Nextcloud: Talk - Leak of password-protected room name via already existent resource addition
CVSS ---- Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Description ----------- Affected: Talk / Spreed 6.0.3 The name of shared but password-protected rooms leaks to low-privileged authenticated users. An attacker does not need to guess room IDs, but can simply iterate over IDs to gath...
Starbucks: Reflected cross-site scripting on multiple Starbucks assets.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Please indicate NA, if not applicable. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling...
Nextcloud: Vulnerable W3 Total Cache plugin version in use on nextcloud.com
Hi there, I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable: https://nextcloud.com/wp-content/plugins/w3-total-cache/changelog.txt W3 Total Cache makes the site vulnerable to a series of attacks, includin...
Node.js third-party modules: environment variable leakage in error reporting
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report the leak of...
Node.js third-party modules: [serve] Path Traversal
I would like to report a path traversal vulnerability in the serve module. It allows an attacker to read system files via a path traversal vulnerability. Module module name: serve version: 10.1.2 npm page: https://www.npmjs.com/package/serve Module Description Assuming you would like to serve a static site...
OLX: XSS inside HTML Link Tag
Hello, I discovered XSS in sharjah.dubizzle.com. The XSS is reflected inside an HTML link tag, so it needs some condition to trigger the payload. Steps to Reproduce - Visit https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert1337...
VLC (European Commission - DIGIT): Access Violation Reading in libfaad_plugin
1 Basic info of application 1.1 Info of application Application Name VLC media player for Windows Application Version 4.0.0-dev Otto Chriek Download Address http://nightlies.videolan.org/ Testing OS Windows 8 2 Info of test file 2.1 Test file info Normal file name normal.mkv Normal file type...
Starbucks: XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx
Description: Hi guys, when I visited the Starbucks jobs website in China (https://ecjobs.starbucks.com.cn), I found a feature for uploading a user's photo. Through bypassing the security restrictions of the upload, I can upload html|xhtml|xml|config files etc. The uploaded html file can realize the...
Grammarly: DOM based CSS Injection on grammarly.com
Summary: An attacker can inject an external css file which can lead to phishing attacks and xss in older browsers. Description: Within the main.js file the following code exists: javascript t.prototype.componentWillMount = function var e = this.getCtx.nav.waypoint.query, t = e.extcss, n =...
GitLab: Blocked user Git access through CI/CD token
Summary A blocked user does not have the ability to utilise Git client operations, GitLab UI access or API access. However, a blocked user can still use Git clone/Git pull client commands if they are able to obtain a CI/CD token before being blocked. This allows them to access projects they are...
DuckDuckGo: Partial bypass of #483774 with Blind XXE on https://duckduckgo.com
Summary: Hi DuckDuckGo team, I've contacted you previously because, on a second pass over the 483774 report, I saw that it was possible to bypass the fix. Anyway, I've not got any response, and because I think that this is a rather dangerous issue, I'm opening another report for the bypass. Hope you'll...
QIWI: [QIWI Wallet] Access to protected app components
Hello, I want to report a vulnerability discovered in the class ru.mw.main.Main. Application information: Application: QIWI Wallet; Package name: ru.mw; Version number: 3.25.0; Version code: 21346; Version status: Latest; Vulnerable class: ru.mw.main.Main. Vulnerability: Since the activity ru.mw.Main...
Internet Bug Bounty: Heap-buffer-overflow in Perl__byte_dump_string (utf8.c) could lead to memory leak
With a crafted regex match, I have found a heap overflow in the function Perl__byte_dump_string, which would lead to a memory leak. Reported to the Perl security mailing list on 11 Sep 2017. Confirmed as a security flaw by TonyC on 24 Feb 2018. CVE-2018-6797 assigned to this flaw on 7 Feb 2018. Public securit...
Internet Bug Bounty: ZeroMQ libzmq remote code execution
Bug report and exploit: https://github.com/zeromq/libzmq/issues/3351 Fix by me: https://github.com/zeromq/libzmq/pull/3353 My motive for full disclosure is as follows: Is it true that it is not safe to use ZeroMQ over the internet because it will crash? Earlier versions of the ZeroMQ library befo...
Weblate: Stored XSS @ /engage/<project_slug>
Description The vulnerability concerns a Stored XSS, while it is currently to the best of my knowledge not exploitable due to limitations stated below. I thought that the issue is worth reporting anyway. Steps to reproduce 1. Change a project's name or create one to the following payload:...
Kaspersky: Web protection component in Anti-Virus products family uses predictable links for certificate warnings
Summary Websites can predict links used in certificate warnings, Safe Money prompts, anti-phishing warnings and similar pages. This allows them to initiate actions without the user's knowledge. Description The links used to override certificate warnings have the following format: https:///?kiscup...
