Hackerone Recent

15267 matches found

Hacker One
added 2024/01/15 2:48 p.m., 53 views

Node.js: "Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash

A vulnerability was discovered in the Node.js HTTP/2 stack (http2 package). An attacker could send a small number of TCP packets carrying HTTP/2 frames, causing the Node.js server to crash due to an assertion failure in the Http2Session destructor. The issue occurred when headers with HTTP/2 CONTINUATI...

8.2 CVSS, 6.3 AI score, 0.75933 EPSS
Exploits: 1
Hacker One
added 2024/01/14 7:44 p.m., 6 views

Drugs.com: Email OTP/2FA Bypass

The application had a 2FA functionality by email OTP. The vulnerability allowed bypassing the 2FA by deleting the "bbrefresh" cookie during the authentication process. This enabled successful login without the required 2FA...

7.2 AI score
Exploits: 0
Hacker One
added 2024/01/13 11:44 p.m., 3 views

Monero: Transactions in invalid blocks are kept in tx-pool without undergoing certain checks.

The transactions in invalid blocks were kept in the tx-pool without undergoing certain checks. When adding blocks to the blockchain, monerod first added the transactions to the tx pool with relaymethod::block, which allowed the tx-pool to skip certain checks like fee and extra field size. However...

7 AI score
Exploits: 0
Hacker One
added 2024/01/12 3:51 p.m., 5 views

Mars: CSRF resulting in adding pet at ███████

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the application, allowing an attacker to forge requests to add pets to the victim's account, provided the attacker knew the victim's account ID...

7.2 AI score
Exploits: 0
Hacker One
added 2024/01/11 8:35 p.m., 20 views

U.S. Dept Of Defense: Full Access to sonarQube and Docker

The vulnerability involved the exposure of sensitive credentials and IP addresses in a JavaScript file. The researcher gained access to the organization's Hub Docker account and Sonar projects, allowing them to identify and assess the issue. The vulnerability was caused by a JavaScript file withi...

6.9 AI score
Exploits: 0
Hacker One
added 2024/01/11 2:48 p.m., 46 views

U.S. Dept Of Defense: Time based SQL injection at████████

A time based SQL injection vulnerability was found in the /pubs/index.php endpoint on ██████. The 'years' and 'authors' parameters were vulnerable, allowing time delays to be introduced in database queries. This could have led to sensitive data exfiltration from the database. The issue could be...

7.9 AI score
Exploits: 0
Hacker One
added 2024/01/11 2:21 p.m., 40 views

Enjin: Weak Email Verification: Newly Registered Users Can Bypass Email Verification Step and Log In

Newly registered users were able to bypass email verification and log in. This vulnerability has since been addressed...

7.1 AI score
Exploits: 0
Hacker One
added 2024/01/11 12:18 p.m., 35 views

Enjin: Revocation API Token by Bypassing The XSRF Token

API token revocation was performed while bypassing the XSRF token. This demonstrated that the Enjin Platform's GraphQL interface lacked appropriate CSRF protection when a session token was used...

7.1 AI score
Exploits: 0
Hacker One
added 2024/01/11 6:21 a.m., 75 views

HackerOne: View Titles of Private Reports with pending email invitation

A vulnerability was discovered where anonymous users could view the titles of private reports with pending email invitations for collaboration. This was possible by sending a GraphQL request or running JavaScript code while logged out. It only worked for anonymous users when the collaboration...

7 AI score
Exploits: 0
Hacker One
added 2024/01/10 2:55 p.m., 4 views

Nextcloud: Directory Listing of publicly available assets

The directory listing was configured to publicly display the files in the directory. This configuration is not recommended, as it may expose sensitive or confidential information...

6.8 AI score
Exploits: 0
Hacker One
added 2024/01/10 7:10 a.m., 24 views

HackerOne: New Hacktivity features:Bounty rewards leakage Where programs doesn’t decide to disclose bounty in limited disclosure report

The report describes a vulnerability where users could access hidden bounty information on the HackerOne Hacktivity page. Specifically, by using a filter to search for reports with a specific total awarded amount, the actual bounty amount was revealed, even if the program chose to limit the...

6.5 AI score
Exploits: 0
Hacker One
added 2024/01/09 3:51 p.m., 9 views

MTN Group: CVE-2023-41763 Business Elevation of Privilege vulnerability on [.mtn.com]

The Microsoft Skype for Business installation on the remote host was missing security updates. The flaw was actively exploited. Attackers could access some sensitive information but not alter or restrict access to it. The impact related primarily to confidentiality. Multiple vulnerabilities were...

7.2 CVSS, 7.7 AI score, 0.16495 EPSS
Exploits: 0
Hacker One
added 2024/01/09 6:49 a.m., 25 views

Mars: Sensitive Information Exposed at █████

Sensitive information was exposed in a JavaScript file, revealing configuration details, credentials, and file paths related to the deployment of a JavaScript application. This could enable unauthorized access to sensitive data...

