15372 matches found
Semrush: XSS on redirection page( Bypassed)
Hello Semrush Team, In this report id 311330, I was filled duplicate and redirection url is fixed which made me feel happy as deserving bounty hunter gets a reward. However, after fixing from last night, I finally bypassed the redirection method which not only Triggered Xss, but also it redirects...
Coinbase: Prepopulation of email address and name leaks information provided to other merchants
Users of the commerce widget that have entered their name and email into the widget and moved to the currency selection step were vulnerable to a clickjacking attack that revealed name and email to an attacker due to pre-population of the widget's fields. After a user filled out the name / email...
Starbucks: Open Redirect on /account/signin?ReturnUrl
The attacker can redirect the victim just after the authentication. Open redirect on Login page: https://www.starbucks.com/account/signin?ReturnUrl= Steps to reproduce Go to Login Page. https://www.starbucks.com/account/signin?ReturnUrl=%2faccount%2fHome The paramter: ReturnUrl can be modified as...
VK.com: Обходим 2FA и/или получаем access_token, если мы когда-либо были на аккаунте жертвы
Частичный обход 2FA в некоторых случаях, имея доступ к странице. Была возможность всего один раз побывав на аккаунте в последующих случаях обходить 2FA. Хеши на https://login.vk.com/?act=grantaccess не имели срока действия и привязки к значимым параметрам аккаунта включена ли 2фа, когда посл. раз...
X (Formerly Twitter): CVE-2017-15277 on Profile page
Hi security team, Summary: Please refer to 302885 for more details. Uploading a .gif produces significantly different images every time which means the server is leaking information. Steps To Reproduce: 1. Clone https://github.com/neex/gifoeb 2. Generate exploitable gif with ./gifoeb gen 5120x512...
Starbucks: Able to reset other user's password in https://card.starbucks.com.sg/
Description In the website https://card.starbucks.com.sg/ there is a password reset function https://card.starbucks.com.sg/forgetPassword.php that sends the password reset link to the user's email. By using a web proxy to monitor the request, the email address can be changed to allow the attacker...
Coinbase: Stored CSS Injection
When creating a product, users can upload a logo. The logourl was not escaped properly, allowing an attacker to inject malicious characters into a style tag. This vulnerability did not allow for XSS due to our CSP, however, it did allow for CSS injection...
Coalition, Inc.: Non-Cloudflare IPs allowed to access origin servers
Hello Security Team, Summary: Like report 255978 It is possible to access origin servers served by nginx and not cloudflare. Description: Even though these IP's don't serve a functional version of the app it is possible to enable DDoS attacks by bypassing cloudflare protections. Steps To Reproduc...
Mail.ru: blind XXE in autodiscover parser
Как воспроизвести: 1 Закинуть на сервер атакующего xml должен быть доступен на сервере атакующего по адресу /autodiscover/autodiscover.xml: Я сделал такой ответ при запросе любой xml'ки: obmhld.com/autodiscover/autodiscover.xml email settings SMTP 52.34.103.214 1191 off [email protected] yandex....
Node.js third-party modules: Remote Command Execution vulnerability in pullit
I would like to report Remote Command Execution vulnerability in pullit It allows remote command execution such as reading or writing to the file system, and executing other programs under the current user running the pullit node executable. Module pullit https://www.npmjs.com/package/pullit...
Node.js third-party modules: Path Traversal on Resolve-Path
The author of resolve-path told me that I can submit this to here. The vulnerability already reported to the author and got a fixed! Module module name: resolve-path version: 1.3.3 npm page: https://www.npmjs.com/package/resolve-path Description Resolve a relative path against a root path with...
VK.com: Общий CSRF токен для сообщений сообществ, или как подставить соседа-редактора
Ошибка в генерации CSRF-токена. В разделе Group IM сообщения сообществ, /alim.php?gid=XXX для почти всех действий отправка сообщения, удаление диалога, etc hash привязывался к groupid, и был одним и тем же для всех пользователей, которые имели доступ к личке этой группы. Таким образом, имея hash...
Coalition, Inc.: No authentication on email address for password reset functionality/ https://platform.thecoalition.com/forgot-password
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: It was observed that the forgo...
Valve: ImageMagick GIF coder vulnerability leading to memory disclosure
Due to CVE-2017-15277, portions of server memory on some steamcommunity web servers could be leaked via image updates. An attacker would not be able to control what memory would be returned, but system information could be obtained. I was able to arbitrarily disclose server memory on...
Greenhouse.io: Debug information disclosure on oauth-redirector.services.greenhouse.io
Summary: The configuration of the Sintra framework application hosted at oauth-redirector.services.greenhouse.io exposes internal information when exceptions occur. The application is configured with the showexceptions setting which causes internal application configuration, environment variables...
