
15267 matches found

Hacker One
•added 2024/07/31 8:43 p.m.•7 views

MTN Group: OTP code Leaked in API Response

The application allowed users to sign up for device insurance. When getting a quote, an OTP code was sent to the user's phone number for authentication, but the same OTP code was also returned in the API response...

AI score 7.1
Exploits: 0

Hacker One
•added 2024/07/31 6:12 p.m.•3 views

HackerOne: IDOR Vulnerability at AddTagToAssets operation name

The IDOR vulnerability was discovered in the AddTagToAssets operation name of a GraphQL endpoint. The vulnerability allowed an attacker to obtain the IDs of custom tags created by a victim by decoding the base64-encoded tagId parameter in the request. This revealed the format and pattern of the t...

AI score 6.8
Exploits: 0

Hacker One
•added 2024/07/30 7:32 a.m.•601 views

Zomato: OTP Bypass via Response Manipulation

OTP (One-Time Password) bypass via response manipulation is a technique where an attacker intercepts and alters the server's response to bypass the OTP verification step. Response Manipulation: The attacker manipulates the server's response. For example, they might change a response indicating OTP...

AI score 7.1
Exploits: 0

Hacker One
•added 2024/07/30 5:16 a.m.•71 views

curl: CVE-2024-7264: ASN.1 date parser overread

Vulnerability description not provided...

CVSS 6.5 • AI score 6 • EPSS 0.00796
Exploits: 1

Hacker One
•added 2024/07/27 9:00 a.m.•5 views

RubyGems: Host Header Attac

The application was vulnerable to a Host Header Injection vulnerability. The Host header was manipulated to redirect users to arbitrary domains or potentially poison web caches...

AI score 7.5
Exploits: 0

Hacker One
•added 2024/07/27 12:21 a.m.•7 views

Acronis: Rate limit bypass on passport.acronis.work using X-Forwarded-For request header

The vulnerability allowed an attacker to bypass the rate limit and the restriction on attempting to log in to employee accounts using the X-Forwarded-For request header on the passport.acronis.work website...

AI score 7
Exploits: 0

Hacker One
•added 2024/07/25 7:46 a.m.•4 views

U.S. Dept Of Defense: Sensitive data exposure: █████████ candidate resumes/CVs available to download with no authentication through BAC/IDOR/Improper Salesforce config

The sensitive data exposure vulnerability allowed an attacker to download thousands of candidate resumes and other confidential files without authentication through a Salesforce community site...

AI score 7.1
Exploits: 0

Hacker One
•added 2024/07/24 5:09 p.m.•4 views

Internet Bug Bounty: Unbounded memory growth with session handling in TLSv1.3

Some non-default TLS server configurations were found to cause unbounded memory growth when processing TLSv1.3 sessions. The issue was caused by a problem with the session cache management in certain scenarios involving the SSL_OP_NO_TICKET option. This could lead to a Denial of Service...

CVSS 5.9 • AI score 6.7 • EPSS 0.08833
Exploits: 0

Hacker One
•added 2024/07/24 7:19 a.m.•13 views

Internet Bug Bounty: curl: stack-buffer overread during punycode conversions

A vulnerability was discovered in libcurl's URL API function curl_url_get when it performed punycode conversions. When converting a 256-byte domain name, the function read outside of a stack-based buffer, potentially leaking adjacent stack memory as part of the converted string. The flaw was...

CVSS 4.3 • AI score 4.4 • EPSS 0.0099
Exploits: 1

Hacker One
•added 2024/07/24 7:11 a.m.•43 views

Internet Bug Bounty: libcurl: freeing stack buffer during x509 certificate parsing

libcurl's ASN1 parser had a vulnerability in the utf8asn1str function used for parsing an ASN.1 UTF-8 string. The function could detect an invalid field and return an error, which would trigger a free of a 4-byte local stack buffer. This could lead to a crash or potential memory corruption,...

CVSS 7.5 • AI score 7.1 • EPSS 0.01302
Exploits: 1

Hacker One
•added 2024/07/23 7:31 a.m.•47 views

Reddit: IDOR lets a malicious user reveal the unpinned achievement badges of any Reddit user

Vulnerability description not provided...

