Nextcloud: xss on setup config page
Nextcloud version: 18.0.1. In the setup config page, set the MySQL Username to the payloadalert1 and fill in the others. F739076 Then submit. F739077 This GIF shows the PoC: F739069 Impact: This is because the code does not filter dangerous characters, so dangerous characters need to be escaped...
Mail.ru: Brute-force any email account through allods.mail.ru
!!! The full version of the report with screenshots is in the attached PDF file. Vulnerability Technical description ========================= At https://allods.mail.ru/account.php there is a registration form for a new user of the game. While the form is being filled in, an Ajax POST request is sent to...
Visma Bug Bounty Program: [IDOR]Ability to Pause & Resume the Invoice of other users If GUID is known.
An Insecure Direct Object Reference (IDOR) vulnerability is discovered via a certain endpoint, and the application exposes a reference to an internal implementation object. It reveals the real identifier and the format/pattern used for the element on the storage backend side...
Node.js: Node.js: TLS session reuse can lead to hostname verification bypass
The Node.js TLS library supports client side reuse of TLS sessions when multiple connections to the same server are opened. Code that wants to use this feature can listen for the 'session' event https://nodejs.org/api/tls.htmltlseventsession on a tls.TLSSocket to get notified of newly created TLS...
Mail.ru: CRLF Injection in 301 Redirect allow to Set-Cookies for mail.ru
CRLF injection in HTTP 301 reply on 1l-go.mail.ru...
Visma Public: Open Redirection In connect.identity.stagaws.visma.com
The researcher found an open redirection in one of the parameters. This can be used to trick a user into visiting a fake website that asks for credentials, and to trick the user into giving out those credentials...
PlayStation: SSRF on image renderer
Summary: image.api.np.km.playstation.net allows image URLs to be passed via the image parameter. It is possible to use this endpoint to send Gopher requests that result in SMTP messages being sent. Steps To Reproduce: 1. Create a Gopher redirect PHP file to save to your server ', 'RCPT TO: ', 'DATA...
Razer: SQL Injection in https://api-my.pay.razer.com/inviteFriend/getInviteHistoryLog
The tester determined the Razer Pay API server was vulnerable to a SQL injection that could allow the exposure of user information. Razer Fintech appreciates the clear and detailed PoC...
Helium: Account takeover w/o interaction for a user that doesn't have 2fa enabled via 2fa linking and improper auth at /api/2fa/verify
Description: Hello, team! I found 2 vulnerabilities in your 2FA implementation: 1. There is a possibility to link 2FA to any other account if it wasn't set up before and the user ID is known, via the request /api/2fa. In order to do this, after performing a request for 2FA linking, substitute the ID to...
Mail.ru: web.icq.com XSS in chat message via contact info
XSS in web.icq.com via chat message with contact details...
Razer: Helpdesk takeover (subdomain takeover) in razerzone.com domain via unclaimed Zendesk instance
The tester discovered a Razer subdomain subject to a takeover. Although we do not normally accept these as part of this program, Razer thanks the tester for his report...
MTN Group: Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-3506]
Summary: Hello. I was able to identify an RCE vulnerability due to the outdated Oracle Weblogic instance on https://raebilling.mtn.co.za. Steps To Reproduce: To reproduce, try this request with BurpSuite. This request to https://raebilling.mtn.co.za/wls-wsat/RegistrationRequesterPortType will trigg...
MTN Group: Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-10271]
Summary: Hello. I was able to identify an RCE vulnerability due to the outdated Oracle Weblogic instance on https://raebilling.mtn.co.za. Steps To Reproduce: To reproduce, launch this request with BurpSuite. This request to https://raebilling.mtn.co.za/wls-wsat/CoordinatorPortType will trigger slee...
Lark Technologies: SSRF with information disclosure
An SSRF (server-side request forgery) vulnerability was identified in the messenger endpoint of Lark Suite, which could have exposed internal credentials used by the server. We thank @jin0ne for reporting this to our team...
Visma Public: Able to continue user creation process after deleting the HTML element that shows the message that the session is closed
Summary: Able to continue the user creation process and successfully submit the user creation form after deleting the HTML element that shows the message that the session is closed, after signing out in a different tab of the same browser. Steps To Reproduce: 1. Login to...
Helium: Read-only user can delete higher privileged members using open DELETE /api/memberships/<membershipID> endpoint
Summary: The /api/memberships/<membershipID> endpoint on console.helium.com is open to anyone, including read-only users in an organization. This means that a read-only member can kick a manager, an administrator, or even the owner out of an organization using this vulnerability. Steps to Reproduce: 1...
Visma Public: [IDOR]Ability to edit Description of api_key's of other users.
