15275 matches found
GitLab: Path traversal, to RCE
Summary This one is similar to 732330 but much simpler. A path traversal issue in the GitLab package registry API allows an attacker to write any file at any location writable to user git on a GitLab server. Steps to reproduce 1. Enable package registry in your GitLab instance. 2. Create a project...
OWOX, Inc.: The URL in "Choose a data source'' at "https://bi.owox.com/ui/settings/connected-services/setup/" is not filtered => reflected XSS.
Hi team, This is another report, separate from 732987, because it is completely independent. Detail -- In the process of selecting the data source at https://bi.owox.com/ui/settings/connected-services/setup/, I found a reflected XSS. Specifically, when you click on Google Analytics, a page will appear for y...
U.S. Dept Of Defense: CORS Misconfiguration Leads to Exposing User Data
Vulnerable Asset: https://██████/█████████/ Discovery: - Upon accessing the site we discover two specific response headers which indicate that a cross-domain request for sensitive information might be possible 1. Access-Control-Allow-Origin: injectable 2. Access-Control-Allow-Credentials: true -...
Clario: RXSS on thankyou.pixels.php (yapi.mackeeper.com)
Summary Reflected Cross-Site Scripting attack on the yapi.mackeeper.com domain. The problem is in the /billing/thankyou.pixels.php script, which passes the value of a vulnerable parameter directly into the HTML code of the page. Steps to reproduce...
OWOX, Inc.: Reflected XSS
Hi team, I have found an XSS at https://bi.owox.com/ui/6177527534dc114eb07fa829e4ce4d28/dashboard/?trial=activated Because the input is not properly filtered, XSS is executed. Vulnerable area: ----- 6177527534dc114eb07fa829e4ce4d28 The URL will now be:...
Nextcloud: Improper integrity protection of server-side encryption keys
The public keys used for the server-side encryption are not integrity-protected. These can easily be replaced by anyone who has access to the data at rest, even when the per-user keys are enabled, as described in https://nextcloud.com/security/threat-model/. This holds true for all key types -...
Mail.ru: Blind SQL Injection on news.mail.ru
Blind time based SQL injection in news.mail.ru due to insecure use of user-controlled GET parameter...
Ruby on Rails: The authenticity_token can be reversed and used to forge valid per_form_csrf_tokens for arbitrary routes
When per_form_csrf_tokens is set to true, each form should be protected against CSRF with a unique token that is not predictable by an attacker. The per_form_csrf_token is generated using an HMAC-SHA-256 with a key that is exposed in a reversed authenticity_token. The authenticity_token is a Base64 encoding ...
Clario: RXSS on /landings/123.1/index.php (mackeeperapp.mackeeper.com)
Summary Hi! I found a Reflected Cross-Site Scripting attack on mackeeperapp.mackeeper.com via the /landings/123.1/index.php endpoint. Steps to reproduce...
Clario: RXSS on landings/land/3/ron_clean_17_app3_alerts/index.php (mackeeperapp3.mackeeper.com)
Summary Reflected Cross-Site Scripting attack on mackeeperapp2.mackeeper.com. The problem is in the /landings/land/1/roncleanprot17/index.php script, which takes any GET parameter and passes the value of this parameter directly into the HTML code of the page. Steps to reproduce...
Mail.ru: An implementation flaw in Mail.ru can be exploited for DKIM signature spoofing and email spoofing
Domain, site, application -- https://e.mail.ru Quick note: this report is different from my previous report, Report 727233, and is not a policy configuration or enforcement issue either. TL;DR --------- This report discloses an implementation bug, which chains multiple features in the Mail.ru...
Clario: Reflected XSS (mackeeperapp2.mackeeper.com)
Summary Hi! I found a Reflected Cross-Site Scripting attack on mackeeperapp2.mackeeper.com. The problem is in the /landings/land/1/roncleanprot17/download.php script, which takes any GET parameter and passes the value of this parameter directly into the HTML code of the page. Also, don't forget for...
