Node.js: Weak randomness in WebCrypto keygen
https://github.com/nodejs/node/pull/35093 introduced a call to EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/crypto_keygen.cc. There are two problems with this: 1. It does not check the return value, it assumes EntropySource always succeeds, but it can and sometimes will fail. 2. The...
Nintendo: [MK8DX] Improper metadata parsing
Vulnerability description not provided...
Nextcloud: Database resource exhaustion for logged-in users via sharee recommendations with circles
Summary: Registered users can generate massive database load Steps To Reproduce: 1. create 9 circles and 6 folders circles folder 50 2. share all created folders with all created circles 3. open another folder and open the share tab, so the URI...
U.S. Dept Of Defense: IDOR when editing email leads to Mass Full ATOs (Account Takeovers) without user interaction on https://██████/
Dear DoD team, I found one critical bug on your domain: https://██████/ It's IDOR. Also this domain is from the Hack US program. What is that IDOR? Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access...
Nextcloud: [user_oidc] Stored XSS via Authorization Endpoint - Safari-Only
Summary: The OpenID Connect User Backend allows users to login to Nextcloud using SSO. A workaround that was apparently implemented for the Safari browser enables stored Cross-Site Scripting (XSS). The vulnerability only affects user agents that include "Safari" within their user agent string and i...
Nextcloud: [user_oidc] Unencrypted Communications
The OpenID Connect User Backend allows users to login to Nextcloud using SSO and is - according to the policy - part of the main scope of this program. The implementation supports plain HTTP without TLS and transfers sensitive information such as OIDC client secrets in an unencrypted manner...
Internet Bug Bounty: CVE-2022-35252: control code in cookie denial of service
https://hackerone.com/reports/1613943 Impact control code in cookie denial of service...
Mattermost: DoS via Playbook
An attacker could create a playbook with a large value for the run_summary_template attribute, which doesn't have any size check or validation. This could cause the server to consume an abnormal amount of computing resources and ultimately crash, leading to a denial of service attack. The attack is...
Stripe: Mass Accounts Takeover Without any user Interaction at https://app.taxjar.com/
@mrasg discovered an improper access control issue in TaxJar. This could have allowed for account takeover using the email change functionality. The vulnerability was caused by not correctly validating whether or not the reset password token was connected to the user being reset and was resolved ...
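The failure mode described in this entry is a reset token that is validated on its own, while the account being reset is taken from the request. The following is an added illustration, not TaxJar's or Stripe's code: an in-memory token store (constructed here) with a vulnerable reset function that only checks that the token exists, beside a fixed one that binds the token to the user it was issued for and enforces expiry and single use.

```python
import hmac
import secrets
import time

# Constructed in-memory stores; a real application keeps these in a database.
USERS = {
    "alice": {"email": "alice@example.com", "password": "old-pw"},
    "mallory": {"email": "mallory@example.com", "password": "m-pw"},
}
RESET_TOKENS = {}  # token -> {"user": username, "expires": unix timestamp}


def issue_reset_token(username, ttl_seconds=900):
    """Mint a random, time-limited token tied to one account."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"user": username, "expires": time.time() + ttl_seconds}
    return token


def reset_password_vulnerable(username, token, new_password):
    """Only checks that *some* valid token was presented.

    The target account comes straight from the request, so a token issued
    to the attacker's own account can reset any other user's password.
    """
    if token not in RESET_TOKENS:
        return False
    USERS[username]["password"] = new_password
    del RESET_TOKENS[token]
    return True


def reset_password_fixed(username, token, new_password):
    """Accepts the reset only if the token was issued for this exact user,
    has not expired, and has not been used before (it is deleted on use)."""
    record = RESET_TOKENS.get(token)
    if record is None or record["expires"] < time.time():
        return False
    # Constant-time comparison of the bound username against the requested one.
    if not hmac.compare_digest(record["user"].encode(), username.encode()):
        return False
    USERS[username]["password"] = new_password
    del RESET_TOKENS[token]
    return True
```

The fix has two parts that are easy to leave out: the token record, not the request, names the account, and the token is consumed on first use so a leaked link cannot be replayed.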
GitLab: RepositoryPipeline allows importing of local git repos
Summary When importing a project via the BulkImports, the response field httpUrlToRepo from the client is used to fetch the repo: https://gitlab.com/gitlab-org/gitlab/-/blob/v15.3.1-ee/lib/bulk_imports/projects/pipelines/repository_pipeline.rb#L17 ruby def load(context, data) url = data['httpUrlToRepo']...
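The entry's point is that a repository location supplied by the remote side is handed to the fetcher unvalidated, so it may name a local path or non-HTTP scheme. As an added example, not GitLab's fix, here is a validator that accepts only absolute http(s) URLs whose host is not a loopback, private or link-local address; the function name and the sample inputs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def is_safe_repo_url(url: str) -> bool:
    """Accept only absolute http(s) URLs that point at a public host.

    Rejects bare filesystem paths, file:// and git:// URLs, 'localhost',
    and literal loopback/private/link-local/unspecified addresses.
    For DNS names, a real deployment must also resolve the name and
    re-check the resulting address before connecting (not done here).
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name rather than a literal address
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_reserved
        or ip.is_multicast
        or ip.is_unspecified
    )


def filter_import_urls(urls):
    """Split a list of candidate repo URLs (constructed input) into accepted and rejected."""
    accepted = [u for u in urls if is_safe_repo_url(u)]
    rejected = [u for u in urls if not is_safe_repo_url(u)]
    return accepted, rejected
```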
ResMed: [shop.resmed.com]CSRF leads to Unsubscribe victim from Communication and Reward Membership
Hello, Team While testing on your main domain I discovered CSRF Attack which lead to unsubscribe victims from Communication/Reward Membership. This more like in-depth security issue with reasonable attack scenario. Description: It is possible to unsubscribe a logged-in user from any subscribed...
Ruby on Rails: ReDoS (Rails::Html::PermitScrubber.scrub_attribute)
I have confirmed that ReDoS occurs on Rails::Html::PermitScrubber.scrub_attribute. https://github.com/rails/rails-html-sanitizer/blob/v1.4.3/lib/rails/html/scrubbers.rb#L134 ruby def scrub_attribute(node, attr_node) attr_name = if attr_node.namespace "#{attr_node.namespace.prefix}:#{attr_node.node_name}" else...
TikTok: XSS at TikTok Ads Endpoint
Vulnerability description not provided...
GitLab: Dependency Confusion via Lookup Request Forwarding to PyPi.org
Summary pip is probably the most popular Python package manager and can be used to install packages from the publicly available Python Package Index PyPi at pypi.org or from internal package repositories. In the beginning of 2021, a vulnerability type called Dependency Confusion attracted some...
U.S. Dept Of Defense: XSS DUE TO CVE-2022-38463 in https://████████
Description: During my research, I found one of the host running ServiceNow vulnerable to CVE-2022-38463 . ServiceNow through San Diego Patch 4b and Patch 6 allows reflected XSS in the logout functionality. Impact Attacker is able to steal victims cookies, redirect victim to attacker controlled...
U.S. Dept Of Defense: Reflected XSS at https://██████/
A reflected XSS vulnerability was discovered in the logout functionality of ServiceNow, allowing an unauthenticated remote attacker to execute arbitrary JavaScript code...
Rockstar Games: Modifying Sprunk vs eCola crew data
In this report, the researcher demonstrated an Insecure Direct Object Reference vulnerability that was exploitable in certain Rockstar Official Crews on the Social Club website. Rockstar Official Crews, unlike user-made Crews, use a flat hierarchy where all members are set to the same effective...
Mattermost: DoS via Automatic Response Message
Summary: A user can enable and modify its automatic response message, that is automatically sent when the user has the "Out of Office" status. This response message doesn't have any size check or validation, which allows an attacker to set an almost unlimited number of characters as the response...
U.S. Dept Of Defense: Host Header Injection on https://███/████████/Account/ForgotPassword
Dear DoD Team, I found one high-severity bug on another of your domains. This is from the Hack US Program. Affected domain is https://█████/ An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on...
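On a ForgotPassword endpoint the practical consequence of Host header injection is that the emailed reset link is built from the attacker's host, so the victim's token is delivered to the attacker. As an added example (not the affected application's code), here is a link builder that reflects the Host header beside one that checks the header against an allowlist and builds the link from a configured canonical origin; the origin, allowlist and path are constructed values.

```python
from urllib.parse import quote, urlsplit

# Constructed deployment settings: the canonical origin is configuration,
# never derived from the incoming request.
CANONICAL_ORIGIN = "https://accounts.example.test"
ALLOWED_HOSTS = {"accounts.example.test"}
RESET_PATH = "/Account/ResetPassword"


def reset_link_vulnerable(request_headers, token):
    """Reflects the client-controlled Host header into the emailed link."""
    return "https://%s%s?token=%s" % (request_headers["Host"], RESET_PATH, quote(token, safe=""))


def reset_link_fixed(request_headers, token):
    """Validates Host against an allowlist (ignoring an optional port and any
    userinfo trick such as 'good.host@evil.host') and then builds the link
    from the configured origin, so the header never reaches the email."""
    host = request_headers.get("Host", "")
    try:
        hostname = urlsplit("//" + host).hostname
    except ValueError:
        hostname = None
    if hostname is None or hostname.lower() not in ALLOWED_HOSTS:
        raise ValueError("unexpected Host header: %r" % host)
    return "%s%s?token=%s" % (CANONICAL_ORIGIN, RESET_PATH, quote(token, safe=""))
```

Proxies that rewrite Host should pass the original in a dedicated header that the application validates the same way; treating X-Forwarded-Host as trusted without an allowlist reintroduces the bug.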
Shopify: Account Takeover Vulnerability in Shopify Collabs Platform Due to Missing Email Verification
The account takeover vulnerability in the Shopify Collabs platform was caused by the lack of email verification during the signup process. A victim's account could be hijacked if their email address was used to create a new Shopify ID, as the platform did not require email verification. This...
GitLab: Remote Command Execution via Github import
Summary This is very similar to https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/Remote%20Command%20Execution%20via%20Github%20import and allows arbitrary redis commands to be injected when importing a GitHub repository. When importing a GitHub repo the...
Automattic: IDOR able to buy a plan with lesser fee
Summary IDOR allows you to pay the same amount but in a different currency. For example, paying 35000$ instead of 35000€ Steps To Reproduce 1. Go to https://account.mailpoet.com/ and select a plan 2. For example I have selected this plan; https://account.mailpoet.com/orders/new?p=214 3. Now, as y...
Nextcloud: Desktop client does not verify received signed certificate in end to end encryption
Vulnerability description not provided...
Stripe: Unauthorized Canceling/Unsubscribe TaxJar account & Payment information Disclosure
@mrasg discovered that users of an account with member permissions were improperly allowed to view certain subscription details and cancel the subscription for that account. I discovered a Vulnerability that allows the user who has member privileges to unsubscribe/cancel the account instead of th...
GitHub Security Lab: [JAVA]: Partial Path Traversal
This bug was reported directly to GitHub Security Lab...
Stripe: Fully TaxJar account control and ability to disclose and modify business account settings Due to Broken Access Control in /current_user_data
Improper access control at app.taxjar.com/current_user_data allows a user with member role to invite themselves to the account as an admin...
PortSwigger Web Security: Business Logic, currency arbitrage - Possibility to pay less than the price in USD
Currencies fluctuate all the time. These days the EUR/USD pair is around 1:1. It was even 1:0.99 when I was writing this report. PortSwigger doesn't change the price or the exchange rate dynamically. Vulnerability at the following link: https://portswigger.net/buy/pro When you want to...
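Both the Automattic entry above (same number, different currency) and this PortSwigger entry come down to the server accepting a client-chosen currency with a client-supplied amount. The following is an added example, not either vendor's checkout code: a constructed price list keyed by plan and currency, a vulnerable charge function that compares only the number, and a fixed one in which the server-side list is the sole source of the amount.

```python
from decimal import Decimal

# Constructed catalogue: prices are deliberately not 1:1 across currencies.
PRICE_LIST = {
    ("pro", "USD"): Decimal("449.00"),
    ("pro", "EUR"): Decimal("419.00"),
    ("team", "USD"): Decimal("1299.00"),
    ("team", "EUR"): Decimal("1199.00"),
}
DEFAULT_CURRENCY = "EUR"


def charge_vulnerable(plan, request):
    """Checks the number against the plan's default-currency price, then
    charges in whatever currency the client named. Sending the EUR number
    with currency=USD pays the cheaper figure in the stronger unit."""
    listed = PRICE_LIST[(plan, DEFAULT_CURRENCY)]
    if Decimal(request["amount"]) != listed:
        raise ValueError("amount mismatch")
    return Decimal(request["amount"]), request["currency"]


def charge_fixed(plan, request):
    """Looks the price up by (plan, currency) on the server; the client's
    amount is at most a sanity check and never the value charged."""
    currency = request.get("currency")
    key = (plan, currency)
    if key not in PRICE_LIST:
        raise ValueError("plan %r is not offered in currency %r" % (plan, currency))
    amount = PRICE_LIST[key]
    if Decimal(request.get("amount", "0")) != amount:
        raise ValueError("amount mismatch for %s in %s" % (plan, currency))
    return amount, currency
```

The check that matters is the lookup by the pair (plan, currency): any design in which the amount and the currency are validated independently leaves room to mix the two.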
MTN Group: Remote code execution via crafted pentaho report uploaded using default credentials for pentaho business server
A remote code execution vulnerability was discovered in Pentaho Business Analytics Server. By uploading a specially crafted Pentaho report file using default credentials, an attacker could achieve arbitrary code execution...
Cloudflare Public Bug Bounty: Password Policy Restriction Bypass
Due to insufficient input validation on the backend side, It was possible to bypass the Password Policy Restrictions for Cloudflare accounts by intercepting the request and modifying the content of the password field. This way, a user could set up weak passwords for their account. The password...
LinkedIn: An Attacker Can Flag Draft Job Posts And Can Disclose The Draft Job Posts Details [ Similar to #1581528 Resolved Report]
A vulnerability was discovered on LinkedIn that allowed attackers to flag and report draft job posts of other users. This resulted in the disclosure of sensitive job details, even for posts that were not yet published...
MercadoLibre: Stored XSS in reclamos
Stored XSS vulnerability was discovered in the reclamos section of MercadoLibre. The issue was reported by @valent1ne, who provided clear steps to reproduce the vulnerability and a proof-of-concept code. MercadoLibre acknowledged the issue and implemented a fix...
Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields
Summary: The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling. Description: The following chunked request is processed. It should be rejected as Transfer-Encoding header obfuscatio...
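Request smuggling needs two parsers that disagree about where one header ends and the next begins. As an added example (not the report's PoC and not llhttp code), here is a constructed request in which the Transfer-Encoding field is ended by a bare LF rather than CRLF, a tolerant parser that splits on LF and therefore sees both Transfer-Encoding and Content-Length, and a strict parser that only accepts CRLF-terminated fields and rejects the request outright.

```python
import re

# Constructed request: the Transfer-Encoding line ends in a bare LF.
# A front end that requires CRLF sees one malformed field; a back end
# that tolerates LF sees a chunked request followed by a second request.
SMUGGLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\n"
    b"X-Ignore: y\r\n"
    b"\r\n"
    b"0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"
)

# token ":" OWS field-value OWS, with no CR or LF anywhere in the line
FIELD_RE = re.compile(rb"\A([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*([^\r\n]*?)[ \t]*\Z")


class BadRequest(Exception):
    pass


def parse_lenient(raw):
    """Tolerant parser: splits the header block on LF and strips a trailing CR.
    Returns (headers, body) where headers maps lowercase name -> list of values."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\n")[1:]:
        line = line.rstrip(b"\r")
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def parse_strict(raw):
    """Strict parser: every field line must be CRLF-terminated and contain no
    bare CR or LF; Transfer-Encoding together with Content-Length is refused."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("header block not terminated by CRLFCRLF")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        m = FIELD_RE.match(line)
        if m is None:
            raise BadRequest("malformed field line: %r" % line)
        headers.setdefault(m.group(1).lower(), []).append(m.group(2))
    if b"transfer-encoding" in headers and b"content-length" in headers:
        raise BadRequest("both Transfer-Encoding and Content-Length present")
    return headers, body
```

The lenient result is what makes the attack work: with Transfer-Encoding honoured, the body `0\r\n\r\n` closes the first request and `GET /admin ...` is processed as a second one on the same connection, whereas a Content-Length-only front end treats those bytes as the body of one request.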
Nextcloud: Profile of disabled user stays accessible
User profiles of disabled users stay accessible at DOMAIN/u/USERID. This is quite undesirable as this user has no way to clear or modify this data in case they do not want it exposed anymore. I'd assume profiles of disabled users would not be visible to ensure they can always be in control...
Stripe: [Broken Access Control] Unauthorized Linking accounts & Linked Accounts info Disclosure
@mrasg discovered that users of an account with member permissions were improperly allowed to see activated linked accounts and connect new carts to the account. I discovered a Vulnerability that allows the user who has member privileges to connect new carts to the TaxJar account, like...
Shopify: Cross-site scripting on api.collabs.shopify.com
Summary: Shopify collabs collabs.shopify.com is a new platform for content creators / influencers to discover and advertise the millions of brands of Shopify. The content creators can apply for different brands on this platform and get paid affiliate marketing. I discovered a cross-site scripting...
GitLab: RCE via github import
Hello, While continuing mining on github import, I found a vulnerability on gitlab.com allowing remote execution of arbitrary commands. Gitlab uses Octokit to get data from github.com. Octokit uses Sawyer::Resource to represent results. Sawyer is a crazy class that converts a hash to an object...
Internet Bug Bounty: CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag
Apache Airflow's Docker Provider shipped with an example DAG that was vulnerable to authenticated remote code execution on the Airflow worker host. Vulnerability summary: In the DAG scripts of airflow 2.3.3, there is a command injection vulnerability (RCE) in the script example_docker_copy_data.py of...
IBM: Cleartext storage of sensitive information at https://staging.status.ai-apps-comms.ibm.com/env can lead to account takeover of several IBM employees
Cleartext storage of sensitive information was reported to IBM, analyzed and has been remediated. Thank you to zere...
Krisp: Card requirement bypass for business trial
Researcher found a way to bypass mandatory card attachment for business trial. The issue has been fixed now. We would like to thank @n0m3rcy for clear and detailed report...
Hyperledger: Cross Site Scripting Vulnerability in fabric-sdk-py source code
See this fix on GitHub https://github.com/hyperledger/fabric-sdk-py/pull/175 Impact Some old affected versions of this package are vulnerable to Cross-site Scripting XSS. Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods i.e. .html,...
SideFX: Stored XSS in messages
The security issue described involves a stored cross-site scripting XSS vulnerability in the message functionality of the system. The vulnerability allowed an attacker to inject malicious code into messages, which could be executed when the victim viewed the message. This resulted in the attacker...
GitLab: Unauthorized access
Hello Gents, I would like to report an issue where attackers are able to: 1. List the about.gitlab.com GS bucket. 2. Access all releases through https://about.gitlab.com/all-releases.xml & https://about.gitlab.com/security-releases.xml, which contain undisclosed HackerOne reports. For Example: This...
Brave Software: Persistent user tracking is possible using window.caches, by avoiding Brave Shields
A vulnerability was discovered in Brave for iOS version 1.41.1 that allowed for persistent user tracking using window.caches, even when Brave Shields were enabled to block cookies. This could potentially allow for user tracking without their consent or knowledge...
Brave Software: Security token and handler name leak from window.braveBlockRequests
Vulnerability description not provided...
Insightly: CSRF vulnerability allows disabling Gmail contacts link for user referrals
The CSRF vulnerability allowed users to disable Gmail contacts link for user referrals. The vulnerable endpoint did not sufficiently verify that the requests were intentionally performed by the user, allowing an attacker to generate a PoC that could be used to disable the victim's linked account...
Monero: Reentrancy attack in eth-monero atomic swap
A reentrancy vulnerability was found in the eth-xmr atomic swap smart contract, allowing an attacker to drain almost all of the ethers from the smart contract. The vulnerability was fixed in a later version of the smart contract...
Nextcloud: XSS in Desktop Client in the notifications
Summary: The Nextcloud Desktop Client application does not properly neutralize the names of files before using them. Steps To Reproduce: Server Machine 1. Install the Nextcloud Server application 2. Log into your account Client Machine 3. Install the Nextcloud Desktop Client application onto a...
KAYAK: 1 click Account takeover via deeplink in [com.kayak.android]
Vulnerability description not provided...
Internet Bug Bounty: Pause-based desync in Apache HTTPD
Apache was vulnerable to a pause-based desync. This vulnerability is described in detail in my whitepaper here: https://portswigger.net/research/browser-powered-desync-attacks#pause Impact This enables server-side HTTP Request Smuggling when Apache is deployed as a back-end server, and it also...
U.S. Dept Of Defense: stored cross site scripting in https://███████
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts in a victim's browser. poc attached another parameter at 1636345 q13787 payload: %22%27%3e%3csvg%2fonload%3dconfirm666%3e Impact Cookie Stealing - A...