Nextcloud: Access control missing while viewing the attachments in the "All boards"
The vulnerability lies in the "view attachment" of the tasks. When a user uploads a file to a Task, the attachment is given a number that is incremented by 1 on further uploads. It is easy for any user to view and download all the files uploaded to the tasks by any user. The access is not...
Node.js third-party modules: [json-bigint] DoS via `__proto__` assignment
I would like to report a DoS in json-bigint. It allows causing a denial of service using a very limited input of 70 bytes. Module module name: json-bigint version: 0.3.1 npm page: https://www.npmjs.com/package/json-bigint Module Description JSON.parse/stringify with bigints support. Based on Douglas...
Engel & Völkers Technology GmbH: SPF Misconfiguration
There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an...
Shopify: Script Editor preview token still working with uninstalled application, even for unpublished script
Within the Script Editor application, it is possible to preview a script on the storefront and proceed to purchase. Once the user clicks on the preview link, it opens https://shop.myshopify.com/admin/scripts/preview?scriptid=scriptid which then generates a preview token to be used by the storefront...
Engel & Völkers Technology GmbH: Improper authentication on phpmyadmin portal which is hosted in https://eventapp.engelvoelkers.com
Summary: Hi Team, the following domain https://eventapp.engelvoelkers.com/ publicly exposes a phpmyadmin portal, and the authentication mechanism is poorly configured. On response manipulation, the application gives access to the internal structure of the phpmyadmin portal, disclosing many internal paths and sta...
Automattic: [tumblr.com] 69< Firefox Only XSS Reflected
Description: Hello, I have found a reflected XSS in https://www.tumblr.com/abuse/start?prefill= But the XSS only works in versions of Firefox that are below 70, because it is blocked by CSP, but versions of Firefox below 69 are vulnerable. Here's a great article about this subject...
Shopify: Subdomain Takeover of multiple *.ttcdn.co domains
@priyanshuxo demonstrated being able to takeover multiple ttcdn.co subdomains. While we removed the DNS records, the ttcdn.co domain is out of scope for our program, making this report ineligible for a bounty. This is a limited disclosure at their request...
Nextcloud: Social App does not validate server certificates for outgoing connections
The Social App https://apps.nextcloud.com/apps/social does not validate the server TLS certificate for connections to other ActivityPub servers. These connections are used to retrieve the public key for a user or to post a message to another ActivityPub server. The public key for a user is used t...
U.S. Dept Of Defense: Reflected XSS on ███████ page
Summary: The page at https://█████/NtMView.php is vulnerable to reflected cross-site scripting. Description: The page takes a user input in the form of a drop down list, then uses that text in the resulting page ███████ . An attacker can intercept the query to the page and insert an XSS payload, ...
Stripo Inc: Cross-Site WebSocket Hijacking Lead to Steal XSRF-TOKEN
The WebSocket handshake request was vulnerable to CSRF; the WebSocket content contained a lot of sensitive data for the user. It was like the PortSwigger Lab...
Mail.ru: xss while uploading a file
Self-XSS via uploaded file name in city-mobil.ru. XSS executes while uploading a file carrying the payload...
Mail.ru: Account Takeover via Forgot Password Page at https://3k.mail.ru/send_password.php?
The password recovery procedure was not sufficiently protected against brute force and allowed arbitrary 3k.mail.ru account takeover...
Automattic: Users can bypass page restrictions via Export feature at "Share" feature in CrowdSignal
Summary: Hi team, If you upgraded your account, you can share your survey results via the "Share" button. F893428 As you can see, I selected the Results page under Allow access to the following. So the user will access only the Results page. But if the user has the Export feature, the user can export the restricted pages...
Automattic: IDOR at 'media_code' when adding media to questions
Summary: Hi team, When you add a question to your survey and click Save, it sends this request: F893416 In this request, mediacode is vulnerable to IDOR. If you change it to any media ID, you will see it on your question. And these IDs are sequential. So you can access any user's media...
Automattic: IDOR when moving contents at CrowdSignal
Summary: Hi team, You can move your contents via the Move to button at https://app.crowdsignal.com/dashboard And when you click Move to My Content you will send a POST request to /dashboard like this: F893407 The actionable parameter's value is the content's ID. And if you change this ID to the victim's...
Automattic: IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal
Summary: Hi team, If you click the Edit button on any user of your team at https://app.crowdsignal.com/users/list-users.php, you will send a GET request to https://app.crowdsignal.com/users/invite-user.php?id=userid&popup=1 In this endpoint, the id parameter is vulnerable to IDOR. When you change the us...
