U.S. Dept Of Defense: Authentication Bypass on https://███████/

An authentication bypass vulnerability was discovered on https://████████/. By visiting /███████/GxSessionIfc.php, a valid session was created for the user, allowing them to bypass the authentication requirement and access the site...

Mozilla: sentry Auth Token exposed publicly in docker hub image

The Sentry authentication token was exposed publicly in Docker Hub images belonging to the Taskcluster project. The token was found in the source code of the images and was still active, allowing access to the Sentry API...

Rootstock Labs: Crafted smart contract can take 8 minutes to execute due to bug in modexp precompile.

A bug in the modexp precompile of an Ethereum-based blockchain can cause long stalls in the execution of crafted smart contracts. The issue was reported and could have potentially stalled the network...

Hyperledger: Docker Secret Disclosure via GitHub Actions Cache Poisoning

The vulnerability involved the disclosure of Docker secrets through GitHub Actions cache poisoning. The issue was reported and subsequently resolved...

curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL

The vulnerability in vquic-tls.c in the curlwsslinitctx function allowed for a certificate check bypass when using the WolfSSL backend. The error handling was not properly implemented, resulting in a potential bypass of the certificate verification requirements...

U.S. Dept Of Defense: CVE-2021-39226 Discovered on endpoint https://██████/api/snapshots

CVE-2021-39226 was discovered in Grafana, where authenticated and unauthenticated users were able to view and delete snapshots by accessing specific endpoints. The vulnerability allowed for unauthorized access and deletion of snapshot data...

Node.js: Proxy-Authorization header not cleared on cross-origin redirect in undici.request

The Proxy-Authorization and x-auth-token headers were not cleared on cross-origin redirects in versions of undici up to and including 6.7.0. This issue was similar to a previously fixed security vulnerability where Authorization and Cookie headers were not cleared on such redirects...

HackerOne: View any user email using the Team's audit log section

Vulnerability description not provided...

LY Corporation: XSS on LINE CAREERS

The recruitment portal of LINE Plus Corporation had a reflected XSS vulnerability that occurred via the query parameter companyNm, allowing potential execution of JavaScript code on the client side...

curl: HTTP/2 PUSH_PROMISE DoS

Vulnerability description not provided...

curl: CVE-2024-2398: HTTP/2 push headers memory-leak

CVE-2024-2398 was a memory-leak vulnerability in the HTTP/2 push headers implementation of libcurl. For each incoming PUSHPROMISE header, a new string was allocated and stored in an array. When the number of headers exceeded a threshold, libcurl freed the array but forgot to free the individual...

IBM: Information disclosure identified on IBM endpoint.

The information disclosure vulnerability identified on an IBM endpoint was reported to IBM, analyzed, and remediated...

Internet Bug Bounty: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

The django.utils.text.Truncator.words method with html=True and truncatewordshtml template filter were found to be vulnerable to a potential regular expression denial-of-service attack. The vulnerability was caused by regular expressions stored in variables that were susceptible to ReDoS attacks,...

Mars: Attacker can add two free bags offered by the site at the same time.

A vulnerability was found on the website that allowed an attacker to add two free bags offered by the site simultaneously, despite the restriction of choosing only one. This was achieved by manipulating the API responsible for adding the free bags to the cart...

Mozilla: two aws access key and secret key and database username and password exposed

A security vulnerability was identified in a Docker image hosted on Docker Hub. The image, associated with Mozilla's Common Voice project, was found to contain exposed AWS access keys, AWS secret keys, and database credentials. These sensitive credentials were discovered within the file...

Internet Bug Bounty: CVE-2024-25128: Apache Airflow: Authentication Bypass when Legacy OpenID(2.0) is in use as AUTH_TYPE

CVE-2024-25128: Apache Airflow: Authentication Bypass when Legacy OpenID2.0 is in use as AUTHTYPE. When OpenID2.0 was used as the Authentication Type, an attacker could forge authentication to any existing account in the target Airflow installation by deceiving the backend to trust arbitrary Open...

Doppler: Github app(link) Takeover Listed on "https://docs.doppler.com/docs/github-actions" page

A github app presented on a Doppler documentation page was vulnerable to takeover, enabling attackers to achieve malicious objectives. The app link has since been removed or replaced to mitigate this vulnerability...

