U.S. Dept Of Defense: Reflected XSS at https://█████████ via "███" parameter
Description: There is Reflected Cross site scripting issue at the following url: https://█████████ Proof Of Concept https://███████?████████=%22%3E%3Cimg%20src=x%20onerror=alertdocument.domain%3E █████ Best Regards @pelegn Impact Cookies Exfiltration SOAP Bypass CORS Bypass Executing javascript o...
Basecamp: RCE via exposed JMX server on jabber.37signals.com/jabber.basecamp.com
@ian reported that jabber.37signals.com and jabber.basecamp.com exposed on port 555 an unauthenticated Java JMX server which was vulnerable to RCE. We've looked into this and found that we forgot to clean up some DNS records when we decommissioned Jabber, so the exposed IP addresses were not part of...
EXNESS: Improper Implementation of SDK Allows Universal XSS in Webview Leading to Account Takeover
Affected App: Social Trading com.exness.investments App Version: - 2.45.8-release latest on PlayStore Summary: The SurveyMonkey SDK, used to collect surveys from users for analytic and informative purposes, was implemented in an insecure manner in . Particularly, the SMFeedbackActivity was...
GitHub Security Lab: ihsinme: CPP Add a query to find incorrectly used exceptions.
This bug was reported directly to GitHub Security Lab...
Internet Bug Bounty: Invalid handling of X509_verify_cert() internal errors in libssl (CVE-2021-4044)
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error, for example out of memory. Such a negative return value is mishandled by OpenSSL and will cause an IO...
U.S. Dept Of Defense: Arbitrary File Deletion (CVE-2020-3187) on ████████
Hello team, I hope you're doing well, healthy & wealthy. I found an Arbitrary File Deletion CVE-2020-3187 vulnerability on https://██████████/+CSCOE+/sessionpassword.html that allows the Arbitrary File Deletion. References - https://twitter.com/aboul3la/status/1286809567989575685 -...
U.S. Dept Of Defense: CVE-2020-3452 on https://█████/
Hello team, I hope you're doing well, healthy & wealthy. I found a CVE-2020-3452 path traversal and here is the explanation. A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an...
Internet Bug Bounty: Buffer Overflow in optimized_escape_html method
This report is a copy of bug report https://hackerone.com/reports/1328463. I was asked to submit this bug here, because Ruby bug bounty program is moved to this new Internet Bug Bounty program. Operating System ================ Windows 10 This should reproduce in any other operating system where...
8x8: ████ api key exposed in github.com/███/███
@adnanmalikinfo identified a committed API key of a 3rd party SaaS platform for social marketing. We swiftly escalated to the repository owner, who restricted access...
GitHub Security Lab: [Java] CWE-552: Query to detect unsafe request dispatcher usage
This bug was reported directly to GitHub Security Lab...
Weblate: hosted.weblate.org display of unfiltered results
Able to request all changes of everything, not just sandbox, when inserting this %'s in the author username on this page: https://hosted.weblate.org/changes/?project=sandbox&lang=en&user=%25%27s&startdate=&enddate= Impact No filter on the request feels like elevated permissions. Lets you do the search even...
VK.com: Reflected Xss On https://vk.com/search
XSS in Search...
ownCloud: Theft of protected files on Android
There is an issue that allows to retrieve any files from protected directory of application - /data/data/com.owncloud.android/. The issue is caused by exported activity com.owncloud.android.ui.activity.ReceiveExternalFilesActivity with intent filter android.intent.action.SENDMULTIPLE that accepts...
Mars: Unauthenticated Sensitive Information Disclosure on █████████ CVE-2021-38314
The Gutenberg Template Library & Redux Framework plugin version 4.2.11 and below was found to have an unauthenticated sensitive information disclosure vulnerability CVE-2021-38314. The issue was identified where the plugin registered several AJAX actions that were accessible to unauthenticated...
TikTok: Reflected xss on ads.tiktok.com using `from` parameter.
A XSS cross-site scripting vulnerability was found on a TikTok ads endpoint using the "from" parameter. We thank @imrannisar for reporting this to our team and confirming its resolution...
JetBlue: Dom-Based XSS on parameter ?vsid=
Researcher found a DOM XSS vulnerability in one of the JetBlue applications using the vsid parameter. The researcher used the below payload to trigger XSS: ';alert1;//...
MTN Group: POST BASED REFLECTED XSS IN dailydeals.mtn.co.za
Summary: Dear Team, I have found a POST-based reflected XSS in https://dailydeals.mtn.co.za/. Steps To Reproduce: 1. Create an HTML file with the following content. "document.forms0.submit 2. Open the HTML file in any web browser. 3. Cross-site scripting will be triggered. Impact Attacker can exploit...
