Internet Bug Bounty: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...
Khan Academy: Possible Take Over Subdomain For Inbound Emails
Hello KhanAcademy Security Team, I'm rootbakar. The researcher identified that the affected url points to sendgrid.net via a DNS CNAME record. As a result of this, an attacker could potentially initiate a subdomain takeover by registering the subdomain sendgrid.khanacademy.org on sendgrid and...
U.S. Dept Of Defense: External Service Interaction (HTTP/DNS) on https://www.███ (██████████ parameter)
Greetings, I've found an External service interaction (HTTP/DNS) on https://www.███████ External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to trigger arbitrary external service...
Whisper: Bypass pin(4 digit passcode on your android app)
I have found that these activities are exported. Package: sh.whisper sh.whisper.WMainActivity sh.whisper.WWhisperBrowserActivity sh.whisper.WRelatedActivity sh.whisper.WDiscoverActivity sh.whisper.WCategoryFeedActivity sh.whisper.WSettingsActivity Parent Activity: sh.whisper.WMainV4Activity...
Razer: Misconfigured s3 Bucket exposure
Found an S3 bucket that belongs to Razer and is not properly configured. Bucket name: http://rzimageupload.s3.amazonaws.com/ Bucket source: https://api.razer.com Steps To Reproduce: 1. Go to https://api.razer.com and create a project. 2. In the project icon select an image from your computer. 3...
GitLab: Arbitrary file read via the UploadsRewriter when moving and issue
Summary The UploadsRewriter does not validate the file name, allowing arbitrary files to be copied via directory traversal when moving an issue to a new project. The pattern used to look for references is : MARKDOWNPATTERN = %r!?.?\/uploads/?0-9a-f32/?.?.freeze This is used by the...
IBM: There is a POST based CSRF issue over IBM endpoint leading to modification of contact information.
There was a CSRF vulnerability found in an IBM endpoint that allowed modification of contact information through a POST request...
Nextcloud: Exposing debug.log file leads to server full path disclosure
At the following address I have found a debug.log file that discloses the application's full path on the server. https://nextcloud.com/wp-content/debug.log Impact The server should not expose this log file, as it could help an attacker to understand the environment, which may lead to further attacks...
Sifchain: Subdomain Takeover on proxies.sifchain.finance pointing to vercel
Hello Team, Subdomain takeover vulnerabilities occur when a subdomain subdomain.example.com is pointing to a service e.g. GitHub pages, Heroku, etc. that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain...
U.S. Dept Of Defense: RCE on █████ via CVE-2017-10271
Summary: Happy Friday! The server at ██████ is vulnerable to CVE-2017-10271 "Oracle WebLogic Server Remote Command Execution". Description: The following request takes 12 seconds (12000 milliseconds) to complete: POST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1 Host: ██████████ Content-Length: 423...
UPchieve: Vulnerability Report - sweet32 UPchieve
Hello Team. I ran nmap with the ssl-enum script to look for a new vulnerability that is known as "SWEET32". Detail about the sweet32 vuln: Cryptographic protocols like TLS, SSH, IPsec, and OpenVPN commonly use block cipher algorithms, such as AES, Triple-DES, and Blowfish, to encrypt data between client...
HackerOne: Missing Certificate Authority Authorization rule
Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...
curl: `Curl_socketpair()` fallback vulnerable to man-in-the-middle attack
In Curl_socketpair in curl/lib/socketpair.c, if the operating system lacks a native socketpair function, libcurl will create its own pair of sockets. To do this, libcurl first creates a listening socket, then it creates a client socket, which it then connects to the listening socket. During the tim...
Sifchain: Private KEY of crypto wallet
Summary: Hello, I'm writing in order to inform you that in your source code is stored the Private key of your crypto wallet that contains some money, as EOS, FNDR, and more. Your wallet address is this: 0x627306090abaB3A6e1400e9345bC60c78a8BEf57 Steps To Reproduce: The key is stored in "those...
HackerOne: Parameter pollution in social sharing buttons
Hello! For example we have a link https://hackerone.com/blog/introducing-signal-and-impact, and we will change it to https://hackerone.com/blog/introducing-signal-and-impact?&u=https://vk.com/durov. If you send a link to the user and he wants to share a link to facebook, the content will change...
HackerOne: Account takeover via leaked session cookie
Summary: You disclosed your session to me. Description: You gave me your session in the last report; I can use your session. Sorry ███ ████████ █████████ Impact HackerOne Staff Access, I can read all reports @security and more programs...
Trello: XSS and Open-Redirect via SVG
Hi Trello, When I was uploading image attachments from my computer, I realized that I can upload SVG files, and then I tried to look at the SVG file that I attached, and I understood that you execute SVG files, which can be malicious, redirecting to a website or executing javascript code for members...
