Shopify: Account takeover intercepting magic link for Arrive app
Summary The "magic link" used for login by the Arrive app uses Branch.io to pass the login token via deeplink to the app. But the URL contained in the app.link domain link is not verified, so it can be intercepted by a malicious app to take over the account. Description When trying to login with Arrive...
Mail.ru: Cross-Site Request Forgery (CSRF) in comment update - api.my.games
CSRF vulnerability in api.my.games allowed to update store.my.gamesb log comment with cross-site request...
Nextcloud: No set limit to try to login in "https://auth.nextcloud.com/auth/realms/master/protocol/openid-connect/auth" page.
Hi. I checked the "https://nextcloud.com" page, and tried to go to the wp-admin page. Then, I found the login page "https://auth.nextcloud.com/auth/realms/master/protocol/openid-connect/auth". In this page, I tried to login more than 10 times manually! I think that I can try to brute force this login...
GitLab: Injection of `http.<url>.*` git config settings leading to SSRF
Summary When importing a repo with credentials via a URL, gitaly generates the git clone command with a -c flag to add the Authorization header: https://gitlab.com/gitlab-org/gitaly/-/blob/master/internal/service/repository/createfromurl.go#L37 go flags = appendflags, git.ValueFlagName: "-c", Value:...
Mail.ru: Cross-Site Request Forgery (CSRF) in my.games API
CSRF vulnerability allowed to add/delete/edit store.my.games comments...
Stripo Inc: [www.stripo.email] You can override the speed limit by adding the X-Forwarded-For header.
Summary In https://stripo.email/template-order I think you have implemented rate limiting via 429 status code for too many requests, but in reality it is not. An attacker could bypass the 429 speed limit by adding an X-Forwarded-For header. Steps To Reproduce 1. Go to the...
Mail.ru: Vertical Privilege Escalation on {target.my.com}
target.my.com user with read-only privilege can elevate privilege to add another user to project...
Brave Software: No rate limiting for confirmation email lead to email flooding and leads to enumeration of emails in publishers.basicattentiontoken.org
There is no bruteforce protection here https://publishers.basicattentiontoken.org/publishers when I try to change the account's contact email. Also the actual thing is when I put an existing email in the above url's "publisherpendingemail" parameter I get an error response status 400 Bad Request But...
Monero: Unix time unlock_time values have dangerous validation rules enabling a number of exploits
Initially found by TheCharlatan, discussed with and expanded on by Isthmus, impacts all releases of monero and monero wallets Description The unlock_time field in a monero transaction dictates when a transaction's outputs can be spent again. This rule is enforced by the consensus code in...
U.S. Dept Of Defense: Unrestricted file upload leads to stored xss on https://████████/
Summary: When the user wants to upload a "certificate", the web app doesn't check the content-type of the file. A user can upload any kind of file (binary, html, ...). Step-by-step Reproduction Instructions 1. Create an account at https://██████/████████/app/registration/basic-info 2. When you are...
GitHub Security Lab: Initial websocket support for Javascript (SockJS)
This bug was reported directly to GitHub Security Lab...
X (Formerly Twitter): Brute-forcing user passwords has no rate limiting
The login function at http://www.twitter.com has an issue: it only limits the number of failed login attempts for a single user, and does not limit trying a fixed password against different users, or credential stuffing. Please follow the video to reproduce; otherwise this issue cannot be reproduced. Impact Brute-forcing user passwords has no rate limiting...
Shopify: Self XSS in Timeline
Copy the url javascript: XSS payload to any Timeline, then clicking the url will trigger XSS. F796167 F796161 I previously reported a storefront url XSS at 841361, so an admin copying the url to the Timeline is possible. Impact Self XSS...
Palo Alto Software: IDOR on update user preferences
Summary: Team member with role USER can change data of any user in the team, or steal his cookies, or steal the account of the victim via the forgot password function. Steps To Reproduce: 1. Log in as user1, the user with role admin, and invite user2, setting his role to user. 2. Log in as user2, open Mail...
U.S. Dept Of Defense: PulseSSL VPN Site with Compromised Creds @ ████
Dear US DoD, Back in 2019, I had reported that a pulseSSL VPN server owned by US DoD can be compromised by a publicly available exploit. The report is████████. As a result, the userid and passwd db was also compromised. I found that at least 1 userid and password combination from that compromised...
Mail.ru: Unrestricted file upload on [ambassador.mail.ru]
PHP code execution was possible via file upload functionality in ambassador.mail.ru An attacker was able to execute arbitrary PHP code on the server through the image uploading functionality. The vulnerability was quickly fixed by the Mail.ru team...
