VK.com: XSS Reflected in m.vk.com
XSS on the wall in m.vk.com...
U.S. Dept Of Defense: https://████ is vulnerable to cve-2020-3452
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The...
Nextcloud: XSS through image upload of contacts using svg file with png extension
Hello again, this is a bypass of 89487: basically use the same payload file but change the extension to PNG. Impact: XSS or Open redirect when viewing the image of a contact...
Node.js third-party modules: [json8-merge-patch] Prototype Pollution
I would like to report a Prototype Pollution vulnerability in json8-merge-patch. The apply function fails to restrict access to prototypes of objects, allowing for modification of prototype behavior. Module: module name: json8-merge-patch, version: v1.0.1, npm page:...
Starbucks: Korea - LFI Server directory traversal at starbucks.co.kr
b4bilal discovered a misconfiguration when handling URI paths. This permitted an adversary to traverse the docroot and access non-sensitive resources that are normally unavailable to web users. @b4bilal — thank you for reporting this vulnerability and for confirming the resolution...
Razer: IDOR in eform.molpay.com leads to see other users application forms with private data
The tester discovered an IDOR which could allow an adversary to view the application form data of another user's application form given knowledge of the application ID. He worked with Triage to provide a working PoC. Razer Fintech appreciates the report to help keep customer data secure...
Glassdoor: XSS at https://www.glassdoor.com/Salary/* via filter.jobTitleExact
Summary: There exists a Cross Site Scripting and Content Injection vulnerability at https://www.glassdoor.com/Salary/ via the filter.jobTitleExact query parameter. Using URL encoded HTML entities, it is possible to inject HTML content and break out of the context of a tag. The WAF does a good job...
Internet Bug Bounty: Buffer Overflow in ext_lm_group_acl helper
Summary: Due to incorrect buffer management, ext_lm_group_acl is vulnerable to a denial of service attack when processing NTLM Authentication credentials. This problem is limited to installations using the ext_lm_group_acl binary. Affected Versions: Squid 2.x - 2.7.STABLE9, Squid 3.x - 3.5.28, Squid 4.x - 4...
Mail.ru: [Web ICQ Client] XSS vulnerability in the user name
Domain, site, application: WEB ICQ Client - https://web.icq.com/ Testing environment: Browser firefox Steps to reproduce 1. Set a user name containing HTML code 2. Create a channel/group and invite any user into it 3. Allow/Forbid the user to write messages Actual resul...
Nord Security: UI Redressing (Clickjacking) vulnerability
Summary: Hello Team, When I was testing your website I found a vulnerability called Clickjacking. Description: Clickjacking, also known as a UI redress attack. By this vulnerability an attacker can hijack a site which is vulnerable to clickjacking. When an attacker uses multiple transparen...
Kubernetes: Kubelet resource exhaustion attack via metric label cardinality explosion from unauthenticated requests
Report Submission Form Summary: Malicious clients can potentially DoS a kubelet by sending a high amount of specially crafted requests to the kubelet's HTTP server. For each request the kubelet updates/sets 3 metrics: - kubelet_http_requests_total Counter - kubelet_http_requests_duration_seconds Histogr...
Magic: HTTP SMUGGLING EXPOSED HMAC/DOS
HTTP SMUGGLING EXPOSED HMAC / DOS. Using the transfer-encoding header and following it with a zero, the back end leaked the HMAC; the back end reflected back the HMAC key encryption type and a lot of details. Further testing had it reflect more headers. http-smuggling-dashboard-fortmatic.png we wi...
Showmax: Open Redirect in secure.showmax.com
The hacker submitted open redirect vulnerability in one of our payment method flows. The vulnerability could have been also used to perform XSS attack. write-up: https://medium.com/@ahmadbrainworks/bug-bounty-how-i-earned-550-in-less-than-5-minutes-open-redirect-chained-with-rxss-8957979070e5...
Node.js: HTTP request smuggling using malformed Transfer-Encoding header
Please see the attached PDF for a writeup of this vulnerability. Impact Please see the attached PDF for a writeup of this vulnerability...
MyEtherWallet: Local Storage Custom Node Credentials Leak
Summary Credentials for a custom node are stored in plain text inside Local Storage on the user's machine. If this node is configured in a certain way this could lead to the theft of any funds in accounts attached to this node, by a local attacker. And if not configured this way, an attacker coul...
TomTom: XSS Reflect
Hi guys, According to the attached prints, I found an XSS at https://www.tomtom.com/en/search/?q=%3C%2Fscript%3E link. Here is the payload used: https://www.tomtom.com/en/search/?q=%3C%2Fscript%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E Any questions, I'm available! Regards, z3xdd Impact A...
Shopify: Reflected XSS
Hi team, I found a reflected XSS on the https://app.oberlo.com domain. Reproduce: Visit https://app.oberlo.com/auth?shop=%3C/noscript%3E%3Cimg%20src=x%20onerror=promptdocument.domain%3E in the latest version of the Firefox browser. You will see a popup like the attached screenshot: F485407 Tested in Latest...
