PayPal: Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password
A bug was identified whereby sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation. In certain cases, a user must solve a CAPTCHA challenge after authenticating. When the security challenge is completed, the authentication request is replayed to log in. The...
Bumble: Reflected XSS
The researcher has found an XSS when sending messages through our service...
Picsart: User account compromised authentication bypass via oauth token impersonation
OAuth token impersonation is actually a bug: when a 3rd-party company app or malicious app collects the access token of the same user, that company can access the user's account on PicsArt. The condition is that the user needs to have authorized both PicsArt and the malicious app with the same Facebook or Googl...
Algolia: Information disclosure via a misconfigured third-party product
The researcher identified a misconfiguration in a third party product that could have been used to retrieve information about Algolia users. We fixed the issue and worked with the provider of the third party product who confirmed that this vulnerability had not been exploited. Disclosure of all...
Stripo Inc: Able to change password by entering wrong old password
Vulnerability Name: Able to change password by entering wrong old password. Description: The password change mechanism which is located at https://my.stripo.email/cabinet//profile is insecure as the password can be changed without knowing the old password. Any unauthorized user can access the...
Zomato: HTML Injection @ /[restaurant]/order endpoint.
The following payloads were used to bypass the WAF and perform XSS: Basic payload but did not work on all browsers: html " Payload worked on all browsers, but needed a right-click to be executed: html "XSS...
Mail.ru: allods.mail.ru sql injection
SQL injection in allods.mail.ru due to insecure use of externally controlled GET parameter...
Yoti: Multiple Vulnerabilities in (*www.yoti.com) - Leads to Leakage user admin Sensitive Exposure
Summary: Hi! Team @yoti, we found multiple vulnerabilities in your websites: username admin login sensitive exposure. All sensitive exposure found using Shodan. Platforms Affected: website. https://185.116.54.11/wp-json . https://185.116.54.11/wp-json/wp/v2/users POC Supporting Material/References...
Stripo Inc: No length on password
Hey, when I tried to set the password while creating an account I noticed that you haven't kept any password limit. You need to decrease the password length: There are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource consumption on behalf of...
Stripo Inc: SSL cookie without secure flag set
Issue background If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then t...
Stripo Inc: SSRF in /cabinet/stripeapi/v1/siteInfoLookup?url=XXX
Summary: SSRF vulnerability allows mapping the internal network. Steps To Reproduce: It is possible to run internal requests with the siteInfoLookup service. GET /cabinet/stripeapi/v1/siteInfoLookup?url=http://10.0.0.100:8080 HTTP/1.1 Host: my.stripo.email Based on the response we know if the ip ...
Shopify: XSS on product comments in transfers
Summary: You are able to copy and paste stored XSS code into the comment section of a product in the transfers tab and receive the error. Reproduce: 1. Create a product with the name '"'' 2. Add a transfer with that product 3. Now go back to the product, use the code button and type the same code...
Open-Xchange: SSRF - Office Documents - Image URL
Through /api/oxodocumentfilter?action=addfile endpoint it is possible to insert images into documents. Handling of this request in source code is implemented here: office/com.openexchange.office.rest/src/com/openexchange/office/rest/AddFileAction.java One of options is to insert an image by...
Mail.ru: [https://seosan.io] Account owner disclosure
seosan.io could unintentionally disclose the account owner's name by e-mail during the access recovery procedure. seosan.io has reached its end of life and is no longer available...
Stripo Inc: subdomain takeover at status0.stripo.email
Hi, the subdomain status0.stripo.email was pointed at uptimerobot.com while it was not being used, but had a CNAME record to stats.uptimerobot.com. Hence anyone could take it over. I have parked it with a test account on uptimerobot.com. F634639 F634636 Thanks. Impact: Anyone can use this subdomai...
Stripo Inc: Clickjacking on my.stripo.email for MailChimp credentials
Clickjacking is a malicious hacking technique where attackers can acquire sensitive data. Through simple social engineering techniques these links can be sent out to unsuspecting customers to steal their credentials or perform actions on their accounts. For this example I saw that when I go to...
Stripo Inc: Redirection through referer tag
Summary: I replaced the referer value https://stripo.email/de/ with www.google.com and it worked; it redirected me to google.com. Steps To Reproduce: 1. Open URL https://stripo.email/de/subscribe/ 2. Intercept with BurpSuite 3. Change the parameter value of referer and insert any domain you want i...
Clario: Account verification bypass on translate.kromtech.com
Account verification bypass on translate.kromtech.com Summary: An account could be registered on translate.kromtech.com but the functionality returns "Access denied or Your user wasn't activated yet. ". But it's implemented in a strange way: every time we make a request that requires the user to be...
