Mail.ru: SSRF & LFR on city-mobil.ru
SSRF/LFR vulnerability via photo upload functionality of partner's cabinet of city-mobil.ru...
Mail.ru: SSRF & LFR on city-mobil.ru
SSRF/LFR vulnerability via photo editor functionality of partner's cabinet of city-mobil.ru...
Mail.ru: SSRF on fleet.city-mobil.ru leads to local file read
SSRF/LFR vulnerability via image retrieving functionality of operator's cabinet of fleet.city-mobil.ru...
BlockDev Sp. Z o.o: xmlrpc.php file is enabled; it can be used for Denial of Service and bruteforce attacks
xmlrpc.php file is enabled; it can be used for Denial of Service and bruteforce attacks...
BlockDev Sp. Z o.o: [blog.makerdao.com] Multiple Vulnerabilities - Lead to sensitive user/admin information exposure
blog.makerdao.com Multiple Vulnerabilities - Lead to sensitive user/admin information exposure...
Nextcloud: Bypassing Passcode/Device credentials
Assume the user has set "App passcode" to "Passcode/Device credentials". So whenever the user opens the app, it will prompt to unlock before accessing the app. Unfortunately there is an issue: an attacker is able to bypass the lock easily in two ways. Setup 1. Install the NextCloud app and log in. 2. Go to...
Mail.ru: [city-mobil.ru/taxiserv/] Disclosure information about drivers
IDOR vulnerability in city-mobil.ru allowed a partner account with superuser privileges to access data of drivers belonging to different partners...
New Relic: Disclosure of locally served nerdpacks due to nr-local.net CORS policy misconfiguration
Hey team, I've discovered that webserver which serves NR1 nerdpacks locally after nr1 nerdpack:serve is executed allows cross-origin requests from every subdomain of nr-ext.net. Since the nr-ext.net domain is used as a sandbox for user-supplied apps, an attacker can place there a malicious code...
Internet Bug Bounty: Two out-of-bounds array reads in Python AST builder (Re-opening 520612 with CVEs)
I'm re-submitting 520612 after getting CVEs issued, as instructed in an automated email from November 17th. Getting CVEs issued took a while, but here they are: - https://vulners.com/cve/CVE-2019-19274 - https://vulners.com/cve/CVE-2019-19275 Impact A service that takes Python snippets as payload...
Node.js: Remotely trigger an assertion on a TLS server with a malformed certificate string
Summary: Connecting to a NodeJS TLS server with a client certificate that has a type 19 string in its subjectAltName will crash the TLS server if it tries to read the peer certificate. Affected versions include v10.17.0 and v13.1.0. This is related to issue...
Nextcloud: SSRF on local storage of iOS mobile
The tester uploaded a text file containing a "test ssrf" message in order to prove the SSRF attack. 2. Next, the tester uploaded a common file and then manipulated the content and file extension to HTML format in order to find the application path: 3. The tester accessed that file and found the...
Mail.ru: [https://city-mobil.ru/taxiserv] IDOR leads to information disclosure
IDOR vulnerability for orders report allowed partner's superuser account to access information related to different partners...
Mail.ru: [panel.city-mobil.ru/admin/] Blind XSS into username
Blind XSS in admin/support panel of city-mobil.ru via partner superuser's name different from 746497...
Mail.ru: [https://city-mobil.ru/taxiserv] Blind XSS into username
Blind XSS in admin/support panel of city-mobil.ru via partner superuser's name...
Bumble: Leak of authorization urls leads to account takeover
The researcher was able to pass verification to another account by finding confirmation data in response from the server...
LY Corporation: SSRF on music.line.me through getXML.php
The reporter found an endpoint through which limited SSRF could be achieved. It was only possible to issue GET requests served over HTTPS. LFI was not possible. The maximum impact found for this issue was minor service disruption and/or limited information leakage...
Slack: DoS on the Direct Messages
In November 2019, @cyanpiny alerted us to a vulnerability that could have allowed an attacker to cause a denial of service for Slack users. We implemented a fix within weeks, and nothing further is required from users to be protected. Thank you to @cyanpiny for finding this!...
Kubernetes: Subdomain Takeover via Dangling NS records on Amazon Route 53 http://api.e2e-kops-aws-canary.test-cncf-aws.canary.k8s.io
Good day, I truly hope it treats you great on your side of the screen : I have found that your website http://api.e2e-kops-aws-canary.test-cncf-aws.canary.k8s.io is pointed via Name Server records to AWS route 53. These name server records have been deleted, I was able to create a matching zone...
