
15278 matches found

Hacker One, added 2018/11/21 6:47 a.m., 9 views

New Relic: Upgrade menu exposes the mobile application token meant to only be visible to administrators

Usually, the restricted user is not able to view the mobile application token for a mobile app - the page that this token is visible on is only accessible to administrators. However - there exists a workaround to this if you are a restricted user and you still want to obtain this token - simply...

AI score: 0.3, Exploits: 0

Hacker One, added 2018/11/21 12:42 a.m., 66 views

HackerOne: Embedded submission form UUIDs can be enumerated through GraphQL node interface, exposing sensitive program details

It's possible for an attacker to enumerate embedded submission form UUIDs through HackerOne's GraphQL node interface. In normal application behavior, an embedded submission form is queried through GraphQL with a UUID. These UUIDs are random and they're not susceptible to brute force attacks...

AI score: 0.3, Exploits: 0

Hacker One, added 2018/11/20 4:11 p.m., 36 views

U.S. Dept Of Defense: SQL Injection in Login Page: https://█████/█████████/login.php

Summary: I believe I've discovered an error-based SQL injection in the login page for https://████/██████/login.php. Description: When browsing to the webpage https://█████/██████/login.php and entering certain control characters into the "Username" field, an Oracle SQL error is produced. Impact...

AI score: 0.5, Exploits: 0

Hacker One, added 2018/11/20 5:07 a.m., 49 views

Nextcloud: Share recipient can modify a share's expiration date

Vulnerable URL: http://server/nextcloud/ocs/v2.php/apps/filessharing/api/v1/shares/[share ID number]. Summary: Nextcloud users can set expiration dates on documents they share with others. However, the function to update a share does not appear to properly validate the requester is the owner when...

CVSS: 4, AI score: 4.8, EPSS: 0.00275, Exploits: 1

Hacker One, added 2018/11/20 4:48 a.m., 17 views

HackerOne: Corrupted Authorization header can cause logs not to be ingested properly in ████████

HackerOne ingests different logs in ██████, one of them being nginx access logs from our load balancers. The default log format of our load balancer configuration is shown below. As can be seen in the format, the HTTP user specified in the Authorization header $remoteuser is placed between the...

AI score: 7, Exploits: 0

Hacker One, added 2018/11/20 12:00 a.m., 16 views

Versa Networks: Plaintext Credentials in Backups & Configs

In Versa Director, the unencrypted backup files stored on the Versa deployment contain credentials stored within configuration files. These credentials are for various application components such as SNMP, and SSL and Trust keystores...

CVSS: 2.1, AI score: 3.2, EPSS: 0.00027, Exploits: 0

Hacker One, added 2018/11/20 12:00 a.m., 19 views

Versa Networks: Unapproved SSH Encryption Enabled

In VOS compromised, an attacker at network endpoints can possibly view communications between an unsuspecting user and the service using man-in-the-middle attacks. Usage of unapproved SSH encryption protocols or cipher suites also violates the Data Protection TSR Technical Security Requirements...

CVSS: 4.3, AI score: 3.8, EPSS: 0.00067, Exploits: 0

Hacker One, added 2018/11/19 12:00 a.m., 24 views

Versa Networks: Privilege Escalation Using Cron Jobs

In Versa Analytics, the cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. If the job is run as the user root, there is a potential privilege escalation vulnerability. In this case, the job runs a script as root that is writable by users who a...

CVSS: 7.2, AI score: 4.4, EPSS: 0.0004, Exploits: 0

Hacker One, added 2018/11/18 12:19 p.m., 11 views

Node.js: Node.js HTTP/2 Large Settings Frame DoS

Hi, I would like to report a vulnerability in the http2 module of Node.js. In section 10.5 of the HTTP/2 RFC an attack is described where an attacker sends large SETTINGS frames that include many settings inside them. We tested this scenario by opening many connections to the server and sendi...

AI score: 0.6, Exploits: 0

Hacker One, added 2018/11/18 4:57 a.m., 44 views

GitLab: GitLab's GitHub integration is vulnerable to SSRF

The GitHub service is vulnerable to an SSRF vulnerability. An attacker may be able to leverage this to make arbitrary POST requests in a GitLab instance's internal network. It can also be used to connect to a cloud provider's instance metadata API, which may result in the ability to execute commands...

