
15278 matches found

Hacker One · added 2018/06/29 12:35 p.m. · 15 views

Mail.ru: Reading the application's system data: authorization data, logs, database, private correspondence

Insufficient case-sensitive filtering in intent URI could allow a local malicious application to access local files via ICQ for Android...

AI score: 3.5
Exploits: 0

Hacker One · added 2018/06/29 12:13 p.m. · 24 views

Radancy: I can subscribe and unsubscribe any user with the same token as many times as I want

During the subscription process for a newsletter it was possible to enter any email address, which would automatically be added to the email list without proper confirmation via a confirmation token sent by email. Same for the unsubscription process: anyone could unsubscribe all email addresses becaus...

AI score: 0.5
Exploits: 0

Hacker One · added 2018/06/29 4:50 a.m. · 23 views

Brave Software: URL spoofing using protocol handlers

Summary: Navigation to protocol handler changes URL in the address bar e.g. ssh://google.com in the address bar is standard behavior. Browsers change URL in the address bar to about:blank if a parent window tries to access the opened page with protocol handler URL. This behavior prevents URL...

AI score: 0.1
Exploits: 0

Hacker One · added 2018/06/28 4:31 p.m. · 35 views

Infogram: CORS on (ws.infogram.com)

Hey Team, I don't know if it's valid or not, I just want to let you know about this, thanks. Exploit: var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://ws.infogram.com/socket.io/?EIO=3&transport=polling&t=MH7BU79',true); req.withCredentials = true; req.send(''); function...

AI score: 1.3
Exploits: 0

Hacker One · added 2018/06/28 9:34 a.m. · 33 views

OLX: Bypass CSP frame-ancestors at olx.co.za, olx.com.gh

Hi, olx.co.za and olx.com.gh both restrict framing by using this CSP rule: content-security-policy: frame-ancestors 'self' https://*.mod-tools.com: olx.co.za: F313178 olx.com.gh: F313179 If we take a look at mod-tools.com we can see that the domain is not claimed: $ dig mod-tools.com ; DiG...

AI score: 0.4
Exploits: 0

Hacker One · added 2018/06/27 6:18 a.m. · 20 views

Ian Dunn: xmlrpc.php file is enabled on main website

The domain has XMLRPC activated, which can cause serious damage to your server and website. The admin panel can be easily bypassed, and it can also cause heavy DDoS that can take down the entire server. Just a simple fix can resolve the issue. Secure your site:...

AI score: 0.1
Exploits: 0

Hacker One · added 2018/06/26 6:23 p.m. · 46 views

Brave Software: Directory Listing on https://promo-services-staging.brave.com

Summary: Hi Brave team, hope you are well. I have found a directory listing vulnerability at https://promo-services-staging.brave.com. Products affected: Brave website page. Steps To Reproduce: Go to https://promo-services-staging.brave.com/swaggerui/ Supporting Material/References: Reference: This...

AI score: 6.9
Exploits: 0

Hacker One · added 2018/06/26 3:01 a.m. · 62 views

Internet Bug Bounty: CVE-2018-12882: heap-use-after-free in PHP 7.2 through 7.2.6, possible 7.2.7

exif_read_data in PHP 7.2 through 7.2.6 and possibly 7.2.7 is vulnerable to a heap use-after-free when fed a specially crafted JPEG. Any online service that uses PHP 7.2 and reads EXIF data from uploaded JPEGs is potentially vulnerable to this flaw. USE_ZEND_ALLOC=0 ./php-e147eb2 -r...

CVSS: 7.5 · AI score: 9.6 · EPSS: 0.05202
Exploits: 0

Hacker One · added 2018/06/25 8:36 a.m. · 26 views

Udemy: [affiliates.udemy.com] WordPress admin user information disclosure

Summary: This website uses the WordPress CMS, and the developer forgot to disable the link that shows information about the admin user. By accessing this link, an attacker can get all usernames and other information about the admin users: http://affiliates.udemy.com/wp-json/wp/v2/users F312155 Admin user list: hamza...

