Nextcloud: Limitation of app specific password scope can be bypassed (NC-SA-2017-009)
Limitation of app specific password scope can be bypassed NC-SA-2017-009 Risk level: Low CVSS v3 Base Score: 3 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N CWE: Improper Authorization CWE-285 Description Improper session handling allowed an application specific password without permission to the files...
Nextcloud: Login Hints on Admin Panel
Hi, hope you are doing fine. I wanted to inform you regarding the enabling of the login hints on your wp-admin panel https://nextcloud.com/wp-login.php. Vulnerability: The admin panel shows very "specific" hint information if a hacker tries a brute-forcing attack. Steps to reproduce: 1. Navigat...
X (Formerly Twitter): Twitter iOS fails to validate server certificate and sends oauth token
Twitter on iOS newest two versions 6.62 and 6.62.1 are affected, other versions not tested. Tested independently on two different iPhone 6 with iOS version 9.3.3 and 9.3.5 without Jailbreak. The iPhones were without any mobileconfig profiles installed - no, we did not install any CA certificate in...
Nextcloud: Information Disclosure of .htaccess file in Private Server/Subdomain
@ahsantahir reported a missing permission check on an internal service allowing the extraction of the .htaccess file. We've fixed this by adjusting the Apache configuration and putting Basic Auth in front of the page. On request of the reporter this is disclosed limitedly. Non-Critical, small...
Informatica: [product360.informatica.com] Unauthenticated Apache Tomcat 8 Installation
The consultant identified that the affected URL and port leads to an unprotected default Apache X configuration; this service should be protected or removed if not required. The affected link is as follows: http://product360.informatica.com:8443/ Upon visiting the URL, the consultant was presente...
Phabricator: Passphrase credential lock bypass
mongoose :D Testing was performed on our own installed testing environment, with a standard installation and configuration of Phabricator. The Passphrase application has a feature where stored credentials can be locked. When you lock a credential, it claims "This credential will be locked and the...
Uber: OneLogin authentication bypass on WordPress sites via XMLRPC
When a user logs on one of your WordPress sites via OneLogin, the authentication plugin creates a new entry in the WordPress user database with the default password @@@nopass@@@. This wouldn't be a problem if the plugin disabled all normal WordPress authentication methods, but it doesn't. The...
Mail.ru: Admin panel access restrictions bypass [poll.mail.ru/admin/]
Access to http://poll.mail.ru/admin/ could be obtained. poll.mail.ru is not currently in the Bug Bounty scope, but reward was issued due to problem significance...
curl: SMTP Command Injection via CRLF in libcurl MAIL_FROM / MAIL_RCPT (lib/smtp.c)
Summary libcurl's SMTP implementation fails to properly sanitize CRLF sequences in user-controlled inputs passed via CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT. The function smtp_parse_address lib/smtp.c:277 extracts any data following the closing character as a raw suffix and incorporates it directly int...
Internet Bug Bounty: CVE-2022-23519: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)
The following is from: https://hackerone.com/reports/1656627 Intro The Rails HTML sanitizer allows setting certain combinations of tags in its allow list that are not properly handled. Similar to the report 1530898, which identified the combination select and style as vulnerable, my fuzz testing...
TikTok: Stored XSS in the ticketing system
A Stored Cross-Site Scripting XSS vulnerability was found on a TikTok Seller endpoint, which could have resulted in a JavaScript payload injected into the endpoint causing it to be executed within the context of the victim's browser. We thank @codeslayer137 for reporting this to our team...
Internet Bug Bounty: Read beyond bounds in mod_isapi.c [zhbug_httpd_41]
Greetings. I have found a read-beyond-bounds bug in httpd that arises from an apparent logic error. The bug is in /modules/arch/win32/mod_isapi.c, on lines 979 and/or 983, which use the length of the path to the ISAPI DLL |strlen(r->filename)| to index into the string specified by the ISAPI DLL itsel...
Unikrn: Open URL Redirection
Open URL Redirect Steps To Reproduce: 1 Go to the following link & register for a new account https://unikrn.com/██████ 2 After registering, it will redirect to example.com Reference: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet Impact The attacker can force the user to...
Liberapay: Login CSRF : Login Authentication Flaw on https://liberapay.com/
Description: There is no CSRF validation while logging in, which leads to login CSRF. An attacker can craft an HTML page containing information to have the victim sign into an attacker's account, where the victim may add sensitive payment information to the attacker's new account assuming he/she is logg...
U.S. Dept Of Defense: [████] SQL Injections on Referer Header exploitable via Time-Based method
Summary: SQL Injections on Referer Header exploitable via Time-Based method Description: https://owasp.org/www-community/attacks/SQL_Injection Impact https://owasp.org/www-community/attacks/SQL_Injection Step-by-step Reproduction Instructions First, vulnerable points:...
