U.S. Dept Of Defense: [█████] — DOM-based XSS on endpoint `/?s=`
Description GET parameter s is vulnerable to DOM-based XSS on endpoint /?s=. XSS affects all users and no authentication or login is required. Proof of Concept Visit the following URL for PoC: https://██████/?s=%27%3E%3Cscript%3Ealertdocument.domain%3C/script%3E █████████ Explanation This DOM-bas...
New Relic: Unsafe charts embedding implementation leads to cross-account stored XSS and SSRF
Hey team, I've discovered an improper user-input filtration issue at charts embedding herald.service.newrelic.com leading to both cross-account stored XSS and SSRF. There is an action Get chart link for some charts for instance, for the ones located at Mobile - Overview. F600887 After user clicks...
BlockDev Sp. Z o.o: Two-factor authentication (2FA) Bypass
Bypassing 2FA after activating it on the company forum...
Mail.ru: IDOR allows changing user information.
An IDOR vulnerability in skillbox.ru allowed to change arbitrary user's information...
Quantopian: Stored cross-site scripting in dataset owner.
Hi again. Another XSS this time. Summary: Unescaped chars in 'dataset owner' could be abused to store arbitrary javascript. Description: There is a 'dataset owner' field in new 'custom dataset dashboard' which contains unsanitized output. If attacker would modify his name, like first name '', the...
Uber: Reflected XSS on https://www.uber.com
The endpoint https://www.uber.com/en-NZ/blog/ is vulnerable to reflected XSS on the URL path...
Liberapay: Full Path disclosure on 500 error
On manipulating cookie + parameter: gitHub 500 error returned with path disclosing of Python Files. Error Below: Traceback most recent call last: File "/opt/python/run/venv/local/lib/python3.6/site-packages/statechain.py", line 328, in loop newstate = functiondeps.askwargs File...
U.S. Dept Of Defense: Information disclosure by clicking on the link shown in http://████████/
Description: Looking at some subdomains using aquatone I noticed http://█████/ I clicked it and then started navigating the page, if I go to this link: https://█████████/██████████wireframes/admin/round12/tsp0-awarded.html it is completely valid and shows some information that I'm unsure it shoul...
Shopify: StoreFront API allows for a brute force attack on customer login by not timing out ALL attempts
It seems that the service used for login purposes could be brute forced. The system fails when the password is incorrect; after some unsuccessful attempts the following message is shown: "data":"customerAccessTokenCreate":null,"errors":"message":"Login attempt limit exceeded. Please try again...
Uber: Subdomain takeover on mta1a1.spmail.uber.com
A dangling AWS record on mta1a1.spmail.uber.com allowed a complete DNS zone takeover, giving an adversary access to mta1a1.spmail.uber.com-scoped cookies and CORS, which could facilitate phishing attacks. Thanks again, @0x3c3e! It's so called IP-use-after-free attack. I was able to obtain an IP...
Automattic: Stored XSS vulnerability in comments on *.wordpress.com
Summary: The SyntaxHighlighter plugin used in the comments section of .wordpress.com sites is vulnerable to stored XSS via a crafted payload. Platforms Affected: .wordpress.com SyntaxHighlighter is also an open source plugin which is affected by this vulnerability:...
HackerOne: Disclosure of `payment_transactions` for programs via GraphQL query
Summary: payment transactions count of programs exposed Description: payment transactions details can only be accessed by program team members, but there is a flaw with which an unauthorized user can get the payment transactions count of any program. I have confirmed only with a public program. Steps T...
HackerOne: Team object in GraphQL disclosed of private programs via the industry
Summary: Disclosure of private programs across the industry. If the program is private, it will show industry. Steps To Reproduce "query": "query teamhandle:\"█████████\"id,industry" "data":"team":"id":"█████████","industry":"Computer Hardware \u0026 Peripherals" "query": "query...
Mail.ru: Account Takeover at vseapteki.ru
Insufficient protection against SMS code bruteforcing allowed account takeover in vseapteki.ru Common flaws of SMS auth: https://blog.deteact.com/common-flaws-of-sms-auth/...
U.S. Dept Of Defense: Internal IP Address Disclosed
Target Url https://███████/███████/static/pubsite/js/main-header-dropdown.js?ver=0.87 Summary Hello, I found an internal IP address disclosure in the page. Description: Extracted IP address: ████████ extracted port: ██████ place where I found it: var logoutUrl = 'https://██████:███/█████/logout'...
LY Corporation: Get-based SSRF limited to HTTP protocol on https://resizer.line-apps.com/form
A SSRF in the resizer's /form endpoint allowed for leaking HTTP protocol based information from our internal network. The vulnerability could be used to scan ports and get service banners like SSH versions etc, but it was also possible to leak images available on the internal network. If an...
curl: use after free in cookie.c
I ran fuzzing with the internal fuzzer at https://github.com/pauldreik/curl-fuzzer/blob/paul/localfuzzpublic0/intreefuzzer/src/insidefuzzers/fuzzcookies.cc It seems like the following sequence of events triggers the use after free: c #include "cookie.h" #include curl_global_init(CURL_GLOBAL_DEFAULT); CURL...
