Mars: Google dork led to unsubscribing anyone from all Banfield emails
The vulnerability allowed an attacker to unsubscribe any Banfield user from their emails without authentication or authorization. The vulnerability was discovered through a Google dork search that led to an endpoint where the attacker could provide an email address to unsubscribe the user...
Node.js: Improper HTTP header block termination in llhttp
The vulnerability in Node.js 20's HTTP parser allowed improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enabled request smuggling. The issue was resolved by upgrading llhttp to version 9, which enforces correct header termination...
HackerOne: Usernames still visible on report export PDF despite "I want to redact all usernames" being selected
During a period of approximately one week, a feature was deployed that aimed to redact usernames in the Export PDF function. However, the feature did not account for certain edge cases, resulting in the disclosure of usernames in the exported PDF reports. The vulnerability was identified and...
U.S. Dept Of Defense: RCE via File Upload with a Null Byte Truncated File Extension at https://██████/
A remote code execution vulnerability via file upload with a null byte truncated file extension was found on a website. By uploading a file with .asp%00.png extension, malicious ASP code could be executed on the server. This allowed an attacker to run arbitrary system commands. The issue was...
Mozilla: Possibility of Deface through translation tool - www.mozilla.com
A vulnerability was discovered where credentials for a third-party translation tool used by Mozilla websites were publicly disclosed. This exposed access to translation management functions and internal documents. The issue was reported and it was advised that the disclosed passwords be changed t...
HackerOne: Hackerone All Private Program Name Leaked to Public Via Collaborator OR Attacker can Easily Dump all Private Program Names through Collaborator
A vulnerability was discovered in Hackerone that allowed an attacker to obtain the names of private programs. By manipulating the report ID and using the Collaborator feature, the attacker could determine if a program was private or public. This compromised the confidentiality of private programs...
Nextcloud: No Rate Limit On Forgot Password on https://apps.nextcloud.com
The "Forgot Password" feature on the Nextcloud apps website had no rate limit, allowing an attacker to send multiple requests and potentially overwhelm the victim's email inbox...
inDrive: Blind SQL injection on id.indrive.com
A blind SQL injection vulnerability was found where user input was not sanitized before being used in SQL queries. This allowed arbitrary SQL commands to be injected, revealing details of the backend database...
Node.js: process.binding() can bypass the permission model through path traversal
The use of the deprecated API process.binding allowed for bypassing the permission model in Node.js 20.x through path traversal...
Node.js: fs.statfs bypasses Permission Model
A vulnerability was found in Node.js version 20 that allowed malicious actors to bypass the permission model and retrieve file stats using the fs.statfs API, even if they did not have explicit read access to the file...
inDrive: Stored XSS on promo.indrive.com
Vulnerability description not provided...
Daimler Truck: CSRF + Reflected XSS
Hello Daimler Truck Team! I found a reflected XSS at https://www.truck-privilege.daimlertruck.com/auth/lostLogin. To make it reflected, CSRF (Cross-Site Request Forgery) was used together with it. An attacker can create a malicious website and trick the user into opening it; when the user opens it, he is...
Nextcloud: Nextcloud All-In-One path disclosure of internal frontend
Vulnerability description not provided...
Nord Security: Email verification bypass for manual connection setup using service credentials
Vulnerability description not provided...
Sorare: Circular-based introspection query leading to single-request denial of service, cost consumption and query cost on api.sorare.com/graphql
The Sorare GraphQL API has an introspection feature enabled by default, which allows developers to explore the API's schema. However, due to a lack of depth limits, an attacker can execute a circular introspection query that leads to a single-request denial of service, affecting both the...
Nextcloud: Any (non-admin) user from an instance can destroy any (user and/or global) external filesystem
A vulnerability in Nextcloud allowed any user on an instance to delete any external filesystem, regardless of ownership or type. This could be exploited by sending a DELETE request to the appropriate endpoint, resulting in the removal of the external storage from the system. The issue has been...
HackerOne: Inviting a collaborator using an email address discloses the HackerOne account related to the user
The new HackerOne collaborator feature allowed users to disclose the HackerOne account associated with an email address without the invitee's interaction...
