Homebrew: Bypass of the installation sandbox by injecting keystrokes with TIOCSTI
While doing some internal testing recently, we ran into installation sandboxing and found a way to bypass it so that a formula's install script can execute commands outside of the sandbox. I understand from https://github.com/Homebrew/brew/issues/2986 that the sandbox is intended to prevent...
GitHub Security Lab: Java: QL Query Detector for JHipster Generated CVE-2019-16303
This bug was reported directly to GitHub Security Lab...
TikTok: Cross-Tenant IDOR ( graphql `AddRulesToPixelEvents` query ) allowing to add, update, and delete rules of any Pixel events on the platform
Due to an Insecure Direct Object Reference IDOR vulnerability, an attacker could have potentially added, deleted, or updated rules for other users' pixel events in the TikTok ads portal. We thank @bubbounty for reporting this to our team and confirming the resolution. This report is one of my...
Zomato: The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking.
Summary: IP found using the ping command - 52.77.124.190. Then I used the nmap tool to find in-depth information. I used Burp Suite and a DNS scanner but it was not fruitful. Then I explored some GitHub repositories to perform thorough web-application testing. Using Aquatone I found some hidden domains. Th...
Showmax: [stories.showmax.com] Cross Origin Misconfiguration - Sensitive Information Exposure
The hacker reported user enumeration on https://stories.showmax.com/wp-json/wp/v2/users/ and CORS. The user enumeration didn't disclose any sensitive information except usernames, which are not problematic because we have 2FA login in place and the usernames could be obtained even from standard...
New Relic: CRLF Injection in email address
The researcher discovered an issue where control characters can be used when intercepting a request to update an email address. This would result in an inaccessible account without intervention by our Support team. As denial-of-service is out of scope for our program, and since it is scoped to a...
Visma Bug Bounty Program: A 'Read only' user can modify the company logotype and invoice background image
A 'Read only' user can modify the company logotype and invoice background image in his own company, which should not be allowed for this permission level...
Ruby: Source code disclosed via S3 Bucket
Summary: Ruby has an Amazon S3 bucket named http://rubyci.s3.amazonaws.com/ which lists some of their log files. Those logs contain some information that reveals the server-side source code directories. Steps to Reproduce: 1. Go to http://rubyci.s3.amazonaws.com/, which has READ permission...
X (Formerly Twitter): AppLovin API Key hardcoded in a Github repo
Hello, I found a Sensitive Data Exposure in the github/mopub-android-mediation project: the AppLovin UI API key is hardcoded in the source code. And in the comment it's mentioned that "This is a unique SDK Key from AppLovin. Get yours from the AppLovin UI". Github Link:-...
Khan Academy: [critical] sql injection by GET method
Hey there, after tampering a bit with the values, since I figured out your backend is not PHP but most likely Django or Node.js, I found an SQL injection. You can view my steps to reproduce; if you need additional screenshots, please let me know. Regards, Gabriel Kimiaie. Impact: If I dig deeper, I may ...
HackerOne: Hacker.One Subdomain Takeover
Hello HackerOne Sec Team, Description: This report is about domain takeover of hacker.one via an Instapage 0day issue which I just found. Steps To Verify: + Visit: https://www.hacker.one + You will see some HTML updated by me. Impact: + As it's one of the official websites of HackerOne, an attacker ca...
Ubiquiti Inc.: Shell Injection via Web Management Console (dl-fw.cgi)
NCC Group Security Advisory https://www.nccgroup.trust -------------------------------------------- Shell Injection via Web Management Console Vendor: Ubiquiti Networks Vendor URL: https://www.ubnt.com Versions affected: airOS XM board line potentially all airOS lines, unverified Systems Affected...
withinsecurity: WordPress Failure Notice page will generate arbitrary hyperlinks
Description: When the "WordPress Failure Notice" page is returned, if the parameter _wp_http_referer was supplied with a valid URL, this URL will be used as the "Please try again." link (see attachment). A way to reliably generate this page is to append ?wpcspReceiveCSPviol=1&_wp_http_referer=example.co...
Whisper: Insecure Local Data Storage : Application stores data using a binary sqlite database
Android provides several options for developers to save persistent application data. The local DB should store data depending on whether the data should be private to your application or accessible to other applications and users. In any case, sensitive data always has to be encrypted to avoid...
Mail.ru: e.mail.ru: File upload "Chapito" circus
We start stuffing zero bytes into the file name on upload, and the server's behaviour is inadequate. So far nothing worse than local path disclosure, but I'm afraid the impact is bigger than it seems. The file name in the example is "������t123123", in hex "220000000000007431323331323322" POST...
U.S. Dept Of Defense: XSS found in https://www.████████.mil
The security researcher found a reflected cross-site scripting XSS vulnerability on the www.████████.mil website. The vulnerability was demonstrated using a proof-of-concept link that triggered a JavaScript alert. The affected product was identified as the web server, and the vulnerable code was...
