Uber: Outdated WordPress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities
Outdated WordPress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities This was a pretty simple vulnerability discovered using WPScan, which found a few vulnerable plugins. And be sure to check out my blog https://healdb.tech/blog/ or my Twitter...
Ubiquiti Inc.: Firmware download/install vulnerable to CSRF
Attackers can abuse multiple end-points not protected against cross-site request forgery (CSRF); as a result, authenticated users can be persuaded to visit malicious web pages, which allows attackers to perform arbitrary actions, such as downgrading the device's firmware to older versions, modifying...
JamieWeb: Insecure Transportation Security Protocol Supported (TLS 1.0) on https://www.jamieweb.net
Summary: https://www.jamieweb.net still supports the TLS 1.0 protocol, which has several flaws. Vulnerability: With an SSL security scanner I was able to identify that an insecure transport security protocol, TLS 1.0, is still supported by your web server. TLS 1.0 has several flaws. An attacker can...
MyCrypto: Reflected XSS { support.mycrypto.com }
A reflected XSS was reported by sup3r-b0y that was activated by displaying unsanitized values of query parameters. The MyCrypto team worked with sup3r-b0y to identify and verify the fix, and are happy to confirm that the vulnerability described in the report has now been fixed. We are happy to...
Laravel: Persistent Cross-Site Scripting in default Laravel installation
Persistent XSS in default Laravel Installation I have been using the Laravel framework for quite a while now and discovered something odd. When following the installation instructions for the latest Laravel version 5.6.8 at the time of writing you will be up and running in a matter of minutes. Ev...
Internet Bug Bounty: Two vulnerabilities in GNU binutils
Last year, I submitted a bug to GNU and applied for two CVEs: https://vulners.com/cve/CVE-2017-12799 https://vulners.com/cve/CVE-2017-12967 Impact: denial of service or information leak...
Imgur: CSRF leads to a stored self xss
Followup from 311460 Summary Self-XSS and CSRF are both out of scope, but when paired it is possible to create an attack on a user. Description A favorites folder with an XSS payload as its name will launch when saving an image to said folder. This can be verified by following these steps Visit yo...
Upserve : Information disclosure through search engines (password reset token)
Search on Google for: site:"hq.breadcrumb.com" Or access this link: https://www.google.com/search?q=site%3A%22hq.breadcrumb.com%22&oq=site%3A%22hq.breadcrumb.com%22&aqs=chrome..69i57j69i58.6216j0j7&sourceid=chrome&ie=UTF-8 Note that this vulnerability can be obtained on other search engines. Impact...
Upserve : Ability to reset password for account
The attacker was able to send a password reset link to an arbitrary email by sending an array of email addresses instead of a single email address. POST https://hq.breadcrumb.com/api/v1/passwordreset HTTP/1.1 with body like "emailaddress":"[email protected]","[email protected]"...
Internet Bug Bounty: Exim off-by-one RCE vulnerability
Hi, I found an off-by-one in an Exim MTA utility function. It was reported to Exim and an official patch has been released, assigned CVE-2018-6789. This bug affects all versions of Exim. This bug is simple, but can be leveraged to gain remote code execution using skillful heap exploitation. Details are...
Mail.ru: Local paths disclosure through error message
bonus.mail.ru disclosed trace information with absolute paths via 5xx error messages bonus.mail.ru is not covered by bug bounty scope...
██████: RCE, SQLi, IDOR, Auth Bypass and XSS at [staff.███.edu.eg ]
██████...
Shopify: Replace other user files in Inbox messages
Summary When a store publishes their listing, a user can message them if they are interested. Company can reply to this query and also add a file. When a file is uploaded, the link looks like this: https://shopify-exchange-private.s3.amazonaws.com/attachments/. This file can be replaced if the...
Open-Xchange: [XSS/CSRF] filter content-type bypass in Files v2.0
Hi. sandbox.open-xchange.com runs a version that contains a fix for your first report First report 304098 If you found a valid workaround, please open a new report, thanks : : Yeah, I tested now in sandbox. Steps: 1. Add Note with any html tags 2. Change Fileinfo: json...
Zomato: [www.zomato.com] Getting a complimentary dessert [Zomato Treats] on ordering a Meal at no cost
1. Go to the order food tab and select any restaurant that delivers online. 2. Add Zomato Treat Subscription to cart. 3. Add more items to cart to fulfil the minimum order requirement for that restaurant. 4. Click on Continue and proceed to pay online. 5. While paying online I faced the issue that...
Vanilla: A user can comment in private discussions without having permission to access the discussion
Hello team, I have found a vulnerability which allows a user who does not have access to a discussion to comment on it and thus avoid the control applied. http://littleguy.vanillastaging.com/ Proof Of Concept ============= For this proof of concept I have used 3 users. User A creates a PRIVATE...
Node.js third-party modules: `njwt` allocates uninitialized Buffers when number is passed in base64urlEncode input
I would like to report an uninitialized Buffer allocation issue in njwt. It allows an attacker to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed e.g. from JSON. Module module name: njwt version: 0.4.0 npm page:...
Node.js third-party modules: `put` allocates uninitialized Buffers when non-round numbers are passed in input
I would like to report an uninitialized Buffer allocation issue in put. It allows an attacker to extract sensitive data from uninitialized memory by passing in non-round numbers, in setups where typed user input can be passed e.g. from JSON. Module module name: put version: 0.0.6 npm page:...
Node.js third-party modules: `utile` allocates uninitialized Buffers when number is passed in input
I would like to report an uninitialized Buffer allocation issue in utile. It allows an attacker to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed e.g. from JSON. Module module name: utile version: 0.3.0 npm page:...
X (Formerly Twitter): Takeover of Twitter-owned domain at mobileapplinking.com
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: Not sure there is much of a...
Node.js third-party modules: `base64-url` below 2.0 allocates uninitialized Buffers when number is passed in input
I would like to report an uninitialized Buffer allocation issue in base64-url. It allows an attacker to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed e.g. from JSON. Module module name: base64-url version: 1.3.3...
Node.js third-party modules: `base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below
I would like to report an uninitialized Buffer allocation issue in base64url. It allows an attacker to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed e.g. from JSON, on Node.js 4.x and lower. Module module name:...
Node.js third-party modules: `atob` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below
I would like to report an uninitialized Buffer allocation issue in atob. It allows an attacker to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed e.g. from JSON, on Node.js 4.x and lower. Module module name: atob...
Node.js third-party modules: `stringstream` allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below
I would like to report an uninitialized Buffer allocation issue in stringstream. It allows an attacker to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed to the stream e.g. from JSON, on Node.js 4.x and lower. Modu...
Mail.ru: XSS in the nickname of a contact request.
Stored XSS in web.icq.com via nickname in contact add request...
Node.js third-party modules: `http-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak
I would like to report a Buffer allocation vulnerability in http-proxy-agent. In setups where the auth argument is user-controlled, it allows an attacker to: cause a denial of service by trivially consuming all the available CPU resources; extract uninitialized memory chunks from the server on Node.js. This module...
VK.com: Viewing photos from private/closed groups.
Viewing private photos. A hard hack to view any photos from any groups, plus the ability to like them and obtain the hash for any user...
Stellar.org: It's possible to put SDX orderbook into invalid state and execute trades at arbitrary price
stellar-core improperly handles creation of a buy offer which crosses existing sell offers (immediate execution) but can only be filled partially due to a trustline limit on the source account. This makes it possible to create a valid offer to buy any custom asset at a higher price than existing sell...
Keybase: Fix bypass of different processing of usernames on Hackernews
Description In report https://hackerone.com/reports/307670 the reporter identified a flow which abuses parsing differences between Keybase and Hackernews. Although the original report is resolved, there appears to be a bypass having the same impact by abusing upper-case letters. Steps to reproduce 1...
Vanilla: xss reflected in littleguy.vanillastaging.com
Go to littleguy.vanillastaging.com, create an account and go to http://littleguy.vanillastaging.com/discussion/comment/ Go to: http://littleguy.vanillastaging.com/discussion/comment/6'%22%26%25%22%3E%3Csvg/onload=prompt1%3E/ Payload: 6'%22%26%25%22%3E%3Csvg/onload=prompt1%3E/ Reflected XSS Impact ...
Mail.ru: XSS in the livechat name
Stored XSS in web.icq.com via livechat name...
Vanilla: A user can create an event in a group without being in it http://littleguy.vanillastaging.com/
Hello again, I have found another failure other than the 321405 report; in this failure a user can create an event in a group in which he is not a member. PoC === I've used two accounts. With the first one I created the following groups F268608 User B has joined the group Hello, therefore creates an event ...
Vanilla: Forum Users Information Disclosure
Summary: An unauthorized (even unauthenticated) user is able to view some private information about forum users. This information includes: email address even if the user does not allow it, IP address of the user, data of some of the private messages between two users. Description: by brute forcing...
Monero: Monero GUI not linked with /DYNAMICBASE or hardening on windows, no ASLR
Summary: The monero daemon is compiled and linked without ASLR, at least on Windows. This security hardening feature should be enabled in order to make exploitation of this service harder. Description: See above. Releases Affected: At least v0.11.1.0, probably more / Tested on Windows 8.1 Steps To...
Slack: HTML Injection inside Slack promotional emails
Hi, There's an HTML injection vulnerability present inside emails sent from Slack when the FIRST name on the account contains HTML. The HTML is stored in the backend database and when emails (promotional, etc.) are sent, the HTML is sent along with the rest of the email. In my PoC, which is provided...
Node.js third-party modules: [hekto] open redirect when target domain name is used as html filename on server
Hi, There is an open redirect in hekto when target domain name is used as html filename on server. Module module name: hekto version: 0.2.3 npm page: https://www.npmjs.com/package/hekto Module Description This package exposes a directory and its children to create, read, update, and delete...
New Relic: [NR Synthetics] Restricted user can view synthetics monitors and user permissions through .json endpoint at /permissions/securablemetadata/{GROUP ID}
This report is two reports in one, but I figured why create two reports when the root cause is essentially the same exact endpoint. Description When a restricted user with no permissions to view synthetics monitors tries to navigate to the permissions settings within Synthetics...
Grab: [growth.grab.com] Reflected XSS via Base64-encoded "q" param on "my.html" Valentine's microsite
Hi, An encoded injection in the q parameter on my.html can be used to reflect JavaScript in the growth.grab.com context. This microsite creates a "Grab's Valentine" card for a driver over the past year, and carries its data in Base64 format. Proof of concept Please visit the following URL, scroll...
Node.js third-party modules: `foreman` is vulnerable to ReDoS in path
I would like to report ReDoS in foreman. It allows an attacker to cause denial of service by supplying a crafted path. Module module name: foreman version: 2.0.0 npm page: https://www.npmjs.com/package/foreman Module Description Node Foreman is a Node.js version of the popular Foreman tool, with a few Node...
HackerOne: Open Redirection in index.php page
Summary: Redirection is performed by the HackerOne website when the index.php page is visited. The parameter to index.php is used in the redirection. By manipulating this parameter, an attacker can redirect the victim outside www.hackerone.com Description: When a user visits www.hackerone.com/index.php/xyz, he/sh...
Shopify: myshopify.com domain takeover
Hello Shopify Security Team, I just received your email and I'm sorry for any inconvenience. Yes, it was me. Basically, I just tried to audit your website using some black box testing. Unfortunately, I didn't read about those guidelines, such as creating a store on https://partners.shopify.com/ a...
Node.js third-party modules: `npmconf` (and `npm` js api) allocate and write to disk uninitialized memory content when a typed number is passed as input on Node.js 4.x
I would like to report a Buffer allocation issue in npmconf and the npm package js api. It allows an attacker to extract sensitive content from uninitialized memory by passing typed input to setCredentialsByURI, limited to Node.js 4.x and below. Module module name: npmconf version: 2.1.2 npm page:...
Internet Bug Bounty: memory corruption while parsing HTTP response
In the network-interfacing PHP API file_get_contents, a mechanism is implemented to parse the HTTP/S response from the remote host. A vulnerability is found when the vulnerable PHP build processes certain malformed HTTP/S response packets, resulting in negative array indexing. Vulnerable code at:...
New Relic: [NR Alerts/Synthetics?] User with no Synthetics permissions can view synthetic monitor details through /internal_api/ endpoint
Hey all, This one is pretty interesting. What's happening is that a user with no permissions to view synthetics will get this page when they try to navigate directly to the Synthetics monitor list https://synthetics.newrelic.com/accounts/1523936/monitors: F267305 However, the restricted user can...
New Relic: Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts
@jonbottarini discovered a regression in the way users are shown within the Alerts notification UI. This allowed him to reveal the first and last name of an existing registered user if their email was known, rather than showing an obfuscated version of that information. The application protects...
Node.js third-party modules: `concat-with-sourcemaps` allocates uninitialized Buffers when number is passed as a separator
I would like to report an uninitialized Buffer allocation issue in concat-with-sourcemaps. It allows an attacker to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in unlikely setups where the separator is attacker-controlled. Module module name:...
Node.js third-party modules: `useragent` is vulnerable to ReDoS in user-agent string
Denial of Service by passing crafted user-agent strings...
Node.js third-party modules: `superstatic` is vulnerable to path traversal on Windows
I would like to report a path traversal vulnerability in superstatic. It allows an attacker to read arbitrary out-of-dir files when running on the Windows platform. Module module name: superstatic version: 5.0.1 npm page: https://www.npmjs.com/package/superstatic Module Description Superstatic is an enhanced...
Node.js third-party modules: `memjs` allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage
I would like to report a Buffer allocation vulnerability in memjs. In cases when the attacker is able to pass typed input e.g. via JSON to the storage, it allows an attacker to cause a DoS on all Node.js versions and to store and potentially later extract chunks of uninitialized server memory containing...
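The njwt, put, utile, base64-url, base64url, atob, stringstream, http-proxy-agent, npmconf, concat-with-sourcemaps and memjs reports above all describe the same root cause: caller input reaches the `Buffer(arg)` constructor, whose meaning depends on the argument's type. The following is an added example, not code from any of those modules or reports; the function names and the JSON body are constructed for illustration.

```javascript
// Added example: type-dependent Buffer(arg) behaviour and the check that closes it.

// Vulnerable shape: the input goes straight to Buffer(arg). A string is encoded,
// but a number is treated as a SIZE. On Node.js < 8 the returned memory is
// uninitialized (information leak); on Node.js >= 8 it is zero-filled but still
// allocates `input` bytes, so a large number is a denial of service either way.
function encodeUnsafe(input) {
  return Buffer(input) // deprecated constructor; behaviour differs by arg type
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Hardened shape: accept only the types the encoder is documented for, and use
// Buffer.from(), which never interprets its argument as a size.
function encodeSafe(input) {
  if (typeof input !== 'string' && !Buffer.isBuffer(input)) {
    throw new TypeError('expected string or Buffer, got ' + typeof input);
  }
  return Buffer.from(input)
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Simulates the "typed input via JSON" path the reports describe: a body field
// that the application expects to be a string arrives as a number instead.
function handleJsonBody(rawJson, encoder) {
  const body = JSON.parse(rawJson); // constructed input, see the usage below
  return encoder(body.payload);
}

// Usage: {"payload":5} makes encodeUnsafe allocate a 5-byte buffer instead of
// encoding the text "5", while encodeSafe rejects it before any allocation.
console.log(encodeSafe('hello'));                                 // aGVsbG8
console.log(handleJsonBody('{"payload":5}', encodeUnsafe).length); // 7 chars for 5 bytes
try {
  handleJsonBody('{"payload":5}', encodeSafe);
} catch (e) {
  console.log(e.message);
}
```

`Buffer.alloc(n)` and `Buffer.allocUnsafe(n)` exist for callers that really do want a size; keeping size-taking and content-taking constructors distinct is what makes the type check above sufficient.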
Node.js third-party modules: [m-server] Path Traversal allows to display content of arbitrary file(s) from the server
I would like to report Path Traversal in the m-server module. It allows an attacker to read the content of any arbitrary file from the server where m-server is installed and run. Module module name: m-server version: 1.4.0 npm page: https://www.npmjs.com/package/m-server Module Description M-Server is a mini http...