15369 matches found
Midpoint (European Commission - DIGIT): Attacker can read password from log data
Summary: Attacker can read plain text password from log data. Steps To Reproduce: 1. From application dashboard choose Users section, I simultaneously ran process hacker to see the process disk write and read behavior. 2. change the password of one of the users, and you see in process hacker wind...
Monero: (remote) exabyte allocation via load_from_binary() (DoS)
Changes introduced in commit b82efa32e can result in a denial of service if epee::serialization::portablestorage::loadfrombinary is called with untrusted data. The 'reserve' method implemented here:...
Algolia: Web Cache Deception Attack (XSS)
@testingforbugs identified an issue related to web caching which could lead to XSS attacks...
GitLab: Attacker is able to access commit title and team member comments which are supposed to be private
Summary: add summary of the vulnerability Description: add more details about this vulnerability Steps To Reproduce: To reproduce this vulnerability, we need two accounts, lets say those accounts are: - [email protected] - [email protected] - Create a project from account [email protected] with th...
X (Formerly Twitter): url that twitter mobile site can not load
Summary: A url that twitter mobile site can not load, crushes any page containing this url Description: Invalid hex characters crushes twitter mobile site as example go to https://mobile.twitter.com/?%xx twitter won't load. 1 Sending such url on a direct message, twitter will no longer be able to...
HackerOne: report id is exposed for undisclosed reports in Hacktivity
Summary: This is similar to https://hackerone.com/reports/127620 where the report Id of undisclosed report is visible on graphql query Description: The new hacktivity graphql query includes undisclosed reports, but part of the query result is the report id which is included in private information...
Internet Bug Bounty: Buffer over-write in finfo_open with malformed magic file.
https://bugs.php.net/bug.php?id=71527 This bug causes a segfault when running with environment variable USEZENDALLOC set to 0, and also when compiled with ASAN with USEZENDALLOC set and unset. To reproduce, run the following PHP file, with the example magic file below. $ cat magic-open.php Magic...
Nextcloud: Retrieval and alteration of exposed media on Android Oreo
Good afternoon. Any media downloaded from the cloud server within the Android app is subject to third party modification and server re-upload without explicit user consent. This happens at least on Android Oreo, as data is automatically stored on shared folder...
HackerOne: A user can bypass approval step in Hacker Publishing feature, allowing them to publish reports immediately
Summary: Hi team Description: Hacker can request agree-on-going-public publish report Steps To Reproduce 1. Create publish report 2. https://hackerone.com/reports/bulk POST...
GitLab: GitLab's GitHub integration is vulnerable to SSRF vulnerability
The GitHub service is vulnerable to a SSRF vulnerability. An attacker may be able to leverage this to make arbitrary POST requests in a GitLab instance's internal network. It can also be used to connect to cloud provider's instance metadata API, which may result in the ability to execute commands...
Node.js third-party modules: Prototype pollution attack in just-extend
I would like to report a prototype pollution vulnerability in just-extend It allows an attacker to inject properties on Object.prototype. Module module name: just-extend version: 2.1.0, and 3.0.0 npm page: https://www.npmjs.com/package/just-extend Module Description Part of a library of...
Mail.ru: Bypass security fixes by downgrading version of application
Version downgrade attack was possible in webagent web application webagent.mail.ru. It could allow attacker to force user to visit an older version of web application with known vulnerabilities...
Miniclip: xss in miniclip.com
I know this is out of scope but I thought maybe you would like to know about it. video attached Impact Steal session cookies, install keylogger etc etc...
BOHEMIA INTERACTIVE a.s.: Stealing Users OAUTH Tokens via redirect_uri
Hi, I would like to report an Open redirection on oauth redirecturi which can lead to users oauth tokens being leaked to any malicious user. Detail During the OAUTH flow, the redirecturi on https://accounts.bistudio.com is not properly validating that the URL given is proper, as such a bypass of...
Valve: Malformed .BMP file in Counter-Strike 1.6 may cause shellcode injection
With the vulnerability of the GoldSource Engine, the server is able to perform remote code execution on the client, overwriting the stack when reading the BMP file. The problem is in the LoadBMP8 function, which is executed when the player connects to the server, by loading the...
Chaturbate: Account Takeover via billing
The hacker found that when subscribing to a fanclub the parameters could be manipulated to purchase a fanclub subscription for another user. This will set the email of the target account if they had no email on file. This could then be used to reset the password for the target user. The purchasin...
Internet Bug Bounty: linkinfo - openbasedir bypass on Windows PHP
Upstream bug - windows linkinfo lacks openbasedir check === https://bugs.php.net/bug.php?id=76459 Summary == Description: ------------ linkinfo function on windows doesn't implement openbasedir check, it can be seen by reviewing the source code. This could be abused to find files on paths outside...
