
15267 matches found

Hacker One
added 2023/10/17 12:08 a.m., 66 views

Nextcloud: Delete external storage of any user

An external storage vulnerability was discovered that allowed standard users to delete external storage resources from any user account in the application. By modifying a system-generated ID, unauthorized users could remove externally linked storage without special privileges, potentially resulti...

CVSS 8.5, AI score 7.3, EPSS 0.00582
Exploits: 1
Hacker One
added 2023/10/16 9:06 p.m., 32 views

Glassdoor: Unauthorized Access to Deleted Interviews on Glassdoor Platform

Unauthorized access to deleted interviews on a career platform was possible through an RSS endpoint that has since been deprecated...

AI score 7
Exploits: 0
Hacker One
added 2023/10/16 6:28 p.m., 93 views

curl: CVE-2023-46218: cookie mixed case PSL bypass

A vulnerability in libcurl was discovered that allows bypassing cookie domain restrictions through improper hostname normalization. This enables a malicious site to set supercookies readable by other sites under the same top level domain. The issue was caused by libcurl failing to convert the...

CVSS 6.5, AI score 6.2, EPSS 0.00219
Exploits: 1
Hacker One
added 2023/10/16 3:13 p.m., 34 views

Nextcloud: Self XSS when pasting HTML into Text app with Ctrl+Shift+V

A vulnerability was found where pasting HTML into the Text app using Ctrl+Shift+V would insert the HTML into the page, allowing for a potential XSS attack...

CVSS 5.4, AI score 5.4, EPSS 0.00386
Exploits: 0
Hacker One
added 2023/10/16 5:06 a.m., 17 views

GitHub: View Repo and Title of Any Private Check Run

Improper access control in GitHub Enterprise Server allowed unauthorized users to view private repository names via an API endpoint...

CVSS 5.3, AI score 5.1, EPSS 0.00373
Exploits: 0
Hacker One
added 2023/10/15 9:41 p.m., 43 views

Nextcloud: HTML injection in search UI when selecting a circle with HTML in the display name

An HTML injection vulnerability was discovered in the search user interface of a cloud application. When selecting a circle with HTML in the display name, this could allow redirection to malicious websites or other adverse impacts such as data theft, phishing, or malware distribution...

CVSS 5.4, AI score 4.9, EPSS 0.00386
Exploits: 1
Hacker One
added 2023/10/15 12:44 p.m., 2 views

Bykea: Exposed trip_no in WebSocket Responses Leading to Excessive information Disclosure

The vulnerability in Bykea's WebSocket implementation was that the trip_no identifier was exposed to drivers before a bid was accepted. This identifier could be used to access customer tracking URLs, revealing excessive information of the customers to unauthorized drivers. The issue was resolved b...

AI score 6.6
Exploits: 0
Hacker One
added 2023/10/15 9:40 a.m., 35 views

Internet Bug Bounty: Secrets can be unmasked in the "Rendered Template"

CVE-2023-40712: Apache Airflow versions before 2.7.1 allowed authenticated users to unmask secrets in the Rendered Template page by manipulating the execution_date parameter. Users should upgrade to version 2.7.1 or later...

CVSS 6.5, AI score 6.3, EPSS 0.00136
Exploits: 0
Hacker One
added 2023/10/15 5:35 a.m., 6 views

Mozilla: Subdomain takeover on one of the subdomain under mozaws.net

A dangling DNS record enabled subdomain takeover on a mozaws.net subdomain. Researchers exploited this to host content on the affected subdomain...

AI score 7
Exploits: 0
Hacker One
added 2023/10/14 9:28 p.m., 26 views

GitHub: [PATs] Token with Read-Only permissions on Issues able to modify issue comments using content write permission

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token...

CVSS 4.9, AI score 5, EPSS 0.00138
Exploits: 0
Hacker One
added 2023/10/14 9:22 p.m., 13 views

TikTok: Using Branded Hashtag Feature User Partnered with Account Manager Can View Videos Uploaded By A Private TikTok Account If 'item_id' Is Known

The branded hashtag feature on TikTok allowed users partnered with an account manager to view videos uploaded by private accounts if the video ID was known. This vulnerability has been remediated...

AI score 6.9
Exploits: 0
Hacker One
added 2023/10/14 12:47 p.m., 15 views

Mozilla: SQL Injection on prod.oidc-proxy.prod.webservices.mozgcp.net via invite_code parameter - Mozilla social inscription

A SQL injection vulnerability was found in the invite_code parameter on prod.oidc-proxy.prod.webservices.mozgcp.net during Mozilla social inscription. Adding quotes to the parameter revealed the issue. A time-based blind payload confirmed the vulnerability, allowing arbitrary SQL queries. This cou...

