15270 matches found
Node.js third-party modules: [devcert] Command Injection via insecure command formatting
I would like to report a Command Injection issue in the devcert module. It allows executing arbitrary commands on the victim's PC. Module module name: devcert version: 1.1.0 npm page: https://www.npmjs.com/package/devcert Module Description devcert - Development SSL made easy Module Stats 276,46...
Concrete CMS: SSRF bypass
This simply describes a bypass for report at https://hackerone.com/reports/243865, using a decimal notation encoded IP address 0177.0.0.1 currently bypasses the limitations in place for localhost. crayons re-submitting report including "magic" string Concrete5 version used is 8.5.2 Impact...
Reddit: XSS in redditmedia.com can compromise data of reddit.com
Description Hi, I would like to report an XSS in redditmedia.com that can affect the reddit.com application. The redditmedia.com domain is the domain that reddit.com uses to get all the thumbnails of any post. I found that redditmedia.com/gtm/jail uses the "id" parameter to get a valid GTM id...
Mail.ru: bit.games - sql-inj
Hi team. bit.games has an image upload service. On it I found a sql-inj. Domain: https://bit5.ru/ Vulnerable request: POST /filter/ajaxgetnewcontents?style=icons&sort=order&ord=desc&folders=42446&lastcontentid=1 HTTP/1.1 Host: bit5.ru User-Agent: Java Accept: application/json,...
Nuri: GraphQL introspection query works through unauthenticated WebSocket
Summary: It is possible to execute GraphQL introspection query through unauthenticated WebSocket connection. PoC included. Steps To Reproduce: To simplify reproducing I provided a simple html PoC file. 1. Start python static http server in directory with poc file: python3 -m http.server this step...
U.S. Dept Of Defense: No Rate Limiting on https://██████/██████████/accounts/password/reset/ endpoint leads to Denial of Service
Summary: No rate limit on the password reset endpoint results in the mail-spam functionality being abused. Additionally, the password-reset link remains the same after each request. Description: A malicious user could spear-target a █████████ user's mail and spam it with as many requests as he would like. Possible...
LY Corporation: Spring Actuator endpoints publicly available, leading to account takeover
Due to insufficient access controls, it was possible to access the Spring Boot Actuator endpoints /heapdump and /env. The /heapdump endpoint leaks data from the Java Virtual Machine, leading to disclosure of admin credentials, user tokens and a combination of other data. This endpoint was not...
Semrush: OAuth `redirect_uri` bypass using IDN homograph attack resulting in user's access token leakage
Issue Summary: It was found that the SEMrush OAuth implementation fails to properly validate the value of the `redirect_uri` parameter, which was bypassed using an IDN homograph attack, resulting in leaking the user's access token to an attacker-controlled domain name. The IDN homograph attack exploits the fact...
RGhost: Idor on the DELETE /comments/
Summary: IDOR on /comments Steps To Reproduce: Make sure you have 2 different IDs to maintain 2 different sessions for certainty 1. The request can be tampered with the ID of a different comment; both the edit and delete functions can be used 2. Delete gets hampered by the Captcha which is thrown, but...
Elastic: Remote Code Execution in coming Kibana 7.7.0
Summary: Kibana 7.7.0 as per commit c5f682cb is vulnerable to a remote code execution vulnerability that is similar to the one reported in https://hackerone.com/reports/852613 Kibana 7.7.0 is not released, so this is an experiment. I know that getting these reports is more valuable to Elastic pri...
Clario: Cookie injection leads to complete DoS over whole domain *.mackeeper.com. Injection point accountstage.mackeeper.com/
Summary: The cookie bomb works by setting large cookies that are way too big, making the server decline any request sent with them for having a too long request header. PoC 1. Open the link below and click on the link https://unequaledfloor.htmlpasta.com/ 2. Now open https://accountstage.mackeeper.com/ or...
