HackerOne: most viewed

15306 matches found

Hacker One
added 2016/10/15 3:58 p.m., 68 views

Vimeo: Disclosure of sensitive information through Google Cloud Storage bucket

An insecure bucket was discovered on the GCP platform that had some debug information in it. Steps were taken to secure the bucket and its contents...

AI score: 1.1
Exploits: 0
Hacker One
added 2016/10/03 10:19 a.m., 68 views

Nextcloud: Bypassing quota limit

Hi, a user can upload files despite having a limited quota by changing the value of the "OC-Total-Length" header to "A" or by adding an "X-Expected-Entity-Length" header with the value "A". In the normal insufficient-storage case we have: PUT /remote.php/webdav/a.jpg HTTP/1.1 Content-Type: application/octet-stream...

CVSS: 4, AI score: 2.3, EPSS: 0.00888
Exploits: 0
Hacker One
added 2016/09/04 3:59 p.m., 68 views

Nextcloud: Reflected XSS in Gallery App

Go to: nextcloud/index.php/apps/gallery/%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3Ejavascript:alert%280%29//%00 Tested on: Firefox 43.0.1 If you need more information then write me...

CVSS: 4.3, AI score: 1.5, EPSS: 0.01656
Exploits: 1
Hacker One
added 2016/07/20 4:02 p.m., 68 views

Harvest: CSRF token fixation in Sign in with Google

Hi, there is CSRF token fixation in Sign in with Google at https://id.getharvest.com/sessions/new The state parameter is the same for every login https://id.getharvest.com/oauth2/callback?state=%7B%22intent%22:%22sign-in%22%7D&code=code Steps to reproduce 1. Go to...

AI score: 0.1
Exploits: 0
Hacker One
added 2016/02/29 1:19 a.m., 68 views

HackerOne: Race Conditions Exist When Accepting Invitations

Hi All, Further to my last two comments on report 118312 and realizing that tokens are being stored in the DB, I realized there is probably a race condition vulnerability which allows invitation tokens to be consumed at least twice depending on the server/database response time. I tested it tonig...

AI score: 0.9
Exploits: 0
Hacker One
added 2015/09/24 7:07 p.m., 68 views

HackerOne: Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc.

A stylesheet is available in a non-minified, non-compiled format. It includes sass, versioning, a source map, a style guide, comments, etc. See the base64-encoded string at the very end of the document. https://hackerone.com/assets/application.css This alone is obviously not an exploit. However, it c...

AI score: 6.6
Exploits: 0
Hacker One
added 2015/09/01 3:08 p.m., 68 views

Anghami: [CRITICAL] Login To Any Account Linked With Google+ With Email Only

Hello, This is CRITICAL .. I Can Login To Any Account Linked With Google+ With Email Only And Without Password!! PoC: html And To Make This PoC Work .. You Have To Follow The Same Bypass in My Previous Report 86428. If Your Page URL is http://localhost/login.html Make IT Look Like...

AI score: 7
Exploits: 0
Hacker One
added 2014/04/16 4:59 p.m., 68 views

Yahoo!: Local File Include on marketing-dam.yahoo.com

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program. Local File Includ...

AI score: 7.4
Exploits: 0
Hacker One
added 2014/02/23 5:25 p.m., 68 views

Phabricator: Login CSRF using Twitter OAuth

This bug is related to bug report 774 Log in a user to another account by @dawidczagan as this bug also allows a user to be logged in as the attacker. The main reason is that no state is maintained in the authentication flow. Although the Twitter flow still uses OAuth 1.0A, which has no state...

AI score: 2.1
Exploits: 0
Hacker One
added 2024/11/07 8:50 a.m., 67 views

Internet Bug Bounty: Apache Airflow: Sensitive Information Exposure in DAG Run Logs

The Apache Airflow platform was vulnerable to sensitive information exposure in DAG run logs. Passwords, secrets, and the Fernet key were logged in plain text, which could have resulted in the disclosure of this sensitive information to unauthorized users...

