U.S. Dept Of Defense: Path traversal on https://███ allows arbitrary file read (CVE-2020-3452)
Summary: According to Cisco: A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targete...
Yelp: JDBC credentials leaked via github
Summary: JDBC credentials found on a public GitHub repo. Whether the repo belongs to Yelp or not is in doubt. I have found much more sensitive data on that repo, so kindly check the repo all together. Sensitive data found publicly. Platforms Affected: website Steps To Reproduce: 1. visit the link...
Acronis: Reflected XSS on cz.acronis.com/dekujeme-za-odber-novinek-produktu-disk-director with ability to creating an admin user in WordPress
Hi team, There is a Reflected XSS on https://cz.acronis.com/dekujeme-za-odber-novinek-produktu-disk-director/ This attack uses the same technique as my other report 901014 for creating an administrator user in WordPress with a new XSS vulnerability in the website. Pre-requisite: User must be logged ...
Mail.ru: Unauthenticated Quartz Panel with Scheduling tasks
Access to the task control panel of a staging/testing host was not restricted and allowed stopping or starting scheduled tasks...
lemlist: Stored XSS at [ https://app.lemlist.com/campaigns/cam_QRS5caF2ca7MJtiLS/leads ] in " LINKEDIN URL" Field.
Summary: Vulnerability : A. Type:- Cross Site Scripting (Stored) B. Description:- Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Summary : When you log in to the...
Node.js third-party modules: [socket.io] Cross-Site Websocket Hijacking
I would like to report Cross-Site Websocket Hijacking in socket.io. It allows an attacker to bypass origin protection using special symbols including "" and "$". Module module name: socket.io version: 2.3.0 npm page: https://www.npmjs.com/package/socket.io Module Description Socket.IO enables real-ti...
Mail.ru: XSS via "gp" cookie reflected in source code
Reflected XSS in mail.ru via cookie value...
8x8: Open Redirect on [blog.wavecell.com]
The Wavecell Blog application was vulnerable to a URL redirect due to a filter that replaced every occurrence of // with /. F915989...
HackerOne: Making the program preference -> program visibility feature useless and disclosing the API identifier in the process, and data that may cause potential IDORs.
@spongebhav identified a vulnerability that let a victim believe their program membership wasn't shown on their profile, when in reality, it was. This could be used to identify system users of a program when the program blocked this...
GitHub Security Lab: Java: CWE-939 - Address improper URL authorization
This bug was reported directly to GitHub Security Lab...
lemlist: Stored XSS in app.lemlist.com
Summary: add summary of the vulnerability Steps To Reproduce: - Go to Company Buddies-to-Be Custom variables - Add malicious code: " onmouseover="confirmdocument.domain" a=" F915718 - Go to Company Messages Blank email - In the WYSIWYG editor select Custom variables - Malicious code executed...
Mail.ru: [performancemarketing.geekbrains.ru] Tilda Subdomain Takeover
Unused subdomain of geekbrains.ru was delegated to tilda.cc and unclaimed...
Nextcloud: Formula Injection vulnerability in CSV export feature
Dear Nextcloud Team – I have identified a formula injection vulnerability 12 in the CSV export feature of the Forms App. I am aware that the Forms app is not part of this bug bounty program but was advised to disclose it via HackerOne anyway. Description. When an Excel/Calc formula is sent as...
GitLab: Ability To Delete User(s) Account Without User Interaction
Summary: GitLab allows its users to exercise their GDPR rights (Right to Access/Delete user data) by sending an email to [email protected]; however, the GitLab team doesn't ask a security question, i.e. Date Of Birth, before deleting the user account, and moreover doesn't authenticate the incoming emails...
Zomato: Ability to manipulate price with a max threshold of `<1 Rupee` in support rider parameter
Hi Team, I have found an issue in the support rider amount calculation at the time of checkout, where the amount is tamperable by a negative fraction of a rupee, which decreases the total amount by a maximum of 1 Rs. POC - 1- Go to zomato.com 2- Add anything to your cart 3- At the checkout page, Add...
Shopify: Ability to publish a paid theme without purchasing it.
Hi, Description I found out that it is possible to publish a paid theme without purchasing it. I remember trying this some time ago and it seemed to be safe from this kind of attack. Steps to reproduce 1. Make sure you have the default theme installed and that it is published. 2. Install any free...
Zomato: The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking.
Summary IP found using the ping command: 52.77.124.190. Then I used the nmap tool to find in-depth information. I used Burp Suite and a DNS scanner but it was not fruitful. Then I explored some GitHub repositories to perform thorough web-application testing. Using Aquatone I found some hidden domains. Th...
