New Relic: IDOR via internal_api "users" endpoint
While trying to figure out what the heck is going on with 347664, I stumbled upon another way to perform the "gift that keeps on giving" as @ahamlin put it. Steps to reproduce: 1. Add an unconfirmed user to your account 2. Navigate to https://alerts.newrelic.com/accounts/1523936/channels 3. Click ...
Node.js third-party modules: Stored XSS in Node-Red
I would like to report a stored XSS in node-red. It allows executing JavaScript in the user's browser. Module: module name: node-red; version: v0.18.4; npm page: https://www.npmjs.com/package/node-red. Module Description: A visual tool for wiring the Internet of Things. Module Stats: 1,758 downloads in...
Nextcloud: Banner Grabbing - Apache Server Version Disclosure
I have found a little information disclosure on your system. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is used to get information about remote servers. I've captured the HTTP request while visiting...
GitLab: Snippet JS template allows attacker to read a user's private snippets
These days snippets can be embedded in a site other than the GitLab instance. An embed link is only generated for public snippets, as can be seen in the app/views/shared/snippets/header.html.haml: haml - if publicsnippet? .embed-snippet .input-group .input-group-btn %button.btn.embed-toggle...
HackerOne: Timing attack towards endpoints on the web without CSRF
Summary: When logged in user on HackerOne visits another web page, remote web page could get conclusion regarding this data: - logged in user - number of triaged reports in the last month - number of new reports at the moment - number of closed reports ... This conclusions are only from one...
Mail.ru: XSS web.icq.com double linkify
XSS via malformed link in message on web.icq.com...
Trello: Websocket response message disclose existence of Organization ID or Board ID
I found that a websocket response message can reveal the existence of an organization or board ID. It is up and running in another domain. PoC ==================== connect websocket. var ws = new WebSocket("wss://trello.com/1/Session/socket?token="); ws.onopen = function(event) { console.log(''); }; ws.onmessage =...
Hyperledger: many commands can be manipulated to delete identities or affiliations
Introduction: The Fabric-ca data in the HTTP body and authorization header for many commands that are sent from client to server are protected by a signature. But I find the identity and affiliation commands still have the risk of being manipulated. A hacker can manipulate most other commands to delete identitie...
New Relic: Stored XSS in Browser `name` field reflected in two pages
The Name field of the Browser apps feature is not properly escaped in at least two pages. An attacker can create a new browser application with a specially crafted Name field which will be reflected and interpreted by other users visiting these two pages. Leveraging this vulnerability, I was able ...
U.S. Dept Of Defense: Code reversion allowing SQLI again in ███████
Summary: I just noticed that my publicly disclosed report, https://hackerone.com/reports/311922, is still vulnerable; either a code reversion was made or something was done to revert the patch. Additionally I'd please request that the images in the report be censored or redacted as it's been ma...
HackerOne: Team object in GraphQL that have a published external program may expose existence of a private program
Summary: Hi Team! On Team object the parameter "icannotcreatejirawebhookreasons" is not NULL and gets the following default states when called for all programs "CANNOTVIEW","FEATUREGATED","PROGRAMPERMISSIONREQUIRED" If a Company Program runs a Private Program or a Public On the "FEATUREGATED" is...
Mail.ru: Attacker can send requests from mail.ru server
SSRF was potentially possible via request to Sentry in-app error tracking / debugging system. Problem was mitigated by isolating Sentry installation to restricted network...
Nextcloud: Click Jacking Nextcloud
Hello Security, Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking contro...
X (Formerly Twitter): Improper session handling on web browsers
Summary: Sessions are not properly logg...
HackerOne: Program metrics disclosed response_efficiency_percentage via /program_name json response despite the team decided not to show on their profile
Hi Team, Summary: First of all, I am not sure if a private program or any program has the capability to not show its response efficiency, but I assume they have because I saw some private programs that do not show the response efficiency percentage on their public page. Description: Below list of...
New Relic: Permissions leaks the full name of other NR accounts - Regression of #267636
One more before I run to dinner... Steps to Reproduce: 1. Add a user to your account (enter "123" as the name and "[email protected]" as the email, make them a "user" base role, and click the add user button). 2. Navigate to https://synthetics.newrelic.com/accounts/1523936/permissions 3. Create a...
VK.com: Open Redirection Vulnerability in m.vk.com
Open Redirect...
Zomato: XSS in "explore-keywords-dropdown" results.
It seems that people have exploited this vulnerability before on this website; however, it remains unpatched, so here I am reporting the vulnerability. An XSS vulnerability exists when a restaurant or dish is created with a malicious name. The title of the dish or restaurant is not properly filter...