Clario: Bypass front server restrictions and access to forbidden files and directories through X-Rewrite-Url/X-original-url header on account.mackeeper.com
Summary: Normally a client can't access the /admin directory because of the front nginx server, which returns 403. But we can use X-Rewrite-Url or X-original-url because the back server processes these headers and the front server doesn't. Steps to reproduce: This request shows normal behavior curl -i -s -k -X...
Radancy: 'X-Forwarded-Host' key used in input without sanitation - possible cache poisoning
Domain and URL: maximum.nl Summary: The HTTP 'X-Forwarded-Host' is dynamically used in the application without sanitization, allowing an attacker control of the input key. This can allow for self-XSS, or when a CDN or caching service is deployed, risk the CDN caching the request and serving the...
Stripo Inc: Bypass email verification and create email template with the editor
Description: The main purpose of using Stripo is to create email templates with the editor that is available in the account, and you're not allowed to open it until you validate your email address. But by modifying the response, I was able to bypass the email verification. Steps To Reproduce:...
Open-Xchange: SSRF - Image Sources in HTML Snippets - 727234 bypass
This is about the incomplete fix for my recent bug 727234. In short, the /ajax/snippet?action=import endpoint allows creating HTML snippets. URLs of images are extracted from the HTML and their content is fetched and attached to the created snippet. For more details please see 727234. With the fix applied,...
Open-Xchange: SSRF - URL Attachments - 725307 bypass
This is about the incomplete fix for my recent bug 725307. In short, the /ajax/attachment?action=attach endpoint allows creating URL-based attachments. The content of the specified URL is fetched and used as the attachment body. For more details please see 725307. With the fix applied, the URL is validated befo...
Slack: Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies
Hi Slack Security Team! My name is Evan and I'm a first-time bug hunter on your platform. Because you guys were running a month-long bounty promotion I decided to take a little of my time and gently perform recon on your platform. Specifically, the area of interest I focus on is HTTP Request...
Clario: Affiliates - Session Fixation
SEVERITY: Medium LOCATION: https://affiliates.kromtech.com ISSUE DESCRIPTION: A user can use the same session token after logout. An attacker can repeat a request with a token that should have been marked as invalidated. PROOF OF VULNERABILITY: Request made after logout with the same cookie value. curl -i -s -...
Stripo Inc: Password token leak via Host header
Password token leak via Host header. Vulnerability Description: The token will be leaked by the server to the third-party site, and that token can be used by third parties to reset the password, take over the account and log directly into your account. Steps To Reproduce: 1. Send reset...
Stripo Inc: OLD SESSION DOES NOT EXPIRE AFTER PASSWORD CHANGE
Old session does not expire after password change. Description: On changing the password, both the session in which the user changes the password and old sessions in any other browser or device do not expire and remain active. STEPS TO REPRODUCE: 1. Log in to Browser A and make sure to check 'stay logged in ...
Nextcloud: SSRF protection bypass
CVSS: High 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Description: The filter that protects Nextcloud from SSRF can be bypassed using IPv6/IPv4 address embedding. SSRF protection is used, for example, in the calendar or dav apps. Successful exploitation of the issue will allow...
Starbucks: Bulgaria - Subdomain takeover of mail.starbucks.bg
nukedx discovered that the mail.starbucks.bg domain was pointing to a mail service from icn.bg and confirmed that icn.bg did not host this domain. nukedx successfully claimed the subdomain from icn.bg, configured login credentials through the web panel and set up a valid email server. nukedx then...
Mail.ru: IP address can be leaked on Image preview in ICQ for Android chat
Description: When an image from an external resource is sent to a user (in the Android version; I do not observe this problem in the web and Mac versions of the client), opening the image preview by the "victim" sends a request to the external server from the client's IP address. Reproduction: 1. Send the user a message with...
Node.js third-party modules: [authmagic-timerange-stateless-core] Improper Authentication
I would like to report Improper Authentication in authmagic-timerange-stateless-core. It allows forging a user's identity. Module: module name: authmagic-timerange-stateless-core version: 0.0.9 npm page: https://www.npmjs.com/package/authmagic-timerange-stateless-core Module Description: Stateless an...
U.S. Dept Of Defense: [HTA2] Authorization Bypass on https://██████ leaks confidential aircraft/missile information
Vulnerability description not provided...
MobiSystems Ltd.: open Firebase Database: msdict-dev.firebaseio.com
Summary: publicly available Firebase Database msdict-dev.firebaseio.com Steps To Reproduce: Version: Oxford Dictionary of English Free v11.1.511, in res/values/strings.xml: https://msdict-dev.firebaseio.com Accessing your Firebase Database via https://msdict-dev.firebaseio.com/.json returns null...
Razer: By blocking the redirect in /* the attacker is able to bypass authentication to see sensitive data such as game keys, emails, ...
