Node.js third-party modules: [bower] Arbitrary File Write through improper validation of symlinks during package extraction
I would like to report a file write to arbitrary locations via the install command in bower. It allows attackers to write arbitrary files when a malicious package is extracted. Module: module name: bower; version: 1.8.4; npm page: https://www.npmjs.com/package/bower. Module Description: Bower offers a generi...
VK.com: access to com.vk.usersstore.UsersContentProvider, possible leak of exchange_token on Android < 21
Permission substitution on older Android versions...
Kaspersky: Web protection component in Anti-Virus products family uses predictable links for certificate warnings
Summary Websites can predict links used in certificate warnings, Safe Money prompts, anti-phishing warnings and similar pages. This allows them to initiate actions without the user's knowledge. Description The links used to override certificate warnings have the following format: https:///?kiscup...
Nextcloud: Github wikis are editable by anyone
Github wikis on the following projects https://github.com/nextcloud/fulltextsearch https://github.com/nextcloud/nextcloudpi https://github.com/nextcloud/spreed https://github.com/nextcloud/ocsms https://github.com/nextcloud/nextcloud-snap https://github.com/nextcloud/passman can be edited by any...
PayPal: Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android]
A Bug Bounty researcher identified an issue where a JSON wrapper could be used to instantiate arbitrary Java objects. This could lead to circumstances where a class called in the PayPal Android app could be read by a malicious app on the same mobile device. A specific user’s session data could...
RubyGems: 65534 times more efficient brute-force attack on api_key
I have found that type checking for api_key is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/application_controller.rb#L63 (ruby): `def authenticate_with_api_key; api_key = request.headers["Authorization"] || params[:api_key]; @api_user =`...
Rockstar Games: Found CSRF Vulnerability in https://support.rockstargames.com/
In this report, the researcher found a CSRF vulnerability that potentially allowed an attacker to spam false support requests. This issue was resolved in a site update...
Infogram: possibility to create account without username
Hi, infogram.com doesn't allow us to go to the next step until we give a name for our account, but I bypassed that. I am able to create an account without any name, just by modifying a response field. Steps: 1. Create a new account, and proceed to the page where you have to give your name. 2. Give a name and intercept th...
HackerOne: Disclosing a private program in an external link if program is paused
Summary: Hi team. Description: If the program is paused, then we will not be able to send reports to this program, and if we try to open the link https://hackerone.com/externalprogrammpaused/reports/new directly we are returned to the main page https://hackerone.com/externalprogrammpaused. Ste...
VK.com: Learning several digits of a user's phone number (SMS flooding possible) after obtaining their remixsid and user id just once, and setting users offline.
Insufficient session checks. It was possible to learn part of a user's phone number and send them an SMS with a link to the app https://vk.com/mobile after obtaining their remixsid only once, regardless of how many times the sessions had been reset. The oldest remixsid still valid for this dated from May 2016...
New Relic: Missing security best practices (leads to further impact)
Vulnerabilities: 1. Reuse of old passwords is possible: the current password can be used as the new password. 2. No email notification is sent to the linked mail account when the password is changed. Steps to reproduce the two issues: create an account with password, for example, badcracker@123; change the password to...
Monero: Attacker can trick the Monero wallet into reporting it received twice as much with alternative tx_keypubs
Summary: multiple identical tx_pubkeys were patched, but you can still use alternative tx_pubkeys to get the same result. Description: An attacker can craft an XMR transaction which causes the receiving wallet to report that it received twice as much XMR as the attacker actually sent. The balance o...
Dropbox: Bypass Local Authentication (TouchID)
This report describes an attack to bypass TouchID in the Dropbox Mobile iOS application on jailbroken iOS devices. Dropbox doesn’t consider jailbroken devices in scope for our bounty program...
Node.js third-party modules: Arbitrary File Write through archive extraction
I would like to report an arbitrary file write vulnerability in the adm-zip module. It allows attackers to write arbitrary files when a malicious archive is extracted. More info here: https://snyk.io/research/zip-slip-vulnerability https://github.com/snyk/zip-slip-vulnerability#affected-libraries Module...
Starbucks: Information Leak - Github - JMS Information
Hi, After some research, I found a leak on GitHub that might lead to accessing sensitive data of employees or clients not sure based on the code. There is also a SAP S-user to access a cloud based HANA service. I have not confirmed what kind of data is in there to avoid potential legal issues. I...
Avito: Open Redirect via login avito.ru | Protection bypass
Open-redirect using the following vector and social auth: https://www.avito.ru/rossiyalogin?next=///...
