Internet Bug Bounty: Race condition in Flash workers may cause an exploitable double free
The issue occurs while sharing a bytearray between two workers. If both call bytearray.clear at the same time, Flash does not correctly handle the race and may double free the array. Identified as CVE-2014-0574, and reported to Adobe via Chrome VRP:...
Square: malicious file upload
I found my payload in the EXIF header and it works. Link: https://www.bookfresh.com/upload/75084df285f94f6790a250fe516fef04test.php.jpg...
HackerOne: Anti-MIME-Sniffing header X-Content-Type-Options header has not been set.
Hi, the following host "profile-photos-user-content.hackerone.com" does not set the X-Content-Type-Options header to nosniff. If a malicious user is able to upload an image with script content (possible within the comments metadata), Internet Explorer up to IE8 might render the content as JavaScri...
Yahoo!: information disclosure (LOAD BALANCER + URI XSS)
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Coinbase: Cookie missing the HttpOnly flag
Hello Coinbase, I am Saikiran. I am a security researcher. While I was going through your site I found that your website does not set the HttpOnly flag for its cookies. It is not a vulnerability, but it is a new improvement and improves the security of your site. If you're not aware of the HttpOnly flag, here is...
OkCupid: Instagram Authentication - No Request Token
Hello, On OkCupid, you have the ability to connect your Instagram account. This will sync any photos from your account onto your profile. This is performed by browsing to https://www.okcupid.com/okphotos/okinstagram.html, which will redirect to Instagram for the user to authorise the request. Onc...
RelateIQ: Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login
Here are two identical values captured by intercepting the request; the values of JSESSIONID and XSRF-TOKEN remain the same before and after login: JSESSIONID=m8u0pm8mjvckm1ya8da4oqlfb0pd34iw38lr; XSRF-TOKEN=6B025F41D13BC02E9D658409BAC23F84; This could lead to further threats such as session hijacking etc...
HackerOne: Email spoofing
There are a few email spoofing tools available for free; one of them is http://emkei.cz/. When I tried to send an email from ███████ to my email, it was successful, but when I tried to send another from ██████, I did not receive any email. Hence, there might be some configuration missing in your mail...
Internet Bug Bounty: Permission model improperly protects against path traversal in Node.js 20
A path traversal vulnerability was introduced in Node.js 20 due to insufficient patching of CVE-2023-30584. The vulnerability arises because the permission model implementation does not protect itself against the application overwriting built-in utility functions like path.resolve with user-defin...
U.S. Dept Of Defense: Adobe ColdFusion Access Control Bypass - CVE-2023-38205
A vulnerability in Adobe ColdFusion was discovered that allowed bypassing access controls by using malicious path traversal in URLs targeting the /CFIDE/wizards/common/utils.cfc endpoint. This enabled attackers to reach endpoints that should have been restricted. The issue affected Adobe ColdFusi...
Snapchat: internal dev tokens disclosure
Sensitive internal development information was inadvertently disclosed in the commit history of the open-source project Keydb, which was made public by Snapchat. This included a Personal Access Token (PAT) used for GitHub authentication, which could have been exploited by malicious actors...
U.S. Dept Of Defense: Reflected XSS in ██████████
A reflected XSS vulnerability was found on one of the subdomains of a website. The vulnerability was present in the "militarybranch" parameter of the "NextRequestAccount.action" page. An attacker could exploit this vulnerability to execute XSS attacks and steal user's cookies, launch phishing...
Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields
Summary: The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling. Description: The following chunked request is processed. It should be rejected as Transfer-Encoding header obfuscatio...
Slack: Bypass invite accept for victim
Vulnerability description not provided...
Node.js: DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)
Summary: This is an insufficient fix of CVE-2022-32212, which itself is a fix of CVE-2018-7160. There exists a specific behaviour in browsers on macOS devices when handling the http://0.0.0.0 URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving host...
Stripe: Bypass global deny-lists by wrapping domains using "[]" in https://github.com/stripe/smokescreen
The Smokescreen proxy is an open source project written and maintained by Stripe to restrict the URLs that internal services can connect to. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks, in which external attackers leverage the behavior of our...
GitHub Security Lab: [Java]: Add JDBC connection SSRF sinks
This bug was reported directly to GitHub Security Lab...
Adobe: DoS of https://research.adobe.com/ via CVE-2018-6389 exploitation
The researcher successfully exploited CVE-2018-6389 on https://research.adobe.com/. We appreciate the collaboration and the responsible disclosure...
RubyGems: Dependency repository hijacking aka Repo Jacking from GitHub repo rubygems/bundler-site & rubygems/bundler.github.io + bundler.io docs
Dependency repository hijacking aka repo jacking is an obscure supply chain vulnerability, conceptually similar to subdomain takeover. When the linked repository owner changes their username, it becomes immediately available to be re-registered by anyone. This means that any project that linked...
TikTok: reflected xss on the path m.tiktok.com
A cross site scripting vulnerability was found in Ambassador Manage endpoint. We thank @semsem123 for reporting this to our team...
Traffic Factory: WordPress Plugin Update Confusion at trafficfactory.com
Hi, I'm currently researching a "novel" supply chain attack affecting WordPress plugins, and I believe your website might be vulnerable. The way it works is similar to a recent Dependency Confusion attack, where a malicious actor can take over internal packages unclaimed on PyPI / npm registry. I...
Affirm: IDOR to view order information of users and personal information
Summary: Broken access control is the method of controlling which users can perform a certain type of action or view a set of data. Broken access control is a vulnerability that allows an attacker to circumvent those controls and perform more actions than they are allowed to, or view content they...
Localize: Stored XSS in Document Title
Summary : Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS ...
QIWI: Subdomain Takeover on 1c-start.tochka.com pointing to unbouncepages
Actually this report is the same as this one: https://hackerone.com/reports/38007. Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub Pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on t...
Mail.ru: Blind Stored XSS and CORS misconfiguration in the "Events" report of the top.mail.ru service
Details: Before starting, I would like to note that the XSS rules state "including privilege escalations within the product are accepted without bounty"; however, the victim's cookies obtained this way are not bound to the product domain top.mail.ru. Here is an example. Cookies: ██████████ Domain, site,...
Bumble: Exfiltrating a victim's exact location (to within 5m)
I used Bumble's distance feature to exfiltrate the exact location to within approx 5m of a victim. I did this by using the Bumble API to move my attacker account's location around the approximate area of the victim. I was able to obtain the exact distance between attacker and victim at 3 separate...
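The last step of the attack described above is ordinary trilateration: three attacker positions plus the distance the service reports from each pin down the target. The block below is an added example, not Bumble's code or the reporter's tooling. It works in a local flat metre grid (east/north offsets from an arbitrary origin, accurate enough over a few hundred metres), and its probe positions, target and 5 m distance quantisation are constructed assumptions rather than the app's real behaviour.

```javascript
// Added example (not Bumble's code or the reporter's tooling): recovering a
// target's position from three attacker positions and the distance reported
// at each. Coordinates are metres in a local flat grid; the sample points and
// the 5 m quantisation are constructed for the demonstration.

// Solves for (x, y) from three circles (xi, yi, di). Subtracting circle 1 from
// circles 2 and 3 cancels the quadratic terms and leaves a 2x2 linear system,
// solved here by Cramer's rule.
function trilaterate(p1, p2, p3) {
  const A = 2 * (p2.x - p1.x), B = 2 * (p2.y - p1.y);
  const C = p1.d ** 2 - p2.d ** 2 - p1.x ** 2 + p2.x ** 2 - p1.y ** 2 + p2.y ** 2;
  const D = 2 * (p3.x - p1.x), E = 2 * (p3.y - p1.y);
  const F = p1.d ** 2 - p3.d ** 2 - p1.x ** 2 + p3.x ** 2 - p1.y ** 2 + p3.y ** 2;
  const det = A * E - B * D;
  if (Math.abs(det) < 1e-9) throw new Error('probe positions must not be collinear');
  return { x: (C * E - B * F) / det, y: (A * F - C * D) / det };
}

const dist = (a, b) => Math.hypot(a.x - b.x, a.y - b.y);

// Simulates the attack: the attacker moves to each probe position, the service
// reports the attacker-to-target distance (quantised to stepMetres, a stand-in
// for the app's granularity), and trilaterate() turns the three readings into
// a position estimate. Returns the estimate and its error against the truth.
function simulate(target, probes, stepMetres = 5) {
  const measured = probes.map(p => {
    const exact = dist(p, target);
    return { ...p, d: Math.round(exact / stepMetres) * stepMetres };
  });
  const estimate = trilaterate(measured[0], measured[1], measured[2]);
  return { estimate, errorMetres: dist(estimate, target) };
}
```

With a 300 m baseline between probes and distances rounded to 5 m, the position error stays in the low single-digit metres, which is why a distance feature with that resolution leaks a near-exact location. The defence is to degrade the signal itself (coarser buckets, randomised jitter, rate limits on location updates), not to hide the arithmetic.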
HackerOne: Report Bulk endpoint "agree-on-going-public" action may reveal Report disclosure state for invite-only programs
Hello, hope you are doing well. SUMMARY - In HackerOne a user doesn't have permission to perform any action like "disclosing/undisclosing" on a disclosed report. - Here the user can send the "cancel-disclosure-request" request to the server and the server accepts the request and gives a 200 OK response with "flash":"The...
Nextcloud: Download of file with arbitrary extension via injection into attachment header
Description: When downloading mail attachments, the app fails to properly escape quotes in the Content-Disposition header. Because of this, an attacker can send a victim a file with a benign extension such as .txt or .png which, when downloaded, will be stored with a malicious extension...
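To see why an unescaped quote in that header matters, it helps to put a vulnerable header builder next to a correct one and parse both the way a client would. The block below is an added example and is not the Nextcloud Mail code; the builder and parser names are hypothetical, and the toy parser models one lenient client behaviour (last duplicate parameter wins), which real clients do not all share.

```javascript
// Added example (not the Nextcloud Mail code): how an unescaped double quote
// in a Content-Disposition filename lets an attacker change the name the
// client saves under, beside a builder that escapes correctly. The builder
// and parser names are hypothetical.

// Vulnerable: the attacker-chosen name is dropped straight into the quoted-string.
function buildDispositionVulnerable(filename) {
  return `attachment; filename="${filename}"`;
}

// Hardened: remove CR/LF and other control bytes (header injection), escape
// backslash and double quote as RFC 7230 quoted-string syntax requires, and
// also send an RFC 6266/5987 filename* parameter so non-ASCII names are
// carried unambiguously.
function buildDispositionSafe(filename) {
  const clean = filename.replace(/[\x00-\x1f\x7f]/g, '');
  const escaped = clean.replace(/([\\"])/g, '\\$1');
  const asciiOnly = escaped.replace(/[^\x20-\x7e]/g, '_');
  return `attachment; filename="${asciiOnly}"; filename*=UTF-8''${encodeURIComponent(clean)}`;
}

// Toy client-side parser: honours quoted-strings with backslash escapes and,
// for a parameter that appears twice, keeps the last value. Real clients differ
// in how they treat duplicates; this models a lenient one.
function parseDisposition(value) {
  const params = {};
  let i = value.indexOf(';');
  const type = value.slice(0, i < 0 ? value.length : i).trim();
  while (i >= 0 && i < value.length) {
    i++; // step over ';'
    while (i < value.length && value[i] === ' ') i++;
    const eq = value.indexOf('=', i);
    if (eq < 0) break;
    const name = value.slice(i, eq).trim().toLowerCase();
    i = eq + 1;
    let val = '';
    if (value[i] === '"') {
      i++;
      while (i < value.length && value[i] !== '"') {
        if (value[i] === '\\' && i + 1 < value.length) { val += value[i + 1]; i += 2; }
        else { val += value[i]; i++; }
      }
      i = value.indexOf(';', i + 1); // continue after the closing quote
    } else {
      let end = value.indexOf(';', i);
      if (end < 0) end = value.length;
      val = value.slice(i, end).trim();
      i = end;
    }
    params[name] = val;
  }
  return { type, params };
}

// The name a client following RFC 6266 would save: filename* wins when present.
function savedFilename(headerValue) {
  const { params } = parseDisposition(headerValue);
  const ext = params['filename*'];
  if (ext) {
    const m = /^([^']*)'[^']*'(.*)$/.exec(ext);
    if (m && /^utf-8$/i.test(m[1])) return decodeURIComponent(m[2]);
  }
  return params.filename;
}
```

With the vulnerable builder, an attachment named `report.txt"; filename="payload.exe` produces two `filename` parameters and the client saves `payload.exe`; with the hardened builder the client's idea of the filename is exactly the string the server validated, so any server-side extension allow-list actually covers what lands on disk.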
GitHub Security Lab: [JAVA]: CWE-347 - Improper Verification of Cryptographic Signature : Potential for Auth Bypass
This bug was reported directly to GitHub Security Lab...
Nextcloud: index.php/apps/files_sharing/shareinfo endpoint is not properly protected
When federated shares between two Nextclouds are created they do not use standard WebDAV to communicate. But to obtain the file list they seem to use the SERVER/index.php/apps/files_sharing/shareinfo endpoint. Unlike the other endpoint for tokens like public link shares, there is no brute force...
Ruby: OS Command Injection in 'rdoc' documentation generator
Details: If the remove_unparseable function receives a list of files with a command in the name of one of them, it will be executed. It is enough for the name to match the pattern. The problem code (Ruby): def remove_unparseable files files.reject do |file, *| file =...
Topcoder: IDOR at https://fast.trychameleon.com/observe/v2/profiles/ via uid parameter discloses users' PII data
Summary: Hello, an API on apps.topcoder.com/forums/ exposes the email of any user on topcoder.com and some PII (name, surname, id). Steps To Reproduce: 1. Create a profile at topcoder.com 2. Go to apps.topcoder.com/forums and log in to the forum 3. Enter any topic, example:...
h1-ctf: 12 Days of Hacky Holidays write-up, but as a text-based RPG?
The flags are - flag48104912-28b0-494a-9995-a203d1e261e7 - flagb7ebcb75-9100-4f91-8454-cfb9574459f7 - flagb705fb11-fb55-442f-847f-0931be82ed9a - flag972e7072-b1b6-4bf7-b825-a912d3fd38d6 - flag2e6f9bf8-fdbd-483b-8c18-bdf371b2b004 - flag18b130a7-3a79-4c70-b73b-7f23fa95d395 -...
Node.js: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Summary: Node.js http2 server is vulnerable against denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new...
Mail.ru: CVE-2020-3187 on the IP address 91.231.115.30
CVE-2020-3452 on webvpn.city-srv.ru...
BugPoC: Strict Transport Security Misconfiguration
Hello, I have found a security vulnerability. The vulnerable URL: https://bugpoc.com/icons/bandage.svg Summary: The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact ...
Mail.ru: Ability to create a channel in a group where the user is not an admin [my.games]
Privilege escalation in chat management functionality on store.my.games...
Kubernetes: CVE-2019-11250 remains in effect.
Report Submission Form Summary: "CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs" remains in effect. Kubernetes Version: Affects at least all versions since 1.4. - This was determined with some git archaeology. This was determined by following the code snippet from its current...
Mail.ru: [webvpn.city-srv.ru] Path traversal via CVE-2020-3452
CVE-2020-3452 on webvpn.city-srv.ru...
GitLab: Ability To Delete User(s) Account Without User Interaction
Summary: GitLab allows its users to exercise their GDPR rights (right to access/delete user data) by sending an email to [email protected]; however, the GitLab team doesn't ask for a security question, i.e. date of birth, before deleting the user account, and moreover doesn't authenticate the incoming emails...
Staging.every.org: Race Condition when following a user
Summary: Hi team, there is a race condition vulnerability when following a user. If you send the Follow requests asynchronously, you can follow a user multiple times instead of getting an error message. I've been using the Turbo Intruder extension in Burp Suite for trying race condition attacks. I can...
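The bug class behind that report is a check-then-act window: the handler reads "not following yet", awaits a database write, and every request that arrived during the await passed the same check. The block below is an added example, not every.org's code, and its store, handler names and simulated round trip are hypothetical. It shows the vulnerable shape next to one where the check and the reservation happen in a single synchronous step, the in-process equivalent of a UNIQUE constraint on (follower, target).

```javascript
// Added example (not every.org's code): the check-then-act pattern behind a
// "follow a user multiple times" race, and a fix that makes the check and the
// reservation one indivisible step. Store and handler names are hypothetical;
// the delay stands in for a database round trip.
const dbRoundTrip = () => new Promise(resolve => setTimeout(resolve, 5));

function makeStore() {
  return { follows: [], reserved: new Set() };
}

// Vulnerable: every concurrent request reads "not following yet", then all of
// them await the write. Nothing between the read and the write stops the others.
async function followVulnerable(store, follower, target) {
  const exists = store.follows.some(f => f.follower === follower && f.target === target);
  if (exists) return false;
  await dbRoundTrip();
  store.follows.push({ follower, target });
  return true;
}

// Hardened: claim the (follower, target) key synchronously before the first
// await, so only one request can win. In a real service the database enforces
// this with a UNIQUE constraint on (follower, target) and an insert that
// ignores (or reports) the conflict.
async function followAtomic(store, follower, target) {
  const key = `${follower}\u0000${target}`;
  if (store.reserved.has(key)) return false;
  store.reserved.add(key);
  try {
    await dbRoundTrip();
    store.follows.push({ follower, target });
    return true;
  } catch (err) {
    store.reserved.delete(key); // release the claim if the write fails
    throw err;
  }
}

// Fires n requests at once, the way Turbo Intruder does, and returns how many
// follow rows ended up in the store.
async function burst(handler, n = 10) {
  const store = makeStore();
  await Promise.all(Array.from({ length: n }, () => handler(store, 'attacker', 'victim')));
  return store.follows.length;
}
```

`burst(followVulnerable, 10)` ends with ten follow rows for the same pair, because all ten handlers run their check before any timer fires; `burst(followAtomic, 10)` ends with one. The in-memory Set only works within a single process, which is why the durable fix is the database constraint the comment names.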
BugPoC: Improper use of "path" parameter can be used to trick testers into leaking their Front-End PoC
Summary: In https://bugpoc.com/testers/front-end, the populateFromFragment function incorrectly assigns hash parameter path to the subdomain element, allowing the "Test" functionality of the Front-End PoC Generator to open a popup on any domain instead of the expected web.bugpoc.ninja. It can be...
InnoGames: Stored XSS on recruit.innogames.de
Summary: When applying for a Supporter/Moderator job at recruit.innogames.de the drop-down field "Position" is vulnerable to a stored XSS as the content is not validated. Description: Steps To Reproduce: 1. Visit https://recruit.innogames.de/staemme/de/index/page/show/apply 2. Fill out all requir...
h1-ctf: [H1-2006 2020] I successfully solved it!
Hello, I'll get post there the write-up soon. Here is flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Sincerely, @zeroxyele Impact null...
Mail.ru: Information Disclosure on {http://pro.tracker.my.com}
Prometheus performance metrics were publicly available on pro.tracker.my.com...
Open-Xchange: Null pointer dereference in SMTP server function smtp_string_parse
Sending the following bytes to the SMTP server induces a NULL pointer dereference...
Mail.ru: Stored XSS at branded site in .mail.ru domain
Stored XSS via URL markdown on the mail.ru subdomain delegated to external service...
MobiSystems Ltd.: Firebase Firestore insecure database
Summary: The app is exposing a firebase database url that has no read/write protections. Steps To Reproduce: 1. Decompile the Android app 2. Do a string search for firebasedatabase 3. Use the project name i.e. msdict-dev in combination with the Firestore REST API to modify the database. Supportin...
Razer: [IDOR] API endpoint leaking sensitive user information
Summary: Hi, the backend on the insider.razer.com website seems to be using XenForo. Some actions on the api.php have been left misconfigured by the developers, which lead to leaking of sensitive information. Steps To Reproduce: 1. Go to a random user's profile, say,...
Starbucks: WAF bypass via double encoded non standard ASCII chars permitted a reflected XSS on response page not found pages - (629745 bypass)
Summary: Report 629745 not properly resolved: "Many Starbucks websites are vulnerable to cross-site scripting on 404 pages because double quotes lack sanitizing in hidden input tags, which leads to JavaScript execution". Description: Report 629745 caught my attention, so I began testing the WAF t...