Mail.ru: [myMail Android] Access to protected app components via RegistrationPhoneActivity
RegistrationPhoneActivity of My.com MyMail application for Android could be locally exploited by malicious application to access internal activities as was demonstrated by spoofing logon screen to send authentication request to arbitrary site...
Palo Alto Software: weak protection against brute-forcing on login api leads to account takeover
Summary: Weak protection against brute-forcing on login API: https://api.outpost.co/api/v1/login leads to account takeover on https://www.teamoutpost.com/ Steps To Reproduce: Sign in on https://www.teamoutpost.com/ F673002 redirect to https://app.outpost.co/sign-in to login F673012 test any login...
Starbucks: China - Leaked credentials permitted a limited ability to create Starbucks coupons and cards
neweq discovered a Github repository exposing credentials with which they could obtain an access token. The access token permitted limited access to generate Starbucks coupons and cards. @neweq — thank you for reporting this vulnerability...
pixiv: XSS reflected on [https://www.pixiv.net]
Summary: I found a reflected XSS on the https://www.pixiv.com URL and in the search box from Chrome on iOS 13.1 Steps To Reproduce: 1. In the URL https://www.pixiv.net/en/%5B'-alertdocument.cookie-'%5D Add Payload '-confirm3-' 1. In the URL https://www.pixiv.net/en/%5B'-alertdocument.cookie-'%5D Add...
Affirm: Absence of Token expiry leads to Unauthorized login Access
Summary While doing the testing for the mobile app, I observed that it is possible to bypass the authentication and gain unauthorized access to the user's account by brute-forcing the PIN due to lack of login token expiry. The way affirm mobile login works is that, User inputs the phone numbe...
Stripo Inc: CSRF - Modify Project Settings
Target Url/Endpoint https://my.stripo.email/cabinet/stripeapi/v1/projects/ProjectId Note Attacker just needs to know the victim's project Id. Summary: This CSRF Vulnerability leads to change user's project settings including General Information, Contacts, Social Networks and Other Options. Steps To...
Starbucks: Thailand - Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victim's Starbucks card
nnez discovered that a hacker could transfer funds from one Starbucks card to another by inspecting the form with Google Chrome DevTools and then changing the form's "CardNumber" value to a victim's valid Starbucks card number. If the value entered for the "FullAmount" form field did not exceed the...
Mail.ru: Blind XSS Stored On Admin Panel Through Name Parameter In [ https://technoatom.mail.ru/]
Blind XSS via username in admin panel of technoatom.mail.ru...
Clario: MK Site Cross-Site Scripting (XSS) in script context
Summary https://mackeeper.com Site Cross-Site Scripting XSS in script context Parameter - cookie: guid Step to reproduce Injected payload:...
Rocket.Chat: API Keys Hardcoded in Github repository
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: API Keys is ha...
Stripo Inc: csrf bypass using flash file + 307 redirect method at plugins endpoint
Hi Security team, I have found that the request sent to https://my.stripo.email/cabinet/stripeapi/v1/plugin/$userid$/plugins doesn't have any protection against CSRF attacks as the server only validates that the content type is application/json and this can be bypassed using the flash file + 307...
Genasys Technologies: Missing redaction on a disclosed report
Hi team, I wasn't sure if this is worth a report, but I thought that you should be aware and HackerOne's support referred me to submit a report. I ran into a disclosed report where the reporter asked to redact his email but we can still extract his email and more info about his google account from th...
New Relic: Restricted user can remove NerdStorage documents/collections scoped to ACCOUNT or ENTITY
Hey team, I've found that the Restricted user can remove both documents and whole collections of NerdStorage documents which are scoped to ACCOUNT and ENTITY. I don't know if this is a vulnerability or not, but I think it would be better for you to discuss this internally. According to docs, if a...
Nord Security: Clickjacking at join.nordvpn.com
PoC at attach Create a new HTML file Put Save the file Open document in browser Impact https://www.owasp.org/index.php/Clickjacking...
U.S. Dept Of Defense: Git repo on https://██████.mil/ discloses API password
Summary: I found a .git repository on https://███████.mil/.git which discloses an API password for Yubikey on 2 different domains, together with full source code. Description: Fetching the git repository and decompressing the objects results in the ability to read the source code of the server,...
Palo Alto Software: Stored XSS on upload files leads to steal cookie
Summary: There isn't a check mechanism on file format in Inbox which an attacker can send an SVG file as other formats such as png, gif or bmp by rename and change file format leads XSS attack and steal victim cookies. Steps To Reproduce: You should create 2 accounts : First account for the...
curl: Heap Buffer Overflow (READ of size 1) in ourWriteOut
Summary: Whilst fuzzing the curl command line tool built from commit 779b415 with AFL, ASAN and libdislocator, a heap buffer overflow was triggered when a crafted curl configuration file was loaded. Steps To Reproduce: echo "LXdAAAou" | base64 -d test0070.conf ./curl -q -K test0070.conf...
