HackeroneRecent

15275 matches found

Hacker One | added 2019/06/17 1:04 a.m. | 48 views

Concrete CMS: Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"

Hi concrete5 Team, Summary I've identified Stored XSS vulnerability in concrete5 Conversations module, when Active Conversation Editor is set to "Rich Text". An attacker is able to input malicious JavaScript, which is run in both client against any site visitor as well as against any user logged...

CVSS 3.5 | AI score 5.2 | EPSS 0.00252
Exploits: 0

Hacker One | added 2019/06/15 4:23 p.m. | 19 views

GSA Bounty: Blind Stored XSS In "Report a Problem" on www.data.gov/issue/

Step To Produce : 1. Open : https://www.data.gov/issue/ 2. fill "Issue Title" and "Description" With XSSHunter Payload 3. XSS Fired In https://labs.data.gov/crm/admin/report/662445 Impact Can steal admin cookies...

AI score 6.2
Exploits: 0

Hacker One | added 2019/06/15 1:02 p.m. | 21 views

Quantopian: Cross-site scripting on algorithm collaborator

Hi again my favorite VDP team. I bring you 8th bug and 4th cross-site scripting. Currently trying to upload python code via self-serve data, not looking for XSS'es only, but they're a thing still, right? Summary: By sending specially crafted websockets request attacker can run javascript in...

AI score 6.1
Exploits: 0

Hacker One | added 2019/06/15 9:19 a.m. | 20 views

Flickr: CSRF in Account Deletion feature (https://www.flickr.com/account/delete)

CSRF was missing in Account Deletion form due to switching login providers. @asad0x01 found the vulnerability and reported it concisely, even with a video POC. The issue was fixed within 60 days, but we were slow to resolve the ticket and disclose. Sometimes you just get lucky. When Flickr was owne...

AI score 0.5
Exploits: 0

Hacker One | added 2019/06/15 4:45 a.m. | 567 views

Hiro: EXIF Geolocation Data Not Stripped From Uploaded Images

The Blockstack Browser does not strip EXIF data on avatar uploads...

AI score 6.9
Exploits: 0

Hacker One | added 2019/06/14 4:39 p.m. | 12 views

New Relic: Site-wide clickjacking at IE11

Hey team, I have discovered that the protection you use for clickjacking prevention is a CSP with frame-ancestors directive. But IE11 doesn't support this directive so your customers using this browser can be attacked. The market share of IE11 is about 2.5% now and it's higher than, for example,...

AI score 1.5
Exploits: 0

Hacker One | added 2019/06/14 11:08 a.m. | 40 views

Zomato: Able to manipulate order amount by removing cancellation amount and cause financial impact

@sjvino identified an issue where it could have allowed to tamper the cancellation amount and pay less than the actual order amount. Steps submitted by the researcher to reproduce the issue maybe it will help new folks in the community to learn something out of it - - Select Items and add them to...

AI score 0.6
Exploits: 0

Hacker One | added 2019/06/14 9:52 a.m. | 46 views

Mail.ru: XSS when uploading an image on [games.mail.ru]

Do-it-yourself XSS self-XSS via crafted file name in support request on games.mail.ru Insufficient filtering of dangerous tags when uploading images on games.mail.ru in technical support tickets...

AI score 2.6
Exploits: 0

Hacker One | added 2019/06/14 8:05 a.m. | 26 views

GitLab: GraphQL query "namespace" leaks data

NOTE! Thanks for submitting a report! Please replace all the parenthesized sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary Using the "namespace"...

AI score 6.6
Exploits: 0

Hacker One | added 2019/06/13 6:05 p.m. | 30 views

X (Formerly Twitter): Github Token Leaked publicly for https://github.com/mopub

Description : GitHub is a truly awesome service but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services as I was able to find github token indexed 4 days ago by user Dravya Nataraj Issue & POC : You can find the leak in this link :...

