Liberapay: Email Address Exposure via Gratipay Migration Tool
Through the /migrate route, an attacker can input the username of any user on the site and retrieve their primary email address without any authorization required. Steps to reproduce: Note: This cannot be performed with hackerone-target, because that account seems to return a None as an email. 1...
Nextcloud: A vulnerability classified as critical has been found in gsi-openssh-server 7.9p1 on Fedora (Connectivity Software) on server (http://95.217.64.181:22
Summary: "hello" vulnerability: GSI-OPENSSH-SERVER 7.9P1 ON FEDORA /ETC/GSISSH/SSHD_CONFIG CREDENTIALS MANAGEMENT Description of problem: A vulnerability classified as critical has been found in gsi-openssh-server 7.9p1 on Fedora (Connectivity Software) on server http://95.217.64.181:22. This...
Yelp: Robots.txt file with potentially sensitive content.
Vulnerability description not provided...
Cloudflare Public Bug Bounty: cd=false (DNSSEC) not respected in DNS over HTTPS JSON requests
The value of the cd (checking disabled) flag was not correctly validated in DNS-over-HTTPS JSON API requests to cloudflare-dns.com. As a result, despite explicitly setting the flag value to 0 or false according to the Cloudflare 1.1.1.1 documentation, the DNSSEC verification was not enforced for an unawa...
Nextcloud: Secure view trivial to bypass
The secure view feature in Nextcloud was vulnerable to bypassing, allowing users to download files without watermarks. This was possible by using the richdocuments app and adding "/contents" to the URL. The checkbox indicating that downloading is not allowed was misleading, and a solution could b...
Nextcloud: Download permissions can be changed by resharer
Download permissions in Nextcloud 25 could be changed by a resharer, rendering the secure view feature for internal shares useless. This allowed users to download files without the watermark and other security measures...
U.S. Dept Of Defense: Sql Injection At █████████
Description: Hi Security Team, I hope you are doing well. SQL Injection is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. 1: Visit this endpoint https://█████/ As you can see, this website is using Asp.n...
Weblate: No rate limiting for Remove Account leads to huge mass mailings
Name of the vulnerability: No rate limiting for Remove Account leads to huge mass mailings. Hello Team, I am a security researcher and I found this vulnerability in your website. Business Logic Errors. https://hosted.weblate.org Description: No Rate Limit is a type of computer security vulnerability...
curl: CVE-2022-42915: HTTP proxy double-free
This is a finding that Trail of Bits found in their ongoing curl security audit. Reported at a status meeting today. Summary: curl frees memory twice in some cleanup function related to HTTP proxies. It is as simple as curl -x http://localhost:80 dict://127.0.0.1 Using valgrind on the current git...
curl: CVE-2022-35260: .netrc parser out-of-bounds access
Summary: Curl expects the .netrc file to have space characters. So if there is no space character, it will do an out-of-bounds read and a 1-byte out-of-bounds write. This can happen multiple times depending on the state of the memory. Steps To Reproduce: curl --netrc-file .netrc test.local ".netr...
Nextcloud: Suspicious login app ships old league/flysystem version
A vulnerability in the Suspicious Login app allowed a remote attacker to execute arbitrary code on the target system due to a race condition. The vulnerability was caused by an outdated version of the Flysystem library 0.1.0 - 2.1.0 that allowed a malicious user to upload and execute arbitrary co...
Yelp: Autofill/Autosave password on login
The reporter disclosed that autocomplete is enabled on the Yelp login page. Our response: "Auto-completing passwords is generally considered a user-friendly feature. Additionally, some browsers now ignore the autocomplete=off on passwords."...
U.S. Dept Of Defense: Sensitive Data Exposure at https://█████████
Sensitive data exposure was discovered in an endpoint of a website, which contained AWS S3 credentials, PATH, IP, and PORTs. This could have allowed an attacker to gain access to sensitive information on the AWS account or perform arbitrary modifications on the AWS resources...
Nextcloud: Desktop client can be tricked into opening/executing local files when clicking a nc://open/ link
The Nextcloud Desktop Client in version 3.6.0 was vulnerable to a Remote Code Execution that could be exploited by anyone who could upload files to an instance the user had access to. The vulnerability was caused by the insecure implementation of the "local edit" feature, which allowed attackers ...
Acronis: mail.acronis.com is vulnerable to zero day vulnerability CVE-2022-41040
Hello Acronis team, Please run curl -ksL -m5 -o /dev/null -I -w "%{http_code}" "https://mail.acronis.com/autodiscover/autodiscover.json?Email=autodiscover/[email protected]&Protocol=ActiveSync" curl -ksL -m5...