CS Money: Bypass Filter on link of build
Summary: Hello team, I found that a valid build will have a link with the following format https://3d.cs.money/item/0UkWN8vh2R If you save a build with /api/build/save, it will return a link to sync with your saved builds. The bug occurs when the web app syncs: you can customize the link of the build with...
Zomato: Solr Injection in `user_id` parameter at :/v2/leaderboard_v2.json
@zzzhacker13 identified a Solr Injection on the user_id parameter at :/v2/leaderboard_v2.json. Our team analyzed internally and found that only fq=injection was possible on the Solr endpoint, hence the Solr injection was of low impact since there was no way to escalate it to exfiltrate data, one...
U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA
Hey, I found out that host ████████.mil was vulnerable to CVE-2020-3452. You can test it by visiting the URL: https://██████████.mil/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portalinc.lua To try it with CURL please run the following command:...
h1-ctf: [H1-2006 2020] CTF write-up
Summary: Hello HackerOne team! I finally managed to solve this long but really nice CTF! Here is the flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$. You can access my writeup at https://diego95root.github.io/posts/H1-2006-CTF/. It's password protected, the password is the flag. Thank you so...
Imgur: self-xss with ClickJacking can leads to account takeover in Firefox
Description Hi, I think I found a valid chain of issues here. ClickJacking issue: I discovered that some endpoints permit framing imgur.com with some limitations, but even in this case it is possible to carry out a proof of concept. One of the cases is in the /all/ directory of...
h1-ctf: [H1-2006 2020] [Multiple Vulnerability] CTF Writeup - @abdilahrf_
As there is a private invite for the first 10 solvers, I am sending only the flag now: F851115. I will complete my writeup in the next comment. Impact Controlling martenmickos account...
BTFS: xss on bittorrent.com
Hi team, I realized there is an XSS bug on headers.php. https://www.bittorrent.com/scripts/site/headers.php?=1586521900793&callback= https://www.bittorrent.com/scripts/social/gettweet.php?=1586521900791&callback= It works on IE browsers. Impact fix them...
Mail.ru: Boolean-based SQL Injection on relap.io
Boolean/error based SQLi in relap.io due to insecure use of GET parameters...
HackerOne: Revoking user session in https://hackerone.com/settings/sessions does not revoke the GraphQL query session
Hi Team, Summary: I have found an Insufficient Session Expiration in the implementation of the new Revoke user session feature of HackerOne here: https://hackerone.com/settings/sessions Description: The new REVOKE session feature will destroy the session of the selected device, which means any request...
Semrush: Stored XSS in '' Section and WAF Bypass
Summary Stored Cross-site Scripting XSS is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores...
Grab: [growth.grab.com] Reflected XSS via Base64-encoded "q" param on "my.html" Valentine's microsite
Hi, An encoded injection in the q parameter on my.html can be used to reflect JavaScript in the growth.grab.com context. This microsite creates a "Grab's Valentine" card for a driver over the past year, and carries its data in Base64 format. Proof of concept Please visit the following URL, scroll...
Monero: remote access to localhost daemon, can issue jsonrpc commands
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: Remotely use...
Ubiquiti Inc.: CRLF Injection on openvpn.svc.ubnt.com
The researcher reported the vulnerability CVE-2017-5868 in one of our servers; it got promptly mitigated, since no official patch was available at the time of submission. Ubiquiti's employee VPN server was vulnerable to CVE-2017-5868, the issue was reported to them by me and quickly patched. Thank you...
Internet Bug Bounty: OOB write in MDC2_Update() (CVE-2016-6303)
An overflow can occur in MDC2_Update either if called directly or through the EVP_DigestUpdate function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate with a partial block then a length check can overflow resulting in a heap...
Internet Bug Bounty: Use After Free Vulnerability in unserialize()
https://bugs.php.net/bug.php?id=70172...
Internet Bug Bounty: Malformed ECParameters causes infinite loop
Malformed ECParameters causes infinite loop CVE-2015-1788 =========================================================== Severity: Moderate When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can...
U.S. Dept Of Defense: Email Takeover leads to permanent account deletion
The security vulnerability found allowed an attacker to change the email address of a victim's account, leading to the permanent deletion of the victim's account. The vulnerability was caused by improper authentication on the change email functionality...
Basecamp: Path traversal in deeplink query parameter can expose any user's private info to a public directory (one click)
The Basecamp mobile application was found to be vulnerable to a path traversal issue. By crafting a malicious deeplink with a specific "filename" parameter, an attacker could force the application to save user data to any directory on the device, including locations accessible to other applicatio...
HackerOne: Insecure Direct Object Reference (IDOR) Allows Viewing Private Report Details via /bugs.json Endpoint
The Insecure Direct Object Reference IDOR vulnerability allowed viewing private report details through the /bugs.json endpoint. Any private reports could be accessed by sending a POST request to the endpoint with the organization ID and a single-digit text query. This gave access to sensitive...
