curl: CVE-2021-22901: TLS session caching disaster
Summary: lib/vtls/openssl.c ossl_connect_step1 sets up the ossl_new_session_cb sessionid callback with SSL_CTX_sess_set_new_cb, and adds association from data_idx and connectdata_idx to current conn and data respectively: SSL_CTX_set_session_cache_mode(backend->ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL);...
UPchieve: Zero click account Takeover due to Api misconfiguration 🏂🎩
Hacker reported that full account takeover was possible through exploitation of one of our forms. Hacker provided sufficient information to prove capability and how to remediate. Our team remediated the issue so that the takeover is no longer possible. I was able to take over any account without any...
X (Formerly Twitter): Bypass t.co link shortener in Twitter direct messages
The researcher demonstrated a way to create a link that will not be replaced with safe shortened t.co url, by sending Direct Messages containing more than 50 t.co links to another Twitter user. If the recipient views the message using Twitter’s Android app, and clicks the 51st link in the...
U.S. Dept Of Defense: CSRF to Cross-site Scripting (XSS)
Hello dear support, I have found CSRF to XSS on █████████. My payload: "; Impact: Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session...
U.S. Dept Of Defense: IDOR leads to Leakage an ██████████ Login Information
Hi security team, according to my report 1092618, the VDP team agreed that █████████ and its subdomains are in the scope of the DoD program, so I continued testing that domain. Issue Description: There is an IDOR in ██████.███████ that is connected with ████████.███████, a highly protected encryption chat...
Algolia: email verification bypass
An issue in the way email modification was handled during the email verification process allowed the creation of an account with an arbitrary email address, bypassing the email verification step. A logical flaw resulting in email verification bypass! :D...
VK.com: XSS in the link handler
XSS in the link parser...
Mail.ru: SDC bypass cloud.mail.ru for every /api/v3/* endpoint.
The SDCS cookie was not properly checked for a few cloud.mail.ru endpoints, allowing an attacker to bypass the SDC (secure domain cookies) protection for privilege separation between projects...
U.S. Dept Of Defense: CSRF to Stored HTML injection at https://www.█████
Description: I have found out that on the https://www.███████ domain, you initiate a POST request in order to look up case studies; the parameter keyword on the request allows the usage of bad characters such as Click here to win 1000$!" 3. Save the POST request and craft a CSRF payload. HTML...
OWOX, Inc.: Unrestricted File Upload in Chat Window
Summary: The application allows the attacker to upload dangerous file types that can be automatically processed within the product's environment. Steps To Reproduce: - Open the browser and navigate to https://bi.owox.com and sign in. - Open the Chat window. - Upload any .rb or .php file. - Click ...
Concrete CMS: Arbitrary File delete via PHAR deserialization
crayons: Concrete5 Arbitrary File delete via PHAR deserialization - Target: Concrete5 - Version: 8.5.4 (latest at 2020.07.12) / PHP 7.2 - Credit: WSP Lab@KAIST - Contact: [email protected] TL;DR - An attacker can send an arbitrary input value to the is_dir function, which causes a PHAR...
U.S. Dept Of Defense: Stored XSS via Comment Form at ████████
Summary: An attacker can submit a comment form with injected HTML, leading to a number of malicious effects. Step-by-step Reproduction Instructions: 1. Browse to https://████ 2. Complete the form. I placed " in the Name field. Some example payloads for the Comments field are as follows: For...
Shopify: XSS / SELF XSS
I found XSS but I think it's self XSS. POC: 1. Go to yourstore.myshopify.com 2. Go to settings, import 3. Upload a wrong CSV file with the XSS payload as the file name " Impact: XSS attack...
Mail.ru: Cross-Site Request Forgery (CSRF) in my.games API
A CSRF vulnerability allowed adding/deleting/editing store.my.games comments...
Internet Bug Bounty: Out-of-Bound Read in urldecode() [CVE-2020-7067]
Hi, Please see: https://bugs.php.net/bug.php?id=79465&edit=2 CVE is assigned CVE-2020-7067 Fixed in 7.4.5 Release: https://www.php.net/ChangeLog-7.php7.4.5 Impact A remote attacker might leak values from the memory by crafting a malicious url-encoded string into PHP's urldecode...
Grammarly: “email” MFA mode allows bypassing MFA from victim’s device when the device trust is not expired
Summary: It is possible to bypass MFA without the need to have the phone code. Description: When MFA is turned on and we have the username and password of the user, it is possible to bypass the MFA only by changing some values in the endpoint POST auth.grammarly.com//v3/api/login Steps To Reproduce: Note: - Us...
