
15267 matches found

Hacker One
added 2020/07/14 2:28 p.m., 12 views

Nintendo: [3DS][StreetPass] Heap Overflow in Swapnote parser leads to userland StreetPass RCE

Affected Systems - System: Nintendo 3DS - Version: = 11.13 - Region: ALL Description When parsing TLRF chunks in message files the application calls memcpy using user provided sizes to copy controlled data over a fixed-size buffer. Thus one can overflow heap chunks which is enough to get code...

2.6 AI score
Exploits: 0
Hacker One
added 2020/07/14 9:47 a.m., 28 views

Dropbox: Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure

The report details a Server Side Request Forgery vulnerability that was present in the document upload through integrations feature in the HelloSign application. The vulnerability was caused by an unvalidated external file upload through our various integration partners. The attacker...

0.9 AI score
Exploits: 0
Hacker One
added 2020/07/14 3:43 a.m., 12 views

Acronis: Administrative access to development deployment of web service due to auto-filled credentials

It was possible to gain administrative permissions on https://admin.acronis.host due to auto-filled credentials. The service was used for development purposes only and did not contain any sensitive data or data of real users. Summary: I discovered an Acronis admin panel which auto-filled...

0.4 AI score
Exploits: 0
Hacker One
added 2020/07/14 3:36 a.m., 17 views

Acronis: SQL injection on admin.acronis.host development web service

Summary: I found an Acronis domain and started hunting on it. During my hunting, I found an admin panel and was able to access this panel separate report inbound. It was easy to gain access to this panel, and I was not sure if it was for testing purposes or a genuine admin panel. I played around...

8.5 AI score
Exploits: 0
Hacker One
added 2020/07/13 2:57 p.m., 65 views

Node.js: HTTP Request Smuggling due to CR-to-Hyphen conversion

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: add summary of the vulnerabili...

5.8 CVSS, 7.6 AI score, 0.00632 EPSS
Exploits: 0
Hacker One
added 2020/07/13 2:13 p.m., 135 views

8x8: SQL injection (stacked queries) in the export to Excel functionality on Vidyo Server

An abandoned Vidyo server was found to be vulnerable to SQL injection and exposing access to the associated local database. The Vidyo server was retired...

3.5 AI score
Exploits: 0
Hacker One
added 2020/07/13 2:05 p.m., 34 views

Mail.ru: Account takeover in cups.mail.ru using punycode characters

A logical bug in database collation usage for string comparison during the access recovery process allowed account takeover in cups.mail.ru by registering colliding Unicode domain...

5.2 AI score
Exploits: 0
Hacker One
added 2020/07/13 12:23 p.m., 36 views

Mail.ru: Subdomain takeover at msproject.geekbrains.ru

Unused subdomain of geekbrains.ru was delegated to tilda.cc and not claimed...

1.6 AI score
Exploits: 0
Hacker One
added 2020/07/13 12:09 p.m., 13 views

U.S. Dept Of Defense: DOM XSS on https://www.███████

Description DOM XSS can be achieved due to missing sanitation when setting the source of an iframe. POC 1. Visit https://www.████frame.htmljavascript:alertdocument.domain 2. View alert Vulnerable Code javascript function Load str=document.location.hash,idx=str.indexOf'' ifidx=0 str=str.substr1;...

1 AI score
Exploits: 0
Hacker One
added 2020/07/13 11:14 a.m., 47 views

Nextcloud: No rate limiting on signup page

Hi Team, Summary: As a best practice a login page should have rate limiting. Below is the captured request of the respective login page of nextcloud.com -------------------------------------------------------------------------------------------------------------------- POST...

5 CVSS, 0.5 AI score, 0.00451 EPSS
Exploits: 1
Hacker One
added 2020/07/13 10:47 a.m., 26 views

GitLab: Ability to bypass email verification for OAuth grants results in accounts takeovers on 3rd parties

Summary There's a limitation that requires a validated email before going through the OAuth flow, however this is bypassable. Bypassing this means the target site assumes your email is validated, and actually ends up signing you in with a non-validated email. This behavior can frequently lead to...

0.1 AI score
Exploits: 0
Hacker One
added 2020/07/13 10:28 a.m., 68 views

Mail.ru: [https://youdrive.today/] Nginx directory traversal

Invalid nginx configuration allowed limited path traversal in youdrive.today and leaked sensitive application data in configuration files. Nginx directory traversal via misconfigured alias leads to disclosing all the configuration. Exploit: https:///static../config.js...

2.4 AI score
Exploits: 0
Hacker One
added 2020/07/13 9:30 a.m., 22 views

Mail.ru: SMS Brute Force Possibility via https://youdrive.today/login/web/code can lead to Account Takeover

Authentication procedure was not sufficiently protected against bruteforce and allowed arbitrary youdrive.today account takeover...

