15371 matches found
Versa Networks: Privilege Escalation Using Cron Jobs
In Versa Analytics, the cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. If the job is run as the user root, there is a potential privilege escalation vulnerability. In this case, the job runs a script as root that is writable by users who a...
Node.js: Node.js HTTP/2 Large Settings Frame DoS
Hi, I would like to report a vulnerability in the http2 module of Node.js. In section 10.5 of the HTTP/2 RFC an attack is described where an attacker is sending large SETTINGS frames that includes many settings inside it. We tested this scenario by opening many connections to the server and sendi...
GitLab: GitLab's GitHub integration is vulnerable to SSRF vulnerability
The GitHub service is vulnerable to a SSRF vulnerability. An attacker may be able to leverage this to make arbitrary POST requests in a GitLab instance's internal network. It can also be used to connect to cloud provider's instance metadata API, which may result in the ability to execute commands...
GitLab: Exfiltrate and mutate repository and project data through injected templated service
The GitLab import feature contains a vulnerability that allows an attacker to import a project that creates a service template. Service templates can normally only be created by a GitLab instance Administrator. When a new project is created, service templates are automatically initialized for the...
Mail.ru: [o2.mail.ru] nginx alias traversal
Invalid nginx configuration allowed limited path traversal in o2.mail.ru...
OLX: SQL Injection https://www.olx.co.id
I found the SQL Injection security hole on the website https://www.olx.co.id, this is a critical finding. here is the POC from the findings that I got Affectect:https://www.olx.co.id/ajax/buybundle/getbundle/ POC: Request DATA POST /ajax/buybundle/getbundle/ HTTP/1.1 Host: www.olx.co.id User-Agen...
X (Formerly Twitter): CRLF injection
Hello twiiter security team, on the domain ads.twitter.com http response splitting is vulnerability. PoC: https://ads.twitter.com/subscriptions/mobile/landing?ref=gl-tw-tw-promote-mode?t=%0d%0atest:tested Impact an attacker can set new header...
GitLab: EXIF metadata not stripped from JPG group logos
Summary: When uploading JPEG images as group logos on Gitlab, the EXIF metadata is not removed or changed in any way. Description: When setting up a group on Gitlab, you can upload a logo, and if you upload a JPEG with EXIF metadata on it, it isn't stripped. This can lead to disclosure of locatio...
Khan Academy: Take over of accounts created using Google or Facebook
When a user creates an account using Google or Facebook and does not set an additional password, it is possible to set their passwords via CSRF. Since the account is created using a social media account, no existing password check is needed and the CSRF check on the endpoint is broken. To...
HackerOne: Notifications sent due to "Transfer report" functionality may be sent to users who are no longer authorized to see the report
Hi Hackerone team, I am still able to access other program details etc. when i'm authenticated to HackerOne through SAML . I'm not sure if it's the same bug i reported earlier or there is some weak authorization check in place. PFA for more info i can access related to ██████████ etc. See the dat...
QIWI: https://teamplay.qiwi.com/ накрутка баллов => финансовые убытки для компании
Накрутка баллов в teamplay.qiwi.com...
Smule: Missing Rate Limit in Forgot Password can Lead to email address leakage of all smule accounts
Hello Smule, I have found a vulnerability by which an attacker can get access of all the gmail accounts associated with Smule. The forgot password parameter can be brute forced through which an attacker can get the email address. Steps to Reproduce Enter your email address and for the forgot...
GitLab: CRLF injection & SSRF in git:// protocal lead to arbitrary code execution
Summary: The implementation of git:// protocal in GitLab is vulnerable to CRLF injection and Server-Side Request Forgery. If the redis server is configured to listen on TCP socket eg. port 6379, an attacker can abuse SSRF to manipulate redis server, injecting malicious payload into systemhookpush...
PortSwigger Web Security: Privilege Escalation by abusing non-existent path. (Windows)
Vulnerability Overview When Burpsuite runs, it tries to load some DLLs in the path C:\Program%20Files. Because the folder doesn't exists, it can be created by a low-privileged user which can inject arbitrary DLL into the process when another privileged user runs Burpsuite. I have verified the...
Valve: Potential buffer overflow in demoplayer module of GoldSource Engine
Introduction Hey. There's a potential vulnerability in the GoldSource Engine that allows to write data to stack of arbitrary size, thereby causing a buffer overflow and the ability to execute assembler code using .dem files. Description The problem is located in the DemoPlayer::ReadDemoMessage...
Mail.ru: [Mail.Ru Android] Typo in permission name allows to write contacts without user knowledge
Hi, Mail.Ru app registers permission writecontacts xml but uses write xml which is unclaimed, has normal protection level by default and automatically granted to all apps. It means that any third-party apps have ability to insert any data into that database PoC xml java ContentValues contentValue...
Starbucks: Starbucks China Android app cloud storage service leaks a credential.
k3mlol found a credential encoded in the Starbucks China mobile application for Android phones, which provided access to a cloud-hosted service that was used to upload information for customer service requests. This credential allowed for read/write access. The credential has since been disabled,...
