15300 matches found
Node.js: Improper handling of untypical characters in domain names
Description: Missing input validation of host names returned by DNS servers in Node's dns library can lead to output of wrong hostnames, leading to domain hijacking and injection vulnerabilities in applications using the library, which in turn can lead to remote code execution, XSS, application crashes, ...
Ruby: 'net/http': HTTP Header Injection in the set_content_type method
The set_content_type method's params are not filtered, which leaves the injection free to alter the entire request. The vulnerable code: def set_content_type(type, params = {}) @header['content-type'] = [type + params.map{|k,v| "; #{k}=#{v}"}.join('')] end PoC 1. require 'net/http' uri = URI('http://127.0.0.1:8080') r...
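An added example, not code from the report or from Ruby's net/http: it replicates the unfiltered concatenation shown above beside a hardened version that refuses CR, LF and NUL, and runs both over a constructed params hash (the injected header name and the smuggled body in it are hypothetical) so the extra header line the concatenation produces is visible.

```ruby
# Replica of the vulnerable method: every key and value of params is
# concatenated into the header value verbatim.
def vulnerable_content_type(type, params = {})
  type + params.map { |k, v| "; #{k}=#{v}" }.join('')
end

class HeaderInjectionError < ArgumentError; end

# Hardened form: reject a type, key or value containing CR, LF or NUL, the
# characters that end a header line on the wire, before concatenating.
def safe_content_type(type, params = {})
  [type, *params.keys, *params.values].each do |s|
    if s.to_s.match?(/[\r\n\0]/)
      raise HeaderInjectionError, "CR/LF/NUL in header value: #{s.inspect}"
    end
  end
  type + params.map { |k, v| "; #{k}=#{v}" }.join('')
end

# The header lines a Content-Type value would turn into once written to the
# socket: more than one line means a header was injected.
def header_lines(value)
  "Content-Type: #{value}".split(/\r?\n/)
end

if __FILE__ == $0
  # Constructed attacker-controlled param (hypothetical), as an application
  # might pass user input through: it closes the Content-Type line, adds a
  # header and starts a body of its own.
  evil = { 'charset' => "utf-8\r\nX-Injected: 1\r\n\r\nsmuggled-body" }
  puts header_lines(vulnerable_content_type('text/plain', evil))
  begin
    safe_content_type('text/plain', evil)
  rescue HeaderInjectionError => e
    puts "rejected: #{e.message}"
  end
end
```

The check is on every piece of the header, not only the values, because a caller that builds the params hash from user input can just as easily let the attacker choose a key.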
U.S. Dept Of Defense: Reflected XSS on https://█████████html?url
Vulnerable Website URL or Application: https://███████html?url=javascript:alert("nagli") Description of Security Issue: Reflected XSS due to no input validation █████████ Remediation: Sanitize the input on that parameter. Best Regards, nagli Impact...
New Relic: IDOR - User is able to download charts/dashboards from cross accounts
@k3ne described an issue where a user on an account could access data concerning dashboards for another user on the same account. While this appeared to be a cross-account access issue, both users on the account have access to the same data by design...
Razer: 🐞 OS Command Injection at https://sea-web.gold.razer.com/lab/ws-lookup via IP parameter
The tester discovered a Razer Gold Thailand site that suffered from a service with a command injection vulnerability. Razer thanks the tester for his report and clear PoC. a real world CTF-Like challenge 😅 Burpsuite Collaborator Client was very helpful Thanks @Razer for the bounty 🥳...
X (Formerly Twitter): iOS app crashed by specially crafted direct message reactions
Summary: iOS app crashed by specially crafted direct message reactions Description: Twitter does not properly sanitize direct message reactions, making it possible for arbitrary reaction text to be shown to the user via the message preview in the direct message list. Special characters such as \r...
MTN Group: Information Disclosure Microsoft IIS Server service.cnf in a mtn website
Hi there, I found an information disclosure of the Microsoft IIS Server service.cnf file on the website https://www.mtn.co.za/ using Firefox. In the following steps I will demonstrate how to reproduce the vulnerability. POC: 1. Go to the following URL: https://www.mtn.co.za/vtipvt/service.cnf and you will see:...
InnoGames: Blind SQL Injection
Summary of the Issue A Time Based Blind SQL injection vulnerability was detected on www.innogames.com. Using a specifically crafted payload it was possible to extract database entries. Vulnerable endpoint: https://www.innogames.com/ Steps to reproduce: 1. Getting two states for boolean based sql...
Mail.ru: OOB XXE
Limited XXE on XML request processing led to blind SSRF possibility OOB XXE on one of Ext. B Mail.ru domains, which could be exploited as blind SSRF...
U.S. Dept Of Defense: [CVE-2019-11510 ] Path Traversal on ████████ leads to leaked passwords, RCE, etc
Summary / Description: █████ is vulnerable to Path Traversal which can lead to remote code execution. Impact Critical Step-by-step Reproduction Instructions 1. Run the following cURL command to get the file /etc/hosts curl --path-as-is -k -D-...
Central Security Project: OS Command Injection in Nexus Repository Manager 2.x
Maven artifact groupId: org.sonatype.nexus.plugins artifactId: nexus-yum-repository-plugin version: 2.14.9-01 Vulnerability Description: The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All instances using CommandLineExecutor.java with user-supplied data are...
WordPress: Stored XSS Vulnerability
Hi there, I found a stored XSS at https://core.trac.wordpress.org/ Steps: 1. Go to https://core.trac.wordpress.org/ and log in. Open a new private window and log in with another account. 2. Go to https://core.trac.wordpress.org/newticket and set a summary and description. 3. Select a Workflow Keyword a...
Tor: Detect Tor Browser's language
Summary: Some error pages use text based on Tor Browser's language, and an iframe can steal it. Details: Since the language of Tor Browser is used for the title of the link tag on the 404 error page, an attacker can obtain the language of Tor Browser even if the user has set privacy.spoof_english to 2. I...
QIWI: [*.rocketbank.ru] Web Cache Deception & XSS
Almost all *.rocketbank.ru sites built on readymag.rocketbank.ru are vulnerable to Web Cache Deception and XSS. Example request: GET /?xx HTTP/1.1 Host: wknd.rocketbank.ru X-Forwarded-Host: cacheattack'"alert(document.domain) HTTP response: alert(document.domain)/friends/" alert(document.domain)...
Trello: Stored XSS in Treeview plugin
There was a potential XSS issue in a third party power-up. While issues with third party apps are generally out of scope for our bug bounty program, in this case we opted to award a small bounty...
Shopify: myshopify.com domain takeover
Hello Shopify Security Team, I just received your email and I'm sorry for any inconvenience. Yes, it was me. Basically, I just tried to audit your website using some black box testing. Unfortunately, I didn't read about those guidelines, such as creating a store on https://partners.shopify.com/ a...
Node.js third-party modules: [localhost-now] Path Traversal allows to read content of arbitrary file
Hi Guys, There is a Path Traversal in the localhost-now module. It allows reading the content of arbitrary files on the remote server. Module: localhost-now. This is a general file server made with Node.js. It makes it easy for you to access the files on the server through the browser...
Pornhub: pornhub.com/user/welcome/basicinfo nickname field is vulnerable on xss
The researcher discovered a stored XSS in the user's basic info page...
Zomato: Amazon S3 bucket misconfiguration (share)
Hi, Description I have discovered one of your Amazon S3 bucket and tested it via the AWS command line tool on Linux. It looks like permissions are not well configured and allow dangerous actions to everyone. The vulnerable bucket is: zomato-share PoC: aws s3 ls s3://zomato-share aws s3 cp test...
Phabricator: Autoclose can close any task regardless of policies/spaces
Description: If a user can push to a repository that has autoclose enabled, they can close any Maniphest task on the install, including tasks whose policies otherwise restrict the user from viewing or editing, and tasks inside Spaces that the user can't view. I don't think this rises to the...
WordPress: Infrastructure - Photon - SSRF
Description: The service Photon located at http://i0.wp.com/ and described at https://code.trac.wordpress.org/browser/photon/ is vulnerable to HTTP SSRF via redirect. The redirect can go to any IP, including inside any firewall Photon might be behind, on any port, and can ad...
Automattic: [bbPress] Stored XSS in any forum post.
Intro: Encouraged by the success of Cure53 and their reward, I started researching the plugins in your scope. Almost immediately I found a critical Stored XSS, which of course leads to privilege escalation or PHP code execution. This vulnerability doesn't require "special" privileges like...
Internet Bug Bounty: Bad Write in TTF font parsing (win32k.sys)
This bug was originally reported through Project Zero at Google. Alex Rice suggested to me that I could potentially receive a bounty through Hacker One so I am also opening a report here. The vulnerability reference numbers are MS15-010 CVE-2015-0059 The original bug report is...
Mobile Vikings: Stored XSS in Direct debit name
1. Make a new or edit an old Direct debit, for example https://mobilevikings.be/en/account/easypay/correct-direct-debit-mandate/111366/ 2. Fill the owner's name with the payload asdf'"alert(document.cookie) 3. Save the form. We got Stored XSS in pages: https://mobilevikings.be/en/account/easypay/...
Yahoo!: REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Internet Bug Bounty: Handling of jar: URIs bypasses AllowScriptAccess=never
This bug was reported directly to Adobe. http://helpx.adobe.com/security/products/flash-player/apsb14-02.html...
Internet Bug Bounty: important: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (CVE-2024-38476)
The Apache HTTP Server vulnerability CVE-2024-38476 was discovered in versions 2.4.0 through 2.4.59. The vulnerability allowed the use of exploitable or malicious backend application output to run local handlers via internal redirect. Users were recommended to upgrade to version 2.4.60, which fix...
Node.js: Bypass incomplete fix of CVE-2024-27980
CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arose from improper handling of batch files with all possible extensions on Windows via child_process.spawn and child_process.spawnSync. A malicious command line argument could have been used ...
curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL
The vulnerability in vquic-tls.c in the curl_wssl_init_ctx function allowed for a certificate check bypass when using the wolfSSL backend. The error handling was not properly implemented, resulting in a potential bypass of the certificate verification requirements...
Internet Bug Bounty: CVE-2023-27535: FTP too eager connection reuse
A vulnerability was found in libcurl versions 7.13.0 to 7.88.1 that allowed the reuse of previously created FTP connections even when one or more options had been changed, leading to the second transfer being done with wrong credentials. This was due to several FTP settings being left out from th...
Node.js: CRLF Injection in Nodejs ‘undici’ via host
A CRLF injection vulnerability existed in the 'host' header of undici.request API, allowing an attacker to inject arbitrary HTTP headers and conduct various attacks. The vulnerability impacted undici library versions up to 5.14.0...
Cloudflare Public Bug Bounty: Using special IPv4-mapped IPv6 addresses to bypass local IP ban
Vulnerability description not provided...
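The report above carries no description, so the check below is an added example of the technique its title names, not code from Cloudflare or from the report: a block list that only consults IPv4 ranges lets the IPv4-mapped IPv6 literal ::ffff:127.0.0.1 (or its hex form ::ffff:7f00:1) through, while unwrapping mapped addresses before the comparison closes that gap. The block list and the helper names are chosen for the example.

```ruby
require 'ipaddr'

# Constructed block list for the example: IPv4 loopback plus the RFC 1918
# ranges, and the IPv6 loopback. Not a list from the report or from Cloudflare.
BLOCKED_V4 = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |c| IPAddr.new(c) }
BLOCKED_V6 = %w[::1/128].map { |c| IPAddr.new(c) }

# Naive check: only IPv4 literals are compared against the IPv4 ranges. An
# IPv4-mapped IPv6 literal parses as IPv6, so it skips the comparison and is
# allowed even though it reaches the same local address.
def blocked_naive?(literal)
  ip = IPAddr.new(literal)
  return false unless ip.ipv4?
  BLOCKED_V4.any? { |range| range.include?(ip) }
end

# Unwrap an IPv4-mapped IPv6 address to its IPv4 form; every other address
# passes through unchanged. Returns the canonical string form.
def unwrap(literal)
  ip = IPAddr.new(literal)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  ip.to_s
end

# Hardened check: normalize first, then compare against the list for the
# address family that remains. Unparseable input is refused, not allowed.
def blocked_normalized?(literal)
  ip = IPAddr.new(unwrap(literal))
  list = ip.ipv4? ? BLOCKED_V4 : BLOCKED_V6
  list.any? { |range| range.include?(ip) }
rescue IPAddr::Error
  true
end

if __FILE__ == $0
  %w[127.0.0.1 ::ffff:127.0.0.1 ::ffff:7f00:1 10.0.0.5 8.8.8.8 ::1].each do |lit|
    puts format('%-18s naive=%-5s normalized=%s', lit, blocked_naive?(lit), blocked_normalized?(lit))
  end
end
```

The normalization has to happen on the address the connection will actually use, so in a real service it belongs after DNS resolution as well as on literals, otherwise a hostname that resolves to a mapped address is checked in one form and connected to in another.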
Fastify: Deny of service via malicious Content-Type
Summary: I found a way to crash a [email protected] server with a single request on a minimal setup. The function ContentTypeParser.getParser does not check properly whether the requested content-type parser exists. /lib/contentTypeParser.js:94 ContentTypeParser.prototype.getParser = function...
Internet Bug Bounty: Buffer Overflow in optimized_escape_html method
This report is a copy of bug report https://hackerone.com/reports/1328463. I was asked to submit this bug here, because the Ruby bug bounty program has moved to this new Internet Bug Bounty program. Operating System: Windows 10. This should reproduce on any other operating system where...
GitHub Security Lab: [GO] CWE-1004: Sensitive cookie without HttpOnly
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] BeanShell Injection
This bug was reported directly to GitHub Security Lab...
Kryptor: Kryptor/SECURITY.md missing HACKERONE program update.
Hi Team, I was going through the code and found that in https://github.com/samuel-lucas6/Kryptor/blob/master/SECURITY.md the "Security Policy" is missing the update regarding the HackerOne platform, that security bugs should now be submitted at https://hackerone.com/kryptor/. Please update the policy...
GitHub Security Lab: ihsinme: CPP add query for: CPP Add query for CWE-20 Improper Input Validation
This bug was reported directly to GitHub Security Lab...
Shopify: Stored XSS on apps.shopify.com
Steps to reproduce: 1. Write the payload luc1d"@wearehackerone.com as the Store contact email in the General Settings page: .myshopify.com/admin/settings/general F1202181 -- Wait here around 60 minutes, maybe more; it was 60 minutes for me for the change to reflect -- You can confirm the change here...
GitLab: FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com
Summary: Hi Team, a bit of an odd one here. The FogBugz import code uses CarrierWave::Uploader::Base#download! to download attachments from fogbugz.com when importing a FogBugz repository. CarrierWave::Uploader::Base#download! ultimately uses Kernel#open to download the provided attachment URL...
U.S. Dept Of Defense: Sensitive data exposure via https://███/secure/QueryComponent!Default.jspa - CVE-2020-14179
Summary: Information Disclosure vulnerability in outdated Jira. Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the...
Stripo Inc: No rate limiting for subscribe email + lead to Cross origin misconfiguration
Summary: I found a bypass of the rate limiting using Access-Control-Allow-Origin: and the response came back as 200, which is vulnerable. No rate limit means there is no mechanism to protect against the requests you make in a short frame of time. If the repetition doesn't give any error after 50, 100, 1000 repetitions...
CS Money: IDOR in https://3d.cs.money/
Summary: Hello, I found an IDOR in https://3d.cs.money/ which allows you to save, edit and delete builds of a victim's account without any grant on the victim's account. Steps To Reproduce: This bug is based on the steamID, which is shown on Steam, or you can use any Steam ID finder software to find...
Dropcontact: Sensitive Information Disclosure
We were displaying sensitive information. While testing the site I was able to disclose sensitive information such as usernames, passwords, API keys, etc. due to DEBUG = True. This bug arose due to the default configuration at the backend. Now the bug is fixed. Thanks to the team for the quick fix!...
h1-ctf: [H1-2006 2020] CTF writeup
Context: Well, against all expectations you finally got it, you got the flag! Let's go back in time to remember how. Twitter: Once upon a time, as always, the CTF starts with a tweet: F855948. Subdomains: According to the policy page, *.bountypay.h1ctf.com is in scope. You decide to scan...
Topcoder: CSRF on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Summary: Hi, there is a CSRF on the create-bookmark form. Steps To Reproduce: There is no CSRF token or anything like that on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action. I added the PoC HTML file below. When someone opens this HTML file, or we can add it into o...
Nord Security: The Linux binaries (nordvpn and nordvpnd) don't use PIE/ASLR
Summary: The Linux binaries nordvpn and nordvpnd don't have PIE/ASLR enabled. Such a feature is used to harden programs against the exploitation of memory corruption bugs and should be enabled. The use of ASLR has long been debated among the Golang community. However, it seems that it's becoming...
Nextcloud: Remote code execution via path traversal in Zip extraction in the Extract app
I realise this doesn't qualify for a reward, as it's a vulnerability in a third-party app, but as the app is part of the "official" VM image provided by Hansson IT, I think it's well worth fixing. The Extract app doesn't validate the path or filename of a zip file to be extracted, allowing an...
PUBG: Reflected XSS in pubg.com
Summary: PUBG's main website https://www.pubg.com has an endpoint that is vulnerable to an injection vulnerability - namely a reflected injection of JavaScript, also known as Reflected Cross Site Scripting XSS. As per OWASP's definition: "Cross-Site Scripting XSS attacks are a type of injection, ...
OWOX, Inc.: Reflected XSS
Hi team, I have found an XSS at https://bi.owox.com/ui/6177527534dc114eb07fa829e4ce4d28/dashboard/?trial=activated. Because the input is not properly filtered, the XSS is executed. Vulnerable area: 6177527534dc114eb07fa829e4ce4d28. The URL will now be:...