Internet Bug Bounty: LZ4 Core
Lab Mouse Security Report LMS-2014-06-16-6 Report ID: LMS-2014-06-16-6 CVE ID: CVE-2014-4611 Researcher Name: Don A. Bailey Researcher Organization: Lab Mouse Security Researcher Email: donb at securitymouse.com Researcher Website: www.securitymouse.com Vulnerability Status: Reported / No respons...
HackerOne: Account takeover
Hello, I found another bug on hackerone. This time it is very dangerous and creative. Hope you will definitely love it. Any valid account on hackerone can be hacked. eg Co-founders @jobert and @michiel can also be hacked. I tried this one on my account only. Let's go to the point ... Things requir...
HackerOne: Arbitrary file uploads to Amazon WS.
Hi, It seems one is able to upload arbitrary files to Amazon Webservices through the UI. This allows for uploading malware such as msf-payload-x86.jpg.exe or whatever. Beyond free hosting this could potentially be used to entice teams into downloading stuff they probably don't want. Actual...
Automattic: HTML form without CSRF protection
HTML form without CSRF protection Vulnerability description Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts...
Slack: CSRF on add comment section
Hi, Steps to repro: 1 Go to this link https://sehacure.slack.com/help/requests/237956 2 The malicious guy should know the request number and the username. 3 Open Tamper Data using the Tamper Data Firefox addon, fill the reply in the form. 4 Submit the request. You will see there are no anti-csrf token i...
Sandbox Escape: Win32k Window Handle Vulnerability (EoP)
This bug was disclosed directly to Microsoft. http://technet.microsoft.com/en-us/security/bulletin/ms14-003...
HackerOne: RTL override symbol not stripped from file names
Any U+202E RIGHT-TO-LEFT OVERRIDE and similar symbols in file names of uploaded files are not stripped from the file name, causing potentially malicious executables to look like harmless images, for example. This might trick HackerOne panel members into accidentally opening evil h4x0r filez. I’ve...
U.S. Dept Of Defense: IDOR leads to view other user Biographical details (Possible PII LEAK)
The researcher discovered an Insecure Direct Object Reference IDOR vulnerability in the www.██████████ domain. The vulnerability allowed a user to access other users' biographical details, leading to a potential Personally Identifiable Information PII leak. The vulnerable endpoints were located i...
U.S. Dept Of Defense: CVE-2023-26347 in https://████.mil/hax/..CFIDE/adminapi/administrator.cfc?method=getBuildNumber&_cfclient=true
CVE-2023-26347 was discovered in Adobe ColdFusion versions 2023.5 and earlier and 2021.11 and earlier. The vulnerability was an Improper Access Control issue that could result in a Security feature bypass. Unauthenticated access was possible to the administration CFM and CFC endpoints...
Internet Bug Bounty: Possibility of Request smuggling attack
A vulnerability in Apache Tomcat allowed request smuggling due to incorrect parsing of HTTP trailer headers. A specially crafted trailer header exceeding the size limit could cause Tomcat to treat a single request as multiple requests, enabling request smuggling attacks when behind a reverse prox...
Nextcloud: RCE on Wordpress website
A remote code execution vulnerability was exploited on a WordPress website due to unsafe deserialization of user input. This allowed arbitrary code execution as the web server user...
Internet Bug Bounty: Integrity checks according to policies can be circumvented in Node.js 20 and Node.js 18
Integrity checks according to Node.js policies can be circumvented, allowing untrusted code to execute with elevated permissions. This affects Node.js 18.x and 20.x when using the experimental policy feature. The vulnerability was reported by Tobias Nießen, who also provided a patch that has been...
Mars: Test 4 █████
This is test team summary with limited disclosure...
Mozilla: Mozilla Mastodon Staging Instance Admin API Key Disclosure Through Slack
Admin Mastodon API keys were inadvertently disclosed in the trust-and-safety-eng channel on Mozilla's Slack workspace, potentially granting unauthorized access to the Mastodon server and compromising user data. Immediate action is required to mitigate this vulnerability...
HackerOne: Register & create a ticket as somebody else on HackerOne Support
A vulnerability was discovered on HackerOne Support that allowed an attacker to register and create tickets as different individuals. The issue was resolved by adjusting a setting in the Freshdesk Software...
U.S. Dept Of Defense: CVE-2023-24488 xss on https://██████/
Vulnerability description not provided...
