Mail.ru: Mail.Ru Top - Website Counter Bruteforcing
counter-specific password at top.mail.ru was not sufficiently protected against bruteforce...
WordPress: Stored XSS on Wordpress 5.3 via Title Post
I have identified a WordPress security vulnerability, a Stored XSS vulnerability that affects the latest version of WordPress 5.3. POC: 1. Login to the WordPress website; 2. Make a post with a title payload XSS like the example alertdocument.domain; 3. Publish, then open the post and the XSS will trigger. Impact: Can steali...
Razer: Improper Authorization at https://api-my.pay.razer.com/v1/trxDetail?trxId=[Id] allowing unauthorised access to other user's transaction details
The tester determined that the Razer Pay backend server could be exploited to obtain transaction details from another user. Razer Fintech appreciates the detailed report and clear PoC...
Razer: Insecure Processing of XML leads to Denial of Service through Billion Laughs Attack
The tester discovered a Razer Gold Thailand server was vulnerable to a DoS attack / resource exhaustion related to an XML parser used on the server. Razer thanks the tester for his clear report/PoC...
Razer: [Razer Pay Mobile App] IDOR within /v1_IM/friends/queryDrawRedLog allowed unauthorised access to read logs
The tester determined the Razer Pay MY server was vulnerable to unauthorized access of certain log file information due to an exposed signature in the Razer Pay Android application. Razer Fintech appreciates the clear and detailed report...
Stripo Inc: SSRF in Export template to ActiveCampaign
Summary: I found a SSRF vulnerability in export template to the email marketing platform ActiveCampaign. Steps To Reproduce: add details for how we can reproduce the issue 1. Login to your account in 2. Go to https://my.stripo.email/cabinet//templates/ 3. Click on Create your first mail & select one...
Node.js third-party modules: [htmr] DOM-based XSS
Hi, I would like to report DOM-based XSS in htmr. It allows attackers to insert a malicious JavaScript payload into the page. Module: module name: htmr, version: 0.8.6, npm page: https://www.npmjs.com/package/htmr. Module Description: Simple and lightweight Hash: $window.location.hash; 4. Run the server...
Magic: HTTP SMUGGLING EXPOSED HMAC/DOS
HTTP SMUGGLING EXPOSED HMAC / DOS. Using the transfer-encoding header and following it with a zero, the back end leaked the HMAC: the back end reflected back the HMAC key encryption type, and a lot of details. Further testing had it reflect more headers. [image: http-smuggling-dashboard-fortmatic.png] we wi...
Zenly: Insecure Storage and Overly Permissive API Keys in Android App
Description: Most often, developers, for their ease of use, leave API keys and other sensitive keys and tokens as hardcoded strings, which isn't really a good idea as it can result in leaks of sensitive information getting into the wrong hands, which can indeed result in data theft and tampering with how the...
PayPal: Reflected XSS at https://www.paypal.com/ppcreditapply/da/us
Researchers identified endpoints that were vulnerable to reflected XSS, due to insufficient input sanitization. This could allow malicious client-side content to be rendered by the app, which could affect a user's session, browser, or the contents of the page itself. The issue was resolved by...
Nord Security: Disclosure of User Information
Hi Team, We can get information about the users registered such as: id, name, login name, etc. and employees of NordVPN without authentication on https://www.nordvpn.com Vulnerable URL: https://nordvpn.com/wp-json/wp/v2/users/ Vulnerable URL: https://nordvpn.com/?restroute=/wp/v2/users/ POC:...
Unikrn: Staging RabbitMQ instance is exposed to the internet with default credentials
Description: RabbitMQ is an open-source message-broker software (sometimes called message-oriented middleware) that originally implemented the Advanced Message Queuing Protocol (AMQP) and has since been extended with a plug-in architecture to support the Streaming Text Oriented Messaging Protocol (STOMP),...
Concrete CMS: XSS in select attribute options
To reproduce: 1. Create a new select attribute. 2. Add a select attribute option with value alert'XSS' and hit Save. 3. Edit the newly created attribute again and see the XSS dialog. The vulnerability lies in the typeform.php file, see...
Polymail, Inc.: Bug in OAuth Success Redirect URI Validation
@bluebert discovered a bug on the OAuth login endpoint that allows creation of OAuth login URLs with Polymail as the subdomain on external domains. This has now been fixed. A bug in how OAuth login URLs were generated, in particular the redirect URI, allowed an attacker to steal secrets...
