15372 matches found
VK.com: Missing Server Side Rate Limiting can Lead to VK Account Take over
Insufficient flood control...
Pornhub: Account hijack via deleted PH account
The researcher identified a faulty Oauth implementation allowing YouPorn accounts to be hijacked. The researcher exploited a feature which links Pornhub and YouPorn accounts together by leveraging old accounts which were previously deleted, or where username was changed. A faulty Oauth auth...
Uber: lert.uber.com: Few default folders/files of AURA Framework are accessible
There were a few default folders/files of the AURA Framework accessible on lert.uber.com. The specified files/folders in the AURA framework were supposed to be accessible, so we did not make any changes here. However, we do appreciate the time taken to submit this report and are disclosing per th...
LocalTapiola: Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi)
Basic report information Summary: Hi, The values within the ctx tag, are not filtered, they are reflected inside a javascript code in http://viestinta.lahitapiola.fi/webApp/APP3242, which can be exploited to perform an XSS Attack. The parameter are: ctxothersDrivingmagallupcount...
X (Formerly Twitter): CRLF and XSS stored on ton.twitter.com
Hey, 1 CRLF: It's similar to 52042 but weaker to reproduce go to: https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC you will find that test cookie with the val...
LocalTapiola: SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi)
Vulnerable script: /webApp/omaconf Vulnerable parameter: ctxvarsemail Database: PostgreSQL PoC http POST /webApp/omaconf HTTP/1.1 Host: viestinta.lahitapiola.fi Content-Type: application/x-www-form-urlencoded Content-Length: 1131...
Internet Bug Bounty: Heap overflow caused by type confusion vulnerability in merge_param()
Since the original report is still marked as private in the PHP bug tracker please find the copy & pasted bug report below edited for readability and to include correct bug tracker id. See the references section for a link to the issue in the PHP bug tracker! The maintainer already fixed the issu...
Yelp: Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot
On pages https://biz.yelp.com/login and https://biz.yelp.com/forgot a malicious user can verify if a particular E-mail address is registered on biz.yelp.com. Steps to reproduce for https://biz.yelp.com/login: 1. Open https://biz.yelp.com/login 2. Enter non existing E-Mail Address 3. Enter any...
Instacart: WordPress Authentication Denial of Service
Hi, I found out that you are using WordPress version 4.5.3. Researchers found out 5 days ago, that this version has a vulnerability, a Path traversal in WordPress Core Ajax handlers. Intro WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability...
OLX: SQLi in Payment Request
Hi there, I have found out that one request in your API is vulnerable to SQL injection. PoC: Invalid Request: GET /api/v1.0/payments/items?ids=891048367'"&platform=desktop HTTP/1.1 Host: www.olx.com.ar User-Agent: Mozilla/5.0 Windows NT 6.3; WOW64; rv:46.0 Gecko/20100101 Firefox/46.0 Accept:...
Nextcloud: Nextcloud server software: Content Spoofing
In Nextcloud the "dir" parameter is vulnerable to content spoofing attack. If anyone puts a valid directory name in dir parameter then it goes that directory other wise it redirects to the home directory / By putting ../../ in dir parameter I was able to stop the redirect then I had put some...
Internet Bug Bounty: CVE-2016-2177 Undefined pointer arithmetic in SSL code
1.0.2 version here: https://github.com/openssl/openssl/commit/a004e72b95835136d3f1ea90517f706c24c03da7 1.0.1 version here: https://github.com/openssl/openssl/commit/6f35f6deb5ca7daebe289f86477e061ce3ee5f46 These will get listed in the next security advisory and rolled up in the next release...
Uber: Self-XSS on partners.uber.com
Hi, I found a reflected XSS vulnerability in password reset page https://partners.uber.com/reset-password. I have tested this vulnerability in the latest Chrome and Firefox browsers. Reproduction Steps: 1- Go to https://login.uber.com/forgot-password and reset password. Then, Click password reset...
Internet Bug Bounty: Adobe Flash Player ContentFactory class Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ContentFactory.retrieveAdPolicySelector. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platfor...
Internet Bug Bounty: EVP_EncryptUpdate overflow (CVE-2016-2106)
https://github.com/openssl/openssl/commit/3f3582139fbb259a1c3cbb0a25236500a409bf26...
