Semrush: Github information leaked
Researcher has found the third-party repository with test data for internal services development...
Valve: [GoldSrc] Remote Code Execution using malicious WAD list in BSP file
Summary TEXInitFromWad function calls COMFileBase to get the file name from a path into a buffer on the stack. Since COMFileBase does not have boundary checks and the buffer is small, a long WAD file name can trigger a Stack Buffer Overflow, leading to arbitrary code execution. Steps to reproduce...
Mail.ru: Delete images of users with clickjacking in https://pw.mail.ru
Researcher found site-wide Clickjacking on https://pw.mail.ru which potentially could be used to trick user to delete avatar or change his/her profile data...
Internet Bug Bounty: Out of Bounds Memory Read in exif_process_user_comment
I have found and reported an out of bounds memory read in PHP exif_process_user_comment. When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with dat...
Internet Bug Bounty: Out of Bounds Memory Read in exif_scan_thumbnail
I have found and reported an out of bounds memory read in PHP exif_scan_thumbnail. When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data wha...
WakaTime: [invalid][false-positive] csrftoken on profile page
Steps to reproduce: 1. Go to https://wakatime.com and create an account. 2. Log in, then go to the public profile. 3. Change the full name, intercept with Burp Suite and delete the csrftoken. 4. After forwarding, you see the name was changed. Impact Violation of Secure Design Principles...
Vanilla: Conversation API Leaks Details Of UnAuthorized Conversations
Summary: If a user creates a conversation and then leaves, all API calls and web access to that conversation are locked down, except for one particular API call which allows you to see details about ongoing conversations you have since left, as long as you created the conversation in the first...
U.S. Dept Of Defense: SQL Injection - https://███/█████████/MSI.portal
Summary: https://███████/███████/MSI.portal has a form page which is vulnerable to SQL injection. Description: URL: https://████/██████/MSI.portal?nfpb=true&pageLabel=msiportalpage61query The above url has a form where the field MSIqueryType is vulnerable to time based blind SQL injection. I...
Valve: /applications/dpc_(get|post) provide full access to api.steampowered.com with the Dota2 API key
The vulnerability allowed attackers to call arbitrary API methods using an API key with elevated privileges for Dota2...
X (Formerly Twitter): AppLovin API Key hardcoded in a Github repo
Hello, I found a Sensitive Data Exposure in github/mopub-android-mediation project, the AppLovin UI API key is hardcoded in source code. And in the comment it's mentioned that "This is a unique SDK Key from AppLovin. Get yours from the AppLovin UI". Github Link:-...
HackerOne: Total Paid Bounty Paid can be disclose
Summary: Hello HackerOne Bug Bounty Team, I noticed that HackerOne recently updated their interface. Indeed, when a hacker hovers his mouse over a program, it now discloses some new information: F556858 The one that interested us is the "Bounties sent in the last 90 days" value Description: This new...
U.S. Dept Of Defense: Examples directory is PUBLIC on https://████████mil, leading to multiple vulns
Description: Hello, In an effort to consolidate reporting, I have located 4 issues with having the Examples Directory open that may require just 1 solution to mitigate. The URLs that show concern are the following: 1. https://█████mil/examples/servlets/servlet/SessionExample --Will lead to...
Internet Bug Bounty: mod_remoteip stack buffer overflow and NULL pointer dereference
Versions Affected: httpd 2.4.32 to 2.4.39 Summary: When mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY v1 or PROXY v2 header could trigger a stack buffer overflow or NULL pointer dereference. This was assigned CVE-2019-100...
Vanilla: XSS For Profile Name
Summary: In short, if your username is something as simple as alert1, this will not be filtered when viewing your profile page. The unfiltered script alert is echoed underneath your image in your profile. This can be viewed by anyone viewing your profile. Although in some cases the browser will...
GitLab: Stealing data from customers.gitlab.com without user interaction
Summary An attacker can link her own customers.gitlab.com account to that of the victim, which gives access to 3 different vulnerabilities: - destroying subscriptions of the victim - buying new subscriptions using the victim's credit card for her own groups - some minor information disclosure abo...
Nextcloud: Circle email members still have access to a shared folder/file after they are removed from the circle
If an email address is added to a circle, the email user still has access after the email address is removed from the circle. Requirements ------- circles app and share by mail app enabled Steps to reproduce ------------- 1. add an email address to a circle 2. share a folder/file with the circle 3...
Trint Ltd: Leak of Internal IP addresses
Summary: The leak of Internal IP Addresses. IP Addresses:- 10.6.96.4 10.6.136.194 10.6.127.182 Assessment: add your assessment of the vulnerability Steps To Reproduce: 1. Open request page of graphql2.trint.com with "getUser" Operation name. 2. Remove "authorization: Bearer" line and error will...