CVSS: 7.5, AI score: 6.2, EPSS: 0.01295
Exploits: 0
Hacker One
added 2024/05/23 10:57 a.m., 67 views

Basecamp: Account takeover via insecure intent handling

The Basecamp app was vulnerable to account takeover due to insecure intent handling. A malicious app installed on the same device could obtain the user's OAuth2 token and take over their account...

AI score: 7
Exploits: 0
Hacker One
added 2024/02/02 10:55 p.m., 68 views

Reddit: Information Disclosure Due to Use of Hard-coded Cryptographic Key

Vulnerability description not provided...

AI score: 7.1
Exploits: 0
Hacker One
added 2023/08/24 3:52 p.m., 67 views

HackerOne: IDOR - Delete all Licenses and certifications from users account using CreateOrUpdateHackerCertification GraphQL query

All licenses and certifications in HackerOne could be deleted by changing the ID number in the CreateOrUpdateHackerCertification GraphQL query...

AI score: 7.1
Exploits: 0
Hacker One
added 2023/04/29 10:18 p.m., 67 views

Node.js: fs.openAsBlob() bypasses permission system

The fs.openAsBlob method in Node.js, when used with the --experimental-permission flag, allowed bypassing the permission system and reading files without the required permissions...

CVSS: 7.5, AI score: 6, EPSS: 0.00722
Exploits: 0
Hacker One
added 2022/08/25 11:35 p.m., 67 views

Rockstar Games: Modifying Sprunk vs eCola crew data

In this report, the researcher demonstrated an Insecure Direct Object Reference vulnerability that was exploitable in certain Rockstar Official Crews on the Social Club website. Rockstar Official Crews, unlike user-made Crews, use a flat hierarchy where all members are set to the same effective...

AI score: 3.5
Exploits: 0
Hacker One
added 2022/07/01 5:00 p.m., 67 views

HackerOne: June 2022 Incident Report

Intro Since the founding of HackerOne, we have kept a steadfast commitment to disclosing security incidents because we believe that sharing security information far and wide is essential to building a safer internet. HackerOne's culture is to disclose more often, and in more detail than the rest ...

AI score: 0.5
Exploits: 0
Hacker One
added 2021/08/23 5:34 p.m., 67 views

Brave Software: unclaimed s3 bucket takeover in the 3 js file located on the github page of brave software

Summary: There is an unclaimed S3 bucket, i.e. brave-extensions.s3.amazonaws.com, located in the 3 .js files on the official Brave Software GitHub page https://github.com/search?q=org%3Abrave+brave-extensions+language%3AJavaScript&type=Code The attacker can take over the bucket and create a file that is used ...

AI score: 7.1
Exploits: 0
Hacker One
added 2021/07/27 12:14 p.m., 67 views

U.S. Dept Of Defense: Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint on ████████

Description: Hi, While going through the testing of DoD assets, I have come across a subdomain that is vulnerable to CVE-2020-14179. Some of the internal fields that are exposed are Project, Status, Limits, Creator, Query, Created Date, Updated Date, Resolution Date, etc. References...

CVSS: 5, AI score: 1.5, EPSS: 0.76042
Exploits: 1
Hacker One
added 2021/07/15 11:55 p.m., 67 views

Glovo: Reflected XSS on delivery.glovoapp.com

Summary: Hi, there's a reflected XSS vulnerability present on the https://delivery.glovoapp.com/referrals/ endpoint. Steps To Reproduce: Opening the following URL should trigger the prompt window specified in the request parameters, indicating that arbitrary javascript can be injected into the...

AI score: 6.3
Exploits: 0
Hacker One
added 2021/05/06 7:23 p.m., 67 views

Reddit: critical file found etc/passwd on www.reddit.com

1. Go to this link https://www.reddit.com/etc%2fpasswd 2. You'll find all the etc/passwd files; this data should be protected. 3. These passwd can be used for many illegal purposes and can damage the company. PoC attached: HTTP/2 200 OK Content-Type: text/plain; charset=UTF-8 X-Ua-Compatible: IE=edge...

