15371 matches found
Chaturbate: Open redirect on chaturbate.com (tipping/purchase_success)
Hi, I would like to report an open redirect issue on https://chaturbate.com/ Description An attacker can redirect a user to any external website using the parameter prejoindata, this parameter seems to miss sanitization. Steps to Reproduce Visit the following url:...
Chaturbate: Reflected XSS on secure.chaturbate.com
The hacker found that an external asset used for fraud detection on secure.chaturbate.com was not sanitizing input parameters and could be used for reflected XSS. This external asset was removed...
Ruby on Rails: Untrusted strings that are cache fetched with raw option are automatically marshal loaded
This vulnerability effects application code that caches a string from an untrusted source using the raw: true option. For example, vulnerable application code might looks something like the following ruby body = Rails.cache.fetchkey, raw: true, expiresin: ttl do res = Net::HTTP.getresponseremoteu...
Mail.ru: Блокированный ящик ( Обход )
It was possible to bypass administrative lock for mailbox e.g. lock set by biz.mail.ru domain administrator by pre-requesting recovery link...
Dropbox: Stored XSS in dropboxforum.com
This report described a vulnerability where an attacker could put a specially crafted payload into the reply section of threads on dropboxforum.com to bypass the HTML filter on the site. This enabled a stored XSS attack against anyone viewing the message. This was an issue in Lithium forum...
8x8: CRLF injection agentcrm.8x8.com
The agent application was vulnerable to a response splitting attack when parsing line feed characters in a given URL...
8x8: Stored Cross Site Scripting.
Hellow team I got Stored based XSS on your web :D Here Is Step : 1. Go to https://www.easycontactnow.com/ 2. Click "Try For Free" Sign Up 3. It will told you "Enter your details to get started". So Enter your full name like : "alert1 Then put all the other details. 4. Then Confirm your id and...
HackerOne: Hacker can request mediation for published reports
Hi team, @jobert Summary: After creating the publish report, we do not have a field to send the requested meditation from HackerOne Support Description: Steps To Reproduce 1. Create publish report for any program ████████ 2. Use query https://hackerone.com/reports/numberpublishreport/hackerhelp M...
8x8: Hardcoded credentials in Android App
The mobile applications contained a URL that included credentials to a third party bug capture API. Access was restricted to pushing bug information...
8x8: XSS (Cross site scripting) on https://apimgr.8x8.com
The domain apimgr.8x8.com hosted an outdated version of WSO2 Data Analytics Server...
Khan Academy: Creating Unlimited Fake Accounts.
Hello @khanacademy, Anyone can create unlimited fake accounts using temp mails. i,e https://temp-mail.org/en/ 1- Go to https://temp-mail.org/en/ 2- Select an mail 3- Enter that mail while creating an account in khanacademy 4- You will get confirm mail from khanacademy on https://temp-mail.org/en/...
Internet Bug Bounty: XML hash collision DoS vulnerability in Python's xml.etree module
Python's standard library uses libexpat to parse XML. Internally the expat library has a hash table implementation to efficiently store and lookup DTD elements like entities, elements, attributes, etc. Hash tables are potentially vulnerable to hash collision Denial-of-Service attacks, which turns...
Chaturbate: No rate limit in stats api token endpoint
Brute force on statsapi endpoint to view stats of an user Steps To Reproduce: 1. Stats api token can be generated at https://chaturbate.com/statsapi/authtoken/ https://chaturbate.com/statsapi/?username=hackeronetestchat&token=vulnerable I've used my profile and and my token to check brute force T...
Grammarly: Permissive CORS policy trusting arbitrary extensions origin
@foobar7 identified that misconfigurations in CORS and CSRF handling allowed malicious browser extensions, which have permission to interact with grammarly.com domain, to impersonate the user. The vulnerability was resolved with improved CSRF/CORS handling...
Starbucks: China - ecjobsdc.starbucks.com.cn html/shtml file upload vulnerability
1, Summary During the test, I found ecjobsdc.starbucks.com.cn this site has an upload vulnerability, you can upload html and shtml format files, so you can read the server's intranet IP, the physical address of the website application and read the website web.config file. 2, Vulnerability scope...
HackerOne: User with privilege to maintain External Programs can update certain churned HackerOne programs
Summary: You wrote that some programs are behind, but you are trying to get them back sorry maybe bad translation Description: Apparently because of a system error, I have access to change information in the public program. This option is given only for external programs.But here is a public...
Chaturbate: Leaking Username and Password in the URLs via Virustotal, can leads to account takeover
Hi Dear @chaturbate team Vulnerability Type Critical Information Leakage in URLs via Virustotal. Vulnerability Severity High. Description During my regular testing, went to https://www.virustotal.com/%2Fdomain%2Fchaturbate.com After reviewing all URLs more and more, I got 2 Interesting and Critic...