AI score 7.1
Exploits: 0

Hacker One
•added 2024/07/22 11:58 a.m.•3 views

Automattic: Race condition on add 1 free domain

A race condition vulnerability was discovered on the Gravatar platform, which allowed users to bypass the limitation of claiming only one free custom domain. The vulnerability was triggered by creating multiple parallel requests to the public-api.wordpress.com endpoint, where the "meta" parameter...

AI score 7.1
Exploits: 0

Hacker One
•added 2024/07/22 7:44 a.m.•32 views

U.S. Dept Of Defense: XSS on ███████

The report describes an XSS vulnerability found on the ████████ website. The vulnerability was triggered by visiting a specific URL with a crafted parameter. The impact of the vulnerability was that it could allow an attacker to execute arbitrary JavaScript code in the victim's browser...

AI score 6.6
Exploits: 0

Hacker One
•added 2024/07/21 9:01 p.m.•9 views

Adobe: Disclosure of git metadata and springboot actuator information

The vulnerability involved the disclosure of git metadata and Springboot actuator information, which was responsibly disclosed and addressed through collaboration with the hacker...

AI score 7
Exploits: 0

Hacker One
•added 2024/07/19 3:02 a.m.•64 views

Internet Bug Bounty: important: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows (CVE-2024-40898)

important: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows (CVE-2024-40898). A vulnerability was reported in the Apache HTTP Server that allowed Server-Side Request Forgery (SSRF) in the server/vhost context on Windows systems with mod_rewrite enabled. This vulnerability was...

CVSS 9.1 • AI score 7.4 • EPSS 0.00735
Exploits: 5

Hacker One
•added 2024/07/18 11:18 p.m.•5 views

Nintendo: [Switch, PIA/MK8DX] Stack buffer overflow and potential RCE in PIA (LAN/LDN, possibly NEX) room info deserialization

The vulnerability was a stack buffer overflow and potential remote code execution issue in the LAN/LDN and possibly NEX room information deserialization process of the PIA application on the Nintendo Switch. The vulnerability could have been exploited by an attacker in a LAN/LDN or NEX room...

AI score 8.5
Exploits: 0

Hacker One
•added 2024/07/18 4:22 p.m.•3 views

Acronis: Potential XSS Vulnerability in Acronis Login Callback URL

The Acronis login callback URL was found to be vulnerable to cross-site scripting (XSS) attacks. The redirectUrl parameter in the URL was not properly sanitized, allowing an attacker to inject arbitrary JavaScript code. This could have been exploited to steal user session cookies...

AI score 6
Exploits: 0

Hacker One
•added 2024/07/18 2:54 p.m.•7 views

FetLife: Able to see location coordinates in any event without permission to do so

The vulnerability allowed attackers to view the location coordinates of events in the response of the /events/event-id endpoint, even when the event host had hidden the exact address from non-RSVP users. This was possible because the coordinates were included in the response regardless of the...

AI score 6.9
Exploits: 0

Hacker One
•added 2024/07/18 12:09 p.m.•6 views

MTN Group: Unauthenticated phpinfo()files could lead to ability file read at h2f54.n1.ips.mtn.co.ug [/dashboard/]

The phpinfo files at h2f54.n1.ips.mtn.co.ug were left unauthenticated, potentially allowing remote attackers to obtain sensitive information about the web server configuration...

AI score 6.7
Exploits: 0

Hacker One
•added 2024/07/16 2:07 a.m.•60 views

curl: CVE-2024-6874: macidn punycode buffer overread

libcurl at commit 58772b0e082eda333e0a5fc8fb0bc7f17a3cd99c contained a stack-buffer overread in the function mac_idn_to_ascii that could be triggered when the host of a URL was converted to punycode. The root cause was in the function uidna_nameToASCII_UTF8, which left the output buffer unterminat...

CVSS 4.3 • AI score 4.7 • EPSS 0.0099
Exploits: 1

Hacker One
•added 2024/07/12 6:52 p.m.•2 views

GitLab: Remove obsolete domain from handbook subdomain

Vulnerability description not provided...

