Brave Software: Incorrect security UI of files' download source on brave MacOS
The incorrect display of the download source in the Brave download alert was identified. Instead of displaying the actual source of the downloaded file, the browser displayed the referrer header value, which could have misled users into believing the file was from a trusted source...
Flickr: Information Disclosure: .dockerignore file is publicly accessible
Vulnerability description not provided...
Mars: massive PII leakage for ███████
The report identified a security vulnerability in the visitor management system mwcvisitor.royalcanin.com.cn that exposed a log file containing personally identifiable information (PII) of users. The log file was directly accessible through a public URL without any authentication, allowing...
curl: Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4
curl is software that I love and is an important tool for the world. If my report doesn't align, I apologize for that. The Curl_inet_ntop function is designed to convert IP addresses from binary format to human-readable string format, supporting both IPv4 and IPv6. It internally delegates to...
Shopify: GraphQL Introspection Enabled on Shopify API Endpoint (Intended Behavior)
Summary: Hi team! I've found a misconfiguration in your GraphQL API on the endpoint, in which an attacker is able to run a GraphQL introspection query to fetch schemas, types, fields, and available query operations. After running the introspection query on the GraphQL API endpoint, an attacker is...
Drugs.com: 2FA Bypass leads to impersonation of legitimate users
The authentication system contained a logic flaw that allowed an attacker to impersonate a legitimate user who had not yet registered. By abusing the email change functionality and bypassing two-factor authentication, the attacker could retain access to the account until the legitimate user reset...
Shopify: Shopify Partners Invitation Process Allows Privilege Escalation Without Email Verification
The Shopify Partners invitation process allowed privilege escalation without email verification. The vulnerability permitted unauthorized users to gain access to Shopify Partners accounts and escalate their privileges by creating accounts using the email addresses of invited owners and accepting...
Internet Bug Bounty: CVE-2024-53908: Django Potential SQL injection in `HasKey(lhs, rhs)` on Oracle
CVE-2024-53908: Django potential SQL injection in HasKey(lhs, rhs) on Oracle was reported. The vulnerability was found in the direct usage of the django.db.models.fields.json.HasKey lookup on Oracle databases when untrusted data was used as an lhs value. Applications that used the jsonfield.has_key...
Internet Bug Bounty: CVE-2024-45230 - Potential denial-of-service in django.utils.html.urlize() (Another pattern)
CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize The django.utils.html.urlize and urlizetrunc functions were affected by a potential denial-of-service vulnerability. Very large inputs containing a specific sequence of characters could have resulted in reduced...
Internet Bug Bounty: Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
A possible ReDoS vulnerability was discovered in the query parameter filtering routines of Action Dispatch in Ruby on Rails. The vulnerability was assigned the CVE identifier CVE-2024-41128. Versions affected were less than 8.0.0.beta1. The issue was addressed in fixed versions 7.2.1.1, 7.1.4.1,...
curl: Buffer Overflow Vulnerability in strcpy() Leading to Remote Code Execution
Summary: The vulnerability in the program arises from a classic buffer overflow, triggered by the unsafe use of the strcpy function without bounds checking. The program copies data from a source buffer to a destination buffer, allowing attackers to overflow the buffer if the input string exceeds...
U.S. Dept Of Defense: Unauthenticated File Read Adobe ColdFusion
A vulnerability was discovered in Adobe ColdFusion that led to an Unauthenticated Arbitrary File Read. The vulnerability was caused by the deserialization of untrusted data. A password hash was disclosed as a result of the vulnerability...
Bykea: Bypassing Bronze Partner Wallet Restriction to Accept Trips with Negative Balance
The vulnerability allowed Bronze-tier partners with negative wallet balances to bypass platform restrictions and accept trips. By chaining three backend endpoints, a negative-balance driver could reset their availability and successfully submit bids, enabling unauthorized access to trips despite...
TikTok: Unauthorized Access to TikTok Account [Private Videos] via API Endpoint
The vulnerability on a TikTok endpoint that allowed unauthorized viewing of videos from private accounts was discovered and reported by @datph4m. The issue was subsequently remediated...
