15306 matches found
U.S. Dept Of Defense: [█████] Bug Reports allow for Unrestricted File Upload
Unrestricted file upload was possible through the bug report feature of a web page, allowing an attacker to attach a malicious file to a bug report and execute malware on the support agent's system. The web server did not validate the extension and size of the uploaded file...
GitHub Security Lab: [JAVA]: CWE-347 - Improper Verification of Cryptographic Signature : Potential for Auth Bypass
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [codeql-go]: Add query to find use of constant state parameter in Oauth2 flow
This bug was reported directly to GitHub Security Lab...
Mail.ru: Unrestricted file upload on [ambassador.mail.ru]
PHP code execution was possible via the file upload functionality in ambassador.mail.ru. An attacker was able to execute arbitrary PHP code on the server through the image uploading functionality. The vulnerability was quickly fixed by the Mail.ru team...
Lyst: Subdomain takeover of storybook.lystit.com
Summary: The subdomain storybook.lystit.com had a CNAME record pointing to an unclaimed S3 bucket. This is a high severity security issue because an attacker can register the bucket on AWS and therefore can serve her own content on the subdomain. This allows for various attacks. Description: The...
Node.js third-party modules: [crypto-js] Insecure entropy source - Math.random()
Module module name: crypto-js version: 3.1.9-1 npm page: https://www.npmjs.com/package/crypto-js Module Description JavaScript library of crypto standards. Module Stats Replace stats below with numbers from npm’s module page: 184959 downloads in the last day 912568 downloads in the last week...
Zomato: [Zomato's Blog] POST based XSS on https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2
Issue details: POST based XSS Vulnerable URL: https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2 Vulnerable Parameter: loopStatemoduleId Payload: promptdocument.domain Steps to reproduce: As this is POST based, you need to create an HTML CSRF page to trigger the XSS. HTML code...
Nextcloud: bypass of 2FA
Improper protection of the 2FA login made a bypass of the 2FA possible. The bug required to know user credentials but effectively rendered the 2FA ineffective. The issue has been fixed by the Nextcloud team and has been validated by the reporter...
Trello: Full Sub Domain Takeover at help.trello.com.
Hey, the subdomain http://help.trello.com./ uses helpscout to host docs. While helpscout does not distinguish between help.trello.com. and help.trello.com (notice the trailing dot), I created a test page and hosted it for help.trello.com., and since the DNS entry is already present, http://help.trello.com./ now...
8x8: █.8x8.vc/index.js: Exposed Google Maps API Key Allowing Potential Abuse of Paid Services
The Google Maps API key was inadvertently exposed in client-side code, allowing potential unauthorized access to some Google Maps services. The issue was promptly addressed by implementing appropriate API key restrictions where feasible...
curl: CVE-2023-27534: SFTP path ~ resolving discrepancy
A vulnerability CVE-2023-27534 existed in libcurl's Curlgetworkingpath function, which resolved as remote users' home directory in an undocumented way for the sftp protocol. This could lead to unexpected final paths for sftp access, allowing an attacker with partial path access to gain access to...
Nextcloud: No password length limit when creating a user as an administrator
Hi, when I tried to set the password while creating an account I noticed that you haven't kept any password limit. You need to decrease the password length: There are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource consumption on behalf...
U.S. Dept Of Defense: [███████] Remote Code Execution at ██████ [CVE-2021-44529] [HtUS]
IP Address used to find vulnerability: ██████ Vulnerable Website URL or Application: https://████ pomcldsvr2.████ Proof of ownership: ███ Summary: The server at https://███ is running a vulnerable version of CSA. A code injection vulnerability in the Ivanti EPM Cloud Services Appliance CSA allows...
Elastic: CVE-2021-40870 on [52.204.160.31]
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal. The IP has an SSL certificate pointing to ElasticSearch. curl -kv...
8x8: Exposed PHP dependencies at ██.8x8.com
A limited number of hosts were exposing the PHP vendor directory, which exposed the names of internal packages & dependencies. The issue has been rectified...
GitHub Security Lab: ihsinme: CPP add query for CWE-788 Access of memory location after the end of a buffer using strlen.
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-489: Query to detect main() method in Java EE applications
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: Exposed Docker Registry at https://████
Summary: The docker registry at https://██████ has no authentication in place and is therefore exposed to the public. This leads to full disclosure of all available docker containers, the possibility to upload docker containers, and to manipulate and delete existing docker containers. Description: Fro...
Revive Adserver: Open redirection bypass in /www/admin/campaign-modify.php
Description - There is an open redirect on /www/admin/campaign-modify.php?returnurl= F713773 - By using //// at the start of the link, you can bypass the open redirect filter. - example: /www/admin/campaign-modify.php?clientid=&campaignid=&returnurl=%2F%2F%2F%2Fhackerone.com Impact This...
