15275 matches found
Mail.ru: [authdl.mail.ru] Spoofing IP address
Client IP address could be spoofed via X-Forwarded-For headers in authdl.mail.ru. While no direct impact was identified, this issue could potentially lead to issues with logging, limitations or ABF protection...
New Relic: Stored XSS firing at transaction map (applicationName field)
Hey team, I have discovered the stored XSS vulnerability which is triggered at transaction map. The transaction map is retrieved via GET-request to the URL like https://rpm.newrelic.com/accounts/2319495/applications/143826822/transactions/2877762416/transactionmap. The response contains the...
GitLab: Clientside resource Exhausting by exploiting gitlab math rendering
Summary based on the documentation gitlab markdown is supporting math expression rendering using KaTeX and able to run subset syntax from LaTeX this could be achieved by using 2 ways in the markdown for inline and for multiline. F476662 Steps to reproduce Step-by-step guide to reproduce the issue,...
Khan Academy: Users can make accounts with a fake email address.
A valid email address is not required to create a Khan Academy account. We do not consider this a security vulnerability...
Ping Identity: Internal Hostname disclosure from multiple Apache servers via blank host header method
This vulnerability was due to a general misconfiguration of Apache servers; this is a good example of the importance of "Secure Defaults" in open-source projects. An example of a generic request and response would be: openssl s_client -connect apache.example.com:443 GET apache.example.com/foo...
Mail.ru: [web.icq.com] Stored XSS in "О Контакте" (About Contact)
Stored XSS via contact info in web.icq.com...
Trint Ltd: IDOR in changing shared file name
Summary: Hi Trint LTD, I have found an IDOR vulnerability in https://app.trint.com . A user can change shared file names through this IDOR. Steps To Reproduce: 1. Create a file from account B 2. Capture the request of renaming the file as shown in sample request 3. Create a file from account A an...
curl: An integer overflow found in /lib/urlapi.c
Summary: libcurl contains a heap-based buffer overrun in /lib/urlapi.c. A similar issue to CVE-2018-14618. Steps To Reproduce: analysis I found a potential integer overflow which may lead to a buffer overrun in /curl/lib/urlapi.c. In function seturl, urllen was multiplied by 2 and then passed to...
ok.ru: [okl.lt] Disclosure of administrator functions in .js + ability to use these functions.
@iframe reported insufficient authorization at okl.lt which allowed regular users to perform actions intended to be accessible to administrators only. This vulnerability was aggravated by the fact that administrators-only API could be reverse-engineered from the HTML code...
Nextcloud: Remote Code Execution via Extract App Plugin
Hi, I found a critical issue in the Add-on "Extract" listed in the Nextcloud Marketplace: https://apps.nextcloud.com/apps/extract This extension can be installed directly from Nextcloud Application The vulnerability was found in file: extract/lib/Controller/ExtractionController.php line 102. The...
Open-Xchange: Two heap use-after-free errors in IMAP operations
Summary ======= We’ve found two heap use-after-free errors, one in lib-storage/index/index-storage.c: indexcopycachefields and one in lib-index/mail-index-sync-update.c: mailindexsyncrecordreal. Error 1: indexcopycachefields ---------------------------------------------- This error involves two...
Mail.ru: Stored xss on message reply
XSS on message reply via double click functionality in web.icq.com...
RATELIMITED: HTTP PUT method is enabled downloader.ratelimited.me
Summary: Found on HTTP PUT sites enabled on web servers. I tried testing to write the file / codelayer137.txt uploaded to the server using the PUT verb, and the contents of the file were then taken using the GET verb Steps To Reproduce: Request: PUT /codeslayer137.txt HTTP/1.1 Host:...
ZEIT: Reflected DOM-Based XSS On Due Lack Filter On Parameter ?next
Summary: Hello I found that the parameter next lacks filtering, allowing the attacker to exploit this vulnerability to redirect users to a malicious site + The Attacker Can Exploit this bug to redirect the user to Malicious Site + The attacker can execute JavaScript code in the user browser Becaus...
curl: Github wikis are editable by anyone #Githubwikistakeover
Hey Curl, Github wiki on the following project, https://github.com/curl/curl/wiki can be edited by any logged in user in the system. This poses security and reputation risk for the company. As per your policy, I did not edit any of the wiki :- Regards, @MSRC29 Impact As wikis listed above can be...
Ubiquiti Inc.: Privilege Escalation From user to SYSTEM via unauthenticated command execution
The vulnerability, or feature depending how you look at it, is the ability to execute commands using the evostream API interface that is exposed on localhost:7440. Since the evostream service is running as SYSTEM a user can use the launchprocess command,...
Mail.ru: Cross-site Scripting (XSS) - Stored in ru.mail.mailapp
A leftover debug code for XSS protection was causing "alert1" execution in the case of XSS vector; XSS vector itself was not executed...
