New Relic: NRQL Query allows restricted user to pull all data from Synthetics monitors without having read permissions enabled
@jonbottarini identified an issue where our permissions for Synthetics didn't match the permissions elsewhere in our product. This eventually led to a change in our underlying permissions code to unify our products and prevent issues like this...
Shopify: App messaging can be hijacked by third-party websites
The JavaScript code at https://cdn.shopify.com/s/assets/admin/index-c6e72fa910cd0182ab1d1e67ff823fb2e6ca61745c00797769410ce01aafc4d8.js installs a message event listener to receive messages from installed apps when these apps are displayed in a frame. The following check rejects invalid event...
Mail.ru: Stored XSS in email
XSS in message composer if user replies to malformed message...
Ruby: OpenSSL::X509::Name Equality Check Does Not Work, Patch included
When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects will return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the fir...
MyEtherWallet: Development configuration file https://myetherwallet.com/
Vulnerability description A configuration file e.g. Vagrantfile, Gemfile, Rakefile, ... was found in this directory. This file may expose sensitive information that could help a malicious user to prepare more advanced attacks. It's recommended to remove or restrict access to this type of files fr...
Mail.ru: [evo2.my.com] Internet Explorer XSS
Browser-specific XSS via GET parameters in evo2.my.com. evo2.my.com is not currently covered by the bug bounty program...
GSA Bounty: [idp.fr.cloud.gov] Open Redirect
Description: Open Redirect Domain: idp.fr.cloud.gov Steps To Reproduce: Open URL: https://idp.fr.cloud.gov//blackfan.ru/..;/css HTTP Response HTTP/1.1 302 Found ... Location: //blackfan.ru/..;/css/ ... Impact A web application accepts a user-controlled input that specifies a link to an external...
HackerOne: Private program policy page still accessible after user left the program
Hi Team, Summary: I have found a critical sensitive information disclosure. I'm not sure if this is a result of a new HackerOne UI update; I observed that some of the UI has been changed, such as Hacktivity etc. BUG: Now all private program policy pages, together with the updates, are visible to me...
Node.js third-party modules: [flintcms] Account takeover due to blind MongoDB injection in password reset
I would like to report a privilege escalation vulnerability in flintcms. It allows resetting a known user's password, extracting their password reset token and resetting their password to then access the account. Module module name: flintcms version: v.1.1.9 npm page: https://www.npmjs.com/package/flintcms...
Chaturbate: Login form on non-HTTPS page on http://stream.highwebmedia.com/auth/login/
Dear Team, Summary A page at http://stream.highwebmedia.com/auth/login/ is not fully protected by an SSL certificate. This could allow an attacker in a Man-in-the-Middle position to obtain usernames and passwords of users visiting the site. Note the warning in screenshot 1: Firefox has identifi...
Rocket.Chat: Slack Token exposed over internet (Github)
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: Slack token is...
Semmle: Email Not Completely Deleted after Deleting an account
Description: If one of the users deletes their account, it should be fully deleted, but Semmle doesn't delete it completely. Steps To Reproduce: Register email1. After registering, confirm your account. Once email1 is confirmed, add another email, which we will name email2. Now verify th...
Augur: Augur UI data can be completely replaced by an attacker which can lead to fund and reputation loss
Summary: A third party attacking site can fake UI data - markets, categories and other Description: A third party site can include a hidden iframe which can override "augur-node" configuration variable of a running augur application. This variable is persisted in localStorage. In the case of...
Ubiquiti Inc.: Reflected XSS in Nanostation Loco M2 - AirOS ver=6.1.7
AirMax XW.v6.2.0 and prior contain multiple endpoints with parameters vulnerable to reflected cross-site scripting (XSS), allowing attackers to abuse the user's session information and/or take over the admin user's account. These vulnerabilities were found on AirMax AirOS v6.2.0 and prior...
New Relic: [NR Alerts] Internal API exposes Synthetics monitor details to a restricted user without view monitor permissions
This bug requires a bunch of pre-setup and a few conditions to make it work, but I'll do my best to write it out without making this a novel. You will need: 1. An account that is an admin 2. An account that is a "Restricted" user, without any Synthetics permissions, so it can't view monitors, can't edit...
Chaturbate: Users may still be able to view chat room panel of password protected rooms
The hacker found that the chat room panel could be accessed without the user having the room password. This was resolved. An attacker may be able to view a password-protected chat room panel by requesting the API endpoint for the room panel. It discloses information depending on what app they use...
Chaturbate: Reflected XSS on ssl-ccstatic.highwebmedia.com via player.swf
Hey there, There's a SWF-based XSS on ssl-ccstatic.highwebmedia.com. You may want to update/remove the file. POC https://ssl-ccstatic.highwebmedia.com/jwplayer/player.swf?playerready=alert(document.domain) Thanks, Ben Impact...
