
15267 matches found

Hacker One
added 2024/10/31 1:57 p.m., 3 views

curl: Inconsistent URL Parsing in curl Leading to Potential SSRF and Access Control Bypass

0x01 Summary: An inconsistency in URL parsing within curl's URL handling leads to potential security risks such as Server-Side Request Forgery (SSRF) and access control bypasses. Specifically, when parsing URLs containing IPv6 addresses with zone identifiers (e.g., http://fe80::1%25eth0/), curl's pars...

6.8 AI score
Exploits: 0

Hacker One
added 2024/10/30 5:51 p.m., 45 views

Automattic: Open redirect via redirect_to parameter in tumblr.com

The Tumblr website was affected by an open redirect vulnerability that allowed an attacker to redirect users to a specified URL through the "redirect_to" parameter. This vulnerability could have been exploited to conduct phishing attacks or distribute malware...

7 AI score
Exploits: 0

Hacker One
added 2024/10/29 5:49 a.m., 42 views

AWS VDP: A potential risk in the experimental-programmatic-access-ccft which can be used to privilege escalation.

The experimental-programmatic-access-ccft application created a function with an associated role that was assigned policies with overly broad "sts:AssumeRole" permissions for "" resources. This could have allowed a malicious user to assume into any AWS Account in the AWS Organization, resulting i...

6.9 AI score
Exploits: 0

Hacker One
added 2024/10/28 3:7 p.m., 48 views

Internet Bug Bounty: CVE-2024-49761: ReDoS vulnerability in REXML

CVE-2024-49761 was a ReDoS vulnerability in the REXML gem. The vulnerability was caused by the parsing of XML input with many digits between "&" and "x...;" in a hex numeric character reference. This issue was resolved by updating the REXML gem to version 3.3.9 or later...

8.7 CVSS | 6.7 AI score | 0.01645 EPSS
Exploits: 0

Hacker One
added 2024/10/27 10:34 p.m., 38 views

Cosmos: Heap-Buffer-Overread in contains_whitespace when calling parser_validate after supplying a maliciously crafted buffer to parser_parse

A heap-buffer-overread vulnerability was discovered in the contains_whitespace function when calling parser_validate after supplying a maliciously crafted buffer to parser_parse. The vulnerability was not exploitable in the primary use case of the library, but a length check was added to prevent thi...

7.2 AI score
Exploits: 0

Hacker One
added 2024/10/26 5:6 a.m., 33 views

AWS VDP: A potential risk in the cloudFrontExtensionsConsole which can be used to privilege escalation.

A potential risk was found in the cloudFrontExtensionsConsole when it was deployed in the awslabs repository on GitHub. The functions created by the application had excessive permissions that could be leveraged to escalate privileges...

7.2 AI score
Exploits: 0

Hacker One
added 2024/10/25 6:42 a.m., 19 views

Cloudflare Public Bug Bounty: Any WARP User Can Access Organization-Specific Application

Vulnerability description not provided...

7.1 AI score
Exploits: 0

Hacker One
added 2024/10/24 4:17 p.m., 7 views

MTN Group: Admin Dashboard Access Leads to Updating Merchant Info

The application had a hidden registration endpoint that allowed an unauthorized user to sign up for an admin portal. This granted the user access to the admin dashboard, where they could view, edit, and delete information for registered merchants, cashiers, stations, and supervisors...

6.7 AI score
Exploits: 0

Hacker One
added 2024/10/24 10:26 a.m., 28 views

Doppler: Availability Impact from Exploiting Project Name Vulnerabilities

The vulnerability allowed a user to change the project name to a malicious string, which resulted in other users being logged out of their accounts when they attempted to access the project. This led to a denial of service for all users attempting to interact with the affected project, severely...

6.8 AI score
Exploits: 0

Hacker One
added 2024/10/24 5:16 a.m., 3 views

AWS VDP: Session Timeout Does Not Enforce Re-Authentication on AWS Access Portal

NOTE! Thanks for submitting a report to Amazon Web Services! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: AWS SSO...

