TikTok: DOM XSS in tiktok.com/login via the redirect_url parameter
A DOM cross-site scripting (XSS) vulnerability was found in the redirect_url parameter on the tiktok.com/login page. The vulnerability was reported and confirmed to be resolved...
Informatica: No rate limiting on form[register]
The vulnerability overview is as follows: There was a lack of rate limiting on the form[register] endpoint, allowing an attacker to send a large number of requests to the server in rapid succession without any restrictions. This could potentially have led to accelerated service usage and resource...
HackerOne: Private data related to program exposed via /reports/<id>.json endpoint to external user participant
Vulnerability description not provided...
Rocket.Chat: NoSQL injection leaks visitor token and livechat messages
The Rocket.Chat application was affected by two NoSQL injection vulnerabilities. The first vulnerability allowed leaking visitor tokens by exploiting the livechat:loginByToken method, while the second vulnerability enabled leaking livechat messages by exploiting the livechat:loadHistory method...
GitHub: SAML Signature verification bypass allows logging into any user (with specific conditions)
The vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response and gain unauthorized access to the instance, including site administrator privileges, by exploiting a signature verification bypass. The vulnerability affected all versions of...
Mars: Reflected HTML Injection via contact (faq) search parameter on ███]=
The reflected HTML injection vulnerability was identified in the search parameter of the contact FAQ page on ███████. The vulnerability allowed for the injection and execution of arbitrary HTML and script code in the context of other users' web browsers. The issue was demonstrated through the...
Node.js: Worker permission bypass via InternalWorker leak in diagnostics
The vulnerability allowed for a worker permission bypass through a diagnostics_channel leak that exposed internal workers, enabling the retrieval of their constructor for malicious usage. This affected Permission Model users on Node.js versions 20, 22, and 23...
HackerOne: Hackers can Invite Collaborators Without 2FA on Programs Requiring 2FA
Vulnerability description not provided...
U.S. Dept Of Defense: XML External Entity (XXE) Injection
The vulnerability is an XML external entity (XXE) injection flaw. XXE vulnerabilities occur when an application parses XML input that contains a reference to an external entity. When the XML parser is improperly configured to process external entities, it can lead to unauthorized access to sensitiv...
HackerOne: Business Logic error leads to bypass 2FA requirement
Vulnerability description not provided...
HackerOne: Reports submitted by a non 2fa setupped user account can be transferred to a 2fa require submission program
Vulnerability description not provided...
Smule: Possible Subdomain Takeover For Inbound Emails
The affected URL email.smule.com pointed to sendgrid.net via a DNS CNAME record. As a result, a subdomain takeover was possible by registering the subdomain email.smule.com on Sendgrid...
U.S. Dept Of Defense: XML E██████ternal Entity (XXE) Injection in ███
The vulnerability described in CVE-2022-2414 was an XML External Entity (XXE) injection flaw. XXE vulnerabilities occur when an application improperly processes XML input containing references to external entities. This allowed access to arbitrary files on the server...
curl: NULL dereference when encoding DN of x509 certificate
Vulnerability description not provided...
curl: CVE-2024-6197: freeing stack buffer in utf8asn1str
The libcurl library at commit 04739054cdac5a0614fb94e3655e313c03399f35 contained an invalid invocation of the free function in the utf8asn1str function. The buffer being freed was located on the stack, which posed a security risk as the freed address could have been later returned by malloc calls...
Rootstock Labs: Crafted smart contract can take ~23 seconds to execute due to immense error string construction
The crafted smart contract can take approximately 23 seconds to execute due to the immense error string construction. The vulnerability was caused by the native contract's implementation, which constructed the entirety of the input message as a hex string for logging and throwing an exception. Th...
U.S. Dept Of Defense: █████████ (Android): Vulnerable to Javascript Injection and Open redirect
A vulnerability was discovered in the WebView components of two apps, ████ and ██████████, which allowed an attacker to execute JavaScript and open any URL through a link or a malicious app. The root cause of this issue was that certain activities were exported and set as browsable, exposing them...
