Dropbox: Leaking API_KEY of testrail of HelloSign gives read/write access
The APIKEY and testrail config details were leaked on Github, which attackers could use to access testrail accounts of HelloSign and perform read/write actions. Impact: Access to testrail account of HelloSign...
U.S. Dept Of Defense: Leaked DB credentials on https://██████████.mil/███
Summary: Information disclosure with login credentials for ms-sql database exposed. Description: I've found a PHP info file disclosed on https://█████.mil/██████ containing login credentials for a database cloud server ███████ as well as information on the host system such as hostname, username a...
Keybase: SOP bypass using browser cache
Summary An attacker has the ability to extract sensitive information from user's accounts, due to a CORS issue. On a minor note, this also is a cross-site leak as we can fingerprint what exact keybase user has accessed the attacker's website. Information disclosed:...
Mail.ru: Account takeover at geekbrains.ru
It was possible to takeover Geekbrains account registered via Google account due to misuse of unconfirmed attached e-mail as account id...
MTN Group: Information Disclosure FrontPage Configuration Information /_vti_inf.html in https://www.mtn.co.za/
Hi there, I found an information disclosure of the Microsoft FrontPage configuration in the subdomain https://www.mtn.co.za/ that allows me to see the version number and scripting paths of SharePoint using Firefox. POC: Go to the following url: https://www.mtn.co.za/_vti_inf.html and you will see a blank page...
MTN Group: Cross-Site Scripting through search form on mtnplay.co.zm
Summary: There is an XSS vulnerability that can be triggered through a search form on mtnplay.co.zm Steps To Reproduce: 1. Navigate to http://www.mtnplay.co.zm/smart/jqm.aspx 2. Click on the search button or go to this link: http://www.mtnplay.co.zm/smart/jqm.aspx?event=search&mnu=search&ctrlid=92...
Nord Security: User password left in memory in plain text after GUI launch
Summary When NordVPN GUI has sensitive data in memory and has no further need for it, it should wipe the data out of its memory, in case malware later gains access to the NordVPN process or the memory is swapped out to disk or written into a crash dump file. An obvious example of this is the user...
Mail.ru: Reflected XSS with WAF Bypass https://pw.mail.ru
Reflected user-assisted XSS in https://pw.mail.ru...
Stripo Inc: stripo blog search SQL Injection
Summary: SQL injection of search parameters at blog search request Steps To Reproduce: 1. request https://stripo.email/blog/search/ 2. input search 1' AND SELECT 6268 FROM SELECTSLEEP5ghXo AND 'IKlK'='IKlK 3. See a very large response delay Supporting Material/References: See attached screenshot...
Nextcloud: Update App Store: Django account hijacking vulnerability
High Severity Framework Security Fix Impact There's a nasty bug that allows accounts to be hijacked. Attackers still can't distribute archives since they are signed, but can hijack admin accounts and swap out packages in the admin panel. I've updated the deps, tests work fine locally but you...
MTN Group: SQL Injection on cookie parameter
Summary: Hello team. It seems one of the parameters in the cookies is vulnerable to SQL injection. The requests below have the lang parameter in the cookies. If you inject one quote mark like ', you get a SQL error with the syntax. By injecting a second one, the error is removed. I did not attempt to...
GitHub Security Lab: Netty HTTP Response Splitting (CRLF Injection) due to disabled header validation
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CodeQL query to detect insecure MaxLengthRequest values in ASP.NET applications
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CodeQL query to detect pages with validationRequest disabled
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET
This bug was reported directly to GitHub Security Lab...
MTN Group: SharePoint exposed web services in a subdomain
Hi there, I found a subdomain whose SharePoint configuration is poorly implemented. Because of improper configuration, an anonymous user can access the SharePoint Web Services. POC: Go to the following url: https://www.mtn.co.za/_vti_bin/lists.asmx?WSDL services.jpg Remediation Restrict access to...
MTN Group: Account Take over of millions of MTN users account due to lack of Rate limiting when sending OTP code
I attached a PDF document to this report which explained the vulnerability in full details and I also attached a link to the POC video in the document. Impact Account take over of about any MTN user account...
