Liberapay: Unsafe yaml load can lead to remote code execution
The YAML load function can lead to remote code execution vulnerability. The vulnerability allows the construction of arbitrary Python objects from untrusted YAML data, which can be exploited by an attacker...
HackerOne: Two factor authentication bypass
Vulnerability description not provided...
HackerOne: 2fa can't be activated on app.pullrequest.com
Vulnerability description not provided...
Node.js: Bypass incomplete fix of CVE-2024-27980
CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arose from improper handling of batch files with all possible extensions on Windows via child_process.spawn and child_process.spawnSync. A malicious command line argument could have been used ...
PortSwigger Web Security: Incorrect logic when buying one more license, which may extend the expiry date of an existing license
Vulnerability description not provided...
Nextcloud: Event create can create attachments that link to other websites
The vulnerability allowed the creation of attachments that could link to other websites during the event creation process...
IBM: Insecure Direct Object Reference Protection bypass by changing HTTP method in IBM Your Learning endpoint.
The Insecure Direct Object Reference vulnerability in the IBM Your Learning endpoint was reported, analyzed, and remediated. The vulnerability allowed bypassing the protection by changing the HTTP method...
Mars: Sqli on ██████ search functionality
A SQL injection vulnerability was reported on the search functionality of the ██████ website. The vulnerability allowed an attacker to inject malicious SQL code into the search query...
Internet Bug Bounty: Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash
The Node.js HTTP/2 server was affected by a vulnerability that caused it to crash instantly after receiving a small number of HTTP/2 frames. The issue was caused by a race condition that occurred when the Http2Session destructor was triggered while header frames were still being processed, leavin...
Internet Bug Bounty: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
The Apache HTTP Server vulnerability CVE-2024-27316 was recently discovered. HTTP/2 incoming headers exceeding the limit were temporarily buffered in nghttp2 to generate an HTTP 413 response. However, if the client did not stop sending headers, this led to memory exhaustion. The vulnerability was...
Internet Bug Bounty: Proxy-Authorization header not cleared on cross-origin redirect in undici.request
The Proxy-Authorization header was not cleared on cross-origin redirects in the Undici HTTP client library. This issue was reported and patched in later versions of Undici...
MTN Group: Unauthorized access to PII leads to Administrator account Takeover
The vulnerability arises from insufficient restrictions placed on the list of post authors, which could be exploited by remote attackers to obtain sensitive information through wp/v2/users/15 requests. The sensitive information, including email addresses, could be obtained and used in further...
HackerOne: Any user could upload attachments to pentest scoping form they don't have access to
The root cause of this issue was insufficient access controls implemented in the attachment upload functionality for pentest scoping forms. The endpoint responsible for handling attachment uploads did not properly validate the user's access rights to the specific scoping form, allowing any...
Internet Bug Bounty: CVE-2019-1551: rsaz_512_sqr overflow bug on x86_64
The CVE-2019-1551 vulnerability was an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli in the OpenSSL library. The vulnerability was found and reported by researchers. The issue was mitigated in the 1.1.1 and 1.0.2 versions of OpenSSL...
Nextcloud: User can copy locked folders and gain access to the contents
A vulnerability in Nextcloud allowed users to copy locked folders and access their contents...
Mars: sqli on █████████ search functionality
A SQL injection vulnerability was found in the search functionality of the █████████ website...
Nextcloud: Weak ssh algorithms and CVE-2023-48795 Discovered on various subdomains of nextcloud.com
Security researchers discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol, known as Terrapin (CVE-2023-48795). This vulnerability could have allowed an attacker to downgrade the security of the secure channel. Weak SSH algorithms were also identified on various subdomai...
Internet Bug Bounty: [CVE-2024-25126] Denial of Service Vulnerability in Rack Content-Type Parsing
A denial of service vulnerability was discovered in the content type parsing component of Rack. The vulnerability was assigned the CVE identifier CVE-2024-25126. The vulnerability affected versions 0.4 and above of Rack, and was addressed in versions 3.0.9.1 and 2.2.8.1...
Internet Bug Bounty: [CVE-2024-26146] Header Parsing leads to Possible Denial of Service Vulnerability
The Rack header parsing library in Ruby on Rails was found to have a potential denial of service vulnerability. The vulnerability was assigned the identifier CVE-2024-26146. It was discovered that carefully crafted headers could cause the header parsing routines to take longer than expected,...
