Stripo Inc: [Critical] Unauthorized Cross-Tenant Data Access in Stripo AI Hub Campaign via Deleted Project.
An unauthorized cross-tenant data access vulnerability was discovered in the Stripo AI Hub Campaign. The vulnerability allowed access to data from a deleted project. The issue was resolved...
IBM: [RCE] Remote Code Execution via React Server Components Vulnerability CVE-2025-55182
Vulnerability description not provided...
Node.js: Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers
A vulnerability was identified in Node.js error handling where "Maximum call stack size exceeded" errors became uncatchable when async_hooks.createHook was enabled. Instead of reaching process.on('uncaughtException'), the process terminated, making the crash unrecoverable...
Node.js: Unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
A vulnerability was discovered in the Fetch API of Node.js that allowed an unbounded number of links in the decompression chain for HTTP responses. This could lead to resource exhaustion, as the default maxHeaderSize allowed a malicious server to insert thousands of compression steps, resulting i...
curl: Certificate Hostname Validation Bypass via Leading Dot in Hostname
Summary: A hostname validation bypass in libcurl's wildcard certificate matching. The hostmatch function fails to handle hostnames starting with a dot, causing .example.com to match *.example.com. When the hostname starts with ".", memchr returns position 0, so the entire hostname including the leading d...
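Added example (not curl's hostmatch() code): a minimal wildcard matcher in C that reproduces the leading-dot behaviour the report describes, beside a hardened version. The pattern and host strings are constructed inputs; wildcard_match_naive() locates the first dot with memchr() exactly as the summary states, and wildcard_match_checked() additionally requires a non-empty single label in front of the dot and at least two labels after the wildcard.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive string equality (DNS names are case-insensitive). */
static bool ci_eq(const char *a, const char *b)
{
    for(; *a && *b; a++, b++)
        if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Matcher with the flaw the report describes: memchr() locates the first '.'
 * in the hostname and everything from that dot onwards is compared with the
 * part of the pattern after '*'. For the host ".example.com" memchr() returns
 * offset 0, the "label" in front of the dot is empty, and the whole hostname
 * equals the pattern suffix ".example.com", so the match wrongly succeeds.
 * Illustrative code, not curl's implementation. */
bool wildcard_match_naive(const char *pattern, const char *host)
{
    if(strncmp(pattern, "*.", 2) != 0)
        return ci_eq(pattern, host);            /* not a wildcard pattern */
    const char *psuffix = pattern + 1;          /* ".example.com" */
    const char *dot = memchr(host, '.', strlen(host));
    if(!dot)
        return false;
    return ci_eq(dot, psuffix);
}

/* Hardened matcher: the wildcard must stand for exactly one non-empty label,
 * and the pattern must keep at least two labels after the '*' (no "*.com"). */
bool wildcard_match_checked(const char *pattern, const char *host)
{
    if(strncmp(pattern, "*.", 2) != 0)
        return ci_eq(pattern, host);
    const char *psuffix = pattern + 1;
    if(!strchr(psuffix + 1, '.'))               /* "*.com" style pattern */
        return false;
    const char *dot = strchr(host, '.');
    if(!dot || dot == host)                     /* no label, or an empty label */
        return false;
    return ci_eq(dot, psuffix);                 /* exactly one label consumed */
}
```

When auditing a matcher, the inputs worth trying are the empty label (".example.com"), a multi-label prefix ("a.b.example.com", which a single wildcard must not cover) and a bare-TLD wildcard ("*.com").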
curl: Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle
Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle. [curl source file header] This software is licensed as described in the file COPYING, which you should have received as part of this distribution. The terms are also available at...
PlayStation: PS4 BD-J privilege escalation using nested JAR
A privilege escalation vulnerability was discovered in the PS4's Blu-ray Disc Java (BD-J) implementation, using nested JAR files. The vulnerability was found in PS4 system software versions 13.00 to the latest version 13.02. The vulnerability was caused by a discrepancy between the security policy's path...
Enjin: Unauthenticated GraphQL access by prepending __schema to private operations
A security vulnerability was identified in the GraphQL schema of the Enjin Platform. The vulnerability allowed unauthorized access to the GraphQL schema by prepending "__schema" to private operations. The vulnerability was discovered and reported by a security researcher. The specific location of t...
curl: SMTP Protocol Injection via CRLF in CURLOPT_MAIL_FROM leading to Email Spoofing
Here is the complete and finalised report. I have integrated the specific curl version you provided and added a detailed "Vulnerable Code Analysis" section with the explained code excerpts, as requested. I have removed the Impact section as per your instruction. Summary: A critic...
Node.js: CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown
Vulnerability description not provided...
Automattic: XSS Vulnerability on Pressable/Atomic Hosting Platform via unescaped admin notices leads to code execution
A cross-site scripting (XSS) vulnerability was discovered in the Pressable/Atomic Hosting Platform's admin notices feature. Unescaped text output in the atomic-platform.php file allowed arbitrary JavaScript code execution when an administrator updated or set the atomicsingleoptionlimiternotices...
Basecamp: Link unfurling calls out to arbitrary URLs and the private-network guard misses link-local addresses
A vulnerability was discovered in the application that allowed authenticated users to supply a URL that the server would fetch for OpenGraph data. The "private network" guard only blocked certain IP ranges, but ignored link-local addresses, enabling server-side requests to be made to those hosts...
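Added example (not Basecamp's guard; illustrative C): an address guard of the kind the summary describes, blocking only RFC 1918 and loopback ranges, beside one that also blocks link-local space (169.254.0.0/16, which includes the cloud metadata address, and fe80::/10) and unwraps IPv4-mapped IPv6 addresses so the IPv4 rules apply to them too. The exact ranges in guard_naive_blocks() are an assumption about what "certain IP ranges" covered, and the test addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* True if IPv4 address a lies within net/bits. */
static bool in4_prefix(const struct in_addr *a, const char *net, int bits)
{
    struct in_addr n;
    if(inet_pton(AF_INET, net, &n) != 1) return false;
    uint32_t mask = bits == 0 ? 0 : htonl(0xffffffffu << (32 - bits));
    return (a->s_addr & mask) == (n.s_addr & mask);
}

/* True if IPv6 address a lies within net/bits. */
static bool in6_prefix(const struct in6_addr *a, const char *net, int bits)
{
    struct in6_addr n;
    if(inet_pton(AF_INET6, net, &n) != 1) return false;
    int full = bits / 8, rem = bits % 8;
    if(memcmp(a->s6_addr, n.s6_addr, (size_t)full) != 0) return false;
    if(rem) {
        uint8_t m = (uint8_t)(0xffu << (8 - rem));
        return (a->s6_addr[full] & m) == (n.s6_addr[full] & m);
    }
    return true;
}

/* The guard as the summary describes it (assumed ranges): RFC 1918 plus
 * loopback, IPv4 only. Link-local 169.254.0.0/16 is not on the list. */
bool guard_naive_blocks(const char *ip)
{
    struct in_addr a4;
    if(inet_pton(AF_INET, ip, &a4) == 1)
        return in4_prefix(&a4, "10.0.0.0", 8) || in4_prefix(&a4, "172.16.0.0", 12)
            || in4_prefix(&a4, "192.168.0.0", 16) || in4_prefix(&a4, "127.0.0.0", 8);
    return false;                       /* IPv6 never considered */
}

/* Hardened guard: adds link-local (v4 and v6), "this host" 0.0.0.0/8, shared
 * address space 100.64.0.0/10, IPv6 loopback/unspecified/ULA, fails closed on
 * unparseable input, and judges IPv4-mapped IPv6 by the IPv4 rules. */
bool guard_checked_blocks(const char *ip)
{
    struct in_addr a4;
    struct in6_addr a6;
    if(inet_pton(AF_INET, ip, &a4) == 1)
        return guard_naive_blocks(ip) || in4_prefix(&a4, "169.254.0.0", 16)
            || in4_prefix(&a4, "0.0.0.0", 8) || in4_prefix(&a4, "100.64.0.0", 10);
    if(inet_pton(AF_INET6, ip, &a6) != 1)
        return true;                    /* not an address: refuse */
    if(in6_prefix(&a6, "::ffff:0.0.0.0", 96)) {
        char v4[INET_ADDRSTRLEN];       /* ::ffff:a.b.c.d -> a.b.c.d */
        memcpy(&a4, &a6.s6_addr[12], 4);
        inet_ntop(AF_INET, &a4, v4, sizeof v4);
        return guard_checked_blocks(v4);
    }
    return in6_prefix(&a6, "fe80::", 10) || in6_prefix(&a6, "fc00::", 7)
        || in6_prefix(&a6, "::1", 128) || in6_prefix(&a6, "::", 128);
}
```

The check has to run on the address actually connected to, after DNS resolution and again on every redirect hop; otherwise a hostname that resolves to 169.254.169.254, or one whose answer changes between the check and the fetch, walks straight past it.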
Revive Adserver: Broken Access Control allows advertiser accounts to delete trackers they do not own
Vulnerability description not provided...
Revive Adserver: INI Format string injection in Revive Adserver 6.0.4 settings
Vulnerability description not provided...
curl: Path Traversal in file:// protocol allows Arbitrary File Read
Summary: The file:// protocol handler in curl does not properly sanitise or block path traversal sequences (`../`). This allows a maliciously crafted file:// URL to escape the intended directory and access arbitrary files on the filesystem with the permissions of the user running curl. When curl is...
curl: Heap Buffer Overflow in TFTP
Summary: A heap buffer overflow vulnerability exists in the TFTP implementation of libcurl. The vulnerability is triggered when a malicious TFTP server sends an OACK (Option Acknowledgment) packet with a blksize option that is larger than the default block size (512 bytes). libcurl updates its intern...
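Added example (not libcurl's tftp.c; illustrative C): a small OACK parser and two ways of applying a server-supplied blksize. tftp_apply_oack_vulnerable() adopts the value into a session whose receive buffer stays at 512 bytes, which is the state the report describes; tftp_apply_oack_checked() enforces the RFC 2348 range, refuses a value larger than the one the client proposed, and grows the buffer before the new size takes effect. tftp_receive_data() returns -1 instead of running memcpy() past the buffer, so the overflow condition is observable without corrupting the heap. The packet bytes and session sizes are constructed.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define TFTP_OPCODE_OACK     6
#define TFTP_DEFAULT_BLKSIZE 512
#define TFTP_MIN_BLKSIZE     8        /* RFC 2348 range */
#define TFTP_MAX_BLKSIZE     65464

struct tftp_session {
    size_t requested_blksize;   /* blksize the client proposed in its request */
    size_t blksize;             /* value in effect for DATA packets */
    size_t bufsize;             /* capacity of buf */
    unsigned char *buf;         /* receive buffer, initially 512 bytes */
};

struct tftp_session *tftp_session_new(size_t requested_blksize)
{
    struct tftp_session *s = calloc(1, sizeof *s);
    if(!s) return NULL;
    s->requested_blksize = requested_blksize;
    s->blksize = TFTP_DEFAULT_BLKSIZE;
    s->bufsize = TFTP_DEFAULT_BLKSIZE;
    s->buf = malloc(s->bufsize);
    if(!s->buf) { free(s); return NULL; }
    return s;
}

void tftp_session_free(struct tftp_session *s)
{
    if(s) { free(s->buf); free(s); }
}

/* Constructed OACK packet: opcode 6, then "blksize\0<value>\0". Returns length. */
size_t tftp_build_oack_blksize(unsigned char *out, const char *value)
{
    size_t vlen = strlen(value) + 1;
    out[0] = 0; out[1] = TFTP_OPCODE_OACK;
    memcpy(out + 2, "blksize", 8);
    memcpy(out + 10, value, vlen);
    return 10 + vlen;
}

/* Walk the NUL-separated name/value pairs of an OACK and return the blksize
 * option as a number. False for a malformed packet or when blksize is absent.
 * (Option names are compared case-sensitively here for brevity.) */
static bool tftp_parse_oack_blksize(const unsigned char *pkt, size_t len,
                                    unsigned long *out)
{
    if(len < 2 || pkt[0] != 0 || pkt[1] != TFTP_OPCODE_OACK) return false;
    size_t pos = 2;
    while(pos < len) {
        const char *name = (const char *)pkt + pos;
        const unsigned char *nul = memchr(pkt + pos, 0, len - pos);
        if(!nul) return false;                        /* unterminated name */
        pos = (size_t)(nul - pkt) + 1;
        if(pos >= len) return false;                  /* name without value */
        const char *val = (const char *)pkt + pos;
        nul = memchr(pkt + pos, 0, len - pos);
        if(!nul) return false;                        /* unterminated value */
        pos = (size_t)(nul - pkt) + 1;
        if(strcmp(name, "blksize") == 0) {
            char *end;
            unsigned long v = strtoul(val, &end, 10);
            if(end == val || *end != '\0') return false;
            *out = v;
            return true;
        }
    }
    return false;
}

/* Behaviour the report describes: the server's blksize is adopted without
 * being checked against the 512-byte buffer, which is never grown. */
int tftp_apply_oack_vulnerable(struct tftp_session *s, const unsigned char *pkt,
                               size_t len)
{
    unsigned long v;
    if(!tftp_parse_oack_blksize(pkt, len, &v)) return -1;
    s->blksize = v;
    return 0;
}

/* Hardened: enforce the RFC 2348 range, refuse a value larger than the one
 * we proposed (the server may only lower it), grow the buffer first. */
int tftp_apply_oack_checked(struct tftp_session *s, const unsigned char *pkt,
                            size_t len)
{
    unsigned long v;
    if(!tftp_parse_oack_blksize(pkt, len, &v)) return -1;
    if(v < TFTP_MIN_BLKSIZE || v > TFTP_MAX_BLKSIZE) return -1;
    if(v > s->requested_blksize) return -1;
    if(v > s->bufsize) {
        unsigned char *nb = realloc(s->buf, v);
        if(!nb) return -1;
        s->buf = nb;
        s->bufsize = v;
    }
    s->blksize = v;
    return 0;
}

/* DATA handling: copies up to blksize bytes into buf. Returns -1 instead of
 * letting memcpy() run past the buffer; that is the state in which the real
 * bug corrupts the heap. */
long tftp_receive_data(struct tftp_session *s, const unsigned char *data, size_t dlen)
{
    size_t n = dlen < s->blksize ? dlen : s->blksize;
    if(n > s->bufsize) return -1;
    memcpy(s->buf, data, n);
    return (long)n;
}
```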
Nextcloud: Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes
A vulnerability was discovered in the style sanitizer of Roundcube Webmail that allowed bypassing the sanitizer using CSS character escapes. This enabled the use of arbitrary inline CSS, such as the `url()` function, which could be used to retrieve the IP address and user agent of the person reading...
curl: Infinite loop issue in the state machine of the curl project
Summary: Vulnerability impact: When curl attempts to download files from a malicious FTP server, it triggers an infinite loop in code execution. I discovered this issue in the FTP functionality of the curl project. As described in...
curl: runs javascript on powershell when it shouldn't
On Windows, if I run curl in PowerShell for a script that should show alert(1), it just executes the script when it shouldn't. I did not use AI to find or report this bug. Affected version: on CMD I ran curl --version: curl 8.16.0 (Windows) libcurl/8.16.0 Schannel zlib/1.3.1 WinIDN; on PowerShell it...
U.S. Dept Of Defense: Cross-Site Scripting via URL on ████████
A Cross-Site Scripting (XSS) vulnerability was discovered on a specific system through the GET method. The vulnerability allowed the injection of malicious scripts that could be executed. The provided payload demonstrated the vulnerability. The system host and affected products and versions were no...
curl: Arbitrary free in curl's config file parsing.
Summary: arbitrary free leading to possible double-free / use-after-free / memory corruption, depending on the program and what we can do after freeing the pointer we control. Statement clarifying if an AI was used to find the issue or generate the report: Yes, I used AI to list...
curl: Out-of-bounds read in HTTP method handling causes undefined behavior and potential crash This is sharp, Gaurav. We’ve got a real memory-safety bug ins
Summary - Component: libcurl core HTTP handling (HTTP/2 request translation and CONNECT detection) - Type: out-of-bounds read resulting from missing null-termination - Impact: behaviour not defined by the specification; the program can crash (DoS) and CONNECT requests can be...
Revive Adserver: Username Validation Bypass
Cricetinae Executive Summary: The security patch in commit d239a0845e4f64fbacd25fff2854426734d43aa2 is INSUFFICIENT. Testing confirms that 3 out of 4 exploit vectors still bypass validation. --- Vulnerability Details: Affected Component: Username validation in user registration/creation. File:...
curl: [SFTP] TOCTOU Race Condition in Upload Resume Logic Leads to Arbitrary File Append
Summary: A Time-of-check to Time-of-use (TOCTOU) race condition exists in the SFTP upload resume functionality of libcurl. When resuming an upload with CURLOPT_RESUME_FROM set to -1 (the equivalent of the curl -C - command-line flag), libcurl first performs a STAT operation to determine the remote file...
IBM: Path Traversal vulnerability identified on IBM endpoint.
A Path Traversal vulnerability was identified on an IBM endpoint. The vulnerability was reported to IBM, analyzed, and has been remediated...
curl: Double free in tool_ssls_load()
Summary: There is a double-free bug in tool_ssls_load(), which can happen at lines 83-84 or 129-130 of tool_ssls.c: `curl_free(shmac); curl_free(sdata);` The root cause is that lines 83-84 do not reset shmac and sdata to NULL. If the session is malformed, the double-free will be triggered. No AI was used to fin...
curl: Double-free vulnerability in libcurl with rustls via NoServerCertVerifier condition leads to application crash
Summary: There is a double-free in libcurl with rustls. The root cause is reported and it is fixed in https://github.com/curl/curl/pull/19425, while I did not try to evaluate the actual triggering at that time. No AI was used to find the issue or generate the report. Affected version It was...
curl: Incorrect sizeof() in Rustls Backend Memory Allocation
Summary: There's a bug in lib/vtls/rustls.c where malloc uses sizeof(ciphersuites) instead of sizeof(*ciphersuites). This allocates memory based on pointer size rather than element size. Steps To Reproduce: 1. Look at lib/vtls/rustls.c line 530: `const struct rustls_supported_ciphersuite **ciphersuites = ...`
AWS VDP: Command Injection on Amazon Q Developer CLI via malicious .amazonq/mcp.json leads to arbitrary code execution
Asset URL: https://github.com/aws/amazon-q-developer-cli/ Summary: Running Q chat from Amazon Q Developer CLI from an attacker-controlled repository/directory that contains a crafted .amazonq/mcp.json enables arbitrary command injection/execution. Amazon Q Developer CLI automatically loads and...
curl: Off-by-One Buffer Overflow in SMB Path Handler
Summary: Found an off-by-one buffer overflow in lib/smb.c when handling SMB file paths. The bounds check uses `>` instead of `>=`, allowing a path of exactly 1023 bytes to overflow the 1024-byte buffer by one byte when the null terminator is added. Details: File: lib/smb.c; Function: smb_send_open; Lines: 784...
curl: Malicious server forces .curlrc creation via curl -OJ leading to local file exfiltration
Summary: When a user runs curl -OJ, a malicious server can force the response to be saved as .curlrc in the working directory. If the user executes the download from their home directory (a common workflow), the attacker overwrites ~/.curlrc. Subsequent curl invocations automatically load this...
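Added example (not curl's -OJ implementation; illustrative C): a minimal Content-Disposition filename extractor and the policy check that the summary implies is missing, refusing dot-files, path separators and control characters, with a fallback to the URL-derived name when the server's choice is rejected. The header values and names in the tests are constructed; the parser handles only the plain `filename=` form, not RFC 5987 `filename*=`.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Extract the filename parameter from a Content-Disposition value. Handles
 * `filename="..."` and bare `filename=...`, stopping at the closing quote or
 * at ';' / whitespace. Returns the length written, or -1 if absent/too long. */
int cd_extract_filename(const char *hdr, char *out, size_t outlen)
{
    const char *p = strstr(hdr, "filename=");
    if(!p) return -1;
    p += strlen("filename=");
    bool quoted = (*p == '"');
    if(quoted) p++;
    size_t o = 0;
    while(*p) {
        if(quoted ? *p == '"' : (*p == ';' || isspace((unsigned char)*p))) break;
        if(o + 1 >= outlen) return -1;
        out[o++] = *p++;
    }
    out[o] = '\0';
    return (int)o;
}

/* Policy: a server-chosen name may not be a dot-file (".curlrc", ".bashrc"),
 * may not contain a path separator or drive/traversal component, and may not
 * carry control characters. Empty, "." and ".." are caught by the first test. */
bool cd_filename_safe(const char *name)
{
    if(name[0] == '\0' || name[0] == '.') return false;
    if(strpbrk(name, "/\\:")) return false;
    for(const unsigned char *q = (const unsigned char *)name; *q; q++)
        if(*q < 0x20 || *q == 0x7f) return false;
    return true;
}

/* Output name for a -OJ style download: the server's filename only when it
 * passes the policy, otherwise the name derived from the URL. */
const char *oj_output_name(const char *cd_header, const char *url_fallback,
                           char *scratch, size_t scratchlen)
{
    if(cd_header && cd_extract_filename(cd_header, scratch, scratchlen) > 0
       && cd_filename_safe(scratch))
        return scratch;
    return url_fallback;
}
```

Whatever the download tool's own policy is, the defensive habit on the user side is to run -OJ in a scratch directory rather than $HOME, and to treat a server-chosen name as untrusted input in the same way as the response body.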
AWS VDP: Unlimited Reuse of Coupon Code Allows Free Shipping on All Orders on ██████████
A vulnerability was found in the coupon code system of the ██████████ online store. The coupon code for free shipping could be used multiple times on any number of orders without any restrictions or tracking. This allowed users to bypass shipping charges indefinitely, resulting in a direct...
M&T Bank Vulnerability Disclosure: HTML Injection in Emails on login.mtb.com via givenName parameter leads to phishing attacks
A vulnerability was found that allowed HTML injection in emails on login.mtb.com via the givenName parameter. This vulnerability could have enabled phishing attacks...
Django: ASGIRequest header concatenation quadratic CPU DoS on Django via repeated headers leads to worker exhaustion
ASGIRequest header concatenation quadratic CPU DoS. Reporter: Jiyong Yang / BAEKSEOK University. Target: Django (current main; affects all versions with ASGI support). Type: Denial of Service (CPU exhaustion). Summary: django.core.handlers.asgi.ASGIRequest builds the META dictionary by iterating over the...
Cosmos: Economic DoS (Griefing) on IBC Relayers via `memo` Callback Gas Exploitation
Summary of Impact This vulnerability allows an attacker to bypass the relayer's simulation defense and force permissionless relayers to execute computationally expensive, but 'successful', transactions via the memo callback feature. This creates an asymmetric economic attack where the relayer's...
Cloudflare Public Bug Bounty: AI Playground XSS to steal user-chat messages and access to connected MCP Server
A reflected XSS vulnerability was discovered in the AI Playground OAuth handler due to unescaped interpolation of the error_description parameter into a script tag. The issue has been patched, and users of the open-source Agents SDK should upgrade to v0.3.10...
Django: User enumeration via timing attack in Django mod_wsgi authentication backend leads to account discovery
A vulnerability was discovered in the check_password function in django/contrib/auth/handlers/modwsgi.py. When a non-existent username was provided, the function returned immediately without performing password verification, leading to a timing attack that allowed attackers to enumerate valid...
Cloudflare Public Bug Bounty: [Variation of #3321406] YetAnother 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in AccessTempAuth
A vulnerability in Cloudflare Access involving the Browser Isolation email field was discovered, which could allow for unauthorized approvals within the Temporary Auth workflow. The issue has been fully remediated...
LY Corporation: page.line.me Open Redirect Leading to OAuth Authorization Code Exposure and Access Token Compromise
An open redirect vulnerability was identified in page.line.me because redirect destinations were not properly restricted to trusted domains. This vulnerability could have been abused within an OAuth 2.0 authorization flow to cause the authorization response to be sent to an attacker-controlled...
lemlist: Authentication Token Theft via Open Redirect in Callback URL Parameter
A vulnerability was identified in the email signup flow of a website that enabled authentication token theft through manipulation of the callback URL parameter. The vulnerability occurred when an attacker modified the callbackUrl parameter during the email signup process to point to an...
curl: Hash exposed in public repository
An image hash is publicly exposed on GitHub. Steps to reproduce: see https://github.com/curl/curl/blob/master/Dockerfile. Solution: If you want to keep the hash, the repository should be private. Use official tags without specific hashes or environment variables. Best, @skymander. Impact: An attacke...
AWS VDP: AWS Auto Scaling Service Reporting "AWS Internal" for CloudTrail Events Generated from Specific Endpoints
A vulnerability was discovered in the AWS Auto Scaling service, where 6 API endpoints incorrectly reported the user-agent and network information as "AWS Internal" in CloudTrail logs. This allowed an adversary to perform API calls using these endpoints and evade the logging of their IP address a...
AWS VDP: Non-Production API Endpoints for the AI Ops Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration
The report found that there are 5 non-production endpoints for the AI Ops service that can be used with standard IAM credentials and do not log to CloudTrail. While the endpoints do not appear to provide access to customer partition data, they can be used for permission enumeration without...
curl: libcurl FTP path normalization flaw allows decoded %2e%2e → CWD .. and directory escape (Path Traversal, CWE-22)
ftp_parse_url_path in lib/ftp.c URL-decodes FTP path segments (e.g. %2e%2e) and then splits the decoded path into components using an ad-hoc loop that skips empty components produced by `//`. The code does not perform canonical path normalization (no stack-based handling of `.` or `..`). As a result, encoded...
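Added example (not lib/ftp.c; illustrative C): a percent-decoder plus the two splitting strategies the summary contrasts. ftp_path_naive() decodes and then splits on '/', dropping the empty components that `//` produces, so a decoded `..` is handed on as a CWD argument; ftp_path_checked() applies stack-based normalisation after decoding and rejects a `..` that would climb above the starting directory. The paths are constructed; the 1024-byte decode buffer and the component limits are arbitrary choices.

```c
#include <ctype.h>
#include <string.h>

#define FTP_MAX_COMPS    16
#define FTP_MAX_COMP_LEN 64

struct ftp_path {
    int n;                                      /* number of CWD components */
    char comp[FTP_MAX_COMPS][FTP_MAX_COMP_LEN];
};

static int hexval(int c)
{
    if(c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if(c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode in -> out. Returns -1 on a truncated escape, an embedded NUL
 * (%00) or when the result would not fit; in[1]/in[2] are only read while the
 * previous byte was not the terminator. */
static int pct_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for(; *in; in++) {
        int c = (unsigned char)*in;
        if(c == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if(hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            in += 2;
        }
        if(c == 0 || o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Shared part: decode, then split on '/' dropping empty components (strtok()
 * merges adjacent separators, matching the "skips //" behaviour). Each
 * component goes to `push`, which decides what to do with ".", ".." and the rest. */
typedef int (*comp_handler)(struct ftp_path *p, const char *tok);

static int ftp_split(const char *path, struct ftp_path *p, comp_handler push)
{
    char dec[1024];
    if(pct_decode(path, dec, sizeof dec) < 0) return -1;
    p->n = 0;
    for(char *tok = strtok(dec, "/"); tok; tok = strtok(NULL, "/"))
        if(push(p, tok) < 0) return -1;
    return p->n;
}

static int push_raw(struct ftp_path *p, const char *tok)
{
    if(p->n >= FTP_MAX_COMPS || strlen(tok) >= FTP_MAX_COMP_LEN) return -1;
    strcpy(p->comp[p->n++], tok);
    return 0;
}

/* Behaviour described in the report: "." and ".." pass straight through and
 * become CWD arguments, so "%2e%2e" climbs out of the starting directory. */
int ftp_path_naive(const char *path, struct ftp_path *p)
{
    return ftp_split(path, p, push_raw);
}

static int push_normalised(struct ftp_path *p, const char *tok)
{
    if(strcmp(tok, ".") == 0) return 0;           /* no-op component */
    if(strcmp(tok, "..") == 0) {
        if(p->n == 0) return -1;                  /* would climb above the root */
        p->n--;
        return 0;
    }
    return push_raw(p, tok);
}

/* Hardened: canonical stack-based normalisation after decoding; a ".." with
 * nothing left to pop is rejected instead of being sent to the server. */
int ftp_path_checked(const char *path, struct ftp_path *p)
{
    return ftp_split(path, p, push_normalised);
}
```

Normalising after decoding is the important ordering: a normaliser that runs on the raw URL text never sees the `..` that `%2e%2e` turns into.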
curl: Silent TLS Trust Model Hijacking via `CURL_CA_BUNDLE` Environment Variable Leads to MITM
Summary: curl is vulnerable to silent Man-in-the-Middle (MITM) attacks due to its design, which implicitly trusts the CA certificate path specified in the CURL_CA_BUNDLE environment variable. This mechanism allows the entire TLS trust model (chain of trust) of curl to be hijacked without any warning or...
curl: Command Injection - CRITICISM
Description: The $openssl code in curl 8.17.0.1 allows exploitation. Steps to reproduce: 1. Extract and install curl on Windows. 2. See the code in mk-ca-bundle. Affected: curl 8.17.0.1; OS: Windows 11/10/8. Analysis assisted by: DeepSeek. Perl: `` $result = `"$openssl" dgst -r -sha256 "$0"`; `` Problem: The $0...
curl: Arbitrary Configuration File Inclusion: via External Control of File Name or Path
Summary: The Arbitrary Configuration File Inclusion (ACFI) vulnerability was identified in the curl utility via the --config option. This flaw is a form of External Control of File Name or Path (CWE-73), occurring due to the lack of adequate validation on the user-supplied configuration file path. An...
curl: SMTP CRLF Injection in curl/libcurl via MAIL FROM/RCPT TO parameters
SMTP CRLF Injection Vulnerability in curl/libcurl Vulnerability ID: CURL-SMTP-CRLF-2024 CWE-93: Improper Neutralization of CRLF Sequences Executive Summary curl/libcurl contains a CRLF injection vulnerability in its SMTP implementation that allows attackers to inject arbitrary SMTP commands by...
curl: Unsafe use of strcpy in Curl_ldap_err2string (packages/OS400/os400sys.c) — stack-buffer-overflow (PoC + ASan)
I've provided the detailed description and clear steps previously, but it seems you need the content tailored directly for the submission form's fields. I will present the complete, professional, and detailed response suitable for reporting a memory corruption vulnerability to a vendor or bug...
Rocket.Chat: Open Redirect in Rocket.Chat
An open redirect vulnerability was identified in Rocket.Chat. The /saml/sloRedirect/:provider endpoint included the redirect query string value directly in the Location header for a 302 redirect without any server-side validation. This issue was fixed in v8.4.0...