Node.js third-party modules: Server Side Request Forgery in Uppy npm module
Hi Team, While we were testing our security engine at Shieldfy https://shieldfy.io, we found a server side request forgery (SSRF) vulnerability in the Uppy npm package. It allows a hacker to easily extract inside information from the server or take control of internal services. Module name: Uppy...
X (Formerly Twitter): POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204)
Summary: POODLE SSLv3 bug on multiple twitter smtp servers Description: CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle...
WakaTime: Impersonation of Wakatime user using Invitation functionality.
Hi wakatime team, I have found a vulnerability in your leaderboard invitation functionality which can be used to trick victims in the name of wakatime. Anyone can sign up with any email id and use the leaderboard invitation to invite anyone. This loophole can be leveraged for impersonation o...
U.S. Dept Of Defense: Default page exposes admin functions and all methods and classes available on https://██████/█████/dwr/index.html
Summary: https://████/██████/dwr/index.html is a default installation page of DWR engine that exposes all classes and methods available to the user. Description: https://█████████/██████████/dwr/index.html is a default installation page of DWR engine that exposes all classes and methods available...
Deriv.com: login to any user's cashier account and full account information disclosure
Hi, I have found an issue allowing an attacker to login to any user's cashier account and view sensitive user information by just knowing the user account ID. Steps to reproduce: 1. open 2 browsers and create 2 accounts, login with each account on a browser. 2. let's call account 1 the victim...
Mars: [XSS] Reflected XSS via POST request in (███████)
A reflected Cross-Site Scripting XSS vulnerability was identified in the celular parameter of a POST request to the homepage of a Mars-owned website. The vulnerability was classified as medium severity with a CVSS score of 6.2. The application failed to properly sanitize user input before renderi...
U.S. Dept Of Defense: AEM misconfiguration leads to Information disclosure
Sensitive information was disclosed due to a misconfiguration in AEM, allowing access to internal usernames and webroot directories by appending /.1.json to certain URLs. This could lead to unauthorized access, social engineering attacks, and reputation damage...
Nextcloud: No password length restriction in reset password endpoint
There was no password length restriction in the reset password endpoint of the Nextcloud platform, which could allow an attacker to perform a denial of service attack by entering a large number of characters as a password. The vulnerability has been mitigated by restricting users to use less than...
TikTok: bypass two-factor authentication in Android apps and web
A vulnerability was found where a random timeout issue on a Two-Step Verification endpoint could have resulted in a potential bypass of authentication if multiple incorrect attempts were entered in quick succession. It was found that this vulnerability required access to the user's email/password...
Sifchain: Cross Origin Resource Sharing Misconfiguration | Lead to sensitive information.
Hi team, I found a CORS bug in your https://sifchain.finance/ website. Steps To Reproduce: 1. Go to the https://sifchain.finance/ website, enter an email and click signup. 2. Intercept via Burp, you will get a request. Send it to Repeater. 3. Change the request as POST /==wp-json== HTTP/2 Host:...
GitHub Security Lab: Java: Query for detecting unsafe deserialization with Spring exporters
This bug was reported directly to GitHub Security Lab...
Yelp: X-Forward-For header allows bypassing access restrictions
Summary: If the "X-Forward-For: 127.0.0.1" header is used, it allows bypassing restrictions of the web application and accessing endpoints that are restricted otherwise. This allows, for example, access to the "Business Owner App backend API". The responding server thinks it is accessed by an interna...
Endless Group: CVE-2020-14179 on https://jira.theendlessweb.com/secure/QueryComponent!Default.jspa leads to information disclosure
Hello theendlessweb team, Summary: the Jira instance on jira.theendlessweb.com is vulnerable to CVE-2020-14179 which allows remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability F1029731 Steps To Reproduce: Navigate to...
lemlist: app.lemlist.com : Admin Panel Access
Hi team, Steps To Reproduce: While doing some analysis of JavaScript files in app.lemlist.com I found interesting endpoints. is the admin panel and is not protected; any normal user can access the panel. Steps To Reproduce: Add details for how we can reproduce the issue 1. Log into your accoun...
h1-ctf: @shakedko H1-2006 CTF writeup
TL;DR Flag is: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$. Thank you for this awesome challenge! Introduction I have participated in this CTF as I wanted to see how far I'd be able to get considering the fact that I'm doing bug bounty for a relatively short time. Coming from the software...
h1-ctf: [H1-2006 2020] Connecting the dots to send hackers their Bug Bounty
Hello team, Thank you so much for organising the CTF, it has helped a lot to learn and improve my knowledge. Now let's get to the solution. I have prepared short videos as a reference for each part and broken down the CTF into 8 challenges. So the CTF was broken into: 1. Gathering leaking to gain login credentia...
