IBM: IDOR in upload videos of a Channel on https://video.ibm.com
Vulnerability description not provided...
Node.js: WASI sandbox escape via symlink
A WASI + WASM program was discovered to be able to use path_symlink to read arbitrary files on the host machine by creating a symlink inside a preopened directory that pointed to a different location on the local file system, thereby escaping the WASI sandbox...
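The failure mode described above is generic to any sandbox that grants a guest one directory and resolves guest paths by joining them onto it. The following is an added example, not Node.js or WASI project code: it models a host that exposes a single "preopen" directory, shows a naive open that follows a guest-created symlink out of it, and a confined open that resolves the target first and refuses anything outside the preopen. The helper names and the fixture files are assumptions made for the demonstration.

```python
"""Symlink escape from a preopened directory, and the containment check that stops it.

Added illustration (not WASI or Node.js code). os.O_NOFOLLOW is POSIX-only.
"""
import os
import tempfile


class SandboxEscape(Exception):
    """Raised when a guest path would resolve outside the preopen."""


def open_naive(preopen: str, guest_path: str) -> str:
    """Vulnerable pattern: join the guest path onto the preopen and open it.

    A symlink the guest created (what path_symlink would do) is followed
    wherever it points, so the guest can read any host file it can name.
    """
    host_path = os.path.join(preopen, guest_path)
    with open(host_path) as f:
        return f.read()


def open_confined(preopen: str, guest_path: str) -> str:
    """Hardened pattern: resolve all symlinks and '..' first, then require the
    final target to lie inside the preopen. The last open uses O_NOFOLLOW so a
    link swapped in after the check fails (ELOOP) instead of being followed.
    """
    root = os.path.realpath(preopen)
    target = os.path.realpath(os.path.join(root, guest_path))
    if os.path.commonpath([root, target]) != root:
        raise SandboxEscape(f"{guest_path!r} resolves to {target!r}, outside {root!r}")
    fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd) as f:
        return f.read()


def demo():
    """Constructed fixture: a preopen holding one legitimate file plus a guest-made
    symlink to a file outside it. Returns (leaked, allowed, blocked)."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as outside:
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as f:
            f.write("host-only data")

        preopen = os.path.join(host, "preopen")
        os.mkdir(preopen)
        with open(os.path.join(preopen, "ok.txt"), "w") as f:
            f.write("guest data")
        # The guest's path_symlink call: a name inside the preopen pointing at a host path.
        os.symlink(secret, os.path.join(preopen, "escape"))

        leaked = open_naive(preopen, "escape")          # vulnerable: reads the host file
        allowed = open_confined(preopen, "ok.txt")      # legitimate access still works
        try:
            open_confined(preopen, "escape")
            blocked = False
        except SandboxEscape:
            blocked = True
        return leaked, allowed, blocked


if __name__ == "__main__":
    print(demo())
```

The same containment check also rejects `..` traversal, because realpath collapses it before the prefix comparison; the O_NOFOLLOW on the final open narrows, but does not fully close, the window between the check and the open.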
U.S. Dept Of Defense: Remote Code Execution and AWS IAM Credentials Exfiltration in https://████████/
The host https://██████/ had a vulnerability in the /jenkins/script directory that allowed users to execute system commands on the host. This could have led to the disclosure of AWS IAM credentials, which could have been used by an attacker to manage various AWS resources, create and delete...
IBM: IDOR in channel ID leads to customer email disclosure on https://video.ibm.com
Vulnerability description not provided...
HackerOne: Register & create a ticket as somebody else on HackerOne Support
A vulnerability was discovered on HackerOne Support that allowed an attacker to register and create tickets as different individuals. The issue was resolved by adjusting a setting in the Freshdesk Software...
U.S. Dept Of Defense: Adobe ColdFusion - Access Control Bypass [CVE-2023-38205] at ██████
An access control bypass vulnerability was discovered in Adobe ColdFusion, allowing attackers to bypass the restriction on external access to the ColdFusion Administrator...
HackerOne: Bypass report submit restriction/ban using the API key
A vulnerability was discovered that allowed banned researchers to submit reports through API keys, bypassing reporting restrictions. By creating an API key after an account was banned from submitting reports, a researcher could still submit reports to programs without restrictions, potentially...
LinkedIn: Deny Admin from Editing LinkedIn Company Page using Gen Form Visibility via POST /voyager/api/voyagerOrganizationDashCompanies/{id}
Vulnerability description not provided...
U.S. Dept Of Defense: LDAP Anonymous Login enabled in ████
LDAP Anonymous Login was enabled in ██████████, allowing unauthorized users to connect to the LDAP server without providing any authentication credentials. This could lead to unauthorized access and retrieval of sensitive information stored in the LDAP directory...
U.S. Dept Of Defense: Blind Sql Injection in https://█████/qsSearch.aspx
A blind SQL injection vulnerability was discovered in the qsSearch.aspx page of the application. An attacker could exploit this vulnerability to bypass authentication and retrieve sensitive information from the database. The vulnerability has been mitigated by implementing appropriate security...
HackerOne: Unauthorized Ticket can be created by an Attacker in user's Helpdesk account
An unauthorized user was able to create tickets in any user's helpdesk account without authorization or knowledge...
Node.js: Permission model improperly processes UNC paths
The vulnerability in the is_tree_granted function in fs_permission.cc assumed that any path starting with two backslashes carried a four-character namespace prefix that could be skipped, which is not always true. This led to vulnerable edge cases on Windows systems...
Mozilla: Exposing Django Debug Panel and Sensitive Infrastructure Information at https://dev.fxprivaterelay.nonprod.cloudops.mozgcp.net
The Django Debug Panel was exposed in a development environment, allowing sensitive infrastructure information to be accessed. This included details about the locations of databases, user information, and internal IP addresses. The exposure of this information posed significant security risks and...
Internet Bug Bounty: CVE-2023-30587 Process-based permissions can be bypassed with the "inspector" module.
A vulnerability in Node.js version 20 allowed for the bypassing of restrictions set by the --experimental-permission flag using the built-in inspector module. This vulnerability affected Node.js users who were using the permission model mechanism in Node.js 20...
Internet Bug Bounty: [curl] CVE-2023-32001: fopen race condition
CVE-2023-32001 is a vulnerability in the curl library caused by a time-of-check/time-of-use race between the stat and fopen calls used when saving a file. By swapping the target between the two calls, an attacker could trick curl into overwriting protected files or leaking sensitive data, such as cookies. The vulnerability was fixed in a recent...
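The stat-then-fopen race above is the classic TOCTOU shape, and the fix is the same in any language: open first, then inspect the descriptor you actually hold. The following is an added example in Python, not curl's code: a vulnerable writer that checks the path with lstat and then opens it by name, a hardened writer that opens with O_NOFOLLOW and checks with fstat, and a constructed fixture where an attacker hook swaps the target for a symlink between check and use. Function names and the file layout are assumptions for the demonstration.

```python
"""TOCTOU between a path check and the open that uses it, in Python.

Added illustration (not curl's code). Requires a POSIX os for O_NOFOLLOW.
"""
import os
import stat
import tempfile


def write_vulnerable(path: str, data: str, attacker_hook=lambda: None) -> None:
    """Check by name, then open by name: the two can refer to different files."""
    if os.path.lexists(path) and not stat.S_ISREG(os.lstat(path).st_mode):
        raise PermissionError(f"{path} is not a regular file")
    attacker_hook()                 # the race window: the path is swapped here
    with open(path, "w") as f:      # open() follows the symlink the attacker planted
        f.write(data)


def write_safe(path: str, data: str, attacker_hook=lambda: None) -> None:
    """Open first with O_NOFOLLOW, then check the descriptor: the file inspected
    is guaranteed to be the file written, whenever the attacker acts."""
    attacker_hook()
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)   # raises OSError (ELOOP) if path is a symlink
    with os.fdopen(fd, "w") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError(f"{path} is not a regular file")
        f.write(data)


def demo():
    """Constructed fixture: cookies.txt is the intended target, protected.txt must
    not change. Returns (protected_after_vuln, protected_after_safe, safe_refused)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "cookies.txt")
        protected = os.path.join(d, "protected.txt")
        with open(protected, "w") as f:
            f.write("original")

        def swap_for_symlink():
            # What the attacker does inside the window.
            if os.path.lexists(target):
                os.remove(target)
            os.symlink(protected, target)

        with open(target, "w") as f:
            f.write("")
        write_vulnerable(target, "cookie=1", swap_for_symlink)
        with open(protected) as f:
            after_vuln = f.read()      # clobbered through the symlink

        with open(protected, "w") as f:
            f.write("original")
        try:
            write_safe(target, "cookie=1", swap_for_symlink)
            refused = False
        except OSError:
            refused = True
        with open(protected) as f:
            after_safe = f.read()      # untouched
        return after_vuln, after_safe, refused


if __name__ == "__main__":
    print(demo())
```

The hook only makes the interleaving deterministic; in practice the attacker wins the race by retrying, which is why a check that is not performed on the open descriptor is never sufficient.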
inDrive: Bypassing Garbage Collection with Uppercase Endpoint
A vulnerability was discovered in the garbage collection process that allowed the restriction on the "/metrics" endpoint to be bypassed by requesting the path with uppercase letters. This could potentially lead to unauthorized access to sensitive information or resources and possible data manipulation. Other endpoints with similar patter...
8x8 Bounty: Stored xss at https://█.8x8.com/api/█/ID
A vulnerability was reported where stored data could be modified to introduce malicious JavaScript that would execute in a victim's browser when the data was retrieved. The issue was isolated to a randomly generated identifier. The development team addressed the issue by implementing additional...
Semrush: Lack of sanitization of the billing address in pdf invoice
A vulnerability in the invoice PDF generation allowed HTML code injection due to insufficient sanitization of billing address data. An internal review found no evidence of exploitation...
Daimler Truck: Server-based source code disclosures
URL: https://www.bharatbenz.com/TEST.PHP CWE: CWE-538 CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N One or more pages disclosing source code were found. This check is using pattern matching to determine if server side tags are found in the file. In some cases this alert may generate fals...
Daimler Truck: Time-based SQL Injection
CWE: CWE-89 CVSS: 9.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N URL: www.bharatbenz.com//dealer/0'XOR(if(now()=sysdate(),sleep(20),0))XOR'Z SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server. Impact ...
inDrive: Host Header Injection - internal.qa.delivery.indrive.com
A vulnerability was found where the Host header was not properly validated or escaped, allowing an attacker to inject arbitrary Host header values and manipulate server-side behavior. This could allow redirection to malicious sites for phishing...
LinkedIn: HTML injection at Company Name or Product Name and can be shown on Contact Sales form
A vulnerability was discovered that allowed HTML injection into the company name and product name fields on a contact sales form. Attackers could exploit this to conduct phishing attacks or distribute malware. The issue was addressed...
Mars: IDOR in one subdomain of █████████ -> change information of pets without authorization!
A potential Insecure Direct Object Reference (IDOR) vulnerability was discovered on a subdomain of ███████. The vulnerability allowed users to change information of pets belonging to other users without authorization...
U.S. Dept Of Defense: SqlInject at ██████
Vulnerability description not provided...
curl: CVE-2023-38039: HTTP header allocation DOS
A vulnerability was discovered in curl that allowed an attacker to cause a denial-of-service (DoS) condition on a user's system. By setting up a malicious HTTP server and continuously sending new headers, the attacker could exhaust system resources, leading to system instability or a crash. The issue...
U.S. Dept Of Defense: Blind Sql Injection in https://████████/
A blind SQL injection vulnerability was discovered in the █████████ website. This vulnerability allowed an attacker to bypass authentication and retrieve sensitive information from the database. The vulnerability was successfully exploited using SQLmap, a popular SQL injection tool...
Internet Bug Bounty: CVE-2023-36617: ReDoS vulnerability in URI (Ruby)
A ReDoS vulnerability was discovered in the URI component of the Ruby uri gem versions 0.12.1 and earlier. The vulnerability allowed for the mishandling of invalid URLs with specific characters, resulting in an increase in execution time for parsing strings to URI objects. This issue was a result...
Internet Bug Bounty: [CVE-2023-27539] Possible Denial of Service Vulnerability in Rack’s header parsing
A denial of service vulnerability was discovered in Rack's header parsing component. This vulnerability could be exploited by carefully crafted input to cause the header parsing process to consume an unexpected amount of time, potentially leading to a denial of service attack. The vulnerability...
Internet Bug Bounty: [CVE-2023-27531] Possible Deserialization of Untrusted Data vulnerability in Kredis JSON
A deserialization vulnerability was discovered in the Kredis JSON deserialization code, allowing for the potential deserialization of untrusted data. This could result in unexpected objects being deserialized in the system. The vulnerability has been assigned the CVE identifier CVE-2023-27531...
Internet Bug Bounty: Potential NULL dereference in libssh's sftp server
A potential NULL dereference vulnerability was discovered in libssh's sftp server. This vulnerability could be exploited by a malicious client to crash the server's connection, potentially leading to a denial of service (DoS) condition. The vulnerability has been patched...
Internet Bug Bounty: Apache Airflow path traversal by authenticated user
Apache Airflow before version 2.6.3 was affected by a vulnerability that allowed an authenticated user to perform unauthorized file access outside the intended directory structure by manipulating the runid parameter...
HackerOne: Draft report exposure via slack alerting system for programs
Vulnerability description not provided...
HackerOne: HackerOne Support System Doesn't Require Any Authentication May Lead Unauthorized Action
The HackerOne support system did not require any authentication, allowing anyone to open a support ticket for another user's account. This could potentially lead to unauthorized actions being taken on the account...
Internet Bug Bounty: Regular Expression Denial of Service (ReDoS) Vulnerability before 2.6.3
A vulnerability was found in Apache Airflow versions before 2.6.3, allowing an authenticated user to exploit crafted input and cause the current request to hang, resulting in a denial of service...
Nextcloud: New AppPassword can be generated without password confirmation
A security vulnerability allowed an attacker to generate a new AppPassword without requiring password confirmation, potentially granting unauthorized access to Nextcloud accounts...
Sorare: Operation CreateOrUpdateSo5LineupMutation does not restrict multiple captains
The CreateOrUpdateSo5LineupMutation operation in the Sorare API allowed users to set multiple captains for a football team, which violated the game logic of having only one captain. This vulnerability could be exploited to gain an unfair advantage over other players...
Internet Bug Bounty: odbc apache airflow provider code execution vulnerability
A privilege escalation vulnerability was discovered in Apache Airflow ODBC Provider before version 4.0.0. The vulnerability allowed for the loading of arbitrary dynamic-link libraries through controllable ODBC driver parameters, resulting in command execution...
Internet Bug Bounty: jdbc apache airflow provider code execution vulnerability
A code execution vulnerability was discovered in the Apache Airflow JDBC Provider before version 4.0.0. The vulnerability allowed for privilege escalation by exploiting controllable parameters in the JDBC connection, enabling the execution of arbitrary Java code...
Internet Bug Bounty: unsanitized input goes to regex function leads to ReDos that make request hangs
An authenticated user could exploit a vulnerability in Apache Airflow versions prior to 2.6.3 by providing crafted input, causing the current request to hang...
X (Formerly Twitter): Twitter Subscriptions Information Disclosure
A security vulnerability allowed any user to view a target user's "Subscriber-Only" Tweet and access attached images without being a subscriber to the user's profile...
U.S. Dept Of Defense: Create account without auth via response manipulation
A vulnerability was discovered that allowed creating an account without authentication by manipulating the response. This vulnerability could have been used to create and join an event without the required event code or email verification...
IBM: Nginx Alias Traversal - babel.bluetab.net
Vulnerability description not provided...
HackerOne: Triager/Team members can edit hacker's report and hacker is not even notified
The hacker's report could be edited by a triager or team member without notifying the hacker, compromising the integrity of the report...
Mars: Html injection
The consultant identified that the show parameter can reflect into the HTML page. An attacker could have crafted a malicious query that resulted in the inclusion of attacker-controlled HTML elements on the web page, changing the content presented to users. The vulnerability was assessed to have a...
Nextcloud: Self XSS when sending HTML as a comment in the Deck app
A vulnerability was found in the Deck app comments that allowed HTML injection. This could lead to malicious script execution when a user clicked a specially crafted link. The issue was reported to the Nextcloud security team...
Nextcloud: Inviting excessive long email addresses to a calendar event makes the server unresponsive
An absence of a character limit in the email address field when sending emails allowed for the sending of excessively long email addresses, causing the server to become unresponsive and resulting in a denial of service...
Automattic: reflected xss in https://wordpress.com/start/account/user
A reflected cross-site scripting vulnerability was exploited in the account user page of a website. By appending malicious JavaScript code to the redirect URL parameter after authenticating, reflected XSS could be triggered when users clicked continue on the account user page...
Mars: Google dork lead to unsubscribe anyone from all Banfield emails
The vulnerability allowed an attacker to unsubscribe any Banfield user from their emails without authentication or authorization. The vulnerability was discovered through a Google dork search that led to an endpoint where the attacker could provide an email address to unsubscribe the user...
Node.js: Improper HTTP header block termination in llhttp
The vulnerability in Node.js 20's HTTP parser allowed an HTTP/1 header block to be terminated by \r\n\rX instead of the required \r\n\r\n. Because other parsers in the request path do not accept that terminator, the two sides disagree on where one request ends and the next begins, which enabled request smuggling. The issue was resolved by upgrading llhttp to version 9, which enforces correct header termination...
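The smuggling risk comes from two parsers drawing message boundaries differently, which is easiest to see on a single byte stream. The following is an added example, not llhttp or Node.js code: a minimal HTTP/1 request-line-plus-headers parser with a strict mode and a lenient mode that reproduces the behaviour described above (a bare \r after a header line, followed by any byte, is treated as the end of the headers). The byte stream is constructed for the demonstration, bodies are not modelled (GET requests only), and the assumption that the lenient parser swallows the byte after \r is a modelling choice, not a statement about llhttp's internals.

```python
"""Header-block termination: strict CRLF CRLF versus the lenient \r\n\rX form.

Added illustration (not llhttp/Node.js code). Models request lines and headers only.
"""


def _read_line(buf: bytes, i: int):
    """Return (line, index after its CRLF); a missing CRLF is an incomplete message."""
    j = buf.find(b"\r\n", i)
    if j < 0:
        raise ValueError("incomplete line")
    return buf[i:j], j + 2


def parse_messages(raw: bytes, strict: bool):
    """Split a byte stream into [(request_line, headers)] for body-less requests."""
    messages = []
    i = 0
    while i < len(raw):
        request_line, i = _read_line(raw, i)
        headers = {}
        while True:
            if raw[i:i + 1] == b"\r":
                # Candidate end of headers: the \r must be followed by \n.
                if raw[i + 1:i + 2] == b"\n":
                    i += 2
                    break
                if strict:
                    raise ValueError("bare CR in header block")
                # Lenient (buggy) behaviour being modelled: \r plus any byte
                # ends the header block, and that byte is consumed.
                i += 2
                break
            line, i = _read_line(raw, i)
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError("malformed header line: %r" % line)
            headers[name.strip().lower()] = value.strip()
        messages.append((request_line, headers))
    return messages


# Constructed stream: one request whose headers end with \r\n\rX, followed by
# bytes that only become a second request if the lenient terminator is accepted.
SMUGGLED_STREAM = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example\r\n"
    b"\rX"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example\r\n"
    b"\r\n"
)

# Constructed well-formed stream: both modes must agree on it.
CLEAN_STREAM = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"


def compare_parsers(raw: bytes):
    """Return (lenient_count, strict_count_or_None) so the boundary disagreement is explicit."""
    lenient = len(parse_messages(raw, strict=False))
    try:
        strict = len(parse_messages(raw, strict=True))
    except ValueError:
        strict = None
    return lenient, strict


if __name__ == "__main__":
    print("smuggled stream:", compare_parsers(SMUGGLED_STREAM))
    print("clean stream:   ", compare_parsers(CLEAN_STREAM))
```

On the constructed stream the lenient parser yields two requests, the second being a request the client never legitimately sent, while the strict parser rejects the bare CR; a front end and a back end that differ in this way are exactly the pair request smuggling needs.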
HackerOne: Usernames still visible on report export pdf despite "I want to redact all usernames" is selected
During a period of approximately one week, a feature was deployed that aimed to redact usernames in the Export PDF function. However, the feature did not account for certain edge cases, resulting in the disclosure of usernames in the exported PDF reports. The vulnerability was identified and...