AI score 6.8
Exploits: 0

Hacker One | added 2019/06/12 2:28 p.m. | 17 views

Weblate: Stored XSS via Create Project (Add new translation project)

Hi, Input validation and/or sanitisation is not currently applied in the Project Name field in https:///create/project/. As a result, it is possible to have a stored XSS that will affect all the users in the Weblate application. To identify this XSS I used the Docker environment from...

AI score 5.6
Exploits: 0

Hacker One | added 2019/06/12 12:56 p.m. | 67 views

ecobee: Open API - AWS S3 GET Bucket (List Objects) Version 1

Summary: AWS S3 GET Bucket List Objects Version 1 API accessible Steps To Reproduce: navigate to: https://www.ecobee.com/wp-content/uploads/ Observe that you get a listbucketresponse https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGET.html#RESTBucketGET-requests The truncated param is set...

AI score 0.7
Exploits: 0

Hacker One | added 2019/06/12 3:10 a.m. | 23 views

HackerOne: Disabled account can still use GraphQL endpoint

Summary Hi team & @jobert, I am not sure if it is by design. After disabling the account, the user will be forced to Enable his account after logging in. However, many of the actions are implemented using GraphQL endpoint which bypasses account reactivation process before use. Since re-enabling the...

AI score 6.6
Exploits: 0

Hacker One | added 2019/06/12 3:02 a.m. | 29 views

Internet Bug Bounty: Industry-Wide MITM Vulnerability Impacting the JVM Ecosystem

I've been exploring the industry-wide scope of the use of HTTP to resolve dependencies in build infrastructure across the industry. What I unearthed was that some of the most popular libraries and two compilers were impacted by this vulnerability. Vulnerability CWE-829: Inclusion of Functionality...

AI score 7.1
Exploits: 0

Hacker One | added 2019/06/12 2:21 a.m. | 133 views

curl: Windows Privilege Escalation: Malicious OpenSSL Engine

Summary: The curl windows binaries are built with OpenSSL libraries and have an insecure path for the OPENSSLDIR build parameter. This path is set to c:\usr\local\ssl. When curl is executed it attempts to load openssl.cnf from this path. By default on windows, low privileged users have the...

CVSS 4.4 | AI score 1.2 | EPSS 0.00954
Exploits: 0

Hacker One | added 2019/06/11 9:56 p.m. | 59 views

ZEIT: Open redirect vuln on login

Summary: An attacker can redirect victim on an external website using https://zeit.co/login endpoint because next parameter Steps To Reproduce: add details for how we can reproduce the issue 1. Go To https://zeit.co and login there 2. After login go to...

AI score 1.1
Exploits: 0

Hacker One | added 2019/06/11 4:08 p.m. | 24 views

Node.js third-party modules: [tianma-static] Security issue with XSS.

I would like to report XSS in tianma-static It allows XSS and HTML Injection First of all, It is my first report and I am sorry that I am not good at English T.T thank you. Module module name: tianma-static version: 1.0.4 npm page: https://www.npmjs.com/package/tianma-static Module Description...

CVSS 4.3 | AI score 6.1 | EPSS 0.00224
Exploits: 1

Hacker One | added 2019/06/11 12:15 p.m. | 43 views

Nextcloud: Reflected XSS / Markup Injection in `index.php/svg/core/logo/logo` parameter `color`

I just found a reflected Cross-Site Scripting XSS vulnerability in Nextcloud Server that affects current stable and dates back to at least 15.0.5. The vulnerability seems mitigated by a Content-Security-Policy CSP, but there might be a residual risk for phishing, due to the CSP's lack of a...

CVSS 4.3 | EPSS 0.00331
Exploits: 1

Hacker One | added 2019/06/11 9:06 a.m. | 17 views

New Relic: Stored admin-to-owner XSS at infrastructure alerts runbook URL leading to account takeover by malicious admin

Hey team, I have discovered a stored XSS vulnerability at infrastructure alerts runbook URL. There is a filter that does not allow this URL to use the javascript: scheme, but I have found a way to bypass it. Alerts can't be created/modified by users with role lower than "admin" so I will show you...