OLX: Subdomain Takeover (http://docs.olx.ph/ , http://calendar.olx.ph/, http://sites.olx.ph/)
Hello There, I found a Sub-Domain Takeover in olx.ph. Kindly take a look, sir. These subdomains http://docs.olx.ph/ , http://calendar.olx.ph/, http://sites.olx.ph/ are pointing towards: docs.olx.ph is an alias for ghs.googlehosted.com. ghs.googlehosted.com has address 216.58.201.179...
curl: Memory Leak in libcurl via Location Header Handling (CWE-770)
Summary: This report details a memory leak vulnerability in libcurl that occurs when processing HTTP 3xx redirect responses containing a Location: header. Specifically, the memory allocated for the Location: header's value is not properly deallocated when the Curl_easy handle is reused for...
VK.com: A way to learn the name and university of a deleted page
1. Choose any deleted page. 2. For example, open http://vk.com/id55555 3. We see the message that "The page has been deleted or not yet created" and no further information. 4. Use widgetsubscribe.php with only the oid parameter 5. https://vk.com/widgetsubscribe.php?oid=55555 6...
Sifchain: ETHEREUM_PRIVATE_KEY leaked via Open Github Repository
Summary: GitHub is a truly awesome service, but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services. As I was able to find internal data, as responsible disclosure I wanted to share it like this, the only channel to do so, and it's related to your sensitive...
Legal Robot: SWEET32 TLS attack
Researchers have found a new attack against the 3DES-CBC cipher in TLS, with which they can decrypt customer data using a method called the SWEET32 Birthday Attack. This vulnerability has been assigned CVE-2016-2183 and has a CVSS score of 5.0. This vulnerability can be found manually by simply using the nmap script nmap -Pn -p...
AWS VDP: Non-Production API Endpoints for the Glue Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The AWS Glue service was found to have 12 non-production API endpoints that could be accessed using standard IAM credentials without generating any CloudTrail logs. This allowed for silent permission enumeration, where an adversary could determine the permissions of compromised credentials withou...
Cosmos: Groups module can halt chain when handling a proposal with malicious group weights
The Cosmos SDK's groups module contained a vulnerability that could cause a chain to halt when handling a proposal with malicious group weights. The issue was triggered by a division operation that could fail due to the exponent of the resulting value being out of range, leading to a panic and...
Zomato: OTP Bypass via Response Manipulation
OTP (One-Time Password) bypass via response manipulation is a technique where an attacker intercepts and alters the server's response to bypass the OTP verification step. Response Manipulation: The attacker manipulates the server's response. For example, they might change a response indicating OTP...
Informatica: F5 BIG-IP Cookie potentially reveal BigIP pool name, backend's IP address and port, routed domain.
Hi Team, I hope everything is well. I am Kabeer Saxena, a Security Researcher, and I have found a bug. Issue: F5 BIG-IP Cookie Remote Information Disclosure. Vulnerable IP: ██████:443 Certificate Information: X509v3 Subject Alternative Name: DNS:████████ Summary:...
Mail.ru: Path traversal, SSTI and RCE on a MailRu acquisition
Unpatched CVE-2019-3396 and a few more in a publicly accessible Atlassian Confluence instance in the ESForce domain...
AWS VDP: Non-Production API Endpoint for the ElastiCache Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration
The ElastiCache service contains a non-production API endpoint that allows for permission enumeration without logging to CloudTrail. This could enable an adversary with compromised credentials to silently test the permissions of the credentials...
Acronis: Found multiple SAP NetWeaver vulnerable services
Summary: Hello Team, I found two vulnerable SAP NetWeaver services, redapi.acronis.com and redapi2.acronis.com. They do not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system,...
XVIDEOS: Lack of Rate Limiting on Account Creation Endpoint
A vulnerability was identified in the account creation process. The affected endpoint lacked proper rate limiting mechanisms, allowing for the automated creation of multiple user accounts without restrictions. This security flaw could be exploited using tools to generate a large number of fake...
Stripo Inc: Open memory dump method leaking customer information, secret keys, passwords, source code & admin accounts
Summary: Stripo uses Spring Boot for the backend API development, and misconfigured the application to open actuator APIs to the public. This issue is found in 3 domains; I don't know if I need to publish 3 reports for that, or just one report, but the domains are:...
Stripo Inc: SSRF in /cabinet/stripeapi/v1/siteInfoLookup?url=XXX
Summary: SSRF vulnerability allows mapping the internal network. Steps To Reproduce: It is possible to run internal requests with the siteInfoLookup service. GET /cabinet/stripeapi/v1/siteInfoLookup?url=http://10.0.0.100:8080 HTTP/1.1 Host: my.stripo.email Based on the response we know if the ip ...
Glassdoor: Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/
Summary: There is a reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/ through the utm_source parameter. By using URL encoding I was able to bypass the WAF. Affected URL or select Asset from In-Scope: https://www.glassdoor.com/ Affected Parameter: utm_source Vulnerability Type: XSS...