PUBG: RXSS to Stored XSS - forums.pubg.com | URL parameter
René Kroka found a Reflected XSS vulnerability that could be chained to a Stored XSS attack in the Invision Community forums software used by PUBG. By crafting a malicious URL the attacker is able to trigger JavaScript to execute on their own page; this is known as Reflected XSS. The attacker then create...
Nextcloud: Nextcloud Clickjacking Vulnerability
Hi! Test domain: https://nextcloud.com Summary ====== https://nextcloud.com/ A clickjacking vulnerability was detected because the X-Frame-Options header was not set. More Steps To Reproduce == 1. Create a new HTML file 2. Include the following payload Trusted web page https://nextcloud.com 3. Op...
Snapchat: CRLF Injection at vpn.bitstrips.com
Hi, I found that the site https://vpn.bitstrips.com/ is vulnerable to CRLF Injection. By injecting a Carriage Return and Line Feed character, we are able to make the server issue a Set-Cookie header. GET request: https://vpn.bitstrips.com/sessionstart/%0aSet-Cookie:maliciouscookie1 Host:...
Nextcloud: WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available
User Enumeration: It is possible to enumerate four WordPress usernames: jancborchardt, jos, lukasreschke, frank. An attacker can use these usernames to carry out a brute-force attack in order to forcefully authenticate. 2. Akismet Plugin 2.5.0-3.1.4 vulnerable to unauthenticated Stored Cross Site...
Uzbey: Breach Attack Vulnerability
Breach Attack Vulnerability Respected Sir/Madam, I hope you cooperate with me because it's not easy to find a vulnerability on your official website. Vulnerability description: This web application is potentially vulnerable to the BREACH attack. An attacker with the ability to: inject partial chosen...
Node.js: Multiple OpenSSL error handling issues in nodejs crypto library
Multiple OpenSSL error handling issues were discovered in the Node.js crypto library up to version 19.2.0. The library did not clear the OpenSSL error stack after operations that may set it, which could lead to false positive errors during subsequent cryptographic operations that happen to be on...
Automattic: GET /api/v2/url_info endpoint is vulnerable to Blind SSRF
Summary: GET /api/v2/url_info endpoint is vulnerable to Blind SSRF. I am able to hit both internal and external services via the url parameter by replacing it with an internal or external URL. Platforms Affected: https://www.tumblr.com/ Steps To Reproduce: 1. Login to https://www.tumblr.com/ 2. Follow any...
h1-ctf: [h1-415 2020] Multiple chained vulnerabilities lead to leaking secret document
Hi! Summary Multiple chained vulnerabilities lead to leaking secret documents. Improper sanitization in registration allows an attacker to create a QR recover code for any email address. This leads to an account takeover. Using that technique on jobert's account, the attacker can access the support...
Shopify: Stored XSS in Shopify Chat
1. Install the app Shopify Chat 2. Click chat on the shop homepage or Shopify Ping to send the PoC javascript:alert1//https://dqdqdqdqdq.myshopify.com 3. Click the URL, alert F657395 Impact 1. Front-end user Self-XSS 2. Administrator XSS foreground user...
Smule: stored xss in https://www.smule.com
Hi team, I found a stored XSS in www.smule.com. Summary: add summary of the vulnerability The most damaging type of XSS is Stored XSS (Persistent XSS). An attacker uses Stored XSS to inject malicious content, referred to as the payload, most often JavaScript code, into the target application. If the...
U.S. Dept Of Defense: sql injection on /messagecenter/messagingcenter at https://www.███████/
Hi, I would like to report an issue that leads to SQL injection in the search box at https://www.████/messagecenter/messagingcenter. If you add the character ' that is usually used to test whether a site has an SQL injection, the site returns an Incorrect syntax error, which can confirm the site is...
Node.js third-party modules: Prototype pollution attack (lodash / constructor.prototype)
I would like to report a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype. Module module name: lodash version: 4.17.10 npm page: https://www.npmjs.com/package/lodash Module Description The Lodash library exported as Node.js modules. Modul...
Ruby: Open aws s3 bucket s3://rubyci
Hello team, Description: The Ruby Amazon AWS bucket https://rubyci.s3.amazonaws.com is open with read-only privilege, which allows any authenticated AWS user to read private files. PFA screenshot. Thanks, Sandeep...
Ruby on Rails: Active Record SQL Injection Vulnerability Affecting PostgreSQL
This vulnerability was reported directly to Rails. https://groups.google.com/forum/!msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J...
Mozilla: Private Emails of Moz Workers Leaked in Public file
Vulnerability description not provided...
