Internet Bug Bounty: CVE-2023-36617: ReDoS vulnerability in URI (Ruby)
A ReDoS vulnerability was discovered in the URI component of the Ruby uri gem versions 0.12.1 and earlier. The vulnerability allowed for the mishandling of invalid URLs with specific characters, resulting in an increase in execution time for parsing strings to URI objects. This issue was a result...
HackerOne: [CVE-2022-44268] Arbitrary Remote Leak via ImageMagick
A Local File Inclusion vulnerability was discovered in an outdated version of ImageMagick used for image resizing on a website. An attacker could exploit this vulnerability by uploading a malicious PNG image, which would include the local file as content of the resized image in a hexadecimal...
U.S. Dept Of Defense: [U.S. Air Force] Information disclosure due unauthenticated access to APIs and system browser functions
Multiple information exposure vulnerabilities were found in a Jira Server instance, allowing unauthenticated attackers to access APIs and system browser functions, leading to unauthorized access to sensitive data. The vulnerability was registered as CVE-2020-14179...
MTN Group: Download full backup [Mtn.co.rw]
Summary: I discovered a few critical vulnerabilities here, one of them is exposed backup files via directory listing. Steps To Reproduce: go to https://mtn.co.rw/mtn.zip and download the file, extract the file and open it, you will see the full backup of the website. Similar report:...
8x8: Exposed kubernetes dashboard
The researcher found an exposed Kubernetes Dashboard. It was short lived as our developers were doing some testing and terminated the instance shortly after. The related instance did not contain anything sensitive...
MTN Group: CVE-2021-38314 @ https://www.mtn.ci
Summary: Hello. Your domain https://www.mtn.ci was vulnerable to CVE-2021-38314. Description: The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in...
GitHub Security Lab: Java: CodeQL query for unsafe RMI deserialization
This bug was reported directly to GitHub Security Lab...
curl: CVE-2021-22923: Metalink download sends credentials
Summary: When compiled --with-libmetalink and used with --metalink and --user curl will use the credentials for any further transfers performed. This includes different hosts and protocols, even ones without transport layer security such as http and ftp. As a result the credentials only intended...
Zego: Firebase Database Takeover in Zego Sense Android app
Hello Team, Summary: publicly available Firebase Database api-project-615509201590.firebaseio.com Platform Affected: android com.zegocover.zego Steps To Reproduce: in res/values/strings.xml https://api-project-615509201590.firebaseio.com POC: Go to...
Logitech: Stored XSS in [https://streamlabs.com/dashboard#/*goal] pages
Hey there, I have found a stored XSS vulnerability in the following goal settings pages. https://streamlabs.com/dashboard/followergoal https://streamlabs.com/dashboard/bitgoal https://streamlabs.com/dashboard/subgoal https://streamlabs.com/dashboard/tiltifydonationgoal...
Logitech: GET based Open redirect on [streamlabs.com/content-hub/streamlabs-obs/search?query=]
Summary: Description: in the following link, the parameter query is reflected in multiple places, one of them is in the tag in the head section of the HTML source; the reflection is in the content attribute, to be precise. Check the image below F983200. And I was able to break out of the content...
Node.js third-party modules: [supermixer] Prototype pollution
I would like to report a Prototype pollution in supermixer, It allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation. Module module name: supermixer version: 1.0.3 npm page: https://www.npmjs.com/package/supermixer Module Descriptio...
Topcoder: Post Based Reflected XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Summary: Hi: A POST-based reflected XSS occurs when creating bookmarks. Steps To Reproduce: The Title and Labels parameters are vulnerable to XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action. This form uses a POST request so I added the HTML file below. When someone...
Localize: Stored XSS in Name of Team Member Invitation
Hello team, I have found a stored XSS in add team member. Steps to reproduce: 1. Go to https://localizestaging.com/organization/team?filter=all 2. Click on add team member 3. In the name, enter payload: 4. and in the email add your victim's email 5. When they join the team the XSS will trigger. F701271 now...
