GitLab: Head pipeline leaked to unauthorized users via blocking merge request feature
Summary GitLab allows for public and internal projects to restrict the visibility of pipelines to project members only. Then, only project members should have access to the pipeline information. GitLab recently added the blocking merge request feature. This feature can be used to leak the head...
Mail.ru: Settings page in https://support.my.com is vulnerable to clickjacking
Researcher found that settings page on support.my.com was vulnerable to clickjacking...
Valve: [steam client] Opening a specific steam:// url overwrites files at an arbitrary location
If a user opens steam://devkit-1/list-shortcuts?response=/tmp/testfile, a file /tmp/testfile will be created containing the response to this request. Another problem with this is that the file will be overwritten if it already exists. The owner of the file will be the same as the user that runs t...
Automattic: Stored Self XSS on https://app.crowdsignal.com (in Photo Insert App) + Stored XSS on https://*your-subdomain*.survey.fm
Steps: 1. Go to https://app.crowdsignal.com/dashboard and click Create a New Quiz 2. Add Multiple Choice to your page and click image button, upload a photo and click upload. 3. Start the burp suite and click Save button. Look at the request poc1.png and you will see mediacode= parameter. It will...
GSA Bounty: Information disclosure (system username, server info) in the x-amz-meta-s3cmd-attrs response header on data.gov
Hi Team, I noticed, that the x-amz-meta-s3cmd-attrs response header returns sensitive information, like system username on data.gov x-amz-meta-s3cmd-attrs: uid:0/gname:root/uname:root/gid:0/mode:33184/mtime:1513269652/atime:1513269652/md5:2049644b6b833f5dbb826f60a4721f64/ctime:1513269652 Server:...
Omise: Email enumeration at SignUp page
Hi. There's a bad security practice at https://trade.go.exchange/en/auth/sign-up against User enumeration. Description: At the signup page here https://trade.go.exchange/en/auth/sign-up , when you enter an existing user's mail , a msg box says "Email is invalid." F546294 The problem is that any use...
ok.ru: [insideok.ru] Remote Command Execution via file upload.
Incorrect configuration of the insideok.ru web server allowed PHP execution in the directory with user-generated files, which could be used for RCE...
X (Formerly Twitter): Delete direct message history without access the proper conversation_id
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: add summary of the vulnerabili...
Nextcloud: Content Spoofing /Text Injection in https://docs.nextcloud.com
Hello Team, I have found a Content Spoofing / Text Injection on this domain https://docs.nextcloud.com Go to https://docs.nextcloud.com/!!!ATENTION!%20This%20server%20is%20on%20Maintenance%20please%20go%20to%20WWW.EVIL.COM%20%20%20%20%20%20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20% 20%...
Mail.ru: [sso.33slona.ru] Application Messages Error stacktrace PHP.
Sensitive configuration information was disclosed via verbose stack trace in web application...
MyEtherWallet: Malicious Node JavaScript Injection Leading to Theft of Private Keys and User Funds
Summary This vulnerability allows injection of arbitrary JavaScript code by the node that the MyEtherWallet user is connected to. This could be one of the default nodes e.g api.myetherwallet.com, or a custom node. With this code injection, the private key can be stolen if Keystore File or Private...
Acronis: Blind XSS on admin.acronis.com via delete account form on account.acronis.com
Blind XSS vulnerability was discovered on admin.acronis.com. The vulnerability could be triggered by sending a payload during the account deletion process on account.acronis.com...
BlockDev Sp. Z o.o: Earn free DAI interest (inflation) through instant CDP+DSR in one tx
Summary: The MCD contracts contain different mechanisms for accumulating rates in different contracts, namely pot and jug corresponding to the cost of a loan and interest earned on savings. Because these rates are not synchronised, and depend on the call to the drip method to be calculated, it's...
Mail.ru: Publicly Accessible HashiCorp Consul
Consul interface was available from outside on one of my.com subdomains...
Grammarly: “email” MFA mode allows bypassing MFA from victim’s device when the device trust is not expired
Summary: It is possible to bypass MFA without the need to have the phone code. Description: When we turn on the MFA and we have the user and password of the user, it is possible to bypass the MFA only by changing some values in the endpoint POST auth.grammarly.com//v3/api/login Steps To Reproduce: Note: - Us...
VK.com: Give swag
Out-of-scope...
GSA Bounty: Stealing Users OAuth Tokens through redirect_uri parameter
I found that https://login.fr.cloud.gov/oauth/authorize has vulnerability by open redirect on oauth redirecturi which can lead to users oauth tokens being leaked to any malicious user. Step : 1, Clicked on link...
Starbucks: Subdomain takeover of datacafe-cert.starbucks.com
Summary: The subdomain datacafe-cert.starbucks.com had an CNAME record pointing to an unclaimed Azure webservice. This is a high severity security issue because an attacker can register the subdomain on Azure and therefore can own the subdomain datacafe-cert.starbucks.com. Description: The dangli...