Nextcloud: Accessing to download.nextcloud.com from original ip adreess | insecure Download
Hi team , Summary I found that when I can access from original ip to the web site ,.This disable Https secure connection. Description First I make DNS Lookup to find the ip adress download.nextcloud.com has address 88.198.160.133 F313820 Now When I open The website from download.nextcloud.com I s...
Reverb.com: Api token exposed in Reverb.com's public github repository
An access token of a user account was available in a public github repo. The token was tied to an experimental project, and the account was only used for that project, so no sensitive information was able to be obtained...
Internet Bug Bounty: Silent omission of certificate hostname verification in LibreSSL and BoringSSL
Abstract LibreSSL and BoringSSL implemented X509VERIFYPARAMset1host differently than OpenSSL. All applications that use the preferred and documented way to configure a TLS connection for hostname validation, silently neglect to perform hostname validation at all. As a consequence, they are...
Unikrn: [unikrn.com] Profile updated with error":true,"success":false"
Greetings, We noticed that even if the https://unikrn.com/apiv2/user/updateprofile gave an answer that the code is on error , the post is proceeded : PoC : -- curl 'https://unikrn.com/apiv2/user/updateprofile' -XPOST -H 'Referer: https://unikrn.com/profile' -H 'Content-Type: application/json' -H...
Uber: Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication
Summary Configuration file and/or source code information leakage without Uber OneLogin SSO authentication. Security Impact Misconfiguration on the server results in information leakage without authentication. Reproduction Steps...
Deriv.com: Leaking Referrer in Reset Password Link
On 12th Dec flex0geek reported that binary.com was leaking password reset tokens through referer headers . At first this sight the report was closed as we had fixed this earlier and our code base seemed fine . Later on the researcher sent a video POC which did show that we were leaking password...
Internet Bug Bounty: Exim use-after-free vulnerability while reading mail header involving BDAT commands
Original article is here Use-after-free in receivemsg leads to RCE Vulnerability Analysis To explain this bug, we need to start with the memory management of exim. There is a series of functions starts with store such as storeget, storerelease, storereset. These functions are used to manage...
HackerOne: GraphQL sessions aren't immediately invalidated when user password is changed
Summary: While changing password, once user clicks on "Change password" button after giving necessary values, on https://hackerone.com/settings/pass/edit, the session expires and the user is redirected to https://hackerone.com/users/signin for logging in again with the updated/changed password. A...
AlienVault : [www.threatcrowd.org] - reflected XSS in report.php
Summary: I have found a reflected XSS in https://www.threatcrowd.org/report.php in GET parameter report Browsers Verified In: Firefox 56.0.1 Steps To Reproduce: 1. Browse to https://www.threatcrowd.org/report.php?report=javascript%3aalertdocument.domain 2. Click on Visit...
Infogram: Login Cross Site Request Forgery
Login form is not protected against Cross Site Request Forgery. An attacker can craft html page containing POST information to have victim sign into an attacker's account, where the victim can add information assuming he/she is logged into the correct account, where in reality, the victim is sign...
RubyGems: Remote code execution on rubygems.org
When parsing a gem POSTed to the /api/v1/gems endpoint, the rubygems.org application immediately calls Gem::Package.newbody.spec inside app/models/pusher.rb. The authors of the application correctly observed that parsing untrusted YAML is dangerous since it can serialize more or less arbitrary...
RubyGems: Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier
We received this report via security@ from [email protected], I'm filing here for tracking and visibility purposes... "I was looking at commit 8d91516fb7037ecfb27622f605dc40245e0f8d32, which was the fix for the DNS hijacking issue CVE-2017-0902. The function still handles the DNS response in ...
Aspen: client_secret Token disclosure
Greetings, I think I've discovered a clientsecret token disclosure. Proof of concept: 1. Go to https://github.com/AspenWeb/experimental-javascript-version/blob/master/www/blog/index.html 2. At the line 6, a clientsecret token it's disclosed...
Brave Software: Download of (later executed) .NET installer over insecure channel
NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. Summary: Execution of file NDP-KB2901954-Web.exe fetched via...
Razer US: Reflected XSS on the https://deals.razerzone.com/json/translation endpoint
Thanks to SP1D3RS for the great report and working with the team on this one. This was a trivial POST-XSS, caused by using text/html Content-Type on the JSON endpoint, and ability to control the part of the response using unsanitized input. Why I disclosed it if this is a trivial issue? I pretty...
Razer US: Open redirect on oauth2.razerzone.com caused by server misconfiguration when using triple slash after hostname
Another solid report form this tester, who helped us nail down the issue when it was only intermittently reproducible. We appreciate the hard work. I discovered the Open Redirect on the oauth2.razerzone.com due to improper handling of multiple/encoded slashes and dots in the URL path. POC link:...