CVSS: 4, AI score: 0.3, EPSS: 0.00083, Exploits: 1

Hacker One, added 2018/11/18 3:13 a.m., 23 views

GitLab: Exfiltrate and mutate repository and project data through injected templated service

The GitLab import feature contains a vulnerability that allows an attacker to import a project that creates a service template. Service templates can normally only be created by a GitLab instance Administrator. When a new project is created, service templates are automatically initialized for the...

AI score: 0.6, Exploits: 0

Hacker One, added 2018/11/17 11:29 a.m., 14 views

Mail.ru: [o2.mail.ru] nginx alias traversal

Invalid nginx configuration allowed limited path traversal in o2.mail.ru...

AI score: 4.1, Exploits: 0

Hacker One, added 2018/11/17 8:41 a.m., 157 views

OLX: SQL Injection https://www.olx.co.id

I found the SQL Injection security hole on the website https://www.olx.co.id; this is a critical finding. Here is the POC from the findings that I got. Affected: https://www.olx.co.id/ajax/buybundle/getbundle/ POC: Request DATA POST /ajax/buybundle/getbundle/ HTTP/1.1 Host: www.olx.co.id User-Agen...

AI score: 0.2, Exploits: 0

Hacker One, added 2018/11/17 7:30 a.m., 36 views

X (Formerly Twitter): CRLF injection

Hello Twitter security team, on the domain ads.twitter.com there is an HTTP response splitting vulnerability. PoC: https://ads.twitter.com/subscriptions/mobile/landing?ref=gl-tw-tw-promote-mode?t=%0d%0atest:tested Impact: an attacker can set new header...

AI score: 6.9, Exploits: 0

Hacker One, added 2018/11/17 3:01 a.m., 17 views

GitLab: EXIF metadata not stripped from JPG group logos

Summary: When uploading JPEG images as group logos on Gitlab, the EXIF metadata is not removed or changed in any way. Description: When setting up a group on Gitlab, you can upload a logo, and if you upload a JPEG with EXIF metadata on it, it isn't stripped. This can lead to disclosure of locatio...

AI score: 6.8, Exploits: 0

Hacker One, added 2018/11/16 8:54 p.m., 8 views

Khan Academy: Take over of accounts created using Google or Facebook

When a user creates an account using Google or Facebook and does not set an additional password, it is possible to set their passwords via CSRF. Since the account is created using a social media account, no existing password check is needed and the CSRF check on the endpoint is broken. To...

AI score: 1.4, Exploits: 0

Hacker One, added 2018/11/16 5:55 p.m., 33 views

HackerOne: Notifications sent due to "Transfer report" functionality may be sent to users who are no longer authorized to see the report

Hi HackerOne team, I am still able to access other program details etc. when I'm authenticated to HackerOne through SAML. I'm not sure if it's the same bug I reported earlier or there is some weak authorization check in place. PFA for more info I can access related to ██████████ etc. See the dat...

AI score: 0.4, Exploits: 0

Hacker One, added 2018/11/15 2:24 p.m., 10 views

QIWI: https://teamplay.qiwi.com/ points farming => financial losses for the company

Points farming on teamplay.qiwi.com...

AI score: 7.1, Exploits: 0

Hacker One, added 2018/11/15 10:55 a.m., 150 views

Smule: Missing Rate Limit in Forgot Password can Lead to email address leakage of all smule accounts

Hello Smule, I have found a vulnerability by which an attacker can get access to all the Gmail accounts associated with Smule. The forgot password parameter can be brute forced, through which an attacker can get the email address. Steps to Reproduce: Enter your email address and for the forgot...

AI score: 0.8, Exploits: 0

Hacker One, added 2018/11/15 5:33 a.m., 58 views

GitLab: CRLF injection & SSRF in git:// protocol lead to arbitrary code execution

Summary: The implementation of the git:// protocol in GitLab is vulnerable to CRLF injection and Server-Side Request Forgery. If the redis server is configured to listen on a TCP socket, e.g. port 6379, an attacker can abuse SSRF to manipulate the redis server, injecting a malicious payload into systemhookpush...

