Zomato: [auth2.zomato.com] Reflected XSS at `oauth2/fallbacks/error` | ORY Hydra an OAuth 2.0 and OpenID Connect Provider
Hey there, I have found an XSS in auth2.zomato.com. Full URL: https://auth2.zomato.com/oauth2/fallbacks/error?error=xss&errordescription=xss&errorhint=xss Vulnerable Parameters: All available parameters are vulnerable. XSS Payload: XSS Steps To Reproduce the XSS: Just copy, paste and load this URL in...
QIWI: [p2p.qiwi.com] nginx alias traversal
Incorrect configuration of alias could allow an attacker to read files stored outside the target folder. https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md Example: http GET /services/admin../html HTTP/1.1 Host: p2p.qiwi.com It is possible to request files above /services/admi...
Starbucks: Thailand - SNMP Publicly Accessible
k3mlol discovered a Thailand SNMP publicly available which permitted access to configuration information from the asset. @k3mlol — thank you for reporting this vulnerability and for confirming the resolution...
Snapchat: Exposed Kubernetes API - RCE/Exposed Creds
@txt3rob found one of Snap's internal Kubernetes instances exposing an API endpoint without authorization to the public. With access to this API he was able to run arbitrary code/jobs as a cluster-admin and gained access to credentials with internal access to a significant number of instances...
HackerOne: Race Condition in Flag Submission
Summary: This report describes a Race Condition Vulnerability which allows an authenticated user to submit the same Flag multiple times, increasing the user's points and therefore the chances to get an invitation to a private program. Steps To Reproduce To reproduce this bug, you need to: 1. Login...
Mail.ru: Open panel
Non-production dashboard with random testing data was available on tarantool.org subdomain...
Mail.ru: PHP-FPM Status Page
PHP-FPM status page was available at guild.live.ro.gmru.net...
Mail.ru: [e.mail.ru] Stored xss in Mpop cookie
XSS on e.mail.ru domain via cookie content. XSS in cookie via MITM. Good article - https://habr.com/en/post/460101/ by @w2w...
Node.js third-party modules: Prototype pollution attack through jQuery $.extend
I would like to report prototype pollution in jQuery. It allows an attacker to inject properties on Object.prototype. Module module name: jquery version: 3.3.1 npm page: https://www.npmjs.com/package/jquery Module Description jQuery is a fast, small, and feature-rich JavaScript library. Module...
Node.js third-party modules: [harp] File access even when they have been set to be ignored.
I would like to report information disclosure through file access in harp. It allows access to files that are supposed to be ignored according to the harp server rules. Module module name: harp version: 0.29.0 npm page: https://www.npmjs.com/package/harp Module Description zero-configuration web...
Node.js third-party modules: [harp] Unsafe rendering of Markdown files
I would like to report a Cross Site Scripting vulnerability in the harp module. It allows execution of arbitrary JavaScript due to unsafe rendering of markdown files. Similar to 404126 Module module name: harp version: 0.29.0 npm page: https://www.npmjs.com/package/harp Module Description zero-configuratio...
PayPal: Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android]
A Bug Bounty researcher identified an issue where a JSON wrapper could be used to instantiate arbitrary Java objects. This could lead to circumstances where a class called in the PayPal Android app could be read by a malicious app on the same mobile device. A specific user’s session data could...
Node.js: Fix for CVE-2018-12122 can be bypassed via keep-alive requests
Summary: Fix for CVE-2018-12122 can be bypassed via keep-alive requests Description: I'm not a security expert, nor am I familiar with Node.js core, so please forgive me if this report is inaccurate and in that case, sorry for your time. While investigating the issue 515 I checked out the fix t...
U.S. Dept Of Defense: HTML Injection + XSS Vulnerability - https://████████/ | Proof of Concept [PoC]
Hello U.S. Dept Of Defense Security Team, My name is Ismail Tasdelen. As a security researcher, I found an HTML injection and XSS vulnerability. Url address : https://█████████/ HTML Injection + XSS Payload = html+injection+xss"Ismail Tasdelen Description : The server reads data directly from the...
Mail.ru: sql
SQL interface for web analytics was available at terrhq.ru subdomain...
HackerOne: Inline banner on Report page discloses whether organization runs a private program
Summary: Hi team, @jobert Description: Your engineers have created inscription - You are participating in a private program for ████████. Please do not publicly discuss the program until the program goes public. When a hacker creates a report in an external program with a private page, we will s...
