15273 matches found
HackerOne: Banned user still has access to their deleted account via HackerOne's API using their API key
The user's banned account could still be accessed using their previously generated API token, allowing them to perform actions such as retrieving reports, balance, earnings, payouts, weaknesses, and program information. This vulnerability was discovered and exploited on a test account...
Trellix: Sensitive Information Disclosure
Sensitive information, including Personally Identifiable Information (PII) data, was being disclosed through JEB 4.2.0.202106271614 licensed to a specific user. The vulnerability allowed unauthorized access to the information and could potentially lead to data breaches...
TikTok: Unrestricted File Upload Blind Stored XSS in subdomain ads.tiktok.com
A blind stored Cross-Site Scripting (XSS) vulnerability was found on a TikTok Ads domain via an uploaded file. We thank @mrzheev for reporting this to our team...
Cloudflare Public Bug Bounty: HTTP request smuggling with Origin Rules using newlines in the host_header action parameter
The host_header action parameter available to rulesets in the Origin Rules API lacked sufficient input validation (i.e., it allowed CRLF characters). Because of this, it was possible to inject arbitrary headers and, as a consequence, smuggle HTTP requests. This vulnerability enabled bypassing security...
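The mechanism behind this class of bug is the same wherever a user-supplied value is copied into a header line unchecked: a CR/LF pair ends the header, a second CR/LF ends the header block, and whatever follows is parsed as a new request. The example below is added here to show it concretely and is not Cloudflare's code; the request builder, the regular expressions and the attacker-controlled value are constructed for illustration.

```python
import re

# RFC 9110/7230 field-value: VCHAR (0x21-0x7E), SP, HTAB and obs-text (0x80-0xFF).
# CR, LF, NUL and every other control character are forbidden, because CRLF is
# what terminates a header line and CRLFCRLF what terminates the header block.
_FIELD_VALUE_RE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")


def is_valid_header_value(value: str) -> bool:
    """True only if value can be emitted as a single HTTP header field value."""
    return _FIELD_VALUE_RE.match(value) is not None


def build_request_naive(host_header: str, path: str = "/") -> bytes:
    """Serialise a request with the host value copied in unchecked (the flawed pattern)."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        f"Connection: keep-alive\r\n\r\n"
    ).encode("latin-1")


def build_request_checked(host_header: str, path: str = "/") -> bytes:
    """Same serialisation, but refuse values that would break out of the header line."""
    if not is_valid_header_value(host_header):
        raise ValueError("header value contains CR/LF or other control characters")
    return build_request_naive(host_header, path)


def is_rejected(host_header: str) -> bool:
    """Convenience wrapper: does the checked builder refuse this value?"""
    try:
        build_request_checked(host_header)
    except ValueError:
        return True
    return False


_REQUEST_LINE_RE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def count_request_lines(raw: bytes) -> int:
    """How many request lines a line-oriented parser downstream would find in this stream."""
    return sum(1 for line in raw.split(b"\r\n") if _REQUEST_LINE_RE.match(line))


# Constructed attacker-controlled value: the first CRLF ends the Host header, the
# empty body (Content-Length: 0) closes the request, and a second request follows.
SMUGGLING_VALUE = (
    "example.com\r\nContent-Length: 0\r\n\r\n"
    "GET /admin HTTP/1.1\r\nHost: internal"
)

if __name__ == "__main__":
    print(count_request_lines(build_request_naive(SMUGGLING_VALUE)))   # two requests
    print(is_valid_header_value("example.com"), is_rejected(SMUGGLING_VALUE))
```

The check is deliberately an allowlist of permitted bytes rather than a blocklist of `\r` and `\n`: other control characters (NUL, vertical tab, form feed) are also interpreted inconsistently across proxies and origin servers, and an allowlist does not need updating when a new parser quirk turns up.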
TikTok: Internal Employee Information Disclosure via TikTok Athena API
A vulnerability was found where internal employee email addresses could be disclosed from a TikTok Ads API endpoint by adding an "employee_email" value to the "metrics" field/array in the request body. We thank @heinthant for reporting this to our team...
Yelp: xmlrpc file enabled
Summary: Hello team, I have found a security vulnerability in restaurants.yelp.com/xmlrpc.php which lets an attacker perform: 1: XSPA or port scan 2: brute force 3: DoS and much more. Platforms Affected: https://restaurants.yelp.com Steps To Reproduce: 1: Go to https://restaurants.yelp.com/xmlrpc.php to chec...
Stripe: Limited path traversal in Node.js SDK leads to PII disclosure
A limited path traversal vulnerability in the Node.js SDK allowed an attacker to retrieve personally identifiable information (PII) of users. By using "." and ".." as identifiers in API methods, the attacker could call parent API methods and access sensitive data such as email addresses, names, and...
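The point to take from this entry is that a resource identifier interpolated into a URL path is a path segment, and "." or ".." segments are resolved by whatever normalises the path before routing. The example below is added here and is not Stripe's SDK code; the `/v1` base, the `customers` resource and the identifier alphabet are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import quote, unquote

API_BASE = "/v1"

# Assumed identifier shape for this example: opaque tokens of letters, digits, '_' and '-'.
# A real client should use the exact alphabet its IDs are issued from.
_IDENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def build_path_naive(resource: str, ident: str) -> str:
    """Flawed pattern: the identifier is interpolated into the URL path unchecked."""
    return f"{API_BASE}/{resource}/{ident}"


def effective_path(path: str) -> str:
    """What a server or HTTP library that normalises dot segments will actually route to."""
    return posixpath.normpath(path)


def validate_identifier(ident: str) -> str:
    """Reject empty, dot-segment, separator-bearing and percent-encoded-dot identifiers."""
    decoded = unquote(ident)  # also catch %2e%2e, which a server may decode before routing
    for candidate in (ident, decoded):
        if not candidate or candidate in (".", ".."):
            raise ValueError(f"identifier {ident!r} is empty or a dot segment")
        if any(sep in candidate for sep in "/\\?#"):
            raise ValueError(f"identifier {ident!r} contains a path or query separator")
    if not _IDENT_RE.match(ident):
        raise ValueError(f"identifier {ident!r} is outside the allowed alphabet")
    return ident


def build_path_checked(resource: str, ident: str) -> str:
    """Validate first, then percent-encode so no character can act as a separator."""
    return f"{API_BASE}/{resource}/{quote(validate_identifier(ident), safe='')}"


def is_rejected(resource: str, ident: str) -> bool:
    try:
        build_path_checked(resource, ident)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A ".." identifier turns a per-customer call into a call on the parent collection.
    print(effective_path(build_path_naive("customers", "..")))       # /v1
    print(effective_path(build_path_naive("customers", ".")))        # /v1/customers
    print(build_path_checked("customers", "cus_123"))                # /v1/customers/cus_123
```

Note that `quote()` alone would not have been enough: `quote("..", safe="")` returns `".."` unchanged, because dots are unreserved characters. The validation step is what removes the dot segments; the encoding step only guards against separators in otherwise-valid identifiers.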
Node.js: DNS rebinding in --inspect (again) via invalid IP addresses
A vulnerability was discovered in the Node.js debugger that allowed an attacker to gain access to the debugger and potentially execute remote code. This was possible due to a flaw in the IsAllowedHost check, which did not reject invalid IP addresses, allowing DNS rebinding attacks...
lemlist: Clickjacking at app.lemlist.com
Hi team, While performing security testing of your website I found a vulnerability called Clickjacking. Many URLs in scope are vulnerable to Clickjacking. What is Clickjacking? Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of...
curl: CVE-2022-32207: Unpreserved file permissions
Summary: Curl fails to preserve file permissions when writing: - the CURLOPT_COOKIEJAR database - the CURLOPT_ALTSVC database - the CURLOPT_HSTS database. Instead the permissions are always reset to 0666 & umask if the file is updated. As a result a file that was before protected against read access by other users...
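The usual way this permission loss happens is the write-to-temp-then-rename pattern: the temporary file is created with the process's default mode, and the rename carries that mode over the original's. The example below is added here and is not curl's code; it contrasts that flawed pattern with a rewrite that copies the original's mode onto the replacement, using a constructed "cookie jar" file and an assumed umask of 022 for the demonstration.

```python
import os
import stat
import tempfile


def file_mode(path: str) -> int:
    """Permission bits only (no file-type bits)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def rewrite_naive(path: str, data: bytes) -> None:
    """Flawed pattern: write a fresh temp file and rename it over the original.
    open() creates the temp file as 0666 & ~umask, so a tighter original mode is lost."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)


def rewrite_preserving_mode(path: str, data: bytes, new_file_mode: int = 0o600) -> int:
    """Replace the contents of `path` atomically while keeping its permission bits.
    A file that does not exist yet is created private (new_file_mode), which is the
    right default for a store of secrets such as cookies or HSTS entries.
    Returns the resulting mode bits."""
    try:
        mode = file_mode(path)
    except FileNotFoundError:
        mode = new_file_mode
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".rewrite-")  # mkstemp creates 0600
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)    # copy the original's bits onto the replacement
        os.replace(tmp, path)  # atomic on POSIX; readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise
    return file_mode(path)


def demo() -> dict:
    """Constructed scenario: a 0600 cookie-jar file rewritten both ways under umask 022."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = os.path.join(d, "cookies-naive.txt")
            safe = os.path.join(d, "cookies-safe.txt")
            fresh = os.path.join(d, "cookies-new.txt")
            for p in (naive, safe):
                with open(p, "wb") as fh:
                    fh.write(b"# Netscape HTTP Cookie File\n")
                os.chmod(p, 0o600)
            rewrite_naive(naive, b"updated\n")
            preserved = rewrite_preserving_mode(safe, b"updated\n")
            created = rewrite_preserving_mode(fresh, b"created\n")
            return {
                "naive_mode": file_mode(naive),        # 0o644: world-readable now
                "preserved_mode": preserved,           # 0o600
                "new_file_mode": created,              # 0o600
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print({k: oct(v) for k, v in demo().items()})
```

`os.chmod` on the temporary file happens before the rename, so there is no window in which the final path is readable by other users; the `fsync` is there because a crash between write and rename would otherwise leave a zero-length replacement.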
LinkedIn: Privilege Escalation - "Analyst" Role Can View Email Domains of a Company - [GET /voyager/api/voyagerOrganizationDashEmailDomainMappings]
Summary: Hey team, During the security assessment I came across an endpoint, GET /voyager/api/voyagerOrganizationDashEmailDomainMappings, which is vulnerable to privilege escalation. A lower-privileged user can abuse this to view the list of approved domains for email verification even though i...
GitHub Security Lab: [python]: Zip Slip Vulnerability
This bug was reported directly to GitHub Security Lab...
curl: curl "globbing" can lead to denial of service attacks
Summary: The curl "globbing" allows too wide a range, which can cause a server to be denied service or be used to attack third-party websites. The globbing allows 1-9999999999999999999 to be parsed in the URL. So when curl requests...
TikTok: Create product discounts of any shop
An Insecure Direct Object Reference (IDOR) vulnerability was found on a TikTok seller endpoint, which could have allowed any user to create product discounts for shops they did not own. We thank @datph4m for reporting this to our team...
Cloudflare Public Bug Bounty: Arbitrary file read from Cloudflare Pages build environment
A vulnerability in Cloudflare Pages allowed attackers to escalate privileges during the build process, enabling arbitrary file reads. Cloudflare implemented more restrictive input validation on the redirects and headers feature to resolve the issue. The build environment is scoped to each Pages...
curl: CVE-2022-32206: HTTP compression denial of service
Summary: Curl does not prevent resource consumption when processing certain header types, but keeps on allocating more and more resources until the application terminates or the system crashes, see below. The attack vectors include at least: - Sending many Transfer-Encoding: headers with repeated encodings...
curl: CVE-2022-32205: Set-Cookie denial of service
Summary: Curl fails to limit the number of cookies that can be set by a single host/domain. It can easily lead to a situation where constructing the request towards a host will end up consuming more than DYN_HTTP_REQUEST memory, leading to instant CURLE_OUT_OF_MEMORY. Any host in a given domain can...
Shopify: XSS seems to work again after change to linkpop at https://linkpop.com/testnaglinagli
Summary My XSS seems to work again at https://linkpop.com/testnaglinagli Best Regards @nagli Impact XSS...
curl: Credential leak when using two URLs
Summary: Curl can leak user credentials if two URLs are used. Steps To Reproduce: 1. curl -I -v -u aaa:bbb hackerone.com curl.se 2. the output is: * Connected to hackerone.com (104.16.100.52) port 80 (#0) * Server auth using Basic with user 'aaa' > HEAD / HTTP/1.1 > Host: hackerone.com > Authorization: Basic...
curl: Credential leak on redirect
Summary: Curl can be coaxed to leak user credentials to a third-party host by issuing an HTTP redirect, e.g. the Proxy-Authorization or x-auth-token header. It is a bypass of the fix for https://hackerone.com/reports/1547048, CVE-2022-27776. Steps To Reproduce: add details fo...
GitHub Security Lab: [Java]: CWE-321 - Query to detect hardcoded JWT secret keys
This bug was reported directly to GitHub Security Lab...
IBM: SQL injection via https://setup.p2p.ihost.com/
A SQL Injection against an IBM domain was reported to IBM, analyzed and has been remediated. Thank you to exploitmsf...
curl: Memory leak in CURLOPT_XOAUTH2_BEARER
Summary: Once a bearer token is set with CURLOPT_XOAUTH2_BEARER, each HTTP request done with the same handle leaks the token itself. Steps To Reproduce: Given the following code: #include <curl/curl.h> int main(void) { curl_global_init(CURL_GLOBAL_ALL); CURL *curl = curl_easy_init(); curl_easy_setopt(curl, CURLOPT_HTTPAUTH,...
Reddit: One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on www.redditmedia.com
Hi, Description I've been researching new ways to steal OAuth codes and access-tokens using postMessage, and I found a way for me to steal the code and/or access-token from Apple-sign-in on reddit.com allowing a full account hijack of the account in Reddit. The way it works is this: 1. Attacker...
U.S. Dept Of Defense: The dashboard is exposed in https://███
Description: At first, hello. After searching in sub-domains, the dashboard was accessed by Google dorking, which is supposed to be protected: https://█████████l/arsys/forms/arpcp/ARPC%3AWeb%3AHier%3ADashboard/Default+Admin+View/?F536871388=1&mode=Submit&cacheid=c66791da References...
curl: URI path parsing error in curl
Summary: The URI path parsing error could lead to security filter bypasses. For example, we can use curl -vv 'fh-jle:///etc/passwd' to bypass a file protocol blacklist; we can use curl -vv 'http://1.1.1.1:80-9000' to scan open ports on the host, etc. Steps To Reproduce...
Phabricator: Conduit feed.publish API allows you to spoof other users or make it look like you have access to a restricted object
The Conduit feed.publish API allows a user to publish stories to the feed. The API accepts a parameter "type", which will be set to PhabricatorTokenGivenFeedStory, and accepts JSON in the "data" parameter such as the following: {"authorPHID": "PHID-USER-uyg3nn764yetx6nglnbx", "tokenPHID":...
Judge.me: Race condition on https://judge.me/people
Summary: An attacker can increase the followers of users of judge.me. Tools required: 1. Burp Suite 2. Turbo Intruder. Steps to reproduce: 1. Visit https://judge.me/people 2. Like a user and intercept the request 3. Now send it to Turbo Intruder and configure the script to race.py. Impact: The attacker...
Internet Bug Bounty: CVE-2022-27782: TLS and SSH connection too eager reuse
Summary: Curl fails to consider some security related options when reusing TLS connections. For example: TLS: CURLOPT_SSL_OPTIONS CURLOPT_PROXY_SSL_OPTIONS CURLOPT_CRLFILE CURLOPT_PROXY_CRLFILE CURLOPT_TLSAUTH_TYPE CURLOPT_TLSAUTH_USERNAME CURLOPT_TLSAUTH_PASSWORD CURLOPT_PROXY_TLSAUTH_TYPE...
Internet Bug Bounty: CVE-2022-27778: curl removes wrong file on error
Summary: Curl command has a logic flaw that results in removal of a wrong file when combining --no-clobber and --remove-on-error if the target file name exists and an error occurs. Steps To Reproduce: 1. echo "important file" > foo 2. echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 666\r\n\r\nHello\n"...
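The logic flaw is an ordering problem: the name the user asked for and the name the transfer actually wrote to diverge as soon as the no-clobber fallback picks a different file, and the error path must remove the latter. The example below is added here to model that; it is not curl's code, and the `fetch` callable, the `TransferError` type and the `foo.1` fallback naming are constructed for the demonstration.

```python
import os
import tempfile
from typing import Callable


class TransferError(Exception):
    """Constructed stand-in for a failed or short transfer."""


def clobber_free_name(target: str) -> str:
    """--no-clobber semantics: never overwrite; fall back to target.1, target.2, ..."""
    if not os.path.exists(target):
        return target
    n = 1
    while os.path.exists(f"{target}.{n}"):
        n += 1
    return f"{target}.{n}"


def download_naive(target: str, fetch: Callable[[], bytes]) -> str:
    """Flawed ordering: on error it removes the name the user asked for, which is the
    pre-existing file that --no-clobber was supposed to protect."""
    out = clobber_free_name(target)
    try:
        with open(out, "wb") as fh:
            fh.write(fetch())
    except TransferError:
        os.unlink(target)  # BUG: `target` is the untouched original, not the file we wrote
        raise
    return out


def download_fixed(target: str, fetch: Callable[[], bytes]) -> str:
    """--remove-on-error must act on the file this transfer actually created."""
    out = clobber_free_name(target)
    try:
        with open(out, "wb") as fh:
            fh.write(fetch())
    except TransferError:
        if os.path.exists(out):
            os.unlink(out)
        raise
    return out


def failing_fetch() -> bytes:
    """Constructed server behaviour: announces 666 bytes, delivers far fewer, then closes."""
    raise TransferError("connection closed after 6 of 666 bytes")


def demo(downloader: Callable[[str, Callable[[], bytes]], str]) -> dict:
    """Constructed scenario mirroring the report: 'foo' exists and the transfer fails."""
    with tempfile.TemporaryDirectory() as d:
        foo = os.path.join(d, "foo")
        with open(foo, "w") as fh:
            fh.write("important file\n")
        try:
            downloader(foo, failing_fetch)
        except TransferError:
            pass
        return {"foo_survives": os.path.exists(foo), "leftover": sorted(os.listdir(d))}


if __name__ == "__main__":
    print("naive:", demo(download_naive))   # foo deleted, empty foo.1 left behind
    print("fixed:", demo(download_fixed))   # foo intact, foo.1 cleaned up
```

The fixed variant also guards the `unlink` with an existence check, so a failure before the output file was created does not raise a second, unrelated error from the cleanup path.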
Internet Bug Bounty: CVE-2022-30115: HSTS bypass via trailing dot
Advisory: https://curl.se/docs/CVE-2022-30115.html Original Report: https://hackerone.com/reports/1557449 Impact HSTS bypass...
Internet Bug Bounty: CVE-2022-27780: percent-encoded path separator in URL host
Advisory: https://curl.se/docs/CVE-2022-27780.html Original Report: https://hackerone.com/reports/1553841 Impact URL filter bypasses...
Internet Bug Bounty: CVE-2022-27779: cookie for trailing dot TLD
Published Advisory: https://curl.se/docs/CVE-2022-27779.html Original Report: https://hackerone.com/reports/1553301 Impact This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain. ie. conduct session fixation attacks...
curl: Integer overflows in unescape_word()
Summary: A similar issue to CVE-2019-5435. Steps To Reproduce: Analysis: the DICT protocol can use a URL like "dict://localhost:3306", and the function unescape_word() is used to deal with characters in the URL, as this code comment says: /* According to RFC 2229 section 2.2, these letters need to be escaped with...
GitHub Security Lab: [CPP]: Add query for CWE-190: Integer Overflow or Wraparound when using transform after operation
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java]: CWE-552 Add sources and sinks to detect unsafe getResource calls in Java EE applications
This bug was reported directly to GitHub Security Lab...
Shopify: One Click XSS in [www.shopify.com]
Steps To Reproduce: 1. You need a web server; put F1722320 in www 2. Visit it: http://:/poc.html?x=$alert1 3. Click it 4. You will see the alert. Supporting Material: F1722333 Impact: Cookie stealing - a malicious user can steal cookies and use them to gain access to the application. Arbitrary...
Phabricator: Slowvote and Countdown can cause Denial of Service due to recursive inclusion
Similar to 85011, if you edit a Slowvote or Countdown object and include its own object ID in the description, then it will recursively include and prevent the page from loading. mongoose Impact Denial of Service. You can include the Slowvote or Countdown object on any other object to also preven...
Phabricator: Global default settings page is accessible to non-administrators
If you go to /settings/, it correctly redirects to /settings/user/username/ and does not give you the option to change global default settings. However if you go straight to /settings/builtin/global/, any user can edit the global default settings. According to https://secure.phabricator.com/D1604...
curl: Certificate authentication re-use on redirect
Summary: Curl will reuse the existing certificate for further TLS requests when following redirects. This is similar to CVE-2022-27774 but with narrower impact, as the secret private key is not leaked. Steps To Reproduce: 1. Configure a site targetsite.tld to require client certificates for...
Glovo: Integer overflow vulnerability
Summary: In one of my previous reports I sent a parameter tampering vulnerability report. Then you asked me to send a PoC and you just closed it; that's why I'm sending you this new report with the exact name of the vulnerability. Integer overflows are closely related to other conditions that occur when...
TikTok: TikTok Account Creation Date Information Disclosure
A vulnerability was found where the date of a user's account creation would be able to be obtained without logging into that account. We thank @f15 for reporting this to our team...
Open-Xchange: Privilege escalation possible in dovecot when similar passdbs are used
Summary: Privilege escalation is possible as a result of incorrect security code logic for dovecot passdb definitions. Description: When two passdb configuration entries exist in the dovecot configuration which have the same driver and args settings, the incorrect...
Nextcloud: Password disclosure in initial setup of Mail App
Summary: https://github.com/nextcloud/mail/issues/823 Steps To Reproduce: https://github.com/nextcloud/mail/issues/823 Impact: Complete access to an IMAP account and possibly, if the password is the same as for the NC account, complete account control...
UPchieve: Postgres Admin Username and Password in Plain text
Summary: A GitLab commit contains a password in plain text. Steps To Reproduce: Navigate to https://gitlab.com/upchieve/subway/-/commit/e0e039496321c9d62a591504d387589224660a5c Supporting Material/References: Recommendations for Fixing/Mitigation: Do not disclose passwords in GitLab. Implement a check...
Glovo: Django debug enabled showing information about system, database, configuration files
Summary: Hi team, The subdomain pulpo.it.glovoint.com is a Django application running with debug mode turned on (DEBUG = True). One of the main features of debug mode is the display of detailed error pages to help developers. If your app raises an exception when DEBUG is True, Django will display...
TikTok: Disclosure of the live_analytics information of any livestream
A possible disclosure of the live_analytics information for any livestream was found by accessing the room_id parameter via devtools. We thank @datph4m for reporting this to our team...
Phabricator: Possible to make restricted files public on Phabricator via Diffusion
Files on Phabricator are always viewable to a user if they are attached to an object that they can view. It seems Phabricator does check if you can view a file before allowing you to attach it. If you don't have access to the file, it will just look like this, F99999999999, in plaintext. It seems...
curl: Cookie injection from non-secure context
Summary: Curl allows injecting cookies over an insecure HTTP connection that will then be sent to the target site when connecting over HTTPS. As documented in lib/cookie.c (https://github.com/curl/curl/blob/a04f0b961333e1a19848d073d8c7db9c20b2a371/lib/cookie.c#L1039) this should not be possible: /* A...
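The rule this report is about is the "Leave Secure Cookies Alone" behaviour from RFC 6265bis: a response received over plain HTTP may neither create a Secure cookie nor set a cookie that would overwrite or shadow an existing Secure cookie of the same name. The example below is added here and is not curl's cookie engine; it is a small jar with the rule switchable on and off, exercised against a constructed sequence of set-cookie events for an assumed host `example.com`.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str   # host the cookie is scoped to, e.g. "example.com"
    path: str     # e.g. "/"
    secure: bool  # Secure attribute present


def domain_matches(string: str, domain: str) -> bool:
    """RFC 6265 s5.1.3 (simplified): string equals domain or is a subdomain of it."""
    string, domain = string.lower(), domain.lower()
    return string == domain or string.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    def __init__(self, enforce_secure_rules: bool = True) -> None:
        self.enforce = enforce_secure_rules
        self._store: Dict[Tuple[str, str, str], Cookie] = {}

    def set_cookie(self, cookie: Cookie, *, from_secure_origin: bool) -> bool:
        """Store a cookie from a response; False means it was rejected."""
        if self.enforce and not from_secure_origin:
            # Rule 1: an insecure origin cannot create a Secure cookie at all.
            if cookie.secure:
                return False
            # Rule 2: nor may it set a cookie that would overwrite or shadow an existing
            # Secure cookie: same name, domains domain-match in either direction, and the
            # new cookie's path path-matches the existing cookie's path.
            for existing in self._store.values():
                if (existing.secure and existing.name == cookie.name
                        and (domain_matches(cookie.domain, existing.domain)
                             or domain_matches(existing.domain, cookie.domain))
                        and path_matches(cookie.path, existing.path)):
                    return False
        self._store[(cookie.name, cookie.domain, cookie.path)] = cookie
        return True

    def cookies_for(self, host: str, path: str, *, secure: bool) -> List[Cookie]:
        """Cookies that would be attached to a request for host/path."""
        return [c for c in self._store.values()
                if domain_matches(host, c.domain) and path_matches(path, c.path)
                and (secure or not c.secure)]


def demo(enforce: bool) -> dict:
    """Constructed sequence: a real Secure session cookie, then injection attempts over HTTP."""
    jar = CookieJar(enforce_secure_rules=enforce)
    real = jar.set_cookie(Cookie("session", "real", "example.com", "/", True), from_secure_origin=True)
    attempts = {
        "plain_overwrite": jar.set_cookie(Cookie("session", "attacker", "example.com", "/", False), from_secure_origin=False),
        "secure_from_http": jar.set_cookie(Cookie("session", "attacker", "example.com", "/", True), from_secure_origin=False),
        "subpath_shadow": jar.set_cookie(Cookie("session", "attacker", "example.com", "/account", False), from_secure_origin=False),
        "subdomain_shadow": jar.set_cookie(Cookie("session", "attacker", "evil.example.com", "/", False), from_secure_origin=False),
        "unrelated_cookie": jar.set_cookie(Cookie("lang", "en", "example.com", "/", False), from_secure_origin=False),
    }
    sent = jar.cookies_for("example.com", "/account", secure=True)
    session_values = sorted(c.value for c in sent if c.name == "session")
    return {"real_accepted": real, **attempts,
            "sent_count": len(sent), "session_values": session_values}


if __name__ == "__main__":
    print("without rule:", demo(enforce=False))  # injected 'attacker' values reach the HTTPS request
    print("with rule:   ", demo(enforce=True))   # only the real session cookie is sent
```

With the rule disabled, the HTTPS request to `/account` carries two `session` cookies (`attacker` and `real`), and which one the server reads first is up to ordering rules the attacker can influence via path length; that is the session-fixation outcome the report is concerned with.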
Stripe: Tomcat Servlet Examples accessible at https://44.240.33.83:38443 and https://52.36.56.155:38443
Tomcat Servlet Examples were accessible from the internet. This report demonstrated that it was possible to disclose IP addresses of internal application servers...