Bykea: Improper Access Control Allows Trip Hijacking and Passenger/Driver PII Disclosure
The vulnerability discovered allowed improper access control, enabling an attacker to hijack trips and disclose passenger and driver personally identifiable information. The /acknowledgedtheoffer and /accept endpoints failed to properly validate the ownership of the tripid, allowing an attacker t...
curl: -H with space prefix leads to previous header injection when used with --proxy
Summary: Hi team, I hope you're doing well. Recently I came across this weird curl behavior where -H " spaceheader: value" would inject the header into the previous HTTP header. Tried it on macOS Sequoia 15.1 with curl version curl 8.11.0 aarch64-apple-darwin24.1.0 libcurl/8.11.0 OpenSSL/3.4.0...
curl: Arbitrary File Deletion Vulnerability in curl Source Code via os.unlink()
Summary: The curl source code's testing scripts contain instances where the os.unlink function is used to delete files without validating the input file paths. This introduces a risk of arbitrary file deletion when these scripts are executed with malicious or manipulated inputs. Although the...
Bykea: Ability to increase any customer offered fare (BAC)
A business logic flaw was discovered that allowed a malicious passenger or driver acting as a passenger to increase the fare of another customer's ride without their involvement. By chaining two unauthenticated endpoints, an attacker could cause an inflated fare to appear on the driver's screen...
curl: curl mishandles `%0c%0b` sequences in HTTP responses leading to CRLF confusions, Headers and Cookies Injection
Summary: Hello. Actually, this bug was found unexpectedly during some security audits on a private asset. We found some differences in how Burp proxy and Python's requests library handle the asset's HTTP responses on a certain endpoint and how curl handles the same HTTP responses. The bug arises whe...
Mozilla: Denial of Access to Static Resources via Cache Poisoning on addons.allizom.org
A cache poisoning vulnerability was identified on addons.allizom.org that allowed an attacker to block access to static resources such as images and JavaScript files. The issue was exploited by processing the X-HTTP-Method-Override header, which was honored by the origin server and treated the...
curl: curl --continue-at confusion
Summary: When the curl command is used with --continue-at, --no-clobber is unexpectedly ignored and curl will append the output to the target file, even if it already exists. If --continue-at is used with --remove-on-error it can lead to unexpected removal of the file on early errors. Note that th...
U.S. Dept Of Defense: Unauthorized Access Exposing Sensitive Data
The identified page allowed unauthorized access to a user's profile management functionality without requiring authentication. Sensitive user details, such as name, email address, and EDIPI, were exposed upon accessing the page...
Monero: low-level p2p ping + tcp flooding leads to a remote crash in monerod
The vulnerability allowed remote crashes of the P2P daemon through low-level ping and TCP flooding...
U.S. Dept Of Defense: Exposed Extremely Sensitive Information in Public ZIP File
A publicly accessible ZIP file containing sensitive information, including SMTP credentials, database connection details, and AWS secret keys, was discovered. The sensitive data was exposed due to the lack of proper access controls and encryption. The exposed credentials could have been misused f...
Shopify: Staff with Restricted Permissions Could Access Customer Data After Company Removal
The report describes a vulnerability in Shopify's admin interface where staff members with restricted company permissions could access and update customer information even after the customer had been removed from a specific company. The issue arose when a customer, initially associated with a...
U.S. Dept Of Defense: XSS found in https://www.████████.mil
The security researcher found a reflected cross-site scripting (XSS) vulnerability on the www.████████.mil website. The vulnerability was demonstrated using a proof-of-concept link that triggered a JavaScript alert. The affected product was identified as the web server, and the vulnerable code was...
curl: Information Disclosure at : https://curl.se/.mailmap
Summary: During a security assessment, it was discovered that email addresses were exposed in a publicly accessible location. The data was retrieved using standard tools, such as curl, without requiring authentication or special permissions. This raises a concern regarding the...
TikTok: IDOR on ads.tiktok.com Allows Unauthorized Product Addition
An Insecure Direct Object Reference (IDOR) vulnerability was discovered on the TikTok Ads API that allowed the addition of arbitrary products to a user's catalog without proper authorization...
Khan Academy: XSS on using the legacy "Graphie To Png" API
The legacy "Graphie To Png" API was vulnerable to exploitation. An attacker could upload malicious graphies that included harmful SVG and JSON data. The SVG contained an onload attribute that executed arbitrary JavaScript. The JSON data modified the content of labels, causing the graphie renderer...
IBM: Exposed Logs and Bearer Tokens on Test Endpoint
Exposed Logs and Bearer Tokens on Test Endpoint were reported to IBM, analyzed, and have been remediated...
Node.js: GOAWAY HTTP/2 frames cause memory leak outside heap
A memory leak could occur when a remote peer abruptly closed the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could have led to increased memory...
curl: information disclosure
Summary: web.archive.org website. The Wayback Machine is a website like Google search, but it saves all links. Wayback discloses URLs without users' permission; anyone can access them, maybe emails and passwords. They are notes that should be private, and you can see everything just by searching about random not...