6.9 AI score
Exploits: 0

Hacker One
added 2024/10/23 6:23 p.m., 4 views

AWS VDP: Non-Production API Endpoints for the bedrock-agent Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration

The non-production API endpoints for the bedrock-agent service failed to log to CloudTrail, resulting in silent permission enumeration. A total of 26 non-production endpoints were found that could be used with standard IAM credentials without generating CloudTrail logs. This vulnerability was...

7.1 AI score
Exploits: 0

Hacker One
added 2024/10/23 4:48 a.m., 28 views

HackerOne: Hackerone supports accounts organization takeover

The HackerOne email change process was found to have a vulnerability where the system automatically verifies the email address if the verification link is opened in any browser, even by email scanning bots without human interaction. This allowed an attacker to verify email addresses belonging to ...

6.9 AI score
Exploits: 0

Hacker One
added 2024/10/21 5:33 p.m., 32 views

Internet Bug Bounty: CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize()

CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize. A vulnerability was reported in the Django web framework's urlize function, which could lead to a denial-of-service attack. The issue was caused by a slow pattern in the urlize function when processing a user input string...

7.5 CVSS | 6.5 AI score | 0.01222 EPSS
Exploits: 0

Hacker One
added 2024/10/21 12:22 p.m., 31 views

AWS VDP: CVE-2020-5902

CVE ID: CVE-2020-5902. Description: Affected Product: F5 BIG-IP Traffic Management User Interface (TMUI). Severity: Critical. CVSS Score: 9.8. Description: Remote Code Execution (RCE) vulnerability in undisclosed pages of the TMUI. CVE-2020-5902 is a critical vulnerability affecting the BIG-IP Traffic...

10 CVSS | 8.4 AI score | 0.94426 EPSS
Exploits: 59

Hacker One
added 2024/10/19 10:28 a.m., 38 views

Internet Bug Bounty: [CVE-2024-47888] Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text

There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888. Carefully crafted text was found to cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly...

8.7 CVSS | 6.7 AI score | 0.00476 EPSS
Exploits: 0

Hacker One
added 2024/10/18 9:29 p.m., 24 views

curl: When curl uses Schannel as TLS backend, it fails to enforce TLS 1.3 cipher suite selections correctly

Vulnerability description not provided...

7.1 AI score
Exploits: 0

Hacker One
added 2024/10/17 12:25 p.m., 27 views

Mars: Insecure API Response Leads to Disclosure of Hashed Passwords

A security vulnerability was identified in the API of ████████. The endpoint ████████ was found to return sensitive user information, including hashed passwords, in its response. This exposure presented a significant security risk, as it potentially allowed unauthorized access to user credentials...

6.9 AI score
Exploits: 0

Hacker One
added 2024/10/17 10:41 a.m., 35 views

AWS VDP: Reflected XSS on Amazon EC2 Instance

Product: Amazon Elastic Compute Cloud (Amazon EC2). Vulnerability Type: Reflected Cross-Site Scripting (XSS). CVE: CVE-2022-29548. Severity: Medium. Description: A reflected XSS vulnerability was discovered on the Amazon EC2 instance, allowing an attacker to inject malicious JavaScript code, potentially...

6.1 CVSS | 6 AI score | 0.76361 EPSS
Exploits: 5

Hacker One
added 2024/10/17 6:12 a.m., 20 views

WordPress: Unauthenticated WordPress Database Repair DoS

Vulnerability description not provided...

7.1 AI score
Exploits: 0

Hacker One
added 2024/10/16 2:44 p.m., 24 views

AWS VDP: Information Disclosure Due To exposed .env file (Directory Listing) at ████████

Vulnerability description not provided...

7.1 AI score
Exploits: 0

Hacker One
added 2024/10/13 6:42 a.m., 22 views

Linux Foundation Decentralized Trust: Memory Leak in bytes_to_hexstring Function

The function bytes_to_hexstring was found to have a memory leak vulnerability. The function dynamically allocated memory using malloc but did not provide a way for the caller to free the allocated memory. This could lead to an increase in the program's memory consumption over time, potentially...

