Lucene search
HackeroneRecent

15290 matches found

Hacker One, added 2017/10/30 4:03 p.m., 14 views

International Islamic University Chittagong: Information Exposure Through Directory Listing

Hi Team, I would like to report an Information Exposure Through Directory Listing bug which is present in iiucbd.com. PoC: Navigate to the following link: 'http://119.18.148.140/hrd/js/'; internal pages are exposed. FIX: Disable the directory listing. Regards, mrroot...

AI score: 6.8, Exploits: 0
Hacker One, added 2017/10/30 3:49 p.m., 21 views

International Islamic University Chittagong: XSS Via error message

Hi Team, found XSS via error message. PoC: Navigate to http://119.18.148.140/hrd/login.php?error=%3Cscript%3Econfirm1%3C/script%3E%20ID%20or%20Password%20does%20not%20find. Regards, Mr.R3boot...

AI score: 6.9, Exploits: 0
Hacker One, added 2017/10/30 3:16 p.m., 20 views

International Islamic University Chittagong: Information Exposure Through Directory Listing

Hi Team, I would like to report an Information Exposure Through Directory Listing bug which is present in iiucbd.com. PoC: Navigate to the following link: http://www.iiucbd.com/assets/admin/js/datables/src/ There are some sensitive API methods disclosed via the above link. If you feel there is no...

AI score: 6.7, Exploits: 0
Hacker One, added 2017/10/30 2:20 p.m., 27 views

International Islamic University Chittagong: Email HTML Injection and Possible Stored Cross-Site Scripting in ieeeiiucsb.org

Hello International Islamic University Chittagong, I found an Email HTML Injection in ieeeiiucsb.org. Summary: add summary of the vulnerability. This attack can be used to create a phishing email using your email app. Steps To Reproduce: 1. Go to https://ieeeiiucsb.org/registration/ 2. Choose any event...

AI score: 7.1, Exploits: 0
Hacker One, added 2017/10/30 12:15 p.m., 22 views

Mavenlink: Uninitialized server memory disclosure via ImageMagick gif parser

A CVE in ImageMagick allowed an attacker to recover random server memory via GIF upload. GIF processing has since been disabled...

AI score: 6.7, Exploits: 0
Hacker One, added 2017/10/30 11:22 a.m., 64 views

HackerOne: Reverse Tabnabbing Vulnerability in Outgoing Links

The external links in the reports are not properly handled; using this issue, the links can access the openers and replace them with some other page. To verify the issue, just go to any report which has an external link and inspect the proceed button. Where the issue lies: rel="noreferrer"...

AI score: 6.8, Exploits: 0
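An added example, not code from HackerOne or from the report above: a small Node.js routine that audits and hardens outgoing links against the reverse tabnabbing class the snippet describes. A link opened with target="_blank" hands the new page a window.opener reference unless rel carries noopener (noreferrer alone relied on browser support that was still uneven in 2017). SITE_ORIGIN and the sample HTML fragment are assumptions constructed for the example, not HackerOne's templates.

```javascript
// Added example (not HackerOne's code): neutralise reverse tabnabbing in
// server-rendered HTML by ensuring every external target="_blank" anchor
// carries rel="noopener noreferrer". SITE_ORIGIN is an assumed value.
const SITE_ORIGIN = 'https://example.com';

// Parse the attributes of one opening <a ...> tag into an object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// True when the href resolves to an origin other than the site's own.
function isExternal(href) {
  try {
    return new URL(href, SITE_ORIGIN).origin !== SITE_ORIGIN;
  } catch {
    return true; // unparseable href: treat as external, never as trusted
  }
}

// Merge noopener and noreferrer into an existing rel value, keeping other tokens.
function hardenedRel(existingRel) {
  const tokens = new Set((existingRel || '').toLowerCase().split(/\s+/).filter(Boolean));
  tokens.add('noopener');
  tokens.add('noreferrer');
  return [...tokens].join(' ');
}

// Rewrite every external target="_blank" anchor so it carries a safe rel.
// Internal links and links without target="_blank" are left untouched.
function hardenLinks(html) {
  return html.replace(/<a\b[^>]*>/gi, (tag) => {
    const a = parseAttrs(tag);
    if (!a.href || !isExternal(a.href)) return tag;
    if ((a.target || '').toLowerCase() !== '_blank') return tag;
    const rel = hardenedRel(a.rel);
    if (/\brel\s*=/i.test(tag)) {
      return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, `rel="${rel}"`);
    }
    return tag.replace(/>$/, ` rel="${rel}">`);
  });
}

// Audit helper: hrefs of external _blank anchors that still lack noopener.
function findTabnabbable(html) {
  const found = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    if (!a.href || !isExternal(a.href)) continue;
    if ((a.target || '').toLowerCase() !== '_blank') continue;
    const rel = (a.rel || '').toLowerCase().split(/\s+/);
    if (!rel.includes('noopener')) found.push(a.href);
  }
  return found;
}

// Constructed sample fragment (not from any real report page).
const SAMPLE = '<p><a href="https://attacker.example/poc" target="_blank" rel="noreferrer">Proceed</a> '
  + '<a href="/reports/1" target="_blank">internal</a></p>';
const SAMPLE_AUDIT = findTabnabbable(SAMPLE);   // flags the attacker.example link
const SAMPLE_FIXED = hardenLinks(SAMPLE);
```

Run the audit over rendered pages in a test suite and fail the build when findTabnabbable returns anything; the rewrite is a backstop for content that bypasses the template layer.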
Hacker One, added 2017/10/30 7:13 a.m., 14 views

Infogram: Javascript Payload reflected Back in Report Embed Code

1. Create new Report template 2. Spoof its name with payload " My Report alertdocument.cookie;div id=" 3. Visit back to your library list https://infogram.com/app//library 4. Select the created report and click view on web, click the Share button 5. Copy & embed the code somewhere in an HTML file; you'll triage...

AI score: 6.9, Exploits: 0
Hacker One, added 2017/10/29 2:12 p.m., 36 views

Gratipay: Bypassing X-frame options

Bypass X-Frame-Options. Proxy protection NOT used. Domain using: gratipay.com. Proxy protection NOT used, I can bypass the X-Frame-Options header and recreate clickjacking on the whole domain. I see that you don't have reverse proxy protection; this allows all users to proxy your website rather than...

AI score: 7, Exploits: 0
Hacker One, added 2017/10/28 9:59 p.m., 45 views

HackerOne: GraphQL sessions aren't immediately invalidated when user password is changed

Summary: While changing the password, once the user clicks on the "Change password" button after giving the necessary values, on https://hackerone.com/settings/pass/edit, the session expires and the user is redirected to https://hackerone.com/users/signin for logging in again with the updated/changed password. A...

AI score: 6.9, Exploits: 0
Hacker One, added 2017/10/28 7:56 p.m., 19 views

Infogram: Multiple xss on infogram templates

Hello Team, there are multiple XSS on some templates. Payload used: "...

AI score: 6.9, Exploits: 0
Hacker One, added 2017/10/28 7:34 p.m., 21 views

Infogram: XSS when Shared

Introduction: XSS on an embedded piece of code that, when shared, may make it seem as if it was infogram.com that was doing the malicious act. Proof of Concept: 1. Create an account 2. Create a project titled "scriptalert1;" 3. Click on share. Here's an example of the share embedded code:...

AI score: 6.3, Exploits: 0
Hacker One, added 2017/10/28 4:11 p.m., 29 views

Inflection: Host Header Injection or cache poisoning in multiple domains

Researcher submitted a report related to host header injection, which is currently considered out of scope for our program, so we closed the report. Researcher requested public disclosure...

AI score: 6.7, Exploits: 0
Hacker One, added 2017/10/28 11:49 a.m., 28 views

Infogram: HTML injection

Hi team, I found HTML injection on https://infogram.com/app//library. Steps: 1. Go to https://infogram.com/app//library 2. Choose Report Templates. 3. Use Report Classic. 4. Click Edit data. 5. Edit cell Employee ID. 6. Payload: hacked hacked hacked 7. Execute HTML. POC: video attached...

AI score: 6.9, Exploits: 0
Hacker One, added 2017/10/28 10:13 a.m., 27 views

Razer US: XSS on Saved Carts page

The saved cart endpoint was vulnerable to a reflective XSS due to lack of sanitization of cartcode which is inserted back in the HTML document, which could allow execution of malicious Javascript on the client...

AI score: 0.7, Exploits: 0
Hacker One, added 2017/10/28 7:52 a.m., 8 views

Razer US: Customer's e-mail disclosure

It was found that sharing a saved cart to Facebook leaks the user's e-mail, thus the audience can retrieve it from the link. We appreciate the contribution by @gdinar in helping keep Razer's online properties secure...

AI score: 1, Exploits: 0
Hacker One, added 2017/10/28 1:19 a.m., 24 views

AlienVault : [www.threatcrowd.org] - reflected XSS in graphViewMap.php

Summary: I have found a reflected XSS in https://www.threatcrowd.org/graphViewMap.php in GET parameter email. This is similar to report 283633 Browsers Verified In: Firefox 56.0.1 Steps To Reproduce: 1. Browse to https://www.threatcrowd.org/graphViewMap.php?email=-alertdocument.domain- 2. Click o...

AI score: 6.2, Exploits: 0
Hacker One, added 2017/10/28 1:03 a.m., 44 views

AlienVault : [www.threatcrowd.org] - reflected XSS in report.php

Summary: I have found a reflected XSS in https://www.threatcrowd.org/report.php in GET parameter report Browsers Verified In: Firefox 56.0.1 Steps To Reproduce: 1. Browse to https://www.threatcrowd.org/report.php?report=javascript%3aalertdocument.domain 2. Click on Visit...

AI score: 6.3, Exploits: 0
Hacker One, added 2017/10/28 12:16 a.m., 74 views

Internet Bug Bounty: Out-Of-Bounds Read in timelib_meridian()

Description: While deserializing an invalid dateTime value, wddx_deserialize would result in a heap out-of-bounds read in timelib_meridian. As wddx_deserialize is exposed to network data, and sometimes echoes the results back to the client, this issue could potentially allow remote peeking of the process...

CVSS: 5, AI score: 8.4, EPSS: 0.08257, Exploits: 2
Hacker One, added 2017/10/27 9:30 p.m., 47 views

AlienVault : [www.threatcrowd.org] - reflected XSS

Summary: I have found a reflected XSS in https://www.threatcrowd.org/graphHtml.php, in GET parameter email. Browsers Verified In: Firefox 56.0.1 Steps To Reproduce: 1. Browse to https://www.threatcrowd.org/graphHtml.php?email=%27-alertdocument.domain-%27 2. Click on the embed functionality in th...

AI score: 6.3, Exploits: 0
Hacker One, added 2017/10/27 3:57 p.m., 18 views

Infogram: XSS on infogram.com

Hello, there is an XSS on Report templates. Free templates: Report Classic. When we modify the values of the table we can put an XSS payload. Payload used: " "/...

AI score: 6.3, Exploits: 0
Hacker One, added 2017/10/27 3:01 p.m., 33 views

Infogram: Password Reset Token Not Expired

Hello Team, here in this scenario, I've found that there's a kind of server-side invalidation of Password Reset tokens. Like, if I've requested password reset token token1 and I don't use it, afterwards I make another request for password reset token token2. This time I'll use token2...

AI score: 6.9, Exploits: 0
Hacker One, added 2017/10/27 2:06 p.m., 19 views

VK.com: Stored XSS in /lead_forms_app.php

XSS in the "Lead collection form". Brutal...

AI score: 6.3, Exploits: 0
Hacker One, added 2017/10/27 11:40 a.m., 104 views

Inflection: XST(Cross Site Tracing)

Researcher reported that OPTIONS and TRACE HTTP methods are enabled. HTTP configuration best practices are not currently in scope for our HackerOne program, so we closed the report. Researcher requested that we disclose it...

AI score: 6.9, Exploits: 0
Hacker One, added 2017/10/27 11:04 a.m., 14 views

Mail.ru: [health.mail.ru] SSI script disclosure

SSI template content leaked on an invalid HTTP request in health.mail.ru and a few more projects. At the time of reporting, health.mail.ru was in the Main scope of the bug bounty program...

AI score: 0.1, Exploits: 0
Hacker One, added 2017/10/27 10:36 a.m., 45 views

Infogram: Login Cross Site Request Forgery

The login form is not protected against Cross Site Request Forgery. An attacker can craft an HTML page containing POST information to have the victim sign into an attacker's account, where the victim can add information assuming he/she is logged into the correct account, where in reality, the victim is sign...

AI score: 6.6, Exploits: 0
Hacker One, added 2017/10/27 9:07 a.m., 21 views

X (Formerly Twitter): Open Redirect Protection Bypass

Hi, Report 281538 is fixed but an attacker can bypass this Open Redirect Protection. Give this link https://twitter.com/teams/authorize?targetscreenname=&authorizecallback=//www.facebook.com to an authorized victim. Twitter will tell him to authorize a different account to create a team. After authorization...

AI score: 6.8, Exploits: 0
Hacker One, added 2017/10/27 3:52 a.m., 15 views

Mavenlink: [app.mavenlink.com] IDOR to view sensitive information

The researcher found an IDOR that when exploited would result in an error message that was too verbose. The verbose error message included the title of the workspace that the user was attempting to access and being denied permission to...

AI score: 6.8, Exploits: 0
Hacker One, added 2017/10/27 2:42 a.m., 40 views

RecargaPay: IDOR exposes receipts of all users.

@cablej found an insecure direct object reference (IDOR) that could expose receipts from external users. Thanks for helping us make RecargaPay more secure!...

AI score: 6.9, Exploits: 0
Hacker One, added 2017/10/26 10:17 p.m., 24 views

HackerOne: Private partial disclosure of h1 infrastructure

Description: I've found that the following servers & services can be potentially interesting when attacking h1 infrastructure: Payments Admin ██████ API Docs ██████████ API █████████ MailCatcher ██████████ Story Book ███ Karma ████████ Core Test Server █████████ Core Staging ████ Core Production...

AI score: 6.8, Exploits: 0
Hacker One, added 2017/10/26 6:06 p.m., 20 views

HackerOne: Private Program all members disclosed

After receiving an invite to a private program, it was possible to view all of its team members: https://hackerone.com/invitations/invitation code.json "teammembers":"username":"","username":"","username":"","username":"","username":"","username":""...

AI score: 6.8, Exploits: 0
Hacker One, added 2017/10/26 3:23 p.m., 31 views

Infogram: A10 – Unvalidated Redirects and Forwards

https://infogram.com/login Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages, without proper validation. When I intercept the Twitter request and change it to Google, then it will redirect you to the...

AI score: 6.8, Exploits: 0
Hacker One, added 2017/10/26 12:18 p.m., 31 views

IRCCloud: [IRCCloud Android] XSS in ImageViewerActivity

Hi, I'd like to report HTML/JS injection in activity com.irccloud.android.activity.ImageViewerActivity, which is exported (xml), so it can be launched by arbitrary apps installed on the same device. On the newest Androids it could also be exploited by Android Instant Apps directly from a web browser...

AI score: 7.3, Exploits: 0
Hacker One, added 2017/10/26 11:30 a.m., 53 views

IRCCloud: [IRCCloud Android] Opening arbitrary URLs/XSS in SAMLAuthActivity

Hi, I'd like to report a bug which allows opening arbitrary URLs in com.irccloud.android.activity.SAMLAuthActivity. This activity is exported (xml); it means that it can be accessed by any third-party apps installed on the same device. On the newest Androids it also could be exploited by Android...

AI score: 6.8, Exploits: 0
Hacker One, added 2017/10/26 7:25 a.m., 37 views

HackerOne: View Any Program's Team Members through GET https://hackerone.com/invitations/

@nickcas discovered that it was possible to view all the team members of a program through a JSON response that is sent when a user is invited to collaborate on a report via the /invitations/ endpoint. He was able to provide a very clear PoC, which consisted of a list showing all the members of t...

AI score: 6.6, Exploits: 0
Hacker One, added 2017/10/25 7:57 p.m., 14 views

Infogram: Report Design Critical Stored DOM XSS Vulnerability

Hi Team, another XSS vulnerability in the report designer, but this one is critical. Problem point: Report's Overview Table. Report creation URL: https://infogram.com/app/edit/e7b161f1-f708-48e5-bab7-de9887ae202a Sample data: Click for Detail. Sample URL: https://infogram.com/report-classic-1g57pr0g3xdvp01...

AI score: 6.3, Exploits: 0
Hacker One, added 2017/10/25 4:55 p.m., 13 views

WordPress: Unresolved Changesets are Visible to the Public, Which also Causes Information Disclosure

Hello, while testing your security I observed that the security reports reported to you are, after validation, arranged for a fix, or you can say that a public repository is created for the code powering the site at https://code.trac.wordpress.org/changeset/ID that leaks the following things: 1. Unresolved Bugs 2. P...

AI score: 7.2, Exploits: 0
Hacker One, added 2017/10/25 9:43 a.m., 19 views

Weblate: no notification sent to victim if attacker hacks/accesses his victim's Weblate account.

Hello team, when a hacker hacks into his victim's Weblate account, the victim does not get any notifications, via email for example. This means that the victim therefore won't take action, such as changing his password, in order to secure his account. Risk: very, very dangerous; a hacker can now ...

AI score: 3, Exploits: 0
Hacker One, added 2017/10/25 8:11 a.m., 22 views

Tor: Detecting Tor Browser UI Language

Suppose that a user downloads a non-English version of Tor Browser from https://www.torproject.org/projects/torbrowser.html.en, there is a way to detect which UI language the user is using. I don't think you want websites to detect this info, because at the first time I launched non-English Tor...

AI score: 6.8, Exploits: 0
Hacker One, added 2017/10/24 9:25 p.m., 24 views

X (Formerly Twitter): OS Command Execution on User's PC via CSV Injection

Summary: Twitter is vulnerable to CSV Injection. If an attacker can successfully exploit this, then they will compromise the PC of the user. The injection point is via a tweet on the main twitter.com site while the retrieval point is via the “Export Data” option on the analytics site. Description...

AI score: 7.9, Exploits: 0
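An added example, not Twitter's code and not part of the report above: a Node.js CSV writer that neutralises the formula (CSV) injection class the snippet describes. A cell that begins with =, +, -, @, a tab or a carriage return is evaluated as a formula by Excel and LibreOffice when the export is opened, so attacker-controlled text that is retrieved into a download becomes a formula on the analyst's machine. The sample rows, column names and export shape are constructed for the example and are not Twitter's analytics format.

```javascript
// Added example (not Twitter's code): defensive CSV generation. Cells whose
// first character would trigger formula evaluation get a leading apostrophe
// (spreadsheets then treat the cell as text); every cell is then quoted per
// RFC 4180 so embedded quotes, commas and newlines cannot break the row.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

function isFormulaLike(text) {
  return text.length > 0 && FORMULA_TRIGGERS.has(text[0]);
}

// Genuine numbers pass through unchanged (a negative number must stay a
// number); every other value is stringified and neutralised.
function neutralizeCell(value) {
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  let text = value == null ? '' : String(value);
  if (isFormulaLike(text)) text = "'" + text;
  if (/[",\r\n]/.test(text)) text = '"' + text.replace(/"/g, '""') + '"';
  return text;
}

// rows: array of arrays; returns CRLF-terminated CSV text.
function toCsv(rows) {
  return rows.map((row) => row.map(neutralizeCell).join(',')).join('\r\n') + '\r\n';
}

// Constructed sample export (not real Twitter data): the second row carries
// formula-looking text of the kind an attacker could place in a tweet.
const SAMPLE_ROWS = [
  ['tweet', 'impressions'],
  ['=HYPERLINK("https://attacker.example","click")', 12],
  ['@handle mention', 3],
  ['plain tweet, with comma', 5],
];
const SAMPLE_CSV = toCsv(SAMPLE_ROWS);
```

The apostrophe prefix is the widely used mitigation and is visible to the person opening the file; if that is unacceptable, the alternative is to export in a format that carries cell types (e.g. xlsx) rather than plain CSV.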
Hacker One, added 2017/10/24 8:01 p.m., 27 views

Rockstar Games: Stored XSS on profile page via Steam display name

The researcher was able to demonstrate an XSS vulnerability by using their Steam nickname as the payload vector. This was due to insufficient filtering on Linked Account name fields. We pushed out an update that replaces suspicious Linked Account names with a generic string in order to prevent...

AI score: 6.2, Exploits: 0
Hacker One, added 2017/10/24 7:50 p.m., 16 views

Mail.ru: XSS via link loading.

Good day. I found a new XSS in https://connect.mail.ru/ POC: 1. Go to an obscure Wikipedia branch, for example this one https://io.wikipedia.org/wiki/Nenufaro 2. Insert the script there " F232448 3. Load the Wikipedia page through our service...

AI score: 6.9, Exploits: 0
Hacker One, added 2017/10/24 7:09 p.m., 27 views

Ruby: Take back all my data from [email protected]

Attack...

AI score: 6.9, Exploits: 0
Hacker One, added 2017/10/24 5:58 p.m., 16 views

Infogram: No Confirmation or Notification During Email Change which can leads to account takeover

Hi Team, I have noticed that when a user changes his email through the account settings, the user doesn't get any notification or confirmation to change an email from xxxx to yyyyy. If a user kept his/her account logged in on a PC, cafe or college system, then an attacker can change his/her email to their own mail and c...

AI score: 7, Exploits: 0
Hacker One, added 2017/10/24 5:49 p.m., 27 views

Infogram: No notification on Password Change

Hi Team, Description: I noticed there is an issue with the password reset functionality; the user is not receiving a notification when he resets the password. Even when the user changes the password through the profile, he is not getting an email notification. Issue: the user does not always get a notification about password chang...

AI score: 7, Exploits: 0
Hacker One, added 2017/10/24 5:36 p.m., 155 views

Infogram: User enumeration via forgot password error message

Hi Team, Vulnerable URL: https://infogram.com/forgot Description: While testing whether rate limiting on the forgot password field is working or not, I noticed the forgot password field is vulnerable to user enumeration. When a user enters an email id which is not available in the database it shows an error ...

AI score: 7, Exploits: 0
Hacker One, added 2017/10/24 4:04 p.m., 13 views

Infogram: XSS on Report Classic

Hi team, I found XSS on https://infogram.com/app//library. Steps: 1. Go to https://infogram.com/app//library 2. Choose Report Templates. 3. Use Report Classic. 4. Click Edit data. 5. Payload: //" “alertdocument.cookie 6. Execute XSS, and when you edit data the XSS started...

AI score: 6.3, Exploits: 0
Hacker One, added 2017/10/24 3:04 p.m., 12 views

Infogram: Memory Corruption via Large Pixels

A memory corruption vulnerability was reported in an image processing service. By uploading a maliciously crafted image with extremely large dimensions, an attacker could cause the service to allocate an excessive amount of memory during image processing, potentially leading to memory corruption...

AI score: 7, Exploits: 0
Hacker One, added 2017/10/24 1:48 p.m., 15 views

Infogram: Application Vulnerable to CSRF - Remove Invited user

POC: 1. Login to the application with a business account. 2. Go to Manage teams, where we can send invites to a team member. Send an invite to a team member. 3. After the invite is sent to a user, the admin has the option to Remove User. 4. While trying to remove the user, capture the request in Burp,...

Exploits: 0
Hacker One, added 2017/10/24 12:46 p.m., 17 views

Infogram: Sensitive information is publicly available

During the analysis it was found that some sensitive information like IP is available on this URL: https://infogram.com/ip/...

AI score: 6.6, Exploits: 0
Hacker One, added 2017/10/24 10:51 a.m., 17 views

Infogram: Outdated jQuery Version

During analysis, it was observed that the application is using an outdated jQuery version, i.e. 1.11.2...

AI score: 6.9, Exploits: 0
Total number of security vulnerabilities: 15290