Ubiquiti Inc.: Two Factor Authentication Bypass
The researcher found a method to brute-force the 2FA code request in the www.ubnt.com login page. This method still requires the username/password from the account...
Unikrn: CSRF logs the victim into attacker's account
Description: There is no session validation while logging in which leads to csrf. Steps To Reproduce: 1. Create a CSRF login POC using the following code. 2. Replace the email and password with the valid credentials. 3. Send the script to the victim to make them click. References: 1. You've...
HackerOne: Invalid Phabricator API token revealed through error message when escalating a report
Summary While trying to create a phabricator task by escalating to phabricator, error message contains the API token as a part of the pop up. This is seen when a user tries to enter an invalid API token. Description It was seen that after setting up phabricator integration in a program, when tryi...
Node.js third-party modules: [mcstatic] Server Directory Traversal
I would like to report a Server Directory Traversal in mcstatic. It allows reading local files on the target server. Module module name: mcstatic version: 0.0.20 npm page: https://www.npmjs.com/package/mcstatic Module Description Static Http server for mocking and stuff Vulnerability Steps To...
Stellar.org: Exploitable vulnerability in SDEX
Hi, Last Thursday I discovered the exploitable vulnerability in SDEX. I immediately reported the bug directly to Jed by email and he confirmed it. It's all about rounding during trades. You see, I found that orders are always executed if the price matches market, even if the amount is as small as...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
SUMMARY: The DoD https://██████/psc/EXPROD1/ web system uses the Oracle PeopleSoft platform, which is vulnerable to Remote Code Execution (RCE) and Denial of Service (DoS) attacks over a Java Object Deserialization (CWE-502) in the "monitor" service. Thus an attacker can generate an...
Informatica: SSRF on infawiki.informatica.com and infawikitest.informatica.com
Researcher has identified and reported SSRF on Informatica's Sub-domain and helped us in resolving the issue...
HackerOne: Extra program metrics disclosed via /PROGRAM_NAME json response
Summary: The response to www.hackerone.com/PROGRAM.json includes sla_missed_count, sla_failed_count and researcher_count. Description: Viewing the response from a program's json endpoint includes the values for sla_missed_count, sla_failed_count and researcher_count. With regards to the SLA metrics, these a...
U.S. Dept Of Defense: SSRF on █████████ Allowing internal server data access
Summary: An endpoint on ██████ allows internal access to the network, thus revealing sensitive data and allowing internal tunneling. Description: The OAuth plugin allows you to provide a URL that gives a snapshot of the web page. We can pass internal URLs and conduct SSRF. Impact: Critical...
LocalTapiola: Reflected XSS (myynti.lahitapiolarahoitus.fi)
Basic report information. Summary: There is a Reflected XSS on myynti.lahitapiolarahoitus.fi. Description: There is a Reflected XSS on the myynti.lahitapiolarahoitus.fi website; the redirect parameter is vulnerable to XSS. Impact: Steals cookies from other logged-in users. Browsers / Apps Verified In:...
VK.com: Viewing any video from a private group and who uploaded it
Viewing some videos from closed groups...
Mail.ru: CSRF on lootdog.io
CSRF vulnerability for the phone/email change action. At the time of reporting, lootdog.io client-side vulnerabilities were not covered by the bug bounty...
Node.js third-party modules: [general-file-server] Path Traversal vulnerability allows to read content on arbitrary file on the server
Hi guys, there is Path Traversal in the general-file-server module. It allows reading the content of arbitrary files on the remote server. Module: general-file-server. This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser...
VK.com: self-XSS in ads_easy_promote vk.com
Self-XSS in ads...
Ubiquiti Inc.: Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300
In AirOS 6.1.5 and prior, due to a lack of validation, it is possible to bypass the CSRF protection on certain web pages. If an authenticated user accesses an attacker-controlled web page, it could trigger the CSRF, and the resulting request could modify the device configuration and create a stored XSS, with the XSS...
International Islamic University Chittagong: Union Based SQL injection in https://ieeeiiucsb.org/registration/details
Due to the lack of proper sanitization in our registration system, the researcher was able to find a SQL injection vulnerability which exposes the database name and user id. We'd like to thank him for a nice catch on our system...
International Islamic University Chittagong: Improper error handler
During the analysis it was found that when we submit the form and try to upload a txt file, it shows an error page with internal path disclosure...
International Islamic University Chittagong: Full Path Disclosed
Hi, I want to say that you have not fixed the previous report properly; I can still find the path. Fix it properly: the paths should be hidden. text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://119.18.148.140/hrd/login.php? Cookie:...
