Node.js third-party modules: Prototype pollution attack (merge-objects)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the merge-objects library. Module: merge-object Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part ...
Internet Bug Bounty: Potential infinite loop in gdImageCreateFromGifCtx!
Description ----- It is easy to trigger in a web application if the web application uses GD as its image library. For example, it can be triggered if a website resizes a user-uploaded GIF, and ALL PHP versions are affected! Original bug report ----- - https://bugs.php.net/bug.php?id=75571 Note ----- -...
LocalTapiola: Secure Client-Initiated Renegotiation
Renegotiation can open the door to attacks. There are two primary worries: CVE-2009-3555: This vulnerability allows a “man-in-the-middle” attacker to inject data into an HTTPS session and execute requests on behalf of the victim. Refer to CVE-2009-3555 for more details. Denial of Service DoS:...
Legal Robot: Non-HTTPS link on blog
Hi, @legalrobot I found another venturebeat.com URL without HTTPS in https://www.legalrobot-uat.com/press/ I hope you fix this. Screenshot attached below. Cheers, Ph0b0s...
Legal Robot: No alert in verify email address with wrong input
Hello team @legalrobot, In your verify email address sector, I got something different. In that sector, if I click on the "Resend verification email" option and see the request, there is a parameter named email. So when I input something in that parameter it shows me "done" on output. I have shown all i...
X (Formerly Twitter): [dev.twitter.com] XSS and Open Redirect
Description === XSS via Request-URI which requires user interaction. The vulnerability is caused by the difference in the Request-URI processing in the Location header and in the link on the page. By creating an incorrect port in the link on the Location header, you can block the redirection for...
Legal Robot: Update any profile
A security researcher discovered that profile fields first name, last name, title, company, bio could be modified by another authenticated user, if the other user had access to the victim's randomly generated user id. Thanks to @samczsun for an excellent and detailed report!...
Stellar.org: HTTP - Basic Authentication on https://www.stellar.org/wp-login.php
Greetings, noticed https://www.stellar.org/wp-login.php using basic authentication. PoC: YWRtaW46YWRtaW4= is the base64 encoding of admin:admin Impact: Vulnerable to client side attacks. Vulnerable to MITM attack. Vulnerable to Eavesdropping attack. Vulnerable to Brute force attacks. Fix: HTTP-Basic...
Internet Bug Bounty: Certificate message OOB reads (CVE-2016-6306)
In OpenSSL 1.0.2 and earlier some missing message length checks can result in OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical DoS risk but this has not been observed in practice on common platforms. The messages affected are client certificate, client certificate...
Nextcloud: Reflected XSS in Gallery App
Go to: nextcloud/index.php/apps/gallery/%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3Ejavascript:alert%280%29//%00 Tested on: Firefox 43.0.1 If you need more information then write me...
HackerOne: Race Conditions Exist When Accepting Invitations
Hi All, Further to my last two comments on report 118312 and realizing that tokens are being stored in the DB, I realized there is probably a race condition vulnerability which allows invitation tokens to be consumed at least twice depending on the server/database response time. I tested it tonig...
Ubiquiti Inc.: Read-Only user can execute arbitrary shell commands on AirOS
On the latest version of AirOS, including the 8.0 beta, it is possible for a read-only user to inject shell commands. It is possible to exploit the vulnerability using the following URL, adjusting the airosid value to a valid session:...
Gratipay: X-Content-Type Header Missing For aspen.io
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared...
Zendesk: [CRITICAL] HTML injection issue leading to account take over
Hi, I have found an HTML injection issue in https://.zendesk.com/people/tags that could lead to account take over. I can't get malicious scripts executed, but an attacker can take over the admin's account by injecting the following HTML code. html CLICK HERE the data-method attribute is not...
Django: CSRF protection bypass on any Django powered site via Google Analytics
I shall explain all the steps to create the final PoC in order to be more clear. Part 1. Cookie Injection via Google Analytics --------------------- Reported to Google, rewarded, still working Google Analytics sets the cookie to track user source:...
Yahoo!: Local File Include on marketing-dam.yahoo.com
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program. Local File Includ...
Internet Bug Bounty: SPDY memory corruption
A bug in the experimental SPDY implementation in nginx 1.5.10 was found, which might allow an attacker to corrupt worker process memory by using a specially crafted request, potentially resulting in arbitrary code execution CVE-2014-0088. The problem only affects nginx 1.5.10 on 32-bit platforms,...
Phabricator: Login CSRF using Twitter OAuth
This bug is related to bug report 774 Log in a user to another account by @dawidczagan as this bug also allows a user to be logged in as the attacker. The main reason is that no state is maintained in the authentication flow. Although the Twitter flow still uses OAuth 1.0A, which has no state...
