15275 matches found
Uber: Pre-auth Remote Code Execution on multiple Uber SSL VPN servers
format string vulnerability on /sslmgr with no authentication required Details: http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html...
Node.js third-party modules: [domokeeper] Unintended Require
I would like to report an Unintended Require vulnerability in domokeeper. It allows reading arbitrary JSON files and loading non-production code. Module: module name: domokeeper, version: 0.2.0, npm page: https://www.npmjs.com/package/domokeeper. Module Description: domokeeper server: a pluggable domotic...
Khan Academy: Account takeover by changing email
The endpoint /signup/email allows users to change their email before they confirm their account email. This endpoint is not protected from CSRF. Thus, any account that is not yet "confirmed" is vulnerable to account takeover using the following steps: 1. Attacker obtains new email address not...
U.S. Dept Of Defense: LFI with potential to RCE on ██████ using CVE-2019-3396
POC POST /rest/tinymce/1/macro/preview HTTP/1.1 Host: ██████ Content-Type: application/json Content-Length: 174 "contentId":"12345","macro":"name":"widget","body":"","params":"url":"https://www.youtube.com/watch?v=wHEHYJpCkpg","width":"300","height":"200","template":"file://../" Thanks, Ben Impac...
Ed: securitytemplate.site domain hijack
Hi, Security-template: I realized that your security-template project domain name seems to have expired; http://securitytemplate.site doesn't serve your content. Penultimate: I also found that it's possible to take over PenultimateIO's Twitter account. It seems that you have deleted the account,...
Open-Xchange: Another Stored XSS in mail app using Drive app
Vulnerability Details: When replying to a HTML E-Mail with specific payload, that payload could be executed as script code. The user would have to have HTML composing enabled to exploit this vulnerability. This vulnerability could happen as browsers incorrectly "fix" HTML content as demonstrated ...
Open-Xchange: Stored XSS in mail app
Vulnerability Details: When replying to a HTML E-Mail with specific payload, that payload could be executed as script code. The user would have to have HTML composing enabled to exploit this vulnerability. This vulnerability could happen as browsers incorrectly "fix" HTML content as demonstrated ...
WordPress: Add users to groups who have restricted group invites
Description: WordPress version: 5.2, BuddyPress version: 4.2.0. Through this vulnerability, an attacker could add users to groups who have set "I want to restrict Group invites to my friends only". There is no proper validation of the personal settings of the user and thus the users with such priva...
Open-Xchange: Another window.opener issue
Vulnerability Details: Appointment titles are rendered as hyperlink but were missing a protection against "tab nabbing". Risk: When following a hyperlink to a malicious website, the original tab location OX App Suite could be replaced with a URL chosen by the attacker. This can be exploited to...
Zomato: [Zomato for Business Android] Vulnerability in exported activity WebView
Hello, I want to report the vulnerability found. Since the following activity com.application.zomatomerchant.home.HomeSalt has exported="true", it can be exploited by another application. Application Information: Application: Zomato for Business, Package Name: com.application.zomatomerchant, Version:...
OLX: web cache deception in https://tradus.com lead to name/user_id enumeration and other info
Summary: Hi OLX team, I found a web cache deception vulnerability in https://tradus.com. With this vulnerability an attacker can gain access to the name of the victim user, the user ID and other information. Attack scenario 1: an attacker sends the victim a link to the malicious page like the PoC...
Open-Xchange: Memory corruption in imap-parser.c
Hello Dovecot devs, this is a report from Nick Roessler and Rafi Rubin. We are researchers at the University of Pennsylvania. We’ve been fuzzing Dovecot and have triggered some memory errors---this one is the most serious, and can be used for controlled indirect out-of-bounds writes into heap...
Lyst: [https://█████████/]&&[https://█████████/] Open Redirection
Summary: Hi Team, an attacker can redirect a victim to an external website using the https://████/account/login endpoint because the next parameter is not being validated properly. Affected URL: https://███/account/login/?next=///////////////////////////evil.com Steps to Reproduce: 1. Go...
Node.js: Vulnerability in http-parser & embedded NULL header handling
Due to a snafu in how [email protected] is setup to forward see https://github.com/envoyproxy/envoy/issues/5155, the following bug report was not made available prior to disclosure. For completeness, I'm providing the original e-mail below. Please note that this has been fixed in http-parser...
HackerOne: Unreleased CTF Levels are Revealed on /group/user/ID1?user=USERID endpoint
Summary: At this moment, the two new upcoming CTF levels for https://ctf.hacker101.com/ctf have not been revealed. However, an IDOR at the https://ctf.hacker101.com/group/user/ID1?user=USERID endpoint reveals them see attached screenshot Description: Steps To Reproduce 1. Create a group. 2. At th...
Zendesk: "Test target" of the "HTTP target" extension can unintentionally send username and password in the Authorization header
Summary: In certain conditions, the HTTP target extension is sending the username and password of the authenticated user testing the target in the test request's Authorization header as base64 encoded i.e. HTTP basic auth. I have graded this as a medium due to some mitigating circumstances browse...
