Coinbase: New Device confirmation tokens are not properly validated.
Hi team, I noticed that the new device confirmation code sent by your server is not validated. POC: 1. Login to a new computer and ask for a confirmation code two times, say around 12.00 PM and 12.01 PM. 2. Now verify the device with the confirmation token which arrived at 12.01 PM and after...
WePay: CSRF & Nonce Token Weak Implementation
Hello, this report is a copy of my previous reports sent to your email [email protected] some days ago. Please note that everything written below is copied and pasted from the report. Ticket 437212: As part of your responsible disclosure program, I am reporting this leakage weak implementation...
joola.io: X-Content-Type-Options header missing
Hello Team, the site doesn't have a header setting for X-Content-Type-Options, which means it is vulnerable to MIME sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google...
Internet Bug Bounty: Python vulnerability: reading arbitrary process memory
Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the json module caused by insufficient bounds checking. The sole prerequisites of this attack are that the attacker is able to control or influence the two parameters of the default scanstrin...
Khan Academy: Lighttpd version disclosure / directory listing
Hello there, the website at http://graphite.khanacademy.org/ isn't configured correctly. It displays the lighttpd version as well as the directory contents. You should disable these features in your lighttpd.conf / php.ini. PoC: Index of / Name Last Modified Size Type Parent Directory/ - Directory...
Slack: Email enumeration
Navigate to the page - https://slack.com/signin. Now, entering an invalid email address returns an erroneous response. However, if you enter a valid email address like [email protected], it redirects you to a different page where it asks you to choose teams that belong to [email protected]. You can then...
Yahoo!: Directory Traversal
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Internet Bug Bounty: Secrets not masked in UI when sensitive variables are set via Airflow cli
A vulnerability was discovered in Apache Airflow where sensitive variables set using the Airflow CLI were not properly masked in the UI, specifically in the Audit logs page. This issue was addressed in the 2.10.3 release of Apache Airflow...
curl: Buffer overflow in strcpy
Vulnerability description not provided...
U.S. Dept Of Defense: DoD workstation exposed to internet via TinyPilot KVM with no authentication
The DoD workstation was exposed to the internet via a TinyPilot KVM device without any authentication. The TinyPilot KVM device was connected to the workstation and allowed remote access to the system over the internet...
curl: Unicode-to-ASCII conversion on Windows can lead to argument injection and more
Vulnerability description not provided...
Internet Bug Bounty: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk...
Internet Bug Bounty: [CVE-2023-27539] Possible Denial of Service Vulnerability in Rack’s header parsing
A denial of service vulnerability was discovered in Rack's header parsing component. This vulnerability could be exploited by carefully crafted input to cause the header parsing process to consume an unexpected amount of time, potentially leading to a denial of service attack. The vulnerability...
Internet Bug Bounty: DiffieHellman doesn't generate keys after setting a key
A security vulnerability was discovered in the DiffieHellman module of Node.js. The module did not generate new keys after setting a private key, potentially leading to the reuse of nonces and compromising security measures such as forward secrecy and IND-CPA...
inDrive: #1 XSS on watchdocs.indriverapp.com
The security vulnerability found on watchdocs.indriverapp.com allowed for cross-site scripting (XSS) attacks. The vulnerability was triggered by crafting a specific URL that executed arbitrary JavaScript code when accessed by users...
Internet Bug Bounty: Use of Cryptographically Weak Pseudo-Random Number Generator in WebCrypto keygen
A weak randomness vulnerability existed in WebCrypto keygen in Node.js 18, due to a change in EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/crypto_keygen.cc. The vulnerability allowed for the possibility of non-cryptographically strong random data being used as keying material...
LinkedIn: Information disclosure by sending a GIF
Critical information about LinkedIn users, including their operating system, browser, IP address, device ID, phone model, and time zone, could be obtained by an attacker through the use of a GIF sent via the messaging feature. The vulnerability affected all platforms where the link could be used,...
curl: CVE-2022-32221: POST following PUT confusion
Summary: The bug I submitted at https://github.com/curl/curl/issues/9507 can have at least a few unintended security issues: - Information Disclosure: this bug causes an HTTP PUT to occur when the user intends for an HTTP POST to occur. The user, who intended an HTTP POST, expects the POSTed...
MTN Group: Exposure Of Admin Username & Password
Hello Team, there is an exposure of your username and password on this subdomain https://engage2.mtnonline.com/nc/ Exposed Credentials uid: "mtnng", passwd: "bd31568138edbfc0552a1ecc6886ea5c", Steps To Reproduce: Visit https://engage2.mtnonline.com/nc/ Now, press CTRL+U to view the source code of thi...
