QIWI: account takeover https://qiwi.me
It was possible to take over a user account by sending a wrong code parameter in the /sms/confirm request. The problem is that the code had no relation to the current user session...
Mail.ru: Account takeover via CORS misconfiguration on https://beta.delivery-club.ru
Insufficient checking of the request origin allowed cross-site access to beta.delivery-club.ru...
Imgur: Password Reset Link not expiring after changing the email Leads To Account Takeover
Vulnerability: Password Reset Link not expiring after changing the email. Proof Of Concept: 1. Send the password reset link to your email. 2. Don't open the password link, just copy it and paste it into any editor. 3. Open your account. 4. Go to your account settings. 5. Under account, you will see Account...
U.S. Dept Of Defense: Directory Indexing on the ████ (https://████/) leads to the backups disclosure and credentials leak
Description: While poking around the █████████/24 range - █████ looking for Cisco devices, I came across █████, which resolved to https://██████/. While it's not a .mil host, it's likely related to the DoD since it is hosted in a DoD-controlled ASN. I discovered a few critical vulnerabilities here...
U.S. Dept Of Defense: Local File Disclosure on the █████ (https://████████.edu/) leads to the full source code disclosure and credentials leak
A local file disclosure vulnerability was discovered on the █████ website https://████████.edu/. The vulnerability allowed an attacker to download the website's configuration file, which exposed the database credentials. Additionally, the source code for certain server-side resources was also...
U.S. Dept Of Defense: Authentication bypass and potential RCE on the https://████ due to exposed Cisco TelePresence SX80 with default credentials
The Cisco TelePresence SX80 device located at https://███████ was found to have default administrative credentials of "admin:admin", allowing authentication bypass and potential remote code execution. The device was identified as belonging to AS257 ███ and had been last used in 2017. The...
BlockDev Sp. Z o.o: WordPress users disclosure on blog.makerdao.con
WordPress users disclosure on blog.makerdao.con...
curl: Heap buffer overflow in TFTP when using small blksize
Summary: With a TFTP server that does not send an OACK but instead starts anyway with the first block using a 512-byte block size, the curl library fails to assume the default 512-byte blocks. Instead it detects EOF and does not return an error code. The consequence is a truncated file that is 512 bytes without...
Internet Bug Bounty: Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch
Hi! CVE-2017-1000112 is a vulnerability I found in the Linux kernel caused by a UFO to non-UFO path switch for UFO packets. It can be exploited to gain kernel code execution from an unprivileged process. This vulnerability was reported to [email protected] and linux-distros@ following the...
Internet Bug Bounty: Linux kernel: CVE-2017-7308: a signedness issue in AF_PACKET sockets
Hi! CVE-2017-7308 is a vulnerability I found in the Linux kernel caused by a signedness issue in AF_PACKET sockets. It can be exploited to gain kernel code execution from an unprivileged process. The kernel has to be built with CONFIG_PACKET for the vulnerability to be present. A lot of modern...
Quantopian: Cross-site scripting via hardcoded front-end watched expression.
Hello, favorite security team. This is so far the most interesting XSS I've found on your website. And also this is the 10th bug I've reported to you, so I'm gonna celebrate. Summary: Via hardcoded front-end code in the algo debugger, one is able to execute XSS on an algorithm collaborator. One is able to use Python to...
GitLab: Stored XSS for Grafana dashboard URL
Hi GitLab Security Team. Summary: I found a stored XSS vulnerability in the admin page. The administrator can set up a Grafana dashboard. Here, the administrator can either enter a relative URL or an absolute address. However, when adding an absolute URL, the protocol is not checked, allowing to ad...
BlockDev Sp. Z o.o: Steal all MKR from `flap` during liquidation by exploiting lack of validation in `flap.kick`
Summary: The flap contract provides the ability to auction DAI for MKR. That's a fundamental functionality of the MCD system, usually invoked from the vow contract. A flaw in the validation of calls to flap.kick, however, allows a malicious user to create "fake" auctions that can later be used to...
X (Formerly Twitter): Periscope-all Firebase database takeover
Hello, I found one public Firebase database of periscope.tv and I was able to insert data into this database. I only used it once for testing purposes, so other database queries are also possible. Please follow the link below to check the inserted test data. Periscope-all Firebase URL:...
BlockDev Sp. Z o.o: Steal ALL collateral during liquidation by exploiting lack of validation in `flip.kick`
Summary: The flip contract allows for the MCD system to auction collateral in exchange for DAI. A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value. Since the end contract trusts that value, it can be exploited to issue any amount of free DAI...
U.S. Dept Of Defense: Authentication bypass and RCE on the https://████ due to exposed Cisco TelePresence SX80 with default credentials
Description: Hello. I was able to identify a Cisco TelePresence SX80 device located at https://█████. According to IP Info: https://ipinfo.io/████████ it belongs to the ASN with ID ███████, so it's likely in scope of the program. The mentioned instance has default credentials ████ POC https://█████...
Central Security Project: Unrestricted File Upload Leading to Remote Code Execution
Description: As an administrator user it is possible to create files and directories in any location on the file system of the server. This can be abused to write files to any sensitive location on the Windows file system because the Nexus process runs with SYSTEM privileges. This allows an...
