Hackerone: Most viewed

15306 matches found

Hacker One
added 2014/03/01 6:33 p.m., 40 views

Yahoo!: Yahoo mail login page bruteforce protection bypass

Thank you for your submission to Yahoo’s Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, we will take your report into consideration for any future releases. We appreciate your adherence to responsible disclosure...

AI score: 6.6
Exploits: 0
Hacker One
added 2014/02/16 1:00 a.m., 40 views

Yahoo!: Flickr: Invitations disclosure (resend feature)

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

AI score: 6.7
Exploits: 0
Hacker One
added 2025/03/18 3:27 p.m., 39 views

AWS VDP: Amazon Kendra Intelligent Ranking Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints

The AWS Kendra Intelligent Ranking service was found to incorrectly report the user-agent and network information as "AWS Internal" for four API endpoints that are FIPS endpoints. This issue can lead to the obscuring of request information that may be used to track down an adversary...

AI score: 6.9
Exploits: 0
Hacker One
added 2024/10/27 10:34 p.m., 39 views

Cosmos: Heap-Buffer-Overread in contains_whitespace when calling parser_validate after supplying a maliciously crafted buffer to parser_parse

A heap-buffer-overread vulnerability was discovered in the contains_whitespace function when calling parser_validate after supplying a maliciously crafted buffer to parser_parse. The vulnerability was not exploitable in the primary use case of the library, but a length check was added to prevent thi...

AI score: 7.2
Exploits: 0
Hacker One
added 2024/07/04 6:22 p.m., 39 views

U.S. Dept Of Defense: IDOR: Modify other users' demographic details

The IDOR vulnerability allowed a malicious user to modify other users' demographic details on the vulnerable domain www.█████████. The vulnerability was present in the /JOINOnline/Board/SubmitDoc endpoint, where the user ID parameter was not properly validated, allowing an attacker to update the...

AI score: 6.8
Exploits: 0
Hacker One
added 2024/06/01 1:55 p.m., 39 views

HackerOne: [ Spot Check ] Team members can edit a user's write-up

Team members could edit a user's spot check write-up. The write-up could be modified through a GraphQL request, even though there was no option to edit the write-up in the user interface. This was considered unintended functionality, as HackerOne had previously fixed vulnerabilities where team...

AI score: 7.1
Exploits: 0
Hacker One
added 2024/04/17 1:32 p.m., 39 views

Liberapay: Unsafe yaml load can lead to remote code execution

The YAML load function can lead to a remote code execution vulnerability. The vulnerability allows the construction of arbitrary Python objects from untrusted YAML data, which can be exploited by an attacker...

AI score: 8.2
Exploits: 0
Hacker One
added 2024/03/26 4:32 p.m., 39 views

U.S. Dept Of Defense: Reflected Cross-site Scripting via search query on ██████

The summary is as follows: A reflected cross-site scripting vulnerability was discovered in the search query functionality of the ████████ website. An attacker could execute arbitrary JavaScript code in the victim's browser by injecting malicious payload into the search query parameter...

AI score: 6.8
Exploits: 0
Hacker One
added 2024/02/06 9:29 p.m., 39 views

Publitas: Unauthorized Access to Offline Publication Cover Pages via SOURCE_DOCUMENT_ID

A vulnerability was discovered that allowed unauthorized access to offline publication cover pages by sending requests with specific source document IDs. This exposed cover pages and associated user and publication IDs that were intended to be private...

AI score: 7
Exploits: 0
Hacker One
added 2024/02/05 7:57 p.m., 39 views

U.S. Dept Of Defense: XSS parameter: Username - █████████

The report describes a cross-site scripting XSS vulnerability in the username parameter of an application. The vulnerability was demonstrated using Burp Suite, where the attacker was able to inject malicious JavaScript code into the username field. No further details were provided about the...

AI score: 5.8
Exploits: 0
Hacker One
added 2023/12/04 6:02 a.m., 39 views

Internet Bug Bounty: ASAR Integrity bypass via filetype confusion

A vulnerability was discovered in Electron that allowed bypassing ASAR integrity checks via filetype confusion. Maliciously crafted directories could trick apps into loading non-validated code. This impacted apps with certain fuses enabled on macOS that relied on filesystem protections. The issue...