AI score: 7.2
Exploits: 0
Hacker One
added 2021/04/02 3:56 p.m., 67 views

Ruby: lib/net/ftp.rb: trusting PASV responses allow client abuse

When net/ftp performs a passive FTP transfer, it tries to use PASV. Passive mode is what net/ftp uses by default. A server response to a PASV command includes the IPv4 address and port number for the client to connect back to in order to perform the actual data transfer. This is how the FTP...

CVSS: 6.8, AI score: 6.9, EPSS: 0.13847
Exploits: 1
Hacker One
added 2021/03/23 8:28 p.m., 67 views

GitHub Security Lab: Java: CWE-346 Queries to detect remote source flow to CORS Headers

This bug was reported directly to GitHub Security Lab...

AI score: 3
Exploits: 0
Hacker One
added 2021/02/24 3:19 p.m., 67 views

DuckDuckGo: Reflected/Stored XSS on duckduckgo.com

Hi DuckDuckGo, While browsing normally, since I use DuckDuckGo on a daily basis, I discovered an interesting stored XSS on the DuckDuckGo main search engine. A payload that somebody had left on urbandictionary.com had triggered an HTML injection, and a stored XSS as a result. Steps to Reproduce 1...

AI score: 0.2
Exploits: 0
Hacker One
added 2021/02/15 11:12 a.m., 67 views

HackerOne: HackerOne Jira integration plugin Leaked JWT to unauthorized jira users

Summary: HackerOne provides an application tool, HackerOne for Jira, an application that allows programs to track security issues through a Jira instance. After testing the integration feature in the application, it was found that the application leads to the leakage of the JWT to unauthorized...

AI score: 7
Exploits: 0
Hacker One
added 2021/02/12 10:30 a.m., 67 views

Kubernetes: kubectl creating secrets from stringData leaves secret in plain text

Report Submission Form Summary: kubectl creating secrets from stringData leaves secret in plain text Kubernetes Version: $ kubectl version Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.3", GitCommit:"1e11e4a2108024935ecfcb2912226cedeafd99df", GitTreeState:"clean",...

AI score: 1.7
Exploits: 0
Hacker One
added 2020/12/03 3:40 a.m., 67 views

Rocket.Chat: SAML authentication bypass through unauthenticated `addSamlProvider` Meteor Call

Summary: Rocket.Chat exposes an unauthenticated Meteor method addSamlProvider, which allows disabling SAML signature verification. Description: The addSamlProvider Meteor method sets a number of settings, among them a boolean flag that defaults to false: js export const addSamlService =...

CVSS: 7.5, AI score: 1.7, EPSS: 0.01613
Exploits: 0
Hacker One
added 2020/11/04 7:53 p.m., 67 views

Basecamp: Information Disclosure of Garbage Collection Cycle 'Again'

A diagnostic subdomain was still available publicly after being reported https://hackerone.com/reports/981796 and remediation. Subsequently a researcher was able to access the subdomain. Disclosure has been limited as the report contains low-sensitivity information, but sensitive nonetheless...

AI score: 0.2
Exploits: 0
Hacker One
added 2020/10/18 3:35 a.m., 67 views

Shopify: Low Privileged Staff Member Can Export Billing Charges

Details I'm not 100% sure about this because I don't have billing transactions on my account. However, from my experience of how the Shopify backend responds, I think this is a valid finding; it just needs confirmation from Shopify's security team. A GraphQL mutation billingChargesExport can be used by a...

AI score: 7
Exploits: 0
Hacker One
added 2020/09/29 4:32 a.m., 67 views

CS Money: Improper authentication in the load sell inventory page

Summary: Hello team, I found an endpoint that responds with all data related to the sell mode inventory; it doesn't have improper authentication at the link: https://cs.money/loadsellmodeinventory Steps To Reproduce: add details for how we can reproduce the issue 1. Open directly the link:...

AI score: 0.6
Exploits: 0
Hacker One
added 2020/08/20 3:31 a.m., 67 views

U.S. Dept Of Defense: Read-only path traversal (CVE-2020-3452) at https://██████.mil

Summary: I discovered a vulnerability Read-only path traversal CVE-2020-3452 at https://██████████.mil Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remot...

