Coinbase: Window.opener bug at www.coinbase.com
Window.opener bug. Description: When you open a link in a new tab (target="_blank"), the page that opens in the new tab can access the initial tab and change its location using the window.opener property. Browsers verified in: Mozilla Firefox. Steps to reproduce: 1. Visit https://www.coinbase.com/ 2. ...
Open-Xchange: Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf)
Discovery: After installing the software locally for testing purposes, I performed a little search for Flash files embedded in the platform and found the following: root@OpenXchange:/opt/open-xchange find . -iname '*.swf' ./appsuite/apps/3rd.party/mediaelement/flashmediaelement.swf...
Starbucks: Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments)
A user can add comments on their wishlist items. The HTTP request which adds a comment on a wishlist item looks like: POST /on/demandware.store/Sites-Teavana-Site/default/Wishlist-Comments/:id HTTP/1.1 Host: www.teavana.com User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.12; rv:49.0...
OLX: XSS and Open Redirect on https://jobs.dubizzle.com/
Hi, I found an interesting vulnerability. With this one we can redirect someone to a malicious site, or we can trigger XSS. STEPS TO REPRODUCE --------------------- 1. Go to this link: https://jobs.dubizzle.com/en/pricing/?return=javascript:prompt31 2. Click the "Continue placing your ad" button. 3. XS...
QIWI: [lk.contact-sys.com] SQL Injection reset_password FP_LK_USER_LOGIN
Steps to reproduce: 1. Open https://lk.contact-sys.com/index.php/LK/login 2. Click "Forgot password?" 3. Fill in the form: Participant Code: test Login: ' and @@version=1 and '1'='1 HTTP request: POST /index.php/LK/resetpassword HTTP/1.1 Host: lk.contact-sys.com Content-Type:...
Khan Academy: Sensitive information/action is stored/done using a GET request
Description: The action to remove an email from the account is done using a GET request, and it carries a security token. The URL is: https://www.khanacademy.org/settings/unlinkaccount?email=134hackerone%40gmail.com&fkey= It is never good practice to have sensitive information in a URL. Following are the...
Skyliner: Email Spoofing
Hey Skyliner, I have found an email spoofing vulnerability in your website. An attacker can use your email domain to send emails to others. Email spoofing is the creation of email messages with a forged sender address. Because the core email protocols do not have any mechanism for authentication, it ...
Legal Robot: Email spoofing possible via Legal Robot domain
Dear Team, There are a few email spoofing tools available for free, and one of them is http://emkei.cz/ When I tried to send an email from [email protected] to my mail, it was successful and straight away delivered into my inbox, but when I tried to send it from another mail id...
Nextcloud: Vulnerable Javascript library
Information disclosure: From a simple lookup you can confirm the version of jQuery used. It is an outdated one that, according to some research I did, has public vulnerabilities, such as XSS. Steps to reproduce: 1. Navigate to:...
Dropbox: Dropbox apps Server side request forgery
Hi, SSRF is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server. Usually, Server Side Request Forgery (SSRF) attacks target internal systems behind the firewall that are normally inaccessible from the outside world, but using SSRF it's possible...
Uber: User credentials are not strong on vault.uber.com
I was just trying to log in to vault.uber.com. I entered email xx and password xx, and I got logged in to someone's account. I entered email zz and password zz, and I got logged in to someone's account. It means password complexity and length of username/email are not enforced. This allowed me to access the someon...
Uber: Dom Based Xss
Hi. I found DOM XSS on the subdomain eng.uber.com. You are using a vulnerable plugin, prettyPhoto. This XSS will work in Firefox, Google Chrome and the latest version of IE, and this is very dangerous! PoC Firefox vector: http://eng.uber.com/prettyPhotoi/x,/x PoC Google Chrome and IE...
HackerOne: External links should use rel="noopener" or use the redirect service
This is a rather low severity one, and successful exploitation relies on unlikely user interaction as well as the ability to control the HTML output of a remote host. Furthermore, it is a fairly new hardening feature in some browsers. Though one can work around this using "noreferrer", which is...
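The Coinbase and HackerOne reports above come down to the same mechanism: a page opened through target="_blank" receives a window.opener reference and can navigate the tab that opened it. The block below is an added example, not code from either report or from either program, that models that behaviour with stand-in window objects (so it runs under Node rather than in a browser) and then audits and hardens a constructed HTML fragment; every name, URL and the sample markup are assumptions.

```javascript
// Added example (not from the original reports): models reverse tabnabbing
// via window.opener and audits/hardens target="_blank" links in server HTML.

// Minimal stand-in for a browser tab so the logic runs under Node.
function makeWindow(url) {
  return { location: { href: url }, opener: null };
}

// Models following <a target="_blank" rel="..."> from openerWin.
// "noopener" (and "noreferrer", which implies it) severs the back-reference.
function openInNewTab(openerWin, href, rel = '') {
  const tokens = rel.toLowerCase().split(/\s+/);
  const newWin = makeWindow(href);
  if (!tokens.includes('noopener') && !tokens.includes('noreferrer')) {
    newWin.opener = openerWin;
  }
  return newWin;
}

// What a malicious target page does: navigate the tab that opened it to a
// phishing page. Returns true if the original tab was redirected.
function attackerPageLoaded(newWin, phishingUrl) {
  if (newWin.opener) {
    newWin.opener.location.href = phishingUrl;
    return true;
  }
  return false;
}

// --- Audit / fix of server-rendered HTML (simple tag regex, not a full parser) ---
const ANCHOR_RE = /<a\b[^>]*>/gi;

// Reads one attribute value from an opening tag; null if absent.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// True for target="_blank" anchors whose rel has neither noopener nor noreferrer.
function lacksNoopener(tag) {
  const target = attr(tag, 'target');
  if (!target || target.toLowerCase() !== '_blank') return false;
  const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Returns hrefs of target="_blank" links that still expose window.opener.
function findUnsafeBlankLinks(html) {
  return (html.match(ANCHOR_RE) || []).filter(lacksNoopener).map((t) => attr(t, 'href'));
}

// Adds rel="noopener noreferrer" (appending to an existing rel) where needed.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!lacksNoopener(tag)) return tag;
    const rel = attr(tag, 'rel');
    if (rel === null) return tag.replace(/>$/, ' rel="noopener noreferrer">');
    return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, `rel="${rel} noopener noreferrer"`);
  });
}

// Constructed sample page (assumed markup, not taken from any real site).
const SAMPLE_HTML = [
  '<a href="https://example.org/docs" target="_blank">docs</a>',
  '<a href="https://example.org/safe" target="_blank" rel="noopener">safe</a>',
  '<a href="/local">same tab</a>',
  '<a href="https://example.org/ext" target="_blank" rel="nofollow">ext</a>',
].join('\n');

const victimTab = makeWindow('https://www.example.com/');
const evilTab = openInNewTab(victimTab, 'https://attacker.example/', '');
console.log('tabnabbed:', attackerPageLoaded(evilTab, 'https://attacker.example/login'),
  '-> victim now at', victimTab.location.href);
console.log('unsafe links:', findUnsafeBlankLinks(SAMPLE_HTML));
console.log('after hardening:', findUnsafeBlankLinks(hardenBlankLinks(SAMPLE_HTML)));
```

Current browsers (Chrome 88, Firefox 79 and Safari 12.1 onward) already treat target="_blank" as implying noopener, so the live impact today is limited to older clients; an explicit rel="noopener" is still the right thing to emit, and the regex audit above is only a quick check, not a substitute for fixing the template that renders the links.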
Shopify: Full access to Amazon S3 bucket containing AWS CloudTrail logs
An Amazon S3 bucket used internally by Shopify was misconfigured, allowing external users to read, write and list objects. The excess permissions have been removed...
Vimeo: Legacy API exposes private video titles
Hi, I have discovered Vimeo's legacy API vimeo.com/api exposes private video titles. Example URL: https://vimeo.com/api/oembed.json?url=https%3A//vimeo.com/152133387 Vimeo provides the uploader with 5 privacy options for viewing videos: 1. Anyone 2. Only me 3. Only people I follow 4. Only people ...
Mail.ru: [cfire.mail.ru] Time Based SQL Injection
Good afternoon. The cookie named cfiresid is vulnerable. Working PoC: GET /account/userbar/ HTTP/1.1 User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64 AppleWebKit/537.36 KHTML, like Gecko Chrome/47.0.2526.73 Safari/537.36 OPR/34.0.2036.25 Host: cfire.mail.ru Accept: text/html, application/xml;q=0.9,...
ok.ru: Bypassing CSRF protection on m.ok.ru
Hello! I found another way to bypass the CSRF protection, via the st.rtu parameter. Previously it could be bypassed via dlgId and via links on pages. Now I noticed that an AJAX request carrying the X-XTKN token can be made via the st.rtu parameter. It can be sent by editing a note, a group post, when...
Mail.ru: XSS at af.attachmail.ru
XSS via an attached SVG on the sandbox domain af.attachmail.ru. XSS via a .svg file, working in UC Browser Mini only. Video PoC: https://www.youtube.com/watch?v=E5akSwOXaKs&feature=youtu.be...
MapLogin: Bypass verification of email while creating account(No rate limiting enable for verification code)
Hi Team, Bug type: Authentication bypass / Missing rate limiting. Description: While creating an account the user needs to enter an email ID, and a verification code is sent to that email ID. It is a 4-digit code. But there is no rate limiting enabled while checking the verification code on the server side. So basicall...
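The MapLogin report above describes a 4-digit code checked without any attempt limit, which is a 10,000-guess key space. The block below is an added example, not MapLogin's code, showing a verifier in both configurations (unlimited attempts, as reported, and a lockout after a few failures) and a brute-force loop run against each; the email address, the secret code and the attempt limit are assumed values.

```javascript
// Added example (not MapLogin's code): verification-code check with and
// without attempt limiting, plus the brute-force loop that a missing limit allows.

const CODE_DIGITS = 4;

// Compares two strings without short-circuiting on the first mismatch.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

class CodeVerifier {
  // maxAttempts: null = unlimited (the reported behaviour); otherwise the code
  // is invalidated after that many wrong guesses. ttlMs bounds the code lifetime.
  constructor({ maxAttempts = null, ttlMs = 10 * 60 * 1000, now = () => Date.now() } = {}) {
    this.maxAttempts = maxAttempts;
    this.ttlMs = ttlMs;
    this.now = now;
    this.pending = new Map(); // email -> { code, issuedAt, failures }
  }

  issue(email, code) {
    this.pending.set(email, { code, issuedAt: this.now(), failures: 0 });
  }

  // Returns 'ok' | 'wrong' | 'locked' | 'expired' | 'unknown'.
  verify(email, guess) {
    const entry = this.pending.get(email);
    if (!entry) return 'unknown';
    if (this.now() - entry.issuedAt > this.ttlMs) {
      this.pending.delete(email);
      return 'expired';
    }
    if (constantTimeEqual(entry.code, guess)) {
      this.pending.delete(email); // single use
      return 'ok';
    }
    entry.failures += 1;
    if (this.maxAttempts !== null && entry.failures >= this.maxAttempts) {
      this.pending.delete(email); // burn the code; the user must request a new one
      return 'locked';
    }
    return 'wrong';
  }
}

// Tries every code in order, as an attacker facing no rate limit would.
function bruteForce(verifier, email) {
  const limit = 10 ** CODE_DIGITS;
  for (let n = 0; n < limit; n++) {
    const guess = String(n).padStart(CODE_DIGITS, '0');
    const r = verifier.verify(email, guess);
    if (r === 'ok') return { success: true, attempts: n + 1, guess };
    if (r !== 'wrong') return { success: false, attempts: n + 1, reason: r };
  }
  return { success: false, attempts: limit, reason: 'exhausted' };
}

// Runs the attack against a verifier configured with the given attempt limit.
function demo(maxAttempts) {
  const v = new CodeVerifier({ maxAttempts });
  v.issue('victim@example.com', '4821'); // constructed secret code
  return bruteForce(v, 'victim@example.com');
}

console.log('no limit   :', demo(null));
console.log('5 attempts :', demo(5));
```

The per-code failure counter is the minimum fix; a production deployment would also throttle per source IP and per account, since an attacker can otherwise request fresh codes and restart, and would prefer a longer code or a signed link over four digits.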
Mail.ru: store-agent.mail.ru: stacked blind injection
store-agent.mail.ru purchases db admin auth bypass + blind sql injection...
Internet Bug Bounty: X509_to_X509_REQ NULL pointer deref
X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) =================================================== Severity: Low The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. This function is rarely used in practice. This issue affects all current OpenSS...
Adobe: Reflected Cross Site Scripting - 'puser' Parameter in login page
PoC URL:...
Mobile Vikings: Reflected xss in user name thru cookie
Imagine that we have user A with the name namealert1, and user B. User B requests a SIM card and adds authorization for user A. Of course this is not the common way to exploit it. As a result we have XSS through the user name in the flash message, delivered through the cookie. And we got a properly signed cookie with the XSS payload...
Yahoo!: https://caldav.calendar.yahoo.com/ - XSS (STORED)
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
curl: Exploitable Format String Vulnerability in curl_mfprintf Function
Vulnerability description not provided...
Automattic: Open redirect via redirect_to parameter in tumblr.com
The Tumblr website was affected by an open redirect vulnerability that allowed an attacker to redirect users to a specified URL through the "redirect_to" parameter. This vulnerability could have been exploited to conduct phishing attacks or distribute malware...
AWS VDP: A potential risk in the experimental-programmatic-access-ccft which can be used to privilege escalation.
The experimental-programmatic-access-ccft application created a function with an associated role that was assigned policies with overly broad "sts:AssumeRole" permissions for "*" resources. This could have allowed a malicious user to assume into any AWS account in the AWS Organization, resulting i...
Node.js: Proxy-Authorization header not cleared on cross-origin redirect in undici.request
The Proxy-Authorization and x-auth-token headers were not cleared on cross-origin redirects in versions of undici up to and including 6.7.0. This issue was similar to a previously fixed security vulnerability where Authorization and Cookie headers were not cleared on such redirects...
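The undici report above is about which request headers a client may replay after a redirect leaves the original origin. The block below is an added example, not undici's implementation, of a redirect follower that drops a configurable set of credential headers on cross-origin hops; it is run with the narrower pre-fix set and the wider post-fix set the report names, against a constructed in-memory transport so it works offline. The hostnames, header values and hop sequence are assumptions.

```javascript
// Added example (not undici's code): strip credential headers when a redirect
// crosses origins, shown with the pre-fix and post-fix header sets from the report.

// Headers a client must not replay to a different origin.
const STRIP_BEFORE_FIX = ['authorization', 'cookie'];
const STRIP_AFTER_FIX = [...STRIP_BEFORE_FIX, 'proxy-authorization', 'x-auth-token'];

// Origin = scheme + host + port, as the URL standard defines it.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Headers to send on the next hop: unchanged for same-origin redirects,
// otherwise with every name in stripList removed (case-insensitively).
function headersForRedirect(headers, fromUrl, toUrl, stripList) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers };
  const strip = new Set(stripList.map((h) => h.toLowerCase()));
  return Object.fromEntries(
    Object.entries(headers).filter(([name]) => !strip.has(name.toLowerCase())),
  );
}

// Follows 3xx responses up to maxRedirects. transport maps URL -> {status, location}.
// Returns the final URL, the headers actually sent there, and the hop trail.
function followRedirects(url, headers, transport, stripList, maxRedirects = 5) {
  let current = url;
  let sent = { ...headers };
  const trail = [];
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = transport[current];
    if (!res) throw new Error(`no response for ${current}`);
    trail.push({ url: current, headers: { ...sent } });
    if (res.status < 300 || res.status >= 400 || !res.location) {
      return { url: current, status: res.status, headers: sent, trail };
    }
    const next = new URL(res.location, current).toString();
    sent = headersForRedirect(sent, current, next, stripList);
    current = next;
  }
  throw new Error('too many redirects');
}

// Constructed scenario: the API host redirects to an attacker-controlled origin,
// plus a benign same-origin redirect for comparison.
const TRANSPORT = {
  'https://api.example.com/v1/report': { status: 302, location: 'https://attacker.example/collect' },
  'https://attacker.example/collect': { status: 200 },
  'https://api.example.com/login': { status: 302, location: '/home' },
  'https://api.example.com/home': { status: 200 },
};

const REQUEST_HEADERS = {
  Authorization: 'Bearer token-A',
  'Proxy-Authorization': 'Basic cHJveHk6c2VjcmV0',
  'x-auth-token': 'session-xyz',
  Accept: 'application/json',
};

const before = followRedirects('https://api.example.com/v1/report', REQUEST_HEADERS, TRANSPORT, STRIP_BEFORE_FIX);
const after = followRedirects('https://api.example.com/v1/report', REQUEST_HEADERS, TRANSPORT, STRIP_AFTER_FIX);
console.log('pre-fix set, sent to', before.url, ':', Object.keys(before.headers));
console.log('post-fix set, sent to', after.url, ':', Object.keys(after.headers));
```

Note that the relative Location value in the same-origin case is resolved against the current URL before the origin comparison; comparing the raw Location string against the hostname would let a redirect to a protocol-relative or absolute URL slip through the check.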
Node.js: Code injection and privilege escalation through Linux capabilities
A vulnerability was found in Node.js on Linux where it incorrectly applied an exception for the CAP_NET_BIND_SERVICE capability even when other capabilities were set. This allowed unprivileged users to inject code that inherited the elevated privileges of the process...
Mozilla: Stored Xss on bugzilla.mozilla.org via comment edit feature from non-admin to admin.
A stored XSS vulnerability was discovered on the comment edit feature of bugzilla.mozilla.org. This allowed an attacker to execute malicious JavaScript code when an admin attempted to edit a comment. The vulnerability was reported and a bug report was filed...
Liberapay: Disavowed an email without any authentication
Vulnerability description not provided...
Internet Bug Bounty: jdbc apache airflow provider code execution vulnerability
A code execution vulnerability was discovered in the Apache Airflow JDBC Provider before version 4.0.0. The vulnerability allowed for privilege escalation by exploiting controllable parameters in the JDBC connection, enabling the execution of arbitrary Java code...
inDrive: Stored XSS on promo.indrive.com
Vulnerability description not provided...
Node.js: fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks.
A vulnerability was found in the fs.mkdtemp and fs.mkdtempSync functions in Node.js 20, which allowed malicious actors to bypass the permission model check and create arbitrary directories...
Teleport: robots.txt file
The web server includes a robots.txt file that serves a crucial role in providing instructions to web robots, such as search engine crawlers, about the permissible areas of the website that they can crawl and index. While the presence of this file does not pose a direct threat to the security of...
Internet Bug Bounty: [CVE-2022-44572] Possible Denial of Service Vulnerability in Rack’s RFC2183 boundary parsing
A denial of service vulnerability was discovered in the multipart parsing component of Rack. This vulnerability could be exploited by carefully crafted input to cause the RFC2183 multipart boundary parsing in Rack to consume an unexpected amount of time, potentially leading to a denial of service...
Cloudflare Public Bug Bounty: Privilege escalation to root in Pages build image v2
Vulnerability description not provided...
Sony: SQL Injection at https://████ via ███ parameter
Vulnerability description not provided...
Expedia Group Bug Bounty: https://www.wotif.com/vc/blog/info.php script is prone to reflected HTML/CSS injection and COOKIE leak
The info.php script on https://www.wotif.com was vulnerable to reflected HTML/CSS injection and COOKIE leak due to caching of HTTP headers. An attacker could inject malicious HTML/CSS code and steal victim cookies. The vulnerability was reported to the vendor...
LinkedIn: Unauthorized access to resumes stored on LinkedIn
Researcher found an IDOR on an endpoint where a recruiter could download resumes without the appropriate access - This security issue was unintentionally introduced in late-October 2022 - The reporter reached out and provided details to LinkedIn on this security issue in November 2022 - LinkedIn...
8x8: Directory Listing at https://█.█.█.█
@shuvam321 reported to us an enabled Directory Listing at https://█.█.█.█/cobbler/ & https://█.█.█.█/cblr/. The directories exposed open source files related to the Spacewalk project. The server instance was initially installed as a preview of a Spacewalk. No sensitive information had been...
Ruby on Rails: ReDoS (Rails::Html::PermitScrubber.scrub_attribute)
I have confirmed that ReDoS occurs in Rails::Html::PermitScrubber.scrub_attribute. https://github.com/rails/rails-html-sanitizer/blob/v1.4.3/lib/rails/html/scrubbers.rb#L134 ruby def scrub_attribute(node, attr_node) attr_name = if attr_node.namespace "#{attr_node.namespace.prefix}:#{attr_node.node_name}" else...
Hyperledger: fix(security):Path Traversal Bug
Unsanitized input from CLI argument flows into io.ioutil.ReadFile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files. See this fix : https://github.com/hyperledger/fabric/pull/3573 Impact There is a path traversal...
U.S. Dept Of Defense: Log4j Vulnerability [HtUS]
Description: Hi team, Log4Shell is a recent 0-day exploit; it is a vulnerable Java package. █████ is vulnerable. Impact: RCE. System Hosts: ██████ Affected Products and Versions: CVE Numbers: CVE-2021-44228 Steps to Reproduce: 1. Go to this url =...
Phabricator: Global default settings page is accessible to non-administrators
If you go to /settings/, it correctly redirects to /settings/user/username/ and does not give you the option to change global default settings. However if you go straight to /settings/builtin/global/, any user can edit the global default settings. According to https://secure.phabricator.com/D1604...
TikTok: Reflected xss on ads.tiktok.com using `from` parameter.
An XSS (cross-site scripting) vulnerability was found on a TikTok ads endpoint using the "from" parameter. We thank @imrannisar for reporting this to our team and confirming its resolution...
UPchieve: Clickjacking at https://hackers.upchieve.org/login
I found clickjacking on the login page at https://hackers.upchieve.org that can be exploited if the UI overlay is performed correctly by the attacker. Clickjack test page: Website is vulnerable to clickjacking! Click me when you finish: Impact: It is the login page, so if the UI overlay can be performed...
U.S. General Services Administration: Weak password policy leading to exposure of administrator account access
Hi, The login endpoint https://mysmartplans.gsa.gov/Marathon/Default.aspx has a weak password policy. During the recon, I came across a mysmartplans overview document, http://www.accentimaging.com/accent/pdfs/Accent%20MySmartPlans.pdf . In this document a few users are mentioned, like rick, ban...
GitLab: Arbitrary file read during project import
NOTE! Thanks for submitting a report! Please replace all the parenthesized sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary A mis-usage of json sche...
U.S. General Services Administration: IDOR at training.smartpay.gsa.gov/reports/quizzes-taken-by-user
Hey, I found an IDOR that allows anyone to view other users' results by changing the USERID parameter. /reports/quizzes-taken-by-user.csv/USERID Steps to reproduce: Step 1: Go to the section quizzes-taken-by-user as shown in the attached screenshot. Step 2: Click on Download CSV. Step 3: Intercept the request using the...