15372 matches found
Razer US: Reflected XSS in deals.razerzone.com via the interesting parameter.
Summary --- deals.razerzone.com is vulnerable to Reflected XSS via the interesting parameter. Affected Code --- html var ThisPageOn = "recommended", pageNum = 2, isLoading = false, delIntresItem = 0, delNotIntresItem = 0, delOwnedItem = 0, intres = -1 abba alert1 ; var ownedLang = "OWNED",...
Razer US: Reflected XSS on the https://deals.razerzone.com/json/translation endpoint
Thanks to SP1D3RS for the great report and working with the team on this one. This was a trivial POST-XSS, caused by using text/html Content-Type on the JSON endpoint, and ability to control the part of the response using unsanitized input. Why I disclosed it if this is a trivial issue? I pretty...
Internet Bug Bounty: Interger overflow in eval trigger write out of bound
Hi security team, i reported some samples triggered crash in eval funtion in perl. The bug come because variable start and items used type I32 which takes half the range of linet and folds it into negative numbers, leading to trying to store the lines at negative indexes...
GSA Bounty: SSRF/XSPA in labs.data.gov/dashboard/validate
Hi. This vulnerability allows access to all ports locally. Which is not visible from the web. 1We need an interim site file index.php 2Next we write in index.php 3Next go to https://labs.data.gov/dashboard/validate And write url - for example http://example/index.php If the port will be open...
Dropbox: Android - Access of some not exported content providers
The report indicates a flaw in our Android application that would allow a malicious app to gain read/write access to some cached files provided the attacker knows the name of the files and other minor pieces of information. The vulnerability was caused by not validating the package name of an...
Rockstar Games: Client-side Template Injection in Search, user email/token leak and maybe sandbox escape
In this report, the researcher was able to perform AngularJS Template Injection on our Support site in order to retrieve data, including email address, userid and tokens. Typically, a user is always able to retrieve this information about themselves and on its own, this is known behavior. However...
Legal Robot: Improper Implementation of Password strength checker
Hi, I have seen Improper Implementation of Password strength checker for registration and login page. Once it suggest complex password, one can alter the password but the complexity remain the same Its usually related to Ajax or auto-reload implementation. PoC ------------------------------------...
MapsMarker.com e.U.: facebook button URL should be HTTPS
hi team .. l click to facebook button on https://www.mapsmarker.com/ outgoing links not use HTTPS please fix soon This is just for the awareness to use HTTPS everywhere, even for outgoing links - where it's possible. Treat this report with some salt, not as in hashes. POC screenshot...
New Relic: Bypass of my two other reports #267636 + #255894 - (IDOR) Ability to see full name associated with other New Relic accounts
@jonbottarini discovered an issue where names associated with arbitrary existing email addresses can be revealed in the Alerts Notification Channel UI. As with similar previously-reported issues, this was resolved by obfuscating that information before it's presented...
Shopify: Stored XSS in partners dashboard
Hello Stored XSS and UI redressing on https://partners.shopify.com/partnerID/confirm. PoC: 1.Change your First Name and Last Name with XSS payload on https://accounts.shopify.com/account 2.Create an account on https://partners.shopify.com/ or if you have an account on...
Rockstar Games: Leak IP internal
The researcher found an old marketing web application for one of our previous titles that was not properly decommissioned. As a result, an internal IP address and a set of DB credentials were being exposed. Fortunately, the database in question had already been decommissioned so the credentials...
Instacart: Bruteforcing password reset tokens, could lead to account takeover
Hey Instacart security team, Description When resetting a new password on https://shoppers.instacart.com/password you will receive an email with a reset link. when clicking on this link. you go to this page: https://shoppers.instacart.com/password/edit?resetpasswordtoken=YourToken when entering a...
HackerOne: Banned researcher gets email updates on a private program.
Hi Team, I found out that after getting banned from the program, I still getting email updates about the private program, e.g. access of beta product, new scope changes etc. Those private messages can contain some important data that program doesn't want to share with the banned researcher for ex...
Zomato: Admin Access to a domain used for development and admin access to internal dashboards on that domain
@prateek0490 Was able to find our development server without any authentication. Which leads to leak the user data and some internal dashboards...
New Relic: NR Internal_API call allows me to read the events/violations/policies/messages of ANY New Relic account (AND pull data from infrastructure)
@jonbottarini identified an issue with an API used to populate the UI across different products. This API wasn't properly validating the account ID for certain requests, returning information for any ID presented. I wrote up a quick overview about this issue here:...
Zomato: Potential server misconfiguration leads to disclosure of vendor/ directory
Hi, Apologies for the weakness label, it was the closest I could find for what appears to be a server misconfiguration. Typically, in MVC frameworks like Slim which I see you are using here, Symfony, Laravel, etc., the front controller is the only thing exposed, leaving vendor/, logs/, and others...
