15371 matches found
Node.js: Http request splitting
Hi, I came upon the following tweet today: https://twitter.com/YShahinzadeh/status/1039396394195451904 which details a http request splitting vulnerability in NodeJS. You can confirm it with the following repro script: const http = require'http' const server = http.createServerreq, res =...
Valve: XSS in steam react chat client
The Steam chat client both sends and receives bbcode format chat messages. These map to HTML elements, and notably the url bbcode tag is supported for arbitrary URLs. React has strong XSS mitigations but does not mitigate javascript: URI based XSS. This is rather difficult to exploit as the clien...
Shopify: SSRF in hatchful.shopify.com
This vulnerability similar to https://hackerone.com/reports/156877 , that I found in your old version of your logo-creator. During logo-creating process the user can select logo in wysiwyg editor, then enter email address and wait. In this moment server send to user's browser large amount of data...
Grammarly: "More on Wikipedia" link disclose "Referrer" and leak `window.opener` reference for arbitrary websites
Summary: "Referrer" leak http:// link to Wikipedia transferring Referrer header allows a remote attacker with MITM access to sniff Referrer URL for important tokens after following "More on Wikipedia" link. Controllable page MITM with window.opener pointing to the navigation-initiated webpage...
Internet Bug Bounty: mod_userdir CRLF injection (CVE-2016-4975)
Possible CRLF injection allowing HTTP response splitting attacks for sites which use moduserdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Reported to security team 24th July 2016 Issu...
Mail.ru: XSS in touch.mail.ru
Browser specific user assisted DOM based XSS in message editor undo functionality via quoted content. Vulnerability did not affected mobile browsers used by majority of touch.mail.ru web interface users...
GitLab: Bypass of GitLab CI runner slash fix in YAML validation
Hi Gitlab Security, I notice the bug 301432 that Jobert reported earlier is could be bypassed by setting variable in environment. The reason is that the fix in place preventing url normalization is performed by doing the YAML validation, however this could be bypassed by setting the environment...
GitLab: Stored XSS in merge request pages
Summary: I found a Stored XSS in merge request pages. Description: The exploit is via the parameter mergerequestsourcebranch of the request to create a New Merge Request. Steps To Reproduce: 1. Sign ikn to GitLab. 2. Click the "+" icon. 3. Click "New Project". 4. Fill out "Project name" form with...
HackerOne: Denial of service via cache poisoning
An attacker can persistently block access to any/all redirects on www.hackerone.com by using cache poisoning with the X-Forwarded-Port or X-Forwarded-Host headers to redirect users to an invalid port. To replicate: curl -H 'X-Forwarded-Port: 123'...
U.S. Dept Of Defense: Broken Authentication
Summary: IDOR Description: It is possible to access other user account by changing the parameter 'email' to another valid e-mail, i managed to guess an existing user '███████@███.com' which discloses the ███ Name and Surname. Impact Information Disclosure Step-by-step Reproduction Instructions...
U.S. Dept Of Defense: Cross Site Scripting (XSS) – Reflected
Reflected Cross-site Scripting XSS occur when an attacker injects browser executable code within a single HTTP response.When a web application is vulnerable to this type of attack, it will pass unvalidated input sent through requests back to the client. The value of request parameter is copied in...
Mail.ru: Cross-site Scripting (XSS) - Reflected vseapteki.ru
Reflected XSS via GET parameters in vseapteki.ru...
Mail.ru: Stored XSS
XSS in "Undo" functionality of message editing on replying to malformed message...
Mail.ru: ДОБАВЛЕНИЕ СВОИХ ДАТ В КАЛЕНДАРЬ ПОЛЬЗОВАТЕЛЮ !
Reporter pointed to possibility to mark scheduled meeting request sent via ICS file as accepted in calendar via CSRF by bruteforcing attachment id. Currently, this behavior is not believed to introduce real additional security risks, because meeting can be added anyway without user's intervention...
BOHEMIA INTERACTIVE a.s.: Weak Password Policy on Signup at https://accounts.bistudio.com/auth
Hi, I found that you are using a weak password policy! Because user can set his password same as Email address! Steps To reproduce: 1. Register an account with Email address "[email protected]" 2. Also password "[email protected]". You can see both values are same. You will become successfully register...
Valve: [help.steampowered.com] Account takeover bruteforcing SteamGuard
Due to a missing protection on a support endpoint, email verification codes could be bruteforced - leading to possible account takeover. The endpoint issue has been corrected...
GitLab: Unauthorized users may be able to view almost all informations related to Private projects.
Summary: On the most of pages related to Private projects, cache control is inadequate, so the contents of Private projects may leak to unauthorized users. Description: For visibility of projects, you can select Public, Internal, and Private. Among them, Private projects can only be viewed from...
Vanilla: Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability
Summary: An authenticated admin user can trigger a call to unserialize which can allow an attacker to gain remote code execution. Description: Please bare with me on this one, it's heavy. Ok, so after setting a Garden.TouchIcon setting it can be several settings, this is just an example of one we...
