15372 matches found
AlienVault : [www.threatcrowd.org] - reflected XSS
Summary: I have found a reflected XSS in https://www.threatcrowd.org/graphHtml.php, in GET parameter email. Browsers Verified In: Firefox 56.0.1 Steps To Reproduce: 1. Browse to https://www.threatcrowd.org/graphHtml.php?email=%27-alertdocument.domain-%27 2. Click on the embed functionnality in th...
Infogram: XSS on infogram.com
Hello, There is a XSS on Report templates. Free templates : Report Classic When we modify the values of table we can put XSS Payload. Payload used : " "/...
Infogram: Password Reset Token Not Expired
Hello Team, Here in this scenario, I've found that the there's a kind of server side invalidation of Password Reset tokens. Like if I've requested for password reset token token1 and I don't use it, after I will make another request for password reset token token2. This time I'll use the token2...
VK.com: Stored xss в /lead_forms_app.php
XSS в "Форме сбора заявок". Жесть...
Inflection: XST(Cross Site Tracing)
Researcher reported that OPTIONS and TRACE HTTP methods are enabled. HTTP configuration best practices are not currently in scope for our HackerOne program, so we closed the report. Researcher requested that we disclose it...
Mail.ru: [health.mail.ru] Раскрытие SSI сценариев
SSI template content leaked on invalid HTTP request in health.mail.ru and few more projects. On the moment of reporting, health.mail.ru was in Main scope of bug bounty program...
Infogram: Login Cross Site Request Forgery
Login form is not protected against Cross Site Request Forgery. An attacker can craft html page containing POST information to have victim sign into an attacker's account, where the victim can add information assuming he/she is logged into the correct account, where in reality, the victim is sign...
X (Formerly Twitter): Open Redirect Protection Bypass
Hi Report 281538 is fixed but Attacker can Bypass this Open Redirect Protection. Give this link https://twitter.com/teams/authorize?targetscreenname=&authorizecallback=//www.facebook.com to authorized victim.Twitter will say him to authorize a different account for create team.After authorization...
Mavenlink: [app.mavenlink.com] IDOR to view sensitive information
The researcher found an IDOR that when exploited would result in an error message that was too verbose. The verbose error message included the title of the workspace that the user was attempting to access and being denied persmission to...
RecargaPay: IDOR exposes receipts of all users.
@cablej found an insecure direct object reference IDOR that could expose receipts from external users. Thanks for helping us make RecargaPay more secure!...
HackerOne: Private partial disclosure of h1 infrastructure
Description I've found that following servers & services can be potentially interesting when attacking h1-infrastructure: Payments Admin ██████ API Docs ██████████ API █████████ MailCatcher ██████████ Story Book ███ Karma ████████ Core Test Server █████████ Core Staging ████ Core Production...
HackerOne: Private Program all members disclosed
After receiving an invite to a private program, it was possible to view all of its team members: https://hackerone.com/invitations/invitation code.json "teammembers":"username":"","username":"","username":"","username":"","username":"","username":""...
Infogram: A10 – Unvalidated Redirects and Forwards
https://infogram.com/login Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation. when i intercept the twitter request and change it to the google then it will redirect you to the...
IRCCloud: [IRCCloud Android] XSS in ImageViewerActivity
Hi, I'd like to report HTML/JS injection in activity com.irccloud.android.activity.ImageViewerActivity which is exported: xml so can be launched by arbitrary apps installed on the same device. On the newest Androids could be exploited also by Android Instant Apps directly from a web-browser...
IRCCloud: [IRCCloud Android] Opening arbitrary URLs/XSS in SAMLAuthActivity
Hi, I'd like to report a bug which allow to open arbitrary URLs in com.irccloud.android.activity.SAMLAuthActivity This activity is exported: xml it means that it can be accessed by any third-party apps installed on the same device. On the newest Androids it also could be exploited by Android...
HackerOne: View Any Program's Team Members through GET https://hackerone.com/invitations/
@nickcas discovered that it was possible to view all the team members of a program through a JSON response that is sent when a user is invited to collaborate on a report via the /invitations/ endpoint. He was able to provide a very clear PoC, which consisted of a list showing all the members of t...
