Zomato: Potential server misconfiguration leads to disclosure of vendor/ directory
Hi, Apologies for the weakness label, it was the closest I could find for what appears to be a server misconfiguration. Typically, in MVC frameworks like Slim which I see you are using here, Symfony, Laravel, etc., the front controller is the only thing exposed, leaving vendor/, logs/, and others...
Legal Robot: Password reset token issue
Hi Team, Steps to Repro: Request a password reset link. Go to email and click on the password reset link https://app.legalrobot.com/password-reset/token?v=gHonjdcdLTpmax2pHSXtaRlQrs2eHpTl7TXUpMfjjh Now remove the token and use the link https://app.legalrobot.com/password-reset/ Observe that able to...
Legal Robot: I can't log in to my account
Hey sir, new issue found: when I reset my password to my mail address [email protected] it's done. But when I try to sign in it says the password is not the same as the mail address. I have changed my password successfully to my mail address, but it won't let me log in...
Quora: XSS through `__e2e_action_id` delivered by JSONP
Summary: The `__e2e_action_id` param used with POST requests to the /servercallPOST?m= endpoint is not properly escaped when reflected back in a response, allowing injection of JavaScript. Also, another issue on some methods such as /servercallPOST?m=edit allows - with a strong premise discussed on the...
WakaTime: No redirect URI for Twitter OAuth resulting in token leak
Good afternoon, There's an opportunity to steal OAuth tokens via the return URI in the following redirect. https://wakatime.com/oauth/twitter/authorize?reason=tweet&next=/share/embeddable/5e22456d-9aae-4267-b1a9-4315c2605d89/0ed2e4de-f479-4e03-a8db-464a0696c08f.svg/tweet If I change the &next= to...
WakaTime: Unsafe Inline and Eval CSP Usage
Hi Team, The HTTP header of the wakatime.com website includes an unsafe CSP parameter for "script-src". Impact: However, the "script-src" parameter is set to "unsafe-inline" or "unsafe-eval", which allows injection of user passed values, which in result can be misused for Cross-Site Scripting...
Automattic: woocommerce - prevent_caching() bug / bypass
As a guest, visit the following links and look at the headers. Yup, there are no caching headers in the response. https://woocommerce.com/.cart/ https://woocommerce.com/+cart/ https://woocommerce.com/-cart/...
Automattic: Unauthenticated RCE in Vaultpress
Hitting a WordPress installation with VaultPress on it with the GET parameter vaultpress=true, an attacker is one method away from RCE, and that method is validateapisignature. In this method we have the following constraints: 1. Firewall 2. Recommended usage of openssl to validate the API call. In case of disabl...
Paragon Initiative Enterprises: directory information disclosure
Steps: 1. Go to https://bridge.cspr.ng/my/files/Hull with your login ID 2. Upload a file 3. Click on "File info" and see that the full path of the file is disclosed...
HackerOne: Insecure SHA1withRSA in b5s.hackerone-ext-content.com and a4l.hackerone-ext-content.com
Hello, I just found a minor issue with RSA 2048 bits SHA1withRSA in b5s.hackerone-ext-content.com and a4l.hackerone-ext-content.com through Qualys SSL Labs and wanted to report it. Proof of Concept https://www.ssllabs.com/ssltest/analyze.html?d=b5s.hackerone-ext-content.com Result: SHA1withRSA...
Weblate: Incorrect HTTPS Certificate
Weblate appears to have a public facing git repository located at git.weblate.org that utilises HTTPS when viewed in the browser. As a side note, netcat to port 80 results in the default debian landing page. 77.78.107.252 - git.weblate.org The site has an incorrectly configured certificate, and...
Uber: Chained Bugs to Leak Victim's Uber's FB Oauth Token
The Facebook OAuth application was misconfigured to allow any URL that followed the https://auth.uber.com/login? format to be provided as a redirecturi. By taking advantage of this, @ngalog was able to discover that the nexturl parameter could be added to the redirecturi allowing it to be chained...
LocalTapiola: SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi)
Vulnerable script: /webApp/omaconf Vulnerable parameter: ctxvarsemail Database: PostgreSQL PoC http POST /webApp/omaconf HTTP/1.1 Host: viestinta.lahitapiola.fi Content-Type: application/x-www-form-urlencoded Content-Length: 1131...
Boozt Fashion AB: Potential Subdomain Takeover Possible
Issue Description The researcher identified that the affected URL points to sendgrid.net via a DNS CNAME record. As a result of this, an attacker could potentially initiate a subdomain takeover by registering the subdomain sendgrid.boozt.com on SendGrid and consequently leverage this for further...
Boozt Fashion AB: xss in Theme http://bztfashion.booztx.com
Researcher reported an XSS vulnerability in the WordPress theme that we were using for our corporate site, which in turn brought our attention to more available vulnerabilities within that WordPress installation. Action taken - removed the installation completely and rebuilt a more secured version of th...