Mail.ru: Reflected cross site scripting at https://auto.mail.ru/reviews/add_review/ via problems_text parameter.
Description: https://auto.mail.ru is vulnerable to XSS. It is possible for an attacker to inject arbitrary JavaScript into the application response. Steps to reproduce: 1. Open the below link in Firefox...
Starbucks: Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604)
l00ph0le discovered an endpoint on the Store Development Resource Center site at https://sdrc.starbucks.com/layouts/15/picker.aspx was vulnerable to a deserialization RCE in Microsoft Sharepoint per CVE-2019-0604. @l00ph0le — thank you for reporting this vulnerability, your patience while we...
Mail.ru: Path traversal, SSTI and RCE on a MailRu acquisition
Unpatched CVE-2019-3396 and few more in publicly accessible Atlassian Confluence instance in ESForce domain...
shopify-scripts: Buffer overflow in yywarning_s
PoC === The following demonstrates a crash: 300000000000000000000000000000000000000000000000E0030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Debug...
Lob: No Access Control
There is a "No Access Control" vulnerability identified in "lob-assets.com" in the Invoice section. Steps To Reproduce: Go to...
Coda: Lack of Origin check leads to Cross-Site Websocket Hijacking (CSWSH)
Summary: @fisher discovered a CSRF-related vulnerability in Coda docs by which an attacker could craft a convincing page that would make modifications to a specific document without the victim knowing. This is due to the inherent nature of Websockets not being secure by default. Although a...
pixiv: CSRF at https://chatstory.pixiv.net/imported
Summary: A CSRF in https://chatstory.pixiv.net/imported can trick users to import a novel of the attacker as the users' chatstory. Steps To Reproduce: 1. Attacker creates a novel 2. Go to the novel https://www.pixiv.net/novel/show.php?id=10997105 Import the novel as chatstory by clicking the...
Rocket.Chat: Custom crafted message object in Meteor.Call allows remote code execution and impersonation
The researcher found a vulnerability where an attacker could impersonate other users...
GitLab: Importing GitLab project archives can replace uploads of other users
Summary Importing a modified exported GitLab project archive can overwrite uploads for other users. If the secret and file name of an upload are known these can be easily identified for any uploads to public repositories, any user can import a new project which overwrites the served content of th...
New Relic: Stored XSS at APM apps labels autocomplete dropdown (apps listing)
Hey team, I have discovered the stored XSS vulnerability triggered at APM apps labels autocomplete dropdown. Only admins are able to add labels to apps, so it seemed to me that this XSS impact is "admin to owner" only. But I googled a little and stumbled upon the NEWRELICLABELS environment variab...
U.S. Dept Of Defense: Remote Code Execution - Unauthenticated Remote Command Injection (via Microsoft SharePoint CVE-2019-0604)
Summary: Microsoft recently released a patch for CVE-2019-0604. This vulnerability is caused by the Microsoft SharePoint application deserializing untrusted data from a user. This means an attacker can send a specially crafted/encoded parameter to a Microsoft SharePoint URL, and it will allow...
Shopify: Unpublished Product Images can be disclosed
Hi, this looks like a minor issue but it felt like something worth reporting. Ideally, a product can be published or remain unpublished on any sales channel. If a product remains unpublished, then no information regarding it must be visible to the public, including product pictures. But I found an...
Nextcloud: Combination of content provider allows private data disclosure
Good afternoon. Sorry, it's me again. I use NC on a daily basis so I often make some checks. As per 489105, document thumbnails shall not be disclosed. The exposure on thumbnailCache/ is an already known issue. However, malicious apps are still able to extract at least pictures and text files b...
Grammarly: Account takeover through the combination of cookie manipulation and XSS
Summary: A cookie based XSS on www.grammarly.com exists due to reflection of a cookie called gnarcontainerId in DOM without any sanitization. Normally, gnarcontainerId is being set by the server however a vulnerable endpoint at gnar.grammarly.com called "/cookies" allows us to manipulate cookies...
Mail.ru: Web Cache Poisoning
Reverse proxy cache poisoning via host header content could lead to stored XSS in uxui.geekbrains.ru...
EXNESS: [com.exness.android.pa Android] Universal XSS in webview. Lead to steal user cookies
Details: Package: com.exness.android.pa, Name: Exness, Version: 1.7.5-real-release. Description: A third-party app may use the exported activity to load any URL in the internal WebView. This leads to theft of cookies used in the trading app, including cookies of the payment system. Vulnerability description: Application has...
Node.js third-party modules: Server Side JavaScript Code Injection
I would like to report a Server Side JavaScript Code Injection in fastify. It allows an attacker that can control a single property name in the serialization schema to achieve Remote Command Execution in the context of the web server. Module: module name: fastify, version: 2.2.0, npm page:...