HackerOne: Domain highlighting on External link warning is not working on Chrome & Microsoft Edge browsers on Mobile
The domain highlighting functionality on the External Link Warning interstitial page was not working as intended on the Chrome and Microsoft Edge mobile browsers. The issue was reported to have been previously fixed by HackerOne, but it appears to have resurfaced. The vulnerability could have...
Nextcloud: External storage - global credentials returned to the client side in plaintext
The security advisory reported that external storage credentials were returned to the client side in plaintext...
U.S. Dept Of Defense: HTML Injection into https://www.██████.mil
HTML Injection vulnerability was identified on the website www.██████.mil. The vulnerability allowed attackers to inject malicious HTML code, which could have compromised the security and integrity of the website. Input validation and output encoding were recommended as mitigations to prevent suc...
Basecamp: Path traversal in deeplink query parameter can expose any user's private info to a public directory (one click)
The Basecamp mobile application was found to be vulnerable to a path traversal issue. By crafting a malicious deeplink with a specific "filename" parameter, an attacker could force the application to save user data to any directory on the device, including locations accessible to other applicatio...
Basecamp: Navgraph confusion allows any 3p app to send and read requests from the server at app.hey.com
The vulnerability in the Navgraph system allowed any third-party app to send and read requests from the server at app.hey.com...
U.S. Dept Of Defense: Subdomain takeover ██████
The subdomain █████ was found to be pointing to open-elb-prod-277276106.us-east-1.elb-amazonaws.com., and the domain elb-amazonaws.com was available for registration. This vulnerability could have been exploited to host unwanted content, receive email, and potentially execute cross-site scripting...
HackerOne: Private draft report exposure in a program a user is added as a viewer to
A vulnerability was identified where adding a user as a program viewer caused them to be subscribed to draft reports within that program. This subscription resulted in the program viewer receiving notifications for every comment posted on a draft report. The vulnerability led to the exposure of...
curl: Denial of Service in curl Request - HTTP headers eat all memory
Vulnerability description not provided...
curl: Incorrect Encoding Conversion in hostname results in indeterminate SSRF vulnerabilities
Vulnerability description not provided...
Shopify: Exposure of shopify employee summit page allows anonymous user to place orders for free books
Vulnerability description not provided...
curl: Unicode-to-ASCII conversion on Windows can lead to argument injection and more
Vulnerability description not provided...
Rocket.Chat: The initial E2EE password generated by Rocket.Chat mobile can be recovered in a practical timescale.
The initial E2EE password generated by Rocket.Chat mobile prior to version 4.5.1 was found to have insufficient entropy, allowing it to be recovered in a practical timescale by an attacker...
Enjin: Cloudflare /cdn-cgi/ path allows resizing images from unauthorised sources on enjinusercontent.com
The Cloudflare /cdn-cgi/ path on enjinusercontent.com was discovered to allow resizing and rendering of images from unauthorized sources without restriction. This behavior could have led to HTML injection, SSRF, and portal scanning attacks, as well as the unrestricted display of external resource...
Mozilla: Subdomain takeover on one of the subdomains under mozaws.net
Subdomain takeover was discovered on a subdomain under mozaws.net due to a dangling DNS record. The dangling record was registered by researchers, allowing them to host content under the affected subdomain...
HackerOne: Bypassing Two-Factor Authentication via Account Deactivation and Password Reset
Vulnerability description not provided...
Internet Bug Bounty: [CVE-2024-32464] ActionText ContentAttachment’s can Contain Unsanitized HTML
CVE-2024-32464: ActionText ContentAttachment's can contain unsanitized HTML. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag were discovered to potentially contain unsanitized HTML. This vulnerability was assigned the CVE identifier CVE-2024-32464. Versions...
MTN Group: FULL ACCOUNT TAKEOVER
The self-service portal at https://mymtn.com.ng/ allowed an attacker to take over any Nigerian MTN phone number. The attacker was able to access the account holder's personal information, such as date of birth and full name. The attacker also had the ability to use any available airtime on the...
pixiv: Disclose Hidden Comments on Media Section of hub.vroid.com
A vulnerability was discovered in the Media section of the website where hidden comments could be disclosed. By intercepting a request to like a specific comment, the attacker was able to retrieve the content of the hidden comment, which should have only been visible to the original poster...
