Internet Bug Bounty: CVE-2016-2177 Undefined pointer arithmetic in SSL code
1.0.2 version here: https://github.com/openssl/openssl/commit/a004e72b95835136d3f1ea90517f706c24c03da7 1.0.1 version here: https://github.com/openssl/openssl/commit/6f35f6deb5ca7daebe289f86477e061ce3ee5f46 These will get listed in the next security advisory and rolled up in the next release...
Bumble: AWS S3 Bucket hotornot-images permissions allow for listing and removing files
We do not use amazon AWS but @yaworsk wanted to disclose his report anyway. Why not, we can do. ---- Hi All, Though I'm not 100% sure you own the bucket - and if not, I would appreciate being able to close this myself - I believe you may own the S3 bucket hotornot-images. If so, using the AWS CLI...
Uber: It is possible to re-rate a driver after a very long time
Hi. It is not possible to edit your rating, but there is a way to bypass that restriction. Steps: 1. Log in to your Uber account at https://riders.uber.com 2. View your trips at https://riders.uber.com/trips 3. Choose one of your trips 4. Click on resend 5. Check your email 6. You will find a button in the ema...
Zomato: XSS and CSRF in Zomato Contact form
URL affected: https://www.zomato.com/contact CSRF Payload: Steps to Reproduce: 1. I have tested it after login and without login. This CSRF worked with executing XSS, due to CSRF in the contact form. It was tested in the latest Firefox browser. 2. Just run the above payload and you will find the below image...
Square Open Source: Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone
While testing git-fastclone for the ext protocol issues in my other report, I looked at the source code and immediately noticed you're using the Cocaine library unsafely. Cocaine will protect from command injection but it "only does that for arguments interpolated via run, NOT arguments passed...
ownCloud: Full Path Disclosure
When I was trying to upload an HTML file as a profile picture as a non-admin user, it popped up with a message containing the full path, like this: "Could not obtain lock type 1 on "/opt/lampp/htdocs/owncloud/data/12/files/opt/lampp/htdocs/owncloud/data/12/cache/avatarupload"." Thanks...
Shopify: XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com)
Hello. Installing the Digital Downloads App in .myshopify.com: 1. Install the app https://apps.shopify.com/digital-downloads 2. Select a product and click Add Digital Attachment 3. Click to upload a file and upload a file with the name; the code will execute XSS. Success: tested in Firefox. Hadji Samir...
Envoy: [dashboard.signwithenvoy.com] Open Redirect
Open redirect via Request-URI PoC: https://dashboard.signwithenvoy.com//www.google.com/%2e%2e%2f HTTP Response: HTTP/1.1 303 See Other ... Location: //www.google.com/%2e%2e%2f/...
Coinbase: Two-factor authentication (via SMS)
Hello Coinbase Security Team. I just found a problem in the two-factor authentication mechanism; here are the details and how to reproduce this issue: I have two accounts with two emails on coinbase.com. I activated 2FA on both of the two emails with this phone number, +201066462288. From Chrome I will try ...
joola.io: Weak Random Number Generator for Auth Tokens
https://github.com/joola/joola/blob/a534c3dca1a0deaec99c192978e61a35dd3a9069/lib/common/index.js#L90-L98 Math.random is not sufficient for cryptographic purposes such as authentication tokens. An example replacement that uses window.crypto.getRandomValues is available here:...
Internet Bug Bounty: Multiple issues in looking-glass software (aka from web to BGP injections)
During the month of May 2014 we performed an offensive security analysis, trying to find out how hard it would be for a low-to-medium skilled attacker to disrupt the core of the Internet, i.e. achieve the largest possible impact at the lowest common layer, with minimal resources. This is a confidential...
Coinbase: CSRF on "Set as primary" option on the accounts page
On navigating to the Accounts page, a Coinbase user can create multiple accounts. The user can then make any of these accounts as their primary account. There are also other options of renaming and deleting these accounts. Although there is a CSRF token being sent as a POST parameter for the dele...
Localize: No Wildcard DNS
The target site has no DNS wildcard, and the contents of http://localize.io differ from the contents of http://www.localize.io...
Automattic: Session Cookie without Secure flag set
Vulnerability: Session Cookie without Secure flag set. Vulnerability description: This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the cookie can only be accessed over secure SSL channels. This is an important security protection...
Yahoo!: From Unrestricted File Upload to Remote Command Execution
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Slack: Open Redirect in Slack
This link shall redirect to google.co.in: http://prakhar.slack.com/link?url=http%3A%2F%2Fgoogle.co.in Straight, open redirection! Thanks!...
Yahoo!: XSS Vulnerability (my.yahoo.com)
Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...
