15302 matches found
GitHub Security Lab: [Python] Unsafe Unpacking and TarSlip bug slaying
Vulnerability description not provided...
GitHub Security Lab: cpp: if (a+b>c) a=c-b is incorrect if a+b overflows
Vulnerability description not provided...
HackerOne: Asset Inventory Internal Descriptions are leaked in CSV export
An internal asset description in the Asset Inventory feature of HackerOne was leaked in the CSV export, potentially exposing sensitive information stored in the description...
Cloudflare Public Bug Bounty: Cloudflare CASB Confused Deputy Problem
A vulnerability was found in Cloudflare CASB on Microsoft and GitHub integrations, allowing an attacker to create a new integration and access sensitive information if they were able to enumerate a valid tenant UUID or domain. The issue was resolved by disallowing the creation of multiple...
Nextcloud: Mail app stores cleartext password in database until OAUTH2 setup is done
A vulnerability was found in the Nextcloud Mail app where the password for XOAUTH2 accounts was stored in clear text in the database during the setup process, until the OAUTH2 setup was completed. This could have allowed a database administrator to read the plaintext password...
Nextcloud: CSRF vulnerability in Nextcloud Desktop Client 3.6.1 on Windows when clicking malicious link
Summary: It is possible to make a user send any POST request with an arbitrary body, given they click on a malicious deep link (e.g. in an email, chat link, etc.). This vulnerability was introduced in an attempt to fix 1720043. The patch, however, can be bypassed and also introduced a CSRF vulnerability...
U.S. Dept Of Defense: AWS Credentials Disclosure at ███
Sensitive AWS credentials were disclosed through a config.json file found on a server. An attacker could have used these credentials to gain access to sensitive information on the AWS account or perform arbitrary modifications on AWS resources. The affected system host was not disclosed. No CVE...
U.S. Dept Of Defense: IDOR leaking PII data via VendorId parameter
Description: Dear DoD, I found one bug on your domain from the Hack US program: █████ It's an IDOR bug. Be aware that I didn't test many functions here for IDOR. I didn't test for ATO (Account Takeover). But you should fix this. Here's the PoC: ██████████ Thank you DoD! Impact: An attacker could steal...
curl: CVE-2022-35252: control code in cookie denial of service
Summary: I took a look at https://github.com/curl/curl/pull/9048/commits/d7bcbc7d8d4b6d972d3da12d54819169a19c287b, a sneak peek at a vulnerability to be announced tomorrow. My guess for that vulnerability is that since cookies are persistent, someone who can trick curl into storing cookies can sto...
Internet Bug Bounty: Undici ProxyAgent vulnerable to MITM
Full GitHub advisory summarizing the issue is here: https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 The original Node.js HackerOne report is here: https://hackerone.com/bugs?reportid=1583680 This was fixed & disclosed in Undici v5.5.1. This primarily affects Undici, a...
curl: curl "globbing" can lead to denial of service attacks
Summary: The curl "globbing" allows too much scope, which can cause the server to be denied service or be used to attack third-party websites. The globbing allows 1-9999999999999999999 to be parsed in the URL. So when curl requests for...
IBM: sql injection via https://setup.p2p.ihost.com/
A SQL Injection against an IBM domain was reported to IBM, analyzed and has been remediated. Thank you to exploitmsf...
curl: curl proceeds with unsafe connections when -K file can't be read
Summary: I'm using curl 7.82.0 on Linux. When the file specified by the -K option can't be read, curl sends network traffic as specified by the other options that are explicitly included on the command line; in other words, there's only a warning, and I'd like it to be a fatal error. This behavior...
IBM: Public Jenkins instance with /script enabled
An RCE/LFI due to a public Jenkins instance with /script enabled was reported to IBM on February 26th, analyzed, and has been remediated since March 3rd, 2022. Thank you to Sanjok Karki (thesanjok) for the finding. RCE/LFI due to public Jenkins instance with /script enabled...
GitHub Security Lab: [Java] CWE-552: Query to detect unsafe request dispatcher usage
This bug was reported directly to GitHub Security Lab...
HackerOne: HackerOne Staging uses Production data for testing
Summary: Today I received an email related to smart rewards from HackerOne. This included staging environment details, such as: sender: [email protected]; Privacy / Terms links pointing to domain: https://www.enorekcah.com/... This basically tells us that HackerOne is using hacker dat...
TikTok: Reflected XSS on TikTok Website
A cross-site scripting (XSS) vulnerability was found on TikTok.com via multiple parameters. We thank @homosec for reporting this to our team and confirming its resolution...
