
15290 matches found

Hacker One
added 2017/09/13 7:51 p.m., 33 views

Cuvva: Insecure Direct Object Reference (IDOR) Allowing me to claim other user's photos (driving license and selfies) as mine

We weren't properly validating the photo fields on customer profiles. Although this couldn't lead to information disclosure or privacy issues, it would have caused various issues with our internal ops systems. Thanks again for another clear and helpful report!...

AI score: 6.5
Exploits: 0

Hacker One
added 2017/09/13 4:26 p.m., 35 views

Tor: Uncloaking hidden services and hidden service users

I believe I am currently seeing an effective attack that decloaks hidden services and their users. Background: Following some denial-of-service attacks, I modified my tor code to display every rendezvous site. E.g., in or/rendservice.c, I added: Function rendservicereceiveintroduction...

AI score: 6.8
Exploits: 0

Hacker One
added 2017/09/13 8:43 a.m., 39 views

Tor: SQL query disclosure

Hi, path:- https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=mergeready&status=needsinformation&status=needsreview&status=needsrevision&status=new&status=reopened&component=- Select a...

Exploits: 0

Hacker One
added 2017/09/13 12:34 a.m., 34 views

delight.im: Logout CSRF

Hello, I found a Cross-Site Request Forgery (CSRF) on logout. PoC: "https://www.moviecontentfilter.com/logout" Reproduction: 1. Log in to your account 2. Open the link "https://www.moviecontentfilter.com/logout"...

AI score: 0.2
Exploits: 0

Hacker One
added 2017/09/13 12:29 a.m., 24 views

delight.im: Add movie or series CSRF

Hello, I found a Cross-Site Request Forgery (CSRF) while adding a new movie or series. Reproduction: - Log in as any user. - Add Name, YEAR and STRING for the movie in the PoC...

AI score: 1.5
Exploits: 0

Hacker One
added 2017/09/12 3:45 p.m., 37 views

Mail.ru: Stored XSS and html injection in biz.mail.ru

Domain, site, application: biz.mail.ru. Testing environment: latest Chrome. Steps to reproduce: 1. go to biz.mail.ru, log in 2. go to "My company" 3. create a department named as "alert 4. add an employee in that department 5. create a new subdepartment 6. add the employee from step 4 to our subdepartment...

AI score: 6.8
Exploits: 0

Hacker One
added 2017/09/12 3:37 p.m., 37 views

New Relic: Users can enable API access for free via mass assignment

Free tier users aren't allowed API access, but it's possible to bypass this restriction thanks to a mass assignment bug. To replicate this, first verify that you don't already have API access by visiting: Account Settings - API Explorer - Create an API Key. You should see the message "This feature...

AI score: 2.7
Exploits: 0

Hacker One
added 2017/09/11 10:50 p.m., 19 views

Pornhub: Possibility to insert stored XSS inside <img> tag

Researcher was able to temporarily (due to cache) store XSS in areas where a given video is displayed, via the thumbnail selection feature...

AI score: 6.2
Exploits: 0

Hacker One
added 2017/09/11 9:47 p.m., 12 views

New Relic: [NR Synthetics] (IDOR) Ability to see full name associated with other New Relic accounts through workaround of #255894

Did you think I had fallen off the earth? Fear not - for I have returned. In 255894 you fixed the issue where a person could mass-harvest names of other New Relic users through the user management section. A fix was quickly pushed for this, but now I've found a workaround. I'm reporting this on th...

AI score: 6.9
Exploits: 0

Hacker One
added 2017/09/11 4:42 p.m., 11 views

Shopify: Stored XSS through Facebook Page Connection

The following URL https://kitcrm.com/users/122686/connections displays options to connect our several social networking accounts to kitcrm. Once I connect my Facebook account, the Facebook section in the above link will list all my Facebook pages and will give me an option to select a business...

AI score: 1
Exploits: 0

Hacker One
added 2017/09/11 4:06 p.m., 23 views

Radancy: Weak password

It takes ash123456789123456789 as a password, which is not secure. It can be cracked using dictionary, brute force etc. attacks. Impact: If password complexity is not enforced, people may tend to put an easily guessable password which may be exploitable for a malicious user. Solution - To make it more...