Internet Bug Bounty: EVP_EncodeUpdate overflow (CVE-2016-2105)
https://github.com/openssl/openssl/commit/ee1e3cac2e83abc77bcc8ff98729ca1e10fcc920...
Uber: reopen #128853 (Information disclosure at lite.uber.com)
Issue in 128853 occurs again. 1. go to https://login.uber.com/oauth/v2/authorize?responsetype=code&redirecturi=https%3A%2F%2Flite.uber.com%2Fauth%2Fcallback&scope=profile%20history%20places%20historylite%20requestreceipt%20request%20paymentbaiduwallet&clientid=y-JJyZRABnEwbJQq4VdQPORo4EKqv0j 2...
Mail.ru: bgplay.mail.ru
Potential RCE via Java object deserialization in out-of-scope service...
Internet Bug Bounty: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
https://openssl.org/news/secadv/20160301.txt...
Informatica: [rev-app.informatica.com] - XXE via SAML
Request: POST /sso HTTP/1.1 Host: rev-app.informatica.com Connection: keep-alive Content-Length: 8669 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Origin: https://infapassport.okta.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5....
GlassWire: DLL Hijacking Vulnerability in GlassWireSetup.exe
GlasswireSetup.exe is subject to the attack described here: http://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/ You can get a simple demo with this harmless DLL: https://bayden.com/dl/shfolder.dll See attached image for proof of execution...
QIWI: [rubm.qiwi.com] Yui charts.swf XSS
Yui charts.swf XSS...
Radancy: RC4 cipher suites detected
A group of researchers Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt have found new attacks against TLS that allows an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical fla...
Radancy: Version Disclosure (NginX)
Hi, I found a version disclosure Nginx in the your web server's HTTP response. Extracted Version: 1.8.0 This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Nginx. Impact An attacker...
InVision: Deleting a Project for which the user is not owner but a normal member
A Project member who is not the owner of the project does not have delete option. But using proxy tool like Burp Suite, a low privilege Project member user can delete the Project, Where only the project owner has the privilege to delete the project. Pre-Requisite: A project where current user is...
Gratipay: DKIM records not present, Email Hijacking is possible
Your SPF record is v=spf1 include:email.freshdesk.com include:spf.mandrillapp.com include:spf.google.com -all Which very well shows that you don't want spoofed email to be sent from your domains, but you just forget one thing: DKIM DomainKeys Identified Mail is an important authentication mechani...
VK.com: Issue in the implementation of captcha and race condition
Reuse of captcha. The researcher was able to find a misconfiguration in the captcha mechanism which allowed him to reuse any captcha and bypass the uniquness of the same . Furthermore the race condition bypassed the no. of retries...
Vimeo: API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass
OAuth2 API makes it possible for users to grant access to their accounts to some third-side applications. Of course, users are able to manage such applications' access to their accounts and may deny access for any application. When some user denies access for the application, all accesstokens are...
Mail.ru: XSS in ad.mail.ru
The XSS vulnerability is located here: https://ad.mail.ru/adi/3030 and is triggered by setting referer to: "alert0 The problem is that the referer is being loaded like so: html alert0 " I am aware that this is out of scope, but I am still reporting it since I just happened to spot it while lookin...
Internet Bug Bounty: Use After Free in Flash MessageChannel.send can cause arbitrary code execution
Sending messages between workers while having the animation reloaded can cause an object to be freed while a reference remains in memory. An attacker can use this issue to control eip and potentially execute arbitrary code. Identified as CVE-2015-0320, and reported to Adobe via Chrome VRP:...
X (Formerly Twitter): Insecure Data Storage in Vine Android App
Hi Twitter, - Vulnerability Class:OWASP M2 : Insecure Data Storage Every application needs to store something secret, like a website username,password, cookies etc. , internal storage is the place to do it, android sandbox prevents other applications from accessing this data but,In vine android a...
X (Formerly Twitter): twitter android app Fragment Injection
com.twitter.android.WidgetSettingsActivity extend PreferenceActivity and export. By entering the appropriate extra intent can call any of its internal fragment. So do not export com.twitter.android.WidgetSettingsActivity...
