JamieWeb: Security headers missed on https://acme-validation.jamieweb.net/
Summary: Hi JamieWeb team, the https://acme-validation.jamieweb.net/ domain doesn't present some important security headers. The X-DNS-Prefetch-Control header isn't specified with the value off, so it is enabled by default on modern web browsers and can lead to information disclosure...
ecobee: CSTI on https://www.ecobee.com leads to XSS
Summary: Hi EcoBee team, the https://www.ecobee.com domain is vulnerable to Angular injection via CSTI, which leads to XSS. Steps To Reproduce: 1. Go to https://www.ecobee.com/?s=x%20=%20%27y%27:%27%27.constructor.prototype;%20x%27y%27.charAt=.join;$eval%27x=alert/Mik/%27; 2. XSS executed...
Starbucks: XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx
Description: Hi guys, when I visited the Starbucks jobs website in China, https://ecjobs.starbucks.com.cn, I found a feature for uploading the user's photo. By bypassing the security restrictions of the upload, I can upload html|xhtml|xml|config files etc. The uploaded html file can realize the...
Starbucks: SSRF at ideas.starbucks.com
In this report, @damian89 identified a Server Side Request Forgery (SSRF) vulnerability on ideas.starbucks.com that allowed sending arbitrary HTTP requests and returned response bodies. The report went on to demonstrate how this flaw could be leveraged to use the vulnerable host as a proxy and...
Grammarly: DOM based CSS Injection on grammarly.com
Summary: An attacker can inject an external CSS file, which can lead to phishing attacks and XSS in older browsers. Description: Within the main.js file the following code exists: javascript t.prototype.componentWillMount = function var e = this.getCtx.nav.waypoint.query, t = e.extcss, n =...
Slack: URL filter bypass in Enterprise Grid
URL filter bypass in Enterprise Grid. Description: Slack Enterprise Grid seems to be able to add arbitrary columns to the profile of the account. In my company there is an おすすめランチ (My Favorite Lunch) column, and we can set the URL of the website and the display text. F429131 F429132 Only the http: or https...
X (Formerly Twitter): Twitter lite(Android): Vulnerable to local file steal, Javascript injection, Open redirect
Summary: com.twitter.android.lite.TwitterLiteActivity is exported and doesn't validate the data passed to its intent, due to which this activity is vulnerable to stealing users' local files, JavaScript injection and open redirect. Description: com.twitter.android.lite.TwitterLiteActivity is exported ...
U.S. Dept Of Defense: [████████] Reflected XSS
Hi! I found a reflected XSS in ███. This was due to the fact that the page did not have the necessary filtering of incoming parameters. Request: POST /█████/Directorate-of-Human-Resources/ HTTP/1.1 Content-Length: 4643 Content-Type: multipart/form-data; boundary=-----BoundaryUXGIMHUKLO Referer:...
HackerOne: DOM Based XSS in www.hackerone.com via PostMessage (bypass of #398054)
Summary The security fix by Marketo to resolve the issue reported by @adac95 in 398054 can be bypassed by purchasing an .ma domain for €60. Description The issues described by @adac95 in 398054 remain insufficiently resolved because of an inadequate security check by Marketo in the following piec...
GitLab: Full access to internal Gitlab instances at redash.gitlab.com, dashboards.gitlab.com, prometheus.gitlab.com
Summary: Lack of proper ticket-trick security leads to internal access on GitLab instances. I did not use support.gitlab.com; just using a [email protected] email was sufficient. Description: Getting a [email protected] Google Account. After the Ticket Trick attack that Inti reported and...
Nextcloud: User Editable nextcloud Wiki pages of Public Repositories
Summary: I have found that the "Edit" permissions of wiki pages are not disabled on the public repositories of Nextcloud. Generally, edit permissions are given only to the collaborators of a specific repository, but that is not the case with Nextcloud: it is publicly editable, which isn't right in...
Liberapay: Session Cookie without HttpOnly and secure flag set
This report was closed as informative because we decided that for this to be a significant concern, the reporter would have to chain this issue with something else such as cross-site scripting...
Nextcloud: XSS On Nextcloud Integrated with zimbra drive
Hello Team, there is a stored XSS in the Nextcloud plugin for Zimbra Drive. I integrated Zimbra with Nextcloud 13 and Zimbra Drive 0.8.20. Please see the attached file; I am waiting for your response. Best regards. Impact: Get sensitive data...
HackerOne: A small set of users were assigned someone else's payout preference
On December 20th, 2016, HackerOne introduced a new payout preference that allowed employee bounties to be paid through payroll. At the time, a feature was added to our support backend that allowed the IT department to provision this special payout preference for HackerOne employees. To help the I...
Smule: Error Page Content Spoofing or Text Injection
Description: Content spoofing, also referred to as content injection, "arbitrary text injection" or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, a...
Rockstar Games: Image Injection on /bully/anniversaryedition may lead to OAuth token theft.
In this report, the researcher identified an image injection issue on www.rockstargames.com/bully/anniversaryedition that could be combined with other vulnerabilities to result in sensitive token theft under certain conditions. We resolved the image injection issue, preventing this series of...
Versa Networks: Passwords Stored Insecurely
In Versa Director, Versa Analytics and VOS, passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgård construction such as MD5 and SHA-1 alone are insufficient in thwarting password...
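The Versa entry states the requirement without showing what it looks like in code. The following is an added example, not Versa's code or the reporter's: it puts an unsalted MD5 digest (the weak scheme the entry describes) beside PBKDF2-HMAC-SHA256 with a per-user salt and a tunable iteration count, and measures the offline guessing rate of each. The iteration count and the `pbkdf2_sha256$...` storage format are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Added illustration of the report's point, not Versa's code. The constant is an assumed value.
PBKDF2_ITERATIONS = 600_000   # work factor for PBKDF2-HMAC-SHA256 (assumed)


def legacy_hash(password: str) -> str:
    """The weak scheme the report describes: a bare Merkle-Damgard digest,
    no salt and no work factor. Equal passwords give equal hashes across users."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def kdf_hash(password: str, iterations: int = PBKDF2_ITERATIONS, salt: bytes = None) -> str:
    """Storage with an adaptive KDF: PBKDF2-HMAC-SHA256, a random 16-byte salt and a
    tunable iteration count, serialised as 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, key_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def guesses_per_second(hash_fn, seconds: float = 0.25) -> float:
    """Rough single-core offline guessing rate; shows why the work factor matters."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"Password{n}")
        n += 1
    return n / seconds


if __name__ == "__main__":
    # Same password, same MD5: a leaked table falls to a precomputed dictionary.
    print("md5 identical for two users:", legacy_hash("hunter2") == legacy_hash("hunter2"))
    # Same password, different PBKDF2 output because of the per-user salt.
    a, b = kdf_hash("hunter2"), kdf_hash("hunter2")
    print("pbkdf2 identical for two users:", a == b, "| verifies:", kdf_verify("hunter2", a))
    print(f"md5 guesses/s:    {guesses_per_second(legacy_hash):,.0f}")
    print(f"pbkdf2 guesses/s: {guesses_per_second(kdf_hash):,.2f}")
```

The `iterations` field is stored with the hash so the work factor can be raised later and old records re-hashed at next login; `compare_digest` keeps verification constant-time.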
U.S. Dept Of Defense: [█████] Get all tickets (IDOR)
In this report I want to describe an interesting vulnerability that allows you to extract tickets with personal data on the site. When a user registers a new entry, the user receives a link with a ticket number and a random 4-digit code. The vulnerability is that this code can be easily brute-forced, s...
New Relic: Password theft login.newrelic.com via Request Smuggling
Hi, The Rails application at login.newrelic.com is accessed through a proxy written in Golang, and an nginx server. By sending an ambiguous request, an attacker can desynchronize these servers, leaving the socket to the backend poisoned with a harmful response. This response will then be served u...
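The New Relic entry describes the desync in one sentence. The following added example (not the reporter's payload and not New Relic's code) simulates the classic CL.TE form of the ambiguity in Python: one hop frames the body by `Content-Length`, the next by `Transfer-Encoding: chunked`, so a trailing byte is left on the backend socket and is prepended to the next user's request. Which of the Go proxy and nginx took which side is not stated in the snippet; the pairing below and the `login.example` host are assumptions. `frame_strict` shows the front-end policy that removes the ambiguity by rejecting such requests.

```python
# Added CL.TE desync simulation; generic illustration, not the report's request.

def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 message into request line, [(name, value)] headers and the rest."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, rest


def header(headers, name: bytes):
    return [v for k, v in headers if k == name]


def frame_by_content_length(raw: bytes):
    """How a hop that honours Content-Length delimits the body."""
    req, headers, rest = parse_head(raw)
    cl = header(headers, b"content-length")
    n = int(cl[0]) if cl else 0
    return req, rest[:n], rest[n:]


def frame_by_chunked(raw: bytes):
    """How a hop that honours Transfer-Encoding: chunked delimits the same bytes."""
    req, headers, rest = parse_head(raw)
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")   # swallow the (empty) trailer section
            return req, body, rest                 # whatever follows stays on the socket
        body += rest[:size]
        rest = rest[size + 2:]                     # skip chunk data and its CRLF


def frame_strict(raw: bytes):
    """Front-end policy: refuse ambiguous framing instead of guessing."""
    req, headers, rest = parse_head(raw)
    cl, te = header(headers, b"content-length"), header(headers, b"transfer-encoding")
    if cl and te:
        raise ValueError("both Content-Length and Transfer-Encoding present; rejecting")
    if len(cl) > 1:
        raise ValueError("multiple Content-Length headers; rejecting")
    return frame_by_chunked(raw) if te else frame_by_content_length(raw)


# Constructed attacker request: Content-Length covers the 6 bytes "0\r\n\r\nG",
# but chunked framing ends the body at the zero-size chunk, leaving "G" behind.
SMUGGLED = (b"POST / HTTP/1.1\r\nHost: login.example\r\n"
            b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
            b"0\r\n\r\nG")

# Constructed request from an unrelated user that arrives next on the same backend socket.
VICTIM = b"GET /account HTTP/1.1\r\nHost: login.example\r\n\r\n"


def desync_demo():
    """Return (front-end leftover, backend leftover, request line the backend sees next)."""
    _, _, fe_left = frame_by_content_length(SMUGGLED)   # proxy forwards all 6 body bytes
    _, _, be_left = frame_by_chunked(SMUGGLED)          # backend stops at the 0-chunk
    poisoned_line = (be_left + VICTIM).split(b"\r\n")[0]
    return fe_left, be_left, poisoned_line


if __name__ == "__main__":
    fe_left, be_left, line = desync_demo()
    print("front-end leftover:", fe_left, "| backend leftover:", be_left)
    print("next request line at backend:", line)      # b'GGET /account HTTP/1.1'
    try:
        frame_strict(SMUGGLED)
    except ValueError as e:
        print("strict front-end:", e)
```

A one-byte prefix is enough to show the mechanism; in practice the leftover is a complete request prefix whose body swallows the victim's headers, which is how the entry's "password theft" follows from the desync.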
U.S. Dept Of Defense: [Critical] Full local fylesystem access (LFI/LFD) as admin via Path Traversal in the misconfigured Java servlet on the https://███/
Description: Hello. I discovered a Path Traversal issue on https://██████████/. I was able to turn it into local file read, and after a series of tests determined that it is possible to reach sensitive system files with administrator rights. POC: The next request will read the...
WordPress: Stored XSS in Post Preview as Contributor
Root cause: I noticed that get_the_content makes a preg_replace_callback after all other validation and sanitization has been performed. function get_the_content( $more_link_text = null, $strip_teaser = false ) { global $page, $more, $preview, $pages, $multipage; $post = get_post(); ... if ( $preview ) { // Preview...
Upserve : Open redirect on https://hq-api.upserve.com/
The returnto parameter on https://hq-api.upserve.com/auth/auth0?prompt=none&returnto= was not validated and allowed an open redirect...
Rockstar Games: Image Injection on www.rockstargames.com/screenshot-viewer/responsive/image may allow facebook oauth token theft.
In this report, the researcher identified an image injection vulnerability in our screenshot-viewer utility on rockstargames.com. One of the input parameters utilized was not being properly filtered, and external URLs could be referenced, allowing off-site images to be called. This issue was...
Notepad++: Command injection by setting a custom search engine
Summary: Arbitrary commands can be injected when using the "Search on Internet" function with a malicious custom search engine. The custom search engine can be set through the GUI or the config files, with different attack scenarios. Description: The "Search on Internet" context menu functionalit...
Notepad++: A stack buffer overflow in BabyGrid.cpp can lead to program crashes via a malicious localization file
Summary: A stack buffer overflow in BabyGrid.cpp can lead to program crashes via a malicious localization file, when opening the Shortcut Mapper sub-menu Description: Setting a very long name attribute for specific xml tags in the nativeLang.xml will trigger a stack buffer overflow, due to missin...
Mail.ru: Disclosure of information about completed operations
The History API in pandao.ru could disclose non-personalized data about last operations...
Mail.ru: Stored XSS on the page pubg.mail.ru/community
Stored XSS via stream name on https://pubg.mail.ru/community. At the time of reporting, XSS reports in the pubg.mail.ru extended scope are accepted without bounty. Stored XSS in the stream name at https://pubg.mail.ru/community...
GitLab: Blocked user Git access through CI/CD token
Summary A blocked user does not have the ability to utilise Git client operations, GitLab UI access or API access. However, a blocked user can still use Git clone/Git pull client commands if they are able to obtain a CI/CD token before being blocked. This allows them to access projects they are...
Mail.ru: PHP-FPM Status Page
PHP-FPM Status Page available on pubg.my.com...
GitLab: Persistent XSS via e-mail when creating merge requests
Summary: The vulnerability consists in the ability to create branch names that contain characters such as /. This branch name is sent via e-mail which is rendered as HTML. Description: One way to exploit this is by forking a repository. Then an attacker would create a branch called alert1 and mak...
Grammarly: Employee's GitHub Token Found In Travis CI Build Logs
Our Security Team was notified by researchers who identified a valid leaked GitHub token in Travis CI logs that allowed accessing a limited number of Grammarly repositories. We immediately revoked the token and conducted an investigation together with the GitHub support team. Based on the available...
Zendesk: Leaked artifactory_api_key via GitHub.
It was reported to Zendesk that a valid API key to an instance of Artifactory was unintentionally leaked via a public GitHub repository. We immediately rotated the key and investigated to ensure it was not utilized by any other party. We want to thank @rubyroobs for providing a detailed report...
Mail.ru: Cross site scripting vulnerability in JW Player SWF
Flash-based XSS in aw-xbox.my.com...
Mail.ru: XSS
Reflected XSS in vseapteki.ru via URI path...
Mail.ru: [XSS] iframe in payments/phones
XSS via request parameters in e.mail.ru mobile payment functionality...
Zendesk: Leaked artifactory_key, artifactory_api_key, and gcloud refresh_token via GitHub.
It was reported to Zendesk that valid credentials to an instance of Artifactory and a gcloud project were unintentionally leaked via a public GitHub repository. We immediately rotated the credentials and investigated to ensure they were not utilized by any other party. We want to thank @rubyroobs...
Vanilla: Stored XSS in vanilla
Summary: There is a stored XSS in the latest version 2.8 of Vanilla. An attacker with post privileges can trigger this. Description: In my last report, 481360, I found an XSS caused by Format. But in the latest version 2.8, the default Format of Discussion and Comment is Rich. In this Format, we can insert a...
Starbucks: Reflected XSS in https://www.starbucks.co.jp/store/search/
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Please indicate NA, if not applicable. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling...
Khan Academy: EMAIL SPOOFING
Hey KhanAcademy, I have found an Email Spoofing type of vulnerability in your website. An attacker can use your e-mail to send emails to others. Email spoofing is the creation of email messages with a forged sender address. Because the core email protocols do not have any mechanism for authentication, ...
U.S. Dept Of Defense: █████████ - Insecure download cookie generation allows bypass of CAC authentication, access to deleted and locked files
Summary: To download a file, ████ directs users to /██████████/Download.aspx and sets a cookie authenticating the download. The cookie looks like this: pickup=Subject=&PackageID=MTU4NDgzMTU=███ If an attacker can generate this cookie, this allows downloading a file. As it turns out, the generatio...
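Two of the DoD entries above turn on the same weakness: the authorizing secret is something the client can produce or enumerate. The ticket entry relies on a 4-digit code, and the download entry on a `pickup` cookie whose visible `PackageID` value, `MTU4NDgzMTU=`, is plain base64 (it decodes to `15848315`). The following added example, which is not the reporters' code and not the DoD applications' code, shows both: forging the unsigned cookie from any package number, enumerating the 10,000 possible codes against an unthrottled lookup (the snippet implies no throttling), and the hardened forms, an HMAC-signed cookie verified in constant time and a lookup with an attempt limit. The ticket numbers, records, `Sig` field and server key are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Server-side key for the hardened cookie; assumed for this example, generated per run.
SERVER_KEY = secrets.token_bytes(32)


def decode_package_id(b64: str) -> str:
    """The PackageID in the report's cookie is plain base64; decode it."""
    return base64.b64decode(b64).decode("ascii")


def forge_legacy_cookie(package_id: int) -> str:
    """Anyone who knows or guesses a package number can mint the unsigned cookie value."""
    encoded = base64.b64encode(str(package_id).encode("ascii")).decode("ascii")
    return f"Subject=&PackageID={encoded}"


def parse_fields(value: str) -> dict:
    return dict(part.split("=", 1) for part in value.split("&"))


def issue_signed_cookie(package_id: int, subject: str) -> str:
    """Hardened form: the server signs the fields with HMAC-SHA256 (hypothetical Sig field)."""
    payload = f"Subject={subject}&PackageID={package_id}"
    sig = hmac.new(SERVER_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}&Sig={sig}"


def verify_signed_cookie(value: str):
    """Return the fields if the signature is valid, else None."""
    payload, sep, sig = value.rpartition("&Sig=")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return parse_fields(payload)


class TicketEndpoint:
    """Ticket lookup keyed by ticket number plus a short code, as in the IDOR entry.
    max_attempts=None models the unthrottled endpoint; a number adds a lockout."""

    def __init__(self, tickets: dict, max_attempts=None):
        self.tickets = tickets          # ticket_no -> (code, record); constructed data
        self.max_attempts = max_attempts
        self.attempts = {}

    def fetch(self, ticket_no: str, code: str):
        if self.max_attempts is not None:
            n = self.attempts.get(ticket_no, 0) + 1
            self.attempts[ticket_no] = n
            if n > self.max_attempts:
                return "locked"
        stored_code, record = self.tickets[ticket_no]
        return record if hmac.compare_digest(stored_code, code) else None


def brute_force(endpoint: TicketEndpoint, ticket_no: str):
    """Enumerate all 10,000 four-digit codes; returns (record or None, attempts used)."""
    for guess in range(10_000):
        result = endpoint.fetch(ticket_no, f"{guess:04d}")
        if result == "locked":
            return None, guess + 1
        if result is not None:
            return result, guess + 1
    return None, 10_000


if __name__ == "__main__":
    print("PackageID decodes to:", decode_package_id("MTU4NDgzMTU="))
    print("forged cookie for a neighbouring ID:", forge_legacy_cookie(15848316))
    signed = issue_signed_cookie(15848315, "")
    print("signed cookie verifies:", verify_signed_cookie(signed) is not None)
    tickets = {"T-1001": ("7391", {"name": "constructed sample"})}   # constructed data
    print("unthrottled lookup:", brute_force(TicketEndpoint(tickets), "T-1001"))
    print("5-attempt lockout:", brute_force(TicketEndpoint(tickets, max_attempts=5), "T-1001"))
```

A lockout alone only slows the enumeration; the stronger fix for the ticket case is to replace the 4-digit code with a long random token (`secrets.token_urlsafe`) so the space cannot be walked at all, and for the download case to bind the signed cookie to the authenticated subject rather than leaving `Subject` empty.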
Node.js third-party modules: [url-parse] Improper Validation and Sanitization
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report Improper...
Internet Bug Bounty: Ubuntu Linux privilege escalation (dirty_sock)
Hi team, this week I have publicly disclosed the dirty_sock local root exploit affecting multiple Linux operating systems. Very detailed information on the vulnerability can be found in my blog posting here. And the exploit code can be found in my GitHub repository here. The vulnerability exists ...
Mail.ru: CSRF vulnerability allows taking out an interest-free loan for a cfire.mail.ru user
CSRF vulnerability in Crossfire cfire.mail.ru allowed forcing a user to request game credit. At the time of reporting, game/business logic vulnerabilities in cfire.mail.ru are not covered by the bug bounty program...
U.S. Dept Of Defense: █████ - Pre-generation of VIEWSTATE allows CAC bypass
Summary: As of today, ███ is back online https://███████. █████████ allows users to check a box labeled Require CAC for Pick-up. This option requires users to present their CAC in order to download files. As explained by ███: Choosing this option, however, does add a significant degree of assuran...
Mail.ru: XSS via the lang parameter in a POST request on light.mail.ru
Reflected XSS in light.mail.ru via request parameters...
Notepad++: Crash
1. Settings - Preferences - Print. 2. Insert A500 into the "Left part" field of the "Header" block (the full string to paste is in poc.txt). 3. Click "Add". 4. Crash. Crash info: 1c8.2dd8: Unknown exception - code c000041d (!!! second chance !!!) ERROR: Module load completed but symbols could not be loaded for npp.e...
Valve: Malformed .MDL triggers an Access Violation on GoldSRC (hl.exe)
A malformed player .MDL triggers an exploitable Access Violation on GoldSRC engine games (Half-Life) upon invocation, which could lead to remote code execution on a client. Crash Information: FAILURE_ID_HASH_STRING: um:invalid_pointer_write_exploitable_c0000005_hw.dll!createinterface Event Type: Exception...
Valve: Malformed .WAV triggers an Access Violation on GoldSRC (hl.exe)
A malformed .WAV triggers an Access Violation on GoldSRC engine games (Half-Life) upon invocation, which could lead to remote code execution on a client. Crash Information: Event Type: Exception Exception Faulting Address: 0x2469a000 First Chance Exception Type:...
Automattic: [FG-VD-19-022] Wordpress WooCommerce Cross-Site Scripting Vulnerability Notification
Subject: FG-VD-19-022 Wordpress WooCommerce Cross-Site Scripting Vulnerability Notification Dear Automattic, Fortinet's FortiGuard Labs have discovered a security issue in your product WooCommerce on 02/13/2019. We estimate its risk level is 2, on a scale of 1 lowest to 5 highest, in terms of its...
Ian Dunn: XSSI: Quick Navigation Interface - leak of private page/post titles
CVSS: Medium 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). Description: The Quick Navigation Interface plugin includes the names of all posts and pages in an automatically generated JavaScript file. By including this file in their own page, an attacker can view all post titles -...