curl: SSL options ISSUERCERT, EC_CURVES and CRLFILE silently ignored by non-OpenSSL backends
Summary: The SSL options ISSUERCERT, EC_CURVES and CRLFILE are silently ignored for e.g. the mbedTLS backend, which allows MITM attacks for the ISSUERCERT and CRLFILE bug, and can reduce the security and compliance by ignoring the specified curve for the EC_CURVES bug. Affected version Tested with...
HackerOne: View any user email using the Team's audit log section
Vulnerability description not provided...
Node.js: "Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash
A vulnerability was discovered in the Node.js HTTP/2 stack http2 package. An attacker could send a small amount of TCP packets with HTTP/2 frames, causing the Node.js server to crash due to an assertion failure in the Http2Session destructor. The issue occurred when headers with HTTP/2 CONTINUATI...
Node.js: The use of __proto__ in process.mainModule.__proto__.require() bypasses the permission system in Node v19.6.1
The use of __proto__ in process.mainModule.__proto__.require allowed bypassing the permission system in Node v19.6.1, enabling the loading of unauthorized dependencies...
8x8 Bounty: Jitsi Desktop Client RCE By Interacting with Malicious URL Schemes on Windows
A command injection vulnerability was found in Jitsi Desktop Client before commit 8aa7be58522f4264078d54752aae5483bfd854b2 on Windows. This vulnerability could allow an attacker to execute arbitrary code by interacting with malicious URL schemes when launching browsers. The vulnerability has been...
GitLab: RCE via the DecompressedArchiveSizeValidator and Project BulkImports (behind feature flag)
Summary The DecompressedArchiveSizeValidator is used to check the size of an archive before extracting it: https://gitlab.com/gitlab-org/gitlab/-/blob/v15.1.0-ee/lib/gitlab/import_export/decompressed_archive_size_validator.rb#L82 ruby def command "gzip -dc @archive_path | wc -c" end def validate pgrp =...
curl: CVE-2022-32205: Set-Cookie denial of service
Summary: Curl fails to limit the number of cookies that can be set by a single host/domain. It can easily lead to a situation where constructing the request towards a host will end up consuming more than DYN_HTTP_REQUEST memory, leading to instant CURLE_OUT_OF_MEMORY. Any host in a given domain can...
Uber: Full read SSRF in flyte-poc-us-east4.uberinternal.com
Uber summary TBD. @shubs and I discovered an instance of Flyte Console on uberinternal.com. After auditing the open source code, we noticed an unauthenticated route for a “CORS proxy”. This was a classic server-side request forgery issue, allowing us to pass an arbitrary request to be performed b...
MariaDB: Grafana LFI on https://grafana.mariadb.org
Hello team, There is an LFI on https://grafana.mariadb.org/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../etc/passwd F1537157 Impact LFI...
Courier: [3] Bypassing IP Based Rate Limit Blocking leads to rate limit bypass in Courier Login Panel
Hi team, I would like to report a rate limit issue based on the IP blocking mechanism. Rate-limitation nowadays is not effective anymore to protect against brute-force. There are many botnets out there which can be used to overcome this hurdle, as well as cloud VPS services e.g. Amazon AWS EIPs, Digita...
Basecamp: Domain Takeover [3737signals.com]
Hi, While I was analyzing the Basecamp3 Android app I found 3737signals.com in the source code; as I understand, you are passing it to the intent to view it in some case. F1368921 When I opened it in the browser I got a DNS error saying the domain name does not exist F1368922 As you can see at the botto...
Sifchain: clickjacking vulnerability
Summary: add summary of the vulnerability While performing security testing of your website I have found the vulnerability called Clickjacking. Many URLs are in scope and vulnerable to Clickjacking. What is Clickjacking? Clickjacking (User Interface redress attack, UI redress attack, UI redressin...
U.S. Dept Of Defense: Administration Authentication Bypass on https://█████
Hi there I found a way to connect to an administration space on your website https://██████████ how to reproduce ? 1 - go to this link : https://███/██████████ 2 - create a html file with : html 3 - launch the file, click on the button and return to the page https://███████/█████ 4 - refresh the...
MTN Group: Unauthenticated Arbitrary File Deletion (CVE-2020-3187)
Summary: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a...
GitHub Security Lab: [javascript] CWE-90: CodeQL to detect LDAP Injection
This bug was reported directly to GitHub Security Lab...
Nextcloud: Stored XSS in markdown file with Nextcloud Talk using Internet Explorer
While editing a markdown file through the text app, users can create link elements that have a javascript URL such as javascript:alert(1). Steps to reproduce: While editing a markdown file, select some text and click the "Add Link" button. Using a web proxy, intercept the request and change the hre...
Basecamp: Remote Code Execution in Basecamp Windows Electron App
The Windows application for Basecamp allows a "Download" feature for images in your posts. Under certain restrictions, those files are downloaded and sometimes even automatically opened/executed. The file will be executed if it's a download from an internal URL and the mimetype is text/calendar...
