Hackerone Recent

15273 matches found

Hacker One | added 2022/07/06 2:31 p.m. | 8 views

U.S. Dept Of Defense: SSRF in Functional Administrative Support Tool pdf generator (████) [HtUS]

Summary: I found that it is possible to inject a JavaScript payload during the PDF form creation process, which is then executed by the checklist application server. Vulnerable Software: Functional Administrative Support Tool FAST v1.0. Intro: ██████████ Administrative clerks create a dynamic acti...

Exploits 0

Hacker One | added 2022/07/06 2:16 p.m. | 15 views

U.S. Dept Of Defense: Full read SSRF at █████████ [HtUS]

Hey there, we have found a full read SSRF vuln in https://█████; we were able to hit the AWS metadata endpoint http://███████ through the SSRF vuln. Steps to reproduce: 1. Go to https://██████/users/create and create an account. 2. After your account is verified, log in. If for some...

AI score 6.9 | Exploits 0

Hacker One | added 2022/07/06 2:07 p.m. | 8 views

U.S. Dept Of Defense: IDOR Lead To VIEW & DELETE & Create api_key [HtUS]

Hi DoD & HackerOne team, I hope you are doing well today. Explaining: I found that a user with Member permission in an organization can create, view & delete API keys. Steps to reproduce: 1. First create 2 accounts from here: https://███ 2. Log in with the victim user and create a new group from here...

AI score 0.3 | Exploits 0

Hacker One | added 2022/07/06 2:04 p.m. | 43 views

U.S. Dept Of Defense: SQL injection at [https://█████████] [HtUS]

Hello. Summary: while doing a test on www.███ I've found that the endpoint at /olc/███comments/commentpost.php is vulnerable to SQL injection. Vulnerable parameters: staffstudent. POC: using sqlmap, run the command python3 sqlmap.py --level=5 --risk=3 --tamper=space2comment...

AI score 0.3 | Exploits 0

Hacker One | added 2022/07/06 2:02 p.m. | 6 views

U.S. Dept Of Defense: Unauthenticated access to internal API at ██████████.███.edu [HtUS]

There was unauthenticated access to the internal API at ██████████.███.edu. Multiple API calls allowed an attacker to gain access to the internal API via the Azure API URL appg3entcalapi.azurewebsites.net. Access to █████.██████.edu was only supposed to be available to internal users...

AI score 7.4 | Exploits 0

Hacker One | added 2022/07/06 2:01 p.m. | 7 views

U.S. Dept Of Defense: IDOR on ███████ [HtUS]

Hello, I have found that an endpoint in ███ is vulnerable to IDOR, which allows an attacker to brute-force and delete companies. Steps to reproduce: 1. Navigate to https://███████/████/Reception/Vendor and create an account. 2. Once you have created an account, go to https://████/████/Vendor/Companies. 3. Register a...

AI score 0.1 | Exploits 0

Hacker One | added 2022/07/06 2:01 p.m. | 20 views

U.S. Dept Of Defense: time based SQL injection at [https://███] [HtUS]

Hello. Summary: while doing a test on www.█████ I've found that the endpoint at /olc/setlogin.php is vulnerable to SQL injection. Vulnerable parameters: username, password. POC: using a time-based payload to verify, submit the request below: POST /olc/setlogin.php HTTP/1.1 Host: www.█████...

AI score 8 | Exploits 0

Hacker One | added 2022/07/06 2:00 p.m. | 9 views

U.S. Dept Of Defense: Unauthenticated PII leak on verified/requested to be verified profiles on ███████/app/org/{id}/profile/{id}/version/{id} [HtUS]

Description: On any published profile page, you can switch between the profile's versions, provided they have made at least 1 change after publication, which will make a GET request to ███/organization/id/profileid/version/id. While proxying traffic through Burp Suite, another request is being sent...

AI score 0.2 | Exploits 0

Hacker One | added 2022/07/06 2:00 p.m. | 12 views

U.S. Dept Of Defense: Account takeover on ███████ [HtUS]

Hello, I have found that an endpoint in ████████ is vulnerable to account takeover. Steps to reproduce: 1. Create 2 accounts, attacker A and victim B. 2. Log in to all of them and go to https://███████/███████/EditUserProfile with the attacker's account. 3. Now fill out the password with your password. 4. Chan...