Razer US: DLL Hijacking Vulnerability in synapse-2
The Synapse 2 installer was subject to a DLL planting attack in the Downloads folder. This was fixed in May of 2019...
RubyGems: 65534 times efficient, Brute-force attack for api_key
I have found that type checking for api_key is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/application_controller.rb#L63 `def authenticate_with_api_key; api_key = request.headers["Authorization"] || params[:api_key]; @api_user = ...`
Khan Academy: Stored 'undefined' Cross-site Scripting
Hello KhanAcademy Security Team, I'm rootbakar. I found an XSS bug on 'BIO' in the profile. I used the XSS payload "/load=promptdocument.domain;"/load= prompt document.cookie; after I save, it appears there is no trigger from the XSS, but when I try to change one of the values in the profile form and...
Open-Xchange: store xss in calendar via upload filename
Reproduction steps: 1. Access the URL https://sandbox.open-xchange.com/appsuite/app=io.ox/calendar/scheduling 2. Create an appointment 3. Upload a file, with the file name carrying the payload '"img src=x onerror=alertdocument.domain.svg' 4. Access...
Upserve : OLO Total price manipulation using negative quantities
Manipulating an order request JSON object, containing an additional item with a negative quantity directly manipulates the total amount of the order. In the following JSON request, an order is submitted for 2 ChickenBurgers $12 each, as well as -1 BreadPuddings $9 each. The total price after tax...
DuckDuckGo: SSRF in proxy.duckduckgo.com via the image_host parameter
Description The https://proxy.duckduckgo.com/iur/ endpoint is vulnerable to SSRF via the image_host GET parameter. Vulnerable URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://tudomanyok.hu/ Some internal URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://127.0.0.1:18091/...
Mail.ru: Clickjacking Vulnerability on https://support.my.com/games/ticket/xxxx/
Hi There, I have found a Clickjacking vulnerability on your site. Steps to reproduce: 1. Go to this site: https://support.my.com 2. Generate a Clickjacking script, save it as .html and run it in your browser. Script: iframe width: 800px; height: 500px; position: absolute; top: 0; left: 0; filter:...
Mail.ru: Modifying application settings via clickjacking on o2.mail.ru
It was possible to edit application information or delete application via clickjacking on o2.mail.ru...
HackerOne: Invalid Phabricator API token revealed through error message when escalating a report
Summary While trying to create a phabricator task by escalating to phabricator, error message contains the API token as a part of the pop up. This is seen when a user tries to enter an invalid API token. Description It was seen that after setting up phabricator integration in a program, when tryi...
Informatica: SSRF on infawiki.informatica.com and infawikitest.informatica.com
Researcher has identified and reported SSRF on Informatica's Sub-domain and helped us in resolving the issue...
U.S. Dept Of Defense: SSRF on █████████ Allowing internal server data access
Summary: An endpoint on ██████ allows internal access to the network, thus revealing sensitive data and allowing internal tunneling. Description: The OAuth Plugin allows you to provide a URL that gives a snapshot of the web page. We can pass internal URLs and conduct SSRF. Impact Critical...
Open-Xchange: Stored-XSS with user interaction on [sandbox.open-xchange.com] via inserted link in mail
Hello, I would like to report a Stored-XSS on sandbox.open-xchange.com via an inserted link in mail. Steps to Reproduce ---- 1 Login as the first user (User A) and start creating a new mail message 2 Click on an insert link button and paste the following text qwe"-alertdocument.domain-" into Url and Plea...
VK.com: Viewing photos from private/closed groups.
Viewing private photos. A hardcore hack for viewing any photos from any groups, plus the ability to like them and obtain the hash for any user...
Ed: Fix for self-DoS in Security-txt Chrome Extension.
@sp1d3rs found a self-DoS vulnerability in the Security-txt Chrome Extension. He was also kind enough to provide a fix which you can find on GitHub. We merged @sp1d3rs' fix when he submitted a PR. We later decided that it was better to stop using XHR and use Fetch instead, a newer API. This was th...
Ubiquiti Inc.: Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300
In AirOS 6.1.5 and prior, due to a lack of validation it is possible to bypass the CSRF protection in certain web pages. If an authenticated user accesses an attacker-controlled web page, it could trigger the CSRF and the resulting request could modify the device configuration and create a stored XSS, with the XSS...
International Islamic University Chittagong: Union Based SQL injection in https://ieeeiiucsb.org/registration/details
Due to the lack of proper sanitization on our registration system, the researcher was able to find a SQL injection vulnerability which exposes the database name & user id. We'd like to thank him for a nice catch on our system...
