15372 matches found
Legal Robot: Non-HTTPS link on blog
Hi, @legalrobot I found another venturebeat.com URL without HTTPS in https://www.legalrobot-uat.com/press/ I hope you fix this Screenshot attached bellow Cheers, Ph0b0s...
WePay: [stage-go.wepay.com] XSS via Request URI
PoC Open URL in Internet Explorer. This vulnerability only works in Internet Explorer and possibly in Edge, since it is necessary to send a Request-URI without a URL Encode, which is only possible in this browser via redirect...
Inflection: Business Logic Flaw allowing Privilege Escalation
Researcher misunderstood the names and permissions assigned to various roles in the GoodHire application - the permissions are working as intended. Nevertheless, the researcher requested for the report to be disclosed...
QIWI: apache access.log leakage via long request on https://rapida.ru/
Issue access.log is leaked by attacker who trying send many requests. Explain: Honestly i don't know how the bug is happened, but i guess if the access.log is too large, it will dump some part into the response, and attacker happily get it. Reproduce: 1. Access to https://rapida.ru/search/?q= 2...
Infogram: Non Critical Code Quality Bug / Self XSS on Map Editor
Hi Team, I've found non-critical XSS on map editor. It is not for bounty just for code quality. This is my url: https://infogram.com/app/edit/c024c717-31c2-4c31-8491-1cc9534e9adb When i added map on form then edit Country name and replace with "alert1;" it is executed. Attached screenshots...
Mail.ru: Stored self-XSS pubg.mail.ru в нескольких местах
Stored self-XSS in pubg.mail.ru via account name if login via social network is used. pubg.mail.ru is not currently in bug bounty scope...
Razer US: Heart-bleed Vulnerability that leads to disclose sensitive information from the memory
Summary: Upon doing penetration testing on the Rezar domains, I have found that on of the domains is vulnerable to the heartbleed vulnerability, but I am not sure that careers.razerzone.com is in scope. Because of the dangerous of the vulnerability, I took further step to report. The Heartbleed B...
Inflection: Fake mailing reports using mail service on [URL : mail-txn.identity.com]
Researcher discovered an unused subdomain that served as an alias for Mandrill's third-party transactional email service. Mandrill's relay server could be used to send bounceback/failed delivery messages to an arbitrary "sender", although the contents of the message itself are limited to Mandrill...
HackerOne: Search query text, including from potentially undisclosed reports, sent to Google Analytics on Inbox query page
Summary: Search query text, including from potentially undisclosed reports, sent to Google Analytics on Inbox query page Description Include Impact: Since search query text can both include content of private vulnerabilities, it shouldn't be sent to Google Analytics. Furthermore, the information...
LocalTapiola: High server resource usage on captcha (viestinta.lahitapiola.fi)
Short summary Hi, I noticed that the following report has been fixed and closed, however the bug has reappeared in different parameters: https://hackerone.com/reports/204208 Basic report information Summary: It is possible to generate a simple request which creates a high cpu/bandwidth consumptio...
Boozt Fashion AB: No Session change on Password change
Your system does not change session id after password is changed. Reusing same session ids, after password is changed is highly risky. Example scenario: Hacker has successfully brute forced the password of a victim and has access to the account. The victim notices that something's off and chooses...
Infogram: No Rate Limit on account deletion request(Leads to huge email flooding/email bombing)
Dear sir, At first,i want to say that this sensitive action definitely should be set with rate limit. Note:-This is about huge bombing/brute force on any endpoints. Vulnerability:- -No rate limit has been set for generating account deletion emails for accounts on above selected domain. -As there ...
Infogram: Incorrect Functionality of Password reset links
Vulnerability:- -Password reset links should work in such a way that "only the last generated password reset link should be valid" i.e; if two tokens are generated at a time, then 2nd token must work and 1st token must be invalid. -If not, another case is that "if some number of reset links are...
Infogram: Email notification is not being sent while changing passwords
Vulnerabilities:- 1.Use of old passwords is possiblecurrent password can be used as new password. 2.Email notification is not being sent to linked mail account while changing passwords. Impact:- Case-1:- -whenever a user requests a reset token for recovery of his account,a reset token is being to...
Infogram: Server Side Request Forgery on JSON Feed
Hi Team, I would like to report SSRF issue. PoC: 1. Navigate to https://infogram.com/app/user-project. 2. Click on edit logo fields and click on add JSON Data. 3. Enter urlopenport response is Download failed 4. Enter urlclosedport response is Invalid data source Fix: Don't give permission to por...
Infogram: User Enumeration
Vulnerability:- -User enumeration is possible through forgot password feature. steps to reproduce:- -Go to the above selected domain and go to forgot password. -You can submit a mail address and check whether it is existing in your database or not. Remediation:- -It should display like "if that...
Infogram: Weak Password Policy on Signup
Hi Team, i would like to let you know about password management issue. PoC: 1. Navigate to signup page. 2. Fill you details and give password as simple as 123123. 3. You can see you will be registered and there is no strong enforcement. Fix: Use complex password management. Regards, Mr.R3boot...
