Clario: Multiple Information Disclosure with Go PPROF on api-ne.mackeeper.com
Summary Multiple Information Disclosure with Go PPROF on api-ne.mackeeper.com. Steps To Reproduce Go to: https://api-ne.mackeeper.com/debug/pprof/ You will see these links: - allocs: A sampling of all past memory allocations - block: Stack traces that led to blocking on synchronization primitives...
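The report above is the textbook Go profiler exposure: the `net/http/pprof` handlers end up on the same listener as the public API. The following is an added example by the editor, not code from the report or from Clario/MacKeeper. It shows the shared-mux mistake next to the hardened split (profiler on a loopback-only listener), plus the in-process probe a tester would otherwise run with curl. The `/api/health` route and the `127.0.0.1:6060` debug address are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
)

// Editor-added example; not the project's code. Route names and ports are assumptions.

// publicAPI stands in for the real service (constructed for the example).
func publicAPI(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, `{"status":"ok"}`)
}

// registerPprof does explicitly what net/http/pprof's init() does implicitly:
// mount the profiling endpoints under /debug/pprof/. Caveat: ANY import of
// net/http/pprof, blank or named, also registers these on http.DefaultServeMux,
// so a server started with http.ListenAndServe(addr, nil) exposes them anyway.
func registerPprof(mux *http.ServeMux) {
	mux.HandleFunc("/debug/pprof/", pprof.Index) // index also serves heap, goroutine, allocs, block...
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
}

// VulnerableMux: API and profiler share one mux, so anyone who can reach the API
// can pull heap dumps, goroutine stacks (with argument values) and the command line.
func VulnerableMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/health", publicAPI)
	registerPprof(mux)
	return mux
}

// PublicMux is the hardened public surface: no profiler at all.
func PublicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/health", publicAPI)
	return mux
}

// DebugMux carries the profiler and must only be bound to loopback (or sit
// behind authentication), never to the public address.
func DebugMux() *http.ServeMux {
	mux := http.NewServeMux()
	registerPprof(mux)
	return mux
}

// Probe performs an in-process GET against a handler and returns the status code,
// the same check a tester performs externally against /debug/pprof/.
func Probe(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	fmt.Println("vulnerable mux  GET /debug/pprof/ ->", Probe(VulnerableMux(), "/debug/pprof/"))
	fmt.Println("hardened public GET /debug/pprof/ ->", Probe(PublicMux(), "/debug/pprof/"))

	// Two listeners, two muxes. Explicit http.Server values with a non-nil Handler
	// keep DefaultServeMux (and whatever pprof's init() put on it) off the wire.
	go func() {
		debug := &http.Server{Addr: "127.0.0.1:6060", Handler: DebugMux()}
		_ = debug.ListenAndServe()
	}()
	public := &http.Server{Addr: ":8080", Handler: PublicMux()}
	_ = public.ListenAndServe()
}
```

The external check is simply `curl -s -o /dev/null -w '%{http_code}' https://host/debug/pprof/`: a 200 on a production hostname is the finding; anything other than 404/401 on `/debug/pprof/heap` and `/debug/pprof/goroutine?debug=2` deserves a second look, since the goroutine dump frequently carries request parameters and tokens in stack arguments.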
Semrush: IDOR in semrush academy
INTRODUCTION I used two accounts to search for this vulnerability: - id: 5410425 email: ████[email protected] - id: 5407773 email: ████@anosimple.com IP used: ███ Endpoint URL: https://www.semrush.com/academy/courses/userEnroll EXPLOITATION Description of Security Issue: When a user clicks on the...
New Relic: Ability to buy PRO subscriptions at arbitrarily reduced prices
Hey team, I've found that a malicious user can buy PRO subscriptions at arbitrarily reduced prices. Steps to reproduce 0 Make sure you have an account without an APM PRO subscription bought. If you don't – register a new one. It works for me inside the EU accounts at least. 1 Sign in to this accoun...
Dropbox: Coupon codes indexed by Google
A security researcher was able to perform Google dorking to find explicit information regarding coupons that allowed escalating pricing plans...
lemlist: SSRF in img.lemlist.com that leads to Localhost Port Scanning
Summary: An SSRF attack can be performed leading to localhost port scanning. Link : https://img.lemlist.com/api/image-templates/itpvBBNpQuMsy6FYLQAc/?preview=true&email=email@ Steps To Reproduce: To perform this port scan you'll need to set up a few files. First of all you need to change the url in...
Stripo Inc: Open memory dump method leaking customer information, secret keys, passwords, source code & admin accounts
Summary: Stripo uses Spring Boot for the backend API development, and misconfigured the application to open actuator APIs to the public. This issue is found in 3 domains; I don't know if I need to publish 3 reports for that, or just one report, but the domains are :...
Localize: The password limit is not set, [DoS].
Summary: You can create a very long password until you get the last user to put and aries or DoS. Normally passwords have 8-10-24 digits. Impact DoS...
Starbucks: Singapore - IDOR in campaign.starbucks.com.sg
bytebunny discovered an Insecure Direct Object Reference (IDOR) exposing limited marketing data for customers in Singapore. @bytebunny — thank you for reporting the vulnerability and for confirming the resolution...
Localize: 2-factor authentication can be disabled when logged in without confirming account password
Description === When a user wants to disable his/her two-factor authentication, they have to know their account password. But using this vulnerability they don't need the password to disable it. This will allow a hacker who gets someone's cookie to disable two-factor auth and also fully take over the account...
Gener8: Clickjacking to change email address
Summary Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of the...
Razer: https://zest.co.th/zestlinepay/checkproduct API endpoint suffers from Boolean-based SQL injection
The tester discovered an unused service that suffered from a SQL injection vulnerability. This service was removed. Razer thanks the tester for his detailed work and report...
Clario: IDOR at https://account.mackeeper.com/at/load-reports/profile/<profile_id> leaks information about devices/licenses
Summary IDOR at https://account.mackeeper.com/at/load-reports/profile/ leaks information about devices/licenses An attacker can access victim information via profile id Steps to reproduce go to account.mackeeper.com and login now go to: https://account.mackeeper.com/at/load-reports/profile/+USER...
Razer: Leftover back-end system on www.zest.co.th allows an unauthorized attacker to generate Razer Gold Pin for free
The tester discovered a residual backend system was left exposed. The system was removed from public access. Razer thanks the tester for his diligence...
Stripo Inc: Information disclosure through Server side resource forgery
Summary: The application https://my.stripo.email has a template feature where we can enter HTML code. By including an iframe in the HTML template, I was able to make a call to my server. This exposed an internally running web application. Please refer below, 63.33.82.168 - -...
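The lemlist report (localhost port scan through an image URL) and the Stripo report (server-side rendering of an attacker iframe reaching an internal web app) are two faces of the same missing control: the fetcher never asks where a URL actually points before connecting. The following is an added example by the editor, not code from either vendor or either report. It shows the destination check a server-side fetcher should run, with the resolver injected so it can be exercised offline; the hostnames and addresses in the fake resolver are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Editor-added example; not lemlist or Stripo code. Hostnames below are made up.

// Resolver is injected so the check is testable offline; production passes net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// blockedNets: ranges a server-side fetcher must never contact.
var blockedNets = mustCIDRs(
	"127.0.0.0/8",    // loopback (the lemlist port-scan target)
	"10.0.0.0/8",     // RFC 1918
	"172.16.0.0/12",  // RFC 1918
	"192.168.0.0/16", // RFC 1918
	"169.254.0.0/16", // link-local, incl. cloud metadata 169.254.169.254
	"100.64.0.0/10",  // shared address space, used by some metadata services
	"0.0.0.0/8",
	"::1/128",  // IPv6 loopback
	"fc00::/7", // IPv6 unique local
	"fe80::/10", // IPv6 link-local
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func isBlocked(ip net.IP) bool {
	if ip.IsUnspecified() || ip.IsMulticast() {
		return true
	}
	for _, n := range blockedNets { // Contains handles IPv4-mapped IPv6 (::ffff:127.0.0.1)
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckFetchURL returns nil only for an http(s) URL on a standard web port whose host
// resolves exclusively to public addresses. Callers must also pin the resolved IP for
// the real connection (or re-run this in the dialer) and re-check after every redirect.
func CheckFetchURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	// Pinning the port is what turns "SSRF" into "not a port scanner":
	// http://127.0.0.1:PORT/ must fail on the port alone.
	if p := u.Port(); p != "" && p != "80" && p != "443" {
		return fmt.Errorf("port %s not allowed", p)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q", host)
	}
	// Every answer must be public: one public plus one internal record is a rebinding trick.
	for _, ip := range ips {
		if isBlocked(ip) {
			return fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// fakeResolver is a constructed DNS table for offline demonstration.
func fakeResolver(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"cdn.example.net":      {net.ParseIP("93.184.216.34")},
		"internal.example.net": {net.ParseIP("10.0.0.5")},
		"rebind.example.net":   {net.ParseIP("93.184.216.34"), net.ParseIP("172.16.0.7")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, errors.New("NXDOMAIN")
}

func main() {
	for _, u := range []string{"https://cdn.example.net/logo.png", "http://127.0.0.1:6379/",
		"http://internal.example.net/admin", "http://rebind.example.net/", "http://[::1]/", "file:///etc/passwd"} {
		fmt.Printf("%-38s %v\n", u, CheckFetchURL(u, fakeResolver))
	}
}
```

The check is deliberately placed before the connection rather than on the response: a renderer that fetches first and filters later has already done the port scan, since a connection refused versus a timeout is the signal the lemlist report extracts. For the Stripo case (HTML rendered by a headless browser), the same policy has to be applied to every sub-resource the renderer loads, which in practice means a proxy or DNS-level filter in front of the renderer rather than a check on the template alone.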
RATELIMITED: xss in /users/[id]/set_tier endpoint
Summary: Hello there! I found an XSS since you forgot to add the JSON content-type response header right there: https://github.com/gtsatsis/RLAPI-v3-OOP/blob/508d3c610ccc9076753bdc81151a5e8d76871a3e/src/Controller/UserController.php#L93 The tier parameter is...
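The bug class in the report above is a JSON API that reflects a parameter without declaring its content type, so the browser treats the body as HTML. The following is an added example by the editor, not the RATELIMITED project's code: Go handlers standing in for the PHP controller, with the vulnerable form beside the hardened one. The `/users/{id}/set_tier` route and the `tier` parameter come from the report; the response shape is assumed, and because PHP emits `text/html` by default the vulnerable handler sets that explicitly (Go would otherwise sniff the body).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Editor-added example; not the project's code. Response shape is assumed.

// vulnerableSetTier mirrors the reported behaviour: the unknown tier is echoed into a
// hand-built JSON string and the response carries PHP's default text/html type.
func vulnerableSetTier(w http.ResponseWriter, r *http.Request) {
	tier := r.URL.Query().Get("tier")
	w.Header().Set("Content-Type", "text/html; charset=UTF-8") // PHP default, modelled explicitly
	fmt.Fprintf(w, `{"error":"unknown tier %s"}`, tier)        // raw reflection, no encoding
}

// hardenedSetTier declares the type, forbids sniffing and lets encoding/json do the
// escaping (it emits \u003c, \u003e and \u0026 for <, > and & by default), so the body
// carries no markup even if some client renders it as HTML. A real handler would also
// reject any tier that is not in an allow-list before echoing it.
func hardenedSetTier(w http.ResponseWriter, r *http.Request) {
	tier := r.URL.Query().Get("tier")
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	_ = json.NewEncoder(w).Encode(map[string]string{"error": "unknown tier " + tier})
}

// Call runs a handler in-process with the given tier and returns the Content-Type,
// the X-Content-Type-Options header and the body, i.e. what the browser would see.
func Call(h http.HandlerFunc, tier string) (ctype, nosniff, body string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/users/1/set_tier?tier="+url.QueryEscape(tier), nil)
	h(rec, req)
	return rec.Header().Get("Content-Type"), rec.Header().Get("X-Content-Type-Options"), rec.Body.String()
}

func main() {
	payload := `<img src=x onerror=alert(1)>` // constructed test payload
	for name, h := range map[string]http.HandlerFunc{"vulnerable": vulnerableSetTier, "hardened": hardenedSetTier} {
		ct, ns, body := Call(h, payload)
		fmt.Printf("%-10s Content-Type=%q nosniff=%q body=%s\n", name, ct, ns, body)
	}
}
```

Setting the content type alone fixes the browser's interpretation, but only the encoding step fixes the data; both belong in the fix, since the same JSON is often re-read by a front end that injects `error` into the DOM with `innerHTML`.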
New Relic: Account owner/admin can't actually delete personal users' API keys
Hey team, An account owner/admin should be able to remove API keys belonging to other users in case, for instance, they are compromised. This statement is confirmed by your own docs: F695035 However, the account owner/admin can't actually do this, so he can't protect the account data from bein...
Clario: open redirect at https://account.mackeeper.com/auth/signin/continue via improper uri sanitization
Summary open redirect at https://account.mackeeper.com/auth/signin/continue via improper uri sanitization Steps to reproduce go to...
GitHub Security Lab: CodeQL query to detect weak (duplicated) encryption keys for ASP.NET Telerik Upload
This bug was reported directly to GitHub Security Lab...
Rockstar Games: Open redirect affecting m.rockstargames.com/
In this report, the researcher identified an open redirect vulnerability on our Support site that impacted m.rockstargames.com, among other subdomains that were no longer actively being maintained. By addressing the problem on the Support site, we were able to prevent it from being further...
X (Formerly Twitter): Accepting the error message on Twitter sends you to the attacker's site
Summary: Accepting the error message on Twitter sends you back to the attacker's site. Description: 1. The link https://twitter.com/i/flow shows an error message with an OK button 2. When you are not logged in, clicking that OK button takes you back to twitter.com 3. But if you open that link when yo...
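The Clario and Rockstar entries above are open redirects through a "continue"/"return to" parameter, and the Twitter snippet describes the same outcome (an OK button that lands on an attacker's site). The following is an added example by the editor, not code from any of those companies or reports. It shows a redirect-target validator that handles the URI forms which commonly slip past naive sanitisation: scheme-relative `//host`, backslash `/\host`, triple slash, userinfo `trusted@evil`, and non-http schemes. The allowed host list is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Editor-added example; not vendor code. The allowed-host list is an assumption.

// SafeRedirect returns a redirect target that is guaranteed to stay on this site
// (a single-slash relative path) or on an explicitly allowed https host;
// anything else yields fallback.
func SafeRedirect(target, fallback string, allowedHosts []string) string {
	if target == "" {
		return fallback
	}
	// Browsers treat "\" like "/" in the authority position, so "/\evil.example" is an
	// absolute URL to a browser while looking like a local path to a parser.
	normalized := strings.ReplaceAll(target, `\`, `/`)
	u, err := url.Parse(normalized)
	if err != nil {
		return fallback
	}
	// Anything with a scheme, authority or userinfo is absolute. Catches "//evil.example",
	// "https://evil.example", "javascript:alert(1)" and "//trusted@evil.example" (Host=evil.example).
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		if u.Scheme != "https" || u.User != nil { // no http downgrade, no scheme-relative, no userinfo
			return fallback
		}
		for _, h := range allowedHosts {
			if strings.EqualFold(u.Hostname(), h) {
				return u.String()
			}
		}
		return fallback
	}
	// Relative reference: require exactly one leading slash, so "evil.example/x" (no slash)
	// and "///evil.example" (parsed as a path, read by browsers as a host) are rejected.
	if !strings.HasPrefix(normalized, "/") || strings.HasPrefix(normalized, "//") {
		return fallback
	}
	return u.String()
}

func main() {
	allowed := []string{"account.example.com"} // assumption: the site's own host
	for _, in := range []string{"/dashboard?next=1", "//evil.example/", `/\evil.example/`, "///evil.example/",
		"https://account.example.com/done", "https://account.example.com@evil.example/", "javascript:alert(1)"} {
		fmt.Printf("%-45q -> %q\n", in, SafeRedirect(in, "/", allowed))
	}
}
```

The design choice worth noting is the order: reject first, allow-list second, and never "sanitise" by stripping characters, since each stripped character invites a new encoding of the same trick. Where the product only ever redirects to a handful of internal pages, a map from opaque token to path removes the URL parsing problem entirely.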
Node.js third-party modules: Several simple remote code execution in pdf-image
I would like to report "A simple remote code execution" in "pdf-image". It allows "a remote attacker to execute arbitrary code when several functions of the PDFImage class are called and the class loaded from user-input value". Module module name: pdf-image version: latest npm page:...
Stripo Inc: subdomain takeover at status-stage0.stripo.email
The subdomain status-stage0.stripo.email was pointed at uptimerobot.com while it was not being used, but had a CNAME record of stats.uptimerobot.com. Hence anyone could take it over. I have parked it with an account on uptimerobot.com. Note: this issue is similar to report but with another...
Internet Bug Bounty: Out-of-bounds Read in php_strip_tags_ex
The bug submitted at: https://bugs.php.net/bug.php?id=79156 The fix committed at: https://github.com/php/php-src/commit/2dc170e25d86a725fefd4c08f2bd8378820b28f5 Impact Attackers can exploit this issue to obtain sensitive information or crash PHP remotely...
h1-ctf: [h1-415 2020] SSRF in a headless chrome with remote debugging leads to sensitive information leak
Summary: The converter is using headless Chrome with remote debugging, rendering a page where we have our name, with which we can get XSS that leads to SSRF. By using the remote debugging with that SSRF we can grab the info of all tabs in that Chrome, where we can even get the flag document. Steps To Reproduc...
Topcoder: Cross Site Scripting via CVE-2018-5230 on https://apps.topcoder.com
Hi, I found reflected XSS on https://apps.topcoder.com via error message. Payload : %3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm Vulnerable link : https://apps.topcoder.com/wiki/labels/%3CIFRAME%20SRC%3D%22javascript%3Aalert'XSS'%22%3E.vm Steps to reproduce : Create an account...
Mail.ru: XSS via HTTP request version in account.my.games
The server reflects the HTTP protocol version of the request as the HTTP response version without filtering. This behavior does not lead to security issues, because there are no known ways to manipulate the request version in any of the supported clients; the request used violates the HTTP protocol and cannot be produced with browse...
h1-ctf: [h1-415 2020] Chain of vulnerabilities leading to account takeover and unauthorized access of sensitive internal resources
Note: Please read this report as "An attacker taking over a customer's account" and not as "helping Jobert recover his document" : Summary: Chaining the following issues lets an attacker access sensitive information, 1. Exposure of customer email and regex logic error leading to account takeover ...
h1-ctf: [h1-415 2020] Spent a week and failed at solving the last step.
Summary: I found something interesting with headless Chrome debugging in the last step. I am sure I am going to solve this after trying very hard for about a week; I don't know when this CTF is going to end, that's why I am submitting a summary of how to solve this so that I can write the full...
h1-ctf: [h1-415 2020] h1ctf{y3s_1m_c0sm1c_n0w}
Summary: Account takeover was possible because of the email validation used - [email protected] could be registered, but when the system created the recovery QR code the extra symbols would get stripped, leaving us with a valid recovery QR code to log into...
Nord Security: User data not anonymized is sent to analytics server
A good report from @martinbydefault. Although we have never received the IDs and they could not be linked with any specific events, we have removed the connection events altogether. While, even prior to the fix, it was impossible to tie the ID with the username or activity, the reporter's concern...
Razer: SQL Injection at https://sea-web.gold.razer.com/lab/cash-card-incomplete-translog-resend via period-hour Parameter
The tester discovered a SQL injection issue that allowed access to data via Razer Gold Thailand's sea-web server. Razer appreciates the clear and thorough report...
HackerOne: Unauthenticated users can obtain information about Checklist objects with unclaimed ChecklistCheck objects
The Checklist objects that can be queried through GraphQL are supposed to only be accessible by program members, the users who claimed or responded to a check belonging to a checklist, and HackerOne Pentesters. The Checklist object is also supposed to be in the running state e.g. when the platfor...
HackerOne: HackerOne Pentesters can access any structured scope object through GraphQL node interface
A missing authorization check in the StructuredScope protector class app/protectors/protectedstructuredscope.rb:42 enables any HackerOne Pentester to access structured scope objects of programs they aren't invited to or aren't running a penetration test through HackerOne. ruby class...
h1-ctf: [h1-415 2020] I found Joberts missing file!
The key is: h1ctf{y3s_1m_c0sm1c_n0w} My writeup is available (unpublished) at: https://p4fg.github.io/h14152020/ I might edit some styling but the main content is there. The twist of my writeup is that I tried to give a detailed account of EVERYTHING to allow new hackers to follow along with my discoveries an...
Nord Security: Html Injection and Possible XSS in main nordvpn.com domain
Summary: HTML injection in the main domain can allow hackers to forward users to any other domain. Also, if anybody can find a method to bypass the Cloudflare filter, hackers can steal cookies with this vuln. Steps To Reproduce: 1. Go to...
Engel & Völkers Technology GmbH BBP: Stored XSS in Watch Lists
Summary: Hi team, I added a house to my Watch List by clicking the "Star" button on a property. And I saw this request. █████ Firstly, I changed the value of the title parameter to alert(document.cookie) and I sent this request. But the name of the property was the same in my Watch list. So I tried to change IDs i...
h1-ctf: [h1-415 2020] H1-415 CTF Writeup by W--
H1-415 CTF Writeup Intro HackerOne kicked off this year's H1-415 CTF with the following tweet: F692033 Loading the target challenge website shows that the website is called My Docz Converter. A quick look at the challenge website shows that it allows users to register an account and then upload a...
Mapbox: Reflected XSS via XML Namespace URI on https://go.mapbox.com/index.php/soap/
On January 22, 2020 user @h4ck3d reported a reflected XSS vulnerability via an XML Namespace URI on go.mapbox.com. Using the information provided by the researcher, we deployed a patch to this page on February 11, 2020...
Valve: Hidden scheduled partner events are propagated to Steam clients in CMsgClientClanState
PartnerEvent details were propagated to Steam clients immediately upon creation, which could lead to improper exposure of hidden/scheduled event data...
h1-ctf: [h1-415 2020] Multiple vulnerabilities leading to leaking of secret user files
Hello, I'm just submitting both flags for the CTF, will send my write up on hacker summary, since it's 7:00 am now. Original flag for CTF: h1ctf{y3s_1m_c0sm1c_n0w} Extra flag for unintended account takeover: h1ctfwtf1shapp3ningw1thth1ss1mulat1on Sincerely, @nukedx Impact By chaining multiple...
Starbucks: Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/
@iampuky — thank you for reporting the original vulnerability and for confirming the resolution. While analyzing the Starbucks Korea mobile application, I noticed that it called an API at https://msr.istarbucks.co.kr:6443/appif/. It was found that the application running under that directory was...
h1-ctf: [h1-415 2020] finally
add or chars behind Jobert's email, which leaks on the login page 2. register a new account using that email 3. sign out and use the recover feature with the just generated QR code. This will get you into Jobert's account 4. head to /support and submit a blind XSS payload which extracts the...
Topcoder: Stored-Xss at connect.topcoder.com/projects/ affected on project chat members
Hi team, I'm sorry for my bad report and English, but I wish you to understand the impact of that bug here: if it is well performed the users may lose access to their SSO accounts. Summary: While a developer at connect.topcoder.com can manage messages about his/her project with someone else, Th...
Yelp: Multiple Vulnerabilities in (*.blog.yelp.com) - Leakage user admin Sensitive Exposure
Hi! Team @yelp, We found multiple vulnerabilities in your websites: Username Admin Login Sensitive Exposure. Referrals: HackerOne 753725. Platforms Affected: website. https://blog.yelp.com/wp-json/ user-admin sensitive exposure. https://blog.yelp.com/wp-login.php admin-page disclosure. Steps To...
Lyst: Subdomain takeover of storybook.lystit.com
Summary: The subdomain storybook.lystit.com had a CNAME record pointing to an unclaimed S3 bucket. This is a high severity security issue because an attacker can register the bucket on AWS and therefore can serve her own content on the subdomain. This allows for various attacks. Description: The...
h1-ctf: [h1-415 2020] @_bayotop h1-415-ctf writeup
TL;DR: Thanks for the challenge! 1. Abusing account recovery via QR codes to get access to [email protected]. 2. Blind XSS in /support/review/ including CSP bypass. 3. Missing input sanitization on name parameter when POSTing to /support/review/. 4. Access to remote debugging port on local...
Ruby: Source code disclosed via S3 Bucket
Summary Ruby has an Amazon S3 bucket named http://rubyci.s3.amazonaws.com/ which lists some of their log files. Those logs contain some information revealing the server-side source code directories. Steps to Reproduce 1. Go to http://rubyci.s3.amazonaws.com/ which has READ permission...
Internet Bug Bounty: OOB read in php_strip_tags_ex
This issue is open: https://bugs.php.net/bug.php?id=79099&edit=2 You can see the bug in the link. Impact Memory leak or RCE...
Kubernetes: Compromise of auth via subset/superset namespace names.
Summary: Use of nginx.ingress.kubernetes.io/auth annotations results in a file named namespace-ingress.passwd. If a user knows the namespace and ingress name of an ingress they want to compromise, they need to be able to create a namespace that is some subset of namespace-ingress...
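The report above is a name-collision bug: the auth secret is written to `<namespace>-<ingress>.passwd`, but both components are DNS-1123 labels that may themselves contain `-`, so `prod` + `api-admin` and `prod-api` + `admin` produce the same file. The following is an added example by the editor, not ingress-nginx code. It reproduces the ambiguous key, shows the split points an attacker would enumerate to pick a namespace they can create, and contrasts an unambiguous encoding; that encoding illustrates the general remedy and is not necessarily the upstream patch.

```go
package main

import (
	"fmt"
	"strings"
)

// Editor-added example; not ingress-nginx code. The fixed encoding is illustrative.

// Ref identifies an Ingress object by namespace and name.
type Ref struct{ Namespace, Ingress string }

// AmbiguousKey reproduces the collision-prone naming from the report.
func AmbiguousKey(namespace, ingress string) string {
	return namespace + "-" + ingress + ".passwd"
}

// UnambiguousKey uses a separator that cannot occur in a DNS-1123 label ("_") and
// length-prefixes each part, so no two (namespace, ingress) pairs share a file name
// even if the label rules are ever relaxed.
func UnambiguousKey(namespace, ingress string) string {
	return fmt.Sprintf("%d_%s_%d_%s.passwd", len(namespace), namespace, len(ingress), ingress)
}

// Collisions groups refs whose keys coincide under keyFn; run over a cluster inventory,
// a non-empty result means one tenant's basic-auth file can be overwritten by another's.
func Collisions(refs []Ref, keyFn func(ns, ing string) string) map[string][]Ref {
	byKey := map[string][]Ref{}
	for _, r := range refs {
		k := keyFn(r.Namespace, r.Ingress)
		byKey[k] = append(byKey[k], r)
	}
	out := map[string][]Ref{}
	for k, rs := range byKey {
		if len(rs) > 1 {
			out[k] = rs
		}
	}
	return out
}

// validLabel is the minimal DNS-1123 shape check needed here: non-empty, no leading or trailing "-".
func validLabel(s string) bool {
	return s != "" && !strings.HasPrefix(s, "-") && !strings.HasSuffix(s, "-")
}

// SplitPoints lists every (namespace, ingress) pair an ambiguous key could have come from.
// This is what an attacker enumerates: any namespace in this list that they are allowed
// to create lands their own Ingress on the victim's file.
func SplitPoints(key string) []Ref {
	base := strings.TrimSuffix(key, ".passwd")
	var out []Ref
	for i := range base {
		if base[i] == '-' && validLabel(base[:i]) && validLabel(base[i+1:]) {
			out = append(out, Ref{base[:i], base[i+1:]})
		}
	}
	return out
}

func main() {
	refs := []Ref{{"prod", "api-admin"}, {"prod-api", "admin"}, {"dev", "web"}} // constructed inventory
	fmt.Println("ambiguous collisions:  ", Collisions(refs, AmbiguousKey))
	fmt.Println("unambiguous collisions:", Collisions(refs, UnambiguousKey))
	fmt.Println("who can claim", AmbiguousKey("prod", "api-admin"), "->", SplitPoints(AmbiguousKey("prod", "api-admin")))
}
```

The same pattern recurs wherever two identifiers are joined with a character that either identifier may contain (cache keys, lock files, S3 prefixes, `tenant-user` usernames); the fix is always an injective encoding, and the review question is simply whether the separator is excluded from the inputs' alphabet.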
8x8: (Critical) Remote Code Execution Through Old TinyMCE upload bypass
A third party marketing site utilized an outdated version of TinyMCE that was vulnerable to CVE-2011-4906...