15372 matches found
New Relic: Captcha Bypass on SignUp Form
The g-recaptcha-response parameter was not validated on the server side when submitting a form to the /signups endpoint. Any or no value could be provided for this parameter...
New Relic: Newrelic s3 bucket is writeable and deleteable by authorized AWS users
@kunalbahl discovered an open S3 bucket that appeared to belong to us. It was determined that this belonged to another company and this information was forwarded to Amazon for remediation...
Informatica: [marketplace.informatica.com] - Stored XSS
The researcher has identified and reported a Stored XSS in Informatica website and helped us in resolving the issue...
Legal Robot: Two accounts can be made with same password
A really nice bug to look into i found this while i was making my own account as i was testing for some serious bug i decided to just look into that how Legal Robot behaves when two account are made with the same password. Hacker Scenario: Person1 makes a account with a password called password n...
Radancy: xss flash on http://presentatie.werkenbijmcdonalds.nl/
A vulnerability in a flash file caused javascript to be executed in banners hosted on presentatie.werkenbijmcdonalds.nl...
Inflection: Host Header Injection and Cache Poisoning
Researcher submitted a report duplicating an issue that had already been reported to us, and then requested that we disclose this report publicly. So here we are...
Mail.ru: XSS Π² ΡΠ΅Π»Π΅ ΠΏΠΈΡΡΠΌΠ°, Π² Π±Π»ΠΎΡΠ½ΡΡ ΡΡΠΈΠ»ΡΡ .
ΠΠ΄ΡΠ°Π²ΡΡΠ²ΡΠΉΡΠ΅! ΠΠ°Π³Π° Π² ΡΠ΅ΡΡΠΈΡΡΠ΅ΠΌΠΎΠΌ HTML ΠΏΠ°ΡΡΠ΅ΡΠ΅. Π Π±Π»ΠΎΡΠ½ΡΡ ΡΡΠΈΠ»ΡΡ Π Π°Π±ΠΎΡΠΈΠΉ ΠΊΠΎΠ΄: \test background-image:url'//\27\29\3Bcw:;a:'\3b\3C/style/\20;a:\28\27\27'; background-image:url'//\27\29\3Bcw:;a:'\3b;a:\28\27\27'; \p background-image:url'//\27\29\3Bcw:;a:'\3b;a:\28\27\27'; Π Π°ΡΡΠ°ΡΠ΅ txt ΡΠ°ΠΉΠ» Ρ...
Inflection: Privilege Escalation: Read-Only to Admin
While the interface hides the users page from read-only users, they can still perform PUT requests to the API to change their privileges where they only have read-only permissions...
Inflection: Goodhire Open Redirect
Researcher reported a duplicate issue...
Inflection: Information Disclosure and Privilege Escalation in app.goodhire.com/member/developers/api-settings
Researcher reported a missing authorization check when purchasing a report. As a result, any valid user with ordering privileges could place an order on behalf of any other account although would not be able to receive the results of the order. We added an authorization check to ensure that users...
Inflection: No password confirmation on changing primary email address
Users may change the primary email address associated with their account without being required to confirm their password again. The security researcher reporting this proposed that we add a password confirmation field when performing an email change. After considering the issue, we don't intend ...
Avito: CSS injection in avito.ru via IE11
Hi Team Security @avito I discovered CSS Injection on avito.ru in form search via IE11 Description CSS injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping. They are closely related to...
Mail.ru: reflected XSS on healt.mail.ru
Reflected XSS via GET paramters in quiz game on promo site in health.mail.ru subdomain. .health.mail.ru was in the bug bounty program's scope on the moment of report submission...
Mail.ru: XSS Π½Π° e.mail.ru Π² ΠΌΠΎΠ±ΠΈΠ»ΡΠ½ΠΎΠΌ ΠΏΡΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΠΈ!
Cross application scripting via message content in mobile mail application. Vulnerability affected a limited number of external domains connected in Mail.Ru mail application. Users of Mail.Ru mailboxes and largest mailbox providers were not affected, no access to confidential data was possible as...
Semrush: Email Spoofing
Hey SemRush, It appears that spoofed email can be sent from 1 of your emails. The following email is vulnerable: [email protected] Information: Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source...
International Islamic University Chittagong: Stored Xss on IIUC
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then deploy fix, so be sure to take your time filling out the report! Summary: add summary of the vulnerabili...
International Islamic University Chittagong: SQL Injection On iiuc
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: add summary of...
Razer US: XSS vulnerability on amp.razerzone.com
The tester discovered a reflected XSS vulnerability on a media content server, exploitable via Firefox. This content server was used by Razer employees and close partners to store media related to Razer products. We appreciate the tester's hard work and as a courtesy we granted reputation for thi...
