TikTok: Email address disclosure via invite token validation
The possibility of email address disclosure was found on a Business.TikTok.com endpoint as no rate limit was implemented on the invite token. We thank @noobbutcut3 for reporting this to our team...
TikTok: IDOR in report download functionality on ads.tiktok.com
An IDOR (Insecure Direct Object Reference) vulnerability was found on a TikTok Ads endpoint within the report download functionality. We thank @fm for reporting this to our team...
Internet Bug Bounty: rubygems.org Batching attack to `confirmation_token` by bypass rate limit
The following is copied from hackerone's report. https://hackerone.com/reports/1529183 --- I confirmed that EmailConfirmationsController has the same problem as https://hackerone.com/reports/449356...
HackerOne: Blind XSS in app.pullrequest.com/████████ via /reviews/ratings/{uuid}
Summary: Hi, While researching PullRequest yesterday, I saw some "review" endpoints in web archive of "app.pullrequest.com". http://web.archive.org/cdx/search/cdx?url=app.pullrequest.com/&output=text&fl=original&collapse=urlkey One of them was...
curl: CVE-2022-30115: HSTS bypass via trailing dot
curl allows users to load an HSTS cache which will cause curl to use HTTPS instead of HTTP given an HTTP URL for a site specified in the HSTS cache. If a trailing dot is used, the HSTS check will be bypassed. If a user has a preloaded hsts.txt: Your HSTS cache. https://curl.se/docs/hsts.htm...
U.S. Dept Of Defense: Exposure of Private Personal Information to an Unauthorized Actor - PII and soldier data (mos, schools, and speciality training)
The vulnerability exposed private personal information of soldiers, including their last four digits of Social Security number, home of record, military occupation specialty, and school records, to unauthorized users on the https://█████████/SelfService/home/selfservice website. The vulnerability...
U.S. Dept Of Defense: Found Origin IP's Lead To Access ████
Discovered that the ██████ site exposed its non-Cloudflare IP, which could allow bypassing of anti-DDoS mechanisms. Your origin servers are not blocking access from non-Cloudflare servers. This way crawlers can find your origin servers' IPs by checking random IPs until they find your origin server...
curl: CVE-2022-27782: TLS and SSH connection too eager reuse
Summary: Curl fails to consider some security-related options when reusing TLS connections. For example: - CURLOPT_SSL_OPTIONS - CURLOPT_PROXY_SSL_OPTIONS - CURLOPT_CRLFILE - CURLOPT_PROXY_CRLFILE As a result, for example, a TLS connection with lower security (CURLSSLOPT_ALLOW_BEAST, CURLSSLOPT_NO_REVOKE) connecti...
U.S. Dept Of Defense: RXSS on █████████
I found RXSS on https://███████/██████ Impact Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious...
Shopify: Collaborators and Staff members without all necessary permissions are able to create, edit and install custom apps
Summary: Custom Apps - Permissions The store owner, collaborators and staff members can create, edit and install custom apps for their Shopify store. Therefore, these users need multiple permissions. The permissions View apps developed by staff and collaborators Develop apps and Manage and install...
curl: CVE-2022-27781: CERTINFO never-ending busy-loop
Summary: Curl is prone to a DoS attack in case the NSS TLS library is used and the CERTINFO option is enabled. Using maliciously crafted certificates on a server, an attacker can make curl run into an endless loop when connecting to the server. The bug is located in the following code segment...
curl: match
Steps To Reproduce: The lib/telnet.c suboption function incorrectly checks the sscanf return value. Instead of checking that 2 elements are parsed, the code also continues if just one element matches: if(sscanf(v->data, "%127[^,],%127s", varname, varval)) As such it is possible to construct environment...
TikTok: IDOR on Tagged People
An Insecure Direct Object Reference (IDOR) vulnerability was found on the TikTok app where a user was able to tag any other user on videos that don't belong to them. We thank @apapedulimu for reporting this to our team. Write-Up:...
U.S. Dept Of Defense: CVE-2020-3187 - Unauthenticated Arbitrary File Deletion
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted...
U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA
I found out that https://█████████/ was vulnerable to CVE-2020-3452. The IP has an SSL certificate pointing to █████████ curl -kv https://██████████/ Output Server certificate: subject: C=US; ████.mil Impact Anyone can read any file present on the server. System Hosts ███ Affected Products and...
U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA
I found out that https://█████/ was vulnerable to CVE-2020-3452. The IP has an SSL certificate pointing to ██████████ curl -kv https://███████/ Output; Server certificate: ███ Impact Anyone can read any file present on the server. System Hosts █████ Affected Products and Versions CVE Numbers...
Automattic: Site information's Display Name section vulnerable to XSS attacks and HTML injection.
