Ubiquiti Inc.: Format String Vulnerability in the EdgeSwitch restricted CLI
In EdgeSwitch 1.7.3 and prior, a user with admin credentials can make use of specially crafted commands to execute arbitrary shell instructions, bypassing the SSH/TELNET CLI interface. There was a format string vulnerability present in the Admin CLI for the EdgeSwitch. Exploiting this...
Mail.ru: CSRF on calendar.mail.ru
CSRF on ICS URI import in calendar.mail.ru. CSRF with a bypass of the ORIGIN-based protection by hosting the page, for now, on one of the subdomains...
Semrush: Cross-origin resource sharing misconfig
Description An HTML5 cross-origin resource sharing CORS policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other...
LocalTapiola: Securemail server used for internal spam and resource exhaustion
Basic report information Summary: The confidential message system fails to restrict a large number of recipients. This might lead to hardware exhaustion and/or attacking localtapiola internal employees as securemail recipients. Description: Although https://secure.lahitapiola.fi/ is designed to send...
Zomato: Reflected XSS on https://www.zomato.com
Hello, I found an XSS issue due to the incorrect handling of the \ character in a context, the following link works as a PoC that alerts the location of the document: https://www.zomato.com/googleOAuth2Callback?alertlocation;%3C!--&state=\ The issue exists because, given that the \ character...
WePay: Reflected XSS in the IE 11 / Edge (latest versions) on the stage-go.wepay.com
Description Hello. I discovered a Reflected XSS on stage-go.wepay.com. Browsers & OS tested The XSS was checked in the latest IE 11 and Edge on Windows 7. Not checked on Windows 10. POC IE 11 or Edge...
HackerOne: Reputation gain split by company can be used to track the existence of otherwise undisclosed reports
Summary: A researcher who shares an anonymised description of a vulnerability prior to disclosure may inadvertently also be sharing the company whom the issue affects if a bounty/thanks has been issued. You may ask: "Where would someone get the idea to share partial information about unfixed...
Mail.ru: XSS in delivery club
Reflected XSS via GET parameters of an AJAX method due to an invalid content-type for JSON data. At the time of the report delivery-club.ru was not covered by the bug bounty program...
Urban Dictionary: See details of an unpublished word by guessing the word ID
https://www.urbandictionary.com/remove.form.php?reconsider%5Bdefidtoremove%5D=$id$ Example Word : https://www.urbandictionary.com/remove.form.php?reconsider%5Bdefidtoremove%5D=12504202 Impact It is a minor information disclosure in which anyone can see details of an unpublished word...
Node.js third-party modules: Prototype pollution attack (merge-recursive)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the merge-recursive library. Module: merge-recursive Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls...
Node.js third-party modules: Prototype pollution attack (merge-options)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the merge-options library. Module: merge-options Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part...
Node.js third-party modules: Prototype pollution attack (deep-extend)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the deep-extend library. Module: deep-extend Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of...
Semrush: Open Redirect
Open Redirect on https://www.semrush.com/ A user can be redirected to a malicious site. POC: https://www.semrush.com/redirect?url=http://bing.com I hope you know the impact of open redirect; for more info refer to https://cwe.mitre.org/data/definitions/601.html Impact A user can be redirected to a malicious site...
X (Formerly Twitter): ms5 debug page exposing internal info (internal IPs, headers)
Summary: Information exposure through /debug in ms5.twitter.com Description: Debug page from ms5.twitter.com exposes internal info, such as internal IPs and headers. Steps To Reproduce: 1. Visit ms5.twitter.com/debug 2. See internal IP and header-names used 3. To gather more internal IPs, just...
GSA Bounty: CI for [example.gov] can be logged in and accessible
When anyone searched a public search engine for inurl:example.gov where example.gov was one of the URLs in the TTS Bug Bounty scope, the search results included a CI/CD build results URL. When anyone visited that build results page, they were faced with a login page, but if they clicked "log in",...
Node.js third-party modules: [query-mysql] SQL Injection due to lack of user input sanitization allows running arbitrary SQL queries when fetching data from the database
Hi Guys, There is SQL Injection in the query-mysql module. Due to lack of sanitization of user input, an attacker is able to craft an SQL query and get any data from the database. Module query-mysql Install this module in your project as a dependency https://www.npmjs.com/package/query-mysql version:...
