GitLab: JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions
The Quick Actions interpreter allows an attacker to reference a Project it does not have access to. The model attributes are then being serialized and returned to the user, which results in the Runner token both encrypted and unencrypted being returned to the user. This vulnerability is currently...
Node.js third-party modules: [md-fileserver] Path Traversal
I would like to report path traversal in md-fileserver module It allows an attacker to read system files via path traversal through commandline Module module name: md-fileserver version: 1.3.2 npm page: https://www.npmjs.com/package/md-fileserver Module Description Starts a local server to rende...
InnoGames: Race condition in activating email resulting in infinite amount of diamonds received
There was a race condition, in the registration process, that might have given the attacker an advantage in the game by gaining additional premium in-game currency without paying for it. Summary: This is an interesting critical race condition that might give the attacker an advantage in the game ...
HackerOne: Invited team member can disclose Slack channels
Summary: Hello, this report is similar to 505493, which is also still waiting for a response, but the accent is totally on another thing. I think it is important and should be fixed, and so I created a new report. An invited team member without any permission can disclose private channel names of the Slack integration. ...
Nextcloud: Missing DNSSEC
The nextcloud.com domain does not have DNSSEC enabled...
Central Security Project: c3p0 may be exploited by a Billion Laughs Attack when loading XML configuration
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Please refer to the example on our poli...
50m-ctf: LFI on Accounting server and RCE on FliteThermostat admin server
Summary: An attacker is able to download local files on the Accounting server due leveraging improper input sanitization in the Invoice PDF generator. In the same fashion an attacker is also able to issue server-side requests on the Accounting server through user-controlled CSS, possibly leading ...
Valve: Vulnerability in GoldSource Engine allows to upload and run an arbitrary DLL on client
Introduction Greetings. In GoldSource Engine there is a vulnerability that allows to run an arbitrary DLL on the client, using the flaws in the file downloading system. Description Part of the problem is hidden in the CLBatchResourceRequest function. This is a client function that is responsible...
Rockstar Games: DOM based XSS on /GTAOnline/tw/starterpack/
In this report the researcher identified a DOM-based XSS vulnerability impacting localized versions of the https://www.rockstargames.com/GTAOnline/ site in varying locations. This attack also took advantage of an Open Redirect vulnerability on another part of the site to demonstrate how an attack...
VK.com: Uploading videos to the main album of any public group/community.
Insufficient checks when uploading videos...
Nextcloud: Group admins can remove arbitrary data from "data" directory (including admin data)
Steps to reproduce: 1. Create a new user and make him an admin of an arbitrary group 2. Log in as this new user 3. Create a new user "files_external", "appdata_random-data", .. 4. Delete this user Result: The data/files_external / data/appdata_.. folder is removed. Solution: Prevent creation of users...
Nextcloud: Nextcloud domain and name of every user leaked to lookup server
Steps to reproduce: 0. Install and set up Nextcloud, optional: create a few random users 1. Apply the following patch to a standard Nextcloud server: patch diff --git a/settings/BackgroundJobs/VerifyUserData.php b/settings/BackgroundJobs/VerifyUserData.php index 56ebadff9c..76ed8b5ed3 100644 ---...
Nextcloud: Arbitrary SQL command injection
When querying for users on the lookup server any unauthenticated user could perform an SQL Injection...
Rockstar Games: DOM based XSS on /GTAOnline/de/news/article via "returnUrl" parameter
In this report, the researcher identified a DOM-based cross-site scripting vulnerability affecting localized versions of the GTA Online screenshots site, e.g. https://www.rockstargames.com/GTAOnline/jp/screens/. We have pushed out an update fixing this vulnerability so that it is no longer...
Omise: SSRF in webhooks leads to AWS private keys disclosure
Vulnerability Summary Omise makes use of Amazon AWS as their application environment. Due to a vulnerability in the way webhooks are implemented, an attacker can make arbitrary HTTP/HTTPS requests from the application server and read their responses. This is known as a server-side request forgery...
Node.js third-party modules: XSS in Bootbox
Hi. Sorry for taking the time with this report. This is an already publicly disclosed issue at https://github.com/makeusabrew/bootbox/issues/661 In essence all dialogs of bootbox are vulnerable to XSS injections bootbox.alert"\alert1;"; This is apparently a feature to allow injecting HTML in messages...
Node.js third-party modules: [increments] sql injection
I would like to report SQL Injection in increments. It allows creating fake polls. Module module name: increments version: 1.2.1 npm page: https://www.npmjs.com/package/increments Module Description Increment is a database-driven for creating polls and taking votes for various options, candidates...
Ubiquiti Inc.: EdgeSwitch Command Injection
In EdgeSwitch X v1.1.0 and prior, a privileged user can execute arbitrary shell commands over the SSH CLI interface. This allows execution of shell commands as the root user...
Mail.ru: Seven DOM-Based XSS Vulnerabilities | Execution in Login Sequence
DOM based XSS in tz.mail.ru tz.mail.ru belongs to extended scope I was able to exploit DOM XSS at the following endpoints. The vulnerability was exploitable on forbidden pages and the root cause lies in jquery. https://tz.mail.ru/a/ https://tz.mail.ru/a/js/ https://tz.mail.ru/www/...
