5 matches found
Reddit: Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability
Summary: There's no check if the user is moderator of the particular subreddit or not while trying to access the mod logs via gql.reddit.com by using operation id. You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of...
Reddit: XSS via Mod Log Removed Posts
Summary: I have discovered an XSS vulnerability regarding the mod notes feature. Specifically, the XSS payload executes when the victim removes a post in a subreddit and opens up the mod notes of the attacker. Steps To Reproduce: 1. The attacker creates a new post with the title containing the XS...
Reddit: Outsider can affect Upvote Percentage of private subreddit post by calling /api/vote API
Summary: An attacker who does not have access to a private subreddit can still affect the Upvote Percentage of any post in this private subreddit. He does that by calling the /api/vote API and passing the post id directly. What is Upvote Percentage?: F1407175 Impact: - Attacker can affect Upvote Percentage o...
Subreddit Home Automation OS Command Injection Vulnerability
Subreddit Home Automation is an automation device for the Subreddit community. An automated electric light. A security vulnerability exists in Subreddit Home Automation 3.3.2, which stems from authenticated OS command execution in the custom command v0.1 plugin...
Reddit Says Influence Campaign is Behind Leaked U.S.-U.K. Trade Documents
Reddit has revealed that key U.S.-U.K. trade documents posted on its site were likely posted as part of a broader political-influence campaign that first appeared on Facebook and is tied to Russia-based operatives. The online media aggregator says it has linked documents that were leaked on its sit...