Greenhouse.io: Subdomain Takeover on demo.greenhouse.io pointing to unbouncepages
Actuall this report is same as of this one:- https://hackerone.com/reports/38007 Subdomain takeover vulnerabilities occur when a subdomain subdomain.example.com is pointing to a service e.g. GitHub pages, Heroku, etc. that has been removed or deleted. This allows an attacker to set up a page on t...
Ruby on Rails: ActiveStorage service's signed URLs can be hijacked via AppCache+Cookie stuffing trick when using GCS or DiskService
ActiveStorage tries to force content-disposition: attachment for a list of content-types, including text/html. However, response-content-type and response-content-disposition in GCS and DiskService's URLs aren't signed, which means an attacker can modify them at will. This is not the case for Azu...
Valve: XSS @ store.steampowered.com via agecheck path name
Hi, I found a Cross-Site Scripting XSS in store.steampowered.com because the path after /agecheck/ is not sanitized as it should. https://store.steampowered.com/agecheck/appmhuh2', sessionid: gsessionID, ageDay: '', ageMonth: '', ageYear: '' .done function response %20 ;alertXSS-by-TvM;function...
Mail.ru: ICQ 10.0.12371 icq: Uri Handler '-testability' URL File Insecure Library Loading Code Execution Vulnerability
An exploitation of combination of unsafe URI handler and insecure DLL loading could result in code execution via DLL injection in ICQ desktop application for Windows if user executes malformed .url file...
Ubiquiti Inc.: Resource Consumption DOS on Edgemax v1.10.6
Resource consumption Denial of service. 1: The request below shows that when you feed the beaker.session.id cookie variable a payload of 250 characters or more, the web management portal will produce an error page showing full path disclosure and more as shown in screenshots error1.png and...
HackerOne: Self DOM-Based XSS in www.hackerone.com
Summary: There is a 'self' DOM-based cross-site scripting vulnerability in the contact form available on the www.hackerone.com website. This could allow an attacker to perform cross-site scripting, or other client-side attacks, against users of the application. However, the risk presented by this...
Starbucks: Thailand – a small number of alarm system portals accessible with the default credentials
radoooz discovered that a small number of AAP IP Module alarm system portals in Thailand were accessible, utilizing their default credentials. @radoooz — thank you for reporting this vulnerability and confirming the resolution...
BOHEMIA INTERACTIVE a.s.: Apache Server Version Disclousure
Hello Team, I would like to report a bug for https://forums.bohemia.net/ Banner Grabbing is a technique used to get information about remote servers. In addition, this directory is used to find information about remote servers. Proof of concept : 1. Go to https://forums.bohemia.net/applications/...
U.S. Dept Of Defense: SSRF on ████████
Summary: The web application hosted on the "███████" domain is affected by a Server Side Request Forgery SSRF vulnerability that could allows an attacker to force the application to make requests to arbitrary targets. Description: The affected handler is the "/xmlrpc/pingback/". This handler...
WordPress: Stored XSS on Broken Themes via filename
Hi, I've found something here, Description XSS Stored because filename of theme when broken, So when theme is broken, Wordpress will inform the name of theme who has been broken which is the folder name of theme and inform the error with description message. F342862 Looks like the filename is...
Shopify: Open redirection in OAuth
steps to reproduce: 1-Open your shopify partner account. 2-Create an app and click on test your app. 3-Select a development store you own. 4-Intercept the request using burpsuite and change the "installappSelect a store" parameter to any store with no validation. The request like this: POST...
Node.js third-party modules: [apex-publish-static-files] Command Injection on connectString
I would like to report a command injection vulnerability in the apex-publish-static-files npm module. It allows arbitrary shell command execution through a maliciously crafted argument. Module module name: apex-publish-static-files version: 2.0.0 npm page:...
BOHEMIA INTERACTIVE a.s.: Clickjacking at ylands.com
Hi team, While performing security testing of your website i have found the vulnerability called Clickjacking. Many URLS are in scope and vulnerable to Clickjacking. What is Clickjacking ? Clickjacking User Interface redress attack, UI redress attack, UI redressing is a malicious technique of...
DuckDuckGo: DOM XSS on 50x.html page
Hello, The is a DOM XSS vulnerability on https://duckduckgo.com/50x.html, it seems like the sink is DIV.innerHTML and the source is location.search. The PoC url is: https://duckduckgo.com/50x.html?e=&atb=test%22/%3E%3Cimg%20src=x%20onerror=alertdocument.domain;%3E The code that is causing this XS...
BOHEMIA INTERACTIVE a.s.: Stealing Users OAUTH Tokens via redirect_uri
Hi, I would like to report an Open redirection on oauth redirecturi which can lead to users oauth tokens being leaked to any malicious user. Detail During the OAUTH flow, the redirecturi on https://accounts.bistudio.com is not properly validating that the URL given is proper, as such a bypass of...
