New Relic: Login CSRF vulnerability
Hi New Relic security team, While doing pentesting on your website, I found that while logging into the account the "authenticitytoken" was not properly validated. I was able to login into my account even without "authenticitytoken". Impact: High Steps to Reproduce: 1 Login to your account. 2 Whi...
Uber: XSS At "pages.et.uber.com"
Vulnerable Domain : ------------------- https://pages.et.uber.com/ Vulnerable Link : ----------------- https://pages.et.uber.com/icecream/?langid=5 Edited Link With Payload : -------------------------- https://pages.et.uber.com/icecream/?langid=5%22%20onmouseover%3dpromptdocument.domain%20bad%3d%...
Nextcloud: Uploading files to a folder where an invited user doesn't have any EDIT privilege
Hi, Any user invited to a shared folder with no edit privilege can create files in it through the copy feature of the Nextcloud Android app. Steps to reproduce it + Create any folder and invite a user to it without any edit privilege. + Now login from the invited user account through the Android app. + Copy any...
Uber: Bruteforce INVITE codes easy way
As soon as I read the vulnerability disclosed on H1 regarding the possibility to brute force invite codes in riders.uber.com "https://hackerone.com/reports/125505", I found a similar and easy way to bruteforce invite codes, but in a different manner. Also, 1680 public invites are waiting for...
Zomato: Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI)
Once a user connects his Zomato account to Instagram via OAuth2, the page https://www.zomato.com/php/instagramtagrelay leaks the Instagram OAuth2 Access Token issued to Zomato: PoC: https://www.zomato.com/php/instagramtagrelay?callback=aaabc Result personal data x'ed: HTTP/1.1 200 OK...
Sucuri: CRLF/HTTP header injection www.sucuri.net
I would like to report a security vulnerability on www.sucuri.net. The domain appears to be vulnerable for CRLF or HTTP header injection. This allows attackers to construct a URL that injects HTTP headers in the server's response. One of the things an attacker can do is injecting a "Set-Cookie"...
Bumble: AWS S3 Bucket hotornot-images permissions allow for listing and removing files
We do not use amazon AWS but @yaworsk wanted to disclose his report anyway. Why not, we can do. ---- Hi All, Though I'm not 100% sure you own the bucket - and if not, I would appreciate being able to close this myself - I believe you may own the S3 bucket hotornot-images. If so, using the AWS CLI...
Slack: Authentication bypass leads to sensitive data exposure (token+secret)
@secalert discovered an information disclosure on our server which took advantage of an authorization error that allowed the viewing of sensitive information on the server. We mitigated the issue and no longer expose such information, and performed an investigation to verify that no unauthorized...
Uber: Listing of http://archive.uber.com/pypi/simple/
Hope the below link is not for public Directory/File listing with all files Sample files http://archive.uber.com/pypi/simple/...
Xero: Vulnerability : XSS Vulnerability
A single instance of self-XSS was reported in the Xero application, which affected a text field behind Authentication. This was relatively easy to mitigate and no risk to Customer Data was identified...
Mail.ru: [allods.my.com] SSRF / XSPA
Good day. The vulnerability is in the avatar upload function. An avatar can be loaded from a remote host. PoC http://allods.my.com/forum/index.php?form=AvatarEdit Download avatar: http://localhost:80 - You have selected a corrupt image. port is open http://localhost:3306 - You have...
Ruby on Rails: Validation bypass for Active Record and Active Model
Possible Input Validation Circumvention in Active Model There is a possible input validation circumvention vulnerability in Active Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753. Versions Affected: 4.1.0 and newer Not affected: 4.0.13 and older Fixed Versions:...
Square Open Source: Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone
While testing git-fastclone for the ext protocol issues in my other report, I looked at the source code and immediately noticed you're using the Cocaine0 library unsafely. Cocaine will protect from command injection but it "only does that for arguments interpolated via run, NOT arguments passed...
ownCloud: Full Path Disclosure
When I was trying to upload an html file as a profile picture as a non-admin user, it popped up with a message containing the full path, like this: "Could not obtain lock type 1 on "/opt/lampp/htdocs/owncloud/data/12/files/opt/lampp/htdocs/owncloud/data/12/cache/avatarupload"." Thanks...
