Internet Bug Bounty: Local Privilege Escalation during execution of VeraCryptExpander.exe (UAC bypass)
Summary: Your VeraCryptExpander.exe is vulnerable to a Local Privilege Escalation UAC BYPASS during execution. The issue is located here: https://github.com/veracrypt/VeraCrypt/blob/a108db7c85248a3b61d0c89c086922332249f518/src/ExpandVolume/VeraCryptExpander.manifest...
Node.js third-party modules: [harp] Path traversal using symlink
In reference to 453820 Module module name: harp version: 0.29.0 npm page: https://www.npmjs.com/package/harp Module Description zero-configuration web server with built in pre-processing Module Stats 2,679 downloads in the last week Vulnerability Path traversal using symlink. Vulnerability...
Passit: URL is vulnerable to clickjacking https://app.passit.io/
URLs do not have X-FRAME-OPTIONS set to DENY or SAMEORIGIN, and they are vulnerable to clickjacking. Reproduce steps: 1. enter your credentials and click on stay logged into this device then login 2. Run under the browser's code and you will see that the listed links are vulnerable to clickjackin...
50m-ctf: Writeup
h1 50M CTF. This is my solution for the h1 CTF. On the 27th of February h1 posted this tweet: Since there is no link nor any sort of challenge, I supposed the challenge is self-contained inside this tweet. My guess was the first clue is inside the embedded picture, and since the second o...
VK.com: Learning the new email of a user we invited after they change it, and also part of their phone number
Display of the email or part of the phone number of pages we invited. It was possible to use /invite.php?act=resend at any time after the invited user changed their email/phone - the new number could be obtained. It was also possible to add a not-yet-registered number - if someone on it...
Shopify: STAFF member with NO Explicit permissions can view `ActivityFeed` via GraphQL
Hi, This is similar to 95589. I noticed that ActivityFeeds are now being fetched by GraphQL call on Shopify. But from my testing, I noticed that a STAFF member with NO EXPLICIT permissions can fetch the store's activity feed by calling the vulnerable endpoint. STEPS 1. STAFF member is not assigned any...
Mail.ru: XSS
XSS via GET parameters in touch.cooking.lady.mail.ru touch.cooking.lady.mail.ru belongs to extended scope...
Internet Bug Bounty: CVE-2019-0196: mod_http2 with scoreboard Use-After-Free (Read)
A crafted HTTP2 request can trigger reference to request data from a memory pool after its destruction. This memory is subsequently used as input to an sprintf type function for constructing a string value. This unsafe memory access ultimately means that the r->the_request string is poisoned with...
U.S. Dept Of Defense: Request smuggling on ████████
Summary: Description: The sites at █████████ and ww.██████████ are vulnerable to backend socket poisoning which enables attackers to hijack responses to other users. This vulnerability occurs because the backend server regards \n as a valid header ending, whereas the backend only thinks \r\n is...
GitLab: Bypassing push rules via MRs created by Email
Hi GitLab Security Team, GitLab EE has the feature of so-called push rules. An administrator, or more fine-grained per project, the owner can create certain push rules. The goal of these push rules is to avoid pushing certain commits to the repository which violate one of the push rules. If a...
GitLab: Stored XSS in Wiki pages
Summary I found Stored XSS using Wiki-specific Hierarchical link Markdown in Wiki pages. Steps to reproduce 1. Sign in to GitLab. 2. Open a Project page that you have permission to edit Wiki pages. 3. Open Wiki page. 4. Click "New page" button. 5. Fill out "Page slug" form with javascript:. 6...
Starbucks: DOM XSS on app.starbucks.com via ReturnUrl
Summary: XSS can be achieved via the ReturnUrl when signing in on app.starbucks.com Platforms Affected: app.starbucks.com Steps To Reproduce: 1. Visit https://app.starbucks.com/account/signin?ReturnUrl=%09Jav%09ascript:alert(document.domain) 2. Sign in Supporting Material/References: F461364 How ca...
Node.js third-party modules: environment variable leakage in error reporting
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report the leak of...
Nextcloud: In Dockerized Environments, Failing to Read config.php Grants Any Anonymous User Full Admin Access
Consider this deployment: - Nextcloud is already installed in a Dockerized environment. - There are two Nextcloud containers running in the environment. - Both containers share the same MySQL database. - Both containers share the same data /var/www/html/data and config /var/www/html/config via...
Mail.ru: URL redirection
Open redirection in loot.my.com...
