HackerOne: Ability to escape database transaction through SQL injection, leading to arbitrary code execution
HackerOne has an internal backend interface that gives debugging capabilities to its engineers. One of the features is the ability to run EXPLAIN ANALYZE queries against a connected database. This feature is accessible by a handful of engineers. The feature is vulnerable to a SQL injection that...
Reddit: Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability
Summary: There's no check whether the user is a moderator of the particular subreddit while trying to access the mod logs via gql.reddit.com using the operation id. You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to the mod logs of...
Cloudflare Public Bug Bounty: Completely remove VPN profile from locked WARP iOS client.
It was possible for a user to delete the VPN profile from the WARP mobile client on iOS despite the Lock WARP switch feature being enabled on the Zero Trust platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform. The issue was fixed in Warp...
Cloudflare Public Bug Bounty: Sign in with Apple works on existing accounts, bypasses 2FA
It was possible to bypass configured Cloudflare 2FA when logging in to a Cloudflare account using Apple ID authentication flow. A malicious actor could access a Cloudflare account by setting up an Apple ID account using e-mail address matching the one used to set up the targeted account. The issu...
GitHub Security Lab: [Python]: Add Server-side Request Forgery sinks
This bug was reported directly to GitHub Security Lab...
Shopify: XSS triggered in Your-store.myshopify.com/admin/apps/shopify-email/editor/****
Hi team, I have found a stored XSS in shopify-email. Reproduction Instructions / 1. Configure shopify-email for Shopify stores at https://apps.shopify.com/shopify-email 2. Go to Your-store.myshopify.com/admin/apps/shopify-email/template-branding 3. Change F1607675 with " and click Save. 4. Now select any...
TikTok: Clickjacking Vulnerability Can Lead To Deleting Developer App
A clickjacking vulnerability was found on a TikTok subdomain, where an attacker could trick another user into deleting the Developer App. We thank @rioncool22 for reporting this to our team...
Panther Labs: Broken subdomain takeover of runpanther which was pointing towards herokuapp
An outdated link on our public blog pointed to a decommissioned Slack sign-up app hosted on Heroku for our also-decommissioned open source Slack community. The reporter was able to re-register the decommissioned subdomain with his own Heroku account...
Semrush: php info file and sql backup at vendor's subdomain
Researcher found an open /phpinfo.php and an SQL backup from an MVP app at a vendor's subdomain. There was no sensitive data...
Reddit: No Password Length Restriction leads to Denial of Service
Hey, when I try to set the password while creating an account I noticed that you haven't kept any password limit. You need to decrease the password length: There are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource consumption on behalf of...
GitHub Security Lab: [GO]: CWE-326: Insufficient key size
This bug was reported directly to GitHub Security Lab...
Nextcloud: public webdav endpoint not bruteforce protected
Again related to https://hackerone.com/reports/1173684 I am having some trouble finding the code. However if you do curl -u "RANDOM1:RANDOM2" -X PROPFIND https://server/public.php/webdav And then check your ocbruteforceattempts table. You'll see there is no entry registered. Impact Low just like ...
HackerOne: Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token.
Details Title: Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token. Risk: High Impact: High Exploitability: High Target: baseurl parameter on UpdatePhabricatorIntegration mutation at /graphql endpoint. Introduction Sensitive data...
Palo Alto Software: [Bypass #870709] Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/
Hi team, I found bypass of report 870709. Just by using X-Forwarded-For: 127.0.0.1 you can again get access to global admin page. Bypass request Request GET /pagespeed-global-admin/ HTTP/1.1 Host: webtools.paloalto.com X-Forwarded-For: 127.0.0.1...
TikTok: Multiple bugs leads to RCE on TikTok for Android
A series of WebView vulnerabilities were found including XSS which could have potentially led an attacker to achieve remote code execution. We thank @dphoeniixx for reporting this to our team and verifying the resolution!...
h1-ctf: Solution for hackyholiday
Summary: Since there is a reward for the first 10 submissions, I'll start by providing the flags: flag48104912-28b0-494a-9995-a203d1e261e7 flagb7ebcb75-9100-4f91-8454-cfb9574459f7 flagb705fb11-fb55-442f-847f-0931be82ed9a flag972e7072-b1b6-4bf7-b825-a912d3fd38d6...
U.S. Dept Of Defense: IDOR + Account Takeover [UNAUTHENTICATED]
1- Open the burp suite. 2- Switch the "Repeater" tab. 3- Paste the content of the attached request into the repeater. 4- Replace the "UID2 = 4820041" value in the cookie with the ID value of the user to be attacked. Also write the user's email in the "userName" input. 5- Replace the victim user's...
Zivver: Two-factor authentication can be disabled when logged in without 2fa or password confirmation
When a user performed sensitive actions on an account, he/she didn't have to provide his/her password after some inactivity. This issue is now addressed and to perform actions related to account security, the user has to provide his/her password before continuing...
DigitalOcean: Blind XSS via Digital Ocean Partner account creation form.
Summary: Blind Cross-Site Scripting (XSS) was discovered at the Digital Ocean Partners admin panel/dashboard where an attacker can run arbitrary JavaScript code at the victims' end. Due to the absence of the HttpOnly cookie flag, an attacker can successfully steal the cookies of the user and use them to login to...
Shopify: Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition)
Hello, Description: --------------------- The subdomain at https://help.tictail.com has an unclaimed CNAME record tictail.zendesk.com . I checked the username availability in the signup process at zendesk, it was observed that the subdomain is vulnerable to a subdomain takeover which allows an...
Helium: HTTP request Smuggling
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being awa...
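The inconsistency described above is easiest to see in code. The following is an added example, not code from the Helium report: it splits one constructed byte stream into HTTP requests twice, once the way an entity that honours Content-Length would (the "CL" view) and once the way an entity that honours Transfer-Encoding: chunked would (the "TE" view). The sample request, the host name and the smuggled GET line are all constructed for this illustration.

```python
"""CL.TE request smuggling: two parsers, one byte stream, two different request boundaries."""


def parse_headers(head: bytes) -> dict:
    """Return a lower-cased header name -> value map for one request head (request line excluded)."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def chunked_length(body: bytes) -> int:
    """Number of bytes a chunked-encoding parser consumes before the message ends."""
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            # terminating chunk: the message ends at the empty line that follows it
            end = body.index(b"\r\n", pos)
            return end + 2
        pos += size + 2  # chunk data plus its trailing CRLF


def split_requests(raw: bytes, prefer: str) -> list:
    """Cut a byte stream into requests the way an entity with the given preference would.

    prefer="cl": body length taken from Content-Length (Transfer-Encoding ignored).
    prefer="te": a chunked body is honoured when present, otherwise Content-Length.
    """
    requests = []
    rest = raw
    while rest:
        head, sep, body = rest.partition(b"\r\n\r\n")
        if not sep:
            # no complete header block yet: this is the prefix of a request still being received
            requests.append(rest)
            break
        headers = parse_headers(head)
        chunked = headers.get("transfer-encoding", "").lower() == "chunked"
        if prefer == "te" and chunked:
            consumed = chunked_length(body)
        else:
            consumed = int(headers.get("content-length", "0"))
        requests.append(head + sep + body[:consumed])
        rest = body[consumed:]
    return requests


# Constructed sample: a POST whose Content-Length covers the whole payload, while the chunked
# encoding ends after the empty "0" chunk, leaving the smuggled GET line for the next request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nX-Ignore: x"
BODY = b"0\r\n\r\n" + SMUGGLED
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + BODY
)


def front_end_view() -> list:
    """What a Content-Length-honouring front end forwards: one request."""
    return split_requests(SAMPLE_REQUEST, "cl")


def back_end_view() -> list:
    """What a chunked-honouring back end sees: the POST, then the start of a second request."""
    return split_requests(SAMPLE_REQUEST, "te")


if __name__ == "__main__":
    for name, view in (("front end (CL)", front_end_view()), ("back end (TE)", back_end_view())):
        print(f"{name}: {len(view)} request(s)")
        for req in view:
            print("   ", req.split(b"\r\n", 1)[0])
```

The front end forwards a single request because Content-Length spans the whole payload; the back end terminates the chunked body at the zero chunk and treats the remaining bytes as the prefix of the next request on the connection, so the smuggled `GET /admin` line is prepended to whatever the next client sends. Normalising or rejecting requests that carry both headers at the first hop removes the ambiguity.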
Mail.ru: SQL LIKE clauses wildcard injection
LIKE clause was misused for session validation in one of the https://c-api.city-mobil.ru/v2 API calls, allowing character-by-character session brute force. The session validation logic mistakenly allowed wildcards in the authorization token...
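To make the character-by-character attack concrete, here is an added example that is not code from the Mail.ru report. It uses an in-memory SQLite table (a constructed schema, not the real API's) to contrast a validation query built on LIKE with one built on equality, and shows how a prefix plus `%` recovers the token in at most alphabet-size queries per position instead of alphabet-size to the power of the token length.

```python
"""SQL LIKE wildcard injection: recovering a session token one character at a time."""
import sqlite3
import string

ALPHABET = string.ascii_lowercase + string.digits  # assumed token alphabet
TOKEN_LEN = 12                                     # assumed token length


def make_db(token: str) -> sqlite3.Connection:
    """Constructed sessions table holding a single valid token (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (token TEXT NOT NULL, user_id INTEGER NOT NULL)")
    conn.execute("INSERT INTO sessions VALUES (?, ?)", (token, 42))
    return conn


def validate_vulnerable(conn: sqlite3.Connection, presented: str) -> bool:
    """Misuse of LIKE: '%' and '_' inside the presented token act as wildcards,
    so the parameter binding does not help here."""
    row = conn.execute(
        "SELECT user_id FROM sessions WHERE token LIKE ?", (presented,)
    ).fetchone()
    return row is not None


def validate_fixed(conn: sqlite3.Connection, presented: str) -> bool:
    """Equality comparison: the token must match exactly."""
    row = conn.execute(
        "SELECT user_id FROM sessions WHERE token = ?", (presented,)
    ).fetchone()
    return row is not None


def brute_force(conn: sqlite3.Connection, validate, length: int = TOKEN_LEN,
                alphabet: str = ALPHABET):
    """Extend a known prefix by one character per round using 'prefix<char>%'.

    Returns (recovered_token, queries_used), or (None, queries_used) when no
    candidate matched, which is what happens against the fixed validator.
    """
    known = ""
    queries = 0
    while len(known) < length:
        for ch in alphabet:
            queries += 1
            if validate(conn, known + ch + "%"):
                known += ch
                break
        else:
            return None, queries
    return known, queries


if __name__ == "__main__":
    secret = "k7f2p9q1z0ab"  # constructed token for the demo
    conn = make_db(secret)
    print("LIKE validator accepts bare '%':", validate_vulnerable(conn, "%"))
    print("equality validator accepts bare '%':", validate_fixed(conn, "%"))
    print("brute force vs LIKE:", brute_force(conn, validate_vulnerable))
    print("brute force vs equality:", brute_force(conn, validate_fixed))
```

Where LIKE is genuinely required, the user-supplied value must have `%`, `_` and the escape character escaped and the query must carry an `ESCAPE` clause; for a credential check there is no reason to use anything but equality. Note that SQLite's LIKE is case-insensitive for ASCII by default, which would further shrink the search space for mixed-case tokens.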
Internet Bug Bounty: CVE-2020-10938-buffer overflow/out-of-bounds write in compress.c:HuffmanDecodeImage()
Hello, There is an out-of-bounds write that is likely exploitable while performing Huffman decoding of Fax images. The technical details are as follows. Type: integer underflow produces out of bounds heap/etc write Platform: 32-bit Details: 390 MagickExport MagickPassFail HuffmanDecodeImageImage...
Razer: Helpdesk takeover (subdomain takeover) in razerzone.com domain via unclaimed Zendesk instance
The tester discovered a Razer subdomain subject to a takeover. Although we do not normally accept these as part of this program, Razer thanks the tester for his report...
Internet Bug Bounty: CVE-2017-13019: The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print-pgm.c:pgm_print()
Hello, The vulnerable code portion is linked below. The linked function is responsible for printing PGM packet payload information to the terminal e.g., stdout https://github.com/the-tcpdump-group/tcpdump/commit/4601c685e7fd19c3724d5e499c69b8d3ec49933e The issue may be reproduced as follows Check...
Nord Security: Password Reset Link Works Multiple Times
Background: Normally, a secure way to handle password reset links is to invalidate the link/token upon usage. Additionally, if multiple reset links are requested, older & unused tokens should also be invalidated i.e., if 2 reset tokens were requested, the 2nd token should be invalid upon your usa...
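The two rules stated above (a reset token is single-use, and issuing a new token invalidates any older unused one) can be enforced in a small token store. The following is an added example and not Nord Security's code; the time-to-live, the hashing of tokens at rest and the injectable clock are design choices assumed for this illustration.

```python
"""Password reset tokens: single use, newest-wins, time-limited."""
import hashlib
import secrets
import time


class ResetTokenStore:
    """Keeps at most one live reset token per user, stored only as a SHA-256 hash."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock                 # injectable for tests
        self._by_hash: dict = {}            # token_hash -> (user_id, expires_at)
        self._by_user: dict = {}            # user_id -> token_hash currently live

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Mint a fresh token; any earlier unused token for this user is revoked."""
        old = self._by_user.pop(user_id, None)
        if old is not None:
            self._by_hash.pop(old, None)
        token = secrets.token_urlsafe(32)
        h = self._hash(token)
        self._by_hash[h] = (user_id, self._clock() + self._ttl)
        self._by_user[user_id] = h
        return token

    def redeem(self, token: str):
        """Return the user_id on first valid use, else None. The token is consumed either way."""
        h = self._hash(token)
        entry = self._by_hash.pop(h, None)
        if entry is None:
            return None                     # unknown, already used, or superseded
        user_id, expires_at = entry
        if self._by_user.get(user_id) == h:
            del self._by_user[user_id]
        if self._clock() > expires_at:
            return None                     # expired: consumed but not honoured
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    first = store.issue("alice")
    second = store.issue("alice")           # supersedes `first`
    print("first token after reissue:", store.redeem(first))    # None
    print("second token, first use:", store.redeem(second))     # alice
    print("second token, replay:", store.redeem(second))        # None
```

Looking tokens up by hash means a leaked database copy does not yield usable reset links, and consuming the entry before checking expiry means a replayed or expired link can never be reused. Both checks should be paired with the usual rate limiting on the request endpoint.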
Mail.ru: XSS on the site https://warofdragons.my.games/.
Reflected XSS via a GET parameter on https://warofdragons.my.games...
Node.js third-party modules: Prototype pollution attack (lodash)
I would like to report a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype Module module name: lodash version: 4.17.15 npm page: https://www.npmjs.com/package/lodash Module Description The Lodash library exported as Node.js modules. Module...
curl: Active Mixed Content over HTTPS
Summary: Resources loaded from an insecure origin (HTTP). Steps To Reproduce: Vulnerability Details: detected that active content is loaded over HTTP within an HTTPS page. Remedy: There are two technologies to defend against mixed content issues: HTTP Strict Transport Security. HSTS is a mechanism tha...
Tron Foundation: Private Key exposed in Travis Log can Compromise all the test servers.
REQUIRED: 1. Summary of the bug Summary: Private key is printed in Travis Console log https://travis-ci.org/tronprotocol/java-tron/builds/361945077L4101 Github provides information of test servers https://github.com/tronprotocol/java-tron/blob/24575f0d835b00850b89c620e276fb61c791508d/deploy.sh...
HackerOne: Custom Field Attributes may be created and updated for customers with Custom Field Trial enabled
The Custom Field feature is currently only available for customers on the Enterprise product edition. A trial period can be given by enabling the custom-fields-trial feature for programs who are not on that product edition yet. However, when enabling this feature, the incorrect ordering of an ACL...
GitLab: Bypass Email Verification using Salesforce -- Reproducible in gitlab.com
Summary The Salesforce login integration allows an attacker to bypass email verification -- a user is able to sign up with any email domain they want, effectively bypassing all email domain whitelist/blacklist restrictions or any other 3rd party using the GitLab instance's email address. It is possible because...
Grammarly: Account takeover through the combination of cookie manipulation and XSS
Summary: A cookie based XSS on www.grammarly.com exists due to reflection of a cookie called gnarcontainerId in DOM without any sanitization. Normally, gnarcontainerId is being set by the server however a vulnerable endpoint at gnar.grammarly.com called "/cookies" allows us to manipulate cookies...
Internet Bug Bounty: Local Privilege Escalation during execution of VeraCryptExpander.exe (UAC bypass)
Summary: Your VeraCryptExpander.exe is vulnerable to a Local Privilege Escalation UAC BYPASS during execution. The issue is located here: https://github.com/veracrypt/VeraCrypt/blob/a108db7c85248a3b61d0c89c086922332249f518/src/ExpandVolume/VeraCryptExpander.manifest...
Mail.ru: Source code disclosure
PHP configuration file was available for download on a few terrhq.ru subdomains...
Mail.ru: Rails application running in development mode
autodiscover.staging.geekbrains.ru was running Ruby on Rails in development mode...
Capital One: Heartbleed Bug
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over th...
Nextcloud: Missing DNSSEC
The nextcloud.com domain does not have DNSSEC enabled...
Upserve: Open redirect on https://hq-api.upserve.com/
The returnto parameter on https://hq-api.upserve.com/auth/auth0?prompt=none&returnto= was not validated and allowed an open redirect...
Internet Bug Bounty: efree() on uninitialized Heap data in imagescale leads to use-after-free
The core bug: https://bugs.php.net/bug.php?id=77269 This bugfix actually involves two vulnerabilities: a call to efree on uninitialized data and another free based vulnerability. What is described below is a bug that was fixed in libgd two years ago CVE-2016-10166, but the patch was never applied...
HackerOne: Response program can create bounty table
Summary: Following the h1 document https://docs.hackerone.com/programs/bounty-tables.htmlgatsby, I was able to create a bounty table, which is only available for bounty programs. Description: Step 1: Create a request to the graphql entrypoint. Step 2: Change the team id in the parameter like this: "teamid":"Z2lkOi8vaGFja2Vyb25lL1RlYW0vMzYyOTE="...
RATELIMITED: Server header discloses the OS and web server version
Server header was present and disclosed the version of the web server and OS in HTTP responses...
HackerOne: Unauthenticated user can upload an attachment to the last updated report draft
The newly launched beta embedded submissions form introduced the concept of anonymous submissions. When an anonymous user starts writing a report through an embedded form, a UUID will be generated to track their submission. Any object that is created will reference this UUID. We call this a trace...
Tor: Expose user IP if Tor crashes
Greetings, I have noticed that for an unpredictable reason a Tor relay can expose the IP of a user. I noticed this by going to the server http://195.176.3.24/ and getting information about the headers. I arrived at this header: "X-Your-Address-Is". How: -- - So I went to this tor-relay...
Weblate: Flood of comments: no rate limit on comments when using different user agents
It was possible to post 200-300 comments within minutes; there was no rate limiting applied...
Vanilla: Bypassing the Trusted Link Alert System
Summary: I have discovered a means of bypassing the system that alerts users of an untrusted link, utilizing the Right-to-Left Override unicode character. The alert looks like this: https://i.imgur.com/9rp1K7b.mp4 Description: For this demonstration, I have added "facebook.com" to the trusted...
Slack: SSRF in api.slack.com, using slash commands and bypassing the protections.
Bypassing the reports 61312 and 356765 Tutorial: Go to api.slack.com and create an application with your own slash command. F320014 Enter your own domain: in your own domain: index.php location: http://:::22/ F320019 And save. Go to your Slack and type /youslash Try with my server...
Liberapay: csrf token did not changed after login/logout many times
Hello team, your CSRF token did not expire, and after logging in and out many times I found that your CSRF token is generated the same as the last one. Impact: if an attacker found an XSS on your domain and you fixed it but the attacker still has the user's CSRF token, the attacker can use it to perform any action...
Node.js third-party modules: [simplehttpserver] List any file in the folder by using path traversal.
I would like to report a Path Traversal in simplehttpserver. It allows listing any file in another folder outside the web root. Module module name: simplehttpserver version: 0.1.1 npm page: https://www.npmjs.com/package/simplehttpserver Module Description 'simplehttpserver' is a simple imitation of python's...
Mail.ru: phpinfo() information exposed on the site https://agent.mail.ru
phpinfo was available on agent.mail.ru. agent.mail.ru is not currently covered with bug bounty program...