New Relic: [synthetics.newrelic.com] SMTP header injection leads to (mass) arbitrary email sending
While setting up a Synthetics "Ping", I noticed that the name of your monitor was echoed back in warning emails about hosts that fail the validation string phase. I abused this mechanism to insert newlines into these emails, allowing the sending of near arbitrary emails to an easily...
Semmle: Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning
Summary: Docker Registry HTTP API v2 is exposed in HTTP without authentication. An attacker can use it to dump your docker images and poison them. Description: While digging into the environment that hosts the sandboxed build container, I came across the port 5000 open on another machine probably...
Internet Bug Bounty: Linux kernel: CVE-2017-6074: DCCP double-free vulnerability
Hi! CVE-2017-6074 is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain kernel code execution from an unprivileged process. The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability to be present. A lot of modern distributions enable this option by...
Mail.ru: Blind Stored XSS
Blind XSS in torg.mail.ru admin panel. torg.mail.ru is not currently covered by bug bounty program. Blind XSS out of scope, but affecting shop accounts and the admin panel...
Rockstar Games: LFI and SSRF via XXE in emblem editor
This summary is provided by the researcher who submitted this report, @alexbirsan . About one year after I started messing with the emblem editor, I finally found a full SSRF and LFI. I was able to extract text files from the server and HTTP responses by rendering them on my crew emblem. For thos...
Mail.ru: LFI in beta.mail.ru
Local file read via file:// URI in report's image in beta.mail.ru. beta.mail.ru is not currently covered by bug bounty program. Arbitrary server file read due to insufficient validation of attached images...
Cloudflare: Remote file inclusion using "/cdn-cgi/pe/bag2?r[]="
Grampae was able to load arbitrary resources into an HTML response form. The following header parameters provided an HTTP request back, although sometimes 30 minutes later: X-Forwarded-For, Client-IP, Referer, Contact, X-Wap-Profile, Forwarded, X-Originated-IP, X-Client-IP, From, User-Agent. The resource...
Node.js third-party modules: Remote code execution in NPM package getcookies
I would like to report remote code...
Mail.ru: XSS e.mail.ru fixSpecialSymbols
Domain, site, application -- e.mail.ru Testing environment -- Firefox Steps to reproduce -- 1. send email from 2. add sender to contacts on https://e.mail.ru/messages/inbox/ 3. using Firefox go to https://e.mail.ru/compose/ 4. click on "Кому:" (To:) to open Contacts Actual results -- alert message Expect...
GitLab: Persistent XSS - Selecting users as allowed merge request approvers
Summary: When using the dropdown that selects the users that are allowed to approve a merge request, it is possible to trigger an XSS with a malicious user name string. Description: This vulnerability is similar to the recently announced CVE-2018-10379 and another vulnerability I recently reported...
GitLab: XSS (Persistent) - Selecting role(s) for protected branches
Summary: When using the dropdown that selects the groups or users that are allowed to push or merge to a protected branch within a project, it is possible to trigger an XSS with a malicious user name string. Description: This vulnerability is similar to the recently announced CVE-2018-10379. The...
Ed: Session cookie missing SecureFlag on git.edoverflow.com.
Assigned to: ED. Assigned by: Kirtikumar Anandrao Ramchandani. Assigned on: 01/05/2018. Bug overview: Session cookie without secure flag. Cookie Name: _gitlab_session. Description / Risk description: Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel...
RATELIMITED: Local File Download
Summary: This bug affects support.ratelimited.me and can be used by attackers to download local files from your servers, including your emails and files uploaded by your admins and other users. Description: While starting a conversation with your support agent, I noticed an option to upload a file...
Shopify: Publicly Accessible Datadog link
During my daily scanning of shopify and shopify's internal domain Shopify.io, I landed on a personal bookmark of an employee: █████████ who works at Guru at Shopify. The link for personal bookmark is here: ███ There is a personal bookmark called ██████████. When going to the link: ████████ it...
Node.js third-party modules: Arbitrary file overwrites in `node-tar`
Background I was looking for vulnerabilities in a different tar library, tar-fs, and discovered a bug that allowed me to overwrite arbitrary files on the host system using its default extraction method. After reporting the bug to the maintainer of tar-fs, Mathias Buus, he realized that node-tar w...
Uber: Cleartext password exposure allows access to the desafio5estrelas.com admin panel
Vendor created and managed site desafio5estrelas.com exposes an administrator login password through the JavaScript source. This site was used by Uber in Portugal to encourage low-rated drivers to raise their ratings. This password allowed remote users access to the administrator panel of the site...
