GitHub Security Lab: [Python] CWE-943: Add NoSQL Injection Query
This bug was reported directly to GitHub Security Lab...
Automattic: SQL Injection intensedebate.com
Hello dear support, I have found SQL injection on intensedebate.com. Injectable parameter: ?acctid=1 URL: https://www.intensedebate.com/js/importStatus.php?acctid=1 I used sqlmap; injection command: sqlmap --url https://www.intensedebate.com/js/importStatus.php?acctid=1 --dbs F1140562 available...
h1-ctf: A Visit from The Grinch ~ 'Twas the night before Hackmas...
Foreword This was an amazing CTF! The first from Hackerone that I've finished and one that I have enjoyed the most. Huge shout out to @adamtlangley for creating this downright poetic challenge. My whopping 20+ invitations are already being put to good use. Hacky Holidays and Merry Hackmas! Flag 1...
U.S. Dept Of Defense: Subdomain takeover due to an unclaimed Amazon S3 bucket on ███
Summary: An unclaimed Amazon S3 bucket on █████████ gives an attacker the possibility to gain full control over this subdomain. Description: ███████ pointed to an S3 bucket that no longer existed. The bucket points to an Amazon S3 website bucket in the US East region. I claimed this bucket and...
GitHub Security Lab: CodeQL query for disabled revocation checking
This bug was reported directly to GitHub Security Lab...
8x8: PHPinfo page on http://█████.callstats.io
A PHPInfo file was exposed on a legacy system. phpinfo was available at a callstats.io subdomain. It disclosed information on the server and PHP version information...
h1-ctf: [H1-2006 2020] Writeup
^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Prologue The CTF was announced in a Hacker0x01 tweet. The goal is to make payments from Marten Mickos' account on BountyPayHQ. The announcement tweet was followed shortly by a retweet of BountypayHQ, an account made for the event. BountypayHQ has one...
HackerOne: program_analytics_benchmarks query shows information not visible in public
Summary: program_analytics_benchmarks is displaying information I don't see yet in the public profile of a program. Description: I tried querying program_analytics_benchmarks for the program security and ██████ and it is showing information I cannot find in the public profile, especially in ███████ Steps To...
Mail.ru: [windows10.hi-tech.mail.ru] Blind SQL Injection
Good morning! Today I managed to find a blind SQL injection on your site, though it again seems to be out of scope. URL: https://windows10.hi-tech.mail.ru/api/tweets?cityid=select0fromselectsleep25v Request: GET /api/tweets?cityid=select0fromselectsleep25v HTTP/1.1 Host: windows10.hi-tech.mail.ru User-Agent: Mozilla/5.0 X1...
Internet Bug Bounty: mod_remoteip stack buffer overflow and NULL pointer dereference
Versions Affected: httpd 2.4.32 to 2.4.39 Summary: When mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY v1 or PROXY v2 header could trigger a stack buffer overflow or NULL pointer dereference. This was assigned CVE-2019-100...
Pornhub: CRITICAL ISSUE : Leak of all accounts mail login md5 pass and more
The researcher has found a critical issue on a specific endpoint allowing him to leak usernames and hashed passwords. I reported here a critical issue on a specific endpoint allowing to collect easily all tube8 accounts sensitive information, including email and password. The report could be easi...
Liberapay: twitter api access token leaked on github
Sensitive tokens were leaked on the GitHub page of Liberapay. Also a Mixpanel token was leaked. TWITTERCONSUMERKEY=QBB9vEhxO4DFiieRF68zTA TWITTERCONSUMERSECRET=mUymh1hVMiQdMQbduQFYRi79EYYVeOZGrhj27H59H78 +TWITTERACCESSKEY=34175404-G6W8Hh19GWuUhIMEXK0LyZsy7N9aCMcy1bYJ9rI...
Cuvva: CRLF Injection [vpn.corp.cuvva.com]
Hi team, I found a CRLF injection in vpn.corp.cuvva.com. PoC: https://vpn.corp.cuvva.com/sessionstart/%0aSet-Cookie:NEWCOOKIE123 Response: HTTP/1.1 302 Found Date: Wed, 24 May 2017 18:13:57 GMT Connection: close Content-Type: text/html; charset=UTF-8 Location: https://vpn.corp.cuvva.com/...
Nextcloud: Wordpress Vulnerable to Potential Unauthorized Password Reset
Hi Team, Yesterday a new 0day in the WordPress core was discovered by Dawid Golunski, so I want you guys to be aware of it and take immediate action, since Nextcloud was using WordPress. WordPress has a password reset feature that contains a vulnerability which might in some cases allow...
Internet Bug Bounty: SOAP serialize_function_call() type confusion / RCE
https://bugs.php.net/bug.php?id=70388...
U.S. Dept Of Defense: Unauthorized Access Exposing Sensitive Data
The identified page allowed unauthorized access to a user's profile management functionality without requiring authentication. Sensitive user details, such as name, email address, and EDIPI, were exposed upon accessing the page...
