15290 matches found
Valve: Reflected XSS in www.dota2.com
Hi guys, Description I found another XSS in www.dota2.com. This time it is located in http://www.dota2.com/international/live/5/5/1. However, it seems that you can change the /5/5 folders to any other number to confirm, and it still worked. I tested this on...
Razer US: Authenticated DOM-based XSS in deals.razerzone.com via the rurl parameter.
The researcher discovered that deals.razerzone.com was vulnerable to Authenticated DOM-based XSS via the rurl parameter, which could allow account hijacking via session cookies. The researcher identified the specific code snippet and provided two PoCs with different techniques. Another great repo...
WordPress: Arbitrary file deletion in wp-core - guides towards RCE and information disclosure
Vulnerable place 1: wp-admin/post.php. $newmeta['thumb'] is placed into the DB unsanitized, directly from user input: case 'editattachment': check_admin_referer('update-post_' . $post_id); // Don't let these be changed unset($_POST['guid']); $_POST['post_type'] = 'attachment'; // Update the thumbnail filename $newmet...
Slack: Shared-channel BETA persists integration after unshare
@oneiroi discovered a bug in the Shared Channels Beta wherein notifications may still be delivered to an unshared channel previously shared. This did not affect data not in notifications, and we patched and performed a thorough investigation. Thanks for the report @oneiroi!...
Nextcloud: SQL Injection found in NextCloud Android App Content Provider
Using Drozer, we identified that com.nextcloud.client is vulnerable to SQL injection. Here is the output from drozer: dz> run scanner.provider.injection -a com.nextcloud.client Scanning com.nextcloud.client... Not Vulnerable: content://com.nextcloud.android.providers.UsersAndGroupsSearchProvider...
Valve: Link filter protection bypass
Description Hi, there is a protection bypass in the linkfilter function. By using the character 。 (%E3%80%82 URL-encoded) instead of a normal dot in URLs, it is possible to bypass the blocking. PoC Normal request: https://steamcommunity.com/linkfilter/?url=pornhub.com F240919 Bypass:...
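The report above describes a filter that compares the submitted host string against a blocklist before any normalization, so a host spelled with an IDNA-equivalent dot (U+3002, and likewise U+FF0E and U+FF61) never matches even though browsers resolve it as the same name. The following is an added example written for this listing, not Valve's linkfilter code: the blocklist entries are constructed, and the fix shown is to canonicalize the host with Python's idna codec (which splits labels on all four dot variants) before comparing.

```python
import urllib.parse

# Constructed blocklist for the demonstration; the real filter's list is not on the page.
BLOCKLIST = {"example.net", "blocked.example"}

def raw_host(url: str) -> str:
    """Host part of the URL exactly as submitted. The PoC passes a bare host
    with no scheme, so treat a scheme-less value as a network location."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url
    return urllib.parse.urlsplit(url).hostname or ""

def canonical_host(url: str) -> str:
    """Host after IDNA ToASCII: U+3002 / U+FF0E / U+FF61 become '.', non-ASCII
    labels become punycode, case is folded, and a trailing dot is dropped.
    Raises ValueError (UnicodeError) when the name cannot be canonicalized."""
    host = raw_host(url)
    return host.encode("idna").decode("ascii").rstrip(".").lower()

def naive_is_blocked(url: str) -> bool:
    """The pattern the report bypasses: compare the submitted string as-is."""
    return raw_host(url) in BLOCKLIST

def hardened_is_blocked(url: str) -> bool:
    """Compare the canonical host, so 'example。net' and 'example.net' agree.
    Anything that cannot be canonicalized is blocked (fail closed)."""
    try:
        return canonical_host(url) in BLOCKLIST
    except ValueError:
        return True

if __name__ == "__main__":
    for candidate in ("example.net", "example\u3002net", "https://EXAMPLE\uff0enet/x"):
        print(f"{candidate!r}: naive={naive_is_blocked(candidate)} "
              f"hardened={hardened_is_blocked(candidate)}")
```

The same canonical form should also be what the redirect target is built from; blocking on one representation and redirecting on another reintroduces the bypass.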
HackerOne: IDOR on Program Visibilty (Revealed / Concealed) against other team members
Hi HackerOne Team, Summary: When you are a part of a program security team, you have a choice to show in your profile that you are a member of the sec team, you can also hide it if you don't want to show it to your profile, any team member can do that using your profile settings here:...
Automattic: Crafted frame injection leading to form-based UI redressing.
Summary One can inject iframes into a note and create a login form that sends the user's details to a third-party server. Once again I will let the PoC do most of the explaining. PoC Paste the following snippet into a Simplenote and then view it in the preview panel. I am using the latest stable...
Automattic: [Simplenote for Windows] Client RCE via External JavaScript Inclusion leveraging Electron
Hi, A carefully crafted injection in the Markdown parser within Simplenote for Windows can be leveraged to achieve remote code execution via an external JavaScript file. The nature of Simplenote's content sharing system, which makes use of tags containing email addresses, means that an adversary...
HackerOne: Introspection query leaks sensitive graphql system information.
Summary: Introspection query leaks sensitive data. Introduction As we know, GraphQL was initially developed and used by Facebook as an internal query language, and so the features of GraphQL mostly revolve around internal and development areas. GraphQL executes queries using a type system with the...
Mail.ru: XSS on account.mail.ru/login
Vulnerability on the page https://account.mail.ru/login and preparation of files for the attack --------------------- During testing I noticed that on the page https://account.mail.ru/login the value of the v parameter is not validated. The value is output on the page as-is and is used in the path to a script...
Monero: Kovri: potential buffer over-read in garlic clove handling + I2NP message creation
Brief ----- There is a lack of sanitization checks when handling Garlic messages in the kovri I2P router. Sending a specially crafted Garlic message can cause the router to send onward an I2P message containing leaked RAM data, triggering a massive information leakage. Technical Details: ==========...
Electroneum: Hackerone [Mainsite Vulnerability]
Hello, I was checking out the website Electroneum – Crowdfunding Token Sale – Electroneum – the mobile based cryptocurrency for any vulnerabilities through HackerOne. I would like to submit a vulnerability for consideration towards a bounty. Currently you have the file...
Hacker Target: Sending Emails from DNSDumpster - Server-Side Request Forgery to Internal SMTP Access
Summary: HackerTarget is a service that provides access to online vulnerability scanners and tools used by many security professionals and "makes securing your systems easier". They also are the creators of DNSDumpster, which is a popular service used for recon. Description:...
Kaspersky: Hard Coded username and password in registry
I was using a tool called RegShot to take a snapshot of the registry before and after installation in order to see what changes were being made in the registry, and I discovered hard-coded credentials. I have attached the full comparison details of the registry changes, but these are the lines and...
Valve: MySQL username and password leaked in developer.valvesoftware.com via source code disclosure
Hey there it looks like you are relying on a script that cleans up your backup process on developer.valvesoftware.com: /scripts/finalcleanup.sh: Remove files post cleanup rm -r $SITEPATH/data rm $SITEPATH/.sql rm $SITEPATH/.sql.gz rm $SITEPATH/.tgz rm $SITEPATH/.tar.gz rm $SITEPATH/.log rm -r...
OWOX, Inc.: Server-side cache poisoning leads to the http://my.dev.owox.com inaccessibility
By using a single specially crafted URL, it was possible to cause service inaccessibility for all users who visit the site, as a result of an infinite redirect loop. I discovered an issue where, by using a single specially crafted URL, it was possible to cause service inaccessibility for all users who...
Ed: Chrome Extension is vulnerable to the self-DOS issues in case it process the security.txt with a big size
Description Hello. First of all, thanks for the invite. Here is the keyword: frog. I discovered a self-DOS issue which affects the Chrome extension. Impact I marked the impact as low, because it will affect only the browser tab and will not impact other browser tabs. The issue happens due to processing...
HackerOne: Information Disclosure when /invitations/<token>.json is not yet accepted
Hi Team, Summary: First, I just want to clarify that this finding seems to be a purely human mistake by one of the HackerOne team members who created a summary of this report: 283309 --- I have found that you guys (HackerOne) were disclosing an email address and a private program as part of this report summar...
Aspen: Session doesn't get expired after changing the password in https://readthedocs.org
Session doesn't get expired after changing the password in https://readthedocs.org...
Infogram: Persistent XSS in share button
Persistent XSS in "Share" button was found: 1. In custom link field for "Share" button add: ". 2. Share the infographic publicly, navigate to its public URL and click the "Share" button. 3. See that pop-up window activates...
Mail.ru: CSRF on biz.mail.ru
Hello, I found a CSRF on biz.mail.ru. PoC: the system thinks that we wanted to add these domains to our account; in an hour we will receive emails: "Need help confirming the domain .com?" F239336 Thank you for your attention. Regards, Jeyhun Jafarov c37hun...
Trello: Able to run script on https://trello-attachments.s3.amazonaws.com/ [N/A]
Hi Trello Security Team, this is Pratik from India. I have found a stored XSS on your website; this is a critical issue that needs to be patched before some attacker exploits this...
U.S. Dept Of Defense: X-XSS-Protection -> Misconfiguration
Hi there, URL: https://www.sfl-tap.army.mil/ I have seen that the website is using the X-XSS-Protection header, but it has a strange configuration. When I take a look at securityheaders, I see that you use this configuration: X-XSS-Protection: DENY. DENY is used for the X-Frame-Options...
Automattic: Improper markup sanitization.
Summary One can inject HTML into a note and create a login form that sends the user's details to a third-party server. This was a fun issue to play around with. I will let the PoC do most of the talking for a change. PoC Paste the following HTML into a Simplenote. I am using the Simplenote app...
HackerOne: Program profile metrics endpoint contains mean time to triage, even when turned off
Description Include Impact: when a bug bounty program disables its profile metrics, which show the Response Efficiency, there is still some data leaked in the response of the following endpoint: hackerone.com/PROGRAMHANDLE/profilemetrics.json This endpoint leaks the meantimetotriage although the...
Concrete CMS: Reflected XSS vulnerability in Database name field on installation screen
"Leave me in a room with some crayons and I'll draw on the wall." Platform information Issue: Core CMS issue Version: Concrete5 - 8.2.1 (md5 00080d5a625ddbaece643894f67d57b1), downloaded today from the official download site. Short description There is a reflected XSS vulnerability in the Database Name field o...
RubyGems: [gem server] Stored XSS via crafted JavaScript URL inclusion in Gemspec
Hi, A JavaScript URL injection in the homepage field within a Gemspec file can be leveraged to achieve stored XSS on the default gem server web interface, referenced here. When you install RubyGems, it adds the gem server command to your system. This is the fastest way to start hosting gems. As...
Ubiquiti Inc.: Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300
In AirOS 6.1.5 and prior, due to a lack of validation it is possible to bypass the CSRF protection in certain web pages. If an authenticated user accesses an attacker-controlled web page, it could trigger the CSRF, and the resulting request could modify the device configuration and create a stored XSS, with the XSS...
Semrush: Following links are vulnerable to clickjacking
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: The below list...
Legal Robot: Exposes a series of other private credentials
Hi, I found a JavaScript file which has many private credentials. JS File https://app.legalrobot.com/meteorruntimeconfig.js Code meteorruntimeconfig = "meteorRelease":"[email protected]","meteorEnv":"NODEENV":"production","TESTMETADATA":"","PUBLICSETTINGS":"analyticsSettings":"Google...
AlienVault : DNS pinning SSRF
Hello there, this is for the otx.alienvault.com domain, but I couldn't mark it in the drop-down menu. I saw the note about the 2 weeks, so I decided to report this. Summary: I've found that you can perform an SSRF attack with DNS pinning and read the response from the URL http://169.254.169.254 Browsers...
Urban Dictionary: Stored XSS on urbandictionary.com
Hi team, I have found an XSS flaw on your site in the add page. PoC in this video...
GSA Bounty: Subdomain Takeover
@picklepwns discovered a subdomain takeover attack. Technically, the domain was out of scope for our Vulnerability Disclosure Policy. We want to remind hackers to please limit their testing to domains explicitly listed in that scope which is repeated on our HackerOne program page for convenience...
Bitwarden: Vulnerable exported broadcast receiver
Good evening, This is actually in your code base this time. Since the following broadcast receiver has exported=true, it can be exploited by third parties. Vulnerability com.x8bit.bitwarden.PackageReplacedReceiver has exported set to true, making the receiver vulnerable to tampering. F238236 POC I wa...
Internet Bug Bounty: SSL_peek() hang on empty record (CVE-2016-6305)
As described here: https://www.openssl.org/news/secadv/20160922.txt...
X (Formerly Twitter): POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204)
Summary: POODLE SSLv3 bug on multiple twitter smtp servers Description: CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle...
IRCCloud: [IRCCloud Android] Theft of arbitrary files leading to token leakage
Bug description Hi, I'd like to report a vulnerability which allows theft of arbitrary protected files and, as a result, account takeover, because all tokens will be leaked, similar to my bug reported to Harvest https://hackerone.com/reports/161710 This one is really tricky; I spent two days to...
HackerOne: Additional bypass allows SSRF for internal netblocks
It turns out there is another bypass in the private_address_check gem. The gem does not include 0.0.0.0 in the exclusion list in the first place. irb(main):001:0> require 'private_address_check' => true irb(main):002:0> PrivateAddressCheck.private_address?("0.0.0.0") => false I was able to bypass your filter by...
Semrush: Cross-origin resource sharing
Issue: Cross-origin resource sharing: arbitrary origin trusted. The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application allowed access from the requested origin https://hhgdhgjgbrg.com Since the Vary: Origin...
Infogram: Bruteforcing Coupons
Hi, while I was fuzzing for API endpoints I found this endpoint: https://infogram.com/api/discounts The first thing that came to my mind was bruteforcing the coupon codes, so I gave it a try and it worked! There's no rate limit on that endpoint, so an attacker could use it to bruteforce the coupon cod...
Aspen: Email Spoofing
There is an Email Spoofing Vulnerability. Steps to reproduce: 1 Go to http://emkei.cz/ 2 Fill the "From Email" field with [email protected] or any other aspen email. 3 Fill the victim's address (your address) into the "TO" field and fill in other details as you wish. You will receive an email from the aspen admin...
Phabricator: Command injection on Phabricator instance with an evil hg branch name
Hi phabricator, I found that an evil branch name in an hg repo can lead to arbitrary command injection on a phabricator instance. Here are the reproduction steps: 1. Monitor a remote mercurial repo with phabricator; 2. Create a branch on the remote called "--config=hooks.pre-log=wget"; 3. After...
AlienVault : Public .htaccess/.htpasswd/.canvas files lead to password disclosure.
I am a big fan of fuzzing/bruteforcing. After my last submission 288533 on http://data.alienvault.com, I decided to go further. After some bruteforcing I came across this directory, which looked kind of interesting to me: http://data.alienvault.com/snort/ When you try to access the directory you will ge...
Zomato: User Profiles Leak PII in HTML Document for Mobile Browser User Agents
@chriszielinski found that user personal information was leaking when you make a request using mobile user agent...
VK.com: CSRF creation of a poll on behalf of a user, knowing the application id. + a small flood of messages on the wall
CSRF on poll creation from an application...
AlienVault : Server Side Request Forgery protection bypass № 2
Hi, you haven't fixed the vulnerability. This is the bypass of report 287762. This is a classic example of a URL bypass. POC https://www.threatcrowd.org/domain.php?domain=173.0302.0x2c.70 https://www.threatcrowd.org/domain.php?domain=0xad.0xc2.0x2c.0x46...
Rockstar Games: SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE
In this report, the researcher found that by submitting crafted SVG files, he was able to establish a listener on our server that enabled SSRF attacks. This potentially could have been pivoted to carry out more damaging attacks as well. We improved our validation of user-submitted SVG files to...
Valve: LFI in pChart php library
Local File Inclusion LFI vulnerability in the pChart php library...
AlienVault : SSRF bypass #2 (using octal encoding) on the https://www.threatcrowd.org/domain.php
Description The latest SSRF fixes can be bypassed using octal encoding of the AWS IP. There is another, more general bypass which can't be fixed using blacklisting; it is reported in 288183. POC https://www.threatcrowd.org/domain.php?domain=0251.00376.000251.0000376 F237500 Suggested fix As wa...
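The three SSRF entries above (the private_address_check gem missing 0.0.0.0, and the two threatcrowd.org bypasses using hex, octal and mixed-radix dotted forms) are one pattern: the filter parses the target strictly, treats anything that fails to parse as a harmless hostname, and the HTTP client downstream accepts the classic inet_aton() grammar. The following is an added example written for this listing, not the gem's or AlienVault's code. It reimplements that grammar so the bypass is visible without depending on the platform's libc, and shows the naive check beside a hardened one. The inputs 2852039166 (a single 32-bit integer) and 127.1 are my additions to show the other shorthand forms; the rest are the PoC values from the reports. For real hostnames the check must be applied to every resolved A/AAAA answer and the connection pinned to that answer, which this example does not do.

```python
import ipaddress
import re

# One inet_aton() component: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _parse_part(s: str) -> int:
    if not _PART.match(s):
        raise ValueError(f"bad component {s!r}")
    if s[:2].lower() == "0x":
        return int(s[2:], 16)
    if len(s) > 1 and s[0] == "0":
        return int(s, 8)
    return int(s)

def inet_aton_lenient(text: str) -> ipaddress.IPv4Address:
    """Parse an IPv4 literal the way the BSD inet_aton() grammar (used by curl,
    browsers and most libc resolvers) does: 1 to 4 dot-separated components,
    each decimal/octal/hex, with the last component filling the remaining bytes.
    So '0251.00376.000251.0000376', '0xa9.0xfe.0xa9.0xfe' and '2852039166'
    are all 169.254.169.254, and '127.1' is 127.0.0.1."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("1-4 components required")
    values = [_parse_part(p) for p in parts]
    head, last = values[:-1], values[-1]
    if any(v > 0xFF for v in head):
        raise ValueError("component out of range")
    remaining_bytes = 4 - len(head)
    if last >= 1 << (8 * remaining_bytes):
        raise ValueError("final component out of range")
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << (8 * remaining_bytes)) | last
    return ipaddress.IPv4Address(packed)

def naive_is_private(target: str) -> bool:
    """The pattern behind the bypasses: strict parse, and anything that does
    not parse is assumed to be a hostname and allowed through."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False            # the octal/hex PoC strings land here
    return ip.is_private or ip.is_link_local

def hardened_is_private(target: str) -> bool:
    """Canonicalize every literal form first, then classify it. 0.0.0.0 is
    caught by is_unspecified (the case the gem report says was missing)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        try:
            ip = inet_aton_lenient(target)
        except ValueError:
            return False        # a real hostname: resolve and check each answer instead
    return (ip.is_private or ip.is_link_local or ip.is_loopback
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

if __name__ == "__main__":
    for t in ("0251.00376.000251.0000376", "0xad.0xc2.0x2c.0x46",
              "173.0302.0x2c.70", "2852039166", "127.1", "0.0.0.0"):
        try:
            canon = str(inet_aton_lenient(t))
        except ValueError:
            canon = "-"
        print(f"{t:28} -> {canon:16} naive={naive_is_private(t)!s:5} "
              f"hardened={hardened_is_private(t)}")
```

Blacklisting string forms never converges, which is the point the second AlienVault report makes: the filter has to operate on the canonical address (and on the address actually connected to), not on the text the user typed.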