New Relic: User to Admin privilege escalation in Infrastructure Conditions - /v2/accounts/1835740/alerts/conditions
Details The endpoints POST /v2/accounts/:accountid/alerts/conditions create new and PUT /v2/accounts/:accountid/alerts/conditions/:conditionid update existing on infrastructure-alert.service.newrelic.com are vulnerable to privilege escalation. As per the screenshot below, an account with regular...
LocalTapiola: Secure Client-Initiated Renegotiation
Renegotiation can open the door to attacks. There are two primary worries: CVE-2009-3555: This vulnerability allows a “man-in-the-middle” attacker to inject data into an HTTPS session and execute requests on behalf of the victim. Refer to CVE-2009-3555 for more details. Denial of Service DoS:...
Automattic: Stored XSS in www.learnboost.com via ZIP codes.
Summary --- www.learnboost.com is vulnerable to stored XSS via ZIP codes stored alongside school names in the Network panel. Browsers Verified In --- Mozilla Firefox 58.0b12 64-bit PoC --- Visit https://www.learnboost.com/settings/network/search and search for fro. My entry will trigger the XSS...
Uber: Hack The World 2017 Top 2 Bonus
Thanks for your participation in Hack the World 2017, @nutellite!...
Coinbase: Ethereum account balance manipulation
The researchers noticed an issue with our ETH receiving code when receiving from a contract. This allowed sending of ETH to Coinbase to be credited even if the underlying contract execution failed. The issue was fixed by changing the contract handling logic. Analysis of the issue indicated only...
VK.com: Manipulating the "Suggest stickers in input fields" setting on users' pages
The hash was missing from the requests that change sticker settings. Small mistake in the report: to enable, use 1 at the end. Enable: https://m.vk.com/attachments?ajax=1&act=stickershintsenabled&value=1 CSRF - THE ABSENCE OF THE HASH makes it possible to toggle sticker hints in input fields in the mobile version of VK! Тем...
Concrete CMS: Stored XSS on Add Calendar
Greetings, There is no soup like crayon soup with vegetables. Hello @Concrete5 Team. Like my last report 300532, I found another Stored XSS vulnerability in your nice CMS. If you don't mind I will omit what Stored XSS is and its description; hope everything is fine on your side about that :. The...
U.S. Dept Of Defense: SharePoint exposed web services
Microsoft SharePoint is a web application platform developed by Microsoft. Because of improper configuration an anonymous user has access to the SharePoint Web Services. The impact of this vulnerability The SharePoint Web Services can disclose sensitive information. This information can be used t...
Concrete CMS: Stored XSS on Add Event in Calendar
Greetings, In crayons we trust. Hello @Concrete5 Team. While checking the Hacktivity in your HackerOne Program I saw many reports regarding XSS, thus I will omit the description of the vulnerability I'm going to report now. After downloading Concrete5 8.3.1, released on 12/20/17, while searching for some...
U.S. Dept Of Defense: WebLogic Server Side Request Forgery
Universal Description Discovery and Integration UDDI application is publicly available on this WebLogic server. The SearchPublicRegistries.jsp page can be abused by unauthenticated attackers to cause the WebLogic web server to connect to an arbitrary TCP port of an arbitrary host. Responses...
Zomato: [www.zomato.com] Privilege Escalation - /php/restaurant_menus_handler.php
Introduction In the following ██████████ the endpoint /php/restaurant_menus_handler.php was found. This endpoint is meant solely to be accessible to admins; however, due to insufficient protections normal users can access this endpoint too. This results in any Zomato user being able to edit and...
LocalTapiola: The parameter in the POST query allows to control size of returned page which in turn can lead to the potential DOS attack
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Do not remove any subsections of this template. If the report is not complete, we will most likely close your report with no further action. QUALITY BEFORE QUANTITY. Remember, the more...
Shopify: Ability to bypass partner email confirmation to take over any store given an employee email
I told Pete I would take a look at Spotify, hi Pete. Summary It's possible to take over any store account through partners given an employee email address. This is possible because I found a way to confirm arbitrary emails. I don't know the Shopify ecosystem well enough to know the other...
Unikrn: [unikrn.com] Profile updated with error":true,"success":false"
Greetings, We noticed that even if https://unikrn.com/apiv2/user/updateprofile gave an answer that the code is in error, the post is processed: PoC: -- curl 'https://unikrn.com/apiv2/user/updateprofile' -XPOST -H 'Referer: https://unikrn.com/profile' -H 'Content-Type: application/json' -H...
Automattic: Stored XSS in learnboost.com via the lesson[goals] parameter.
