Mail.ru: Disclosure of a lootdog.io user's passport series/number and SNILS
Passport data is reflected back to the user and can be accessed in the case of account or session compromise. Passport information is now not stored by lootdog.io after validation and cannot be accessed by the user...
Node.js third-party modules: Samlify is vulnerable to signature wrapping
I would like to report a signature wrapping weakness in samlify. It allows an attacker to modify a SAML token received from the IdP before validating it with the service provider. Module: module name: samlify; version: 2.3.7; npm page: https://www.npmjs.com/package/samlify. Module Description: Highly...
LocalTapiola: Wordpress Users Disclosure (/wp-json/wp/v2/users/)
Information: Using the REST API, we can see all the WordPress users/authors with some of their information. Steps to Reproduce: You can get user info by entering the below URL in your browser: https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/users/ Result (JSON): "id": 1, "name": "LTR", "url": "",...
Passit: Missing HSTS (Strict Transport Security)
Added HSTS headers...
Mail.ru: Disclosure of IP address, e-mail and other useful information on lootdog.io
After the deal, the service was disclosing some unnecessary counterparty information: IP address and e-mail...
Yelp: CRITICAL-CLICKJACKING at Yelp Reservations Resulting in exposure of victim Private Data (Email info) + Victim Credit Card Misuse.
Please have a look at this interesting article with a precise explanation of the click-jacking security flaw: https://www.linkedin.com/pulse/20141202104842-120953718-why-am-i-anxious-about-clickjacking/ In the Yelp platform, the response headers of the Reservation page do not contain the X-Frame-Option...
Mail.ru: Modifying application settings via clickjacking on o2.mail.ru
It was possible to edit application information or delete application via clickjacking on o2.mail.ru...
WordPress: XSS on support.wordcamp.org in ajax-quote.php
Hi, There is an XSS vulnerability in ajax-quote.php on http://support.wordcamp.org. It can be demonstrated with the attached POC - this needs to be run in Firefox to execute, as it's super basic and XSS Auditor will catch it but with multiple parameters, even with one of them filtered, it's likel...
PullString: Open redirect at staging.pullstring.com
Hi. Request (http): GET //%2fxgoogle.com HTTP/1.1 Host: staging.pullstring.com Accept: / Accept-Language: en User-Agent: Mozilla/5.0 compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0 Connection: close Response (http): HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Date...
Avito: Open Redirect via login avito.ru | Protection bypass
Open-redirect using the following vector and social auth: https://www.avito.ru/rossiyalogin?next=///...
Node.js third-party modules: [servey] Path Traversal allows to retrieve content of any file with extension from remote server
Hi Team, I would like to report a partial Path Traversal in the servey module. It allows reading the content of any file with an extension from the server. Module: module name: servey; version: 2.2.0; npm page: https://www.npmjs.com/package/servey. Module Description: A static & single page application...
Node.js third-party modules: [statics-server] XSS via injected iframe in file name when statics-server displays directory index in the browser
Hi Team, I would like to report HTML Injection in the statics-server module. It is possible to inject a malicious iframe tag via the filename and execute arbitrary JavaScript code. Module: module name: statics-server; version: 0.0.9; npm page: https://www.npmjs.com/package/statics-server. Module Description: npm...
Node.js third-party modules: [statics-server] Path Traversal due to lack of provided path sanitization
Hi Team, I would like to report Path Traversal in the statics-server module. It allows reading the content of any arbitrary file from the server. Module: module name: statics-server; version: 0.0.9; npm page: https://www.npmjs.com/package/statics-server. Module Description: npm install statics-server -g Go to...
Uber: Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/
The base parameter of /oidauth/prompt on multiple uberinternal.com subdomains was not sanitized before being reflected into the page body, making it vulnerable to reflected XSS. Additionally, these pages were affected by a clickjacking vulnerability that made exploitation easier, since a click wa...
Valve: Suspended users can bypass UGC upload ban
Community-banned users could potentially upload UGC, though not associated with specific Steam games...
Internet Bug Bounty: [CVE-2018-6913] heap-buffer-overflow in S_pack_rec
pack may cause a heap buffer write overflow with a large item count. Reported to the Perl security mailing list on 5 Aug 2017. Confirmed as a security flaw by TonyC on 30 Jan 2018. CVE-2018-6913 assigned to this flaw on 11 Feb 2018. Public security advisory released on 14 April 2018...
Passit: X-Content-Type-Options has not been set at app.passit.io
Hi. The HTTP header X-Content-Type-Options is missing. Impact: Your website http://app.passit.io/ doesn't have the X-Content-Type-Options header set, which means it is vulnerable to MIME sniffing. The only defined value, 'nosniff', prevents Internet Explorer and Google Chrome from MIME-sniffi...
