curl: An integer overflow found in /lib/urlapi.c
Summary: libcurl contains a heap-based buffer overrun in /lib/urlapi.c. A similar issue to CVE-2018-14618. Steps To Reproduce: analysis I found a potential integer overflow which may lead to a buffer overrun in /curl/lib/urlapi.c. In function seturl, urllen was multiplied by 2 and then passed to...
X (Formerly Twitter): IDOR and statistics leakage in Orders
Description: Twitter on its service "MoPub" statistics dedicated to the results of "Order", after the test shows that the endpoint "https://app.mopub.com/web-client/api/orders/stats/query" is affected by an "IDOR" bug which led to the leak of private "Orders" statistics of other users Steps T...
Internet Bug Bounty: Uninitialized read in exif_process_IFD_in_MAKERNOTE
This bug is present in the exif_process_IFD_in_MAKERNOTE method of the ext/exif/exif.c file. A detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug Report : https://bugs.php.net/bug.php?id=77563 PHP version : 7.1.26 CVE-ID : 2019-9638 Impact Uninitialized...
Zomato: [www.zomato.com] Availing Zomato Gold membership for free by tampering plan id(s)
Summary: Get free zomato gold membership using zomato iOS app. Description: add more details about this vulnerability 1 Login to the zomato iOS application. 2 Select zomato gold from the home screen. 3 Depending on your location, you will see different gold pack options. 4 Select any gold pack. 5...
Postmates: Web cache poisoning attack leads to user information and more
Hello, Your web server is vulnerable to web cache poisoning attacks. This means that an attacker is able to get other users' information. If you are logged in and visit this website, for example: https://postmates.com/SomeRandomText.css then the server will store the information in the cache,...
Monero: Monero can leak uninitialized memory
See this proof of concept: cpp include include include INITIALIZE_EASYLOGGINGPP template<typename T> static void invoke_http_json(void) { typename T::request ireq; typename T::response ires; std::string req_param; if (!epee::serialization::store_t_to_json(ireq, req_param)) return; printf("%s\n", req_param.c_str()); } int main(void)...
Mail.ru: astrumnival.com subdomain
Hostname in astrumnival.com domain was unintentionally delegated to external service. astrumnival.com domain is not currently in use...
Mail.ru: ADMIN TEST
A test script on jw-cn-test-1.ext.terrhq.ru could be used to disclose a local database account. The database itself was not accessible...
Uber: [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB
It was possible to determine open internal ports on a usuppliers.uber.com server, via examination of different error messages to a specific POST request made with various payloads. This error message discrepancy would allow an attacker to discover open internal ports, potentially allowing more...
Zomato: [www.zomato.com] Blind XSS in one of the Admin Dashboard
@sandeephodkasia identified a Blind XSS vulnerability that fired in one of our admin dashboards. POC - @sandeephodkasia added "alert0; XSS Hunter was used in this case in the address field while placing an order. - XSS triggered when one of our support agents viewed the order details. Thanks...
Shopify: H1514 Removed Staff members who had "Apps" permission can still modify flow app connections
Summary: It's been found that removed staff members who had "Apps" permission can still modify flow app connection settings due to improper authorization. Description: Flow app https://apps.shopify.com/flow allows users to connect their Google Sheets, Trello and Asana accounts to their flow...
Dropbox: Stored XSS in dropboxforum.com
This report described a vulnerability where an attacker could put a specially crafted payload into the reply section of threads on dropboxforum.com to bypass the HTML filter on the site. This enabled a stored XSS attack against anyone viewing the message. This was an issue in Lithium forum...
HackerOne: Missing Certificate Authority Authorization rule
Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...
Shopify: Open redirection in OAuth
steps to reproduce: 1-Open your shopify partner account. 2-Create an app and click on test your app. 3-Select a development store you own. 4-Intercept the request using burpsuite and change the "installappSelect a store" parameter to any store with no validation. The request like this: POST...
Node.js third-party modules: [express-cart] Customer and admin email enumeration through MongoDB injection
I would like to report an injection in express-cart. It allows enumerating the email addresses of the customers and the administrators. Module module name: express-cart version: 1.1.7 npm page: https://www.npmjs.com/package/express-cart Module Description expressCart is a fully functional shopping...
Starbucks: Subdomain takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com
Hello, This is fairly close to this report; however, these are different subdomains than the one in the report. This can be pretty serious since I can serve virtually anything I want. In the 45 minutes I've held the domain I have served to 341 unique IP addresses. Two starbucks.com subdomains are...
Khan Academy: POST XSS in https://www.khanacademy.org.tr/ via page_search_query parameter
Hey there, while testing your program I came across an XSS vulnerability in the search area of your website. The vector uses an HTTP POST request and the parameter is "page_search_query" on www.khanacademy.org.tr/arama.asp In the next topics I will demonstrate how you can reproduce the vulnerability...
