HackeroneRecent

15275 matches found

Hacker One
added 2019/09/23 9:21 p.m., 59 views

Razer: Insecure Logging - OWASP (2016-M2)

The tester discovered that the Razer Pay Android application was storing user data locally on the phone in the clear. An adversary would need access to the phone to obtain this information. The application was patched to avoid storing this information in version 2.10...

AI score 2.7
Exploits 0
Hacker One
added 2019/09/23 8:50 p.m., 110 views

Mail.ru: worki.ru: SMS code bruteforce

The SMS code verification process in worki.ru was not sufficiently protected against a brute-force attack. Common flaws of SMS auth: https://blog.deteact.com/common-flaws-of-sms-auth/...

AI score 1.6
Exploits 0
Hacker One
added 2019/09/22 10:30 p.m., 55 views

New Relic: Mixed content issues on newrelic.com

Hi guys, I have found Mixed Content on https://newrelic.com/: Insecure endpoint http://newrelic.com/ that should be served over HTTPS. Description: Passive mixed content is content sent over HTTP that is contained on the HTTPS page, but which cannot change other parts of the page. For example, a...

AI score 6.8
Exploits 0
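The report above distinguishes passive from active mixed content. The following scanner is an added example (not code from the report or from New Relic) that parses a page served over HTTPS and flags every sub-resource that resolves to an http:// URL, classifying it the way browsers do: script, iframe, object and stylesheet references are active, images and media are passive. The sample page is constructed, not captured from newrelic.com.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Sub-resource attributes and how browsers classify an http:// value on an
# https:// page: "active" content can run script or restyle the page,
# "passive" content (images, media) cannot.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = []
        for (t, a) in ACTIVE:
            if tag == t and attrs.get(a):
                candidates.append(("active", attrs[a]))
        for (t, a) in PASSIVE:
            if tag == t and attrs.get(a):
                candidates.append(("passive", attrs[a]))
        # <link href> is active only when it is a stylesheet
        rel = (attrs.get("rel") or "").lower()
        if tag == "link" and "stylesheet" in rel and attrs.get("href"):
            candidates.append(("active", attrs["href"]))
        for kind, ref in candidates:
            absolute = urljoin(self.page_url, ref)   # relative and // URLs inherit https
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))


def scan(page_url, html):
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for pages served over HTTPS")
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page (not captured from newrelic.com)
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example.net/app.js"></script>
<script src="http://cdn.example.net/legacy.js"></script>
</head><body>
<img src="http://newrelic.com/images/logo.png">
<img src="/images/ok.png">
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan("https://newrelic.com/", SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```

Relative and protocol-relative references inherit the page's https scheme and are therefore not reported; only absolute http:// references are. A `Content-Security-Policy: upgrade-insecure-requests` header would make the browser rewrite these at load time, but the references should still be fixed at the source.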
Hacker One
added 2019/09/22 8:48 p.m., 96 views

Kartpay: bypass captcha in the forgot password form

Summary: In this issue I can bypass Captcha Protection in the Forgot Password form. Browsers Verified In: firefox url: https://affiliate.kartpay.com/ url vulnerable: https://affiliate.kartpay.com/forgotpassword Steps To Reproduce: 1-Enter your email in the forgot password parameter. 2-complet...

AI score 0.4
Exploits 0
Hacker One
added 2019/09/22 7:25 p.m., 681 views

Razer: Misconfigured s3 Bucket exposure

Found an S3 bucket that belongs to Razer and is not properly configured. Bucket name: http://rzimageupload.s3.amazonaws.com/ Bucket source: https://api.razer.com Steps to reproduce: 1. Go to https://api.razer.com and create a project. 2. In the project icon select an image from your computer. 3...

AI score 7
Exploits 0
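The report does not say which setting on the bucket was wrong, so the following is an added example (not Razer's or the reporter's code) of the check a practitioner runs first: inspect the bucket ACL for grants to the two AWS-wide groups, AllUsers and AuthenticatedUsers, and rank the exposure. The ACL documents are constructed in the shape that boto3's `get_bucket_acl` returns; the owner ID is a placeholder.

```python
# Group URIs AWS uses for public grants in bucket and object ACLs
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, no AWS account needed",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
READ_PERMS = {"READ", "READ_ACP"}


def public_grants(acl):
    """Grants on an ACL document that reach beyond specific accounts."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[uri], grant["Permission"]))
    return found


def assess(acl):
    """Worst exposure on the bucket ACL: world-writable > world-listable > none.
    READ on a *bucket* ACL means listing its keys; object bodies are governed by
    each object's own ACL and by the bucket policy."""
    grants = public_grants(acl)
    perms = {perm for _, perm in grants}
    if perms & WRITE_PERMS:
        verdict = "world-writable"
    elif perms & READ_PERMS:
        verdict = "world-listable"
    else:
        verdict = "none"
    return verdict, grants


# Constructed ACL documents; the owner ID is a placeholder.
OWNER = {"DisplayName": "bucket-owner", "ID": "0" * 64}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
MISCONFIGURED_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}
HARDENED_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("misconfigured", MISCONFIGURED_ACL), ("hardened", HARDENED_ACL)):
        print(name, assess(acl))
```

Against a live bucket the document comes from `boto3.client("s3").get_bucket_acl(Bucket=name)`. The ACL is only one of three places a bucket can be opened up: the bucket policy (`get_bucket_policy`) and the account and bucket Public Access Block settings must be checked as well, and the fix for an upload bucket is normally to keep it private and hand out pre-signed PUT URLs scoped to a single key.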
Hacker One
added 2019/09/21 9:55 a.m., 26 views

Omise: Signup with any email and enable 2FA without verifying email

Description: When I sign up, I can enable 2FA without verifying my email. Attack Scenario: 1. The attacker signs up with the victim's email. 2. Go to Two-factor authentication and enable 2FA. Impact: when the victim wants to register on this site, they can't, because their email is claimed by the attacker. an...

AI score 2.5
Exploits 0
Hacker One
added 2019/09/21 4:13 a.m., 98 views

Razer: Race Condition in OAuth 2.0 flow can let malicious applications create multiple valid sessions

The tester discovered a flaw in the Razer ID authentication system that could allow multiple access tokens. This was a minor issue but could theoretically have led to extended access due to unexpired tokens. Razer thanks the tester for their diligence. Here is a write-up for similar bug:...

AI score 1.2
Exploits 0
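The summary above says the flaw let one authorization produce several access tokens. The following is an added example, not Razer's code or the reporter's PoC, of the usual cause and its fix: an authorization code consumed with a separate check and delete can be exchanged by every request that reads it before the first delete lands, whereas a test-and-consume under a lock yields exactly one token. The store, the sleep that widens the race window and the client name are all assumptions for the demonstration.

```python
import secrets
import threading
import time


class NaiveCodeStore:
    """Authorization codes consumed with a separate check and delete.
    The gap between them is the race window: every exchange that reads the
    code before the first delete lands gets its own access token."""

    def __init__(self):
        self.codes = {}          # code -> client_id

    def issue(self, client_id):
        code = secrets.token_urlsafe(16)
        self.codes[code] = client_id
        return code

    def exchange(self, code):
        if code not in self.codes:           # 1. check
            return None
        time.sleep(0.02)                     # simulated DB round trip
        self.codes.pop(code, None)           # 2. delete
        return secrets.token_urlsafe(24)     # new access token


class AtomicCodeStore(NaiveCodeStore):
    """Test-and-consume under one lock; only one exchange can win."""

    def __init__(self):
        super().__init__()
        self._lock = threading.Lock()

    def exchange(self, code):
        with self._lock:
            client_id = self.codes.pop(code, None)
        if client_id is None:
            return None
        return secrets.token_urlsafe(24)


def race_exchange(store, code, attackers=8):
    """Fire `attackers` concurrent exchanges of one code; return how many tokens came back."""
    tokens = []
    start = threading.Barrier(attackers)

    def worker():
        start.wait()                       # all threads call exchange() together
        token = store.exchange(code)
        if token:
            tokens.append(token)

    threads = [threading.Thread(target=worker) for _ in range(attackers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(tokens)


def demo():
    naive = NaiveCodeStore()
    atomic = AtomicCodeStore()
    return {
        "naive": race_exchange(naive, naive.issue("evil-app")),
        "atomic": race_exchange(atomic, atomic.issue("evil-app")),
    }


if __name__ == "__main__":
    print(demo())   # naive: several tokens, atomic: 1
```

With a real database the lock is replaced by an atomic statement such as `UPDATE auth_codes SET used = 1 WHERE code = ? AND used = 0`, issuing a token only when the row count is 1; RFC 6749 section 4.1.2 additionally requires revoking tokens already issued on a code when that code is presented a second time.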
Hacker One
added 2019/09/21 1:46 a.m., 246 views

Razer: OTP token bypass in accessing user settings

The tester was able to determine that the OTP token used by Razer ID was not being properly verified against the specific user which would allow an adversary to replay their own OTP token against a different user. If the adversary also had been able to obtain the user's login and password through...

AI score 1.7
Exploits 0
Hacker One
added 2019/09/20 9:55 p.m., 33 views

Razer: Admin Management - Login Using Default Password - Leads to Image Upload Backdoor/Shell

The tester discovered an access control issue on a development server. Although this was not technically in scope of the bounty program and there was little risk to customer information, we granted an award as a token of appreciation for providing excellent PoCs and working with us on this...

AI score 2.3
Exploits 0
Hacker One
added 2019/09/20 12:36 p.m., 6 views

U.S. Dept Of Defense: Unauthenticated arbitrary file upload on the https://█████/ (█████.mil)

The vulnerability involved an unauthenticated arbitrary file upload on the https://█████/ █████.mil website. An unsafe upload endpoint at https://██████/upload.php was identified, where a test file was successfully uploaded. The uploaded file could be accessed at the internal path...

AI score 7.3
Exploits 0
Hacker One
added 2019/09/20 12:33 p.m., 5 views

U.S. Dept Of Defense: Unauthenticated arbitrary file upload on the https://█████/ (█████████)

The vulnerability involves an unauthenticated arbitrary file upload on the https://█████/ █████████ website. A test file was successfully uploaded to the /upload.php endpoint, and the uploaded file was accessible at the /delete.me path. This vulnerability could have led to consequences such as...

AI score 6.2
Exploits 0
Hacker One
added 2019/09/20 7:36 a.m., 99 views

Shopify: Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections

The following report intends to disclose a bypass for 416983. It's been found that removed staff members who had "Apps" permission can still modify flow app connection settings due to improper authorization. Description Signed URLs generated by Shopify Flow https://apps.shopify.com/flow use a...

AI score 0.3
Exploits 0
Hacker One
added 2019/09/20 2:53 a.m., 23 views

LY Corporation: Able to Become Admin for Any LINE Official Account

The reporter found an issue where abusing an IDOR would allow for an attacker to become an administrator of any LINE Official Account. This was due to an issue where the group ID could be extracted and/or easily guessed, combined with lack of authentication, leading to being able to craft a reque...

AI score 6.7
Exploits 0
Hacker One
added 2019/09/20 12:49 a.m., 41 views

New Relic: Host Header Injection

Reproduction: 1. Open the reset link https://login.newrelic.com/passwords/forgot 2. Enter the victim's email address and click Reset and Email Password 3. Intercept the HTTP request in Burp Suite and add an X-Forwarded-Host header with the value attacker.com/.newrelic.com; the link will be like...

AI score 7.2
Exploits 0
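The steps above poison the password-reset link through X-Forwarded-Host. The following is an added example (not New Relic's code) of the two ways a handler can build that link: one reads the host from request headers, so the attacker's value ends up in the email the victim receives, the other ignores X-Forwarded-Host entirely and only accepts a Host value from a configured allowlist. The allowlist entry, path and token are assumptions.

```python
from urllib.parse import quote

# Assumed canonical host for reset links; the real configuration is not on the page.
CANONICAL_HOSTS = {"login.newrelic.com"}


def reset_link_vulnerable(headers, token):
    """Builds the link from client-controlled headers, X-Forwarded-Host first.
    Whoever requests the reset chooses the domain the victim is sent to."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/passwords/reset/{quote(token)}"


def reset_link_hardened(headers, token):
    """Ignores X-Forwarded-Host; Host must match the configured canonical host.
    Better still is to not read the request at all and use the configured host."""
    host = headers.get("Host", "").split(":")[0].lower()
    if host not in CANONICAL_HOSTS:
        raise ValueError(f"refusing to build reset link for Host {host!r}")
    return f"https://{host}/passwords/reset/{quote(token)}"


# Constructed request headers as the attacker would send them
ATTACKER_HEADERS = {"Host": "login.newrelic.com", "X-Forwarded-Host": "attacker.com"}

if __name__ == "__main__":
    print(reset_link_vulnerable(ATTACKER_HEADERS, "t0k3n"))
    print(reset_link_hardened(ATTACKER_HEADERS, "t0k3n"))
```

When the application sits behind a reverse proxy, X-Forwarded-Host is only trustworthy if that proxy overwrites it on every request; the safest configuration is for the proxy to strip the header from clients and for the application to take the public host from its own settings, which is what frameworks mean by an ALLOWED_HOSTS or trusted-hosts setting.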
Hacker One
added 2019/09/19 4:29 p.m., 42 views

Nextcloud: Only the file extensions are checked, not the MIME types as configured

The tool is not working as hoped. File access control speaks of MIME types that are blocked or not blocked. In fact, only the file extensions are checked. If a user renames an unauthorized file to an allowed file, he can upload and download it. The MIME type of the current file is insignificant,...

CVSS 6, AI score 0.7, EPSS 0.0025
Exploits 0
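The report's point is that an extension check and a MIME check are different things: renaming a file defeats the first and not the second. The following is an added example, not Nextcloud's file access control code, that puts the two side by side: one consults only the extension, the other also sniffs the leading bytes and requires them to match what the extension claims. The signature table, the allowed extensions and the two sample files are constructed for the demonstration.

```python
import os

ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}

# Leading bytes of common formats (constructed table, not Nextcloud's own)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-dosexec"),
    (b"\x7fELF", "application/x-executable"),
    (b"PK\x03\x04", "application/zip"),
]
EXT_TO_MIME = {".png": "image/png", ".jpg": "image/jpeg", ".pdf": "application/pdf"}


def sniff_mime(data):
    """MIME type from the first bytes of the content, not from the name."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def allowed_by_extension(filename):
    """What the report describes: the extension is the only thing consulted."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def allowed_by_content(filename, data):
    """Extension must be allowed AND the bytes must be what the extension claims."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return sniff_mime(data) == EXT_TO_MIME[ext]


# Constructed samples: a genuine PNG header and a Windows executable renamed to .png
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, data in (("photo.png", REAL_PNG), ("payload.png", RENAMED_EXE)):
        print(name, "ext:", allowed_by_extension(name), "content:", allowed_by_content(name, data))
```

Magic bytes are a stronger signal than the name but not proof: polyglot files carry a valid image header followed by other content, so the content check should be paired with storing uploads outside any execution path and serving them with a fixed Content-Type and `X-Content-Type-Options: nosniff`.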
Hacker One
added 2019/09/18 9:54 p.m., 193 views

Zomato: Information Disclosure through Sentry Instance ███████

Hello team, I found a bug: sensitive information can be used by attackers to perform an attack on your server. I don't know if this is in scope, so I'm sorry if I'm wrong. Without spending your time, here are the steps how I found this bug: 1. Please use Burp Suite to reproduce the same result 2. I notice you...

AI score 0.6
Exploits 0
Hacker One
added 2019/09/18 5:32 p.m., 8 views

Kindred Group: [unibet.com] Delete messages via IDOR at /mom-api/messages/unibet_█████████@unibet/

==Below is the original, partially-redacted report== --------- Description: Hey team, I found an endpoint which is vulnerable to IDOR by which I can delete messages of any user without their interaction at all. But sadly I can't reproduce this issue for the time being as I don't have any spare...

AI score 6.5
Exploits 0
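Both this report and the LINE Official Account report above are object-level authorization failures: the endpoint verifies who the caller is (or, for LINE, not even that) but never whether the object named in the request belongs to them. The following is an added example, not Kindred's or LINE's code, of a delete handler before and after adding the ownership check; the message table and user names are constructed.

```python
class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def sample_messages():
    """Constructed data: message id -> owner and text (not the real schema)."""
    return {
        101: {"owner": "unibet_alice", "text": "hello"},
        102: {"owner": "unibet_bob", "text": "hi"},
    }


def delete_message_vulnerable(store, message_id, current_user):
    """Checks only that someone is logged in; any user can delete any id."""
    if current_user is None:
        raise Forbidden("login required")
    return store.pop(message_id, None) is not None


def delete_message_hardened(store, message_id, current_user):
    """Object-level check: the row must exist AND belong to the caller.
    Both failures answer NotFound so the endpoint is not an id oracle."""
    if current_user is None:
        raise Forbidden("login required")
    message = store.get(message_id)
    if message is None or message["owner"] != current_user:
        raise NotFound(message_id)
    del store[message_id]
    return True


if __name__ == "__main__":
    s = sample_messages()
    print("vulnerable, bob deletes alice's message:", delete_message_vulnerable(s, 101, "unibet_bob"))
    s = sample_messages()
    try:
        delete_message_hardened(s, 101, "unibet_bob")
    except NotFound:
        print("hardened, bob deleting alice's message: refused, rows left:", sorted(s))
```

With a database the same property is expressed in the query itself, `DELETE FROM messages WHERE id = ? AND owner = ?`, treating a row count of zero as not found; the point is that the owner predicate comes from the session, never from the request body or URL, and that unguessable ids are a defence in depth and not a substitute for the check.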
Hacker One
added 2019/09/18 11:57 a.m., 33 views

LY Corporation: Reflected XSS in OAUTH2 login flow

The reporter found a reflected XSS in the OAUTH2 login flow which could have allowed potential attackers to steal credentials or hijack accounts by sending a message to the victim containing a malicious URL...

AI score 6.2
Exploits 0
Hacker One
added 2019/09/18 9:34 a.m., 111 views

Semmle: Worker container escape lead to arbitrary file reading in host machine [again]

Summary: After a successful build, LGTM allows the user to view the file list. By default, only source code files and the build config files lgtm.yml and .lgtm.yml are kept. If both files are in the folder, LGTM will process the lgtm.yml file and skip .lgtm.yml, but it still keeps both files in...

Exploits 0
Hacker One
added 2019/09/18 9:20 a.m., 9 views

Mail.ru: Stored XSS on go.mail.ru

Page URI in search results output on go.mail.ru was not properly sanitized...

AI score 1
Exploits 0
Hacker One
added 2019/09/18 1:52 a.m., 16 views

curl: Potential invocation of qsort on uninitialized memory during cookie save

Summary: If cookiejar is set, cookies are written to a file at exit. That is done by the function cookieoutput in cookie.c. The cookies are sorted before being stored, using qsort on a temporary array. That temporary array is uninitialized, obtained from malloc at...

AI score 7
Exploits 0
Hacker One
added 2019/09/17 11:36 a.m., 23 views

U.S. Dept Of Defense: [CVE-2018-0296] Cisco VPN path traversal on the https://████████/ (█████████.mil)

The Cisco VPN vulnerability CVE-2018-0296 was discovered in an instance of https://████/ ██████.mil. The vulnerability allowed for path traversal, which could have been used to disclose sensitive information such as VPN sessions and files. The issue was addressed by updating to a patched version ...

CVSS 7.5, AI score 7.3, EPSS 0.94404
Exploits 18
Hacker One
added 2019/09/17 10:37 a.m., 661 views

Nextcloud: Exposing debug.log file leads to server full path disclosure

At the following address I found a debug.log file that discloses the application's full path on the server: https://nextcloud.com/wp-content/debug.log Impact: The server should not expose this log file, as it could help an attacker understand the environment, which may lead to further attacks...

AI score 1
Exploits 0
Hacker One
added 2019/09/17 7:31 a.m., 32 views

U.S. Dept Of Defense: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███)

The Pulse Secure SSL VPN was found to be vulnerable to multiple issues, including pre-authentication arbitrary file reading CVE-2019-11510 and post-authentication command injection CVE-2019-11539. These vulnerabilities were discovered and disclosed by security researcher Orange Tsai. The...

CVSS 10, AI score 9.2, EPSS 0.94462
Exploits 38
Hacker One
added 2019/09/17 7:06 a.m., 15 views

HackerOne: "Bounties paid in the last 90 days" discloses the undisclosed bounty amount in program statistics

Hi Team, Summary: I have found a bypass of this disclosed report: Know undisclosed Bounty Amount when Bounty Statistics are enabled. Description: When a program does not disclose how much bounty is paid for a particular report, but bounty statistics are enabled, then the undisclosed bounty amount can be...

Exploits 0
Hacker One
added 2019/09/17 3:52 a.m., 140 views

Nextcloud: WordPress Plugin Insert or Embed Articulate Content into WordPress Remote Code Execution (UNAUTHORIZED)

Because building the request in Burp Suite is complicated, I only use curl. 1. Create files index.html and index.php. index.html: Hello world. index.php: 2. Once created, put them into a .zip (COMPRESS). 3. LET'S UPLOAD. CURL: curl site.com/index.php/wp-json/articulate/v1/upload-data -F "name=NAMAFILE" -F...

AI score 0.6
Exploits 0
Hacker One
added 2019/09/16 4:36 p.m., 20 views

U.S. Dept Of Defense: [CVE-2018-0296] Cisco VPN path traversal on the https://████████/ (no hostname)

The Cisco VPN was vulnerable to a path traversal vulnerability CVE-2018-0296 that allowed an unauthenticated attacker to disclose sensitive information such as VPN sessions and user files...

CVSS 7.5, AI score 7.2, EPSS 0.94404
Exploits 18
Hacker One
added 2019/09/16 4:34 p.m., 23 views

U.S. Dept Of Defense: [CVE-2018-0296] Cisco VPN path traversal on the https://███████/ (██████)

The Cisco VPN was found to be vulnerable to a path traversal vulnerability CVE-2018-0296. The vulnerability allowed an unauthenticated attacker to access sensitive information such as VPN sessions and files...

CVSS 7.5, AI score 7.3, EPSS 0.94404
Exploits 18
Hacker One
added 2019/09/16 8:36 a.m., 23 views

U.S. Dept Of Defense: [CVE-2018-0296] Cisco VPN path traversal on the https://███████/ (████.███.mil)

The CVE-2018-0296 vulnerability was discovered in a Cisco VPN system. It allowed an unauthenticated attacker to perform path traversal and disclose sensitive information such as VPN sessions and user files. The issue was addressed by updating to a patched version that returned a 404 "File not...

CVSS 7.5, AI score 7.2, EPSS 0.94404
Exploits 18
Hacker One
added 2019/09/16 8:32 a.m., 27 views

U.S. Dept Of Defense: [CVE-2018-0296] Cisco VPN path traversal on the https://███ (████████████████)

A path traversal vulnerability was discovered in Cisco VPN that could allow unauthenticated users to disclose sensitive information such as VPN sessions and files. The vulnerability was assigned CVE-2018-0296. The vulnerability was fixed in updated versions of the software...

CVSS 7.5, AI score 7.2, EPSS 0.94404
Exploits 18
Hacker One
added 2019/09/16 7:54 a.m., 92 views

Node.js third-party modules: Path traversal using symlink

I would like to report Path Traversal in statics-server Module module name: statics-server version: 0.0.9 npm page: https://www.npmjs.com/package/statics-server Module Description npm install statics-server -g Go to the folder you want to statics-server Run the server statics-server Module Stats...

CVSS 5, AI score 1.4, EPSS 0.00595
Exploits 1
Hacker One
added 2019/09/15 3:02 a.m., 17 views

Shopify: The authentication code when activating 2FA can be used again to log in

Hi team, Summary: ====================== I noticed that when activating 2FA by SMS, you can also use that 2FA activation code as an authentication code when logging in. Steps: ========================= 1. Go to: https://accounts.shopify.com/accounts/36430415/security and log in 2. Activat...

AI score 0.6
Exploits 0
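Three reports on this page are the same class of defect seen from different angles: the worki.ru SMS code could be brute-forced, the Razer ID OTP was accepted for a user other than the one it was issued to, and here the Shopify 2FA activation code doubled as a login code. The following is an added example (not the code of any of those programs) of a one-time-code service that closes all three: a code is keyed by account and by purpose, is accepted once, expires, and survives only a bounded number of wrong guesses. The limits, purposes and user names are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5      # wrong guesses tolerated per issued code
TTL_SECONDS = 300


class OtpService:
    """One-time codes keyed by (user, purpose): a code belongs to exactly one
    account and one flow, is accepted once, expires, and is discarded after
    MAX_ATTEMPTS wrong guesses so a 6-digit space cannot be walked."""

    def __init__(self):
        self._pending = {}   # (user_id, purpose) -> {"code", "expires", "attempts"}

    def issue(self, user_id, purpose):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user_id, purpose)] = {
            "code": code, "expires": time.time() + TTL_SECONDS, "attempts": 0}
        return code   # delivered by SMS in the real system

    def verify(self, user_id, purpose, code):
        key = (user_id, purpose)
        entry = self._pending.get(key)
        if entry is None:                           # nothing issued for this user + flow
            return False
        if time.time() > entry["expires"]:
            self._pending.pop(key)
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:        # brute-force budget exhausted
            self._pending.pop(key)
            return False
        if not hmac.compare_digest(entry["code"], code):
            return False
        self._pending.pop(key)                      # single use
        return True


def demo():
    svc = OtpService()
    results = {}

    # Replay (Razer OTP report): a code issued to the attacker's own account is
    # not valid for the victim, because the lookup key includes the user
    attacker_code = svc.issue("attacker", "settings")
    results["replay_other_user"] = svc.verify("victim", "settings", attacker_code)

    # Purpose binding (Shopify report): the 2FA enrollment code is not a login
    # code, and once used for enrollment it cannot be used again
    enroll = svc.issue("alice", "enroll_2fa")
    results["enroll_code_as_login"] = svc.verify("alice", "login", enroll)
    results["enroll_ok"] = svc.verify("alice", "enroll_2fa", enroll)
    results["enroll_reuse"] = svc.verify("alice", "enroll_2fa", enroll)

    # Brute force (worki.ru report): after MAX_ATTEMPTS wrong guesses even the
    # correct code is rejected; the user has to request a fresh one
    login = svc.issue("bob", "login")
    wrong = "000000" if login != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("bob", "login", wrong)
    results["correct_after_lockout"] = svc.verify("bob", "login", login)
    return results


if __name__ == "__main__":
    print(demo())
```

The per-code attempt counter is what defeats brute force; an attacker who can trigger unlimited fresh codes still gets only MAX_ATTEMPTS guesses per code and only one code per flow at a time, and a per-IP and per-account limit on issuing codes closes the remaining SMS-flooding angle.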
Hacker One
added 2019/09/14 10:51 p.m., 400 views

U.S. Dept Of Defense: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████

Description Hello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25: CVE-2019-11510 - Pre-auth Arbitrary File Reading CVE-2019-11542 - Post-auth Stack Buffer Overflow CVE-2019-11539 - Post-auth...

CVSS 7.5, AI score 0.6, EPSS 0.94462
Exploits 38
Hacker One
added 2019/09/14 8:45 p.m., 9 views

curl: Resource leak when using a normal site as DOH server

Summary: If a DOH server is used, which is not really a DOH server but just a normal web server, the DNS request is sent but the reply will not be the expected DNS payload. In that case, curl correctly thinks DNS resolution failed, but it does not clean up allocated memory properly. Steps To...

AI score 7.1
Exploits 0
Hacker One
added 2019/09/14 6:24 p.m., 87 views

New Relic: Can fake content email of newrelic to any user

@lamscun reported an issue where an arbitrary account name, including special characters and anchor tags, would show up in an invitation email. While we've seen this issue several times, we've decided not to change how account names are formatted. Ultimately, the email client determines how the...

AI score 1.4
Exploits 0
Hacker One
added 2019/09/14 6:01 p.m., 21 views

Equifax-vdp: Information Leak (Github)

In Github I found some credentials to use in a webservice that exposes very sensitive information of people, family group, financial situation, and more. Github: https://github.com/geraldincg/proyecto/blob/9c89787deb1d217f58b58786d90bfb3eab290237/Proyecto/ViewModels/WebService/ConexionWS.cs The...

AI score 0.7
Exploits 0
Hacker One
added 2019/09/14 5:59 p.m., 13 views

Node.js third-party modules: [snekserve] Stored XSS via filenames HTML formatted

I would like to report a stored XSS issue in the snekserve module. It allows injecting HTML/JS code inside the directory listing. Module: module name: snekserve version: 1.0.0 npm page: https://www.npmjs.com/package/snekserve Module Description: Assuming you would like to serve a static site, sing...

AI score 0.1
Exploits 0
Hacker One
added 2019/09/14 1:52 p.m., 46 views

U.S. Dept Of Defense: [CVE-2018-0296] Cisco VPN path traversal on the https://██████████

The Cisco VPN vulnerability CVE-2018-0296 was discovered in a previously unidentified instance in the DOD network. The vulnerability allowed path traversal, which could have been exploited to disclose sensitive information such as VPN sessions and files. The issue was addressed by updating to a...

CVSS 7.5, AI score 7.2, EPSS 0.94404
Exploits 18
Hacker One
added 2019/09/14 1:40 p.m., 22 views

U.S. Dept Of Defense: [CVE-2018-0296] Cisco VPN path traversal on the https://1████████ (https://████████.███.████████/)

The Cisco VPN vulnerability CVE-2018-0296 was discovered, which allowed an unauthenticated attacker to perform path traversal and disclose sensitive information such as VPN sessions and files. The issue was addressed by updating to a patched version, which returned a 404 "File not found" error...

CVSS 7.5, AI score 7.3, EPSS 0.94404
Exploits 18
Hacker One
added 2019/09/14 5:54 a.m., 74 views

PortSwigger Web Security: Clicking "http://burp" hyperlink on FireFox CA Installation guide redirects to "burp.com" (unclaimed website).

Executive Summary --------------------------------------------------- I was in the process of installing Burp suite community edition on my recent machine where I believe I stumbled across a potential open redirect issue on the CA certificate installation website. This is a security concern due t...

AI score 6.9
Exploits 0
Hacker One
added 2019/09/13 7:31 p.m., 170 views

Lob: HTTP Request Smuggling on vpn.lob.com

Hi, vpn.lob.com is vulnerable to a CL.TE HTTP request smuggling attack (the front-end server uses Content-Length, the back-end server uses Transfer-Encoding). Steps to reproduce: 1. Run the Burp Suite Turbo Intruder on the following request: POST /auth/session HTTP/1.1 Host: vpn.lob.com User-Agent: Mozilla/5...

AI score 6.9
Exploits 0
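The report names the CL.TE variant: the front end frames the body by Content-Length, the back end by Transfer-Encoding, and the bytes between the two boundaries become the prefix of the next request on the back-end connection. The following is an added example, not the reporter's Turbo Intruder script, that builds such a request offline and frames it both ways so the disagreement is visible, plus the check a proxy should apply (RFC 7230 section 3.3.3) to refuse the request instead of forwarding it. The request line and the smuggled prefix are constructed.

```python
def parse_headers(head):
    """Lower-cased header dict from the bytes before the blank line."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:           # [0] is the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def frame_by_content_length(raw):
    """Front end: the body is exactly Content-Length bytes."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    length = int(parse_headers(head).get("content-length", "0"))
    return rest[:length], rest[length:]


def frame_by_chunked(raw):
    """Back end: the body is chunked and ends at the zero-size chunk."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    body, pos = b"", 0
    while True:
        size_end = rest.index(b"\r\n", pos)
        size = int(rest[pos:size_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = size_end + 2
        if size == 0:
            pos = rest.index(b"\r\n", pos) + 2               # empty trailer section
            return body, rest[pos:]                          # leftover = next request
        body += rest[pos:pos + size]
        pos += size + 2                                       # chunk data + CRLF


def reject_ambiguous_framing(raw):
    """RFC 7230 3.3.3: a message carrying both headers must not be forwarded."""
    headers = parse_headers(raw.partition(b"\r\n\r\n")[0])
    if "transfer-encoding" in headers and "content-length" in headers:
        raise ValueError("Content-Length and Transfer-Encoding both present")
    return headers


# Constructed probe: the chunked body ends immediately, so a TE-framing back end
# treats "GPOST ..." as the start of the next request on the same connection.
SMUGGLED = b"GPOST / HTTP/1.1\r\nHost: vpn.lob.com\r\n\r\n"


def build_cl_te_probe():
    body = b"0\r\n\r\n" + SMUGGLED
    head = (b"POST /auth/session HTTP/1.1\r\n"
            b"Host: vpn.lob.com\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n")
    return head + body


if __name__ == "__main__":
    raw = build_cl_te_probe()
    print("front end sees body:", frame_by_content_length(raw)[0])
    print("back end sees body:", frame_by_chunked(raw)[0], "leftover:", frame_by_chunked(raw)[1])
```

The leftover `GPOST ...` is why the classic detection is a timing or a poisoned-response probe: the next legitimate request arriving on that back-end connection is glued onto the prefix. The fix is at the front end: reject messages with both headers, or normalise to one framing before forwarding, and prefer HTTP/2 to the back end where the framing is unambiguous.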
Hacker One
added 2019/09/13 3:15 p.m., 14 views

Node.js third-party modules: [create-git] RCE via insecure command formatting

The create-git NPM module was vulnerable to command injection, which was possible since some user-supplied inputs were concatenated without proper checks inside an exec call, which made it possible to execute arbitrary commands besides the git one used by the tool. The PoC resulted in: js...

AI score 2.2
Exploits 0
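The summary above gives the mechanism exactly: user input concatenated into a string that is handed to a shell. The following is an added example, not create-git's code, showing the concatenation beside two safe forms: an argument vector with no shell, and, where a shell string is unavoidable, shell quoting. `printf` stands in for the git binary so the demonstration runs anywhere; the allowlist pattern and the attacker payload are assumptions.

```python
import re
import shlex
import subprocess

NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def validate_name(name):
    """Allowlist: alphanumerics, dot, underscore, dash; no leading dash, so the
    value can never be read as an option by the program it is passed to."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid name: {name!r}")
    return name


def run_vulnerable(name):
    """String concatenation into a shell command, as the report describes.
    Everything after ';' in the name is a second command to the shell."""
    return subprocess.run("printf '%s' " + name, shell=True,
                          capture_output=True, text=True).stdout


def run_hardened(name):
    """Argument vector, no shell: the name reaches the program as one literal
    argv entry, and the allowlist keeps it from being parsed as an option."""
    return subprocess.run(["printf", "%s", validate_name(name)],
                          capture_output=True, text=True).stdout


def run_quoted_shell_string(name):
    """If a shell string is unavoidable, shlex.quote wraps the value in single
    quotes (escaping embedded ones) so metacharacters stay literal."""
    return subprocess.run("printf '%s' " + shlex.quote(name), shell=True,
                          capture_output=True, text=True).stdout


PAYLOAD = "myrepo; echo INJECTED"   # constructed attacker input

if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(PAYLOAD)))
    print("quoted:    ", repr(run_quoted_shell_string(PAYLOAD)))
    print("hardened:  ", repr(run_hardened("my-repo")))
```

Quoting stops shell injection but not argument injection: a name such as `--upload-pack=...` is still delivered intact to git and interpreted as an option, which is why the vector form is paired with the allowlist (or a `--` separator before positional arguments) rather than used alone.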
Hacker One
added 2019/09/13 2:58 p.m., 366 views

OLX: load-scripts DoS vulnerability

1 vulnerability description WordPress allows users to load multiple JS files and CSS files through load-scripts.php files at once. For example, https://wpwebsite.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1, file load-scripts.php will load jquery-ui-core and editor...

CVSS 5, AI score 0.1, EPSS 0.87475
Exploits 11
Hacker One
added 2019/09/13 2:09 p.m., 22 views

curl: Buffer write overflow when forming dns over http request

Summary: If dns over http is used, the hostname to look up is packed into a buffer to send to the dns server using the dohencode function from the doh.c source file. By default, curl uses a 512 byte buffer. For that length, the buffer may be overflowed with one byte, which is set to 1. Note that...

AI score 7.4
Exploits 0
Hacker One
added 2019/09/13 2:39 a.m., 73 views

Semmle: Worker container escape lead to arbitrary file reading in host machine

Summary: Because of a lack of security checks, an attacker is able to remove the original log file and replace it with a symlink to another file. After the job finishes, the host machine copies the file from the Docker container. Because the original log file has been removed, the host machine copies the symlink file. But the...

AI score 0.7
Exploits 0
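This report and the statics-server report above are both symlink traversal: a link inside a directory the code trusts points at a file outside it, and the code follows the link. The following is an added example, not Semmle's worker code or the statics-server module, with one function for each side of the problem: resolving a requested path under a web root while refusing anything whose real location escapes the root, and copying a worker-produced file out of an untrusted directory without following links. The directory layout is built in a temporary directory and torn down again.

```python
import os
import shutil
import stat
import tempfile


def resolve_under_root(root, requested):
    """Map a URL path to a file under root; refuse it if the *real* location
    (after symlinks and ..) is outside root."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"refusing {requested}: resolves outside {root_real}")
    return candidate


def copy_artifact_no_symlinks(src, dst):
    """Copy a file produced in an untrusted directory without following links.
    lstat rejects a symlink; O_NOFOLLOW catches a swap made between the two calls."""
    if not stat.S_ISREG(os.lstat(src).st_mode):
        raise PermissionError(f"refusing {src}: not a regular file")
    fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f, open(dst, "wb") as out:
        shutil.copyfileobj(f, out)
    return dst


def demo():
    """Constructed layout: base/secret.txt outside the root, base/www as the root,
    and a link inside the root pointing at the secret."""
    base = tempfile.mkdtemp()
    try:
        secret = os.path.join(base, "secret.txt")
        with open(secret, "w") as f:
            f.write("host secret")
        root = os.path.join(base, "www")
        os.mkdir(root)
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("ok")
        os.symlink(secret, os.path.join(root, "build.log"))

        results = {"plain": os.path.basename(resolve_under_root(root, "/index.html"))}
        for key, req in (("symlink", "/build.log"), ("dotdot", "/../secret.txt")):
            try:
                resolve_under_root(root, req)
                results[key] = "served"
            except PermissionError:
                results[key] = "refused"
        try:
            copy_artifact_no_symlinks(os.path.join(root, "build.log"), os.path.join(base, "out.log"))
            results["copy_symlink"] = "copied"
        except PermissionError:
            results["copy_symlink"] = "refused"
        copy_artifact_no_symlinks(os.path.join(root, "index.html"), os.path.join(base, "out.html"))
        with open(os.path.join(base, "out.html")) as f:
            results["copy_regular"] = f.read()
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

`realpath` plus a `commonpath` check handles both `..` segments and links in one step; the copy side cannot use `realpath` because the attacker controls the directory, so it refuses links outright. Doing the copy from a process that runs with the same privileges as the job, rather than the host's, removes the payoff even if a check is missed.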
Hacker One
added 2019/09/12 10:29 p.m., 19 views

Lark Technologies: [Lark Android] Vulnerability in exported activity WebView

A vulnerability was found in Lark Android exported activity web view which could have potentially been used to send a malicious URL to WebView and replace the content in the application with malicious code. We thank @shellc0de for reporting this to our team...

AI score 2.3
Exploits 0
Hacker One
added 2019/09/12 8:05 p.m., 18 views

U.S. Dept Of Defense: SSN leak due to editable slides

Summary: A presentation slide contains a screenshot of a records brief which contains an SSN Description: The slides try to redact the PII of the records with a blue block but we can remove it by editing the slides to remove the offending blue block Impact Critical Step-by-step Reproduction...

AI score 0.4
Exploits 0
Hacker One
added 2019/09/12 7:28 p.m., 25 views

U.S. Dept Of Defense: PII leakage due to screenshot of health records

Summary: Document shows a screenshot of a medical record for a soldier Description: One of the slides describes the CIV and PAD DSN along with some information relating to the soldier such as their name, the information appears to be old but could be still be an issue if they're in service Impact...

AI score 0.9
Exploits 0
Hacker One
added 2019/09/12 3:55 p.m., 26 views

Node.js third-party modules: [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure

I would like to report an unauthenticated access/authorization bypass issue in the expressjs-ip-control module. It allows bypassing the whitelist IP check in order to bypass the authorization check and possibly expose sensitive data. Module: module name: MODULE NAME version: MODULE VERSION npm pag...

AI score 0.3
Exploits 0
Hacker One
added 2019/09/11 9:37 p.m., 56 views

Semmle: Privilege escalation in workers container

Summary about the bugs: In the prepare step, Semmle allows the user to install new packages. By uploading a malicious package along with the source code and forcing the server to build this package, the attacker gains root access to the container. Steps: 1. Create a malicious package containing the backdoor: I use th...

AI score 0.8
Exploits 0
Total number of security vulnerabilities: 15275