Summary: Hi, Greetings. I have found that the site information's Display Name section on try.pressable.com is vulnerable to potential XSS attacks and HTML injection. Steps To Reproduce: 1. Visit https://try.pressable.com 2. Create a new site. 3. On the Display Name section, put the XSS / HTML...
TikTok: XSS Payload on TikTok Seller Center endpoint
Stored Cross-Site Scripting (XSS) was found on the "Edit Product" page of a TikTok Seller Center endpoint via the "Product Name" field. We thank @aidilarf2000 for reporting this to our team...
curl: CVE-2022-27780: percent-encoded path separator in URL host
Summary: URL decoding the entire proxy string could lead to SSRF filter bypasses. For example, when the following curl specifies the proxy string http://example.com%2F127.0.0.1 - if the curl URL parser or another RFC 3986 compliant parser parses the initial string http://127.0.0.1%2F.example.com, it...
curl: CVE-2022-27778: curl removes wrong file on error
Summary: The curl command has a logic flaw that results in removal of the wrong file when combining --no-clobber and --remove-on-error, if the target file name exists and an error occurs. Steps To Reproduce: 1. echo "important file" > foo 2. echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 666\r\n\r\nHello\n"...
curl: CVE-2022-27779: cookie for trailing dot TLD
Summary: In CVE-2014-3620 curl prevents cookies from being set for Top Level Domains (TLDs). According to the advisory, curl's "cookie parser has no Public Suffix awareness", but it will "reject TLDs from being allowed". However, a cookie can still be set for a TLD + trailing dot. A trailing dot...
Internet Bug Bounty: OAUTH2 bearer not-checked for connection re-use
libcurl might reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTPS, IMAPS, POP3S and LDAPS (openldap only). libcurl maintains a pool of connections afte...
Internet Bug Bounty: CVE-2022-27776: Auth/cookie leak on redirect
Summary: curl/libcurl can be coaxed to leak Authorization / Cookie headers by redirecting a request to an http:// URL on the same host. Successful exploitation requires that the attacker can either Man-in-the-Middle the connection or can access the traffic at the recipient side, for example by...
Internet Bug Bounty: CVE-2022-27775: Bad local IPv6 connection reuse
Summary: curl/libcurl doesn't consider the IPv6 address zone index when doing connection reuse. If a connection exists to a specific IPv6 address and the other conditions for connection reuse are fulfilled, it will be reused for connections regardless of the zone index. Steps To Reproduce: 1. Set up a fake...
Internet Bug Bounty: CVE-2022-27774: Credential leak on redirect
Summary: curl/libcurl can be coaxed to leak user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL. Steps To Reproduce: 1. Configure for example Apache2 on firstsite.tld to perform a redirect with mod_rewrite: RewriteCond %{HTTP_USER_AGENT} "^curl/" RewriteRule ^/redirectpoc...
Reddit: Able to bypass email verification and change email to any other user email
The reporter discovered they were able to hijack invites to other ads teams by adding the extra field, email, to a request that would allow them to bypass email verification. By doing so they were able to accept invites to ads teams on behalf of others and assume the role of the invitee with thei...
Shopify: Staff without Manage Themes permissions can update themes
Vulnerability description not provided...
Internet Bug Bounty: CVE-2022-28738: Double free in Regexp compilation
Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a “double free” vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from...
curl: CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 bypass if string not 32 chars
Summary: Due to a logic flaw in CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 handling, the host fingerprint validation will be bypassed if the passed string is not exactly 32 characters long. Steps To Reproduce: 1. curl_easy_setopt(curl, CURLOPT_SSH_HOST_PUBLIC_KEY_MD5, "afe17cd62a0f3b61f1ab9cb22ba269a"); // 31 chars ...
TikTok: DOM XSS on ads.tiktok.com
A Cross-Site Scripting (XSS) vulnerability was found on a TikTok Ads endpoint via the "settings" parameter, caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. We thank @0x7 for reporting this to our team...
curl: CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 comparison disaster
Summary: The CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 base64-encoded host fingerprint is compared case-insensitively by accident. This means that it is technically possible, however still difficult, to create a forged SSH host key that matches in this comparison. The bug appears to have been introduced when adding...
Recorded Future: Storage of old passwords in plain text format
Summary: The server response from app.recordedfuture.com has old passwords for a logged-in account in plain text format. Storage of passwords in any readable format or using weak hashes puts the account or system at great risk. What's interesting is how RecordedFuture stores multiple passwords, not just...
Reddit: Reflected XSS in https://sh.reddit.com
Summary: Reflected cross-site scripting, or XSS, arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Impact: an attacker can execute malicious JavaScript and steal cookies. Steps To Reproduce: add details for how we can...
GitHub Security Lab: [CPP]: Add query for CWE-754: Improper Check for Unusual or Exceptional Conditions when using functions scanf
This bug was reported directly to GitHub Security Lab...
