Rockstar Games: CSRF Vulnerability on post creation page /community/create-post.json
In this report the researcher demonstrated how to exploit a CSRF vulnerability on the impacted endpoint. This would allow a remote attacker to spam the community boards as other users. This attack only worked in Chrome browsers. A recent update to Chrome changed how cross-origin requests are...
QIWI: Somehow received someone else's payment into my piggy bank https://qiwi.me/undefined
I registered a piggy bank at https://qiwi.me/undefined. I did not choose this name by accident; funny bugs sometimes happen with it. After a while, random payments from unknown users started arriving...
WordPress: Stored XSS in Private Message component (BuddyPress)
Description: WordPress version: 5.0.3; BuddyPress version: 4.1.0. Users with accounts can send private messages containing rendered HTML to other users; this includes being able to execute JavaScript code via elements such as scripts, iframe etc. The XSS is stored in the database and is triggered an...
Flickr: Arbitrary file read via ffmpeg HLS parser at https://www.flickr.com/photos/upload
Summary: FFmpeg is video and audio software that is used for generating previews and for converting videos. Your current installation allows HLS playlists that contain references to external files, which leads to local file disclosure. Steps to Reproduce: 1. Download the attached file. F413554...
Node.js third-party modules: [serve] Access unlisted internal files/folders revealing sensitive information
I would like to report sensitive information disclosure in serve. Bypass of 308721 in ways. Module: module name: serve, version: 10.1.1, npm page: https://www.npmjs.com/package/serve. Module Description: Assuming you would like to serve a static site, single page application or just a static file no...
Urban Dictionary: Users able to set video url for unpublished words and able to see the name of unpublished words
Summary: Users will be able to set a YouTube video URL for unpublished words and will be able to see the names of unpublished words. Description: Once a user publishes a word and later unpublishes it, other users would still be able to set the YouTube video URL for it and will be able to see the name of t...
DuckDuckGo: Partial bypass of #483774 with Blind XXE on https://duckduckgo.com
Summary: Hi DuckDuckGo team, I've contacted you previously because, a second time on the 483774 report, I saw that it was possible to bypass the fix. Anyway, I've not got any response, and because I think that this is a bit of a dangerous issue, I'm opening another report for the bypass. Hope you'll...
Nextcloud: 2FA session does not expire after password reset
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins not to be correctly expired when the user's password is reset...
RATELIMITED: Missing protection mechanism in mail servers allows a malicious user to use staff.ratelimited.me email, which could lead to identity theft.
Hello ratelimited, I'm not really sure how your mail servers are configured, but I guess there is a misconfiguration or missing protection mechanism that fails to verify that emails being sent are only made by authorized ratelimited staff. From this point of view a malicious...
Zomato: Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day
Summary: Using this vulnerability, a user can use his account to claim the Zomato Gold benefit several times in the same restaurant within one day. Description: Based on the Zomato Gold terms and conditions, Zomato Gold can be used only once at each partner restaurant in a day. But I think it doesn't work...
Mail.ru: ICQ Windows Application is Vulnerable to DLL Search Order Hijacking
DLL injection via Download folder pollution during the ICQ installation / first launch process was possible on some Windows installations with broken library dependencies. The Windows "Pro N" version designed for Europe is known to be affected in some installations...
X (Formerly Twitter): Stored XSS on reports.
Summary: Stored XSS can be submitted on reports, and the XSS will trigger for anyone who checks the report. Description: Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application...
U.S. Dept Of Defense: Self XSS combined with CSRF at https://████████/index.php
Hi Team, I found that https://█████████/index.php has an XSS vulnerability in the arg2 parameter. Anyway, there is no CSRF token tied to the POST request. As a result this CSRF flaw can turn the self-XSS into a global reflected XSS. CSRF to XSS PoC: history.pushState('', '', '/') You just need to copy an...
Keybase: From nobody to somebody
Short description: Using a bug, any user can change the keybase and git-remote-keybase symlinks in the /usr/locale/bin folder. We can exploit this to run arbitrary code as the user. Steps to reproduce: 1. In the example I will use the low privileged nobody account (could be any other account) and I wi...
Rockstar Games: Flash injection vulnerability on /IV/imgPlayer/imageEmbed.swf
In this report, the researcher identified a vulnerability in a Flash file that could be exploited with Open Redirect and XSS attacks. With their help we identified the root cause and we put out an update to the impacted page to cause attempted attacks to redirect to a 404 page, rather than succee...
Mail.ru: CSRF on removing an item from the cart
A CSRF vulnerability in pandao.ru allowed removing an item with an id known to the attacker from the cart. At the time of reporting, client-side vulnerabilities in pandao.ru were not covered by the bug bounty program...
Mail.ru: CSRF when entering a promo code on Pandao
A CSRF vulnerability in pandao.ru allowed applying a promo code for a user. At the time of reporting, client-side vulnerabilities in pandao.ru were not covered by the bug bounty program...