Ruby: Variant of CVE-2013-0269 (Denial of Service and Unsafe Object Creation Vulnerability in JSON)
During my recent keyword argument separation work on rb_scan_args in the master branch, I discovered what I now think is a vulnerability. While the CVE-2013-0269 change fixed most usage of JSON.parse, it ended up not fixing Kernel#JSON. The reason behind this is that internally, in...
Razer: [pay.gold.razer.com] Stored XSS - Order payment
The tester discovered that the pay.gold.razer.com site suffered from a Stored XSS issue that could be used to steal a client id and key. The tester worked with team to provide multiple POCs to help them resolve the issue. Razer appreciates all the assistance from corraldev, which was above and...
Mail.ru: RCE Jira(CVE-2019–11581) [my-com.atlassian.net]
Hello, Summary I found the domain my-com.atlassian.net is vulnerable to RCE Jira (CVE-2019-11581) via the contact admin function POC - on page https://my-com.atlassian.net/secure/ContactAdministrators!default.jspa - use payload on Subject & Request details...
New Relic: Stored XSS at Mobile (Versions tab)
Hey team, I've discovered stored XSS rendered at Mobile inside the Versions tab working at least at latest Safari and latest Chrome MacOS. Steps to reproduce: 1 Sign into Mobile with some account which can edit the mobile applications 2 Navigate to some active mobile app, then go to Settings -...
Internet Bug Bounty: A reflected XSS in python/Lib/DocXMLRPCServer.py
I have reported this issue to PSRT and it has been resolved now. Details about this issue are at https://bugs.python.org/issue38243 and https://vulners.com/cve/CVE-2019-16935 Impact It's the same as other xss...
curl: SSRF via maliciously crafted URL due to host confusion
Summary: Curl is vulnerable to SSRF due to improperly parsing the host component of the URL compared to other URL parsers and the URL living standard. POC curl -sD - -o /dev/null "http://google.com:80\@yahoo.com/" Curl makes a request to yahoo.com instead of google.com. Supporting...
ForeScout Technologies: DOM XSS at www.forescout.com in Microsoft Edge and IE Browser
Summary: I've found a DOM-based XSS on the homepage Steps To Reproduce: 1. Go to this url and you'll see an alert pop https://www.forescout.com/ But this will work only on ME/IE browsers because Chrome and Firefox encode the URL hash by default. And the vulnerable code is directly in your source code...
pixiv: Reset any password
Summary: When I try to reset the password, the verification code of the mailbox is 6 digits, and there is no limit on the number of submissions, so I can reset the password of any user. Steps To Reproduce: 1.input the email reset password url. F595146 click the "submit" button F595147 input the...
Mail.ru: JMX RMI command injection on 195.211.131.82(Mail.ru Gaming)
Externally available Jolokia interface in Mail.Ru Gaming network allowed JMX RMI command injection. Command injection in Jolokia JMX. Reading the docs helps. A lot. Also, having good friends who can help you when you need it:...
GitLab: View the Starred Projects in a Private Profile
Summary It is possible to view the starred Projects in a private profile. Consider my profile for instance, https://gitlab.com/maruthi-adithya . This is a private profile and none of my account-related information should be leaked. However, https://gitlab.com/users/maruthi-adithya/starred.json...
People Interactive: Origin IP found, Cloudflare bypassed
The vulnerability allowed non-Cloudflare IP addresses to access the origin servers, bypassing Cloudflare's protection and potentially exposing the servers to unfiltered attacks and data retrieval...
IBM: SQL Injection and plaintext passwords via User Search
An identified SQL Injection vulnerability was reported to IBM found within an IBM asset. It has been analyzed and resolved. We thank xyantix for reporting this vulnerability...
Bumble: SSO through odnoklassniki uses http rather than https
SUMMARY When using single sign-on through odnoklassniki, the user is sent to an http (non-https) URL, allowing an attacker under some conditions to log in to the victim's Badoo account by stealing odnoklassniki credentials, as well as to execute a CSRF attack on the log-in form. RECOMMENDATION Let...
Ubiquiti Inc.: RCE in AirOS 6.2.0 Devices with CSRF bypass
There are certain end-points containing functionalities that are vulnerable to command injection. It is possible to craft an input string that passes the filter check but still contains commands, resulting in remote code execution. These vulnerabilities can also be paired with other e...
Mail.ru: Information disclosure with sensitive data
Apache server status was available at touch.mail.ru, leaking some requests information...
Razer: Subdomain takeover at ftp.thx.com
The tester discovered the ftp.thx.com server was vulnerable to a subdomain takeover. This server is only used by internal parties so risk was minimal but THX appreciates the report...
Node.js third-party modules: [treekill] RCE via insecure command concatenation (only Windows)
I would like to report an RCE issue in the treekill module. It allows executing arbitrary commands remotely inside the victim's PC Module module name: treekill version: 1.0.0 npm page: https://www.npmjs.com/package/treekill Module Description treekill process and all its children and child...
