U.S. Department of State: LDAP anonymous access enabled at certrep.pki.state.gov:389
LDAP anonymous access was enabled on the subdomain certrep.pki.state.gov, allowing unauthorized access to the LDAP server...
HackerOne: Scope information is leaked when visiting policy scopes tab of any External Program
Scope information was leaked when visiting the policy scopes tab of any external program on HackerOne, allowing unauthorized users to view private program details. The vulnerability was caused by the new scope policy feature that displayed all program names and scopes using the new functionality...
Internet Bug Bounty: Open Redirect Vulnerability in Action Pack
An open redirect vulnerability was discovered in Action Pack, specifically in the redirect_to helper function. This vulnerability allowed an attacker to craft a URL that could bypass the protection against open redirects introduced in Rails 7.0. The vulnerability was fixed i...
GitHub Security Lab: [CPP]: Add query for CWE-805: Buffer Access with Incorrect Length Value using some functions
Vulnerability description not provided...
EXNESS: SSRF in graphQL query (pwapi.ex2b.com)
An SSRF vulnerability was discovered in the GraphQL query for allTicks on the pwapi.ex2b.com website. This vulnerability allowed an attacker to set the source parameter to perform arbitrary GET requests, potentially compromising internal services exposed to internal network requests...
LinkedIn: Attacker can unpin posts from companies he's not part of.
Vulnerability description not provided...
pixiv: Stealing Users OAuth authorization code via redirect_uri
A path traversal vulnerability in the OAuth redirect_uri parameter allowed attackers to redirect authenticated users to their product page with their OAuth credentials, potentially leading to account takeover. This could occur due to the leakage of the user's authorization code via the query strin...
U.S. Dept Of Defense: DoS at ████████ (CVE-2018-6389)
An unauthenticated attacker could cause a denial of service resource consumption on a WordPress site by using the large list of registered .js files to construct a series of requests to load every file many times. The vulnerability was registered as CVE-2018-6389...
TD Bank: Search input is vulnerable for XSS in qa.td.com and dev.td.com
Summary: I was able to exploit search input in qa.td.com. Steps To Reproduce: Go to qa.td.com and use the search option to reproduce this vulnerability. Supporting Material/References: F2152622 attachment / reference Example-...
inDrive: inDriver Job - Admin Approval Bypass
A vulnerability was discovered in the "inDriver Job" application that allowed an attacker to bypass the admin approval process for publishing job offers. This vulnerability enabled the attacker to publish arbitrary content without undergoing the necessary moderation step...
U.S. Dept Of Defense: Splunk Sensitive Information Disclosure @████████
A vulnerability in Splunk through version 7.0.1 allowed for information disclosure by appending a specific query to a URL, which could result in the exposure of sensitive information, such as license keys...
TD Bank: Server-Status leads to exposure information
Summary: Hi team, I hope you are well. It is a pleasure to work in your program. I will begin by presenting the vulnerability that I found: Server-status leads to information disclosure. Steps: Vulnerable subdomain: 1. https://cred.sit.td.com/ Example POC: https://cred.sit.td.com/server-status Path:...
Hyperledger: [indy_node] POOL_UPGRADE command injection, Trustee Node can execute command in any other Node's system.
Vulnerability description not provided...
HackerOne: [CVE-2022-44268] Arbitrary Remote Leak via ImageMagick
A Local File Inclusion vulnerability was discovered in an outdated version of ImageMagick used for image resizing on a website. An attacker could exploit this vulnerability by uploading a malicious PNG image, which would include the local file as content of the resized image in a hexadecimal...
TD Bank: Reflected XSS on Admin Login Page
When you try to access private pages on the domain https://td.intelliresponse.com/a6 you are redirected to a login page, which reflects values from the URL parameter 'win' into the DOM. Since the reflected data is not handled properly, it becomes a vulnerable path on the...
JetBlue: XSS via Vuln Rendertron Instance At `██████████.jetblue.com/render/*`
A vulnerability was discovered in a Rendertron instance at a subdomain of a website, allowing for a reflected XSS attack. An attacker could exploit this vulnerability to execute malicious code on a victim's browser and potentially steal sensitive information...