New Relic: Cross-account reading of Insights dashboards through GraphQL
@skavans identified a GraphQL query lacking validation. This had the potential to return a subset of Insights dashboards in target accounts...
Automattic: Modify account details by exploiting clickjacking vulnerability on refer.wordpress.com
Summary: I have found that there is no protection for clickjacking on refer.wordpress.com so an attacker can exploit it to change users' details. This clickjacking is on authenticated pages so it is a very critical vulnerability. Steps To Reproduce: 1. Create a HTML file with following content...
Stripo Inc: my.stripo.emai email verification bypassed and also create email templates
Summary: According to Stripo.email, when a new user signs up, Stripo.email allows creating email templates only after the verification of the email of your stripo account. Until your email gets verified you are not able to create email templates in your acc. User needs to verify their email...
Nextcloud: Remote code execution via path traversal in Zip extraction in the Extract app
I realise this doesn't qualify for a reward, as it's a vulnerability in a third-party app, but as the app is part of the "official" VM image provided by Hansson IT, I think it's well worth fixing. The Extract app doesn't validate the path or filename of a zip file to be extracted, allowing an...
Ian Dunn: Potential Open-Redirection
Steps To Reproduce: ===================== 1 visit : Normal Link. 2 Sign-in with your wordpress account and you will directed to This 3Change the value of the Parameter : redirectto .. To the attacker website let's say : https://vul-example.com 4NOTE THAT : you must URL-encode the vulnerable link...
MTN Group: Weak Passwords generated by password reset function
Summary: Assessor observed that the password reset function generates only alphanumeric passwords, that is, passwords don't contain any special characters. Also the User can set the old password as the new password. Steps To Reproduce: Goto https://mycontract.mtn.co.za/landing/landing.htm Click forget password link...
Kubernetes: Man in the middle using LoadBalancer or ExternalIPs services
I rated this vulnerability as high because trying to rate it with CVSS v3.0 Calculator gives me 9.9 which seems way too high as you do require to be able to create services in the K8S cluster. Summary: This report details 2 ways to man in the middle traffic by: a creating a LoadBalancer service a...
Mail.ru: Stored XSS in Review Section https://games.mail.ru/
Stored XSS via maliciously crafted link bbcode in review editor...
U.S. Dept Of Defense: Publicly accessible Grafana install allows pivoting to Prometheus datasource
Summary: A publicly accessible Grafana install exposes semi sensitive Dashboards. This also exposes the Prometheus proxied datasources which allow direct queries to a Prometheus instance which reveals sensitive data and opens the instance up to potential DoS via crafted requests. Description: Impa...
Node.js third-party modules: [http-live-simulator] Application-level DoS
The http-live-simulator npm package has an application level DoS vulnerability...
BCM Messenger: Account Takeover with old password and login QR
BCM servers don't store users' passwords, and the private keys are stored locally. If you change the password, the data in the old QR code will not be revoked. Please read the warnings during registration and backup, and protect your account credentials. Thank you! When someone wants to log into...
Stripo Inc: SSRF leads to internal port scan
SSRF Vulnerability leads to internal port scan. From the response time, we can confirm whether the internal IP exists/is accessible or not...
HackerOne: profile-picture name parameter with large value lead to DoS for other users and programs on the platform
Summary: The issue persists as there are no text limitations for profile-picture name while uploading the profile-picture, these heavy text names can cause denial of service on different pages of hackerone. Description: I was checking the profile picture upload feature of hackerone and found out...
Infogram: Bypass to report #280389 [Thinking The issue is not fixed Yet]
Please see the report https://hackerone.com/reports/280389. There it was mentioned that it is resolved but the fact is that I tried with 5000 and it flooded my email. I think the issue is not solved. Please look into this. F668239 Impact Please fix as rate limit on the password reset functionalit...
BCM Messenger: API - Amazon S3 bucket misconfiguration
Dear BCM Messenger, Description My discovery started from com.bcm.messenger. First, I traced what the application sends and receives from the network, so I used the Frida tool to bypass SSL pinning. Then I was able to trace the application's http traffic, and since API data is not encrypted and there's nothi...
Stripo Inc: No Rate Limiting on /reset-password-request/ endpoint
Hi there ! I noticed when we hit the /reset-password-request/ endpoint too many times via some proxy for e.g:- Burp there is no rate limit on that endpoint and you can spam the email with 100's of requests and resend even more password reset emails to the users as there is no rate limiting on tha...
