U.S. Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI
Hello, I found an outdated version of Telerik Web UI v2016.2.607.40 at the following URL: https://███/Telerik.Web.UI.WebResource.axd?type=rau. This means that we can achieve full RCE by chaining two different CVEs: CVE-2017-11317, which allows us to upload arbitrary files on the server, and...
Mendix: Reflected XSS in "*.mendix.com/openid/*"
The endpoint at https://sprintr.home-accp.mendix.com/openid/ suffers from a Cross-Site Scripting vulnerability via the URL path. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the...
Internet Bug Bounty: mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full (CVE-2020-7065)
PHP bug report made public by the maintainers at the time of writing: https://bugs.php.net/bug.php?id=79371 Mitre CVE page: https://vulners.com/cve/CVE-2020-7065 Link to the release notes: https://www.php.net/ChangeLog-7.php7.4.4 Impact One of the impacts is that the issue allows an attacker to...
Liberapay: Leaking Of Sensitive Information on Github
Summary: Sensitive data was leaked in https://github.com/liberapay/liberapay.com Steps To Reproduce: 1. Install gitleaks from https://github.com/zricethezav/gitleaks 2. Run the following command in a Linux terminal: gitleaks -v --pretty -r=https://github.com/liberapay/liberapay.com The following...
Shopify: Session works after logout from Shopify account and password of online store is displayed
When a user creates a Shopify Lite Plan account, in the product creation stage when the account has not been upgraded, the store's password is enabled such that any visitor who wants to access the store is required to enter a password before being granted access to view the products listed in the...
Elastic: Create an account on auth-sandbox.elastic.co with email @elastic.co or any other @domain.com
Summary: Dear Team, today when doing some recon steps I found this subdomain https://54.246.136.164/ It's not loaded correctly, and viewing the source code exposed some other interesting links: https://elasticsandbox.docebosaas.com/pages/14/learner-dashboard https://auth-sandbox.elastic.co Go to...
Semrush: IDOR in the https://market.semrush.com/
Insecure direct object references in the marketplace due to length restrictions in the chosen hashing function...
Quantopian: Ability to perform various POST requests on quantopian.com as a different user - insecure by design.
Summary: Due to excessive control of the victim's UI through the algorithm collaboration feature, one is able to force an algorithm collaborator to issue malicious POST requests. Description: Hello again my favorite VDP! WebSockets again. The following vulnerability can be abused to attack a person that we...
WordPress: Improper Access Control in BuddyPress core allows replying to or deleting any user's activity
Description: Improper Access Control in BuddyPress core allows replying to or deleting any user's activity in other public groups, which they have not joined. Steps To Reproduce: Step 1: Create two accounts A, B with two public groups Step 2: In group A-account A, create a new activity idA Step 3: In group B-accoun...
Mail.ru: Stored XSS on {https://calendar.mail.ru/}
Stored XSS via event fields in calendar.mail.ru...
WordPress: Privilege Escalation in BuddyPress core allows Moderate to Administrator
Description: BuddyPress core allows Moderator to Administrator escalation in the Manage Group Members module Steps To Reproduce: Step 1 : Create two accounts with two groups Step 2 : In account A, create group abc with these two users. Step 3 : Administrator in group abc promotes account B to Moderator Step 4 : In...
Informatica: XXE through injection of a payload in the XMP metadata of a JPEG file
Users are able to change their avatar picture. The avatar picture upload functionality is prone to an XXE attack when parsing the image file. Specifically, the XXE attack is executed through the injection of a payload in the "XMP metadata" of the uploaded JPEG file. Proof of concept: note the "Burp...
WHO COVID-19 Mobile App: Probably unexploitable XSS via Header Injection
Summary: The Who-Platform header is reflected in the output of the page if it's not one of the recognized Who-Platform values IOS, ANDROID, WEB. While this is probably no longer exploitable as of 2015, it may be exploitable on less well implemented browsers not Chrome/Firefox/Edge. In general,...
GitLab: Stored XSS in markdown when redacting references
Summary It's possible to inject arbitrary html into the markdown by abusing the ReferenceRedactorFilter. This is due to the data-original attribute allowing html encoded data to be stored, which is then extracted and used as the link content. If the original data already is html encoded then it...
WordPress: CSRF in Profile Fields allows deleting any field in BuddyPress
Description: CSRF in Profile Fields allows deleting any field in BuddyPress Version: Latest Steps To Reproduce: Step 1: Use a form like so to create the CSRF: history.pushState('', '', '/') Change your domain and idfield Step 2: When the admin clicks while step 1 was hidden in images,.... Step 1 will all...
Mail.ru: mailer.i.bizml.ru viber service preprod information disclosure
DEBUG mode enabled on http://52.29.101.127:1060/ leading to DB login and passwd leaks...
LY Corporation: Insufficient access control on all BCRM instances leading to the ability to create admin accounts using the API
BCRM is a service that helps manage and analyze your LINE Official Account, and provide useful insights. Due to insufficient access control checks in the /admins API endpoint, it was possible for an attacker to create admin accounts. These accounts are "super"-admin accounts meant for internal us...
