U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
SUMMARY: ==================== The DoD https://███/psc/EXPROD/ Web System uses the Oracle PeopleSoft platform, which is vulnerable to Remote Code Execution (RCE) and Denial of Service (DoS) attacks over a Java Object Deserialization (CWE-502) in the "monitor" service. Thus an attacker can generate and se...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
An application deserialization vulnerability was found in a misconfigured Department of Defense (DoD) website by @joaomatosf via POST/GET request. Impressive work. This showcases your skills! Thank you for supporting the DoD Vulnerability Disclosure Program!...
U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website
SUMMARY: ==================== The DoD https://██████/psc/EXPROD1/ Web System uses the Oracle PeopleSoft platform, which is vulnerable to Remote Code Execution (RCE) and Denial of Service (DoS) attacks over a Java Object Deserialization (CWE-502) in the "monitor" service. Thus an attacker can generate an...
VK.com: CSRF on audio upload
Insufficient hash checks when uploading audio recordings...
Mail.ru: Full account takeover am.ru
m.am.ru had insufficient protection against brute-forcing the SMS OTP. am.ru is not currently covered by the Bug Bounty program...
Upserve : reports.breadcrumb.com is vulnerable to arbitrary file existence disclosure (CVE-2014-7829)
A directory traversal vulnerability in a third-party ruby gem allowed a remote actor to determine the existence but not the contents of files outside of the application root...
Vanilla: Making further registrations difficult on Vanilla forum
Summary: After registering the account, the user gets a verification email. There is a number assigned in that mail and it is incremented for the next user. Trying to verify the next number with the same code shows "user not found" but will create a problem for the next person registering an account. Description:...
Vimeo: Improper Authentication in Vimeo's API 'versions' endpoint.
The versions endpoint was exploitable by accounts that were not pro or business. Issue -- There was an authorization issue in the versions endpoint which, on exploiting, could allow an attacker to leak private videos of pro/business users, due to the fact that versions are only applicable for pro/business...
Coinbase: ETH contract handling errors
A business logic error in the ETH contract handling code allowed for a nested revert call in contract execution to improperly credit a user account though funds had not been transferred. In addition, the code did not appropriately handle delegatecall within a contract. Sample contract for the fir...
Zomato: [Zomato Android/iOS] Theft of user session
Hi, I'd like to report a bug which allows theft of user data even without installing third-party apps. The Activity XML is exported, and can be accessed by a browser. When any WebView in a client app, or a browser, meets a zomato://etc URL it will automatically launch the Zomato app. File...
Mail.ru: IDOR widget.support.my.com
On lootdog.io you can contact the support service. When we have created a ticket and want to load it, the following request is executed...
Ruby on Rails: XSS vulnerability in sanitize-method when parsing link's href
Possible XSS vulnerability in rails-html-sanitizer There is a possible XSS vulnerability in rails-html-sanitizer. This vulnerability has been assigned the CVE identifier CVE-2018-3741. Versions Affected: 1.0.3 or older. Not affected: None. Fixed Versions: 1.0.4 Impact ------ There is a possible X...
Node.js third-party modules: [sexstatic] HTML injection in directory name(s) leads to Stored XSS when a malicious file is embedded with an <iframe> element used in the directory name
I would like to report HTML Injection vulnerability in sexstatic module. It is possible to use HTML in directory names, which might lead to run arbitrary JavaScript code in the browser. Module module name: sexstatic version: 0.6.2 npm page: https://www.npmjs.com/package/sexstatic Module Descripti...
Coinbase: User provided values trusted in sensitive actions
In the Coinbase zencart open source library, a researcher observed two issues related to making calls based on user provided values. The reporter observed that these issues could allow a malicious user to perform an open redirect and a CRLF injection in any PHP version =5.4.1. Unfortunately,...
Slack: Invitation reminder emails contain insecure links
If one gets invited to a Slack channel and does not act upon the invitation, a while later a reminder email is sent. The links in these reminders are http links. Excerpt from the mail: ---------------------- Don’t miss out — come join the conversation! Join Now...
Semrush: Error Page Content Spoofing or Text Injection
I want to report a content spoofing or text injection at u.semrush.com. Impact / Fix & Mitigation: Fix the 404 error page to a new one that does not allow text content injection...
Ruby: Potential command injection in `Shell#[]` and `Shell#test`
As Shell#test and Shell#[] use send when transferring to FileTest, private methods etc. can also be called. Therefore, command injection is possible when a crafted value is passed. $ irb irb(main):001:0> `ls xy` ls: xy: No such file or directory => "" irb(main):002:0> require 'shell' => true irb(main):003:0>...