HackerOne: Attacker with an Old account might still be able to DoS ctf.hacker101.com by sending a Crafted request
Summary: By sending a crafted request to ctf.hacker101.com, a very long delay with an error 502 response has been observed. I suspect that if I made this request in multiple tabs of my browser concurrently, it may cause ctf.hacker101.com to crash; that's why I haven't tried it. Description: By...
LY Corporation: SSRF restricted to HTTP/HTML on LINE Social Plugins (https://social-plugins.line.me/)
LINE Social Plugins https://social-plugins.line.me/ is a service that provides LINE users with content sharing on the web. This SSRF attack was caused by bypassing the DNS verification of the parameter value received to check the page information of shared content. Attacks were only possible with...
Shopify: Staff member with no permission can delete POS staff from account settings
Hello Team Description Shopify POS also has staff settings only for POS purposes where an admin can add POS Shopify staff along with fname,lname, email address, and generated pin. Reference - https://help.shopify.com/en/manual/sell-in-person/pos-classic/setup/staff-settings After creation, Shopif...
Shopify: A staff without export customers permissions can still export customers CSV file
Steps To Reproduce: 1. Login as staff without export customers permissions but with customers permissions. 2. Go to customers pages, you can still export customers CSV file. F805311 F805312 F805313 Impact A staff without export customers permissions can still export customers CSV file...
Kubernetes: Bypass apiserver proxy filter
Report Submission Form Summary: TL,DR: Time-of-check apiserver proxy filter Time-of-use apiserver proxy request Race Condition. When the apiserver is proxying a request to a node though one of its addresses, it performs a filter validation. If the address type is a DNS record Hostname, ExternalDN...
Acronis: Flash Based Reflected XSS on www.grouplogic.com/jwplayer/player.swf
Hello there, I hope you are well! Steps: 1. Open Firefox. 2. Go to http://www.grouplogic.com/jwplayer/player.swf?playerready=alertdocument.domain You will see the XSS alert. Impact Reflected XSS Regards, @mygf...
Acronis: Reflected XSS on www.grouplogic.com/video.asp
Hello there, I hope you are well! PoC: http://www.grouplogic.com/video.asp?v=Acroxx1%22%3C/script%3E%3Cscript%3Ealertdocument.cookie%3C/script%3EsaE&e=mp4&width=560&height=315 Impact Stealing cookies Best Regards, @mygf...
Stripo Inc: CORS on my.stripo.email
Hey Team i don't know if it's valid or not i just want to let you know about this thanks. following the HTML File .. var req = new XMLHttpRequest; req.onload = reqListener; req.open'get','https://my.stripo.email/cabinet/stripo-ws/v1/stripo-websocket/info?t=1587908666898',true; req.withCredentials...
LY Corporation: Path traversal in ZIP extract routine on LINE Android
@kanytu discovered that LINE Keepa file storage service in the LINE App contains an unsafe unzipping pattern, which can potentially be exploited to launch Path traversal attack. The reporter proved that it can lead to overwriting files in the LINE app's private folders under certain conditions by...
Acronis: Reflected XSS on http://www.grouplogic.com/files/glidownload/verify.asp
Hello there, I hope you are well! As I see, Group Logic is your subsidiary and www.grouplogic.com is a website managed by Acronis. F803772 I found a reflected XSS on http://www.grouplogic.com/ PoC:...
Mail.ru: [capsula.mail.ru] overriding order info
IDOR vulnerability in order editing functionality of capsula.mail.ru allowed to override the incomplete unsubmitted order saved for later...
U.S. Dept Of Defense: Reflected XSS and HTML Injection on a DoD website
Summary: I found XSS and HTML injection vulnerabilities on one of the DoD websites Description: When doing the XSS tests I used this payload: alert "XSS" and when running it I noticed that the server returned a 403 Forbidden error, but it was easy to do a bypass; I just modified the javascript tags i...
GitLab: Stored XSS in group issue list
Hello Gitlab! To reproduce the bug, we need to enable the "vueissuableslist" feature in Gitlab. This feature is not enabled by default, but I think it would be better to fix this issue before this feature is permanently available. Steps to reproduce: 1. Run Gitlab docker run --detach --hostname...