Internet Bug Bounty: Apache Airflow: Sensitive Information Exposure in DAG Run Logs
The Apache Airflow platform was vulnerable to sensitive information exposure in DAG run logs. Passwords, secrets, and the Fernet key were logged in plain text, which could have resulted in the disclosure of this sensitive information to unauthorized users...
Internet Bug Bounty: [CVE-2024-26146] Header Parsing leads to Possible Denial of Service Vulnerability
The Rack header parsing library in Ruby on Rails was found to have a potential denial of service vulnerability. The vulnerability was assigned the identifier CVE-2024-26146. It was discovered that carefully crafted headers could cause the header parsing routines to take longer than expected,...
U.S. Dept Of Defense: Unauthenticated file read (CVE-2020-3452)
A vulnerability was found that allowed unauthenticated remote attackers to conduct directory traversal attacks and read sensitive files on affected Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense systems. This was due to a lack of proper input validation of URLs in HTTP...
Node.js: HTTP Request Smuggling via Empty headers separated by CR
HTTP Request Smuggling HRS was possible in Node.js v20.2.0 due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. The CR character without LF was sufficient to delimit HTTP header fields in the llhttp parser, which is not compliant with RFC7230...
U.S. Dept Of Defense: Docker Registry without authentication leads to docker images download
An exposed Docker Registry HTTP API allowed attackers to download Docker images and potentially access confidential source code without authentication. The vulnerability was caused by a lack of access control on the registry and could have been mitigated by implementing proper access controls or...
curl: CVE-2022-42915: HTTP proxy double-free
This is a finding that Trail of Bits found in their ongoing curl security audit. Reported at a status meeting today. Summary: curl frees memory twice in some cleanup function related to HTTP proxies. It is as simple as curl -x http://localhost:80 dict://127.0.0.1 Using valgrind on the current git...
Internet Bug Bounty: Pause-based desync in Apache HTTPD
Apache was vulnerable to a pause-based desync. This vulnerability is described in detail in my whitepaper here: https://portswigger.net/research/browser-powered-desync-attackspause Impact This enables server-side HTTP Request Smuggling when Apache is deployed as a back-end server, and it also...
curl: --libcurl code injection via trigraphs
Summary: The curl command's --libcurl option can be tricked into generating C code that, when compiled, contains arbitrary code execution. Steps To Reproduce: 1. curl --libcurl client.c --user-agent "??/";char c='i','d',' ','','x',0,m='r',0;fclosepopenc,m;//" http://example.invalid 2. gcc -trigraphs client.c...
Adobe: Log4j Java RCE in [beta.dev.adobeconnect.com]
Hello Security Team, Summary Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per Apache's Log4j security guide: Apache Log4j2 =2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker...
Brave Software: Unclaimed S3 bucket takeover in the 3 JS files located on the GitHub page of Brave Software
Summary: There is an unclaimed S3 bucket, i.e. brave-extensions.s3.amazonaws.com, located in the 3 .js files on the official Brave Software GitHub page https://github.com/search?q=org%3Abrave+brave-extensions+language%3AJavaScript&type=Code. The attacker can take over the bucket and create a file that is used ...
Grammarly: Bypassing the Grammarly plagiarism checker by simply replacing characters in the source text
Summary: Replacing the characters i, a, e, o, p, c, x in the text with similar ones in the Ukrainian keyboard layout leads to the fact that plagiarism detectors Grammarly plagiarism checker and others skip such text, mark it as unique without any plagiarism and do not even signal that the...
h1-ctf: ccc.h1ctf.com CTF
Summary: Claiming the flag, writeup to follow. ██████████ ██████ Impact...
curl: Parallel upload hangs curl if upload file not found
Attempting to upload (-T) a file that does not exist with the parallel (-Z) flag present will cause curl to get stuck and never terminate, potentially stalling scripts that make use of these particular flags. curl -T blabla-notexists -Z upload.example.com www.google.com www.cnn.com www.apple.com Same issue occurs ...
Shopify: Bypass For #997350 your-store.myshopify.com preview link is leaked on third party website Via Online Store
Hi Security Team, Description Full Description in 997350 The owner of that website can perform a security compromise by grabbing those links. Solution: The solution is very very SIMPLE. Just include the following HTML code between the tags of the HTML of the page: This will n...
Nextcloud: Recently changed email but still logging in with old email
Hi team, I have found a vulnerability in email verification which can lead to account takeover / authentication bypass. Recently I changed my email [email protected] but can still log in with the old email [email protected] --https://efss.qloud.my/index.php/settings/user Impact If victim's email...
GitLab: GraphQL Query leads to sensitive information disclosure
NOTE! Thanks for submitting a report! Please replace all the parenthesized sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary Graphql Query mentioned...