Mail.ru: easyXDM allows cross domain postmessaging with any origin, leaking sensitive info
Mail.Ru Agent uses the easyXDM library for cross-domain communication between different mail.ru messaging systems. For modern browsers postMessage is used inside. The security issue was because of a lacking ACL for domains. So a malicious person could, in some circumstances (he should know the victim's email), forc...
Monero: epee will accept an arbitrary amount of leading line-breaks in an http request
Summary: In the epee http protocol handler, as it reads a new request, it first attempts to ignore any leading carriage-returns and line-feeds. It does not have a mechanism to give up if an inordinate number of CrLfs are encountered. Description: The pertinent block of code is here:...
New Relic: User is able to access and create private synthetics locations without upgrading (regression of #276157)
It seems like the fix done for 276157 wasn't enough, as I'm able to bypass it and generate private synthetics locations without approval or the proper plan. This is the page that users see when they navigate to the private synthetics location: F291890 I'm able to bypass this by navigating as an Admi...
Avito: reflected XSS avito.ru
Hi Avito, I found an XSS on your site. 1. Follow this link https://www.avito.ru/sankt-peterburg?verifyUserLocation=1login?next=javascript:alert;// 2. Log in via OK, VK, etc. 3. The XSS executes. Impact XSS...
██████: Same Origin Policy Bypass at ██████.com
██████.com: helps different sectors of business to create passes very easily through their app. ██████.org: helps their customers focus on using video to move their business in meaningful ways...
New Relic: Adding a new user discloses their full name in the "Users" section of NR Alerts notification channels page
The NR developers did a really good job at restricting me from finding out info about other user accounts through the NR Synthetics settings - so far I haven't found a way to bypass it yet 😉. There exists another way to obtain this information about other user accounts, and it has to do with the...
Instacart: View & add to cart unlisted items via IDOR
Access Control vulnerability that would let an attacker order certain items from the API, even though they are missing from the Web catalog...
Mail.ru: Stored XSS in a forwarded message.
Hello! I discovered a peculiarity of forwarded messages: we can modify their content. And then I remembered my self-XSS, where one could change a sticker id to, for example, " and the JS would run, but the sticker was not sent because of an error, i.e. the message was visible only to our...
VK.com: [Linking an email to a page] by [email protected] | email-flood
Some checks are missing when linking an email. Impact: e-mail flood. Flooding. █.vk.com/█?act=█&█=█&█=█&█=█&█=█&█=█&█=█&[email protected]&█=█&ref=█ Status: fixed. No more flooding. █.vk.com/█?act=█&█=█&█=█&█=█&█=█&chash=█&█=█&ref=█...
Mail.ru: api.icq.com / ability to view the avatar and name of a private chat
It was possible to manipulate chat ID in forward message to get meta-data chat name of private group chat...
Zomato: [www.zomato.com] IDOR - Gold Subscription Details, Able to view "Membership ID" and "Validity Details" of other Users
Hello Zomato, The following URL: https://www.zomato.com/gold/payment-success?subscriptionid=██████████&userid=█████████ is vulnerable to IDOR in the subscriptionid field. Anyone can get the Subscription Start & End Date and Plan Duration of a Membership ID just by changing the subscriptionid parameter...
Mail.ru: XSS account.mail.ru in state JSON script
Domain, site, application -- account.mail.ru Testing environment -- Chrome Steps to reproduce -- Login and open...
Uber: Uber employees are sharing information on productforums.google.com
@researcher found an exposed Google spreadsheet on productforums.google.com containing mostly test data. The researcher also found screenshots of Uber tools on Prezi containing driver personal information. This was the result of a small piece of research done after https://twitter.com/xKushagra released tip...
Node.js third-party modules: The react-marked-markdown module allows XSS injection in href values.
I would like to report XSS in...
Mail.ru: XSS touch.mail.ru compose Body
Domain, site, application -- touch.mail.ru Testing environment -- Mobile devices tested on Chrome for iPad Steps to reproduce -- login using Chrome in Chrome for iPad User-Agent https://touch.mail.ru/messages/sentmsg?Body=%3Cimg%20src%20onerror%3dalert1%3E Actual results -- alert1 Expected result...
Internet Bug Bounty: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
The exif_read_data function is prone to an out of bounds read while processing crafted JPG data. This was discovered using AFL. It can be reproduced as follows: USE_ZEND_ALLOC=0 php -r...