Infogram: Report Design Critical Stored DOM XSS Vulnerability
Hi Team, Another XSS vulnerability in report designer but this one is critical. Problem Point Report's Overview Table Report Creation Url https://infogram.com/app/edit/e7b161f1-f708-48e5-bab7-de9887ae202a Sample Data Click for Detail Sample URL https://infogram.com/report-classic-1g57pr0g3xdvp01...
WordPress: UnResolved ChangeSet are Visible to Public That also Causes Information Disclosure
Hello, While testing Your Security I Observed that the Security Report Reported to You After Validation arranged for fix or you can say that a public repository created for the code powering the site at https://code.trac.wordpress.org/changeset/ID that Leaks Following Things 1.UnResolved Bugs 2.P...
Weblate: no notification send to victim if attacker hacks/accesses his victims WebLate account.
hello team, when a hacker hacks into his victims WebLate account, the victim does not get any notifications. via email for example this means that the victim therefore won't take action to change his password for example in order to secure his account. Risk: very, very dangerous a hacker can now ...
Tor: Detecting Tor Browser UI Language
Suppose that a user downloads a non-English version of Tor Browser from https://www.torproject.org/projects/torbrowser.html.en, there is a way to detect which UI language the user is using. I don't think you want websites to detect this info, because at the first time I launched non-English Tor...
X (Formerly Twitter): OS Command Execution on User's PC via CSV Injection
Summary: Twitter is vulnerable to CSV Injection. If an attacker can successfully exploit this, then they will compromise the PC of the user. The injection point is via a tweet on the main twitter.com site while the retrieval point is via the “Export Data” option on the analytics site. Description...
Rockstar Games: Stored XSS on profile page via Steam display name
The researcher was able to demonstrate a XSS vulnerability by using their Steam nickname as the payload vector. This was due to insufficient filtering on Linked Account name fields. We pushed out an update that replaces suspicious Linked Account names with a generic string in order to prevent...
Mail.ru: XSS через подгрузку ссылки.
Доброго времени суток. Я нашел новую xss в https://connect.mail.ru/ POC: 1. Переходим на неизвестную ветку википедии, например эту https://io.wikipedia.org/wiki/Nenufaro 2. Вставляем туда скрипт " F232448 3. Подгружаем страничку википедии через наш сервис...
Ruby: Take back my all data from [email protected]
Attack...
Infogram: No Confirmation or Notification During Email Change which can leads to account takeover
Hi Team, I have noticed that, when user change his email through account setting, user doesn't get any notification or confirmation to change an email from xxxx to yyyyy. If user kept his/her account logged-in into PC, cafe, college systems then attacker can change his/her email to own mail and c...
Infogram: No notification on Password Change
Hi Team, Description : I noticed there is an issue with password reset functionality user is not receiving notification when he reset password. Even though when user change password through profile, not getting an email notification. Issue: user not always gets a notification about password chang...
Infogram: User enumeration via forgot password error message
Hi Team, Vulnerable URL : https://infogram.com/forgot Description: During testing forgot password field whether it's rate limiting is working or not, I noticed forgot password field is vulnerable to user enumeration. When user enter email id which is not available into database it shows an error ...
Infogram: XSS on Report Classic
hi team ... i found XSS on https://infogram.com/app//library step .. 1- go to https://infogram.com/app//library 2- choose Report Templates . 3- Use Report Classic 4- click to editdata 5- payload //" “alertdocument.cookie 6-execute XSS and which you edit data XSS stared...
Infogram: Memory Corruption via Large Pixels
A memory corruption vulnerability was reported in an image processing service. By uploading a maliciously crafted image with extremely large dimensions, an attacker could cause the service to allocate an excessive amount of memory during image processing, potentially leading to memory corruption...
Infogram: Application Vulnerable to CSRF - Remove Invited user
POC: 1. Login to the application with a business account. 2. Go to Manage teams, where we can send invites to a team member. Send a Invite to a team member 3. After the invite is sent to a user, the admin has option to Remove User. 4. While trying to remove the user, capture the request in burp ,...
Infogram: Sensitive information is publicly available
During the analysis it was found that some sensitive information like ip is available on this url .https://infogram.com/ip/...
Infogram: Outdated jQuery Version
During analysis, it was observed that the application is using outdated jQuery version i.e. 1.11.2...
