HackerOne Recent

15278 matches found

Hacker One
added 2018/08/06 11:41 a.m., 26 views

Node.js third-party modules: Command Injection Vulnerability in win-fork/win-spawn Packages

I would like to report a command injection vulnerability in win-fork and win-spawn packages. It allows an attacker to inject multiple commands in exec-like manner. Module module name: win-spawn version: 2.0.0 npm page: https://www.npmjs.com/package/win-spawn npm page:...

AI score: 0.8
Exploits: 0
Hacker One
added 2018/08/06 10:57 a.m., 47 views

Node.js third-party modules: Command Injection Vulnerability in libnmap Package

I would like to report a command injection vulnerability in libnmap. It allows an attacker to inject arbitrary OS commands instead of a valid network range to be scanned. Module module name: libnmap version: 0.4.11 npm page: https://www.npmjs.com/package/libnmap Module Description API to access...

CVSS: 10, AI score: 1.4, EPSS: 0.01417
Exploits: 1
Hacker One
added 2018/08/06 10:40 a.m., 46 views

Node.js third-party modules: Prototype Pollution Vulnerability in mpath Package

I would like to report a prototype pollution vulnerability in mpath. It allows an attacker to inject arbitrary properties on Object.prototype. Module module name: mpath version: 0.4.1 npm page: https://www.npmjs.com/package/mpath Module Description G,Set javascript object values using MongoDB-like...

CVSS: 5, AI score: 0.5, EPSS: 0.00186
Exploits: 1
Hacker One
added 2018/08/06 10:32 a.m., 11 views

Node.js third-party modules: Prototype Pollution Vulnerability in noble Package

I would like to report a prototype pollution vulnerability in noble. It allows attackers to pollute the Object.prototype object of an application running noble, possibly through Bluetooth. Module module name: noble version: 1.9.1 npm page: https://www.npmjs.com/package/noble Module Description A...

AI score: 0.7
Exploits: 0
Hacker One
added 2018/08/06 10:19 a.m., 46 views

Node.js third-party modules: Command Injection in ps Package

I would like to report a command injection in the ps package. It allows an attacker to inject arbitrary OS commands instead of PID numbers. Module module name: ps version: 0.0.2 npm page: https://www.npmjs.com/package/ps Module Description A Node.js module for looking up running processes. Module Stats ...

CVSS: 7.5, AI score: 1.1, EPSS: 0.03492
Exploits: 0
Hacker One
added 2018/08/06 10:10 a.m., 37 views

Node.js third-party modules: Prototype Pollution Vulnerability in cached-path-relative Package

I would like to report a prototype pollution attack in cached-path-relative. It allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain. Module module name: cached-path-relative version: 1.0.1 npm page:...

CVSS: 5, AI score: 0.8, EPSS: 0.00519
Exploits: 0
Hacker One
added 2018/08/05 4:34 p.m., 11 views

Nextcloud: Stored XSS on scan.nextcloud.com

The scan.nextcloud.com engine fetches a 'status.php' content in order to extract some version number as well as installed flavors. While scanning a website, the following API-wise cinematic happens : POST https://scan.nextcloud.com/api/queue twice, gives the UUID GET...

AI score: 6.3
Exploits: 0
Hacker One
added 2018/08/05 10:40 a.m., 16 views

Revive Adserver: Open redirect in switch account functionality

To reproduce this vulnerability: 1. You have to be a logged-in user 2. Enter address: http:///www/admin/account-switch.php?returnurl=http://127.0.0.1:12345/test This is due to an unrestricted redirection URL passed in the returnurl parameter. I would recommend using some kind of whitelisting or a...

CVSS: 5.8, AI score: 0.6, EPSS: 0.00161
Exploits: 1
Hacker One
added 2018/08/05 6:31 a.m., 28 views

Node.js third-party modules: [ascii-art] Command injection

I would like to report a command injection vulnerability in the ascii-art npm module. It allows arbitrary shell command execution through a maliciously crafted command line argument. Module module name: ascii-art version: 1.4.3 npm page: https://www.npmjs.com/package/ascii-art Module Description...