U.S. Dept Of Defense: CVE-2023-24488 xss on https://██████/
Vulnerability description not provided...
Cloudflare Public Bug Bounty: Ability to bypass Admin override on Cloudflare WARP Android
A security vulnerability allowed an attacker with local access to an Android device running Cloudflare WARP to bypass the Admin override feature by changing the device's date and time settings. This allowed the attacker to extend the maximum allowed disconnected time of the WARP client granted by...
Node.js: Policy-restricted modules can escalate to higher privileges by impersonating other modules in a policy list using module.constructor.createRequire()
A vulnerability was discovered in Node.js that allowed policy-restricted modules to gain higher privileges by impersonating other modules in a policy list using module.constructor.createRequire. This vulnerability affected all users using the experimental policy mechanism in Node.js versions 16.x...
Tennessee Valley Authority: Admin.MyTVA.com Customer lookup and internal notes bypass
The admin.mytva.com site had a vulnerability that allowed an attacker to bypass the login and access admin-only endpoints. This could lead to unauthorized access to customer information and the ability to add internal notes...
ownCloud: Cross-Site Request Forgery
A cross-site request forgery vulnerability was found in an application. Requests were not validating cross-site request forgery tokens, allowing an unauthorized user to perform administration functions by inserting valid session cookies into arbitrary requests. This could have enabled an attacker...
HackerOne: An attacker can submit a Pentest Opportunity and change the status of the opportunity from submitted to in_review or reviewed
A vulnerability was found where users could create and modify the status of pentest opportunities without going through the intended review process...
curl: CVE-2023-32001: fopen race condition
A race condition vulnerability existed in the fopen function of the curl library. This vulnerability allowed an attacker to exploit the race condition between the stat and fopen functions, potentially leading to unauthorized file overwrites or the theft of sensitive data such as cookies. The...
Kubernetes: Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation
The nginx.ingress.kubernetes.io/permanent-redirect annotation was not properly sanitized when passed into the nginx configuration, allowing code injection from users able to create ingress objects. This allowed commands to be run on the ingress-nginx-controller pod and the Kubernetes API to be...
Automattic: Entering passwords on the Share Login Page can lead to a brute-force attack
The Share Login Page on the Crowdsignal platform had a vulnerability that allowed for brute-force attacks on passwords. This could potentially grant unauthorized access to sensitive information such as Results, Answer Details, Devices, Locations, and Participants...
MTN Group: Reflected XSS in https://nin.mtn.ng/nin/success?message=lol&nin=<VULNERABLE>
The reflected XSS vulnerability was found in the 'nin' parameter of the 'https://nin.mtn.ng/nin/success' endpoint. Successful exploitation allowed an attacker to execute arbitrary JavaScript in the victim's browser...
Acronis: [oem.acronis.com] Reflected Cross Site Scripting
The researcher discovered a reflected cross-site scripting (XSS) vulnerability on the oem.acronis.com website. The vulnerability was found on the /test/testenv.html page, where user-supplied input was not properly sanitized, allowing the execution of arbitrary JavaScript code...
Internet Bug Bounty: DiffieHellman doesn't generate keys after setting a key
A security vulnerability was discovered in the DiffieHellman module of Node.js. The module did not generate new keys after setting a private key, potentially leading to the reuse of nonces and compromising security measures such as forward secrecy and IND-CPA...
Node.js: Permission model bypass by specifying a path traversal sequence in a buffer
A vulnerability was discovered in Node.js version 20, specifically within the experimental permission model. This flaw allowed for the bypassing of file permissions by specifying a path traversal sequence in a buffer. The vulnerability affected all users utilizing the experimental permission mode...
Automattic: Authentication bypass in JetPack SSO manager - allows access to the WordPress administration panel without user interaction
A vulnerability was found in the JetPack SSO manager plugin that allowed authentication bypass on WordPress sites using the plugin. By exploiting the plugin's account invitation and email verification features, an attacker could gain administrative access to WordPress sites with a user account...
Node.js: fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks.
A vulnerability was found in the fs.mkdtemp and fs.mkdtempSync functions in Node.js 20, which allowed malicious actors to bypass the permission model check and create arbitrary directories...
