U.S. Dept Of Defense: Members Personal Information Leak Due to IDOR
Summary https://██████ allows anyone to sign up and view other members' profiles. According to Wikipedia, ███████ is part of US DoD "████████": ██████ I signed up with a regular account and noticed that by referencing users' ████, I can send thousands of "█████████" and also, using another end-point...
U.S. Dept Of Defense: Stored XSS via 64(?) vulnerable fields in ███ leads to credential theft/account takeover
Summary: A user is able to complete ████████ worksheets via https://██████████. This form allows a user to store multiple XSS payloads within it, which will in turn allow the attacker to run malicious code in the context of the legal personnel who view the request. Impact The attacker can have multipl...
Stripo Inc: SSRF via Export Service in ActiveCampaign
SSRF with ActiveCampaign...
Mail.ru: XSS at go.mail.ru
DOM-based self XSS in go.mail.ru social search functionality...
Elastic: Stored XSS in Elastic App Search
Summary: There exists a stored XSS via referenceui in "URL" Parameter in the latest Elastic App Search v7.6.2 Tested both on cloud and local instance Description: Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message...
BTFS: xss on bittorrent.com
Hi team, I found an XSS bug on headers.php. https://www.bittorrent.com/scripts/site/headers.php?=1586521900793&callback= https://www.bittorrent.com/scripts/social/gettweet.php?=1586521900791&callback= It works on IE browsers. Impact fix them...
BTFS: frame injection on bittorrent.com
Hi team, headers.php is injectable. You can see it on IE browsers. FULL URL : https://www.bittorrent.com/scripts/site/headers.php?=1586521900793&callback=%3ciframe%20src%3d%22http%3a%2f%2fgoogle.com%2f%3f%22%3e%3c%2fiframe%3e Impact fix them...
BTFS: .git file accessible on remote.bittorrent.com
Hi team, I detected that your .git file is accessible to any unauthorized user. url : https://remote.bittorrent.com/static/webui/.git/config HTTP/1.1 200 OK Set-Cookie: BTURT=talon-i-0837bbfadd509c546-2; path=/; domain=.utorrent.com Server: TornadoServer/2.1.1git Connection: keep-alive Content-Length: 2...
BTFS: XSS on remote.bittorrent.com
Hi security team, I found an XSS on your subdomain. It includes a callback function. url : https://remote.bittorrent.com/talon/logout?message= Impact fix them...
Acronis: Open redirect at mc-beta-cloud-acronis.com
Open Redirect Vulnerability Steps To Reproduce: Type in this URL:...
Glassdoor: Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/
Summary: There is a reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/ through the utmsource parameter. By using URL encoding I was able to bypass the WAF. Affected URL or select Asset from In-Scope: https://www.glassdoor.com/ Affected Parameter: utmsource Vulnerability Type: XSS...
BlockDev Sp. Z o.o: Blind SSRF at https://chat.makerdao.com/account/profile
Blind SSRF at https://chat.makerdao.com/account/profile...
Topcoder: SVG file upload leads to XML injection
Summary: The Upload Avatar option allows the user to upload image/ , thus enabling the upload of many file formats including SVG files (MIME type: image/svg+xml). SVG files are XML-based 2D graphics files. This opens up an attack vector to upload specially crafted malicious SVG files. Th...
GitHub Security Lab: CPP: Out of order Linux permission dropping without checking return codes
This bug was reported directly to GitHub Security Lab...
Imgur: Sourcemaps and Unminified Source Code Exposed on Pages
Hello, I'm not sure if this was actually meant to be made public on purpose, but I was looking through some of the sources that were loaded and found out the following: https://imgur.com/ - See ██████ s.imgur.com - desktop-assets - js contains multiple minified JS files as one would usually expec...
Zomato: [www.zomato.com] Abusing LocalParams (city) to Inject SOLR query
Hi Team! I found a limited SOLR injection by abusing LocalParams city in /webapi/searchapi.php. Therefore, please respect my decision to mark this report as Medium instead of High, based on the fact that the code is vulnerable even if it's hard to exploit. - Request adding single Backslash: http GET...
GitHub Security Lab: Java/CWE-036: Calling openStream on URLs created from remote source can lead to file disclosure
This bug was reported directly to GitHub Security Lab...
Starbucks: Korea - LFI Server directory traversal at starbucks.co.kr
b4bilal discovered a misconfiguration when handling URI paths. This permitted an adversary to traverse the docroot and access non sensitive resources that are normally unavailable to web users. @b4bilal — thank you for reporting this vulnerability and for confirming the resolution...
