Brave Software: S3 Bucket Takeover "brave-browser-rpm-staging-release-test"
An unclaimed S3 bucket was found on the domain hosting services of brave.com, which could have been taken over by an attacker to spread malware using the keyrings of the brave browser. The bucket was used to get keyrings of the browser in Linux distros, and it was pointing towards an unclaimed S3...
U.S. Dept Of Defense: Reflected XSS at ████████
A reflected cross-site scripting (XSS) vulnerability was discovered in the dochelper feature of a certain domain. An attacker could inject a crafted script into the userId parameter, which would execute when the victim user accessed the page, potentially allowing the attacker to steal the victim's...
EXNESS: Blind SSRF on https://my.exnessaffiliates.com/ allows for internal network enumeration
A blind stored server-side request forgery vulnerability was discovered in an endpoint of a website. This allowed internal network details to be disclosed by making requests to internal IP addresses and ports. With escalation, further inspection of the internal network could have been possible. T...
Nextcloud: Existence of calendars and addressbooks can be checked by unauthenticated users
Vulnerability description not provided...
GitHub: Rogue collaborators and ambiguous branch names in GitHub
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling. This affected all versions prior to 3.9 and was fixed in later versions...
EXNESS: Double forward slash breaks server-side restrictions & allows access to prohibited services from a partner account
A vulnerability was discovered where making an API call with double/multiple forward slashes broke server-side restrictions imposed upon a partner account, allowing unrestricted access to the autorebates facility, which was otherwise unavailable to the partner account...
8x8: wavecell.com: Broken Link Hijacking / Instagram Takeover @██
Vulnerability description not provided...
HackerOne: HackerOne Undisclosed Report Leak via PoC of Full Disclosure on Hacktivity
Sensitive report data, including report title, severity, program, and report ID, was leaked due to a mistake by a researcher and HackerOne. The leak occurred when HackerOne disclosed a report but did not redact the video proof of concept, which contained undisclosed reports reported by the...
curl: CVE-2023-23916: HTTP multi-header compression denial of service
An HTTP multi-header compression denial of service vulnerability was discovered that allowed an attacker to send an HTTP response with many occurrences of Transfer-Encoding and/or Content-Encoding headers, consuming all available memory and causing a denial of service. The vulnerability was patch...
U.S. Dept Of Defense: XSS on ( █████████.gov ) Via URL path
An XSS vulnerability was discovered on a government website, allowing an attacker to execute malicious code on the victim's browser and steal their cookies, potentially leading to account takeover. The vulnerability was exploited by injecting a script into the URL path. The suggested mitigation i...
Nextcloud: App pin of the Android app can be bypassed via 3rdparty apps generating deep links
Vulnerability description not provided...
8x8: speedtest.8x8.com: Enabled Directory Listing
Vulnerability description not provided...
curl: libssh backend CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 validation bypass
Summary: If libcurl is built against libssh, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 is quietly ignored. As a result an SSH connection will be established even if the SHA256 key set doesn't match. Steps To Reproduce: 1. configure libcurl with libssh and build it 2. curl --hostpubsha256 HOSTFINGERPRINTHERE...
Cloudflare Public Bug Bounty: Session mismatch leading to potential account takeover (local access required)
Vulnerability description not provided...
Yelp: Direct access to tox.ini file which contains configuration details
The tox.ini file, which contained configuration details, was publicly accessible...
HackerOne: Users querying dim_hacker_reports table through Analytics API can determine data from dim_reports table using WHERE or HAVING query
The Analytics API query builder was vulnerable to a confusion attack that allowed users to query data from the dim_reports table using a WHERE or HAVING clause with a FILTER in the HackerOne Analytics Query Language (HAQL). This was possible because the dim_reports and dim_hacker_reports tables both...
Stripe: XSS vulnerability without a content security bypass in a `CUSTOM` App through Button tag
A possible XSS vulnerability was discovered in a CUSTOM app through the Button tag, without being able to bypass a content security policy. An attacker could exploit this vulnerability to execute malicious code on the affected website...