AI score 7.1
Exploits: 0

Hacker One
•added 2024/07/12 6:27 p.m.•12 views

U.S. Dept Of Defense: Boolen Based Blind Sql Injection Via User Agent in ███.mil

The report describes a boolean-based blind SQL injection vulnerability in the User-Agent header of the ███.mil application. The vulnerable parameter was identified, and the vulnerability was confirmed by injecting a payload that triggered different application responses based on the boolean...

AI score 8.1
Exploits: 0

Hacker One
•added 2024/07/12 2:41 p.m.•57 views

Internet Bug Bounty: CVE-2024-3416: MTU of 4096 or greater without fragmentation may cause NGINX worker processes to leak previously freed memory

A vulnerability was discovered in NGINX Plus or NGINX OSS when configured to use the HTTP/3 QUIC module. If the network infrastructure supported a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets could cause NGINX worker processes to leak previously...

CVSS 9.8 • AI score 7.6 • EPSS 0.00189
Exploits: 1

Hacker One
•added 2024/07/12 9:25 a.m.•26 views

HackerOne: Bypassing HackerOne 2FA due to race condition

A race condition vulnerability was discovered in HackerOne's 2FA reset process. The issue allowed an attacker to initiate multiple parallel 2FA reset requests, resulting in multiple reset notification emails. When a user canceled one reset request, the remaining requests would stay active,...

AI score 6.9
Exploits: 0

Hacker One
•added 2024/07/11 4:44 p.m.•34 views

U.S. Dept Of Defense: Blind Sql Injection in https://████

A SQL injection vulnerability was discovered in the User-Agent parameter of the website "https://██████████/". The vulnerability allowed an attacker to inject SQL commands through the User-Agent HTTP header...

AI score 8.2
Exploits: 0

Hacker One
•added 2024/07/11 3:59 p.m.•8 views

Nextcloud: X-E2EE-SIGNATURE verification can be bypassed, leading to loss of confidentiality of end-to-end encrypted files

The X-E2EE-SIGNATURE verification was found to be vulnerable, leading to the potential loss of confidentiality of end-to-end encrypted files...

CVSS 7.5 • AI score 6.6 • EPSS 0.00491
Exploits: 0

Hacker One
•added 2024/07/09 4:15 p.m.•69 views

Internet Bug Bounty: CVE-2024-38875: Denial-Of-Service through uncontrolled resource consumption caused by poor time complexity of strip_punctuation .

The vulnerability CVE-2024-38875 was discovered in the strip_punctuation function used by the urlize and urlizetrunc filters. The function had a poor time complexity of O(n^2) in the worst case, which could lead to uncontrolled resource consumption when processing input with a large number of openin...

CVSS 7.5 • AI score 6 • EPSS 0.00304
Exploits: 0

Hacker One
•added 2024/07/09 2:34 a.m.•4 views

Internet Bug Bounty: fs.fchown/fchmod bypasses permission model

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The vulnerability allows operations such as fs.fchown or fs.fchmod to bypass the permission model by using a "read-only" file descriptor to change the owner...

CVSS 3.3 • AI score 3.7 • EPSS 0.00095
Exploits: 0

Hacker One
•added 2024/07/07 7:01 p.m.•52 views

HackerOne: TOTP Authenticator implementation Accepts Expired Codes

Vulnerability description not provided...

AI score 7.1
Exploits: 0

Hacker One
•added 2024/07/07 8:20 a.m.•4 views

Django: SQL injection in JSONField KeyTransform

A vulnerability was discovered in the JSONField KeyTransform functionality of Django. The vulnerability allowed SQL injection attacks by crafting malicious user input for the .values method. The vulnerability was demonstrated in the Django test suite, where a SQL syntax error was triggered by...

CVSS 9.8 • AI score 7.1 • EPSS 0.00328
Exploits: 0

Hacker One
•added 2024/07/07 3:16 a.m.•5 views

inDrive: Change phone number OTP flaw leads to any phone number takeover

Vulnerability description not provided...

AI score 7.1
Exploits: 0

Hacker One
•added 2024/07/06 12:38 p.m.•85 views

U.S. Dept Of Defense: Email Takeover leads to permanent account deletion

The security vulnerability found allowed an attacker to change the email address of a victim's account, leading to the permanent deletion of the victim's account. The vulnerability was caused by improper authentication on the change email functionality...

