Razer US: Database credentials leak at http://drivers.razersupport.com/.bash_history
The researcher discovered that the .bash_history on this server had improper permissions, which allowed public viewing of the file. When a DB admin eventually executed a command involving clear-text credentials for the database, this exposed the password for that database, a Kayako DB used for...
Starbucks: Time-based Blind SQLi on news.starbucks.com
Hi, I just found that the POST parameter "groupid" in a specially crafted HTTP request is vulnerable to injection due to missing parameter sanitization. PoC: POST / HTTP/1.1 Host: news.starbucks.com Connection: close Content-Length: 81 Cache-Control: max-age=0 Origin:...
Pornhub: Reflected cross-site scripting (XSS) vulnerability in pornhub.com allows attackers to inject arbitrary web script or HTML.
The researcher discovered a reflected cross-site scripting vulnerability on the users' page. Short Description --- I managed to bypass the fix to ZephrFish's report by encoding the = symbol %3D. Therefore, pornhub.com was still vulnerable to reflected XSS, a form of client-side code injection...
Mail.ru: Time-based SQL injection on https://puzzle.mail.ru
SQL injection via GET parameter in puzzle.mail.ru. puzzle.mail.ru is out of current bug bounty program's scope, but this report was awarded due to high severity...
Mail.ru: Information Disclosure of Garbage Collection Cycle 'Again'
Performance metrics were available at youla.ru...
QIWI: gifts.flocktory.com/phpmyadmin is vulnerable to CSRF
Summary: Hello Team, I found that the phpMyAdmin login panel is publicly accessible on https://gifts.flocktory.com and it is using version 4.6.6 of phpMyAdmin, which is vulnerable to several CVEs...
Nextcloud: Nextcloud Desktop Client RCE via malicious URI schemes
Nextcloud Desktop utilizes Qt's QDesktopServices::openUrl to open URLs. This function invokes the OS's/desktop environment's default application for handling the URI scheme and file extension. During the Nextcloud Add Account flow, the server's login website is opened within a native window/WebView...
BugPoC: XSS PoC for the wacky.buggywebsite.com challenge
Summary: https://wacky.buggywebsite.com/frame.html is vulnerable to DOM-based XSS. Steps To Reproduce: 1. Navigate to https://oembed.dev.ipwnedyour.net/wacky.buggywebsite.com.xss.html 2. Verify the document's origin is displayed in an alert box. PoC code details: The PoC page at...
Brave Software: Brave Browser potentially logs the last time a Tor window was used
Summary: A vulnerability in the Brave Browser allows an attacker to view the last time a Tor session was used in incognito mode. A local, on-disk attacker could read the Brave Browser's "Local State" JSON file and identify the last time a Tor session was used, affecting the confidentiality of a...
BugPoC: LFI from bypassing image parser and faking HEAD response with redirection
Summary: add summary of the vulnerability With a specially crafted request, a fake python3 HTTP server and exploit.py, we can read any file from the server. Supporting Material/References: list any additional material e.g. screenshots, logs, etc. Bugpoc id: bp-HdMxEwwr Bugpoc pass:...
Mail.ru: This Github Repository Seems Leaking "nino.samokat.ru" Source Code
The nino.samokat.ru promo site's source code was leaked on github.com...
Dropcontact: No Valid SPF Records
Hi, there is an issue: no valid SPF records. Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing...
GitHub Security Lab: [Java] CWE-295 - Incorrect Hostname Verification - MitM
This bug was reported directly to GitHub Security Lab...
Automattic: [tumblr.com] 69< Firefox only, reflected XSS
Description: Hello, I have found a reflected XSS in https://www.tumblr.com/abuse/start?prefill= but the XSS only works in versions of Firefox that are below 70, because it is blocked by CSP, but versions of Firefox below 69 are vulnerable. Here's a great article about this subject...
Engel & Völkers Technology GmbH: [service.engelvoelkers.com] XSS in /video/id
Summary: The YouTube video page at https://service.engelvoelkers.com/video/id/ is vulnerable to reflected XSS attacks. Description: A dynamic part of the URL is printed to the page without proper encoding, causing a reflected XSS vulnerability. Steps to reproduce Visit the following link:...
Semrush: Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image
@zcashi found a vulnerability in the My Reports tool. You can read the full write-up here: How I earned 500$ by uploading a file: write-up of one of my first bug bounty...
Mail.ru: [RCE] By stopping the redirect in /admin/*, the attacker is able to bypass authentication and upload a malicious file
A combination of improper access control and unrestricted file upload in a non-production service led to an RCE possibility...
