HackeroneRecent

15275 matches found

Hacker One | added 2019/10/31 6:08 a.m. | 84 views

curl: SMB access smuggling via FILE URL on Windows

Summary: While CURL 7.62 parses URLs that have a ? parameter separator char after the fragment separator, the CURL urlapi code treats the path with the hash part as being the same one; this may cause problems on specific protocols that may have a security impact. On HTTP, an attacker may be...

AI score: 7.1 | Exploits: 0

Hacker One | added 2019/10/31 3:14 a.m. | 65 views

VK.com: Mini-vulnerability in link handling

A problem with link parsing. In 2013 there was a bug that allowed redirecting a user to a link when they clicked Like on a post. It was necessary to encode any link as an HTML entity such as & ; and after publishing, the post's markup immediately broke. Back then this seemingly harmless hole...

AI score: 6.9 | Exploits: 0

Hacker One | added 2019/10/30 5:35 p.m. | 16 views

Mail.ru: unauthorized access to add admin endpoint

Access to static page within media-poll.mail.ru admin interface was not restricted. Access to static page does not grant attacker the ability to perform any actions or access any sensitive information...

AI score: 3.6 | Exploits: 0

Hacker One | added 2019/10/30 5:21 p.m. | 36 views

Mail.ru: Account Takeover at worki.ru

One-time code reuse between registration and authentication, in combination with insufficient bruteforce protection, allowed account access via verification code bruteforce for worki.ru. Common flaws of SMS auth: https://blog.deteact.com/common-flaws-of-sms-auth/...

AI score: 3.8 | Exploits: 0

Hacker One | added 2019/10/30 4:51 p.m. | 88 views

Automattic: [IDOR] Attacker user can Approve/Decline AFK on the behalf of other users

Summary: Hi team, hope you are good. Missing proper authorization checks on the vulnerable request allow an attacker to approve/decline AFK of users on behalf of another user who is a member of another organization. This can be exploited simply by changing the responderuserid in the vulnerable...

AI score: 0.4 | Exploits: 0

Hacker One | added 2019/10/30 9:47 a.m. | 15 views

Open-Xchange: Unchecked URL in attachment datasource

Implementation of the com.openexchange.url.mail.attachment datasource does no validation of the url parameter. Any URL supported by Java's URLConnection can be read. Attached is an exploit which reads the /etc/hostname file from the sandbox server. Impact: Any URL supported by Java's URLConnection can be read...

AI score: 2.6 | Exploits: 0

Hacker One | added 2019/10/29 6:00 p.m. | 185 views

HackerOne: latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users

Mini information disclosure related to a team's internal comments/assign-group activity: the activity id and datetime are exposed. Steps: 1. As victim, create a sandbox team and create a report. 2. Add attacker as a participant for the report. 3. As victim, create some internal comments (team-only comments)/assign gro...

AI score: 0.3 | Exploits: 0

Hacker One | added 2019/10/29 3:37 p.m. | 98 views

Zomato: [www.zomato.com] Blind XSS on one of the Admin Dashboard

Thanks for the report @pandaaaa. The Blind XSS fired when the order details were viewed by the admin at the back-end. The script was injected through an API endpoint from the Zomato app on one of the parameters which was recently introduced to provide special instructions to the restaurant on how...

AI score: 0.1 | Exploits: 0

Hacker One | added 2019/10/29 11:27 a.m. | 11 views

Central Security Project: OS Command Injection in Nexus Repository Manager 2.x -- Bypass for Nexus Repository Manager 2.14.15-01 Command Injection fix

https://support.sonatype.com/hc/en-us/articles/360033490774 An OS command injection vulnerability has been discovered in Nexus Repository Manager requiring immediate action. The vulnerability allows for an attacker with administrative access to nxrm to execute arbitrary commands on the system. We...

AI score: 0.8 | Exploits: 0

Hacker One | added 2019/10/29 5:35 a.m. | 10 views

Uber: Change the rating of any trip, therefore change the average driver rating

The endpoint used for rating the driver did not correctly validate whether the trip corresponded to one made by the logged-in user; therefore, knowing the tripUUID, driverUUID and userId made it possible to change the rating of any trip. Attack scenario: a bad driver with poor ratings and programming skil...

