RATELIMITED: Unrestricted File Upload on https://auth.ratelimited.me
Hello security team, Have found a way to upload files that aren't images on https://auth.ratelimited.me/ Steps to reproduce: 1. Login at https://auth.ratelimited.me/ 2. Click "change photo" and intercept with a tool; I used Burp Suite 3. Choose "gravatar" option and change the 'url' parameter to...
arkadiyt-projects: Feature-Policy Header is Missing and Pastebin files
hey your website is very secure but i get only missing Feature-Policy Header if you add this website become more secure and i found two pastebin files using Google Dork : url : site:pastebin.com https://arkadiyt.com/ 1 https://pastebin.com/feaw9Ti8 2 https://pastebin.com/E0tLN2uJ Impact...
Node.js third-party modules: [webpack-bundle-analyzer] Cross-site Scripting
I would like to report Cross-site Scripting in webpack-bundle-analyzer. It allows injecting and executing arbitrary JavaScript code. Module module name: webpack-bundle-analyzer version: 3.0.3 npm page: https://www.npmjs.com/package/webpack-bundle-analyzer Module Description Visualize size of webpa...
Rockstar Games: Account Takeover using Linked Accounts due to lack of CSRF protection
In this report, the researcher found a weakness in our third-party account linking process. They were able to create a malicious link that, if clicked by the victim, would under certain conditions give the attacker access to the victim's Social Club account. This issue has now been fixed...
Valve: Specially Crafted Closed Captions File can lead to Remote Code Execution in CS:GO and other Source Games
With a specially crafted closed captions file, the parser calls CHudCloseCaption::GetNoRepeatValue which in turn calls CHudCloseCaption::SplitCommand which has no boundary checks allowing the on stack variables cmd and args to be overflowed which in turn allows Remote Code Execution. Buffer...
Razer US: DLL Hijacking Vulnerability in synapse-2
The Synapse 2 installer was subject to a DLL planting attack in the Downloads folder. This was fixed in May of 2019...
RATELIMITED: Information Disclosure PHPpgAdmin
PHPpgAdmin is a piece of script which allows system administrators to manage their Postgres databases easily from a webUI. We had forgotten to limit access to this script, resulting in the ability for a brute-force attack to happen...
RATELIMITED: Exposure of tinyMCE js source code with plugin version disclosure which can lead to further attacks.
Hello Security Team Summary : When looking for links and trying for content discovery I found a link on domain support.theendlessweb.com https://support.theendlessweb.com/swift/apps/base/javascript/global/thirdparty/TinyMCE/tinymce.min.js It contains the tinyMCE plugin and the version they are...
GitLab: Claiming package names in GitLab's automatic package referencer.
Hi team, GitLab has a pretty neat feature that auto-links packages to their respective registry. The problem is that GitLab currently assumes that packages have been uploaded to a registry by default. For example, if no homepage key is pointing to GitLab in a package.json file, Gitlab assumes tha...
Monero: Unauthorized access of Monero wallet by an unprivileged process
Description: As per our understanding, Monero wallet app provides a separate executable for the user to enable the RPC interface monero-wallet-rpc. When the user runs the executable, the RPC server will start on a port number that is specified by the user. The RPC server authenticates the client...
Nextcloud: Retrieval and alteration of exposed media on Android Oreo
Good afternoon. Any media downloaded from the cloud server within the Android app is subject to third party modification and server re-upload without explicit user consent. This happens at least on Android Oreo, as data is automatically stored in a shared folder...
Grammarly: Grammarly Keyboard for Android <4.1 leaks user input through logs (except for sensitive input fields)
@homelander identified that Grammarly for Android on Android 4.1 was leaking user-entered text to device logs. Currently, Grammarly for Android doesn't support devices with platform versions less than Android 5.0...
New Relic: Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter
NR Alerts gives you the granularity to set alert conditions on an alert policy depending on the conditions you specify at the https://alerts.newrelic.com/accounts/ACCOUNTNUMBER/policies/POLICYID/conditions/new URL. When you select an entity for the condition, the application does not check to...
Dropbox: Disclose anonymous accessible link on embedded files in paper dropbox sessions
This report described some of the behavior of the integration between Dropbox and Dropbox Paper. In particular, when embedding a Dropbox file into Dropbox Paper, this implicitly creates a link to that file see https://www.dropbox.com/help/files-folders/view-only-access and embeds it within the...
Kaspersky: Web protection component in Anti-Virus products family ignores HSTS security policy
Summary Kaspersky Internet Security seems to ignore the Strict-Transport-Security HTTP header. This allows Man-in-the-Middle attacks on websites that would normally be immune to them. The only requirement is the user confirming the certificate override, something that can be achieved by social...