Mail.ru: [ RCE ] Through stopping the redirect in /admin/* the attacker is able to bypass Authentication And Upload a Malicious File
A combination of improper access control and unrestricted file upload in a non-production service led to an RCE possibility...
Kartpay: Referer issue in Kartpay.com
On https://Kartpay.com, the Referer issue was fixed earlier, before this issue was reported again, but on finding the root cause it was found that the code is correct but the sequence/priority of the code has changed, which leads to the Referer issue again. So the sequence of code has changed to...
Vanilla: XSS through chat messages
Vulnerability name: cross-site scripting through chat messages. Vulnerability description: cross-site scripting is a vulnerability that allows an attacker to send malicious code, usually in JavaScript form, to another user. Because a browser cannot know if the script should be trusted or not, it will...
Internet Bug Bounty: Windows builds with insecure path defaults (CVE-2019-1552)
Advisory: https://www.openssl.org/news/secadv/20190730.txt Severity: Low OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable...
X (Formerly Twitter): XSS and Open Redirect on MoPub Login
Summary: I found an open redirect at the MoPub login page, https://app.mopub.com/login?next=https://google.com. It also allows JavaScript URIs, leading to XSS. Description: You can modify the "next" URL parameter to redirect to any website upon logging in on MoPub. Steps To Reproduce: 1. Take this...
U.S. Dept Of Defense: Unrestricted File Upload
Summary: The endpoint at https://███████/ui/core/index.html required authentication, but navigating to https://█████/ui/core/index.html?mode=publicexpl-tabl./SHARED/rpchllmd/CSAT allows for read/write access. Description: The endpoint at...
Valve: Arbitrary file creation with semi-controlled content (leads to DoS, EoP and others) at Steam Windows Client
The vulnerability allows creating an arbitrary file with some crafted text or appending to an existing file. Tested on the current version 5.31.28.21 (SteamService.exe file version info). At the start of the report I describe how to trigger the vulnerability, then describe how to cause consequences. How to trigger - ...
Starbucks: Improper handling of payment callback allows topping up a Swiss Starbucks Card bypassing actual payment via a crafted success message
khovansky uncovered that an attacker could register on https://xtras.starbucks.ch and, utilizing that registration, subsequently generate a password reset email via https://card.starbucks.ch. After resetting the password for the account, khovansky noticed this process auto-generates a virtual Swiss...
GitLab: Git flag injection - Search API with scope 'blobs'
As requested by @hackerjuan, breaking this out of https://hackerone.com/reports/658013 for easier tracking. Summary: GitLab 12.1.6 fixed the wiki_blobs scope of the search API, but the blobs scope is still vulnerable to git flag injection and allows reading any file in /var/opt/gitlab/gitaly...
WordPress: Parameter tampering : Price Manipulation of Products
Hello Security Team, I have found that you can buy any product for a lesser amount, or even for free, by changing the price of the product!! POC: 1. Go to https://mercantile.wordpress.org/ 2. Choose any product and add it to the cart 3. Now go to the cart and add your billing details 4. Intercept the request with...
Node.js third-party modules: [node-red] Stored XSS within Flow's - "Name" field
I would like to report Stored XSS in...
ZEIT: Unauthorized admission to any team in zeit.co
Step no. 1: open https://zeit.co/teams/invite/XXXX, and this is a code "CzKyCgbB" for joining a team called "maxhacker". If we generate a list consisting of 8 capital and small letters with any generation tool (F565462), knowing that the invitation code of any team is constant...
Brave Software: Stored XSS in localhost:* via integrated torrent downloader
Summary: Because the filename of a downloading torrent file isn't sanitized, an attacker is able to execute arbitrary JavaScript on localhost:* by abusing a crafted torrent file. Products affected: Brave 0.68.131, Chromium: 76.0.3809.100 Official Build. Steps To Reproduce: 1. Open...
Pornhub: IDOR allows any user to edit others videos
The researcher was able to change the password of private videos, edit other videos' data such as title and description, and publish private videos by successfully exploiting an IDOR...
Nextcloud: The password recovery let users know whether an email address exists or not in the website
URL: https://apps.nextcloud.com/password/reset/ I have tried to recover the password for some emails: [email protected] exists, [email protected] does not exist. After I clicked the "reset my password" button, the website informed me that the email did not exist. Impact: This is a bad practice, and it ...
New Relic: User can run monitors at private locations, which he has no access to
@skavans discovered that insufficient validation was performed when configuring Synthetics monitors allowing deployment to arbitrary private locations with knowledge of the location ID: POST /accounts//validation.json HTTP/1.1 Host: synthetics.newrelic.com...
U.S. Dept Of Defense: Command Injection (via CVE-2019-11510 and CVE-2019-11539)
Summary: The Navy has a Pulse Secure SSL VPN https://████████/dana-na/auth/urldefault/welcome.cgi that is vulnerable to: CVE-2019-11510 - Pre-auth Arbitrary File Reading; CVE-2019-11539 - Post-auth Command Injection. Vulnerable hostname from the SSL certificate: ██████████.navy.mil. The pre-auth arbitra...
