Starbucks: Subdomain takeover on developer.openapi.starbucks.com
Hi team, Summary: Subdomain developer.openapi.starbucks.com is vulnerable to subdomain takeover via the Mashery service. The reason why it worked is unfortunately not fully clear to me. Details: Doing my recent research on starbucks.com subdomains, I stumbled upon http://developer.openapi.starbucks.co...
Mail.ru: Stored XSS using SVG on subdomain infra.mail.ru
It was possible to execute the script in the context of https://infra.mail.ru:8080/ by publishing static script-containing file such as SVG or XML in "Infra" service. This context doesn't use cookies for authentication, but XSS could allow phishing / content spoofing. This problem was addressed b...
X (Formerly Twitter): Blind XSS in Mobpub Marketplace Admin Production | Sentry via demand.mopub.com (User-Agent)
Summary: I've identified a Blind XSS vulnerability that fires in the Mobpub Marketplace Admin Production | Sentry dashboard and can be triggered by sending an HTTPS request to an endpoint on the domain demand.mopub.com. Description: I've sent the following HTTPS request to the following URL...
Ubiquiti Inc.: Stored XSS in dev-ucrm-billing-demo.ubnt.com In Client Custom Attribute
Hey, I was testing the subdomains when I came across the subdomain https://dev-ucrm-billing-demo.ubnt.com/. I logged in as an Administrator and while testing I added a User, and in Client Custom Attribute 1 I added the payload: """"/ and saved the Client, and then on the client page, i.e.:...
IRCCloud: Missing robots exclusion header for user uploads
User uploaded text files can be linked from external websites and end up appearing in search engine result pages if you perform a search such as: site:.irccloud-cdn.com ext:txt It's not possible to completely prevent such listings on all search engines, but some search crawlers support the...
Automattic: Stored XSS Using Media
Hi, Summary: This exploits an XSS vulnerability on polldaddy.com Steps to Reproduce: 1. Create a multiple-choice question quiz on Polldaddy 2. Insert stored XSS payload into Media Embed such that it matches the shortcode format Payload: 3. When someone goes on the quiz page through the quiz share...
Weblate: Account Restore / Reactivating an old email via old reset link
Hi, I noticed you now send a confirmation link after loading the reset link, below is a screenshot showing the email and highlighting the error. F227060 Best Regards, @footstep...
HackerOne: Pending member invitations are not revoked on program name change
Summary: When a private program updates the handle of its HackerOne program, former team members can see the new updated handle using an old invitation link. The invitation link looks like https://hackerone.com/invitations/ This may also be true for participants participating in private programs but ...
Mail.ru: touch.mail.ru/messages - Stored XSS
XSS in touch.mail.ru image preview feature via crafted attachment filename...
RubyGems: Gem signature forgery
Summary: Inconsistencies in how gem processes gem files make it possible to reuse a signature from an existing signed gem and apply it to arbitrary contents. The forged gem will install even with -P HighSecurity. The attached file multijson-1.12.2.gem is a forged version of the genuine...
WakaTime: Can link to websites from profile
When I input a website into my profile it creates a tag link: test.org. This is a flaw. How? If the owner of the profile adds a malicious link, it is possible to redirect the user to a phishing page impersonating WakaTime. Here's the scenario of this attack: 1. The attacker puts a malicious link on his profile. 2. Once t...
WakaTime: password token validation
Hello, when I reset my password, all tokens remain valid and can be used. Only the token from the last request should stay valid, or you can invalidate all reset links after one of the requests has been used successfully. Steps: 1. Go to the password reset page and make more than one request. 2. Go to your email and use...
Instacart: Get all instacart emails - missing rate limit on /accounts/register
Hey Instacart team, When signing up for an account, you enter your email. When this email is already in use, the server responds with ""errors":"email":"has already been taken"" This is not a problem, but the fact that you could send this request an unlimited number of times is the issue. This way we can easi...
Tor: Use of uninitialized value in crypto_pk_num_bits (src/common/crypto.c:971)
Vulnerability description not provided...
Tor: Use of uninitialized value in memarea_strdup (src/common/memarea.c:369)
Triggered in 51e4748, compiled with clang 6.0.0-trunk and -fsanitize=memory. ./fuzz-hsdescv2 test001 Uninitialized bytes in __interceptor_strlen at offset 0 inside 0x7fff5525ff80, 51 ==19693==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x5570edfe5fbd in memarea_strdup...
RubyGems: Remote code execution on rubygems.org
When parsing a gem POSTed to the /api/v1/gems endpoint, the rubygems.org application immediately calls Gem::Package.new(body).spec inside app/models/pusher.rb. The authors of the application correctly observed that parsing untrusted YAML is dangerous since it can serialize more or less arbitrary...
