Mail.ru: connect.mail.ru: SSRF

Можно лазить по внутренним ресурсам в сети mail.ru : POST /ajax?ajaxcall=1&funcname=perlfetchconnectpage HTTP/1.1 Host: connect.mail.ru User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.9; rv:29.0 Gecko/20100101 Firefox/29.0 Accept: text/javascript, text/html, application/xml, text/xml, /...

HackerOne: Flooding mailbox of user

There seems to be no prevention from sending multiple password reset links to a selected e-mail. As a result mailbox of the user can be flooded with these mails. I would recommend to add CAPTCHA in forgot password functionality...

Cloudflare: Content spoofing /CSRF at https://www.cloudflare.com/ajax/modal-dialog.html

Hi there, I noticed two things on the following url: https://www.cloudflare.com/ajax/modal-dialog.html 1. CSRF There are some csrf countermeasures in place e.g. X-Requested-With: XMLHttpRequest, however they're not validated on the server. This leads to an uncritical csrf: 2. Content spoofing Usi...

Mail.ru: Clickjacking

URL :- http://promo.calendar.mail.ru/ POC :- Clickjack test page Website is vulnerable to clickjacking!...

IRCCloud: Host Header is not validated resulting in Open Redirect

Please see the attached screenshot where I am sending a request to irccloud.com with an invalid HOST header and I am getting redirected to that domain. This is because the HOST header is not validated to ensure that the request is originating from that target host or not...

Yahoo!: reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

Slack: Stored XSS in Slackbot Direct Messages

Whenever a new team is created, Slackbot uses automated profile completion by asking a few questions from the user like the first name, last name, skype account etc. But instead of providing the correct details we provide as input then Slackbot will cause the data go inside the anchor tag ... so...

HackerOne: Control Characters Not Stripped From Username on Signup

Hey, To be honest, I'm not sure if there is any real security implications of this bug, but it's IMO something which should be fixed at some point since it'll be pretty easy. On signup, the username you chose has to be alphanumeric. If you submit someone else's username, followed by a null-byte...

Yahoo!: Yahoo mail login page bruteforce protection bypass

Thank you for your submission to Yahoo’s Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, we will take your report into consideration for any future releases. We appreciate your adherence to responsible disclosure...

Yahoo!: Flickr: Invitations disclosure (resend feature)

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

curl: Path Traversal Bypass in file:// URLs Due to Incomplete URL-Encoded Path Normalization

Summary: The dedotdotify function in lib/urlapi.c is responsible for removing path traversal sequences ../ and ./ from URLs according to RFC 3986. However, the function only recognizes literal forward slashes / when identifying path segments and does not handle URL-encoded slashes %2f or %2F. Thi...

AWS VDP: Amazon Kendra Intelligent Ranking Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints

The AWS Kendra Intelligent Ranking service was found to incorrectly report the user-agent and network information as "AWS Internal" for four API endpoints that are FIPS endpoints. This issue can lead to the obscuring of request information that may be used to track down an adversary...

Cosmos: Heap-Buffer-Overread in contains_whitespace when calling parser_validate after supplying a maliciously crafted buffer to parser_parse

A heap-buffer-overread vulnerability was discovered in the containswhitespace function when calling parservalidate after supplying a maliciously crafted buffer to parserparse. The vulnerability was not exploitable in the primary use case of the library, but a length check was added to prevent thi...

U.S. Dept Of Defense: IDOR : Modify other users demographic details

The IDOR vulnerability allowed a malicious user to modify other user's demographic details on the vulnerable domain www.█████████. The vulnerability was present in the /JOINOnline/Board/SubmitDoc endpoint, where the user ID parameter was not properly validated, allowing an attacker to update the...

HackerOne: [ Spot Check ] Team members can edit a user's write-up

Team members could edit a user's spot check write-up. The write-up could be modified through a GraphQL request, even though there was no option to edit the write-up in the user interface. This was considered unintended functionality, as HackerOne had previously fixed vulnerabilities where team...

Liberapay: Unsafe yaml load can lead to remote code execution

The YAML load function can lead to remote code execution vulnerability. The vulnerability allows the construction of arbitrary Python objects from untrusted YAML data, which can be exploited by an attacker...

U.S. Dept Of Defense: Reflected Cross-site Scripting via search query on ██████

The summary is as follows: A reflected cross-site scripting vulnerability was discovered in the search query functionality of the ████████ website. An attacker could execute arbitrary JavaScript code in the victim's browser by injecting malicious payload into the search query parameter...

U.S. Dept Of Defense: Parâmetro XSS: Nome de usuário - █████████

The report describes a cross-site scripting XSS vulnerability in the username parameter of an application. The vulnerability was demonstrated using Burp Suite, where the attacker was able to inject malicious JavaScript code into the username field. No further details were provided about the...