The rsa3027.razersynapse.com server suffered a SQLi vulnerability which allowed write access to the server in the context of Cortex Deals. This allowed access to game key information from giveaways and emails of users who claimed these giveaways. This vulnerability was reported 11/12 and closed b...
LY Corporation: DOM-based XSS on mobile.line.me
The reporter found a DOM-based XSS affecting mobile.line.me, which could have resulted in an attacker gaining access to information about a user's mobile plans, usage and user details registered as part of their mobile subscription plan...
QIWI: [qiwi.me] Stored XSS
Stored XSS in the "wishlist" functionality with a bypass of the built-in WAF. https://twitter.com/ptswarm...
QIWI: IDOR allowing any wishlist to be edited
The Piggybox service had the ability to edit other people's wishlists using a specially crafted request. https://twitter.com/ptswarm...
QIWI: Leak of some access token
An error occurred when a quotation mark was supplied in the GET parameter userId: https://api.qiwi.me/social-networks/vk?userId=lc%27 The error contained the API token of the Piggybox application for the VKontakte social network...
Node.js: HTTP request smuggling using malformed Transfer-Encoding header
Please see the attached PDF for a writeup of this vulnerability. Impact Please see the attached PDF for a writeup of this vulnerability...
Rocket.Chat: Account takeover via XSS
Summary: By combining AutoLinker and Markdown an attacker is able to inject malicious scripts. Description: By combining AutoLinker and Markdown we can trick the parser into breaking out of the current HTML attribute. https://a?p= results in: html ." target="blank" rel="noopener noreferrer" "...
Trint Ltd: SSO bypass in zendesk using trint organization able to leak internal ticket information
Summary: Hello there. Because there's no email verification in app.trint.com, I was able to log in to your Zendesk SSO using your organization. Your organization uses the domain @trint.com; because there's no email verification I was able to read and take over + claim this email [email protected] and I was able to...
Clario: XSS in https://affiliates.kromtech.com
Summary XSS in https://affiliates.kromtech.com Vulnerable URL: https://affiliates.kromtech.com/monetize-mac-traffic/adgroup/affiliatefixhello%22%3Ehello/type/affiliate Vulnerable Parameter: "URL Path" XSS Payload: hello"hello Steps To Reproduce: Navigate to the Vulnerable URL Notice the pop-up...
Clario: Open Redirect at https://store.mackeeper.com/767/cookie via redirectto parameter
Summary Open Redirect via cookie script. Steps to reproduce https://store.mackeeper.com/767/cookie?affiliate=43960&redirectto=https://google.com...
Valve: [Portal 2] Remote Code Execution via voice packets
Description RCE can be achieved on other players via voice packets due to the lack of length validation when reading into a stack based buffer. POC 1. As the victim, invite the attacker into a game. 2. Wait until both players have loaded into the game. 3. Inject the following DLL into the attacke...
Automattic: Stored XSS in wordpress.com
Summary: Stored XSS as a comment or as a post body or title at https://wordpress.com/read/feeds/blogid/posts/postid https://yoursubdomain.wordpress.com using the payload: Click Here=/iframe Steps To Reproduce: - As a comment 1. Log in to wordpress.com 2. Choose a post from the feeds 3. Add a...
Smule: stored xss in https://www.smule.com
Hi team, I found a stored XSS in www.smule.com. Summary: The most damaging type of XSS is Stored XSS (Persistent XSS). An attacker uses Stored XSS to inject malicious content, referred to as the payload, most often JavaScript code, into the target application. If the...
Clario: RXSS on unsubscribe feature (affiliates.kromtech.com)
Summary: Reflected Cross-Site Scripting attack on the affiliates.kromtech.com domain. The problem is in the email parameter of the /unsubscribe script, which takes a GET parameter and passes its value directly into the HTML code of the page. Steps to reproduce...
Clario: Reflected XSS on stage.mackeeper.com
Summary: RXSS on https://stage.mackeeper.com/ ; the vulnerable parameter is guid. Steps to reproduce: Visit the following link:...
GitLab: Path traversal, to RCE
Summary: This one is similar to 732330 but much simpler. A path traversal issue in the GitLab package registry API allows an attacker to write any file to any location writable by the user git on a GitLab server. Steps to reproduce: 1. Enable the package registry in your GitLab instance. 2. Create a project...
OWOX, Inc.: The URL in "Choose a data source" at "https://bi.owox.com/ui/settings/connected-services/setup/" is not filtered => reflected XSS.
Hi team, this is a separate report from 732987, because it is completely independent. Detail: In the process of selecting the data source at https://bi.owox.com/ui/settings/connected-services/setup/, I found a reflected XSS. Specifically, when you click on Google Analytics, a page will appear for y...