15372 matches found
HackerOne: Information Disclosure when /invitations/<token>.json is not yet accepted
Hi Team, Summary: First, i just want to clarify that this finding seems a purely human mistake from one of the hackerone member team who created a summary of this report: 283309 --- I have found that you guys HackerOne was disclosing email address and private program as part of this report summar...
Aspen: Session does't get expired after changing the password in https://readthedocs.org
Session does't get expired after changing the password in https://readthedocs.org...
Infogram: Persistent XSS in share button
Persistent XSS in "Share" button was found: 1. In custom link field for "Share" button add: ". 2. Share the infographic publicly, navigate to its public URL and click the "Share" button. 3. See that pop-up window activates...
Mail.ru: CSRF на biz.mail.ru
ŠŠ“ŃŠ°Š²ŃŃŠ²ŃŠ¹ŃŠµ, ŠÆ обнаŃŃŠ¶ŠøŠ» CSRF на biz.mail.ru PoC: ŃŠøŃŃŠµŠ¼Š° Š“ŃŠ¼Š°ŠµŃ ŃŃŠ¾ Š¼Ń Ń Š¾ŃŠµŠ»Šø ГобавиŃŃ ŃŃŠø Š“Š¾Š¼ŠµŠ½Ń Š² ŃŠ²Š¾Š¹ Š°ŠŗŠŗŠ°ŃŠ½Ń ŃŠµŃез ŃŠ°Ń Š¼Ń ŠæŠ¾Š»ŃŃŠøŠ¼ майли: "ŠŃжна помоŃŃ Ń ŠæŠ¾Š“ŃŠ²ŠµŃжГением Гомена .com?" F239336 ŠŠ»Š°Š³Š¾Š“аŃŃ Š·Š° внимание. Š” ŃŠ²Š°Š¶ŠµŠ½ŠøŠµŠ¼, ŠŠ¶ŠµŠ¹Ń ŃŠ½ ŠŠ¶Š°ŃŠ°ŃŠ¾Š² c37hun...
Trello: Able to run script on https://trello-attachments.s3.amazonaws.com/ [N/A]
HI Trello Security Team this pratik From India ------------------------------------------------------------------------------ I have Founded Stored XSS On your Website critical issue need to be patched before someoneattacker exploit this...
U.S. Dept Of Defense: X-XSS-Protection -> Misconfiguration
Hi there, URL: https://www.sfl-tap.army.mil/ I have seen that the website is using the X-XSS-Protection Header. But it has a strange configuration. When I take a look at securityheaders, I've seen that you guys use this as configuration. X-XSS-Protection: DENY DENY is used for the X-Frame Option...
Automattic: Improper markup sanitization.
Summary One can inject HTML into a note and create a login form that sends the user's details to a third-party server. This was a fun issue to play around with. I will let the PoC do most of the talking for a change. PoC Paste the following HTML into a Simplenote. I am using the Simplenote app...
HackerOne: Program profile metrics endpoint contains mean time to triage, even when turned off
Description Include Impact: when a bug bounty program disables its profile metrics which shows the Response Efficiency, there still some data leaked in the response of the the following endpoint: hackerone.com/PROGRAMHANDLE/profilemetrics.json this endpoint leaks the meantimetotriage although the...
Concrete CMS: Reflected XSS vulnerability in Database name field on installation screen
"Leave me in a room with some crayons and I'll draw on the wall." Platform information Issue: Core CMS issue Version: Concrete5 - 8.2.1 md500080d5a625ddbaece643894f67d57b1 downloaded today from official download site2 Short description There is reflected XSS vulnerability in Database Name filed o...
RubyGems: [gem server] Stored XSS via crafted JavaScript URL inclusion in Gemspec
Hi, A JavaScript URL injection in the homepage field within a Gemspec file can be leveraged to achieve stored XSS on the default gem server web interface, referenced here. When you install RubyGems, it adds the gem server command to your system. This is the fastest way to start hosting gems. As...
Ubiquiti Inc.: Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300
In AirOS 6.1.5 and prior, due to lack of validation is possible to bypass the CSRF in certain web pages. If an authenticated user access an attacker controlled web page, it could trigger the CSRF and the resulting request could modify the device configuration and creating stored-XSS, with the XSS...
Semrush: Following links are vulnerable to clickjacking
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: The below list...
Legal Robot: Exposes a series of other private credentials
Hi, I found a Javascript file where have many private credentials. JS File https://app.legalrobot.com/meteorruntimeconfig.js Code meteorruntimeconfig = "meteorRelease":"[email protected]","meteorEnv":"NODEENV":"production","TESTMETADATA":"","PUBLICSETTINGS":"analyticsSettings":"Google...
AlienVault : DNS pinning SSRF
Hello there, this is for the otx.alienvault.com domain, but I couldn't mark it in the drop down menu. I saw the note about the 2 weeks so I decide to report this. Summary: I've found that you can perform a SSRF attackwith DNS pinning and read the response from url http://169.254.169.254 Browsers...
