Automattic: Stored XSS in Intense Debate comment system
Hi Team, Summary: The Intense Debate comment system is vulnerable to stored XSS by users, this would allow for attacking admins/users on the blog, Platforms Affected: Intense Debate comment system Steps To Reproduce: 1. Go to intensedebate.com/moderate/-ID- 2. Go to comments allow images in...
TikTok: [CSRF] TikTok Careers Portal Account Takeover
A missing CSRF protection and open redirect vulnerability was reported in the TikTok Careers portal single sign on flow which is used by applicants to apply for TikTok positions. This flaw was quickly remediated and does not impact TikTok.com or mobile application. We thank @lauritz for reporting...
Mail.ru: Stored XSS through fileupload
Stored XSS in view uploaded file functionality on static.donationalerts.ru...
Shopify: Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner
I was playing a bit with the Point Of Sale application and it came to my attention that it is possible to navigate from the Point Of Sale Application up to the Plan & Permission in the admin. I am not sure if this is intentional, but since it leads to potentially take over a shop, I'm reporting i...
Mail.ru: Path traversal lead to LFR via [CVE-2019-3394]
Path traversal leads to Local File Read via CVE-2019-3403 in confluence.plazius.ru...
Open-Xchange: A specially crafted message sent to the local delivery agent (LMTP) causes the LMTP child process to issue a panic (call i_panic)
Summary Sending a message to the local delivery agent with a number of MIME parts greater than the Dovecot core threshold of MIME parts results in i_panic. In the case of the LMTP server it causes the child to abort the connection. I believe that this can be quite problematic, if such a message lands in th...
Node.js third-party modules: [arpping] Remote Code Execution
I would like to report RCE in arpping. It allows executing arbitrary commands on the victim's PC. Module module name: arpping version: 2.0.0 npm page: https://www.npmjs.com/package/arpping Module Description Discover and search for internet-connected devices locally using ping and arp Module Stats...
Zomato: [api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query
Disclosing it as per the request from @zzzhacker13. This report is identical to 844428 but this one was on a different endpoint. POC - - :v2/red/homepage.json?lat=&lon=&city_id=!dismax+df=city_id86&androidcountry=US&lang=en&androidlanguage=en Zomato Security Team...
Nextcloud: The password of a mail share is not hashed if the password is given when the share is created
Create a new mail share with a password by using the OCS endpoint with something like: curl -u admin:admin -X POST -H "OCS-APIRequest: true" "http://localhost/ocs/v1.php/apps/files_sharing/api/v1/shares?path=welcome.txt&shareType=4&[email protected]&password=plainTextPassword" - Check the...
Mail.ru: MySQL username and password leaked on [2017.russianaicup.ru]
Configuration file available via web interface could disclose potentially sensitive information...
Concrete CMS: Stored XSS in the file search filter
1. Download Concrete5 8.5.2 and install it 2. Log into your Concrete5 instance as admin 3. Go to Dashboard Files Search 4. In the file search bar, click Advanced 5. In the window that appears, enter a phrase and click the save button, paste the following payload: and click the save button 6. In the...
U.S. Dept Of Defense: Arbitrary file upload and stored XSS via ███ support request
Summary: A malicious user can upload files of any type when submitting a support request. Impact This would allow the attacker to upload malicious executable files as well as .html or .svg files which would allow the attacker to execute malicious code on behalf of the ████ customer support...
X (Formerly Twitter): No rate limiting on brute-forcing user passwords
The login function of http://www.twitter.com has an issue: it only limits the number of failed login attempts for a single user, and does not limit trying a fixed password against different users, or credential stuffing. Please follow the video, otherwise this issue cannot be reproduced. Impact: No rate limiting on brute-forcing user passwords...
HackerOne: Attacker may be able to bounce enough emails which suspend HackerOne's SES service and cause a DoS of HackerOne's email service
This was a DoS based on triggering a lot of bounced emails via SES service which could put our email sending up for review with AWS. The vulnerability was due to unrestricted invitations on sandbox programs which allowed an attacker to generate an infinite number of bounced emails. We had applied...
GitLab: Path traversal in Nuget Package Registry
Summary There's a path traversal issue in Nuget package registry which was released to GitLab-EE recently. The issue allows an attacker to create any file with an extension “.nupkg” in the filesystem. By combining the bug with a race condition in Gitaly which I used several times before 762421,...
Node.js third-party modules: [Limited bypass of #793704] Blind SSRF in Ghost CMS
Blind SSRF vulnerability in Ghost allows for internal port scanning, or reading oembed contents from internal network...
Mail.ru: [v7lk.relap.io] Sending arbitrary emails to any user
Mail sending API endpoint at relap.io was publicly accessible...
