CompanyHub: No Rate Limit On forgot Password Leading To Massive Email Flooding
Summary: No rate limit check on forgot password which can lead to mass mailing and spamming of users and possible employees A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session or IP-address has to be limited based on the information in the session cache. ...
Kubernetes: Route53 Subdomain Takeover on test-cncf-aws.canary.k8s.io
Summary: I discovered that it was possible to takeover test-cncf-aws.canary.k8s.io by assigning a zone to that name with one of the following nameservers in Route53: test-cncf-aws.canary.k8s.io. 3600 IN NS ns-265.awsdns-33.com. test-cncf-aws.canary.k8s.io. 3600 IN NS ns-687.awsdns-21.net...
Revive Adserver: Open redirection bypass in /www/admin/campaign-modify.php
Description - There is an open redirect on /www/admin/campaign-modify.php?returnurl= F713773 - By using //// at the start of the link, you can bypass the open redirect filter. - example: /www/admin/campaign-modify.php?clientid=&campaignid=&returnurl=%2F%2F%2F%2Fhackerone.com Impact This...
Semrush: SSRF and LFI in site-audit tool
SSRF and LFI vulnerability in Site Audit due to lack of connection protocol verification...
Node.js third-party modules: Server-Side Request Forgery (SSRF) in Ghost CMS
I would like to report about SSRF vulnerability in CMS Ghost blog It allows attacker able to send a crafted GET request from a vulnerable web application Module module name: ghost version: 3.5.2 npm page: https://www.npmjs.com/package/ghost website page https://ghost.org/ Module Description Ghost...
Nextcloud: Email Spoofing
An SPF/DMARC record is a type of Domain Name Service DNS record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF/DMARC record is to prevent spammers from sending messages on the behalf of your organization. Remediation: Create a SPF...
HackerOne: 404-response contains debug-information with all headers
Summary: When requesting a page that does not exist under www.hackerone.com the page returns a hidden HTML-element debugData that reflects all headers in the GET-request, including http-only cookies. Description: This in itself is not a serious vulnerability, but as the program description mention...
Open-Xchange: SSRF - Guard - Unchecked WKS servers
Note This is a different vulnerability than HKP lookup 792953; although it does basically the same thing and has the same problem, these are independent implementations of key lookup and the vulnerable code isn't shared. Description When encrypting an email, one of the strategies to look up the recipient's encrypti...
Open-Xchange: SSRF - Guard - Unchecked HKP servers
Description When encrypting an email, one of the strategies to look up the recipient's encryption key is to contact an HKP keyserver specified in the DNS records of the recipient's domain. Specifically it is the DNS SRV records for hkps.tcp. and hkp.tcp., which specify the hostname and port of the keyserver. In source cod...
HackerOne: Email address of any user can be queried on Report Invitation GraphQL type when username is known
Summary: Email ID of all HackerOne users disclosure Description: There is a flaw with which I can get all HackerOne users' email IDs Steps To Reproduce 1. Invoke the below graphql call POST /graphql HTTP/1.1 "query":"mutation Revokecredentialmutation$input0:AddReportParticipantInput!...
Revive Adserver: bypass old password with array in /admin/account-user-email.php
Short Description - attacker may be able to change email or password without entering the old password, using an array param. - version: revive-adserver-5.0.4 - os: Windows POC F712486 Impact attacker may be able to change email or password without entering the old password...
Nord Security: Hard-coded API keys at NordVpn Android App
Hello NordVpn, APK Version : 4.6.2 APIs at res/values/strings.xml Google googleapikey = AIzaSyBySEqk7WWee9bxpw5BM1eJeUx1TWdHE Stripe stripepublishableapikey = pklivej1Mt911wyZwAhATA9TYdA8q2 Reference: https://stripe.com/docs/keys Impact Cleartext Storage of Sensitive Information...
Mail.ru: [geekbrains.ru] Reflected XSS via Angular Template Injection
Potential XSS due to use of Angular templates...
Nord Security: Password Reset Link not expiring after changing the email Leads To Account Takeover
The researcher has identified an issue in our password reset workflow where the password reset URL was not expiring correctly after the user has requested a password change 1 Go to this website : https://ucp.nordvpn.com/lost-password 2 Enter your main account [email protected] 3 Go to [email protected]...
Clario: Multiple Links Vulnerable to Reflected xss
Summary Multiple Links Vulnerable to Reflected XSS in https://mackeeper.com/mk/de/ Steps to reproduce Go to these links and the XSS will be triggered...
Bumble: On Signing up with a Phone number, The 4 digit OTP does not expire for a long time leading to an easy attack and make a verified account easily
Hello there how are you doing ? Go to sign up page and enter a new phone number and you will be redirected to https://bumble.com/registration/confirm-phone . You will receive an easily breakable 4 digit OTP Code . I waited for about 4 hours and the OTP did not expire , This shows that the OTP can b...