Urban Dictionary: Stored XSS on urbandictionary.com
hi team, I have found an XSS flaw on your site in add page. POC in this video...
GSA Bounty: Subdomain Takeover
@picklepwns discovered a subdomain takeover attack. Technically, the domain was out of scope for our Vulnerability Disclosure Policy. We want to remind hackers to please limit their testing to domains explicitly listed in that scope which is repeated on our HackerOne program page for convenience...
Bitwarden: Vulnerable exported broadcast receiver
Good evening, This is actually in your code base this time. : Since the following broadcast receiver has export=true it can be exploited by 3rd parties. Vulnerability com.x8bit.bitwarden.PackageReplacedReceiver has exported set to true making the receiver vulnerable to tampering. F238236 POC I wa...
Internet Bug Bounty: SSL_peek() hang on empty record (CVE-2016-6305)
As described here: https://www.openssl.org/news/secadv/20160922.txt...
X (Formerly Twitter): POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204)
Summary: POODLE SSLv3 bug on multiple twitter smtp servers Description: CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle...
IRCCloud: [IRCCloud Android] Theft of arbitrary files leading to token leakage
Bug description Hi, I'd like to report a vulnerability which allows to theft arbitrary protected files and as a result takeover account, because all tokens will be leaked, similar to my bug reported to Harvest https://hackerone.com/reports/161710 This one is really tricky, passed two days to...
HackerOne: Additional bypass allows SSRF for internal netblocks
It turns out there is another bypass in the privateaddresscheck gem. The gem does not include 0.0.0.0 in the exclusion list in the first place. irbmain:001:0 require 'privateaddresscheck' = true irbmain:002:0 PrivateAddressCheck.privateaddress?"0.0.0.0" = false I was able to bypass your filter by...
Semrush: Cross-origin resource sharing
Issue:Cross-origin resource sharing: arbitrary origin trusted The application implements an HTML5 cross-origin resource sharing CORS policy for this request that allows access from any domain. The application allowed access from the requested origin https://hhgdhgjgbrg.com Since the Vary: Origin...
Infogram: Bruteforcing Coupons
Hi, while i was fuzzing for an API endpoints i found this endpoint: https://infogram.com/api/discounts the first thing came on my mind is bruteforcing the coupon codes so i gave it a try and it worked! there's no rate limit on that endpoint so an attacker could use it to bruteforce the coupon cod...
Aspen: Email Spoofing
There is an Email Spoofing Vulnerability. Steps to reproduce: 1 Go to http://emkei.cz/ 2 Fill "From Email" field to [email protected] or any other aspen email. 3 Fill the victim's address your address to "TO" field and fill in other details as you wish. You will receive email from aspen admin...
Phabricator: Command injection on Phabricator instance with an evil hg branch name
Hi phabricator, I found an evil branch name of hg a repo can lead to arbitrary command injection on phabricator instance. Here is the reproduction steps: 1. Monitor a remote mercurial repo with phabricator; 2. Create a branch and called "--config=hooks.pre-log=wget" on the remote; 3. After...
AlienVault : Puplic .htaccess/.htpasswd/.canvas files leads to password disclosure.
iam a big fan of fuzzing/bruteforcing after my last submission 288533 on http://data.alienvault.com, i decided to go further, after some bruteforcing i came across this directory which looked kinda interesting for me http://data.alienvault.com/snort/ when u try to access the directory you will ge...
Zomato: User Profiles Leak PII in HTML Document for Mobile Browser User Agents
@chriszielinski found that user personal information was leaking when you make a request using mobile user agent...
VK.com: CSRF ŃŠ¾Š·Š“ание Š¾ŠæŃоŃа Š¾Ń имени ŠæŠ¾Š»ŃŠ·Š¾Š²Š°ŃелŃ, Š·Š½Š°Ń id ŠæŃŠøŠ»Š¾Š¶ŠµŠ½ŠøŃ. + неболŃŃŠ¾Š¹ ŃŠ»ŃŠ“ ŃŠ¾Š¾Š±ŃŠµŠ½ŠøŃŠ¼Šø на ŃŃŠµŠ½Ń
CSRF на ŃŠ¾Š·Š“ание Š¾ŠæŃоŃа Š¾Ń ŠæŃŠøŠ»Š¾Š¶ŠµŠ½ŠøŃ...
AlienVault : Server Side Request Forgery protection bypass ā 2
Hi, you haven't fixed the vulnerability.The bypass of this report 287762 This is a classic example of url bypass. POC https://www.threatcrowd.org/domain.php?domain=173.0302.0x2c.70 https://www.threatcrowd.org/domain.php?domain=0xad.0xc2.0x2c.0x46...
Rockstar Games: SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE
In this report, the researcher found that by submitting crafted SVG files, he was able to establish a listener on our server that enabled SSRF attacks. This potentially could have been pivoted to carry out more damaging attacks as well. We improved our validation of user-submitted SVG files to...
Valve: LFI in pChart php library
Local File Inclusion LFI vulnerability in the pChart php library...