3.5 AI score
Exploits: 0
Hacker One
added 2020/07/13 2:18 a.m., 66 views

Snapchat: Improper Authentication - any user can login as other user with otp/logout & otp/login

'/scauth/otp/droid/logout' request contains a userid parameter. Usually it is equal to the current user's userid, but if an attacker passes the userid of the victim account he can login as the victim. I will demonstrate the problem on two accounts. Victim: ███ Attacker: ██████████ - Attacker performs a usual login t...

0.2 AI score
Exploits: 0
Hacker One
added 2020/07/12 10:16 p.m., 22 views

Nextcloud: Improper access control to messages of Social app

The Social App https://apps.nextcloud.com/apps/social lacks access controls in the displayPost function /@username/token allowing an unauthenticated user to view any message content by knowing or guessing the message ID. The vulnerable code is at...

5 CVSS, 1.4 AI score, 0.00206 EPSS
Exploits: 1
Hacker One
added 2020/07/12 9:52 p.m., 103 views

WordPress: Clickjacking on donation page

Description: Vulnerable URL: https://wordpressfoundation.org/donate/ Clickjacking on the vulnerable URL allows an attacker to redirect a victim to do a donation at an attacker's page. Steps To Reproduce: 1 To test whether the page is vulnerable to clickjacking or not use this code i Frame THIS PA...

0.4 AI score
Exploits: 0
Hacker One
added 2020/07/12 9:41 p.m., 134 views

Automattic: Denial-of-Service By Cache Poisoning The Cross-Origin Resource Sharing Misconfiguration Allow Origin Header

Summary: The wp-json implementation on some WordPress websites I've tested is vulnerable to Denial-of-service whereby an attacker can provide an arbitrary origin header in the request, which is then echoed back in the response via the Access-Control-Allow-Origin header, which is cached and serve...

7.1 AI score
Exploits: 0
Hacker One
added 2020/07/12 7:45 p.m., 12 views

GlassWire: Uncontrolled Search Path Element allows DLL hijacking for priv esc to SYSTEM

GlassWire contains a DLL hijacking vulnerability that could allow an authenticated attacker to execute arbitrary code on the targeted system. The vulnerability exists due to GlassWire loading DLL files from the PATH environment variable without verification. The machine should have at least one...

1.4 AI score
Exploits: 0
Hacker One
added 2020/07/12 6:07 p.m., 36 views

DuckDuckGo: DOM XSS on duckduckgo.com search

Hey there, there is a DOM XSS vulnerability on the https://duckduckgo.com/ search result page through the kp and kae parameters of the Cloud Save feature. POC URL:...

0.6 AI score
Exploits: 0
Hacker One
added 2020/07/11 10:02 p.m., 57 views

Concrete CMS: Arbitrary File delete via PHAR deserialization

crayons : Concrete5 Arbitrary File delete via PHAR deserialization - Target: Concrete5 - Version: 8.5.4 Latest at 2020. 07. 12 / PHP 7.2 - Credit: WSP Lab@KAIST - Contact: [email protected] TL; DR - An attacker can send an arbitrary input value in the isdir function, which causes a PHAR...

6.4 CVSS, 9.9 AI score, 0.00681 EPSS
Exploits: 0
Hacker One
added 2020/07/11 9:51 p.m., 99 views

X (Formerly Twitter): Denial of Service [Chrome]

Hi Team, Summary: I encountered such an error while creating a new account: F903872 But I don't remember where I found this last point. I remember only when I was a new member. I created a url using the load %xx as in 500686 reports as follows. https://twitter.com/i/flow/%00 I got a result like t...

6.7 AI score
Exploits: 0
Hacker One
added 2020/07/11 4:16 a.m., 102 views

Radancy: [mijn.werkenbijdefensie.nl] Denial of service occurs due to lack of email length confirmation

Creating an account on https://mijn.werkenbijdefensie.nl/profielaanmaken/ could be done with a very long email address. A max email address length validation check has been implemented; as per RFC, the maximum length allowed for an email address is 255 characters. However, we don't validate email...

1.6 AI score
Exploits: 0
Hacker One
added 2020/07/10 11:08 a.m., 18 views

Mail.ru: Improper Restriction of Excessive Authentication Attempts at https://api.warrobots.com/auth (Pixonic Games)

Password at warrobots.com was not sufficiently protected against bruteforce...

1.3 AI score
Exploits: 0
Hacker One
added 2020/07/10 4:04 a.m., 170 views

U.S. Dept Of Defense: SharePoint Web Services Exposed to Anonymous Access

Summary: Any unauthenticated/anonymous users are able to access the SharePoint Web Services .wsdl files for the ██████████ website. Description: The SharePoint installation for this particular site allows any user to access the spdisco.aspx on the web server which discloses the location of all...