U.S. Dept Of Defense: Full Account Take-Over of ████████ Members via IDOR
Summary https://███████ is a Social Network Site belonging to US DoD. Membership is open to anyone. I have found a method to fully take over any member's account by exploiting an IDOR bug in the ██████████ end-point. By changing the following values in the POST request to the affected end-point:...
Phabricator: Markdown parsing issue enables insertion of malicious tags
mongoose By exploiting the URL markdown an attacker is able to add tags to an anchor element. This is less impactful since the default CSP policy blocks inline JavaScript execution, but an attacker could deface individual pages, bypass the rel="noreferrer" tag to perform tab nabbing or perform...
Genasys Technologies: Login Bypass to OTP Enumeration
Summary: If an attacker gets access to the victim's username or knows the email used for logging in to the application, he can bypass the login by enumerating the One Time Password. Steps To Reproduce: 1. Go to https://staging.genasystech.co.uk/d2c/ 2. Create an account, enter the relevant pin for...
Internet Bug Bounty: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
The exif_read_data function is prone to an out of bounds read while processing crafted JPG data. This was discovered using AFL. It can be reproduced as follows: USE_ZEND_ALLOC=0 php -r...
LocalTapiola: Internal IP Address Disclosure at https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/pages
Basic report information Summary: Hello, I found an internal IP address at https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/pages. Description: While digging the paths in the /wp-json/ directory, I found this URL: https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/pages and when I request this using Bu...
Node.js third-party modules: [anywhere] An iframe element with url to malicious HTML file (with eg. JavaScript malware) can be used as filename and served via anywhere
Hi Guys, anywhere allows embedding HTML in file names, which in certain conditions might lead to executing malicious JavaScript. Module: Running static file server anywhere. https://www.npmjs.com/package/anywhere Description To embed a malicious tag with JavaScript code to execute, the / character is...
X (Formerly Twitter): DOM based cookie bomb
Hi, I would like to report an issue that allows attackers to plant a "cookie bomb" on a victim's browser, so that the victim will be unable to access any Twitter services. PoC 1. Go to http://innerht.ml/pocs/twitter-dom-based-cookie-bomb/ 2. Click on the "DoS" link 3. Wait for a moment 4. Now...
U.S. Dept Of Defense: XSS DUE TO CVE-2022-38463 in https://████████
Description: During my research, I found one of the hosts running ServiceNow vulnerable to CVE-2022-38463. ServiceNow through San Diego Patch 4b and Patch 6 allows reflected XSS in the logout functionality. Impact Attacker is able to steal victims' cookies, redirect the victim to an attacker-controlled...
Krisp: Visibility Robots.txt file
Issue detail:- The web server contains a robots.txt file. Issue background:- The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site that robots are allowed, or not allowed, to crawl and index. The presence of the...
Sifchain: ETHEREUM_PRIVATE_KEY leaked via github
ETHEREUM_PRIVATE_KEY It is used to sign Ethereum transactions on the Blockchain. Steps To Reproduce: Open this url https://github.com/Sifchain/sifnode/blob/f96727748e1f44926d3bd72b1021f6c2461dee17/test/integration/start-integration-env.sh POC - screenshot attached Impact It shouldn’t be publicly...
Sifchain: Vulnerable for clickjacking attack
Summary: Hi Team, I know that I have reported to you outside of scope. The report is related to the mentioned company and the vulnerability can endanger your business, so I report this vulnerability to you. Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a maliciou...
Palo Alto Software: IDOR on update user preferences
Summary: A team member with role USER can change the data of any user in the team, or steal his cookies, or steal the victim's account via the forgot password function. Steps To Reproduce: 1. Log in as user1, the user with role admin, and invite user2, setting his role to user. 2. Log in as user2, open Mail...
Endless Group: Let's Encrypt Certificates affected by CAA Rechecking Incident
Summary: Let's Encrypt released a statement regarding 3 million certificates being revoked due to an issue in the CA signing process. Looking at your subdomains it appears that you are affected by this incident. When the revoking occurs the certificates are no longer valid. This ma...
Rocket.Chat: XSS (leads to arbitrary file read in Rocket.Chat-Desktop)
Description: Rocket.Chat allows administrative users to customize the home body. Since tags are removed, I think that running scripts should not be allowed. However, event handlers are not removed, allowing you to inject your own scripts. Releases Affected: Rocket.Chat-Desktop-Client: v2.15.5...
curl: SSRF via maliciously crafted URL due to host confusion
Summary: Curl is vulnerable to SSRF due to improperly parsing the host component of the URL compared to other URL parsers and the URL living standard. POC curl -sD - -o /dev/null "http://google.com:80\@yahoo.com/" Curl makes a request to yahoo.com instead of google.com. Supporting...
Node.js third-party modules: [jsreport] Remote Code Execution
I would like to report Remote Code Execution in jsreport It allows running js files remotely on a vulnerable server. Module module name: jsreport version: 2.5.0 npm page: https://www.npmjs.com/package/jsreport Module Description jsreport is a reporting server which lets developers define reports...
