Uber: lert.uber.com: Few default folders/files of AURA Framework are accessible
There were a few default folders/files of the AURA Framework accessible on lert.uber.com. The specified files/folders in the AURA framework were supposed to be accessible, so we did not make any changes here. However, we do appreciate the time taken to submit this report and are disclosing per th...
X (Formerly Twitter): CRLF and XSS stored on ton.twitter.com
Hey, 1 CRLF: It's similar to 52042 but weaker. To reproduce, go to: https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC and you will find that test cookie with the val...
Internet Bug Bounty: Heap overflow caused by type confusion vulnerability in merge_param()
Since the original report is still marked as private in the PHP bug tracker please find the copy & pasted bug report below edited for readability and to include correct bug tracker id. See the references section for a link to the issue in the PHP bug tracker! The maintainer already fixed the issu...
Boozt Fashion AB: xss in Theme http://bztfashion.booztx.com
Researcher reported an XSS vulnerability in a WordPress theme that we were using for our corporate site, which in turn brought our attention to more vulnerabilities within that WordPress installation. Action taken - removed the installation completely and rebuilt a more secure version of th...
Instacart: WordPress Authentication Denial of Service
Hi, I found out that you are using WordPress version 4.5.3. Researchers found out 5 days ago, that this version has a vulnerability, a Path traversal in WordPress Core Ajax handlers. Intro WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability...
Internet Bug Bounty: stack buffer overflows in the curses module
I found two stack buffer overflows in the curses module. These vulnerabilities have been reported to the PSRT and were fixed here: https://hg.python.org/cpython/rev/d5f6bc45b376 https://hg.python.org/cpython/rev/85b35300f200 Below are copies of the mails I sent to the PSRT. They describe the...
Trello: File access using image tragick
While Trello had patched our image libraries to prevent the RCE vulnerability in ImageMagick, we had not applied a patch to prevent arbitrary file reads via labels in mvg files. After resolving the issue, we were able to determine that no files had actually been accessed using this vulnerability,...
Uber: User Enumeration and Information Disclosure
Vulnerability Name: User Enumeration and Information Disclosure Description: It was possible to enumerate users for SquareSpace admin console in uber-movement. Please find below details of users enumerated: 1. [email protected] 2. [email protected] Information Disclosure in...
Internet Bug Bounty: Adobe Flash Player ContentFactory class Memory Corruption Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ContentFactory.retrieveAdPolicySelector. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platfor...
Internet Bug Bounty: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
https://openssl.org/news/secadv/20160301.txt...
Cakebet: Sender policy framework (SPF) records evaluation return (Too many DNS lookups) error
Hi Security Team, your SPF record suffers from a "too many lookups" error. The SPF specification limits the number of DNS lookups (such as translating a name to an IP address) to 10. An SPF record like the one shown below will have the too-many-lookups error: Found v=spf1 record for...
ThisData: Login CSRF using Google OAuth
This bug is related to bug report https://hackerone.com/reports/774 as this bug also allows a user to be logged in as the attacker. An attacker could exploit this bug as follows: Attacker initiates Google OAuth process with thisdata Attacker allows access to thisdata app Attacker records and drop...
HackerOne: Requesting unknown file type returns Ruby object w/ address
Hello sec folks, requesting a report you are not allowed to access along with an unhandled file type extension discloses a Mime::NullType Ruby object representation with a corresponding memory address. Example: https://hackerone.com/reports/1337.foo Request: http GET /reports/1337.foo HTTP/1.1...
Informatica: [rev-app.informatica.com] - XXE via SAML
Request: POST /sso HTTP/1.1 Host: rev-app.informatica.com Connection: keep-alive Content-Length: 8669 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Origin: https://infapassport.okta.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5....
Coinbase: XXE in OAuth2 Applications gallery profile App logo
Upload an SVG (XML-based) photo as the App logo containing an XML payload, renamed to .jpg; the server starts executing this XML payload. Or just watch this video "https://www.dropbox.com/s/wkba6f0wrax0wr8/xxe.mp4?dl=0". The same vulnerability was in https://www.coinbase.com/careers and reported by...
QIWI: [rubm.qiwi.com] Yui charts.swf XSS
Yui charts.swf XSS...
Radancy: Version Disclosure (NginX)
Hi, I found an Nginx version disclosure in your web server's HTTP response. Extracted Version: 1.8.0 This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Nginx. Impact An attacker...
VK.com: Flaw in hashtag search
Ability to find out the ID of a post with a specific hashtag if it is the only one on the wall. AND THE WORD IN THIS POST! That is, "photo" means the word photo is present in the post, so most likely there is a photo and ...
