15369 matches found
Rocket.Chat: Stored XSS in any message (leads to priv esc for all users and file leak + rce via electron app)
Persistent XSS flaw using nested markdown tags allows remote attacker to inject arbitrary JavaScript to message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app. Patched on 3.11, 3.10.5, 3.9.7, 3.8.8...
Revive Adserver: Reflected XSS on /www/delivery/afr.php (bypass of report #775693)
It is possible to bypass the first fix of this XSS by closing the script tag, and then opening a new one. cURL PoC is trivial : curl "https://revive-instance/www/delivery/afr.php?refresh=10000&alert1" The response will be : Advertisement alert1&loc="', 10000000; // -- body margin:0; height:100%;...
Open-Xchange: A specially crafted message sent to the local delivery agent (LMTP) causes the LMTP child process to issue a panic (call i_panic)
Summary Sending a message to the local delivery agent with the number of MIME parts more than the dovecot core threshold of MIME parts results in ipanic. In the case of LMTP server it causes the child to abort connection. I believe that this can be quite problematic, if such a message lands in th...
pixiv: Open Redirect at https://oauth.secure.pixiv.net
Summary: Hello @pixiv security team, i hope you are well, i noticed you can redirect users to another domain if you send an invalided scope. Vulnerable Url...
Node.js third-party modules: [arpping] Remote Code Execution
I would like to report RCE in arpping It allows to execute arbitrary commands on the victim's PC Module module name: arpping version: 2.0.0 npm page: https://www.npmjs.com/package/arpping Module Description Discover and search for internet-connected devices locally using ping and arp Module Stats...
IBM: CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability - https://esccvc.de.ibm.com
A vulnerability in the interface of Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense FTD was reported to IBM, analyzed and have been remediated. Thank you to Khaled 0xelkomy...
Mail.ru: Open Redirect at "city-mobil.ru"
Open redirection in city-mobil.ru via URI path with '@'...
Omise: Authenticity token doesnt expire after single use leading to CSRF
Summary Once you said that you ruby framework for making the authenticity-token which acts as a CSRF protection. You also send me this as to help me understand https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef . After finding i found that an authenticity-token c...
HackerOne: GraphQL field on Team node can be used to determine if External Program runs invite-only program
On 19th May, A new parameter policymarkdownhtml been introduced inside the team Graphql query. Using Graphql query, We can able to determine External program running privately on Hackerone as policymarkdownhtml parameter was able to fetch private internal policy. Note: Using this parameter, it wa...
U.S. Dept Of Defense: Admin Login Credential Leak for DoD Gitlab EE instance
Summary A DoD employee/contractor exposed the ███ password in a GitHub repository █████████ leading to full ███ access in a DoD DISA-associated private Gitlab EE instance ███. Description The IP address ████ recently hosted the subdomain █████████ as of 2019-09-23. ██████ Now port 80 points to a...
Shopify: [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation
Summary In 791775, I submitted a bug at Sunday 5pm Canada time, it was triaged two hours later, and I got the temp fix message at around 3am the next day in Canada time. Truly awesome, the next day I retested after the first fix, and found that I - Cannot receive the email confirmation in the ema...
Internet Bug Bounty: Squid as reverse proxy RCE and data leak
Summary: This was a very difficult experience as Squid maintainers took a long time to answer. I tried getting help from HackerOne support, Dropbox support and the Internet Bug Bounty never e-mailed me back to no avail. What could have taken a few days took months. The vulnerability concerns a...
Rocket.Chat: API Keys Hardcoded in Github repository
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: API Keys is ha...
Railto LLC: Administrator access to staging.railto.com
Summary: Hey team, While doing some recon for railto sub-domains. i came across a most critical bug which lets me complete access of https://staging.railto.com. i can add anything and removing anythings as i got the ADMIN level privilege. Steps 1. Go to https://staging.railto.com/admin url. 2. Se...
Ruby: OS Command Injection via egrep in Rake::FileList
When a file which has command file name of stating with | is in Rake::FileList, then egrep will execute the command. How to reproduce PoC pocrake.rb is the following. ruby require 'rake' list = Rake::FileList.newDir.glob'' p list list.egrep/something/ Example of executing. % ls -1 Gemfile...
Radancy: Wrong link on corne.maximum.nl
Domain and URL: corne.maximum.nl Hello, I noticed that your subdomain corne.maximum.nl links to the website "maximum.com" instead of "maximum.nl" "maximum.com" is in control of a Chinese organization as you said in your description. I think you've made a little mistake, but there is no impact :...
Internet Bug Bounty: Invalid Read on exif_process_SOFn
This bug is present in exifscanthumbnail method of ext/exif/exif.c file. Detailed description and steps to reproduce for this bug is present in bug report submitted to php.net. Bug Report : https://bugs.php.net/bug.php?id=77540 PHP version : 7.1.26 CVE-ID : 2019-9640 Impact This bug may allow an...