Brave Software: Unsafe handling of protocol handlers
Summary: Brave browser macOS handles protocol handlers in unsafe way and differently from other browsers. Key differences between protocol handlers handling in Brave and other browsers: Open external app vs Open "Terminal" Brave only asks about opening external app. Other browsers e.g. Chrome ask...
Internet Bug Bounty: [CVE-2018-6913] heap-buffer-overflow in S_pack_rec
pack may cause a heap buffer write overflow with a large item count. Reported to the Perl security mailing list on 5 Aug 2017. Confirmed as a security flaw by TonyC on 30 Jan 2018 CVE-2018-6913 assigned to this flaw on 11 Feb 2018 Public security advisory released on 14 April 2018...
New Relic: Blind SSRF in Ticketing Integrations Jira webhooks leading to internal network enumeration and blind HTTP requests
Summary The Ticketing Integrations Jira webhooks for Jira 5/6 and Jira 4 are vulnerable to Blind SSRF issues. These endpoints can be abused to map internal NewRelic network services and send blind HTTP GET and POST requests to identified services. Details The Ticketing Integrations Jira 4 and Jir...
VK.com: Reflected XSS in /al_audio.php
XSS in audio. XSS when attaching an audio recording in the comments widget...
Ubiquiti Inc.: UniFi Video Server web interface Configuration Restore path traversal leading to local system compromise
In UniFi Video Controller 3.9.3 and prior, a user with administrator privileges can restore the configuration using a specially crafted zip file. Due to the lack of validation for path traversal, the user can upload arbitrary files to arbitrary locations...
Node.js third-party modules: `memjs` allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage
I would like to report a Buffer allocation vulnerability in memjs. In cases when the attacker is able to pass typed input, e.g. via JSON, to the storage, it allows causing DoS on all Node.js versions and storing and potentially later extracting chunks of uninitialized server memory containing...
Semrush: clickjacking to Semrush auth login
Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on. This attack could be performed against Semrush auth users because its direct...
Open-Xchange: SSRF - RSS feed, blacklist bypass (IP Formatting)
FYI - Tested on a local installation of App Suite 7.8.4 REV 17 Hello, There appears to be an SSRF vulnerability in the below endpoint. This is due to a failure in the App Suite code when evaluating an IP address against a blacklist. The SSRF is limited to scanning hosts on port 80/443 but accuracy i...
Semrush: subdomain takeover at news-static.semrush.com
Summary: The subdomain news-static.semrush.com can be taken over by attackers and abused for further attacks: phishing, XSS, cross-origin, malware, etc... Description: The subdomain news-static.semrush.com was pointed using CNAME to Amazon S3, but no bucket with that name was registered. This mea...
Discourse: SSRF in upload IMG through URL
-Short description The private message function is vulnerable to an SSRF vulnerability which allows an attacker to craft connections originating from the servers to any destination on the internet and the Discourse internal network, and to craft outgoing UDP packets, for example, to connect to FTP...
Legal Robot: Cross Site WebSocket Hijacking
Description: The given URL fails to validate the Origin header, leading to Cross-Site WebSocket Hijacking. Impact: The impact, however, depends on how the server is configured. For example, it might require an authentication token which is user specific. In such cases, it might not be as severe as it...
Automattic: Captcha bypass for the most important function - At en.instagram-brand.com
Product / URL https://en.instagram-brand.com/wp-json/brc/v1/approval-requests Description and Impact The Instagram Brand Site has a functionality for business users to request for using Instagram Assets. The URL for creating a new request is: https://en.instagram-brand.com/requests/new There is a...
Internet Bug Bounty: CVE-2017-5204: The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print-ip6.c:ip6_print()
Reported to the project maintainer in October 2016. A specially crafted IPv6 packet could trigger a read outside of buffer in tcpdump. ==27882==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x0000005724b5 bp 0x7ffe8e17a790 sp 0x7ffe8e17a788 READ of size 1 at...
Mail.ru: [tanks.mail.ru] Open Redirect
tanks.mail.ru had an open redirect in the form of https://tanks.mail.ru/index.php.example.com The reporter also noted this redirect can be used for double redirection from the https://auth.mail.ru/cgi-bin/logout page; this is known behavior. Neither tanks.mail.ru nor open redirects without additional impa...
Internet Bug Bounty: Heap overflow in mysqlnd related to BIT fields (CVE-2016-7412)
This report is related to a bug in PHP that has now been fixed and publicly disclosed. It was assigned CVE-2016-7412. The details are at: https://bugs.php.net/bug.php?id=72293 Disclosure was on Sep 15: http://www.openwall.com/lists/oss-security/2016/09/15/10 Thanks!...