MobiSystems Ltd.: Firebase Firestore insecure database
Summary: The app is exposing a Firebase database URL that has no read/write protections. Steps To Reproduce: 1. Decompile the Android app 2. Do a string search for firebasedatabase 3. Use the project name, i.e. msdict-dev, in combination with the Firestore REST API to modify the database. Supportin...
Starbucks: Open Redirect on Greater Asia domains
l00ph0le discovered open redirects on a few out of scope Greater Asia domains. @l00ph0le — thank you for reporting this vulnerability and for confirming the resolution...
Clario: CORS Misconfiguration, could lead to disclosure of sensitive information (translate.kromtech.com)
Summary CORS Misconfiguration, could lead to disclosure of sensitive information on translate.kromtech.com Steps to reproduce In the PoC section we send an Origin: http://owmzuoswdxrx.com header and the server responds to us with Access-Control-Allow-Origin: http://owmzuoswdxrx.com and...
Clario: No rate limiting on password reset page
Summary https://account.mackeeper.com does not enforce rate limiting on the password-reset page. Because of this, an attacker can send huge amounts of requests to the server for changing the password. Steps to Reproduce 1. Go to the forgot password page and enter your email. 2. Turn 'Intercept on' in Burp...
Clario: XSS in https://mackeeper.com
Summary: XSS in https://mackeeper.com Vulnerable URL: https://mackeeper.com/mk/memory-cleaner/%3C/%3E'+alertdocument.domain%20// Vulnerable Parameter: "URL Path" Steps To Reproduce: Steps: Navigate to the Vulnerable URL Notice the pop-up...
VK.com: Stored XSS in m.vk.com/video
XSS in video...
Clario: CRLF Injection - http://stage-static-cdn.mackeeper.com/
Summary CRLF Injection - http://stage-static-cdn.mackeeper.com/ Steps To Reproduce In the rawRequest we have added '%0D%0Avirus:%20value'. In Burp Repeater copy and paste the rawRequest below. Notice the response with the header added ------rawRequest---------- GET /%0D%0Avirus:%20value HTTP/1.1...
Clario: CRLF Injection - http://stage.mackeeper.com/
Summary: CRLF Injection - http://stage.mackeeper.com/ CRLF injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty...
Node.js: HTTP header values do not have trailing OWS trimmed
I suspect I may have tagged the wrong vulnerability type - I'm failing to find "insufficient validation of user input". According to the HTTP spec, header values are field-value = field-content | LWS. http_parser does not appear to trim trailing LWS. This means if a user sends "Host: foo\r\n" the strin...
Node.js third-party modules: Filesystem Writes via `yarn install` via symlinks and tar transforms inside a crafted malicious package
I would like to report an arbitrary filesystem write vulnerability in Yarn when installing a malicious package from the default repositories. This vulnerability has the potential for RCE -- even if --ignore-scripts is disabled. It allows a malicious package, upon install, to write to any path on...
Node.js third-party modules: [npm-git-publish] RCE via insecure command formatting
I would like to report an RCE issue in the npm-git-publish module. It allows an attacker to execute arbitrary commands remotely on the victim's PC. Module: module name: npm-git-publish, version: 0.2.4-beta, npm page: https://www.npmjs.com/package/npm-git-publish Module Description: Share/publish private packag...
Node.js third-party modules: [gity] RCE via insecure command formatting
I would like to report an RCE issue in the gity module. It allows an attacker to execute arbitrary commands remotely on the victim's PC. Module: module name: gity, version: 1.0.5, npm page: https://www.npmjs.com/package/gity Module Description: A nice Git wrapper for Node. Module Stats: 3/4 downloads in the las...
Mail.ru: Account TakeOver through password recovery at am.ru
Insufficient protection allowed account takeover at am.ru via account recovery code bruteforcing Common flaws of SMS auth: https://blog.deteact.com/common-flaws-of-sms-auth/...
Genasys Technologies: Login Bypass to OTP Enumeration
Summary: If an attacker gets access to the victim's username or knows the email used for logging in to the application, he can bypass the login by enumerating the One Time Password. Steps To Reproduce: 1. Go to https://staging.genasystech.co.uk/d2c/ 2. Create an account, enter the relevant pin for...