AI score: 7
Exploits: 0

Hacker One
added 2017/09/11 10:06 a.m., 29 views

OLX: XSS in OLX.pl ("title" in new advertisement)

Hello, I found an XSS vulnerability in "new advertisement" on OLX.pl. Steps to reproduce: 1. Go to https://www.olx.pl/nowe-ogloszenie/ 2. Put this payload "" in the "add-title" element 3. Complete all data in this form and click Next 4. On the next page we can see the executed XSS. Regards, 4rch...

AI score: 0.1
Exploits: 0

Hacker One
added 2017/09/10 4:20 p.m., 27 views

Legal Robot: Autocomplete feature

A security researcher discovered that several password fields did not contain the Autocomplete attribute. Thanks to @gujjuboy10x00 for pointing this out!...

AI score: 2.5
Exploits: 0

Hacker One
added 2017/09/09 4:40 p.m., 113 views

Gratipay: Information Disclosure on inside.gratipay.com

Hello @gratipay, By checking request headers I've been able to identify that inside.gratipay.com is running on Server: WSGIServer/0.1 Python/2.7.11. Request: https://inside.gratipay.com/assets/inside-gratipay.svg GET /assets/inside-gratipay.svg HTTP/1.1 Host: inside.gratipay.com User-Agent:...

AI score: 0.9
Exploits: 0

Hacker One
added 2017/09/09 4:35 p.m., 121 views

Gratipay: 400 Bad Request [Use a third-party provider to sign in or create an account on Gratipay]

Hi team, I cannot log in or sign up with third-party social media like Facebook, Google, Twitter... I checked one of them and it shows me the error message 400 Bad Request. Please fix soon...

AI score: 1.8
Exploits: 0

Hacker One
added 2017/09/09 4:02 p.m., 17 views

Informatica: Reflected XSS

Researcher has found Reflected XSS on one of Informatica's domains, and it was resolved by migration of the web application...

AI score: 1.9
Exploits: 0

Hacker One
added 2017/09/09 1:44 p.m., 127 views

Gratipay: clickjacking on https://gratipay.com/on/npm/[text]

Hi team, I found a clickjacking URL on https://gratipay.com/on/npm/here. This clickjacking must be 3 characters and must be 5 numbers entered at the endpoint of the URL. Please fix soon. https://gratipay.com/on/npm/text. Steps to reproduce: 1 - go to https://gratipay.com/on/npm/text 2 - check name or number...

AI score: 0.2
Exploits: 0

Hacker One
added 2017/09/09 12:05 p.m., 52 views

Shopify: stored xss in invited team member via email parameter

Hey there, while testing your program I found a stored XSS vulnerability which can be placed by owners or other staff members who have the ability to manage members, and it will be triggered by visiting the invited team member page, e.g. https://partners.shopify.com/642416/invitations/15406. Reproduction Steps 1...

AI score: 6.1
Exploits: 0

Hacker One
added 2017/09/09 10:07 a.m., 197 views

Pornhub: Unsecured Elasticsearch Instance

The researcher has found an insecure Elasticsearch instance accessible to the public. A publicly accessible server running an Elasticsearch instance was identified, due to a firewall misconfiguration. The instance was only intermittently accessible because of round robin ordering. The instance...

AI score: 0.4
Exploits: 0

Hacker One
added 2017/09/08 8:10 p.m., 16 views

WordPress: Clickjacking irclogs.wordpress.org

Hello! @wordpress security team, I'm Md Sameull Soykot @sameull. Recently I have tested all your sub-domains and found a domain which is vulnerable to clickjacking. I have attached my video PoC for details. Hope you will fix this issue as soon as possible. Reference:...

AI score: 0.2
Exploits: 0

Hacker One
added 2017/09/08 5:45 a.m., 34 views

GitLab: Impersonation attack via Broken Link in Resellers Page

Summary: A link on https://about.gitlab.com/resellers/ was broken and could've allowed a user to impersonate a reseller and attack / scam your customers. Proof of Concept: 1. Visit https://about.gitlab.com/resellers/ 2. Hit Ctrl+F and find "intenso" F219301 3. Now click the Facebook link and you'll...