AI score: 1 | Exploits: 0

Hacker One | added 2019/10/28 11:36 p.m. | 40 views

Internet Bug Bounty: Tcpdump before 4.9.3 has a buffer over-read in print-dccp.c:dccp_print_option() (CVE-2018-16229)

Tcpdump before 4.9.3 has a buffer over-read in print-dccp.c:dccp_print_option(). This vulnerability was disclosed to the tcpdump maintainers and was fixed in version 4.9.3 and disclosed as CVE-2018-16229. I was credited with finding and disclosing this vulnerability:...

CVSS: 5 | AI score: 8.5 | EPSS: 0.11133 | Exploits: 0

Hacker One | added 2019/10/28 11:03 p.m. | 40 views

Internet Bug Bounty: Tcpdump before 4.9.3 has a buffer over-read in print-802_11.c (CVE-2018-16227)

Versions of tcpdump before 4.9.3 are vulnerable to a buffer over-read in print-802_11.c. This vulnerability was disclosed to the tcpdump maintainers and was recently patched in version 4.9.3 and disclosed as CVE-2018-16227. I was credited with finding and disclosing this vulnerability:...

CVSS: 5 | AI score: 8.4 | EPSS: 0.03505 | Exploits: 0

Hacker One | added 2019/10/28 9:38 p.m. | 53 views

Internet Bug Bounty: tcpdump: CVE-2018-14879 - buffer overflow in tcpdump.c:get_next_file()

The release of tcpdump 4.9.3 brought many bug fixes, including one I submitted, CVE-2018-14879. The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file(). ==2288==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe363769bf at pc...

CVSS: 5.1 | AI score: 9.2 | EPSS: 0.00998 | Exploits: 0

Hacker One | added 2019/10/28 7:11 p.m. | 118 views

Rocket.Chat: XSS (leads to arbitrary file read in Rocket.Chat-Desktop)

Description: Rocket.Chat allows administrative users to customize the home body. Since tags are removed, I think that running scripts should not be allowed. However, event handlers are not removed, allowing you to inject your own scripts. Releases Affected: Rocket.Chat-Desktop-Client: v2.15.5...

AI score: 2.6 | Exploits: 0

Hacker One | added 2019/10/28 6:37 p.m. | 110 views

curl: Race condition with CURL_LOCK_DATA_CONNECT can cause connections to be used at the same time

Summary: We've seen race conditions when using CURL_LOCK_DATA_CONNECT in libcurl where sometimes two different threads using two different easy handles end up sharing the same connection pointer at the same time. This causes UAFs and double frees when both threads are freeing items on the same...

AI score: 7 | Exploits: 0

Hacker One | added 2019/10/28 3:41 p.m. | 44 views

Ping Identity: Google Maps API key leaked during device pairing

Summary: Just by intercepting and going through the requests I made from ort-admin.pingone.com, I found that the Google Maps API key was leaking through a GET request. I was able to validate that the leaked key was a valid one. Steps To Reproduce: 1. Login to account, go to the setup tab, PingID device...

Exploits: 0

Hacker One | added 2019/10/28 1:00 p.m. | 184 views

Moneybird: Bypass password reset rate limit protection at moneybird.com/passwords

Attacker found a way to completely bypass our rate limit protection, allowing for other types of attacks. This involved changing the value of the X-Forwarded-For header. Attacker never got a 429 response from our servers when the value for each request is different. Injecting X-Forwarded-For :...

AI score: 1.7 | Exploits: 0

Hacker One | added 2019/10/27 6:21 p.m. | 112 views

Semrush: Code injection in https://www.semrush.com

INTRODUCES: - With a direct error on the homepage, it is easy to trick the victim into accessing a fake page from the attacker. STEP: Send URL with payload to victim:...

AI score: 6.8 | Exploits: 0

Hacker One | added 2019/10/27 1:52 a.m. | 18 views

Mail.ru: [api.pandao.ru] IDOR for order delivery address

API method in api.pandao.ru was not properly restricted and could be used to view delivery address information of arbitrary order...

AI score: 3.1 | Exploits: 0

Hacker One | added 2019/10/26 4:18 p.m. | 44 views

GitLab: Stored XSS in merge request pages

A stored cross-site scripting (XSS) vulnerability was discovered in GitLab merge request pages. An attacker could exploit this vulnerability by creating a merge request with a specially crafted branch name and tricking a user with insufficient permissions to view the merge request page. This could...

