15267 matches found
Nextcloud: Sensitive Information Disclosure via Back Button Post Logout on https://apps.nextcloud.com/account/
A cache control vulnerability was identified on the https://apps.nextcloud.com/account/ page. After logging out, sensitive information such as the user's first name, last name, and email address remained accessible by using the browser's back button. This occurred due to improper caching of...
curl: Authorization Header Leak via --location-trusted in Curl
Curl's --location-trusted Option Leaks Authorization Header Across Domains The --location-trusted option in Curl forwards the Authorization header when following cross-origin redirects, exposing Basic Authentication credentials to untrusted hosts. - If an attacker controls a redirecting endpoint,...
Yelp: Unauthorized Reservation Cancellation Through IDOR Vulnerability
Vulnerability description not provided...
curl: Elevation of Privileges (EoP) vulnerabilities related to some easy options on Windows
Summary: An Elevation of Privileges (EoP) vulnerability can occur in a Windows privileged process that uses CURLOPT_COOKIEJAR, CURLOPT_HSTS, or CURLOPT_ALTSVC. This vulnerability arises due to the differences in the implementation of the unlink function between Windows and Linux, as well as the behavio...
Internet Bug Bounty: CVE-2024-56374: Denial-of-service vulnerability in IPv6 validation
A denial-of-service vulnerability was discovered in Django's IPv6 validation. The lack of an upper bound limit enforcement in strings passed during IPv6 validation could lead to a potential denial-of-service attack. The vulnerable functions, clean_ipv6_address and is_valid_ipv6_address, as well as the...
Internet Bug Bounty: CVE-2024-56374 Potential denial-of-service in IPv6 validation
CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation. A potential denial-of-service vulnerability was discovered in the IPv6 validation functions of Django. The lack of an upper bound limit on the length of input strings passed to the private functions clean_ipv6_address and...
HackerOne: Public GitHub repositories for multiple HackerOne managed triage team profiles contain private HackerOne reports information
Publicly available GitHub repositories for HackerOne-managed triage team profiles were found to contain private HackerOne vulnerability reports. Several repositories were identified that reproduced exploits for private bug bounty programs. The disclosed information included details such as access...
Stripo Inc: [my.stripo.email] Blind SSRF Vulnerability in Stripo App Export via Missing Endpoints Export Email Message to Zapier
A critical Blind SSRF (Server-Side Request Forgery) vulnerability was identified in the export service of the Stripo app. The vulnerability existed in the endpoint /exportservice/v3/exports/WEBHOOK/accounts, where malicious input could be provided in the webhookUrl parameter, triggering SSRF and...
Basecamp: Improper Cache Handling Allows Access to Post-Logout Pages
The report detailed how some browsers' bfcache allowed access to post-logout pages...
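The Nextcloud and Basecamp entries above are the same class of finding: an authenticated page that the browser is still allowed to show from its history or back/forward cache after the session is gone. The block below is an added example (not from either report or vendor) of the response-header check a tester would run over such a page: it parses Cache-Control and reports the directives that leave the page reusable. The sample header sets are constructed for the example; the finding strings are this example's own wording.

```python
from typing import Dict, List, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into lower-cased directives and optional arguments.

    'no-store, max-age=0, private' -> {'no-store': None, 'max-age': '0', 'private': None}"""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def back_button_findings(headers: Dict[str, str]) -> List[str]:
    """Findings for a response that renders session-bound data (profile page etc.).

    Header names are matched case-insensitively, as they arrive on the wire."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: page may be replayed from history after logout")
        if "no-cache" in cc:
            # Common misconception: no-cache only forces revalidation of a stored
            # copy; it does not stop the browser keeping one for the back button.
            findings.append("no-cache alone forces revalidation but still permits storage")
    if "max-age" in cc and cc["max-age"] not in (None, "0"):
        findings.append(f"max-age={cc['max-age']} permits reuse without revalidation")
    if "public" in cc:
        findings.append("public allows shared caches to store authenticated content")
    return findings


# Constructed sample responses for the example.
SAMPLE_WEAK = {"Content-Type": "text/html", "cache-control": "no-cache, must-revalidate"}
SAMPLE_HARDENED = {"Content-Type": "text/html", "Cache-Control": "no-store, no-cache, max-age=0"}
```

Run back_button_findings over every response captured while authenticated, not just the account page the report names: the same header set is usually emitted by a framework middleware, so one weak page tends to mean all of them are. Logging out does not retroactively fix a page the browser already holds, which is why the fix belongs on the authenticated responses themselves.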
Internet Bug Bounty: #2931639 ActionView sanitize helper bypass with math-related tags
There is a vulnerability in Rails-HTML-Sanitizer 1.6.0, which is also used by Rails ActionView. The vulnerability allows for bypassing the sanitization process when certain math-related tags, such as "math", "mtext", "table", "style", and "mglyph" or "malignmark", are allowed. This could lead to...
Internet Bug Bounty: ActionView sanitize helper bypass with style
The Rails-html-sanitizer, which Rails ActionView also uses, failed to sanitize input when the style tag was allowed, leading to a potential XSS vulnerability. The vulnerability affected version 1.6.0 of the sanitizer and was addressed in version 1.6.1...
Internet Bug Bounty: ActionView sanitize helper bypass with style and math
The Rails-html-sanitizer version 1.6.0 was affected by a vulnerability that could lead to a bypass of the sanitization process, resulting in potential cross-site scripting (XSS) attacks. The vulnerability was addressed in version 1.6.1...
Internet Bug Bounty: ActionView sanitize helper bypass with 'style' and 'svg' tags
The Rails-html-sanitizer, which Rails ActionView also uses, failed to sanitize input when svg and style or math and style tags were allowed. This resulted in a potential XSS vulnerability in applications that used the sanitize helper...
Internet Bug Bounty: ActionView sanitize helper bypass with noscript
The Rails-html-sanitizer 1.6.0 contained a vulnerability that allowed bypassing the sanitization process when the noscript tag was used. This could have led to potential cross-site scripting (XSS) attacks in applications that used the vulnerable version of the sanitizer, including those using the...
Cosmos: Attacker can use any non-enabled capability
The Capabilities implementation in CosmWasm contracts was found to have a vulnerability. Even if the executing chain did not allow a specific capability, a CosmWasm contract could still execute actions that required that capability. This was due to a naive implementation of capabilities and...
U.S. Dept Of Defense: ASP.NET Application Trace Enabled
The ASP.NET application trace feature was enabled on a public-facing URL, which exposed sensitive internal information, including Session ID values and the physical file paths of server-side resources. This vulnerability could have allowed attackers to gain unauthorized insights into the server...
U.S. Dept Of Defense: Public google drive link Exposes Military Orders Containing PII (Name, SSN etc..) and Operational Details
A public Google Drive link was found that exposed military orders containing personally identifiable information (PII) such as full names, Social Security numbers, home addresses, and security clearance levels. The vulnerability was discovered on a website located at...
AWS VDP: Non-Production API Endpoints for the ssm Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The non-production API endpoints for the ssm service were found to fail to log to CloudTrail, resulting in silent permission enumeration. Eighteen non-production endpoints were identified that can be used with standard IAM credentials without generating CloudTrail logs...
Nextcloud: Blind SSRF Vulnerability in Appstore Release Upload Form
Vulnerability description not provided...
1Password - Enterprise Password Manager: API Key Exposed in JavaScript File on 1Password Developer Site
An API key has been exposed in the JavaScript file accessible via the public developer documentation for 1Password. This exposure could potentially allow unauthorized access to APIs or services that rely on this key, leading to a range of security issues, including data leakage or unauthorized...
Doppler: WAF bypass and JavaScript incomplete handling of Unicode characters might lead to DOM XSS
Hello, WAF: Doppler uses a Cloudflare firewall to prevent unwanted malicious injections "https://share.doppler.com/ext/jquery/dist/jquery.min.js?c=%22%3Cscript%3Ealert%27XSS%27%3C/script%3E%22" by accessing the endpoint you'll get to know that! But I found that this code "%0D%0A%0D%0A" bypasses the...
TikTok: Unauthorized Access to Private Video Description via Translation API for Private Accounts
A vulnerability was discovered in the TikTok translation API endpoint that could have allowed unauthorized access to video descriptions contained in private accounts...
Internet Bug Bounty: Deadlock in x86 HVM standard VGA handling
The Xen hypervisor contained a vulnerability in its handling of standard VGA memory accesses for HVM guests. The locking mechanism used had an unusual discipline that could lead to a deadlock when emulating an instruction with two memory accesses to VGA memory. The vulnerability was acknowledged ...
IBM: There is a POST based CSRF issue over IBM endpoint leading to modification of contact information.
There was a CSRF vulnerability found in an IBM endpoint that allowed modification of contact information through a POST request...
Informatica: XSS1
The XSS vulnerability was discovered in the search functionality of the Informatica website. The vulnerability allowed an attacker to inject arbitrary JavaScript code into the search results, which could be executed by the user's browser...
Cosmos: Replacing ICA active channel during the upgrade and a bit more
The active channel on the ICA controller was set during the channel acknowledgement, which was a check-then-act operation that was not atomic. The active channel on the ICA host was set during the channel open confirmation, but the check for the channel existence was not atomic. This allowed an...
curl: CVE-2025-0167: netrc and default credential leak
Summary: The fix for CVE-2024-11053 seems to be incomplete. The information leak problem could be reproduced again if netrc is used in step 1. Affected version: all. Steps To Reproduce: 1. Adapt test479 to use netrc like below (both user and password are not provided for b.com): machine a.com login alice...
Trendyol: Cache Poisoning Allows Zero Interaction Store XSS
The vulnerability allowed an attacker to perform a cache poisoning attack, which resulted in a zero-interaction stored cross-site scripting (XSS) vulnerability on the Trendyol website. The attack was achieved by modifying the User-Agent header and adding a malicious parameter to the URL, which was...
Mozilla: Netlify Authentication Token Exposed in Public Mozilla CI Logs
A critical vulnerability was discovered involving the exposure of a Netlify authentication token within publicly accessible logs. The token provided full access to the "Mozilla IT Web SRE" Netlify account, bypassing all restrictions. The token's permissions encompassed roles such as Owner,...
XVIDEOS: Lack of Rate Limiting on Account Creation Endpoint
A vulnerability was identified in the account creation process. The affected endpoint lacked proper rate limiting mechanisms, allowing for the automated creation of multiple user accounts without restrictions. This security flaw could be exploited using tools to generate a large number of fake...
curl: Git repository found
Summary: Hello team, when I was researching I found a domain vulnerable to downloading the git repository and I will explain that. Steps To Reproduce: 1. Add the DotGit extension to your browser 2. Now try to access the domain https://curl.dev/ 3. You will see that the extension alerts and can download that bucket...
Cosmos: Making transfer v2 channel unupgradable through the forwarding
The transfer v2 channel can become unupgradable through the forwarding functionality. The forwarding process can create packet commitments on a legitimate channel, which cannot be deleted due to the lack of acknowledgments from a malicious channel. This results in the legitimate channel being...
U.S. Dept Of Defense: Secret Access Key of AWS Firehose Disclosure
The domain had an endpoint that contained the secret access key of an AWS Firehose delivery stream encoded in base64. The secret access key was disclosed, allowing the record to be put into the Firehose delivery stream...
Node.js: Usage of unsafe random function in undici for choosing boundary
The vulnerability in the Undici library involves the use of an unsafe random function to choose the boundary for a multipart/form-data request. The use of Math.random to generate this boundary can be predicted if several of its generated values are known. This could potentially allow an attacker ...
curl: Hackers Attack Curl Vulnerability Accessing Sensitive Information
Summary: A critical security flaw in Curl. This is a data transfer tool and may potentially allow attackers to access sensitive information. Affected version: 6.5 through 8.11.0. Steps To Reproduce: Security vulnerability when curl is used with a .netrc file for the credentials and also uses an HTTP...
Monero: Remote memory exhaustion in Epee RPC stack under zero Receive Window
The Epee RPC stack in Monero was vulnerable to memory exhaustion attacks. Delayed ACK or zero Receive Window advertisements could cause the server to keep responses in the send queue until memory was exhausted. This could lead to remote crashes of Monero nodes that exposed their RPC interfaces...
curl: bypass of this Fixed #2437131 [ Inadequate Protocol Restriction Enforcement in curl ]
Summary: A flaw has been identified in the curl command-line tool related to its protocol selection mechanism. Specifically, the protocol restrictions set by the --proto option can be bypassed, allowing unintended protocols to be used despite explicit restrictions. This flaw can result in plainte...
Internet Bug Bounty: [CVE-2024-54133] Possible Content Security Policy bypass in Action Dispatch
A vulnerability was discovered in the content_security_policy helper in Action Pack of Ruby on Rails. Carefully crafted inputs were able to inject new directives into the Content-Security-Policy (CSP) header, potentially leading to a bypass of the CSP and its protection against cross-site scripting X...
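The mechanism in the entry above is generic: a CSP header is assembled by string-joining directive names and source lists, and a source value that carries a `;` smuggles in a whole new directive. The block below is an added example (not Rails code) that shows a naive builder producing the injected header next to a builder that rejects any directive name or source containing a separator. The policy dictionaries, the attacker value INJECTED_SOURCE and the character class in _SOURCE_RE are this example's own assumptions; the regex is intentionally conservative.

```python
import re
from typing import Mapping, Sequence

# A single CSP source expression (host, scheme, 'self', 'nonce-...', 'sha256-...')
# never contains ';' (directive separator), ',' (policy separator) or whitespace
# (source separator). Assumed character class for this example.
_SOURCE_RE = re.compile(r"[A-Za-z0-9*.:/'_+=%\-]+")
_DIRECTIVE_RE = re.compile(r"[a-z][a-z-]*")

# Constructed attacker-controlled value, e.g. an image host taken from user input.
INJECTED_SOURCE = "https://img.example; script-src *"


def build_csp_header_unsafe(policy: Mapping[str, Sequence[str]]) -> str:
    """Naive join that trusts every value verbatim. Kept only to exhibit the injection:
    because no script-src exists yet, the smuggled one is honoured and overrides
    default-src for scripts, defeating the policy."""
    return "; ".join(f"{d} {' '.join(s)}".rstrip() for d, s in policy.items())


def build_csp_header(policy: Mapping[str, Sequence[str]]) -> str:
    """Join directives, refusing any name or source that could open a new directive."""
    parts = []
    for directive, sources in policy.items():
        if not _DIRECTIVE_RE.fullmatch(directive):
            raise ValueError(f"invalid CSP directive name: {directive!r}")
        for src in sources:
            if not _SOURCE_RE.fullmatch(src):
                raise ValueError(f"invalid CSP source for {directive}: {src!r}")
        # rstrip() handles valueless directives such as upgrade-insecure-requests
        parts.append(f"{directive} {' '.join(sources)}".rstrip())
    return "; ".join(parts)


def rejects(policy: Mapping[str, Sequence[str]]) -> bool:
    """Helper for checks: does the hardened builder refuse this policy?"""
    try:
        build_csp_header(policy)
    except ValueError:
        return True
    return False


def demo_injection() -> str:
    """The header the unsafe builder emits for a policy carrying INJECTED_SOURCE."""
    return build_csp_header_unsafe({"default-src": ["'self'"], "img-src": [INJECTED_SOURCE]})
```

Rejecting rather than escaping is the right choice here: there is no escape sequence for `;` inside a CSP source, so a value containing one has no legitimate rendering and should fail loudly at the point where dynamic input reaches the policy.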
Internet Bug Bounty: [SECURITY] CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet
A vulnerability was discovered in Apache Tomcat where a race condition could be triggered on a Windows machine with a write-enabled default servlet, leading to remote code execution. The issue was caused by the case-insensitive nature of the file system, which allowed an uploaded file to be treat...
curl: OS Command Injection (subprocess Module Usage)
Summary: The Bandit tool flagged the usage of the subprocess module in the file curl.py under the B404:blacklist rule. This rule highlights potential security risks associated with using the subprocess module without proper sanitization of inputs, which can lead to command injection vulnerabilities... (Note that B404 fires on the import of subprocess itself; it is not evidence that any call site passes untrusted input to a shell.)
Nextcloud: [nextcloud/mail] Blind SSRF to Internal Network via "List-Unsubscribe" SMTP Header when allow_local_remote_servers is allowed
Vulnerability description not provided...
PlayStation: sys_fsc2h_ctrl kernel stack free
The sys_fsc2h_ctrl kernel function can lead to a kernel stack free vulnerability. The vulnerability is caused by a race condition involving multiple threads accessing a local stack buffer. This could potentially result in a privilege escalation...
Mozilla: Subdomain takeover on a subdomain under firefox.com
The subdomain ████ was vulnerable to a subdomain takeover due to its CNAME record pointing to a Fastly-hosted service that was not registered with Fastly. This allowed the researcher to claim and take control of the subdomain...
IBM: POST based Cross-Site Scripting on IBM research endpoint
The POST-based Cross-Site Scripting vulnerability on the IBM research endpoint was reported, analyzed, and remediated. The vulnerability was discovered by an external researcher...
Internet Bug Bounty: netrc and redirect credential leak
The netrc file in curl could lead to the unintentional leakage of a password to a different host when following HTTP redirects, if the netrc file had an entry matching the redirect target hostname but omitting either just the password or both login and password...
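Two curl entries on this page concern credentials crossing a host boundary on redirect: the --location-trusted entry (where forwarding the Authorization header to every redirect target is the option's documented purpose, and the safer default is plain --location, which drops it on a host change) and the netrc entry directly above (where an incomplete netrc entry for the redirect target was completed with the original host's password). The block below is an added example, not curl's code, of a redirect header policy that handles both: the original Authorization header is dropped when the host changes unless the caller explicitly opts in, and a netrc entry is used only when it is complete, so a partial entry can never be filled from another host's secret. The netrc text, hostnames and credentials are constructed for the example; the parser is a deliberately minimal one written here.

```python
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed .netrc content for this example (not a real file). b.example has an
# incomplete entry: a login but no password, the shape the report describes.
NETRC_TEXT = """
machine a.example login alice password s3cret
machine b.example login bob
machine c.example login carol password c4rol
"""


def parse_netrc(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal netrc parser: {machine: {'login': ..., 'password': ...}}, fields may be absent."""
    entries: Dict[str, Dict[str, str]] = {}
    tokens = text.split()
    current: Optional[str] = None
    i = 0
    while i < len(tokens):
        if tokens[i] == "machine" and i + 1 < len(tokens):
            current = tokens[i + 1]
            entries.setdefault(current, {})
            i += 2
        elif tokens[i] in ("login", "password") and current is not None and i + 1 < len(tokens):
            entries[current][tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return entries


def netrc_credentials(host: str, entries: Dict[str, Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """(login, password) only when the entry for host is complete.

    A partial entry yields None. It is never completed with credentials that
    belong to another host, which is exactly the leak the curl report describes."""
    entry = entries.get(host)
    if entry and "login" in entry and "password" in entry:
        return entry["login"], entry["password"]
    return None


def basic_auth_value(login: str, password: str) -> str:
    """Value of an HTTP Basic Authorization header."""
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()


def headers_for_redirect(original_url: str, location: str, headers: Dict[str, str],
                         entries: Dict[str, Dict[str, str]],
                         location_trusted: bool = False) -> Dict[str, str]:
    """Headers to send when following `location` from `original_url`.

    Default: drop Authorization when the host changes (curl's plain --location
    behaviour). location_trusted=True keeps it for every target, reproducing the
    cross-host exposure of --location-trusted. Then apply a complete netrc entry
    for the target host if no Authorization header remains."""
    src_host = urlsplit(original_url).hostname
    dst_host = urlsplit(location).hostname
    out = dict(headers)  # never mutate the caller's original request headers
    if src_host != dst_host and not location_trusted:
        out.pop("Authorization", None)
    creds = netrc_credentials(dst_host or "", entries)
    if creds is not None and "Authorization" not in out:
        out["Authorization"] = basic_auth_value(*creds)
    return out
```

The host comparison uses the parsed hostname only; if your client treats a port or scheme change as a different origin for credential purposes (curl does not forward Basic credentials when the host differs, and this example follows that rule), extend the comparison to cover scheme and port as well before relying on it.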
AWS VDP: A potential risk in the aws-lambda-ecs-run-task which can be used to privilege escalation.
The aws-lambda-ecs-run-task application created a function with a role that had excessive permissions, including the AdministratorAccess policy. This allowed for potential privilege escalation by an attacker...
Bykea: Lack of Feedback Validation Permits Arbitrary Driver Ratings
The vulnerability discovered by @bugbountywithmarco in Bykea's feedback system allowed authenticated passengers to submit feedback for drivers they had not actually ridden with. The exploit was limited to trips the attacker legitimately owned, and each trip could only affect one driver rating at ...
Yelp: Object Level access control leads to reading user's full requests, sessions, and error messages
A vulnerability was discovered in the Yelp internal administration tool called "Tailored Mail" hosted on the subdomain https://proze.yelp.com/. The vulnerability allowed unauthenticated attackers to read the internal admin's full HTTP requests, sessions, and other...
Nextcloud: admin_audit does not log actions on files in a group folder
The admin_audit app in Nextcloud versions prior to 24.0.4 did not log actions on files in a group folder...
U.S. Dept Of Defense: XSS vulnerability found in javascript code of https://███.mil
The XSS vulnerability was found in the JavaScript code of the website https://███.mil. The parameter "code" was not sufficiently sanitized, allowing the injection of malicious code. This vulnerability could have been exploited to execute arbitrary scripts in the context of the affected website...