PlayStation: Authorization Token on PlayStation Network Leaks via postMessage function
Description After some analysis of how PlayStation Network authentication works, I came across a certain pattern in how authorization tokens are handled. The web application uses the postMessage function to exchange authorization tokens between windows/frames. To simplify this, let's follow one...
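As an added illustration of the hand-off pattern the report describes (this is not code from the PlayStation report or from Sony), the block below models the browser's postMessage delivery rule in plain JavaScript so both the leak and its fix can be run in Node. The origins, window objects and the extra `sender` argument on the fake `postMessage` are assumptions made for the model; a real `window.postMessage` takes only data and targetOrigin.

```javascript
// Added example, not code from the report. The window objects and origins are
// hypothetical; FakeWindow only models the browser rule that matters here.

const IDP_ORIGIN = 'https://auth.example.com';  // window that holds the token
const RP_ORIGIN = 'https://web.example.com';    // window that should receive it

class FakeWindow {
  constructor(origin) { this.origin = origin; this.listeners = []; }
  addEventListener(type, fn) { if (type === 'message') this.listeners.push(fn); }
  // Browser rule: deliver only when targetOrigin is '*' or equals the receiving
  // document's current origin; the event exposes the sender's origin.
  // (The third argument stands in for the browser knowing who called us.)
  postMessage(data, targetOrigin, sender) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    const event = { origin: sender.origin, data };
    this.listeners.forEach((fn) => fn(event));
    return true;
  }
}

// Leaky hand-off: '*' sends the token to whatever document sits in `target`,
// including an attacker page that opened the IdP window and is its opener.
function sendTokenLeaky(target, token, sender) {
  return target.postMessage({ type: 'auth_token', token }, '*', sender);
}

// Fixed hand-off: the browser drops the message unless `target` is RP_ORIGIN.
function sendTokenSafe(target, token, sender) {
  return target.postMessage({ type: 'auth_token', token }, RP_ORIGIN, sender);
}

// Receivers: the naive one trusts any sender, the hardened one checks
// event.origin against an allow-list before touching the payload.
function naiveReceiver(state) {
  return (event) => {
    if (event.data && event.data.type === 'auth_token') state.token = event.data.token;
  };
}
function hardenedReceiver(state, allowedOrigins) {
  return (event) => {
    if (!allowedOrigins.has(event.origin)) return;
    if (event.data && event.data.type === 'auth_token') state.token = event.data.token;
  };
}

// Scenario 1: the attacker's page is the opener of the IdP window.
function leakScenario() {
  const idp = new FakeWindow(IDP_ORIGIN);
  const attacker = new FakeWindow('https://attacker.example');
  const seen = [];
  attacker.addEventListener('message', (e) => seen.push(e.data.token));
  sendTokenLeaky(attacker, 'tok-123', idp);  // delivered: token leaks
  sendTokenSafe(attacker, 'tok-123', idp);   // dropped by the origin rule
  return seen;
}

// Scenario 2: the attacker's page posts a forged token into the relying party.
function forgeScenario() {
  const rp = new FakeWindow(RP_ORIGIN);
  const attacker = new FakeWindow('https://attacker.example');
  const naive = {};
  const hardened = {};
  rp.addEventListener('message', naiveReceiver(naive));
  rp.addEventListener('message', hardenedReceiver(hardened, new Set([IDP_ORIGIN])));
  rp.postMessage({ type: 'auth_token', token: 'forged' }, '*', attacker);
  return { naive: naive.token, hardened: hardened.token };
}

console.log(leakScenario());   // [ 'tok-123' ]
console.log(forgeScenario());  // { naive: 'forged', hardened: undefined }
```

Both halves matter: an explicit targetOrigin stops the token from reaching a window the attacker controls, and an `event.origin` check stops an attacker from injecting a token of their choosing into the receiving page.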
Kubernetes: Compromise of auth via subset/superset namespace names.
Report Submission Form Summary: Use of nginx.ingress.kubernetes.io/auth annotations results in a file named namespace-ingress.passwd. If a user knows the namespace and ingress of an ingress they want to compromise, they need to be able to create a namespace that is some subset of namespace-ingress...
h1-ctf: [h1-415 2020] I got the flag
Hey guys, The flag is: h1ctfy3s1mc0sm1cn0w I'll submit a well written writeup later today or tomorrow. I now have a lot of work to catch up thanks to this devilish ctf hehehe. Thanks Ben and the rest of the team for this awesome challenge. Impact Getting the flag...
8x8: Reflected xss on 8x8.com subdomain
The Beta version of a new chat API was discovered to contain a reflected XSS flaw. With the help of the researcher we were able to resolve the issue and ensure the future chat product will not contain this flaw. Write-up for beginners like me.. hackwithcommunity...
Nord Security: Password Reset Link Leaked In Referer Header In Request To Third Party Sites
The reporter has identified that the web application is leaking the password reset token in the HTTP Referer header. By obtaining a token, a malicious user would be able to reset the password for a particular user. It is worth mentioning that the attack must be highly personalised and requires prior...
Clario: XSS in https://affiliates.kromtech.com
Summary XSS in https://affiliates.kromtech.com Vulnerable URL: https://affiliates.kromtech.com/monetize-mac-traffic/adgroup/affiliatefixhello%22%3Ehello/type/affiliate Vulnerable Parameter: "URL Path" XSS Payload: hello"hello Steps To Reproduce: Navigate to the Vulnerable URL Notice the pop-up...
Node.js third-party modules: Filesystem Writes via `yarn install` via symlinks and tar transforms inside a crafted malicious package
I would like to report an arbitrary filesystem write vulnerability in Yarn when installing a malicious package from the default repositories. This vulnerability has the potential for RCE -- even if --ignore-scripts is disabled. It allows a malicious package, upon install, to write to any path on...
8x8: Publicly accessible .svn repository - aastraconf.packet8.net
The server contained artifacts from an old SVN repository. The files were removed...
Ruby: Variant of CVE-2013-0269 (Denial of Service and Unsafe Object Creation Vulnerability in JSON)
During my recent keyword argument separation work on rb_scan_args in the master branch, I discovered what I now think is a vulnerability. While the CVE-2013-0269 change fixed most usage of JSON.parse, it ended up not fixing Kernel#JSON. The reason behind this is that internally, in...
Nextcloud: Only the file extensions are checked, not the MIME types as configured
The tool is not working as hoped. File access control speaks of MIME types that are blocked or not blocked. In fact, only the file extensions are checked. If a user renames an unauthorized file to an allowed file, he can upload and download it. The MIME type of the current file is insignificant,...
curl: krb5: double-free in read_data() after realloc() fail
Summary: In 'lib/security.c', there is a double-free of the reference 'buf->data' on the teardown path if 'Curl_saferealloc' fails. Also, since we read 'len' from the 'fd', the sender might be able to remotely trigger a realloc failure, and then the double-free, by sending the value 0x7fffffff...
Grammarly: Can register any mobile number in MFA without current code.
@chackmate identified a vulnerability that allows a user to connect arbitrary phone numbers with their account. No users affected...
Mail.ru: Publicly Accessible Harshi Corp Consul
Consul interface was available from outside on one of my.com subdomains...
QIWI: Bypassing the commission on transfers
Good day. Not long ago the "Active wallet user" tariff was connected to my wallet. This tariff implies a 2% commission on transfers. Naturally, I was extremely unhappy with this and decided to go looking for a bypass. After a short search I managed to find a hole here...
GitLab: Attacker is able to access commit title and team member comments which are supposed to be private
Summary: add summary of the vulnerability Description: add more details about this vulnerability Steps To Reproduce: To reproduce this vulnerability, we need two accounts, let's say those accounts are: - [email protected] - [email protected] - Create a project from account [email protected] with th...
X (Formerly Twitter): url that twitter mobile site can not load
Summary: A URL that the Twitter mobile site cannot load crashes any page containing this URL. Description: Invalid hex characters crash the Twitter mobile site; as an example, go to https://mobile.twitter.com/?%xx and Twitter won't load. 1. Sending such a URL in a direct message, Twitter will no longer be able to...
HackerOne: report id is exposed for undisclosed reports in Hacktivity
Summary: This is similar to https://hackerone.com/reports/127620 where the report Id of undisclosed report is visible on graphql query Description: The new hacktivity graphql query includes undisclosed reports, but part of the query result is the report id which is included in private information...
Nextcloud: Retrieval and alteration of exposed media on Android Oreo
Good afternoon. Any media downloaded from the cloud server within the Android app is subject to third party modification and server re-upload without explicit user consent. This happens at least on Android Oreo, as data is automatically stored on shared folder...
HackerOne: A user can bypass approval step in Hacker Publishing feature, allowing them to publish reports immediately
Summary: Hi team Description: Hacker can request agree-on-going-public publish report Steps To Reproduce 1. Create publish report 2. https://hackerone.com/reports/bulk POST...
GitLab: GitLab's GitHub integration is vulnerable to SSRF vulnerability
The GitHub service is vulnerable to a SSRF vulnerability. An attacker may be able to leverage this to make arbitrary POST requests in a GitLab instance's internal network. It can also be used to connect to cloud provider's instance metadata API, which may result in the ability to execute commands...
Node.js third-party modules: Prototype pollution attack in just-extend
I would like to report a prototype pollution vulnerability in just-extend It allows an attacker to inject properties on Object.prototype. Module module name: just-extend version: 2.1.0, and 3.0.0 npm page: https://www.npmjs.com/package/just-extend Module Description Part of a library of...
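To show the pollution pattern behind this class of report in runnable form, here is an added example (it is not the just-extend source, and the JSON payload is constructed for the demo): a generic recursive merge that follows an own `__proto__` key into `Object.prototype`, next to one hardening of it.

```javascript
// Added example, not the just-extend code. `naiveDeepExtend` is a generic
// recursive merge written to exhibit the bug; `safeDeepExtend` is one fix.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: walks every enumerable key of `source`, including an own
// "__proto__" key as produced by JSON.parse. `target["__proto__"]` resolves
// to Object.prototype, so the recursion writes into the shared prototype.
function naiveDeepExtend(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepExtend(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: own keys only, never the three keys that reach a prototype, and a
// nested container is reused only when it is the target's own plain object.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeDeepExtend(own ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Attacker-controlled input, e.g. a JSON request body (constructed here).
const PAYLOAD = '{"name":"alice","__proto__":{"isAdmin":true}}';

function demoNaive() {
  naiveDeepExtend({}, JSON.parse(PAYLOAD));
  const leaked = ({}).isAdmin;        // true: every object now "has" isAdmin
  delete Object.prototype.isAdmin;    // undo the pollution for the rest of the process
  return leaked;
}

function demoSafe() {
  const merged = safeDeepExtend({}, JSON.parse(PAYLOAD));
  return {
    isAdmin: ({}).isAdmin,                                            // undefined
    name: merged.name,                                                // 'alice'
    hasProtoKey: Object.prototype.hasOwnProperty.call(merged, '__proto__'), // false
  };
}

console.log(demoNaive()); // true
console.log(demoSafe());  // { isAdmin: undefined, name: 'alice', hasProtoKey: false }
```

The payload has to arrive as parsed JSON (or another source that creates an own `__proto__` property); an object literal `{ __proto__: ... }` sets the prototype instead and would not trigger the walk.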
Valve: Malformed .BMP file in Counter-Strike 1.6 may cause shellcode injection
With the vulnerability of the GoldSource Engine, the server is able to perform remote code execution on the client, overwriting the stack when reading the BMP file. The problem is in the LoadBMP8 function, which is executed when the player connects to the server, by loading the...
Chaturbate: Account Takeover via billing
The hacker found that when subscribing to a fanclub the parameters could be manipulated to purchase a fanclub subscription for another user. This will set the email of the target account if they had no email on file. This could then be used to reset the password for the target user. The purchasin...
Internet Bug Bounty: linkinfo - openbasedir bypass on Windows PHP
Upstream bug - windows linkinfo lacks open_basedir check === https://bugs.php.net/bug.php?id=76459 Summary == Description: ------------ The linkinfo function on Windows doesn't implement the open_basedir check, as can be seen by reviewing the source code. This could be abused to find files on paths outside...
Nextcloud: Accessing to download.nextcloud.com from original ip adreess | insecure Download
Hi team, Summary I found that I can access the web site from its original IP. This disables the HTTPS secure connection. Description First I did a DNS lookup to find the IP address: download.nextcloud.com has address 88.198.160.133 F313820 Now when I open the website from download.nextcloud.com I s...
Reverb.com: Api token exposed in Reverb.com's public github repository
An access token of a user account was available in a public github repo. The token was tied to an experimental project, and the account was only used for that project, so no sensitive information was able to be obtained...
Internet Bug Bounty: Silent omission of certificate hostname verification in LibreSSL and BoringSSL
Abstract LibreSSL and BoringSSL implemented X509_VERIFY_PARAM_set1_host differently than OpenSSL. All applications that use the preferred and documented way to configure a TLS connection for hostname validation silently neglect to perform hostname validation at all. As a consequence, they are...
Unikrn: [unikrn.com] Profile updated with error":true,"success":false"
Greetings, We noticed that even if the https://unikrn.com/apiv2/user/updateprofile gave an answer that the code is on error , the post is proceeded : PoC : -- curl 'https://unikrn.com/apiv2/user/updateprofile' -XPOST -H 'Referer: https://unikrn.com/profile' -H 'Content-Type: application/json' -H...
Uber: Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication
Summary Configuration file and/or source code information leakage without Uber OneLogin SSO authentication. Security Impact Misconfiguration on the server results in information leakage without authentication. Reproduction Steps...
Deriv.com: Leaking Referrer in Reset Password Link
On 12th Dec flex0geek reported that binary.com was leaking password reset tokens through Referer headers. At first sight the report was closed, as we had fixed this earlier and our code base seemed fine. Later on the researcher sent a video POC which did show that we were leaking password...
Internet Bug Bounty: Exim use-after-free vulnerability while reading mail header involving BDAT commands
Original article is here Use-after-free in receive_msg leads to RCE Vulnerability Analysis To explain this bug, we need to start with the memory management of Exim. There is a series of functions starting with store_, such as store_get, store_release, store_reset. These functions are used to manage...
AlienVault : [www.threatcrowd.org] - reflected XSS in report.php
Summary: I have found a reflected XSS in https://www.threatcrowd.org/report.php in GET parameter report Browsers Verified In: Firefox 56.0.1 Steps To Reproduce: 1. Browse to https://www.threatcrowd.org/report.php?report=javascript%3aalert(document.domain) 2. Click on Visit...
RubyGems: Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier
We received this report via security@ from [email protected], I'm filing here for tracking and visibility purposes... "I was looking at commit 8d91516fb7037ecfb27622f605dc40245e0f8d32, which was the fix for the DNS hijacking issue CVE-2017-0902. The function still handles the DNS response in ...
Aspen: client_secret Token disclosure
Greetings, I think I've discovered a client_secret token disclosure. Proof of concept: 1. Go to https://github.com/AspenWeb/experimental-javascript-version/blob/master/www/blog/index.html 2. At line 6, a client_secret token is disclosed...
Brave Software: Download of (later executed) .NET installer over insecure channel
NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. Summary: Execution of file NDP-KB2901954-Web.exe fetched via...
Razer US: Reflected XSS on the https://deals.razerzone.com/json/translation endpoint
Thanks to SP1D3RS for the great report and working with the team on this one. This was a trivial POST-XSS, caused by using text/html Content-Type on the JSON endpoint, and ability to control the part of the response using unsanitized input. Why I disclosed it if this is a trivial issue? I pretty...
Razer US: Open redirect on oauth2.razerzone.com caused by server misconfiguration when using triple slash after hostname
Another solid report from this tester, who helped us nail down the issue when it was only intermittently reproducible. We appreciate the hard work. I discovered the Open Redirect on oauth2.razerzone.com due to improper handling of multiple/encoded slashes and dots in the URL path. POC link:...
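As an added example of the slash-handling class this report belongs to (not Razer's code; the site origin is hypothetical, and the exact server misconfiguration in the report is not reproduced here), the block below uses Node's WHATWG URL parser, which applies the same resolution rules as browsers, to show where a redirect target that merely "starts with a slash" actually sends the browser, and a check that resolves the target against the site's own origin instead.

```javascript
// Added example, not code from the report. SITE_ORIGIN is hypothetical.

const SITE_ORIGIN = 'https://oauth2.example';

// Naive check: anything beginning with '/' is treated as a same-site path.
// A stricter variant that also rejects '//' still lets '/\evil.com' through,
// because browsers treat '\' like '/' for http(s) URLs.
function naiveIsLocal(next) {
  return next.startsWith('/');
}

// Where a browser goes when told `Location: <next>` relative to SITE_ORIGIN.
function resolvedHost(next) {
  return new URL(next, SITE_ORIGIN).host;
}

// Hardened: parse, require the resolved origin to be ours, and emit only the
// normalised path/query/fragment so the raw input never reaches Location.
function safeLocalRedirect(next) {
  let url;
  try {
    url = new URL(next, SITE_ORIGIN);
  } catch {
    return null;
  }
  if (url.origin !== SITE_ORIGIN) return null;
  return url.pathname + url.search + url.hash;
}

const PROBES = ['/account?x=1', '//evil.com', '///evil.com', '/\\evil.com', 'https://evil.com/', '/a/../b'];
for (const p of PROBES) {
  console.log(JSON.stringify(p), 'naive:', naiveIsLocal(p), 'host:', resolvedHost(p), 'safe:', safeLocalRedirect(p));
}
```

The second and third probes resolve to `evil.com` because any run of slashes after the scheme-relative position is collapsed by the parser; the hardened function rejects them because the resolved origin is not ours, while ordinary paths come back normalised (`/a/../b` becomes `/b`).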
Concrete CMS: 'cnvID' parameter vulnerable to Insecure Direct Object References
Installation Information === IIS 8, PHP 5.5, Concrete5 5.7.5.7 Default install Issue POC An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/viewajax with incremental 'cnvID' integers. 1. An example blog with permission...
Legal Robot: Null Byte Injection in all fields of Profile
Hi Team, Null byte injection is possible in all the fields of Edit Profile functionality. Affected URL: https://app.legalrobot.com/account Description: Possible Injection of control characters, such as Null Byte 0x00, \000, \x00, \z, or the Unicode representation \u0000 into vulnerable fields in...
Gratipay: CSP "script-src" includes "unsafe-inline" in https://gratipay.com
SUMMARY: Related Report: 225833 Gratipay is using unsafe-inline in script-src csp headers which allows the use of inline resources, such as inline elements, javascript: URLs, inline event handlers, and inline elements. Proof Of Concept By Using cURL: curl -I https://gratipay.com The results See m...
Weblate: Incorrect HTTPS Certificate
Weblate appears to have a public facing git repository located at git.weblate.org that utilises HTTPS when viewed in the browser. As a side note, netcat to port 80 results in the default debian landing page. 77.78.107.252 - git.weblate.org The site has an incorrectly configured certificate, and...
Automattic: Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand
Product / URL https://instagram-brand.com/register/reset/?email= Description and Impact After a user clicks on the password reset link obtained in inbox, the page for password resetting functionality opens. If you monitor the HTTP Requests that are done while that page is loaded, you will come to...
Uber: lert.uber.com: Few default folders/files of AURA Framework are accessible
There were a few default folders/files of the AURA Framework accessible on lert.uber.com. The specified files/folders in the AURA framework were supposed to be accessible, so we did not make any changes here. However, we do appreciate the time taken to submit this report and are disclosing per th...
X (Formerly Twitter): CRLF and XSS stored on ton.twitter.com
Hey, 1 CRLF: It's similar to 52042 but weaker to reproduce go to: https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC you will find that test cookie with the val...
LocalTapiola: SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi)
Vulnerable script: /webApp/oma_conf Vulnerable parameter: ctxvarsemail Database: PostgreSQL PoC http POST /webApp/oma_conf HTTP/1.1 Host: viestinta.lahitapiola.fi Content-Type: application/x-www-form-urlencoded Content-Length: 1131...
Yelp: Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot
On pages https://biz.yelp.com/login and https://biz.yelp.com/forgot a malicious user can verify if a particular E-mail address is registered on biz.yelp.com. Steps to reproduce for https://biz.yelp.com/login: 1. Open https://biz.yelp.com/login 2. Enter non existing E-Mail Address 3. Enter any...
Instacart: WordPress Authentication Denial of Service
Hi, I found out that you are using WordPress version 4.5.3. Researchers found out 5 days ago, that this version has a vulnerability, a Path traversal in WordPress Core Ajax handlers. Intro WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability...
Internet Bug Bounty: stack buffer overflows in the curses module
I found two stack buffer overflows in the curses module. These vulnerabilities have been reported to the PSRT and were fixed here: https://hg.python.org/cpython/rev/d5f6bc45b376 https://hg.python.org/cpython/rev/85b35300f200 Below are copies of the mails I sent to the PSRT. They describe the...
Trello: File access using image tragick
While Trello had patched our image libraries to prevent the RCE vulnerability in ImageMagick, we had not applied a patch to prevent arbitrary file reads via labels in mvg files. After resolving the issue, we were able to determine that no files had actually been accessed using this vulnerability,...
Internet Bug Bounty: Adobe Flash Player ContentFactory class Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ContentFactory.retrieveAdPolicySelector. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platfor...