Quora: [Android] XSS via start ContentActivity
Summary: XSS via start ContentActivity using 'html' parameter. Description Include Impact: Arbitrary applications on Android can run the exported activities ContentActivity, ModalContentActivity and ActionBarContentActivity. Using intent extra parameter html we can pass javascript, which will be...
Bumble: Obtaining the original of a hidden image
Hello! Your service has photos of very low quality, so that it is impossible to make out who is pictured in them, for example in the "Who likes you?" section. Our method of obtaining the original. Take the address of the hidden picture:...
Square: Blind SQL injection in www.bookfresh.com
The resource at /reservations doesn't properly sanitise the "client" variable before putting it into a MySQL statement. This results in a Blind SQL Injection vulnerability. We can demonstrate the vulnerability by making the SQL server wait for a while before responding. PoC wait a while:...
U.S. Dept Of Defense: HAProxy stats panel exposed externally
An exposed web panel for HAProxy running on a system allowed external access to the statistics page at port 1024, potentially exposing sensitive information...
Internet Bug Bounty: Rails ActionView sanitize helper bypass leading to XSS using SVG tag.
Loofah versions between 2.1.0 and 2.19.1 were vulnerable to a cross-site scripting XSS attack via the image/svg+xml media type in data URIs. This allowed an attacker to bypass HTML sanitization and execute malicious code. The vulnerability was mitigated by upgrading to Loofah version 2.19.1 or...
Internet Bug Bounty: CVE-2022-32208: FTP-KRB bad message verification
When curl does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. Impact Loss of integrity of FTP-KRB transfers...
GitHub Security Lab: [Python] CWE-090: LDAP Injection
This bug was reported directly to GitHub Security Lab...
Sifchain: Found key_adress and key_password in GitHub history
Summary: I found key_adress and key_password in your GitHub history Steps To Reproduce: 1. Open url https://github.com/Sifchain/sifnode/commit/f21dcf05c7953693b82bba119bba5ca48982b6d0diff-3b3ced8ca40f67dd52fd8031d9c2b5147c249a8c66b3aa066e355c0ee12fa14c 2. search for "key_password" and you will find...
Nextcloud: No rate limiting for confirmation email lead to huge Mass mailings
Issue Description No rate limit means there is no mechanism to protect against the requests you made in a short frame of time. If the repetition doesn't give any error after 50, 100, 1000 repetitions then there will be no rate limit set. vulnerable has registered in 297359 774050 922470 URL Effect...
Courier: Bypass Too Many Requests Sign Up
Courier makes a rate limit check before allowing a user to register; this rate limit check can be bypassed and a user account can be created by sending a request directly to the AWS Cognito API – which is not rate limited...
h1-ctf: [H1-2006 2020] CTF Writeup
Just submitting Flag for now, Will soon submit Writeup : Impact Flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$...
Mail.ru: XSS at go.mail.ru
DOM-based self XSS in go.mail.ru social search functionality...
Nextcloud: Email Spoofing
An SPF/DMARC record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF/DMARC record is to prevent spammers from sending messages on behalf of your organization. Remediation: Create an SPF...
Bumble: Bruteforce password recovery code
Summary It's possible to bruteforce the recovery code from SMS as the iOS application doesn't have limits for incorrect inputs. I have tried 50+ different combinations until I reached the code from SMS. Steps To Reproduce 1. Click "Use another option" on the application startup view 1. Enter your phone number 1...
Liberapay: Private target account appears in search results
Summary On the policy page, there is a special tailored account, highly confidential & secret! F600997 - Hide this profile from search results on Liberapay - Prevent this profile from being listed on Liberapay - Target account hackerone-target-team Description In this exploit, I found the privacy setting...
Starbucks: Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key=
Hi Starbucks team, While testing I found a Reflected XSS in openapi.starbucks.com that can also lead to an Open Redirect. Vulnerable link ========== https://openapi.starbucks.com/searchasyoutype/v1/search?x-api-key=██████&query=coffe&partnerid=████:vwt2u5wngbk&siteBaseUrl= Vulnerable parameter...
GitLab: Gitlab.com is vulnerable to reverse tabnabbing.
Dear GitLab bug bounty team, Summary --- Gitlab.com is vulnerable to reverse tabnabbing, since you use target="_blank" on links in the Environments section. F166659 Why does this vulnerability exist? --- The following link is vulnerable to reverse tabnabbing, because it uses target="_blank": This...
Gratipay: HTTP trace method is enabled on gip.rocks
Hello, the HTTP TRACE method is enabled on your server, which should not be enabled. It can lead to cross site tracing! Cross site tracing: https://www.owasp.org/index.php/CrossSiteTracing curl -X TRACE http://gip.rocks/ -vv Hostname was NOT found in DNS cache Trying 184.73.218.93... Connected to...