Grammarly: Emails from Grammarly missing sanitization(lack of validation?) -> HTML injection in emails
Summary: Emails from Grammarly e.g. "reset password" email missing HTML sanitization. That leads to content spoofing in emails. Steps To Reproduce: 1. Go to "Profile" 2. Find reset password tab if you're logged in using FB/Google, you won't see this menu 3. Change email to something like:...
Slack: AWS bucket leading to iOS test build code and configuration exposure
@kiyell discovered an open AWS bucket which hosted the source code of the iOS test application, as well as some configuration information and test data relating to that test build. No customer data was exposed or at risk, and we resolved and investigated this issue. Thank you @kiyell for a neat...
Zomato: IDOR to delete images from other stores
Summary: The parameter photoids in below request is vulnerable to IDOR /php/clientmanagehandler?██████████&case=remove-active-photo Description: Since there is no check for resid or ownership I was able to delete Gerben's image by just using the photoid from his store. This is a problem because i...
Weblate: 2nd issue>>> flood of email no rate limit on delete account confirmation email >>
There was no rate limit on delete account confirmation email, leading to user being able to send himself flood of emails...
WordPress: Logic flaw in the Post creation process allows creating posts with arbitrary types without needing the corresponding nonce
Simon discovered that authors could create posts of unauthorized post types with specially crafted input fixed. This was fixed in the 5.0.1 release, and Simon has published more details on his blog...
Node.js third-party modules: [buttle] Unsafe rendering of Markdown files
I would like to report Cross Site Scripting vulnerablity in buttle module It allows to execute arbitary javascript due to unsafe rendering of markdown files. Module module name: buttle version: 0.2.0 npm page: https://www.npmjs.com/package/buttle Module Description Another static file server? Why...
Weblate: flood of comment no rate limit on commnets >> by using different user agent
It was possible to post 200- 300 of comments within minutes, there was no rate limiting applied...
Nextcloud: Information Exposure Through Directory Listing - https://apps.nextcloud.com/static/
Hi Security Team, Url : https://apps.nextcloud.com/static/assets/ Dork : site:nextcloud.com intitle:index.of Hello I am Ismail Tasdelen. I was testing directory security and I saw many directories open. Thanks Impact A directory listing is inappropriately exposed, yielding potentially sensitive...
Weblate: Tab nabbing via window.opener
Details: When you open a link in a new tab target="blank" , the page that opens in a new tab can access the initial tab and change it's location using the window.opener property. Attack scenario: here i have provided 2 videos, in video 1 i have my editorial link set. to show that tabnapping is...
Khan Academy: Possible Take Over Subdomain For Inbound Emails
Hello KhanAcademy Security Team, I'm rootbakar, The researcher identified that the affected url points to sendgrid.net, via a DNS CNAME record. As a result of this an attacker could potentially initate a subdomain take over by registering the subdomain sendgrid.khanacademy.org on sendgrid and...
Khan Academy: SignUp With Fake Email
Hello KhanAcademy Security Team, I'm rootbakar, I found an oddity that allows a user to register with Khanacademy using an invalid or fake email. In this trial I used the email '[email protected]' and after pressing the SIGN UP button it will automatically enter the user dashboard pag...
Khan Academy: Stored 'undefined' Cross-site Scripting
Hello KhanAcademy Security Team, I'm rootbakar, I found an XSS bug on 'BIO' in the profile, I used payload XSS "/load=promptdocument.domain;"/load= prompt document.cookie; after I save it appears there is no trigger from the XSS, but when I try to change one of the values in the profile form and...
Zomato: [www.zomato.com] Tampering with Order Quantity and paying less amount then actual amount, leads to business loss
Hi, Team, Like discussed with Prateek I am dropping the report here. Summary: Like the title says using this vulnerability one could order food at negligible price or keep all delivery executives busy. Description: While fuzzing my way through the payment flow on Zomato orders I came across a...
Node.js third-party modules: [takeapeek] Path traversal allow to expose directory and files
I would like to report Path Travelsal in takeapeek It allows attacker to list directory and files. Module module name: takeapeek version: 0.2.2 npm page: https://www.npmjs.com/package/takeapeek Module Description A simple static webserver with only one command. Heavily inspired by glance, this is...
Node.js third-party modules: [knightjs] Path Traversal allows to read content of arbitrary files
I would like to report Path Travelsal in Knightjs It allows attacker to read content of arbitary file on remote server. Module module name: Knightjs version: 0.0.1 npm page: https://www.npmjs.com/package/knightjs Module Description knight is a simple static server without configuration on the top...
Node.js third-party modules: List any file in the folder by using path traversal
I would like to report Path Traversal in simplehttpserver. It allows to list any file in another folder of web root. Module module name: simplehttpserver version: v0.2.1 npm page: https://www.npmjs.com/package/simplehttpserver Module Description 'simpehttpserver' is an simple imitation of python'...
Node.js third-party modules: [tianma-static] Stored xss on filename
I would like to report stored xss in tianma-static It allows anyone to execute arbitary javascript for doing anything. Module module name: tianma-static version: 1.0.4 npm page: https://www.npmjs.com/package/tianma-static Module Description Provide a static file service. Vulnerability Vulnerabili...