easy as possible for users to stop receiving marketing emails th...
Legal Robot: cross site web socket hijacking
In the below web-socket request a successful 101 protocol handshake is working with the origin https://app.legalrobot.com, but if you place a malicious origin such as http://evil.com, or any page containing the malware, in place of https://thisdata.com, the web socket server is still giving 10...
Internet Bug Bounty: Perl $ENV Key Stack Buffer Overflow
The CPerlHost::Add method in win32\perlhost.h is vulnerable to a stack buffer overflow. void CPerlHost::Add(LPCSTR lpStr) { char szBuffer[1024]; LPSTR lpPtr; int index, length = strlen(lpStr)+1; for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index) szBuffer[index] = lpStr[index]; szBuffer[index] = '\0...
Internet Bug Bounty: Heap Use After Free in unserialize()
ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x before 7.1.7 is prone to a heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h. Exploitation of this issue can have an unspecified impact on the integrity of PHP. This...
Rockstar Games: CSRF Vulnerability allows attackers to steal SocialClub private token.
The researcher was able to combine a Flash exploit with a CSRF vulnerability in order to obtain sensitive user tokens from https://socialclub.rockstargames.com/profileedit/GetTokens. This page is ordinarily only called in a secure fashion such that an attacker is unable to see another user's...
WakaTime: No notification sent to email after account deletion.
Hi again, Description: I've just noticed that there's no email notification received after successful removal of an account. Fix: the user should be notified by an email notification at their email address after removal of an account. Cheers Mansoor...
Mixmax: Security Vulnerability - SMTP protection not used
Hi, I was checking your website and found an SPF record there. You should apply a strict SMTP policy to stop spoofed emails being sent from your domain. An attacker could send a fake email from [email protected] saying "Please change your password". The victim is aware of phishing attacks, but when he sees...
Homebrew: Host header Injection
Hi security team, here is a host header injection. Request changing the host to www.google.com: GET / HTTP/1.1 Host: www.google.com User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language:...
Internet Bug Bounty: OOB write in BN_bn2dec() (CVE-2016-2182)
The function BN_bn2dec does not check the return value of BN_div_word. This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because reco...
Mail.ru: Cross-Site Request Forgery
CSRF in whiskas.ny.mail.ru "like" feature. whiskas.ny.mail.ru is not currently in the bug bounty scope...
Ruby: sprintf combined format string attack
In a ticket that was also reported to "shopify-scripts" regarding "MRuby", I reported in detail a combined attack against the sprintf gem: information leak, heap buffer underflow. The full ticket details can be found in: Ticket 212239. The ticket was opened several minutes ago but I add it in case ...
Internet Bug Bounty: CVE-2017-5482 The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print().
Reported to the project maintainers in 2016. Regardless of CVE-2016-8575, q933_print still could overread the buffer trying to parse a short packet. Fixed by https://github.com/the-tcpdump-group/tcpdump/commit/c39c1d99ac3b6d5d9519b39da6717180651650d3...
Nextcloud: User Information Disclosure via REST API
Hello, I found out that you are using WP 4.6.2 on your domain, which is outdated. https://nextcloud.com/readme.html Description: WordPress versions 4.7 and earlier are affected by multiple security issues. Kindly check https://wpvulndb.com/wordpresses/462 for the vulnerabilities and in detailed...
Shopify: apps.shopify.com - CSRF token leakage through Google Analytics
Description: When a user tries to send a support message to an app developer on apps.shopify.com, he will be asked to log in and, once he is logged in, he will be redirected to apps.shopify.com/app_id?authenticity_token=current_user_authenticity_token. Developers can track their app page views in...
Starbucks: Persistent XSS in www.starbucks.com
There is a persistent XSS in https://www.starbucks.com/coffee/espresso/latte-macchiato It is caused by loading scripts from: //starbucksmacchiato-prod.elasticbeanstalk.com/scripts/bn-v1.0.0-Release-min.js Note that starbucksmacchiato-prod.elasticbeanstalk.com is not registered on elastic beanstal...
OLX: Multiple vulnerabilities in http://blog.dubizzle.com/uae
http://blog.dubizzle.com/uae/ uses an outdated Yoast SEO plugin which has the following vulnerabilities: ! Title: Yoast SEO <= 3.2.4 - Subscriber Settings Sensitive Data Exposure Reference: https://wpvulndb.com/vulnerabilities/8487 ! Title: Yoast SEO <= 3.2.5 - Unspecified Cross-Site Scripting XSS...
