Cloudflare Public Bug Bounty: Accessing apps protected via ZT's Access when user account is deleted/disabled even after clearing user session/seat
Server-side validation checks were implemented after access to SaaS apps protected via ZT's Access could be gained when a user account was deleted or disabled by preserving metadata of the Access JWT and using another active user account within the same organization, despite lacking proper...
HackerOne: IDOR - Delete all Licenses and certifications from users account using CreateOrUpdateHackerCertification GraphQL query
All licenses and certifications in HackerOne could be deleted by changing the ID number in the CreateOrUpdateHackerCertification GraphQL query...
HackerOne: Names not completely redacted despite "Redact the names of the involved users" being selected
An edge case was discovered in the Export PDF function where names ending with a . were not properly redacted despite selecting the "Redact the names of the involved users" option. The vulnerability allowed for the disclosure of sensitive information...
Internet Bug Bounty: CVE-2023-40273: Session fixation in Apache Airflow web interface
A session fixation vulnerability was discovered in the Apache Airflow web interface. This vulnerability allowed an authenticated user to continue accessing the webserver even after their password had been reset by the admin. The issue has been addressed in version 2.7.0 of Apache Airflow...
Internet Bug Bounty: Dependency Policy Bypass via process.binding
A vulnerability was discovered in Node.js that allowed for the bypassing of permissions policies via the use of the process.binding API. This vulnerability allowed an attacker to run arbitrary code outside of the limits defined in a policy.json file. The vulnerability affected all users using the...
Nextcloud: Bypass password confirmation via Context-dependent access control (CDCA)
A vulnerability was found in Nextcloud server that allowed bypassing password confirmation for deleting workflows. By directly sending a DELETE request to the workflow delete endpoint, an attacker could delete workflows without providing the expected password confirmation. This broken...
Cosmos: Circuit Breaker Authorization Issue
Vulnerability description not provided...
pixiv: clickjacking can lead to account takeover
An endpoint on the website https://sketch.pixiv.net/draw was discovered to be vulnerable to clickjacking. Proof-of-concept code was provided to demonstrate how a user could be tricked into performing unintended actions on the website...
Nextcloud: DNS pin middleware can be tricked into DNS rebinding allowing SSRF
A vulnerability was disclosed where the DNS pin middleware could be tricked into DNS rebinding, allowing SSRF...
Nextcloud: Enabling Birthday Contact to any user
The "Birthday Contacts" feature could be enabled for any user, including administrators and super administrators, from a low privileged account within the Nextcloud application by navigating to the calendar settings and intercepting a specific request...
Mozilla: Stored XSS on bugzilla.mozilla.org via comment edit feature from non-admin to admin.
A stored XSS vulnerability was discovered on the comment edit feature of bugzilla.mozilla.org. This allowed an attacker to execute malicious JavaScript code when an admin attempted to edit a comment. The vulnerability was reported and a bug report was filed...
Nextcloud: Memcached used as RateLimiter backend is no-op
A vulnerability was discovered where the Memcached cache was used as the backend for rate limiting. This resulted in cache entries being wiped, so rate limiting and brute-force protection could be bypassed...
Tools for Humanity: Race Condition Enables Bypassing Verification Check
A race condition was discovered in the WorldID platform that could enable bypassing the verification check limits. The issue resided in the enforcement of maximum allowed verifications, which was not properly synchronized across parallel requests to the cloud backend service. The fix implemented...
HackerOne: Support Tickets can be created on behalf of other users using spoofed email | Bypass of #2001913
A vulnerability allowed an attacker to create support tickets on behalf of other users by sending a fake email to [email protected]. This bypassed a previous fix implemented by HackerOne to prevent support tickets from being created via email...
Mozilla: Potential Spoofing Risk through Firefox Private Relay Service
A potential spoofing risk was identified in the Firefox Private Relay service. Adversaries were able to send spoofing emails to users by leveraging the service. The design of the service allowed these spoofing emails to bypass security measures and reach the target inbox. This was due to the...
Nextcloud: Error when editing a calendar appointment returns stacktrace and query
A vulnerability was found where editing a calendar appointment and changing the ID to a non-existent value returned an error exposing internal server paths and an SQL query. The issue allowed disclosure of sensitive information...
Nextcloud: Admins can change authentication details of user configured external storage
A vulnerability was found where admins could change authentication details of user configured external storage. This allowed malicious admins to modify global credentials for other admin and user external storage...
