Ping Identity: Session misconfiguration on forget password feature at https://ort-admin.pingone.com
Summary: After looking into session related bugs, I can see that Session misconfiguration on forget password feature at https://ort-admin.pingone.com Steps To Reproduce: 1 go to https://ort-admin.pingone.com and login as user-A in browser-A 2 go to https://ort-admin.pingone.com and click on forg...
Rockstar Games: Image Injection on `/bully/anniversaryedition` may lead to FB's OAuth Token Theft.
In this report, the researcher identified a chain of attacks that could result in sensitive token leakage, such as Oauth tokens. The attack would begin with an image injection exploit on the page at https://www.rockstargames.com/bully/anniversaryedition. That exploit was the focus of this...
Mail.ru: Blind XSS in operator's interface for 33slona.ru
Blind stored XSS in operator's interface of 33slona.ru via call back request...
Lark Technologies: Server Side Request Forgery
It was found that one lark endpoint was susceptible to a Server-Side Request Forgery SSRF vulnerability using the parameter "URL" which could have potentially been used by an attacker to conduct host/port scanning on the internal network. We thank @jin0ne for reporting this to our team and...
WordPress: Reflected XSS on https://make.wordpress.org via 'channel' parameter
Hi there, I just found a reflected XSS on the make.wordpress.org domain. Steps to reproduce: 1. Visit this link: https://make.wordpress.org/chat/logs?channel=16%22%3E%3Cimg%20src=x%20onerror=alertdocument.domain%3E&date=2019-07-21&nobots=1 2. XSS pop up will occur. POC: see: wp reflected xss.png Not...
Starbucks: China – Limited Partner PII Regarding Work Scheduling via Unauthenticated API Endpoint
0xpatrik discovered an unauthenticated API endpoint that allowed retrieval of specified work leave dates of designated Starbucks employees in China. @0xpatrik — thank you for reporting the original vulnerability and for confirming the resolution...
Shopify: Clickjacking in [exchangemarketplace.com]
Hi Team, Summary: X-Frame-Options ALLOW-FROM https://exchangemarketplace.com not supported by several Browser, this caused Clickjacking on https://exchangemarketplace.com Type of issue : Clickjacking Description: Clickjacking User Interface redress attack, UI redress attack, UI redressing is a...
WakaTime: Rate Limit too lenient for endpoint sending emails
Rate-limiting is a process that is used to define the rate at which consumers can access APIs. Also, it determines the speed at which a consumer can access APIs. Rate limit is calculated in real time. How to reproduce? 1. Sign-up for the account for WakaTime. Domain - www.wakatime.com 2. After...
GitLab: Git flag injection - local file overwrite to remote code execution
Summary The wikiblobs scope of the Search API can be provided with an arbitrary ref parameter, allowing for additional flags to be injected into the git command. For example the following API call: curl --header "PRIVATE-TOKEN: $TOKEN"...
Nextcloud: Clickjacking on https://download.nextcloud.com
This page is vulnerable to clickjacking https://download.nextcloud.com Steps to Reproduce: 1. Copy the following code and save it as clickjacking.html Clickjack test page Website is vulnerable to clickjacking! 2. Open it in browser You can see the website is vulnerable to clickjacking Impact Anyo...
Rockstar Games: Image Injection vulnerability on screenshot-viewer/responsive/image may allow Facebook OAuth token theft.
In this report, the researcher identified a series of vulnerabilities that could be exploited together to exfiltrate sensitive user tokens. In this attack chain, one critical step was an image injection vulnerability in the Screenshot-Viewer function on the main site, at...
Central Security Project: OS Command Injection in Nexus Repository Manager 2.x
Maven artifact groupId: org.sonatype.nexus.plugins artifactId: nexus-yum-repository-plugin version: 2.14.9-01 Vulnerability Vulnerability Description The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All instances using CommandLineExecutor.java with user-supplied data are...
QIWI: Commission bypass when paying by card
Commission bypass when paying by card...
HackerOne: Manipulate hacker profile and private program hacktivity to expose your name as researchers who is actively submitting reports with resolve status
Hi Team, Summary: First of all, the issue that I have found has multiple steps, so please make sure to follow the steps accordingly. I was able to put my hacker name on a private program hacktivity profile showing that I have a report that was resolved; this will also reflect on my hacker profile...
Rockstar Games: CSRF Vulnerability on Facebook Linkage Page Allows Full Account Takeover of Socialclub Accounts.
In this report, the researcher identified a CSRF vulnerability in the account linking process that could have allowed attackers to link their Facebook account to the victim's Social Club account, giving the attacker access to the victim's Social Club account. This attack would have required a...
Kartpay: XSS in https://merchant.kartpay.com/settlements
Parameter Search Payload " URL https://merchant.kartpay.com/settlements Steps to reproduce 1. Go to URL: https://merchant.kartpay.com/settlements 2. Enter above payload. 3. You will see xss payload getting executed. F535235 F535234 F535236 Impact Cross-site scripting is a flaw that allows users t...
