HackerOne: How the Arch Angel stole Live Events
A vulnerability in a live hacking event's infrastructure allowed an attacker to impersonate an administrator, close valid bug reports, and disrupt the event. The attacker was able to log in as an administrator and invalidate bug reports, but the event proceeded successfully regardless...
Node.js: Denial of Service by resource exhaustion in fetch() brotli decoding
A denial of service vulnerability was identified in Node.js related to resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The issue stems from fetch always decoding Brotli content, allowing an attacker controlling the URL to cause resource exhaustion...
Teleport: access list owner can escalate his role to the highest roles
Summary: 1. Go to your-domain.teleport.sh/web/accesslists. 2. Create a new access list and add a role to "Roles Granted," e.g., "reviewer" role. 3. Add a user as the Access List Owner. 4. The user, as the Access List Owner, can escalate the role of the list to higher roles, thereby escalating the...
TikTok: RXSS on TikTok endpoints
A cross-site scripting vulnerability was discovered in two TikTok incentive endpoints due to improper output encoding of user-supplied data. This allowed JavaScript code injection into the affected endpoints...
Internet Bug Bounty: Possibility of Request smuggling attack
A vulnerability in Apache Tomcat allowed request smuggling due to incorrect parsing of HTTP trailer headers. A specially crafted trailer header exceeding the size limit could cause Tomcat to treat a single request as multiple requests, enabling request smuggling attacks when behind a reverse prox...
MetaMask: Total failure of password protection while extracting seed phrase increases attack surface for scammers
The MetaMask browser extension UI was able to access a user's seed phrase without requiring password confirmation, which violated expected security boundaries between the UI and background process. The issue was resolved in MetaMask Extension version 11.7.1, which now enforces password confirmati...
Internet Bug Bounty: curl HSTS long file name clears contents
When saving HSTS data using curl, a vulnerability was found where using an excessively long file name could result in the clearing of all contents. This caused subsequent requests using that file to be unaware of the HSTS status they should have used. The reason was that curl appended a suffix to...
Shopify: HTTP Response Header Injection in shopify/pitchfork + Rack 3
The HTTP response header injection vulnerability was discovered in the Pitchfork library version 0.10.0 when used with Rack 3. The issue stemmed from improper handling of header values containing newline characters in the appendheader method of the HTTP response module. When Rack 3 was used, the...
PortSwigger Web Security: CSP bypass on PortSwigger.net using Google script resources
A cross-site scripting vulnerability was discovered on PortSwigger.net. The site's content security policy allowed resources from Google's reCAPTCHA domain, which contains AngularJS. This could be abused to bypass the CSP and load arbitrary scripts from other domains. The issue allowed an attacke...
PortSwigger Web Security: Changing the administrator password via admin console does not invalidate other sessions
The vulnerability is that changing the administrator password via the admin console does not invalidate other active sessions. This means that even after changing the password, the previous sessions can still be used to access the administrator account...
PortSwigger Web Security: A user with only [MODIFY_SETTINGS] permission could take over any user accounts
The vulnerability allowed a user with only the "MODIFY_SETTINGS" permission to take over any user accounts. By configuring the email settings to use a public SMTP server, the attacker could capture the email and password reset link whenever an administrator or user with permissions to edit or add...
HackerOne: Some limited confidential information can still be accessed after a user exits a private program
Vulnerability description not provided...
PortSwigger Web Security: The role "CI-driven scan initiator" provides excessive read access
The reporter noticed that all authenticated users were able to access certain non-sensitive information such as metadata about third-party integrations. This was found to be by design, and the documentation was updated to clarify the information available to all authenticated users...
Internet Bug Bounty: curl cookie mixed case PSL bypass
A vulnerability in curl allowed a malicious HTTP server to set "super cookies" that bypassed the Public Suffix List check, enabling cookies to be sent to unrelated sites and domains...
Internet Bug Bounty: ASAR Integrity bypass via filetype confusion
A vulnerability was discovered in Electron that allowed bypassing ASAR integrity checks via filetype confusion. Maliciously crafted directories could trick apps into loading non-validated code. This impacted apps with certain fuses enabled on macOS that relied on filesystem protections. The issue...