The researcher was able to change the description associated with API keys of other users on the /api/orgID/apiKey endpoint by modifying the id of the API key in the request...
Visma Public: HTML-injection in PDF-export leads to LFI
The researcher was able to extract the contents of files using the PDF generator in "Yearly Financial Statements". This was done by adding an IFRAME tag inside the company name. Once rendered in Yearly Financial Statements, it included the file the IFRAME was pointing to. In this POC it was /etc/passw...
Helium: Organization Takeover
Hello @helium, the console.helium.com application doesn't correctly manage the /membership/ resources and allows a user to escalate privileges in an organization of which he is part by just modifying its role. Steps to reproduce the bug: 1. Let's make two user accounts: - [email protected] A...
Rockstar Games: Referer Leakage in language changer may lead to FB token theft.
In this report, the researcher identified a CSRF vulnerability in the language changing function on https://www.rockstargames.com/GTAOnline/ that could be combined with other vulnerabilities to result in sensitive token theft such as Oauth tokens. This vulnerability would be triggered when changi...
Engel & Völkers Technology GmbH: full path disclosure on world.engelvoelkers.com via error messages
The web server at world.engelvoelkers.com discloses an internal path in its error message. Via a browser: http://world.engelvoelkers.com/config/app.php http://world.engelvoelkers.com/connect.php Impact: There is no direct impact, however this information can help an attacker identify other vulnerabilities...
Visma Bug Bounty Program: Administration page visible without authentication
A backend system administration interface could be accessed without authorization, but it did not display any data unless the user was correctly logged in...
GitLab: SSRF into Shared Runner, by replacing dockerd with malicious server in Executor
Note: I've assigned the severity HIGH and submitted this report based on previously disclosed blind SSRF bugs: https://hackerone.com/reports/398799 If that's not correct, please adjust or let me know if you require more immediate impact on users in order to consider...
U.S. Dept Of Defense: No ACL on S3 Bucket in [https://www.██████████/]
Summary: Hi team! I was able to move and download all files in an S3 bucket that is under ████ control because it did not have an ACL. Step-by-step Reproduction Instructions: First we will try to access all files via the browser by going to s3.amazonaws.com/files.████████ Now we will try to download all files on...
Node.js third-party modules: [notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser
I would like to report a sandbox escape / code injection vulnerability in notevil. It allows an attacker to escape the intended sandbox and execute JavaScript code in the global context, meaning that he/she can achieve arbitrary command execution (RCE) when running in Node.js and cross site scriptin...
Visma Bug Bounty Program: [IDOR]Ability to View/Delete/Edit (Forward to attachment archive) Email of other user if GUID is known.
An Insecure Direct Object Reference (IDOR) vulnerability is discovered via a certain endpoint, and the application exposes a reference to an internal implementation object, which allows the attacker to perform unauthorized actions...
HackerOne: Rounding errors on rewarding a bounty leads to bypassing the 20% H1 commission fee
Summary: The team discovered a rounding error issue when rewarding hackers with a bounty. Through a series of micro-payments, a malicious program manager is able to pay a full amount to the hacker while evading the 20% H1 commission fee. Description: H1 has a system for awarding and paying hacker...
Visma Public: Unrestricted file upload leads to Stored XSS
An attacker is able to bypass the restrictions which limit user uploads to .PDF only. The attacker can upload malicious content, including JavaScript code, to the web server to gain Stored XSS...
Rockstar Games: Information Disclosure in https://www.rockstargames.com/search
In this report the researcher identified a flaw in our search function that caused it to display unintended error messages. These error messages contained detailed error codes that could reveal information useful to attackers. Thanks to this report we were able to address this behavior so that th...
Visma Public: Arbitrary File Upload to Stored XSS
An attacker is able to bypass the restrictions which limit user uploads to .PDF only. Utilizing this exploit by changing the content to Beacon.html%00.pdf, an attacker can upload malicious content, including JavaScript code, to the web server to gain Stored XSS...
Shopify: Exposed Slinky Instance Admin Panel
Last night the following server went from a 404 to a 200: ███████ Upon navigating to this page, I found that there was a slinky admin panel available here with the ability to change and modify URL redirection. https://slinky-server.shopifycloud.com/ Impact Ability to modify potentially trusted UR...
HackerOne: Mismatch between frontend and backend validation via `ban_researcher` leads to H1 support and hackers email spam
Summary: We found a mismatch between the frontend and backend validation when using the ban researcher feature, available for program customers. Description: When a program customer issues a ban, an automatic email will be sent both to the banned user and to H1 support. The problem is that the frontend wi...
