15278 matches found
Rockstar Games: Race condition vulnerability on "This Rocks" button.
In this report, the researcher brought to our attention a misbehavior in the "This Rocks" button that we use on the Social Club site. Using curl and a proxy tool such as Burp Suite, an attacker could invoke the "This Rocks" API call multiple times rapidly, and the system would accept multiple...
Keybase: XSS on Desktop Client
Steps to reproduce 1. Create a file named as 'alert1v.SS'.mp4 in the keybase public/private folder. 2. On the desktop client open the file as a preview. 3. An alert box pops up. gif poc: F399836 The Problem The client/shared/fs/filepreview/av-view.desktop.js file contains a template literal with...
Ruby on Rails: RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage)
Since ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor use Marshal as the default serializer, I confirmed that RCE is possible by object injection. ruby https://github.com/rails/rails/blob/v5.2.2/activesupport/lib/active_support/message_verifier.rb#L110 def initialize(secret, option...
Node.js third-party modules: [bower] Arbitrary File Write through improper validation of symlinks while package extraction
I would like to report a file write to arbitrary locations via the install command in bower. It allows attackers to write arbitrary files when a malicious package is extracted. Module: module name: bower, version: 1.8.4, npm page: https://www.npmjs.com/package/bower. Module Description: Bower offers a generi...
RATELIMITED: Cross Site Request Forgery in auth in https://auth.ratelimited.me/
Hi there, I found a vulnerable POST that an attacker can use to execute CSRF against the victim. Steps to reproduce: 1. Log into your account and, with Burp on intercept, capture the update profile request. csrf1.jpg 2. Send the POST request to the CSRF PoC generator and alter the details. history.pushState'',...
Starbucks: Bug in GraphQL and API integration leads to limited user address disclosure
A modified GraphQL query to fetch a user's address book entries led to a limited disclosure of user address book entries. The modified query resulted in a backend API request with undefined as a parameter. The response contained address lists of accounts with a username of undefined. We were not...
VK.com: access to com.vk.usersstore.UsersContentProvider, possible leak of exchange_token on Android < 21
Permission spoofing on old Android versions...
Keybase: Privilege Escalation through Keybase Installer via Helper
Keybase.app is bundled with the components installer named KeybaseInstaller.app. When --install-app-bundle --source-path --app-path is given to installer, KBAppBundle.m checks if is properly codesigned, then copies it to . First, there's two vulnerabilities in the source path validation: the chec...
Nextcloud: Content spoofing on https://surveyserver.nextcloud.com
Hi NextCloud team, the https://surveyserver.nextcloud.com domain is vulnerable to content spoofing in the forbidden page due to the fact that the request URI is reflected without validation inside the aforementioned page. 1. Go on...
Zomato: Open Redirect On Your Login Panel
Summary: Hey, there is an open redirect on your login panel. Platforms Affected: Website. Browsers Verified In (If Applicable): Chrome for Android, Firefox for Android. Steps To Reproduce: 1. Go to this URL: https://www.zomato.com/login?redirecturl=https://askdcodes.org 2. Then login there 3. boom you...
Tron Foundation: Private key "tron" leaked via Travis CI Log
Hey Tron team, It appears that via your use of secured variables in Travis-CI, you do not want the content of the tron private key released. However, it appears that it was leaked in one of your logs. I generated a fingerprint and scanned the internet, but couldn't find any open servers with the...
Python Cryptographic Authority: Reflected XSS bypass Content-Type: text/plain
Hello Team: -------------- 1 - vulnerable subdomain: ci.cryptography.io 2 - after I tested this subdomain I found many payloads injected by me reflected but not executed 3 - so I took a look at the response and I found Content-Type: text/plain 4 - so I searched about bypass Content-Type:...
Uber: [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name
By setting a user's name to an XSS payload, a user was able to inject JavaScript which was executed on the administrative panel for Jump bikes, allowing complete compromise of the panel, exposing user activity, personal information and billing information...
Weblate: Stored XSS @ /engage/<project_slug>
Description The vulnerability concerns a Stored XSS, while it is currently to the best of my knowledge not exploitable due to limitations stated below. I thought that the issue is worth reporting anyway. Steps to reproduce 1. Change a project's name or create one to the following payload:...
Chaturbate: The auto login link does not expire on changing email id
The auto login link does not expire on changing email and can be reused to log into the user account. Eg link: https://chaturbate.com/accounts/autologin/?█████ Attack Scenario: 1: User's email id has been compromised, so now the user changes the email id & password of the account 2: but the attacker can still log into the us...
X (Formerly Twitter): Changing email address on Twitter for Android unsets "Protect your Tweets"
Summary: Verifying email address on...
