15275 matches found
Starbucks: Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice
@geekjeremy, at the same time as other hackers who submitted their own reports, discovered a browsable WSDL service on an API endpoint under the starbucks.com.cn domain, running on a non-standard port. @geekjeremy demonstrated that the service had several functions that executed without any...
WordPress: Stored XSS on BuddyPress plug-in via group name
Hi, I found that there is a stored XSS in another output of the group name, but this XSS needs a key combination to trigger. Just create or modify the group information, set the group name to the following payload, and then access the Group page; if you are on macOS you need to press,...
Monero: Remote P2P DoS
Remote P2P DoS resolved. https://www.activism.net/cypherpunk/manifesto.html...
Monero: Remote Daemon RPC Attack
Remote Daemon RPC Attack https://www.activism.net/cypherpunk/manifesto.html...
Trustpilot: IDOR in sending support email upon Verifying user business domain
Summary Trustpilot Business makes sure that you own the domain you have registered before continuing the process, so they offer 5 choices for how to verify. But there's another one, which is through sending a support ticket. By this you can send a message to support and hope they help you out. Ther...
Uber: [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo
A username and certificate were found that allow API access to Phabricator on code.uberinternal.com. This API access could give away source code and the private Phabricator instance of Uber...
Shopify: XSS on services.shopify.com
Hi security, I got a stored XSS in one of your sub-domains, "services.shopify.com". Steps: 1- Go to https://yourstore.myshopify.com/admin/apps/expertsmarketplace/servicesmarketplace 2- Then go to All services > Marketing and sales > Email marketing > Design custom email templates, click select 3- Fill all the...
curl: Signed integer overflow in tool_progress_cb()
Summary: Good afternoon curl security! I built this curl from commit 8144ba38c383718355d8af2ed8330414edcbbc83. We discovered a signed integer overflow in tool_progress_cb. Steps To Reproduce: Compiled with the Undefined Behavior Sanitizer enabled. Ran with the following command line: ./curl -q - -T...
X (Formerly Twitter): Twitter Periscope Clickjacking Vulnerability
Bonjour, Summary: X-Frame-Options ALLOW-FROM https://twitter.com/ is not supported by several browsers; this caused clickjacking on the Twitter Periscope subdomains https://canary-web.pscp.tv & https://canary-web.periscope.tv Steps To Reproduce: 1. Create a new HTML file 2. Put 3. Save the file 4. Open...
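The point of the Periscope report above is that an `X-Frame-Options: ALLOW-FROM` value is not merely weak, it is silently ignored by browsers that never implemented it, which leaves the page with no framing restriction at all. The checker below is an added example (not the reporter's code and not X's); it classifies a response's headers the way a browser would enforce them, treating ALLOW-FROM as absent and accepting only DENY, SAMEORIGIN or a CSP `frame-ancestors` directive. The header dictionaries used in the examples are constructed input.

```python
"""Does this response actually stop framing?

Added example for the Periscope clickjacking report; it is not the reporter's
code or X's. X-Frame-Options ALLOW-FROM was never implemented by several
browsers, and a browser that does not understand the value applies no
restriction at all, so a checker must treat ALLOW-FROM as absent. Only DENY,
SAMEORIGIN or a CSP frame-ancestors directive count as protection. All header
values passed in below are constructed test input.
"""
from typing import Dict, List, Optional, Tuple


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Classify the framing policy a browser will enforce.

    Returns (protected, reason). Header names are matched case-insensitively.
    A CSP frame-ancestors directive takes precedence over X-Frame-Options,
    which is how browsers that support both resolve a conflict.
    """
    lower = {name.lower(): value.strip() for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = csp_frame_ancestors(csp)
        if sources is not None:
            # A wildcard or a scheme-only source ("https:") lets any site frame
            # the page; 'none', 'self' or explicit origins restrict framing.
            weak = [s for s in sources if s == "*" or s.endswith(":")]
            if weak:
                return False, f"CSP frame-ancestors allows any ancestor via {weak[0]}"
            shown = " ".join(sources) or "'none'"
            return True, f"CSP frame-ancestors {shown}"

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return False, "no framing restriction header"
    value = xfo.upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        # Browsers without ALLOW-FROM support apply no restriction for this value.
        return False, "X-Frame-Options ALLOW-FROM is unsupported by several browsers; use CSP frame-ancestors"
    return False, f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore it"


if __name__ == "__main__":
    # Constructed header sets, from the report's situation to the fix.
    samples = [
        {"X-Frame-Options": "ALLOW-FROM https://twitter.com/"},
        {"X-Frame-Options": "DENY"},
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors https://twitter.com"},
        {"Content-Security-Policy": "frame-ancestors *"},
    ]
    for sample in samples:
        print(sample, "->", framing_protection(sample))
```

The precedence rule matters in practice: a site that adds `frame-ancestors` while leaving an old `ALLOW-FROM` header in place is protected in browsers that honour CSP, and the checker reports it that way.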
Automattic: Denial of service to WP-JSON API by cache poisoning the CORS allow origin header
The WP-JSON implementation on some wordpress.com websites I've tested is vulnerable to a denial of service whereby an attacker can provide an arbitrary Origin header in the request, which is then echoed back in the response via the Access-Control-Allow-Origin header, which is cached and served to...
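The failure the report above describes needs two ingredients: a handler that reflects the request `Origin` into `Access-Control-Allow-Origin`, and a shared cache that stores the result under the URL alone. The simulation below is an added example (not the reporter's code and not WordPress's): it runs an attacker-primed fetch followed by a legitimate one against a toy cache, first with the reflecting handler and then with a hardened one that keeps an allow list and sends `Vary: Origin`. The endpoint path, the origins and the allow list are constructed for the example.

```python
"""Origin reflection behind a shared cache: the denial of service above.

Added example; this is not the reporter's code nor WordPress's. A handler
that copies the request Origin into Access-Control-Allow-Origin is harmless
per request, but once a shared cache stores that response under the URL
alone, one request from an attacker-chosen origin fixes ACAO for every later
visitor, whose browsers then refuse the cross-origin read. The hardened
handler reflects only allow-listed origins and sends Vary: Origin so the
cache keys on it. Endpoint, origins, allow list and cache are constructed.
"""
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]   # "url" plus request headers such as "Origin"
Response = Dict[str, str]  # response headers only; the body does not matter here


def vulnerable_handler(req: Request) -> Response:
    """Echoes any Origin and tells the cache nothing about it."""
    return {
        "Access-Control-Allow-Origin": req.get("Origin", "*"),
        "Cache-Control": "public, max-age=300",
    }


ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}  # constructed


def hardened_handler(req: Request) -> Response:
    """Reflects only allow-listed origins and varies the cache entry on Origin."""
    resp = {"Cache-Control": "public, max-age=300", "Vary": "Origin"}
    origin = req.get("Origin")
    if origin in ALLOWED_ORIGINS:
        resp["Access-Control-Allow-Origin"] = origin
    return resp


class SharedCache:
    """Toy CDN cache: a URL maps to variants selected by the response's Vary headers."""

    def __init__(self, handler: Callable[[Request], Response]) -> None:
        self.handler = handler
        # url -> list of (vary_values, response); vary_values is {header: request value}
        self.store: Dict[str, List[Tuple[Dict[str, str], Response]]] = {}
        self.hits = 0

    def fetch(self, req: Request) -> Response:
        for vary_values, resp in self.store.get(req["url"], []):
            # With no Vary header, vary_values is empty and every request matches.
            if all(req.get(h, "") == v for h, v in vary_values.items()):
                self.hits += 1
                return dict(resp)
        resp = self.handler(req)
        vary = [h.strip() for h in resp.get("Vary", "").split(",") if h.strip()]
        vary_values = {h: req.get(h, "") for h in vary}
        self.store.setdefault(req["url"], []).append((vary_values, dict(resp)))
        return resp


def browser_allows(resp: Response, page_origin: str) -> bool:
    """Would a page at page_origin be allowed to read this response?"""
    acao = resp.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin


def run_scenario(handler: Callable[[Request], Response]) -> Dict[str, bool]:
    """Attacker primes the cache, then a legitimate page fetches the same URL."""
    cache = SharedCache(handler)
    url = "/wp-json/wp/v2/posts"  # constructed endpoint
    attacker = {"url": url, "Origin": "https://evil.example"}
    victim = {"url": url, "Origin": "https://example.com"}
    attacker_resp = cache.fetch(attacker)
    victim_resp = cache.fetch(victim)
    return {
        "attacker_can_read": browser_allows(attacker_resp, attacker["Origin"]),
        "victim_can_read": browser_allows(victim_resp, victim["Origin"]),
        "victim_served_from_cache": cache.hits == 1,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_handler))
    print("hardened:  ", run_scenario(hardened_handler))
```

`Vary: Origin` alone is not enough: a reflecting handler with `Vary` still hands any origin a credentialed read, and an allow list without `Vary` still lets one visitor's response be served to another. The hardened handler needs both.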
X (Formerly Twitter): Potential pre-auth RCE on Twitter VPN
Hi, we, Orange Tsai and Meh Chang, are the security research team from DEVCORE. Recently, we have been doing research on SSL VPN security, and found several critical vulnerabilities in Pulse Secure SSL VPN! We have reported them to the vendor and patches were released on 2019/4/25. Since then, we keep...
LifeOmic: open redirect while login at https://apps.dev.jupiterone.io can leak access code.
LifeOmic Comments @base64 found an open redirect bug in our auth flow. After review, we determined that due to design the exploit would only work in our dev environment. Though we determined mitigating controls were already in place for this attack in prod, we valued @base64 's efforts and awarde...
Unikrn: Full Path Disclosure
Hi security team! We can see a path on your resource. https://crm.unikrn.com/app/bundles/CampaignBundle/EventListener/LeadSubscriber.php You must create a ban on viewing the script from the outside using .htaccess Impact Full Path Disclosure https://www.owasp.org/index.php/Full_Path_Disclosure...
Nextcloud: Linux client is vulnerable to directory traversal when downloading files
Summary The Nextcloud Linux client is vulnerable to directory traversal when downloading files from a Nextcloud server. A malicious Nextcloud administrator can exploit the vulnerability to write arbitrary files to a user's computer with the potential for remote command execution under certain...
Valve: [CS 1.6] Map cycle abuse allows arbitrary file read/write
The CS 1.6 server has a map cycle feature - i.e. automatic map change after a specified period of time. This feature relies on the data of the file specified in the mapcyclefile cvar. Any user with RCON access to the server can set this variable to an arbitrary value - no input sanitization applies. In ord...
Internet Bug Bounty: CRLF Injection in urllib
Hi. I found a CRLF Injection a few months ago. Please refer to my bug issue. https://bugs.python.org/issue35906 Thank you Impact Leads to SSRF. e.g. can exploit an internal Redis server to send arbitrary packet data including ASCII and non-ASCII...
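The report above is the CRLF-in-URL class of bug: an HTTP client joins its request line and headers with CRLF, so a CR/LF pair that survives inside the path ends the request line early and the server reads whatever follows as additional lines, which against a line-oriented service such as Redis are commands. The code below is an added example (not the reporter's proof of concept and not CPython's code): a minimal request builder that shows the split, beside a hardened one that refuses control characters in the request target, the same 0x00-0x20 and 0x7F range CPython's `http.client` now rejects. The Redis target and the injected command are constructed for the example, and the URL splitter is deliberately hand-written because `urllib.parse.urlsplit` strips CR and LF in current Python versions, which would hide the bytes the example is about.

```python
"""CRLF through a URL path, the bug class of the urllib report above.

Added example; it is not the reporter's PoC and not CPython's code. A client
joins the request line, headers and body with CRLF, so a CR/LF pair that
survives inside the path ends the request line early and everything after it
is read by the server as further lines. Against a line-oriented service such
as Redis those lines are commands, which is the SSRF the report describes.
The hardened builder rejects control characters in the request target, the
same range (0x00-0x20 and 0x7F) CPython's http.client now refuses; the regex,
the Redis target and the injected command below are this example's own.
"""
import re
from typing import List, Tuple

# Request-target characters that are never legitimate: controls, space, DEL.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


class InvalidURL(ValueError):
    """Raised by the hardened builder when the request target carries control characters."""


def split_url(url: str) -> Tuple[str, str]:
    """Return (host, request_target) without normalising anything.

    Deliberately minimal: urllib.parse.urlsplit strips CR and LF in current
    Python versions, which would hide exactly the bytes this example is about.
    """
    _scheme, _, rest = url.partition("://")
    host, _, path = rest.partition("/")
    return host, "/" + path


def build_request_naive(url: str) -> bytes:
    """Serialise a GET with no validation: the vulnerable behaviour."""
    host, target = split_url(url)
    lines = [f"GET {target} HTTP/1.1", f"Host: {host}", "", ""]
    return "\r\n".join(lines).encode("latin-1")


def build_request_safe(url: str) -> bytes:
    """Same serialisation, but refuse a target containing control characters."""
    _host, target = split_url(url)
    found = _CONTROL_CHARS.search(target)
    if found:
        raise InvalidURL(f"control character {found.group()!r} in request target {target!r}")
    return build_request_naive(url)


def wire_lines(raw: bytes) -> List[bytes]:
    """What a line-oriented server reads: one element per CRLF-terminated line."""
    return raw.split(b"\r\n")


def is_accepted(url: str) -> bool:
    """True if the hardened builder would send the request at all."""
    try:
        build_request_safe(url)
        return True
    except InvalidURL:
        return False


if __name__ == "__main__":
    # Constructed attacker-controlled URL aimed at a local Redis port.
    injected = "http://127.0.0.1:6379/\r\nSET injected 1\r\n"
    for line in wire_lines(build_request_naive(injected)):
        print(repr(line))
    print("hardened builder accepts it:", is_accepted(injected))
```

With the naive builder the second wire line is exactly `SET injected 1`, a complete Redis command; the leading `GET /` and the trailing ` HTTP/1.1` fragment are simply errors Redis ignores. The hardened builder never reaches the socket.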
Node.js: Multiple HTTP/2 DOS Issues
A security researcher has conducted a broad survey of HTTP/2 implementations to investigate common Denial of Service attack vectors. The Node.js implementation has been found to be subject to a number of these issues. On the plus side, we're not the only ones! ;- ... This work is still under...
VK.com: Viewing any articles by their ID.
Viewing articles...
Nextcloud: Memory Leak in OCUtil.dll library in Desktop client can lead to DoS
The function IsChildFile(const wchar_t* rootFolder, const wchar_t* file) in FileUtil.cpp allocates memory on line 42 and fails to free it. The following PoC code can provide evidence. The code and the PoC executable are attached to this report. Also the OCUtils.dll and OCUtilsx64.dll library which is...
Tor: Detect Tor Browser's language
Summary Some error pages use Tor Browser's language-based text, and an iframe can steal it. Details Since the language of Tor Browser is used for the title of the link tag on the 404 error page, an attacker can obtain the language of Tor Browser even if the user has set privacy.spoof_english to 2. I...
HackerOne: Password not checked when disabling 2FA on HackerOne
Hi, when I was submitting a report to a program that requires 2FA ON, I noticed that if you try to disable this option it will ask for a backup code and password, and if you enter a random password in the request field and a correct backup code, the 2FA will be successfully disabled without checking if the...
GitLab: Local files could be overwritten in GitLab, leading to remote command execution
Summary Arbitrary file overwrite. A new feature, download a directory of a repository, in GitLab 11.11 introduced some changes in ./internal/service/repository/archive.go of Gitaly. func handleArchive(ctx context.Context, writer io.Writer, in *gitalypb.GetArchiveRequest, compressCmd *exec.Cmd, forma...
New Relic: CSTI at Plugin page leading to active stored XSS (Publisher name)
Hey team, I have discovered a CSTI vulnerability at the NR single Plugin page leading to stored XSS. To plant the payload you need to publish a new plugin using an account having the payload inside its name. Below I show you the easiest way to reproduce this using a Python script which creates the new...
Flickr: Improper access control in place for "member only" groups via root.YUI_config.flickr.api.site_key
Researcher identified API endpoint that was not doing sufficient permission validation...
phpBB: CSS injection via BB code tag "█████"
The input to the "█████" BBcode tag is not properly filtered. It gets converted into a CSS style attribute for a span HTML element. Quotes " are removed, so there's no way to break out of the CSS style attribute. However it is possible to arbitrarily dress the resulting span element. To illustra...
Trint Ltd: IDOR to update folder name of other user
Summary There is an IDOR to update the folder name of another user. Steps To Reproduce: - User A logs in to the application and sees the folder name F494331 - User B logs in to the application and calls the API with the projectId of user A POST / HTTP/1.1 Host: graphql2.trint.com User-Agent: Mozilla/5.0 Windo...
U.S. Dept Of Defense: ██████ Authenticated User Data Disclosure
Background The Air Force's ███ application is exposing members' personal information to other users with access to the application. We've identified two specific issues, but there may be other similar problems in the same vein as the ones described here. The underlying problem appears to be that...
Mail.ru: Blind SSRF [ Sentry Misconfiguration ]
Researcher found Blind SSRF via Sentry misconfiguration. This report received smaller bounty since server located in dedicated hosting colocation network separated from production servers...
Homebrew: Homebrew-installed LaunchDaemons create simple root escalations
Many programs installed via Homebrew require services to function as expected - most of the time these are LaunchAgents but sometimes they need to run as root via LaunchDaemons to function properly. While Homebrew attempts to secure the executables run by the LaunchDaemons that it installs, any...
Internet Bug Bounty: Null Pointer Dereference in phar_create_or_parse_filename
The original report is here https://bugs.php.net/bug.php?id=77396 Description: ------------ Please use these poc file: https://drive.google.com/file/d/1bzw-j4FtV7PEf6SW2GYmDVKtMybmbKnl/view?usp=sharing Test script: --------------- USE_ZEND_ALLOC=0 ../../php-7.1.25/sapi/cli/php -r '$phar=new...
Valve: RCE on CS:GO client using unsanitized entity ID in EntityMsg message
Title: RCE on CS:GO client using unsanitized entity ID in EntityMsg message Scope: csgo.exe Weakness: Out-of-bounds Read Severity: Critical 9.6 Link: https://hackerone.com/reports/584603 Date: 2019-05-19 17:49:21 +0000 By: @chaynik Details: Vulnerability ------------- The CSVCMsg_EntityMsg message is...
VK.com: Viewing private photos
Insufficient request validation...
X (Formerly Twitter): Periscope android app deeplink leads to CSRF in follow action
Hello Twitter Team Summary This issue is mainly in the Periscope Android app against the CSRF follow action using a deeplink. Description On the normal Periscope website, when we share a follow link like www.pscp.tv//follow, we get a response asking whether to follow a person or not, giving us an option, meaning CS...
X (Formerly Twitter): cookie injection allow dos attack to periscope.tv
Description: I found in periscope.tv a parameter "createuser" that allows injecting a "loginissignup" cookie; when tested with a CRLF payload I get the response "HTTP/1.1 504 GATEWAY TIMEOUT" Link Vulnerable: https://www.periscope.tv/i/twitter/login?createuser=payload&csrf=yourcsrftoken Steps To Reproduce: 1. go t...
Imgur: BUG XSS IN "ADD IMAGES"
I want to report a bug, XSS in "ADD IMAGES". How to reproduce it: 1. Log in to your account 2. Then add images with an XSS payload in the filename, example: ".png 3. Click on the image that you uploaded 4. In the name of the picture the XSS will fire. Impact https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)...
Cuvva: Clickjacking in ops.cuvva.com
Hi, Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking contr...
TomTom: XSS Reflect
Hi guys, According to the attached screenshots, I found an XSS at the https://www.tomtom.com/en/search/?q=%3C%2Fscript%3E link. Here is the payload used: https://www.tomtom.com/en/search/?q=%3C%2Fscript%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E Any questions, I'm available! Regards, z3xdd Impact A...
Valve: Arbitrary File Write as SYSTEM from unprivileged user
Note: This report was reviewed and updated after a correction to program scope. Vulnerability ======== The Steam Client installs a "Steam Client Service" that runs as SYSTEM to update the Steam application. This service executes from C:\Program Files (x86)\Common\Steam where permissions are properl...
Mail.ru: self XSS on the page https://aw.mail.ru/pin/
Self XSS in https://aw.mail.ru/pin/...
Mail.ru: Xss Reflected On spgw.terrhq.ru [ url ]
Researcher found Reflected XSS and Blind SSRF via the same GET parameter. Bounty was awarded for SSRF. Reflected Xss And Non-Blind Ssrf Via The same GET Parameter...
GitLab: Last pipeline status for MR leaked
Hi GitLab security team, Summary GitLab allows public and internal projects to restrict the visibility of pipelines to project members only. Then only project members should have access to the pipeline information. However, this can be bypassed. There is an internal endpoint...
Node.js third-party modules: [static-server-gx] Path Traversal allowing to read any files on the server
I would like to report a path traversal vulnerability in module "static-server-gx". It allows an attacker to read any files, even system files, via this path traversal vulnerability. Module: module name: static-server-gx version: 1.2.1 npm page: https://www.npmjs.com/package/static-server-gx Module...
Uber: API on campus-vtc.com allows access to ~100 Uber users full names, email addresses and telephone numbers.
There was an API endpoint on the Uber site campus-vtc.com that allowed an attacker to view the full names, personal email addresses and phone numbers of 83 Uber France members. These were people who uploaded entries to a contest on campus-vtc.com. The endpoint leaked some PII for the 83 Uber France...
Django: Jenkins Unauthenticated RCE on https://djangoci.com/
This report discloses an RCE issue on djangoci.com as outlined in https://www.djangoproject.com/weblog/2019/may/15/rce-djangoci/ While technically a valid issue, it is out of scope for bounty, please see https://hackerone.com/django for details on which issues qualify for bounties...
Node.js third-party modules: [larvitbase-www] Unintended Require
I would like to report an Unintended Require vulnerability in larvitbase-www. It is similar to the bug found here 566056 because the module is maintained by the same developer, but it is a different module and the code behind the vulnerability is different. It allows loading arbitrary non-production code ...
Node.js third-party modules: [http_server] Path Traversal allowing to read any files on the server
I would like to report a path traversal vulnerability in module "http_server". It allows an attacker to read any files, even system files, via this path traversal vulnerability. Module: module name: http_server version: 1.0.12 npm page: https://www.npmjs.com/package/http_server Module Description 一个静态服务器 (a static server)...
Node.js third-party modules: [hnzserver] Path Traversal allowing to read any files on the server
I would like to report a path traversal vulnerability in module "hnzserver". It allows an attacker to read any files, even system files, via this path traversal vulnerability. Module: module name: hnzserver version: 2.0.6 npm page: https://www.npmjs.com/package/hnzserver Module Description 静态服务器 means...
Nextcloud: Vulnerable W3 Total Cache plugin version in use on nextcloud.com
Hi there, I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable: https://nextcloud.com/wp-content/plugins/w3-total-cache/changelog.txt W3 Total Cache makes the site vulnerable to a series of attacks, includin...
Node.js third-party modules: [http_server] Stored XSS in the filename when directories listing
I would like to report a Stored XSS in module "http_server". It allows injecting malicious scripts into the file name, storing them on the server, then executing these scripts in the browser via the XSS vulnerability. Module - module name: http_server - version: 1.0.12 - npm page:...
GitLab: Privilege escalation due to insecure use of logrotate
Summary GitLab sets the ownership of the log directory to the system user "git", which might let local users obtain root access because of an unsafe interaction with logrotate. Steps to reproduce Please note that the exploit is just a proof-of-concept. In order to win the race reliably the following...