AI score: 1.3
Exploits: 0
Hacker One
added 2018/08/04 4:53 p.m., 71 views

New Relic: DNS misconfiguration on email.alerts.newrelic.com

While checking the subdomains I found that the subdomain email.alerts.newrelic.com, upon navigating to it, downloads a file saying "Mailgun Magnificent API" and has the following DNS info (screenshot attached). The problem lies in this issue: You add the domain email.alerts.newrelic.com to Mailgun Mailgun...

AI score: 0.3
Exploits: 0
Hacker One
added 2018/08/04 1:51 p.m., 26 views

Monero: Stack Overflow in JSON RPC Server

Summary: There is a stack overflow bug in jsonparser when parsing nesting objects. Description: Monero's json parser handled by epee libraries doesn't check object tree depth while parsing Steps To Reproduce: Up the service bash monerod run bash python2 poc.py backtrace SUMMARY: AddressSanitizer:...

AI score: 2.6
Exploits: 0
Hacker One
added 2018/08/04 8:13 a.m., 36 views

Valve: Reflected XSS on help.steampowered.com

URL: https://help.steampowered.com/en/wizard/HelpWithGameIssue/?appid=704740&issueid=125&option=%3Ch1%3Eunfiltered It puts option option into a translation token HelpGameMissingItemsTitleuser controlled string here And if there's no such translation token, it just prints out the entire user input...

AI score: 1
Exploits: 0
Hacker One
added 2018/08/04 3:53 a.m., 14 views

Uber: Reflected XSS on https://www.uber.com

By getting an authenticated victim to visit a malicious website, an attacker can cause that victim to execute arbitrary JavaScript in the context of the uber.com domain. More details here: https://medium.com/@saamux/applying-a-small-bypass-to-steal-facebook-session-tokens-in-uber-5b9638b7a18c...

AI score: 1.4
Exploits: 0
Hacker One
added 2018/08/03 11:06 p.m., 17 views

Brave Software: Local files reading from the "file://" origin through `brave://`

Summary: Sadly, fix for 390013 works only for web. Loading brave:// from the file:// origin allows reading local files on the device. I said that fix could be insufficient 😈 file:// and brave:// both are local origins. That means it's possible to access brave:// from file:// and vice versa...

AI score: 6.8
Exploits: 0
Hacker One
added 2018/08/03 10:44 p.m., 127 views

U.S. Dept Of Defense: SOAP WSDL Parser SQL Code Execution

Summary: SOAP WSDL Parser SQL Code Execution Description: It was possible to parse WSDL resources and read all functions from the SOAP Admin Panel, therefore I was able to repeat the SQL query with a tampered request with my own custom SQL command. I was able to extract all the database names for...

AI score: 1.9
Exploits: 0
Hacker One
added 2018/08/03 2:58 p.m., 21 views

Uber: Reflected XSS on Partners Subdomain

There was a reflected cross site scripting vulnerability at https://partners.uber.com/. By providing a specifically crafted value, it was possible for an attacker to inject malicious content into the partners.uber.com site, which would then be executed when the site is loaded. We enjoyed working...

AI score: 1.1
Exploits: 0
Hacker One
added 2018/08/03 10:44 a.m., 41 views

VK.com: Learning several digits of a user's phone number (SMS flooding possible) after learning their remixsid and user ID just once, and setting users to offline.

Insufficient session checks. It was possible to learn part of a user's phone number and send them an SMS with a link to the app https://vk.com/mobile after learning their remixsid just once, regardless of how many times their sessions had been reset. The oldest remixsid still valid for this purpose dated back to May 2016...

AI score: 6.9
Exploits: 0
Hacker One
added 2018/08/03 2:40 a.m., 15 views

Brave Software: Local files reading from the web using `brave://`

Summary: brave:// protocol was introduced as a replacement for AsarProtocolHandler or something like that in brave/muon after 375329. However, the fix for 375329 introduced a new, much more severe bug that allows reading files from a user's device from the web. PoC is similar to 375329, but it uses brave://...

Exploits: 0
Hacker One
added 2018/08/02 9:33 p.m., 30 views

Shipt: Subdomain takeover at segway.shipt.com

A security researcher identified a stale DNS record that pointed to a legacy 3rd party service. This allowed for a subdomain takeover, which the researcher provided a well written and detailed Proof of Concept POC. Shipt's security team acted immediately to validate the vulnerability and remove t...

