LocalTapiola: CORS misconfiguration allows to steal customers data
Issue: The reporter found an issue with CORS configuration in one of our applications. The misconfiguration allowed the hacker to leak and steal a logged-on user's information. Leaking much data would take quite some time, but it would also be a question of waiting for as many customers to log on...
X (Formerly Twitter): login csrf in analytics.mopub.com
Description: There is no csrftoken validation while logging in, which leads to CSRF. Base request: POST /login HTTP/1.1 Host: analytics.mopub.com Connection: close Content-Length: 37 Accept: application/json, text/plain, / Origin: https://analytics.mopub.com User-Agent: Mozilla/5.0 Windows NT 10....
U.S. Dept Of Defense: MSSQL injection via param Customwho in https://█████/News/Transcripts/Search/Sort/ and WAF bypass
Summary: MSSQL injection via param Customwho in https://███████/News/Transcripts/Search/Sort/ Description: MSSQL injection via param Customwho in https://██████████/News/Transcripts/Search/Sort/ There is WAF, but we can make bypass and via global variable @@LANGID we can know that the base is use...
Valve: ISteamAssets gives partners control over unrelated community market transactions
ISteamAssets APIs would check that the key parameter used was a partner key with access to the appid specified, but then would ignore the passed in appid and would operate on app 753 regardless. This allowed anyone with a partner key to make changes to Steam economy items, like trading cards, and...
U.S. Dept Of Defense: RCE on █████ via CVE-2017-10271
Summary: Happy Friday! The server at ██████ is vulnerable to CVE-2017-10271 "Oracle WebLogic Server Remote Command Execution". Description: The following request takes 12 seconds (12000 milliseconds) to complete: POST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1 Host: ██████████ Content-Length: 423...
Shipt: Multiple Subdomain Takeovers: fly.staging.shipt.com, fly.us-west-2.staging.shipt.com, fly.us-east-1.staging.shipt.com
A researcher identified 3 different abandoned subdomain CNAME records that pointed to a 3rd party service fly.io that Shipt had recently stopped using. Upon receiving the report, the Shipt information security team responded quickly and resolved the issue by removing the stale DNS records...
Shopify: DOM XSS via Shopify.API.remoteRedirect
Hi team, after I read report 422043, I found another postMessage listener that did not correctly verify the origin, leading to DOM XSS. Using the feature that a store theme can write JS, we can modify a theme with the following payload: function attack var...
Passit: password reset link not expired after changing the password
Hi, this is my first report and bug. I found the password reset link is not expired after changing the password by receiving my e-mail. Proof of Concept: 1. Go to https://app.passit.io/account/reset-password and ask for a password reset link. 2. Go to the email inbox. 3. Click the link from the inbox, example: // Recovery li...
Revive Adserver: Authentication Bypass by abusing Insecure crypto tokens in /lib/OA/Dal/PasswordRecovery.php
Hi, this is a fun bug I came across while doing a pentest for a client. After going through Revive Adserver's code for a few hours, I found this authentication bypass. This vulnerability seems to affect all versions, including the latest one. I was sent by one of your developers to report it here...
Chainlink: Testnet address being sent in cleartext as http://rinkeby.chain.link/ is missing SSL certificate
Summary: SSL certificate missing for page: http://rinkeby.chain.link/, which lets an attacker sniff sensitive information, in this case the user's testnet address, as it is being transmitted unencrypted in clear text. Description: http://rinkeby.chain.link/ is missing SSL encryption, data sent ov...
Nextcloud: Blind Stored XSS on iOS App due to Unsanitized Webview
Hi Team! I found a blind XSS that can be executed on the iOS app due to an unsanitized webview. Using this issue, an attacker can extract information from the victim. Steps To Reproduce: 1. Upload malicious HTML, share it to the victim 2. Wait for the victim to open it F487447 F487448 HTML payload attached, don't forget to change...
X (Formerly Twitter): Verify any unused email address
Summary: Verify any unused email address in twitter account Description: After signing up on twitter it's recommended for a user to verify his/her email address to avoid spam and impersonation, I was able to verify the email without having access to the email itself. Steps To Reproduce: It's a bi...
X (Formerly Twitter): Reports Modal in app.mopub.com Disclose by any user
Summary: I sent this report before and it was closed as "Informative", and I was asked to send a new report if more information was available for exploitation (544278). Description: Twitter allows "mopub" users to create reports, and each report gets a unique ID to reach it. The report information is displayed by...
Uber: Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance
@eequalsmc2 discovered that when requesting a ride, it was possible to intercept the request and forward it with 3 random characters at the end of the paymentProfileUuid parameter. This would cause the ride to disappear from both the Rider and Driver's trip history, the Rider would not be charged...
Pornhub: SSRF and local file disclosure by video upload on http://www.youporn.com/
The researcher was successful in exploiting a vulnerability in a 3rd party encoding library resulting in the execution of SSRF attacks and Local File Disclosure...
Pornhub: SSRF and local file disclosure by video upload on https://www.tube8.com/
The researcher was successful in exploiting a vulnerability in a 3rd party encoding library resulting in the execution of SSRF attacks and Local File Disclosure...