U.S. Dept Of Defense: RCE in ███ [CVE-2021-26084]
A vulnerability in affected versions of Confluence Server and Data Center allowed authenticated users, and in some cases unauthenticated users, to execute arbitrary code. The vulnerability was due to an OGNL injection issue affecting endpoints that could be accessed by non-administrators when use...
GitLab: Stored XSS in custom emoji
Summary: I found a stored XSS in the custom emoji feature. This feature hasn't been rolled out yet and needs feature flags set in a self-managed installation. https://gitlab.com/gitlab-org/gitlab/-/issues/231317 The problem is the code here...
GitLab: Clipboard DOM-based XSS
Summary: A clipboard DOM-based XSS exists on several Markdown text fields. Technical details: The app/assets/javascripts/behaviors/markdown/copyasgfm.js file is used to get and set GFM (GitHub Flavored Markdown) data on the clipboard on different parts of the GitLab application. If a user copies data...
GitLab: Cache poisoning Denial of Service affecting assets.gitlab-static.net
Summary: Hi, Gitlab.com is hosting JS and CSS on https://assets.gitlab-static.net/ and uses them on gitlab.com/. The static files seem to be stored on a GCP host, which by default accepts the x-http-method-override header. Since the CDN is using Varnish to cache files, I was able to combine the GCP...
GitLab: Stored-XSS on wiki pages
Hello, a stored XSS exists on Wiki pages. It is caused by a recent change in show.html.haml (L10): ... `"".html_safe` ... `author_url` is defined by the committed email in wiki_page_version.rb: `delegate :message, :sha, :id, :author_name, :author_email, :authored_date, to: :commit` `def author_url user =`...
BlockDev Sp. Z o.o: xmlrpc.php file is enabled; it will be used for brute-force attacks and Denial of Service (DoS)
xmlrpc.php file is visible...
Ruby on Rails: HostAuthorization middleware does not suitably sanitize the Host / X-Forwarded-For header allowing redirection.
When a site is configured to use the .tkte.ch leading-dot short form for the domain name, ex: `config.hosts` You are being redirected. Where the controller is simply: `class RedirectController < ApplicationController; def main; redirect_to action: 'main'; end; end` The host header poisoning was report...
TikTok: CORS misconfiguration in TikTok ads portal
A CORS misconfiguration was discovered in the TikTok ads portal which could potentially allow an attacker to obtain user IDs and usernames of logged in users. This issue has been resolved. We thank @chihuahua for reporting this to our team...
Mail.ru: [performancemarketing.geekbrains.ru] Tilda Subdomain Takeover
Unused subdomain of geekbrains.ru was delegated to tilda.cc and unclaimed...
Zomato: Ability to manipulate price with a max threshold of `<1 Rupee` in support rider parameter
Hi Team, I have found an issue in the support rider amount calculation at the time of checkout, where the amount is tamperable by a negative fraction of rupees, which decreases the total amount by a maximum of 1 Rs. POC: 1. Go to zomato.com 2. Add anything to your cart 3. At the checkout page, add...
Kubernetes: Internal IP addresses range and AWS cluster region leaked in a Github repository
Report Submission Form Summary: I was exploring the GitHub repository and found some internal IP addresses and the cluster region of an AWS cluster. So I decided to report it to you. Please have a look and let me know. Steps To Reproduce: Visit this link: Repository - kubernetes / kubernetes...
Concrete CMS: SSRF bypass
This simply describes a bypass for the report at https://hackerone.com/reports/243865: using a decimal notation encoded IP address, 0177.0.0.1 currently bypasses the limitations in place for localhost. crayons Re-submitting the report including the "magic" string. Concrete5 version used is 8.5.2. Impact...
Nuri: GraphQL introspection query works through unauthenticated WebSocket
Summary: It is possible to execute a GraphQL introspection query through an unauthenticated WebSocket connection. PoC included. Steps To Reproduce: To simplify reproduction I provided a simple HTML PoC file. 1. Start a Python static HTTP server in the directory with the PoC file: `python3 -m http.server` (this step...
Mail.ru: Account takeover through password reset in cups.mail.ru
An IDOR vulnerability in the password recovery procedure allowed arbitrary cups.mail.ru account takeover. Write-up is here: https://medium.com/kminthein/account-takeover-in-cups-mail-ru-bdab1483f92c...
Staging.every.org: No Rate Limit On Reset Password
Summary: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests. (Wikipedia) I...
Kubernetes: Compromise of auth via subset/superset namespace names.