GitLab: Persistent XSS in Note objects
Summary: Some cache invalidation and project import logic issues enable an attacker to import a project with XSS payloads in places like MR discussions and similar places where a Note object exists. Description: There are basically 3 issues causing the XSS here: All attributes of Note objects are...
50m-ctf: @ajxchapman 50m-ctf writeup
50m-ctf writeup TL;DR Flag is c8889970d9fb722066f31e804e351993, thanks for the challenge! Introduction My goal for this CTF was to primarily use tools and scripts that I had personally written to complete it. Throughout this challenge I used and extended my personal toolkit extensively. All the...
Omise: Public and secret api key leaked via omise github repo(owned by omise)
Found secret key of particular omise accounts! Functionality of the public and secret keys are described below: Public key The public key can be used to create tokens via javascript from your customers' browsers. This key can be safely exposed to the outside world. Secret key The secret key can be...
50m-ctf: CTF Writeup - c8889970d9fb722066f31e804e351993
CTF Code: c8889970d9fb722066f31e804e351993 HackerOne $50M CTF Write-Up ============ I came across this tweet announcing the HackerOne CTF for invitations to the HackerOne event in Vegas during DEFCON. I tried searching for a URL for the CTF, but couldn't find anything online, so I assumed that th...
VK.com: Viewing a deleted message from a group's private messages + the ability to forward it.
Insufficient checks when forwarding community messages...
Starbucks: Stored XSS on www.starbucks.com.sg/careers/career-center/career-landing-*
Summary: While enumerating the webpage for Starbucks I observed the following pages. https://www.starbucks.com.sg/careers/career-center/career-landing-5? The webpage has been heavily spammed by automated scanners or malicious attacks. By clicking on any of the pages it would redirect the user to a...
Chaturbate: DoS attacks utilizing camo.stream.highwebmedia.com
DoS attacks utilizing camo.stream.highwebmedia.com Summary The asset proxy at camo.stream.highwebmedia.com used to embed external images linked by users fails to enforce 1. a timeout on slow responses (if a little data is sent every 10 seconds, a kind of "reverse-slowloris" attack) 2. a size limit o...
Rockstar Games: xss on https://www.rockstargames.com/GTAOnline/jp/screens/
In this report, the researcher identified a Cross-Site Scripting vulnerability on the /GTAOnline/jp/screens/ section of the website. Cross-Site Scripting can be exploited to steal cookies or help perform other attacks. This was possible because the page would blindly decode and attempt to load an...
Node.js third-party modules: [deliver-or-else] Path Traversal
I would like to report path traversal in deliver-or-else module It allows an attacker to read system files via path traversal through commandline Module module name: deliver-or-else version: 1.0.0 npm page: https://www.npmjs.com/package/deliver-or-else Module Description Copy description from npm...
Node.js third-party modules: [file-browser] Inadequate Output Encoding and Escaping
I would like to report stored xss in file-browser module It allows an attacker to embed malicious js code as filenames, which gets executed once browsed to the file over the web browser Module module name: file-browser version: 0.0.5 npm page: https://www.npmjs.com/package/file-browser Module...
Node.js third-party modules: [untitled-model] sql injection
I would like to report VULNERABILITY in MODULE It allows DESCRIBE THE IMPACT OF THE VULNERABILITY - E.G READ ARBITRARY FILES, READ DATA FROM DATABASE ETC Module module name: untitled-model version: 1.0.5 npm page: https://www.npmjs.com/package/untitled-model Module Description Rapid sql query...
Nextcloud: Able to bypass "Device credentials" Lock
Prepare 1. Enable "Device credentials" lock via the settings. I'm using fingerprint in my case 2. Test if this works by closing the app and open it again. 3. If this works close the app again, do a force close to make sure the application is closed. The next steps need to be done quickly right...
Node.js third-party modules: [fileview] Inadequate Output Encoding and Escaping
I would like to report stored xss in fileview module It allows an attacker to embed malicious js code in a filename; there was no sanitization performed. Module module name: fileview version: 0.1.6 npm page: https://www.npmjs.com/package/fileview Module Description File browsers on web. It's easy to...
50m-ctf: `Cody trolled us all` h1-702 CTF write-up
Premise I usually don't play CTF challenges because they absorb me entirely. I cannot think of anything else but "I want that flag!". That said, this is going to be a long story: no princess, no dragoons, only a tweet. https://twitter.com/Hacker0x01/status/1100543680383832065 Level 0 - Nothi...
Automattic: DOM based XSS in the WooCommerce plugin
I have found a stored DOM based XSS in the order page of WooCommerce 3.5.6. The data input from the HTML elements named shippingstate and billingstate in the order page is output without escaping. When the victim reads the page containing the payload, it executes the script. Steps to reproduce 1. From a...