CVSS: 7, AI score: 6.5, EPSS: 0.00207
Exploits: 0
Hacker One
added 2023/10/03 12:06 p.m., 39 views

U.S. Dept Of Defense: User automatically logged in as Sys Admin user on https://███/Administration/Administration.aspx

A vulnerability was discovered where any user could be automatically logged in as a system administrator on a web application. This allowed unrestricted access and privileges could be abused to modify user privileges, add or delete users, and upload files, jeopardizing the integrity of the...

AI score: 7.2
Exploits: 0
Hacker One
added 2023/10/03 4:55 a.m., 39 views

Mozilla: Subdomain takeover on one of the subdomains under mozgcp.net

A subdomain takeover was reported on a subdomain under mozgcp.net due to a dangling DNS record that had been registered by researchers, allowing them to host content under the subdomain...

AI score: 7
Exploits: 0
Hacker One
added 2022/10/18 7:24 p.m., 39 views

Nextcloud: Mail app - Blind SSRF via Sieve server functionality and sieveHost parameter

A blind SSRF vulnerability was discovered in the Nextcloud Mail application, allowing an attacker to map the server and internal network by sending a crafted request to an unexpected destination. The vulnerability was found in the sieveHost parameter when adding a filter via a sieve filter server...

CVSS: 5, AI score: 4.6, EPSS: 0.00919
Exploits: 1
Hacker One
added 2022/09/26 5:58 a.m., 39 views

GitHub: GitHub Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL API

An incorrect authorization vulnerability was found in GitHub Enterprise Server that allowed GitHub Apps to gain access to and modify most organization-level resources that are not tied to a repository, regardless of granted permissions. This vulnerability affected all versions of GitHub Enterpris...

CVSS: 9.8, AI score: 9.6, EPSS: 0.01244
Exploits: 0
Hacker One
added 2022/07/23 4:36 a.m., 39 views

Internet Bug Bounty: Disabling context isolation, nodeIntegrationInSubFrames using an unauthorised frame.

Details can be found in the following github advisory: https://github.com/electron/electron/security/advisories/GHSA-mq8j-3h7h-p8g7 Impact Using a renderer exploit, context isolation and nodeIntegrationInSubFrames can be disabled, which enables an attacker to leak IPC module and communicate with...

AI score: 7.2
Exploits: 0
Hacker One
added 2022/05/02 8:03 p.m., 39 views

U.S. Dept Of Defense: Found Origin IPs Lead To Access ████

Discovered that the ██████ site exposed its non-Cloudflare IP, which could allow bypassing of anti-DDoS mechanisms. Your origin servers are not blocking access from non-Cloudflare servers. This way crawlers can find your origin servers' IPs by checking random IPs until they find your origin server...

AI score: 1.1
Exploits: 0
Hacker One
added 2022/01/14 11:58 p.m., 39 views

Nextcloud: Nextcloud Deck: Possibility for anyone to add a stack with existing tasks on anyone's board

Hi everyone, hope you are well! I found an IDOR vulnerability, allowing any user without privilege to add lists with tasks to any user's board. This was tested on a Nextcloud Hub II server v23 with the Deck application in version 1.6.0. Steps To Reproduce: Beforehand: - Have a user A with a board...

CVSS: 4, AI score: 4.5, EPSS: 0.00917
Exploits: 1
Hacker One
added 2021/11/11 1:26 p.m., 39 views

Evernote: [34.96.80.155] Server Logs Disclosure lead to Information Leakage

Summary: In this case the server log is available to anyone at /server-status. Steps To Reproduce: 1. Go to https://34.96.80.155/server-status/ and follow the attack scenarios. Attack Scenarios: Serg.io 1. User goes to the server and enters sensitive info that can be logged, for example: http://host/login?privatekey=...

AI score: 0.5
Exploits: 0
Hacker One
added 2021/10/05 7:33 a.m., 39 views

Nextcloud: When sharing a Deck card in a conversation the metaData can be manipulated to open an arbitrary URL

Summary: This report is similar to 1337178. In Nextcloud Deck a user can post their decks into a conversation via Nextcloud Talk. The link in metaData can be manipulated to point to another URL. Steps To Reproduce: 0. Set up Burp Suite as a proxy 1. Go to Nextcloud Deck and pick a board 2. Pick any...

