GitHub Security Lab: Java: An experimental query for ignored hostname verification
This bug was reported directly to GitHub Security Lab...
GitLab: Stored XSS in Notes (with CSP bypass for gitlab.com)
Summary: I read issue 345657, which handles the XSS in notes reported in HackerOne report 1398305. This issue fixes the reported XSS but leaves the HTML injection that was also mentioned. I don't know how you deal with these situations, but I thought I'd report this and you can decide: The issu...
Reddit: CSRF (protection bypassed) to force a below 18 user into viewing an nsfw subreddit !
Summary of the Issue: A state-changing POST request to https://old.reddit.com/over18? lacked a proper modhash validator, leaving the sensitive action vulnerable to CSRF attacks. An attacker can trick users into executing the action, enabling/disabling "I am over eighteen years old" and willing to vie...
8x8 Bounty: jaas.8x8.vc: Removed users can still have READ/WRITE access to the workspace via different API endpoints
An improper access control vulnerability was discovered in jaas.8x8.vc, where removed users could still have READ/WRITE access to the workspace via different API endpoints, if they were logged in and saved their session cookies. The issue was resolved by fixing the session management...
Omise: Open redirect Via X-Forwarded-Host
The vulnerability found was an open redirect on the dashboard.omise.co website. The issue was reported on February 8, 2022; it was discovered that the open redirect could be abused by an attacker through the use of the X-Forwarded-Host header...
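The snippet above only names the header. As an added example (my own illustration, not Omise's code; the hostnames and the `ALLOWED_HOSTS` allowlist are constructed), here is the naive proxy-aware pattern that produces this class of bug next to a hardened version: the origin of a redirect must come from configuration or a validated host, never from a header the client can send, and `X-Forwarded-Host` only deserves any trust when a proxy you control is known to set it.

```python
from urllib.parse import urlsplit

# Constructed configuration (not Omise's): hostnames this app may answer as.
ALLOWED_HOSTS = {"dashboard.example", "www.dashboard.example"}


def redirect_target_vulnerable(headers, next_path="/"):
    """Naive proxy-aware code: rebuilds the absolute URL from X-Forwarded-Host.
    That header is client-supplied unless the edge strips or overwrites it,
    so a request carrying X-Forwarded-Host: evil.example redirects there."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}{next_path}"


def effective_host(headers, behind_trusted_proxy=False):
    """Resolve the request host: X-Forwarded-Host counts only when a trusted
    proxy is known to set it, and the result must be on the allowlist
    (the same discipline as Django's ALLOWED_HOSTS)."""
    forwarded = headers.get("X-Forwarded-Host") if behind_trusted_proxy else None
    candidate = forwarded or headers.get("Host", "")
    # first hop of a comma-separated chain, lower-cased, port dropped
    candidate = candidate.split(",")[0].strip().lower().split(":")[0]
    if candidate not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted host header: {candidate!r}")
    return candidate


def redirect_target_fixed(headers, next_path="/", behind_trusted_proxy=False):
    """Hardened: the origin comes from the validated host, and next_path must
    be a plain relative path. Protocol-relative '//evil' and '/\\evil' are
    rejected because browsers treat them as absolute URLs."""
    host = effective_host(headers, behind_trusted_proxy)
    if not next_path.startswith("/") or next_path.startswith(("//", "/\\")):
        next_path = "/"
    if urlsplit(next_path).netloc:  # belt and braces: a netloc means it was not relative
        next_path = "/"
    return f"https://{host}{next_path}"


if __name__ == "__main__":
    crafted = {"Host": "dashboard.example", "X-Forwarded-Host": "evil.example"}
    print(redirect_target_vulnerable(crafted, "/"))   # https://evil.example/
    print(redirect_target_fixed(crafted, "/"))        # https://dashboard.example/
```

If the app really sits behind a proxy that rewrites `Host`, configure that proxy to overwrite (not append to) `X-Forwarded-Host` and still validate the value against the allowlist on the application side.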
TikTok: Instance Page DOS within Organization on TikTok Ads
A vulnerability was found on the Instance Page service of TikTok Ads, which would allow an Operator to perform a Denial of Service (DoS) on the Front End of only their own organization. We thank @arsenelupin for reporting this to our team...
Cloudflare Public Bug Bounty: HTTP Request Smuggling in Transform Rules using hexadecimal escape sequences in the concat() function
The Edge Rules engine used by Cloudflare Transform Rules features string modifying functions like lower and concat, which accepted hexadecimal-encoded characters such as "\x0a\x0d". This allowed for manipulation of request headers, e.g. injecting an additional header, and, as a consequence, made HT...
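Added example (my own simulation, not Cloudflare's engine or code): a string function that honours `\xNN` escapes turns a rule argument into a value containing CR LF, and once that value is serialised into a request the next hop reads the tail as a separate header. `render_concat`, `INJECTED_ARG` and the header names are constructed for the demonstration; the fix is the usual one, refuse CR, LF and NUL in any header value before serialisation.

```python
def render_concat(*parts):
    """Simulated concat() that interprets \\xNN escapes in its arguments
    (the unsafe behaviour described in the report, not Cloudflare's code)."""
    return "".join(p.encode("latin-1").decode("unicode_escape") for p in parts)


def build_request(method, path, headers):
    """Serialise a request; header values are written verbatim."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(raw):
    """What the next hop sees: one header per CRLF-delimited line."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def safe_header_value(value):
    """Hardened: reject control characters before a value reaches the
    serialiser (field values may not contain bare CR, LF or NUL)."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("control character in header value")
    return value


# Constructed rule argument as an attacker would supply it: the literal text
# backslash-x-0-d backslash-x-0-a followed by a header line of their choosing.
INJECTED_ARG = "tag1\\x0d\\x0aX-Injected: 1"


def demo_injection():
    """Render the header through the unsafe concat and return what the next hop parses."""
    value = render_concat("prefix-", INJECTED_ARG)
    raw = build_request("GET", "/", {"Host": "example.com", "X-Tag": value})
    return parse_headers(raw)


if __name__ == "__main__":
    print(demo_injection())  # X-Injected shows up as its own header
```

Injecting an extra header is the building block; with control of `Content-Length` or `Transfer-Encoding` on the rewritten request the same primitive becomes request smuggling, which is why the report is titled that way.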
Showmax: Cross-origin resource sharing
A misconfiguration on a recent deployment caused CORS headers not to be set on the https://stories.showmax.com service. While no customer data could be exposed via this channel, it's good practice to set CORS headers if possible. Please note that CORS is actually out of scope of our program since...
Elastic: CSRF in AppSearch allows creation of "curations"
Summary: Hello team! Creating curations for AppSearch engines can happen on a GET request, which means there's no CSRF protection. Steps to reproduce: 1. In one tab visit this page on my Elastic Cloud instance:...
Nextcloud: Information Exposure Through Directory Listing vulnerability
A directory listing provides an attacker with the complete index of all the resources located inside the directory, as well as the ability to download or access its contents. While the researcher did not dig deeper into the available files, it is possible that these websites host sensitive information...
TikTok: IDOR delete any Tickets on ads.tiktok.com
An IDOR (Insecure Direct Object Reference) vulnerability was found on TikTok ads, through the "draftorderid" parameter, which could have allowed an attacker to delete the support tickets of other users. We thank @datph4m for reporting this to our team and confirming its resolution...
Zenly: Subdomain Takeover of brand.zen.ly
Hello Gents, Background: + Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub Pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to...
8x8 Bounty: connect.8x8.com: admin user can send invites on behalf of another admin user via POST /api/v1/users/<User ID>/invites
Vulnerability description not provided...
Omise: Open S3 Bucket Accessible by any User
Hi team, here I found an open S3 bucket accessible by any user. Vulnerable URL: https://cdn2.omise.co/ Bucket name: omise-cdn-2 I haven't tried this yet as it may delete the bucket. It is possible an attacker can delete the bucket using this command: $ aws s3 rb s3:// and claim the bucket again to...
8x8 Bounty: connect.8x8.com: deactivated users remain access to /api/v1/users/UUID/roles
Vulnerability description not provided...
U.S. General Services Administration: IDOR at https://demo.sftool.gov/TwsHome/ScorecardManage/ via scorecard name
Hi Team, I have found a broken access control vulnerability on https://demo.sftool.gov/ under your /tws directory. I made two accounts. With one account I browsed to /tws and created a new scorecard. Here I can submit all the information I need. The scorecard name is at the end of the URL...
Shopify: Xss triggered in Your-store.myshopify.com/admin/apps/shopify-email/editor/****
Hi team, I have found a stored XSS in shopify-email. Reproduction Instructions: 1. Configure shopify-email for Shopify stores at https://apps.shopify.com/shopify-email 2. Go to Your-store.myshopify.com/admin/apps/shopify-email/template-branding 3. Change F1607675 with " and click Save. 4. Now select any...
Alohi: Misconfigured rate limit at app.sign.plus/forgot_password
shamim12 found a weakness in our rate-limiting mechanism, allowing an attacker to bypass rate limits and spam the endpoint for requesting a password reset email. There was no effect on other API endpoints and no direct security implication, except email spamming attacks. The issue has been fixed...
GitHub Security Lab: [Python]: Add shutil module sinks for path injection query
This bug was reported directly to GitHub Security Lab...
Lark Technologies: Normal User is able to EXPORT Feature Usage Statistics
A vulnerability was found where certain Lark endpoints did not properly validate user permissions, allowing a low-privileged user to generate and download usage statistics information. We thank @aishkendle for reporting this to our team...
curl: Binary output bypass
Binary output check bypass. Summary: When curl outputs content, it checks for binary output. If the output is large enough, it bypasses the check for binary output. This can mess with the terminal. Steps To Reproduce: 1. Set up a server of your choice. 2. Create a function f with these arguments:...
Dropbox: Exfiltrate GDrive access token using CSRF
The report demonstrates a method of redirecting Google Drive OAuth tokens from Dropbox. A fix for the issue has been released and it was applied for existing users through an automatic update. An attacker could exploit this vulnerability by getting a user to visit a specially-crafted link that se...
8x8: Open Redirect on https://██.8x8.com/login?nextPage=%2F
@ig420vrush reported to us an Open Redirect after login on a third-party referral platform. We swiftly relayed this to the vendor and their engineering team fixed the affected code, which resolved the issue...
Cloudflare Public Bug Bounty: Blind SSRF on platform.dash.cloudflare.com Due to Sentry misconfiguration
Cloudflare uses Sentry for application monitoring and error tracking. Due to a misconfiguration (the tool's source code scraping feature being enabled), it was possible to send blind requests to any endpoint using the Cloudflare infrastructure. The issue has been fixed by the Engineering team and the sour...
Omise: Brute force attack of current password on login page by bypassing account limit using IP rotator(https://dashboard.omise.co/signin)
brute force...
Kubernetes: Broken link hijacking in https://kubernetes-csi.github.io/docs/drivers.html?highlight=chubaofs#production-drivers
Report Submission Form Summary: When a web application has pages, sources or links to external third-party services that are broken, an attacker can claim those endpoints to successfully conduct an attack, claiming them on behalf of the target website and impersonating its identity...
Shopify: User with no Develop apps permission can Uninstall Custom App
Hi, you know a user must have the Develop apps permission to uninstall developed apps. To test this, just create a staff member with Manage and install apps and channels F1601504, send this mutation and just change appId to your id...
Kubernetes: monitoring.prow-canary.k8s.io is vulnerable to CVE-2022-21703 (Grafana 0-day)
The monitoring.prow-canary.k8s.io site was found to be running a vulnerable version of Grafana affected by CVE-2022-21703. This vulnerability could have been exploited by an attacker to escalate their privileges on the Grafana instance through a cross-origin request forgery attack. The issue was...
Omise: Brute force of a current password on a disable 2fa leads to guess password and disable 2fa.
Summary: This attack happens when the victim logs in on another device and forgets to log out. Then the attacker can enable 2-factor authentication by brute-forcing the victim's password at the endpoints. Steps To Reproduce: 1. Login at https://dashboard.omise.co/signin 2. Click on your username 3. Navigate to Two-factor...
Internet Bug Bounty: Ruby CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
Release note: https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/ Old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be...
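Added example (my own illustration in Python, not Ruby's CGI::Cookie code) of why decoding cookie names breaks the `__Host-`/`__Secure-` prefix guarantee. A browser will not let a subdomain, or a page served over plain HTTP, set a cookie literally named `__Host-session`, but it will happily set one named `%5F%5FHost-session` because that name carries no prefix. A parser that URL-decodes names then reports the attacker's cookie as `__Host-session`. The `ATTACKER_COOKIE_HEADER` value and the cookie names are constructed.

```python
from urllib.parse import unquote

SECURE_PREFIXES = ("__Host-", "__Secure-")


def parse_cookies_decoding_names(header):
    """Behaviour the advisory describes (illustration, not CGI::Cookie's code):
    the cookie NAME is URL-decoded as well as the value."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if not sep:
            continue
        cookies[unquote(name)] = unquote(value)
    return cookies


def parse_cookies_fixed(header):
    """Hardened parser: the name is kept verbatim and only the value is
    decoded, so a prefix is present only if the browser actually sent it."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if not sep:
            continue
        cookies[name] = unquote(value)
    return cookies


def prefixed_cookie(cookies, name):
    """Read a cookie the application relies on being prefix-protected."""
    if not name.startswith(SECURE_PREFIXES):
        raise ValueError("expected a __Host- or __Secure- cookie name")
    return cookies.get(name)


# Constructed Cookie header as sent by a browser after a subdomain set
# "%5F%5FHost-session" (no prefix, so no browser restrictions apply).
ATTACKER_COOKIE_HEADER = "%5F%5FHost-session=attacker-choice; theme=dark"


if __name__ == "__main__":
    print(prefixed_cookie(parse_cookies_decoding_names(ATTACKER_COOKIE_HEADER), "__Host-session"))  # attacker-choice
    print(prefixed_cookie(parse_cookies_fixed(ATTACKER_COOKIE_HEADER), "__Host-session"))           # None
```

The general rule is that any normalisation applied to a cookie name (decoding, case folding, whitespace trimming) must happen before the prefix check is meaningful, which in practice means: do not normalise names at all.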
Semrush: IDOR allowing to read another user's token on the Social Media Ads service
The hotfix was released as soon as possible. The investigation showed that there were no cases of vulnerability exploitation. Social Media Ads is a tool for dedicated paid social specialists working with ads. The tool needs to interact with the user's social network account. To do this, Semrush collects a token...
Equifax-vdp: RXSS on https://equifax.gr8people.com on Password Reset page in the username parameter
Hello, while testing your program I came across a website that is owned by Informatica and is vulnerable to RXSS on the Password Reset page in the username parameter. POC:...
Lark Technologies: [AWC-Pune] - User can download files deleted by Admin using shortcuts
A vulnerability was found where a Lark user could bypass Admin restrictions on deleted files, which would typically block users of the file from downloading or using it. However, the user could add a shortcut to the file in a folder and, upon downloading that folder, access the file...
curl: Occasional use-after-free in multi_done() libcurl-7.81.0
We are seeing the use of a struct connectdata on a thread after it was returned to the connection cache, and thus made available for use on other threads including potential deallocation, in multi_done() in libcurl-7.81.0. This could occasionally result in an actual use-after-free, witnessed on Windows 10...
UPchieve: No character limit in password field
Hey, when I try to set the password while creating an account on "UPchieve" I noticed that you haven't set any password limit. You need to decrease the password length: There are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource...
Rocket.Chat: Maliciously crafted message can cause Rocket.Chat server to stop responding
Vulnerability description not provided...
Reddit: Broken links make users from France unable to understand the allowed content policy
Vulnerability description not provided...
Slack: Email html Injection
This bug is an email HTML injection present in the workspace name while creating a workspace. Impact: The input is unsanitized and vulnerable, which led to HTML injection that may lead to phishing. When 2FA is applied it sends mail with the injected HTML...
FetLife: Race condition in endpoint POST fetlife.com/users/invitation, allow attacker to generate unlimited invites
This report describes the same bug as 1455487. I am rewriting this bug here to make the report clearer. I will self-close 1455487 right now. Description: The "Invite Your Friend to Join FetLife" feature is vulnerable to a race condition. By sending many requests at the same time to the endpoint POST...
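Added example (mine, not FetLife's code) of the check-then-act race behind this class of report and of the fix. The invite limit, the `InviteService` class and the use of a `threading.Barrier` are constructed: the barrier deterministically models several concurrent requests that have all passed the "under the limit" check before any of them records an invite, which is exactly what firing many requests at once achieves against a real endpoint.

```python
import threading

INVITE_LIMIT = 3  # constructed limit; the report does not state the real one


class InviteService:
    """Per-user invite counter. In the real app this lives in a database row."""

    def __init__(self):
        self.issued = 0
        self._lock = threading.Lock()

    def create_invite_racy(self, barrier):
        # Vulnerable pattern: read the count, decide, then write, with the
        # decision outside any lock or transaction. The barrier holds every
        # request between the check and the write.
        if self.issued >= INVITE_LIMIT:
            return False
        barrier.wait()
        with self._lock:  # the increment is atomic; the check was not
            self.issued += 1
        return True

    def create_invite_fixed(self, barrier):
        # Hardened: check and increment form one critical section. In SQL the
        # equivalent is an atomic conditional update such as
        # UPDATE users SET invites = invites + 1 WHERE id = ? AND invites < ?
        # and treating "0 rows affected" as a refusal.
        barrier.wait()  # all requests arrive together, then serialise
        with self._lock:
            if self.issued >= INVITE_LIMIT:
                return False
            self.issued += 1
            return True


def run_concurrent(service, use_fixed, n_requests):
    """Fire n_requests at once; return (stored counter, invites reported as created)."""
    method = service.create_invite_fixed if use_fixed else service.create_invite_racy
    barrier = threading.Barrier(n_requests)
    results = []

    def worker():
        results.append(method(barrier))

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return service.issued, sum(results)


if __name__ == "__main__":
    print("racy :", run_concurrent(InviteService(), False, 5))  # (5, 5): limit exceeded
    print("fixed:", run_concurrent(InviteService(), True, 5))   # (3, 3)
```

When reproducing against a live target, the same effect is obtained by sending the requests in one burst (for example Burp's single-packet attack or a last-byte sync), so that all of them are processed between one check and the next write.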
Acronis: [CVE-2021-44228] Arbitrary Code Execution on ng01-cloud.acronis.com
Vulnerability description not provided...
Shopify: Same the Url
Summary: I found the /graphql path and /performancereport with the POST method. When I create a page with the name /graphql I am not allowed, on the grounds that it is reserved, but I can create a page with the name performancereport, although both use the same method; only /graphql cannot be created. Shops...
Aiven Ltd: 0-day Cross Origin Request Forgery vulnerability in Grafana 8.x .
Disclaimer: To triage, please note that this is still a 0-day that has already been reported to Grafana. In order to make sure the client is safe I am reporting this issue now; please make sure not to spread it further or leak it, as the best interest is to let you be aware and safer from any potential attack...
Rocket.Chat: NoSQL-Injection discloses S3 File Upload URLs
Summary: A NoSQL-injection vulnerability in the getS3FileUrl Meteor server method can disclose arbitrary file upload URLs to users that should not be able to access them. Description: The fileId argument of the getS3FileUrl Meteor server method is not validated and can contain a regular expression. The...
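Added example (mine, written in Python against an in-memory collection; not Rocket.Chat's code). Meteor method arguments arrive as EJSON, so a client can send an object where the server expects a string; if that object is dropped into a MongoDB selector, operators such as `$regex` are evaluated by the database. `mongo_match` implements just enough of MongoDB's selector semantics to show the effect, the `UPLOADS` documents are constructed, and the fix is the server-side type check (in Meteor, `check(fileId, String)` from the `check` package) that stops anything but a plain string reaching the query.

```python
import re

# Constructed sample collection, not Rocket.Chat data.
UPLOADS = [
    {"_id": "a1b2c3", "name": "salary.xlsx", "url": "https://s3.example/bucket/a1b2c3"},
    {"_id": "d4e5f6", "name": "logo.png", "url": "https://s3.example/bucket/d4e5f6"},
    {"_id": "x7y8z9", "name": "board-minutes.pdf", "url": "https://s3.example/bucket/x7y8z9"},
]


def mongo_match(field_value, selector):
    """Tiny subset of MongoDB selector semantics: a plain value is an equality
    test; a dict may carry $regex, $ne or $in."""
    if not isinstance(selector, dict):
        return field_value == selector
    for op, arg in selector.items():
        if op == "$regex":
            if field_value is None or re.search(arg, field_value) is None:
                return False
        elif op == "$ne":
            if field_value == arg:
                return False
        elif op == "$in":
            if field_value not in arg:
                return False
        else:
            raise ValueError(f"unsupported operator {op}")
    return True


def find(selector):
    """Return every document matching all fields of the selector."""
    return [doc for doc in UPLOADS
            if all(mongo_match(doc.get(k), v) for k, v in selector.items())]


def get_s3_file_urls_vulnerable(file_id):
    """Unvalidated form: file_id goes straight into the selector, so an object
    such as {"$regex": "."} matches every upload instead of one."""
    return [doc["url"] for doc in find({"_id": file_id})]


def get_s3_file_urls_fixed(file_id):
    """Hardened: insist on a string before building the query. Any authorization
    check on the single matched document would then also be meaningful."""
    if not isinstance(file_id, str):
        raise TypeError("fileId must be a string")
    return [doc["url"] for doc in find({"_id": file_id})]


if __name__ == "__main__":
    print(get_s3_file_urls_vulnerable("a1b2c3"))          # one URL
    print(get_s3_file_urls_vulnerable({"$regex": "."}))   # all three URLs
```

The same injection also works as an oracle: `{"$regex": "^a"}` answers whether any file id starts with `a`, which lets an attacker enumerate ids character by character even where the URL itself is not returned.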
U.S. Dept Of Defense: Subdomain takeover of █████████
I have found a subdomain of ███████ to be vulnerable to takeover via a CNAME to an unclaimed domain. I have claimed this domain and redirected it to a blank page to prevent a bad actor from doing so in the meantime, and hosted a POC file at obscure URLs. These are the following domains I discover...
JetBlue: Open Redirect
Vulnerability description not provided...
U.S. Dept Of Defense: Reflected XSS at https://█████ via "██████████" parameter
There is a Reflected Cross-Site Scripting issue at the following URL: https://█████ Proof Of Concept: https://████████?█████=%22onfocus%3d%22alert(document.domain)%22autofocus%3d%22&█████████████████████=Search ████ Best Regards @pelegn Impact: Cookies Exfiltration, SOAP Bypass, CORS Bypass, Executing...
U.S. Dept Of Defense: Reflected XSS at https://██████████/████████ via "███████" parameter
There is a Reflected Cross-Site Scripting issue at the following URL: https://████████/█████ Proof Of Concept: https://████/███?███=%22onfocus%3d%22alert(document.domain)%22autofocus%3d%22&submit=Search ███ Best Regards @pelegn Impact: Cookies Exfiltration, SOAP Bypass, CORS Bypass, Executing javascript o...
Shopify: Limited Privilege User Can Create Unauthorized Referrals on partners.shopify.com
A privilege escalation vulnerability was discovered in Shopify's Partner Portal that allowed users without "View referrals" permission to create POS leads by directly accessing the lead creation URL. The backend API lacked proper authorization checks, enabling users to bypass the implemented...
U.S. Dept Of Defense: Reflected XSS at https://██████/██████ via "██████" parameter
There is a Reflected Cross-Site Scripting issue at the following URL: https://██████████/██████ Proof Of Concept: https://████████/█████████████████=%22%3E%3Csvg/onload=alert(1)%3E█████████ █████ Best Regards @pelegn Impact: Cookies Exfiltration, SOAP Bypass, CORS Bypass, Executing javascript on the victi...
U.S. Dept Of Defense: Reflected XSS at https://██████/██████████ via "████████" parameter
There is a Reflected Cross-Site Scripting issue at the following URL: https://█████/████ Proof Of Concept: https://████████/███████?text=&███=%22%3E%3Csvg/onload=alert(1)%3E████ ███████ Best Regards @pelegn Impact: Cookies Exfiltration, SOAP Bypass, CORS Bypass, Executing javascript on the victim's behalf...