Internet Bug Bounty: [CVE-2024-26142] ReDoS vulnerability in Accept header parsing in Action Dispatch
A ReDoS vulnerability was discovered in the Accept header parsing in Action Dispatch. The vulnerability was assigned the CVE identifier CVE-2024-26142. Affected versions were 7.1.0 to 7.1.3, while versions prior to 7.1.0 and 7.1.3.1 and later were not affected. The vulnerability was reported and ...
Mars: CSRF in Delete Pet Function
The Delete Pet functionality on the ████████ platform was found to be vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability was discovered in the pet deletion endpoint, where the pet ID parameter could be manipulated to force authenticated users to delete their pets without their...
U.S. Dept Of Defense: Reflected XSS via Moodle on ███ [CVE-2022-35653]
A reflected XSS vulnerability was identified in the LTI module of Moodle. The vulnerability was caused by insufficient sanitization of user-supplied data in the LTI module. A remote attacker could have tricked a victim into following a specially crafted link, which could have executed arbitrary...
TikTok: Account Takeover via Authentication Bypass in TikTok Account Recovery
An improper authentication mechanism in TikTok's account recovery process was identified. The vulnerability was reported and has been completely fixed. There was no evidence of exploitation...
Teleport: SSRF in region parameter that leads to AWS Teleport role AWS account takeover
You have an Integration page in Teleport where one of the options is AWS OIDC, which allows people in Teleport to add resources fluently without actually having initial access to these resources or installing any agents on them. You will need to have a connected and ready OIDC integration with A...
Internet Bug Bounty: CVE-2024-2398: HTTP/2 push headers memory-leak
A memory leak was found in libcurl when handling HTTP/2 push headers. The vulnerability was caused by libcurl's failure to properly release the allocated memory when aborting a server push due to the maximum allowed limit being exceeded. This could lead to denial of service due to memory exhausti...
U.S. Dept Of Defense: Missing Access Control Allows for User Creation and Privilege Escalation
The RSI Test Environment application had a vulnerability that allowed unauthenticated users to create new user accounts and grant them administrator privileges. This provided unauthorized access to restricted information and documents within the application...
HackerOne: Attachment disclosure via summary report
A critical vulnerability was discovered in the HackerOne platform that allowed an attacker to gain unauthorized access to attachments belonging to other users through the report summary editing functionality. By manipulating attachment IDs in the request, an attacker could view sensitive files th...
passhash: Potential DoS due to PasswordPoliciesNotMet in errors.go
Summary: Possible DoS depending on the amount of PasswordPolicyError instances that can be created in a short time. `type PasswordPoliciesNotMet struct { UnMetPasswordPolicies []PasswordPolicyError }`; `func (e PasswordPoliciesNotMet) Error() string { errorStrs := make([]string, 0, len(e.UnMetPasswordPolicies)); for _, ppe :=`...
passhash: Missing policies for password in password_policies.go
Summary: Some missing policies to consider adding. Policies: 1. Password History - There is no policy implemented for password history requirements. This would prevent users from reusing their previous passwords. 2. Strong password - There are no checks for strong password requirements like...
Internet Bug Bounty: CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
A remote code execution vulnerability was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. The vulnerability was caused by the lack of restrictions on the classes that could be restored when parsing .rdoc_options as a YAML file. Additionally, object injection and...
Internet Bug Bounty: Usage of disabled protocol in curl
CVE-2024-2004 was a vulnerability in the usage of disabled protocols in curl. When a protocol selection parameter option disabled all protocols without adding any, the default set of protocols remained in the allowed set due to an error in the logic for removing protocols. This flaw was assessed ...
Internet Bug Bounty: CVE-2024-2379: QUIC certificate check bypass with wolfSSL
CVE-2024-2379 was a vulnerability in libcurl's QUIC implementation where certificate verification was skipped under certain conditions when using the wolfSSL library. The vulnerability was caused by an error path that accidentally returned success when encountering unknown or unsupported ciphers ...
Internet Bug Bounty: CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request)
CVE-2024-2466: TLS certificate check bypass with mbedTLS. The vulnerability was reported in libcurl, where it did not check the server certificate of TLS connections made to a host specified as an IP address when built to use mbedTLS. This caused the certificate check to be completely skipped,...
U.S. Dept Of Defense: Reflected Cross-site Scripting via search query on ██████
A reflected cross-site scripting vulnerability was discovered in the search query functionality of the ████████ website. An attacker could execute arbitrary JavaScript code in the victim's browser by injecting a malicious payload into the search query parameter...
