Mozilla: IDOR: Account Deletion via Session Misbinding – Attacker Can Delete Victim Account
A critical vulnerability was identified in the Firefox Accounts API that allowed an authenticated attacker to permanently delete any user's account by sending a POST /v1/account/destroy request using the attacker's session, but including the victim's email and password hash in the JSON payload. T...
curl: Stack Buffer Overflow in curl's OpenSSL Provider Handling
Summary Hello curl Team, I found a stack buffer overflow in curl's OpenSSL provider handling code. The bug is in osslsetprovider function located in lib/vtls/openssl.c. When a provider name longer than MAXPROVIDERLEN is passed, the function copies it to a fixed-size buffer without proper length...
curl: CVE-2025-5025: No QUIC certificate pinning with wolfSSL
Summary: When using wolfSSL as the TLS backend, certificate pinning does not work when using HTTP/3. The code should invoke wsslverifypinned, but it has not been implemented. Affected version (`curl -V`): WARNING: this libcurl is Debug-enabled, do not use in production curl 8.13.0 x86_64-pc-linux-gnu...
LinkedIn: Previous commenter on post can still comment even after comment permission is changed to disabled
A logic error existed in the comment permission system that allowed users who had previously commented on a post to continue posting additional comments even after the post owner disabled commenting functionality. The vulnerability occurred when an account created a post with comments enabled,...
curl: CVE-2025-4947: QUIC certificate check skip with wolfSSL
Summary: When using wolfSSL as the TLS backend, there is an issue where the CN or SAN in the certificate is not verified when connecting to an IP address over HTTP/3. wolfSSL_X509_check_host is only called when peer->sni is not NULL. However, when an IP address is specified, peer->sni is NULL, so the...
curl: `Curl_socketpair()` fallback vulnerable to man-in-the-middle attack
In Curl_socketpair() in curl/lib/socketpair.c, if the operating system lacks a native socketpair function, libcurl will create its own pair of sockets. To do this, libcurl first creates a listening socket, then it creates a client socket, which it then connects to the listening socket. During the tim...
Mars: [XSS] Reflected XSS via POST request in (███████)
A reflected Cross-Site Scripting (XSS) vulnerability was identified in the celular parameter of a POST request to the homepage of a Mars-owned website. The vulnerability was classified as medium severity with a CVSS score of 6.2. The application failed to properly sanitize user input before renderi...
Nextcloud: Tables app allowed users to view column metadata information of any table
The Tables app allowed users to view column metadata information of any table...
Nextcloud: Missing ownership check in Tables app allows moving columns into tables of other users
The Tables app in the specified software had a vulnerability that allowed moving columns into tables of other users without proper ownership checks...
curl: Memory Leak
in getparameter via strdup in tool_getparam.c (SIGSEGV). Project: cURL. File: src/tool_getparam.c. Function: getparameter → indirectly via getstr. Detected By: AddressSanitizer (ASan). Command Used: ASAN_OPTIONS="detect_leaks=1:verbosity=2:malloc_context_size=50" ./curl -K. Overview: A memory leak vulnerability h...
U.S. Dept Of Defense: Cross-Site Scripting via 'wikitext' parameter
A Cross-Site Scripting (XSS) vulnerability was discovered in the 'wikitext' parameter of a web application. The vulnerability allowed an attacker to inject malicious scripts that could be executed by the application. No further details were provided regarding the impact or the affected product...
U.S. Dept Of Defense: Cross-Site Scripting via 'description_extra' parameter
A Cross-Site Scripting (XSS) vulnerability was discovered in the 'description_extra' parameter of the application. The vulnerability allowed an attacker to inject malicious scripts that could be executed, potentially leading to unintended consequences. The vulnerability was reported and the necessar...
