Open-Xchange: Null dereference or redundant null check in `mail_crypt_load_global_private_key` for plugin mail-crypt
In this function, we check once if `error_r` is not NULL in `if (enctype == DCRYPT_KEY_ENCRYPTION_TYPE_PASSWORD)` / `Fail here if password is not set since openssl will prompt for it otherwise` / `if (key_password == NULL)` `if (error_r != NULL)` `*error_r = t_strdup_printf("%s: %s unset, no " "password to decrypt the key", ...`
Kubernetes: Private IP addresses Disclosure
The following URL leaks the private IP addresses: kubernetes.io/feed.xml. The following server's cluster RFC 1918 IP addresses were disclosed in the response: • 10.1.2.3 • 10.104.207.136 • 10.224.0.0 • 10.250.0.0 • 10.250.112.0 • 10.250.96.0 • 10.55.252.216 • 10.96.0.0 • 10.96.0.1 • 10.96.15.180 ...
Mail.ru: [ICQ] nwwwstg-d01.ops.icq.com check mk agent exposed to public
System information disclosed on nwwwstg-d01.ops.icq.com...
Acronis: Acronis True Image Local Privilege Escalation via insecure folder permissions
Note: This has been submitted via service desk earlier, and I got a call from Acronis customer service that it's up on H1 and I should submit it there as well. All of the Acronis LaunchDaemons except the price helper which can be found here: /Library/LaunchDaemons/com.acronis. start an app / scri...
Mail.ru: HTML/iframe/XSS injection on https://www.ucs.ru/online/shelter/settings/check/
Potential XSS via POST parameters in www.ucs.ru...
Mail.ru: Blind SSRF in magnum upgrade_params
Method for magnum cluster creation accepted arbitrary values for the container hostname, leading to an SSRF possibility against internal services in the Mail.ru Cloud Computing service...
8x8: PHPinfo page on http://█████.callstats.io
PHPInfo file was exposed on a legacy system. phpinfo was available at a callstats.io subdomain. It disclosed information on the server and PHP version information...
Node.js third-party modules: [meemo-app] Denial of Service via LDAP Injection
I would like to report a Denial of Service via LDAP Injection vulnerability in the meemo-app module. It allows a malicious attacker to send a crafted input that is interpreted as an LDAP filter, leading to Denial of Service. Module module name: meemo-app version: 1.9.2 npm page:...
Node.js third-party modules: [cloudron-surfer] Denial of Service via LDAP Injection
I would like to report a Denial of Service via LDAP Injection vulnerability in the cloudron-surfer module. It allows a malicious attacker to send a malformed input that is interpreted as an LDAP filter, leading to Denial of Service. Module module name: cloudron-surfer version: 5.9.0 npm page:...
IRCCloud: IDOR with Geolocation data not stripped from images
Vulnerable URL: https://usercontent.irccloud-cdn.com/file/0wXMTrPu/hgjbk Vulnerability Description: When an image is taken using a smartphone or camera, certain metadata fields are often attached to it. These fields could include the model of the camera, the time it was taken, whether the flash...
Mail.ru: SSRF in www.ucs.ru
Blind SSRF in www.ucs.ru...
Acronis: Account Takeover on unverified emails in File Sync & Share
Summary The name change functionality in File Sync & Share is expected to change the name in File Sync & Share. But the API endpoint used in it also allows changing email to any email without having to verify the email. The login email stays the same but the email within File Sync & Share...
X (Formerly Twitter): Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506
Summary: CVSS score: 8.1 / High / CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Embargo notice: Do Not Disclose publicly until https://crbug.com/1083819 is disclosed. Twitter for Android is affected by a UXSS vulnerability due to its configuration of Android WebView and CVE-2020-6506. Vendor...
Visma Public: Improper access control allows sales only user to view bank balance of company accounts.
The researcher has found an access control issue that allowed a sales-only user to view the bank balance of company accounts. These details should not be visible to users lacking the permission...
Nextcloud: Github wikis are editable by anyone https://github.com/nextcloud/bookmarks/wiki
Github wikis on the following projects https://github.com/nextcloud/bookmarks/wiki can be edited by any logged in user in the system. This poses security and reputation risk for the company. Impact As wikis listed above can be edited by any person on the internet, a malicious actor can accurately...
Courier: disable test send feature if user's email address isn't verified
Summary: There is no mechanism in place to limit the request while sending the preview email. Steps To Reproduce: There is a weak account registration process, which allows a user to register and log in without any email confirmation. Let's say for example that I'm user A who wants to send a phishin...
