Mail.ru: SSRF at jira.plazius.ru - CVE-2019-8451
SSRF via CVE-2019-8451 in jira.plazius.ru due to unpatched Jira version...
h1-ctf: [H1-2006 2020] Flag for H1-CTF
F850509 I will submit the write-up today but I need to get some rest. Excellent CTF though, it's my first time ever to solve an H1-CTF. Impact ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$...
Open-Xchange: Pre-auth buffer over-read in Dovecot NTLM implementation
Hi, Dovecot security team. I am Orange from DEVCORE security team. We just did a little security audit on the authentication mechanism of Dovecot, and found a buffer over-read in the NTLM implementation. The structure of the NTLM field is defined in ntlm-types.h: c struct ntlmssp_buffer uint16_t length; /...
Valve: Privilege Escalation vulnerability in steam's Remote Play feature leads to arbitrary kernel-mode driver installation
Tested on Windows 10 x64. On Steam startup, it checks the integrity of all installed files and re-downloads any modified files. This step makes sure every single file in the Steam installation folder is exactly its original self. Before the first time Steam streams to SteamLink (Remote Play feature), it makes...
Mail.ru: [staging.tarantool.org] Github Pages Subdomain-take-over
Unused staging.tarantool.org subdomain was delegated to github pages and was not claimed...
HackerOne: Unauthorized user can obtain `report_sources` attribute through Team GraphQL object
Summary: Hi team. And Happy New Year! Description: If I am not mistaken, then through this parameter we can define private programs with an external link. If this parameter is not empty, then the program is private. - "HackerOne Platform" Steps To Reproduce https://hackerone.com/graphql POST:...
Shopify: XSS while logging using Google
Hello Security Team, I have found an XSS: when we enable login services as "Allow staff to use external services to log in to Shopify" and we enable Google Apps for login, we get the "Log in with Google" option enabled. F579219 Steps to Reproduce: Step 1: Go to...
Nextcloud: Content Spoofing /Text Injection in https://docs.nextcloud.com
Hello Team, I have found a Content Spoofing / Text Injection on this domain https://docs.nextcloud.com Go to https://docs.nextcloud.com/!!!ATENTION!%20This%20server%20is%20on%20Maintenance%20please%20go%20to%20WWW.EVIL.COM%20%20%20%20%20%20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20%...
ZEIT: Open redirection in https://zeit.co/login?next=
You have an open redirection bug in https://zeit.co/login?next= . Now I want to redirect the victim to https://www.google.com : https://zeit.co/login?next=\www.google.com done !! It will be redirected. F511594 Impact: redirect the victims to any page, and it can be an XSS bug...
Monero: Remote P2P DoS
Remote P2P DoS resolved. https://www.activism.net/cypherpunk/manifesto.html...
QIWI: XXE on ██████████ by bypassing WAF ████
XXE on ■■■■■■.qiwi.com with WAF bypass The endpoint on ██████ accepts a POST request with an XML document. A Web-Application Firewall WAF successfully blocked all requests that contained any of the keywords !DOCTYPE, !ENTITY or !ELEMENT, that are necessary for XXE attacks to be successful. Howeve...
PayPal: XSS [flow] - on www.paypal.com/paypalme/my/landing (requires user interaction)
Steps to reproduce On Chrome and Firefox: 1. Go to...
Chaturbate: No rate limiting in starting up a bot.
Hi security team, I was able to start up a bot numerous times. 1. Go to https://chaturbate.com/b/username 2. Choose a bot and capture the request. 3. Send to Intruder and repeat the step numerous times. 4. I did this 196 times. 5. I was able to activate a bot numerous times. 6. My room was flooded wit...
New Relic: WordPress username enumeration (/author)
@rootbakar identified a previously-reported issue where authors could be viewed from an endpoint within our WordPress blog. As authors are intended to be public, this was closed as not having any security impact to the blog...
Chaturbate: Reflected XSS on secure.chaturbate.com
The hacker found that an external asset used for fraud detection on secure.chaturbate.com was not sanitizing input parameters and could be used for reflected XSS. This external asset was removed...
HackerOne: Missing Certificate Authority Authorization rule
Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...
HackerOne: Exposing hackerone users personally identifiable information by abusing sandbox with swag reward enabled
Hi HackerOne Team, Summary: I have found a critical bug but this will require a bit of user interaction, BUT please take note that once exploited, a HackerOne user's PII - personally identifiable information - can be exposed. I have found this bug by using the sandbox with swag reward enabled. --- Le...
Greenhouse.io: DoS through cache poisoning using invalid HTTP parameters
I was taking a look into a related report https://hackerone.com/reports/298265 and I discovered that the https://boards.greenhouse.io/embed/jobboard/js?for= endpoint doesn't throw errors when I try to pass in an array of for parameters like this:...
