Nextcloud: Passcode bypass on Talk Android app
Summary: It is possible to bypass the passcode protection in nextcloud android talk by clicking the notification of a message. Talk App Android version: 15.0.2 RC1 Steps To Reproduce: 1. Create two users 1. Using User A login it to the web interface while User B on Talk App Android 1. Using User ...
Node.js: Regular Expression Denial of Service in Headers
The Headers.set and Headers.append methods in the undici package were vulnerable to Regular Expression Denial of Service ReDoS attacks due to the inefficient regular expression used to normalize the values in the headerValueNormalize utility function. An attacker could exploit this vulnerability ...
Nextcloud: Messages can still be seen on conversation after expiring when cron is misconfigured
A vulnerability in Nextcloud Talk allowed expired chat messages to still be visible to anyone with access to the conversation, even after the message expiration time had passed...
Nextcloud: OAuth2 "authorization_code" is valid indefinitely
A security advisory reported that the OAuth2 endpoint was not following best practices, as the authorization code was generated without a timeout, allowing an attacker with access to obtain and redeem the code in the future...
Urban Company: Host header injection that bypassed protection and allowed accessing multiple subdomains
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Name of...
TikTok: Ability to change permissions across seller platform
An Insecure Direct Object Reference IDOR vulnerability was found on the "Post" request on a TikTok Seller endpoint, which could have resulted in any user having the ability to change the "Finance Specialist" role permission. We thank @imrannisar for reporting this to our team...
Internet Bug Bounty: CVE-2022-45402: Apache Airflow: Open redirect during login
In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's /login endpoint. my initial email to [email protected]: Hi, In Apache Airflow, there is a parameter "next" on the Login page. And after a successful login, we're redirected to this parameter's value. I see...
inDrive: Disclosure of users' IP address whenever they view my freight offer on image preview (without interaction)
A vulnerability was disclosed where users' IP addresses were leaked when they viewed freight offers, without any interaction required. By changing post image URLs to external sites, the external site received the user's IP when they viewed the post. This leaked user IPs and location, enabling...
Nextcloud: Ability to control the filename when uploading a logo or favicon on theming
A vulnerability existed in Nextcloud that allowed an attacker to control the filename of a logo or favicon when uploading it, by modifying the key. This could result in the attacker uploading any files directly in the webapp and path disclosure. The vulnerability has been fixed...
Rocket.Chat: Cross-Site-Scripting in "Search Messages"
Vulnerability description not provided...
Rocket.Chat: Insecure use of shell.openExternal() leads to RCE in Rocket.Chat-Desktop
Rocket.Chat-Desktop passes the parameter url of openInternalVideoChatWindow to shell.openExternal, which may lead to remote code execution (internalVideoChatWindow.ts, line 17). To exploit the vulnerability, the internal video chat window must be disabled or a Mac App Store build must be used...
Cloudflare Public Bug Bounty: 💥💥Crash report -Cloudflare WARP doesn't verify text length in "Excluded Host" name input data💥💥
Vulnerability description not provided...
MTN Group: No rate limit in OTP code sending
The submission describes a vulnerability in the OTP One-Time Password code sending functionality of the MTN Play website. The vulnerability allows an attacker to send an unlimited number of OTP codes without any rate limiting, potentially flooding the victim's mobile inbox. The vulnerability was...
MTN Group: Reflected - XSS
The Reflected XSS vulnerability was discovered on the website www.mtn.bj. The vulnerability was triggered by entering a malicious payload in the Messages section, which resulted in the execution of the payload on the client-side...
LinkedIn: Unauthorized access to resumes stored on LinkedIn
Researcher found an IDOR on an endpoint where a recruiter could download resumes without the appropriate access - This security issue was unintentionally introduced in late-October 2022 - The reporter reached out and provided details to LinkedIn on this security issue in November 2022 - LinkedIn...
Khan Academy: S3 bucket takeover [learn2.khanacademy.org]
The subdomain learn2.khanacademy.org was pointed to Amazon S3, but no bucket with that name was registered learn2.khanacademy.org. This meant that anyone could sign up for Amazon S3, claim the bucket as their own and then serve content. Steps to reproduce Check the following url:...
ZeroBounce: API tokens and Emails leaked lead to sensitive information Disclosure
Summary: "Salam alikoum" Hi team, I hope you are well. It is a pleasure to work in your program. I will begin to present the vulnerability that I found: Information Disclosure via ?email parameter and ?apikey Steps To Reproduce: 1. waybackurls zerobounce.net | grep gmail Response :...