Imgur: Xss on community.imgur.com
Hello Team, Description: I found a reflected cross site scripting on community.imgur.com. Steps To Reproduce: Visit https://community.imgur.com/email/[email protected]%27%22%3E%3Csvg/onload=alert(document.domain)%3E F226739 Regards, Santhosh...
Mail.ru: Stored XSS when you read emails. <style>
Hello team, I have found stored XSS when you read emails via html tag. PoC: div background-image: url"data:image/jpg;base64,"; background-color: cccccc; lol F226715...
Mail.ru: Outdated ImageMagick leads to uninitialized server memory disclosure
It was possible to disclose part of the server memory from an uncontrolled location on the account.my.com project via uploaded GIF image header manipulation. account.my.com is not currently in the Bug Bounty scope; the reward was paid as a bonus due to the potential severity. CVE-2017-15277...
Paragon Initiative Enterprises: Invited user to an Author profile can remove the owner of that Author
SUMMARY: A user invites another user to his Author profile by giving ownership. Later, the invited user can completely remove the real owner from that Author. STEPS TO REPRODUCE:...
Grab: stored xss in comments : driver exam
@pareshparmar found a Stored XSS vulnerability in an out-of-scope third party web application used by Grab. We decided to make an exception to our bug bounty policy here and accepted this out-of-scope finding because we believed that the stored XSS was a real risk for our customers. With the...
Snapchat: Subdomain Takeover via Unclaimed WordPress site
@ysx found a bitstripsforschools CNAME entry pointing to an unclaimed WordPress domain, which could be taken over by an external party. The CNAME entry was for a product that is no longer active. An unclaimed WordPress domain mapping upgrade could be leveraged to assume the...
Legal Robot: cross site web socket hijacking
In the web-socket request below, a successful 101 protocol handshake works with the origin https://app.legalrobot.com, but if you put a malicious origin in place of https://thisdata.com, such as http://evil.com or any page containing malware, the web socket server is still giving 10...
Tor: https://get.ooni.torproject.org/
Vulnerability description not provided...
RubyGems: Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier
We received this report via security@ from [email protected], I'm filing here for tracking and visibility purposes... "I was looking at commit 8d91516fb7037ecfb27622f605dc40245e0f8d32, which was the fix for the DNS hijacking issue CVE-2017-0902. The function still handles the DNS response in ...
Rockstar Games: Your support community suffers from angularjs injection and must be fixed immediately [CRITICAL]
In this report, the researcher found that due to our implementation of AngularJS on our Support site, we were susceptible to limited-scope code injection attacks. Particularly, they found that by injecting ... blocks in the comment body parameter, they were able to cause errors that could be...
VK.com: Stored XSS in the add-audio functionality of the WYSIWYG editor
XSS in Wiki...
Legal Robot: Allowance of Meta/Null characters
Dear sir, I am very happy to report a vulnerability to Legal Robot. Recently, report 260468 was disclosed publicly, and that report describes the length restrictions on the profile fields "first name and last name". Now, I am reporting another vulnerability regarding those profile fields...
Paragon Initiative Enterprises: CSRF token is not validated during blog comment
SUMMARY: I tested that all POST requests have a CSRF token. During Author profile creation a CSRF token is also posted. Now, when I removed this CSRF token, it shows an error like below: CSRF validation failed 0 /var/www/csprng/src/Cabin/Bridge/Controller/Author.php52:...
VK.com: Stored XSS on the "Authorization widget" page
Self-XSS on the widget documentation page. Whether this is Self-XSS or not, I leave to the judgment of the community. But my personal opinion is that the VK team is still mistaken here. To exploit the vulnerability, the attacker had to: Create an application named javascript:alert(1);// Add the targeted...
Grab: www.drivegrab.com SQL injection
Summary: The website uses a WordPress plugin called Formidable Pro. I found an SQL injection in the plugin code. Description: The plugin allows the site admin to create forms to be filled in by users. To this end it implements some AJAX functions, including one to preview or actually just view a...
Automattic: Invalidate session after password reset on https://polldaddy.com
Hi there, I found a broken session bug on your website. Your website is unable to validate the session. That may lead to takeover of a victim's account. Reproduce: 1. Go to https://polldaddy.com and log into your account from two different browsers. 2. Now change the password from any browser you are already logged in...
Tor: Content spoofing on
Vulnerability description not provided...
Paragon Initiative Enterprises: Improper access control leads to deletion of anyone's comment
SUMMARY: Here the server doesn't check the owner of any comment. During comment deletion it does not check whether the comment was created by the user or not, so I can delete another user's comment. STEPS TO REPRODUCE: 1. Go to https://localhost:8080/blog/commen...