LY Corporation: Improper Access Control in LINE Timeline API that returns a list of hidden friends
Due to an insufficient access control check in an API endpoint for LINE Timeline function, it was possible for an attacker to retrieve a hidden list of any LINE users. Users can configure the hidden list not to show someone's post on their Timeline. Using this vulnerability, an attacker can get a...
Mail.ru: "😂" + Unauthenticated Stored XSS in API at https://api.my.games/comments/v1/comments/update/
Cross-site scripting in community.my.games via post comments due to incomplete fix for 848732 I have been working on this issue for 2 hours and over 300 fails. Finally, I could exploit with a very exotic XSS payload. Payload with an emoji, a little trick: %F0%9F%98%82!--😂//=...
8x8: Directory listing of https://get8x8.com/
The marketing domain get8x8.com was using default Apache directory configurations with indexing enabled...
GitLab: Unauthorized access to private project security dashboard
Summary User with guest permissions can't view security dashboard of the private project. However, this is not applied when user permission changes from maintainer to guest. As a result, if user was previously a maintainer in the project he/she can add the project to their security dashboard and...
MTN Group: Disclosure of internal information using hidden NTLM authentication leading to an exploit server
By using a GET request on the url http://www.mtncongo.net/fr/Pages/ of the blog, we collect sensitive information from blogs. Step: Typically, when visiting a website http://www.mtncongo.net/ or directory http://www.mtncongo.net/fr/Pages/ requiring privileged access, the server will initiate a logi...
Semrush: Broken validation of user Id for JWT Token
Traffic Analytics Tool TA uses JWT tokens to store user subscription information without any kind of personal information. JWT tokens are created by passing a user ID. There was an error with validation of user Id for JWT token...
Shopify: IDOR on stocky application-Low Stock-Variant-Settings-Columns
Hello, I have found an IDOR on the stocky application Low Stock-Variant-Settings-Columns attribute; in fact a malicious user can change the columns of another user. POC: 1. Create two users A and B, login to A and create a store, test.myshopify.com; login to user B and create a store test1.myshopify.com...
Mail.ru: [city-mobil.ru] SSRF & limited LFR on /taxiserv/photoeditor/save endpoint via base64 POST parameter
Vulnerability in photo editing functionality of https://city-mobil.ru/taxiserv/ allowed SSRF requests to internal services and local file read ability limited to image files. ¯\ツ/¯ I don't understand how I have missed it during fix validation of 748123 report. It's partly blind SSRF & LFR, which...
Nextcloud: Reduced permutations on encryption
OC\Security\SecureRandom::generate Reduced Permutations OC\Security\SecureRandom::generate will by default use a 64-character set (a-Z0-9+/). The numbers are not predictable, due to the use of random_int. Most notably the OC\Security\Crypto::encrypt method uses an IV with a length of 16 bytes. I...
U.S. Dept Of Defense: Previously Compromised PulseSSL VPN Hosts
Hi again!! Back in 2019, I had reported that a pulseSSL VPN server owned by US DoD can be compromised by a publicly available exploit. The report is 681249. As a result, the userid and passwd db was also compromised. I found that at least 1 userid and password combination from that compromised db...
Elastic: Remote Code Execution on Cloud via latest Kibana 7.6.2
Summary: A prototype pollution in Kibana can be used to gain remote code execution. Description: There is a prototype pollution bug in the upgrade assistant's telemetry collector, via a dangerous usage of .set:...
Stripo Inc: SSRF in my.stripo.email
There is an SSRF (Server-side Request Forgery) in https://my.stripo.email. An attacker can perform an attack, get the IP address behind the WAF and try to get RCE...
GitHub Security Lab: CPP: Out of order Linux permission dropping without checking return codes
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Go/CWE-643: XPath Injection Query in Go
This bug was reported directly to GitHub Security Lab...
Mail.ru: SQL LIKE clauses wildcard injection
LIKE clause was misused for session validation in one of the https://c-api.city-mobil.ru/v2 API calls, allowing character-by-character session brute force. The session validation logic mistakenly allowed wildcards in the authorization token...
Internet Bug Bounty: Out-of-Bound Read in urldecode() [CVE-2020-7067]
Hi, Please see: https://bugs.php.net/bug.php?id=79465&edit=2 CVE is assigned CVE-2020-7067 Fixed in 7.4.5 Release: https://www.php.net/ChangeLog-7.php#7.4.5 Impact A remote attacker might leak values from the memory by crafting a malicious url-encoded string into PHP's urldecode...
