Valve: Malformed .WAV triggers an Access Violation on GoldSRC (hl.exe)
A malformed .WAV triggers an Access Violation on GoldSRC engine games Half-Life upon invocation, which could lead to remote code execution on a client. Crash Information ------------------ Event Type: Exception Exception Faulting Address: 0x2469a000 First Chance Exception Type:...
Automattic: [FG-VD-19-022] Wordpress WooCommerce Cross-Site Scripting Vulnerability Notification
Subject: FG-VD-19-022 Wordpress WooCommerce Cross-Site Scripting Vulnerability Notification Dear Automattic, Fortinet's FortiGuard Labs have discovered a security issue in your product WooCommerce on 02/13/2019. We estimate its risk level is 2, on a scale of 1 lowest to 5 highest, in terms of its...
Ian Dunn: XSSI: Quick Navigation Interface - leak of private page/post titles
CVSS ---- Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Description ----------- The Quick Navigation Interface plugin includes the names of all posts and pages in an automatically generated JavaScript file. By including this file in their own page, an attacker can view all post titles -...
WordPress: Reflected XSS: Taxonomy Converter via tax parameter
CVSS ---- Medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Description ----------- The Taxonomy Converter that is listed on the Official WordPress plugins page is vulnerable to reflected XSS as it echoes the tax parameter without encoding. POC ---- &step=2" method="POST" enctype="text/plai...
PuTTY (European Commission - DIGIT): Assertion `len == 1' failed, process aborted while streaming output from remote server
Summary: During the course of testing putty-0.70-2019-02-12.75dda5e on Fedora 29 compiled with clang version 7.0.1 Fedora 7.0.1-1.fc29, we discovered it was possible to abort a remote client by streaming data at it in such a way as to trigger an assertion failure. putty: unix/gtkwin.c:3801: void...
GitLab: Know whether private project name exists or not within a group using link comments
Summary: Hello, It is possible for anyone to know if a private project exists or not in public/private groups if they can guess the project names correctly. Description: Using the markdown feature, we can form a comment which will allow us to know if the private project exists within a group or not...
Internet Bug Bounty: CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host
description here: https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html PoC: https://github.com/q3k/cve-2019-5736-poc Some more links: https://seclists.org/oss-sec/2019/q1/119 https://access.redhat.com/security/cve/cve-2019-5736 Impact It allows to escape from container t...
Notepad++: No SearchEngine sanitizing can lead to command injection
Information: Summary: Notepad++ is vulnerable to a command injection vulnerability. Debug Info: Notepad++ v7.6.3 32-bit Build time : Jan 27 2019 - 17:20:30 Path : C:\Program Files x86\Notepad++\notepad++.exe Admin mode : ON Local Conf mode : OFF OS : Windows 10 64-bit Plugins : none Description:...
Notepad++: Insufficient sanitizing can lead to arbitrary commands execution
Information: Summary: Notepad++ is vulnerable to a command injection attack. Debug Info: Notepad++ v7.6.3 32-bit Build time : Jan 27 2019 - 17:20:30 Path : C:\Program Files x86\Notepad++\notepad++.exe Admin mode : ON Local Conf mode : OFF OS : Windows 10 64-bit Plugins : none Description: Let's...
GitLab: Inadequate cache control in gitter allows to view private chat room
Hi Gitlab, Summary: I have found an inadequate cache control vulnerability in Gitter. Description: You can use the backspace button to get full access to the account. There is no cache control and the browser saves sensitive information of a private chat room. This report is influenced by the...
InnoGames: Information disclosure via ".htaccess" at https://login.innogames.de
Hi team, I found an insecure file. Name: .htaccess. Normally, only the web server is allowed to read the .htaccess file, but in this case, it appears that there is a misconfiguration that is causing the contents of the .htaccess located at https://login.innogames.de/.htaccess to download as a file and read...
X (Formerly Twitter): CSRF on https://www.niche.co leads to "account disconnection"
The researcher discovered that Niche’s CSRF protection was broken and that an attacker could trick a logged-in user into deleting existing network connections under the network/ endpoint...
