Shipt: Vulnerabilities in exported activity WebView
Hello, I want to report the vulnerability found. Since the following activity com.pushio.manager.iam.ui.PushIOMessageViewActivity has exported=true, it can be exploited by 3rd parties. Vulnerability: com.pushio.manager.iam.ui.PushIOMessageViewActivity has exported set to true, making the activity...
Vanilla: Persistent XSS via Signatures
Description: The current version of the signature plugin 1.6.1 is vulnerable to persistent XSS as the Format parameter is echoed without encoding. POC: Prerequisite: Enable the Signatures plugin. To place the payload, the following request can be used; it's simply the request that is...
Shopify: Race condition at create new Location
User can bypass the restriction and create more store locations than the maximum allowed by the store plan. Intercept the request and send it multiple times at once. See screenshots F350687 - requests, F350688 - results. I created 12 store locations when 4 are possible. Impact: Bypass the limitations of the billing plan...
Semmle: Server side includes in https://lgtm-com.pentesting.semmle.net/internal_api/v0.2/savePublicInformation leads to 500 server error and D-DOS
Summary: Improper sanitizing of input in one of the input forms in https://lgtm-com.pentesting.semmle.net/internalapi/v0.2/savePublicInformation leads to a server side include that causes a 500 internal server error and a possible denial of service. Description: After logging in to semmle, in other ...
Dropbox: [www.dropboxforum.com] - reflected XSS in search
There was a reflected XSS in the search feature for www.dropboxforum.com...
Chaturbate: No rate limit in affiliate statsapi endpoint
Brute force at affiliate statsapi. Steps To Reproduce: 1. The affiliate stats api link is vulnerable to brute force: https://chaturbate.com/affiliates/apistats/?username=hackeronetestchat&token=vulnerable I've used my profile and my token to check brute force. The correct token returned with 20...
Chaturbate: [chatws25.stream.highwebmedia.com] - Reflected XSS in c parameter
Hi Team, I found that chatws25.stream.highwebmedia.com is vulnerable to reflected XSS in the c parameter. We can verify it with the following URL; it is also a Cloudflare filter bypass: https://chatws25.stream.highwebmedia.com/ws/007/tgpraolp/htmlfile?c=███...
Chaturbate: Open redirect on chaturbate.com (tipping/purchase_success)
Hi, I would like to report an open redirect issue on https://chaturbate.com/ Description: An attacker can redirect a user to any external website using the parameter prejoindata; this parameter seems to miss sanitization. Steps to Reproduce: Visit the following url:...
Chaturbate: Reflected XSS on secure.chaturbate.com
The hacker found that an external asset used for fraud detection on secure.chaturbate.com was not sanitizing input parameters and could be used for reflected XSS. This external asset was removed...
Ruby on Rails: Untrusted strings that are cache fetched with raw option are automatically marshal loaded
This vulnerability affects application code that caches a string from an untrusted source using the raw: true option. For example, vulnerable application code might look something like the following ruby: body = Rails.cache.fetch(key, raw: true, expires_in: ttl) do res = Net::HTTP.get_response(remote_u...
Mail.ru: Locked mailbox (Bypass)
It was possible to bypass an administrative lock for a mailbox (e.g. a lock set by a biz.mail.ru domain administrator) by pre-requesting a recovery link...
Dropbox: Stored XSS in dropboxforum.com
This report described a vulnerability where an attacker could put a specially crafted payload into the reply section of threads on dropboxforum.com to bypass the HTML filter on the site. This enabled a stored XSS attack against anyone viewing the message. This was an issue in Lithium forum...
8x8: CRLF injection agentcrm.8x8.com
The agent application was vulnerable to a response splitting attack when parsing line feed characters in a given URL...
8x8: Stored Cross Site Scripting.
Hello team, I got stored XSS on your web :D Here are the steps: 1. Go to https://www.easycontactnow.com/ 2. Click "Try For Free" Sign Up 3. It will tell you "Enter your details to get started". So enter your full name like: "alert1 Then put all the other details. 4. Then confirm your id and...
HackerOne: Hacker can request mediation for published reports
Hi team, @jobert Summary: After creating the published report, we do not have a field to send the requested mediation from HackerOne Support. Description: Steps To Reproduce 1. Create a published report for any program ████████ 2. Use query https://hackerone.com/reports/numberpublishreport/hackerhelp M...
8x8: Hardcoded credentials in Android App
The mobile applications contained a URL that included credentials to a third party bug capture API. Access was restricted to pushing bug information...
8x8: XSS (Cross site scripting) on https://apimgr.8x8.com
The domain apimgr.8x8.com hosted an outdated version of WSO2 Data Analytics Server...
Khan Academy: Creating Unlimited Fake Accounts.