Starbucks: Subdomain takeover of mydailydev.starbucks.com
A subdomain of starbucks.com had a CNAME record pointing to an Azure Traffic Manager profile that @0xpatrik was able to claim...
Node.js third-party modules: [min-http-server] Stored XSS in the filename when directories listing
I would like to report Stored XSS in module "min-http-server". It allows injecting malicious scripts in the file name, storing them on the server, then executing these scripts in the browser via the XSS vulnerability. Module: module name: min-http-server version: 1.0.6 npm page:...
Node.js third-party modules: [http-file-server] Stored XSS in the filename when directories listing
I would like to report Stored XSS in module "http-file-server". It allows injecting malicious scripts in the file name, storing them on the server, then executing these scripts in the browser via the XSS vulnerability. Module: module name: http-file-server version: 0.2.6 npm page:...
Pornhub: SSRF and local file disclosure by video upload on https://www.redtube.com/upload
The researcher was successful in exploiting a vulnerability in a 3rd party encoding library resulting in the execution of SSRF attacks and Local File Disclosure...
Mail.ru: Full Path Disclosure
crisis.mail.ru revealed non-sensitive information, such as application installation path via error messages. crisis.mail.ru is a domain name delegated to partner service...
Node.js third-party modules: [http-file-server] List any files and sub folders in the folder by using path traversal.
I would like to report Path Traversal in http-file-server. It allows listing any files and subfolders in another folder of the web root. Module: module name: http-file-server version: 0.2.6 npm page: https://www.npmjs.com/package/http-file-server Vulnerability Description: http-file-serv...
Node.js third-party modules: [statichttpserver] List any file in the folder by using path traversal.
I would like to report Path Traversal in statichttpserver. It allows listing any file in another folder of the web root. Module: module name: statichttpserver version: 0.9.7 npm page: https://www.npmjs.com/package/statichttpserver Module Description: 'statichttpserver' is inspired by SimpleHTTPServer.p...
Node.js third-party modules: [serve-here.js] List any file in the folder by using path traversal.
I would like to report Path Traversal in serve-here.js. It allows listing any file in another folder of the web root. Module: module name: serve-here.js version: 1.1.3 npm page: https://www.npmjs.com/package/serve-here.js Module Description: Serve static files over HTTP Vulnerability...
Node.js third-party modules: [min-http-server] List any file in the folder by using path traversal.
I would like to report Path Traversal in min-http-server. It allows listing any file in another folder of the web root. Module: module name: min-http-server version: 1.0.6 npm page: https://www.npmjs.com/package/min-http-server Module Description: 'min-http-server' is a zero-configuration, lightweight...
QIWI: Nickname disclosure through web-chat
Nickname disclosure through web-chat...
Shopify: Reflected XSS
Hi team, I found a reflected XSS on the https://app.oberlo.com domain. Reproduce: Visit https://app.oberlo.com/auth?shop=%3C/noscript%3E%3Cimg%20src=x%20onerror=promptdocument.domain%3E in the latest version of the Firefox browser. You will see a popup like the attached screenshot: F485407 Tested in Latest...
Automattic: No rate limit on app.crowdsignal.com (Finish quiz)
Hello team, https://hackerone.com/reports/488923 -- vulnerability resolved. Maybe you can compare the report to start with this, but that vulnerability has been closed. This is a separate no-rate-limit error. This is not a duplicate bug. No rate limit on app.crowdsignal.com (Finish quiz). POC steps:...
New Relic: Stored XSS at APM key transactions list
Hey team, I have discovered an XSS firing at the APM key transactions list. Steps to reproduce: 1. Sign into APM with some account which can change the APM application name 2. Navigate to some app which has tracked key transactions, or switch on tracking of some of its transactions by...
U.S. Dept Of Defense: ████ - Complete account takeover
Summary: ███████ ██████████ was updated today 03/04, which includes a backend rewrite. Unfortunately, the new site is insecure and allows a password to be reset given only a username. This allows access to payment records for any DoD employee given only their username, which is commonly known...
New Relic: Stored XSS firing at the "Add chart to note" popup
Hey team, I have found that a request retrieving content for the "Add chart to note" popup is XSS-vulnerable. The following "Add to note" popup F484252 retrieves its content via the following request: http GET...
Node.js third-party modules: [larvitbase-api] Unintended Require
I would like to report an Unintended Require vulnerability in larvitbase-api. It allows loading arbitrary non-production JS files. Module: module name: larvitbase-api version: 0.5.3 npm page: https://www.npmjs.com/package/larvitbase-api Module Description: REST http API base framework based on...
GitLab: Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain
Summary: Hi, I found the new SCIM provisioning function allows any group owner in GitLab to create any user with a verified email address, i.e. I can create a user with email address [email protected], and gitlab.com will think [email protected] is verified already. This will bring problems to the clie...
HackerOne: View HackerOne challenge scope before challenge begins
Summary: Hi team, I have come across an issue where I am able to view a HackerOne challenge scope before the challenge begins. The issue here being that I can get an understanding of what the in-scope assets are before a challenge starts, allowing myself to start researching and finding bugs to...