Node.js third-party modules: Prototype pollution attack (mixin-deep)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the mixin-deep library. Module: mixin-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of the...
Node.js third-party modules: [hekto] Path Traversal vulnerability allows reading the content of arbitrary files
Hi Guys, There is a Path Traversal vulnerability in the hekto module, which allows reading arbitrary files from the remote server. Module hekto This package exposes a directory and its children to create, read, update, and delete operations over http. https://www.npmjs.com/package/hekto version: 0.2.0...
Node.js third-party modules: [626] Path Traversal allows reading arbitrary files from the remote server
Hi Guys, There is a Path Traversal vulnerability in the 626 module, which allows reading arbitrary files from the remote server. Module 626 This package exposes a directory and its children to create, read, update, and delete operations over http. https://www.npmjs.com/package/626 version: 1.1.1 Stats 0...
Node.js third-party modules: [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server
Hi Guys, crud-file-server allows embedding HTML in file names, which in certain conditions might lead to executing malicious JavaScript. Module crud-file-server This package exposes a directory and its children to create, read, update, and delete operations over http...
Mail.ru: Stored XSS (API)
Stored XSS via saved signature in Mail.Ru Mail mail compose functionality...
Informatica: [http://www.informatica.com]- info disclosure
The researcher identified and reported a sensitive information leakage in one of our domains. He helped us in resolving the issue...
HackerOne: The request tells the number of private programs, the new system of authorization /invite/token
Summary: Hi team. The old version of the invite program looks simple. A link to the program in which you need to log in. Now this looks through token. So my PoC I think you can count work since you have changed the system to a new, token Description: Steps To Reproduce 1...
Node.js third-party modules: [general-file-server] Path Traversal vulnerability allows reading the content of arbitrary files on the server
Hi Guys, There is Path Traversal in the general-file-server module. It allows reading the content of arbitrary files on the remote server. Module general-file-server This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser...
Node.js third-party modules: Prototype pollution attack (merge-deep)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the merge-deep library. Module: merge-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of th...
Node.js third-party modules: Prototype pollution attack (assign-deep)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the assign-deep library. Module: assign-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of...
Node.js third-party modules: Prototype pollution attack (merge-objects)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the merge-objects library. Module: merge-object Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part ...
Node.js third-party modules: [crud-file-server] Path Traversal allows reading arbitrary files from the server
Hi Guys, There is a Path Traversal vulnerability in the crud-file-server module, which allows reading arbitrary files from the remote server. Module crud-file-server This package exposes a directory and its children to create, read, update, and delete operations over http...
Node.js third-party modules: [file-static-server] Path Traversal allows reading the content of arbitrary files on the server
Hi Guys, There is a Path Traversal vulnerability in the file-static-server module, which allows reading arbitrary files from the remote server. Module file-static-server no description provided https://www.npmjs.com/package/file-static-server version: 1.0.2 Stats 0 downloads in the last day 3 downloads ...
Semrush: CORS (Cross-Origin Resource Sharing)
Affected URL: https://ta.semrush.com/version/ Description: The application implements an HTML5 cross-origin resource sharing CORS policy for this request which allows access from any domain. Allowing access from all domains means that any domain can perform two-way interaction with the applicatio...
Node.js third-party modules: Prototype pollution attack (defaults-deep)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the defaults-deep library. Module: https://www.npmjs.com/package/defaults-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object"...
Node.js third-party modules: Prototype pollution attack (deap)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the deap library. Module: deap Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of the structure...
Node.js third-party modules: Prototype pollution attack (lodash)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the lodash library. Module: lodash Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of the structure...
Node.js third-party modules: Prototype pollution attack (Hoek)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the Hoek library. Module: hoek Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of the structure...
ok.ru: Stored XSS in private messages, new location
Stored XSS in chat title at https://ok.ru/messages...
MapsMarker.com e.U.: [Informational] Possible SQL Injection in inc/ajax-actions-frontend.php
At first, I thought that my finding was a valid SQL injection, but I was wrong because WordPress currently adds magic slashes to COOKIE/POST/GET - this is a very special behaviour which may be removed in the future. There are tons of requests to remove this "old" technique. Nevertheless I...
