Imgur: xss reflected on imgur.com
Steps to reproduce: - I log in to my account and navigate to view another profile - I intercept the request, then click Give Emerald F1115658. The request looks like: POST /account/v1/gifting/purchase?clientid=546c25a59c58ad7 HTTP/1.1 Host: api.imgur.com User-Agent: Mozilla/5.0 X11; Linux x86_64; rv:83.0...
LY Corporation: DoS of LINE client for Android via message containing multiple unicode characters (0x0e & 0x0f)
Due to improper Unicode character processing, the recipient's LINE client for Android may terminate abnormally when an attacker sends large quantities of the Unicode characters 0x0e and 0x0f and the recipient opens the message containing them...
MTN Group: Developer Mistake
Check this path https://mtn.cm/components/ Impact Admin Mistake...
U.S. Dept Of Defense: Full account takeover on https://████████.mil
Description: The flow in the application is to sign up and wait for an email containing a one-time password; as soon as you log in using that password, it asks you to change it. I took that password change request and applied it to any email, changing their password, and it worked. Steps to reproduce: 1- Copy...
Mail.ru: XSS on the "Create driver" page [city-mobil.ru/taxiserv]
Stored XSS on city-mobil.ru/taxiserv driver page via firstname and lastname of driver...
Automattic: GET /api/v2/url_info endpoint is vulnerable to Blind SSRF
Summary: The GET /api/v2/url_info endpoint is vulnerable to Blind SSRF. I am able to hit both internal and external services via the url parameter by replacing it with an internal or external URL. Platforms Affected: https://www.tumblr.com/ Steps To Reproduce: 1. Login to https://www.tumblr.com/ 2. Follow any...
Stripo Inc: Permanent DOS for new users!
Summary: Hi team, it's me, Akash Hamal, and while testing the my.stripo.email website, which is in scope of your program, I was able to permanently DOS any new mail user who might use your service in the future, so they won't be able to use it! While registering on my.stripo.email there are three fields...
U.S. Dept Of Defense: Reflected XSS on ███
Summary: Reflected XSS on █████████ for invalid paths. Description: Requesting a non-existent path on █████, such as https://██████████/chron0x, the site responds with No jsonpage404 is /chron0x versus /chron0x./chron0x does not exist. As can be seen, the path is reflected. This can be exploited...
U.S. Dept Of Defense: PII Information Leak at https://████████.mil/
Summary: While making use of some recon techniques I came across this file, which is leaking PII information publicly on the Internet. In the description section, I explain the contents of the file and why it shouldn't be public like this. Description: The file in the POC section contains more...
Ruby on Rails: Regex Injection from request header (Rack::Sendfile, send_file)
I have confirmed that Rack::Sendfile and the Rails sendfile that handles it have a problem handling custom request headers. It is expected that the X-Sendfile-Type and X-Accel-Mapping headers will be sent from nginx, but these headers can also be sent from a user agent such as a browser. This...
VK.com: XSS in the call name
XSS in the call snippet. The vulnerability allowed executing a script on the user's side by calling them...
VK.com: Privacy bypass for photos/documents
Viewing certain photos and documents via wiki pages. An interesting bug in wiki pages made it possible to retrieve almost any private photo and any private document...
Mail.ru: Bypass the reverse proxy. Request admin
Incorrect configuration of nginx led to path restrictions bypass...
MTN Group: Unauthenticated Arbitrary File Deletion (CVE-2020-3187)
Summary: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a...
Acronis: Acronis True Image (Windows) does not validate server certificate on a TLS connection
Acronis True Image prior to 2021 Update 4 for Windows, Acronis True Image prior to 2021 Update 5 for Mac did not implement SSL certificate validation. The issue was assigned CVE-2021-32581. We have seen no signs of the exploitation of this vulnerability...
Helium: SSRF By adding a custom integration on console.helium.com
A Server Side Request Forgery vulnerability was found in the Add a custom Integration feature on console.helium.com. By creating a custom HTTP integration, and setting the integration endpoint to http://169.254.169.254/latest/meta-data private meta-data from the AWS EC2 instance running can be...