Ruby: DoS in bigdecimal's sqrt function due to miscalculation of loop iterations
Vulnerability description not provided...
Valve: Web API key registration allows registering multiple keys by reusing `request_id`
A vulnerability was found in the Steam API key registration process that allowed multiple API keys to be registered for an account by reusing the request ID. The issue was fixed by updating the request ID after successful confirmation. Accounts with multiple keys were corrected...
Internet Bug Bounty: OpenSSL vulnerable to the Marvin Attack (CVE-2022-4304)
A timing side channel vulnerability in OpenSSL RSA decryption was discovered that could allow plaintext recovery. By measuring decryption time, an attacker could recover RSA plaintext from captured ciphertexts after a large number of decryption attempts. All RSA padding modes were affected. The...
Deriv.com: Mailgun subdomain takeover
Summary: I have found an unclaimed subdomain of deriv.cloud, which is successfully claimable. Platforms Affected: email.mailgun.deriv.cloud Steps To Reproduce: You just need a Mailgun account and then you can successfully claim this domain. Supporting Material/References:...
CS Money: Authentication Bypass to (CVE-2023-2982)
An authentication bypass vulnerability was discovered in an older version of the WordPress plugin WordPress Social Login and Register Discord, Google, Twitter, LinkedIn...
Mozilla: Subdomain takeover on one of the subdomains under mozaws.net
A subdomain takeover vulnerability was identified on a mozaws.net subdomain due to a dangling DNS record. The researchers were able to host content under the affected subdomain...
Node.js: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding)
A timing side-channel vulnerability in the crypto library's privateDecrypt API allowed attackers to remotely exploit and decrypt or forge signatures when processing encrypted messages...
Mars: Blind SQL Injection on █████ via URI Path
The vulnerability involved a time-based SQL injection attack on the target system via the URI path. The attack capitalized on vulnerabilities in the application's interactions with the database, allowing the attacker to extract information by purposefully delaying database processing and observin...
Fastly VDP: Open Redirect on ███████
The vulnerability was an open redirect issue on the website. A user could be redirected to a malicious site by modifying the "redirecturl" parameter. This could have been exploited for phishing attacks or malware infections...
Glassdoor: Web Cache Deception
A web caching issue was discovered on an endpoint which inappropriately cached a user's feed page under certain conditions...
SideFX: Port 587 SMTP open: can send any mail remotely from the internal mail users to company mail IDs.
Port 587 SMTP open. Attacker can send emails remotely to company email addresses. This allows phishing, spamming, or other malicious emails to be sent from what appears to be a legitimate internal company email account...
EXNESS: Unrestricted Access to Celery Flower Instance
The publicly accessible Celery Flower instance allowed unrestricted access, exposing sensitive information, and the ability to manipulate tasks...
HackerOne: Cloud Computer Hackerone Triager can be Accessible for everyone [[email protected]] computer
Vulnerability description not provided...
Nextcloud: Open redirect in user_saml via RelayState parameter
An open redirect vulnerability was reported in the user_saml authentication module of Nextcloud. The vulnerability allowed redirecting users to arbitrary URLs via the RelayState parameter...
Internet Bug Bounty: Misconfiguration in AWS CloudFront CDN configuration makes rubygems.org serve (and cache) content from an unclaimed S3 bucket
A misconfiguration in the AWS CloudFront CDN configuration for rubygems.org caused content to be served from an unclaimed S3 bucket. This could have enabled an attacker to serve malicious content and affect availability. Artifactory instances were observed accessing files, presenting a potential...
Mars: Critical Unauthenticated Access to Sensitive Employee and Customer Data Including Invoice Details at ████
During a reconnaissance phase, a directory named 'SSO' was discovered on the website ████████. Upon accessing this directory, it redirected to ██████████, where sensitive employee and customer data, including usernames, emails, purchase history, payment history, bills, phone numbers, customer...
HackerOne: Server Side Request Forgery (SSRF) via Analytics Reports
We recently received a critical server-side request forgery (SSRF) vulnerability report through our bug bounty program. The issue allowed attackers to make internal requests from our application servers by exploiting a lack of output sanitization in an error message. By crafting malicious requests,...