RATELIMITED: Information Disclosure on https://theendlessweb.com/
Dear Team, I have found an Information Disclosure Vulnerability at https://theendlessweb.com/ Steps to Reproduce: Step 1: https://theendlessweb.com/vendor/composer/installed.json Let me know if you need any additional information. Regards, Dhamu. Impact This file exposes sensitive information tha...
Paragon Initiative Enterprises: Github repo's wiki publicly editable
Hello Team, Primablock Github repo's wiki page is publicly editable. This enables an attacker to edit the wiki pages of the affected repos, adding content that may link to malicious code libraries that would be installed and used by developers, or information that may mislead users. Links:...
Ian Dunn: Security issue: Github repo's wiki publicly editable
Hello Team, Github repo's wiki page is publicly editable. This enables an attacker to edit the wiki pages of the affected repos, adding content that may link to malicious code libraries that would be installed and used by developers, or information that may mislead users. POC Links:...
Nextcloud: Remote attacker can impersonate Social users via ActivityPub API
Hi there! First up I want to acknowledge that Social may not be in scope. I emailed [email protected], which pointed me here, and I wasn't sure whether to just put it in a GitHub issue. In any case I hope I'm not wasting your time. When an HTTP request arrives at the shared inbox endpoint...
Zomato: [www.zomato.com] Blind XSS in one of the admin dashboard
Summary: Admin dashboard ████ from user has XSS Vul Steps To Reproduce: 1. Login ██████ 1. Go to ███ function and intercept request Post data: "/zomato.php?c=zomatoxss" / POST ████ HTTP/1.1 X-Zomato-App-Version-Code: 5610001 ██████████ ███████ X-Zomato-API-Key: ███████ X-App-Language:...
RATELIMITED: Open Directory
Summary: A misconfigured server can show a directory listing, which could potentially yield sensitive information to an attacker. Solution: 1. Disable directory listings in the web- or application-server configuration by default. 2. Restrict access to unnecessary directories and files. 3. Create...
RATELIMITED: Apache Version Disclosure Through Directory Indexing
Attention: this is the https part of this domain. The url https://pengu.will-never-love.me/ is showing a directory indexing which reveals the version of the Apache and OS of the ser PoC Included Impact The attacker can use the gathered information for further exploitation of the server...
RATELIMITED: Line feed injection in get request leads AWS S3 Bucket information disclosure
Summary: By adding a line feed control character to the end of the url https://ratelimited.me/migration/ it is possible to list elements of bucket name "████████", and also possible to view the source code of any php file in the bucket, such as the php file with key "██████████" which is the...
HackerOne: Response program can create bounty table
Summary: Follow h1 document https://docs.hackerone.com/programs/bounty-tables.htmlgatsby, create bounty table only available for bounty program. Description: Step1: Create request to graphql entrypoint Step2: Change team id in parameter like this: "teamid":"Z2lkOi8vaGFja2Vyb25lL1RlYW0vMzYyOTE="...
WordPress: [FG-VD-18-165] Wordpress Cross-Site Scripting Vulnerability Notification II
Subject: FG-VD-18-165 Wordpress Cross-Site Scripting Vulnerability Notification II Dear Wordpress, Fortinet's FortiGuard Labs have discovered a security issue in your product Wordpress on 12/11/2018. We estimate its risk level is 3, on a scale of 1 lowest to 5 highest, in terms of its impact...
GitLab: Milestones leaked via search API
GitLab allows restricting the project features for public projects. When disabling all features of a public project for non-project members under https://gitlab.com/xanbanx/test-search/edit, full access to milestones is still possible via the search API. Steps To Reproduce: Reproduced on GitLab...
RATELIMITED: HTTP PUT method enabled
Hi security team, Summary: It is possible to upload files to the server using the PUT method Steps To Reproduce: I used the following request: PUT /emitrani.txt HTTP/1.1 Host: ratelimited.me Content-Length: 10 Connection: close Now a file exists at https://ratelimited.me/emitrani.txt with content...
RATELIMITED: Banner Grabbing - Apache Server Version Disclosure
Hello RATELIMITED, I'd like to report a nice little bug. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is used to get information about remote servers. I've captured the HTTP request while visiting theendlessweb.com POC: Simply check...
GitLab: information disclosure of secret_key_base via encoding characters
@pareshparmar discovered an error page that was disclosing the value of the secret_key_base key of customers.gitlab.com to unauthenticated users, which would have allowed an attacker to arbitrarily decrypt signed cookies. So I was fuzzing one parameter with different types of encodings. And one...
RATELIMITED: information disclosure which leaks the apache version
Hello ratelimited team ! I have found an information disclosure which leaks the apache version Link : https://social.ratelimited.me/manual/en/index.html Impact Leaking the http apache server version...
RATELIMITED: Server Header discloses the OS and Web server Version
Server header was present and disclosed the version of the web server and OS in HTTP responses...
New Relic: The impossibility of inclusion of the trial (BROWSER)
Hello! Found a problem that reveals a query in the newrelic database in connection with receiving a server error on a normal domain https://rpm.newrelic.com/browser/id this is not! The problem is that I can't run the trial version through the EU. Getting 500-server message: "Internal Server Error...