Shopify: Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP
Hello Shopify Security Team! Bug Summary: This bug leads to disclosure of any store's products, files, purchase orders through the shopify stocky app. It is a bug in a shopify app but it affects stores also. Reproduction steps: Go to apps.shopify.com and install the stocky app. Now you will be redirected to thi...
Mapbox: Stored XSS | api.mapbox.com | IE 11 | Styles name
On December 24, 2019, user @renekroka reported a stored XSS injection vulnerability on api.mapbox.com that affected users in Internet Explorer 11. An attacker could store XSS injections on Mapbox servers, and then exploit them in IE11 due to JSON responses not including the X-Content-Type-Options...
Stripo Inc: Email verification bypass
Email verification bypass: after finishing the registration the user needs to verify the email address; this can be bypassed while logging in to the account...
Valve: [GoldSrc] RCE via malformed BSP file
Description RCE can be achieved via a malformed BSP file due to the lack of length validation when copying data from the BSP file into a stack based buffer. POC 1. Place the attached BSP F666628 in the maps directory of the chosen GoldSrc game czero/maps, cstrike/maps, tfc/maps, etc.. 2. Launch t...
Mail.ru: information disclosure via IDOR on "https://target.my.com/api/v2/coverage/segment.json?id={id}" endpoint
IDOR in target.my.com allowed to get numeric segmentation identifiers by site id. No sensitive information or associated security risks identified...
Phabricator: User can link non-public file attachments, leading to file disclose on edit by higher-privileged user
CVSS ---- Medium 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Description ----------- Uploaded files can be linked to from anywhere by referencing their ID. If the user viewing the reference to the file has permission to access the file, it will be rendered. Otherwise, the reference will be...
Vercel: through %09 Character the attacker is able to steal Github Token [ Account Takeover ]
Summary: Hello, I've found that the filter deletes this %09 character when checking the value of the parameter next in oauth, which allows an attacker to bypass the Filter and steal the Oauth Token of a user, which leads to account takeover! Steps To Reproduce: 1. Go To...
Zomato: Free food bug done by burp suite
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: By this...
Polymail, Inc.: Metadata leakage via IDOR
Inbox metadata leakage via Insecure Direct Object Reference on one endpoint...
Starbucks: India - OTP bypass on Phone number verification for account creation
dekster discovered a mobile number verification bypass via incorrect client side validation allowing an attacker to validate a new account creation without a valid phone number attached. @dekster — thank you for reporting this vulnerability and for confirming the resolution...
HackerOne: How the Bug stole hacking
In light of the season - here's a story I wrote for you: Every hacker down in Hackerone liked hacking a lot, But the Bug who lived down in the source code, did not! The Bug hated hacking! The whole Bug-hunt season! Now please don't ask why. No one quite knows the reason. It could be perhaps, that...
GitLab: Guest users can change the confidentiality attribute on those issues that have been assigned to them
Summary A user with no association to a project nor group can use a mutation GraphQL query to change the confidentiality on those issues where they have been previously assigned. This functionality is restricted to those users which have been granted access to a project and hold at least the...
Starbucks: Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11
rugb discovered the endpoint at https://www.starbucks.com.sg/RestApi/ was found vulnerable to XML eXternal Entity XXE processing. This permitted arbitrary reading of files on the remote server. This asset is not rated as critical as it does not contain sensitive data. @rugb — thank you for...
Automattic: Follow by email allows for following by unverified emails
The initial report outlined being able to add any email to a Tumblr account without verifying it first which is expected behavior that does not pose a security risk. However, the reporter also reported that these unverified emails were able to be used in our “follow by email” feature which we did...
MTN Group: Upload directory of Mtn.ci
Summary: Upload directory of Mtn.co.sz has listing enabled Steps To Reproduce: 1. Just go to https://www.mtn.ci/wp-content/uploads/ and navigate between available folders Impact Every data uploaded by the webmaster can be accessible through this directory listing vulnerability This might include...
QIWI: Keychain data persistence may lead to account takeover
Summary When a user deletes the Qiwi iOS application the Keychain isn't wiped, and on first Qiwi launch after re-installation the Keychain isn't wiped as well. It allows an attacker (possible buyer of a second hand iPhone) to take over the account. Steps to reproduce 1. Find somebody who uses Qiwi phone enumeration may...
Pornhub: Self-XSS to Good-XSS - pornhub.com
The researcher was able to bypass the site-wide clickjacking protection X-Frame-Options header in order to fully automate the exploitation of a self-xss vulnerability, allowing attackers to execute arbitrary javascript payloads on the pornhub domain through iframes hosted on a third-party website...