U.S. Dept Of Defense: stored cross site scripting in https://████
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts on a victim's browser. PoC attached; another parameter at 1636345 q13794 payload: %22%27%3e%3csvg%2fonload%3dconfirm666%3e Impact Cookie Stealing - A...
U.S. Dept Of Defense: stored cross site scripting in https://██████████
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts on a victim's browser. PoC attached; another parameter at 1636345 q13779 payload: %22%27%3e%3csvg%2fonload%3dconfirm666%3e Impact Cookie Stealing - A...
GitLab: Stored-XSS with CSP-bypass via labels' color
Stored-XSS with CSP-bypass was discovered in GitLab that allowed attackers to execute arbitrary actions on behalf of victims at the client side. This was possible due to the import of unsanitized label colors from GitHub, which led to the execution of malicious JavaScript code...
U.S. Dept Of Defense: stored cross site scripting in https://████████.edu
A stored cross-site scripting XSS vulnerability was discovered in the ████████.edu website. This vulnerability allowed an attacker to inject and execute malicious scripts on a victim's browser, potentially leading to cookie theft, arbitrary requests, malware downloads, or website defacement...
Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215)
Summary: Due to an incomplete fix for CVE-2022-32215, the llhttp parser in the http module in Node v16.16.0 and 18.7.0 still does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). Description: add more details about this vulnerability We have...
Cloudflare Public Bug Bounty: Bypass two-factor authentication
Due to a lack of validation, a malicious actor could brute-force the OTP 2FA code and guess the correct number after multiple failures. The issue was fixed by the Engineering team by implementing restrictions on 2FA attempts...
HackerOne: Program managers can see draft reports using Export Reports feature
A bug in the HackerOne platform allowed program managers to see draft reports using the Export Reports feature, which led to the disclosure of PII without the reporter's permission. The bug was discovered when a user exported a report and found that it contained draft and disclosed report titles,...
Automattic: Stored XSS in intensedebate.com via the Comments RSS
In our "comments.rss" file, the blog post's title is reflected into the XML RSS file without any encoding. So I installed IntenseDebate on my website https://wp.s2.cm and created a blog post with an alert(document.domain) payload in the title. Then, ...
Hyperledger: fix(security):Path Traversal Bug
Unsanitized input from a CLI argument flows into io.ioutil.ReadFile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files. See this fix: https://github.com/hyperledger/fabric/pull/3573 Impact There is a path traversal...
Internet Bug Bounty: CVE-2022-35948: CRLF Injection in Nodejs ‘undici’ via Content-Type
The undici library should protect HTTP headers from CRLF injection vulnerabilities. However, CRLF injection exists in the 'content-type' header of the undici.request API. Impact = [email protected] users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more...
Internet Bug Bounty: [CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname
GHSA: https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3 Report: https://hackerone.com/reports/1642017 Impact SSRF...
Top Echelon Software: Wordpress Users Disclosure (/wp-json/wp/v2/users/)
Hello Team @topechelonsoftware Information: Using the REST API, we can see all the WordPress users/authors with some of their information. Steps To Reproduce: You can get user info by entering the URL below in your browser: https://www.topechelon.com/wp-json/wp/v2/users/ ███████ Impact Authors: LTR,...
Slack: Bypass invite accept for victim
Vulnerability description not provided...
HackerOne: Ability to escape database transaction through SQL injection, leading to arbitrary code execution
HackerOne has an internal backend interface that gives debugging capabilities to its engineers. One of the features is the ability to run EXPLAIN ANALYZE queries against a connected database. This feature is accessible by a handful of engineers. The feature is vulnerable to a SQL injection that...
Showmax: Reflected XSS at https://stories.showmax.com/wp-content/themes/theme-internal_ss/blocks/ajax/a.php via `ss_country_filter` param
Summary: A Reflected XSS issue at https://stories.showmax.com/. Description: This issue was found at the https://stories.showmax.com/wp-content/themes/theme-internal_ss/blocks/ajax/b.php page. But, as I understand it, the last part of the pathname, a.php, can be different. For example, b.php also works. Maybe ...
U.S. Dept Of Defense: springboot actuator is leaking internals at ██████████
Proof of Concept If you go to https://█████████/actuator you'll get a complete overview of all the endpoints that are accessible. Suggestion: Use a Firefox browser if possible; its JSON representation is well formed and the links are clickable ██████████ Impact Information Disclosure...