GitLab: Removing a user from a private group doesn't remove him from the group's projects if his project role was changed
Summary: a) a rogue user is added to a private group with a dozen projects; b) the role in some projects is changed for the rogue user; c) the rogue user is fired and removed from the group: he still has access to the projects where his role was changed. Description: b) can happen for a lot of different reasons:...
Node.js third-party modules: [glance] Stored XSS via file name allows running arbitrary JavaScript when a directory listing is displayed in the browser
Hi Guys, There is a Stored XSS vulnerability in the glance module. A file name which contains malicious HTML, e.g. an embedded iframe element or a javascript: pseudo-protocol handler in an element, allows executing JavaScript code against any user who opens a directory listing containing such a crafted file name. Modu...
Node.js third-party modules: [glance] Path Traversal in glance static file server allows reading the content of arbitrary files
Hi Guys, There is a Path Traversal vulnerability in the glance module. This issue allows reading arbitrary files from the server where glance is installed. Module glance a quick disposable http server for static files https://www.npmjs.com/package/glance Stats 33 downloads in the last day 34 downloads...
Automattic: Disclosure of 152 cookie names via crafted input
If someone sends a cookie called '0', automattic.com responds with a list of all 152 cookies supported by the application: curl -v -H 'Cookie: 0=1' https://automattic.com/?cb=123 | fgrep Cookie Set-Cookie: ██████=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/;...
U.S. Dept Of Defense: SSRF vulnerability on ██████████ leaks internal IP and various sensitive information
Summary: A server side request forgery vulnerability appears to leak an internal IP address and tries to connect to an attacker controlled host. Description: In a normal request on this web page GET /HTTP/1.1 Host: www.████████ User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:58.0...
U.S. Dept Of Defense: SQL injection on █████ due to tech.cfm
Summary: The website appears to be vulnerable to SQL injection due to inducing an SQL error using a single ' Description: The following url, https://█████/hro/html/tech.cfm?Sort=Grade&ThisType=2 contains the parameter sort= which is vulnerable to SQLI. We know this due to the error disclosing the...
WordPress: [support.wordcamp.org] - publicly accessible .svn repository
Hi Team, Found that the .svn repo is publicly accessible. We can verify it by loading https://support.wordcamp.org/.svn/entries in any browser. This is very dangerous as an attacker may download the entire source code. More details about this vulnerability are provided here:...
Mail.ru: [3k.mail.ru] - Content spoofing
Text content spoofing protection bypass within the application interface in 3k.mail.ru. Text-only content spoofing reports are usually not accepted. This report was triaged because the application had protection which was bypassed by the researcher. 3k.mail.ru is not in bug bounty scope...
Node.js third-party modules: [simplehttpserver] Stored XSS in file names leads to malicious JavaScript code execution when directory listing is output in HTML
Hi Guys, simplehttpserver allows embedding HTML in file names, which in certain conditions might lead to executing malicious JavaScript. Module: 'simplehttpserver' is a simple imitation of python's SimpleHTTPServer and intended for testing, development and debugging purposes...
Node.js third-party modules: [simple-server] HTML with iframe element can be used as filename, which might lead to load and execute malicious JavaScript
Hi Guys, simple-server allows embedding HTML in file names, which in certain conditions might lead to executing malicious JavaScript. This is caused by an outdated version of the connect framework. Module: Simple Server allows you to easily get a node.js static file server up and running anywhere anytime...
VK.com: error
Useless logs. At first it was Informative, then the log was deleted and it was Resolved but no bounty...
VK.com: Backup Source Code Detected
Old log collector, which I saw and also got access to the DB!...
Rockstar Games: Stored XSS in Snapmatic + R★Editor comments
Summary provided by the Researcher, @europa . I requested the disclosure of what I hope is the final report regarding stored cross-site-scripting vulnerabilities on the Rockstar Games SocialClub, to also allow me to summarize the research that went into the other 5 reports. Have fun! Report 1 The...
Node.js third-party modules: [anywhere] An iframe element with url to malicious HTML file (with eg. JavaScript malware) can be used as filename and served via anywhere
Hi Guys, anywhere allows embedding HTML in file names, which in certain conditions might lead to executing malicious JavaScript. Module: Running static file server anywhere. https://www.npmjs.com/package/anywhere Description To embed a malicious tag with JavaScript code to execute, the / character is...