CVSS: 5.8, AI score: 0.4, EPSS: 0.00878
Exploits: 1
Hacker One
added 2021/09/13 7:57 p.m., 39 views

Nextcloud: User files are disclosed when someone calls while the screen is locked

Summary: User files on the server are disclosed while the screen is locked when someone calls. Steps To Reproduce: add details for how we can reproduce the issue 1. Make 2 accounts, let's call them Account A and Account B 2. Using Account A, log in to https://nextcloud/apps/spreed/ 3. Using Account ...

CVSS: 2.1, EPSS: 0.00297
Exploits: 0
Hacker One
added 2021/07/01 8:42 a.m., 39 views

TikTok: Information Disclosure on TikTok Unplugged Site

An attacker could have retrieved information such as a list of installed packages and their versions due to improper information disclosure on the TikTok Unplugged site. We thank @nanwn for reporting this to our team and confirming the resolution...

AI score: 2
Exploits: 0
Hacker One
added 2021/06/07 11:28 a.m., 39 views

Rockstar Games: Cache Poisoning DoS on updates.rockstargames.com

In this report, the researcher discovered that there was a cache poisoning weakness on updates.rockstargames.com due to an unkeyed header, trailer. By sending this header, an attacker could cause the cache to save a malformed response with status code 400. An example of such a request, as provide...

AI score: 0.3
Exploits: 0
Hacker One
added 2021/03/24 12:40 p.m., 39 views

BlockFi: Credentials found in config file on GitHub

Summary: Hi, credentials belonging to blockfi.com were found exposed on GitHub. These credentials could allow attackers to gain access to the network, steal information and destroy servers. Steps To Reproduce:...

AI score: 1.2
Exploits: 0
Hacker One
added 2021/02/19 7:33 p.m., 39 views

CS Money: Blind Based SQL Injection in 3d.cs.money

Greetings, hope y'all are good and fine! Summary: I found a Boolean-based blind SQL Injection in your website 3d.cs.money. It's a URI path injection. The vulnerability was tested on the original IP behind the Cloudflare WAF and I've already reported this in my other report 1105673. The Affected URI:...

AI score: 0.6
Exploits: 0
Hacker One
added 2021/02/12 8:43 a.m., 40 views

Concrete CMS: Stored unauth XSS in calendar event via CSRF

Description: The description parameter in the scenario /index.php/ccm/calendar/dialogs/event/add/save is affected by Stored XSS due to lack of user-supplied data filtration. Also it should be mentioned that this endpoint does not verify the CSRF token ccm_token, which leads to an ability to...

CVSS: 6.8, AI score: 7.9, EPSS: 0.00483
Exploits: 0
Hacker One
added 2021/02/03 9:39 a.m., 39 views

Zenly: Google Maps API key stored as plain text leading to DoS and financial damage

The researcher highlighted the fact that the Google Maps API key which is by design easily retrievable from the .apk was missing some restrictions. It then could be used by anyone to query the Google Static Map API, and possibly lead to financial damage. Resolved by enforcing missing restrictions...

AI score: 0.8
Exploits: 0
Hacker One
added 2021/01/11 12:36 a.m., 39 views

TikTok: Lack of rate limitation on careers site allows the attacker to brute force the verification code

An attacker could have potentially attempted to brute force the verification code needed to reset a candidate's password by leveraging a lack of rate limiting on the TikTok careers portal. We thank @iambouali for reporting this to our team and confirming the resolution...

AI score: 4.1
Exploits: 0
Hacker One
added 2020/12/24 9:31 a.m., 39 views

h1-ctf: Writeup Hackyholiday CTF

Hi there, find my writeup attached: F1128138. Thanks adam for making the CTF, really PAIN for my head! Impact Hackerone Hoodie? 😍😍...