Coinbase: Two-factor authentication (via SMS)
Hello Coinbase Security Team, I just found a problem in the two-factor authentication mechanism; here are the details and how to reproduce this issue: I have two accounts with two emails on coinbase.com. I activated 2FA on both of the two emails with this phone number +201066462288. From Chrome I will try ...
Concrete CMS: Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1
Concrete5 is vulnerable to a Local File Inclusion because it fails to properly validate the path for incoming requests during the dispatching process. This vulnerability exists because the path is retrieved using the Request::getPathInfo method from the Symfony framework, which allows to specify...
Internet Bug Bounty: Multiple issues in looking-glass software (aka from web to BGP injections)
During the month of May 2014 we performed an offensive security analysis, trying to find how hard it would be for a low-to-medium skilled attacker to disrupt the core of the Internet, i.e. achieve the largest possible impact at the lowest common layer, with minimal resources. This is a confidential...
Coinbase: CSRF on "Set as primary" option on the accounts page
On navigating to the Accounts page, a Coinbase user can create multiple accounts. The user can then make any of these accounts as their primary account. There are also other options of renaming and deleting these accounts. Although there is a CSRF token being sent as a POST parameter for the dele...
HackerOne: Flooding mailbox of user
There seems to be no prevention from sending multiple password reset links to a selected e-mail. As a result mailbox of the user can be flooded with these mails. I would recommend to add CAPTCHA in forgot password functionality...
Automattic: Session Cookie without Secure flag set
vulnerability-Session Cookie without Secure flag set Vulnerability description This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the cookie can only be accessed over secure SSL channels. This is an important security protection...
Yahoo!: From Unrestricted File Upload to Remote Command Execution
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Slack: Open Redirect in Slack
This link shall redirect to google.co.in: http://prakhar.slack.com/link?url=http%3A%2F%2Fgoogle.co.in Straight, open redirection! Thanks!...
Yahoo!: XSS Vulnerability (my.yahoo.com)
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Phabricator: CSRF token valid even after the session logout of a particular user
Hi, To reproduce the issue: 1 Login to your https://secure.phabricator.com account and copy your anti-CSRF token. 2 Now logout and login again after some time. 3 Open up your Burp Suite to modify the request and now submit any form with your old CSRF token. The request will be completed. So let's...
Rocket.Chat: Autotranslate DDP Method Exposes Private Messages Without Authentication or Room Access Check
Vulnerability description not provided...
curl: MQTT Protocol Packet Injection via Unchecked CONNACK Remaining Length
I'm not sure if this is a vulnerability or intended behavior, but I noticed that curl MQTT implementation accepts CONNACK packets with Remaining Length values greater than 2, which appears to violate the MQTT v3.1.1 specification. According to the MQTT spec, CONNACK packets should have a Remainin...
U.S. Dept Of Defense: [ CVE-2018-1000129 ] RXSS At `https://███████` via the URI
The CVE-2018-1000129 vulnerability allowed remote cross-site scripting RXSS at the specified URL. The vulnerability was due to improper sanitization of user input, which enabled the execution of arbitrary scripts in the victim's browser...
HackerOne: Session Not Expire / 2FA Bypass
Vulnerability description not provided...
curl: HTTP/2 PUSH_PROMISE DoS
Vulnerability description not provided...
HackerOne: Creation of bounties through Customer API leads to private email disclosure
The creation of bounties through the Customer API led to the disclosure of private email addresses. The vulnerability was demonstrated by using both the API and GraphQL requests to award a program bounty to a user, which then exposed the email address of that user in the response...
MTN Group: CVE-2010-1429 JBoss Insecure Storage of Sensitive Information on ips.mtn.co.ug
The JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allowed remote attackers to obtain sensitive information about deployed web contexts via a request to the status servlet, as demonstrated by a full=true query string. This issue was caused by a regression fr...
Mars: Datadog api keys exposed can be used to do all the read and write access to the instance
A vulnerability was identified where Datadog API keys were exposed in a JavaScript file, which could have enabled unauthorized access to Datadog services. The issue was responsibly disclosed along with a proof-of-concept demonstration...
Teleport: access list owner can escalate his role to the highest roles
Summary: 1. Go to your-domain.teleport.sh/web/accesslists. 2. Create a new access list and add a role to "Roles Granted," e.g., "reviewer" role. 3. Add a user as the Access List Owner. 4. The user, as the Access List Owner, can escalate the role of the list to higher roles, thereby escalating the...