AI score: 0.8
Exploits: 0

Hacker One
added 2017/09/07 5:14 p.m., 16 views

Informatica: [marketplace.informatica.com]-Reflected XSS

The researcher has identified and reported a Reflected XSS on an Informatica website and helped us in resolving the issue...

AI score: 6.3
Exploits: 0

Hacker One
added 2017/09/07 2:56 p.m., 21 views

Grab: Access Grab_Road BigData Database via Open Presto coordinator

A publicly accessible analytics database instance was identified, due to a firewall misconfiguration. The instance contained booking related information but did not contain any passenger or driver personal information. This vulnerability was discovered using the Shodan search engine by Vinoth Kumar...

AI score: 6.6
Exploits: 0

Hacker One
added 2017/09/07 1:42 p.m., 20 views

Razer US: Unauthenticated DOM-based XSS in zvault.razerzone.com via the redir parameter.

Summary: zvault.razerzone.com is vulnerable to DOM-based XSS via the redir parameter. F219081 F219082 Affected Code (js): `var redirectUrl = getUrlParameter('redir'); if (isCrossOriginFrame()) window.location.href = redirectUrl; else window.parent.location.href = redirectUrl;` Browsers Verified In...

AI score: 6.3
Exploits: 0

Hacker One
added 2017/09/07 1:19 p.m., 16 views

Razer US: Unauthenticated DOM-based XSS in pay.zvault.razerzone.com via the redir parameter.

Summary: pay.zvault.razerzone.com is vulnerable to DOM-based XSS via the redir parameter. F219069 F219070 Affected Code (js): `var redirectUrl = getUrlParameter('redir') // window.location.href; //alert(redirectUrl); if (isCrossOriginFrame()) window.location.href = redirectUrl; else...`

AI score: 6.2
Exploits: 0

Hacker One
added 2017/09/07 10:03 a.m., 34 views

Razer US: Authenticated DOM-based XSS in deals.razerzone.com via the rurl parameter.

The tester discovered the deals.razerzone.com website was vulnerable to open redirect via the rurl parameter, e.g. https://deals.razerzone.com/user/ssologin?rurl=, and that the parameter was also vulnerable to DOM-based XSS. Also, the initial fix for this was a little too specific and edio was able to...

AI score: 6.9
Exploits: 0

Hacker One
added 2017/09/06 8:31 p.m., 32 views

Quora: IDNs displayed in unicode

Hello Quora, Please refer to https://en.wikipedia.org/wiki/Internationalizeddomainname to know more about IDNs. The IDN (Internationalized Domain Name) http://ebаy.com/ is a homograph for the Latin ebay.com. If you click that first link, you might think that you are going to ebay.com but in fact, yo...

AI score: 6.8
Exploits: 0

Hacker One
added 2017/09/06 8:09 p.m., 28 views

GSA Bounty: [api.data.gov] Leak Valid API Without Verification

Description: Remote attackers are able to retrieve a valid working API key via a random generation process without secure parsing, a secure channel, human verification, etc. The current process for requesting any API key is via a signup form, and a message with the API delivered privately to the user,...

AI score: 7
Exploits: 0

Hacker One
added 2017/09/06 5:25 p.m., 14 views

Razer US: Open redirect in razer-id.razerzone.com via the redirect parameter.

Summary: razer-id.razerzone.com is vulnerable to open redirects via the redirect parameter. Browsers Verified In: Google Chrome 60.0.3112.113 (Official Build) (64-bit), Mozilla Firefox 55.0.2 (64-bit). PoC: The following URL will redirect your users to https://google.com...

AI score: 6.7
Exploits: 0

Hacker One
added 2017/09/06 3:49 p.m., 21 views

Razer US: 2 Subdomain takeovers

Two domains no longer in use under .razerzone.com were left pointing to Cloudfront servers that were no longer active. The DNS entries were cleared. We appreciate the report and look forward to working with the researcher in the future...