Node.js third-party modules: Media parsing in canvas is at least vulnerable to Denial of Service through multiple vulnerabilities
There is at least a DoS vulnerability in canvas. It segfaults node.js which leads to a Denial of Service, but according to !exploitable it could possibly be worse Module canvas node-canvas is a Cairo backed Canvas implementation for NodeJS. https://www.npmjs.com/package/canvas version: 1.6.9 Stat...
Razer US: Razer Synapse 3 Local Privilege Escalation
Excellent report from @achapman. We appreciate the time, effort, technical skill, and professionalism of the researcher in helping us find and fix this issue...
Semrush: [oauth token leak] at oauth.semrush.com
Domain, site, application --- oauth.semrush.com Steps to reproduce --- 1 Create following html at attacker.com/postmessage.html function listenerevent alertJSON.stringifyevent.data; var dest =...
Reverb.com: Full account takeover
Hello Team, I got a security issue in reverb ios application which allows an attacker hack all users account. Since iOS application is not in the scope but still I am reporting this, because this vulnerability may compromise all users account. Please resolve this quickly. Desription: Reverb ios...
Snapchat: Takeover 2 MAIN DOMAINS of a company Acquired by Snapchat
Hi, As you may realize I noted "Domain" and not subdomain because actually, I was able to take over the MAIN domain of a company Acquired by Snapchat. As you can see in the screenshot below, when you type "Addlive" in Google https://goo.gl/EAxBaj , the first two results will be: F261984 First one...
LocalTapiola: Reflected XSS+CSRF on secure.lahitapiola.fi
Basic report information Summary: The secure.lahitapiola.fi -mail application contains a reflected XSS vulnerability which can be exploited for example with CSRF-attack. Description: As mentioned in the summary, the site contains a reflected cross-site scripting vulnerability. This vulnerability ...
Open-Xchange: [XSS] Style/Event Filter Bypass v3.0
Hi. New ways to bypass filter in the mail. Previous reports 279073, 244821 1. onEvent filter bypass - If add in style, then onEvents filter disabled. Send e-mail: json "content": "", Response: json "content":"" 2. Without onEvents - Without you can using : json "content": "aaa", Response: json...
Zomato: Blind XSS - Report review - Admin panel
Introduction In the Zomato Business app there is the functionality to report a review and give additional details as to why you did report the review. Because I knew this reason would be read by Zomato admins I did insert a blind XSS payload here, which ended up executing on...
Snapchat: Publicly accessible Continuous Integration Tool
@apfeifer27 found an internal Continuous-Integration instance, which disclosed internal source code and credentials for some of our instances...
Valve: Xss was found by exploiting the URL markdown on http://store.steampowered.com
Hello guys I found an xss vulnerability on store.steampowered.com markdown POC http://store.steampowered.com/widget/386360/?t=url=google.com:/onclick=%27alertdocument.domain%27url=xss/url Here is my exploit url=google.com:/onclick='alertdocument.domain'url=xss/url Steps 1 - go to any product 2 -...
Ubiquiti Inc.: Code Execution in restricted CLI of EdgeSwitch
In EdgeSwitch 1.7.3 and prior, an user with admin credentials can make use of specially crafted commands to execute arbitrary shell instructions, bypassing the SSH/TELNET CLI interface. A command injection vulnerability existed in the restricted CLI of the EdgeSwitch. Exploiting this vulnerabilit...
HackerOne: Information Disclosure which violate program privacy
Summary: please refer to the following report: https://hackerone.com/reports/311289 It was noticed that TTS changed the summary and set the domain to example.gov as not to reveal to the public. But at the bottom of the page, "britta changed the scope from https://ci.fr.cloud.gov to None."...
Zomato: IDOR in treat subscriptions
The treat subscriptions tab in my profile has an IDOR. The corresponding api: POST /php/filterusertabcontent.php HTTP/1.1 userid=██████&tab=treatsubscription&orderhistoryoffset=0&orderhistorylimit=20 You can give any user id and you will be able to see the treat subscriptions of that user. Impact...
U.S. Dept Of Defense: Blind SQL injection on ████████
Summary: I discovered that a post request made to https://████████/elist/viewem6.php is vulnerable to SQL injection and is quite clearly vulnerable as I was able to induce a 2 second hang on the web page. Additionally I was able to discover the mysql version with a true/false condition...
Node.js third-party modules: [public] Path Traversal allows to read content of arbitrary files
Hi Guys, There is Path Traversal in public module. It allows to read content of arbitrary files on the remote server. Module public Run static file hosting server with specified public dir & port. Support a "direcotry index" like Apache httpd. https://www.npmjs.com/package/public version: 0.1.2...
Node.js third-party modules: [mcstatic] Path Traversal allows to read content of arbitrary files
Hi Guys, There is Path Traversal in mcstatic module. It allows to read content of arbitrary files on the remote server. Module mcstatic This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser. https://www.npmjs.com/package/mcstat...
