Basecamp: Stored XSS on trix editor version 2.1.1
The Trix editor version 2.1.1 was vulnerable to stored cross-site scripting (XSS) attacks. The vulnerability was caused by improper sanitization of content pasted into the editor, allowing an attacker to embed malicious scripts that were executed within the context of the application...
U.S. Dept Of Defense: Self XSS
A self-XSS vulnerability was discovered in the search function at "https://█████████/ords/f?p=1001:2::::::" where a normal XSS payload could be injected and executed...
Internet Bug Bounty: Possible XSS Vulnerability in Action Controller
There was a possible XSS vulnerability when using the translation helpers translate, t, etc., in Action Controller. The vulnerability was assigned the CVE identifier CVE-2024-26143. Affected versions were 7.0.0 and above. The issue was fixed in versions 7.1.3.1 and 7.0.8.1...
Internet Bug Bounty: Possible DoS Vulnerability with Range Header in Rack
A potential denial-of-service vulnerability was discovered in the Rack web server interface for Ruby. The vulnerability was assigned the CVE identifier CVE-2024-26141 and affected versions of Rack 1.3.0 and later. The vulnerability was caused by carefully crafted Range request headers, which coul...
U.S. Dept Of Defense: CVE-2023-26347 in https://████.mil/hax/..CFIDE/adminapi/administrator.cfc?method=getBuildNumber&_cfclient=true
CVE-2023-26347 was discovered in Adobe ColdFusion versions 2023.5 and earlier and 2021.11 and earlier. The vulnerability was an Improper Access Control issue that could result in a security feature bypass. Unauthenticated access was possible to the administration CFM and CFC endpoints...
Basecamp: Account takeover via insecure intent handling
The Basecamp app was vulnerable to account takeover due to insecure intent handling. A malicious app installed on the same device could obtain the user's OAuth2 token and take over their account...
HackerOne: Access Control Vulnerability Enabling Unauthorized Access to Limited Disclosure Reports
The vulnerability allowed an unauthorized user to close a report as a duplicate of another report from a different program or organization. The root cause was an improper access control check that did not account for limited disclosure reports or the original report being in the same organization...
Glassdoor: Cross-Site Leakage of Review Ownership via Navigation Detection
A vulnerability allowed detection of user login status by exploiting differences in Cross-Origin-Opener-Policy (COOP) headers between authenticated and unauthenticated states on the website. The issue was addressed by implementing consistent COOP headers across all domains...
Tools for Humanity: [Meetup][World ID][OIDC] Insufficient Filtering of "state" Parameter in Response Mode form_post leads to XSS and ATO
A lack of proper validation in the state parameter of the World ID OIDC authentication logic allowed the injection of HTML characters into the response body when using form_post as the OIDC response mode. This vulnerability was mitigated by the Content Security Policy (CSP)...
Mozilla: csrftoken not unique to session or specific user and csrfmiddlewaretoken can be altered
The CSRF token used in the application was not unique to the session or specific user, allowing an attacker to use a valid CSRF token obtained from another user to perform unauthorized actions on behalf of that user...
HackerOne: Program Member Could Duplicate Report To A Non Related Program Original Report
The vulnerability allowed a program member to duplicate a report to a report that was not related to the original program. This could lead to integrity issues, as the duplicate report should only be from reports within the original program...
U.S. Dept Of Defense: Out-Of-Bounds Memory Read on ███
Vulnerability description not provided...
Nextcloud: Mail auto configurator can be tricked into sending account information to wrong servers
The mail auto configurator was vulnerable to being tricked into sending account information to unintended servers...
Booking.com: Default Admin Account leads to full access control at https://desk-demo.fareharbor.engineering
1. Log in to the application at https://desk-demo.fareharbor.engineering/login with [email protected], password: test (F3271060). 2. Realizing that the login is successful, the attacker can use all functions in the application (F3271059). Impact: the attacker can use all admin functions...
