15305 matches found
AMBER AI: Open redirect that can lead to malicious websites
Go to a picture in the website, inspect that picture, and you can see a tag. Change the tag with the command and it will redirect!! Kindly watch the POC attached to it. Impact: redirect to any malicious websites may have a chance for account takeover...
Yelp: Public Github Repo Leaking Internal Credentials
Summary: In Github I found some credentials to use in a mesos.apache.org Github: https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-secrets https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-slave-secret POC ss F2021070 F2021071 Login...
Adobe: HTML INJECTION FOUND ON https://adobedocs.github.io/analytics-1.4-apis/swagger-docs.html DUE TO OUTDATED SWAGGER UI
Responsible disclosure of HTML injection. Swagger UI has an interesting feature that allows you to provide a URL to API specification - a yaml or json file that will be fetched and displayed to the user. To do that you have to add a query parameter ?url=https://yourapispec/spec.yaml or...
Nextcloud: XSS in Desktop Client in call notification popup
Summary: The Nextcloud Desktop Client application does not properly neutralize the name of a group conversation before using it. Steps To Reproduce: Server Machine: 1. Install the Nextcloud Server application 2. Create an administrator account 3. Create a user account Client Machine: 4. Install t...
Ruby on Rails: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)
Intro The Rails HTML sanitizer allows setting certain combinations of tags in its allow list that are not properly handled. Similar to the report 1530898, which identified the combination select and style as vulnerable, my fuzz testing from today suggests that also svg and style as well as math an...
TikTok: Email address disclosure via invite token validation
The possibility of email address disclosure was found on a Business.TikTok.com endpoint as no rate limit was implemented on the invite token. We thank @noobbutcut3 for reporting this to our team...
Aiven Ltd: [Kafka Connect] [JdbcSinkConnector][HttpSinkConnector] RCE by leveraging file upload via SQLite JDBC driver and SSRF to internal Jolokia
Summary: The Aiven JDBC sink includes the SQLite JDBC Driver. This JDBC driver can be used to upload SQLite database files onto the server. The HTTP sink connector allows sending HTTP requests to localhost. There is unprotected Jolokia listening on localhost:6725. JMX exports the...
Omise: Brute force attack of current password on login page by bypassing account limit using IP rotator(https://dashboard.omise.co/signin)
brute force...
Recorded Future: Dom Xss vulnerability
Summary: DOM XSS vulnerability Steps To Reproduce: add details for how we can reproduce the issue 1. Go to this link: https://api.recordedfuture.com/index.html 2. Open Chrome devtools and go to the console tab 3. Type: document.write('...alert(1)...'); 4. And boom! Alert 1! Impact XSS can have huge...
lemlist: [app.lemlist.com] Improper handling of payment lead to bypass payment
Summary: Hello Team, I truly hope it treats you awesomely on your side of the screen : due to improper handling of payment methods, an attacker can easily bypass the payment and benefit from a paid plan. Steps To Reproduce: 1. Log in to your account 2. Go to the billing page 3. Fill in the address t...
GitHub Security Lab: C# : Add query to detect Server Side Request Forgery
This bug was reported directly to GitHub Security Lab...
Kubernetes: Ingress-nginx annotation injection allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces
I submitted the following report to [email protected]: I've been exploring CVE-2021-25742 and believe I've discovered a variant although it appears there may be many. Most template variables are not escaped properly in nginx.tmpl, leading to injection of arbitrary nginx directives. For...
GitLab: IDOR in "external status check" API leaks data about any status check on the instance
Summary The API endpoint for returning approval from an external status check contains an IDOR that lets a user list information about all external status checks on the GitLab instance. The feature is an Ultimate feature, but can be accessed by starting an Ultimate trial on GitLab.com. So the...
Acronis: No server side check on terms of service page which leads to bypass
Hi team, I have found that there is no server side check implemented on the "Acronis Terms of Service and Privacy Statement" Page that is shown after filling the registration form which results in bypassing it without even accepting it. Steps To Reproduce: 1. Register as a new user by filling out...
Adobe: AEM forms XXE Vulnerability
AEM Forms Cloud Service offering, as well as version 6.5.10.0 and below, are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE. CVE: CVE-2021-40722 Ref: https://helpx.adobe.com/security/products/experience-manager/apsb21-103.html We...
Reddit: Domain Takeover of Reddit.ru via DNS Hijacking
Summary I discovered that Reddit.ru was vulnerable to DNS hijacking via DNS provider, Reg.ru. This would allow a malicious attacker to control the content on this domain, as well as, create email addresses associated with it... I'm going to be totally honest and say that any of us ethical hackers...
GitHub Security Lab: [Java] CWE-522: Insecure LDAP authentication
This bug was reported directly to GitHub Security Lab...