Internet Bug Bounty: Out of Bounds Memory Read in php_jpg_get16
I have found and reported an out of bounds memory read in PHP php_jpg_get16 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will...
Node.js third-party modules: [seeftl] Stored XSS when directory listing via filename.
I would like to report Stored XSS via filename in directory listing in seeftl It allows to inject malicious input in a filename that leads to stored XSS when directories listing. Module module name: seeftl version: 0.1.1 npm page: https://www.npmjs.com/package/seeftl Module Description seeftl --...
U.S. Dept Of Defense: Partial SSN exposed through Presentation slides on ██████████
Summary: During a search of ████████ I discovered that one of the slides in a presentation contained a screen shot of live data. Description: The slides describe testing and using military application to organize and aggregate data on users. On one of the slides it does show a screen shot of actua...
Nextcloud: SignUp using Fake Email
In this trial I used the email '[email protected]' and after pressing the SIGN UP button it will automatically redirect to https://ppp.woelkli.com/apps/preferredproviders/password/set/emailfakeforregister/H2qlEWHxQ3yiJgCsEXkR8, not through the account verification process first. For full the link Po...
BlockDev Sp. Z o.o: App Takeover ( makerdao.herokuapp.com )
Takeover of an old app that is no longer used by the company...
X (Formerly Twitter): protected Tweet settings overwritten by other settings
protected tweet settings will be disabled without the account owner's knowledge step for reproduction 1.Log in to an account with unprotected tweets on the Android app. 2. Log in to the same account on mobile.twitter.com and turn on protected tweets. 3. Confirm that the account's tweets are...
Brave Software: [Brave browser] WebTorrent has DNS rebinding vulnerability
Summary: Brave browser has built-in WebTorrent extension. After it finishes downloading a torrent, it serves the downloaded files on a local HTTP server listening on a random port. The problem is that the local HTTP server doesn't check for the hostname of the requesters, so a malicious remote...
Snapchat: Access to multiple production Grafana dashboards
@damian89 found a production Grafana instance which displayed confidential metrics inside various dashboards. While fuzzing patterns of certain snapchat related projects, I was able to find an instance of Grafana which was accessible by a guest user. That instance contained hundreds of production...
HackerOne: IDOR in Bugs overview enables attacker to determine the date range a hackathon was active
A minor Insecure Direct Object Reference IDOR vulnerability is present in the /bugs endpoint. One of the Bugs overview filters enables a program member to filter by Hackathon that their program was a part of. This filter is applied when hackathon IDs are provided in the hackathons parameter, like...
Rockstar Games: Warehouse DOM-based XSS may lead to Social Club Account Takeover.
The researcher brought our attention to a DOM-based Cross-Site Scripting vulnerability. Although issues on rockstarwarehouse.com are typically out of scope, this had an explicit impact on Social Club account security, so we decided we needed to act. The vulnerability only affected Internet Explor...
Semrush: Manipulation of exam results at Semrush.Academy
The researcher was able to bypass the exam process. By replacing the exam results with the correct ones, as the body of the request was JSON. After sending the request with the correct results, the researcher received a certificate. Hi. In this situation, it was possible to bypass the exam proces...
curl: Integer overflow at line 1603 in the src/operator.c file
Summary: add summary of the vulnerability On systems with a 64 bit, if --retry-max-time 18446744073709552, config-retry-max-time1000L will be overflow at line 1603 in the src/operator.c file. Similarly, the same is true for 32-bit operating systems. Steps To Reproduce: add details for how we can...
GitLab: Cross-site Scripting (XSS) - Stored in RDoc wiki pages
Summary When creating an RDoc wiki page it's possible to use a large number of html tags and attributes that are normally sanitized, when creating a linkable image of the format link For example it is possible to specify a class attribute when creating an image link: rdoc a will generate the...
Nextcloud: Talk - Leak of password-protected room name via already existent resource addition
CVSS ---- Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Description ----------- Affected: Talk / Spreed 6.0.3 The name of shared but password-protected rooms leaks to low-privileged authenticated users. An attacker does not need to guess room IDs, but can simply iterate over IDs to gath...
Nextcloud: Persistent XSS via filename in projects
CVSS ---- Medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Description ----------- Affected: Talk / Spreed 6.0.3 The name of a file is echoed without encoding when moving the mouse onto it in the projects tab of a conversation, leading to persistent XSS. A successful attack requires an...
Nextcloud: Clickjacking on https://download.nextcloud.com/
the vulnerability is Clickjacking Steps for Reproduce: 1. Create a script like this Clickjacking! The Site is Vulnerability Clickjacking 2. Enter a file name after saving it in the .html format Then the web is Vuln Clickjacking Sorry bad english im indonesian Impact By using Clickjacking techniqu...
Kartpay: Being able to change account contents even after password change
Improper Handling of Sessions leads to this vulnerability where users can try to login with 2 different sessions in 2 different browsers. changing any data doesn't reflect all the logged-in sessions...
