Automattic: woocommerce - prevent_caching() bug / bypass
As a guest, visit the following links and look at the headers. Yup, there are no caching headers in the response. https://woocommerce.com/.cart/ https://woocommerce.com/+cart/ https://woocommerce.com/-cart/...
Automattic: SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing
Summary FFmpeg is a video encoding software that appears to be used by wordpress.com for video processing for paid accounts. FFmpeg is known to process HLS playlists that may contain references to external files. I was able to fire this feature using GAB2 subtitle chunks inside an AVI file. After...
Gratipay: CSP "script-src" includes "unsafe-inline" in https://gratipay.com
SUMMARY: Related Report: 225833. Gratipay is using 'unsafe-inline' in the script-src CSP header, which allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. Proof of Concept using cURL: curl -I https://gratipay.com The results See m...
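The curl -I check above only shows the raw header; deciding whether it is actually a finding needs the directive that governs scripts, which is script-src when present and default-src otherwise. The following is an added example (not code from the report or from Gratipay) that parses a policy and reports 'unsafe-inline' or 'unsafe-eval' in the effective script sources; the header strings are constructed for illustration:

```python
"""Added example: flag 'unsafe-inline' in the CSP directive that actually
governs scripts. The headers used here are constructed for illustration."""
from __future__ import annotations

UNSAFE_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive_name: [source, ...]}.

    Directives are ';'-separated, tokens whitespace-separated, names
    case-insensitive. If a directive is repeated, browsers keep the first
    occurrence and ignore the rest, so setdefault() mirrors that.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src wins when present; otherwise default-src is the fallback.
    With neither, scripts are unrestricted, which is returned as None."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def script_src_findings(header: str) -> list[str]:
    """Return human-readable findings; an empty list means no issue found."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: inline script is unrestricted"]
    lowered = [s.lower() for s in sources]
    findings = [f"{s} present in effective script sources"
                for s in lowered if s in UNSAFE_SCRIPT_SOURCES]
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is
    # listed, so report that case as informational rather than as a bypass.
    if any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered):
        findings = [f + " (ignored by CSP2+ browsers because a nonce or hash is also listed)"
                    for f in findings]
    return findings


if __name__ == "__main__":
    for h in ("default-src 'self'; script-src 'self' 'unsafe-inline'",
              "default-src 'self' 'unsafe-inline'",
              "default-src 'self'; script-src 'self'"):
        print(h, "->", script_src_findings(h) or "OK")
```

Feed it the value of the Content-Security-Policy header returned by curl -I; a policy with only default-src 'unsafe-inline' is just as weak for scripts as one that lists it under script-src, which is why the fallback matters.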
Weblate: Incorrect HTTPS Certificate
Weblate appears to have a public facing git repository located at git.weblate.org that utilises HTTPS when viewed in the browser. As a side note, netcat to port 80 results in the default debian landing page. 77.78.107.252 - git.weblate.org The site has an incorrectly configured certificate, and...
Automattic: Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand
Product / URL https://instagram-brand.com/register/reset/?email= Description and Impact After a user clicks on the password reset link obtained in inbox, the page for password resetting functionality opens. If you monitor the HTTP Requests that are done while that page is loaded, you will come to...
Rockstar Games: <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information ->
In this report, the researcher found an insecure direct object reference that allowed a malicious user to impersonate another user in the comment section under Newswire articles. This meant that an attacker could leave abusive comments that appeared to have been made by another user, or delete a...
Pornhub: Account hijack via deleted PH account
The researcher identified a faulty OAuth implementation allowing YouPorn accounts to be hijacked. The researcher exploited a feature which links Pornhub and YouPorn accounts together by leveraging old accounts which were previously deleted, or where the username was changed. A faulty OAuth auth...
LocalTapiola: Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi)
Basic report information Summary: Hi, The values within the ctx tag are not filtered; they are reflected inside JavaScript code in http://viestinta.lahitapiola.fi/webApp/APP3242, which can be exploited to perform an XSS attack. The parameters are: ctxothersDrivingmagallupcount...
X (Formerly Twitter): CRLF and XSS stored on ton.twitter.com
Hey, 1. CRLF: It's similar to 52042 but weaker. To reproduce, go to: https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC you will find that test cookie with the val...
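The interesting part of that URL is the %E5%98%8A%E5%98%8D prefix: those bytes are UTF-8 for U+560A and U+560D, and a backend that narrows each code point to its low 8 bits before writing a response header emits 0x0A (LF) and 0x0D (CR). The following is an added example, not ton.twitter.com's code; the narrowing function models that assumed backend behaviour, the path is constructed, and the origin is a placeholder:

```python
"""Added example: how a narrowed U+560A/U+560D pair becomes a CRLF
injection, and the header-value check that stops it. The backend
behaviour (narrow_to_low_byte) is an assumption; the path is constructed."""
from urllib.parse import unquote

CONSTRUCTED_PATH = "/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest"
ORIGIN = b"https://example.invalid"  # placeholder origin


def narrow_to_low_byte(text: str) -> bytes:
    """Assumed lossy conversion: keep only the low byte of each code point."""
    return bytes(ord(ch) & 0xFF for ch in text)


def location_value(path: str) -> bytes:
    """Naive redirect target built from the percent-decoded request path."""
    return ORIGIN + narrow_to_low_byte(unquote(path))


def header_value_is_safe(value: bytes) -> bool:
    """RFC 9110 field values may not contain CR, LF or other C0 controls
    (HTAB is the only permitted control); DEL is rejected as well."""
    return all(b == 0x09 or 0x20 <= b < 0x7F or b >= 0x80 for b in value)


def injected_headers(value: bytes) -> list:
    """What a lenient client would parse as extra header lines after the
    first line break (CRLF, bare CR and bare LF all split here)."""
    lines = value.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    return [line for line in lines[1:] if line]


if __name__ == "__main__":
    value = location_value(CONSTRUCTED_PATH)
    print("safe:", header_value_is_safe(value))
    print("extra headers a client would see:", injected_headers(value))
```

The fix is the check, not output filtering: refuse the request (or percent-encode the value) whenever header_value_is_safe is false after whatever conversion the framework applies, because the injection only appears post-conversion.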
LocalTapiola: SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi)
Vulnerable script: /webApp/omaconf Vulnerable parameter: ctxvarsemail Database: PostgreSQL PoC: POST /webApp/omaconf HTTP/1.1 Host: viestinta.lahitapiola.fi Content-Type: application/x-www-form-urlencoded Content-Length: 1131...
Yelp: Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot
On pages https://biz.yelp.com/login and https://biz.yelp.com/forgot a malicious user can verify if a particular E-mail address is registered on biz.yelp.com. Steps to reproduce for https://biz.yelp.com/login: 1. Open https://biz.yelp.com/login 2. Enter non existing E-Mail Address 3. Enter any...
Instacart: WordPress Authentication Denial of Service
Hi, I found out that you are using WordPress version 4.5.3. Researchers found out 5 days ago that this version has a vulnerability, a path traversal in WordPress Core Ajax handlers. Intro: WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability...
Internet Bug Bounty: stack buffer overflows in the curses module
I found two stack buffer overflows in the curses module. These vulnerabilities have been reported to the PSRT and were fixed here: https://hg.python.org/cpython/rev/d5f6bc45b376 https://hg.python.org/cpython/rev/85b35300f200 Below are copies of the mails I sent to the PSRT. They describe the...
Trello: File access using image tragick
While Trello had patched our image libraries to prevent the RCE vulnerability in ImageMagick, we had not applied a patch to prevent arbitrary file reads via labels in mvg files. After resolving the issue, we were able to determine that no files had actually been accessed using this vulnerability,...
OLX: SQLi in Payment Request
Hi there, I have found out that one request in your API is vulnerable to SQL injection. PoC: Invalid Request: GET /api/v1.0/payments/items?ids=891048367'"&platform=desktop HTTP/1.1 Host: www.olx.com.ar User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 Accept:...
Uber: Self-XSS on partners.uber.com
Hi, I found a reflected XSS vulnerability in password reset page https://partners.uber.com/reset-password. I have tested this vulnerability in the latest Chrome and Firefox browsers. Reproduction Steps: 1- Go to https://login.uber.com/forgot-password and reset password. Then, Click password reset...
Internet Bug Bounty: Adobe Flash Player ContentFactory class Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ContentFactory.retrieveAdPolicySelector. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platfor...
Internet Bug Bounty: EVP_EncryptUpdate overflow (CVE-2016-2106)
https://github.com/openssl/openssl/commit/3f3582139fbb259a1c3cbb0a25236500a409bf26...
Internet Bug Bounty: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
https://openssl.org/news/secadv/20160301.txt...
Cakebet: Sender policy framework (SPF) records evaluation return (Too many DNS lookups) error
Hi Security Team, Your SPF record suffers from a “too many lookups” error. The SPF specification limits the number of DNS lookups (such as translating a name to an IP address) to 10. An SPF record like the one shown below will produce the too many lookups error: Found v=spf1 record for...
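The 10-lookup limit (RFC 7208 section 4.6.4) is counted across every include, a, mx, ptr, exists and redirect term reached during one evaluation, including the ones inside included records, which is how a short-looking record overflows. The following is an added example, not the reporter's tool; the records are constructed and served from a dict so it runs offline, whereas a real checker would fetch each name's TXT record:

```python
"""Added example: static count of the DNS-lookup terms in an SPF record
(RFC 7208 section 4.6.4 caps include, a, mx, ptr, exists and redirect at
10 per evaluation). Records are constructed and served from a dict."""
MAX_LOOKUPS = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed records for the example, keyed by domain name.
RECORDS = {
    "example.test": ("v=spf1 mx a include:_spf.mailer1.test include:_spf.mailer2.test "
                     "include:_spf.crm.test ip4:192.0.2.0/24 ~all"),
    "_spf.mailer1.test": "v=spf1 include:_spf1.mailer1.test include:_spf2.mailer1.test -all",
    "_spf1.mailer1.test": "v=spf1 ip4:198.51.100.0/24 a -all",
    "_spf2.mailer1.test": "v=spf1 mx -all",
    "_spf.mailer2.test": "v=spf1 a mx ptr -all",
    "_spf.crm.test": "v=spf1 redirect=_spf.crm2.test",
    "_spf.crm2.test": "v=spf1 ip4:203.0.113.0/24 -all",
}


def count_lookups(domain, records, chain=()):
    """Total lookup-causing terms reachable from `domain`.

    `chain` holds the ancestors of the current record so an include loop is
    cut, while a record included twice along different paths is counted
    twice, because the RFC counts each evaluation.
    """
    domain = domain.lower()
    if domain in chain:
        return 0
    record = records.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0                               # missing or non-SPF record
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")             # drop the qualifier
        low = term.lower()
        if low.startswith("redirect="):        # modifier: one lookup plus the target
            total += 1 + count_lookups(term.split("=", 1)[1], records, chain + (domain,))
            continue
        if "=" in low.split(":", 1)[0]:
            continue                           # other modifiers (exp=) are not counted here
        name, _, arg = term.partition(":")     # mechanism[:target][/cidr]
        name = name.split("/", 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, records, chain + (domain,))
    return total


def over_limit(domain, records=RECORDS):
    return count_lookups(domain, records) > MAX_LOOKUPS


if __name__ == "__main__":
    n = count_lookups("example.test", RECORDS)
    print(f"example.test needs {n} lookups; over limit: {n > MAX_LOOKUPS}")
```

The usual remediation is flattening the includes into ip4/ip6 terms or dropping mechanisms that add no senders; both show up immediately as a lower count here.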
QIWI: [rubm.qiwi.com] Yui charts.swf XSS
Yui charts.swf XSS...
HackerOne: Internal bounty and swag details disclosed as part of JSON response
Hello HackerOne team!!!! If some company takes an option like this: "Show minimum bounty on the program page? Do not display the minimum bounty on the program page." For example: https://hackerone.com/███████████ Private bounty details "basebounty":10 https://hackerone.com/████ Private swag details...
VK.com: Issue in the implementation of captcha and race condition
Reuse of captcha. The researcher found a misconfiguration in the captcha mechanism which allowed him to reuse any captcha and bypass its uniqueness. Furthermore, the race condition bypassed the number of retries...
Mail.ru: XSS in ad.mail.ru
The XSS vulnerability is located here: https://ad.mail.ru/adi/3030 and is triggered by setting referer to: "alert0 The problem is that the referer is being loaded like so: html alert0 " I am aware that this is out of scope, but I am still reporting it since I just happened to spot it while lookin...
Internet Bug Bounty: Use After Free in Flash MessageChannel.send can cause arbitrary code execution
Sending messages between workers while having the animation reloaded can cause an object to be freed while a reference remains in memory. An attacker can use this issue to control eip and potentially execute arbitrary code. Identified as CVE-2015-0320, and reported to Adobe via Chrome VRP:...
Vimeo: XSS on any site that includes the moogaloop flash player | deprecated embed code
The moogaloop flash player includes in most cases http://f.vimeocdn.com/p/flash/moogaloop/6.0.30/controllers/videoControllerProgressive.swf. In that flash file we can find functionality that looks into the SharedObject "com.conviva.livePass" for recently loaded swf-URLs under the key "lastSwfUrls...
X (Formerly Twitter): twitter android app Fragment Injection
com.twitter.android.WidgetSettingsActivity extends PreferenceActivity and is exported. By supplying the appropriate extra, an intent can invoke any of its internal fragments. So do not export com.twitter.android.WidgetSettingsActivity...
Vimeo: Vimeo.com Insecure Direct Object References Reset Password
Hello, my name is Toufik Airane. This is Responsible Disclosure and Silent Disclosure. Thank you for opening a bug bounty program! Please find a proof of concept for an IDOR attack on the famous vimeo.com. With this IDOR, an attacker can reset the password of any account and take control of it. Please, find...
QIWI: Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails
Hi - vulnerable hosts: agent.qiwi.com static.qiwi.com visa.qiwi.com w.qiwi.com www.qiwi.com • the type of vulnerability: Information disclosure • where exactly: There are multiple locations for documents with valuable metadata attached. These are both Qiwi documents and documents uploaded by...
X (Formerly Twitter): URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS
Hi, This is an urgent issue and I hope you will act on it likewise. Your subdomain media.vine.co is pointing to AWS S3, but no bucket is connected to it. The reason is the CNAME of the media.vine.co DNS entry: media.vine.co - media.vine.co is an alias for...
curl: OpenSSL TLS 1.2 session resumption accepts expired server certificates in libcurl
Summary curl's OpenSSL backend can accept a new TLS 1.2 HTTPS connection after the server certificate has expired if the connection resumes a previously cached TLS session. A full handshake made at the same time with the same certificate fails with CURLE_PEER_FAILED_VERIFICATION, but the resumed...
HackerOne: Bypassing Two-Factor Authentication via Account Deactivation and Password Reset
Vulnerability description not provided...
Internet Bug Bounty: [CVE-2024-32464] ActionText ContentAttachment’s can Contain Unsanitized HTML
CVE-2024-32464 ActionText ContentAttachment's can Contain Unsanitized HTML Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag were discovered to potentially contain unsanitized HTML. This vulnerability was assigned the CVE identifier CVE-2024-32464. Versions...
U.S. Dept Of Defense: authentication bypass
An authentication bypass vulnerability was discovered in the login page of a web portal, allowing unauthorized access without providing valid credentials...
Internet Bug Bounty: (CVE-2023-32003) fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks
The fs.mkdtemp and fs.mkdtempSync functions in Node.js were found to be missing getValidatedPath checks, allowing for a path traversal attack. This vulnerability could be exploited to create arbitrary directories...
GitHub Security Lab: [Python] Unsafe Unpacking and TarSlip bug slaying
Vulnerability description not provided...
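TarSlip is the archive form of path traversal: a member named ../../etc/something, or a symlink whose target leaves the destination, is written outside the directory the caller intended. The following is an added example (not the GitHub Security Lab query or any project's code) that builds a small malicious archive in memory and shows the member check a safe extractor needs; the destination path is a placeholder that need not exist:

```python
"""Added example: reject tar members that would land outside the
extraction directory, including symlinks whose target escapes.
The archive is constructed in memory; DEMO_DEST is a placeholder."""
import io
import os
import tarfile
import tempfile

DEMO_DEST = os.path.join(tempfile.gettempdir(), "tarslip-demo")  # need not exist


def build_constructed_archive() -> bytes:
    """One benign member plus a '..' path and an absolute symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", **attrs):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            for key, value in attrs.items():
                setattr(info, key, value)
            tar.addfile(info, io.BytesIO(data) if data else None)
        add("pkg/README", b"hello\n")
        add("../../etc/cron.d/evil", b"* * * * * root id\n")
        add("pkg/link", type=tarfile.SYMTYPE, linkname="/etc/passwd")
    return buf.getvalue()


def _inside(root: str, path: str) -> bool:
    """True if `path`, after normalising '..' and symlinked parents, is under root."""
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def unsafe_members(archive: bytes, dest: str) -> list:
    """Names of members that must not be extracted into `dest`."""
    root = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.join(root, m.name)
            if not _inside(root, target):
                bad.append(m.name)            # classic ../ escape or absolute name
            elif m.issym():
                # a symlink resolves relative to the directory it lives in
                if not _inside(root, os.path.join(os.path.dirname(target), m.linkname)):
                    bad.append(m.name)
            elif m.islnk():
                if not _inside(root, os.path.join(root, m.linkname)):
                    bad.append(m.name)
            elif not (m.isfile() or m.isdir()):
                bad.append(m.name)            # devices and FIFOs from untrusted input
    return bad


def safe_extract(archive: bytes, dest: str) -> None:
    """Refuse the whole archive if any member is unsafe, then extract."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)


def demo() -> list:
    return unsafe_members(build_constructed_archive(), DEMO_DEST)


if __name__ == "__main__":
    print("rejected members:", demo())
```

Rejecting the whole archive rather than skipping the bad members avoids a second pitfall, where an earlier accepted symlink is later written through by a later member. On Python 3.12 (and the patch releases that backported it) tarfile's extractall(dest, filter="data") applies equivalent checks; this example is for code that must run on older interpreters or that wants to report the offending names.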
GitHub Security Lab: cpp: if (a+b>c) a=c-b is incorrect if a+b overflows
Vulnerability description not provided...
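The pattern in the title, `if (a + b > c) a = c - b;`, is a bounds clamp that fails exactly when it is needed most: with fixed-width unsigned operands the sum wraps before the comparison, so a very large `a` is left untouched. The following is an added example (not the Security Lab query) that models the C arithmetic in Python; the 32-bit width is an assumption, the same failure occurs at any fixed width:

```python
"""Added example: the check `if (a + b > c) a = c - b;` modelled with the
unsigned 32-bit wraparound C applies to uint32_t operands (the width is an
assumption) beside a rearranged check that cannot wrap."""
MASK32 = 0xFFFFFFFF


def in_bounds(a: int, b: int, c: int) -> bool:
    """Exact arithmetic: the property the clamp is supposed to guarantee."""
    return a + b <= c


def clamp_wrapping(a: int, b: int, c: int) -> int:
    """Literal transcription of the C pattern: a + b wraps before the compare,
    so an `a` near 2**32 makes the sum small and the clamp is skipped."""
    if (a + b) & MASK32 > c:
        a = (c - b) & MASK32
    return a


def clamp_safe(a: int, b: int, c: int) -> int:
    """Rearranged so no intermediate can wrap: require b <= c first, then
    compare a against c - b, which is now known to be non-negative."""
    if b > c:
        raise ValueError("b exceeds c: no a satisfies a + b <= c")
    if a > c - b:
        a = c - b
    return a


if __name__ == "__main__":
    a, b, c = 0xFFFFFFF0, 0x20, 0x100
    print("wrapping clamp leaves a =", hex(clamp_wrapping(a, b, c)),
          "in bounds:", in_bounds(clamp_wrapping(a, b, c), b, c))
    print("safe clamp gives a =", hex(clamp_safe(a, b, c)),
          "in bounds:", in_bounds(clamp_safe(a, b, c), b, c))
```

In C the same rearrangement reads `if (b > c) fail; if (a > c - b) a = c - b;`; the general rule is to compare against the remaining headroom rather than forming a sum whose width you do not control.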
GitLab: Account takeover due to insufficient URL validation on RelayState parameter
An insufficient URL validation on the RelayState parameter in GitLab allowed attackers to steal Bitbucket access tokens and other third-party access tokens, such as Google, Salesforce, and Twitter. The vulnerability was due to an open redirect while logging in to GitLab via SAML, which saved the...
Nextcloud: Hide download previews are accessible without a watermark
A vulnerability was discovered in Nextcloud that allowed users to access download previews without a watermark, even when the watermark option was enabled. This could potentially compromise the privacy of the document and goes against the intended purpose of the feature...
Adobe: HTML INJECTION FOUND ON https://adobedocs.github.io/analytics-1.4-apis/swagger-docs.html DUE TO OUTDATED SWAGGER UI
Responsible disclosure of HTML injection. Swagger UI has an interesting feature that allows you to provide a URL to API specification - a yaml or json file that will be fetched and displayed to the user. To do that you have to add a query parameter ?url=https://yourapispec/spec.yaml or...
curl: curl "globbing" can lead to denial of service attacks
Summary: The curl "globbing" feature allows too much scope, which can cause a server to be denied service or be used to attack third-party websites. Globbing allows a range such as 1-9999999999999999999 to be parsed in the URL. So when curl requests...
U.S. Dept Of Defense: Found Origin IP's Lead To Access ████
Discovered that the ██████ site exposed its non-Cloudflare IP, which could allow bypassing of anti-DDoS mechanisms. Your origin servers are not blocking access from non-Cloudflare servers. This way crawlers can find your origin servers' IPs by checking random IPs until they find your origin server...
Reddit: Reflected xss in https://sh.reddit.com
Summary: Reflected cross-site scripting (XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Impact: an attacker can execute malicious JavaScript and steal cookies. Steps To Reproduce: add details for how we can...
HackerOne: An attacker can archive and unarchive any structured scope object on HackerOne
Summary: Hello, I have discovered an IDOR vulnerability that allows the scope of any program to be archived. Scopes are used to give information about the valid scopes of a program. For example HackerOne has the following scopes: https://hackerone.com https://api.hackerone.com ... Steps To...
IBM: Public Jenkins instance with /script enabled
An RCE/LFI due to a public Jenkins instance with /script enabled was reported to IBM on February 26th, analyzed, and remediated since March 3rd, 2022. Thank you to Sanjok Karki (thesanjok) for the finding. RCE/LFI due to Public Jenkins instance with /script enabled...
HackerOne: [Bypass] Ability to invite a new member in sandbox Organization
Summary: Able to bypass the restriction set in the Organization sandbox (automatically created when you create a sandbox program) to send an invite to another security researcher. Description: In the default UI of a sandbox HackerOne Organization, inviting another security researcher is restricted, e.g.:...
curl: Use of Unsafe function || Strcpy
Summary: It was observed that the application is using the strcpy function, which may cause buffer overflow attacks. Affected Code https://github.com/curl/curl Affected Lines 1. Line 195 of curl-master\tests\libtest\stubgssapi.c 2. Lines 204, 212, 216 of curl-master\tests\server\socksd.c Steps To Reproduce: Let...
8x8: ████ api key exposed in github.com/███/███
@adnanmalikinfo identified a committed API key of a 3rd party SaaS platform for social marketing. We swiftly escalated to the repository owner, who restricted access...
GitHub Security Lab: [Java] CWE-552: Query to detect unsafe request dispatcher usage
This bug was reported directly to GitHub Security Lab...
New Relic: Reflected XSS in VPN Appliance
@mr-hakhak discovered an XSS vulnerability in a VPN appliance. While this appliance is not normally accessed via the browser, the web interface was disabled to prevent future issues...