Concrete CMS: 'cnvID' parameter vulnerable to Insecure Direct Object References
Installation Information === IIS 8, PHP 5.5, Concrete5 5.7.5.7 Default install Issue POC An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/viewajax with incremental 'cnvID' integers. 1. An example blog with permission...
Legal Robot: Null Byte Injection in all fields of Profile
Hi Team, Null byte injection is possible in all the fields of Edit Profile functionality. Affected URL: https://app.legalrobot.com/account Description: Possible Injection of control characters, such as Null Byte 0x00, \000, \x00, \z, or the Unicode representation \u0000 into vulnerable fields in...
Gratipay: CSP "script-src" includes "unsafe-inline" in https://gratipay.com
SUMMARY: Related Report: 225833 Gratipay is using unsafe-inline in script-src csp headers which allows the use of inline resources, such as inline elements, javascript: URLs, inline event handlers, and inline elements. Proof Of Concept By Using cURL: curl -I https://gratipay.com The results See m...
Weblate: Incorrect HTTPS Certificate
Weblate appears to have a public facing git repository located at git.weblate.org that utilises HTTPS when viewed in the browser. As a side note, netcat to port 80 results in the default debian landing page. 77.78.107.252 - git.weblate.org The site has an incorrectly configured certificate, and...
Automattic: Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand
Product / URL https://instagram-brand.com/register/reset/?email= Description and Impact After a user clicks on the password reset link obtained in inbox, the page for password resetting functionality opens. If you monitor the HTTP Requests that are done while that page is loaded, you will come to...
Uber: lert.uber.com: Few default folders/files of AURA Framework are accessible
There were a few default folders/files of the AURA Framework accessible on lert.uber.com. The specified files/folders in the AURA framework were supposed to be accessible, so we did not make any changes here. However, we do appreciate the time taken to submit this report and are disclosing per th...
X (Formerly Twitter): CRLF and XSS stored on ton.twitter.com
Hey, 1 CRLF: It's similar to 52042 but weaker to reproduce go to: https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC you will find that test cookie with the val...
LocalTapiola: SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi)
Vulnerable script: /webApp/omaconf Vulnerable parameter: ctxvarsemail Database: PostgreSQL PoC http POST /webApp/omaconf HTTP/1.1 Host: viestinta.lahitapiola.fi Content-Type: application/x-www-form-urlencoded Content-Length: 1131...
Yelp: Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot
On pages https://biz.yelp.com/login and https://biz.yelp.com/forgot a malicious user can verify if a particular E-mail address is registered on biz.yelp.com. Steps to reproduce for https://biz.yelp.com/login: 1. Open https://biz.yelp.com/login 2. Enter non existing E-Mail Address 3. Enter any...
Instacart: WordPress Authentication Denial of Service
Hi, I found out that you are using WordPress version 4.5.3. Researchers found out 5 days ago, that this version has a vulnerability, a Path traversal in WordPress Core Ajax handlers. Intro WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability...
Internet Bug Bounty: stack buffer overflows in the curses module
I found two stack buffer overflows in the curses module. These vulnerabilities have been reported to the PSRT and were fixed here: https://hg.python.org/cpython/rev/d5f6bc45b376 https://hg.python.org/cpython/rev/85b35300f200 Below are copies of the mails I sent to the PSRT. They describe the...
Trello: File access using image tragick
While Trello had patched our image libraries to prevent the RCE vulnerability in ImageMagick, we had not applied a patch to prevent arbitrary file reads via labels in mvg files. After resolving the issue, we were able to determine that no files had actually been accessed using this vulnerability,...
OLX: SQLi in Payment Request
Hi there, I have found out that one request in your API is vulnerable to SQL injection. PoC: Invalid Request: GET /api/v1.0/payments/items?ids=891048367'"&platform=desktop HTTP/1.1 Host: www.olx.com.ar User-Agent: Mozilla/5.0 Windows NT 6.3; WOW64; rv:46.0 Gecko/20100101 Firefox/46.0 Accept:...
Internet Bug Bounty: Adobe Flash Player ContentFactory class Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ContentFactory.retrieveAdPolicySelector. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platfor...
Mail.ru: bgplay.mail.ru
Potential RCE via Java object deserialization in out-of-scope service...
Internet Bug Bounty: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
https://openssl.org/news/secadv/20160301.txt...
Cakebet: Sender policy framework (SPF) records evaluation return (Too many DNS lookups) error
Hi Security Team , Your SPF record suffers from a “too many lookups” error. The specifications for the SPF record limit the number of lookups such as, translating a name to an IP address to 10. An SPF record like what is shown below will have the too many lookup errors : Found v=spf1 record for...