Roblox: Insecure redirect rule results in bypassing ban redirect on certain pages
Description: Account bans on Roblox work via redirect rules. If a user attempts to go to a page that's outside a whitelisted set of rules, they'll be redirected back to the ban page. After researching, I've found that the following rules are whitelisted and bypass this redirect: - Any URLs ending in...
EXNESS: [com.exness.android.pa Android] Universal XSS in webview. Lead to steal user cookies
Details: Package: com.exness.android.pa Name: Exness Version: 1.7.5-real-release Description: A third-party app may use an exported activity to load any URL in the internal WebView. This leads to stealing cookies used in the trading app, including cookies of the payment system. Vulnerability description: The application has...
ExpressionEngine: Remote Code Execution in the Import Channel function
Hello, Administrators are allowed to import channels by visiting http://HOST/PATHTOEE/admin.php?/cp/channels/sets and uploading .zip archives that contain the information about the channels to be imported. The archives are then extracted into temporary directories, which are kept in the...
Nextcloud: IDOR unsubscribe Anyone from NextClouds Newsletters by knowing their Email
Hi Team, I was looking around your website and then I found a subdomain, newsletter.nextcloud.com. On the main page it shows us 3 options; I chose the 1st, which was "Subscribe to our newsletter". Then I clicked on this option and I was taken to https://newsletter.nextcloud.com/?p=subscribe&id=1 The page...
Coinbase: coinbase Email leak while sending and requesting
Due to a bug first reported by another researcher, when one coinbase user sent bitcoin to another coinbase user, the receiving user had the sending user's email address silently added to their contact list. While this does not raise PII exposure concerns under our Privacy Policy, we felt it was...
Slack: Bypass two-factor authentication
If a user has set 2FA, the user has to enter a verification code when trying to reset the password. Under the "Password Reset" page, a user can enter a wrong two-factor authentication code many times. I said "many times" because your bug bounty policy stated... Exclusions: Issues found through automated...
Cloudflare: Flash-based XSS in cdnjs.cloudflare.com subdomain
Hi, There's a Flash-based XSS on cdnjs.cloudflare.com. Proof-of-Concept: 1. Click on the link: https://cdnjs.cloudflare.com/ajax/libs/zeroclipboard/1.0.8/ZeroClipboard.swf?id=%22catcheif!self.aself.a=!alertdocument.domain//&width&height 2. You shall see a JavaScript alert() function executing in...
inDrive: SSRF in https://couriers.indrive.com/api/file-storage
A server side request forgery vulnerability was present in the url parameter of the https://couriers.indrive.com/api/file-storage endpoint, allowing arbitrary external websites to be requested and their content returned in responses...
Internet Bug Bounty: CVE-2023-30587 Process-based permissions can be bypassed with the "inspector" module.
A vulnerability in Node.js version 20 allowed for the bypassing of restrictions set by the --experimental-permission flag using the built-in inspector module. This vulnerability affected Node.js users who were using the permission model mechanism in Node.js 20...
curl: libssh backend CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 validation bypass
Summary: If libcurl is built against libssh, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 is quietly ignored. As a result an SSH connection will be established even if the SHA256 key set doesn't match. Steps To Reproduce: 1. configure libcurl with libssh and build it 2. curl --hostpubsha256 HOSTFINGERPRINTHERE...
U.S. Dept Of Defense: Host Header Injection on https://███/████████/Account/ForgotPassword
Dear DoD Team, I found one high-severity bug on another of your domains. This is from the Hack US Program. The affected domain is https://█████/ An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on...
QIWI: Account takeover just through csrf in https://booking.qiwi.kz/profile
Hello Team: after registering with any account, we can find that we can change the email in the profile to another one by just using a GET request https://booking.qiwi.kz/ajaxconfirmcontact?type=emailconfirmed&[email protected]&iframePopupMode=1 but without verification, an attacker can steal the account...
