LinkedIn: Can VIEW Videos on LinkedIn Learning that Require a Subscription Without having to Subscribe Via `SHARE features`
Vulnerability description not provided...
GitLab: Stored XSS via Kroki diagram
Arbitrary JavaScript could be executed when a victim viewed a comment on GitLab due to a stored XSS vulnerability via Kroki diagram. This was possible by crafting a pre block so that arbitrary attributes could be injected into the resulting img tag. The vulnerability was caused by the lang attribute...
LinkedIn: Attackers can use TRIAL Premium only by paying **IDR 10,000.00** from the original price of `IDR462,400.00` per month
Vulnerability description not provided...
Node.js: Multiple OpenSSL error handling issues in nodejs crypto library
Multiple OpenSSL error handling issues were discovered in the Node.js crypto library up to version 19.2.0. The library did not clear the OpenSSL error stack after operations that may set it, which could lead to false positive errors during subsequent cryptographic operations that happen to be on...
LinkedIn: Attackers can create unlimited jobs by paying a low price `( Rp. 10,000 )` from the original lowest price of around **Rp 93,151**
Vulnerability description not provided...
Nextcloud: Permissions not respected when copying entire group folders
Vulnerability description not provided...
Kubernetes: The `io.kubernetes.client.util.generic.dynamic.Dynamics` contains a code execution vulnerability due to SnakeYAML
A code execution vulnerability was found in the io.kubernetes.client.util.generic.dynamic.Dynamics class of the Kubernetes Java Client version 17.0.0. The vulnerability was due to the use of the SnakeYAML parser without a safe constructor, which allowed an attacker to achieve code execution inside the...
LinkedIn: Entire database of emails exposed through URN injection
The entire database of LinkedIn emails was exposed due to a vulnerability in the decoration feature of the Voyager API. An attacker could assign a URN value to a text field inside a profile and trigger a URN resolution to retrieve the email. The query engine did not check whether a field should ...
U.S. Department of State: Accessing unauthorized administration pages and seeing admin password - speakerkit.state.gov
Vulnerability description not provided...
Nextcloud: Mail app stores cleartext password in database until OAUTH2 setup is done
A vulnerability was found in the Nextcloud Mail app where the password for XOAUTH2 accounts was stored in clear text in the database during the setup process, until the OAUTH2 setup was completed. This could have allowed a database administrator to read the plaintext password...
Nextcloud: Reference fetch can saturate the server bandwidth for 10 seconds
A vulnerability existed in Nextcloud Talk that allowed an attacker to saturate the server bandwidth for up to 10 seconds by posting messages containing links to high-bandwidth resources. This could result in temporary disk space filling and severe impact on server performance or denial of service...
Internet Bug Bounty: CVE-2022-23519: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)
The following is from: https://hackerone.com/reports/1656627 Intro: The Rails HTML sanitizer allows setting certain combinations of tags in its allow list that are not properly handled. Similar to the report 1530898, which identified the combination select and style as vulnerable, my fuzz testing...
Internet Bug Bounty: CVE-2022-23520: Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)
The following is from: https://hackerone.com/reports/1654310 While building a PoC for CVE-2022-32209, I noticed that I could not fix my vulnerable application by updating https://github.com/rails/rails-html-sanitizer from 1.4.2 to 1.4.3 even though the HackerOne report about this vulnerability...
Internet Bug Bounty: Rails ActionView sanitize helper bypass leading to XSS using SVG tag.
Loofah versions between 2.1.0 and 2.19.1 were vulnerable to a cross-site scripting (XSS) attack via the image/svg+xml media type in data URIs. This allowed an attacker to bypass HTML sanitization and execute malicious code. The vulnerability was mitigated by upgrading to Loofah version 2.19.1 or...
Cloudflare Public Bug Bounty: 2FA BYPASS
A vulnerability in Cloudflare's Dashboard allowed for the retrieval of recovery codes without completing the authentication process. The issue was resolved by disallowing requests to the vulnerable API endpoint until users were fully authenticated...
Stripe: Possible XSS vulnerability without a content security bypass
A possible XSS vulnerability was found in https://dashboard.stripe.com when creating a custom link with the javascript://%0aalert1 link. Although a content security policy refused to execute the script, if an attacker could bypass the CSP, they could exploit the vulnerability...
