15369 matches found
Nextcloud: Vulnerable W3 Total Cache plugin version in use on nextcloud.com
Hi there, I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable: https://nextcloud.com/wp-content/plugins/w3-total-cache/changelog.txt W3 Total Cache makes the site vulnerable to a series of attacks, includin...
pixiv: Open redirect protection (https://www.pixiv.net/jump.php) is broken for novels
Summary: I found that pixiv has an open redirect protection: any external link in an illustration is converted to https://www.pixiv.net/jump.php?. For example https://i3mx4usociis8twimpcu2ty0erkh86.burpcollaborator.net/abc in https://www.pixiv.net/memberillust.php?mode=medium&illustid=74148892 is...
OLX: web cache deception in https://tradus.com lead to name/user_id enumeration and other info
Summary: Hi OLX team, I found a web cache deception vulnerability in https://tradus.com. With this vulnerability an attacker can gain access to the victim user's name, user ID and other information. Attack scenario 1: an attacker sends the victim a link to a malicious page like the PoC...
Node.js third-party modules: environment variable leakage in error reporting
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report the leak of...
Internet Bug Bounty: Heap-buffer-overflow in Perl__byte_dump_string (utf8.c) could lead to memory leak
With a crafted regex match, I have found a heap overflow in the function Perl__byte_dump_string, which would lead to a memory leak. Reported to the Perl security mailing list on 11 Sep 2017. Confirmed as a security flaw by TonyC on 24 Feb 2018. CVE-2018-6797 assigned to this flaw on 7 Feb 2018. Public securit...
Valve: RCE on Steam Client via buffer overflow in Server Info
Introduction: In Steam and other Valve games (CSGO, Half-Life, TF2) there is a functionality to find game servers called the server browser. In order to retrieve information about these servers, the server browser communicates over a specific UDP protocol called server queries. The protocol is we...
PayPal: Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android]
A Bug Bounty researcher identified an issue where a JSON wrapper could be used to instantiate arbitrary Java objects. This could lead to circumstances where a class called in the PayPal Android app could be read by a malicious app on the same mobile device. A specific user’s session data could...
VK.com: Learning several digits of a user's phone number (SMS flooding possible) after learning their remixsid and user ID only once, and setting users offline.
Insufficient session checks. It was possible to learn part of a user's phone number and send them an SMS with a link to the https://vk.com/mobile app after learning their remixsid only once, regardless of how many times their sessions had been reset. The oldest remixsid still valid for this dated from May 2016...
Open-Xchange: store xss in calendar via upload filename
Reproduction steps: 1. Access the URL https://sandbox.open-xchange.com/appsuite/app=io.ox/calendar/scheduling 2. Create an appointment 3. Upload a file whose name carries the payload '"<img src=x onerror=alert(document.domain)>.svg 4. Access...
Node.js third-party modules: Prototype pollution attack (extend)
I would like to report prototype pollution in extend. It allows an attacker to inject properties on Object.prototype. Module: module name: extend, version: 3.0.1, npm page: https://www.npmjs.com/package/extend. Module description: node-extend is a port of the classic extend method from jQuery. It behav...
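The report above describes a deep merge that copies a `__proto__` key onto `Object.prototype`. The following is an added example, not code from the extend module or from the report: a minimal recursive merge in the style of node-extend that reproduces the pollution, beside a hardened variant that refuses the keys an attacker can use to walk into the prototype chain. The JSON payload and all function names are constructed for this example.

```javascript
// Added example: prototype pollution through a node-extend style deep merge,
// and a hardened merge. Not the extend module's own code.

function isPlainObject(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  const proto = Object.getPrototypeOf(obj);
  return proto === Object.prototype || proto === null;
}

// Vulnerable: copies every own key of `source`, including "__proto__".
// JSON.parse creates an own property literally named "__proto__", and
// reading target["__proto__"] yields Object.prototype, which this merge
// then happily recurses into and writes to.
function unsafeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = unsafeDeepExtend(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain, and only reuse an
// existing nested object when it is an *own* property of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeDeepExtend(own ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the same constructed attacker payload through both merges and reports
// what an unrelated empty object sees afterwards.
function demonstratePollution() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed attacker input
  const before = ({}).polluted;
  unsafeDeepExtend({}, payload);
  const afterUnsafe = ({}).polluted;      // true: every object is now "polluted"
  delete Object.prototype.polluted;       // undo the global side effect
  safeDeepExtend({}, payload);
  const afterSafe = ({}).polluted;        // undefined: the key was never followed
  return { before, afterUnsafe, afterSafe };
}
```

Skipping `constructor` matters as well as `__proto__`: a payload such as `{"constructor": {"prototype": {"polluted": true}}}` reaches `Object.prototype` through a different route that a `__proto__`-only blocklist misses.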
Monero: Attacker can trick monero wallet into reporting it received twice as much with alternative tx_keypubs
Summary: multiple identical txpubkeys were patched, but you can still use alternative txpubkeys to get the same result. Description: An attacker can craft an XMR transaction which causes the receiving wallet to report that it received twice as much XMR as the attacker actually sent. The balance o...
Upserve : OLO Total price manipulation using negative quantities
Manipulating an order request JSON object, containing an additional item with a negative quantity directly manipulates the total amount of the order. In the following JSON request, an order is submitted for 2 ChickenBurgers $12 each, as well as -1 BreadPuddings $9 each. The total price after tax...
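The report above shows an order whose total is computed from client-supplied line items, so a -1 quantity subtracts from the bill. The following is an added example, not Upserve or OLO code: a server-side check that recomputes the total from a trusted catalog and rejects any quantity that is not a positive integer, next to the naive calculation that trusts the request. The menu, prices (in cents) and the order object are constructed for the example.

```javascript
// Added example: defending against negative-quantity price manipulation.
// Constructed catalog; integer cents avoid floating point rounding.
const MENU_CENTS = { ChickenBurger: 1200, BreadPudding: 900 };
const MAX_QUANTITY = 99;

// How the vulnerable flow behaves: quantity and price come from the request.
function naiveTotalCents(order) {
  return order.items.reduce((sum, item) => sum + item.quantity * item.priceCents, 0);
}

// Hardened: prices come from the catalog, quantities must be positive integers.
function validateOrder(order) {
  if (!order || !Array.isArray(order.items) || order.items.length === 0) {
    return { ok: false, reason: 'empty order' };
  }
  let subtotal = 0;
  for (const item of order.items) {
    const price = MENU_CENTS[item.sku];
    if (price === undefined) return { ok: false, reason: `unknown item ${item.sku}` };
    const qty = item.quantity;
    // Number.isInteger rejects -1, 1.5, "2" and NaN in one check.
    if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QUANTITY) {
      return { ok: false, reason: `invalid quantity ${qty} for ${item.sku}` };
    }
    subtotal += price * qty;
  }
  return { ok: true, subtotalCents: subtotal };
}

// Constructed request mirroring the report: 2 burgers at $12 and -1 pudding at $9.
const ATTACK_ORDER = {
  items: [
    { sku: 'ChickenBurger', quantity: 2, priceCents: 1200 },
    { sku: 'BreadPudding', quantity: -1, priceCents: 900 },
  ],
};
```

The naive total for `ATTACK_ORDER` is 1500 cents instead of the 3300 a legitimate order of the same items would cost; the validated path rejects it before any price is summed.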
Node.js third-party modules: Arbitrary File Write through archive extraction
I would like to report an arbitrary file write vulnerability in the adm-zip module. It allows attackers to write arbitrary files when a malicious archive is extracted. More info here: https://snyk.io/research/zip-slip-vulnerability https://github.com/snyk/zip-slip-vulnerability#affected-libraries Module...
Starbucks: Information Leak - Github - JMS Information
Hi, after some research I found a leak on GitHub that might lead to accessing sensitive data of employees or clients; I am not sure, based on the code. There is also an SAP S-user to access a cloud-based HANA service. I have not confirmed what kind of data is in there, to avoid potential legal issues. I...
DuckDuckGo: SSRF in proxy.duckduckgo.com via the image_host parameter
Description: the https://proxy.duckduckgo.com/iur/ endpoint is vulnerable to SSRF via the image_host GET parameter. Vulnerable URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://tudomanyok.hu/ Some internal URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://127.0.0.1:18091/...
Mail.ru: Clickjacking Vulnerability on https://support.my.com/games/ticket/xxxx/
Hi there, I have found a clickjacking vulnerability on your site. Steps to reproduce: 1. Go to https://support.my.com 2. Generate a clickjacking script, save it as .html and open it in your browser. Script: iframe width: 800px; height: 500px; position: absolute; top: 0; left: 0; filter:...
Mail.ru: Modifying application settings via clickjacking on o2.mail.ru
It was possible to edit application information or delete application via clickjacking on o2.mail.ru...
Avito: Open Redirect via login avito.ru | Protection bypass
Open redirect using the following vector and social auth: https://www.avito.ru/rossiyalogin?next=///...
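The `///` vector above defeats a check that only rejects `//` or `http://` prefixes, because browsers collapse the extra slashes into a protocol-relative URL. The following is an added example, not Avito code: a `next`-parameter validator that refuses anything other than a single-slash relative path, lets the WHATWG URL parser resolve it against the site's own origin, and then hands back an absolute same-origin URL so the redirect target is never ambiguous. The site origin and the sample inputs are constructed for the example.

```javascript
// Added example: validating a post-login "next" parameter. Not Avito's code.

// Returns an absolute URL on siteOrigin that is safe to put in a Location
// header; falls back to the site root for anything suspicious.
function safeNextUrl(next, siteOrigin) {
  const home = new URL('/', siteOrigin).href;
  if (typeof next !== 'string' || next.length === 0) return home;

  // Must be a relative path with exactly one leading slash. This rejects
  // "//host", "///host", "https://host" and "javascript:" in one test.
  if (!next.startsWith('/') || next.startsWith('//')) return home;

  // Backslashes are treated as slashes by browsers ("/\evil.example" becomes
  // protocol-relative); raw control characters enable CRLF header injection.
  if (/[\\\u0000-\u001F\u007F]/.test(next)) return home;

  // Let the parser decide where it really resolves, then require same origin.
  const resolved = new URL(next, siteOrigin);
  if (resolved.origin !== new URL(siteOrigin).origin) return home;
  return resolved.href;
}

// Constructed probes, including the report's triple-slash vector.
const PROBES = [
  '/profile?tab=1#top',
  '///evil.example/',
  '//evil.example',
  'https://evil.example/x',
  '/\\evil.example',
  'javascript:alert(1)',
  '/x\r\nLocation: https://evil.example',
];

function classifyProbes(siteOrigin) {
  return PROBES.map((p) => ({ next: p, redirectTo: safeNextUrl(p, siteOrigin) }));
}
```

Returning the resolved absolute URL rather than the raw parameter also covers inputs like `/..//evil.example`, which normalise to a path beginning with `//`: once anchored to the site's own origin they stay on that host.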
Ubiquiti Inc.: 3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290)
There are certain endpoints containing functionality that is vulnerable to reflected cross-site scripting (XSS), allowing attackers to abuse the user's session information and/or take over the admin user's account. Authenticated users can be persuaded to visit malicious web pages, which allows...
LocalTapiola: Reflected XSS (myynti.lahitapiolarahoitus.fi)
Basic report information. Summary: There is a reflected XSS on myynti.lahitapiolarahoitus.fi. Description: There is a reflected XSS on the myynti.lahitapiolarahoitus.fi website; the redirect parameter is vulnerable to XSS. Impact: Steals cookies from other logged-in users. Browsers / apps verified in:...
Keybase: Fix bypass of different processing of usernames on Hackernews
Description: In report https://hackerone.com/reports/307670 the reporter identified a flaw which abuses parsing differences between Keybase and Hackernews. Although the original report is resolved, there appears to be a bypass with the same impact by abusing upper-case letters. Steps to reproduce: 1...
Nextcloud: twofactor_auth bypassable if provider fails to load
Just want to preface this by saying that this is probably not a significant vulnerability, as it requires that the server either have recently been incorrectly upgraded or otherwise misconfigured. However in the administration of my own personal NextCloud instance I have hit this several times...
VK.com: self-xss ads_easy_promote vk.com
Self-XSS in the ads interface...
Ubiquiti Inc.: Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300
In AirOS 6.1.5 and prior, due to a lack of validation it is possible to bypass the CSRF protection on certain web pages. If an authenticated user accesses an attacker-controlled web page, it could trigger the CSRF, and the resulting request could modify the device configuration and create a stored XSS, with the XSS...
International Islamic University Chittagong: Union Based SQL injection in https://ieeeiiucsb.org/registration/details
Due to the lack of proper sanitization in our registration system, the researcher was able to find a SQL injection vulnerability which exposes the database name and user ID. We'd like to thank him for a nice catch on our system...
GSA Bounty: Email Spoofing - SPF record set to Neutral
Hi, Introduction: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more...
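The report above turns on the qualifier of the record's terminal `all` mechanism: `?all` tells receivers to treat mail from unlisted hosts as neutral, so a forged sender passes through with no SPF penalty. The following is an added example, not part of the report or of GSA's configuration: a small SPF v1 parser and a function that reports what policy a record's `all` term actually expresses. The sample records are constructed for the example.

```javascript
// Added example: parse an SPF record and report the policy its "all" term expresses.
// Constructed records; not the domain's real DNS data.

const QUALIFIER_MEANING = { '+': 'pass', '-': 'hardfail', '~': 'softfail', '?': 'neutral' };

// Splits "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all" into
// directives (qualifier + mechanism + argument) and modifiers (name=value).
function parseSpf(record) {
  const terms = record.trim().split(/\s+/);
  if (terms[0].toLowerCase() !== 'v=spf1') throw new Error('not an SPF version 1 record');
  const directives = [];
  const modifiers = {};
  for (const term of terms.slice(1)) {
    const eq = term.indexOf('=');
    if (eq > 0) {                                   // modifier: redirect=, exp=, ...
      modifiers[term.slice(0, eq).toLowerCase()] = term.slice(eq + 1);
      continue;
    }
    let qualifier = '+';                            // an unqualified mechanism means "+"
    let body = term;
    if ('+-~?'.includes(term[0])) { qualifier = term[0]; body = term.slice(1); }
    const sep = body.search(/[:/]/);                // "ip4:..." or "a/24"
    const mechanism = (sep === -1 ? body : body.slice(0, sep)).toLowerCase();
    const argument = sep === -1 ? null : body.slice(sep + 1);
    directives.push({ qualifier, mechanism, argument });
  }
  return { directives, modifiers };
}

// What happens to a sender that matches none of the listed mechanisms.
// "hardfail" is the only result that tells receivers to reject the forgery;
// "neutral" (the report's case) and "none" give no protection at all.
function spfAllPolicy(record) {
  const { directives, modifiers } = parseSpf(record);
  const all = directives.find((d) => d.mechanism === 'all');
  if (all) return QUALIFIER_MEANING[all.qualifier];
  if (modifiers.redirect) return 'redirect:' + modifiers.redirect;
  return 'none';   // RFC 7208 section 4.7: no match and no redirect evaluates to neutral
}

// Constructed records: the weak one reported, and a corrected one.
const WEAK_RECORD = 'v=spf1 include:_spf.example.net ?all';
const FIXED_RECORD = 'v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all';
```

Moving from `?all` to `-all` is only safe once every legitimate sending host is listed; `~all` is the usual intermediate step while that inventory is being verified.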
Mail.ru: [new.wf.mail.ru] XSS Request-URI
Reflected XSS via GET parameters in new.wf.mail.ru. wf.mail.ru is not currently covered by the bug bounty program...
Trello: A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to
Just found this, tested it on a whim and deeply regretted it. Sorry! So to recreate the issue: 1. Visit...
Dropbox: Missing URL sanitization in comments can be leveraged for phishing
The report points out that a link in shared file's comments could say one thing in the text but actually point to another website. This is a risk we have always accepted: the document preview could also contain links, the legit links could point to shorteners. Additionally, Dropbox Paper supports...
U.S. Dept Of Defense: CRLF Injection on ███████
Summary: The web application hosted on the "█████" domain is affected by a carriage return line feed (CRLF) injection vulnerability that could be used in combination with others. This issue could allow XSS via cookie, bypass of double-submit-cookie CSRF protection, or session fixation on .█████████...
Grab: CSV Injection https://hub.grab.com
@Poison had pointed out that it was possible to perform CSV injection on hub.grab.com, which was tested on Microsoft Excel 2016. Injection occurred by adding the payload in the customer name field in the Grab mobile application. The payload used was =cmd|' /C calc'!A0. We fixed this issue by properly...
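A spreadsheet treats a cell beginning with `=`, `+`, `-` or `@` as a formula, which is why a customer name of `=cmd|' /C calc'!A0` executes when the export is opened. The following is an added example, not Grab's fix: an export-side cell encoder that neutralises formula triggers with a leading single quote and applies ordinary CSV quoting, applied to a constructed row of customer data.

```javascript
// Added example: CSV export encoding that blocks formula injection. Not Grab's code.

// Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
// Tab and carriage return are included because some versions treat them as
// whitespace before the trigger.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Encodes one value for a CSV cell. The quote prefix forces text
// interpretation; RFC 4180 quoting then handles commas, quotes and newlines.
function escapeCsvCell(value) {
  let s = value === null || value === undefined ? '' : String(value);
  if (s.length > 0 && FORMULA_TRIGGERS.has(s[0])) s = "'" + s;
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

function toCsvRow(cells) {
  return cells.map(escapeCsvCell).join(',');
}

// Constructed export: a header and two customers, one carrying the report's payload.
const HEADER = ['customer_name', 'phone', 'city'];
const ROWS = [
  ["=cmd|' /C calc'!A0", '+65 0000 0000', 'Singapore'],
  ['Doe, Jane', '0000', 'Kuala Lumpur'],
];

function buildExport() {
  return [toCsvRow(HEADER), ...ROWS.map(toCsvRow)].join('\r\n');
}
```

The prefix also lands on legitimate values that begin with `-` or `+`, such as the phone number above; numeric columns should be exported as numbers in a typed format (or the prefix applied only to free-text fields) rather than relying on this escape everywhere.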
Cuvva: Clickjacking vulnerability in support-dashboard.corp.cuvva.co
Hi, I found a clickjacking vulnerability in a subdomain of cuvva.com, i.e. support-dashboard.corp.cuvva.co. Impact: The resource lacks X-Frame-Options and is potentially vulnerable to clickjacking. The vulnerability exists only for authenticated users; possible UI redressing in the dashboard. PoC: 1. ...
Instacart: Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url=
Summary: Instacart at the /store/partner_recipe?recipe_url= endpoint is vulnerable to reverse tabnabbing, since the injected link uses target="_blank"; this means the page that opens in a new tab can access the initial tab and change its location using the window.opener property. Example: Reproduction...
Instacart: XSS at in instacart.com/store/partner_recipe
Summary: Hi team, I found that this endpoint, https://www.instacart.com/store/partner_recipe?, at the param image_url is vulnerable to XSS. Reproduction steps & PoC: 1. Go to...
Paragon Initiative Enterprises: Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change
Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change ========================================================== Hello Team, While I was testing your web application "Paragon Initiative Enterprises", I came to know that it is vulnerabl...
Nextcloud: I am because bug
I'm because I hacker found bug because I report this bug I want to report a bug and because want some $$$$ so please because you are telling me how much you pay money so I give you bug. Me because very poor :' want money because father :' F181820 Thank you wish you because pay lots $$$$$$$$...
HackerOne: Subdomain takeover #4 at info.hacker.one
Summary: Hi team, looking at the last fix released by the Unbounce team at https://hackerone.com/reports/217358, I've been able to bypass it and take over the subdomain info.hacker.one with a new vulnerable ENDPOINT + PARAM COMBINATION in the Unbounce Pages app. Actual DNS entry: F174718 Reproduction steps fo...
Slack: Bypass to postMessage origin validation via FTP
@a1kmm- discovered a bypass to our postMessage origin check, wherein an attacker with existing MITM capabilities could use FTP to bypass validation and view XOXS tokens of victims on the local network. This was related to, and investigated at the same time as, a previous report. This issue is now...
Open-Xchange: RTLO character in file names
DESCRIPTION ------- Hello, I have noticed that the RTLO (Right-To-Left Override) character is not filtered from the names of files saved to Drive or from attachment names, thus allowing two things: 1. Someone sends a malicious file (html or exe or something else) via email that...
Ubiquiti Inc.: Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter.
Dear Ubiquiti Networks bug bounty team, Short description --- scores.ubnt.com is still vulnerable to reflected XSS, a form of client-side code injection wherein one can execute malicious scripts in a page. The fix to https://hackerone.com/reports/158484 does not suffice for some browsers, mainly...
U.S. Dept Of Defense: Insecure Direct Object Reference (IDOR) vulnerability in a DoD website
A Department of Defense website was vulnerable to an IDOR attack which may allow an attacker to modify web content or certain database parameters. @eugui was able to demonstrate this vulnerability by manipulating web objects in a clever way. Very well done. Thank you!...
Internet Bug Bounty: NULL Pointer Dereference while unserialize php object
Because the result of object_init_ex is not checked, if the user passes an interface or an abstract class the result is FALSE and args is NULL, which leads to a program crash: if (UNEXPECTED(class_type->ce_flags & (ZEND_ACC_INTERFACE|ZEND_ACC_TRAIT|ZEND_ACC_IMPLICIT_ABSTRACT_CLASS|ZEND_ACC_EXPLICIT_ABSTRACT_CLASS))) if...
Discourse: XSS vulnerability on Audio and Video parsers
Just like the XSS vulnerability in the Image parser, the same vulnerability exists in the Audio parser (https://github.com/discourse/onebox/blob/394409ca319cc1a1cd31fefa50c9468c990531a3/lib/onebox/engine/audio_onebox.rb) and the Video...
PortSwigger Web Security: XSS in IE11 on portswigger.net via Flash
Hello PortSwigger Security Team, there is a reflected XSS vulnerability in portswigger.net. The Flash file https://portswigger.net/burp/tutorials/video-js/video-js.swf is from an old video.js library version 3.2.0 which is vulnerable to XSS. This XSS will be blocked by the CSP directive object-src...
Informatica: [parc.informatica.com] Reflected Cross Site Scripting and Open Redirect
Hi! I just want to report a vulnerability in your subdomain "parc". Description: In this link https://parc.informatica.com/partners/apex/Cloudchat?endpoint= the vulnerable parameter is "endpoint". Once the parameter takes the value of an XSS vector or a website link, the code is executed aft...
Bumble: Unvalidated redirect on team.badoo.com
Domain affected: https://team.badoo.com/ corp.badoo.com. PoC tested on Firefox: https://team.badoo.com/%0d%0adata:text/html;text,%3Csvg%2fonload%3Dprompt%281%29%3E F129735 Description: team.badoo.com may be vulnerable to CRLF injection; when we inject %0d%0a into the URL, the Location header, entire content...
Mindoktor: XSS at endpoint clinic.mindoktor.se in flash cookie
Issue: XSS found at endpoint clinic.mindoktor.se/user/login. Endpoint: clinic.mindoktor.se/user/login. Steps of reproduction: 1. Go to the above endpoint 2. Enter a random email and password 3. Intercept the request with a sniffer like Burp Suite 4. Change the email parameter to...
VK.com: A second way to bypass 2FA
Insufficient verification of the user when their IP address changes. A loophole with re-login when the user's IP changes...
Internet Bug Bounty: Additional information for CVE-2016-5699
I was not the first to report this issue, but the fix languished for quite some time, since no one realized quite how bad it was. I wasn't aware of the original bug report and discovered the issue independently. I was the first to report the much more serious consequences of it. The vulnerability...
Instacart: Seemingly sensitive information at /api/v2/zones
Overview: https://www.instacart.com/api/v2/zones is accessible by a regular Instacart user and seems to return sensitive information such as names, emails, phone numbers, money amounts and dates. GET /api/v2/zones "meta": "code": 200 , "data": "zones": ... "id": 73, "name": "████", "created_at":...