AI score 0.5 | Exploits 0

Hacker One | added 2022/07/06 10:07 a.m. | 13 views

U.S. Dept Of Defense: RXSS on █████████

Description: The WhatSubmitted parameter is not filtered; I can insert a " character and execute JS code. Impact: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate...

AI score 0.5 | Exploits 0

Hacker One | added 2022/07/05 10:59 p.m. | 73 views

Internet Bug Bounty: Rack CVE-2022-30122: Denial of Service Vulnerability in Rack Multipart Parsing

ReDoS in Rack::Multipart::BROKEN_QUOTED and Rack::Multipart::BROKEN_UNQUOTED. https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service...

CVSS 5 | AI score 8.1 | EPSS 0.01042 | Exploits 0

Hacker One | added 2022/07/05 6:30 p.m. | 18 views

U.S. Dept Of Defense: RXSS on ███████

I found reflected XSS on https://███/contact-us/.YsSAGCNBzaQ. The parameters in the contact form are not properly filtered, leading to possible insertion of " characters and JavaScript execution. Impact: Perform any action within the application that the user can perform. View any information that...

AI score 6.3 | Exploits 0

Hacker One | added 2022/07/05 2:44 p.m. | 7 views

U.S. Dept Of Defense: IDOR leading unauthenticated attacker to download documents discloses PII of users and soldiers via https://www.█████████/Download.aspx?id= [HtUS]

The API endpoint at https://www.█████████/Download.aspx?id= was found to be vulnerable to Insecure Direct Object Reference IDOR, allowing an unauthenticated attacker to download sensitive documents containing PII of users and soldiers...

AI score 7 | Exploits 0

Hacker One | added 2022/07/05 2:34 p.m. | 13 views

U.S. Dept Of Defense: Account Takeover and Information update due to cross site request forgery via POST █████████/registration/my-account.cfm

Summary: Hello Team, while researching https://████/ I found a cross-site request forgery attack which leads to an account's information being updated, and that further leads to account takeover via the password reset functionality. Steps To Reproduce: Check this video for understanding the attack scenario...

AI score 0.7 | Exploits 0

Hacker One | added 2022/07/05 2:20 p.m. | 13 views

Snapchat: Password reset tokens sent to CSP reporting endpoints

Description: It has been identified that the application is leaking the referrer token to third-party sites. In this case it was found that the password reset token is being leaked to third-party sites, which is an issue given that it can allow any malicious user to use the token and reset...

AI score 7.1 | Exploits 0

Hacker One | added 2022/07/05 2:04 p.m. | 15 views

U.S. Dept Of Defense: Critical sensitive information Disclosure. [HtUS]

Sensitive information, including the database user, password, and name, was disclosed due to a critical vulnerability on a website. This could have allowed an attacker to access the system...

AI score 7 | Exploits 0

Hacker One | added 2022/07/05 2:03 p.m. | 64 views

U.S. Dept Of Defense: Unauthenticated SQL Injection at █████████ [HtUS]

Summary: Hi team, I found unauthenticated SQL injection at ██████. Because input at the API /api/organizations/ is neither filtered nor escaped, an attacker can inject a malicious payload after a single quote ' to exploit and extract the database. Steps to reproduce: Execute request GET...

AI score 0.5 | Exploits 0

Hacker One | added 2022/07/05 2:02 p.m. | 26 views

U.S. Dept Of Defense: Local file read at https://████/ [HtUS]

Hey there, I have found a local file read vulnerability in your website https://█████/. This is the vulnerable endpoint: https://██████████/download.php?filePathDownload=dataproducts. The filePathDownload path is vulnerable, which allows an attacker to read any local files. There was some sort...

AI score 0.1 | Exploits 0

Hacker One | added 2022/07/05 2:01 p.m. | 106 views

U.S. Dept Of Defense: Wordpress Takeover using setup configuration at http://████.edu [HtUS]

A vulnerability was found in the WordPress 'setup-config.php' installation page, which allowed a malicious user to install WordPress in a remote MySQL database without valid credentials on the target system. This could lead to remote code execution and total system compromise, as well as other...