U.S. Dept Of Defense: Cross-Site Scripting via 'return_link_url' parameter
A Cross-Site Scripting (XSS) vulnerability was discovered on a website. The vulnerability was found in the 'return_link_url' parameter, which allowed an attacker to inject malicious scripts that could be executed. Exploitation of this vulnerability could have led to consequences such as cookie theft...
Tools for Humanity: Unlock underage blocked app without support interaction using airplane mode
The vulnerability allowed users to bypass the support requirement to unlock their blocked accounts in the iOS app. By changing the date of birth to an underage value, the app would lock the account and require contacting support for unlocking. However, by using airplane mode, users could initiate...
U.S. Dept Of Defense: Cross-Site Scripting via 'autoPlay' parameter
A Cross-Site Scripting (XSS) vulnerability was discovered on a website through the 'autoPlay' parameter in the GET method. Exploitation of this vulnerability allowed the injection of malicious scripts that could be executed. A proof-of-concept was provided demonstrating an alert pop-up...
U.S. Dept Of Defense: Cross-Site Scripting via 'currentImage' parameter
A Cross-Site Scripting (XSS) vulnerability was discovered on a website from the U.S. Navy through the 'currentImage' parameter in the GET method. The vulnerability allowed for the injection of malicious scripts that could potentially be executed. A proof of concept was provided that demonstrated th...
curl: curl -OJ allows creating custom .curlrc file which allows exfiltrating private data, among other things
Summary: If someone convinces someone to use curl -OJ http://example.com/somefile.txt, the Content-Disposition header can be used to create a .curlrc file if one doesn't exist and one is running curl from the home directory. From that point on, the attack controls any argument to all curl...
U.S. Dept Of Defense: Reflected XSS in `Telerik.ReportViewer.axd` with F5 BIG-IP ASM Bypass on `████`
A reflected cross-site scripting (XSS) vulnerability was discovered in the Telerik.ReportViewer.axd endpoint on the staging subdomain. The vulnerability was exploited by leveraging an unsupported event handler that was not filtered by the F5 BIG-IP Application Security Manager (ASM) WAF. An obfuscate...
curl: CRLF Injection in `--proxy-header` allows extra HTTP headers (CWE-93)
Hello Team, There is a bug in curl where a user can inject new HTTP headers into a proxy request by using special characters in the --proxy-header option. This is done by adding \r\n carriage return + line feed inside the header value. This breaks the HTTP format and lets the user create more...
curl: curl_easy_header runs at O(N) or worse and can be abused to use minute(s) of CPU time
Summary: The implementation of curl_easy_header can be abused by a malicious server that puts all headers under a single key. Imagine a server response like: HTTP/1.1 200 OK a: a: a: a: (repeat until MAX_HTTP_RESP_HEADER_SIZE bytes are used). As a developer, if you want to loop through the headers you do...
Node.js: HashDoS in V8
The V8 release used in Node.js v24.0.0 changed how string hashes were computed using rapidhash. This implementation reintroduced the HashDoS vulnerability, where an attacker who could control the strings to be hashed could generate many hash collisions without knowing the hash-seed...
Informatica: EXIF metadata not stripped from profile image
The EXIF metadata was not stripped from the profile images uploaded to the platform. This could have resulted in the disclosure of location or other personal information associated with the uploaded images...
U.S. Dept Of Defense: SQL Injection via URL
A SQL injection vulnerability was discovered in the website's URL. The vulnerability allowed manipulation of SQL queries executed by the backend database. The vulnerability was demonstrated by changing the sleep value, which resulted in longer or shorter delays in the page loading...
U.S. Dept Of Defense: SQL Injection - entryid parameter in 'formbuilderv2-confirmation.php'
A SQL injection vulnerability was discovered in the 'entryid' parameter of the 'formbuilderv2-confirmation.php' script on the website. The vulnerability allowed for the manipulation of SQL queries executed by the backend database...