Mail.ru: [xss] content-type substitution in the mail logo upload
Stored XSS in biz.mail.ru via upload log functionality...
Razer: RXSS at https://api.easy2pay.co/inquiry.php via txid parameter.
The tester discovered a reflected XSS on an API server related to Razer Pay TH. Note this is not a site that users will typically visit via a web browser front end. Razer thanks the tester for his diligence and the clear report...
Endless Group: CVE-2017-8779 exploit on open rpcbind port could lead to remote DoS
Summary: An open rpcbind port on https://da.theendlessweb.com allows for possible exploitation by an existing Metasploit module. This could lead to large and unfreed memory allocations for XDR strings. Description: Port scanning on 149.56.38.19 which is the IP of https://da.theendlessweb.com show...
Nord Security: Misconfigured web directory allows to retrieve public proxy list
The reporter has identified a misconfigured web directory that displays NordVPN public proxy list and corresponding port numbers, which is not a vulnerability rather a piece of outdated information that was left unattended...
Shopify: Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO
I told Pete I would take a look at Spotify, hi Pete. Summary It's possible to take over any store account through bypassing the email confirmation step in .myshopify.com. I found a way to confirm arbitrary emails, and after confirming arbitrary email in .myshopify.com, user is able to integrate...
Nord Security: Expired Available Domains in nordvpn.com website code
We at NordVPN want to stress that these domains were removed not because they were a threat, but because they simply were of no use. Also, new domains were added because this is a part of our operational tasks. These changes are made every few months. THANKS @nordvpn @emanu Well I have been Doing...
Nord Security: No Rate Limit On Forgot Password Page Of affiliates.nordvpn.com
Introduction: A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session or IP-address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP-Servers can respond with status code...
Endless Group: Weak Password Policy via DirectAdmin Password Change Functionality
The product did not require users to have strong passwords, making it easier for attackers to compromise user accounts...
Endless Group: Modify Host Header which is sent to email
Summary: Modify host header and include the fake website in password reset email. Password reset mail is taking the source domain from the request Host header, which can be modified using Burp Suite, and the modified link is sent to the victim's email Steps To Reproduce: 1. Go to...
Mail.ru: idor leads to leak order information
IDOR in zakazaka.ru API allowed listing items of order content without attribution to user...
Lark Technologies: Stealing app credentials by reflected xss on Lark Suite
A reflected cross-site scripting XSS vulnerability was found on a Lark Suite endpoint via the 'next' parameter which an attacker could have potentially used to obtain app credentials (the attacker must first know the app ID). We have resolved this issue and thank @imrannisar for reporting this to our team...
Razer: Blind SQL Injection at http://easytopup.in.th/es-services/mps.php via serial_no parameter
The tester determined a Razer Gold Thailand server was vulnerable to a boolean-based blind SQL injection attack. Razer thanks the tester for the very clear PoC...
GitHub Security Lab: Dynamic reflection class
This bug was reported directly to GitHub Security Lab...
Node.js third-party modules: [hangersteak] Web Server Directory Traversal via Crafted GET Request
I would like to report path traversal in hangersteak module. It allows an attacker to read system files via path traversal local/remote Module module name: hangersteak version: 0.2.4 latest npm page: https://www.npmjs.com/package/hangersteak Module Description Node web static files server with...
X (Formerly Twitter): NO username used in authentication to www.mopub.com leading to direct password submission which has unlimited submission rate.
Summary: user name is not used in authentication leading to direct password submission Description: user name not used in authentication in https://www.mopub.com/login/?next=/dsp-portfolio/ this page is labelled as SITE ADMIN: refer POC can lead to direct submitting of password and this password h...
8x8: Directory Listing vulnerability on █.packet8.net/php/include/
@rajauzairabdullah reported to us an enabled Directory Listing in a /php/include/ directory. No sensitive information had been disclosed & we restricted access, which resolved the issue...
Razer: IDOR in eform.molpay.com leads to see other users application forms with private data
The tester discovered an IDOR which could allow an adversary to view the application form data of another user's application form given knowledge of the application ID. He worked with Triage to provide a working PoC. Razer Fintech appreciates the report to help keep customer data secure...
GitLab: Members from parent group keep their access level on a subgroup transfer and are invisible
Summary There's an option that allows transferring groups from one namespace to another; it doesn't work as intended when transferring subgroups from inside a parent group to another group. Users that were part of the first parent group from where the subgroup has been transferred keep their...
