15306 matches found
Semrush: Post Based XSS On Upload Via CK Editor [semrush.com]
Summary: XSS via POST method when uploading via CKEditor. Description: This XSS is executed by the error message when uploading an image on https://www.semrush.com/my-posts/api/image/upload/?CKEditor=text&CKEditorFuncNum=0&langCode=en Browsers Verified In: Firefox. Steps To Reproduce: - This is POST based...
Node.js third-party modules: [node-srv] Path Traversal allows to read arbitrary files from remote server
Hi guys, node-srv contains a Path Traversal vulnerability, which allows a malicious user to read the content of any file with a known path. Module: Simple static node.js server. Supports Heroku and Grunt.js https://www.npmjs.com/package/node-srv Description: node-srv does not sanitize path in the correct wa...
TikTok: URL Scheme misconfiguration on TikTok for IOS
A misconfigured URL schema on a TikTok iOS endpoint could have resulted in a user being forced to follow other accounts by visiting a malicious website or HTML page. We thank @glassplant for reporting this to our team...
GitHub Security Lab: [Java] CWE-598: Use of GET Request Method with Sensitive Query Strings
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: Remote Code Execution on █████████
Summary: An unauthenticated Solr instance leads to RCE on ██████████ Description: Hello, I found an unauthenticated Solr at https://██████/solr/ This version is 5.5.1, vulnerable to CVE-2019-0192 and CVE-2019-0193; I have tried CVE-2019-0193 and got successful RCE. Impact: An attacker can get a shell on the server. Step-by-step Reproducti...
HackerOne: How the Bug stole hacking
In light of the season - here's a story I wrote for you: Every hacker down in HackerOne liked hacking a lot, But the Bug who lived down in the source code, did not! The Bug hated hacking! The whole Bug-hunt season! Now please don't ask why. No one quite knows the reason. It could be perhaps, that...
Brave Software: DMARC RECORD MISSING
Vulnerability type: DMARC record missing. How to reproduce (PoC: attached image): 1. Go to https://mxtoolbox.com 2. Enter the website brave.org. Click Go. 3. You will see the fault "No DMARC Record found". 4. In the new page that loads, change MXLookup to DMARCLookup. I have already informed them. They told to...
Node.js third-party modules: [html-janitor] Bypassing sanitization using DOM clobbering
Module: Name: html-janitor Version: 2.0.2 Summary: Arbitrary HTML can pass the sanitization process, which can be unexpected and dangerous (XSS) in case user-controlled input is passed to the clean function. Description: Proof of concept (javascript): var myJanitor = new HTMLJanitor({ tags: { p: {} } }); var...
GitHub Security Lab: CodeQL query for MVEL injections
This bug was reported directly to GitHub Security Lab...
Internet Bug Bounty: Use of uninitialized value in ftp_getrc_msg method of mod_proxy_ftp.c
This is a Security Bug Report for mod_proxy_ftp. This bug is present in the ftp_getrc_msg method of the modules/proxy/mod_proxy_ftp.c file. This is the line which causes this bug (C): ... mb = apr_cpystrn(mb, response + 4, me - mb); ... If the FTP server returns a response like "\r\n", which has 3 characters with...
Visma Bug Bounty Program: Stored XSS when uploading files to an invoice
I've found a stored XSS from the file upload. The parameter fileID is vulnerable and will be stored to the page. Steps To Reproduce: Login. Navigate to one of your invoices. Upload some file and intercept the traffic. Once you see the JSON payload like this "id":"abcabccabcabc","name":"file-name" modi...
Alibaba BBP: SSRF / Arbitrary File Read on Alibaba Cloud Academy
Summary: The Alibaba Cloud Academy certificate download function is vulnerable to an SSRF bug. It can also read arbitrary files on the server. Steps To Reproduce: - Login to your https://edu.alibabacloud.com/ account - Click the url to Ping external...
Starbucks: JumpCloud API Key leaked via Open Github Repository.
Summary: Open GitHub repo leaking Starbucks JumpCloud API key. Description: Team, while going through GitHub search I discovered a public repository which contains the JumpCloud API key of Starbucks. Repo: https://github.com/██████████/Project. File:...
Mail.ru: [sj.my.com] Source Code Disclosure /.svn/wc.db
Available SVN files for sj.my.com led to source code disclosure. sj.my.com is not currently covered by Bug Bounty program...
Whisper: CVE-2014-0224 openssl ccs vulnerability
Your site is vulnerable to CVE-2014-0224: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL...