International Islamic University Chittagong: Reflected XSS
Summary: add summary of the vulnerability Description: search mechanism uses POST method to request for search . So if we change it to get normally the XSS dosen't popup . But if we break it with " this we can get XSS . Platforms Affected: https://ieeeiiucsb.org/search/" Steps To Reproduce: Visit...
Legal Robot: Legal Robot
well i m hacker in the messag you secktor in your fuckingt...
Razer US: [amp.razerzone.com] SQL injection via resource_type parameter
The tester discovered multiple SQL Injection vulnerabilities on a media content server. One used exploited a single quote and the other the cookie parameter. This content server was used by Razer employees and close partners to store media related to Razer products. We appreciate the tester's har...
Mail.ru: Blind XXE on my.mail.ru
Blind XXE in my.mail.ru Moi Mir avatar upload feature. Moi Mir is not covered by regular Bug Bounty program, a bounty was awarded as a bones due to high potential impact. Blind OOB XXE issue was found in upload avatar feature...
Starbucks: Multiple Subdomain takeovers via unclaimed instances
Hacker @benoculars was able to successfully faciliate multiple subdomain takeovers by taking advantage of a process flow to use some of the space provided for germany.openapi.starbucks.com, psv.openapi.starbucks.com, stage-psv.openapi.starbucks.com, and test-psv.openapi.starbucks.com. While we we...
Tor: Use of unitialized value in token_check_object (src/or/parsecommon.c:224)
Triggered in 22139c0, compiled with -fsanitize=memory and clang 6.0.0-trunk. ./fuzz-consensus test00d68 =9591==WARNING: MemorySanitizer: use-of-uninitialized-value 0 0x55ca86e51348 in tokencheckobject /root/tor/src/or/parsecommon.c:224:13 1 0x55ca86e51348 in getnexttoken...
Tor: Use of uninitialized value in networkstatus_parse_vote_from_string (src/or/routerparse.c:3533)
Triggered in 22139c0, compiled with -fsanitize=memory and clang 6.0.0-trunk. ./fuzz-consense test000bbb ==9293==WARNING: MemorySanitizer: use-of-uninitialized-value 0 0x5611f7f7e4de in networkstatusparsevotefromstring /root/tor/src/or/routerparse.c:3533:23 1 0x5611f75bbbd1 in fuzzmain...
Legal Robot: Broken links for stale domains may be leveraged for Phishing, Misinformation, Defaming
Hi, URL: https://www.legalrobot.com/press/2016/07/07/tech4good-on-a-global-scale/ Broken link for an expired domain which is available for sale: http://ecotechfoundation.net/ You may verify that it is available for sale @...
New Relic: [NR Infrastructure] Bypass of #200576 through GraphQL query abuse - allows restricted user access to root account license key
@jonbottarini discovered an issue with our GraphQL implementation. This allowed a user without the proper authorization access to privileged account information on the same account. The writeup for this issue can read here: https://labs.detectify.com/2018/03/14/graphql-abuse/...
ownCloud: Password Complexity Not Enforced On Password Change
Hi! Owncloud does not enforce password complexity on password change, so it's possible to use passwords of any size or form. In example I can set my password to be "a" or "qwerty". How to reproduce: Change your password to something that does not match your required complexity. Proof Of Concept:...
WordPress: Stored XSS in WordPress
Hi, Introduction --------------- The upload mechanism in WordPress works by the role of the user who's trying to upload something. So every role has a permission to upload certain files. For the lowest role like author can upload harmless file such as txt, png, gif, jpg, zip, with this file the...
Zendesk: Secret API Key Leakage via Query String
See title...
Rocket.Chat: Remote Code Execution in Rocket.Chat Desktop
Summary: The Markdown parser can be tricked into allowing arbitrary Javascript leading to "remote code execution". Description: By combining the "link" and inline code block we can trick the parser into breaking out of the current HTML attribute. This allows us to control other attributes of the...
Tor: Address Bar Spoofing on TOR Browser
Hi TOR team, I would like to report a security bug in your browser: Step 1: Goto http://www.ΥΈokia.com/http://jsbin.com/wuyikedaxi/1/edit?html,output Step 2: Observe that address bar points to http://www.ΥΈokia.com/ which actually to be pointing to http://xn--okia-zgf.com, however browser displays...
Starbucks: Subdomain takeover on developer.openapi.starbucks.com
Hi team, Summary: Subdomain developer.openapi.starbucks.com is vulnerable to subdomain takeover via Mashery service. The reason why it's worked unfortunately not fully clear to me. Details: Doing my recent research on starbucks.com subdomains, I stumbled upon http://developer.openapi.starbucks.co...
