MTN Group: Wordpress users Disclosure [ /wp-json/wp/v2/users/ ] Not Resolved ()
On this report (735586) you closed the report and changed the status to Resolved. But it's not resolved; the bug is still there. URL: https://www.mtn.com/wp-json/wp/v2/users/ Sorry to say this, but I can still reproduce this issue. Please remove /wp-json/wp/v2/users/ if your domain doesn't use it...
Rocket.Chat: Rocket.Chat Server RCE
Vulnerability description not provided...
Internet Bug Bounty: CVE-2022-32206: HTTP compression denial of service
curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited...
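The report above describes an unbounded "decompression chain". The following is an added example, not curl's code, showing the shape of the fix: parse the Content-Encoding list, refuse it up front when it exceeds a small fixed bound (curl's fix used 5 links; MAX_LINKS here is a constructed constant), and only then undo the codings in reverse order. make_chained_response() builds the kind of body a hostile server would send.

```python
"""Bounded HTTP Content-Encoding chain decoder (added example, not curl code)."""
import gzip
import zlib

# Constructed bound. curl's fix for CVE-2022-32206 caps the chain at 5 links;
# without a bound a server can send "gzip, gzip, gzip, ..." indefinitely.
MAX_LINKS = 5


class DecompressionChainTooLong(Exception):
    """Raised when Content-Encoding lists more codings than we are willing to undo."""


def parse_content_encoding(header_value):
    """Split the RFC 7231 list syntax 'gzip, Deflate , gzip' into ['gzip', 'deflate', 'gzip']."""
    return [tok.strip().lower() for tok in header_value.split(",") if tok.strip()]


def decode_body(body, content_encoding, max_links=MAX_LINKS):
    """Undo the codings in reverse order of application, refusing over-long chains first."""
    codings = parse_content_encoding(content_encoding)
    if len(codings) > max_links:
        raise DecompressionChainTooLong(
            f"{len(codings)} codings listed, limit is {max_links}")
    for coding in reversed(codings):
        if coding in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif coding == "deflate":
            body = zlib.decompress(body)  # zlib-wrapped deflate, the common server form
        elif coding == "identity":
            continue
        else:
            raise ValueError(f"unsupported content-coding: {coding}")
    return body


def make_chained_response(payload, links):
    """Build what a malicious server would send: payload gzip-compressed `links` times,
    plus the matching Content-Encoding header value."""
    body = payload
    for _ in range(links):
        body = gzip.compress(body)
    return ", ".join(["gzip"] * links), body


def chain_is_rejected(payload, links, max_links=MAX_LINKS):
    """True if a chain of `links` gzip layers is refused by decode_body()."""
    header, body = make_chained_response(payload, links)
    try:
        decode_body(body, header, max_links)
    except DecompressionChainTooLong:
        return True
    return False


if __name__ == "__main__":
    hdr, body = make_chained_response(b"hello, world", 3)
    print(decode_body(body, hdr))        # b'hello, world'
    print(chain_is_rejected(b"x", 50))   # True
```

The check runs before any decompression work is done, so a hostile server pays for building the chain while the client pays nothing beyond parsing one header.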
Internet Bug Bounty: CVE-2022-27781: CERTINFO never-ending busy-loop
Published Advisory: https://curl.se/docs/CVE-2022-27781.html Original Report: https://hackerone.com/reports/1555441 Impact Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information...
U.S. Dept Of Defense: [CVE-2021-29156] LDAP Injection at https://██████
Description: https://█████ is vulnerable to CVE-2021-29156 References https://hackerone.com/reports/1278050 https://nvd.nist.gov/vuln/detail/CVE-2021-29156 https://portswigger.net/research/hidden-oauth-attack-vectors...
GitHub Security Lab: [codeql-go]: Add CWE-79: HTML template escaping passthrough
This bug was reported directly to GitHub Security Lab...
Concrete CMS: Phar Deserialization Vulnerability via Logging Settings
Vulnerability Description: The vulnerable code is located within the concrete/controllers/single_page/dashboard/system/environment/logging.php script. Specifically, in the Logging::update_logging method: public function update_logging() { $config = $this->app->make('config'); $request = $this->request; if...
curl: CVE-2020-8284: trusting FTP PASV responses
Summary: The issue here arises from the fact that curl has the option CURLOPT_FTP_SKIP_PASV_IP disabled by default. As a result, an attacker controlling the URL used by curl can perform port scanning on behalf of the server where curl is running. This can be achieved by setting up a custo...
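As an added example (not curl's code), the following parses an FTP 227 PASV reply both ways: trusting the IP the server advertises, which is the behaviour the report above abuses, and ignoring it in favour of the control connection's host, which is what CURLOPT_FTP_SKIP_PASV_IP does. The reply string and IP addresses are constructed.

```python
"""Parse an FTP 227 PASV reply with and without trusting the advertised IP
(added example, not curl code)."""
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" - six decimal octets.
PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply, control_host, skip_pasv_ip=True):
    """Return (host, port) for the data connection.

    skip_pasv_ip=False: connect to whatever IP the server put in the reply, so a
    hostile server can point the client at arbitrary hosts and ports (the
    CVE-2020-8284 behaviour, CURLOPT_FTP_SKIP_PASV_IP off).
    skip_pasv_ip=True: take only the port from the reply and reuse the host the
    control connection already went to.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = PASV_TUPLE.search(reply)
    if not m:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not connectable")
    advertised = f"{h1}.{h2}.{h3}.{h4}"
    host = control_host if skip_pasv_ip else advertised
    return host, port


def pasv_redirects_elsewhere(reply, control_ip):
    """True when the advertised data IP differs from the control connection's IP,
    i.e. trusting it would turn the client into a port-scan proxy."""
    advertised, _ = parse_pasv_reply(reply, control_ip, skip_pasv_ip=False)
    return advertised != control_ip


if __name__ == "__main__":
    # Constructed reply from a hostile server; 19*256 + 136 = 5000.
    reply = "227 Entering Passive Mode (10,0,0,5,19,136)"
    print(parse_pasv_reply(reply, "198.51.100.7", skip_pasv_ip=False))  # ('10.0.0.5', 5000)
    print(parse_pasv_reply(reply, "198.51.100.7"))                      # ('198.51.100.7', 5000)
    print(pasv_redirects_elsewhere(reply, "198.51.100.7"))              # True
```

A client behind NAT genuinely needs the skip behaviour for correctness too, since the server's view of its own address is often unusable; that is why ignoring the advertised IP is safe to make the default.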
Showmax: WordPress admin is accessible without HTTP authentication
The wordpress instance stories.showmax.com is a complementary system of the Showmax platform. We enforce 2FA for all user accounts that have access to the administration and that's why we decided not to require Basic Auth and/or IP whitelisting for it...
Kubernetes: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements
This bug report mostly concerns the default CNI plugins https://github.com/containernetworking/plugins but I believe affects many K8S clusters. Because the CNI team still doesn’t provide an explicit way to report security bugs, I hope the K8S security team doesn’t mind doing the coordination job...
HackerOne: Account creation with invalid email addresses / email is accepting % and %0d%0a line termination chars
An account creation vulnerability was found where invalid email addresses containing '%' and '%0d%0a' line termination characters were accepted, allowing multiple unverified accounts to be created...
Node.js third-party modules: [express-laravel-passport] Improper Authentication
I would like to report Improper Authentication in express-laravel-passport It allows to forge user's identity Module module name: express-laravel-passport version: 1.1.2 npm page: https://www.npmjs.com/package/express-laravel-passport Module Description You want a middleware support express get...
Node.js: HTTP header values do not have trailing OWS trimmed
I suspect I may have tagged the wrong vulnerability type - I'm failing to find "insufficient validation of user input". According to the HTTP spec, HTTP values are field-value = field-content | LWS. http_parser does not appear to trim trailing LWS. This means if a user sends "Host: foo\r\n" the strin...
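To make the point above concrete, here is an added example (not Node's http_parser) of a header-line parser that keeps trailing optional whitespace beside one that trims it per RFC 7230 §3.2.4 and also rejects whitespace between the field name and the colon, which the RFC says must not be repaired. The header lines are constructed.

```python
"""HTTP header field parsing with and without trailing-OWS trimming
(added example, not Node's http_parser)."""
import re

# RFC 7230 §3.2.6 token characters: a field-name must match this exactly.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
OWS = " \t"  # RFC 7230 §3.2.3 optional whitespace: SP / HTAB only


def parse_header_untrimmed(line):
    """Behaviour described in the report: 'Host: foo \\r\\n' -> ('host', 'foo ')."""
    name, sep, value = line.rstrip("\r\n").partition(":")
    if not sep:
        raise ValueError("missing ':'")
    return name.lower(), value.lstrip(OWS)


def parse_header(line):
    """RFC 7230 §3.2.4: field-value excludes leading and trailing OWS;
    no whitespace is allowed between field-name and ':'."""
    name, sep, value = line.rstrip("\r\n").partition(":")
    if not sep:
        raise ValueError("missing ':'")
    if not TOKEN.match(name):
        # 'Host : foo' is rejected rather than fixed up: intermediaries and
        # origins that disagree on it are a classic smuggling/desync seam.
        raise ValueError(f"invalid field-name {name!r}")
    return name.lower(), value.strip(OWS)


def parse_headers(raw):
    """Parse a CRLF-separated header block into lowercased name -> list of values."""
    headers = {}
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, value = parse_header(line)
        headers.setdefault(name, []).append(value)
    return headers


def is_valid_header_line(line):
    """True if parse_header() accepts the line."""
    try:
        parse_header(line)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(parse_header_untrimmed("Host: foo \r\n"))   # ('host', 'foo ')
    print(parse_header("Host: foo \r\n"))             # ('host', 'foo')
    print(is_valid_header_line("Host : foo\r\n"))     # False
```

The practical consequence of the untrimmed value is that any exact-match lookup keyed on the header (virtual host tables, allow-lists, cache keys) sees "foo " and "foo" as different strings, even though every conforming peer treats them as the same field-value.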
Omise: Found Origin IP's Lead To Access To [ Grafana Instance , PgHero Instance [ Can SQL Injection ]
Hello, through recon on go.exchange I found origin IPs on https://censys.io/ipv4?q=go.exchange That allows the attacker to access many instances like Grafana (but that needs credentials) and to access PgHero and TokenModel · GO.Exchange, where the attacker can use PgHero to execute PostgreSQL...
Node.js third-party modules: `atob` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below
I would like to report an uninitialized Buffer allocation issue in atob. It allows to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed e.g. from JSON, on Node.js 4.x and lower. Module module name: atob...
Node.js third-party modules: Prototype pollution attack (Hoek)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the Hoek library. Module: hoek Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of the structure...
Node.js third-party modules: [html-janitor] Passing user-controlled data to clean() leads to XSS
Module: Name: html-janitor Version: 2.0.2 Summary: Passing user-controlled data to the module's clean function can result in arbitrary JS execution, because of unsafe DOM operations. The description "Cleans up your markup and allows you to take control of your HTML. HTMLJanitor uses a defined...
Rockstar Games: Reflected XSS via Double Encoding
The researcher found a Reflected XSS vulnerability in the search query on support.rockstargames.com. This exploit worked by using double-encoding to bypass our filters. With the researcher's help we were able to resolve this vulnerability...
Shopify: IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop
SUMMARY ---------- Hello, I have found a permission problem in https://partners.shopify.com that allows a member with only "Manage apps" permission to get various shop information and also list the staff accounts from inside that shop without having access to the shop's admin area REPLICATION STEPS...
Nextcloud: Content Spoofing in "files" app
@ahsantahir reported a Content Spoofing Vulnerability in the Nextcloud Server. The related security advisory can be found at https://nextcloud.com/security/advisory/?id=nc-sa-2017-006 On request of the reporter the issue has only been disclosed limitedly...
Unikrn: Urgent: Server side template injection via Smarty template allows for RCE
Hi All, I've found an issue which has allowed me to execute file_get_contents and extract your /etc/passwd file. Description It appears as though you are using Smarty on the backend for templating. Entering a malicious payload as my firstname, lastname and nickname and then inviting a user to join...
Uber: XSS in getrush.uber.com
https://getrush.uber.com/business?utm_campaign=tttttt%27%3C/script%3E%3Cscript%3Ealert(0)%3C/script%3E&utm_medium=top&utm_source=website You need to escape the utm_campaign parameter before rendering it in the HTML. Thanks, David Dworken...
Internet Bug Bounty: Adobe Flash Player Out-of-Bound Access Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to out-of-bounds memory access via a carefully crafted regular expression. An attacker can exploit this issue to defeat ASLR protection or even execute arbitrary code in the context of the affected application Internet Explorer...
Internet Bug Bounty: moderate: Apache HTTP Server: mod_rewrite proxy handler substitution (CVE-2024-39573) CWE-20 Improper Input Validation
moderate: Apache HTTP Server proxy encoding problem CVE-2024-38473 An encoding problem was discovered in mod_proxy in Apache HTTP Server versions 2.4.59 and earlier. This issue allowed request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via...
Internet Bug Bounty: CVE-2024-2379: QUIC certificate check bypass with wolfSSL
CVE-2024-2379 was a vulnerability in libcurl's QUIC implementation where certificate verification was skipped under certain conditions when using the wolfSSL library. The vulnerability was caused by an error path that accidentally returned success when encountering unknown or unsupported ciphers ...
Glassdoor: Web Cache Deception
A web caching issue was discovered on an endpoint which inappropriately cached a user's feed page under certain conditions...
curl: CVE-2023-46219: HSTS long file name clears contents
Vulnerability description not provided...
Tor: 'Request English versions of web pages for enhanced privacy' keeps previous (grayed out) settings
The vulnerability allowed an attacker to identify users who had changed their language settings in the Tor Browser. By exploiting JavaScript and HTTP fingerprinting techniques, the attacker could determine the user's language preferences, even if the user had enabled the "Request English versions...
WakaTime: Waketime Payment Gateway Vulnerability
Vulnerability description not provided...
U.S. Department of State: Impact of Using the PHP Function "phpinfo()" on System Security - PHP info page disclosure
Sensitive information such as the exact PHP version, operating system and its version, internal IP addresses, server environment variables, and loaded PHP extensions and their configurations could be revealed by using the PHP function "phpinfo". This could potentially be exploited by attackers to...
Glassdoor: [CRITICAL] Full account takeover without user interaction on sign with Apple flow
An account takeover was detected with our sign-up with Apple flow where an email parameter was manipulated in the request flow to our servers. This scenario can only be performed on a previously unlinked apple ID account with Glassdoor. Changing the email in the request flow allowed the researche...
Internet Bug Bounty: Node.js - DLL Hijacking on Windows
Full Node.js Security Releases - summarizing the issue is here: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ The original Node.js HackerOne report is here: https://hackerone.com/bugs?report_id=1447455 ----- Node.js versions earlier than 16.16.0 LTS and 14.20.0 are vulnerabl...
Internet Bug Bounty: Read beyond bounds in ap_strcmp_match() [zhbug_httpd_47.7]
Greetings. I have found a read-beyond-bounds attack against httpd that allows an attacker to search httpd's memory for strings matching an attacker-specified pattern. 1. The attack arises from an overflow in ap_strcmp_match() in server/util.c. 2. The vulnerability can be reached via a Lua program that us...
U.S. Dept Of Defense: Sensitive information on '████████'
Hi team, I found a sensitive file hosted on '█████████' that I think must not be publicly accessible due to the wording "███████" Vulnerable Endpoint: https://█████████/████████ ██████████ Impact Sensitive information publicly accessible System Hosts ████████ Affected Products and Versions CVE...
curl: CVE-2021-22924: Bad connection reuse due to flawed path name checks
Summary: Curl_ssl_config_matches attempts to compare whether two SSL connections have identical SSL security options or not. The idea is to avoid reusing a connection that uses less secure, or completely different security options such as capath, cainfo or certificate/issuer pinning. Unfortunately...
Mail.ru: Improper Restriction of Excessive Authentication Attempts at https://top.mail.ru/edit? for site counter (Rate Limit bypass via IP Rotation)
Password at top.mail.ru counters was not sufficiently protected against bruteforce...
Avito: link.avito.ru - Bypass of restrictions on external links.
Hello Avito! On the "link.avito.ru" subdomain of "www.avito.ru" an attacker is able to bypass the restriction for dangerous external links via the trusted domain google.com. This scenario may also be possible with all other trusted domains of Avito such as "yandex.ru" and so on, but in this example I used...
Stripo Inc: Integer Overflow (CVE-2017-7529)
Integer Overflow - The issue affects nginx 0.5.6 - 1.13.2...
Topcoder: Stored XSS on https://apps.topcoder.com/wiki/pages/editpage.action
Summary: Hi : There is a stored XSS on wiki pages and it executes when editing page. Steps To Reproduce: After I submitted 867125, i realized that the vote macro causes stored XSS on wiki edit page. A user can edit wiki pages on https://apps.topcoder.com/wiki/pages/editpage.action?pageId=. Users...
Stripo Inc: CORS on my.stripo.email
Hey Team, I don't know if it's valid or not, I just want to let you know about this, thanks. Following the HTML file .. var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get', 'https://my.stripo.email/cabinet/stripo-ws/v1/stripo-websocket/info?t=1587908666898', true); req.withCredentials...
Mail.ru: [capsula.mail.ru] overriding order info
IDOR vulnerability in order editing functionality of capsula.mail.ru allowed to override the incomplete unsubmitted order saved for later...
Mail.ru: IDOR in the per-domain user list on relap.io
IDOR in relap.io allowed users enumeration for domain...
Node.js third-party modules: [npm-git-publish] RCE via insecure command formatting
I would like to report a RCE issue in the npm-git-publish module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: npm-git-publish version: 0.2.4-beta npm page: https://www.npmjs.com/package/npm-git-publish Module Description Share/publish private packag...
HackerOne: ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages
Summary: Hi team, I've found an issue on the profile picture upload feature of your asset - https://hackerone.com, which can allow a malicious attacker to perform an application-wide denial of service attack. Description: I was playing with the profile picture upload feature, then I observed that...
PortSwigger Web Security: Clicking "http://burp" hyperlink on FireFox CA Installation guide redirects to "burp.com" (unclaimed website).
Executive Summary --------------------------------------------------- I was in the process of installing Burp suite community edition on my recent machine where I believe I stumbled across a potential open redirect issue on the CA certificate installation website. This is a security concern due t...
Semmle: Worker container escape lead to arbitrary file reading in host machine
Summary: Because of a lack of security, an attacker will be able to remove the original log file and replace it with a symlink to another file. After finishing the job, the host machine copies the file from the Docker container. Because the original log file has been removed, the host machine will copy the symlink file. But the...
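The following is an added example, not Semmle's or Docker's code, that stages the attack described above in a temporary directory and shows the host-side collector two ways: a naive copy that follows the planted symlink and leaks a "host" file, and a hardened copy that opens with O_NOFOLLOW, then insists on a regular file with a single hard link. The directory names, the secret file and the log contents are all constructed.

```python
"""Log collection from a worker directory: naive copy follows a planted symlink,
hardened copy refuses it (added example, not Semmle's or Docker's code)."""
import os
import shutil
import stat
import tempfile


class LogCollectionRefused(Exception):
    """The collector declined to copy job.log."""


def collect_log_naive(worker_dir, dest):
    """Host-side copy as described in the report: reads whatever job.log points at."""
    shutil.copyfile(os.path.join(worker_dir, "job.log"), dest)


def collect_log_hardened(worker_dir, dest):
    """Open without following symlinks, then require a plain, singly-linked regular file."""
    path = os.path.join(worker_dir, "job.log")
    if os.path.islink(path):  # lstat pre-check for a clear error; O_NOFOLLOW is the atomic guard
        raise LogCollectionRefused(f"{path} is a symlink")
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags)
    except OSError as exc:  # ELOOP if the last component became a symlink after the check
        raise LogCollectionRefused(f"cannot open {path}: {exc.strerror}") from exc
    with os.fdopen(fd, "rb") as src:
        st = os.fstat(src.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise LogCollectionRefused("job.log is not a regular file")
        if st.st_nlink != 1:
            # A hard link to a host file passes both symlink checks; refuse it too.
            raise LogCollectionRefused("job.log has extra hard links")
        with open(dest, "wb") as out:
            shutil.copyfileobj(src, out)


def demo():
    """Returns (bytes leaked by the naive copy, whether the hardened copy refused,
    bytes the hardened copy produced for a legitimate log)."""
    with tempfile.TemporaryDirectory() as root:
        host_secret = os.path.join(root, "host_secret")
        with open(host_secret, "wb") as f:
            f.write(b"top-secret")  # constructed stand-in for a host-only file

        # Malicious job: delete the real log and plant a symlink in its place.
        evil_dir = os.path.join(root, "worker_evil")
        os.mkdir(evil_dir)
        os.symlink(host_secret, os.path.join(evil_dir, "job.log"))

        leaked_dest = os.path.join(root, "collected_naive.log")
        collect_log_naive(evil_dir, leaked_dest)
        with open(leaked_dest, "rb") as f:
            leaked = f.read()

        refused = False
        try:
            collect_log_hardened(evil_dir, os.path.join(root, "collected_safe.log"))
        except LogCollectionRefused:
            refused = True

        # Honest job: a real file, which the hardened collector must still copy.
        good_dir = os.path.join(root, "worker_good")
        os.mkdir(good_dir)
        with open(os.path.join(good_dir, "job.log"), "wb") as f:
            f.write(b"build ok\n")
        good_dest = os.path.join(root, "collected_good.log")
        collect_log_hardened(good_dir, good_dest)
        with open(good_dest, "rb") as f:
            legit = f.read()

        return leaked, refused, legit


if __name__ == "__main__":
    print(demo())  # (b'top-secret', True, b'build ok\n')
```

Copying out of an untrusted filesystem is also where directory symlinks bite: if the collector walks a tree rather than a single file, every path component needs the same treatment (openat with O_NOFOLLOW per step, or resolving inside a mount the job cannot write).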
Mail.ru: Bash History file log
Researcher found a publicly accessible .bash_history file on one of the servers. The file contained commands without sensitive data in them...
X (Formerly Twitter): cookie injection allow dos attack to periscope.tv
Description: I found in periscope.tv a parameter "create_user" that allows injecting the "login_is_signup" cookie; when tested with a CRLF payload, I got the response "HTTP/1.1 504 GATEWAY_TIMEOUT". Link Vulnerable: https://www.periscope.tv/i/twitter/login?create_user=payload&csrf=your_csrf_token Steps To Reproduce: 1. go t...
TomTom: Exposed Git Repo at http://betaforum.tomtom.com/.git/{subfolders}
Dear Security team, I found a git repository on http://betaforum.tomtom.com/.git. This endpoint allows an attacker to retrieve much of the source code and git history for this service which could potentially reveal sensitive information, it all depends what is stored there. Example: 1...
Internet Bug Bounty: Uninitialized read in exif_process_IFD_in_TIFF
This bug can be reproduced only in 32-bit PHP builds. This bug is present in the exif_process_IFD_in_TIFF method of the ext/exif/exif.c file. A detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug Report: https://bugs.php.net/bug.php?id=77509 PHP version ...