U.S. Dept Of Defense: Splunk Sensitive Information Disclosure @████████
A vulnerability in Splunk through version 7.0.1 allowed for information disclosure by appending a specific query to a URL, which could result in the exposure of sensitive information, such as license keys...
Nord Security: Version problem in WordPress leads to many vulnerabilities
Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting XSS Reference: https://wpvulndb.com/vulnerabilities/9230 Reference: https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b Reference:...
curl: curl on Windows can be forced to execute code via OpenSSL environment variables
Preface: While I have an interest in security, I am not a professional security researcher, so please be forgiving of any lack of convention in this submission. The intent is to help improve security of the OpenSSL and curl projects, their consumers and end users. I will be sending this same...
Nextcloud: Password authentication at newsletter.nextcloud.com discloses username list
Summary: A vulnerability classified as problematic has been found in OpenSSH 7.2p2 (check INFO.png). Affected is an unknown function of the component Authentication. The manipulation of the argument Password with an unknown input leads to an information disclosure vulnerability (Username). CWE is...
Coinbase: Transactions visible on Unconfirmed devices
Pusher authentication did not take device confirmation into account. This would allow an attacker with a valid session but an unconfirmed device to snoop on pusher updates like incoming transactions. This issue was in the coinbase event notification Pusher, which allowed me to read notification o...
GitLab: Found Origin IP's lead to access to gitlab
@m-narayanan disclosed a known Origin IP / CloudFlare bypass issue, remediation for which was and is being tracked at https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/9945 They requested disclosure, then later requested it to be made private again...
Solana BBP: Heap memory can be accessible through metrics.solana.com
Summary: Heap memory can be accessible due to misconfiguration in one of the sub-domains. While doing recon I ended up downloading a heap memory file. Steps To Reproduce: 1. Open https://metrics.solana.com:8086/debug/pprof/heap 2. Now you can see heap memory accessible through it. Supporting...
RATELIMITED: Source code disclosure at ███
Summary: Source code disclosure at ███████ Steps To Reproduce: POC: link download source code: ███████ Supporting Material/References: █████ ███████ Impact Source Code Disclosure Sensitive Information Disclosure...
Nutanix: AWS S3 bucket writeable for authenticated AWS users
S3 bucket permissions were not configured correctly, allowing any authenticated AWS user to delete and write files. Nutanix didn't properly configure one of their S3 buckets permissions and inadvertently allowed any authenticated AWS user to delete and write files. An attacker could post a...
U.S. Dept Of Defense: [██████] Cross-origin resource sharing misconfiguration (CORS)
Hi! In this report I want to describe a high-level bug which can seriously compromise a user account. If I am authorized on this site, I can steal users' sessions, some personal information or do some actions. Steps to reproduce: 1. Send this request GET...
MyEtherWallet: Development configuration file https://myetherwallet.com/
Vulnerability description A configuration file e.g. Vagrantfile, Gemfile, Rakefile, ... was found in this directory. This file may expose sensitive information that could help a malicious user to prepare more advanced attacks. It's recommended to remove or restrict access to this type of files fr...
Chaturbate: CSV Injection with the CSV export feature
Hi there, hope you are well. The "Download as a CSV" feature of does not properly "escape" fields, so that particular field is vulnerable to CSV injection. Steps of POC: Step 1: Go to any chat room, donate any token to someone and in the note insert =4+4. Step 2: Now go to this link and download...
Roblox: Reflected XSS through multiple inputs in the issue collector on Jira
Note I put this as Medium because that's what the CVE is. This vulnerability is known and it's classified under CVE-2018-5230. Here's a link to the thread on it by Atlassian: https://jira.atlassian.com/browse/JRASERVER-67289 Description --------------------- I noticed when testing that your Jira...
Zomato: Bypass OTP verification when placing Order
Description Attacker was able to bypass the OTP verification needed while placing an order with a restaurant...
U.S. Dept Of Defense: [██████] Reflected XSS via Keycloak on ██████
A cross-site scripting XSS vulnerability was discovered in Keycloak 8.0 and earlier versions. This vulnerability allowed an attacker to execute arbitrary script and potentially steal authentication credentials. The vulnerability was due to a lack of input validation, which allowed an attacker to...
GitHub Security Lab: CPP: Missing/incomplete TLS server certificate hostname validation
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: No Rate Limiting on https://██████/██████████/accounts/password/reset/ endpoint leads to Denial of Service
Summary: No rate limit on the password reset endpoint results in the mail-spam functionality being abused. Additionally, the password-reset link remains the same after each request. Description: A malicious user could spear-target a █████████ user's mail and spam it with as many requests as he would like. Possible...