Tor: Cross-domain linkability when system time changed in Tor Browser
This report is inspired by 257942. That report uses languagechange event as an indicator for different tabs to link multiple visits to a single user. This report uses another trick to achieve the same thing. Malicious websites keeps reading Date.now inside a setInterval loop with a short interval...
Infogram: Stored XSS in the Custom Logo link (non-Basic plan required)
Description Hello. Recently i contacted with Infogram, and requested trial of the Business version to test some features, which was unavailable in the Basic version. I discovered the stored cross-site scripting issue in the Custom Logo link. F232084 There was some URL checks in place, but i was...
WordPress: Unauthenticated hidden groups disclosure via Ajax groups search
Note: this issue was previously submitted to [email protected], because I did not have the rep to submit it here. That was cleared up with HackerOne, so I am now submitting the issue here, at @aaroncampbell's direction. Summary It is possible for an unauthenticated user to view the title,...
Infogram: Internal Ports Scanning via Blind SSRF
Introduction: I found a Blind SSRF issue that allows scanning internal ports. How to reproduce: Login Send the request https://infogram.com/api/webresource/url?q=TARGETURI Look up the response. If valid, it returns status code 200 and the website's title will be exposed, or 404 for otherwise. For...
Ruby: Bugs
Account info...
VK.com: XSS в личных сообщениях
XSS в ссылках в личных сообщениях, приходящих в реалтайме...
Ruby: Provide a security sistem most fit to our team
Now we want to proof that our security sistem is most fit in this year...
Tor: Crashes/Buffer at 0x2C0086,name=PBrowser::Msg_Destroy
Hi Team, Steps to Reproduce: 1. Open Tor 2. Navigate to string.html Where string.html : function tor var uristring = unescape"%u4141%u4141"; fori=0; i 3. 'Gah! This tab has crashed. However, running it to debug mode generates the below exception : !!! ParentMessageChannel Error:...
Duolingo: RCE in TinyCards for Android
We found and confirmed an RCE bug in TinyCards for Android. Is it in scope, and if not how do we report this security issue to DuoLingo...
Tor: Preferred language option fingerprinting issue in Tor Browser
I'm not so sure if this is an in-scope issue or by-design. But based on my understanding of 1, I feel that Tor doesn't want to make user configuration details of Tor Browser detectable by websites. But in about:preferencescontent, there's a "Languages" section that allows users to "choose your...
Mavenlink: Password reset link injection allows redirect to malicious URL
@cablej found a vulnerability in our password reset functionality that allowed an attacker using an HTTP request with a modified Host header to cause a password reset link to be emailed to the target user that would navigate to the attacker's domain. Because the password reset emails are sent fro...
Inflection: Unsubscribe Any User
Researcher reported that HubSpot's "unsubscribe" feature allows any user to unsubscribe from marketing emails without having to confirm their email address. Inflection does not consider this a vulnerability, as we want to make it as easy as possible for users to stop receiving marketing emails th...
Inflection: Limited Account Takeover via Backup codes
Researcher submitted a duplicate of a previously-submitted report and requested public disclosure of this report...
Stellar.org: xss
content on a server is including Javascript content from an unrelated domain. When this script code is fetched by a user browser and loaded into the DOM, it will have complete control over the DOM, bypassing the protection offered by the same-origin policy. Even if the source of the script code i...
Uber: No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts
A lack of rate limiting on the "/confirm" endpoint made it possible for an attacker to add themselves to arbitrary business.uber.com accounts by brute forcing confirmation codes. If they were able to successfully brute force the correct confirmation code, this would allow an attacker to take ride...
RubyGems: Negative size in tar header causes infinite loop
Proof of concept The attached file loop.gem causes an infinite loop in any command that tries to iterate over the entries in the tar container. gem install loop.gem gem unpack loop.gem gem specification loop.gem Summary Gem::Package::TarHeader.from uses oct to parse fields in the tar header. oct...
RBKmoney: IDOR in merchant.rbmonkey.com allows deleting eShops of another user
Website merchant.rbmonkey.com was exposed to an insecure direct object reference vulnerability IDOR which may allow an attacker to deleting shop objects of another user...
Uber: XSS on partners.uber.com due to no user input sanitisation
The /p3/drivers/vehicles/add endpoint on partners.uber.com was vulnerable to cross site scripting, since the endpoint did not validate the data it received, it did not perform encoding on the data to remove or make harmless HTML-sensitive characters such as . The page response was not served with...