Sifchain: No valid SPF record found
Email spoofing is possible. To verify: visit https://www.kitterman.com/spf/validate.html and type your domain name to check SPF records; you can see the result as: No valid SPF record found. POC: 1. Visit https://emkei.cz/ 2. Fill the from email as [email protected] 3. To email as victim ema...
Sifchain: Possibility of DoS attack at https://sifchain.finance// via CVE-2018-6389 exploitation
There is a possibility in the /wp-admin/load-scripts.php script to generate a large (3Mb) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389 Details: A detailed attack scenario is described for example here:...
Sifchain: Flaws In Social media Icon on error page which can lead to financial loss to a company.
Here, I found an issue on sifchain.finance that will directly impact the customers of the Sifchain company, which can be a great loss in business, as well as there will be a problem regarding communication with the genuine customers of the company. I know that sifchain.finance is not in scope but I saw thi...
Sifchain: Open S3 Bucket | information leakage
Hi, I found an Open S3 Bucket. - POC: aws s3 ls s3://amazon-eks/ Source: https://github.com/Sifchain/sifnode/blob/bebbe9883560bbde4f452f81a2d85bdbc243636a/deploy/rake/dependencies.rake21 Regards, oos Impact: information leakage...
Sifchain: Misconfiguration Certificate Authority Authorization Rule
Hello, Sifchain Security Team, I found a bug called Missing CAA. Certificate Authority Authorization, supported by LetsEncrypt and other CAs, allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authoriti...
MCUboot: DMARC and DNS Records not found on mcuboot.com
Found no DMARC and DNS record on mcuboot.com. I am also able to send an email to me on your behalf. The mail sent did not even land in the spam folder, which could make the users believe the attacker is a legitimate person or authority. Any attacker could do so by using any fake mailer. For exmp...
Sifchain: Clickjacking Vulnerability in sifchain.finance
Hello team - Greetings! Hope you are fine. The sifchain.finance website is vulnerable to Clickjacking. NOT ONLY THE HOME PAGE IS VULNERABLE, ALL THE PAGES IN THE WEBSITE ARE VULNERABLE TO CLICKJACKING. And it has to be fixed because Clickjacking is an attack that tricks the user into clicking a webpage...
Sifchain: No Rate Limit in email leads to huge Mass mailings
Steps to reproduce: 1. Go to https://medium.com/sifchain-finance, click sign in. 2. Click sign in with email, enter email and click continue. 3. Intercept the request in Burp: POST /m/account/authenticate-email HTTP/2 Host: medium.com Cookie: optimizelyEndUserId=lo4bda3b4cea4e;...
CS Money: Previously created sessions continue being valid after MFA activation
Summary: Hi, team. This is the same issue as 667739. Please take a look. I found one issue related to your 2FA system on https://cs.money/security/ Steps To Reproduce: 1. Access the same account on https://cs.money/ in two devices 1. On device 'A' go to https://cs.money/security/ and complete all ste...
Kaspersky: Several domains on kaspersky.com are vulnerable to Web Cache Deception attack
The reported security issue allowed a potential attacker to steal potentially sensitive information of users of a website, because multiple subdomains of the Kaspersky domain were vulnerable to a web cache deception attack. In this scenario the user needs to open a phishing link in a web browser. The...
U.S. Dept Of Defense: [www.███] Reflected Cross-Site Scripting
Description: Good morning, there's a reflected cross-site scripting vulnerability on https://www.██████████/█████ There was some difficulty in making a payload for this vulnerability, mainly due to the WAF blocking some vectors, but exploitation is still possible. Here's a proof of concept showing...
Brave Software: XSS on Brave Today through custom RSS feed
A vulnerability was discovered in Brave iOS's custom RSS feed feature that allowed for cross-site scripting XSS attacks. Attackers could add a malicious RSS feed containing a javascript: URL, which could execute arbitrary code when a user clicked on a link in Brave Today. The vulnerability was...
GitHub Security Lab: [JAVA]: CWE-347 - Improper Verification of Cryptographic Signature : Potential for Auth Bypass
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: ihsinme: CPP Add query for CWE-691 Insufficient Control Flow Management After Refactoring The Code
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-348: Use of less trusted source
This bug was reported directly to GitHub Security Lab...
Sifchain: mongodb credentials leaked in github
Steps To Reproduce: 1. Go to the values.yaml file. 2. Check from line 23: blockExplorer: args: mongoUsername: "mongodb" mongoPassword: mongoDatabase: "blockexplorer" env: rootURL: "http://localhost:3000" chainnet: "" genesisURL: "" remote: rpcURL: ""...
UPchieve: Cross-origin resource sharing misconfig | steal user information
Summary: An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features ...
Sifchain: RSA PRIVATE KEY disclosure
Hi, https://github.com/Sifchain/sifnode/blob/4fb7523322f74e70600a10fff4dbdd42425c077f/ui/.vagrant/machines/default/virtualbox/privatekey is disclosing an RSA PRIVATE KEY. Impact: might give access to sensitive data protected with this key...