AI score: 6.9
Exploits: 0

Hacker One
added 2017/09/06 11:45 a.m., 43 views

Coinbase: New Device Confirmation Bug

Device auto-confirmation appeared to be an issue, but was intended functionality...

AI score: 6.9
Exploits: 0

Hacker One
added 2017/09/05 5:21 p.m., 25 views

Khan Academy: Possible to join any class without coach's knowledge & Little Information Disclosure

Students could join a class using only a 6-character class code. We have increased the codes to 8 characters to make them a bit harder to guess and provide a better balance between security and usability. /...

AI score: 2.1
Exploits: 0

Hacker One
added 2017/09/05 4:06 p.m., 24 views

VK.com: Stored XSS in a VK group

Insufficient filtering in the application removal box. Stored XSS in a VK group application...

AI score: 6.3
Exploits: 0

Hacker One
added 2017/09/05 1:23 p.m., 23 views

Legal Robot: Add arbitrary value in reset password cookie

I recently discovered that we can add an arbitrary value in the reset password token and compromise the lifetime unlimitedly. After opening a reset password link I got these cookies ... for token expires timeout. "domain": ".app.legalrobot.com", "expirationDate": 1504618468.82726, "hostOnly": false,...

AI score: 6.9
Exploits: 0

Hacker One
added 2017/09/05 12:02 p.m., 23 views

Legal Robot: Logic issue in email change process

A security researcher discovered that during the email change process, the new account was not properly validated before making it available for login. As a result of this report, Legal Robot checks that both the current address confirms the change and the new address is verified before proceedin...

AI score: 1.1
Exploits: 0

Hacker One
added 2017/09/05 9:45 a.m., 46 views

Weblate: Add another email address without verification

Introduction: In the normal case, to link another email address to the Weblate account, users need to own the email address and click the verification link. However, I found an issue that allows adding another email address without clicking on the verification link. Description and PoC: Create a...

AI score: 1.3
Exploits: 0

Hacker One
added 2017/09/05 7:03 a.m., 104 views

Snapchat: Stealing SSO Login Tokens (snappublisher.snapchat.com)

Description: Attacker can steal SSO login tokens for snappublisher.snapchat.com by chaining different flaws in SSO and Snapchat's Snappublisher tool. Detailed attack flow is as follows. Attack Flow: 1. Snapchat fetches an SSO LOGIN TOKEN from accounts.snapchat.com to log in to different products o...

AI score: 7.2
Exploits: 0

Hacker One
added 2017/09/05 5:29 a.m., 23 views

Legal Robot: Logic issue in email change process

Same issue as 266017, however due to a clerical error, report 266017 was processed first, awarded a bounty, and closed as Resolved. It is therefore only fair to award the same bounty to @gujjuboy10x00 and close this report as Resolved. @gujjuboy10x00, we apologize for the error and have awarded a...

AI score: 6.9
Exploits: 0

Hacker One
added 2017/09/05 5:18 a.m., 11 views

Legal Robot: No notification of change email feature

A security researcher suggested that we add a notification when a user changes their email - thanks @gujjuboy10x00! Thanks @danrubins for the quick response and adding the new feature. As discussed with @danrubins, they just wanted to add some security features and security best practices, so I suggest...

AI score: 6.8
Exploits: 0

Hacker One
added 2017/09/04 6:46 p.m., 12 views

Legal Robot: Wrong password validation message

Hello, Your password validation message seems to contradict the server side validation of the password field during new account sign up at https://app.legalrobot.com/sign-in. When you start typing in the password field, it says Passwords must be more than 8 characters, but when you type more th...

AI score: 0.5
Exploits: 0

Hacker One
added 2017/09/04 1:07 p.m., 13 views

Mail.ru: Monitor

Hello, I discovered a GWT Monitor at http://185.5.139.198:8086/index.html. Whois says it is yours: inetnum: 185.5.138.0 - 185.5.139.255 netname: MAILRU-SRV-15 descr: Mail.Ru country: RU admin-c: MAIL-RU tech-c: MAIL-RU status: ASSIGNED PA mnt-by: MNT-NETBRIDGE created: 2012-10-11T14:40:11Z last-modified:...

