15278 matches found
Ubiquiti Inc.: Bypass blocked profile protection on aircrm.ubnt.com
The researcher discovered a bypass in the "block profile publication" feature...
Starbucks: Unauthorized access to jiratest.starbucks.com
@damian89 found an unsecured JIRA instance containing internal and sensitive information. The finding was supported with detailed reporting and impact information. We immediately blocked remote access to the site and prevented anonymous users from browsing and editing issues. Thank you @damian89...
New Relic: Internal API endpoint discloses full account name of email address associated with unconfirmed user
There's an interesting thing happening with the Internal API call that lists users on an account. Based on what I can tell, it's another IDOR like █████████ in which it exposes user information of accounts that Steps to reproduce: 1. Create an account 2. As an admin, go to create a new user...
Ruby: HTTP header can split /[\r\n]/ instead of /\r\n/
https://www.ruby-lang.org/ja/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/...
Open-Xchange: [XSS] Pasting bootstrap in mail compose
Hi. No filter for bootstrap data attributes. data-target allow any html, e.g.: - " href="" collapse - " href="" dropdown - " href="" modal Steps: 1. Create page with this code best example with dropdown, you can use my template https://secator.com/ox/bootstrap.html 2. Ctrl+A select all, Ctrl+C co...
Vend VDP: Race Condition : Exploiting the loyalty claim https://xxx.vendhq.com/loyalty/claim/email/xxxxx url and gain x amount of loyalty bonus/cash
Hey Team! I love loyalty bonuses that turn first-time users into returning customers, but sometimes loyalty can be exploited, just like in this case. TL;DR: A first-time loyalty customer will get x times the amount of loyalty bonus from the store by racing the loyalty link x amount of times in...
Dropbox: User Impersonation - Create Support Ticket With Any Registered Account Email
This report described a method to make support tickets look as if they came from another email address. Normally this would present a problem, however our customer support representatives will first verify the user's email address before taking any action or disclosing any information about a...
Khan Academy: https://mathfacts.khanacademy.org/ includes code from unprivileged localhost port
The webpage https://mathfacts.khanacademy.org/ contains an invalid javascript include at the bottom of the page: This is probably some unintended leftover from the development. In normal situations this will only cause the browser to be unable to connect. But it can actually become a security ris...
HackerOne: Email Forwarding invitations for Drafts are not marked as accepted, allowing multiple users to join a program after disabling Email Forwarding
STEPS TO REPRODUCE: 1. I have found a sandboxed team in hackerone, named █████. 2. The manager of that team sends an invitation to: ██████████, an email which did not exist on any hackerone account 3. Now the invitation link received was ======== ████ 4. I logged in from multiple researcher accounts and...
Nextcloud: Extremely simple way to bypass Nextcloud-Client PIN/Fingerprint lock
I'm sorry for my bad English, I'm German How to reproduce this security bug. Step 1: Take a normal Android smartphone maybe it also works on iOS, but I have not tested it yet. Step 2: Install the official nextcloud-client. Step 3: Set up nextcloud: Open the nextcloud app, tap on "Skip", enter the...
Brave Software: Cross domain tracking even with 3rd party cookies disabled.
Cross domain tracking Default settings from Brave browser have 3rd party cookies disabled. Which I am assuming also disables 3rd party storage like IndexedDB etc. Because of this protection it is not possible for a 3rd party to track users across multiple domains. But, even though third-party cooki...
Ubiquiti Inc.: 3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290)
There are certain end-points containing functionalities that are vulnerable to reflected cross site scripting (XSS), allowing attackers to abuse the user's session information and/or account takeover of the admin user. Authenticated users can be persuaded to visit malicious web pages, which allows...
Nextcloud: Improper protection of FileContentProvider
Some data in the FileContentProvider is protected against applications not related to NextCloud. The application checks if calling application package name contains "com.nextcloud.client" string. Every application with such substring in package name is allowed to fully access FileContentProvider...
Shopify: Order notifications being sent for a deactivated staff account
Hi, Steps to reproduce: - Have a staff account with settings permission - The staff account can go to notifications & add himself so as to get new order notifications - Now, deactivate the staff account via the admin. - Create a new order, you shall see that the staff still receives the order...
Node.js third-party modules: [buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser
I would like to report HTML Injection in buttle module. Due to lack of filename sanitization, it is possible to inject a malicious iframe tag via filename and execute arbitrary JavaScript code. Module module name: buttle version: 0.2.0 npm page: https://www.npmjs.com/package/buttle Module Descripti...
VK.com: Determining a user id by phone number
Insufficient checks in certain requests...
Node.js third-party modules: [buttle] Remote Command Execution via unsanitized PHP filename when it's run with --php-bin flag
I would like to report Remote Code Execution in buttle module. When buttle is run with the --php-bin option to handle PHP, the PHP filename is not sanitized and allows injecting shell commands. Module module name: buttle version: 0.2.0 npm page: https://www.npmjs.com/package/buttle Module Description...
