Nextcloud: Delete permission can be added on reshare
user0 creates folder /test. user0 creates file /test/file.txt. user0 shares folder /test with user1 with read+share permissions (17). user1 receives the folder /test and can read/download /test/file.txt but not delete - good. user1 uses the sharing API to share folder /test with user2, and specifies...
WordPress: pre-auth Stored XSS in comments via javascript: url when administrator edits user supplied comment
When a comment is submitted, it is filtered via wp_rel_nofollow_callback, which adds the rel attribute to tags within the anchor: function wp_rel_nofollow_callback( $matches ) { $text = $matches[1]; $atts = shortcode_parse_atts( $matches[1] ); $rel = 'nofollow'; if ( ! empty( $atts['href'] ) ) { if ( in_array( strtolower( wp_parse_u...
GitLab: Private System Note Disclosure using GraphQL
Summary When you use the REST API or UI to view an issue's discussion/notes, private system notes are visible to members only, such as moving an issue to a private project, marking an issue as a duplicate of a confidential issue, or someone mentioning this issue in a confidential issue. They are properly...
Starbucks: Information disclosure on sim.starbucks.com
Description: Hi there. I found that the sim.starbucks.com host has deployed a Jira server, version 7.9.2; there are many public vulnerabilities for this old version. Information disclosure vulnerability 1. CVE-2019-3403 https://jira.atlassian.com/browse/JRASERVER-69242 Visit the URL address, you can che...
U.S. Dept Of Defense: Root Remote Code Execution on https://███
Summary: Atlassian Crowd is a centralized identity management application that allows companies to "Manage users from multiple directories - Active Directory, LDAP, OpenLDAP or Microsoft Azure AD - and control application authentication permissions in one single location." A DOD installation is...
GitLab: Server Side Request Forgery mitigation bypass
Summary This vulnerability allows an attacker to send arbitrary requests to the local network which hosts GitLab and read the response. This is possible due to flawed DNS rebinding protection. The attack is possible due to a flaw here:...
Zomato: Self-Stored XSS - Chained with login/logout CSRF
NOTE! This report explains taking over an account in a single click by chaining stored XSS, WAF bypass, login and logout CSRF. Summary: An attacker can take over someone's account by stealing their Facebook / Google login tokens, chaining multiple vulnerabilities. Description: The attacker leaves a review...
Valve: Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message
Overview Counter-Strike: Global Offensive's UI is built on a framework called Panorama which is heavily influenced by modern HTML/CSS with JS capabilities. Because of these properties, the UI becomes easily vulnerable to different types of code injection, most notably XSS. Previously, it was...
Lyst: Web Cache poisoning attack leads to User information Disclosure and more
Hello, your web server is vulnerable to web cache poisoning attacks. This means that an attacker is able to get another user's information. If you are logged in and visit this website, for example: https://www.lyst.com/shop/trends/mens-dress-shoes/blahblah.css then the server will store the...
TomTom: Listing of Amazon S3 Bucket accessible to any amazon authenticated user (vector-maps-e457472599)
Summary: It's possible to get a listing of every file in the S3 bucket vector-maps-e457472599. Description: The problem is that, using the AWS command line, it's possible to get a listing of files in the Amazon S3 bucket with any AWS authentication. See screenshot vector-maps-e457472599publics3bucket.pn...
Informatica: Public Github Repo Leaking Internal Credentials Leading To DiscoveryIQ Docker Access
The researcher identified and reported a public GitHub repo leaking internal information...
Nextcloud: Some HTML Tags are Getting Executed in com.nextcloud.client
What is the Vulnerability? HTML tags such as , , and are getting executed in the Nextcloud client mobile application for Android, which can then result in code injection. Reproduction Steps 1. Using the Nextcloud client mobile app on Android, rename a folder to test. Our HTML tag was executed F518303...
Nextcloud: Passcode Protection in Android Devices Can be Bypassed.
What is the Vulnerability? The passcode can be bypassed by calling a MainLoginActivity, which is com.owncloud.android.ui.activity.FileDisplayActivity. We have successfully bypassed the passcode and are redirected to the app's user interface. of the user's credentials: Android Version: 9 Non Roote...
Monero: Monero Wallet Gui for Windows (Arbitrary Code Execution)
Summary: The Windows version of the monero-wallet-gui.exe application allows for code injection. The monero-wallet-gui.exe utilizes a precompiled OpenSSL library called libeay32.dll. This OpenSSL library is trying to read a configuration file that doesn't exist. By default, on Windows systems,...
PuTTY (European Commission - DIGIT): Heap overflow happens when receiving a short-length key from an SSH server using SSH protocol 1
Summary: There's no check in the ssh1_login_process_queue function when reading the servkey and hostkey lengths from the packet, which may cause a heap overflow. Remote code execution may be possible. Steps To Reproduce: 1. To test this issue, I downloaded openssl6.8 to compile to craft packets, using the below command to...