Reddit: HTML injection in API response including request url
Vulnerability description not provided...
Ruby: Header CRLF Injection in Ruby Net::HTTP
Vulnerability description not provided...
Linktree: A malicious admin can permanently disable an Owner (Admin) from accessing his account
Ability to disable access to account. While exploring the Multiple Admin feature in the application, I noticed a behavior that can lead to permanently disabling an Owner Admin from accessing his account...
Equifax-vdp: Subdomain takeover at http://test.www.midigator.com
Vulnerability Subdomain test.www.midigator.com points to an AWS S3 bucket that no longer exists. I was able to take control of this bucket and serve my own content on it. Proof Of Concept code $ dig test.www.midigator.com snipped ;; ANSWER SECTION: test.www.midigator.com. 60 IN CNAME...
Stripe: Promotion code can be used more than redemption limit.
A race condition vulnerability existed in the promotion code creation process, allowing users to use the same code more times than the specified redemption limit. This could result in unauthorized discounts or other unintended consequences...
Consensys: Sub-Domain Takeover at http://www.codefi.consensys.net/
Summary: Subdomain takeovers: A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical name CNAME in the Domain Name System DNS, but no host is providing content for it. This can happen because eithe...
Semrush: Exposure of service tokens to webpack bundle
Service tokens were exposed in a webpack bundle during the build process due to environment variables being accidentally included in the webpack configuration file. A review found no evidence the exposed tokens were used by unauthorized parties...
LinkedIn: Unauthorized User can View Subscribers of Other Users Newsletters
A vulnerability existed in the LinkedIn Voyager platform that allowed unauthorized users to view the subscriber list and details of other users' newsletters by replaying a vulnerable request using the victim's NewsletterId. This was due to missing server-side authorization checks on a specific AP...
Yelp: CORS Misconfiguration on trust.yelp.com
Summary: A cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of th...
Reddit: sensitive data exposure
Summary: A password hash entry was found in /etc/passwd. This is a major vulnerability since /etc/passwd is a world-readable file by default. Once the password hash is found, an attacker may extract the password using a program like crack. Impact: it is a high-impact vulnerability. Once a hacker foun...
Omise: The endpoint '/test/webhooks' is vulnerable to DNS Rebinding
Vulnerability description not provided...
Slack: Ability to join an arbitrary workspace by utilizing a proxy to manipulate invite links
A vulnerability was found in Slack that allowed experienced researchers to utilize an intercepting proxy to manipulate invite links and join an arbitrary workspace without admin approval. The issue was fixed immediately and no customers were impacted...
Yelp: Subdomain Takeover on delivey.yelp.com
Summary: Subdomain takeover vulnerabilities occur when a subdomain (delivery.yelp.com) is pointing to a service. Vulnerable url: delivery.yelp.com This is a verify link. F1959331 Platforms Affected: website Steps To Reproduce 1. Create the Amazon S3 Bucket on this Name: delivery.yelp.com F1959320...
Fastify: Denial of service via malicious Content-Type
Summary: I found a way to crash a [email protected] server with a single query on a minimal setup. The function ContentTypeParser.getParser does not properly check if the requested content-type parser exists. /lib/contentTypeParser.js:94 javascript ContentTypeParser.prototype.getParser = function...
Internet Bug Bounty: DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)
A vulnerability in Node.js allowed an attacker-controlled DNS server to bypass DNS rebinding protection by resolving hosts in the .local domain. This allowed an attacker to gain access to the Node.js debugger, potentially resulting in remote code execution. The vulnerability affected all versions...
Yelp: no rate limit in forgot password session
A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP servers can respond with status code 429: Too Many...
U.S. Dept Of Defense: Upload and delete files in debug page without access control.
A debug page with no access control allowed uploading, reading, and deleting files, leading to insufficient access control and potential file deletion by attackers...
MTN Group: IDOR Leads To User Profile Modification https://mtnmobad.mtnbusiness.com.ng/app/updateUser
A vulnerability in the web application allowed authenticated users to modify the profile information of any other user without proper authorization checks. The issue was caused by the lack of sufficient authorization controls when updating user profiles through the /app/updateUser endpoint...
Mars: Jolokia Reflected XSS
Summary: Salam, Hi team, I hope you are well. After doing some recon on mars.com I saw that the website uses Jolokia 1.3.5; it's vulnerable to reflected XSS. Steps To Reproduce: 1. Vuln Link: https://couponsmanager-uat.b2b.mars.com/jolokia/read%3Csvg%20onload=alertdocument.cookie%3E?mimeType=text/htm...