Kartpay: Error Page Content Spoofing or Text Injection [https://vpn.kartpay.com/]
VPN URL is accessible to the Public which is a misconfiguration of VPN Setup. So the Setup has been fixed and only internal network can access the VPN systems,...
GitLab: Git flag injection leading to file overwrite and potential remote code execution
Summary The refname in the Commits API is not sanitized, allowing for a ref starting with -- to be provided causing git to interpret it as a flag instead of as a ref. If a refname such as --output=/tmp/somefile is used then the following command is executed by gitaly in findcommits.go:...
Monero: CVE-2019-13132 - libzmq 4.1 series is vulnerable
Summary: A pointer overflow, with code execution, was discovered in ZeroMQ libzmq aka 0MQ 4.2.x and 4.3.x before 4.3.1. A v2decoder.cpp zmq::v2decodert::sizeready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can b...
Valve: WG call injection in /economy/contextcommand
The vulnerability involved insufficient parameter validation in context-specific commands to a web-facing gateway. This allowed some economy queries to be executed outside the actual requesters' capability by confusing the type system. Bypasses for initial fixes were also provided...
Avito: Missing SPF Records
SPF Record was missing for m.avito.ru...
Mail.ru: [auto.mail.ru] IDOR allowing editing of any user's post.
IDOR allowed editing arbitrary posts on auto.mail.ru. auto.mail.ru belongs to the Extended scope. IDOR allowing editing of an arbitrary post on the auto.mail.ru site...
Ruby: OS Command Injection via egrep in Rake::FileList
When a file whose name starts with | is in Rake::FileList, then egrep will execute the command. How to reproduce PoC pocrake.rb is the following. ruby require 'rake' list = Rake::FileList.newDir.glob'' p list list.egrep/something/ Example of executing. % ls -1 Gemfile...
Uber: Unsecured Dropwizard Admin Panel on display.uber-adsystem.com exposes sensitive server information
The dropwizard instance running on display.uber-adsystem.com is unsecured, meaning any unauthenticated user can view and use its admin tools. These tools expose sensitive information on Uber production servers, including the current threads running, info on the CPU, and more server info that...
Kaspersky: Stored credentials instantly autofilled within sandboxed iframes
Summary Stored credentials are instantly autofilled within sandboxed iframes, disregarding effective origin of sandboxed iframes and the expected cross-origin restrictions Description Kaspersky is expected to obey cross-origin restrictions which apply to sandboxed iframes. However, the Kaspersky...
Moneybird: Enable 2FA without verifying the email
Description: I am able to add 2FA to my account without verifying my email. Attack scenario: 1. Attacker signs up with the victim's email. Email verification will be sent to the victim's email. 2. Attacker is able to login without verifying email. 3. Attacker adds 2FA. Impact: the victim can't register an account wit...
Equifax-vdp: Important information leaked on Github
While searching on Github about Equifax I found some juicy information like a username and password of this subdomain https://transport5.ec.equifax.com/, internal ip of the database and its username & password. In the following link...
Internet Bug Bounty: Multiple HTTP Smuggling reports
These reports spread over several years and are all about HTTP Smuggling issues: HTTP Requests or Responses splitting, Cache Poisoning, Security filter bypass. I've made reports on a wide range of open source projects, explaining the not always easy problems to the various security maintainers...
U.S. Dept Of Defense: [█████] Reflected GET XSS (/personnel.php?...&rcnum=*) with mouse action
I will combine this vulnerability with this vulnerability described in this report 648222. If you have not read this report, I recommend reading that report first, and then studying this report. I want to note that this report cannot be closed as a duplicate to the above described report. why?...
U.S. Dept Of Defense: [████████] Boolean SQL Injection (/personnel.php?content=profile&rcnum=*)
In this report, I want to describe a dangerous SQL injection, with the help of which I was able to extract certain data from the database. I used the insights from this report 648222. Using the bug from the aforementioned report, I could find this endpoint and perform SQL injection. Steps to reprodu...
U.S. Dept Of Defense: [██████] Reflected GET XSS (/personnel.php?..&folder=*) with mouse action
I will combine this vulnerability with this vulnerability described in this report 648222. If you have not read this report, I recommend reading that report first, and then studying this report. I want to note that this report cannot be closed as a duplicate to the above described report. why?...
U.S. Dept Of Defense: [███████] Reflected GET XSS (/mission.php?...&missionDate=*)
I will combine this vulnerability with this vulnerability described in this report 648222. If you have not read this report, I recommend reading that report first, and then studying this report. I want to note that this report cannot be closed as a duplicate to the above described report. why?...
U.S. Dept Of Defense: [██████████] Unauthorized access to admin panel
In previous reports, I described vulnerabilities in a panel to which I had access. 512269 512693 512695 I could log in to this site and then perform some attacks, such as SQL injection\XSS or other bugs. But before the above vulnerabilities were considered by you, the possibility to bypass...
