15291 matches found
Smule: Possible Subdomain Takeover For Inbound Emails
The affected URL email.smule.com pointed to sendgrid.net via a DNS CNAME record. As a result, a subdomain takeover was possible by registering the subdomain email.smule.com on Sendgrid...
curl: Incorrect Type Conversion in interpreting IPv4-mapped IPv6 addresses and below `curl` results in indeterminate SSRF vulnerabilities.
Vulnerability description not provided...
Internet Bug Bounty: CVE-2024-2398: HTTP/2 push headers memory-leak
A memory leak was found in libcurl when handling HTTP/2 push headers. The vulnerability was caused by libcurl's failure to properly release the allocated memory when aborting a server push due to the maximum allowed limit being exceeded. This could lead to denial of service due to memory exhausti...
Internet Bug Bounty: Ruby CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
Release note: https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/ The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be...
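Added example (Ruby, written for this page; a simplified re-implementation of the cookie-header split, not the stdlib `CGI::Cookie.parse` code): the old parser URL-decoded cookie names, so a cookie literally named `%5F%5FHost-session` came back as `__Host-session` and inherited the trust an application places in the `__Host-` prefix. The `CONSTRUCTED_COOKIE_HEADER` value is constructed for the example.

```ruby
require "uri"

# Old behaviour: both name and value were URL-decoded, so a cookie sent as
# "%5F%5FHost-session=..." came back under the name "__Host-session".
def parse_cookies_decoding_names(raw_cookie)
  raw_cookie.split(/;\s?/).each_with_object({}) do |pair, out|
    name, value = pair.split("=", 2)
    next if name.nil? || name.empty?
    out[URI.decode_www_form_component(name)] = URI.decode_www_form_component(value.to_s)
  end
end

# Fixed behaviour: the name is taken verbatim and only the value is decoded, so a
# "__Host-" / "__Secure-" prefix the application relies on cannot be forged by encoding.
def parse_cookies_raw_names(raw_cookie)
  raw_cookie.split(/;\s?/).each_with_object({}) do |pair, out|
    name, value = pair.split("=", 2)
    next if name.nil? || name.empty?
    out[name] = URI.decode_www_form_component(value.to_s)
  end
end

# Constructed Cookie header. A browser only accepts a real "__Host-" cookie from the
# origin itself over HTTPS, but a subdomain or plain-HTTP attacker can set one literally
# named "%5F%5FHost-session" and rely on the server decoding the name.
CONSTRUCTED_COOKIE_HEADER = "%5F%5FHost-session=attacker-chosen; theme=dark"

# Does the application-side view of the jar contain a cookie named "__Host-session"?
def prefix_spoofed?(parser)
  send(parser, CONSTRUCTED_COOKIE_HEADER).key?("__Host-session")
end
```

The fixed parser still decodes values, so nothing that legitimately depends on percent-encoded cookie values changes; only the name becomes opaque, which is what the prefix guarantee needs.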
HackerOne: Dangling cloud instance at vpn.inverselink.com
Summary: vpn.inverselink.com points to 54.202.130.246, which is currently serving a TLS certificate for Workday, Inc. This seems to indicate that the subdomain is no longer controlled by HackerOne. Optional: Supporting Material/References Screenshots % dig vpn.inverselink.com +short 54.202.130.24...
Nextcloud: [nextcloud.com] Control character allowed in Submit Question
Issue description: We found that the maximum length of the first and last name fields was not set to 32 characters at registration and to 1000 characters when using the profile update form. The attacker can use this method for a malware attack; the user will be redirected to a website that contains...
h1-ctf: H1 Hackyholidays CTF - The Grinch was defeated
The following writeup will underline all the steps and tools used to solve the 12 challenges of the H1 Holidays CTF. The theme of the competition was the Grinch. As can be read in the competition blog post https://www.hackerone.com/blog/12-days-hacky-holidays-ctf , the goal was to...
CS Money: ReDoS at wiki.cs.money graphQL endpoint (AND probably a kind of command injection)
Summary: The endpoint /graphql has a vulnerable query operation named "search", to which I can send a malformed regex parameter in order to turn the original regular expression into a regex bomb expression. + Payload with a "common" search, querying the value "AAA": query a searchq: "AAA", lang: "en"...
U.S. Dept Of Defense: Reflected XSS on ███████ page
Summary: The page at https://█████/NtMView.php is vulnerable to reflected cross-site scripting. Description: The page takes a user input in the form of a drop down list, then uses that text in the resulting page ███████ . An attacker can intercept the query to the page and insert an XSS payload, ...
Open-Xchange: [XSS] select/onchange in TinyMCE via set body
Hi. TinyMCE allows inserting . To set this content you need a special link: mailto:aaa?body=. Steps: 1. Go to compose mail 2. Insert URL: mailto:aaa?body=%3Cselect%20onchange%3D%22alertdocument.cookie%22%3E%3Coption%3E2%3C%2Foption%3E%3Coption%3E2%3C%2Foption%3E%3C%2Fselect%3E 3. Save mail 4. Open this ma...
Paragon Initiative Enterprises: [Critical] billion dollars issue
Hey, my name is El-Sisi; I also have a famous name, بلحه (Balaha), and I have found documents that confirm to you that GitHub Inc belongs to you. If you need these documents, give me a reward and I will give you the documents. Why am I doing this? Because my mother told me that if you see something like that you mu...
Nextcloud: Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11
Hi, I noticed that the redirect_uri used to redirect users to any location on the page passes all data into a "Location" header without any validation. The problem is that current PHP versions of Debian/Ubuntu (there seems to be a patch properly in place in other dists) actually built the...
Phabricator: Bypass auth.email-domains
Email addresses are stored as VARCHAR(128). However, Phabricator does not verify the length of an email address upon registration. This allows attackers to bypass the allowed email domains defined in auth.email-domains. Exploiting this is rather straightforward: get an email address of 128 characte...
Sandbox Escape: .NET Type Traversal Vulnerability
This issue was reported directly to Microsoft and has been resolved in MS14-009. https://technet.microsoft.com/library/security/ms14-009#ID0E3PCI...
Lichess: Improper Authentication Throttling Allows Attacker-Controlled Account Lockouts
The application lacks sufficient safeguards in its authentication throttling logic. It permits arbitrary users to trigger lockouts on any account by submitting multiple failed login attempts using a known or guessed username. Because the system does not verify the request origin or impose...
Snapchat: Delete anyone's content spotlight remotely.
A vulnerability was discovered in Snapchat's Spotlight feature that allowed anyone to delete another user's content remotely. By intercepting and modifying the delete request, an attacker could replace the ID parameter with that of another user's video, resulting in the deletion of their content...
Ruby: Path traversal in Tempfile on windows OS due to unsanitized backslashes
Hi team, Summary: We've noticed that both arguments basename and ext of Tempfile on Windows are vulnerable to a path traversal which could allow unintended file creation in arbitrary writable directories. Tempfile often has user control over either basename or ext or both. PoC irb(main):029:0...
Stripo Inc: Cross-Site WebSocket Hijacking Lead to Steal XSRF-TOKEN
The WebSocket handshake request was vulnerable to CSRF; the WebSocket content contained a lot of sensitive data for the user. It was like the PortSwigger Lab...
Open-Xchange: null dereference in `sieve_address_do_validate` (or redundant null check)
The function sieve_address_do_validate in file sieve-address.c dereferences error_r if address == NULL: *error_r = "null address"; return FALSE; and then later checks for it being NULL: if (error_r != NULL) *error_r = strcctx.error; So either there is a first null check missing, or the later ones are...
X (Formerly Twitter): Periscope iOS app CSRF in follow action due to deeplink
Summary: This issue is mainly in the Periscope iOS app: CSRF on the follow action using a deeplink. As in report 583987, the CSRF works on the iOS app. POC 1: QR code to follow a Periscope profile pscp://user/periscopeco/follow ███████ POC 2 by kunal94: /follow "CSRF DEMO" video █████████ Impact: CSRF Follow...
Mapbox: Stored XSS | api.mapbox.com | IE 11 | Styles name
On December 24, 2019, user @renekroka reported a stored XSS injection vulnerability on api.mapbox.com that affected users in Internet Explorer 11. An attacker could store XSS injections on Mapbox servers, and then exploit them in IE11 due to JSON responses not including the X-Content-Type-Options...
Semrush: User Controllable Cookie
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! User Controllable Cooki...
Yelp: Yelp.com is vulnerable to SWEET32 attack
Researchers have found a new attack against the 3DES-CBC cipher in TLS: they can decrypt customer data using a method called the SWEET32 Birthday Attack. This vulnerability has CVE-2016-2183 and a CVSS score of 5.0. This vulnerability can be found manually by simply using the nmap script nmap -Pn -p...
Internet Bug Bounty: BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
For certain inputs OpenSSL's BN_mod_exp function, which is used for RSA and Diffie-Hellman, can produce wrong results. The issue has been fixed by OpenSSL and rated moderate severity: https://openssl.org/news/secadv/20151203.txt A code example is here:...
Phabricator: SSRF vulnerability (access to metadata server on EC2 and OpenStack)
In bug 50537, haquaman reported an SSRF vulnerability in the meme creation section of Phabricator. Ticket T6755 was created and the HackerOne issue was closed as "Won't fix". T6755 states that "attackers can use the machine's ability to access the network, which may allow them to find services and...
U.S. Dept Of Defense: [XSS] Reflected XSS via POST request
A reflected XSS vulnerability was found on a subdomain of a website. The vulnerability was found in a POST request to a specific page, where the flddisplaytype parameter was vulnerable to XSS. Although a WAF was deployed on the endpoint to prevent such attacks, the payload was successfully...
U.S. Dept Of Defense: Wordpress Takeover using setup configuration at http://████.edu [HtUS]
A vulnerability was found in the WordPress 'setup-config.php' installation page, which allowed a malicious user to install WordPress in a remote MySQL database without valid credentials on the target system. This could lead to remote code execution and total system compromise, as well as other...
Internet Bug Bounty: Controllable read beyond bounds in lua_websocket_readbytes() [zhbug_httpd_126]
Greetings. I have found a read-beyond-bounds bug in lua_websocket_readbytes that permits an attacker to exfiltrate a controllable amount of heap data if the victim site runs a suitable Lua program. The bug is due to misuse of ap_get_brigade and apr_bucket_read. The following code from v2.4.53 assumes...
Nextcloud: Nextcloud update checks leaks information
Hi, I think this is more of a privacy concern than a security concern. However, I wanted to check here first. Please direct me to another suitable location if needed. It is in relation to https://github.com/nextcloud/server/blob/master/lib/private/Updater/VersionCheck.php#L78 This is sending sever...
GitHub Security Lab: Java : Add query for detecting Log Injection vulnerabilities
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-755: Query to detect Local Android DoS caused by NFE
This bug was reported directly to GitHub Security Lab...
Exodus: Exposed Configuration Files at https://www.exodus.io/keybase.txt
Summary: Username, uid information is present in txt file. Steps To Reproduce: 1. Open This link https://www.exodus.io/keybase.txt 2. Search for username, uid 3. You will get some usernames with uid. Impact This information may help attacker in further attacks...
Figma: Race condition while removing the love react in community files.
The researcher found that the server-side code for handling the "unlike" function for community pages was vulnerable to a race condition. While logically one person is only allowed to remove the one like they had, a hundred requests at the same time could allow one person to do a hundred unlikes...
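Added example (Ruby, written for this page, not Figma's code): an in-memory model of the "unlike" handler showing the check-then-act race the report describes beside an atomic version. `LikeCounter`, its method names and the `alice`/`bob` users are constructed for the example; the SQL analogy in the comments is the usual fix, not a quote from the report.

```ruby
require "set"

# In-memory model of one community file's likes.
class LikeCounter
  attr_reader :count

  def initialize(liked_by)
    @liked_by = Set.new(liked_by)
    @count    = @liked_by.size
    @lock     = Mutex.new
  end

  def liked?(user)
    @liked_by.include?(user)
  end

  def remove_like!(user)
    @liked_by.delete(user)
    @count -= 1
  end

  # Racy handler: the "does this user have a like?" check and the decrement are
  # separate steps, so a burst of identical requests can all pass the check first.
  def naive_unlike(user)
    return false unless liked?(user)   # check
    Thread.pass                        # window in which another request runs
    remove_like!(user)                 # act
    true
  end

  # Safe handler: delete-if-present and decrement are one critical section.
  # The SQL equivalent is DELETE of the like row followed by a decrement that runs
  # only when that DELETE reports exactly one affected row.
  def atomic_unlike(user)
    @lock.synchronize do
      return false unless @liked_by.delete?(user)
      @count -= 1
      true
    end
  end
end

# Fire n concurrent unlikes from the same user at a fresh counter; returns the final count.
def concurrent_unlikes(handler, n = 100)
  counter = LikeCounter.new(%w[alice bob])
  Array.new(n) { Thread.new { counter.public_send(handler, "alice") } }.each(&:join)
  counter.count
end

# Deterministic worst case for the racy handler: every request completes its check
# before any of them acts, which is the interleaving "a hundred requests at the same
# time" can produce. Starting from two likes, n=100 drives the count to -98.
def worst_case_naive(n = 100)
  counter = LikeCounter.new(%w[alice bob])
  verdicts = Array.new(n) { counter.liked?("alice") }          # all checks first...
  verdicts.each { |ok| counter.remove_like!("alice") if ok }   # ...then all acts
  counter.count
end
```

`concurrent_unlikes(:naive_unlike)` usually, but not always, ends below 1 because thread scheduling decides how many requests slip through the window; `worst_case_naive` pins that outcome down, and `concurrent_unlikes(:atomic_unlike)` always ends at 1.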
Mail.ru: HTTP-Response-Splitting leads to information disclosure (email, firstname, lastname) at https://tz.mail.ru
CRLF injection via GET parameters in tz.mail.ru. Client-side vulnerabilities in tz.mail.ru are not currently covered by the Bug Bounty program...
QIWI: account takeover https://qiwi.me
It was possible to take over a user account by sending a wrong code parameter in the /sms/confirm request. The problem is that the code had no relation to the current user session...
Node.js third-party modules: Path Traversal on Resolve-Path
The author of resolve-path told me that I can submit this here. The vulnerability was already reported to the author and got fixed! Module name: resolve-path, version: 1.3.3, npm page: https://www.npmjs.com/package/resolve-path Description: Resolve a relative path against a root path with...
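Added example (Ruby, written for this page; not the resolve-path module's code and not Ruby's Tempfile fix) covering both this report and the Tempfile report above: a root-confined path resolver and a temp-name check that treat `\` as a separator alongside `/`, so a Windows-style `..\..\` sequence cannot slip past a check that only looks for `../`. The function names and the `/srv/app/public` root are constructed for the example.

```ruby
# Treat both separators, so "..\" cannot bypass a check written for "../".
# On POSIX this also rejects file names that merely contain a backslash, which
# is the conservative choice for user-supplied names.
SEPARATORS = %r{[/\\]}

class PathTraversalError < ArgumentError; end

# Collapse "." and ".." with a stack; any ".." that would pop past the root is an escape.
def normalize_segments(relative)
  relative.split(SEPARATORS).each_with_object([]) do |seg, stack|
    case seg
    when "", "." then next
    when ".."
      raise PathTraversalError, "escapes root: #{relative.inspect}" if stack.empty?
      stack.pop
    else
      stack << seg
    end
  end
end

# Resolve `relative` against `root`; absolute paths, drive letters and NUL bytes are rejected.
def safe_resolve(root, relative)
  raise PathTraversalError, "NUL byte in path" if relative.include?("\0")
  raise PathTraversalError, "absolute path rejected" if relative.match?(%r{\A(?:[/\\]|[A-Za-z]:)})
  File.join(root, *normalize_segments(relative))
end

# Tempfile-style basename/ext must be a single path component: no separators at all,
# no ".." anywhere (deliberately stricter than needed), no NUL.
def safe_temp_name(basename, ext = "")
  [basename, ext].each do |part|
    if part.match?(SEPARATORS) || part.include?("..") || part.include?("\0")
      raise PathTraversalError, "separator, traversal or NUL in #{part.inspect}"
    end
  end
  "#{basename}#{ext}"
end

def escapes_root?(root, relative)
  safe_resolve(root, relative)
  false
rescue PathTraversalError
  true
end

def bad_temp_name?(basename, ext = "")
  safe_temp_name(basename, ext)
  false
rescue PathTraversalError
  true
end
```

After resolving, code that opens the file should still verify the canonical path (`File.realpath` once the file exists, or the parent directory's realpath before creation) starts with the root, since symlinks inside the root can point outside it.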
Internet Bug Bounty: putty pscp client-side post-auth stack buffer overwrite when processing remote file size
Not sure if this will qualify, but it may impact a pretty broad audience given the fact that PuTTY code is part of many other apps (FileZilla, ...) and it is the de facto standalone SSH client for Windows administrators besides OpenSSH/Cygwin. putty <= 0.66; affects putty versions dating back 9 years...
Internet Bug Bounty: out of bounds read crashes php-cgi
I found and disclosed CVE-2014-9427 to the PHP dev team on 17 December 2014 https://bugs.php.net/bug.php?id=68618 and a patch was committed on 30 December 2014 http://git.php.net/?p=php-src.git;a=commit;h=f9ad3086693fce680fbe246e4a45aa92edd2ac35 and the flaw is now fixed. Details of the flaw:...
Ionity GmbH: HTML injection in swagger UI
A vulnerability was discovered in the Swagger UI that allowed for HTML injection. This vulnerability existed because the application failed to properly sanitize user-supplied input before rendering it in the HTML context. An attacker could have exploited this issue to execute arbitrary scripts in...
Internet Bug Bounty: CVE-2022-28738: Double free in Regexp compilation
Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a “double free” vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from...
GitLab: Installing Gitlab runner with Docker-In-Docker allows root access
Summary: Installing a GitLab runner using the official documents: https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-socket-binding allows any user with access to GitLab CI to have root access on the GitLab Runner server. Steps to reproduce: Install the gitlab-runner binary using the official...
GitHub Security Lab: [Java] CWE-079: Query to detect XSS with JavaServer Faces (JSF)
This bug was reported directly to GitHub Security Lab...
Palo Alto Software: DNS Misconfiguration Leads to Subdomain Takeover - max1.liveplan.com
Summary: The issue happens due to using EC2 public DNS instead of Elastic IPs as the CNAME record. This report is similar to report 1069795. Misconfiguration - DNS Records json "host": "max1.liveplan.com", "resolver": "1.0.0.1:53" , "a": "54.68.121.128" , "cname":...
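Added example (Ruby, written for this page, not from any of the programs above) covering the three dangling-DNS reports in this list: the Smule CNAME to sendgrid.net, the HackerOne A record pointing at a cloud address now serving someone else's certificate, and the LivePlan CNAME to an EC2 public DNS name. It audits a set of records against an inventory of what the organisation still owns. The `example.com` names, the inventory sets, the suffix list and the `54.0.0.0/8` placeholder range are constructed for the example; the two IP addresses are the ones quoted in the reports.

```ruby
require "ipaddr"
require "set"

# CNAME targets on services where an unclaimed name can be registered by any customer.
# A hit is a takeover *candidate*: whether the target is actually unclaimed has to be
# confirmed against the service (its error page, or an attempt to add the hostname).
CLAIMABLE_SUFFIXES = %w[.sendgrid.net .github.io .herokuapp.com].freeze

# EC2 public DNS names follow the instance's current public address and are released
# when it stops, so a CNAME to one is a candidate regardless of the list above.
EPHEMERAL_CLOUD_DNS = /\Aec2-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.[a-z0-9-]+\.compute\.amazonaws\.com\z/

# Placeholder for the provider's published address ranges (constructed; load the real list).
CLOUD_RANGES = [IPAddr.new("54.0.0.0/8")].freeze

# Records as `dig +short` would report them; constructed for this example.
CONSTRUCTED_RECORDS = {
  "email.example.com" => { cname: "u1234.wl.sendgrid.net" },
  "max1.example.com"  => { cname: "ec2-54-68-121-128.us-west-2.compute.amazonaws.com" },
  "vpn.example.com"   => { a: "54.202.130.246" },
  "www.example.com"   => { a: "203.0.113.10" },
}.freeze

# Hypothetical inventory of what the organisation still controls.
OWNED_IPS     = Set["203.0.113.10"].freeze
OWNED_TARGETS = Set[].freeze

# Returns [name, finding, target] triples for one record.
def check_record(name, record, owned_ips:, owned_targets:)
  findings = []
  if (target = record[:cname]) && !owned_targets.include?(target)
    if target.match?(EPHEMERAL_CLOUD_DNS)
      findings << [name, :cname_to_ephemeral_cloud_dns, target]
    elsif CLAIMABLE_SUFFIXES.any? { |suffix| target.end_with?(suffix) }
      findings << [name, :cname_to_claimable_service, target]
    end
  end
  if (addr = record[:a]) && !owned_ips.include?(addr)
    ip = IPAddr.new(addr)
    if CLOUD_RANGES.any? { |range| range.include?(ip) }
      findings << [name, :a_record_to_unowned_cloud_ip, addr]
    end
  end
  findings
end

def audit_records(records, owned_ips:, owned_targets:)
  records.flat_map do |name, rec|
    check_record(name, rec, owned_ips: owned_ips, owned_targets: owned_targets)
  end
end
```

The A-record case is the one where the certificate check in the HackerOne report helps: an address in a cloud range that is not in your inventory and answers TLS with a stranger's certificate has been reassigned, and the record should be removed rather than left for the next tenant.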
Node.js: HTTP Request Smuggling due to accepting space before colon
Summary: The llhttp parser in the http module in Node 16.3.0 accepts requests with a space (SP) right after the header name, before the colon. This can lead to HTTP Request Smuggling (HRS). Description: When Node receives the following request: GET / HTTP/1.1 Host: localhost:5000 Content-Length : 5 hel...
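Added example (Ruby, written for this page; a toy header-block parser, not llhttp): three ways a hop can treat `Content-Length : 5`, and a check for the framing disagreement that makes smuggling possible. The "skip malformed" front-end behaviour is an assumption about a tolerant intermediary, not something the truncated report states; the header block is constructed from the request shape it quotes.

```ruby
# RFC 7230 field-name: one or more tchar, no whitespace before the colon.
TCHAR_NAME = /\A[!$%&'*+\-.^_`|~#0-9A-Za-z]+\z/

class MalformedHeader < StandardError; end

# Lenient parser (the llhttp behaviour the report describes): whitespace between the
# field name and the colon is stripped, so "Content-Length : 5" is Content-Length.
def parse_headers_lenient(block)
  block.each_line.each_with_object({}) do |line, h|
    name, value = line.chomp.split(":", 2)
    next if value.nil?
    h[name.strip.downcase] = value.strip
  end
end

# A tolerant front end that does not recognise "Content-Length " as a header name:
# the line is forwarded unchanged but ignored for framing, so this hop sees no body.
def parse_headers_skip_malformed(block)
  block.each_line.each_with_object({}) do |line, h|
    name, value = line.chomp.split(":", 2)
    next if value.nil? || !name.match?(TCHAR_NAME)
    h[name.downcase] = value.strip
  end
end

# Strict parser: reject the message, which is what RFC 7230 section 3.2.4 requires.
def parse_headers_strict(block)
  block.each_line.each_with_object({}) do |line, h|
    name, value = line.chomp.split(":", 2)
    raise MalformedHeader, line.chomp.inspect if value.nil? || !name.match?(TCHAR_NAME)
    h[name.downcase] = value.strip
  end
end

def content_length(headers)
  headers["content-length"]&.to_i
end

# Constructed from the request quoted in the report.
CONSTRUCTED_HEADERS = "Host: localhost:5000\r\nContent-Length : 5\r\n"

# Smuggling precondition: two hops disagree on where this request's body ends.
def framing_desync?(front_parser, back_parser, block = CONSTRUCTED_HEADERS)
  content_length(send(front_parser, block)) != content_length(send(back_parser, block))
end

def strict_rejects?(block = CONSTRUCTED_HEADERS)
  parse_headers_strict(block)
  false
rescue MalformedHeader
  true
end
```

With the skip-malformed front end and the lenient back end, the front end forwards `hel...` plus whatever follows as the start of the next request while the back end consumes five bytes of body; rejecting the line outright, as the strict parser does, removes the ambiguity at the first hop.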
GitHub Security Lab: [Java] CWE-1004: Query to check sensitive cookies without the HttpOnly flag set
This bug was reported directly to GitHub Security Lab...
WordPress: Stored XSS on Wordpress 5.3 via Title Post
I have identified a WordPress security vulnerability, a Stored XSS vulnerability that affects the latest version of WordPress 5.3. POC: 1. Log in to the WordPress website 2. Make a post with an XSS payload as the title, for example alertdocument.domain; 3. Publish, then open the post; the XSS will trigger. Impact: Can steali...
Nord Security: No Rate Limit On Forgot Password Page Of NordVPN
Introduction: A little bit about rate limiting: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP servers can respond with status code 429...
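Added example (Ruby, written for this page, not NordVPN's or Lichess's code) covering both this report and the Lichess lockout report above: a throttle for login and password-reset endpoints that counts failures per source address and per target account, answers 429 only to the abusive source, and turns pressure on one account into step-up verification plus a growing delay rather than a lockout that anyone who knows a username can trigger. The class, its thresholds and the injected clock are constructed for the example.

```ruby
class AuthThrottle
  Decision = Struct.new(:allowed, :reason, :delay_seconds)

  # per_source: hard ceiling on failures from one client address within the window.
  # per_target: failures against one account before step-up verification is demanded.
  # clock: injected so the window can be tested without sleeping.
  def initialize(per_source: 20, per_target: 5, window: 300, clock: -> { Time.now.to_f })
    @per_source, @per_target, @window, @clock = per_source, per_target, window, clock
    @by_source = Hash.new { |h, k| h[k] = [] }   # ip   => [failure timestamps]
    @by_target = Hash.new { |h, k| h[k] = [] }   # user => [failure timestamps]
  end

  # Call after a failed login or after a reset request for an account.
  def record_failure(source_ip, target_user)
    now = @clock.call
    @by_source[source_ip] << now
    @by_target[target_user] << now
  end

  # Call before processing a login or reset attempt.
  def check(source_ip, target_user)
    src = recent(@by_source[source_ip])
    tgt = recent(@by_target[target_user])
    if src >= @per_source
      # Only this client is refused (HTTP 429); other users of the account are unaffected.
      Decision.new(false, :source_rate_limited, nil)
    elsif tgt >= @per_target
      # Pressure on one account never locks it out: the owner can still sign in, but must
      # pass step-up (CAPTCHA, emailed code, existing MFA) and waits an exponential delay.
      Decision.new(true, :step_up_required, [2**(tgt - @per_target), 60].min)
    else
      Decision.new(true, :ok, 0)
    end
  end

  private

  # Drop failures older than the window and return how many remain.
  def recent(stamps)
    cutoff = @clock.call - @window
    stamps.reject! { |t| t < cutoff }
    stamps.size
  end
end
```

A per-target counter on its own is exactly the lockout primitive the Lichess report abuses; keeping it advisory (step-up and delay) while the per-source counter carries the hard refusal means the attacker who sprays one account from one address gets 429s, and an attacker spread across many addresses raises the cost for the victim without ever locking them out.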
Grammarly: Previously created sessions continue being valid after MFA activation
Hi team, I found one issue related to your 2FA system on https://account.grammarly.com/security POC: 1. Access the same account on https://account.grammarly.com on two devices 2. On device 'A' go to https://account.grammarly.com/security and complete all steps to activate the 2FA system. Now the 2FA is...
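Added example (Ruby, written for this page, not Grammarly's code): a session store that stamps every session with the user's security version and bumps that version when MFA is enabled, so sessions issued before enrolment stop validating while the device that performed the enrolment stays signed in. The class and its method names are constructed for the example.

```ruby
require "securerandom"

class SessionStore
  def initialize
    @security_version = Hash.new(0)   # user_id => bumped on MFA/password changes
    @sessions = {}                    # token => { user_id:, version: }
  end

  # A new session carries the user's security version at the time it was issued.
  def login(user_id)
    token = SecureRandom.hex(16)
    @sessions[token] = { user_id: user_id, version: @security_version[user_id] }
    token
  end

  # Enabling MFA invalidates every session issued before it, except the one that did
  # the enrolment, so the user is not thrown out of the device they are using.
  def enable_mfa(user_id, keep_token:)
    @security_version[user_id] += 1
    kept = @sessions[keep_token]
    kept[:version] = @security_version[user_id] if kept && kept[:user_id] == user_id
  end

  # A session is valid only if its version still matches the user's current one.
  def valid?(token)
    s = @sessions[token]
    !s.nil? && s[:version] == @security_version[s[:user_id]]
  end
end

# Two devices are signed in; device B might belong to someone who had the password
# before MFA was turned on. Returns [device A valid?, device B valid?].
def demo_mfa_revokes_old_sessions
  store = SessionStore.new
  device_a = store.login("u1")
  device_b = store.login("u1")
  store.enable_mfa("u1", keep_token: device_a)
  [store.valid?(device_a), store.valid?(device_b)]
end
```

The same version bump serves password changes and "sign out everywhere"; the comparison happens on every request, so no sweep of the session table is needed.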
Starbucks: Blind SQL Injection on starbucks.com.gt and WAF Bypass :*
Starting with a blind SQL Injection on http://www.starbucks.com.gt/menu/beverage/detail, @d3417 was able to dump schema on several database tables. Initially closed as N/A because of our exclusion on automated tools, reopened to investigate the data reported in the tables, and because the casual...
GitLab: SSRF vulnerability in gitlab.com webhook
1. Log in to your GitLab account and create a new project, then go to https://gitlab.com/username/project/settings/integrations 2. You can add a URL for SSRF. The following are the steps to reproduce: If you enter http://127.0.0.1:80/haha.txt as the URL, we will get "Hook executed successfully but returned...
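Added example (Ruby, written for this page, not GitLab's or Phabricator's code) covering this report and the Phabricator metadata-server SSRF above: validation of a user-supplied webhook URL that resolves the host and refuses loopback, private, link-local (the 169.254.169.254 metadata address) and IPv4-mapped IPv6 answers. The resolver is injected and its answers are constructed so the example runs offline; the `.test` hostnames are fictitious.

```ruby
require "ipaddr"
require "uri"

class SsrfRejected < StandardError; end

# Destinations a webhook must never reach: "this host", RFC 1918, CGNAT, loopback,
# link-local (incl. the cloud metadata service) and the IPv6 equivalents.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

def blocked_ip?(addr)
  ip = IPAddr.new(addr)
  ip = ip.native if ip.ipv4_mapped?   # ::ffff:127.0.0.1 is still loopback
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Validate a webhook URL. `resolver` maps a hostname to an array of addresses; in
# production use Resolv and then connect to the vetted address itself rather than
# re-resolving, or a DNS-rebinding attacker can swap the answer between check and use.
def vet_webhook_url(url, resolver:)
  uri = URI.parse(url)
  raise SsrfRejected, "scheme #{uri.scheme.inspect}" unless %w[http https].include?(uri.scheme)
  host = uri.hostname
  raise SsrfRejected, "missing host" if host.nil? || host.empty?
  addrs = ip_literal?(host) ? [host] : resolver.call(host)
  raise SsrfRejected, "unresolvable #{host}" if addrs.nil? || addrs.empty?
  addrs.each { |a| raise SsrfRejected, "#{host} -> #{a} is internal" if blocked_ip?(a) }
  [uri, addrs]
end

def webhook_url_allowed?(url, resolver:)
  vet_webhook_url(url, resolver: resolver)
  true
rescue SsrfRejected, URI::InvalidURIError
  false
end

# Constructed DNS answers; none of these names are looked up for real.
CONSTRUCTED_RESOLVER = lambda do |host|
  {
    "hooks.example.org"      => ["203.0.113.20"],
    "metadata.attacker.test" => ["169.254.169.254"],   # public name, internal answer
    "v6.attacker.test"       => ["::ffff:127.0.0.1"],  # IPv4-mapped loopback
  }[host]
end
```

Checking every resolved address (not just the first) and following redirects through the same check are both needed; a webhook target that answers 302 to `http://169.254.169.254/` otherwise gets the same reach as a direct entry.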