AI score: 1.2
Exploits: 0
Hacker One
added 2018/08/02 12:13 p.m., 48 views

HackerOne: TeamProfile exposes partially sensitive information through GraphQL

I noticed there is new field teamprofile added and using the graphql below the latest serious report and reports received in three months were exposed "query":"query Dashboardreportseveritybreakdowntable$first0:Int! \n query \n id,\n ...F0\n \n\nfragment F0 on Query \n...

AI score: 0.1
Exploits: 0
Hacker One
added 2018/08/02 11:35 a.m., 21 views

Upserve : [theacademy.upserve.com] Reflected XSS Query-String

Steps To Reproduce: Open URL in FireFox: https://theacademy.upserve.com/roles/?%22%3E%3Cscript//src=data,alertlocation// HTTP Request http GET /roles/?%22%3E%3Cscript//src=data,alertlocation// HTTP/1.1 Host: theacademy.upserve.com HTTP Response html Name Views Duration Impact Reflected XSS...

AI score: 0.3
Exploits: 0
Hacker One
added 2018/08/02 10:47 a.m., 124 views

Node.js third-party modules: Code Injection Vulnerability in zombie Package

I would like to report a code injection vulnerability in zombie. It allows crawled websites to access privileged APIs such as the file system or child process. Module module name: zombie version: 6.1.2 npm page: https://www.npmjs.com/package/zombie Module Description Insanely fast, headless...

AI score: 0.7
Exploits: 0
Hacker One
added 2018/08/02 9:38 a.m., 26 views

Node.js third-party modules: Command Injection Vulnerability in kill-port Package

I would like to report a command injection vulnerability in kill-port. It allows an attacker to inject arbitrary commands. Module module name: kill-port version: 1.3.1 npm page: https://www.npmjs.com/package/kill-port Module Description Kill the process running on given port Module Stats 5,282...

CVSS: 9.3, AI score: 1, EPSS: 0.00514
Exploits: 1
Hacker One
added 2018/08/01 9:44 p.m., 36 views

Starbucks: Backup Source Code Detected

Impact Depending on the nature of the source code disclosed, an attacker can mount one or more of the following types of attacks: • Access the database or other data resources. With the privileges of the account obtained, attempt to read, update or delete arbitrary data from the database. • Access...

AI score: 0.6
Exploits: 0
Hacker One
added 2018/08/01 2:09 p.m., 11 views

U.S. Dept Of Defense: IDOR

Summary: IDOR Description: By changing the value in the parameter █████████= from my own account █████ to something else such as ████████ it is possible to see barcode and expiration date of other ████ without their consent. Impact Information Disclosure Step-by-step Reproduction Instructions 1...

AI score: 0.6
Exploits: 0
Hacker One
added 2018/08/01 5:20 a.m., 13 views

Shipt: Sensitive Clickjacking on admin login page.

A researcher identified that the 3rd party hosted login page for an externally-facing company tool is externally frameable and therefore potentially a vector for clickjacking...

AI score: 1.4
Exploits: 0
Hacker One
added 2018/08/01 2:13 a.m., 5 views

U.S. Dept Of Defense: ███ exposes sensitive shipment information to public web

Summary: A subdomain of the ██████████ site exposes sensitive shipment information to the public web at ███/█████downloads/xferfak. Although I haven't been able to find too much info about this, it seems to be fairly sensitive and updated daily, containing over 500,000 lines just for 07/30/18...

AI score: 0.1
Exploits: 0
Hacker One
added 2018/08/01 1:12 a.m., 158 views

Grammarly: Handling of `tracking` command allows making arbitrary blind requests with user's cookies from Grammarly Extension's origin

Summary: Attacker could trigger Grammarly extension's gnar.fetch command using a crafted page to perform XHR with cookies and any configurational params to any cross-origin resource. Description: Page could Init Grammarly popup editor no user gesture, helper Events have isTrusted property, which...

AI score: 0.1
Exploits: 0
Hacker One
added 2018/07/31 10:00 p.m., 13 views

Uber: [experience.uber.com] Node.js source code disclosure & anonymous access to internal Uber documents, templates and tools

A configuration file on experience.uber.com exposed details for the server configuration as well as information about the content hosted on the site. The site itself did require authentication to log in, but this config file was publicly accessible. Other accessible URLs included slide deck...

