Basecamp: Navgraph confusion allows any 3p app to send and read requests from the server at app.hey.com
The vulnerability in the Navgraph system allowed any third-party app to send and read requests from the server at app.hey.com...
Node.js: Proxy-Authorization header not cleared on cross-origin redirect in undici.request
The Proxy-Authorization and x-auth-token headers were not cleared on cross-origin redirects in versions of undici up to and including 6.7.0. This issue was similar to a previously fixed security vulnerability where Authorization and Cookie headers were not cleared on such redirects...
curl: Buffer overflow and affected url:-https://github.com/curl/curl/blob/master/docs/examples/hsts-preload.c
Vulnerability description not provided...
Node.js: Code injection and privilege escalation through Linux capabilities
A vulnerability was found in Node.js on Linux where it incorrectly applied an exception for the CAP_NET_BIND_SERVICE capability even when other capabilities were set. This allowed unprivileged users to inject code that inherited elevated privileges of the process...
Mozilla: Stored Xss on bugzilla.mozilla.org via comment edit feature from non-admin to admin.
A stored XSS vulnerability was discovered on the comment edit feature of bugzilla.mozilla.org. This allowed an attacker to execute malicious JavaScript code when an admin attempted to edit a comment. The vulnerability was reported and a bug report was filed...
Liberapay: Disavowed an email without any authentication
Vulnerability description not provided...
Internet Bug Bounty: jdbc apache airflow provider code execution vulnerability
A code execution vulnerability was discovered in the Apache Airflow JDBC Provider before version 4.0.0. The vulnerability allowed for privilege escalation by exploiting controllable parameters in the JDBC connection, enabling the execution of arbitrary Java code...
HackerOne: Hackerone All Private Program Name Leaked to Public Via Collaborator OR Attacker can Easily Dump all Private Program Names through Collaborator
A vulnerability was discovered in Hackerone that allowed an attacker to obtain the names of private programs. By manipulating the report ID and using the Collaborator feature, the attacker could determine if a program was private or public. This compromised the confidentiality of private programs...
inDrive: Stored XSS on promo.indrive.com
Vulnerability description not provided...
Teleport: robots.txt file
The web server includes a robots.txt file that serves a crucial role in providing instructions to web robots, such as search engine crawlers, about the permissible areas of the website that they can crawl and index. While the presence of this file does not pose a direct threat to the security of...
Automattic: Stored XSS on wordpress.com
A Stored XSS vulnerability was found on WordPress.com via app.crowdsignal.com. An attacker could execute malicious script code in the victim user's browser and redirect them to malicious sites by creating a poll with a specific payload and sharing the link on a WordPress post. The vulnerability w...
Internet Bug Bounty: [CVE-2022-44572] Possible Denial of Service Vulnerability in Rack’s RFC2183 boundary parsing
A denial of service vulnerability was discovered in the multipart parsing component of Rack. This vulnerability could be exploited by carefully crafted input to cause the RFC2183 multipart boundary parsing in Rack to consume an unexpected amount of time, potentially leading to a denial of service...
Cloudflare Public Bug Bounty: Privilege escalation to root in Pages build image v2
Vulnerability description not provided...
Sony: SQL Injection at https://████ via ███ parameter
Vulnerability description not provided...
Nextcloud: Reflected XSS vulnerability with full CSP bypass in Nextcloud installations using recommended bundle
A reflected XSS vulnerability with full CSP bypass was discovered in Nextcloud installations using the recommended bundle. The vulnerability allowed attackers to inject malicious code into web pages, which could be executed in the context of the victim's browser session, leading to a trivial...
LinkedIn: Unauthorized access to resumes stored on LinkedIn
Researcher found an IDOR on an endpoint where a recruiter could download resumes without the appropriate access - This security issue was unintentionally introduced in late-October 2022 - The reporter reached out and provided details to LinkedIn on this security issue in November 2022 - LinkedIn...
Nextcloud: [user_oidc] Unencrypted Communications
The OpenID Connect User Backend allows users to log in to Nextcloud using SSO and is - according to the policy - part of the main scope of this program. The implementation supports plain HTTP without TLS and transfers sensitive information such as OIDC client secrets in an unencrypted manner...
Ruby on Rails: ReDoS (Rails::Html::PermitScrubber.scrub_attribute)
I have confirmed that ReDoS occurs on Rails::Html::PermitScrubber.scrub_attribute. https://github.com/rails/rails-html-sanitizer/blob/v1.4.3/lib/rails/html/scrubbers.rb#L134 ruby def scrub_attribute(node, attr_node) attr_name = if attr_node.namespace "#{attr_node.namespace.prefix}:#{attr_node.node_name}" else...
curl: CVE-2022-35252: control code in cookie denial of service
Summary: I took a look at https://github.com/curl/curl/pull/9048/commits/d7bcbc7d8d4b6d972d3da12d54819169a19c287b a sneak peek on a vulnerability to be announced tomorrow. My guess for that vulnerability is that since cookies are persistent, someone who can trick curl into storing cookies can sto...
