U.S. Dept Of Defense: IDOR - Delete Users Saved Projects
Target Url https://█████/██████████/█████████=Targetid Summary: Hello, I found an IDOR bug in deleting users saved projects. Through changing the search id in the above url in a GET request, you can delete saved projects for any users. Step-by-step Reproduction Instructions 1. Navigate to your...
Mail.ru: [xss] setTheme in ajax_attach_action
Reflected XSS in e.mail.ru via GET parameter setTheme...
Razer: Reflected XSS on molpay.com with cloudflare bypass
The tester discovered a reflected XSS vulnerability on molpay.com which could allow an adversary to steal client side information such as a cookie. Razer Fintech thanks the tester for his clear report and PoC. Follow brutelogic for amazing bypass tips. Thank you for bounty @razer 🙏...
Node.js third-party modules: [express-cart] Wide CSRF in application
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report CSRF in...
Internet Bug Bounty: Several protocol parsers in before 4.9.2 could cause a buffer overflow in util-print.c:bittok2str_internal()
Length of a local buffer used to parse network packets was not validated against actual payload size leading to a classic buffer overflow. P.S. I was not aware of this bounty program at the time of reporting. Is this report in scope? I have a few more reports that were originally sent to the...
HackerOne: GraphQL node interface for ActiveResource models lacks encoding for resource identifier, enabling parameter injection in Payments backend
HackerOne exposes a small number of ActiveResource objects through its GraphQL node interface. ActiveResource objects use HTTP as transport layer in order to fetch data. Four of these models, TaxForm, Payout, Payment, and PayoutPreference are fetched from an internal Payments backend system with ...
Node.js: Malformed HTTP/2 SETTINGS frame leads to reachable assert
I do not expect any form of cash bounty for this issue. If we have discovered a unique vulnerability I only ask that Jordan Zebor and Adam Cabrey of F5 Networks be credited with finding the issue. Summary: A reachable assert in the NodeJS HTTP/2 implementation can result in a denial of service...
HackerOne: An invite-only's program submission state is accessible to users no longer part of the program
Related to This Report: 645299 Steps To Reproduce: ██████ Private Program: 1. I was invited by █████: https://hackerone.com/███ 2. Submitted a report/vulnerability. https://hackerone.com/reports/519502 3. Accepted by ████ and marked as resolved. 4. Try to leave the program. 5. The █████████ Program is...
U.S. Dept Of Defense: Admin Login Credential Leak for DoD Gitlab EE instance
Summary A DoD employee/contractor exposed the ███ password in a GitHub repository █████████ leading to full ███ access in a DoD DISA-associated private Gitlab EE instance ███. Description The IP address ████ recently hosted the subdomain █████████ as of 2019-09-23. ██████ Now port 80 points to a...
U.S. Dept Of Defense: CSRF - Modify User Settings with one click - Account TakeOver
Target Url https://█████ Summary: This CSRF is sensitive, similar to the old one 799855 , here attacker can change user name, email, and password with just one click from user. I think its severity should be greater than Medium High since it doesn't require any user interaction but only just bein...
PayPal: Reflect XSS and CSP Bypass on https://www.paypal.com/businesswallet/currencyConverter/
An endpoint used for currency conversion was found to suffer from a reflected XSS vulnerability, where user input was not being properly sanitized in a parameter in the URL. This could lead to a malicious user injecting malicious JavaScript, HTML, or any other type of code that the browser may...
Stripo Inc: XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique
XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique...
U.S. Dept Of Defense: CSRF - Delete Account (Urgent)
Target Url https://██████████/███/██████/█████████ Summary: Hello, I found a Cross Site Request Forgery bug in the target endpoint on the GET request ████ which is critical because it can delete the authenticated user's account whenever he navigates to the attacker's website or link. Step-by-step...
U.S. Dept Of Defense: Reflected XSS - in Email Input
Target Url https://█████ Summary: Hello, I found a reflected xss injection in the email input when updating user profile. Seems Email input is not sanitized and the special characters are not encoded. xss payload used " Step-by-step Reproduction Instructions 1. Navigate to the target url...
Rockstar Games: Dom based XSS on www.rockstargames.com/GTAOnline/features/freemode
In this report, the researcher identified a DOM-Based XSS vulnerability on www.rockstargames.com/GTAOnline/features/freemode. This type of attack can result in cookie theft, or enable CSRF and phishing attacks. With the researcher's help we were able to identify the cause of the vulnerability and...
Mail.ru: vk.com profile page takeover on https://cabinet.am.ru/
Description Hi team, While exploring https://cabinet.am.ru/ domain I found this site points to some social media accounts, One of them was a vk.com profile as https://vk.com/amrusocial but when I opened that link it showed me a 404 error so I successfully could register an account on vk.com and...
