15305 matches found
Slack: Open Redirect in Slack
This link shall redirect to google.co.in: http://prakhar.slack.com/link?url=http%3A%2F%2Fgoogle.co.in Straight, open redirection! Thanks!...
Yahoo!: XSS Vulnerability (my.yahoo.com)
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Phabricator: CSRF token valid even after the session logout of a particular user
Hi, To reproduce the issue: 1 Log in to your https://secure.phabricator.com account and copy your anti-CSRF token. 2 Now log out and log in again after some time. 3 Open up Burp Suite to modify the request and now submit any form with your old CSRF token. The request will be completed. So let's...
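The report above describes a CSRF token that outlives the session it was issued in. The added example below (my own illustration, not Phabricator's code) contrasts a token derived only from the user identity with one bound to the session identifier, and replays the report's steps against both: capture a token, log out, log in again, submit a form with the old token. The secret, session store and user name are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example; a real deployment loads it from config.
SERVER_SECRET = b"example-csrf-signing-key"


def user_scoped_token(user_id: str) -> str:
    """The weak scheme: a token derived only from the user. It is identical
    across sessions, so a token captured before logout still validates after
    the user logs in again."""
    return hmac.new(SERVER_SECRET, f"user:{user_id}".encode(), hashlib.sha256).hexdigest()


def session_scoped_token(session_id: str) -> str:
    """The fixed scheme: bind the token to the session identifier. Logging out
    destroys the session and the next login gets a fresh id, so an old token
    cannot be replayed."""
    return hmac.new(SERVER_SECRET, f"session:{session_id}".encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Minimal in-memory session table standing in for the server's session backend."""

    def __init__(self) -> None:
        self.active: dict[str, str] = {}  # session_id -> user_id

    def login(self, user_id: str) -> str:
        session_id = secrets.token_urlsafe(32)
        self.active[session_id] = user_id
        return session_id

    def logout(self, session_id: str) -> None:
        self.active.pop(session_id, None)

    def accept_form(self, session_id: str, token: str, *, session_bound: bool) -> bool:
        """Server-side check run on every state-changing POST."""
        user_id = self.active.get(session_id)
        if user_id is None:
            return False  # no live session at all
        expected = session_scoped_token(session_id) if session_bound else user_scoped_token(user_id)
        return hmac.compare_digest(expected, token)


def replay_after_relogin(session_bound: bool) -> bool:
    """Reproduce the report's steps: capture a token, log out, log in again,
    submit a form with the old token. Returns True if the server accepted it."""
    store = SessionStore()
    first = store.login("alice")  # constructed user
    old_token = session_scoped_token(first) if session_bound else user_scoped_token("alice")
    store.logout(first)
    second = store.login("alice")
    return store.accept_form(second, old_token, session_bound=session_bound)


if __name__ == "__main__":
    print("user-scoped token replayed:", replay_after_relogin(session_bound=False))
    print("session-scoped token replayed:", replay_after_relogin(session_bound=True))
```

The session-bound variant also fails closed when the session id itself is unknown, which is the property the report's reproduction steps are probing for.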
GoCD: XSS in GOCD Analytics Plugin
The vulnerability was discovered in the GOCD Analytics Plugin, specifically in the info-message.js file. The vulnerability allowed for Cross-Site Scripting XSS attacks by injecting malicious code through the ?msg= parameter. The vulnerable code failed to properly sanitize the user-supplied input,...
curl: CVE-2024-2004: Usage of disabled protocol
The usage of the disabled protocol in some circumstances with the --proto option can enable all protocols after being given -all, potentially leading to sending sensitive data over an unencrypted channel. The vulnerability was introduced in version 7.85.0 of curl when the string-based protocol...
Weblate: Information Disclosure
A vulnerability allowed API keys to be exposed in a PyPI package...
TikTok: Reflected XSS on Pangle Endpoint
The summary is as follows: A cross-site scripting XSS vulnerability was found at the Pangle endpoint via the 'redirect' parameter. This was caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. The vulnerability was fixed and additional mitigations...
Nextcloud: Authentication bypass in Global Site Selector allows an attacker to log in as any user
An authentication bypass vulnerability in the Global Site Selector allowed an attacker to bypass authentication and log in as any user...
Internet Bug Bounty: (CVE-2023-32003) fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks
The fs.mkdtemp and fs.mkdtempSync functions in Node.js were found to be missing getValidatedPath checks, allowing for a path traversal attack. This vulnerability could be exploited to create arbitrary directories...
HackerOne: Internal machine learning API endpoint for CWE classification is vulnerable to path traversal
Vulnerability description not provided...
HackerOne: Anyone can view collaborator email address via path /reports/<id>/participants
The vulnerability allowed anyone to view the email address of collaborators invited to vulnerability reports through the program's API. Access to collaborator email addresses was not properly restricted...
Nextcloud: Twitter Account hijack @nextcloudfrance
The Twitter account of Nextcloud France was vulnerable to Broken Link Hijacking BLH attack, which occurs when attackers exploit expired external links on credible websites or web applications. The attackers took over the expired link and claimed the username for testing purposes, redirecting user...
Internet Bug Bounty: Inadequate Encryption Strength in nodejs-current reads openssl.cnf from /home/iojs/build/... upon startup on MacOS
A cryptographic vulnerability was found in nodejs-current that allowed openssl.cnf to be read from an insecure location upon startup on MacOS, potentially exposing encryption keys or certificates...
Uber: Complete Admin account takeover due to PhpDebugBar turned on in Uber's production server
A security vulnerability was discovered in Uber's production server on February 22, 2023. The vulnerability allowed an attacker to gain complete admin account takeover due to PhpDebugBar being turned on...
TikTok: Business Suite "Get Leads" Resulting in Revealing User Email & Phone
A vulnerability within the Business Suite settings on an Android device could have resulted in a user's email and/or phone number being revealed via the "secuserid" parameter if their information is sent via "Get Leads". We thank @datph4m for reporting this to our team...
Reddit: Reflected xss in https://sh.reddit.com
Summary: Reflected cross-site scripting (XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Impact: an attacker can execute malicious JavaScript and steal cookies. Steps To Reproduce: add details for how we can...
Kubernetes: SSRF vulnerability can be exploited when a hijacked aggregated api server such as metrics-server returns 30X
Summary: This report uses metrics-server as an example, but it should be applicable to any aggregated API server. When metrics-server is hijacked, either by modifying the container image directly or by running another pod using the same label selector in the kube-system namespace...
curl: Denial of Service vulnerability in curl when parsing MQTT server response
Summary: curl remains in an infinite loop with a suitable MQTT server response. Steps To Reproduce: Step 1: Run the following on Linux with the attached file "poc": $ socat -u FILE:poc TCP-LISTEN:12345,reuseaddr,fork Step 2: Use curl: $ curl mqtt://localhost:12345 Step 3: Observe the output of "top"...
HackerOne: [Bypass] Ability to invite a new member in sandbox Organization
Summary: Able to bypass the restriction set in the Organization sandbox automatically created when you create a sandbox program, to send an invite to another security researcher. Description: In the default UI of the sandbox HackerOne Organization, inviting another security researcher is restricted, e.g.:...
Stripe: CSRF token validation system is disabled on Stripe Dashboard
@dsharad discovered that due to a code change deployed on 2/14/2022, Cross Site Request Forgery CSRF protection was disabled in the Stripe Dashboard. This could have allowed an attacker to trick a victim user to visit a malicious website and cause limited changes to the victim’s Stripe account su...
U.S. Dept Of Defense: Arbitrary File Deletion (CVE-2020-3187) on ████████
Hello team, I hope you're doing well, healthy & wealthy. I found an Arbitrary File Deletion CVE-2020-3187 vulnerability on https://██████████/+CSCOE+/sessionpassword.html that allows the Arbitrary File Deletion. References - https://twitter.com/aboul3la/status/1286809567989575685 -...
Monero: DLL hijacking in Monero GUI for Windows 0.17.3.0 would allow an attacker to perform remote command execution
Summary: Monero for Windows contains a DLL hijacking vulnerability that allows an attacker to get a Meterpreter (Metasploit) remote shell. The moment the victim runs the program it will execute our malicious payload .dll, which will give the attacker a Meterpreter console. This will allow the attacker...
GitHub Security Lab: [cpp] CWE-787: query to detect unsigned integer to signed integer conversions used in pointer arithmetics
This bug was reported directly to GitHub Security Lab...
Shopify: Bypass a fix for report #708013
Summary: customerAccessTokenCreate mutation in the Storefront API does not correctly throttle login attempts. An issue in similar report https://hackerone.com/reports/708013 was already fixed, however, there is still a bypass. Steps To Reproduce: 1. Grab a Storefront API Token I got it from the B...
GitLab: Drive-by arbitrary file deletion in the GDK via letter_opener_web gem
Summary When running GitLab in development, an extra gem is used to view emails that have been sent: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.3.0-ee/config/routes/development.rb#L14 `mount LetterOpenerWeb::Engine, at: '/rails/letteropener'` One of the routes it adds is to delete a letter:...
Mail.ru: Subdomain Takeover
Hi team, Actually team this bug is similar to my previous bug which I submitted-██████ Issue details:- Subdomain takeover vulnerabilities occur when a subdomain subdomain.example.com is pointing to a service e.g. GitHub pages, Heroku, etc. that has been removed or deleted. This allows an attacker...
U.S. Dept Of Defense: RCE on ███████ [CVE-2021-26084]
A remote code execution vulnerability was present in affected versions of Confluence Server and Data Center due to an OGNL injection issue. This allowed an authenticated user, and in some cases an unauthenticated user, to execute arbitrary code. The vulnerability affected versions before 6.13.23,...
U.S. Dept Of Defense: XSS because of Akamai ARL misconfiguration on ████
Hello team, I hope you're doing well & healthy. I found a reflected XSS because of the misconfiguration of Akamai ARL. ███████ References - https://github.com/war-and-code/akamai-arl-hack - https://twitter.com/SpiderSec/status/1421176297548435459 - https://warandcode.com/post/akamai-arl-hack/ -...
U.S. Dept Of Defense: Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
A vulnerability in ForgeRock OpenAM allowed unauthenticated remote code execution due to unsafe Java deserialization in the Jato framework. The vulnerability, tracked as CVE-2021-35464, could be exploited by sending a crafted request to the /openam/ccversion/Version endpoint with a malicious...
Mail.ru: Unauthorized Access To Admin panel
Access to static files of playerone.ru admin web interface was not sufficiently restricted. There was no possibility to access admin functions. Simple Bypass: Try access playerone.ru/admin/users/ 403 : host playerone.ru 127.0.0.1 Try again 127.0.0.1/admin/users 200 OK :...
CS Money: Origin IP found, Cloudflare bypassed
Greetings! Hope y'all are good and fine. Summary: I would like to report another vulnerability very similar to my other report 975991. Due to a lack of secure design, I was able to find the origin IPs behind the Cloudflare WAF. The IPs I found belong to: 3d.cs.money Description: I was able to find and...
8x8: DNS Misconfiguration (Subdomain Takeover) ███.wavecell.com
An S3 bucket was deleted, but a DNS record pointing to the bucket was initially not updated/removed. The issue has been rectified...
Stripe: GraphQL cross-tenant IDOR giving write access through the operation UpdateAtlasApplicationPerson
@bubbounty discovered an Insecure Direct Object Reference IDOR vulnerability that allowed someone with prior Admin access to a Stripe account to add a co-founder to a Stripe Atlas application belonging to the merchant account they used to administer. The issue has been addressed by only allowing...
TikTok: CSRF To Add New App In Developer Account And Bypassing Json Format
The researcher found a CSRF issue allowing a malicious user to add arbitrary applications to a developer's account...
Rockstar Games: DOM XSS on https://www.rockstargames.com/GTAOnline/feedback
In this report, the researcher identified a DOM-based Cross-Site Scripting vulnerability in the /GTAOnline/feedback endpoint. As we worked together on resolving this matter, the researcher helped us identify other parts of the GTA Online sub-site that suffered from the same vulnerability due to...
HackerOne: GraphQL node interface for ActiveResource models lacks encoding for resource identifier, enabling parameter injection in Payments backend
HackerOne exposes a small number of ActiveResource objects through its GraphQL node interface. ActiveResource objects use HTTP as transport layer in order to fetch data. Four of these models, TaxForm, Payout, Payment, and PayoutPreference are fetched from an internal Payments backend system with ...
Affirm: Absence of Token expiry leads to Unauthorized login Access
Summary While doing the testing for the mobile app, I observed that it is possible to bypass the authentication and gain unauthorized access to the user's account by brute-forcing the PIN due to a lack of login token expiry. The way Affirm mobile login works is that the user inputs the phone numbe...
Mail.ru: Open Redirect
Hello Team Mail.ru, Open Redirect on http://aw.mail.ru/ There is an Open Redirect on http://aw.mail.ru/dynamic/auth/?forumreg= due to the application not checking the value passed by the user to the "forumreg" parameter. The user can be redirected to a malicious site. PoC: Open Redirect...
curl: curl successfully matches IP address literal in URL against IP address literal in certificate Common Name
Summary: A user may invoke the curl command line utility with an IP address literal in the URL, such as https://192.168.124.2/... If the HTTPS server presents a certificate whose Common Name matches this IP address literal as a string that is, Common Name is the ASCII string 192.168.124.2, then...
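The curl entry above turns on how a host from the URL is compared against a certificate. The added example below is my own illustration of the point, not curl's code: the naive check string-compares the URL host against the Common Name, so an IP literal such as 192.168.124.2 "matches" a CN holding the same digits; the corrected check treats an IP literal as an address and only accepts it against an iPAddress Subject Alternative Name, uses dNSName SANs for DNS names, and consults the CN only when the certificate carries no SANs at all. The certificate fields are passed in as plain values so the comparison logic can be run without a real TLS handshake.

```python
import ipaddress
from typing import Iterable, Optional


def naive_match(url_host: str, common_name: str) -> bool:
    """The behaviour the report describes: compare the URL host against the
    Common Name as plain strings, so an IP literal "matches" a CN that merely
    contains the same characters."""
    return url_host.lower() == common_name.lower()


def _dns_label_match(host: str, pattern: str) -> bool:
    """dNSName comparison: exact match, or a wildcard in the leftmost label
    only, and never a wildcard for a single public label such as *.com."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def verify_identity(url_host: str, common_name: Optional[str],
                    san_dns: Iterable[str] = (), san_ip: Iterable[str] = ()) -> bool:
    """Corrected matching. An IP literal in the URL is only satisfied by an
    iPAddress SAN entry, compared as parsed addresses; a CN that happens to
    spell the same address is a string and does not count."""
    bare = url_host.strip("[]")  # IPv6 literals appear bracketed in URLs
    try:
        ip = ipaddress.ip_address(bare)
    except ValueError:
        ip = None
    san_dns, san_ip = list(san_dns), list(san_ip)
    if ip is not None:
        for entry in san_ip:
            try:
                if ipaddress.ip_address(entry) == ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry: ignore, never "match"
        return False
    if san_dns or san_ip:
        # The certificate has SANs: the CN is not consulted at all.
        return any(_dns_label_match(bare, d) for d in san_dns)
    return bool(common_name) and _dns_label_match(bare, common_name)


if __name__ == "__main__":
    cn = "192.168.124.2"  # constructed CN that spells an address
    print("naive:", naive_match("192.168.124.2", cn))
    print("corrected, CN only:", verify_identity("192.168.124.2", cn))
    print("corrected, iPAddress SAN:", verify_identity("192.168.124.2", cn, san_ip=[cn]))
```

Comparing parsed addresses rather than strings also makes equivalent spellings of an IPv6 address agree, which a string comparison would not.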
New Relic: Host Header Injection
Reproduction 1- Open the reset link https://login.newrelic.com/passwords/forgot 2- Enter the victim's email address and click Reset and Email Password 3- Intercept the HTTP request in Burp Suite and add an X-Forwarded-Host header with attacker.com/.newrelic.com; the link will be like...
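The reproduction above relies on the password-reset link being assembled from a request header the client controls. The added example below is my own illustration, not New Relic's code: the vulnerable builder takes X-Forwarded-Host (falling back to Host) verbatim, so the reset token is mailed inside a link to the attacker's domain; the hardened builder validates Host against an allowlist, ignores X-Forwarded-Host entirely at the application layer, and builds the link from the configured canonical host rather than from the request. The hostnames and token are constructed.

```python
from urllib.parse import quote

# Constructed canonical host for the example; a real application configures its own.
CANONICAL_HOST = "login.example.com"
ALLOWED_HOSTS = {CANONICAL_HOST}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Builds the link from whatever host the request claims, trusting
    X-Forwarded-Host first. Whoever triggers a reset for the victim's address
    can have the token delivered to a domain they control."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/passwords/reset?token={quote(token)}"


def request_host_is_trusted(headers: dict) -> bool:
    """Normalise the Host header (drop port, lowercase, strip trailing dot)
    and check it against the allowlist. X-Forwarded-Host is deliberately not
    read: if a proxy is meant to set it, the proxy must also strip the
    client-supplied copy, which is exactly what went wrong here."""
    hostname = headers.get("Host", "").split(":", 1)[0].lower().rstrip(".")
    return hostname in ALLOWED_HOSTS


def hardened_reset_link(headers: dict, token: str) -> str:
    """Refuses requests for unknown hosts and never echoes the request host
    into the mailed link."""
    if not request_host_is_trusted(headers):
        raise ValueError("rejected password reset for untrusted Host header")
    return f"https://{CANONICAL_HOST}/passwords/reset?token={quote(token)}"


if __name__ == "__main__":
    # Constructed request: correct Host plus an injected X-Forwarded-Host.
    poisoned = {"Host": "login.example.com", "X-Forwarded-Host": "attacker.example"}
    print("vulnerable:", vulnerable_reset_link(poisoned, "t0k3n"))
    print("hardened:  ", hardened_reset_link(poisoned, "t0k3n"))
```

The same allowlist check belongs on every place the application reflects a host into an absolute URL (email links, redirects, canonical link tags), not only the reset flow.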
Nextcloud: Only the file extensions are checked, not the MIME types as configured
The tool is not working as hoped. File access control speaks of MIME types that are blocked or not blocked. In fact, only the file extensions are checked. If a user renames an unauthorized file to an allowed file, he can upload and download it. The MIME type of the current file is insignificant,...
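The Nextcloud entry above is about a "MIME type" rule that is actually evaluated on the file extension, so renaming a file defeats it. The added example below is my own illustration, not Nextcloud's code: one check derives the type from the name alone (the reported behaviour), the other sniffs the leading bytes and additionally requires them to agree with the declared extension, so a renamed executable is rejected even if its real type were not on the block list. The magic-byte table, extension map and block policy are constructed for the example; a production check would consult a full magic database rather than this short list, and content sniffing still does not catch polyglot files, so it complements rather than replaces server-side handling of uploads.

```python
# Constructed signature table for the example (longest prefix wins).
MAGIC_PREFIXES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",
    b"MZ": "application/x-msdownload",
    b"\x7fELF": "application/x-executable",
}
# Constructed extension map, i.e. what a name-only check believes.
EXTENSION_MIME = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "pdf": "application/pdf", "zip": "application/zip", "exe": "application/x-msdownload",
}
# Constructed policy: the MIME types an admin configured as blocked.
BLOCKED_MIME = {"application/x-msdownload", "application/x-executable", "application/zip"}


def mime_from_extension(filename: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_MIME.get(ext, "application/octet-stream")


def mime_from_content(data: bytes) -> str:
    """Type from the leading bytes; the longest matching prefix wins so that
    short signatures like b"MZ" do not shadow longer ones."""
    best = None
    for prefix, mime in MAGIC_PREFIXES.items():
        if data.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, mime)
    return best[1] if best else "application/octet-stream"


def allowed_by_extension(filename: str) -> bool:
    """The behaviour the report describes: only the name is consulted, so
    renaming payload.exe to payload.png passes."""
    return mime_from_extension(filename) not in BLOCKED_MIME


def allowed_by_content(filename: str, data: bytes) -> bool:
    """Decide on the bytes, and require them to agree with the declared
    extension; a mismatch is treated as an attempt to smuggle a type."""
    sniffed = mime_from_content(data)
    if sniffed in BLOCKED_MIME:
        return False
    return sniffed == mime_from_extension(filename)


if __name__ == "__main__":
    exe_bytes = b"MZ\x90\x00" + b"\x00" * 60  # constructed PE header stub
    print("renamed exe, extension check:", allowed_by_extension("report.png"))
    print("renamed exe, content check:  ", allowed_by_content("report.png", exe_bytes))
```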
Weblate: HTML injection and information disclosure in support panel
Hello Weblate Team! I found HTML injection and information disclosure in the support panel. Description There is a form on weblate.org and hosted.weblate.org to send a message to support. I poisoned the request, inserting this payload in all fields: " After that, when my payload got into the support panel...
Nextcloud: Reflected XSS / Markup Injection in `index.php/svg/core/logo/logo` parameter `color`
I just found a reflected Cross-Site Scripting XSS vulnerability in Nextcloud Server that affects current stable and dates back to at least 15.0.5. The vulnerability seems mitigated by a Content-Security-Policy CSP, but there might be a residual risk for phishing, due to the CSP's lack of a...
Internet Bug Bounty: Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
PHP upstream bug report: https://bugs.php.net/bug.php?id=78069 Description: In the _php_iconv_mime_decode function in iconv.c, there is an out-of-bounds read due to an integer overflow vulnerability. The MIME-encoded string is parsed and decoded in a for loop with the following condition: for str_left =...
Starbucks: Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice
@geekjeremy, at the same time as other hackers who submitted their own reports, discovered a browsable WSDL service on an API endpoint under the starbucks.com.cn domain, running on a non-standard port. @geekjeremy demonstrated that the service had several functions that executed without any...
Monero: (remote) exabyte allocation via load_from_binary() (DoS)
Changes introduced in commit b82efa32e can result in a denial of service if epee::serialization::portable_storage::load_from_binary is called with untrusted data. The 'reserve' method implemented here:...
RATELIMITED: Missing Protection Mechanism in Mail Servers allows malicious user to use staff.ratelimited.me email could lead to identity theft.
Hello ratelimited, I'm not really sure how your mail servers are configured, but I guess there is a misconfiguration or missing protection mechanism that fails to verify that the email that is going to be sent was only made by authorized ratelimited staff. From this point of view a malicious...
Nextcloud: Private/confidential setting of calendar events is ignored on activity stream
https://github.com/nextcloud/server/pull/13331 Events that are private should not generate events for other users Events that are confidential should not leak the name to other users Impact The details are leaked to other users...
Chaturbate: Missing Rate Limitation at /photo_videos/photoset/create
Hello, I discovered that one is able to create an unlimited number of albums via /photo_videos/photoset/create/ Steps To Reproduce: 1. Log in and go to http://fr.chaturbate.co/photo_videos/photoset/create/ 2. Fill in the form 3. Enable a proxy interception tool, e.g. Burp Suite 4. Click Save 5. Send the POST...
Grammarly: "More on Wikipedia" link disclose "Referrer" and leak `window.opener` reference for arbitrary websites
Summary: "Referrer" leak: the http:// link to Wikipedia transfers the Referrer header, which allows a remote attacker with MITM access to sniff the Referrer URL for important tokens after the user follows the "More on Wikipedia" link. A controllable page (via MITM) with window.opener pointing to the navigation-initiating webpage...