CVSS: 5, AI score: 1, EPSS: 0.99992
Exploits: 24
Hacker One
added 2020/08/16 2:35 a.m., 67 views

Dropcontact: Idor for firstpromoter service

An IDOR has been detected on firstpromoter service...

AI score: 3.2
Exploits: 0
Hacker One
added 2020/08/04 7:20 p.m., 67 views

Mail.ru: Public access to Sidekiq dashboard at shopper.sbermarket.ru

Anonymous access to Sidekiq process dashboard was available on shopper.sbermarket.ru...

AI score: 2.8
Exploits: 0
Hacker One
added 2020/07/13 2:18 a.m., 67 views

Snapchat: Improper Authentication - any user can login as other user with otp/logout & otp/login

The '/scauth/otp/droid/logout' request contains a userid parameter. Usually it is equal to the current user's userid, but if an attacker passes the userid of the victim account he can log in as the victim. I will demonstrate the problem on two accounts. Victim: ███ Attacker: ██████████ - Attacker performs a usual login t...

AI score: 0.2
Exploits: 0
Hacker One
added 2020/06/03 9:05 a.m., 67 views

Mail.ru: [account.mail.ru] XSS vulnerability in the login form

User-assisted XSS in account.mail.ru due to unsafe usage of GET parameter. I think this XSS is an excellent example of how filtering HTML characters in input data is not always a sufficient protective measure. If we are going to disclose the vulnerability, here is a better demonstration, without my cook...

AI score: 6.1
Exploits: 0
Hacker One
added 2020/02/18 1:44 p.m., 67 views

WakaTime: Broken Authentication and session management OWASP A2

Hi, Security Team! I found a vulnerability on https://wakatime.com/ Steps To Reproduce: 1. First log in to the account; the website will create a session for the current login. 2. Copy all cookies and paste them into Notepad. 3. Log out of your account. 4. Open your Chrome browser and right click on the bookmark ba...

AI score: 7.1
Exploits: 0
Hacker One
added 2020/01/03 4:16 a.m., 67 views

X (Formerly Twitter): User input validation can lead to DOS

Hi Security Team, Summary: There is no limit to the number of characters in phone numbers, and using this you can perform a DOS attack. Description: On the phone number input form at https://twitter.com/account/complete there's no input validation; using this you can send a larger payload and may cau...

AI score: 6.7
Exploits: 0
Hacker One
added 2019/11/13 2:07 p.m., 67 views

Nextcloud: SSRF protection bypass

CVSS ---- High 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Description ----------- The filter which protects Nextcloud from SSRF can be bypassed using IPv6/IPv4 address embedding. SSRF protection is for example used in the calendar or dav apps. Successful exploitation of the issue will allow...

CVSS: 4, AI score: 0.2, EPSS: 0.01395
Exploits: 1
Hacker One
added 2019/10/31 3:14 a.m., 67 views

VK.com: Minor vulnerability in link handling

A problem with link parsing. In 2013 there was a bug that allowed a user to be redirected to a link when they clicked Like on a post. You had to encode any link as an HTML entity of the form & ; and after publishing, the post's markup broke immediately. Back then this seemingly harmless hole...

AI score: 6.9
Exploits: 0
Hacker One
added 2019/06/12 12:56 p.m., 67 views

ecobee: Open API - AWS S3 GET Bucket (List Objects) Version 1

Summary: AWS S3 GET Bucket List Objects Version 1 API accessible Steps To Reproduce: navigate to: https://www.ecobee.com/wp-content/uploads/ Observe that you get a listbucketresponse https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGET.html#RESTBucketGET-requests The truncated param is set...

AI score: 0.7
Exploits: 0
Hacker One
added 2019/06/06 9:06 p.m., 67 views

ok.ru: Plain text password for 'unknown' user exist in URL when opening jira.apiok.ru

Documentation at https://api.mail.ru/docs/guides/billing/ has a link to http://apiok.ru/jira/documents/ which redirects to https://jira.apiok.ru/secure/CreateIssue.jspa?pid=-2&osusername=unknown&ospassword=X7:1OEh3 This pair of username & password is the effective login & password to the JIRA system an...