Basecamp: AWS keys and user cookie leakage via uninitialized memory leak in outdated librsvg version in Basecamp
Sensitive data, including AWS keys and user cookies, could be leaked due to an uninitialized memory leak in an outdated version of librsvg used by Basecamp. This vulnerability allowed an attacker to upload a specially crafted SVG image as an avatar, triggering the memory leak. By extracting...
Mars: subdomain takeover at █████████
A subdomain takeover vulnerability was discovered. The subdomain had been pointing to an inactive third-party resource, allowing an attacker to claim the resource and take control of the subdomain. The attacker was then able to serve arbitrary content on the subdomain...
HackerOne: Bypass of #2035332 RXSS at image.hackerone.live via the `url` parameter
A reflected cross-site scripting (RXSS) vulnerability was discovered on the image.hackerone.live website. The vulnerability allowed an attacker to bypass the fix implemented for a previous RXSS issue. By modifying the server's response to a HEAD request, the attacker could change the Content-Type a...
Mozilla: CSRF to Information disclosure on password reset
The vulnerability allowed an attacker to obtain the victim's IP address and browser details by tricking the victim into clicking on a malicious password reset link. The vulnerability was caused by a cross-site request forgery (CSRF) in the password reset functionality...
Rootstock Labs: DOS of RSKJ server
The RSKJ server was vulnerable to a Denial of Service (DoS) attack. The vulnerability was due to a flaw in the RLP (Recursive Length Prefix) decoding function, which could return a negative value, leading to a length of 0. This caused the server to process only one UDP packet forever, preventing it...
GitLab: Maintainer can leak sentry token by changing the configured URL (fix bypass)
A malicious Maintainer could have leaked the Sentry token by changing the configured URL in the Sentry error tracking settings page. This was the result of an incomplete fix for CVE-2022-4365...
Internet Bug Bounty: (CVE-2023-32003) fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks
The fs.mkdtemp and fs.mkdtempSync functions in Node.js were found to be missing getValidatedPath checks, allowing for a path traversal attack. This vulnerability could be exploited to create arbitrary directories...
Internet Bug Bounty: (CVE-2023-32006) Permissions policies can impersonate other modules by using module.constructor.createRequire()
A vulnerability was discovered in Node.js that allowed permissions policies to impersonate other modules using the module.constructor.createRequire function. This could bypass the policy mechanism and enable the loading of modules outside of the defined policy. The vulnerability affected all user...
Internet Bug Bounty: (CVE-2023-32004) Permission model bypass by specifying a path traversal sequence in a Buffer
A vulnerability was discovered in Node.js version 20, specifically within the experimental permission model. It allowed for a bypass of the permission model by specifying a path traversal sequence in a Buffer, leading to improper handling of file permissions...
Nextcloud: user_ldap app logs user passwords in the log file at debug log level
User passwords were logged in Nextcloud application logs when using LDAP authentication and debug log level settings...
HackerOne: Able to see Bonus amount given to a report even if the bounty and Bonus are not visible to public or mentioned in {Report-Id}.json
A vulnerability allowed users to see the bonus amount given to a report, even if the bounty and bonus were not visible to the public or mentioned in the report's JSON file. This resulted in the exposure of confidential information...
HackerOne: HackerOne SAML signup domain enforcement bypass results in unauthorized access to HackerOne PullRequest organization
A vulnerability was discovered where SAML signup domain enforcement for new signups belonging to SAML-enabled organizations could be bypassed by appending control characters, allowing unauthorized access. This was leveraged to access the HackerOne PullRequest organization and view source code in...
WakaTime: Waketime Payment Gateway Vulnerability
Vulnerability description not provided...
GitLab: Information Disclosure - Private GitLab issue disclosed through GitLab Unfiltered YouTube channel.
A private issue report containing sensitive information was inadvertently disclosed through a video on the GitLab Unfiltered YouTube channel. The video showcased specific URLs, code snippets, and vulnerability descriptions, posing a potential security risk. Immediate action was recommended to...
HackerOne: Staff and Triage can modify the initial post of a report, including already disclosed reports
The initial post of a report on HackerOne could be modified by program members and Triage, allowing them to change the information and potentially manipulate the narrative of the report...
8x8 Bounty: Jitsi: Bridge Message Spoofing due to Improper JSON Handling leads to Prototype Pollution
The Jitsi VideoBridge failed to properly handle JSON messages with duplicate colibriClass keys, enabling clients to send messages interpreted differently by the bridge and resulting in unauthorized actions within video conferences. Jitsi Security Advisory has been published...
