X (Formerly Twitter): Ability to bruteforce mopub account’s password due to lack of rate limitation protection using {ip rotation techniques}
Summary: I tried to guess on my account. I sent out nearly 1,000 requests, and I was virtually banned on request about 120. But when I changed my IP and tried logging in, I was logged into the account without any additional checks. Description: Your web authentication endpoint,...
U.S. Dept Of Defense: Knowledge Base Articles are Globally Modifiable via ██████
Summary: A user is able to create an account on ██████████ and modify or create any knowledge base articles. This includes articles that have been created by the ██████████ as a canned response to help users with frequently asked questions. Description: Knowledge base articles are used within the...
U.S. Dept Of Defense: Second Order XSS via █████
Summary: A malicious user can use HTML injection to send a malicious chat message to an unsuspecting user, leading to a second order HTML injection/XSS via e-mail. Description: This will send an e-mail to the user that they have received a new message, and the malicious message will be sent to th...
Nextcloud: XSS in PDF Viewer
An outdated version of PDF.js in use allows for the CVE-2018-5158 vulnerability. When the payload PDF is shown in the supplied PDF viewer, it can execute arbitrary JavaScript. I have tested the payload PDF, and it is working in Safari 13.0.5 (the latest version) and Firefox 74.0, the latest...
GitLab: Initial mirror user can be assigned by other user even if the mirror was removed
Summary: Even if the mirror was removed, project.mirror_user will still be persisted. So any maintainer can create a "pull" mirror with the initial mirror user: safe_mirror_params.rb def valid_mirror_user?(mirror_params) return true unless mirror_params[:mirror_user_id].present?...
Nextcloud: Missing ownership check on remote wipe endpoint
On settings/user/security you can mark a device that does not belong to you for wipe. Steps: 1. Create 2 accounts, one for the hacker and one for the victim. 2. On both accounts add devices with different names. 3. On the hacker account, while intercepting with Burp Suite, select the option to wi...
Razer: SQL injection at https://sea-web.gold.razer.com/ajax-get-status.php via txid parameter
The tester determined the Razer Gold TH site suffered from a SQL injection issue. Razer thanks the tester for his due diligence and clear report...
Razer: Source Code Disclosure
The tester discovered a PHP file with source code exposed. There was no known exploit...
Kubernetes: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements
This bug report mostly concerns the default CNI plugins https://github.com/containernetworking/plugins but I believe affects many K8S clusters. Because the CNI team still doesn’t provide an explicit way to report security bugs, I hope the K8S security team doesn’t mind doing the coordination job...
Mail.ru: [api.33slona.ru] API access due to a misconfigured server 302 redirect.
A 302 reply for a non-authenticated request to api.33slona.ru could leak some static content with an HTML body...
U.S. Dept Of Defense: Improper Access Controls Allow PII Leak via ████
Summary: Dashboards in ██████████ allow a user to add widgets and obtain large amounts of information to include PII and diagnostic information. Additionally, a user is able to make changes to certain catalogs via these widgets. Description: Impact An adversary can gain access to PII to include...
Mail.ru: xss in ub.icq.net
XSS in ub.icq.net via HTML file upload. icq.net is a sandbox API domain without cookies or HTTP authentication...
Revive Adserver: Cross Site Scripting and Open Redirect in affiliate-preview.php file
Summary: Stored XSS can be submitted on the website using the Default Manager, and for anyone who checks the report, the XSS and Open Redirect will trigger. Description: Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injecte...
Zomato: Mathematical error found in meals for one
Wrong calculation is done by the...
Mail.ru: mailgun subdomain takeover on "email.mail.geekbrains.ru"
The unused email.mail.geekbrains.ru domain was delegated to Mailgun and was not claimed, allowing it to be used with the Mailgun service...
Greenhouse.io: Open S3 Bucket Accessible by any Aws User
Hi team, vulnerable URL: http://grnhse-marketing-site-assets.s3.amazonaws.com/ There is no authentication required to access the AWS bucket of the website. As your site was associated with AWS, any AWS user can view the content, navigate through directories and download files; public access is...
X (Formerly Twitter): character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error
Summary: If you are creating a new moment on https://twitter.com/username/moments you get redirected to https://twitter.com/i/moments/edit/moments-id. There you can set a title, a description and also you can add, if you want, a Tweet to your Moment. The title and also the description are...