AI score: 5.4 | Exploits: 0

Hacker One | added 2019/10/26 9:18 a.m. | 77 views

Imgur: De-anonymization Attack: Cross Site Information Leakage

Dear Imgur Security Team, We are researchers at the IMDEA Software Institute in Madrid, Spain. We have been working on analyzing Cross-Site Browser Leaks (xsleaks) and building a tool for finding instances of it on target web sites. Recently we tested imgur.com and discovered a flaw that can affect...

Exploits: 0

Hacker One | added 2019/10/26 3:24 a.m. | 49 views

Razer: [IDOR] API endpoint leaking sensitive user information

Summary: Hi, the backend on the insider.razer.com website seems to be using XenForo. Some actions on the api.php have been left misconfigured by the developers, which leads to leaking of sensitive information. Steps To Reproduce: 1. Go to a random user's profile, say,...

AI score: 6.8 | Exploits: 0

Hacker One | added 2019/10/26 1:04 a.m. | 8 views

U.S. Dept Of Defense: [HTAF4-213] [Pre-submission] HTTPOnly session cookie exposure on the /csstest endpoint

The HTAF4-213 vulnerability involved the exposure of an HTTPOnly session cookie on the /csstest endpoint. The sensitive cookie information was reflected in the page's content, which should not have been accessible in the DOM...

AI score: 6.8 | Exploits: 0

Hacker One | added 2019/10/25 10:40 p.m. | 76 views

Razer: Reflected XSS at https://pay.gold.razer.com escalated to account takeover

Summary: Because the parameter err is injected into the body of the page without any sanitization, a victim could be tricked into visiting the page and getting their account stolen. Steps To Reproduce: 1. Visit the specially crafted url Firefox | IE11...

AI score: 0.4 | Exploits: 0

Hacker One | added 2019/10/25 10:00 p.m. | 14 views

U.S. Dept Of Defense: SQL INJECTION in https://████/██████████

Bug is: SQL injection in https://██████████/████████ via Referer. I've confirmed the vulnerability using sleep SQL queries with various arithmetic operations. The sleep command combined with the arithmetic operations will cause the server to sleep for various amounts of time depending on the resu...

AI score: 0.5 | Exploits: 0

Hacker One | added 2019/10/25 7:31 p.m. | 94 views

Mail.ru: Reflected XSS on https://go.mail.ru/search?fr=mn&q=<payload>

Reflected XSS via GET arguments in go.mail.ru...

AI score: 1.2 | Exploits: 0

Hacker One | added 2019/10/25 4:48 p.m. | 9 views

lemlist: Unrestricted File Upload on https://app.lemlist.com

Summary: Hi! I found an Unrestricted File Upload on https://app.lemlist.com which let me upload anything. File extensions such as .html and others should not be executed on the server side. Steps To Reproduce: (add details for how we can reproduce the issue) 1. Login to https://app.lemlist.com 2. G...

AI score: 7.1 | Exploits: 0

Hacker One | added 2019/10/25 12:14 p.m. | 63 views

Nextcloud: Bypass configured 2FA provider with another provider that can be set up at login

In Nextcloud 17 there is the possibility to set up 2FA providers at login. A missing check allows the following steps: 1. Enforce 2FA for all users. 2. As a user, configure a 2FA provider via settings or at login. 3. Log out. 4. Log in again (password only). 5. When prompted with the earlier set up provider,...

CVSS: 5.5 | AI score: 3.6 | EPSS: 0.00107 | Exploits: 0

Hacker One | added 2019/10/24 6:44 p.m. | 30 views

Mail.ru: Access to Tarantool

Access to the admin interface of a Tarantool host in the development/stage environment was not properly restricted, allowing Lua code execution...

AI score: 3.9 | Exploits: 0

Hacker One | added 2019/10/24 6:27 p.m. | 202 views

Internet Bug Bounty: CVE-2019-11043: a buffer underflow in fpm_main.c can lead to RCE in php-fpm

The vulnerability exists in php-fpm because of a missing bounds check in fpm_main.c. If the FastCGI variable PATH_INFO is empty, the underflow happens when the code tries to calculate the value of the path_info variable. An invalid pointer in path_info leads to a single byte out-of-bounds write, which...