4.1 AI score
Exploits: 0
Hacker One
added 2020/07/10 3:54 a.m., 13 views

U.S. Dept Of Defense: SharePoint Web Services Exposed to Anonymous Access

The SharePoint configuration for this particular site allows any user to access the spdisco.aspx on the web server which discloses the location of all SharePoint's web service endpoints. The URLs are: ██████████ ███ Impact An adversary may utilize the exposed information about the web services...

3.1 AI score
Exploits: 0
Hacker One
added 2020/07/09 10:18 p.m., 14 views

Automattic: Captcha checker "pd-captcha_form_SURVEYID" cookie is accepting any value

Summary: Hi team, There is a Captcha protection feature on surveys and polls. If you have captcha protection enabled on a survey, you will see this: F901789 When you solve the captcha and click Submit Captcha, the website sets a cookie like this: F901799 And if you delete this cookie and try to access the survey, yo...

1 AI score
Exploits: 0
Hacker One
added 2020/07/09 7:32 p.m., 168 views

GitHub Security Lab: [javascript] CWE-020: CodeQL query to detect missing origin validation in cross-origin communication via postMessage

This bug was reported directly to GitHub Security Lab...

2.3 AI score
Exploits: 0
Hacker One
added 2020/07/09 6:51 p.m., 22 views

Automattic: Stored XSS on app.crowdsignal.com + your-subdomain.survey.fm via Embed Media

Hello there, I found a stored xss vulnerability. Steps: 1. Go to https://app.crowdsignal.com/dashboard 2. Create a quiz. 3. Go to https://app.crowdsignal.com/quizzes/your-quiz-id/question 4. Add Multiple Choice 5. Put a name to answer 1. 6. Click Add media button. F901543 7. Select Embed Media 8...

0.3 AI score
Exploits: 0
Hacker One
added 2020/07/09 6:05 p.m., 24 views

Visma Public: HTTP Request Smuggling at app.workbox.dk

The researcher was able to find an HTTP request CL.TE smuggling vulnerability at app.workbox.dk. The likely consequences would have resulted in interfering with normal user traffic, leaking session cookies, leaking PII info...

0.5 AI score
Exploits: 0
Hacker One
added 2020/07/09 5:29 p.m., 82 views

lemlist: stored xss in app.lemlist.com

Hi there, I found a stored xss on app.lemlist.com. Steps To Reproduce: 1. Go to https://app.lemlist.com/. 2. Create or edit campaigns. 3. Visit the tab Buddies-to-Be. 4. Click Add one on the right top. 5. Fill in the input. 6. Add / Icebreaker and companyName. 7. Click create. POC F901411 Impact Stealing...

6.8 AI score
Exploits: 0
Hacker One
added 2020/07/09 6:20 a.m., 247 views

Nextcloud: Full path disclosure vulnerability via Upload .htaccess file

Hello Security team, I found a Full path disclosure vulnerability via Upload .htaccess file, see POC video. Thanks Impact Sensitive File/Folder Information...

1 AI score
Exploits: 0
Hacker One
added 2020/07/08 8:21 p.m., 41 views

Mail.ru: Open Redirect at "city-mobil.ru"

Open redirection in city-mobil.ru via URI path with '@'...

2.5 AI score
Exploits: 0
Hacker One
added 2020/07/08 6:38 p.m., 24 views

Basecamp: HTTP request smuggling on Basecamp 2 allows web cache poisoning

It is found that an authenticated Basecamp 2 user can desync front and backend servers and poison the socket with a harmful response for the next visitor. During the redirect probe, it also appears that the front-end infrastructure performs caching of content. Using an HTTP request smuggling attack, it is...

0.3 AI score
Exploits: 0
Hacker One
added 2020/07/08 5:23 p.m., 41 views

Omise: Authenticity token doesn't expire after single use leading to CSRF

Summary Once you said that you use a ruby framework for making the authenticity-token which acts as a CSRF protection. You also sent me this to help me understand https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef . After investigating, I found that an authenticity-token c...

7 AI score
Exploits: 0
Hacker One
added 2020/07/08 4:01 p.m., 32 views

Visma Public: Missing authorization allows sales only user to record payment.

The researcher has found a missing authorization issue that allowed a sales only user to record payments that he was not supposed to...

2.9 AI score
Exploits: 0
Hacker One
added 2020/07/08 2:05 p.m., 149 views

U.S. Dept Of Defense: Subdomain takeover due to an unclaimed Amazon S3 bucket on ███

Summary: An unclaimed Amazon S3 bucket on █████████ gives an attacker the possibility to gain full control over this subdomain. Description: ███████ pointed to an S3 bucket that no longer existed. The bucket points to an Amazon S3 website bucket in the US East region. I claimed this bucket and...