U.S. Dept Of Defense: User automatically logged in as Sys Admin user on https://███/Administration/Administration.aspx

A vulnerability was discovered where any user could be automatically logged in as a system administrator on a web application. This allowed unrestricted access and privileges could be abused to modify user privileges, add or delete users, and upload files, jeopardizing the integrity of the...

Mozilla: Subdomain takeover on one of the subdomain under mozgcp.net

A subdomain takeover was reported on a subdomain under mozgcp.net due to a dangling DNS record that had been registered by researchers, allowing them to host content under the subdomain...

Nextcloud: Mail app - Blind SSRF via Sierve server fonctionnality and sieveHost parameter

A blind SSRF vulnerability was discovered in the Nextcloud Mail application, allowing an attacker to map the server and internal network by sending a crafted request to an unexpected destination. The vulnerability was found in the sieveHost parameter when adding a filter via a sieve filter server...

Internet Bug Bounty: Disabling context isolation, nodeIntegrationInSubFrames using an unauthorised frame.

Details can be found in the following github advisory: https://github.com/electron/electron/security/advisories/GHSA-mq8j-3h7h-p8g7 Impact Using a renderer exploit, context isolation and nodeIntegrationInSubFrames can be disabled, which enables an attacker to leak IPC module and communicate with...

U.S. Dept Of Defense: Found Origin IP's Lead To Access ████

Discovered that the ██████ site exposed its Non-Cloudflare IP which could allow bypassing of anti-DDoS mechanisms. Your origin servers are not blocking access from non-Cloudflare servers.This way crawlers can find your origin servers' IPs by checking random IPs until they found your origin server...

Nextcloud: Nextcloud Deck : Possibility for anyone to add a stack with existing tasks on anyone's board

Hi everyone, Hope you are well ! I found an IDOR vulnerability, allowing any user without privilege to add lists with tasks in any user board. This was tested on a Nextcloud Hub II server v23 with the Deck application in version 1.6.0. Steps To Reproduce: Beforehand: - Have an A user with a board...

Evernote: [34.96.80.155] Server Logs Disclosure lead to Information Leakage

Summary: In this case server log is available for any in /server-status Steps To Reproduce: 1. Go to https://34.96.80.155/server-status/ and follow attack scenario's Attack Scenario's: Serg.io 1. User go to server and enter sensitive info that can be logged example : http://host/login?privatekey=...

Nextcloud: When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL

Summary: This report is similar to 1337178 In Nextcloud Deck a user can post their decks in to a conversation via nextcloud talk. The link in metaData can be manipulated to point to a another URL. Steps To Reproduce: 0. Setup burpsuite to proxy 1. Go to Nextcloud Deck and pick a board 2. Pick any...

Nextcloud: User files is disclosed when someone called while the screen is locked

Summary: User files in the server is disclosed while the screen is locked when someone called. Steps To Reproduce: add details for how we can reproduce the issue 1. Make 2 Accounts, Lets call them Account A and Account B 2. Using Account A login to https://nextcloud/apps/spreed/ 3. Using Account ...

TikTok: Information Disclosure on TikTok Unplugged Site

An attacker could have retrieved information such as a list of installed packages and their versions due to improper information disclosure on the TikTik Unplugged site. We thank @nanwn for reporting this to our team and confirming the resolution...

Rockstar Games: Cache Poisoning DoS on updates.rockstargames.com

In this report, the researcher discovered that there was a cache poisoning weakness on updates.rockstargames.com due to an unkeyed header, trailer. By sending this header, an attacker could cause the cache to save a malformed response with status code 400. An example of such a request, as provide...

BlockFi: credentials found in config file on github

Summary: Hi, credentials belonging to blockfi.com was found exposed on github, these credentials can lead to attackers gaining access into the network and stealing information and destroying servers Steps To Reproduce:...

CS Money: Blind Based SQL Injection in 3d.sc.money

Greetings, Hope Y'all good and fine! Summary: I found a Boolean Blind based SQL Injection in your website = 3d.cs.money It's a URI path injection. The vulnerability tested on the Original IP behind the CloudflareWAF and I've already reported this in my other report 1105673 The Affected URI :...

Concrete CMS: Stored unauth XSS in calendar event via CSRF

crayons Description The description parameter in the scenario /index.php/ccm/calendar/dialogs/event/add/save is affected by Stored XSS due to lack of user supplied data filtration. Also in should be mentioned that this endpoint does not verify CSRF token ccmtoken, which leads to an ability to...