Automattic: No Email Checking at Invitation Confirmation Link leads to Account Takeover without User Interaction at CrowdSignal
Summary: Hi team, When you have a team account, you can invite users to your team from https://app.crowdsignal.com/users/list-users.php If you invite a user, you will see this: F893386 As you can see, there is a confirmation link and we can see it from our dashboard. And if you invite an existing ema...
U.S. Dept Of Defense: Stored XSS via Comment Form at ████████
Summary: An attacker can submit a comment form with injected HTML, leading to a number of malicious effects Step-by-step Reproduction Instructions 1. Browse to https://████ 2. Complete the form. I placed " in the Name field. Some example payloads for the Comments field are as follows: For...
Mail.ru: Improper Restriction of Excessive Authentication Attempts at https://mirror.w1.dwar.ru/login.php
The password at dwar.ru was not sufficiently protected against brute force...
Engel & Völkers Technology GmbH: XXE on www.publish.engelvoelkers.com
Summary: An XML External Entities vulnerability has been found on www.publish.engelvoelkers.com:8443. Initially a GET request was made to /dp/services and that returned a 500 Error with some XML data. Changing the HTTP request method to POST with some XML data produced a different response, so it...
Engel & Völkers Technology GmbH: Information disclosure via Spring Boot Actuators on gonext-stage.engelvoelkers.com
Summary: The Spring Boot Actuators are exposing critical information on gonext-stage.engelvoelkers.com, such as the last 100 HTTP requests made to the server (including cookies, paths, etc.) and the environment configuration. The endpoints are the following: - /trace - /env - /mappings - /configprops...
Mail.ru: Exposed Tarantool admin interface
A testing installation of the internal Tarantool admin interface, without actual users' data, was available from the external network...
Engel & Völkers Technology GmbH: SQL Injection at /displayPDF.php (printshop.engelvoelkers.com)
Intro An SQL injection has been identified. Through this vulnerability an attacker could execute arbitrary SQL statements compromising the integrity of the database and obtain sensitive information, violating the confidentiality of the data. Given the great impact of the vulnerability and...
Engel & Völkers Technology GmbH: Remote Code Execution (RCE) at "juid" parameter in /get_zip.php (printshop.engelvoelkers.com)
Summary Taking advantage of the vulnerability reported in 914194, it has been possible to analyze certain application code and detect remote code execution at https://printshop.engelvoelkers.com/getzip.php?juid=1 due to a lack of sanitization of the inputs received by the web application. This...
Palo Alto Software: IDOR on notes to HTML injection
Summary: A team member with role USER can change the notes of any user, and we are also able to inject some HTML tags Steps To Reproduce: 1. Log in with role owner and create a note 2. Log in as a team member with role user 3. Add a note, capture it with Burp Suite and change the uuid of the note PUT...
Mail.ru: Stored self XSS at auto.mail.ru using add_review functionality
Stored self-XSS in auto.mail.ru review functionality...
WordPress: CSRF on comment post
Hi WordPress, I just found a CSRF on comment post. It allows an attacker to make the victim comment on a post. Steps To Reproduce: The attacker sends the victim a link with the content below: history.pushState'', '', '/' Video poc: F891759 Impact The attacker makes the victim comment on a post...
Engel & Völkers Technology GmbH: Publicly accessible .SVN repository allows downloading entire source code
Summary of the Issue The researcher found a publicly accessible SVN repository at https://printshop.engelvoelkers.com/.svn/wc.db Steps to reproduce Go to https://printshop.engelvoelkers.com/.svn/wc.db Impact statement Information disclosure...
U.S. Dept Of Defense: Remote Code Execution via CVE-2019-18935
Summary: The website at https://█████████/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system. Step-by-step Reproduction Instructions 1...
Bitwarden: Server-Side Request Forgery in "icons.bitwarden.net"
I already checked with the support team via the portal regarding domain confirmation. Here, adding the required information: Title: Server-Side Request Forgery in "icons.bitwarden.net". URL: https://icons.bitwarden.net/spoofed.burpcollaborator.net/icon.png Parameter: REST based in...
SMTP2GO: Stored XSS at https://app.smtp2go.com/settings/users/
Vulnerability: A. Type:- Cross Site Scripting Stored B. Description:- Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Summary: When you create a particular user...
Lark Technologies: Messages disclosure via search feature of other users' groups (Cross-Tenant).
Due to an Insecure Direct Object Reference (IDOR) vulnerability identified within the message search function of Lark, an attacker could have potentially viewed messages, docs, and attachments shared in other users' groups. We thank @base64 for reporting this to our team and verifying the resolution...