U.S. Dept Of Defense: Improper Access Control on MediaWiki allows attackers to restart installation on DoD asset
An improper access control vulnerability was found on a MediaWiki website, allowing attackers to restart the installation process without authentication. The vulnerability was fixed by blocking all access to the mw-config folder...
Internet Bug Bounty: ReDoS (Rails::Html::PermitScrubber.scrub_attribute)
I reported at https://hackerone.com/reports/1684163 https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w Certain configurations of rails-html-sanitizer 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to...
Cloudflare Public Bug Bounty: Origin IP address disclosure through Pingora response header
HTTP responses to cached files served by the Pingora proxy revealed Origin IP address information. An attacker could trigger this misbehaviour by crafting a request with a malformed Range header. The attack was successful under conditions where Cloudflare cache was in REVALIDATED state, the...
LinkedIn: Delete any LinkedIn comment on learning API of other users
Vulnerability description not provided...
LinkedIn: Information disclosure by sending a GIF
Critical information about LinkedIn users, including their operating system, browser, IP address, device ID, phone model, and time zone, could be obtained by an attacker through the use of a GIF sent via the messaging feature. The vulnerability affected all platforms where the link could be used,...
U.S. Dept Of Defense: Reflected XSS on ██████.mil
A reflected XSS vulnerability was discovered on a military website. Chained with a CORS misconfiguration, if the site was vulnerable to one, it allowed an attacker to fetch cookies/tokens from any website requiring login. The vulnerability was exploitable by injecting a script into the search bar...
MTN Group: Reflected cross site scripting (XSS) attacks
The vulnerability summary is as follows: Reflected XSS attacks occur when a malicious script is reflected off of a web application into the victim's browser. The vulnerability is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web...
Mattermost: Uninstalling Mattermost Launcher for Windows (64-bit), then reinstalling keeps you logged in without authentication
The Mattermost Desktop App for Windows 64-bit had a vulnerability where uninstalling and then reinstalling the app would automatically log the user back in without requiring authentication, allowing unauthorized access to the user's account and data. The uninstall process did not remove session...
Glassdoor: Cache Poisoning allows redirection on JS files
A cache poisoning vulnerability was discovered in Glassdoor's design website. By sending a specific request, an attacker could redirect the /test.js file to a malicious website. This could potentially lead to a stored cross-site scripting (XSS) attack if other Glassdoor websites imported JavaScript...
U.S. Dept Of Defense: Unauthenticated phpinfo() files could lead to ability file read at █████████ [HtUS]
Description: Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo' for debugging purposes, and various PHP applications may also include such a file by default. By accessing it, a remote attacker can discover a large amount of information abo...
U.S. Dept Of Defense: Reflective Cross Site Scripting (XSS) on ███████/Pages
Summary: A reflected cross-site scripting (XSS) vulnerability was discovered in Microsoft SharePoint Server. The vulnerability was caused by improper sanitization of a web request to an affected SharePoint server. The vulnerability could have been exploited by an authenticated attacker to execute...
Nextcloud: Website PHP source code returned in javascript
Server-side PHP source code was disclosed to users due to a misconfiguration or typographical error in the application's script, potentially exposing sensitive information such as database passwords and secret keys...
TikTok: Any user can vote on `Friend Only` video pull
Vulnerability description not provided...
8x8: Unprotected Atlantis Server at https://152.70.█.█
Atlantis is an application for automating Terraform via pull requests. @shuvam321 reported to us an exposed Atlantis test server in our infrastructure. No sensitive information had been disclosed & we restricted access to the Atlantis service entirely, which resolved the issue...
Hiro: Security Issue into Wallet lock protection
Description: While testing the wallet extension I generally try to test multiple endpoints, so 2 tabs of the wallet were open on chrome-extension://ldinpeekobnhjjdofggfgjlcehhmanlj/popup.html. So I tried to lock the wallet extension but I found that I can still use the browser in the 2nd tab, why, I had already locked...
LinkedIn: Ad Account Takeover
Vulnerability description not provided...
