RubyGems: Installer can modify other gems if gem name is specially crafted
Installer can modify other gems if gem name is specially crafted. The install_location function allows writing to certain files outside the installation directory. The install_location function in lib/rubygems/package.rb attempts to ensure that files are not installed outside destination_dir. However...
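The summary above describes a containment check whose job is to keep every extracted file under destination_dir. The snippet below is an added illustration of that class of check and is not RubyGems' code: it contrasts a naive string-prefix test (bypassed by a sibling directory reached through "..") with a check that resolves the path first and then requires "destination plus separator" as the prefix. Directory and file names are constructed for the example.

```ruby
# Added example: path containment for an installer (not RubyGems' own code).
require 'pathname'

# Naive check: join and test a bare string prefix.  "/tmp/gems" is a
# prefix of "/tmp/gems/../gems-evil/x", so a ".." hop into a sibling
# directory passes, and nothing has resolved the ".." segments.
def naive_inside?(destination_dir, relative_path)
  candidate = File.join(destination_dir, relative_path)
  candidate.start_with?(destination_dir)
end

# Hardened check: expand both paths (this resolves "..", "." and an
# absolute relative_path), then accept only the destination itself or a
# path that begins with "destination + File::SEPARATOR".  The separator
# is what stops "/tmp/gems-evil" from matching "/tmp/gems".
def safe_install_location(destination_dir, relative_path)
  base = File.expand_path(destination_dir)
  candidate = File.expand_path(relative_path, base)
  unless candidate == base || candidate.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "refusing to install #{candidate} outside #{base}"
  end
  candidate
end

# Boolean convenience wrapper around the hardened check.
def safe_inside?(destination_dir, relative_path)
  safe_install_location(destination_dir, relative_path)
  true
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  dest = '/tmp/gems'                       # constructed destination for the demo
  ['lib/foo.rb', '../gems-evil/x', '/etc/passwd', '..'].each do |rel|
    puts format('%-16s naive=%-5s safe=%s', rel, naive_inside?(dest, rel), safe_inside?(dest, rel))
  end
end
```

File.expand_path does not follow symlinks; if the destination may already contain attacker-created links, resolve with Pathname#realpath on the parent directory before the prefix test.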
WordPress: Reflected SWF XSS in plugins.svn.wordpress.org
Hello, I have found an XSS in the Flash file video-js.swf on plugins.svn.wordpress.org and a Content Spoofing vulnerability in moxieplayer.swf. POC: https://plugins.svn.wordpress.org/1player/tags/1.3/players/video-js/video-js.swf?readyFunction=alert%27Hello%27 F222664...
Internet Bug Bounty: Denial of service in libxml2, using malicious lzma file to consume available system memory
Reported to the libxml2 devs on 23 August 2017. Patched on 7 September 2017. It was discovered through fuzzing that malicious LZMA-compressed files could consume large amounts of memory when decompressed, thus posing a DoS risk. I am unsure if a CVE will be assigned in this case. od -tx1 ./test000...
Razer US: Database credentials leak on the https://razer-id.razerzone.com/
The tester discovered database parameters left around in a YAML file that was publicly visible. The credentials were for a database that was no longer in use and never stored sensitive data, but we consider this a good find anyway because this was out of bounds of our security practices. I...
Razer US: Open redirect on oauth2.razerzone.com due to missing verification of redirect-uri parameter on /thirdparty endpoint
Thanks to SP1D3RS for a great report. Although there was some initial difficulty verifying this vulnerability in triage, he was very professional and helpful working with the team to make sure this was understood. This was fixed in production on 10/16. I discovered the Open Redirect on the...
Razer US: Open redirect on oauth2.razerzone.com caused by server misconfiguration when using triple slash after hostname
Another solid report from this tester, who helped us nail down the issue when it was only intermittently reproducible. We appreciate the hard work. I discovered the Open Redirect on oauth2.razerzone.com due to improper handling of multiple/encoded slashes and dots in the URL path. POC link:...
VK.com: XSS in a group invitation
No filtering of parameters when inviting to a group. A hole in the invite-friends-to-group menu that allowed embedding code via the url...
Zomato: [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint
The hacker is able to get the PI (Personal Information) of any Zomato user...
Kaspersky: Keys
Check the attachment...
Nextcloud: WordPress < 4.8.2 vulnerable to multiple attacks
Hello team, Summary: I observed that your website https://nextcloud.com still uses a WP version lower than 4.8.2, which is vulnerable to multiple attacks. I reported it so that the team will be aware of it. Below are the newly discovered bugs that you can find in this release:...
Internet Bug Bounty: Optionsbleed / CVE-2017-9798
Bug has been disclosed here: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html poc code: https://github.com/hannob/optionsbleed Apache is currently preparing 2.4.28, which will contain the fix, a patch is available in their svn repo...
HackerOne: Report Private Links Leaks to Google Analytics via Query String Param
Hello HackerOne Team, According to HackerOne privacy HackerOne sometimes partners with third-party services which may use various tracking technologies to provide certain services or features, including targeted online marketing. These technologies allow a partner to recognize your computer or...
ownCloud: Banner Grabbing - Apache Server Version Disclosure
Hello ownCloud, I'd like to report a nice little bug. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is used to get information about remote servers. I've captured the HTTP request while visiting https://marketplace.owncloud.com/ and...
Mail.ru: XSS in an email, in the message body.
Hello! The XSS fires on e.mail.ru, m.mail.ru, light.mail.ru and in the mobile application. The vulnerability is present in style parameters; in ...here... it fires if the characters are escaped. The working vector here is single backslashes; in the example further below the hosting trimmed them down to single ones: i\\ Sending...
Nextcloud: Banner Grabbing - Apache Server Version Disclosure
Hello Nextcloud, I'd like to report a nice little bug. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is used to get information about remote servers. I've captured the HTTP request while visiting https://customerupdates.nextcloud.com an...
Tor: Tor Project - Full Path Disclosure
Vulnerability description not provided...
Mail.ru: XSS on https://account.mail.ru/login via postMessage
The message handler on the page https://account.mail.ru/login does not check the source (origin), which allows calling any available command from an arbitrary resource: js // https://img.imgsmail.ru/ag/0.3.3/authGate.js:formatted function ca a = a || window.event; var c, d, h = , i = a.data, j = a.source; i...
Tor: SQL Injection in parameter REPORT
Vulnerability description not provided...
Moneybird: Bypass of Rate limiting in secure_session endpoint's password input will lead to user password disclosure
The rate limit for entering a password to start a secure session was too low. This allowed for brute force password guessing when an attacker would gain access to an existing session of a user. We have solved the issue by making the password rate limit the same as the regular login procedure...
Legal Robot: External links to be in HTTP
Hello Legal Robot Team. On looking at report 260591 I saw on the main page https://www.legalrobot.com/ that some external links are not set to be HTTPS. On clicking those links I get redirected to HTTPS. Check the attachment and see the other circled one, which also appears to be the same issue. Thanks...
Starbucks: SQL injection in partner id field on https://www.teavana.com (Sign-up form)
While signing up for a "teavana" shopping account it came to my notice that the partner id validation fails and SQL injection exists. So this is what I did: 1. Visit https://www.teavana.com/us/en/account 2. Click on sign in / create shopping account 3. In partnerno, gave an input of "1234" 1.PNG Resu...
Tor: Report Regarding Security Vulnerability
Vulnerability description not provided...
HackerOne: Emails of invited collaborators are disclosed in full in payload for report participants
Summary: HackerOne added a new feature in which hackers can add collaborators to their reports. This can be done in two ways: 1. by email address 2. by user name. Adding hackers using their email address doesn't disclose the email address of the hacker, and every participant will see something lik...
Hiro: Cross site request forgery
An e-mail signup form does not check CSRF tokens. This would allow the creation of click-able links which perform an e-mail signup. Because the e-mail signup form does not pass any sensitive information, nor perform any state changes on behalf of a user, this is not a vector for attack...
Hiro: Weak crossdomain.xml
The e-mail list management service used by Blockstack operated by MailChimp has a lenient cross-domain flash policy -- this is not a vulnerability, however, the crossdomain.xml used by the mailing service is more lenient than used by normal web services...
Snapchat: Subdomain Takeover via unclaimed UserVoice domain
@benocular found a bitstripsforschools CNAME entry pointing to an unclaimed UserVoice domain, which could be taken over by an external party. The CNAME entry was for a product that is no longer active...
Ubiquiti Inc.: Remote Code Execution at http://tw.corp.ubnt.com
The researcher found a Command Injection in tw.corp.ubnt.com. While hunting I came across a host of Ubiquiti Networks, tw.corp.ubnt.com; when I browsed to http://tw.corp.ubnt.com there was directory listing enabled which contained various sensitive information. This was reported to the Ubiquiti Team. Howev...
Hiro: Clickjacking https://blockstack.org/
https://blockstack.org/ does not return an X-FRAME-OPTIONS header. However, because blockstack.org does not contain any endpoints where the UI is rendered to invoke a state change action on behalf of users, we do not believe that click-jacking presents a security vulnerability. see this informati...
Brave Software: Homograph Attack Bypass [ Tested on Linux & Windows ]
Summary: In 175286 it has been patched, and I tried it and it works, but I've another way to bypass it. When we add a site to our Homepage with @, it does not validate a URL properly; make sure it displays the punycode. Products affected: Brave 0.18.36 Linux & Windows Steps To Reproduce: 1. In browser add...
Legal Robot: Missing homograph filter character
A security researcher pointed out that while fixing report 260938, we missed one homograph of a latin l character...
Razer US: CORS Misconfiguration leading to disclosure of access_token and account takeover!
The researcher discovered that the SSO endpoint for oauth2.razerzone.com, which is a web API server for our Razer ID architecture, did not properly validate the origin header of the caller. This would allow any caller to obtain a user's access token, which combined with other techniques, could...
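The entry above turns on one thing: whether the server compares the request's Origin header against an exact allowlist before echoing it back on a credentialed response. The code below is an added example of that comparison and is not Razer's code: it shows a suffix test of the kind that a lookalike host defeats next to a strict parse-and-match, plus the header set a credentialed CORS response should carry. The allowlist entries and attacker hostnames are constructed for the example.

```ruby
# Added example: Origin validation for a credentialed CORS endpoint
# (illustrative, not Razer's implementation).
require 'uri'

# Constructed allowlist for the example; a real service would load it from
# configuration.  Entries are full origins: scheme + host (+ non-default port).
ALLOWED_ORIGINS = %w[
  https://razer-id.razerzone.com
  https://www.razerzone.com
].freeze

# Weak validation: a suffix test on the raw header.  Any attacker-owned
# host whose name merely ends in the string passes (evilrazerzone.com),
# and a plain-http origin passes too.
def weak_origin_allowed?(origin)
  !origin.nil? && origin.end_with?('razerzone.com')
end

# Strict validation: parse the header as a URI, insist on https and an
# empty path, rebuild the origin from its parts and compare it exactly
# against the allowlist.  "null", malformed values, other schemes and
# lookalike hosts all fall through to false.
def strict_origin_allowed?(origin)
  return false if origin.nil? || origin.empty?
  uri = begin
    URI.parse(origin)
  rescue URI::InvalidURIError
    return false
  end
  return false unless uri.scheme == 'https' && uri.host && uri.path.to_s.empty?
  port = uri.port == 443 ? '' : ":#{uri.port}"
  ALLOWED_ORIGINS.include?("https://#{uri.host.downcase}#{port}")
end

# Headers an SSO endpoint should emit for a given Origin.  A credentialed
# response must echo one exact origin (never "*") and be marked
# Vary: Origin so a shared cache never hands one origin's headers to
# another.  An unknown origin gets no CORS headers at all, so the browser
# refuses to expose the response (and the token in it) to that page.
def cors_headers(origin)
  return {} unless strict_origin_allowed?(origin)
  {
    'Access-Control-Allow-Origin' => origin,
    'Access-Control-Allow-Credentials' => 'true',
    'Vary' => 'Origin'
  }
end

if __FILE__ == $PROGRAM_NAME
  ['https://razer-id.razerzone.com', 'https://evilrazerzone.com',
   'http://razer-id.razerzone.com', 'null'].each do |o|
    puts format('%-34s weak=%-5s strict=%s', o, weak_origin_allowed?(o), strict_origin_allowed?(o))
  end
end
```

The check is deliberately strict about the path: a real Origin header is scheme, host and optional port only, so anything carrying a path or query is treated as not an origin rather than normalised.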
X (Formerly Twitter): Sensitive Information Disclosure https://cards-dev.twitter.com
Dear Twitter Team, While researching one of your domains, cards-dev.twitter.com, I discovered that the host is disclosing sensitive information when a user browses to a specific directory, https://cards-dev.twitter.com:443/keys/. The application downloads a file json.json which discloses the...
Internet Bug Bounty: CVE-2017-13038 The PPP parser in tcpdump before 4.9.2 has a buffer over-read in print-ppp.c:handle_mlppp().
Reported to the devs on 11 June 2017. Tcpdump 4.9.2 released on 8 September 2017. Patch: https://github.com/the-tcpdump-group/tcpdump/commit/7335163a6ef82d46ff18f3e6099a157747241629 The PPP parser in tcpdump before 4.9.2 has a buffer over-read in print-ppp.c:handle_mlppp(). ./tcpdump -nr test003...
Internet Bug Bounty: CVE-2017-13010 The BEEP parser in tcpdump before 4.9.2 has a buffer over-read in print-beep.c:l_strnstart().
Reported to the devs on 6 March 2017. Tcpdump 4.9.2 released on 8 September 2017. Patch: https://github.com/the-tcpdump-group/tcpdump/commit/877b66b398518d9501513e0860c9f3a8acc70892 The BEEP parser in tcpdump before 4.9.2 has a buffer over-read in print-beep.c:l_strnstart(). ./tcpdump -n -r test005...
Internet Bug Bounty: CVE-2017-13009 The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-read in print-mobility.c:mobility_print().
Reported to the devs on 6 March 2017. Tcpdump 4.9.2 released on 8 September 2017. Patch: https://github.com/the-tcpdump-group/tcpdump/commit/db8c799f6dfc68765c9451fcbfca06e662f5bd5f The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-read in print-mobility.c:mobility_print(). ./tcpdum...
Internet Bug Bounty: CVE-2017-13008 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements().
Reported to the devs on 6 March 2017. Tcpdump 4.9.2 released on 8 September 2017. Patch: https://github.com/the-tcpdump-group/tcpdump/commit/5edf405d7ed9fc92f4f43e8a3d44baa4c6387562 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements(). ./tcpdump -n ...
Internet Bug Bounty: CVE-2017-12986 The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer over-read in print-rt6.c:rt6_print().
Reported to the devs on 4 February 2017. Tcpdump 4.9.2 released on 8 September 2017. Patch: https://github.com/the-tcpdump-group/tcpdump/commit/7ac73d6cd41e9d4ac0ca7e6830ca390e195bb21c The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer over-read in print-rt6.c:rt6_print(). ./tcpdump...
Internet Bug Bounty: CVE-2017-12985: The IPv6 parser in tcpdump before 4.9.2 has a buffer over-read in ip6_print()
Reported to the devs on 4 February 2017. Tcpdump 4.9.2 released on 8 September 2017. Patch: https://github.com/the-tcpdump-group/tcpdump/commit/66df248b49095c261138b5a5e34d341a6bf9ac7f The IPv6 parser in tcpdump before 4.9.2 has a buffer over-read in print-ip6.c. ./tcpdump -nr test003 reading fro...
GitLab: all private tokens are leaked to an unauthenticated attacker
Using the API, one can obtain the authentication token for any user on GitLab: $ curl -s --request GET https://gitlab.com/api/v4/users/951422 | jq '.authentication_token' "redacted" We can then use this token to impersonate any user and perform any action they can perform: $ curl --request POST...
GSA Bounty: Homograph attack
Hi there, greetings for the day, hope you are doing good. In Federa localhost I found a homograph attack. Here I made a homograph for ebay.com; when you see this link it looks like a normal, simple text link, but no, it's not. However, when you click on this particular link you might think that you are...
Legal Robot: Failed OutLink on Terms of Service
Hi team, I found a failed outlink on the Terms of Service on https://www.legalrobot-uat.com/faq/. When I open it and read about your service, it shows me the page "404: Page Not Found" with this link: https://www.legalrobot-uat.com/faq/"/terms". Please check the real link on your website...
Boozt Fashion AB: booztfashion.com URL should HTTPS
Hi team, I clicked on Investor Relations on http://www.boozt.com/ and the outgoing links do not use HTTPS. Please fix soon. This is just for awareness to use HTTPS everywhere, even for outgoing links, where it's possible. Treat this report with some salt, not as in hashes. Navigate to: http://www.boozt.c...
Legal Robot: Venturebeat.com URL should be HTTPS
This is just for awareness to use HTTPS everywhere, even for outgoing links, where it's possible. Navigate to: https://www.legalrobot-uat.com/ Example page: in the lower part where you find the observer.com link, observer redirects to HTTPS after the click, but the cookie is sent on the network before...
New Relic: [Synthetics/Infrastructure/everything] Individual account permissions are not properly managed and inherited on sub accounts
I've been poking around with sub accounts since I exploited 219356 and gave myself access to New Relic pro features, and I found a few things that seem to have been overlooked after the user management overhaul that happened a few weeks ago. When you have a sub account on your account, you get thi...
GSA Bounty: Nginx misconfiguration leading to direct PHP source code download
Poc: https://www.data.gov/app/plugins/saml-20-single-sign-on/saml/config/config.php...
Tor: solving TOR vulnerability, in order to make bruteforce difficult
Vulnerability description not provided...
Mail.ru: XSS in biz.mail.ru/error
Hello again! I've found an open redirect issue and the possibility to bypass your filters to add direct links in a tag. Domain, site, application: biz.mail.ru/error Testing environment: latest Chrome Steps to reproduce: 1. go to https://biz.mail.ru/error/500/?from=%20https://www.google.com 2. click Refres...
Mail.ru: A manager of a given group of users might still have access to any user account from any group that he no longer administrates.
Domain, site, application: biz.mail.ru Testing environment: Latest Chrome Steps to reproduce: Ok, this one pretty much depends on the scenario, so let's assume that an Evil Manager exists with a network knowledge level higher than medium. At first let's say that there is such a role as...
Hiro: Information Disclosure
It looks like I can access the notification panel of any user. https://forum.blockstack.org/u/username/notifications Just change the username to the desired username and you are redirected to their notification panel...
Hiro: No Confirmation Email For Email Change
https://forum.blockstack.org/u/username/preferences/email Hello, it looks like there is a security flaw in this part. While changing the email address from email1 to email2, a confirmation email is sent to email2, not to email1, which is the main account. This can lead to account loss if someone has us...