Endless Group: Enumeration of username on password reset page
Summary: The reset password page API call can be used to enumerate usernames based on the error message. Steps To Reproduce: add details for how we can reproduce the issue 1. Go to password reset page 2. Enter username and click submit 3. Check email for password reset code, open the url in any brows...
X (Formerly Twitter): Reset password without knowing current password
Description Hi team, I found an interesting flaw in your password recovery mechanism that gives the ability to reset a password without a valid token and without knowing the current password. I'm going to explain it here: In the https://www.twitterflightschool.com/ domain, if you try to reset your password from...
Visma Bug Bounty Program: A non-administrator user can change his email even when it is restricted by an administrator
A non-administrator user can change his email, even when it is restricted by an administrator, by tampering with the response data. Steps to Reproduce Login as a normal user and go to the "My details" tab in Profile. Click on the Edit icon in the Account section. If this functionality is locked by your...
Starbucks: Minimal information disclosure of internal asset names and links which were not publicly accessible.
e4366eolywrgpidfbio discovered an application with links to internal Starbucks related resources. No public access to these resources was available, resulting in minimal information disclosure of host and resource names. @e4366eolywrgpidfbio — thank you for reporting this issue...
Engel & Völkers Technology GmbH: [go3-stage.engelvoelkers.com] - Reflected XSS in /dGPS3/default.jsp
Summary: The application fails to sanitize user input in https://go3-stage.engelvoelkers.com/dGPS3/default.jsp and reflects the input directly in the HTTP response, allowing the hacker to exploit the vulnerable parameter and have malicious content executed in the victim's browser. Description: A...
Engel & Völkers Technology GmbH: [go3-intern.engelvoelkers.com] - Reflected XSS in /dGPS3/default.jsp
Summary: The application fails to sanitize user input in https://go3-intern.engelvoelkers.com/dGPS3/default.jsp and reflects the input directly in the HTTP response, allowing the hacker to exploit the vulnerable parameter and have malicious content executed in the victim's browser. Description: A...
Engel & Völkers Technology GmbH: Information Exposure at https://printshop.engelvoelkers.com/
Summary: There is an information exposure through some tmp and txt files that can allow an attacker to download some files from the application. Steps To Reproduce: + There are some files that expose internal links from the application; inside these files you can view some .xls that you can...
X (Formerly Twitter): Periscope iOS app CSRF in follow action due to deeplink
Summary This issue is mainly in the Periscope iOS app: a CSRF follow action using a deeplink. As in report 583987, the CSRF works on the iOS app. POC 1: QR code to follow periscope profile pscp://user/periscopeco/follow ███████ POC2 by kunal94 /follow"CSRF DEMO video █████████ Impact CSRF Follow...
U.S. Dept Of Defense: Sensitive Information Leaking Through DARPA Website. [█████████]
Summary: While performing recon work on websites owned by DoD I came across the DARPA website, which is leaking sensitive information. Description: The above website is leaking information such as first name and last name, email address, phone number, house address and organization name of attendees...
Lark Technologies: Sensitive information of helpdesk is being leaked.
Due to improper access control, Larksuite help desk tickets could have been accessed by users who are not owners or admins of the helpdesk. We thank @imrannisar for reporting this to our team and verifying the resolution...
Internet Bug Bounty: DirectoryIterator class silently truncates after a null byte
The bug submitted at: https://bugs.php.net/bug.php?id=78863 The security advisory at: https://nvd.nist.gov/vuln/detail/CVE-2019-11045 There's an issue with the SPL PHP extension in the spl_filesystem_object_construct function. When creating a new DirectoryIterator object, spl_filesystem_object_construct functio...
Internet Bug Bounty: PHP link() silently truncates after a null byte on Windows
The bug submitted at: https://bugs.php.net/bug.php?id=78862 The security advisory at: https://nvd.nist.gov/vuln/detail/CVE-2019-11044 The issue allows remote attackers to read or write arbitrary files via crafted input to an application that calls the vulnerable function. As demonstrated by a...
U.S. Dept Of Defense: Username & password disclosed in readme file in [https://█████████]
Summary: Username & password for login into the dashboard are disclosed in a readme file in https://███ Description: Open this and you will see the username and password in the file. Impact Disclosure of Sensitive Information "username&password"...
Engel & Völkers Technology GmbH: [www.go3.engelvoelkers.com] - Reflected XSS in /dGPS3/default.jsp
Summary: The application fails to sanitize user input in https://www.go3.engelvoelkers.com/dGPS3/default.jsp and reflects the input directly in the HTTP response, allowing the hacker to exploit the vulnerable parameter and have malicious content executed in the victim's browser. Description: A...
U.S. Dept Of Defense: phpinfo() disclosure info
Hi security team, I found a subdomain with the phpinfo file available. PoC: https://█████████/phpinfo.php Impact An attacker can obtain information such as: • Exact PHP version. • Exact OS and its version. • Details of the PHP configuration. • Internal IP addresses. • Server environment variables. • Loaded PHP...
