Nextcloud: Unauthenticated SSRF in 3rd party module "cerdic/csstidy"
Summary: The mail extension in nextcloud includes a module called "cerdic/csstidy" which basically ships with a publicly accessible test/example interface to play with the CSS formatter and optimiser /apps/mail/vendor/cerdic/css-tidy/cssoptimiser.php. This module allows contacting any remote serv...
Internet Bug Bounty: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.53 and prior versions...
GitHub: [Git Gud] GitHub.com Svnbridge memcached deserialization vulnerability chain leading to Remote Code Execution
A deserialization of untrusted data vulnerability was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the SVNBridge. To exploit this vulnerability, an attacker would need to gain access via a server-side request forgery (SSRF) that would let an attacke...
Cloudflare Public Bug Bounty: Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts
The OIDC JWT token issued on a new Sign in with Apple ID to the Cloudflare Dashboard had an excessive lifetime. When intercepted by a malicious actor, it enabled impersonation of the affected user on multiple devices during the entire token validity period without the need to re-authenticate. The...
Cloudflare Public Bug Bounty: Sign in with Apple works on existing accounts, bypasses 2FA
It was possible to bypass configured Cloudflare 2FA when logging in to a Cloudflare account using Apple ID authentication flow. A malicious actor could access a Cloudflare account by setting up an Apple ID account using e-mail address matching the one used to set up the targeted account. The issu...
Automattic: Sensei LMS IDOR to send message
Hi there, hope you are doing great. So, there is an option for a student to send a message to a teacher privately on Sensei LMS. Each message sent by a student has a different ID; Student1 cannot access or reply to a message from Student2, which is meant to be private with the teacher. Similarly...
LinkedIn: IDOR - Delete technical skill assessment result & Gained Badges result of any user
The web app is vulnerable to IDOR at DELETE /voyager/api/voyagerAssessmentsDashSkillAssessmentAttemptReports/urn%3Ali%3Afsd_skillAssessmentAttemptReport%3Aurn%3Ali%3Afsd_profile%███%2Curn%3Ali%3Askill%3A280%2C1 HTTP request. Allows an attacker to delete the skill assessment result of any user's...
Adobe: API Key reported in #1465145 not rotated and thus is still valid and can be used by anyone
Adobe appreciates the work and partnership with this security researcher. We value the commitment and dedication to our external security community...
Showmax: lack of rate limit on authentication login page & forgot password page
We received a report about missing rate-limiting functionality that is explicitly mentioned as out-of-scope of our security program. Since migrating our backends to AWS, we have no proper rate-limiting functionality in place. Due to the complexity of our infra stack, we cannot use the standard WAF...
LinkedIn: The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more su
Example: String username = request.getParameter("username"); String password = request.getParameter("password"); int authResult = authenticateUser(username, password); The security tokens can be bypassed easily; they don't make user accounts safe. //script - check attached file Impact Technical...
GitLab: Unauthenticated IP allowlist bypass when accessing job artifacts through gitlab pages at `{group_id}.gitlab.io`
Summary An owner of a group can restrict access to the group, subgroups and projects to only work from a specific IP range. See documentation link To ensure only people from your organization can access particular resources, you can restrict access to groups by IP address. This will restrict most...
Shopify: Self XSS in https://linkpop.com/dashboard/admin
Summary: Hello Shopify team, Found a self XSS at https://linkpop.com/dashboard/admin, the steps to reproduce are below Steps To Reproduce: 1- Visit https://linkpop.com/dashboard/admin 2- Click on links = add links 3- add in the url input javascript:alert(document.cookie) F1757141 4- Click on the link...
Reddit: Several Subdomains Takeover
There are some subdomains of reddit.com that are vulnerable to subdomain takeover. I found these subdomains while I was testing the subdomains of reddit.com. Steps To Reproduce: add details for how we can reproduce the issue 1. create a user account on reddit.com. 2. there are some...
Dropbox: Abuse cookie-modification, toast HTML and expired domain in CSP-form-action replacing login-page at www.dropbox.com/login to submit creds externally
The report demonstrates a method of stealing user credentials by exploiting a permissive domain name check in combination with an outdated Dropbox URL in the content-security-policy. A fix for the issue has been released and it was applied for existing users through an automatic update. An attack...
Automattic: Unauthenticated Private Messages Disclosure via WordPress REST API
Vulnerable Plugin: Sensei LMS Hi there, Hope you are doing well. So, I noticed that there is an option to contact a teacher on Sensei LMS which is meant to be private. By default, other users can't see the question I asked the teacher. But using /wp-json/wp/v2/sensei-messages/ where a numeric ID ca...
Shopify: Production Key and Data Found on Subdomain No Longer Operated by Shopify / Dangling DNS
The production key and data were found on a subdomain no longer operated by Shopify. The subdomain was pointing to an IP address that did not belong to Shopify. The DNS record for the subdomain was removed, but no Shopify services were impacted...
curl: KRB-FTP: Security level downgrade
Summary: libcurl doesn't fail the FTP connection if Kerberos authentication fails for some reason, but rather reverts to using regular clear text password authentication. The logic is in lib/ftp.c ftp_statemachine:...
curl: CVE-2022-32208: FTP-KRB bad message verification
Summary: libcurl handles the gss_unwrap GSS_S_BAD_SIG error incorrectly. This enables a malicious attacker to inject arbitrary FTP server responses into a GSSAPI-protected FTP control connection and/or make the client consume unrelated heap memory as an FTP command response. The defective krb5_decode function is...
curl: Heap overflow via HTTP/2 PUSH_PROMISE
Summary: libcurl's HTTP/2 support processes incoming PUSH_PROMISE headers by storing them in an array. The code initially allocates storage for 10 headers and then keeps doubling the array size as needed: stream->push_headers_alloc *= 2; headp = Curl_saferealloc(stream->push_headers, stream->push_headers_alloc...
GitLab: CSP-bypass XSS in project settings page
Summary This JavaScript function is vulnerable: deployKeyRowHtml(key, isActive) { const isActiveClass = isActive || ''; return `${key.title} ${sprintf('Owned by %{image_tag}', { image_tag: ... }, false)} ${escape(key.fullname)} ${key.username}`; } It is used to render a deployment key in a dropdown item...
Nextcloud: Missing length validation of user displayname allows to generate an SQL error
Security advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6w9f-jgjx-4vj6...
LinkedIn: Campaign Account Balance and History Disclosed in API Response
During the security assessment of the application, it has been observed that server-side authorization checks are not implemented on the 'GET /campaign-manager-api/campaignManagerAccounts/:campaignId/accountCredits?q=account' HTTP request. As a result, an attacker can fetch the campaign wallet...
LinkedIn: Improper access control on Linkedin Page
An improper access control vulnerability was discovered on the LinkedIn page, allowing a user with the role of analyst to publish posts even after their role was changed from super admin...
GitHub Security Lab: Python : Add query to detect PAM authorization bypass
Vulnerability description not provided...
TikTok: IDOR in family pairing API
Vulnerability description not provided...
Yelp: installed.json sensitive file was publicly accessible on your web application which discloses information about authors and admins
Kindly, if you don't accept this issue, please close it as informative; thanks in advance. Description: The installed.json file is a sensitive file and it was publicly accessible on your web server, which discloses some information about your web site and users, such as authors like admin, as shown...
Shopify: Information disclosure ( Google Sales Channel )
In the reviews on apps.shopify.com the Google sales channel has a review count of 5407, but the actual number of Shopify stores that use the Google channel is, I believe, more than that number, so I think this vulnerability can have an impact on many Shopify stores. Here I found a vulnerability where...
Alohi: Weak rate limit for SIGN.PLUS email verification
zeesozee identified a way to reset the rate limit concerning the "Confirm your email" verification endpoint for new accounts. This increases the chance of successful bruteforce from an attacker who would try to register with a fake email. The issue was fixed immediately...
Phabricator: Deprecated owners.query API bypasses object view policy
The deprecated owners.query API does not check object view policy. A user is able to view some information about an owner package which they do not have permission to see by calling this API. Since the API is deprecated, it could just be removed. Impact An attacker is able to view some informatio...
Rocket.Chat: Clickjacking at open.rocket.chat
The open.rocket.chat instance was found to have a misconfiguration issue with the "X-FRAME-OPTIONS" header, which could have allowed for clickjacking attacks. The issue was acknowledged and accepted by the Rocket.Chat team. However, they no longer accept vulnerability reports for their clients or...
Node.js: Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy
Summary: When using Undici with its ProxyAgent, it does not use CONNECT or correctly verify the upstream server's HTTPS certificate. Description: This affects both Undici itself and global fetch in Node 18 when used with Undici's ProxyAgent. I've submitted this here for Node as it affects global...
Reddit: Misconfigured login page able to lock login action for any account without user interaction
Summary While observing a few things about the login feature, I found that the account was locked after a certain number of requests. Although this feature is actually added to prevent problems such as rate limiting, it is open to account lockout attacks by attackers. PoC 1. Save this code as exploit.p...
GitHub Security Lab: CPP: Add query for CWE-243 Creation of chroot Jail Without Changing Working Directory
This bug was reported directly to GitHub Security Lab...
GitLab: Bypass for Domain-level redirects (Unvalidated Redirects and Forwards)
Summary F1745460 While testing for the ability to define custom redirects in GitLab Pages, I discovered I was able to define domain-level redirects, which are explicitly disabled in the documentation. At first glance, the validation step seems to disable any link not starting with /, It has...
LinkedIn: Can access the job name, creator name and can report any draft/under review/rejected job
The application has a functionality using which a user can report a job if they find the job misleading, spam or fraudulent. Using this feature, an attacker can report any unlisted draft/under review/rejected job. After reporting the job, the victim will receive an email from 'LinkedIn Trust & Safe...
HackerOne: HTML Injection in email via Name field
Hello Gents, I would like to report an issue where attackers are able to inject HTML into the Name field at app.qualified.dev. Steps to reproduce: 1. Please register at https://app.qualified.dev/signup 2. Inject the Name field with any HTML payload. 3. Open the victim's test email; HTML will be...
Exodus: 2 Cache Poisoning Attack Methods Affect Core Functionality www.exodus.com
Summary: www.exodus.com hosts static JS and CSS files on Server: cloudflare, which are cached by Cloudflare and passed to all other users accessing the source. I was able to impact the core functionality by using a custom HTTP. Here are the details of the 2 bugs. Steps To Reproduce: 1. 501 Not...
Flickr: Open Redirect
A misconfiguration of the routing system was at fault. A wildcard URL pattern existed with the intention to send visitors to a 404 page but this wasn't reliably working. Now when the wildcard handler catches a URL it redirects reliably to a dead end 404 page...
Stripe: Mass Account Takeover at https://app.taxjar.com/ - No user Interaction
@beerboyankit discovered an IDOR in the user invite link in Taxjar. This could have allowed an attacker to take over a user's account. The vulnerability was caused by a leaked token in the delete invitation request feature and resolved by using the invitation ID instead of the token to look up th...
Rocket.Chat: Regex account takeover
Summary: get admin reset token with an authenticated user Description: a normal user login can access the admin reset token and set a new password for the admin user Releases Affected: 3.18.5 3.0.5 Steps To Reproduce from initial installation to vulnerability: Add details for how we can reproduce the issue...
Glovo: Exposed valid AWS, Mysql, Sendgrid and other secrets
Summary: Hi team, I just discovered some hardcoded credentials allowing access to AWS, a MySQL database, ... To make this report short, here is the POC: see ███ & █████ Steps To Reproduce: where the info is: APP_NAME=Glovo APP_ENV=local APP_KEY=█████ APP_DEBUG=false APP_URL=http://localhost...
Stripe: Bypassing domain deny_list rule in Smokescreen via double brackets [[]] which leads to SSRF
@sim4n6 discovered a bypass of the domain denylist rule in github.com/stripe/smokescreen using double brackets. This could have led to a server-side request forgery (SSRF) vulnerability for users of smokescreen. The vulnerability was caused by only stripping one set of brackets before processing a...
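The cause stated above, a denylist compared against a host from which only one pair of brackets has been stripped, is an instance of a general bug: the value that is checked is not the value that is later resolved and connected to. The Go program below is an added illustration and is not smokescreen's code; the function names, the denylist entries and the probe hostnames are all constructed for this example. It shows a one-pass strip letting a double-bracketed host past the denylist, and a fixed-point canonicalization that closes the gap.

```go
package main

import (
	"fmt"
	"strings"
)

// stripBracketsOnce removes a single surrounding "[...]" pair (the URL syntax
// for IPv6 literals) and leaves anything else untouched. This models a
// one-pass normalization performed before a denylist lookup.
func stripBracketsOnce(host string) string {
	if len(host) >= 2 && strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
		return host[1 : len(host)-1]
	}
	return host
}

// canonicalHost trims, lowercases and strips brackets until nothing changes,
// so the value compared against the denylist is the same value that would be
// handed to DNS resolution and the outbound dial.
func canonicalHost(host string) string {
	h := strings.ToLower(strings.TrimSpace(host))
	for {
		next := stripBracketsOnce(h)
		if next == h {
			return h
		}
		h = next
	}
}

// denied reports whether host equals a denylist entry or is a subdomain of one.
func denied(denylist []string, host string) bool {
	for _, d := range denylist {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// NaiveAllowed is the flawed check: strip one bracket pair, then compare.
// "[[internal.example]]" becomes "[internal.example]", which matches nothing.
func NaiveAllowed(denylist []string, rawHost string) bool {
	return !denied(denylist, stripBracketsOnce(rawHost))
}

// FixedAllowed canonicalizes to a fixed point before comparing. A caller must
// also dial canonicalHost(rawHost), never rawHost, so the checked host and the
// connected host cannot diverge.
func FixedAllowed(denylist []string, rawHost string) bool {
	return !denied(denylist, canonicalHost(rawHost))
}

func main() {
	// Constructed denylist and probe hosts for the demonstration only.
	deny := []string{"internal.example", "169.254.169.254"}
	probes := []string{
		"internal.example",
		"[internal.example]",
		"[[internal.example]]",
		"[[[169.254.169.254]]]",
		"public.example",
	}
	for _, h := range probes {
		fmt.Printf("%-24s naive=%-5v fixed=%v\n", h, NaiveAllowed(deny, h), FixedAllowed(deny, h))
	}
}
```

The program makes no network connections; it only contrasts the two comparison strategies. The practical rule it demonstrates is to canonicalize once, to a fixed point, and to use that single canonical value for both the policy decision and the connection.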
Kubernetes: Bypass validation parts in AWS IAM Authenticator for Kubernetes
Multiple bypasses were discovered in AWS IAM Authenticator for Kubernetes. An attacker could craft a token without a signed cluster ID header and use it for replay attacks, manipulate the extracted AccessKeyID to gain higher permissions in the cluster, and send a request to other action values...
Nextcloud: Ownership check missing when updating or deleting attachments
Summary: Ownership check is missing for attachments. Steps To Reproduce: 1. Open mail app 2. Compose a new message 3. Attach some file 4. Send message 5. Copy the xhr request and modify the attachment ids 6. See that localmessageid is changed for a different user When you compose a message and pu...
GitLab: XSS: `v-safe-html` is not safe enough
The v-safe-html directive uses DOMPurify to remove the 'data-remote', 'data-url', 'data-type' and 'data-method' attributes from HTML tags. Rails-js relies on another attribute, data-disable-with, to show HTML content when a user clicks on a disabled link. For example, the following text will bypass the...
Brave Software: Browser is not following proper flow for redirection cause open redirect
Summary: The Brave browser is not following the proper flow for redirection. The browser directly redirects to the site present in the redirect parameter without confirming with the main site server. I have found this vulnerability and it affects Facebook. Facebook uses l.facebook.com/l.php?u=...
GitHub Security Lab: [Java]: Flow sources and steps for JMS and RabbitMQ
This bug was reported directly to GitHub Security Lab...
Acronis: unauth mosquitto (client emails, IPs, license keys exposure)
Hi team Summary connect.acronis.com (IP 88.99.142.45:1883) has an unauthenticated mosquitto MQTT broker; anyone can connect and read/write messages. Steps To Reproduce add details for how we can reproduce the issue 1. https://github.com/bapowell/python-mqtt-client-shell 1. python3 mqtt_client_shell.py 1. connection 1...
GitLab: New /add_contacts /remove_contacts quick commands susceptible to XSS from Customer Contact firstname/lastname fields
Summary In GitLab 15.0.0 a new Customer Relations feature was added that allows us to use quick actions to find the contact we wish to select. However, I noticed that if I set the contact's first name or last name to alert(document.domain) we can get the XSS to trigger when we are attempting to use...
LinkedIn: Rate limit bypass on contact-us through IP Rotator (Burp extension) (https://www.linkedin.com/help/linkedin/solve/contact)
Hello team, I have found an issue on https://www.linkedin.com/help/linkedin/solve/contact which spams the mailbox of the victim through the alternative email and support team. Steps 1. Go to https://www.linkedin.com/help/linkedin/solve/contact 2. Fill in the form 3. Fill in the victim's mail ID in alternative emai...