Liberapay: Exploiting JSONP callback on /username/charts.json endpoint leads to information disclosure despite user's privacy settings
Hello! Vulnerability Details The /username/charts.json endpoint can return a JSONP callback due to the fact that jsonpdump is used in the file charts.json.spt. It appears that the content of the JSONP request depends on the authentication of the user. If the user enabled the privacy setting which...
Mail.ru: lootdog.io XSS
An open redirect can be observed at this link: 1. https://lootdog.io/register?next=http://mail.ru?https%3A%2F%2Flootdog.io%2F Fill in this form and confirm the number: F290679 We are redirected to http://mail.ru Impact open redirect...
Ruby: Invalid URL parsing '#'
URI is not correctly parsed when "#" is included in the URL. Therefore, it could instead be tricked into connecting to a different host. PoC bash $ ruby --version ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-darwin16] ruby require 'uri' uri = URI("http://[email protected]/test") = p...
Shopify: XSS *.myshopify.com/collections/vendors?q=
WAF cut ", but " and ' are still in. 1. PoC example link" style="font-size: 1001pt;" 2. mouse on X 3. .. 4. XSS alert message Impact XSS attack...
LocalTapiola: Securemail server used to internal spam and resource exhaustion
Basic report information Summary: Confidential message system fails to restrict a large number of receivers. This might lead to hardware exhaustion and/or attacking LocalTapiola internal employees as securemail recipients. Description: Although https://secure.lahitapiola.fi/ is designed to send...
LocalTapiola: Malicious file upload (secure.lahitapiola.fi)
Basic report information Summary: Malicious file upload Description: Hello! I noticed that when a user sends a new message you have restricted pretty strictly the files which are ok to upload. Like .svg: F254353 However, if a user impersonates another user (just one example) and starts the conversatio...
Node.js third-party modules: Fastify denial-of-service vulnerability with large JSON payloads
Module: Fastify - https://www.npmjs.com/package/fastify Affected versions: =0.37.0, all versions before 0.38.0 Summary: A denial-of-service attack can be performed against servers running Fastify by sending a request with "Content-Type: application/json" and a very large payload. Description: Fasti...
Open-Xchange: IDOR allow to extract all registered email
STEP TO REPRODUCE ============================= vulnerable request.... PUT /appsuite/api/user?action=list&columns=1%2C20%2C500%2C501%2C502%2C505%2C524%2C555%2C606%2C614&session=144ebd4f736c475f9e7d681c07a6a50a&timezone=utc HTTP/1.1 Host: sandbox.open-xchange.com User-Agent: Mozilla/5.0 X11; Linux...
WakaTime: Clickjacking on authorized page https://wakatime.com/share/embed
Hi, https://wakatime.com/share/embed is vulnerable to clickjacking. Description: I found the resource on https://wakatime.com/share/embed, which can be vulnerable to Clickjacking. Impact The resource without X-Frame-Options is potentially vulnerable to Clickjacking. The vulnerability exist...
shopify-scripts: Null pointer dereference with send/method_missing
The following program triggers a null pointer dereference with mruby b200c747: ruby def method_missing(m) ensure begin A rescue break rescue end end send '' ASAN report: text ASAN:DEADLYSIGNAL ================================================================= ==12116==ERROR: AddressSanitizer: SEGV on...
Paragon Initiative Enterprises: Full directory path listing
STEP: ==================== 1. goto https://bridge.cspr.ng/login and enter your username,password 2. click "LogIn" and intercept the request 3. change the value in cookie header and add 'single quote in PHPSESSID field eg: PHPSESSID=kn7e21dpp2ocai2ckn1v147qev' 4. Forward the packet and see full pa...
Paragon Initiative Enterprises: Directory Disclose,Email Disclose Zendmail vulnerability
I found three vulnerabilities: directory information disclosure, email address disclosure, and possible remote code execution in Zendmail during signup. Your code accepts usernames with ', ", /, @ while all of these special characters must be forbidden or encoded in usernames. Directory Disclose: 1. goto sign-up pa...
Dashlane: Throttling Bypass - ws1.dashlane.com
Description The host at ws1.dashlane.com throttles requests based on the IP address of the user after a certain amount of repeated requests. By adding the X-Forwarded-For header, an attacker can bypass the throttling completely, rendering the security measure ineffective against DOS attacks. Proo...
Envoy: Primary Cloning of Envoy web application resulting confidential information disclosure
It is possible to mirror the Envoy website, which exposes internal structure as well as client-side JavaScript and CSS. When an attacker makes a copy of your webpages on their local machine, it is possible to scan the code for vulnerabilities to exploit without generating additional traffic on your web...
U.S. Dept Of Defense: Remote code execution vulnerability on a DoD website
A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. Thank you @korprit for notifying us of this vulnerability!...
