RubyGems: No limit of summary length allows Denial of Service
Currently, there is no limit for summary length. I think pushing a gem whose summary is huge will make gem search unavailable. This is not Arbitrary Code Execution, but really easy to attack. According to CVSS v3.0 Calculator, the severity is High 7.5. How to attack 1 An attacker creates a gem...
Weblate: Open SMTP port can let anyone send email from mail.chihar.com
An open SMTP port 587 can let anyone connect and send emails impersonating someone in your company if he could enumerate the email addresses. POC - 1. I performed an nmap scan and was able to find an open port 587 for SMTP 2. I did a netcat connection to it and was able to run commands such a...
OWOX, Inc.: Direct IP Access
I can access the website through its IP following its default port which is port 80 .. it means that the hacker can Execute a DDOS on your website.. Actual IP and Port accessible:: 104.155.10.15:80 just copy and paste it in URL address bar...
Nextcloud: Expired SSL certificate
I would like to inform you that the SSL certificate for www.nextcloud.org is expired at: 24. August 2016 15:03 Thanks...
Uber: Enumerating userIDs with phone numbers
Fyi, this is my second account since the other one r0t is limited to 4 reports and they are all in triage. So about this issue, when a user is on a trip and invites other users to split the fare, the server responds with info about his number, like: Name, UserID and his picture, and info about th...
Bumble: Password modification without knowing actual password & httpOnly bypass
Two issues: Session cookie is returned in HTML source code of /encounters page, which would allow an XSS attacker to steal it, even if httpOnly is activated. A secret value, present in HTML source code of some api.phtml pages, can be used to modify user's password without knowing actual one...
Zaption: Open redirect filter bypass
Hi, An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. It's possible to bypass your redirect filter using :...
Snapchat: Captcha Bypass in Snapchat's Geofilter Submission Process
Hi, Overview: Snapchat provides a form in which users can submit "Geofilters". These are filters which get applied to users snaps when they are in specific geolocations. The form https://www.snapchat.com/geofilters/submit.html allows for the submission of these "Geofilters" as an anonymous user...
Internet Bug Bounty: Adobe Flash Player FileReference Use-after-Free Vulnerability
Adobe Flash Player FileReference Use-after-Free Vulnerability ------------------------------------------------------------------ I. Summary Adobe Flash Player is prone to a vulnerability which leads to Use-after-Free. The FileReference Object which is used to access local files, when wrapped insi...
IBM: Exposed Logs and Bearer Tokens on Test Endpoint
Exposed Logs and Bearer Tokens on Test Endpoint were reported to IBM, analyzed, and have been remediated...
Nextcloud: Insecure randomness for default password in file sharing when password policy app is disabled
The password generation function used for protecting shared links in Nextcloud was using an insecure random number generator, which could allow an attacker to access the shared files without knowledge of the password...
GitLab: New /add_contacts /remove_contacts quick commands susceptible to XSS from Customer Contact firstname/lastname fields
Summary In Gitlab 15.0.0 a new Customer Relations feature was added that allows us to use quick actions to find the contact we wish to select. However, I noticed that if I set the contact's first name or last name to alertdocument.domain we can get the XSS to trigger when we are attempting to use...
Recorded Future: Storage of old passwords in plain text format
Summary: Server response from app.recordedfuture.com has old passwords for a logged in account in plain text format. Storage of passwords in any readable format or using weak hashes puts the account or system at great risk. What's interesting is how RecordedFuture stores multiple passwords not just...
Ian Dunn: Multiple server ssh usernames leaked in your github repository
hi security team, while searching on github, I have found multiple ssh usernames that belong to your organization are exposed in the organization github repository STEPS TO REPRODUCE:- 1. Go to this repository. you will see the leaked multiple server ssh usernames...
HackerOne: Information disclosure - Feedback is accessible on Public profile even after 'disallowed' at https://hackerone.com/settings/feedback
Summary: Hi team, I noticed one possible information disclosure scenario related to My Feedback managed at https://hackerone.com/settings/feedback Description: In current scenario even after unchecking the option "Show this blurb on my profile" I can access the feedback using one request POST...
curl: Proxy-Authorization header carried to a new host on a redirect
hi cURL team I am not entirely sure this is an issue, please feel free to close if it isn't. I noticed that when making an HTTP GET request with Proxy-Authorization header, together with the "-L" flag to follow redirects curl -H "Authorization-Proxy: Basic xxx==" http://host:8000 -L If the remote...
CS Money: Able to upload backgrounds before entering 2FA
Summary: Hi Team, I am able to see and use uploaded backgrounds and able to upload new ones without proper authentication of 2FA. I hope you remember this report 993786. Steps To Reproduce: 1. Login with a steam account and enable 2FA. 1. Now logout your account. Clear all the cookies. 1. Now aga...
