15278 matches found
Grammarly: Reflected Cross Site Scripting (XSS)
Hi there, here is the link that fired XSS: https://www.grammarly.com/blog/search/" Impact: stealing cookies, stealing data, etc...
HackerOne: SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter
The embedded_submission_form_uuid parameter in the /graphql endpoint is vulnerable to a SQL injection. Execute the following command to reproduce the behavior: Locally: curl -X POST http://localhost:8080/graphql?embedded_submission_form_uuid=1%27%3BSELECT%201%3BSELECT%20pg_sleep(30)%3B--%27...
X (Formerly Twitter): Incorrect details on OAuth permissions screen allows DMs to be read without permission
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: The OAuth screen can be tricke...
Open-Xchange: No session expiry after log-out and session id exposed in URL
Hi, there is no session expiry after log-out, which can help an attacker take over the full account by reusing it. The vulnerable JSESSIONID can be used an unlimited number of times, even after the password change. The server will keep on creating an unlimited number of sessions after each log-in...
X (Formerly Twitter): Global defaming of any twitter user
Private tweets can be used to keep any user's tweets secret from the rest of the Twitter world. Once the user changes his setting from private tweets to public tweets, all his secret tweets become visible. This can become a major issue causing global distributed attacks. Steps to Reproduce 1. Assume the...
Hanno's projects: Text injection at https://media.hboeck.de
Text injection is possible at https://media.hboeck.de if we craft a URL like this: https://media.hboeck.de/?c=http://www.example.com We can see the output on the web app. Impact: Defacement of the website by following a crafted link...
X (Formerly Twitter): Opportunity to post hidden comments
Twitter allows commenting on anyone's tweet. While testing this feature, I observed that one can post a comment on a tweet which will be invisible to the victim to whom the reply was posted and would be visible to any other Twitter user. This can allow an attacker to abuse a victim on a tweet. The catch her...
Phabricator: Exposing voting results on the Slowvote application without actually voting
Description There is a feature on the Phabricator Slowvote application which allows creating polls and asking questions. The poll creator can choose to only allow people who voted to actually see the poll results. However, it seems that by sending an illegal vote a user can still see the poll's...
QIWI: XXE on ██████████ by bypassing WAF ████
XXE on ■■■■■■.qiwi.com with WAF bypass The endpoint on ██████ accepts a POST request with an XML document. A Web-Application Firewall WAF successfully blocked all requests that contained any of the keywords !DOCTYPE, !ENTITY or !ELEMENT, that are necessary for XXE attacks to be successful. Howeve...
VK.com: Inserting our own code in the mobile application in the community help section
Insufficient text filtering...
Rocket.Chat: Blind SQL injection in third-party software, that allows to reveal user statistic from rocket.chat and possibly hack into the rocketchat.agilecrm.com
Hi. I decided to go to static website https://rocket.chat/ and look what is there. I found third-party website request...
Node.js third-party modules: [static-resource-server] Path Traversal allows to read content of arbitrary file on the server
Module module name: static-resource-server version: 1.7.2 npm page: https://www.npmjs.com/package/static-resource-server Module Description A tiny http server that provides local static resource access Module Stats Replace stats below with numbers from npm’s module page: 0 downloads in the last d...
Mail.ru: SSRF on api.icq.net
SSRF in api.icq.net due to invalid handling of non-zero Content-Length value in GET requests...
Shopify: Order Creation Webhooks can be edited/deleted by STAFF with `Settings` only permission
Hi, a STAFF with just the Settings permission can only create one type of webhook, called Shop Update, as seen below. F368739 Attempting to create an Order Creation webhook via Burp proxy gives a 403 Forbidden response with a message indicating that you do not have permission to create webhooks with...
Ruby on Rails: Specially constructed multi-part requests cause multi-second response times; vulnerable to DoS
The multi-part body parsing in Rack and consequently Rails has a worse-than-linear performance relative to the number of parts in the request body. In small scale i.e. non-disruptive tests on a variety of Rails applications on the internet, including my own, GitHub.com, Heroku API, Instacart,...
██████: Golden techniques to bypass host validations in Android apps
███...
Kaspersky: Kaspersky Password Manager allows websites to access user's address data
Note: According to https://www.securityweek.com/kaspersky-adds-password-manager-bug-bounty-program and some other sources, Kaspersky Password Manager is in scope for this program. The program description doesn't reflect this however. Summary It is possible for websites to read out addresses that...