Omise: Secret API Key is logged in cleartext
Summary: While code-reviewing the repository, I have found that you log some sensitive data in clear text. Steps To Reproduce: 1. Check here omise/request.py line 88 and here omise/request.py line 111. 2. The source code explicitly logs the secret API key in debug mode: logger.debug('Authorization: %s',...
Adobe: Main Domain Takeover at https://www.marketo.net/
Resolved valid subdomain takeover report on Marketo. We appreciate the collaboration with the researcher...
Slack: CSV export/import functionality allows administrators to modify member and message content of a workspace
On August 6th, 2022 @security-warrior submitted a report in HackerOne to Slack regarding the CSV export/import functionality primarily used by administrators to merge workspaces. The report centers on the ability of an administrator to modify an export to change user or message content. Upon...
Reddit: IDOR allows an attacker to modify the links of any user
Hi team! I found an IDOR which allows modifying the links of any user. Users can put their custom links or social media links on their profile, e.g.: F1855366 To reproduce this: - Replicate the following request, replacing the authentication headers with your own: You must also put in the body of...
U.S. Dept Of Defense: stored cross site scripting in https://███
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts on a victim's browser. PoC attached; another parameter at 1636345 q21675 Impact Cookie Stealing - A malicious user can steal cookies and use them to gai...
U.S. Dept Of Defense: stored cross site scripting in https://█████████
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts on a victim's browser. PoC attached; another parameter at 1636345 q21677 Impact Cookie Stealing - A malicious user can steal cookies and use them to gai...
Reddit: Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability
Summary: There's no check whether the user is a moderator of the particular subreddit when accessing the mod logs via gql.reddit.com using the operation id. You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to the mod logs of...
U.S. Dept Of Defense: stored cross site scripting in https://███
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts on a victim's browser. PoC attached; another parameter at 1636345 q21655 Impact Cookie Stealing - A malicious user can steal cookies and use them to gai...
U.S. Dept Of Defense: stored cross site scripting in https://██████████
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts on a victim's browser. PoC attached; another parameter at 1636345 q21671= Impact Cookie Stealing - A malicious user can steal cookies and use them to ga...
U.S. Dept Of Defense: stored cross site scripting in https://███
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts on a victim's browser. PoC attached; another parameter at 1636345 Impact Cookie Stealing - A malicious user can steal cookies and use them to gain acces...
U.S. Dept Of Defense: stored cross site scripting in https://███
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts on a victim's browser. PoC attached; another parameter at 1636345 Year Group Military Only Impact Cookie Stealing - A malicious user can steal cookies a...
Adobe: Reflected Cross site scripting via Swagger UI
The security researcher responsibly disclosed a Reflected XSS to Adobe. We appreciate the collaboration and we're proceeding to include his name in our Acknowledgement page...
Ruby on Rails: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)
Intro The Rails HTML sanitizer allows setting certain combinations of tags in its allow list that are not properly handled. Similar to report 1530898, which identified the combination select and style as vulnerable, my fuzz testing from today suggests that svg and style, as well as math an...
Reddit: Reddit talk promotion offers don't expire, allowing users to accept them after being demoted
Description: When promoting a user to a speaker/host, an offerId is created which can be accepted by the user. However, after accepting them the offerIds don't expire. This means that after the user is demoted back to a listener, they can still use the offerIds to go back to their previous promot...
Acronis: Bypassing Recaptcha Protection in `https://connect.acronis.com`
The Recaptcha token was not properly validated in the registration process of the website https://connect.acronis.com. The same token could be reused to create multiple user accounts, bypassing the Recaptcha protection...
TikTok: Add products to any livestream.
An improper access control issue on a TikTok Shop endpoint could have resulted in arbitrary products being added to livestreams. We thank @datph4m for reporting this to our team...
Ruby on Rails: Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)
While building a PoC for CVE-2022-32209, I noticed that I could not fix my vulnerable application by updating https://github.com/rails/rails-html-sanitizer from 1.4.2 to 1.4.3, even though the HackerOne report about this vulnerability suggested that this should fix it (see here:...
