15300 matches found
Node.js third-party modules: [glance] Path Traversal in glance static file server allows to read content of arbitrary file
Hi Guys, There is a path traversal vulnerability in the glance module. This issue allows reading arbitrary files from the server where glance is installed. Module: glance, a quick disposable HTTP server for static files https://www.npmjs.com/package/glance Stats: 33 downloads in the last day, 34 downloads...
GitLab: GitLab CI runner can read and poison cache of all other projects
The GitLab CI runner allows users to cache files and directories in between runs. These files are stored in a ZIP file and uploaded to a shared cache instance. In my testing, the files were uploaded to runners-cache-4-internal.gitlab.com and runners-cache-3-internal.gitlab.com, even for dedicated...
VK.com: Blind XXE on pu.vk.com
Blind XXE vulnerability in processing of uploaded documents. Blind XXE vulnerability in processing of uploaded XML documents such as docx. The vulnerability was hard to exploit because no data retrieval channel except DNS worked...
Legal Robot: 2FA Error Handling on Google Authenticator
While searching for bugs in a recently launched 2FA feature, a security researcher discovered that client-side error handling for 2FA was incomplete and could cause confusing results for users. When 2FA failed, there was no error message returned to the client and the login progress spinner...
Starbucks: Possible SOP bypass in www.starbucks.com due to insecure crossdomain.xml
Hello. I was penetration testing your website, and noticed that your crossdomain.xml file allowed many sites access. I went through and, for all the sites that had .website.com with them, I scanned them for subdomains. I found that a subdomain for ███████.com a site in your crossdomain.xml as...
Udemy: Subdomain Takeover (and Stored XSS) via Trailing Dot at https://coding-exercises.udemy.com
Hello @Udemy! Summary ===== I previously reported a cross-site scripting vulnerability 222337 at coding-exercises.udemy.com. I recently discovered that GitBook-hosted sites are also vulnerable to subdomain takeovers due to a trailing dot vulnerability in the GitBook "Custom Domain" feature seen...
HackerOne: Subdomain takeover at info.hacker.one
Summary: Hi team, I've been able to take over the subdomain info.hacker.one; the CNAME entry for the subdomain points to an external page service, app.unbounce.com. Actual DNS entry: F156764 Steps to reproduce: 1. I have claimed the domain and placed a page for PoC validation located under: Go to -...
Open-Xchange: Directory listing
Hi @dovecot, Vulnerability description: The web server is configured to display the list of files contained in this directory. This is not recommended because the directory may contain files that are not normally exposed through links on the web site. Affected items: lists.dovecot.fi The impact of...
Nextcloud: \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype
The SabreDAV plugin \OCA\DAV\CardDAV\ImageExportPlugin is used for displaying pictures of a VCF. It registers on a GET request on a CardDAV element and acts when the query parameter photo is sent. The logic can be seen below: / Intercepts GET requests on addressbook urls ending with ?photo. @para...
HackerOne: Users contents on AWS is cacheable
Hi, Background ============================= As far as I know you are using AWS S3 for saving and serving files. The S3 bucket at https://hackerone-attachments.s3.amazonaws.com is called every time images are shown on hackerone.com. For example, view report 145392: you will see a request for Fran...
Coinbase: No authorization required in iOS device web-application
Hey, this is Ahsan Tahir! I've found an authorization issue in Coinbase! :- Issue ======= When we log in to Coinbase from a PC that is not authorized, it asks for authorization using a link sent to our email, and we have to authorize it by clicking that link in the email; but when we log in on an iOS device...
Internet Bug Bounty: Adobe Flash Player ShimContentResolver.configure Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimContentResolver.configure. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platform used for...
Pornhub: Public Facing Barracuda Login
The researcher identified that the mail.pornhub.com subdomain has a public facing web login for Barracuda Spam & Virus Firewall...
Internet Bug Bounty: Adobe Flash Player Race Condition Vulnerability
Adobe Flash Player is prone to a race condition vulnerability which leads to a use-after-free. A COM object will be initialized twice and uninitialized when the reference count is decremented to zero by the main thread. As we can force the second initialization to be called by a Worker thread, the...
HackerOne: CSV Injection via the CSV export feature
Hi, I have managed to bypass your fix for 72785 by submitting a report with a newline character (0x0a) in the title before the CSV formula. Steps to reproduce: 1. As a researcher, submit a report to a program with the title %0A-2+3+cmd|' /C calc'!D2, here is an example request: POST...
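The newline-before-formula bypass above is a good illustration of why a CSV export must look past the first byte of a field. The following is an added example in Ruby, not HackerOne's code or the fix that was bypassed: it contrasts a naive first-character check (my assumption about the shape of the bypassed defence) with one that skips leading control characters before deciding, using the title payload from the report, with the 0x0a prepended, as constructed sample input. The trigger-character list and function names are my own.

```ruby
require "csv"

# Characters that make common spreadsheet programs (Excel, LibreOffice Calc,
# Google Sheets) evaluate a cell as a formula when one of them leads the cell.
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# Naive defence (assumed shape of the bypassed fix): look only at the very
# first character of the field. A field that begins with "\n" is let through
# untouched even though the formula starts right after the newline.
def naive_sanitize(field)
  s = field.to_s
  FORMULA_TRIGGERS.include?(s[0]) ? "'#{s}" : s
end

# Hardened defence: skip any leading control characters and whitespace
# (0x00..0x20) before deciding; when the field is dangerous, drop those
# leading bytes, replace the remaining control characters and prefix a
# single quote so the spreadsheet stores the cell as text.
def hardened_sanitize(field)
  s = field.to_s
  stripped = s.sub(/\A[\x00-\x20]+/, "")
  return s unless stripped[0] && FORMULA_TRIGGERS.include?(stripped[0])
  "'" + stripped.gsub(/[\x00-\x1f]/, " ")
end

# Export rows through a chosen sanitizer. CSV quoting is left to the library,
# which is what keeps embedded commas, quotes and newlines intact.
def export_csv(rows, sanitizer)
  CSV.generate do |csv|
    csv << %w[id title]
    rows.each { |id, title| csv << [id, sanitizer.call(title)] }
  end
end

# Constructed sample input: the title from the report with a leading 0x0a.
PAYLOAD = "\n-2+3+cmd|' /C calc'!D2"

if $PROGRAM_NAME == __FILE__
  rows = [[1, PAYLOAD], [2, "Normal title"]]
  puts export_csv(rows, method(:naive_sanitize))     # payload passes through
  puts export_csv(rows, method(:hardened_sanitize))  # payload neutralised
end
```

The single-quote prefix is what spreadsheet programs honour as "store as text"; the important part is that the decision is made on the first visible character rather than on the first byte.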
Mail.ru: [parapa.mail.ru] SQL Injection
Good afternoon. Vulnerability type: time-based SQL injection. Vulnerable parameters: the parapauid and parapasid cookies. The vulnerability reproduces on many pages of the site, including the forum. PoC GET /forums/ HTTP/1.1 User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64 AppleWebKit/537.36 KHTML, like Gecko...
Urban Dictionary: URGENT - Subdomain Takeover in support.urbandictionary.com pointing to Zendesk
Hi. I found that one of your subdomains, http://support.urbandictionary.com/, can be taken over, i.e. it is vulnerable to subdomain takeover. If you visit the site you will see it say: No help desk at support.urbandictionary.com There is no help desk configured at this address. Thi...
Slack: Stored XSS in Slack (weird, trial and error)
Hi Slack. I found a weird, trial-and-error stored XSS in Slack... I hope you can get clear of this and get it too, and I hope you can find the XSS too. Anyway, here it is according to what I did: 1. Go to your Slack or create a new Slack team. 2. In slackbot, enter this payload: 3. Then, create ...
Sandbox Escape: Microsoft Internet Explorer ActiveX Broker Allows EPM Bypass
This vulnerability CVE-2015-1743 was reported to Microsoft on March 10, 2015 and has been patched via MS15-056 https://technet.microsoft.com/library/security/MS15-056. There is a security vulnerability in Microsoft Internet Explorer's ActiveX Broker. Successfully exploiting this vulnerability...
Mail.ru: http://fitter1.i.mail.ru/browser/ Graphite exposed to the world
http://fitter1.i.mail.ru/browser/ It is here. If http://fitter1.i.mail.ru/version/ is to be believed, the version is 0.9.10. It has RCE via pickle. http://www.rapid7.com/db/modules/exploit/unix/webapp/graphitepickleexec...
Coinbase: Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code
Hi, There's a simple bug here: the Coinbase Android app "Bitcoin Wallet" leaks the OAuth response code, which can be obtained using the adb logcat -s Coinbase command line for testing, and any Android application on the same phone can read the response code for the user by reading the logs. As of now...
RelateIQ: Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login
Here are the two identical values captured by intercepting the request; the values of JSESSIONID and the XSRF token remain the same before and after login: JSESSIONID=m8u0pm8mjvckm1ya8da4oqlfb0pd34iw38lr; XSRF-TOKEN=6B025F41D13BC02E9D658409BAC23F84; This could lead to further threats such as session hijacking etc...
Internet Bug Bounty: Flash local-with-fileaccess Sandbox Bypass
The attached proof of concept will exploit the implementation of Flash in some browsers to bypass the local-with-fileaccess sandbox. By encoding in ignored file:// URI characters and navigating to another page with a decoder script, one is able to read arbitrary files AND parse them to the...
HackerOne: Email spoofing
There are a few email spoofing tools available for free; one of them is http://emkei.cz/. When I tried to send an email from ███████ to my email, it was successful, but when I tried to send another from ██████, I did not receive any email. Hence, there might be some configuration missing in your mail...
Internet Bug Bounty: OpenSSH: Memory corruption in AES-GCM support
Vulnerability A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange. If exploited, this vulnerability might permit code execution with the privileges of the...
U.S. Dept Of Defense: IDOR leads to PII Leak
The vulnerability allowed the disclosure of other users' email addresses through Insecure Direct Object Reference IDOR. A user could access other users' profile information by modifying the user ID in the URL...
HackerOne: Hackers can Invite Collaborators Without 2FA on Programs Requiring 2FA
Vulnerability description not provided...
PlayStation: Remote vulnerabilities in spp
A vulnerability was discovered in the spp PPPoE implementation on the PS4/PS5. The vulnerability could allow a malicious PPPoE server to cause a heap buffer overwrite and overread, potentially leading to denial-of-service or remote code execution in kernel context. The vulnerability was caused by...
HackerOne: HackerOne SAML signup domain enforcement bypass results in unauthorized access to HackerOne PullRequest organization
A vulnerability was discovered where SAML signup domain enforcement for new signups belonging to SAML-enabled organizations could be bypassed by appending control characters, allowing unauthorized access. This was leveraged to access the HackerOne PullRequest organization and view source code in...
Nextcloud: Password reset endpoint is not brute force protected
The lostpassword flow in Nextcloud was missing brute force protection for the password reset endpoint, allowing attackers to potentially brute force the token without being throttled...
U.S. Dept Of Defense: Reflected XSS in ██████████
A reflected XSS vulnerability was found on one of the subdomains of a website. The vulnerability was present in the "militarybranch" parameter of the "NextRequestAccount.action" page. An attacker could exploit this vulnerability to execute XSS attacks and steal users' cookies, launch phishing...
Consensys: CSV Injection at https://assets-paris-demo.codefi.network/
Summary: Hi Consensys Security Team. I have found CSV injection when generating a report at https://assets-paris-demo.codefi.network/ CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Microsoft Excel or...
Cloudflare Public Bug Bounty: Ability to bypass locked Cloudflare WARP on wifi networks.
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint...
Cloudflare Public Bug Bounty: API docs expose an active token for the sample domain theburritobot.com
A screenshot featured on API token creation documentation page exposed a valid API token with permissions sufficient to modify DNS records of one of Cloudflare’s demo zones. The token has since been revoked...
GitHub: CSRF protection bypass in GitHub Enterprise management console
A path traversal vulnerability was identified in GitHub Enterprise Server management console that allowed the bypass of CSRF protections. This could potentially lead to privilege escalation. To exploit this vulnerability, an attacker would need to target a user that was actively logged into the...
IBM: Remote Code Execution at https://169.38.86.185/ (edst.ibm.com)
A discovered GitLab server was running an old version affected by RCE. This vulnerability could have allowed unauthenticated attackers to compromise the server using the public ExifTool exploit. The issue was reported to IBM and remediated...
Mail.ru: [samokat.ru] PHP modules path disclosure due to lack of error handling
Hi security team @mailru, we found an information disclosure in a PHP project on subsamokat.ru. On one side of the server, samokat.ru generates a full stack error trace instead of an HTTP 500 error. The complete error stack trace reveals the full path of the PHP configuration module directory on the...
Courier: Session Fixation allows an attacker to create a new evil workspace without being logged in [Insecure Session Management]
Hello, how are you? I hope you are doing great in this pandemic. While testing again for session-management-related bugs in your application, I found a session-related issue where an evil person can easily create a new workspace from the victim's account without being logged in, which means the session ...
Mail.ru: [185.30.178.57:8080] - Vulnerable to Jetleak
sfpc.euits.dev-my.games runs a Jetty web server vulnerable to JetLeak...
Brave Software: Brave Browser permanently timestamps & logs connection times for all v2 domains ~/.config/BraveSoftware/Brave-Browser/tor/data/tor.log
Summary: A vulnerability in Brave Browser v1.28.43 and below allows a local or physical attacker to view the exact timestamps at which a user connected to a v2 onion address. A local or physical attacker could read ~/.config/BraveSoftware/Brave-Browser/tor/data/tor.log and identify the exact moment a...
Nextcloud: Download of file with arbitrary extension via injection into attachment header
Description ----------- When downloading mail attachments, the app fails to properly escape quotes in the content disposition header. Because of this, an attacker can send a victim a file with a benign extension such as .txt or .png which when downloaded will be stored with a malicious extension...
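The attachment-header issue above comes down to how the filename parameter is built. As an added example in Ruby, not the Nextcloud Mail app's code or its fix, the following contrasts a naive Content-Disposition builder that interpolates the attachment name into a quoted-string with a hardened one that strips CR/LF, neutralises quotes and backslashes in the ASCII fallback and carries the real name in an RFC 5987 filename* parameter. The sample name is constructed, and the small parameter scanner exists only to show how many filename parameters a client would see; all function names are my own.

```ruby
# Naive builder (assumed shape of the flawed code): the user-controlled
# attachment name is dropped straight into the quoted-string parameter, so a
# name containing a double quote ends the parameter early and lets the sender
# append a second filename= of their own choosing.
def naive_disposition(filename)
  %(attachment; filename="#{filename}")
end

# Hardened builder: remove CR/LF/NUL (header injection), neutralise quotes and
# backslashes in the ASCII fallback so the quoted-string cannot be closed
# early, and carry the real name, percent-encoded, in an RFC 5987 filename*
# parameter so non-ASCII names survive without ever being unquoted.
def hardened_disposition(filename)
  name = filename.to_s.delete("\r\n\0")
  ascii = name.gsub(/["\\]/, "_")
              .encode("US-ASCII", invalid: :replace, undef: :replace, replace: "_")
  encoded = name.b.gsub(/[^A-Za-z0-9.\-_~]/) { |c| format("%%%02X", c.ord) }
  %(attachment; filename="#{ascii}"; filename*=UTF-8''#{encoded})
end

# Small parameter scanner, only here to show what a client would see: a list
# of [parameter-name, raw-value] pairs for every filename / filename* present.
def filename_params(header)
  header.scan(/;\s*(filename\*?)=("(?:[^"\\]|\\.)*"|[^;]*)/)
end

# Reverses the percent-encoding used above for the filename* value.
def percent_decode(value)
  value.b.sub(/\AUTF-8''/, "")
       .gsub(/%([0-9A-F]{2})/) { $1.hex.chr }
       .force_encoding("UTF-8")
end

# Constructed sample: a "benign" .txt name that smuggles an .exe name.
EVIL_NAME = 'notes.txt"; filename="notes.exe'

if $PROGRAM_NAME == __FILE__
  puts naive_disposition(EVIL_NAME)     # two filename= parameters
  puts hardened_disposition(EVIL_NAME)  # one filename=, one filename*=
end
```

Most web frameworks ship a helper that does the filename* encoding; the point of spelling it out is that the attacker-controlled name must never reach the header as a raw quoted-string.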
VK.com: Open redirect in a bot message carousel
Open redirect in chat-bot carousels. The vulnerability allows redirecting the user to a malicious link from a carousel, bypassing away.php...
Nextcloud: Default settings leak federated cloud id to lookup server of all users
So with the default settings Nextcloud still sends requests to the lookup server if users update their profile, even if none of the fields are set to 'published'. I must admit this is somewhat of a surprise as there is no reason for this. As long as the visibility of none of the fields change and...
Nextcloud: Unexpected federated shares added via public link
So I'm not 100% sure if this is a security issue or not. But it is in my opinion at least unexpected and could be handled better to make sure people trust the system. 1. Get a public link share (again, plenty of those around). 2. Click 'add to your Nextcloud'. 3. A federated share is added/create...
Mail.ru: Path traversal on bank.mail.ru ( CVE-2013-3827 )
Defects in Oracle’s JSF2 implementation allowed limited path traversal in tbank.mail.ru...
Topcoder: Reflected XSS on https://apps.topcoder.com/wiki/page/
Summary: Hi: A reflected XSS occurs on https://apps.topcoder.com/wiki/pages/doeditattachment.action when editing wiki page attachments. Steps To Reproduce: A user can add attachments on https://apps.topcoder.com/wiki/pages/viewpageattachments.action?pageId=165871793 (a wiki page) and can edit on...
Mail.ru: XSS in [community.my.games]
Cross-site scripting in community.my.games via post comments. All we say is thank you for an account takeover flaw!...
Mail.ru: SSRF in clients.city-mobil.ru
Limited non-blind SSRF in clients.city-mobil.ru (the report was submitted before the launch of a dedicated bug bounty scope for Citymobil). Non-blind SSRF in apt-cacher, used for getting software updates, allowing limited requests to internal services...
Ruby: WEBrick::HTTPAuth::DigestAuth authentication is vulnerable to regular expression denial of service (ReDoS)
The private instance method split_param_value in class WEBrick::HTTPAuth::DigestAuth uses a regular expression that is vulnerable to denial of service due to catastrophic backtracking. The regular expression is: /^\s*([\w\-\.\*\%\!]+)=\s*\"((\\.|[^\"])*)\"\s*,?/ Source:...
Internet Bug Bounty: DOS in stream filters
See bug report https://bugs.php.net/bug.php?id=76249; it is as simple as one process running in an endless loop. Impact: DoS, the process ends up in an endless loop; CPU, available PHP processes, or both on the affected system get easily exhausted...