15270 matches found
Mail.ru: SQL injection at fleet.city-mobil.ru
SQL injection in fleet.city-mobil.ru due to unsafe usage of POST parameter "param":"1'+MySQLpayload--+-"...
ownCloud: File System Monitoring Queue Overflow
in the source code "owncloud/client" in the file "src/gui/folderwatcher_linux.cpp" in the function "void FolderWatcherPrivate::inotifyRegisterPath(const QString &path)" by calling "inotify_add_watch" the file paths are set for monitoring: int wd = inotify_add_watch(fd, path.toUtf8().constData(),...
WordPress: Arbitrary change of blog's background image via CSRF
Description: Despite being deprecated since v3.5.0, the wp_set_background_image method defined in wp-admin/includes/class-custom-background.php, registered as an authenticated AJAX call wp_ajax_set-background-image, is still active. Given that the method is lacking CSRF checks, an attacker could chang...
Mail.ru: Collected Telegraf Metrics Accessible
Performance metrics were available at game.tz.mail.ru...
Node.js third-party modules: [last-commit-log] Command Injection
I would like to report Command Injection in last-commit-log It allows execution of arbitrary commands Module module name: last-commit-log version: [email protected] npm page: https://www.npmjs.com/package/last-commit-log Module Description Node.js module to get the last git commit information...
Slack: Stored XSS through PDF viewer
Slack allows users to upload files to their Workspace to facilitate sharing information between team members as well as with other workspaces. In addition, with the aim of easing access to PDF files, Slack provides its own "PDF Viewer" https://app.slack.com/pdf-viewer embedded in the application...
Starbucks: Default credentials for the temporary POC site alipoc.stg.starbucks.com.cn permitted WAF bypass and RCE
neweq discovered that a temporary proof of concept site alipoc.stg.starbucks.com.cn was initially configured with default credentials for a brief period of time before being taken offline. @neweq — thank you for reporting this vulnerability and for confirming the resolution...
Stripo Inc: [www.stripo.email] You can bypass the rate limit by changing the IP.
You can bypass the rate limit by changing the IP. Login page: bypass the rate limit...
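The bypass described in the Stripo entry above, as an added example that is not code from that report or from Stripo: a login limiter keyed only on the client IP is reset by every IP change, while a limiter that also keys on the target account keeps counting across IPs. The class, the limits (5 attempts per 15 minutes) and the request shape are illustrative assumptions.

```javascript
'use strict';
// Added example, not code from the Stripo report or from Stripo. It reproduces
// the bypass the report describes (a login limiter keyed only on the client IP
// is defeated by rotating IPs) next to a limiter that also keys on the target
// account, so rotating IPs no longer resets the budget. Names, limits and the
// request shape are illustrative assumptions.

class SlidingWindowLimiter {
  // max attempts per key within windowMs; keyFns derive the bucket key(s).
  constructor({ max, windowMs, keyFns }) {
    this.max = max;
    this.windowMs = windowMs;
    this.keyFns = keyFns;
    this.buckets = new Map(); // key -> array of attempt timestamps (ms)
  }

  // Returns true if the attempt is allowed. Every derived key must be under
  // the limit, and an allowed attempt is recorded against all of them.
  allow(req, now) {
    const keys = this.keyFns.map((fn) => fn(req));
    const windows = keys.map((key) => {
      const stamps = (this.buckets.get(key) || []).filter((t) => now - t < this.windowMs);
      this.buckets.set(key, stamps);
      return stamps;
    });
    if (windows.some((stamps) => stamps.length >= this.max)) return false;
    for (const stamps of windows) stamps.push(now);
    return true;
  }
}

// Key derivations: the weak one (IP only) and the one the account bucket adds.
const byIp = (req) => 'ip:' + req.ip;
const byAccount = (req) => 'acct:' + req.username.toLowerCase();

// Simulates an attacker trying `attempts` passwords against one account and
// moving to a fresh source IP every `perIp` attempts, one attempt per second.
// Returns how many attempts the limiter let through.
function simulateBruteForce(limiter, { attempts, perIp }) {
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    // Constructed request: rotating documentation-range IPs, one fixed victim.
    const req = {
      ip: '203.0.113.' + (Math.floor(i / perIp) + 1),
      username: 'victim@example.com',
    };
    if (limiter.allow(req, 1000 * i)) allowed++;
  }
  return allowed;
}

// Runs the same 50-attempt campaign against both limiter configurations.
function compare() {
  const opts = { max: 5, windowMs: 15 * 60 * 1000 };
  const ipOnly = new SlidingWindowLimiter({ ...opts, keyFns: [byIp] });
  const ipAndAccount = new SlidingWindowLimiter({ ...opts, keyFns: [byIp, byAccount] });
  const run = { attempts: 50, perIp: 5 };
  return {
    ipOnlyAllowed: simulateBruteForce(ipOnly, run),             // every IP change resets the budget
    ipAndAccountAllowed: simulateBruteForce(ipAndAccount, run), // the account bucket holds
  };
}
```

With 50 attempts spread over 10 IPs, the IP-only limiter lets all 50 through and the IP-plus-account limiter stops after 5. Keying on the account alone would let an attacker lock out legitimate users, which is why both keys are checked together.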
Glassdoor: Unauthorized usage of External API Key (Usage of Google Maps API Key ==> $$$)
A Google Maps API key was found in the source code of a Glassdoor webpage, which allowed unauthorized usage of the API. The API key was not configured securely...
Starbucks: Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages
Hi team, Summary: There is a cross-site scripting vulnerability on the login page of www.starbucks.com and various regions, due to improper escaping on the URL path. Description: The login page at https://www.starbucks.com/account/signin builds several links by the relative URL path. An attacker...
Nutanix: AWS S3 bucket writeable for authenticated AWS users
S3 bucket permissions were not configured correctly, allowing any authenticated AWS user to delete and write files. Nutanix didn't properly configure one of their S3 buckets permissions and inadvertently allowed any authenticated AWS user to delete and write files. An attacker could post a...
GitLab: Todos are not redacted when membership changes - Access to (confidential) issues and merge requests
Summary This vulnerability was fixed in https://gitlab.com/gitlab-org/gitlab-foss/-/issues/54349 , but it reappears maybe due to some new changes and one is able to reproduce the vulnerability to access confidential issues and MRs. All issues and MRs used to get redacted after one hour grace peri...
Courier: SSO Provider Credential Cache (logged out of Google/GitHub, could still log into Courier)
After researching this further, our authentication provider Amazon's AWS Cognito caches the access token provided by Google, GitHub, and other SSO providers within their system for up to an hour and does not check against the SSO provider's API again until that cache has expired. We did verify th...
DigitalOcean: Blind XSS via Digital Ocean Partner account creation form.
Summary: Blind Cross-Site Scripting (XSS) was discovered at the Digital Ocean Partners admin panel/dashboard, where an attacker can run arbitrary JavaScript code on the victim's end. Due to the absence of the HttpOnly cookie flag, an attacker can successfully steal the cookies of the user and use them to login to...
HackerOne: Near to Infinite loop when changing Group's name that has API token as Team Member
Summary: https://hackerone.com contains an iteration or loop whose exit condition makes it close to an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory and even cause a DoS. Description: Hello...
GitLab: Unrestricted file upload leads to Stored XSS
Summary: I found that I can upload a png file with JavaScript code and execute it in a wiki page. Steps to reproduce Step-by-step guide to reproduce the issue, including: 1-login to gitlab account 2-open your project 3-open Wiki page. 4-Click "New page" button. 5-attach png file which contain below co...
Smartsheet: Smartsheet employees email disclosure through endpoint after login.
Summary: add summary of the vulnerability After login - while validating this issue 858974 - I notice there is an endpoint call /b/home?formName=webop&formAction=SheetLabLoadData&to=68000&ssv=98.0.2 that is bringing emails from some employees. Steps To Reproduce: add details for how we can...
Xiaomi: DOM-based XSS in d.miwifi.com on IE 11
There is a DOM based XSS on d.miwifi.com but it only works on IE 11...
8x8: IDOR: Adding Contacts to Other User Groups
The request to add a new contact performed insufficient validation on the specified group number. Altering the target group resulted in incrementing license count and disclosure of the name of the group, however access was not granted...
Node.js third-party modules: Bypass of SSRF Vulnerability
Bypass of SSRF report https://hackerone.com/reports/793704. The fix applied after the original report did not prevent the SSRF issue. https://github.com/TryGhost/Ghost/commit/47739396705519a36018686894d1373e9eb92216#diff-3aa52b4b8c6e0fb8422de65648e35887R101 The function fetchOembedData only...
Central Security Project: Repositories of datanucleus are fetched over insecure protocol (http instead of https)
Maven artifact groupId: org.datanucleus artifactId: datanucleus-maven-parent version: 4.0.0 Vulnerability the jar files inside repositories are fetched using insecure protocol http instead of https. This allows these artifacts to be potentially MITMed to maliciously compromise them and infect the...
Xiaomi: CORS Misconfiguration, could lead to disclosure of users information
This will result in the leakage of the users' IP by exploiting this CORS misconfiguration issue. There is no impact...
8x8: Admin Reseller Account Disclosure
The vendor that handles 8x8 Resellers had inadvertently exposed account credentials. The information was removed and credentials changed. Leaked admin account of third party reseller in github with full access to all files...
Mail.ru: MySQL username and password leaked on [2017.russianaicup.ru]
Configuration file available via web interface could disclose potentially sensitive information...
GitLab: Full Read SSRF on Gitlab's Internal Grafana
Apparently, Grafana is bundled with GitLab by default. So the Grafana instance that is accessible via /-/grafana/ is vulnerable to the SSRF outlined below. Summary By chaining together some redirects and a URL decoding bug, it is possible to achieve a full-read, unauthenticated SSRF from your...
LinkedIn: LinkedIn users primary email + full name visibility
Vulnerability description not provided...
Visma Public: [CSRF] While closing and opening Fiscal year.
The reporter has found that the CSRF token is not checked when using the Open/Close functionality of the Fiscal year...
8x8: vidyard api auth_token exposed
The third party content provider for the domain www.8x8.com had inadvertently disclosed the API token for Vidyard. Access was resolved and the token replaced...
Node.js third-party modules: [windows-edge] RCE via insecure command formatting
I would like to report a RCE issue in the windows-edge module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: windows-edge version: 1.0.1 npm page: https://www.npmjs.com/package/windows-edge Module Description Launch a new Microsoft Edge tab on Windows...
Node.js third-party modules: [objtools] Prototype pollution
I would like to report a prototype pollution vulnerability in objtools module. It allows an attacker to inject properties on Object.prototype. Module module name: objtools version: 2.0.1 npm page: https://www.npmjs.com/package/objtools Module Description objtools provides several utility function...
Node.js third-party modules: [extend-merge] Prototype pollution
I would like to report a prototype pollution vulnerability in extend-merge module. It allows an attacker to inject properties on Object.prototype. Module module name: extend-merge version: 1.0.5 npm page: https://www.npmjs.com/package/extend-merge Module Description Shallow extend and deep merge...
Node.js third-party modules: [object-path-set] Prototype pollution
I would like to report a prototype pollution vulnerability in object-path-set module. It allows an attacker to inject properties on Object.prototype. Module module name: object-path-set version: 1.0.0 npm page: https://www.npmjs.com/package/object-path-set Module Description set values in...
Node.js: Child process environment injection via prototype pollution
Summary: prototype pollution causes polluted system environment for child processes. Description: This can be used to inject arbitrary --require flags to node.js child processes or in the case of current node.js versions it can be used to inject arbitrary JavaScript to child processes. In practic...
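One block serving the objtools, extend-merge, object-path-set and keyd entries above and the Node.js child-process entry just above it, as an added example that is not code from any of those reports, from those modules, or from Node.js itself: a recursive merge that follows "__proto__" (the bug class behind those module reports), the hardened merge, and how a polluted Object.prototype then turns into an own entry of a child-process environment when that environment is copied with `for...in` rather than from own keys. The function names, the attacker JSON and the stand-in environment are constructed for the example.

```javascript
'use strict';
// Added example, not code from any of the reports listed above, from the
// named npm modules, or from Node's child_process. It shows the class of bug
// behind the objtools / extend-merge / object-path-set / keyd reports (a
// recursive merge that recurses into "__proto__") and how the polluted
// prototype then reaches a child process whose environment is copied with
// `for...in`. Function names are illustrative.

// Vulnerable merge: recurses into any object-valued key, including "__proto__".
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value); // target["__proto__"] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuses prototype-affecting keys and only recurses into
// plain objects the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = existing !== null && typeof existing === 'object' ? existing : {};
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Environment copy the way a naive launcher does it: `for...in` also walks
// inherited keys, so a polluted Object.prototype.NODE_OPTIONS becomes an own
// entry of the child's environment (and --require then runs attacker code).
function buildEnvUnsafe(env) {
  const out = {};
  for (const key in env) out[key] = env[key];
  return out;
}

// Own keys only: nothing inherited from the prototype is passed on. Pass the
// result as the explicit `env` option when spawning, e.g. spawn(cmd, args, { env }).
function buildEnvSafe(env) {
  const out = {};
  for (const key of Object.keys(env)) out[key] = env[key];
  return out;
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Walks through the attack once and reports what each variant did.
function demo() {
  // Constructed attacker-controlled input, e.g. a JSON request body.
  const attackerJson =
    '{"name":"x","__proto__":{"NODE_OPTIONS":"--require /tmp/evil.js"}}';
  const baseEnv = { PATH: '/usr/bin' }; // constructed stand-in for process.env
  const result = {};
  try {
    unsafeMerge({}, JSON.parse(attackerJson));
    result.prototypePolluted = ({}).NODE_OPTIONS === '--require /tmp/evil.js';
    result.unsafeEnvLeaks = hasOwn(buildEnvUnsafe(baseEnv), 'NODE_OPTIONS');
    result.safeEnvClean = !hasOwn(buildEnvSafe(baseEnv), 'NODE_OPTIONS');
  } finally {
    delete Object.prototype.NODE_OPTIONS; // undo the pollution for the rest of the process
  }
  safeMerge({}, JSON.parse(attackerJson));
  result.safeMergeResists = ({}).NODE_OPTIONS === undefined;
  return result;
}
```

JSON.parse creates "__proto__" as an own data property, so Object.keys() returns it and the unsafe merge reads target["__proto__"] (Object.prototype) and writes into it. The two environment builders differ only in `for...in` versus Object.keys(), which is the whole difference between a child that inherits NODE_OPTIONS and one that does not.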
Topcoder: Blind stored XSS due to insecure contact form at https://www.topcoder.com leads to leakage of session token and other PII
Summary: I have discovered a blind stored cross site scripting vulnerability due to an insecure Contact form available here https://www.topcoder.com/contact-us/ This form does not properly sanitize user input allowing for the insertion and submission of dangerous characters such as angle brackets...
HackerOne: GraphQL field on Team node can be used to determine if External Program runs invite-only program
On 19th May, a new parameter policymarkdownhtml was introduced inside the Team GraphQL query. Using a GraphQL query, we were able to determine whether an external program is running privately on HackerOne, as the policymarkdownhtml parameter was able to fetch the private internal policy. Note: Using this parameter, it wa...
U.S. Dept Of Defense: PII/PHI data available on web https://████████Portals/22/Documents/Meetings
Summary: https://███Portals/22/Documents/Meetings contains many internal documents which likely were reviewed on meeting/meetings preparations which should not be available for public but searchable via google/bing. Documents include: resumes, bio data form, emails including history of medical...
Node.js third-party modules: [keyd] Prototype pollution
I would like to report a prototype pollution vulnerability in keyd module. It allows an attacker to inject properties on Object.prototype. Module module name: keyd version: 1.3.4 npm page: https://www.npmjs.com/package/keyd Module Description A small library for using and manipulating key paths i...
Kubernetes: Hard coded Username and password in GitHub commit
Report Submission Form Summary: I was exploring the GitHub repository and I found some hard-coded credentials in the commit history. These credentials are related to the Vagrant tool, which is used to set up virtual machine environments. This is a very critical disclosure and can lead to bigger damages...
Kubernetes: Internal IP addresses range and AWS cluster region leaked in a Github repository
Report Submission Form Summary: I was exploring the GitHub repository and found some internal IP addresses and their cluster region related to an AWS cluster. So I decided to report it to you. Please have a look and let me know. Steps To Reproduce: VISIT THIS LINK : Repository - kubernetes / kubernetes...
Lark Technologies: User with single department permission can view applicant list of all departments
An endpoint was discovered that did not properly check for user permissions which could have caused unauthorized access to view pending approval requests, email addresses, and phone numbers belonging to other departments. We thank @imrannisar for reporting this to our team and confirming the...
Concrete CMS: Time-based SQL Injection in Search Users
Description ===================== I've identified an SQL injection vulnerability in the website labs.data.gov that affects the endpoint /index.php/dashboard/users/search and can be exploited via the fSearchDefaultSortDirection param. I didn't extract any data from the database, I've confirmed the...
Kubernetes: Private RSA key and Server key exposed on the GitHub repository
Report Submission Form Summary: I was searching for sensitive data in Kubernetes repository where I found these private keys. These are private RSA key and private server key, which could be used for unauthorized access. Steps To Reproduce: VISIT THESE LINKS Repository : kubernetes / kubernetes...
Valve: Signedness issue in ClassInfo message handler leads to RCE on CS:GO client
Title: Signedness issue in ClassInfo message handler leads to RCE on CS:GO client Scope: csgo.exe Weakness: Array Index Underflow Severity: Critical 9.6 Link: https://hackerone.com/reports/876719 Date: 2020-05-17 20:31:35 +0000 By: @chaynik Details: Vulnerability ------------- CSVCMsg_ClassInfo...
U.S. Dept Of Defense: Remote Code Execution through DNN Cookie Deserialization
Summary: The application at https://████████ presents a deserialization vulnerability that permits RCE and file read/write Step-by-step Reproduction Instructions 1. Navigate to a random page that must return a 404 Error status like https://████/test 2. Add this cookie in the request header:...
InnoGames: Impersonation and ticket id enumeration on support.innogames.com
A missing check for authorization made it possible to answer tickets owned by other users in their own name...
Topcoder: SSRF at https://cognitive.topcoder.com leads to AWS instance metadata due to vulnerable email subscription feature
Summary: Topcoder makes use of Amazon's AWS in their web application environment. I noticed a feature that allows a user to subscribe and receive emails from Topcoder. This feature is vulnerable to server-side request forgery since it allows a user to supply an arbitrary URL which the application...
Starbucks: Singapore - Account Takeover via IDOR
ko2sec discovered that an alternate site shared database and cookie credentials with card.starbucks.com.sg. By exploiting an endpoint on the alternate site, ko2sec was able to copy a PHPSESSID cookie value from that site over to card.starbucks.com.sg and then see user information, update the...
Starbucks: Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data
zlz and rhynorater discovered that by obtaining a valid authentication cookie and then combining that with a path traversal, this allowed access to restricted data. noapearson assisted by providing additional information post discovery. @zlz / @rhynorater / @noapearson — thank you for reporting...
Stripo Inc: Integer Overflow (CVE-2017-7529)
Integer Overflow - The issue affects nginx 0.5.6 - 1.13.2...
Brave Software: Cookie steal through content Uri
Summary A misconfiguration in a content provider is allowing Brave for Android to download internal files to Downloads folder, making them accessible to other apps. A malicious app could order Brave to download the cookies database and retrieve it afterwards. Environment - Device: HTC M8 - OS...