Cloudflare Public Bug Bounty: Basic XSS [WAF Bypasses]
Vulnerability description not provided...
Internet Bug Bounty: CVE-2022-32208: FTP-KRB bad message verification
When curl does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. Impact Loss of integrity of FTP-KRB transfers...
Internet Bug Bounty: CVE-2022-32207: Unpreserved file permissions
When curl saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally widen the permissions for the target file, leaving the update...
Internet Bug Bounty: CVE-2022-32206: HTTP compression denial of service
curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited...
Internet Bug Bounty: CVE-2022-32205: Set-Cookie denial of service
A malicious server can serve excessive amounts of Set-Cookie: headers in an HTTP response to curl and curl stores all of them. A sufficiently large amount of big cookies makes subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the...
curl: CVE-2022-35252: control code in cookie denial of service
Summary: I took a look at https://github.com/curl/curl/pull/9048/commits/d7bcbc7d8d4b6d972d3da12d54819169a19c287b, a sneak peek on a vulnerability to be announced tomorrow. My guess for that vulnerability is that since cookies are persistent, someone who can trick curl into storing cookies can sto...
Stripo Inc: Non-revoked API Key Information disclosure via Stripo_report()
Talking about report 983331, where a security researcher reported a secret API key leakage vulnerability in a JavaScript file at Stripo. This report is disclosed on HackerOne, and the team at Stripo have forgotten to blur the API keys from the report before disclosing it to the public. The API keys...
TikTok: Improper user validation on mentions and hashtags
Vulnerability description not provided...
GitLab: RCE via the DecompressedArchiveSizeValidator and Project BulkImports (behind feature flag)
Summary The DecompressedArchiveSizeValidator is used to check the size of an archive before extracting it: https://gitlab.com/gitlab-org/gitlab/-/blob/v15.1.0-ee/lib/gitlab/import_export/decompressed_archive_size_validator.rb#L82 ruby def command "gzip -dc @archive_path | wc -c" end def validate pgrp =...
Judge.me : Improper Access Control in Ali Express Importer
An improper access control vulnerability was found in the Ali Express Review Importer app, which allowed staff members with no access to the Judge.me app to view all reviews, including hidden and archived ones, from the Judge.me app. The vulnerability was exploited by intercepting and replacing t...
Reddit: Rate limit is implemented in Reddit, but it's not working.
Vulnerability description not provided...
LinkedIn: IDOR allows an attacker to delete anyone's featured photo.
An Insecure Direct Object Reference (IDOR) vulnerability allowed an attacker to delete anyone's featured photo on LinkedIn by manipulating the parameters in the delete request. This vulnerability was exploited by obtaining the necessary parameters from the victim's profile link and replacing them i...
Krisp: Authentication bypass for ███ leads to takeover of any user's account.
@n0m3rcy has identified and reported an account takeover issue which required no user interaction. We would like to thank @n0m3rcy for reporting it responsibly to our bug bounty program!...
Nextcloud: SSRF via potential filter bypass with too lax local domain checking
Summary: Hi. Reviewing the code for filtering for SSRF, in preventLocalAddress, we can see that it calls the function ThrowIfLocalAddress. It has three common checks: first, it checks if the string is localhost, or if it ends in .local or .localhost php // Disallow localhost and local network if...
8x8: CVE-2019-11248 on http://█.█.█.█:9100/debug/pprof/goroutine
@mrk0anti reported to us an exposed debugging endpoint /debug/pprof over the unauthenticated Kubelet healthz port 9100. No sensitive information has been disclosed & the affected host belonged to our staging environment. The issue has been rectified...
Omise: Unauthorized Access - admin roles downgraded to none can still edit projects through Burp Suite
hi team, I found that your site is vulnerable to Unauthorized Access leading to privilege escalation, where when the owner invites a user with admin roles, the user can still edit anything with admin access via Burp Suite; it should get an error message because the admin role has been removed...
LinkedIn: Add email address Authentication bypass
hi, this vulnerability allows access to a user account without email verification in LinkedIn's add email address function page. A user adds the mail2 email address. Without mail2 email address verification, the user can fully access the mail1 LinkedIn account using the mail2 email address. In the LinkedIn mobile...
Nextcloud: @nextcloud/logger NPM package brings vulnerable ansi-regex version
Summary: Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns \;? and ?:;-a-zA-Z\d\/&.:=?%@. Details: Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate...
