Node.js third-party modules: [m-server] HTML Injection in filenames displayed as directory listing in the browser allows embedding an iframe with malicious JavaScript code
I would like to report a Stored XSS vulnerability in the m-server module. m-server displays the content of the selected directory as HTML in the browser. However, no escaping is implemented, which allows a malicious user to embed executable JavaScript or HTML code, e.g. to load an HTML document into an iframe element and...
VK.com: Viewing any video from a private group and who uploaded it
Viewing some video recordings from closed groups...
Node.js third-party modules: `rgb2hex` is vulnerable to ReDoS when parsing crafted invalid colors
I would like to report a ReDoS in rgb2hex. It allows causing Denial of Service by trying to parse a crafted color string. Module module name: rgb2hex version: 0.1.0 npm page: https://www.npmjs.com/package/rgb2hex Module Description Parse any rgb or rgba string into a hex color. Lightweight...
Node.js third-party modules: `sshpk` is vulnerable to ReDoS when parsing crafted invalid public keys
I would like to report a ReDoS in sshpk. It allows causing Denial of Service by trying to parse a crafted public key. Module module name: sshpk version: 1.13.1 npm page: https://www.npmjs.com/package/sshpk Module Description Parse, convert, fingerprint and use SSH keys both public and private in...
Node.js third-party modules: `protobufjs` is vulnerable to ReDoS when parsing crafted invalid *.proto files
I would like to report a ReDoS in protobufjs. It allows causing Denial of Service by trying to parse or load a crafted .proto file. Module module name: protobufjs version: 6.8.5 npm page: https://www.npmjs.com/package/MODULE NAME Module Description Protocol Buffers are a language-neutral,...
Node.js third-party modules: `https-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak
I would like to report a Buffer allocation vulnerability in https-proxy-agent. In setups where the auth argument is user-controlled, it allows one to: 1. cause Denial of Service by trivially consuming all the available CPU resources 2. extract uninitialized memory chunks from the server on Node.js This...
Mail.ru: Stored self-xss and its escalation to a victim account in e.mail.ru
Stored XSS via external OAuth account data...
Semrush: Broken Authentication: A project addition request can be used multiple times for different users
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: Broken...
Node.js third-party modules: `whereis` concatenates unsanitized input into exec() command
I would like to report command injection in whereis. It allows injecting arbitrary shell commands by trying to locate crafted filenames. Module module name: whereis version: 0.4.0 npm page: https://www.npmjs.com/package/whereis Module Description Simply get the first path to a bin on any system...
Node.js third-party modules: [open] concatenation of unsanitized input into exec() command
I would like to report command injection in open. It allows injecting arbitrary shell commands by specifying crafted URLs. Module module name: open version: 0.0.5 npm page: https://www.npmjs.com/package/open Module Description Open a file or url in the user's preferred application. Module Stats 31...
Node.js third-party modules: `macaddress` concatenates unsanitized input into exec() command
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report code injection i...
Node.js third-party modules: `sql` does not properly escape parameters when building SQL queries, resulting in potential SQLi
I would like to report an SQLi in sql. It allows inserting potentially user-controlled content into the queries without proper escaping, in cases where that is not verified additionally in the applications that are using the sql library. Module module name: sql version: 0.78.0 npm page:...
Node.js third-party modules: typeorm does not properly escape parameters when building SQL queries, resulting in potential SQLi
I would like to report an SQLi in typeorm. It allows inserting potentially user-controlled content into the queries without proper escaping, in cases where that is not verified additionally in the applications that are using the typeorm library. Module module name: typeorm version: 0.1.12 npm page:...
Khan Academy: [critical] sql injection by GET method
Hey there, after tampering a bit with the values, since I figured out your backend is not PHP, most likely Django or Node.js, I found an SQL injection. You can view my steps to reproduce; if you need additional screenshots, please let me know. Regards Gabriel Kimiaie Impact If I dig deeper, I may ...
Brave Software: There is vulnerability Click Here TO fix
NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. Summary: add summary of the vulnerability Products affected: operating system, Brave versi...
Node.js third-party modules: [stattic] Improper path validation leads to Path Traversal and allows reading arbitrary files with any extension(s)
I would like to report Path Traversal in the stattic module. It allows reading the content of some arbitrary files from the server where stattic is installed and run. Module module name: stattic version: 0.2.3 npm page: https://www.npmjs.com/package/stattic Module Description Ridiculous simple script for...
Shopify: Access to Private Photos of Apps in App section(IDOR)
Bug location: https://MyShop.myshopify.com/admin/apps Description: The Previewing the Photo In App section request is vulnerable to an IDOR attack where changing the ID leads to disclosure of the link of private photos. It also discloses the Shop Domain details. The request goes through...