Avito: [avito.ru] Утекают креды от платежных провайдеров
Происходила утечка реквизитов от внешних систем в исходном коде страницы сайта...
Avito: [avito.ru] ImageMagick uninitialized image palette
Привет! При подаче объявления можно загружать фотографии. Они обрабатываются уязвимой версией ImageMagick. Для эксплуатация запускаем https://github.com/neex/gifoeb Генерируем payload. r=640x480 mkdir -p forupload && for i in seq 1 10; do ./gifoeb gen $r forupload/$i.gif; done Загружаем наши...
Internet Bug Bounty: Format string implementation vulnerability, resulting in code execution
In a security audit to the sprintf implementation in perl version 5.24.1 I found a major security vulnerability, here are the full details. Timeline: ====== 6th of May, 2017 - disclosure to the PERL security mailing list 8th of May, 2017 - vulnerability confirmed by PERL's security group, found...
HackerOne: Homograph fix Bypass
Hello Hackerone! I have possibly found a way to bypass your current Homograph Attack Fix. Lets look at two HACKERONE Redirect URL: CASE 1: https://hackerone.com/redirect?signature=829727b4188c43dcf394fd841fd19a8b7f391bd1&url=https%3A%2F%2Fwww.yelp.com%2F Got the above link generated by posting...
Nextcloud: NextCloud is also Accepting OCTET-STREAM Type of Documents instead of jpg or Imge Files Only
Summary: I noticed that NextCloud is accepting OCTET-STREAM Type of Files Where you have Background/Logo Upload Option. I Believe that NextCloud is Checking for Such Type of Files but i can upload application/octet-stream Type of Documents by Crafting a Special Type of File In this case i created...
Zomato: SSRF in https://www.zomato.com████ allows reading local files and website source code
@nbsp found a SSRF vulnerability which leads to read local files from the web server source code & system files. We have resolved the issue quickly and rewarded the researcher...
Lyst: Bypassing one-time checkout router page (revealing payment information)
Description: ======== When user submits for a checkout, the checkout router page /checkout-router/ID/ is accessible only once, which can be bypassed by crafting the checkout ID in cookie basketkey send to the page /new/checkout/order/. combining with brute-force attack, if the ID is valid a resul...
Automattic: [app.simplenote.com] Stored XSS via Markdown SVG filter bypass
Hi, A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript in the app.simplenote.com context. Proof of concept Before proceeding to reproduce this vulnerability, please log in to app.simplenote.com and create a new note with...
GitLab: [Markdown] Stored XSS via character encoding parser bypass
Hi @briann and team, A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript on GitLab 10.0 hosts. Given the nature of this injection, which makes use of a rather esoteric filter bypass, the scope for exploitation may vary...
HackerOne: resolved bugs in a program are public despite the program settings
Summary: when navigating to https://hackerone.com/YOURPROGRAMHANDLE/displayoptions and unchecking the Reports resolved checkbox, the resolved bugs number won't be public at the program page, but going to https://hackerone.com/directory?query=YOURPROGRAMHANDLE , the number of the resolved bug will...
Shopify: Shopify admin authentication bypass using partners.shopify.com
@uzsunny reported that by creating two partner accounts sharing the same business email, it was possible to be granted "collaborator" access to any store without any merchant interaction. We tracked down the bug to incorrect logic in a piece of code that was meant to automatically convert an...
Informatica: [marketplace.informatica.com] - Sensitive Data Exposure
The researcher has identified and reported a Sensitive Data Exposure vulnerability in one of the Informatica's domain, and helped us in resolving the issue...
Legal Robot: Clickjacking in Legalrobot app
Dear Team, POC Please find attached screenshots Steps to reproduce: create index.html file with following content: Open index.html in browser Actual result: Legalrobot email verification page is viewed in iframe. Remediation: Frame busting technique is the better framing protection technique...
Razer US: Reflected XSS in razer-id.razerzone.com
The researcher discovered a reflective XSS that allowed the injection of a javascript scheme into a URL on the razer-id server. This was reported on 9/21 and the fix deployed to production on 10/19...
VK.com: Узнаем название и аватарку частной группы, по ID приложения.
Просмотр названия и аватарки частной группы. Отображение названия частной группы и миниатюры аватарки...
RubyGems: Unpacker improperly validates symlinks, allowing gems writes to arbitrary locations
Unpacker improperly validates symlinks, allowing gems writes to arbitrary locations The RubyGems installer attempts to prevent a gem from writing any files outside the install directory; however it is possible to bypass the check with a symbolic link in a crafted gem. Example structure of malicio...