GitHub: Information Leakage via Clicked Link in GitHub Repository (Fingerprinting)
A vulnerability was identified in GitHub Enterprise Server that allowed an attacker to retrieve metadata information of a user who clicks on an uploaded malicious asset URL. The vulnerability affected all versions prior to 3.14 and was fixed in later versions...
inDrive: Reflected XSS of media.indrive.com
Vulnerability description not provided...
IBM: IBM OpenPages vulnerable to exposure of sensitive information
The IBM OpenPages vulnerability that exposed sensitive information was reported, analyzed, and remediated. The vulnerability was discovered by an external researcher...
HackerOne: Bypassing the victim's phone number OTP in the account recovery process on the https://hackerone.com/settings/auth/setup_account_recovery
Vulnerability description not provided...
Brave Software: Brave Android: Incorrect URL Eliding in Brave Shields Pop Up
A vulnerability was discovered in the Brave Android browser where the URL was not properly elided from the front when displayed in the Brave Shields pop-up. This could have led to URL confusion or spoofing for users. The issue was not present in the desktop version of Brave...
GitHub: Access body and title of Internal Repo Issues in Projects
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed read access to issue content via GitHub Projects. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and...
U.S. Dept Of Defense: Subdomain takeover ████████.mil
The subdomain ██████.mil was found to be pointing to a domain that is currently available for registration. This indicates a potential subdomain takeover vulnerability. The domain ████ was found to be unregistered and could have been used by an attacker to host unwanted or malicious content under...
GitLab: DOS: taking down a 1k users Gitlab EE instance or multiple Sidekiq instances by importing a malicious repo from a Github EE self-hosted server
The report described a vulnerability in GitLab where an attacker could cause a denial of service by importing a malicious payload via the GitHub importer functionality...
IBM: S3 Bucket Takeover on apptio endpoint
The S3 bucket takeover vulnerability on the Apptio endpoint was reported, analyzed, and remediated. The external researcher who discovered the issue was thanked...
Nextcloud: Invisible Salamanders Attack against end_to_end_encryption in Nextcloud
Vulnerability description not provided...
MercadoLibre: Sale cancellations from other sellers without restrictions
The summary is as follows: A vulnerability was reported that allowed sale cancellations from other sellers without restrictions. The issue was acknowledged and addressed by MercadoLibre...
Truecaller: Lack of URL Validation in avatarUrl at /v4/profile
The endpoint "profile4-noneu.truecaller.com/v4/profile" was found to have a lack of URL validation in the "avatarUrl" parameter. The validation only checked if the URL started with "https" and contained the string "images-noneu.truecallerstatic.com", allowing attackers to craft fake URLs by addin...
curl: Incorrect Type Conversion in interpreting IPv4-mapped IPv6 addresses and below `curl` results in indeterminate SSRF vulnerabilities.
Vulnerability description not provided...
HackerOne: Reset the 2FA of the user which can lead to Account Takeover
Vulnerability description not provided...
HackerOne: Able to Create Testimonials for myself using Sandbox
The vulnerability allowed hackers to create and display self-authored testimonials on their public profiles. This was achieved by creating a sandbox program on HackerOne and inviting an alternate account. The alternate account could submit reports to the sandbox program, and the primary account,...
Rootstock Labs: Crafted smart contract can take 1.5 minutes to execute due to inefficient CODESIZE implementation
The crafted smart contract can take 1.5 minutes to execute due to an inefficient implementation of the CODESIZE operation in the VM. The issue was caused by the VM.doCODESIZE method, which retrieved the entire code array instead of just the code length. This behavior could be exploited to transfe...
HackerOne: Insecure Direct Object Reference (IDOR) Allows Viewing Private Report Details via /bugs.json Endpoint
The Insecure Direct Object Reference (IDOR) vulnerability allowed viewing private report details through the /bugs.json endpoint. Any private reports could be accessed by sending a POST request to the endpoint with the organization ID and a single-digit text query. This gave access to sensitive...
HackerOne: Two-factor authentication bypass leads to information disclosure about the program and all participating hackers
Vulnerability description not provided...
GitHub: GitHub Apps can access suspended installations via scoped user-to-server tokens
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This vulnerability was only exploitable in public repositories. The vulnerability affected all versions of...