Stripo Inc: No rate limiting for confirmation email lead to huge Mass mailings
This report is based on 997070. Issue Description: No rate limit means there is no mechanism to protect against the requests you make in a short frame of time. If the repetition doesn't give any error after 50, 100, 1000 repetitions, then there will be no rate limit set. Vulnerable has registered in...
Mail.ru: [supportlocal.delivery-club.ru] Subdomain Takeover
It was possible to claim unused delivery-club.ru subdomain delegated to external cloud service...
Automattic: Stored XSS in wordpress.com
Summary: Hello Team, I found a Stored XSS vulnerability in the Custom Style section. This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the...
PortSwigger Web Security: HTML Injection in Swing can disclose netNTLM hash or cause DoS
The vulnerability is like an SSRF but on the client side, where an attacker can force an unsolicited hidden request made by Burp Suite when the victim performs some actions. During normal browsing to a website through Burp Suite Pro or Community, if the website makes a request with HTML code in a...
ownCloud: Protocol Smuggling over LDAP password field
Privileges required: Admin. Hi, the "user_ldap" plugin can be leveraged to interact with internal services over various protocols. The LDAP password field can be exploited with newline chars \r\n in order to communicate with protocols like SMTP, Redis and, generally speaking, with all services that speak...
GitHub Security Lab: [javascript] CWE-614: CodeQL query to detect if cookies are sent without the flag secure being set
This bug was reported directly to GitHub Security Lab...
VK.com: Reflected XSS in /video
XSS in video search. XSS in the date, len and order parameters when searching videos with those parameters specified...
Mail.ru: subdomain takeover disney.samokat.ru
Unused disney.samokat.ru subdomain was delegated to readymag.com and not claimed...
GitHub Security Lab: Java: CWE-600 Uncaught servlet exception
This bug was reported directly to GitHub Security Lab...
Mail.ru: [com.icq.mobile.client] Any third-party application can send an arbitrary message on behalf of the user
ICQ for Android could be tricked by a malicious local application into sending a message on behalf of the user...
U.S. Dept Of Defense: Insecure ███████ credentials on staging app at ████ leads to application takeover
Summary: A ██████████ application called "████" has an old endpoint that accepts insecure/test ████████ credentials despite being a publicly-accessible IP. This endpoint also provides the ability to view information that may be FOUO, to exfiltrate information on registered personnel or contractor...
Automattic: [intensedebate.com] No Rate Limit On The report Functionality Lead To Delete Any Comment When it is enabled
Hello. Summary: I have found a no-rate-limit issue on the report functionality. When you enable the report functionality on your site, you can set a number of reports before the reported comment is deleted. By default, this functionality is disabled, but if you enable it and set a $x number of...
Engel & Völkers Technology GmbH: Blind SSRF on infodesk.engelvoelkers.com via proxy.php
Summary: The application has a proxy.php file which basically accepts a parameter via a URL query parameter and passes it to fopen. However, it doesn't validate the parameter value prior to passing it to fopen, making it possible to influence what's being done. That said, because of code following...
Reddit: XSS Reflected on reddit.com via url path
Hi, I found an XSS-R. To reproduce the issue, please click the PoC link and then press the "verify email" button. PoC: https://www.reddit.com/verification/asd',%20alertdocument.location,%20%27 Impact: With the help of XSS an attacker can steal your cookies, in many cases steal sessions, download malwar...
U.S. Dept Of Defense: Blind Stored XSS Payload fired at the backend on https://█████████/
Summary: I have just gotten an email notification from my XSSHunter payload that my blind stored XSS has been triggered by an administrator on the █████████ site, in the following URL: javascript https://█████/████ Admin IP address: ████████ User-Agent: █████████ Cookies: javascript ██████...
Kubernetes: Code Injection via Insecure Yaml.load
Report Submission Form Summary: The Kubernetes repo and tool, test-infra, uses the insecure yaml.load function to set or update the Gubernator configuration with a yaml file which allows for code injection. Vulnerable Line of Code:...
Top Echelon Software: Public and secret api key leaked in JavaScript source
Summary: While surfing the bb3jobboard.topechelon.com website, I found sensitive data, including an authentication key, written in a publicly accessible JavaScript file. Vulnerable URL: https://bb3jobboard.topechelon.com/!/search?page=1 Steps To Reproduce: Open...