Chaturbate: Blind SSRF at https://chaturbate.com/notifications/update_push/
In the application at https://chaturbate.com/notifications/updatepush/ there is a functionality to subscribe any cam model which will trigger the provided request. Using this Request an attacker can execute SSRF attack and also steal sensitive Token / Keys of the internal web server Steps to...
Chaturbate: Password protected rooms total number of viewers disclosure to unauthorized members
Summary Password protected rooms are supposed to be completely private, no information should be exposed if you do not have the room's password, and the UI looks like this. F348826 However, through the following endpoint, It is possible to know the total number of viewers of the room even if it i...
Chaturbate: Open redirection at https://chaturbate.com/auth/login/
Hi, Summary An attacker can redirect vicitm on an external website using https://chaturbate.com/auth/login/ endpoint because next parameter is not being validated properly. There is a protection existed but it's weak and can be bypassed. http keyword is detected and protection works if payload...
Alliance of American Football : Stored xss in address field in billing activity at https://shop.aaf.com/Order/step1/index.cfm
Dear Team, Summary: add summary of the vulnerability After looking into https://shop.aaf.com/Order/step1/index.cfm i get to know that there is address field is vulnerable to stored xss which can lead to steal any user's cookie and can lead to complete account takeover Description: add more detail...
Chaturbate: View Failed Approval and Pending videos other users
See videos uploaded by a user. The video is available when it waits for confirmation or is not accepted. Steps To Reproduce: 1 - Go victim page : https://chaturbate.com/p/akaxanxa/?tab=bio 2 - Open video : https://chaturbate.com/photovideos/photo/big/username/contentid/ 3 - Get random requests -...
Chaturbate: Form Replay in customer information form
The hacker found that the server replays some form field data back in the response when there were form validation errors, which could be cached or viewed by someone with physical access to the same device used to complete the form. The fix was to delete the form data from showing in the response...
RubyGems: DNS SRV lookup of file:// sources enables local hijacking of gems
Summary gem makes a DNS SRV query for each of its configured sources; the response is allowed to override the source URL in certain ways. The SRV query happens not only for http:// and https:// sources, but also for s3:// and file://. In the case of file://, the SRV response may add a prefix to t...
Mail.ru: Чтение файлов на сервере и раскрытие директорий mediator.media
It was possible to access some internal addresses and special URI schemes due to lack of URI filteint on page submission. mediator.media it not in the Bug Bounty scope, the bounty was issued due to problem severity...
Node.js third-party modules: [http-live-simulator] Path traversal vulnerability
Module module name: http-live-simulator version: 1.0.6 npm page: https://www.npmjs.com/package/http-live-simulator Description this vulnerability is a bypass for the one found in this report in version 1.0.5 Steps To Reproduce: 1- Install the module : npm install -g http-live-simulator 2- Run the...
Hyperledger: Brute Force of fabric-ca server admin account
fabric-ca server - Default configuration maxenrollments value -1enable outside enrollment - Listening 0.0.0.0:7054easily discoved and can be reached - No limit to wrong password try Above conditions result in brute force to CA server admin account Impact Attack gain a high-level permissioned...
Chaturbate: Forget password link not expiring after email change.
I found a token miss configuration flaw in chaturbate.com, When we reset password for a user a link is sent to the registered email address but incase it remain unused and email is updated by user from setting panel then too that old token reset link sent at old email address remains valid. A...
Valve: code injection, steam chat client
The steam chat client allows oEmbed, apparently based on a whitelist. One of the whitelisted oEmbedis codepen. When a codepen is created, it can be sent as a link to another steam user, and the code inside the codepen will execute within the privileged Steam Chat context. You can send these codep...
Informatica: Cisco RCE
The researcher was able to complete RCE attack and download sensitive files. We have mitigated it by hardening the machine and port. There are opened classical cisco smart install service, which was successfully exploited. Informatica is a fAsTeSt!!! bug fixer in my life. Closing vulnerability in...
Vanilla: Vanilla Forums AddonManager getSingleIndex Directory Traversal File Inclusion Remote Code Execution Vulnerability
Summary: An authenticated admin user can trigger a directory traversal to require call leading to local file inclusion which can allow an attacker to gain remote code execution. Notes: - You need to have an admin session to run this poc. - You can use the directory traversal to reach outside of t...
Vanilla: Abusing "Report as abuse" functionality to delete any user's post.
Hi Team, Greetings!! Description: I would like to report a vulnerability that can be used to delete any user’s post by abusing “Report an abuse” function within application. After specific number of reports submitted to server, it automatically deletes that post of user. Application has...