OLX: Reflected XSS on https://www.olx.co.id/iklan/*.html via "ad_type" parameter
I found a Reflected XSS on https://www.olx.co.id/ - Vulnerability URL: https://www.olx.co.id/iklan/.html - Payloads: " Proof of Concept: 1. Try to find every URL with this URL structure https://www.olx.co.id/iklan/.html 2. Add the payloads in the ad_type parameter, example:...
Vercel: User personal data disclosure via API
Summary: As a normal user, the API allows me to obtain information about other users by passing their email address as a query parameter which then returns their name, username, uid, avatar hash, and email in the HTTP response body. Under GDPR regulations this information disclosure is categorize...
Node.js third-party modules: Command Injection due to lack of sanitisation of tar.gz filename passed as an argument to pm2.install() function
Hi Guys, it's been a while : I would like to report a Command Injection in the pm2.import function when a tar.gz archive is installed with a name provided as user-controlled input. Due to the lack of proper validation of the tar.gz archive filename, this vulnerability allows injecting arbitrary commands and...
ZEIT: Access control bypass leads to domain information disclosure
Summary: By leveraging the domain verification endpoint I can obtain sensitive information about the user who registered the domain within the zeit UI including username, email address, userId, and customerId. In addition, some high level information about the domain is included as well such as...
Nextcloud: CSRF vulnerability that allows an attacker to modify encryption settings
The POST request to /ocs/v2.php/apps/provisioning_api/api/v1/config/apps/core/encryption_enabled is missing a unique token, so that if an attacker can trick an admin user with an active session into visiting an attacker-controlled website, he/she can control the core application setting "encryption_enabled...
Grammarly: Lack of CSRF header validation at https://g-mail.grammarly.com/profile
Hello! Description I found that the CORS setup in some places checks the protocol, but it allows the http scheme. In addition, any subdomain is considered trusted. If the origin is http://www.grammarly.com, then the server will respond: Access-Control-Allow-Origin:...
Node.js: loader.js is not secure
Summary: Node.js loader.js can be exploited by an attacker. The vulnerability: https://github.com/nodejs/node/blob/a33c3c6d33fa81fa59a5aa95246d7f599e6abdd3/lib/internal/modules/cjs/loader.js#L892 Module._initPaths = function() { var homeDir; var nodePath; if (isWindows) { homeDir = process.env.USERPROFILE...
Starbucks: Reflected cross-site scripting on multiple Starbucks assets.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Please indicate NA, if not applicable. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling...
Yelp: PURGE is not authenticated
Vulnerability description not provided...
Shopify: Any staff member with the ability to comment in [discounts] can disable the comment section for other staff, even the admin of the store
Hi, I found this cool behavior by mistake when I was testing some GraphQL: any user with the ability to comment on discount codes in the discounts section can turn off comments for the other staff members, including the admin/manager of the store. This happens because when the GraphQL used to create a...
New Relic: CSTI fix (#587829) bypass leading to stored XSS at plugins again
@skavans discovered a workaround for previous XSS mitigations. This led to a more robust approach to filtering dangerous content in Angular templates...
Chainlink: No Valid SPF Records.
Hi, there is an issue: No valid SPF records. Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing...
Node.js third-party modules: Application level denial of service due to shutting down the server
Module name: http-live-simulator version: 1.0.7 npm page: https://www.npmjs.com/package/http-live-simulator Description I've found a way to crash the server due to the way it parses URLs. Steps To Reproduce: 1- Install the module: npm install -g http-live-simulator 2- Run the server:...
curl: Integer overflow in "header_append" function
Summary: The function header_append contains an integer overflow; it can bypass the check on the length and can lead to a subsequent heap buffer overflow. Steps To Reproduce: I don't have a PoC, but here is a little description of the problem. Vulnerable code: static CURLcode header_append(struct...
New Relic: Stored XSS via "my recent queries" selector in NRQL dashboard builder
This is a pretty simple one. Within NR One, there is a stored XSS via the dashboard builder. It appears in the "My recent queries" dropdown. You can attack other users with this bug by having them navigate to the link, I'll show an example below. Steps to Reproduce: 1. From NR1, navigate to the...
Unikrn: Open Redirection leads to redirect Users to malicious website
--- Summary --- I found an open redirect bug on unikoingold.com. First, I created an account on unikoingold.com and filled in all the forms with the required information (first name, birth date, etc.), until I came to the final step to verify my account; there was a mechanism to send a verification link to m...
Nextcloud: Wordpress Users Disclosure
Information Using the REST API, we can see all the WordPress users/authors with some of their information. Steps to Reproduce You can get user info by entering the below URL in your browser: https://nextcloud.com/wp-json/wp/v2/users Reference: 356047 Impact Authors: LTR, LTREditor can be created scenario...
