Dust: Privilege Escalation leads to Unauthorized Access to Private Conversations By any Regular user [Read, Edit and Delete]
Summary: A normal authenticated user on dust.tt can escalate their privileges by accessing, modifying, and deleting any chat threads belonging to other users — including administrators — through a vulnerable API endpoint without having the appropriate permissions. Vulnerability Details: Reading...
Dust: Improper Session Invalidation – Auto Sign-In Without Credentials After Logout (Affects Chrome & Firefox)
The session was not invalidated properly when the user logged out. Revisiting the login page allowed automatic re-authentication without user input, as the session remained active or was improperly restored across multiple browsers...
Dust: User Limit Bypass via Pending Invitations in Workspace System
The platform's workspace user limit was found to be vulnerable to bypass through the use of pending invitations. Users were able to join a workspace by signing up with an invited email, even after the workspace had reached its user limit for the current subscription tier. This allowed an unlimite...
U.S. Dept Of Defense: Applicant security exam Attachments/Documents accessible through an IDOR/BAC on the custom Apex controller on https://█████.mil
The applicant security exam contained an Insecure Direct Object Reference (IDOR) vulnerability on the custom Apex controller on the https://█████.mil portal. The vulnerability allowed an attacker to switch the ownership of any Attachment record and access the files, which contained sensitive...
New Relic: Leaking license key in source code
Restricted role user has no way to view the license key, but the license key is leaking in the source code. Steps to reproduce Assume userA is owner, userB is restricted user. Login as userB and go to https://rpm.newrelic.com/accounts/accid/applications/setup Select any Web agent, view page sourc...
Internet Bug Bounty: Possible Sensitive Session Information Leak in Active Storage
There was a possible sensitive session information leak in Active Storage. Active Storage incorrectly sent the user's session cookie along with a Cache-Control: public header when serving files blobs. This allowed certain caching proxies to cache the response, including the Set-Cookie header,...
Shopify: SSRF via 'Insert Image' feature of Products/Collections/Frontpage
Hi Security team, I would like to report another SSRF issue like my previous bug 67377 https://hackerone.com/reports/67377. The description, threats, risks, exploitations are the same. The base request is the following POST /admin/settings/files.json HTTP/1.1 Host: test-4925.myshopify.com...
Internet Bug Bounty: Denial of Service by memory exhaustion in net/imap
A vulnerability was discovered in the net-imap library that allowed denial of service by memory exhaustion. The vulnerability was caused by the library automatically reading and allocating memory for the size of "literal" strings sent by the server, without any limit on the size. This could be...
Internet Bug Bounty: CVE-2024-56374 Potential denial-of-service in IPv6 validation
CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation A potential denial-of-service vulnerability was discovered in the IPv6 validation functions of Django. The lack of an upper bound limit on the length of input strings passed to the private functions clean_ipv6_address and...
Pornhub: CSRF Full Account Takeover - https://redtube.com/settings
The researcher was able to take over an account by exploiting a vulnerability within 'User Settings', where the form was not protected by a CSRF token. An attacker could take over any user account:...
IBM: Information disclosure on IBM training service endpoint
The IBM training service endpoint had an information disclosure vulnerability that was reported to IBM, analyzed, and remediated. The vulnerability was discovered and reported by an external researcher...
Pornhub: [Android API] SQL injection (errortoken.json)
The researcher discovered a blind SQL injection on the YouPorn Android app download link...
Informatica: XXE through injection of a payload in the XMP metadata of a JPEG file
Users are able to change their avatar picture. The avatar picture upload functionality is prone to an XXE attack when parsing the image file. Specifically, the XXE attack is executed through the injection of a payload in the "XMP metadata" of the uploaded JPEG file. Proof of concept note the "Burp...
WakaTime: Broken Access Control Exposes Email Verification Status and Privacy Settings via API Endpoint
The /api/v1/users/username endpoint leaked sensitive email-related metadata, such as the user's email confirmation status and privacy settings, without proper authorization checks. This allowed attackers to determine whether an account's email address was confirmed and the user's email privacy...
curl: Use of a Broken or Risky Cryptographic Algorithm (CWE-327) in libcurl
Summary: The DES (Data Encryption Standard) cipher is used in the curl_ntlm_core.c file of libcurl. DES is considered insecure due to its short key length (56 bits) and its susceptibility to brute-force attacks. Modern cryptographic standards recommend replacing DES with AES Advanced Encryption Standar...
curl: Double Free Vulnerability in `libcurl` Cookie Management (`cookie.c`)
Description: Two Double Free vulnerabilities have been identified in the cookie.c file of the libcurl library. These issues occur due to improper memory management, where the same memory area is freed multiple times under certain conditions. Below are clear steps to reproduce each vulnerability...