Panther Labs: Twitter Account hijack through broken link in https://runpanther.io
Summary: A link https://twitter.com/runpanther in https://runpanther.io was broken and anyone could create that account, which leads to account impersonation. Steps To Reproduce: 1. Go to https://runpanther.io 2. Scroll down to the bottom; there you can see the twitter icon. 3. Click on that icon, you will...
Nextcloud: Generated passwords are not fully validated by HIBPValidator
Summary: If the Nextcloud server generates a secure random password, e.g. for sharing files, the validation is checked before the shuffle function str_shuffle is called. In very rare cases it could happen that a password is validated by HIBPValidator before str_shuffle, but would not validate after...
Reddit: Unrestricted File Upload on reddit.secure.force.com
Summary: Reddit.secure.force.com is Reddit's Salesforce instance. An attacker is able to send attachments of disallowed filetypes to this server. The attacker is able to send malicious documents such as CVE-2022-30190 (Follina) to the victim. Impact: Attacker can send malicious files to whoever handles...
U.S. Dept Of Defense: XSS DUE TO CVE-2020-3580
Hello Team, During my research, I found multiple hosts to be vulnerable to Cisco ASA XSS (CVE-2020-3580). This vulnerability targets the SAML service within the VPN. It is triggered via a POST request to domain/+CSCOE+/saml/sp/acs?tgname=a References...
Internet Bug Bounty: CVE-2022-27781: CERTINFO never-ending busy-loop
Published Advisory: https://curl.se/docs/CVE-2022-27781.html Original Report: https://hackerone.com/reports/1555441 Impact Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information...
Shopify: store internal email disclosed through shopify-data-exporter
Summary: Hey Shopify, When a store installs the shopify-data-exporter app to export various data of the store, a link is sent to the store's internal email. This internal email is disclosed via the below request to anyone json GET /?shop=yourstore.myshopify.com HTTP/2 Host:...
Cloudflare Public Bug Bounty: I found another way to bypass Cloudflare Warp lock!
It was possible to bypass the Lock WARP switch feature on the WARP iOS mobile client by enabling both the "Disable for cellular networks" and "Disable for Wi-Fi networks" switches at once in the application settings. Such a configuration caused the WARP client to disconnect and allowed the user to bypass...
Hyperledger: Remote denial of service in HyperLedger Fabric
This issue was caused by a missing check of nil. An orderer to orderer consensus message that contains an empty inner message crashes the node because it attempts to figure out its type and the mere action of determining the type of a nil pointer, causes a panic. Thank you to Haosheng Wang of OPP...
Nextcloud: Information exposure in guzzlehttp/guzzle (https://github.com/nextcloud/3rdparty/tree/master/guzzlehttp/guzzle)
Summary: Affected versions of this package are vulnerable to Information Exposure: it fails to strip the Authorization header on HTTP downgrade. This dependency is out of date and it can lead to stealing the authorization header. Steps To Reproduce:...
GitHub Security Lab: PYTHON: CWE-079 - Add query for email injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CPP: Pam Authorization Bypass
Vulnerability description not provided...
Panther Labs: reflected XSS on panther.com
Summary: When visiting runpanther.io I got redirected to panther.com and the application failed to sanitise the user's input, resulting in HTML injection and possible XSS. Steps To Reproduce: F1774502 1. Go to...
Acronis: HTML Injection in E-mail Not Resolved ()
Summary On this report " https://hackerone.com/reports/1536899 " you closed the report and changed the status to Resolved. But it's Not Resolved; the bug is still there. Steps To Reproduce 1. Please register at https://www.acronis.com/en-us/products/cyber-protect/trial/registration with the victim...
Internet Bug Bounty: Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag
It seems to be a problem caused by a difference between the nokogiri Java implementation and the Ruby implementation. JRuby 9.3.3.0, nokogiri Java, use Rails::Html::SafeListSanitizer.new.sanitize, allow select/style tag code tags = %wselect style puts...
Internet Bug Bounty: Undici ProxyAgent vulnerable to MITM
Full GitHub advisory summarizing the issue is here: https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 The original Node.js HackerOne report is here: https://hackerone.com/bugs?reportid=1583680 This was fixed & disclosed in Undici v5.5.1. This primarily affects Undici, a...
TikTok: TikTok's pixel/sdk.js leaks current URL from websites using postMessage
A vulnerability was found where an OAuth token could have been leaked due to an origin check bypass in the TikTok Pixel SDK. We thank @fransrosen for reporting this to our team...