Genasys Technologies: Ability to bypass social OAuth and take over any account [d2c-api]
Summary: An attacker is able to login to any email account that doesn't belong to him through using the OAuth functionality https://staging.genasystech.co.uk/d2c-api/v1/account/login/provider Steps To Reproduce: 1. Register an account with an email and verify it using the one time code that is...
Shopify: Stored XSS in private message
1. Open the customer function https://mosuan-img-src-x.myshopify.com/admin/customers 2. Click on the customer's email address F625957 3. Click the sent message on the current page F625959 Impact admin...
GitLab: Double linking causes XSS (but blocked by CSP on gitlab.com)
Summary URL display on Gitlab.com is currently broken. There is a risk of XSS due to double conversion of URLs into links. However, 12.5, which incorporates the fix, has not yet been released, and the XSS is blocked by CSP at gitlab.com. Steps to reproduce 1. Login to gitlab.com 2. Create new project 3. Create a...
VK.com: Sending gifts/sticker packs without spending votes.
Race-Condition...
Shopify: Shopify's SF and LA offices Dashboard Information disclosed via Public Gist
Hi Team, During my recon process, I found a public gist containing the Internal Information of the Shopify offices of LA and SF. The gist belongs to the Shopify employee - https://gist.github.com/runmad He is currently - Engineering Manager at Shopify LA Office Dashboard -...
GSA Bounty: Cache poisoning DoS to various TTS assets
I have recently come across a technique to force a Cloud Foundry app to return an HTTP 404 error when requesting any resource that contains cache-friendly headers. What this means is, if the Cloud Foundry app in question is behind a web cache like CloudFront or Cloudflare etc., it will possibly sto...
U.S. Dept Of Defense: [HTAF4-213] [Pre-submission] Unsafe AMF deserialization (CVE-2017-5641) in Apache Flex BlazeDS at the https://www.███████/daip/messagebroker/amf
The vulnerability was an unsafe AMF (Action Message Format) deserialization issue in Apache Flex BlazeDS, affecting the /daip/messagebroker/amf endpoint. Successful exploitation could allow an attacker to trigger a DNS lookup by sending a crafted AMF payload. The vulnerability was identified and...
Lark Technologies: [CSRF] No Csrf protection against sending invitation to join the team.
A Cross-Site Request Forgery CSRF vulnerability was found on a "Create Invite" endpoint, which could result in any users being added to a team by tricking another user to run this Proof of Concept. We thank @imrannisar for reporting this to our team...
U.S. Dept Of Defense: [HTAF4-213] [Pre-submission] CVE-2018-2879 (padding oracle attack in the Oracle Access Manager) at https://█████████
Description We were able to identify CVE-2018-2879 in Oracle Access Manager, used on https://██████ Link to the CVE: https://nvd.nist.gov/vuln/detail/CVE-2018-2879 This vulnerability is rated critical, and may allow an unauthenticated attacker with network access via HTTP to compromise Oracle...
Node.js third-party modules: [git-promise] RCE via insecure command formatting
I would like to report an RCE issue in the git-promise module. It allows an attacker to execute arbitrary commands remotely on the victim's PC. Module: module name: git-promise, version: 0.3.1, npm page: https://www.npmjs.com/package/git-promise Module Description: Simple wrapper that allows you to run any git...
Node.js third-party modules: [meta-git] RCE via insecure command formatting
I would like to report an RCE issue in the meta-git module. It allows an attacker to execute arbitrary commands remotely on the victim's PC. Module: module name: meta-git, version: 1.1.2, npm page: https://www.npmjs.com/package/meta-git Module Description: git plugin for meta Module Stats: 60 downloads in the...
Rocket.Chat: Clickjacking in the admin page
Summary: Hello Rocket.Chat, There is a clickjacking vulnerability in a very critical page which is the admin info page. For my installation, the URL https://penetrationtester.rocket.chat/admin/users was used for creating the PoC. Description: Clickjacking User Interface redress attack, UI redress...