OLX: XSS inside HTML Link Tag
Hello, i discovered XSS in sharjah.dubizzle.com. XSS is reflected inside HTML Link tag so it need some condition to trigger the payload. Step to Reproduce - Visit https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert1337...
Node.js third-party modules: [bower] Arbitrary File Write through improper validation of symlinks while package extraction
I would like to report file write in arbitrary locations via install command in bower It allows attackers to write arbitrary files when a malicious package is extracted. Module module name: bower version: 1.8.4 npm page: https://www.npmjs.com/package/bower Module Description Bower offers a generi...
RubyGems: 65534 times efficient, Brute-force attack for api_key
I have found that type checking for apikey is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/applicationcontroller.rbL63 ruby def authenticatewithapikey apikey = request.headers"Authorization" || params:apikey @apiuser =...
Ubiquiti Inc.: Two Factor Authentication Bypass
The researcher found a method to brute-force the 2FA code request in the www.ubnt.com login page. This method still requires the username/password from the account...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
SUMMARY: ==================== The DoD https://██████/psc/EXPROD1/ Web System uses the Oracle PeopleSoft platform which is vulnerable to Remote Code Execution RCE and Denial of Service Attacks DoS over a Java Object Deserialization CWE-502 in the “monitor” service. Thus an attacker can generate an...
VK.com: Просмотр приватных видео записей у Пользователей
Просмотр некоторых приватных видеозаписей. VK решил заплатить 100$ , но я переубедил.... ███████████████████████████ ███████▀▀▀░░░░░░░▀▀▀███████ ████▀░░░░░░░░░░░░░░░░░▀████ ███│░░░░░░░░░░░░░░░░░░░│███ ██▌│░░░░░░░░░░░░░░░░░░░│▐██ ██░└┐░░░░░░░░░░░░░░░░░┌┘░██ ██░░└┐░░░░░░░░░░░░░░░┌┘░░██...
Starbucks: Able to reset other user's password in https://card.starbucks.com.sg/
Description In the website https://card.starbucks.com.sg/ there is a password reset function https://card.starbucks.com.sg/forgetPassword.php that sends the password reset link to the user's email. By using a web proxy to monitor the request, the email address can be changed to allow the attacker...
International Islamic University Chittagong: Improper error handler
during the analysis it was found that when we submit the form and try to upload a txt file then it show a error page with internal path disclosure...
AlienVault : DOM Based XSS in https://threatcrowd.org
Hello AlienVault security team, I found a DOM Based XSS in https://threatcrowd.org via report function. Proof of Concept Steps to reproduce: 1. https://threatcrowd.org/report.php?report= 2. Fill in with this payload: javascript:promptdocument.domain 3. Send link to victim, when victim click in to...
Nextcloud: Banner Grabbing - Apache Server Version Disclousure
Hello Nextcloud, I'd like to report a nice little bug. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is use to get information about remote servers. I've captured the HTTP request while visiting https://customerupdates.nextcloud.com an...
Internet Bug Bounty: CVE-2017-13008 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements().
Reported to the devs on 6 March 2017. Tcpdump 4.9.2 released on 8 September 2017. Patch: https://github.com/the-tcpdump-group/tcpdump/commit/5edf405d7ed9fc92f4f43e8a3d44baa4c6387562 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-80211.c:parseelements. ./tcpdump -n ...
Algolia: SAUCE Access_key and User_name leaked in Travis CI build logs
hello algolia team, I founded the SAUCE AccessKey and Username was leaked in Travis CI build logs of instantsearch.js product Line-249-&-250. This can be used to perform every API calls of sauce-lab.e.g Creating a Sub account. I created a test account for testing. sorry for this ; . You should...
Internet Bug Bounty: heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start()
Reported to the Perl security mailing list on 25 August 2016. ==17057==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000b978 at pc 0x0000004a9201 bp 0x7ffe97551890 sp 0x7ffe97551048 READ of size 61 at 0x60800000b978 thread T0 0 0x4a9200 in interceptormemcmp...
Automattic: Broken Authentication - Security token gets captured via man in the middle attack
Product / URL http://en.instagram-brand.com/register/reset/?email= Description and Impact The password reset links issues by Instagram Brand gets delivered to users inbox with a http scheme and NOT https scheme. This causes an attacker stealing those links and performing mass account takeovers an...
Nextcloud: Missing SPF Flags on nextcloud.com
Hello NextCloud Details i just test your domain which is nextcloud.com and i surprised that i can send a legit email to a user. Impact Attacker can use this to send a Legit Email to the Victim and attacker can send a Malicious Web Links and Phishing Sites. Video Proof of Concept...