Nextcloud: Malicious apps can crash Nextcloud Android client by sending malformed intents
Not sure if this can be tracked as a security issue, but this definitely calls for a code change. This can be classified into the Denial of Service category of attack and can seriously hamper user experience. Asset: Nextcloud Android Client com.nextcloud.client Version: 3.11.1 latest Details The Nextclou...
Shopify: CircleCI token in github repo allows for access to sensitive build information
While looking through some Shopify Github repos I came across the following CircleCI token: ca84774a88598f639b174d498c219163e04adbb2 in the js-buy-sdk repo. curl https://circleci.com/api/v1.1/me?circle-token=ca84774a88598f639b174d498c219163e04adbb2 returns information about the user which confirm...
HackerOne: Potential stored Cross-Site Scripting vulnerability in Support Backend
HackerOne maintains an internal Support Backend system for employees. On the internal user profiles for hackers, a small overview is shown that lists the skills the user tagged their penetration tester profile with. Although the skills are currently managed by HackerOne and a user can only pick...
Elastic: Stored XSS in TSVB Visualizations Markdown Panel
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: An authenticated user can save...
Open-Xchange: Recursor accepts unsigned, empty NXDOMAINs in secure zones
Hi! This is a slightly edited version of the email I sent to the project's security contacts on 2020-04-21. Open-Xchange confirmed it and asked me to resubmit it here. --- Subject: Recursor may be accepting unsigned, empty NXDOMAINs in secure zones I can easily reproduce this against Cloudflare's...
Node.js third-party modules: [wireguard-wrapper] Command Injection via insecure command concatenation
I would like to report a Command Injection issue in the wireguard-wrapper module. It allows executing arbitrary commands on the victim's PC. Module module name: wireguard-wrapper version: 1.0.2 npm page: https://www.npmjs.com/package/wireguard-wrapper Module Description This project is a nodejs...
GitLab: Insufficient Type Check on GraphQL leading to Maintainer delete repository
Summary As you know, a Maintainer cannot delete/archive a repository. But via GraphQL they can, as there exists an insufficient check on the GraphQL API app/graphql/mutations/snippets/destroy.rb ruby def resolveid: snippet = authorizedfind!id: id response = ::Snippets::DestroyService.newcurrentuser...
Starbucks: Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number
nnez discovered that after a successful card balance transfer between two of their own registered Thailand Starbucks cards, they could update the 2nd card number URL parameter to another known Thailand Starbucks card number and view that 2nd card balance. @nnez — thank you for reporting this...
Starbucks: CRLF injection on www.starbucks.com
The vulnerability allows setting arbitrary headers, and also enables response splitting which can then be exploited further. POC: curl -i 'https://www.starbucks.com/email-prospecttg9wh%0d%0aset-cookie:foo%0d%0a%0d%0a4t6uf?requesturl=/responsibility/global-report/policies' -d...
Acronis: anti_ransomware_service.exe REST API does not require authentication
antiransomwareservice.exe exposes a REST API that can be used by everyone, even unprivileged users. This API is used to communicate from the Acronis True Image 2020 GUI to the antiransomwareservice.exe. This can be exploited to add an arbitrary malicious executable to the whitelist or even exclude...
Acronis: Denial of Service in anti_ransomware_service.exe via logs files
antiransomwareservice.exe keeps a log in a folder where any unprivileged user has write permissions. The logs are generated in a predictable pattern allowing the unprivileged user to create a hardlink from the, not yet created, log file to the antiransomwareservice itself. On reboot, this forces...
Acronis: Local Privilege Escalation in anti_ransomware_service.exe via quarantine
antiransomwareservice.exe includes a functionality to quarantine files which will copy the suspected ransomware file from one directory to another using SYSTEM privileges. As any unprivileged user has write permissions in the quarantine folder, it is possible to control this privileged write with...
