Cloudflare Public Bug Bounty: YAML schema injection risk in Swagger UI via schema_url parameter at developers.cloudflare.com
Vulnerability description not provided...
Mozilla: Subdomain takeover on one of the subdomains under mozaws.net
Vulnerability description not provided...
curl: NULL Pointer dereference in idn.c
Vulnerability description not provided...
Cloudflare Public Bug Bounty: Bypass R2 payment screen
The R2 payment screen bypass vulnerability was reported. Due to insufficient access control checks, it had been possible to enable the R2 subscription without having a valid payment method stored. Cloudflare addressed the issue by implementing stricter access controls around subscription enableme...
Node.js: setuid() does not drop all privileges due to io_uring
setuid did not drop all privileges in some versions of Node.js due to io_uring being initialized before the setuid call. This allowed privileged operations after a setuid intended to drop privileges...
phpBB: Authenticated path traversal to Stored XSS and Denial-of-Service
An authenticated path traversal vulnerability was discovered that could allow an attacker to cause a denial-of-service by reading files from restricted directories. This vulnerability also enabled an attacker to determine which files existed on the server. Additionally, a stored cross-site...
Mars: RXSS on ████ via q parameter
A reflected Cross-Site Scripting (XSS) vulnerability was identified on the ████████ website at the search endpoint. The vulnerability was present in the 'q' parameter of the search functionality, where user-supplied input was reflected back to the page without proper sanitization or encoding...
HackerOne: Ability to bulk submit reports via query named based batching
A vulnerability was discovered in the GraphQL API of the HackerOne platform. The vulnerability allowed an attacker to bulk submit reports via query-based batching, bypassing the intended limit of 500 reports. This was achieved by leveraging a Python script to generate a large number of reports in...
Trellix: default credentials at https://52.42.105.71/
Default credentials were used to gain unauthorized access to a server at the reported IP address. The website was misconfigured, allowing login with default admin account credentials. The password should be changed or account disabled to remediate...
Frontegg: PATCH method manipulation allowing the users to escalate their functionalities and edit (upgrade/downgrade) API Keys settings which is not allowed
The PATCH method allowed users to edit API key information, including the description, role IDs, and other settings, which was not intended functionality. This represented a broken access control vulnerability that enabled users to escalate their privileges and manipulate API keys beyond their...
curl: CVE-2023-38546: cookie injection with none file
Vulnerability description not provided...
Mozilla: Security bug https://bugzilla.mozilla.org/oauth/authorize - CRLF Header injection via "redirect_uri" parameter
A cross-site scripting vulnerability was found in the "redirect_uri" parameter of the OAuth authorization endpoint at https://bugzilla.mozilla.org/oauth/authorize that allowed arbitrary HTTP response headers to be injected through carriage return and line feed encoding in the parameter value,...
Internet Bug Bounty: [curl] CVE-2023-38039: HTTP header allocation DOS
CVE-2023-38039 is a security vulnerability in the curl library that allowed a malicious server to send an unlimited number of headers in an HTTP response, causing curl to exhaust heap memory and potentially leading to a denial-of-service condition...
Node.js: fs.lstat bypasses permission model
A vulnerability has been identified in Node.js affecting users of the experimental permission model. The flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors could retrieve stats from files they do not have...
Mars: **"CSRF Vulnerability in ███████ Website Allows Attackers to Change User Profile Picture at ███████"**
The identified vulnerability is a CSRF vulnerability that allowed an attacker to change the user's profile picture on the ███████ website. The vulnerability was successfully reproduced by creating an account, navigating to the profile picture upload section, and utilizing the provided exploit cod...
Internet Bug Bounty: CVE-2023-40611: Apache Airflow Dag Runs Broken Access Control Vulnerability
A vulnerability was found that allowed unauthorized modification of details in Apache Airflow dag runs. Users with dag view authorization could alter configuration parameters and start dates in some dag run details by modifying values when submitting notes. This issue was addressed in Apache...