AI score 1.1
Exploits: 0

Hacker One | added 2019/06/10 11:14 p.m. | 56 views

HackerOne: Team member with Program permission only can escalate to Admin permission

Summary https://hackerone.com/TEAM/groups URL is accessible to team members with Program permission, even when "Group Management" and "User Management" menus aren't visible. I didn't research this further, however, I was able to grant all permissions to the user assigned to a group with Program...

AI score 0.5
Exploits: 0

Hacker One | added 2019/06/10 8:29 p.m. | 20 views

GitLab: [information disclosure] Validate existence of a private project.

Summary In Gitlab, we have a feature of creating groups and setting their permissions to public/internal/private. While testing I discovered that a user can check existence of a project in a group of which he is not a part judging by the difference in types of error messages generated. This reque...

AI score 6.2
Exploits: 0

Hacker One | added 2019/06/09 11:40 p.m. | 14 views

Brave Software: Tor IP leak caused by the PDF Viewer extension in certain situations

A vulnerability was discovered in the PDF Viewer extension in Brave browser, where web requests made by the extension in Tor mode were not properly proxied under certain conditions. This could result in the user's real IP address being leaked to the server hosting the PDF file...

AI score 7
Exploits: 0

Hacker One | added 2019/06/09 12:42 p.m. | 45 views

QIWI: Bypassing the transfer fee

Good day. Not long ago the "Active Wallet User" plan was enabled on my wallet. This plan implies a 2% fee on transfers. Naturally, that did not suit me at all and I decided to go looking for a bypass. After a short search I managed to find a hole right here...

AI score 7.1
Exploits: 0

Hacker One | added 2019/06/09 10:26 a.m. | 29 views

HackerOne: Race Condition leads to undeletable group member

Hi, Summary: There exists a Race Condition in which the user can add themselves twice to a group which will make them unremovable from group. They themselves cannot remove themselves from the group as well as the group leader cannot remove that user from the group. Of course this is a low severity...

AI score 6.9
Exploits: 0

Hacker One | added 2019/06/08 2:50 p.m. | 40 views

InnoGames: Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash)

The referrer leaked the CSRF code, when opening an embedded PHP file set by the images function in tribe forums. Due to a premium function, which allows players to store and run Javascript scripts during the game, the session ID could be grabbed, as it was mistakenly embedded into the DOM. This...

AI score 6.1
Exploits: 0

Hacker One | added 2019/06/08 11:11 a.m. | 401 views

Pornhub: Blind XSS in redtube administering site my.reflected.net

Researcher was able to execute Blind XSS in Redtube WAF administering panel Blind XSS in Redtube WAF administering panel...

AI score 2.5
Exploits: 0

Hacker One | added 2019/06/08 5:04 a.m. | 27 views

Mail.ru: Unrestricted File Upload To Xss Stored [ https://ideas.browser.mail.ru/ ]

Stored XSS in https://ideas.browser.mail.ru/ ideas.browser.mail.ru belongs to extended scope...

AI score 0.3
Exploits: 0

Hacker One | added 2019/06/08 2:00 a.m. | 95 views

Upserve : DOM Based XSS via postMessage at https://inventory.upserve.com/login/

Description DOM based XSS is possible at https://inventory.upserve.com/login/ due to insecure origin checking when receiving a postMessage. POC 1. Visit https://hq.upserve.com.████████/upservexss.html 2. Click link 3. View alert on https://inventory.upserve.com Vulnerable Code javascript...

AI score 0.8
Exploits: 0

Hacker One | added 2019/06/07 8:03 a.m. | 24 views

ExpressionEngine: Open Redirect in comment section

@winst0n13 discovered that the URL you are redirected to after successfully submitting a comment could be modified in certain circumstances. @winst0n13 gave a detailed report with step-by-step instructions for replicating, enabling a speedy resolution to the issue...

AI score 1.9
Exploits: 0

Hacker One | added 2019/06/07 1:10 a.m. | 51 views

Shopify: DOM XSS via Shopify.API.Modal.initialize

Similar 422043 & 576532 Payload Based on 576532: html function attack const ctx = window.openlocation.origin+'/admin/themes', 'blank' const json = message: "Shopify.API.Modal.initialize", data: src: "" let interval; interval = setIntervalfunction if window.attackSuccess clearIntervalinterval else...