Uber: Chained vulnerabilities create DOS attack against users on desafio5estrelas.com
On a vendor created and managed site desafio5estrelas.com, by controlling the value of the gender parameter on the /salvargenero endpoint via CSRF, an attacker was able to prevent a user from ever logging into their account again. Fun chained CSRF that caused a DOS on user’s account. Check out my...
Mail.ru: XSS in messages on geekbrains.ru
Stored XSS via data URI in messages on geekbrains.ru. geekbrains.ru is in the extended Ext.B scope; XSS reports for this scope are accepted without bounty. Description Stored XSS in messages on a large IT training portal, GeekBrains; the vulnerability allowed executing JavaScript code in the victim's...
Internet Bug Bounty: Uninitialized read in gdImageCreateFromXbm
This bug is present in the gdImageCreateFromXbm method of the ext/gd/libgd/gd_xbm.c file. This method contains the lines mentioned below. ... unsigned int b; ... sscanf(h, "%x", &b); for (bit = 1; bit <= max_bit; bit = bit << 1) { gdImageSetPixel(im, x++, y, b & bit ? 1 : 0); } ... So when the sscanf method is not able to rea...
Urban Company: Private ip leaking through response
Name of Vulnerability: Information disclosure User Details: +91 ████ Summary: Private IP addresses are leaking through the response in UrbanClap. Description: Hi team. During my research I found some IP addresses in the response. After finding the origin of the IPs I found that these IP addresses are...
U.S. Dept Of Defense: https://█████████ Vulnerable to CVE-2018-0296 Cisco ASA Path Traversal Authentication Bypass
Summary: https://█████ is an ASA running software vulnerable to CVE-2018-0296 which allows a remote attacker to exploit a path traversal vulnerability and bypass authentication to sensitive files. The attacker can use this to enumerate the ASA VPN web directory structure and exploit privileged...
Nextcloud: Arbitrary code execution in desktop client via OpenSSL config
Summary: The Nextcloud Windows desktop application utilizes a precompiled OpenSSL library called libeay32.dll. This OpenSSL library attempts to load c:\usr\local\ssl\openssl.cnf when the Nextcloud Windows application is launched. The c:\usr\local\ssl\openssl.cnf file does not exist. By default, o...
PayPal: DoS on PayPal via web cache poisoning
On https://paypal.com/, you could impact core functionality by using an invalid Transfer-Encoding header to replace JavaScript files from www.paypalobjects.com with the message '501 Not Implemented'. This was patched and awarded a $9,700 bounty. By the time you read this, there should be a full...
Mail.ru: phpinfo
Test script with phpinfo output was available in russianaicup.ru...
Mail.ru: SVN repository
SVN repository for static web files was available on terrhq.ru subdomain...
Mail.ru: xss
Reflected XSS via GET parameters in terrhq.ru subdomain...
shopify-scripts: NULL pointer dereference in `mrb_check_frozen`
PoC === The following demonstrates a crash: 3735928559.remove_instance_variable '@a' Debug info ========== Valgrind suggests the crash happens due to an invalid read in mrb_check_frozen: ==4882== Memcheck, a memory error detector ==4882== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al...
Unikrn: Rate Limit workaround in the message of the phone number verification
There was a more or less trivial workaround to the SMS resend rate limit. Thx @drakm !...
Nextcloud: User with read-only access to a share can gain write access to sub-folders in the share
user0 creates folders /test and /test/sub. user0 creates file /test/sub/file.txt. user0 shares folder /test with user1 with read+share permissions (17). user1 receives the folder /test and can read/download /test/sub/file.txt - good. user1 creates a link share of /test/sub - it has permissions 1...
ZEIT: Open redirection in https://zeit.co/login?next=
You have an open redirection bug in https://zeit.co/login?next= Now I want to redirect the victim to https://www.google.com https://zeit.co/login?next=\www.google.com Done!! It will be redirected F511594 Impact Redirect the victims to any page, and it can be an XSS bug...
Shopify: Stored XSS in Discounts section
self-xss Impact 1. Add products; the shop name is '"'' 2. Click Discounts-code, https://mosuan-img-src-x.myshopify.com/admin/discounts/367541518396 3. Add comments, choosing the goods just added. 4. alert...
GitLab: Bypass Email Verification using Salesforce -- Reproducible in gitlab.com
Summary The Salesforce login integration allows an attacker to bypass email verification -- the user is able to sign up with any email domain they want, effectively bypassing all email domain whitelist/blacklist restrictions, or any other 3rd party using the GitLab instance's email address. It is possible because...
Collibra: Access to the database on onboarding.collibra.com
Summary: During the study, it was discovered that port 9306 was open on this server, which is open to the Sphinx service. I was able to connect to the internal database. Steps To Reproduce: 1. Discovery of open port 9306, on which service Sphinx is running screenshot 0 2. Connection to the databa...
Uber: Arbitrary File Reading on Uber SSL VPN
The hacker has found a series of 0 day related to Pulse Secure SSL VPN...