GitHub Security Lab: Java : add fastjson detection. Improve RemoteFlowSource class, support SpringMvc
This bug was reported directly to GitHub Security Lab...
TikTok: HTML Injection on Company Name on Email
By changing the company name to any HTML code on the TikTok Creator Marketplace, an attacker could potentially use this to send phishing emails to users containing injected HTML payload. We thank @gnux for reporting this to our team and confirming the resolution!...
Stripo Inc: weak password policy in signup leads to account takeover
Summary: add summary of the vulnerability I create account with weak password Steps To Reproduce: add details for how we can reproduce the issue 1. I create account with weak password qwerty123 2- account create done without validation 3- it should have protected users from attack and have policy...
Brave Software: Arbitrary file download due to bad handling of Redirects in WebTorrent
Summary: Previously I reported 963155 how an attacker can trick user into downloading malicious files using ".save torrent" feature, In this report I am going to reproduce the same behavior but by abusing a different feature. Description While I was testing webtorrent on brave I noticed that...
h1-ctf: [H1-2006 2020] Exploiting multiple vulnerabilities to get hacker's payment ensured
Last week, Hackerone’s CEO Marten lost his credentials for BountyPay. A tweet from hackerone’s official twitter account asked for help from ethical hackers and bounty hunters to help the CEO recover his credentials and ensure May’s payments. As an active bug hunter on Hackerone, I decided to take...
h1-ctf: [H1-2006 2020] Multiple vulnerabilities leading account takeover
I'm posting flag and will send my write up upcoming days when I clear my mind after this rabbit holes! :D ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Impact Multiple vulnerabilities leading attacker to takeover any bounty pay user...
Nextcloud: Denial of Service by requesting to reset a password
Description: I believe that this is possible due to the brute force protection that makes all requests last for 30 seconds, which in this case is using all the PHP workers available in the pool, so the only way to defend yourself is setting up a limit or having a lot of resources. How to reproduce: I...
Kubernetes: Route53 Subdomain Takeover on test-cncf-aws.canary.k8s.io
Summary: I discovered that it was possible to takeover test-cncf-aws.canary.k8s.io by assigning a zone to that name with one of the following nameservers in Route53: test-cncf-aws.canary.k8s.io. 3600 IN NS ns-265.awsdns-33.com. test-cncf-aws.canary.k8s.io. 3600 IN NS ns-687.awsdns-21.net...
MyCrypto: URL is vulnerable to clickjacking
I'm not sure if this vulnerability is in scope or not, kindly if you don't accept this report please close it as informative or allow me to self close it thanks in advance Summary: URLs missing CSP headers are vulnerable to clickjacking. Steps To Reproduce: run the below code that I had...
Shopify: Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections
The following report intends to disclose a bypass for 416983. It's been found that removed staff members who had "Apps" permission can still modify flow app connection settings due to improper authorization. Description Signed URLs generated by Shopify Flow https://apps.shopify.com/flow use a...
Mail.ru: XSS via Cookie in Mail.ru
Unfiltered cookie content was used in DOM manipulation, leading to XSS possibility...
OLX: SQL Injection on https://www.olx.co.id
I found the SQL Injection on the website https://www.olx.co.id Affected URL : https://www.olx.co.id/ajax/buybundle/getbundle/ POC: 1 In this below request I got SQL injection vulnerability in location parameter post method POST /ajax/buybundle/getbundle/ HTTP/1.1 Host: www.olx.co.id User-Agent...
LocalTapiola: F5 BigIP Backend Cookie Disclosure
Basic report information Summary: The same issue was reported on www.myynti.lahitapiolarahoitus.fi by another reporter. It was fixed for that. But when I test the same issue on lahitapiolarahoitus.fi, it is also causing leakage of information. Description: I just identified F5 BigIP load balancers...
Nextcloud: Extremely simple way to bypass Nextcloud-Client PIN/Fingerprint lock
I'm sorry for my bad English, I'm German. How to reproduce this security bug. Step 1: Take a normal Android smartphone; maybe it also works on iOS, but I have not tested it yet. Step 2: Install the official nextcloud-client. Step 3: Set up nextcloud: Open the nextcloud app, tap on "Skip", enter the...
VK.com: Stored XSS in personal messages
Lack of data filtration, which leads to stored XSS in instant messenger service. Stored XSS in personal messages. The vulnerability exists due to the lack of filtering data which is taken from the META tags for demonstration preview of the site...
Nextcloud: Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/
Dear Next Cloud Security Team, I would like to report an issue. This is not a critical issue since it does not affect or even "touch" something sensitive that is stored at the server via the application. As a summary, this issue needs user interaction for exploiting the "target". So, based on thi...
Shopify: File name and folder enumeration.
Hello, An attacker can enumerate your sensitive files and folder such as configuration files name via the timezone parameter in cube.csv: GET...