Clario: No rate Limit on Licenses Activation
Introduction A little bit about Rate Limit A rate-limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429...
Shopify: increased privileges on staff account
Staff on Partners without store management permission can have access to the collaboration shop. Steps for reproduction: 1. Invite staff to Partners without store management permission 2. Accept the invitation; the staff has become a member of the partner 3. On the staff account, try to access the...
Snapchat: Leaked JFrog Artifactory username and password exposed on GitHub - https://snapchat.jfrog.io
Researcher found valid jFrog credentials which were committed to a public Github repository of a Snap employee. This allowed access to internal Snap libraries/artifacts along with the ability to push updates to existing artifacts as well...
Visma Public: Reverse Tabnabbing in printing source document images
The security researcher was able to find a Reverse Tabnabbing bug in the printing source document images functionality. This bug allows replacing the current web page in the user's browser with a phishing one, facilitating phishing attacks...
Hiro: blockstack.org - is vulnerable to (CVE-2016-2183, CVE-2016-6329)
Descriptions Cryptographic protocols like TLS, SSH, IPsec, and OpenVPN commonly use block cipher algorithms, such as AES, Triple-DES, and Blowfish, to encrypt data between clients and servers. To use such algorithms, the data is broken into fixed-length chunks, called blocks, and each block is...
Showmax: [stories.showmax.com] Cross Origin Misconfiguration - Sensitive Information Exposure
The hacker reported user enumeration on https://stories.showmax.com/wp-json/wp/v2/users/ and CORS. The user enumeration didn't disclose any sensitive information except usernames, which are not problematic because we have 2FA login in place and the usernames could be obtained even from standard...
DuckDuckGo: XSS on Videos IA
Failure found in the videos tab. A user was created on a website https://rutube.ru/video/83a4775f020b3fd68efd3dc9a73031e8/ one with the tag " . When we search DuckDuckGo for the video or user tag, we find an XSS flaw in the page...
Mail.ru: Mail.ru for Android - Theft of sensitive data
A symlink vulnerability in the sharing activity allowed access to internal application files in Mail.Ru Mail for Android...
Shopify: Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation
Hello Shopify, I have found a bug by which I can verify any email on .myshopify.com; the bug is very strange but it works. Also I can take over the accounts, but only the ones which do not have SSO. To reproduce, please follow the steps exactly as I wrote them, otherwise you will not be able to reprodu...
Node.js third-party modules: property-expr - Prototype pollution
I would like to report Prototype pollution in property-expr. It allows an attacker to modify the prototype of a base object. Module module name: property-expr version: 2.0.2 npm page: https://www.npmjs.com/package/property-expr Module Description Tiny property path utilities, including path parsing a...
TikTok: Rate limiting on report video
Rate limiting was not in place for the "report video" option on TikTok web. We thank @alertjd for reporting this to our team...
Shopify: Low privileged user can create high privileged user's KITCRM authorization token and can read and write message to KIT
Using the Shopify ping application a user can communicate with the kit. The kit is an application that creates tasks based on the information supplied through the Shopify ping app by a user. With a few quick messages to Kit using Shopify Ping, a user can create a discount code and promote it, sta...
Node.js third-party modules: [is-my-json-valid] ReDoS via 'style' format
I would like to report a ReDoS in is-my-json-valid. It allows causing a denial of service if the schema uses the built-in style format. Module module name: is-my-json-valid version: 2.20.1 npm page: https://www.npmjs.com/package/is-my-json-valid Module Description A JSONSchema validator that uses code...
Engel & Völkers Technology GmbH: reflected xss in ██████
Summary: your subdomain ██████ suffers from a reflected XSS bug that leads to executing JavaScript code in the browser Steps To Reproduce: add details for how we can reproduce the issue 1. visit: █████ 2. you will see a popup and the XSS is confirmed Supporting Material/References: █████ Impact An attacker c...
GitHub Security Lab: Golang : Add MongoDb NoSQL injection sinks
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java : CWE-548 - J2EE server directory listing enabled
This bug was reported directly to GitHub Security Lab...
Mail.ru: Log files Leaked In mcsblog.ru
Server log files were available via web interface...
Glassdoor: wasResumeUsed ███ on /api-internal/api.htm endpoint leaking other user's resume usage status
The API endpoint that checks if a resume was used for previous job applications was found to be vulnerable. The endpoint accepted a parameter called "resumeMetadataId" which was not properly validated, allowing an attacker to check the usage status of resumes that did not belong to the user. This...