15372 matches found
Mail.ru: Unupdated ImageMagic leads to uninitialized server memory disclosure
It was possible to disclosure the part of server memory from uncontrolled location on account.my.com project via uploaded GIF image header manipulation. account.my.com is not currently in the Bug Bounty scope, reward was paid as a bonus due to potential severity. CVE-2017-15277...
Paragon Initiative Enterprises: Invited user to a Author profile can remove the owner of that Author
SUMMURY: ------------------------------------- A user invite another user to his author by giving ownership. ------------------ Later invited user can completely remove the real owner from that author . ------------------- ----------------------------------- STEP TO REPRODUCE:...
Grab: stored xss in comments : driver exam
@pareshparmar found a Stored XSS vulnerability in an out-of-scope third party web application use by Grab. We decided to make an exception of our bug bounty policy here and accepted this out-of-scope finding because we believed that the stored-XSS was a real risk for our customers. With the...
Snapchat: Subdomain Takeover via Unclaimed WordPress site
@ysx found a bitstripsforschools CNAME entry pointing to an unclaimed WordPress domain, which could be taken over by an external party. The CNAME entry was for a product that is no longer active. An unclaimed WordPress domain mapping upgrade could be leveraged to assume the...
Legal Robot: cross site web socket hijacking
In the below web-socket request successful 101 protocol handshake is working with the origin:https://app.legalrobot.com, but if you place the malicious origin in the place of https://thisdata.com which is http://evil.com or any page containing the malware, the web socket server is still giving 10...
Tor: https://get.ooni.torproject.org/
Vulnerability description not provided...
RubyGems: Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier
We received this report via security@ from [email protected], I'm filing here for tracking and visibility purposes... "I was looking at commit 8d91516fb7037ecfb27622f605dc40245e0f8d32, which was the fix for the DNS hijacking issue CVE-2017-0902. The function still handles the DNS response in ...
Rockstar Games: Your support community suffers from angularjs injection and must be fixed immediately [CRITICAL]
In this report, the researcher found that due to our implementation of AngularJS on our Support site, we were susceptible to limited-scope code injection attacks. Particularly, they found that by injecting ... blocks in the comment body parameter, they were able to cause errors that could be...
VK.com: Хранимая XSS в функционале добавления аудио в WYSIWYG
XSS в Wiki...
Legal Robot: Allowance of Meta/Null characters
Dear sir, I am very happy to report a vulnerability to legalrobot. Recently, the report 260468 is disclosed publicly and that report describes about the restriction lengths of profile fields "first name and last name". Now, i am reporting an another vulnerability regarding those profile fields...
Paragon Initiative Enterprises: CSRF token does not valided during blog comment
SUMMURY ================= i tested that all post request has CSRF token. During Author profile creation also a CSRF token is posted. Now when i removed this CSRF token , show s error like bellow CSRF validation failed 0 /var/www/csprng/src/Cabin/Bridge/Controller/Author.php52:...
VK.com: Хранимая XSS на странице "Виджет для авторизации"
Self-XSS на странице документации виджета. На счет того Self-XSS это или нет - оставляю на усмотрение общественности. Но лично мое мнение - команда vk тут все же ошибается. Для эксплуатации уязвимости атакующий должен был: Создать приложение с именем javascript:alert1;// Добавить атакуемого...
Grab: www.drivegrab.com SQL injection
Summary: The website uses a WordPress plugin called Formidable Pro. I found an SQL injection in the plugin code. Description: The plugin allows the site admin to create forms to be filled by users. For this end it implements some AJAX functions, including one to preview or actually just view a...
Automattic: Invalidate session after password reset on https://polldaddy.com
Hi there, I found broken session bug on your website.Your website is unable to validate the session.That may lead takeover victims account. Reproduce: 1.Go to https://polldaddy.com and log into your account from two different browsers. 2.Now change password from any browser you already logged in...
Tor: Content spoofing on
Vulnerability description not provided...
Paragon Initiative Enterprises: Improper access control lead To delete anyone comment
SUMMURY ======================== Here server dont check the owner of any comment. During Comment deletion it does not check whether the comment is created by user or not. so i can delete a comment of others user. STEP TO REPRODUCE ======================= 1. goto https://localhost:8080/blog/commen...
Radancy: [werkenbijmcdonalds.nl] Unsafe-inline in "script-src" results in "bootstrapping" or passing data to JavaScript from HTML pages.
Hi Dear Maximum Team Hope you are good! Vulnerablity Summary The HTTP header of the werkenbijmcdonalds.nl website includes an unsafe-inline parameter for "script-src". Impact: However, the "script-src" parameter is set to "unsafe-inline" or "unsafe-eval", which allows injection of user passed...