Mozilla: Subdomain takeover on one of the subdomain under mozaws.net
Vulnerability description not provided...
Mozilla: Subdomain takeover on one of the subdomain under mozaws.net
Vulnerability description not provided...
U.S. Dept Of Defense: Blind SQL Injection in https://█████/qsSearch.aspx
A blind SQL injection vulnerability was discovered in the qsSearch.aspx page of the application. An attacker could exploit this vulnerability to bypass authentication and retrieve sensitive information from the database. The vulnerability has been mitigated by implementing appropriate security...
Internet Bug Bounty: Privilege Escalation at Apache Airflow 2.5.1
A vulnerability was found in Apache Airflow before version 2.6.0 that allowed local Linux users to access sensitive files, such as SSH private keys, owned by the account that operates Airflow. The issue was caused by Airflow setting log files to vulnerable privileges, allowing any Linux user on t...
Omise: Subdomain takeover http://accessday.opn.ooo/
Vulnerability description not provided...
Equifax-vdp: reflected XSS in [www.equifax.com]
A reflected XSS vulnerability was found in an endpoint of Equifax's website. An attacker could execute malicious JavaScript code on victims who visit a specially crafted link, potentially stealing their cookies...
Yelp: Public Github Repo Leaking Internal Credentials
Summary: On GitHub I found some credentials to use in mesos.apache.org. GitHub: https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-secrets https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-slave-secret POC ss F2021070 F2021071 Login...
Nextcloud: XSS in Desktop Client in call notification popup
Summary: The Nextcloud Desktop Client application does not properly neutralize the name of a group conversation before using it. Steps To Reproduce: Server Machine: 1. Install the Nextcloud Server application 2. Create an administrator account 3. Create a user account Client Machine: 4. Install t...
GitHub: Command injection in GitHub Actions ContainerStepHost
GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands wa...
Cloudflare Public Bug Bounty: Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts
The OIDC JWT token issued on a new Sign in with Apple ID to the Cloudflare Dashboard had an excessive lifetime. When intercepted by a malicious actor, it enabled impersonation of the affected user on multiple devices during the entire token validity period without the need to re-authenticate. The...
GitHub Security Lab: [Java]: CWE-200 - Query to detect insecure WebResourceResponse implementation
This bug was reported directly to GitHub Security Lab...
Evernote: Reflected XSS in the shared note view on https://evernote.com
Summary: There is a reflected XSS vulnerability on https://evernote.com, in the shared web note view, triggered through the view and ionUrl parameters of the /shard/sSHARDNUMBER/client/snv endpoint. Description: When a user creates a note and shares it, it is stored in the following endpoint, bei...
lemlist: [app.lemlist.com] Improper handling of payment leads to payment bypass
Summary: Hello Team, I truly hope it treats you awesomely on your side of the screen : due to improper handling of payment methods, an attacker can easily bypass the payment and benefit from a paid plan. Steps To Reproduce: 1. Log to your account 1. Go to the billing page 1. Fill in the address t...
Lark Technologies: Full read SSRF via Lark Docs `import as docs` feature
An SSRF (server-side request forgery) vulnerability was found in Lark Docs using the "import as docs" feature, which could have potentially been used to access services running on the internal network. We thank @sirleeroyjenkins for reporting this to our team and confirming the resolution...
U.S. Dept Of Defense: Rxss on █████████ via logout?service=javascript:alert(1)
Description: I found an open redirect and RXSS at the ██████████ logout page, https://████/██████████/logout?service=https://google.com It also allows javascript URIs, leading to XSS. Impact: An attacker can trick users into visiting malicious websites, or it can lead to phishing and many other types of attack...
Kubernetes: Ingress-nginx annotation injection allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces
I submitted the following report to [email protected]: I've been exploring CVE-2021-25742 and believe I've discovered a variant although it appears there may be many. Most template variables are not escaped properly in nginx.tmpl, leading to injection of arbitrary nginx directives. For...
GitLab: IDOR in "external status check" API leaks data about any status check on the instance
Summary The API endpoint for returning approval from an external status check contains an IDOR that lets a user list information about all external status checks on the GitLab instance. The feature is an Ultimate feature, but can be accessed by starting an Ultimate trial on GitLab.com. So the...