Mail.ru: Stored XSS using SVG on subdomain infra.mail.ru
It was possible to execute the script in the context of https://infra.mail.ru:8080/ by publishing static script-containing file such as SVG or XML in "Infra" service. This context doesn't use cookies for authentication, but XSS could allow phishing / content spoofing. This problem was addressed b...
X (Formerly Twitter): Blind XSS in Mobpub Marketplace Admin Production | Sentry via demand.mopub.com (User-Agent)
Summary: I've identified a Blind XSS vulnerability that fires in the Mobpub Marketplace Admin Production | Sentry dashboard and can be triggered by sending a HTTPS request to an endpoint from the domain demand.mopub.com. Description: I've sent the following HTTPS request to the following URL...
Ubiquiti Inc.: Stored XSS in dev-ucrm-billing-demo.ubnt.com In Client Custom Attribute
Hey, Was Testing the subdomins when I came Accross the subdomain https://dev-ucrm-billing-demo.ubnt.com/ I logged in as an Administrator and while testing i added a User and In Client Custom Attribute 1 i added the Payload: """"/ and Save the Client and Then on client page i.e:...
IRCCloud: Missing robots exclusion header for user uploads
User uploaded text files can be linked from external websites and end up appearing in search engine result pages if you perform a search such as: site:.irccloud-cdn.com ext:txt It's not possible to completely prevent such listings on all search engines, but some search crawlers support the...
Automattic: Stored XSS Using Media
Hi, Summary: This exploits an XSS vulnerability on polldaddy.com Steps to Reproduce: 1. Create a multiple-choice question quiz on Polldaddy 2. Insert stored XSS payload into Media Embed such that it matches the shortcode format Payload: 3. When someone goes on the quiz page through the quiz share...
Weblate: Account Restore / Reactivating an old email via old reset link
Hi, I noticed you now send a confirmation link after loading the reset link, below is a screenshot showing the email and highlighting the error. F227060 Best Regards, @footstep...
HackerOne: Pending member invitations are not revoked on program name change
Summary: When private program updates the handle of the hackerone program, former team members can see the new updated handles using old invitation link. The invitation link looks like https://hackerone.com/invitations/ This may also be true for participants participating in private programs but ...
Mail.ru: touch.mail.ru/messages - Stored XSS
XSS in touch.mail.ru image preview feature via crafted attachment filename...
RubyGems: Gem signature forgery
Summary Inconsistencies in how gem processes gem files make it possible to reuse a signature from an existing signed gem and apply it to arbitrary contents. The forged gem will install even with -P HighSecurity. The attached file multijson-1.12.2.gem is a forged version of the genuine...
WakaTime: Can link to websites from profile
when I input a website to my profile it creates tag link: test.org this is a flaw, how? if the owner of the profile and a malicious link it is possible to redirect the user to a phishing page of wakatime. Here's the scenario of this attack: 1 Attacker put a malicious link on his profile. 2 Once t...
WakaTime: password token validation
Hello, when I reset password all tokens are valid can be used, should keep valid only token in the last request or you can invalidate all reset links after using one of the requests successfully. Steps: 1 go to the password reset page and request more than one request. 2 go to your email and use...
Instacart: Get all instacart emails - missing rate limit on /accounts/register
Hey Instacart team, When signing up for an account, you enter your email. When this email is already in use, the server responds with ""errors":"email":"has already been taken"" This in not a problem, but the fact that you could send this request unlimited times is the issue. This way we can easi...
Tor: Use of unitialized value in crypto_pk_num_bits (src/common/crypto.c:971)
Vulnerability description not provided...
Tor: Use of uninitialized value in memarea_strdup (src/common/memarea.c:369)
Triggered in 51e4748 , compiled with clang 6.0.0-trunk and -fsanitize=memory. ./fuzz-hsdescv2 test001 Uninitialized bytes in interceptorstrlen at offset 0 inside 0x7fff5525ff80, 51 ==19693==WARNING: MemorySanitizer: use-of-uninitialized-value 0 0x5570edfe5fbd in memareastrdup...
RubyGems: Remote code execution on rubygems.org
When parsing a gem POSTed to the /api/v1/gems endpoint, the rubygems.org application immediately calls Gem::Package.newbody.spec inside app/models/pusher.rb. The authors of the application correctly observed that parsing untrusted YAML is dangerous since it can serialize more or less arbitrary...
Imgur: Xss on community.imgur.com
Hello Team Description: I found a reflected cross site scripting on community.imgur.com Steps To Reproduce: Visit https://community.imgur.com/email/[email protected]%27%22%3E%3Csvg/onload=alertdocument.domain%3E F226739 Regards Santhosh...
Mail.ru: Stored XSS when you read eamils. <style>
Hello team, I have found stored XSS when you read emails via html tag. PoC: div background-image: url"data:image/jpg;base64,"; background-color: cccccc; lol F226715...