Yelp: DoS of https://blog.yelp.com/ and other WP instances via CVE-2018-6389
Description: There is a possibility in the /wp-admin/load-scripts.php script to generate a large (3Mb) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389. Details: A detailed attack scenario is described for example here:...
Nord Security: Open redirect
The following URL is vulnerable to an open redirect; it will redirect to google.com: https://support.nordvpn.com//path///google.com. Vulnerable code: if (window.location.href.indexOf('/path') !== -1) console.log("document.URL", document.URL); window.location.href =...
Stripo Inc: No CSRF Protection in Resend Confirmation Email feature leads to Sending Unwanted Email in Victim's Inbox without knowing Victim's email address
Summary: There's no CSRF protection in the confirmation email resending feature, as a result of which an attacker can trick the victim into receiving a confirmation email unknowingly. In other features of the website, the content-type must be "application/json", and there is a same-origin policy, which...
Stripo Inc: Upload Profile Photo in any folder you want with any extension you want
Summary: There exists a vulnerability in Stripo as a result of which an attacker can upload his/her profile photo to any folder he/she wants, with any file extension he/she wants. I also checked whether it could lead to code execution or directory traversal by modifying the values in the request,...
Razer: [Razer Pay Android App] Multiple vulnerabilities chained to allow "RedPacket" money to be stolen by a 3rd party
The tester discovered that the Razer Pay Android app was subject to an issue that could allow an adversary to obtain information originally destined for another user originating from the server. Razer Fintech appreciates the especially detailed work on this issue and clear help in reproduction...
Razer: [Razer Pay] Broken Access Control at /v1/verifyPhone/ allows enumeration of usernames and ID information
The tester discovered an API endpoint with insufficient access control that could allow an adversary to obtain user name and phone number information. Razer Fintech thanks the tester for his clear PoC and diligence in helping us secure our customers' information...
Nord Security: Connection information is sent to a third-party service
Application event data exposed through the reuse of an API key. The researcher reported that iOS app usage event information sent to the third-party service can be intercepted through the reuse of the API key. In order to resolve the issue we have disabled GET requests for API keys, removed the third par...
Nextcloud: Anonymous file drop page ignores user profile visibility restrictions
The user profile on a Nextcloud server at a URL like https:///index.php/settings/user includes personal information: photo, name, email address. For each of the listed fields the user can select the visibility setting: local, contacts, public. It is expected that these settings will work in all places of the...
Nord Security: xmlrpc.php file is enabled and can be used for brute-force attacks and Denial of Service (DoS)
Hi Team, The website https://www.nordvpn.com has the xmlrpc.php file enabled and could thus potentially be used for such an attack against other victim hosts. WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. URL:...
Semrush: Content Injection on api.semrush.com to Reflected XSS
The researcher found an XSS vulnerability and wrote an awesome summary!: While testing api.semrush.com I've found that some inputs triggered a MongoDB error on the /reports/v1/projects/:id/siteaudit/page/list endpoint. The contents of the url parameter were reflected in the error message. Unfortunately the WAF blocked my...
Nord Security: DoS of https://nordvpn.com/ via CVE-2018-6389 exploitation
There is a possibility in the /wp-admin/load-scripts.php script to generate a large (3Mb) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389. Details: A detailed attack scenario is described for example here:...
Zomato: Zomato Map server going out of memory while resizing map image
Go to https://maps.zomato.com/php/staticmap?center=0,0&size=240x150&maptype=zomato&markers=180,180,pinres32&sensor=false&scale=%&zoom=eval2147483647+1&language=en and a map will be displayed. Now increase the map size by 10x...
Nord Security: Version problem in WordPress leads to many vulnerabilities
Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS). Reference: https://wpvulndb.com/vulnerabilities/9230 Reference: https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b Reference:...
PUBG: Reflected XSS in pubg.com
Summary: PUBG's main website https://www.pubg.com has an endpoint that is vulnerable to an injection vulnerability - namely a reflected injection of JavaScript, also known as Reflected Cross Site Scripting (XSS). As per OWASP's definition: "Cross-Site Scripting (XSS) attacks are a type of injection, ...
Razer: THX Tuneup Survey feedback disclosure via Google cached content for apps.thx.com
Summary: If you use this google dork: site:apps.thx.com, you will notice many of the links no longer work. However, in the cached versions, they contain lots of sensitive user information from users who seemingly filled out a survey, including first and last name, zip code, gender, email, country...