Pornhub: Self-XSS to Good-XSS - pornhub.com
The researcher was able to bypass the site-wide clickjacking protection X-Frame-Options header in order to fully automate the exploitation of a self-xss vulnerability, allowing attackers to execute arbitrary javascript payloads on the pornhub domain through iframes hosted on a third-party website...
Nord Security: Blind SSRF on debug.nordvpn.com due to misconfigured sentry instance
Summary: The debug subdomain uses Sentry for application monitoring and error tracking. This software comes with a feature known as source code scraping turned on by default, which makes it possible to make blind GET requests from the server on which it is running. Steps To Reproduce: add detai...
Nextcloud: Talk - Leak of password-protected room name via already existent resource addition
CVSS: Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Description: Affected: Talk / Spreed 6.0.3 The name of shared but password-protected rooms leaks to low-privileged authenticated users. An attacker does not need to guess room IDs, but can simply iterate over IDs to gath...
Starbucks: Reflected cross-site scripting on multiple Starbucks assets.
Nextcloud: Vulnerable W3 Total Cache plugin version in use on nextcloud.com
Hi there, I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable: https://nextcloud.com/wp-content/plugins/w3-total-cache/changelog.txt W3 Total Cache makes the site vulnerable to a series of attacks, includin...
OLX: web cache deception in https://tradus.com lead to name/user_id enumeration and other info
summary Hi OLX team, I found a web cache deception vulnerability in https://tradus.com. With this vulnerability an attacker can gain access to the name of the victim user, the user id and other information. Attack scenario 1 an attacker sends to the victim a link to the malicious page like the PoC...
Node.js third-party modules: environment variable leakage in error reporting
I would like to report the leak of...
Node.js third-party modules: [serve] Path Traversal
I would like to report a path traversal vulnerability in the serve module. It allows an attacker to read system files via a path traversal vulnerability. Module module name: serve version: 10.1.2 npm page: https://www.npmjs.com/package/serve Module Description Assuming you would like to serve a static site...
GitLab: Blocked user Git access through CI/CD token
Summary A blocked user does not have the ability to utilise Git client operations, GitLab UI access or API access. However, a blocked user can still use Git clone/Git pull client commands if they are able to obtain a CI/CD token before being blocked. This allows them to access projects they are...
DuckDuckGo: Partial bypass of #483774 with Blind XXE on https://duckduckgo.com
Summary: Hi DuckDuckGo team, I contacted you previously because, a second time on report 483774, I saw that it was possible to bypass the fix. Anyway, I have not got any response, and because I think that this is a somewhat dangerous issue, I'm opening another report for the bypass. Hope you'll...
QIWI: [QIWI Wallet] Access to protected app components
Hello, I want to report a vulnerability discovered in the class ru.mw.main.Main. Application information: Application: QIWI Wallet Package name: ru.mw Version number: 3.25.0 Version code: 21346 Version currency: Latest Vulnerable class: ru.mw.main.Main Vulnerability: Since the activity ru.mw.Main...
Internet Bug Bounty: Heap-buffer-overflow in Perl__byte_dump_string (utf8.c) could lead to memory leak
With a crafted regex match, I have found a heap overflow in function Perl__byte_dump_string, which would lead to a memory leak. Reported to the Perl security mailing list on 11 Sep 2017. Confirmed as a security flaw by TonyC on 24 Feb 2018. CVE-2018-6797 assigned to this flaw on 7 Feb 2018. Public securit...
Internet Bug Bounty: ZeroMQ libzmq remote code execution
Bug report and exploit: https://github.com/zeromq/libzmq/issues/3351 Fix by me: https://github.com/zeromq/libzmq/pull/3353 My motive for full disclosure is as follows: Is it true that it is not safe to use ZeroMQ over the internet because it will crash? Earlier versions of the ZeroMQ library befo...
Weblate: Stored XSS @ /engage/<project_slug>
Description The vulnerability concerns a Stored XSS, while it is currently to the best of my knowledge not exploitable due to limitations stated below. I thought that the issue is worth reporting anyway. Steps to reproduce 1. Change a project's name or create one to the following payload:...
Razer US: DLL Hijacking Vulnerability in synapse-2
The Synapse 2 installer was subject to a DLL planting attack in the Downloads folder. This was fixed in May of 2019...
Khan Academy: Stored 'undefined' Cross-site Scripting
Hello KhanAcademy Security Team, I'm rootbakar, I found an XSS bug in the 'BIO' field of the profile. I used the XSS payload "/load=promptdocument.domain;"/load= prompt document.cookie; after I save it there appears to be no trigger from the XSS, but when I try to change one of the values in the profile form and...
Upserve : OLO Total price manipulation using negative quantities
Manipulating an order request JSON object, containing an additional item with a negative quantity directly manipulates the total amount of the order. In the following JSON request, an order is submitted for 2 ChickenBurgers $12 each, as well as -1 BreadPuddings $9 each. The total price after tax...
