Cloudflare Public Bug Bounty: Signup with any Email and Enable 2-FA without verifying Email
It was possible to enable the Two-factor authentication feature for an unverified Cloudflare account. As a consequence, the legitimate owner of the e-mail address which was used to create the unverified account is unable to log in or reset the password for the Cloudflare account. The issue was fixed by t...
TikTok: CSRF protection bypass on TikTok Webcast Endpoints
Vulnerability description not provided...
Reddit: Able to approve admin approval and change effective status without adding payment details .
Summary: In https://ads.reddit.com/ you can create a campaign under which you can create ads; once you create a new campaign, it is in the pending stage and will not be delivered unless you add payment details and it is reviewed by admin and approved, according to what it says here...
curl: curl proceeds with unsafe connections when -K file can't be read
Summary: I'm using curl 7.82.0 on Linux. When the file specified by the -K option can't be read, curl sends network traffic as specified by the other options that are explicitly included on the command line; in other words, there's only a warning, and I'd like it to be a fatal error. This behavior...
U.S. Dept Of Defense: lfi in filePathDownload parameter via ███████
hi i found critical lfi vulnerability poc: https://█████████/████████=/etc/passwd response: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin...
TikTok: Stored XSS on TikTok Live Form
A Cross-Site Scripting XSS vulnerability was found on a restricted endpoint by an authenticated user inputting a payload in the "Description" form when creating a LIVE event on the TikTok mobile app. We thank @aidilarf2000 for reporting this to our team...
GitLab: XSS in ZenTao integration affecting self hosted instances without strict CSP
Summary The ZenTao issue integration premium feature is susceptible to an XSS attack by delivering modified API responses to GitLab. This is related and similar to my report https://hackerone.com/reports/1533976 but this time affecting the ZenTao integration. A user can create a project and...
Cloudflare Public Bug Bounty: Bypass Cloudflare WARP lock on iOS.
Lock Warp switch is a feature of Zero Trust platform which, when enabled, prevents users of enrolled devices from disabling WARP client. Due to insufficient policy verification by the client, this feature could be bypassed by using the "Disable WARP" quick action. The issue affected WARP client...
U.S. Dept Of Defense: ██████ SSN/EDPI
The vulnerability allowed authenticated users to request other soldiers' personally identifiable information, including their Social Security numbers and EDIPI, through a simple URL manipulation. The information was obtained by accessing the "listReviews" endpoint with a specific perID parameter...
U.S. Dept Of Defense: Pull Any Automated Record Brief
The vulnerability allows an authenticated user to request other soldiers' Automated Record Briefs ARBs or Officer Record Briefs ORBs by manipulating the URL. The URL contained an identifier that could be incrementally changed to access the records of other individuals. This vulnerability exposed...
MTN Group: Information Disclosure Leads To User Data Leak
Information disclosure is when a web application fails to properly protect confidential information, which results in revealing sensitive information or data of the users, or anything related to users, to any third party. Summary: I am able to get any MTN user's data such as FULL NAME, CUSTOMER TYPE AND...
PortSwigger Web Security: Redirection in Repeater & Intruder Tab
This was a bug in Repeater/Intruder whereby a meta redirect would be followed when a user clicked the follow redirection button regardless of the content type or content disposition headers used on the target web site. This could disclose the referrer header. It was considered a low severity issu...
Nintendo: [WiiU/Switch] Remote code execution inside the ENL library
Vulnerability description not provided...
HackerOne: Race condition in joining CTF group
Summary: A race condition in https://ctf.hacker101.com/group/join allows a user to join the same CTF group multiple times. The user will show up in the group member list multiple times, and affect the group statistics. Description: Interestingly a race condition in this feature was reported in...
Nintendo: [WiiU/Switch] nullptr dereference in the ENL framework
Vulnerability description not provided...
Uber: Full read SSRF in flyte-poc-us-east4.uberinternal.com
Uber summary TBD. @shubs and I discovered an instance of Flyte Console on uberinternal.com. After auditing the open source code, we noticed an unauthenticated route for a “CORS proxy”. This was a classic server-side request forgery issue, allowing us to pass an arbitrary request to be performed b...
EXNESS: subdomain takeover at odoo-staging.exness.io
Domain: https://odoo-staging.exness.io PoC https://odoo-staging.exness.io Cname: $ host odoo-staging.exness.io odoo-staging.exness.io is an alias for exness-stg.odoo.com. exness-stg.odoo.com has address 141.95.172.222 exness-stg.odoo.com mail is handled by 10 eu123a.odoo.com. Impact Scam, phishin...