AI score: 6.8
Exploits: 0

Hacker One · added 2018/06/24 11:56 a.m. · 50 views

VK.com: Access to the administrators' FAQ

Viewing some closed FAQ articles. The vulnerability allowed access to the "talmuds" at vk.com/tlmdXXX, which store information for administrators and moderators of the VKontakte social network... Gaining access to admin information... @ 500$...

AI score: 6.9
Exploits: 0

Hacker One · added 2018/06/22 10:40 a.m. · 46 views

Mail.ru: Nginx variable values printed in the page body

When requesting a URL of the form https://biz.mail.ru/$nginx_variable_name, the value of that variable ends up in the 404 response page, in every place of the form: e.mail.ru/login?lang=ru_RU&Page=https%3A%2F%2Fbiz.mail.ru%2Fnginx_variable_value Example requests: 1. https://biz.mail.ru/test$realpath_root, in the response:...

AI score: 7
Exploits: 0

Hacker One · added 2018/06/22 4:35 a.m. · 40 views

Nextcloud: Missing X-Content-Type-Options

Nextcloud doesn't set the X-Content-Type-Options header, which means it is vulnerable to MIME sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome...

AI score: 6
Exploits: 0

Hacker One · added 2018/06/21 3:57 p.m. · 9 views

RATELIMITED: HTTP PUT method enabled

Hi security team, Summary: It is possible to upload files to the server using the PUT method Steps To Reproduce: 1. I used the following request: PUT /emitrani.txt HTTP/1.1 Host: ratelimited.me Content-Length: 10 Connection: close emitrani POC Now a file exists at...

AI score: 7.2
Exploits: 0

Hacker One · added 2018/06/21 3:16 p.m. · 27 views

Node.js third-party modules: stored xss in scrape-metadata when reading metadata from an html page

Hi. Module: scrape-metadata https://www.npmjs.com/package/scrape-metadata Module Description: a module used to scrape metadata contents from an article. Vulnerability Description: It was possible to embed malicious JS code in metadata content read by scrape-metadata. When the library reads such metadata,...

AI score: 6.7
Exploits: 0

Hacker One · added 2018/06/21 1:56 p.m. · 25 views

Mail.ru: Shell upload in partner service

Shell upload RCE vulnerability in a partner service provided as additional functionality within a mail.ru branded service. At the time of reporting, partner services were not covered by the bug bounty program; the bounty was awarded due to the potential criticality of the problem...

AI score: 2.1
Exploits: 0

Hacker One · added 2018/06/21 6:03 a.m. · 17 views

GitLab: SSRF in CI after first run

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: During the first run, the CI...

AI score: 7
Exploits: 0

Hacker One · added 2018/06/21 5:30 a.m. · 17 views

Brave Software: Open redirection at every 302 HTTP code

Summary: I guess every 302 HTTP code on https://publishers.basicattentiontoken.org is open to open redirection. Steps To Reproduce: 1. I edited the request when I got redirected from this request URL...

AI score: 0.2
Exploits: 0

Hacker One · added 2018/06/20 4:39 p.m. · 16 views

Brave Software: Navigation to restricted origins via "Open in new tab"

Summary: It's possible to open links pointing to the file:/// origin from web pages using "Open link in a new tab" in the context menu. https://hackerone.com/bugs?reportid=369185 shows unsafe ssh:// protocol handling, which leads to information leak via ssh (OS username, etc.). The vulnerability is...

AI score: 6.4
Exploits: 0

Hacker One · added 2018/06/20 3:31 p.m. · 23 views

Mail.ru: XSS in the message body in the new version of the mail client.

DOM clobbering in new "Octavius" interface beta feature led to stored XSS on message reading...

AI score: 0.9
Exploits: 0

Hacker One · added 2018/06/20 2:09 p.m. · 55 views

Brave Software: Unsafe handling of protocol handlers

Summary: Brave browser for macOS handles protocol handlers in an unsafe way and differently from other browsers. Key differences between protocol handler handling in Brave and other browsers: Open external app vs. open "Terminal": Brave only asks about opening an external app. Other browsers, e.g. Chrome, ask...

