EXNESS: IDOR in Stats API Endpoint Allows Viewing Equity or Net Profit of Any MT Account
Hi Team, today I logged into my Exness PA and noticed an updated performance page. I thought I'd give it a quick check and noticed that the API endpoint responsible for fetching the stats performance chart, /stats/, is vulnerable to IDOR via the accounts= parameter. The issue allows fetching the stats ...
Linktree: No validation on image upload: users can upload PHP, APK and zip files, which can be used for storage purposes
No validation to Image upload user can upload...
GitLab: Path paths and file disclosure vulnerabilities at influxdb.quality.gitlab.net
NOTE! Thanks for submitting a report! Please note that initial triage is handled by HackerOne staff. They are identified with a HackerOne triage badge and will escalate to the GitLab team any. Please replace all the parenthesized sections below with the pertinent details. Remember, the more detai...
8x8: LFI via Jolokia at https://█.█.█.█:1293
@shuvam321 reported to us a single exposed host in the acceptance environment. The report demonstrated a Local File Inclusion via Jolokia, e.g.: https://█.█.█.█:1293/actuator/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/hostname No sensitive information has...
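The request shape quoted above is worth turning into a detection, since an exposed Jolokia endpoint is usually visible in web-server access logs long before anyone files a report. The following is an added example (not part of the 8x8 report or of Jolokia itself): it scans constructed access-log lines for /jolokia/ requests, decodes Jolokia's "!/" path escaping so that the argument of the DiagnosticCommand call is shown as the file path it targets, and grades each hit. The sample log lines, client addresses and severity labels are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample access-log lines for this example; the Jolokia request mirrors the URL shape
# quoted in the report, the client addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2022:10:01:02 +0000] "GET /actuator/health HTTP/1.1" 200 15
10.0.0.9 - - [10/Jul/2022:10:01:05 +0000] "GET /actuator/jolokia/list HTTP/1.1" 200 9120
10.0.0.9 - - [10/Jul/2022:10:01:07 +0000] "GET /actuator/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/hostname HTTP/1.1" 200 312
10.0.0.9 - - [10/Jul/2022:10:01:09 +0000] "GET /actuator/jolokia/read/java.lang:type=Memory/HeapMemoryUsage HTTP/1.1" 200 221
"""

# Common/combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Jolokia's GET protocol: /jolokia/<verb>/<mbean>/<operation-or-attribute>/<arg>/<arg>...
JOLOKIA_RE = re.compile(r"/jolokia/(?P<verb>exec|read|write|list|search|version)(?:/(?P<rest>[^?]*))?")


@dataclass
class Finding:
    ip: str
    ts: str
    severity: str
    verb: str
    mbean: str
    operation: str
    args: List[str] = field(default_factory=list)


def jolokia_unescape(segment: str) -> str:
    """Jolokia escapes a literal '/' inside a path segment as '!/' and a literal '!' as '!!'."""
    return re.sub(r"!(.)", r"\1", segment)


def split_jolokia_path(rest: str) -> List[str]:
    """Split on '/' that is not escaped by a preceding '!', then unescape each segment."""
    return [jolokia_unescape(p) for p in re.split(r"(?<!!)/", rest) if p != ""]


def classify(verb: str, mbean: str) -> str:
    # exec against DiagnosticCommand reaches JVM diagnostic commands (the report's file read via
    # compilerDirectivesAdd is one of them); any other exec/write is still a control path.
    if verb == "exec" and "type=DiagnosticCommand" in mbean:
        return "high"
    if verb in ("exec", "write"):
        return "medium"
    return "low"  # read/list/search/version: information disclosure from an endpoint that should not be exposed


def jolokia_findings(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        j = JOLOKIA_RE.search(m.group("path"))
        if not j:
            continue
        parts = split_jolokia_path(j.group("rest") or "")
        mbean = parts[0] if parts else ""
        operation = parts[1] if len(parts) > 1 else ""
        findings.append(Finding(
            ip=m.group("ip"), ts=m.group("ts"), severity=classify(j.group("verb"), mbean),
            verb=j.group("verb"), mbean=mbean, operation=operation, args=parts[2:],
        ))
    return findings


if __name__ == "__main__":
    for f in jolokia_findings(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ip} {f.verb} {f.mbean} {f.operation} {f.args}")
```

Decoding the "!/" escapes matters for triage: the raw log shows `!/etc!/hostname`, the finding shows `/etc/hostname`, which is what an analyst wants to see when deciding whether a file was actually read.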
GlassWire: Facebook App API credentials leaked in the APK
Facebook App API credentials were leaked in the GlassWire version 1,1,26,0b F1827380 APK file, including the App ID and App Secret. This could allow an attacker to modify Facebook App settings using the leaked token...
U.S. Dept Of Defense: Directory Traversal at █████
Hi DoD! I found a directory traversal vulnerability at ████. I didn't find an available title for this issue, which is why I selected remote file inclusion. Host: ██████ Vulnerability: Directory Traversal in Windows Server Tool Used: BurpSuite Parameter: ==path== HTTP GET Request ==GET...
Nextcloud: Last video frame is still sent after video is disabled in a call
Summary: When a participant is in a call and disables the video, the last frame of the video is sent rather than a black frame. Similarly, if the video is disabled before joining the call, the last frame of the video from before joining the call is sent. The video is not...
LY Corporation: Stored XSS Via Filename On https://partners.line.me/
An XSS vulnerability was found on the file upload feature of "partners.line.me". Attackers could upload a file with an XSS payload in the filename, which was not properly escaped by the server. This allowed for DOM-based XSS to be embedded in HTML. The uploaded files were stored for a limited tim...
Glassdoor: [CRITICAL] Full account takeover without user interaction on sign with Apple flow
An account takeover was detected with our sign-up with Apple flow where an email parameter was manipulated in the request flow to our servers. This scenario can only be performed on a previously unlinked apple ID account with Glassdoor. Changing the email in the request flow allowed the researche...
Slack: Hashed data exposure via WebSockets to Workspace Members
A vulnerability in Slack's system allowed for the exposure of members' email addresses and sensitive data through WebSockets. This occurred when users created or revoked a Shared Invite Link for their workspace, resulting in the transmission of hashed passwords to other workspace members. The iss...
Hyperledger: Insecure TLS Configuration #3530
An insecure configuration was reported; however, this configuration is set on purpose in test code. Please see the resolved conversation on GitHub...
U.S. Dept Of Defense: Local File Inclusion in download.php
The local file inclusion vulnerability was discovered in the download.php file. Arbitrary files could be downloaded by an attacker using directory traversal via the filePathDownload parameter, provided the attacker knew a valid file path of an externally-facing document...
Planet Labs: Api data leak
A security vulnerability was identified where sensitive API keys were exposed through archived data accessible via the Wayback Machine. Some of these API keys were found to be valid...
Hyperledger: fix(cmd-socketio-server): mitigate cross site scripting attack #2068
Please refer to this fix and approve the bounty. See this in the GitHub security fix @ryjones https://github.com/hyperledger/cactus/pull/2068issuecomment-1186157206 Impact: fix(cmd-socketio-server): mitigate cross site scripting attack...
MTN Group: String length restriction bypass at https://callerfeel.mtnonline.com/profile/feedback.html
Summary: Hi, hope you are well. I found that the attacker can bypass the length restriction of the user name at the feedback form. Steps To Reproduce: F1823237 Impact: Attacker can make the receiver page delay and can cause application-level DoS. Mitigation: Restrict the length of the string in...
Stripe: CSRF in Importing CSV files [app.taxjar.com]
A CSRF vulnerability was found in the CSV import feature of app.taxjar.com, allowing an attacker to import transactions into a user's account without their permission. The vulnerability was due to a lack of CSRF protection in the import process...
GitHub: Command injection in GitHub Actions ContainerStepHost
GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands wa...
GitLab: Found Origin IP's lead to access to gitlab
@m-narayanan disclosed a known Origin IP / CloudFlare bypass issue, remediation for which was and is being tracked at https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/9945 They requested disclosure, then later requested it to be made private again...
8x8: Open Redirect ███.8x8.com
@mrk0anti reported to us an Open Redirect vulnerability utilising a misconfiguration which allowed https://█.█.█.█/.example.com to be redirected ➡️ https://www.8x8.com.example.com The issue has been swiftly rectified...
Internet Bug Bounty: Node.js - DLL Hijacking on Windows
The full Node.js security release summarizing the issue is here: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ The original Node.js HackerOne report is here: https://hackerone.com/bugs?reportid=1447455 ----- Node.js versions earlier than 16.16.0 LTS and 14.20.0 are vulnerabl...
Khan Academy: Email Verification Bypass Allows Users to Add & verify Any Email As Guardians Email
1. Go to https://www.khanacademy.org/signup and sign up as a learner, keeping the date of birth below 13 years. F1821117
2. Now use the victim's email as the parent's email (for example, here I am using [email protected] as the parent's email) and click on signup. ████
3. Now you will see the following message: "Your...
Elastic: Synthetics Recorder: Code injection when recording website with malicious content
A vulnerability was discovered in the Synthetics Recorder tool, which allows attackers to inject arbitrary code into a recording session. The waitForNavigation event calls quote within the context of a multi-line comment, which can be escaped with a specially crafted URL. This can lead to code...
U.S. Dept Of Defense: Reflected cross site scripting in https://███████
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts in a victim's browser. request.txt attached; PoC attached. Impact: Cookie Stealing - A malicious user can steal cookies and use them to gain access to the...
Cloudflare Public Bug Bounty: Lack of Packet Sanitation in Goflow Results in Multiple DoS Attack Vectors and Bugs
sflow decode package of the Goflow application did not implement sufficient packet sanitisation which could lead to a denial of service attack. Attackers could craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service. The issue has been fixed...
Hyperledger: Remote denial of service in HyperLedger Fabric
How to reproduce:
1. Bring up the test network: https://hyperledger-fabric.readthedocs.io/en/latest/testnetwork.htmlbring-up-the-test-network
2. Run the PoC: go run poc.go -server=192.168.0.208:7051
poc.go (Go): package main; import "context" "crypto/tls" "flag" "fmt"...
Cloudflare Public Bug Bounty: Ability to bypass locked Cloudflare WARP on wifi networks.
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint...
Hyperledger: Fix : (Security) Mitigate Path Traversal Bug
Unsanitized input from arg0 argument flows into java.io.FileOutputStream, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write to arbitrary files. Impact Being able to access and manipulate an arbitrary path leads to vulnerabilities when a...
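Both the download.php report above (directory traversal through the filePathDownload parameter) and this one (an unsanitized arg0 flowing into java.io.FileOutputStream) come down to the same missing check: the server never confirms that the path it is about to open still lies inside the directory it meant to serve. The following is an added example, written in Python rather than the PHP or Java of the reports and not taken from either project, showing the check a handler should run on a user-supplied path. The base directory and the sample inputs are constructed for the example.

```python
from pathlib import Path, PurePosixPath

# Constructed base directory for the example; in a real handler this is the one directory
# downloads (or uploads) are meant to live in.
BASE_DIR = Path("/srv/app/public")


class PathTraversal(ValueError):
    """Raised when user input would resolve outside the permitted base directory."""


def safe_resolve(base: Path, user_path: str) -> Path:
    """Return the absolute path for a user-supplied relative path, or raise PathTraversal.

    The check must run on the fully decoded value (after the web framework has URL-decoded it):
    validating an encoded string and decoding it afterwards is how '..%2F'-style bypasses work.
    """
    if not user_path or "\x00" in user_path:
        raise PathTraversal("empty path or NUL byte")
    # Treat backslashes as separators too, so a Windows-style '..\\..\\' is not missed on POSIX
    normalized = user_path.replace("\\", "/")
    if PurePosixPath(normalized).is_absolute():
        raise PathTraversal("absolute paths are not allowed")
    base_real = base.resolve()
    # resolve() collapses '..' segments and follows symlinks, so a link inside the base that
    # points outside it is caught as well
    candidate = (base_real / normalized).resolve()
    try:
        # relative_to() is a path-component test; a string prefix test would wrongly
        # accept /srv/app/public_old/... as being inside /srv/app/public
        candidate.relative_to(base_real)
    except ValueError:
        raise PathTraversal(f"{user_path!r} escapes {base}") from None
    return candidate


def is_safe(base: Path, user_path: str) -> bool:
    """Boolean form of safe_resolve(), for callers that only need accept/reject."""
    try:
        safe_resolve(base, user_path)
        return True
    except PathTraversal:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate document plus the traversal shapes the reports describe
    for p in ["docs/report.pdf", "../../etc/passwd", "..\\..\\windows\\win.ini",
              "/etc/passwd", "../public_old/x"]:
        print(f"{p!r:32} -> {'ok' if is_safe(BASE_DIR, p) else 'BLOCKED'}")
```

The same check applies whether the path is read (download.php) or written (FileOutputStream); for writes, also restrict the permitted extension and keep the base directory out of the web root.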
Stripe: Mass account takeover!
@akashhamal0x01 discovered an Organization Owner could update the email address of a member of their organization in TaxJar. This could have allowed an attacker to take over a victim’s account if the victim belonged to the attacker’s organization. The vulnerability was caused by the ability to ed...
U.S. Dept Of Defense: Open Redirect at █████
Open Redirect on https://███ Users can be redirected to a malicious site. POC: ████████/texis/search/redir.html?query=1234&pr=External+Meta&prox=page&rorder=500&rprox=500&rdfreq=500&rwfreq=250&rlead=500&rdepth=62&sufs=3&order=r&u=http://evil.com&m=0&p=2 I hope you know the impact of open redirect and...
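The two open-redirect reports above fail in different ways: this one forwards the u= parameter unchecked, while the 8x8 case accepted a target because the allowed host appeared at the start of the final hostname (www.8x8.com.example.com). The following is an added example, not code from either program, of a redirect-target validator beside the prefix-string check that lets the second case through. The allowlist hosts and test URLs are constructed for the example; the strict validator assumes https-only targets.

```python
from urllib.parse import urlparse

# Constructed allowlist for the example; a real one names the exact hosts users may be sent to
ALLOWED_HOSTS = {"www.example.com", "account.example.com"}


def is_safe_redirect_naive(url: str) -> bool:
    """The check commonly found in the wild: a string-prefix test on the whole target URL."""
    return url.startswith("https://www.example.com")


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow same-site relative paths and absolute https URLs whose exact host is allowlisted."""
    if "\\" in url or any(c in url for c in "\r\n\x00"):
        return False  # backslash-as-slash tricks and header-injection characters
    parsed = urlparse(url)
    if parsed.scheme == "" and parsed.netloc == "":
        # relative target: exactly one leading '/'; '//host/...' is protocol-relative
        return url.startswith("/") and not url.startswith("//")
    if parsed.scheme != "https":
        return False  # also rejects javascript:, data: and plain http:
    # hostname is lower-cased and already stripped of userinfo ('user@') and the port,
    # so 'https://www.example.com@attacker.net/' yields 'attacker.net' here
    return parsed.hostname in allowed_hosts


if __name__ == "__main__":
    # Constructed targets: the shapes that defeat a prefix check
    for target in ["https://www.example.com/settings",
                   "https://www.example.com.attacker.net/",
                   "https://www.example.com@attacker.net/",
                   "//attacker.net/", "http://evil.com", "/account"]:
        print(f"{target:45} naive={is_safe_redirect_naive(target)!s:5} strict={is_safe_redirect(target)}")
```

Where the application only ever needs to send users back to its own pages, the stronger fix is to drop the URL parameter entirely and redirect to a server-side lookup keyed by an opaque identifier.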
Cloudflare Public Bug Bounty: Completely remove VPN profile from locked WARP iOS client.
It was possible for a user to delete VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch feature being enabled on Zero Trust Platform. This led to bypassing policies and restriction enforced for enrolled devices by the Zero Trust platform. The issue was fixed in Warp...
Kindred Group: [www.32red.com] Reverse proxy misconfiguration leads to 1-click account takeover
==Below is the original, partially-redacted report== --------- Hi team, Summary We have found a misconfiguration in the reverse proxy powering www.32red.com, as it's possible to manipulate the forwarded requests using URL-encoded characters. This leads to a full 1-click account takeover by...
Node.js: DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)
Summary: This is an insufficient fix of CVE-2022-32212, which itself is a fix of CVE-2018-7160. There exists a specific behaviour in browsers on macOS devices when handling the http://0.0.0.0 URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving host...
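The protection being bypassed here is a Host-header check on the inspector's HTTP endpoint. A check that accepts "localhost" and loopback IP literals and rejects everything else, including DNS names (an attacker-controlled resolver can repoint a name at the victim's machine after the page loads) and 0.0.0.0 (the unspecified address, which the report says browsers on macOS treat as the local machine), closes the usual rebinding avenues. The following is an added example of such a check; it is not Node's code and makes no claim about how Node's own validation is written. The header values it is exercised with are constructed.

```python
import ipaddress


def is_local_inspector_host(host_header: str) -> bool:
    """Accept 'localhost' or a loopback IP literal (with optional port); reject everything else.

    Names other than 'localhost' are rejected outright: with an attacker-controlled resolver
    they can be rebound to 127.0.0.1 after the attacker's page has loaded. 0.0.0.0 is the
    'unspecified' address, not loopback, so it is rejected as well.
    """
    host = host_header.strip().lower()
    if host.startswith("["):                    # bracketed IPv6 literal, optional :port
        end = host.find("]")
        if end == -1:
            return False
        literal = host[1:end]
    elif host.count(":") == 1:                  # name-or-IPv4 with :port
        literal = host.rsplit(":", 1)[0]
    else:
        literal = host
    if literal == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(literal)
    except ValueError:
        return False                            # not an IP literal: a rebindable name, or junk
    return ip.is_loopback                       # 127.0.0.0/8 and ::1 only


if __name__ == "__main__":
    # Constructed Host header values, including the 0.0.0.0 case from the report
    for h in ["127.0.0.1:9229", "localhost:9229", "[::1]:9229", "0.0.0.0:9229",
              "attacker.example:9229", "127.0.0.1.attacker.example:9229", "2130706433:9229"]:
        print(f"{h:36} -> {'allow' if is_local_inspector_host(h) else 'reject'}")
```

The check is deliberately conservative: shorthand literals such as "127.1" or a decimal "2130706433", which some clients expand to 127.0.0.1, are rejected rather than parsed, because any form the validator does not understand is a form an attacker may understand differently.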
Reddit: Can use the Reddit android app as usual even though revoking the access of it from reddit.com
Summary: Hi Team, for the last 4 days I kept testing Reddit web. At that time, I revoked app access from old.reddit.com and checked my app and, as expected, I was not able to use the account in my app. After 2 days I was checking the chat invites feature on the web and after some time I turned ...
Glassdoor: XSS in http://www.glassdoor.com/Search/results.htm via Parameter Pollution
There was reflected XSS detected at http://www.glassdoor.com/Search/results.htm using parameter pollution via keyword and locName parameters resolved by our development team. Thanks @nokline for your report and co-operation. We are looking forward to more findings from you. Thank you once again. ...
U.S. Dept Of Defense: Sensitive information disclosure [HtUS]
Sensitive information was disclosed through an open server status directory, which displayed server status and sensitive information by server. Attackers could potentially access sensitive information from the server logs...
U.S. Dept Of Defense: an internal important paths disclosure [HtUS]
Summary: I found a CGI script environment variable disclosure revealing important paths. Steps To Reproduce: 1. Visit this link: https://███ 2. Look at the PoC pic. You should restrict this quickly. Impact: This is so dangerous because an attacker now knows internal paths, and this juicy information, as you can see, i...
U.S. Dept Of Defense: STORED XSS in █████████/nlc/login.aspx via "edit" GET parameter through markdown editor [HtUS]
While looking through the source code of https://████████/nlc/login.aspx, I noticed this line 204: Cancel, which exposes the edit GET parameter. Upon accessing https://█████████/nlc/login.aspx?edit=true, a hidden markdown editor will be revealed if you click around where the bottom text is, which...
U.S. Dept Of Defense: solr_log4j - http://██████████
Hi security team, I found a Solr Log4j vulnerability in your application. Impact: Logging untrusted or user-controlled data with a vulnerable version of Log4j may result in remote code execution (RCE) against your application. This includes untrusted data included in logged errors such as exception...
U.S. Dept Of Defense: ██████_log4j - https://██████
Hi security team, I found a Log4j vulnerability in your application. Impact: Logging untrusted or user-controlled data with a vulnerable version of Log4j may result in remote code execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces,...
Node.js: Off-by-slash vulnerability in nodejs.org and iojs.org
Summary: Configuration files for Nginx in nodejs/build repository have multiple off-by-slash misconfigurations. Because nodejs.org and iojs.org are deployed using those files, it is possible for an attacker to gain access to unexpected directories. This report is not related to nodejs/node...
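An off-by-slash is the nginx pattern `location /static { alias /var/www/static/; }`: nginx replaces the matched prefix with the alias directory, so a request for `/static../secret` becomes `/var/www/static/../secret` and escapes the directory. `/static/../secret` does not work, because nginx merges dot-segments in the URI before matching locations; only the prefix-without-slash form gets through. The following is an added example, not code from the nodejs/build repository and not a claim about which locations were affected there, that models nginx's prefix-and-alias substitution in Python so the escape can be seen and a config pair can be checked. The location, alias and request paths are constructed for the example.

```python
import posixpath
from typing import Optional


def nginx_alias_map(location: str, alias: str, request_uri: str) -> Optional[str]:
    """Model of how nginx serves 'location <prefix> { alias <dir>; }'.

    nginx normalises the URI first (merging '.' and '..' segments), then prefix-matches the
    location, then replaces the matched prefix with the alias directory. Returns the filesystem
    path nginx would open, or None if this location block does not match.
    """
    uri = posixpath.normpath(request_uri)
    if request_uri.endswith("/") and not uri.endswith("/"):
        uri += "/"                           # normpath drops a trailing slash; nginx keeps it
    if not uri.startswith(location):
        return None
    filesystem_path = alias + uri[len(location):]
    return posixpath.normpath(filesystem_path)


def is_off_by_slash(location: str, alias: str) -> bool:
    """Flag the vulnerable pair: prefix without a trailing '/', alias directory with one."""
    return not location.endswith("/") and alias.endswith("/")


if __name__ == "__main__":
    # Constructed configs: the vulnerable pair and the corrected one
    for loc, al in [("/static", "/var/www/static/"), ("/static/", "/var/www/static/")]:
        print(f"location {loc} alias {al}  off-by-slash={is_off_by_slash(loc, al)}")
        for req in ["/static/app.js", "/static../secret.txt", "/static/../secret.txt"]:
            print(f"   {req:24} -> {nginx_alias_map(loc, al, req)}")
```

The fix is to give the location the same trailing slash as the alias (`location /static/ { alias /var/www/static/; }`), or to use `root` instead of `alias` where the URI prefix mirrors the directory name; the detector above is the one-line lint to run over every alias in a config before deploying it.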
Rocket.Chat: Rocket.Chat Server RCE
Vulnerability description not provided...
Stripo Inc: [demo.stripo.email] HTTP request Smuggling
A vulnerability in the demo.stripo.email website was reported, which has since been resolved...
Internet Bug Bounty: CVE-2022-32214 - HTTP Request Smuggling Due To Improper Delimiting of Header Fields
Original Report: https://hackerone.com/reports/1524692 Impact Depending on the specific web application, HRS can lead to cache poisoning, bypassing of security layers, stealing of credentials and so on...
Internet Bug Bounty: CVE-2022-32213 - HTTP Request Smuggling Due to Flawed Parsing of Transfer-Encoding
Original Report: https://hackerone.com/reports/1524555 Impact Depending on the specific web application, HRS can lead to cache poisoning, bypassing of security layers, stealing of credentials and so on...
Internet Bug Bounty: CVE-2022-32215 - HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding
Original Report: https://hackerone.com/reports/1501679 Impact Depending on the specific web application, HRS can lead to cache poisoning, bypassing of security layers, stealing of credentials and so on...
Node.js: CVE-2022-32213 bypass via obs-fold mechanic
Summary: The fix for CVE-2022-32213 can be bypassed using an obs-fold, which Node's http parser supports. Proof-of-Concept:
const http = require('http');
http.createServer((request, response) => {
  let body = '';
  request.on('error', (err) => response.end("error while reading body: " + err))
    .on('data', (chunk) => ...
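The three CVE-2022-3221x entries and this bypass are all the same failure mode: two parsers in the request path disagree about how a message is framed, so the bytes one of them treats as body the other treats as the next request. An obs-fold (a header continuation line starting with whitespace) is a convenient way to manufacture that disagreement, because RFC 7230 lets a recipient either reject it or join it to the previous line with a space, and a naive parser does neither. The following is an added example, not Node's parser and not the report's exact payload, that parses a constructed request under the three behaviours and shows the framing each one picks; the request, host name and smuggled tail are made up for the example.

```python
from typing import Dict

# Constructed request: Content-Length covers the whole body, while Transfer-Encoding's value
# sits entirely on an obs-fold continuation line. The tail after the zero chunk is the
# smuggled request a chunked-framing back end would leave on its connection.
SMUGGLED_TAIL = b"GET /admin HTTP/1.1\r\nHost: backend.internal\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED_TAIL
FOLDED_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: backend.internal\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Transfer-Encoding:\r\n"
    b" chunked\r\n"
    b"\r\n" + BODY
)
PLAIN_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: backend.internal\r\nTransfer-Encoding: chunked\r\n\r\n" + BODY
)


def parse_headers(raw: bytes, obs_fold: str) -> Dict[bytes, bytes]:
    """Parse the header block; obs_fold selects how a continuation line is treated:
    'reject' -> ValueError (what an edge proxy should do),
    'join'   -> appended to the previous header's value with a space (RFC 7230's replacement),
    'ignore' -> dropped as a malformed line (what a naive split-on-colon parser amounts to).
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: Dict[bytes, bytes] = {}
    last = None
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        if line[:1] in (b" ", b"\t"):
            if obs_fold == "reject" or last is None:
                raise ValueError("obs-fold in header block")
            if obs_fold == "join":
                headers[last] = (headers[last] + b" " + line.strip()).strip()
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + b", " + value if name in headers else value
        last = name
    return headers


def framing(headers: Dict[bytes, bytes]) -> str:
    """Body framing per RFC 7230 3.3.3: a final 'chunked' coding wins over Content-Length."""
    te = headers.get(b"transfer-encoding", b"")
    if te and te.split(b",")[-1].strip().lower() == b"chunked":
        return "chunked"
    if b"content-length" in headers:
        return "content-length"
    return "none"


def framing_for(raw: bytes, obs_fold: str) -> str:
    try:
        return framing(parse_headers(raw, obs_fold))
    except ValueError:
        return "rejected"


def leftover_after_chunked(raw: bytes) -> bytes:
    """Bytes a chunked-framing parser leaves on the connection after the terminating zero chunk
    (simplified: handles a body whose first chunk is the terminator, as in the sample)."""
    _, _, body = raw.partition(b"\r\n\r\n")
    end = body.find(b"0\r\n\r\n")
    return body[end + 5:] if end != -1 else b""


if __name__ == "__main__":
    for mode in ("reject", "join", "ignore"):
        print(f"{mode:7} -> {framing_for(FOLDED_REQUEST, mode)}")
    print("left on back-end connection:", leftover_after_chunked(FOLDED_REQUEST))
```

An edge that "ignores" the fold forwards the message framed by Content-Length, a back end that "joins" it frames by chunked and stops at the zero chunk, and the GET /admin tail becomes the prefix of whatever the next client sends on that back-end connection. The only safe behaviour at a boundary between parsers is "reject".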
XVIDEOS: Host Header Injection Attack - www.xnxx.com
An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on the same IP address. This is where the Host header comes in. This header specifi...
U.S. Dept Of Defense: CSRF to delete accounts [HtUS]
Vulnerability description not provided...
U.S. Dept Of Defense: Exposed GIT repo on ██████████[HtUS]
Vulnerability description not provided...
U.S. Dept Of Defense: SQL Injection at https://████████.asp (█████████) [selMajcom] [HtUS]
Summary: SQL injection SQLi is a vulnerability in which an application accepts input into an SQL statement and treats this input as part of the statement. Typically, SQLi allows a malicious attacker to view, modify or delete data that should not be able to be retrieved. An SQLi vulnerability was...