Infogram: Stored Cross-Site scripting in the infographics using Data Objects links
Description Hello. This stored XSScase is different from early reported 280495, but has a very similar root cause and reproduction steps. Upon pasting the link to the Text Object not in the Add Media section, like in previous report, we can intercept the request, and change the link source to the...
Infogram: Tabnabbing via window.opener
Hi Team, i would like to report tab nabbing issue on your domain. Details: When you open a link in a new tab target="blank" , the page that opens in a new tab can access the initial tab and change it's location using the window.opener property. PoC: 1.Navigate to...
Infogram: Stored Cross-Site scripting in the infographics using links
Description Hello. I discovered, that it is possible to conduct Stored XSS attack in the public infographics pages. Upon pasting the link, we can intercept the request, and change the link source to the malicious - which will result to the Stored XSS POC...
Infogram: SPF Misconfiguration
I am just looking at your SPF records then found following. SPF Records missing safe check which can allow me to send mail on behalf of infogram. PoC: The TXT records found for your domain are: "v=spf1 include:spf.google.com include:spf.mandrillapp.com include:mailgun.org all" Simply anyone can u...
Infogram: No Rate limit on Password Reset Function
Hello Infogram Security Team Description:- I have identified that when resetting the password, the request has no rate limit which then can be used to brute force through one request. Which can be annoying to the infogram users. Steps to reproduce:- Request for password reset link. Catch the abov...
Boozt Fashion AB: No Confirmation During Email Change
Hello Team, Your system is letting to change email address without confirmation. User can change the password without any confirmation. Anyone can access or make change to any account if that account is logged in public computer. So, it is better to send email to user email and confirm the change...
Tor: Enforce minimum master password complexity
Hi Team, Actual results: There is no password complexity set for Master password in about:preferencessecurity , Because I was able to set my password like 123,123456,www, admin etc which is really common, apart from that we can use spaces as well in master password i was able to set space as my...
Weblate: Improper validation of unicode characters#2
It was reported that some Unicode chars cause Weblate to crash. Upon further investigation it has shown that the issue was unrelated to Unicode. The reported was just unlucky to perform testing while there was temporary error on the database...
Inflection: Malicious callback url can be set while creating application in identity
Researcher found that while creating any application in identity, you are required to provide callback url. If you provide a malicious callback url then javascript will stop you from submitting form. But their is no server side validation and we can use an application proxy to bypass the javascri...
Boozt Fashion AB: Users Unable to login using Gmail/Facebook on https://boozt-stage1.booztx.com/login
Hi Team, when i try to login in this subdomainhttps://boozt-stage1.booztx.com/login using gmail or facebook,the login form does not redirect me to gmail/facebook,it is giving the error message since it is blacklisted by the server. Steps to Reproduce: 1 Goto https://boozt-stage1.booztx.com/login ...
HackerOne: Issue with password change in Disabled Account
Hello Hackerone, Summary: I have found that 38343 is not yet fully fixed, disabled user is not always gets notification about password change when a password is changed via password reset link, then such a notification is not send to the disabled user. Description Include Impact: When a password...
Nextcloud: Broken link for wrong domain entry may be leveraged for Phishing, Misinformation, Serving Malware
Hi Team, Page: https://nextcloud.com/news/16/ Broken link for incorrect DNS entry: It seems like a typo and makes the tld as .comg instead of .com. Now other than usability issue for users, it poses security risk as .comg can be claimed as a gTLD since it is not a reserved TLD Similar to...
Gratipay: Broken link for stale DNS entry may be leveraged for Phishing, Misinformation, Serving Malware
Hi Team, Page: https://gratipay.com/Breadcrumbel/ Broken link for stale DNS entry: Homepage Root domain breadcumbry.com has expiration date: Registrar Registration Expiration Date: 2018-06-10T18:18:30Z And also from whois: Domain Status: OK https://icann.org/eppok OK status means it has no...
Legal Robot: Chat exposed using cookie
Hello Broken authentication and session management: Attacker can use cookies of an authenticated user to reads and write the chat on the behalf of user and miss guide the legalrobot team. Steps to reproduce: Sign-in https://app.legalrobot.com/sign-in Check the cookies of domain legaltobot.com...
Weblate: Improper validation of unicode characters
unicode characters are not properly being validated on the https://demo.weblate.org/accounts/profile/preferences in specical character Screenshot showing this is attached below...
Internet Bug Bounty: Out of bounds read in libcurl's IMAP FETCH response parser
Reported to the curl security mailing list on 6 October 2017. Acknowledged on 6 October 2017. Patched on 8 October 2017. Reported to distros@openwall on 17 October 2017. Public release on 23 October 2017. CVE Pending. Vulnerability An IMAP FETCH response line indicates the size of the returned...
