Rockstar Games: Stored XSS on support.rockstargames.com
In this report, the researcher was able to demonstrate a proof-of-concept exploit for a Stored XSS vulnerability on our Support site at support.rockstargames.com. The POC consisted of two parts; the setup and the trigger. The setup required entering a particular XSS payload in the Title for a new...
Mail.ru: [new.wf.mail.ru] XSS Request-URI
Reflected XSS via GET parameters in new.wf.mail.ru. wf.mail.ru is not currently covered by the bug bounty program...
Trello: A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to
Just found this, tested it on a whim and deeply regretted it. Sorry! So to recreate the issue: 1. Visit...
Slack: The Custom Emoji Page has a Reflected XSS
The Custom Emoji Page has a Reflected XSS in building flash message. The following is the PoC. https://team.slack.com/customize/emoji?added=1&name=vuln"alert0;...
Phabricator: Credential gets exposed
1. Create a repo 2. Mirror it to a URL 3. Assign a credential to the mirror 4. I've now had an existing repo, and wanted to change it to mirror only, so that Phabricator pulls from a URL instead of self-hosting. I now received this error message: Pull of 'Luke081515Bot' failed: Working copy at...
Dropbox: Missing URL sanitization in comments can be leveraged for phishing
The report points out that a link in shared file's comments could say one thing in the text but actually point to another website. This is a risk we have always accepted: the document preview could also contain links, the legit links could point to shorteners. Additionally, Dropbox Paper supports...
ExpressionEngine: Image lib - unescaped file path
Under ./system/ee/legacy/libraries/Imagelib.php there are functions from CodeIgniter to manipulate images. The issue is that the PHP function exec is used twice, in two different functions: image_process_imagemagick and image_process_netpbm. In both cases the full_src_path and full_dst_path are given...
U.S. Dept Of Defense: CRLF Injection on ███████
Summary: The web application hosted on the "█████" domain is affected by a carriage return line feed (CRLF) injection vulnerability that could be used in combination with others. This issue could allow XSS via Cookie, bypass of Double Submit Cookie CSRF protection, or Session Fixation on .█████████...
Grab: CSV Injection https://hub.grab.com
@Poison had pointed out that it was possible to perform CSV injection on hub.grab.com, which was tested on Microsoft Excel 2016. The injection occurred by adding the payload in the customer name field in the Grab mobile application. The payload used was =cmd|' /C calc'!A0. We fixed this issue by properly...
Algolia: SAUCE Access_key and User_name leaked in Travis CI build logs
Hello Algolia team, I found that the SAUCE AccessKey and Username were leaked in the Travis CI build logs of the instantsearch.js product, lines 249 and 250. This can be used to perform every API call of Sauce Labs, e.g. creating a sub-account. I created a test account for testing. Sorry for this. You should...
Coinbase: Open redirect on sign in
Sir, I made a video for clear understanding. Watch that video. Thanks. Best Regards, Anirban Singha...
Cuvva: Clickjacking vulnerability in support-dashboard.corp.cuvva.co
Hi, I found a clickjacking vulnerability in a subdomain of cuvva.com, i.e. support-dashboard.corp.cuvva.co. Impact: The resource, without X-Frame-Options, is potentially vulnerable to clickjacking. The vulnerability exists only for authenticated users: possible UI redressing in the Dashboard. PoC: 1. ...
Instacart: Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url=
Summary: Instacart at the /store/partner_recipe?recipe_url= endpoint is vulnerable to reverse tabnabbing, since the injected link uses target="_blank"; this means the page that opens in a new tab can access the initial tab and change its location using the window.opener property. Example: Reproduction...
Instacart: XSS at in instacart.com/store/partner_recipe
Summary: Hi team, I found that this endpoint - https://www.instacart.com/store/partner_recipe? - at param image_url is vulnerable to XSS. Reproduction Steps & PoC: 1. Go to...
Harvest: [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters
Hi @jorgeleria, I came across a potential reflected XSS vector while exploring platform.harvestapp.com functionality. At present, I have been unable to locate a functional payload, so would like to report this as HTML injection. Proof of Concept Steps to reproduce 1. Visit the below Demonstration...
Paragon Initiative Enterprises: Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change
Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change ========================================================== Hello Team, While I was testing your web application "Paragon Initiative Enterprises", I came to know that it is vulnerabl...
Nextcloud: I am because bug
I'm because I hacker found bug because I report this bug I want to report a bug and because want some $$$$ so please because you are telling me how much you pay money so I give you bug. Me because very poor :' want money because father :' F181820 Thank you wish you because pay lots $$$$$$$$...
Weblate: Bypassing captcha in registration on Hosted site
Hello again, I believe the captcha on the user registration form is very simple and can be easily bypassed to automatically register any number of accounts. A program can read the math captcha, solve it and submit the form with the answer and the other required parameters & headers. Note: I read...
X (Formerly Twitter): HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter
Overview: The image_src parameter on amp.twimg.com accepts images from any arbitrary host, therefore enabling attackers to supply image destinations that respond with an "HTTP 401 Unauthorized" response. Description: HTTP 401 attacks occur when there is no whitelisting or proxying of images and/or page...
HackerOne: Subdomain takeover #4 at info.hacker.one
Summary: Hi team, looking at the last fix released from the Unbounce team at https://hackerone.com/reports/217358, I've been able to bypass it and take over the subdomain info.hacker.one with a new vulnerable ENDPOINT + PARAM COMBINATION in the UnbouncePages app. Actual DNS entry: F174718 Reproduction steps fo...
Shopify: XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app
Description The Shopify Embedded App SDK is used to facilitate limited interactions with parent page /admin/apps/$id from an embedded app within the shop admin interface. The SDK has multiple methods which allow an app to interact with the user which execute in the context of the admin domain and...
shopify-scripts: SIGABRT - in free
PoC ------------------- The following code triggers the bug attached as free.rb: a= h=""=0 ha,"h00000000h000000=0000000 0000ht00000=00t0000 0000h000000=000000 00000"=0 a0="z" ha,"h00000000h000000=0000000 0000ht00000=00t0000 0000h000000=000000 00000"=0 h.dup Backtrace - mirb -------------------...
Slack: Bypass to postMessage origin validation via FTP
@a1kmm- discovered a bypass to our postMessage origin check, wherein an attacker with existing MITM capabilities could use FTP to bypass validation and view XOXS tokens of victims on the local network. This was related to, and investigated at the same time as, a previous report. This issue is now...
Grab: Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App
Description: After my previous report about the 2FA bypass on the Profile Edit endpoint, I was interested in finding an endpoint which would allow me horizontal privilege escalation. So, I found the endpoint using the Android app https://p.grabtaxi.com/api/passenger/v2/profiles/activationsms which allows me to...
Internet Bug Bounty: CVE-2017-3730: Bad (EC)DHE parameters cause a client crash
https://www.openssl.org/news/secadv/20170126.txt https://guidovranken.wordpress.com/2017/01/26/cve-2017-3730-openssl-1-1-0-remote-client-denial-of-service-affects-servers-as-well-poc/...
Discourse: XSS vulnerability on Audio and Video parsers
Just like the XSS vulnerability in the Image parser, there is the same vulnerability in Audio https://github.com/discourse/onebox/blob/394409ca319cc1a1cd31fefa50c9468c990531a3/lib/onebox/engine/audio_onebox.rb and Video...
Starbucks: Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record
Hi, I discovered that the happymondays.starbucks.com DNS CNAME record points to an AWS S3 bucket which doesn't exist. Here's a screenshot of the vulnerable domain: F138556 As happymondays.starbucks.com was free to register on the AWS S3 service and the DNS set-up was already correct: F138557 I was able ...
Pushwoosh: Nginx server version disclosure
Design Issue, Information Disclosure, Low Severity...
Mail.ru: [qpt.mail.ru] CRLF Injection / Open Redirect
Vulnerable script: /tests/ Vulnerable parameter: qptquestionurl Open Redirect example:...
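The Trello, DoD and Mail.ru entries above all describe the same defect class: a user-controlled value copied into a redirect or other response header without rejecting CR/LF, sometimes combined with an open redirect. The following is an added example (not code from any of those reports or vendors) of how a server-side redirect helper can refuse header injection and off-site targets in one place. The allowlist, the `https://example.com/` base and the parameter semantics are assumptions for illustration.

```javascript
// Added example, not from the reports above. Hosts that a redirect may land on
// (assumed for this demo).
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Anything that can end the header line or start a new one must be rejected
// before URL parsing: the WHATWG URL parser silently strips CR/LF/TAB, which
// would hide the injection attempt rather than surface it.
function hasHeaderControlChars(s) {
  return /[\r\n\0]/.test(s);
}

// `raw` is the redirect parameter after the framework has URL-decoded it, so
// "%0d%0a" from the wire arrives here as a literal CR LF.
// Returns { ok: true, location } or { ok: false, reason }.
function buildRedirect(raw, fallback = '/') {
  if (typeof raw !== 'string' || raw.length === 0) {
    return { ok: true, location: fallback };
  }
  if (hasHeaderControlChars(raw)) {
    return { ok: false, reason: 'CR/LF/NUL in redirect target' };
  }
  let url;
  try {
    // Relative and protocol-relative forms ("//evil/x") are resolved against a
    // fixed base, so their real destination host becomes visible to the check.
    url = new URL(raw, 'https://example.com/');
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // Parsing also defeats "https://example.com@evil.com": the hostname is evil.com.
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not in allowlist` };
  }
  // Re-serialise from the parsed object rather than echoing the raw input.
  return { ok: true, location: url.href };
}

// Stand-alone usage with constructed inputs.
for (const candidate of ['/tests/?q=1', '/tests/\r\nSet-Cookie: sid=attacker', '//evil.example/landing']) {
  console.log(JSON.stringify(candidate), '->', JSON.stringify(buildRedirect(candidate)));
}
```

The order matters: the control-character check runs on the raw decoded string, the scheme and host checks run on the parsed object, and only the re-serialised `href` is ever placed in the `Location` header.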
Open-Xchange: Tab nabbing via window.opener
Details: When you open a link in a new tab (target="_blank"), the page that opens in a new tab can access the initial tab and change its location using the window.opener property. PoC: Edit your contact details with the website URL http://davenport.net.nz/test.html, which has the following htm...
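Both the Instacart and the Open-Xchange entries above hinge on the same detail: a user-supplied link rendered with target="_blank" gives the opened page a live window.opener. The following is an added example (not code from either report or vendor) of a post-render pass that adds rel="noopener noreferrer" to every such anchor; it is regex-based to stay self-contained, and in a real application the same rule belongs in the HTML sanitizer that already parses the markup. The sample HTML is constructed.

```javascript
// Added example, not from the reports above. Tokenises the attribute list of
// one <a ...> tag: name, optionally followed by ="..." | '...' | bare value.
const ATTR_RE = /([^\s=]+)(?:\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(attrString) {
  const attrs = [];
  for (const m of attrString.matchAll(ATTR_RE)) {
    attrs.push({ name: m[1].toLowerCase(), value: m[3] ?? m[4] ?? m[5] ?? null });
  }
  return attrs;
}

function serialiseAttrs(attrs) {
  return attrs
    .map(a => (a.value === null ? a.name : `${a.name}="${a.value.replace(/"/g, '&quot;')}"`))
    .join(' ');
}

// Leaves the tag alone unless it opens a new tab without already opting out of
// window.opener. "noreferrer" is added as well: older browsers honour it, and
// it implies noopener (at the cost of suppressing the Referer header).
function hardenAnchorTag(tag) {
  const m = /^<a\b([^>]*)>$/i.exec(tag);
  if (!m) return tag;
  const attrs = parseAttrs(m[1]);
  const target = attrs.find(a => a.name === 'target');
  if (!target || (target.value || '').toLowerCase() !== '_blank') return tag;
  const rel = attrs.find(a => a.name === 'rel');
  const tokens = new Set((rel && rel.value ? rel.value : '').toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has('noopener')) return tag;
  tokens.add('noopener');
  tokens.add('noreferrer');
  const relValue = [...tokens].join(' ');
  if (rel) rel.value = relValue; else attrs.push({ name: 'rel', value: relValue });
  return `<a ${serialiseAttrs(attrs)}>`;
}

// Apply to a whole fragment of rendered HTML (user-controlled links included).
function hardenBlankLinks(html) {
  return html.replace(/<a\b[^>]*>/gi, hardenAnchorTag);
}

// Constructed sample: a partner recipe page embedding an attacker-chosen link.
const SAMPLE_HTML = '<p>See <a href="https://partner.example/recipe" target="_blank">recipe</a></p>';
console.log(hardenBlankLinks(SAMPLE_HTML));
```

A complementary server-side control that needs no markup rewriting is the `Cross-Origin-Opener-Policy: same-origin` response header, which makes the browser sever the opener relationship for cross-origin popups regardless of how the link was written.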
Shopify: Able to Login deactivated staff account in shopify app mobile
Hi Shopify, A deactivated staff account is able to log in to the Shopify mobile app. STEPS: 1. Log in to your owner account 2. Go to Staff Accounts and deactivate your staff account 3. Log in to your staff account in your Shopify mobile app. As you can see, you were able to log in even though the staff account was...
Internet Bug Bounty: Additional information for CVE-2016-5699
I was not the first to report this issue, but the fix languished for quite some time, since no one realized quite how bad it was. I wasn't aware of the original bug report and discovered the issue independently. I was the first to report the much more serious consequences of it. The vulnerability...
Internet Bug Bounty: Out of bound read in exif_process_IFD_in_MAKERNOTE
I have found some vulnerable code that lacks a buffer size check, which may lead to an out-of-bounds memory read or write. Take a look at: static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char *value_ptr, int value_len, char *offset_base, size_t IFDlength, size_t displacement) SNIP switch (maker_note->offset_mo...
Ubiquiti Inc.: Reflected Xss in AirMax [Nanostation Loco M2]
Dear James, I've found a reflected XSS in the NanoStation Loco M2. Just open this link and the XSS will execute. http://172.98.67.89:22057/survey.cgi?iface=%22%3E%3Cimg%20src=x%20onerror=prompt(document.cookie)%3E F103333 Best Regards, Shubham...
Nextcloud: Uploading files to a folder where invited users don't have any EDIT privilege
Hi, Any user invited to a shared folder with no edit privilege can create files in it through the copy feature of the Nextcloud Android app. Steps to reproduce: + Create any folder and invite a user to it without any edit privilege. + Now log in from the invited user account through the Android app. + Copy any...
Nextcloud: No captcha on newsletter.nextcloud.com leaves it vulnerable to email spammers
The lack of a captcha, or the verificationcodeX being empty in your phplist configuration, allows attackers to use this mail form to send as much spam as they like to victims. I did not reach an email sending limit when I tested this. PoC images below: Burp Suite automated requests:...
drchrono: SSL/TLS BEAST ATTACK
Supported versions: TLSv1.0 TLSv1.1 TLSv1.2. Deflate compression: no. Supported cipher suites (ORDER IS NOT SIGNIFICANT): TLSv1.0: RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLSv1.1: idem TLSv1.2...
Mail.ru: Multiple vulnerabilities in the Mail.Ru Mail application (Android)
A few mistakenly exported content providers and activities are reported to have vulnerabilities, allowing application data access and manipulation. This report was marked as a duplicate because it is a known fact that the activities and content providers are exported by mistake; a fix is under development...
Veris: Security Vulnerability - SMTP protection not used
Hi, I'm checking your website and found an SPF record there. You should apply a strict SMTP policy to stop spoofed emails being sent from your domain. An attacker could send a fake email from [email protected] saying "Please change your password". The victim is aware of phishing attacks, but when he sees...
Pornhub: Unprotected Memcache Installation running
The consultant was able to connect to the stage.pornhub.com subdomain via port 60893, it was determined that the target host was running memcached and required no authentication...
Internet Bug Bounty: Adobe Flash Player ASnative(900,1).call(TextField) Use-After-Free Vulnerability
I. Summary Adobe Flash Player is prone to a vulnerability which leads to Use-After-Free. ------------------------------------------------------------------ II. Description If ASnative(900,1) is invoked with a TextField instance and getter properties associated with swfRoot where the getter method...
X (Formerly Twitter): Tweet Deck XSS- Persistent- Group DM name
Hello, group names in tweetdeck.twitter.com aren't filtered properly, giving scope for cross-site scripting attacks. Challenge I faced while escalating the XSS: - the group name can only be 9 characters long. How I bypassed it: set multiple group names with different payloads, which means we c...
HackerOne: CSV Injection at the CSV export feature
Hi there, I have found a way to bypass the mitigation done in 72785 and 111192. What happens if an attacker creates a ticket with the title ":";-3+3+cmd|' /C calc'!D2 ? The ; will break the field, making Excel think there are two fields. Although you are using "" to encapsulate a field and , ...
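The Grab entry above shows the textbook CSV injection payload (a cell beginning with `=`), and the HackerOne entry shows why a fix that only looks at the first character is not enough: a delimiter inside the cell can make a tolerant importer start a new cell, and the text after it (`-3+3+cmd|...`) is then parsed as a formula. The following is an added example (not code from HackerOne or Grab, whose actual fixes are not shown here) of an exporter that quotes every cell, doubles embedded quotes, and prefixes a single quote whenever a formula trigger appears either at the start of the cell or immediately after an in-cell delimiter. That second rule is a defensive generalisation beyond what either report states. Sample rows are constructed.

```javascript
// Added example, not from the reports above. Characters that make Excel,
// LibreOffice or Sheets evaluate a cell as a formula or DDE command.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r', '|', '%']);
// Characters a lenient importer may treat as a field or record separator.
const DELIMITERS = new Set([',', ';', '\t', '\r', '\n']);

// True if the cell starts a formula, or would start one after being split on
// an embedded delimiter (the shape of the bypass in the HackerOne report).
function looksLikeFormula(cell) {
  let atStart = true;                       // at the (possible) start of a cell
  for (const c of cell) {
    if (c === ' ') continue;                // leading spaces are ignored by spreadsheets
    if (atStart && FORMULA_TRIGGERS.has(c)) return true;
    atStart = DELIMITERS.has(c);            // a delimiter starts a new cell
  }
  return false;
}

// Always quote; double embedded quotes; neutralise formulas with a leading
// apostrophe, which spreadsheets treat as "the rest is literal text".
function csvCell(value) {
  let s = value === null || value === undefined ? '' : String(value);
  if (looksLikeFormula(s)) s = "'" + s;
  return '"' + s.replace(/"/g, '""') + '"';
}

function toCsv(rows) {
  return rows.map(r => r.map(csvCell).join(',')).join('\r\n');
}

// Constructed export: header row, a benign customer, and the two payloads from
// the reports above placed in a free-text field.
const SAMPLE_ROWS = [
  ['customer_name', 'note'],
  ['Alice', 'hello, world'],
  ["=cmd|' /C calc'!A0", 'Grab payload'],
  ['":";-3+3+cmd|\' /C calc\'!D2', 'HackerOne bypass payload'],
];
console.log(toCsv(SAMPLE_ROWS));
```

The trade-off a practitioner should know: `-` and `+` are triggers, so a legitimate negative number such as `-5` also gets the apostrophe and is imported as text. If numeric columns matter, apply the escaping only to columns that are declared free text and emit numbers unquoted from a typed schema.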
Radancy: RC4 cipher suites detected
A group of researchers, Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt, have found new attacks against TLS that allow an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical fla...
HackerOne: Pre-generation of 2FA secret/backup codes seems like an unnecessary risk
If you manage to get a malicious script running in HackerOne, requesting https://hackerone.com/settings/authentication/edit and parsing out the two factor authentication form will yield either… - the 2FA secret key and backup codes that will be used if 2FA is enabled for the first time this sessi...
HackerOne: Cross-domain AJAX request
Hi, two weeks ago I found a cross-domain AJAX request, but because you use a very strict Content Security Policy, I hesitated to send this. Today, I noticed that the bug has been fixed. But this fix can be bypassed. This example is not working now, screenshot 1:...
Bumble: Tokens from services like Facebook can be stolen
Description: This file https://mus1.badoo.com/cb.html looks for the parameters access_token, token and code in the URL and sends the value back to the window.opener using window.opener.postMessage(message, '*'). Because you specified '*' as the value of the second parameter of postMessage, the browser is...
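The Slack and Bumble entries above are the two halves of one postMessage problem: Slack's receiver accepted an origin it should have rejected (the report says an ftp:// origin got past the check), and Badoo's sender posted a secret with targetOrigin '*' so any window could receive it. The following is an added example (not Slack's or Badoo's code; neither report shows the actual check) contrasting a suffix-based origin test with a strict one, and pinning the target origin on the sending side. The allowlist and the `fakeOpener` stand-in for `window.opener` are assumptions so the block runs outside a browser.

```javascript
// Added example, not from the reports above. Origins allowed to exchange
// messages with this page (assumed for this demo). An origin is scheme +
// host + port, never a path, so these are compared as whole strings.
const TRUSTED_ORIGINS = new Set(['https://app.example.com', 'https://auth.example.com']);

// Illustrative weak check of the kind that fails: it inspects only the host
// suffix, so the scheme is never examined and any subdomain passes.
function weakOriginCheck(origin) {
  return origin.endsWith('.example.com');
}

// Strict check: must parse as a URL, must be https, and must be exactly one
// of the allowlisted origins (no suffix or substring matching).
function strictOriginCheck(origin) {
  let u;
  try {
    u = new URL(origin);
  } catch (e) {
    return false; // '*', 'null', garbage
  }
  return u.protocol === 'https:' && TRUSTED_ORIGINS.has(u.origin) && u.origin === origin;
}

// Receiver side: the handler for window.addEventListener('message', ...).
// Returns the payload, or null when the message must be dropped.
function handleMessage(event) {
  if (!strictOriginCheck(event.origin)) return null;
  return event.data;
}

// Sender side: a callback page relaying a token to its opener must name the
// one origin allowed to receive it. With a pinned targetOrigin the browser
// discards the message if the opener has since navigated elsewhere.
function postTokenToOpener(opener, message, targetOrigin) {
  if (!strictOriginCheck(targetOrigin)) {
    throw new Error(`refusing to post a token to ${targetOrigin}`);
  }
  opener.postMessage(message, targetOrigin);
  return targetOrigin;
}

// Stand-alone demo with a constructed opener that records what it receives.
const received = [];
const fakeOpener = { postMessage: (msg, origin) => received.push({ msg, origin }) };
postTokenToOpener(fakeOpener, { access_token: 'demo-token' }, 'https://app.example.com');
console.log('weak check on ftp origin:', weakOriginCheck('ftp://team.example.com'));
console.log('strict check on ftp origin:', strictOriginCheck('ftp://team.example.com'));
console.log('delivered to:', received[0].origin);
```

The `u.origin === origin` comparison is deliberate: `event.origin` is always a bare origin, so anything with a path, trailing slash or userinfo in it is not a browser-supplied origin and should fail.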
Shopify: www.shopify.com XSS on blog pages via sharing buttons
The social sharing buttons (Facebook and LinkedIn) are vulnerable to XSS at www.shopify.com/guides/, www.shopify.com/videos/ and www.shopify.com/success-stories/. Steps to reproduce: - go to the page https://www.shopify.com/videos/pop-up-shop?x=';alert(1)// - share this page by clicking the Facebook or LinkedIn sharin...
ownCloud: apps.owncloud.com: SSL Session cookie without secure flag set
URL: https://apps.owncloud.com/usermanager/login.php Issue detail: The following cookie was issued by the application and does not have the secure flag set: PHPSESSID=27caghhkfjvuso3mmiqajqt2n4; path=/; HttpOnly. The cookie appears to contain a session token, which may increase the risk associated...
ownCloud: owncloud.com: Content Sniffing not disabled
URL: https://owncloud.com Issue description: There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the response. The lack of this header causes certain browsers to try to determine the content type and encoding of the response even when these properties are define...
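Four of the entries above (Cuvva's missing X-Frame-Options, Pushwoosh's Nginx version banner, ownCloud's session cookie without Secure, and ownCloud's missing nosniff) are response-header hygiene findings that a scanner reports mechanically. The following is an added example (not code from any of those reports or vendors) of the checking logic run over a constructed raw response: it parses the header block, then reports each of those four gaps, treating a CSP `frame-ancestors` directive as an acceptable substitute for X-Frame-Options. Both sample responses are constructed, not captures.

```javascript
// Added example, not from the reports above. Parses the header block of a raw
// HTTP response into a lowercase-name -> [values] map (Set-Cookie may repeat).
function parseHeaders(rawText) {
  const headers = {};
  for (const line of rawText.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;                      // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers[name]) headers[name] = [];
    headers[name].push(value);
  }
  return headers;
}

// Returns a list of human-readable findings; empty means all four checks passed.
function auditHeaders(headers) {
  const findings = [];
  const get = name => headers[name] || [];

  // Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
  const csp = get('content-security-policy').join(';');
  if (get('x-frame-options').length === 0 && !/frame-ancestors/i.test(csp)) {
    findings.push('clickjacking: no X-Frame-Options and no CSP frame-ancestors');
  }

  // MIME sniffing: the value must be exactly "nosniff".
  if (!get('x-content-type-options').some(v => v.toLowerCase() === 'nosniff')) {
    findings.push('content sniffing: X-Content-Type-Options: nosniff missing');
  }

  // Cookie flags: every Set-Cookie should carry Secure and HttpOnly.
  for (const cookie of get('set-cookie')) {
    const parts = cookie.split(';').map(p => p.trim());
    const cookieName = parts[0].split('=')[0];
    const flags = new Set(parts.slice(1).map(p => p.toLowerCase()));
    if (!flags.has('secure')) findings.push(`cookie ${cookieName}: Secure flag missing`);
    if (!flags.has('httponly')) findings.push(`cookie ${cookieName}: HttpOnly flag missing`);
  }

  // Version disclosure: a digit in the Server banner means a version string.
  for (const server of get('server')) {
    if (/\d/.test(server)) findings.push(`version disclosure: Server: ${server}`);
  }
  return findings;
}

// Constructed responses: one with all four gaps, one hardened.
const WEAK_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: nginx/1.10.3',
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly',
  '',
].join('\r\n');

const HARDENED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: nginx',
  'Content-Type: text/html; charset=utf-8',
  'X-Frame-Options: DENY',
  'X-Content-Type-Options: nosniff',
  'Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly',
  '',
].join('\r\n');

console.log(auditHeaders(parseHeaders(WEAK_RESPONSE)));
console.log(auditHeaders(parseHeaders(HARDENED_RESPONSE)));
```

Run against real traffic, feed `parseHeaders` the header block of each response and treat an empty list from `auditHeaders` as a pass; the same function also flags an `X-Content-Type-Options` header that is present but carries a value other than `nosniff`, which browsers ignore.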