U.S. Dept Of Defense: authentication bypass
An authentication bypass vulnerability was discovered in the login page of a web portal, allowing unauthorized access without providing valid credentials...
Mozilla: Subdomain takeover on one of the subdomains under mozgcp.net
A subdomain takeover was reported on one of the subdomains under mozgcp.net due to a dangling DNS record. Content was hosted under the subdomain by researchers who registered the record...
Mars: 0 Click account takeover via timed requests to ███████forgot-password (single-packet attack)
A vulnerability was present in the forgot password functionality of the platform. By sending carefully timed requests, an attacker was able to obtain the password reset token for any account using only the victim's email address...
Mozilla: Subdomain takeover on one of the subdomains under mozgcp.net
A subdomain takeover was reported on one of the subdomains under mozgcp.net due to a dangling DNS record. Content was able to be hosted under the subdomain by researchers who had registered the record...
X (Formerly Twitter): Ability to see hidden likes
The ability to see hidden likes on Twitter/X was a vulnerability. Authenticated users could view another user's hidden likes by making a specific GraphQL API request, even if the target user had their likes set to be hidden...
Snapchat: Intent Leads To Unauthorised Video Call Initiation Leaking Surrounding Information Of Victim
The Snapchat Android application was found to contain a vulnerability that allowed a malicious user to initiate an unauthorized video call with a victim. The vulnerability was triggered by a deep link that, when clicked by the victim, forced the victim's Snapchat application to initiate a video...
HackerOne: IDOR: Authorization Bypass in LockReport Mutation for public reports
An authorization bypass vulnerability allowed an attacker to lock any public report, potentially disrupting the reporting process...
IBM: Jenkins server access due to weak password
Jenkins server access was gained due to a weak password. The issue was reported to IBM, analyzed, and remediated...
Internet Bug Bounty: Context isolation bypass via nested unserializable return value
A vulnerability was discovered in Electron that allowed for a bypass of context isolation. This meant that code running in the main world context in the renderer could access the isolated Electron context and perform privileged actions. The vulnerability was fixed in versions 25.0.0-alpha.2,...
Mozilla: Mozilla Mastodon Staging Instance Admin API Key Disclosure Through Slack
Admin Mastodon API keys were inadvertently disclosed in the trust-and-safety-eng channel on Mozilla's Slack workspace, potentially granting unauthorized access to the Mastodon server and compromising user data. Immediate action is required to mitigate this vulnerability...
HackerOne: Two hackers' emails disclosed on submission at HackerOne Hacktivity
Sensitive information, including the email addresses of two hackers/reporters, was inadvertently disclosed in a video proof-of-concept (POC) on a HackerOne submission...
Mozilla: Subdomain takeover on one of the subdomains under mozaws.net
A dangling DNS record enabled subdomain takeover on a mozaws.net subdomain. Researchers exploited this to host content on the affected subdomain...
Liberapay: Password Reset Token Leak Via Referrer
Vulnerability description not provided...
Mars: IDOR to account takeover on POST to █████████ by changing member_id parameter
A website endpoint was vulnerable to account takeover by changing the member ID parameter...
LinkedIn: Attackers can *Upgrade and claim offer* on the Premium Trial Subscription with a total price of *IDR0.00* from the original *IDR7,022,061.82*
The reporter found a method to tamper with the premium pricing flow, allowing an attacker to subscribe to the LinkedIn Sales Navigator Core offering for free. This issue has been fixed and resolved...
Lichess: Unauthorized Blogs Creation
A vulnerability was identified on the lichess.org website that allowed unauthorized blog creation. By manipulating certain requests and leveraging the session cookies of a different account, an attacker could bypass account-specific limitations and create a blog post on an account that was not ye...
FetLife: fetlife.com/signup_step_profile expose access_token of mapbox.com
Vulnerability description not provided...