Nextcloud: Incomplete sanitization in SVG preview provider
The SVG preview provider in Nextcloud suffered from incomplete sanitization, allowing potential exploitation...
HackerOne: [IDOR] Improper Access Control on Embedded Submission Form
The researcher discovered an improper access control vulnerability that allowed them to access sensitive program information for private/inactive embedded submission forms by leveraging the form's UUID. The researcher used reconnaissance techniques to obtain a list of UUIDs for various private...
HackerOne: Payload delivery via Social Media urls on H1 profile
The HackerOne platform allowed users to add social media profiles to their profiles, where users could provide their usernames. Due to improper sanitization, users were able to construct their own URLs, except for Twitter, which was sanitized. This allowed attackers to hide malicious payloads behi...
HackerOne: 2FA Bypass via Leaked Cookies
Vulnerability description not provided...
Nextcloud: Events information leaked with shared calendars on recurrence exceptions
Events information leaked with shared calendars on recurrence exceptions...
U.S. Dept Of Defense: Reflected XSS [CVE-2020-3580]
The application was vulnerable to cross-site scripting (XSS) due to insufficient input validation. This allowed an attacker to inject malicious scripts that could be executed in the victim's browser...
HackerOne: Confirmed #2118458: Intentional redirect from www.hackerone.com to domain which is up for sale
The report describes an intentional redirect from www.hackerone.com to a domain that is currently for sale. The report states that the endpoint https://www.hackerone.com/node/9386 automatically redirects to https://www.iotna.com/, and that the domain iotna.com is currently up for sale...
LY Corporation: Client-Side Path Traversal on LINE Developers Console
The LINE Developers Console had a Client-Side Path Traversal vulnerability that led to an effective CSRF. The operations that could be enforced with the CSRF were limited...
pixiv: Internal logs/info leaked via endpoint https://203.137.128.240/server-status
The server-status endpoint was accessible, allowing access to internal logs and information...
Automattic: Authentication & Registration Bypass in Newspack Extended Access
The Newspack Extended Access plugin failed to validate the JWT signing on the registration and login JSON endpoint. This allowed for the registration of accounts with arbitrary user-supplied details and authentication bypass if a target account email was known...
Node.js: fs.fchown/fchmod bypasses permission model
A vulnerability was identified in Node.js that affected users of the experimental permission model when the --allow-fs-write flag was used. The vulnerability allowed operations such as fs.fchown or fs.fchmod to be used with a "read-only" file descriptor to change the owner and permissions of a...
Hyperledger: Code exec on GitHub runner via pull request name
A command injection vulnerability was discovered in the GitHub Actions workflow of the Hyperledger Cacti repository. The vulnerability allowed an attacker to inject arbitrary commands and execute them on the GitHub runner by crafting a malicious pull request title. The vulnerability was present i...
U.S. Dept Of Defense: [███] .NET Framework ObjRefs Disclosure (CVE-2024-29059)
A vulnerability was discovered in Microsoft .NET Framework that could allow a remote attacker to obtain sensitive information. The vulnerability was caused by the potential disclosure of ObjRef URIs, which could be used to perform .NET Remoting attacks via HTTP. The vulnerability was assigned the...
GitHub: View private repository NWO of deploy key via internal LFS API
The vulnerability allowed an attacker to enumerate the names of private repositories that utilized deploy keys in GitHub Enterprise Server. The vulnerability did not provide unauthorized access to any repository content besides the repository names. This vulnerability affected all versions of...
HackerOne: Session Not Expire / 2FA Bypass
Vulnerability description not provided...
U.S. Dept Of Defense: GlobalProtect - OS Command Injection #█████████
A command injection vulnerability was discovered in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations. This vulnerability could have enabled an unauthenticated attacker to execute arbitrary code with root privileges on...
Mozilla: Jira Credential Disclosure within Mozilla Slack
The Jira admin API keys were disclosed within a Mozilla Slack channel by a staff member. The exposed credentials allowed for the verification of the user's elevated privileges, including being a Jira Administrator, Administrator, and Jira Service Desk user...