Rockstar Games: stored XSS (angular injection) in support.rockstargames.com using zendesk register form via name parameter
In this report, the researcher discovered that registering for our Support site using the Zendesk Registration Form allowed for entering an AngularJS Template Injection payload as the Username. This could have allowed an attacker to perform Stored XSS attacks or similar. We deployed a fix for thi...
Vanilla: Vanilla SQL Injection Vulnerability
Summary: There is a SQL injection vulnerability in Vanilla; an attacker can use this vulnerability to obtain database information. Description: We downloaded the program from https://github.com/vanilla/vanilla and installed it. In applications/dashboard/controllers/class.profilecontroller.php:274 ph...
Valve: Unfiltered input allows for XSS in "Playtime Item Grants" fields
Enter "test in any of the 3 fields, save it and reload the page. Impact Stored XSS, could possibly break some internal features too as the stored value is not an integer. The hacker selected the Cross-site Scripting XSS - Stored weakness. This vulnerability type requires contextual information fr...
HackerOne: People who interviewed for HackerOne security analyst position can be enumerated and their personal email address may be exposed
Summary: It's possible to gather basic information on potential employees (at the very least, those who interviewed) via old sample reports not being removed from the program. Description: This report is meant to provide awareness of potentially private data being accessed by potential candidates. When giv...
Reverb.com: XSS in buying and selling pages, can create spoofed content (false login message)
Previously this issue was resolved at another location in report 351376. After spending more time searching the website, I found additional areas where this problem persists: https://sandbox.reverb.com/my/buying/orders?query= https://sandbox.reverb.com/my/selling/listings?query=...
Grab: Subdomain Takeover Via Insecure CloudFront Distribution cdn.grab.com
Good day, I truly hope it treats you awesomely on your side of the screen :) I have found that your website cdn.grab.com is pointed via a CNAME to a CloudFront instance: cdn.grab.com = .cloudfront.net. This was not registered on Amazon AWS CloudFront. I was able to take over the domain. See my POC P...
Passit: `X-XSS-Protection` header has not been set at app.passit.io
Hi. X-XSS-Protection at app.passit.io has not been set. Impact: This header is used to configure the built-in reflective XSS protection found in Internet Explorer, Chrome and Safari (WebKit). Valid settings for the header are 0, which disables the protection, 1, which enables the protection, and 1;...
Trello: Session can be continuously reused by editing "token" cookie.
Description: When a logged-in user edits the "token" cookie, that session will be cut off and the user will be logged out. That's normal. But if you make a websocket connection with a proper token before editing the "token" cookie and then edit the "token" cookie, the websocket will still be in connectin...
Reverb.com: Api token exposed in Reverb.com's public github repository
An access token of a user account was available in a public github repo. The token was tied to an experimental project, and the account was only used for that project, so no sensitive information was able to be obtained...
Reverb.com: Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app
Hi, in the file com/reverb/app/CloudinaryFacade.java you have hardcoded the following config (Java): private static final java.lang.String CONFIG = "cloudinary://434762629765715:█████@reverb"; where 434762629765715:████████ are the basic auth details. They shouldn't be disclosed to third parties as official...
GitLab: Persistent XSS - Deleting a project (No Longer Vulnerable in 10.7)
Summary: When deleting a project in GitLab, it is possible to trigger an XSS with a malicious user name string. Description: I'd like to first point out that this is no longer vulnerable, but I filed a report anyways since it was never discovered. It looks like this was fixed on "accident"...
Shopify: Improper access check by Kit leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C
Hi, Disclaimer: This report will be detected as a duplicate of an N/A-marked report by me (351154). The reason for the self-close was I did not know if the scope in your policy was restricted only to XSS/CSRF on the kitcrm.com domain. Issue: A deleted store member can still use Kit via Facebook Messenge...
Reverb.com: XSS in main search, use class tag to imitate Reverb.com core functionality, create false login window
This is an expansion of 349684 which was flagged as a duplicate. In that bug report I explained that several HTML tags end up rendering when entered into the main search. I've since found out that the class attribute of multiple types of tags can be modified to create a realistic imitation of cor...
Mail.ru: phpinfo() information exposed on the site https://agent.mail.ru
phpinfo was available on agent.mail.ru. agent.mail.ru is not currently covered by the bug bounty program...
Phabricator: Administrator can create user without entering high security mode
When an administrator wants to create a user, he can go to https://phabricator.example.com/people/create/ and will be required to enter his MFA token in order to enter high security mode. However, if an administrator goes to https://phabricator.example.com/people/new/standard/ he will bypass the...
Gatecoin: DOM Based XSS charting_library
Description: charting_library contains a DOM-based XSS vulnerability that allows loading an external JS script and executing it. PoC: Open the URL in any browser...