AI score: 1.4
Exploits: 0

Hacker One · added 2018/06/20 4:53 a.m. · 13 views

Brave Software: URL spoofing in Brave for macOS

Summary: URL spoofing vulnerability. Repro: window.onclick = function() { x = window.open('https://www.google.com/csi'); setTimeout(function() { x.document.write('I am not a www.google.com'); }, 100); }; plus a "click me" link. The URL in the address bar is https://www.google.com/csi, but actually that's an about:blank page. Attacker could...

AI score: 0.7
Exploits: 0

Hacker One · added 2018/06/20 4:16 a.m. · 38 views

██████: Remote command execution due to ImageTragick

During my auditing of a profile avatar functionality I discovered that the website was affected by ImageTragick, using a curl request as seen below: F349064 I then made a request to read etc/passwd: F349067 I then wanted to prove maximum impact by further pivoting the RCE. Due to not wanting to...

AI score: 7.1
Exploits: 0

Hacker One · added 2018/06/19 11:54 p.m. · 28 views

VK.com: Viewing the posts of a user who has blocked you

Blacklist checks were missing in one of the actions for working with a user's posts...

AI score: 6.9
Exploits: 0

Hacker One · added 2018/06/19 5:04 p.m. · 31 views

Rocket.Chat: Open redirect open.rocket.chat/file-upload/ID/filename.svg

Summary: Open redirect through SVG file upload. Description: When you upload a file to a chat, the link to it will look like https://open.rocket.chat/file-upload/ID/filename.svg, but the file will be on storage.googleapis.com. We can embed JS in our SVG and when the victim goes to...

AI score: 7
Exploits: 0

Hacker One · added 2018/06/19 3:53 p.m. · 13 views

Mail.ru: XSS via message subject - mobile application

XSS in the message compose window when forwarding a message with a crafted subject / sender name / content in the mobile application for Android...

AI score: 3.1
Exploits: 0

Hacker One · added 2018/06/18 12:08 p.m. · 203 views

Udemy: [engineering.udemy.com] - Subdomain Takeover (ghost.io)

Hi Security Team, I found that the DNS record of the engineering.udemy.com domain was pointing to an inactive ghost.io instance. So when we visit https://engineering.udemy.com we are notified that the site doesn't exist. F310092 $ host engineering.udemy.com engineering.udemy.com is an alias for...

AI score: 6.7
Exploits: 0

Hacker One · added 2018/06/18 8:46 a.m. · 12 views

Vanilla: FileUpload Plugin: CSRF (delete all attached files)

Description: The current version 1.9.1 of the official FileUpload plugin is vulnerable to CSRF. A successful attack allows the removal of files the attacked user has the permission to delete. Administrators, for example, have the permission to delete all attached files. As the request t...

AI score: 0.4
Exploits: 0

Hacker One · added 2018/06/17 5:35 p.m. · 15 views

Starbucks: athome.starbucks.com - URL parameter tampering of review forms permitted possible content injection

jackb898 discovered that the review forms on the informational site athome.starbucks.com were susceptible to parameter tampering, possibly allowing for creation of limited custom review form content. @jackb898 — thank you for reporting the original vulnerability, the additional information and for...

AI score: 2.2
Exploits: 0

Hacker One · added 2018/06/17 4:32 p.m. · 28 views

Reverb.com: Basic auth details still work from report (351555)

Hi, it seems report 351555 is not fully fixed: the basic auth details 434762629765715:PQlkrSHPqqjhIBc0MmUkdjcqpps still work for login. PoC: https://api.cloudinary.com/v11/reverb/usage F309894 Impact: information disclosure...

AI score: 7.1
Exploits: 0

Hacker One · added 2018/06/16 4:04 a.m. · 44 views

Starbucks: PHPinfo page

GET /test.php HTTP/1.1 Host: 52.90.193.152 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* Impact: This file may expose sensitive information that may help a maliciou...