New Relic: Stored XSS in notes (charts) because of insecure chart data JSON generation
Hey team, I have discovered a vulnerability in the chart data JSON generation endpoint, when the chart is displayed inside a note, allowing an attacker to inject arbitrary fields into it and leading to stored XSS. The impact is higher than usual here because the payload remains after publishing a note so th...
Zomato: Open AWS S3 bucket leaks all Images uploaded to Zomato chat
Hey, Summary: The vulnerable bucket is ████images and we can use aws s3 ls s3://$bucketname/2019/1/ to retrieve all images uploaded in 2019 and in January. Similarly we can use different years and months to retrieve all images uploaded to Zomato Chat! The images can be accessed at...
50m-ctf: CTF Writeup
Hackerone 50m-CTF Writeup By VoidMercy Proof of Completion: c8889970d9fb722066f31e804e351993 Step 1: Twitter Post Image Steganography The 50M Hackerone challenge began with a tweet from @Hacker0x01. At first, I did not expect this tweet to be the start of the challenge, but little did I know, thi...
Unikrn: bypass Cloudflare Access on crm.mautic.com
Hi @unikrn! Hello, I see that when you switch to crm.unikrn.com, login attempts are filtered by Cloudflare Access to avoid brute-force account attacks, but we can bypass Cloudflare Access. Example: https://crm.unikrn.com/oauth/v2/authorizelogin Impact having accounts, we can easily get into t...
Dropbox: URL modification changes server side behavior to allow access
@itay658 discovered that adding "?dl=1" allows files to be downloaded, even if they were blocked with error 429. The bug has been fixed and pushed out...
Central Security Project: Pippo XML Entity Expansion (Billion Laughs Attack)
Maven artifact groupId: ro.pippo artifactId: pippo-jaxb version: 1.12.0 Vulnerability Vulnerability Description Pippo unsafely parses user provided XML. The fromString in the ro.pippo.jaxb.JaxbEngine class allows user provided DTDs that the rest of the XML may reference. This can lead to recursiv...
Node.js third-party modules: [typeorm] SQL Injection
I would like to report SQL Injection in typeorm. It allows reading data from database. Module module name: typeorm version: 0.2.14 npm page: https://www.npmjs.com/package/typeorm Module Description TypeORM is an ORM that can run in NodeJS, Browser, Cordova, PhoneGap, Ionic, React Native,...
Starbucks: Webshell via File Upload on ecjobs.starbucks.com.cn
Summary: OS Command Injection which can let the attacker get more important information about the server, such as disclosure of the internal source code of the webapp and database data, and invasion of the internal network. Description: I found that users can upload asp/aspx and other dynamic files via the avata...
Node.js third-party modules: [@azhou/basemodel] SQL injection
I would like to report SQL injection in @azhou/basemodel It allows attacker to read data from database. Module module name: @azhou/basemodel version: 1.0.0 npm page: https://www.npmjs.com/package/@azhou/basemodel Module Description Usage Initialization js var model =...
Monero: CryptoNote: remote node DoS
Summary: Remote node DoS. See patch below. Releases Affected: All Monero versions, including the recent v0.14.0.2. Possibly all CryptoNote implementations that aren't Zano. Steps To Reproduce: Since this is currently a theoretical attack, non-code PoC detailed in the patch below. Supporting...
Monero: (remote) exabyte allocation via load_from_binary() (DoS)
Changes introduced in commit b82efa32e can result in a denial of service if epee::serialization::portable_storage::load_from_binary is called with untrusted data. The 'reserve' method implemented here:...
Monero: RingCT malformed tx prevents target from being able to sweep balance
Summary: An attacker can send a malformed RingCT transaction to an attackee wallet that prevents the attackee from sweeping their wallet balance. This is done by the attacker changing the mask amount in genRctSimple with a modified wallet. The attacker does not need any intervention from the...
Hyperledger: Enrolling to a CA that returns an empty response crashes the node process
If a CA server responds with an empty response during enrollment, an exception is thrown in the event emitter on end. This is an uncaughtException and causes the containing node process to exit. To replicate: With the attached files, run: npm install node badCa.js & node index.js This starts a...
PortSwigger Web Security: Build fetches jars over HTTP
CWE-829: Inclusion of Functionality from Untrusted Control Sphere CWE-494: Download of Code Without Integrity Check PortSwigger maintains several Open Source Projects under the PortSwigger GitHub organization. Some of these projects contain build files that indicate that some of these projects ar...
Rockstar Games: image injection /screenshot-viewer/responsive/image (ANOTHER FIX BYPASS)
In this report, the researcher was able to identify an oversight in our input filtering put in place to fix previous findings in the screenshot-viewer utility on the main website. Thanks to this report, we were able to improve our solution to prevent bypasses such as this one...
Internet Bug Bounty: ChaCha20-Poly1305 with long nonces
This report relates to CVE-2019-1543, https://www.openssl.org/news/secadv/20190306.txt, which I reported to the OpenSSL maintainers a few days ago. OpenSSL accepts nonces for the AEAD cipher ChaCha20-Poly1305 of up to 16-bytes. This support is advertised in the OpenSSL documentation and via the...