U.S. Dept Of Defense: POST XSS - fields[account][lastname] parameter
A cross-site scripting (XSS) vulnerability was discovered in the fields[account][lastname] parameter of the POST request. The vulnerability allowed an attacker to inject malicious scripts that could be executed. This could potentially lead to consequences such as cookie theft and session hijacking...
U.S. Dept Of Defense: POST XSS - fields[account][firstname] parameter
A cross-site scripting (XSS) vulnerability was discovered in a parameter named "fields[account][firstname]" that was processed via the POST method. The vulnerability allowed the injection of malicious scripts that could be executed when the affected page was loaded. The impact of the vulnerability was...
U.S. Dept Of Defense: POST XSS - data[type] parameter
A Cross-Site Scripting (XSS) vulnerability was discovered on a certain system. The vulnerable parameter was data[type], which allowed an attacker to inject malicious scripts that could be executed. The vulnerability was reported and referenced...
U.S. Dept Of Defense: SQL Injection - data[account][id] parameter
A SQL injection vulnerability was discovered in the "data[account][id]" parameter on the website. The vulnerability allowed for the manipulation of SQL queries executed by the backend database. The impact of this vulnerability was not specified...
U.S. Dept Of Defense: POST XSS - data[account][id] parameter
A Cross-Site Scripting (XSS) vulnerability was discovered in the POST method through the "data[account][id]" parameter. The vulnerability allowed the injection of malicious scripts that could be executed. The affected system was located on a system host. The vulnerability was not assigned a CVE number...
Mars: RXSS on ██████ via customerId parameter
A Reflected Cross-Site Scripting (XSS) vulnerability was identified on the Mars website at ██████. The vulnerability was located in the customerId parameter, which was inadequately sanitized before being reflected back to users in the HTTP response. When the parameter was manipulated with malicious...
curl: HTTP/3 Stream Dependency Cycle Exploit
Penetration Testing Report: HTTP/3 Stream Dependency Cycle Exploit --- 0x00 Overview A novel exploit leveraging stream dependency cycles in the HTTP/3 protocol stack was discovered, resulting in memory corruption and potential denial-of-service or remote code execution scenarios when used against...
curl: HTTP/2 CONTINUATION Flood Vulnerability
0x00 Vulnerability Overview: Fatal Flaw in HTTP/2 Protocol Stack 1. HTTP/2 Header Block Fragmentation Mechanism RFC 7540 Specification: Header blocks are transmitted using a HEADERS frame followed by one or more CONTINUATION frames. All frames must belong to the same stream and be sent...
GitHub: Arbitrary Read of Another Users private repository without Authorization
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. This vulnerability affected all versions of GitHub Enterprise...
curl: Speculative Execution Side-Channel in `curl`
Penetration Testing Report: Speculative Execution Side-Channel in curl. Date: May 2025. Executive Summary: This report outlines a speculative execution side-channel vulnerability found in curl versions 7.12.0 to 8.9.0, specifically within builds supporting experimental QUIC...
U.S. Dept Of Defense: Swagger UI Injection via Config URL - `███`
A Swagger UI injection vulnerability was identified on a specific endpoint. The issue allowed an attacker to inject custom JSON configuration into the Swagger UI, potentially leading to unspecified consequences...
Fastify: Remote Code Execution via unsafe usage of `reply.view({ raw })` in @fastify/view (EJS template engine)
The @fastify/view plugin, when used with the EJS engine and the `reply.view({ raw })` pattern, allowed arbitrary EJS execution. This vulnerability arose from the fact that Fastify trusted the raw template string without sanitization or restrictions when passed directly to EJS's compile method, leading ...
curl: [High] Arbitrary File Write via Path Traversal in cURL CLI (`-o`, `--output`) (CWE-22: Improper Limitation of a Pathname to a Restricted Directory)
Summary: The -o / --output parameter in cURL does not restrict or sanitize file paths. When passed relative traversal sequences (e.g., ../../), cURL writes files outside the current working directory, allowing arbitrary file overwrite. In automated or privileged environments (CI/CD, root containers,...
curl: [High] MITM via Insecure CA Path Handling in cURL (--capath, CURLOPT_CAPATH) (CWE-494: Download of Code Without Integrity Check)
Summary: The --capath option in cURL and CURLOPT_CAPATH in libcurl accept any directory path without validation. If an attacker provides a custom CA path containing a fake root certificate, cURL will trust malicious HTTPS endpoints signed with that fake root. This allows for full Man-in-the-Middle...