AI score: 0.9
Exploits: 0

Hacker One · added 2018/06/15 2:58 p.m. · 25 views

Uber: [data-07.uberinternal.com] SSRF in Portainer app leads to access to internal Docker API without auth

Vulnerability description not provided...

AI score: 7.1
Exploits: 0

Hacker One · added 2018/06/15 10:05 a.m. · 42 views

Mail.ru: blind XSS in the torg.mail.ru admin panel via a review

Blind XSS in the admin panel for torg.mail.ru. torg.mail.ru is not in the bug bounty program's scope; a bounty was awarded due to high potential impact. Insufficient filtering leads to XSS in the administrative panel of one of the mail.ru subdomains via the username when leaving a review...

AI score: 0.6
Exploits: 0

Hacker One · added 2018/06/14 7:03 p.m. · 28 views

VK.com: Vulnerability in the auth.restore method

Insufficient checks when restoring a page...

AI score: 6.9
Exploits: 0

Hacker One · added 2018/06/14 5:40 p.m. · 373 views

PortSwigger Web Security: Activate Burp Suite Pro with the old license after transferring it to another account

Hi team. I made 2 accounts and purchased Burp Suite Pro. The first account with this email: ███████ The second account with this email: ██████ I opened a support ticket on Jun 13, 2018 05:26PM and the message is: Hi, could you please add this account to my existing account ████ ███████ t...

AI score: 0.5
Exploits: 0

Hacker One · added 2018/06/14 4:01 p.m. · 23 views

Node.js: Your page has 2 blocking CSS resources. This causes a delay in rendering your page.

This report was not deemed to be a security vulnerability and the reporter was asked to open an issue upstream to fix publicly...

AI score: 1
Exploits: 0

Hacker One · added 2018/06/14 4:26 a.m. · 52 views

Shopify: Subdomain Takeover - https://competition.shopify.com/

Dear Shopify Security Team, The Shopify.com subdomain competition.shopify.com was vulnerable to a subdomain takeover as it was pointing to an unclaimed Heroku service through the CNAME competition.shopify.com.herokudns.com, while the custom domain 'competition.shopify.com' was unclaimed in Heroku...

AI score: 7.1
Exploits: 0

Hacker One · added 2018/06/13 10:33 p.m. · 9 views

Uber: Privacy policy contains hardcoded link using unencrypted HTTP

The link to Uber's privacy policy was using the unencrypted http:// scheme, making it possible for an attacker with the ability to Man-in-the-Middle (MITM) traffic to replace normal responses with malicious content such as a phishing page. The content would then render within...

AI score: 0.5
Exploits: 0

Hacker One · added 2018/06/13 10:16 a.m. · 22 views

Valve: Comment restriction in subsection "Workshop" of domain "steamcommunity.com" can be bypassed using IDOR

Summary - While testing the domain "steamcommunity.com", I found the subsection "workshop", which has a restriction on commenting on workshop items of a game that I do not own in my account. This access control can be bypassed using IDOR and a user can post a comment even though the comment section is disabled on worksh...

AI score: 6.8
Exploits: 0

Hacker One · added 2018/06/13 7:43 a.m. · 14 views

Mail.ru: Stealing Arbitrary Private Files of MyMail App

It was possible for a local malware application to steal sensitive local files of the MyMail / Mail.Ru Mail application due to specifics of file:// scheme URI handling in SharingActivity...

AI score: 1.2
Exploits: 0

Hacker One · added 2018/06/13 7:27 a.m. · 45 views

Basecamp: Remote code execution on Basecamp.com

A critical flaw in Basecamp's profile image upload function leads to remote command execution. Images are converted on the server side, but not only image files but also PostScript/EPS files are accepted if renamed to .gif. This is probably due to ImageMagick / GraphicsMagick being used for image...

