Vanilla: Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability
Summary: An authenticated admin user can inject an unserializable password into another user's account. Later, when attempting a login with that user, the attacker can trigger a call to unserialize in the splitHash function. By using a custom POP chain to write into the constants.php file, an...
Uber: Full Path and internal information disclosure + SQLNet.log file discloses internal network information
The site at lab.usuppliers.uber.com was intended only for authenticated users, but certain internal pages did not enforce an authentication requirement. The log file at /OAHTML/bin/sqlnet.log disclosed internal Uber IP addresses, hostnames, and one internal username. Thanks again for this report...
U.S. Dept Of Defense: Account takeover due to CSRF in "Account details" option on █████████
Summary: Hi DoD team, similarly to the previous CSRF that I've reported, I've found another CSRF in the same domain, but on the Account details option. Description: The CSRF issue allows me to modify the data of every victim that is targeted using the CSRF file, leading to account takeover...
Tor: Expose user IP if TOR crashes
Greetings, I have noticed that for an unpredictable reason a TOR relay can expose the IP of a user. I noticed this by going to the server http://195.176.3.24/ and getting information about the headers. I arrived at this header, which is: "X-Your-Address-Is". How: -- - So I went to this tor-relay...
HackerOne: Discrepancy in hacker profile report count may reveal existence of a private program by publishing a report
Hi team, @pei, @jobert, @bencode. Summary: Again, we have the publish report page https://hackerone.com/hacktivity/publish. But we have bypassed query 401476 with this description: The profile page counts the number of your created reports. But it does not consider the reports that are created in the sandbox...
Internet Bug Bounty: Improper handling of Chunked data request in sapi_apache2.c leads to Reflected XSS
Hey, Chunked requests can trigger XSS and HTML injection at any endpoint because the APR_BRIGADE_INSERT_TAIL(brigade, bucket) bucket is getting destroyed by other handlers. Affected versions: Any. OS: Any. https://bugs.php.net/bug.php?id=76 Prashanths-MacBook-Pro: prashanthvarma$ nc localhost 80 POST /lol.php...
Shopify: Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation
Summary GraphQL LiveView operation doesn't properly check for permissions before returning data. This allows "No Access" users to access some store settings and data by providing complete Shop schema fields in the request string. Steps to reproduce 1. Log into an attacker account of a test store...
Node.js: Http request splitting
Hi, I came upon the following tweet today: https://twitter.com/YShahinzadeh/status/1039396394195451904 which details an HTTP request splitting vulnerability in NodeJS. You can confirm it with the following repro script: const http = require('http'); const server = http.createServer(req, res =...
Valve: XSS in steam react chat client
The Steam chat client both sends and receives bbcode format chat messages. These map to HTML elements, and notably the url bbcode tag is supported for arbitrary URLs. React has strong XSS mitigations but does not mitigate javascript: URI based XSS. This is rather difficult to exploit as the clien...
Shopify: SSRF in hatchful.shopify.com
This vulnerability is similar to https://hackerone.com/reports/156877, which I found in your old version of your logo-creator. During the logo-creating process the user can select a logo in the wysiwyg editor, then enter an email address and wait. At this moment the server sends to the user's browser a large amount of data...
Grammarly: "More on Wikipedia" link discloses "Referrer" and leaks `window.opener` reference for arbitrary websites
Summary: "Referrer" leak http:// link to Wikipedia transferring Referrer header allows a remote attacker with MITM access to sniff Referrer URL for important tokens after following "More on Wikipedia" link. Controllable page MITM with window.opener pointing to the navigation-initiated webpage...
Internet Bug Bounty: mod_userdir CRLF injection (CVE-2016-4975)
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Reported to security team 24th July 2016. Issu...
Mail.ru: XSS in touch.mail.ru
Browser-specific, user-assisted DOM-based XSS in message editor undo functionality via quoted content. The vulnerability did not affect mobile browsers used by the majority of touch.mail.ru web interface users...
GitLab: Bypass of GitLab CI runner slash fix in YAML validation
Hi Gitlab Security, I noticed that the bug 301432 that Jobert reported earlier could be bypassed by setting a variable in the environment. The reason is that the fix in place preventing URL normalization is performed by doing the YAML validation; however, this could be bypassed by setting the environment...
GitLab: Stored XSS in merge request pages
Summary: I found a Stored XSS in merge request pages. Description: The exploit is via the parameter mergerequestsourcebranch of the request to create a New Merge Request. Steps To Reproduce: 1. Sign in to GitLab. 2. Click the "+" icon. 3. Click "New Project". 4. Fill out the "Project name" form with...
HackerOne: Denial of service via cache poisoning
An attacker can persistently block access to any/all redirects on www.hackerone.com by using cache poisoning with the X-Forwarded-Port or X-Forwarded-Host headers to redirect users to an invalid port. To replicate: curl -H 'X-Forwarded-Port: 123'...