Radancy: [werkenbijmcdonalds.nl] Unsafe-inline in "script-src" results in "bootstrapping" or passing data to JavaScript from HTML pages.
Hi Dear Maximum Team, Hope you are good! Vulnerability Summary: The HTTP header of the werkenbijmcdonalds.nl website includes an unsafe-inline parameter for "script-src". Impact: However, the "script-src" parameter is set to "unsafe-inline" or "unsafe-eval", which allows injection of user passed...
WordPress: Information / sensitive data disclosure on some endpoints
Hello team! While doing a preliminary recon on .wordpress.org I've come across a few sensitive files that should not be facing the public web; I'll leave you a list organized by criticality and some proof. High priority .travis.yml configuration file with credentials php maintenance/install.php...
X (Formerly Twitter): Unauthorized Access to Protected Tweets via niche.co API
Hello, Summary: Normally, if a victim user sets their tweets to private/protected in the Tweet privacy setting, other users will not be able to see their recent or past statuses/tweets when they visit the victim's profile. People can only see the victim's profile images and information about how...
Gratipay: Adding Used Primary Email Address to attacker account and Account takeover
Summary: I just found that Gratipay is vulnerable to adding a used Primary Email Address to an attacker account and to account takeover. Description: I was looking at the source code of the application and I found that, "If the email address [email protected] is already added in the X...
Yelp: Leaking sensitive information lead to compromise employer API keys
The configuration file of an internal IRC bot which included credentials to internal services and some external services used by Yelp developers was inadvertently included by an employee in a personal public GitHub repository. The repository was taken down and the affected credentials rotated...
WakaTime: Validation of Password reset tokens
Dear sir, At first, I am very happy to report an issue. Three months ago, I reported to WakaTime, and again I am reporting another issue now. Note: This report is similar to 244614, which was previously reported at the start of this bug bounty program. Vulnerability: If two password reset toke...
Shopify: ability to install paid themes for free
Hi, Description: While searching for access control issues on Shopify I noticed a subdomain of Shopify, https://themes.shopify.io, which gave me the opportunity to install and download paid themes for free. POC: 1. Go to https://themes.shopify.io/login and log in. 2. Select one of the paid themes and...
Ubiquiti Inc.: Authenticated RCE in ToughSwitch
In ToughSwitch v1.3.5 and prior, due to lack of validation it is possible to execute a CSRF. If an authenticated user accesses an attacker-controlled web page, it could trigger the CSRF and the resulting request could trigger an RCE. An RCE vulnerability existed in the ToughSwitch that could be...
Tor: Multiple Path Traversal Vulnerabilities
Vulnerability description not provided...
VK.com: XSS in Products
No filtering in product search. Some characters were not filtered in the product search. Because of another built-in filter everything was reduced to ="" and it was not possible to execute JS. A way around this was found the same day, and it was possible to execute JS:...
Shopify: User with removed manage shops permissions is still able to make changes to a shop
Description: It has been noticed that when a partner account user with manage shops permissions installs an app in one of the managed shops, he is still able to make changes to the shop through that app although his manage shops permissions were revoked on partners.shopify.com. POC: 1. Create...
Rockstar Games: Stored XSS via Send crew invite
In this report, the researcher was able to demonstrate a vulnerability in our Crew Invite mechanism that could have allowed an attacker to carry out a Stored XSS attack. By modifying a request in-flight and injecting unexpected characters in the Invitation message body, it was possible to escape...
Aspen: Information leakage on django.aspen.io
Hi Team, I got an error message that discloses the version of nginx with OS details, and the version of nginx is vulnerable to integer overflow. Impact: By seeing this information an attacker can only throw an integer overflow attack in order to get sensitive information. Finally, I request you to remove...
U.S. Dept Of Defense: 2 vulnerabilities of arbitrary code in ████████ - CVE-2017-5929
Summary: GitHub repo: https://github.com/████████ QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. High Severity Arbitrary Code Execution Vulnerable module: ch.qos.logback:logback-core Introduced through:...
Legal Robot: External links should be served in HTTPS.
Summary: This is just for awareness to use HTTPS everywhere, even for outgoing links, where possible. Treat this report with some salt, not as in hashes. Navigate to: https://www.legalrobot.com/events/2017/06/12/ICAIL/ Some of the external links on that page redirect to HTTPS after...
Unikrn: Weak Session ID Implementation - No Session change on Password change
Summary: Weak session ID implementation. Description: Unikrn does not change the session ID after the password is changed. Reusing the same session IDs after the password is changed is highly risky. Example scenario: A hacker has successfully brute forced the password of a victim and has access to the account. The...