GitHub Security Lab: CPP: Add query for CWE-369: Divide By Zero.
Vulnerability description not provided...
curl: CVE-2023-28321: IDN wildcard match
An improper validation of a certificate with host mismatch vulnerability was found in curl/libcurl, which allowed an attacker to perform a man-in-the-middle attack. The vulnerability was caused by the use of wildcards for validation during TLS communication, even if the hostname is an IDN. This...
Mars: Information Exposure Through Directory Listing
The vulnerability allowed an attacker to view the directory contents of the web server, leading to information disclosure. The directory listing function was not properly configured, exposing sensitive information...
Lark Technologies: Improper Access Control allows OTP bypass
A vulnerability was discovered that allowed the one-time password requirement to be bypassed when directly accessing the admin log download endpoint. This could have enabled users within the organization to access admin logs without verifying their identity. The issue was resolved after being...
Rockstar Games: Insecure Direct Object Reference allows Crew Invite deletion
An Insecure Direct Object Reference vulnerability was discovered in a service endpoint related to Crews management. This vulnerability allowed unauthorized users to delete outstanding Crew invitations from any Crew to any Social Club user. The vulnerability was resolved by implementing additional...
Mars: ███████ ' can delete any animal from other account ' at ██████████
The ██████████ website was found to have an Insecure Direct Object Reference (IDOR) vulnerability that allowed authenticated users to delete animals belonging to other users' accounts. This vulnerability arose due to the system's failure to properly validate and restrict access to protected resourc...
Brave Software: Open redirect due to scanning QR code via brave browser
An open redirect vulnerability was discovered in Brave's QR code scanner, which allowed attackers to direct users to malicious sites without their consent or knowledge. This vulnerability put the security of Brave users at risk and allowed them to be exposed to phishing and malware attacks. The...
Node.js: Dependency Policy Bypass via process.binding
The use of the deprecated API process.binding allowed for the bypassing of the policy mechanism in Node.js, potentially enabling the execution of arbitrary code outside the defined limits in a policy.json file. This vulnerability affected all users utilizing the experimental policy feature in...
Nextcloud: Missing permission check when removing a photo from an album
There was a vulnerability in the Nextcloud application where the permission check was missing when removing a photo from an album...
LinkedIn: “See who’s interested in working for your company” - security issue
A security vulnerability was identified in the "See who's interested in working for your company" feature of LinkedIn Recruiter. The vulnerability allowed recruiters to view profiles of members interested in working for certain companies. A fix was deployed to production within one month...
Internet Bug Bounty: CVE-2023-28755: ReDoS vulnerability in URI
A ReDoS vulnerability was discovered in the URI component of the Ruby programming language. The vulnerability allowed attackers to cause an increase in execution time for parsing strings to URI objects, resulting in high resource consumption, reduced performance, and denial of service. The...
LinkedIn: HTTP Request Smuggling (CL.0) leads to mass redirect users to attacker server without user interaction
Vulnerability description not provided...
Mars: Response Manipulation lead to bypass verification code while making appointment at `█████████`
The vulnerability allowed bypassing the verification code when making an appointment at █████████. The response could be manipulated to change the verification check from false to true, enabling the appointment to be completed without the correct code...
Fastly VDP: Cache purge requests are not authenticated
Vulnerability description not provided...
GitHub Security Lab: Go: Add more JWT sinks
Vulnerability description not provided...
GitHub Security Lab: [Python]: Timing attack
Vulnerability description not provided...
Mars: CRLF Injection at `██████████`
A CRLF injection vulnerability was discovered in the website ██████████. The vulnerability was caused by the application's failure to properly sanitize or encode user-supplied data containing carriage return and line feed (CRLF) sequences...
MetaMask: MetaMask Browser (on Android) does not enforce Content-Security-Policy header
The MetaMask Mobile browser was discovered to ignore Content-Security-Policy headers set by websites, allowing potential execution of scripts that should have been blocked. The issue was caused by an error in how the application handled web requests while trying to ensure the MetaMask JavaScript...