Mars: Stored XSS + CSRF in "apellido" value
A stored cross-site scripting and cross-site request forgery vulnerability was discovered in the "apellido" value of a user profile updating form, allowing unauthorized changes to be made to user accounts...
Mozilla: Subdomain takeover on one of the subdomains under mozaws.net
A dangling DNS record enabled subdomain takeover on a mozaws.net subdomain. Researchers exploited this to host content on the affected subdomain...
HackerOne: RXSS at image.hackerone.live via the `url` parameter
Vulnerability description not provided...
Frontegg: Bypassing the Security Domain Restriction block and inviting blocked domains using special characters such as "İ"
The vulnerability allows users to bypass the security domain restriction and invite blocked domains by using special characters such as "İ" instead of "I" or "i". The vulnerability was reported and could potentially have been abused to violate the owner's rules and invite blocked domains to the...
Internet Bug Bounty: HTTP Request Smuggling via Empty headers separated by CR
The llhttp parser in the Node.js http module did not strictly use the CRLF sequence to delimit HTTP requests, which allowed for HTTP Request Smuggling (HRS). This vulnerability affected all active versions of Node.js...
HackerOne: Internal machine learning API endpoint for CWE classification is vulnerable to path traversal
Vulnerability description not provided...
HackerOne: An attacker can view any hacker's email via the /SaveCollaboratorsMutation operation name
An attacker could view any hacker or normal user's email on HackerOne by sending an invitation via a dummy report, thereby disclosing their private email...
Invision Power Services, Inc.: XSS with Visual Language Editor tags
A security vulnerability allowed an attacker to execute arbitrary code on a website by exploiting the Visual Language Editor tags. By injecting malicious code into a post or comment, the attacker could gain full control of the website and its data. The vulnerability has been patched...
Mozilla: Mozilla FuzzManager API Token Exposed in Git Commit
An API token for a Mozilla fuzzing service was exposed in a GitHub repository commit. The token provided read-write access to internal fuzzing data. The token was rotated and configured for write-only access...
Mars: CSRF to delete a pet
The /kisallataim/ANIMALID/delete API endpoint at myroyalcanin.hu was found to be vulnerable to Cross-Site Request Forgery (CSRF) attacks. This vulnerability could have been exploited to delete a user's pet from their account without their knowledge or consent...
Teleport: robots.txt file
The web server includes a robots.txt file that serves a crucial role in providing instructions to web robots, such as search engine crawlers, about the permissible areas of the website that they can crawl and index. While the presence of this file does not pose a direct threat to the security of...
Rocket.Chat: IDOR vulnerability leads to Deleting message after leaving/getting banned from group using message ID
The vulnerability discovered was an IDOR (Insecure Direct Object Reference) vulnerability. The issue allowed a user to delete messages in a channel they had been banned from or left, using the message ID obtained from a previous message sent in the channel. This vulnerability existed because the...
inDrive: #3 XSS on watchdocs.indriverapp.com
A cross-site scripting (XSS) vulnerability was discovered on the watchdocs.indriverapp.com website. The vulnerability allowed an attacker to execute arbitrary JavaScript code in the victim's browser by injecting malicious input into the URL parameters...
Glassdoor: IDOR vulnerability in the profile picture changing mechanism discloses other users' profile pictures.
Vulnerability description not provided...
GitHub Security Lab: [Python] Unsafe Unpacking and TarSlip bug slaying
Vulnerability description not provided...
Nextcloud: Issuer not verified from obtained token in user_oidc
The issuer verification in the user_oidc app of Nextcloud did not properly validate the issuer of the obtained token, potentially allowing for a Man-in-the-Middle attack...
U.S. Dept Of Defense: Blind SQL Injection https:/████████
A blind SQL injection vulnerability was discovered on a website, allowing an attacker to execute arbitrary SQL commands...
GitHub: Git Reference Ambiguity in GitHub - Commit Smuggling, Account Takeover, and Remote Code Execution
A vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling due to an incorrect diff comparison in re-opened pull requests. This affected all versions of GitHub Enterprise Server and was fixed in newer releases...