Valve: Privilege Escalation vulnerability in steam's Remote Play feature leads to arbitrary kernel-mode driver installation
Tested on Windows 10 x64 On Steam starting, it will check all installed files' integrity, and re-download the modified files. This step ensures every single file in the Steam installation folder is exactly its original self. Before the first time Steam streams to SteamLink via the Remote Play feature, it makes...
Nextcloud: Code injection possible with malformed Nextcloud Talk chat commands
Summary The Nextcloud Talk app allows system administrators to set up chat commands that can be executed in Talk using the "/command" syntax. Users can provide additional arguments to the commands, such as "/calc 1+1" or "/wiki Hello", which are passed to the underlying script using @exec. If...
DRIVE.NET, Inc.: [www.drive2.ru] Insufficient Security Configurability - The user can use the same password as their current ID.
The current username and password can be set the same, making it easy to guess the password. This is a weak password policy issue. |Technical severity|VRT category| Specific vulnerability name|Variant / Affect...
Internet Bug Bounty: Windows only: arbitrary file read vulnerability in openssl s_server
==Copied from an email sent to [email protected] on August 15, 2019== Hi, There's an arbitrary file read vulnerability present in openssl s_server when run on Windows with the -WWW or -HTTP option. To reproduce: run openssl s_server -tls1 -WWW -accept 443 run .\curl.exe -k...
Mail.ru: [c-api.city-mobil.ru] IDOR chat messages between driver and customer
UUIDv1 was used as identifier in c-api.city-mobil.ru for some APIs where identifier was intended to be non-brutable while UUIDv1 entropy is insufficient...
GitLab: gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in `allowed_paths` to be read
Summary Extracted from https://hackerone.com/reports/835455#activity-7672566 While testing and looking at the patch for the nuget package workhorse bypass https://gitlab.com/gitlab-org/gitlab/issues/209080 I think I came across a more widespread bypass: bash create test file on gitlab server echo...
Phabricator: SSRF in notifications.server configuration
Modifying the notification server settings so that it connects to a malicious server. An attacker is able to redirect traffic from the vulnerable application to internal or external network resources. Steps To Reproduce: 1. Open your phabricator installation authenticated wi...
Basecamp: CSRF on launchpad.37signals.com OAuth2 authorization endpoint
Hi, I found a CSRF in the OAuth2 authorization endpoint on launchpad.37signals.com. That allows a malicious 3rd party application to gain full API access to the victim's account in 37signals products that use OAuth2 authorization. I found that when making a post request to the authorization endpoint it...
Visma Public: Ability to delete projects from Archived companies (Read only version)
The researcher discovered that Projects can be deleted from Archived companies which have a "read only version". It was assessed as Low impact...
Uber: Exposed█████████in apk file - devbuilds.uber.com
Sensitive information was disclosed because of internal token leakage...
Mail.ru: Reflected XSS in city-mobil.ru/
Reflected XSS in city-mobil.ru due to unsafe usage of GET parameter...
Mail.ru: XSS in [community.my.games]
Cross-site scripting in community.my.games via post comments All we say is Thank You for an Account Takeover Flaw!...
Shopify: None permission staff member can identify installed application and products attached to it
Hello, To see if a store has an application installed and which products it's configured for, the staff member should have application permission; otherwise nothing is visible. But I found a way that lets a staff member with no permissions identify if the store has installed Digital Downloads and if the...
Mail.ru: IDOR in tracking driver logs at city-mobil.ru
IDOR vulnerability in taxiserv interface allowed to access a track log of a different driver...
Uber: Cookie Bombing causes DoS - businesses.uber.com
Cookie Bombing causes DoS on businesses.uber.com...
Mail.ru: Content injection on shared event (calendar.mail.ru)
Allowed tags/attributes for calendar events in calendar.mail.ru were not properly restricted allowing interface elements spoofing...
U.S. Dept Of Defense: Full Account Take-Over of ████████ Members via IDOR
Summary https://███████ is a Social Network Site belonging to US DoD. Membership is open to anyone. I have found a method to fully take over any member's account by exploiting an IDOR bug in the ██████████ end-point. By changing the following values in the POST request to the affected end-point:...
Mail.ru: Information Disclosure on {http://pro.tracker.my.com}
Prometheus performance metrics were publicly available on pro.tracker.my.com...