Internet Bug Bounty: CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example
airflow-2.3.3/airflow/example_dags/example_bash_operator.py has a command injection vulnerability. I can control the run_id in the following code (example_bash_operator.py), so I can inject custom commands. also_run_this = BashOperator(task_id='also_run_this', bash_command='echo "run_id={{ run_id }} | dag_run={{ dag_run }}"')...
GitHub Security Lab: [CPP]Add query to detect bugs like CVE-2017-5123
Vulnerability description not provided...
GitHub Security Lab: [python] TarSlip vulnerability improvements
Vulnerability description not provided...
Linktree: XSS in linktr.ee - on link thumbnail adding
XSS on link thumbnail adding...
Internet Bug Bounty: Leak of sensitive values to Airflow rendered template
I’m just getting started with Airflow, but seem to have got into a situation where sensitive values e.g. connection passwords end up in my task’s rendered template. Here’s how my DAG starts, having set up a connection called “secret” with a password specified: t1 = BashOperator...
MTN Group: IDOR at mtnmobad.mtnbusiness.com.ng leads to PII leakage.
The IDOR vulnerability at mtnmobad.mtnbusiness.com.ng allowed the personal information of users, such as their phone numbers and account details, to be accessed by an attacker who knew the user's email address. The vulnerable request was a POST to the /app/getUserNotes endpoint, which accepted th...
GitLab: ReDoS due to device-detector parsing user agents
A ReDoS vulnerability was discovered in how GitLab parsed user agents, which could lead to Denial of Service on affected instances...
AMBER AI: Open redirect that can lead to malicious websites
Go to a picture in the website, inspect that picture and you can see a tag. Change the tag with the command and it will redirect!! Kindly watch the POC attached to it. Impact: redirect to any malicious web sites, which may have a chance for account takeover...
U.S. Dept Of Defense: CORS Misconfiguration in https://████████/accounts/login/
A CORS misconfiguration vulnerability was discovered in the login page of a website, allowing an attacker to exfiltrate sensitive data of a victim. The vulnerability was caused by a poorly configured CORS policy that trusted any arbitrary attacker-controlled domain name and sent the data t...
8x8: Directory Listing at https://█.█.█.█
@shuvam321 reported to us an enabled Directory Listing at https://█.█.█.█/cobbler/ & https://█.█.█.█/cblr/. The directories exposed open source files related to the Spacewalk project. The server instance was initially installed as a preview of a Spacewalk. No sensitive information had been...
Semrush: IDOR vulnerability reveals additional information
An issue was identified in the Content Outline Builder product. Changing a user ID in a GraphQL request could reveal additional information about users. A subsequent internal review revealed no evidence of exploitation by unauthorized parties...
HackerOne: adding h1_analyst_* to username for normal users
Vulnerability description not provided...
MetaMask: Arbitrary file write triggered by deeplink abuse - MetaMask Android
A vulnerability was discovered in the MetaMask Android app that allowed for arbitrary files to be written to disk. Attackers were able to exploit this vulnerability by deeplinking into MetaMask's in-app browser and triggering the immediate download of an attacker-supplied file. Users were not...
Nextcloud: Reference caching can leak data to unauthorized users
A vulnerability existed in Nextcloud's ReferenceManager that allowed unauthorized users to access data if the reference was cached and the user had knowledge of the boardId/cardId. The cachePrefix used in deck was independent of the user, which allowed any user to access the information of a deck...
Nextcloud: Exposed Log File Lead to Full Internal path disclosure at [https://nextcloud.com/wp-content/debug.log]
Hi team, I found the wp-content/debug.log endpoint publicly accessible, which leads to full path disclosure. Steps: Open: https://nextcloud.com/wp-content/debug.log You can see internal paths disclosed and the date is: 02-Nov-2022 02-Nov-2022 08:50:36 UTC PHP Fatal error: Uncaught Error: Call to undefined...
Uber: DOM based XSS via insecure parameter on [ https://uberpay-mock-psp.uber.com ]
Vulnerability description not provided...
AMBER AI: Support Portal Takeover via Leaked API KEY
Thanks @khizer47 for the report. Insecure zendesk API token hardcoded in JS file, causing Support portals to lose control of administrator rights. We removed dangerous token and controlled permissions by using more secure OAuth token. An API key & associated Email was Hardcoded into a JS file...