Chaturbate: CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS
Hi there, There's a CSS injection here: https://chaturbate.com/embed/admin/?bgcolor=%7D%7Bbackground:red&tour=nvfS&disablesound=0&campaign=iNSGX body, divmain, div.content, div.block, div.section margin: 0px; padding: 0px; body min-width:800px; div.content width: 100%; body background:...
Slack: Bypass of the SSRF protection in Event Subscriptions parameter.
The vulnerability is present in the "Event Subscriptions" parameter where: "Your app can subscribe to be notified of events in Slack for example, when a user adds a reaction or creates a file at a URL you choose. ". URL: https://api.slack.com/apps/YOUAPPCODE/event-subscriptions? When we add a sit...
MariaDB: xmlrpc.php on mariadb.org can lead to DDOS and brute force attacks
XMLRPC was enabled and accessible on our website. Since we don't need any of the functionality provided by the Wordpress XMLRPC protocol, we were already trying to block XMLRPC requests to our site via our web server configuration, however, due to a syntactic error our enforcing rule did not appl...
VK.com: Bypass User Interaction to initiate a VoIP call to Another User
Initialization of a call by a third-party application...
Chaturbate: CSV Injection with the CSV export feature
Hi there, hope you are well. The "Download as a CSV" feature does not properly "escape" fields, so that particular field is vulnerable to CSV injection. Steps of POC Step 1: Go to any chat room, donate any token to someone, and in the note insert =4+4. Step 2: Now go to this link and download...
Vanilla: [allhiphop.vanillacommunities.com] XSS Request-URI
Summary: Reflected XSS via Request-URI for Internet Explorer. Steps to reproduce: 1. Open the URL in Internet Explorer (tested on IE 11): https://blackfan.ru/x?r=https://allhiphop.vanillacommunities.com/xxx%22-alert(document.domain)-%22xxx/%252e%252e/ blackfan.ru/x - a simple redirection script that is...
Mail.ru: [rm.mail.ru] Request-Path XSS
Reflected XSS via GET parameters. rm.mail.ru is not covered by the bug bounty program...
New Relic: Missing security best practices (leads to further impact)
Vulnerabilities: 1. Use of old passwords is possible: the current password can be used as the new password. 2. An email notification is not sent to the linked mail account while changing passwords. Steps to reproduce the two issues: create an account with a password, for example badcracker@123, change the password to...
Open-Xchange: stored XSS in calendar via upload filename
Reproduce steps: 1. Access the URL https://sandbox.open-xchange.com/appsuite/app=io.ox/calendar/scheduling 2. Create an appointment 3. Upload a file whose file name carries the payload '"<img src=x onerror=alert(document.domain)>.svg' 4. Access...
Chaturbate: Rate limit missing at room login
Hello there, Users are able to protect their broadcast with a password, so only visitors granted the password can log in to the broadcast room. I noticed that rate limiting is missing at the endpoint /roomlogin/user/, which enabled me to brute force the password field. I made 1k+ requests but still the server did not blo...
Chaturbate: Homograph attack on redirect URL
Hello Team, There is no homograph protection on the redirect URL. URL: https://m.chaturbate.com/externallink/?url=http://ebаy.com In a homograph attack, basically the attacker may be able to inject some malicious script with a URL. Here I made a homograph link for ebay.com; when a normal user sees this link it lo...
WordPress: Open API For Username enumeration
We can do username enumeration. Reproduce: 1. Go to any WordPress site. 2. www.site.com/?author=1 (type ?author=1 at the end of the site URL) 3. You will get www.site.com/author/admin; now, admin is the username of the login panel of that site. Thanks, Sameer Phad Impact -...
Chaturbate: Add non-existent room moderator
Description A broadcaster can add or remove a non-existent user as a moderator. This is submitted using the testbed as it wasn't possible to initiate a broadcast on the production site. Steps 1. As a broadcaster add a moderator to the broadcast attachment 1. 2. Observe the request sent to the...
Chaturbate: Blind SSRF on image proxy camo.stream.highwebmedia.com
The hacker discovered that our secure image proxy camo.stream.highwebmedia.com could be used to access https endpoints on internal ips. The application was patched to not allow access to internal ips. In this case these servers are in a separate cluster with no access to other services so possibl...
Chaturbate: Homograph attack on redirect URL (https://chaturbate.com/external_link/?url)
Hi There, Hope you are doing good. As I was just playing around with chaturbate.com I found that you guys do not have a proper configuration against malicious script injection on the website. In a homograph attack, basically the attacker may be able to inject some malicious script with a URL. Here I made a homograph...
Nextcloud: Missing SPF flags for customerupdates.nextcloud.com
Hey, I just checked for SPF records for the customerupdates.nextcloud.com domain, and there are none. The fake message reaches the inbox from this domain. Not spam. You can validate by testing yourself here: http://www.kitterman.com/spf/validate.html This subdomain too: update.nextcloud.com Impac...