PuTTY (European Commission - DIGIT): puttygen: 160MB memory leak while trying to extract openssh public key from crafted key file
Summary: After downloading putty-0.70-2019-01-17.53747ad.tar.gz, I compiled it on Debian 9 with Clang-8.0.0 and AddressSanitizer. A 160000844 byte (160MB) memory leak happens while trying to extract an OpenSSH public key from a crafted key file. Description: puttygen does not sufficiently track and...
U.S. Dept Of Defense: XSS Reflected
Hi Team, I found that https://████████/████/household/updateProfileInfo.action has a reflected XSS vulnerability in the household.householdID parameter. I can verify it with the following URL: https://█████████/██████/household/updateProfileInfo.action?household.householdID=%27;alert(document.domain)//...
U.S. Dept Of Defense: [███] SQL injection & Reflected XSS
SQL injection test 1. Go to site ███████ 2. Intercept this request: POST /viewem6.php HTTP/1.1 Host: ████ User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language:...
Valve: GoldSrc: Buffer Overflow in DELTA_ParseDelta function leads to RCE
Description: The bug is triggered by 2 packets. The first one is svc_deltadescription, which describes the memory layout of structures such as event_t, weapon_data_t, ... It is sent as a list of field descriptions: type, offset and others. Next, DELTA_ParseDelta fills these structures when the corresponding delta...
Mail.ru: ICQ for macOS: lack of `com.apple.quarantine` meta-attribute on downloaded files leads to GateKeeper/Quarantine bypass for downloaded executables
Summary: Quarantine & GateKeeper are important macOS security mechanisms, which prevent the user/device from running unsigned executables and warn users about executables downloaded from remote sources. Conceptually, Quarantine & GateKeeper are similar to MOTW on Windows. Applications that could download...
Mail.ru: [pandao.ru] Ability to spend non-existent bonus points
A race condition (TOCTOU) in the pandao.ru marketplace allowed bonus points to be used more than once. At the time of reporting, pandao.ru ran a temporary pre-bug-bounty competition program with $1000 bounties for vulnerabilities related to money/points/orders manipulation...
Vanilla: Unsanitized user photo paths allow local file read
Summary: When we register a new user, we can set the photo of the user. If we set a malicious path, we can delete the profile photo of others. Description: There is an episode of registration. applications/dashboard/controllers/class.entrycontroller.php private function registerBasic $this->View =...
Imgur: Stored XSS on imgur profile
Hello, I submitted a report on imgur, but the staff marked it as duplicate (482841). I reviewed the first submitted report (381553). We are in the same situation and his case is already fixed, because I tried visiting his site too, which is https://12test.imgur.com/, and even redoing his...
Ford: Subdomain takeover on usclsapipma.cv.ford.com
Hello Ford H1 team, I want to report a subdomain takeover vulnerability in this report, a pretty serious security issue in some contexts. Overview: One of the ford.com subdomains is pointing to Azure, which has an unclaimed CNAME record. ANYONE is able to own a ford.com subdomain at the moment. This...
VLC (European Commission - DIGIT): Buffer overflow in libavi_plugin memmove() call
Summary: When parsing an invalid AVI file, a buffer overflow might occur. Description: The ReadFrame function in the avi.c file uses a variable i_width_bytes, which is obtained directly from the file. It is a signed integer. It does not do a strict check before the memory operation (memmove, memcpy,...
U.S. Dept Of Defense: Information Disclosure (can access all ███s) within ███████ view █████████ Portal
Summary: Once ███████ authenticated (I did not mess around to see if I could reproduce without authentication), any user can view any ██████████ simply by changing the offasgid HTTP GET parameter value in the ██████ view █████████ portal link. Description: I was looking through my previous ███████s...
Mail.ru: [api.pandao.ru] IDOR allows changing any user's address
An IDOR in the deliveryProfiles API of the pandao.ru marketplace allowed changing the delivery address of an arbitrary user. At the time of reporting, pandao.ru ran a temporary pre-bug-bounty competition program with $1000 bounties for vulnerabilities related to money/points/orders manipulation...
Mail.ru: Ability to log into any account on https://pandao.ru/
A logical bug in the SMS verification code allowed access to the pandao.ru account bound to an arbitrary phone number. At the moment of reporting, pandao.ru ran a preliminary bug bounty for business logic bugs with potential for fraud. When logging in by phone number, there was no check whether the sent SM...
DuckDuckGo: XXE on https://duckduckgo.com
An XML External Entity (XXE) injection vulnerability was discovered in the x.js endpoint on https://duckduckgo.com via the u parameter. This was due to improper sanitization of external XML entities. The result was a leak of certain world-readable files on the system. This issue was patched. Additionall...
Intel Corporation: [FG-VD-19-009] Intel(R) Trace Analyzer and Collector 2019 Memory Corruption Vulnerability Notification
The vulnerability report along with the PoC file has been shared PGP-encrypted using the Intel public key (attachment along with this report). Impact: Memory Corruption & Arbitrary Code Execution...
Mail.ru: ssl cookie without secure flag set
A missing Secure flag for the health.mail.ru session cookie was reported. Currently, health.mail.ru does not provide user access to any protected information and does not rely on session cookies as a security mechanism, so this issue is not considered to have any security impact...