LocalTapiola: Sitemap causing strain on your Lahitapiola.fi server
Basic report information Summary: Your sitemap isn't split into many other sitemaps, which causes all of the sitemap URLs to start loading in just 1 sitemap, which in turn causes a big strain on your server. Description: It took more than 5 minutes just to load your sitemap. That is not normal...
Semrush: SSLv3 Poodle Attack on IP of Semrush
Summary: POODLE SSLv3 bug on multiple servers Description: CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka...
QIWI: Information Disclosure on id.rapida.ru
Hi, path disclosure occurs on id.rapida.ru/dp.php Steps to reproduce: 1 Go to https://id.rapida.ru/login 2 Try to log in via phone, waiting for the SMS code. 3 Try to enter a non-working SMS code (any) 4 In the response you can see the paths HTTP/1.1 200 OK Server: nginx Date:...
HackerOne: Program profile_metrics.json contains time to triage for deptofdefense even it's turned off
Hello HackerOne Security Team, Summary 1 Well, in your previous report, it was revealing the Time to Triage for WordPress, which you fixed. 2 However, the program US Dept of Defense doesn't have profile metrics, so we can't display any certain info. But still, profile_metrics.json leaks the...
Semrush: clickjacking to Semrush auth login
Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on. This attack could be performed against Semrush auth users because its direct...
Grab: Registration enabled on ███grab.com
Summary: An attacker can register an account on the █████████grab.com service, and access information from the service Description: While logging in via Google accounts is prohibited, an attacker can register an account through the /login/create endpoint, as per the below request POST /login/crea...
GSA Bounty: SSH server compatible with several vulnerable cryptographic algorithms
An ssh-audit scan found that ssh.fr.cloud.gov supports sha1 for various purposes, including exclusively for MAC addresses, as well as arcfour. Both of these are outdated and known vulnerable. The algorithms used are also indicative of an outdated SSH version (OpenSSH 6 or Dropbear 2013). It's probabl...
VK.com: Viewing private video recordings of Users
Viewing some private video recordings. VK decided to pay $100, but I persuaded them otherwise....
Mail.ru: [online.games.mail.ru] - Sensitive information disclosure
Include files with potentially sensitive configuration information were available via HTTP. online.games.mail.ru is not covered by the bug bounty; an award was issued as a bonus...
Brave Software: Bypassing Homograph Attack Using /@ [ Tested On Windows ]
Summary: Bypassing Homograph Attack Using /@ I looked at my previous report 268984 and saw the patch code on GitHub https://github.com/brave/browser-laptop/commit/f2e438d6158fbc62e2641458b6002a72d223c366 I looked at the code at it('returns the punycode URL when given a valid URL', function...
Nextcloud: twofactor_auth bypassable if provider fails to load
Just want to preface this by saying that this is probably not a significant vulnerability, as it requires that the server either has recently been incorrectly upgraded or is otherwise misconfigured. However, in the administration of my own personal Nextcloud instance I have hit this several times...
Mail.ru: Race condition on market.games.mail.ru
It was possible to get a few game items by replaying a single purchase operation multiple times within a short amount of time. market.games.mail.ru is not in the bug bounty scope; the bounty was awarded out-of-scope due to real monetary impact...
Node.js third-party modules: Regular Expression Denial of Service (ReDoS)
The issue was already fixed. Module: is-my-json-valid Summary: Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS attacks. It used a regular expression /^\S+@\S+$/ in order to validate emails. This can cause an impact of about 10 seconds matching time f...
HackerOne: Unicorn worker pool exhaustion by continuously updating payout preferences
Please, this time I hope you listen to me. Please see the included video as POC. Please, this is not self DoS, not self DoS, not self DoS. I hope this time you find out that this is the last report that I have; please see the video to the end. Again, this is not a self DoS. I have included one...
Shipt: Any user can completely delete their own account without authorization and/or going through any kind of membership cancellation protocol.
A security researcher identified an endpoint that allowed Shipt Members to delete their own account by intercepting an HTTP request, changing the HTTP method to DELETE, and forwarding the request, bypassing the normal membership cancellation protocol. This endpoint did not allow for modifying oth...
X (Formerly Twitter): Account Takeover in Periscope TV
Summary: When you login periscope.tv using twitter, and change the host header from www.periscope.tv to attacker.com/www.periscope.tv, the oauth redirect destination will be attacker.com/www.periscope.tv, thus allowing attacker to send the oauth authorize link to victim, and takeover their accoun...
Rockstar Games: Exploiting Misconfigured CORS to Steal User Information
In this report, the researcher demonstrated how a CORS misconfiguration was allowing user details, such as email addresses and IDs, to be shared inappropriately. They also provided a POC which showed how an attacker could exploit this remotely. This issue was resolved in a platform update to our...