Cloudflare Public Bug Bounty: Plaintext leakage of DNS requests in Windows 1.1.1.1 WARP client
A vulnerability in the Windows 1.1.1.1 WARP client allowed for plaintext leakage of DNS requests. When connected to WARP over an IPv6-capable network, the client assigned Unique Local Addresses instead of loopback IPv6 addresses. This could potentially expose DNS queries to unknown devices on the...
Acronis: Stored XSS in plan name field (Acronis Cyber Protect)
A stored XSS vulnerability was identified in the plan name field of Acronis Cyber Protect. This vulnerability allowed an attacker to execute arbitrary JavaScript code in the context of the affected user, potentially leading to unauthorized access or phishing attacks...
Snapchat: internal dev tokens disclosure
Sensitive internal development information was inadvertently disclosed in the commit history of the open-source project Keydb, which was made public by Snapchat. This included a Personal Access Token (PAT) used for GitHub authentication, which could have been exploited by malicious actors...
GitHub: Smuggling content in PR with refs/replace in GitHub
An incorrect comparison vulnerability was found in GitHub Enterprise Server, allowing commit smuggling through the display of an incorrect diff in the GitHub pull request UI. This vulnerability required write access to the repository and affected versions 3.7.0 and above. It was fixed in versions...
Shopify: Reflected XSS on help.shopify.com
A reflected cross-site scripting vulnerability was present in the returnTo parameter on help.shopify.com that allowed JavaScript code execution if specific steps were followed...
Ruby: heap-buffer-overflow in gc_writebarrier_incremental
Vulnerability description not provided...
U.S. Dept Of Defense: AEM misconfiguration leads to Information disclosure
Sensitive information was disclosed due to a misconfiguration in AEM, allowing access to internal usernames and webroot directories by appending /.1.json to certain URLs. This could lead to unauthorized access, social engineering attacks, and reputation damage...
U.S. Dept Of Defense: Default Credentials on Kinetic Core System Console - https://█████/kinetic/app/
Weak default credentials of "admin/admin" were discovered on the Kinetic Core System Console application, potentially allowing attackers to identify underlying technologies and access sensitive information such as server logs and user data. The vulnerability was present in version 2.1.0-SNAPSHOT...
U.S. Dept Of Defense: LDAP Server NULL Bind Connection Information Disclosure
The LDAP server allowed anonymous access, which could lead to information disclosure. Attackers could exploit this vulnerability to gain access to sensitive information. The recommended mitigation is to configure the service to disallow NULL BINDs...
GitLab: HTML injection possible with soft email confirmations when Administrator manually confirms attacker email address
The vulnerability allowed an attacker to include an HTML payload in their email address. If an administrator manually confirmed the attacker's unconfirmed email address, the HTML payload was rendered within the context of the self-hosted GitLab instance...
Sony: SQL Injection at https://████ via ███ parameter
Vulnerability description not provided...
IBM: IBM Maximo Asset Management could allow a remote attacker to bypass authentication due to improper access controls
Improper access controls in IBM Maximo Asset Management could allow a remote attacker to bypass authentication. This issue was reported to IBM, analyzed, and remediated...
Reddit: RichText parser vulnerability in scheduled posts allows XSS
Hyperlinks were not being filtered on the server side in Reddit's scheduled post feature, allowing an attacker to modify a request with a normal hyperlink that embeds a malicious link using a javascript: scheme. This could result in an XSS attack if an admin clicked on the malicious link while...
Bitwarden: Bypass for forced re-authentication upon biometrics change
A vulnerability allowed an attacker with physical access to a phone to bypass biometric authentication in the Bitwarden app, granting access to view and delete passwords...
curl: CVE-2023-28320: siglongjmp race condition
A race condition vulnerability existed in libcurl's siglongjmp call when using the USEALARMTIMEOUT codepath for DNS resolution. If two threads performed DNS resolving, a wrong register context could be used on the signal handler siglongjmp call if DNS timeout occurred, resulting in a segmentation...