AI score: 0.6, Exploits: 0

Hacker One, added 2018/11/14 10:16 p.m., 8 views

PortSwigger Web Security: Privilege Escalation by abusing non-existent path. (Windows)

Vulnerability Overview: When Burpsuite runs, it tries to load some DLLs from the path C:\Program%20Files. Because the folder doesn't exist, it can be created by a low-privileged user, who can inject an arbitrary DLL into the process when another privileged user runs Burpsuite. I have verified the...

AI score: 2.5, Exploits: 0

Hacker One, added 2018/11/14 3:25 p.m., 17 views

Valve: Potential buffer overflow in demoplayer module of GoldSource Engine

Introduction: Hey. There's a potential vulnerability in the GoldSource Engine that allows writing data of arbitrary size to the stack, thereby causing a buffer overflow and the ability to execute assembler code using .dem files. Description: The problem is located in the DemoPlayer::ReadDemoMessage...

AI score: 2.1, Exploits: 0

Hacker One, added 2018/11/14 2:56 p.m., 30 views

Mail.ru: [Mail.Ru Android] Typo in permission name allows writing contacts without user knowledge

Hi, the Mail.Ru app registers the permission writecontacts in xml but uses write in xml, which is unclaimed, has normal protection level by default and is automatically granted to all apps. It means that any third-party app has the ability to insert any data into that database. PoC xml java ContentValues contentValue...

AI score: 1.7, Exploits: 0

Hacker One, added 2018/11/14 11:06 a.m., 16 views

Starbucks: Starbucks China Android app cloud storage service leaks a credential.

k3mlol found a credential encoded in the Starbucks China mobile application for Android phones, which provided access to a cloud-hosted service that was used to upload information for customer service requests. This credential allowed for read/write access. The credential has since been disabled,...

AI score: 2.7, Exploits: 0

Hacker One, added 2018/11/14 7:30 a.m., 12 views

Smule: Missing Rate Limit in Password Change

Incorrect or missing rate limits related to account features...

AI score: 2, Exploits: 0

Hacker One, added 2018/11/14 5:29 a.m., 61 views

Smule: Open Redirect on smule.com

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: Open Redirect at smule.com You...

AI score: 6.9, Exploits: 0

Hacker One, added 2018/11/13 12:17 p.m., 15 views

Shopify: Stored XSS on demo app link

Hi, I found a stored XSS in apps.shopify.com in the DEMO URL of the apps you create. POC: 1. go to your partner account and create a new app 2. go to the DEMO link in https://apps.shopify.com/services/appsubmissions/edit of your app and put the payload you see below: F374863 and when pressing on preview...

Exploits: 0

Hacker One, added 2018/11/13 11:04 a.m., 32 views

Nextcloud: Event privacy level does not work in Thunderbird

Events in a shared calendar whose privacy level has been changed to anything other than public are shown in Thunderbird as public anyway, with all details. How to reproduce: 1 - create an event in user A's calendar shared to user B 2 - change the privacy setting of this event to anything other than public 3 - open Thunderbi...

CVSS: 4, AI score: 0.9, EPSS: 0.00304, Exploits: 0

Hacker One, added 2018/11/13 3:44 a.m., 10 views

GitLab: Add and Access to Labels of any Private Projects/Groups of Gitlab(IDOR)

Summary & Description: If you have a private project or private group then no non-member should be able to access any information. But the Adding Labels in your Private boards API request is vulnerable to an IDOR attack, which leads to adding private group/project labels and accessing them. Vulnerable Reque...

AI score: 6.9, Exploits: 0

Hacker One, added 2018/11/12 9:18 a.m., 90 views

OLX: Cross-site Scripting (XSS) - Reflected

Dear OLX Security team, I want to report the findings of the security gap on the olx.co.id website; the detailed findings are as follows: impact: https://www.olx.co.id/adminpanel/login/ Payload: ope8i"alert1grpo8 POC: parameter = userpassword POST /adminpanel/login/?ref0action=index&ref0method=ind...

AI score: 0.1, Exploits: 0

Hacker One, added 2018/11/12 12:14 a.m., 18 views

Uber: Access to SQL server of ubergreen.pt through password disclosure from different domain on same IP

The Uber microsite http://ubergreen.pt has an open MySQL port on 3306. ubergreen.pt itself is hosted on the IP 109.71.41.173. After some research, it was found that this IP also hosts many other domains. As of yesterday, 11/10/18, this included the domain apps.etnos.co. This domain existed on the...

