Nextcloud: File access control rules not enforced on image files
1. Installed Nextcloud from the Snap package, version 13.0.2snap1, revision 6916, on a fresh Ubuntu 18.04 LTS install. 2. Installed and enabled the Files access control v1.3.0 and Files automated tagging v1.3.0 apps. 3. As an administrator, created an invisible collaborative tag "Secret". 4. Added Files automated...
Ed: Session Cookie Without Secure Flag
Hi Ed, the bug mentioned in report 343095 is not yet correctly patched, I believe. Previously, the researcher reported that the cookie _gitlab_session is not Secure (Missing Secure Flag) and you closed that report as Informative, saying that "Exploitability of this issue is so low that it does not...
Monero: Buffer out of bound read in miniupnpc xml parser
Summary: This is a buffer OOB read vulnerability in miniupnpc when parsing an XML response. This vulnerability could result in a denial-of-service attack against a Monero client on the local area network. Description: In miniupnpc, file "minixml.c", the function parseelt: static void parseelt(struct xmlparser...
Brave Software: Cross domain tracking even with 3rd party cookies disabled.
Cross-domain tracking. The default settings of the Brave browser have 3rd-party cookies disabled, which I am assuming also disables 3rd-party storage like IndexedDB etc. Because of this protection it is not possible for a 3rd party to track users across multiple domains. But, even though third-party cooki...
U.S. Dept Of Defense: SSRF+XSS
I discovered that due to an outdated Jira instance, I was able to exploit an SSRF vulnerability in Jira and was able to perform several actions such as bypass any firewall/protection solutions, access AWS instance data, access Internal DoD Servers and internal services. Additionally I was able to...
Upserve : Ability to reset password for account
The attacker was able to send a password reset link to an arbitrary email by sending an array of email addresses instead of a single email address. POST https://hq.breadcrumb.com/api/v1/passwordreset HTTP/1.1 with a body like "emailaddress":"[email protected]","[email protected]"...
Snapchat: Takeover 2 MAIN DOMAINS of a company Acquired by Snapchat
Hi, As you may realize I noted "Domain" and not subdomain because actually, I was able to take over the MAIN domain of a company Acquired by Snapchat. As you can see in the screenshot below, when you type "Addlive" in Google https://goo.gl/EAxBaj , the first two results will be: F261984 First one...
Node.js third-party modules: [hekto] Path Traversal vulnerability allows to read content of arbitrary files
Hi guys, there is a path traversal vulnerability in the hekto module which allows reading arbitrary files from the remote server. Module: hekto. This package exposes a directory and its children to create, read, update, and delete operations over HTTP. https://www.npmjs.com/package/hekto version: 0.2.0...
Node.js third-party modules: Prototype pollution attack (merge-deep)
As discussed in 309391, here's the separate report for each library. This one is the information for the merge-deep library. Module: merge-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of th...
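What "modifying the prototype of Object" means in practice, as an added example that is not the merge-deep source: a recursive merge that walks every key of attacker-controlled input will follow an own property literally named `__proto__` (which `JSON.parse` happily creates) into `Object.prototype` and write there. The `mergeDeepVulnerable`/`mergeDeepSafe` functions and the payload below are constructed for this example.

```javascript
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable deep merge: recurses into every key of `source`, including
// "__proto__". Reading target["__proto__"] yields Object.prototype, so the
// recursion writes the attacker's keys onto every object in the process.
function mergeDeepVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const sv = source[key];
    if (isPlainObject(sv)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeDeepVulnerable(target[key], sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// Hardened deep merge: refuses the three keys that reach a prototype and only
// recurses into properties the target actually owns.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const sv = source[key];
    if (isPlainObject(sv)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = mergeDeepSafe(isPlainObject(own) ? own : {}, sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// Attacker-controlled JSON (constructed). JSON.parse creates an *own* property
// named "__proto__", which Object.keys() lists like any other key.
const PAYLOAD = '{"profile":{"name":"x"},"__proto__":{"isAdmin":true}}';

// Merges the payload into a fresh object and reports whether an unrelated,
// freshly created object ended up with isAdmin set; undoes any pollution so
// later code in the process is unaffected.
function runMerge(merge) {
  merge({}, JSON.parse(PAYLOAD));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

function demonstrate() {
  return {
    vulnerableLeaked: runMerge(mergeDeepVulnerable),
    safeLeaked: runMerge(mergeDeepSafe),
  };
}
```

Blocking `constructor` and `prototype` as well as `__proto__` matters because `{"constructor":{"prototype":{...}}}` reaches the same place by a different route.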
Ruby: controlled buffer under-read in pack_unpack_internal()
Brief ----- There is a signedness error in pack_unpack_internal, allowing the '@' type to trigger a buffer under-read when unpacking with a controlled format, similar to format-string implementation vulnerabilities. Code Vulnerability -------------------- Vulnerable version: 2.5.0 rc and prior...
Uber: The Microsoft Store Uber App Does Not Implement Certificate Pinning
Summary The Microsoft Store Uber App Windows Phone Architecture does not properly implement certificate pinning. Security Impact Layer-2+ network traffic transmitted from and received by the app can be surreptitiously intercepted and transparently modified by an attacker, with no warnings or erro...
IRCCloud: [IRCCloud Android] Opening arbitrary URLs/XSS in SAMLAuthActivity
Hi, I'd like to report a bug which allows opening arbitrary URLs in com.irccloud.android.activity.SAMLAuthActivity. This activity is exported (manifest xml), which means it can be accessed by any third-party app installed on the same device. On the newest Androids it could also be exploited by Android...
Boozt Fashion AB: Users Unable to login using Gmail/Facebook on https://boozt-stage1.booztx.com/login
Hi Team, when I try to log in on this subdomain https://boozt-stage1.booztx.com/login using Gmail or Facebook, the login form does not redirect me to Gmail/Facebook; it gives an error message since it is blacklisted by the server. Steps to Reproduce: 1. Go to https://boozt-stage1.booztx.com/login ...
Zomato: [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint
The hacker is able to get the PI (Personal Information) of any Zomato user...
Shopify: stored xss in invited team member via email parameter
Hey there, while testing your program I found a stored XSS vulnerability which can be placed by owners or other staff members who have the ability to manage members, and it will be triggered by visiting the invited team member page, e.g. https://partners.shopify.com/642416/invitations/15406. Reproduction Steps 1...
Automattic: XSS Vulnerability in WooCommerce Product Vendors plugin
Version 2.0.27 of the WooCommerce Product Vendors plugin doesn't appear to correctly escape the "vendor description" POST parameter and can be manipulated to reflect arbitrary scripting. The good news is that it does appear to do some form of client-side validation before posting, in addition to...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
Summary: One of the DoD applications uses a Java library which is vulnerable to expression language injection. Using only a URL I was able to inject Java code. I made a simple PoC that requests a name resolution from a DNS server. Description: The application at https://███ uses Primefaces version...
Weblate: Insecure Account Removal #2
Hi Team, this report is pretty much the same as my closed report here: 223355. The difference is BUG2: when a user created an account but did not supply a password, there is nothing to reauthenticate with when deleting the account, so it will successfully delete the account without supplying...
Quora: self xss in
Hi Quora security team, there is a self-XSS vulnerability in https://www.quora.com/profile/Username/ Steps: copy and paste the link in the Chrome browser; copy the entire link within double quotes "javascript:alert(document.domain)//https://www.quora.com/profile/Username/" then the XSS payload will trigger. Please...
HackerOne: HackerOne reports escalation to JIRA is CSRF vulnerable
Summary: HackerOne report escalation to JIRA is CSRF-vulnerable. Description (Include Impact): An attacker can steal private report details through a CSRF in HackerOne's report-escalation-to-JIRA implementation. CSRF: GET https://hackerone.com/reports/REPORTNUMBER/escalate Optional: Supporting...
Nextcloud: CSRF token validation is missing
Greetings, Hello Security Team, Summary: I know this is a medium-risk issue but I want you guys to be aware of it: CSRF token validation is missing at the time of login on the https://portal.nextcloud.com/login.php login page. PoC Code: Email Password Login Now Forgot Password? var tabs = '';...
X (Formerly Twitter): [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME
Hi, the following endpoints are exposed to reflected cross-site scripting by way of a vulnerable "plupload.flash.swf" component on WordPress. A comprehensive explanation of this vulnerability can be found in resolved report 134738: WordPress is vulnerable to a Same-Origin Method Execution (SO...
Shopify: Stealing users' facebook access tokens - kitcrm.com
Summary: I have found a number of minor security vulnerabilities with no impact that, when chained together, lead to an attacker being able to steal the current user's Facebook access token provided to kitcrm.com. Description: - In kitcrm.com, users register with their Shopify account and the...
Rockstar Games: Control Character Injection In Messages
This report involved the injection of control characters, such as Null Byte 0x00, into vulnerable fields in the Message endpoints in order to cause unexpected, harmful behaviors. Our solution was to both block control characters from being saved on the backend when included in user-input, as well...
HackerOne: javascript: and mailto: links are allowed in JIRA integration settings
Summary: For the new feature settings, you accept website URLs like javascript:// or data:// in base URLs. Even https://evil.com works; this needs to be stripped. This can be used to create other integrations without... Steps To Reproduce 1. https://hackerone.com/Team/integrations/jira/edit 2. Try in...
PortSwigger Web Security: Email Spoofing
There is an email spoofing vulnerability. Steps to reproduce: 1. Go to http://emkei.cz/ 2. Fill the "From Email" field with [email protected] or any other portswigger email. 3. Fill the victim's address (your address) in the "TO" field and fill in other details as you wish. You will receive an email from...
Ubiquiti Inc.: Content Spoofing or Text Injection in (403 forbidden page injection) and Nginx version disclosure via response header
Hello there, I know that this is a non-critical issue but I want you guys to be aware of it. 1. I have found a content spoofing / text injection at this URL: http://dl-origin.ubnt.com/ Go to this URL...
Nextcloud: Disclosure of administrators via JSON on nextcloud.com Wordpress
@rbcafe reported the following issue; since it contains references to internal data we've decided to disclose this issue only in a limited way. ------- Greetings, Description : ---------------- Since the update of the website to WordPress 4.7 the JSON discloses administrators : POC : ----------------...
Internet Bug Bounty: Use of uninitialized memory in unserialize()
The following is a copy of the bug report at https://bugs.php.net/bug.php?id=73832 Description: A bug was found showing that PHP uses uninitialized memory during calls to unserialize(). As the following report shows, the payload supplied to unserialize() may control this uninitialized memory...
Nextcloud: BruteForce in to Admin Account
Hello, my name is Abdulwahab. I want to alert you that your website is facing a serious problem called Username Enumeration. This problem is on nextcloud.com/wp-admin. We used wpscan to get the username, and the username is "frank". After getting the username, a user can brute-force it using wpscan and get acces...
Uber: Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront
Hi, 3 hours ago, rider.uber.com was responding like this: F127137 This happened on both HTTP and HTTPS. Now, as our blog post from last week says: https://labs.detectify.com/2016/10/05/the-story-of-ev-ssl-aws-and-trailing-dot-domains/ This means that there's a high chance this domain does not hav...
Internet Bug Bounty: Adobe Flash Player ShimContentFactory class Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimContentFactory.retrieveOpportunityGenerators. ------------------------------------------------------------------ II. Description Normally, retrieveOpportunityGenerators...
Pornhub: [idor] Profile Admin can pin any other user's post on his stream wall
The researcher discovered a vulnerability where a user could pin and post other users' content to their own stream without those users' authorization...
Pornhub: CSV Macro injection in Video Manager (CEMI)
Missing character escaping in video titles allows delivery of an executable CSV payload when exporting stats to a file...
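What the missing escaping looks like and how an export should neutralise it, as an added example rather than Pornhub's code: spreadsheet applications treat a cell that starts with `=`, `+`, `-`, `@`, tab or carriage return as a formula, so user-controlled text such as a video title has to be prefixed with an apostrophe and quoted before it goes into a CSV. The `csvCell`/`exportStats` helpers and the sample rows are constructed for this example.

```javascript
// Excel and LibreOffice interpret a cell that starts with one of these
// characters as a formula, even when the CSV field is quoted.
const FORMULA_TRIGGERS = /^[=+\-@\t\r]/;

// Serialises one value as a CSV field that is always read as text.
function csvCell(value) {
  let s = String(value);
  if (FORMULA_TRIGGERS.test(s)) s = "'" + s;   // leading apostrophe forces text
  return '"' + s.replace(/"/g, '""') + '"';    // quote, doubling embedded quotes
}

function csvRow(fields) {
  return fields.map(csvCell).join(",");
}

// Constructed export rows; the second title is the kind of payload the report
// describes (a DDE-style command in a video title).
const STATS = [
  { title: "My holiday video", views: 1200 },
  { title: "=cmd|' /C calc'!A0", views: 7 },
];

// Builds the full export, header row first, with CRLF line endings.
function exportStats(rows) {
  return [csvRow(["title", "views"])]
    .concat(rows.map((r) => csvRow([r.title, r.views])))
    .join("\r\n");
}
```

Quoting alone is not enough: a quoted `"=1+1"` still evaluates in Excel, which is why the apostrophe prefix is applied as well. Numbers pass through `csvCell` too, so a negative number exported as a string gets the prefix; if numeric cells must stay numeric, serialise them on a separate path.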
Automattic: WordPress SOME bug in plupload.flash.swf leading to RCE
Intro == WordPress is vulnerable to a Same-Origin Method Execution (SOME) vulnerability that stems from an insecure URL sanitization problem in the file plupload.flash.swf. The code in the file attempts to remove flashVars ¹ in case they have been set as GET parameters but fails to do s...
QIWI: SSL Certificate on qiwi.com will expire soon.
The validity of the SSL certificate is about to expire on 15 May 2016. The browser will normally present the user with a warning message indicating that the certificate has expired. These warnings are extremely confusing for the typical web user and cause most users to question the authenticity ...
New Relic: newrelic.com rails directory traversal vuln
Details: https://github.com/omarkurt/cve-2014-0130 POC: GET /devops/%5c%2e%2e%2f%5c%2e%2e%2f%5c%2e%2e%2fGemfile HTTP/1.1 Cookie: Host: newrelic.com Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)...
Algolia: No rate-limit in Two factor Authentication leads to bypass using bruteforce attack
Hi, there is no rate limit set for two-factor authentication, which demands a code sent to the mobile phone. This code can be brute-forced easily to bypass it. POST /users/testqr HTTP/1.1 Host: www.algolia.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0 Accept:...
Veris: User enumeration via error message
Hi guys, well, the issue is in the authentication process: an attacker is able to enumerate registered users on the site by brute-forcing the login page. When a user does not exist, the system returns the following error message: "User not exist"; when the user exists but the password is incorrect:...
Udemy: Able to view others' gifts on /gift/share URL, giftId is predictable, and easy to manipulate
I recently purchased a gift for a friend, and noticed the share URL gift ID was simply numeric. I managed to access other people's gifts simply by incrementing and decrementing the ID by 2. I was able to verify that the price was dropped to "Free", regardless of whether I was logged in or not, and I w...
New Relic: Potential Subdomain Takeover - http://storefront.newrelic.com/
Hi, The subdomain "storefront.newrelic.com" is currently pointing to Fastly, but is not registered to a service. Depending on whether Fastly permits it, a subdomain takeover similar to that of https://hackerone.com/reports/32825 could be possible. If the subdomain is not needed, it's recommended...
Shopify: Open Redirect at *.myshopify.com/account/login?checkout_url=
Hi, any user, after logging into any myshopify shop, can be redirected to another domain. To reproduce: send this to the victim: http://sehyoginfoshop.myshopify.com/account/login?checkout_url=.np Now when our victim logs in, he will be redirected to https://sehyoginfoshop.myshopify.com.np/ which is not...
ok.ru: Same-Origin Policy Bypass #2
Hi, this is a really similar issue to my previous report 102234; the exploitation mechanism is the same but another swf file is vulnerable. All conditions are met: - st.mycdn.me domain which is in ok.ru crossdomain.xml - Security.allowDomain('*') - possibility to execute own SWF code provided by URL...
VK.com: Injection of an arbitrary JavaScript scenario in the image-viewing functionality of the mobile version of the site
The vulnerability exists due to insufficient processing of user data obtained from the location URL object, which is used in the photo.fullscreen function. The function is executed on the onclick event, which fires when a photo is clicked. At present there is filtering...
Shopify: Bypass access restrictions from API
This issue allowed users with limited access to login into a Shopify Mobile application, capture their own access token, and perform queries against Shopify's API in order to create new users with full access, or delete other users. An additional issue was reported, where users with no access cou...
Mail.ru: http://tp-dev1.tp.smailru.net/
Login/password admin/admin works on the login form, plus Yii in debug mode...
Mail.ru: Flash XSS on img.mail.ru
Vulnerable Flash file: http://img.mail.ru/r/video2/playerv2.swf Steps: + Open http://img.mail.ru/r/video2/playerv2.swf?metadataUrl=http://videoapi.my.mail.ru/videos//community/mir/groupvideo/921.json&redirectUrl=%22;alert(document.domain);catch(e)// + Click on social share and click on anything, e.g...
Airbnb: Vulnerability type xss uncovered in airbnb.es
The vulnerability is exploited by uploading the file Exploit attached to this conversation as a profile photo...
Internet Bug Bounty: Adobe Flash Player MP4 Use-After-Free Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to a use-after-free. After parsing a malformed MP4 file, Flash keeps accessing a block of memory used for timing. That memory block is still accessed even after the page containing the Flash is closed, which leads to a memory crash...
X (Formerly Twitter): HTML form without CSRF protection at http://try.crashlytics.com/enterprise/
Vulnerability description: This alert may be a false positive; manual confirmation is required. Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitte...