mycompany VDP: This test report has been disclosed by 20_root.
This test report has been disclosed by 20_root. ████...
Insightly: Email verification bypass via request to endpoint "accounts.insightly.com/signup/provisionuser"
The vulnerability allowed bypassing email verification when creating a new Insightly account. The vulnerability existed in the "EmailAddress" parameter of the member creation endpoint. By modifying the parameter, an attacker could create a new account using any email address, including those of...
U.S. Dept Of Defense: CSRF leads to Account takeover
The target website was found vulnerable to CSRF, allowing an attacker to perform actions on the user's behalf without their knowledge or consent. The vulnerable endpoint was identified at https://██████/account/profile/edit, where the user's profile information could be modified. A POC was...
Mozilla: Bypass Email verification for monitoring at `monitor.mozilla.org`
The email verification at monitor.mozilla.org was bypassed by leveraging a leaked verification token from the /api/v1/user/breaches endpoint. The verification token was then used to bypass the email verification process and gain access to monitor the email without the owner's permission...
HackerOne: Takeover of hackerone.engineering via Medium
The report describes a broken link hijacking vulnerability on the hackerone.engineering domain, which belonged to HackerOne. The domain was found to be pointing to a non-existent page on Medium, allowing the reporter to create a page with the same URL and take over the domain...
Mozilla: [ addons-preview-cdn.mozilla.net ] A subdomain takeover is available via unregistered domain in Fastly
The domain addons-preview-cdn.mozilla.net was found to CNAME resolve to addons.allizom.org, which was hosted on Fastly's service. The domain addons-preview-cdn.mozilla.net was not registered within Fastly, resulting in a "Fastly error: unknown domain" message. The vulnerability was demonstrated b...
Internet Bug Bounty: CVE-2024-45498: Apache Airflow Command injection in read_dataset_event_from_classic DAG
CVE-2024-45498 was a command injection vulnerability in the `read_dataset_event_from_classic` DAG in Apache Airflow version 2.10.0. The vulnerability allowed an attacker with user privileges to inject OS commands into the s3://output/1.txt dataset, which were then executed when the DAG was triggered...
Nextcloud: Share information of Tables app is not limited to affected users
The Tables app in Nextcloud disclosed share information to users who were not party to the share, rather than limiting it to the affected users...
Kubernetes: Injection in path parameter of Ingress-nginx
A vulnerability was discovered in the Ingress-nginx controller where an attacker could inject arbitrary content into the path parameter of an Ingress. This allowed the attacker to upload a malicious nginx configuration file to the ingress controller's file system and then include that file in a...
U.S. Dept Of Defense: CSRF leads to Account takeover
The CSRF vulnerability was found on the endpoint https://██████████/account/profile/edit, which allowed an attacker to modify the victim's account information, including their username, password, and email address, resulting in account takeover...
IBM: SSRF and secret key disclosure found on Turbonomic endpoint
The vulnerability of SSRF and secret key disclosure was found on a Turbonomic endpoint and reported to IBM. The issue was analyzed and remediated...
IBM: SSRF and secret key disclosure found on Turbonomic endpoint
The SSRF and secret key disclosure vulnerabilities found on the Turbonomic endpoint were reported to IBM, analyzed, and remediated...
U.S. Dept Of Defense: CSRF Attack leads to delete album at ████████
The report describes a CSRF vulnerability in the DoD asset ███████, specifically in the feature to create albums for a media collection. The vulnerability allows an attacker to delete a victim's album without the victim's consent, as the delete request is based on GET and lacks CSRF verification...
Mozilla: Private Emails of Moz Workers Leaked in Public file
Vulnerability description not provided...
IBM: SSRF via host header let access localhost via https://go.dialexa.com
The SSRF vulnerability via the host header was reported to IBM, analyzed, and remediated. The external researcher @mersa-v6 discovered this issue...
Monero: A peer can remotely fill the pending block queue to an extremely high size, with blocks that will never leave the queue.
The pending block queue in the Monero cryptocurrency protocol could be remotely filled to an extremely high size, up to approximately 54 GB, with blocks that would never leave the queue. This was possible due to lax rules in the synchronization code that allowed the queue size limit to be bypasse...