Remitly: [CRITICAL] 0-Click Account Takeover via Password Reset [AUTH-3243] /orchestrator/v1/password_reset/start
The vulnerability discovered allows an attacker to reset the password of a victim's account without requiring any user interaction or special privileges. By intercepting the password reset request and modifying it with the victim's session data, the attacker can successfully take over the account...
curl: netrc crlf injection
Summary: curl allows CR and LF characters to be encoded in login and password netrc fields. This allows an attacker who can affect the contents of the netrc entry to inject FTP commands by injecting CRLF into the login or password. POP3 is likely affected as well, but hasn't been tested. The only...
IBM: SQL injection identified on IBM endpoint.
SQL injection vulnerability was identified on an IBM endpoint. The issue was reported to IBM, analyzed, and remediated...
Mars: Customer Data Exposure via Insecure Endpoint of coupon
A security vulnerability was identified in the Royal Canin Greece website. An insecure API endpoint was exposed that allowed unauthorized access to customer information without requiring authentication. The endpoint related to coupon functionality and revealed sensitive customer data, including...
Mars: change part of personal information all users
The report describes a vulnerability in the ██████████ website, where unauthorized access to an API endpoint allowed attackers to add new users and modify personal information of existing users. The vulnerability was classified as Improper Access Control. The issue stemmed from the absence of...
Mars: Users Data Exposure via Insecure Endpoint
An insecure endpoint on the Mars Royal Canin website exposed sensitive customer information without proper authentication. Personal data, including full names, phone numbers, email addresses, physical addresses, and postal codes, was accessible through a simple API endpoint that could be accessed...
curl: CVE-2024-11053: netrc + redirect credential leak
CVE-2024-11053 was a logic flaw in Curl that resulted in a credential leak during redirects. The issue was caused by the way Curl processed netrc credentials when performing redirects. Under certain conditions, the redirect passed along credentials specified for the original host to the redirecti...
Mars: unauthorized access and add user and change personal information all users
The report describes a vulnerability in the ██████████ website, where unauthorized access to an API endpoint allowed attackers to add new users and modify personal information of existing users. The vulnerability was classified as Improper Access Control. The issue stemmed from the absence of...
Localize: open redirected by host header
An Open Redirect vulnerability occurs when an application allows users to be redirected to an external, untrusted URL without validating the redirection target. By controlling the Host header and observing a redirection to the specified external site, you may have found an open redirect...
Internet Bug Bounty: Apache Airflow: Sensitive Information Exposure in DAG Run Logs
The Apache Airflow platform was vulnerable to sensitive information exposure in DAG run logs. Passwords, secrets, and the Fernet key were logged in plain text, which could have resulted in the disclosure of this sensitive information to unauthorized users...
Internet Bug Bounty: Secrets not masked in UI when sensitive variables are set via Airflow cli
A vulnerability was discovered in Apache Airflow where sensitive variables set using the Airflow CLI were not properly masked in the UI, specifically in the Audit logs page. This issue was addressed in the 2.10.3 release of Apache Airflow...
curl: Buffer overflow in strcpy
Vulnerability description not provided...
curl: Exploitable Format String Vulnerability in curl_mfprintf Function
Vulnerability description not provided...
Basecamp: Mutation Based Stored XSS on Trix Editor version latest (2.1.8)
A vulnerability was discovered in the Trix Editor version 2.1.8 where a mutation-based stored cross-site scripting (XSS) attack was possible. The vulnerability could be exploited by crafting a malicious payload that, when copied and pasted into the editor, would trigger the execution of arbitrary...
Sorare: Insufficient input verification leads to DoS and resource consumption
The vulnerability affects the API endpoint at api.sorare.com/api/v1/users/, where insufficient input verification of the email parameter was discovered. This allowed an attacker to submit an excessively long email, causing the server to become unresponsive and return a 503 Service Unavailable...
MetaMask: Missing ^ Line Beginner Leads to Origin Spoofing
The vulnerability was identified in MetaMask's regex-based origin validation for endowments. Due to a missing caret ^ anchor at the beginning of the regex pattern, origin spoofing was possible. This oversight allowed malicious domains to be treated as trusted, bypassing intended security...
Trellix: Unauthenticated Path Traversal and Command Injection in Trellix Enterprise Security Manager 11.6.10
A critical vulnerability was identified in Trellix Enterprise Security Manager (ESM) version 11.6.10. The vulnerability allowed unauthenticated access to internal API endpoints through path traversal and enabled remote code execution via command injection. The issue stemmed from insecure AJP proxy...
Node.js: Improper error handling in async cryptographic operations crashes process
The C++ method SignTraits::DeriveBits incorrectly called ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process...