Nextcloud: com.nextcloud.client bypass of the protection lock in Android app v3.18.1 (latest version).
Summary: Nextcloud allowed multiple accounts within the Android client app under a single lock. Steps To Reproduce: 1. Open the Nextcloud app. 2. Add a security password to protect the app. 3. Close the app, open it again, and it now shows the password prompt to open the app. 1. So now the password protection bypass lets...
Nextcloud: Nextcloud Deck : Possibility for anyone to add a stack with existing tasks on anyone's board
Hi everyone, Hope you are well ! I found an IDOR vulnerability, allowing any user without privilege to add lists with tasks in any user board. This was tested on a Nextcloud Hub II server v23 with the Deck application in version 1.6.0. Steps To Reproduce: Beforehand: - Have an A user with a board...
Krisp: Visibility Robots.txt file
Issue detail:- The web server contains a robots.txt file. Issue background:- The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site that robots are allowed, or not allowed, to crawl and index. The presence of the...
Recorded Future: Dom Xss vulnerability
Summary: Dom Xss vulnerability Steps To Reproduce: add details for how we can reproduce the issue 1. Go to this link: https://api.recordedfuture.com/index.html 2. Open chrome devtool and go to console tab 3. Type: document.write'...alert1...'; 4. And boom! Alert 1! Impact XSS can have huge...
MTN Group: Remove Every User, Admin, And Owner Out Of Their Teams on developers.mtn.com via IDOR + Information Disclosure
Hello world, This vulnerability is too involved with regular users, in order for us to prevent any damage, we need 3 different user accounts we own. This gives us specific "userid" and "teamid" to work with. There's an Information Disclosure as a side effect of this vulnerability. User and team...
Rocket.Chat: TOTP 2 Factor Authentication Bypass
Summary Two-factor authentication can be bypassed when telling the server to use CAS during login. Description The 2FA Login Handler skips validation when it finds CAS enabled. When the client sends the option along with the login request, the login proceeds without validation of a second factor. In...
GitHub Security Lab: [Javascript]: [Clipboard-based XSS]
This bug was reported directly to GitHub Security Lab...
JetBlue: Sensitive information disclosure on grafana
Sensitive information was disclosed through publicly accessible Grafana metrics, SAP public info endpoints, and an AWS bucket listing...
MTN Group: Firebase Database Takeover in https://pulseradio.mtn.co.ug/
Summary: During my test, in one of the subdomains of mtn.co.ug I found the Firebase configuration disclosed in the source code along with the apiKey and database URL. Exploiting this vulnerability, an attacker is able to upload malicious data to the Firebase account of pulseradio.mtn.co.ug and see database...
Rocket.Chat: Authentication Bypass in login-token Authentication Method
The Rocket.Chat application contained a vulnerability in the login-token authentication method that allowed for authentication bypass. Improper input data validation in the login-token authentication handler permitted the use of crafted data to obtain a valid authToken, granting administrative...
Rocket.Chat: getRoomRoles Method leaks Channel Owner
Summary Lack of ACL checks in the getRoomRoles Meteor method leaks channel members with special roles to unauthorized clients. Description Lack of ACL checks in the getRoomRoles Meteor method allows unauthorized clients to query channel members with special roles: javascript Meteor.methods...
Rocket.Chat: API route chat.getThreadsList leaks private message content
Summary The /api/v1/chat.getThreadsList route does not sanitize user inputs and can therefore leak private thread messages to unauthorized users via MongoDB injection. Description The chat.getThreadsList API route is defined in app/api/server/v1/chat.jsL522-L572: javascript const rid, type, text =...
U.S. Dept Of Defense: CVE-2021-42567 - Apereo CAS Reflected XSS on https://█████████
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints. CAS is vulnerable to a Reflected Cross-Site Scripting attack, via POST requests sent to the REST API endpoints. The payload could be injected on URLs: /███████/. Malicious scripts can be submitted to CAS via...
EXNESS: Verification process done using different documents without corresponding to user information / User information can be changed after verification
A business logic flaw in the Exness trading platform allowed a verified user to change their profile information (Name, DoB, and Address) after identity verification. Additionally, a user could verify their account with official documents that did not correspond to their provided information. This...
Krisp: Add more seats by paying less via PUT /v2/seats request manipulation
Summary: I could not fully test this vulnerability because the test plan must be completed for the payment process, that is, 30 days. But the price value in api also changes and if payment is made according to this value, wrong billing will occur. The annual pro option for Team plan billing is $6...
Rocket.Chat: Mute User can disclose private channel members to unauthorized users
Vulnerability description not provided...
Shopify: XSS at jamfpro.shopifycloud.com
An XSS vulnerability was discovered in the instance of Jamf Pro running on https://jamfpro.shopifycloud.com due to the old Swagger-UI being exposed at /classicapi/doc/. An attacker could have crafted a URL to introduce an XSS payload and execute arbitrary JS code in the context of the application...
