Open-Xchange: Null pointer dereference in SMTP server function smtp_command_parse_data_with_size
Sending the following bytes to the SMTP server induces a NULL pointer dereference...
Nextcloud: Missing server side controls when editing the board’s sharing permissions per user
Author: Silvia Väli, Clarified Security https://www.clarifiedsecurity.com/silvia-vali/ Date: 24th of March, 2020 Description: When a regular user visits the Deck view, all created boards are displayed along with the ones that are shared with the user by others. Available functionality with...
Open-Xchange: Null pointer dereference in SMTP server function smtp_string_parse
Sending the following bytes to the SMTP server induces a NULL pointer dereference...
Slack: Stored XSS in files.slack.com
We want to once again thank researcher @oskarsv for informing us of this issue. In the original submission that we previously disclosed here: https://hackerone.com/reports/783877, Oskarsv detailed a remote code execution vulnerability that hinged on the functionality of Slack’s “Posts” feature...
Qulture.Rocks: Privilege escalation from member user ( editor ) to admin user
Qulture.Rocks has multiple levels of admins, where you could manage parts of the application. One of those levels had a wrong configuration, which did not block it from updating its level to a higher one. Our team worked rapidly to fix this issue, blocking said level from updating itself...
Acronis: Missing rate limit for current password field (Password Change) Account Takeover
Vulnerability: Missing Rate Limit for Current Password field Password Change Account Takeover Steps to reproduce the bug: 1. Go to Profile Password. Enter any wrong password in the current password field. 2. Now enter the new password and turn the Intercept ON. 3. Capture the request & send the request to...
Glassdoor: IDOR Vulnerability in Job Preferences
An attacker has the ability to change a victim's job preferences through an IDOR vulnerability. The issue exists in the following endpoint: https://www.glassdoor.com/member/profileApi/preferences/delete.htm...
GitLab: Arbitrary file read via the UploadsRewriter when moving an issue
Summary The UploadsRewriter does not validate the file name, allowing arbitrary files to be copied via directory traversal when moving an issue to a new project. The pattern used to look for references is : MARKDOWNPATTERN = %r!?.?\/uploads/?0-9a-f32/?.?.freeze This is used by the...
Open-Xchange: Use after free in smtp_server_connection_handle_command
Function smtp_server_connection_handle_command in src/lib-smtp/smtp-server-connection.c creates a variable named cmd with cmd = smtp_server_command_new(tmp_conn, cmd_name, cmd_params); It gets used with return cmd == NULL || !cmd->input_locked; ie cmd->input_locked dereferences the pointer But we can get to this...
Razer: HTML injection in support.razer.com [IE only]
The tester discovered the support.razer.com site had an HTML injection vulnerability that could have facilitated a phishing attack. Razer thanks the tester for his report and for working with the team to help remediate...
PlayStation: Authorization Token on PlayStation Network Leaks via postMessage function
Description After some analysis on how PlayStation Network authentication works, I came across a certain pattern of how authorization tokens are handled. The web application utilizes the postMessage function to exchange authorization tokens between windows/frames. To simplify this, let's follow on one...
GitLab: SSRF on project import via the remote_attachment_url on a Note
Summary The Note model has an attachment which is provided by a CarrierWave uploader: `mount_uploader :attachment, AttachmentUploader` One of the features this provides is the ability to download and attach a file via a url, see...
Qulture.Rocks: Unrestricted File Upload in Chat Window
Summary: The application allows the attacker to upload dangerous file types that can be automatically processed within the product's environment. Steps To Reproduce: 1. Hit the browser with the below URL. https://qa.qulture.rocks/en/users/signin 2. Open the Chat window. 3. Upload any exe file. 4. Cli...
BlockDev Sp. Z o.o: load scripts DOS vulnerability
load scripts DOS vulnerability...
HackerOne: program_analytics_benchmarks query shows information not visible in public
Summary: program_analytics_benchmarks is displaying information I don't see yet in the public profile of a program. Description: I tried querying program_analytics_benchmarks for the program security and ██████ and it is showing information I cannot find in the public profile, especially in ███████ Steps To...
PlayStation: SSRF chained to hit internal host leading to another SSRF which allows to read internal images.
Report Summary: We found an SSRF at https://image.api.np.km.playstation.net/ Vulnerable endpoints: /images , /dis/images, using the image GET parameter. Description This endpoint allows us to fetch a remote image over the HTTP protocol using the image GET parameter and convert it to the desired format...
PlayStation: Use-After-Free In IPV6_2292PKTOPTIONS leading To Arbitrary Kernel R/W Primitives
Summary Due to missing locks in option IPV6_2292PKTOPTIONS of setsockopt, it is possible to race and free the struct ip6_pktopts buffer while it is being handled by ip6_setpktopt. This structure contains pointers (ip6po_pktinfo) that can be hijacked to obtain arbitrary kernel R/W primitives. As a...