Sifchain: Private RSA key for Vagrant exposed in GitHub repository
Summary: The private RSA key used for SSH on Vagrant is exposed in the sifnode GitHub repository. Steps To Reproduce: 1. Visit this link, which shows the privatekey file used for your Vagrant virtual machine. Suggested solution: Remove the private key from the repository. Even though you remove it, it...
U.S. Dept Of Defense: SSRF due to CVE-2021-27905 in www.████████
Apache Solr is vulnerable to SSRF using the parameter "masterUrl". This issue is registered as CVE-2021-27905. Impact A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end syste...
MTN Group: Cross-site Scripting (XSS) - Reflected
Hello dear support, Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates...
Stripe: Object injection in `stripe-billing-typographic` GitHub project via /auth/login
An object injection vulnerability was discovered in the stripe-billing-typographic GitHub project, which allowed an attacker to bypass authentication and perform a SQL injection attack. The vulnerability was caused by a dependency called sqlstring, which mishandled objects in queries. The impact ...
Nextcloud: Default Nextcloud allows http federated shares
userA on serverA runs on http only 2. userA sends a federated share to userB on serverB 3. userB is a normal user, so he has no clue that there is no secure transport used and accepts the share 4. All the data written to and read from it is now no longer protected by TLS Impact: While maybe a bit far...
Sifchain: Subdomain Takeover At the Main Domain Of Your Site
Hello, I know that this isn't in the scope, but this is the only way I can report it, and this issue is very high: it belongs to the main domain. This is a pretty serious security issue in some context, so please act as fast as possible. Overview: the main domain sifchain.finance is pointing to wix.com, which...
Sifchain: ETHEREUM_PRIVATE_KEY leaked
Summary: I found the below private key for an ethereum wallet leaked via public code in a github repository ETHEREUM_PRIVATE_KEY="c87509a1c067bbde78beb793e6fa76530b6382a4c0241e5e4a9ec0a0f44dc0d3" Steps To Reproduce: You can find the private key via the below link:...
U.S. Dept Of Defense: Web Cache Poisoning on █████
Description: The web application https://████████ uses a web cache to more efficiently serve its pages to the users. An attacker can send a malformed request whose response the server caches and sends to the users. Impact: An attacker can alter the web cache, making the web application...
MTN Group: Cross-Site Request Forgery (CSRF) to xss
Hello dear support, I have found CSRF to XSS on https://dailydeals.mtn.co.za/index.cfm?GO=DEALS URL: https://dailydeals.mtn.co.za/index.cfm?GO=DEALS URL encoded POST input CFID was set to fbe8c86c-c0b2-4421-8ca2-dcfc14763d6e" HTTP request ============ POST /index.cfm?GO=DEALS HTTP/1.1 Host:...
Zomato: Subdomain takeover of fr1.vpn.zomans.com
Summary fr1.vpn.zomans.com points to an AWS EC2 instance at 52.47.57.107 that no longer exists. I was able to take control of this IP address and run my own EC2 instance. I can now serve content on this domain, obtain a TLS certificate for this domain, etc. If any customers or servers are pointin...
Reddit: Vulnerability Name: URL Redirection / Unvalidated Open Redirect
Summary: Visit this URL and it will redirect you to http://bing.com: https://reviewnic.com/redirect.php?url=http://bing.com. Note: An attacker could change http://bing.com to http://evilsite-of-attacker.com and hence can steal user credentials. Impact: URL Redirection or Unvalidated Open Redirect is...
Acronis: IDOR on www.acronis.com API lead to steal private business user information
Summary: Hi Acronis team, I found an endpoint: www.acronis.com/en-us/api/v1/lead/id:929-HVV-335&token:mch-acronis.com- that is vulnerable to IDOR. With this vulnerability an attacker can steal private info such as company name, user name and surname, telephone number, etc. Steps To Reproduce 1...
MTN Group: Email verification bypassed during sign up (https://developers.mtn.com/profile)
Summary: Normally https://developers.mtn.com asks users to verify their email during registration, but I found a way to bypass this so that an attacker can create accounts with emails that are not his own, abusing the integrity of MTN. Steps To Reproduce: 1. Create an account with an email you own,...
Nextcloud: Session fixation on public talk links
userA shares a talk room and protects it with a password 2. userB opens the link but doesn't enter the password yet 3. Attacker steals the cookies from userB 4. userB logs in 5. Attacker is now also able to read the conversation etc. Impact: In short, the attacker is able to take over the session of...
HackerOne: Static files on HackerOne.com can be made inaccessible through Cache Poisoning attack
Summary: Hi, the host hackerone.com uses Cloudflare to cache static files. The header x-forwarded-scheme can be used to cause a redirect loop, which will be cached by Cloudflare. By taking down a JS file, it is possible to cause a total loss of availability on hackerone.com Disclaimer: No actual...
8x8: Subdomain takeover of ███.wavecell.com
An EC2 instance was terminated but the DNS record was initially not updated/removed. The issue has been rectified...