Informatica: SSRF on infawiki.informatica.com and infawikitest.informatica.com
Researcher has identified and reported SSRF on Informatica's Sub-domain and helped us in resolving the issue...
Vanilla: disclosure of email by sending a message.
Summary: When you send a message, the E-mail field is created. Thus, through the JSON format, we can see the email of the user to whom we sent the message. Description: Steps to reproduce: 1. Create a message, select the user whose mail we want to open. F273484 F273485 2. Send a message and add...
HackerOne: Extra program metrics disclosed via /PROGRAM_NAME json response
Summary: The response to www.hackerone.com/PROGRAM.json includes slamissedcount slafailedcount and researchercount. Description: Viewing the response from a program's json endpoint includes the values for slamissedcount, slafailedcount and researchercount. With regards to the SLA metrics, these a...
Mail.ru: Stored Blind XSS
Blind XSS via support.my.com request ticket. kayako.support.my.com is not covered by the bug bounty; the bounty was awarded because lootdog.io users were potentially affected...
MyCrypto: HTML Injection on https://www.mycrypto.com/
A vulnerability was reported by t-pwn that allowed arbitrary HTML injection via the notifier functionality. After a keystore file was uploaded, the filename would be shown without first sanitizing it. MyCrypto has since fixed our notification to no longer display the unsanitized filename...
Greenhouse.io: DoS through cache poisoning using invalid HTTP parameters
I was taking a look into a related report https://hackerone.com/reports/298265 and I discovered that the https://boards.greenhouse.io/embed/jobboard/js?for= endpoint doesn't throw errors when I try to pass in an array of for parameters like this:...
Uber: Reflected XSS on multiple uberinternal.com domains
The base parameter of /oidauth/prompt on multiple uberinternal.com subdomains was not sanitized before being reflected into the page body, making it vulnerable to reflected XSS. Additionally, these pages were affected by a clickjacking vulnerability that made exploitation easier, since a click wa...
Vanilla: Able to Select Every Poll Option[http://tedwebers-famous-loudspeakers.vanillacommunities.com]
Summary: Hello, I would like to report a bug in which I was able to select multiple poll options even when a user is only allowed to select a single option. Description: In the New Discussion area of the site http://tedwebers-famous-loudspeakers.vanillacommunities.com, there is an option to create...
Uber: Improper Access Control on Onelogin in multi-layered architecture
Path traversal in the web server powering uberinternal.com allowed an attacker to view content hosted on these subdomains, bypassing OneLogin authentication...
U.S. Dept Of Defense: SSRF+XSS
I discovered that due to an outdated Jira instance, I was able to exploit an SSRF vulnerability in Jira and was able to perform several actions such as bypass any firewall/protection solutions, access AWS instance data, access Internal DoD Servers and internal services. Additionally I was able to...
U.S. Dept Of Defense: SSRF on █████████ Allowing internal server data access
Summary: An endpoint on ██████ allows internal access to the network, thus revealing sensitive data and allowing internal tunneling. Description: The OAuth plugin allows you to provide a URL that gives a snapshot of the web page. We can pass internal URLs and conduct SSRF. Impact: Critical
MyCrypto: Content Spoofing or Text Injection support.mycrypto.com
w2w reported a text injection attack where the user could be shown arbitrary text injected via query parameters. The MyCrypto team worked with w2w to resolve these issues, and appreciate the responsible disclosure. We look forward to continuing to work with the security community to triage and...
MyCrypto: Missing SPF record for the in scope domain
nli@nlistation:$ dig mycrypto.com txt ; <<>> DiG 9.10.3-P4-Ubuntu <<>> mycrypto.com txt ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- ; <<>> DiG 9.10.3-P4-Ubuntu <<>> gmail.com txt ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19223 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1,...
HackerOne: Leakage badges on disabled user
Indonesia Here ; Hi HackerOne Team, Description: This attack occurs when an attacker uses this GraphQL code: and this builds the path of the attacker getting disclosed information about how many programs are already closed as Resolved from a public or disabled user. Okay, now I do not say if the...
Open-Xchange: Stored-XSS with user interaction on [sandbox.open-xchange.com] via inserted link in mail
Hello, I would like to report a Stored-XSS on sandbox.open-xchange.com via an inserted link in mail. Steps to Reproduce ---- 1 Login as the first user (User A) and start creating a new mail message 2 Click on the insert link button and paste the following text qwe"-alert(document.domain)-" into Url and Plea...
Starbucks: Subdomain takeover on svcgatewayus.starbucks.com
Hello, this is a pretty serious security issue in some contexts, so please act as fast as possible. Overview: One of the starbucks.com subdomains is pointing to Azure, which has an unclaimed CNAME record. ANYONE is able to own a starbucks.com subdomain at the moment. This vulnerability is called subdomai...