Chaturbate: Camo Image Proxy Bypass with CSS Escape Sequences
Summary With CSS escape sequences it is possible to bypass CSS url detection and filtering. Details Users can use HTML tags in their Profile Bio in About Me and Wish List fields. Among other filtering and sanitization, image URLs are replaced by URLs on internal image proxy. For example, this...
Mail.ru: Boolean-based SQL Injection on relap.io
Boolean/error based SQLi in relap.io due to insecure use of GET parameters...
Ruby: Code Injection Bug Report
Good morning, I hope this message finds you well. On 22 November 2019, I emailed [email protected] about a Code Injection bug on cache.ruby-lang.org, as the ruby-lang.org website is considered out-of-scope on H1. On 24 November 2019 the bug was acknowledged and a patch released. This morning...
Grammarly: Unauthenticated users can access all food.grammarly.io user's data
Summary: The food.grammarly.io site uses the Meteor framework, which uses publications and methods to communicate between the backend and frontend. Although the site seems to require being authenticated as a Grammarly employee to use it, most methods and publications work without being...
Valve: Steam chat - trade offer presentation vulnerability
It was possible to construct a Steam URL that began with "/tradeoffer/new" and included valid partner and token information, but which was in fact an external link. The crafted URL would be treated by the Steam Chat UI as a trade offer and given special visual treatment...
HackerOne: Account takeover via leaked session cookie
Summary: You disclosed your session to me. Description: You gave me your session in the last report; I can use your session. Sorry ███ ████████ █████████ Impact HackerOne Staff Access, I can read all reports @security and more programs...
Internet Bug Bounty: Dragonblood: Design and Implementation Flaws in WPA3 and EAP-pwd
Full background information is at our website and detailed information can be found in our research paper. Vulnerability Summary First Disclosure Summarized, the Dragonfly handshake of WPA3 and EAP-pwd is supposed to prevent dictionary attacks. However, we discovered design flaws that still enabl...
U.S. Dept Of Defense: Unprotected ██████ and Test site API Exposes Documents, Credentials, and Emails in ██████████ Proposal System
Summary: The test/integration API of the █████ web services is publicly exposed: disclosing documents, emails, and credentials to what appears to be the Seaport Bid proposal system. Because I did not attempt any exploitation outside of that necessary to deem this a reportable issue, it is not cle...
Bumble: The login of Hot or Not is Vulnerable to bruteforce.
I was able to validate that the Login of Hot or Not is Vulnerable to BruteForcing. Steps to reproduce: 1. https://hotornot.com/signin 2. Use Burp intruder attack for BruteForcing 3. Send as many requests as you want. Fix: Proper mitigation of BruteForcing should be done using rate limiting etc...
Mail.ru: Account Takeover worki.ru
worki.ru had insufficient protection against SMS code bruteforce...
Razer: PHPInfo Page on www.razer.ru
The tester discovered a PHP page disclosing information on a server out of scope of the bounty program. This was a low impact information disclosure of PHP version information. We appreciate the tester bringing this to our attention...
GitLab: Steal private objects of other projects via project import
Summary An attacker could transfer issues and merge requests of another project to the imported project by importing a crafted GitLab export. Steps to reproduce 1. Import the attached tarball as a GitLab export. 2. Check the issues page of the imported project. You will see a private issue created by...
Mail.ru: IDOR of users
IDOR vulnerability in the worki.ru API allowed requesting information on job seekers / employers without any imposed limits...
U.S. Dept Of Defense: Firewall rules for ████████ can be bypassed to leak site authors
Summary: ████ is a WordPress application that has several endpoints locked behind firewall, such as login screen and author names, but it can be bypassed. Description: By using additional slashes in the URL, I can bypass the firewall rules to display some WordPress information. Interestingly, the...
Bumble: Bruteforce password recovery code
Summary It's possible to bruteforce recovery code from SMS as iOS application doesn't have limits for incorrect inputs. I have tried 50+ different combinations until I reached code from SMS. Steps To Reproduce 1. Click "Use another option" on application startup view 1. Enter your phone number 1...
Starbucks: Hong Kong - Open Redirect on card.starbucks.com.hk
l00ph0le discovered that card.starbucks.com.hk was vulnerable to an open redirect due to improper parameter validation. @l00ph0le — thank you for reporting the original vulnerability and for confirming the resolution...