Ubiquiti Inc.: Local File Disclosure (+XSS+CSRF) in AirOS 6.2.0 devices
There are certain endpoints containing functionalities that are vulnerable to reflected cross-site scripting (XSS), allowing attackers to abuse the user's session information and/or take over the account of the admin user. Authenticated users can be persuaded to visit malicious web pages, which allows...
Passit: password reset link not expired after changing the password
Hi, this is my first report and bug. I found that the password reset link is not expired after changing the password by receiving my e-mail. Proof of Concept: 1. Go to https://app.passit.io/account/reset-password and ask for a password reset link. 2. Go to the Email inbox. 3. Click the link from the inbox, example // Recovery li...
ZEIT: Gitlab Oauth Misconfiguration Lead To Account Takeover
Summary: Hello, I found that you did not specify which link to redirect to with the Gitlab token, allowing the attacker to exploit this vulnerability to force the user to redirect his Gitlab token to the attacker's site, and take over the account of the user. Steps To Reproduce: 1. Access To...
Zomato: credentials leakage in public lead to view dev websites
Description: Hello Zomato team: after I found a new OSINT website ████ which fetches results from the Pastebin website, I searched for "zdev.net" and I got this interesting result ██████████ F443315 I logged in to https://gazal.zdev.net/test.php after I decoded the Base64 Authorisation ███ F443316 I tried...
Nextcloud: Uploading large avatar images causes excessive CPU usage
How to reproduce: - Create an account on any server running Nextcloud 13 or 14. - Open the personal settings. - Upload a large image as avatar (tested with a 4032x3024 PNG image of about 14.5 MB). - Keep the selected area in the popup and save the avatar. - Notice that the avatar area shows the...
RATELIMITED: Banner Grabbing - Apache Server Version Disclosure
Hello RATELIMITED, I'd like to report a nice little bug. Banner grabbing is a technique used to gain information about a remote server. Additionally, this technique is used to get information about remote servers. I've captured the HTTP request while visiting theendlessweb.com POC: Simply check...
Valve: Malformed save files (.sav) allow to write files with arbitrary extensions and content in GoldSrc-based games.
The structure of the save file implies unpacking of temporary files with extensions .HL1, .HL2 and .HL3. In the code of command 'load', there is a check for invalid substrings, such as .., so unpacking the files into the top directories will not work. Also, it seems, there is a code for checking...
Mail.ru: SSRF on api.icq.net
SSRF in api.icq.net due to invalid handling of non-zero Content-Length value in GET requests...
Ubiquiti Inc.: CORS Misconfiguration leading to Private Information Disclosure
Due to a mistake in the CORS policy configuration, the CORS policy of the sites https://client.amplifi.com and https://protect.ubnt.com/ allowed HTTP requests to be made from certain sites outside the .ubnt.com and .ui.com domains. This bug could be used to steal users' information or force the user to...
HackerOne: Missing Password Confirmation at a Critical Function (Payout Method)
Hey Hackerone Team, payout being one of the very important matters, it demands extra precaution. But at our lovable platform "Hackerone" there is no Password Confirmation at one of the very critical functions, i.e. Payout Method/state Change. All the other important functions like: 1. Email Change...
Open-Xchange: SSRF in /appsuite/api/autoconfig
FYI: This was conducted on a local install of App Suite and not the sandbox. The App Suite version was 7.8.4 Rev14. Hello, there is a possible SSRF vulnerability in the following App Suite API endpoint that will primarily allow blind port scanning of the App Suite server and any internal servers...
Semrush: Insecure Direct Object Reference on API without API key
Summary: It is possible to query the semrush API without specifying an API key. This allows anyone to query the API and retrieve information without having paid for a subscription. This is not a security vulnerability as such, but I believe it does undermine your business model in that a user doe...
Stellar.org: Session Cookie without HttpOnly and secure flag set
Vulnerable URL: www.stellar.org The PHPSESSID cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session...
Phabricator: IRC-Bot exposes information
You can set up the IRC-Bot and put it into private channels, so that it posts information about tasks only into private channels. Example: T698 T698: Task title - https://url.example.org/T698 The problem is that, if the bot is online in IRC, you can send it task numbers via private messages, an...
HackerOne: IE 11 Self-XSS on Jira Integration Preview Base Link
I wasn't sure if you would accept this report due to it being Self-XSS, but I figured it might be useful information because it breaks one of the flows used to validate URLs. Steps: 1. Launch IE 11 2. Log into a HackerOne account that has admin on a program. 3. Go to the...
LocalTapiola: Error Page Content Spoofing or Text Injection (viestinta.lahitapiola.fi)
Hi team! I want to report a content spoofing or text injection at the newly added scope viestinta.lahitapiola.fi Vulnerability Description: The new scope allows users to inject any content on the 404 Not Found webpage. Vulnerable Location:...