U.S. Dept Of Defense: Broken Authentication
Summary: IDOR. Description: It is possible to access other user accounts by changing the parameter 'email' to another valid e-mail; I managed to guess an existing user '███████@███.com', which discloses the ███ Name and Surname. Impact: Information Disclosure. Step-by-step Reproduction Instructions...
U.S. Dept Of Defense: Cross Site Scripting (XSS) – Reflected
Reflected Cross-site Scripting (XSS) occurs when an attacker injects browser-executable code within a single HTTP response. When a web application is vulnerable to this type of attack, it will pass unvalidated input sent through requests back to the client. The value of a request parameter is copied in...
Mail.ru: Cross-site Scripting (XSS) - Reflected vseapteki.ru
Reflected XSS via GET parameters in vseapteki.ru...
Mail.ru: Stored XSS
XSS in "Undo" functionality of message editing on replying to malformed message...
Mail.ru: ADDING YOUR OWN DATES TO A USER'S CALENDAR!
The reporter pointed to the possibility of marking a scheduled meeting request sent via an ICS file as accepted in the calendar via CSRF by bruteforcing the attachment id. Currently, this behavior is not believed to introduce real additional security risks, because the meeting can be added anyway without the user's intervention...
BOHEMIA INTERACTIVE a.s.: Weak Password Policy on Signup at https://accounts.bistudio.com/auth
Hi, I found that you are using a weak password policy! Because a user can set his password the same as his email address! Steps To reproduce: 1. Register an account with the email address "[email protected]" 2. Also the password "[email protected]". You can see both values are the same. You will become successfully register...
Valve: [help.steampowered.com] Account takeover bruteforcing SteamGuard
Due to a missing protection on a support endpoint, email verification codes could be bruteforced - leading to possible account takeover. The endpoint issue has been corrected...
GitLab: Unauthorized users may be able to view almost all information related to Private projects.
Summary: On most of the pages related to Private projects, cache control is inadequate, so the contents of Private projects may leak to unauthorized users. Description: For the visibility of projects, you can select Public, Internal, and Private. Among them, Private projects can only be viewed from...
Vanilla: Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability
Summary: An authenticated admin user can trigger a call to unserialize which can allow an attacker to gain remote code execution. Description: Please bear with me on this one, it's heavy. Ok, so after setting a Garden.TouchIcon setting (it can be several settings, this is just an example of one) we...
Greenhouse.io: Subdomain Takeover on demo.greenhouse.io pointing to unbouncepages
Actually this report is the same as this one: https://hackerone.com/reports/38007. Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on t...
Ruby on Rails: ActiveStorage service's signed URLs can be hijacked via AppCache+Cookie stuffing trick when using GCS or DiskService
ActiveStorage tries to force content-disposition: attachment for a list of content-types, including text/html. However, response-content-type and response-content-disposition in GCS and DiskService's URLs aren't signed, which means an attacker can modify them at will. This is not the case for Azu...
Valve: XSS @ store.steampowered.com via agecheck path name
Hi, I found a Cross-Site Scripting (XSS) in store.steampowered.com because the path after /agecheck/ is not sanitized as it should be. https://store.steampowered.com/agecheck/appmhuh2', sessionid: gsessionID, ageDay: '', ageMonth: '', ageYear: '' .done function response %20 ;alertXSS-by-TvM;function...
Mail.ru: ICQ 10.0.12371 icq: Uri Handler '-testability' URL File Insecure Library Loading Code Execution Vulnerability
Exploitation of a combination of an unsafe URI handler and insecure DLL loading could result in code execution via DLL injection in the ICQ desktop application for Windows if the user executes a malformed .url file...
Ubiquiti Inc.: Resource Consumption DOS on Edgemax v1.10.6
Resource consumption Denial of Service. 1: The request below shows that when you feed the beaker.session.id cookie variable a payload of 250 characters or more, the web management portal will produce an error page showing full path disclosure and more, as shown in screenshots error1.png and...
HackerOne: Self DOM-Based XSS in www.hackerone.com
Summary: There is a 'self' DOM-based cross-site scripting vulnerability in the contact form available on the www.hackerone.com website. This could allow an attacker to perform cross-site scripting, or other client-side attacks, against users of the application. However, the risk presented by this...
Starbucks: Thailand – a small number of alarm system portals accessible with the default credentials
radoooz discovered that a small number of AAP IP Module alarm system portals in Thailand were accessible, utilizing their default credentials. @radoooz — thank you for reporting this vulnerability and confirming the resolution...
BOHEMIA INTERACTIVE a.s.: Apache Server Version Disclosure
Hello Team, I would like to report a bug for https://forums.bohemia.net/ Banner Grabbing is a technique used to get information about remote servers. In addition, this directory is used to find information about remote servers. Proof of concept : 1. Go to https://forums.bohemia.net/applications/...
U.S. Dept Of Defense: SSRF on ████████
Summary: The web application hosted on the "███████" domain is affected by a Server Side Request Forgery (SSRF) vulnerability that could allow an attacker to force the application to make requests to arbitrary targets. Description: The affected handler is "/xmlrpc/pingback/". This handler...