Hello @khanacademy, Anyone can create unlimited fake accounts using temp mails, i.e. https://temp-mail.org/en/ 1- Go to https://temp-mail.org/en/ 2- Select a mail 3- Enter that mail while creating an account in khanacademy 4- You will get a confirmation mail from khanacademy on https://temp-mail.org/en/...
Internet Bug Bounty: XML hash collision DoS vulnerability in Python's xml.etree module
Python's standard library uses libexpat to parse XML. Internally the expat library has a hash table implementation to efficiently store and lookup DTD elements like entities, elements, attributes, etc. Hash tables are potentially vulnerable to hash collision Denial-of-Service attacks, which turns...
Chaturbate: No rate limit in stats api token endpoint
Brute force on the statsapi endpoint to view the stats of a user. Steps To Reproduce: 1. A stats api token can be generated at https://chaturbate.com/statsapi/authtoken/ https://chaturbate.com/statsapi/?username=hackeronetestchat&token=vulnerable I've used my profile and my token to check brute force T...
Grammarly: Permissive CORS policy trusting arbitrary extensions origin
@foobar7 identified that misconfigurations in CORS and CSRF handling allowed malicious browser extensions, which have permission to interact with grammarly.com domain, to impersonate the user. The vulnerability was resolved with improved CSRF/CORS handling...
Starbucks: China - ecjobsdc.starbucks.com.cn html/shtml file upload vulnerability
1. Summary: During the test, I found that the site ecjobsdc.starbucks.com.cn has an upload vulnerability; you can upload html and shtml format files, so you can read the server's intranet IP, the physical address of the website application, and read the website web.config file. 2. Vulnerability scope...
HackerOne: User with privilege to maintain External Programs can update certain churned HackerOne programs
Summary: You wrote that some programs are behind, but you are trying to get them back (sorry, maybe bad translation). Description: Apparently because of a system error, I have access to change information in the public program. This option is given only for external programs. But here is a public...
Chaturbate: Leaking Username and Password in the URLs via Virustotal, can leads to account takeover
Hi dear @chaturbate team. Vulnerability Type: Critical Information Leakage in URLs via Virustotal. Vulnerability Severity: High. Description: During my regular testing, I went to https://www.virustotal.com/%2Fdomain%2Fchaturbate.com After reviewing all URLs more and more, I got 2 interesting and critic...
Chaturbate: Blind SSRF at https://chaturbate.com/notifications/update_push/
In the application at https://chaturbate.com/notifications/update_push/ there is a functionality to subscribe to any cam model which will trigger the provided request. Using this request an attacker can execute an SSRF attack and also steal sensitive tokens / keys of the internal web server. Steps to...
Chaturbate: Password protected rooms total number of viewers disclosure to unauthorized members
Summary: Password protected rooms are supposed to be completely private; no information should be exposed if you do not have the room's password, and the UI looks like this: F348826 However, through the following endpoint, it is possible to know the total number of viewers of the room even if it i...
Chaturbate: Open redirection at https://chaturbate.com/auth/login/
Hi, Summary: An attacker can redirect a victim to an external website using the https://chaturbate.com/auth/login/ endpoint because the next parameter is not being validated properly. There is a protection, but it's weak and can be bypassed. The http keyword is detected and the protection works if the payload...
Alliance of American Football : Stored xss in address field in billing activity at https://shop.aaf.com/Order/step1/index.cfm
Dear Team, Summary: add summary of the vulnerability. After looking into https://shop.aaf.com/Order/step1/index.cfm I got to know that there is an address field which is vulnerable to stored XSS, which can lead to stealing any user's cookie and can lead to complete account takeover. Description: add more detail...
Chaturbate: View Failed Approval and Pending videos other users
See videos uploaded by a user. The video is available while it waits for confirmation or is not accepted. Steps To Reproduce: 1 - Go to the victim page: https://chaturbate.com/p/akaxanxa/?tab=bio 2 - Open video: https://chaturbate.com/photovideos/photo/big/username/contentid/ 3 - Get random requests -...
Chaturbate: Form Replay in customer information form
The hacker found that the server replays some form field data back in the response when there were form validation errors, which could be cached or viewed by someone with physical access to the same device used to complete the form. The fix was to delete the form data from showing in the response...
RubyGems: DNS SRV lookup of file:// sources enables local hijacking of gems
Summary: gem makes a DNS SRV query for each of its configured sources; the response is allowed to override the source URL in certain ways. The SRV query happens not only for http:// and https:// sources, but also for s3:// and file://. In the case of file://, the SRV response may add a prefix to t...
Mail.ru: Reading files on the server and directory disclosure on mediator.media
It was possible to access some internal addresses and special URI schemes due to a lack of URI filtering on page submission. mediator.media is not in the Bug Bounty scope; the bounty was issued due to problem severity...