7 AI score
Exploits: 0

Hacker One
added 2024/10/12 7:9 a.m., 4 views

Nextcloud: Exposing debug.log file leads to server full path disclosure

The debug.log file on the nextcloud.com website was publicly accessible and contained sensitive information, including the server's full directory path. This type of information disclosure could have assisted attackers in understanding the internal structure of the server...

6.3 AI score
Exploits: 0

Hacker One
added 2024/10/12 5:41 a.m., 24 views

U.S. Dept Of Defense: [ CVE-2018-1000129 ] RXSS At `https://███████` via the URI

The CVE-2018-1000129 vulnerability allowed remote cross-site scripting (RXSS) at the specified URL. The vulnerability was due to improper sanitization of user input, which enabled the execution of arbitrary scripts in the victim's browser...

6.1 CVSS | 6.3 AI score | 0.76775 EPSS
Exploits: 1

Hacker One
added 2024/10/12 5:15 a.m., 18 views

MercadoLibre: It is possible to navigate to any page in the Point Smart application

The vulnerability allowed users to navigate outside the intended application environment through a link in the Point Smart application...

6.9 AI score
Exploits: 0

Hacker One
added 2024/10/12 4:22 a.m., 13 views

U.S. Dept Of Defense: Unauthenticated LFI (Local File Inclusion) using the symbol `!` At the target `https://████/`

The endpoint at https://████/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/ was vulnerable to unauthenticated local file inclusion using the symbol '!'. This allowed reading local files on the server, such as /etc/passwd and /etc/crontab...

7 AI score
Exploits: 0

Hacker One
added 2024/10/12 2:28 a.m., 9 views

MTN Group: Cisco IOS XE instance at ████ vulnerable to CVE-██████

A vulnerability was discovered in a Cisco IOS XE instance that allowed bypassing authentication to reach a web endpoint and execute arbitrary Cisco IOS commands or make configuration changes with Privilege 15 privileges. The vulnerability was characterized by improper path validation to bypass...

10 CVSS | 8.9 AI score | 0.94013 EPSS
Exploits: 26

Hacker One
added 2024/10/08 5:25 a.m., 20 views

MTN Group: Information disclosure due to debug mode enabled at Laravel instance https://mpos.mtn.co.sz/

The Laravel framework contained a vulnerability known as CVE-2021-3129, which allowed remote code execution due to unsafe usage of PHP in the Ignition debug module. This vulnerability was relatively easy to exploit and did not require user authentication, resulting in a high CVSS score of 9.8. Th...

9.8 CVSS | 8.3 AI score | 0.94287 EPSS
Exploits: 36

Hacker One
added 2024/10/07 7:34 p.m., 13 views

MTN Group: Unauthenticated phpinfo() files could lead to ability file read at █████████

The remote web server contained a PHP script that exposed sensitive information about the server's configuration through the phpinfo function. This information could have been used by an attacker to conduct further attacks against the system...

6.8 AI score
Exploits: 0

Hacker One
added 2024/10/07 4:58 p.m., 6 views

curl: CVE-2024-9681: HSTS subdomain overwrites parent cache entry

The HSTS (HTTP Strict Transport Security) cache in the curl web client can be overwritten by a subdomain, causing the parent domain's HSTS expiration time to be set incorrectly. This issue was discovered in curl versions 8.10.1 and 8.11.0-DEV...

6.5 CVSS | 6.4 AI score | 0.00745 EPSS
Exploits: 1

Hacker One
added 2024/10/07 2:52 a.m., 4 views

MTN Group: Ability to Add and Verify Uncontrolled Mobile Numbers Leading to Account Takeover (ATO)

The vulnerability allowed attackers to manipulate the OTP verification response to bypass the OTP check and link an uncontrolled mobile number to the victim's account. This led to an account takeover scenario where the attacker gained full access to the victim's account without controlling the...