Mail.ru: Disable 2FA via CSRF (Leads to 2FA Bypass)
A CSRF vulnerability in pandao.ru allowed disabling 2FA. pandao.ru belongs to the extended scope...
Internet Bug Bounty: Linux kernel: CVE-2017-6074: DCCP double-free vulnerability
Hi! CVE-2017-6074 [1] is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain kernel code execution from an unprivileged process. The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability to be present. A lot of modern distributions enable this option by...
HackerOne: Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP
Hi, I just discovered that there's a scenario where the Marketo Forms solution being used on www.hackerone.com can actually be abused, using a few fun techniques, to trigger an XSS in the cross-origin iframe being used by Marketo. This results in eavesdropping on the data being sent in the...
Vimeo: Downloading password protected / restricted videos
Using https://vimeo.com/api/atv/clip/VideoID it is possible to get the title and description and download the file regardless of any privacy settings; this includes both setting the video to 'Only me' and using a password. For proof, using my own video https://vimeo.com/171116158, which has the password...
Mail.ru: [afisha.mail.ru] SQL Injection
Good afternoon. The id parameter is passed into the SQL query without filtering. Attack vector: union-based SQLi. PoC: http://mmkf.afisha.mail.ru/imgview.html?id=3713444279+and0unionselectconcatws0x2c,version,@@versioncompileos Output in the page source: 5.0.92-community-log:unknown-linux-gnu...
Mail.ru: Reflected XSS.
XSS in aa.mail.ru. aa.mail.ru is not currently in bug bounty scope...
Affirm: Subdomain takeover of www█████████.affirm.com
Summary: Hi there, I am assuming you want this report as your policy mentions Affirm resources with third parties, but the scope was a little unclear. Regardless, www█████.affirm.com points to an AWS S3 bucket affirm-prod-www-cms█████████ that no longer exists. I was able to take control of this bucket...
Doppler VDP: No rate limit on email change leads to email notification bombing of the victim.
Hello team, I have tested your application and found no rate limit in the password changing mechanism, which allows an attacker to send an unlimited number of email notifications to the victim. Basically every part of your application has implemented a rate limit block system but the email changing area does...
Mail.ru: Reflected XSS on https://e.mail.ru/compose/ via Body parameter
Reflected XSS in e.mail.ru via a GET parameter of the mailto handler...
Mail.ru: Broken twitter link hijacking at https://games.mail.ru/pc/search/
A link on the https://games.mail.ru/pc/search/ page was pointing to an invalid Twitter account...
New Relic: Getting API access key through GraphQL introspection query
The introspection query should only be allowed internally and should not be allowed to the general public. If we can fetch the entire back-end API documentation and the calls available on a server, then that can be very dangerous in many cases; what if we could get our hands on some API calls only meant...
Shopify: Password protection can be removed for newly created development store
Details: Per https://help.shopify.com/en/partners/dashboard/managing-stores/development-stores#the-development-store-password-page, it states that the password can only be removed once the store has been transferred or switched to a paid plan. You can remove the password page only after you transfer...
h1-ctf: [H1-2006 2020] [CTF Writeup] A story about Bounty Payments, Collaboration & Community
H1-2006 CTF Writeup: This is a story about both solving a CTF and, most importantly, about how to make friends during the journey and learn a lot of valuable things for the future. On a Friday evening I saw this tweet from HackerOne: F853545 Honestly, the last CTF was really hard so I didn't really think...
Nextcloud: Veracode and security audit record are publicly available
Leakage of sensitive data through an open endpoint: a Risk Management and Compliance document written by NCC. Here is what the document says: Proprietary Information. This document contains detailed commercial, financial and legal information, which is confidential and commercially sensitive. The release...
Shopify: Stored XSS
Hello Security Team, I have found a stored XSS vulnerability. POC: Step 1: Go to https://app.oberlo.com/suppliers Step 2: Click on any product; you will be redirected to a URL like the one I have given, for example...
Gratipay: 400 Bad Request [Use a third-party provider to sign in or create an account on Gratipay]
Hi team, I cannot log in or sign up with third-party social media like Facebook, Google or Twitter. I checked one of them and it showed me the error message 400 Bad Request. Please fix soon...
Internet Bug Bounty: PHP mbstring / Oniguruma multiple remote heap/stack corruptions
Oniguruma [1] by K. Kosako is a BSD-licensed regular expression library that supports a variety of character encodings. The Ruby programming language, in version 1.9, as well as PHP's multi-byte string module since PHP 5, use Oniguruma as their regular expression engine. It is also used in products...