International Islamic University Chittagong: Full Path Disclosed
Hi, I want to say that you have not fixed the previous report properly. I can still find the path; fix it properly, the paths should be hidden. text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://119.18.148.140/hrd/login.php? Cookie:...
RecargaPay: IDOR exposes receipts of all users.
@cablej found an insecure direct object reference (IDOR) that could expose receipts from external users. Thanks for helping us make RecargaPay more secure!...
Brave Software: Homograph Attack Bypass [ Tested on Linux & Windows ]
Summary: In 175286 you patched it, and I tried it and it works, but I've another way to bypass it. When we add a site to our Homepage with @, it does not validate the URL properly; make sure it displays the punycode. Products affected: Brave 0.18.36 Linux & Windows Steps To Reproduce: 1. In browser add...
GSA Bounty: Email Spoofing - SPF record set to Neutral
Hi, Introduction: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more...
Mail.ru: [new.wf.mail.ru] XSS Request-URI
Reflected XSS via GET parameters in new.wf.mail.ru wf.mail.ru is not currently covered with bug bounty program...
Trello: A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to
Just found this, tested it on a whim and deeply regretted it. Sorry! So to recreate the issue: 1. Visit...
Dropbox: Missing URL sanitization in comments can be leveraged for phishing
The report points out that a link in shared file's comments could say one thing in the text but actually point to another website. This is a risk we have always accepted: the document preview could also contain links, the legit links could point to shorteners. Additionally, Dropbox Paper supports...
U.S. Dept Of Defense: CRLF Injection on ███████
Summary: The web application hosted on the "█████" domain is affected by a carriage return line feed (CRLF) injection vulnerability that could be used in combination with others. This issue could allow XSS via Cookie, bypass of Double Submit Cookie CSRF protection or Session Fixation on .█████████...
Grab: CSV Injection https://hub.grab.com
@Poison had pointed out that it was possible to perform CSV Injection on hub.grab.com which was tested on Microsoft Excel 2016. Injection occurred by adding the payload in customer name field in Grab mobile application. The payload used was =cmd|' /C calc'!A0. We fixed this issue by properly...
Coinbase: Open redirect on sign in
Sir, I made a video for clear understanding. Watch that video. Thanks. Best Regards, Anirban Singha...
Cuvva: Clickjacking vulnerability in support-dashboard.corp.cuvva.co
Hi, I found a clickjacking vulnerability in a subdomain of cuvva.com, i.e. support-dashboard.corp.cuvva.co. Impact: The resource without X-Frame-Options is potentially vulnerable to Clickjacking. The vulnerability exists only for authenticated users; possible UI redressing in the Dashboard. PoC: 1. ...
Instacart: XSS at in instacart.com/store/partner_recipe
Summary Hi team, I found that this endpoint - https://www.instacart.com/store/partner_recipe? - at the param imageurl is vulnerable to XSS. Reproduction Steps & PoC 1 Go to...
Paragon Initiative Enterprises: Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change
Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change ========================================================== Hello Team, While I was testing your web application "Paragon Initiative Enterprises", I came to know that it is vulnerabl...
RubyGems: Escape sequence injection in "summary" field
Seems we can include any escape sequence in the "summary" field of a gemspec. This allows attackers to inject escape sequences into a victim's terminal emulator. How to attack 1 An attacker creates a gem with a summary string that includes malicious escape sequences, and pushes it to rubygems.org. 2 A...
Nextcloud: Delete All Data of Any User
If you are a user with permission to manage the useradmin group, you can delete all data of the website. Steps: 1. Create a new user with the username '.'. 2. Delete the user who has just been created. Cause: when you create a new user, the Nextcloud app will make a new folder with the same name as the username, which has been...
HackerOne: Subdomain takeover #4 at info.hacker.one
Summary: Hi team, looking at the last fix released by the Unbounce team at https://hackerone.com/reports/217358, I've been able to bypass it and take over the subdomain info.hacker.one with a new vulnerable ENDPOINT + PARAM COMBINATION at the UnbouncePages App. Actual DNS Entry: F174718 Reproduction Steps fo...
VK.com: Ability to hack any user not using two-factor authentication by receiving the recovery code on someone else's phone number.
A vulnerability in the VK Android application library that made it possible to receive the recovery code for certain pages on one's own phone number. Because of the vulnerability it was possible to send the recovery code for any page to someone else's number; only two-factor authentication protected against it...
Open-Xchange: RTLO character in file names
DESCRIPTION ------- Hello, I have noticed that the RTLO (Right-To-Left Override) character is not filtered from the names of files saved to Drive, or from attachment names, thus allowing 2 things: 1. Someone sends a malicious file (html or exe or something else) via email that...