HackerOne reports, sorted by most viewed

15302 matches found

Hacker One | added 2020/07/20 10:56 p.m. | 47 views

Nextcloud: Formula Injection vulnerability in CSV export feature

Dear Nextcloud Team – I have identified a formula injection vulnerability 12 in the CSV export feature of the Forms App. I am aware that the Forms app is not part of this bug bounty program but was advised to disclose it via hackerone anyway. Description. When an Excel-/Calc- formula is sent as...

AI score: 7.2 | Exploits: 0
Hacker One | added 2020/07/13 11:14 a.m. | 47 views

Nextcloud: No rate limiting on signup page

Hi Team, Summary: As a best practice a login page should have rate limiting. Below is the captured request of the respective login page of nextcloud.com -------------------------------------------------------------------------------------------------------------------- POST...

CVSS: 5 | AI score: 0.5 | EPSS: 0.01883 | Exploits: 1
Hacker One | added 2020/06/22 6:16 a.m. | 47 views

Node.js third-party modules: Server-side Template Injection in lodash.js

I would like to report Server-side Template Injection in lodash.js .template function It allows the execution of code on the server Module module name: lodash version: 4.17.15 npm page: https://www.npmjs.com/package/lodash Module Description The Lodash library exported as Node.js modules. Module...

AI score: 0.5 | Exploits: 0
Hacker One | added 2020/05/30 7:33 p.m. | 47 views

h1-ctf: [H1-2006 2020] H1-2006 CTF Writeup

Hi! The challenges were really great. I had a lot of fun and I can honestly say I learned a few tricks during this journey. I will be submitting the flag now and will work on a very good writeup until the deadline. My reasoning is that there are two different prizes, one for the first ten and...

AI score: 0.8 | Exploits: 0
Hacker One | added 2020/04/04 7:21 a.m. | 47 views

Mail.ru: HTTP Response Splitting on thumb.cloud.mail.ru

Limited CRLF injection at thumb.cloud.mail.ru allowed manipulation of cookies...

AI score: 0.7 | Exploits: 0
Hacker One | added 2020/04/03 3:35 p.m. | 47 views

Shopify: *.shopify.com - Authentication bypass

I've found a flaw in the authentication process when accessing the website https://upcoming.shopify.com. There seems to be an HTTP Authentication in place to prevent access without authentication. Please follow the below POC to get access to https://upcoming.shopify.com without login. The website is...

AI score: 0.7 | Exploits: 0
Hacker One | added 2020/02/18 11:03 a.m. | 47 views

GSA Bounty: open redirect in eb9f.pivcac.prod.login.gov

PoC: https://eb9f.pivcac.prod.login.gov/?nonce=wI0UglN84A06Q4z4JnkZVc3i1V8%3D&redirecturi=https%3A%2F%2Fgoogle.com%23%40secure.login.gov%2Flogin%2Fpivcac visit this and it will redirect to google.com Impact phishing...

AI score: 0.9 | Exploits: 0
Hacker One | added 2020/02/17 4:32 p.m. | 47 views

Mail.ru: PHP code injection at tz.mail.ru

A chain of bugs involving unsafe usage of PHP unserialize led to the possibility of code execution in tz.mail.ru...

CVSS: 7.5 | AI score: 3.9 | EPSS: 0.95438 | Exploits: 16
Hacker One | added 2019/10/03 4:43 p.m. | 47 views

Mail.ru: Account Takeover at vseapteki.ru

Insufficient protection against SMS code brute-forcing allowed account takeover in vseapteki.ru Common flaws of SMS auth: https://blog.deteact.com/common-flaws-of-sms-auth/...

AI score: 3 | Exploits: 0
Hacker One | added 2019/09/28 9:22 a.m. | 47 views

Node.js third-party modules: [treekill] RCE via insecure command concatenation (only Windows)

I would like to report an RCE issue in the treekill module. It allows executing arbitrary commands remotely inside the victim's PC Module module name: treekill version: 1.0.0 npm page: https://www.npmjs.com/package/treekill Module Description treekill process and its all children and child...