Zomato: [www.zomato.com] Blind SQL Injection in /php/widgets_handler.php
Disclosing it as per the request from @zzzhacker13. This report is identical to 838855 but it was just on a different endpoint. POC - - :/php/widgets_handler.php?method=getResWidgetButton&resid=51-CASE//WHENLENGTHversion=10THENSLEEP61END Zomato Security Team...
Open-Xchange: Buffer overread in parse_angle_addr called from message_address_parse_path
Call messageaddressparsepathpooldatastackcreate, data0, size0, &addr2; with input 0x3c,0x40,0x5b,0x40,0x40,0x28, ie parser.data == '@' if parsedomainlistctx 0 && ctx-parser.data == ':' ctx-parser.data++; - else if parsingpath && ctx-parser.data != ':' + else if parsingpath && ctx-parser.data...
Open-Xchange: Multiple buffer over reads in mbox_from_parse
Vulnerabilities were found fuzzing mboxfromparse Different inputs reproducing the behavior are 0xe7,0xdf,0x1,0x0,0x30,0x3f,0x20,0x32,0x20,0x30,0x3a,0x32,0x39,0x20,0x3f,0x3f,0x3f,0x20,0x34,0x39,0x30,0x34,0xdb,0x32,0x32,0x3a,0x32,0x36,...
DRIVE.NET, Inc.: [www.drive2.ru] Insufficient Security Configurability - Notification email is not sent when email is changed.
A notification email is not sent when the email address is changed. Best Practices As a recommended practice, important tasks like changing emails should trigger notification emails. Technical severity / VRT category: Specific vulnerability...
PlayStation: Access Token Smuggling from my.playstation.com via Referer Header
I discovered a way to smuggle an access token from my.playstation.com via the Referer header through a chain of open redirection vulnerabilities. During my investigation of the authentication flow I found this endpoint as a potential site for an open redirect vulnerability...
DRIVE.NET, Inc.: [www.drive2.ru] Insufficient Security Configurability - Users can set an existing password as a new password.
The application allows a user to set a new password that is the same as the old password. Passwords are entirely the user's responsibility, but as the old password may be exposed to other users, depending on the application's password security policy, it should not be possible to set a new password value...
DRIVE.NET, Inc.: [www.drive2.ru] There is no rate limit for comments endpoints.
Summary The "add comment" endpoint was improperly rate-limited, so a potential attacker could post a large number of comments, overloading the server and the notification system,...
DRIVE.NET, Inc.: [www.drive2.ru] CSRF through FCTX token bypass
On the login page, login is attempted through the FCTX token. In addition, the login page was protected by a g-recaptcha-response captcha, but an attacker can bypass the g-recaptcha-response captcha without FCTX tokens, and login CSRF is possible. The issue was fixed by enabling the...
DRIVE.NET, Inc.: [www.drive2.ru] Insufficient Security Configurability - Email notification is not being sent while changing passwords
An email notification was not sent while changing passwords. This issue was fixed. Best Practices As a recommended practice: due to the missing notification email when changing a password, if the password has been maliciously changed, the user will not be able to notice it, so immediate security measures...
Valve: ajaxgetachievementsforgame is not guarded for unreleased apps
Due to an access control bug in the 'ajaxgetachievementsforgame' method, a public profile could accidentally expose achievement names, display names, and descriptions for unreleased games. The caller would need to find a player with achievements for the unreleased app...
Helium: Organization Takeover via invitation API
Hello @helium, today I would like to show you how a malicious user could exploit an IDOR affecting the /invitations resource to gain Administrator privileges inside an organization of which he is part as a reader. Steps to reproduce the bug Setup Let's assume that three accounts exist: -...
HackerOne: Login CSRF vulnerability on hackerone.com
Summary Hi. We found a CSRF token bypass on the HackerOne login page. So, this report describes the HackerOne login CSRF token bypass. Exploitation process HackerOne uses the authenticity_token token during login to prevent CSRF. However, the authenticity_token token is not properly verified, so an...
Slack: XSS on link and window.opener
A vulnerability was found in Slack that allowed for cross-site scripting XSS attacks through a link and the window.opener property. This could lead to redirection to malicious sites or execution of JavaScript code. The impact of this vulnerability was potentially severe...
Mail.ru: Improper access control leading to deletion of Greeting videos on {https://smtp.8mar.mail.ru/}
smtp.8mar.mail.ru was pointing to a partner-operated service where it was possible to delete uploaded greeting videos. No risks for Mail.ru users or active projects were identified...
Kubernetes: DoS for GCSArtifact.RealAll
Hi, I'm not good at English; if there is anything you don't understand, please contact me. Thanks! Summary: attackers can control the artifactName list to make the Google Storage client download a large object, causing denial of service. Component Version:...
Clario: Information disclosure of Internal php files on [mackeeper.com/blog/api/send-event]
Summary Vulnerable URL: https://mackeeper.com/blog/api/send-event contains service information Steps To Reproduce Step-1: Go to https://mackeeper.com/blog/api/send-event you will get MethodNotAllowedHttpException and different PHP files error info Step-2: After that, I have a change method to POS...