U.S. Department of State: Impact of Using the PHP Function "phpinfo()" on System Security - PHP info page disclosure
Sensitive information such as the exact PHP version, operating system and its version, internal IP addresses, server environment variables, and loaded PHP extensions and their configurations could be revealed by using the PHP function "phpinfo". This could potentially be exploited by attackers to...
U.S. Dept Of Defense: [U.S. Air Force] Information disclosure due to unauthenticated access to APIs and system browser functions
Multiple information exposure vulnerabilities were found in a Jira Server instance, allowing unauthenticated attackers to access APIs and system browser functions, leading to unauthorized access to sensitive data. The vulnerability was registered as CVE-2020-14179...
Yuga Labs: Origin IP Exposed WAF bypass
The origin IP address of the website was exposed, allowing bypassing of the anti-DDoS mechanism in place, such as Cloudflare. This could have enabled access to the service without going through the web application firewall, potentially leading to unfiltered payloads being forwarded to the service...
Node.js: CRLF Injection in Nodejs ‘undici’ via host
A CRLF injection vulnerability existed in the 'host' header of undici.request API, allowing an attacker to inject arbitrary HTTP headers and conduct various attacks. The vulnerability impacted undici library versions up to 5.14.0...
Shopify: Non-store owners can transfer Shopify-managed domain to another domain provider
A vulnerability was found where Shopify staff members without the 'Transfer domain to another Shopify store' permission were able to transfer Shopify-managed domains to external domain providers. This allowed non-store owners to transfer store domains outside of Shopify's control...
Nextcloud: No password length restriction in reset password endpoint
There was no password length restriction in the reset password endpoint of the Nextcloud platform, which could allow an attacker to perform a denial of service attack by entering a large number of characters as a password. The vulnerability has been mitigated by restricting users to use less than...
ExpressionEngine: PHP Object injection -> Building Custom Gadget chain -> RCE
Vulnerability description not provided...
Glassdoor: Full account takeover without user Interaction
A vulnerability in the email verification process allowed bypassing of email validation checks. An attacker could manipulate the API response to change the isValidated parameter, enabling registration of accounts with unregistered email addresses and verification without legitimate access to the...
Snapchat: Delete anyone's content spotlight remotely.
A vulnerability was discovered in Snapchat's Spotlight feature that allowed anyone to delete another user's content remotely. By intercepting and modifying the delete request, an attacker could replace the ID parameter with that of another user's video, resulting in the deletion of their content...
Brave Software: Brave News feeds can open arbitrary chrome: URLs
An issue was discovered in Brave Browser versions 1.46.144 and earlier. The Brave News feeds feature can be exploited to open arbitrary chrome: URLs, bypassing the Same Origin Policy (SOP) and potentially granting access to privileged URLs. An attacker could use this vulnerability to gain...
Brave Software: UI spoofing by showing sms:/tel: dialog on another website
A vulnerability was discovered in Brave for iOS version 1.45.2 that allowed for UI spoofing by showing an sms:/tel: dialog on another website without displaying the caller origin, potentially leading to user confusion and deception...
Brave Software: Brave Shield for iOS is weak against IDN homograph attacks
A vulnerability was found in Brave Shield for iOS, where it was weak against IDN homograph attacks. This allowed attackers to deceive users into believing that a site is legitimate by showing a different domain name in the Brave Shield panel. The vulnerability affected Brave for iOS version 1.45....
LinkedIn: [ Continuation Report from #1814842 ] Can create articles using other users' NewsLetters
Vulnerability description not provided...
U.S. Department of State: RXSS on https://travel.state.gov/content/travel/en/search.html
Vulnerability description not provided...
Equifax-vdp: reflected XSS in [www.equifax.com]
A reflected XSS vulnerability was found in the search functionality of Equifax's website. An attacker could execute malicious JavaScript code on a victim's browser by injecting a payload into the "q" parameter of the search query. This could potentially allow the attacker to steal the victim's...