Imgur: Unauthenticated Docker registry
A docker registry was open and unauthenticated, giving access to outdated Imgur source code and secret keys...
Bumble: Leave inaccessible messaging system with a message (https://us1.badoo.com)
Hello, while testing the messaging system I found a vulnerability that allows making the messaging system inaccessible for another user; only sending a message is required. The vulnerability is in the smiles system; as the mobile version and app do not have that system, only the desktop version is vulnerable. VULNERAB...
Vimeo: OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing
Hello Vimeo Security Team, There is a vulnerability in api.vimeo.com/oauth which allows an attacker to gain full App privilege over a Vimeo victim user account without user approval, just by having the victim open a link to the attacker webpage. Proof of Concept link :...
Uber: Information Disclosure on lite.uber.com
Hello, according to your policy https://hackerone.com/uber?viewpolicy=true, you are looking for Local File Disclosure, and lite.uber.com is also in scope for your program. Request: GET https://lite.uber.com/auth/login HTTP/1.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.11; rv:42.0...
VK.com: External entity injection in the YouTrack user import functionality
The vulnerability exists due to the possibility of using external XML entities in the YouTrack user import functionality. The web application is available at youtrack.vk-cdn.net. According to the documentation https://confluence.jetbrains.com/display/YTD6/Import+Users, it supports importing data...
Mail.ru: [api.login.icq.net] Open Redirect
https://api.login.icq.net/auth/cancel?f=1&k=1&supportedIdType=1&succUrl=http://example.com...
Ubiquiti Inc.: Arbitrary file Upload on AirMax
It's possible to upload arbitrary files to airMAX devices via HTTP because of a vulnerability in the airOS web server. An attacker can bypass the device's authentication mechanisms by exploiting this vulnerability...
Coinbase: OAuth authorization page vulnerable to clickjacking
Due to a misconfiguration, the 'authorize' button on the OAuth authorization page was vulnerable to clickjacking. The bug was fixed by ensuring our OAuth-related responses included the same security headers including X-Frame-Options as the rest of the site...
VK.com: Page replacement and redirect loop
Opening a page via a request parameter and a cyclic redirect. This report includes a description of two vectors: 1. Page replacement via a hidden vulnerable parameter that may lead to phishing attacks. 2. Infinite redirect loop...
Internet Bug Bounty: Memory Corruption in phar_parse_tarfile when entry filename starts with null
https://bugs.php.net/bug.php?id=69453...
Internet Bug Bounty: ZIP Integer Overflow leads to writing past heap boundary
https://bugs.php.net/bug.php?id=69253 Integer overflow in the zipcdirnew function in zipdirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service...
Internet Bug Bounty: Adobe Flash Player MP4 Use-After-Free Vulnerability
I. Summary: Adobe Flash Player is prone to a vulnerability which leads to a Use-After-Free. After parsing a malformed mp4 file, Flash will not free the NetStream object properly. That memory block is still accessed even after the page containing Flash is closed, which leads to a memory crash...
Mail.ru: rs.mail.ru - Flash Based XSS
Hi, I found a flash-based XSS in rs.mail.ru. Vulnerable link: http://rs.mail.ru/b27161485.swf?link1=javascript:alert(document.domain) Just click on the page and you will see the alert. Tested on Mozilla Firefox. Regards, Florin...
InVision: TLS Renegotiation and Denial of Service Attacks on InVision.
Hi, I found a bug in your website. It's a TLS Renegotiation and Denial of Service attack. Description: A group of hackers known as THC (The Hacker's Choice) last week released an interesting DoS tool that works at the SSL/TLS layer. The tool is exploiting the fact that, when a new SSL connection i...
Slack: Email enumeration
Navigate to the page https://slack.com/signin. Now, entering an invalid email address returns an error response. However, if you enter a valid email address like [email protected], it redirects you to a different page where it asks you to choose the teams that belong to [email protected]. You can then...
Slack: csrf
Hi, the anti-CSRF token to prevent CSRF attacks is missing on this link https://sehacure.slack.com/help/requests/new A new request can be submitted by a malicious guy to the support team on behalf of the user. The victim will never get to know. 1. Go to this link...
Yahoo!: Directory Traversal
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Internet Bug Bounty: Secrets not masked in UI when sensitive variables are set via Airflow cli
A vulnerability was discovered in Apache Airflow where sensitive variables set using the Airflow CLI were not properly masked in the UI, specifically in the Audit logs page. This issue was addressed in the 2.10.3 release of Apache Airflow...