Nord Security: nordvpn Linux desktop executable application does not use PIE / no ASLR
Summary: The nordvpn Linux binary application is not compiled as position-independent code or as a position-independent executable. Steps To Reproduce: POC: $ file /usr/bin/nordvpn /usr/bin/nordvpn: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter...
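The `file` output above distinguishes a fixed-address image ("LSB executable", ELF type ET_EXEC) from a position-independent one ("LSB pie executable" or "LSB shared object" depending on the file(1) version, ELF type ET_DYN). The following added example, which is not part of the report and not Nord Security code, performs the same check directly from the ELF header so it can be scripted over a package's binaries; the `sample_header` builder constructs minimal x86-64 headers for offline testing and is an assumption of this example, not something from the page.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed load address: the main image gets no ASLR
ET_DYN = 3    # position-independent: PIE executables and shared objects


def elf_type(header: bytes) -> str:
    """Classify an ELF image from its first bytes: 'EXEC', 'DYN' or 'OTHER'."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_data = header[5]                 # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_data not in (1, 2):
        raise ValueError("unknown ELF data encoding")
    endian = "<" if ei_data == 1 else ">"
    # e_type sits at offset 16 in both ELF32 and ELF64 headers
    (e_type,) = struct.unpack(endian + "H", header[16:18])
    return {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, "OTHER")


def is_pie(header: bytes) -> bool:
    """True when the image is ET_DYN, i.e. the kernel may load it at a randomised base."""
    return elf_type(header) == "DYN"


def check_path(path: str) -> str:
    """Read the ELF header of a file on disk and return its classification."""
    with open(path, "rb") as fh:
        return elf_type(fh.read(64))


def sample_header(e_type: int) -> bytes:
    """Constructed 64-byte ELF64 LSB x86-64 header (assumption of this example, not a real binary)."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    rest = struct.pack("<HHI", e_type, 0x3E, 1)               # e_type, e_machine=EM_X86_64, e_version
    return e_ident + rest + b"\x00" * 40


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or ["/bin/sh"]:
        print(p, check_path(p))
```

Caveat: ET_DYN also covers plain shared libraries, so for a stricter PIE test look for a PT_INTERP program header or DF_1_PIE in DT_FLAGS_1 (`readelf -l` / `readelf -d`). The fix on the build side is to link with `-fPIE -pie` (GCC/Clang) or `-buildmode=pie` (Go).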
DRIVE.NET, Inc.: Stored XSS in a Business account, on the company page
The application is vulnerable to cross-site scripting attacks. XSS type: stored (persistent). To reproduce the attack you need to register on drive2.ru and connect a business account. Then go to the company management panel and fill in all the required fields for a successful...
Clario: Open redirect on https://account.mackeeper.com
Summary An attacker can redirect a user to any external website using the vulnerable parameter in https://account.mackeeper.com/auth/fb use parameter continue. Steps To Reproduce 1. Visit the following url: https://account.mackeeper.com/auth/fb?continue=https://google.com 2. Login 3. This will...
Semrush: An attacker can buy marketplace articles for lower prices as it allows for negative quantity values leading to business loss
Hi there, Summary: When someone goes to https://www.semrush.com/marketplace/offers/ and orders articles, an attacker can pay less than intended due to negative quantities being allowed. Steps To Reproduce: - Go to https://www.semrush.com/marketplace/offers/ - Click on 500 Words$40...
Zomato: Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com
Intro Hi Zomato Security Team! My name is Evan Custodio and this is my first time evaluating your platform. I specialize in looking for server-side vulnerabilities. Recently I've taken a deep look at HTTP Request Smuggling issues. I have custom tools to evaluate over 150 types of HTTP Smuggling...
Node.js: CRLF Injection in legacy url API (url.parse().hostname)
Summary: There is CRLF Injection in legacy url.hostname API. Description: During the recent penetration test, I have found a whitelist bypass using CRLF Injection. We did a code review and determined the issue is in a legacy url.hostname API. Not sure if it's a known issue or not, I wasn't able t...
Smule: Open redirect bypass & SSRF Security Vulnerability
Open redirect issue. Full disclosure/writeup: https://medium.com/@snwlvl...
Stripo Inc: SSRF & unrestricted file upload on https://my.stripo.email/
The researcher discovered an SSRF & unrestricted file upload Remote code execution vulnerabilities...
U.S. Dept Of Defense: Blind SQL Injection
Bug is : Blind Sql injection SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out...
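The definition above covers both classic and blind injection; the blind case is the one where the page returns nothing from the database and only reveals whether a row matched. The following added example (not from the report, not DoD code) shows the string-concatenated query that causes the bug beside its parameterised form, and recovers a value from a constructed SQLite table with boolean-based blind questions alone. The `users` table, its rows and the `ALPHABET` of candidate characters are assumptions of this example.

```python
import sqlite3
import string

ALPHABET = string.ascii_lowercase + string.digits   # candidate characters for the blind extraction


def make_db() -> sqlite3.Connection:
    """Constructed sample database standing in for the application's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def user_exists_vulnerable(conn, username: str) -> bool:
    """The bug: user input is concatenated into the statement, so a quote breaks out of the literal."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, username: str) -> bool:
    """The fix: a bound parameter is always data, never SQL syntax."""
    row = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def blind_extract_password(conn, target: str, max_len: int = 32) -> str:
    """Boolean-based blind SQLi: recover a column one yes/no question at a time.

    Nothing from the table is echoed back; the only signal is whether the row matched.
    Returns '' when the target user does not exist.
    """
    length = None
    for n in range(1, max_len + 1):
        if user_exists_vulnerable(conn, f"{target}' AND length(password) = {n} -- "):
            length = n
            break
    if length is None:
        return ""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in ALPHABET:
            probe = f"{target}' AND substr(password, {pos}, 1) = '{ch}' -- "
            if user_exists_vulnerable(conn, probe):
                recovered += ch
                break
        else:
            recovered += "?"   # character outside ALPHABET; widen the set in practice
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:", user_exists_vulnerable(db, "nobody' OR 1=1 -- "))
    print("safe, same payload:", user_exists_safe(db, "nobody' OR 1=1 -- "))
    print("blind extraction for alice:", blind_extract_password(db, "alice"))
```

Each recovered character costs at most `len(ALPHABET)` requests, which is why blind injection is slow but entirely practical; time-based variants replace the true/false signal with a deliberate delay when the page does not even reveal a match.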
8x8 Bounty: Reflected xss on 8x8.vc
A reflected cross-site scripting issue was discovered within the account setup workflow of 8x8.vc...
Ping Identity: No valid SPF record found
There are no SPF Records found for ort-admin.pingone.com Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used i...
Ping Identity: Forbidden access to https://apps-staging.pingone.com but "/packages.json" visible and full path disclosure
Summary: If you visit the application https://apps-staging.pingone.com/, it is protected from unauthorized users and displays Forbidden. In spite of this protection, an attacker is able to see the package information of the application. Steps To Reproduce: Go to...
Mail.ru: Insecure storage of private files
"Send to myself" activity of Mail.ru Mail application for Android could be locally manipulated via external content provider to access the files in application folder...
8x8: Insecure OAuth redirection at [admin.8x8.vc]
The meetings admin application performed insufficient validation of the specified redirect location during OAuth negotiation. There was an improper redirection in the "admin.8x8.vc" OAuth flow that led to takeover of admin.8x8.vc SSO accounts. When trying to add an admin account in admin.8x8.vc...
8x8: Reflected xss on 8x8.com subdomain
The Beta version of a new chat API was discovered to contain a reflected XSS flaw. With the help of the researcher we were able to resolve the issue and ensure the future chat product will not contain this flaw. Write-up for beginners like me.. hackwithcommunity...
Ian Dunn: Dos https://iandunn.name/ via CVE-2018-6389 exploitation
Similar to 752010 Detail: There is a possibility in the /wp-admin/load-scripts.php script to generate a large (3 MB) amount of data via a simple unauthenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389 A detailed attack scenario is described for example here...
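load-scripts.php takes a `load[]` parameter listing the script handles to concatenate into one response, and the amplification comes from one unauthenticated request naming a very long list of handles. The following added example, which is not part of either report and not WordPress code, parses combined-format access logs and flags such requests so the pattern can be rate-limited or blocked at the web server; the log lines are constructed samples and the `max_handles` threshold is an assumption to tune per site.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined/common access-log prefix: client, ident, user, [time], "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TARGET_SCRIPTS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")


def requested_handles(target: str):
    """Return the handles a request asks load-scripts.php/load-styles.php to bundle, or None."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_SCRIPTS):
        return None
    handles = []
    for key in ("load[]", "load"):                      # both spellings reach the same code path
        for value in parse_qs(parts.query).get(key, []):
            handles.extend(h for h in value.split(",") if h)
    return handles


def flag_amplified_requests(lines, max_handles: int = 25):
    """Return (client ip, status, handle count) for requests naming an unusual number of handles.

    A normal wp-admin page requests a handful of handles; max_handles is a per-site assumption.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        handles = requested_handles(m["target"])
        if handles is not None and len(handles) > max_handles:
            hits.append((m["ip"], m["status"], len(handles)))
    return hits


# Constructed sample lines (not real traffic): a normal admin request, an amplified one, an unrelated hit.
ABUSIVE_LOAD = ",".join(f"mod-{i}" for i in range(120))
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2020:12:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate&ver=5.3 HTTP/1.1" 200 98314',
    f'203.0.113.9 - - [10/Feb/2020:12:00:02 +0000] "GET /wp-admin/load-scripts.php?load%5B%5D={ABUSIVE_LOAD} HTTP/1.1" 200 3145728',
    '10.0.0.5 - - [10/Feb/2020:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in flag_amplified_requests(SAMPLE_LOG):
        print("suspicious load-scripts request:", hit)
```

Because the script needs no login, the practical mitigation is on the server side: restrict `load-scripts.php` and `load-styles.php` to authenticated sessions or rate-limit them per client, rather than relying on WordPress to reject long handle lists.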
X (Formerly Twitter): Bypass Password Authentication for updating email and phone number - Security Vulnerability
Summary: An additional requirement for authentication is an extra layer of security for a person's Twitter account. Instead of only entering the password at the time of login, Twitter further introduces an additional layer of security by prompting users to enter their password before attempting to...
X (Formerly Twitter): Reflected XSS in twitterflightschool.com
While testing twitterflightschool.com, I came across the below endpoint: https://twitterflightschool.com/authentication/fbcallback?error=accessdenied&errorcode=200&errordescription= I noticed that it is possible to inject JS payload in "errordescription=" parameter and trigger XSS in...
HackerOne: Unauthorized user can obtain `report_sources` attribute through Team GraphQL object
Summary: Hi team. And Happy New Year! Description: If I am not mistaken, then through this parameter we can define private programs with an external link. If this parameter is not empty, then the program is private. - "HackerOne Platform" Steps To Reproduce https://hackerone.com/graphql POST:...
curl: Unexpected access to process open files via file:///proc/self/fd/n
Summary: fileconnect routine https://github.com/curl/curl/blob/1b71bc532bde8621fd3260843f8197182a467ff2/lib/file.c#L134 does not prevent access to /proc/self/fd pseudo filesystem. Application using libcurl and accepting URLs to fetch can be tricked to return content of any open file by passing a...
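The point of the report is that `/proc/self/fd/N` is a symlink to whatever descriptor N currently refers to in the fetching process, so a `file://` URL naming it reads a file the application never meant to expose. The following added example, which is not curl code and not the fix curl shipped, shows the guard an application that hands user-supplied URLs to a fetcher should apply before the fetch: an allow-list of schemes, and, if `file://` must be supported at all, a check of both the literal and the resolved path against the pseudo-filesystems. The scheme list and the forbidden prefixes are assumptions of this example.

```python
import os
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Pseudo-filesystems that expose process state and open descriptors rather than files on disk
# (assumed list for this example; extend for the platform).
FORBIDDEN_PREFIXES = ("/proc", "/sys", "/dev")


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def check_fetch_url(url: str, allow_file: bool = False):
    """Decide whether a user-supplied URL may be passed to a fetcher such as libcurl.

    Returns (ok, reason). file:// is refused unless explicitly enabled; even then both the
    normalised literal path and its realpath are checked, because /proc/self/fd/N resolves
    to the target of descriptor N and path traversal may reach /proc from elsewhere.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return True, "allowed scheme"
    if scheme != "file":
        return False, f"scheme {scheme!r} not allowed"
    if not allow_file:
        return False, "file scheme disabled"
    if parts.netloc not in ("", "localhost"):
        return False, "file URL with a remote host"
    raw = os.path.normpath(unquote(parts.path))
    resolved = os.path.realpath(raw)
    for candidate in (raw, resolved):
        for prefix in FORBIDDEN_PREFIXES:
            if _under(candidate, prefix):
                return False, f"{candidate} is under {prefix}"
    return True, "local file outside pseudo-filesystems"


if __name__ == "__main__":
    for u in ("https://example.org/x", "file:///proc/self/fd/3", "file:///home/user/report.txt"):
        print(u, check_fetch_url(u, allow_file=True))
```

Where the fetcher is libcurl, the stronger control is to disable the scheme at the library (`CURLOPT_PROTOCOLS_STR`, or `CURLOPT_PROTOCOLS` on older releases) so that a bypass of the path filter has nothing to reach.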
Automattic: Theme Assets uploader allows HTML content
The reporter submitted a report highlighting that specially formatted yet valid HTML files were able to be uploaded as theme assets. Even though we allow for JavaScript on our blog network, we don't allow HTML files to be uploaded here so that we can restrict JavaScript execution to the blog...
Ian Dunn: xmlrpc.php file is enabled; it can be used for conducting a brute-force attack and Denial of Service (DoS)
Hi Team, The website https://www.iandunn.name has the xmlrpc.php file enabled and could thus potentially be used for such an attack against other victim hosts. WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. URL:...
Razer: User Access Control Bypass via Razer elevated service (RzKLService.exe) which loads an exe in a misconfigured way.
The tester discovered a Cortex related service suffered from a code path vulnerability that could lead to escalation of privilege. Razer thanks the tester for his report and helping keep our users secure...
Mail.ru: XSS on the site https://warofdragons.my.games/.
Reflected XSS via GET parameter in https://warofdragons.my.games...
Razer: Reflected XSS at https://sea-web.gold.razer.com/cash-card/verify via channel parameter
The tester discovered that the sea-web.gold.razer.com server suffered from a reflected XSS vulnerability. Razer thanks the tester for his report...
Semrush: CORS misconfiguration which leads to the disclosure of certain data concerning the user.
INTRODUCTION I used an account to search for this vulnerability: id: 5407773 email: [email protected] IP used: 2a01:e34:ec2a:9240:7d25:26c3:1449:bfe7 endpoint URL: https://www.semrush.com/content-paywall/api/accesslevel Summary: CORS policy too permissive. EXPLOITATION Description of...
Starbucks: sdrc.starbucks.com - Information Disclosure via unsecured attachment directory
l00ph0le submitted a valid high severity XSS vulnerability report for sdrc.starbucks.com. After Starbucks confirmed this vulnerability and advised this asset was not in scope; l00ph0le performed additional analysis and research to uncover an unsecured attachment directory which elevated this to a...
Valve: [GoldSrc] RCE via 'spk' Console Command
Details: Description RCE can be achieved on clients via the 'spk' console command due to missing length checks before copying into a stack based buffer. POC 1. Place the attached cfg file in the root directory of the game: F676967 2. Launch the game and bring up the console with 3. Type in exec...
X (Formerly Twitter): lack of input validation that can lead Denial of Service (DOS)
Hi Security Team, Summary: There is no limit to the number of characters in the issue comments, which allows a DoS attack. The DoS attack affects the server side. Description: On the username input form at https://twitter.com/settings/screenname there's no input validation; using this you can send...
Node.js third-party modules: Denial Of Service in Strapi Framework using argument injection
I would like to report a Denial Of Service in the Strapi Framework. It allows an attacker to force restart the server using argument injection. Module module name: strapi version: 3.0.0-beta.18.3 and earlier npm page: https://www.npmjs.com/package/strapi Module Description The Strapi HTTP layer sits on top...
Starbucks: Korea - Reflected XSS on https://www.istarbucks.co.kr/app/getGiftStock.do via "skuNo" and "skuImgUrl" parameters
rexvuz discovered the endpoint at https://www.istarbucks.co.kr/app/getGiftStock.do was susceptible to a reflected cross-site scripting vulnerability via the skuNo and skuImgUrl parameters. @rexvuz — thank you for reporting this vulnerability and for confirming the resolution...
Concrete CMS: Unauthenticated HTML Injection Stored - ContactUs form
Unauthenticated HTML Injection Stored - ContactUs form • Title: concrete5-8.5.2 HTML Injection Stored - Contact Us form • Keyword: crayons • Software : concrete5 • Product Version: 8.5.2 • Vulnerability : HTML Injection Stored • Vulnerable component: Contact Us form • Vulnerability : HTML Injecti...
Concrete CMS: Remote Code Execution (Reverse Shell) - File Manager
Remote Code Execution Reverse Shell - File Manager • Title: concrete5-8.5.2 Remote Code Execution - Reverse Shell • Keyword: crayons • Software : concrete5 • Product Version: 8.5.2 • Vulnerability : Remote Code Execution - Reverse Shell • Vulnerable component: File Manager The attacker needs the...
Concrete CMS: Cross Site Scripting (XSS) Stored - Private messaging
• Title: concrete5-8.5.2 Cross Site Scripting XSS Stored - Private messaging • Keyword: crayons • Software : concrete5 • Product Version: 8.5.2 • Vulnerability : Cross Site Scripting XSS Stored • Vulnerable component: Private messaging concrete5 latest version 8.5.2 suffer from persistent Stored...
U.S. Dept Of Defense: Public instance of Jenkins on https://██████████/ with /script enabled
Summary: An Amazon instance was found on https://█████/ running Jenkins. On analysing the SSL certificate, I reported it here to the DoD. Description: On checking the SSL certificate, the details show: Issued To and Issued By records: Common Name (CN): █████ Organization (O): █████████ Organizational Unit (OU): ███...
Razer: SQL Injection at api.easy2pay.co/add-on/get-sig.php via partner_id Parameter
The tester discovered a SQL injection vulnerability that allowed the potential extraction of sensitive user information from the Razer Gold Thailand database. Razer thanks the tester for his PoC as well as working with the Triage and dev teams to clarify the issue and get it fixed...
U.S. Dept Of Defense: Bypassing CORS Misconfiguration Leads to Sensitive Exposure
Hi! Security Team @deptofdefense, it's possible to get information about the registered users, such as id, name, login name, etc., without authentication in WordPress via the API on ███████. Description: By default WordPress allows public access to the REST API to get information about all users...
Nord Security: Race condition (TOCTOU) in NordVPN can result in local privilege escalation
Summary: A vulnerability exists in the NordVPN service, which is installed as part of the NordVPN Windows app. By exploiting a race condition in the NordVPN service it is possible to launch OpenVPN with a user-supplied configuration file. By setting an OpenSSL engine name within this configuratio...
Razer: dom based xss on [hello.merchant.razer.com]
The tester discovered a DOM based xss on a Razer Merchant Services status server, associated with an unneeded application. Razer Fintech appreciates the tester bringing this to their attention and the clear PoC...
Starbucks: Account take over of 'light' starbuckscardb2b users
This issue was found on https://www.starbuckscardb2b.com; this website belongs to Starbucks and it is a critical vulnerability, so I am reporting this. Issue: An attacker can take over the victim's account by creating a new account using the victim's already-registered email address...
GitLab: Private objects exposed through project import
Summary This is a bypass of https://hackerone.com/reports/743953; the current fix is blocking all "ids" attributes. However, an attacker could still set attributes like issueids by indirectly setting the field within the attributes field itself: project.json "attributes": "issueids": 29279725 ,...
Clario: Account Takeover because of the mis-configuration on the Password Reset Page
Summary https://api.account.opendoor.ltd has no rate limit on the password reset's verification page. By this, I can take over any account. All I need to know is the victim's email address. Steps to reproduce 1. There is an endpoint - POST /v1/verification-code/forgot-password which will take POST dat...
Nord Security: Vulnerabilities chain leading to privilege escalation
The researcher provided us with a chain of 5 vulnerabilities. By chaining all of them together, the attacker is able to establish a valid XPC connection with the privileged helper. Then, the attacker is able to send a message to open a binary located in the controlled location that has a symlink...
MTN Group: Java Debug Console Provides Command Injection Without Privilege Escalation
Summary: I initially found the debug console as a tool to insert arbitrary HTML/XSS bugs; however, after further probing, the debug console has some serious security flaws that allow arbitrary Java code to be executed. My initial report of a separate bug using this console,...
Mail.ru: Ability to find out the name of the database table and its columns
Verbose errors were not disabled on api.iconjob.co An attacker can learn the name of a database table and its columns from an error message. This can help implement other SQL injection type attacks...
X (Formerly Twitter): User input validation can lead to DOS
Hi Security Team, Summary: There is no limit to the number of characters in phone numbers, and using this you can perform a DoS attack. Description: On the phone number input form at https://twitter.com/account/complete there's no input validation; using this you can send a larger payload and may cau...
GitHub Security Lab: Java (Maven): Use of insecure protocol to download/upload artifacts
This bug was reported directly to GitHub Security Lab...
Genasys Technologies: Improper Input Validation on payment page
Executive Summary ===================== All activities were conducted against Genasys Technologies with the goals of: • Identifying if a remote attacker could penetrate Genasys Technologies defenses • Determining the impact of a security breach on: • Confidentiality of the company’s private data...
MTN Group: Information Disclosure Microsoft IIS Server service.cnf in a mtn website
Hi there, I found an information disclosure of the Microsoft IIS Server service.cnf file on the website https://www.mtn.co.za/ using Firefox. In the following steps I will demonstrate how to reproduce the vulnerability. POC: 1. Go to the following URL: https://www.mtn.co.za/vtipvt/service.cnf and you will see:...
Monero: Potential linkage of public/private (anonymous) node addresses
During the handshake for an incoming connection, the peer id is checked against the local node's peer id only for the specific zone of the incoming peer, in order to avoid linking public addresses to tor addresses:...