Internet Bug Bounty: mod_http2, read-after-free in h2 connection shutdown (CVE-2019-10082)
Using fuzzed network input, the HTTP/2 session handling could be made to read memory after it was freed, during connection shutdown. This is made possible by a race condition in which nghttp2 maintains a reference to a stream after mod_http2 has destroyed it. This vulnerability has been fixed in...
New Relic: Stored XSS at Synthetics private locations (planted through location label or description)
Hey team, I've discovered stored XSS at the Synthetics private locations list. The Private locations page contains a script with private locations metadata inside, and the user input of location label and description isn't properly escaped, as you can see below: html window.nr =...
Slack: CSS Injection to disable app & potential message exfil
Tested on Slack for macOS v4.0.2 - I've marked this as code injection since there was no "CSS injection". 1. In the app go to Preferences - Sidebar 2. Enable custom theming 3. Set the column BG to FFFFFF; html display:none; 4. The app will no longer render; this survives re-installs. If this theme...
Roblox: Malformed string sent through FireServer leads to server freezing/hanging
This was found an hour ago, so if I get any information wrong, please comment and I'll get back to you! A cheater/exploiter can hang any Roblox gameserver with a 5-line script which sends a big malformed string through SayMessageRequest, resulting in the server hanging itself. This works in any...
MyCrypto: The Twitter accounts are linked on the page but unclaimed.
Hey team! There are two unclaimed social media accounts on "https://about.mycrypto.com". Accounts: https://twitter.com/rikasukenik https://twitter.com/sharonmanriquej Proof Of Concept (POC): For account one: F562323 For account two: F562307 F562308 F562310 Note: Yes, you noticed that like "Social...
Node.js third-party modules: [crypto-js] Insecure entropy source - Math.random()
Module module name: crypto-js version: 3.1.9-1 npm page: https://www.npmjs.com/package/crypto-js Module Description: JavaScript library of crypto standards. Module Stats: 184959 downloads in the last day 912568 downloads in the last week...
Nextcloud: potential RCE and XSS via file upload requiring user account and default settings
Potential RCE and XSS via file upload, requiring a user account and default settings. Requirements: 1. A user account that can upload files (NO admin) 2. The user account name on creation (usually the same as the creation/displayed name) 3. The data directory inside the Nextcloud server folder, as suggested by...
U.S. Dept Of Defense: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███
Description: Hello. Some time ago, researcher Orange Tsai from the DEVCORE team gave a talk at DEF CON/Black Hat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25: CVE-2019-11510 - Pre-auth Arbitrary File Reading; CVE-2019-11542 - Post-auth Stack Buffer Overflow; CVE-2019-11539 - Post-auth...
Node.js: Hostname spoofing
Summary: I found that url.parse is vulnerable to a host split that causes hostname spoofing. Description: Steps To Reproduce: url.parse('http://evil.c℀.victim.test/?') returns evil.ca/c.victim.test as the hostname, so this hostname matches .victim.test but will access evil.ca. Welcome to Node.js v12.9.0...
Liberapay: Invalidate session after password reset
The website doesn't invalidate the session after the password is reset, which can enable an attacker to continue using the compromised session. Steps: 1. Open the same account in two different browsers 2. Change the password in one browser and you will see that the other browser still validates the session after passwor...
Node.js third-party modules: `indexFile` option passed as an argument to node-server can lead to arbitrary file read
Hi guys, I would like to report a path traversal vulnerability in the indexFile parameter passed as an option to node-server. This vulnerability affects both the CLI --indexFile and options.indexFile passed as an argument to the Server.prototype.serveDir function in node-static.js. Module module name: node-stati...
ZEIT: Open Redirect on GitLab OAuth leading to Account Takeover
Summary: When an Open Redirect is used in a phishing attack, the victim receives an email that looks legitimate with a link that points to a correct and expected domain. What the victim may not notice, is that in the middle of a long URL there are parameters that manipulate and change where the...
Internet Bug Bounty: mod_http2, memory corruption on early pushes (CVE-2019-10081)
HTTP/2 very early pushes, for example configured with H2PushResource, could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. Scenarios where an attacker may be ab...
GitLab: Container scanning and Dependency scanning report leaked to unauthorized users
Hi GitLab Security team. Summary: GitLab makes the container scanning and dependency scanning information available as part of a JSON endpoint for merge requests. These reports are the output of the CI job and should only be displayed if the visiting user has access to CI. However, right now GitLab...
Node.js: Http response is not ended although underlying socket is already destroyed
Summary: When a Node server receives an HTTP request and hooks for the end, finish and error events are attached to the response object to handle cases when the response is closed/ended, but the underlying socket is abruptly terminated, then none of those events is fired. This leads to a state where the response seems to be...
Coda: Use GitHub pack with Coda employee GitHub account (search code of Coda's private repositories)
Summary: When you use the GitHub formula, the information from the GitHub API is returned by the endpoint https://coda.io/coda.CalcService/InvokeFormula. From what I understand, this endpoint expects a gRPC request. In the request is sent: the formula Github..CodeSearch, the version of the GitHub...