Mozilla: MozillaVPN: Elevation of Privilege via a Logic Vulnerability
The MozillaVPN vulnerability was a logic flaw that allowed an unprivileged attacker to gain root privileges on macOS during the installation process. The issue was a bypass for a previously fixed vulnerability and involved the use of symbolic links...
Basecamp: Critical Data Breach - Big Data for all domains
The researcher provided an Excel sheet that appeared to be a dump of a breach database. The origin of the data entries in the database was unclear. A small number of valid HEY accounts with enabled 2FA were found, as well as a slightly larger number of other product accounts with valid passwords...
Mars: RXSS on ████ via configUrl parameter
A Reflected Cross-Site Scripting RXSS vulnerability was reported on the Swagger UI page of the Royal Canin eVet API. The vulnerability was identified in the configUrl parameter of the URL. This security flaw allowed an attacker to inject malicious scripts into the web page, which were then execut...
MTN Group: Social media account takeover
The social media account for https://simfy.africa was taken over, allowing the attacker to redirect visitors to their own Instagram account. This vulnerability was demonstrated through a proof of concept video...
Glassdoor: █████████eflected █████████████████ Vulnerability in Glassdoor Blog ███earch
A reflected cross-site scripting vulnerability was discovered in the Glassdoor blog search functionality. The vulnerability was remediated by strengthening input validation and output encoding...
Enjin: Race Condition on Create API Function
A race condition was discovered that allowed users to submit multiple requests in rapid succession to create additional keys beyond the defined limit on the Enjin Platform Cloud service...
U.S. Dept Of Defense: Publicly Editable U.S. Air Force Google Spreadsheet Exposing Student Leave Data
The U.S. Air Force Google Spreadsheet that exposed student leave data was publicly editable, allowing any unauthorized user to access and modify the restricted contents...
Adobe: Unauthenticated Varnish Cache Purge
Vulnerability description not provided...
HackerOne: Bypass comment restriction
Vulnerability description not provided...
Monero: Spamming highly nested JSON RPC requests cause node to disconnect from p2p network
The vulnerability allowed an attacker to remotely lock monerod from syncing with the rest of the p2p network by forging a highly nested JSON payload and spamming it through a restricted RPC interface. The Epee JSON parser was found to allow duplicated fields and set a recursion limit that was too...
Internet Bug Bounty: CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link
A stored cross-site scripting (XSS) vulnerability was discovered in Apache Airflow versions before 2.10.0. The vulnerability allowed the developer of a malicious provider to execute arbitrary script code when a user clicked o...
GitLab: Login email verification bypass via `/oauth/token`.
Vulnerability description not provided...
Nextcloud: Nextcloud Tables app - inserting rows to an arbitrary table possible
The Nextcloud Tables app was found to have a vulnerability that allowed inserting rows to an arbitrary table. The vulnerability was disclosed in a security advisory...
U.S. Dept Of Defense: XSS found for https://█████████
The XSS vulnerability was found in the /web/guest/search endpoint, where the query parameter was not properly sanitized before being reflected in the server's response. An attacker could craft a malicious payload and trick a user into sending a POST request, allowing the execution of arbitrary...
curl: CVE-2024-8096: OCSP stapling bypass with GnuTLS
CVE-2024-8096 was a vulnerability in GnuTLS where the OCSP stapling validation process could be bypassed, allowing the establishment of a connection even when the certificate was revoked. The issue was caused by a flaw in the `gnutls_certificate_verify_peers2` function, which only returned an error wh...
GitLab: Removed Guest role user who dosent have access to private project in members able to view jobs
Vulnerability description not provided...
Ruby: Uncontrolled Resource Consumption when parsing maliciously crafted XML with REXML
The REXML library in Ruby was found to be vulnerable to an issue where parsing a maliciously crafted XML file could lead to uncontrolled resource consumption, resulting in a denial of service. The vulnerability was caused by a flaw in the namespace handling functionality of the REXML library...
U.S. Dept Of Defense: Improper Authentication Allows Making Appeals as Other Users
The vulnerability allowed unauthenticated users to submit appeals by manipulating HTTP responses. This undermined the security and integrity of the application, as users could perform actions reserved for logged-in users...
Mars: phpinfo() exposed on ██████████
The phpinfo page was exposed on the Royal Canin email automation API server, revealing sensitive system configuration details and technical information about the PHP environment...
U.S. Dept Of Defense: Improper Authentication Allows Making Requests as Other Users
A vulnerability was discovered that allowed unauthenticated users to submit requests as other users by manipulating HTTP responses. The vulnerability was caused by the application's failure to enforce strict authentication checks on sensitive endpoints, and its inability to properly validate serv...
Internet Bug Bounty: CVE-2024-7347: Buffer overread in the ngx_http_mp4_module
CVE-2024-7347 was a vulnerability in the `ngx_http_mp4_module` of NGINX Open Source and NGINX Plus. The vulnerability could have allowed an attacker to over-read NGINX worker memory, resulting in its termination, using a specially crafted MP4 file. The issue only affected NGINX if it was built with th...
Acronis: Potential XSS in redirect_url Parameter
A vulnerability was identified on https://learn.acronis.com/ in the `redirect_url` parameter, where arbitrary JavaScript code could be injected. By manipulating the `redirect_url` parameter, an attacker could execute JavaScript code in the victim's browser...
U.S. Dept Of Defense: CSRF Attack on changing security questions leads to full Account TakeOver
The CSRF vulnerability in the security questions and password reset functionality of the website allowed an attacker to change a victim's security questions and answers, and then leverage this to reset the victim's password and gain full control of the account...
U.S. Dept Of Defense: CSRF Attack leads to delete album at
The CSRF vulnerability was discovered in the media gallery feature of the DoD asset www.████████. The vulnerability allowed an attacker to delete albums without CSRF verification, as the delete request was based on a GET request. This could have led to the deletion of users' albums...
LinkedIn: Forced OAuth authorization using button ID in hash and holding space
The vulnerability allowed attackers to conduct a social engineering attack to trick users into authorizing a third-party app to bind to their LinkedIn account without explicit consent. The attack exploited the OAuth process by using a button ID in the hash and requiring the user to press and hold...
Internet Bug Bounty: CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
A vulnerability was discovered in Django where the `QuerySet.values()` and `values_list()` methods on models with a JSONField were subject to SQL injection in column aliases via a crafted JSON object key passed as an argument...
Internet Bug Bounty: [CVE-2024-35176] DoS vulnerability in REXML
A DoS vulnerability was discovered in the REXML gem. A specially crafted XML document with many '' characters in an attribute value could cause REXML to take a long time to parse it. This issue was assigned the CVE identifier CVE-2024-35176. Users were...
Internet Bug Bounty: CVE-2024-41989: Denial-Of-Service vulnerability in the floatformat template filter when input string contains a big exponent in scientific notation
CVE-2024-41989: A denial-of-service vulnerability was discovered in the floatformat template filter of the Django web framework. The vulnerability was caused by improper handling of input strings containing a large scientific exponent, leading to significant memory consumption on the server...
Sony: Clear Authentication Deficiencies & Potential for Man-in-the-Middle Attacks
The WH-1000XM5 headphones were found to have an authentication vulnerability that allowed an attacker to connect to the device without going through the proper pairing process. This vulnerability could be combined with existing Bluetooth attacks to enable man-in-the-middle attacks...
Mars: phpinfo() exposed on ██████████
A phpinfo page was exposed at the URL ███████. This configuration issue allowed sensitive system information to be publicly accessed...
HackerOne: Access to limited confidential information of private program as a Ex-reporter, Report Participant(external user) & Ex-staff member
The report described a vulnerability that allowed access to limited confidential information of a private program by ex-reporters, report participants, and ex-staff members of the program. The vulnerability was due to an endpoint that exposed details about the private program, including its...
MTN Group: Yet Another OTP code Leaked in the API Response
The OTP code was leaked in the API response, which compromised the purpose of its implementation. The application requested a phone number for authentication and sent an OTP code to the user, but the OTP was returned in the API response, exposing it to potential misuse...
U.S. Dept Of Defense: DoD workstation exposed to internet via TinyPilot KVM with no authentication
The DoD workstation was exposed to the internet via a TinyPilot KVM device without any authentication. The TinyPilot KVM device was connected to the workstation and allowed remote access to the system over the internet...
MTN Group: SQL injection in URL path leads to Database Access
The application https://corporate.admyntec.co.za/ was found to have an SQL injection vulnerability in its URL paths. User IDs, organization numbers, and other sensitive information were stored in the backend database without proper sanitization, allowing an attacker to exploit the vulnerability a...