GoCD: Open S3 Bucket Accessible by any Aws User
Description: It has been observed that the Amazon S3 bucket, which I believe belongs to GoCD as it contains data related to GoCD █████ documents and more, is misconfigured; as a result, any unauthenticated user can access it without any restrictions. Step-by-step Reproduction Instructions 1. Access...
Nintendo: [MK8DX] Improper verification of Competition creation allows to create "Official" competitions
Introduction This vulnerability impacts: - Mario Kart 8 Deluxe on the Switch - Mario Kart 8 on the Wii U The vulnerability was fixed for Mario Kart 8 Deluxe on 7 December 2022 with the release of v2.2 (v851968 for the internal version). The vulnerability was fixed for Mario Kart 8 on 3 August...
Nextcloud: Exception logging in Sharepoint app reveals clear-text connection details
Summary: When exceptions are thrown in the context of the SharePoint app, connection credentials may be written to the Nextcloud log in clear text. Steps To Reproduce: Attempt to configure a SharePoint mount in an erroneous way. Supporting Material/References: was files publicly:...
Shopify: Stored XSS in Dovetale by application of creator
Summary: Dovetale is an influencer platform from Shopify to manage and scale influencer marketing. The influencers can become an ambassador of the brand and are able to apply for it. If a malicious creator applies with XSS payloads inside the first name, last name, etc., the data is stored and...
Internet Bug Bounty: CVE-2022-21831: Possible code injection vulnerability in Rails / Active Storage
Original report: https://hackerone.com/reports/1154034 Rails advisory: https://discuss.rubyonrails.org/t/cve-2022-21831-possible-code-injection-vulnerability-in-rails-active-storage/80199 Blogpost:...
HackerOne: Private Email Address Leak of H1 Researchers.
...
MetaMask: Bypass parsing of transaction data, users on the phishing site will transfer/approve ERC20 tokens without being alerted
Vulnerability description not provided...
Internet Bug Bounty: Off-by-slash vulnerability in nodejs.org and iojs.org
Original Report: https://hackerone.com/reports/1631350 The reason for submitting this report is written in the comment of the original report. ---- Summary: Configuration files for Nginx in nodejs/build repository have multiple off-by-slash misconfigurations. Because nodejs.org and iojs.org are...
ownCloud: GitHub Security Lab (GHSL) Vulnerability Report: Insufficient path validation in ReceiveExternalFilesActivity.java (GHSL-2022-060)
The ownCloud Android app was found to have insufficient path validation in the ReceiveExternalFilesActivity activity, allowing attackers to read from and write to the application's internal storage. This could be exploited by uploading arbitrary files from the app's internal storage or by writing...
ownCloud: GitHub Security Lab (GHSL) Vulnerability Report: SQLInjection in FileContentProvider.kt (GHSL-2022-059)
Vulnerability description not provided...
Hyperledger: Cross Site Scripting Vulnerability (XSS)
An XSS was found in Cactus, a project that is not part of the bounty program...
Uber: Golang expvar Information Disclosure
Package expvar provides a standardized interface to public variables, such as stack trace information and operation counters in servers...
Internet Bug Bounty: Disabling context isolation, nodeIntegrationInSubFrames using an unauthorised frame.
Details can be found in the following github advisory: https://github.com/electron/electron/security/advisories/GHSA-mq8j-3h7h-p8g7 Impact Using a renderer exploit, context isolation and nodeIntegrationInSubFrames can be disabled, which enables an attacker to leak IPC module and communicate with...
TikTok: Stored XSS Via Ads Account Name
Vulnerability description not provided...
Invision Power Services, Inc.: support.invisionpower.com takeover the subdomain with Zendesk
The subdomain at https://support.invisionpower.com has an unclaimed CNAME record, ipscommunity.zendesk.com. I checked the username availability in the signup process at Zendesk; it was observed that the subdomain is vulnerable to a subdomain takeover, which an attacker could exploit such that a...
Showmax: delete the subaccount from the user id
Entry: In order to delete this sub-profile, you must first create an account. Then you need to find the user id and master id of the account that you will delete; you can do a brute-force attempt to find it. If it holds, you can delete the child profile of this person or view a lot of information...
MTN Group: Reflected xss on videostore.mtnonline.com
Summary: Hi, I found a reflected XSS vuln on videostore.mtnonline.com Steps To Reproduce: 1. Open browser 2. Go to...