Nextcloud: Group admin can remove user from all his groups via API
Steps 1. As admin make user1 group admin for group1 and group2 2. As user1 create a new user user2 3. As user1 try to remove the user from both groups via the UI 4. Take the first togglegroup.php request and replay it with group2 on curl Expected Should not work Actual The group-admin can escape...
Boozt Fashion AB: Email link poisoning / Host header attack
Description ------------- It is possible to poison the link of the password reset email. This is generally done by altering the Host header, but in this case, the WAF is successfully blocking it. The trick here is to add an X-Forwarded-Host header in the request so the server is using this value...
Udemy: Completed Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at https://jenkins101.udemy.com
Howdy, @udemy! Summary: ======= I am writing to inform you of a critical information disclosure bug via an exposed Jenkins dashboard located at https://jenkins101.udemy.com. Upon navigating to this address, I was asked to authenticate with my Github account. After authenticating, I was surprised ...
Open-Xchange: Tab nabbing via window.opener
Details: When you open a link in a new tab target="blank" , the page that opens in a new tab can access the initial tab and change it's location using the window.opener property. POC: Edit your contact details, with the website URL of http://davenport.net.nz/test.html, which has the following htm...
Envoy: Abuse of API can Lead to DoS
Issue Description The researcher identified that it is possible to abuse the manual creation of employees via the api, meaning that a malicious attacker can create a trial account and use this to mass spam users' with emails, the screenshot below shows the mass amount of emails that can be sent i...
Coinbase: Application error message
poc url:https://developers.coinbase.com/api/%e3h This page contains an error/warning message that may disclose sensitive information.The message can also contain the location of the file that produced the unhandled exception.This may be a false positive if the error message is found in...
Nextcloud: Authentication Issue
UserA creates a password protected share 2. UserA shares this link with UserB 3. UserB accessed the share with the password 4. UserA changes the password 5. Now userB can still access the share. At step 5 userB should be prompted to authenticate again...
drchrono: SSL/TLS BEAST ATTACK
Supported versions: TLSv1.0 TLSv1.1 TLSv1.2 Deflate compression: no Supported cipher suites ORDER IS NOT SIGNIFICANT: TLSv1.0 RSAWITH3DESEDECBCSHA RSAWITHAES128CBCSHA RSAWITHAES256CBCSHA TLSECDHERSAWITH3DESEDECBCSHA TLSECDHERSAWITHAES128CBCSHA TLSECDHERSAWITHAES256CBCSHA TLSv1.1: idem TLSv1.2...
Automattic: WordPress Flash XSS in *flashmediaelement.swf*
Intro == WordPress is vulnerable against a reflected XSS that stems from an insecure URL sanitization problem performed in the file flashmediaelement.swf. The code in the file attempts to remove flashVars ¹ in case they have been set GET parameters but fails to do so, enabling XSS via...
Zendesk: XSS In /zuora/ functionality
Hello there, I wanted to report a XSS vulnerability in the /zuora/ functionality on the zendesk application. Affected URL: -...
HackerOne: New hacktivity view discloses report IDs of non-public reports
url: https://hackerone.com/hacktivity.json this url reveals information of reporters Report id ./...
Bumble: Broken Authentication on Badoo
Please watch the attached video. It contains all necessary steps and demo of this vulnerability. Please fix this issue as soon as possible, it is highly severe. Looking forward for reply. Best Regards, Darshit varotaria...
Pornhub: Unprotected Memcache Installation running
The consultant was able to connect to the stage.pornhub.com subdomain via port 60893, it was determined that the target host was running memcached and required no authentication...
Radancy: RC4 cipher suites detected
A group of researchers Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt have found new attacks against TLS that allows an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical fla...
Shopify: CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com
Hi , I have found that when a user tries to Export list of current users who installed his apps through: https://app.shopify.com/services/partners/apiclients//exportinstalledusers the fields of the CSV file are not properly escaped. which makes them vulnerable to CSV Excel Macro Injection...
Internet Bug Bounty: Misusing of FPU Instruction Could Cause Security Vulnerabilities in Adobe Flash Player
Misusing of FPU Instruction Could Cause Security Vulnerabilities in Adobe Flash Player This vulnerability CVE-2015-3100 was reported to Adobe on March 10, 2015 and has been patched today via APSB15-11 https://helpx.adobe.com/security/products/flash-player/apsb15-11.html. Following is the original...
Sandbox Escape: Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability
Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability =================================================================================== Full source code demonstrating the escape from IE's sandbox -- by launching a medium-integrity calc at login -- is attached with...
Vimeo: subdomain takeover 1511493148.cloud.vimeo.com
The researcher found a DNS entry pointing to an unused IP address. This was a domain hijacking issue and was resolved by removing the DNS entry...