CVSS: 7.5 | AI score: 0.1 | EPSS: 0.02742 | Exploits: 0
Hacker One | added 2019/09/14 1:52 p.m. | 47 views

U.S. Dept Of Defense: [CVE-2018-0296] Cisco VPN path traversal on the https://██████████

The Cisco VPN vulnerability CVE-2018-0296 was discovered in a previously unidentified instance in the DOD network. The vulnerability allowed path traversal, which could have been exploited to disclose sensitive information such as VPN sessions and files. The issue was addressed by updating to a...

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.99903 | Exploits: 18
Hacker One | added 2019/09/10 1:01 p.m. | 47 views

QIWI: Bypassing the commission on transfers

Bypassing the commission on transfers...

AI score: 0.4 | Exploits: 0
Hacker One | added 2019/08/29 9:32 a.m. | 47 views

GitLab: Stored XSS for Grafana dashboard URL

Hi GitLab Security Team Summary I found a stored XSS vulnerability in the admins page. The administrator can set up a Grafana dashboard. Here, the administrator can either enter a relative URL or an absolute address. However, when adding an absolute URL, the protocol is not checked allowing to ad...

AI score: 0.1 | Exploits: 0
Hacker One | added 2019/08/04 9:41 a.m. | 47 views

GSA Bounty: Information disclosure (system username, server info) in the x-amz-meta-s3cmd-attrs response header on data.gov

Hi Team, I noticed that the x-amz-meta-s3cmd-attrs response header returns sensitive information, like the system username, on data.gov x-amz-meta-s3cmd-attrs: uid:0/gname:root/uname:root/gid:0/mode:33184/mtime:1513269652/atime:1513269652/md5:2049644b6b833f5dbb826f60a4721f64/ctime:1513269652 Server:...

AI score: 0.1 | Exploits: 0
Hacker One | added 2019/07/15 2:03 p.m. | 47 views

Semrush: SSRF In Get Video Contents

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: An SSRF In Get...

AI score: 7 | Exploits: 0
Hacker One | added 2019/06/14 9:52 a.m. | 47 views

Mail.ru: XSS when uploading an image on [games.mail.ru]

Do-it-yourself XSS self-XSS via crafted file name in support request on games.mail.ru Insufficient filtering of dangerous tags when uploading images on games.mail.ru in technical support tickets...

AI score: 2.6 | Exploits: 0
Hacker One | added 2019/05/22 2:27 p.m. | 47 views

GitLab: Local files could be overwritten in GitLab, leading to remote command execution

Summary Arbitrary file overwrite A new feature, downloading a directory of a repository, in GitLab 11.11 introduced some changes in ./internal/service/repository/archive.go of Gitaly. go func handleArchivectx context.Context, writer io.Writer, in gitalypb.GetArchiveRequest, compressCmd exec.Cmd, forma...

AI score: 8 | Exploits: 0
Hacker One | added 2019/05/22 10:48 a.m. | 47 views

phpBB: CSS injection via BB code tag "█████"

The input to the "█████" BBcode tag is not properly filtered. It gets converted into a CSS style attribute for a span HTML element. Quotes " are removed, so there's no way to break out of the CSS style attribute. However, it is possible to arbitrarily dress the resulting span element. To illustra...

CVSS: 5 | AI score: 7.3 | EPSS: 0.01077 | Exploits: 0
Hacker One | added 2019/05/07 9:44 p.m. | 47 views

Starbucks: Subdomain takeover of mydailydev.starbucks.com

A subdomain of starbucks.com had a CNAME record pointing to an Azure Traffic Manager profile that @0xpatrik was able to claim...

AI score: 2.8 | Exploits: 0
Hacker One | added 2019/04/24 1:41 p.m. | 47 views

Trint Ltd: IDOR in changing shared file name

Summary: Hi Trint Ltd, I have found an IDOR vulnerability in https://app.trint.com . A user can change shared file names through this IDOR. Steps To Reproduce: 1. Create a file from account B 2. Capture the request of renaming the file as shown in sample request 3. Create a file from account A an...

AI score: 6.8 | Exploits: 0
Hacker One | added 2019/03/24 6:26 a.m. | 47 views

MariaDB: smtp service vulnerable to POODLE SSLv3

One of our package servers had an old smtpd service linked with openssl 1.0.1i, which uses nondeterministic CBC padding, making it easy for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. The service has been disabled for the internet, as ...