Omise: Host Header Injection leads to Open Redirect and Content Spoofing or Text Injection.
Summary: 1. Open Redirection The https://dashboard.omise.co/test/dashboard website is vulnerable to an Open Redirection flaw if the server receives a crafted X-Forwarded-Host header. Description: Open Redirect is a vulnerability in which the attacker manipulates a web page to redirect the users t...
curl: Remote memory disclosure vulnerability in libcurl on 64 Bit Windows
Remote memory disclosure vulnerability in libcurl on 64 Bit Windows Summary: libcurl latest contains a vulnerability that enables attackers to remotely read memory beyond the bounds of a buffer in the style of the infamous "heartbleed" vulnerability. Luckily, however, this is only possible when...
Ruby: URI parser's RFC3986 regular expression has poor performance when there are two # characters, leading to ReDoS
A vulnerability was found in the URI parser's RFC3986 regular expression. It has poor performance when parsing URLs with two # characters, leading to denial of service through resource exhaustion...
Ruby on Rails: XSS vulnerabilities due to missing checks in tag helpers
XSS vulnerabilities were discovered in certain tag helpers in Rails, specifically in the FormTagHelper and TagHelper modules. These vulnerabilities allowed attackers to execute arbitrary JavaScript code by manipulating user-controlled input in tag attributes and tag names. The impact of these...
Krisp: Error Page Content Spoofing or Text Injection
Summary: Error Page Content Spoofing or Text Injection in two URLs. Target: https://download.prelive.krisp.ai/ Target: https://upld.prelive.krisp.ai/ Description: Content spoofing, also referred to as content injection, "arbitrary text injection" or virtual defacement, is an attack targeting a user...
U.S. General Services Administration: Registered users contact information disclosure on salesforce lightning endpoint https://disposal.gsa.gov
Hi, Sample of the Information Disclosure is below. More records are attached -███ "LastName":"████","FullNamec":"█████████","Id":"██████████","MailingStreet":null,"Activec":false,"Emailc":null,"LastModifiedBy":"Id":"00530000009KyDqAAK","Name":"SNA...
Mattermost: HTML injection via invite members can lead to account takeover
An HTML injection vulnerability was found on the website that allowed an attacker to inject HTML code into an email invitation sent to a victim. This could lead to the victim being redirected to a malicious site or tricked into giving away login credentials...
Mattermost: Bypass Email Verification in Customer Portal
Hi team, hope you are doing well: I found an OTP bypass vulnerability on https://portal.test.cloud.mattermost.com. Summary: I was able to use the OTP that was sent to the victim's email and used it in the attacker's email verification. When I tried this issue the first time the server logged me out, and the second time...
GitHub Security Lab: Java: Regex injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-089: MyBatis Mapper XML SQL Injection
This bug was reported directly to GitHub Security Lab...
Rockstar Games: Improper Authentication inside the Rockstar Games Launcher which leads to Account takeover to some extent
An improper authentication vulnerability was discovered in the Rockstar Games Launcher. This vulnerability allowed attackers who had already gained access to a victim's Steam or Epic Games account to also gain access to the victim's Social Club account. By exploiting the "Switch Account" feature...
Adobe: Log4j Java RCE in [beta.dev.adobeconnect.com]
Hello Security Team, Summary Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser. As per Apache's Log4j security guide: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker...
GitLab: Container escape on public GitLab CI runners
Summary It is possible to circumvent the isolation in place for build jobs running on public CI runners by escaping the Docker container running the build job. This is possible via abuse of the cgroup release_agent functionality, made possible by CI jobs being allowed to mount filesystems inside t...
Mattermost: Self XSS in Create New Workspace Screen
Hi team, I have found a vulnerability on your website. Steps to reproduce: 1. Firstly I want to say sorry for this; please read carefully. When I was testing on your website, I was redirected to: https://customers.mattermost.com/cloud/connect-workspace 2. Then navigate to create new workspace 3. On...
Shopify: Stored XSS at https://linkpop.com
Summary: There is a Stored XSS vulnerability at https://linkpop.com/dashboard/admin that can later be delivered through a unique linkpop link. This is due to lack of sanitization and relying on client-side protections when inserting URLs into our applications. This is the client-side protection error:...
PlayStation: Use-after-free in setsockopt IPV6_2292PKTOPTIONS (CVE-2020-7457)
The PS5 is vulnerable to https://hackerone.com/reports/826026 which easily grants kernel access to an attacker. This vulnerability had been reported by me for the PS4 2 years ago when the PS5 did not yet exist, thus this should be considered as a new report and not a duplicate. I was able to use...