15275 matches found
Mail.ru: CSRF Vulnerability at https://aw.my.com/
A CSRF vulnerability allowed changing userbar settings in https://aw.my.com/. https://aw.my.com/ belongs to Ext.B scope...
Liberapay: Reauthentication for changing password bypass
Hello there. So Liberapay has this security system because of which, if a malicious user tries to change the password of a logged-in account, whether by session hijack or anything else, he will be asked to re-enter the password before he can change it. But this loophole I found in the system using...
Kartpay: URL redirection
In the following POST HTTP request while registering as a merchant: POST /register HTTP/1.1 Host: merchant.kartpay.com User-Agent: Mozilla/5.0 X11; Ubuntu; Linux x86_64; rv:67.0 Gecko/20100101 Firefox/67.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language:...
Kartpay: Option method enabled in kartpay Webservers
HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the web server, it represents a request for information about the communication options available on the request/response chain identified by the Request-URI. Domain :...
Kartpay: Application Design issue for Phone Number field in Registration.
The current system only works for India, so the ISD code of India, i.e. +91, is mandatory for registration. During registration the system was accepting any country's ISD code because the request was not validated by the system; instead, whatever was sent through client-side modification was accepted. So the strict...
Infogram: Bypass for blind SSRF #281950 and #287496
Hello, when checking these 2 reports, 281950 and 287496, I found that it can be bypassed using IPv6/IPv4 address embedding. Steps to reproduce: 1. Access this link https://infogram.com/api/webresource/url?q=http://0:0:0:0:0:ffff:127.0.0.1 POC: F528736 References:...
Kartpay: Bypass _token in forms [Merchant.Kartpay.com ]
Summary: I found an issue in forms related to the Merchant.Kartpay.com domain and it allows bypassing the token. Browsers Verified In: Firefox 68 Steps To Reproduce: 1. Go to Login or any form https://merchant.kartpay.com/merchantlogin 2. Fill the form and intercept in Burp Suite, next click on LOGIN 3...
Nextcloud: User can delete data in shared folders he's not authorized to access
Steps to reproduce 1. create a group folder named TEST and share with "admin group" and "test group", marking the advanced permission flag 2. create two folders inside the main share: visible and invisible 3. inside "invisible" folder create a test file let's say something like "test.txt" 4. set...
Kartpay: Captcha protection Bypass on Forgot password page
The Captcha system was implemented, but validation of the Captcha was missed out on the forgot password page. It was found out and a fix has been released to the system. Captcha bypass by removing the token and forwarding the response...
Kartpay: Application Error disclosure, Verification token seen error and user able to change password
Summary: Application Error disclosure, Verification token seen error and user able to change password Browsers Verified In: Browser version: Google Chrome is up to date, Version 75.0.3770.100 Official Build 64-bit Steps To Reproduce: add details for how we can reproduce the issue Steps to reproduc...
Kartpay: SMTP Failure Leads to Chain of Internal System Failure
The Kartpay application uses a third-party SMTP service to send email, and the application was not coded properly to handle the failure of SMTP. So it has been implemented once it was found and reported...
Dropbox: Broken OAuth leads to changing users' profile photo.
This report describes how an API to update a user account photo did not fully authenticate the provided authentication token. This would allow an attacker who gained access to a partial user authentication token through other means to set the user's photo to a malicious image. No feasible method...
X (Formerly Twitter): Stored XSS in https://app.mopub.com
Vulnerable URL https://app.mopub.com/reports/custom/ XSS Payload: " Parameter nrnew-interval Steps To Reproduce: 1. Login with your credentials. 2. Go to URL: https://app.mopub.com/reports/custom/ 3. Click on New Network Report = Create a new network performance report. 4. Start Burp suite proxy...
Khan Academy: RTL override char allowed at khanacademy redirect page
Summary: An attacker can embed an RTLO character at the following URL https://www.khanacademy.org/computer-programming/linkredirector?url= to trick the user into downloading suspicious files. Steps to reproduce: Visit https://www.khanacademy.org/computer-programming/linkredirector?url= and add the following paylo...
Internet Bug Bounty: Basic Authentication Heap Overflow
Summary: An attacker can get arbitrary data overflowed in the heap via Basic Authorization base64 blob. Even when basic auth isn't configured. Report sent to developers When calling HttpHeader::getAuth the field value will be base64 decoded. The call to the decode method doesn't ensure that the...
Node.js third-party modules: Yarn transfers npm credentials over unencrypted http connection
Module module name: yarn version: 1.16.0 npm page: https://www.npmjs.com/package/yarn Module Description Fast, reliable, and secure dependency management. Module Stats Replace stats below with numbers from npm’s module page: 166 703 downloads in the last day 849 928 downloads in the last week 3 7...