Yahoo!: Bypass of anti-SSRF defenses in YahooCacheSystem (affecting at least YQL and Pipes)
Thank you for your submission to Yahoo’s Bug Bounty program. There were similar reports submitted, this report is marked as closed as the other reports will be triaged. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program. ...
U.S. Dept Of Defense: [ CVE-2018-1000129 ] RXSS At `https://███████` via the URI
The CVE-2018-1000129 vulnerability allowed remote cross-site scripting RXSS at the specified URL. The vulnerability was due to improper sanitization of user input, which enabled the execution of arbitrary scripts in the victim's browser...
HackerOne: Reports submitted by a user account without 2FA set up can be transferred to a program that requires 2FA for submission
Vulnerability description not provided...
MTN Group: CVE-2010-1429 JBoss Insecure Storage of Sensitive Information on ips.mtn.co.ug
The JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allowed remote attackers to obtain sensitive information about deployed web contexts via a request to the status servlet, as demonstrated by a full=true query string. This issue was caused by a regression fr...
Weblate: Information Disclosure
A vulnerability allowed API keys to be exposed in a PyPI package...
Teleport: access list owner can escalate his role to the highest roles
Summary: 1. Go to your-domain.teleport.sh/web/accesslists. 2. Create a new access list and add a role to "Roles Granted," e.g., "reviewer" role. 3. Add a user as the Access List Owner. 4. The user, as the Access List Owner, can escalate the role of the list to higher roles, thereby escalating the...
GitHub: RC Between GitHub's Repo Transfer REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention
A race condition was discovered in GitHub Enterprise Server that allowed an administrator to retain access permissions on repositories after transfer. This was possible by manipulating repository permissions through a GraphQL mutation during the transfer process. The vulnerability affected GitHub...
Mozilla: Subdomain takeover on one of the subdomain under mozaws.net
Vulnerability description not provided...
Node.js: fs.statfs bypasses Permission Model
A vulnerability was found in Node.js version 20 that allowed malicious actors to bypass the permission model and retrieve file stats using the fs.statfs API, even if they did not have explicit read access to the file...
Glassdoor: Cache Poisoning allows redirection on JS files
A cache poisoning vulnerability was discovered in Glassdoor's design website. By sending a specific request, an attacker could redirect the /test.js file to a malicious website. This could potentially lead to a stored cross-site scripting XSS attack if other Glassdoor websites import javascript...
Hiro: Security Issue into Wallet lock protection
Description: While testing the wallet extension I generally try to test multiple endpoints, so 2 tabs of the wallet were open on chrome-extension://ldinpeekobnhjjdofggfgjlcehhmanlj/popup.html. So I tried to lock the wallet extension, but I found that I could still use the browser in the 2nd tab, even though I had already locked...
AMBER AI: Open redirect that can lead to malicious websites
Go to a picture on the website, inspect that picture and you can see a tag; change the tag with the command and it will redirect!! Kindly watch the POC attached to it. Impact: redirecting to any malicious website may give a chance for account takeover...
Yelp: Public Github Repo Leaking Internal Credentials
Summary: In Github I found some credentials to use in a mesos.apache.org Github: https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-secrets https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-slave-secret POC ss F2021070 F2021071 Login...
Adobe: HTML INJECTION FOUND ON https://adobedocs.github.io/analytics-1.4-apis/swagger-docs.html DUE TO OUTDATED SWAGGER UI
Responsible disclosure of HTML injection. Swagger UI has an interesting feature that allows you to provide a URL to API specification - a yaml or json file that will be fetched and displayed to the user. To do that you have to add a query parameter ?url=https://yourapispec/spec.yaml or...
Nextcloud: XSS in Desktop Client in call notification popup
Summary: The Nextcloud Desktop Client application does not properly neutralize the name of a group conversation before using it. Steps To Reproduce: Server Machine: 1. Install the Nextcloud Server application 2. Create an administrator account 3. Create a user account Client Machine: 4. Install t...
TikTok: Email address disclosure via invite token validation
The possibility of email address disclosure was found on a Business.TikTok.com endpoint as no rate limit was implemented on the invite token. We thank @noobbutcut3 for reporting this to our team...
Aiven Ltd: [Kafka Connect] [JdbcSinkConnector][HttpSinkConnector] RCE by leveraging file upload via SQLite JDBC driver and SSRF to internal Jolokia
Summary: The Aiven JDBC sink includes the SQLite JDBC Driver. This JDBC driver can be used to upload SQLite database files onto the server. The HTTP sink connector allows sending HTTP requests to localhost. There is unprotected Jolokia listening on localhost:6725. JMX exports the...
Omise: Brute force attack of current password on login page by bypassing account limit using IP rotator(https://dashboard.omise.co/signin)
brute force...