Helium: Hyperlink Injection on Email Invitation
DESCRIPTION Found a hyperlink injection in the name of the Organization when the attacker invites the victim to his organization with an injected hyperlink. STEPS 1. Add an organization with the name https://attacker.com and switch to it. 2. Go to user and invite the victim using email. 3. The victim will se...
8x8: Outdated Coturn is vulnerable to known vulnerabilities (High)
Jitsi had several CoTurn servers that needed improvements to their access configurations and updated...
8x8 Bounty: Open TURN relay abuse is possible due to lack of peer access control (Critical)
NOTE: This is not an SSRF vulnerability but an open TURN relay vulnerability. Typically, this security vulnerability has at least the same impact as an SSRF. However it is considered more useful from an attacker's point of view since attacks are not restricted to HTTP. - Affects: - █████:443 -...
Rocket.Chat: Desktop app RCE (#276031 bypass)
Summary: 276031 fix bypass, two click remote code execution. Description: The security issue is in links preload file https://github.com/RocketChat/Rocket.Chat.Electron/blob/master/src/preload/links.js file. By rewriting RegExp.prototype.test method it is possible to prepare proper answers to get...
Mail.ru: Account takeover through password reset in cups.mail.ru
An IDOR vulnerability in the password recovery procedure allowed arbitrary cups.mail.ru account takeover. Write-up is here: https://medium.com/kminthein/account-takeover-in-cups-mail-ru-bdab1483f92c...
Rocket.Chat: account takeover on 3.0.1 version
I found user reset password hash info and other security info on "/api/v1/users.info" note : I log in on rocketchat with an ldap account my role : user note: in request "https://target/api/v1/users.info?username=xhttps://target/api/v1/users.info?username=%5Bx%5D" you should change username to userId 1-...
Node.js third-party modules: Pixel flood attack cause the javascript heap out of memory
I would like to report a Pixel flood attack in jimp. It allows flooding the memory and causing DoS by uploading a crafted 5kb image, and the Jimp module will try to allocate 4128062500 pixels into memory. Module module name: jimp version: An image processing library for Node written entirely...
Glassdoor: HTML Injection in Glassdoor job sharing emails
HTML injection possibility within the "fromEmail" field of the email template going out from [email protected]. This report was a duplicate of 824165 which should've resolved this issue. Thanks @jackb898 for your report and looking forward to more findings from you...
Shopify: Open Redirect in www.shopify.dev Environment
Summary The reported vulnerability allows an attacker to perform an open/unknown redirect against a victim user. Steps to reproduce 1 Go to https://shopify.dev/concepts/shopify-introduction 2 Click on search 3 Type POC in the search box and hit enter 4 Right click on the first result displayed as POS and click on copy link...
Concrete CMS: Remote Code Execution through Extension Bypass on Log Functionality
Summary: ===================== The Application concrete5 CMS available on github is vulnerable to remote code execution through the functionality of setting the log file in "Loggin Settings". It is possible to bypass the portion of code responsible for the verification of the extension of the log...
Acronis: Content Spoofing
Vulnerability: Content Spoofing or Text Injection Description: This vulnerability will reflect text onto the web page, which can be used to scam a victim into visiting or sending information to a malicious website. Because it is inside the domain and on a trusted web page, there is a chance of a scam. Open the Url a...
ExpressionEngine: Low privileges (auth) Remote Command Execution - PHP file upload bypass.
The ExpressionEngine software was vulnerable to a remote command execution flaw due to a bypass in the file upload extension check, which allowed a low-privileged user to execute arbitrary commands...
Node.js third-party modules: Prototype pollution attack (lodash)
I would like to report a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype. Module module name: lodash version: 4.17.15 npm page: https://www.npmjs.com/package/lodash Module Description A modern JavaScript utility library delivering...
HackerOne: Reflected XSS on www.hackerone.com and resources.hackerone.com
Good day: I hope you're doing as well as can be during these difficult times. I have found XSS at 2 endpoints: https://www.hackerone.com/resources/ and https://resources.hackerone.com The payloads that work are here:...
Myndr: Open Redirect filter bypass through '\' character via URL parameter
Hi, I hope I find you all safe and well in these hard times. Summary: Found an Open Redirect vulnerability on http://meta.myndr.net by bypassing the trusted domain filter using a '\' character. I was able to get the original redirection URL from the register button located at...
8x8: Send Phishing/Spam email from [email protected] to any email address.
The Sameroom API contained an endpoint to generate an email to notify the user that the account had been updated. This API request utilized a JSON body that specified the email address and DisplayName of the user without validating the format or characters of the DisplayName. An attacker could ha...
