Mail.ru: Stored xss in calendar via call link
Call link URI schema in calendar.mail.ru web application was filtered improperly, allowing malicious javascript: links...
Concrete CMS: Stored unauth XSS in calendar event via CSRF
Description The description parameter in the scenario /index.php/ccm/calendar/dialogs/event/add/save is affected by Stored XSS due to a lack of filtering of user-supplied data. It should also be mentioned that this endpoint does not verify the CSRF token ccm_token, which leads to an ability to...
OpenMage: Very long names on demo.openmage.org could redirect victim users to malicious url redirects via email contacts.
Summary: We found that the maximum length of the first and last name fields was not set to 32 characters at registration and to 1000 characters when using the profile update form. The attacker can use this method as a malware attack: the user will be redirected to a website that contains malware or...
TikTok: [CSRF] TikTok Careers Portal Account Takeover
A missing CSRF protection and open redirect vulnerability was reported in the TikTok Careers portal single sign on flow which is used by applicants to apply for TikTok positions. This flaw was quickly remediated and does not impact TikTok.com or mobile application. We thank @lauritz for reporting...
RBKmoney: Apple Pay cryptogram replay and amount tampering
During Apple Pay in-app or on-site payments the device generates a payment cryptogram, which contains a transaction ID, encrypted payment data, etc. This is an example of the cryptogram which the phone passes to the internet acquiring service on api.transferwise.com: "token": "paymentData":...
Mail.ru: Stored XSS through fileupload
Stored XSS in view uploaded file functionality on static.donationalerts.ru...
Basecamp: stored XSS in hey.com message content
Hi, I found a stored XSS using the messagecontent parameter when forwarding an email or saving it as a draft, and when the victim clicks on the email to view it, it gets executed. I used this payload as the message content: From: "f" To: [email protected] Message-ID: Subject:...
Concrete CMS: Fetching the update json scheme from concrete5 over HTTP leads to remote code execution
Hi, I noticed that concrete5 fetches the update JSON scheme from www.concrete5.org over HTTP. The fetched JSON defines the download URL, so we can simply tamper with this JSON in order to make the update URL point to a server controlled by us. Combining this with the possibility to set an arbitra...
Mail.ru: Path traversal leads to LFR via [CVE-2019-3394]
Path traversal leads to Local File Read via CVE-2019-3403 in confluence.plazius.ru...
Mail.ru: Stored XSS in address on [corporate.city-mobil.ru]
Stored XSS in address setting functionality on corporate.city-mobil.ru...
Zomato: [api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query
Disclosing it as per the request from @zzzhacker13. This report is identical to 844428, but this one was on a different endpoint. POC - - :v2/red/homepage.json?lat=&lon=&city_id=!dismax+df=city_id86&androidcountry=US&lang=en&androidlanguage=en Zomato Security Team...
Nextcloud: The password of a mail share is not hashed if the password is given when the share is created
Create a new mail share with a password by using the OCS endpoint with something like: curl -u admin:admin -X POST -H "OCS-APIRequest: true" "http://localhost/ocs/v1.php/apps/files_sharing/api/v1/shares?path=welcome.txt&shareType=4&[email protected]&password=plainTextPassword" - Check the...
Mail.ru: MySQL username and password leaked on [2017.russianaicup.ru]
Configuration file available via web interface could disclose potentially sensitive information...
Concrete CMS: Stored XSS in the file search filter
1. Download Concrete5 8.5.2 and install it 2. Log into your Concrete5 instance as admin 3. Go to Dashboard > Files > Search 4. In the file search bar, click Advanced 5. In the window that appears, enter a phrase and click the save button, paste the following payload: and click the save button 6. In the...
X (Formerly Twitter): No rate limiting on brute-forcing user passwords
The login function of http://www.twitter.com has an issue: it only limits the number of failed login attempts for a single user, and does not limit trying a fixed password against different users, or credential stuffing. Please follow the video to reproduce; otherwise this issue cannot be reproduced. Impact: No rate limiting on brute-forcing user passwords...
Shopify: Session works after logout from Shopify account and password of online store is displayed
When a user creates a Shopify Lite Plan account, in the product creation stage when the account has not been upgraded, the store's password is enabled such that any visitor who wants to access the store is required to enter password before being granted access to view the products listed in the...
HackerOne: Attacker may be able to bounce enough emails which suspend HackerOne's SES service and cause a DoS of HackerOne's email service
This was a DoS based on triggering a lot of bounced emails via SES service which could put our email sending up for review with AWS. The vulnerability was due to unrestricted invitations on sandbox programs which allowed an attacker to generate an infinite number of bounced emails. We had applied...