UPS VDP: Broken access control
Summary: hello ups team, I've found a broken access control vulnerability in your sites. It allows me to access the admin panel of the support team, and I can view all requests within the site. vulnerable domains: connectnb.ups.com Steps To Reproduce: add details for how we can reproduce the issue ...
Omise: IDOR Payments Status
Summary: Found an IDOR weakness in the payment status function. When doing the experiment, I managed to see the payment status of another account. The following is the POC of the experiments carried out. Steps To Reproduce: 1. GET /payments/paymtestxxxx/status HTTP/2 Host: api.omise.co Sec-Ch-Ua...
LinkedIn: [ADMIN FEATURE ACCESS] Knowing The Competitors analytics of any company
Vulnerability description not provided...
Reddit: Regular Expression Denial of Service vulnerability
Summary: The vulnerability I have found is classified as a Regular Expression Denial of Service. While inspecting the source code file RealtimeGQLSubscriptionAsync.js I came across the node module subscriptions-transport-ws. See Screenshot 1. The search result of the subscriptions-transport-ws...
GitHub Security Lab: [Python]: Add Server-side Request Forgery sinks
This bug was reported directly to GitHub Security Lab...
Radancy: Blind SSRF at packagist.maximum.nl
Hello Team, I found a subdomain vulnerable to header-based blind SSRF: packagist.maximum.nl Steps to Reproduce 1 - Go to https://packagist.maximum.nl/ and intercept it. 2 - Send a GET request adding the parameter X-Forwarded-For and adding a header X-Forwarded-For; the value of the header is your Burp...
Acronis: Read-only administrator can change agent update settings
Hello Gents, + While testing eu2-cloud.acronis.com I found that read-only administrators are able to update agents just by editing the HTML! Steps to reproduce: 1. Please login at https://eu2-cloud.acronis.com/mc/ 2. From Users, invite a new user with Read-only administrator role. 3. From Read-on...
U.S. Dept Of Defense: ███ vulnerable to CVE-2022-22954
I found that one of the targets belongs to DOD vulnerable to CVE-2022-22954 where an attacker may be able to execute any malicious code like escalating Remote code execution is also possible Technical Summary: CVE-2022-22954 is a server-side template injection vulnerability in the VMware Workspac...
U.S. Dept Of Defense: ██████████ vulnerable to CVE-2022-22954
I found that one of the targets belongs to DOD vulnerable to CVE-2022-22954 where an attacker may be able to execute any malicious code like escalating Remote code execution is also possible Technical Summary: CVE-2022-22954 is a server-side template injection vulnerability in the VMware Workspac...
Automattic: XSS and HTML Injection on the pressable.com search box
Summary: Hi, I have found that the search box on pressable.com is vulnerable to XSS attack and HTML Injection. Steps To Reproduce: 1. Visit https://pressable.com/knowledgebase/ 2. Put the payload in the search box. XSS Payload: " HTML Injection Payload: Visit Our New WebSite e x a m p l e . c o m...
MTN Group: Unprotected Direct Object Reference
Hello MTN Security Team, During my hunting, I discovered that there's an Insecure Direct Object Reference on https://nin.mtnonline.com Vulnerable Path: https://nin.mtnonline.com/nin/success?message=1 Steps To Reproduce: You may not even need to submit any NIN before accessing this unprotected...
Acronis: Self XSS in attachments name
Hello Gents, + While testing account.acronis.com I found that I could inject an XSS payload into the attachment name at "Support requests". Steps to Reproduce: 1. Please Login at account.acronis.com. 2. From support request, support a new case. 3. Expand Case ID, Leave a comment for support professional...
Acronis: HTML Injection in E-mail
Hello Gents, + While testing "account.acronis.com", I found that "first name" could be injected with HTML tags while sending an email invitation. But this attack requires user interaction to confirm the email first, then he/she will receive a welcome email "Welcome to your Acronis Cyber Protect...
UPS VDP: Reflected XSS on https://wwwapps.ups.com/ctc/request?loc=
Summary: ========= Details XSS ----------- Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a...
SMTP2GO BBP: Origin IP found, WAF Cloudflare Bypass
Description: I have discovered that the http://172.105.190.180/login/ site exposed its IP, which could allow bypassing of anti-DDoS mechanisms, i.e. you are using Cloudflare for protection. The origin IP address I found from https://search.censys.io/ By using this IP address as a resolver...
U.S. Dept Of Defense: Reflected XSS via `████████` parameter
Hello everyone, I came across a page that allows users to subscribe to certain forum posts at https://███ I noticed that the ████ parameter is reflected in the Page without filtering dangerous characters such as except the = character which is filtered by default, but this can be circumvented by...