Trellix: Vulnerability Report: NO RATE LIMIT Password RESET
A vulnerability was found where there was no limit to the number of password reset requests that could be sent to a user. This could allow an attacker who obtained a user's session to send an unlimited number of OTPs to the user, potentially leading to denial of service...
curl: Active Mixed Content over HTTPS
Summary: Resources Loaded from Insecure Origin (HTTP) Steps To Reproduce: Vulnerability Details: detected active content loaded over HTTP within an HTTPS page. Remedy: There are two technologies to defend against mixed content issues: HTTP Strict Transport Security (HSTS) is a mechanism tha...
curl: Insecure Frame (External)
Summary: Insecure Frame (External) Steps To Reproduce: Vulnerability Details: identified an external insecure or misconfigured iframe. Remedy: Apply sandboxing to the inline frame. For untrusted content, avoid the usage of the seamless attribute and of allow-top-navigation, allow-popups and allow-scripts in...
HackerOne: Total bounties paid amount is disclosed because of redesign of the Program Profiles
Description: On July 2 HackerOne redesigned the Program Profiles. After the new program page design, I noticed that it is disclosing the total bounties paid amount. For some programs the total bounties paid amount was hidden ████. It used to show like $4000 if the bounty was $3990. But after the redesign, i...
OLX: SQL Injection on https://www.olx.co.id
I found a SQL injection on the website https://www.olx.co.id Affected URL: https://www.olx.co.id/ajax/buybundle/getbundle/ POC: 1 In the request below I got a SQL injection vulnerability in the location parameter (POST method) POST /ajax/buybundle/getbundle/ HTTP/1.1 Host: www.olx.co.id User-Agent...
OLX: Reflected XSS in www.olx.co.id
Vulnerability: Reflected XSS in www.olx.co.id Steps to Reproduce: 1 Go to https://www.olx.co.id/iklan/di-jual-t120ss-habis-kena-php-IDA4JSB.html?adtype=OR. 2 Inject this payload "alert1l43ax in the adtype GET parameter...
Rockstar Games: The return of the <
In this report, the researcher was able to demonstrate a Stored XSS vulnerability in our Message system on the Social Club website. By taking advantage of the fact that '<' characters are normalized to ...
Khan Academy: Khan Academy ClickJacking to Steal Users' Credentials
DESCRIPTION 1. It asks to log in to https://alerta.khanacademy.org with a Google account. 2. It doesn't give access to any normal user. 3. That's why, after trying to log in with a Google account, it shows an error message prompt with the user's sensitive information including email, code/access token and clie...
MariaDB: Ubuntu/Debian installation method allows key poisoning and code execution for network attacker
The MariaDB installation instructions for apt-based distributions Debian/Ubuntu look like this: sudo apt-get install software-properties-common sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8 sudo add-apt-repository 'deb arch=amd64...
New Relic: Restricted user can add and delete tags of APM key transactions
Description Within APM after you setup a connection, there is the ability for you to mark a "key transaction" which will then populate data on the Key Transactions page in APM. On this page, there is the ability for an admin to hover over the tag icon and add a tag to the name of the key...
Trint Ltd: Insecure Zendesk SSO implementation by generating JWT client-side
Summary: app.trint.com implements SSO to Zendesk; it does this by using JWT as described at https://support.zendesk.com/hc/en-us/articles/203663816-Enabling-JWT-JSON-Web-Token-single-sign-on. This functionality has not been implemented securely because the JWT generation happens on the client side...
Tron Foundation: Private Key exposed in Travis Log can Compromise all the test servers.
REQUIRED: 1. Summary of the bug Summary: Private key is printed in Travis Console log https://travis-ci.org/tronprotocol/java-tron/builds/361945077L4101 Github provides information of test servers https://github.com/tronprotocol/java-tron/blob/24575f0d835b00850b89c620e276fb61c791508d/deploy.sh...
Dropbox: Fedora installation instructions fetch repo and validation key from insecure source, allowing mitm attack
The reporter noted that our installation instructions for our Linux Desktop Client for Fedora specified HTTP URLs instead of HTTPS. This could allow an attacker with a privileged network position the ability to swap the GPG key during installation, allowing them to install a rogue signing key on...
MariaDB: Path traversal in command line client
The command line client has a directory traversal bug which allows server-chosen files to be dlopened when it connects to a malicious server. The path can also be padded with / characters so that strxnmov drops the .so extension. The dlopen call is performed here: Impact In rare situations where...
curl: Libcurl occasionally sends HTTPS traffic to port 443 rather than specified port 8080
Summary: We have encountered an issue with libcurl where, under certain network conditions, the library will attempt to submit data to an incorrect port rather than the one set by CURLOPT_PORT. As information is sent to an unauthorised port, we consider this an information disclosure issue. Our security softwa...
Upserve : Payment method token being sent to 3rd party analytics service
Vulnerability Details: Payment tokens can be re-used to link the credit card to another user's account. When linking a credit card, a URL with Paymentmethodtoken will be generated and then the user will be redirected to the generated URL F523794. Then, a request will be made to orders.upserve.com t...
Shopify: Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile)
Summary: The Shopify Android app has an option to sign in to the app using a fingerprint. But if the application was open and someone triggers a "deeplink", authentication is no longer required. Steps to Reproduce F523700 Link: Shopify Help Center - Topics - Products NOTE¹: The application must be open...
GitLab: Project Milestones Disclosed Via Groups When the Victim disabled milestones access in project settings
Reproduction steps: Create a public group and public project. Go to public project settings and disable the project settings to members only. F522796 If the attacker visits milestones via projects then may see 404 not found page...