7 AI score
Exploits: 0

Hacker One
added 2024/10/06 2:25 p.m., 27 views

MTN Group: CVE-2017-9822 DotNetNuke Cookie Deserialization Remote Code Execution (RCE) on lonidoor.mtn.ci

The DotNetNuke (DNN) versions between 5.0.0 and 9.3.0 were affected by a deserialization vulnerability that could lead to remote code execution. The vulnerability was caused by the way DNN handled the DNNPersonalization cookie, which was used to store anonymous users' personalization options. The...

8.8 CVSS | 7.4 AI score | 0.94293 EPSS
Exploits: 6

Hacker One
added 2024/10/04 1:23 a.m., 9 views

U.S. Dept Of Defense: Time-based blind SQL injection

A time-based blind SQL injection vulnerability was discovered in the sortBy parameter of the web application's SearchDocs.aspx functionality. The vulnerability was identified by observing differences in the server's response time when specific payloads were used. This type of vulnerability could...

7.6 AI score
Exploits: 0

Hacker One
added 2024/10/03 1:7 a.m., 2 views

Mars: █████████ when adding branches to your account

A vulnerability was identified in the branch addition functionality of the Royal Canin specialized channel website. The issue was classified as an Insecure Direct Object Reference (IDOR) vulnerability, which allowed unauthorized users to add branches to any account by manipulating the customer's...

6.9 AI score
Exploits: 0

Hacker One
added 2024/10/01 10:18 a.m., 4 views

U.S. Dept Of Defense: Cross-Site Scripting (XSS) Vulnerability via parameter c0-id + Akamai Firewall Bypass

A Cross-Site Scripting (XSS) vulnerability was discovered on a specific website. The vulnerability was found in the POST method, allowing the injection of malicious scripts that could be executed. Exploitation of this vulnerability could have led to consequences such as cookie theft and session...

6.1 AI score
Exploits: 0

Hacker One
added 2024/10/01 9:49 a.m., 3 views

U.S. Dept Of Defense: Cross-Site Scripting (XSS) Vulnerability via POST Method + Akamai Firewall Bypass

A Cross-Site Scripting (XSS) vulnerability was discovered in the POST method on the target website. The vulnerability allowed the injection of malicious scripts that could be executed. A payload was provided to bypass the Akamai firewall. The vulnerability was reported and the affected products and...

6.3 AI score
Exploits: 0

Hacker One
added 2024/09/29 1:44 p.m., 7 views

U.S. Dept Of Defense: Lack of rate limiting in https://███/PKI/PassReset.aspx leads to PII disclosure and potential account takeover

The password reset functionality of AFPC Secure allowed users to provide their Social Security Account Number (SSAN) and Mother's Maiden Name to reset their password. The issue was that the system informed the user if the SSAN was associated with an active PKI credential, leading to potential...

7 AI score
Exploits: 0

Hacker One
added 2024/09/27 5:39 p.m., 4 views

MTN Group: Broken Access Control leads to disclosure of transaction history via /v2/rechargeTransactionHistory endpoint

The vulnerability disclosed the transaction history details of MTN NG customers, including recharge dates, amounts, and transaction IDs. This was caused by insufficient authorization checks in the /v2/rechargeTransactionHistory API endpoint, which allowed access to other customers' data without...

7 AI score
Exploits: 0

Hacker One
added 2024/09/26 8:25 a.m., 10 views

U.S. Dept Of Defense: CVE-2020-7961 RCE Liferay Portal Unauthenticated via https://████████/

CVE-2020-7961 was a remote code execution vulnerability in Liferay Portal. The vulnerability was exploited through the "/api/jsonws/invoke" endpoint, which allowed unauthenticated users to execute arbitrary commands on the server...

9.8 CVSS | 9.9 AI score | 0.94352 EPSS
Exploits: 10

Hacker One
added 2024/09/25 9:40 p.m., 2 views

U.S. Dept Of Defense: XSS Reflected

The web application was vulnerable to reflected cross-site scripting (XSS) attacks. Untrusted data from the URL parameters was included in the application's response without proper sanitization or validation. This allowed an attacker to inject malicious scripts into web pages viewed by other users...

