Pornhub: Race Condition Vulnerability On Pornhubpremium.com
The researcher discovered a race condition which allowed gift code reuse across multiple accounts to gain Premium access. I was able to create unlimited accounts and redeem already used gift cards to give the accounts as many days of subscription as I wanted, which could then be used ...
Udemy: Completed Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at https://jenkins101.udemy.com
Howdy, @udemy! Summary: I am writing to inform you of a critical information disclosure bug via an exposed Jenkins dashboard located at https://jenkins101.udemy.com. Upon navigating to this address, I was asked to authenticate with my Github account. After authenticating, I was surprised ...
Open-Xchange: Tab nabbing via window.opener
Details: When you open a link in a new tab (target="blank"), the page that opens in a new tab can access the initial tab and change its location using the window.opener property. POC: Edit your contact details, with the website URL of http://davenport.net.nz/test.html, which has the following htm...
Envoy: Abuse of API can Lead to DoS
Issue Description: The researcher identified that it is possible to abuse the manual creation of employees via the API, meaning that a malicious attacker can create a trial account and use this to mass spam users with emails; the screenshot below shows the mass amount of emails that can be sent i...
Nextcloud: Authentication Issue
1. UserA creates a password protected share 2. UserA shares this link with UserB 3. UserB accesses the share with the password 4. UserA changes the password 5. Now UserB can still access the share. At step 5 UserB should be prompted to authenticate again...
drchrono: SSL/TLS BEAST ATTACK
Supported versions: TLSv1.0 TLSv1.1 TLSv1.2 Deflate compression: no Supported cipher suites (ORDER IS NOT SIGNIFICANT): TLSv1.0 RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLSv1.1: idem TLSv1.2...
Zomato: Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI)
Once a user connects his Zomato account to Instagram via OAuth2, the page https://www.zomato.com/php/instagramtagrelay leaks the Instagram OAuth2 Access Token issued to Zomato: PoC: https://www.zomato.com/php/instagramtagrelay?callback=aaabc Result personal data x'ed: HTTP/1.1 200 OK...
Automattic: WordPress Flash XSS in *flashmediaelement.swf*
Intro: WordPress is vulnerable to a reflected XSS that stems from an insecure URL sanitization problem performed in the file flashmediaelement.swf. The code in the file attempts to remove flashVars ¹ in case they have been set as GET parameters but fails to do so, enabling XSS via...
Zendesk: XSS In /zuora/ functionality
Hello there, I wanted to report an XSS vulnerability in the /zuora/ functionality on the Zendesk application. Affected URL: -...
Bumble: AWS S3 Bucket hotornot-images permissions allow for listing and removing files
We do not use amazon AWS but @yaworsk wanted to disclose his report anyway. Why not, we can do. ---- Hi All, Though I'm not 100% sure you own the bucket - and if not, I would appreciate being able to close this myself - I believe you may own the S3 bucket hotornot-images. If so, using the AWS CLI...
HackerOne: New hacktivity view discloses report IDs of non-public reports
URL: https://hackerone.com/hacktivity.json This URL reveals information of reporters' report IDs ./...
Uber: Listing of http://archive.uber.com/pypi/simple/
Hope the below link is not for public Directory/File listing with all files Sample files http://archive.uber.com/pypi/simple/...
Xero: Vulnerability : XSS Vulnerability
A single instance of self-XSS was reported in the Xero application, which affected a text field behind Authentication. This was relatively easy to mitigate and no risk to Customer Data was identified...
Bumble: Broken Authentication on Badoo
Please watch the attached video. It contains all necessary steps and a demo of this vulnerability. Please fix this issue as soon as possible, it is highly severe. Looking forward to your reply. Best Regards, Darshit varotaria...
Radancy: RC4 cipher suites detected
A group of researchers (Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt) have found new attacks against TLS that allow an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical fla...
Shopify: CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com
Hi, I have found that when a user tries to export the list of current users who installed his apps through: https://app.shopify.com/services/partners/apiclients//exportinstalledusers the fields of the CSV file are not properly escaped, which makes them vulnerable to CSV Excel Macro Injection...
Internet Bug Bounty: Misusing of FPU Instruction Could Cause Security Vulnerabilities in Adobe Flash Player
Misusing of FPU Instruction Could Cause Security Vulnerabilities in Adobe Flash Player This vulnerability CVE-2015-3100 was reported to Adobe on March 10, 2015 and has been patched today via APSB15-11 https://helpx.adobe.com/security/products/flash-player/apsb15-11.html. Following is the original...