Vimeo: Vimeo.com Insecure Direct Object References Reset Password
Hello, my name is Toufik Airane. This is Responsible Disclosure and Silent Disclosure. Thanks you to opened bug bounty program! Please find a proof of concept for IDOR attack on famous vimeo.com. With this IDOR, attacker can reset any password, of any account and take controle of it. Please, find...
QIWI: Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails
Hi - vulnerable hosts; agent.qiwi.com static.qiwi.com visa.qiwi.com w.qiwi.com www.qiwi.com • the type of vulnerability; Information disclosure • where exactly; There are multiple locations for documents with valuable metadata attached. These are both Qiwi documents and documents uploaded by...
Block.io: SMPT Protection not used, I can hijack your email server.
Description Companies like Coinbase, Yahoo,Google,Facebook and even hackerone implemented a strict email security policy combining SPF, DKIM, and DMARC but I don't see taht from block.io , You should apply strict SMPT policy to stop spoofed email sending from your domain. POC is attached. Exploit...
X (Formerly Twitter): URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS
Hi, This is an urgent issue and I hope you will act on it likewise. Your subdomain media.vine.co is pointing to AWS S3, but no bucket was connected to it. Actually, the reason to it is due to the CNAME of the meda.vine.co-DNS-entry: media.vine.co - media.vine.co is an alias for...
Mavenlink: Login password guessing attack
I have found out that an attacker can perform brute force attack on your login panel because there is no rate limitation to prevent this attack...
Yahoo!: Testing for user enumeration (OWASP‐AT‐002) - https://gh.bouncer.login.yahoo.com
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
curl: OpenSSL TLS 1.2 session resumption accepts expired server certificates in libcurl
Summary curl's OpenSSL backend can accept a new TLS 1.2 HTTPS connection after the server certificate has expired if the connection resumes a previously cached TLS session. A full handshake made at the same time with the same certificate fails with CURLEPEERFAILEDVERIFICATION, but the resumed...
curl: Stack Buffer Overflow in cURL Cookie Parsing Leads to RCE
Summary I discovered a critical stack-based buffer overflow vulnerability in cURL's cookie parsing mechanism that can lead to remote code execution. The vulnerability occurs when processing maliciously crafted HTTP cookies, affecting all applications that use libcurl for HTTP requests. Descriptio...
curl: CVE-2024-6197: freeing stack buffer in utf8asn1str
The libcurl library at commit 04739054cdac5a0614fb94e3655e313c03399f35 contained an invalid invocation of the free function in the utf8asn1str function. The buffer being freed was located on the stack, which posed a security risk as the freed address could have been later returned by malloc calls...
curl: Denial of Service in curl Request - HTTP headers eat all memory
Vulnerability description not provided...
HackerOne: 2FA Bypass via Leaked Cookies
Vulnerability description not provided...
Nextcloud: Bruteforce protection in password verification can be bypassed
A vulnerability was found where the IP address used for brute force protection in Nextcloud server could be bypassed by adding a valid X-Forwarded-For header. This allowed an attacker to bypass the brute force protection and brute force login credentials...
Node.js: Path traversal by monkey-patching Buffer internals
A path traversal vulnerability was introduced in the experimental permission model in Node.js 20 and 21 by monkey-patching Buffer internals. This allowed modification of the result of path.resolve, leading to traversal beyond the expected path...
Internet Bug Bounty: CVE-2023-42780: Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature
A vulnerability in Apache Airflow versions prior to 2.7.2 allowed authenticated users to list warnings for all DAGs, revealing dagids and stack traces even for DAGs the user did not have permission to access. Users should upgrade to Airflow 2.7.2 or newer...
U.S. Dept Of Defense: authentication bypass
An authentication bypass vulnerability was discovered in the login page of a web portal, allowing unauthorized access without providing valid credentials...
Internet Bug Bounty: (CVE-2023-32003) fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks
The fs.mkdtemp and fs.mkdtempSync functions in Node.js were found to be missing getValidatedPath checks, allowing for a path traversal attack. This vulnerability could be exploited to create arbitrary directories...
GitHub Security Lab: [Python] Unsafe Unpacking and TarSlip bug slaying
Vulnerability description not provided...
GitHub Security Lab: cpp: if (a+b>c) a=c-b is incorrect if a+b overflows
Vulnerability description not provided...