Internet Bug Bounty: libtiff 4.0.6 segfault / read outside of buffer (CVE-2016-9297)
segfault and read outside of buffer in libtiff 4.0.6 and possibly earlier. This library is baked into web browsers used by millions and also devices like the PlayStation Portable and the iPhone. http://bugzilla.maptools.org/showbug.cgi?id=2590 Reported to the vendor on 7 November 2016: ASAN:SIGSE...
Coinbase: Window.opener bug at www.coinbase.com
Window.Opener Bug Description: When you open a link in a new tab target="blank" , the page that opens in a new tab can access the initial tab and change its location using the window.opener property. Browsers Verified In: Mozilla Firefox Steps To Reproduce: 1. Visit https://www.coinbase.com/ 2. ...
Starbucks: Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments)
User can add comments on their wishlist item. The http request which adds comment on wishlist item, looks like: http POST /on/demandware.store/Sites-Teavana-Site/default/Wishlist-Comments/:id HTTP/1.1 Host: www.teavana.com User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.12; rv:49.0...
Snapchat: Incoming email hijacking on sc-cdn.net
Hey guys! Really interesting find here. Summary These dangling MX records on sc-cdn.net have allowed me to purchase an email account with GoDaddy, owner of these servers, and send/receive email from an account on this domain. sc-cdn.net. 3599 IN MX 0 smtp.secureserver.net. sc-cdn.net. 3599 IN MX 10...
Khan Academy: Sensitive information/action is stored/done using a GET request
Description: The action to remove an email from the account is done using a GET request and it has a security token. The URL is : https://www.khanacademy.org/settings/unlinkaccount?email=134hackerone%40gmail.com&fkey= It is never a good practice to have sensitive information in the URL. Following are the...
OLX: SQLi in Payment Request
Hi there, I have found out that one request in your API is vulnerable to SQL injection. PoC: Invalid Request: GET /api/v1.0/payments/items?ids=891048367'"&platform=desktop HTTP/1.1 Host: www.olx.com.ar User-Agent: Mozilla/5.0 Windows NT 6.3; WOW64; rv:46.0 Gecko/20100101 Firefox/46.0 Accept:...
VK.com: DOM XSS in /activation.php?act=activate_mobile
I was looking into the showOrderBox function in the API. There I saw "Test special offer. Test special offer for application developers." When I clicked the "go to group" button, I landed on the page...
Internet Bug Bounty: CVE-2015-8874 Stack overflow with imagefilltoborder
Reported in 2014 https://bugs.php.net/bug.php?id=66387 A variation was rediscovered this year and reported to PHP and LIBGD: https://bugs.php.net/bug.php?id=72350 https://github.com/libgd/libgd/issues/215 Patches for both issues:...
Uber: Self-XSS on partners.uber.com
Hi, I found a reflected XSS vulnerability in the password reset page https://partners.uber.com/reset-password. I have tested this vulnerability in the latest Chrome and Firefox browsers. Reproduction Steps: 1- Go to https://login.uber.com/forgot-password and reset the password. Then, click the password reset...
Internet Bug Bounty: EVP_EncryptUpdate overflow (CVE-2016-2106)
https://github.com/openssl/openssl/commit/3f3582139fbb259a1c3cbb0a25236500a409bf26...
Internet Bug Bounty: EVP_EncodeUpdate overflow (CVE-2016-2105)
https://github.com/openssl/openssl/commit/ee1e3cac2e83abc77bcc8ff98729ca1e10fcc920...
GitLab: SSRF when importing a project from a git repo by URL
Fixed in 8.17.4, 8.16.8, and 8.15.8 SSRF when importing a project from a Repo by URL GitLab instances that have enabled project imports using "Repo by URL" were vulnerable to Server-Side Request Forgery attacks. By specifying a project import URL of localhost an attacker could target services tha...
Uber: reopen #128853 (Information disclosure at lite.uber.com)
Issue in 128853 occurs again. 1. go to https://login.uber.com/oauth/v2/authorize?responsetype=code&redirecturi=https%3A%2F%2Flite.uber.com%2Fauth%2Fcallback&scope=profile%20history%20places%20historylite%20requestreceipt%20request%20paymentbaiduwallet&clientid=y-JJyZRABnEwbJQq4VdQPORo4EKqv0j 2...
GlassWire: DLL Hijacking Vulnerability in GlassWireSetup.exe
GlasswireSetup.exe is subject to the attack described here: http://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/ You can get a simple demo with this harmless DLL: https://bayden.com/dl/shfolder.dll See attached image for proof of execution...
ok.ru: CSRF protection bypass in m.ok.ru
Hello! I found another way to bypass the CSRF protection via the st.rtu parameter. Back then it could be bypassed via dlgId and via links on pages. Now I have noticed that it is possible to make an ajax request with the X-XTKN token via the st.rtu parameter. It can be sent via editing a note, a group post, when...