Equifax-vdp: reflected XSS in [www.equifax.com]
A reflected XSS vulnerability was found in an endpoint of Equifax's website. An attacker could execute malicious JavaScript code on victims who visit a specially crafted link, potentially stealing their cookies...
Sorare: Mystery with a leaked token and Reusability of email confirmation link leading to Account Takeover
A vulnerability was discovered where leaked email confirmation links could be reused to gain access to a user's account without requiring a password. This was possible by modifying the token parameter in the URL of the expired confirmation link. An attacker who gains access to such a leaked link...
Semrush: IDOR allows information disclosure
A vulnerability in the Social Media Inbox tool's task tracker allowed information disclosure. The tool enables linking social accounts to oversee content and engage audiences. Its task tracker lets users delegate messages to colleagues. It was found a user could assign messages to any user ID,...
Reddit: Reflected XSS via File Upload
Vulnerability description not provided...
Reddit: OAuth misconfiguration leads to account takeover
Vulnerability description not provided...
Gener8: Twitter Broken Link in https://gener8ads.com (HackerOne Profile)
A broken Twitter link was found on a company's HackerOne profile, which could be claimed by any malicious user. This could lead to the hijacking of the link and the potential deception of new researchers who click on it...
curl: curl file writing susceptible to symlink attacks
Summary: If curl command is used to download a file with predictable file name to a world writable directory such as /tmp, a local attacker is able to mount a symlink attack to either A redirect the target file writing to another file writable by the user or B replace the downloaded file contents...
U.S. Dept Of Defense: reflected xss in www.████████.gov
A reflected XSS vulnerability was discovered in a government website, allowing an attacker to execute malicious scripts on a victim's browser. The vulnerability could lead to cookie stealing, arbitrary requests, malware download, and defacement of the website. The vulnerability was triggered by...
curl: CVE-2023-23915: HSTS amnesia with --parallel
HSTS cache entries were overwritten by curl when requests were made in parallel, resulting in only one site being protected by TLS and the others being vulnerable to loss of confidentiality and integrity...
curl: CVE-2023-23914: curl HSTS ignored on multiple requests
A vulnerability was found in curl tool's HSTS feature, where it failed to work correctly when multiple requests were made within a single invocation, resulting in requests being performed over insecure channels, potentially leading to loss of confidentiality and integrity...
Internet Bug Bounty: CVE-2022-43551: Another HSTS bypass via IDN
Curl versions 7.77.0 to 7.86.0 were affected by a vulnerability CVE-2022-43551 that allowed bypassing of the HTTP Strict Transport Security HSTS check, enabling attackers to trick curl into using HTTP instead of HTTPS. The vulnerability was caused by the use of IDN characters that get replaced to...
Nintendo: [MK8DX] Improper ranking/replay file parsing
The vulnerability in the Mario Kart 8 Deluxe game involved improper ranking and replay file parsing. This could have been exploited, with potentially unintended consequences...
LinkedIn: Attackers do not need to Pay for a Subscription to get the `Discussion Group URL` in `Paid Learning`
Vulnerability description not provided...
Reddit: CVE-2020-11022
Vulnerability description not provided...
GitHub Security Lab: [Go]: Add Beego.Input.RequestBody source to Beego framework
Vulnerability description not provided...
Nintendo: [MK8DX] Improper metadata validation 2
Vulnerability description not provided...
Cloudflare Public Bug Bounty: Bypassing creation of API tokens without email verification
API tokens could be created without email verification on Cloudflare. If an email-verified account changed their email address without verifying the new email, previously created API tokens remained valid. This vulnerability was addressed by requiring verification before completing the email chan...
U.S. Department of State: xss and html injection on ( https://labs.history.state.gov)
Possible XSS and HTML injection vulnerabilities were found on the website https://labs.history.state.gov through the "id" parameter, as user input was not sanitized and the website was using a vulnerable version of the jQuery library. Attackers could have exploited these vulnerabilities to execut...