Mail.ru: SQL Injection [unauthenticated] with direct output at https://news.mail.ru/
Unsafe usage of GET parameter led to SQL injection in news.mail.ru...
HackerOne: Read-only team members can read all properties of webhooks
Description: A team member can view all properties of webhooks despite not needing them. Steps To Reproduce 1. Have an admin of a program set up webhooks 2. As a team member (read-only), log in 3. Run the following GraphQL query: query { team(handle: "security") { name webhooks { nodes { id secret url } } } } 4. See th...
Mail.ru: MCS Graphite SSRF: internal network access
Blind SSRF in mcs.mail.ru via unpatched Graphite...
Glassdoor: Open Redirect ████████
The URL with the 'redirectUrl' parameter was found to be vulnerable to an open redirect attack. The parameter was not properly validated, allowing an attacker to redirect users to a malicious website of their choice...
MTN Group: Weak/Auto Fill Password
Summary: https://mtnc-selfservice.mtncameroon.net The following URL has admin/admin as user name and password. Steps To Reproduce: 1. Open the URL in any browser of your choice 2. Enter admin as user name and password 3. Booom .... full access to the super admin panel. Supporting Material/Reference...
Monero: Hardware Wallets Do Not Check Unlock Time
Summary: The hardware wallet implementations using the Monero wallet do not check the unlock time when signing. This allows malware on the user's computer, which the hardware wallet should protect against, to permanently lock up all the user's funds if the user signs a transaction on the device with a...
Nord Security: The Linux binaries (nordvpn and nordvpnd) don't use PIE/ASLR
Summary: The Linux binaries nordvpn and nordvpnd don't have PIE/ASLR enabled. Such a feature is used to harden programs against the exploitation of memory corruption bugs and should be enabled. The use of ASLR has long been debated among the Golang community. However, it seems that it's becoming...
Glassdoor: web.xml configuration file disclosure
Information disclosed via https://www.glassdoor.com/web.xml which has been resolved. Thanks, @stregh for your report and find. Looking forward to more reports from you. CVE-2021-34429 CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N...
Visma Bug Bounty Program: SSRF in img export
The researcher has found an SSRF vulnerability in the application's image export functionality. The app would take all the HTML as input and generate an image based on that. By manipulating the HTML code and adding a src attribute, it was possible to trigger an SSRF...
Internet Bug Bounty: CVE-2020-10938-buffer overflow/out-of-bounds write in compress.c:HuffmanDecodeImage()
Hello, there is an out-of-bounds write that is likely exploitable while performing Huffman decoding of Fax images. The technical details are as follows. Type: integer underflow produces out-of-bounds heap/etc. write Platform: 32-bit Details: 390 MagickExport MagickPassFail HuffmanDecodeImage(Image...
QIWI: SQL injection on contactws.contact-sys.com in TRateObject.AddForOffice in USER_ID parameter leads to remote code execution
Summary: The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the USER_ID parameter of the TRateObject.AddForOffice method to inject arbitrary SQL statements. This...
QIWI: SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution
Summary: The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the SCENID parameter to inject arbitrary SQL statements into the WHERE clause of the underlying SQL...
Slack: Team members can trigger arbitrary code execution in Slack Desktop Apps via HTML Notifications
A vulnerability in Slack's desktop clients allowed a user within a Slack team to send a malicious link to a teammate which would cause code to be executed on that victim's local computer. The issue hinged on a special type of Slack notification called HTML notifications. We resolved the issue by...
HackerOne: A team member of the program with Report rights can ban the Admin
Summary: Our team has conducted a number of tests in the field of the Report permission. We noticed that a team member of the program with such permission can ban a member with Admin rights. Steps To Reproduce: 1. Admin submits a new report in the program 2. A team member with Report rights can use the...
QIWI: Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete"
Summary: The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the ID parameter to inject arbitrary SQL statements into the underlying prepared statement. This leads ...
Valve: Unauthorized updates to extended_info properties in /store/ajaxpackagesave
Due to incorrectly implemented access control, partners were able to set the "extended_info" value on their own packages. This in turn enabled other security-impacting issues such as the ability to create externally-grantable and other special package types...
HackerOne H1P BBP1: Testing
asdajnsdjasndkjas...
HackerOne: Account creation with invalid email addresses / email is accepting % and %0d%0a line termination chars
An account creation vulnerability was found where invalid email addresses containing '%' and '%0d%0a' line termination characters were accepted, allowing multiple unverified accounts to be created...