AI score: 6.9
Exploits: 0

Hacker One
added 2017/09/04 12:49 p.m., 43 views

Legal Robot: Password reset token issue

Hi Team, Steps to Repro: Request a password reset link. Go to email and click on the password reset link https://app.legalrobot.com/password-reset/token?v=gHonjdcdLTpmax2pHSXtaRlQrs2eHpTl7TXUpMfjjh Now remove the token and use the link https://app.legalrobot.com/password-reset/ Observe that you are able to...

AI score: 7
Exploits: 0

Hacker One
added 2017/09/04 12:02 p.m., 39 views

Legal Robot: Password reset token issue

Summary: Can still change password without token. Steps to Reproduce: - Request a password reset link. - Go to email and click on the password reset link https://app.legalrobot.com/password-reset/token?v=uWeyFJS0-N9fIk0nG0b0NZ70lkwNNi7RdUZu0KhiaX - Now remove the token and use the link...

AI score: 7.3
Exploits: 0

Hacker One
added 2017/09/04 9:35 a.m., 67 views

Legal Robot: Bypass email verification when registering a new account

Hi Legalrobot, I have found a way to ignore "Activate your account" in my mailbox. Here is my new account: [email protected] and the activation link: https://app.legalrobot-uat.com/email-verify?v=1Y5wiWwcvGcxznjlUsO-TuyEZgFpVbxMmQdfpEKrVTp I never clicked on that link and I can still log in at...

AI score: 0.5
Exploits: 0

Hacker One
added 2017/09/04 7:53 a.m., 46 views

Radancy: [Cross Domain Referrer Leakage] Password Reset Token Leaking to Third party Sites.

Domain and URL: https://werkenbijdefensie.nl Summary: Password Reset Token Leaking to Third-party Sites from the link in the footer. Description: Hello, I found that if a user requests a password reset link and opens it but doesn't change the password and clicks on the third-party sites link...

AI score: 6.8
Exploits: 0

Hacker One
added 2017/09/04 3:22 a.m., 9 views

Tor: [rt.torproject.org] No Rate Limiting on Login Form

Vulnerability description not provided...

AI score: 7.1
Exploits: 0

Hacker One
added 2017/09/04 1:17 a.m., 19 views

Ubiquiti Inc.: Security: Publicly accessible x.509 Public and Private Key of Ubiquiti Networks.

The researcher found two unused files in the airOS firmware. These files were not used by any process and did not create any security threat, but it was decided to remove them to free some device memory...

AI score: 7
Exploits: 0

Hacker One
added 2017/09/03 11:00 p.m., 19 views

GitLab: Gitlab is vulnerable to impersonation attacks due to broken links

Good afternoon team, Vulnerability: There are a lot of possible attacks that can be carried out with broken external links, as noted in this GitHub post by edoverflow: https://gist.github.com/EdOverflow/24e0bb929169eb948bb7f3d0a2d5528f. In this particular example I'm impersonating Ricardo who...

AI score: 1.2
Exploits: 0

Hacker One
added 2017/09/03 10:29 a.m., 68 views

Legal Robot: No alert in verify email address with wrong input

Hello team @legalrobot, In your verify email address section, I got something different. In that section, if I click on the "Resend verification email" option and look at the request, there is a parameter named email. So when I input something in that parameter it shows me done on output. I have shown all i...

AI score: 1.2
Exploits: 0

Hacker One
added 2017/09/02 6:21 p.m., 28 views

GSA Bounty: Reflected XSS on the data.gov (WAF bypass+ Chrome XSS Auditor bypass+ works in all browsers)

Description: Hello. I discovered a Cross-Site Scripting issue on the https://www.data.gov/local/ endpoint. The issue can be site-wide, and exploitable in any place where pagination exists. The Impact and Severity: I assigned the High severity, because unlike the last 263226 report that XSS was...

AI score: 0.2
Exploits: 0

Total number of security vulnerabilities: 15290