Uber: User Enumeration and Information Disclosure
Vulnerability Name: User Enumeration and Information Disclosure Description: It was possible to enumerate users for the SquareSpace admin console in uber-movement. Please find below details of the users enumerated: 1. [email protected] 2. [email protected] Information Disclosure in...
Internet Bug Bounty: CVE-2015-8874 Stack overflow with imagefilltoborder
Reported in 2014 https://bugs.php.net/bug.php?id=66387 A variation was rediscovered this year and reported to PHP and LIBGD: https://bugs.php.net/bug.php?id=72350 https://github.com/libgd/libgd/issues/215 Patches for both issues:...
Internet Bug Bounty: EVP_EncodeUpdate overflow (CVE-2016-2105)
https://github.com/openssl/openssl/commit/ee1e3cac2e83abc77bcc8ff98729ca1e10fcc920...
Informatica: [rev-app.informatica.com] - XXE via SAML
Request: POST /sso HTTP/1.1 Host: rev-app.informatica.com Connection: keep-alive Content-Length: 8669 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: https://infapassport.okta.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5....
Radancy: Version Disclosure (NginX)
Hi, I found an Nginx version disclosure in your web server's HTTP response. Extracted Version: 1.8.0 This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Nginx. Impact An attacker...
InVision: Deleting a Project for which the user is not owner but a normal member
A project member who is not the owner of the project does not have the delete option. But using a proxy tool like Burp Suite, a low-privilege project member can delete the project, where only the project owner has the privilege to delete the project. Pre-Requisite: A project where the current user is...
Gratipay: DKIM records not present, Email Hijacking is possible
Your SPF record is v=spf1 include:email.freshdesk.com include:spf.mandrillapp.com include:spf.google.com -all which very well shows that you don't want spoofed email to be sent from your domains, but you just forgot one thing: DKIM. DKIM (DomainKeys Identified Mail) is an important authentication mechani...
Mail.ru: Same Origin Policy bypass
Hi, After a small investigation I've probably found something that can be exploited to bypass Same Origin Policy on mail.ru services, especially your main domain and e.mail.ru. First of all, let's take a look at your crossdomain.xml for both mail.ru and e.mail.ru: After time spent on searching...
X (Formerly Twitter): Insecure Data Storage in Vine Android App
Hi Twitter, - Vulnerability Class: OWASP M2: Insecure Data Storage Every application needs to store something secret, like a website username, password, cookies etc. Internal storage is the place to do it; the Android sandbox prevents other applications from accessing this data, but in the Vine Android a...
Mail.ru: XSS via .eml file
First look at the screenshot: XSS is possible via .eml attachments; the vulnerable part is the name of the .eml file, which is assigned from the message Subject (the Subject line in the eml). The JS fires on the file preview page https://e.mail.ru/attaches-viewer/?... steps to reproduce by forwarding the message: -...
Automattic: Missing HSTS header in https://app.simplenote.com
Hi, Vulnerable Website: https://app.simplenote.com I tested the website using firefox add-on called: Strict Transport Security Detector https://addons.mozilla.org/en-US/firefox/addon/strict-transport-security-d/ HSTS addresses the following threats: User bookmarks or manually types...
Yahoo!: Testing for user enumeration (OWASP‐AT‐002) - https://gh.bouncer.login.yahoo.com
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Yahoo!: Yahoo! Messenger v11.5.0.228 emoticons.xml shortcut Value Handling Stack-Based Buffer Overflow
Thank you for your submission to Yahoo’s Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, we will take your report into consideration for any future releases. We appreciate your adherence to responsible disclosure...
OkCupid: XSS Vulnerability Found!
Good Day OkCupid Security Team! I just want to report that I found a bug on your website. What I've found is an XSS vulnerability with the use of the third-party app Facebook. At first I upload an image in Facebook and name it as " then go to okcupid.com, then I click upload image and I click the...
Yahoo!: Out of date version
Thank you for your submission to Yahoo’s Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, unfortunately this bug has already been reported to us. We appreciate your adherence to responsible disclosure guidelines and...
Hyperledger: fix(security):Path Traversal Bug
Unsanitized input from CLI argument flows into io.ioutil.ReadFile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files. See this fix : https://github.com/hyperledger/fabric/pull/3573 Impact There is a path traversal...
U.S. Dept Of Defense: Log4j Vulnerability [HtUS]
Description: Hi team, Log4Shell is a recent 0-day exploit; it's a Java package vulnerability. █████ is vulnerable Impact RCE System Hosts ██████ Affected Products and Versions CVE Numbers CVE-2021-44228 Steps to Reproduce 1. Go to this url =...
Phabricator: Global default settings page is accessible to non-administrators
If you go to /settings/, it correctly redirects to /settings/user/username/ and does not give you the option to change global default settings. However if you go straight to /settings/builtin/global/, any user can edit the global default settings. According to https://secure.phabricator.com/D1604...