Mail.ru: XSS on https://www.delivery-club.ru/sd/test_330933/info/
Stored XSS on www.delivery-club.ru domain. At the time of reporting, delivery-club.ru client-side vulnerabilities are not covered by the bug bounty program...
Node.js third-party modules: [pdfinfojs] Command Injection on filename parameter
Hello, there is a Command Injection vulnerability in the "pdfinfojs" module. Module module name: pdfinfojs version: 0.3.6 npm page: https://www.npmjs.com/package/pdfinfojs Module Description pdfinfo shell wrapper for Node.js Module Stats 10 downloads in the last day 61 downloads in the last week...
U.S. Dept Of Defense: Information Disclosure
I discovered that due to an outdated atlassian software instance, I was able to exploit an SSRF vulnerability in confluence and was able to perform several actions such as bypass any firewall/protection solutions, was able to perform XSPA through assessing the response times for ports, access...
Mail.ru: Partner Account Takeover on https://www.delivery-club.ru via a user account.
Improper access control allowed a user account to perform privileged actions for a partner's account with the same ID. The situation is the same as in 324230, but in the other direction. Partner accounts can be taken over using a session from the main site...
Node.js third-party modules: [serve] Directory listing and File access even when they have been set to be ignored (using dot-slash)
I would like to report a vulnerability in serve. It allows listing directories and reading local files on the target server. Module module name: serve version: 6.5.3 npm page: https://www.npmjs.com/package/serve Module Description Ever wanted to share a project on your network by running just a...
Tor: Expose relay IP in the debug (The source is different from the rendering)
Greetings, -- I observed that it was possible to expose the ip of a relay by doing this : Poc : -- - Go to https://sorry.google.com/sorry/misc/ - You must observe this visual. F279451 - Open Tor Browser debug - You must observe this visual F279452 Note : -- You observe that between the debug and...
LocalTapiola: F5 BIG-IP Cookie Remote Information Disclosure
Basic report information Summary: The remote host for myynti.lahitapiolarahoitus.fi appears to be an F5 BIG-IP load balancer or behind a load balancer, and the unencrypted cookie may disclose the BigIP pool name, the backend's IP address and port, and the routed domain. Description: The remote host appears to be ...
Node.js third-party modules: [serve] Directory listing and File access even when they have been set to be ignored
I would like to report a vulnerability in serve on macOS. It allows listing directories and reading local files on the target server. Module module name: serve version: 6.5.3 npm page: https://www.npmjs.com/package/serve Module Description Ever wanted to share a project on your network by running...
VK.com: VIEWING ANY PRIVATE PHOTOS + PREVIEW OF ANY PRIVATE VIDEO.
Viewing private photos. The vulnerability was found in the article editor. It allowed viewing any private photos and the preview of any private video...
Node.js third-party modules: [html-pages] Stored XSS in the filename when directories listing
I would like to report a Stored XSS vulnerability in html-pages. It allows executing malicious JavaScript code in the user's browser. Module module name: html-pages version: 2.1.1 npm page: https://www.npmjs.com/package/html-pages Module Description Simple development http server for file serving a...
Node.js third-party modules: `byte` allocates uninitialized buffers and reads data from them past the initialized length
I would like to report a memory exposure vulnerability in byte. It allows extracting process memory using Buffers in some cases. Module module name: byte version: 1.4.0 npm page: https://www.npmjs.com/package/byte Module Description Input Buffer and Output Buffer, just like Java ByteBuffer. Module...
Node.js third-party modules: [angular-http-server] Server Directory Traversal
I would like to report a Server Directory Traversal vulnerability in angular-http-server. It allows reading local files on the target server. Module module name: angular-http-server version: 1.4.3 npm page: https://www.npmjs.com/package/angular-http-server Module Description A very simple...
Node.js third-party modules: [mcstatic] Server Directory Traversal
I would like to report a Server Directory Traversal in mcstatic. It allows reading local files on the target server. Module module name: mcstatic version: 0.0.20 npm page: https://www.npmjs.com/package/mcstatic Module Description Static Http server for mocking and stuff Vulnerability Steps To...
Udemy: S3 bucket unnecessarily discloses permissions
The 'udemy-images' bucket allows the 'AllUsers' group to list ACLs that are applied to the bucket. By navigating to: https://udemy-images.udemy.com or by using the aws-cli tool an attacker can see which users have READ, WRITE, READACP, and WRITEACP rights. Doing this now we can see one user who h...
Reverb.com: Bypassing CSRF Token On Reply Message & Send Message
Issue was with CSRF token validation in the sandbox environment. Just another CSRF bypass, by deleting the token. Thanks to the reverb team, fixed and responded quickly. Reference: https://zseano.com/tutorials/5.html...
Stellar.org: Exploitable vulnerability in SDEX
Hi, Last Thursday I discovered the exploitable vulnerability in SDEX. I immediately reported the bug directly to Jed by email and he confirmed it. It's all about rounding during trades. You see, I found that orders are always executed if the price matches market, even if the amount is as small as...