X (Formerly Twitter): CSRF and probable account takeover on https://www.niche.co
The researcher discovered that Niche’s CSRF protection was broken and that an attacker could trick a logged-in user into changing account information under the /account endpoint, including email address. This would not have enabled account takeover, however, since Niche does not handle account...
HackerOne: report id is exposed for undisclosed reports in Hacktivity
Summary: This is similar to https://hackerone.com/reports/127620 where the report Id of undisclosed report is visible on graphql query Description: The new hacktivity graphql query includes undisclosed reports, but part of the query result is the report id which is included in private information...
GitLab: Privilege escalation from any user (including external) to gitlab admin when admin impersonates you
Summary: Hey team, I have discovered a way for any logged-in user (attacker) to escalate his privileges to gitlab administrator if the real gitlab administrator impersonates the attacker's account. Description: When the gitlab admin impersonates some user, he gets a new gitlabsession cookie and then...
HackerOne: Partial report contents leakage - via HTTP/2 concurrent stream handling
Summary: The concurrent handling of HTTP/2 streams allows for a "timeless timing attack": instead of timing, the ordering of responses is used, making the attack resilient to network jitter. As the /bugs.json endpoint takes slightly longer to process when a query returns results, it is possible t...
Postmates: Web cache poisoning attack leads to user information and more
Hello, Your web server is vulnerable to web cache poisoning attacks. This means that an attacker is able to get another user's information. If you are logged in and visit this website, for example: https://postmates.com/SomeRandomText.css then the server will store the information in the cache,...
U.S. Dept Of Defense: [https://███] Local File Inclusion via graph.php
Summary: There exists a Local File Inclusion vulnerability on https://████ due to a known vulnerability in the ZendTo library. This was fixed in Version 5.16-6 Beta, although ██████ is still running ZendTo 5.11. Impact This allows path traversal in a file name that is then returned to the user...
Internet Bug Bounty: [bower] Arbitrary File Write through improper validation of symlinks while package extraction
Hi, I want to submit my report https://hackerone.com/reports/473811 for the Internet Bug Bounty. Snyk's writeup: https://snyk.io/blog/severe-security-vulnerability-in-bowers-zip-archive-extraction My assessment on why this report might be eligible: To qualify, vulnerabilities must meet the...
Rocket.Chat: Broken access control on apps
Summary: A user without administrative privileges can upload and install any application into Rocket.Chat. As the ID of the application is controlled in the app.json file, which is controlled by the uploader, the user can also activate the app. Releases Affected: 0.73.2 Steps To Reproduce: - User logs in to...
Brave Software: DMARC RECORD MISSING
VULNERABILITY TYPE: DMARC RECORD MISSING. HOW TO REPRODUCE (POC: ATTACHED IMAGE): 1. GO TO https://mxtoolbox.com 2. ENTER THE WEBSITE brave.org. CLICK GO. 3. YOU WILL SEE THE FAULT "No DMARC Record found" 4. In the new page that loads change MXLookup to DMARCLookup. I HAVE ALREADY INFORMED THEM. THEY TOLD TO...
U.S. Dept Of Defense: RCE on https://█████/ Using CVE-2017-9248
Summary: https://█████████/ is hosting an unpatched version of the Telerik DialogHandler Telerik.Web.UI.DialogHandler.aspx allowing for the machine key to be brute forced. The machine key can be used to access the DNN file manager to upload arbitrary files including ASPX giving a web shell and RC...
Rockstar Games: Image Injection vulnerability affecting www.rockstargames.com/careers may lead to Facebook OAuth Theft
In this report, the researcher demonstrated a method to chain together separate vulnerabilities that, under certain conditions, could cause a user's Facebook OAuth tokens to leak via the Referer header. The specific vulnerability that was addressed in this report was the image injection component...