HackerOne: Stored XSS on www.hackerone.com due to deleted S3-bucket from old page_widget
A stored XSS vulnerability was found on www.hackerone.com due to a deleted S3 bucket from an old page_widget. An attacker could claim the bucket and run JavaScript on the website, potentially allowing them to steal user data or perform actions on behalf of the user. The vulnerability was reported ...
GitHub Security Lab: Golang : Add Query To Detect PAM Authorization Bugs
This bug was reported directly to GitHub Security Lab...
Insightly: Stored XSS in Email Notification
A stored XSS vulnerability was discovered in the email notification feature of the crm.na1.insightly.com platform. The vulnerability allowed an attacker to inject malicious code into the email subject, which was then executed when users viewed the notification. The vulnerability was caused by...
Nextcloud: Brute force protections don't work
Summary: Most of the brute force protections don't actually throttle the response and so they are not logging negative attempts. Search for functions with the @BruteForceProtection annotation and check that they call throttle on the response at least conditionally. Impact Brute force protection is...
Nextcloud: Lack of Brute force protection while joining video call in talk section which is password protected
Advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pf36-jvpv-4hwq...
Reddit: Admin can create a hidden admin account which even the owner cannot detect and remove, and do administrative actions on the application.
ads.reddit.com is an ads creating and managing application for Reddit. The application has the feature to invite other members to the organization and give different roles at ad management. Testing around the role management functionalities, I have noticed that a user with the same email can get...
Nextcloud: Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate
Summary: Call to registerReceiver misses the broadcastPermission argument - no permissions will be checked for the broadcaster, which allows a malicious application to communicate with the broadcast receiver. Supporting Material/References: Screenshot Snyk report references to fixes in other repo...
Internet Bug Bounty: DoS via lua_read_body() [zhbug_httpd_94]
Greetings. I have found a bug that can crash httpd 2.4.53, causing a denial of service. The bug is that lua_read_body (modules/lua/lua_request.c) uses the value of the Content-Length header to allocate memory. While ap_read_request limits Content-Length's value to a non-negative |apr_off_t| via a call to...
Nextcloud: Calendar name length not validated before writing to database
Security advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m92j-xxc8-hq3v...
Nextcloud: Missing character limitation allows generating a database error
Hi Security Team, Summary: ========= There is no limit to the number of characters in the display name, which allows a DoS attack. The DoS attack affects the server side. Description ========= On the input form of Username in nextcloud.com/settings/user there's no input validation; using this you can...
Judge.me : XSS in Widget Review Form Preview in settings
Summary: Hi team, I found an XSS vulnerability in the widget review form preview. The payload is added in the success message and triggers when you preview the form Steps To Reproduce: 1. Login to your Shopify account and open Judge.Me App 2. Go to 'Settings' - 'Review Widget' - 'Widget Form' 3. G...
Internet Bug Bounty: Read beyond bounds via ap_rwrite() [zhbug_httpd_47.2]
Greetings. I have found that ap_rwrite (/server/protocol.c) can cause a read beyond bounds with the extra data sent to an attacker. The bug is that ap_rwrite passes its |int nbyte| argument to buffer_output, where buffer_output's corresponding |len| argument is a |apr_size_t|. Thus, a negative |nbyte| val...
Internet Bug Bounty: Read beyond bounds in mod_isapi.c [zhbug_httpd_41]
Greetings. I have found a read-beyond-bounds bug in httpd that arises from an apparent logic error. The bug is in /modules/arch/win32/mod_isapi.c, on lines 979 and/or 983, which use the length of the path to the ISAPI DLL |strlen(r->filename)| to index into the string specified by the ISAPI DLL itsel...
Internet Bug Bounty: Controllable read beyond bounds in lua_websocket_readbytes() [zhbug_httpd_126]
Greetings. I have found a read-beyond-bounds bug in lua_websocket_readbytes that permits an attacker to exfiltrate a controllable amount of heap data if the victim site runs a suitable LUA program. The bug is due to misuse of ap_get_brigade and apr_bucket_read. The following code from v2.4.53 assumes...
Internet Bug Bounty: Read beyond bounds in ap_strcmp_match() [zhbug_httpd_47.7]
Greetings. I have found a read-beyond-bounds attack against httpd that allows an attacker to search httpd's memory for strings matching an attacker-specified pattern 1. The attack arises from an overflow in ap_strcmp_match (server/util.c). 2 The vulnerability can be reached via an LUA program that us...
GitHub Security Lab: Golang : Hardcoded secret used for signing JWT
This bug was reported directly to GitHub Security Lab...