Recorded Future: Dom Xss vulnerability
Summary: Dom Xss vulnerability Steps To Reproduce: add details for how we can reproduce the issue 1. Go to this link: https://api.recordedfuture.com/index.html 2. Open chrome devtool and go to console tab 3. Type: document.write'...alert1...'; 4. And boom! Alert 1! Impact XSS can have huge...
lemlist: [app.lemlist.com] Improper handling of payment lead to bypass payment
Summary: Hello Team, I truly hope it treats you awesomely on your side of the screen : due to improper handling of payment methods, an attacker can easily bypass the payment and benefit from a paid plan. Steps To Reproduce: 1. Log in to your account 2. Go to the billing page 3. Fill in the address t...
GitHub Security Lab: C# : Add query to detect Server Side Request Forgery
This bug was reported directly to GitHub Security Lab...
Kubernetes: Ingress-nginx annotation injection allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces
I submitted the following report to [email protected]: I've been exploring CVE-2021-25742 and believe I've discovered a variant although it appears there may be many. Most template variables are not escaped properly in nginx.tmpl, leading to injection of arbitrary nginx directives. For...
GitLab: IDOR in "external status check" API leaks data about any status check on the instance
Summary The API endpoint for returning approval from an external status check contains an IDOR that lets a user list information about all external status checks on the GitLab instance. The feature is an Ultimate feature, but can be accessed by starting an Ultimate trial on GitLab.com. So the...
Adobe: AEM forms XXE Vulnerability
AEM Forms Cloud Service offering, as well as version 6.5.10.0 and below are affected by an XML External Entity XXE injection vulnerability that could be abused by an attacker to achieve RCE. CVE: CVE-2021-40722 Ref: https://helpx.adobe.com/security/products/experience-manager/apsb21-103.html We...
U.S. Dept Of Defense: Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
A vulnerability in ForgeRock OpenAM allowed unauthenticated remote code execution due to unsafe Java deserialization in the Jato framework. The vulnerability, tracked as CVE-2021-35464, could be exploited by sending a crafted request to the /openam/ccversion/Version endpoint with a malicious...
Reddit: Domain Takeover of Reddit.ru via DNS Hijacking
Summary I discovered that Reddit.ru was vulnerable to DNS hijacking via DNS provider, Reg.ru. This would allow a malicious attacker to control the content on this domain, as well as, create email addresses associated with it... I'm going to be totally honest and say that any of us ethical hackers...
Shopify: Ability to potentially hit internal NGINX locations on *.myshopify.com by making use of the `X-Accel-Redirect` header via a configured App Proxy
By making use of the Shopify App Proxy and the X-Accel feature of NGINX, it is possible to hit any configured internal NGINX location as your current configuration is not ignoring the X-Accel-Redirect header response from an upstream service. The way it works is that NGINX allows internal...
Mail.ru: SDC bypass on calendar.mail.ru
The SDCS cookie was not properly checked for a few calendar.mail.ru endpoints, allowing a bypass of the SDC (secure domain cookies) protection for privilege separation between projects...
Rocket.Chat: Stored XSS in any message (leads to priv esc for all users and file leak + rce via electron app)
A persistent XSS flaw using nested markdown tags allows a remote attacker to inject arbitrary JavaScript into a message. This flaw leads to arbitrary file read and RCE on the Rocket.Chat desktop app. Patched in 3.11, 3.10.5, 3.9.7, 3.8.8...
Revive Adserver: Reflected XSS on /www/delivery/afr.php (bypass of report #775693)
It is possible to bypass the first fix of this XSS by closing the script tag, and then opening a new one. cURL PoC is trivial : curl "https://revive-instance/www/delivery/afr.php?refresh=10000&alert1" The response will be : Advertisement alert1&loc="', 10000000; // -- body margin:0; height:100%;...
Kubernetes: secret leaks in vsphere cloud controller manager log
Report Submission Form Summary: When creating a k8s cluster over vSphere with vSphere enabled as the cloud provider, and with the logging level set to 4 or above, secret information will be printed out in the cloud controller manager's log. Kubernetes Version: 1.18.6 Component Version: legacy cloud provider Steps ...
Internet Bug Bounty: CVE-2017-13041 The ICMPv6 parser in tcpdump before 4.9.2 has a buffer over-read in print-icmp6.c:icmp6_nodeinfo_print().
Description: Versions of tcpdump before 4.9.2 are vulnerable to a buffer over-read in print-icmp6.c. This vulnerability was disclosed to the tcpdump maintainers and was recently patched in version 4.9.2 and disclosed as CVE-2017-13041. Patch:...
IBM: CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability - https://esccvc.de.ibm.com
A vulnerability in the interface of Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense (FTD) was reported to IBM, analyzed and has been remediated. Thank you to Khaled 0xelkomy...