Shopify: Ability to potentially hit internal NGINX locations on *.myshopify.com by making use of the `X-Accel-Redirect` header via a configured App Proxy
By making use of the Shopify App Proxy and the X-Accel feature of NGINX, it is possible to hit any configured internal NGINX location as your current configuration is not ignoring the X-Accel-Redirect header response from an upstream service. The way it works is that NGINX allows internal...
Mail.ru: SDC bypass on calendar.mail.ru
SDCS cookie was not properly checked for a few calendar.mail.ru endpoints, allowing bypass of the SDC secure domain cookies protection for privilege separation between projects...
Rocket.Chat: Stored XSS in any message (leads to priv esc for all users and file leak + rce via electron app)
Persistent XSS flaw using nested markdown tags allows remote attacker to inject arbitrary JavaScript to message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app. Patched on 3.11, 3.10.5, 3.9.7, 3.8.8...
Revive Adserver: Reflected XSS on /www/delivery/afr.php (bypass of report #775693)
It is possible to bypass the first fix of this XSS by closing the script tag, and then opening a new one. cURL PoC is trivial: curl "https://revive-instance/www/delivery/afr.php?refresh=10000&alert1" The response will be: Advertisement alert1&loc="', 10000000; // -- body margin:0; height:100%;...
Kubernetes: secret leaks in vsphere cloud controller manager log
Report Submission Form Summary: When creating a k8s cluster over vSphere with vSphere enabled as the cloud provider, and with logging level set to 4 or above, secret information will be printed out in the cloud controller manager's log. Kubernetes Version: 1.18.6 Component Version: legacy cloud provider Steps ...
Internet Bug Bounty: CVE-2017-13041 The ICMPv6 parser in tcpdump before 4.9.2 has a buffer over-read in print-icmp6.c:icmp6_nodeinfo_print().
Description: Versions of tcpdump before 4.9.2 are vulnerable to a buffer over-read in print-icmp6.c. This vulnerability was disclosed to the tcpdump maintainers and was recently patched in version 4.9.2 and disclosed as CVE-2017-13041. Patch:...
IBM: CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability - https://esccvc.de.ibm.com
A vulnerability in the interface of Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense (FTD) was reported to IBM, analyzed and has been remediated. Thank you to Khaled 0xelkomy...
Mail.ru: Open Redirect at "city-mobil.ru"
Open redirection in city-mobil.ru via URI path with '@'...
Rocket.Chat: [Security Vulnerability Rocket.chat] HTML Injection into Email via Signup
Description Due to a lack of sanitization and validation in the affected parameter, we can input an HTML tag and the system will render it into the victim's email. Affected Endpoint https://chat.oas.greenhost.net/home Parameter : Name Steps to reproduce In the name textbox, input HTML code like "\”@x.y " And in Email,...
Rocket.Chat: API Keys Hardcoded in Github repository
Summary: API keys are ha...
Nord Security: Password Reset Link Leaked In Refer Header In Request To Third Party Sites
The reporter has identified that the web application is leaking the password reset token in the HTTP referrer header. By obtaining a token, a malicious user would be able to reset the password for a particular user. It is worth mentioning that the attack must be highly personalised and requires prior...
Mail.ru: Mail.Ru Email for Android: Injecting custom screen inside adding new account flow
Intent was implicitly invoked on account registration in the Mail.ru Mail application for Android, allowing screen content spoofing via a local application...
Open-Xchange: SSRF - Office Documents - Image URL
Through /api/oxodocumentfilter?action=addfile endpoint it is possible to insert images into documents. Handling of this request in source code is implemented here: office/com.openexchange.office.rest/src/com/openexchange/office/rest/AddFileAction.java One of options is to insert an image by...
HackerOne: Disclosure of `payment_transactions` for programs via GraphQL query
Summary: payment transactions count of programs exposed Description: payment transactions details can only be accessed by program team members, but there is a flaw with which an unauthorized user can get the payment transactions count of any program. I have confirmed this only with a public program. Steps T...
Railto LLC: Administrator access to staging.railto.com
Summary: Hey team, while doing some recon for railto sub-domains, I came across a most critical bug which gives me complete access to https://staging.railto.com. I can add anything and remove anything as I got ADMIN level privilege. Steps 1. Go to https://staging.railto.com/admin url. 2. Se...
Ruby: OS Command Injection via egrep in Rake::FileList
When a file whose name starts with | (a command file name) is in Rake::FileList, then egrep will execute the command. How to reproduce PoC pocrake.rb is the following. ruby require 'rake'; list = Rake::FileList.new(Dir.glob('*')); p list; list.egrep(/something/) Example of executing. % ls -1 Gemfile...
