Valve: XSS was found by exploiting the URL markdown on http://store.steampowered.com
Hello guys, I found an XSS vulnerability on store.steampowered.com markdown. POC: http://store.steampowered.com/widget/386360/?t=url=google.com:/onclick=%27alert(document.domain)%27url=xss/url Here is my exploit: url=google.com:/onclick='alert(document.domain)'url=xss/url Steps: 1 - go to any product 2 -...
Mail.ru: Error in processing gif images
Application crash on malformed GIF image parsing in ICQ for Desktop...
Node.js third-party modules: [general-file-server] Path Traversal vulnerability allows reading the content of arbitrary files on the server
Hi Guys, There is a Path Traversal in the general-file-server module. It allows reading the content of arbitrary files on the remote server. Module: general-file-server. This is a general file server made with Node.js. It will be easy for you to access the files on the server through the browser...
Open-Xchange: SSRF - RSS feed, blacklist bypass (301 re-direct)
FYI - Tested on a local installation of App Suite 7.8.4 REV 17. Hello, There appears to be another SSRF redirect vulnerability, similar to my earlier reports, that will allow scanning of the App Suite local ports or internal hosts, regardless of the blacklist protection in place. The endpoint is the...
VK.com: self-xss ads_easy_promote vk.com
Self-XSS in ads...
International Islamic University Chittagong: Full Path Disclosed
Hi, I want to say that you have not fixed the previous report properly; I can still find the path. Fix it properly, the paths should be hidden. text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://119.18.148.140/hrd/login.php? Cookie:...
Mail.ru: XSS on https://account.mail.ru/login via postMessage
The message handler on the page https://account.mail.ru/login does not check the source, which allows calling any available command from an arbitrary resource: js // https://img.imgsmail.ru/ag/0.3.3/authGate.js:formatted function ca(a) { a = a || window.event; var c, d, h = , i = a.data, j = a.source; i...
Rockstar Games: Stored XSS on support.rockstargames.com
In this report, the researcher was able to demonstrate a proof-of-concept exploit for a Stored XSS vulnerability on our Support site at support.rockstargames.com. The POC consisted of two parts; the setup and the trigger. The setup required entering a particular XSS payload in the Title for a new...
Slack: The Custom Emoji Page has a Reflected XSS
The Custom Emoji Page has a Reflected XSS when building the flash message. The following is the PoC. https://team.slack.com/customize/emoji?added=1&name=vuln"alert0;...
Phabricator: Credential gets exposed
1. Create a repo 2. Mirror it to a URL 3. Assign a credential to the mirror 4. I've now had an existing repo, and wanted to change it to mirror only, so that Phabricator pulls from a URL instead of self-hosting. I now received this error msg: Pull of 'Luke081515Bot' failed: Working copy at...
Legal Robot: [New Feature] Password history check
A security researcher discovered that old passwords could be reused and suggested that Legal Robot check new passwords against previous passwords. I discovered that old passwords could be reused and suggested that Legal Robot check new passwords against previous passwords. I really thank Legal...
ExpressionEngine: Image lib - unescaped file path
Under ./system/ee/legacy/libraries/Image_lib.php there are functions from CodeIgniter to manipulate images. The issue is that the PHP function exec is used two times in two different functions: image_process_imagemagick and image_process_netpbm. In both cases the full_src_path and full_dst_path are given...
Nextcloud: Password of failed (2FA) login attempt is stored in log
If I try to log in on WebDAV with my usual Nextcloud password, it doesn't work due to 2FA. I need an application password. The password of a failed login attempt by any user is stored in plain text in the log: ...OCA\DAV\Connector\Sabre\Auth->validateUserPass('matthes', 'THEPASSWORD')... Even...
Weblate: API Does Not Apply Access Controls to Translations
Summary ======= The /api/ does not enforce access control on the translation files, allowing anyone to download full translation files. See the screenshot for an example project being viewed by an anonymous account that is configured to have no permissions. Description ======= On my local setup...
Coinbase: Open redirect on sign in
Sir, I made a video for clear understanding. Watch that video. Thanks. Best Regards, Anirban Singha...
Instacart: Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url=
Summary: Instacart at the /store/partner_recipe?recipe_url= endpoint is vulnerable to reverse tabnabbing, since the injected link uses target="_blank"; this means the page that opens in a new tab can access the initial tab and change its location using the window.opener property. Example: Reproduction...
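The two link-rendering reports above (the Steam [url] markdown and the Instacart recipe_url tab-nabbing) share one fix: treat the destination as untrusted data, validate its scheme, emit it as a single escaped attribute, and drop the opener relationship. The following is an added example written for this page, not code from Valve, Instacart or either reporter; the function names and the sample URLs are assumptions.

```javascript
// Added example: render a link whose destination is attacker-controlled
// (a BBCode [url=...] value or a recipe_url query parameter are the
// hypothetical sources) without letting it inject attributes, use a
// javascript: scheme, or reach window.opener from the new tab.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape the characters that matter inside an attribute value or text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Returns a normalized absolute http(s) URL, or null.  Parsing with the URL
// constructor instead of a regex means "google.com:/onclick=..." is read as
// scheme "google.com:" and rejected, and "javascript:..." is rejected too.
function validateHref(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Builds the anchor.  The href is always one quoted, escaped attribute, so the
// input cannot close it and add attributes of its own; rel="noopener
// noreferrer" makes window.opener null in the opened tab, which is the
// tab-nabbing defence.
function renderLink(rawHref, text, { newTab = true } = {}) {
  const href = validateHref(rawHref);
  if (href === null) {
    // Unsafe destination: keep the visible text, drop the link entirely.
    return escapeHtml(text);
  }
  const target = newTab ? ' target="_blank" rel="noopener noreferrer"' : "";
  return `<a href="${escapeHtml(href)}"${target}>${escapeHtml(text)}</a>`;
}
```

The scheme allow-list is deliberately short; extending it to mailto: or tel: is a product decision, but data: and javascript: must stay out. Modern browsers imply noopener for target="_blank", but emitting rel explicitly keeps the protection on older clients.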
Harvest: [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters
Hi @jorgeleria, I came across a potential reflected XSS vector while exploring platform.harvestapp.com functionality. At present, I have been unable to locate a functional payload, so I would like to report this as HTML injection. Proof of Concept. Steps to reproduce: 1. Visit the below Demonstration...
Weblate: Bypassing captcha in registration on Hosted site
Hello again, I believe the captcha on the user registration form is very simple and can be easily bypassed to automatically register any number of accounts. A program can read the math captcha, solve it and submit the form with the answer and the other required parameters & headers. Note: I read...
X (Formerly Twitter): HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter
Overview: The image_src parameter on amp.twimg.com accepts images from any arbitrary host, therefore enabling attackers to supply image destinations that respond with a "HTTP 401 Unauthorized" response. Description: HTTP 401 attacks occur when there is no whitelisting or proxying of images and/or page...
Nextcloud: Delete All Data of Any User
If you are a user with permission to manage the useradmin group, you can delete all data of the website. Steps: 1. Create a new user with the username '.'. 2. Delete the user who has just been created. Cause: when you create a new user, the Nextcloud app will make a new folder with the same name as the username, which has been...
VK.com: Ability to compromise any user not using two-factor authentication by receiving a recovery code on someone else's number.
A vulnerability in a library of the VK app for Android that made it possible to receive, on your own number, a code for recovering certain pages. Because of the vulnerability, the recovery code of any page could be sent to someone else's number; only two-factor authentication protected against it...
Shopify: XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app
Description The Shopify Embedded App SDK is used to facilitate limited interactions with parent page /admin/apps/$id from an embedded app within the shop admin interface. The SDK has multiple methods which allow an app to interact with the user which execute in the context of the admin domain and...
shopify-scripts: SIGABRT - in free
PoC ------------------- The following code triggers the bug attached as free.rb: a= h=""=0 ha,"h00000000h000000=0000000 0000ht00000=00t0000 0000h000000=000000 00000"=0 a0="z" ha,"h00000000h000000=0000000 0000ht00000=00t0000 0000h000000=000000 00000"=0 h.dup Backtrace - mirb -------------------...
Slack: Bypass to postMessage origin validation via FTP
@a1kmm- discovered a bypass to our postMessage origin check, wherein an attacker with existing MITM capabilities could use FTP to bypass validation and view XOXS tokens of victims on the local network. This was related to, and investigated at the same time as, a previous report. This issue is now...
Pornhub: XSS via login cookie
The researcher discovered a persistent client-side XSS using the session cookie as a vector. The researcher demonstrated a plausible exploit scenario by crafting a link which exploits an unrelated meta tag injection vulnerability to arbitrarily modify the user's cookie...
GitLab: [Textile] XSS in project README files
Hi, Another parser bypass here: I discovered that Textile markup can be used to inject a stored JavaScript payload into a project README.textile file. Steps to Reproduce: 1. Create a new GitLab project 2. Initialise the project by creating a README file 3. Set the file title to README.textile 4...
Grab: Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App
Description: After my previous report about the 2FA bypass on the Profile Edit endpoint, I was interested in finding an endpoint which would allow me horizontal privilege escalation. So, I found the endpoint used by the Android app, https://p.grabtaxi.com/api/passenger/v2/profiles/activationsms, which allows me to...
Internet Bug Bounty: CVE-2017-3730: Bad (EC)DHE parameters cause a client crash
https://www.openssl.org/news/secadv/20170126.txt https://guidovranken.wordpress.com/2017/01/26/cve-2017-3730-openssl-1-1-0-remote-client-denial-of-service-affects-servers-as-well-poc/...
Discourse: XSS vulnerability on Audio and Video parsers
Just like the XSS vulnerability in the Image parser, there is the same vulnerability in Audio https://github.com/discourse/onebox/blob/394409ca319cc1a1cd31fefa50c9468c990531a3/lib/onebox/engine/audio_onebox.rb and Video...
Starbucks: Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record
Hi, I discovered that the happymondays.starbucks.com DNS CNAME record is pointing to an AWS S3 bucket which doesn't exist. Here's the screenshot of the vulnerable domain: F138556 As happymondays.starbucks.com was free to register on the AWS S3 service and the DNS setup was already correctly set up: F138557 I was able ...
Pushwoosh: Nginx server version disclosure
Design Issue, Information Disclosure, Low Severity...
Mail.ru: [qpt.mail.ru] CRLF Injection / Open Redirect
Vulnerable script: /tests/ Vulnerable parameter: qptquestionurl Example Open Redirect:...
Shopify: Able to Login deactivated staff account in shopify app mobile
Hi Shopify, A deactivated staff account is able to log in to the Shopify mobile app. STEPS 1. Log in to your owner account 2. Go to Staff Accounts and deactivate your staff account 3. Log in to your staff account in your Shopify mobile app. As you can see, you were able to log in even though the staff account was...
Internet Bug Bounty: CVE-2016-7163 OpenJPEG opj_pi_create_decode Integer Overflow Vulnerability
OpenJPEG opj_pi_create_decode Integer Overflow Vulnerability 1. About OpenJPEG: OpenJPEG is an open-source JPEG 2000 codec written in the C language. It's widely used in lots of Linux OSes such as Ubuntu, RedHat, Debian, Fedora, and so on. The official repository of the OpenJPEG project is available at...
Mail.ru: Same origin policy bypass on e.mail.ru via Cross-Site Flashing
Hello Mail.Ru Security Team, There is a Cross-Site Flashing vulnerability in e.mail.ru. This vulnerability is similar to XSS except it is Flash script execution. Ref: https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008) This allows an attacker to execute requests to the...
Internet Bug Bounty: Out of bound read in exif_process_IFD_in_MAKERNOTE
I have found some vulnerable code that lacks a check on the buffer size, which may lead to an out-of-bounds memory read or write. Take a look at: static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char *value_ptr, int value_len, char *offset_base, size_t IFD_length, size_t displacement) SNIP switch (maker_note->offset_mo...
Ubiquiti Inc.: Reflected Xss in AirMax [Nanostation Loco M2]
Dear James, I've found a reflected XSS in the Nanostation Loco M2. Just open this link and the XSS will execute. http://172.98.67.89:22057/survey.cgi?iface=%22%3E%3Cimg%20src=x%20onerror=prompt(document.cookie)%3E F103333 Best Regards, Shubham...
Veris: Security Vulnerability - SMTP protection not used
Hi, I'm checking your website and found an SPF record there. You should apply a strict SMTP policy to stop spoofed emails being sent from your domain. An attacker would send a fake email from [email protected] saying "Please change your password". The victim is aware of phishing attacks, but when he sees...
Internet Bug Bounty: Adobe Flash Player ASnative(900,1).call(TextField) Use-After-Free Vulnerability
I. Summary: Adobe Flash Player is prone to a vulnerability which leads to Use-After-Free. ------------------------------------------------------------------ II. Description: If ASnative(900,1) is invoked with a TextField instance and getter properties associated with swfRoot where the getter method...
Uber: Open Redirection on Uber.com
There seems to be an open redirection on Uber.com. When a user uses https://www.uber.com//google.com/cities it will lead to a Page Not Found on the Uber website, but if google.com is changed to an IP address such as https://www.uber.com//216.58.217.206/param it will lead to either a 404 or an S...
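The Coinbase, qpt.mail.ru and Uber entries above are all variations on one check: a redirect target taken from the request must stay on the site's own origin and must not carry CRLF into the Location header. The Uber case is the protocol-relative form, where a path beginning with "//" is read by the browser as a new host. The following is an added example for this page, not code from any of those companies; the site origin, parameter and function names are assumptions.

```javascript
// Added example: validate a user-supplied redirect target before emitting it
// as a Location header.  SITE_ORIGIN is an assumed value.
const SITE_ORIGIN = "https://www.example.com";

// Returns an absolute same-origin URL string, or null if the value must not
// be used as a redirect target.
function safeRedirectTarget(raw, siteOrigin = SITE_ORIGIN) {
  const value = String(raw);
  // CR or LF inside a header value is header injection, whatever follows.
  if (/[\r\n]/.test(value)) return null;
  // "//evil.example/x" is protocol-relative: resolved against an https page it
  // becomes https://evil.example/x.  Browsers treat backslashes as slashes for
  // http(s), so "/\evil.example" behaves the same way.  The origin comparison
  // below would also catch both; rejecting them up front keeps the intent clear.
  if (/^[\/\\]{2}/.test(value)) return null;
  let url;
  try {
    url = new URL(value, siteOrigin); // relative paths resolve against the site
  } catch {
    return null;
  }
  if (url.origin !== siteOrigin) return null;
  // Return the absolute URL, not url.pathname: a same-origin URL whose path
  // begins with "//" (the Uber shape above) would, emitted as a bare path,
  // turn back into a protocol-relative redirect.
  return url.href;
}
```

Returning the absolute form also means the Location header never depends on how the client resolves a relative reference.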
X (Formerly Twitter): Tweet Deck XSS- Persistent- Group DM name
Hello, Group names in tweetdeck.twitter.com aren't filtered properly, giving scope for cross-site vulnerability attacks. Challenge I have faced while escalating the XSS: - the group name can only be 9 characters long. How I bypassed it: Set multiple group names with different payloads, which means we c...
HackerOne: CSV Injection at the CSV export feature
Hi there, I have found a way to bypass the mitigation done in 72785 and 111192. What happens if an attacker creates a Ticket with the Title ":";-3+3+cmd|' /C calc'!D2? The ; will break the field, making Excel think that there are two fields. Although you are using "" to encapsulate a field and , ...
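The bypass above works because the export neutralised formula-leading characters but left an embedded double quote able to close the quoted field early; whatever follows the next separator then starts a fresh cell that the spreadsheet evaluates. A CSV writer has to do both things on every value. Here is an added example for this page, not HackerOne's export code; the function names are assumptions and the sample row is constructed.

```javascript
// Added example: quote one value for a CSV cell so that a spreadsheet neither
// evaluates it as a formula nor lets it split into extra cells or rows.
const FORMULA_TRIGGERS = /^[=+\-@\t\r]/;

function csvCell(value) {
  let s = String(value);
  // 1. Double every embedded quote.  Left alone, the quote in `":";...` closes
  //    the quoted field, and the text after the `;` becomes a new cell.
  s = s.replace(/"/g, '""');
  // 2. Prefix formula-leading characters with a single quote so the cell is
  //    read as text.  Because step 1 keeps the value inside one cell, this only
  //    needs to look at the first character of the whole value.
  if (FORMULA_TRIGGERS.test(s)) s = "'" + s;
  // 3. Always wrap in quotes, so commas, semicolons, pipes and newlines inside
  //    the value cannot act as separators or row breaks.
  return `"${s}"`;
}

function csvRow(values) {
  return values.map(csvCell).join(",");
}

// Constructed sample: a title using the payload shape from the report above.
const SAMPLE_ROW = csvRow(["Ticket 42", "\":\";-3+3+cmd|' /C calc'!D2", "plain, text"]);
```

The trade-off is visible in the tests: a value like -1 is exported as text, so numeric columns need a different path (emit numbers unquoted only when the server itself parsed them as numbers). The leading apostrophe is shown by some spreadsheet applications; a leading tab is the usual alternative and is handled the same way here.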
Udemy: CSRF in Udemy.com
The investigator removed cookies that are not used by our site and thought he had found a bypass. We were greatly delayed in getting this response to him...
ok.ru: Same-Origin Policy bypass on main domain - ok.ru
Hello, I've just found a way to bypass the Same-Origin Policy mechanism using a vulnerability in one of the swf files on your CDN. Let me explain this in detail: 1. First of all, your crossdomain file defines from what domains Flash files can read content on ok.ru. The crossdomain file is located here:...
HackerOne: Cross-domain AJAX request
Hi, Two weeks ago, I found a Cross-domain AJAX request, but due to the fact that you use a very strict Content Security Policy, I hesitated to send this. Today, I noticed that the bug has been fixed. But this fix can be bypassed. This example is not working now (screenshot 1):...
Bumble: Tokens from services like Facebook can be stolen
Description: This file https://mus1.badoo.com/cb.html looks for the parameters access_token, token and code in the URL and sends the value back to the window.opener using window.opener.postMessage(message, '*');. Because you specified '*' as the value of the second parameter of postMessage, the browser is...
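Three entries on this page are postMessage bugs: the account.mail.ru handler accepts commands from any source, the Slack origin check could be satisfied through FTP, and the badoo.com callback hands a token to whatever occupies window.opener by passing '*' as the target origin. The receiving side must compare event.origin to an exact allow-list, and the sending side must name the peer's origin. This is an added example for the page, not code from Mail.ru, Slack or Bumble; the trusted origins, the message shape and the function names are assumptions.

```javascript
// Added example: both halves of a postMessage exchange, each pinning the
// peer's origin.  TRUSTED_ORIGINS is an assumed allow-list.
const TRUSTED_ORIGINS = new Set(["https://account.example.com", "https://www.example.com"]);

// Receiver: dispatch a command only when event.origin is exactly one of the
// trusted origins.  The comparison is on the full origin (scheme, host, port),
// not on the host name alone: a host-only match would accept the same host
// reached over a different scheme.  Returns a small result object so the
// decision can be inspected without a browser.
function makeReceiver(handlers, trusted = TRUSTED_ORIGINS) {
  return function onMessage(event) {
    if (!trusted.has(event.origin)) return { handled: false, reason: "untrusted origin" };
    const msg = event.data;
    if (!msg || typeof msg !== "object" || typeof msg.cmd !== "string") {
      return { handled: false, reason: "malformed message" };
    }
    // Only explicitly registered commands, never inherited properties.
    if (!Object.prototype.hasOwnProperty.call(handlers, msg.cmd)) {
      return { handled: false, reason: "unknown command" };
    }
    return { handled: true, result: handlers[msg.cmd](msg.args) };
  };
}

// Sender: an OAuth-style callback page returning a token to its opener must
// pass that opener's origin as the second argument.  With "*" the browser
// delivers the token to any document currently in the opener window.
function sendToOpener(openerWindow, token, openerOrigin, trusted = TRUSTED_ORIGINS) {
  if (!openerWindow) return false;
  if (openerOrigin === "*" || !trusted.has(openerOrigin)) return false;
  openerWindow.postMessage({ cmd: "token", args: { token } }, openerOrigin);
  return true;
}
```

In a real callback page the expected opener origin is not something the opener can tell you at runtime; it has to come from the server-side state that started the flow, or be fixed to the one origin the callback serves.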
Shopify: www.shopify.com XSS on blog pages via sharing buttons
Social sharing buttons (Facebook and LinkedIn) are vulnerable to XSS at www.shopify.com/guides/, www.shopify.com/videos/ and www.shopify.com/success-stories/. Steps to reproduce: - go to page https://www.shopify.com/videos/pop-up-shop?x=';alert(1)// - share this page by clicking the Facebook or LinkedIn sharin...
ownCloud: apps.owncloud.com: SSL Session cookie without secure flag set
URL: https://apps.owncloud.com/usermanager/login.php Issue detail: The following cookie was issued by the application and does not have the secure flag set: PHPSESSID=27caghhkfjvuso3mmiqajqt2n4; path=/; HttpOnly The cookie appears to contain a session token, which may increase the risk associated...
ownCloud: owncloud.com: Content Sniffing not disabled
URL: https://owncloud.com Issue description: There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the response. The lack of this header causes certain browsers to try to determine the content type and encoding of the response even when these properties are define...
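Both ownCloud findings above are response-header hygiene checks that are easy to automate over captured responses: a session cookie served over TLS without the Secure flag, and a missing X-Content-Type-Options: nosniff. The following is an added example for this page, not ownCloud's code; the sample response is constructed (it reuses the cookie shape quoted in the report) and the function names are assumptions.

```javascript
// Added example: audit a raw HTTP response for the two header findings above.

// Parse the status line and headers of a raw response into [name, value]
// pairs with lower-cased names.  Repeated headers (several Set-Cookie) are kept.
function parseHeaders(rawResponse) {
  const headers = [];
  for (const line of rawResponse.split(/\r?\n/).slice(1)) {
    if (line === "") break; // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return headers;
}

// Returns a list of finding strings; empty means both checks passed.
function auditResponse(rawResponse, { isTls = true } = {}) {
  const findings = [];
  const headers = parseHeaders(rawResponse);
  const get = (name) => headers.filter(([n]) => n === name).map(([, v]) => v);

  for (const cookie of get("set-cookie")) {
    const [pair, ...attrs] = cookie.split(";").map((s) => s.trim());
    const name = pair.split("=")[0];
    const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
    // Secure only matters when the cookie was set over TLS; without it the
    // browser will also send the cookie on a plain-http request to the host.
    if (isTls && !flags.has("secure")) findings.push(`cookie ${name}: missing Secure`);
    if (!flags.has("httponly")) findings.push(`cookie ${name}: missing HttpOnly`);
  }

  const xcto = get("x-content-type-options");
  if (!xcto.some((v) => v.toLowerCase() === "nosniff")) {
    findings.push("missing X-Content-Type-Options: nosniff");
  }
  return findings;
}

// Constructed sample response for the example (the cookie shape follows the
// report above; the body is a placeholder).
const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Set-Cookie: PHPSESSID=27caghhkfjvuso3mmiqajqt2n4; path=/; HttpOnly",
  "",
  "<html>...</html>",
].join("\r\n");
```

Run over a crawl's saved responses this gives the same two findings the scanner produced, and the `isTls` switch avoids false positives for cookies legitimately set on plain-http hosts.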
Mail.ru: Possible xWork classLoader RCE: shared.mail.ru
It seems to be affected by https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21: classLoader gets through, i.e. there is no fix at the regex level, and the version is within the vulnerable range. I will of course try to actually execute code over the weekend, but judging by the external signs it is there. All versions lower than...