Mixmax: Subdomain takeover (sales.mixmax.com)
Unused DNS record was reported, we promptly removed...
Cuvva: No rate limiting at POST /2/2017-05-22/send_identifier_token
SUMMARY ---------- Hello, while testing your API I have noticed that the request at POST /2/2017-05-22/send_identifier_token does not have any rate limiting. I made about 60-70 requests and this actually sends an SMS when the type is mobilephone. I agree, this is not a very big issue, but all endpoints...
Ubiquiti Inc.: Ability to log in as any user without authentication if █████████ is empty
Devices that can be monitored by airControl include a ticket based authentication system that allows access to the WebUI using a ticket id. This system had a flaw that allowed unauthenticated access without a valid ticket, given these requirements were met: 1. A device was monitored by airControl...
Legal Robot: Cross Site WebSocket Hijacking
Description: The given URL fails to validate the Origin header, leading to Cross-Site WebSocket Hijacking. Impact: The impact, however, depends on how the server is configured. For example, it might require an authentication token which is user specific. In such cases, it might not be as severe as it...
X (Formerly Twitter): [Urgent] Invalidating OAuth2 Bearer token makes TweetDeck unavailable
First of all, really sorry for the unintentional DoS : I was testing it with a fresh bearer token but copied the production one accidentally. Details I've noticed that TweetDeck is using OAuth2 to issue requests Authorization Bearer token: http GET...
Informatica: [wave.informatica.com] - Subdomain misconfiguration
One of your subdomains, https://wave.informatica.com, has a CNAME record that resolves to ghs.google.com and shows a 404 error when navigating to the subdomain. You should remove the CNAME entry for that subdomain pointing towards ghs.google.com. Although I couldn't verify the domain ownership process to fully...
Paragon Initiative Enterprises: BAD Code !
Hi sir, My name is Ahmed Kohly and I'm the biggest hacker in EGYPT. I'm also the one who hacked ISIS pages with my friend Ahmed Samara; we are so dangerous, so don't trust me please. Anyway, I've found that your code here https://github.com/paragonie/airship/blob/master/tools/audithelper.php is startin...
Nextcloud: Arbitrary File Upload in Logo & Log in image Theming setting.
Hi team. First, I think this vulnerability doesn't fall under your bug bounty program, but this is a bad design that should be fixed right now, because if an attacker gets admin access he can still upload a malicious file on the client server side. I saw that Logo & Log in image allow uploading other file types...
Zomato: Weak Password Policy
Weak Password Policy :- On your website, users are able to use the same password as their user name. For example, if the user name is pentest123@, the user can set their password as pentest123@. These types of passwords can be easily guessed. How to fix this issue? :- Prevent users from using their username as...
VK.com: Vulnerability in "Specifying places on photos" + feature + hacking
First of all, I apologize for so many highlighted TYPES ... In short, using the vulnerability you can put a geolocation mark on a photo for any user. Following this wish will increase the probability of receiving a reward. The service in which the vulnerability was found. https:/vk.com/alplaces.php...
HackerOne: Content Spoofing - External Link Warning Page
Here is example link: Click Here Raw Data: Click Here Issue: In External link warning page, this link shown as plain text and no forced URL encoded, leading an attacker to frame sentences and trick users. In given example, attacker can trick user to click 'Proceed' button saying it will redirect...
Enter: CSRF token leakage
Hi, I have noticed that when the account verification fails here : https://wallet.robocoin.com/verify/ due to an error, the CSRF token is being leaked via GET method like : https://wallet.robocoin.com/verify/id?csrf=b8ede20d-0c0b-4e16-9d05-6ad2ed8b72c4 So the authenticity token is being stored in...
Ruby on Rails: Active Record SQL Injection Vulnerability Affecting PostgreSQL
This vulnerability was reported directly to Rails. https://groups.google.com/forum/!msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J...
Coinbase: Simultaneous Session Logon : Improper Session Management
Hi, I would like to report this bug related to improper simultaneous logon. Issue: 1 When a user is logged in to the application already authenticated, visits the login page https://coinbase.com/signin he/she should directly get redirected to their home page as there is already a session running...
Khan Academy: Lighttpd version disclosure / directory listing
Hello there, the website at http://graphite.khanacademy.org/ isn't configured correctly. It displays the lighttpd version as well as the directory contents. You should disable these features in your lighttpd.conf / php.ini. PoC: Index of / Name Last Modified Size Type Parent Directory/ - Directory...