AI score 8 | Exploits 0

Hacker One | added 2022/07/05 2:01 p.m. | 23 views

U.S. Dept Of Defense: SQL injection at [█████████] [HtUS]

Hello. Summary: while doing a test on █████ I've found that the endpoint at /olc/set/m101/leasib.php is vulnerable to SQL injection. Vulnerable parameters: scn, SUBJECT, COURSEID. POC: 1. Using sqlmap, run the command python3 sqlmap.py --level=5 --risk=3 --tamper=space2comment...

Exploits 0

Hacker One | added 2022/07/05 10:31 a.m. | 175 views

GitHub: Delimiter injection in GitHub Actions core.exportVariable

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...

CVSS 4 | AI score 5.2 | EPSS 0.00247 | Exploits 0

Hacker One | added 2022/07/04 10:28 p.m. | 31 views

Node.js: Insecure loading of ICU data through ICU_DATA environment variable

Insecure loading of ICU data through the ICU_DATA environment variable allowed for potential exploitation, as ICU still honored the variable regardless of privilege level. The impact was likely limited, but it was suggested to build ICU with ICU_NO_USER_DATA_OVERRIDE defined and sanitize the environme...

CVSS 4.2 | AI score 6.5 | EPSS 0.00082 | Exploits 0

Hacker One | added 2022/07/04 5:49 p.m. | 13 views

Cloudflare Public Bug Bounty: Misconfigured build on websites "abuse.cloudflare.com"

Due to a misconfiguration, a malicious actor could see all the backend code on the abuse.cloudflare.com page. The engineering team removed the misconfiguration and the information is no longer available...

AI score 1.4 | Exploits 0

Hacker One | added 2022/07/04 2:58 p.m. | 318 views

U.S. Dept Of Defense: Local File Read vulnerability on ██████████ [HtUS]

Kindly check screenshot ███████ in case of a scope question, because I picked this site from the DoD website list under 'dod sites'. Let's move on to the bug now. Summary: Local File Include vulnerability on ███. Oracle EBS bispgraph is prone to a directory traversal vulnerability that can be exploit...

AI score 0.4 | Exploits 0

Hacker One | added 2022/07/04 2:14 p.m. | 19 views

U.S. Dept Of Defense: CSRF to ATO at https://█████/user/account [HtUS]

Hello DoD security team. Today while I was doing a pentest on your scope I came across https://████████/user/account, so I registered and after that tried to edit my data. The data was in a JSON request, so I simply changed the Content-Type to application/x-www-form-urlencoded and the data was...

AI score 7.1 | Exploits 0

Hacker One | added 2022/07/04 2:10 p.m. | 11 views

U.S. Dept Of Defense: Broken access discloses users and PII at https://███████ [HtUS]

Good morning, I was able to register at https://████/ and get the list of users. 1. Go to https://██████████/OAHTML/ibeCAcpSSOReg.jsp and register. 2. Go to https://███/OAHTML/AppsLocalLogin.jsp with the created user and log in. 3. On the homepage, click on vacation rules, create, and search user...

AI score 0.7 | Exploits 0

Hacker One | added 2022/07/04 2:06 p.m. | 13 views

U.S. Dept Of Defense: [████████] RXSS via "CurrentFolder" parameter

A reflected cross-site scripting vulnerability was found on a website that allowed malicious scripts to be injected via the CurrentFolder parameter...

AI score 6.3 | Exploits 0

Hacker One | added 2022/07/04 2:03 p.m. | 142 views

U.S. Dept Of Defense: [███████] Remote Code Execution at ██████ [CVE-2021-44529] [HtUS]

IP Address used to find vulnerability: ██████ Vulnerable Website URL or Application: https://████ pomcldsvr2.████ Proof of ownership: ███ Summary: The server at https://███ is running a vulnerable version of CSA. A code injection vulnerability in the Ivanti EPM Cloud Services Appliance CSA allows...

CVSS 7.5 | AI score 2.3 | EPSS 0.94461 | Exploits 9

Hacker One | added 2022/07/04 2:02 p.m. | 37 views

U.S. Dept Of Defense: .git folder exposed [HtUS]

Hey there, I have found an exposed .git folder on https://█████: https://████████/.git/config [core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true [remote "origin"] url = https://████ fetch = +refs/heads/*:refs/remotes/origin/* Using gitdumper...