DuckDuckGo: SSRF in proxy.duckduckgo.com via the image_host parameter
Description The https://proxy.duckduckgo.com/iur/ endpoint is vulnerable to SSRF via the image_host GET parameter. Vulnerable URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://tudomanyok.hu/ Some internal URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://127.0.0.1:18091/...
Mail.ru: Clickjacking Vulnerability on https://support.my.com/games/ticket/xxxx/
Hi There, I have found a Clickjacking vulnerability on your site. Steps to reproduce: 1. Go to this site https://support.my.com 2. Generate a Clickjacking script, save it as .html and open it in your browser Script: iframe width: 800px; height: 500px; position: absolute; top: 0; left: 0; filter:...
Mail.ru: Modifying application settings via clickjacking on o2.mail.ru
It was possible to edit application information or delete application via clickjacking on o2.mail.ru...
Open-Xchange: Stored-XSS with user interaction on [sandbox.open-xchange.com] via inserted link in mail
Hello, I would like to report a Stored-XSS on sandbox.open-xchange.com via an inserted link in mail. Steps to Reproduce ---- 1 Login as the first user (User A) and start creating a new mail message 2 Click on the insert link button and paste the following text qwe"-alertdocument.domain-" into Url and Plea...
VK.com: Viewing photos from private/closed groups.
Viewing closed photos. A hard hack for viewing any photos from any groups + the ability to like them and obtain the hash for any user...
Ed: Fix for self-DoS in Security-txt Chrome Extension.
@sp1d3rs found a self-DoS vulnerability in the Security-txt Chrome Extension. He was also kind enough to provide a fix which you can find on GitHub. We merged @sp1d3rs' fix when he submitted a PR. We later decided that it was better to stop using XHR and use Fetch instead, a newer API. This was th...
Brave Software: Homograph Attack Bypass [ Tested on Linux & Windows ]
Summary: In 175286 it has been patched, and I tried it and it works, but I have another way to bypass it. When we add a site to our Homepage with @, it does not validate the URL properly; make sure it displays the punycode. Products affected: Brave 0.18.36 Linux & Windows Steps To Reproduce: 1. In browser add...
Legal Robot: Password reset token issue
Summary Can still change password without token Steps to Reproduce - Request a password reset link. - Go to email and click on the password reset link https://app.legalrobot.com/password-reset/token?v=uWeyFJS0-N9fIk0nG0b0NZ70lkwNNi7RdUZu0KhiaX - Now remove the token and use the link...
GSA Bounty: Email Spoofing - SPF record set to Neutral
Hi, Introduction: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more...
Nextcloud: Password of failed (2FA) login attempt is stored in log
If I try to log in on WebDAV with my usual Nextcloud password, it doesn't work due to 2FA. I need an application password. The password of a failed login attempt by any user is stored in plain text in the log: ...OCA\\DAV\\Connector\\Sabre\\Auth->validateUserPass('matthes', 'THEPASSWORD')... Even...
Nextcloud: Email Spoofing Vulnerability from nextcloud.
Hi nextcloud, Here is Shaifullah Shaon BlackEyE, an ethical hacker, a white hat cyber security researcher from Bangladesh, reporting a serious vulnerability ranked 3rd in the OWASP security list on your system. There is an Email Spoofing Vulnerability from nextcloud. Steps to reproduce: 1 Go to...
RubyGems: Escape sequence injection in "summary" field
Seems we can include any escape sequence in the "summary" field of a gemspec. This allows attackers to inject escape sequences into a victim's terminal emulator. How to attack 1 An attacker creates a gem with a summary string that includes malicious escape sequences, and pushes it to rubygems.org. 2 A...
Nextcloud: information disclose
Hello Team. I reported an issue: disclosure of the SERVER version!! When I intercept this https://demo.nextcloud.com/ request, it discloses the server version Server: Apache/2.4.6 CentOS OpenSSL/1.0.1e-fips As you can see in this pic, or you can intercept the URL using any proxy tool like Burp Suit...
Nextcloud: https://portal.nextcloud.com/.htaccess file is readable
@mksahilisr reported a disclosure of the .htaccess file on https://portal.nextcloud.com. This has been resolved by adding the following to the Apache server configuration: order allow,deny deny from all Since the .htaccess file contained some potential sensitive data this report has only been...
Mail.ru: Reflected XSS on frag.mail.ru
Domain, site, application The "frag.mail.ru" is affected by a reflected XSS vulnerability on the "/user/register/" handler. Testing environment The exploitation of the issue has been tested on the latest version at the time of writing of Firefox: 52.0.1 both 32 and 64 bit on Sierra and Windows 7...
Open-Xchange: RTLO character in file names
DESCRIPTION: Hello, I have noticed that the RTLO (Right-To-Left-Override) character is not filtered from the names of the files saved to Drive, or from the attachment names, thus allowing 2 things: 1. Someone sends a malicious file (html or exe or something else) via email that...