X (Formerly Twitter): Bypass Password Authentication to Update the Password
Summary: This additional security measure from Twitter provides protection to the victim's account, considering that a victim's session may have been hijacked by a hacker; however, due to this additional layer of security implemented by Twitter the hacker would not be able to change the victim's...
Open-Xchange: Assert failed in `edit_mail_istream_read`
To reproduce, run the test suite on the following input: require "vnd.dovecot.testsuite"; require "variables"; require "editheader"; testset "message" "$mege"; test "" addheader :last "der" "Her-3"; if not testresultexecute Output with ASAN enabled is the stack trace testsuite: Panic: file edit-mail.c: line...
MTN Group: SQL injection [futexpert.mtngbissau.com]
Summary: add summary of the vulnerability Steps To Reproduce: add details for how we can reproduce the issue 1. Poc Request POST /signin/ HTTP/1.1 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: https://futexpert.mtngbissau.com/ Cookie:...
Topcoder: Reflected XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Summary: Hi : A reflected XSS occurs when creating bookmarks. Steps To Reproduce: A user can create bookmarks on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action. In this url redirect and url parameters are vulnerable to XSS. PoC:...
U.S. Dept Of Defense: Previously Compromised PulseSSL VPN Hosts
Hi again!! Back in 2019, I had reported that a pulseSSL VPN server owned by US DoD can be compromised by a publicly available exploit. The report is 681249. As a result, the userid and passwd db was also compromised. I found that at least 1 userid and password combination from that compromised db...
Internet Bug Bounty: HTTP Smuggling multiple issues in Squid 3.x & squid 4.x
Hello, as can be seen on a recent public security update by Squid, I reported several smuggling issues. If you want some background on the impact of smuggling issues, you can check the current works of James Kettle or my own previously published works. https://www.youtube.com/watch?v=upEMlJeUIk HTTP Desy...
OWOX, Inc.: The URL in "Choose a data source" at "https://bi.owox.com/ui/settings/connected-services/setup/" is not filtered => reflected XSS.
Hi team, This is a separate report from 732987, because it is completely independent. Detail -- In the process of selecting the data source at https://bi.owox.com/ui/settings/connected-services/setup/, I found a reflected XSS. Specifically, when you click on Google Analytics, a page will appear for y...
Mail.ru: Blind SQL Injection in city-mobil.ru domain
Error-based SQLi due to insecure use of a POST parameter in city-mobil.ru. The report was submitted before the launch of the dedicated bug bounty scope for Citymobil...
BlockDev Sp. Z o.o: Earn free DAI interest (inflation) through instant CDP+DSR in one tx
Summary: The MCD contracts contain different mechanisms for accumulating rates in different contracts, namely pot and jug corresponding to the cost of a loan and interest earned on savings. Because these rates are not synchronised, and depend on the call to the drip method to be calculated, it's...
Mail.ru: Cross site scripting vulnerability in JW Player SWF
Flash-based XSS in aw-xbox.my.com...
Chaturbate: Open redirect on chaturbate.com (tipping/purchase_success)
Hi, I would like to report an open redirect issue on https://chaturbate.com/ Description An attacker can redirect a user to any external website using the parameter prejoindata; this parameter seems to miss sanitization. Steps to Reproduce Visit the following url:...
Vanilla: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical)
Summary: An unauthenticated attacker can inject a serialized payload into a phar archive and trigger read access to it via an unprotected getimagesize. The attacker can leverage this to deserialize untrusted data and gain remote code execution. Notes: - THIS BUG IS UNAUTHENTICATED, however you...
Shopify: Admin bar: Incomplete message origin validation results in XSS
This issue is very similar to https://hackerone.com/reports/381192, identical logic in a different script. The JavaScript code at https://cdn.shopify.com/s/assets/storefront/bars/adminbarinjector-7461c2cab955bf9ef3df40acd10741df8c4e27c86d9dc323f65a4e786a1786f2.js loaded by the shop front when the...
Node.js third-party modules: url-parse package returns wrong hostname
Jul 19th 2018 - lolwaleet submitted a report to Node.js third-party modules. I would like to report that the url-parse package returns the wrong hostname. Module module name: url-parse version: 1.4.1 npm page: https://www.npmjs.com/package/url-parse Module Description The url-parse method exposes...
Shopify: Potential SSRF and disclosure of sensitive site on *shopifycloud.com
Note: I am reporting this after talking with @shopify-peteryaworski Summary There is a staging/testing site for payment cancellations and refunds at shopifycloud.com. This site allows sending POST requests and fetching the response back to the user. This leads to SSRF because it allows fetching...
Hanno's projects: Blind SQL injection
Summary: There exists a possibility that your Serendipity installation is vulnerable to a blind SQL injection. Description: By sending specially crafted SQL commands to /plugin/tag/ and timing how long it takes for the server to respond, it is quite possible that the blog backend is interpreting...