Internet Bug Bounty: Path traversal through path stored in Uint8Array in Node.js 20

A path traversal vulnerability was discovered in Node.js 20 through paths stored in Uint8Array objects. The vulnerability allowed bypassing path sanitization protections and reading arbitrary files outside of a restricted directory. The issue was addressed by properly sanitizing Uint8Array paths ...

Nextcloud: CSRF vulnerability in Nextcloud Desktop Client 3.6.1 on Windows when clicking malicious link

Summary It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link. e.g. in an email, chat link, etc This vulnerability was introduced in an attempt to fix 1720043. The patch however can be bypassed and also introduced a CSRF vulnerability...

Affirm: Subdomain takeover due to non registered TLD [ ██████████.█████.██████.com ]

Summary: I was looking at recent disclosed report 1297689 and I was thinking to take a look for the same issue on this asset as I love to test for subdomain takeover vulnerabilities. While testing I noticed a DNS entry for ███████.████.██████████.com is CNAME ████.███████████ which's TLD is not...

Rocket.Chat: Desktop app RCE (#276031 bypass)

Summary: 276031 fix bypass, two click remote code execution. Description: The security issue is in links preload file https://github.com/RocketChat/Rocket.Chat.Electron/blob/master/src/preload/links.js file. By rewriting RegExp.prototype.test method it is possible to prepare proper answers to get...

Kubernetes: Kubelet resource exhaustion attack via metric label cardinality explosion from unauthenticated requests

Report Submission Form Summary: Malicious clients can potentially DOS a kubelet by sending a high amount of specially crafted requests to the kubelet's HTTP server. For each request the kubelet updates/sets 3 metrics: - kubelethttprequeststotal Counter - kubelethttprequestsdurationseconds Histogr...

Friday Squid Blogging: Squidfall Safety

Watchmen supporting material. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...

Rocket.Chat: Guest Privilege Escalation to admin group

The vulnerability allowed a guest user to escalate privileges to the admin group. The guest user first added themselves to the bot group, which had the "manage-own-integrations" permission. Using this, the user created a malicious integration script that added the user to the admin group. The...

RATELIMITED: Hackerone1

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: add summary of the vulnerabili...

GitLab: DoS on the Issue page by exploiting Mermaid.

Summary: An attacker could exploit Mermaid available in Markdown and cause DoS. Description: Markdown supported by GitLab can generate diagrams and flowcharts from text using Mermaid. An Attacker can exploit this function to prevent users from successfully accessing some functions. For example, y...

Node.js third-party modules: [serve] Server Directory Traversal

I would like to report a Server Directory Traversal vulnerability in serve. It allows reading local files on the target server. Module module name: serve version: 7.0.1 npm page: https://www.npmjs.com/package/serve Module Description Assuming you would like to serve a static site, single page...

Node.js third-party modules: `whereis` concatenates unsanitized input into exec() command

I would like to report command injection in whereis It allows to inject arbitrary shell commands by trying to locate crafted filenames. Module module name: whereis version: 0.4.0 npm page: https://www.npmjs.com/package/whereis Module Description Simply get the first path to a bin on any system...

Node.js third-party modules: `macaddress` concatenates unsanitized input into exec() command

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report code injection i...