New Relic: Bypassing Protection Mechanism: Change of Account Name after Session Log out
The researcher illustrated a delay in session invalidation. This has not been added to our public policy to help prevent confusion...
Nord Security: Past payments using the Direct Debit method keep subscriptions active even if payments fail
I think this is a vulnerability that has no impact, but it violates I found many accounts that are actively subscribed even though the payment failed. This is because the payment uses the Direct Debit method, and you have deleted it. Because Direct Debit payments have been deleted and no longer wo...
Razer: Blind SQL Injection(Time Based Payload) in https://www.easytopup.in.th/store/game/digimon-master via CheckuserForm[user_id]
The tester determined the Top Up site for Razer Gold TH suffered from a blind SQL injection vulnerability due to lack of input sanitization. Razer thanks the tester for his clear PoC and working with us to resolve the issue...
Mail.ru: Stored XSS at branded site in .mail.ru domain
Stored XSS via URL markdown on the mail.ru subdomain delegated to external service...
Internet Bug Bounty: Buffer Overflow in ext_lm_group_acl helper
Summary Due to incorrect buffer management ext_lm_group_acl is vulnerable to a denial of service attack when processing NTLM Authentication credentials. This problem is limited to installations using the ext_lm_group_acl binary. Affected Versions Squid 2.x - 2.7.STABLE9 Squid 3.x - 3.5.28 Squid 4.x - 4...
Node.js third-party modules: [nested-property] Prototype Pollution
Hi team, I would like to report a prototype pollution vulnerability in nested-property that allows an attacker to modify properties on Object.prototype. Module name: nested-property version: 1.0.4 npm page: https://www.npmjs.com/package/nested-property Module Description Read, write or test a data...
Mail.ru: [Mail.Ru for Android] Replacing "Add filter" screen by malicious screen
An implicit intent was invoked on "Add filter" action of Mail.ru Mail application for Android leading to interface spoofing possibility...
Visma Bug Bounty Program: Stored XSS in 'Notes'
A logged-in user can inject JavaScript code into a specifically crafted Note on a document, such as an Invoice, which will be executed when another user, logged in to the same company, edits the Note...
Open-Xchange: XSS - Guard - Insufficient escaping of User-IDs from PGP Keys
Vulnerability PGP user IDs are typically in the form of name and OX Guard properly escapes angle brackets when inserting them into HTML. But in the code for displaying a list of keys it inserts IDs into HTML attributes without escaping double quote characters. javascript //...
New Relic: Secure credentials values disclosure to regular users due to access control issue in monitor creating function
@skavans discovered a test endpoint for Synthetics monitors that did not properly validate the permissions of the user making the request. This could allow lesser privileged users on the same account to create monitors using Secure Credentials...
Stripo Inc: Authorization for wp-admin directory is vulnerable to brute force.
The domain https://my.stripo.email in the directory /wp-admin does not limit the number of requests to the authorization form, which leads to a brute-force attack, where the attacker is able to guess tons of passwords without getting blocked or the password field getting locked. This attack makes it possib...
Visma Bug Bounty Program: Unrestricted file upload when creating quotes allows for Stored XSS
An attacker is able to bypass the restrictions which limit user uploads to .PDF only. Utilizing this exploit an attacker can upload malicious content to the web server. First the system checks the MIME-Type, and if it fails to match Content-Type: application/pdf then the upload won't be processe...
Visma Bug Bounty Program: A user can view the name and number of a customer in another company if the GUID is known
An IDOR vulnerability exists in /api/internal/customerlabels/, allowing an attacker to add a label to a customer in another company if he has previous knowledge about the UUID. The result is that the name and number of the customer is shown in the attacker's context. As all objects in the API ar...
Nextcloud: "Secure View" aka "Hide Download" can be bypassed easily
The mid-2019 announced feature "Secure view" https://nextcloud.com/blog/secure-view-prevent-your-shared-files-from-getting-downloaded/ allows for hiding the Download button on public shares. Even though the announcement admits that there are always workarounds out there to get their hands on the file...
Topcoder: PII of Users Disclosure using "/members/invite/" endpoint
Hello! I found PII Disclosure at https://connect.topcoder.com/projects/ Steps to Reproduce: 1. Go to https://connect.topcoder.com/projects 2. Select an existing project, or create a new one. 3. Select the "Manage Invitations" option on the left sidebar. 4. Enter the Username/Email of the user you wan...
