Solana BBP: I don't know the importance and its impact. The affected asset: https://github.com/solana-labs/solana/blob/master/.buildkite/env/secrets.ejson
Summary: add summary of the vulnerability Steps To Reproduce: add details for how we can reproduce the issue 1. I have browsed this source code on GitHub: https://github.com/solana-labs/solana/tree/master/programs 1. I have browsed the files and I found the file which is called...
Acronis: Stored XSS in backup scanning plan name
Dear Acronis Security Team, Summary: There is a possibility of storing an XSS on the https://mc-beta-cloud.acronis.com/ui/ console. Steps To Reproduce: 1. Login to the console with the given account 2. Go to "Backup Scanning" under "PLANS" 3. Click on "Create Plan" 4. Specify the location of the...
Dropbox: User with Sender permission can get Team information
A security researcher was able to leverage a user with a sender role to view all team information by issuing a crafted POST request to portal.helloworks.com/editteam, which disclosed the team's primary contact information, whereas accessing the URL is forbidden based on the sender role. The...
InnoGames: Cache Poisoning via uppercase letters in invalid path
Summary of the issue: A cache poisoning vulnerability appears in the request to innogames.com. The issue arises when the language path parameter from the URL is converted to lowercase on the backend. Then, if a path provided in X-Forwarded-Host does not exist on the server, a 301 response is...
U.S. Dept Of Defense: CVE-2020-3187 - Unauthenticated Arbitrary File Deletion
Summary: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a...
GitLab: Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ...
Summary: Similar bug to 858671, but this time with the annotations mutation: DeleteAnnotation in app/graphql/mutations/metrics/dashboard/annotations/base.rb (ruby: module Mutations, module Metrics, module Dashboard, module Annotations, class Base) " clientMutationId 3. Project disappears along with Repository...
U.S. Dept Of Defense: Read-only path traversal (CVE-2020-3452) at https://█████
Summary: I discovered a read-only path traversal vulnerability (CVE-2020-3452) at https://███████ Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote...
Node.js third-party modules: [supermixer] Prototype pollution
I would like to report a prototype pollution vulnerability in supermixer. It allows an attacker to modify the prototype of a base object, which can vary in severity depending on the implementation. Module: module name: supermixer version: 1.0.3 npm page: https://www.npmjs.com/package/supermixer Module Descriptio...
Visma Public: Information disclosure to "Permission as auditor" user
Inside the same company, the researcher was able to view information that they were not supposed to with the Auditor role associated with the user...
Acronis: Arbitrary Files and Folders Deletion vulnerability with Acronis Managed Machine Service
Vulnerability description not provided...
Dropcontact: IDOR for firstpromoter service
An IDOR has been detected on firstpromoter service...
U.S. Dept Of Defense: Read-only path traversal (CVE-2020-3452) at https://████████
Summary: I discovered a read-only path traversal vulnerability (CVE-2020-3452) at https://████████ Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote...
Acronis: Local Privilege Escalation via DLL Search-Order Hijacking with Cyber Protection Agent - systeminfo.exe utility
Vulnerability description not provided...
Mail.ru: In Samokat it is possible to view the order amount and order number by ID [smart.space]
IDOR in the smart.space API allowed listing the order number and amount without attribution to a user...
U.S. Dept Of Defense: ███ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability
Summary: ████████ is vulnerable to the Read-Only Path Traversal Vulnerability as described at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86 Description: GET request parameters at the /+CSCOT+/translation-table and the /+CSCOT+/oem-customization...
Acronis: TrueImage for Acronis True Image 2020 - Untrusted DLL Search-Ordering lead to Privilege Escalation as Administrative account
Vulnerability description not provided...
Azbuka Vkusa: Open redirect (DOM-based) on av.ru via "return_url" parameter (Login form)
Closed...
Mail.ru: Ability to view comments on other users' support requests [corporate.city-mobil.ru]
IDOR vulnerability in the corporate.city-mobil.ru interface allowed access to the feedback comments of different users...
