15267 matches found
lemlist: Authentication Token Theft via Open Redirect in Callback URL Parameter
A vulnerability was identified in the email signup flow of a website that enabled authentication token theft through manipulation of the callback URL parameter. The vulnerability occurred when an attacker modified the callbackUrl parameter during the email signup process to point to an...
curl: Hash exposed in public repository
An image hash is publicly exposed on GitHub. Steps to reproduce: see https://github.com/curl/curl/blob/master/Dockerfile. Solution: if you want to keep the hash, the repository should be private. Use official tags without specific hashes or environment variables. Best, @skymander. Impact: An attacke...
AWS VDP: AWS Auto Scaling Service Reporting "AWS Internal" for CloudTrail Events Generated from Specific Endpoints
A vulnerability was discovered in the AWS Auto Scaling service, where 6 API endpoints incorrectly reported the user-agent and network information as "AWS Internal" in CloudTrail logs. This allowed the adversary to perform API calls using these endpoints and evade the logging of their IP address a...
AWS VDP: Non-Production API Endpoints for the AI Ops Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration
It was found that there are 5 non-production endpoints for the AI Ops service that can be used with standard IAM credentials and do not log to CloudTrail. While the endpoints do not appear to provide access to customer partition data, they can be used for permission enumeration without...
curl: libcurl FTP path normalization flaw allows decoded %2e%2e → CWD .. and directory escape (Path Traversal, CWE-22)
ftp_parse_url_path() in lib/ftp.c URL-decodes FTP path segments (e.g. %2e%2e) and then splits the decoded path into components using an ad-hoc loop that skips empty components produced by //. The code does not perform canonical path normalization (no stack-based handling of . or ..). As a result, encoded...
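The fix the report above argues for is decode-then-canonicalise with a segment stack. The following is an added illustration, not curl's code: `ftp_normalize_path()` and its helpers are hypothetical names, the path is percent-decoded as a whole (so %2F still acts as a separator) and a ".." with nothing left to pop is treated as an escape attempt and rejected rather than silently dropped.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical helper: value of one hex digit, or -1. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode `in` into `out`. Rejects malformed escapes and %00,
 * which would otherwise truncate the path for any later strlen() user. */
static int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (; *in; in++) {
        int c = (unsigned char)*in;
        if (c == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (hi < 0 || lo < 0) return -1;
            c = (hi << 4) | lo;
            in += 2;
        }
        if (c == '\0' || o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

#define MAX_SEGMENTS 64

/* Decode, then canonicalise with a segment stack: "." and empty segments
 * ("//") are dropped, ".." pops the previous segment, and a ".." with
 * nothing left to pop is an attempt to climb above the starting directory
 * and is rejected. Writes a relative path (a leading "/" is dropped).
 * Returns 0 on success, -1 on rejection or malformed input. */
int ftp_normalize_path(const char *encoded, char *out, size_t outlen) {
    char decoded[512];
    const char *seg[MAX_SEGMENTS];
    size_t len[MAX_SEGMENTS];
    size_t depth = 0, o = 0, i;
    const char *p = decoded;

    if (url_decode(encoded, decoded, sizeof decoded) != 0) return -1;

    while (*p) {
        const char *start = p;
        size_t n;
        while (*p && *p != '/') p++;
        n = (size_t)(p - start);
        if (*p) p++;                              /* step over the '/' */
        if (n == 0 || (n == 1 && start[0] == '.')) continue;
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return -1;            /* escape above root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGMENTS) return -1;
        seg[depth] = start;
        len[depth] = n;
        depth++;
    }
    for (i = 0; i < depth; i++) {
        if (o + len[i] + 2 > outlen) return -1;   /* room for '/' and NUL */
        if (i) out[o++] = '/';
        memcpy(out + o, seg[i], len[i]);
        o += len[i];
    }
    out[o] = '\0';
    return 0;
}

/* Convenience wrapper for the demo: canonical path, or NULL if rejected. */
const char *ftp_normalize_demo(const char *encoded) {
    static char buf[512];
    return ftp_normalize_path(encoded, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    /* Constructed inputs: one benign, one traversal attempt, one absolute. */
    const char *inputs[] = {
        "pub/./dir//%2e%2e/file.txt",
        "%2e%2e/%2e%2e/etc/passwd",
        "/pub/a/b/../../c",
    };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *r = ftp_normalize_demo(inputs[i]);
        printf("%-32s -> %s\n", inputs[i], r ? r : "REJECTED");
    }
    return 0;
}
```

Rejecting an over-root ".." instead of clamping it is deliberate: a client that quietly turns `%2e%2e/%2e%2e/etc/passwd` into `etc/passwd` still sends a request the caller never intended.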
curl: Silent TLS Trust Model Hijacking via `CURL_CA_BUNDLE` Environment Variable Leads to MITM
Summary: curl is vulnerable to silent Man-in-the-Middle (MITM) attacks due to its design, which implicitly trusts the CA certificate path specified in the CURL_CA_BUNDLE environment variable. This mechanism allows the entire TLS trust model (chain of trust) of curl to be hijacked without any warning or...
curl: Command Injection - CRITICISM
Description: The $openssl code in curl 8.17.0.1 allows exploitation. Steps to reproduce: 1. Extract and install curl on Windows. 2. See the code in mk-ca-bundle. Affected: curl 8.17.0.1; OS: Windows 11/10/8. Analysis assisted by: DeepSeek. Perl: $result = "$openssl" dgst -r -sha256 "$0"; Problem: The $0...
curl: Arbitrary Configuration File Inclusion: via External Control of File Name or Path
Summary: The Arbitrary Configuration File Inclusion (ACFI) vulnerability was identified in the curl utility via the --config option. This flaw is a form of External Control of File Name or Path (CWE-73), occurring due to the lack of adequate validation on the user-supplied configuration file path. An...
curl: SMTP CRLF Injection in curl/libcurl via MAIL FROM/RCPT TO parameters
SMTP CRLF Injection Vulnerability in curl/libcurl. Vulnerability ID: CURL-SMTP-CRLF-2024. CWE-93: Improper Neutralization of CRLF Sequences. Executive Summary: curl/libcurl contains a CRLF injection vulnerability in its SMTP implementation that allows attackers to inject arbitrary SMTP commands by...
curl: Unsafe use of strcpy in Curl_ldap_err2string (packages/OS400/os400sys.c) — stack-buffer-overflow (PoC + ASan)
I've provided the detailed description and clear steps previously, but it seems you need the content tailored directly for the submission form's fields. I will present the complete, professional, and detailed response suitable for reporting a memory corruption vulnerability to a vendor or bug...
Rocket.Chat: Open Redirect in Rocket.Chat
An open redirect vulnerability was identified in Rocket.Chat. The /saml/sloRedirect/:provider endpoint included the redirect query string value directly in the Location header for a 302 redirect without any server-side validation. This issue was fixed in v8.4.0...
Django: Potential SQL Injection when annotating FilteredRelation on PostgreSQL
A potential SQL injection vulnerability was discovered in Django's annotation of FilteredRelation on PostgreSQL. The vulnerability was caused by an incomplete regular expression filter in FORBIDDEN_ALIAS_PATTERN. This allowed user input to be interpreted as raw strings, potentially enabling the...
Node.js: FS Permissions Bypass
A flaw was discovered in Node.js's Permissions model that allowed attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory could escape the allowed path a...
lemlist: Authentication Bypass in Subscription Management Endpoint
A vulnerability was identified in the subscription management functionality that allowed unauthorized access to customer billing information. The issue stemmed from insufficient authentication and authorization controls on an API endpoint. The vulnerability was classified as an Insecure Direct...
curl: libcurl MQTT `CURLOPT_POSTFIELDSIZE_LARGE` overflow leads to immediate DoS
Summary: An attacker can crash or forcefully abort any application that uses libcurl's MQTT support by setting an excessively large value for CURLOPT_POSTFIELDSIZE_LARGE. The MQTT publish logic (lib/mqtt.c::mqtt_publish) trusts this value without validating it against the protocol's maximum remaining...
curl: SMTP CRLF Command Injection in CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT
libcurl's SMTP implementation accepts CR (\r) and LF (\n) bytes in mailbox address inputs without validation. These control characters are inserted directly into SMTP commands, allowing attackers to inject arbitrary SMTP protocol commands. This enables envelope manipulation, adding unauthorized...
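Both SMTP CRLF reports on this page (the CURL-SMTP-CRLF-2024 one and this one) describe the same mechanism: a mailbox string containing CR/LF is pasted into MAIL FROM / RCPT TO and the server reads everything after the CRLF as a fresh command. The example below is an added illustration, not libcurl's code: `smtp_mail_from_unchecked()` shows the vulnerable pattern, `smtp_address_is_safe()` the check a hardened builder applies, and the injected address is a constructed value.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the caller-supplied mailbox is pasted into the
 * command verbatim, so CR/LF inside it ends the command early. */
int smtp_mail_from_unchecked(const char *addr, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "MAIL FROM:<%s>\r\n", addr);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened check: an RFC 5321 mailbox never contains CR, LF, NUL or any
 * other ASCII control byte, so the whole value is rejected if one appears. */
int smtp_address_is_safe(const char *addr) {
    if (!addr || !*addr) return 0;
    for (; *addr; addr++) {
        unsigned char c = (unsigned char)*addr;
        if (c < 0x20 || c == 0x7f) return 0;
    }
    return 1;
}

int smtp_mail_from_checked(const char *addr, char *out, size_t outlen) {
    if (!smtp_address_is_safe(addr)) return -1;
    return smtp_mail_from_unchecked(addr, out, outlen);
}

/* How many complete SMTP commands a buffer would deliver to the server:
 * each CRLF terminates one command. */
int smtp_count_commands(const char *buf) {
    int n = 0;
    const char *p = buf;
    while ((p = strstr(p, "\r\n")) != NULL) { n++; p += 2; }
    return n;
}

/* Demo: number of commands one address turns into (-1 if the checked
 * builder rejects it). checked=0 uses the vulnerable builder. */
int smtp_commands_for(const char *addr, int checked) {
    char cmd[512];
    int n = checked ? smtp_mail_from_checked(addr, cmd, sizeof cmd)
                    : smtp_mail_from_unchecked(addr, cmd, sizeof cmd);
    return n < 0 ? -1 : smtp_count_commands(cmd);
}

int main(void) {
    /* Constructed attacker-controlled "sender": the '>' and CRLF close
     * MAIL FROM, and the remainder is parsed as a second command that
     * adds an unintended recipient. */
    const char *injected = "alice@example.test>\r\nRCPT TO:<bcc@attacker.test";
    char cmd[512];

    smtp_mail_from_unchecked(injected, cmd, sizeof cmd);
    printf("unchecked builder emits %d command(s):\n%s",
           smtp_count_commands(cmd), cmd);
    printf("checked builder on injected value: %d (-1 = rejected)\n",
           smtp_mail_from_checked(injected, cmd, sizeof cmd));
    printf("checked builder on clean value emits %d command\n",
           smtp_commands_for("alice@example.test", 1));
    return 0;
}
```

The check is on the raw bytes, before any formatting: once the CRLF is inside the command buffer there is no reliable way to tell the injected line from a legitimate one.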
U.S. Dept Of Defense: DNN - Unrestricted Arbitrary File Upload #████████
A vulnerability was discovered in versions of DNN formerly DotNetNuke prior to 10.1.1. The vulnerability was caused by the default HTML editor provider allowing unauthenticated file uploads and overwriting of existing files. This could have led to website defacement and cross-site scripting attac...
Revive Adserver: Unrestricted setPerPage allows huge result sets / resource exhaustion / mass log retrieval
Description: The setPerPage query parameter controls pagination for the log viewer but is not validated or capped on the server. An attacker can supply an extremely large numeric value (for example setPerPage=100000000000000000) and the application will attempt to honor that value when building the...
Revive Adserver: Username normalization missing allows visually indistinguishable accounts (Whitespace-Based Impersonation)
Version: ==revive-adserver 6.0.2== Summary: Revive Adserver allows creation of usernames containing leading or trailing whitespace e.g. "admin" or " admin". The UI does not visibly differentiate such usernames from admin, producing visually identical accounts. This can be used to impersonate...
Revive Adserver: Stored-XSS in campaign name displayed in Banners modal
Description: A low-privilege authenticated user can create or edit advertiser/campaign names containing HTML/JavaScript. Those values are stored in the application and later rendered without proper HTML escaping in the admin Inventory → Banners advertiser/campaign picker. When an administrator...
curl: HackerOne
HackerOne Impact HackerOne...
curl: Hi Hacker
Hi Hacker Impact Summary:...
curl: Directory Traversal Vulnerability in cURL via Content-Disposition Header Processing
Vulnerability Description: The parse_filename() function in src/tool_cb_hdr.c does not adequately validate and sanitize filenames extracted from HTTP Content-Disposition headers, allowing directory traversal attacks when the -O (--remote-name) and -J (--remote-header-name) options are used together. Vulnerable...
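What a safe Content-Disposition filename parser has to do is small but easy to get wrong: pull the `filename=` value out of the header, then throw away every directory component, in either slash style, before touching the filesystem. The code below is an added example written for this page, not curl's parse_filename(); the function names are hypothetical, the `filename*=` (RFC 5987) form is deliberately left unhandled, and a ':' is treated as a separator too so a Windows drive prefix cannot survive.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical helper: case-insensitive prefix match. */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Extract the value of the first "filename=" parameter (quoted or bare).
 * Returns 0 on success, -1 if absent, empty, unterminated or too long. */
int cd_extract_filename(const char *header, char *out, size_t outlen) {
    const char *p = header;
    size_t o = 0;
    for (; *p; p++) {
        int at_boundary = (p == header || p[-1] == ';' ||
                           isspace((unsigned char)p[-1]));
        if (at_boundary && has_prefix_ci(p, "filename="))
            break;
    }
    if (!*p) return -1;
    p += strlen("filename=");
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '"') {
        p++;
        while (*p && *p != '"') {
            if (o + 1 >= outlen) return -1;
            out[o++] = *p++;
        }
        if (*p != '"') return -1;                 /* unterminated quote */
    } else {
        while (*p && *p != ';' && !isspace((unsigned char)*p)) {
            if (o + 1 >= outlen) return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return o ? 0 : -1;
}

/* Reduce to a bare base name: drop everything up to the last '/', '\\'
 * or ':', then reject names that are empty, "." or "..", or that carry
 * control bytes. Returns 0 on success, -1 if rejected. */
int cd_safe_basename(const char *name, char *out, size_t outlen) {
    const char *base = name, *p;
    size_t n;
    for (p = name; *p; p++)
        if (*p == '/' || *p == '\\' || *p == ':') base = p + 1;
    n = strlen(base);
    if (n == 0 || n + 1 > outlen) return -1;
    if (!strcmp(base, ".") || !strcmp(base, "..")) return -1;
    for (p = base; *p; p++)
        if ((unsigned char)*p < 0x20 || *p == 0x7f) return -1;
    memcpy(out, base, n + 1);
    return 0;
}

/* Demo wrapper: the name a -O -J style download would be saved under,
 * or NULL if the header yields nothing safe to use. */
const char *cd_output_name(const char *header) {
    static char raw[256], safe[256];
    if (cd_extract_filename(header, raw, sizeof raw) != 0) return NULL;
    if (cd_safe_basename(raw, safe, sizeof safe) != 0) return NULL;
    return safe;
}

int main(void) {
    /* Constructed header values, including two traversal attempts. */
    const char *headers[] = {
        "inline; filename=report.pdf; size=12",
        "attachment; filename=\"../../etc/passwd\"",
        "attachment; filename=\"..\\..\\boot.ini\"",
        "attachment; filename=\"..\"",
        "attachment",
    };
    size_t i;
    for (i = 0; i < sizeof headers / sizeof headers[0]; i++) {
        const char *r = cd_output_name(headers[i]);
        printf("%-44s -> %s\n", headers[i], r ? r : "REJECTED");
    }
    return 0;
}
```

The decision to keep only the base name (rather than, say, reject any name containing a slash) matches what a user of -J expects: the server chooses the file name, never the directory.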
curl: curl built with GnuTLS backend defaults to weak crypto parameters
Summary: curl configured with the GnuTLS backend (--with-gnutls) defaults to using "NORMAL" as the base level of the library's cryptographic security. From the GnuTLS documentation: the message authenticity security level is of 64 bits or more, and the certificate verification profile is set to GNUTLS_PROFILE_LOW...
curl: Buffer over-read, Missing NUL termination in addvariable() causes undefined behavior
Summary: In addvariable() (used by setvariable()), the code allocates memory for p->name without space for a NUL terminator and copies nlen bytes directly. Later, functions like varcontent() call strlen() on this name, assuming it is NUL-terminated. This can lead to out-of-bounds memory reads, causing...
Node.js: Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled
A flaw in Node.js's buffer allocation logic was discovered, where buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from previous operations under specific timing conditions...
Revive Adserver: Stored-XSS in Banner Name field
Version: ==revive-adserver 6.0.0== Summary: A stored Cross-Site Scripting XSS vulnerability exists in the Banner → Name field. An attacker can create or edit a banner with a malicious payload in the Name field; that payload is stored and later executed in the browser of users who were added to th...
curl: SOCKS5 Heap Buffer Overflow via Malicious HTTP Redirect with Oversized Hostname
Summary: A heap-based buffer overflow vulnerability exists in curl's SOCKS5 proxy handshake implementation when processing HTTP redirects containing hostnames exceeding 255 characters. When curl is configured to use SOCKS5 with hostname resolution (socks5h:// scheme) and follows an HTTP redirect to...
curl: Logical Flaw in curl_url_set Leads to Inconsistent Query Parameter Encoding
Hello curl security team, First, thank you for your incredible work on maintaining such a critical and robust piece of software. We have been conducting a deep-dive source code audit of libcurl and believe we have identified a subtle logical flaw in the curl_url_set API that has security...
Revive Adserver: Reflected XSS in /admin/banner-zone.php (v6.0.0+)
Description: A Reflected Cross-Site Scripting Reflected XSS vulnerability. User-supplied input from the banner search fields "Website" is reflected into the page without proper context-aware encoding Step: 1. When I create Banners, I click it and click 'Linked Zones'. At that, I insert payload...
Revive Adserver: Information Disclosure via Verbose Error Messages
Version: ==revive-adserver 6.0.0== Summary: Revive Adserver v6.0.0 exposes sensitive technical details through verbose error messages, revealing the exact MySQL/MariaDB version, SQL queries, and PHP environment details. Attackers can use this information to identify known vulnerabilities or craft...
Revive Adserver: IDOR Vulnerability in Banner Deletion
Summary I found an IDOR vulnerability in Revive Adserver's banner deletion endpoint that lets any Manager delete banners belonging to other Managers. The code validates access to the parent campaign but doesn't check if the user owns the specific banner being deleted. This means Manager A can...
Revive Adserver: Information Disclosure via “Add user” lookup in Account Management (User Access)
Version: ==revive-adserver 6.0.0== Flow:
Administrator Account
├── Management 1
│   ├── User A1
│   └── User A2
└── Management 2
    ├── User B1 (leaks email, contact name)
    └── User B2 (leaks email, contact name)
Summary: When a user under Management 1 navigates to User Access → Add user and enters a username, the...
curl: CURLX_SET_BINMODE(NULL) can call fileno(NULL) and cause undefined behavior / crash
Summary: Calling the CURLX_SET_BINMODE(stream) macro with stream == NULL leads to an unguarded call to fileno(NULL) in tool_binmode.h, which is undefined behavior and may crash the process. This is a robustness/UB issue and should be corrected by guarding against NULL streams before calling filen...
curl: curl’s persistence files inherit world-readable/writable perms from umask, leaking and tampering with cookies/HSTS/Alt-Svc caches
Executive Summary: Curl_fopen clones the permissions of any pre-existing persistence file when creating its temporary file. When the persistence file does not exist, it first creates one with the process umask (typically 022, i.e., 0644). That mode is then copied to the temp file via 0600 | sb.st_mode...
Revive Adserver: Stored XSS in Conversion Statistics via Tracker Name
I found stored XSS on the conversion statistics page. Advertisers can inject malicious JavaScript through tracker names, which executes when admins view conversion reports (www/admin/stats-conversions.php:356). I was able to steal admin session cookies using this vulnerability. This is a privilege...
Nextcloud: Credential Disclosure via Unvalidated directDownloadUrl (Missing DontAddCredentialsAttribute)
The Nextcloud Desktop Client was found to automatically include user credentials (an Authorization header with username and password in Base64) when downloading files via the "directDownloadUrl" feature. This allowed a malicious Nextcloud server to specify an attacker-controlled URL, causing the clien...
Revive Adserver: Stored XSS on inventory-retrieve.php
A Cross-site Scripting XSS vulnerability was discovered on the inventory-retrieve.php and campaign-edit.php pages. The vulnerability allowed an attacker to inject malicious code that would be executed when the page was loaded...
curl: Integer Overflow to Heap Overflow in DoH Response Handling
Summary: An integer overflow vulnerability exists in the doh_probe_write_cb function in lib/doh.c. This function is used as a write callback for DNS-over-HTTPS (DoH) responses. When a malicious DoH server sends a response with a crafted size, the multiplication of size and nmemb can overflow. This lea...
Revive Adserver: Improper sanitisation of input in the settings could cause DoS
A vulnerability was found in the settings functionality of the application where attacker-controlled values in the emailfromName and emailfromCompany fields were persisted and later rendered to pages without proper output encoding. This could have led to the execution of arbitrary JavaScript in t...
Revive Adserver: Reflected XSS in account-preferences-plugin.php
A reflected cross-site scripting (RXSS) vulnerability was discovered in revive-adserver-6.0.1/www/admin/account-preferences-plugin.php via the group query parameter. Untrusted input was reflected without proper output encoding or context-aware escaping, allowing injection of JavaScript into the...
Nextcloud: Improper input validation On Exported deep-link handler crashes `FileDisplayActivity` on crafted external URL — Denial-of-Service
A vulnerability was discovered in the Nextcloud Android client application where improper input validation in the exported deep-link handler caused a null dereference in the FileDisplayActivity component. This resulted in an unhandled NullPointerException and application crash when the deep-link...
Revive Adserver: Authorization bypass allows changing email address of other users
The Revive Adserver 6.0.0 was found to have an authorization bypass vulnerability that allowed changing the email address of other users without requiring the account password. The vulnerability was present in the admin panel endpoint /admin/agency-user.php, which accepted a POST request that...
curl: libcurl MQTT PUBLISH length overflow (heap overflow)
Summary: Heap-based buffer overflow in libcurl's MQTT PUBLISH assembly (lib/mqtt.c::mqtt_publish) due to unchecked size_t arithmetic when computing the MQTT "Remaining Length". If payloadlen + 2 + topiclen wraps size_t, libcurl allocates a too-small buffer and then memcpy's payloadlen bytes into it,...
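Three reports on this page turn on the same arithmetic discipline: the two MQTT ones (the CURLOPT_POSTFIELDSIZE_LARGE DoS and this PUBLISH length overflow) add `2 + topiclen + payloadlen` and the DoH one multiplies `size * nmemb`, in both cases without checking for size_t wrap-around or a protocol limit. The block below is an added example, not libcurl's code: it shows the checked-before-it-happens form of each operation. The MQTT limits (a 4-byte varint Remaining Length with a maximum of 268435455, a 2-byte topic length field) are from the MQTT 3.1.1 specification; `DOH_RESPONSE_CAP` is a hypothetical policy value chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* MQTT 3.1.1 limits: Remaining Length is a 1..4 byte varint (max 0xFFFFFFF)
 * and the topic length is carried in a 2-byte field. */
#define MQTT_MAX_REMAINING_LENGTH 268435455u
#define MQTT_MAX_TOPIC_LENGTH     65535u

/* Remaining Length of a QoS 0 PUBLISH: 2 (topic length field) + topic +
 * payload. Each addition is guarded before it happens so the sum can never
 * wrap size_t, and the total is checked against the protocol maximum.
 * Returns the length, or -1 if it cannot be represented on the wire. */
long long mqtt_remaining_length(size_t topiclen, size_t payloadlen) {
    size_t rl;
    if (topiclen > MQTT_MAX_TOPIC_LENGTH) return -1;
    rl = topiclen + 2;                          /* cannot wrap: topiclen <= 65535 */
    if (payloadlen > SIZE_MAX - rl) return -1;  /* rl + payloadlen would wrap */
    rl += payloadlen;
    if (rl > MQTT_MAX_REMAINING_LENGTH) return -1;
    return (long long)rl;
}

/* Number of varint bytes a Remaining Length occupies (7 bits per byte),
 * or -1 if it exceeds the 4-byte maximum. */
int mqtt_varint_size(size_t rl) {
    if (rl > MQTT_MAX_REMAINING_LENGTH) return -1;
    if (rl < 128) return 1;
    if (rl < 16384) return 2;
    if (rl < 2097152) return 3;
    return 4;
}

/* Hypothetical cap on one DoH response; a real limit is a policy choice. */
#define DOH_RESPONSE_CAP ((size_t)1 << 20)

/* Byte count handed to a write callback as size*nmemb, rejecting products
 * that would overflow size_t or exceed the cap. Returns -1 on rejection. */
long long doh_response_len(size_t size, size_t nmemb) {
    size_t total;
    if (size != 0 && nmemb > SIZE_MAX / size) return -1;  /* product would wrap */
    total = size * nmemb;
    if (total > DOH_RESPONSE_CAP) return -1;
    return (long long)total;
}

int main(void) {
    printf("topic 3, payload 100        -> %lld\n", mqtt_remaining_length(3, 100));
    printf("topic 3, payload SIZE_MAX-4 -> %lld\n", mqtt_remaining_length(3, SIZE_MAX - 4));
    printf("topic 3, payload 0xFFFFFFF  -> %lld\n", mqtt_remaining_length(3, 268435455));
    printf("varint bytes for 321        -> %d\n", mqtt_varint_size(321));
    printf("DoH 4096 x 1                -> %lld\n", doh_response_len(4096, 1));
    printf("DoH SIZE_MAX x 2            -> %lld\n", doh_response_len(SIZE_MAX, 2));
    return 0;
}
```

The shape of each guard matters: comparing against `SIZE_MAX - rl` or `SIZE_MAX / size` before the operation is what keeps the check itself from depending on an already-wrapped value.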
curl: Use of Deprecated strcpy() with User-Controlled Environment Variable in Memory Debug Initialization
Discovery Method. Step 1: Initial Security Scan. Find all files using dangerous string functions: find src/ -name "*.c" -exec grep -l "strcpy|strcat|sprintf|gets" {} \; OUTPUT: src/tool_progress.c src/tool_main.c. Step 2: Locate Vulnerable Code in Main.c. Find exact strcpy usage in tool_main.c: grep -n...
Revive Adserver: Error-Based & Time-Based SQL Injection in 'keyword' Parameter of admin-search.php Allowing Full Database Access in Revive Adserver v6.0.0
==Cricetinae== Summary: A critical SQL Injection vulnerability has been identified in Revive Adserver's administrative search functionality, specifically in the admin-search.php file. The vulnerability exists in the handling of the keyword GET parameter, which is passed to multiple database queri...
curl: Use of Deprecated strcpy() with Fixed-Size Buffers in Progress Time Formatting
Step 2: Locate Vulnerable Code in Progress.c. Find exact strcpy usage in tool_progress.c: grep -n "strcpy" ./src/tool_progress.c OUTPUT: 94: strcpy(r, "--:--:--"); Step 3: Analyze the Vulnerable Function. View complete time2str function: sed -n '/^static void time2str/,/^}/p' ./src/tool_progress.c Vulnerab...
curl: Memory leak in Curl_auth_create_ntlm_type3_message
Summary: When handling NTLMv2, if the decoded type-2 "TargetInfo" is large enough that ntresplen + headersize exceeds NTLM_BUFSIZE (1024), the code returns early without freeing ntlmv2resp, causing a memory leak...
curl: Buffer Overflow in WebSocket Handshake (lib/ws.c:1287)
Summary: Buffer overflow vulnerability in curl's WebSocket implementation due to unsafe use of strcpy in the handshake process. The vulnerability is located at lib/ws.c:1287 where strcpy(keyval, randstr) is called without proper bounds checking, despite having a bounds check earlier in the code. AI...
Node.js: fs.futimes() Bypasses Read-Only Permission Model
A flaw in Node.js's permission model was discovered that allowed a file's access and modification timestamps to be changed via futimes even when the process had only read permissions. Unlike utimes, futimes did not apply the expected write-permission checks, which meant file metadata could be...