Mars: ████ ' can change any account email and cannot retrieve his account and access it ' at ███
The security vulnerability described a method to change the email address of any user account, preventing the original user from accessing their account. The vulnerability involved manipulating the user profile update functionality to modify the email address. Despite an error message when...
Bumble: Race Condition on "Get free Badoo Premium" which allows to get more days of free premium for Free.
Summary: On Badoo, when a user wants to delete his account, it prompts for a free 3-day premium, or the user can proceed to delete his account. But when the user chooses to get the free 3-day premium, he can click "Get free Badoo Premium" and enjoy free premium for three days. Here I found a race condition...
GitHub Security Lab: CodeQL query to detect OGNL injections
This bug was reported directly to GitHub Security Lab...
h1-ctf: [H1-2006 2020] How I solved my first H1 CTF
Introduction: Hello! My name is @cr33pbp0y and I'm going to tell you how I solved my first HackerOne CTF. Prelude: One day, I was reading some tweets about some new vulnerabilities and new hunters' acquisitions when the Great H tweeted: F861267 I thought: "WoW, a new virtual event!! It could be...
curl: Invalid write (or double free) triggers curl command line tool crash
Summary: Whilst fuzzing libcurl built from git commit a158a09, a crash triggered by an invalid write or maybe a double/invalid free was found. Steps To Reproduce: Run: echo "LVQvCnVyIDA=" | base64 -d > test0000 ./curl --verbose -q -K test0000 file:///dev/null Stack: valgrind -q src/curl --verbose -...
GlobaLeaks: Since no defined tries for incorrect answer, an attacker can brute the answers and post a submission
Logic of the attack: pass 50 answers per token (this can be increased for a higher success rate); if there's a valid one within the 50 answers, the token becomes usable, and then submit the submission POST data. Screenshot of script running: F733033 Screenshot of inbox: F733034 Mitigation: This can be...
U.S. Dept Of Defense: Remote code execution vulnerability on a DoD website
A remote code execution RCE vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. Thank you @n0rb3r7 for notifying us of this vulnerability! I was able to leverage a recent, well-known vulnerability to achieve arbitrary, remote...
U.S. Dept Of Defense: SQL injection on ██████████ via 'where' parameter
An SQL injection vulnerability was discovered in the 'where' parameter of the ArcGIS server. The vulnerability allowed an attacker to retrieve database content by injecting malicious SQL queries into the 'where' parameter. Esri released an update to ArcGIS Server 10.1 Service Pack 1 to address th...
HackerOne: Tab nabbing in Hackerone inbox.
Description: A tab nabbing vulnerability occurs when you open a link in a new tab (target="_blank"): the page that opens in the new tab can access the initial tab and change its location using the window.opener property, and from this a lot of phishing attacks could happen. This scenario occurs on...
Instacart: Hyperlink Injection in Friend Invitation Emails
Description A user can change their name to a URL in order to send email invitations containing malicious hyperlinks. Steps to Reproduce 1. Create a new Instacart account with the first name http://example.com 2. Navigate to https://www.instacart.com/store/referrals 3. Send an email invitation to...
Internet Bug Bounty: Use After Free Vulnerability in session deserializer
https://bugs.php.net/bug.php?id=70219...
Shopify: [h1-2102] [Yaworski's Broskis] Low privilege user can read POS PINs via graphql and elevate his privilege
Summary: A low privilege user both in the shop and in the POS can read POS PINs via graphql and elevate his privilege with a physical access to the POS. Steps To Reproduce: 1. Log in to your shop and install the POS app https://apps.shopify.com/shopify-pos 2. Log in Shopify Plus as an org owner a...
U.S. Dept Of Defense: Read-only path traversal (CVE-2020-3452) at https://████████
Summary: I discovered a vulnerability Read-only path traversal CVE-2020-3452 at https://████████ Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote...
Weblate: Secret_key in GitHub
Hello, I have found that the secret_key in GitHub is public, and noticed something: this key has the comment "Make this unique, and don't share it with anybody." and it's public in GitHub. Also I noticed this file has code to do the payment.db. I think information like this must be private. SECRET_KEY =...
Visma Bug Bounty Program: [IDOR]Ability to Pause & Resume the Invoice of other users If GUID is known.
An Insecure Direct Object Reference (IDOR) vulnerability is discovered via a certain endpoint, and the application exposes a reference to an internal implementation object. It reveals the real identifier and the format/pattern used for the element on the storage backend side...
Stripo Inc: Password token leak via Host header
Password token leak via Host header -------------- Vulnerability Description: The token will be leaked by the server to that third-party site, and that token can be used by third parties to reset the password, take over the account and directly log in to your account. Steps To Reproduce: 1 Send reset...
Legal Robot: [Cross-domain Referer leakage] Password reset token leakage via referer
A security researcher discovered that sensitive information, like password reset tokens, could still be leaked to analytics services like Google Analytics or via the Referer [sic] header. Even though tokens were immediately invalidated, we decided to re-engineer the process to eliminate any...