GSA Bounty: xmlrpc.php file enabled - data.gov
WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. This website, www.data.gov, has the xmlrpc.php file enabled. Impact This can be automated from multiple hosts and be used to cause a mass DDoS attack on the victim...
Algolia: Subdomain takeover at recommendation.algolia.com
Description Hello sir, your subdomain recommendation.algolia.com has the CNAME recommendation.us, and recommendation.us is for sale, which can lead to subdomain takeover. Steps to reproduce 1. Check the CNAME of recommendation.algolia.com 2. See that the CNAME "recommendation.us" is for sale using looku...
BlockDev Sp. Z o.o: Steal collateral during `end` process, by earning DSR interest after `flow`.
Summary: The end contract in MCD controls the process of shutting down the MCD contracts and allowing users to redeem their DAI for collateral -- presumably to migrate to a new implementation of DAI. The process, however, doesn't prevent the continued functioning of DAI savings accounts pot...
U.S. Dept Of Defense: Online training material disclosing username and password
Summary: A training document is revealing username and password details for what appears to be a DoD training system. Description: Using the Google dork site:.mil ext:ppt intext:password, I was able to find a number of PowerPoint documents on .mil websites that include usernames and passwords. This...
Nextcloud: Username and Access Token Disclosure
Versions ===================== Nextcloud Server Version: 16.0.3.0 it.tsweb.Nextcloud iOS App Version: 2.23.7 Description ===================== While logging in to an ownCloud instance, the iOS client sends the username and password to the resource /login?redirecturl=/login/flow/grant and receives...
Vanilla: Stealing the IP address from users
Hi team! Summary Pixel that steals your data. By creating an image on https://iplogger.org/ and inserting it in the forum, we can steal some data (IP, language, geolocation) of the users who see the message. Steps to reproduce + Set "wysiwyg" on + Create an image from https://iplogger.org/ and use t...
Curve: Business Logic Flaw - A non premium user can change/update retailers to get cashback on all the retailers associated with Curve
Hi, While testing your Android application I've found a business logic flaw by which a non-premium user can update/change the retailers whenever and to whatever retailers he wants. The Curve application has a functionality called "Earn curve cash". A non-premium user can select only 3 retaile...
Internet Bug Bounty: Use After Free in GC with Certain Destructors
The bug submitted at: https://bugs.php.net/bug.php?id=72530 The fix committed at: http://git.php.net/?p=php-src.git;a=commit;h=60a7e60b61b8e4a3d455974c83f76a26546ce117 Impact The bug can be abused for leaking arbitrary memory blocks or executing arbitrary code remotely via PHP's object deserializin...
Informatica: accounts.informatica.com - RCE due to exposed Groovy console
Researcher identified a misconfigured "Groovy" panel on an AEM web application that was vulnerable to RCE. The panel was subsequently disabled...
Mail.ru: Bash History file log
Researcher found a publicly accessible .bash_history file on one of the servers. The file contained commands without sensitive data in them...
Slack: SSRF via Office file thumbnails
On August 12, 2019, a group of researchers reported an exploit path for a vulnerability in LibreOffice. Slack uses LibreOffice to process certain file types for preview. A specially crafted file uploaded to Slack could permit local file access and expose an internal Slack AWS credential for the...
U.S. Dept Of Defense: [CVE-2019-11510 ] Path Traversal on ████████ leads to leaked passwords, RCE, etc
Summary / Description: █████ is vulnerable to Path Traversal which can lead to remote code execution. Impact Critical Step-by-step Reproduction Instructions 1. Run the following cURL command to get the file /etc/hosts curl --path-as-is -k -D-...
U.S. Dept Of Defense: Pulse Secure File disclosure, clear text and potential RCE
Summary: Pulse Secure has two main vulnerabilities that allow file disclosure and post-auth RCE Description: CVE-2019-11510 is a file disclosure due to some normalization issues in Pulse Secure. I was able to reproduce this by grabbing /etc/passwd...
Mail.ru: Avatar upload allows arbitrary file overwriting
Directory traversal via the filename extension for avatar upload allowed overwriting arbitrary files in the S3-compatible bucket for static files on pandao.ru. Pandao.ru belongs to the extended scope...
Priceline: Account takeover via Google OneTap
Summary: It's possible to take over any priceline.com user's account knowing their email. The only requirement is that the victim's email domain is not registered with Google's Gsuite. The root cause of this issue is that the backend does not verify whether the email provided is a confirmed one...