U.S. General Services Administration: e-mail verification bypass through interception & modification of response status
Hi, during registration of an account at https://tams.preprod.gsa.gov, e-mail verification code validation can be bypassed through intercepting and modifying the response status from "success":false to "success":true. Video F1284281 is for reference. Steps To Reproduce 1. Open User Registration Url -...
Sifchain: Private eth key found
Hello, team! Found a private ethereum key in the file: https://github.com/Sifchain/sifnode/blob/develop/smart-contracts/.env.example This key points to a wallet balance: F1284232 As I understood, the private key allows spending these coins, so it may need to be masked or hidden. Impact: eth private key disclos...
Zego: Subdomain takeover of v.zego.com
Summary v.zego.com points to an AWS EC2 instance at 52.214.138.192 that no longer exists. I was able to take control of this IP address and run my own EC2 instance. I can now serve content on this domain, obtain a TLS certificate for this domain, etc. If any customers or servers are pointing to...
Sifchain: Vulnerability : Email Spoofing
Hi Team, hope you are doing well. I found a vulnerability. Issue: Email Spoofing. I just sent a forged email to [email protected] that appears to originate from [email protected] I was able to do this because of SPF Soft Fail and I could not find a DMARC record for this domain. SPF record...
curl: CVE-2021-22901: TLS session caching disaster
Summary: lib/vtls/openssl.c ossl_connect_step1 sets up the ossl_new_session_cb session id callback with SSL_CTX_sess_set_new_cb, and adds an association from data_idx and connectdata_idx to the current conn and data respectively: SSL_CTX_set_session_cache_mode(backend->ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL);...
Valve: Buffer overrun in Steam SILK voice decoder
Vulnerability: The SteamWorks SDK has a function available named DecompressVoice, which takes as input some compressed voice data and returns the raw audio data. The format for the input voice data is as follows: 8 bytes - steamid; 1 byte - payload type; 2 bytes - payload size; 4 bytes - CRC checksu...
HackerOne: Private program disclosure of `██████████` through notifications
Summary: Private program disclosure of ██████ through notifications Description: It looks like there is a private program called ████████ - https://hackerone.com/████████ which I'm not invited to yet. However, I received a notification alert in my H1 account notification box indicating the priva...
CS Money: Able to block users with 2FA from logging into their accounts by just knowing the SteamID
A vulnerability was discovered where an attacker could block users with two-factor authentication from logging into their accounts on a website by modifying the steamid cookie in the two-factor authentication code confirmation request. By changing the steamid cookie to the victim's and sending...
Palo Alto Software: Subdomain takeover of www2.growasyouplan.com
Summary www2.growasyouplan.com points to an AWS EC2 instance at 67.202.62.93 that no longer exists. I was able to take control of this IP address and run my own EC2 instance. I can now serve content on this domain, obtain a TLS certificate for this domain, etc. If any customers or servers are...
Ruby: imap: StartTLS stripping attack (CVE-2016-0772).
net/imap does not seem to raise an exception when the remote IMAP server fails to respond with a tagged response NO/BAD or OK to an explicit call of imap.starttls. This may allow a malicious MITM to perform a STARTTLS stripping attack if the client code does not explicitly set usessl = true on...
Node.js: Improper handling of untypical characters in domain names
Description: Missing input validation of host names returned by Domain Name Servers in node's dns library can lead to output of wrong hostnames, leading to Domain Hijacking and injection vulnerabilities in applications using the library, leading to Remote Code Execution, XSS, application crashes,...
Logitech: session takeover via open protocol redirection on streamlabs.com
Summary: Hi Logitech team, on streamlabs.com the endpoint streamlabs.com/global/identity?popup=1&r=protocol://merch.streamlabs.com redirects any authenticated user to an arbitrary protocol, and it merges the redirect link with an access token. F1281409 This means that if a malicious app that handle...
Mail.ru: [geekbrains.ru] Node modules path disclosure due to lack of error handling
Full stack error trace at HTTP 404-error on nexus.geekbrains.ru discloses the full path of the Node.js module directory on the server...
Mail.ru: [mcs.mail.ru] A user with the observer role can create access keys for the message queue (sqs.mcs.mail.ru)
IDOR for the X-Pid header allowed a user with the observer role to elevate privileges for the SQS service of MCS (sqs.mcs.mail.ru) by using a role from a different project. An insecure check of the header parameter led to the ability of account creation in the SQS service by a project observer...
Uber: pam_ussh does not properly validate the SSH certificate authority
The pam_ussh module that Uber open-sourced in https://github.com/uber/pam-ussh does not validate that the SSH certificate presented by a user is actually signed by a trusted CA listed in the configured cafile...
UPchieve: Password reset token leak on third party website via Referer header
Summary: It has been identified that the application is leaking the referrer token to third party sites. In this case it was found that the password reset token is being leaked to third party sites, which is an issue knowing the fact that it can allow any malicious user to use the token and reset the...