AI score 0.1 | Exploits 0

Hacker One | added 2022/07/04 2:02 p.m. | 13 views

U.S. Dept Of Defense: insecure gitlab repositories at ████████ [HtUS]

If you click the link https://███, you're redirected to https://██████/users/signin, where credentials have to be inserted. The repositories are private and shouldn't be accessible to unauthenticated users! POC: If you click the following links https://████/api/v4/projects, information about...

AI score 0.4 | Exploits 0

Hacker One | added 2022/07/04 2:01 p.m. | 10 views

U.S. Dept Of Defense: SSRF to read AWS metaData at https://█████/ [HtUS]

Hello Team, while researching your program I found that the domain https://████/ is vulnerable to Server Side Request Forgery attacks via the url parameter. An attacker is able to fetch the AWS metadata by abusing the SSRF at https://████████/...

AI score 1.1 | Exploits 0

Hacker One | added 2022/07/04 2:01 p.m. | 45 views

U.S. Dept Of Defense: Log4j Vulnerability [HtUS]

Description: Hi team, Log4Shell is a recent 0-day exploit; the Java package is vulnerable. █████ is vulnerable. Impact: RCE. System Hosts: ██████. Affected Products and Versions: CVE Numbers: CVE-2021-44228. Steps to Reproduce: 1. Go to this url =...

CVSS 9.3 | AI score 0.5 | EPSS 0.94358 | Exploits 342

Hacker One | added 2022/07/04 5:59 a.m. | 13 views

U.S. Dept Of Defense: SSRF ACCESS AWS METADATA - █████

Hi Security Team, based on the https://hackerone.com/hack-us-h1c challenge, I have an urgent vulnerability and the challenge doesn't accept reports for now (1:56 AM). I have found a SSRF vulnerability which allows access to the AWS metadata, using the parameter ?url= as shown below. An attacker can tunnel into...

AI score 0.5 | Exploits 0

Hacker One | added 2022/07/04 5:31 a.m. | 3 views

Enjin: Host header injection leads to account takeover

Vulnerability description not provided...

AI score 7.1 | Exploits 0

Hacker One | added 2022/07/03 4:17 a.m. | 30 views

Node.js: Node 18 reads openssl.cnf from /home/iojs/build/... upon startup.

A vulnerability was discovered in Node.js 18.4.0 where it attempted to read an openssl.cnf file from a specific location upon startup. This could potentially allow an attacker with a self-chosen username to affect the OpenSSL configuration of other users on a shared Linux host...

CVSS 5.3 | AI score 5.9 | EPSS 0.0062 | Exploits 1

Hacker One | added 2022/07/02 1:13 p.m. | 17 views

Top Echelon Software: xmlrpc.php file is enabled; it can be used for brute-force attacks and Denial of Service (DoS)

xmlrpc.php was enabled even though we did not make use of any of its functionality - it is now disabled...

AI score 2.2 | Exploits 0

Hacker One | added 2022/07/02 2:48 a.m. | 56 views

8x8: Public Apache Tomcat /examples example directory

@mrk0anti reported to us an exposed Apache Tomcat /examples example directory. The issue has been rectified, as we removed the directory from the host & restricted access...

AI score 1.6 | Exploits 0

Hacker One | added 2022/07/01 5:00 p.m. | 64 views

HackerOne: June 2022 Incident Report

Intro Since the founding of HackerOne, we have kept a steadfast commitment to disclosing security incidents because we believe that sharing security information far and wide is essential to building a safer internet. HackerOne's culture is to disclose more often, and in more detail than the rest ...

AI score 0.5 | Exploits 0

Hacker One | added 2022/07/01 4:09 p.m. | 14 views

Stripo Inc: [SSRF] my.stripo.email via the setup-wizard parameter

A vulnerability in the setup wizard allowed SSRF. The issue has been resolved...

AI score 7 | Exploits 0

Hacker One | added 2022/07/01 5:01 a.m. | 80 views

Glassdoor: Web Cache Poisoning leads to XSS and DoS

@nokline and @bombon were able to utilize URL parser confusion in combination with reflected XSS under https://glassdoor.com/Job/ and https://glassdoor.com/mz-survey/interview/collectQuestionsinput.htm/ by caching XSS payloads via cookie and header params into a stored XSS for URLs /Award/ and...