Node.js: Slowloris, body parsing
Summary: add summary of the vulnerability Attackers can cause a Denial of Service by sending HTTP request body data extremely slowly to keep a connection open by maintaining activity, and use resources over an extended period. Description: add more details about this vulnerability Body data is se...
Mail.ru: Reflected XSS on am.ru and subdomains
Content-Type for JSON response was incorrectly set to text/html for am.ru, potentially leading to multiple XSS possibilities, including demonstrated reflected XSS vector via GET parameters...
Nord Security: Email address is not validated, No Rate Limit and RCE On Forgot Password Page Of affiliates.nordvpn.com
Go to https://affiliates.nordvpn.com/users/forgotpassword. Enter an arbitrary string like %0a or %0a%0d as the email. It says "No user account was found for the address given", which proves the query is going to the database. Intercept the request using Burp Interceptor, copy it to Intruder. Copy some 300...
WakaTime: Broken Authentication and session management OWASP A2
Hi, Security Team! I found a vulnerability on https://wakatime.com/ Steps To Reproduce: 1. First log in to the account; the website will create a session for the current login. 2. Copy all Cookies and paste them into notepad. 3. Log out of your account. 4. Open your chrome browser and right click on the bookmark ba...
Acronis: Accessing repository and other files by directory listing
It was reported that directory listing is possible on https://storage-repo.acronis.com. https://storage-repo.acronis.com is a YUM repository with no sensitive data and it is supposed to be publicly accessible...
Internet Bug Bounty: Null Pointer Dereference in PHP Session Upload Progress
Affected Versions ------------ Affected is all of PHP5.4/5.5/5.6 Affected is all of PHP7 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ session.c `static int php_session_rfc1867_callback(unsigned int event, void *event_data, void *extra) { /* ... */ switch (even...`
GSA Bounty: open redirect in eb9f.pivcac.prod.login.gov
PoC: https://eb9f.pivcac.prod.login.gov/?nonce=wI0UglN84A06Q4z4JnkZVc3i1V8%3D&redirecturi=https%3A%2F%2Fgoogle.com%23%40secure.login.gov%2Flogin%2Fpivcac Visit this and it will redirect to google.com. Impact: phishing...
Radancy: x-request-id header reflected in server response without sanitization
Domain and URL: maximum.nl Summary: When issuing a GET request to maximum.nl, it's possible to set the x-request-id header, which is then reflected in the server response without any sanitization. Description: An attacker can use this vulnerability to escalate to more advanced attacks such as CRLF...
Shopify: xss stored
An XSS was found in the customer notes; it requires being logged in and is located in the customer notes field. POC https://macken22jorg.myshopify.com/admin/customers https://macken22jorg.myshopify.com/admin/customers/2901321318444...
FileZilla: FileZilla 3.46.3 - 'Scale factor' Buffer Overflow
Summary: FileZilla has a problem: the "Scale Factor" field is vulnerable to a Buffer Overflow attack or a denial attack by adding random characters in an entry that must accept only Float input type values. Steps To Reproduce: A python file of name generatepaste.py was generated for the...
Mail.ru: PHP code injection at tz.mail.ru
A chain of bugs involving unsafe usage of PHP unserialize led to possibility of code execution in tz.mail.ru...
Rockstar Games: Open redirect in https://www.rockstargames.com/GTAOnline/restricted-content/agegate/form may lead to Facebook OAuth token theft
In this report, the researcher identified an Open Redirect vulnerability in the age-gate code on the GTA Online sub-site. This vulnerability could also potentially have caused sensitive tokens to leak via the Referer header if it were exploited under specific circumstances. The Open Redirect was...
Ubiquiti Inc.: SNMP Community String Disclosure to ReadOnly Users on EdgeSwitch
Read-only users could execute unauthorized tasks and access SNMP community string pages. These vulnerabilities were found on EdgeSwitch 1G switch ESWH and EdgeSwitch 10G switch ESGH firmware v1.9.0. The fix for these vulnerabilities was included in the EdgeMax EdgeSwitch firmware v1.9.1 For mor...
Ping Identity: Stored XSS in Application menu via Home Page Url
There is a stored XSS vulnerability in the Application List page for the Connections module in https://console-staging.pingone.com/ Steps To Reproduce: 1. Login to https://console-staging.pingone.com/ and navigate to Connections / Applications 2. Add a new Application. Pick Native App, pick a nam...
Mail.ru: Reflected XSS at city-mobil.ru
Reflected XSS via URI vector in https://city-mobil.ru/ 404 response...
Semrush: IDOR in marketing calendar tool
INTRODUCTION I used two accounts to search for this vulnerability: Id: █████ Email: ██████ Id: ███ Email: ███ IP used: 78.194.169.36 Endpoint URL: https://ec.semrush.com/api/v1/ga/userstatus/?calendarid=CALENDARID EXPLOITATION Description of Security Issue: When a marketing calendar is loaded in...
Mail.ru: Google API Key is not restricted for specific application package name and signature [Mail.ru Cloud for Android]
Google API keys used in Cloud Mail.Ru for Android application were not properly limited in functionality...
