
❈ "Saw 10": Next installment in the serial-killer universe is coming

News: chip.de

"After 'Seven' comes not eight, but 'Saw'" was the advertising slogan for the first installment of the horror film series back then. By now there are already nine installments, and they will soon be joined by a tenth....


Read the full article (external source: https://www.chip.de/news/Saw-10-Naechster-Teil-im-Serienkiller-Universum-kommt_183492339.html)


➤ More posts from Team Security | IT Sicherheit (tsecurity.de)

Automattic: [intensedebate.com] SQL Injection Time Based On /js/commentAction/

Score: 509.24 points
[intensedebate.com] SQLi Time Based On /js/commentAction/ Summary: Hello, I have found a time-based SQL injection on /js/commentAction/. When a user wants to submit/reply to a comment, a JSON payload is sent by a GET request. GET /js/commentAction/?data

HackerOne: Pentester can obtain information about other pentesters who applied for the same test, but weren't accepted

Score: 477.26 points
Hi team, I don't know your policy about pentesters (about their visibility on the platform), but I couldn't find any other pentesters before. 1) For example: GraphQL has the h1_pentester attribute that would explicitly point us to th

h1-ctf: [H1-2006 2020] "Swiss Cheese" design style leads to helping Mårten Mickos pay poor hackers

Score: 364.12 points
Summary: Several vulnerabilities in the bountypay application lead to unauthorised access, information disclosure, SSRF and other fun stuff. Steps To Reproduce: This is how I helped Mårten Mickos pay the poor hackers who had been waiting so long fo

Keybase: SOP bypass using browser cache

Score: 342.3 points
Summary: An attacker has the ability to extract sensitive information from users' accounts, due to a CORS issue. On a minor note, this is also a cross-site leak, as we can fingerprint which exact Keybase user has accessed the attacker'

NordVPN: Disclosure of User Information

Score: 301.29 points
Hi Team, we can get information about the registered users (such as: id, name, login name, etc.) and employees of NordVPN without authentication on https://www.nordvpn.com. Vulnerable URL: https://nordvpn.com/wp-json/wp/v2/users/ Vulnerable URL: https://nordvpn.com/?rest

Apple presents the best of 2018

Score: 290.81 points
Apple presents the best of 2018
The Apps, Games, Music, Movies, TV Shows, Podcasts and More That Shaped Entertainment and Culture Around the World This Year
As the year comes to a close there are so many unanswered questions: Who is

Agoric: Improper Input Validation allows an attacker to "double spend" or "respend", violating the integrity of the message command history or causing DoS

Score: 284.98 points
Summary: Improper Input Validation allows an attacker to "double spend" or "respend", violating the integrity of the message command history or causing DoS. Steps To Reproduce: I was curling random integers and found

CS Money: ReDoS at wiki.cs.money graphQL endpoint (AND probably a kind of command injection)

Score: 284.1 points
Summary: The endpoint /graphql has a vulnerable query operation named "search", to which I can send a malformed regex parameter in order to turn the original regular expression into a regex bomb expression. Payload with a "com

U.S. Dept Of Defense: Self XSS + CSRF Leads to Reflected XSS in https://████/

Score: 281.79 points
Hi Security Team, the form inputs in https://███/ are vulnerable to Self XSS, and the form is also vulnerable to CSRF. When these two bugs are available, an attacker could combine them to perform a Reflected XSS attack. Impact: Reflected XSS, execute JS code

HackerOne: Unauthorized user can obtain `report_sources` attribute through Team GraphQL object

Score: 269.17 points
Summary: Hi team, and Happy New Year! Description: If I am not mistaken, then through this parameter we can identify private programs with an external link. If this parameter is not empty, then the program is private. - ["HackerOne Platform"

Shopify: Ability to publish a paid theme without purchasing it.

Score: 232.99 points
Hi, Description: I kept looking for alternatives to my report #927567 and I found another way to publish a paid theme without having to purchase it. This time the trick is to send the "ThemePublishLegacy" XHR request while the theme is be