Nextcloud: Potential directory traversal in OC\Files\Node\Folder::getFullPath
A potential directory traversal vulnerability was found in the getFullPath function of the OC\Files\Node\Folder class in Nextcloud Server before version 20.0.8, 21.0.2, and 22.0.0. An attacker could exploit this vulnerability to create paths outside of their own space and overwrite files belongin...
curl: CVE-2022-43552: HTTP Proxy deny use-after-free
Issues reported by Trail of Bits. This is either one or two issues. Summary: ./src/curl 0 -x0:80 telnet:/j-uj-u//0 -m 01 ./src/curl 0 -x0:80 smb:/j-uj-u//0 -m 01 Both command line ends up having libcurl access and use already freed heap-memory. For read and write. Steps To Reproduce: See above, r...
Node.js: Take over subdomain undici.nodejs.org.cdn.cloudflare.net
Hello, this is a pretty serious security issue in some contexts, so please act as soon as possible. Summary: I just went to undici.nodejs.org, and I've also checked the IP of the main domain. It goes to cdn.cloudflare.net, which means if it's not added it can be added to any github account your...
Kubernetes: Git Arg Injection in kubernetes-sigs/release-sdk
A command injection vulnerability was found in the LSRemoteExec function of the kubernetes-sigs/release-sdk Git package. An attacker could exploit this vulnerability by injecting malicious arguments, allowing them to execute arbitrary commands. The impact of this vulnerability could be severe...
U.S. Dept Of Defense: xss on reset password page
Target: https://█████/Default.aspx?TabId=81&ctl=SendPassword&returnurl=%252fUOTSHelpDesk When a user goes on the forgot password page and enters a username, it is reflected onto the page. An attacker could simply enter a username like alert1 and it would execute an alert, not to mention there is no...
Hyperledger: Dependency confusion in https://github.com/hyperledger/aries-mobile-agent-react-native
Vulnerability description not provided...
Yelp: Public Github Repo Leaking Internal Credentials
Summary: In Github I found some credentials to use in a mesos.apache.org Github: https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-secrets https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-slave-secret POC ss F2021070 F2021071 Login...
Reddit: api keys leaked
Summary: Disclosure of valid private keys may lead to unauthorized access to any systems that use them for authentication. Verify whether any keys disclosed are actually valid, and whether their disclosure within the application is appropriate Impact: Disclosure of valid private keys may lead to...
Expedia Group Bug Bounty: Sensitive information for phpinfo.php at https://products.ean.com/
Vulnerability description not provided...
GitHub: Improper handling of null bytes in GitHub Actions Runner allows an attacker to set arbitrary environment variables
A vulnerability in GitHub Actions Runner allowed an attacker to set arbitrary environment variables by exploiting improper handling of null bytes. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.8.0 and was fixed in versions 3.4.15, 3.5.12, 3.6.8, 3.7.5. The...
XVIDEOS: Self-XSS on Suggest Tag dialog box
Summary: Stored cross-site scripting arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. vulnerable URL : https://www.xvideos.com/video57921571/friendb.ifd. Vulnerability Description : Application have a add ta...
Linktree: Account takeover - improper validation of JWT signature (with regards to expiration date claim)
Some backend services did not properly validate JWTs. As a result JWT validation could be bypassed by setting the expiration date claim to a unix timestamp in the past, and abusing this for account takeover. The expiration date claim of the JWT token was not properly handled. I was able to bypass...
Expedia Group Bug Bounty: Cache Poisoning Allows Stored XSS Via hav Cookie Parameter (To Account Takeover)
A cache poisoning vulnerability allowed for stored cross-site scripting (XSS) attacks via the "hav" cookie parameter on abritel.fr, leading to account takeover. The server had a protection mechanism that filtered double quotes, but not greater-than and less-than symbols, which allowed the attacker to...
Slack: Unauthorized access to GovSlack
An unauthorized user could create a workspace on GovSlack by copying and sending a fetch request payload from slack.com to slack-gov.com, which would bypass the disabled option to create a workspace for new users. This could result in unauthorized access to GovSlack...
Khan Academy: xss due to incorrect handling of postmessages
Due to Insecure handling of create link tags a tags in a function called autolink found in 7Bmt.af733e428f9f986dfc96.js js e = n.autolinke, !0; const n = function const e = /\b?:?:https?://|www\d0,3.|a-z0-9.-+.a-z2,4/?:^\s&+|&|?:^\s|?:^\s+\+?:?:^\s|?:^\s+\|^\s!\;:'".,?«»“”‘’&/gi; return...
Rocket.Chat: NoSQL injection in listEmojiCustom method call
Vulnerability description not provided...