HackerOne: Create miscellaneous support ticket on anyone's account through [email protected] email
A vulnerability was discovered where an attacker could create support tickets on anyone's account by sending a fake email to [email protected]. This allowed the attacker to create tickets on behalf of victims or even HackerOne staff. The issue was resolved internally and the created tickets...
Internet Bug Bounty: ReDoS (Rails::Html::PermitScrubber.scrub_attribute)
I reported at https://hackerone.com/reports/1684163 https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w Certain configurations of rails-html-sanitizer 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to...
U.S. Dept Of Defense: External service interaction ( DNS and HTTP ) in www.████████
An External Service Interaction vulnerability was found in www.█████████, allowing an attacker to induce the application to interact with arbitrary external services such as DNS and HTTP. This could lead to various attacks, including DDoS, OS Command Injection, DOS, and Code Manipulation...
Internet Bug Bounty: Renderers can obtain access to random bluetooth device without permission
With the default configuration in Electron, renderer processes which should not have access to system resources by default can gain read/write access to a nearby bluetooth device. To reproduce: Run the electron-quick-start app with a vulnerable version of Electron:...
EXNESS: CRLF Injection - Http Response Splitting
HTTP response splitting allowed adding a malicious header to the response...
TikTok: Impersonation of tiktok account via Broken Link in TikTok Newsroom
A broken link was found on TikTok Newsroom, which could have allowed an attacker to claim the associated username and hijack the link. We thank @bushidobrown200 for reporting this to our team and confirming its resolution...
Nextcloud: Information Exposure Through Directory Listing vulnerability
A directory listing provides an attacker with the complete index of all the resources located inside the directory, as well as the ability to download or access its contents. While the researcher did not dig deeper into the available files, it is possible that these websites host sensitive information...
JetBlue: Open Redirect
Vulnerability description not provided...
VK.com: Reflected Xss On https://vk.com/search
XSS in Search...
TikTok: Cross site scripting via file upload in subdomain ads.tiktok.com
A file upload XSS cross-site scripting vulnerability was found in the TikTok ads ticketing platform. Due to missing checks it was possible to upload .svg files which contained an XSS payload. We thank @blubluuu for reporting this to our team and confirming its resolution...
TikTok: Reflected XSS in TikTok endpoints
A cross-site scripting vulnerability was found in a few TikTok endpoints using the region parameter. We thank @sh1yo for reporting this to our team...
Reddit: Hash-Collision Denial-of-Service Vulnerability in Markdown Parser
Summary: We have found three bugs in Reddit's markdown parser. Two of these bugs are exploitable to launch an algorithmic complexity denial-of-service DoS attack. In this report we explain the bugs and exploits. We also show, in a non-disruptive way, that it appears to exist in the current versio...
Nextcloud: Virtual Data Room / Hide download on collabora is easy to bypass
So, let me start with saying I'm not sure if this is a security issue or if it is by design. The reason I'm reporting it here is since Nextcloud promotes this Virtual Data Room a lot...
Exodus: Cache Poisoning DoS on downloads.exodus.com
Summary: Hello, The subdomain downloads.exodus.com hosts all files meant to be downloaded by exodus users. A few of the files I found are: https://downloads.exodus.com/releases/exodus-linux-x64-21.4.9.zip https://downloads.exodus.com/releases/hashes-exodus-21.2.12.txt...
Homebrew: Brew bootstrap process is insecure
The process described in this page is not secure - no checksum / PGP signature is published and there is no way to check the download is legit: https://brew.sh/ `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"` This can lead to supply chain attacks su...
Basecamp: DNS Setup allows sending mail on behalf of other customers
Sent on your behalf I knew basecamp themselves had used helpscout for support, so I was curious to see if hey was doing the same. A quick DNS lookup gave me the answer I was looking for: dig hey.com txt ; DiG 9.10.6 hey.com txt ;; global options: +cmd ;; Got answer: ;; -HEADER DiG 9.10.6...
GitLab: GitLab-Runner on Windows `DOCKER_AUTH_CONFIG` container host Command Injection
Summary GitLab-Runner, when running on Windows with a docker executor, is vulnerable to Command Injection via the `DOCKER_AUTH_CONFIG` build variable. Injected commands are executed on the container host, not within a Docker container, and as such could compromise all future builds which are executed by...
Open-Xchange: Blind SSRF in /appsuite/api/oxodocumentfilter&action=addfile
Summary Logic in AddFileAction.getImageDataFromUrl for fetching images from external URLs when handling /appsuite/api/oxodocumentfilter&action=addfile implemented here validates the redirected URLs only after following all redirects java response = httpClient.executegetRequest, context; int...