Mail.ru: XSS
Reflected XSS via URI in allods.mail.ru. allods.mail.ru belongs to extended scope...
Liberapay: Publicly editable GitHub wikis
Hello team, While browsing https://github.com/liberapay I found that many of the repositories have their wikis publicly editable by any GitHub user. The following are some of the affected repositories: https://github.com/liberapay/cardregistration-js-kit/wiki...
HackerOne: GitHub users outside of HackerOne organization can create and update Wiki pages of certain public HackerOne repositories
Summary Hi HackerOne team, recently this vulnerability has been reported and resolved in various programs, so I'm going to try my bad luck, reporting the same kind of report also in this program. Steps 1. Go on https://github.com/Hacker0x01/react-datepicker/wiki/BB-test 2. I've created a simple...
Semrush: Persistent CSV injection
Hi Team, https://www.semrush.com/notes is vulnerable to persistent (stored) CSV injection POC: 1 Login into application and open https://www.semrush.com/notes 2 click on "Add note" button 3 And enter CSV injection payloads like =4+4, =HYPERLINK"http://evil.com", "EVIL" and click on sa...
Semrush: User Controllable Cookie
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! User Controllable Cooki...
New Relic: [NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through internal_api endpoint
An IDOR exists allowing me to change the filter settings of any account on New Relic through the following PUT request: PUT /internalapi/1/accounts/1523936/dashboards/687944/filter HTTP/1.1 Host: insights.newrelic.com User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.14; rv:63.0 Gecko/20100101...
Semrush: protocol & Ports are not shown in third-party site redirect warning page
Summary: protocol & Ports are not shown in third-party site redirect warning page Vulnerable Endpoint :- https://www.semrush.com/redirect?url=ftp://evil.com:1337 Description: I noticed 311330 this report where you guys fixed an open redirect report by adding an external third-party site redirect...
Ruby: The taint flag is not propagated at JSON.parse
Vulnerability description not provided...
Valve: Malformed BSP in GoldSrc Engine may cause shellcode injection
Introduction Hello. There's a vulnerability in GoldSrc Engine that allows running arbitrary assembly code using incorrect BSP format processing. Description The vulnerability is found in the UTILStringToIntArray function. This function belongs to the game mod library mp.dll/cs.so and has the...
Valve: Malformed save files (.sav) allow writing files with arbitrary extensions and content in GoldSrc-based games.
The structure of the save file implies unpacking of temporary files with extensions .HL1, .HL2 and .HL3. In the code of command 'load', there is a check for invalid substrings, such as .., so unpacking the files into the top directories will not work. Also, it seems, there is a code for checking...
Nextcloud: xmlrpc.php is enabled - Nextcloud
Hi Nextcloud Team, Summary: An attacker can devise an XML request to list all the methods that are enabled on the server. Replace GET with a POST request and add a method call in the request. To reproduce the vulnerability you need to use Firefox browser and Burpsuite Open:...
MyCrypto: SPF Records (SMTP protection not used)
Hello MyCrypto Team, I am checking your website and found something is missing in the SPF record. I don't find you have applied a strict SMTP policy to stop spoofed email sending from your domain. I would like to recommend you to read the following article :...
Nextcloud: Github wikis are editable by anyone
Github wikis on the following projects https://github.com/nextcloud/fulltextsearch https://github.com/nextcloud/nextcloudpi https://github.com/nextcloud/spreed https://github.com/nextcloud/ocsms https://github.com/nextcloud/nextcloud-snap https://github.com/nextcloud/passman can be edited by any...
MariaDB: Github wiki is editable by anyone
Some of our GitHub repos had default public Wiki editing turned on, which could be used with malicious intent...
Grab: Production secret key leak in config/secrets.yml
Summary: Production secret key leak in config/secrets.yml Description: In Github, http://engineering.grab.com/ secret_key_base is leaked which is present in the config/secrets.yml Steps To Reproduce: 1. Go to the below GitHub URL and we can verify that secret_key_base is present...
VK.com: Open redirect on the mobile version of VKontakte (m.vk.com)
Open redirect in mobile photos...
Internet Bug Bounty: null pointer dereference in imap_mail
in imap_mail if the message arg is null, php_imap_mail has no check whether the message can be got, so it crashes. fprintf(sendmail, "\n%s\n", message); /usr/local/php/bin/php ./craxxx.php Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3 sh: 1: -t: no...
Node.js third-party modules: [atlasboard-atlassian-package] Cross-site Scripting (XSS)
I would like to report XSS in atlasboard-atlassian-package. It allows injecting client-side JavaScript or HTML in cases when an attacker has the opportunity to create or modify issues on a JIRA server, e.g. a bug tracker which is configured to work with an application using the module. Module module name:...