Shopify: XSS / SELF XSS
I found an XSS but I think it's a self-XSS. POC: 1. Go to yourstore.myshopify.com 2. Go to settings import 3. Upload a wrong CSV file with an XSS payload as the file name " Impact: XSS attack...
Courier: Logout page does not prevent CSRF
Summary: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. ... If the victim is an administrative account, CSRF can compromise the entire web application. Steps To Reproduce: 1. Create a...
Automattic: No Rate Limit when accessing "Password protection" enabled surveys leads to bypassing passwords via "pd-pass_surveyid" cookie
Summary: Hi team, If you write the right password on any password protected survey, you will see this request : F878934 This request is protected with rate limit, that's great. But if you look to response, you will see a cookie. The password protection feature is cookie-based system. In my survey...
Mail.ru: Access admin interface via bad credentials
Staging testing version of plazius.ru manager's interface was available from external network with guessable default credentials. This interface had no access to production data...
Shopify: Open Redirect - www.shopify.com
Hello Shopify team, I found an open redirect in www.shopify.com Link: - https://www.shopify.com/plus/get-cdn-asset?asset=http://evil.com/? Vulnerable parameter: asset Impact - Open redirect that can lead to phishing and other types of attacks. Have a good day, zonduu...
Courier: Missing rate limit in signup Form
Hello Team, Description: When signing up for an account, you enter your email. When this email is already in use, the server responds with "UserConfirmed":true,"UserSub":"ae294fff-6d55-407d-9676-1f3518029037" This is not a problem, but the fact that you could send this request unlimited times is...
U.S. Dept Of Defense: PII Leak via /██████
Summary: An attacker is able to access ServiceNow e-mail notification modules via █████/██████████. Once on this page, the attacker can click any of the notifications, select Preview Notification, and choose a user to view their profile data to include Full Name, rank, organization, e-mail addres...
U.S. Dept Of Defense: PII Leak via /████████
Summary: An attacker is able to view PII Full name/address/e-mail/phone of all website users via █████████/████████ Step-by-step Reproduction Instructions 1. Browse to ████ and login or create an account. 2. Browse to ████/███████ 3. Begin typing a name in the Select User field, and click the i...
Courier: [OPEN S3 BUCKET] All uploaded files are public.
Hi, I found an open S3 bucket: backend-production-librarybucket-1izigk5lryla9 Steps to reproduce: 1- Go to notification and click to create a notification 2- Add a new image (also allows SVG & XSS), then copy the image location...
CS Money: [cs.money] Open Redirect Leads to Account Takeover
Summary: I found an open redirect on https://cs.money domain, using this payload https://cs.money///google.com we can redirect into any domain that we want, you can see the request and response from this image below : ███ Steps To Reproduce: The final payload is having an account takeover as the...
Shopify: Low Privileged user can add or remove cash to/from sales register
A low privileged user having no access to Shopify POS and a very low permission set is not allowed to add cash to the sales register or remove cash from the sales register. But missing server-side permission checks on the vulnerable request allow a low privileged user to do this. A low privileged ca...
Mail.ru: Improper Restriction of Excessive Authentication Attempts at https://ucs.ru/login
Login functionality on ucs.ru was not sufficiently protected against brute force...
Internet Bug Bounty: Long filenames cause OOM and temp files are not cleaned
https://bugs.php.net/bug.php?id=78875 Impact Disk could be filled up completely by remote attacker without privileges...
Node.js third-party modules: Server-side Template Injection in lodash.js
I would like to report Server-side Template Injection in lodash.js .template function It allows the execution of code on the server Module module name: lodash version: 4.17.15 npm page: https://www.npmjs.com/package/lodash Module Description The Lodash library exported as Node.js modules. Module...
U.S. Dept Of Defense: Access to requests and approvals via /█████ allows sensitive information gathering
Summary: An adversary is able to view/modify requests and approvals via ████████/████████. Step-by-step Reproduction Instructions 1. Browse to █████ and create an account or sign in. 2. Browse to ███████/██████████. You can now view current/past requests. 3. Clicking on these requests seems to...
U.S. Dept Of Defense: PII Leak via /███████
Summary: The ██████████ website allows access to PII of all site users via faulty access control to the /██████ endpoint. Step-by-step Reproduction Instructions 1. Browse to ████████ and login or create an account. 2. Browse to ███████/████████. You will be able to access PII of all site users...
U.S. Dept Of Defense: Dashboard sharing enables code injection into ████ emails
Summary: An attacker is able to share their dashboard with other █████████ users. When sharing their dashboard, the message is not fully sanitized for HTML characters before sending to the recipient. This allows the attacker to craft a believable spearphishing e-mail coming from an e-mail address...