IBM: sql injection via https://setup.p2p.ihost.com/
A SQL Injection against an IBM domain was reported to IBM, analyzed and has been remediated. Thank you to exploitmsf...
TikTok: Reflected xss on ads.tiktok.com using `from` parameter.
An XSS (cross-site scripting) vulnerability was found on a TikTok ads endpoint using the "from" parameter. We thank @imrannisar for reporting this to our team and confirming its resolution...
PortSwigger Web Security: Information disclosure on error message
Hi team, First of all, thank you for creating a wonderful place for learning web app pentesting. While accessing a lab at the academy, my internet connection suddenly went down. I don't know whether the problem is in the lab or in the academy, but the error message reveals some Node code. I attached a screensh...
U.S. Dept Of Defense: Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
A vulnerability in ForgeRock OpenAM allowed unauthenticated remote code execution due to unsafe Java deserialization in the Jato framework. The vulnerability, tracked as CVE-2021-35464, could be exploited by sending a crafted request to the /openam/ccversion/Version endpoint with a malicious...
Elastic: RCE hazard in reporting (via Chromium)
Summary: Reporting embeds a Chromium that is susceptible to RCEs Description: Reporting uses a headless Chromium to generate PNGs and PDFs. This is invoked at least on Elastic Cloud, ECE and ECK with --no-sandbox to work at all. There are RCEs readily available for Chrome, and at least the versio...
VK.com: Sending an SMS to any number on behalf of vk.com. (The SMS message is always the same and cannot be changed.)
Sending SMS to any number for installing the official apps; there are limits...
Automattic: SSRF & Blind XSS in Gravatar email
Nathan Cavitt rockybandana reported a blind XSS issue in the Gravatar service, which was due to incorrect/insufficient sanitization on adding emails to one's profile. The report was of good quality and the issue was fixed within a couple of days of report...
h1-ctf: [ Hacky Holidays CTF ] Completely taken down the Grinch Networks
Day 1 - Robot flag We're presented with a sample UI page without any function. So I guessed content discovery is the best way to find the flag. And robots.txt came to my mind, and I found the flag. https://hackyholidays.h1ctf.com/robots.txt Response User-agent: * Disallow: /s3cr3t-ar3a Flag:...
h1-ctf: Grinch Networks compromised!
Grinch Networks compromised! For fast triage/validation and inspired by @manoelt in other CTF, I made a bash script to find and print all the 12 flags of this CTF. The script uses curl, wget, google-chrome headless for flag 2, unzip, grep and sed. If any of these commands is missing, the script...
GitHub Security Lab: codeql-go: Expand Go standard library taint-tracking models to 63 packages, 554 models and 733 tests (from ~13 packages, ~103 models, ~50 tests)
This bug was reported directly to GitHub Security Lab...
Internet Bug Bounty: Heap buffer overflow vulnerability while processing a malformed TIFF file.
A heap buffer overflow vulnerability occurs in magick while processing a malformed TIFF file. Following are the version/build details: $ magick -version Version: ImageMagick 7.0.10-45 Q16 x86_64 2020-11-30 https://imagemagick.org Copyright: © 1999-2020 ImageMagick Studio LLC License:...
h1-ctf: [H1-2006 2020] H1-2006 CTF Writeup
Hi! The challenges were really great. I had a lot of fun and I can honestly say I learned a few tricks during this journey. I will be submitting the flag now and will work on a very good writeup until the deadline. My reasoning is that there are two different prizes, one for the first ten and...
Mail.ru: Http Response Splitting on thumb.cloud.mail.ru
Limited CRLF injection at thumb.cloud.mail.ru allowed cookies to be manipulated...
Shopify: *.shopify.com - Authentication bypass
I've found a flaw in the authentication process when accessing the website https://upcoming.shopify.com. There seems to be HTTP Authentication in place to prevent access without authentication. Please follow the PoC below to get access to https://upcoming.shopify.com without login. The website is...
GSA Bounty: open redirect in eb9f.pivcac.prod.login.gov
PoC: https://eb9f.pivcac.prod.login.gov/?nonce=wI0UglN84A06Q4z4JnkZVc3i1V8%3D&redirecturi=https%3A%2F%2Fgoogle.com%23%40secure.login.gov%2Flogin%2Fpivcac Visit this and it will redirect to google.com. Impact: phishing...
Mail.ru: PHP code injection at tz.mail.ru
A chain of bugs involving unsafe usage of PHP unserialize led to the possibility of code execution on tz.mail.ru...