CodeIgniter: If the developer forgets to remove the built in controller welcome.php it helps the attacker to identify that the site is built with Codeigniter
The attacker can check the website's backend technology simply by typing sitename/index.php/welcome/index it will display the codeigniter welcome page if the developer dosen't removed the built in controller and view welcome.php and welcomemessage.php i attaching a screenshot below as a proof of...
Inflection: Limited arbitrary text inclusion in user invite emails
When creating a GoodHire account, a fairly wide range of ASCII characters are permitted in certain fields like Company Name. This field is included in email templates that are automatically sent to new users when an account owner invites them to join a GoodHire account. Theoretically, spam conten...
X (Formerly Twitter): Listing of Amazon S3 Bucket accessible to any amazon authenticated user (metrics.pscp.tv)
Summary: It's possible to get a listing of every files in the S3 bucket metrics.pscp.tv Description: The problem is using the AWS command line, it's possible to get a listing of files in the Amazon S3 Bucket with an AWS authentication. See screenshot F230035. This user authentication is easy to g...
Dropbox: Dropbox employee benefits documents are available in a test Dropbox folder
This report pointed out that we had left a shared link to a copy of our employee benefits documentation in a particular iOS build. This link was likely used for ad-hoc testing at some point and accidentally left in the build. While there is little security risk here, we removed the link from...
WordPress: Content Spoofing @ https://irclogs.wordpress.org/
Hello, Greetings, Today I was Free So I Decided to Do Pentest WordPress So i Found a SubDomain which is Vulnerable to Plain text Content Spoofing. PoC:- Url:- https://irclogs.wordpress.org/chanlog.php?channel=wordpress&day=Message Goes Here&sort=asca Example:-...
HackerOne: Invalid Host detection at https://hackerone.com/redirect
Hello,99 Summary: Host detection at https://hackerone.com/redirect is invalid and insecure. Description : On redirection page, host is detected and highlighted to prevent phishing attacks. But that protection is weak and can be bypassed. So an attacker can redirect victim on another host instead ...
arxius: API leaking infinite amount of valid Tokens.
Hi, I have found a leaking token API for the domain "https://arxius.io/" that is generating infinite amount of random valid tokens. Reproduce: 1. Go to the url: "https://arxius.io/api/account/token" 2. You can see the token generated. 3. Every time you reload the page a new random valid token is...
Mail.ru: [lk-cdn.3igames.mail.ru] apc.php
APC UPS status monitoring script was available from outside on lk-cdn.3igames.mail.ru 3igames.mail.ru is not currently covered with bug bounty program...
Ian Dunn: Timing Attack in Google Authenticator - Per User Prompt
Google Authenticator - Per User Prompt contains a timing attack vulnerability in how it validates the application password for a user account. if sha1 $attemptedpasswordplaintext === $validpasswordhash || wpcheckpassword $attemptedpasswordplaintext, $validpasswordhash...
Ian Dunn: Formula injection via CSV exports in WordCamp Talks plugin
The WordCamp Talks plugin does not attempt to sanitize CSV exports, which can lead to spreadsheet formula injection via malicious inputs. POC ======== Submit a new talk with the title of =1+1. Visit the All Talks page /wp-admin/edit.php?posttype=talks Click the CSV Export link Open the downloaded...
WordPress: [BuddyPress 2.9.1] Open Redirect via "wp_http_referer" parameter on "bp-profile-edit" endpoint
Hi, In a similar manner to 228569, it is currently possible to execute authenticated open redirections via the wphttpreferer parameter used in the BuddyPress extended user edit screen. Proof of concept Upon accessing the below URL, please select the "Update Profile" button, then select the "←Back...
Legal Robot: XSS on app.legalrobot.com
Go to app.legalrobot.com 2. Open the browser's javascript console 3. Type alert/xss!/ and press enter 4. Profit!...
Unikrn: Email abuse and Referral Abuse
Summary: Abuse of Email Invite and Referral Abuse Description: Logic Flaws : 1. Users have been provided with an option to invite friends as referrals. It is possible to abuse your email invite service by repeating the same request. It is a discredit to unikrn if someone repeatedly sends the...
U.S. Dept Of Defense: SQL Injection on █████
Background: It looks like the patch for 231338 has been reverted and this subdomain is yet again vulnerable to SQL injection. Summary: An Airforce subdomain is vulnerable to SQL Injection because the application does not produce sufficient validation on user input. This allows an attacker to...
Inflection: Amount Manipulation Buy Unlimited Credits in just $1.00
Researcher filed a duplicate report of an issue that had already been identified by another researcher and then requested public disclosure when we closed this as a duplicate...
Inflection: HTTP Host Header Injection on app.goodhire.com
Researcher reported an issue that was previously reported by a different researcher and subsequently removed from program scope and then requested that we publicly disclose the report after closing it as a duplicate...
Mail.ru: blind XXE when uploading avatar in mymail phone app
Blind XML external ENTITY / DTD injection via avatar upload feature in My.Com's MyMail backend results in potential SSRF...