AI score: 1.8
Exploits: 0
Hacker One
added 2020/10/19 4:07 p.m., 39 views

Informatica: Improper Sanitization leads to XSS Fire on admin panel

Summary: Because the HTML is not sanitized when taking the input on https://accounts.informatica.com/registration.html, the input is vulnerable to XSS. When a payload such as " is put into the form under company, it triggers a blind XSS. When the payload successfully loads, it dumps information...

AI score: 5.7
Exploits: 0
Hacker One
added 2020/09/22 3:31 p.m., 39 views

Basecamp: stored XSS in hey.com message content

Hi, I found a stored XSS using the messagecontent parameter when forwarding an email or saving it as a draft, and when the victim clicks on the email to view it, it gets executed. I used this payload as the message content: From: "f" To: [email protected] Message-ID: Subject:...

AI score: 0.8
Exploits: 0
Hacker One
added 2020/08/11 3:51 p.m., 39 views

Mail.ru: Stored XSS in address on [corporate.city-mobil.ru]

Stored XSS in address setting functionality on corporate.city-mobil.ru...

AI score: 1.7
Exploits: 0
Hacker One
added 2020/07/03 3:11 a.m., 39 views

Mail.ru: Exposed Tarantool admin panel

A testing installation of the internal Tarantool admin interface, without actual users' data, was available from the external network...

AI score: 4
Exploits: 0
Hacker One
added 2020/06/03 4:02 a.m., 39 views

h1-ctf: [H1-2006 2020] 36 hours of brain cycles utilized on solving a neat puzzle

Here we go: F852423 Recon: The given scope is: .bountypay.h1ctf.com Found subdomains: bountypay.h1ctf.com api.bountypay.h1ctf.com app.bountypay.h1ctf.com software.bountypay.h1ctf.com staff.bountypay.h1ctf.com www.bountypay.h1ctf.com Relevant GitHub repository:...

AI score: 6
Exploits: 0
Hacker One
added 2020/05/31 8:37 a.m., 39 views

h1-ctf: [H1-2006 2020] I made the CEO's bounty payment!

^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ I will write the details in comment. Impact I have headache now...

AI score: 2.1
Exploits: 0
Hacker One
added 2020/04/03 4:56 a.m., 39 views

Shopify: Session works after logout from Shopify account and password of online store is displayed

When a user creates a Shopify Lite Plan account, in the product creation stage when the account has not been upgraded, the store's password is enabled such that any visitor who wants to access the store is required to enter password before being granted access to view the products listed in the...

AI score: 7.2
Exploits: 0
Hacker One
added 2020/02/27 9:46 p.m., 39 views

GitLab: Stored XSS in blob viewer

Summary: I found a Stored XSS in the blob viewer when viewing a JSON file. In particular, when viewing an OpenAPI file, openapiviewer is called to transfer the file's data to SwaggerUIBundle to render. SwaggerUIBundle does its job when rendering a graphical representation of the OpenAPI content. It also...

AI score: 1.1
Exploits: 0
Hacker One
added 2020/02/05 11:30 a.m., 39 views

Nord Security: Past payments using the Direct Debit method keep subscriptions active even if payments fail

I think this is a vulnerability that has no impact but it violates I found many accounts that are actively subscribed even though the payment failed, this is because the payment uses the Direct Debit method, and you have deleted it. Because Direct Debit payments have been deleted and no longer wo...

AI score: 6.9
Exploits: 0
Hacker One
added 2019/08/31 11:42 p.m., 39 views

██████: Directory Traversal in uftpd 2.6-2.10

Description: It is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem due to improper path sanitization in the chroot jail implementation in common.c's compose_abspath. Impact...

AI score: 1.7
Exploits: 0
Hacker One
added 2019/08/27 2:51 p.m., 39 views

U.S. Dept Of Defense: Unrestricted File Upload

Summary: The endpoint at https://███████/ui/core/index.html required authentication, but navigating to https://█████/ui/core/index.html?mode=publicexpl-tabl./SHARED/rpchllmd/CSAT allows for read/write access. Description: The endpoint at...