QIWI: [QIWI Wallet] Access to protected app components
Hello, I want to report a vulnerability discovered in the class ru.mw.main.Main. Application information: Application: QIWI Wallet; Package name: ru.mw; Version number: 3.25.0; Version code: 21346; Version currency: Latest; Vulnerable class: ru.mw.main.Main. Vulnerability: Since the activity ru.mw.Main...
Mail.ru: CSRF on image upload on Pandao
Domain, site, application: https://pandao.ru/ -- Don't forget to include site address / application name / version information: https://pandao.ru/ Testing environment -- OS version, browser information, settings and prerequisites to reproduce vulnerability, testing tools used, etc: Parrot OS Steps t...
Mail.ru: CSRF on liking a review (Pandao)
A CSRF vulnerability in pandao.ru allowed forcing a user to "like" a user's comment. At the time of reporting, client-side vulnerabilities in pandao.ru were not covered by the bug bounty program...
Mail.ru: JSONP hijacking
In this report the researcher bypassed client-side protection against JSONP hijacking. The vulnerability allowed disclosing the emails of logged-in my.com users who visited a malicious site...
Rockstar Games: Facebook OAuth Code Theft through referer leakage on support.rockstargames.com
In this report, the researcher was able to discover a method to expose and exfiltrate OAuth tokens. This was done by injecting an HTML tag containing a payload pointing to the attacker's own domain into replies of Support Community forum threads. Once this was done, users operating under a particular...
Starbucks: Information Exposure Through an Error Message at news.starbucks.com
I've discovered Information Exposure Through an Error Message on your system. POC link: https://news.starbucks.com/cms/index.php?/cp/login/forgottenpasswordform=http://evil.com/?id=test-test Vulnerable url --...
U.S. Dept Of Defense: https://████████ Impacted by DNN ImageHandler SSRF
Summary: https://███████ runs DNN 8.0.0 to 9.1.1 and is impacted by CVE-2017-0929, allowing for an SSRF through the DNN ImageHandler. Origin servers will request any image file supplied by the attacker. This allows internal NIPR sites to be mapped and accessed through a vulnerable host. The...
PuTTY (European Commission - DIGIT): puttygen: heap-buffer-overflow in mp_get_decimal()
Summary: After downloading putty-0.70-2019-01-17.53747ad.tar.gz, I compiled it on Debian 9 with Clang-8.0.0 and AddressSanitizer, and while trying to extract a public key from a crafted key file, I triggered a heap-buffer-overflow in mp_get_decimal. Description: A buffer overflow condition exists wh...
Semrush: Ports are not shown in third-party site redirect warning page.
Summary: Ports are not shown in the third-party site redirect warning page. Vulnerable Endpoint: https://www.semrush.com/redirect?url=http://example.com:1337 Description: I noticed report 311330 where you guys fixed an open redirect report by adding an external third-party site redirect warning pa...
Mail.ru: ssl cookie without secure flag set
Based on this report, the decision was made to add the SSL flag for the session cookie and an HSTS header for lootdog.io. Usually, HTTPS/SSL configuration reports are only accepted for the Main Scope; this report was accepted/awarded as an exception...
Weblate: No Rate On Add Suggest
Hello, Description: I have found that there is no limit on the number of requests in place for adding a suggestion, which an attacker may exploit to send a large number of suggestions; for example, sending a million suggestions may cause a problem for the server. Steps To Reproduce...
U.S. Dept Of Defense: Website vulnerable to POODLE (SSLv3) with expired certificate
Summary: ████████ uses insecure cipher suites SSL V2 and SSL V3, which makes it vulnerable to many attacks, including POODLE. The SSL certificate also expired 4 years ago. Impact: The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This...
PuTTY (European Commission - DIGIT): heap-use-after-free (READ of size 8) in main()
Summary: After downloading putty-0.70-2019-01-17.53747ad.tar.gz, I compiled it on Debian 9 with Clang-8.0.0 and AddressSanitizer, and while trying to extract a public key from a crafted key, I triggered a heap-use-after-free in main. Description: add more details about this vulnerability Steps To...
Shopify: Bypass GraphQL rate limit by abusing negative cost queries
Hi security team, While looking into the GraphQL app I noticed an interesting implementation where each app has a bucket of query cost they are allowed to use in a given time, with a certain refresh rate associated with it. The details can be found at...
MariaDB: CRLF injection on https://buildbot.mariadb.org
A CRLF new line injection vulnerability has been discovered in the Buildbot.net software and reported to us. We have forwarded this to the Buildbot developers which coordinated a fix release and public disclosure. This vulnerability has been assigned CVE-2019-7313. More details in the advisory te...
Slack: URL link spoofing
Words such as http://example.com and example.com included in a message are displayed as URL links. This URL link naturally links to example.com. However, we can spoof the link destination by changing the message post request. POST /api/chat.postMessage HTTP/1.1 Host: example.slack.com...
Vanilla: Stored XSS in vanilla
Summary: There is a stored XSS in the latest version 2.6.4 of Vanilla. An attacker with post privileges can trigger this. Description: This is a feature where a user can post content in markdown format. The content and format type are inserted into the database without checking the format param. So attack ca...