Mail.ru: Customer domain information disclosure at https://biz.mail.ru/api/domains/*
IDOR vulnerability in biz.mail.ru could be used to enumerate registered domains...
MTN Group: Upload directory of Mtn.co.sz has listing enabled
Summary: There are some exposed files accessible for anyone Steps To Reproduce: Go to http://www.mtn.co.sz/wp-content/uploads/ and navigate between available folders Impact Every uploaded data can be accessible through this directory listing vulnerability This might include several...
DataStax: Helpdesk Takeover at dmc.datastax.com
Summary: DNS record dmc.datastax.com is pointing to stale dmc-support.zendesk.com domain on Zendesk which is available for takeover. DNS Stale Records: F661014 Proof of Concept: There was no helpdesk configured at this address, which means that the address was available and anyone could claim it....
U.S. Dept Of Defense: Reflected Xss https://██████/
Hello security team. Relevant Products/Components: last version Detailed Description: Reflected XSS, so it has high impact. Steps To Reproduce: 1-go in subdomain 2-and check url if tableau uses 3-Uses you can add this redirect dir in url with Authentication redirect:-...
Reverb.com: Race Condition allows to redeem multiple times gift cards which leads to free "money"
Hello team! I've found a Race Condition vulnerability which allows gift cards to be redeemed multiple times. This is how someone can easily buy stuff by buying just one gift card and redeeming it over and over again. Steps to reproduce Preparations - Burp Suite Pro - Turbo Intruder Note: This also can be...
Stripo Inc: Tabnabbing in template comments - stripo.email
Tabnabbing - template comments on stripo.email...
Stripo Inc: Stored XSS in template comments.
Stored XSS - template comments on stripo.email...
Mail.ru: XSS via POST request to https://account.mail.ru/signup/
Reflected XSS in account.mail.ru via POST parameter back...
Mail.ru: XXE at webdav.mail.ru - PROPFIND/PROPPATCH
XXE injection in webdav.mail.ru...
Mail.ru: Blind SSRF at calendar.mail.ru when importing a calendar
Blind SSRF in calendar.mail.ru via calendar import functionality...
U.S. Dept Of Defense: Reflected Xss
Hello security team, I found a reflected XSS in this subdomain https://███ POC:- 1-go in subdomain 2-go here https://███████/en/embeddedAuthRedirect.html?auth=javascript:alert"xElkomy" 3-Done Image:- ███████ xElkomy Impact reflected cross-site scripting XSS operation with JavaScript, which runs in t...
Nord Security: CORS Misconfiguration on nordvpn.com leading to Private Information Disclosure,Account takeover
Summary: A cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of th...
InnoGames: Blind SQL Injection
Summary of the Issue A Time Based Blind SQL injection vulnerability was detected on www.innogames.com. Using a specifically crafted payload it was possible to extract database entries. Vulnerable endpoint: https://www.innogames.com/ Steps to reproduce: 1. Getting two states for boolean based sql...
Mail.ru: Stored XSS in calendar via UID parameter
Stored XSS in calendar.mail.ru via UUID of calendar...
Internet Bug Bounty: HTTP Smuggling multiple issues in Squid 3.x & squid 4.x
Hello, as can be seen in a recent public security update by Squid, I reported several smuggling issues. If you want some background on the impact of smuggling issues, you can check the current works of James Kettle or my own previously published works. https://www.youtube.com/watch?v=upEMlJeUIk HTTP Desy...
Mail.ru: API method at api.my.games allows to enumerate user emails
API method which allowed to enumerate emails at https://api.my.games/ was not sufficiently protected...
Nord Security: Host header injection/redirection | signup and login page
Hey Team. There's a host header injection vulnerability in signup and login page. If possible, the application should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways: Remove the redirection function from the application,...
Razer: Expired reCAPTCHA site key leads to Rate Limit Bypass and Email Enumeration
The tester discovered a configuration issue involving Google reCAPTCHA that would allow adversaries to enumerate valid email addresses for users. While minor, Razer appreciates the report and clear PoC...
