Vimeo: Reflected File Download (RFD) in download video
The researcher was able to craft a Reflected File Download during the re-download of a video previously uploaded...
Brave Software: Torrent extension: Cross-origin downloading + "URL spoofing" + CSP-blocked XSS
Summary: \378809 allows navigating to chrome-extension:// \378805 allows displaying alert windows on chrome-extension:// origin As I said in 378809, navigation to chrome-extension:// allows attacking dependencies/components of extensions. Brave has only 3 extensions installed by default w\o...
Brave Software: `alert()` dialogs on `chrome-extension://` origin (internal pages)
Summary: Navigation to chrome-extension from the web is possible with 378805 ftp:// - chrome-extension://. A blank page is created during navigation to chrome-extension:// origin. Blank pages have "This page" title. It's possible to initiate alert with a social-engineering content and "This page"...
Brave Software: Navigation to `chrome-extension://` origin (internal pages) from the web
Summary http and https pages are disallowed from navigating to chrome-extension:// origin. However, ftp protocol isn't checked. Pages from ftp:/// and file:/// origin could navigate to chrome-extension:// origin. Steps to reproduce: 1. Start ftp server sample ftp server attached, npm i ftpd && no...
ok.ru: Cisco ASA Denial of Service & Path Traversal (CVE-2018-0296)
Unpatched CVE-2018-0296 in test Cisco ASA instance enter-test.odkl.ru...
Mail.ru: [e.mail.ru] XSS in search
Reflected XSS in e.mail.ru via GET parameters Multiple reflected XSS in the mailbox via the search param Timeline: Friday, July 6 2018, 23:26 – reported Saturday, July 7 2018, 01:13 – triaged Saturday, July 7 2018, 11:12 – temporary fix Monday, July 23 2018, 14:25 – resolved...
Uber: Information Leak - GitHub - Endpoint Configuration Details
@peuch found a publicly available Github repository providing insight about security controls in place on Uber workstations. We enjoyed working with @peuch on this issue and look forward to their future submissions to our program...
HackerOne: Adding the same user who is already registered in the teams
Description: It is possible to add the same user who is already registered in the teams. Steps To Reproduce 1. Go to https://hackerone.com/teamname/teammembers 2. Observe the users' emails. 3. Use the same email as the one previously registered, but vary the capitalization ...
GitLab: Vulnerability in project import leads to arbitrary command execution
Summary: A filename regular expression could be bypassed and enable the attacker to create a symbolic link in the GitLab upload directory by importing a specially crafted GitLab export. Furthermore, GitLab is currently designed not to delete the project upload directory. So, the attacker could delete th...
HackerOne: HackerOne customer submitted sensitive link to VirusTotal, exposing confidential information
Hi There, Steps To Reproduce 1- open this site: https://www.virustotal.com//domain/hackerone.com ------------------------- 2- Then Go down to the end of this page and you will see this: ████ https://hackerone.com/reports/334677?invitationtoken=███████ -------------- 3- when i open it, i see this:...
Monero: A bug in the Monero wallet balance can enable theft from exchanges
Summary: A Monero bug already fixed in master allows theft from exchanges. This has been exploited against a Monero-derived coin, so the exploit may be underway currently. Description: fluffypony: Also please mention you spoke to me and I recommended you put it on HackerOne PR 3985 fixed a wallet...
VK.com: Obtaining the cache DB from the Android application via a third-party application
Viewing the application cache on Android...
Hiro: Can view all username leaked in https://core.blockstack.org
Hello team, This should be private hide all username who registered in blockstack.org the attacker can get the information of a user https://core.blockstack.org/v1/subdomains?page=10 i thought it is a demo users but i found my username in the list this should be private "demoaccount1.stealthy.id"...
VK.com: CVE-2018-0296
Path traversal...
Augur: A miner can manipulate the gas reporting bond
Not entirely confident I've understood this system correctly, apologies if it's wrong and feel free to stop reading if you run into an obvious mistake... Summary: add summary of the vulnerability By creating a market with themselves as designated reporter and setting a very high gas price for the...
U.S. Dept Of Defense: █████ - DOM-based XSS
Greetings, I've discovered a DOM-based XSS at ███ Proof of concept: 1. Go to https://████/█████████/home/troubleshoot.html?lang=en 2. In the username field, add the following code: --button/autofocus/onfocus=Function"confirm1";//name="XSS 3. The javascript code is correctly executed: ██████ Impac...
Brave Software: `settingcontent-ms` files lack "mark of the web" => execute code by double click in Downloads toolbar
Summary: settingcontent-ms files allow launching any binary with any parameters. Brave doesn't mark settingcontent-ms files with "mark of the web", so the file can be executed by double-clicking it in the "Downloads" toolbar. A launched settingcontent-ms file could lead to code execution with user-level...
ok.ru: Privacy violation for attachments in messages.
The vulnerability allowed unauthorized access to other users' file attachments with no ability to identify senders or recipients. The vulnerability allowed downloading...
ownCloud: Possible to steal any protected files on Android
Hi. I have found an issue which allows to retrieve any files from /data/data/com.owncloud.android/ directory. The problem is in exported activity com.owncloud.android.ui.activity.ReceiveExternalFilesActivity which accepts a URI to download files. I see that you've added verification path...
Mail.ru: molotok.m.mail.ru delegated to external entity
SDC bypass secure cookies access vulnerability in m.mail.ru due to subdomain name pointing to uncontrolled external host...
Mail.ru: Launch Any Activity in MyMail App
An exported activity in My.Com Mail application could be used to launch protected activities...
Stellar.org: Admin panel of https://www.stellar.org/wp-admin/
The https://www.stellar.org/wp-admin/ link has various operations which should not be accessible to an anonymous user. As the admin panel is accessible, an attacker can use this information in a targeted attack and can brute-force the username and password. On the other side, server information is easily...
Cloudflare: Private API key leakage due to lack of access control
The lack of access control on the https://mobilesdk.cloudflare.com/api/v1/ api allows for a remote attacker to access and steal a logged in user's private data. This can be done due to the lack of origin protection. An attacker can embed the config URI...
U.S. Dept Of Defense: █████ - DOM-based XSS
Greetings, I've discovered a DOM-based XSS at ██████ Proof of concept: 1. Go to https://███/█████/home/troubleshoot.html?lang=en&returnUrl=https://█████/███████/home/signin.html?returnUrl=https%3A//████/██████████/home/user.html 2. In the username field, add the following code:...
Tor: Potential IP revealing using UNC Path in Windows File Picker
Vulnerability description not provided...
VK.com: XSS vulnerability related to file uploads
XSS in documents...
Semrush: Post Based XSS On Upload Via CK Editor [semrush.com]
Summary: XSS Via Post Method When Upload via CKEditor Description: This XSS is execute by error message when upload some image on https://www.semrush.com/my-posts/api/image/upload/?CKEditor=text&CKEditorFuncNum=0&langCode=en Browsers Verified In: Firefox Steps To Reproduce: - This is POST based...
Brave Software: Local files reading using `link[rel="import"]`
Summary: HTML file could import another file using . Brave returns Access-Control-Allow-Origin: response header for local HTML files. That leads to local files reading. This vulnerability makes 369218 critical. Products affected: Brave: 0.23.19 V8: 6.7.288.46 rev:...
Brave Software: Cross-origin page stays focused before/after downloading + uninformative modal window for download
Summary: 1. Open twitter.com using window.open 2. Wait some time to finish page rendering 3. Change location of the opened page to any downloading 4. Download modal appears above the twitter.com The problem is that a user doesn't see what page exactly initiates downloading and what resourceURL wi...
Slack: The POODLE attack (SSLv3 supported) at status.slack.com
@cryptographer found that for some regions, status.slack.com supported an outdated cipher suite, which we've since updated. Thanks @cryptographer! nmap -sV --version-light --script ssl-poodle -p 443 IP...
U.S. Dept Of Defense: Partial PII leakage due to public set gitlab
Summary: ████████ allows you to explore the repos, snippets, etc. On the snippets we find a name+icon and some code information. This shouldn't be publicly exposed as an attacker may use it to perform further attacks Description: A configuration issue allows code and the name+icon of a user on the...
Slack: Private application files can be uploaded to Slack via malicious uploader
Hi. I have found an issue which allows to retrieve any files from /data/data/com.Slack/ directory. The problem is in exported activity com.Slack.ui.UploadActivity which accepts a URI to download files. I see that you've added verification java private static boolean isPrivateFileUri uri return...
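The ownCloud and Slack entries above describe the same pattern: an exported Android activity accepts a file URI, and a check on the path is meant to keep it out of /data/data/<package>/. The following Python is an added example, not code from either app, showing why a string-prefix check on the path as given fails against `..` segments and symlinks, and how resolving the real path first closes both. The directory layout and the file `session.xml` are constructed for the demo, and the assumption that the reported bypass used a traversal or symlink is mine, not something the snippets state.

```python
import os
import tempfile
from urllib.parse import unquote, urlparse


def naive_is_private_file_uri(uri: str, private_dir: str) -> bool:
    """The weak check: a string-prefix test on the path exactly as supplied."""
    return unquote(urlparse(uri).path).startswith(private_dir)


def is_private_file_uri(uri: str, private_dir: str) -> bool:
    """True when the URI must be refused because it points into private_dir.

    os.path.realpath collapses '..' segments and follows symlinks, so the
    comparison is made on the file the OS would actually open.
    """
    parsed = urlparse(uri)
    if parsed.scheme not in ("file", ""):
        # content:// and other schemes are opaque here; refuse rather than guess.
        return True
    real = os.path.realpath(unquote(parsed.path))
    base = os.path.realpath(private_dir)
    return real == base or real.startswith(base + os.sep)


def demo() -> dict:
    """Build a constructed /data/data layout under a temp dir and run both checks.

    Returns, for a symlink and for a '..' traversal, whether each check blocks it.
    """
    root = tempfile.mkdtemp()
    private_dir = os.path.join(root, "data", "data", "com.example.app")
    attacker_dir = os.path.join(root, "data", "data", "com.attacker")
    os.makedirs(os.path.join(private_dir, "shared_prefs"))
    os.makedirs(attacker_dir)

    secret = os.path.join(private_dir, "shared_prefs", "session.xml")
    with open(secret, "w") as fh:
        fh.write("<token>constructed-sample</token>")

    # Attacker-controlled inputs: a symlink inside the attacker's own directory
    # and a path that climbs out of that directory with '..'.
    link = os.path.join(attacker_dir, "innocent.jpg")
    os.symlink(secret, link)
    traversal = os.path.join(attacker_dir, "..", "com.example.app",
                             "shared_prefs", "session.xml")

    results = {}
    for name, path in (("symlink", link), ("traversal", traversal)):
        uri = "file://" + path
        results[name] = {
            "naive_blocks": naive_is_private_file_uri(uri, private_dir),
            "hardened_blocks": is_private_file_uri(uri, private_dir),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The same idea applies to a `content://` URI, but there the app must open the descriptor through the content resolver and inspect what it actually got; the example simply refuses those rather than pretending to handle them.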
Brave Software: Navigation to protocol handler URL from the opened page displayed as a request from this page.
Summary: Navigation to protocol handler URL from the page opened using window.open is considered as a request from the opened page. Example: 1. The page opens google.com 2. The page changes opened window's location to ssh://evil.com 3. Request to open ssh://evil.com URL displayed at google.com...
LinkedIn: Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com
This report was previously published on Medium.com/@JonathanBouman. Follow me on Twitter or Medium for new reports. F361972 Proof of concept Background In my previous report we learned more about a special type of the persistent XSS attack; the unvalidated oEmbed attack. This attack allows us to...
HackerOne: Content spoofing and potential Cross-Site Scripting vulnerability on www.hackerone.com
Summary: Hackerone.com using following script file https://js.driftt.com/include/1530431100000/hp9revvwkk62.js you can see the below script on page this.handleMessage=functioneife&&e.datavar t=document.getElementByIdSi;ift&&e.source===t.contentWindow||e.source===window.opener handleMessage method...
GSA Bounty: Root user disclosure in data.gov domain through x-amz-meta-s3cmd-attrs header
I performed a GET request on Host www.data.gov in Burp Suite to a custom domain and the response showed the x-amz-meta-s3cmd-attrs header with the user id as root and group id running as root. x-amz-meta-s3cmd-attrs: uid:0/gname:root/uname:root/gid:0/mode:33184/ This represents information...
Casper: Mixed content issues on the site https://casper.com
Hello. While browsing the site https://casper.com I found a mixed content error on the site with HTTPS. This error is located at https://casper.com/faqs/resources/the-best-positions-for-sleeping/. 8 images are loaded on the site via HTTP, which the Google Chrome browser warns about. F314123 Impact If th...
Hanno's projects: SSRF in rompager-check
Summary The script rompager.php does not restrict which hosts can be requested. Thereby, an attacker can send HTTP requests to localhost and other servers on the same local network segment, on ports 80 and 7547. Description In rompager.php, the value of CURLOPT_URL is fully controlled: php Port...
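rompager.php, as the report describes it, passes a caller-controlled value straight into CURLOPT_URL, so the checker will probe localhost or its own LAN on request. The Python below is an added example, not code from rompager-check, of the validation such a tool needs before fetching anything: a scheme allowlist, a port allowlist (80 and 7547 are the two ports the report names), every resolved address checked for being globally routable, IPv4-mapped IPv6 unwrapped, and the resolver injectable so that the constructed `FAKE_DNS` table lets it run offline. The policy values and the DNS answers are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy for this example: plain HTTP only, to the two ports the
# checker actually needs. Not taken from rompager.php.
ALLOWED_SCHEMES = {"http"}
ALLOWED_PORTS = {80, 7547}

# Constructed DNS answers so the example runs without network access.
FAKE_DNS = {
    "cpe.example": ["93.184.216.34"],
    "lan.example": ["10.0.0.1"],
    "split.example": ["93.184.216.34", "127.0.0.1"],  # one good answer, one bad
    "2130706433": ["127.0.0.1"],  # decimal 127.0.0.1, as libc would resolve it
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed: no answer for {host}")


def system_resolver(host):
    """All A/AAAA answers for host via the real resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is 10.0.0.1 on the wire
    # is_global is False for loopback, RFC 1918, link-local, CGNAT and reserved ranges
    return ip.is_global


def check_target(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied target URL."""
    try:
        p = urlparse(url)
        port = p.port or 80
    except ValueError:
        return False, "unparseable url or port"
    if p.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not p.hostname or p.username or p.password:
        return False, "missing host or userinfo present"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addrs = [str(ipaddress.ip_address(p.hostname))]  # literal address
    except ValueError:
        try:
            addrs = resolver(p.hostname)  # a name: check every answer
        except OSError:
            return False, "unresolvable host"
    if not addrs:
        return False, "no addresses"
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        return False, "non-public address: " + ", ".join(bad)
    return True, "ok"


if __name__ == "__main__":
    for url in ("http://cpe.example:7547/", "http://lan.example/", "http://127.0.0.1/"):
        print(url, check_target(url, fake_resolver))
```

The check is only as good as what happens next: the fetch must go to the addresses that were validated (with curl, CURLOPT_RESOLVE pins a name to an address) rather than resolving the name a second time, or a DNS rebinding answer can swap in 127.0.0.1 between the check and the request.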
VK.com: Clickjacking vkpay
Clickjacking...
Hanno's projects: SQL injection in Serendipity (serendipity_fetchComments)
Summary An authenticated administrator can alter Entries to display on frontpage and Entries to display in Feeds in a way that performs a SQL injection and extracts database records or accesses files on the underlying system. Description The function serendipity_fetchComments implemented in...
HackerOne: Blind SSRF on errors.hackerone.net due to Sentry misconfiguration
Summary: When setting up Sentry you should turn off "source code scraping". If it is turned on, then the server that has Sentry on it will make blind GET requests anywhere, controlled from outside via error reporting. Description: Hello HackerOne team. In your CSP I found the ?sentry_key parameter, so i...
Brave Software: Lack of quarantine meta-attribute for downloaded files leads to GateKeeper bypass
Summary: Executable files downloaded through Brave don't have quarantine attribute. That means it's possible to launch any executable bypassing codesigning + quarantine. However, later I found that Brave has already tracked similar report but only in the context of .pkg files. Additionally, Brave...
Hanno's projects: Reflected xss in Serendipity's /index.php
Summary: There exists a reflected xss threat in https://blog.fuzzing-project.org/index.php?frontpage. Description: By setting the serendipity%5bmultiCat%5d%5b%5d POST input to 1'"&%prompt1 I'm able to trigger a JavaScript prompt box in versions of IE up to and including IE 11. Steps To Reproduce:...
U.S. Dept Of Defense: Corda Server XSS ████████
Summary: Corda server will display the error message if something isn't allowed to be used, thus allowing XSS Description: /scripts/ctredirector.dll allows users to call images or files. We can use the parameter @FILE to dictate a file or URL; if it fails it'll display the URL in the page. We the...
Nextcloud: Accessing download.nextcloud.com from the original IP address | insecure download
Hi team, Summary I found that I can access the web site from the original IP. This disables the HTTPS secure connection. Description First I did a DNS lookup to find the IP address: download.nextcloud.com has address 88.198.160.133 F313820 Now when I open the website from download.nextcloud.com I s...
Hanno's projects: blind sql injection
Summary: There exists a possibility that your Serendipity installation is vulnerable to a blind SQL injection. Description: By sending specially crafted SQL commands to /plugin/tag/ and timing how long it takes for the server to respond, it is quite possible that the blog backend is interpreting...
U.S. Dept Of Defense: PII leakage due to caching of Order/Contract ID's on █████████
Summary: I was able to discover contract numbers which leak user names/emails/phone numbers and other sensitive information. I took the time to make sure that these contract IDs wouldn't/shouldn't be easily guessable or known. Description: I discovered through a Google search query that I was able t...
Hanno's projects: Reflected Cross-Site Scripting in Serendipity (serendipity.SetCookie)
Summary The Smarty template responsible for creating the JavaScript snippets that assign cookies to users during sorting of entries in the administration interface is affected by a reflected cross-site scripting. Description In templates/2k11/admin/entries.inc.tpl, the following code is dynamically...
Hanno's projects: Open redirect in Serendipity (exit.php)
Summary Serendipity contains a script named exit.php that can be directly accessed. When crafting a hyperlink pointing to this page with the parameter url containing a base64-encoded URL, it will redirect the user to this URL. Description The file exit.php contains the following code: php ?php /...
Hanno's projects: Open redirect on https://blog.fuzzing-project.org
Summary: There is an Open Redirect on https://blog.fuzzing-project.org/exit.php?url= due to the application not checking the value passed by the user to the "url" parameter. Description: Unchecked redirects occur when an application redirects to a destination controlled by attackers. This often...
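Both Serendipity entries above concern exit.php: the base64-decoded `url` parameter becomes the redirect target with no check on where it points. As an added example, not Serendipity's code, the following Python decodes the parameter the same way and then shows the check that closes the redirect: only absolute URLs on the site's own origin, or plain local paths, are followed, and the `//host` and `/\host` forms a browser would turn into a cross-origin jump are refused. `SITE_ORIGIN` is an assumed value, and `encode_exit_url` exists only to build inputs for the demo.

```python
import base64
import binascii
from urllib.parse import urljoin, urlparse

# Assumed origin of the blog for this example (not taken from the page).
SITE_ORIGIN = "https://blog.example"


def encode_exit_url(url: str) -> str:
    """Build the parameter the way a link to exit.php?url=... would carry it."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")


def decode_exit_url(param: str):
    """Strict base64 decode; anything malformed yields None instead of a redirect."""
    try:
        return base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def unsafe_redirect_target(param: str):
    """The open-redirect behaviour: whatever decodes goes straight into Location."""
    return decode_exit_url(param)


def safe_redirect_target(param: str, site_origin: str = SITE_ORIGIN):
    """Return a redirect target only if it stays on site_origin, else None."""
    raw = decode_exit_url(param)
    if raw is None or any(c in raw for c in "\r\n\t\0"):
        return None  # header injection and whitespace tricks
    target = urlparse(raw)
    site = urlparse(site_origin)
    if target.scheme == "" and target.netloc == "":
        # Local path: must begin with a single '/'. '//host' is already
        # scheme-relative and browsers normalise '/\host' to the same thing.
        if not raw.startswith("/") or raw[1:2] in ("/", "\\"):
            return None
        return urljoin(site_origin, raw)
    if target.scheme != site.scheme or target.netloc.lower() != site.netloc.lower():
        return None  # any other origin is exactly the open redirect
    return raw


if __name__ == "__main__":
    for candidate in ("https://evil.example/", "//evil.example/",
                      "/archives/1-post.html", "https://blog.example/archives/1-post.html"):
        param = encode_exit_url(candidate)
        print(candidate, "->", unsafe_redirect_target(param), "|", safe_redirect_target(param))
```

Comparing scheme and netloc against a fixed origin is deliberately stricter than a substring or prefix test, which would still pass `https://blog.example.evil.example/` and `https://blog.example@evil.example/`.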