WHO COVID-19 Mobile App: Improper Input Validation on User's Location on PUT /WhoService/putLocation Could Affect Availability/Falsify Users
Summary: Note: I noticed that the team has fixed issues like an XSS that's caused only from a header value, typically OOS since it's not directly exploitable, https://github.com/WorldHealthOrganization/app/pull/855, so in the spirit of this I'm also reporting another "good-to-fix" issue. On th...
GitLab: Injection of `http.<url>.*` git config settings leading to SSRF
Summary: When importing a repo with credentials via a URL, gitaly generates the git clone command with a -c flag to add the Authorization header: https://gitlab.com/gitlab-org/gitaly/-/blob/master/internal/service/repository/create_from_url.go#L37 `flags = append(flags, git.ValueFlag{Name: "-c", Value:...`
Lark Technologies: Reflected XSS on Lark Suite
A reflected cross-site scripting (XSS) vulnerability was found at the Lark Suite log-in endpoint via the redirect_uri parameter which could have potentially allowed an attacker to inject malicious code. We thank @jin0ne for reporting this to our team and confirming the resolution...
Imgur: Password Reset Link not expiring after changing the email Leads To Account Takeover
Vulnerability: Password Reset Link not expiring after changing the email. Proof Of Concept: 1. Send the password reset link to your email. 2. Don't open the password link, just copy it and paste it into any editor. 3. Open your account. 4. Go to your account settings. 5. Under account, you will see Account...
HackerOne: DOM Based XSS in www.hackerone.com via PostMessage
Summary: The Marketo contact form available on the www.hackerone.com website is affected by a cross-site scripting vulnerability, caused by an insecure 'message' event listener installed on the page. Whilst this could allow an attacker to execute JavaScript in the context of the www.hackerone.com...
Valve: MySQL username and password leaked in developer.valvesoftware.com via source code disclosure
Hey there it looks like you are relying on a script that cleans up your backup process on developer.valvesoftware.com: /scripts/finalcleanup.sh: Remove files post cleanup rm -r $SITEPATH/data rm $SITEPATH/.sql rm $SITEPATH/.sql.gz rm $SITEPATH/.tgz rm $SITEPATH/.tar.gz rm $SITEPATH/.log rm -r...
Pornhub: Partial disclosure of Private Videos through data-mediabook attribute information leak
The researcher discovered a bug where the direct urls of private video thumbnails were leaked in the data-mediabook attribute of the cover image. There was a possibility to view the short version of any private video due to the leaking of direct URL in the data-mediabook attribute of the thumbnai...
Pornhub: Reflected XSS in login redirection module
The researcher discovered an XSS in the redirect parameter of the front controller which executes upon redirection...
Boozt Fashion AB: Host header poisoning leads to account password reset links hijacking
Hi, Issue Summary: While conducting my regular testing I discovered that the mobile version of the boozt.com application relies on the host header when constructing password reset links emailed to the user. Thus, an attacker can inject an arbitrary host header, which leads to password reset leakage...
Internet Bug Bounty: CVE-2016-0772 - python: smtplib StartTLS stripping attack
python smtplib starttls stripping attack affects: basically all versions of smtplib with starttls support and projects relying on it python 2.7.2 - 2.7.11 dates back 14 years python 3.0 - 3.5.1 dates back 7 years Python's implementation of smtplib fails to raise an exception upon an unexpected...
New Relic: No Rate Limitation on Promo Code
Hello, there is no rate limitation on entering a "promo code" while upgrading the subscription. An attacker can brute-force the promo code and could get a lot of benefits with that. https://rpm.newrelic.com/accounts/XXXXXXX/products I have tested this bug by attempting 500+ invalid promo codes, and g...
X (Formerly Twitter): DOMXSS in Tweetdeck
Hi, I would like to report a DOMXSS issue in TweetDeck. Details: In TweetDeck, a tweet contains info on what client app the user used to send the tweet. The render process is vulnerable to DOMXSS. In https://ton.twimg.com/tweetdeck-web/web/dist/bundle.6f91b4e832.js, the following line is responsib...