JetBlue: Open Redirect - https://████████.jetblue.com/███?url=
Vulnerability description not provided...
Mars: Bug Report #23JAN136 (subdomain takeover via Shopify)
A subdomain takeover vulnerability was identified on the domain █████████, where the subdomain pointed to an unclaimed Shopify instance. The vulnerability was successfully exploited by the researcher, who created a Shopify account, added the custom domain █████████, and demonstrated control over...
Mars: Bug Report #23JAN135 (subdomain takeover via Shopify)
The researcher discovered a subdomain takeover vulnerability affecting ██████████, which was pointing to an unclaimed Shopify instance. The researcher successfully demonstrated the takeover by claiming the subdomain and setting up a proof-of-concept storefront...
Mattermost: Member role which doesn't have permission to send messages can send them by executing channel commands
The member role which did not have permission to send messages could send messages by executing channel commands...
Nextcloud: Chat room member disclosure via autocomplete API
It was possible to find out who is in a Spreed chat room using the autocomplete API, even if the person is not a member of the room. This vulnerability could have been exploited to gain information about the members of a chat room for malicious purposes...
U.S. Dept Of Defense: [XSS] Reflected XSS via POST request
A reflected XSS vulnerability was found on a subdomain of a website. The vulnerability was found in a POST request to a specific page, where the flddisplaytype parameter was vulnerable to XSS. Although a WAF was deployed on the endpoint to prevent such attacks, the payload was successfully...
U.S. Dept Of Defense: [█████] Bug Reports allow for Unrestricted File Upload
Unrestricted file upload was possible through the bug report feature of a web page, allowing an attacker to attach a malicious file to a bug report and execute malware on the support agent's system. The web server did not validate the extension and size of the uploaded file...
Stripe: Fee discounts can be redeemed many times, resulting in unlimited fee-free transactions
A fee discount offer on Stripe transactions could be redeemed multiple times, resulting in unlimited fee-free transactions. The vulnerability allowed the attacker to call the /ajax/acceptfeediscountoffer endpoint multiple times, applying the discount each time. The impact was unlimited fee-free...
Shopify: URL Path Manipulation Enables Cache Poisoning of Amazon Affiliate Products in Shopify Linkpop
The Shopify Linkpop service was found vulnerable to a cache poisoning issue that allowed attackers to manipulate the display of Amazon affiliate products. By crafting malicious URLs, attackers could trick victims into linking to the attacker's products instead of the intended ones. This...
MTN Group: PHP info page disclosure in ██████████
The PHP info page was disclosed, which provided detailed information about the system and PHP configuration, including the exact PHP version, operating system, and internal IP addresses...
Radancy: Cross-origin resource sharing: arbitrary origin trusted
Referred from CWE-942: Permissive Cross-domain Policy with Untrusted Domains. Issue detail: The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application allowed access from the requested origin https://example.com...
IBM: Moodle XSS on s-immerscio.comprehend.ibm.com
Vulnerability description not provided...
U.S. Department of State: IDOR in TalentMAP API can be abused to enumerate personal information of all the users
An IDOR vulnerability was discovered in the Talentmap API that allowed guest users to enumerate personal information of all users. The vulnerability was due to the lack of access control mechanisms in the API endpoint. A malicious actor could exploit this vulnerability to fetch information of all...
Brave Software: download file type warning on Windows does not appear if "ask where to save file before downloading" setting is enabled
Vulnerability description not provided...
Nextcloud: Full Passcode bypass on Nextcloud App iOS
Vulnerability description not provided...
Internet Bug Bounty: Argo CD reconciles apps outside configured namespaces when sharding is enabled
An authorization bypass vulnerability was found in Argo CD versions 2.5.0-rc1 and later, allowing a malicious user to deploy applications outside of the configured allowed namespaces when sharding is enabled. The vulnerability was triggered when an application was updated, and the controller...