Summary --- learnboost.com is vulnerable to stored XSS via the lesson[goals] parameter. Browsers Verified In --- Mozilla Firefox 58.0b12 64-bit PoC --- The payload I used was: html Click F249206 POST /apps/lesson/update HTTP/1.1 Host: www.learnboost.com User-Agent: Mozilla/5.0 X11; Linux x86_64;...
Brave Software: Torrent Viewer extension web service available on all interfaces
Summary: When files are downloaded via the Torrent Viewer, a local web service is spun up that allows the user to download the files. This web service listens on all interfaces, allowing anyone in the network to view what files are being downloaded, and download them from the user. This mostly...
Mavenlink: User uploaded portfolio files can be accessed by any user even after deleted
Reproduction: ========= 1. Log in as a user, e.g. user1 2. Create a portfolio by going to https://app.mavenlink.com/users/1234567-user1/worksamples/new (note: replace 1234567-user1 with the actual user id/name in the endpoint). 3. Upload any file to the new portfolio and click save. On the right side of...
Zomato: [https://reviews.zomato.com] Time Based SQL Injection
@samengmg found a cookie-based SQL injection on https://reviews.zomato.com. I noticed that two cookies were submitted during a request on the login page of https://reviews.zomato.com: orange and squeeze. Due to the oddly named cookies, I decided to fuzz them. Eventually, I discovered both are...
Hiro: REDIRECTION VULNERABILITY/HOST HEADER INJECTION VULNERABILITY
Hi. This is vyshnav nk. I need to report to you a vulnerability I have found in https://github.com/blockstack/blockstack-core/ https://github.com/blockstack/blockstack-core/ is vulnerable to a host header injection/redirection vulnerability. IMPACT:- Attack vectors are somewhat limited but depend...
Razer US: SQL Injection on careers.razerzone.com within the Admin interface without any access credentials
The researcher discovered a SQL Injection vulnerability on our careers.razerzone.com host, which is used to list job openings for Razer worldwide and receive application submissions from potential hires. This vulnerability could have allowed the exfiltration of admin credentials as well as person...
LocalTapiola: Cleartext protocol after bank authentication (yrityspalvelu.tapiola.fi)
Issue The reporter found a redirect from https-http-https in the late stages of the authentication process. Fix The issue was fixed. Reasoning Although no authentication information was leaked, session related data could in theory also leak at this stage of the authentication process, hence a...
Uber: udi-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint
Summary The udi-id request parameter at the https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js mobile endpoint is copied into a javascript string encapsulated in double quotation marks, resulting in SSL-protected payloads being reflected unmodified in the application's response. The script-src whitelis...
Uber: muber-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint
Summary The muber-id request parameter at the https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js mobile endpoint is copied into a javascript string encapsulated in double quotation marks, resulting in SSL-protected payloads being reflected unmodified in the application's response. The script-src...
Uber: lite:sess Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint
Summary The lite:sess request parameter at the https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js mobile endpoint is copied into a javascript string encapsulated in double quotation marks, resulting in SSL-protected payloads being reflected unmodified in the application's response. The script-src...
Zomato: [www.zomato.com] Privilege Escalation - Control reviews - /████dashboard_handler.php
Introduction The handler that controls all the ███ actions for reviews is accessible for any user. The following actions are thus being left open to anyone: getmanagerstatus read███████ unread██████████ ████████ feature██████ unfeature████████ moderate████ unmoderate█████ drop ███ sendmail...
Uber: SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint
Summary The ga request parameter at the https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js mobile endpoint is copied into a javascript string encapsulated in double quotation marks, resulting in SSL-protected payloads being reflected unmodified in the application's response. The script-src whitelist at...
Uber: SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint
Summary The cc request parameter at the https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js mobile endpoint is copied into a javascript string encapsulated in double quotation marks, resulting in SSL-protected payloads being reflected unmodified in the application's response. The script-src whitelist at...
Mail.ru: XSS in the sender field, BETA version of mail
Reflected user-assisted XSS in "Unsubscribe" beta feature via crafted e-mail From: header...
RBKmoney: DOM-based Cross-Site Scripting in redirect url checkout
The application was exposed to the XSS vulnerability. The code was injected through the "javascript:" URL schema. If the invoice was successfully paid, the code was executed...
GSA Bounty: Link poisoning on https://secure.login.gov/ login page
This link leads to the genuine secure.login.gov login page, in French: https://secure.login.gov/fr?host=portswigger.net However, if you try to change the language to English using the bar at the bottom, you'll end up on an external website of my choice. As users won't expect changing their language t...
Open-Xchange: Stored XSS
Vulnerability Details: Script code within Presentations is being executed when transferring it to the clipboard. This is done by "copying" or "cutting" text using keyboard commands. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggerin...