Kubernetes: Clickjacking
Report Submission Form Summary: Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element Description: Clickjacking User Interface redress attack, UI redress attack, UI redressing is a malicious technique of tricking a Web user...
curl: Heap buffer overflow in TFTP when using small blksize
Summary: With a TFTP server that does not send OACK, but instead starts anyway with the first block at 512 bytes block size, the curl library fails to assume default 512 bytes blocks. Instead it detects EOF and does not return an error code. The consequence is a truncated file that is 512 bytes without...
Paragon Initiative Enterprises: Github wikis are editable by anyone https://github.com/paragonie/password_lock/wiki
submitted a misconfiguration in some of our GitHub repositories to us. Wikis are inherently editable for all users, but for some repositories an organization may want to restrict this access. In some cases it was possible for GitHub users . Github wikis on the following project...
Rockstar Games: The return of the <
In this report, the researcher was able to demonstrate a Stored XSS vulnerability in our Message system on the Social Club website. By taking advantage of the fact that '<' characters are normalized to '.͓̮̮ͅ=sW&͉̹̻͙̫̦̮̲͏̼̝̫́̕...
Shopify: any staff members have the ability to comment in [discounts] he/she can disable comment section it to other staff even the admin of the store
Hi, I found this cool behavior by mistake when I was testing some GraphQL: any user who has the ability to comment on discount codes in the discounts section can turn off comments for the other staff members, including the admin/manager of the store. This happens because when the GraphQL used to create a...
TomTom: Reflected Cross Site Scripting vuln in tomtom.com
Hello Tomtom security team I found a reflected cross site scripting security vulnerability in tomtom.com https://www.tomtom.com/nlnl/search/?q=27%22--%3E%3CDetails%20Open%20OnToggle=confirmdocument.domain%3E This payload when loaded displays the domain the XSS vulnerability occurs in www.tomtom.c...
Mail.ru: phpinfo
phpinfo was available at terrhq.ru subdomain...
Mail.ru: Phpinfo
phpinfo was available at terrhq.ru subdomain...
Razer US: Razer Synapse 3 Chromasdk.io Root CA with Private Key Re-use
The researcher found that a root certificate was preinstalled with the Chroma SDK with an exposed private key. He assisted us in testing a fix. This was integrated into the codebase in May and published at the end of June. We appreciate his assistance working with us on this issue. Razer Synapse 3...
Mail.ru: CSRF on Pandao image upload
Domain, site, application https://pandao.ru/ -- Don't forget to include site address / application name / version information https://pandao.ru/ Testing environment -- OS version, browser information, settings and prerequisites to reproduce vulnerability, testing tools used, etc Parrot OS Steps t...
Ruby on Rails: Specially constructed multi-part requests cause multi-second response times; vulnerable to DoS
The multi-part body parsing in Rack and consequently Rails has a worse-than-linear performance relative to the number of parts in the request body. In small scale i.e. non-disruptive tests on a variety of Rails applications on the internet, including my own, GitHub.com, Heroku API, Instacart,...
h1-5411-CTF: MemeCTF serial exploitation to local file read to Papertrail access via API-token leakage and more
Hi there dear CTF staff! First of all a huge thank you for the great challenge you put up! I've found it super exciting and the learning curve has been steep. For this case, I was first wondering if this is a part of the actual CTF, but after some inspecting, it surely doesn't seem so! I did even...
PayPal: [Venmo Android] Remote theft of user session
A URL activity in the Venmo application used the built-in android.net.Uri parser, which has a known logic problem with certain characters. If an external URL were passed from a website or other app on the device to the application activity, the app would open the URL without properly validating t...
DuckDuckGo: SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)
Hello, I saw that SSRF on proxy.duckduckgo.com is out of scope but because of the severity I wanted to report this. The payload is simple: curl "https://proxy.duckduckgo.com/iur/?f=1&imagehost=http://169.254.169.254/latest/meta-data/" Response from the server: ami-id ami-launch-index...
Internet Bug Bounty: DoS for HTTP/2 connections by crafted requests (CVE-2018-1333)
mod_http2 can be tricked by specially crafted requests to hold server resources longer than necessary. A simple demonstration of this for a server with h2c enabled is as follows: for x in seq 0 500; do echo...
VK.com: Access to administrator FAQ
Viewing of certain closed FAQ articles. The vulnerability allowed access to the "talmuds" vk.com/tlmdXXX, which store information for administrators and moderators of the VKontakte social network... Gaining access to admin information... @ 500$...