AlienVault : SSRF bypass #2 (using octal encoding) on the https://www.threatcrowd.org/domain.php
Description The latest SSRF fixes can be bypassed, using octal encoding of the AWS IP. There is other more general bypass, which can't be fixed using blacklisting - it's reported in the 288183. POC https://www.threatcrowd.org/domain.php?domain=0251.00376.000251.0000376 F237500 Suggested fix As wa...
Moneybird: Open Redirection while saving User account Settings
Hi team , I got a Open redirection while saving account setting . This could lead to serious issues . Endpoint :- https://moneybird.com/user/edit?returnto=//evil.com Reproduce :- Visit https://moneybird.com/user/edit?returnto=//evil.com and click on Save . You will be take to evil.com . Impact :-...
AlienVault : DNS pinning SSRF bypass
Summary: this issue is a bypass for this report: https://hackerone.com/reports/285380 . It is a SSRF bypass with DNS pinning. Description: We can bypass the SSRF protection with a simple domain that is resolving to 169.254.169.254 , like: ssrf-cloud.localdomain.pw Browsers Verified In: Firefox 56...
AlienVault : SSRF bypass for https://hackerone.com/reports/285380 (query AWS instance)
Description The SSRF fix can be bypassed, using domain, pointed to the AWS IP 169.254.169.254, like metadata.nicob.net. POC https://www.threatcrowd.org/domain.php?domain=metadata.nicob.net F237437 Suggested fix While there is no 100% way to validate the domains using only string-based checks, you...
BOHEMIA INTERACTIVE a.s.: 217.147.95.145 NFS Exposed with Zeus Server configs
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Description:...
Ruby: Resolv::getaddresses bug that can be abused to bypass security measures.
Description Resolv::getaddresses is OS-dependent, therefore by playing around with different IP formats one can return blank values. This bug can be abused to bypass exclusion lists often used to protect against SSRF. | š» Machine 1 | š» Machine 2 | |--------------|---------------| | ruby 2.3.3p222...
BOHEMIA INTERACTIVE a.s.: IDOR to view User Order Information
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Description: There is a...
AlienVault : SSRF protection bypass
As said in report 285380, using the decimal IP notation is bypassing the fix : https://www.threatcrowd.org/domain.php?domain=2852039166...
Infogram: Bypass insecure password validation
Hi Team, Summary: Registration is checking the password creation if the password is insecure , but the password reset page was not doing the same validation, so when i input an insecure password using the password reset, the validation on the password creation can be bypass because the password...
Infogram: Stored XSS On Wordpress Infogram plugin
Hello Team, There is a Stored XSS Vulnerability On Wordpress Infogram plugin. Wordpress version : 4.5 Infogram plugin version : 1.5.1 After installing wordpress and infogram plugin. I created a project to infogram with the following name " and I Created a simple report. Then I go back to my...
Internet Bug Bounty: CVE-2017-13090 wget heap smash
The retr.c:fdreadbody function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in piec...
Internet Bug Bounty: CVE-2017-13089 wget stack smash
The http.c:skipshortbody function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then...
Infogram: Stored XSS in content when Graph is created via API
Summary It is possible for an attacker to insert javascript code into Graphs by creating a project via the API Steps to reproduce Login Go to API Settings Copy your Key + Secret Go to API Documentation Download one of the official libraries I chose JAVA In the "main" method add the Key + Secret y...
Infogram: Internal Ports Scanning via Blind SSRF (URL Redirection to beat filter)
Summary --------------------- This is a blind SSRF that lets you scan internal ports. Technical Details -------------------- Inspired by 281950, I found a way to evade the filter for the api endpoint webresource by using a URL Redirection service. I used tinyurl to create a url that linked to...
Mail.ru: Self-xss via drag&drop in email form
User-assisted XSS in message composer's drag-n-drop feature via alt property of emoji-style image...
Mail.ru: Possibility to view subdepartments for arbitrary domain
By directly referencing to department ID in biz.mail.ru, it was possible to see the names of departments without knowledge of which organization this department belongs to Leakage of every existing department/unit of every domain via changing parameters directly in http request...
HackerOne: Blind SSRF in "Integrations" by abusing a bug in Ruby's native resolver.
Summary HackerOne allows bug bounty programs to integrate their reports queue with issue tracking tools such as Jira and Phabricator. By abusing a bug that I discovered in Ruby's native resolver, I am able to bypass the SSRF filter and could potentially scan your internal network. Vulnerability...
Trello: CSV injection [N/A]
Hello, We can inject commands in the name field of a board =210 or =cmd|'/C calc'!AO for example, and when it's exported to CSV it will be evaluated to 20 in the corresponding cell, this enables an attacker to spread malware and execute system level commands on a victim's machine if the victim...
Trello: Subdomain Takeover Possible [N/A]
Hello , Team Trello Security Today == 04/11/2017 , 03:52 , I Discovred A Issue in Your Website , i found this error In : http://d2k1ftgv7pobq7.cloudfront.net/ ======================================================= ERROR The request could not be satisfied. Bad request. Generated by cloudfront...