Node.js third-party modules: [Limited bypass of #793704] Blind SSRF in Ghost CMS
Blind SSRF vulnerability in Ghost allows for internal port scanning, or reading oembed contents from internal network...
Nord Security: Account deletion requests not entirely honoured. Misinformation even after seeking clarification from customer support.
Summary: Requesting account deletion from NordVPN customer support, which is supposed to have "removed your account from our database," does not truly remove the account from the database. Even after asking if critical information such as billing information is removed, which customer support confirms...
U.S. Dept Of Defense: Unrestricted File Upload to ███████SubmitRequest/Index.cfm?fwa=wizardform
Summary: An attacker is able to upload files of any type to ███SubmitRequest/Index.cfm?fwa=wizardform as long as they are less than 5 MB. Description: The █████ ████ Request System allows a user to submit requests to the ██████████ ███ for event support. An attacker can exploit this request form ...
Mail.ru: [staging.tarantool.org] Github Pages Subdomain-take-over
Unused staging.tarantool.org subdomain was delegated to github pages and was not claimed...
Razer: Subdomain takeover at iosota.razersynapse.com via Amazon S3
The tester discovered a dangling DNS record for iosota.razersynapse.com that was no longer in use and demonstrated a subdomain takeover. Subdomain takeovers by themselves are not in the scope of our program, but Razer thanks the tester for their diligence and clear report...
HackerOne: Changes to data in a CVE request after draft via GraphQL query
Summary: Our team has conducted a number of tests in the field of CVE Requests. We found several statuses of such requests: Awaiting Publication, Pending HackerOne approval, Cancelled. At the time of creating the request, we can change the data. However, we noticed that we can't change...
Endless Group: Let's Encrypt Certificates affected by CAA Rechecking Incident
Summary: Let's Encrypt released a statement regarding 3 million certificates being revoked due to an issue in the CA signing process. Looking at your subdomains, it appears that you are affected by this incident. When the revocation occurs, the certificates are no longer valid. This ma...
Helium: Cleartext Transmission of Sensitive Information Leads to administrator access
The weakness of the program is Cleartext Transmission of Sensitive Information through the URL, leading to administrator access. This program has a feature that lets us add users with roles such as administrator and read-only to organizations. Here I get the administrator role at the same...
curl: curl still vulnerable to SMB access smuggling via FILE URL on Windows
Summary: The released fix for CVE-2019-15601, SMB access smuggling via FILE URL on Windows, leaves curl still vulnerable to SMB access smuggling via FILE URLs. - FILE URLs formatted as file:////smbserver/smbshare/file are not filtered. - FILE URLs which point to the global DOS name space, ??, and...
Urban Dictionary: Bypass voting restriction due to HTTP Header Injection
It is possible to bypass the voting restriction by adding a specially crafted HTTP header. The underlying algorithm uses the IP address to restrict the voting of a user. However, by manipulating the IP address via adding the HTTP header "X-Forwarded-For", it is possible to vote an entry up or down...
Nextcloud: Denial of Service by requesting to reset a password
Description: I believe that this is possible due to the brute force protection that makes all requests last for 30 seconds, which in this case is using all the PHP workers available in the pool, so the only way to defend yourself is setting up a limit or having a lot of resources. How to reproduce: I...
U.S. Dept Of Defense: Sensitive Information Leaking Through Navy Website. [█████]
Summary: While performing recon work on websites owned by DoD, I came across a Navy website which is leaking sensitive information. Description: The website is leaking information such as first name and last name, email address, phone number, location, rank, and other information of trainees in ...
Brave Software: Username Information Disclosure via Json response - Using parameter number Intruder
Summary: Hi, Brave Team, we found vulnerabilities in your websites. I found all usernames disclosed using the JSON response parameter number. Platforms Affected: website. https://community.brave.com/c/brave-feature-requests.json https://community.brave.com/c/beta-builds/38.json Steps To Reproduce:...
Visma Public: Access control on https://eaccounting.stage.vismaonline.com/
The researcher was able to find an access control issue in the application by checking if the permissions are correctly replicated in the active sessions for the user...
Rocket.Chat: SAML authentication bypass
Summary: When using SAML authentication, responses are not checked properly. This allows an attacker to inject/modify any assertions in the SAML response and thus, for example, authenticate as administrator. Description: The following code snippets are from app/meteor-accounts-saml/server/saml_utils.js Whe...