Internet Bug Bounty: Adobe Flash Player Metadata class Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of Metadata.setMetadata. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platform used for authorin...
HackerOne: Web Authentication Endpoint Credentials Brute-Force Vulnerability
Dear, Your web authentication endpoint, https://hackerone.com/sessions POST, currently protects against credentials brute-force attacks only by requests rate-limiting based on IP. It was found that if an attacker sends login requests faster than every 4 seconds from the same IP address, it would...
Internet Bug Bounty: Buffer Over-read in unserialize when parsing Phar
https://bugs.php.net/bug.php?id=69324 ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information from process memory or cause a denial of service buffer over-read and application crash via a crafted length value in...
Enter: CSRF token leakage
Hi, I have noticed that when the account verification fails here : https://wallet.robocoin.com/verify/ due to an error, the CSRF token is being leaked via GET method like : https://wallet.robocoin.com/verify/id?csrf=b8ede20d-0c0b-4e16-9d05-6ad2ed8b72c4 So the authenticity token is being stored in...
Ruby on Rails: Active Record SQL Injection Vulnerability Affecting PostgreSQL
This vulnerability was reported directly to Rails. https://groups.google.com/forum/!msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J...
Automattic: logout csrf app.simplenote.com/logout
Proof of Concept:...
Coinbase: User Enumeration, Information Disclosure and Lack of Rate Limitation on API
NOTE: I am making this email as I think the response from Coinbase originally, via my emails to them was not correct. They had not acknowledged that this flaw allowed for user enumeration and hence I am posting the report again - in hope of a proper and well evaluated response. The key security...
HackerOne: Hackerone Email Addresses Enumeration
Enumeration of email addresses of already registered users is possible, and/or checking if a user with a specific email address is registered on the website, which can then be used for phishing attacks or any malicious intent. In the "Forgot Password" section, there is an implemented security measure...
Internet Bug Bounty: Flash double free vulnerability leads to code execution
This bug was reported directly to Adobe and got assigned CVE-2014-0502. http://helpx.adobe.com/security/products/flash-player/apsb14-07.html This one was actively exploited, and still is, since February 12th in watering hole campaigns against nonprofit research institutions and human right...
HackerOne: Session Management
Hackerone fails to expire the session cookie from the server side even when the user logs off upon clicking "Sign-Out" from the application. The cookie is cleared from the client side browser, but is not cleared from the server side. If reused, it provides access to the user's account. Upon loggi...
U.S. Dept Of Defense: XSS found for https://█████████
The XSS vulnerability was found in the /web/guest/search endpoint, where the query parameter was not properly sanitized before being reflected in the server's response. An attacker could craft a malicious payload and trick a user into sending a POST request, allowing the execution of arbitrary...
Internet Bug Bounty: CVE-2019-1551: rsaz_512_sqr overflow bug on x86_64
The CVE-2019-1551 vulnerability was an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli in the OpenSSL library. The vulnerability was found and reported by researchers. The issue was mitigated in the 1.1.1 and 1.0.2 versions of OpenSSL...
GoCD: XSS in new.loading.page.html
A cross-site scripting vulnerability was found in new.loading.page.html due to inadequate handling of query parameters. This allowed attackers to insert javascript URIs as redirectors, leading to unauthorized script execution...
Nextcloud: xmlrpc.php & wp-cron.php files are enabled and could be used for DDoS, DoS and brute-force attacks against users.
The xmlrpc.php and wp-cron.php files were found to be enabled on the target website, which could allow attackers to perform denial of service attacks. Username enumeration via the RSS generator identified several valid usernames. The xmlrpc.php file could be used to cause a DDOS attack by sending...
HackerOne: IDOR vulnerability in unreleased HackerOne Copilot feature
An unreleased feature of HackerOne's Copilot was vulnerable to IDOR through a GraphQL mutation. By supplying another user's conversation ID, an attacker could have deleted conversations in the Copilot interface before this issue was addressed...
U.S. Dept Of Defense: [█████████] Information disclosure due to unauthenticated access to APIs and system browser functions
Multiple information exposure vulnerabilities were discovered in a Jira Server instance, allowing unauthenticated access to APIs and system browser functions. These vulnerabilities could be exploited by an attacker to gain unauthorized access to sensitive data and run arbitrary code on the server...
Node.js: Policy-restricted modules can escalate to higher privileges by impersonating other modules in a policy list using module.constructor.createRequire()
A vulnerability was discovered in Node.js that allowed policy-restricted modules to gain higher privileges by impersonating other modules in a policy list using module.constructor.createRequire. This vulnerability affected all users using the experimental policy mechanism in Node.js versions 16.x...
U.S. Dept Of Defense: Blind Sql Injection https:/████████
A blind SQL injection vulnerability was discovered on a website, allowing an attacker to execute arbitrary SQL commands...