Nextcloud: Possible denial of service when entering a loooong password
You can create a very long password until you get the last user to put and aries or DoS. Normally passwords have 8-10-24 digits. By sending a very long password 1.000.000 characters Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the...
Clario: rxss at https://mackeeper.com page not found via rid parameter
Summary Reflected xss at /mk/api/send-event with rid parameter. Vuln endpoint: https://mackeeper.com/mk/api/send-event?rid= payload: alerttest Steps To Reproduce go to https://mackeeper.com/mk/api/send-event?rid=%3C/script%3E%3Cscript%3Ealertdocument.cookie%3C/script%3E payload:...
U.S. Dept Of Defense: CSRF Account Deletion on ███ Website
Summary: A CSRF vulnerability against the ███████ allows attackers to delete user accounts. Impact Users who visit a malicious website could find their ████████ account deleted. Step-by-step Reproduction Instructions 1. Create and login to a new account on the ██████ 2. Open the provided HTML fil...
Valve: Shell command injection in https://partner.steamgames.com/apps/communityitems/ via file extension of item_image_small and item_image_large
Shell command injection in https://partner.steamgames.com/apps/communityitems/ via file extension of itemimagesmall and itemimagelarge. Shell injection was achieved on a publishing gateway through metacharacter injection in an item-upload path...
Glassdoor: [XSS] Reflected XSS via POST request in (editJobAlert.htm) file
Description: First, it was a very good bug for me. It started when I was testing the form, where I found a CSRF; I sent it here: 838778. I tested the form again and after a few minutes I found that the parameter locationId in the POST request is vulnerable to XSS. The page takes the value of this parameter...
Zomato: [www.zomato.com] Blind SQL Injection in /php/geto2banner
Hi Team! Our team discovered a Blind SQL Injection by abusing LocalParams resid in /php/geto2banner. We are working to create a full PDF Report as a write-up; here is a temporary exploit based on the vulnerable request: POST /php/geto2banner HTTP/1.1 Host: www.zomato.com Connection: close...
MTN Group: Insecure crossdomain.xml on https://vdc.mtnonline.com/
Hi, https://vdc.mtnonline.com/crossdomain.xml contains the following xml file: Impact This will make anyone able to receive content from https://vdc.mtnonline.com/ ; an attacker can steal CSRF tokens and user PII. More information about this issue is available here:...
Internet Bug Bounty: Use of uninitialized value in ftp_getrc_msg method of mod_proxy_ftp.c
This is a Security Bug Report for mod_proxy_ftp. This bug is present in the ftp_getrc_msg method of the modules/proxy/mod_proxy_ftp.c file. This is the line which causes this bug: `mb = apr_cpystrn(mb, response + 4, me - mb);` If the ftp server returns a response like "\r\n", which has 3 characters with...
Mail.ru: Http Response Splitting on thumb.cloud.mail.ru
Limited CRLF injection at thumb.cloud.mail.ru allowed to manipulate cookies...
WHO COVID-19 Mobile App: Improper Input Validation on User's Location on PUT /WhoService/putLocation Could Affect Availability/Falsify Users
Summary: Note: I noticed that the team has fixed issues like an XSS that's caused only from a header value, typically OOS since it's not directly exploitable https://github.com/WorldHealthOrganization/app/pull/855, so in the spirit of this I'm also reporting another "good-to-fix" issue. On th...
LY Corporation: Spring Actuator endpoints publicly available and broken authentication
Due to insufficient access control, it was possible to access the Spring Boot Actuator endpoints /heapdump and /env. @kazan71p identified two highly sensitive applications leaking information through these endpoints. The LINE Security team shut down the secondary endpoints just as it was discovere...
Mail.ru: Private files exposed to other apps
Insecure handling of external intent in ICQ for Android allowed another local application to force ICQ private files to be copied to insecure location...
Staging.every.org: No Rate Limit On Reset Password
Summary: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests. wikipedia I...
Visma Public: Read-only user can access payroll information without having access to payroll.
The researcher found that a read-only user without access to payroll can still access all the data in the payroll tab by visiting the URL directly, thus resulting in unauthorized access...
Nextcloud: user can bypass password enforcement when federated sharing is enabled
If the admin forces password for link shares and federated shares are enabled, users can bypass this enforcement. Tested with Nextcloud 18.0.3 Steps to reproduce: - enable password enforcement for link shares as admin - as user1 create a link share with password - open the link share in a separat...
Shopify: *.shopify.com - Authentication bypass
I've found a flaw in the authentication process when accessing the website https://upcoming.shopify.com. There seems to be HTTP Authentication in place to prevent access without authentication. Please follow the POC below to get access to https://upcoming.shopify.com without login. The website is...