Report Submission Form Summary: Use of nginx.ingress.kubernetes.io/auth annotations results in a file named namespace-ingress.passwd. If a user knows the namespace and ingress name of an ingress they want to compromise, they need to be able to create a namespace that is some subset of namespace-ingress...
h1-ctf: [h1-415 2020] I got the flag
Hey guys, The flag is: h1ctfy3s1mc0sm1cn0w I'll submit a well written writeup later today or tomorrow. I now have a lot of work to catch up thanks to this devilish ctf hehehe. Thanks Ben and the rest of the team for this awesome challenge. Impact Getting the flag...
8x8: Reflected XSS on 8x8.com subdomain
The Beta version of a new chat API was discovered to contain a reflected XSS flaw. With the help of the researcher we were able to resolve the issue and ensure the future chat product will not contain this flaw. Write-up for beginners like me.. hackwithcommunity...
Nord Security: CORS Misconfiguration on nordvpn.com leading to Private Information Disclosure,Account takeover
Summary: A cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of th...
Mail.ru: SSRF in filtering on relap.io
The Relap fetcher used to access external resources in the relap.io project was not properly isolated from the production networks, leaving potential for non-blind SSRFs. relap.io was in Ext.B scope at the moment of reporting...
Node.js third-party modules: Filesystem Writes via `yarn install` via symlinks and tar transforms inside a crafted malicious package
I would like to report an arbitrary filesystem write vulnerability in Yarn when installing a malicious package from the default repositories. This vulnerability has the potential for RCE -- even if --ignore-scripts is disabled. It allows a malicious package, upon install, to write to any path on...
GitLab: Stored XSS in merge request pages
A stored cross-site scripting (XSS) vulnerability was discovered in GitLab merge request pages. An attacker could exploit this vulnerability by creating a merge request with a specially crafted branch name and tricking a user with insufficient permissions to view the merge request page. This could...
8x8: Publicly accessible .svn repository - aastraconf.packet8.net
The server contained artifacts from an old SVN repository. The files were removed...
curl: krb5: double-free in read_data() after realloc() fail
Summary: In 'lib/security.c', there is a double-free of the reference 'buf->data' on the teardown path if 'Curl_saferealloc' fails. Also, since we read 'len' from the 'fd', the sender might be able to remotely trigger a realloc failure, and then the double-free, by sending the value 0x7fffffff...
Node.js third-party modules: gitlabhook OS Command Injection
I would like to report OS Command Injection in gitlabhook. It allows execution of arbitrary code on the remote server that waits for instructions from GitLab. Module: module name: gitlabhook, version: 0.0.17, npm page: https://www.npmjs.com/package/gitlabhook Module Description: This is an easy to u...
Grammarly: Can register any mobile number in MFA without current code.
@chackmate identified a vulnerability that allows a user to connect arbitrary phone numbers with their account. No users affected...
50m-ctf: $50 million CTF Writeup
Summary: For a brief overview of the challenge you can take a look at the following image: F451370. Below I will detail each step that I took to solve the CTF, as well as all the bad assumptions that led me to a dead end in some cases. Twitter: The CTF begins with this tweet: F451371. What is this...
X (Formerly Twitter): URL that Twitter mobile site cannot load
Summary: A URL that the Twitter mobile site cannot load crashes any page containing this URL. Description: Invalid hex characters crash the Twitter mobile site; as an example, go to https://mobile.twitter.com/?%xx and Twitter won't load. 1. Sending such a URL in a direct message, Twitter will no longer be able to...
Internet Bug Bounty: Buffer over-write in finfo_open with malformed magic file.
https://bugs.php.net/bug.php?id=71527 This bug causes a segfault when running with the environment variable USE_ZEND_ALLOC set to 0, and also when compiled with ASAN with USE_ZEND_ALLOC set and unset. To reproduce, run the following PHP file, with the example magic file below. $ cat magic-open.php Magic...
Starbucks: Unused domain still in use on WeChat by Starbucks East China
Summary: spcc.mobi is still in use by the WeChat official account of Starbucks East China, but this domain is on sale. Description: I had reported this at reportid=433843, but your guys had ignored it, because they said the domain is unused. In fact, spcc.mobi still has an interface in use at the WeChat offic...
WordPress: CSRF to HTML Injection in Comments
Simon discovered a CSRF vulnerability that led to RCE. More details are available on the RIPS blog...
Valve: Malformed .BMP file in Counter-Strike 1.6 may cause shellcode injection
With the vulnerability of the GoldSource Engine, the server is able to perform remote code execution on the client, overwriting the stack when reading the BMP file. The problem is in the LoadBMP8 function, which is executed when the player connects to the server, by loading the...
Mail.ru: XSS on the account.mail.ru/recovery page
Reflected XSS via GET parameters in account.mail.ru...