AI score: 7.2
Exploits: 0
Hacker One
added 2019/04/04 3:41 p.m., 67 views

Internet Bug Bounty: CVE-2019-0196: mod_http2 with scoreboard Use-After-Free (Read)

A crafted HTTP2 request can trigger reference to request data from a memory pool after its destruction. This memory is subsequently used as input to an sprintf type function for constructing a string value. This unsafe memory access ultimately means that the r->the_request string is poisoned with...

CVSS: 5, AI score: 6.4, EPSS: 0.193
Exploits: 0
Hacker One
added 2019/04/02 2:27 p.m., 67 views

Mail.ru: [special.mail.ru] Information Disclosure

special.mail.ru was running misconfigured Laravel in debug mode, disclosing some sensitive information...

AI score: 0.7
Exploits: 0
Hacker One
added 2019/03/16 6:11 a.m., 67 views

Internet Bug Bounty: [CVE-2018-18313] regcomp: heap-buffer-overflow read in S_grok_bslash_N

See: https://rt.perl.org/Public/Bug/Display.html?id=133192 CVE ID: CVE-2018-18313 Impact Potential information leak, ex: secret variables or source codes...

CVSS: 6.4, AI score: 8.6, EPSS: 0.09015
Exploits: 1
Hacker One
added 2019/03/08 6:45 a.m., 67 views

Starbucks: Webshell via File Upload on ecjobs.starbucks.com.cn

Summary: OS Command Injection which can let the attacker get more important information from the server, such as disclosure of the internal source code of the webapp and database data, and invade the internal network. Description: I found that users can upload asp/aspx and other dynamic files via the avata...

AI score: 7.6
Exploits: 0
Hacker One
added 2018/07/27 9:47 a.m., 67 views

Shopify: Admin bar: Incomplete message origin validation results in XSS

This issue is very similar to https://hackerone.com/reports/381192, identical logic in a different script. The JavaScript code at https://cdn.shopify.com/s/assets/storefront/bars/adminbarinjector-7461c2cab955bf9ef3df40acd10741df8c4e27c86d9dc323f65a4e786a1786f2.js loaded by the shop front when the...

AI score: 0.3
Exploits: 0
Hacker One
added 2018/01/08 6:49 p.m., 67 views

Coursera: [www.coursera.org] Leaking password reset link on referrer header

Hi team, the user gets an email with a password reset link; when opening it you will be redirected to the password reset page; when clicking on external links within the reset password page, the password reset token is leaked in the referer header. Steps: 1. open the lost password page 2. enter your email and cli...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/10/04 11:56 a.m., 67 views

Snapchat: Subdomain Takeover via Unclaimed WordPress site

@ysx found a bitstripsforschools CNAME entry pointing to an unclaimed WordPress domain, which could be taken over by an external party. The CNAME entry was for a product that is no longer active. An unclaimed WordPress domain mapping upgrade could be leveraged to assume the...

AI score: 2.1
Exploits: 0
Hacker One
added 2017/08/20 11:06 a.m., 67 views

Gratipay: Missing Certificate Authority Authorization rule

Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...

AI score: 0.6
Exploits: 0
Hacker One
added 2017/08/16 7:14 a.m., 67 views

Legal Robot: Improper validation of parameters while creating issues

Heya LegalRobot Team, There is some Improper Access Control on the /Issues/insert endpoint, which leads to three notable vulnerabilities. ----- The first allows attackers to create public issues without undergoing review by setting state: "Open" and public: true. A sample request is given below:...

AI score: 2.4
Exploits: 0
Hacker One
added 2017/07/12 10:27 a.m., 67 views

Internet Bug Bounty: PHP WDDX Deserialization Heap OOB Read in timelib_meridian()

Description: While deserializing an invalid dateTime value, wddx_deserialize would result in a heap out-of-bounds read in timelib_meridian. As wddx_deserialize is exposed to network data, and sometimes echoes the results back to the client, this issue could potentially allow remote peeking of the process...

CVSS: 5, AI score: 8.4, EPSS: 0.04812
Exploits: 0
Total number of security vulnerabilities: 5000