WordPress: Information / sensitive data disclosure on some endpoints
Hello team! While doing a preliminary recon on .wordpress.org I've come across a few sensitive files that should not be facing the public web; I'll leave you a list organized by criticality and some proof. High priority .travis.yml configuration file with credentials php maintenance/install.php...
X (Formerly Twitter): Unauthorized Access to Protected Tweets via niche.co API
Hello, Summary: Normally If user victim set to private / protect their tweets in setting Tweet privacy, other people/user will not able to see their recent or their pass status/twits when they visit his/her victim profile. people only can see their victim profile images and information about how...
Gratipay: Adding Used Primary Email Address to attacker account and Account takeover
Summary I just found that the Gratipay is vulnerable for adding used Primary Email Address to attacker account and Account takeover of the Gratipay. Description I was looking at the source code of the application and I found that, "If the email address [email protected] is already added in the X...
Yelp: Leaking sensitive information lead to compromise employer API keys
The configuration file of an internal IRC bot which included credentials to internal services and some external services used by Yelp developers was inadvertently included by an employee in a personal public GitHub repository. The repository was taken down and the affected credentials rotated...
WakaTime: Validation of Password reset tokens
Dear sir, At first, i am very happy to report an issue. Before three months, i reported to wakatime and again i am reporting another issue now. Note:-This report is similar to 244614 which was previously reported at the start of this bug bounty program. Vulnerability:- -If two password reset toke...
Shopify: ability to install paid themes for free
Hi, Discription while searching for access control issues on shopify I noticed a subdomain of shopify https://themes.shopify.io which gave me the opportunity to install and download paid themes for free. POC 1. go to https://themes.shopify.io/login and login 2. select one of the paid themes and...
Ubiquiti Inc.: Authenticated RCE in ToughSwitch
In ToughSwitch v1.3.5 and prior, due to lack of validation is possible to execute an CSRF. If an authenticated user access an attacker controlled web page, it could trigger the CSRF and the resulting request could trigger an RCE. An RCE vulnerability existed in the ToughSwitch that could be...
Tor: Multiple Path Transversal Vulnerabilites
Vulnerability description not provided...
VK.com: XSS в товарах
Отсутствие фильтрации при поиске в товарах. Не было фильтрации некоторых символов в поиске товаров. Из-за еще одного встроенного фильтра все приравнивалось к ="" и не получалось выполнить js. Выход из ситуации был найден в тот же день, получилось выполнить js:...
Shopify: User with removed manage shops permissions is still able to make changes to a shop
Description it has been noticed that when a partner account user with manage shops permissions installs app in the one of the managed shops he can still be able to make changes to the shop through that app although his manage shops permissions were revoked on partners.shopify.com. POC 1. create...
Rockstar Games: Stored XSS via Send crew invite
In this report, the researcher was able to demonstrate a vulnerability in our Crew Invite mechanism that could have allowed an attacker to carry out a Stored XSS attack. By modifying a request in-flight and injecting unexpected characters in the Invitation message body, it was possible to escape...
Aspen: Information leakage on django.aspen.io
Hi Team, I got a error message that disclose the version of nginx with OS detail, since The version of nginx is vulnerable to integer overflow. Impact: By seeing this information attacker can throw only interger overflow attack in order to get sensitive information Finally Request you to remove...
U.S. Dept Of Defense: 2 vulnerabilities of arbitrary code in ████████ - CVE-2017-5929
Summary: GitHub repo: https://github.com/████████ QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. High Severity Arbitrary Code Execution Vulnerable module: ch.qos.logback:logback-core Introduced through:...
Legal Robot: External links should be served in HTTPS.
Summary: This is just for the awareness to use HTTPS everywhere, even for outgoing links - where it's possible. Treat this report with some salt, not as in hashes. Navigate to: https://www.legalrobot.com/events/2017/06/12/ICAIL/ Some of the External Links on that Page redirects to HTTPS after...
Unikrn: Weak Session ID Implementation - No Session change on Password change
Summary: Weak session id implementation Description: Unikrn does not change session id after password is changed. Reusing same session ids, after password is changed is highly risky. Example scenario: Hacker has successfully brute forced the password of a victim and has access to the account. The...
Boozt Fashion AB: Bruteforce Unlimited number of password attempts
Hi team, This is my first ever report. So, thank you for your patience! URL: https://www.boozt.com/login Browser: Mozilla Firefox 55.0.2 64-bit on Ubuntu Tool: Burp Intruder Boozt account created for testing purposes only. I noticed that on your login page, an attacker can Brute force a login...
Aspen: client_secret Token disclosure
Greetings, I think I've discovered a clientsecret token disclosure. Proof of concept: 1. Go to https://github.com/AspenWeb/experimental-javascript-version/blob/master/www/blog/index.html 2. At the line 6, a clientsecret token it's disclosed...