U.S. Dept Of Defense: [Critical] Possibility to takeover any user account #2 without interaction on the https://██████████
Description Hello. This time I discovered a way to takeover any user's account via unsafe password reset. This time it's much easier than 1 way in the 543678 report. When a user requests the password reset, the following link comes to the email: https://█████/resetpassword.aspx?ru=userid&op=token The...
X (Formerly Twitter): IDOR and statistics leakage in Orders
Description: Twitter on its service "MoPub" statistics dedicated to the results of "Order", after the test shows that the endpoint "https://app.mopub.com/web-client/api/orders/stats/query" is infected with a "IDOR " bug Which led to the leak of private statistics "Orders" by another users Steps T...
Valve: [Source Engine] Material path truncation leads to Remote Code Execution
Title: Source Engine Material path truncation leads to Remote Code Execution Scope: .exe Weakness: Improper Input Validation Severity: High 7.1 Link: https://hackerone.com/reports/544096 Date: 2019-04-20 12:18:09 +0000 By: @nyancat0131 Details: Summary The handler of matcrosshairedit command...
Monero: Excessive Resource Usage
Summary: Unbounded resource usage due to open one file descriptor per connection, Python script below is effectively a threadbomb on the destination and uses all available memory on the server, clients not sending anything are never terminated. Steps To Reproduce: Up our daemon % monerod Check if...
8x8: Sensitive data disclosure via exposed phpunit file
Several domains with the development phpunit configuration files exposed without proper restrictions...
Dropbox: Algorithmic complexity vulnerability in ZXCVBN leads to remote denial of service attack
@davidrenardy discovered that the ZXCVBN algorithm is quadratic in time complexity, which implies that the user can submit an arbitrarily long password to the library, leading to a potential denial of service attack if performed at scale. Given how ZXCVBN is used at Dropbox, we accept the Denial ...
Revive Adserver: Deserialization of Untrusted Data in www/delivery/dxmlrpc.php
An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize call on the first parameter in the "pluginExecute" RPC method. Impact Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP...
Uber: Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter
It was possible for an attacker to insert another user’s UUID into the userUuid POST parameter when making a request to https://bonjour.uber.com/marketplace/rpc?rpc=getConsentScreenDetails, allowing them to retrieve personal data from the victim user’s account, as well as the user's mobile auth...
Shopify: Cross Site Scripting at https://app.oberlo.com/
1- create an account from https://app.oberlo.com/ 2- path to https://app.oberlo.com/settings/account/profile 3- inject javascript code or xss payload at Name form 4- it will be printed at page and executed payload that i used it " Impact This vulnerability can be used by attacker to serve malicio...
Valve: Malformed NAV file leads to buffer overflow and code execution in Left4Dead2.exe
Summary In the parsing routines of NAV files which contain the navigation mesh used by the AI for survivor bots, zombies, and the AI director spawning system a buffer overflow exists which can be used to control the EIP register and takeover code execution. Proof-of-Concept 1. Download the attach...
ZEIT: CSRF On Connect Account With Github Lead To Account Takeover
Summary: Hi I found it as the endpoint of Connecting the account with the github account vulnerable to CSRF attack because of the lack of endpoint protection against CSRF attack The attacker Can exploit this vulnerability to force users to link their account with his or her github account, which ...
ZEIT: [Fix Bypass #541631] Open redirect on Signup
Some signup and login paths did not verify the ?next= query param properly and allowed an open redirect with a carefully crafted invalid URL. It is standard practise to use a redirect query param in login and signup endpoints but the value should be carefully validated before accepting to redirec...
pixiv: Open redirect protection (https://www.pixiv.net/jump.php) is broken for novels
Summary: I found that pixiv has an open redirect protection, any external link in illustration is converted to https://www.pixiv.net/jump.php?. For example https://i3mx4usociis8twimpcu2ty0erkh86.burpcollaborator.net/abc in https://www.pixiv.net/memberillust.php?mode=medium&illustid=74148892 is...
Mail.ru: [geekbrains.ru] CVE-2019-5418 Ruby on Rails File Content Disclosure
Unpatched CVE-2019-3396 in geekbrains.ru...
ZEIT: Stored XSS in profile page
Summary: There is a stored XSS vulnerability in the user's profile page. Steps To Reproduce: 1. Go to https://zeit.co/login and login. 2. Go to https://zeit.co/profile/username/edit 3. Enter any value in the field which shows name 4. Intercept it in Burp and send it to repeater. 5. Then change the na...
Hiro: Blockstack Browser For Mac leaks "Core API Password" to 3rd parties
Hi Blockstack! 😃 I noticed that BlockStack Browser for Mac version is leaking the CoreAPIPassword via Referer Header to several websites: appco.imgix.net a third party site! F471236 api.app.co seems to have some blockstack affiliation? F471235 browser-api.blockstack.org F471237 Steps to Reproduce...