ExpressionEngine: License verification mechanism can be bypassed
@unbaiat discovered that an invalid license file could be accepted as valid in certain circumstances. @unbaiat gave a detailed report with step-by-step instructions for replicating, enabling a speedy resolution to the issue...
ExpressionEngine: Persistent XSS via malicious license file
@unbaiat discovered that the display of the license file information was not properly sanitized leaving it vulnerable to XSS. @unbaiat gave a detailed report with step-by-step instructions for replicating, enabling a speedy resolution to the issue...
Vanilla: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical)
Summary: An unauthenticated attacker can inject an serialized payload into a phar archive and trigger read access to it via an unprotected getimagesize. The attacker can leverage this to deserialize untrusted data and gain remote code execution. Notes: - THIS BUG IS UNAUTHENTICATED, however you...
Mail.ru: [moba.my.com] phpinfo, logs
PHP info and fragment of access logs were available...
Mail.ru: [sj.my.com] Source Code Disclosure /.svn/wc.db
Available SVN files for sj.my.com led to source code disclosure. sj.my.com is not currently covered by Bug Bounty program...
Starbucks: Unauthorized access to a system used for CI/CD processes
@k3m reported a vulnerability allowing unauthorized access to a system used for CI/CD processes. Our teams quickly restricted access and fixed the vulnerability. Thank you @k3m for a detailed report...
HackerOne: User login page doesn't implement any form of rate limiting
Hi Team, Summary: As a best practice a login page should have a rate limitting just like hackerone.com Vulnerable Request POST /auth/postlogin HTTP/1.1 Host: ctf.hacker101.com User-Agent: Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://ctf.hacker101.com/...
IBM: Reflected XSS and Blind out of band command injection at subdomain dstuid-ww.dst.ibm.com
I found an XSS and Blind OS based injection issue due to the incorrect handling of the characters in THE EMAIL get& post parameters. A injected and a sleep command succesfully executed, the following link works as a PoC that alerts the string in the script: I reproduced the same on Firefox and IE...
HackerOne: Missing Certificate Authority Authorization rule
Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...
Vanilla: Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability
Summary: An authenticated admin user can inject an serialized payload into a phar archive and trigger read access to it via an unprotected fileexists. An attacker can leverage this to deserialize untrusted data and gain remote code execution. Notes: - You need to have an admin account to run this...
Valve: unlock self-lock by brute force
Due to a missing protection on the self account unlock feature, self unlock codes could be bruteforced - leading to unrestricted access to the account. The endpoint issue has been corrected...
Vanilla: Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability
Summary: An authenticated admin user can inject an unserializable password in a another users account. Later when attempting a login with that user, the attacker can trigger a call to an unserialize in the splitHash function. By using a custom pop chain to write into the constants.php file, an...
Uber: Full Path and internal information disclosure+ SQLNet.log file disclose internal network information
The site at lab.usuppliers.uber.com was intended only for authenticated users, but certain internal pages did not enforce an authentication requirement. The log file at /OAHTML/bin/sqlnet.log disclosed internal Uber IP addresses, hostnames, and one internal username. Thanks again for this report...
U.S. Dept Of Defense: Account takeover due to CSRF in "Account details" option on █████████
Summary: Hi DoD team, similarly to the previous CSRF that I've reported, I've found another CSRF in the same domain, but on the Account details option. Description: The CSRF issue allows me to modify the datas of every victim that is targeted using the CSRF file, and leading to account takeover...
Tor: Expose user IP if TOR crashs
Greetings, I have noticed that for unpredictable reason a TOR relay can exposes the IP of an user. I noticed this by going to the server http://195.176.3.24/ and getting information about the headers. I arrived to this header who is : "X-Your-Address-Is" . How : -- - So I went to this tor-relay...
HackerOne: Discrepancy in hacker profile report count may reveal existence of a private program by publishing a report
Hi team , @pei, @jobert , @bencode Summary: Again We have publish report page https://hackerone.com/hacktivity/publish But we have bypass query 401476 this description The profile page counts the number of created your reports. But it does not consider the reports that are created in the sandbox...
Internet Bug Bounty: Improper handling of Chunked data request in sapi_apache2.c leads to Reflected XSS
Hey, Chunked requests can trigger xss and html injection at any end point because the APRBRIGADEINSERTTAILbrigade, bucket is getting destroyed by other handlers. Affected versions: Any OS: Any https://bugs.php.net/bug.php?id=76 Prashanths-MacBook-Pro: prashanthvarma$ nc localhost 80 POST /lol.php...
Shopify: Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation
Summary GraphQL LiveView operation doesn't properly check for permissions before returning data. This allows "No Access" users to access some store settings and data by providing complete Shop schema fields in the request string. Steps to reproduce 1. Log into an attacker account of a test store...