AI score 8
Exploits: 0
Hacker One
added 2023/10/14 12:08 a.m., 51 views

Internet Bug Bounty: Integrity checks according to policies can be circumvented in Node.js 20 and Node.js 18

Integrity checks according to Node.js policies can be circumvented, allowing untrusted code to execute with elevated permissions. This affects Node.js 18.x and 20.x when using the experimental policy feature. The vulnerability was reported by Tobias Nießen, who also provided a patch that has been...

CVSS 7.5, AI score 7.8, EPSS 0.00397
Exploits: 0
Hacker One
added 2023/10/13 4:50 p.m., 74 views

Internet Bug Bounty: CVE-2023-42663: Apache Airflow: Bypass permission verification to view task instances of other dags

In Apache Airflow versions before 2.7.2, a vulnerability existed that allowed authorized users with access to read specific DAGs to view task instance information from other DAGs by bypassing permission verification. Upgrading to Apache Airflow version 2.7.2 or newer addressed this issue...

CVSS 6.5, AI score 6, EPSS 0.00401
Exploits: 0
Hacker One
added 2023/10/13 4:40 p.m., 44 views

Internet Bug Bounty: CVE-2023-42780: Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature

A vulnerability in Apache Airflow versions prior to 2.7.2 allowed authenticated users to list warnings for all DAGs, revealing dag_ids and stack traces even for DAGs the user did not have permission to access. Users should upgrade to Airflow 2.7.2 or newer...

CVSS 6.5, AI score 6.1, EPSS 0.0013
Exploits: 0
Hacker One
added 2023/10/12 11:14 p.m., 17 views

Shopify: IDOR on GraphQL queries BillingDocumentDownload and BillDetails

A vulnerability allowed unauthorized access to billing invoice information for other merchants...

AI score 6.8
Exploits: 0
Hacker One
added 2023/10/12 8:33 a.m., 44 views

HackerOne: Organization members can delete reports in teams they have no access to

Reports in teams could be deleted by organization members without access to those teams. The vulnerability allowed deletion of analytics reports for restricted teams through a GraphQL mutation even when members lacked permissions to view or edit those reports...

AI score 6.9
Exploits: 0
Hacker One
added 2023/10/11 7:18 p.m., 50 views

Mars: Test 4 █████

This is a test team summary with limited disclosure...

AI score 6.8
Exploits: 0
Hacker One
added 2023/10/11 12:54 p.m., 9 views

MTN Group: Information disclosure via enabled Django Debug Mode

The Django Debug Mode was enabled, which resulted in the disclosure of error messages, API endpoints, and the ability to register arbitrary user accounts and enumerate email addresses of registered users...

AI score 7
Exploits: 0
Hacker One
added 2023/10/10 5:59 p.m., 7 views

Mars: CVE-█████-35813 in █████

A critical remote code execution vulnerability CVE-█████-35813 affecting multiple Sitecore products through version 10.3 was discovered. The vulnerability was exploited through the sitecore_xaml.ashx endpoint using ASP.NET TemplateParser injection, allowing attackers to execute arbitrary code. The...

CVSS 9.8, AI score 7, EPSS 0.9358
Exploits: 7
Hacker One
added 2023/10/10 3:18 p.m., 102 views

Node.js: Path traversal through path stored in Uint8Array

A vulnerability was discovered in Node.js that allowed path traversal through Uint8Array objects. This vulnerability affected users using the experimental permission model in Node.js 20...

CVSS 9.8, AI score 8.5, EPSS 0.00521
Exploits: 0
Hacker One
added 2023/10/10 4:25 a.m., 225 views

curl: [Critical] Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet

Vulnerability description not provided...

CVSS 9.8, AI score 9.3, EPSS 0.26747
Exploits: 6
Hacker One
added 2023/10/08 12:51 p.m., 20 views

GitHub: Invite tokens have Insufficient entropy in GHES Management Console

An insufficient entropy vulnerability in GitHub Enterprise Server invitation tokens allowed brute force attacks against pending user invitations to the management console. This affected all versions since 3.8 and was fixed in 3.8.12, 3.9.7, 3.10.4, and 3.11.1...

CVSS 8.3, AI score 7.6, EPSS 0.01027
Exploits: 0
Hacker One
added 2023/10/08 12:45 p.m., 22 views

GitHub: GHES Management console EoP (editor to site admin)

Improper privilege management in GitHub Enterprise Server allowed editor role users to escalate privileges by making requests to the bootstrapping endpoint...