InVision: Deleting a Project for which the user is not owner but a normal member
A Project member who is not the owner of the project does not have a delete option. But using a proxy tool like Burp Suite, a low-privilege Project member can delete the Project, where only the project owner has the privilege to delete the project. Pre-Requisite: A project where the current user is...
Gratipay: DKIM records not present, Email Hijacking is possible
Your SPF record is v=spf1 include:email.freshdesk.com include:spf.mandrillapp.com include:spf.google.com -all Which very well shows that you don't want spoofed email to be sent from your domains, but you just forget one thing: DKIM DomainKeys Identified Mail is an important authentication mechani...
HackerOne: Internal bounty and swag details disclosed as part of JSON response
Hello HackerOne team! If some company takes an option like this: "Show minimum bounty on the program page? Do not display the minimum bounty on the program page." For example: https://hackerone.com/███████████ Private bounty details "basebounty":10 https://hackerone.com/████ Private swag details...
VK.com: Issue in the implementation of captcha and race condition
Reuse of captcha. The researcher was able to find a misconfiguration in the captcha mechanism which allowed him to reuse any captcha and bypass the uniqueness check. Furthermore, the race condition bypassed the number of retries...
Mail.ru: XSS in ad.mail.ru
The XSS vulnerability is located here: https://ad.mail.ru/adi/3030 and is triggered by setting referer to: "alert0 The problem is that the referer is being loaded like so: html alert0 " I am aware that this is out of scope, but I am still reporting it since I just happened to spot it while lookin...
Internet Bug Bounty: Use After Free in Flash MessageChannel.send can cause arbitrary code execution
Sending messages between workers while having the animation reloaded can cause an object to be freed while a reference remains in memory. An attacker can use this issue to control eip and potentially execute arbitrary code. Identified as CVE-2015-0320, and reported to Adobe via Chrome VRP:...
Internet Bug Bounty: Race condition in workers may cause an exploitable double free by abusing bytearray.compress()
The issue occurs while sharing a bytearray between two workers. If one worker calls bytearray.compress while the other uses that bytearray, Flash does not correctly handle the race and may double free the array. Identified as CVE-2015-0312, and reported to Adobe via Chrome VRP:...
Vimeo: XSS on any site that includes the moogaloop flash player | deprecated embed code
The moogaloop flash player includes in most cases http://f.vimeocdn.com/p/flash/moogaloop/6.0.30/controllers/videoControllerProgressive.swf. In that flash file we can find functionality that looks into the SharedObject "com.conviva.livePass" for recently loaded swf-URLs under the key "lastSwfUrls...
X (Formerly Twitter): twitter android app Fragment Injection
com.twitter.android.WidgetSettingsActivity extends PreferenceActivity and is exported. By passing the appropriate extra in the intent, any of its internal fragments can be invoked. So do not export com.twitter.android.WidgetSettingsActivity...
Vimeo: Vimeo.com Insecure Direct Object References Reset Password
Hello, my name is Toufik Airane. This is Responsible Disclosure and Silent Disclosure. Thank you for opening a bug bounty program! Please find a proof of concept for an IDOR attack on the famous vimeo.com. With this IDOR, an attacker can reset the password of any account and take control of it. Please, find...
QIWI: Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails
Hi - vulnerable hosts; agent.qiwi.com static.qiwi.com visa.qiwi.com w.qiwi.com www.qiwi.com • the type of vulnerability; Information disclosure • where exactly; There are multiple locations for documents with valuable metadata attached. These are both Qiwi documents and documents uploaded by...
X (Formerly Twitter): URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS
Hi, this is an urgent issue and I hope you will act on it likewise. Your subdomain media.vine.co is pointing to AWS S3, but no bucket is connected to it. The reason for it is the CNAME of the media.vine.co DNS entry: media.vine.co - media.vine.co is an alias for...
Mail.ru: XSS via .eml file
First look at the screenshot: XSS is possible via .eml attachments. The vulnerable part is the .eml file name, which is assigned from the message Subject (the Subject line in the eml). The JS fires on the file preview page https://e.mail.ru/attaches-viewer/?... Steps to reproduce by forwarding a message: -...
Mavenlink: Login password guessing attack
I have found out that an attacker can perform a brute force attack on your login panel because there is no rate limiting to prevent this attack...
Yahoo!: Testing for user enumeration (OWASP‐AT‐002) - https://gh.bouncer.login.yahoo.com
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
OkCupid: XSS Vulnerability Found!
Good Day OkCupid Security Team! I just want to report that I found a bug on your website. What I found is an XSS vulnerability through the use of the third-party app Facebook. At first I uploaded an image to Facebook and named it as " then went to okcupid.com, clicked upload image and clicked the...
curl: CVE-2024-6197: freeing stack buffer in utf8asn1str
The libcurl library at commit 04739054cdac5a0614fb94e3655e313c03399f35 contained an invalid invocation of the free function in the utf8asn1str function. The buffer being freed was located on the stack, which posed a security risk as the freed address could have been later returned by malloc calls...