New Relic: NR-wide cross account access through misconfigured CORS-policy of multiple endpoints
Hey guys, While working on 746786, I've discovered a NewRelic-wide huge CORS-policy misconfiguration leading to cross-account data stealing and modification at a huge number of endpoints. The vulnerability itself is that the origin nr3.nr-assets.net is trusted NR-wide at many different endpoints, b...
Polymail, Inc.: XSPA on API service endpoint
The batch endpoint on the API was vulnerable to XSPA due to incorrect validation of the url parameter in the request body...
Nord Security: No Rate Limit On Forgot Password Page Of NordVPN
Introduction: A little bit about rate limiting: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP servers can respond with status code 429...
Nord Security: Password Reset Link Leaked In Referer Header In Request To Third Party Sites
The reporter has identified that the web application is leaking the password reset token in the HTTP Referer header. By obtaining a token, a malicious user would be able to reset the password for a particular user. It is worth mentioning that the attack must be highly personalised and requires prior...
Nord Security: IDOR allows access to payment data of any user
Simply send this POST request, no auth needed: POST /api/v1/orders HTTP/1.1 Host: join.nordvpn.com Accept: application/json Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 179 DNT: 1 Connection: close...
Mail.ru: [fleet.city-mobil.ru] Driver balance increasing
A partner's account with the manager role could perform fraudulent fund withdrawals via a driver's account...
Stripo Inc: Improper Authorization
Hi there, I found a vulnerability on https://my.stripo.email/cabinet//users/orogid. Generally every user has an organisation and the organisation contains projects. Let's suppose [email protected] is the owner of the project and [email protected] was invited to his project as admin; in normal...
PUBG: Reflected XSS in https://lite.pubg.com
The researcher found an XSS vulnerability caused by query parameters not being properly sanitized before being displayed on the page...
Mail.ru: [city-mobil.ru/taxiserv/] IDOR leads to driver account takeover
An IDOR vulnerability allowed a partner account with the manager role to take over driver accounts belonging to a different partner...
Mail.ru: [https://fleet.city-mobil.ru] Stored XSS into driver mailing
Stored XSS via content of the message to driver in operator's interface...
Clario: Local Privilege escalation to root via XPC
Summary: The application is divided into a few parts responsible for different actions. The standard parts, running with user permissions, are: MacKeeper, MacKeeperAgent. MacKeeper communicates with a more privileged root part named com.mackeeper.MacKeeperPrivilegedHelper that is located in the...
Mail.ru: relap.io IDOR
An IDOR vulnerability in relap.io allowed disclosure of attributes of an arbitrary site...
Mail.ru: Mirror of https://city-mobil.ru admin interface
Network restrictions for admin interface could be bypassed via alternate hostnames...
Showmax: Open Redirect in secure.showmax.com
The hacker submitted an open redirect vulnerability in one of our payment method flows. The vulnerability could also have been used to perform an XSS attack. Write-up: https://medium.com/@ahmadbrainworks/bug-bounty-how-i-earned-550-in-less-than-5-minutes-open-redirect-chained-with-rxss-8957979070e5...
Mail.ru: Possible tokens leak on ws-app.city-mobil.ru
Potentially sensitive application related information was disclosed via debug interface in ws-app.city-mobil.ru...
Semrush: Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image
@zcashi found a vulnerability in the My Reports tool. You can read the full write-up here: How I earned 500$ by uploading a file: write-up of one of my first bug bounty...
Node.js third-party modules: [Total.js] Path traversal vulnerability allows reading files outside public directory
I would like to report path traversal in Total.js. It allows reading arbitrary files outside the public directory. Module: module name: Total.js, version: 3.3.2, npm page: https://www.npmjs.com/package/total.js. Module Description: Total.js framework is a framework for the Node.js platform written in pure...
Mail.ru: tracker.my.com information disclosure via csrf bypass
A CSRF vulnerability in tracker.my.com allowed an attacker to invite himself as a project owner via a cross-site request...
GitLab: Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result
Summary: When a public group with public projects is transferred to a private group, the code and the wiki of the public project, although they should now be private, are still reachable through search APIs. I set the severity as "medium" and not "high", because any new action over the project issues...
Razer: Cookie based XSS on http://ftp1.thx.com
The ftp1.thx.com server, typically only used by THX employees and vendors, was subject to a minor XSS vulnerability. Razer thanks the tester for his diligence and clear report...
Node.js third-party modules: [express-laravel-passport] Improper Authentication
I would like to report Improper Authentication in express-laravel-passport. It allows forging a user's identity. Module: module name: express-laravel-passport, version: 1.1.2, npm page: https://www.npmjs.com/package/express-laravel-passport. Module Description: You want a middleware support express get...