RubyGems: `/names.nsf` and all `/names*` files route to public API on rubygems.org
During the security assessment of the application hosted at https://rubygems.org/names.nsf, it was discovered that a sensitive file, "names.nsf", is publicly accessible without proper authentication; it is supposed to be protected by authentication mechanisms to ensure that unauthorized users d...
Semrush: Password reset token leakage via referer
Hi Team, I have found that if a user opens the password reset link and then clicks on any external link within the reset password page, it leaks the password reset token in the Referer header. Steps to reproduce: 1. Open the password reset page from the email. 2. Click on any social media link on the follow us section...
Dust: Privilege Persistence via Cloned Agent
The vulnerability allowed a member to clone an agent managed by the admin by modifying the agent's unique identifier sid. This resulted in the admin being unable to effectively disable the agent, as the cloned version could still be used by the member even after the original agent was disabled...
IBM: Middleware Authentication Bypass on IBM Portal
The vulnerability of middleware authentication bypass on the IBM Portal endpoint was reported, analyzed, and remediated. The discovery was reported by an external researcher...
WakaTime: Session Replay Attack Allows Authentication Bypass via Captured Login Responses Allowing Bypass of 429 Too many attempts for Multiple Failed Logins
Summary An attacker can bypass authentication by capturing a valid login response including session cookies/tokens and replaying it during a failed login attempt with incorrect credentials. The server fails to invalidate or validate session tokens properly, allowing unauthorized access even after...
U.S. Dept Of Defense: Pulse Secure File disclosure, clear text and potential RCE
Summary: Pulse Secure has two main vulnerabilities that allow file disclosure and post-auth RCE Description: CVE-2019-11510 is a file disclosure due to some normalization issues in Pulse Secure. I was able to reproduce this by grabbing the /etc/passwd...
Dust: Stored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover
A stored cross-site scripting (XSS) vulnerability was discovered in the Dust platform's file upload functionality. An attacker could upload a malicious HTML file to a conversation. When another user, including an admin, visited the uploaded file, JavaScript was executed in their authenticated brows...
HackerOne: Pixel flood attack
Hey guys, I just found a way to make your service time out. I didn't know if I should put this under the Internet section or just the HackerOne section, because the exploit also crashes my Windows Image Viewer. A lot of other services should be vulnerable as well. For the sake of responsible...
Internet Bug Bounty: #2931639 ActionView sanitize helper bypass with math-related tags
There is a vulnerability in Rails-HTML-Sanitizer 1.6.0, which is also used by Rails ActionView. The vulnerability allows for bypassing the sanitization process when certain math-related tags, such as "math", "mtext", "table", "style", and "mglyph" or "malignmark", are allowed. This could lead to...
curl: HTTP/3 Stream Dependency Cycle Exploit
Penetration Testing Report: HTTP/3 Stream Dependency Cycle Exploit --- 0x00 Overview A novel exploit leveraging stream dependency cycles in the HTTP/3 protocol stack was discovered, resulting in memory corruption and potential denial-of-service or remote code execution scenarios when used against...
Autodesk: Stored Cross-Site Scripting found in custom integration app on https://admin.b360.autodesk.com.
Stored Cross-Site Scripting was found in custom integration app on https://admin.b360.autodesk.com. The vulnerability could have allowed an attacker to inject malicious JavaScript code when viewed by users. The issue was fixed by Autodesk...
Pornhub: XSS vulnerability using GIF tags
The researcher discovered a way to use the tag parameter when generating a GIF to achieve a stored cross-site scripting...
MTN Group: SQLi | in URL paths
The vulnerability summary is as follows: A SQL injection vulnerability was discovered in the customerId parameter of the URL path. The vulnerability was demonstrated by adding a quote in the customerId parameter, which resulted in an error indicating that the application was vulnerable to SQL...
Valve: Link filter protection bypass
Description Hi, there is a protection bypass in the linkfilter function. By using the character 。 (%E3%80%82 URL-encoded) instead of a normal dot in URLs, it is possible to bypass the blocking. PoC Normal request: https://steamcommunity.com/linkfilter/?url=pornhub.com F240919 Bypass:...
Informatica: ..; bypass leading to tomcat scripts [Unauthenticated]
Hello all, using the technique ..; I was able to bypass the protection mechanism to access the Tomcat Example Scripts hosted at https://███/. Steps to reproduce 1 - Open all URLs below inside your browser https://█████████/..;/examples/servlets/servlet/SessionExample | Will lead to Session...
Chaturbate: Password protected rooms total number of viewers disclosure to unauthorized members
Summary Password protected rooms are supposed to be completely private; no information should be exposed if you do not have the room's password, and the UI looks like this. F348826 However, through the following endpoint, it is possible to know the total number of viewers of the room even if it i...
U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA
I found out that https://█████/ was vulnerable to CVE-2020-3452. The IP has an SSL certificate pointing to ██████████ curl -kv https://███████/ Output; Server certificate: ███ Impact Anyone can read any file present on the server. System Hosts █████ Affected Products and Versions CVE Numbers...