Mail.ru: [agent.33slona.ru] Recovery code bruteforce
It was possible to brute-force the mobile recovery code...
U.S. Dept Of Defense: Account takeover through CSRF in http://███████/██████████/default.asp
Summary: Hi team, I have found a CSRF vulnerability in http://██████/████/default.asp that leads to account takeover. Step-by-step Reproduction Instructions 1. Go to http://██████████/████████/default.asp and login 2. Copy the below HTML code 3. Submit the request and see your profile 4. Try to...
Node.js third-party modules: Lodash "difference" (possibly others) Function Denial of Service Through Unvalidated Input
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report a denial of...
GitLab: Uncontrolled Resource Consumption in any Markdown field using Mermaid
Summary I found a bypass for the mitigation of DoS via Mermaid CVE-2019-9220. As the mitigation for CVE-2019-9220, the input limit of 5000 characters is currently applied to a Mermaid code block, but it can be bypassed by simply splitting the longer payload to many code blocks. Steps to reproduce...
VK.com: Stored XSS virus in al_video.php?act=a_choose_video_box
XSS in video...
Mail.ru: Disable 2FA via CSRF (Leads to 2FA Bypass)
A CSRF vulnerability in pandao.ru allowed disabling 2FA. pandao.ru belongs to the extended scope...
HackerOne: Disclosure of Program email Title Report when being removed as contributor. Bypass for Report #645264
Summary: It is somehow related to report 645264. But I found an alternative way to reproduce the issue even though it is considered resolved. Steps To Reproduce 1. As a Program admin, navigate to Program Settings 2. Click Program 3. Click Email Notifications 4. Make sure it is set to No Content ...
OLX: Bypass Rejected ads so user can view it as normal live ad.
A logic error allowed creating chats from ads that were still pending moderation or were rejected...
Brave Software: Link obfuscation bug
Summary: The link preview in the bottom left of Brave Browser will show the link where the user will be redirected after clicking it, but after clicking the link, the affected user will be redirected to another website. Products affected: Latest version of Brave browser Steps To Reproduce: 1. Open...
HackerOne: [Bypass #645264] Report title disclosure despite the program setting for email notification being set to "No Content"
Hi Team, Summary: There is a newly disclosed resolved report, Program Email Notification settings ignored when being added as an external contributor. However, I found that the fix is incomplete. I have found that the email invitation for a collaborator bounty split is still disclosing the Report title in...
Nextcloud: Veracode and security audit record are publicly available
Leakage of sensitive data through open endpoint Risk management and Compliance Document written by NCC Here is what the document says: "Proprietary Information This document contains detailed commercial, financial and legal information, which is confidential and commercially sensitive. The release...
BCM Messenger: IDOR leading to downloading of any attachment
Description: Hey team, I came across an endpoint in your Android app which could be used to download any attachment that is uploaded to your server. All the attacker needs to do is brute-force the simple ID, which surprisingly is a randomly generated number. I personally think it's based on...
ForeScout Technologies: HTML Injection & Content Spoofing
Summary: The main search box of the site "www.forescout.com" is vulnerable to HTML Injection & Content Spoofing Steps To Reproduce: 1. Visit the example link 2. In the search box enter HTML code test 3. In the result page, the HTML code will be rendered Impact 1. Enter the next code in the search box...
New Relic: Stored XSS at APM transaction map (transactionName field)
Hey team, You've recently fixed my previous report about the transaction map stored XSS, 549084, and the fix is correct; I wasn't successful in finding a bypass. But I've discovered another vulnerable transaction map field, transactionName. An attacker can inject a payload inside this field and then,...
Grammarly: Can register any mobile number in MFA without current code.
@chackmate identified a vulnerability that allows a user to connect arbitrary phone numbers with their account. No users affected...
Grammarly: Previously created sessions continue being valid after MFA activation
Hi team, I found one issue related to your 2FA system on https://account.grammarly.com/security POC 1. Access the same account on https://account.grammarly.com on two devices 2. On device 'A' go to https://account.grammarly.com/security and complete all steps to activate the 2FA system. Now the 2FA is...
MyEtherWallet: Local Storage Custom Node Credentials Leak
Summary Credentials for a custom node are stored in plain text inside Local Storage on the user's machine. If this node is configured in a certain way this could lead to the theft of any funds in accounts attached to this node, by a local attacker. And if not configured this way, an attacker coul...
Nextcloud: Username Enumeration
Hi, it is possible to determine the existence of a user account. It reveals usernames, which can open new attack vectors. Version: Nextcloud 16.0.3 Request for existing account: GET /avatar/admin/80?v=-472 HTTP/1.1 Host: localhost:8084 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.14; rv:68....