HackerOne: Markdown parsing issue enables insertion of malicious tags and event handlers
When markdown is being presented as HTML, there seems to be a strange interaction between and @ that lets an attacker insert malicious tags. Proof of Concept : hello is rendered converted to the following HTML: /http:hello As you can see, the output includes a /http:marquee tag that I can add...
QIWI: Information disclosure on https://paycard.rapida.ru
Hello, I would like to report information disclosure on one of your sub-domains due to some files that might contain some useful information. Basically i have found 3 files that might giveaway some information about the infrastructure : 1 composer.json 2 composer.lock 3 package.json I found all t...
GitLab: Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook
The secret token field of a webhook is vulnerable to a new line injection, allowing an attacker to inject non-HTTP commands in a TCP stream. When a GitLab instance is configured with an external Redis instance, e.g. on 127.0.0.1:6379, it may result in arbitrary code execution on a Sidekiq worker ...
OV-chipkaart: Personal data of all Dutch public transport cards ("OV-Chipkaart") accessible
███████████████████████████████...
Open-Xchange: [XSS] Mail <style> v2.0
Hi. New way for 269116. Testing rev17. OX check data before remove / /, therefore a filter bypass: html .a font-family: ; font-family: ; font-family: ; For example: json "content": ".a font-family: ", Result: html ox-c3a5f76596 .ox-c3a5f76596-a font-family: Impact malicious code injection...
Ed: Fix for self-DoS in Security-txt Chrome Extension.
@sp1d3rs found a self-DoS vulnerability in the Security-txt Chrome Extension. He was also kind enough to provide a fix, which you can find on GitHub. We merged @sp1d3rs' fix when he submitted a PR. We later decided that it was better to stop using XHR and use Fetch instead, a newer API. This was th...
Shopify: Bypass Filter and get Stored Xss
Description Shopify allows developers to create a special type of application called a "Sales Channel". Developers are allowed to upload a 16x16 SVG "Navigation Icon" for their app provided the SVG follows the design guidelines which limits the allowed elements and attributes. For some reason whe...
HackerOne: Domain spoofing in redirect page using RTLO
Summary: Hello, Domains can be spoofed on redirect page using RTLO. Description Include Impact: Using http://[email protected] & RTLO method, i found a way where redirect page host detection can be spoofed Steps 1. Insert this on report Just Click Here 2. On click of link, it will redirect to...
Mavenlink: Information disclosure when trying to delete an expense's attachment on m.mavenlink.com
There was an information disclosure vulnerability in a particular error message on the mobile site. Using this vulnerability, it was possible to gain access to the filename of certain un-owned attachments...
Informatica: [marketplace.informatica.com] - Template Injection
The researcher has identified and reported a "Template Injection" vulnerability in one of Informatica's domain and helped us in resolving the issue...
Open-Xchange: SSRF - RSS feed, blacklist bypass (301 re-direct)
FYI - Tested on local installation of App Suite 7.8.4 REV 17 Hello, There appears to be another SSRF re-direct vulnerability, similar to my earlier reports that will allow scanning of the App Suite local ports or internal hosts, regardless of blacklist protection in place. The endpoint is the...
Open-Xchange: SSRF - RSS feed, blacklist bypass (IP Formatting)
FYI - Tested on local installation of App Suite 7.8.4 REV 17 Hello, There appears to be a SSRF vulnerability in the below endpoint. This is due to a failure in the App Suite code when evaluating an IP address against a blacklist. The SSRF is limited to scanning hosts on port 80/443 but accuracy i...
WordPress: MediaElements XSS
The reporter disclosed a reflected XSS vulnerability in MediaElement's Flash files, which are bundled in WordPress. MediaElement and WordPress released versions 4.2.8 and 4.9.2, respectively, which resolve the issue...
RBKmoney: Text manipulation in https://checkout.rbk.money
Phishing / social engineering via text manipulation on html form labels...
Semrush: Single Sign-On - Clickjacking
Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on. Browsers Verified In: Any Steps To Reproduce: Create an HTML file containing...
Uber: Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication
Summary Configuration file and/or source code information leakage without Uber OneLogin SSO authentication. Security Impact Misconfiguration on the server results in information leakage without authentication. Reproduction Steps...
Uber: Design Issue at riders.uber.com/profile
Summary Hello, This is not actually a security threat but a design issue. When a user logs into rush.uber.com, he will get an option called Account Information; when clicked, it takes the user to the page https://riders.uber.com/trips where the user can edit his profile information. Here the user can...
GitLab: Command injection by overwriting authorized_keys file through GitLab import
The Projects::GitlabProjectsImportService contains a vulnerability that allows an attacker to write files to arbitrary directories on the server. This leads to an arbitrary command execution vulnerability by overwriting the authorized_keys file. To reproduce, sign in to a GitLab instance that has...