Radancy: Wrong link on corne.maximum.nl
Domain and URL: corne.maximum.nl Hello, I noticed that your subdomain corne.maximum.nl links to the website "maximum.com" instead of "maximum.nl" "maximum.com" is in control of a Chinese organization as you said in your description. I think you've made a little mistake, but there is no impact :...
InnoGames: Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash)
The referrer leaked the CSRF code, when opening an embedded PHP file set by the images function in tribe forums. Due to a premium function, which allows players to store and run Javascript scripts during the game, the session ID could be grabbed, as it was mistakenly embedded into the DOM. This...
curl: libcurl: SMTP end-of-response out-of-bounds read - CVE-2019-3823
libcurl contains a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtp_endofresp isn't NUL terminated and contains no character ending the parsed number, and len is set to 5, then the strtol call reads beyond the allocated buffer. The read conten...
Internet Bug Bounty: Invalid Read on exif_process_SOFn
This bug is present in the exif_scan_thumbnail method of the ext/exif/exif.c file. A detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug Report : https://bugs.php.net/bug.php?id=77540 PHP version : 7.1.26 CVE-ID : CVE-2019-9640 Impact This bug may allow an...
Mail.ru: Open panel
Non-production dashboard with random testing data was available on a tarantool.org subdomain...
RubyGems: 65534 times efficient, Brute-force attack for api_key
I have found that type checking for api_key is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/application_controller.rb#L63 ruby def authenticate_with_api_key; api_key = request.headers["Authorization"] || params[:api_key]; @api_user =...
Chaturbate: Missing CSRF Protection in /stats EndPoint.
Endpoint /affiliates/stats does not verify the CSRF tokens. Steps To Reproduce: 1. Log in with your account 2. Navigate to the URL https://chaturbate.com/affiliates/stats 3. Check the stats; by default it's today's date or this week in the select period. 4. Intercept the request and change the...
Mail.ru: ADDING YOUR OWN DATES TO A USER'S CALENDAR!
The reporter pointed to the possibility of marking a scheduled meeting request sent via an ICS file as accepted in the calendar via CSRF by brute-forcing the attachment id. Currently, this behavior is not believed to introduce real additional security risks, because the meeting can be added anyway without the user's intervention...
HackerOne: Content spoofing and potential Cross-Site Scripting vulnerability on www.hackerone.com
Summary: Hackerone.com uses the following script file https://js.driftt.com/include/1530431100000/hp9revvwkk62.js and you can see the below script on the page: this.handleMessage=function(e){if(e&&e.data){var t=document.getElementById(Si);if(t&&e.source===t.contentWindow||e.source===window.opener) The handleMessage method...
Nextcloud: Missing X-Content-Type-Options
Nextcloud doesn't have a header setting for X-Content-Type-Options, which means it is vulnerable to MIME sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome...
Liberapay: A single user can subscribe a community multiple times
There is no proper validation while subscribing for a community. A user can subscribe a single community multiple times. Steps to recreate: Step 1: Open any community Step 2: Click on subscribe button Step 3: Capture the POST request and submit it multiple times Step 4: Check the subscription cou...
Zomato: [www.zomato.com] SQLi on `order_id` parameter
@saltedfish found that a parameter order_id was vulnerable to SQLi. POC for everyone to learn from this disclosed report - There was an endpoint which had order_id as one of the parameters. - Requesting '-if(1=2,'0','1')-' in the order_id parameter changed the Response Length and upon further investigatio...
Node.js third-party modules: The react-marked-markdown module allows XSS injection in href values.
I would like to report XSS in...
Reverb.com: Persistent XSS in https://sandbox.reverb.com/item/
Description I found a Persistent XSS in a listing page. The flaw is in the SoundCloud link that the listing owner can attach. The parameter is called product[soundcloud_link_attributes][link]. There's no encoding on the user input and it looks like there's only client-side validation. PoC The payload:...
MyCrypto: Reflected XSS { support.mycrypto.com }
A reflected XSS was reported by sup3r-b0y that was activated by displaying unsanitized values of query parameters. The MyCrypto team worked with sup3r-b0y to identify and verify the fix, and are happy to confirm that the vulnerability described in the report has now been fixed. We are happy to...
GSA Bounty: SSH server compatible with several vulnerable cryptographic algorithms
An ssh-audit scan found that ssh.fr.cloud.gov supports SHA-1 for various purposes (including exclusively for MAC addresses), as well as arcfour. Both of these are outdated and known vulnerable. The algorithms used are also indicative of an outdated SSH version (OpenSSH 6 or Dropbear 2013). It's probabl...
Starbucks: Able to reset other user's password in https://card.starbucks.com.sg/
Description In the website https://card.starbucks.com.sg/ there is a password reset function https://card.starbucks.com.sg/forgetPassword.php that sends the password reset link to the user's email. By using a web proxy to monitor the request, the email address can be changed to allow the attacker...