6.6 AI score
Exploits: 0
Hacker One
added 2024/01/08 11:06 p.m., 11 views

IBM: XSS in Aspera documentation website

The XSS vulnerability in the Aspera documentation website was reported to IBM, analyzed, and subsequently remediated. The external researcher who discovered the flaw was acknowledged for their contribution...

6.1 AI score
Exploits: 0
Hacker One
added 2024/01/08 5:33 p.m., 40 views

Mars: Datadog api keys exposed can be used to do all the read and write access to the instance

A vulnerability was identified where Datadog API keys were exposed in a JavaScript file, which could have enabled unauthorized access to Datadog services. The issue was responsibly disclosed along with a proof-of-concept demonstration...

7 AI score
Exploits: 0
Hacker One
added 2024/01/08 5:10 p.m., 3 views

Mars: RXSS in ███ via S parameter

A Reflected Cross-Site Scripting (RXSS) vulnerability was identified in the search functionality of the application. The vulnerability was triggered when a user manipulated the search parameter 's'. User input was not properly sanitized before being reflected back to users...

6.4 AI score
Exploits: 0
Hacker One
added 2024/01/08 2:54 p.m., 13 views

Ruby on Rails: DoS with crafted "Range" header

The vulnerability was discovered in the Active Storage component of Ruby on Rails. It allowed an attacker to craft a "Range" header that could lead to a Denial of Service (DoS) attack. The attack was possible due to the lack of validation on overlapping ranges in the...

6.9 AI score
Exploits: 0
Hacker One
added 2024/01/08 9:26 a.m., 18 views

Nextcloud: Code injection in Nextcloud Desktop Client for macOS

The Nextcloud Desktop Client for macOS was found to be vulnerable to code injection. The vulnerability allowed untrusted input to be executed as code, potentially leading to a security breach...

7.8 CVSS, 5.7 AI score, 0.00126 EPSS
Exploits: 0
Hacker One
added 2024/01/08 2:35 a.m., 11 views

Node.js: Path traversal by drive name in Windows environment

A vulnerability has been identified in the handling of drive names in the Windows environment of Node.js. Certain Node.js functions do not treat drive names as special on Windows, resulting in a path that refers to the root directory instead of a relative path as assumed. This vulnerability affec...

5.6 CVSS, 6.7 AI score, 0.01289 EPSS
Exploits: 1
Hacker One
added 2024/01/07 12:16 a.m., 6 views

TikTok: Stored-XSS-ads.tiktok.com

A stored cross-site scripting (XSS) vulnerability was found on a TikTok Ads endpoint, allowing MP4 video files or files containing HTML or JS code to be executed in a user's browser...

5.5 AI score
Exploits: 0
Hacker One
added 2024/01/06 6:13 a.m., 3 views

Nextcloud: Email not verified when changing afterwards on apps.nextcloud.com

The email verification bypass vulnerability was discovered in the web application apps.nextcloud.com. The vulnerability allowed attackers to create accounts with any email address without verification, effectively taking over victim accounts...

6.9 AI score
Exploits: 0
Hacker One
added 2024/01/04 6:51 a.m., 5 views

Ruby on Rails: XSS when using `translate` in Action Controller (Rails 7.0, 7.1)

The vulnerability allows cross-site scripting (XSS) when using the translate method in Action Controller in Rails versions 7.0 and 7.1. It was caused by the implementation of translate in Action Controller, which did not properly escape the values passed to it. The vulnerability was...

6.1 CVSS, 5.5 AI score, 0.01184 EPSS
Exploits: 0
Hacker One
added 2024/01/03 8:30 a.m., 16 views

Teleport: A member with “editor” permissions can create an access list that cannot be modified, viewed, or deleted

Summary: A member who has "editor" permissions can add an access list that cannot be modified, viewed, or deleted, and can also add a rule that cannot be modified or deleted. Using these two bugs, a suspicious member with "editor" permissions can create an access list, put the members and rules he...

6.8 AI score
Exploits: 0
Hacker One
added 2024/01/02 7:22 a.m., 118 views

HackerOne: Server Side Request Forgery (SSRF) in webhook functionality

A Server Side Request Forgery (SSRF) vulnerability was found in the webhook functionality. An attacker was able to bypass the anti-SSRF protections by using an IPv4-mapped IPv6 address. This allowed unauthorized access to the internal AWS EC2 instance metadata...

7.1 AI score
Exploits: 0
Hacker One
added 2023/12/31 1:31 p.m., 77 views

inDrive: SSRF in https://couriers.indrive.com/api/file-storage

A server side request forgery vulnerability was present in the url parameter of the https://couriers.indrive.com/api/file-storage endpoint, allowing arbitrary external websites to be requested and their content returned in responses...