MTN Group: Information Disclosure FrontPage Configuration Information /_vti_inf.html in https://www.mtn.co.za/
Hi there, I found an information disclosure of Microsoft FrontPage configuration on the subdomain https://www.mtn.co.za/ that allows me to see the version number and scripting paths of SharePoint using Firefox. POC: Go to the following URL: https://www.mtn.co.za/_vti_inf.html and you will see a blank page...
Node.js third-party modules: [treekill] RCE via insecure command concatenation (only Windows)
I would like to report an RCE issue in the treekill module. It allows executing arbitrary commands remotely inside the victim's PC. Module module name: treekill version: 1.0.0 npm page: https://www.npmjs.com/package/treekill Module Description treekill a process and all its children and child...
Node.js third-party modules: gitlabhook OS Command Injection
I would like to report OS Command Injection in gitlabhook. It allows execution of arbitrary code on the remote server, that waits for instructions from gitlab. Module module name: gitlabhook version: 0.0.17 npm page: https://www.npmjs.com/package/gitlabhook Module Description This is an easy to u...
GSA Bounty: Information disclosure (system username, server info) in the x-amz-meta-s3cmd-attrs response header on data.gov
Hi Team, I noticed, that the x-amz-meta-s3cmd-attrs response header returns sensitive information, like system username on data.gov x-amz-meta-s3cmd-attrs: uid:0/gname:root/uname:root/gid:0/mode:33184/mtime:1513269652/atime:1513269652/md5:2049644b6b833f5dbb826f60a4721f64/ctime:1513269652 Server:...
GitLab: Private System Note Disclosure using GraphQL
Summary When you use the REST API or UI to view an issue's discussion/notes, private system notes are hidden and visible to members only. Such as moving an issue to a private project, marking an issue as a duplicate of a confidential issue, someone mentioning this issue in a confidential issue. They are properly...
Starbucks: Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice
@geekjeremy, at the same time as other hackers who submitted their own reports, discovered a browsable WSDL service on an API endpoint under the starbucks.com.cn domain, running on a non-standard port. @geekjeremy demonstrated that the service had several functions that executed without any...
phpBB: CSS injection via BB code tag "█████"
The input to the "█████" BBcode tag is not properly filtered. It gets converted into a CSS style attribute for a span HTML element. Quotes " are removed, so there's no way to break out of the CSS style attribute. However, it is possible to arbitrarily dress the resulting span element. To illustra...
WePay: Active mixed content issues on the site https://stage-go.wepay.com.
Hello. Summary: Page https://stage-go.wepay.com/static/ contains active mixed content: Description: Passive mixed content is content sent over HTTP that is contained on the HTTPS page, but which can not change other parts of the page. For example, an attacker can replace a picture sent via HTTP...
Starbucks: RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/
This report from @spaceraccoon demonstrated a valid attack resulting in RCE and full compromise of the target. The detailed and thorough report was especially helpful throughout the triage process, and ultimately helped us reproduce and resolve the issue as quickly as possible. The vulnerable sit...
U.S. Dept Of Defense: [Critical] Full local filesystem access (LFI/LFD) as admin via Path Traversal in the misconfigured Java servlet on the https://███/
Description Hello. I discovered a Path Traversal issue on the https://██████████/ I was able to turn it into a local file read, and after a series of tests determined that it's possible to reach sensitive system files with administrator rights. POC The next request will read the...
Notepad++: No SearchEngine sanitizing can lead to command injection
Information: Summary: Notepad++ is vulnerable to a command injection vulnerability. Debug Info: Notepad++ v7.6.3 32-bit Build time : Jan 27 2019 - 17:20:30 Path : C:\Program Files (x86)\Notepad++\notepad++.exe Admin mode : ON Local Conf mode : OFF OS : Windows 10 64-bit Plugins : none Description:...
Semrush: XSS Reflected on my_report
Hello again. This time, besides HTML injection, a full XSS goes through in the user's dashboard. Payload: https://www.semrush.com/myreports/api/v1/document%22%3E%3Cimg%20src=x%20onerror=alertdocument.cookie%3E/4007861 PoC: in the screenshot Impact Theft of session cookies...
Mail.ru: [e.mail.ru] Stored xss in Mpop cookie
XSS on e.mail.ru domain via cookie content XSS in cookie via mitm. Good article - https://habr.com/en/post/460101/ by @w2w...
Mail.ru: server status
Apache server status was available at jw-cn-test-1.ext.terrhq.ru...
Mail.ru: Bypass security fixes by downgrading version of application
A version downgrade attack was possible in the webagent web application webagent.mail.ru. It could allow an attacker to force a user to visit an older version of the web application with known vulnerabilities...