Automattic: DOM XSS on multiple Automattic domains through postMessages
A DOM XSS vulnerability was found on widgets.wp.com that allowed injection of scripts into the DOM. This was combined with a vulnerability in the Jetpack WordPress plugin, where postMessages from widgets.wp.com were used to populate avatar URLs without validation, leading to DOM XSS on WordPress sites...
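The Jetpack side of the entry above, as an added example that is not Automattic's or Jetpack's code: a handler that turns a postMessage into an avatar <img>, first written the way the report describes it (no origin check, no validation of the URL) and then hardened. The trusted sender origin, the allowed avatar hosts and the sample messages are assumptions constructed for the demo.

```javascript
// Added example, not Jetpack/Automattic code. The trusted sender and the
// avatar hosts are assumptions for this demo.
const TRUSTED_ORIGIN = "https://widgets.wp.com";
const ALLOWED_AVATAR_HOSTS = new Set(["secure.gravatar.com", "0.gravatar.com"]);

// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: whatever arrives in the message is written straight into markup.
// A message from any origin can close the src attribute and add an event handler.
function vulnerableAvatarHtml(event) {
  return `<img src="${event.data.avatarUrl}">`;
}

// Hardened: render nothing (null) unless the message came from the expected
// origin, carries a string, parses as an https URL on an allowed host, and is
// escaped before it is placed in the attribute.
function hardenedAvatarHtml(event) {
  if (event.origin !== TRUSTED_ORIGIN) return null;
  const raw = event.data && event.data.avatarUrl;
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" || !ALLOWED_AVATAR_HOSTS.has(url.hostname)) return null;
  // url.href is the re-serialised form: quotes and spaces in the path are
  // already percent-encoded, and escapeAttr covers anything left.
  return `<img src="${escapeAttr(url.href)}">`;
}

// Constructed messages (shaped like a MessageEvent): one hostile, one legitimate.
const hostileMessage = {
  origin: "https://attacker.example",
  data: { avatarUrl: 'x" onerror="alert(document.domain)' },
};
const legitMessage = {
  origin: TRUSTED_ORIGIN,
  data: { avatarUrl: "https://secure.gravatar.com/avatar/abc?s=96" },
};

// In a page this would sit behind
//   window.addEventListener("message", (e) => { const h = hardenedAvatarHtml(e); if (h) el.innerHTML = h; });
console.log(vulnerableAvatarHtml(hostileMessage)); // the injected handler survives
console.log(hardenedAvatarHtml(hostileMessage));   // null
console.log(hardenedAvatarHtml(legitMessage));
```

The origin check is what the report says was missing on the Jetpack side; the scheme and host checks are there because a correct origin alone does not make the payload safe once the sending page (widgets.wp.com in the report) is itself script-injectable.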
HackerOne: LLM03: Training Data Poisoning via ASCII decoding
Vulnerability description not provided...
U.S. Dept Of Defense: DBMS information getting exposed publicly on -- [ ██████████ ]
A public file was found that exposed sensitive data from the website's database, including hashed user information and other configuration details. The file contained SQL statements that could be used to access the database, potentially revealing confidential data...
Weblate: Information Disclosure
A vulnerability allowed API keys to be exposed in a PyPI package...
Mars: Unrestricted File Upload at ██████████
The endpoint "████████" enabled unrestricted file uploads, allowing anyone to upload any type of file without registration...
GitHub: RC Between GitHub's Repo Update REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention
A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on a detached repository by making a GraphQL mutation to alter repository permissions while the repository is detached. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13...
Publitas: Unauthorized Access to Offline Publication Cover Pages via SOURCE_DOCUMENT_ID
A vulnerability was discovered that allowed unauthorized access to offline publication cover pages by sending requests with specific source document IDs. This exposed cover pages and associated user and publication IDs that were intended to be private...
HackerOne: Inadequate redaction exposes sensitive information via the “ShareReportViaEmail" GraphQL endpoint
The vulnerability involved inadequate redaction of sensitive information within the HackerOne platform. Specifically, the redaction feature failed to completely obscure data such as JIRA references, which could be accessed through GraphQL requests...
U.S. Dept Of Defense: XSS parameter: Username - █████████
The report describes a cross-site scripting (XSS) vulnerability in the username parameter of an application. The vulnerability was demonstrated using Burp Suite, where the attacker was able to inject malicious JavaScript code into the username field. No further details were provided about the...
Mars: unsubscribe anyone from all ████████ emails @ █████
The vulnerability allowed for the unsubscription of arbitrary users from all Banfield emails by manipulating the subscriber ID (sid) parameter in the unsubscribe URL. This issue was classified under CWE-284: Improper Access Control. The predictable nature of the sid parameter enabled potential mass...
U.S. Dept Of Defense: Attacker can Add itself as admin user and can also change privileges of Existing Users [█████████]
The website had a directory that lacked authentication, allowing an attacker to add a new admin user and change the privileges of existing users without any authentication...
Reddit: Information Disclosure Due to Use of Hard-coded Cryptographic Key
Vulnerability description not provided...
U.S. Dept Of Defense: Xss - ███
The parameter 'goal1Costs' was vulnerable to a cross-site scripting (XSS) attack. The vulnerability allowed the attacker to inject malicious JavaScript code into the application, which could be executed by the users viewing the report...
U.S. Dept Of Defense: Xss Parameter: /<s>/[*]/<s>.css ████████
The request included a cross-site scripting (XSS) vulnerability in the parameter /<s>/[*]/<s>.css. The vulnerability was triggered by including malicious code in the request, which could have been executed when the request was processed...
TikTok: Reflected XSS on Pangle Endpoint
A cross-site scripting (XSS) vulnerability was found at the Pangle endpoint via the 'redirect' parameter. This was caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. The vulnerability was fixed and additional mitigations...
Node.js: Proxy-Authorization header is not cleared in cross-domain redirect in undici
A vulnerability was found in undici prior to version 6.5.0 where the Proxy-Authorization header was not cleared during cross-domain redirects, potentially leaking credentials to third-party sites...
curl: cookie is sent on redirect
Vulnerability description not provided...
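The undici entry and, judging by its title, the curl entry above are the same class of bug: a credential-bearing request header that follows a redirect to a host it was never meant for. The following is an added example, not undici's or curl's code, of the decision a client has to make when it follows a Location header. The request, headers and URLs are constructed for the demo.

```javascript
// Added example, not undici's or curl's code. Decide which request headers may
// follow a redirect: headers that carry credentials for the original host (or
// for the proxy used to reach it) are dropped when the target is a different
// origin. Proxy-Authorization is in the list precisely because undici < 6.5.0
// left it out.
const CREDENTIAL_HEADERS = new Set(["authorization", "proxy-authorization", "cookie"]);

function sameOrigin(a, b) {
  // URL.host includes the port, so a port change also counts as a new origin.
  return a.protocol === b.protocol && a.host === b.host;
}

// `from` is the URL the request was sent to, `location` the Location header
// value (possibly relative), `headers` the request headers as a plain object.
// Returns the resolved target, the headers that may be sent to it, and the
// names that were withheld.
function headersForRedirect(from, location, headers) {
  const src = new URL(from);
  const dst = new URL(location, src);
  const crossOrigin = !sameOrigin(src, dst);
  const out = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      dropped.push(name);
      continue;
    }
    out[name] = value;
  }
  return { url: dst.href, headers: out, dropped };
}

// Constructed request: an authenticated call made through an authenticated proxy.
const originalHeaders = {
  Authorization: "Bearer app-token",
  "Proxy-Authorization": "Basic cHJveHk6c2VjcmV0",
  Cookie: "session=abc123",
  Accept: "application/json",
};

console.log(headersForRedirect("https://api.example.com/v1/me", "https://tracker.attacker.example/r", originalHeaders));
console.log(headersForRedirect("https://api.example.com/v1/me", "/v2/me", originalHeaders));
```

A same-origin redirect keeps everything; a cross-origin one keeps only the headers that carry no credentials. The cookie is treated here like any other credential and tied to the origin it was sent to, which is the policy the curl title is questioning.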
IBM: XSS in IBM InfoCenter
The IBM InfoCenter was found to have an XSS vulnerability. The issue was reported to IBM, analyzed, and has been remediated...
MTN Group: Improper Access Controls(Admin Path)
The vulnerability involved improper access controls that allowed the admin path "/wp-admin/admin-ajax.php" to be accessed on the "https://nin.mtn.ng/" website. This could have potentially allowed unauthorized access to sensitive information...
Internet Bug Bounty: CVE-2024-0853: OCSP verification bypass with TLS session reuse
CVE-2024-0853 was a vulnerability in the cURL library where OCSP verification was bypassed when reusing a TLS session. The vulnerability was caused by cURL inadvertently keeping the SSL session ID in its cache even when the OCSP stapling verification failed. This allowed subsequent transfers to t...
Mars: Account takeover using reset password link
A vulnerability was found in the Mars website where the reset password functionality could be manipulated. The reset password link sent via email contained a parameter that specified the path of the reset password page. An attacker could modify this parameter to redirect users to a domain under...
Internet Bug Bounty: Apache Airflow: Bypass permission verification to read code of other dags
CVE-2023-50944: Apache Airflow: Bypass permission verification to read code of other dags. Severity: low. Affected versions: Apache Airflow before 2.8.1. Description: Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to...
LinkedIn: Blocking a company page admin prevents them from deleting a paid media admin or editing their roles
A company page admin was prevented from managing (deleting or editing the roles of) a paid media admin when the paid media admin blocked the company page admin. This created an access control vulnerability in which administrative privileges were circumvented through the platform's social blocking feature...
IBM: Reflected XSS on jazz.net
A cross-site scripting vulnerability was reported on jazz.net. The issue was analyzed and remediated by IBM...
Monero: RPC service DOS
The RPC service running on port 18081, 28081 or 38081 was vulnerable to a denial-of-service attack due to a loop iterating until the maximum range of a 64-bit unsigned integer. The vulnerability was present in all versions after the commit b030f207517f59a5122409398549a02ac23829ae, up to and...
Sheer: Cleartext Transmission of password via Email
The password was sent to the user's email in cleartext after successful signup as a fan...
ownCloud: Authentication Bypass with usage of PreSignedURL
ownCloud Infinite Scale (oCIS) was identified to be vulnerable to an authentication bypass due to an issue with the default-enabled PreSignedURL feature. The vulnerability allowed access to any file without authentication, given prior knowledge of the username and filename. Th...
GitHub: Privilege Escalation to Root SSH Access via Pre-Receive Hook Environment in GitHub Enterprise Server
An attacker with an Administrator role in GitHub Enterprise Server could gain SSH root access via remote code execution. This vulnerability affected GitHub Enterprise Server versions 3.8.0 and above and was fixed in versions 3.8.17, 3.9.12, 3.10.9, 3.11.7 and 3.12.1. This vulnerability was reported...
Internet Bug Bounty: Pickle deserialization vulnerability in XComs
CVE-2023-50943: Apache Airflow: Potential pickle deserialization vulnerability in XComs. Severity: low. Affected versions: Apache Airflow before 2.8.1. Description: Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the...
Ruby on Rails: Path traversal in ActiveStorage, leading to RCE
Vulnerability description not provided...
Publitas: CVE-2018-6389 exploitation - using scripts loader
An unauthenticated denial of service vulnerability in WordPress was discovered, tracked as CVE-2018-6389. By requesting a large number of JavaScript files through the load-scripts.php endpoint, an attacker could consume excessive resources on the server. This vulnerability could allow denial of...
U.S. Dept Of Defense: Improper Authentication (Login without Registration with any user) at ████
The ████ system was vulnerable to an improper authentication issue. Attackers could log in as any user without registration by exploiting the signin parameter in the ██████████ endpoint. This allowed them to authenticate and change the session of a victim to any other user...
Internet Bug Bounty: Denial of Service caused by HTTP/2 CONTINUATION Flood
A denial of service vulnerability was discovered in Apache Tomcat versions 11.0.0-M1 to 11.0.0-M16, 10.1.0-M1 to 10.1.18, 9.0.0-M1 to 9.0.85, and 8.5.0 to 8.5.98. The vulnerability was caused by the way Tomcat processed HTTP/2 requests that exceeded configured limits for headers. A fix was releas...
Publitas: CORS Misconfiguration on █████
A cross-origin resource sharing (CORS) misconfiguration was found that could allow an attacker to steal sensitive user information or force unwanted actions. The misconfiguration allowed credentialed requests and enabled CORS for external domains. A proof of concept was shown that could exploit this to exfiltrate...
GitHub: Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via nomad template injection and audit-forward
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via nomad templates when configuring audit log forwarding. This vulnerability affected all versions of GitH...
GitHub: Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via nomad template injection
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via nomad templates when configuring SMTP options. This vulnerability affected all versions of GitHub...
8x8 Bounty: Open Redirect via Non-Latin Subdomain in vcc-*.8x8.com/AGUI/█.php
The report described an open redirect vulnerability in the vcc-*.8x8.com/AGUI/█.php endpoint, where a filter that prevented the use of the characters 1-9 and a-z in the subdomain parameter could be bypassed by using a non-Latin domain. The vulnerability was demonstrated by redirecting to the...
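The Mars reset-link entry above and this 8x8 open redirect fail the same way: a redirect target is taken from a request parameter and checked with a weak or missing rule. The following is an added example, not Mars's or 8x8's code, of the check that holds up: resolve the candidate against the site's own base URL and accept it only if the resulting origin is the site's own. Because the parser normalises the host before the comparison, a non-Latin hostname gives the attacker nothing. The base URL, the default path and the sample inputs are assumptions for the demo.

```javascript
// Added example, not Mars's or 8x8's code. SITE_BASE and DEFAULT_PATH are
// assumptions for this demo.
const SITE_BASE = "https://www.example.com/";
const DEFAULT_PATH = "/account/reset-password";

// Resolve `candidate` relative to the site and return an absolute URL that is
// guaranteed to be on the site's own origin; anything else falls back to the
// default path. Relative paths, protocol-relative URLs ("//host"), the
// backslash variant ("/\host"), other schemes and look-alike hosts are all
// settled by the parser plus one origin comparison.
function safeRedirectTarget(candidate, base = SITE_BASE) {
  const baseUrl = new URL(base);
  const fallback = new URL(DEFAULT_PATH, baseUrl).href;
  if (typeof candidate !== "string" || candidate === "") return fallback;
  let target;
  try {
    target = new URL(candidate, baseUrl);
  } catch {
    return fallback;
  }
  if (target.origin !== baseUrl.origin) return fallback;
  return target.href;
}

// The kind of deny-list the 8x8 report bypassed: "no 1-9 or a-z in the
// subdomain". It says nothing about letters outside ASCII.
function naiveSubdomainFilterPasses(subdomain) {
  return !/[1-9a-z]/.test(subdomain);
}

// Constructed inputs a reset-link "path" parameter might carry.
const samples = [
  "/account/reset-password?token=abc",          // legitimate relative path
  "//attacker.example/reset",                   // protocol-relative
  "/\\attacker.example/reset",                  // backslash, parsed as a slash for https
  "https://www.example.com.attacker.example/",  // look-alike host
  "javascript:alert(1)",                        // different scheme
];
for (const s of samples) console.log(JSON.stringify(s), "->", safeRedirectTarget(s));

const cyrillicSubdomain = "аттакер"; // Cyrillic letters only, no ASCII 1-9 or a-z
console.log(naiveSubdomainFilterPasses(cyrillicSubdomain)); // true: the deny-list is bypassed
console.log(safeRedirectTarget(`https://${cyrillicSubdomain}.attacker.example/`)); // falls back
```

The point of the origin comparison is that it never looks at the characters the attacker chose; it compares what the parser produced, and a host in any script still parses to a host that is not the site's own.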
GitHub: Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in collectd
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting the username and password for collectd configurations. This vulnerability affected all version...
GitHub: Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in syslog-ng
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the syslog-ng configuration file. This vulnerability affected all versions of GitHub Enterprise Server...
Internet Bug Bounty: CVE-2024-21733 Apache Tomcat HTTP Request Smuggling (Client-Side Desync) (CWE: 444)
SECURITY CVE-2024-21733 Apache Tomcat - Information Disclosure. Severity: Important. Vendor: The Apache Software Foundation. Versions Affected: Apache Tomcat 9.0.0-M11 to 9.0.43, Apache Tomcat 8.5.7 to 8.5.63. Description: Incomplete POST requests triggered an error response that could contain data fr...
Enjin: Lack of Tenant Scoping Enables Limited Cross-Tenant Data Querying and Mutation
A vulnerability was demonstrated on the Enjin Platform that allowed for limited cross-tenant data querying and mutation, enabling querying or mutating of someone else's data in certain cases. A full assessment found this had not been exploited outside of the report...
Nextcloud: Deck app allows to spoof file extensions by using RTLO characters
The Deck app was found to allow spoofing of file extensions by using RTLO (right-to-left override) characters...
Internet Bug Bounty: Argo CD CSRF leads to Kubernetes cluster compromise
Cross-Site Request Forgery (CSRF) in github.com/argoproj/argo-cd, CVE-2024-22424. Severity: High. Impact: The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.16 is vulnerable to a cross-site request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the sa...
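The attack shape above rests on what an HTML form can send: only the CORS-safelisted content types, but with the victim's cookies attached and no preflight. A JSON API that also accepts those content types is therefore reachable from a form on another page. The check below is an added example, not Argo CD's code, of one common fix shape for this class: state-changing requests must carry application/json, and an Origin header, when present, must be the API's own. The API origin and the sample requests are assumptions for the demo.

```javascript
// Added example, not Argo CD's code. API_ORIGIN and the sample requests are
// assumptions for this demo.
const API_ORIGIN = "https://argocd.example.com";

// The only content types an HTML form (or a fetch that avoids preflight) can send.
const FORM_SUBMITTABLE = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// "text/plain; charset=UTF-8" -> "text/plain"
function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Returns null when the request may proceed, otherwise the reason it was
// refused. Header names are expected lower-cased, as Node's http module does.
function csrfCheck(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return null;
  const type = mediaType(req.headers["content-type"]);
  if (FORM_SUBMITTABLE.has(type)) {
    return `form-submittable content-type "${type}" refused for a state-changing request`;
  }
  if (type !== "application/json") {
    return `content-type "${type || "(none)"}" is not application/json`;
  }
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== API_ORIGIN) {
    return `origin ${origin} does not match ${API_ORIGIN}`;
  }
  return null;
}

// Constructed requests. The forged one is what <form enctype="text/plain"> on a
// page that shares the cookie scope produces; the browser adds the cookie itself.
const forged = {
  method: "POST",
  headers: {
    "content-type": "text/plain",
    origin: "https://evil.example.com",
    cookie: "session=eyJhbGciOi...",
  },
  body: '{"name":"victim-app"}',
};
const legitimate = {
  method: "POST",
  headers: {
    "content-type": "application/json; charset=utf-8",
    origin: API_ORIGIN,
    cookie: "session=eyJhbGciOi...",
  },
  body: '{"name":"victim-app"}',
};

console.log(csrfCheck(forged));     // reason string: refused
console.log(csrfCheck(legitimate)); // null: allowed
```

A form cannot set application/json, and a script that does so triggers a CORS preflight the API can refuse, so the content-type requirement alone removes the form vector; the Origin comparison is defence in depth for clients that do send one. The cookie line in the forged request is the whole point: the browser attaches it, so a cookie by itself is never proof of the user's intent.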
GitHub: Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in ghe-update-check
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting up an HTTP proxy. This vulnerability affected all versions of GitHub Enterprise Server prior t...
HackerOne: Program admins could add verified domains to an organization
Program admins could add verified domains to an organization in HackerOne despite lacking organization admin permissions. This allowed program admins to access restricted features and escalate privileges...
GitHub: Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in actions-console
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the actions-console docker container while setting a service URL. The vulnerability affected all versio...
MTN Group: Insecure direct Object Reference(Horizontal Escalation)
The vulnerability was an insecure direct object reference (IDOR) enabling horizontal privilege escalation. Specifically, the user's dashboard was accessed without authentication, and the text content was modified through client-side inspection and manipulation...
HackerOne: Being able to disclose IBB bounty table of any public program
A private Internet Bug Bounty (IBB) bounty table was disclosed. The IBB bounty table contained information about the reward amounts for critical, high, medium, and low vulnerabilities in open-source projects...
MTN Group: DOM Based Reflected Cross Site Scripting
The outdated version of Swagger used by the notification-server-v2.sz-my.mtn.com asset was found to be vulnerable to a DOM-based reflected cross-site scripting vulnerability. The vulnerability was triggered by crafting a malicious URL that resulted in the execution of arbitrary scripts in the...
MTN Group: Broken Access Control(Horizontal Privilege Escalation).
The vulnerability allowed unauthorized users to gain access to sensitive information by modifying the phone number parameter in the URL. This led to a breach of access controls and potential security risks...