Node.js third-party modules: Prototype pollution attack in node.extend
I would like to report a prototype pollution vulnerability in node.extend. It allows an attacker to inject properties on Object.prototype. Module module name: node.extend version: 2.0.0 npm page: https://www.npmjs.com/package/node.extend Module Description A port of jQuery.extend that actually...
Keybase: Keybase client: downloaded executables lack "com.apple.quarantine" meta-attribute [macOS]
Summary 1. Missing quarantine attribute for downloaded files allows a remote attacker to send an executable file that won't be checked by Gatekeeper (codesign bypass). 2. Since sent executable files lack the com.apple.quarantine meta-attribute, no alert about launching an executable file from the web will be...
Node.js third-party modules: Prototype pollution attack in just-extend
I would like to report a prototype pollution vulnerability in just-extend It allows an attacker to inject properties on Object.prototype. Module module name: just-extend version: 2.1.0, and 3.0.0 npm page: https://www.npmjs.com/package/just-extend Module Description Part of a library of...
Mail.ru: Reference to external uncontrolled resource in terrhq.ru
Domain name esrv3.wartune-fra.ext.terrhq.ru was erroneously pointing to external resource outside of organizational control. terrhq.ru domain belongs to mail.ru but is not currently used to host any resources...
Ubiquiti Inc.: CORS Misconfiguration leading to Private Information Disclosure
Due to a mistake in the CORS policy configuration, the CORS policy of the sites https://client.amplifi.com and https://protect.ubnt.com/ allowed HTTP requests to be made from certain sites outside the .ubnt.com and .ui.com domains. This bug could be used to steal users' information or force the user to...
Infogram: Stored XSS in infogram.com via language
The stored XSS was found in the language profile parameter. POC: Change profile settings with the following request: PUT /api/users/me HTTP/1.1 Host: infogram.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: */* Accept-Language: en-US,en;q=0.5...
U.S. Dept Of Defense: Padding Oracle ms10-070 in the a DoD website (https://██████/)
Hi there, I found a Padding Oracle (MS10-070) in the following website: https://█████████/ In the following steps I will demonstrate how to reproduce the vulnerability. POC: 1. Go to the following URL: https://████/ You will see in the source code of the page something like "WebResource.axd?d="...
Ruby on Rails: XSS by MathML at Active Storage
In Active Storage, the formats treated as binary have been confirmed; they do not include application/mathml+xml. https://github.com/rails/rails/commit/d40284b1a44773b03d78ca67a888b94fd330d1b1 In Marcel::MimeType.for, if the content-type cannot be determined from magic bytes, since it is determined using...
Nextcloud: https://help.nextcloud.com::: Web cache poisoning attack
Hi there, I just found that the website https://help.nextcloud.com is affected by "Web cache poisoning". By abusing this bug, an attacker can: 1. Poison your cache with an HTTP header with XSS included. This attack may lead to Stored XSS. 2. Poison your website's cache so that it contains a malware URL placed by the attacker,...
Shopify: POST-based XSS on apps.shopify.com
Hello Shopify team! I found a POST-based XSS which may be shared with other users and occurs in Firefox, IE, and Edge. How to reproduce: 1. At partners.shopify.com go to Apps - choose one - More actions - Create Shopify App Store listing. 2. You will get redirected to a URL with a ?signature parameter. Full...
OLX: XSS Reflected at SEARCH >>
I have found an XSS payload available in a GET request. Live PoC URL:...
Shopify: Reverse Proxy misroute leading to steal X-Shopify-Access-Token header
Hello Shopify team! I found out that on the /admin/api/graphql endpoint the server fetches the content of the Host header value: $HTTP_Host + /admin/api/graphql. If my own host was sent to the server, the request comes from ██████████ or ██████████, your Google Cloud cluster. Also I can grab all reverse proxy headers...
Chaturbate: Stored XSS in chat topic due to insecure emoticon parsing on any message type
Description The functionality for adding emoticons into the chat, from the server-side perspective, is based on a string in the following format: %%%emoticon NAME|EMOTICONURL|WIDTH|HEIGHT|REPORTURL%%% The EMOTICONURL must conform to the following regex: javascript...
HackerOne: Race condition in performing retest allows duplicated payments
Summary There exists a race condition in performing retests. By executing multiple requests to confirm a retest at the same time, a malicious user is paid multiple times for the retest. This allows for stealing money from HackerOne, which could go unnoticed by both HackerOne and the attacker me...