Staging.every.org: Private account causes displayed through API
Summary: Any authenticated user can see which causes a private account user is interested in, by sending a GET request to the API, even though this information is not displayed anywhere on the profile page. In the profile settings, the following message is displayed for "Private Supporter" option...
Qulture.Rocks: Server Name disclosure
Hi, I found a Server Name disclosure (Cowboy) in your web server's HTTP response! This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the server! Request with Burp: GET / HTTP/1.1 Host: qa.qulture.rocks...
Ubiquiti Inc.: View Only to Root Privilege Escalation on UniFi Protect
UniFi Protect v1.13.2 and prior contain vulnerabilities allowing users to run certain custom commands that can be used to assign themselves unauthorized roles, escalating their privileges. These vulnerabilities were found on UniFi Protect v1.13.2 and prior versions for Cloud Key Gen2 Plus. The...
Node.js third-party modules: [logkitty] RCE via insecure command formatting
I would like to report an RCE issue in the logkitty module. It allows executing arbitrary commands remotely on the victim's PC. Module module name: logkitty version: 0.7.0 npm page: https://www.npmjs.com/package/logkitty Module Description Display pretty Android and iOS logs without Android...
Staging.every.org: Improper email address verification while saving Account Details
Summary: An attacker could change their email to any email address, even one already registered to another user, even though the UI does not allow it. Steps To Reproduce: 0. Set up proxy. 1. Signup with any email address 2. Go to profile section 3. Click on update button 4. Monitor call in rever...
Staging.every.org: Flaw in Change Email https://youtu.be/MMvlcHIGs2A
See https://youtu.be/MMvlcHIGs2A...
Monero: Array Index Underflow--http rpc
Summary: parserse_base_utils.h:197 const unsigned char tmp = isxint++it; Int type will cause the array subscript to appear negative and read wrong data. Solution: const unsigned char tmp = isxunsigned char++it; Releases Affected: up to date version on github Steps To Reproduce: add details for how ...
Mail.ru: [icq.com/people/*uin*/edit] Missing filter and duplicate check in the "Nickname" field
It was possible to create an account with the same nickname as an existing one...
Grammarly: Grammarly Keyboard for Android "Authorization Code with PKCE" flow implementation vulnerability that allows account takeover
@tomtenisse identified a vulnerability in Grammarly Keyboard for Android that allowed a malicious application installed on the device to guess the PKCE code verifier value and consequently obtain access to the OAuth access_token (grauth cookie). The vulnerability was fixed by moving from PRNG to...
GitHub Security Lab: CWE-094 ScriptEngine in java
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: XPath Injection query in java
This bug was reported directly to GitHub Security Lab...
BTFS: Subdomain Takeover uptime
Hello Team: I can't report it to the company so I hope you accept it as a valid bug. I found a subdomain takeover in your subdomain uptime.btfs.io; I found this subdomain pointed to uptimerobot and not claimed, so I signed up in uptimerobot and claimed it. POC: ------ 1 - open https://uptime.btfs.io...
Internet Bug Bounty: URN Request bypass ACL Checks
Summary: Attacker can bypass ACL checks gaining access to restricted HTTP servers such as those running on localhost. Attacker could also gain access to CacheManager if VIA header is turned off. Only lines with : will be readable though, and the response must be less than 4096 bytes or it'll...
Internet Bug Bounty: UrnState Heap Overflow
Summary: When handling a URN Request an attacker controlled response can cause Squid to overflow a heap buffer. The buffer exists within a struct so not only does it allow an attacker to overflow adjacent memory, but also control a pointer that follows the buffer enabling them to free arbitrary...
Internet Bug Bounty: Cache Poisoning
Summary: An attacker can cause Squid to return to the user attacker controlled data, for any domain. From Squid-4.7 and below both HTTPS and FTP could be poisoned. This is due to Squid URL decoding parts of the Request URL and using that to create a hash. Requests that decode to the same URL will...
GitLab: Send arbitrary PUT requests when user clicks on a link
Dear teams, Summary Mermaid allows users to set the class name of a block. This ability becomes vulnerable in GitLab issues because of issue.js L90: javascript return $document.on 'click', '.js-issuable-actions a.btn-close, .js-issuable-actions a.btn-reopen', e = ... const $button = $e.currentTarget;...
Mail.ru: o2.mail.ru XSS
Reflected XSS in o2.mail.ru via GET parameter state...
Myndr: Reflected XSS in https://blocked.myndr.net
Summary: Reflected XSS in Domain https://blocked.myndr.net Steps To Reproduce: 1. Go to the https://blocked.myndr.net. 2. Find the endpoint in the domain -https://blocked.myndr.net/?trg=1 3. Add the payload ?trg="alert1 4. You can see the pop up in your browser. Impact With the help of XSS, a...