U.S. Department of State: HTML INJECTION on coins.state.gov
An HTML injection vulnerability was found on coins.state.gov, which could have allowed an attacker to modify the page and potentially steal a user's identity. The vulnerability was discovered through the use of the dalfox tool...
Rocket.Chat: Reflected Cross-Site Scripting (CVE-2022-32770)
Vulnerability description not provided...
U.S. Dept Of Defense: Install.php File Exposure on Drupal
The install.php file on Drupal 8 or higher was left accessible after installation, potentially allowing attackers to reinstall the website and cause data loss or other issues. Additionally, an error message displayed on the website could be used to escalate privilege and access sensitive...
Kubernetes: Privilege Escalation in kOps using GCE/GCP Provider
A privilege escalation vulnerability was discovered in kOps when using the GCE/GCP provider. An attacker with shell access to a pod could escalate their privileges to cluster admin by accessing the service account credentials and sensitive information stored in the state storage bucket. This...
Automattic: Stored XSS on app.crowdsignal.com your-subdomain.crowdsignal.net via Thank You Header
A stored XSS vulnerability was found on app.crowdsignal.com, allowing an attacker to execute arbitrary JavaScript code on the victim's browser. The vulnerability could be triggered by editing the Thank You Header with a malicious payload and could result in the compromise of sensitive user...
Adobe: Adobe Experience Manager 'Childlist selector' - Cross-Site Scripting on cbconnection.adobe.com
A cross-site scripting XSS vulnerability was discovered in the 'Childlist selector' feature of Adobe Experience Manager on cbconnection.adobe.com. The vulnerability could be exploited by an attacker to execute arbitrary code in the context of the affected website...
Adobe: Adobe Experience Manager 'Childlist selector' - Cross-Site Scripting on cbconnection-stage.adobe.com
We appreciate the collaboration and responsible disclosure of this researcher...
Krisp: SQL Injection + Insecure Deserialization leads to Remote Code Execution on https://krisp.ai
The tenweb-speed-optimizer WordPress plugin prior to version 2.12.22 was vulnerable to unauthenticated SQL injection in /wp-json/tenwebio/v2/compress-one, which could be exploited to gain remote code execution by chaining it with insecure deserialization...
LinkedIn: bypass two-factor authentication.
Vulnerability description not provided...
Nextcloud: Missing brute force protection on password confirmation modal
A vulnerability was found in Nextcloud that allowed an attacker to bypass password protection and view a user's current password in cleartext. This was possible due to a lack of rate limit on the endpoints for generating backup codes, deleting accounts, and updating profiles. The vulnerability wa...
Nextcloud: Error in Booking an appointment reveals the full path of the website
A vulnerability in Nextcloud allowed users to reveal internal paths of the website when booking an appointment with SMTP configuration. An attacker could exploit this vulnerability to gain sensitive information about the website's internal structure...
X (Formerly Twitter): Ability to get Twitter Blue verified badge without purchasing it
Vulnerability description not provided...
Nord Security: Stored XSS at nordvpn.com
Vulnerability description not provided...
U.S. Dept Of Defense: Authentication Bypass Using Default Credentials on █████
An authentication bypass vulnerability was discovered on the admin console of █████████, allowing unauthorized access to the portal and its data using default credentials. The suggested mitigation is to change the credentials. No CVE numbers or affected product versions were mentioned...
ownCloud: Remote Code Execution on ownCloud instances with ImageMagick installed
A vulnerability in ownCloud instances with ImageMagick installed allowed attackers to execute arbitrary code on the system by uploading a specially crafted file and knowing the file path of a previously uploaded file. The vulnerability was due to the usage of ImageMagick for preview generation fo...
HackerOne: Private information exposed through GraphQL search endpoints aggregates
Private information could be exposed through the aggs argument on the search and opportunitiessearch endpoints on the GraphQL root node, allowing for the potential exposure of private program handles and other data that can be aggregated...
LinkedIn: Anyone can view the results of a LinkedIn skill test, whether the user failed to earn a badge or the earned badge is kept private: in both cases the results can be viewed
Vulnerability description not provided...
8x8: Open Redirect - Polycom Company Directory
Vulnerability description not provided...