Hiro: Invalidate active sessions after password change
Vulnerability description not provided...
Node.js third-party modules: Stored XSS (Hexo-admin plugin)
I would like to report a Stored XSS in Hexo-admin. The Post editor functionality in the hexo-admin plugin 3.9.0 for Node.js is vulnerable to stored XSS via the content of a post. Module module name: Hexo-admin version: 3.9.0 npm page: https://www.npmjs.com/package/hexo-admin Module...
Rockstar Games: Unquoted Service Path in "Rockstar Game Library Service"
In this report, the researcher discovered a flaw in a Registry entry created by the Rockstar Service, which is used to install, update, and uninstall Rockstar Games titles on Windows PCs. Specifically, the ImagePath setting used by the entry was not enclosed in quotation marks. Using quotation...
Starbucks: JumpCloud API Key leaked via Open Github Repository.
Summary: Open Github Repo Leaking Starbucks JumpCloud API Key Description: Team, while going through Github search I discovered a public repository which contains a JumpCloud API Key of Starbucks. Repo: https://github.com/██████████/Project. File:...
X (Formerly Twitter): http request smuggling in twitter.com
Summary: the same vulnerability reported in another domain, see this report here. Description: the description of HTTP request smuggling attacks: here. Detect HTTP request smuggling attack. Subdomains vulnerable: - to detect HTTP request smuggling attack with add header Transfer-Encoding: chunked and...
U.S. Dept Of Defense: [HTA2] XXE on https://███ via SpellCheck Endpoint.
A full read XXE vulnerability was discovered on a website via the SpellCheck endpoint, allowing an attacker to read local files, make HTTP requests to internal applications and read the responses, steal NTLM hashes, and also completely deny service to the application...
U.S. Dept Of Defense: [HTA2] Receiving████ access request on @wearehackerone.com email address
Hi, Description I'm not exactly sure what happened, but it seems that my researcher email [email protected] has been added in a group that receives new user access request from MIDRP. ████████ ██████████ Steps to reproduce I'm honestly not sure what happened. I did test a few .███...
curl: curl successfully matches IP address literal in URL against IP address literal in certificate Common Name
Summary: A user may invoke the curl command line utility with an IP address literal in the URL, such as https://192.168.124.2/... If the HTTPS server presents a certificate whose Common Name matches this IP address literal as a string (that is, the Common Name is the ASCII string 192.168.124.2), then...
HackerOne: Private program disclosure via `vpn_suspended` GraphQL query
Summary: vpn_suspended of the Team object got exposed. Description: An attacker can get the vpn_suspended value of any program, including an external program which also has a private program, e.g. █████, and an external program which does not have a private program. What can an attacker do with this? If an external...
Starbucks: China - IDOR on Reservation Staging/Non Production Site - https://reservation.stg.starbucks.com.cn
xmfc discovered that the staging/non production site at https://reservation.stg.starbucks.com.cn/api/customer/reservation/history allowed anyone to retrieve fabricated test user reservation data by providing an OTP of 111111. @xmfc — thank you for reporting this vulnerability and for confirming th...
Mail.ru: [dobro.city-mobil.ru] Insufficient authentication (access to the administrator panel)
Authentication bypass for admin interface access on dobro.city-mobil.ru. The report was submitted before the launch of a dedicated bug bounty scope for Citymobil...
Stripo Inc: stripo.email reflected xss
hello security team, tested on windows 10 and firefox 69.0.3 64 bit. test url: payload: %3E%22%27%3E%3Cscript%3Ealert%281578%29%3C%2Fscript%3E Proof Url :...
curl: curl on Windows can be forced to execute code via OpenSSL environment variables
Preface: While I have an interest in security, I am not a professional security researcher, so please be forgiving of any lack of convention in this submission. The intent is to help improve security of the OpenSSL and curl projects, their consumers and end users. I will be sending this same...
QIWI: Disclosure of sensitive information in composer.lock docker-compose.yml
Sensitive information disclosure in composer.lock and docker-compose.yml i die...
QIWI: some source code in the site root
It was possible to view part of the host's source files. I found this file; it contains PHP code. adminer.php.swp F607459 https://shop.tochka.com/%2eadminer%2ephp%2eswp...
curl: Only OpenSSL handles a CRL when passed in via CApath
Summary: Code in vtls/nss.c interprets the CApath option differently than the OpenSSL-using code; a user can easily be misled into insecure use of curl/libcurl. A CApath directory can contain CRL files in addition to CA certificate files, and they are used for certificate verification when curl calls OpenSSL...
QIWI: Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int
Summary: This report describes a combination of two separate vulnerabilities in two separate services. This chain of vulnerabilities allows an unauthenticated attacker to run arbitrary code on a server inside the company's internal network. Vulnerability 1: Jira at https://jira.tochka.com is vulnerabl...