Internet Bug Bounty: Cargo not respecting umask when extracting crate archives
Cargo did not respect the umask when extracting crate archives on UNIX-like systems, potentially allowing a local attacker to modify the source code compiled and executed by the current user...
Nextcloud: Password of talk conversations can be brute-forced
The password of talk conversations could be brute-forced by adding the password as a parameter on the GET request of the frontpage instead of sending a POST to the authentication endpoint. This allowed bypassing brute-force protection of public talk conversation passwords...
Cloudflare Public Bug Bounty: Yet Another CASB Integration Takeover of Active Integrations
A vulnerability was found in a cloud access security broker's Microsoft integration where an attacker could bypass confused deputy protections. By manipulating the casing of a tenant UUID, a new integration could be created that surfaced sensitive customer information. This issue was addressed by...
Node.js: Integrity checks according to policies can be circumvented
The Node.js policy feature, which checks the integrity of a resource against a trusted manifest, could be circumvented by intercepting the operation and returning a forged checksum, effectively disabling the integrity check. This vulnerability affected all users using the experimental policy...
Cosmos: RCE and DoS in Cosmovisor
Vulnerability description not provided...
Node.js: Permission model improperly protects against path traversal
Vulnerability description not provided...
Node.js: Bypass network import restriction via data URL
A security flaw in Node.js was discovered that allowed bypassing of network import restrictions. By embedding non-network imports in data URLs, arbitrary code execution was possible, compromising system security. The vulnerability was verified on various platforms and was mitigated by forbidding...
Internet Bug Bounty: OpenSSL engines can be used to bypass and/or disable the Node.js permission model
Arbitrary OpenSSL engines could be loaded in Node.js 20, bypassing and disabling the permission model. This allowed for the execution of arbitrary code, unaffected by the permission model...
IBM: RXSS in hidden parameter
RXSS in hidden parameter was reported to IBM, analyzed, and has been remediated. The vulnerability was a reflected cross-site scripting issue found in a hidden parameter...
U.S. Dept Of Defense: Adobe ColdFusion Access Control Bypass - CVE-2023-38205
A vulnerability in Adobe ColdFusion was discovered that allowed bypassing access controls by using malicious path traversal in URLs targeting the /CFIDE/wizards/common/utils.cfc endpoint. This enabled attackers to reach endpoints that should have been restricted. The issue affected Adobe ColdFusi...
Mars: Reflected XSS on formaction parameter
The formaction parameter of the target application was found to contain a reflected Cross-Site Scripting (XSS) vulnerability. User-supplied data was reflected back without proper sanitization, allowing for the injection of malicious JavaScript code. The issue was compounded by potential cache...
Yelp: yelp.com and biz.yelp.com ATO via XSS + Cookie Bridge
The researcher discovered an XSS vulnerability on biz.yelp.com where the unverified email was reflected in a message, allowing for arbitrary JavaScript execution. This XSS was combined with Yelp's cookie bridge functionality to target other users, leaking HttpOnly session cookies and enabling...
Liberapay: Disavowed an email without any authentication
Vulnerability description not provided...
Yahoo!: Bitly link takeover
A vulnerability was discovered in which a Bitly link referred to in the description of a Yahoo Twitter handle was broken and redirected to an unintended destination. This situation presented an opportunity for attackers to potentially hijack the link and direct users to a malicious website for...
Daimler Truck: Blind xss at https://homologation.omniplus.com/
Hello team, I have found a blind XSS that leads to an exposed admin panel with cookies. Steps to reproduce: 1. Navigate to https://homologation.omniplus.com/ 2. You will face a submit form containing 6 pages 3. At each input field you have to put your blind XSS payload; for me I used xss.report, just go there an...
Cloudflare Public Bug Bounty: Permanent CASB Integration Takeover due to Improper Access Controls+Confused Deputy Problem
A security vulnerability was discovered in Cloudflare's Cloud Access Security Broker (CASB) integration, allowing potential unauthorized access to sensitive information. The vulnerability, known as the "confused deputy problem," affected a limited set of integrations. Cloudflare promptly addressed...
HackerOne: Takeover of hackerone.engineering via GitHub
The hacker was able to take over the hackerone.engineering domain after a brief misconfiguration window on GitHub. They claimed the domain in their own repository while the DNS records were still pointing towards GitHub. The issue has been resolved and no malware was found on the site during the...