Razer: SQL injection in Razer Gold List Admin at /lists/index.php via the `list[]` parameter.
The tester discovered a monitoring server in a Razer Gold environment was running legacy software with a SQL injection vulnerability. Razer thanks the tester for his diligence and helping keep Razer's customer data secure. A Razer Gold asset suffered from an SQL injection due to an outdated...
Internet Bug Bounty: Cache Manager ACL Bypass
Summary: ACL Manager can be bypassed, giving non-authorized users access to squid-internal-mgr. Possible to bypass other urlregex, but only focused on manager. with the hostname of the server running squid echo -e "GET https://jeriko.one%252f@:3128/squid-internal-mgr/activerequests HTTP/1.1\r\n\r\n" |nc...
Internet Bug Bounty: Squid leaks previous content from reusable buffer
Summary: A malicious response to an FTP request can cause Squid to miscalculate the length of a string, copying data past the terminating NULL. Due to Squid's memory pool the contents that are exposed could range from internal data to other users' private Requests/Responses to Squid. This exists in...
HackerOne: Attacker may be able to bounce enough emails which suspend HackerOne's SES service and cause a DoS of HackerOne's email service
This was a DoS based on triggering a lot of bounced emails via SES service which could put our email sending up for review with AWS. The vulnerability was due to unrestricted invitations on sandbox programs which allowed an attacker to generate an infinite number of bounced emails. We had applied...
Stripo Inc: Unrestricted File Upload on https://my.stripo.email and https://stripo.email
Hi Stripo Inc, I found 2 Unrestricted File Upload Vulnerabilities on your website. First Vulnerability: Steps to Reproduce 1. Create an account in "https://my.stripo.email" 2. Simply download a php shell from the internet and open it with a text editor. ex: r57 shell 3. Then save it as a JPEG file. 4. Go bac...
Evernote: One Click Code Execution via File
This issue was reported to Evernote by @ajdumanhug and fixed in November 2019. This disclosure is a copy of the original, and is for historical purposes only. Overview The Open with Terminal functionality is vulnerable to One Click Code Execution. Tested the vulnerability using the Mac Desktop App...
DigitalOcean: Unauthorized access to https://shipit.analogpond.com/
Summary: Unauthorized access to https://shipit.analogpond.com/digitalocean/marketplace/production/ with the ability to rollback deploys just like DigitalOcean developers. Steps To Reproduce: I was doing recon when I came across marketplace-fra1.digitalocean.com with CNAME...
GitLab: Path traversal in Nuget Package Registry
Summary There's a path traversal issue in Nuget package registry which was released to GitLab-EE recently. The issue allows an attacker to create any file with an extension “.nupkg” in the filesystem. By combining the bug with a race condition in Gitaly which I used several times before 762421,...
U.S. Dept Of Defense: Apache solr RCE via velocity template
Hi team, While doing some recon I stumbled upon an IP address http://██████/ The IP took me to a Login Page at ████=https%3A%2F%2F██████████████████ as the URL suggests this system belongs to the US gov. Doing a port scan reveals that POST ██████████ is open. A lot of doors open if Solr is exposed...
Razer: 🐞 OS Command Injection at https://sea-web.gold.razer.com/lab/ws-lookup via IP parameter
The tester discovered a Razer Gold Thailand site that suffered from a service with a command injection vulnerability. Razer thanks the tester for his report and clear PoC. a real world CTF-Like challenge 😅 Burpsuite Collaborator Client was very helpful Thanks @Razer for the bounty 🥳...
PlayStation: Access token stealing.
Summary: https://my.playstation.com/auth/response.html suffers from a misconfiguration which leads to access token stealing. Description: The page...
Mail.ru: relap.io CSRF bypass on adding domain to use relap widgets
The lack of CSRF protection in an API endpoint in relap.io allowed forcing a user to add a domain to the widget...
Node.js third-party modules: [sapper] Path Traversal
I would like to report a critical path traversal vulnerability in the sapper module. It allows an attacker to simply obtain arbitrary files from the remote server, exploiting a simple path traversal using URL-encoded "../". Module module name: sapper version: 0.27.10 npm page:...
Mail.ru: Stored XSS In mlbootcamp.ru
XSS in mlbootcamp.ru via forum post...
Nextcloud: PHPUnit is included in groupfolders release package potentially causing RCE
The groupfolders tarball contains the phpunit code in the vendor directory https://github.com/nextcloud/groupfolders/releases/download/v6.0.2/groupfolders.tar.gz . As discussed on https://thephp.cc/news/2020/02/phpunit-a-security-risk this really is a potential security risk. The phpunit code...