Nextcloud: The password of a mail share is not set if the password is given when the share is created (Nextcloud < 18)
Create a new mail share with a password by using the OCS endpoint with something like: curl -u admin:admin -X POST -H "OCS-APIRequest: true" "http://localhost/ocs/v1.php/apps/files_sharing/api/v1/shares?path=welcome.txt&shareType=4&[email protected]&password=plainTextPassword" - Open the...
Mail.ru: stored XSS via upload of a malicious file + file upload bypass.
Stored XSS via file upload functionality on static.donationalerts.ru...
h1-ctf: [H1-2006 2020] CTF Writeup
Hi, The flag is :^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ F850811 I will do the writeup in the report summary. Regards, Yash Impact None as the money paid was not real...
Ruby on Rails: HTTP Host injection in redirect_to function
Hi team, Here is the sample vulnerable code (ruby): class TesttestController ... "You are being redirected." end Then it will check the options; because the input is a String, it will be the concatenation of request.protocol + request.host_with_port + options. File action_controller\metal\redirecting.rb li...
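A worked model of the concatenation described in this report, added here as an example (it is neither the reporter's code nor Rails' own redirect_to implementation): a stand-in Request struct supplies protocol and host_with_port, which in a real app derive from the client's Host header, so a spoofed Host decides where a path-only redirect points. The hardened variant checks the host against an assumed allow-list (ALLOWED_HOSTS is hypothetical) before building the Location, the same idea Rails later shipped as config.hosts / ActionDispatch::HostAuthorization.

```ruby
require 'uri'

# Hypothetical stand-in for the Rails request object. In a real request,
# host_with_port is derived from the Host header and is attacker-influenced.
Request = Struct.new(:protocol, :host_with_port)

# Simplified model (not Rails' source) of redirect_to with a String argument:
# an absolute or protocol-relative URL is used as-is; anything else is
# prefixed with protocol + host_with_port, which is the host-injection sink.
def compute_redirect_location(request, options)
  if options =~ %r{\A([a-z][a-z\d\-+.]*:|//)}i
    options
  else
    request.protocol + request.host_with_port + options
  end
end

# Assumed allow-list of hosts this application is actually served on.
ALLOWED_HOSTS = %w[example.com www.example.com].freeze

# Hardened variant: refuse to build a redirect on a Host header we do not own.
# Parsing via URI strips any :port and rejects malformed Host values.
def safe_redirect_location(request, options)
  host = begin
    URI.parse("http://#{request.host_with_port}").host
  rescue URI::InvalidURIError
    nil
  end
  unless ALLOWED_HOSTS.include?(host)
    raise ArgumentError, "untrusted Host header: #{request.host_with_port.inspect}"
  end
  compute_redirect_location(request, options)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: the client sent "Host: evil.example:8080".
  spoofed = Request.new('http://', 'evil.example:8080')
  puts compute_redirect_location(spoofed, '/login')   # redirect now points at the attacker's host
  begin
    safe_redirect_location(spoofed, '/login')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the model is that redirect_to('/login') looks safe in the controller, yet the Location header it produces is only as trustworthy as the Host header; validating the host once, centrally, is what closes the gap.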
h1-ctf: [H1-2006 2020] Flag for H1-CTF
F850509 I will submit the write-up today but I need to get some rest. Excellent CTF though, it's my first time ever solving an H1-CTF. Impact ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$...
Node.js third-party modules: [wappalyzer] ReDoS allows an attacker to completely break Wappalyzer
Hello folks! Please note that I'm reporting two different problematic regexes. module name: Wappalyzer version: 6.0.2 npm page: https://www.npmjs.com/package/wappalyzer Module Description Wappalyzer identifies technologies on websites. Module Stats Weekly downloads: 1,290 88 open issues 16 open...
Node.js third-party modules: [wappalyzer] ReDoS allows an attacker to completely break Wappalyzer
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report VULNERABILITY in...
h1-ctf: [H1-2006 2020] CTF
As there is a bonus for first 10 solutions for now I'll just post a flag. F850100 Impact -...
Mail.ru: Local SQL Injection in Content Provider (ru.mail.data.contact.ContactsProvider) of Mail.ru for Android, version 12.2.0.29734
Local SQL injection vulnerability in ContactsProvider of Mail.ru Mail application for Android special permissions required...
h1-ctf: [H1-2006 2020] H1-CTF writeup
Summary: I've just solved the challenge, I will submit the write-up tomorrow. Impact Flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$...
Shopify: xss stored in https://your store.myshopify.com/admin/
Hello, I found stored XSS in https://your store.myshopify.com/admin/. Steps: 1. go to https://swqdewd.myshopify.com/admin/menus/new 2. click Add menu item 3. add name " AND any link 4. now click add 5. click remove item 6. alert 7. watch the video PoC for more information Impact XSS attack...
h1-ctf: [H1-2006 2020] I successfully solved it!
Hello, I'll get post there the write-up soon. Here is flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Sincerely, @zeroxyele Impact null...
h1-ctf: [H1-2006 2020] I made the CEO's bounty payment!
^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ I will write the details in comment. Impact I have headache now...
h1-ctf: [H1-2006 2020] CTF Writeup
Just submitting Flag for now, Will soon submit Writeup : Impact Flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$...
h1-ctf: [H1-2006 2020] Got the flag
Hey, got the flag, will update the writeup soon. Started 6:00am May 30. BountyPay CTF Challenge Completed! Congratulations, all of the hackers have been paid their Bug Bounty money and you have completed the challenge! Please submit your write up to https://hackerone.com/h1-ctf and make sure to...
h1-ctf: [H1-2006 2020] Multiple vulnerabilities leading account takeover
I'm posting flag and will send my write up upcoming days when I clear my mind after this rabbit holes! :D ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Impact Multiple vulnerabilities leading attacker to takeover any bounty pay user...
OPPO: No rate limit on Reporting a Threat on [https://community.coloros.com] lead to Increase in the User Group/Points
Summary: When a user signs up on https://community.coloros.com he is assigned with a specific User Group which increases with his activity on the community. I found that there is no rate limit implemented on reporting a threat and due to which a User can abuse this functionality to Increase his...
h1-ctf: [H1-2006 2020] H1-2006 CTF Writeup
Hi! The challenges were really great. I had a lot of fun and I can honestly say I learned a few tricks during this journey. I will be submitting the flag now and will work on a very good writeup until the deadline. My reasoning is that there are two different prizes, one for the first ten and...
Mail.ru: [MY.GAMES] XSS in the messenger
XSS in store.my.games on chat message...
curl: curl overwrite local file with -J
Summary: curl supports the Content-disposition header, including the filename= option. By design, curl does not allow server-provided local file override by verifying that the filename= argument does not exist before opening it. However, the implementation contains 2 minor logical bugs that allow...
HackerOne: Uploading large payload on domain instructions causes server-side DoS
This was a DoS vulnerability in a specific endpoint that didn't limit the size of the upload. As explained in the hacker summary, we limited the payload to mitigate the attack. Note: To everyone who sees this report, if a program accepts DoS vulnerabilities please test carefully, as it...
Engel & Völkers Technology GmbH: XSS reflected in https://tableau.engelvoelkers.com/
Summary: XSS reflected in https://tableau.engelvoelkers.com/ Steps To Reproduce: POC: https://tableau.engelvoelkers.com/en/embeddedAuthRedirect.html?auth=javascript:alert(document.domain) F848501 Impact XSS...
Stripo Inc: multiple email usage -my.stripo.email-
I first went to the "my.stripo.email" view and registered with my google account. Then I entered the profile. I replaced my email with an email that is not registered with your google account. I received a verification message on the email I changed. The button was not clicked. I copied it by...
GitHub Security Lab: Java: CWE-532 sensitive info logging
This bug was reported directly to GitHub Security Lab...
X (Formerly Twitter): Private list members disclosure via GraphQL
Summary: Due to improper queries of GraphQL, the attacker can steal members of the private list. Description: Twitter implements a unique GraphQL endpoint, which can use only the queries that Twitter specified. However, there is a flaw in the backend...
Nextcloud: The password of a mail share is not hashed if the password is given when the share is created
Create a new mail share with a password by using the OCS endpoint with something like: curl -u admin:admin -X POST -H "OCS-APIRequest: true" "http://localhost/ocs/v1.php/apps/files_sharing/api/v1/shares?path=welcome.txt&shareType=4&[email protected]&password=plainTextPassword" - Check the...
Node.js third-party modules: [commit-msg] RCE via insecure command formatting
I would like to report an RCE issue in the commit-msg module. It allows an attacker to execute arbitrary commands remotely on the victim's PC. Module module name: commit-msg version: 0.2.3 npm page: https://www.npmjs.com/package/commit-msg Module Description commit-msg is a customizable git commit message...
Lark Technologies: Stored xss in larksuite internal helpdesk and other user's helpdesk.
A stored XSS cross site scripting vulnerability was found which an attacker could have potentially used to obtain access to the internal team's help desk and view submitted user tickets. We have resolved this issue and thank @imrannisar for reporting this to our team...
U.S. Dept Of Defense: xmlrpc.php file is enabled, which lets an attacker perform XSPA, brute-force and even Denial of Service (DoS), in https://████/xmlrpc.php
Summary: Hello team, I have found a security vulnerability in https://███████/xmlrpc.php which lets an attacker: 1: XSPA or port scan 2: brute-force 3: DoS and much more Description: Impact Step-by-step Reproduction Instructions █████████ 1: Go to https://██████/xmlrpc.php to check if it is enabled o...
Shopify: Ability to generate shipping labels in another store orders
Details A shop owner creating a session on his own store on the https://mailbox.shopifycloud.com/ service can craft a request to print labels on another store he doesn't have access to. Steps to reproduce 1. Go to an unfulfilled order and click on Create a shipping label 2. Copy the CURL request that i...
Shopify: Inject page in admin panel via Shopify.API.pushState [New Payload]
The correction for 868615 allows you to use a new payload: js const ctx = window.open(location.origin + '/admin/themes', '_blank'); const data = JSON.stringify({ message: 'Shopify.API.replaceState', data: { pathname: "abc:d../pages/xss//" } }); ctx.postMessage(data); Impact Abuse the active admin session to extrac...
Rockstar Games: Minor Account Privacy can Set to Everyone.
In this report, the researcher demonstrated an Insecure Direct Object Reference vulnerability that would allow Minor accounts (accounts where the owner's age is self-reported to be under 18 years old) to modify their privacy permissions to restricted settings. Ordinarily, accounts with owners betwe...
U.S. Dept Of Defense: Information Disclosure(PHPINFO/Credentials) on DoD Asset
Summary: A DoD leaks credentials on a phpinfo page. Description: https://███ publicly displays a phpinfo page that leaks system information and credentials. Impact The impact is medium not only due to information leakage of numerous different details such as system information but also the leakag...
Open-Xchange: Missing (or redundant) null check in `dcrypt_openssl_sign`
Function dcrypt_openssl_sign in file src/lib-dcrypt/dcrypt-openssl.c has the following code: if (EVP_PKEY_base_id(key->key) == EVP_PKEY_RSA) { *error_r = "Format does not support RSA"; return FALSE; } and later: if (md == NULL) { if (error_r != NULL) *error_r = t_strdup_printf("Unknown digest %s", algorithm); return FALSE; } So,...
Starbucks: Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload
ko2sec discovered it was possible to upload arbitrary content on https://campaign.starbucks.com.sg/api/upload, leading to a stored XSS. This site was decommissioned. @ko2sec — thank you for reporting this vulnerability and for confirming the resolution...
Open-Xchange: Directory traversal allows execution of arbitrary binaries using doveadm exec
Both the doveadm-exec man page and the online manual specify that it can be used to execute commands from Dovecot's libexecdir which sounds like an implicit security boundary. I recently ran across a situation where doveadm-exec was whitelisted in sudoers to be run as root. I realized it was...
Radancy: [www.werkenbijderet.nl] There is no rate limit for vacature-alert endpoints
https://werkenbijderet.nl/vacature-alert lacked a properly configured application specific tuned rate limiting defense mechanism. Because the speed limit was set very high, it was possible to send thousands of mails within 10 minutes. The fix was to implement a middleware which throttles requests...
Kubernetes: DoS for client-go jsonpath func
Summary: jsonpath recursive descent causes a DoS vulnerability. kubectl, apiextensions-apiserver, cli-runtime and kubernetes depend on client-go. I think evalRecursive is the cause of this vulnerability; function position: client-go/util/jsonpath/jsonpath.go:451 Component Version: client-go:master Steps To Reproduce: i...
GitLab: Possibility to purchase Ultimate - 1 Year (EDU or OSS)
Hi, Any user can purchase Ultimate - 1 Year EDU or OSS, which is for educational institutions or open source projects. I found here https://gitlab.com/gitlab-org/customers-gitlab-com/-/issues/860 a list of GitLab plan ids, found Ultimate - 1 Year, which is free, and purchased it. Steps to reproduce...
Xiaomi: Insecure file upload in xiaoai.mi.com Lead to Stored XSS
Insecure file upload in xiaoai.mi.com Lead to Stored but self XSS...
Automattic: DOM-Based XSS in tumblr.com
Description Hi, I just found an XSS that I think is a valid issue and I think it is in scope this time. To get the XSS the attacker needs to create a post in tumblr.com using...
Mail.ru: Database read through provider misconfiguration
Content provider implementation in ICQ for Android allowed another local application to force ICQ private files to be copied to insecure location...
Shopify: OrderListInitial leaks order details
Hello, During my investigation I have noticed that the OrderListInitial graphql operation is leaking more information than it is supposed to for a staff member with "Customer" only permission. Normally the graphql call is as below. POST /admin/internal/web/graphql/core HTTP/1.1...
Nextcloud: New users can read all Nextcloud Deck data from previous user with same username
First of all: Sorry, I know there is no scope "Deck" but both Joas and Jus pointed me to hackerone to report this security issue. 1. As an administrator create Nextcloud account "test" 2. Log in as "test" 3. Go to Deck app and create some boards, stacks and cards with personal or confidential...
U.S. Dept Of Defense: XSS via X-Forwarded-Host header
Summary: The █████ website is vulnerable to a cross-site scripting flaw if the server receives a crafted X-Forwarded-Host header. Description: The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a...
Visma Public: SXSS using unsanitized `customer no` in eaccountingprinting.stage.vismaonline.com
The researcher found that the customer no field in the customer profile is not properly sanitized, enabling HTML/JS code injection and causing a stored XSS...
WordPress: Authenticated Stored Cross-site Scripting in bbPress
Description: There exists a stored XSS vulnerability in bbPress, due to which the XSS payload which I enter in my content gets executed at /wp-admin/edit.php?post_type=forum. This vulnerability requires you to be an authenticated user. Steps To Reproduce: Step 1. Visit...
Mail.ru: SQL injection at fleet.city-mobil.ru
SQL injection in fleet.city-mobil.ru due to unsafe usage of POST parameter "param":"1'+MySQLpayload--+-"...
ownCloud: File System Monitoring Queue Overflow
In the source code "owncloud/client", in the file "src/gui/folderwatcher_linux.cpp", in the function "void FolderWatcherPrivate::inotifyRegisterPath(const QString &path)", by calling "inotify_add_watch" the file paths are set for monitoring (cpp): int wd = inotify_add_watch(fd, path.toUtf8().constData(), ...
WordPress: Arbitrary change of blog's background image via CSRF
Description: Despite being deprecated since v3.5.0, the wp_set_background_image method defined in wp-admin/includes/class-custom-background.php, registered as an authenticated AJAX call wp_ajax_set-background-image, is still active. Given that the method is lacking CSRF checks, an attacker could chang...