Moneybird: Pending MFA logins aren't immediately expired after a password change
Researcher found an issue with sessions not all being terminated when password is changed. The 2FA implementation was at fault in this scenario as the session was found to be active even after the password was changed and two-step verification was turned off...
Nextcloud: Improper confidentiality protection of server-side encryption keys
This vulnerability is related to the Improper integrity protection of server-side encryption keys vulnerability but leverages a different attack vector. While the previous attack broke the confidentiality of encrypted files because the public keys are not integrity-protected, this new attack brea...
Zomato: HTML injection leads to reflected XSS
The following payload was used to bypass the WAF: html "...
Evernote: Non-production Open Database In Combination With XXE Leads To SSRF
Summary: The Apache Hive database hosted on the IP ██████████ and open on port 10000 is open and vulnerable to XXE. By "open", I mean that the database can be accessed by anyone. Steps To Reproduce: Choose any database client that supports Apache Hive and also uses a specific client version...
Nextcloud: Downgrade encryption scheme and break integrity through known-plaintext attack
The idea behind the Server Side Encryption is that you can move your encrypted files to an external party without that external party being able to read or modify those files. Some time ago, Nextcloud switched from unauthenticated CFB cipher block mode to authenticated CTR cipher block mode in...
Mail.ru: Mail.Ru Email for Android: Injecting custom screen inside adding new account flow
Intent was implicitly invoked on account registration in the Mail.ru Mail application for Android, allowing screen content spoofing via a local application...
U.S. Dept Of Defense: idor on upload profile functionality
Vulnerable URL: https://██████████/███████ID/Common/EditOne/Person/accountid steps to reproduce: 1. Browse the image and click on the upload button 2. Capture this request in Burp Suite 3. Change the value of the 'personId' parameter to account2's accountid, please see screenshot1 4. Then go to account2, th...
Clario: Lack of HTTPS in service communications
Summary: Lack of HTTPS on the login page http://translate.kromtech.com/user/login Steps To Reproduce: http://translate.kromtech.com/user/login is a site that allows accessing it unencrypted, without an SSL/TLS certificate...
Clario: Unauthenticated Reflected Cross-Site Scripting on https://account.mackeeper.com/signin page
Summary Unauthenticated Reflected Cross-Site Scripting on https://account.mackeeper.com/signin page in the bundled parameter Steps To Reproduce XSS via GET Method HTTP Request: GET /signin?bundleId=wrtqvetcvcwtd%22%3e%3cscript%3ealert1%3c%2fscript%3eyozl9 HTTP/1.1 Host: account.mackeeper.com...
Clario: Reflected XSS
Summary Unauthenticated Reflected Cross-Site Scripting on https://account.mackeeper.com/signup page Steps To Reproduce XSS via GET Method HTTP Request: GET /signup?trtId=wrtqvetc%22%3E%3Cscript%3Ealert%27xss%27%3C%2fscript%3E&tvrnplhw1=1&vim67=1&gvce1=1 HTTP/1.1 Host: account.mackeeper.com...
Shopify: Shopify Stocky App OAuth Misconfiguration
@vulnh0lic noticed that a staff member without Apps permission was able to access the Stocky app. We determined that this was because of a bug in Stocky's OAuth authentication code, which allowed the user to be granted access to Stocky at the start of the OAuth process rather than the end. This...
LY Corporation: Request smuggling on admin-official.line.me could lead to account takeover
The reporter identified a request smuggling issue on admin-official.line.me TE.CL-type. The reporter clearly illustrated the impact without putting our users at risk or affecting the stability of our service. For this we would like to thank @shaolintw! This issue was the result of how our load...
Mail.ru: SSRF in filtering on relap.io
The Relap fetcher used to access external resources in the relap.io project was not properly isolated from the production networks, leaving potential for non-blind SSRFs. relap.io was in Ext.B scope at the moment of reporting...
Stripo Inc: Able to download any hosted content on AWS S3 bucket(stripo)
An AWS s3 bucket was found, with improper access controls, where all its contents could be downloaded. Steps to reproduce: 1. List contents of the bucket with: aws s3 ls s3://stripo 2. Download the hosted data with : aws s3 sync s3://stripo . Impact Any hosted data can be downloaded to an attacke...
Razer: Store Cross-Site Scripting - www.razer.ru
The tester discovered a stored XSS vulnerability on a Razer affiliated website. Although this server was not in scope, we appreciate the tester bringing this to our attention...
Mail.ru: IDOR in the per-domain user list on relap.io
IDOR in relap.io allowed users enumeration for domain...