Home
Clickjacking at app.lemlist.com
Account Takeover, Account Deletion and Password Change
### Summary
An attacker can create a Jupyter notebook that will make arbitrary POST requests as the victim user. In the "worst case" an attacker could make an admin create a new admin account for the attacker. Other possible attack vectors are forcing invites to private projects etc. Every POST request is possible.
This research is loosely based on the issue with Rails Ujs data-* parameters....
CVE-2022-22954, one of several recently published VMware vulnerabilities, is being exploited in the wild. Read our observations and recommendations.
Pwn2Own Vancouver for 2022 is underway, and the 15th anniversary of the contest has already seen some amazing research demonstrated. Stay tuned to this blog for updated results, picture, and videos from the event. Well be posting it all here - including the most recent Master of Pwn leaderboard.
Posted by GKE and Anthos Platform Security Teams At the KubeCon EU 2022 conference in Valencia, security researchers from Palo Alto Network...
Huawei Baseband Memory Access Permission Bypass And DMSS Memory Access Management Configuration Unathorized Rewrite Via LPMCU
Huawei Peripheral DMA Memory Access Permission Bypass
Huawei DMSS Memory Access Management Configuration Unathorized Rewrite Via ASP DMA
Huawei OTA Insecure SSL Configuration Man-In-The-Middle Vulnerability
Huawei Recovery Update Zip Signature Verification Bypass
Huawei DMSS Memory Access Management Configuration Unathorized Rewrite Via Peripheral DMA
Huawei Baseband MPU Security Protection Bypass via EDMA
Huawei Kernel Memory Access Permission Bypass via EDMA
Welcome to Pwn2Own Vancouver 2022! This year marks the 15th anniversary of the contest, and we plan on celebrating by putting some amazing research on display. For this years event, we have 17 contestants attempting to exploit 21 targets across multiple categories. As always, we began our contest w
## Summary:
In one of my previous reports i send parameter tampering report vulnerability. Then you asked me to send PoC and you just closed it, that's why i'm sending you this new report with exactly name of vulnerability. Integer Overflows are closely related to other conditions that occur when manipulating integers. An Integer Overflow is the condition that occurs when the result of an...
## Summary:
Hello Team,
I truly hope it treats you awesomely on your side of the screen :)
due to improper handling of payment methods, an attacker can easily bypass the payment and benefit from a paid plan.
## Steps To Reproduce:
1. Log to your account
1. Go to the billing page
1. Fill in the address tab
1. Go to the next tab `Payment Card`
1. ==Now the interesting step Make sure you don't...
Information about 0-days exploited in-the-wild!
Discovered by Piotr Bania of Cisco Talos. Summary A memory corruption vulnerability exists in the shader DCL_RESOURCE_STRUCTURED functionality of NVIDIA D3D10 Driver, version 496.76, 30.0.14.9676. ...
Discovered by Piotr Bania of Cisco Talos. Summary A memory corruption vulnerability exists in the shader DCL_UNORDERED_ACCESS_VIEW_STRUCTURED functionality of NVIDIA D3D10 Driver version 496.76, 30...
Discovered by Piotr Bania of Cisco Talos. Summary A memory corruption vulnerability exists in the shader dcl_indexable functionality of NVIDIA D3D10 Driver version 496.76, 30.0.14.9676. A specially...
Discovered by Piotr Bania of Cisco Talos. Summary A memory corruption vulnerability exists in the shader DCL_INDEXRANGE functionality of NVIDIA D3D10 Driver version 496.76, 30.0.14.9676. A speciall...
A step-by-step guide on how to hack a web application from an ethical hacker so your security team can better learn what threats to consider.
Reverse engineering and analysis of a fiscal printer device for fun and (real) profit.
## Description :
When we request a magic link to login into the application, and use that same link in multiple browsers, it working there isn't any limit on use of link.
Steps to reproduce :
1. go to app.lemilist.com
2. create a magic link
3. use it to login
4. now open another browser or incognito window
5. use that same magic link
And You'll be logged in in your account.
## Impact
If...
The Edge Rules engine used by Cloudflare Transform Rules features string modifying functions like lower() and concat(), which accepted hexadecimal-encoded characters such as \x0a\x0d. This allowed for manipulation of request headers (e.g. injecting an additional header) and, as a consequence, made HTTP smuggling attack (TE.CL) possible. This vulnerability enabled an attacker to bypass...
The Kwikset/Weiser Kevo line of smart locks support Bluetooth Low Energy (BLE) passive entry through their Touch-to-Open functionality. When a user touches the exterior portion of the lock, the lock checks that an authorized BLE device is exterior to and within a short distance of the smart lock, and then performs a cryptographic handshake over a BLE connection to verify the identity of the device
The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system. This system allows users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate the vehicle, with no user interaction required on the mobile device or key fob. This system infers proximity of the mobile device or key fob based on signal strength (RSSI) and latency measurements of cryptographic challenge-response operations conducted over BLE
NCC Group has developed a tool for conducting a new type of BLE relay attack operating at the link layer, for which added latency is within the range of normal GATT response timing variation, and which is capable of relaying encrypted link layer communications. This approach can circumvent the existing relay attack mitigations of latency bounding or link layer encryption, and bypass localization defences commonly used against relay attacks that use signal amplification.