Node.js third-party modules: [localhost-now] Path Traversal allows to read content of arbitrary file
Hi Guys, There is Path Traversal in localhost-now module. It allows to read content of arbitrary files on the remote server. Module localhost-now This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser...
Discourse: Gaining access to private topics using quoting feature
Description Some topics have limited access to certain groups and users, and while there exists a validation for access on this topic, it can be bypassed by abusing a vulnerability in the "onebox" quoting feature. When pasting a link in a reply, if this link happens to be a link to another topic ...
Mail.ru: IDOR on mcs.mail.ru
CSRF tokens were static, CSRF token for arbitrary user's account can be obtained. No direct security implications were found, since token is transmitted in request headers and can not be sent crossite, but using static tokens was considered as a bad security practice. mcs.mail.ru was not in bug...
Mail.ru: XSS via Cookie in e.mail.ru
Привет! Нашел stored xss через куку VID. Обычно такое эксплуатируется через mitm. Сама кука не имеет атрибутов secure и samesite, что дает возможность выставить ее по http на сервере атакующего. Сценарий такой: 1. Жертва находится в сети атакующего 2. DNS сервер сети атакующего резолвит хост...
Semrush: XXE in Site Audit function exposing file and directory contents
Summary: The Project Site Audit function is vulnerable to XXE when parsing sitemap.xml files. Description: The Site Audit function spiders a given website and performs analysis on the discovered pages. In order to improve website spidering the URL of a sitemap.xml file can be provided. If provide...
Mail.ru: [mobs.mail.ru] nginx path traversal via misconfigured alias
Domain, site, application -- mobs.mail.ru Steps to reproduce -- http://mobs.mail.ru/media../mobs/settings.py Actual results -- py ... SECRETKEY = '████████████' ... DISTIMOPRIVATEKEY = '████████████' ... PoC, exploit code, screenshots, video, references, additional resources --...
Informatica: [https://life.informatica.com] - information disclose
Researcher had discovered and reported an issues that leads to information disclosure...
Mail.ru: Error in processing gif images
Application crash on malformed GIF image parsing in ICQ for Desktop...
GitLab: Using GitLab to monitor and hijack domains in mass quantity.
Vulnerability Description There is a logic flaw in how GitLab pages can set custom domains that allows an attacker to actively monitor domains and hijack them as soon as they point to 52.167.214.135. GitLab allows setting an unlimited number of domains for a single repository. First, I wrote a...
Node.js third-party modules: [uppy] Stored XSS due to crafted SVG file
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Module: Uppy. Affected version: 0.22.2...
Pornhub: Stored XSS (client-side, using cookie poisoning) on the pornhubpremium.com
The researcher discovered that a parameter's value was stored in a cookie and that cookie's value was echoed in certain pages. The researcher was successful in providing an XSS payload as this parameter's value and having it execute. DOM XSS through cookie. Discovered by manual inspection of JS...
U.S. Dept Of Defense: SQL injection
Initially I discovered a Defunct admin panel with default credentials, admin/admin. This was vulnerable to a blind SQL Injection but I wasn't able to successfully exploit the login panel. I later google dorked for php files on the subdomain and ended up finding another end point that was vulnerab...
VK.com: Reflected XSS в m.vk.com
XSS в поиске по карте...
Ubiquiti Inc.: Format String Vulnerability in the EdgeSwitch restricted CLI
In EdgeSwitch 1.7.3 and prior, an user with admin credentials can make use of specially crafted commands to execute arbitrary shell instructions, bypassing the SSH/TELNET CLI interface. There was a format string vulnerability present in the Admin CLI for the EdgeSwitch. Exploiting this...
Mail.ru: CSRF на calendar.mail.ru
CSRF on ICS URI import in calendar.mail.ru Cцрф с обходом защиты через ORIGIN посредством размещения пока на одном из субдоменов...
Semrush: Cross-origin resource sharing misconfig
Description An HTML5 cross-origin resource sharing CORS policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other...
LocalTapiola: Securemail server used to internal spam and resource exhaustion
Basic report information Summary: Confidential message systems fails to restrict large amount of receivers. This might lead to hardware exhausting and/or attacking localtapiola internal employees as securemail recipient. Description: Despite https://secure.lahitapiola.fi/ is designed to send...
Zomato: Reflected XSS on https://www.zomato.com
Hello, I found an XSS issue due to the incorrect handling of the \ character in a context, the following link works as a PoC that alerts the location of the document: https://www.zomato.com/googleOAuth2Callback?alertlocation;%3C!--&state=\ The issue exists because, given that the \ character...
WePay: Reflected XSS in the IE 11 / Edge (latest versions) on the stage-go.wepay.com
Description Hello. I discovered Reflected XSS on the stage-go.wepay.com. Browsers & OS tested The XSS checked in the latest IE 11 and Edge on Windows 7. Not checked on Windows 10. POC IE 11 or Edge...