HackerOne: A user can bypass approval step in Hacker Publishing feature, allowing them to publish reports immediately
Summary: Hi team Description: Hacker can request agree-on-going-public publish report Steps To Reproduce 1. Create publish report 2. https://hackerone.com/reports/bulk POST...
Liberapay: Import of repositories from GitHub is tied to username instead of immutable ID
When a user verifies a Github account at /edit/elsewhere the final result is a Github username tied to a Liberapay account. The issue is Github usernames are mutable. Consider the scenario. 1. I create an account called ed-liberapay something likely to be claimed in the future 2. Verify that I ow...
Nextcloud: Expired reshare links allow access to all files in share
After a reshared subfolder link has expired, the link allows access to the full folder. I found the problem in Nextcloud 14.0.3, but it still persists in 14.0.4 Steps: 1. share folder "A" with a Nextcloud group 2. reshare a subfolder "B" of this folder with another user in this group in this cas...
VK.com: Vulnerable WebView class
Activity issue. Opening of webview that may lead to phishing attacks...
Lyft: My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft
During a trip to a conference, I discovered that the Lyft app allowed users to create expense reports by exporting business ride history as a PDF or CSV file. Being an active Lyft user, this was excellent news to me since it made my life easier by simplifying the tedious process of work travel...
Vimeo: Possibility to overwrite any file in vpe.cdn.vimeo.tv leads to Stored XSS for all customers on embed.vhx.tv
By modifying the Content-Type to be blank, during a PUT command, the researcher was able to upload files to the CDN. This has been resolved. It was possible to write and overwrite arbitrary files to the CDN vpe.cdn.vimeo.tv used for JS scripts delivery on the various in-scope assets using the PUT...
Mail.ru: Admin test
Test script on jw-cn-test-1.ext.terrhq.ru could be used to disclose the local database account. Database itself was not accessible...
Mail.ru: Server status
Apache server status was available at jw-cn-test-1.ext.terrhq.ru...
Mail.ru: source code leak
A fragment of source code was available for download on flash.terrhq.ru...
Infogram: User account blocking by Internal Server error
If you send a language=en in https://infogram.com/api/users/me the user will forever get an Internal Server error EVEN AFTER re-logging in: https://youtu.be/AxYa11lEiWA I don't know why HackerOne can't upload this video, so I uploaded it privately to YouTube! In this video, I'm trying to relogin...
Starbucks: Able to bypass information requirements before launching a Chat.
Summary: Bypass of mandatory fields before a Chat session can begin. Description: URL allows for bypass straight into chat, and Chat personnel won't know my name, just that they are chatting with someone. Platforms Affected: website/mobile app - please include browsers and app versions used for...
PayPal: XSSI on refer.xoom.com allows stealing email addresses and posting to Twitter on behalf of victim
Due to a cross-origin configuration, the application at refer.xoom.com could be embedded in script tags on other websites. If a malicious site were open in the same browser as refer.xoom.com, the malicious site could see and extract data from the referral page. This included the email addresses...
Mail.ru: xss
XSS was reported for bb.cdn.gmru.net domain. This domain is considered sandbox with no security impact for XSS, but same XSS also existed in bb.mail.ru subdomain...
Zendesk: Blind XSS via Suspended Ticket Recovery
A cross-site scripting XSS vulnerability was reported to us. We validated the issue, investigated to ensure it wasn't exploited, and implemented a remediation to all customers. Big thanks to @trimatra-sec who was a pleasure to work with!...
Aeternity: Remote Code Execution in epoch via epmd
Summary: Remote Code Execution in epoch via exposed erlang ports epmd Description: Known Erlang cookie allows connecting to other Erlang nodes. Contrary to assumptions from https://github.com/aeternity/aetmodel/blob/master/ThreatModel.md, starting the node with -sname does not prevent remote...
U.S. Dept Of Defense: XSS on www.██████ alerts and a number of other pages
Summary: If an action on ███████ results in an error, an error dialog is shown. This dialog, in certain scenarios, is vulnerable to stored XSS due to a lack of sanitization. Description: In this specific example, I'll be using a GET endpoint that attempts to delete alerts based on an ID supplied...
Node.js third-party modules: flatmap-stream malicious package (distributed via the popular events-stream)
I would like to report a case of malicious package flat-stream that made its way into many other npm packages. One such popular package is event-stream. User dominictarr transferred the ownership of an npm module to another user because he wasn't actively maintaining it. That user then added...
Infogram: Is the 504 Gateway Time-out error ok?