GitLab: When you call your branch the same name as a git hash, it could be checked out by dependents
Summary If we call a branch the same name as a git hash then the moment it's checked out somewhere, git prefers the branch name. So let's say the git hash is "e91803d442559d6efb63102b10c919e10901b01d". And someone referenced that hash in their program. Now the developer or a hacker with access ...
Node.js third-party modules: [sirloin] Web Server Directory Traversal via Crafted GET Request
I would like to report path traversal in Sirloin module. It allows an attacker to read system files via path traversal local/remote Module module name: Sirloin version: 0.15.0 latest release build npm page: https://www.npmjs.com/package/sirloin Module Description This high performance, extremely...
Visma Bug Bounty Program: A 'Read only' user can modify the company logotype and invoice background image
A 'Read only' user can modify the company logotype and invoice background image in his own company, which should not be allowed for this permission level...
Rockstar Games: Image Injection/XSS vulnerability affecting https://www.rockstargames.com/newswire/article
In this report, the researcher demonstrated a method to chain together separate vulnerabilities that, under certain conditions, could cause a user's Facebook Oauth tokens to leak via the Referer header. The specific vulnerability that was addressed in this report was the image injection/XSS...
Clario: Reflected xss
Summary RXSS in https://mackeeperapp.mackeeper.com/ Steps to reproduce...
Glassdoor: Site wide CSRF affecting both job seeker and Employer account on glassdoor.com
Summary: I have found an issue which enables an attacker to do CSRF attacks on all actions on both job seeker and employer account on www.glassdoor.com. Attacker is able to get a CSRF token from the server, which can be used to do CSRF attacks on any logged in victim on both types of glassdoor...
Mail.ru: 3igames.mail.ru SQL Injection
Error based SQLi: https://wrd-pay.3igames.mail.ru/?openid=21&appid=1&ts=12&payitem=2&token=1&billno=1&version=1&zoneid=1&providetype=1&amt=1&payamtcoins=1&pubacctpayamtcoins=1&sig=1%27,1,1,1,select%20expselectfromselect%20userx,1;--%20- SQLMAP: sqlmap -u...
Razer: Reflected XSS in eform.molpay.com
The tester discovered a reflected XSS on eform.molpay.com. This was fixed in production on Feb 12. Razer Fintech thanks the tester for his diligence and clear PoC...
Uber: Disclosure of Co-Rider user (Uber-pooling) profile picture at Amazon AWS Cloudfront within HTTP RESPONSE
After booking a shared ride, an attacker is able to access the profile picture of a co-rider. It is possible during the trip to view the co-rider's picture...
Glassdoor: XSS at https://www.glassdoor.com/Salary/* via filter.jobTitleExact
Summary: There exists a Cross Site Scripting and Content Injection vulnerability at https://www.glassdoor.com/Salary/ via the filter.jobTitleExact query parameter. Using URL encoded HTML entities, it is possible to inject HTML content and break out of the context of a tag. The WAF does a good job...
Topcoder: Reflected-XSS on https://www.topcoder.com/tc via pt parameter
Summary: I found a reflected XSS at the URL mentioned and the injected parameter is: pt Steps To Reproduce: 1- go to this URL https://www.topcoder.com/tc?module=ReviewBoard&pt=1 you will recognize that the parameter pt reflects its value into the page 2- try injecting this parameter with HTM...
Ruby on Rails: ActiveStorage direct upload fails to sign content-length header for S3 service
When a user makes a direct upload using ActiveStorage, the browser makes a request to the DirectUploadsController containing the directupload parameters filename, contenttype, bytesize, and checksum. These are used to generate a presigned url that is then passed back to the browser, allowing the...
Stripo Inc: Stored XSS on https://my.stripo.email/ (multiple inputs)
Stored XSS in multiple parameters...
MTN Group: Accessible Restricted directory on [bcm-bcaw.mtn.cm]
Summary: There are some exposed directories/files publicly accessible to anyone, when they should be restricted on the server Steps To Reproduce: Go to http://bcm-bcaw.mtn.cm/wp-content/uploads/ and navigate between available folders ==Poc:== F707036 Impact Every uploaded data can be accessible...
Smule: [com.smule.autorap.*] Cloud Messaging/Push Notification service takeover due to clear-text usage of Legacy FCM Server keys in the client app
Potential FCM issues across several apps investigated and remediated. Reference to Research: https://twitter.com/absshax/status/1295383047295008768?s=19...
Engel & Völkers Technology GmbH BBP: Source Code Disclosure at http://service.engelvoelkers.com/alert/_backups/app
Summary: I found the source code of http://service.engelvoelkers.com/, compressed in the file app.gz, which can be downloaded at http://service.engelvoelkers.com/alert/backups/app. It contains the source code, some source code backups and other sensitive information such as production server mys...