WordPress: Stored XSS on Broken Themes via filename
Hi, I've found something here. Description: Stored XSS via the filename of a broken theme. When a theme is broken, WordPress reports the name of the theme that has been broken, which is the folder name of the theme, and reports the error with a description message. F342862 Looks like the filename is...
Shopify: Open redirection in OAuth
Steps to reproduce: 1. Open your Shopify partner account. 2. Create an app and click on "test your app". 3. Select a development store you own. 4. Intercept the request using Burp Suite and change the "installappSelect a store" parameter to any store, with no validation. The request looks like this: POST...
Node.js third-party modules: [apex-publish-static-files] Command Injection on connectString
I would like to report a command injection vulnerability in the apex-publish-static-files npm module. It allows arbitrary shell command execution through a maliciously crafted argument. Module module name: apex-publish-static-files version: 2.0.0 npm page:...
BOHEMIA INTERACTIVE a.s.: Clickjacking at ylands.com
Hi team, While performing security testing of your website I have found the vulnerability called Clickjacking. Many URLs are in scope and vulnerable to Clickjacking. What is Clickjacking? Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of...
DuckDuckGo: DOM XSS on 50x.html page
Hello, There is a DOM XSS vulnerability on https://duckduckgo.com/50x.html; it seems like the sink is DIV.innerHTML and the source is location.search. The PoC url is: https://duckduckgo.com/50x.html?e=&atb=test%22/%3E%3Cimg%20src=x%20onerror=alertdocument.domain;%3E The code that is causing this XS...
BOHEMIA INTERACTIVE a.s.: Stealing Users OAUTH Tokens via redirect_uri
Hi, I would like to report an Open redirection on the OAuth redirect_uri which can lead to users' OAuth tokens being leaked to any malicious user. Detail: During the OAuth flow, the redirect_uri on https://accounts.bistudio.com is not properly validated to ensure that the URL given is proper, as such a bypass of...
Grammarly: Emails from Grammarly missing sanitization(lack of validation?) -> HTML injection in emails
Summary: Emails from Grammarly, e.g. the "reset password" email, are missing HTML sanitization. That leads to content spoofing in emails. Steps To Reproduce: 1. Go to "Profile" 2. Find the reset password tab (if you're logged in using FB/Google, you won't see this menu) 3. Change email to something like:...
Slack: AWS bucket leading to iOS test build code and configuration exposure
@kiyell discovered an open AWS bucket which hosted the source code of the iOS test application, as well as some configuration information and test data relating to that test build. No customer data was exposed or at risk, and we resolved and investigated this issue. Thank you @kiyell for a neat...
Zomato: IDOR to delete images from other stores
Summary: The parameter photoids in the request below is vulnerable to IDOR: /php/clientmanagehandler?██████████&case=remove-active-photo Description: Since there is no check for resid or ownership, I was able to delete Gerben's image by just using the photoid from his store. This is a problem because i...
Weblate: 2nd issue: flood of emails, no rate limit on delete account confirmation email
There was no rate limit on the delete account confirmation email, leading to a user being able to send himself a flood of emails...
WordPress: Logic flaw in the Post creation process allows creating posts with arbitrary types without needing the corresponding nonce
Simon discovered that authors could create posts of unauthorized post types with specially crafted input. This was fixed in the 5.0.1 release, and Simon has published more details on his blog...
Node.js third-party modules: [buttle] Unsafe rendering of Markdown files
I would like to report a Cross Site Scripting vulnerability in the buttle module. It allows executing arbitrary JavaScript due to unsafe rendering of markdown files. Module module name: buttle version: 0.2.0 npm page: https://www.npmjs.com/package/buttle Module Description Another static file server? Why...
Weblate: flood of comments: no rate limit on comments when using a different user agent
It was possible to post 200-300 comments within minutes; there was no rate limiting applied...
Nextcloud: Information Exposure Through Directory Listing - https://apps.nextcloud.com/static/
Hi Security Team, URL: https://apps.nextcloud.com/static/assets/ Dork: site:nextcloud.com intitle:index.of Hello, I am Ismail Tasdelen. I was testing directory security and I saw many directories open. Thanks. Impact: A directory listing is inappropriately exposed, yielding potentially sensitive...
Weblate: Tab nabbing via window.opener
Details: When you open a link in a new tab (target="_blank"), the page that opens in the new tab can access the initial tab and change its location using the window.opener property. Attack scenario: here I have provided 2 videos; in video 1 I have my editorial link set, to show that tabnabbing is...
Khan Academy: Possible Take Over Subdomain For Inbound Emails
Hello KhanAcademy Security Team, I'm rootbakar. The researcher identified that the affected URL points to sendgrid.net via a DNS CNAME record. As a result of this, an attacker could potentially initiate a subdomain takeover by registering the subdomain sendgrid.khanacademy.org on SendGrid and...