Yelp: Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot
On the pages https://biz.yelp.com/login and https://biz.yelp.com/forgot a malicious user can verify whether a particular E-mail address is registered on biz.yelp.com. Steps to reproduce for https://biz.yelp.com/login: 1. Open https://biz.yelp.com/login 2. Enter a non-existing E-Mail address 3. Enter any...
Nextcloud: Nextcloud server software: Content Spoofing
In Nextcloud the "dir" parameter is vulnerable to a content spoofing attack. If anyone puts a valid directory name in the dir parameter then it goes to that directory, otherwise it redirects to the home directory /. By putting ../../ in the dir parameter I was able to stop the redirect; then I put some...
Starbucks: www.starbucks.co.uk Reflected XSS via utm_source parameter
https://www.starbucks.co.uk/shop/card/egift?utmcampaign=egift&utmcontent=WinterFY16&utmmedium=GPH&utmsource=SBUXcouk"%3e%3cb%20onbeforescriptexecute=promptdocument.domain%3e Payload: "%3e%3cb%20onbeforescriptexecute=promptdocument.domain%3e...
Pornhub: Weak user authentication on mobile application - I just broke the userKey secret password
The researcher discovered a hard coded authentication bypass on the mobile app...
Sucuri: CRLF/HTTP header injection www.sucuri.net
I would like to report a security vulnerability on www.sucuri.net. The domain appears to be vulnerable to CRLF or HTTP header injection. This allows attackers to construct a URL that injects HTTP headers into the server's response. One of the things an attacker can do is inject a "Set-Cookie"...
Uber: CSV Injection in business.uber.com
business.uber.com allows for names to begin with an = which allows for injection of formulas into the downloaded CSVs. I wasn't quite sure what to categorize this as since there are two main problems with allowing injection of formulas into a CSV: 1. It allows for data exfiltration through...
Mail.ru: bgplay.mail.ru
Potential RCE via Java object deserialization in out-of-scope service...
HackerOne: Requesting unknown file type returns Ruby object w/ address
Hello sec folks, requesting a report you are not allowed to access along with an unhandled filetype extension discloses a Mime::NullType Ruby object representation with a corresponding memory address. Example: https://hackerone.com/reports/1337.foo Request: http GET /reports/1337.foo HTTP/1.1...
Coinbase: XXE in OAuth2 Applications gallery profile App logo
Upload an SVG (XML-based) photo as the App logo containing an XML payload, renamed to .jpg; the server starts executing this XML payload. Or just watch this video "https://www.dropbox.com/s/wkba6f0wrax0wr8/xxe.mp4?dl=0". The same vulnerability was in https://www.coinbase.com/careers and was reported by...
VK.com: Flaw in hashtag search
The ability to learn the ID of a post with a particular hashtag if it is the only one on the wall. AND THE WORD IN THAT POST! That is, photo means the word photo is present in the post, and accordingly there is most likely a photograph and with...
HackerOne: Redirect FILTER bypass in report/comment
Hello, I made few reports recently. But, I guess you did not understand my perspective. As my video recorder is not working, I am explaining everything in written. Lately, I reported about 'External Link Warning Bypass to open redirect users' and @michiel attended the report. Actually, the report...
Internet Bug Bounty: open redirect in rfc6749
OAuth Providers servers that strictly follow rfc6749 are vulnerable to open redirect. Let me explain, reading 0 If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource...
Concrete CMS: FULL PATH DISCLOSURE
Full Path Disclosure FPD vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the loadfile within a SQL Injection query to view the page source, require the attacker to have the full path to the file they wis...
Phabricator: CSRF token valid even after the session logout of a particular user
Hi, To reproduce the issue: 1. Log in to your https://secure.phabricator.com account and copy your anti-CSRF token. 2. Now log out and log in again after some time. 3. Open up Burp Suite to modify the request and now submit any form with your old CSRF token. The request will be completed. So let's...
GoCD: XSS in GOCD Analytics Plugin
The vulnerability was discovered in the GOCD Analytics Plugin, specifically in the info-message.js file. The vulnerability allowed for Cross-Site Scripting XSS attacks by injecting malicious code through the ?msg= parameter. The vulnerable code failed to properly sanitize the user-supplied input,...
curl: CVE-2024-2004: Usage of disabled protocol
The usage of the disabled protocol in some circumstances with the --proto option can enable all protocols after being given -all, potentially leading to sending sensitive data over an unencrypted channel. The vulnerability was introduced in version 7.85.0 of curl when the string-based protocol...
Nextcloud: Authentication bypass in Global Site Selector allows an attacker to log in as any user
Authentication bypass vulnerability in software allowed attacker to bypass authentication and log in as any user...
Internet Bug Bounty: (CVE-2023-32003) fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks
The fs.mkdtemp and fs.mkdtempSync functions in Node.js were found to be missing getValidatedPath checks, allowing for a path traversal attack. This vulnerability could be exploited to create arbitrary directories...
HackerOne: Any one can view collaborater email address via path /reports/<id>/participants
The vulnerability allowed anyone to view the email address of collaborators invited to vulnerability reports through the program's API. Access to collaborator email addresses was not properly restricted...