New Relic: Ability to run monitors' jobs of other accounts and to read these jobs content (including the secure credentials values)
@skavans identified an endpoint for testing Synthetics monitors. Without proper validation, this could allow monitors from other accounts to run on your account with knowledge of the monitor's ID: POST /accounts//monitors/monitor/recheck.json?monitorId= HTTP/1.1 Host: synthetics.newrelic.com...
Mail.ru: [garnier-olia.lady.mail.ru] Reflected XSS /exp/ bypass "/"
Reflected XSS at https://garnier-olia.lady.mail.ru via URI path...
Uber: Thumbor misconfiguration at blogapi.uber.com can lead to DoS
The subdomain blogapi.uber.com is internally downloading images from external sources and resizing it to arbitrary values, then sending a response to the user...
U.S. Dept Of Defense: Application level DoS via xmlrpc.php
Vulnerability description: WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. The website https://████/ has the xmlrpc.php file enabled and could thus be potentially used for such an attack against other victim hosts...
Rockstar Games: Referer Leakage Vulnerability in socialclub.rockstargames.com/crew/ leads to FB'S OAuth token theft.
In this report, the researcher demonstrated a method to chain together separate vulnerabilities that, under certain conditions, could cause a user's Facebook Oauth tokens to leak via the Referer header. In this instance, an Open Redirect vulnerability was utilized to exploit the fact that the ful...
GitHub Security Lab: CodeQL query for finding LDAP Injection (CWE-90) vulnerabilities in Java
This bug was reported directly to GitHub Security Lab...
Clario: Reflected xss on mackeeper.com
Summary https://mackeeper.com is vulnerable to Reflected XSS. Steps to reproduce: go to https://mackeeper.com/buynow-webkhaleesio2-ppg?lang=fr&x-prepay=xxxxxxxx'" and the XSS will be triggered...
Nuri: HTML injection in email content
Summary: Hi, I just found an issue when registering an account at https://app.bitwala.com/onboarding/preliminary. It allows a hacker to inject malicious text, including HTML code, into email content. Steps To Reproduce: Make the register request below with an HTML payload in the ==firstName== and ==lastName== parameters:...
Node.js third-party modules: Server Side Request Forgery in Uppy npm module
Hi Team, While we were testing our security engine at Shieldfy https://shieldfy.io, we found a server side request forgery (SSRF) vulnerability in the Uppy npm package. It allows a hacker to easily extract inside information from the server or take control of internal services. Module name: Uppy...
Mail.ru: [Web ICQ Client] XSS vulnerability in the user name
Domain, site, application: WEB ICQ Client - https://web.icq.com/ Testing environment: Browser firefox Steps to reproduce 1. Set a user name containing HTML code 2. Create a channel/group and invite any user to it 3. Allow/Deny the user to write Actual resul...
Mail.ru: [API] ICQ user's avatar can be manipulated remotely
Description: When calling the API method for setting a user's avatar https://ub.icq.net/files/api/v1.1/avatar/set you can pass an additional GET parameter: targetSn - set to the UIN of any user. This way we can change the avatar of any user. Steps To Reproduce: 1...
Insolar: MAIL SPOOFING
The reporter found a flaw in the contact form which could have allowed potential attackers to steal credentials or hijack accounts by sending a message to the victim containing a malicious URL...
Mail.ru: warofdragons.my.games: configuration files with database account are accessible
Configuration files were accessible at https://warofdragons.my.games/ leaking configuration information, including database account...
Localize: Stored XSS in Name of Team Member Invitation
Hello team, I have found a stored XSS in add team member. Steps to reproduce 1. Go to https://localizestaging.com/organization/team?filter=all 2. Click on add team member 3. In the name, enter payload: 4. and in the email add your victim's email 5. When they join the team the XSS will trigger. F701271 now...
Semrush: Reflected XSS on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB
Researcher found reflected XSS vulnerability on https://www.semrush.com/myreports/externalSource/callback/googleAccountsGMB Report: The parameter status is missing sanitization in the following url: https://www.semrush.com/myreports/externalSource/callback/googleAccountsGMB?status=xssalert//...
New Relic: Attacker can create new account inside any partnership with no approval from the Partnership owner
@skavans discovered a way to link an account with an arbitrary Partnership with a known ID. Validation was added to prevent linking to unintended partnerships...
Mail.ru: [windows10.hi-tech.mail.ru] Blind SQL Injection
Good morning! Today I managed to find a blind SQL injection on your site, although it seems to be out of scope again. URL: https://windows10.hi-tech.mail.ru/api/tweets?cityid=select0fromselectsleep25v Request: GET /api/tweets?cityid=select0fromselectsleep25v HTTP/1.1 Host: windows10.hi-tech.mail.ru User-Agent: Mozilla/5.0 X1...