AI score 7.3
Exploits: 0

Hacker One
•added 2024/07/06 9:57 a.m.•23 views

U.S. Dept Of Defense: Cross Site Scripting

The researchers discovered a cross-site scripting (XSS) vulnerability on the www.███.██████████ website. The vulnerability was found to only work in the Firefox browser. The affected product and version were not specified. No CVE numbers were provided. The vulnerability allowed for the execution of...

AI score 6
Exploits: 0

Hacker One
•added 2024/07/05 10:42 a.m.•3 views

Mars: Reflected HTML Injection via contact (faq) search parameter on ██████████

The report describes a reflected HTML injection vulnerability in the contact (faq) search parameter on the ██████████. A specific HTML payload entered into this parameter was reflected back in the response without proper sanitization, allowing for the execution of arbitrary HTML and potentially...

AI score 7.5
Exploits: 0

Hacker One
•added 2024/07/04 11:59 p.m.•111 views

Internet Bug Bounty: moderate: Apache HTTP Server proxy encoding problem (CVE-2024-38473)

Moderate: Apache HTTP Server proxy encoding problem (CVE-2024-38473). An encoding problem was discovered in mod_proxy in Apache HTTP Server versions 2.4.59 and earlier. This issue allowed request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via...

CVSS 8.1 • AI score 7.5 • EPSS 0.88359
Exploits: 1

Hacker One
•added 2024/07/04 6:22 p.m.•39 views

U.S. Dept Of Defense: IDOR : Modify other users demographic details

The IDOR vulnerability allowed a malicious user to modify other users' demographic details on the vulnerable domain www.█████████. The vulnerability was present in the /JOINOnline/Board/SubmitDoc endpoint, where the user ID parameter was not properly validated, allowing an attacker to update the...

AI score 6.8
Exploits: 0

Hacker One
•added 2024/07/04 5:47 p.m.•50 views

U.S. Dept Of Defense: IDOR leads to view other user Biographical details (Possible PII LEAK)

The researcher discovered an Insecure Direct Object Reference (IDOR) vulnerability in the www.██████████ domain. The vulnerability allowed a user to access other users' biographical details, leading to a potential Personally Identifiable Information (PII) leak. The vulnerable endpoints were located i...

AI score 6.9
Exploits: 0

Hacker One
•added 2024/07/04 5:06 p.m.•27 views

U.S. Dept Of Defense: Restrict any user from Login to their account

A security vulnerability was discovered where an attacker could change their email address to the victim's email, effectively restricting the victim from accessing their account. The vulnerability stemmed from improper authentication on the "Update Profile" functionality of the website...

AI score 7.3
Exploits: 0

Hacker One
•added 2024/07/04 4:34 p.m.•48 views

U.S. Dept Of Defense: IDOR leads to PII Leak

The vulnerability allowed the disclosure of other users' email addresses through Insecure Direct Object Reference (IDOR). A user could access other users' profile information by modifying the user ID in the URL...

AI score 6.7
Exploits: 0

Hacker One
•added 2024/07/04 1:09 p.m.•4 views

ProductBoard, Inc.: Insecure Invitation Link Handling

The invitation link handling process of satismeter.com was found to have a critical security vulnerability. The issue allowed unauthorized users to join an organization using invitation links sent to different email addresses, bypassing the email verification process. The vulnerability occurred...

AI score 7
Exploits: 0

Hacker One
•added 2024/07/04 6:47 a.m.•90 views

Internet Bug Bounty: CVE-2024-34750 Apache Tomcat DoS vulnerability in HTTP/2 connector

CVE-2024-34750: Apache Tomcat Denial of Service Vulnerability. A vulnerability was discovered in Apache Tomcat versions between 11.0.0-M1 and 11.0.0-M20, 10.1.0-M1 and 10.1.24, and 9.0.0-M1 and 9.0.89. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers...

CVSS 7.5 • AI score 7.7 • EPSS 0.21539
Exploits: 0

Hacker One
•added 2024/07/03 5:48 p.m.•6 views

MetaMask: Missing Line Terminator on allowedOrigins enables origin spoofing

The vulnerability identified by @pkkr was related to the Snaps allowedOrigins functionality, which allows Snap developers to control which origins can interact with certain Snap APIs. Due to a missing regex terminator, the origin control could be bypassed, enabling a malicious domain to access...