Internet Bug Bounty: Improper handling of wildcards in --allow-fs-read and --allow-fs-write
The Node.js Permission Model was found to have improper handling of wildcards in the --allow-fs-read and --allow-fs-write options. The implementation silently ignored any text after a wildcard character, potentially granting unintended file system access. Additionally, when the wildcard character...
Internet Bug Bounty: Path traversal by monkey-patching Buffer internals
In Node.js 20 and 21, a path traversal vulnerability was introduced due to the ability to monkey-patch Buffer internals. By overwriting Buffer.prototype.utf8Write, an attacker could bypass the path resolution logic and access restricted file system paths. The vulnerability was caused by the...
U.S. Dept Of Defense: SQL injection on ██████████ via 'where' parameter
An SQL injection vulnerability was discovered in the 'where' parameter of the ArcGIS server. The vulnerability allowed an attacker to retrieve database content by injecting malicious SQL queries into the 'where' parameter. Esri released an update to ArcGIS Server 10.1 Service Pack 1 to address th...
GoCD: XSS in GOCD Analytics Plugin
The vulnerability was discovered in the GOCD Analytics Plugin, specifically in the info-message.js file. The vulnerability allowed for Cross-Site Scripting (XSS) attacks by injecting malicious code through the ?msg= parameter. The vulnerable code failed to properly sanitize the user-supplied input,...
HackerOne: "package_name" can be set as desired when submitting a Pentest Opportunity form
Vulnerability description not provided...
HackerOne: Minor security issue with Hackerone Invitations from sandbox program
The Hackerone team had enabled the "Invite Users" feature to add users to an organization in a sandbox program. When inviting other users through email, there was no warning message in the email stating that the invitation was sent from an unverified program on Hackerone...
Internet Bug Bounty: Libuv: Improper Domain Lookup that potentially leads to SSRF attacks
The vulnerability in the libuv library was caused by the improper truncation of hostnames to 256 characters before calling the getaddrinfo function. This behavior allowed the creation of addresses like 0x00007f000001, which were considered valid by getaddrinfo, potentially leading to SSRF attacks...
Monero: [Monero wallet RPC] File precreation to file ownership and credentials leak
The Monero wallet RPC was found to have a vulnerability in the file creation process that could lead to potential credential leakage. The issue was located in the wallet_rpc_server::init method, where a file was created without using the O_EXCL flag, allowing an attacker to pre-create the file and...
PortSwigger Web Security: [portswigger.net] Path Traversal at /cms/audioitems
Vulnerability description not provided...
HackerOne: Possible PII Disclosure via Advanced Vetting Process - ██████
Possible PII disclosure was identified in the HackerOne Advanced Vetting process. Unauthorized users were able to download a CSV file containing the names, usernames, and other personal details of users who had accepted the Advanced Vetting terms. The issue was observed in a sandboxed program, bu...
Nextcloud: Ability to by-pass second factor
The advisory described a vulnerability that allowed bypassing the second factor authentication in Nextcloud. The vulnerability was addressed in a security update...
GoCD: XSS in new.loading.page.html
A cross-site scripting vulnerability was found in new.loading.page.html due to inadequate handling of query parameters. This allowed attackers to insert JavaScript URIs as redirectors, leading to unauthorized script execution...
Doppler: Acquisition on broken link listed on the page "https://docs.doppler.com/docs/removal-deprecated-packages-scripts" in [scheduling a call]
The report describes a broken link on the Doppler documentation website. The broken link was located on the page "https://docs.doppler.com/docs/removal-deprecated-packages-scripts" in the "scheduling a call" section. The broken link pointed to "https://calendly.com/doppler-ryan/onsite-install",...
U.S. Dept Of Defense: Reflected XSS on error message on Login Page
The login page on the specified system was found to have a reflected cross-site scripting (XSS) vulnerability. The vulnerable link allowed an attacker to inject crafted JavaScript code that could be executed in the user's browser. The vulnerability was discovered in the error message parameter of t...
TikTok: Lynxview JS interfaces Takeover via deeplink traversal
The application had vulnerabilities that could have allowed the takeover of JavaScript interfaces via the application's exposed Webview. The issues were only present in older versions of the Android application and were addressed after the researcher reported them to the team...
curl: CVE-2024-2466: TLS certificate check bypass with mbedTLS
The curl library had a security vulnerability where the certificate name check was bypassed when connecting to a host via its IP address. This could have allowed spoofing attacks or unauthorized access due to an unverified server certificate. The issue affected curl with mbedTLS from...