Internet Bug Bounty: ReDoS (Ruby, Time)
A ReDoS vulnerability was discovered in the Time gem versions 0.1.0 and 0.2.1 and in the Time library of Ruby 2.7.7, which mishandled invalid strings with specific characters, causing an increase in execution time for parsing strings to Time objects. The vulnerability was assigned the CVE identifier...
GitHub Security Lab: [Ruby]: Server Side Template Injection
Vulnerability description not provided...
Weblate: Testing flow includes a DeepSource secret
The testing workflow for the WeblateOrg/wlc repository included a DeepSource secret, which could have allowed a malicious actor to access parts of the repository and report artifacts to DeepSource. The recommended usage would have been to create a GitHub action environment secret and call it at...
Node.js: DiffieHellman doesn't generate keys after setting a key
DiffieHellman in Node.js did not generate new keys after setting a key, due to an issue in OpenSSL. This vulnerability could have allowed for key reuse and potential compromise of confidentiality and integrity in applications relying on DiffieHellman for security...
WordPress: Previously created sessions continue being valid after 2FA activation
A vulnerability was discovered in the 2FA function of WordPress, where previously created sessions continued to remain valid after 2FA activation. This allowed unauthorized access to the account without requiring the 2FA code...
Nextcloud: Notes attachments render HTML in preview mode
Vulnerability description not provided...
Nextcloud: Improper restriction of excessive authentication attempts on WebDAV endpoint
Vulnerability description not provided...
GitLab: Account takeover due to insufficient URL validation on RelayState parameter
An insufficient URL validation on the RelayState parameter in GitLab allowed attackers to steal Bitbucket access tokens and other third-party access tokens, such as Google, Salesforce, and Twitter. The vulnerability was due to an open redirect while logging in to GitLab via SAML, which saved the...
Nutanix: Limited Disclosure: Employee credentials checked in to github (fixed)
Vulnerability description not provided...
Mars: Stored XSS via ' profile ' at ███
The vulnerability involved stored XSS on the profile page of the affected application. An attacker could register an account, verify it, and then change the animal name field to a malicious JavaScript payload. When the victim viewed the attacker's profile, the payload was executed...
Rockstar Games: Access to the business emails of Rockstar Support agents through the support platform
The researcher identified a flaw in the Zendesk configuration on the Rockstar Games support platform that allowed users to access the business emails of support agents. The issue was resolved earlier this year when the support site was overhauled...
Nextcloud: Brute force protection allows sending more requests than intended
Vulnerability description not provided...
HackerOne: Anyone can view collaborator email address via path /reports/<id>/participants
The vulnerability allowed anyone to view the email address of collaborators invited to vulnerability reports through the program's API. Access to collaborator email addresses was not properly restricted...
Internet Bug Bounty: Authenticated but unauthorized users may enumerate Application names via the API
An information disclosure vulnerability existed in all versions of Argo CD starting with v0.5.0, allowing authenticated but unauthorized users to enumerate application names via API error messages. This could be used as a starting point for further attacks, such as social engineering. The...
Nextcloud: Twitter Account hijack @nextcloudfrance
The Twitter account of Nextcloud France was vulnerable to a Broken Link Hijacking (BLH) attack, which occurs when attackers exploit expired external links on credible websites or web applications. The attackers took over the expired link and claimed the username for testing purposes, redirecting user...
Flickr: High resource consumption by insufficient sanitization of forum threads pagination
The forum threads pagination functionality was insufficiently sanitized, leading to high resource consumption. When a page number was provided in the URL that exceeded the number of available pages, an infinite loop was triggered, generating excessive markup on each iteration. The issue was...
GitLab: Arbitrary escape sequence injection in docker-machine from worker nodes
Vulnerability description not provided...