Phabricator: Markdown parsing issue enables insertion of malicious tags
mongoose By exploiting the URL markdown an attacker is able to add tags to an anchor element. This is less impactful since the default CSP policy blocks inline JavaScript execution, but an attacker could deface individual pages, bypass the rel="noreferrer" tag to perform tabnabbing or perform...
New Relic: Restricted user can manage the NerdGraph entities' tags
Hey team, I've found that the Restricted user can manage the NerdGraph entities' tags: - create new ones; - edit and/or remove current ones. It seems that the tags are supposed to be used internally by account administration and unauthorized removal of them can cause some issues. Thus, this repo...
Mail.ru: HTML injection at face.city-mobil.ru
Browser-specific (IE) HTML injection in city-mobil.ru At the time of reporting, HTML injection within this scope was considered under the same conditions as XSS. Under the current rules, HTML injection without proven XSS execution may not be eligible for a bounty. https://rdot.org/forum/showthread.php?t=2...
Razer: [Razer Pay Mobile App] Broken access control allowing other user's bank account to be deleted
The Razer Pay MY backend API had an access control vulnerability which would allow a client to delete the account of other users by varying the ID. Although an adversary could not target a specific individual by name, they could affect the integrity of the Razer Pay system. This was fixed in...
Mail.ru: Leak of Sensitive Data at face.city-mobil.ru
Unrestricted git directory in face.city-mobil.ru could leak sensitive data including access token for internal repository...
Mail.ru: Public available Sensitive Information about drivers
Domain, site, application -- API for client app Citimobil https://c-api.city-mobil.ru/ Version 4.33.0 and others Testing environment -- Device on any OS with internet connection Any software to send https requests Steps to reproduce -- Send POST request to url...
Shopify: Stored XSS in Shopify Chat
1.install app Shopify Chat 2.Click chat on the shop homepage or Shopify Ping to send poc javascript:alert1//https://dqdqdqdqdq.myshopify.com 3.Click url, alert F657395 Impact 1.Front end user Self-XSS 2.Administrator XSS foreground user...
Razer: Misconfigured Bucket [razer-assets2] https://assets2.razerzone.com/
The tester discovered an S3 bucket exposure at assets2.razerzone.com. We appreciate the tester bringing this to our attention...
PUBG: RXSS to Stored XSS - forums.pubg.com | URL parameter
René Kroka found a Reflected XSS vulnerability that could be chained to a Stored XSS attack in the Invision Community forums software used by PUBG. By crafting a malicious URL the attacker is able to trigger Javascript to execute on their own page; known as Reflected XSS. The attacker then create...
Polymail, Inc.: Reflected XSS by changing url parameters on the user invite onboarding links.
@renekroka Discovered a potential reflected XSS by changing url parameters on the user invite onboarding links. 1...
Nord Security: Potential leak of server side software at repogohi.nordvpn.com
Summary: I found a public Git Repository at https://repogohi.nordvpn.com/. It looks like the software components in this repository are part of the VPN Servers. So I'm afraid there's a certain risk. The following packages are among others publicly available: openvpn-xor2.4.5-stretch1nordamd64.deb...
Nord Security: Blind SSRF on debug.nordvpn.com due to misconfigured sentry instance
Summary: The debug subdomain uses Sentry for application monitoring and error tracking. This software comes with a feature known as source code scraping turned on by default, which makes it possible to make blind GET requests from the server on which it is running. Steps To Reproduce: add detai...
Shopify: Timeline Editor Self-XSS (Previous Fix #738072 Incomplete)
1.Consistent steps 2.poc: axxx 3. F656339 Impact admin...
Ruby on Rails: Prevent XSS when passing a parameter directly into link_to
Note: I would say this is perhaps more of a feature request than an actual vulnerability, but Rafael França deleted this from GitHub and asked to submit it here instead. In Rails views it's easy to accidentally create an XSS vulnerability by using the following in a template: Doing this exposes...
Mail.ru: Stored XSS on https://community.my.games/ (Add Post)
Two stored XSS at https://community.my.games/. First XSS via upload photo title at link https://community.my.games/community/game/GameName/ . Second XSS via Discussion at the same link...