Uber: Delay of arrears notification allows Riders to take multiple rides without paying
Due to a delay in how Uber prompts accounts that have gone into arrears having an outstanding balance, it was possible to take rides without paying and without the account being blocked from booking new rides. This delay was a short-term issue, not a security vulnerability, and @djangohack’s...
Mail.ru: CSRF on item purchase https://lootdog.io/
CSRF vulnerability for the item buy action. At the time of reporting, lootdog.io client-side vulnerabilities were not covered by the bug bounty...
Vend VDP: Improper access control on adding a Register to an Outlet
Summary: User without permissions to add a Register to an Outlet can bypass this restriction and add a Register to an Outlet. Description: I do not know which permission exactly controls this action, I tested this against default Cashier role. User with default Cashier role has no permission to a...
RubyGems: Delete directory using symlink when decompressing tar
In 2.7.6, the safety of the symlink is confirmed with mkdir_p_safe. Before that, FileUtils.rm_rf destination is run. Therefore, if tmp/dir is specified after tmp -> /tmp, the following /tmp/dir is deleted. Proof of concept builder.rb ruby require 'rubygems/package' class GemBuiler def initialize spec,...
Mail.ru: CSRF on putting an item up for sale
CSRF in lootdog.io allowed putting an item on sale. It led to listing an item at any price (1 ruble) and the possibility of then buying it out from another account...
Phabricator: Window.opener fix bypass
Description Due to a recent report https://hackerone.com/reports/306414 a fix was deployed in order to resolve the tabnabbing issue. However, by using a line break the fix can be bypassed. Steps to reproduce 1 Browse to your Phabricator instance and create a new document. 2 Now paste in the followi...
vulners.com: [vulners.com] nginx alias_traversal
Incorrect configuration of alias could allow an attacker to read files stored outside the target folder. https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md The vulnerability is only in the http configuration; there is no such issue on https. Example: http GET /static../monit/COPYING HTTP/1.1 Host:...
Node.js third-party modules: [bracket-template] Reflected XSS possible when variable passed via GET parameter is used in template
Hi Guys, I would like to report Reflected XSS in the bracket-template module. It allows injecting an arbitrary JavaScript tag and malicious code that executes when variables read from GET are used directly in a template without sanitization. Module module name: bracket-template version: 1.1.5 npm page:...
Dropbox: Exposed Git Repo at http://fileserver.dropboxbusiness.com
The report revealed an exposed git repository on a vendor that Dropbox uses. This endpoint could allow an attacker to retrieve much of the source code and git history for this service which could potentially reveal sensitive information like application secrets. Thankfully, after performing an...
Mail.ru: CSRF on lootdog.io
CSRF vulnerability for the phone/email change action. At the time of reporting, lootdog.io client-side vulnerabilities were not covered by the bug bounty...
Mail.ru: Shell upload in http://widget.support.my.com/
PHP shell upload was possible on the widget.support.my.com support frontend site. This report was accepted within the lootdog.io preliminary bug bounty program, because lootdog.io is supported via support.my.com...
GSA Bounty: Subdomain Takeover due to unclaimed domain pointing to AWS
Note: I know this is on an out of scope domain, however felt it should still be raised as it was the only subdomain of data.gov to be vulnerable. Issue Details The consultant identified that subdomain https://18f.domains.api.data.gov/ is pointing to dn9rrjaiux2m0.cloudfront.net via a DNS CNAME...
Rockstar Games: SocialClub's Facebook OAuth Theft through Warehouse XSS.
In this report, the researcher was able to chain together 3 separate, minor bugs to create an exploit that was greater than the sum of its parts. This exploit could have potentially allowed attackers to steal OAuth tokens from users. The exploit chain involved taking advantage of our SSO between...
VK.com: new (old, upgraded) hacking: bringing democracy to everything on VKontakte (XSS - in English)
XSS in Wiki. This hardcore hack made it possible to cause mass glitching in the social network VKontakte and to make a repost on behalf of any person who opened the link, which is especially scary in Russia where people are jailed for reposts on VKontakte. Everything was fixed promptly, 3 months, they really have golden hands. Unfortunately the glitching...
Mail.ru: Reflected XSS on https://www.delivery-club.ru/
Reflected XSS via GET parameters. At the time of reporting, XSS vulnerabilities of delivery-club.ru are not covered by the bug bounty...
Mail.ru: XSS on https://www.delivery-club.ru
Reflected XSS via GET parameters. At the time of reporting, XSS vulnerabilities of delivery-club.ru are not covered by the bug bounty...