HackerOne: Can read features from any user
Summary: An attacker can read feature notifications from any user. You just need to change "me" to user(username:"filedescriptor") in your request to get the features. Steps To Reproduce POST /graphql HTTP/1.1 Host: hackerone.com "query":"query Newfeature \n query \n id,\n ...F0\n \n\nfragment F0 on Quer...
Starbucks: Able to purchase a gift card with any amount
Description There is a vulnerability in card.starbucks.com.sg that allows an attacker to modify the purchase value of a Starbucks gift card such that he pays the minimum amount for the maximum value of the gift card. Attack Summary An attacker is able to pay $0.01 for a $100 gift card and...
Dropbox: Forum posts and private messages are poorly sanitized, allowing execution of arbitrary JavaScript
The reporter informed us of both stored XSS vulnerabilities and unsafe CSS attributes that were allowed in forum posts due to the TinyMCE editor. An upgrade to Lithium's forum platform appears to have mitigated these vulnerabilities...
Semrush: Ad Builder Display Ads Path Traversal
Summary: The Semrush Ad Builder for Display Ads is vulnerable to path traversal when extracting zip files and referencing images from the embedded data.csv file. Description: The Semrush Ad Builder for Display Ads allows users to import Display Ads from an uploaded zip file. The backend...
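The two containment checks that the entry above describes as missing (archive member names on extraction, and image paths read from the embedded data.csv) can be done with one helper, shown here as an added example that is not Semrush's code. The destination directory, the CSV column name `image` and the sample archive are all constructed assumptions for the demonstration.

```python
"""Zip-slip containment check for an ad-import flow (added example).

Assumes the importer extracts each archive into a per-upload directory and
then resolves image paths from data.csv relative to that same directory.
Both the member names and the CSV paths must stay inside that directory.
"""
from __future__ import annotations

import csv
import io
import os
import zipfile


def is_contained(base: str, candidate: str) -> bool:
    """True if `candidate`, joined to `base` and normalised, still lies under `base`."""
    base_real = os.path.realpath(base)
    cand_real = os.path.realpath(os.path.join(base_real, candidate))
    return cand_real == base_real or cand_real.startswith(base_real + os.sep)


def safe_members(zf: zipfile.ZipFile, dest: str) -> list[str]:
    """Return archive member names that are safe to extract under `dest`.

    Rejects absolute names, drive-letter names and any name whose normalised
    form escapes `dest` (for example '../../../tmp/evil.png').
    """
    safe = []
    for name in zf.namelist():
        if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
            continue
        if not is_contained(dest, name):
            continue
        safe.append(name)
    return safe


def referenced_images(csv_bytes: bytes, dest: str) -> list[str]:
    """Resolve image paths from a data.csv, dropping those that escape `dest`.

    The column name 'image' is an assumption for this example.
    """
    rows = csv.DictReader(io.StringIO(csv_bytes.decode("utf-8")))
    out = []
    for row in rows:
        img = row.get("image", "")
        if img and is_contained(dest, img):
            out.append(os.path.normpath(img))
    return out


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign member, one traversal member,
    and a data.csv that references both a benign and a traversal path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ad/banner.png", b"\x89PNG fake")
        zf.writestr("../../../tmp/evil.png", b"not an image")
        zf.writestr("data.csv", "image\nad/banner.png\n../../../etc/passwd\n")
    return buf.getvalue()


def demo(dest: str = "/srv/uploads/upload-1") -> tuple[list[str], list[str]]:
    """Run both checks over the constructed archive; `dest` is an assumed path."""
    data = build_sample_zip()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = safe_members(zf, dest)
        images = referenced_images(zf.read("data.csv"), dest)
    return members, images


if __name__ == "__main__":
    print(demo())
```

The check uses `os.path.realpath` rather than a string prefix test alone, so `a/../b.png` is accepted while `../x` and symlink-based escapes are rejected; the trailing `os.sep` in the prefix comparison prevents `/srv/uploads/upload-1` from matching `/srv/uploads/upload-10`.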
VK.com: Reflected XSS on m.vk.com/chatjoin
XSS in mobile messages...
Node.js third-party modules: [public] Stored XSS in filenames in directory served by public
Hi Guys, public allows embedding HTML in file names, which in certain conditions might lead to executing malicious JavaScript. I put https://www.npmjs.com/package/public in the Weakness section - 'Where is the stored content accessible?' because it did not allow me to open the report with...
Semrush: XSS on redirection page( Bypassed)
Hello Semrush Team, In this report id 311330, I was marked as a duplicate and the redirection URL was fixed, which made me feel happy, as a deserving bounty hunter got a reward. However, after the fix last night, I finally bypassed the redirection method, which not only triggered XSS but also redirects...
Coinbase: Prepopulation of email address and name leaks information provided to other merchants
Users of the commerce widget that have entered their name and email into the widget and moved to the currency selection step were vulnerable to a clickjacking attack that revealed name and email to an attacker due to pre-population of the widget's fields. After a user filled out the name / email...
Starbucks: Open Redirect on /account/signin?ReturnUrl
The attacker can redirect the victim just after authentication. Open redirect on the login page: https://www.starbucks.com/account/signin?ReturnUrl= Steps to reproduce Go to the Login Page. https://www.starbucks.com/account/signin?ReturnUrl=%2faccount%2fHome The parameter ReturnUrl can be modified as...
VK.com: Bypassing 2FA and/or obtaining an access_token if we have ever been on the victim's account
Partial 2FA bypass in some cases, given access to the page. Having been on the account just once, it was possible to bypass 2FA in all subsequent cases. The hashes at https://login.vk.com/?act=grantaccess had no expiry and were not tied to significant account parameters (whether 2FA is enabled, when the last...
X (Formerly Twitter): CVE-2017-15277 on Profile page
Hi security team, Summary: Please refer to 302885 for more details. Uploading a .gif produces significantly different images every time, which means the server is leaking information. Steps To Reproduce: 1. Clone https://github.com/neex/gifoeb 2. Generate an exploitable gif with ./gifoeb gen 5120x512...
Starbucks: Able to reset other user's password in https://card.starbucks.com.sg/
Description In the website https://card.starbucks.com.sg/ there is a password reset function https://card.starbucks.com.sg/forgetPassword.php that sends the password reset link to the user's email. By using a web proxy to monitor the request, the email address can be changed to allow the attacker...
Coinbase: Stored CSS Injection
When creating a product, users can upload a logo. The logourl was not escaped properly, allowing an attacker to inject malicious characters into a style tag. This vulnerability did not allow for XSS due to our CSP, however, it did allow for CSS injection...
Coalition, Inc.: Non-Cloudflare IPs allowed to access origin servers
Hello Security Team, Summary: Like report 255978, it is possible to access origin servers served by nginx and not Cloudflare. Description: Even though these IPs don't serve a functional version of the app, it is possible to enable DDoS attacks by bypassing Cloudflare protections. Steps To Reproduc...
Mail.ru: blind XXE in autodiscover parser
How to reproduce: 1. Put an xml on the attacker's server; it must be accessible on the attacker's server at /autodiscover/autodiscover.xml. I made this response for any xml request: obmhld.com/autodiscover/autodiscover.xml email settings SMTP 52.34.103.214 1191 off [email protected] yandex....
Node.js third-party modules: Remote Command Execution vulnerability in pullit
I would like to report a Remote Command Execution vulnerability in pullit. It allows remote command execution such as reading or writing to the file system, and executing other programs under the current user running the pullit node executable. Module pullit https://www.npmjs.com/package/pullit...
Node.js third-party modules: Path Traversal on Resolve-Path
The author of resolve-path told me that I can submit this here. The vulnerability was already reported to the author and got fixed! Module module name: resolve-path version: 1.3.3 npm page: https://www.npmjs.com/package/resolve-path Description Resolve a relative path against a root path with...
VK.com: Shared CSRF token for community messages, or how to frame a fellow editor
A bug in CSRF token generation. In the Group IM section (community messages), /alim.php?gid=XXX, for almost all actions (sending a message, deleting a dialog, etc.) the hash was tied to the groupid and was the same for all users who had access to that group's inbox. So, having the hash...
Coalition, Inc.: No authentication on email address for password reset functionality/ https://platform.thecoalition.com/forgot-password
Summary: It was observed that the forgo...
Valve: ImageMagick GIF coder vulnerability leading to memory disclosure
Due to CVE-2017-15277, portions of server memory on some steamcommunity web servers could be leaked via image updates. An attacker would not be able to control what memory would be returned, but system information could be obtained. I was able to arbitrarily disclose server memory on...
Greenhouse.io: Debug information disclosure on oauth-redirector.services.greenhouse.io
Summary: The configuration of the Sinatra framework application hosted at oauth-redirector.services.greenhouse.io exposes internal information when exceptions occur. The application is configured with the show_exceptions setting, which causes internal application configuration, environment variables...
Node.js third-party modules: Media parsing in canvas is at least vulnerable to Denial of Service through multiple vulnerabilities
There is at least a DoS vulnerability in canvas. It segfaults node.js, which leads to a Denial of Service, but according to !exploitable it could possibly be worse. Module canvas node-canvas is a Cairo backed Canvas implementation for NodeJS. https://www.npmjs.com/package/canvas version: 1.6.9 Stat...
Razer US: Razer Synapse 3 Local Privilege Escalation
Excellent report from @achapman. We appreciate the time, effort, technical skill, and professionalism of the researcher in helping us find and fix this issue...
Semrush: [oauth token leak] at oauth.semrush.com
Domain, site, application --- oauth.semrush.com Steps to reproduce --- 1 Create the following html at attacker.com/postmessage.html: function listener(event) { alert(JSON.stringify(event.data)); } var dest =...
Reverb.com: Full account takeover
Hello Team, I found a security issue in the Reverb iOS application which allows an attacker to hack all users' accounts. Since the iOS application is not in scope, I am still reporting this because this vulnerability may compromise all users' accounts. Please resolve this quickly. Description: Reverb iOS...
Snapchat: Takeover 2 MAIN DOMAINS of a company Acquired by Snapchat
Hi, As you may realize, I noted "Domain" and not subdomain because I was actually able to take over the MAIN domain of a company acquired by Snapchat. As you can see in the screenshot below, when you type "Addlive" in Google https://goo.gl/EAxBaj, the first two results will be: F261984 First one...
LocalTapiola: Reflected XSS+CSRF on secure.lahitapiola.fi
Basic report information Summary: The secure.lahitapiola.fi mail application contains a reflected XSS vulnerability which can be exploited, for example, with a CSRF attack. Description: As mentioned in the summary, the site contains a reflected cross-site scripting vulnerability. This vulnerability ...
Open-Xchange: [XSS] Style/Event Filter Bypass v3.0
Hi. New ways to bypass the filter in mail. Previous reports: 279073, 244821. 1. onEvent filter bypass - If added in style, then the onEvents filter is disabled. Send e-mail: json "content": "", Response: json "content":"" 2. Without onEvents - Without you can use: json "content": "aaa", Response: json...
Zomato: Blind XSS - Report review - Admin panel
Introduction In the Zomato Business app there is functionality to report a review and give additional details as to why you reported the review. Because I knew this reason would be read by Zomato admins, I inserted a blind XSS payload here, which ended up executing on...
Snapchat: Publicly accessible Continuous Integration Tool
@apfeifer27 found an internal Continuous-Integration instance, which disclosed internal source code and credentials for some of our instances...
Valve: Xss was found by exploiting the URL markdown on http://store.steampowered.com
Hello guys, I found an XSS vulnerability in the store.steampowered.com markdown. POC: http://store.steampowered.com/widget/386360/?t=[url=google.com:/onclick=%27alert(document.domain)%27]xss[/url] Here is my exploit: [url=google.com:/onclick='alert(document.domain)']xss[/url] Steps 1 - go to any product 2 -...
Ubiquiti Inc.: Code Execution in restricted CLI of EdgeSwitch
In EdgeSwitch 1.7.3 and prior, a user with admin credentials can make use of specially crafted commands to execute arbitrary shell instructions, bypassing the SSH/TELNET CLI interface. A command injection vulnerability existed in the restricted CLI of the EdgeSwitch. Exploiting this vulnerabilit...
HackerOne: Information Disclosure which violate program privacy
Summary: please refer to the following report: https://hackerone.com/reports/311289 It was noticed that TTS changed the summary and set the domain to example.gov as not to reveal to the public. But at the bottom of the page, "britta changed the scope from https://ci.fr.cloud.gov to None."...
Zomato: IDOR in treat subscriptions
The treat subscriptions tab in my profile has an IDOR. The corresponding API: POST /php/filterusertabcontent.php HTTP/1.1 userid=██████&tab=treatsubscription&orderhistoryoffset=0&orderhistorylimit=20 You can give any user id and you will be able to see the treat subscriptions of that user. Impact...
U.S. Dept Of Defense: Blind SQL injection on ████████
Summary: I discovered that a POST request made to https://████████/elist/viewem6.php is vulnerable to SQL injection; it is quite clearly vulnerable, as I was able to induce a 2-second hang on the web page. Additionally, I was able to discover the MySQL version with a true/false condition...
Node.js third-party modules: [public] Path Traversal allows to read content of arbitrary files
Hi Guys, There is a Path Traversal in the public module. It allows reading the content of arbitrary files on the remote server. Module public Run static file hosting server with specified public dir & port. Supports a "directory index" like Apache httpd. https://www.npmjs.com/package/public version: 0.1.2...
Node.js third-party modules: [mcstatic] Path Traversal allows to read content of arbitrary files
Hi Guys, There is a Path Traversal in the mcstatic module. It allows reading the content of arbitrary files on the remote server. Module mcstatic This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser. https://www.npmjs.com/package/mcstat...
Node.js third-party modules: [localhost-now] Path Traversal allows to read content of arbitrary file
Hi Guys, There is a Path Traversal in the localhost-now module. It allows reading the content of arbitrary files on the remote server. Module localhost-now This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser...
Discourse: Gaining access to private topics using quoting feature
Description Some topics have limited access to certain groups and users, and while there is a validation of access to these topics, it can be bypassed by abusing a vulnerability in the "onebox" quoting feature. When pasting a link in a reply, if this link happens to be a link to another topic ...
Mail.ru: IDOR on mcs.mail.ru
CSRF tokens were static; the CSRF token for an arbitrary user's account can be obtained. No direct security implications were found, since the token is transmitted in request headers and cannot be sent cross-site, but using static tokens was considered a bad security practice. mcs.mail.ru was not in bug...
Mail.ru: XSS via Cookie in e.mail.ru
Hi! I found a stored XSS via the VID cookie. Usually this is exploited via MITM. The cookie itself has no secure or samesite attributes, which makes it possible to set it over http from the attacker's server. The scenario: 1. The victim is on the attacker's network 2. The attacker's network DNS server resolves the host...
Semrush: XXE in Site Audit function exposing file and directory contents
Summary: The Project Site Audit function is vulnerable to XXE when parsing sitemap.xml files. Description: The Site Audit function spiders a given website and performs analysis on the discovered pages. In order to improve website spidering the URL of a sitemap.xml file can be provided. If provide...
Mail.ru: [mobs.mail.ru] nginx path traversal via misconfigured alias
Domain, site, application -- mobs.mail.ru Steps to reproduce -- http://mobs.mail.ru/media../mobs/settings.py Actual results -- ... SECRET_KEY = '████████████' ... DISTIMO_PRIVATE_KEY = '████████████' ... PoC, exploit code, screenshots, video, references, additional resources --...
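The entry above is the classic nginx alias traversal: a `location` without a trailing slash combined with `alias`, so a request for `/media../` matches the prefix `/media` and the remainder `../...` is appended to the alias path. The configuration below is an added example (not the mobs.mail.ru configuration, which the report does not show); the filesystem path is an assumption.

```nginx
# Vulnerable (assumed layout): the location has no trailing slash, so the URI
# "/media../mobs/settings.py" matches the prefix "/media" and nginx builds
# "/var/www/mobs/media/" + "../mobs/settings.py", escaping the media directory.
location /media {
    alias /var/www/mobs/media/;   # path is an assumption for this example
}

# Fixed: both the location and the alias end with "/", so "/media../" no
# longer matches this location and the remainder is always appended after a
# directory boundary. "root" avoids the prefix-stripping behaviour entirely.
location /media/ {
    alias /var/www/mobs/media/;
}
```

A quick check after reloading is to request `/media../` and expect a 404 from some other location rather than a 200; the same trailing-slash rule applies to any `location`/`alias` pair, not just `/media`.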
Informatica: [https://life.informatica.com] - information disclose
Researcher had discovered and reported an issue that leads to information disclosure...
Mail.ru: Error in processing gif images
Application crash on malformed GIF image parsing in ICQ for Desktop...
GitLab: Using GitLab to monitor and hijack domains in mass quantity.
Vulnerability Description There is a logic flaw in how GitLab pages can set custom domains that allows an attacker to actively monitor domains and hijack them as soon as they point to 52.167.214.135. GitLab allows setting an unlimited number of domains for a single repository. First, I wrote a...
Node.js third-party modules: [uppy] Stored XSS due to crafted SVG file
Module: Uppy. Affected version: 0.22.2...
Pornhub: Stored XSS (client-side, using cookie poisoning) on the pornhubpremium.com
The researcher discovered that a parameter's value was stored in a cookie and that cookie's value was echoed in certain pages. The researcher was successful in providing an XSS payload as this parameter's value and having it execute. DOM XSS through cookie. Discovered by manual inspection of JS...
U.S. Dept Of Defense: SQL injection
Initially I discovered a defunct admin panel with default credentials, admin/admin. This was vulnerable to a blind SQL injection but I wasn't able to successfully exploit the login panel. I later Google dorked for PHP files on the subdomain and ended up finding another endpoint that was vulnerab...
VK.com: Reflected XSS on m.vk.com
XSS in the map search...