15273 matches found
Mail.ru: XSS on https://o2.mail.ru/jsapi/button via PostMessage
DOM XSS in PostMessage handler of o2.mail.ru...
Topcoder: CSRF on https://apps.topcoder.com/wiki/users/editmyprofile.action
Summary: Hi : There is a CSRF on changing user details. Steps To Reproduce: There is no CSRF token or anything like that on https://apps.topcoder.com/wiki/users/editmyprofile.action . I added the poc html file below. When someone opens this html file, or we can add it into our website, victim's...
Mail.ru: Time-Based SQL injection at city-mobil.ru
Blind time-based SQL injection in https://city-mobil.ru/ due to unsafe usage of a GET parameter. JSON SLEEP PROFIT! P.S. Detailed summary coming soon.... possibly... watch at https://blog.deteact.com...
Khan Academy: Unauthorised Account Detail Modification
Introduction ========= Hi, 5kyw41k3r here, ==I found an Unauthorised Account Detail Modification in the KA website==... Definition ========= It is a flaw which allows a malicious actor to modify the details of an account. I have included a video made by me for demonstration purposes using a test...
Helium: HTTP request Smuggling
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being awa...
Kubernetes: Node disk DOS by writing to container /etc/hosts
Report Submission Form Summary: Pod files /etc/hosts, /etc/hostname, /etc/resolv.conf are not read-only. A normal pod running in a Kubernetes cluster can kill a host by writing data to /etc/hosts. Not only /etc/hosts, but also /etc/resolv.conf and /etc/hostname can do this. Kubernetes Version:...
X (Formerly Twitter): XSS via referrer parameter
Description Hi, I would like to report an XSS via the javascript scheme in https://www.twitterflightschool.com/student/award/ID?referer=. The payload needs just a click from the user to be triggered because the link will be placed in a tag...
Basecamp: Unauthenticated request smuggling on launchpad.37signals.com
Description By sending an ambiguous request on the rails application on launchpad.37signals.com, an attacker can desynchronise frontend and backend servers, leaving the socket to the backend server poisoned with a harmful response. This response will then be served up to the next visitor. The...
Snapchat: CreatorID leaked from public content posted to SnapMaps
TL;DR - the Snap Map media responses unnecessarily return a creatorId. The creator's Snap username cannot be immediately derived from creatorId, but users can use the creatorId to correlate multiple public snaps with that creator. The impact is limited by the fact that all Our Story Snaps that...
Shopify: Takeover an account that doesn't have a Shopify ID and more
Details The https://pos-channel.shopifycloud.com/graphql-proxy/admin can be exploited to update a staff member's email without any email confirmation. Using the partner dashboard, we have the ability to create a store that doesn't have a Shopify ID account on https://accounts.shopify.com. By using...
Topcoder: CSRF on https://apps.topcoder.com/wiki/pages/doattachfile.action
Summary: Hi : There is a CSRF on attaching files to wiki pages. Steps To Reproduce: There is no CSRF token or anything like that on https://apps.topcoder.com/wiki/pages/doattachfile.action?pageId= . I added the poc html file below. When someone opens this html file, or we can add it into our...
BTFS: misconfigured CORS leads to HPP and SOP bypass
Hello team, I found a bug on your website that let me bypass the SOP policy. Hope you fix it, everything is in the video https://www.youtube.com/watch?v=PYsU350S-s4 Impact The attacker may direct a victim to a phishing page of www.bitterrent.com/login and he/she will be convinced to enter their ema...
HackerOne: The hacker has access to the administrative part of the management reports in publish report
Summary: Hi team, @jobert, @bencode . At the moment, I'm not entirely sure that this has a strong effect. But I also assume that this should not be on behalf of the hacker, and also in the future it may create problems, for example when you add new statuses for the report and they will have some...
Nextcloud: External storage app saves password for all users in the database
The External storage (files_external) app saves the passwords of all users to the database table "oc_credentials" even when the "Log-in credentials, save in database" option is not used. It's a security risk that allows password extraction for all users. A local system admin that has access to the database and nextcloud...
Topcoder: Stored XSS on https://apps.topcoder.com/wiki/pages/editpage.action
Summary: Hi : There is a stored XSS on wiki pages and it executes when editing a page. Steps To Reproduce: After I submitted 867125, I realized that the vote macro causes stored XSS on the wiki edit page. A user can edit wiki pages on https://apps.topcoder.com/wiki/pages/editpage.action?pageId=. Users...
Nextcloud: Access Control: Inject tasks into other users decks
When moving a task to another deck a request is made to /apps/deck/cards/XXXX. In the request the destination stackId parameter is used. When a user changes the parameter to that of a stack not belonging to him, the task is still added. PoC Create a card: POST /apps/deck/cards HTTP/1.1...
Topcoder: Reflected XSS on error page on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Hi : In https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action bookmarkPageId parameter expects a number value. If you add XSS payload instead of number, an error page displays with XSS. PoC...
Topcoder: CSRF on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Summary: Hi : There is a CSRF on creating bookmarks form. Steps To Reproduce: There is no CSRF token or anything like that on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action. I added the poc html file below. When someone opens this html file, or we can add it into o...
Topcoder: Post Based Reflected XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Summary: Hi : A POST-based reflected XSS occurs when creating bookmarks. Steps To Reproduce: The Title and Labels parameters are vulnerable to XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action. This form uses a POST request so I added an HTML file below. When someone...
Topcoder: Reflected XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Summary: Hi : A reflected XSS occurs when creating bookmarks. Steps To Reproduce: A user can create bookmarks on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action. In this url redirect and url parameters are vulnerable to XSS. PoC:...
Topcoder: Stored XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action
Summary: Hi : Adding a javascript URL causes stored XSS when creating a bookmark. Steps To Reproduce: Go to https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action . Write javascript:alert(document.domain) in the url input and fill the other areas. After create, go...
Open-Xchange: Pre-auth Denial-of-Service in Dovecot RPA implementation
Hi, Dovecot security team. I am Orange from DEVCORE security team. We just did a little security audit on the authentication mechanism of Dovecot, and found a buffer over-read in the RPA implementation. In mech-rpa.c, the function rpa_read_buffer doesn't check that the length could be zero, and pas...
Open-Xchange: Pre-auth buffer over-read in Dovecot NTLM implementation
Hi, Dovecot security team. I am Orange from DEVCORE security team. We just did a little security audit on the authentication mechanism of Dovecot, and found a buffer over-read in the NTLM implementation. The structure of an NTLM field is defined in ntlm-types.h: struct ntlmssp_buffer { uint16_t length; /...
Topcoder: Reflected XSS on https://apps.topcoder.com/wiki/pages/createpage.action
Summary: Hi : A reflected XSS occurs on https://apps.topcoder.com/wiki/pages/createpage.action when creating wiki pages. Steps To Reproduce: A user can create wiki pages on https://apps.topcoder.com/wiki/pages/createpage.action?spaceKey=tcwiki. In this url parentPageString and labelsString...
Topcoder: Reflected XSS on https://apps.topcoder.com/wiki/page/
Summary: Hi : A reflected XSS occurs on https://apps.topcoder.com/wiki/pages/doeditattachment.action when editing wiki pages attachments. Steps To Reproduce: A user can add attachments on https://apps.topcoder.com/wiki/pages/viewpageattachments.action?pageId=165871793 a wiki page and can edit on...
Topcoder: Reflected XSS on https://apps.topcoder.com/wiki/
Summary: Hi : A reflected XSS occurs on https://apps.topcoder.com/wiki/plugins/tinymce/wysiwyg-insertlink.action when creating wiki pages. Steps To Reproduce: A user can create wiki page on https://apps.topcoder.com/wiki/pages/createpage.action?spaceKey=tcwiki. A url can be inserted this page. Wh...
Brave Software: HTTP Request Smuggling
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being awa...
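The Helium and Brave entries above describe request smuggling in general terms and the Basecamp entry describes its effect (a poisoned back-end socket whose response is served to the next visitor). The example below is added here and is not code from any of those reports; it models the "interpreted inconsistently" step with two deliberately minimal HTTP/1.1 body-framing parsers run over the same byte stream. The request bytes, hostnames and paths are constructed for the example.

```javascript
// Added example (not code from the Helium, Brave or Basecamp reports): two
// deliberately minimal HTTP/1.1 body-framing models that disagree on the same
// byte stream. Parser 1 frames by Content-Length only (a front end that ignores
// Transfer-Encoding); parser 2 honours Transfer-Encoding: chunked when present,
// as RFC 7230 requires. Hostnames and paths below are constructed.

function splitHead(buf) {
  const end = buf.indexOf("\r\n\r\n");
  if (end < 0) return null;                       // incomplete head
  const lines = buf.slice(0, end).split("\r\n");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i < 0) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { requestLine: lines[0], headers, bodyStart: end + 4 };
}

// Framing rule 1: the body is exactly Content-Length bytes.
function parseByContentLength(buf) {
  const h = splitHead(buf);
  const len = parseInt(h.headers["content-length"] || "0", 10);
  const bodyEnd = h.bodyStart + len;
  return { requestLine: h.requestLine, body: buf.slice(h.bodyStart, bodyEnd), rest: buf.slice(bodyEnd) };
}

// Framing rule 2: a chunked body ends at the zero-size chunk; Content-Length is ignored.
function parseByTransferEncoding(buf) {
  const h = splitHead(buf);
  if ((h.headers["transfer-encoding"] || "").toLowerCase() !== "chunked") return parseByContentLength(buf);
  let pos = h.bodyStart, body = "";
  for (;;) {
    const lineEnd = buf.indexOf("\r\n", pos);
    if (lineEnd < 0) throw new Error("truncated chunked body");
    const size = parseInt(buf.slice(pos, lineEnd), 16);
    pos = lineEnd + 2;
    if (size === 0) { pos += 2; break; }          // skip the empty trailer section + CRLF
    body += buf.slice(pos, pos + size);
    pos += size + 2;                               // chunk data + CRLF
  }
  return { requestLine: h.requestLine, body, rest: buf.slice(pos) };
}

// Read a connection's byte stream as consecutive requests under one framing rule.
function parseStream(buf, parser) {
  const lines = [];
  while (splitHead(buf)) { const r = parser(buf); lines.push(r.requestLine); buf = r.rest; }
  return lines;
}

// Hardening check a front end should apply: a request carrying both framing
// headers is ambiguous and must be rejected (or normalised to a single header).
function isAmbiguousFraming(buf) {
  const h = splitHead(buf);
  return !!h && "content-length" in h.headers && "transfer-encoding" in h.headers;
}

// Constructed CL.TE attack request followed by an innocent request from another
// user that the front end forwards down the same back-end connection.
const attacker =
  "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n" +
  "0\r\n\r\nG";
const victim = "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n";

function frontEndView() { return parseStream(attacker + victim, parseByContentLength); }
function backEndView()  { return parseStream(attacker + victim, parseByTransferEncoding); }
// frontEndView() -> ["POST / HTTP/1.1", "POST /login HTTP/1.1"]
// backEndView()  -> ["POST / HTTP/1.1", "GPOST /login HTTP/1.1"]  (the leftover "G" prefixed the victim)
```

The front end forwards six body bytes as one request; the back end stops the chunked body at the zero chunk and keeps the trailing "G" as the start of the next request, which is how the victim's request line becomes "GPOST". A real attacker leaves a complete smuggled request in that leftover rather than a single byte, which is what produces the poisoned response the Basecamp entry describes.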
Unikrn: Lack of Input sanitization leads to database Character encoding configuration Disclosure
Summary: The email input field during registration is not properly sanitized, which leads to an SQL error. Steps To Reproduce: During registration use the '💩' character in the email field. Impact Information Exposure Through an Error Message ███████...
MTN Group: XMLRPC, Enabling XPSA and Bruteforce and DOS + A file disclosing installer-logs.
Summary: XMLRPC+Installerlogs+BackupFilename+Adminusername+disclosure Steps To Reproduce: 1. I was able to successfully exploit XMLRPC with the traditional method; the brute-force was done, the username was there in the Installer Logs 2. The path to XMLRPC is http://13.92.255.102/xmlrpc.php + the...
Nord Security: Incorrect control of the trial period
The report by @corryl identified an issue with service expire time validation. A user was able to bypass the subscription period validation checks which in turn allowed a user to use our service for free for a certain time...
Nextcloud: Bypass hide download Nextcloud Share
Summary Hello everyone, while accidentally browsing through Nextcloud, I have found a small vulnerability on the Nextcloud server. This vulnerability allows downloading the file when the download function has been hidden. Here are the error details. If anything is wrong please respond to me. Thank you...
Open-Xchange: Blind SSRF in /appsuite/api/oxodocumentfilter&action=addfile
Summary Logic in AddFileAction.getImageDataFromUrl for fetching images from external URLs when handling /appsuite/api/oxodocumentfilter&action=addfile implemented here validates the redirected URLs only after following all redirects: response = httpClient.execute(getRequest, context); int...
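The flaw in this entry is an ordering problem: the destination is checked once, after every redirect has already been followed, so an internal address reached through a redirect is fetched before it is rejected. The following is an added example, not Open-Xchange's code, showing the reported order of operations next to the hardened one that checks the URL before each hop. The transport is a stub lookup table so it runs offline; the hostnames, paths and metadata response are constructed for the example.

```javascript
// Added example (not Open-Xchange's code): fetching a resource by URL while
// checking the destination before every redirect hop, against the pattern in
// the report where the check ran only once, after all redirects had already
// been followed. The transport is a stub lookup table so this runs offline;
// the hostnames, paths and metadata response are constructed.

function isPrivateIPv4(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Policy for outbound fetches: http(s) only, no loopback, link-local or RFC 1918
// literals. Real code must also resolve the hostname, apply the same check to
// every resolved address, and connect to the checked address (DNS rebinding).
function isAllowedUrl(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  const host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  return !(host === "localhost" || host === "::1" || isPrivateIPv4(host));
}

// Follow redirects via `transport(url) -> {status, location?, body?}`.
// checkEachHop=true is the hardened behaviour; false reproduces the reported
// order of operations (fetch everything first, validate the final URL last).
function follow(startUrl, transport, checkEachHop, maxHops = 5) {
  let url = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (checkEachHop && !isAllowedUrl(url)) throw new Error("blocked: " + url);
    const resp = transport(url);
    if (resp.status >= 300 && resp.status < 400 && resp.location) {
      url = new URL(resp.location, url).href;    // resolve a relative Location too
      continue;
    }
    if (!checkEachHop && !isAllowedUrl(url)) throw new Error("blocked too late: " + url);
    return { url, body: resp.body };
  }
  throw new Error("too many redirects");
}

// Stub network: a public-looking image URL that redirects to the cloud
// metadata address. `requested` records every URL actually fetched.
function makeTransport() {
  const requested = [];
  const table = {
    "https://images.example.test/logo.png": { status: 302, location: "http://169.254.169.254/latest/meta-data/" },
    "http://169.254.169.254/latest/meta-data/": { status: 200, body: "ami-id\ninstance-id\n" },
  };
  return { requested, transport: (url) => { requested.push(url); return table[url] || { status: 404, body: "" }; } };
}

function demo(checkEachHop) {
  const { transport, requested } = makeTransport();
  let outcome;
  try { outcome = follow("https://images.example.test/logo.png", transport, checkEachHop).body; }
  catch (e) { outcome = e.message; }
  return { outcome, requested };
}
// demo(false).requested has 2 entries: the metadata endpoint was hit before the check ran.
// demo(true).requested has 1 entry: the redirect target was rejected before being fetched.
```

Even with the late check the caller sees an error, which is why the report classifies it as blind: the request to the internal address has already been made and only its body is withheld.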
MTN Group: SQL Injection on the administrator panel
Hello team. The admin panel of the website mtngbissau.com is vulnerable to SQL injection via https://mtngbissau.com/webadmin/index.php Request POST /webadmin/index.php HTTP/1.1 Host: mtngbissau.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept:...
U.S. Dept Of Defense: Arbitrary file upload and stored XSS via ███ support request
Summary: A malicious user can upload files of any type when submitting a support request. Impact This would allow the attacker to upload malicious executable files as well as .html or .svg files which would allow the attacker to execute malicious code on behalf of the ████ customer support...
Open-Xchange: reading the stack data of the imap process
In dovecot/core, in the file imap-client-hibernate.c, in the function imap_hibernate_handshake, lines 31..39 contain vulnerable code: else if ((ret = read(fd, buf, sizeof(buf)-1)) > 0 && buf[ret-1] == '\n') { buf[ret-1] = '\0'; if (version_string_verify(buf, "imap-hibernate", 1)) return 0; i_error("%s sent invalid...
Node.js third-party modules: [xps] Command Injection via insecure command concatenation
I would like to report a Command Injection issue in the xps module. It allows to execute arbitrary commands on the victim's PC. Module module name: xps version: 1.0.2 npm page: https://www.npmjs.com/package/xps Module Description xps is a cross-platform library for listing and killing processes...
Helium: unpermitted user can change the device name of admin account
An invited user with only the read-only permission can change the device name in the admin account. 1. Create two accounts 'A' and 'B' in console.helium. 2. Invite account 'B' from 'A', giving it the read-only permission. 3. In account 'B', try to delete the organization created by admin account 'A' and...
Glassdoor: Get all personal email IDs of Glassdoor users[No user interaction required]
Thanks @safehacker2715 for reporting this finding to us and for your great work with a PoC. Keep up the good work and looking forward to more findings from you. Glassdoor sent me an email asking me to upload my resume on Job portal. This email provided a direct link to the upload screen...
Node.js third-party modules: [vboxmanage.js] Command Injection via insecure command concatenation
I would like to report a Command Injection issue in the vboxmanage.js module. It allows to execute arbitrary commands on the victim's PC. Module module name: vboxmanage.js version: 1.0.6 npm page: https://www.npmjs.com/package/vboxmanage.js Module Description A wrapper for VirtualBox CLI with...
Lark Technologies: Hyper Link Injection while signup
A hyperlink injection attack was reported on the Lark website. This flaw has since been remediated. We thank @susantwagle123 for reporting this to our team and confirming the resolution...
Zomato: Page has a link to google drive which has logos and a few customer phone recordings
Description: Go to ███████ Refer to the screenshot below ██████ As you can see in the above image, there is a link to access Zomato logos. This redirected me to a Google Drive page which not only had logos but also customer care recordings where sensitive information like customer mobile...
Node.js third-party modules: Prototype Pollution lodash 4.17.15
I would like to report Prototype Pollution in lodash version 4.17.15 It allows Denial of Service and more. Module module name: lodash version: 4.17.15 npm page: https://www.npmjs.com/package/lodash Module Description The Lodash library exported as Node.js modules. Module Stats 27M in the last wee...
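The class of bug named in this entry does not depend on lodash in particular: any recursive merge that walks into `target[key]` for a key named `__proto__` ends up writing into `Object.prototype`. The example below is added here and is not lodash's code; it reproduces the problem with a small hand-written merge, shows the privilege-escalation and denial-of-service consequences the summary alludes to, and places a hardened merge beside it. The JSON inputs are constructed for the example.

```javascript
// Added example (not lodash's code): the bug class behind the lodash 4.17.15
// report, reproduced with a small hand-written recursive merge. Merging
// attacker-controlled JSON whose key is "__proto__" walks up into
// Object.prototype, so every object in the process gains the injected
// properties. The JSON documents below are constructed for the example.

function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes into the shared prototype.
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach a prototype, and only ever recurse into
// the target's own properties.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== "object") target[key] = {};
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker payloads: one grants a property to every object, the
// other replaces Object.prototype.toString with a non-function.
const privilegeJson = '{"user":{"name":"eve"},"__proto__":{"isAdmin":true}}';
const dosJson = '{"__proto__":{"toString":"not a function"}}';

// Returns true when an unrelated empty object has inherited isAdmin.
function demoPrivilegeEscalation(merge) {
  try {
    merge({}, JSON.parse(privilegeJson));
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;       // undo the pollution for the rest of the process
  }
}

// Returns true when String({}) throws, i.e. the pollution broke a basic
// operation that unrelated code relies on (the denial-of-service angle).
function demoDenialOfService(merge) {
  const original = Object.prototype.toString;
  try {
    merge({}, JSON.parse(dosJson));
    String({});
    return false;
  } catch (e) {
    return e instanceof TypeError;
  } finally {
    Object.prototype.toString = original;
  }
}
```

Skipping the three keys is the minimal fix; the stronger pattern is to build merge targets with `Object.create(null)` (or `Map`) so that there is no prototype to reach, and to parse untrusted JSON into such objects before it touches any merge, clone or set-by-path helper.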
Kubernetes: No valid SPF records
There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an...
Mail.ru: [panel.city-mobil.ru/admin/] Blind XSS via partner name (similar to #746505)
It was possible to cause an XSS condition in the admin panel of Citymobil by setting a malformed partner name in https://fleet.city-mobil.ru/front/ The issue is really similar to 746505. The original issue was exploited via editing an existing user - we could add a blind XSS payload during user editing. The...
Slack: Workspace configuration metadata disclosure
Slack allows users to create a Workspace using the Get Started page, located at https://slack.com/get-started/create. This process uses workspace metadata to direct the user-provided email address to existing Slack accounts. However, if a domain pertaining to an Enterprise customer is submitted...
Node.js third-party modules: [diskstats] Command Injection via insecure command concatenation
I would like to report a Command Injection issue in the diskstats module. It allows to execute arbitrary commands on the victim's PC. Module module name: diskstats version: 0.0.2 npm page: https://www.npmjs.com/package/diskstats Module Description This library uses df to pull disk information suc...
U.S. Dept Of Defense: RXSS - https://███/
Hello All, I found RXSS in your own website. Steps:- Add an XSS payload to /████?view= Example:- https://████/█████████?view=%3Cscript%3Ealert(%22xElkomy%22)%3C/script%3E Payloads:- Any XSS payloads Fix:- Filter input on arrival. Encode data on output. Use appropriate response headers. Content Security...
Mail.ru: Cross-organization data access in city-mobil.ru
A legitimate partner's superuser account could have access to information of drivers belonging to a different partner, including passport and driving license data. Combined Improper Access + IDOR It was possible to get access to the passport and driving license of any taxi driver. As well as change settings...
Kubernetes: Compromise of node can lead to compromise of pods on other nodes
Hi Kubernetes team, Summary: If an attacker manages to escape e.g. a privileged container and gains access to the underlying node, it can replace the Kubelet process listening on port 10250/10255 on the node. A fake Kubelet server issuing 301 redirects can trick 'kubectl' or other clients into...
Node.js third-party modules: [extra-asciinema] Command Injection via insecure command formatting
I would like to report a Command Injection issue in the extra-asciinema module. It allows to execute arbitrary commands on the victim's PC. Module module name: extra-asciinema version: 1.0.5 npm page: https://www.npmjs.com/package/extra-asciinema Module Description asciinema is a terminal screen...