6.4 AI score
Exploits: 0
Hacker One
added 2020/07/08 1:54 p.m., 25 views

Visma Public: A sales only user can edit the purchase invoice drafts.

The researcher has found a missing authorization issue: a sales only user could edit the purchase invoice drafts that he shouldn't...

2 AI score
Exploits: 0
Hacker One
added 2020/07/08 1:30 p.m., 32 views

Mail.ru: Clickjacking Vulnerability via https://webagent.mail.ru leading to protection bypass for https://web.icq.com/ end point

Clickjacking protection bypass on web.icq.com via webagent.mail.ru...

2.2 AI score
Exploits: 0
Hacker One
added 2020/07/07 7:39 p.m., 97 views

Kubernetes: Fake email from <any_name>@kubernetes.io to any other email

Hi, I just found an issue: No Valid SPF Records in your mail server @kubernetes.io. Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email...

0.1 AI score
Exploits: 0
Hacker One
added 2020/07/07 1:23 p.m., 24 views

Rocket.Chat: It is possible to elevate privileges for any authenticated user to view permissions matrix and view Direct messages without appropriate permissions.

Description: ===================== For a user with the "View Private Room" permission only, it is possible to rewrite the permission role, e.g. to admin, in the /api/v1/me method response via some proxy tools, e.g. Charles, and get access to the server's permissions matrix and view Direct messages. Releases Affected...

4 CVSS, 0.4 AI score, 0.00316 EPSS
Exploits: 1
Hacker One
added 2020/07/07 11:12 a.m., 11 views

Shopify: STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend

I discovered a bug in an android mobile app that allowed STAFF with No Permissions to use Receipt Send to Mobile for any Order information in the Store. Steps to reproduce: 1 STAFF account is created and assigned "No Permissions" on a Shop by Owner/Admin 2 STAFF then logs in to the shop. Notice that STAFF is...

7.1 AI score
Exploits: 0
Hacker One
added 2020/07/07 10:00 a.m., 25 views

Central Security Project: Unsafe deserialization in Nexus Repository helm plugin

A remote code execution vulnerability CVE-2020-15871 has been discovered in Nexus Repository Manager 3. A user with the right permissions can run arbitrary code as the user running the Nexus Repository Manager server. Alternatively, an attacker could trick a user with the right permissions into...

6.8 CVSS, 1.3 AI score, 0.01451 EPSS
Exploits: 0
Hacker One
added 2020/07/07 8:43 a.m., 16 views

Mail.ru: Improper Restriction of Excessive Authentication Attempts at o2-ac.my.com/token

Password at my.com was not sufficiently protected against bruteforce...

3.6 AI score
Exploits: 0
Hacker One
added 2020/07/07 4:07 a.m., 20 views

Mail.ru: [combo.mail.ru] SMS code bruteforce

Authentication procedure was not sufficiently protected against bruteforce and allowed arbitrary combo.mail.ru account takeover...

4.1 AI score
Exploits: 0
Hacker One
added 2020/07/06 8:58 p.m., 121 views

GitHub Security Lab: [Java] CWE-295 - Incorrect Hostname Verification - MitM

This bug was reported directly to GitHub Security Lab...

0.8 AI score
Exploits: 0
Hacker One
added 2020/07/06 8:58 p.m., 147 views

GitHub Security Lab: CodeQL query to detect OGNL injections

This bug was reported directly to GitHub Security Lab...

1.1 AI score
Exploits: 0
Hacker One
added 2020/07/06 8:58 p.m., 175 views

GitHub Security Lab: Java: CWE-273 Unsafe certificate trust

This bug was reported directly to GitHub Security Lab...

1.1 AI score
Exploits: 0
Hacker One
added 2020/07/06 8:58 p.m., 151 views

GitHub Security Lab: CodeQL query for disabled revocation checking

This bug was reported directly to GitHub Security Lab...

1.4 AI score
Exploits: 0
Hacker One
added 2020/07/06 7:27 p.m., 51 views

InnoGames: Stored XSS on recruit.innogames.de

Summary: When applying for a Supporter/Moderator job at recruit.innogames.de the drop-down field "Position" is vulnerable to a stored XSS as the content is not validated. Description: Steps To Reproduce: 1. Visit https://recruit.innogames.de/staemme/de/index/page/show/apply 2. Fill out all requir...

0.5 AI score
Exploits: 0
Hacker One
added 2020/07/06 6:51 p.m., 28 views

Gener8: Session not invalidated after password reset

After a user performed a password reset, all their active refresh tokens were not invalidated. This could allow an adversary with access to a valid refresh token to regain control of a victim's account, subsequent to a password reset being completed...

4.5 AI score
Exploits: 0
Total number of security vulnerabilities: 15267