Nextcloud: [nextcloud/server] Moment.js vulnerable to Inefficient Regular Expression Complexity
Describe the bugs: 🐛 moment is a lightweight JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the preprocessRFC2822 function in from-string.js, when processing a...
Yelp: Server-side request forgery (ssrf)
.yelp-support.com Summary: Server-side request forgery Platforms Affected: www.yelp-support.com Steps To Reproduce: 1. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details. 2. Your server redirects to a malicious website. 3. I am...
GitHub: Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api
An incorrect authorization vulnerability was found in GitHub Enterprise Server that allowed GitHub Apps to gain access to and modify most organization-level resources that are not tied to a repository, regardless of granted permissions. This vulnerability affected all versions of GitHub Enterpris...
Gymshark: Subdomain takeover on 'de-headless.staging.gymshark.com'
The Gymshark subdomain https://de-headless.staging.gymshark.com/ was pointing to an unclaimed Shopify site. Because of this an attacker could claim this subdomain, via Shopify, and serve their own content. This is extremely dangerous as an attacker could serve any malicious content on this domain...
Nextcloud: XSS in Desktop Client in call notification popup
Summary: The Nextcloud Desktop Client application does not properly neutralize the name of a group conversation before using it. Steps To Reproduce: Server Machine: 1. Install the Nextcloud Server application 2. Create an administrator account 3. Create a user account Client Machine: 4. Install t...
Automattic: Archived / Deleted / Private Poll Can Be Viewed by Another Users [Crowdsignal WordPress plugins]
This issue was reported by @apapedulimu in CrowdSignal. The private or deleted polls on https://app.crowdsignal.com questions/answers, not results could be viewed by other users through the editor in the CrowdSignal plugin. Happy to learn and work with the Automattic team!...
Node.js: DNS rebinding in --inspect via invalid octal IP address
Summary: The Node.js rebinding protector for --inspect still allows invalid IP addresses, specifically the octal format. An example of an octal IP address is 1.09.0.0; the 09 octet is invalid because 9 is not a digit in the base 8 number system. Browsers such as Firefox tested on latest version m1...
GitHub Security Lab: [CPP]: Add query for CWE-297: Improper Validation of Certificate with Host Mismatch
This bug was reported directly to GitHub Security Lab...
MetaMask: Possible to spoof Origin in "Connected Sites"
A vulnerability was discovered in MetaMask that allowed for the spoofing of the origin domain name in the "Connected Sites" list. This was caused by a CSS style sheet that set the direction to "right-to-left", which resulted in the order of characters in the domain name being messed up and...
Basecamp: Arbitrary write in the application's data folder and arbitrary read of server's replies from 3rd party apps.
A path traversal vulnerability was found in the Android app com.basecamp.bc3 version 3.26.3, allowing an attacker to write arbitrary files in the app's private directory. Additionally, the attacker could redirect server responses containing sensitive information to 3rd party apps using a...
MTN Group: Authentication Bypass Leads To Complete Account Takeover on ██████████
The application's backend logic placed too much trust on the login information submitted by the user, which allowed a remote attacker to bypass authentication and perform account takeover...
Stripo Inc: Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo
A previously disclosed vulnerability regarding API key disclosure in Stripo was reported as resolved...
Nextcloud: Vulnerable moment-timezone version shipped
An information exposure vulnerability was found in the moment-timezone package used by Nextcloud server. Attackers could sniff network traffic during data transmission, making exploitation easier. The vulnerability was patched in version 0.5.35 by replacing the FTP endpoint with an HTTPS endpoint...
Yelp: No rate limit on subscribe form
Summary: Hi team, I found that you are missing rate limit protection for the subscribe form. Platforms Affected: https://business.yelp.com/?source=consumersiteheader&utm_content=header&utm_medium=www&utm_source=conshome Steps To Reproduce: 1. go to...
Nextcloud: XSS in Desktop Client via user status and information
Summary: The Nextcloud Desktop Client application does not properly neutralize the Full Name and Status Message of users before using them. Steps To Reproduce: Server Machine: 1. Install the Nextcloud Server application 2. Log into your account 3. Navigate to your profile page 4. Set the Full Nam...
Yelp: If the website does not impose additional defense against CSRF attacks, failing to use the 'Lax' or 'Strict' values could increase the risk of exposur
Summary: Cookies are typically sent to third parties in cross-origin requests. This can be abused to do CSRF attacks. Recently a new cookie attribute named SameSite was proposed to disable third-party usage for some cookies, to prevent CSRF attacks. Same-site cookies allow servers to mitigate the...