Node.js third-party modules: [http-live-simulator] Path traversal vulnerability
Module name: http-live-simulator, version: 1.0.6, npm page: https://www.npmjs.com/package/http-live-simulator Description: this vulnerability is a bypass for the one found in this report in version 1.0.5. Steps To Reproduce: 1- Install the module: npm install -g http-live-simulator 2- Run the...
Hyperledger: Brute Force of fabric-ca server admin account
fabric-ca server: - Default configuration maxenrollments value -1 enables outside enrollment - Listening on 0.0.0.0:7054, easily discovered and can be reached - No limit on wrong password tries. The above conditions result in brute force against the CA server admin account. Impact: Attacker gains a high-level permissioned...
Chaturbate: Forget password link not expiring after email change.
I found a token misconfiguration flaw in chaturbate.com. When we reset the password for a user, a link is sent to the registered email address, but in case it remains unused and the email is updated by the user from the settings panel, that old reset token link sent to the old email address still remains valid. A...
Valve: code injection, steam chat client
The steam chat client allows oEmbed, apparently based on a whitelist. One of the whitelisted oEmbeds is codepen. When a codepen is created, it can be sent as a link to another steam user, and the code inside the codepen will execute within the privileged Steam Chat context. You can send these codep...
Informatica: Cisco RCE
The researcher was able to complete an RCE attack and download sensitive files. We have mitigated it by hardening the machine and port. There was an open classic Cisco Smart Install service, which was successfully exploited. Informatica is the fAsTeSt!!! bug fixer in my life. Closing vulnerability in...
Vanilla: Vanilla Forums AddonManager getSingleIndex Directory Traversal File Inclusion Remote Code Execution Vulnerability
Summary: An authenticated admin user can trigger a directory traversal in a require call, leading to local file inclusion, which can allow an attacker to gain remote code execution. Notes: - You need to have an admin session to run this poc. - You can use the directory traversal to reach outside of t...
Vanilla: Abusing "Report as abuse" functionality to delete any user's post.
Hi Team, Greetings!! Description: I would like to report a vulnerability that can be used to delete any user's post by abusing the "Report an abuse" function within the application. After a specific number of reports are submitted to the server, it automatically deletes that post of the user. The application has...
ExpressionEngine: License verification mechanism can be bypassed
@unbaiat discovered that an invalid license file could be accepted as valid in certain circumstances. @unbaiat gave a detailed report with step-by-step instructions for replicating, enabling a speedy resolution to the issue...
ExpressionEngine: Persistent XSS via malicious license file
@unbaiat discovered that the display of the license file information was not properly sanitized leaving it vulnerable to XSS. @unbaiat gave a detailed report with step-by-step instructions for replicating, enabling a speedy resolution to the issue...
Vanilla: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical)
Summary: An unauthenticated attacker can inject a serialized payload into a phar archive and trigger read access to it via an unprotected getimagesize. The attacker can leverage this to deserialize untrusted data and gain remote code execution. Notes: - THIS BUG IS UNAUTHENTICATED, however you...
Mail.ru: [moba.my.com] phpinfo, logs
PHP info and fragment of access logs were available...
Mail.ru: [sj.my.com] Source Code Disclosure /.svn/wc.db
Available SVN files for sj.my.com led to source code disclosure. sj.my.com is not currently covered by Bug Bounty program...
Starbucks: Unauthorized access to a system used for CI/CD processes
@k3m reported a vulnerability allowing unauthorized access to a system used for CI/CD processes. Our teams quickly restricted access and fixed the vulnerability. Thank you @k3m for a detailed report...
HackerOne: User login page doesn't implement any form of rate limiting
Hi Team, Summary: As a best practice a login page should have rate limiting just like hackerone.com. Vulnerable Request: POST /auth/postlogin HTTP/1.1 Host: ctf.hacker101.com User-Agent: Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://ctf.hacker101.com/...
IBM: Reflected XSS and Blind out of band command injection at subdomain dstuid-ww.dst.ibm.com
I found an XSS and a blind OS injection issue due to the incorrect handling of characters in the EMAIL GET & POST parameters. An injected and a sleep command successfully executed; the following link works as a PoC that alerts the string in the script. I reproduced the same on Firefox and IE...
HackerOne: Missing Certificate Authority Authorization rule
Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...
Vanilla: Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability
Summary: An authenticated admin user can inject a serialized payload into a phar archive and trigger read access to it via an unprotected file_exists. An attacker can leverage this to deserialize untrusted data and gain remote code execution. Notes: - You need to have an admin account to run this...
Valve: unlock self-lock by brute force
Due to missing protection on the self account unlock feature, self unlock codes could be bruteforced, leading to unrestricted access to the account. The endpoint issue has been corrected...