Nextcloud: Cross site scripting - XSRF Token
Please follow below mentioned steps for reproducing the vulnerability. 1. Open URL: https://nextcloud.com/enterprise/buy/ 2. Fill up valid name and email address and put payload in other fields. Payload/s: 3. Submit it 4. Open email address you mentioned in the email field. 5. Open up the email...
Cuvva: Time-limit Bypassing, Rate-limit Bypassing and Spamming at https://ops.cuvva.co
Hello cuvva secteam, Hope you are well and safe Summary When trying to sign in at https://ops.cuvva.com: 1. There is no checking if supplied email is valid before sending login link Note: the sent login links do not work but this bug can be used for spamming any supplied email. 2. The time-limit...
U.S. Dept Of Defense: CSRF - Modify Company Info
Target Url ███/services/user/manageAccountCompany Summary: Similar to ███████, but on a different endpoint. The application is missing a CSRF Token on the edit company info endpoint. This leads to a CSRF attack. Bypassing Content-Type The application is only accepting Content-Type as application/json. Thi...
GitLab: Stored XSS on PyPi simple API endpoint
Summary The recently released PyPi package feature has a new endpoint at /api/:version/projects/:id/packages/pypi/simple/packagename which exposes an HTML page listing the package versions. The packagelink's are generated using the following code: packagepresenter.rbL50 ruby def packagelinkurl,...
Node.js third-party modules: [flsaba] Stored XSS in the file and directory name when directories listing
I would like to report a Stored XSS in the module "flsaba". It allows injecting malicious scripts into file and directory names, storing them on the server, and then executing these scripts in the browser via the XSS vulnerability. Module module name: https://www.npmjs.com/package/flsaba version: 1.1.0 npm...
GitLab: Stored XSS on the job page
Hello Gitlab! Steps to reproduce: 1. Run Gitlab docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest 2. Create a new project with README.md 3. Go to Operations-Kubernetes 1. Click on the "Add Kubernetes cluster"...
U.S. Dept Of Defense: CSRF - Close Account
Target Url ████/services/user/closeAccount Summary: Hello, I found a Cross Site Request Forgery bug in the target endpoint on the POST request /█████/services/user/closeAccount, which is critical because it can delete the authenticated user's account whenever he navigates to the attacker's website or link...
Stripo Inc: [www.stripo.email] There is no rate limit for /it/contact-us/ endpoints
The speed limit for the https://stripo.email/it/contact-us endpoint has not been implemented...
Stripo Inc: [www.stripo.email] There is no rate limit for contact-us endpoints
Summary The speed limit for the https://stripo.email/es/contact-us endpoint has not been implemented. Steps To Reproduce 1. Go to the https://stripo.email/es/contact-us 2. Turn on blocking and fill out the contact form 3. Send request to Intruder. 4. Set your payloads and start attack. 5. There i...
Mail.ru: XSS on https://deti.mail.ru/
deti.mail.ru allowed to insert javascript: links into post content leading to self XSS possibility on message editing...
Starbucks: China - Open redirect at trackinghub.starbucks.com.cn
m82a1 discovered an open redirect at https://trackinghub.starbucks.com.cn/trackinstallation due to improper validation of the redirecturl parameter. @m82a1 — thank you for reporting this vulnerability...
Shopify: Account takeover intercepting magic link for Arrive app
Summary The "magic link" used for login by the Arrive app uses Branch.io to pass the login token via deeplink to the app. But the URL contained in the link's app.link domain is not verified, so it can be intercepted by a malicious app and take over the account. Description When trying to login with Arrive...
Mail.ru: Cross-Site Request Forgery (CSRF) in comment update - api.my.games
CSRF vulnerability in api.my.games allowed updating a store.my.games blog comment with a cross-site request...
Nextcloud: No set limit to try to login in "https://auth.nextcloud.com/auth/realms/master/protocol/openid-connect/auth" page.
Hi. I checked the "https://nextcloud.com" page, and tried to go to the wp-admin page. Then, I found the login page "https://auth.nextcloud.com/auth/realms/master/protocol/openid-connect/auth". On this page, I tried to login more than 10 times manually! I think that I can try to brute force this login...