LocalTapiola: xmlrpc.php file is enabled; it can be used for brute-force attacks and denial of service
Hi, https://www.lahitapiolarahoitus.fi is a WordPress site. WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. The website https://www.lahitapiolarahoitus.fi has the xmlrpc.php file enabled and could thus be potentially...
MyCrypto: Html injection mycrypto.com
Hello. I remembered that a couple of months ago I found an HTML injection vulnerability on myetherwallet.com, I sent it, but my message was ignored. Since you have the same interface, I decided to check this vulnerability on your site and it was reproduced. The vulnerability works both on...
Node.js third-party modules: `fs-path` concatenates unsanitized input into exec()/execSync() commands
I would like to report command injection in fs-path. It allows to inject and execute arbitrary shell commands while performing various operations from fs-path API like copying files. Module module name: fs-path version: 0.0.24 npm page: https://www.npmjs.com/package/fs-path Module Description...
Node.js third-party modules: `command-exists` concatenates unsanitized input into exec()/execSync() commands
I would like to report command injection in command-exists. It allows to inject and execute arbitrary shell commands while trying to determine if a crafted command exists. Module module name: command-exists version: 1.2.2 npm page: https://www.npmjs.com/package/command-exists Module Description...
LocalTapiola: Reflected XSS on bbe_open_htmleditor_popup.php of BBE Theme via "value"-GET-parameter
Basic report information Summary: The BBE Theme allows unauthorized access to bbe_open_htmleditor_popup.php, which echoes unsanitized values of the value GET parameter, leading to reflected XSS. Description: www.lahitapiolarahoitus.fi has WordPress with the BBE Theme v1.52. I did some code review an...
LocalTapiola: Reflected XSS (myynti.lahitapiolarahoitus.fi)
Basic report information Summary: There is a Reflected XSS on myynti.lahitapiolarahoitus.fi. Description: There is a Reflected XSS on the myynti.lahitapiolarahoitus.fi website. The redirect parameter is vulnerable to XSS. Impact: Steals cookies from other logged-in users. Browsers / Apps Verified In:...
MyCrypto: Missing SPF Records.
What Is an SPF/TXT Record? An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain. Checking...
MyCrypto: DOM Based XSS in mycrypto.com
Description & PoC The "connected successfully" message is printed out without any output sanitization: F271357 This is how it's being printed (this code snippet is taken from mycrypto-master.js, line 4072): F271359 An attacker can simply put his payload in the link and it'll be embedded within the pag...
Mail.ru: Account Takeover on https://www.delivery-club.ru via partner account.
Improper access control allowed a partner account to perform privileged actions on a user's account with the same ID. Incorrect session check...
Upserve : Blind stored xss in demo form
Through Upserve's demo request form, @pareshparmar found a blind XSS in a 3rd party package for Upserve's CRM system. While the CRM system and 3rd party package are out of scope for our program, we decided to reward @pareshparmar for his work in bringing this issue to our attention. - Endpoint...
Shopify: XSS *.myshopify.com/collections/vendors?q=
WAF cut ", but " and ' still in. 1. PoC example: link" style="font-size: 1001pt;" 2. mouse on X 3. ... 4. XSS alert message. Impact: XSS attack...
Rootstock Labs: JSON RPC methods for debugging enabled by default allow DoS
A vulnerability was discovered in the RSK JSON-RPC server that allowed an attacker to cause a denial of service (DoS) attack by sending the evm_reset command. The server would hang, become slow, and eventually become synced to block 0, resulting in a loss of service and responsiveness to all users...
Ping Identity: SaaS admin can modify/delete/get user information.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: add summary of the vulnerabili...
Ping Identity: Server-Side Request Forgery on SAML Application - Import via URL
Summary == The My Applications feature on PingOne Identity admin allows you to add new SAML applications to your account. One feature allows you to import metadata via URI instead of via upload. This uses Java 1.8 to make an external web request to the URI supplied. Typically this is hard to...
U.S. Dept Of Defense: Publicly accessible Order confirmations leaking User Emails on ███
Summary: I noticed that a user's order confirmation was publicly accessible, leaking email information. Description: An attacker can glean sensitive information that is stored in the order confirmation file. Impact: Medium. Step-by-step Reproduction Instructions...
Ping Identity: CSRF in Inviting users
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: add summary of the vulnerabili...
Mail.ru: Double authentication bypass
Report describes the current behavior of the "Bind session to IP" and "Disable parallel session" security settings and is unrelated to authentication. While the behavior doesn't match the reporter's expectation (e.g. mobile and desktop sessions may exist in parallel despite the settings), the current behavior is...