Ruby: Potential HTTP Request Smuggling in ruby webrick
The function readbody in the file /lib/webrick/httprequest.rb uses the expression /chunked/io to decide whether or not the transfer-encoding is chunked. That is not rigorous. When using webrick as an HTTP server, an attacker may use a Transfer-Encoding: AAAchunkedBBB header to fake a legal header, which can make an HTTP Request...
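The loose check described in the report, placed beside a strict parse, as an added example written for this page (it is not WEBrick's own code and not the reporter's). `loose_chunked?` reproduces the /chunked/io test; `classify_transfer_encoding` and `request_body_framing` are hypothetical names for the handling a server should apply under RFC 7230 section 3.3.3, where the request is rejected unless "chunked" is the final transfer-coding and is not combined with Content-Length.

```ruby
# Transfer codings a server is expected to understand (assumed list for this example).
RECOGNISED_CODINGS = %w[chunked gzip x-gzip deflate compress x-compress].freeze

# The loose test: matches "chunked" anywhere in the value, so "AAAchunkedBBB",
# "notchunked" and "x-chunked-y" are all treated as chunked framing.
def loose_chunked?(value)
  !!(/chunked/io =~ value.to_s)
end

# Strict parse of a Transfer-Encoding value. Returns :none (header absent or
# empty), :chunked (chunked is the single, final coding) or :reject (the
# request should get a 400 and the connection should be closed).
def classify_transfer_encoding(value)
  return :none if value.nil? || value.strip.empty?
  codings = value.split(",", -1).map { |c| c.strip.downcase }
  return :reject if codings.any?(&:empty?)                          # "chunked," or ",chunked"
  return :reject unless codings.all? { |c| RECOGNISED_CODINGS.include?(c) } # unknown/garbled token
  return :reject if codings.count("chunked") != 1                   # absent or applied twice
  codings.last == "chunked" ? :chunked : :reject                     # chunked must be final
end

# Decide how the request body is framed from lower-cased header names.
# Transfer-Encoding together with Content-Length is the classic smuggling
# ambiguity (CL.TE / TE.CL), so it is rejected outright rather than guessed at.
def request_body_framing(headers)
  te_state = classify_transfer_encoding(headers["transfer-encoding"])
  cl = headers["content-length"]
  return :reject if te_state == :reject
  return(cl.nil? ? :chunked : :reject) if te_state == :chunked
  return :none if cl.nil?
  cl.strip.match?(/\A\d+\z/) ? :content_length : :reject
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header values, not captured traffic.
  ["chunked", "AAAchunkedBBB", "gzip, chunked", "chunked, gzip"].each do |v|
    puts "#{v.inspect}: loose=#{loose_chunked?(v)} strict=#{classify_transfer_encoding(v)}"
  end
end
```

The two checks disagree exactly on the values an attacker would send: the regexp accepts "AAAchunkedBBB", the strict parse rejects it, and a front-end proxy that applies the strict rule while the back end applies the loose one (or the reverse) is what turns the discrepancy into request smuggling.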
Yelp: Clickjacking leads to review removal
Steps To Reproduce: 1. Open iframe F960017. 2. You can remove reviews from this iframe. Impact: Clickjacking leads to removing reviews...
Mail.ru: Access to git and configuration files on backtoschool.geekbrains.ru via gitfile
Leaking sensitive application data in configuration files at backtoschool.geekbrains.ru...
Internet Bug Bounty: CVE-2017-13041 The ICMPv6 parser in tcpdump before 4.9.2 has a buffer over-read in print-icmp6.c:icmp6_nodeinfo_print().
Description: Versions of tcpdump before 4.9.2 are vulnerable to a buffer over-read in print-icmp6.c. This vulnerability was disclosed to the tcpdump maintainers and was recently patched in version 4.9.2 and disclosed as CVE-2017-13041. Patch:...
Internet Bug Bounty: CVE-2017-13040 The MPTCP parser in tcpdump before 4.9.2 has a buffer over-read in print-mptcp.c, several functions.
Description: Versions of tcpdump before 4.9.2 are vulnerable to a buffer over-read in print-mptcp.c. This vulnerability was disclosed to the tcpdump maintainers and was recently patched in version 4.9.2 and disclosed as CVE-2017-13040. Patch:...
Shopify: Stored XSS via Avatar PNG [HTML] File Upload in accounts.shopify.com
Hello team, I found an unrestricted file upload via the avatar at https://accounts.shopify.com/accounts/, and stored XSS in PNG IDAT chunks using exiftool. exiftool command: exiftool -Comment=""alertprompt'XSS BY ZEROX4'" xsscommentexifmetadatadoublequote.png Payload example: �PNG �...
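How a metadata payload of the kind the report describes sits inside a PNG, and the check a server can run on an upload, as an added example written for this page (not Shopify's code and not the reporter's payload). The PNG builder, the chunk walker and the `strip_ancillary_chunks` re-serialiser are all hypothetical helpers; the 1x1 image and the comment text are constructed sample input.

```ruby
require "zlib"

PNG_SIG = "\x89PNG\r\n\x1a\n".b

# Serialise one chunk: length, type, data, CRC-32 over type+data.
def png_chunk(type, data)
  body = type.b + data.b
  [data.bytesize].pack("N") + body + [Zlib.crc32(body)].pack("N")
end

# Constructed sample: a 1x1 8-bit grayscale PNG carrying a tEXt "Comment" chunk,
# which is where a tool such as exiftool -Comment= stores its text.
def build_png_with_comment(comment)
  ihdr = [1, 1, 8, 0, 0, 0, 0].pack("NNCCCCC")   # width, height, depth, colour, compression, filter, interlace
  idat = Zlib::Deflate.deflate("\x00\x00".b)      # one scanline: filter byte + one pixel
  PNG_SIG + png_chunk("IHDR", ihdr) + png_chunk("tEXt", "Comment\x00#{comment}") +
    png_chunk("IDAT", idat) + png_chunk("IEND", "")
end

# Walk the chunk list, yielding [type, data]; raises on bad signature, truncation or CRC.
def each_png_chunk(bytes)
  raise ArgumentError, "not a PNG" unless bytes.byteslice(0, 8) == PNG_SIG
  pos = 8
  while pos < bytes.bytesize
    header = bytes.byteslice(pos, 8)
    raise ArgumentError, "truncated chunk header" if header.nil? || header.bytesize < 8
    len = header.unpack1("N")
    type = header.byteslice(4, 4)
    data = bytes.byteslice(pos + 8, len)
    crc = bytes.byteslice(pos + 8 + len, 4)
    raise ArgumentError, "truncated chunk #{type}" if data.nil? || data.bytesize != len || crc.nil? || crc.bytesize != 4
    raise ArgumentError, "bad CRC in #{type}" unless crc.unpack1("N") == Zlib.crc32(type + data)
    yield type, data
    pos += 12 + len
    break if type == "IEND"
  end
end

# Raw payloads of every textual metadata chunk (tEXt, zTXt, iTXt).
def png_text_chunks(bytes)
  out = []
  each_png_chunk(bytes) { |type, data| out << data if %w[tEXt zTXt iTXt].include?(type) }
  out
end

# Heuristic flag: does any text chunk carry HTML/JS-looking markup?
def suspicious_markup?(bytes)
  png_text_chunks(bytes).any? { |t| t.match?(/<\s*(script|img|svg|iframe)|on\w+\s*=/i) }
end

# Re-serialise keeping only critical chunks (bit 5 of the first type byte clear),
# which drops tEXt/iTXt/zTXt, eXIf and any other ancillary data an uploader controls.
def strip_ancillary_chunks(bytes)
  out = PNG_SIG.dup
  each_png_chunk(bytes) do |type, data|
    out << png_chunk(type, data) if (type.getbyte(0) & 0x20).zero?
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  png = build_png_with_comment('"><script>alert(1)</script>')
  puts "suspicious before strip: #{suspicious_markup?(png)}"
  puts "suspicious after strip:  #{suspicious_markup?(strip_ancillary_chunks(png))}"
end
```

Stripping metadata removes the payload from the file, but the markup only ever executes if the bytes are served where a browser will render them as HTML; serving uploads with a fixed image Content-Type, `X-Content-Type-Options: nosniff` and a Content-Disposition of attachment addresses the other half.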
TikTok: Bypass SMS verification to delete TikTok account
Improper authorization could potentially allow an attacker to bypass SMS verification and delete a TikTok account. This attack would first require the account to be compromised. A fix has been implemented to resolve this issue. We thank @luizviana for reporting this to our team and confirming the...
Kartpay: Admin/Info leakage
The administrator system was open to the public and could be misused by anyone, so to avoid this a security control has been implemented that allows access from a limited set of IP addresses only...
Mail.ru: Stored XSS
Stored XSS in comment functionality on profile.my.games and community.my.games...
Azbuka Vkusa: IDOR - Other user's delivery address disclosed
Closed...
Dropcontact: Information Disclosure through DEBUG at Subscription [https://app.dropcontact.io/app/subscription?connector=salesforce](CRITICAL)
We were displaying some system information in case of the app crashing...
GitHub Security Lab: [javascript] CWE-117: CodeQL query to detect Log Injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: CWE-522 Insecure basic authentication
This bug was reported directly to GitHub Security Lab...
Dropcontact: Django should not have debug mode enabled
We were displaying sensitive information...
Endless Group: XSS on https://fax.pbx.itsendless.org/ (CVE-2017-18024)
Summary: Hello Endless Hosting, I found an XSS on https://fax.pbx.itsendless.org/. This domain is running AvantFax software 3.3.6. However, the exploit of CVE-2017-18024 for version 3.3.3 works on that version. Here is the exploit code of CVE-2017-18024: history.pushState'', '', '/'...
Basecamp: Premium Email Address Check Bypass - Hey
Hello, I reported a bug to [email protected] a couple of weeks ago, not realizing that I was a member of the private bug bounty program. It was fixed quickly (less than 1 hour), which was awesome to see. Given that this was reported through a separate channel, and it is for Hey, I'm not even sure it woul...
Dropcontact: Registering with email [ +70 Chars ] leads to disclosure of some information [Django Debug Mode]
We were displaying / leaking system information in case of an app crash...
Dropcontact: User registration using public domain email like gmail in place of professional email.
As said in the title, we were only checking and restricting professional emails in the frontend, which led to being able to register with an email that is not professional because we were not checking this in the backend. A user was able to register with a public-domain email like gmail by response...
Dropcontact: Django DEBUG mode enabled and leaked system information.
We were leaking / showing system information. Django DEBUG mode was enabled and showed some information on some errors. I just followed the errors and finally got some sensitive system information such as configuration, API keys, database users, system directories, etc...
Acronis: mysql credentials exposed on - https://cz.acronis.com/docker-compose.yml
Hi, there are some MySQL credentials exposed at https://cz.acronis.com/docker-compose.yml. It is not that you are going to avoid a compromise with that user/password pair, but just in case you don't want to make it even easier by publishing the credentials to the wild x Impact: MySQL credentials exposed...
Yelp: Email flooding using user invitation feature in biz.yelp.com due to lack of rate limiting
Summary: Hello everyone, the feature to invite users to manage your business has no rate limiting or captcha implemented. Therefore, a malicious user can use this to mail-bomb any email inbox with invitation requests. Platforms Affected: biz.yelp.com Steps To Reproduce: This is a pretty straigh...
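The control the report says is missing, as an added example written for this page (not Yelp's code): a sliding-window limiter that caps invitations both per inviter and per target address, since a mail bomb is measured at the victim's inbox, not at the sender. `InviteRateLimiter` is a hypothetical class; the limits, the monotonic timestamps passed in by the caller and the sample invitations are constructed for the illustration.

```ruby
class InviteRateLimiter
  # per_inviter: max invitations one account may send per window
  # per_target:  max invitations one recipient address may receive per window, from anyone
  def initialize(per_inviter:, per_target:, window_seconds:)
    @per_inviter = per_inviter
    @per_target = per_target
    @window = window_seconds
    @events = Hash.new { |h, k| h[k] = [] }   # key => timestamps of allowed invitations
  end

  # Returns true and records the invitation when both caps allow it; false otherwise.
  # `now` is a monotonic clock reading supplied by the caller so the logic is testable.
  def allow?(inviter_id, target_email, now)
    inviter_key = [:inviter, inviter_id]
    target_key = [:target, normalise(target_email)]
    prune(inviter_key, now)
    prune(target_key, now)
    return false if @events[inviter_key].size >= @per_inviter
    return false if @events[target_key].size >= @per_target
    @events[inviter_key] << now
    @events[target_key] << now
    true
  end

  private

  # Drop timestamps that have fallen out of the window.
  def prune(key, now)
    @events[key].reject! { |t| t <= now - @window }
  end

  # Fold case and drop a plus-tag so victim+1@ and victim+2@ share one bucket.
  # Deliberately conservative: over-grouping only makes the limiter stricter.
  def normalise(email)
    local, domain = email.strip.downcase.split("@", 2)
    "#{local.split('+', 2).first}@#{domain}"
  end
end

if __FILE__ == $PROGRAM_NAME
  limiter = InviteRateLimiter.new(per_inviter: 3, per_target: 2, window_seconds: 60)
  5.times { |i| puts "attempt #{i}: #{limiter.allow?('biz-1', "victim+#{i}@example.com", i)}" }
end
```

In production the per-key timestamp lists would live in a shared store with expiry (Redis sorted sets are the usual choice) rather than in process memory, and the target cap would be enforced even when the inviter is a different account, which is the case the per-inviter cap alone does not cover.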
Dropcontact: Sensitive Information Disclosure
We were displaying sensitive information. While testing the site I was able to disclose sensitive information such as usernames, passwords, API keys, etc. due to DEBUG = True. This bug arose due to the default configuration at the backend. Now the bug is fixed. Thanks to the team for the quick fix!...
Dropcontact: Dropcontact's disclosed report is exposing Private/Confidential information
Some other report was disclosed in full with confidential information!...
Dropcontact: Django debug enabled showing information about system, database, configuration files.
We were displaying sensitive information...
Azbuka Vkusa: Unauthorized access to choice.av.ru control panel
Closed...
Brave Software: Arbitrary file download via "Save .torrent file" option can lead to Client RCE and XSS
Summary: An attacker can use the "Save .torrent file" option in WebTorrent to smuggle malicious files onto the client's machine. Description: Brave allows users to download a ".torrent" via WebTorrent. WebTorrent decides whether a file is a torrent or not based on the following headers...
Acronis: Local Privilege Escalation via DLL Search-Order Hijacking with Cyber Protection Agent - tibxread.exe utility
Vulnerability description not provided...
Dropcontact: No Valid SPF Records
Hi, there is an issue: no valid SPF records. Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing...
U.S. Dept Of Defense: Read-only path traversal (CVE-2020-3452) at https://██████.mil
Summary: I discovered a read-only path traversal vulnerability (CVE-2020-3452) at https://██████████.mil Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remot...
Rocket.Chat: Session Hijack via Self-XSS
Summary: It's possible to hijack a session by tricking the user into performing a Self-XSS on the drag-and-drop functionality in the chat. Description: Self-XSS is an underrated vulnerability that can have a harmful impact on the users of the application, like here, where after we get access to the user's...
Shopify: Stocky App Administrator can create a backdoor admin account by using an existing POS User
Details: The Stocky App has POS Users that are created once a POS staff member logs in to the application from the Point Of Sale application on a mobile device. From the user management page located at https://stocky.shopifyapps.com/users there's no visible way to edit those POS users. Although,...
Acronis: SQL Injection in agent-manager
1.https://mc-beta-cloud.acronis.com/api/agentmanager/v2/unitconfigurations?name=update-schedule&nodata=false&tenantid=1590228&unit=atp-agent%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2C%28select+database%28%29%29%29%29and%27...
Mail.ru: CVE-2016-6415 on api-staging.plazius.ru [46.148.201.218]
Unpatched CVE-2016-6415 vulnerability could potentially lead to information disclosure on the host in plazius.ru infrastructure...
Solana BBP: Heap memory can be accessible through metrics.solana.com
Summary: Heap memory can be accessed due to a misconfiguration in one of the sub-domains. While doing recon I ended up downloading a heap memory file. Steps To Reproduce: 1. Open https://metrics.solana.com:8086/debug/pprof/heap 2. Now you can see heap memory accessible through it. Supporting...
Solana BBP: Buffer can be readable through Debug on metrics.solana.com
Summary: Buffer memory can be read due to debug mode being enabled in one of the sub-domains. Steps To Reproduce: 1. Open https://metrics.solana.com:8086/debug/pprof/goroutine?debug=1 2. Here you can also brute force the endpoint. Supporting Material/References: F955888 Impact: Buffer over-reads can...
U.S. Dept Of Defense: Elmah.axd is publicly accessible and leaking Error Log for ROOT on █████_PRD_WEB1 █████████elmah.axd
Description: Hello Security team, hope you are doing well. I found out that elmah.axd is publicly accessible on ████████ and is leaking error logs which contain cookies, server code, etc. Step-by-step Reproduction Instructions: 1. Go to ██████elmah.axd and you will see the error logs. 2. Same...
Hyperledger: The “payload” Field of Transactions in a Block Reveals the Private Data to All Peers
To whom it may concern, We are a research group conducting research on Hyperledger Fabric 2.0. We found a design flaw in the "payload" field of transactions, which can reveal the Private Data to all peers in one channel. When a client invokes a function to read the private data, the is stored i...
GitLab: Revoked User can still view the Merge Request created by him via API
Summary: In GitLab, when a user is demoted to the Guest role, the Guest user will not be able to view and edit the merge requests in a project, even if the merge request was created by them. But this check is not implemented in the API, so the Guest user will be able to perform the following actions for the merge...
GitLab: Unauthorized user is able to access schedule pipeline variables and values
Summary: The feature allows adding or overwriting variables that are passed to jobs in order to modify the behavior just for that specific instance. As per this https://gitlab.com/gitlab-org/gitlab-foss/-/issues/32568note32531510, the current security model is: if you are the owner of the schedule as...
Dropcontact: API key is not validated for CRM integration [Pipedrive] of LOGGED-IN USER; a user can use another user's API key for this operation.
We didn't verify the API key when a new user was using their Pipedrive free trial, so someone could take a key of another Pipedrive that doesn't belong to them and start their free trial on this API key, or launch a free trial on a Pipedrive already connected to Pipedrive...
U.S. Dept Of Defense: Remote Code Execution on █████████
Summary: An unauthenticated Solr instance leads to RCE on ██████████ Description: Hello, I found an unauthenticated Solr at https://██████/solr/ . This version is 5.5.1, vulnerable to CVE-2019-0192 and CVE-2019-0193; I tried CVE-2019-0193 and got successful RCE. Impact: Attacker can get a shell on the server. Step-by-step Reproducti...
Nextcloud: Denial of Service when entering an Array as email in settings
In settings https://demo2.nextcloud.com/index.php/settings/users/TweLbFT93aqRnEfF/settings, when you submit the request with the email value Array, the server returns 500 Internal Server Error. PoC video: F954435 Impact: denial of service attack on the server. This may lead to the website becoming slow or...
Shopify: Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020)
Hi, Description: I have found a way to bypass the password page of a Shopify preview URL for new development stores created as of August 17, 2020. Currently, with older development stores, when we share a preview URL with someone, we are able to see the content of the store without having to enter ...
HackerOne: Recently added 'Country' field doesn't send email notification when changed
Summary: Hi team, this is a small bug report. Actually I think there is no important security issue, but I wanted to report it ¯\ツ/¯ If you change your 'Country' information in account settings, HackerOne doesn't send the "Your profile was recently changed" email. Description: There is an email...
Acronis: CSRF and XSS on www.acronis.com
Vulnerability description not provided...
X (Formerly Twitter): Twitter Media Studio Source Information Disclosure With Analyst Role
== Steps == 1. With account "A" go to "https://studio.twitter.com/accountmanagement/youraccountnumberhere/accountusers" and add account "B" as analyst. 2. Now, with account "B" go to "https://studio.twitter.com/" and switch to account "A". Then go to "https://studio.twitter.com/producer" and you...
Mail.ru: Bitbucket public repo leaking credentials from the 1C Enterprise system used by Samokat
Application configuration data related to the Samokat project was leaked on github.com...
Acronis: XSS in (Support Requests) : User Cases
Stored XSS was possible on https://www.acronis.com/en-us/my/cases/index.html via support case sent to https://support.acronis.com...
Solana BBP: I don't know the importance and its impact. The affected asset: https://github.com/solana-labs/solana/blob/master/.buildkite/env/secrets.ejson
Summary: add summary of the vulnerability Steps To Reproduce: add details for how we can reproduce the issue 1. I browsed this source code on GitHub: https://github.com/solana-labs/solana/tree/master/sdk 2. I browsed the files and found the file called buildkite/env/secrets.ejson...
Solana BBP: Sensitive data leaks [username, password, keys]
Summary: Hello team, this bug shows some critical assets like secret usernames, passwords, keys, etc. publicly on GitHub. Steps To Reproduce: Please visit the URL below 1. https://github.com/solana-labs/solana/blob/e310bad7ab09a4a5bd23314983bffa1707506230/.buildkite/env/secrets.ejson 2...