Radancy: RC4 cipher suites detected
A group of researchers, Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt, have found new attacks against TLS that allow an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical fla...
Vimeo: API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass
The OAuth2 API makes it possible for users to grant access to their accounts to some third-party applications. Of course, users are able to manage such applications' access to their accounts and may deny access for any application. When some user denies access for the application, all access tokens are...
Mail.ru: Same Origin Policy bypass
Hi, After a small investigation I've probably found something that can be exploited to bypass the Same Origin Policy on mail.ru services, especially your main domain and e.mail.ru. First of all - let's take a look at your crossdomain.xml both for mail.ru and e.mail.ru: After time spent on searching...
X (Formerly Twitter): Insecure Data Storage in Vine Android App
Hi Twitter, - Vulnerability Class: OWASP M2: Insecure Data Storage Every application needs to store something secret, like a website username, password, cookies etc. Internal storage is the place to do it; the android sandbox prevents other applications from accessing this data, but in the Vine android a...
X (Formerly Twitter): XSS platform.twitter.com
Since you have fixed a few problems with the FlashTransport on platform.twitter.com already, I thought I would also take a look at the JavaScript around it. Problem URL: https://platform.twitter.com/widgets/hub.html Description: The mentioned page opens URLs sent to it via postMessage or...
Automattic: Missing HSTS header in https://app.simplenote.com
Hi, Vulnerable Website: https://app.simplenote.com I tested the website using firefox add-on called: Strict Transport Security Detector https://addons.mozilla.org/en-US/firefox/addon/strict-transport-security-d/ HSTS addresses the following threats: User bookmarks or manually types...
Yahoo!: Yahoo! Messenger v11.5.0.228 emoticons.xml shortcut Value Handling Stack-Based Buffer Overflow
Thank you for your submission to Yahoo’s Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, we will take your report into consideration for any future releases. We appreciate your adherence to responsible disclosure...
Yahoo!: https://caldav.calendar.yahoo.com/ - XSS (STORED)
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Yahoo!: Out of date version
Thank you for your submission to Yahoo's Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, unfortunately this bug has already been reported to us. We appreciate your adherence to responsible disclosure guidelines and...
Yahoo!: Clickjacking at surveylink.yahoo.com
Thank you for your submission to Yahoo's Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, unfortunately this bug has already been reported to us. We appreciate your adherence to responsible disclosure guidelines and...
Internet Bug Bounty: libcurl: freeing stack buffer during x509 certificate parsing
libcurl's ASN1 parser had a vulnerability in the utf8asn1str function used for parsing an ASN.1 UTF-8 string. The function could detect an invalid field and return an error, which would trigger a free of a 4-byte local stack buffer. This could lead to a crash or potential memory corruption,...
curl: Denial of Service in curl Request - HTTP headers eat all memory
Vulnerability description not provided...
Internet Bug Bounty: CVE-2024-0853: OCSP verification bypass with TLS session reuse
CVE-2024-0853 was a vulnerability in the cURL library where OCSP verification was bypassed when reusing a TLS session. The vulnerability was caused by cURL inadvertently keeping the SSL session ID in its cache even when the OCSP stapling verification failed. This allowed subsequent transfers to t...
Internet Bug Bounty: Denial of Service caused by HTTP/2 CONTINUATION Flood
A denial of service vulnerability was discovered in Apache Tomcat versions 11.0.0-M1 to 11.0.0-M16, 10.1.0-M1 to 10.1.18, 9.0.0-M1 to 9.0.85, and 8.5.0 to 8.5.98. The vulnerability was caused by the way Tomcat processed HTTP/2 requests that exceeded configured limits for headers. A fix was releas...
U.S. Dept Of Defense: authentication bypass
An authentication bypass vulnerability was discovered in the login page of a web portal, allowing unauthorized access without providing valid credentials...
Mars: Html injection
The consultant identified that the show parameter can reflect into the HTML page. An attacker could have crafted a malicious query that resulted in the inclusion of attacker-controlled HTML elements on the web page, changing the content presented to users. The vulnerability was assessed to have a...
GitHub Security Lab: [Python] Unsafe Unpacking and TarSlip bug slaying
Vulnerability description not provided...
GitHub Security Lab: cpp: if (a+b>c) a=c-b is incorrect if a+b overflows
Vulnerability description not provided...
HackerOne: Asset Inventory Internal Descriptions are leaked in CSV export
An internal asset description in the Asset Inventory feature of HackerOne was leaked in the CSV export, potentially exposing sensitive information stored in the description...
