Yelp: CORS Misconfiguration on Yelp
A cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the...
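The check a tester runs for the misconfiguration class named in this report, as an added example (not code from the report or from Yelp): send a set of attacker-chosen Origin values and classify what comes back in the Access-Control-* response headers. The response headers below are constructed samples, and the trusted domain name `example.com` is an assumed placeholder.

```python
"""Classify CORS responses for the classic misconfigurations.

Added illustration. Feed it the Origin header you sent and the response
headers you got back; it tells you whether the server reflected an
arbitrary origin, and whether it did so with credentials enabled, which is
the combination that lets a malicious page read authenticated responses.
"""
from urllib.parse import urlsplit


def probe_origins(trusted_domain: str) -> list:
    """Origins worth sending when testing a site whose real domain is trusted_domain.

    Each one targets a different sloppy check: plain reflection, the "null"
    origin, prefix/suffix matching, and a subdomain (which may be legitimate).
    """
    return [
        "https://attacker.example",                      # plain reflection
        "null",                                          # sandboxed iframes send this
        "https://%s.attacker.example" % trusted_domain,  # startswith() check
        "https://evil%s" % trusted_domain,               # endswith() check without the dot
        "https://sub.%s" % trusted_domain,               # subdomain, maybe trusted
    ]


def classify_cors(sent_origin: str, headers: dict, trusted_domain: str) -> str:
    """Return a finding label for one request/response pair."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # "*" cannot be combined with credentials; browsers reject that pairing.
        return "wildcard-with-credentials(ignored by browsers)" if creds else "wildcard-public"
    if acao != sent_origin:
        return "fixed-origin"          # a specific, different origin is allowed
    # The server echoed our Origin back. Was that origin one it should trust?
    host = urlsplit(sent_origin).hostname or ""   # "null" has no hostname
    trusted = host == trusted_domain or host.endswith("." + trusted_domain)
    label = "reflected-trusted-origin" if trusted else "reflected-arbitrary-origin"
    return label + ("+credentials" if creds else "")


def scan(responses: dict, trusted_domain: str) -> dict:
    """responses maps each sent Origin to the headers it produced (constructed here)."""
    return {o: classify_cors(o, hdrs, trusted_domain) for o, hdrs in responses.items()}


if __name__ == "__main__":
    # Constructed sample: a server that echoes any Origin and enables credentials.
    sample = {
        o: {"Access-Control-Allow-Origin": o, "Access-Control-Allow-Credentials": "true"}
        for o in probe_origins("example.com")
    }
    for origin, verdict in scan(sample, "example.com").items():
        print(f"{origin:45s} -> {verdict}")
```

Only `reflected-arbitrary-origin+credentials` (and the trusted-subdomain variant, if any subdomain can host attacker content) is the exploitable case; reflection without credentials exposes only what an anonymous request could already read.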
Internet Bug Bounty: CVE-2022-40604: Apache Airflow: Format String Vulnerability
There is a format string vulnerability in Apache Airflow versions 2.3.0 through 2.3.4 in the src/airflow/utils/log/filetaskhandler.py file. The vulnerability was caused by unnecessary formatting of a URL, which could allow for information extraction...
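The bug class behind this report, as an added illustration (this is not Airflow's code, and the `TaskInstance` stand-in, `secret` field and URL layout are assumptions): when text that an untrusted party can influence is spliced into a template before `.format()` runs, brace expressions in that text are evaluated against whatever objects were passed in, so `{ti.__dict__}` or `{ti.secret}` pulls attributes into the result. The fix is to format only the trusted part of the template and append the untrusted path afterwards.

```python
"""Vulnerable vs. fixed URL building with str.format (added illustration).

The untrusted value here is log_relative_path, which in the real bug class
is derived from user-chosen names and so may contain "{...}" placeholders.
"""
from dataclasses import dataclass
import os


@dataclass
class TaskInstance:
    """Assumed stand-in for the rich object handed to .format()."""
    hostname: str
    secret: str           # something that must never end up in a URL


def build_log_url_vulnerable(ti: TaskInstance, port: int, log_relative_path: str) -> str:
    # BUG: the untrusted path is joined into the template BEFORE .format(),
    # so any "{ti.<attr>}" inside it is expanded against the real object.
    template = os.path.join("http://{ti.hostname}:{port}/log", log_relative_path)
    return template.format(ti=ti, port=port)


def build_log_url_fixed(ti: TaskInstance, port: int, log_relative_path: str) -> str:
    # Format only the trusted prefix, then append the untrusted path verbatim;
    # braces in log_relative_path are now just characters.
    prefix = "http://{ti.hostname}:{port}/log".format(ti=ti, port=port)
    return os.path.join(prefix, log_relative_path)


def leaks_secret(builder, ti: TaskInstance, payload: str) -> bool:
    """True if the builder's output contains ti.secret (i.e. the payload was expanded)."""
    try:
        return ti.secret in builder(ti, 8793, payload)
    except (KeyError, AttributeError, ValueError, IndexError):
        # A malformed placeholder makes the vulnerable builder raise instead of
        # leak; that is still an attacker-controlled failure, but not disclosure.
        return False


if __name__ == "__main__":
    ti = TaskInstance(hostname="worker-1", secret="hunter2")
    for payload in ("dag/task/1.log", "dag/{ti.secret}/1.log", "dag/{ti.__dict__}/1.log"):
        print("vulnerable:", leaks_secret(build_log_url_vulnerable, ti, payload),
              "fixed:", leaks_secret(build_log_url_fixed, ti, payload), "|", payload)
```

The general rule: never call `.format()` (or `%`, or f-string style templating via `eval`-like helpers) on a string that contains untrusted input; format a constant template and pass the untrusted input as an argument.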
Nextcloud: Guests can continue to receive video streams from call after being removed from a conversation
Summary: If the HPB is used and a guest is removed from a conversation while said guest is in a call the guest will no longer appear in the participant list and the call will appear as ended for the other participants. However, for the guest the call UI is still shown. If other participants start...
Hyperledger: POOL_UPGRADE request handler may allow an unauthenticated attacker to remotely execute code on every node in the network.
This issue is related to https://github.com/hyperledger/indy-node. The issue was found in the indy-node code that handles the write request of type POOL_UPGRADE in file indy-node/indy_node/server/request_handlers/config_req_handlers/pool_upgrade_handler.py. The additional_dynamic_validation function...
U.S. Dept Of Defense: AWS Credentials Disclosure at ███
Sensitive AWS credentials were disclosed through a config.json file found on a server. An attacker could have used these credentials to gain access to sensitive information on the AWS account or perform arbitrary modifications on AWS resources. The affected system host was not disclosed. No CVE...
U.S. Dept Of Defense: External service interaction ( DNS and HTTP ) in www.████████
An External Service Interaction vulnerability was found in www.█████████, allowing an attacker to induce the application to interact with arbitrary external services such as DNS and HTTP. This could lead to various attacks, including DDoS, OS command injection, DoS, and code manipulation...
curl: CVE-2022-32221: POST following PUT confusion
Summary: The bug I submitted at https://github.com/curl/curl/issues/9507 can have at least a few unintended security issues: - Information Disclosure: this bug causes an HTTP PUT to occur when the user intends for an HTTP POST to occur. The user, who intended an HTTP POST, expects the POSTed...
MTN Group: Exposure Of Admin Username & Password
Hello Team, There is an exposure of your username and password on this subdomain https://engage2.mtnonline.com/nc/ Exposed credentials: uid: "mtnng", passwd: "bd31568138edbfc0552a1ecc6886ea5c". Steps To Reproduce: Visit https://engage2.mtnonline.com/nc/ Now press CTRL+U to view the source code of thi...
Nextcloud: SSRF via filter bypass due to lax checking on IPs
Lax checking of IPs in Nextcloud allowed for a filter bypass vulnerability that could be exploited by attackers to gain SSRF. The filtering failed when met with some of the more advanced SSRF payloads, such as alternative (hexadecimal, octal and decimal) IP notations, allowing attackers to bypass IP filters and gain access...
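A filter that only recognises dotted-decimal `127.0.0.1` lets `0x7f000001`, `2130706433`, `0177.0.0.1` or `127.1` through, yet libc `inet_aton()` and most HTTP clients resolve all of those to loopback. The following added example (not Nextcloud's code) implements the `inet_aton` parsing rules itself, so the check does not depend on platform behaviour, canonicalises the address, and then asks `ipaddress` whether it lands in a loopback, private, link-local or otherwise non-public range. IPv4-mapped IPv6 addresses are unwrapped and checked the same way.

```python
"""Canonicalise alternative IPv4 spellings before applying an SSRF denylist.

Added illustration of the filter-bypass class in the report above.
inet_aton accepts 1 to 4 dot-separated parts; each part may be decimal,
octal (leading 0) or hex (leading 0x); the last part fills all remaining
bytes. Hostnames are NOT handled here: resolve them first, then check
every returned address with is_internal_address().
"""
import ipaddress
import re

_PART = re.compile(r"^(0[xX][0-9a-fA-F]*|[0-9]+)$")   # what inet_aton tolerates


def _part_value(s: str) -> int:
    if s[:2].lower() == "0x":
        return int(s[2:] or "0", 16)
    if len(s) > 1 and s.startswith("0"):
        return int(s, 8)             # "08" raises ValueError, as inet_aton rejects it
    return int(s, 10)


def normalize_ipv4(text: str):
    """Return the canonical dotted quad for any inet_aton form, else None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    try:
        vals = [_part_value(p) for p in parts]
    except ValueError:
        return None
    head, last = vals[:-1], vals[-1]
    if any(v > 0xFF for v in head):
        return None
    remaining = 4 - len(head)                  # bytes the last part must fill
    if last >= 1 << (8 * remaining):
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * remaining)) | last
    return str(ipaddress.IPv4Address(n))


def is_internal_address(host: str) -> bool:
    """True if host is an IP literal (any spelling) that must not be fetched."""
    literal = host.strip("[]")
    canon = normalize_ipv4(literal)
    try:
        ip = ipaddress.ip_address(canon if canon is not None else literal)
    except ValueError:
        return False                           # not an IP literal at all
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # ::ffff:127.0.0.1 -> 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "0x7f000001", "2130706433", "0177.0.0.1",
                      "127.1", "0xa9.0xfe.0xa9.0xfe", "::ffff:169.254.169.254",
                      "8.8.8.8", "256.1.1.1"):
        print(f"{candidate:28s} canonical={normalize_ipv4(candidate)!s:18s} "
              f"internal={is_internal_address(candidate)}")
```

Note that the check must run against the address the client will actually connect to: resolve the hostname, check every A/AAAA record, and connect to the address you checked, or a DNS rebinding or redirect-following client will undo the work.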
Ruby on Rails: Unexpected deserialization in Kredis
Unexpected classes could be deserialized in Kredis due to the use of JSON.load, potentially leading to security vulnerabilities...
LY Corporation: iOS group chat denial of service
Vulnerability description not provided...
Rocket.Chat: Bypassing 2FA with conventional session management - open.rocket.chat
The vulnerability allowed bypassing two-factor authentication in open.rocket.chat by exploiting the email confirmation flow. An attacker could sign up, enable two-factor authentication, change the email, and then use the email confirmation link to log in without providing the two-factor...
U.S. General Services Administration: access nagios dashboard using default credentials in omon1.fpki.gov, 3.220.248.203
Summary: When I was performing recon on fpki.gov, I found a Nagios dashboard at omon1.fpki.gov (3.220.248.203) and accessed it using default credentials, username: nagiosadmin, password: nagiosadmin. Steps To Reproduce: 1. Visit these URLs: https://omon1.fpki.gov/nagios/side.php...
Shopify: Shop App - Attacker is able to intercept authorization code during authentication (OAuth) and is able to get access to Microsoft Outlook email account
A vulnerability was discovered in the Shop App's Microsoft Outlook OAuth flow, where a malicious app could intercept the authorization code during authentication due to the use of deep links. This could allow an attacker to gain access to the victim's emails. The issue was mitigated by implementi...
Cloudflare Public Bug Bounty: Take over subdomains of r2.dev using R2 custom domains
███████ ████ ████ ███████████████████████████ ███ ██████████ It is possible to take over any subdomain of r2.dev, possibly also the base domain, and have it serve the contents of an R2 bucket in your account. Requirements: Access to R2 public buckets in the dashboard is currently behind a flag. The...
U.S. Dept Of Defense: XSS in ServiceNow logout https://████:443
An XSS vulnerability was discovered in ServiceNow logout, allowing an unauthenticated remote attacker to execute code in the user's browser context by clicking on a malicious link. The vulnerability was present in ServiceNow versions prior to SanDiego SP6 and has been assigned CVE-2022-38463...
Shopify: XSS in www.shopify.com/markets?utm_source=
Hello, hope you are having a good day. Summary: I found a reflected XSS in www.shopify.com/markets using the utm_source parameter. Reflected XSS vulnerabilities arise when the application accepts a malicious input script from a user and it is then executed in the victim's browser. Since the XSS is...
Nextcloud: nextcloudcmd incorrectly trusts bad TLS certificates
Ref: https://github.com/nextcloud/desktop/issues/4927 Bug description I have a self hosted Nextcloud instance using my own private CA for TLS certs. When running nextcloudcmd without the --trust, it disregards the cert validation failure as "This is not an actual error" and proceeds with the sync...
Linktree: [song.link] Open Redirect
Vulnerability description not provided...
Linktree: XSS in SocialIcon Link
XSS in SocialIcon Link. There was no validation of the URL provided for the SocialIcon Link, which allowed a javascript: URI to be included. As the cookies were marked as HttpOnly, I couldn't steal them directly via the XSS, so instead I found an endpoint which was leaking the accessToken used for...
Expedia Group Bug Bounty: Cache Deception Allows Account Takeover
A vulnerability allowed an attacker to extract a user's session token from a cacheable page, leading to account takeover. The session token was reflected in the response of a cacheable URL, and the server responded with a 200 OK. The caching server saw the response as cacheable due to the file...
MTN Group: IDOR [mtnmobad.mtnbusiness.com.ng]
Steps To Reproduce: 1. Go to https://mtnmobad.mtnbusiness.com.ng//dashboard/home with Burp proxy. 2. Intercept a POST request to /app/dashboardData and review its response; you will see emails and ids. 3. Go to https://mtnmobad.mtnbusiness.com.ng//userProfile 4. Change name, mobile, address etc. and...
TikTok: Remotely Accessible Container Advisor exposed performance metrics and resource usage
A vulnerability was found that caused cAdvisor (Container Advisor) to be publicly accessible on port 8080. We thank @tw4v3sx for reporting this to our team...
8x8: Subdomain Takeover at http://██.get8x8.com/
@testingforbugs reported to us a possible subdomain takeover which was achievable due to a misconfiguration of a Netlify target. The issue has been rectified...
Nextcloud: Name collision of shared folders
Vulnerability description not provided...
GitLab: No Restriction on password
Note 1: When I reported this issue to another program, the triage expert said: "The server is now only hashing a reasonable size password; this should not cause a Denial of Service. Since there does not appear to be evidence of DoS occurring here..." So they will take action only when DDoS appears...
Glassdoor: XSS in www.glassdoor.com
Summary: Browser: Chrome Affected URL https://www.glassdoor.com/Location/All-Tesla-Office-Locations-E43129.htm?DIFFICULT=%3E%3Csvg%20onload%3d%26%23x00000000061;%26%23x0000000006c%26%23x0000000065%26%23x0000000072%26%23x000000000741%26%230000000000000041;%20%3C%2fscript%20 Steps To Reproduce: 1. ...
Shopify: DoS Vulnerability via Cache Poisoning on cdn.shopify.com and shopify-assets.shopifycdn.com
There was a web cache poisoning vulnerability on Shopify's CDN domains that allowed an attacker to block access to any file hosted on the website. The vulnerability existed because the cache server treated backslashes and forward slashes as equivalent, while the origin server returned 404 errors...
Node.js: Node 18 reads openssl.cnf from /home/iojs/build/... upon startup on MacOS
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: Similar to...
Hyperledger: DOS validator nodes of blockchain to block external connections
The attack was documented in the GitHub repo: https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7 Attack: The attacker sends 500 read requests to each node and opens a new one when holding 500 parallel connections. Every user is able to send read requests since it'...
Automattic: IDOR in API applications (able to see any API token, leads to account takeover)
Summary: Hi, @ehtis, thank you for the test account. Here is a critical report. : On Pressable, we can create API applications at https://my.pressable.com/api/applications, and we can access many things using the API token via following the API docs I created an API application and tried to updat...
X (Formerly Twitter): Able to see Twitter Circle tweets due to improper access control on the "FavoriteTweet" endpoint
An attacker was able to view private Twitter Circle posts by liking them through the /FavoriteTweet endpoint and then downloading their Twitter data archive, which contained the full content of the liked posts...
Ruby on Rails: ActionView sanitize helper bypass leading to XSS using SVG tag.
An HTML sanitization bypass vulnerability was discovered in the ActionView sanitize helper. This allowed an attacker to bypass sanitization and execute cross-site scripting (XSS) attacks by using the <use> tag of an SVG element. By embedding a base64-encoded SVG with malicious code, an attacker coul...
Revive Adserver: Multiple cross-site scripting (XSS) vulnerabilities in Revive Adserver
Vulnerability description not provided...
TikTok: Stored XSS in the ticketing system
A Stored Cross-Site Scripting (XSS) vulnerability was found on a TikTok Seller endpoint, which could have resulted in a JavaScript payload injected into the endpoint being executed within the context of the victim's browser. We thank @codeslayer137 for reporting this to our team...
LinkedIn: A Unverified User Can Post Newsletter (Which Is Not Allowed Through Application UI)
A vulnerability was discovered in LinkedIn that allowed unverified users to create newsletters, even though this feature was not accessible to them through the application's user interface. By sending a specific request with the unverified user's cookie, the newsletter creation API could be...
GitLab: Bypass: Stored-XSS with CSP-bypass via scoped labels' color
A Stored-XSS with CSP-bypass vulnerability was discovered in GitLab that allowed attackers to execute arbitrary actions on behalf of victims at the client side. The vulnerability was caused by a missing mitigation for scoped labels, which allowed attackers to create a Stored-XSS with CSP-bypass o...
Shopify: Attacker is able to query Github repositories of arbitrary Shopify Hydrogen Users
Private GitHub repositories of arbitrary Shopify Hydrogen users were accessible to attackers due to a vulnerability in the Hydrogen app. Attackers could query the GitHub account of any Hydrogen user and obtain sensitive information such as private repositories...
8x8 Bounty: Jitsi Desktop Client RCE By Interacting with Malicious URL Schemes on Windows
A command injection vulnerability was found in Jitsi Desktop Client before commit 8aa7be58522f4264078d54752aae5483bfd854b2 on Windows. This vulnerability could allow an attacker to execute arbitrary code by interacting with malicious URL schemes when launching browsers. The vulnerability has been...
MTN Group: Firebase credentials leak
Summary: This report is regarding the fix of 1351329. The fix is not complete: comments are visible to anyone, and an attacker can utilize this for further attacks. Steps To Reproduce: Go to view-source:https://mpulse.mtn.ng/ and search for 'Initialize Firebase'. As you can see, the firebase...
U.S. Dept Of Defense: Blind SSRF via image upload URL downloader on https://██████/
Description: Dear DoD, I found Blind SSRF on one domain from Hack US program. Original domain is https://█████/ but when you make account and login it redirects you to https://███/my/. Here's the video PoC: ██████ Thank you! Impact In a typical SSRF attack, the attacker might cause the server to...
Nextcloud: Missing rate limiting on password reset functionality allows to send lot of emails
A missing rate limiting on password reset functionality in Nextcloud allowed an attacker to send a large number of emails, potentially resulting in financial loss and service disruption. The vulnerability was exploited using the IP rotate extension of Burp Suite. The issue was resolved by adding ...
Shopify: Subdomain Takeover at course.oberlo.com
Hi, I was able to take over your subdomain course.oberlo.com by using Kajabi services. PoC: visit https://course.oberlo.com/ and you will see my PoC https://web.archive.org/web/20220904143512/https://course.oberlo.com/ Suggested Fix: Clear your subdomain DNS. Impact: Subdomain takeovers can be used ...
U.S. Dept Of Defense: Authentication bypass leads to Information Disclosure at U.S Air Force "https://███"
Hi HackerOne Triage team, I'm new to this program. What I understood is that every web asset owned/operated by DoD is in scope, so I did some Google searches, specifically on Wikipedia, and I found this PNG that confirms that the U.S. Air Force is in scope:...
Nextcloud: the complete server installation path is visible in cloud/user endpoint
Sensitive internal information, including the complete server installation path, was visible in the cloud/user endpoint of Nextcloud server versions prior to 20.0.8, 21.0.2, and 22.0.0RC2. An attacker could obtain this information by making a GET request on the endpoint while logged in. A securit...
GitHub: Managing Pages
An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This...
Hyperledger: Relative Path Traversal vulnerability in fabric-private-chaincode
Unsanitized input from os.Args[3] (a CLI argument, line 75) flows into os.OpenFile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to open arbitrary files. The following code lines, with the respective code, confirm the issue: -...
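The containment check that closes this bug class, as an added example in Python rather than the project's Go (it is not fabric-private-chaincode code; the base directory and file names are assumptions): resolve both the base directory and the requested path to their real absolute form, then refuse anything whose resolved path is not inside the base. Resolving through `realpath` also catches the symlink variant, where a benign-looking relative name points outside the directory.

```python
"""Open files only inside a fixed base directory (added illustration).

Three attacker tricks are covered: "../" climbing, an absolute path that
os.path.join would silently accept in place of the base, and a symlink
inside the base that points outside it.
"""
import os
import tempfile


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the real path of user_path inside base_dir, or raise ValueError."""
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` if user_path is absolute, which is exactly
    # why the result is validated afterwards instead of trusting the join.
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean form of resolve_under, convenient for filtering and tests."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


def open_under(base_dir: str, user_path: str, mode: str = "r"):
    """Drop-in replacement for open() that cannot leave base_dir."""
    return open(resolve_under(base_dir, user_path), mode)


def symlink_demo() -> bool:
    """Create base/escape -> outside, then show the link is rejected. Returns True if rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "base")
        outside = os.path.join(tmp, "outside.txt")
        os.mkdir(base)
        with open(outside, "w") as fh:
            fh.write("secret\n")
        os.symlink(outside, os.path.join(base, "escape"))
        # A plain string check on "escape" would pass; realpath follows the link.
        return not is_contained(base, "escape")


if __name__ == "__main__":
    base = "/srv/data"   # assumed base directory; it need not exist for the check
    for p in ("reports/a.txt", "reports/../b.txt", "../../etc/passwd", "/etc/passwd"):
        print(f"{p:20s} contained={is_contained(base, p)}")
    print("symlink rejected:", symlink_demo())
```

Do the check on the resolved path, not the raw string: denylisting `..` misses encoded variants and symlinks, while `commonpath` on `realpath` output decides on what the kernel will actually open.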
Internet Bug Bounty: Airflow Daemon Mode Insecure Umask Privilege Escalation
Apache Airflow prior to 2.3.4 had multiple components with an insecure daemon umask of 0, resulting in critical files and directories being world-writable. As such, any local user can induce Airflow to process specially crafted input and ultimately perform a privilege escalation to the user executing...
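What a umask of 0 does in practice, and the two-part fix, as an added example that is not Airflow's code: a daemon that creates files with `open()` asks the kernel for mode 0666 and directories for 0777, and the umask is the only thing that strips the group/world bits. With umask 0 nothing is stripped; with 0o027 the result is 0640/0750. The hardened variant sets a restrictive umask and, for sensitive files, passes an explicit mode so the outcome no longer depends on whatever umask the process inherited. The file and directory names are assumed placeholders.

```python
"""Effect of the daemon umask on created files (added illustration).

Each function temporarily sets a umask, creates a file and a directory in a
scratch location, and returns their permission bits; the original umask is
always restored.
"""
import os
import stat
import tempfile


def create_with_umask(mask: int) -> tuple:
    """Create a pid file and a log dir under `mask`; return (file_mode, dir_mode)."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as d:
            pidfile = os.path.join(d, "airflow.pid")      # assumed name
            with open(pidfile, "w") as fh:                # requests 0o666
                fh.write("1234\n")
            logdir = os.path.join(d, "logs")              # assumed name
            os.mkdir(logdir)                              # requests 0o777
            return (stat.S_IMODE(os.stat(pidfile).st_mode),
                    stat.S_IMODE(os.stat(logdir).st_mode))
    finally:
        os.umask(old)


def create_hardened(inherited_mask: int) -> int:
    """Create a secret file the safe way even when the inherited umask is 0.

    Returns the resulting permission bits, which are 0o600 regardless of
    inherited_mask because the mode is explicit and cannot gain bits.
    """
    old = os.umask(inherited_mask)
    try:
        os.umask(0o077)                                   # fix 1: restrictive umask
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "credentials.json")    # assumed name
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # fix 2: explicit mode
            with os.fdopen(fd, "w") as fh:
                fh.write("{}\n")
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def world_writable(mode: int) -> bool:
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    for mask in (0, 0o022, 0o027):
        fmode, dmode = create_with_umask(mask)
        print(f"umask {mask:04o}: file {fmode:04o} dir {dmode:04o} "
              f"world-writable={world_writable(fmode)}")
    print(f"hardened under inherited umask 0: {create_hardened(0):04o}")
```

The umask is inherited across fork and exec, so the daemonisation code path is the place to set it; setting it in one worker and not the scheduler leaves the other component's files open.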
GitHub Security Lab: [Java]: CWE-625 - Query to detect regex dot bypass
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: IDOR leaking PII data via VendorId parameter
Description: Dear DoD, I found one bug on your domain from the Hack US program: █████ It's an IDOR bug. Please note that I didn't test many functions here for IDOR, and I didn't test for ATO (Account Takeover), but you should fix this. Here's the PoC: ██████████ Thank you DoD! Impact: An attacker could steal...