CVSS: 4.3 | AI score: 5.3 | EPSS: 0.99999 | Exploits: 5
Hacker One | added 2019/03/01 9:59 a.m. | 47 views

WePay: Active mixed content issues on the site https://stage-go.wepay.com.

Hello. Summary: Page https://stage-go.wepay.com/static/ contains active mixed content: Description: Passive mixed content is content sent over HTTP that is contained on the HTTPS page, but which can not change other parts of the page. For example, an attacker can replace a picture sent via HTTP...

AI score: 6.7 | Exploits: 0
Hacker One | added 2019/02/19 1:01 a.m. | 47 views

U.S. Dept Of Defense: [Critical] Full local filesystem access (LFI/LFD) as admin via Path Traversal in the misconfigured Java servlet on the https://███/

Description Hello. I discovered a Path Traversal issue on the https://██████████/ I was able to turn it into a local file read, and after a series of tests determined that it's possible to reach sensitive system files with administrator rights. POC The next request will read the...

AI score: 0.1 | Exploits: 0
Hacker One | added 2019/02/13 4:43 p.m. | 47 views

Notepad++: No SearchEngine sanitizing can lead to command injection

Information: Summary: Notepad++ is vulnerable to a command injection vulnerability. Debug Info: Notepad++ v7.6.3 32-bit Build time : Jan 27 2019 - 17:20:30 Path : C:\Program Files x86\Notepad++\notepad++.exe Admin mode : ON Local Conf mode : OFF OS : Windows 10 64-bit Plugins : none Description:...

AI score: 0.1 | Exploits: 0
Hacker One | added 2019/02/04 3:03 p.m. | 47 views

Semrush: XSS Reflected on my_report

Hello again. This time, in addition to the HTML injection, a full XSS goes through in the user's dashboard. Payload: https://www.semrush.com/myreports/api/v1/document%22%3E%3Cimg%20src=x%20onerror=alertdocument.cookie%3E/4007861 PoC: in the screenshot Impact Theft of session cookies...

AI score: 6.3 | Exploits: 0
Hacker One | added 2019/01/27 3:55 p.m. | 47 views

Node.js third-party modules: [serve] Access unlisted internal files/folders revealing sensitive information

I would like to report sensitive information disclosure in serve. Bypass of 308721 in ways. Module module name: serve version: 10.1.1 npm page: https://www.npmjs.com/package/serve Module Description Assuming you would like to serve a static site, single page application or just a static file no...

AI score: 6.3 | Exploits: 0
Hacker One | added 2019/01/23 2:08 p.m. | 47 views

Mail.ru: ICQ for macOS: lack of `com.apple.quarantine` meta-attribute on downloaded files leads to GateKeeper/Quarantine bypass for downloaded executables

Summary Quarantine & GateKeeper are important macOS security mechanisms, which prevent user/device from running unsigned executables and warn users about executables downloaded from the remote. Conceptually, Quarantine & GateKeeper are similar to MOTW on Windows. Applications that could download...

AI score: 1.7 | Exploits: 0
Hacker One | added 2018/12/03 5:57 p.m. | 47 views

Mail.ru: [e.mail.ru] Stored XSS in Mpop cookie

XSS on e.mail.ru domain via cookie content XSS in cookie via mitm. Good article - https://habr.com/en/post/460101/ by @w2w...

AI score: 0.5 | Exploits: 0
Hacker One | added 2018/11/22 2:27 p.m. | 47 views

Mail.ru: Open Redirect In passport.maps.me/logout/?next=//fb.com/

Open redirect on passport.maps.me page...

AI score: 0.9 | Exploits: 0
Hacker One | added 2018/10/13 8:31 p.m. | 47 views

Shopify: H1514 Bypass Wholesale account signup restrictions

Summary: By default, account registration is disabled on Shopify Wholesale, requiring customers to be manually invited: Wholesale account signup is disabled. Customers need to be manually invited from the Customers page. This can be bypassed due to improper access controls in the invitation...

AI score: 1.2 | Exploits: 0
Hacker One | added 2018/10/03 4:37 p.m. | 47 views

Mail.ru: build.sh found on webagent.mail.ru

Source code of the build script for the web application was available for download. It could leak some non-sensitive information on internal build processes and configurations...

AI score: 1.5 | Exploits: 0
Hacker One | added 2018/09/22 7:06 a.m. | 47 views

Khan Academy: Creating Unlimited Fake Accounts.