Ubiquiti Inc.: UniFi Video Server web interface admin user Firmware Update path traversal leading to local system compromise
The UniFi Video Server for Windows web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware update information. If the...
Sony: Remote Code Execution (RCE) in a Sony Pictures WebSystem
X (Formerly Twitter): [dev.twitter.com] XSS and Open Redirect Protection Bypass
Description: Hi, after I finished reading the report https://hackerone.com/reports/260744, I started to test this subdomain. I found an interesting url https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/basics/adding-international-support-to-your-apps. This url is special, my intuition tells me th...
X (Formerly Twitter): Tracking of users on third-party websites using the Twitter cookie, due to a flaw in authenticating image requests
Summary: As part of our SoftwareLab@TU Darmstadt latest research project, we discovered a privacy-related vulnerability in multiple high-profile websites, including Twitter. An attacker exploiting this vulnerability can identify a user of your website while the user visits an attacker-controlled...
Node.js third-party modules: [public] Stored XSS in the filename when directories listing
I would like to report a Stored XSS issue in module public. It allows executing malicious JavaScript code in the user's browser. Module module name: public version: 0.1.3 npm page: https://www.npmjs.com/package/public Module Description Run static file hosting server with specified public dir &...
Reverb.com: Stored xss in shop name @ lp.reverb.com
hello team, There is a stored xss in lp.reverb.com. An attacker can inject a malicious script into the server while adding a shop name such as lll"alert'xss';. Exploit: https://lp.reverb.com/shops/faniyos-boutique/listings Steps to reproduce: 1. Navigate to https://reverb.com/my/lpshop/edit 2. Change your lp sho...
Node.js third-party modules: Bypass to defective fix of Path Traversal
I would like to report a Path Traversal vulnerability in localhost-now. It allows reading arbitrary files on the server. This is a bypass of the mitigation for 312889. Module module name: localhost-now version: 1.0.2 npm page: https://www.npmjs.com/package/localhost-now Module Description Am I th...
HackerOne: h1-202 leaderboard photo discloses local wifi password
Summary: the h1-202 event took several photos for the event that rotate on the public leaderboard. One of these photos disclosed the local wifi SSID and Password. Description: SSID: HackerOne Password: █████████ Steps To Reproduce 1. Look at the photo attached Remediation Have your staff...
LocalTapiola: Internal IP Address Disclosure at https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/pages
Basic report information Summary: Hello, I found an internal ip address at https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/pages. Description: While digging the path in the /wp-json/ directory, I found this url: https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/pages and when I request this using Bu...
Ubiquiti Inc.: UniFi Video Server web interface Configuration Restore path traversal leading to local system compromise
In UniFi Video Controller 3.9.3 and prior, a user with administrator privileges can restore the configuration using a specially crafted zip file. Due to the lack of validation for path traversal, the user can upload arbitrary files to arbitrary locations...
Ubiquiti Inc.: UniFi Video Server web interface Configuration Restore CSRF leading to full application compromise
In UniFi Video 3.10.0, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes to the server configuration without the user's consent, requiring the attacker to lure an authenticated user into accessing an attacker-controlled page...
Mapbox: Test-scripts for postgis in mason-repository using unsafe unzip of content from unclaimed bucket creates potential RCE-issues
On March 25, 2018 @fransrosen reported a vulnerability to Mapbox. An AWS S3 bucket previously owned by Mapbox was reclaimed by this researcher, which is possible due to the global namespacing of S3 buckets. This bucket was still actively referenced in a test script. The bucket takeover therefore...
Ubiquiti Inc.: UniFi Video web interface Configuration Restore user privilege escalation
Summary of the issue: Low privileged UniFi Video users can abuse the Configuration Restore functionality to modify any application configuration setting, including creating new administrative users. Details: The UniFi Video Server Windows web interface configuration restore functionality at the...
Internet Bug Bounty: Silent omission of certificate hostname verification in LibreSSL and BoringSSL
Abstract LibreSSL and BoringSSL implemented X509_VERIFY_PARAM_set1_host differently than OpenSSL. All applications that use the preferred and documented way to configure a TLS connection for hostname validation silently neglect to perform hostname validation at all. As a consequence, they are...
Sony: Remote Code Execution (RCE) in a Sony WebSystem
New Relic: Drupal admin takeover via install.php not being performed prior to install.
@grampae discovered an uninitialized Drupal instance running on one of our properties being hosted by a third party provider, an issue we've seen previously. To prevent this issue from surfacing again, we decommissioned the related domains and contacted the provider with details of the issue...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
SUMMARY: ==================== This report describes a vulnerability similar to that described in my other reports 329376, 329397, 329399 The DoD https://████/psc/EXPROD/ Web System uses the Oracle PeopleSoft platform which is vulnerable to Remote Code Execution RCE and Denial of Service Attacks D...