CVSS: 6.8 · AI score: 2.2 · EPSS: 0.92931
Exploits: 7

Hacker One · added 2018/06/13 1:03 a.m. · 17 views

Uber: Information Leakage - GitHub - VCenter configuration scripts, StorMagic usernames and password along with default ESXi root password

@peuch found data exposure on GitHub - expired passwords and usernames for ESXi, a bare-metal hypervisor. The researcher also found credentials to a SendGrid instance, uberinfradevtools, which would have allowed them to log in to SendGrid and send email from any @uber.com address. However, this wou...

AI score: 0.4
Exploits: 0

Hacker One · added 2018/06/12 9:00 p.m. · 15 views

QIWI: XSS on https://agent.postamat.tech/ in the profile + disclosure of secret information

Hello. I worked your site https://agent.postamat.tech/ up to an interesting XSS + a fairly serious bug that discloses some user information. I want to note that this site stores some personal data of users, so this XSS can be used to extract quite...

AI score: 6.2
Exploits: 0

Hacker One · added 2018/06/12 3:31 p.m. · 30 views

Mail.ru: SQL injection on jd.mail.ru

SQL injection via POST parameter in user registration at jd.mail.ru...

AI score: 4.9
Exploits: 0

Hacker One · added 2018/06/12 11:15 a.m. · 96 views

Internet Bug Bounty: Client DoS due to large DH parameter (CVE-2018-0732)

https://www.openssl.org/news/secadv/20180612.txt OpenSSL Security Advisory 12 June 2018 ======================================== Client DoS due to large DH parameter CVE-2018-0732 ==================================================== Severity: Low During key agreement in a TLS handshake using a DH...

CVSS: 5 · AI score: 7.6 · EPSS: 0.78382
Exploits: 0

Hacker One · added 2018/06/12 7:18 a.m. · 13 views

Smule: Disclosure of information about the system, configuration files.

Disclosure of Django configuration via debug mode...

AI score: 2.4
Exploits: 0

Hacker One · added 2018/06/12 6:56 a.m. · 17 views

Monero: Misreporting of received amount by show_transfers

Summary: A sender may cause show_transfers to report a higher amount than was actually sent in the recipient's show_transfers output. Description: Due to a flaw in process_new_transaction in wallet2.cpp, if the tx pubkey is present multiple times, it will decode outputs correctly as many times, and a...

AI score: 6.9
Exploits: 0

Hacker One · added 2018/06/11 10:02 p.m. · 37 views

Upserve: OLO total price manipulation using negative quantities

Manipulating an order request JSON object by adding an extra item with a negative quantity directly manipulates the total amount of the order. In the following JSON request, an order is submitted for 2 ChickenBurgers at $12 each, as well as -1 BreadPuddings at $9 each. The total price after tax...

AI score: 2.3
Exploits: 0

Hacker One · added 2018/06/11 11:51 a.m. · 24 views

VK.com: Viewing the applications of any user / group

Viewing other users' application lists...

AI score: 6.9
Exploits: 0

Hacker One · added 2018/06/10 6:48 p.m. · 126 views

New Relic: Insecure Infrastructure Integrations YML Loading leads to Windows Privilege Escalation

After installing the Windows Infrastructure client as described in https://docs.newrelic.com/docs/infrastructure/new-relic-infrastructure/installation/install-infrastructure-windows-server, I noticed that integration yml config files are not only loaded from the folder within Program Files, but al...

AI score: 0.6
Exploits: 0

Hacker One · added 2018/06/10 2:07 p.m. · 26 views

Ruby: SEGV in parse_rat()

A crafted string can cause a SEGV (READ memory access to 0x000000000000) when parsed as a rational number - ruby 2.5.1p57 on Fedora 28: $ ruby -e 'Rational("2e-9942067")' -e:1: warning: in a**b, b may be too big -e:1: [BUG] Segmentation fault at 0x0000000000000000 ruby 2.5.1p57 (2018-03-29 revision 63029)...

AI score: 0.6
Exploits: 0

Total number of security vulnerabilities: 15278