AI score 2.4
Exploits: 0

Hacker One | added 2019/06/06 9:06 p.m. | 66 views

ok.ru: Plain text password for 'unknown' user exist in URL when opening jira.apiok.ru

Documentation at https://api.mail.ru/docs/guides/billing/ has a link to http://apiok.ru/jira/documents/ which redirects to https://jira.apiok.ru/secure/CreateIssue.jspa?pid=-2&osusername=unknown&ospassword=X7:1OEh3 This pair of username & password - is effective login & password to JIRA system an...

AI score 7.2
Exploits: 0

Hacker One | added 2019/06/06 6:07 p.m. | 18 views

New Relic: Urgent! Stored XSS at plugin's violations leading to account takeover

Hey team, I have found a stored XSS which is fired at plugin's Violations page. This vulnerability can be used by malicious plugin maker to take over any account which installs this malicious plugin. Vulnerability details The Violations page contains the following script inside its source code: ht...

AI score 5.9
Exploits: 0

Hacker One | added 2019/06/06 4:42 p.m. | 54 views

Mail.ru: SSRF On [ allods.mail.ru ]

SSRF in allods.mail.ru. allods.mail.ru belongs to Ext.B scope...

AI score 1.6
Exploits: 0

Hacker One | added 2019/06/05 11:12 p.m. | 58 views

Cuvva: Unclaimed facebook page at www.cuvva.com/about

Description: Hello sir, while I was surfing your website I found unclaimed facebook page at www.cuvva.com/about F503171 when you click this button you will be redirected to https://www.facebook.com/getcuvvad which was unclaimed but I claimed it as poc steps to reproduce: 1. go to...

AI score 6.8
Exploits: 0

Hacker One | added 2019/06/05 9:31 p.m. | 15 views

WakaTime: Vulnerability Name: Host Header Injection Redirect

Vulnerability Description: Open redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting. Remediation: If possible, the application should avoid incorporating user-controllable data into redirection targets. In many cases, this...

Exploits: 0

Hacker One | added 2019/06/05 8:40 p.m. | 101 views

Shopify: HTML injection in https://interviewing.shopify.com/index.php?candidate=

https://interviewing.shopify.com/index.php?candidate= is inserting the value of candidate into the DOM without any filtering except that the equal sign can't appear in the payload, this allows an attacker to inject any HTML in the DOM. Of course reflected XSS payloads like ...something... will be...

AI score 1
Exploits: 0

Hacker One | added 2019/06/05 1:22 p.m. | 18 views

curl: Integer overflow in the source code tool_cb_prg.c

Summary: Integer overflow in the source code tool_cb_prg.c Steps To Reproduce: Review the source code of tool_cb_prg.c In the function fly(), pay attention to lines 80, 82, 84 (C): 69 static void fly(struct ProgressData *bar, bool moved) 70 { 71 char buf[256]; 72 int pos; 73 int check = bar->width - 2; 74 75...

AI score 0.8
Exploits: 0

Hacker One | added 2019/06/03 4:59 p.m. | 22 views

Mail.ru: Exposed .htaccess on cookery.zakazaka.ru

.htaccess file was available for reading via Web request on cookery.zakazaka.ru due to invalid configuration. While this misconfiguration could potentially lead to information disclosure, no sensitive information was actually leaked...

AI score 2.2
Exploits: 0

Hacker One | added 2019/06/03 4:07 p.m. | 34 views

VK.com: Indefinite access to an account once we have managed to log into it at least once.

A temporary ability to extend the session after obtaining full access to the page...

AI score 6.9
Exploits: 0

Hacker One | added 2019/06/02 5:09 p.m. | 80 views

Infogram: Privilege escalation allows to use iframe functionality w/o upgrade

Hello team! I've found a privilege escalation issue which allows to set iframes to the projects w/o upgrading. Steps to reproduce - Login - Navigate to the project - Choose integrations and click the IFrame - See that you'll get upgrade now notification F501019 - Inspect the page with developer...