Visma Public: Session replay vulnerability in app.workbox.dk domain
The researcher found that sessions don't expire when users log out of their account. This means that if the session cookie and its value are known, an attacker can impersonate the owner of the account...
Mail.ru: [v7lk.relap.io] Sending arbitrary emails to any user
Mail sending API endpoint at relap.io was publicly accessible...
Visma Bug Bounty Program: Stored XSS when uploading files to an invoice
I've found a stored XSS in the file upload. The parameter fileID is vulnerable and will be stored on the page. Steps To Reproduce: Login. Navigate to one of your invoices. Upload some file and intercept the traffic. Once you see a JSON payload like this "id":"abcabccabcabc","name":"file-name" modi...
U.S. Dept Of Defense: PII Leak via https://████████
Summary: An attacker can create an account on https://████ and gain access to a wealth of PII for practically every member that is registered on the website. This includes e-mail addresses, physical addresses, telephone numbers, and other information about a vast majority of the US Air Force, as...
Nextcloud: Unrestricted file upload on the image of contacts
When uploading an image for a contact, the file upload pop-up window shows that it can accept files of any data type. For my testing I uploaded a sample executable, named 'SimpleCrackMe.exe', which doesn't really do anything without passing parameters to it on a terminal when running...
Kubernetes: Blind SSRF on velodrome.canary.k8s.io
A blind server-side request forgery (SSRF) was found at the endpoint http://velodrome.canary.k8s.io/api/snapshots via a JSON parameter. An attacker can force the host to make a request to arbitrary URLs...
8x8: Stored XSS on Company Logo
The ContactNow application saved the location of the custom company logo without proper encoding considerations...
GlobaLeaks: Since no defined tries for incorrect answer, an attacker can brute the answers and post a submission
Logic of the attack: pass 50 answers per token (this can be increased for a higher success rate); if there's a valid one within the 50 answers, the token becomes usable, and then submit the submission POST data. Screenshot of script running F733033 Screenshot of inbox F733034 Mitigation: This can be...
8x8: Blind Command Injection #1
OS command injection in the text-to-speech functionality API. This issue arose because of the generic text-to-speech conversion tool being used in the web application, and because the user input data was not being sanitised before being taken to the server for output of the inputted...
Shopify: CSRF on connecting Paypal as Payment Provider
Hi, I think there is a weak CSRF protection on adding PayPal as the payment provider, but the protection is not good. When users try to add PayPal as payment provider, they will make this GET request...
U.S. Dept Of Defense: SharePoint Web Services Exposed to Anonymous Access Users
Summary: Any unauthenticated/anonymous users are able to access the SharePoint Web Services .wsdl files for the █████ Initiative website. Description: The SharePoint installation for this particular site allows any user to access the spdisco.aspx on the web server which discloses the location of ...
Valve: OOB reads in network message handlers leads to RCE
Vulnerability: In Source engine games there are many network messages sent from the server to the client that take an entity index. There is a common pattern among many of these messages for the lower bound of the entity index to be checked but not the upper bound. In many cases these out-of-bou...
HackerOne: Customer private program can disclose email any users through invited via username
Summary: Hey team, this bug could have been used, by my calculations, a long time ago. Steps To Reproduce: 1. Go to https://hackerone.com/hackeroneh1pbbp3/launch 2. Take invite via username. 3. Input username, send invite. 3.1 When an invite is created, we get a token. 4. Now go use the GraphQL query...
GitHub Security Lab: Java (Maven): Actually fix the use of insecure protocol to download/upload artifacts
This bug was reported directly to GitHub Security Lab...
Nord Security: Arbitrary Set-Cookie via "?coupon=" due to semi-colon not encoded
Related to , the separator in the Cookie header is the semicolon ; and this issue is caused by the semicolon ; not being encoded, so the attacker can arbitrarily manipulate cookies. Arbitrary Set-Cookie will cause several problems like: - Session Fixation - Cookie Bomb (Client-Side DoS) - Etc. Vulnerable Endpoin...
GitLab: Stored XSS in blob viewer
Summary: I found a Stored XSS in the blob viewer when viewing a JSON file. In particular, when viewing an openapi file, openapiviewer is called to transfer the file's data to SwaggerUIBundle to render. SwaggerUIBundle does its job when rendering the graphical representation of the openapi's content. It also...
Google: CVE-2020-8913 - Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC
██████████████████████████...
U.S. Dept Of Defense: Sensitive Information Leaking Through DoD Owned Website. [██████████]
Summary: While performing recon work on websites owned by DoD, I came across the ██████████ website, which is leaking sensitive information. Description: The above website is leaking information such as first name and last name, email address, phone number, house address and organization name of...