Qulture.Rocks: Server Name disclosure
Hi, I found a Server Name disclosure (Cowboy) in your web server's HTTP response! This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the server! Request with Burp: GET / HTTP/1.1 Host: qa.qulture.rocks...
Khan Academy: https://www.khanacademy.org/login open-redirect
Hi, I found a bypass in the redirects: https://www.khanacademy.org/login?continue=http://www.olivierbeg.nl won't work. https://www.khanacademy.org/login?continue=http:/www.olivierbeg.nl will work :- Best regards, Olivier Beg...
GitHub Security Lab: Java: Query for detecting JEXL injections
This bug was reported directly to GitHub Security Lab...
HackerOne: Blind SSRF in "Integrations" by abusing a bug in Ruby's native resolver.
Summary HackerOne allows bug bounty programs to integrate their reports queue with issue tracking tools such as Jira and Phabricator. By abusing a bug that I discovered in Ruby's native resolver, I am able to bypass the SSRF filter and could potentially scan your internal network. Vulnerability...
Internet Bug Bounty: FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
Many TLS servers, including those hosting sensitive websites such as www.nsa.gov and connect.facebook.net, support weak RSA_EXPORT ciphersuites. By factoring their 512-bit ephemeral RSA keys, a network attacker is able to impersonate these websites to web browsers and more generally, to client...
Internet Bug Bounty: Use After Free Vulnerability in unserialize()
Use After Free Vulnerability in unserialize() - Taoguang Chen - Write Date: 2015.2.3 - Release Date: 2015.3.20. A use-after-free vulnerability was discovered in unserialize() with a specially defined object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or executing arbitrary...
AMBER AI: Support Portal Takeover via Leaked API KEY
Thanks @khizer47 for the report. An insecure Zendesk API token was hardcoded in a JS file, causing support portals to lose control of administrator rights. We removed the dangerous token and controlled permissions by using a more secure OAuth token. An API key and associated email were hardcoded into a JS file...
GitHub: Delimiter injection in GitHub Actions core.exportVariable
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...
Sifchain: No valid SPF records / no DMARC record
Hi, there is an issue: no valid SPF records on https://sifchain.finance/ Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing ...
GitHub Security Lab: Java: CWE-273 Unsafe certificate trust
This bug was reported directly to GitHub Security Lab...
BlockDev Sp. Z o.o: Email HTML injection
Email HTML injection...
Grab: [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure
A deeplink feature was found missing validation that led to sensitive information disclosure. Once triggered, the deeplink would direct users to load any attacker-controlled URL within a webview. The impact was further escalated as the webview contained sensitive information. A temporary patch was...
Nextcloud: Wordpress 4.7.1
Greetings, I observed that your website https://nextcloud.com still uses WordPress 4.7.1. WordPress version 4.7.1, released on 2017-01-11, identified from advanced fingerprinting. This version of WordPress is vulnerable to: - WP_Query SQLi injection - XSS vulnerability was in the posts list tab...
Internet Bug Bounty: CVE-2024-21733 Apache Tomcat HTTP Request Smuggling (Client- Side Desync) (CWE: 444)
SECURITY CVE-2024-21733 Apache Tomcat - Information Disclosure. Severity: Important. Vendor: The Apache Software Foundation. Versions Affected: Apache Tomcat 9.0.0-M11 to 9.0.43, Apache Tomcat 8.5.7 to 8.5.63. Description: Incomplete POST requests triggered an error response that could contain data fr...
U.S. Dept Of Defense: CVE-2023-29489 XSS in cpanel at [www.███] - Securado, Oman
A cross-site scripting (XSS) vulnerability was found in the cPanel application hosted on a website. The vulnerability allowed an attacker to steal cookies or hijack a browser session. cPanel was not updated because the auto-update feature was disabled. The vulnerability was mitigated by enabling the...
GitHub Security Lab: CodeQL query for unsafe TLS versions
This bug was reported directly to GitHub Security Lab...
DRIVE.NET, Inc.: Same-site scripting
Same-site scripting. I have found an error of some misconfigured DNS in a subdomain of yours which causes same-site scripting. PoC: 1. Open a terminal and type ping localhost.drive2.ru. You would see that it resolves back to 127.0.0.1. A screenshot has been attached. Impact: This may cause security issu...
Legal Robot: Email Length Verification
Hi Team, hope you are good. I found your website app.legalrobot.com vulnerable to this vulnerability. Bug: Improper authentication - generic. Description: Don't know much about how websites store email addresses. Email addresses are stored as VARCHAR(128). But here your website legalrobot...