Node.js third-party modules: [Limited bypass of #793704] Blind SSRF in Ghost CMS
Blind SSRF vulnerability in Ghost allows for internal port scanning, or reading oembed contents from internal network...
GitLab: Stored XSS in blob viewer
Summary I found a Stored XSS in the blob viewer when viewing a JSON file. In particular, when viewing an OpenAPI file, openapi_viewer is called to transfer the file's data to SwaggerUIBundle to render. SwaggerUIBundle does its job when rendering the graphical representation of the OpenAPI content. It also...
Nord Security: Past payments using the Direct Debit method keep subscriptions active even if payments fail
I think this is a vulnerability that has no impact, but it violates... I found many accounts that are actively subscribed even though the payment failed; this is because the payment uses the Direct Debit method, and you have deleted it. Because Direct Debit payments have been deleted and no longer wo...
Nord Security: Blind SSRF on debug.nordvpn.com due to misconfigured sentry instance
Summary: The debug subdomain uses Sentry for application monitoring and error tracking. This software comes with a feature known as source code scraping turned on by default, which makes it possible to make blind GET requests from the server on which it is running. Steps To Reproduce: add detai...
U.S. Dept Of Defense: Unrestricted File Upload
Summary: The endpoint at https://███████/ui/core/index.html required authentication, but navigating to https://█████/ui/core/index.html?mode=publicexpl-tabl./SHARED/rpchllmd/CSAT allows for read/write access. Description: The endpoint at...
Nextcloud: Talk - Leak of password-protected room name via already existent resource addition
CVSS: Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Description: Affected: Talk / Spreed 6.0.3 The name of shared but password-protected rooms leaks to low-privileged authenticated users. An attacker does not need to guess room IDs, but can simply iterate over IDs to gath...
Kaspersky: Stored credentials instantly autofilled within sandboxed iframes
Summary Stored credentials are instantly autofilled within sandboxed iframes, disregarding effective origin of sandboxed iframes and the expected cross-origin restrictions Description Kaspersky is expected to obey cross-origin restrictions which apply to sandboxed iframes. However, the Kaspersky...
Starbucks: Reflected cross-site scripting on multiple Starbucks assets.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Please indicate NA, if not applicable. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling...
Nextcloud: Vulnerable W3 Total Cache plugin version in use on nextcloud.com
Hi there, I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable: https://nextcloud.com/wp-content/plugins/w3-total-cache/changelog.txt W3 Total Cache makes the site vulnerable to a series of attacks, includin...
OLX: web cache deception in https://tradus.com lead to name/user_id enumeration and other info
Summary Hi OLX team, I found a web cache deception vulnerability in https://tradus.com. With this vulnerability an attacker can gain access to the name of the victim user, the user_id and other information. Attack scenario 1: an attacker sends the victim a link to the malicious page like the PoC...
Node.js third-party modules: environment variable leakage in error reporting
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report the leak of...
Valve: RCE on Steam Client via buffer overflow in Server Info
Introduction In Steam and other valve games CSGO, Half-Life, TF2 there is a functionality to find game servers called the server browser. In order to retrieve the information about these servers the server browser communicates with a specific UDP protocol called server queries. The protocol is we...
Node.js third-party modules: Prototype pollution attack (extend)
I would like to report prototype pollution in extend It allows an attacker to inject properties on Object.prototype. Module module name: extend version: 3.0.1 npm page: https://www.npmjs.com/package/extend Module Description node-extend is a port of the classic extend method from jQuery. It behav...
Upserve : OLO Total price manipulation using negative quantities
Manipulating an order request JSON object, containing an additional item with a negative quantity directly manipulates the total amount of the order. In the following JSON request, an order is submitted for 2 ChickenBurgers $12 each, as well as -1 BreadPuddings $9 each. The total price after tax...
DuckDuckGo: SSRF in proxy.duckduckgo.com via the image_host parameter
Description The https://proxy.duckduckgo.com/iur/ endpoint is vulnerable to SSRF via the image_host GET parameter. Vulnerable URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://tudomanyok.hu/ Some internal URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://127.0.0.1:18091/...
Mail.ru: Clickjacking Vulnerability on https://support.my.com/games/ticket/xxxx/
Hi There, I have found a Clickjacking vulnerability on your site. Steps to reproduce: 1. Go to https://support.my.com 2. Generate a Clickjacking script, save it as .html and run it in your browser. Script: iframe width: 800px; height: 500px; position: absolute; top: 0; left: 0; filter:...