Internet Bug Bounty: [CVE-2024-32464] ActionText ContentAttachment’s can Contain Unsanitized HTML
CVE-2024-32464 ActionText ContentAttachment's can Contain Unsanitized HTML Instances of ActionText::Attachable::ContentAttachment included within a richtextarea tag were discovered to potentially contain unsanitized HTML. This vulnerability was assigned the CVE identifier CVE-2024-32464. Versions...
HackerOne: 2FA Bypass via Leaked Cookies
Vulnerability description not provided...
Nextcloud: Bruteforce protection in password verification can be bypassed
A vulnerability was found where the IP address used for brute force protection in Nextcloud server could be bypassed by adding a valid X-Forwarded-For header. This allowed an attacker to bypass the brute force protection and brute force login credentials...
Node.js: Path traversal by monkey-patching Buffer internals
A path traversal vulnerability was introduced in the experimental permission model in Node.js 20 and 21 by monkey-patching Buffer internals. This allowed modification of the result of path.resolve, leading to traversal beyond the expected path...
Nextcloud: HTML injection in search UI when selecting a circle with HTML in the display name
An HTML injection vulnerability was discovered in the search user interface of a cloud application. When selecting a circle with HTML in the display name, this could allow redirection to malicious websites or other adverse impacts such as data theft, phishing, or malware distribution...
Internet Bug Bounty: CVE-2023-42780: Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature
A vulnerability in Apache Airflow versions prior to 2.7.2 allowed authenticated users to list warnings for all DAGs, revealing dagids and stack traces even for DAGs the user did not have permission to access. Users should upgrade to Airflow 2.7.2 or newer...
Node.js: Process-based permissions can be bypassed with the "inspector" module.
Process-based permissions in Node.js can be bypassed using the built-in inspector module, allowing an attacker to access restricted resources...
GitLab: Account takeover due to insufficient URL validation on RelayState parameter
An insufficient URL validation on the RelayState parameter in GitLab allowed attackers to steal Bitbucket access tokens and other third-party access tokens, such as Google, Salesforce, and Twitter. The vulnerability was due to an open redirect while logging in to GitLab via SAML, which saved the...
Internet Bug Bounty: Open Redirect Vulnerability in Action Pack
An open redirect vulnerability was discovered in Action Pack, specifically in the redirect_to helper function. This vulnerability allowed for the possibility of an attacker crafting a URL that could bypass the protection against open redirects introduced in Rails 7.0. The vulnerability was fixed i...
Reddit: Can use the Reddit android app as usual even though revoking the access of it from reddit.com
Summary: Hi Team, For the last 4 days, I kept testing reddit web. That time, I revoked app access from the old.reddit.com and i checked my app and as expected i was not able to use the account in my app. After 2 days I was checking the chat invites feature on the web and after some time I turned ...
U.S. Dept Of Defense: SQL injection at [https://█████████] [HtUS]
Hello, Summary: while doing tests on www.███ I've found that the endpoint at /olc/███comments/commentpost.php is vulnerable to SQL injection. Vulnerable parameters - staffstudent. POC - using sqlmap, run the command: jsx python3 sqlmap.py --level=5 --risk=3 --tamper=space2comment...
curl: Use of Unsafe function || Strcpy
Summary: It was observed that the application is using the strcpy function, which may lead to buffer overflow attacks. Affected Code https://github.com/curl/curl Affected Lines 1. Line 195 of curl-master\tests\libtest\stubgssapi.c 2. Lines 204, 212, 216 of curl-master\tests\server\socksd.c Steps To Reproduce: Let...
8x8: ████ api key exposed in github.com/███/███
@adnanmalikinfo identified a committed API key of a 3rd party SaaS platform for social marketing. We swiftly escalated to the repository owner, who restricted access...
MTN Group: Remote code injection in Log4j on http://mtn1app.mtncameroon.net - CVE-2021-44228
The vulnerability CVE-2021-44228, a remote code injection flaw in Log4j, was discovered on the website http://mtn1app.mtncameroon.net. The vulnerability was confirmed to be present on the ports 8080 and 8443 of the website. The issue was demonstrated by retrieving the hostname of the affected...
Shopify: Sidekiq dashboard exposed at notary.shopifycloud.com
Summary: Hi, I found that the host https://notary.shopifycloud.com/ is exposing a Sidekiq dashboard to the internet, for any unauthenticated user to use. I am not very familiar with Sidekiq, but from what I can tell it's used for Ruby background processing. I am fairly certain this dashboard is...