Brave Software: S3 Bucket Takeover : brave-apt
An unclaimed S3 bucket was found on the domain brave.com, which was being used in the installation of brave-browser in Linux distros. An attacker could have taken over the S3 bucket and used it to spread malware or create a fake login page to spoof users. The vulnerability was reported to the...
Uber: HTML injection via insecure parameter [https://www.ubercarshare.com/]
Vulnerability description not provided...
Nextcloud: Contacts only sanitizes PHOTO svg if mime type is all lower case
Vulnerability description not provided...
Nextcloud: Document content of files can be obtained through Collabora for files of other users
Vulnerability description not provided...
Expedia Group Bug Bounty: Open Redirect in Logout & Login
An open redirect vulnerability was discovered in the logout and login functionality of Expedia's website. An attacker could exploit this vulnerability by manipulating the "rurl" parameter in the logout URL to redirect users to a malicious website, potentially leading to phishing or social...
Internet Bug Bounty: Electron CVE-2022-35954 Delimiter Injection Vulnerability in exportVariable
Describe the summary: The Electron Website provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write...
HackerOne: Any organization's assets pending review can be downloaded
Steps to reproduce - sign in as any user - visit https://hackerone.com/organizations/:handle/assets/downloadpendingreviews.csv, where :handle is the organization you want to download the assets for Impact This may leak sensitive data about an organization's attack surface...
AMBER AI: I found some API keys in JS files, huge leak of token addresses and huge amount of JS files are not forbidden
Summary: Huge leak of token addresses in be.whalefin.com and huge leak of js files Steps To Reproduce: add details for how we can reproduce the issue 1. You can see huge leak of token addresses in below site https://be-jp.whalefin.com/common-config/v1/config/coin/all-config Please check poc...
Ian Dunn: Double evaluation in .bash_prompt of dotfiles allows a malicious repository to execute arbitrary commands
Summary: Due to the improper usage of the PS1 environment variable in .bash_prompt of dotfiles, a malicious repository can execute arbitrary commands when the current directory is changed to it. Description: The PS1 environment variable of bash supports command substitutions. For example, setting PS1 t...
Cloudflare Public Bug Bounty: Using special IPv4-mapped IPv6 addresses to bypass local IP ban
Vulnerability description not provided...
inDrive: Full access to InDrive jira panel via exposed API token
The Jira API token was exposed in a GitHub repository, allowing unauthorized access to the InDrive Atlassian panel and sensitive information stored in Jira...
inDrive: Drivers can access the customers phone number, current location without getting their offer accepted!
A vulnerability was found where drivers could access customers' phone numbers and locations without having their offer accepted...
MTN Group: Leaking usernames through endpoints Wordpress
The WordPress API exposed user information, including usernames, through a publicly accessible endpoint at https://alt.mtn.com/wp-json/wp/v2/users. This allowed an attacker to enumerate valid usernames on the site...
MTN Group: Wordpress users Disclosure [ /wp-json/wp/v2/users/ ] Not Resolved ()
On this report 735586 you closed the report and changed the status to Resolved. But it's not resolved. The bug is still there. URL: https://www.mtn.com/wp-json/wp/v2/users/ Sorry to say this, still I can reproduce this issue. Please remove the /wp-json/wp/v2/users/ file if your domain doesn't use that...
Nextcloud: Ability to read any emails through IDOR on Nextcloud Mail
Vulnerability description not provided...
Nextcloud: Passcode bypass on Talk Android app
Summary: It is possible to bypass the passcode protection in the Nextcloud Android Talk app by clicking the notification of a message. Talk App Android version: 15.0.2 RC1 Steps To Reproduce: 1. Create two users 2. Log User A in to the web interface while User B is on the Talk App Android 3. Using User ...
Node.js: Regular Expression Denial of Service in Headers
The Headers.set and Headers.append methods in the undici package were vulnerable to Regular Expression Denial of Service (ReDoS) attacks due to the inefficient regular expression used to normalize the values in the headerValueNormalize utility function. An attacker could exploit this vulnerability ...
Nextcloud: Messages can still be seen on conversation after expiring when cron is misconfigured
A vulnerability in Nextcloud Talk allowed expired chat messages to still be visible to anyone with access to the conversation, even after the message expiration time had passed...