TikTok: Reflected xss on ads.tiktok.com using `from` parameter.
An XSS (cross-site scripting) vulnerability was found on a TikTok ads endpoint using the "from" parameter. We thank @imrannisar for reporting this to our team and confirming its resolution...
UPchieve: Clickjacking at https://hackers.upchieve.org/login
I found clickjacking at the login page on https://hackers.upchieve.org that can be exploited if the UI overlay can be performed correctly by the attacker. Clickjack test page Website is vulnerable to clickjacking! Click me when you finish : Impact It's a login page, so if the UI overlay can be performed...
U.S. General Services Administration: Weak password policy leading to exposure of administrator account access
Hi, The login endpoint https://mysmartplans.gsa.gov/Marathon/Default.aspx has a weak password policy. During the recon, I came across a mysmartplans overview document http://www.accentimaging.com/accent/pdfs/Accent%20MySmartPlans.pdf . In this document a few users are mentioned like - rick, ban...
GitLab: Arbitrary file read during project import
NOTE! Thanks for submitting a report! Please replace all the parenthesized sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary A mis-usage of json sche...
U.S. General Services Administration: IDOR at training.smartpay.gsa.gov/reports/quizzes-taken-by-user
Hey, I found an IDOR that allows anyone to view other users' results by changing the USERID parameter. /reports/quizzes-taken-by-user.csv/USERID Steps to Reproduce: Go to the section quizzes-taken-by-user as shown in the screenshot attached. Step 2: Click on Download CSV. Step 3: Intercept the request using the...
Mail.ru: Reflected XSS https://tracker.my.com
Reflected XSS on tracker.my.com via GET parameter iconUrl...
GitLab: Stored-XSS on wiki pages
Hello, A Stored-XSS exists on Wiki pages. It is caused by a recent change in show.html.haml#L10 ruby ... "".html_safe ... author_url is defined by the committed email in wiki_page_version.rb: ruby delegate :message, :sha, :id, :author_name, :author_email, :authored_date, to: :commit def author_url user =...
Mail.ru: Debug Mode Leak Critical Information [ AWS Keys , SMTP , Database , Django Secret Key ( RCE ) , Dodoc , Telegram , Twilio .. ]
Debug mode was enabled in legium-back.corp.mail.ru leaking some potentially sensitive information...
Informatica: Html injection on ██████.informatica.com via search.html?q=1
Hello, I have found HTML injection on ██████.informatica.com. Injectable parameter: search.html?q=1 URL : https://████████.informatica.com/search.html?q=1%22%3E%3Cimg%20src=https://www.no-gods-no-masters.com/imagesdesigns/anonymous-gandhi-d001001207265.png%3E%E2%80%[email protected]%20%22 payload ; 1"”@x...
GitHub Security Lab: [javascript] CWE-614: CodeQL query to detect if cookies are sent without the flag secure being set
This bug was reported directly to GitHub Security Lab...
Shopify: authenticity token not verified leads to change business name
Hello security team, while signing up I have noticed that the authenticity token is not verified, which leads to changing info like the business name Steps to reproduce 1- visit this url https://www.shopify.com/partners and add your mail then click on join now 2- Then fill out your data and click on create new partn...
Mail.ru: SECRET_KEY Of Django Leaked In maps.me
Token for an internal Jenkins account of maps.me was leaked via a git commit...
Internet Bug Bounty: [CVE-2020-10543] Buffer overflow caused by a crafted regular expression
CVE ID: CVE-2020-10543 See: + https://metacpan.org/pod/release/XSAWYERX/perl-5.30.3/pod/perldelta.pod + https://metacpan.org/pod/release/XSAWYERX/perl-5.28.3/pod/perldelta.pod Impact Potential RCE...
Shopify: Takeover an account that doesn't have a Shopify ID and more
Details The https://pos-channel.shopifycloud.com/graphql-proxy/admin can be exploited to update a staff member's email without any email confirmation. Using the partner dashboard, we have the ability to create a store that doesn't have a Shopify ID account on https://accounts.shopify.com. By using...
Staging.every.org: No Rate Limit On Reset Password
Summary: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests. wikipedia I...
h1-ctf: [H1-415 2020] CTF Writeup
As there is a bonus for the first solver, I am sending only the flag for now. F687111 Impact...
MTN Group: Information Disclosure FrontPage Configuration Information /_vti_inf.html in https://www.mtn.co.za/
Hi there, I found an information disclosure of the Microsoft FrontPage configuration in the subdomain https://www.mtn.co.za/ that allows me to see the version number and scripting paths of SharePoint using Firefox. POC: Go to the following url: https://www.mtn.co.za/_vti_inf.html and you will see a blank page...