Sandbox Escape: Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability
Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability. Full source code demonstrating the escape from IE's sandbox -- by launching a medium-integrity calc at login -- is attached with...
Concrete CMS: Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1
Concrete5 is vulnerable to a Local File Inclusion because it fails to properly validate the path for incoming requests during the dispatching process. This vulnerability exists because the path is retrieved using the Request::getPathInfo method from the Symfony framework, which allows specifying...
Vimeo: subdomain takeover 1511493148.cloud.vimeo.com
The researcher found a DNS entry pointing to an unused IP address. This was a domain hijacking issue and was resolved by removing the DNS entry...
Faceless: Account hijacking possible through ADB backup feature
It was found that if an attacker had access to an unlocked phone, they could take any data from the application's sandbox through ADB's backup feature. Normally ADB backup allows applications to be backed up to the cloud. This means that if a user replaces or wipes their phone, they can restore a...
Concrete CMS: XSS in Theme Preview Tools File
https://github.com/concrete5/concrete5/blob/master/web/concrete/tools/themes/preview.php#L7 Note that one of those values near the end is not escaped...
Rocket.Chat: NoSQL injection leaks visitor token and livechat messages
The Rocket.Chat application was affected by two NoSQL injection vulnerabilities. The first vulnerability allowed leaking visitor tokens by exploiting the livechat:loginByToken method, while the second vulnerability enabled leaking livechat messages by exploiting the livechat:loadHistory method...
HackerOne: Session Not Expire / 2FA Bypass
Vulnerability description not provided...
Internet Bug Bounty: CVE-2024-25128: Apache Airflow: Authentication Bypass when Legacy OpenID(2.0) is in use as AUTH_TYPE
CVE-2024-25128: Apache Airflow: Authentication Bypass when Legacy OpenID(2.0) is in use as AUTH_TYPE. When OpenID(2.0) was used as the Authentication Type, an attacker could forge authentication to any existing account in the target Airflow installation by deceiving the backend to trust arbitrary Open...
Internet Bug Bounty: Proxy-Authorization header is not cleared in cross-domain redirect in undici
Proxy-Authorization header not cleared on cross-origin redirect in Undici. Impacted versions = v6.0.0 = v6.6.0. Patched in v5.28.3 and v6.6.1. No known workarounds...
Mars: Datadog api keys exposed can be used to do all the read and write access to the instance
A vulnerability was identified where Datadog API keys were exposed in a JavaScript file, which could have enabled unauthorized access to Datadog services. The issue was responsibly disclosed along with a proof-of-concept demonstration...
Teleport: access list owner can escalate his role to the highest roles
Summary: 1. Go to your-domain.teleport.sh/web/accesslists. 2. Create a new access list and add a role to "Roles Granted," e.g., "reviewer" role. 3. Add a user as the Access List Owner. 4. The user, as the Access List Owner, can escalate the role of the list to higher roles, thereby escalating the...
Nextcloud: App PIN code can be bypassed in Files iOS
A vulnerability was discovered in the PIN code implementation of the Files iOS app version 4.9.1 that allowed an attacker to bypass the PIN code protection via brute force due to lack of rate limiting, enabling unauthorized access to the app...
Mozilla: Subdomain takeover on one of the subdomain under mozaws.net
Vulnerability description not provided...
Internet Bug Bounty: Dependency Policy Bypass via process.binding
A vulnerability was discovered in Node.js that allowed for the bypassing of permissions policies via the use of the process.binding API. This vulnerability allowed an attacker to run arbitrary code outside of the limits defined in a policy.json file. The vulnerability affected all users using the...
U.S. Dept Of Defense: Blind Sql Injection in https://█████/qsSearch.aspx
A blind SQL injection vulnerability was discovered in the qsSearch.aspx page of the application. An attacker could exploit this vulnerability to bypass authentication and retrieve sensitive information from the database. The vulnerability has been mitigated by implementing appropriate security...
HackerOne: HackerOne Support System Doesn't Require Any Authentication May Lead Unauthorized Action
The HackerOne support system did not require any authentication, allowing anyone to open a support ticket for another user's account. This could potentially lead to unauthorized actions being taken on the account...