PortSwigger Web Security: Order-phishing via Payment ID URL
Hello. I discovered an endpoint which allows the attacker to conduct a phishing attack on other users so that they pay for the attacker's order. Why can this happen? On the site, the order id parameter is sent to https://portswigger.net/CCPayment.aspx as POST, but the attacker can append it as GET and it...
LocalTapiola: XSS and open redirect in verkkopalvelu.lahitapiola.fi
Summary: Dear team, kindly note that after submitting a CSRF vulnerability in the subject subdomain, which is still triaged, https://hackerone.com/reports/178811, I noticed after more testing of the subject domain that there are multiple endpoints vulnerable to XSS, and those are the same endpoints I...
VK.com: New 2FA Bypass
Partial bypass of the session check. A bug in the password change function...
Slack: Rate-limit bypass
Hello Slack, this vulnerability is about a 2FA bypass. On the Slack web application there is a rate limit implemented: after performing 4-6 failed 2FA attempts, the rate limit logic will get triggered and ask the user to wait for the next attempt, preventing automated 2FA attempts. I tested the same using the iOS app (iOS 9.3....
Internet Bug Bounty: urllib HTTP header injection CVE-2016-5699
https://bugs.python.org/issue22928 https://access.redhat.com/security/cve/cve-2016-5699...
QIWI: [lk.contact-sys.com] SQL Injection reset_password FP_LK_USER_LOGIN
Steps to reproduce 1. Open https://lk.contact-sys.com/index.php/LK/login 2. Click "Forgot password?" 3. Fill in the form: Participant code: test Login: ' and @@version=1 and '1'='1 HTTP Request: POST /index.php/LK/reset_password HTTP/1.1 Host: lk.contact-sys.com Content-Type:...
Internet Bug Bounty: CVE-2015-8874 Stack overflow with imagefilltoborder
Reported in 2014 https://bugs.php.net/bug.php?id=66387 A variation was rediscovered this year and reported to PHP and LIBGD: https://bugs.php.net/bug.php?id=72350 https://github.com/libgd/libgd/issues/215 Patches for both issues:...
Nextcloud: Server side request forgery (SSRF) on nextcloud implementation.
An admin of a Nextcloud server can add other trusted Nextcloud servers in his own installation. The following request is sent when a new add request is processed: POST /nextcloud/index.php/apps/federation/trusted-servers HTTP/1.1 Host: myown.nextcloudserver.com User-Agent: Mozilla/5.0 (Macintosh;...
Nextcloud: failure to invalidate session on password change
Steps to reproduce 1. Login as user1 in firefox browser 2. Go to http://localhost/nextcloud/index.php/settings/personal 3. Go to other browser chrome and login as user1 4. Change the password in chrome Observe that the session in firefox still works...
Mail.ru: AXFR on plexus.m.smailru.net works
MacBook-Pro:subbrute isox$ dig @217.69.129.107 plexus.m.smailru.net axfr ; DiG 9.8.3-P1 @217.69.129.107 plexus.m.smailru.net axfr ; 1 server found ;; global options: +cmd plexus.m.smailru.net. 600 IN SOA ns1.mail.ru. hostmaster.mail.ru. 2300425875 900 900 1209600 300 plexus.m.smailru.net. 600 IN ...
GitLab: SSRF when importing a project from a git repo by URL
Fixed in 8.17.4, 8.16.8, and 8.15.8 SSRF when importing a project from a Repo by URL GitLab instances that have enabled project imports using "Repo by URL" were vulnerable to Server-Side Request Forgery attacks. By specifying a project import URL of localhost an attacker could target services tha...
HackerOne: External links should use rel="noopener" or use the redirect service
This is a rather low severity one, and a successful exploitation relies on unlikely user interaction as well as the ability to control the HTML output of a remote host. Furthermore, it is a kind of new hardening feature in some browsers, though one can work around this using "noreferrer", which is...
Shopify: Full access to Amazon S3 bucket containing AWS CloudTrail logs
An Amazon S3 bucket used internally by Shopify was misconfigured, allowing external users to read, write and list objects. The excess permissions have been removed...
VK.com: Checking whether user liked the media or not even when you are blocked
PoC: Take 2 accounts, A and B. 1. Now from A's id make a random post, say http://vk.com/id307083341?w=wall307083341_36 2. Now from C's id try to like the post of A. 3. Now from B's id visit https://vk.com/dev/likes.getList 4. Now put the owner id (A) and the post id == 307083341, which is 36 in this case 5. and i...
Coinbase: HTML injection in apps user review
Just watch this video: https://www.dropbox.com/s/360cytluyiw2ym9/HTMLI.mp4?dl=0 This is about a full fake login exploit: https://www.youtube.com/watch?v=5iRylyJTzWc...