TikTok: Stored XSS Payload when sending videos
A Cross-Site Scripting XSS payload was found via the text used when sending videos to a friend, which could have resulted in session hijacking, user impersonation, or client-side attacks. We thank aidilarf2000 for reporting this to our team. Don't forget Vacation and Have Fun.. Write up :...
RubyGems: Possibility to guess email address from gravatar image URL
The vulnerability allowed an attacker to potentially guess a user's email address by exploiting the use of a simple MD5 hash in the Gravatar implementation on rubygems.org. This could be done by matching the hash in the Gravatar URL with the generated hash from the email address. The impact of th...
Flickr: Stored XSS in photos_user_map.gne
The Flickr map page was inadequately escaping the name of groups when browsing the map of a group's photos...
GitLab: Content injection in Jira issue title enabling sending arbitrary POST request as victim
Summary The issue described here leads to the same outcome as my previous report, https://hackerone.com/reports/1409788 . So look into that one for further details on the JavaScript gadgets. Also see my report https://hackerone.com/reports/1481207 for a detailed rundown of injections in GitLab...
Lark Technologies: Ability to View Non-Permitted Admin Log
An access control issue was found where a user without proper permissions would be able to view the admin log. We thank @imrannisar for reporting this to our team...
Omise: Cross-site scripting on dashboard2.omise.co
Summary: Cross-site scripting XSS is an attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Steps To...
GitLab: ReDoS in net/http affects webhooks: Sidekiq job stuck at 100% CPU for a year
Summary A Gitlab webhook may be pointed at a malicious webhook receiver. The webhook receiver can respond with a specially crafted long header. Gitlab processes the header with Ruby's net/http where there is a regular expression operation with quadratic complexity ReDoS. This causes the webhook...
TikTok: CSRF in Changing User Verification Email
A Cross-Site Request Forgery CSRF was found on a TikTok Ads endpoint, which could have resulted in a malicious user adding a new user verification email address. We thank @fm for reporting this to our team...
Kraden: Found Origin IP's Lead To Access To kraden.com
Summary: Discovered that the kraden.com site exposed its Non-Cloudflare IP, which could allow bypassing of anti-DDoS mechanisms. Description: Your origin servers are not blocking access from non-Cloudflare servers. This way crawlers can find your origin servers' IPs by checking random IPs until the...
Ruby on Rails: Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag
It seems to be a problem caused by a difference between the nokogiri java implementation and the ruby implementation. It seems to be an ambiguous case as to whether to do it with nokogiri or have rails-html-sanitizer defend it. jruby9.3.3.0 nokogiri java, use...
U.S. Dept Of Defense: CORS Misconfiguration
Vulnerable Url: www.█████████ Summary: Cross-origin resource sharing CORS is a browser mechanism that enables controlled access to resources located outside of a given domain. However, it also provides a potential for cross-domain-based attacks, if a website's CORS policy is poorly configured and...
MTN Group: Open redirection at https://smartreports.mtncameroon.net
Summary: Hello, I found open redirection on https://smartreports.mtncameroon.net Steps To Reproduce: 1. Go to https://smartreports.mtncameroon.net//example.com/..;/css 2. Redirection to example.com Impact Open redirection vulnerability can redirect users to malicious sites that harm users...
Algolia: Web Cache Deception vulnerability on algolia.com leads to personal information leakage
A web cache deception vulnerability was discovered on algolia.com, which could allow an attacker to trick a caching proxy into storing private information transmitted over the internet from an authenticated user. The attacker could then access the cached data, which may include personal and...
Aiven Ltd: Kafka Connect RCE via connector SASL JAAS JndiLoginModule configuration
Summary: When configuring the connector via the Aiven API or the Kafka Connect REST API, the attacker can set the database.history.producer.sasl.jaas.config connector property for the io.debezium.connector.mysql.MySqlConnector connector. This is likely true for other debezium connectors too. By...
Stripe: Bypass global deny-lists by wrapping domains using "[]" in https://github.com/stripe/smokescreen
The Smokescreen proxy is an open source project written and maintained by Stripe to restrict the URLs that internal services can connect to. The primary use case for Smokescreen is to prevent server-side request forgery SSRF attacks in which external attackers leverage the behavior of our...
TikTok: IDOR on TikTok Ads Endpoint
An Insecure Direct Object Reference IDOR vulnerability was found on a TikTok Ads endpoint, which could have resulted in an unauthorized user adding products into another user's catalogue. We thank @sinayeganeh for reporting this to our team...
Vanilla: CORS Misconfiguration on vanillaforums.com
Summary: A cross-origin resource sharing CORS policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of th...