AI score: 1.3
Exploits: 0
Hacker One
added 2018/07/31 9:52 p.m., 7 views

Grammarly: `open-url` command allows opening unlimited number of tabs pointing to arbitrary URLs

Summary Attacker could trigger Grammarly extension's open-url command to open any number of tabs pointing to any origin including internal, e.g. chrome:// and cause "infinite Chrome DoS" if attacker's page is pinned. Description Page could Init Grammarly popup editor no user gesture, helper Event...

AI score: 0.2
Exploits: 0
Hacker One
added 2018/07/31 1:54 p.m., 35 views

Node.js third-party modules: [egg-scripts] Command injection

I would like to report a command injection vulnerability in egg-scripts. It allows arbitrary shell command execution through a maliciously crafted command line argument. Module module name: egg-scripts version: 2.6.0 npm page: https://www.npmjs.com/package/egg-scripts Module Description "deploy...

CVSS: 10, AI score: 1.2, EPSS: 0.10005
Exploits: 1
Hacker One
added 2018/07/31 6:27 a.m., 29 views

Mail.ru: [info.tmgame.mail.ru] Apache Server Status

Open Apache Server Status in info.tmgame.mail.ru tmgame.mail.ru is not currently covered by Bug Bounty program...

AI score: 1.7
Exploits: 0
Hacker One
added 2018/07/31 6:15 a.m., 11 views

New Relic: [NR Insights] Data app permissions setting does not fully prevent other users from modifying/changing data related to your data app

In NR Insights, there is the ability to set permissions for the data app itself. It's located here: F326634 Now, in this section, if a user creates a new data app and sets the permissions to "visible to others within my account" it essentially provides read-only access to the data app and its...

AI score: 6.7
Exploits: 0
Hacker One
added 2018/07/31 5:47 a.m., 33 views

Homebrew: GitHub API Key for BrewTestBot is publicly exposed

Hello! While browsing through some old reports, I found that https://jenkins.brew.sh was publicly accessible. I got curious when I saw one of the brew bottle builds doing a git push to BrewTestBot/homebrew-core, and wondered if the credentials to make authenticated pushes were accessible. Sure...

AI score: 7
Exploits: 0
Hacker One
added 2018/07/30 10:20 p.m., 51 views

Starbucks: Subdomain takeover on wfmnarptpc.starbucks.com

Hello, this is a pretty serious security issue in some context, so please act as fast as possible. Overview: One of the starbucks.com subdomains is pointing to Azure, which has an unclaimed CNAME record. ANYONE is able to own a starbucks.com subdomain at the moment. This vulnerability is called subdomai...

AI score: 0.6
Exploits: 0
Hacker One
added 2018/07/30 6:31 p.m., 13 views

Shipt: Price manipulation via fraction values (Parameter Tampering)

A security researcher identified an issue in our member application that showed how a user's cart would accept fractional quantities of any item; irrespective of whether or not the item was capable of being in a 'fractional' state e.g. fractional quantities were being accepted for a half pound of...

AI score: 0.2
Exploits: 0
Hacker One
added 2018/07/30 5:57 p.m., 17 views

U.S. Dept Of Defense: ████ █████ exposes highly sensitive information to public

Summary: www.██████ is a system used by ██████ for vendors to upload details of their technology for review by ███. Due to an insecure direct object reference vulnerability, all vendor uploads are accessible to the public, without authentication. This includes Unclass//FOUO documents, documents...

AI score: 6.7
Exploits: 0
Hacker One
added 2018/07/30 4:26 p.m., 1070 views

Pornhub: CSRF Full Account Takeover - https://redtube.com/settings

The researcher was able to perform account takeover by exploiting a vulnerability within 'User Settings' where the form was not protected by a CSRF token. An attacker could take over any user account :...

AI score: 1.2
Exploits: 0
Hacker One
added 2018/07/30 4:06 p.m., 21 views

Nextcloud: Self xss

Hello, I found self XSS on your main domain. I'm sending details and I attached a PoC video. Pls open https://nextcloud.com/about/ Use Burp Suite and activate intercept. Refresh this URL. And pls add this payload to your URL. "alert205'"nextcloud.com Pls click intercept off and the page refreshes. Now you see...