Mail.ru: REFLECTED XSS On http://jsgames.mail.ru/bad_browser.php via back_url parameter
Reflected XSS in jsgames.mail.ru via GET parameter...
Nextcloud: External storage app saves password for all users in the database
External storage (files_external) app saves passwords of all users to the database table "oc_credentials" even when the "Log-in credentials, save in database" option is not used. It's a security risk that allows password extraction of all users. A local system admin that has access to the database and nextcloud...
Stripo Inc: [www.stripo.email] You can override the speed limit by adding the X-Forwarded-For header.
Summary In https://stripo.email/template-order I think you have implemented rate limiting via 429 status code for too many requests, but in reality it is not. An attacker could bypass the 429 speed limit by adding an X-Forwarded-For header. Steps To Reproduce 1. Go to the...
Starbucks: Korea - LFI Server directory traversal at starbucks.co.kr
b4bilal discovered a misconfiguration when handling URI paths. This permitted an adversary to traverse the docroot and access non-sensitive resources that are normally unavailable to web users. @b4bilal — thank you for reporting this vulnerability and for confirming the resolution...
Kubernetes: Kubelet resource exhaustion attack via metric label cardinality explosion from unauthenticated requests
Report Submission Form Summary: Malicious clients can potentially DoS a kubelet by sending a high amount of specially crafted requests to the kubelet's HTTP server. For each request the kubelet updates/sets 3 metrics: - kubelet_http_requests_total Counter - kubelet_http_requests_duration_seconds Histogr...
Internet Bug Bounty: tcpdump: CVE-2018-14879 - buffer overflow in tcpdump.c:get_next_file()
The release of tcpdump 4.9.3 brought many bug fixes, including one I submitted, CVE-2018-14879. The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file. ==2288==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe363769bf at pc...
HackerOne: [Bypass #645264] Report title disclosure despite the program settings for email notification is set to "No Content"
Hi Team, Summary: There is a newly disclosed resolved report "Program Email Notification settings ignored when being added as an external contributor". However, I found that the fix is incomplete. I have found that the email invitation for collaborator bounty splitting still discloses the Report title in...
Shopify: DOM XSS via Shopify.API.Modal.initialize
Similar 422043 & 576532 Payload Based on 576532: html function attack const ctx = window.openlocation.origin+'/admin/themes', 'blank' const json = message: "Shopify.API.Modal.initialize", data: src: "" let interval; interval = setIntervalfunction if window.attackSuccess clearIntervalinterval else...
Mail.ru: SSRF On [ allods.mail.ru ]
SSRF in allods.mail.ru. allods.mail.ru belongs to Ext.B scope...
Chaturbate: Unrestricted POST request size on /customer_support/information_form/ endpoint
The hacker found that a form on the billing site had a high post size limit that could cause increased load. This was lowered to a reasonable amount. This had no effect on any stored data...
Internet Bug Bounty: ChaCha20-Poly1305 with long nonces
This report relates to CVE-2019-1543, https://www.openssl.org/news/secadv/20190306.txt, which I reported to the OpenSSL maintainers a few days ago. OpenSSL accepts nonces for the AEAD cipher ChaCha20-Poly1305 of up to 16-bytes. This support is advertised in the OpenSSL documentation and via the...
Node.js: Fix for CVE-2018-12122 can be bypassed via keep-alive requests
Summary: Fix for CVE-2018-12122 can be bypassed via keep-alive requests Description: I'm not a security expert, nor am I familiar with Node.js core, so please forgive me if this report is inaccurate and in that case, sorry for your time. While investigating the issue 515 I checked out the fix t...
Internet Bug Bounty: XML hash collision DoS vulnerability in Python's xml.etree module
Python's standard library uses libexpat to parse XML. Internally the expat library has a hash table implementation to efficiently store and lookup DTD elements like entities, elements, attributes, etc. Hash tables are potentially vulnerable to hash collision Denial-of-Service attacks, which turns...
Chaturbate: Rate limit missing at room login
Hello there, Users are able to protect their broadcasting with a password, so only password-granted visitors can log in to the broadcast room. I noticed that rate limiting is missing at the endpoint /roomlogin/user/, which enabled me to brute force the password field. I made 1k+ requests but still the server did not blo...
Pornhub: Mobile Reflect XSS / CSRF at Advertisement Section on Search page
The researcher identified a search query parameter vulnerable to cross-site scripting in the Mobile view. It is the same vulnerability as redtube's mobile search page. The report is 380246. This vulnerability is performed XSS because protection is done by adding slashes at double quotes. At the tag's...
Shopify: Subdomain Takeover - https://competition.shopify.com/
Dear Shopify Security Team, The Shopify.com subdomain competition.shopify.com was vulnerable to a subdomain takeover as it was pointing to an unclaimed Heroku service through the CNAME competition.shopify.com.herokudns.com, while the custom domain 'competition.shopify.com' was unclaimed in Heroku...