RecargaPay: IDOR exposes receipts of all users.
@cablej found an insecure direct object reference IDOR that could expose receipts from external users. Thanks for helping us make RecargaPay more secure!...
Mail.ru: XSS on https://account.mail.ru/login via postMessage
The message handler on the page https://account.mail.ru/login does not check the source, which allows any available command to be invoked from an arbitrary site (js, from https://img.imgsmail.ru/ag/0.3.3/authGate.js, formatted): `function c(a) { a = a || window.event; var c, d, h = , i = a.data, j = a.source; i`...
Rockstar Games: Stored XSS on support.rockstargames.com
In this report, the researcher was able to demonstrate a proof-of-concept exploit for a Stored XSS vulnerability on our Support site at support.rockstargames.com. The POC consisted of two parts; the setup and the trigger. The setup required entering a particular XSS payload in the Title for a new...
Mail.ru: [new.wf.mail.ru] XSS Request-URI
Reflected XSS via GET parameters in new.wf.mail.ru wf.mail.ru is not currently covered with bug bounty program...
Trello: A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to
Just found this, tested it on a whim and deeply regretted it. Sorry! So to recreate the issue: 1. Visit...
Slack: The Custom Emoji Page has a Reflected XSS
The Custom Emoji Page has a Reflected XSS in building flash message. The following is the PoC. https://team.slack.com/customize/emoji?added=1&name=vuln"alert0;...
Phabricator: Credential gets exposed
1. Create a repo. 2. Mirror it to a URL. 3. Assign a credential to the mirror. 4. I now had an existing repo and wanted to change it to mirror only, so that Phabricator pulls from a URL instead of self-hosting. I then received this error message: Pull of 'Luke081515Bot' failed: Working copy at...
Dropbox: Missing URL sanitization in comments can be leveraged for phishing
The report points out that a link in shared file's comments could say one thing in the text but actually point to another website. This is a risk we have always accepted: the document preview could also contain links, the legit links could point to shorteners. Additionally, Dropbox Paper supports...
ExpressionEngine: Image lib - unescaped file path
Under ./system/ee/legacy/libraries/Image_lib.php there are functions from CodeIgniter to manipulate images. The issue is that the PHP function exec is used two times in two different functions: image_process_imagemagick and image_process_netpbm. In both cases the full_src_path and full_dst_path are given...
U.S. Dept Of Defense: CRLF Injection on ███████
Summary: The web application hosted on the "█████" domain is affected by a carriage return line feeds CRLF injection vulnerability that could be used in combination with others. This issue could allow XSS via Cookie, bypass Double Submit Cookie csrf protection or Session Fixation on .█████████...
Grab: CSV Injection https://hub.grab.com
@Poison had pointed out that it was possible to perform CSV Injection on hub.grab.com which was tested on Microsoft Excel 2016. Injection occurred by adding the payload in customer name field in Grab mobile application. The payload used was =cmd|' /C calc'!A0. We fixed this issue by properly...
Algolia: SAUCE Access_key and User_name leaked in Travis CI build logs
Hello Algolia team, I found the SAUCE Access_key and User_name leaked in the Travis CI build logs of the instantsearch.js product (lines 249 and 250). This can be used to perform every Sauce Labs API call, e.g. creating a sub-account. I created a test account for testing; sorry for this. You should...
Internet Bug Bounty: heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start()
Reported to the Perl security mailing list on 25 August 2016. ==17057==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000b978 at pc 0x0000004a9201 bp 0x7ffe97551890 sp 0x7ffe97551048 READ of size 61 at 0x60800000b978 thread T0 #0 0x4a9200 in __interceptor_memcmp...
Coinbase: Open redirect on sign in
Sir, I made a video for clear understanding. Watch that video. Thanks. Best Regards, Anirban Singha...
Cuvva: Clickjacking vulnerability in support-dashboard.corp.cuvva.co
Hi, I found a clickjacking vulnerability in a subdomain of cuvva.com, i.e. support-dashboard.corp.cuvva.co. Impact: The resource has no X-Frame-Options header and is potentially vulnerable to clickjacking. The vulnerability exists only for authenticated users; UI redressing in the Dashboard is possible. PoC: 1. ...
Instacart: Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url=
Summary: Instacart's /store/partner_recipe?recipe_url= endpoint is vulnerable to reverse tabnabbing, since the injected link uses target="_blank". This means the page that opens in a new tab can access the initial tab and change its location using the window.opener property. Example: Reproduction...