██████: Remote Code Execution on Proxy Service (as root)
The proxy service used to provide researchers with access to certain programs on ██████ allows access to AWS's Metadata API. This Metadata API in turn is configured to expose temporary AWS access credentials for the AWS EC2 Run Command role. When this role is assumed by an AWS client e.g. the CLI...
Aspen: No Rate Limit (Leads to huge email flooding/email bombing)
Dear sir, At first,i want to say that this sensitive action definitely should be set with rate limit. Note:-This is about huge bombing/brute force on any endpoints. Vulnerability:- -No rate limit has been set for generating account confirmation emails for accounts on above selected domain which i...
Unikrn: CSRF in Raffles Ticket Purchasing
Description: ======== An API endpoint get executed with no CSRF prevention, the endpoint did not verify sessionid required in the post form. An attacker can crafted malicious form Poc, which is executed by authenticated user action leading to huge balance lost. Poc: === Recommendations:...
Slack: Unauthenticated LFI revealing log information
@juji found a bug which allowed the disclosure of local files on certain servers - this included PHP files and logs. We performed a thorough investigation to ensure that this issue was not exploited, and as a precaution revoked tokens which were inadvertently logged. Thanks @juji! Write-up...
Bitwarden: Organization Admin Privilege Escalation To Owner
Summary It seems there is an issue with your roles which allows an admin to escalate his own privileges to owner and takeover the organization. Reproduce 1. Create an account, accountA 2. Create another account, accountB 3. Create an organization under accountA and invite accountB to that...
U.S. Dept Of Defense: SQL injections
Summary: An email is not well handeled and leads to sql injection. Description: This request POST /FileTransfer/Upload HTTP/1.1 Host: www.███████ The parameter from is injectable and leads to valid sql injection. Impact I didn't go all out and get a shell but, an attaker could exctract db...
Internet Bug Bounty: Perl $ENV Key Stack Buffer Overflow
The CPerlHost::Add method in win32\perlhost.h is vulnerable to a stack buffer overflow. void CPerlHost::AddLPCSTR lpStr char szBuffer1024; LPSTR lpPtr; int index, length = strlenlpStr+1; forindex = 0; lpStrindex != '\0' && lpStrindex != '='; ++index szBufferindex = lpStrindex; szBufferindex = '\0...
Aspen: Cross-origin resource sharing (CORS)
Cross-origin resource sharing CORS is a mechanism that allows restricted resources e.g. fonts on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returni...
Aspen: Server Path Disclosure
Hi Sir, I m Mahesh, Individual websecurity Researcher. i found server path disclosure in flask.io http://flask.aspen.io/en/latest/ http://flask.aspen.io/en/latest/index.html i found another path disclosure in django.io http://django.aspen.io/en/latest/ http://django.aspen.io/en/latest/index.html...
Razer US: DOM XSS and Open Redirect on the themes.razerzone.com
We appreciate the report and look forward to working with sp1d3rs in the future. I discovered the Open Redirect on the https://themes.razerzone.com/developers/signin endpoint. The root cause of the redirect was the insecure changing of window.location without validation - the original URL paramet...
Aspen: aspen | clickjacking
Hi Team, Found vulnerability of clickjacking on the domain "aspen.io". Please refer the below attached screenshot as POC. Clickjack test page Website is vulnerable to clickjacking! 2.save it as .html eg cj.html 3.and just simply open that in browser Issue Details :Clickjacking User Interface...
Aspen: Password reset token leak on third party website via Referer header
Hi Security Team, Description It has been identified that the application is leaking referrer token to third party sites. In this case it was found that the password reset token is being leaked to third party sites which is a issue knowing the fact that it can allow any malicious users to use the...
Bitwarden: Mailgun misconfiguration on email.bitwarden.com
Hi, While checking the subdomains i found that the subdomain email.bitwarden.com upon navigating downloads a file saying "Mailgun Magnificent API" And has the following DNS info DNS Records for email.bitwarden.com Hostname Type TTL Priority Content email.bitwarden.com SOA 899 ns-586.awsdns-09.net...
Bitwarden: Export vault feature is vulnerable to CSV injection
Hello guys I don't know if you care about this issue but it seems that the export feature in your https://vault.bitwarden.com//tools is vulnerable to CSV injection. If a CSV contains a malicious command it may have big impact Even though there is a popup notification for users before opening the...
Brave Software: Download of (later executed) .NET installer over insecure channel
NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. Summary: Execution of file NDP-KB2901954-Web.exe fetched via...
Brave Software: Arbitrary local code execution via DLL hijacking from executable installer
NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. Summary: The executable installer BraveSetup-ia32.exe is vulnerable to DLL hijacking: it...