VK.com: Bypassing the link filter in story uploads.
Ability to attach an external link to a story...
Mail.ru: SSRF
SSRF via URI injection in hou.my.com...
Mail.ru: Source code disclosure
PHP configuration file was available for download on few terrhq.ru subdomains...
Mail.ru: phpinfo
phpinfo was available at terrhq.ru subdomain...
Mail.ru: Phpinfo
phpinfo was available at terrhq.ru subdomain...
Internet Bug Bounty: Apache HTTP [2.4.17-2.4.38] Local Root Privilege Escalation
Hello, I reported a Local Root privilege escalation vulnerability on Apache HTTPd at the beginning of the year. Apache has now patched it, as you can see here. The vulnerability affects mod_prefork, mod_event, and mod_worker, the most used mods on Linux. Basically, this is an arbitrary function call...
Mail.ru: [special.mail.ru] Information Disclosure
special.mail.ru was running misconfigured Laravel in debug mode, disclosing some sensitive information...
Mail.ru: SQL injection
SQL injection in gifts.mail.ru gifts.mail.ru is Mail.Ru branded partner project...
U.S. Dept Of Defense: Email PII disclosure due to Insecure Password Reset field
Summary: I revisited report 235041 and discovered the vulnerability isn't patched properly, as I was able to discover more emails I could glean. It appears the core mechanism allows anyone who knows specific names or user names to leak sensitive emails Description: This password reset field allows...
Lob: Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE
Summary: The Template Preview function allows users to render arbitrary HTML to a PDF document, this includes the ability to execute arbitrary Javascript. The HTML agent used to render the HTML is based on an old version of WebKit which has known security issues, for which public exploits and Pro...
New Relic: (Prerelease UI) Stored XSS via role name in JSON chart
When ████████ is released to the public, and you aren't someone like me who has to hack their way around to get access to it see: 520623 there will be a stored XSS in the chart builder section because of unsanitization of the role name when it is displayed as JSON within the chart visualization...
New Relic: Giving myself access to NR1 UI / one.newrelic.com without the proper feature flags on my account
@jonbottarini discovered a way to access the NR1 UI prior to it being generally available. This allowed him to test against and evaluate NR1 while it was still in a prerelease state. He describes the techniques used in this blog post. I used Burp Suite's match/replace rules to find this issue,...
New Relic: Full name of other accounts exposed through NR API Explorer (another workaround of #476958)
It's the gift that keeps on giving, and I've found another gift! Another way to find the full name of another New Relic user, without having them confirm their account and join your team. This time I make use of the New Relic API which pulls details for me through the /v2/users.json endpoint. Ste...
Versa Networks: Versa Director is susceptible to Command Injection attacks (e.g., SQL, LDAP, XML, Xpath)
In Versa Director, the command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data forms, cookies, HTTP headers etc. to a...
U.S. Dept Of Defense: SQL Injection in ████
Summary There is an SQL injection vulnerability in ████████ in the /█████/recruiter/updapp.aspx page, exploitable through the appid form parameter. Impact An attacker could use this vulnerability to control the content in the database, exfiltrate information, and obtain remote code execution...
Ubiquiti Inc.: Catch mails sent to an SMTP Server over SSL using an Evil SMTP Server
A malicious actor setting up an SMTP proxy server between the UniFi Controller and their actual SMTP server can record their SMTP credentials for malicious use...
U.S. Dept Of Defense: Trace.axd page leaks sensitive information
Summary Trace.axd leaks sensitive information on ██████████ by allowing signed in users to view previous requests sent to the webserver. Impact Information leaked includes but is not limited to: - full names - email addresses - social security numbers - dates of birth - plaintext passwords -...
Midpoint (European Commission - DIGIT): Attacker can read password from log data
Summary: Attacker can read plain text password from log data. Steps To Reproduce: 1. From application dashboard choose Users section, I simultaneously ran process hacker to see the process disk write and read behavior. 2. change the password of one of the users, and you see in process hacker wind...
Ruby on Rails: File writing by Directory traversal at actionpack-page_caching and RCE by it
I found a directory traversal in actionpack-page_caching. Some code may lead to RCE. https://github.com/rails/actionpack-page_caching/blob/master/lib/action_controller/caching/pages.rb#L143 ruby def cache_file(path, extension) if path.empty? || path =~ %r{\A/+\z} name = "/index" else name =...