U.S. Dept Of Defense: PHP info page disclosure
Summary: phpinfo is a debug function that prints out detailed information on both the system and the PHP configuration. Step-by-step Reproduction Instructions: 1. Go to https://███████phpinfo Impact: An attacker can obtain information such as: • Exact PHP version. • Exact OS and its version...
Azbuka Vkusa: Endpoint without access control leads to order informations and status changes
Closed...
Automattic: [sub.wordpress.com] - XSS when adjust block Poll - Confirmation Message - On submission:Redirect to another webpage - Redirect address:[xss_payload]
Summary: Dear WordPress Team, today when I tried to create a post with the "Poll" block, I found at Poll Block - Confirmation Message - On submission: Redirect to another webpage - Redirect address: [xss_payload]. At the Redirect address line, I can save javascript:alert(document.cookie) as a URL...
GitHub Security Lab: codeql-go: Expand Go standard library taint-tracking models to 63 packages, 554 models and 733 tests (from ~13 packages, ~103 models, ~50 tests)
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [javascript] CWE-90: CodeQL to detect LDAP Injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java : add fastjson detection. Improve RemoteFlowSource class, support SpringMvc
This bug was reported directly to GitHub Security Lab...
Basecamp: Bypass Tracking Blocker Protection Using Slashes Without Protocol On The Image Source.
Summary: - Some Way Has Been Discovered To Bypass Image Rewriting On HeyMail Using Slashes Without Protocol /\www.evil.com That Allows Bypassing Tracking Blocker And Collect Users Information Via Emails. Description: - While Searching I Found That The Image Rewriting Function On Heymail Could Be...
U.S. Dept Of Defense: Sensitive data exposure via https://███/secure/QueryComponent!Default.jspa - CVE-2020-14179
Summary: Information Disclosure vulnerability in outdated Jira. Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the...
Nextcloud: Two-factor authentication enforcement bypass
The attacker could bypass the two-factor authentication enforcement. Steps to reproduce: 1. Login with an Administrator account. 2. Click on your administrator profile icon. 3. Users - Add group - group name: Enforcement. 4. New User - Username: Bypass - Password: NextCloudEnforcement - Add User in...
VK.com: Path Traversal in the iOS application
Transfer of files from the internal directory of the iOS application. Through an attack it was possible to steal files from the internal directory of the iOS application...
U.S. Dept Of Defense: PII Leak of ████████ Personnel at https://www.█████████
Hello DoD Team, Summary: PII of approx. 1000 personnel is being disclosed through the PDF at https://www.████████ which had been uploaded on the 7th of October; this includes personal phone numbers and email addresses. Description: The list presented at the "████████" contains personal info suc...
Automattic: [intensedebate.com] Open Redirect
Hello. Summary: I have found an Open Redirect on https://intensedebate.com//fb-connect/logoutRedir.php?goto=, where the parameter $_GET['goto'] is reflected into the HTTP response header Location. HTTP Request: GET /fb-connect/logoutRedir.php?goto=\http://\ HTTP/1.1 Host: intensedebate.com User-Agent:...
Mail.ru: Stored XSS on the "Mail" page [city-mobil.ru/taxiserv]
Stored XSS on city-mobil.ru/taxiserv mail page via firstname and lastname of driver...
Mail.ru: Stored XSS on the "Edit client" page, "History" tab [city-mobil.ru/taxiserv]
Stored XSS on city-mobil.ru/taxiserv driver page via firstname and lastname of driver...
Mail.ru: Stored XSS on the "Edit driver" page [city-mobil.ru/taxiserv]
Stored XSS on city-mobil.ru/taxiserv driver page via firstname and lastname of driver...
Mail.ru: Stored XSS on the "Edit client" page [city-mobil.ru/taxiserv]
Stored XSS on city-mobil.ru/taxiserv client page via firstname and lastname of driver...
Mail.ru: Stored XSS in the driver profile [city-mobil.ru/taxiserv]
Stored XSS on city-mobil.ru/taxiserv driver cabinet via firstname and lastname of driver...