Mail.ru: Modifying application settings via clickjacking on o2.mail.ru
It was possible to edit application information or delete application via clickjacking on o2.mail.ru...
Ubiquiti Inc.: 3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290)
There are certain endpoints containing functionality that is vulnerable to reflected cross-site scripting (XSS), allowing attackers to abuse the user's session information and/or take over the admin user's account. Authenticated users can be persuaded to visit malicious web pages, which allows...
Keybase: Fix bypass of different processing of usernames on Hackernews
Description In report https://hackerone.com/reports/307670 the reporter identified a flaw which abuses parsing differences between Keybase and Hackernews. Although the original report is resolved, there appears to be a bypass having the same impact by abusing upper-case letters. Steps to reproduce 1...
Nextcloud: twofactor_auth bypassable if provider fails to load
Just want to preface this by saying that this is probably not a significant vulnerability, as it requires that the server either have recently been incorrectly upgraded or otherwise misconfigured. However in the administration of my own personal NextCloud instance I have hit this several times...
Ubiquiti Inc.: Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300
In AirOS 6.1.5 and prior, due to a lack of validation it is possible to bypass the CSRF protection on certain web pages. If an authenticated user accesses an attacker-controlled web page, it could trigger the CSRF and the resulting request could modify the device configuration and create a stored XSS, with the XSS...
International Islamic University Chittagong: Union Based SQL injection in https://ieeeiiucsb.org/registration/details
Due to the lack of proper sanitization on our registration system, the researcher was able to find a SQL injection vulnerability which exposes the database name & user id. We'd like to thank him for a nice catch on our system...
Brave Software: Homograph Attack Bypass [ Tested on Linux & Windows ]
Summary: In 175286 it has been patched, and I tried it and it works, but I have another way to bypass it. When we add a site to our Homepage with @, it does not validate the URL properly; make sure it displays the punycode. Products affected: Brave 0.18.36 Linux & Windows Steps To Reproduce: 1. In browser add...
GSA Bounty: Email Spoofing - SPF record set to Neutral
Hi, Introduction: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more...
Mail.ru: [new.wf.mail.ru] XSS Request-URI
Reflected XSS via GET parameters in new.wf.mail.ru wf.mail.ru is not currently covered with bug bounty program...
Trello: A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to
Just found this, tested it on a whim and deeply regretted it. Sorry! So to recreate the issue: 1. Visit...
Dropbox: Missing URL sanitization in comments can be leveraged for phishing
The report points out that a link in shared file's comments could say one thing in the text but actually point to another website. This is a risk we have always accepted: the document preview could also contain links, the legit links could point to shorteners. Additionally, Dropbox Paper supports...
Legal Robot: User enumeration
A security researcher discovered that an unrelated upgrade in our authentication process caused a potential user enumeration vulnerability. The vulnerability was mitigated by existing rate limiting processes, but an attacker could determine which users already had an account based on the error co...
U.S. Dept Of Defense: CRLF Injection on ███████
Summary: The web application hosted on the "█████" domain is affected by a carriage return line feed (CRLF) injection vulnerability that could be used in combination with others. This issue could allow XSS via Cookie, bypass of Double Submit Cookie CSRF protection, or Session Fixation on .█████████...
Grab: CSV Injection https://hub.grab.com
@Poison had pointed out that it was possible to perform CSV Injection on hub.grab.com which was tested on Microsoft Excel 2016. Injection occurred by adding the payload in customer name field in Grab mobile application. The payload used was =cmd|' /C calc'!A0. We fixed this issue by properly...
Cuvva: Clickjacking vulnerability in support-dashboard.corp.cuvva.co
Hi, I found a clickjacking vulnerability in a subdomain of cuvva.com, i.e. support-dashboard.corp.cuvva.co Impact: The resource without X-Frame-Options is potentially vulnerable to Clickjacking. The vulnerability exists only for authenticated users; possible UI redressing in the Dashboard PoC: 1. ...
Nextcloud: Email Spoofing Vulnerability from nextcloud.
Hi nextcloud, This is Shaifullah Shaon BlackEyE, an ethical hacker and white hat cyber security researcher from Bangladesh, reporting a serious vulnerability ranked 3rd in the OWASP list on your system. There is an Email Spoofing Vulnerability in nextcloud. Steps to reproduce: 1. Go to...
Instacart: XSS at in instacart.com/store/partner_recipe
Summary Hi team, I found that this endpoint - https://www.instacart.com/store/partner_recipe? - is vulnerable to XSS at the param image_url. Reproduction Steps & PoC 1. Go to...