U.S. Dept Of Defense: ██████████ bruteforceable RIC Codes allowing information on contracts
Summary: I'm entirely sure if this is anything useful from an attacker's purpose. Close the report if it's not sensitive or non impactful. I noticed the DoD Warning mentioned it's sensitive so I thought to report it regardless just in case. I noticed ████████ has a functionality to let you look up R...
GitLab: Stored XSS in "Create Groups"
NOTE! Thanks for submitting a report! Please replace all the parenthesized sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary Stored attacks are those...
Shopify: ██████ DOM XSS via Shopify.API.remoteRedirect
Hi, team. I found a dom xss on the apple-business-chat app that seems to be referring to a vulnerable js file. For users who have installed this app, just let him use the theme code I provided to complete xss. Modify the theme code to the following payload function attack let...
HackerOne: Private information exposed through GraphQL filters
Summary: secure schema can be circumvented for graphql where filters by using or operator. Description: When passing a where clause to a collection in the graphql endpoint, like teamswhere: state: eq: softlaunched it queries the state through the secure schema - so it will not return any teams...
HackerOne: Program Email Notification settings ignored when being added as an external contributor
Summary: When being added as an external contributor to a report, the report title is displayed in the email notification despite the program email notification settings being set to No Content. Description: Hey team! I noticed that programs have the ability to set their Email Notification...
U.S. Dept Of Defense: PII leakage-Full SSN on ███
Summary: I discovered a pdf file on ████████ that outlines various information corresponding to military members. It reveals information on date of birth, where they were born, marriage status, race, children/dependents, etc Description: I discovered what looks to be an internal file that outline...
Lark Technologies: Server Side Request Forgery
A SSRF server side request forgery vulnerability was found in the chat feature of Lark Suite on MacOS, which could have potentially been used to access services and web applications running on the internal network. We thank @jin0ne for reporting this to our team and confirming the resolution...
WordPress: Stored XSS Vulnerability
Hi there, I found a stored xss @ https://core.trac.wordpress.org/ Steps: 1. Go to https://core.trac.wordpress.org/ and login. open new private window and login with another account 2. Go to https://core.trac.wordpress.org/newticket and set a summary and description. 3. Select a Workflow Keyword a...
Radancy: Developer's websites are easily accessible leading to massive information disclosure
Domain and URL: .devmaximum.com ███████████.acc.devmaximum.com Hello, I've found a couple hundred devmaximum websites with personal data. I know these subdomains are out of scope; I've discovered them with devmaximum.maximum.nl's SSL certificate. But in less than 30 minutes of testing I've...
Ping Identity: Session misconfiguration on change password feature at https://apps-staging.pingone.com/myaccount/?environmentId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx#
Summary: After looking into session related issues, I can see that there is session misconfiguration on change password feature at https://apps-staging.pingone.com Steps To Reproduce: 1 go to https://apps-staging.pingone.com/myaccount/?environmentId=XXXXX and login as user-A in browser-A 2 go to...
Semrush: SSRF In Get Video Contents
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: A SSRF In Get...
Kartpay: Reflected XSS on https://merchant.kartpay.com/payment_settings [status]
Vulnerable URL https://merchant.kartpay.com/paymentsettings/type Parameter status Payload " Steps to Reproduce 1. Login with your credentials. 2. Go to https://merchant.kartpay.com/paymentsettings 3. Start Burp suite proxy and intercept on. 4. Click on Run and Save button. intercept the request. ...
Radancy: Wrong link on corne.maximum.nl
Domain and URL: corne.maximum.nl Hello, I noticed that your subdomain corne.maximum.nl links to the website "maximum.com" instead of "maximum.nl" "maximum.com" is in control of a Chinese organization as you said in your description. I think you've made a little mistake, but there is no impact :...
Concrete CMS: Unauthenticated reflected XSS in preview_as_user function
An unauthenticated, reflected cross-site-scripting attack is possible due to the unsanitised cID parameter in the previewasuser functionality. Example URL: https://LOCAL-CONCRETE-INSTALL/ccm/system/panels/page/previewasuser/preview?cID=%22%3E%3C/iframe%3E%3Cscript%3Ealert1%3C/script%3E%3C!-- The...
Razer US: Synapse 2.21 - DLL Hijacking vulnerability
Description of Vulnerability: When Razer Synapse starts on a Windows machine it tries to load a DLL RazerConfigNative.dll from the C:\ProgramData\Razer\Synapse\Devices directory. If a malicious attacker puts the malicious DLL in that directory, Razer Synapse will load it and run the code found in...
X (Formerly Twitter): Viral Direct Message Clickjacking via link truncation leading to capture of both Google credentials & installation of malicious 3rd party Twitter App
Summary: Viral Direct Message Clickjacking via link truncation leading to capture of both Google credentials & installation of malicious 3rd party Twitter App Description: Because very long links in direct messages are truncated after 38 characters the malicious actors were able to provide a...
JamieWeb: HTTP Request Smuggling
is vulnerable to host header injection because the host header can be changed to something outside the target domain. Attack vectors are somewhat limited but depends on how the host header is used by the back-end application code. If code references the hostname used in the URL such as password...