BugPoC: Users can Change their Own Email Address
BugPoC uses AWS Cognito for authentication and user pool management. @vasi42 noticed that they were able to use the Cognito API, UpdateUserAttributes, to update their own email address. Calling this API without subsequently calling the VerifyUserAttribute API puts your account into an unverified...
Acronis: Cross Origin Resource Sharing Misconfiguration
Description: Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. The CORS mechanism supports secure cross-origin requests and data transfers...
Azbuka Vkusa: Corporate Jira credentials disclosed in public gist
Closed...
HackerOne: Pentester can obtain information about other pentesters who applied for the same test, but weren't accepted
Hi team, I don't know your policy about pentesters and their visibility on the platform, but I couldn't find any other pentesters before. For example: GraphQL has the h1pentester attribute that would explicitly point us to the pentester, but if we make a query, it doesn't reveal the pentester ...
Mail.ru: HTTP request smuggling (?) canpol.deti.mail.ru
HTTP request smuggling in canpol.deti.mail.ru led to the possibility of non-blind SSRF exploitation with access to the server-side API...
New Relic: Adding your account to victim's app via deeplink
In your Android app, there is a feature for passwordless login. It sends an email and if you click the link, it triggers a deeplink in the app for login. I think this feature needs a state control, for example setting loginstatetoken=ABC on the requester device and adding this loginstatetoken to...
New Relic: Sending thousands of notifications with single request
Hello, while testing your mobile API an endpoint caught my attention. This endpoint was: https://api.newrelic.com/api/ios/v3/devices/update.json?operation=register I immediately checked whether the server is validating the integrity of the data or not. After finding out there is no validation, I added around 500...
Rockset: Failure to Invalidate Session after Password Change
Summary: While conducting my research I discovered that the application fails to invalidate sessions after a password change. In this scenario, changing the password doesn't destroy the other sessions that are logged in with the old password. Steps To Reproduce: 1. Login with the same account in Chrome...
Acronis: Self XSS on Acronis Cyber Cloud
Self-XSS was possible in Cyber Protect Console via backup plan name...
Mail.ru: Exposed Confluence and access to the operators' chat in Skype
Confluence exposed to the external network without authentication on city-mobil.ru...
GitHub Security Lab: Java: CWE-798 - Hardcoded AWS credentials
This bug was reported directly to GitHub Security Lab...
Mail.ru: IDOR in zakazaka (order status and reorder)
An IDOR vulnerability in zakazaka allowed obtaining the content of an order without personal details...
Mail.ru: Ability to change the "E-Mail for personal account access" field of another user [corporate.city-mobil.ru]
It was possible to change the e-mail address of a user via corporate.city-mobil.ru. An award for this report was distributed evenly between 956791 and 971422. Report 956791 demonstrated the vector for corporate.city-mobil.ru, and 971422 demonstrated that this vulnerability may have a higher impact besides the...
Avito: link.avito.ru - Bypass of restrictions on external links.
Hello Avito! On the "link.avito.ru" subdomain of "www.avito.ru" an attacker is able to bypass the restriction on dangerous external links via the trusted domain google.com. This scenario may also be possible with all other trusted subdomains of Avito such as "yandex.ru" and so on, but in this example I used...
GitHub Security Lab: Golang: Improvements to Golang SSRF query
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: LDAP injection vulnerability in Java
This bug was reported directly to GitHub Security Lab...
Mail.ru: Stored XSS in address on [corporate.city-mobil.ru]
Stored XSS in address setting functionality on corporate.city-mobil.ru...
Lark Technologies: Reflected XSS and open redirect on larksuite.com using /?back_uri= parameter.
An XSS (Cross-Site Scripting) vulnerability was found in larksuite via the "backuri" parameter, caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. This could result in a JavaScript payload being injected into the vulnerable endpoint and executed in t...