X (Formerly Twitter): Protected tweets exposure through the URL
Summary Leaking sensitive information from protected tweets via a prepared website. This vulnerability could lead to exposure of information such as credit card numbers, bank account numbers, phone numbers, tokens, specific words or even whole phrases, but also the exposure of any additional...
Mail.ru: [https://pandao.ru] - PUT method available
Unrestricted PUT method allowed upload of static content to server in pandao.ru...
GitLab: Guests Will Disclose the Private Project Full Activity Via Project Activity Feeds
Hello! Here guests will disclose the complete activity of the project via feeds. Reproduction Steps: Create a Private Project. Invite the Attacker as Guest. Next, the attacker will go to https://gitlab.com/victimyoursz/helloproject/activity and he accesses the feeds link...
U.S. Dept Of Defense: SQL Injection in the `move_papers.php` on the https://██████████
Description Hello. I was able to find another Time-based SQLi on the https://██████████/pubs/movepapers.php using the pubgroupid parameter. This is my third SQLi and probably the last one found on this host. I wasn't able to detect more, but due to the big number of high impact issues found I als...
Semrush: XSS Reflected on my_report
Hello again. This time, in addition to the HTML injection, a full XSS works in the user's dashboard. Payload: https://www.semrush.com/myreports/api/v1/document%22%3E%3Cimg%20src=x%20onerror=alertdocument.cookie%3E/4007861 PoC: In the screenshot Impact Theft of session cookies...
MariaDB: [downloads.mariadb.org] CRLF injection in case of encoded query mark
A CRLF injection vulnerability was reported and fixed for our downloads.mariadb.org website. The attack could lead to cookie injection, HTTP response splitting and session fixation attacks, amongst other things, across mariadb domains...
Keybase: macOS privilege escalation
Short description We can add an arbitrary folder to the default $PATH environment variable, so we can exploit this to run arbitrary code as the targeted user. Steps to reproduce 1. In the example I will use the low-privileged nobody account (it could be any other account) and I will target the u3mur4...
Nextcloud: Bypassing lock protection
Nextcloud allows multiple accounts within the Android client app and relies on a single lock. Based on the exposed intent nc://login, it is possible to add a new account under an attacker domain and open Nextcloud without the lock check. Proof of concept 1. open the NC app with the lock displayed 2...
RATELIMITED: Credentials Over GET method in Plain Text
Hi Team, Description While I was testing the application I found this bug where the application is sending the credentials in plain text in the URL: https://auth.ratelimited.me/login?username=testqaz%40grr.la&password=D33vanh%40h%40h%40 Vulnerable URL https://auth.ratelimited.me Impact Impact: if...
WordPress: Missing Authorization on Private Message replies (BuddyPress)
Description: Users can reply to private message threads which they are not participants of by changing the threadid parameter in the messagessendreply ajax action. This affects both the Legacy and Nouveau Template packs. Steps To Reproduce: 1. Login to your account 2. Send the following request...
Node.js third-party modules: [takeapeek] XSS via HTML tag injection in directory listing page
I was taking a peek at takeapeek module and found it is vulnerable to XSS via malicious injection in directory listing. It allows execution of arbitrary JS code. Module module name: takeapeek version: 0.2.2 npm page: https://www.npmjs.com/package/takeapeek Module Description A simple static...
Mail.ru: Access to the account after a password change.
Session was not expired on password change in pandao.ru...
Node.js third-party modules: [glance] Access unlisted internal files/folders revealing sensitive information
I would like to report sensitive information disclosure in glance. Similar to 486933 in ways Module module name: glance version: 3.0.5 npm page: https://www.npmjs.com/package/glance Module Description a quick disposable http server for static files Module Stats weekly downloads 41 Vulnerability...
U.S. Dept Of Defense: SQL Injection in the get_publications.php on the https://█████
Description Hello. I was able to find Time-based SQLI on the https://███/pubs/getpublications.php using pubgroupid parameter POC GET /pubs/getpublications.php?pubgroupid=wrtqvasi10rc19j1'%2bselectfromselectsleep5a%2b'&rno86qi4=1 HTTP/1.1 Host: █████ Connection: keep-alive Cache-Control: max-age=0...