CVSS: 7.5 | AI score: 8.1 | EPSS: 0.94053 | Exploits: 53

Hacker One | added 2019/10/24 5:52 p.m. | 10 views

8x8: Xss (cross site scripting) on http://axa.dxi.eu/

An older version of our ContactNow application did not adequately encode user input on the login page...

AI score: 1.6 | Exploits: 0

Hacker One | added 2019/10/24 5:08 p.m. | 24 views

8x8: Reflected XSS on http://axa.dxi.eu

An older version of our ContactNow application did not adequately encode user input on one of the micro service endpoints utilized by registration...

AI score: 3 | Exploits: 0

Hacker One | added 2019/10/24 4:54 p.m. | 11 views

8x8: [CRITICAL] Sql Injection on http://axa.dxi.eu

One of the micro service endpoints of the ContactNow application constructed a SQL query utilizing user provided parameters without utilizing a proper prepared statement...

AI score: 2.1 | Exploits: 0

Hacker One | added 2019/10/24 8:02 a.m. | 22 views

Razer: Information disclosure at http://sea-s2s.molthailand.com/status.php

The tester discovered a Razer Gold TH server was transmitting sensitive information without proper encryption, leading to a potential MITM attack. Razer thanks the tester for his diligence and the clear report/PoC...

AI score: 0.4 | Exploits: 0

Hacker One | added 2019/10/23 8:11 p.m. | 12 views

Khan Academy: Information can be changed without a password

If a user has access to a logged in session on Khan Academy, they are able to conduct a full account takeover. This is due to the fact that a new email address can be added to an account without a method of re-authentication. Once this email address has been added, the attacker can simply logout...

AI score: 0.3 | Exploits: 0

Hacker One | added 2019/10/23 7:42 p.m. | 24 views

Internet Bug Bounty: Buffer Overflow in smblib.c

Summary: In Squid 4.8, a local buffer overflow vulnerability exists in the SMB_Connect and SMB_Connect_Server functions of Squid's smblib.c, in which an attacker can achieve code execution that can result in the disclosure of credential hashes. This overflow is due to the SMB domain...

AI score: 7.5 | Exploits: 0

Hacker One | added 2019/10/23 12:07 p.m. | 230 views

Mail.ru: [iot-hackathon.geekbrains.ru] Tilda Subdomain Takeover

iot-hackathon.geekbrains.ru subdomain was delegated to tilda.cc service, which is vulnerable to takeover...

AI score: 2.5 | Exploits: 0

Hacker One | added 2019/10/22 4:44 p.m. | 193 views

Nextcloud: Docker image with FPM is vulnerable to CVE-2019-11043

The CVE-2019-11043 vulnerability can be exploited in the latest nextcloud:fpm image. This is due to the specific nginx configuration recommended for nextcloud: https://github.com/nextcloud/dockerbase-version---fpm...

CVSS: 7.5 | AI score: 0.2 | EPSS: 0.94053 | Exploits: 53

Hacker One | added 2019/10/22 4:39 p.m. | 22 views

Polymail, Inc.: [share.polymail.io] XSS when uploading a file to the server

Files uploaded to Polymail could contain javascript. This has now been mitigated and resolved...

AI score: 0.8 | Exploits: 0

Hacker One | added 2019/10/22 12:37 p.m. | 157 views

Infogram: LFI through the MySQL connection

Hello team! I've found a way to read Infogram's server local files through the MySQL connection. The problem is that you're using the LOAD DATA LOCAL feature with your MySQL client. This is how an attacker can easily send the server's local files to her/his database. I've successfully read the...

AI score: 7.3 | Exploits: 0

Hacker One | added 2019/10/22 12:06 p.m. | 90 views

Node.js third-party modules: Prototype pollution in dot-prop

I would like to report a parameter pollution in dot-prop. It allows an attacker to modify the prototype of a base object, which can vary in severity depending on the implementation (DoS, access to sensitive data, RCE). Module: module name: dot-prop, version: 5.1.1, npm page:...