Mattermost: Posts sent via websockets aren't sanitized properly
The posts sent via websockets in the Mattermost application were not properly sanitized, allowing attackers to inject malicious content. The vulnerability enabled the creation of customized permalink embeds and YouTube embeds with arbitrary content, which could lead to denial-of-service issues an...
Automattic: Authentication & Registration Bypass in Newspack Extended Access
The Newspack Extended Access plugin failed to verify the JWT signature on the registration and login JSON endpoint. This permitted registration of accounts with arbitrary user-supplied details, and authentication bypass and account hijack if a target account email was known...
LinkedIn: Can see phone numbers of others by providing mail address
The vulnerability allowed an attacker to view a user's phone number by abusing the password reset functionality. The phone number was exposed in the input field after verifying the user's email address...
Ionity GmbH: HTML injection in swagger UI
A vulnerability was discovered in the Swagger UI that allowed for HTML injection. This vulnerability existed because the application failed to properly sanitize user-supplied input before rendering it in the HTML context. An attacker could have exploited this issue to execute arbitrary scripts in...
HackerOne: [ Spot Check ] Team members can edit a user's write-up
Team members could edit a user's spot check write-up. The write-up could be modified through a GraphQL request, even though there was no option to edit the write-up in the user interface. This was considered unintended functionality, as HackerOne had previously fixed vulnerabilities where team...
HackerOne: Improper Authentication - 2FA OTP Reusable
Vulnerability description not provided...
HackerOne: 2FA requirement bypass when claiming bounty
Vulnerability description not provided...
GitLab: IDOR Exposes All Machine Learning Models
The vulnerability allows an attacker to access any Machine Learning Model Registry in GitLab, including private models, by guessing the incremental model IDs. The attacker can also access different versions of the models. This vulnerability was present in GitLab versions 15.11 and 16.2...
Internet Bug Bounty: CVE-2024-31079 in nginx
CVE-2024-31079 was discovered in the NGINX HTTP/3 QUIC module. When NGINX Plus or NGINX OSS were configured to use this module, undisclosed HTTP/3 requests could cause NGINX worker processes to terminate or experience other potential impact. The vulnerability was classified as a stack-based buffe...
Internet Bug Bounty: CVE-2024-32760 in nginx
CVE-2024-32760 was discovered in the HTTP/3 QUIC module of NGINX Plus and NGINX OSS. When the module was configured, undisclosed HTTP/3 encoder instructions could cause NGINX worker processes to terminate or experience other potential impact...
Internet Bug Bounty: CVE-2024-35200 in nginx
CVE-2024-35200 was discovered in NGINX Plus and NGINX OSS when configured to use the HTTP/3 QUIC module. Undisclosed HTTP/3 requests were found to cause NGINX worker processes to terminate...
HackerOne: [Spot Check] - Ability to disclose metadata about Spot Checks (Number of Hackers + Hackers Criteria) via "SpotCheckSingleQuery"
A vulnerability was discovered that allowed hackers to disclose private metadata about Spot Checks, including the number of hackers and the selection criteria. The vulnerability was triggered by navigating to a specific URL and accessing the "SpotCheckSingleQuery" parameter, which returned this...
WakaTime: IDOR to view order information of users and personal information
Vulnerability description not provided...
RATELIMITED: Subdomain takeover in GitLab Pages [george.ratelimited.me]
A subdomain takeover vulnerability was discovered in GitLab Pages. Subdomains could be taken over without verification of domain ownership. The vulnerability allowed an attacker to gain control of the subdomain...
GitLab: Subdomain takeover in Gitlab pages
The vulnerability allowed an attacker to take over a dangling custom domain pointing to GitLab Pages using "instanceX.gitlab.io". The problem arose when adding a custom domain to GitLab Pages without verifying the domain, as it would still serve content for 7 days before being disabled...