Smule: Missing Rate Limit in Password Change
Incorrect or missing rate limits related to account features...
Smule: Open Redirect on smule.com
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: Open Redirect at smule.com You...
Shopify: Stored XSS on demo app link
Hi, I found stored XSS in apps.shopify.com in the DEMO URL of the apps you create. POC 1. go to your partner account and create a new app 2. go to DEMO link in https://apps.shopify.com/services/appsubmissions/edit of your app put the payload you see below: F374863 and when pressing on preview...
Nextcloud: Event privacy level does not work in Thunderbird
Events in shared calendar with changed privacy level to any other than public are shown in Thunderbird as public anyway with all details How to reproduce: 1 - create an event in user A's calendar shared to user B 2 - change privacy setting of this event to any other than public 3 - open Thunderbi...
GitLab: Add and Access to Labels of any Private Projects/Groups of Gitlab(IDOR)
Summary & Description : If you have a private project or private group then no non member should be able to access any information.But Adding Labels in your Private boards API request is vulnerable to IDOR attack which is leading to add private group/project labels and access it. Vulnerable Reque...
OLX: Cross-site Scripting (XSS) - Reflected
Dear Security OLX team, I want to report the findings of the security gap on the olx.co.id website, the detailed findings are as follows: impact:https://www.olx.co.id/adminpanel/login/ Payload : ope8i"alert1grpo8 POC: paramter = userpassword POST /adminpanel/login/?ref0action=index&ref0method=ind...
Uber: Access to SQL server of ubergreen.pt through password disclosure from different domain on same IP
The uber microsite http://ubergreen.pt has an open MYSQL port on 3306. ubergreen.pt itself is hosted on the IP 109.71.41.173. After some research, it was found that this IP also hosts many other domains. As of yesterday 11/10/18, this included the domain apps.etnos.co. This domain existed on the...
QIWI: account takeover https://teamplay.qiwi.com
Здравствуйте. Нашел баг, как украсть аккаунт на данном сайте. Для того, чтобы это провернуть нам нужно знать эмайл вашего пользователя. Предположим что пользователь зашел на ваш сайт через аккаунт ВКонтакте, к его странице привязана почта [email protected] Мы идем на https://www.faceit.com и...
HackerOne: Verbose PHP error messages exposed on a blog article
Hey guys! For what its worth, warning messages aren't suppressed on the /blog/ endpoint, giving verbose PHP error messages when visiting a blog article such as https://www.hackerone.com/blog/H1-702-2018-makes-history-over-500K-bounties-paid. F374066 Impact Not much impact, just disclosures of pat...
Node.js third-party modules: Prototype pollution attack (upmerge)
Hi team, I would like to report a prototype pollution vulnerability in upmerge that allows an attacker to inject properties on Object.prototype. Module module name: upmerge version: 0.1.7 npm page: https://www.npmjs.com/package/upmerge Module Description JavaScript Object Merge and Clone for Clie...
Node.js third-party modules: Prototype pollution attack (lutils-merge)
Hi team, I would like to report a prototype pollution vulnerability in lutils-merge that allows an attacker to inject properties on Object.prototype. Module module name: lutils-merge version: 0.2.6 npm page: https://www.npmjs.com/package/lutils-merge Module Description Merge javascript objects...
Node.js third-party modules: Prototype pollution attack (mergify)
Hi team, I would like to report a prototype pollution vulnerability in mergify that allows an attacker to inject properties on Object.prototype. Module module name: mergify version: 1.0.2 npm page: https://www.npmjs.com/package/mergify Module Description Merge objects deeply Vulnerability...
HackerOne: Open redirect vulnerability in index.php
Summary: Hello Team i would like to report an open redirect on hackerone.com with reference to report 320376. In report 320376 it shows vulnerability i mitigated but still i am able to reproduce it. so all the summary and description remains the same. Redirection is performed by HackerOne website...
Semrush: Web cache deception attack - expose earning state information
Hello, I have found new Vulnerability in your website which called Web cache deception attack. It's found first time in Paypal. Web Cache Deception Attack Websites often tend to use web cache functionality to store files that are often retrieved, to reduce latency from the web server. Let's see a...
Khan Academy: Cross site scripting (content-sniffing)
Your website may be vulnerable to cross site scripting attacks HTTP request: GET...
HackerOne: Accidental Access to Programs Information via SAML Login
On November 8th, 2018, HackerOne released software to production that contained a bug which impacted our Security Assertion Markup Language SAML authentication system. As a result of the bug, the SAML JIT Just-In-Time provisioning mechanism granted users of one customer program read-only access t...
X (Formerly Twitter): Information Exposure Through Directory Listing vulnerability on 8 vcache**.usw2.snappytv.com websites
Summary: Researcher has found directory listing exposure to several vcache.usw2.snappytv.com websites. A directory listing provides an attacker with the complete index of all the resources located inside of the directory as well as download or access its contents. While the researcher did not dig...