Nextcloud: Twitter Account hijack @nextcloudfrance
The Twitter account of Nextcloud France was vulnerable to Broken Link Hijacking BLH attack, which occurs when attackers exploit expired external links on credible websites or web applications. The attackers took over the expired link and claimed the username for testing purposes, redirecting user...
Internet Bug Bounty: Inadequate Encryption Strength in nodejs-current reads openssl.cnf from /home/iojs/build/... upon startup on MacOS
A cryptographic vulnerability was found in nodejs-current that allowed openssl.cnf to be read from an insecure location upon startup on MacOS, potentially exposing encryption keys or certificates...
Uber: Complete Admin account takeover due to PhpDebugBar turned on in Uber's production server
A security vulnerability was discovered in Uber's production server on February 22, 2023. The vulnerability allowed an attacker to gain complete admin account takeover due to PhpDebugBar being turned on...
TikTok: Business Suite "Get Leads" Resulting in Revealing User Email & Phone
A vulnerability within the Business Suite settings on an Android device could have resulted in a user's email and/or phone number being revealed via the "secuserid" parameter if their information is sent via "Get Leads". We thank @datph4m for reporting this to our team...
Reddit: Reflected xss in https://sh.reddit.com
Summary: Reflected cross-site scripting (XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Impact: an attacker can execute malicious JavaScript and steal cookies. Steps To Reproduce: add details for how we can...
Kubernetes: SSRF vulnerability can be exploited when a hijacked aggregated api server such as metrics-server returns 30X
Report Submission Form Summary: This report uses metrics-server as an example, but it should be applicable to any aggregated API server. When metrics-server is hijacked, either by modifying the container image directly or by running other pods using the same label selector in the kube-system namespace...
curl: Denial of Service vulnerability in curl when parsing MQTT server response
Summary: Curl remains in infinite loop with suitable MQTT server response. Steps To Reproduce: Step 1: Run the following on linux with the attached file "poc" : $ socat -u FILE:poc TCP-LISTEN:12345,reuseaddr,fork Step 2: Use curl: $ curl mqtt://localhost:12345 Step 3: Observe output of "top"...
HackerOne: [Bypass] Ability to invite a new member in sandbox Organization
Summary: Able to bypass the restriction set in the Organization sandbox automatically created when you created a sandbox program, to send an invite to another security researcher. Description: In the default UI of the sandbox HackerOne Organization, inviting another security researcher is restricted, ex.:...
Stripe: CSRF token validation system is disabled on Stripe Dashboard
@dsharad discovered that due to a code change deployed on 2/14/2022, Cross Site Request Forgery CSRF protection was disabled in the Stripe Dashboard. This could have allowed an attacker to trick a victim user to visit a malicious website and cause limited changes to the victim’s Stripe account su...
U.S. Dept Of Defense: Arbitrary File Deletion (CVE-2020-3187) on ████████
Hello team, I hope you're doing well, healthy & wealthy. I found an Arbitrary File Deletion CVE-2020-3187 vulnerability on https://██████████/+CSCOE+/sessionpassword.html that allows the Arbitrary File Deletion. References - https://twitter.com/aboul3la/status/1286809567989575685 -...
Monero: DLL hijacking in Monero GUI for Windows 0.17.3.0 would allow an attacker to perform remote command execution
Summary: Monero for Windows contains a DLL hijacking vulnerability that allows getting a Meterpreter (Metasploit) remote command shell. The moment the victim runs the program it will execute our malicious payload .dll, which will give an attacker a Meterpreter console. This will allow the attacker...
GitHub Security Lab: [cpp] CWE-787: query to detect unsigned integer to signed integer conversions used in pointer arithmetics
This bug was reported directly to GitHub Security Lab...
Shopify: Bypass a fix for report #708013
Summary: customerAccessTokenCreate mutation in the Storefront API does not correctly throttle login attempts. An issue in similar report https://hackerone.com/reports/708013 was already fixed, however, there is still a bypass. Steps To Reproduce: 1. Grab a Storefront API Token I got it from the B...
GitLab: Drive-by arbitrary file deletion in the GDK via letter_opener_web gem
Summary: When running GitLab in development, an extra gem is used to view emails that have been sent: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.3.0-ee/config/routes/development.rb#L14 `mount LetterOpenerWeb::Engine, at: '/rails/letteropener'` One of the routes it adds is to delete a letter:...
Mail.ru: Subdomain Takeover
Hi team, Actually team this bug is similar to my previous bug which I submitted-██████ Issue details:- Subdomain takeover vulnerabilities occur when a subdomain subdomain.example.com is pointing to a service e.g. GitHub pages, Heroku, etc. that has been removed or deleted. This allows an attacker...
U.S. Dept Of Defense: RCE on ███████ [CVE-2021-26084]
A remote code execution vulnerability was present in affected versions of Confluence Server and Data Center due to an OGNL injection issue. This allowed an authenticated user, and in some cases an unauthenticated user, to execute arbitrary code. The vulnerability affected versions before 6.13.23,...