Monero: Excessive Resource Usage
Summary: Unbounded resource usage due to opening one file descriptor per connection. The Python script below is effectively a threadbomb on the destination and uses all available memory on the server; clients not sending anything are never terminated. Steps To Reproduce: Up our daemon % monerod Check if...
Valve: Malformed NAV file leads to buffer overflow and code execution in Left4Dead2.exe
Summary: In the parsing routines of NAV files, which contain the navigation mesh used by the AI for survivor bots, zombies, and the AI director spawning system, a buffer overflow exists which can be used to control the EIP register and take over code execution. Proof-of-Concept 1. Download the attach...
Mail.ru: Open Selenoid instance at 188.93.63.186 leads to LFR/SSRF.
Externally accessible Selenoid instance in Mail.Ru Games network was vulnerable to LFR and SSRF via URI injection...
Hanno's projects: Open redirect on the https://tt.hboeck.de
Hi Team! Testing request: POST /public.php?return=%2F HTTP/1.1 Host: tt.hboeck.de ........... op=login&login=….&password=...&profile=0 Vulnerable parameter: return Method: POST - GET - OK POC: https://tt.hboeck.de/public.php?return=http%3a%2f%2fevil.com%2f&op=login&login=password=&profile=0 Impac...
Mail.ru: PHP-FPM Status Page
PHP-FPM Status Page available on pubg.my.com...
Rocket.Chat: Broken access control on apps
Summary: A user without administrative privileges can upload and install any Application into rocket.chat. As the ID of the application is controlled in the app.json file, which is controlled by the uploader, the user can also activate the app. Releases Affected: 0.73.2 Steps To Reproduce: - User log-in into...
Zomato: Open Redirect On Your Login Panel
Summary: Hey, there is an open redirect on your login panel. Platforms Affected: Website Browsers Verified In (If Applicable): Chrome For Android, Firefox For Android Steps To Reproduce: 1. Go To This Url :- https://www.zomato.com/login?redirecturl=https://askdcodes.org 2. Then login there 3. boom you...
Node.js third-party modules: [webpack-bundle-analyzer] Cross-site Scripting
I would like to report Cross-site Scripting in webpack-bundle-analyzer. It allows injecting and executing arbitrary JavaScript code. Module: module name: webpack-bundle-analyzer, version: 3.0.3, npm page: https://www.npmjs.com/package/webpack-bundle-analyzer Module Description: Visualize size of webpa...
GitLab: information disclosure of secret_key_base via encoding characters
@pareshparmar discovered an error page that was disclosing the value of the secret_key_base key of customers.gitlab.com to unauthenticated users, which would have allowed an attacker to arbitrarily decrypt signed cookies. So I was fuzzing one parameter with different types of encodings. And one...
Liberapay: Publicly editable GitHub wikis
Hello team, While browsing https://github.com/liberapay I found that many of the repositories have their wikis publicly editable by any GitHub user. The following are some of the affected repositories: https://github.com/liberapay/cardregistration-js-kit/wiki...
Node.js: Fix for CVE-2018-12122 can be bypassed via keep-alive requests
Summary: Fix for CVE-2018-12122 can be bypassed via keep-alive requests Description: I'm not a security expert, nor am I familiar with Node.js core, so please forgive me if this report is inaccurate and in that case, sorry for your time. While investigating the issue 515 I checked out the fix t...
Grammarly: Permissive CORS policy trusting arbitrary extensions origin
@foobar7 identified that misconfigurations in CORS and CSRF handling allowed malicious browser extensions, which have permission to interact with grammarly.com domain, to impersonate the user. The vulnerability was resolved with improved CSRF/CORS handling...
Zomato: [www.zomato.com] Tampering with Order Quantity and paying a smaller amount than the actual amount, leads to business loss
Hi, Team, Like discussed with Prateek I am dropping the report here. Summary: Like the title says using this vulnerability one could order food at negligible price or keep all delivery executives busy. Description: While fuzzing my way through the payment flow on Zomato orders I came across a...
Starbucks: Subdomain takeover on wfmnarptpc.starbucks.com
Hello, this is pretty serious security issue in some context, so please act as fast as possible. Overview: One of the starbucks.com subdomains is pointing to Azure, which has unclaimed CNAME record. ANYONE is able to own starbucks.com subdomain at the moment. This vulnerability is called subdomai...
WordPress: Open API For Username enumeration
We can do username enumeration. Reproduce: 1. Go to any WordPress site. 2. Type ?author=1 at the end of the site URL: www.site.com/?author=1 3. You will get www.site.com/author/admin; now, admin is the username of the login panel of that site. Thanks, Sameer Phad Impact -...
Mail.ru: molotok.m.mail.ru delegated to external entity
SDC bypass secure cookies access vulnerability in m.mail.ru due to subdomain name pointing to uncontrolled external host...