7.2 AI score
Exploits: 0
Hacker One
added 2023/12/30 10:58 a.m., 62 views

Internet Bug Bounty: Request Smuggling in Apache Tomcat (Important, CVE-2023-45648)

A vulnerability in Apache Tomcat versions 11.0.0-M1 to 11.0.0-M11, 10.1.0-M1 to 10.1.13, 9.0.0-M1 to 9.0.80, and 8.5.0 to 8.5.93 allowed HTTP request smuggling due to improper parsing of trailer headers. This could be exploited by a remote attacker to bypass security controls when Tomcat was...

5.3 CVSS, 6.3 AI score, 0.62079 EPSS
Exploits: 2
Hacker One
added 2023/12/30 4:58 a.m., 22 views

LinkedIn: Employee-only Area Bypass

An improper access control issue allowed unauthorized access to an employee-only area, leading to information disclosure...

6.6 AI score
Exploits: 0
Hacker One
added 2023/12/30 2:02 a.m., 22 views

TikTok: HTML Injection on TikTok Ads

An HTML injection vulnerability was found in a TikTok Ads endpoint. The vulnerability could have allowed arbitrary HTML or phishing content to be injected. The issue was responsibly disclosed...

7.1 AI score
Exploits: 0
Hacker One
added 2023/12/29 11:33 a.m., 54 views

Nextcloud: xmlrpc.php &wp-cron.php files are enabled, and will used for (DDOS),(DOS) and broutforce users attack.

The xmlrpc.php and wp-cron.php files were found to be enabled on the target website, which could allow attackers to perform denial of service attacks. Username enumeration via the RSS generator identified several valid usernames. The xmlrpc.php file could be used to cause a DDOS attack by sending...

7.1 AI score
Exploits: 0
Hacker One
added 2023/12/29 2:22 a.m., 62 views

curl: CVE-2024-0853: OCSP verification bypass with TLS session reuse

A vulnerability was identified in cURL version 8.5.0 that allowed revoked certificates to be accepted when reusing a TLS session. The issue was caused by a correction that inadvertently skipped OCSP stapling verification during TLS session reuse. This allowed revoked certificates to be accepted i...

5.3 CVSS, 4.7 AI score, 0.00187 EPSS
Exploits: 1
Hacker One
added 2023/12/28 6:55 a.m., 58 views

curl: Buffer Overflow Vulnerability in WebSocket Handling

Vulnerability description not provided...

7.1 AI score
Exploits: 0
Hacker One
added 2023/12/27 1:42 a.m., 18 views

U.S. Dept Of Defense: Resource Injection - [████████]

The Swagger UI prior to version 4.1.3 was vulnerable to spoofing attacks. By crafting a URL with a malicious payload, an attacker could have displayed remote OpenAPI definitions on the affected host...

7 AI score
Exploits: 0
Hacker One
added 2023/12/23 8:53 p.m., 8 views

TikTok: Exploitable live argument in onClick Function leads to Data Leakage of Inactive/Suspended Products

The "Search Product" function in the TikTok Shop Seller API contained a vulnerability that allowed access to inactive or suspended products by manipulating the "live" parameter in the API request. The vulnerability was reported to the team and remediated...

7 AI score
Exploits: 0
Hacker One
added 2023/12/22 11:49 a.m., 71 views

Teleport: Improper session management - Failure to invalidate old session after password change

Failure to Invalidate Session on Password Change: failure to invalidate a session after a password change is a vulnerability that allows an attacker to maintain access to a service. Most users expect that when they reset their password, no one else can access their account. When...

7.3 AI score
Exploits: 0
Hacker One
added 2023/12/22 3:08 a.m., 32 views

U.S. Dept Of Defense: ███ leaking PII of tour visitors (names, email addresses, phone numbers) via misconfigured record permissions

The ████████ portal was found to be leaking sensitive personal information, including full names, email addresses, and phone numbers of its users. The issue was caused by a misconfiguration that allowed registered users to access records of other users, potentially exposing the data of hundreds o...

6.8 AI score
Exploits: 0
Hacker One
added 2023/12/21 8:39 p.m., 33 views

Internet Bug Bounty: CVE-2023-49920: Apache Airflow: Missing CSRF protection on DAG/trigger

A vulnerability in Apache Airflow versions 2.7.0 through 2.7.3 allowed triggering of DAGs without CSRF validation, enabling malicious websites to trigger DAG execution without consent in browsers where a user was logged into Airflow. Users were advised to upgrade to 2.8.0 or later...

6.5 CVSS, 6.3 AI score, 0.00239 EPSS
Exploits: 0
Hacker One
added 2023/12/20 10:05 p.m., 48 views

Internet Bug Bounty: Command Injection using malicious hostname in expanded proxycommand

A vulnerability in the handling of ProxyCommand and ProxyJump hostname parameters in libssh versions 0.10.x, 0.9.x and 0.8.x was reported. The issue enables malicious code injection through unchecked hostname syntax. User interaction is required for exploitation...