AI score: 0.4
Exploits: 0
Hacker One
added 2018/07/30 3:04 p.m., 83 views

Nextcloud: Access control issue -- [Allow file system access not validated when using session auth]

1. Obtain an App Token 2. Check that you can access the files with this token and save the cookies 3. Revoke filesystem access for this token 4. See that you can still access the files when using the cookies At step 4, access to the files should also be forbidden...

CVSS: 5.5, AI score: 3.2, EPSS: 0.00119
Exploits: 0
Hacker One
added 2018/07/30 2:35 p.m., 27 views

Open-Xchange: Stored XSS in Email attachment file name

How to reproduce -- - send the victim an email with an attachment - intercept the request - change the file name to this payload "b" - when the victim moves the mouse over the attachment, an XSS pop-up appears Impact An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to...

AI score: 2.1
Exploits: 0
Hacker One
added 2018/07/30 3:35 a.m., 20 views

Eobot: XSS on link in eobot account page

There is an XSS flaw in the account profile page https://eobot.com/user/userid which can execute JavaScript when a victim clicks one of the social media links listed in the personal information section of the web page. After some research I found that when a user inputs a Twitter link into their...

AI score: 0.6
Exploits: 0
Hacker One
added 2018/07/29 1:01 p.m., 57 views

WordPress: Account takeover vulnerability by editor role privileged users/attackers via clickjacking

Vulnerability - Editor role privileged users are able to hack into others' accounts by exploiting a clickjacking vulnerability. Version- 4.9.7 Issue- https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/why-are-some-users-allowed-to-post-unfiltered-html As mentioned pe...

AI score: 0.6
Exploits: 0
Hacker One
added 2018/07/29 10:57 a.m., 26 views

VK.com: Checking whether an email and a phone number belong to a particular user / CSRF on phone number change for some users

Hash generation problem. CSRF on phone number change given the user's last name and login; the ability to match a phone number and an email as belonging to the same page...

AI score: 6.9
Exploits: 0
Hacker One
added 2018/07/29 10:19 a.m., 140 views

Chaturbate: Internal loop going to infinite for cb.setTimeout(func, msecs) for broadcast app.

Hi There, I am not sure whether this is a vulnerability for @chaturbate or not, but in my view I thought it can be vulnerable and an attacker can use this vulnerability for exploitation on the @chaturbate website as a normal user, so finally I decided to report. As I was just playing with the Broadcast app...

AI score: 7
Exploits: 0
Hacker One
added 2018/07/28 10:28 p.m., 23 views

VK.com: Hack (virus).. See who voted in an anonymous poll!!

Viewing participants in some anonymous polls...

AI score: 6.9
Exploits: 0
Hacker One
added 2018/07/28 1:03 a.m., 50 views

Shipt: Subdomain Takeover at test.shipt.com

A researcher identified a stale DNS record that pointed to an abandoned test Heroku instance. This allowed for subdomain takeover. This was not an actively used subdomain and was not linked in any of our production applications. Nonetheless, Shipt Security immediately addressed the issue and...

AI score: 0.3
Exploits: 0
Hacker One
added 2018/07/27 9:47 a.m., 66 views

Shopify: Admin bar: Incomplete message origin validation results in XSS

This issue is very similar to https://hackerone.com/reports/381192, identical logic in a different script. The JavaScript code at https://cdn.shopify.com/s/assets/storefront/bars/adminbarinjector-7461c2cab955bf9ef3df40acd10741df8c4e27c86d9dc323f65a4e786a1786f2.js loaded by the shop front when the...

AI score: 0.3
Exploits: 0
Hacker One
added 2018/07/27 12:00 a.m., 24 views

Versa Networks: Possible to change log level without authentication

In Versa Director, the unauthenticated request found...

CVSS: 5, AI score: 3.3, EPSS: 0.0019
Exploits: 0
Hacker One
added 2018/07/26 8:57 p.m., 29 views

Vimeo: Domain pointing to vimeo portfolio are prone to takeover using on-demand.

We thank @bugdiscloseguys for finding this issue. We were only checking on-demand to on-demand, but not on-demand to portfolio. Vimeo offers a service for pro users to add a custom domain under portfolios so that portfolios can be hosted on your subdomain. However, Vimeo offers the same feature for...

AI score: 2.1
Exploits: 0
Total number of security vulnerabilities: 15278