Staging.every.org: Race Condition when following a user
Summary: Hi team, There is a race condition vulnerability when following a user. If you send the Follow requests asynchronously, you can follow a user multiple times instead of getting an error message. I've been using the Turbo Intruder extension in Burp Suite for trying Race Condition attacks. I can...
LY Corporation: LINE Profile ID leaks in OpenChat
Users can participate in OpenChat using a new OpenChat profile that is distinct from the LINE profile. However, when the victim attaches an image to a post in OpenChat's Note, the ID of the LINE Profile was stored together with it in the image's metadata. From this information, it is possible to determine th...
curl: curl overwrites local file with -J option if file non-readable, but file writable.
Summary: When using the -J -O options on the curl command line tool and a server responds with a Content-Disposition header that provides a filename, an existing local file will be overwritten if the file is non-readable by the current user but writable by the current user. Curl contai...
Mail.ru: Bypass OTP on contact back request at https://driver.city-mobil.ru/
It was possible to bypass phone verification for support call back request...
Hyperledger: Vulnerability in Private Data Endorsement Policy Management in Hyperledger Fabric 2.0
To whom it may concern, We are a research group conducting research on Hyperledger Fabric. We found a design flaw in the endorsement policy of Private Data related transactions in Hyperledger Fabric 2.0. When private data adopts a default chaincode-level MAJORITY endorsement policy, the...
BugPoC: Improper use of "path" parameter can be used to trick testers into leaking their Front-End PoC
Summary: In https://bugpoc.com/testers/front-end, the populateFromFragment function incorrectly assigns hash parameter path to the subdomain element, allowing the "Test" functionality of the Front-End PoC Generator to open a popup on any domain instead of the expected web.bugpoc.ninja. It can be...
Valve: Shell command injection in https://partner.steamgames.com/bundles/savestore/ via overwriting asset_path_identifier
Shell command injection in https://partner.steamgames.com/bundles/savestore/ via overwriting assetpathidentifier. Insufficient validation of parameters allowed injecting shell metacharacters into values used to construct a Bash command...
Weblate: Secret_key in GitHub
Hello, I have found that the secret key in GitHub is public, and noticed something: this key has the comment "Make this unique, and don't share it with anybody." and it's public in GitHub. I also noticed this file has code to do the payment.db. I think information like this must be private. SECRETKEY =...
Nord Security: Getting SmartDNS for free from - join.nordvpn.com
The reporter identified an issue within our backend system which performs validation of the active services. There was a misconfiguration related to caching and time period calculation. This led to the SmartDNS service being active for a longer period of time than it should have been, compared with...
PayPal: RCE via npm misconfig -- installing internal libraries from the public registry
A Bug Bounty researcher identified an issue where certain development projects defaulted to the public NPM registry, instead of using the intended internal packages. Since the packages on the public registry did not exist, the researcher created these and observed they were downloaded. Had these...
Bitwarden: Blind HTTP GET SSRF via website icon fetch (bypass of pull#812)
After a credential has been added to vault.bitwarden.com or any self-hosted installation, if the settings allow website icons to be fetched https://bitwarden.com/help/article/website-icons/, the Bitwarden server will try to fetch the icon image. The relevant source code is...
MTN Group: [play.mtn.co.za] Application level DoS via xmlrpc.php
Description WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DoS/SSRF. The website play.mtn.co.za has the xmlrpc.php file enabled and could thus potentially be used for such an attack against other victim hosts. hackeron...
OWOX, Inc.: Unrestricted File Upload in Chat Window
Summary: The application allows the attacker to upload dangerous file types that can be automatically processed within the product's environment. Steps To Reproduce: - Open the browser and navigate to https://bi.owox.com and sign in. - Open the Chat window. - Upload any .rb or .php file. - Click ...
MTN Group: CVE-2018-6389 exploitation - using scripts loader
Issue Description Unauthenticated attackers can cause a denial of service resource consumption by using the large list of registered .js files from wp-includes/script-loader.php to construct a series of requests to load every file many times. The vulnerability is registered as CVE-2018-6389 76172...
Node.js third-party modules: [systeminformation] Command Injection via insecure command formatting
I would like to report a Command Injection vulnerability in the systeminformation package. It allows an attacker to inject arbitrary OS commands. Module Module name: systeminformation Version: 4.26.10 npm page: https://www.npmjs.com/package/systeminformation Module Description System and OS...
MTN Group: blind sql on [selfcare.mtn.com.af]
Summary: add summary of the vulnerability Steps To Reproduce: add details for how we can reproduce the issue get cid = sql SQL query - SELECT user FROM dual CONAPPMTNA HTTP Request GET /selfcare/HomePageDisplay?cid=26%20AND%20321=6%20AND%20498=498&location=MTNA HTTP/1.1 X-Requested-With:...