Hello @khanacademy, Anyone can create unlimited fake accounts using temp mails, i.e. https://temp-mail.org/en/ 1- Go to https://temp-mail.org/en/ 2- Select a mail 3- Enter that mail while creating an account in khanacademy 4- You will get a confirmation mail from khanacademy on https://temp-mail.org/en/...

AI score: 0.5 | Exploits: 0
Hacker One | added 2018/09/15 10:22 p.m. | 47 views

Vanilla: Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability

Summary: An authenticated admin user can inject an unserializable password into another user's account. Later, when attempting a login with that user, the attacker can trigger a call to unserialize in the splitHash function. By using a custom pop chain to write into the constants.php file, an...

Exploits: 0
Hacker One | added 2018/09/05 1:49 a.m. | 47 views

Node.js third-party modules: [apex-publish-static-files] Command Injection on connectString

I would like to report a command injection vulnerability in the apex-publish-static-files npm module. It allows arbitrary shell command execution through a maliciously crafted argument. Module module name: apex-publish-static-files version: 2.0.0 npm page:...

CVSS: 10 | AI score: 0.6 | EPSS: 0.06991 | Exploits: 1
Hacker One | added 2018/08/06 10:57 a.m. | 47 views

Node.js third-party modules: Command Injection Vulnerability in libnmap Package

I would like to report a command injection vulnerability in libnmap. It allows an attacker to inject arbitrary OS commands instead of a valid network range to be scanned. Module module name: libnmap version: 0.4.11 npm page: https://www.npmjs.com/package/libnmap Module Description API to access...

CVSS: 10 | AI score: 1.4 | EPSS: 0.03854 | Exploits: 1
Hacker One | added 2018/07/22 9:07 a.m. | 47 views

Chaturbate: Homograph attack on redirect URL (https://chaturbate.com/external_link/?url)

Hi There, Hope you are doing good. As I was just playing around with chaturbate.com I found that you guys do not have proper configuration against malicious script injection in the website. In a Homograph attack, basically, an attacker may be able to inject some malicious script with a URL. Here I made a homograph...

AI score: 7 | Exploits: 0
Hacker One | added 2018/06/26 6:23 p.m. | 47 views

Brave Software: Directory Listing on https://promo-services-staging.brave.com

Summary: Hi Brave team, Hope you are good. I have found a directory listing vulnerability at https://promo-services-staging.brave.com Products affected: Brave website page. Steps To Reproduce: Go to https://promo-services-staging.brave.com/swaggerui/ Supporting Material/References: Reference: This...

AI score: 6.9 | Exploits: 0
Hacker One | added 2018/06/05 2:23 a.m. | 47 views

Liberapay: Exploiting JSONP callback on /username/charts.json endpoint leads to information disclosure despite user's privacy settings

Hello! Vulnerability Details The /username/charts.json endpoint can return a JSONP callback due to the fact that jsonpdump is used in the file charts.json.spt. It appears that the content of the JSONP request depends on the authentication of the user. If the user enabled the privacy setting which...

Exploits: 0
Hacker One | added 2018/04/26 10:17 p.m. | 47 views

Mail.ru: lootdog.io XSS

An open redirect can be observed at this link: 1. https://lootdog.io/register?next=http://mail.ru?https%3A%2F%2Flootdog.io%2F Fill in this form, confirm the number: F290679 We are redirected to http://mail.ru Impact open redirect...

AI score: 7.1 | Exploits: 0
Hacker One | added 2018/04/21 7:23 p.m. | 47 views

Ruby: Invalid URL parsing '#'

URI is not correctly parsed when "#" is included in the URL. Therefore, could instead be tricked into connecting to a different host. PoC bash $ ruby --version ruby 2.4.1p111 2017-03-22 revision 58053 x8664-darwin16 ruby require 'uri' uri = URI"http://[email protected]/test" = p...

AI score: 0.6 | Exploits: 0
Hacker One | added 2018/03/10 5:58 a.m. | 47 views

Shopify: XSS *.myshopify.com/collections/vendors?q=

WAF cut ", but " and ' still in. 1. PoC example link" style="font-size: 1001pt;" 2. mouse on X 3. .. 4. XSS alert message Impact XSS attack...