Hyperledger: Unauthorized packages modification or secrets exfiltration via GitHub actions
Thank you to @dustywormwood for working closely with the Iroha team to fix this issue. You can learn more about this vulnerability type at https://github.com/nikitastupin/pwnhub. Thanks to the Hyperledger team for thorough remediation and clear communication!...
curl: --libcurl code injection via trigraphs
Summary: curl command --libcurl option can be tricked to generate C code that when compiled contains arbitrary code execution. Steps To Reproduce: 1. curl --libcurl client.c --user-agent "??/";char c='i','d',' ','','x',0,m='r',0;fclosepopenc,m;//" http://example.invalid 2. gcc -trigraphs client.c...
U.S. Dept Of Defense: Unauthorized Access to Internal Server Panel without Authentication
The server can be accessed without any authentication and it contains information that should not be kept public for anyone. I advise you to take a look at whether this data is sensitive or not! References ███████ Impact There might be sensitive info that should not be leaked to the public. System Hos...
Aiven Ltd: [Kafka Connect] [JdbcSinkConnector][HttpSinkConnector] RCE by leveraging file upload via SQLite JDBC driver and SSRF to internal Jolokia
Summary: The Aiven JDBC sink includes the SQLite JDBC Driver. This JDBC driver can be used to upload SQLite database files onto the server. The HTTP sink connector allows sending HTTP requests to localhost. There is unprotected Jolokia listening on localhost:6725. JMX exports the...
Shopify: Disconnecting an external login provider does not revoke session
Hi team, Summary: An attacker could create a backdoor using the Google login function. If an attacker stole a victim's login password through any means, the attacker could connect his/her Google account and create a backdoor, and the attacker could log in with Google. If the victim disconnects the attacker's session, the session did no...
curl: CVE-2022-27776: Auth/cookie leak on redirect
Summary: Curl can be coaxed to leak Authorisation / Cookie headers by redirecting a request to an http:// URL on the same host. Successful exploitation requires that the attacker can either Man-in-the-Middle the connection or can access the traffic at the recipient side, for example by redirecting to a...
SKALE Network: Stack Buffer Overflow via `gmp_sprintf` in `BLSSignature` and `BLSSigShare`
A security researcher identified a stack buffer overflow vulnerability in libBLS. While the risk was very low and nothing was directly exploitable through the Network or Adjacent Network (the vulnerability requires local access to a machine and subsequent code changes to libBLS), the security team went...
Omise: Anonymous access control - Payments Status
Summary: The Payments Status function on the website was found to be accessible anonymously. Payment status should only be accessible by accounts that made the payment and are successfully logged in. Steps To Reproduce: Access the payment status function anonymously, without logging in, as i...
curl: CVE-2022-27775: Bad local IPv6 connection reuse
Summary: Curl doesn't consider the IPv6 address zone index when doing connection reuse. If a connection exists to a specific IPv6 address and the other conditions for connection reuse are fulfilled, it will be reused for connections regardless of the zone index. Steps To Reproduce: 1. Set up a fake server: ech...
Insightly: returnUrl= allows an attacker to redirect users to another phishing website and take over credentials
The application at https://crm.na1.insightly.com was found to be vulnerable to a redirect vulnerability. An attacker could have redirected users to a malicious website by manipulating the 'returnUrl' parameter in the login authentication process. This could have allowed the attacker to potentiall...
Kubernetes: SSRF vulnerability can be exploited when a hijacked aggregated api server such as metrics-server returns 30X
Report Submission Form Summary: This report uses metrics-server as an example, but it should be applicable to any aggregated API server. When metrics-server is hijacked, either by modifying the container image directly or by running other pods using the same label selector in the kube-system namespace...
curl: CVE-2022-27774: Credential leak on redirect
Summary: Curl can be coaxed to leak user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL. Steps To Reproduce: 1. Configure for example Apache2 on firstsite.tld to perform a redirect with mod_rewrite: RewriteCond %{HTTP_USER_AGENT} "^curl/" RewriteRule ^/redirectpoc...
Reddit: Moderators can send messages to users from banned subreddits via `oauth.reddit.com/api/mod/conversations`
Summary: It is possible for moderators to send messages to users from a banned subreddit. I assume this is not intended considering that when trying to send a message as a banned subreddit via reddit.com/message/compose from field you get a 200 response but the message is never delivered to the...
GitLab: DOS via issue preview
Summary Previewing an issue with a specially-crafted description results in high CPU usage for 60 seconds (the request timeout). Multiple requests can be issued in parallel to create a larger impact. Steps to reproduce 1. Given an authorized user on GitLab.com - anyone can self-register. On EE - depend...
GitLab: DOS via move_issue
Summary Moving an issue with a specially-crafted description results in high CPU usage for 60 seconds (the request timeout). Multiple requests can be issued in parallel to create a larger impact. Steps to reproduce 1. Given an authorized user on GitLab.com - anyone can self-register. On EE - depends on...