Node.js third-party modules: Prototype pollution attack (smart-extend)
Hi team, I would like to report a prototype pollution vulnerability in smart-extend that allows an attacker to inject properties on Object.prototype. Module module name: smart-extend version: 1.7.3 npm page: https://www.npmjs.com/package/smart-extend Module Description smart-extend is an extensio...
Starbucks: Reflected Cross site Scripting (XSS) on www.starbucks.com
Summary: Reflected Cross site Scripting XSS on https://www.starbucks.com/account/signin?ReturnUrl Description: The attacker can execute javascript on the victims account just after the authentication process. Platforms Affected: www.starbucks.com www.starbucks.ca www.starbucks.com.br...
Concrete CMS: SVG file that HTML Included is able to upload via File Manager
Concrete5 has the whitelist for restricting that malicious file is uploaded. concrete/config/concrete.php, Line no. 8688 The extension whitelist allows to upload SVG file. However, SVG can has the HTML elements in its code. Ref. https://www.w3.org/TR/SVG2/intro.htmlW3CCompatibility If web browser...
FanDuel: Passive mixed content issues on the site https://*.fanduel.com
Hello. Summary: While browsing the sites https://www.fanduel.com and https://subscriptionapi.fanduel.com found a mixed content error on the site with HTTPS. This error is located at https://www.fanduel.com/press and https://subscriptionapi.fanduel.com/press. Image are uploaded to the site via HTT...
GitLab: Instant open redirect on Live preview WEB Ide opening
Hello Gitlab team! Asset is my own gitlab installation for Ubuntu. The issue I want to report is lack of sandbox attribute in iframe pointing to codesandbox. This results content inside iframe redirect top level window on load. How to reproduce: 1. create index.js with following content:...
WordPress: RCE as Admin defeats WordPress hardening and file permissions
This vulnerability was found when I found myself in the following scenario: My collegue set up WordPress on his local machine and challenged me to hack it. Before he gave me admin access he used the following hardeing mechanisms: 1. PHP Safe mode 2. The entire web directory was not writable 3...
Phabricator: TOTP Key is shorter than RFC 4226 recommended minimum
mongoose Observed Behavior: When creating a TOTP secret a 16 character base32 encoded string is presented to the user. Expected Behavior: I would expect a 32 character base32 secret to be presented. The RFC recommends 160 bits of entropy, which is 32 character x 5 bits per character in a base32...
Kaspersky: Kaspersky Password Manager is vulnerable to HTML injection in the browser action pop-up via user name
Note: According to https://www.securityweek.com/kaspersky-adds-password-manager-bug-bounty-program and some other sources, Kaspersky Password Manager is in scope for this program. The program description doesn't reflect this however. Summary There is a stored XSS vulnerability in popover.html the...
Imgur: Ability to login to the Nexus Repo Manager from https://nexus.imgur.com/
Hello Imgur Administrators, I am not sure if this falls in your scope but I wanted to alert you that your Nexus Repository Manager can be accessed through https://nexus.imgur.com/ Usually the default user/pass for the NRM are admin/admin123 but there is an alternative way to login using the below...
Grammarly: Reflected Cross Site Scripting (XSS)
hi there, here is the link that fired XSS https://www.grammarly.com/blog/search/" Impact stealing cookies stealing data etc...
HackerOne: SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter
The embeddedsubmissionformuuid parameter in the /graphql endpoint is vulnerable to a SQL injection. Execute the following command to reproduce the behavior: Locally: curl -X POST http://localhost:8080/graphql?embeddedsubmissionformuuid=1%27%3BSELECT%201%3BSELECT%20pgsleep\30%3B--%27...
X (Formerly Twitter): Incorrect details on OAuth permissions screen allows DMs to be read without permission
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: The OAuth screen can be tricke...
Open-Xchange: No session expiry after log-out and session id exposed in URL
Hi, There is no session expiry after log-out which can help an attacker to take-over the full account by reusing it. The JSESSIONID which is vulnerable can be used unlimited times even after the password change. The server will keep on creating an unlimited number of sessions after each log-in...
X (Formerly Twitter): Global defaming of any twitter user
Private tweets can be used to keep any user's tweet secret from rest of twitter world. Once the user changes his setting from private tweets to public tweets, all his secret tweets become visible. This can become a major issue causing global distributed attacks Steps to Reproduce 1. Assume the...
Hanno's projects: Text injection at https://media.hboeck.de
Text injection possible at https://media.hboeck.de if we craft url like this: https://media.hboeck.de/?c=http://www.example.com We can see the output on web app. Impact Defacement of website by following crafted link...
X (Formerly Twitter): Opportunity to post hidden comments
Twitter allows to comment on anyone's tweet. While testing this feature, observed that one can post comment on tweet which will be invisible to the victim whom the reply was posted and would be visible to any other twitter user. This can allow an Attacker to abuse victim on a tweet. The catch her...