Palo Alto Software: IDOR on notes to HTML injection
Summary: A team member with role USER can change the notes of any user, and we are also able to inject some HTML tags. Steps To Reproduce: 1. Log in with role owner and create a note. 2. Log in as a team member with role user. 3. Add a note, capture it with Burp Suite and change the uuid of the note in the PUT...
Shopify: Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation
Hello Shopify, I have found a bug by which I can verify any email on .myshopify.com; the bug is very strange, but it works. I can also take over accounts, but only the ones which do not have SSO. To reproduce, please follow the steps exactly as I have written them, otherwise you will not be able to reprodu...
imagemagick:ping_mvg_fuzzer: Heap-buffer-overflow in DrawPrimitive
Project: https://github.com/imagemagick/imagemagick.git Detailed Report: https://oss-fuzz.com/testcase?key=5681725698211840 Project: imagemagick Fuzzing Engine: libFuzzer Fuzz Target: ping_mvg_fuzzer Job Type: libfuzzer_asan_imagemagick Platform Id: linux Crash Type: Heap-buffer-overflow READ 8 Crash...
skia:svg_dom: Stack-buffer-overflow in SkParse::FindNamedColor
Project: https://skia.googlesource.com/skia.git Detailed Report: https://oss-fuzz.com/testcase?key=5132315302035456 Project: skia Fuzzing Engine: honggfuzz Fuzz Target: svg_dom Job Type: honggfuzz_asan_skia Platform Id: linux Crash Type: Stack-buffer-overflow WRITE 4 Crash Address: 0x7fad59a57330...
CVE-2017-9105
CVE-2017-9105 affects the adns library (before 1.5.2). The issue is that it corrupts a pointer when a nameserver speaks first, due to an incorrect number of pointer dereferences, and the bug may be exploitable for remote code execution. Public assessments across multiple advisories describe this as e...
log4j: improper validation of certificate with host mismatch in SMTP appender
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1...
GitLab: An attacker can run pipeline jobs as arbitrary user
Summary: An attacker can run arbitrary pipeline jobs as a victim user. This means the attacker can access the user's private repositories, member-only repositories, registry, etc. by using the victim's CI_JOB_TOKEN. This is only my recent research and I wanted to report it as soon as possible. I...
CVE-2020-13625
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message...
wirelessync.com Cross Site Scripting vulnerability
Open Bug Bounty ID: OBB-1188764 Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website...
WhatsApp Phone Numbers Pop Up in Google Search Results — But is it a Bug?
UPDATE A researcher is warning that a WhatsApp feature called “Click to Chat” puts users’ mobile phone numbers at risk — by allowing Google Search to index them for anyone to find. But WhatsApp owner Facebook says it is no big deal and that the search results only reveal what the users have chose...
CVE-2020-13765
rom_copy in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation...
CVE-2020-13361
In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write operation...
firestore:firestore_serializer_fuzzer: Crash in pb_release_single_field
Detailed Report: https://oss-fuzz.com/testcase?key=5691535105720320 Project: firestore Fuzzing Engine: afl Fuzz Target: serializerfuzzer Job Type: afl_asan_firestore Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0xfffffffffffffff1 Crash State: pb_release_single_field pb_release pb_decode...
Critical GitLab Flaw Earns Bounty Hunter $20K
A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award. The flaw was reported to GitLab by software developer William Bowling via the HackerOne bug bounty platform on March 23. It was then disclosed...
Elastic: Remote Code Execution in coming Kibana 7.7.0
Summary: Kibana 7.7.0 as of commit c5f682cb is vulnerable to a remote code execution vulnerability that is similar to the one reported in https://hackerone.com/reports/852613. Kibana 7.7.0 is not released, so this is an experiment. I know that getting these reports is more valuable to Elastic pri...
sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference
flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference or incorrect results...
RLSA-2020:1650 Moderate: container-tools:rhel8 security, bug fix, and enhancement update
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation CVE-2019-19921 containers/image: Container images read entire ima...
Important: Red Hat Security Advisory: Ansible security and bug fix update (2.9.7)
An update for ansible is now available for Ansible Engine 2.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...
Brave Software: No rate limiting for confirmation email leads to email flooding and enumeration of emails in publishers.basicattentiontoken.org
There is no brute-force protection here https://publishers.basicattentiontoken.org/publishers when I try to change an account's contact email. Also, the actual thing is that when I put an existing email in the above URL's "publisherpendingemail" parameter I get an error response status 400 Bad Request, but...