Cloudflare Public Bug Bounty: Cloudflare CASB Confused Deputy Problem
A vulnerability was found in Cloudflare CASB on Microsoft and GitHub integrations, allowing an attacker to create a new integration and access sensitive information if they were able to enumerate a valid tenant UUID or domain. The issue was resolved by disallowing the creation of multiple...
Nextcloud: Mail app stores cleartext password in database until OAUTH2 setup is done
A vulnerability was found in the Nextcloud Mail app where the password for XOAUTH2 accounts was stored in clear text in the database during the setup process, until the OAUTH2 setup was completed. This could have allowed a database administrator to read the plaintext password...
Nextcloud: CSRF vulnerability in Nextcloud Desktop Client 3.6.1 on Windows when clicking malicious link
Summary It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link, e.g. in an email, chat link, etc. This vulnerability was introduced in an attempt to fix 1720043. The patch however can be bypassed and also introduced a CSRF vulnerability...
U.S. Dept Of Defense: AWS Credentials Disclosure at ███
Sensitive AWS credentials were disclosed through a config.json file found on a server. An attacker could have used these credentials to gain access to sensitive information on the AWS account or perform arbitrary modifications on AWS resources. The affected system host was not disclosed. No CVE...
U.S. Dept Of Defense: IDOR leaking PII data via VendorId parameter
Description: Dear DoD, I found one bug on your domain from Hack US program: █████ It's IDOR bug. Make sure to know that I didn't test many funcs here for IDOR. I didn't test for ATO Account Takeover. But you should fix this. Here's the PoC: ██████████ Thank you DoD! Impact An attacker could steal...
curl: CVE-2022-35252: control code in cookie denial of service
Summary: I took a look at https://github.com/curl/curl/pull/9048/commits/d7bcbc7d8d4b6d972d3da12d54819169a19c287b a sneak peek on a vulnerability to be announced tomorrow. My guess for that vulnerability is that since cookies are persistent, someone who can trick curl into storing cookies can sto...
Internet Bug Bounty: Undici ProxyAgent vulnerable to MITM
Full GitHub advisory summarizing the issue is here: https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 The original Node.js HackerOne report is here: https://hackerone.com/bugs?reportid=1583680 This was fixed & disclosed in Undici v5.5.1. This primarily affects Undici, a...
curl: curl "globbing" can lead to denial of service attacks
Summary: add summary of the vulnerability The curl "globbing" allows too much scope, which can cause the server to be denied service or used to attack third-party websites. The globbing allows 1-9999999999999999999 to parse in the url. So when curl requests for...
IBM: sql injection via https://setup.p2p.ihost.com/
A SQL Injection against an IBM domain was reported to IBM, analyzed and has been remediated. Thank you to exploitmsf...
curl: curl proceeds with unsafe connections when -K file can't be read
Summary: I'm using curl 7.82.0 on Linux. When the file specified by the -K option can't be read, curl sends network traffic as specified by the other options that are explicitly included on the command line; in other words, there's only a warning, and I'd like it to be a fatal error. This behavior...
IBM: Public Jenkins instance with /script enabled
An RCE/LFI due to Public Jenkins instance with /script enabled was reported to IBM February 26th, analyzed and has been remediated since March 3rd, 2022. Thank you to Sanjok Karki thesanjok for the finding. RCE/LFI due to Public Jenkins instance with /script enabled...
GitHub Security Lab: [Java] CWE-552: Query to detect unsafe request dispatcher usage
This bug was reported directly to GitHub Security Lab...
HackerOne: HackerOne Staging uses Production data for testing
Summary: Today I received an email related to smart rewards from HackerOne. This included staging environment details, such as: sender: [email protected] Privacy / Terms links pointing to domain: https://www.enorekcah.com/... This basically tells us that HackerOne is using hacker dat...
TikTok: Reflected XSS on TikTok Website
A cross-site scripting XSS vulnerability was found on TikTok.com via multiple parameters. We thank @homosec for reporting this to our team and confirming its resolution...
U.S. Dept Of Defense: RCE in ███ [CVE-2021-26084]
A vulnerability in affected versions of Confluence Server and Data Center allowed authenticated users, and in some cases unauthenticated users, to execute arbitrary code. The vulnerability was due to an OGNL injection issue affecting endpoints that could be accessed by non-administrators when use...
GitLab: Stored XSS in custom emoji
Summary I found Stored XSS with a feature of custom emoji. This feature hasn't been rolled out yet and needs feature flags to be set in a self-managed installation. https://gitlab.com/gitlab-org/gitlab/-/issues/231317 The problem is the code here...