Description This bug could allow a malicious actor to takeover a Facebook account after stealing a Gmail OAuth id_token/code used to login to Facebook. This happened due to multiple bugs that were ...
## Summary:
I discovered few critical vulnerabilities here, one of them is exposed backup files via directory listing.
## Steps To Reproduce:
go to https://mtn.co.rw/mtn.zip and download the file
extract the file and open
you will see the full backup of the website
## Similar report:
https://hackerone.com/reports/684838
## Impact
Source code & DB credentials leakage. Attacker can use it...
## Summary:
[add summary of the vulnerability]
The uri path error could lead to security filter bypasses.
For example,
we can use curl -vv 'f[h-j]le:///etc/passwd' to bypass file protocol black list
we can use curl -vv 'http://1.1.1.1:[80-9000]' to scan the open port in the host
etc ...
## Steps To Reproduce:
[add details for how we can reproduce the issue]
curl -vv...
Do you ever wonder about the vulnerabilities you've missed? Why didn't they show themselves - and will they be discovered by somebody else later? Certain vulnerabilities have a knack for evading audit
## Summary:
Curl allows injecting cookies over insecure HTTP connection that will then be sent to the target site when connecting over HTTPS.
As documented in lib/cookie.c https://github.com/curl/curl/blob/a04f0b961333e1a19848d073d8c7db9c20b2a371/lib/cookie.c#L1039 this should not be possible:
```
/*
* A non-secure cookie may not overlay an existing secure cookie.
...
Vulnerability research news
Posted by Eugene Liderman and Sara N-Marandi, Android Security and Privacy Team Every year at I/O we share the latest on privacy and secu...
# Summary
The PlayStation has a kernel PPPoE driver, that originates from NetBSD. This driver has a kernel heap overflow vulnerability, that an attacker can remotely trigger over the LAN, with the ability to control both the contents that are overflown and their sizes.
# Technical Details
## PPPoE Protocol
In short, the PlayStation (PS) will:
1. Send a PADI packet.
2. Expect to receive a...
Posted by Daniel Margolis, Software Engineer, Google Account Security Team Every year, security technologies improve: browsers get better ...
EIP-3b20d7b3 A command injection vulnerability exists within the web management interface of the D-Link DIR-1260 Wi-Fi router that allows for unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local ... Read more
Advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-539w-xvpg-wj29
## Summary:
It's possible to take over any priceline.com user's account knowing their email. The only requirement is that the victim's email domain is not registered with Google's Gsuite. The root cause of this issue is that the backend does not verify whether the email provided is a confirmed one.
## Steps To Reproduce:
1. Create Account A (in my case `badca7@wearehackerone.com`) with...
Below are the writeups for two vulnerabilities I discovered in Solana rBPF, a self-described Rust virtual machine and JIT compiler for eBPF programs. These vulnerabilities were responsibly disclosed according to Solanas Security Policy and I have permission from the engineers and from the Solana Head of Business Development to publish these vulnerabilities as shown below.
By applying well-known fuzzing techniques to a popular target, I found several bugs that in total yielded over $200K in bounties. In this article I will demonstrate how powerful fuzzing can be when applied to software which has not yet faced sufficient testing.
CVE-2022-1388 is a critical vulnerability that needs immediate attention. We share observations and strategies for mitigation.
ieeexplore.ieee.org
May 09 2022 @ 6:06 PM
Intra-process memory isolation is a cornerstone technique of protecting the sensitive data in memory-corruption defenses, such as the shadow stack in control flow integrity (CFI) and the safe region in code pointer integrity (CPI). In this paper, we propose SEIMI, a highly efficient intra-process memory isolation technique for memory-corruption defenses. The core is to use the efficient Supervisor-mode Access Prevention (SMAP), a hardware feature that is originally used for preventing the kernel from accessing the user space, to achieve intra-process memory isolation. To leverage SMAP, SEIMI creatively executes the user code in the privileged mode. In addition to enabling the new design of the SMAP-based memory isolation, we further develop multiple new techniques to ensure secure escalation of user code. Extensive experiments show that SEIMI outperforms existing isolation mechanisms, including the Memory Protection Keys (MPK) based scheme and the Memory Protection Extensions (MPX)...
## Summary:
Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
## Impact:
attacker can execute malicious java script and steal cookies
## Steps To Reproduce:
[add details for how we can reproduce the issue]
Hi team ,
Navigate to below url
scroll to page end find a option...