5.8 AI score
Exploits: 0

Hacker One
added 2024/09/25 8:53 a.m., 6 views

U.S. Dept Of Defense: SQL Injection

The application was found to have a blind SQL injection vulnerability in the 'filterevent' parameter. The vulnerability allowed an attacker to manipulate database queries and extract sensitive information from the database through time-based or boolean-based techniques, as the injection was blind...

7.6 AI score
Exploits: 0

Hacker One
added 2024/09/25 8:28 a.m., 3 views

Mozilla: Information disclosure on password cancel endpoint

The password reset cancellation process disclosed the user's IP address in the email sent to the user upon cancellation. This information disclosure vulnerability was exploited to obtain the IP address of a user by tricking them into submitting the password reset cancellation request...

6.7 AI score
Exploits: 0

Hacker One
added 2024/09/24 8:50 p.m., 4 views

U.S. Dept Of Defense: CSRF to XSS

The vulnerability allowed an attacker to combine Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. The XSS vulnerability allowed the injection of malicious scripts that could be executed in the victim's browser, potentially stealing sensitive data like cookies or session token...

6 AI score
Exploits: 0

Hacker One
added 2024/09/24 7:34 a.m., 7 views

Mozilla: User API Key leakage in Github commit leads to unauthorized access to sql.telemetry.mozilla.org

A Mozilla employee's API token for https://sql.telemetry.mozilla.org was leaked in one of the Github repos. The token provided access to the service dashboard which contained confidential data. The API token was rotated and removed from the service...

7.1 AI score
Exploits: 0

Hacker One
added 2024/09/22 7:20 p.m., 4 views

PortSwigger Web Security: cgi scripts wordlist entry for windmail.exe has payload that sends arbitrary file read result to third-party

The windmail.exe application in the CGI scripts wordlist had a vulnerability that allowed an attacker to read arbitrary files on the server and send the contents to a third-party email address...

6.9 AI score
Exploits: 0

Hacker One
added 2024/09/21 4:5 p.m., 3 views

MacTaggart Scott: Overwrite any file of the web server

The web server was vulnerable to file overwrite due to a vulnerable module used to generate files. An attacker could have overwritten any file on the web server, including critical system files, by sending a specially crafted request...

7 AI score
Exploits: 0

Hacker One
added 2024/09/20 5:42 a.m., 6 views

AWS VDP: External service interaction (HTTP)

The External Service Interaction vulnerability was discovered in a URL. The vulnerability allowed an attacker to induce the application to interact with arbitrary external services such as DNS and HTTP. This vulnerability was outside the scope of the program, as the related infrastructure had bee...

7 AI score
Exploits: 0

Hacker One
added 2024/09/16 4:45 p.m., 8 views

Internet Bug Bounty: `std::process::Command` batch files argument escaping could be bypassed with trailing whitespace or periods

The Rust Security Response WG disclosed a vulnerability in the std::process::Command module on Windows, where it incorrectly escaped arguments when invoking batch files. This allowed for bypassing the fix by including trailing whitespace or periods in the batch file name, which are ignored and...

10 CVSS | 6.7 AI score | 0.80539 EPSS
Exploits: 10

Hacker One
added 2024/09/16 12:13 p.m., 5 views

Nextcloud: Open redirect when logging in with user_oidc

An open redirect vulnerability was discovered in Nextcloud's user_oidc app. This vulnerability allowed an attacker to redirect users to a malicious website during the login process...

6.1 CVSS | 6.5 AI score | 0.00545 EPSS
Exploits: 0

Hacker One
added 2024/09/16 10:7 a.m., 2 views

HackerOne: Issue with VDP Program's Transition to Private Status and Missing Warning Labels on ORG Invitation

Vulnerability description not provided...

7.1 AI score
Exploits: 0

Hacker One
added 2024/09/16 5:57 a.m., 287 views

nullsec VDP: Test by HDR

Test by HDR...

7.1 AI score
Exploits: 0

Total number of security vulnerabilities: 15267