AI score: 0.5
Exploits: 0
Hacker One
added 2019/08/27 12:10 p.m., 39 views

Valve: Arbitrary file creation with semi-controlled content (leads to DoS, EoP and others) at Steam Windows Client

The vulnerability allows creating an arbitrary file with some crafted text, or appending to an existing file. Tested on the current version 5.31.28.21 (SteamService.exe file version info). At the start of the report I describe how to trigger the vulnerability, then describe how to cause consequences. How to trigger - ...

Exploits: 0
Hacker One
added 2019/08/09 1:54 p.m., 39 views

GitLab: Uncontrolled Resource Consumption in any Markdown field using Mermaid

Summary I found a bypass for the mitigation of DoS via Mermaid CVE-2019-9220. As the mitigation for CVE-2019-9220, the input limit of 5000 characters is currently applied to a Mermaid code block, but it can be bypassed by simply splitting the longer payload to many code blocks. Steps to reproduce...

CVSS: 5, AI score: 6.9, EPSS: 0.02776
Exploits: 2
Hacker One
added 2019/04/24 11:05 p.m., 39 views

Ping Identity: Internal Hostname disclosure from multiple Apache servers via blank host header method

This vulnerability was due to a general misconfiguration of Apache servers; this is a good example of the importance of "Secure Defaults" in open-source projects. An example of a generic request and response would be: openssl sclient -connect apache.example.com:443 GET apache.example.com/foo...

AI score: 7.1
Exploits: 0
Hacker One
added 2019/04/18 8:43 a.m., 39 views

pixiv: Open redirect protection (https://www.pixiv.net/jump.php) is broken for novels

Summary: I found that pixiv has a open redirect protection, any external link in illustration is converted to https://www.pixiv.net/jump.php?. For example https://i3mx4usociis8twimpcu2ty0erkh86.burpcollaborator.net/abc in https://www.pixiv.net/memberillust.php?mode=medium&illustid=74148892 is...

AI score: 6.8
Exploits: 0
Hacker One
added 2019/03/12 3:42 p.m., 39 views

Nextcloud: Arbitrary SQL command injection

When querying for users on the lookup server any unauthenticated user could perform an SQL Injection...

CVSS: 7.5, AI score: 4.1, EPSS: 0.01788
Exploits: 0
Hacker One
added 2019/02/20 8:09 p.m., 39 views

HackerOne: A small set of users were assigned someone else's payout preference

On December 20th, 2016, HackerOne introduced a new payout preference that allowed employee bounties to be paid through payroll. At the time, a feature was added to our support backend that allowed the IT department to provision this special payout preference for HackerOne employees. To help the I...

AI score: 0.1
Exploits: 0
Hacker One
added 2019/01/17 2:26 p.m., 39 views

Slack: URL link spoofing

Words such as http://example.com and example.com included in the message are displayed by URL link. This URL link naturally links to example.com. However, we can spoof the link destination by changing the message post request. diff POST /api/chat.postMessage HTTP/1.1 Host: example.slack.com...

AI score: 6.9
Exploits: 0
Hacker One
added 2019/01/14 4:19 p.m., 39 views

Eobot: Secure Pages Include Mixed Content Issue

Description The page includes mixed content, that is content accessed via HTTP instead of HTTPS. Steps 1 Enter these two URLs https://www.eobot.com/fee https://www.eobot.com/ad 2 Open Source Code viewer You will note and Mixed Content Error. http://bitcoin.sipa.be/speed-small-lin.png Fix A page...

Exploits: 0
Hacker One
added 2018/12/21 8:51 a.m., 39 views

Valve: RCE on Steam Client via buffer overflow in Server Info

Introduction: In Steam and other Valve games (CSGO, Half-Life, TF2) there is a functionality to find game servers called the server browser. In order to retrieve information about these servers the server browser communicates with a specific UDP protocol called server queries. The protocol is we...

7.8AI score
Exploits0
Hacker One
Hacker One
added 2018/11/28 1:26 p.m.39 views

Infogram: User account blocking by Internal Server error

If you send language=en to https://infogram.com/api/users/me the user forever gets an Internal Server Error, even after re-logging in: https://youtu.be/AxYa11lEiWA I don't know why HackerOne can't upload this video so I uploaded it privately to YouTube! In this video, I'm trying to relogin...

AI score: 0.5
Exploits: 0
Total number of security vulnerabilities: 5000