Node.js third-party modules: Prototype pollution in multipart parsing
I would like to report a prototype pollution attack in fastify-multipart. It allows crashing a remote server parsing multipart requests by sending a specially crafted request. Module module name: fastify-multipart version: all versions before Detailed steps to reproduce with all required...
U.S. Dept Of Defense: [█████████] Administrative access to Oracle WebLogic Server using default credentials
Hello. I discovered an Oracle WebLogic Server and because of weak credentials managed to login as administrator, which led to complete server takeover...
Lark Technologies: Access to private file's of helpdesk.
An improperly implemented access control vulnerability was found at a Larksuite endpoint that could have allowed a team founder, who was also an admin of a separate helpdesk, to view an arbitrary image from a ticket they did not have permission to view. We thank @imrannisar for reporting this ...
U.S. Dept Of Defense: Reflected XSS on https://███████/
Summary: Hey Team, There is reflected XSS on https://█████/kinetic/ when a certain action results in a 404 error. Description: I am using some random string paths after kinetic/ in https://███████/kinetic/; if that path does not exist it says 404 not found. Strings are not sanitized after kinetic/ d...
U.S. Dept Of Defense: Domain Takeover in [███████]
Summary: The subscription of ████ has expired, so any attacker can take it over. Impact Phishing attacks if any attacker takes over the domain...
Nord Security: NordVPN Android Application privacy violation due to Google Advertising Identifier misuse
The researcher reported an issue regarding somewhat incorrect GAID usage integration in our application. The concerns were valid and properly addressed by our team...
Rockstar Games: DOM XSS on https://www.rockstargames.com/GTAOnline/feedback
In this report, the researcher identified a DOM-based Cross-Site Scripting vulnerability in the /GTAOnline/feedback endpoint. As we worked together on resolving this matter, the researcher helped us identify other parts of the GTA Online sub-site that suffered from the same vulnerability due to...
Ruby on Rails: Missing resource identifier encoding may lead to security vulnerabilities
I initially submitted this to the GitHub repository because the ActiveResource repository is not listed in scope. I was redirected here by @rafaelfranca A number of methods in the ActiveResource library, such as ActiveResource::Basefind and ActiveResource::Baseexists? don't URL encode the resourc...
Nord Security: Reduced Payment amount while paying on Crypto Currencies
Summary: While the payment is made via Crypto Currencies on the site "https://join.nordvpn.com/order/", the amount can be reduced to 25.64 instead of the original amount, this can cause loss of revenue to the company. Even the BTC value reflects the reduced converted values, see the screenshot...
Mail.ru: OTP bypass on user account deletion
The account deletion procedure was not sufficiently protected against brute force and allowed icq.com account deletion; a valid session to the victim account was required...
Nextcloud: Mail does not verify IMAP/SMTP host connected via TLS
The Mail app should verify that the servers it connects to are listed in the certificate's CN. Otherwise the connection should be aborted. Originally reported at https://github.com/nextcloud/mail/issues/308 Impact The app could be forced into connecting to an insecure server...
Nord Security: Unauthorized User Can Delete Any User Account
DESCRIPTION: Your help desk allows creating tickets by email, which means the user can send an email to the NordVPN support email to add a new ticket to his activities. So when you send an email to [email protected] from your email address, this ticket will be created on the account that you...
Mail.ru: [aw.mail.ru] XSS on /quiztank page
Reflected XSS in aw.mail.ru via URI...
Monero: Monero wallet password change is confirmed when not matching
Summary: If you change your wallet password in the GUI, the confirmation does not need to match the new password. Releases Affected: list each version and OS of the application affected Steps To Reproduce: Open your wallet. Go to settings. Change...
Mail.ru: CSRF on https://market.my.games
Description Hi team, While exploring the https://market.my.games/ domain, I found this domain is vulnerable to CSRF. This site includes an X-CSRFToken in headers but it seems the server doesn't validate it at all. Many endpoints require application/json as their content-type so we can't exploit this iss...
Internet Bug Bounty: CVE-2017-13019: The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print-pgm.c:pgm_print()
Hello, The vulnerable code portion is linked below. The linked function is responsible for printing PGM packet payload information to the terminal e.g., stdout https://github.com/the-tcpdump-group/tcpdump/commit/4601c685e7fd19c3724d5e499c69b8d3ec49933e The issue may be reproduced as follows Check...
Internet Bug Bounty: CVE-2017-13050: The RPKI-Router parser in tcpdump before 4.9.2 has a buffer over-read in print-rpki-rtr.c:rpki_rtr_pdu_print()
Hello, The vulnerable code portion is linked below. The linked function is responsible for printing RPKI-Router packet payload information to the terminal e.g., stdout https://github.com/the-tcpdump-group/tcpdump/commit/83c64fce3a5226b080e535f5131a8a318f30e79b The issue may be reproduced as follo...
Internet Bug Bounty: The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print-vtp.c:vtp_print()
Hello, The vulnerable code portion is linked below. The linked function is responsible for printing VTP packet payload information to the terminal e.g., stdout https://github.com/the-tcpdump-group/tcpdump/commit/ae83295915d08a854de27a88efac5dd7353e6d3f#diff-8c6895b252e6da31d60a7866973d5787L262-L26...