CVSS: 7.5 | AI score: 0.3 | EPSS: 0.00764 | Exploits: 1

Hacker One | added 2019/10/22 3:15 a.m. | 101 views

U.S. Dept Of Defense: [Partial] SSN & [PII] exposed through iPERMs Presentation Slide.

Hello @deptofdefense, when performing reconnaissance, I came across a presentation slide that displayed live data, since the data is blocked out & is formatted as XXX-XX with the last 4 digits. The exposed data contains the following: UPC, Division/Brigade, Rank, Soldier Name, Last 4 digits of...

AI score: 0.9 | Exploits: 0

Hacker One | added 2019/10/21 10:54 p.m. | 32 views

Nextcloud: File-drop content is visible through the gallery app

I set up a file-drop on NC 17 (btw, according to https://nextcloud.com/security/ NC17 is not covered - but it should be once it's released!): created a folder, set share as upload-only. I access that folder as https://cloud.domain.com/s/randompath - fine: I get the upload interface and cannot see...

CVSS: 4 | AI score: 5.4 | EPSS: 0.00517 | Exploits: 0

Hacker One | added 2019/10/21 9:42 a.m. | 20 views

Starbucks: Norway - store.starbucks.no - CSRF on email change

moonlight323 discovered a Cross-Site Request Forgery (CSRF) vulnerability on store.starbucks.no. This vulnerability affected the functionality that allows a customer to change the email address associated with their account. By abusing this functionality, an attacker could potentially change the...

AI score: 2.6 | Exploits: 0

Hacker One | added 2019/10/20 11:52 a.m. | 24 views

Node.js third-party modules: [git-lib] RCE via insecure command formatting

I would like to report an RCE issue in the git-lib module. It allows executing arbitrary commands remotely inside the victim's PC. Module: module name: git-lib, version: 1.6.0, npm page: https://www.npmjs.com/package/git-lib. Module Description: A library that contains different methods to be consumed ...

AI score: 1.1 | Exploits: 0

Hacker One | added 2019/10/19 12:26 a.m. | 122 views

HackerOne: Reporter, external users, collaborators can mark sent swag awarded to reporter as unsent

An Insecure Direct Object Reference (IDOR) vulnerability allows the reporter, external users, and collaborators to mark sent swag that was awarded to the reporter as unsent. This may result in swag being sent multiple times. Proof of concept: Follow the steps below to reproduce the vulnerability. sig...

AI score: 0.6 | Exploits: 0

Hacker One | added 2019/10/18 11:24 p.m. | 115 views

HackerOne: Any user with access to program can resume and suspend HackerOne Gateway

An Insecure Direct Object Reference (IDOR) vulnerability is present in the UpdateGatewayProgramStateMutation that'd allow an attacker to suspend and resume the HackerOne Gateway feature for any program the user has access to. This includes any private programs that use the Gateway product and have ...

AI score: 0.8 | Exploits: 0

Hacker One | added 2019/10/18 12:33 a.m. | 144 views

Semrush: Open redirect in semrush.com

Summary: There is an open redirect on https://www.semrush.com/login/?redirectto=. By using /\ at the start of the link, you can bypass the open redirect filter. Description: An attacker can control the value of the "redirectto" parameter and make it redirect to a malicious endpoint. Steps To...

AI score: 6.8 | Exploits: 0

Hacker One | added 2019/10/17 10:16 p.m. | 49 views

Starbucks: WAF bypass via double encoded non standard ASCII chars permitted a reflected XSS on response page not found pages - (629745 bypass)

Summary: Report 629745 not properly resolved: "Many Starbucks websites are vulnerable to cross-site scripting on 404 pages because double quotes lack sanitizing in hidden input tags, which leads to JavaScript execution". Description: Report 629745 caught my attention, so I began testing the WAF t...

AI score: 6.3 | Exploits: 0

Hacker One | added 2019/10/17 7:13 p.m. | 7 views

GitLab: Domain Takeover - gl-canary.freetls.fastly.net

The domain gl-canary.freetls.fastly.net was whitelisted in Gitlab's Content Security Policy, allowing an attacker to bypass the CSP and execute malicious client-side code. This domain could be controlled from any Fastly account, potentially impacting other areas of Gitlab's application...

AI score: 7.2 | Exploits: 0

Total number of security vulnerabilities: 15275