Mozilla: Subdomain takeover on one of the subdomains under mozaws.net

Subdomain takeover on one of the subdomains under mozaws.net was discovered due to a dangling DNS record. The record was registered by the researchers, who were able to host content under the subdomain...

IBM: jazz.net - publicly accessible .svn repositories

The vulnerability regarding publicly accessible .svn/entries files in jazz.net was reported to IBM, analyzed, and remediated. The issue was identified by an external researcher...

Mars: sensitive data-creds for database - private key

The sensitive database credentials, including a username, password, and a private key, were discovered in a publicly accessible GitHub repository. The credentials were stored in plaintext within a configuration file, exposing them to anyone who could access the repository...

Yelp: Privilege Escalation - A Low Privilege User who does not have access to the user management module can remove the owner of the business account

The owner of the business account was removed by a low-privilege user who did not have access to the user management module...

Yelp: Privilege Escalation - A Non Owner User Who Does not Have access to the user management can invite other users to the restaurant page

Privilege escalation vulnerability was discovered where a non-owner user without access to user management could invite other users to the restaurant page...

Mars: Upload profile photo and Pets addition - IDOR

The Insecure Direct Object Reference IDOR vulnerability was discovered on the website ██████████. The vulnerability allowed for the manipulation of user accounts by unauthorized users through the profile photo upload feature and the pet addition system. Specific parameters in the requests could b...

Internet Bug Bounty: Proxy-Authorization header is not cleared in cross-domain redirect in undici

Proxy-Authorization header not cleared on cross-origin redirect in Undici. Impacted versions = v6.0.0 = v6.6.0. Patched in v5.28.3 and v6.6.1. No known workarounds...

Mars: Reflected xss on ████████

The ████████ website was vulnerable to a reflected Cross-Site Scripting XSS vulnerability. The vulnerability was caused by the improper neutralization of user-supplied input within the 's' parameter, which was then reflected in the application's response without proper sanitization or encoding...

Ruby on Rails: Action Text XSS (Rails 7.1.x)

The vulnerability in Action Text in Rails 7.1.x allows for cross-site scripting XSS when attempting to edit the text in which the crafted values were stored. The vulnerability was likely introduced in the PR that addressed a previous issue. It was confirmed that the XSS did not occur on the show...

Nextcloud: Easy way to create a new Deck board without permission

A vulnerability was discovered that allowed users to create new boards without permission. The vulnerability involved cloning an existing board and renaming it, bypassing the restrictions set by the admin to limit board creation to specific groups...

Mars: CVE-2022-21371: Oracle WebLogic Server Local File Inclusion

A vulnerability was identified in Oracle WebLogic Server's Web Container component. Affected versions included ██████████, ██████████, ██████████, and ██████████. The vulnerability could be exploited by an unauthenticated attacker over HTTP, potentially leading to unauthorized access to critical...

PortSwigger Web Security: CSP Bypass and escalation of https://hackerone.com/reports/2279346

Vulnerability description not provided...

Mozilla: Bypass Email Verification on Add Email Monitoring

A security vulnerability has been identified in the email verification process of Mozilla Monitor. The issue allowed attackers to bypass the email verification step when adding a new email address for monitoring. The vulnerability was exploited by obtaining the verification token from the server...

curl: CVE-2024-2004: Usage of disabled protocol

The usage of the disabled protocol in some circumstances with the --proto option can enable all protocols after being given -all, potentially leading to sending sensitive data over an unencrypted channel. The vulnerability was introduced in version 7.85.0 of curl when the string-based protocol...

Mozilla: Insecure S3 Bucket Exposing Git Directory in Mozilla Foundation Infographics Project

Git configuration was leaked in one of the S3 buckets used by Mozilla Foundation Infographics Project. The configuration included an old Github access token which was no longer valid. We restricted access to the .git directory on the bucket...

GitHub: Source Code and data exfiltration via Github Copilot

The vulnerability was caused by insecure output handling in the Copilot client interfaces. A prompt injection attack was able to result in data exfiltration. The vulnerability was addressed by only rendering images from trusted domains and adding interstitial modals to inform users about link...

Mozilla: IDOR on Delete Email address features

An insecure direct object reference vulnerability was found in a web application which allowed users to delete email addresses in other users' accounts by manipulating identifiers. The issue was mitigated by adding proper access controls on the delete operation...