HackerOne: GraphQL: Sorting the reports by jira_status field results in a different value
Summary: Sorting the reports by jirastatus yields a different result, revealing that the team is using Jira even though the user has no access. Description: A user with no access to the Jira information of any reports can somehow access the Jira field using orderby through jirastatus. Using the 2 GraphQL queries below we...
QIWI: HTTP Request Smuggling on api.flocktory.com Leads to XSS on Customer Sites
HTTP Request Smuggling is a technique to desync the sequence in which HTTP requests and responses are processed. This particular vulnerability abuses the CL.TE variant of HTTP Request Smuggling as described in PortSwigger's blog. The domain api.flocktory.com was found to be vulnerable to this atta...
GitLab: GitLab-Runner on Windows `DOCKER_AUTH_CONFIG` container host Command Injection
Summary: GitLab-Runner, when running on Windows with a docker executor, is vulnerable to Command Injection via the DOCKER_AUTH_CONFIG build variable. Injected commands are executed on the container host, not within a Docker container, and as such could compromise all future builds which are executed by...
8x8: Default Creds Spring Boot Admin
An instance hosting Spring Boot Admin was left exposed with default credentials set...
U.S. Dept Of Defense: SQLi on █████████
Researcher discovered a boolean-based SQLi on a Dept. of Defense asset...
BugPoC: DOM based Cross-site Scripting
Summary: The postMessage API is an alternative to JSONP, XHR with CORS headers and other methods enabling sending data between origins. It was introduced with HTML5 and like many other cross-document features it can be a source of client-side vulnerabilities. Steps To Reproduce: Visit -...
Brave Software: Cross-origin resource sharing misconfiguration (CORS)
Hi! In this report I want to describe a high-level bug which can seriously compromise a user account. If I am authorized on this site, I can steal a user's session and some personal information or perform some actions. In my tests, I found the relevant vulnerability using different methods. I detected the COR...
Dropcontact: Host Header Injection.
Someone could change the redirection when logging out from firstpromoter: by tweaking the logout request and using the HTTP X-Forwarded-Host header, someone could redirect the logout toward a bad place...
U.S. Dept Of Defense: Code injection host █████████
Good day, security team. Host █████████ is vulnerable to code injection. POC: The server makes a time delay. POST /cgi-bin/gMapBuild.py HTTP/1.1 Host: ███ Accept: */* Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded...
BugPoC: Solution for XSS challenge calc.buggywebsite.com
Summary: http://calc.buggywebsite.com/ is an Angular site designed as a calculator. After observing the source code, there is an iframe frame.html with functionality for displaying postMessage data in the webpage. js window.addEventListener("message", receiveMessage, false); function...
BugPoC: XSS Challenge #2 Solution
Summary: An attacker can achieve arbitrary JavaScript execution in the context of the user's session on calc.buggywebsite.com. This is possible due to a weak origin check in the message event handler in http://calc.buggywebsite.com/frame.js as well as improper handling of the message data, allowi...
Dropcontact: Unauthorized access and update of EMAIL settings of other users at https://app.dropcontact.io/app/sponsorship/ by changing the "email" parameter.
When changing email settings with firstpromoter, the email of the account was right in the URL, so by changing this parameter, we could change the settings of other users...
Lark Technologies: Stored XSS in Satisfaction Surveys via "Ask Reason for Dissatisfaction" option
A stored XSS (cross-site scripting) vulnerability was found within the Lark satisfaction survey which an attacker could have potentially used to inject malicious JavaScript within the "reason for dissatisfaction" section when selecting a poor rating after a help desk chat is completed. We thank...
Acronis: Subdomain Takeover – www.jet.acronis.com pointing to unclaimed Webflow services
Hi Team, Greetings! I've come across another subdomain, www.jet.acronis.com, of acronis.com pointing to an unclaimed Webflow service. Visiting www.jet.acronis.com returned the default 404 page for the Webflow service, making it a potential subdomain takeover. F940499 Similar to the previou...