Slack: open redirect in https://slack.com
Navigate to Https://slack.com append "/link?url=url=http://bing.com" or enter any website of your choice with http:// vulnerable link https://slack.com/link?url=http://bing.com notice that user is redirected to bing.com without being validated or notified...
Internet Bug Bounty: Flash double free vulnerability leads to code execution
This bug was reported directly to Adobe and got assigned CVE-2014-0502. http://helpx.adobe.com/security/products/flash-player/apsb14-07.html This one was actively exploited, and still is, since February 12th in watering hole campaigns against nonprofit research institutions and human right...
HackerOne: Session Management
Hackerone fails to expire the session cookie from the server side even when the user logs off upon clicking "Sign-Out" from the application. The cookie is cleared from the client side browser, but is not cleared from the server side. If reused, it provides access to the user's account. Upon loggi...
curl: SSL options ISSUERCERT, EC_CURVES and CRLFILE silently ignored by non-OpenSSL backends
Summary: The SSL options ISSUERCERT, EC_CURVES and CRLFILE are silently ignored for e.g. the mbedTLS backend, which allows MITM attacks for the ISSUERCERT and CRLFILE bug, and can reduce the security and compliance by ignoring the specified curve for the EC_CURVES bug. Affected version Tested with...
HackerOne: View any user email using the Team's audit log section
Vulnerability description not provided...
HackerOne: LLM01: Invisible Prompt Injection
The report described a vulnerability in Hai's system involving invisible prompt injection via Unicode tag characters. The vulnerability allowed the submission of a test report with a fake report containing hidden characters, which could be used to inject prompts into the system's responses. The...
Node.js: The use of __proto__ in process.mainModule.__proto__.require() bypasses the permission system in Node v19.6.1
The use of __proto__ in process.mainModule.__proto__.require allowed bypassing the permission system in Node v19.6.1, enabling the loading of unauthorized dependencies...
Hyperledger: POOL_UPGRADE request handler may allow an unauthenticated attacker to remotely execute code on every node in the network.
This issue is related to https://github.com/hyperledger/indy-node. The issue was found in the indy-node code that handles the write request of type POOL_UPGRADE in file indy-node/indy_node/server/request_handlers/config_req_handlers/pool_upgrade_handler.py. The additional_dynamic_validation function...
8x8 Bounty: Jitsi Desktop Client RCE By Interacting with Malicious URL Schemes on Windows
A command injection vulnerability was found in Jitsi Desktop Client before commit 8aa7be58522f4264078d54752aae5483bfd854b2 on Windows. This vulnerability could allow an attacker to execute arbitrary code by interacting with malicious URL schemes when launching browsers. The vulnerability has been...
Uber: Full read SSRF in flyte-poc-us-east4.uberinternal.com
Uber summary TBD. @shubs and I discovered an instance of Flyte Console on uberinternal.com. After auditing the open source code, we noticed an unauthenticated route for a “CORS proxy”. This was a classic server-side request forgery issue, allowing us to pass an arbitrary request to be performed b...
MariaDB: Grafana LFI on https://grafana.mariadb.org
Hello team, There is an LFI on https://grafana.mariadb.org/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../etc/passwd F1537157 Impact LFI...
Courier: [3] Bypassing IP Based Rate Limit Blocking leads to rate limit bypass in Courier Login Panel
Hi team, I would like to report rate limit issue based on IP blocking mechanism. Rate-limitation nowadays is not effective anymore to protect against brute-force. There are many botnets out there which can be used to overcome this hurdle, as well as cloud VPS services e.g. Amazon AWS EIPs, Digita...
Basecamp: Domain Takeover [3737signals.com]
Hi, While I was analyzing the Basecamp3 Android app I found 3737signals.com in the source code; as I understand, you are passing it to the intent to view it in some case. F1368921 When I opened it in the browser I got a DNS error saying the domain name does not exist. F1368922 As you can see at the botto...
Sifchain: clickjacking vulnerability
Summary: add summary of the vulnerability While performing security testing of your website I have found the vulnerability called Clickjacking. Many URLs are in scope and vulnerable to Clickjacking. What is Clickjacking? Clickjacking (User Interface redress attack, UI redress attack, UI redressin...
U.S. Dept Of Defense: Administration Authentication Bypass on https://█████
Hi there, I found a way to connect to an administration space on your website https://██████████ . How to reproduce? 1 - Go to this link: https://███/██████████ 2 - Create an HTML file with: html 3 - Launch the file, click on the button and return to the page https://███████/█████ 4 - Refresh the...
MTN Group: Unauthenticated Arbitrary File Deletion (CVE-2020-3187)
Summary: A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a...
GitHub Security Lab: [javascript] CWE-90: CodeQL to detect LDAP Injection
This bug was reported directly to GitHub Security Lab...