AI score: 7.1, Exploits: 0

Hacker One, added 2018/11/11 9:56 p.m., 17 views

QIWI: account takeover https://teamplay.qiwi.com

Hello. I found a bug that allows stealing an account on this site. To pull this off we need to know the email of your user. Suppose the user signed in to your site through a VKontakte account, and the email [email protected] is linked to their page. We go to https://www.faceit.com and...

AI score: 7.1, Exploits: 0

Hacker One, added 2018/11/11 6:46 p.m., 24 views

HackerOne: Verbose PHP error messages exposed on a blog article

Hey guys! For what it's worth, warning messages aren't suppressed on the /blog/ endpoint, giving verbose PHP error messages when visiting a blog article such as https://www.hackerone.com/blog/H1-702-2018-makes-history-over-500K-bounties-paid. F374066 Impact: Not much impact, just disclosures of pat...

AI score: 0.3, Exploits: 0

Hacker One, added 2018/11/11 2:45 p.m., 21 views

Node.js third-party modules: Prototype pollution attack (upmerge)

Hi team, I would like to report a prototype pollution vulnerability in upmerge that allows an attacker to inject properties on Object.prototype. Module module name: upmerge version: 0.1.7 npm page: https://www.npmjs.com/package/upmerge Module Description JavaScript Object Merge and Clone for Clie...

AI score: 0.1, Exploits: 0

Hacker One, added 2018/11/11 2:18 p.m., 20 views

Node.js third-party modules: Prototype pollution attack (lutils-merge)

Hi team, I would like to report a prototype pollution vulnerability in lutils-merge that allows an attacker to inject properties on Object.prototype. Module module name: lutils-merge version: 0.2.6 npm page: https://www.npmjs.com/package/lutils-merge Module Description Merge javascript objects...

AI score: 0.7, Exploits: 0

Hacker One, added 2018/11/11 1:39 p.m., 22 views

Node.js third-party modules: Prototype pollution attack (mergify)

Hi team, I would like to report a prototype pollution vulnerability in mergify that allows an attacker to inject properties on Object.prototype. Module module name: mergify version: 1.0.2 npm page: https://www.npmjs.com/package/mergify Module Description Merge objects deeply Vulnerability...

AI score: 0.9, Exploits: 0

Hacker One, added 2018/11/11 12:07 p.m., 31 views

HackerOne: Open redirect vulnerability in index.php

Summary: Hello Team, I would like to report an open redirect on hackerone.com with reference to report 320376. Report 320376 shows the vulnerability is mitigated, but I am still able to reproduce it, so all the summary and description remain the same. Redirection is performed by the HackerOne website...

AI score: 0.4, Exploits: 0

Hacker One, added 2018/11/11 6:41 a.m., 12 views

Semrush: Web cache deception attack - expose earning state information

Hello, I have found a new vulnerability in your website which is called Web cache deception attack. It was first found in PayPal. Web Cache Deception Attack: Websites often tend to use web cache functionality to store files that are often retrieved, to reduce latency from the web server. Let's see a...

AI score: 6.3, Exploits: 0

Hacker One, added 2018/11/10 9:47 p.m., 228 views

Khan Academy: Cross site scripting (content-sniffing)

Your website may be vulnerable to cross site scripting attacks HTTP request: GET...

AI score: 0.5, Exploits: 0

Hacker One, added 2018/11/09 5:45 p.m., 55 views

HackerOne: Accidental Access to Programs Information via SAML Login

On November 8th, 2018, HackerOne released software to production that contained a bug which impacted our Security Assertion Markup Language (SAML) authentication system. As a result of the bug, the SAML JIT (Just-In-Time) provisioning mechanism granted users of one customer program read-only access t...

AI score: 0.4, Exploits: 0

Hacker One, added 2018/11/09 5:34 p.m., 31 views

X (Formerly Twitter): Information Exposure Through Directory Listing vulnerability on 8 vcache**.usw2.snappytv.com websites

Summary: Researcher has found directory listing exposure to several vcache.usw2.snappytv.com websites. A directory listing provides an attacker with the complete index of all the resources located inside of the directory as well as download or access its contents. While the researcher did not dig...