U.S. Dept Of Defense: Unauthenticated File Read Adobe ColdFusion
A vulnerability allowing unauthenticated arbitrary file read in Adobe ColdFusion was discovered. This could result in unauthorized access to sensitive data on affected systems. The vulnerability impacts ColdFusion versions 2021 Update 5 and earlier, and 2018 Update 15 and earlier. Mitigation is t...
Internet Bug Bounty: [CVE-2023-38546] cookie injection with none file
A vulnerability was found in the libcurl library. By duplicating an easy handle with cookies enabled but no cookies loaded, and a nonexistent cookie file specified, an attacker could potentially inject cookies into a program using libcurl if a file named "none" was present and readable in the...
Yelp: yelp.com and biz.yelp.com ATO via XSS + Cookie Bridge
The researcher discovered an XSS vulnerability on biz.yelp.com where the unverified email was reflected in a message, allowing for arbitrary JavaScript execution. This XSS was combined with Yelp's cookie bridge functionality to target other users, leaking HttpOnly session cookies and enabling...
Internet Bug Bounty: HTTP Request Smuggling via Empty headers separated by CR
The llhttp parser in the Node.js http module did not strictly use the CRLF sequence to delimit HTTP requests, which allowed for HTTP Request Smuggling HRS. This vulnerability affected all active versions of Node.js...
Acronis: mail.acronis.com is vulnerable to zero day vulnerability CVE-2022-41040
Hello Acronis team, Please run curl -ksL -m5 -o /dev/null -I -w "%{http_code}" "https://mail.acronis.com/autodiscover/autodiscover.json?Email=autodiscover/[email protected]&Protocol=ActiveSync" curl -ksL -m5...
Internet Bug Bounty: Time-of-check to time-of-use vulnerability in the std::fs::remove_dir_all() function of the Rust standard library
The implementation of std::fs::remove_dir_all in the Rust standard library is vulnerable to a time-of-check to time-of-use link replacement attack. This applies to all versions of Rust before 1.58.1. Vulnerability details The documentation of std::fs::remove_dir_all guarantees that the function does...
UPchieve: Full account takeover of any user through reset password
Summary: Hi Security team members, Usually, if we reset our password on https://app.upchieve.org, we get a password reset link by email. And through that password reset link, we can reset our password. But, I noticed that if we add another email in the forgot password request...
GitHub Security Lab: ihsinme: CPP Add query for CWE-570 detect and handle memory allocation errors.
This bug was reported directly to GitHub Security Lab...
Revive Adserver: Reflected XSS on /admin/stats.php
Linked to the report https://hackerone.com/reports/1083376 I found a reflected XSS attack on /admin/stats.php. Revive-Adserver version is revive-adserver-5.1.1. This time I found the parameter statsBreakdown - Go to...
Weblate: Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile]
Hi, there is a CSRF bug on your website that logs the user out of the dashboard. If the user clicks on the attached file CSRF.html, it redirects to another page, shows the following error, and the user is logged out immediately: F1029146 Steps to reproduce: 1- Login to your account via the login page 2- Click on...
Dropcontact: Information Disclosure through DEBUG at Subscription [https://app.dropcontact.io/app/subscription?connector=salesforce](CRITICAL)
We were displaying some system information in case of the app crashing...
lemlist: stored xss in app.lemlist.com
Hi there, I found a stored XSS on app.lemlist.com. Steps To Reproduce: 1. Go to https://app.lemlist.com/. 2. Create or edit campaigns. 3. Visit tab Buddies-to-Be. 4. Click Add one on the right top. 5. Fill in the input. 6. Add / Icebreaker and companyName. 7. Click create. POC F901411 Impact Stealing...
Kubernetes: Compromise of node can lead to compromise of pods on other nodes
Hi Kubernetes team, Summary: If an attacker manages to escape e.g. a privileged container and gains access to the underlying node, it can replace the Kubelet process listening on port 10250/10255 on the node. A fake Kubelet server issuing 301 redirects can trick 'kubectl' or other clients into...
Mail.ru: XSS on https://deti.mail.ru/
deti.mail.ru allowed to insert javascript: links into post content leading to self XSS possibility on message editing...
GitHub Security Lab: Go/CWE-643: XPath Injection Query in Go
This bug was reported directly to GitHub Security Lab...
Visma Bug Bounty Program: A user can view the name and number of a customer in another company if the GUID is known
An IDOR vulnerability exists in /api/internal/customerlabels/, allowing an attacker to add a label to a customer in another company if they have prior knowledge of the UUID. The result is that the name and number of the customer is shown in the attacker's context. As all objects in the API ar...