Node.js third-party modules: [node-df] RCE via insecure command concatenation
I would like to report an RCE issue in the node-df module. It allows executing arbitrary commands remotely inside the victim's PC Module module name: node-df version: 0.1.4 npm page: https://www.npmjs.com/package/node-df Module Description node-df abbreviation of disk free is a cross-platform...
Node.js third-party modules: [yarn] yarn.lock integrity & hash check logic is broken
I would like to report a vulnerability in yarn. It allows to pollute yarn cache via a crafted yarn.lock file and place a malicious package into cache under any name/version, bypassing both integrity and hash checks in yarn.lock so that any future installs of that package will install the fake...
Mail.ru: Information Disclosure [ https://curious.ru/api/submissions ]
API endpoint at curious.ru disclosed e-mails of subscribed users...
Roblox: Insecure redirect rule results in bypassing ban redirect on certain pages
Description Account bans on Roblox work via redirect rules. If a user attempts to go to a page that's outside a whitelisted set of rules, they'll be redirected back to the ban page. After researching, I've found that the following rules are whitelisted and bypass this redirect: - Any URLs ending in...
GitLab: No redirect_uri in the db for web-internal clientKey leads to one-click DoS on gitter.im
Summary In the oauthclients collection of the default gitter installation, there's no value registeredRedirectUri in the database for the web-internal clientKey. The request to /login/oauth/authorize?response_type=code&client_id=web-internal&redirect_uri=http://whatever causes the app to crash when tryi...
Razer: DOM XSS at https://www.thx.com in IE/Edge browser
Summary: I just recently found an easily exploitable DOM XSS vulnerability because of the https://www.thx.com/assets/plugins/ultimate-social-media-icons/js/custom.js?ver=5.2.3 js file Steps To Reproduce: First I want to say this is the vulnerable code function sfsimobilewechatshareurl if...
Razer: Accessible Druid Monitor console on https://api.pay-staging.razer.com/
The tester discovered a monitoring application was available on a remotely accessible administrative console in the Razer Pay staging environment, which could have been used to leverage information that could have compromised the server. The Razer Pay team removed this and other similar servers...
Razer: Unauthenticated access to sensitive user information
The tester discovered that a THX server known primarily to THX employees was exposing several hundred records containing customer email addresses and in very few cases, a personal name. No other information was revealed. This issue was fixed shortly after the report. We appreciate @smalien's...
Razer: Payment PIN Verification Bypass
The tester originally reported a PIN bypass in the Razer Pay MY client and provided a video POC which was very helpful. This was fixed in client version 2.11. Razer Fintech appreciates the tester's assistance and patience helping us resolve this issue...
Razer: DLL Hijacking in Synapse 2 CrashSender1402.exe via version.dll
The tester determined that the Synapse 2 installed executable CrashSender1402.exe was subject to a DLL hijacking vulnerability. As this was no longer supported by the third party provider, Razer decided to remove this executable from future versions of Synapse 2...
Razer: 2FA doesn't work in "https://insider.razer.com"
Hello, I found a 2FA bypass vulnerability in https://insider.razer.com and I found this feature not working at all after enabling 2FA. Please follow the below steps to reproduce the issue Steps to reproduce 1. Login to https://insider.razer.com with your credentials. 2. Next, go to Two-Step...
Node.js third-party modules: [tree-kill] RCE via insecure command concatenation (only Windows)
I would like to report an RCE issue in the tree-kill module. It allows executing arbitrary commands remotely inside the victim's PC Module module name: tree-kill version: 1.2.1 npm page: https://www.npmjs.com/package/tree-kill Module Description Kill all processes in the process tree, including t...
Starbucks: India - An Insecure Direct Object Reference (IDOR) allowed unauthorized access to view card index number and monetary balance
mrintrusionist discovered an Insecure Direct Object Reference IDOR which affects the https://card.starbucks.in/StarbucksMSRModule/starbucksGetCardData.do endpoint through the cardId parameter. This allowed an authenticated, but unauthorized user to iterate cards and view the balance...
Mail.ru: Race condition when purchasing prizes with points
Good afternoon! Description A race condition vulnerability was found on delivery-club.ru when purchasing with points. Purchase requests go through before the points are deducted. This makes it possible to buy several items without spending points on them. Testing I had 105 points in my account...
Shopify: Unauthenticated read and write access to ALL endpoints of a store is possible for removed staff members who had "Apps" permission
Technical Background ===================== Shopify Apps need an access token to work with the data of a store. It is very important to keep this token in a secure place. Quoting the Shopify Blog: ... this is like a password into this shop, so you'll want to store this token in a very safe place...
Lark Technologies: Reflected XSS on Lark Suite
A reflected cross-site scripting (XSS) vulnerability was found at the Lark Suite log-in endpoint via the redirect_uri parameter which could have potentially allowed an attacker to inject malicious code. We thank @jin0ne for reporting this to our team and confirming the resolution...