U.S. Dept Of Defense: [HTAF4-213] [Pre-submission] XSS via arbitrary cookie name at the https://www2.██████/nssi/core/dot_stu_reg/Registration.aspx
The researcher identified a reflected cross-site scripting (XSS) vulnerability in the cookie name on the https://www2.██████/nssi/core/dot_stu_reg/Registration.aspx endpoint. The first cookie name was reflected on the page without sanitization. A proof of concept was demonstrated by setting a malicio...
Mail.ru: [pandao.ru] possibility to attach arbitrary phone number to account registered via social network
It was possible to attach an arbitrary unregistered phone number to an account registered via a different id, e.g. a social network id. This behavior can prevent the user from registering with his phone number and facilitate a phishing attack if the victim attempts to log in by phone number...
Yoti: [www.yoti.com] Wordpress user admin information disclosure
Summary This website uses the WordPress CMS, and the developer forgot to disable the link that exposes admin user information. By accessing this link, an attacker can get all usernames and other information of the admin users: https://www.yoti.com/wp-json/wp/v2/users ████ Admin user list: 1. ███████ 1. █████ ...
LY Corporation: Path traversal in filename in LINE Mac client
Initially, @hackerontwowheels and @renekroka discovered that by using a path traversal payload combined with to block out the file extension, arbitrary, pre-installed applications could be executed. It was not possible to provide additional arguments to these applications, however. The payload us...
Snapchat: Bypass Rate Limits on app.snapchat.com API Endpoint via X-Forwarded-For Header
An attacker can bypass the rate limiting in place at app.snapchat.com by setting the X-Forwarded-For header to 127.0.0.1 in POST requests to app.snapchat.com/storieseverywhere/downloadsms and several other endpoints. This bypasses the controls in place for this endpoint, which appears to have...
New Relic: [Bypass] Code injection to open redirect in https://insights.newrelic.com/accounts/2521182/dashboards/1026927
INTRODUCTION: Bypassing the mechanism that controls URL insertion, redirecting users to fake pages. STEPS: Payload: Add a dashboard note and insert malicious code. Code: Click the link to view the note detail: Impact: Redirecting users to malicious pages, stealing user information such as via fake scripts and user...
Slack: Header modification results in disclosure of Slack infra metadata to unauthorized parties
I found that the files.slack.com domain honors the X-Forwarded-Host header instead of the Host header. Although file.slack.com has host validation that returns 500 Internal Server Error when the host is not files.slack.com, I can bypass the validation by appending @ at the end of the host name. Also, the server wil...
GSA Bounty: HTTP Request Smuggling on https://labs.data.gov
Greetings, The application appears to be vulnerable to HTTP request smuggling due to a disagreement between the front-end and back-end servers, where the front-end server uses the Transfer-Encoding header to determine the content of the HTTP body, but the back-end server uses the Content-Length header,...
Mail.ru: HTTP-Response-Splitting leads to information disclosure (email, firstname, lastname) at https://tz.mail.ru
CRLF injection via GET parameters in tz.mail.ru Client-side vulnerabilities in tz.mail.ru are not currently covered by the Bug Bounty program...
Mail.ru: Open Redirect
Hello Team Mail.ru Open Redirect on http://aw.mail.ru/ There is an Open Redirect on http://aw.mail.ru/dynamic/auth/?forumreg= due to the application not checking the value passed by the user to the "forumreg" parameter. Users can be redirected to a malicious site PoC: Open Redirect...
Node.js third-party modules: Crash Node.js process from handlebars using a small and simple source
I would like to report a Denial of Service in handlebars. It allows an attacker to crash the Node.js process with a small and simple source. Module: module name: handlebars, version: 4.5.1, npm page: https://www.npmjs.com/package/handlebars Module Description: Handlebars.js is an extension to the Mustache...
Moneybird: IDOR in https://moneybird.com/user/accountant_company/edit(change company name)
Reporter found a way to change the name of an accountant company for which he didn't have permissions. We added extra checks to prevent this kind of Insecure Direct Object Reference bug...