Valve: Stored XSS @ https://steamcommunity.com/search/users/#text= via Profile Name
Dear Valve security staff, Short description: There is a stored cross-site-scripting vulnerability present at the user search endpoint which can be exploited by modifying the profile name of the would-be attacking account. See POC picture. Steps to reproduce:...
Valve: resetreportedcount & updatetags doesn't verify appid param
This requires an account that has admin permissions on any community hub, and Fiddler (not 100% required, but I'll use it for the demonstration). resetreportedcount: Step 1: Go to any UGC in the hub you have admin access on, open Fiddler if you haven't yet, click Clear Reports and click OK on the...
Valve: Malformed Skybox .TGA in Half-Life (GoldSRC) leads to Access Violation
A malformed .TGA, when loaded as a skybox on a map in a GoldSRC engine game (Half-Life), can lead to arbitrary code execution on a remote client. Reproduction Steps: Load the attached map + resources on a local Half-Life listen server. The game will crash with an Access Violation as soon as the map wi...
Valve: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution
A malformed .BSP can trigger an Access Violation on CS:GO that can lead to arbitrary code execution on a remote computer. I have attached a copy of the malformed .BSP which reliably triggers an Access Violation on CS:GO. Impact An attacker hosting a malicious server could compromise a remote clie...
HackerOne: User object in GraphQL exposes number of trial reports for External Programs that also have a Private Program
Summary: For this vulnerability to work, it is necessary that you be an Admin/member of at least one sandbox team, and running a GraphQL node can tell you whether the external programs that exist on the directory page are running a private program on HackerOne or not...
VK.com: Obtaining another user's phone number (all digits) via the password recovery form
In some cases it was possible to obtain the phone number linked to a page. This vulnerability allows an attacker to obtain the victim's personal phone number that is linked to their VKontakte page. To exploit this vulnerability it is enough to know only the victim's e-mail address...
Valve: GetReports works for hubs you don't have access to
Admin permissions on a game hub could be leveraged to view UGC reports on unrelated games. If an account had admin permissions on a game hub, it would be able to view other game hubs' UGC reports by simply making the appid parameter the appid of the game hub it has admin permissions on...
Greenhouse.io: Bypass of request line length limit to DoS via cache poisoning
Summary This is a bypass of the fix that was introduced in response to report 334709. The bug in question was that it was possible to poison the cache of the generated JS file at https://boards.greenhouse.io/embed/jobboard/js?for=surveymonkey, by appending a URL-encoded NULL byte %00, followed by...
Versa Networks: Insecure File Creation Mask
In VOS, an overly permissive "umask" may allow authorized users of the server to gain unauthorized access through insecure file permissions that can result in arbitrary read, write, or execution of newly created files and directories. An insecure umask setting was present throughout the Versa...
HackerOne: Lack of cross-origin request blocking allows leaking of sensitive information on several endpoints
Summary: It is possible to make users leak sensitive information on several endpoints by measuring the time certain requests take to be cached. Description: If a request is made to https://hackerone.com/github/weaknesses and the user is logged in, the size of the response will be around 9kb becau...
HackerOne: Information disclosure
Summary: Chaining a few simple informative issues on the HackerOne platform and applying a new method of timing attack, exploiting an interesting feature in HTML5 (https://developer.mozilla.org/en-US/docs/Web/API/Resource_Timing_API/Using_the_Resource_Timing_API, more precisely "Copy with CORS"), we can perform low-cost,...
Node.js third-party modules: Insecure implementation of deserialization in cryo
I would like to report code injection in the serialization package cryo. It allows executing arbitrary code using a custom prototype. Module: module name: cryo; version: 0.0.6; npm page: https://www.npmjs.com/package/cryo. Module Description: JSON on steroids. Built for node.js and browsers. Cryo is inspired b...
Node.js third-party modules: Insecure implementation of deserialization in funcster
I would like to report code injection in the serialization package funcster. It allows executing arbitrary code during deserialization of JSON. Module: module name: funcster; version: 0.0.3; npm page: https://www.npmjs.com/package/funcster. Module Description: This library contains utilities for serializing...
Ubiquiti Inc.: Two Factor Authentication Bypass
The researcher found a method to brute-force the 2FA code request in the www.ubnt.com login page. This method still requires the username/password from the account...
Bitso: Injecting html codes
Hi, I observed that I could inject some HTML code in this page: https://bitso.com/authenticate?redirect=/merchantinfo. To reproduce: Log in to your account that has two-factor authentication set up. After you log in you will be redirected to a page where you will enter the authentication code. Open ...
Valve: Buffer overflows in demo parsing
This was originally reported by @yalter at https://github.com/ValveSoftware/halflife/issues/1654...
Valve: App name leakage on economy history page
App name leakage on economy history page. Partners with authorization to view economy logs for their own titles could be presented with a list of all game titles that have used economy features...