CVSS 8.8, AI score 8.9, EPSS 0.005
Exploits: 0
Hacker One
added 2023/10/07 2:53 p.m., 8 views

Mozilla: Account deletion using the /v1/account/destroy API endpoint using account password without 2FA verification

The account deletion endpoint at POST /v1/account/destroy did not check for 2FA and did not require an authorization header. Therefore, an unauthenticated attacker who knew the password of a user could delete their account without the need for 2FA...

AI score 7.4
Exploits: 0
Hacker One
added 2023/10/05 5:49 p.m., 29 views

U.S. Dept Of Defense: Full account takeover of any user through reset password

A vulnerability was reported that allowed full account takeover on a website. By requesting a password reset, the temporary password was disclosed in the request, allowing unauthorized access to any user account. Remediation was suggested to prevent disclosure of temporary passwords...

AI score 7
Exploits: 0
Hacker One
added 2023/10/05 6:29 a.m., 40 views

Mozilla: Subdomain takeover on one of the subdomain under mozaws.net

Vulnerability description not provided...

AI score 7.1
Exploits: 0
Hacker One
added 2023/10/04 9:07 p.m., 15 views

Mozilla: Mozilla Employee's Token for sql.telemetry.mozilla.org Exposed in Git Commit

A Mozilla employee's API token was exposed in a GitHub repository, granting access to confidential data. The token was rotated and removed from the service...

AI score 7
Exploits: 0
Hacker One
added 2023/10/04 2:54 p.m., 8 views

KHealth: Information disclouser from URL parameter "access" lead to Account Takeover

The vulnerability allowed an attacker to retrieve sensitive JWT tokens from URL parameters, leading to potential account takeover. The JWT tokens were found using web crawling tools and could be used to authenticate as other users...

AI score 7
Exploits: 0
Hacker One
added 2023/10/04 9:15 a.m., 17 views

IBM: Unauthenticated Remote Access to Testing Endpoint

Unauthenticated remote access to a testing endpoint was reported, analyzed and remediated...

AI score 7.2
Exploits: 0
Hacker One
added 2023/10/03 12:31 p.m., 18 views

GitHub: Bypassing Collaborator Restrictions: Retaining Admin Access Post-Repository Transfer

A race condition was discovered in GitHub Enterprise Server that allowed an outside collaborator to be added while a repository was being transferred. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was addressed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1...

CVSS 5.8, AI score 4.6, EPSS 0.00095
Exploits: 0
Hacker One
added 2023/10/03 12:06 p.m., 39 views

U.S. Dept Of Defense: User automatically logged in as Sys Admin user on https://███/Administration/Administration.aspx

A vulnerability was discovered where any user could be automatically logged in as a system administrator on a web application. This allowed unrestricted access and privileges could be abused to modify user privileges, add or delete users, and upload files, jeopardizing the integrity of the...

AI score 7.2
Exploits: 0
Hacker One
added 2023/10/03 4:55 a.m., 38 views

Mozilla: Subdomain takeover on one of the subdomain under mozgcp.net

A subdomain takeover was reported on a subdomain under mozgcp.net due to a dangling DNS record that had been registered by researchers, allowing them to host content under the subdomain...

AI score 7
Exploits: 0
Hacker One
added 2023/10/02 6:52 p.m., 11 views

Tennessee Valley Authority: File listing through scripts folder

Files were publicly accessible through a SharePoint site, allowing attackers to potentially enumerate sensitive information...

AI score 7
Exploits: 0
Hacker One
added 2023/10/02 6:19 p.m., 11 views

Mars: No CSRF protection when adding an item to cart

The report details a vulnerability due to lack of CSRF protection when adding items to a shopping cart. This allows attackers to force users to unknowingly add items to their cart...

AI score 7
Exploits: 0
Hacker One
added 2023/10/02 4:28 p.m., 52 views

TikTok: CRLF injection leads to internal XSS on PangleGlobal

A cross-site scripting vulnerability was discovered due to carriage return line feed injection on the filename parameter of a PangleGlobal endpoint. This could have allowed JavaScript code execution in a user's browser through reflected cross-site scripting. The vulnerability has since been...

AI score 6.8
Exploits: 0
Hacker One
added 2023/10/02 3:40 p.m., 3 views

Mars: RXSS on stores on *█████████/visitorRegistration.pml via destination parameter

The vulnerability involved a reflected XSS in the destination parameter of the visitorRegistration.pml endpoint across all stores under ██████████. A working proof of concept was provided demonstrating JavaScript execution via URL parameter injection...

AI score 6.5
Exploits: 0
Hacker One
added 2023/10/01 8:01 p.m., 26 views

U.S. Dept Of Defense: Subdomain Takeover via Host Header Injection on www.█████

The vulnerability was a subdomain takeover due to a CNAME record pointing to an unclaimed domain. This allowed malicious individuals to potentially take control of the affected subdomain and use it for malicious purposes...

