15275 matches found
BlockDev Sp. Z o.o: UNRESTRICTED FILE UPLOAD AT chat.makerdao.com
Uploading any file type to the company chat...
X (Formerly Twitter): XSS on https://app.mopub.com/reports/custom/add/ [new-d1]
Parameter: new-d1. Payload. Steps to reproduce: 1. Go to URL: https://app.mopub.com/reports/custom/add/ 2. Start the Burp Suite proxy, intercept on. 3. Enter the payload in the vulnerable parameter. 4. Click on the Run and Save button. 5. You will see JavaScript getting executed. POST Request POST...
U.S. Dept Of Defense: Followup - SQL Injection - https://██████████/██████/MSI.portal
Summary: Time-based blind SQL injection in parameter MSIadditionalFilterType1, at the following URL: https://███/███/MSI.portal?_nfpb=true&pageLabel=msiportalpage61 Description: This is a follow-up to a previous report I submitted: https://hackerone.com/reports/674838 The following page has a for...
Node.js third-party modules: Path traversal in https://www.npmjs.com/package/http_server via symlink
I would like to report a path traversal in http_server. It allows an attacker to read arbitrary system files. Module: module name: http_server version: 1.0.12 npm page: https://www.npmjs.com/package/http_server Module Description: Copy description from npm page Module Stats: Weekly downloads: 35...
GitLab: Group search leaks private MRs, code, commits
Summary Using the group search you can access MRs and code set as "not public" in a project Steps to reproduce Create a public group, create a public project inside the group, but with private code. Push some code, search in the group search the code while logged out, you will find it also if it...
Vend VDP: Open Redirect in the Path of vendhq.com
Summary: There is an open redirection vulnerability in the path of https://www.vendhq.com/ Description: An attacker can redirect anyone to malicious sites. Steps To Reproduce: Type in this URL: https://www.vendhq.com//evil.com/ As you can see, it redirects to that website when you inject this...
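The entry above reports that a path beginning with a second slash (`//evil.com/`) sends the browser to another origin. The added example below is not from the report or from Vend; it assumes the cause is the usual one, a redirect whose target is taken from the request path without checking for a protocol-relative URL, and shows why that target is dangerous and how a redirect-target validator should reject it. The base URL and all inputs are constructed for the demonstration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed base origin for the demonstration (the page only shows the
# vendhq.com path; any site that resolves relative Location headers behaves
# the same way).
BASE = "https://www.vendhq.com/"


def where_does_it_go(base, target):
    """Return the absolute URL a browser would follow when `target` is used
    as a redirect location on a page at `base`.

    A protocol-relative target ("//evil.com/") keeps the scheme but swaps
    the authority, which is exactly the open-redirect primitive.
    """
    return urljoin(base, target)


def is_safe_local_redirect(target):
    """Accept only path-only, same-origin redirect targets.

    Rejects: empty targets, absolute URLs, protocol-relative URLs
    ("//evil.com/"), and backslash variants ("/\\evil.com", which browsers
    normalise to "//evil.com"). As a final invariant the target is resolved
    against BASE and must still land on BASE's authority.
    """
    if not target or not target.startswith("/"):
        return False
    if target.startswith("//") or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    return urlsplit(urljoin(BASE, target)).netloc == urlsplit(BASE).netloc
```

Usage: `where_does_it_go(BASE, "//evil.com/")` shows the browser's view of the reported path, and `is_safe_local_redirect` is the check to apply before emitting a Location header built from user-controlled input.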
8x8: Access to ██████████████ due to weak credentials
Hi Team, Description: During the analysis, it was found that the █████████████████████ asks users for credentials to access the ██████, but the weak credentials set █████:██████ allows anyone to log in. Steps To Reproduce: 1. Open █████████████████████████ 2. Enter █████████ ███████...
Ed: Domain takeover on http://doesfranshaveashell.com/ due to expiration
Summary: Hi Ed, I'm not sure whether the registrar informed you that your domain had expired, or whether it will auto-renew on expiry. To be safe, I decided to inform you manually. Steps to Reproduce: Lately I noticed that http://doesfranshaveashell.com/ no longer operates. It shows some advertisements. F57967...
Internet Bug Bounty: PHP 7.3.3: Heap-use-after-free (READ of size 8) in match_at()
Bug Report: https://bugs.php.net/bug.php?id=77721 PHP 7.3.3 was vulnerable to a use-after-free flaw via the third-party code known as oniguruma. This bug was fixed by upgrading the oniguruma bundled with PHP from 6.9.0 to 6.9.1. This particular bug wasn't assigned a CVE for whatever reason. However a...
Node.js third-party modules: [reveal.js] XSS by calling arbitrary method via postMessage
I would like to report XSS in reveal.js It allows gaining access to the victim's account and performing actions on his behalf Module module name: reveal.js version: 3.8.0 npm page: https://www.npmjs.com/package/reveal.js Module Description A framework for easily creating beautiful presentations...
QIWI: Transfer fee bypass
Bypassing the fee on transfers...
QIWI: hard-use account takeover qiwi.com
It was possible to brute force guessable confirmation token id due to an auth flaw...
Shopify: XSS while logging using Google
Hello Security Team, I have found an XSS when we enable the login service "Allow staff to use external services to log in to Shopify" and enable Google Apps for login; we then get the "Log in with Google" option enabled. F579219 Steps to Reproduce: Step 1: Go to...
Mail.ru: CSRF in attach phone API endpoint on delivery-club.ru
A legacy delivery-club.ru API endpoint allowed attaching an arbitrary phone number without checking the validation code and without additional CSRF protection...
Nextcloud: Directory listing is enabled that exposes non public data through multiple path
Directory listing is enabled on https://try.nextcloud.com and it shows a few files on the server plus the server version. POC: https://try.nextcloud.com/assets/ https://try.nextcloud.com/css/ https://try.nextcloud.com/js/ Impact: This could leak sensitive information on the server and it also...
New Relic: Passive stored XSS at Synthetics job result page (View resource)
Hey team, I've discovered a stored XSS at Synthetics job result page. There is a View resource link near every URL which was requested by a browser and this link href is the requested URL itself: F577804 All the URLs, the browser interacted with, are saved into the database by a minion, when the...
Mail.ru: OOB XXE
Limited XXE on XML request processing led to blind SSRF possibility OOB XXE on one of Ext. B Mail.ru domains, which could be exploited as blind SSRF...
Valve: SQL injection in /errors/viewbuild/
A SQL injection vulnerability was discovered in a partner-facing tool that allowed queries against a legacy backing store...
FormAssembly: scripts loader DOS vulnerability
1. Vulnerability description: WordPress allows users to load multiple JS and CSS files at once through the load-scripts.php file. For example, with https://wpwebsite.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1, load-scripts.php will load the jquery-ui-core and editor...
MariaDB: scripts loader (denial of service) vulnerability
1. Vulnerability description: WordPress allows users to load multiple JS and CSS files at once through the load-scripts.php file. For example, with https://wpwebsite.com/wp-admin/load-scripts.php?c=1&load=jquery-ui-core,editor&ver=4.9.1, load-scripts.php will load the jquery-ui-core and editor files...
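The FormAssembly and MariaDB entries above describe the same amplification primitive: one unauthenticated request to load-scripts.php can make WordPress concatenate a long list of script handles. The added example below is not from either report or from WordPress; it is detection logic a defender could run over web-server access logs to flag requests that name an unusual number of handles. The log lines are constructed for the demonstration, and the threshold of 20 handles is an assumption to be tuned per site.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (combined log format) for the demonstration.
# The second line names 30 handles, well above what a normal admin page pulls.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1 HTTP/1.1" 200 81234
10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core&ver=4.9.1 HTTP/1.1" 200 5012345
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 1234
"""

# client ip, then the request target of a GET/POST request line
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

LOADER_SCRIPTS = ("load-scripts.php", "load-styles.php")


def script_handles(url):
    """Return the script/style handles requested via load[] or load,
    whether the key is sent raw or percent-encoded (load%5B%5D)."""
    handles = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if unquote(key) in ("load[]", "load"):
            handles.extend(h for h in value.split(",") if h)
    return handles


def find_abusive_requests(log_text, threshold=20):
    """Return (client_ip, handle_count) for every loader request whose
    handle count exceeds `threshold`, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        path = urlsplit(url).path
        if not path.endswith(LOADER_SCRIPTS):
            continue
        count = len(script_handles(url))
        if count > threshold:
            hits.append((ip, count))
    return hits
```

Usage: `find_abusive_requests(open("access.log").read())` returns the offending client IPs and handle counts; repeated hits from one IP in a short window are the signal that the endpoint is being used for DoS rather than by the admin UI.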
Mail.ru: XSS via Cookie in Mail.ru
Unfiltered cookie content was used in DOM manipulation, leading to a possible XSS...
Node.js third-party modules: OS Command Injection on Jison [all-parser-ports]
I would like to report an OS command injection vulnerability in the Jison parser ports (CSharp, PHP). It allows arbitrary OS shell command execution through a crafted command-line argument. Basic Information: Module: jison Version: 0.4.18 NPM Project Page: https://www.npmjs.com/package/jison Module...
HackerOne: Disclosure of report email title in quick award payout email (no content mode)
Hello H1 Security Team, Description: In reports 645264 and 669776, email title disclosure was fixed in the "no content" setting. However, there is one more area which needs to be fixed: the "Instant bounty Award Email". In this email, even though email settings have been set to "No content", still it's...
GitLab: Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests
I've found three minor vulnerabilities which, when combined, allow an attacker to copy private repositories, confidential issues, private snippets, and then some. I'll go through the code path to explain the vulnerabilities and how they are combined. See the Proof of Concept section if you want...
U.S. Dept Of Defense: [████████] — XSS on `/███████_flight/images` via `advanced_val` parameter
Description: The POST parameter advanced_val is vulnerable to reflected XSS on endpoint https://███/██████████flight/images. The XSS affects all users and no authentication or login is required. Proof of Concept: Either visit the following URL for the PoC: https://██████████/poc/ or create your own PoC file:...
GitLab: SSRF In plantuml (on plantuml.pre.gitlab.com)
Summary The site...
LocalTapiola: CORS misconfiguration allows to steal client's "password", Authorization token and the customer details e.g. names, SSN, bank account etc.
Issue The reporter found that ext-gw.lahitapiola.fi had a faulty CORS configuration. Fix Logic and processing around CORS was improved and the issue was fixed. Reasoning The issue is real. CORS as a bug and flaw has real impact. The report was well written and had a good working PoC. This is...
Palo Alto Software: Clickjacking
Summary Clickjacking User Interface redress attack, UI redress attack, UI redressing is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of the...
Central Security Project: OS Command Injection in Nexus Repository Manager 2.x(bypass CVE-2019-5475)
OS Command Injection in Nexus Repository Manager 2.x (bypass CVE-2019-5475) Maven artifact: groupId: org.sonatype.nexus.plugins artifactId: nexus-yum-repository-plugin version: 2.14.14-01 Vulnerability Description: The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. A...
curl: Incorrect IPv6 literal parsing leads to validated connection to unexpected https server.
Summary: An IPv6 address can be specified in square brackets, like [fe80::3]. A zone id can also be specified, like fe80::3%15. A URL can specify its hostname as an IPv6 literal. It seems that the parsing in the curl library is not complete. For instance, it is possible for a particular IPv6...
Omise: Found Origin IP's Lead To Access To [ Grafana Instance , PgHero Instance [ Can SQL Injection ]
Hello, through recon on go.exchange I found origin IPs on https://censys.io/ipv4?q=go.exchange That allows an attacker to access many instances, like Grafana (but credentials are needed), and to access PgHero and TokenModel · GO.Exchange, where the attacker can use PgHero to execute PostgreSQL...
Nintendo: [3DS][StreetPass] Buffer Overflow in Super Mario Maker level decompression
-- Information - Platform: New Nintendo 3DS - Region: EU (all regions are affected) - System version: less than or equal to 11.10 (latest) Description: Since the bootroms have been dumped, it is now possible for an attacker to decrypt StreetPass communications. Super Mario Maker is vulnerable to a buffer...
curl: Double-free of `trailers_buf' on `Curl_http_compile_trailers()` failure
Summary: When `Curl_http_compile_trailers()` fails, `trailers_buf` is freed twice, because we don't pass the pointer to this function by reference. Steps To Reproduce: Did not actually reproduce; please double check the attached patch and analysis. Impact: Some memory corruption due to the double-free...
Node.js third-party modules: Trojan:JS/CoinMiner in npm files
Hello, I am a front end developer and use Vue.js and Visual Studio Code and have had an issue recently with scripts not running in my terminal so decided to fault find. All programmes that I can think of are up to date, and today I decided to do a full windows defender scan and found the above...
curl: krb5: double-free in read_data() after realloc() fail
Summary: In `lib/security.c`, there is a double-free of the reference `buf->data` on the teardown path if `Curl_saferealloc` fails. Also, since we read `len` from the `fd`, the sender might be able to remotely trigger a realloc failure, and then the double-free, by sending the value 0x7fffffff...
BlockDev Sp. Z o.o: .git file accessible
Hi, your .git file is accessible. That's an information disclosure. URL: https://blog.makerdao.com/wp-content/themes/makerDAO/.git/config REQUEST: GET /wp-content/themes/makerDAO/.git/config HTTP/1.1 Host: blog.makerdao.com Accept:...
U.S. Dept Of Defense: Improper Neutralization of Input During Web Page Generation
Summary: Cross-site scripting XSS vulnerabilities occur when: 1. Untrusted data enters a web application, typically from a web request. 2. The web application dynamically generates a web page that contains this untrusted data. Description: Impact Once the malicious script is injected, the attacke...
Mail.ru: Blind SSRF on sentry.dev-my.com due to Sentry misconfiguration
Insufficient isolation of Sentry installation could potentially lead to blind SSRF...
U.S. Dept Of Defense: [██████████] — Directory traversal via `/aerosol-bin/███████/display_directory_████_t.cgi`
Description: On the domain https://█████████, there is a vulnerable endpoint that lets an attacker preview and browse the whole server, including all the server's critical directories such as etc, var and cache located in the root directory of this Linux web server. This vulnerable endpoint is...
Railto LLC: Administrator access to staging.railto.com
Summary: Hey team, while doing some recon on Railto sub-domains, I came across a critical bug which gives me complete access to https://staging.railto.com. I can add anything and remove anything, as I got ADMIN level privilege. Steps: 1. Go to the https://staging.railto.com/admin URL. 2. Se...
Nextcloud: Clear text storage of proxy parameters and passwords
Proxy settings of the Nextcloud desktop client were not stored in a safe way; instead they were just base64 encoded and stored in the nextcloud.cfg file...
HackerOne: Searching from Hacktivity returns hits for words in limited disclosure reports that are not visible
Summary: It appears I'm able to discover words used in limited-disclosure reports, which are not publicly visible, by using the search function available from the Hacktivity page. Description: Recently I was investigating a finding for another program which involved exploiting XSS ████. I wondered h...
██████: Directory Traversal in uftpd 2.6-2.10
Description: It is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem, due to improper path sanitization in the chroot jail implementation in common.c's `compose_abspath`. Impact...
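The uftpd entry above and the http_server entry earlier in this list are two faces of the same problem: a server that maps a client-supplied path into a directory jail, once by normalising the string badly, once by following a symlink that points outside the jail. The added example below is not uftpd's `compose_abspath` nor the http_server module's code; it is a reference implementation of the two checks a jail needs, a string-level normalisation that clamps `..` before joining with the chroot, and a `realpath`-based check that refuses symlink escapes. The jail and file names are constructed for the demonstration.

```python
import os
import posixpath
import tempfile


def compose_abspath(chroot, cwd, path):
    """Map an FTP-style path (absolute within the jail, or relative to the
    jail-virtual `cwd`) onto the real filesystem below `chroot`.

    posixpath.normpath on an absolute path drops leading '..' components, so
    '../../etc/passwd' becomes '/etc/passwd' *inside* the jail rather than the
    host's /etc/passwd. The final prefix check is a defensive invariant; it
    should never fail once the path has been clamped this way.
    """
    root = chroot.rstrip("/") or "/"
    virtual = path if path.startswith("/") else posixpath.join(cwd or "/", path or ".")
    virtual = posixpath.normpath("/" + virtual.lstrip("/"))      # clamp '..' at '/'
    real = posixpath.normpath(posixpath.join(root, virtual.lstrip("/")))
    if real != root and not real.startswith(root + "/"):
        return None
    return real


def resolve_in_jail(chroot, cwd, path):
    """compose_abspath() plus a symlink-aware check: the resolved target must
    still sit below the resolved chroot, so a link inside the jail that points
    outside it (the http_server case above) is refused."""
    candidate = compose_abspath(chroot, cwd, path)
    if candidate is None:
        return None
    root = os.path.realpath(chroot)
    resolved = os.path.realpath(candidate)
    if resolved != root and not resolved.startswith(root + os.sep):
        return None
    return resolved


def demo_symlink_escape():
    """Build a throwaway jail containing a symlink to its parent directory and
    show that string normalisation alone accepts 'escape/secret' while the
    realpath check refuses it. Returns True when both behave as expected."""
    with tempfile.TemporaryDirectory() as jail:
        os.mkdir(os.path.join(jail, "pub"))
        os.symlink(os.path.dirname(jail), os.path.join(jail, "escape"))
        string_level_accepts = compose_abspath(jail, "/", "escape/secret") is not None
        realpath_refuses = resolve_in_jail(jail, "/", "escape/secret") is None
        inside_ok = resolve_in_jail(jail, "/pub", "file.txt") == os.path.realpath(
            os.path.join(jail, "pub", "file.txt"))
        return string_level_accepts and realpath_refuses and inside_ok
```

Note the order: `compose_abspath` alone is what a chroot-less jail usually gets wrong, and `resolve_in_jail` is still subject to a race if the symlink is created between the check and the open; opening with `O_NOFOLLOW` per component, or running under a real chroot, closes that gap.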
Nextcloud: XSS in desktop client via invalid server address on login form
Team! I have found this vulnerability that in my time would be called "cross zone", but at the moment I don't know. The problem is found in the latest version of "nextcloud.exe" for your Windows version. The problem occurs with the initial screen where you ask to connect to a website. Apparently...
Nextcloud: Persistent XSS on favorite via filename
CVSS ---- Medium 6.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Description ----------- The name of a file is echoed without encoding when favoring the file, leading to persistent XSS. POC --- To place the payload: - Create a file called test'".pdf and upload it. To trigger the payload: - click...
Node.js third-party modules: gitlabhook OS Command Injection
I would like to report OS Command Injection in gitlabhook. It allows execution of arbitrary code on the remote server, that waits for instructions from gitlab. Module module name: gitlabhook version: 0.0.17 npm page: https://www.npmjs.com/package/gitlabhook Module Description This is an easy to u...
Mail.ru: Race condition when purchasing gifts on games.mail.ru
TOCTOU conditions in the games.mail.ru gift purchase functionality allowed spending bonus points above the balance...
U.S. Dept Of Defense: Local File Disclosure on the ████████ (https://████/) leads to the source code disclosure & DB credentials leak
Description: I discovered another LFD on the https://████/ virtual host on the █████ IP. POC: https://█████/file.ashx?path=web.config will download the website configuration file. It exposes different DB credentials than in previous reports: ███ Similarly, an attacker is able to get the content of any...
U.S. Dept Of Defense: Unauth IDOR to mass account takeover without user interaction on the ███████ (https://███████.edu/)
The vulnerability discovered was an Insecure Direct Object Reference IDOR that allowed for mass account takeover without user interaction on the ███████ https://███████.edu/ website. The vulnerability was found in the /chkUser.aspx endpoint, which was vulnerable to IDOR. The numeric user ID...