AI score 6.2 | Exploits 0

Hacker One | added 2022/06/30 2:34 p.m. | 28 views

Kubernetes: RCE on ingress-nginx-controller via Ingress spec.rules.http.paths.path field

A vulnerability was exploited that allowed arbitrary files to be written and executed on the ingress-nginx-controller pod through the manipulation of Ingress resource specifications. By configuring log formats and locations, malicious configurations could gain remote code execution capabilities o...

AI score 8.6 | Exploits 0

Hacker One | added 2022/06/30 11:47 a.m. | 6 views

U.S. Dept Of Defense: Stored XSS at https://█████

Description: In the registration page https://████, the first name and last name fields are vulnerable to Stored Cross Site Scripting. Proof of concept: For a fast test, use these credentials to log in to my test account: email: █████████ password: ██████. After login, alert document.cookie will be triggered...

AI score 5.7 | Exploits 0

Hacker One | added 2022/06/30 9:41 a.m. | 23 views

Mattermost: DOS: out of memory from gif through upload api

Summary: When sending a specially crafted GIF with max dimensions through the upload API, we get the Mattermost server to consume more than 4 GB of RAM. Steps To Reproduce: 1. Run docker run --name mattermost-preview -d --publish 8065:8065...

CVSS 4 | AI score 0.2 | EPSS 0.00403 | Exploits 1

Hacker One | added 2022/06/29 8:12 p.m. | 19 views

GitHub: DoS via markdown API from unauthenticated user

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the...

CVSS 4 | AI score 2.9 | EPSS 0.01827 | Exploits 0

Hacker One | added 2022/06/29 6:31 p.m. | 24 views

U.S. Dept Of Defense: xmlrpc.php file enabled at ██████.org

The XML-RPC API on WordPress allowed third-party applications and services to interact with WordPress sites, but it opened up two types of attacks: XML-RPC pingbacks and brute force attacks. The xmlrpc.php file was enabled on ██████.org, making it vulnerable to these attacks. Disabling or removin...

AI score 7 | Exploits 0

Hacker One | added 2022/06/29 5:19 p.m. | 15 views

Radancy: Admin account/panel takeOver and Doing actions in admin panel via DOM-based XSS

Hello team, I found DOM XSS in your https://████████/ Webmail Admin Panel that allows an attacker to steal admin sensitive info and do any action in your webmail admin panel. Why and how this vulnerability happens: - if you reviewed the source code of this endpoint of the admin panel "...

AI score 6.8 | Exploits 0

Hacker One | added 2022/06/28 5:29 p.m. | 10 views

HackerOne: Disclosing PolicyPageAssetGroup in Private Programs via /graphql `gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/{id}`

The vulnerability allowed unauthorized users to retrieve sensitive information about private bug bounty programs on HackerOne, including program names, scope details, and the titles of reports. The issue was promptly addressed by the HackerOne team, who recognized its critical severity and awarde...

AI score 6.6 | Exploits 0

Hacker One | added 2022/06/28 4:21 p.m. | 11 views

A.S. Watson Group : PII Disclosure At `theperfumeshop.com/register/forOrder`

A vulnerability was discovered that allowed unauthorized access to personally identifiable information of customers who placed orders on a website. By manipulating web requests, an attacker could view full name, address, phone number, order history and payment details of other customers. This...

AI score 6.7 | Exploits 0

Hacker One | added 2022/06/28 3:59 p.m. | 29 views

Cloudflare Public Bug Bounty: Enable 2Fa verification without verifying email

It was possible to enable the two-factor authentication feature for an unverified Cloudflare account. As a consequence, the legitimate owner of the e-mail address which was used to create the unverified account is unable to log in or reset the password of the Cloudflare account. The issue was fixed by t...

AI score 2.9 | Exploits 0

Hacker One | added 2022/06/28 5:32 a.m. | 16 views

Acronis: Any expired reset password link can still be used to reset the password

Hello Acronis team! When requesting a password reset link at https://alt.5nine.com/passwordrecovery.aspx and using it, after a short time the link becomes invalid. When I open the link I get the message: "Your validation request is invalid or expired". But it is still possible to use it to reset th...

AI score 7.2 | Exploits 0

Total number of security vulnerabilities: 15273