LocalTapiola: F5 BIG-IP Cookie Remote Information Disclosure
Basic report information Summary: The remote host for myynti.lahitapiolarahoitus.fi appears to be an F5 BIG-IP load balancer or behind a load balancer, and the unencrypted cookie may disclose the BigIP pool name, backend's IP address and port, and routed domain. Description: The remote host appears to be ...
curl: CVE-2025-0167: netrc and default credential leak
Summary: The fix for CVE-2024-11053 seems to be incomplete. The information leak problem could be reproduced again if netrc is used in step 1. Affected version: all. Steps To Reproduce: 1. Adapt test479 to use netrc like below (both user and password are not provided for b.com): machine a.com login alice...
Chaturbate: Web cache deception attack - expose token information
Hello, I have found a new vulnerability in your website, which is called Web cache deception attack. It was found for the first time in PayPal. Web Cache Deception Attack Websites often tend to use web cache functionality to store files that are often retrieved, to reduce latency from the web server. Let's see a...
Ruby on Rails: The authenticity_token can be reversed and used to forge valid per_form_csrf_tokens for arbitrary routes
When per_form_csrf_tokens is set to true, each form should be protected against CSRF with a unique token that is not predictable by an attacker. The per_form_csrf_token is generated using an HMAC SHA-256 with a key that is exposed in a reversed authenticity_token. The authenticity_token is a Base64 encoding ...
Localize: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
Go to http://www.localize.im/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 This effectively makes it a security issue since it allows an attacker to scan for a specific vulnerable module and then exploit it...
Internet Bug Bounty: CVE-2025-24813: Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet
The Apache Tomcat vulnerability CVE-2025-24813 allowed remote code execution and information disclosure. The vulnerability was caused by a combination of features, including writes enabled for the default servlet, support for partial PUT requests, and the use of Tomcat's file-based session...
Starbucks: Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604)
l00ph0le discovered an endpoint on the Store Development Resource Center site at https://sdrc.starbucks.com/layouts/15/picker.aspx was vulnerable to a deserialization RCE in Microsoft Sharepoint per CVE-2019-0604. @l00ph0le — thank you for reporting this vulnerability, your patience while we...
Enjin: Cloudflare /cdn-cgi/ path allows resizing images from unauthorised sources on enjinusercontent.com
The Cloudflare /cdn-cgi/ path on enjinusercontent.com was discovered to allow resizing and rendering of images from unauthorized sources without restriction. This behavior could have led to HTML injection, SSRF, and portal scanning attacks, as well as the unrestricted display of external resource...
HackerOne: h1-202 leaderboard photo discloses local wifi password
Summary: the h1-202 event took several photos for the event that rotate on the public leaderboard. One of these photos disclosed the local wifi SSID and Password. Description: SSID: HackerOne Password: █████████ Steps To Reproduce 1. Look at the photo attached Remediation Have your staff...
IBM: Path Traversal Vulnerability found on IBM Cloud
The path traversal vulnerability on IBM Cloud was reported by an external researcher, analyzed, and remediated. The vulnerability has been addressed...
Hiro: EXIF Geolocation Data Not Stripped From Uploaded Images
The Blockstack Browser does not strip EXIF data on avatar uploads...
Bumble: Decrypting all types of encrypted IDs
Hi! I discovered a bug that makes it possible to very seriously bypass the site's logic. This vulnerability allows decrypting any encrypted ID that identifies a user's profile. Several kinds of ID are generated for each user, for example for display in "Encounters", "Live...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. @0daystolive and @dly were able to demonstrate this vulnerability by developing a custom script that caused the webserver to execute a benign...
Node.js: Usage of unsafe random function in undici for choosing boundary
The vulnerability in the Undici library involves the use of an unsafe random function to choose the boundary for a multipart/form-data request. The use of Math.random to generate this boundary can be predicted if several of its generated values are known. This could potentially allow an attacker ...
Ruby: Bug Report : [ No Valid SPF Records ]
Hi Team, Hope you are doing well. I found a vulnerability in your web app. URL: https://www.ruby-lang.org/en/s Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than...
ok.ru: web.xml configuration file disclosure
Several source files were accessible at .mycdn.me https://st.mycdn.me//WEB-INF/web.xml https://st.mycdn.me/WEB-INF/web.xml https://groupava1.mycdn.me/redirect.jsp https://groupava1.mycdn.me/index.jsp...
Chaturbate: Stored XSS in chat topic due to insecure emoticon parsing on any message type
Description The functionality for adding emoticons into the chat, from the server-side perspective, is based on a string in the following format: %%%emoticon NAME|EMOTICONURL|WIDTH|HEIGHT|REPORTURL%%% The EMOTICONURL must conform to the following regex: javascript...