Mail.ru: Make user buy items via clickjacking possibility
A clickjacking attack could allow forcing a user to buy some item on lootdog.io...
Mail.ru: astrumnival.com subdomain
A hostname in the astrumnival.com domain was unintentionally delegated to an external service. The astrumnival.com domain is not currently in use...
Keybase: macOS privilege escalation via keybase install
Environment OS: macOS Mojave 10.14.1 Kernel: Darwin Kernel Version 18.2.0 keybase version 2.12.2-20181218171841+29273f4110 Steps to reproduce Note: All steps are executed as an unprivileged user unless otherwise noted. For this PoC the unprivileged user is defined as below $ id test2 uid=508test2...
Zendesk: Stored XSS in Macro Editing - Introduced by Admins to affect Admins
This issue was reported to us as a bypass to a previous fix by adjusting the payload. The cross-site scripting vulnerability can only be introduced by Support account administrators and only executes in a place where administrators within the account can access. We greatly appreciate the work and...
Nutanix: Local file disclosure through SSRF at next.nutanix.com
Issue marked resolved and test fixed in January 2019...
Starbucks: unused domain still in use on WeChat by Starbucks East China
Summary: spcc.mobi is still in use by the WeChat official account of Starbucks East China, but this domain is on sale. Description: I had reported this at reportid=433843, but your guys ignored it, because they said the domain is unused. In fact, spcc.mobi still has an interface in use at the WeChat offic...
RATELIMITED: Hackerone1
Summary: add summary of the vulnerabili...
X (Formerly Twitter): Ability to perform actions (Tweet, Retweet, DM) and other actions, unauthenticated, on any account with SMS enabled.
Summary: By knowing the mobile phone number associated with a Twitter account, or by using random mobile phone numbers, it is possible to perform the following actions against a target without their knowledge or interaction, with no account takeover scenario. It's a case of, if I know the mobile...
Slack: User-assisted RCE in Slack for macOS (from official site) due to improper quarantine meta-attribute handling for downloaded files
Summary: GateKeeper/Quarantine bypass for downloaded files. Lack of the com.apple.quarantine meta-attribute for downloaded files allows a remote attacker to send an executable file that won't be checked by Gatekeeper. File opening doesn't trigger native alerts from GateKeeper/Quarantine. Downloaded...
Kaspersky: Unauthorized command execution in Web protection component of Anti-Virus products family [FF, Chrome]
Summary When Kaspersky Protect browser extension is installed in Firefox or Chrome, arbitrary webpages can take control of the Kaspersky command interface and disable parts of the functionality for example. Description Unlike with https://hackerone.com/reports/470544 or...
Kaspersky: Unauthorized command execution in Web protection component of Anti-Virus products family [IE]
Summary When Kaspersky add-on is installed in Internet Explorer, arbitrary webpages can take control of the Kaspersky command interface and disable parts of the functionality for example. Description Unlike with https://hackerone.com/reports/470544, when the Kaspersky add-on is installed in...
Kaspersky: Unauthorized command execution in Web protection component of Anti-Virus products family
Summary: When no browser extension is installed, arbitrary webpages can take control of the Kaspersky command interface and, for example, disable parts of the functionality. Description: Without a browser extension (e.g. because the extension installation was not confirmed by the user, or it is unsupported, like in MS Edge...
Valve: RCE on Steam Client via buffer overflow in Server Info
Introduction: In Steam and other Valve games (CSGO, Half-Life, TF2) there is functionality to find game servers called the server browser. In order to retrieve information about these servers, the server browser communicates with a specific UDP protocol called server queries. The protocol is we...
Kaspersky: Kaspersky Protection extension for Google Chrome is vulnerable to abuse its features
Summary The Google Chrome extension "Kaspersky Protection" installed automatically by Kaspersky Internet Security can be tricked by arbitrary websites into uninstalling browser extensions. Description Kaspersky Protection for Google Chrome has some functionality to uninstall malicious browser...
Keybase: Local privilege escalation bug using Keybase redirector on macOS
There's a local privilege escalation bug in the latest version of Keybase for macOS. The issue is in the process of launching keybase-redirector. The process works as follows: 1. Copy keybase-redirector binary to a root-only location 2. Check its signature 3. Launch the binary Code ref. Note the...
Mail.ru: Cross application scripting via account.mail.ru
Cross-application scripting via User-Agent on the push login confirmation functionality in the mobile application, in the context of the account.mail.ru domain, allowed session hijacking with minimal user interaction...
U.S. Dept Of Defense: [██████] Cross-origin resource sharing misconfiguration (CORS)
Hi! In this report I want to describe a High level bug which can seriously compromise a user account. If I am authorized on this site, I can steal users' sessions, some personal information, or perform some actions. Steps to reproduce: 1. Send this request: GET...