U.S. Dept Of Defense: Access to all █████████ files, including CAC authentication bypass
Summary: Due to an Insecure Direct Object Reference (IDOR) in adding recipients to a shared package on ██████████, an unauthenticated attacker can access all files uploaded to ████. As described on the ██████████ website, this includes documents with classifications up to FOUO, including PII / PHI...
U.S. Dept Of Defense: Admin panel take over | User info leakage | Mass Compromise
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: add summary of the vulnerabili...
Nextcloud: Gallery: No feedback for invalid password
CVSS: Low 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) Description: The Gallery plugin does not inform a user when password-protecting a file failed in combination with the Password Policy plugin. Because of this, files that the user will rightfully assume to be...
Mail.ru: CSRF on draft message creation in tel.mail.ru
CSRF allowed to save message draft with attacker controlled content...
WordPress: CSRF to HTML Injection in Comments
Simon discovered a CSRF vulnerability that led to RCE. More details are available on the RIPS blog...
Nextcloud: Talk / spreed: Disclosure of Room names and participants for password protected rooms
CVSS: 5.3 Medium (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSS isn't always as fine-grained as I'd like; personally, I would rate the issue somewhere between low and medium. Description: The API of the official spreed/talk extension reveals potentially sensitive information such...
Nextcloud: Server-Side request forgery in New-Subscription feature of the calendar app
CVSS: 8.5 High (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) Description: The "New Subscription" functionality of the official Calendar app allows authenticated users to direct the server to perform arbitrary external requests, and then displays the full response to the user. The...
HackerOne: Proper verification is not done before sending invitations to researchers for certain private programs with rules e.g. "Participants must be US-based"
Hi, I would like to report something I just recently noticed upon receiving an automated invite from Hackerone for a private program. The program brief clearly states the following in program rules: █████ This is where I believe the issue is. I live in ███ and according to the program rules I...
New Relic: Swiftype key stored in JavaScript source
Hi, I was surfing on the New Relic website. I found sensitive data, including an authentication key, written in a publicly accessible JavaScript file. SwiftType is a third-party solution New Relic uses for crawling or search suggestions. Below is the link where you can find the auth key, which would be able t...
Mail.ru: Server side request forgery
SSRF in eu.portal.sf.my.com allowed to proxy request to another host...
Keybase: Linux privilege escalation via trusted $PATH in keybase-redirector
keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path, and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application into executing a custom fusermount binary as root. Environment: CentOS Linux...
Chaturbate: Missing Rate Limitation at /photo_videos/photoset/create
Hello, I discovered that one is able to create an unlimited number of albums via /photo_videos/photoset/create/ Steps To Reproduce: 1. Login and go to http://fr.chaturbate.co /photo_videos/photoset/create/ 2. Fill in the form 3. Enable a proxy interception tool, e.g. Burp Suite 4. Click Save 5. Send the POST...
DuckDuckGo: DOM XSS on 50x.html page on proxy.duckduckgo.com
Hi, I read the report about DOM XSS on 50x.html page https://hackerone.com/reports/405191. I decided to check some other subdomains to be sure. This link still executes javascript: https://proxy.duckduckgo.com/50x.html?e=&atb=test%22/%3E%3Cimg%20src=x%20onerror=alert%27test%27;%3E The following...
Mail.ru: [screenshot.mail.ru] CRLF Injection
CRLF injection in screenshot.mail.ru allowed to manipulate response headers...
Zomato: [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information
Summary: Cross-Origin Resource Sharing misconfiguration | Leads to sensitive information disclosure. Description: An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy ...
X (Formerly Twitter): CORS misconfig | Account Takeover
Summary: A CORS misconfiguration is found on niche.co, as Access-Control-Allow-Origin is dynamically fetched from the client Origin header with credentials set to true, and different methods are enabled as well. Description: Basically, the application was only checking whether "//niche.co" was in the Origin header, tha...
Shopify: Disclosure of Github Issues
About 5 mins ago a new website was just registered by Shopify. https://github-issues-tracker.shopifycloud.com/. This contains title of all the internal github issues that Shopify currently has. I wanted to let you know right away of this as soon as I saw it. I am testing this further to get more...
Gatecoin: API request signature can be reused with other parameters/data than the original in certain cases
If an attacker can intercept/see an API request from a client whose system clock is slightly ahead of the server time, then the attacker can re-use the API request signature towards the same URL but with a different payload. This can for some of the endpoints lead to serious vulnerabilitie...
PayPal: XSS [flow] - on www.paypal.com/paypalme/my/landing (requires user interaction)
Steps to reproduce On Chrome and Firefox: 1. Go to...