AI score 7
Exploits: 0

Hacker One
•added 2024/07/03 7:10 a.m.•69 views

Internet Bug Bounty: moderate: Apache HTTP Server: HTTP response splitting (CVE-2023-38709)

moderate: Apache HTTP Server: HTTP response splitting (CVE-2023-38709). Faulty input validation in the core of Apache allowed malicious or exploitable backend/content generators to split HTTP responses. This issue affected Apache HTTP Server through version 2.4.58...

CVSS 7.3 • AI score 7.2 • EPSS 0.04358
Exploits: 0

Hacker One
•added 2024/07/03 7:09 a.m.•74 views

Internet Bug Bounty: moderate: Apache HTTP Server: mod_rewrite proxy handler substitution (CVE-2024-39573) CWE-20 Improper Input Validation

moderate: Apache HTTP Server proxy encoding problem (CVE-2024-38473). An encoding problem was discovered in mod_proxy in Apache HTTP Server versions 2.4.59 and earlier. This issue allowed request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via...

CVSS 8.1 • AI score 7.5 • EPSS 0.88359
Exploits: 1

Hacker One
•added 2024/07/03 7:09 a.m.•55 views

Internet Bug Bounty: important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477)

important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477). A null pointer dereference vulnerability was discovered in mod_proxy in Apache HTTP Server versions 2.4.59 and earlier. This vulnerability allowed an attacker to crash the server ...

CVSS 7.5 • AI score 8.5 • EPSS 0.01924
Exploits: 0

Hacker One
•added 2024/07/03 7:09 a.m.•70 views

Internet Bug Bounty: important: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (CVE-2024-38476)

The Apache HTTP Server vulnerability CVE-2024-38476 was discovered in versions 2.4.0 through 2.4.59. The vulnerability allowed the use of exploitable or malicious backend application output to run local handlers via internal redirect. Users were recommended to upgrade to version 2.4.60, which fix...

CVSS 9.8 • AI score 8.6 • EPSS 0.04673
Exploits: 0

Hacker One
•added 2024/07/03 7:09 a.m.•113 views

Internet Bug Bounty: important: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. (CVE-2024-38475)

The Apache HTTP Server was found to have a vulnerability in mod_rewrite where improper escaping of output allowed attackers to map URLs to filesystem locations that were permitted to be served by the server but were not intentionally/directly reachable by any URL. This resulted in potential code...

CVSS 9.1 • AI score 9.1 • EPSS 0.93858
Exploits: 1

Hacker One
•added 2024/07/03 7:09 a.m.•91 views

Internet Bug Bounty: important: Apache HTTP Server on WIndows UNC SSRF (CVE-2024-38472)

The Apache HTTP Server on Windows contained an SSRF vulnerability (CVE-2024-38472) that allowed potential leakage of NTLM hashes to a malicious server. The vulnerability was reported through the official Apache HTTP Server security email on April 1, 2024 and was fixed in version 2.4.60 released on...

CVSS 7.5 • AI score 8.4 • EPSS 0.90555
Exploits: 1

Hacker One
•added 2024/07/03 7:00 a.m.•79 views

Internet Bug Bounty: important: Apache HTTP Server weakness with encoded question marks in backreferences (CVE-2024-38474)

The Apache HTTP Server versions 2.4.0 through 2.4.59 were affected by a substitution encoding issue in mod_rewrite that allowed attackers to execute scripts in directories permitted by the configuration, but not directly reachable by any URL, or disclose the source of scripts meant to be executed ...

CVSS 9.8 • AI score 9.7 • EPSS 0.01022
Exploits: 0

Hacker One
•added 2024/07/02 7:17 a.m.•12 views

Internet Bug Bounty: ReDoS Vulnerability in HTTP Accept Headers Parsing

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Rack::Request::Helpers module when parsing HTTP Accept headers. The vulnerability was caused by a lack of fix in the Rack v3.1 release series until v3.1.5...

CVSS 6.5 • AI score 6.6 • EPSS 0.00833
Exploits: 0

Total number of security vulnerabilities: 15267