Monero: Computing hash of crafted block leads to crash in tree_hash()
I'm not sure how to test this against an actual Monero instance, so I'm instead showing an isolated PoC: c include int main(void) cryptonote::block b = AUTO_VAL_INIT(b); for size_t i = 0; i ba(oss); std::string s; if ::serialization::serialize(ba, b) == true s = oss.str(); else return 0; // Uncomment t...
Ruby: Ruby is shipping a vulnerable jQuery
No, this isn't a report about the website! Ruby ships Darkfish as part of RDoc https://github.com/ruby/ruby/tree/HEAD/lib/rdoc/generator/template/darkfish https://github.com/ruby/rdoc/tree/master/lib/rdoc/generator/template/darkfish https://github.com/ged/darkfish Darkfish includes jQuery v1.6.4,...
X (Formerly Twitter): Protected Tweets setting overridden by Android app
Summary: Protected Tweets setting overridden by Android app Description: The Android app overrides the "Protect your Tweets" setting set from outside the app in some cases when changing other settings. Steps To Reproduce: 1. Log in to an account with unprotected tweets on the Android app. 1. Log ...
Uber: Publicly exposed HashiCorp Vault (Secrets management) at usec-gcp-staging.uberinternal.com & usec-gcp.uberinternal.com
The following two subdomains have been deployed and resolve: usec-gcp-staging.uberinternal.com, usec-gcp.uberinternal.com...
Lob: Disclosure of Internal IP address
Vulnerability: Internal IP address disclosure. I have found a similar report https://hackerone.com/reports/329791 Steps to Check. 1. Copy the link https://wp.lob.com/wp-json/wp/v2/pages. 2. You will get a JSON response. 3. In the JSON response, you will see a link...
Zomato: Sending Unlimited Emails to anyone from zomato mail server.
Summary: Zomato provides developers a way to get the rich data of restaurants from their API. https://developers.zomato.com/api But here there is a security issue that can be exploited against Zomato's Simple Email Server on AWS. Description: When we request the API key from Zomato they ask us for our ema...
PortSwigger Web Security: DLL Hijacking in Burp Suite Pro 2.0.19 Installer
I've found that the latest installer of Burp Suite Pro tries to load some DLLs from an unprotected folder. After providing it with admin privileges required to install it tries to load these DLLs: C:\Users\bortto\AppData\Local\Temp\e4jA5E5.tmpdir1553882416\jre\bin\WINMM.dll...
Nextcloud: SQLi allow query restriction bypass on exposed FileContentProvider
FileContentProvider is an exposed provider. As per its definition on https://github.com/nextcloud/android/blob/master/src/main/java/com/owncloud/android/providers/FileContentProvider.java, a limited set of data shall be exposed as per @L444: switch (mUriMatcher.match(uri)) case ROOT_DIRECTORY: case...
Mail.ru: LRF on shared.mail.ru due to "markdown" plugin
Markdown plugin in Atlassian Jira instance for external contractors was vulnerable to LFR vulnerability...
Mail.ru: RCE on shared.mail.ru due to "widget" plugin
Confluence widget connector vulnerable to CVE-2019-3396 was available on shared.mail.ru...
Valve: RCE on partner.steampowered.com
The vulnerability on partner.steampowered.com involved insufficient validation of parameters, which allowed an attacker to specify the name of a PHP function to call with specific parameter types. This could be exploited to call the assert function, which at the time invoked eval, enabling...
Mail.ru: Rails application running in development mode
autodiscover.staging.geekbrains.ru was running Ruby on Rails in development mode...
curl: libcurl: SMTP end-of-response out-of-bounds read - CVE-2019-3823
libcurl contains a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtp_endofresp isn't NUL terminated and contains no character ending the parsed number, and len is set to 5, then the strtol call reads beyond the allocated buffer. The read conten...
Mail.ru: Exposed sources
A GitLab repository with open-source projects was available from the external network on a geekbrains.ru subdomain. While no sensitive information was leaked, a decision was made to limit the access to eliminate possible risks in future...
Zomato: Bypassing the SMS sending limit for download app link.
Summary: Here an attacker can send the download link SMS to any number of people, bypassing the SMS rate limit imposed by Zomato. Description: Zomato provides an easy way for users to download their app when they are at the home page of Zomato's website. A user can send up to 15 SMS to themself...
Mail.ru: CSRF on /subscription_manage.php endpoint at allods.mail.ru
CSRF in https://allods.mail.ru allows to manage user's subscriptions. allods.mail.ru belongs to extended scope...