Shopify: Reflected XSS in *.myshopify.com/account/register
Shopify allows a shop admin to enable customer registration. When a customer registers with a short password and HTML content as the first name and last name, the customer is redirected to .myshopify.com/account/register with error messages and the provided data. As there is no Cross-site Scripting...
GitLab: DoS on the Issue page by exploiting Mermaid.
Summary: An attacker could exploit Mermaid available in Markdown and cause DoS. Description: Markdown supported by GitLab can generate diagrams and flowcharts from text using Mermaid. An Attacker can exploit this function to prevent users from successfully accessing some functions. For example, y...
Mail.ru: Item duplication on lootdog and the ability to sell the items.
It was possible to duplicate an item for sale infinitely via a modified request on lootdog.io...
Mail.ru: [lootdog.io] User phone number disclosure
User phone could be self-disclosed on lootdog.io...
Keybase: Privilege Escalation via Keybase Helper (incomplete security fix)
In the previous report, the privileged helper lacked validation, so any application could abuse it to gain root privilege. But the security fix is incomplete. I can describe 3 different ways to bypass it, possibly 4, I doubt. All the PoCs are simplified to not send the actual attack payload,...
Nintendo: NEX: Stack overflow in UnicodeToUtf8
Vulnerability description not provided...
Upserve : Reflected XSS on https://inventory.upserve.com/ (affects IE users only)
The REQUEST_URI was assigned as the value of a hidden field in the login form without proper escaping, resulting in a reflected cross-site scripting bug. Browsers were mitigating the issue and IE was only impacted if XSS protection was disabled. We've improved the sanitization of this field. The...
Upserve : Open redirect at https://inventory.upserve.com/http://google.com/
The following URL is vulnerable to an open redirect; it will redirect to stanko.sh: https://inventory.upserve.com/http://stanko.sh/ Impact: Users could get redirected to a malicious domain...
U.S. Dept Of Defense: [Urgent] Critical Vulnerability [RCE] on ███ vulnerable to Remote Code Execution by exploiting MS15-034, CVE-2015-1635
@ashutosh7 found a ███████ server in Shodan, vulnerable to MS15-034, confirmed using Metasploit. Thanks for participating in the DoD VDP. Found a ████ server in shodan, vulnerable to MS15-034. confirmed using Metasploit. will add the link for the writeup...
Nextcloud: Passwords being stored as plain text in logging
When an exception occurs, any password sent to or being processed by the server may be stored as plain text in the log. I noticed that some methods are already being filtered in ExceptionSerializer.php, but many methods are missing from this list. Suggestion: instead of relying on a list of...
Kaspersky: Web protection component in Anti-Virus products family uses predictable links for certificate warnings
Summary Websites can predict links used in certificate warnings, Safe Money prompts, anti-phishing warnings and similar pages. This allows them to initiate actions without the user's knowledge. Description The links used to override certificate warnings have the following format: https:///?kiscup...
QIWI: account takeover https://idea.qiwi.com/
Hello. I discovered an account takeover on this site. Reproducing it takes some effort, but it is worth it. Given that the site has an admin account, in theory a lot of damage could be done. I will say right away that I was not able to fully understand how this takeover works, and I will be very...
Kaspersky: URL Advisor component in KIS products family is vulnerable to Universal XSS
Summary: In Microsoft Edge, the URL Advisor UI is served as first-party content on every domain. So the XSS vulnerability I found in this UI automatically applies to all websites; it allows running code in the context of any domain. Description: The URL Advisor frame is located under...
VK.com: Viewing new photos from the wall of a private/closed group or a closed profile.
Viewing some private photos...
HackerOne: Submitting report through Embedded Submission form gives user indefinite access to a profile
Summary: Hi team, @jobert, @ben. After testing on the sandbox, I noticed that one of my accounts which I removed from the program can see some of the information. I don't know if it affects other programs that have other states - private-only, private-only with external link. I could not find the...
Kaspersky: Certificate warnings and similar UI elements in Web protection of Anti-Virus products family are susceptible to clickjacking
Summary Clickjacking can be used to trick users into overriding certificate warnings, disabling Safe Money functionality or phishing alerts. Description On certificate warning pages, a single click is sufficient to trigger overriding a wrong certificate. While an additional warning is displayed...
RATELIMITED: Editable Wiki repo by anyone
Description: I've created a wiki page on your GitHub repo without any permission. Steps To Reproduce: https://github.com/EndlessHosting/Discord-LiveBot/wiki/Test-here Supporting Material/References: F391468 Impact: Going on https://github.com/EndlessHosting/Discord-LiveBot/wiki/Test-here you can add ...