Link: https://infogram.com/api/merge/auth/google/?redirectto=123&token=gulHMyL6-1H0Am4zXa4H7j0DWomPdnKPhZOk&redirectto=123 it gives a 504 after a long time! Is that normal? It can be used for DoS! I use two redirectto=; if I use just one redirectto= it gives the response fast!...
HackerOne: Attacker can claim credentials for private program that has a published external program
An attacker can obtain credentials for private programs that have a published external program, even when the attacker doesn't have access to the private program. Here is the regression spec to prove the security vulnerability: diff diff --git...
Liberapay: Broken Authentication and session management OWASP A2
Hello @liberapay, Description: It seems that if an attacker has the CSRF token and the victim's cookies, then the attacker can easily log in to the victim's account without any login details. No need of any username/password. Theory Proof-Of-Concept: - Go to https://liberapay.com/admin.101/edit/username any username/Self...
Mail.ru: Critical XXE
XXE injection in partner service with delegated my.com subdomain...
Ruby: Null character at fnmatch
I confirmed that it will behave unintentionally when null characters are entered in patterns with fnmatch, fnmatch? . log $ ruby -v ruby 2.5.3p105 2018-10-18 revision 65156 x8664-darwin16 $ irb irbmain:001:0 require 'pathname' = true should not be true irbmain:002:0 File.fnmatch"x\0yz", 'x' = tru...
Mail.ru: benchmark metrics available at 5.61.239.154
Benchmark data for 3rd party product was available from outside. Benchmarking was performed using generated data in an isolated testing environment, so no actual data or production information was leaked...
Ruby: Command injection in Pathname
The command may be executed when the value passed to Pathname is the first character of "|". This is the same problem as https://bugs.ruby-lang.org/issues/14245, but here it is executed without warning. ruby $ ruby -v ruby 2.5.3p105 2018-10-18 revision 65156 x8664-darwin16 $ irb irbmain:001:0 ls ...
Brave Software: Brave allows flash to follow 307 redirects to other origins with arbitrary content-types
Steps to reproduce: Used https://github.com/sp1d3r/swfjsoncsrf in latest available version of flash to send a post request cross-domain with a non-simple content type. Actual results: The request is sent in firefox. Expected results: The request should either not be sent or the content-type shoul...
RubyGems: 65534 times efficient, Brute-force attack for api_key
I have found that type checking for apikey is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/applicationcontroller.rbL63 ruby def authenticatewithapikey apikey = request.headers"Authorization" || params:apikey @apiuser =...
HackerOne: IE only: stored Cross-Site Scripting (XSS) vulnerability through Program Asset identifier
Hi, I've found a stored XSS vulnerability via assets but unfortunately it's been blocked by CSP. Steps to reproduce:- 1 Add an asset like " i Go to program -- scope -- Add asset -- select 'Others' and give " ii Check your console now. 2 Then, Go to the created program. You can check with this...
OLX: blog.praca.olx.pl database credentials exposure
Hi, I found that the site blog.praca.olx.pl is exposing the content of the wp-config.php file in plaintext due to a misconfiguration in the file-manager plugin. The information can be accessed here: http://blog.praca.olx.pl/wp-content/uploads/file-manager/log.txt The credentials are stored in the...
ok.ru: Missing CSRF key on the Private Profile function.
"Friends only" account mode could be toggled on and off with a CSRF attack. The Private Profile setting could be turned on or off via CSRF...
Shipt: Slack token leaking in stackoverflow and devtimes
A Shipt employee inadvertently posted a Slack Webhook URI including the authentication token on two public tech forums: Stackoverflow.com and devtimes.com. While this incoming webhook's configuration was restricted to posting in a single channel created for testing this application and only 2 Shi...
Mail.ru: Open Redirect In passport.maps.me/logout/?next=//fb.com/
Open redirect on passport.maps.me page...
Uber: [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB
It was possible to determine open internal ports on a usuppliers.uber.com server, via examination of different error messages to a specific POST request made with various payloads. This error message discrepancy would allow an attacker to discover open internal ports, potentially allowing more...
FormAssembly: xmlrpc.php file is enabled; it can be used for DoS and brute-force attacks
WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. The website https://www.formassembly.com/ has the xmlrpc.php file enabled and could thus be potentially used for such an attack against other victim hosts. In order ...
HackerOne: A user can request a report to be retested even though the program has not been verified by HackerOne
Hey Team, I have some observations and issues which I found in my recent testing on the h1 platform related to creation of a new private program. So here are my observations listed below - kindly have a look and revert back if you feel like these are valid and worth reporting issues. 1 Can A program...