HackerOne reports, most viewed first

15289 matches found

Hacker One, added 2018/10/30 11:42 a.m., 93 views

Node.js third-party modules: Prototype pollution attack in node.extend

I would like to report a prototype pollution vulnerability in node.extend. It allows an attacker to inject properties on Object.prototype. Module: module name: node.extend; version: 2.0.0; npm page: https://www.npmjs.com/package/node.extend. Module Description: A port of jQuery.extend that actually...

CVSS 7.5 | AI score 1 | EPSS 0.00384 | Exploits 1
Hacker One, added 2018/08/23 6:18 p.m., 93 views

DuckDuckGo: SSRF on duckduckgo.com/iu/

Normally, a call to https://duckduckgo.com/iu contains a query parameter u with some path using the domain yimg.com. This call will succeed in most cases. F337121 And if we change that path to something like https://google.com it's rejected. F337118 However, it appears that the check that ensures...

AI score 0.2 | Exploits 0
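The DuckDuckGo entry above describes a host check on the u parameter of /iu that is meant to admit only yimg.com URLs. The block below is an added example, not DuckDuckGo's code: a naive substring check beside a hardened one that parses the URL, pins the scheme, refuses embedded credentials, and matches the parsed hostname as an exact or dot-separated suffix. The allowlist, function names and sample URLs are assumptions constructed for the demonstration.

```javascript
// Added example (not DuckDuckGo code): an image-proxy host check done two ways.
// The allowlist, the function names and the sample URLs are assumptions.
const ALLOWED_HOST_SUFFIXES = ['yimg.com'];

// Naive check: substring match on the raw parameter. Anything that merely
// contains the string passes, including attacker-controlled hosts.
function naiveCheck(u) {
  return u.includes('yimg.com');
}

// Hardened check: parse with the WHATWG URL parser, pin the scheme, refuse
// userinfo, and compare the parsed hostname against the allowlist as an exact
// match or dot-separated suffix. "yimg.com.evil.net", "evil.net/?yimg.com" and
// "yimg.com@evil.net" all fail; "s.yimg.com" passes.
function strictCheck(u) {
  let url;
  try {
    url = new URL(u);
  } catch {
    return false; // unparsable input is rejected, not guessed at
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  if (url.username || url.password) return false; // no credentials in proxied URLs
  const host = url.hostname.toLowerCase();
  return ALLOWED_HOST_SUFFIXES.some(s => host === s || host.endsWith('.' + s));
}

// Constructed sample inputs: one legitimate, the rest bypass attempts.
const SAMPLES = [
  'https://s.yimg.com/uu/api/res/1.2/x.jpg',
  'https://yimg.com.evil.net/x.jpg',
  'https://evil.net/x.jpg?ref=yimg.com',
  'https://yimg.com@evil.net/x.jpg',
  'http://169.254.169.254/latest/meta-data/#yimg.com',
];

// Returns, per sample, what each check decides.
function compare(samples = SAMPLES) {
  return samples.map(u => ({ url: u, naive: naiveCheck(u), strict: strictCheck(u) }));
}

if (typeof require !== 'undefined' && require.main === module) console.table(compare());
```

Only the first sample should be fetched; the naive check accepts all five because each contains the literal string, and the last one is the classic SSRF pivot to a cloud metadata address.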
Hacker One, added 2018/02/27 9:14 a.m., 93 views

Internet Bug Bounty: memory corruption while parsing HTTP response

In the network-interfacing PHP API file_get_contents, a mechanism is implemented to parse the HTTP/S response from the remote host. A vulnerability is found when the vulnerable PHP build processes certain malformed HTTP/S response packets, resulting in negative array indexing. Vulnerable code at:...

CVSS 7.5 | AI score 8.9 | EPSS 0.83066 | Exploits 3
Hacker One, added 2017/07/07 7:33 a.m., 93 views

Coinbase: Captcha Bypass in Coinbase SignUp Form

Vulnerability description: The g-recaptcha-response is not validated on the server side when submitting a Signup form to the endpoint. Any or no value can be provided for this header. Steps to reproduce: 1. https://www.coinbase.com/signup 2. Fill the input field and validate the captcha. 3. Turn on...

AI score 6.8 | Exploits 0
Hacker One, added 2017/07/02 11:04 a.m., 93 views

WakaTime: Missing Account Deletion Notification

Currently, there is no email notification sent out when the account is deleted. I understand it asks for the password to delete, but when an attacker somehow gets the credentials, he can only 'read' the user's data without alarming the user. It would stop him if he knows the user would come to know...

AI score 5 | Exploits 0
Hacker One, added 2017/06/30 9:44 p.m., 93 views

WakaTime: Session Not Expired On Logout

Hi Wakatime Security Team, There is a session management vulnerability in your website. i.e. user's session is not expiring immediately after the logout. You can get more information of the vulnerability here -...

AI score 6.7 | Exploits 0
Hacker One, added 2017/05/25 7:19 p.m., 93 views

Nextcloud: Shared file link - password protection bypass under certain conditions

Summary: An unauthenticated remote attacker can bypass password protection on certain shared file types through the file sharing app's publicpreview.php function. Vulnerable URL: http://server/nextcloud/index.php/apps/files_sharing/ajax/publicpreview.php?x=width&y=height&t=<share ID> Description...

CVSS 5 | AI score 0.5 | EPSS 0.003 | Exploits 1
Hacker One, added 2017/03/27 10:55 a.m., 93 views

Pornhub: Blind Stored XSS against Pornhub employees using Amateur Model Program

The researcher discovered a stored XSS attack vector via the amateur model settings page on Pornhub. I was able to turn Stored Self-XSS in the MPP Model Payment Program application input form field into the Blind Stored XSS without user interaction against employees who process the MPP...

AI score 5.8 | Exploits 0
Hacker One, added 2016/07/26 6:21 a.m., 93 views

Nextcloud: IDOR - Disable sharing

Description: ----- Users who are shared files or folders can disable this sharing. Detail: ------ + use request: DELETE /nextcloud/ocs/v2.php/apps/files_sharing/api/v1/shares/share-id?format=json HTTP/1.1 Host: your-host User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47....

CVSS 4 | AI score 0.4 | EPSS 0.00292 | Exploits 1
Hacker One, added 2016/02/13 4:31 a.m., 93 views

HackerOne: Null byte injection

Hi, I would like to report an issue that I have noticed in https://hackerone.com/users/signin?invitationtoken= . I am not sure if this is a valid security issue, but I have decided to report it anyway and see what you guys think. Details: - When you go to...

AI score 6.7 | Exploits 0
Hacker One, added 2015/04/15 12:00 a.m., 93 views

Internet Bug Bounty: invalid pointer free() in phar_tar_process_metadata()

https://bugs.php.net/bug.php?id=69443...

CVSS 7.5 | AI score 7.4 | EPSS 0.18407 | Exploits 1
Hacker One, added 2015/01/21 12:51 p.m., 93 views

Ruby on Rails: RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1

With the release of Ruby on Rails 4.2 the so called Web Console was introduced. As the Web Console documentation states: Web Console is built explicitly for Rails 4. By default the Web Console is available in the Rails Development Environment and allows only the IPs 127.0.0.1 and ::1 to access th...

AI score 0.2 | Exploits 0
Hacker One, added 2014/07/10 6:00 a.m., 93 views

HackerOne: Session Hijacking attack (Different Scenario)

Hey I was able to replay a cookie of a current active session and hijack that by replaying the cookie. Now this is different from any conventional vanilla session hijacking because it works even when the user is not logged in. But the condition is that the victim's session must be active at the...

AI score 0.6 | Exploits 0
Hacker One, added 2024/04/04 1:18 a.m., 92 views

Nextcloud: Weak ssh algorithms and CVE-2023-48795 Discovered on various subdomains of nextcloud.com

Security researchers discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol, known as Terrapin (CVE-2023-48795). This vulnerability could have allowed an attacker to downgrade the security of the secure channel. Weak SSH algorithms were also identified on various subdomai...

CVSS 5.9 | AI score 6.4 | EPSS 0.52998 | Exploits 4
Hacker One, added 2023/08/24 2:00 a.m., 92 views

Internet Bug Bounty: CVE-2023-40273: Session fixation in Apache Airflow web interface

A session fixation vulnerability was discovered in Apache Airflow web interface. This vulnerability allowed an authenticated user to continue accessing the webserver even after their password had been reset by the admin. The issue has been addressed in version 2.7.0 of Apache Airflow...

CVSS 8 | AI score 7.7 | EPSS 0.00275 | Exploits 0
Hacker One, added 2023/03/20 12:36 a.m., 92 views

U.S. Dept Of Defense: Sensitive Data Exposure via wp-config.php file

Sensitive data exposure occurred via the wp-config.php file, which contained confidential information such as MySQL and AWS credentials and various keys. The vulnerability was found on a specific endpoint, and it could potentially provide unauthorized access to sensitive information to users who ...

AI score 6.6 | Exploits 0
Hacker One, added 2021/07/24 3:15 p.m., 92 views

Shopify: Stored XSS in SVG file as data: url

A stored XSS vulnerability was discovered in Shopify's rich text editor on July 24, 2021. Attackers were able to insert an XSS payload encoded in an SVG file using data: URLs. The vulnerability was fixed by preventing the conversion of data: URLs into blob: URLs...

AI score 5.9 | Exploits 0
Hacker One, added 2021/07/02 9:52 p.m., 92 views

GitHub Security Lab: [Java] CWE-918: Added URLClassLoader and WebClient SSRF sinks

This bug was reported directly to GitHub Security Lab...

AI score 1.1 | Exploits 0
Hacker One, added 2021/06/25 10:01 a.m., 92 views

Glassdoor: Reflected XSS on https://help.glassdoor.com/GD_HC_EmbeddedChatVF

Hi there, I have found the XSS vulnerability at: https://help.glassdoor.com/GD_HC_EmbeddedChatVF Browsers tested: Firefox, Chrome, Edge latest version. Steps To Reproduce: Go to: https://help.glassdoor.com/GD_HC_EmbeddedChatVF?FirstName=l0cpd%22;a=alert,b=document.domain,a(b)// Supporting...

AI score 1.5 | Exploits 0
Hacker One, added 2021/06/22 10:50 p.m., 92 views

GitHub Security Lab: ihsinme: CPP Add query for CWE-783 Operator Precedence Logic Error When Use Bool Type

This bug was reported directly to GitHub Security Lab...

AI score 1.1 | Exploits 0
Hacker One, added 2021/05/30 8:49 p.m., 92 views

curl: CVE-2021-22922: Wrong content via metalink not discarded

Summary: When compiled --with-libmetalink and used with --metalink, curl does check the cryptographic hash of the downloaded files. However, the only indication that the hash was incorrect is a message displayed to the user. The files with incorrect hashes are left on the disk as-is. Since curl...

CVSS 4.3 | AI score 0.1 | EPSS 0.00146 | Exploits 1
Hacker One, added 2021/04/25 9:38 a.m., 92 views

U.S. Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI (CVE-2019-18935)

Description: https://██████/██████████/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system. References...

CVSS 7.5 | AI score 0.2 | EPSS 0.93655 | Exploits 19
Hacker One, added 2021/04/06 10:55 p.m., 92 views

U.S. Dept Of Defense: Sensitive data exposure via https://███████/jira//secure/QueryComponent!Default.jspa - CVE-2020-14179

Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. Impact...

CVSS 5 | AI score 2.1 | EPSS 0.92578 | Exploits 1
Hacker One, added 2021/01/04 2:22 a.m., 92 views

Logitech: Stored XSS on oslo.io in notifications via project name change

Hey Logitech team. Summary: It is possible for an editor on a project to rename a project to a malicious HTML element, which when opened in the notification dropdown will render and fire javascript. Steps To Reproduce: add details for how we can reproduce the issue 1. Invite user to join the...

AI score 1.1 | Exploits 0
Hacker One, added 2020/08/14 3:12 a.m., 92 views

HackerOne: Pentester can obtain information about other pentesters who applied for the same test, but weren't accepted

Hi team, I don't know your policy about pentesters, about their visibility on the platform, but I couldn't find any other pentesters before. 1 For example: GraphQL has the h1pentester attribute that would explicitly point us to the pentester, but if we make a query, it doesn't reveal the pentester ...

AI score 6.8 | Exploits 0
Hacker One, added 2020/07/28 10:03 p.m., 92 views

Shopify: Stored XSS in my staff name fired in another of your internal panels

Hi all, I had done lots of tests for bug bounty in my test store "trstore-3.myshopify.com", created about 4 years ago, and then one of your developers noticed that a stored cross-site scripting payload in my staff name fired in another of your internal panels. I have attached the email sent to me by your...

AI score 0.8 | Exploits 0
Hacker One, added 2020/06/04 1:27 p.m., 92 views

Open-Xchange: Panic in file smtp-address.c: line 684 (smtp_address_write): assertion failed: (smtp_char_is_qpair(*p))

Reproducer is running the test suite against file crash2.txt and getting the following output: ./src/testsuite/testsuite crash2.txt Test case: crash2.txt: testsuitecatena: Panic: file smtp-address.c: line 684 (smtp_address_write): assertion failed: (smtp_char_is_qpair(*p)) Abort trap: 6 Content of crash2.txt is...

AI score 0.7 | Exploits 0
Hacker One, added 2020/02/26 5:07 a.m., 92 views

Internet Bug Bounty: DirectoryIterator class silently truncates after a null byte

The bug submitted at: https://bugs.php.net/bug.php?id=78863 The security advisory at: https://nvd.nist.gov/vuln/detail/CVE-2019-11045 There's an issue with the SPL PHP extension in the spl_filesystem_object_construct function. When creating a new DirectoryIterator object, spl_filesystem_object_construct functio...

CVSS 4.3 | AI score 7.3 | EPSS 0.41483 | Exploits 1
Hacker One, added 2020/02/03 6:44 p.m., 92 views

Stripo Inc: Authorization for wp-admin directory is vulnerable to brute force.

The domain https://my.stripo.email, in the directory /wp-admin, is not limiting the number of requests to the authorization form; this leads to a brute-force attack, where the attacker is able to guess tons of passwords without getting blocked or having the password field locked. This attack makes it possib...

AI score 7.6 | Exploits 0
Hacker One, added 2019/11/16 11:57 a.m., 92 views

Stripo Inc: Able to change password by entering wrong old password

Vulnerability Name: Able to change password by entering wrong old password. Description: The password change mechanism which is located at https://my.stripo.email/cabinet//profile is insecure as the password can be changed without knowing the old password. Any unauthorized user can access the...

AI score 7.2 | Exploits 0
Hacker One, added 2019/09/16 7:54 a.m., 92 views

Node.js third-party modules: Path traversal using symlink

I would like to report Path Traversal in statics-server. Module: module name: statics-server; version: 0.0.9; npm page: https://www.npmjs.com/package/statics-server. Module Description: npm install statics-server -g. Go to the folder you want to statics-server. Run the server: statics-server. Module Stats...

CVSS 5 | AI score 1.4 | EPSS 0.00595 | Exploits 1
Hacker One, added 2019/09/05 3:25 a.m., 92 views

Central Security Project: OS Command Injection in Nexus Repository Manager 2.x(bypass CVE-2019-5475)

OS Command Injection in Nexus Repository Manager 2.x (bypass CVE-2019-5475). Maven artifact: groupId: org.sonatype.nexus.plugins; artifactId: nexus-yum-repository-plugin; version: 2.14.14-01. Vulnerability Description: The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. A...

CVSS 9 | AI score 0.4 | EPSS 0.796 | Exploits 5
Hacker One, added 2019/04/26 9:48 p.m., 92 views

Mail.ru: [authdl.mail.ru] Spoofing IP address

Client IP address could be spoofed via X-Forwarded-For headers in authdl.mail.ru. While no direct impact was identified, this issue could potentially lead to issues with logging, limitations or ABF protection...

AI score 3.5 | Exploits 0
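The X-Forwarded-For finding above is the usual one: the application reads the first address in the header, and the client writes that header. The block below is an added example, not Mail.ru's code: the naive reader beside one that starts from the TCP peer and walks the chain from the right only through addresses it knows to be its own reverse proxies. The proxy list and the sample requests are constructed.

```javascript
// Added example (not Mail.ru code): deriving the client IP from X-Forwarded-For.
// The naive version takes the first value, which the client supplies; the
// hardened version trusts only known reverse proxies and walks from the right.
// The proxy list and the sample headers are constructed.
const TRUSTED_PROXIES = new Set(['10.0.0.5', '10.0.0.6']);

// Naive: "the first address in XFF is the client". Anyone can prepend to it.
function clientIpNaive(remoteAddr, xff) {
  if (xff) return xff.split(',')[0].trim();
  return remoteAddr;
}

// Hardened: start from the TCP peer; while the current hop is a trusted proxy,
// step one entry left through the XFF chain. The first untrusted address is the
// client; anything further left is noise the client or earlier hops added.
function clientIpTrusted(remoteAddr, xff, trusted = TRUSTED_PROXIES) {
  const chain = xff ? xff.split(',').map(s => s.trim()).filter(Boolean) : [];
  let ip = remoteAddr;
  for (let i = chain.length - 1; i >= 0 && trusted.has(ip); i--) ip = chain[i];
  return ip;
}

// Constructed requests; the real client is 203.0.113.9 in every case.
const SAMPLES = [
  { remoteAddr: '10.0.0.5', xff: '203.0.113.9' },                    // honest client
  { remoteAddr: '10.0.0.5', xff: '127.0.0.1, 203.0.113.9' },         // client spoofs loopback
  { remoteAddr: '10.0.0.5', xff: '1.2.3.4, 203.0.113.9, 10.0.0.6' }, // two trusted proxies
  { remoteAddr: '203.0.113.9', xff: '127.0.0.1' },                   // direct hit, no proxy
];

// Returns what each reader concludes for each sample.
function compare(samples = SAMPLES) {
  return samples.map(s => ({
    naive: clientIpNaive(s.remoteAddr, s.xff),
    trusted: clientIpTrusted(s.remoteAddr, s.xff),
  }));
}
```

Rate limiting, anti-brute-force and audit logging should all key on the value the hardened reader returns; the direct-hit case shows why the peer address has to be consulted at all, since a request that never passed through a proxy carries an XFF the server must ignore entirely.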
Hacker One, added 2019/01/26 11:56 a.m., 92 views

Zomato: Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day

Summary: Using this vulnerability, a user can use his account to claim the Zomato Gold benefit several times in the same restaurant within one day. Description: Based on the Zomato Gold terms and conditions, Zomato Gold can be used only once at each partner restaurant in a day. But I think it doesn't work...

AI score 6.9 | Exploits 0
Hacker One, added 2019/01/12 12:46 a.m., 92 views

Internet Bug Bounty: imagecolormatch Out Of Bounds Write on Heap

The link to the PHP bug: https://bugs.php.net/bug.php?id=77270 This is possible to exploit in PHP 7.0.33 and 5.6.39. I used this vulnerability to write a local safe mode bypass exploit. It is possible to write up to 1200 bytes over the boundaries of a buffer allocated in the imagecolormatch...

CVSS 6.8 | AI score 9.1 | EPSS 0.87883 | Exploits 7
Hacker One, added 2018/02/14 9:13 a.m., 92 views

X (Formerly Twitter): CVE-2017-15277 on Profile page

Hi security team, Summary: Please refer to 302885 for more details. Uploading a .gif produces significantly different images every time which means the server is leaking information. Steps To Reproduce: 1. Clone https://github.com/neex/gifoeb 2. Generate exploitable gif with ./gifoeb gen 5120x512...

CVSS 4.3 | AI score 6.7 | EPSS 0.4848 | Exploits 4
Hacker One, added 2017/01/17 6:15 a.m., 92 views

Ruby: Parsing invalid unicode codepoints using json c extension (2.0.1+) triggers a segfault

Using the default json library packaged with Ruby, one can trigger a segmentation fault by submitting a string with a unicode escape sequence in the range between \ud800-\udbff (https://en.wikipedia.org/wiki/UTF-16#U.2BD800_to_U.2BDFFF). This can lead to a denial of service attack by segmentation...

AI score 7.7 | Exploits 0
Hacker One, added 2016/03/17 9:00 p.m., 92 views

Shopify: Shopify GitHub Login and Password exposed all private source code might be available.

Sello com.shopify.Sello https://itunes.apple.com/us/app/sello/id947038847?mt=8 ios Mobile Application Versions 1.0.1, 1.1, 1.1.2, 1.1.3, 1.2, Podfile left inside application exposes GitHub Password for Shopify. username: shopify-dep password: 1910c92631a81a4c41dafbf96d537e3f24506b11 Impact: Acces...

AI score 7.2 | Exploits 0
Hacker One, added 2016/02/19 6:25 p.m., 92 views

Zendesk: Stored XSS via Angular Expression injection on developer.zendesk.com

developer.zendesk.com is vulnerable to stored XSS via Angular template injection. To replicate: Browse to https://developer.zendesk.com Sign up with an arbitrary email address and the following name: {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}} Observe the popup. This is a stored...

AI score 0.6 | Exploits 0
Hacker One, added 2015/03/09 10:20 a.m., 92 views

HackerOne: Reflected File Download attack allows attacker to 'upload' executables to hackerone.com domain

Hi hackerone team, I'm a friend of Peiying and am looking for a position at hackerone. While playing around with your product, I found a serious vulnerability in your application: it allows attackers to craft executables on the hackerone.com domain rather than the sandboxed one on S3. 1. attacker...

AI score 0.6 | Exploits 0
Hacker One, added 2025/01/03 10:22 p.m., 91 views

Internet Bug Bounty: Deadlock in x86 HVM standard VGA handling

The Xen hypervisor contained a vulnerability in its handling of standard VGA memory accesses for HVM guests. The locking mechanism used had an unusual discipline that could lead to a deadlock when emulating an instruction with two memory accesses to VGA memory. The vulnerability was acknowledged ...

CVSS 6.5 | AI score 7 | EPSS 0.00275 | Exploits 0
Hacker One, added 2024/03/27 11:54 p.m., 91 views

Internet Bug Bounty: CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc

A remote code execution vulnerability was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. The vulnerability was caused by the lack of restrictions on the classes that could be restored when parsing .rdoc_options as a YAML file. Additionally, object injection and...

CVSS 4.5 | AI score 7.9 | EPSS 0.02532 | Exploits 0
Hacker One, added 2021/09/03 7:15 a.m., 91 views

Mail.ru: CVE-2020-11110: Grafana Unauthenticated Stored XSS -████.bizml.ru

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. PoC - Send the following HTTP request http POST...

CVSS 3.5 | AI score 5.4 | EPSS 0.54022 | Exploits 0
Hacker One, added 2021/07/02 9:52 p.m., 91 views

GitHub Security Lab: [Java] JShell Injection

This bug was reported directly to GitHub Security Lab...

AI score 1.1 | Exploits 0
Hacker One, added 2021/05/06 4:58 p.m., 91 views

Sifchain: Open S3 Bucket | information leakage

Hi, I found an open S3 bucket. - POC: aws s3 ls s3://amazon-eks/ Source: https://github.com/Sifchain/sifnode/blob/bebbe9883560bbde4f452f81a2d85bdbc243636a/deploy/rake/dependencies.rake#L21 regards oos Impact: information leakage...

AI score 6.9 | Exploits 0
Hacker One, added 2020/10/06 8:28 a.m., 91 views

Mail.ru: mrgs.my.games account takeover

A chain of different bugs and misconfigurations (invalid handling of array-like names in cookies, stored sessions with NULL ids) allowed logging in to mrgs.my.games with a few different accounts...

AI score 2.5 | Exploits 0
Hacker One, added 2020/06/04 4:28 a.m., 91 views

h1-ctf: [H1-2006 2020] CTF write-up

Hello, thank you for the awesome CTF! I definitely learned a lot. For now I will submit just the flag. I am going to follow up with the writeup as soon as possible. ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Kind regards, Alex - hackingfish Attached: A screenshot of the site which is showing the...

AI score 1.4 | Exploits 0
Hacker One, added 2020/04/01 10:46 p.m., 91 views

GitLab: Stored XSS in markdown when redacting references

Summary It's possible to inject arbitrary html into the markdown by abusing the ReferenceRedactorFilter. This is due to the data-original attribute allowing html encoded data to be stored, which is then extracted and used as the link content. If the original data already is html encoded then it...

AI score 0.4 | Exploits 0
Hacker One, added 2019/10/22 12:06 p.m., 91 views

Node.js third-party modules: Prototype pollution in dot-prop

I would like to report a parameter pollution in dot-prop. It allows an attacker to modify the prototype of a base object, which can vary in severity depending on the implementation (DoS, access to sensitive data, RCE). Module: module name: dot-prop; version: 5.1.1; npm page:...

CVSS 7.5 | AI score 0.3 | EPSS 0.00764 | Exploits 1
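The dot-prop entry above and the node.extend entry earlier on this page are the two common shapes of prototype pollution: a recursive extend that descends into a source key named __proto__, and a dotted-path setter that climbs through it. The block below is an added example, not node.extend's or dot-prop's code: a minimal vulnerable version of each beside a hardened version that refuses the keys reaching the prototype chain. Function names are assumptions; the attacker payloads are constructed.

```javascript
// Added example (not node.extend or dot-prop code): the two pollution shapes the
// reports describe, a recursive "extend" that walks into __proto__ and a dotted-
// path setter that does the same, each beside a hardened version. Names are assumptions.
const isObject = v => v !== null && typeof v === 'object';
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable deep extend: for a source key "__proto__", target["__proto__"]
// resolves to Object.prototype and the recursion writes into it.
function unsafeExtend(target, source) {
  for (const key in source) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      unsafeExtend(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: own keys only, refuse keys that reach the prototype chain, and only
// recurse into plain own properties of the target (never an inherited object).
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isObject(val)) {
      if (!hasOwn(target, key) || !isObject(target[key])) target[key] = {};
      safeExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Vulnerable dotted-path setter: "x.__proto__.polluted" climbs into the prototype.
function unsafeSetPath(obj, dottedPath, value) {
  const parts = dottedPath.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!isObject(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened: validate every path segment before touching the object.
function safeSetPath(obj, dottedPath, value) {
  const parts = dottedPath.split('.');
  if (parts.some(p => UNSAFE_KEYS.has(p))) throw new Error('refusing prototype key in path: ' + dottedPath);
  return unsafeSetPath(obj, dottedPath, value); // path is now free of prototype keys
}

// Runs each variant against attacker-controlled input and reports whether a
// brand-new, unrelated object inherited the injected property. Cleans up after itself.
function demo() {
  const probe = () => 'polluted' in {};
  const results = {};
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed attacker JSON

  unsafeExtend({}, payload);
  results.extendPolluted = probe();
  delete Object.prototype.polluted;

  safeExtend({}, payload);
  results.safeExtendPolluted = probe();

  unsafeSetPath({}, 'x.__proto__.polluted', 'yes');
  results.setPathPolluted = probe();
  delete Object.prototype.polluted;

  let threw = false;
  try { safeSetPath({}, 'x.__proto__.polluted', 'yes'); } catch { threw = true; }
  results.safeSetPathRejected = threw && !probe();
  return results;
}
```

JSON.parse is what makes the first payload work: it creates __proto__ as an ordinary own property, so the for-in loop sees it, while the read on the empty target goes through the inherited accessor and hands back Object.prototype. Building targets with Object.create(null) is a complementary defence for objects that only ever hold data.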
Hacker One, added 2019/09/10 6:29 p.m., 91 views

Node.js third-party modules: [reveal.js] XSS by calling arbitrary method via postMessage

I would like to report XSS in reveal.js It allows gaining access to the victim's account and performing actions on his behalf Module module name: reveal.js version: 3.8.0 npm page: https://www.npmjs.com/package/reveal.js Module Description A framework for easily creating beautiful presentations...

CVSS 4.3 | AI score 6.1 | EPSS 0.00534 | Exploits 1
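The reveal.js entry above describes a postMessage listener that invokes whatever method name the message carries. The block below is an added example, not reveal.js code: that dispatch pattern beside a hardened one that checks event.origin, routes only through an explicit table, and does not spread caller-supplied arguments into the call. The API object, its methods, the message format and the MessageEvent objects are all assumptions constructed so the example runs outside a browser.

```javascript
// Added example (not reveal.js code): a "call the method named in the message"
// postMessage handler beside a hardened one. The api object, the message format
// and the constructed events are assumptions for illustration.
const api = {
  next() { return 'next slide'; },
  prev() { return 'prev slide'; },
  // Not meant to be reachable from other origins: writes raw HTML into the page.
  setNotesHtml(html) { return 'rendered: ' + html; },
};

// Vulnerable: any window holding a reference to this one (an embedding page, an
// opener, a child frame) names any method on the object and passes any arguments.
function handleMessageUnsafe(event) {
  const data = JSON.parse(event.data);
  if (typeof api[data.method] === 'function') {
    return api[data.method].apply(api, data.args || []);
  }
  return undefined;
}

// Hardened: check event.origin against an allowlist, dispatch only through an
// explicit own-property table, and give the caller no control over arguments.
const ALLOWED_ORIGINS = new Set(['https://slides.example']);
const DISPATCH = {
  next: () => api.next(),
  prev: () => api.prev(),
};
function handleMessageSafe(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return undefined;
  let data;
  try { data = JSON.parse(event.data); } catch { return undefined; }
  if (!data || typeof data.method !== 'string') return undefined;
  if (!Object.prototype.hasOwnProperty.call(DISPATCH, data.method)) return undefined;
  return DISPATCH[data.method]();
}

// Constructed messages: one from the expected origin, one from a hostile embedder.
const BENIGN = { origin: 'https://slides.example', data: JSON.stringify({ method: 'next' }) };
const HOSTILE = {
  origin: 'https://attacker.example',
  data: JSON.stringify({ method: 'setNotesHtml', args: ['<img src=x onerror=alert(document.domain)>'] }),
};

// Feeds both messages to both handlers and returns what each call produced.
function demo() {
  return {
    unsafeBenign: handleMessageUnsafe(BENIGN),   // 'next slide'
    unsafeHostile: handleMessageUnsafe(HOSTILE), // the HTML sink is reached with attacker markup
    safeBenign: handleMessageSafe(BENIGN),       // 'next slide'
    safeHostile: handleMessageSafe(HOSTILE),     // undefined
  };
}
```

The own-property check on the dispatch table also closes the "constructor" and "toString" style names that an object literal inherits; an origin check alone would not help when the hostile page is one the presentation is legitimately embedded in, which is why the method allowlist is the load-bearing control.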
Total number of security vulnerabilities: 5000