bug-bounty448
google354
xss341
microsoft283
facebook246
apple171
exploit163
rce160
malware102
account-takeover95
cve91
bragging-post84
csrf83
browser77
writeup76
privilege-escalation68
react60
authentication-bypass57
cloudflare54
dos53
node52
ssrf51
docker51
phishing50
aws48
access-control47
oauth45
smart-contract45
supply-chain44
ethereum43
defi42
web342
sql-injection41
lfi37
idor35
smart-contract-vulnerability32
vulnerability-disclosure32
web-application31
burp-suite31
reverse-engineering31
clickjacking31
race-condition31
info-disclosure31
wordpress30
cloud29
input-validation29
information-disclosure29
web-security27
solidity27
cors26
0
8/10
A critical RCE vulnerability in Sucuri's server-side scanner was discovered where disabled SSL certificate verification (CURLOPT_SSL_VERIFYPEER=false) allowed a MiTM attacker to inject arbitrary PHP code execution on customer servers. The report also documents Sucuri's poor handling of the disclosure, including six months of silence, underpayment of the bounty, and dismissal of legitimate attack scenarios.
rce
ssl-certificate-validation
mitm-attack
curl-vulnerability
php-code-execution
bug-bounty-program
vulnerability-disclosure
server-side-request-forgery
credential-handling
security-reporting
vendor-response
Sucuri
HackerOne
Julien Ahrens
CURLOPT_SSL_VERIFYPEER
NSA
Google
PCI DSS
0
7/10
vulnerability
TinyCards Android app loaded initial web content over HTTP instead of HTTPS, allowing MITM attackers to inject malicious JavaScript into the WebView and achieve code execution. The vulnerability was fixed in v1.0 (version code 10) by switching to SSL for initial content loading.
content-injection
webview-vulnerability
mitm-attack
android
ssl-bypass
javascript-injection
mobile-security
duolingo
tinycards
CVE-2017-16905
DuoLingo
TinyCards
Google Play Security Reward Program
Nightwatch Cybersecurity
Yakov Shafranovich
wwws.nightwatchcybersecurity.com
·
devanshbatham/Awesome-Bugbounty-Writeups
·
19 hours ago
·
details