Zomato: URL is vulnerable to clickjacking
The browser has verified the identity: Successfully implemented in IE browser Reproduce steps: URLs do not have X-FRAME-OPTIONS set to DENY or SAMEORIGIN, and they are vulnerable to clickjacking. Run under the browser's code and you will see that the listed links are vulnerable to clickjacking...
Snapchat: Takeover 2 MAIN DOMAINS of a company Acquired by Snapchat
Hi, As you may realize I noted "Domain" and not subdomain because actually, I was able to take over the MAIN domain of a company Acquired by Snapchat. As you can see in the screenshot below, when you type "Addlive" in Google https://goo.gl/EAxBaj , the first two results will be: F261984 First one...
Phabricator: Window.opener protection Bypass
SUMMARY ======== If you create a post/comment with a link like http://x.com in Phabricator then the server adds rel="noreferrer" to the anchor tag. So the child window doesn't have access to the parent window. But it can be bypassed with a url like /\x.com/index.php and the child window can change the location property o...
International Islamic University Chittagong: phpMyAdmin Accessible & Database Error Information
Dear Team, The phpMyAdmin console is accessible over the internet, as is the directory of PHP documentation. Refer to all attached images. Kindly move these to 403 Forbidden resources. Steps below to reproduce the same. Enter this URL http://119.18.148.140/phpmyadmin/ accessible over Internet...
Uber: No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts
A lack of rate limiting on the "/confirm" endpoint made it possible for an attacker to add themselves to arbitrary business.uber.com accounts by brute forcing confirmation codes. If they were able to successfully brute force the correct confirmation code, this would allow an attacker to take ride...
Aspen: Information leakage on django.aspen.io
Hi Team, I got an error message that discloses the version of nginx with OS details, since the version of nginx is vulnerable to integer overflow. Impact: By seeing this information an attacker can throw only an integer overflow attack in order to get sensitive information. Finally, I request you to remove...
Zomato: [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint
Hacker is able to get the PI (Personal Information) of any Zomato user...
Internet Bug Bounty: CVE-2017-5969: libxml2 when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference)
I first reported this bug to the developers on 20 November 2015. A patch was finally committed on 7 June 2017 here. The caveat here is that this only happens in recover mode which the developers say no sane person should ever use in production and/or against untrusted inputs. A CVE was assigned i...
Internet Bug Bounty: CVE-2017-1000101: cURL: URL globbing out of bounds read
FYI, this security advisory will not be released until 9 August 2017: curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an...
Automattic: XSS Vulnerability in WooCommerce Product Vendors plugin
Version 2.0.27 of the WooCommerce Product Vendors plugin doesn't appear to correctly escape the "vendor description" POST parameter and can be manipulated to reflect arbitrary scripting. The good news is that it does appear to do some form of client-side validation before posting, in addition to...
Cuvva: Your two domain login email address are disclosed in
HI LINK: support-dashboard.corp.cuvva.co While accessing this link it takes you to Google authentication. I then viewed the source of that login page and saw your email that is used to log in. POC attached. Emails are: ███ ██████████ Another way is to simply click on "continue to cuvva.co" and you will se...
Weblate: Insecure Account Removal #2
Hi Team, This report is pretty much the same as my closed report here: 223355. The difference is BUG2: when a user created an account BUT did not supply the password, therefore there is nothing to reauthenticate when deleting the account, it will successfully delete the account without supplying...
Quora: self xss in
Hi Quora security team, there is a self XSS vulnerability in https://www.quora.com/profile/Username/ Steps: copy and paste the link in the Chrome browser; copy the entire link within double quotes "javascript:alert(document.domain)//https://www.quora.com/profile/Username/" then the XSS payload will trigger. Please...
HackerOne: HackerOne reports escalation to JIRA is CSRF vulnerable
Summary: HackerOne reports escalation to JIRA is CSRF vulnerable Description Include Impact: An attacker can steal private reports details through a CSRF in HackerOne report escalation to JIRA implementation. CSRF GET https://hackerone.com/reports/REPORTNUMBER/escalate Optional: Supporting...
RubyGems: Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier
Description: The RubyGems client supports a gem server API discovery functionality, which is used when pushing or pulling gems to a gem distribution/hosting server, like RubyGems.org. This functionality is provided via a SRV DNS request to the user's gem source hostname prepended with...
Rockstar Games: Control Character Injection In Messages
This report involved the injection of control characters, such as Null Byte 0x00, into vulnerable fields in the Message endpoints in order to cause unexpected, harmful behaviors. Our solution was to both block control characters from being saved on the backend when included in user-input, as well...
HackerOne: javascript: and mailto: links are allowed in JIRA integration settings
Summary: For new feature settings, you accept website URLs like javascript:// or data:// in base urls. Even https://evil.com works, this needs to be stripped, this can be used to create another integrations without Steps To Reproduce 1. https://hackerone.com/Team/integrations/jira/edit 2. Try in...