8x8: Public Apache Tomcat /examples example directory
@mrk0anti reported to us an exposed Apache Tomcat /examples example directory. The issue has been rectified, as we removed the directory from the host & restricted access...
UPchieve: No character limit in password field
Hey, when I try to set the password while creating an account on "UPchieve" I noticed that you haven't kept any password limit. You need to decrease the password length: There are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource...
U.S. Dept Of Defense: Cross site scripting
Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. Impact Malicious...
Elastic: [Swiftype] - Stored XSS via document field `url` triggers on `https://app.swiftype.com/engines/<engine>/document_types/<type>/documents/<id>`
Dear Team, I have found a stored XSS when creating a document via an API-based engine. The XSS payload is stored in the url field. To understand the document schema for API-based engines, please go to https://swiftype.com/documentation/site-search/guides/schema-designapi-based After indexing a document with...
Stripo Inc: Stored XSS at Module Name
Summary: Hello, I found a stored XSS at module name with this payload "Hello : Steps To Reproduce: 1. Add a new container, it doesn't matter which one 2. Paste this payload in the module name "Hello : 3. Update it then check the module name again in settings 4. Alert Popup Stored XSS Stored cross-sit...
Ruby: Round-trip instability in REXML
Submitted previously via email to [email protected] due to REXML not being listed under in-scope assets here. Explicitly requested by @hsbt to re-submit through HackerOne. CVSS rating calculated based on confirmed downstream impact. --- Hi Ruby Security Team, I'm reaching out to you to repor...
Revive Adserver: Reflected XSS on /admin/campaign-zone-zones.php
I found a reflected XSS attack on /admin/campaign-zone-zones.php. Revive-Adserver version is revive-adserver-5.1.1. - Go to http://revive-adserver.loc/admin/campaign-zone-zones.php?=&clientid=1&campaignid=1&status=available%22%3E%3Cimg%20src=1%20onerror=alert(document.domain)%3E&text= - Malicious...
U.S. Dept Of Defense: XML Injection on https://www.█████████ (███ parameter)
Greetings, I found an XML injection on https://www.███. This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response here is the complete link: https://www.███/███████ Payload : ███████= Result : ███ best regards, frenchvlad Impact gaini...
Basecamp: HEY.com email stored XSS
An attacker can bypass the HEY.com HTML sanitizer and inject arbitrary unsafe HTML in emails. To reproduce the bug you have to send a raw HTML-formatted email. You can do it e.g. with the Sendmail tool on Linux. Example email: From: [email protected] To: [email protected] Subject: HackerOne test...
MTN Group: [play.mtn.co.za] Application level DoS via xmlrpc.php
Description WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DoS/SSRF. The website play.mtn.co.za has the xmlrpc.php file enabled and could thus be potentially used for such an attack against other victim hosts. hackeron...
Rocket.Chat: XSS leads to RCE on the RocketChat desktop client.
Summary: It is possible to call electron.shell.openExternal from javascript inside a server webview. Description: The document onclick handler allows executing electron.shell.openExternal by crafting an attacker-controlled link and dispatching a click event on it after overwriting Regex.test...
curl: Curl_auth_create_plain_message integer overflow leads to heap buffer overflow
Summary: There is an incorrect integer overflow check in Curl_auth_create_plain_message in lib/vauth/cleartext.c, leading to a potential heap buffer overflow of controlled length and data. The exploitation seems quite easy, yet the vulnerability can only be triggered locally and does not seem to lea...
Valve: Privilege Escalation vulnerability in steam's Remote Play feature leads to arbitrary kernel-mode driver installation
Tested on Windows 10 x64. On Steam startup, it will check all installed files' integrity and re-download the modified files. This step makes sure every single file in the Steam installation folder is exactly its original self. Before the first time Steam streams to SteamLink (Remote Play feature), it makes...
Lark Technologies: SSRF with information disclosure
An SSRF (server-side request forgery) vulnerability was identified in the messenger endpoint of Lark Suite which could have exposed internal credentials used by the server. We thank @jin0ne for reporting this to our team...
Razer: Reflected XSS in eform.molpay.com
The tester discovered a reflected XSS on eform.molpay.com. This was fixed in production on Feb 12. Razer Fintech thanks the tester for his diligence and clear PoC...
New Relic: Mixed content issues on newrelic.com
Hi guys, I have found Mixed Content on https://newrelic.com/: Insecure endpoint http://newrelic.com/ that should be served over HTTPS. Description: Passive mixed content is content sent over HTTP that is contained on the HTTPS page, but which cannot change other parts of the page. For example, a...