Shopify: Inject page in admin panel via Shopify.API.pushState
Summary Shopify.API.pushState call the method handleRoutePushEvent, allows you to change routes to open pages from admin panel: js handleRoutePushEventpathname: e, search: t, state: a, hash: o const adminPath: n, history: i = this.props // adminPath = /admin , s = "".concatn.concate; // // If we...
Phabricator: IDOR bug to See hidden slowvote of any user even when you don't have access right
USER ACCOUNT ============= 1. user A who creates slowvote 2. User B Doesn't have permission to see above slowvote 3. User C has permission to see above slowvote STEP TO REPRODUCE ================== 1. From user A account go to http://phabricator.localhost.com/vote/create/ and create a slowvote . Chan...
Paragon Initiative Enterprises: Github wikis are editable by anyone https://github.com/paragonie/password_lock/wiki
submitted a misconfiguration in some of our GitHub repositories to us. Wikis are inherently editable for all users, but for some repositories an organization may want to restrict this access. In some cases it was possible for GitHub users . Github wikis on the following project...
Node.js third-party modules: Command Injection vulnerability in kill-port-process package
I would like to report a command injection vulnerability in the kill-port-process package. It allows an attacker to inject arbitrary commands. Module module name: kill-port-process version: 1.1.0 npm page: https://www.npmjs.com/package/kill-port-process Module Stats 0 downloads in the last day 13...
Mail.ru: Information Disclosure - Gaining access to coursework and to private course presentations
Access to course training materials was possible in Geekbrains due to read access to S3-compatible bucket. Geekbrains belongs to extended Ext. B scope...
curl: Integer overflows in tool_operate.c at line 1541
Summary: add summary of the vulnerability In tooloperate.c at line 1541, if --retry-delay18446744073709552, config-retrydelay1000 2^64 results in integer overflows, on 64 bit architectures; Steps To Reproduce: add details for how we can reproduce the issue 1. add step Tooloperate.c add a "printf"...
Nextcloud: Clickjacking on https://nextcloud.com/
the vulnerability is Clickjacking Steps for Reproduce: 1. Create a script like this Clickjacking! The Site is Vulnerability Clickjacking 2. Enter a file name after saving it in the .html format Then the web is Vuln Clickjacking Sorry bad english im indonesian Impact By using Clickjacking techniqu...
Starbucks: Subdomain takeover of d02-1-ag.productioncontroller.starbucks.com
Summary: I was able to claim the subdomain: d02-1-ag.productioncontroller.starbucks.com using Azure Cloud Service Platforms Affected: Subdomain Azure Cloud Service Steps To Reproduce: 1. Using dig, I was able to determine that the subdomain 'd02-1-ag.productioncontroller.starbucks.com' was...
Ruby: WEBrick::HTTPAuth::DigestAuth authentication is vulnerable to regular expression denial of service (ReDoS)
The private instance method splitparamvalue in class WEBrick::HTTPAuth::DigestAuth uses a regular expression that is vulnerable to denial of service due to catastrophic backtracking. The regular expression is: ^\s\w-.\%!+=\s"\.|^""\s,? Source:...
Ubiquiti Inc.: Local File Disclosure (+XSS+CSRF) in AirOS 6.2.0 devices
There are certain end-points containing functionalities that are vulnerable to reflected cross site scripting XSS, allowing attackers to abuse the user' session information and/or account takeover of the admin user. Authenticated users can be persuaded to visit malicious web pages, which allows...
Rockstar Games: Image Injection Vulnerability on /bully/screens
In this report, the researcher identified an image injection vulnerability in www.rockstargames.com/bully/screens that could be combined with other vulnerabilities to result in sensitive token theft from other users. This vulnerability has since been patched to prevent it from being exploitable...
LifeOmic: Improper signup & sign-in validation
Original Report from @zsbappa Summary: From the signup option I am able to sign up differently using Google and Facebook accounts where I am using the same email address. Description: I have accounts in both Facebook and Gmail/Google. Both accounts I opened using the same email account. When I go to signup...
Nextcloud: Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file
First: The default encryption module bundled with the Nextcloud Server creates SHA256-HMAC based message authentication codes for each individual 6072 byte-sized block of data. These are the steps to calculate the MAC: Take the user password and harden it with SHA256-PBKDF2 denoted as $passPhrase...
Node.js third-party modules: [jsreport] Remote Code Execution
I would like to report Remote Code Execution in jsreport It allows running js files remotely on a vulnerable server. Module module name: jsreport version: 2.5.0 npm page: https://www.npmjs.com/package/jsreport Module Description jsreport is a reporting server which lets developers define reports...
Node.js third-party modules: [script-manager] Unintended require
I would like to report Unintended Require in script-manager. It allows loading arbitrary non-production code js files. Module module name: script-manager version: 0.8.6 npm page: https://www.npmjs.com/package/script-manager Module Description node.js manager for running foreign and potentially...