HackerOne: ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages
Summary: Hi team, I've found an issue on the profile picture upload feature of your asset - https://hackerone.com, which can allow a malicious attacker to perform an application-wide denial of service attack. Description: I was playing with the profile picture upload feature, then I observed that...
Monero: Exploiting Network and Timing Side-Channels to Break Monero Receiver Anonymity
Summary: We present various examples of side-channel leakage in the communication between a Monero wallet and P2P node. Communication patterns and timing leak whether the wallet is the payee of a transaction that is sent into the transaction pool or mined in a block—thereby breaking transaction...
X (Formerly Twitter): http request smuggling in pscp.tv and periscope.tv
Description: the description of HTTP request smuggling attacks: here. It seems that many subdomains in pscp.tv and periscope.tv are vulnerable. 1- Detect HTTP request smuggling attack: 504 response with delay 30 s, 60 s "DoS". POC & Steps To Reproduce: in this video F606648 Resource:...
Keybase: Keybase client (Windows 10): Write files anywhere in userland using relative path in "download attachement" feature
Summary: I've tested this vulnerability on Windows 10, with the latest keybase client. If a user clicks on "Download file" during a chat, an attacker can write files anywhere in userland. When downloading a file from a chat, the file should always be written in the "Downloads" folder. Proof of concept: You ne...
X (Formerly Twitter): Creating malformed URLs via new line character in-between two URLs leads to misrepresented hyperlinks in Tweets/DMs
Summary: When composing a tweet or a direct message it is possible to use a new line character %0d to separate two URLs within the actual hyperlinking process, but not the URL displaying process. The new line character acts as an invisible character that disrupts the actual hyperlinking process,...
MyCrypto: URL is vulnerable to clickjacking
I'm not sure if this vulnerability is in scope or not; kindly, if you don't accept this report, please close it as informative or allow me to self-close it. Thanks in advance. Summary: URLs missing CSP headers are vulnerable to clickjacking. Steps To Reproduce: run the below code that I had...
X (Formerly Twitter): [Bypass fixed #664038 and #519059] Application settings change settings that have been set by the user
I have reported this bug in report 681361 so that you make a FULL fix, but you refused and considered it a duplicate, and I have to wait for report 664038 to be resolved; now I come again to report the bug. The settings for "protected tweets" that have been set from another application accidentally change...
Top Echelon Software: Disable xmlrpc.php file
Summary: xmlrpc.php can be used for portscanning or bruteforce attacks. It is better to hide this file. Steps To Reproduce: 1. Go to https://www.topechelon.com/xmlrpc.php 2. Send a POST request. POST /xmlrpc.php HTTP/1.1 Host: www.topechelon.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0...
Top Echelon Software: able to login into login.topechelon.com
The support login for our administrative account was using insecure credentials, allowing access to our administrative account. These credentials are not used, so we chose to deactivate the login to prevent access...
Mail.ru: SSRF in clients.city-mobil.ru
Limited non-blind SSRF in clients.city-mobil.ru. The report was submitted before the launch of a dedicated bug bounty scope for Citymobil. Non-blind SSRF in apt-cacher, used for getting software updates, allowing limited requests to internal services...
Node.js third-party modules: Prototype pollution attack (lodash)
I would like to report a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype. Module module name: lodash version: 4.17.15 npm page: https://www.npmjs.com/package/lodash Module Description: The Lodash library exported as Node.js modules. Module...
Razer: Request Smuggling vulnerability due to a vulnerable Skipper reverse proxy running in the environment.
The tester discovered that a server was using Skipper as a reverse proxy that was not fully patched, allowing a request smuggling vulnerability. We thank the tester for his report and excellent PoC and his patience with the slow response of the engineering team...
U.S. Dept Of Defense: default ████ creds on https://████████
Description: I can log into https://███ using █████ as credentials Impact Can do anything an ██████████ can do in this application, Server Now Step-by-step Reproduction Instructions 1. go to https://███████ 2. log in using ██████████ Suggested Mitigation/Remediation Actions use proper...
Mail.ru: Blind SQL Injection in city-mobil.ru domain
Error-based SQLi due to insecure use of a POST parameter in city-mobil.ru. The report was submitted before the launch of a dedicated bug bounty scope for Citymobil...
Nextcloud: Nextcloud Clickjacking Vulnerability
hi! Test domain: https://nextcloud.com Summary: https://nextcloud.com/ A clickjacking vulnerability was detected because the X-Frame-Options header was not set. More Steps To Reproduce: 1. Create a new HTML file 2. Include the following payload Trusted web page https://nextcloud.com 3. Op...
U.S. Dept Of Defense: Remote Code Execution in ██████
The vulnerability you reported has been resolved and this report is now closed. If you have any further questions or disagree that the report is resolved, please let us know. Thank you for your time and effort to improve the security of the DoD information network. Thanks @s3cr3tsdn for reporting...