AI score 2.5
Exploits: 0

Hacker One | added 2019/06/02 3:30 p.m. | 28 views

Mail.ru: CSRF to submit a question on [games.mail.ru]

CSRF in gmr.operator.mail.ru allowed to send a question on behalf of the user to TimeZero project support. CSRF to send a question in the disabled method /support/tz/questions/ajax in the interface...

AI score 1.6
Exploits: 0

Hacker One | added 2019/06/02 8:24 a.m. | 96 views

Homebrew: Homebrew privilege escalation vulnerability

Additional symlinks/directories that were not chown'd by brew services needed to be added to avoid the replacement of the opt prefix link. Homebrew has a privilege escalation vulnerability which can let an attacker easily gain root permission...

AI score 3.8
Exploits: 0

Hacker One | added 2019/06/02 7:16 a.m. | 14 views

Node.js third-party modules: [public] Path traversal using symlink

I would like to report Path traversal vulnerability in public module Module module name: public version: 0.1.4 npm page: https://www.npmjs.com/package/public Module Description Run static file hosting server with specified public dir & port. Support a "directory index" like Apache httpd. Module...

AI score 1
Exploits: 0

Hacker One | added 2019/06/02 5:26 a.m. | 14 views

Magic: CSRF in generating developer api_key

Hi At https://dashboard.forttmatic.com when developer tries to generate new api_key for his application, a POST request is sent to https://api.forttmatic.com which doesn't have any tokens to guard against CSRF attacks. CSRF POC : history.pushState'', '', '/' On submitting the above request, a new...

AI score 7.2
Exploits: 0

Hacker One | added 2019/06/01 5:27 p.m. | 17 views

Vanilla: Web cache deception attack on https://open.vanillaforums.com/messages/all

I have found a Vulnerability in vanilla forums which is called a Web cache deception attack. Web Cache Deception Attack Websites often tend to use web cache functionality to store files that are often retrieved, to reduce latency from the web server. Websites often tend to use web cache functionality...

AI score 1
Exploits: 0

Hacker One | added 2019/05/31 9:58 a.m. | 42 views

Internet Bug Bounty: Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow

PHP upstream bug report: https://bugs.php.net/bug.php?id=78069 Description: In _php_iconv_mime_decode() function in iconv.c, there's an out-of-bounds read due to an integer overflow vulnerability. MIME encoded string is being parsed and decoded in for loop with following condition: for strleft =...

CVSS 6.4 | AI score 9.1 | EPSS 0.01411
Exploits: 1

Hacker One | added 2019/05/30 8:58 p.m. | 23 views

Unikrn: multiple vulnerabilities on your mautic server

Hi @unikrn! I found some vulnerabilities in your crm server: 1. Bypass Cloudflare access: You Use Cloudflare Access on https://crm.unikrn.com . But this link bypassed Cloudflare Access: ████████/login This vulnerability generates the disclosure of important data: PHP info page: ██████████phpinfo ...

AI score 0.7
Exploits: 0

Hacker One | added 2019/05/30 7:32 p.m. | 34 views

Nextcloud: Non-admin users can trigger writes to memcached by entering a malicious server as a share URL

Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long...

CVSS 4 | AI score 3.8 | EPSS 0.00255
Exploits: 0

Hacker One | added 2019/05/30 7:01 p.m. | 16 views

Automattic: Gaining unlimited bonus points on websites with WooCommerce Points and Rewards

In WooCommerce Points and Rewards plugin there is an assumption that Processing order status is only for paid orders. However, this assumption is wrong for payment gateway Cash On Delivery, which immediately changes order status to Processing on all new orders. Plugin then increases bonus points...

AI score 1.5
Exploits: 0

Hacker One | added 2019/05/30 4:37 a.m. | 27 views

Node.js third-party modules: Lack of input validation and sanitization in react-autolinker-wrapper library causes XSS

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report XSS in...

AI score 0.7
Exploits: 0

Total number of security vulnerabilities: 15275