OLX: Name, email, phone and more disclosure on user ID (API)
Hello, When I checked the OLX.pl app, I found out that when I click on a profile, personal information like email or phone number is exposed. GET https://ssl.olx.pl/api/v1/users/1/ HTTP/1.1 Host: ssl.olx.pl Cookie: PHPSESSID=hb6utlcj860nd7p2jt6ha0tu71 Connection: keep-alive Accept: */* Version: v1.1...
Pornhub: Unsecured Grafana instance
The researcher has found a Grafana instance accessible to the public. User sign-up was left open which allowed him to open an account and access charts on various server resource usage. This report is considered out-of-scope but Pornhub chose to reward the researcher due to the severity of the...
Internet Bug Bounty: Use of uninitialized value of in req_parsebody method of lua_request.c
Software Versions: Ubuntu 18.04 64-bit, Apache 2.4.51 64-bit. Cause of Bug: This bug is present in the req_parsebody method of the lua_request.c file. The lines of code mentioned below cause this bug. const char *data; int i; size_t vlen = 0; size_t len = 0; if (lua_read_body(r, &data, (apr_off_t *) &size,...
Urban Company: Insufficient Session Expiration
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Name of Vulnerability:...
GitHub Security Lab: 3,880 Pull Requests Generated to fix JHipster RNG Vulnerability CVE-2019-16303
This bug was reported directly to GitHub Security Lab...
Nord Security: Email address is not validated, No Rate Limit and RCE On Forgot Password Page Of affiliates.nordvpn.com
Go to https://affiliates.nordvpn.com/users/forgotpassword. Enter an arbitrary string like %0a or %0a%0d as the email. It says "No user account was found for the address given", which proves the query is going all the way to the database. Intercept the request using Burp Interceptor, copy it to Intruder, copy some 300...
Semrush: Open redirect in semrush.com
Summary: There is an open redirect on https://www.semrush.com/login/?redirectto=. By using /\ at the start of the link, you can bypass the open redirect filter. Description: An attacker can control the value of the "redirectto" parameter and make it redirect to a malicious endpoint. Steps To...
Shopify: Reverse Proxy misroute leading to steal X-Shopify-Access-Token header
Hello Shopify team! I found out that on /admin/api/graphql endpoint server fetches content of Host header value $HTTPHost + /admin/api/graphql. If my own host was sent to server, request comes from ██████████or ██████████ your google cloud cluster. Also I can grab all reverse proxy headers...
Discourse: XSS Vulnerability on Image link parser
I found an XSS (Cross-Site Scripting) vulnerability, and it is present in the markdown parser when it tries to parse an image URL. To reproduce the vulnerability you need to add a fake image URL like: http://host/path/to/image'onerror=alert(1);//.png As you can see, we have an invalid image URL which...
ok.ru: Multiple critical vulnerabilities in Odnoklassniki Android application
Hello, I have recently found several critical vulnerabilities in the Odnoklassniki Android application, which is one of your projects, thus I am reporting it here. The first vulnerability is so-called Intent spoofing. The vulnerability lies in the ability to start the video upload activity of Odnoklassni...
Greenhouse.io: SMTP protection not used (please read carefully )
Details: Companies like Coinbase, Yahoo, Google, Facebook and even HackerOne implemented a strict email security policy combining SPF, DKIM, and DMARC, but I don't see that from mailgreenhouse.ioru. You should apply a strict SMTP policy to stop spoofed email sending from your domain. POC is attached...
Coinbase: Improper Validation of the Referrer header leading to Open URL Redirection
Using a proxy tool such as Burp, set the Target as https://coinbase.com. Then, send the following request: GET /cdn-cgi/l/chk_jschl HTTP/1.1 Host: coinbase.com Referer: http://attacker.com Content-Length: 2 Notice the attacker's domain in the Referrer header. This value is not being validated on t...
HackerOne: Server Side Request Forgery (SSRF) via Analytics Reports
We recently received a critical server-side request forgery SSRF vulnerability report through our bug bounty program. The issue allowed attackers to make internal requests from our application servers by exploiting a lack of output sanitization in an error message. By crafting malicious requests,...
U.S. Dept Of Defense: [█████] Bug Reports allow for Unrestricted File Upload
Unrestricted file upload was possible through the bug report feature of a web page, allowing an attacker to attach a malicious file to a bug report and execute malware on the support agent's system. The web server did not validate the extension and size of the uploaded file...
GitHub Security Lab: [JAVA]: CWE-347 - Improper Verification of Cryptographic Signature : Potential for Auth Bypass
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [codeql-go]: Add query to find use of constant state parameter in Oauth2 flow
This bug was reported directly to GitHub Security Lab...
Lyst: Subdomain takeover of storybook.lystit.com
Summary: The subdomain storybook.lystit.com had a CNAME record pointing to an unclaimed S3 bucket. This is a high severity security issue because an attacker can register the bucket on AWS and therefore serve her own content on the subdomain. This allows for various attacks. Description: The...