Zomato: Lack of Password Confirmation for Account Deletion
Description: The issue in the Zomato Android application is that the user account can be deleted without confirming the user's password or re-authentication. Account removal is one of the sensitive parts of any application that needs to be protected; therefore removing an account should validate the...
HackerOne: Introspection query leaks sensitive graphql system information.
Summary: Introspection query leaks sensitive data. Introduction As we know, GraphQL was initially developed and used by Facebook as an internal query language, and so the features of GraphQL mostly revolve around internal and development areas. GraphQL executes queries using a type system with the...
1Password - Enterprise Password Manager: CSV Injection in shared passwords leads to complete Private Vault Exfiltration
Vulnerability description not provided...
Basecamp: Improper Cache Handling Allows Access to Post-Logout Pages
The report detailed how some browsers' bfcache allowed access to post-logout pages...
Node.js: Http request splitting
Hi, I came upon the following tweet today: https://twitter.com/YShahinzadeh/status/1039396394195451904 which details an HTTP request splitting vulnerability in NodeJS. You can confirm it with the following repro script: const http = require('http'); const server = http.createServer((req, res) =>...
FetLife: Google API key leaked to Public
Hi team, I found a bunch of endpoints that are leaking your Google API key. I tested the key and found it is vulnerable to the Geocode API. List of vulnerable endpoints https://ass0.fetlife.com https://ass2.fetlife.com https://app.fetlife.com https://ass1.fetlife.com https://ass3.fetlife.com...
Chaturbate: No rate limit in stats api token endpoint
Brute force on the statsapi endpoint to view the stats of a user Steps To Reproduce: 1. A Stats API token can be generated at https://chaturbate.com/statsapi/authtoken/ https://chaturbate.com/statsapi/?username=hackeronetestchat&token=vulnerable I've used my profile and my token to check brute force T...
h1-ctf: [h1-415 2020] SSRF in a headless chrome with remote debugging leads to sensible information leak
Summary: Converter is using headless Chrome with remote debugging by rendering a page where we have our name, with which we can get XSS that leads to SSRF. By using the remote debugging with that SSRF we can grab the info of all tabs in that Chrome, where we can get even the flag document. Steps To Reproduc...
Internet Bug Bounty: ActionView sanitize helper bypass with style
The Rails-html-sanitizer, which Rails ActionView also uses, failed to sanitize input when the style tag was allowed, leading to a potential XSS vulnerability. The vulnerability affected version 1.6.0 of the sanitizer and was addressed in version 1.6.1...
Liberapay: Cross site scripting (content-sniffing)
This type of XSS can only be triggered on, and affects, content-sniffing browsers. This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. This vulnerability affects the /sign-up URL encoded POST input sign-in.currency, which was set to USDG8OAI!+! The input is reflected inside a text element...
Zivver: XXE Injection through SVG image upload leads to SSRF
While uploading photos to my profile picture, I noticed that if I included an svg image, your server would parse and upload it to my profile. Through this, I explored more and found that this same functionality was also vulnerable to an XXE attack, where I could define my own entities, and your...
New Relic: Cache purge requests are not authenticated
Hello there, Anyone can issue a PURGE request for any resource and invalidate your caches. That can lead to increased bandwidth costs but also potential Denial of Service attacks. Proof Fetching the resource headers, we can see in the X-Cache that the resource was a HIT with X-Cache-Hits: 50: $...
Internet Bug Bounty: ActionView sanitize helper bypass with style and math
The Rails-html-sanitizer version 1.6.0 was affected by a vulnerability that could lead to a bypass of the sanitization process, resulting in potential cross-site scripting (XSS) attacks. The vulnerability was addressed in version 1.6.1...
Autodesk: Reflected XSS Vulnerability in SVG File at area-resources-stg.autodesk.com
A reflected cross-site scripting (XSS) vulnerability was found on files stored on an Autodesk AREA server. The vulnerability could have allowed an attacker to inject malicious JavaScript code when the files were viewed by users. Autodesk has fixed the vulnerability...
U.S. Dept Of Defense: 403 Forbidden Bypass at www.██████.mil
Hi team, I managed to bypass 403 forbidden pages in www.████████.mil Reproduce 1. Click https://www.████████.mil/███████ Example Forbidden page. If you click, you will be redirected to a 403 "forbidden" page. 2. But you can bypass this. 3. Type this command: curl -H "Content-Length:0" -X POST...
Hemi VDP: Cloudflare WAF Bypass - Origin IP Exposure
The Cloudflare WAF was bypassed, exposing an IP address belonging to a server operated by Hemi...
Dust: BAC – Bypass chatbot restrictions via unauthorized mention injection
The Gemini chatbot was found to have a vulnerability that allowed unauthorized users to bypass permission restrictions and interact with the chatbot. The vulnerability was discovered when a user manually edited the request by changing the "mention" and "configurationId" fields, which allowed them...