New Relic: Blind SSRF in Ticketing Integrations Jira webhooks leading to internal network enumeration and blind HTTP requests
Summary The Ticketing Integrations Jira webhooks for Jira 5/6 and Jira 4 are vulnerable to Blind SSRF issues. These endpoints can be abused to map internal NewRelic network services and send blind HTTP GET and POST requests to identified services. Details The Ticketing Integrations Jira 4 and Jir...
Ed: Session Cookie Without Secure Flag
Hi Ed, the bug mentioned in report 343095 is not yet correctly patched, I believe. Previously, the researcher reported that the cookie gitlabsession is not Secure (Missing Secure Flag) and you closed that report as Informative and said that "Exploitability of this issue is so low that it does not...
Mail.ru: lootdog.io XSS
An open redirect can be observed at this link: 1. https://lootdog.io/register?next=http://mail.ru?https%3A%2F%2Flootdog.io%2F Fill in this form, confirm the phone number: F290679 We are redirected to http://mail.ru Impact open redirect...
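Added example, not code from the report or from lootdog.io: the payload above places the allowed site's URL inside the query string of an attacker's URL, which is exactly what a "contains the allowed domain" check lets through. The Python block below contrasts such a check (naive_is_safe_next, an assumed model of the weak validator) with one that resolves the candidate against the site origin the way a browser resolves a Location header and then checks the resulting scheme and host. SITE_ORIGIN and ALLOWED_HOSTS are assumptions made for the example.

```python
from urllib.parse import unquote, urljoin, urlsplit

# Assumed for this example: the application's own origin and the hosts a
# post-registration redirect may target. Not taken from the report.
SITE_ORIGIN = "https://lootdog.io"
ALLOWED_HOSTS = {"lootdog.io"}


def naive_is_safe_next(next_url: str) -> bool:
    """Validator of the kind the reported payload defeats (assumed model, not
    the site's real code): decode, then require that an allowed host appears
    somewhere in the value. 'http://mail.ru?https%3A%2F%2Flootdog.io%2F'
    passes because the allowed host sits in the attacker URL's query string."""
    return any(host in unquote(next_url) for host in ALLOWED_HOSTS)


def is_safe_next(next_url: str) -> bool:
    """Accept only destinations that stay on the application's own origin.

    The value is resolved against the site origin, and the *resulting* scheme
    and host are checked. This rejects absolute URLs to other hosts,
    scheme-relative '//evil.example', userinfo tricks such as
    'https://lootdog.io@evil.example', lookalike hosts such as
    'lootdog.io.evil.example', and non-http schemes such as javascript:.
    """
    if not next_url or any(ch in next_url for ch in "\\\r\n\x00"):
        # Browsers treat backslash as slash; CR/LF/NUL could split the header.
        return False
    try:
        parts = urlsplit(urljoin(SITE_ORIGIN + "/", next_url))
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def redirect_target(next_url: str, default: str = "/") -> str:
    """Location to send after registration: the validated value or a default."""
    return next_url if is_safe_next(next_url) else default
```

The resolve-then-check order matters: checking the raw string is what leaves room for encoding, userinfo and scheme-relative tricks, whereas checking what the browser will actually navigate to does not.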
Node.js third-party modules: Unrestricted file upload (RCE)
I would like to report an unrestricted file upload in express-cart. It allows a user with administrative privileges to upload a file to any path. Module module name: express-cart version: 1.1.5 npm page: https://www.npmjs.com/package/express-cart Module Description expressCart is a fully function...
Node.js third-party modules: Privilege escalation allows any user to add an administrator
I would like to report privilege escalation in the npm module express-cart. It allows a normal user to add another user with administrator privileges. Module module name: express-cart version: 1.1.5 npm page: https://www.npmjs.com/package/express-cart Module Description expressCart is a fully...
HackerOne: Team object in GraphQL discloses team group names and permissions
Summary: Hi team. We can disclose your team member groups. Description: Because of the communications error, we can disclose the data - teammembergroupsid,name,permissions Steps To Reproduce 1. "query": "query...
Mail.ru: api.icq.com / ability to edit the text of any user or group by forwarding it.
I found a nasty hole. The thing is that when a user's or group's message is forwarded, the text is passed in a parameter. Of course I tried to edit it and send the packet, but it did not work, and then I used an old method: usually a GET request goes first, and that is the one we change, but after it there is a POST request which...
Uber: Lack of CSRF protection on uberps.com makes every form vulnerable to CSRF
A malicious website can cause visitors who are currently authenticated to https://uberps.com to take sensitive actions on https://uberps.com. A basic CSRF vuln on an old Uber microsite. Check out my blog https://healdb.tech/blog/ or my Twitter https://twitter.com/healdben for some Bug Bounty tool...
Nextcloud: OAuth2 Access Token and App Password Security Vulnerability
The OAuth2 endpoint of the Nextcloud server was not following RFC 6749. The server did not perform the required verification of provided data, and it did not properly rotate and expire access tokens. In case of a compromised OAuth client this could lead to unauthorized access. After working...
Ed: Session Cookie Without Secure Flag,
Assigned to: ED. Assigned by: Kirtikumar Anandrao Ramchandani. Assigned on: 25/04/2018. Bug overview: Session cookie without Secure flag. Cookie name: gitlabsession. Description / Risk description: Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel...
HackerOne: Team object in GraphQL disclosed total number of whitelisted hackers
Summary: Hi team. Whitelisted hackers - I think your setup: "Two-factor authentication and IP whitelisting are available to further restrict access to accounts." Description: Again, because of the link error, I can see the number, but I can't see these links. Analogue of 310946. Steps To Reproduce 1...
Stellar.org: brute force attack allowed on admin page https://www.stellar.org/wp-admin/
Hi security team. Due to your bug bounty program, I found a basic authentication method. By doing many trials, the server will respond and will not block the login process. The attack can be automated with Burp Intruder until getting access to the admin page. In the second screen the request is intercepted...
Open-Xchange: Referer in /servlet/TestServlet
Hi. The referer URL is not encoded in https://sandbox.open-xchange.com/servlet/TestServlet. You check, but I think you just need to replace. Steps: 1. Upload a file. 2. Change the mimetype to "file":"filemimetype":"text/x-javascript" 3. Share to All or Link, but then you need to insert an iframe, same as in 342585. 4. Make the URL...
Mail.ru: api.icq.com / ability to write to anyone (even icqsystem)
You can write to any uin via an API request by doing a clever trick. We have the request api.icq.net/im/sendIM ?t=1 &mentions= &message=0 &f= &aimsid=003.3533131881.4023885996%3A740645342 We see the parameter ?t=1. If we try to send a message to it, alas, we will not succeed. But if we add 0 to the parameter...
Mail.ru: api.icq.com / no limit on sending messages when the protection parameter "&r" is removed
Researcher reported that removing the r= parameter from the request allows bypassing rate limits. This claim was not confirmed: the r= parameter protects the message from intermediate caching and prevents sending the same message twice in the case of a network failure; it does not affect any rate limits, no security...
Rockstar Games: Smuggle SocialClub's Facebook OAuth Code via Referer Leakage
In this report, the researcher provided a POC in which they were able to combine two issues to create a condition that potentially could have allowed an attacker to obtain OAuth tokens. One of the issues involved allowing external content to load in our Screenshot Viewer tool; we resolved this...
Semrush: Password reset token leakage via referer
Hi Team, I have found that if a user opens the reset password link and then clicks on any external link within the reset password page, it leaks the password reset token in the Referer header. Steps to reproduce: 1. Open the password reset page from the email. 2. Click on any social media link in the follow us section...
Open-Xchange: [XSS] Style/Event Filter Bypass v4.0
Hi. I updated today to 7.8.4 Rev28 and found a new way - no filter before. Previous reports: 314204. Without the // comment you check: 1. As Object. Payload: Result: 2. Comma && empty object. Payload: Result: Fix - I think you need to replace all ' with &#x27; if style='a"a&#x27;a' and replace all " with &#x22; if...
ExpressionEngine: XML Member Proccessing - Local File inclusion Vulnerability
@lawrenceamer discovered a local file inclusion vulnerability that logged in users with access to the control panel and permission to access developer utilities may be able to exploit. @lawrenceamer gave a detailed report with step-by-step instructions for replicating and screen captures of the...
Node.js third-party modules: [bruteser] Path Traversal allows to read content of arbitrary file
I would like to report a Path Traversal in the bruteser module. It allows reading the content of any file on the server where bruteser is installed and running. Module module name: bruteser version: 0.0.2 npm page: https://www.npmjs.com/package/bruteser Module Description BruteSer - server can be...
ExpressionEngine: Import File Converter - local File inclusion
@lawrenceamer discovered a local file inclusion vulnerability that logged in users with access to the control panel and permission to access developer utilities may be able to exploit. @lawrenceamer gave a detailed report with step-by-step instructions for replicating and screen captures of the...
Ed: DOM XSS in edoverflow.com/tools/respond due to unsafe usage of the innerHTML property.
Hi, There's a DOM XSS vulnerability on edoverflow.com. This cannot be exploited without user interaction, so I had to make a clickjacking PoC to trick the user into triggering the payload her/himself. Reproduction Steps 1. Open the attached HTML document in Firefox. 2. Drag Frog 1 to the other two...
Mail.ru: invalid handling of redirect_uri at o2.mail.ru/jsapi/button
o2.mail.ru/jsapi/button gets embedded as a login window in websites that use o2 OAuth. By default the parameter redirect_uri may have either the value of a whitelisted domain from the particular app (by clientId) or it may lead to .mail.ru; then it contacts the parent window via postMessage. Other domains a...
X (Formerly Twitter): XSS via Direct Message deeplinks
Description: By using a specially crafted payload as the value of the text parameter in a Direct Message deeplink, a malicious user can inject arbitrary HTML tags and possibly run arbitrary JavaScript code on the "twitter.com" origin. Steps To Reproduce: 1. Create a Direct Message deeplink by...
Mail.ru: api.icq.com / ability to join any chat (even a closed one).
We get the API link for joining a chat; in my case it is this one: https://api.icq.net/mchat/AddChat?aimsid=002.0516319051.0828645279:740645342&c=WebIM.jscbtmpc12813&[email protected]&members=740645342 We see the parameter &[email protected]; simply change the numeric value and that's...
Shopify: SSRF in Exchange leads to ROOT access in all instances
The Exploit Chain - How to get root access on all Shopify instances 1 - Access Google Cloud Metadata - 1: Create a store partners.shopify.com - 2: Edit the template password.liquid and add the following content: html...
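Added example, not code from Shopify, New Relic or either report: this entry and the New Relic Jira-webhook entry above both come down to a server fetching a URL the user controls, with the cloud metadata endpoint (169.254.169.254) and internal services as the targets. The Python block below is a validator for outbound URLs that refuses link-local, loopback, private and IPv4-mapped addresses, checks every address a name resolves to rather than only the first, and takes the resolver as a parameter so the check runs offline and the fetcher can reuse the same answers. The hostnames and DNS records in it are constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Tuple
from urllib.parse import urlsplit

# Networks an outbound fetcher on a cloud instance must never reach.
# 169.254.169.254 (link-local) is the metadata endpoint on GCP, AWS and Azure;
# the rest are loopback, RFC 1918 / shared / multicast / reserved space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
# Names that point at the metadata service or the host itself.
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}

# hostname -> every address it resolves to (A and AAAA). Injected so the check
# is testable offline and so fetcher and check share one set of answers.
Resolver = Callable[[str], Iterable[str]]


def is_blocked_ip(text: str) -> bool:
    ip = ipaddress.ip_address(text)
    # ::ffff:169.254.169.254 reaches the IPv4 target; judge the embedded address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_outbound_url(url: str, resolve: Resolver) -> Tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). A name mapping to one public and one internal
    address is refused. The caller must connect to an address returned by the
    same resolution, not resolve the name again, or DNS rebinding between
    check and connect reopens the hole.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES:
        return False, f"host {host!r} is on the deny list"
    try:
        addresses = [host] if _is_ip_literal(host) else list(resolve(host))
    except OSError:
        return False, "resolution failed"
    if not addresses:
        return False, "name did not resolve"
    for addr in addresses:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


def make_static_resolver(table: Dict[str, Iterable[str]]) -> Resolver:
    """Offline stand-in for DNS, fed with constructed records."""
    def resolve(host: str) -> Iterable[str]:
        if host not in table:
            raise OSError(f"no such host: {host}")
        return table[host]
    return resolve
```

Redirects need the same treatment: a fetcher that follows a 302 from an allowed host to 169.254.169.254 has done nothing useful, so either disable redirects or re-run validate_outbound_url on every hop.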
Node.js third-party modules: [entitlements] Command injection on the 'path' parameter
Hello again, another command injection, this time on the entitlements module. Module module name: entitlements version: 1.2.0 npm page: https://www.npmjs.com/package/entitlements Module Description check the entitlements of a .app bundle Module Stats 26 downloads in the last day 328 downloads in...
Node.js third-party modules: [git-dummy-commit] Command injection on the msg parameter
Hi there, I've found a Command Injection on the "git-dummy-commit" module. Module module name: git-dummy-commit version: 1.3.0 npm page: https://www.npmjs.com/package/git-dummy-commit Module Description Create a dummy commit for testing Module Stats 62 downloads in the last day 94 downloads in th...
VK.com: Viewing any posts on a wall
Missing necessary checks when creating an advertisement. It was possible to view posts of any private and closed groups, deleted posts in groups or profiles, posts on deleted pages, blocked groups, posts in the suggested-posts queue...
VK.com: Part of the admin panel is accessible to all users
Disclosure of the old admin interface...
Ruby: Invalid URL parsing '#'
URI is not correctly parsed when "#" is included in the URL. Therefore, it could instead be tricked into connecting to a different host. PoC bash $ ruby --version ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-darwin16] ruby require 'uri' uri = URI("http://[email protected]/test") p...
Zomato: [www.zomato.com] Abusing LocalParams to Inject Code through ███████ query
@bigshaq found an endpoint which was throwing a 500 Internal Server Error after adding a double quote, and he thought that this behaviour might well be a SQLi; after a bit of fuzzing @bigshaq demonstrated why he believed it to be a SQLi - 500 ISE domain.com?type=redacted&id=1" - 200...
Nextcloud: The session token in the URL
Hello team, I found that the URL transports the session token, and it is sensitive information, so placing session tokens into the URL increases the risk that they will be captured by an attacker. Fix: applications should use an alternative mechanism for transmitting session tokens, such as HTTP...
Nextcloud: Bruteforce in admin panel
Hello there, the admin panel of your website https://nextcloud.com/wp-login.php is vulnerable to bruteforce attacks as there is no rate limiting. Impact: can gain access to the admin panel. To fix this, just add rate limiting...
Node.js third-party modules: [cloudcmd] Stored XSS in the filename when directories listing
I would like to report a Stored XSS issue in module cloudcmd It allows executing malicious javascript code in the user's browser. Module module name: cloudcmd version: 9.1.5 npm page: https://www.npmjs.com/package/cloudcmd Module Description Cloud Commander is an orthodox web file manager with...
Open-Xchange: [XSS] Parameter Theme
Hi. I found two cases via theme: inline fail && inject file done js $.when.applythis, g.thenfunction return g.mapfunctiona return a.responseText .join"/:oxsep:/" .donefunctionc 2 runCodeox.apiRoot, "/apps/load/", ox.version, ",", a.join"", c, e.completeLoadb, c.split"/:oxsep:/".eachfunctiona !...
Node.js: registry.nodejs.org Subdomain Takeover
I recently found an abandoned and/or overlooked nodejs.org subdomain that was indirectly pointing to Fastly. Fastly doesn't require any proof of DNS ownership to register new distributions that use a given domain, so I was able to effectively take it over. Vulnerability: Subdomain Takeover via...
Uber: Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg
lioncityrentals.com.sg employed a Wordpress installation that possessed a vulnerable plugin, Formidable Forms, which was vulnerable to reflected XSS, and exposed sensitive form data. Thanks again for the report, @healdb! This was the first bug I ever found that exposed a large amount of PII, than...
Node.js third-party modules: Command injection in 'pdf-image'
I would like to report command injection in pdf-image It allows executing commands on the server Module module name: pdf-image version: 1.0.5 npm page: https://www.npmjs.com/package/pdf-image Module Description Provides an interface to convert PDF's pages to png files in Node.js by using...
Shopify: Session works after logout from Shopify account
@Cryptographer reported if a logout request for a given session was received during the time a product creation request was in progress from the same session, it was possible the logout request could fail. We determined this was the result of a race condition in how we were updating and revoking...
Node.js: Use After Free in crypto.randomFill
Summary: We can trigger a Use-After-Free while running crypto.randomFill, so we can easily read/write heap memory using a typed array pointing to a freed backing store. Description: See this node_crypto.cc code: void RandomBytesBuffer(const FunctionCallbackInfo<Value>& args) { ... char* data = Buffer::Data(args[0])...
Monero: Buffer out of bound read in miniupnpc xml parser
Summary: This is a buffer OOB read vulnerability in miniupnpc when parsing an XML response. This vulnerability could result in a denial of service attack against the Monero client from within the local area network. Description: In miniupnpc, file "minixml.c", the function parseelt: static void parseelt(struct xmlparser...
Passit: Weak Password Policy on Signup
Hi Team, I would like to let you know about a password management issue. PoC: 1. Navigate to the signup page. 2. Fill in your details and give a password as simple as 123123. 3. You will see that you are registered; there is no strong enforcement. Fix: Use complex password management. Regard...
ExpressionEngine: [EE] Spoof the redirect process
The original report was not a security issue, but that did lead the reporter to discovering that a user could potentially be tricked by nesting redirects so that they first redirected to the site itself, which would allow the second redirect to occur without warning the user that they were being...
WordPress: "Bad Protocols Validation" Bypass in "wp_kses_bad_protocol_once" using HTML-encoding without trailing semicolons
Description: The wp_kses_bad_protocol_once function https://developer.wordpress.org/reference/functions/wp_kses_bad_protocol_once/ is used to sanitise content from bad protocols and other characters. It detects the protocol URI scheme by using the first colon character. It compares the identified protoco...
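Added example, not WordPress's code: the report's point is that a sanitizer which decodes character references only in their strict form never sees the colon that the browser sees, because an HTML parser also decodes a numeric reference with no trailing semicolon. The Python block models the weak check (naive_is_safe_url, an assumed reduction of the behaviour described) beside a hardened one that first decodes the way an HTML attribute parser would and only then classifies the scheme. The allowed-scheme list is an assumption.

```python
import html
import re

# Schemes allowed in href/src after sanitising. Assumed list for the example.
ALLOWED_PROTOCOLS = {"http", "https", "mailto", "ftp"}

_SCHEME_TOKEN = re.compile(r"^[a-z][a-z0-9+.-]*$")
# Numeric reference WITH a mandatory trailing semicolon: the too-strict form.
_STRICT_NUMERIC = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));")


def decode_strict(s: str) -> str:
    """Decode only numeric references that end in ';'. A browser does not
    insist on the semicolon, so '&#58' survives here yet renders as ':'."""
    def repl(m: "re.Match[str]") -> str:
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(cp) if 0 < cp < 0x110000 else m.group(0)
    return _STRICT_NUMERIC.sub(repl, s)


def naive_is_safe_url(url: str) -> bool:
    """Model of the reported weakness: decode strictly, then treat everything
    before the first ':' as the scheme. No colon means 'relative, pass'."""
    decoded = decode_strict(url)
    if ":" not in decoded:
        return True
    return decoded.split(":", 1)[0].strip().lower() in ALLOWED_PROTOCOLS


def browser_view(url: str) -> str:
    """Decode as an HTML parser decodes an attribute value: numeric and named
    references with or without the semicolon. Repeat until stable so doubly
    encoded input is fully resolved (defensive; browsers decode once)."""
    prev, cur = None, url
    for _ in range(8):
        if cur == prev:
            break
        prev, cur = cur, html.unescape(cur)
    return cur


def is_safe_url(url: str) -> bool:
    """Hardened check: classify the scheme of what the browser will see."""
    head, colon, _ = browser_view(url).partition(":")
    if not colon:
        return True  # genuinely relative
    # Browsers ignore ASCII controls and whitespace inside a scheme
    # ('java\tscript:'), so strip them before comparing.
    scheme = re.sub(r"[\x00-\x20\x7f]", "", head).lower()
    if not _SCHEME_TOKEN.match(scheme):
        return True  # e.g. '/path?t=10:30': that colon is not a scheme separator
    return scheme in ALLOWED_PROTOCOLS
```

The difference between the two checks is only where decoding happens: the weak one compares against its own partial decoding, the hardened one compares against the browser's.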
Unikrn: CSRF logs the victim into attacker's account
Description: There is no session validation while logging in, which leads to CSRF. Steps To Reproduce: 1. Create a CSRF login PoC using the following code. 2. Replace the email and password with valid credentials. 3. Send the script to the victim to make them click. References: 1. You've...
Mail.ru: [web.icq.com] Stored XSS in link when sending message
Domain, site, application -- https://web.icq.com/ Testing environment -- Chrome Steps to reproduce -- 1 Enter a chat 2 Send the following message: https://www.google.com/"onmouseover="javascript:prompt" 3 Hover the link Actual results -- XSS prompt shows. Expected results, security impact...
Mail.ru: XSS when adding a user to a chat
web.icq.com 1. Click on a chat. Open the side menu, notifications, select our account with the XSS nickname. On clicking the button "Start chat with ...", the XSS fires. screenshot1 Impact cookie theft...
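Added example, not code from ICQ or cloudcmd: the link payload in the previous report, the filename case in the cloudcmd entry and the nickname case here are the same mistake, untrusted text concatenated into HTML without escaping for the context it lands in. The Python block shows the concatenation pattern (naive_linkify, an assumed model of the vulnerable rendering) beside a renderer that escapes for both attribute and text context and only turns http(s) URLs into anchors; the payload string is the one from the previous report.

```python
import html
from urllib.parse import urlsplit

# Only these may become clickable links; javascript:, data: etc. stay inert.
SAFE_LINK_SCHEMES = {"http", "https"}


def naive_linkify(url_text: str) -> str:
    """Anchor built by concatenation (assumed model of the weakness): a quote
    inside the URL closes the href attribute and the remainder becomes new
    attributes such as onmouseover."""
    return f'<a href="{url_text}">{url_text}</a>'


def render_text(value: str) -> str:
    """Untrusted text placed in element content or inside a quoted attribute
    (nickname, filename, URL): escape &, <, >, " and ' so it can never close
    the context it is inserted into."""
    return html.escape(value, quote=True)


def render_link(url_text: str) -> str:
    """Hardened: http(s) URLs become anchors with the URL escaped for the
    attribute context; anything else is shown as escaped plain text."""
    try:
        scheme = urlsplit(url_text).scheme.lower()
    except ValueError:
        scheme = ""
    if scheme not in SAFE_LINK_SCHEMES:
        return render_text(url_text)
    safe = render_text(url_text)
    return f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>'


def render_start_chat_button(nickname: str) -> str:
    """Label such as 'Start chat with <nickname>' with the nickname escaped."""
    return f'<button type="button">Start chat with {render_text(nickname)}</button>'
```

Escaping is per context: the same html.escape output is correct inside a double-quoted attribute and in element content, but it is not enough inside a <script> block or a URL query string, which need their own encoders.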
Zomato: Clickjacking: Delete Account, Change privacy settings, Rate business, follow/unfollow (IE)
Inspired by report 337219. Please note that this report includes a clear security impact as well as a proof of concept. CVSS ---- medium 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L Description ----------- The application does not send a X-Frame-Options header, thus allowing pages to be...
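Added example, not from either report: a small audit over raw HTTP response headers that flags session cookies set without Secure, HttpOnly or SameSite (the gitlabsession entries earlier on this page) and pages that can be framed because neither X-Frame-Options nor a CSP frame-ancestors directive is present (this entry). The two responses in the block are constructed for the example and the cookie values are placeholders; the cookie name gitlabsession is taken from the entries above.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_response_headers(raw: str) -> List[Header]:
    """Split a raw response head into (lower-cased name, value) pairs, keeping
    repeats because Set-Cookie appears once per cookie."""
    headers: List[Header] = []
    lines = raw.strip().splitlines()
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break                   # blank line ends the head; body follows
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_attributes(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """'sid=abc; Path=/; Secure' -> ('sid', {'path': '/', 'secure': ''})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.lower()] = val
    return name, attrs


def audit(raw: str) -> List[str]:
    """Return human-readable findings for the response head in `raw`."""
    findings: List[str] = []
    headers = parse_response_headers(raw)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie}: missing Secure (sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: missing HttpOnly (readable by script)")
        if "samesite" not in attrs:
            findings.append(f"cookie {cookie}: missing SameSite")
    xfo = [v for n, v in headers if n == "x-frame-options"]
    csp = " ".join(v for n, v in headers if n == "content-security-policy").lower()
    if not xfo and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors: page can be framed (clickjacking)")
    return findings


# Constructed responses for the example; not captured from any real site.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: gitlabsession=PLACEHOLDER; path=/; HttpOnly
Set-Cookie: csrftoken=PLACEHOLDER; path=/; Secure; HttpOnly; SameSite=Lax

<!doctype html>..."""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: gitlabsession=PLACEHOLDER; path=/; Secure; HttpOnly; SameSite=Lax
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'

<!doctype html>..."""
```

Run audit over the output of curl -si against each authenticated page, not only the login page; the session cookie is usually set on one response and the framing headers are needed on every response that performs an action.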
Passit: Insecure Account Removal
Hi Team, The removal of an account is one of the sensitive parts of a web application that needs to be protected; therefore removing an account should validate the authenticity of the legitimate user. Scenario: The user logs in on a shared computer (office, library, cafe) and leaves the account open...