Internet Bug Bounty: PHP built for Windows with TS support does not resolve relative paths with drive letter correctly
Currently PHP processes Windows paths like C:Users as if they were absolute. But they are not, and PHP built with TS thread-safe support currently points to the root drive location instead of the current directory. This gives the attacker unlimited access to the root drive if the path is...
Shopify: Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation
Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation Summary This report is based on the scenario that email confirmation has been bypassed already, like shown in 791775. What happened in 791775 was, I was too excited and didn't take a step...
Mail.ru: [icq.im] Reflected XSS via chat invite link
Insufficient filtering in icq.im allowed reflected XSS via invite link...
Shopify: [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation
Summary In 791775, I submitted a bug at Sunday 5pm Canada time, it was triaged two hours later, and I got the temp fix message at around 3am the next day in Canada time. Truly awesome, the next day I retested after the first fix, and found that I - Cannot receive the email confirmation in the ema...
Nord Security: Cross Origin Resource Sharing Misconfiguration | Lead to sensitive information
Summary: Cross Origin Resource Sharing Misconfiguration | Lead to sensitive information. Description: An HTML5 cross-origin resource sharing CORS policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy ...
Open-Xchange: access to stack memory beyond array boundaries
In PowerDNS Recursive Server, in the rec-carbon.cc file in the `void doCarbonDump(void*)` function, lines 36..43 contain vulnerable code: ….. `char tmp[80]; memset(tmp, 0, sizeof(tmp)); gethostname(tmp, sizeof(tmp)); char *p = strchr(tmp, '.'); if(p) *p=0; hostname=tmp; boost::replace_all(hostname, ".", "");` ……. the...
Node.js third-party modules: [dy-server2] - stored Cross-Site Scripting
I would like to report Stored XSS in dy-server2. It allows stealing session cookies, defacing the web page, and executing arbitrary JavaScript code. Module module name: dy-server2 version: dy-server2 npm page: https://www.npmjs.com/package/dy-server2 Module Description This is a lightweight HTTP server that can be used for file transfer and front-end project preview. Module Stats...
Mail.ru: Self XSS via help.mail.ru interface
Self-XSS in sandbox domain via support chat interface on help.mail.ru with no security impact identified...
Ubiquiti Inc.: Readonly to Root Privilege Escalation on EdgeSwitch
An authenticated read-only user can execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges. These vulnerabilities were found on EdgeSwitch 1G switch ESWH and EdgeSwitch 10G switch ESGH firmware v1.9.0. The fix for these vulnerabilities was included in the...
U.S. Dept Of Defense: [Critical] Insufficient Access Control On Registration Page of Webapps Website Allows Privilege Escalation to Administrator
Summary: Hello. Due to insufficient access controls and poor implementation of the registration at https://████████/████/login.cfm it was possible to register while privilege escalating to an administrator. Description: It was possible to tamper with the registration request at...
Rockstar Games: csrf in https://www.rockstargames.com/reddeadonline/feedback/submit.json
In this report, the researcher discovered an endpoint that lacked CSRF protection and demonstrated a way to exploit it via a remote webserver. Typically CSRF-related reports are not eligible for bounty, but the impact of this exploit was high enough to warrant a reward. This was only exploitable ...
Kubernetes: Github test clientID and clientSecret leaked
Report Submission Form Summary: A github clientID and clientSecret for an oauth app are being leaked on github Description While looking for anything that is interesting on github I found a clientID and clientSecret for a github oauth app hardcoded. While they have been removed a long time ago, they ar...
New Relic: CRLF Injection in email address
The researcher discovered an issue where control characters can be used when intercepting a request to update an email address. This would result in an inaccessible account without intervention by our Support team. As denial-of-service is out of scope for our program, and since it is scoped to a...
Mail.ru: turboslim.lady.mail.ru - Blind sql-injection.
Blind time based SQL injection in turboslim.lady.mail.ru promo page due to insecure use of GET parameter. The vulnerability was in the GET parameter...
Razer: Insecure HostnameVerifier within WebView of Razer Pay Android (TLS Vulnerability)
The tester discovered the Razer Pay Android application was vulnerable to a client side hijack which could have allowed the capture of important user data. Razer Fintech thanks the tester for their clear PoC...
Lark Technologies: Users Without Permission Can Download Restricted Files
A vulnerability was found where it was possible to bypass restrictions imposed on downloading a file if the valid file token was known and by accessing at its URL directly. We thank @imrannisar for reporting this to our team...
Nextcloud: nextcloud-snap CircleCI project has vulnerable configuration which can lead to exposing secrets
Summary: CircleCI allows projects to configure whether builds will run as a result of a pull request from a fork, and also whether these fork PRs have access to the secrets stored in the parent repo's CircleCI settings. When both settings are enabled, and the repo associated with the project allo...