U.S. Dept Of Defense: Default Admin Username and Password on ███
A vulnerability was found where default administrator credentials could be used to access an application. This could have allowed unauthorized access...
Mars: CSRF to delete a pet on ██████
The /pets/delete endpoint on ████ was susceptible to Cross-Site Request Forgery (CSRF) attacks. This vulnerability enabled the deletion of a pet from the targeted user's account without authorization...
Mozilla: MozillaVPN: Elevation of Privilege via a Race Condition Vulnerability
A race condition vulnerability was discovered in Mozilla VPN that led to local privilege escalation to root on macOS. The vulnerability existed during the installation or update process, where a local attacker could replace the VPN binary with a malicious one that would execute as root. The issue...
Node.js: Permissions can be bypassed via arbitrary code execution through abusing libuv signal pipes
Vulnerability description not provided...
Node.js: Multiple permission model bypasses due to improper path traversal sequence sanitization
A vulnerability in the path traversal sanitization of Node.js versions 20 and 21 allowed bypass of the experimental filesystem permission model through path traversal attacks...
Automattic: Timeline API returns private post when target of a push notification
The Timeline API was able to return private posts when the target of a push notification, even though the user did not have access to the post...
Internet Bug Bounty: CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows
A potential denial of service vulnerability was discovered in the UsernameField component in Django before versions 4.2.7, 4.1.13, and 3.2.23. The vulnerability allowed a denial of service attack via malformed input containing a large number of Unicode characters. The issue was addressed by...
X (Formerly Twitter): Bypassing x profile verification to receive instant blue checkmark and unlimited profile changes
The vulnerability allowed users to bypass the profile verification process on X by upgrading and downgrading their plan immediately after changing their profile picture. This permitted continuous profile picture changes without review...
Node.js: Improper handling of wildcards in --allow-fs-read and --allow-fs-write
A vulnerability was found in the Node.js permission model documentation regarding improper handling of wildcards in the --allow-fs-read and --allow-fs-write options. The documentation did not make clear that wildcards should only be used as the last character of a file path. This could result in...
GitLab: Stored-XSS injected in Wiki page via Banzai pipeline
A vulnerability was found in the AbstractReferenceFilter class of the GitLab project that could be exploited to inject arbitrary HTML elements, leading to a stored cross-site scripting (XSS) vulnerability. The issue was caused by the way the application handled the processing of wiki page content,...
Mozilla: Exposure of account recovery hint by querying by user email
The account recovery hint was exposed by querying the API with a user email. This allowed obtaining the hint and could enable phishing attacks...
Internet Bug Bounty: Path traversal through path stored in Uint8Array in Node.js 20
A path traversal vulnerability was discovered in Node.js 20 through paths stored in Uint8Array objects. The vulnerability allowed bypassing path sanitization protections and reading arbitrary files outside of a restricted directory. The issue was addressed by properly sanitizing Uint8Array paths ...
Sony: SQL injection at ███████
A Sony website was vulnerable to an error-based SQL injection that allowed data extraction...
Hyperledger: CVE-2023-46132
A vulnerability was discovered in the way transactions were hashed in Fabric blockchain blocks, which allowed an attacker to manipulate the transaction data while keeping the block hash unchanged. This could enable an adversary to fork the blockchain network state through malicious blocks that...
Mozilla: Remote code execution and exfiltration of secret tokens by poisoning the mozilla/fxa CI build cache
Remote code execution and data exfiltration were possible by poisoning a cache used in a CI build process. A proof of concept demonstrated the ability to exfiltrate sensitive data by re-uploading a modified cache artifact. The vulnerability required access to the source code repository to be...
Nextcloud: Notes app can be tricked into using a received share created before the user logged in
The Nextcloud Notes app was found to be vulnerable to a security issue that allowed it to be tricked into using a received share created before the user logged in...
curl: Buffer overflow; affected URL: https://github.com/curl/curl/blob/master/docs/examples/hsts-preload.c
Vulnerability description not provided...
TikTok: RXSS via region parameter
A cross-site scripting vulnerability was discovered in a TikTok endpoint. User-supplied data in the 'region' parameter was reflected without appropriate escaping, allowing JavaScript injection...