Semmle: Privilege escalation in workers container
Summary about the bugs: In the prepare step, Semmle allows the user to install a new package. By uploading a malicious package along with the source code and forcing the server to build this package, an attacker will gain root access to the container. Steps: 1. Create a malicious package containing the backdoor: I use th...
Mail.ru: Delete images of users with clickjacking in https://pw.mail.ru
Researcher found site-wide Clickjacking on https://pw.mail.ru which potentially could be used to trick a user into deleting their avatar or changing their profile data...
PayPal: DoS on PayPal via web cache poisoning
On https://paypal.com/, you could impact core functionality by using an invalid Transfer-Encoding header to replace JavaScript files from www.paypalobjects.com with the message '501 Not Implemented'. This was patched and awarded a $9,700 bounty. By the time you read this, there should be a full...
HackerOne: Team member with Program permission only can escalate to Admin permission
Summary https://hackerone.com/TEAM/groups URL is accessible to team members with Program permission, even when "Group Management" and "User Management" menus aren't visible. I didn't research this further, however, I was able to grant all permissions to the user assigned to a group with Program...
Django: Jenkins Unauthenticated RCE on https://djangoci.com/
This report discloses an RCE issue on djangoci.com as outlined in https://www.djangoproject.com/weblog/2019/may/15/rce-djangoci/ While technically a valid issue, it is out of scope for bounty, please see https://hackerone.com/django for details on which issues qualify for bounties...
curl: An integer overflow found in /lib/urlapi.c
Summary: libcurl contains a heap-based buffer overrun in /lib/urlapi.c. A similar issue to CVE-2018-14618. Steps To Reproduce: analysis I found a potential integer overflow which may lead to a buffer overrun in /curl/lib/urlapi.c. In function seturl, urllen was multiplied by 2 and then passed to...
X (Formerly Twitter): IDOR and statistics leakage in Orders
Description: Twitter, on its "MoPub" service, has statistics dedicated to the results of "Orders"; after testing, it shows that the endpoint "https://app.mopub.com/web-client/api/orders/stats/query" is affected by an "IDOR" bug which led to the leak of private "Orders" statistics of other users. Steps T...
Internet Bug Bounty: Uninitialized read in exif_process_IFD_in_MAKERNOTE
This bug is present in the exif_process_IFD_in_MAKERNOTE method of the ext/exif/exif.c file. A detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug Report: https://bugs.php.net/bug.php?id=77563 PHP version: 7.1.26 CVE-ID: CVE-2019-9638 Impact Uninitialized...
Zomato: [www.zomato.com] Availing Zomato Gold membership for free by tampering plan id(s)
Summary: Get a free Zomato Gold membership using the Zomato iOS app. Description: add more details about this vulnerability 1. Login to the Zomato iOS application. 2. Select Zomato Gold from the home screen. 3. Depending on your location, you will see different Gold pack options. 4. Select any Gold pack. 5...
Postmates: Web cache poisoning attack leads to user information and more
Hello, your web server is vulnerable to web cache poisoning attacks. This means that an attacker is able to get another user's information. If you are logged in and visit this website, for example: https://postmates.com/SomeRandomText.css Then the server will store the information in the cache,...
Monero: Monero can leak unitialized memory
See this proof of concept: #include … #include … #include … INITIALIZE_EASYLOGGINGPP template <typename T> static void invoke_http_json(void) { typename T::request ireq; typename T::response ires; std::string req_param; if (!epee::serialization::store_t_to_json(ireq, req_param)) return; printf("%s\n", req_param.c_str()); } int main(void)...
Mail.ru: astrumnival.com subdomain
A hostname in the astrumnival.com domain was unintentionally delegated to an external service. The astrumnival.com domain is not currently in use...
Mail.ru: ADMIN TEST
A test script on jw-cn-test-1.ext.terrhq.ru could be used to disclose a local database account. The database itself was not accessible...
Uber: [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB
It was possible to determine open internal ports on a usuppliers.uber.com server via examination of different error messages to a specific POST request made with various payloads. This error message discrepancy would allow an attacker to discover open internal ports, potentially allowing more...
Zomato: [www.zomato.com] Blind XSS in one of the Admin Dashboard
@sandeephodkasia identified a Blind XSS vulnerability that fired in one of our admin dashboards. POC - @sandeephodkasia added "alert(0); XSS Hunter was used in this case in the address field while placing an order. - XSS triggered when one of our support agents viewed the order details. Thanks...