Daimler Truck: Default credential to login at site management panel
Summary: Hi Team, during recon on Shodan I came across an IP pointing towards lre.daimlertruck.com. Here is the Shodan link: https://www.shodan.io/host/20.219.79.49. On port 8443, there was a login panel at https://20.219.79.49:8443/Site/ and using the default credentials admin/admin I was able to log in...
Internet Bug Bounty: CVE-2023-40195: Apache Airflow Spark Provider Deserialization Vulnerability RCE
Apache Airflow Spark Provider before 4.1.3 was affected by a deserialization vulnerability that allowed remote code execution (RCE). Attackers could exploit this vulnerability by configuring a malicious Spark server address through the Airflow UI, which would then manipulate the PySpark clients...
U.S. Dept Of Defense: [██████] Reflected XSS via Keycloak on ██████
A cross-site scripting (XSS) vulnerability was discovered in Keycloak 8.0 and earlier versions. This vulnerability allowed an attacker to execute arbitrary script and potentially steal authentication credentials. The vulnerability was due to a lack of input validation, which allowed an attacker to...
U.S. Dept Of Defense: [█████████] Information disclosure due to unauthenticated access to APIs and system browser functions
Multiple information exposure vulnerabilities were discovered in a Jira Server instance, allowing unauthenticated access to APIs and system browser functions. These vulnerabilities could be exploited by an attacker to gain unauthorized access to sensitive data and run arbitrary code on the server...
Internet Bug Bounty: [CVE-2023-23913] DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML Elements
A DOM-based cross-site scripting vulnerability was discovered in rails-ujs, affecting versions 5.1.0 and above. By pasting malicious HTML content with specific attributes into a contenteditable element, an attacker could execute arbitrary JavaScript on the affected origin. The vulnerability has...
Liberapay: Twitter account hijack @Costalfy
A broken link on the Liberapay website allowed attackers to hijack the Twitter account of Andy Costanza, potentially leading to scams or phishing attempts...
inDrive: Unlimited fake rate to the passenger in city to city, Affected endpoint `/api/v1/reviews/ride/<ID>/driver`
The vulnerability allowed an unlimited increase of the passenger's rating in the city-to-city shared ride feature. The request to the /api/v1/reviews/ride//driver endpoint was manipulated by changing the rating value to a higher number, which was accepted by the application and resulted in an...
Tor: 'Request English versions of web pages for enhanced privacy' keeps previous (grayed out) settings
The vulnerability allowed an attacker to identify users who had changed their language settings in the Tor Browser. By exploiting JavaScript and HTTP fingerprinting techniques, the attacker could determine the user's language preferences, even if the user had enabled the "Request English versions...
Mozilla: Subdomain takeover on one of the subdomains under mozgcp.net
A dangling DNS record for a subdomain of mozgcp.net was discovered, allowing researchers to host content on the subdomain...
Internet Bug Bounty: SSRF Vulnerability through Connection test feature
A security vulnerability was found in Apache Airflow versions prior to 2.7.0. An authenticated user with Connection edit privileges could exploit this vulnerability to access connection information and perform a denial of service attack on the server. Upgrading to version 2.7.0 or newer is...
Internet Bug Bounty: Argocd's web terminal session doesn't expire
A vulnerability was discovered in all versions of Argo CD starting from v2.6.0, where open web terminal sessions did not expire. This allowed users to send websocket messages even after their session token had expired, potentially exposing sensitive information. The issue has been patched in...
U.S. Dept Of Defense: [███████] Information disclosure due to unauthenticated access to APIs and system browser functions
Multiple vulnerabilities were exposed in a Jira Server instance allowing unauthenticated access to APIs and system browser functions. This included the ability to run arbitrary code on an internal network server. Project categories, resolutions, and usernames could be listed without authenticatio...
Mars: debug.log File Exposure that exposes (user/████) username and password at █████████
A debug log file exposure vulnerability was discovered that allowed sensitive information to be viewed. The debug log file contained a username and password, which could enable unauthorized access to the application if exploited. To address this, restricting access to the debug log file and...