4.8 CVSS, 6.2 AI score, 0.00051 EPSS
Exploits: 0
Hacker One
added 2023/12/20 8:07 p.m., 79 views

EXNESS: GraphQL attribute Batching DOS can take down pwapi.ex2b.com

Summary: Hi team! I hope you are having a great day! pwapi.ex2b.com instances work with a GraphQL API. This GraphQL endpoint is at / and can be called by unauthenticated users. This GraphQL endpoint allows you to perform a query with the same attribute multiple times on a single request. The more...

7.2 AI score
Exploits: 0
Hacker One
added 2023/12/20 6:41 p.m., 5 views

GitLab: Account Takeover via Password Reset without user interactions

The report submitted to GitLab described a vulnerability that allowed account takeover via the password reset form. The vulnerability was triggered by modifying the JSON request to include the victim's email along with the attacker's email. This resulted in the password reset email being sent to...

6.9 AI score
Exploits: 0
Hacker One
added 2023/12/20 2:25 a.m., 20 views

IBM: Improper Authentication on Alertmanager instance

Improper authentication was configured on an alertmanager instance. The issue was reported to IBM, analyzed, and remediated...

7.3 AI score
Exploits: 0
Hacker One
added 2023/12/19 6:03 p.m., 14 views

LinkedIn: An attacker can submit arbitrary projects to their service accounts and obtain full information on projects of other users.

An information disclosure vulnerability was discovered in the Request Services feature that allowed attackers to obtain project details of other users. The issue was resolved and a bounty was paid to the researcher who reported it...

6.5 AI score
Exploits: 0
Hacker One
added 2023/12/18 4:31 p.m., 23 views

Nextcloud: Re-emergence of Security Vulnerability in Nextcloud Version 28 Previously Fixed in 25.0.4

A security vulnerability in Nextcloud version 28 was discovered, which had been previously fixed in version 25.0.4...

5.4 CVSS, 4.9 AI score, 0.00155 EPSS
Exploits: 0
Hacker One
added 2023/12/18 11:24 a.m., 17 views

MercadoLibre: Account Takeover / Arbitrary File read and deletion / Partial code execution (intent redirection)

The vulnerability allowed for account takeover, arbitrary file read and deletion, and partial code execution through intent redirection. MercadoLibre acknowledged the issue and worked on a fix internally...

7.5 AI score
Exploits: 0
Hacker One
added 2023/12/17 4:34 p.m., 19 views

Nextcloud: Can reshare read&share only folder with more permissions

The vulnerability allowed a user with read-only access to a folder to reshare that folder with additional permissions, such as read and write access. This could potentially allow the user to gain more permissions than they were originally granted...

8.1 CVSS, 7.9 AI score, 0.00319 EPSS
Exploits: 0
Hacker One
added 2023/12/17 1:28 p.m., 16 views

Nextcloud: see card comments after remove shared board

The vulnerability allowed unauthorized access to card comments after a shared board was removed...

4.3 CVSS, 4.4 AI score, 0.00144 EPSS
Exploits: 0
Hacker One
added 2023/12/15 9:46 a.m., 29 views

Mozilla: Subdomain takeover on one of the subdomain under mozaws.net

A subdomain takeover vulnerability was discovered on a subdomain under mozaws.net due to a dangling DNS record. The researchers were able to host content on the affected subdomain...

7 AI score
Exploits: 0
Hacker One
added 2023/12/14 10:29 p.m., 27 views

Mozilla: Subdomain takeover on one of the subdomain under mozaws.net

A subdomain takeover vulnerability was discovered on a mozaws.net subdomain due to a dangling DNS record. The researchers were able to host content under the affected subdomain...

7 AI score
Exploits: 0
Hacker One
added 2023/12/14 7:14 p.m., 22 views

Liberapay: Avatar URL is exposed in patron export for secret donations

The avatar URL was exposed in the patron export for secret donations, which could potentially identify donors who wished to remain anonymous...

7 AI score
Exploits: 0
Hacker One
added 2023/12/14 6:47 p.m., 23 views

TikTok: Authentication Bypass on TikTok Seller Signup Process Allows Account Creation Without Phone Verification

The authentication bypass vulnerability on the TikTok Seller signup process allowed account creation without phone verification...

7.4 AI score
Exploits: 0
Hacker One
added 2023/12/14 8:58 a.m., 20 views

Mozilla: Subdomain takeover on one of the subdomain under mozaws.net

A subdomain takeover vulnerability was discovered on a mozaws.net subdomain due to a dangling DNS record. The researchers were able to host content under the affected subdomain...

7 AI score
Exploits: 0
Total number of security vulnerabilities: 15267