ZEIT: Stored XSS on Zeit.co user profile
Hello team, There is a possibility to have a stored XSS in user profile. Steps to reproduce: 1. Go to zeit.co 2. Click on "Join for free" at the top right side of the page to go to https://zeit.co/signup 3. Select "Continue with GITLAB" note that you must have your Gitlab account logged in 4. Cli...
ZEIT: Stored Cross-site scripting
Stored Cross-site Scripting in https://zeit.co the steps in the video Impact steal an accounts cookies and more...
ZEIT: Gitlab Oauth Misconfiguration Lead To Account Takeover
Summary: Hello I found that you did not specify which link to redirect with Token Gitlab Allowing the attacker to exploit this vulnerability to force the user to redirect his Gitlab Token To the attacker's site , And Take Over The Account of user Steps To Reproduce: 1. Access To...
Shopify: [Privilege Escalation] Shopify Admin -- Permission from Settings to Customer
Hi, This is my first report to shopify, hope this report is not too bad considering the fact I can't verify this finding since I don't have shopify plus access. Summary This page talks about the multipass, and quoting from the multipass page FAQ Security considerations If your secret ever leaks...
Node.js third-party modules: [https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection
I would like to report a man-in-the-middle vulnerability in https-proxy-agent. It allows an attacker with access to the network firewall or targeted proxy server to obtain secrets e.g. a HTTP basic auth header from the client trying to send HTTPS traffic via HTTP proxy. Module module name:...
Node.js third-party modules: A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module for decoding
I would like to report a buffer over-read in mqtt-packet respectively BufferList module. It allows triggering an out of range read on a buffer which throws a RangeError. MQTT Brokers like mosca and aedes using this module can be forced to crash by sending a specifically malformed MQTT Subscribe...
TomTom: Exposed Git Repo at http://betaforum.tomtom.com/.git/{subfolders}
Dear Security team, I found a git repository on http://betaforum.tomtom.com/.git. This endpoint allows an attacker to retrieve much of the source code and git history for this service which could potentially reveal sensitive information, it all depends what is stored there. Example: 1...
TomTom: Apache mod_status /server-status Information Disclosure
Description It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current hosts and requests being processed, the number of workers idle and service requests, and CPU...
Starbucks: Reflected XSS on card.starbucks.com.sg/unsubRevert.php via the 'ct' Parameter
gnux discovered a reflected XSS in https://card.starbucks.com.sg/unsubRevert.php due to an unsanitized user-input via the ct parameter. @gnux— thank you for reporting this vulnerability and confirming the resolution...
GitLab: GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery
Summary The GitLab::UrlBlocker IP address validation methods suffer from a Time of Check to Time of Use ToCToU vulnerability. The vulnerability occurs due to multiple DNS resolution requests performed before and after the checks. This issue allows a malicious authenticated user to send GET and PO...
Valve: GetGlobalAchievementPercentagesForApp is missing the same release checks as GetSchemaForGame
GetGlobalAchievementPercentagesForApp API method can be used to reveal achievement names/percentages for games that have not been released yet. This is not a problem with GetSchemaForGame method, which leads me to believe the other method is missing all the relevant checks...
GitLab: Access Projects And create projects in gitlab pre production server
Steps to reproduce Go to https://pre.gitlab.com Here any one can register and can view the pre production projects of gitlab developers. I have registered in https://pre.gitlab.com/users/signin and have created one test group and test project go to https://pre.gitlab.com/explore/groups i have...
TomTom: Anonymous user login to Nexus Repository Manager
Hello, By default the Nexus Repository Manager has two login users one is admin and the other is anonymous. The default password for the user "admin" is admin123 The default password for the user "anonymous" is anonymous On your Nexus Repository Manager the password for the user admin has been...
TomTom: Reflected Cross Site Scripting vuln in tomtom.com
Hello Tomtom security team I found a reflected cross site scripting security vulnerability in tomtom.com https://www.tomtom.com/nlnl/search/?q=27%22--%3E%3CDetails%20Open%20OnToggle=confirmdocument.domain%3E This payload when loaded displays the domain the XSS vulnerability occurs in www.tomtom.c...
Starbucks: Reflected XSS on card.starbucks.com.sg/unsub.php via the 'ct' Parameter
gnux discovered a reflected XSS in https://card.starbucks.com.sg/unsub.php due to an unsanitized user-input via the ct parameter. @gnux— thank you for reporting this vulnerability and confirming the resolution...
TomTom: CSRF allows attacker to manage customer's shopping cart.
The following endpoint https://www.tomtom.com:443/enus/store/basket-add.html had no CSRF checks / tokens whatsoever, which allows a malicious user to add massive amounts of any product to a victim's cart or empty the cart. the CSRF POC file included adds 50 items of the giving product the a...
Automattic: Wordpress VIP leaks email of the test a/c
I was testing learn.fb.com and I came to know that its wp-json is open, and when I saw all the routes of the website I got to know that one endpoint is leaking their internal email address. The endpoint is as follows: https://learn.fb.com/wp-json/th/v1/usergeneration The issue has been fixed...