InnoGames: Create any military unit in any age
Summary of the Issue It's possible to create a sniperbot unit in the bronze age by sending a crafted request to xs1.forgeofempires.com/game/json endpoint Steps to reproduce 1 Login to https://xs1.forgeofempires.com with Chrome browser while observing network tab. 2 Open the poc20200227.html F7304...
Ubiquiti Inc.: XW 6.2.0 firmware: 5 Reflected XSS issues in link.cgi
AirMax XW.v6.2.0 has multiple end-points with parameters vulnerable to reflected cross site scripting (XSS), allowing attackers to abuse the user's session information and/or take over the admin user's account. These vulnerabilities were found on AirMax AirOS v6.2.0 and prior versions for TI, XW...
Shopify: User with no draft order permission can still perform actions on draft orders in Stocky app (IDOR)
@imranhudaa reported that the Shopify Stocky application was missing a permission check to download purchase orders. We implemented the missing check to resolve the issue. This is a limited disclosure at their request...
Ubiquiti Inc.: Unauthenticated request allows changing hostname
We have recently released a new version of UniFi Cloud Key firmware that fixes a vulnerability found in v1.1.6 and prior for Cloud Key gen2 and Cloud Key gen2 Plus, according to the description below: Unauthenticated API requests allow changing the device hostname. Affected Products: UniFi Cloud Key Ge...
Kubernetes: Grafana Improper authorization
Summary: New report from part 2. A wrong configuration causes the Grafana datasource to use the root user with InfluxDB admin privileges. Component Version: test-infra:master Steps To Reproduce: In a normal configuration a read-only user is used by Grafana, but in my test I found the datasource user with admin perms. refer...
GitLab: Email notification about login email changed is not received when using verified linked email address
Summary In https://gitlab.com/profile, a user can update the email id used for login to the GitLab account using the field "Email". Usually, when this login email id is updated, there will be 2 emails sent to the previous email id with subjects as follows. Email 1 - Email Changed: This tells that the login email has been...
Reddit: Race condition leads to Inflation of coins when bought via Google Play Store at endpoint https://oauth.reddit.com/api/v2/gold/android/verify_purchase
Hi, Summary: When we purchase coins from Reddit's mobile app using Android, https://oauth.reddit.com/api/v2/gold/android/verify_purchase is called with parameters like transactionid and token. There exists a race condition on this endpoint which allows an attacker to get coins many times more than...
Glassdoor: Access to Glassdoor's Infra (AWS) and BitBucket account through leaked repo
AWS credentials associated with a Glassdoor employee were exposed via a publicly accessible repo. These keys gave access to a particular account on AWS related to big data. We have removed and rotated the keys since and corrected the permissions on the repo. Thanks @prateek0490 for detecting and lettin...
Node.js third-party modules: [utils-extend] Prototype pollution
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report prototype polluti...
MTN Group: Exposed .bash_history at http://21days2017.mtncameroon.net/.bash_history
Summary: Dear Security Team, I found some dangerous URLs on your servers that reveal important information about the servers' configuration and that are very interesting from a hacker's point of view. Steps To Reproduce: http://21days2017.mtncameroon.net/.bash_history Remediation disable th...
Alibaba BBP: SSRF / Arbitrary File Read on Alibaba Cloud Academy
Summary: The Alibaba Cloud Academy certificate download function is vulnerable to an SSRF bug. It can also read arbitrary files on the server. Steps To Reproduce: - Login to your https://edu.alibabacloud.com/ account - Click the url to Ping external...
Mail.ru: Insufficient limitation of web page title leads to DoS against ICQ for Android
It was possible to permanently hang or crash the ICQ application by posting the URI of a page with an oversized TITLE header. Before testing and reporting DoS conditions please check @mailru rules and scope description to avoid signal/reputation loss; not every DoS report is accepted...
Hyperledger: RCE vulnerability in Hyperledger Fabric SDK for Java
Hyperledger Fabric SDK for Java version 2.0.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. In the following source code files and corresponding line number, an arbitrary file gets parsed by...
GitHub Security Lab: CodeQL query for finding ReDoS and Regex Injection vulnerabilities in Java
This bug was reported directly to GitHub Security Lab...
Nord Security: Sensitive Information Disclosure on https://nordvpn.com/
The researcher provided us with a URL where a list of NordVPN accounts was posted. We want to assure you that our service and our users' data are still secure – as far as our website and service are concerned. This is a global issue in cyberspace where hackers know that most users don't bother to s...
Razer: Post Based Reflected XSS on [https://investor.razer.com/s/ir_contact.php]
The tester discovered our investor relations website suffered from a reflected XSS issue due to unsanitized user input. Razer thanks the tester for his clear PoC and working with us to resolve this issue...
Stripo Inc: Blind SSRF while Creating Templates
Blind SSRF While Creating Email Templates...