Gratipay: The POODLE attack (SSLv3 supported) for https://grtp.co/
Websites that support SSLv3 and CBC-mode ciphers are potentially vulnerable to an active man-in-the-middle (MITM) attack. This attack, called POODLE, is similar to the BEAST attack and also allows a network attacker to extract the plaintext of targeted parts of an SSL connection, usually cookie dat...
U.S. Dept Of Defense: Reflected xss on https://█████████
The website was vulnerable to a reflected XSS attack due to a flaw in the check that verifies the validity of the redirect URL. Attackers could exploit this vulnerability to execute malicious scripts on the victim's browser, leading to potential account takeover, phishing, and other malicious...
IBM: Subdomain Takeover Affecting at vex.weather.com
Vulnerability description not provided...
Internet Bug Bounty: JWT audience claim is not verified
An improper authorization vulnerability existed in all versions of Argo CD starting with v1.8.2, allowing the API to accept certain invalid tokens due to the lack of validation of the audience claim in signed tokens. This could allow an attacker to use a stolen token intended for a different...
Internet Bug Bounty: Ruby - Regular Expression Denial of Service Vulnerability of Date Parsing Methods
Official report: https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/ CVE-2021-41817 Here are the details from the official article: Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular...
Acronis: IDOR vulnerability (Price manipulation)
Target: acronis.cz Steps to Reproduce 1. Go to acronis.cz 2. buy any product; in this case I am going to buy this https://www.acronis.cz/produkt/acronis-cyber-protect-home-office/ for test 3. fill up details 4. go to burpsuite, turn on intercept 5. click on buy now 6. check request in intercept, change pri...
UPchieve: Business logic error
Hi UPCHIEVE SECURITY TEAM I'm Anto Vulnerability : Business logic error There is no password verification while changing a password. Steps to Reproduce : 1. Go to https://hackers.upchieve.org/resetpassword. 2. Click the change password. 3. If your old password was ex: hacker and in new password...
Acronis: No Rate Limit On Forgot Password Page
Summary A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session or IP-address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP-Servers can respond with status code 429: To...
Clario: rXSS on https://mackeeperapp.mackeeper.com/landings/download-blue/
Summary: Found XSS on https://mackeeperapp.mackeeper.com/landings/download-blue/ PoC https://mackeeperapp.mackeeper.com/landings/download-blue/?affid=b450fb80-0136-11eb-a01d-50cf6001b201-zzb&epayId=;alertdocument.domain;//&guid=xxx Impact An attacker can run any malicious javascript code on a...
Revive Adserver: Reflected XSS on /admin/userlog-index.php
I found a reflected XSS attack on /admin/userlog-index.php. Revive-Adserver version is revive-adserver-5.1.0. - Go to...
Internet Bug Bounty: Some build dependencies are downloaded over an insecure channel (without subsequent integrity checks)
Summary: Build jobs mingw64 | openssl-1.1.1d and mingw32 | openssl-1.0.2u download dependencies from build.openvpn.net and www.oberhumer.com over an insecure channel (http, not https) and do not check their integrity in any way. This opens the door to person-in-the-middle attacks, whereby an attacke...
Weblate: Reset password cookie leads to account takeover
Hi, there are 3 issues in this report that lead to account takeover. 1- When the user requests a reset password link, the server sends a link to the user via email; whenever the user clicks on the link for the first time it redirects to the Reset password page, but if the user closes the browser or tab and clicks again ...
CS Money: Bypass restriction of member subscription to use custom background in https://3d.cs.money without prime subscription
Summary: In website https://3d.cs.money you need to subscribe prime to have a custom background for skin F999661 But with this vulnerability, we can use custom background without any fee required Steps To Reproduce: add details for how we can reproduce the issue - Grab a build of skin - Save it...
Bitwarden: Rate limits too low for email 2FA
NO RATE LIMIT ON 2FA CAN LEAD TO ACCOUNT COMPROMISE! 1. Create account on vault.bitwarden.com if you don't have one. 2. Setup 2FA via email 3. Logout and log in again. This time along with password you have to fill in the 2fa code which is sent to the email. 4. Type any random number, intercept request wit...
Dropcontact: Unrestricted File Upload on https://app.dropcontact.io/app/upload/
hi team, I found Unrestricted File Upload Vulnerabilities on https://app.dropcontact.io/app/upload/. Steps To Reproduce: 1. Create an account in https://app.dropcontact.io/app/ 1. go to https://app.dropcontact.io/app/upload/ 1. try to upload html file, you will see message only : .csv, .txt, .xl...
X (Formerly Twitter): Denial of Service [Chrome]
Hi Team, Summary: I encountered such an error while creating a new account: F903872 But I don't remember where I found this last point. I remember only when I was a new member. I created a url using the load %xx as in 500686 reports as follows. https://twitter.com/i/flow/%00 I got a result like t...