Github Security Blog
added 2024/04/04 2:20 p.m. (52 views)

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is incorrect

Impact If an attacker can alter the integrity option passed to fetch, they can make fetch accept responses as valid even if they have been tampered with. Patches Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes have been released in v5.28.4 and v6.11.1...

CVSS 3.5 | AI score 6.5 | EPSS 0.00066
Exploits: 1 | References: 10 | Affected software: 1
Github Security Blog
added 2024/04/04 2:20 p.m. (59 views)

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Impact Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. Patches This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes have been released in v5.28.4 and v6.11.1. Workarounds...

CVSS 4.3 | AI score 4.7 | EPSS 0.00198
Exploits: 0 | References: 10 | Affected software: 1
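The redirect rule the advisory is about, as an added example that is not undici's code: when a redirect target has a different origin (scheme, host or port) than the request, the credential-bearing headers must not travel with it, otherwise anyone who can point a redirect at their own host collects the client's Authorization and Proxy-Authorization values. The header set stripped here (`authorization`, `proxy-authorization`, `cookie`, plus `host`, which is always recomputed) and the 303/POST method change are this example's assumptions, written to follow Fetch's redirect semantics; the request shape `{ method, url, headers, body }` is invented for illustration.

```javascript
// Added example (not undici's code): which headers may follow a redirect.
const CROSS_ORIGIN_SENSITIVE = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Origin = scheme + host + port; URL normalises default ports for us.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// request: { method, url, headers: { Name: value }, body }
// Returns the follow-up request, or null when the redirect must not be followed.
function followRedirect(request, status, location) {
  if (location === undefined || ![301, 302, 303, 307, 308].includes(status)) return null;
  const target = new URL(location, request.url); // Location may be relative
  const crossOrigin = !sameOrigin(request.url, target);

  // Fetch semantics: 303 always becomes GET; 301/302 do so for POST.
  let method = request.method;
  if (status === 303 || ((status === 301 || status === 302) && method === 'POST')) method = 'GET';
  const bodyDropped = method !== request.method;

  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    const lower = name.toLowerCase();
    if (lower === 'host') continue;                               // recomputed for the new target
    if (crossOrigin && CROSS_ORIGIN_SENSITIVE.has(lower)) continue; // the fix this advisory is about
    if (bodyDropped && lower.startsWith('content-')) continue;     // no body, no body metadata
    headers[lower] = value;
  }
  return {
    method,
    url: target.href,
    headers,
    body: bodyDropped ? null : (request.body ?? null),
  };
}

module.exports = { sameOrigin, followRedirect };
```

A port change alone is enough to count as cross-origin, which is why `https://api.example.test` redirecting to `https://api.example.test:8443` loses its Authorization header in this model.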
Hacker One
added 2024/03/30 5:53 p.m. (29 views)

HackerOne: Attachment disclosure via summary report

A critical vulnerability was discovered in the HackerOne platform that allowed an attacker to gain unauthorized access to attachments belonging to other users through the report summary editing functionality. By manipulating attachment IDs in the request, an attacker could view sensitive files th...

AI score 7.2
Exploits: 0
Hacker One
added 2024/03/27 11:54 p.m. (91 views)

Internet Bug Bounty: CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc

A remote code execution vulnerability was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. The vulnerability was caused by the lack of restrictions on the classes that could be restored when parsing .rdoc_options as a YAML file. Additionally, object injection and...

CVSS 4.5 | AI score 7.9 | EPSS 0.02532
Exploits: 0
Hacker One
added 2024/03/27 4:39 p.m. (74 views)

Internet Bug Bounty: CVE-2024-2379: QUIC certificate check bypass with wolfSSL

CVE-2024-2379 was a vulnerability in libcurl's QUIC implementation where certificate verification was skipped under certain conditions when using the wolfSSL library. The vulnerability was caused by an error path that accidentally returned success when encountering unknown or unsupported ciphers ...

CVSS 6.3 | AI score 6.5 | EPSS 0.00205
Exploits: 1
Hacker One
added 2024/03/27 9:50 a.m. (73 views)

Internet Bug Bounty: CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request)

CVE-2024-2466: TLS certificate check bypass with mbedTLS. The vulnerability was reported in libcurl, where it did not check the server certificate of TLS connections made to a host specified as an IP address when built to use mbedTLS. This caused the certificate check to be completely skipped,...

CVSS 6.5 | AI score 6.3 | EPSS 0.00149
Exploits: 1
Hacker One
added 2024/03/21 8:36 p.m. (12 views)

HackerOne: Minor security issue with Hackerone Invitations from sandbox program

The HackerOne team had enabled the "Invite Users" feature to add users to an organization in a sandbox program. When inviting other users through email, there was no warning message in the email stating that the invitation was sent from an unverified program on HackerOne...

AI score 7
Exploits: 0
Hacker One
added 2024/03/21 6:47 p.m. (83 views)

Internet Bug Bounty: Libuv: Improper Domain Lookup that potentially leads to SSRF attacks

The vulnerability in the libuv library was caused by the improper truncation of hostnames to 256 characters before calling the getaddrinfo function. This behavior allowed the creation of addresses like 0x00007f000001, which were considered valid by getaddrinfo, potentially leading to SSRF attacks...

CVSS 7.3 | AI score 7.4 | EPSS 0.002
Exploits: 1
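Why truncating a hostname before resolution defeats a check that ran on the full string, as an added example that is not libuv's code. The resolver behaviour being modelled is inet_aton's single-number IPv4 forms: `0x7f000001` is 127.0.0.1, and because leading zeros are permitted, so is `0x00007f000001`, the shape the advisory mentions. The cut at 256 characters is taken from the advisory's figure and the padding is chosen so the cut lands exactly after the hex digits; `MAX_HOSTNAME`, the private-range filter and the constructed payload are this example's assumptions, and in real code the literal check below would have to run on the resolved addresses as well as on the string.

```javascript
// Added example (not libuv's code): hostname truncation versus an SSRF filter.
const MAX_HOSTNAME = 256; // truncation length described in the advisory (assumption)

// The one-part numeric forms inet_aton accepts: decimal, 0-prefixed octal and
// 0x-prefixed hex, each a 32-bit address. Returns dotted-quad or null.
function parseNumericIPv4(host) {
  let m;
  let value;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(host))) value = parseInt(m[1], 16);
  else if ((m = /^0([0-7]+)$/.exec(host))) value = parseInt(m[1], 8);
  else if (/^[0-9]+$/.test(host)) value = parseInt(host, 10);
  else return null;
  if (!Number.isFinite(value) || value > 0xffffffff) return null;
  return [24, 16, 8, 0].map((s) => (value >>> s) & 255).join('.');
}

// Dotted-quad or single-number IPv4 literal, normalised to dotted-quad; else null.
function ipv4Literal(host) {
  const quad = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (quad) {
    const octets = quad.slice(1).map(Number);
    return octets.every((o) => o <= 255) ? octets.join('.') : null;
  }
  return parseNumericIPv4(host);
}

// Literal-only private/loopback filter. Names (non-literals) return false here;
// a real filter must also check what they resolve to.
function isLoopbackOrPrivate(host) {
  const ip = ipv4Literal(host);
  if (ip === null) return false;
  const [a, b] = ip.split('.').map(Number);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Models the flawed flow: the filter sees the full string, the resolver sees
// only the first MAX_HOSTNAME characters.
function asSeenByResolver(host) {
  return host.slice(0, MAX_HOSTNAME);
}

// Constructed payload: 256 characters the resolver reads as 127.0.0.1, then a
// suffix that makes the full string look like an ordinary public hostname.
function demo() {
  const loopbackHex = '0x' + '0'.repeat(246) + '7f000001'; // 2 + 246 + 8 = 256 chars
  const payload = loopbackHex + '.internal-tools.example';
  return {
    payloadLength: payload.length,
    fullStringLooksPrivate: isLoopbackOrPrivate(payload),            // false: filter passes it
    truncatedResolvesTo: parseNumericIPv4(asSeenByResolver(payload)), // '127.0.0.1'
  };
}

// Hardened pre-check: refuse anything the resolver could not take whole (RFC 1035
// caps a name at 253 visible characters), then filter the exact string resolved.
function safeHostnameForLookup(host) {
  if (host.length > 253) return null;
  if (isLoopbackOrPrivate(host)) return null;
  return host;
}

module.exports = { parseNumericIPv4, ipv4Literal, isLoopbackOrPrivate, asSeenByResolver, demo, safeHostnameForLookup };
```

The fix on the library side is to refuse over-long names instead of shortening them; the fix on the caller side is to validate the very string handed to the resolver and to validate the resolved addresses, not the string a user typed.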
Hacker One
added 2024/03/18 10:49 p.m. (24 views)

HackerOne: Possible PII Disclosure via Advanced Vetting Process - ██████

Possible PII disclosure was identified in the HackerOne Advanced Vetting process. Unauthorized users were able to download a CSV file containing the names, usernames, and other personal details of users who had accepted the Advanced Vetting terms. The issue was observed in a sandboxed program, bu...

AI score 6.9
Exploits: 0
Metasploit
added 2024/03/06 7:51 p.m. (297 views)

GitLab Tags RSS feed email disclosure

An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It is possible to read the user email address via tags feed although the visibility in the user profile has been disabled. Module Options msf use...

CVSS 5.3 | AI score 5.7 | EPSS 0.25617
Exploits: 3
Hacker One
added 2024/03/06 5:33 p.m. (54 views)

HackerOne: View any user email using the Team's audit log section

Vulnerability description not provided...

AI score 7.1
Exploits: 0
OSV
added 2024/03/06 11:10 a.m. (17 views)

BIT-WORDPRESS-2021-39201 Authenticated cross-site scripting (XSS) in WordPress editor

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. Impact The issue allows an authenticated but low-privileged user like contributor/author to execute XSS in the editor. This bypasses the restrictions imposed on users who do n...

CVSS 7.6 | AI score 6.1 | EPSS 0.00495
Exploits: 0 | References: 4
Github Security Blog
added 2024/02/28 10:57 p.m. (30 views)

Rack has possible DoS Vulnerability with Range Header

Possible DoS Vulnerability with Range Header in Rack There is a possible DoS vulnerability relating to the Range request header in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141. Versions Affected: >= 1.3.0. Not affected: < 1.3.0. Fixed Versions: 3.0.9.1, 2.2.8.1 Impact...

CVSS 7.5 | AI score 6.9 | EPSS 0.0041
Exploits: 1 | References: 7 | Affected software: 1
OSV
added 2024/02/27 9:41 p.m. (20 views)

GHSA-8H22-8CF7-HQ6G Rails has possible Sensitive Session Information Leak in Active Storage

Possible Sensitive Session Information Leak in Active Storage There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxi...

CVSS 5.3 | AI score 5.2 | EPSS 0.02363
Exploits: 0 | References: 9
Hacker One
added 2024/02/23 5:22 a.m. (67 views)

PortSwigger Web Security: CSP Bypass and escalation of https://hackerone.com/reports/2279346

Vulnerability description not provided...

AI score 7.1
Exploits: 0
Hacker One
added 2024/02/20 4:22 p.m. (39 views)

HackerOne: Creation of bounties through Customer API leads to private email disclosure

The creation of bounties through the Customer API led to the disclosure of private email addresses. The vulnerability was demonstrated by using both the API and GraphQL requests to award a program bounty to a user, which then exposed the email address of that user in the response...

AI score 6.9
Exploits: 0
Hacker One
added 2024/02/20 7:02 a.m. (6 views)

HackerOne: Ability to identify actual private from sandboxed programs using link hackerone.com/$handle/terms_acceptance_data.csv

The researcher discovered a vulnerability that allowed them to identify private programs on HackerOne by accessing the terms acceptance data CSV file for those programs. The vulnerability was confirmed to exist on HackerOne's own dummy invite-only program, as well as other private programs, but n...

AI score 7
Exploits: 0
Hacker One
added 2024/02/15 9:01 p.m. (27 views)

MTN Group: CVE-2018-0296 Cisco ASA Denial of Service & Path Traversal vulnerable on [mtn.co.ug]

The Cisco Adaptive Security Appliance ASA was affected by a vulnerability in its web interface that could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service condition. In certain software releases, the vulnerability also could ha...

CVSS 7.5 | AI score 7.6 | EPSS 0.94404
Exploits: 18
Hacker One
added 2024/02/15 8:52 p.m. (41 views)

MTN Group: CVE-2010-1429 JBoss Insecure Storage of Sensitive Information on ips.mtn.co.ug

The JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allowed remote attackers to obtain sensitive information about deployed web contexts via a request to the status servlet, as demonstrated by a full=true query string. This issue was caused by a regression fr...

CVSS 7.5 | AI score 7.1 | EPSS 0.94404
Exploits: 27
Hacker One
added 2024/02/13 9:02 a.m. (13 views)

HackerOne: Non Org Admin/Group Manager can create groups in an organization

The report described a privilege escalation vulnerability that allowed a user with "Program Admin" permissions to escalate their privileges to higher levels, such as "Report Manager" or full administrator privileges, under certain circumstances. The vulnerability existed due to a mutation in the...

AI score 7.4
Exploits: 0