U.S. Dept Of Defense: Able to log in with default ██████g creds at https█████████████████████.mil
Summary: ████ was able to use ████████████████████████ to log into this instance of Adobe Experience Manager, though it does not seem to be in use at the moment. Description: ███████ while navigating to https█████████████████████████.mil, I performed some fuzzing and found that /repository was...
U.S. Dept Of Defense: XXE with RCE potential on the https://█████████ (CVE-2017-3548)
The security vulnerability CVE-2017-3548 was identified in the Oracle PeopleSoft application. The vulnerability allowed for the execution of XML External Entity (XXE) attacks, which could potentially lead to remote code execution. A proof of concept was demonstrated that created a new service on th...
New Relic: Cross-account stored XSS at notes (through "swf" note parameter)
Hey team, I've found one more stored XSS, this one is inside a note. Since notes could be published to be available for any NR user cross-accountly, the impact is quite severe. You can see the publicly-available payload here: https://rpm.newrelic.com/public/notes/4qovMmDXV7P F603334 Steps to...
8x8: Publicly accessible .svn repository - aastraconf.packet8.net
The server contained artifacts from an old SVN repository. The files were removed...
Razer: [razer-assets2] Listing of Amazon S3 Bucket accessible to any AWS cli
The tester determined that an S3 bucket had insecure permissions. No customer data was in danger, but there was the potential for some Razer product collateral to be prematurely leaked, so Razer secured this bucket out of caution. Full writeup over at...
GitLab: Elasticsearch leaks data through the notes scope
Summary: The Elasticsearch results, when filtering using the notes scope, leak data about private groups, private projects, and private issues. Steps to reproduce: 1. Search, as an anonymous user, nextbit in the Gitlab group, filtering for the "comments" link 2. You will have as a result a private note...
GitLab: Blind SSRF in FogBugz project import
Vulnerability description not provided...
New Relic: Cross-account stored XSS at embedded charts
Hey team, I've discovered one more stored XSS, this one is at the embedded chart page. Steps to reproduce: 1. Sign into NR, navigate to any Mobile app - Interactions 2. Click ... near any chart, then choose Embed. Select OK at the confirm box. 3. Intercept the chart embedding POST request: http POST...
Acronis: Delete any user's added Email,Telephone,Fax,Address,Skype via csrf in (https://academy.acronis.com/)
The vulnerability allowed an attacker to delete any user's added email, telephone, fax, address, and Skype via CSRF in a GET method without any CSRF protection on the Academy Acronis website. This could be exploited by an attacker to delete sensitive information of any user. The issue was fixed b...
OWOX, Inc.: Session does not expire after logout
Reproduction: Step 1: Open URL https://www.owox.com/products/ or open your user account. Step 2: Copy the URL and paste it in another tab. Step 3: Go back again to the first tab and log out of your account. Step 4: Check that the copied URL section is still working properly. Reference From: 244875 Reference From: 263873...
Shopify: Reflective Cross-site Scripting via Newsletter Form
.myshopify.com is vulnerable to a reflective cross-site scripting attack in the newsletter form. This can be crafted to trigger on a page load without any further user interaction. The following example url shows this vulnerability:...
U.S. Dept Of Defense: Null byte Injection in https://████/
Description: Microsoft .NET Framework is prone to multiple NULL-byte injection vulnerabilities because it fails to adequately sanitize user-supplied data. Vulnerable URL: https://████/%2F%20This%20website%20is%20vulnerable%20to%20NULL%20BYTE%20INJECTION/ Steps to Reproduce: 1 An attacker can...
Mail.ru: donationalerts.com limitations bypass
The domain limitation for CORS in api-awards.donationalerts.com was incorrectly checked, which allowed cross-domain API requests...
Automattic: Rate Limit Misconfiguration on tumblr login .
Summary: The rate limit should always be on the login endpoint and have an acceptable limit, for example 20, but when there is no limit or the limit is huge, for example 5000, this is certainly dangerous because it is a Rate Limit Misconfiguration. -------------- PoC :...
Mail.ru: looch.tv CORS crossite user information and stream_key access
Incorrect CORS settings on api.looch.tv allowed cross-site access to user information and the stream key...
GitLab: Group search with Elasticsearch enabled leaks unrelated data
Summary: Performing a group search when Elasticsearch is enabled provides access to unrelated merge requests and issue activity, leaking the existence of private groups, plus their activity and MRs. This happens both in the GUI and with the APIs. Steps to reproduce: Let's take this search on the Gitl...
Liberapay: Private target account appears in search results
Summary: At the policy page, there is a special tailor account, highly confidential & secret! F600997 - Hide this profile from search results on Liberapay - Prevent this profile from being listed on Liberapay - Target account hackerone-target-team Description: In this exploit, I found the Privacy setting...