Shopify: Stored - XSS
Hello Security Team, I have found a Stored XSS vulnerability. POC: Step 1: Go to https://app.oberlo.com/suppliers Step 2: Click on any product; you will be redirected to a URL as I have given for example...
Zomato: [Zomato Order] Insecure deeplink leads to sensitive information disclosure
Hello, I want to report the vulnerability found. Since the following activity com.application.zomato.activities.DeepLinkRouter has exported="true", it can be exploited by another application. Application Information: Application: Zomato Order - Food Delivery App, Package Name:...
X (Formerly Twitter): Subdomain takeover on dev-admin.periscope.tv
Subdomain takeover on dev-admin.periscope.tv. I took over the subdomain and uploaded the index file index.html. Impact: Subdomain takeover on dev-admin.periscope.tv, dev-admin.periscope.tv/index.html, http://dev-admin.periscope.tv.s3-website-us-west-2.amazonaws.com/index.html...
VK.com: Information Disclosure (phpinfo())
Out-of-scope...
Starbucks: SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database
As described in the Hacker Summary, @spaceraccoon discovered a SQL Injection vulnerability in a web service backed by Microsoft Dynamics AX. @spaceraccoon demonstrated that the flaw was exploitable via XML-formatted HTTP payload requests to the server. We appreciate @spaceraccoon's clear and...
Starbucks: Reflected XSS in https://www.starbucks.com/account/create/redeem/MCP131XSR via xtl_amount, xtl_coupon_code, xtl_amount_type parameters
Hi, Summary: Reflected XSS. Description: the parameters are complementary to each other. Platforms Affected: my browser, Firefox 52.7.3. Steps To Reproduce: 1. Go to https://www.starbucks.com/account/create/redeem/MCP131XSR?xtlcouponcode=1&xtlcouponcode=81431&xtlamount=0.0&xtlamounttype=DOLLARVALUE 1...
Slack: Slack DTLS uses a private key that is in the public domain, which may lead to SRTP stream hijack
Affects: Janus DTLS certificate Description The Janus server in use by Slack is configured using a certificate and private key that were previously distributed by default. This certificate is used to authenticate the DTLS connection which is later used to exchange keys for the SRTP stream. As a...
Snapchat: Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata
Hey there, I was looking at your ads site with @daeken, we found some weird behavior in the import function of the creative app. Here are the steps: POC - Login to https://business.snapchat.com/ - Go to creative library - New Creative - Under "Topsnap Media", click on "Create" - Click on any of t...
Ubiquiti Inc.: UniFi Video v3.10.1 (Windows) Local Privileges Escalation to SYSTEM from arbitrary file delete and DLL hijack vulnerabilities.
Summary: UniFi Video v3.10.1 for Windows 7/8/10 x64 Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the windows...
Vanilla: Hidden Stored XSS in nested post embeds
Summary: Comments can be crafted in a way that when quoted will trigger a hidden stored XSS payload. Requires initial user interaction. Description: When quoting a comment, an attacker can edit the insert embed-external data url field to contain a string which when parsed, can result in the...
New Relic: Stored XSS firing if the error occurs when trying to delete the APM app
Hey team, I have discovered that when the user tries to delete the APM app and some error occurs, the error message contains the app's name, which is not sanitized properly. So the XSS is possible there under certain circumstances. The XSS payload is absolutely simple here, it can be like e.g...
Vanilla: Stored XSS in embedded posts containing images
Summary: Embedded posts containing images can be maliciously crafted to insert Javascript code to run on page load. Description: Steps to reproduce: 1. Ensure you are logged into an account (no special permissions are needed) 2. Navigate to any page with the richEditor component, e.g. any forum post...
New Relic: Stored XSS at APM applications listing
Hello team, I have discovered that the attacker which can create APM app or modify the existing app name can cause a stored XSS firing at APM apps listing page. There is a script like the following at the APM apps listing page: javascript window.applicationData =...
Automattic: WooCommerce: Persistent XSS via customer address (state/county)
Persistent XSS via customer address state/county ================================ CVSS ---- High 7.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Description ----------- The current version 3.5.7 of the WooCommerce WordPress plugin echoes the state/county of a customer in the admin backend withou...
Vanilla: Stored XSS in Profile Comments
Summary: The Profile Comments page, which is responsible for listing a profile's recent comments, is vulnerable to stored XSS as it renders the contents of recent comments without sanitizing them. Steps to reproduce: 1. Ensure you are logged in to a user account (no special permissions are needed) 2...
Vanilla: Stored XSS in Rich editor via Embed datetime
Summary: Rich embed posts can contain javascript URIs which when clicked will trigger javascript code. Description: Registered users can post content in forum posts, private messages and activity posts containing Rich embeds where the date/time of the embedded post when clicked, will trigger a...
Uber: Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system.
A website operated by an Uber vendor allowed any unauthenticated user to access pages within the site. Due to the site's purpose, this vulnerability could expose sensitive information. This was an interesting vulnerability, as the site did not have any sensitive information that I could find, but...