OLX: Reflected XSS on m.olx.co.id via ad_type parameter
I have identified a Reflected Cross-Site Scripting (XSS) vulnerability on the m.olx.co.id website. Vulnerable URL: https://m.olx.co.id/iklan/zundapp-1962-cafe-racer-250-cc-made-in-germany-IDA3GpU.html?adtype=PL"" Steps to replicate are fairly simple. Just access the URL and the JavaScript gets...
curl: huge COLUMNS causes progress-bar to buffer overflow
Summary: If an attacker can set environment variables, curl will always crash with a buffer overflow when downloading a file if the --progress-bar argument is set. Steps To Reproduce: Just run the following command on a 64-bit Linux system (verified on Ubuntu 19.04). bash Of course you can set th...
X (Formerly Twitter): Wrong interpretation of URL-encoded characters, showing different Punycode, leads to redirection to a different domain
Summary: There is a wrong interpretation of URL-encoded characters at the https://twitter.com/safety/unsafelinkwarning endpoint which could lead to a different location than what is supposed to. Although it shows a warning, it doesn't show a warning about Punycode characters. Description: On following...
New Relic: Stored XSS Via NRQL chartbuilder JSON view
I've found another stored XSS that can affect other users through the JSON chart type in one.newrelic.com Steps to Reproduce: 2. Navigate to the chart builder in one.newrelic.com 3. Within the chart builder, perform the following NRQL query: SELECT “ "' Style=position FROM SyntheticCheck 4. Paylo...
HackerOne: Custom Field Attributes may be created and updated for customers with Custom Field Trial enabled
The Custom Field feature is currently only available for customers on the Enterprise product edition. A trial period can be given by enabling the custom-fields-trial feature for programs who are not on that product edition yet. However, when enabling this feature, the incorrect ordering of an ACL...
Mail.ru: web.icq.com XSS in chat message via contact info
web.icq.com XSS in chat message via contact info...
U.S. Dept Of Defense: Remote OS command Execution in the 3 more Oracle Weblogic on the ████████, ████, ███████ [CVE-2017-10352]
Description Hello. I was able to identify 3 more RCE vulnerabilities due to the outdated Oracle Weblogic instance on the █████████, ███, █████ After my previous discoveries I decided to dig deeper into the ███.mil scope/IP space and found other instances of vulnerable Oracle WebLogic. I decided t...
Omise: Broken Authentication and Session Management Flaw After Change Password and Logout
Summary: Usually what happens is that when you change your password or sign out from one place or one browser, someone who has the same account open in another browser will automatically be signed out too. Basically your session is destroyed at the server side... But on your site, it is still alive... PoC Detail About...
Weblate: HTML injection and information disclosure in support panel
Hello Weblate Team! I found HTML injection and information disclosure in the support panel. Description: There is a form on weblate.org and hosted.weblate.org to send a message to support. I poisoned the request, inserting the following payload in all fields: " After that, when my payload got into the support panel...
OLX: Reflected XSS on www.olx.co.id via ad_type parameter
I have identified a Reflected Cross-Site Scripting (XSS) vulnerability on the www.olx.co.id website. Vulnerable URL: https://www.olx.co.id/iklan/sony-xz-ram-3gb-32gb-finger-mulus-preisure-naik-test-air-disini-IDA2UED.html?adtype=OR"/alert"XSS" Vulnerable Parameter: skeyword XSS Payload:...
shopify-scripts: Invalid read in `str_replace_partial`
PoC === The attached POC shows an invalid read. Debug info ========== The issue happens when memmove is called inside str_replace_partial. valgrind report: 0==27051== Invalid read of size 1 ==27051== at 0x483FA10: memmove vg_replace_strmem.c:1270 ==27051== by 0x135D60: str_replace_partial string.c:1193...
Mail.ru: Unsafe downloaded file execution
The ICQ interface did not inform the user of potentially dangerous file types when opening a file from the chat window...
Shopify: Add store to new partner account without confirming email address.
Details: When someone signs up for a new account on partners.shopify.com they are asked to confirm their email address before they can do anything, and by anything I mean add stores, invite members, use affiliate tools and so on. Apparently they can leverage an issue on partners.shopify.com to...
Node.js third-party modules: Command Injection in npm module name passed as an argument to pm2.install() function
Hi Lads, I would like to report a command injection that is possible when an npm module name is passed into pm2.install. An attacker is able to attach OS commands to the npm module name, and those commands will be executed when the payload reaches the execution sink in the continueInstall function in the API/Modules/NPM.js file...
Nextcloud: Code injection in macOS Desktop Client
Vulnerability description: I've identified a code injection vulnerability in your macOS desktop client. Any malicious application running with standard user permissions is able to exploit this vulnerability and execute code in your application's context. Requirements: In order to exploit this...
Mail.ru: Code Injection in macOS Desktop Client
DYLD environment variables were not disabled in the macOS desktop ICQ client. Disabling DYLD environment variables is BCP for macOS applications to prevent a code injection vector into the local process...