RubyGems: Installer can modify other gems if gem name is specially crafted
Installer can modify other gems if gem name is specially crafted The installlocation function allows writing to certain files outside the installation directory. The installlocation function in lib/rubygems/package.rb attempts to ensure that files are not installed outside destinationdir. However...
WordPress: Reflected Swf XSS In ( plugins.svn.wordpress.org )
Hello , I have found XSS in flash File video-js.swf in plugins.svn.wordpress.org and Content Spoofing Vulnerability in moxieplayer.swf POC https://plugins.svn.wordpress.org/1player/tags/1.3/players/video-js/video-js.swf?readyFunction=alert%27Hello%27 F222664...
Internet Bug Bounty: Denial of service in libxml2, using malicious lzma file to consume available system memory
Reported to the libxml2 devs on 23 August 2017 Patched on 7 September 2017 It was discovered through fuzzing that malicious LZMA compressed files could consume large amounts of memory when decompressed thus posing a DoS risk. I am unsure if a CVE will be assigned in this case. od -tx1 ./test000...
Razer US: Database credentials leak on the https://razer-id.razerzone.com/
The tester discovered database parameters left around in a YAML file that was publicly visible. The credentials were for a database that was no longer in use and never stored sensitive data, but we consider this a good find anyway because this was out of bounds of our security practices. I...
Razer US: Open redirect on oauth2.razerzone.com due to missing verification of redirect-uri paramether on /thirdparty endpoint
Thanks to SP1D3RS for a great report. Although there was some initial difficulty verifying this vulnerability in triage, he was very professional and helpful working with the team to make sure this was understood. This was fixed in production on 10/16. I discovered the Open Redirect on the...
Razer US: Open redirect on oauth2.razerzone.com caused by server misconfiguration when using triple slash after hostname
Another solid report form this tester, who helped us nail down the issue when it was only intermittently reproducible. We appreciate the hard work. I discovered the Open Redirect on the oauth2.razerzone.com due to improper handling of multiple/encoded slashes and dots in the URL path. POC link:...
VK.com: XSS в приглашении в группу
Отсутствие фильтрации параметров при приглашении в группу. Дыра в меню приглашения друзей в группу, позволявшая встраивать код через url...
Zomato: [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint
Hacker is able to get the PIPersonal Information of any Zomato user...
Kaspersky: Keys
Check the attachment...
Nextcloud: WordPress < 4.8.2 vulnerable to multiple attacks
Hello team, Summary: I observed that your website https://nextcloud.com still uses WP less than 4.8.2 which is vulnerable to multiple attacks, i reported it so that the team will be aware of it, below are the new discovered bug that you can find on this release:...
Internet Bug Bounty: Optionsbleed / CVE-2017-9798
Bug has been disclosed here: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html poc code: https://github.com/hannob/optionsbleed Apache is currently preparing 2.4.28, which will contain the fix, a patch is available in their svn repo...
HackerOne: Report Private Links Leaks to Google Analytics via Query String Param
Hello HackerOne Team, According to HackerOne privacy HackerOne sometimes partners with third-party services which may use various tracking technologies to provide certain services or features, including targeted online marketing. These technologies allow a partner to recognize your computer or...
ownCloud: Banner Grabbing - Apache Server Version Disclousure
Hello ownCloud, I'd like to report a nice little bug. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is use to get information about remote servers. I've captured the HTTP request while visiting https://marketplace.owncloud.com/ and...
Mail.ru: XSS в письме, в теле письма.
Здравствуйте! XSS срабатывает на e.mail.ru, m.mail.ru, light.mail.ru и в мобильном приложении. Уязвимость присутствует в параметрах стилей, в ...здесь... срабатывает, если экранировать символы. Рабочий вектор здесь одиночные бэкслэш, в примере ещё ниже хостинг обрезал до одиночных: i\\ Отправка...
Nextcloud: Banner Grabbing - Apache Server Version Disclousure
Hello Nextcloud, I'd like to report a nice little bug. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is use to get information about remote servers. I've captured the HTTP request while visiting https://customerupdates.nextcloud.com an...
Tor: Tor Project - Full Path Disclosure
Vulnerability description not provided...
Mail.ru: XSS on https://account.mail.ru/login via postMessage
Обработчик сообщений на страничке https://account.mail.ru/login не проверяет источник, что позволяет вызвать любую доступную команду с произвольного ресурса: js // https://img.imgsmail.ru/ag/0.3.3/authGate.js:formatted function ca a = a || window.event; var c, d, h = , i = a.data, j = a.source; i...
Tor: SQL Injection in parameter REPORT
Vulnerability description not provided...