Shopify: help.shopify.com Cross Site Scripting
Hello Security Team. Tested on Windows 10 with Microsoft Edge 44.17763.1.0 and Internet Explorer. Test URL: https://help.shopify.com/it/partners/resources/marketing-pack-for-accountants Payload: ?v0sjx'-alert1-'uyvvr=1 Proof URL: Open the URL in Edge or Internet Explorer, click "Condividi il tuo...
Vanilla: Spoofing the redirect process using RTLO
Hi team, Description: I was testing the subdomain rinkerboats.vanillacommunities.com and after some searching I found this path https://rinkerboats.vanillacommunities.com/home/leaving?Target=https://google.com/ which is used to redirect users to external websites. Now this is good because you...
HackerOne: Open Redirection in [https://www.hackerone.com/index.php]
You resolved the open redirect issue in report 439075. That report was publicly disclosed, but this issue works again at this time. When a user visits http://www.hackerone.com/index.php/index.php.evil.com the user will be redirected to www.hackerone.com.evil.com. Steps To Reproduce: Click on this link...
ownCloud: Remote Code Execution through Deserialization Attack in OwnBackup app.
I found a deserialization vulnerability in the OwnBackup app; this vulnerability allows executing remote code on the server. An administrator user could install the vulnerable app, or take advantage of this vulnerability if the OwnBackup application is installed. Below are the steps to properly...
Nextcloud: W3 Total Cache plugin multiple vulnerabilities
W3 Total Cache plugin version = 0.9.4.1 on https://nextcloud.com has multiple vulnerabilities. See the screenshot.png. Impact: Remote Command Execution, Unauthenticated Security Token Bypass, Unauthenticated Arbitrary File Read, etc...
LinkedIn: Access to resumes applied through LinkedIn Jobs
Vulnerability description not provided...
TomTom: Reflected XSS on www.tomtom.com
Summary: XSS on www.tomtom.com is very dangerous; if this vulnerability is misused by an attacker to steal cookies it will be fatal for other users. Proof of Concept: - I tried to visit https://www.tomtom.com/enau/search/ - Then, search using keyword: TEST" - I realized the double quote " is reflected - So,...
GitLab: DoS attack via comment on Issue
Summary: There is no limit to the number of characters in issue comments, which allows a DoS attack. The DoS attack affects both server-side and client-side. NOTE: This bug happens on GitLab.com. Steps to reproduce: Attack for Client-side 1. Sign in to GitLab. 2. Create a project as below: -...
Automattic: Insufficient DKIM record with RSA 512-bit key used on WordPress.com
What is DomainKeys Identified Mail (DKIM)? DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message. The...
curl: Heap Buffer Overflow at lib/tftp.c
Summary: A heap buffer overflow can occur at line 1114 in file lib/tftp.c due to the fact that state->blksize contains the default size instead of the one specified in the --tftp-blksize parameter. This bug could lead to a crash or maybe to RCE in the case the attacker also had a memory...
Valve: [CS:GO] Unchecked texture file name with TEXTUREFLAGS_DEPTHRENDERTARGET can lead to Remote Code Execution
Title: CS:GO Unchecked texture file name with TEXTUREFLAGS_DEPTHRENDERTARGET can lead to Remote Code Execution Scope: csgo.exe Weakness: Stack Overflow Severity: High (8.0) Link: https://hackerone.com/reports/550625 Date: 2019-04-29 17:52:46 +0000 By: @nyancat0131 Details: Summary A texture with lon...
ok.ru: [okmedia.insideok.ru] Web Cache Poisoning & XSS
XSS and Web Cache Poisoning at .insideok.ru via the X-Forwarded-Host header. Web Cache Poisoning & XSS okmedia.insideok.ru...
Vimeo: SSRF leaking internal google cloud data through upload function [SSH Keys, etc..]
Using our upload feature, the user was able to force an SSRF to occur. For more information you can read my writeup: https://medium.com/@dPhoeniixx/vimeo-upload-function-ssrf-7466d8630437...
Nextcloud: External Storage - WebDAV - New user has access to storage from deleted user (same user-ID)
Delete the existing user account "user3". Create a new user account "user3". Also reported on https://github.com/nextcloud/server/issues/15258. Impact: A newly created user with the same user-id as a deleted user has access to the external WebDAV storage configured for the deleted user...
HackerOne: Account recovery text message is sending a wrong domain to users.
Hey, I hope you're fine. Summary: When users set up Account recovery in the Authentication section, HackerOne sends them a text message to their updated phone number with a wrong domain link. Description: When users add a phone number at Account recovery, they get a text message on their phone number,...
Starbucks: Blind SQL Injection on starbucks.com.gt and WAF Bypass :*
Starting with a blind SQL Injection on http://www.starbucks.com.gt/menu/beverage/detail, @d3417 was able to dump schema on several database tables. Initially closed as N/A because of our exclusion on automated tools, reopened to investigate the data reported in the tables, and because the casual...