Vimeo: CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.
Hello, this time I found an IDOR (Insecure Direct Object Reference) vulnerability. It allows an attacker to get unauthorized access to videos of a channel whose privacy is set to "Only moderators and people I choose" without being a member. In simple words, we can access videos of a private channel without...
Adobe: Main Domain Takeover at https://www.marketo.net/
Resolved a valid subdomain takeover report on Marketo. We appreciate the collaboration with the researcher...
Internet Bug Bounty: CVE-2022-27774: Credential leak on redirect
Summary: curl/libcurl can be coaxed to leak user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL. Steps To Reproduce: 1. Configure, for example, Apache2 on firstsite.tld to perform a redirect with mod_rewrite: RewriteCond %{HTTP_USER_AGENT} "^curl/" RewriteRule ^/redirectpoc...
GitHub Security Lab: [C#]: HttpOnly and Secure Cookies for .NET Core and .NET
This bug was reported directly to GitHub Security Lab...
Courier: Rate limit function bypass can lead to huge critical problems on the website.
Hello team, I have found a technique that can easily bypass the rate limit system of the website, and with this bug an attacker can easily attack the login panel, send an unlimited number of notifications to a victim, bypass OTP codes, take over accounts, etc. Basically I have added a header...
Automattic: Email Verification bypass on signup
Summary: This bug is related to wordpress.com. There is a feature in wordpress.com which allows users to invite people. We have to enter an email address to invite that particular person, but the invite link and invite key are also available to the person who invited. This allows attackers to create the...
U.S. Dept Of Defense: Unauthenticated Arbitrary File Deletion ("CVE-2020-3187") in ████████
Description: A vulnerability in the interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files. Vulnerable...
Nextcloud: Stored XSS in collabora via user name
Affected: Collabora and Nextcloud. Ubuntu 18.04.5 LTS, Nextcloud 19.0.1 snap version, Collabora CODE. The name of the user is displayed when they join to edit the document, allowing the attacker to trigger XSS. Impact: Set the name of the attacker account to Create a new document → share the document with...
h1-ctf: h1-ctf writeup: finally paid the payments by chaining multiple bugs
Summary: The ultimate aim is to pay the payments of HackerOne using BountyPay with no user privileges at the start. Given scope is: .bountypay.h1ctf.com Enumerated subdomains are: 1. www.bountypay.h1ctf.com 2. app.bountypay.h1ctf.com 3. staff.bountypay.h1ctf.com 4. api.bountypay.h1ctf.com 5...
Informatica: RXSS in http://procurement-businesscatalog.informatica.com
Hi, this is a simple XSS in the host below. Reproduction Steps: Visit the following URL: http://procurement-businesscatalog.informatica.com/JPBC/login.hbc?lang=%3C/SCRIPT%3E%3CSCRIPT%3Ealertdocument.domain;%3C/SCRIPT%3E F760997 Impact: Standard XSS impact...
Node.js third-party modules: [utils-extend] Prototype pollution
I would like to report prototype pollution...
Node.js third-party modules: Server Side Request Forgery in Uppy npm module
Hi Team, while we were testing our security engine at Shieldfy https://shieldfy.io, we found a server-side request forgery (SSRF) vulnerability in the Uppy npm package. It allows a hacker to easily extract inside information from the server or take control of internal services. Module name: Uppy...
X (Formerly Twitter): POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204)
Summary: POODLE SSLv3 bug on multiple twitter smtp servers Description: CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle...
Mail.ru: filin.mail.ru user's e-mail address disclosure
Hello! Does this project participate in the bounty program? I found a problem in the questions/answers project. As far as I know, in this project only the user ID and nickname are publicly visible, BUT it is possible to view the email address of every project participant; it gives the email address of the given...
WakaTime: Impersonation of Wakatime user using Invitation functionality.
Hi WakaTime team, I have found a vulnerability in your leaderboard invitation functionality which can be used to trick victims in the name of WakaTime. Anyone can sign up with any email ID and use the leaderboard invitation to invite anyone. This loophole can be leveraged for impersonation o...
U.S. Dept Of Defense: Default page exposes admin functions and all methods and classes available on https://██████/█████/dwr/index.html
Summary: https://████/██████/dwr/index.html is a default installation page of the DWR engine that exposes all classes and methods available to the user. Description: https://█████████/██████████/dwr/index.html is a default installation page of the DWR engine that exposes all classes and methods available...