Open-Xchange: Privilege escalation possible in dovecot when similar passdbs are used
Summary: Privilege escalation is possible as a result of incorrect security code logic for dovecot passdb definitions. Description: When two passdb configuration entries exist in the dovecot configuration which have the same driver and args settings, the incorrect...
h1-ctf: CCC H1 June 2021 CTF Writeup
CTF Summary This was my first H1 CTF and I was excited to work with several others to collaborate on the CTF and find the flag. I'll write up the solution process and the vulnerabilities involved in the solution: basic knowledge of S3 operations, XML External Entities and Local File Exfiltration, SQL...
Kubernetes: csi-snapshot-controller crashes when processing VolumeSnapshot with non-existing PVC
Report Submission Form I was asked by Kubernetes Product Security and H1 Employee @turtleshell to open a new report with the same details as report 995699. Summary: csi-snapshot-controller crashes when processing VolumeSnapshot with non-existing PVC Kubernetes Version: 1.19 Component Version:...
U.S. Dept Of Defense: Stored XSS at ██████userprofile.aspx
Summary: Stored XSS vulnerability exists at ██████████userprofile.aspx under "say something about yourself...". XSS can be used for a variety of attacks. Impact XSS can be used to steal cookies, password or to run arbitrary code in the victim's browser. Step-by-step Reproduction Instructions 1...
Semrush: OAuth `redirect_uri` bypass using IDN homograph attack resulting in user's access token leakage
Issue Summary: It was found that the SEMrush OAuth implementation fails to properly validate the value of the redirect_uri parameter, which was bypassed using an IDN homograph attack, resulting in leaking the user's access token to an attacker-controlled domain name. The IDN homograph attack exploits the fact...
Starbucks: Information disclosure on sim.starbucks.com
Description: Hi there. I found that the sim.starbucks.com host deployed the Jira server, whose version is 7.9.2; there are many public vulnerabilities in this old version. Information disclosure vulnerability 1. CVE-2019-3403 https://jira.atlassian.com/browse/JRASERVER-69242 Visit the URL address, you can che...
Node.js third-party modules: flatmap-stream malicious package (distributed via the popular events-stream)
I would like to report a case of the malicious package flatmap-stream that made its way into many other npm packages. One such popular package is event-stream. User dominictarr transferred the ownership of an npm module to another user because he wasn't actively maintaining it. That user then added...
Shopify: Shopify admin authentication bypass using partners.shopify.com
@uzsunny reported that by creating two partner accounts sharing the same business email, it was possible to be granted "collaborator" access to any store without any merchant interaction. We tracked down the bug to incorrect logic in a piece of code that was meant to automatically convert an...
Pornhub: Stored XSS in photo comment functionality
The photo comment functionality is vulnerable to stored cross-site scripting: an attacker can craft a comment that contains malicious code and get it stored. This can be reproduced on my test account at http://www.pornhub.com/photo/166952961. Interestingly, differently from 171901 where I could...
HackerOne: Possible CSRF during joining report as participant
Hi, I think I found a possible CSRF issue with the "join report as participant" endpoint. Actually, one of my bugs got duplicated and the company added me into the original bug as a participant. Then I got an invitation from HackerOne to join the report. After opening the invitation link, there were tw...
Internet Bug Bounty: Request line injection via HTTP/2 in Apache mod_proxy
I've written this issue up fully here: https://portswigger.net/research/http2request In case it's useful, here's the original report as sent to Apache: I'd like to report a vulnerability in Apache mod_proxy when used with HTTP/2 enabled. It fails to reject HTTP requests that contain spaces in the...
HackerOne: CSV injection in the credentials export
Summary: Hello team! We have found out that a hacker can inject malicious Excel formulas into the credential details, which will be executed when a program user exports the credential details via https://hackerone.com/hackeroneh1pbbp3/credentials - export credentials and opens this CSV using MS...
GitHub Security Lab: Java : Add a query to detect Spring View Manipulation Vulnerability
This bug was reported directly to GitHub Security Lab...
TikTok: Cross-Tenant IDOR ( graphql `AddRulesToPixelEvents` query ) allowing to add, update, and delete rules of any Pixel events on the platform
Due to an Insecure Direct Object Reference IDOR vulnerability, an attacker could have potentially added, deleted, or updated rules for other users' pixel events in the TikTok ads portal. We thank @bubbounty for reporting this to our team and confirming the resolution. This report is one of my...
Mail.ru: Reflected XSS on http://info.ucs.ru/settings/check/
Reflected XSS due to unsafe usage of POST parameter in info.ucs.ru...
BlockDev Sp. Z o.o: load scripts DOS vulnerability
load scripts DOS vulnerability...
HackerOne: Email address of any user can be queried on Report Invitation GraphQL type when username is known
Summary: Email IDs of all HackerOne users disclosed. Description: There is a flaw with which I can get all HackerOne users' email IDs. Steps To Reproduce 1. Invoke the below GraphQL call POST /graphql HTTP/1.1 "query":"mutation Revokecredentialmutation$input0:AddReportParticipantInput!...