Shopify: Subdomain Takeover - https://competition.shopify.com/
Dear Shopify Security Team, The Shopify.com subdomain competition.shopify.com was vulnerable to a subdomain takeover as it was pointing to an unclaimed Heroku service through the CNAME competition.shopify.com.herokudns.com, while the custom domain 'competition.shopify.com' was unclaimed in Heroku...
Liberapay: Punycode Detection Parsing should be implemented on Markdown
Hello Liberapay Security Team, Description: When we insert any URL in the Markdown Box in liberapay.com/profilename/edit/statement, it reflects on our main profile page. The main issue which I discovered was about the Punycode parsing method, which was not enabled on Markdown. Steps to Reproduce For...
Nextcloud: File access control rules not enforced on image files
1. Installed Nextcloud from Snap package version 13.0.2snap1, revision 6916 on a fresh Ubuntu 18.04 LTS install. 2. Installed and enabled Files access control v1.3.0 and Files automated tagging v1.3.0 apps. 3. As an administrator created an invisible collaborative tag Secret. 4. Added Files automated...
Ed: Session Cookie Without Secure Flag
Hi Ed, The bug mentioned in the report 343095 is not yet correctly patched I believe. Previously, the Researcher reported that the cookie _gitlab_session is not Secure (Missing Secure Flag) and you closed that report as Informative and said that "Exploitability of this issue is so low that it does not...
Monero: Buffer out of bound read in miniupnpc xml parser
Summary: This is a buffer OOB read vulnerability in miniupnpc when parsing an XML response. This vulnerability could result in a denial of service attack on the monero client in the local area network. Description: In miniupnpc, file "Minixml.c": The function parseelt: static void parseelt(struct xmlparser...
Brave Software: Cross domain tracking even with 3rd party cookies disabled.
Cross domain tracking: Default settings of the Brave browser have 3rd party cookies disabled, which I am assuming also disables 3rd party storage like IndexedDB etc. Because of this protection it is not possible for a 3rd party to track users across multiple domains. But, Even though third-party cooki...
U.S. Dept Of Defense: SSRF+XSS
I discovered that due to an outdated Jira instance, I was able to exploit an SSRF vulnerability in Jira and was able to perform several actions such as bypass any firewall/protection solutions, access AWS instance data, access Internal DoD Servers and internal services. Additionally I was able to...
Upserve: Ability to reset password for account
The attacker was able to send a password reset link to an arbitrary email by sending an array of email addresses instead of a single email address. POST https://hq.breadcrumb.com/api/v1/passwordreset HTTP/1.1 with body like "emailaddress":"[email protected]","[email protected]"...
Snapchat: Takeover 2 MAIN DOMAINS of a company Acquired by Snapchat
Hi, As you may realize I noted "Domain" and not subdomain because actually, I was able to take over the MAIN domain of a company Acquired by Snapchat. As you can see in the screenshot below, when you type "Addlive" in Google https://goo.gl/EAxBaj , the first two results will be: F261984 First one...
Node.js third-party modules: [hekto] Path Traversal vulnerability allows to read content of arbitrary files
Hi Guys, There is a Path Traversal vulnerability in the hekto module, which allows reading arbitrary files from the remote server. Module: hekto This package exposes a directory and its children to create, read, update, and delete operations over http. https://www.npmjs.com/package/hekto version: 0.2.0...
Node.js third-party modules: Prototype pollution attack (merge-deep)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the merge-deep library. Module: merge-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of th...
Ruby: controlled buffer under-read in pack_unpack_internal()
Brief ----- There is a signedness error in pack_unpack_internal(), allowing the '@' type to trigger a buffer under-read when unpacking with a controlled format, similar to format string implementation vulnerabilities. Code Vulnerability -------------------- Vulnerable version: 2.5.0 rc and prior...
IRCCloud: [IRCCloud Android] Opening arbitrary URLs/XSS in SAMLAuthActivity
Hi, I'd like to report a bug which allows opening arbitrary URLs in com.irccloud.android.activity.SAMLAuthActivity. This activity is exported: xml It means that it can be accessed by any third-party app installed on the same device. On the newest Androids it also could be exploited by Android...
Boozt Fashion AB: Users Unable to login using Gmail/Facebook on https://boozt-stage1.booztx.com/login
Hi Team, when I try to log in to this subdomain https://boozt-stage1.booztx.com/login using Gmail or Facebook, the login form does not redirect me to Gmail/Facebook; it gives an error message since it is blacklisted by the server. Steps to Reproduce: 1 Go to https://boozt-stage1.booztx.com/login ...
Zomato: [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint
Hacker is able to get the PI (Personal Information) of any Zomato user...
Shopify: stored xss in invited team member via email parameter
Hey there, while testing your program I found a stored XSS vulnerability which can be placed by owners or other staff members who have the ability to manage members, and it will be triggered by visiting the invited team member page, e.g. https://partners.shopify.com/642416/invitations/15406. Reproduction Steps 1...
Internet Bug Bounty: CVE-2017-1000101: cURL: URL globbing out of bounds read
FYI, this security advisory will not be released until 9 August 2017: curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an...