Nextcloud: nextcloudcmd incorrectly trusts bad TLS certificates
Ref: https://github.com/nextcloud/desktop/issues/4927 Bug description I have a self hosted Nextcloud instance using my own private CA for TLS certs. When running nextcloudcmd without the --trust, it disregards the cert validation failure as "This is not an actual error" and proceeds with the sync...
h1-ctf: [h1-2006 2020] CTF Walkthrough
h1-2006-ctf Writeup June 2020 https://hackerone.com/h1-ctf/ The Competition Begins! The tweet announces the CTF challenge. Looks like we will need to find a way to process some payments. F863442 Initial Exploring Reading up on the extended description at https://hackerone.com/h1-ctf/ reveals that...
Nextcloud: WordPress Plugin Insert or Embed Articulate Content into WordPress Remote Code Execution (UNAUTHORIZED)
Because in Burp Suite the build request is complicated, I only use curl. 1. Create the files index.html and index.php. index.html: Hello world index.php: 2. Once created, compress them into a .zip 3. Let's upload. curl: curl site.com/index.php/wp-json/articulate/v1/upload-data -F "name=NAMAFILE" -F...
Chaturbate: Open redirection at https://chaturbate.com/auth/login/
Hi, Summary An attacker can redirect a victim to an external website using the https://chaturbate.com/auth/login/ endpoint because the next parameter is not being validated properly. There is a protection in place but it's weak and can be bypassed. The http keyword is detected and the protection works if the payload...
Chaturbate: Internal loop going to infinite for cb.setTimeout(func, msecs) for broadcast app.
Hi there, I am not sure whether this is a vulnerability for @chaturbate or not, but in my view I thought it could be vulnerable and an attacker could use this vulnerability for exploitation on the @chaturbate website as a normal user, so finally I decided to report it. As I was just playing with the Broadcast app...
Ruby on Rails: XSS vulnerability in sanitize-method when parsing link's href
Possible XSS vulnerability in rails-html-sanitizer There is a possible XSS vulnerability in rails-html-sanitizer. This vulnerability has been assigned the CVE identifier CVE-2018-3741. Versions Affected: 1.0.3 or older. Not affected: None. Fixed Versions: 1.0.4 Impact ------ There is a possible X...
Homebrew: [https://jenkins.brew.sh] Jenkins in Debug Mode with Stack Traces Enabled
The consultant identified that the affected host is running an instance of Jenkins in debug mode; as a result, stack traces are enabled. The affected URL below displays a full stack trace from Jenkins: Affected URL: - https://jenkins.brew.sh/adjuncts/3a890183/ Recommendation Disable stack traces...
HackerOne: Unintended HTML inclusion as a result of https://hackerone.com/reports/110578
Hi, I was just reading https://hackerone.com/reports/110578 and testing out the changes. I had previously noticed that the editor would take something like: test and turn it into : test In other words, the code would recursively look at what should be the title string and use the first single or...
Mail.ru: touch.afisha.mail.ru: XSS
The whole host there is full of holes. It fires here: alert1ff243" class="portal-footerlink"Полная версия | Главная | Все проекты GET /?page=dab52"alert1ff243 HTTP/1.1 Host: touch.afisha.mail.ru Accept: / Accept-Language: en User-Agent: Mozilla/5.0 compatible; MSIE 9.0; Windows NT...
curl: CVE-2023-27536: GSS delegation too eager connection re-use
A vulnerability existed in libcurl that could allow the reuse of previously established connections when more strict or no delegation was requested, due to different CURLOPT_GSSAPI_DELEGATION options not being taken into consideration. An attacker could potentially exploit this vulnerability to...
TikTok: Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload
Vulnerability description not provided...
U.S. Dept Of Defense: Authentication Bypass Using Default Credentials on █████
An authentication bypass vulnerability was discovered on the admin console of █████████, allowing unauthorized access to the portal and its data using default credentials. The suggested mitigation is to change the credentials. No CVE numbers or affected product versions were mentioned...
Nextcloud: Possibility to force an admin to install recommended applications
Summary: The endpoint /nextcloud/index.php/core/apps/recommended is accessible via the GET HTTP method and doesn't check the anti-CSRF token. If an admin visits this endpoint in a browser, the installation of the recommended applications begins immediately. Steps To Reproduce: 1. An attacker creates a...
Internet Bug Bounty: CVE-2021-3711: SM2 decrypt buffer overflow
CVE-2021-3711 In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt. Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the...
U.S. Dept Of Defense: critical information disclosure
Description: Hey all, I have found critical information through this endpoint ████ on ███████: DB credentials such as DBNAME, DBUSER, DBPASSWORD, DBHOST, etc. Impact: full access control on the DB service on the website. System Hosts ███ Affected Products and Versions CVE Numbers Steps to Reproduce Go to...
Solana BBP: I don't know the importance and its impact. The affected asset: https://github.com/solana-labs/solana/blob/master/.buildkite/env/secrets.ejson
Summary: add summary of the vulnerability Steps To Reproduce: add details for how we can reproduce the issue 1. I have browsed this source code on GitHub: https://github.com/solana-labs/solana/tree/master/sdk 2. I have browsed the files and I found the file called buildkite/env/secrets.ejson...