WakaTime: Session Replay Attack Allows Authentication Bypass via Captured Login Responses Allowing Bypass of 429 Too many attempts for Multiple Failed Logins
Summary An attacker can bypass authentication by capturing a valid login response including session cookies/tokens and replaying it during a failed login attempt with incorrect credentials. The server fails to invalidate or validate session tokens properly, allowing unauthorized access even after...
Omise: Facebook Username Takeover via Broken Link in Footer
The Facebook username associated with the broken link in the footer was available for takeover. This could have allowed an attacker to create a fake Facebook page and mislead users into trusting it...
curl: Potential XSS vector in curl via unsanitized URL parameter handling
Description Summary: During the analysis of the curl source code, a possible vector for Cross-Site Scripting (XSS) was identified through the glob_url function and how URL input is handled via urlnode->url. Improper input validation or escaping could result in untrusted data being processed insecurel...
curl: Double Free Vulnerability in `libcurl` Cookie Management (`cookie.c`)
Description: Two Double Free vulnerabilities have been identified in the cookie.c file of the libcurl library. These issues occur due to improper memory management, where the same memory area is freed multiple times under certain conditions. Below are clear steps to reproduce each vulnerability...
curl: Use of a Broken or Risky Cryptographic Algorithm (CWE-327) in libcurl
Summary: The DES cipher (Data Encryption Standard) is used in the curl_ntlm_core.c file of libcurl. DES is considered insecure due to its short key length (56 bits) and its susceptibility to brute-force attacks. Modern cryptographic standards recommend replacing DES with AES (Advanced Encryption Standar...
Dust: Stored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover
A stored cross-site scripting (XSS) vulnerability was discovered in the Dust platform's file upload functionality. An attacker could upload a malicious HTML file to a conversation. When another user, including an admin, visited the uploaded file, JavaScript was executed in their authenticated brows...
Dust: Privilege Persistence via Cloned Agent
The vulnerability allowed a member to clone an agent managed by the admin by modifying the agent's unique identifier (sid). This resulted in the admin being unable to effectively disable the agent, as the cloned version could still be used by the member even after the original agent was disabled...
WakaTime: Broken Access Control Exposes Email Verification Status and Privacy Settings via API Endpoint
The /api/v1/users/username endpoint leaked sensitive email-related metadata, such as the user's email confirmation status and privacy settings, without proper authorization checks. This allowed attackers to determine whether an account's email address was confirmed and the user's email privacy...
Internet Bug Bounty: Denial of Service by memory exhaustion in net/imap
A vulnerability was discovered in the net-imap library that allowed denial of service by memory exhaustion. The vulnerability was caused by the library automatically reading and allocating memory for the size of "literal" strings sent by the server, without any limit on the size. This could be...
HackerOne: Internal Access to Hackerone confluence Docs
The vulnerability allowed external access to HackerOne's internal Confluence documentation through a support system misconfiguration. This configuration issue granted the ability to view and modify limited content within the Confluence instance...
Dust: BAC – Bypass chatbot restrictions via unauthorized mention injection
The Gemini chatbot was found to have a vulnerability that allowed unauthorized users to bypass permission restrictions and interact with the chatbot. The vulnerability was discovered when a user manually edited the request by changing the "mention" and "configurationId" fields, which allowed them...
Nextcloud: Calendar attachments of local files are offered for download
A security vulnerability in calendar attachments of local files was discovered, where users were offered to download the attachments...