Concrete CMS: https://concrete5.org ::: HeartBleed Attack (CVE-2014-0160)
Pls see attachment files for details: python ssltest.py concrete5.org 443|more impact: critical, pls patch it ASAP References: https://www.openssl.org/news/secadv20140407.txt http://heartbleed.com https://github.com/openssl/openssl/commit/96db9023b881d7cd9f379b0c154650d6c108e9a3 g4mm4...
Internet Bug Bounty: important: Apache HTTP Server weakness with encoded question marks in backreferences (CVE-2024-38474)
The Apache HTTP Server versions 2.4.0 through 2.4.59 were affected by a substitution encoding issue in mod_rewrite that allowed attackers to execute scripts in directories permitted by the configuration, but not directly reachable by any URL, or disclose the source of scripts meant to be executed ...
Teleport: SSRF in region parameter that leads to AWS Teleport role AWS account takeover
You have an Integration page in Teleport where one of the options is AWS OIDC which will allow people in Teleport to add resources fluently without actually having initial access to these resources or installing any agents on them. You will need to have connected and ready OIDC integration with A...
TikTok: Lynxview JS interfaces Takeover via deeplink traversal
The application had vulnerabilities that could have allowed the takeover of JavaScript interfaces via the application's exposed Webview. The issues were only present in older versions of the Android application and were addressed after the researcher reported them to the team...
Mozilla: DOS via cache poisoning on [developer.mozilla.org]
A vulnerability was discovered on the developer.mozilla.org website that allowed an attacker to perform a denial-of-service (DoS) attack by adding an "X-Forwarded-Host" header with a value causing a 404 error. The website's cache configuration allowed the error response to be saved and served to...
Internet Bug Bounty: Ruby's CGI library has HTTP response splitting (HTTP header injection), leaking confidential information
A vulnerability was found in Ruby's CGI library that allowed an attacker to inject a malicious HTTP response header and/or body if an application used untrusted user input to generate HTTP responses. The vulnerability was fixed in version 0.3.5, 0.2.2, and 0.1.0.2 of the cgi gem...
Khan Academy: S3 bucket takeover [learn2.khanacademy.org]
The subdomain learn2.khanacademy.org was pointed to Amazon S3, but no bucket with that name (learn2.khanacademy.org) was registered. This meant that anyone could sign up for Amazon S3, claim the bucket as their own and then serve content. Steps to reproduce: Check the following url:...
Internet Bug Bounty: Leak of sensitive values to Airflow rendered template
I'm just getting started with Airflow, but seem to have got into a situation where sensitive values (e.g. connection passwords) end up in my task's rendered template. Here's how my DAG starts, having set up a connection called "secret" with a password specified: t1 = BashOperator...
Reddit: api keys leaked
Summary: Disclosure of valid private keys may lead to unauthorized access to any systems that use them for authentication. Verify whether any keys disclosed are actually valid, and whether their disclosure within the application is appropriate Impact: Disclosure of valid private keys may lead to...
GitHub Security Lab: [C#]: Deserialization sinks
This bug was reported directly to GitHub Security Lab...
HackerOne: Disclosure handle private program with external link
Summary: Hi team. It looks like we can identify private programs that have an external link. Steps To Reproduce 1. http POST /graphql HTTP/1.1 Host: hackerone.com Connection: close Content-Length: 168 accept: */* X-Auth-Token: yourtoken User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64...
U.S. Dept Of Defense: Reflected XSS - https://███
Greetings, I just found an XSS vulnerability on a page of one of your websites. URL: https://████=%22%3E%3Cscript%3Ealert1%3C/script%3E https://███="alert1 By the way, could you look at my "duplicated" report when it is not? I don't mean any disrespect, but this is not the same page. Thank you -...