Semrush: IDOR in semrush academy
INTRODUCTION I used two accounts to search for this vulnerability: - id: 5410425 email: ████[email protected] - id: 5407773 email: ████@anosimple.com IP used: ███ Endpoint URL: https://www.semrush.com/academy/courses/userEnroll EXPLOITATION Description of Security Issue: When a user clicks on the...
HackerOne: Confidential data of users and limited metadata of programs and reports accessible via GraphQL
Summary: The GraphQL endpoint doesn't have access controls implemented properly. Description: Any attacker can get personally identifiable information of HackerOne users such as email address, backup hash codes, facebook_user_id, account_recovery_phone_number_verified_at, totp_enabled, etc. These are...
Smule: Missing Rate Limit in Forgot Password can Lead to email address leakage of all smule accounts
Hello Smule, I have found a vulnerability by which an attacker can get access to all the Gmail accounts associated with Smule. The forgot-password parameter can be brute-forced, through which an attacker can get the email address. Steps to Reproduce Enter your email address and for the forgot...
Liberapay: Insecure Account Deletion
Hi Team, The removal of an account is one of the sensitive parts of a web application that need to be protected; therefore removing an account should validate the authenticity of the user. However, I have found that when removing an account, the system did not require the user to input the account passwor...
HackerOne: Team object in GraphQL discloses team group names and permissions
Summary: Hi team. We can disclose your team member groups. Description: Because of the communications error, we can disclose the data: team_member_groups id, name, permissions. Steps To Reproduce 1. "query": "query...
VK.com: VIEWING ANY PRIVATE PHOTOS + PREVIEW OF ANY PRIVATE VIDEO.
Viewing private photos. The vulnerability was found in the article editor. The vulnerability allowed viewing any private photos and any private video preview...
HackerOne: Broken Authentication and session management OWASP A2
Description: Session management issue in https://www.hackerone.com Cookies are used to maintain the session of a particular user and they should expire once the user logs out of his HackerOne account. In a secure web application, cookies immediately expire once the user logs out of his account. But thi...
HackerOne: information disclosure of another company bug on video.
An information disclosure vulnerability was discovered in a company's system and reported on a bug bounty platform. The vulnerability allowed access to sensitive information about the company and its subdomain. The vulnerability was disclosed publicly, potentially causing harm to the affected...
Nextcloud: @nextcloud/logger NPM package brings vulnerable ansi-regex version
Summary: Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns \;? and ?:;-a-zA-Z\d\/&.:=?%@. Details: Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate...
U.S. Dept Of Defense: ██████████ running a vulnerable log4j
Description: https://vulners.com/cve/CVE-2021-44228 Impact Probably arbitrary code execution System Hosts ████████ Affected Products and Versions CVE Numbers CVE-2021-44228 Steps to Reproduce 1. Browse to https://████████/███████https%3A%2F%2F█████████%2F 2. Enter a...
U.S. Dept Of Defense: Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM. Impact An unauthenticated, 3rd-party attacker or adversary can execute remote code Supporting Material/References - https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464 System...
Sifchain: Found a URL in source code which was disclosing various juicy information like IP addresses and available endpoints
Summary: I found a link in the " https://github.com/Sifchain/sifnode/blob/develop/deploy/rake/cluster.rake" page which was exposing IP addresses and different endpoints which could be misused by hackers. Link Is=https://rpc.sifchain.finance/ Steps To Reproduce: 1. Visit https://rpc.sifchain.finance/...
h1-ctf: How The Hackers Saved Christmas
F1139789 Challenge I 🤖 "What are you doing?" I asked myself. I was about to trespass a clear warning to keep out. F1139744 "Have you lost your mind?" But I couldn't help it. I was born for this. And I wasn't going to back down. There are 12 more days until Christmas Eve, and I wasn't going to let...
Courier: disable test send feature if user's email address isn't verified
Summary: There is no mechanism to limit the request in places while sending the preview email. Steps To Reproduce: There is a weak account registration process, which allows a user to register and log in without any email confirmation. Let's say for example that I'm user A who wants to send a phishin...
h1-ctf: [h1-2006 CTF] Multiple vulnerabilities leading to account takeover and two-factor authentication bypass allows to send pending bounty payments
Hi, First things first, the flag of the CTF challenge. F863095 Write-Up I've published my write-up at https://kapytein.nl/texts/2020-06-10-h1-2006-ctf-writeup-2cf34abd3ed/, in order to avoid a lengthy report 😅. TL;DR 1 2FA bypass as we control both values on the comparison. 2 SSRF to...
HackerOne: Unauthorized access to metadata of undisclosed reports that were retested
Summary: The report_retests object in the User node discloses some information about undisclosed reports. Description: An attacker can get some information such as "asset_name", "asset_type", "severity_rating", "weakness_name" of an undisclosed report. Steps To Reproduce 1. Invoke the below GraphQL call POST...
Staging.every.org: Improper email address verification while saving Account Details
Summary: An attacker could be able to change their email to any email address, even an already-registered email address of another user, even though the UI does not allow it. Steps To Reproduce: 0. Set up a proxy. 1. Sign up with any email address 2. Go to the profile section 3. Click on the update button 4. Monitor the call in rever...