HackerOne: Creation of bounties through Customer API leads to private email disclosure

The creation of bounties through the Customer API led to the disclosure of private email addresses. The vulnerability was demonstrated by using both the API and GraphQL requests to award a program bounty to a user, which then exposed the email address of that user in the response...

Tools for Humanity: IDOR - Leaking of team data (name, email, ID, member ID) via POST /api/v1/graphql `FetchMemberships` operation

The vulnerability allowed individuals no longer associated with the organization to access sensitive team member data due to inadequate validation of user permissions. The information that was potentially accessible included names, email addresses, roles, and IDs of current team members...

HackerOne: Ability to identify actual private from sandboxed programs using link hackerone.com/$handle/terms_acceptance_data.csv

The researcher discovered a vulnerability that allowed them to identify private programs on HackerOne by accessing the terms acceptance data CSV file for those programs. The vulnerability was confirmed to exist on HackerOne's own dummy invite-only program, as well as other private programs, but n...

Nextcloud: Can download files on Android app without permission

A vulnerability was discovered in the Android app where users could download files shared with them, even if the owner had disabled the download option. The vulnerability affected various file types, including PDF, document, image, and presentation files. The vulnerability allowed users to access...

Mozilla: paypal client_id And stripe api key indexed on web archive

The paypal clientid and stripe API key have been indexed on the web archive, exposing sensitive data...

Node.js: fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

The vulnerability in the undici library in Node.js was that the parseHashWithOptions function did not properly handle base64url encoded hashes and invalid hashes. This allowed resources to be loaded without the expected Subresource Integrity SRI checks being performed...

Nextcloud: Attachments folder for Text app is accessible on Files Drop/Password protected shares

The Nextcloud Text app's attachments folder was found to be accessible on Files Drop/Password protected shares...

Nextcloud: Possible to enumerate valid files in password protected shares/files drop shares as well as spam folder with files

The summary is as follows: It was possible to enumerate valid files in password protected shares and file drop shares. Additionally, it was possible to spam the folder with empty files using an attacker-controlled file name. The vulnerability existed in the DocumentAPIControllercreate method, whi...

Nextcloud: ID4me feature of OpenID connect app available even when disabled

The useroidc app in Nextcloud allowed the registration of new accounts by accessing the /apps/useroidc/id4me endpoint, even when the ID4Me feature was disabled. This was caused by the setting to enable/disable ID4Me having no effect on the accessibility of the controllers...

MTN Group: CVE-2018-0296 Cisco ASA Denial of Service & Path Traversal vulnerable on [mtn.co.ug]

The Cisco Adaptive Security Appliance ASA was affected by a vulnerability in its web interface that could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service condition. In certain software releases, the vulnerability also could ha...

MTN Group: CVE-2010-1429 JBoss Insecure Storage of Sensitive Information on ips.mtn.co.ug

The JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allowed remote attackers to obtain sensitive information about deployed web contexts via a request to the status servlet, as demonstrated by a full=true query string. This issue was caused by a regression fr...

Internet Bug Bounty: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service DoS. The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk...

Bykea: Broken Access Control (IDOR) in Booking Detail and Bids Could Leads to Sensitive Information Disclosure

The report identified a vulnerability in the Bykea application's booking detail and bids endpoints that could lead to the disclosure of sensitive information. The vulnerable endpoints allowed an attacker to access the booking details, bids information, and bids configuration of other users by...

HackerOne: LLM01: Invisible Prompt Injection

The report described a vulnerability in Hai's system involving invisible prompt injection via Unicode tag characters. The vulnerability allowed the submission of a test report with a fake report containing hidden characters, which could be used to inject prompts into the system's responses. The...

ExpressionEngine: Multiple XSS and open HTTP redirection

The ExpressionEngine platform was affected by multiple cross-site scripting vulnerabilities that could have allowed attackers to execute JavaScript in the browsers of targeted users. An open HTTP redirection issue was also discovered...

HackerOne: Non Org Admin/Group Manager can create groups in an organization

The report described a privilege escalation vulnerability that allowed a user with "Program Admin" permissions to escalate their privileges to higher levels, such as "Report Manager" or full administrator privileges, under certain circumstances. The vulnerability existed due to a mutation in the...