Vanilla: jsConnect Plugin: Takeover of existing account
Description ----------- The current version 1.5.5 of the official jsConnect plugin allows the takeover of an existing account that wasn't created using SSO - e.g. a previously existing admin user - by registering an account with the same name using SSO. A successful attack requires one request to ...
Node.js third-party modules: http-live-simulator npm module is prone to path traversal attacks
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report Path Traversal...
LocalTapiola: F5 BigIP Backend Cookie Disclosure
Basic report information Summary: The same issue was reported on www.myynti.lahitapiolarahoitus.fi by another reporter, and it was fixed there. But when I tested the same issue on lahitapiolarahoitus.fi, it is also causing leakage of information. Description: I just identified F5 BigIP load balancers...
New Relic: stamp2-azure-ext.newrelic.com is vulnerable to MS12-020
Hi security team member, On stamp2-azure-ext.newrelic.com, Windows Server 2008 is running, which is vulnerable to MS12-020. F322944 Steps to reproduce To demonstrate the exploit, the server will shut down. 1- Download the attached file with the name MS12-020.rb 2- Run the below command in a terminal ruby...
Mail.ru: [target.my.com] CRLF Injection -> XSS
CRLF injection via GET parameters in target.my.com. target.my.com is not currently covered by the Bug Bounty program...
Internet Bug Bounty: DoS for HTTP/2 connections by crafted requests (CVE-2018-1333)
mod_http2 can be tricked by specially crafted requests to hold server resources longer than necessary. A simple demonstration of this for a server with h2c enabled is as follows: for x in seq 0 500; do echo...
Chaturbate: Stored XSS against all Chaturbate users using an application name
The hacker discovered that the tooltip on the app page did not protect against XSS attack in the application name. We quickly resolved this issue. The impact for a new attacker was limited as they would only appear under new apps. This vulnerability was discovered using a simple XSS payload in th...
LocalTapiola: User Information Disclosure via the REST API - /?_method=GET
Basic report information Summary: Browser access to www.lahitapiolarahoitus.fi/wp-json is restricted for the general public, but it is still accessible, through which user information is leaked. Description: By default WordPress allows public access to the REST API to get information about all users...
Internet Bug Bounty: linkinfo - open_basedir bypass on Windows PHP
Upstream bug - windows linkinfo lacks open_basedir check === https://bugs.php.net/bug.php?id=76459 Summary == Description: ------------ The linkinfo function on Windows doesn't implement the open_basedir check, as can be seen by reviewing the source code. This could be abused to find files on paths outside...
Vanilla: Bypassing the Trusted Link Alert System
Summary: I have discovered a means of bypassing the system that will alert users of an untrusted link, utilizing the Right-to-Left Override unicode character. The alert looks like this: https://i.imgur.com/9rp1K7b.mp4 Description: For this demonstration, I have added "facebook.com" to the trusted...
Rocket.Chat: XSS (stored) Wizard is saving executable code
issue: xssstored Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The stored input is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run...
Internet Bug Bounty: Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
This bug was reported to PHP last month and a fix was made public last week: https://bugs.php.net/bug.php?id=76423 Heap overflow in exif_thumbnail_extract of exif.c. This vulnerability can be triggered by exif_read_data on any 32-bit system. exif.c:2947: if (ImageInfo->Thumbnail.offset +...
Mail.ru: Possible to Upload Local Arbitrary Private File to the Cloud against User's Will
Unchecked permission in file sharing functionality could allow malicious application user-assisted access to arbitrary file in Mail.Ru Cloud android application...
U.S. Dept Of Defense: SQL Injection vulnerability located at ████████
Summary: I have found a SQL Injection at ███████ in the ████ Portal. Description: The SQL injection is being caused by the unsanitized parameter itemID=. I immediately stopped testing when I verified it was possible to get the current user and version of the database. 1. The vulnerable URL is:...
GSA Bounty: Redirect on authorization allows account compromise
Login.gov had a bug in validating the redirect_uri in the /openid_connect/authorize endpoint, which allowed specially crafted subdomains to be incorrectly validated when they began with a valid hostname. For example, a redirect_uri with a hostname of agency.gov.example.com would validate a URL as if...
Zomato: Phishing user to download malicious app could lead to leakage of User Access Token, Email, Name and Profile photo via exported RemoteService
Thanks @shivasurya for helping us keep @zomato secure: One of the service components in the Zomato Android app was open to bind a service connection (AIDL). So, if an attacker had phished a user into downloading a malicious app, it could have led to leakage of the user's access token, which leads...
GitLab: Stored XSS on Issue details page
Summary: The detail page of an Issue (the page that provides the content of an Issue) is vulnerable to Stored XSS. Description: The two exploits are via the function of submitting an issue or the function of editing an issue. This vulnerability is reproduced in Firefox and Chrome. IE11 and Edge are not. ...