Topcoder: CSRF on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Summary: Hi: There is a CSRF on the create-bookmark form. Steps To Reproduce: There is no CSRF token or anything like that on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action. I added the PoC HTML file below. When someone opens this HTML file, or we can add it into o...
Nextcloud: Remote code execution via path traversal in Zip extraction in the Extract app
I realise this doesn't qualify for a reward, as it's a vulnerability in a third-party app, but as the app is part of the "official" VM image provided by Hansson IT, I think it's well worth fixing. The Extract app doesn't validate the path or filename of a zip file to be extracted, allowing an...
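The traversal class above (an archive entry whose name climbs out of the extraction directory) is easy to check for before touching the filesystem. The following is an added example, not code from the Extract app or from Nextcloud; the archive contents are constructed here, and the function names are the example's own.

```python
import io
import os
import posixpath
import stat
import tempfile
import zipfile


def is_safe_member(name: str) -> bool:
    """True only if the member name cannot escape the extraction root."""
    if not name or name.startswith(("/", "\\")) or "\\" in name:
        return False
    if ":" in name.split("/", 1)[0]:          # Windows drive letter, e.g. C:
        return False
    parts = posixpath.normpath(name).split("/")
    return ".." not in parts                  # catches a/../../b as well


def unsafe_members(zip_bytes: bytes) -> list:
    """Names of all entries that would land outside the root (or are symlinks)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16   # Unix mode bits, if the creator set them
            if stat.S_ISLNK(mode) or not is_safe_member(info.filename):
                bad.append(info.filename)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Validate every entry first; refuse the whole archive on the first bad one."""
    bad = unsafe_members(zip_bytes)
    if bad:
        raise ValueError(f"refusing to extract, unsafe entries: {bad}")
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            # Defence in depth: the resolved path must still sit under root.
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"path escapes root: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written


def build_zip(members: dict) -> bytes:
    """Build an in-memory archive; zipfile keeps '..' and leading '/' as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (not from the report): one benign, one carrying
# two traversal entries of the kind an unchecked extractor writes verbatim.
BENIGN_ZIP = build_zip({"readme.txt": b"hello", "docs/notes.txt": b"n"})
MALICIOUS_ZIP = build_zip({
    "readme.txt": b"hello",
    "../../evil.php": b"<?php system($_GET['c']); ?>",
    "/var/www/html/shell.php": b"<?php system($_GET['c']); ?>",
})


def extraction_rejected(zip_bytes: bytes) -> bool:
    """True if safe_extract refuses the archive (run in a throwaway directory)."""
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(zip_bytes, d)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print("unsafe entries:", unsafe_members(MALICIOUS_ZIP))
    print("rejected:", extraction_rejected(MALICIOUS_ZIP))
```

The check runs over the whole archive before anything is written, so a partially extracted archive is never left behind; the second `realpath` comparison catches what name-based filtering misses when a directory under the root is already a symlink.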
PUBG: Reflected XSS in pubg.com
Summary: PUBG's main website https://www.pubg.com has an endpoint that is vulnerable to an injection vulnerability - namely a reflected injection of JavaScript, also known as Reflected Cross Site Scripting XSS. As per OWASP's definition: "Cross-Site Scripting XSS attacks are a type of injection, ...
OWOX, Inc.: Reflected XSS
Hi team, I have found an XSS at https://bi.owox.com/ui/6177527534dc114eb07fa829e4ce4d28/dashboard/?trial=activated Because the input is not properly filtered, resulting in XSS being executed Vulnerable area: ----- 6177527534dc114eb07fa829e4ce4d28 The URL will now be:...
U.S. Dept Of Defense: SQL Injection in ████
Summary There is an SQL injection vulnerability in ████████ in the /█████/recruiter/updapp.aspx page, exploitable through the appid form parameter. Impact An attacker could use this vulnerability to control the content in the database, exfiltrate information, and obtain remote code execution...
New Relic: DNS misconfiguration on email.alerts.newrelic.com
While checking the subdomains I found that the subdomain email.alerts.newrelic.com, upon navigating, downloads a file saying "Mailgun Magnificent API" and has the following DNS info (screenshot attached). The problem lies in this issue: you add the domain email.alerts.newrelic.com to Mailgun. Mailgun...
VK.com: Determining a user id from a phone number
Insufficient checks in certain requests...
Node.js third-party modules: [serve] Directory listing and File access even when they have been set to be ignored
I would like to report a vulnerability in serve on macOS. It allows listing directory and reading local files on the target server. Module module name: serve version: 6.5.3 npm page: https://www.npmjs.com/package/serve Module Description Ever wanted to share a project on your network by running...
Mavenlink: Password reset link injection allows redirect to malicious URL
@cablej found a vulnerability in our password reset functionality that allowed an attacker using an HTTP request with a modified Host header to cause a password reset link to be emailed to the target user that would navigate to the attacker's domain. Because the password reset emails are sent fro...
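The flaw described above comes from building the link in the reset e-mail out of the request's Host header. Below is an added example, not Mavenlink's code, showing the vulnerable construction beside one that only validates the header and always links to a configured host; the host names, path and helper names are assumptions made for the example.

```python
from urllib.parse import urlencode, urlunsplit

# Constructed configuration (not Mavenlink's): the host the application must
# use in outbound links, and the hosts it legitimately serves.
CANONICAL_HOST = "app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
RESET_PATH = "/password/reset"


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the link from whatever Host the request carried (the reported flaw).

    The attacker requests a reset for the victim's address while sending
    Host: evil.example; the victim's mail then links to evil.example with the
    live token in the query string, which the attacker reads from their logs.
    """
    host = headers.get("Host", CANONICAL_HOST)
    return urlunsplit(("https", host, RESET_PATH, urlencode({"token": token}), ""))


def host_without_port(host: str) -> str:
    """Strip an optional :port, handling bracketed IPv6 literals."""
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def reset_link_hardened(headers: dict, token: str) -> str:
    """Never derives the link from request headers.

    Host, and X-Forwarded-Host (which a proxy may copy from client input),
    are only validated so a poisoned request is rejected; the link itself is
    always built from the configured canonical host.
    """
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is None and name != "Host":
            continue
        if value is None or host_without_port(value) not in ALLOWED_HOSTS:
            raise ValueError(f"unexpected {name} header: {value!r}")
    return urlunsplit(("https", CANONICAL_HOST, RESET_PATH, urlencode({"token": token}), ""))


def hardened_rejects(headers: dict) -> bool:
    """True if the hardened builder refuses this request."""
    try:
        reset_link_hardened(headers, "t0k3n")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    poisoned = {"Host": "evil.example"}
    print("vulnerable:", reset_link_vulnerable(poisoned, "t0k3n"))
    print("hardened rejects:", hardened_rejects(poisoned))
```

The same rule applies to every absolute URL the application emits in mail (verification links, invitations): take the host from configuration, and treat Host and X-Forwarded-Host as input to be validated, never as a source of truth.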
Phabricator: User with only Viewing Privilege can send message to Room
Hey, mongoose. When the owner of a chat room gives any user Viewing Privilege, that user can then send messages to the room. As expected, there's no form to send messages when the user accesses the room, since in theory it shouldn't be possible. However, messages via POST requests can still be sent a...
WordPress: XSS via unicode characters in upload filename
WordPress has a vulnerability that could lead to JavaScript execution and thus privilege escalation via an admin visiting the wrong page via specially crafted JavaScript. Unicode characters are escaped by JavaScript but they are not escaped server-side. I've checked the latest version 4.6.1 at th...
Sucuri: SSRF in sitecheck.sucuri.net
Hi, Sucuri Security Team. I found an SSRF in https://sitecheck.sucuri.net/. Although there was already protection to prevent SSRF, it can be bypassed by a 302 redirection! ssrf.php https://sitecheck.sucuri.net/results/orange.tw/ssrf.php And your port will receive "HELLO WORLD" orange@z:$ nc -v...
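The bypass above works because the target validates the URL the user submits and then lets its HTTP client follow the redirect to an internal address unchecked. The following added example (not Sucuri's code) models both behaviours offline: DNS and HTTP are replaced by constructed tables, the host name echoes the report, and the addresses and function names are the example's own.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed stand-ins for DNS and HTTP so the example runs offline.
FAKE_DNS = {
    "orange.tw": "93.184.216.34",      # public: the attacker's own server
    "localhost": "127.0.0.1",
}
# url -> (status, Location header, body)
FAKE_HTTP = {
    "http://orange.tw/ssrf.php": (302, "http://127.0.0.1:11211/", b""),
    "http://orange.tw/ok.html": (200, None, b"fine"),
    "http://127.0.0.1:11211/": (200, None, b"HELLO WORLD"),   # internal service
}


def resolve(host: str):
    """Accept an IP literal, else look the name up in FAKE_DNS (KeyError if unknown)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(FAKE_DNS[host])


def is_public(url: str) -> bool:
    """Fail closed: only http(s) to a globally routable unicast address passes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = resolve(parts.hostname)
    except (KeyError, ValueError):
        return False
    return ip.is_global and not ip.is_multicast


def http_get(url: str):
    """Constructed transport: returns (status, location, body) from FAKE_HTTP."""
    return FAKE_HTTP[url]


def fetch_naive(url: str, max_hops: int = 5) -> bytes:
    """Checks only the user-supplied URL, then follows redirects blindly."""
    if not is_public(url):
        raise ValueError(f"blocked: {url}")
    for _ in range(max_hops):
        status, location, body = http_get(url)
        if status in REDIRECTS and location:
            url = urljoin(url, location)      # never re-checked: the reported bypass
            continue
        return body
    raise ValueError("too many redirects")


def fetch_guarded(url: str, max_hops: int = 5) -> bytes:
    """Re-validates every hop, so a 302 to 127.0.0.1 is refused."""
    for _ in range(max_hops):
        if not is_public(url):
            raise ValueError(f"blocked: {url}")
        status, location, body = http_get(url)
        if status in REDIRECTS and location:
            url = urljoin(url, location)
            continue
        return body
    raise ValueError("too many redirects")


def guarded_blocks(url: str) -> bool:
    """True if the guarded fetcher refuses the chain starting at url."""
    try:
        fetch_guarded(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive fetch:", fetch_naive("http://orange.tw/ssrf.php"))
    print("guarded blocks:", guarded_blocks("http://orange.tw/ssrf.php"))
```

With a real client, get the same effect by disabling automatic redirects (for example `requests.get(url, allow_redirects=False)`) and looping over Location yourself. Two further caveats the table hides: resolve the name once, check the address, and connect to that address rather than re-resolving (otherwise a DNS answer that changes between check and connect defeats the check), and also reject IPv6 mapped forms of private ranges.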
HackerOne: SPF whitelist of mandrill leads to email forgery
I just sent a forged email to [email protected] that appears to originate from [email protected]. I was able to do this because of the following SPF record: dig txt hackerone.com hackerone.com. 299 IN TXT "v=spf1 include:spf.google.com include:sendgrid.net include:mail.zendesk.com...
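The weakness above is structural: every `include:` of a shared mail provider admits that provider's whole sending range, and so every other customer of that provider, unless the provider itself verifies the From domain. The following is an added example, not HackerOne's code; it expands a constructed SPF record (the domains mirror the shape of the quoted record, the networks are documentation ranges picked for the example) and reports which included senders are multi-tenant. The set of providers treated as shared is an assumption.

```python
import ipaddress

# Constructed TXT records (not hackerone.com's real zone).
FAKE_TXT = {
    "example.com": "v=spf1 include:spf.google.com include:sendgrid.net "
                   "include:mail.zendesk.com include:servers.mcsv.net -all",
    "spf.google.com":   "v=spf1 ip4:203.0.113.0/26 ~all",
    "sendgrid.net":     "v=spf1 ip4:203.0.113.64/26 ~all",
    "mail.zendesk.com": "v=spf1 ip4:203.0.113.128/26 ~all",
    "servers.mcsv.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 ~all",
}
# Assumed multi-tenant senders: any of their customers can emit from these ranges.
SHARED_ESPS = {"sendgrid.net", "mail.zendesk.com", "servers.mcsv.net"}
MAX_LOOKUPS = 10   # RFC 7208, section 4.6.4


def expand_spf(domain: str, depth: int = 0, lookups: list = None) -> list:
    """Flatten a record into (network, via_domain) pairs, following include:.

    Counts DNS-querying terms against the RFC 7208 limit; the 'all' qualifier
    of an included record is deliberately ignored, as the spec requires.
    """
    lookups = [0] if lookups is None else lookups
    if depth > MAX_LOOKUPS:
        raise ValueError(f"include chain too deep at {domain}")
    terms = FAKE_TXT[domain].split()
    if terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: not an SPF record")
    nets = []
    for term in terms[1:]:
        mech = term.lstrip("+-~?")
        if mech.startswith("include:"):
            lookups[0] += 1
            nets.extend(expand_spf(mech[len("include:"):], depth + 1, lookups))
        elif mech.startswith(("ip4:", "ip6:")):
            nets.append((ipaddress.ip_network(mech[4:], strict=False), domain))
        elif mech.split(":")[0].split("/")[0] in ("a", "mx", "exists", "ptr"):
            lookups[0] += 1   # also DNS-querying; host records not modelled here
    if lookups[0] > MAX_LOOKUPS:
        raise ValueError("permerror: more than 10 DNS lookups")
    return nets


def spf_verdict(domain: str, sender_ip: str) -> tuple:
    """('pass', matching_domain) or (result from the final 'all', None)."""
    ip = ipaddress.ip_address(sender_ip)
    for net, via in expand_spf(domain):
        if ip in net:                      # False across IPv4/IPv6
            return ("pass", via)
    last = FAKE_TXT[domain].split()[-1]
    return ({"-all": "fail", "~all": "softfail", "?all": "neutral"}.get(last, "neutral"), None)


def lookup_count(domain: str) -> int:
    """Number of DNS-querying terms the record costs a receiver."""
    lookups = [0]
    expand_spf(domain, 0, lookups)
    return lookups[0]


def shared_senders(domain: str) -> list:
    """Included providers whose customers could all pass SPF for `domain`."""
    return sorted({via for _, via in expand_spf(domain) if via in SHARED_ESPS})


if __name__ == "__main__":
    print(spf_verdict("example.com", "198.51.100.7"))
    print("shared senders:", shared_senders("example.com"))
    print("lookups:", lookup_count("example.com"))
```

A sender that passes only via a shared provider is the case to look at: either the provider enforces per-customer domain verification, or DMARC alignment on a DKIM signature keyed to your own selector has to carry the policy, because SPF alone cannot distinguish you from the provider's other tenants.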
Internet Bug Bounty: Buffer Overflow when parsing tar/zip/phar in phar_set_inode
https://bugs.php.net/bug.php?id=69441 Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allow remote attackers to execute arbitrary code via a crafted length value in a (1) tar, (2) phar, or (3) ZIP...
X (Formerly Twitter): XSS in twitter.com/safety/unsafe_link_warning
The following page has XSS. https://twitter.com/safety/unsafe_link_warning?unsafe_link=vulnerable_param Steps to reproduce: 1. Go to the following URL using IE:...
Mail.ru: XXE and SSRF on webmaster.mail.ru
SSRF request: POST /domain/metadata HTTP/1.1 Host: webmaster.mail.ru User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate...
HackerOne: Private information exposed through GraphQL search endpoints aggregates
Private information could be exposed through the aggs argument on the search and opportunities_search endpoints on the GraphQL root node, allowing for the potential exposure of private program handles and other data that can be aggregated...
GoCD: Open S3 Bucket Accessible by any Aws User
Description: It has been observed that the Amazon S3 bucket, which I believe belongs to GoCD as it contains data related to GoCD █████ documents and so on, is misconfigured; as a result any unauthenticated user can access it without any restrictions. Step-by-step Reproduction Instructions 1. Access...
Hyperledger: Remote denial of service in HyperLedger Fabric
This issue was caused by a missing check of nil. An orderer to orderer consensus message that contains an empty inner message crashes the node because it attempts to figure out its type and the mere action of determining the type of a nil pointer, causes a panic. Thank you to Haosheng Wang of OPP...
Internet Bug Bounty: CVE-2022-27778: curl removes wrong file on error
Summary: The curl command has a logic flaw that results in removal of the wrong file when combining --no-clobber and --remove-on-error if the target file name exists and an error occurs. Steps To Reproduce: 1. echo "important file" > foo 2. echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 666\r\n\r\nHello\n"...
Concrete CMS: A bypass of adding remote files in concrete5 FIlemanager leads to remote code execution
Hi, I'm currently testing the latest Concrete CMS on my own PC and found some security problems in the file manager. Concrete CMS allows users to upload remote files via the file manager. With some techniques to bypass the restrictions of this function, an evil user will be able to download an arbitrary PHP file int...
Basecamp: Subdomain Takeover due to ████████ NS records at us-east4.37signals.com
Description Hi! I have discovered that us-east4.37signals.com was pointing to an unclaimed ████ NS zone and I've managed to claim it in my account. POC http://nagli.us-east4.37signals.com/takeover.html F1451587 Remediation Make sure to configure the DNS records under us-east4.37signals.com Best...
UPchieve: Failed to validate Session after Password Change
While conducting my research I discovered that the application fails to validate sessions after a password change. In this scenario, changing the password doesn't destroy the other sessions that are logged in with the old password in another browser. Steps To Reproduce: 1. Login with the same account ...
Twitter Algorithmic Bias: Economic Harm through Twitter's Cropping Algorithm
Bounty Hunter Name: CyberQueenMeg About You: Megan, also known as CyberQueenMeg, is a passionate rising cybersecurity professional who is interested in programming, cybersecurity, and web development. Megan is a high school senior in a rigorous computer science program at her high school where sh...
VK.com: Path Traversal in the iOS application
Transfer of files out of the iOS application's internal directory. By means of an attack it was possible to steal files from the internal directory of the iOS application...
HackerOne: Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io
@nagli found an open redirect vulnerability in a 3rd party vendor that was used by HackerOne. This system did not contain any data related to reports submitted and stored on hackerone.com. HackerOne worked with the vendor to remediate the vulnerability. The report is partially disclosed to...
Open-Xchange: Failed assert in `mail_index_transaction_lookup`
To reproduce, run the test suite on the following input: require "vnd.dovecot.testsuite"; require "fileinto"; require "mailbox"; test "" { fileinto :create "Folder"; if test_result_execute { test_message :folder "Folder" 2; } } Output (with ASAN enabled, stack trace): testsuite: Panic: file mail-index-transaction-update.c...
Dropcontact: Registering with email [ +70 Chars ] Lead to Disclose some informations [Django Debug Mode ]
We were displaying / leaking system information in case of an app crash...
Topcoder: Reflected XSS on https://apps.topcoder.com/wiki/pages/createpage.action
Summary: Hi: A reflected XSS occurs on https://apps.topcoder.com/wiki/pages/createpage.action when creating wiki pages. Steps To Reproduce: A user can create wiki pages on https://apps.topcoder.com/wiki/pages/createpage.action?spaceKey=tcwiki. In this URL the parentPageString and labelsString...
PlayStation: Access token stealing.
Summary: https://my.playstation.com/auth/response.html suffers from a misconfiguration which leads to access token stealing. Description: The page...
Automattic: Follow by email allows for following by unverified emails
The initial report outlined being able to add any email to a Tumblr account without verifying it first which is expected behavior that does not pose a security risk. However, the reporter also reported that these unverified emails were able to be used in our “follow by email” feature which we did...
Ed: Domain takeover on http://doesfranshaveashell.com/ due to expiration
Summary Hi Ed, I'm not sure whether the registrar informed you that your domain had expired, or whether it auto-renews on reaching expiry. To be safe, I decided to inform you manually. Steps to Reproduce So lately I noticed that http://doesfranshaveashell.com/ is no longer operating. It shows some advertisements there. F57967...
Central Security Project: Unrestricted File Upload Leading to Remote Code Execution
Description As an administrator user it is possible to create files and directories in any location on the file system of the server. This can be abused to write files to any sensitive location on the Windows file system because the Nexus process runs with SYSTEM privileges. This allows an...
Monero: Remote Daemon RPC Attack
Remote Daemon RPC Attack https://www.activism.net/cypherpunk/manifesto.html...
X (Formerly Twitter): Subdomain takeover on dev-admin.periscope.tv
Subdomain takeover on dev-admin.periscope.tv I took over the subdomain and uploaded the index file: index.html Impact Subdomain takeover on dev-admin.periscope.tv Subdomain takeover on dev-admin.periscope.tv/index.html http://dev-admin.periscope.tv.s3-website-us-west-2.amazonaws.com/index.html...
Internet Bug Bounty: heap buffer overflow in phar_detect_phar_fname_ext
The original report is here https://bugs.php.net/bug.php?id=77247 USE_ZEND_ALLOC=0 ./php-src-PHP-7.2.13/sapi/cli/php -r "var_dump(new Phar(file_get_contents('poc.phar'), 0, 'test.phar'));" ================================================================= ==44888==ERROR: AddressSanitizer:...
HackerOne: Improper UUID validation results in bypass of #419896
This was found while evaluating the vulnerability and patch identified in 419896. I determined the deployed patch to be effective. However, I noticed tracer values could be sent which didn't conform to the UUID specification as characters outside of the a-f and 0-9 ranges could be used. For...
Zomato: IDOR to delete images from other stores
Summary: The parameter photoids in below request is vulnerable to IDOR /php/clientmanagehandler?██████████&case=remove-active-photo Description: Since there is no check for resid or ownership I was able to delete Gerben's image by just using the photoid from his store. This is a problem because i...
Chaturbate: Private and group tokens per minute endpoint active for disabled users
The hacker found that the private and group show rate endpoints were still active when an account was disabled. This was resolved. The endpoints only disclosed the rate for these shows...
WordPress: "Bad Protocols Validation" Bypass in "wp_kses_bad_protocol_once" using HTML-encoding without trailing semicolons
Description: The wp_kses_bad_protocol_once function https://developer.wordpress.org/reference/functions/wp_kses_bad_protocol_once/ is used to sanitise content from bad protocols and other characters. It detects the protocol URI scheme by using the first colon character. It compares the identified protoco...
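A scheme check that locates the first literal colon sees nothing to check when the colon arrives as an HTML entity, and browsers decode numeric entities with or without the trailing semicolon. The following added example (not WordPress's code) models that check beside one that decodes entities to a fixed point first; the allow-list, the function names and the sample inputs are the example's own, and the naive function is a simplified model of the behaviour described, not the real implementation.

```python
import html
import re

# Assumed allow-list for the example (the real WordPress list is longer).
ALLOWED_PROTOCOLS = {"http", "https", "mailto", "ftp"}


def _strip(url: str) -> str:
    """Drop a disallowed scheme; keep the value when there is no scheme.

    Anything containing '/', '?' or '#' before the first ':' is a path or
    query, not a scheme, and is left alone.
    """
    if ":" not in url:
        return url
    scheme, rest = url.split(":", 1)
    if re.search(r"[/?#]", scheme):
        return url
    return url if scheme.lower() in ALLOWED_PROTOCOLS else rest.lstrip()


def strip_bad_protocol_naive(url: str) -> str:
    """Models the described check on the raw value: a colon written as an
    entity is not ':' here, so the scheme is never examined."""
    return _strip(url)


def normalise(url: str) -> str:
    """Reduce the value to what a browser will act on before locating the scheme:
    decode HTML entities until stable (html.unescape accepts numeric references
    with or without the trailing ';', and the loop handles double encoding),
    drop tab/CR/LF anywhere, and strip leading/trailing control characters."""
    prev = None
    while prev != url:
        prev, url = url, html.unescape(url)
    url = re.sub(r"[\t\r\n]", "", url)
    return url.strip("".join(chr(c) for c in range(0x21)))


def strip_bad_protocol_hardened(url: str) -> str:
    """Same rule, applied to the normalised value, which is also what is returned."""
    return _strip(normalise(url))


if __name__ == "__main__":
    # Constructed inputs: the second is the bypass, a colon encoded without ';'.
    for sample in ("javascript:alert(1)", "javascript&#58alert(1)"):
        print(repr(sample), "->", repr(strip_bad_protocol_naive(sample)),
              "| hardened:", repr(strip_bad_protocol_hardened(sample)))
```

Returning the normalised value rather than the original matters: if the sanitiser passes the raw string through after deciding it is safe, a later consumer that decodes it sees something different from what was checked.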
Upserve: reports.breadcrumb.com is vulnerable to arbitrary file existence disclosure, CVE-2014-7829
A directory traversal vulnerability in a third-party ruby gem allowed a remote actor to determine the existence but not the contents of files outside of the application root...
Node.js third-party modules: [uppy] Stored XSS due to crafted SVG file
Module: Uppy. Affected version: 0.22.2...
VK.com: Backup Source Code Detected
An old log collector, which I found and through which I also gained access to the DB!...
Electroneum: Hackerone [Mainsite Vulnerability]
Hello, I was checking out the website Electroneum – Crowdfunding Token Sale – Electroneum – the mobile based cryptocurrency for any vulnerabilities through HackerOne. I would like to submit a vulnerability for consideration towards a bounty. Currently you have the file...
Valve: LFI in pChart php library
Local File Inclusion LFI vulnerability in the pChart php library...
Gratipay: Reflected SQL Execution
My friends are the best hackers hackerone.com/rashidziaur hackerone.com/smziaurrashid hackerone.com/s4k16 they taught me how to hack a toaster F234731 Please give us $$$$$ for our family, we are poor. Please consider this bug in your site F234733...
Legal Robot: Name can't be numbers or email
Hi Team, I observed strange behaviour in your registration form. When making an account and entering the first and last name, for security reasons you should force users to write first and last names that actually look like names; for example, you should force users that the...
Trello: XML entity expansion using svg file
Hope you guys are doing great. I want to report an XML entity expansion bug when uploading an SVG file. When adding a card to a board it also allows uploading attachments, which can include SVG files. Users or admins can then download those attachments, but the problem is that when an SVG file is uploaded, the websit...
Blockchain: HTTP Header Injection/HTTP_Response_Splitting
Submitter observed that CloudFlare-protected sites will serve content from other CloudFlare-protected sites when the "Host" HTTP request header is modified in transit. A PoC for an attacker to modify a victim user's "Host" HTTP request header could not be presented by the submitter; consequently...
Internet Bug Bounty: Out of bounds memory read in unserialize()
I have found and reported an out of bounds memory read in PHP: https://bugs.php.net/bug.php?id=73825 It affected all three supported versions and has been fixed with the latest updates: https://secure.php.net/ChangeLog-5.php#5.6.30 https://secure.php.net/ChangeLog-7.php#7.0.15...