Shopify: Access to Employee calendar disclosing internal presentation and meetings
Summary During a school research project, we found out that some Shopify employees have their Google calendar set to public. This discloses some sensitive information: New hire information due to onsite interviews Internal presentation we found at least one internal presentation that we could access Zoo...
HackerOne: Confidential data of users and limited metadata of programs and reports accessible via GraphQL
Summary: The GraphQL endpoint doesn't have access controls implemented properly. Description: Any attacker can get personally identifiable information of users of Hackerone such as email address, backup hash codes, facebookuserid, accountrecoveryphonenumberverifiedat, totpenabled, etc. These are...
VLC (European Commission - DIGIT): VLC 4.0.0 - Stack Buffer Overflow (SEH)
Summary: Incorrect calculation of Buffer Size in rist module for VLC leading to Stack Overflow with SEH chain overwrite. The modules/access/rist module has an incorrect calculation of buffer size giving an attacker the possibility to set the buffer size of a local variable by sending a maliciousl...
HackerOne: Race condition in claiming program credentials
Hi, Summary: I was invited to a private program and I tried to get test credentials so a request as follows was sent to your server: POST /graphql HTTP/1.1 Host: hackerone.com Connection: close Content-Length: 778 Accept: / X-Auth-Token: ████ User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64...
Automattic: No Rate Limit on CrowdSignal Polls when Adding Comment
Hi team! I hope this isn't duplicate :/ I created a poll on CrowdSignal.com https://poll.fm/10226924 When adding a comment, there is no rate limit. You can see my comments on my poll. 1. Go to any poll. 2. Turn on Intercept and Add a Comment. 3. Send request to Intruder. 4. Set your payloads and...
U.S. Dept Of Defense: SQL injection on the https://████/
Description Hello. I was able to find Blind SQL injection on the https://███/ Database appears to be MySQL 5. POC GET /library.php?path=test&docid=1%20AND%20SELECT%20%20FROM%20SELECTSLEEP1WUeh HTTP/1.1 Host: ██████ Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1...
HackerOne: Disclosure of h1 challenges name through the calendar
Summary: It seems like the Calendar somehow grabs the name of the target for a h1 challenge even though the target name is not public. Description: h1challenges do not disclose the name of the target until the time it starts. For example for this challenge: █████ the name of the target is not...
Mail.ru: Insecure Storage and Overly Permissive Google Maps API Key in Android App
Google API keys used in Cloud Mail.Ru for Android application were not properly limited in functionality...
Mail.ru: [XSS] data-url in emails
XSS via DOM clobbering on message reading functionality...
Rockstar Games: Stealing Facebook OAuth Code Through Screenshot viewer
In this report, the researcher demonstrated a way to combine multiple vulnerabilities to potentially allow an attacker to extract OAuth tokens from a victim's session. This was done by taking advantage of an image injection vulnerability in the Screenshot Viewer utility as well as additional...
PayPal: Stored XSS on https://paypal.com/signin via cache poisoning
Due to a configuration in frontend caching servers, it was possible for a researcher to use request smuggling to convert a page request into a cached redirect. If the cached redirect were accessed by a legitimate user, an attacker's content would be rendered instead of the requested page. While...
Rockstar Games: Dom based xss on /reddeadredemption2/br/videos
In this report, the researcher identified a DOM-based XSS vulnerability affecting localized versions of the Red Dead Redemption 2 video viewer on our website, e.g. www.rockstargames.com/reddeadredemption2/br/videos. This affected all major modern browsers, and could have been used for cookie or...
RATELIMITED: HTTP PUT method is enabled ratelimited.me
Found the HTTP PUT method enabled on the web server. I tried testing by writing the file / codelayer137.txt to the server using the PUT verb, and the contents of the file were then retrieved using the GET verb. The following is the PoC request: PUT /codeslayer137.txt HTTP/1.1 Host: ratelimited.me...