Zenly: Google Maps API key stored as plain text leading to DOS and financial damage

The researcher highlighted the fact that the Google Maps API key which is by design easily retrievable from the .apk was missing some restrictions. It then could be used by anyone to query the Google Static Map API, and possibly lead to financial damage. Resolved by enforcing missing restrictions...

TikTok: Lack of rate limitation on careers site allows the attacker to brute force the verification code

An attacker could have potentially attempted to brute force the verification code needed to reset a candidate's password by leveraging a lack of rate limiting on the TikTok careers portal. We thank @iambouali for reporting this to our team and confirming the resolution...

h1-ctf: Writeup Hackyholiday CTF

Hi there, Find my writeup on attached : F1128138 Thanks adam for making the CTF, Really PAIN for my head! Impact Hackerone Hoodie ? 😍😍...

Stripo Inc: No rate limit in email subscription

I managed to bypass the following report 1029723 please follow the steps below: Description: No rate limit in Email Subscription, you just have to add a fixed throttle in Burp Suite to avoid the 429 response. Note: I will use tempmail in the screenshots PoC Steps: 1. Go to https://stripo.email/ a...

Informatica: Improper Sanitization leads to XSS Fire on admin panel

Summary Because the HTML is not sanitized when taking the input on https://accounts.informatica.com/registration.html, the input is vulnerable to XSS. When a payload such as " is put into the form under company it triggers a blind xss. When the payload successfully is loaded, it dumps information...

TikTok: Bypass "Industry Documents" Validation

The researcher found that the attacker can bypass the review process and mark the document as "approved" when a user adds Industry Documents. The attacker will bypass only the qualification status at frontend, the form status is still under review, and it will be reviewed by an employee...

RBKmoney: Apple Pay cryptogram replay and amount tampering

During Apple Pay in-app or on-site payments the device generates a payment cryptogram, which contains a transaction ID, encrypted payment data, etc. This is an example of the cryptogram which the phone passes to the internet acquiring service on api.transferwise.com: "token": "paymentData":...

Basecamp: stored XSS in hey.com message content

Hi I found a stored xss using messagecontent parameter when forwarding an email or saving it as draft , and when the victim click on the email to view it, it gets executed . I used this payload as the message content : From: "f" To: [email protected] Message-ID: Subject:...

Mail.ru: Stored XSS in address on [corporate.city-mobil.ru]

Stored XSS in address setting functionality on corporate.city-mobil.ru...

Mail.ru: Открытая админка Tarantool

Testing installation of internal Tarantool admin inteface without actual users data was available from external network...

h1-ctf: [H1-2006 2020] 36 hours of brain cycles utilized on solving a neat puzzle

Here we go: F852423 Recon: The given scope is: .bountypay.h1ctf.com Found subdomains: bountypay.h1ctf.com api.bountypay.h1ctf.com app.bountypay.h1ctf.com software.bountypay.h1ctf.com staff.bountypay.h1ctf.com www.bountypay.h1ctf.com Relevant GitHub repository:...

h1-ctf: [H1-2006 2020] I made the CEO's bounty payment!

^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ I will write the details in comment. Impact I have headache now...

Shopify: Session works after logout from Shopify account and password of online store is displayed

When a user creates a Shopify Lite Plan account, in the product creation stage when the account has not been upgraded, the store's password is enabled such that any visitor who wants to access the store is required to enter password before being granted access to view the products listed in the...

GitLab: Stored XSS in blob viewer

Summary I found a Stored-XSS in blob viewer when viewing a json file. In particular, when viewing an openapi file, openapiviewer is called to transfer the file's data to SwaggerUIBundle to render. SwaggerUIBundle does its job when rending graphical representation of the openapi's content. It also...

Ruby on Rails: ActiveStorage direct upload fails to sign content-length header for S3 service

When a user makes a direct upload using ActiveStorage, the browser makes a request to the DirectUploadsController containing the directupload parameters filename, contenttype, bytesize, and checksum. These are used to generate a presigned url that is then passed back to the browser, allowing the...

Nord Security: Past payments using the Direct Debit method keep subscriptions active even if payments fail

I think this is a vulnerability that has no impact but it violates I found many accounts that are actively subscribed even though the payment failed, this is because the payment uses the Direct Debit method, and you have deleted it. Because Direct Debit payments have been deleted and no longer wo...

██████: Directory Traversal in uftpd 2.6-2.10

Description It is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem due to improper path sanitization in the chroot jail implementation in common.c's composeabspath. Impact...

U.S. Dept Of Defense: Unrestricted File Upload

Summary: The endpoint at https://███████/ui/core/index.html required authentication, but navigating to https://█████/ui/core/index.html?mode=publicexpl-tabl./SHARED/rpchllmd/CSAT allow for read/write access. Description: The endpoint at...