AI score: 2.2 | Exploits: 0
Hacker One | added 2018/02/02 6:57 p.m. | 47 views

LocalTapiola: Securemail server used to internal spam and resource exhaustion

Basic report information Summary: Confidential message system fails to restrict large amount of receivers. This might lead to hardware exhaustion and/or attacking localtapiola internal employees as securemail recipients. Description: Despite https://secure.lahitapiola.fi/ is designed to send...

AI score: 6.7 | Exploits: 0
Hacker One | added 2018/01/16 2:26 p.m. | 47 views

LocalTapiola: Malicious file upload (secure.lahitapiola.fi)

Basic report information Summary: Malicious file upload Description: Hello! I noticed that when a user sends a new message you have restricted pretty strictly the files which are ok to upload. Like .svg: F254353 However, if a user impersonates another user just as one example and starts the conversatio...

AI score: 1 | Exploits: 0
Hacker One | added 2018/01/10 12:00 a.m. | 47 views

Node.js third-party modules: Fastify denial-of-service vulnerability with large JSON payloads

Module: Fastify - https://www.npmjs.com/package/fastify Affected versions: =0.37.0 all versions before 0.38.0 Summary: A denial-of-service attack can be performed against servers running Fastify by sending a request with "Content-Type: application/json" and a very large payload. Description: Fasti...

CVSS: 5 | AI score: 7.4 | EPSS: 0.01799 | Exploits: 1
Hacker One | added 2018/01/04 7:46 p.m. | 47 views

Open-Xchange: IDOR allows extracting all registered emails

STEPS TO REPRODUCE ============================= vulnerable request.... PUT /appsuite/api/user?action=list&columns=1%2C20%2C500%2C501%2C502%2C505%2C524%2C555%2C606%2C614&session=144ebd4f736c475f9e7d681c07a6a50a&timezone=utc HTTP/1.1 Host: sandbox.open-xchange.com User-Agent: Mozilla/5.0 X11; Linux...

AI score: 0.4 | Exploits: 0
Hacker One | added 2017/12/15 3:15 a.m. | 47 views

GitLab: SQL injection in MilestoneFinder order method

The MilestoneFinder is a class used to find milestones based on group or project identifiers. The class is used in multiple controllers. It allows filtering based on state and can be used to order the result set. One of the uses can be found in the Groups::MilestonesController. When the index...

CVSS: 5 | AI score: 7.9 | EPSS: 0.01392 | Exploits: 0
Hacker One | added 2017/12/07 4:44 a.m. | 47 views

RBKmoney: Open Redirection on auth.rbk.money

An open redirect vulnerability was found in KeyCloak. Find the writeup soon on my website; Edit: the writeup is here: http://abartandhakal.com.np/main/2018/01/27/open-redirection-on-rbk-money/...

AI score: 6.9 | Exploits: 0
Hacker One | added 2017/12/01 2:00 p.m. | 47 views

Open-Xchange: Adding external participants to inaccessible appointments

Description When making an appointment users are able to invite additional participants which do not have an open-xchange account. However, it appears that any user can invite external participants to any appointment even if this appointment is not accessible to him. Additionally, using the same bug...

AI score: 6.8 | Exploits: 0
Hacker One | added 2017/11/07 4:37 p.m. | 47 views

AlienVault: DNS pinning SSRF bypass

Summary: this issue is a bypass for this report: https://hackerone.com/reports/285380 . It is an SSRF bypass with DNS pinning. Description: We can bypass the SSRF protection with a simple domain that is resolving to 169.254.169.254 , like: ssrf-cloud.localdomain.pw Browsers Verified In: Firefox 56...

AI score: 6.8 | Exploits: 0
Hacker One | added 2017/10/27 9:30 p.m. | 47 views

AlienVault: [www.threatcrowd.org] - reflected XSS

Summary: I have found a reflected XSS in https://www.threatcrowd.org/graphHtml.php, in the GET parameter email. Browsers Verified In: Firefox 56.0.1 Steps To Reproduce: 1. Browse to https://www.threatcrowd.org/graphHtml.php?email=%27-alertdocument.domain-%27 2. Click on the embed functionality in th...

AI score: 6.3 | Exploits: 0
Total number of security vulnerabilities: 5000