Ruby on Rails: Open Redirect (6.0.0 < rails < 6.0.3.2)
Hello, I was looking at the change log https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2 for CVE-2020-8185 and found another problem existed. https://github.com/rails/rails/blob/v6.0.3.1/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb#L21 ruby redirect...
ownCloud: Remote Code Execution through "Files_antivirus" plugin
Hi, I would like to report a Remote Code Execution in ownCloud. The flaw is exploitable as an authenticated user and the level of privileges required is "Administrator". The vulnerable component is the plugin "files_antivirus", freely downloadable via the market and available in the ownCloud GitHub repository...
Hanno's projects: [bugs.fuzzing-project.org] HTML Injection via 'custom_field_7[]' parameter in '/view_all_set.php'
Vulnerable Website URL or Application: https://bugs.fuzzing-project.org/view_all_set.php?f=3 Description of Security Issue: By not properly cleaning the information entered in the custom_field_7 field, an attacker could send emails to company customers, pointing to a legitimate fuzzing project domain...
X (Formerly Twitter): Denial of Service | twitter.com & mobile.twitter.com
Hi Team, Detail: I found a DoS that works on twitter.com and mobile.twitter.com, but it doesn't work on the mobile app. The user only needs to view the message or tweet in order to be exposed to this DoS. As far as I can remember, a report similar to this report has been sent to you before, but I...
Node.js third-party modules: Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS
I would like to report a denial of service vulnerability in fastify. It allows causing a DoS with some schemas that were otherwise assumed to be secure against DoS by their authors. Module module name: fastify version: 2.14.1, 3.0.0-rc.4 npm page: https://www.npmjs.com/package/fastify Module...
Nextcloud: SSL certificate not validated when registering with a provider
Description When running the desktop client for the first time, users can click the "Register with a provider" button to sign up for a Nextcloud account with a Nextcloud cloud provider. Clicking "Register..." opens a web page in a Nextcloud desktop client window with content from...
Smule: No Rate Limiting On Phone Number Login Leads to Login Bypass
Hey Team, Introduction: A rate limiting algorithm is used to check if the user session has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame. Description: I was able to Bypass Authentication of any user by enumerating th...
GitHub Security Lab: [Java]: CWE-523 Insecure HSTS configuration
This bug was reported directly to GitHub Security Lab...
Node.js third-party modules: bunyan - RCE via insecure command formatting
I would like to report RCE in bunyan. It allows running arbitrary commands remotely on the victim's PC. Module module name: bunyan version: 1.8.12 npm page: https://www.npmjs.com/package/bunyan Module Description Bunyan is a simple and fast JSON logging library for node.js services: Module Stats 920,19...
Curve: Sensitive Info Leak - An Attacker Can Retrieve All the Users Mobile Numbers at https://website-api.production.curve.app/api/waitlist/us
Hi, When I was going through all the JS files on curve.com, I found a link called "/usa" that is used to create Curve USA Waitlists by entering your name, email address, mobile number and address details. F874173 Then there is a functionality called "Track my Position" by using which joined users can view...
Mail.ru: Data URI Stored XSS on Donations Page
XSS in donationalerts.com on donations page while previewing the text data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIEhlcmUiKTs8L3NjcmlwdD4K...
RATELIMITED: Source code disclosure at ███
Summary: Source code disclosure at ███████ Steps To Reproduce: POC: link download source code: ███████ Supporting Material/References: █████ ███████ Impact Source Code Disclosure Sensitive Information Disclosure...
Mail.ru: Sensitive information exposure via git commit
Token for a test ICQ bot account was leaked via git commit data for an open-source Jira plugin...
Mail.ru: SMTP Header Injection at http://abonement.ucs.ru
It was possible to abuse the functionality of abonement.ucs.ru to send messages to arbitrary e-mail addresses via a CRLF injection vulnerability...
U.S. Dept Of Defense: Stored XSS on ████████helpdesk
A Department of Defense (DoD) asset was vulnerable to Stored XSS due to a file upload feature. This may have led to Local File Inclusion. The DoD Representatives were responsive and thorough when handling my report. A Department of Defense (DoD) asset was vulnerable to Stored XSS due to a file upload...
Shopify: Get analytics token using only apps permission
It seems apps that can read "analytics" have embedded analytic token. In order to access the /admin/reportify/token.json endpoint explicit dashboard or reports permission is required. A staff member with just "apps" permission can leverage the permissions of apps that can read reports to extract...
Rockstar Games: SocialClub Account Take Over Through Import Friends feature
In this report, the researcher identified a vulnerability in a Social Club feature intended to allow users to import their friends list from Facebook and other social media sites. However, if a targeted victim were to visit a crafted site containing a specific malicious script that exploited this...