WordPress: Allows authenticated users to edit, trash, and add new items in the BuddyPress Emails function
Description: Allows an Author to edit, trash, and add new posts in the BuddyPress Emails function, and an Editor can edit, trash, and add new any posts in BuddyPress Emails by default. Steps To Reproduce: Step 1 : Create two accounts: Admin and Author Step 2: Login with the admin account. In the admin account, give...
LY Corporation: Blind SSRF in social-plugins.line.me
LINE Social Plugins https://social-plugins.line.me/ is a service that provides LINE users with content sharing on the web. This Blind SSRF attack was caused by bypassing the DNS verification of the parameter value received. It could have made requests to internal servers or scanned internal netwo...
Acronis: Broken Access Controls
The endpoint notary.acronis.com blocks access to the panel if you are not an authenticated user. But it is possible to access some functions of the panel by adding .html at the end. See PoC from video below. Impact Broken access control vulnerabilities exist when a user can in fact access some...
Rocket.Chat: [Security Vulnerability Rocket.chat] HTML Injection into Email via Signup
Description Due to a lack of sanitization and validation in the affected parameter, we can input an HTML tag and the system will render it into the victim's email. Affected Endpoint https://chat.oas.greenhost.net/home Parameter : Name Steps to reproduce In the name textbox, input HTML code like "\”@x.y " And in Email,...
Slack: Tricking the "Create snippet" feature into displaying the wrong filetype can lead to RCE on Slack users
An issue in Slack's Create snippet feature results in filetypes being displayed incorrectly. This can lead to RCE if a Slack user downloads an executable file thinking that it is a CSV or other benign file type. https://www.youtube.com/watch?v=cIlGfnn4iG8...
CS Money: SSRF via 3d.cs.money/pasteLinkToImage
Summary: SSRF via 3d.cs.money/pasteLinkToImage The functionality fails to validate the URL in the link parameter, allowing an attacker to create server-side request forgery attacks. As the server does a full HTTP request, this can for example be used to: - DDoS attacks towards internal and external hosts. -...
Valve: Buffer overflow In hl.exe's launch -game argument allows an attacker to execute arbitrary code locally or from browser
Half-Life 1 allows users to set various launch arguments when running the game from the command line; one of them is "-game", which specifies the game/mod to be launched. Documented here: hl.exe -game The contents of this argument are copied via a call to strcpy onto the stack without any size...
Kubernetes: Clickjacking
Report Submission Form Summary: Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user...
Mail.ru: Stored xss on https://go.mail.ru/
Reflected XSS via GET parameter in go.mail.ru...
Open-Xchange: Buffer over-reads in i_stream_zlib_read
This can be reproduced by a sample program using libcompression: int main(int argc, char *argv[]) { const unsigned char *data_dec; size_t size_dec; const uint8_t *data = argv[1]; size_t size = strlen(data); struct istream *test_input = test_istream_create_data(data, size); const struct compression_handler *handler =...
Rocket.Chat: Android App Crashes while sending message to users/ on channel
Description I found a security vulnerability in Rocket's latest Android app by which I was able to remotely crash any user's app instantly just by sending a simple message in private or in a channel. The vulnerability requires the victim to open the message. Devices and Versions Rocket.Chat.Androi...
GitLab: XSS on Issue reference numbers
Dear team, I found an XSS that occurs when users move the mouse over reference numbers of issues. This XSS occurs on Firefox. It does not occur on WebKit-based browsers such as Safari and Chrome. I haven't tested on Edge. It can also occur in older browsers due to svg4everybody and...
Informatica: RXSS in http://procurement-businesscatalog.informatica.com
Hi, this is a simple XSS in the host below: Reproduction Steps Visit the following URL: http://procurement-businesscatalog.informatica.com/JPBC/login.hbc?lang=%3C/SCRIPT%3E%3CSCRIPT%3Ealertdocument.domain;%3C/SCRIPT%3E F760997 Impact Standard XSS impact...
Qulture.Rocks: XSS from arbitrary attachment upload.
Summary: The New Comment feature in the OKRs page allows a user to upload an arbitrary file. I was able to upload an HTML file that contains JavaScript code. The JavaScript code will execute when the victim visits the attachment. Steps To Reproduce: 1. Upload an HTML file that contains JavaScript...
Mail.ru: [pulse.mail.ru] Access to statistics of other users' sites
Few API methods of pulse.mail.ru were not properly restricted and could be used to obtain statistics information for arbitrary domains...
Kubernetes: "Self" DOS with large deployment and scaling
Report Submission Form Summary: Good day! I was just messing around with some functions and trying to see what the impact was on my cluster. I found out that it took quite some resources to process a larger deployment, especially when scaling it. When I checked your security release process I notic...
Internet Bug Bounty: tcpdump before 4.9.3 has a heap-based buffer over-read related to aoe_print in print-aoe.c and lookup_emem in addrtoname.c
There seems to be a heap-based buffer over-read while running tcpdump on a crafted pcap file. A similar behavior is seen when tcpdump is listening on an interface and the contents of this file are relayed over the network. Please find the detailed report on GitHub...