AI score 7.2
Exploits: 0
Hacker One
added 2023/10/01 12:00 p.m., 15 views

Zendesk: Privilege escalation - Support-Contributor to Support and Product Admin via `/api/v2/██████` . No ADMIN PRIVILEGE required.

The vulnerability allowed a support contributor with the lowest privilege to escalate their role to a full support and product administrator without requiring any administrative privileges. The vulnerable endpoint /api/███ did not properly validate the user's privilege level, enabling the privile...

AI score 7.2
Exploits: 0
Hacker One
added 2023/09/30 7:26 p.m., 74 views

Internet Bug Bounty: Permissions policies can be bypassed via Module._load and require.extensions (High) (CVE-2023-30587)

A vulnerability in the experimental permissions policy mechanism in Node.js was reported. The use of Module._load could bypass the policy and require unauthorized modules. This affected all active release lines. The vulnerability was reported by a researcher and fixed by the Node.js security team...

CVSS 9.8, AI score 8.7, EPSS 0.00054
Exploits: 0
Hacker One
added 2023/09/30 8:26 a.m., 111 views

curl: CVE-2023-38545: socks5 heap buffer overflow

Vulnerability description not provided...

CVSS 9.8, AI score 9.3, EPSS 0.26747
Exploits: 6
Hacker One
added 2023/09/28 10:38 a.m., 21 views

GitHub: Persistent Unauthorized Administrative Access on All Organization Repositories via RC in User Conversion to Organization

A race condition was identified that could allow unauthorized administrative access when converting a user to an organization. This affected GitHub Enterprise Server versions since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1...

CVSS 7, AI score 6.7, EPSS 0.00147
Exploits: 0
Hacker One
added 2023/09/28 3:52 a.m., 22 views

GitHub: [PATs] Ability to leak comments from issues without ANY "Issues" repo permissions by utilizing "Pull Request" permissions

An incorrect authorization vulnerability in GitHub Enterprise Server allowed issue comments to be read without proper permissions through improperly scoped tokens...

CVSS 4.3, AI score 4.5, EPSS 0.0017
Exploits: 0
Hacker One
added 2023/09/28 12:06 a.m., 20 views

Rockstar Games: Exposed CDN access token allows modification of all newly uploaded Snapmatic photos

A CDN access token was exposed that allowed modification of newly uploaded Snapmatic photos in GTA5. This provided a brief window to alter content after uploading. The issue was fixed by removing the exposed CDN fields...

AI score 6.9
Exploits: 0
Hacker One
added 2023/09/26 4:09 p.m., 10 views

MTN Group: Remote code execution [CVE-2023-36845]

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series was discovered. The vulnerability allowed an unauthenticated, network-based attacker to control certain, important environment variables...

CVSS 9.8, AI score 6.9, EPSS 0.94355
Exploits: 25
Hacker One
added 2023/09/25 7:08 p.m., 32 views

HackerOne: Google Docs link in JS files allows editing & reading survey information

A Google Docs link was discovered in JavaScript files on a website allowing editing and reading of survey information. The link provided access to edit a survey and view some users' emails and responses...

AI score 6.9
Exploits: 0
Hacker One
added 2023/09/25 5:08 p.m., 96 views

U.S. Dept Of Defense: Information Disclosure FrontPage Configuration Information

An information disclosure vulnerability was discovered in the Microsoft FrontPage configuration of a subdomain. This vulnerability allowed an attacker to view the version number and scripting paths of Sharepoint using Firefox...

AI score 6.2
Exploits: 0
Hacker One
added 2023/09/24 2:11 p.m., 10 views

U.S. Dept Of Defense: Unauthenticated Jenkins instance exposed information related to █████

Vulnerability description not provided...

AI score 7.1
Exploits: 0
Hacker One
added 2023/09/23 1:10 a.m., 14 views

TikTok: Reflected XSS On [https://www-useast1a.tiktok.com/ug/incentive/share/hd]

A reflected cross-site scripting vulnerability was found in a TikTok endpoint. User-supplied data was reflected without appropriate escaping, allowing JavaScript injection...

AI score 6.7
Exploits: 0
Hacker One
added 2023/09/22 7:22 p.m., 48 views

PlayStation: Remote vulnerabilities in spp

A vulnerability was discovered in the spp PPPoE implementation on the PS4/PS5. The vulnerability could allow a malicious PPPoE server to cause a heap buffer overwrite and overread, potentially leading to denial-of-service or remote code execution in kernel context. The vulnerability was caused by...

CVSS 10, AI score 7.2, EPSS 0.05619
Exploits: 0

Total number of security vulnerabilities: 15267