LY Corporation: CORS misconfiguration leads to users information disclosure at https://studyroom.line.me
Due to the CORS (Cross-Origin Resource Sharing) misconfiguration in the StudyRoom API server, the SOP (Same Origin Policy) can be bypassed, and the API that retrieves one's profile information was returning more personal information than necessary. Combining the issues allows an attacker to obtain user...
Mail.ru: Access to information about any video and its owner via GraphQL endpoint [dictor.mail.ru]
An IDOR vulnerability in dictor.mail.ru allowed obtaining arbitrary video information via a direct GraphQL query...
MTN Group: SQL injection [futexpert.mtngbissau.com]
Summary: add summary of the vulnerability Steps To Reproduce: add details for how we can reproduce the issue 1. Poc Request POST /signin/ HTTP/1.1 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: https://futexpert.mtngbissau.com/ Cookie:...
MTN Group: xss on [developers.mtn.com]
xss on history.pushState('', '', '/') F908897 Impact POC F908895 F908896...
U.S. Dept Of Defense: Reflected XSS in https://www.██████/
Hello Security Team, I would like to report the XSS vulnerability on your system. The i= parameter is not escaped properly for URL encoded values. Steps To Reproduce: Visit the following POC link:...
Acronis: Acronis Sync Agent Service - Untrusted DLL Search-Ordering lead to Privilege Escalation
Vulnerability description not provided...
U.S. Dept Of Defense: Exposed Docker Registry at https://████
Summary: The docker registry at https://██████ has no authentication in place and is therefore exposed to the public. This leads to full disclosure of all available docker containers, the possibility to upload docker container and manipulate and delete existing docker containers. Description: Fro...
Mail.ru: Path traversal on bank.mail.ru (CVE-2013-3827)
Defects in Oracle’s JSF2 implementation allowed limited path traversal in tbank.mail.ru...
Nintendo: Arbitrary code execution in TSEC Heavy Secure, return-oriented programming in TSEC Secure ROM, and recovery of TSEC-derived cryptographic secrets
The vulnerability in TSEC Heavy Secure allowed for arbitrary code execution. A return-oriented programming vulnerability was discovered in the TSEC Secure ROM. Cryptographic secrets derived from TSEC were recovered...
Acronis: Local File Disclosure /Delete On [us-az-vpn.acronis.com]
Cisco ASA VPN server hosted on https://us-az-vpn.acronis.com was found to be using an outdated version that suffers from a Local File Disclosure /Delete vulnerability. Through this vulnerability an unauthenticated remote attacker can read and delete the contents of any file stored on the VPN serv...
Nextcloud: PIN for passwordless WebAuthn is asked for but not verified
Nextcloud introduced WebAuthn passwordless authentication with version 19. As far as we understand, you assume that your implementation provides two-factor authentication: "The server asking for authentication can request verification of multiple factors, so that a configured key requires the user...
Rocket.Chat: Insecure use of shell.openExternal() in Rocket.Chat Desktop App leading to RCE
Summary: The Rocket.Chat Desktop app passes the links users click on to Electron's shell.openExternal function which can lead to remote code execution. Description: The filtering on the URLs passed to shell.openExternal is insufficient. An attacker can craft and send a link that when clicked will...
U.S. Dept Of Defense: Blind Stored XSS on the internal host - █████████████
The vulnerability was a blind stored XSS on an internal host. The payload was triggered from the endpoint https://███████████████/NSSI/controlcenterV2/index.htm?directlink&courses/classes/findstudent&&&&&&&& and was found in the Referer header. The vulnerable URL was not accessible from outside t...
U.S. Dept Of Defense: RXSS - ████
Hello friends, today when I was checking some sites I found this bug on your own website. Details XSS (Cross-Site Scripting): XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web...
Mail.ru: IDOR of contracts on dictor.mail.ru
API endpoint at dictor.mail.ru disclosed e-mails of registered users...
Phabricator: Edit Policy restriction does not prevent comments.
Change the edit policy of a Maniphest Task - Attempt to comment on the task with a user who doesn't have access Impact Given that a few users I spoke to believe restricting the edit policy blocks comments, this allows an underprivileged user to gain access to carry out a restricted action. Mongoos...
lemlist: stored xss via Campaign Name.
Summary: Hi, I found a stored xss on https://app.lemlist.com Steps To Reproduce: 1. go to https://app.lemlist.com/. 2. create or edit campaigns. 3. set the payload / in the Campaign Name. 4. visit the Buddies-to-Be tab. 5. click Add one at the top right, or click on one of the list of Contacts 6. you...