AI score: 6.6, Exploits: 0

Hacker One, added 2018/11/09 4:05 p.m., 13 views

Node.js third-party modules: Prototype pollution attack (smart-extend)

Hi team, I would like to report a prototype pollution vulnerability in smart-extend that allows an attacker to inject properties on Object.prototype. Module module name: smart-extend version: 1.7.3 npm page: https://www.npmjs.com/package/smart-extend Module Description smart-extend is an extensio...

AI score: 7.1, Exploits: 0

Hacker One, added 2018/11/09 2:12 p.m., 30 views

Starbucks: Reflected Cross site Scripting (XSS) on www.starbucks.com

Summary: Reflected Cross site Scripting (XSS) on https://www.starbucks.com/account/signin?ReturnUrl Description: The attacker can execute JavaScript in the victim's account just after the authentication process. Platforms Affected: www.starbucks.com www.starbucks.ca www.starbucks.com.br...

AI score: 1.3, Exploits: 0

Hacker One, added 2018/11/09 8:44 a.m., 16 views

Concrete CMS: SVG file with HTML included can be uploaded via File Manager

Concrete5 has a whitelist for restricting uploads of malicious files. concrete/config/concrete.php, Line no. 8688 The extension whitelist allows uploading SVG files. However, SVG can have HTML elements in its code. Ref. https://www.w3.org/TR/SVG2/intro.htmlW3CCompatibility If the web browser...

AI score: 6.5, Exploits: 0

Hacker One, added 2018/11/09 4:07 a.m., 22 views

FanDuel: Passive mixed content issues on the site https://*.fanduel.com

Hello. Summary: While browsing the sites https://www.fanduel.com and https://subscriptionapi.fanduel.com I found a mixed content error on the site with HTTPS. This error is located at https://www.fanduel.com/press and https://subscriptionapi.fanduel.com/press. Images are uploaded to the site via HTT...

AI score: 6.7, Exploits: 0

Hacker One, added 2018/11/08 2:39 p.m., 15 views

GitLab: Instant open redirect on Live preview Web IDE opening

Hello GitLab team! The asset is my own GitLab installation on Ubuntu. The issue I want to report is the lack of a sandbox attribute on the iframe pointing to codesandbox. This results in content inside the iframe redirecting the top-level window on load. How to reproduce: 1. create index.js with the following content:...

AI score: 0.2, Exploits: 0

Hacker One, added 2018/11/08 9:53 a.m., 15 views

WordPress: RCE as Admin defeats WordPress hardening and file permissions

This vulnerability was found when I found myself in the following scenario: My colleague set up WordPress on his local machine and challenged me to hack it. Before he gave me admin access he used the following hardening mechanisms: 1. PHP Safe mode 2. The entire web directory was not writable 3...

AI score: 0.9, Exploits: 0

Hacker One, added 2018/11/07 1:52 p.m., 48 views

Phabricator: TOTP Key is shorter than RFC 4226 recommended minimum

mongoose Observed Behavior: When creating a TOTP secret, a 16-character base32-encoded string is presented to the user. Expected Behavior: I would expect a 32-character base32 secret to be presented. The RFC recommends 160 bits of entropy, which is 32 characters x 5 bits per character in base32...

AI score: 0.7, Exploits: 0

Hacker One, added 2018/11/07 11:33 a.m., 34 views

Kaspersky: Kaspersky Password Manager is vulnerable to HTML injection in the browser action pop-up via user name

Note: According to https://www.securityweek.com/kaspersky-adds-password-manager-bug-bounty-program and some other sources, Kaspersky Password Manager is in scope for this program. The program description doesn't reflect this, however. Summary: There is a stored XSS vulnerability in popover.html, the...

AI score: 0.3, Exploits: 0

Hacker One, added 2018/11/07 2:32 a.m., 34 views

Imgur: Ability to login to the Nexus Repo Manager from https://nexus.imgur.com/

Hello Imgur Administrators, I am not sure if this falls in your scope, but I wanted to alert you that your Nexus Repository Manager can be accessed through https://nexus.imgur.com/. Usually the default user/pass for the NRM is admin/admin123, but there is an alternative way to login using the below...

AI score: 0.5, Exploits: 0

Total number of security vulnerabilities: 15278