Glassdoor: Cache Poisoning allows redirection on JS files
A cache poisoning vulnerability was discovered in Glassdoor's design website. By sending a specific request, an attacker could redirect the /test.js file to a malicious website. This could potentially lead to a stored cross-site scripting (XSS) attack if other Glassdoor websites import JavaScript...
Hiro: Security Issue into Wallet lock protection
Description: While testing the wallet extension I generally try to test multiple endpoints, so 2 tabs of the wallet were open on chrome-extension://ldinpeekobnhjjdofggfgjlcehhmanlj/popup.html. So I tried to lock the Wallet extension but I found that I can still use the browser in the 2nd tab; why, as I had already locked...
AMBER AI: Open redirect that can lead to malicious websites
Go to a picture in the website, inspect that picture and you can see a tag; change the tag with the command and it will redirect!! Kindly watch the POC attached to it. Impact: redirect to any malicious web sites may have a chance for account takeover...
Nextcloud: Exposed Log File Lead to Full Internal path disclosure at [https://nextcloud.com/wp-content/debug.log]
Hi team, I found the wp-content/debug.log endpoint publicly accessible, which leads to full path disclosure. Steps: Open: https://nextcloud.com/wp-content/debug.log You can see internal paths disclosed and the date is: 02-Nov-2022 02-Nov-2022 08:50:36 UTC PHP Fatal error: Uncaught Error: Call to undefined...
Yelp: Public Github Repo Leaking Internal Credentials
Summary: In Github I found some credentials to use in a mesos.apache.org Github: https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-secrets https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-slave-secret POC ss F2021070 F2021071 Login...
GitHub: Github app Privilege Escalation to Administrator/Owner of the Organization
Vulnerability description not provided...
Nextcloud: XSS in Desktop Client in call notification popup
Summary: The Nextcloud Desktop Client application does not properly neutralize the name of a group conversation before using it. Steps To Reproduce: Server Machine: 1. Install the Nextcloud Server application 2. Create an administrator account 3. Create a user account Client Machine: 4. Install t...
Node.js: Node 18 reads openssl.cnf from /home/iojs/build/... upon startup on MacOS
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: Similar to...
Cloudflare Public Bug Bounty: Basic XSS [WAF Bypasses]
Vulnerability description not provided...
Cloudflare Public Bug Bounty: Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts
The OIDC JWT token issued on a new Sign in with Apple ID to the Cloudflare Dashboard had an excessive lifetime. When intercepted by a malicious actor, it enabled impersonation of the affected user on multiple devices during the entire token validity period without the need to re-authenticate. The...
Recorded Future: Dom Xss vulnerability
Summary: Dom Xss vulnerability Steps To Reproduce: add details for how we can reproduce the issue 1. Go to this link: https://api.recordedfuture.com/index.html 2. Open chrome devtool and go to console tab 3. Type: document.write'...alert1...'; 4. And boom! Alert 1! Impact XSS can have huge...
Lark Technologies: Full read SSRF via Lark Docs `import as docs` feature
An SSRF (server side request forgery) vulnerability was found in LarkDocs using the "import as docs" feature, which could have potentially been used to access services running on the internal network. We thank @sirleeroyjenkins for reporting this to our team and confirming the resolution...
UPchieve: CORS origin validation failure
Hi team, I hope you are doing well on the other side. Summary: I found that https://hackers.upchieve.org/ is using cross-origin resource sharing in an insecure way. The web application fails to properly validate the Origin header and returns the header Access-Control-Allow-Credentials: true. This...
Nextcloud: Control character filtering misses leading and trailing whitespace in file and folder names
Summary: It is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names, so this might be an opportunity for injection. In lib/private/Files/Storage/Common.php, t...
Nextcloud: User files is disclosed when someone called while the screen is locked
Summary: User files on the server are disclosed while the screen is locked when someone calls. Steps To Reproduce: add details for how we can reproduce the issue 1. Make 2 accounts, let's call them Account A and Account B 2. Using Account A login to https://nextcloud/apps/spreed/ 3. Using Account ...
Nextcloud: Cards in Deck are readable by any user
Sensitive deck card contents were readable by any user, allowing unauthorized access to the information...
Engel & Völkers Technology GmbH: HTML Injection in Email
Description: Hi team, I have found an HTML Injection vulnerability in your system. Steps to Reproduce: 1. Navigate to https://seller-pages.engelvoelkers.com/ 2. Go to the bottom of the webpage and click on the message box at the right corner. 3. Fill out the form and enter the HTML payload in First Name an...