Showmax: Wordpress directories/files visible to internet
A misconfiguration caused two directories to be listable in our marketing blog that's running on WordPress. As the domain is out-of-scope of our program and the uploaded files include marketing material, it had no serious impact...
Reddit: registering with the same email address multiple times leads to account takeover
I'm not sure if this issue is in scope or not, or if it's intended. Kindly, if you don't accept this issue, please close it as informative. Thanks in advance. Summary: the ability of the user to register many times using the same mail address can lead to account takeover. Steps To Reproduce: 1...
Mail.ru: [Web ICQ Client] XSS-inj in polls
Domain, site, application: WEB ICQ Client - https://web.icq.com/ Testing environment: Browser firefox Steps to reproduce - Create a new poll - Put arbitrary HTML code in the answer options - Submit Actual results - The entered HTML code is executed Demonstration: █████ Impact...
Lark Technologies: Improper generating of access link at go.larksuite.com leads to access to other organizations/users' private data
Improper generating of a Lark access link could have led an attacker to potentially brute force access codes revealing other organizations/users' private data. We have resolved this issue and thank @w2w for reporting this to our team...
Mail.ru: Blind SSRF on [relap.io]
Blind SSRF in relap.io...
X (Formerly Twitter): Twitter Source Label allow 'mongolian vowel separator' U+180E (app name)
Summary: Twitter app-names which are shown in the Tweet source label are supposed to be unique and because of that they must not include invisible unicode characters. However, you can use the mongolian vowel separator in these app-names, which allows faking an app-name. Description: Every tweet ha...
Razer: AWS subdomain Takeover at estore.razersynapse.com
The tester discovered the razersynapse.com domain was vulnerable to a subdomain takeover. Although this is out of scope of our program, we appreciate the tester bringing this to our attention...
GitHub Security Lab: CodeQL query for finding CSRF vulnerabilities in Spring applications
This bug was reported directly to GitHub Security Lab...
Mail.ru: [xss] redirect from old URLs in mail
Reflected XSS in e.mail.ru via URI...
Slack: Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation
Overview The Nebula clients for Darwin and Windows call relative paths in "exec.Command" to "ifconfig" and "route" executables on Darwin, and to "netsh" on Windows. These commands are entered using relative paths, not absolute paths such as /sbin/ifconfig. When a binary is run with a relative pat...
Insolar: XDSI(Cross Domain Script Inclusion)
Summary: As I did not get the proper CWE id to add, but the proper CWE id is 829: The page includes one or more script files from a third-party domain. Here you are including in your website someone else's code; you don't have any control over what is in that code, and you don't have any...
X (Formerly Twitter): iOS app crashed by specially crafted direct message reactions
Summary: iOS app crashed by specially crafted direct message reactions Description: Twitter does not properly sanitize direct message reactions, making it possible for arbitrary reaction text to be shown to the user via the message preview in the direct message list. Special characters such as \r...
Node.js: napi_get_value_string_X allow various kinds of memory corruption
Summary: napi_get_value_string_latin1, napi_get_value_string_utf8, napi_get_value_string_utf16 are vulnerable to buffer overflows, partially due to an integer underflow. Description: napi_get_value_string_latin1, napi_get_value_string_utf8, and napi_get_value_string_utf16 behave like this: 1. If the output pointer is...
Razer: DOM-based XSS on https://zest.co.th/zestlinepay/
The tester discovered a DOM based XSS on a Razer Gold Thailand associated website that could allow stealing of user session cookies. He provided excellent reproduction steps and a video PoC. Razer thanks the tester for his great report and helping us to keep our customers' information secure...
Rockstar Games: Image Injection vulnerability in www.rockstargames.com/IV/screens/1280x720Image.html
In this report, the researcher demonstrated a method to chain together separate vulnerabilities that, under certain conditions, could cause a user's Facebook Oauth tokens to leak via the Referer header. The specific vulnerability that was addressed in this report was the image injection component...
Clario: CSS Injection on static.mackeeper.com - Potential XSS
Summary CSS injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping. They are closely related to cross-site scripting (XSS) vulnerabilities but often trickier to exploit. Steps to reproduce the...
Slack: Remote Code Execution in Slack desktop apps + bonus
Summary With any in-app redirect - logic/open redirect, HTML or JavaScript injection - it's possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and an RCE JavaScript payload. Th...
Localize: Nginx version is disclosed in HTTP response
Summary: I found an Nginx version disclosure in your web server's HTTP response. Extracted Version: 1.16.1 This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Nginx. Steps To Reproduc...