UPchieve: CORS origin validation failure
Hi team, I hope you are doing well on the other side. Summary: I found that https://hackers.upchieve.org/ is using cross-origin resource sharing in an insecure way. The web application fails to properly validate the Origin header and returns the header Access-Control-Allow-Credentials: true. This...
Judge.me : Email templates XSS by filterXSS bypass
Summary: js-xss is used to prevent XSS on email template previews, but the custom onIgnoreTag function can be used to bypass this filter. This leads to a Self-XSS scenario that can be used to achieve Account Takeover in 1-click. js onIgnoreTag: function e, t return "!--if" === e || "!endif--" ===...
Internet Bug Bounty: Ruby - Regular Expression Denial of Service Vulnerability of Date Parsing Methods
Official report: https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/ CVE-2021-41817 Here are the details from the official article: Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular...
Judge.me : Stored XSS in "product type" field executed via product filters
Hi @judgeme! I found a stored XSS! I installed judge.me in a Shopify e-commerce store. Steps to reproduce: 1. Log in to our Shopify dev store and install the "judgeme" app. 2. Create a random product in our Shopify store, make it active, and insert the XSS payload " in the "PRODUCT TYPE" field and SAVE F1518888 3. Then go t...
Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.50
Hello Apache team, @fms and myself were able to bypass the latest patch for CVE 2021-41773 in the Apache 2.4.50. These are the payloads: 1 %%32%65%%32%65 2 .%%32%65 3 .%%32e 4 .%2%65 PoC Path Traversal GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1...
TikTok: Multiple vulnerabilities leading to account takeover in TikTok SMB subdomain.
Multiple vulnerabilities like Insecure Direct Object Reference IDOR, Cross-Site Request Forgery CSRF, XSS were found that could have resulted in account takeover on the TikTok SMB subdomain. First, an Insecure Direct Object Reference IDOR was found, where a missing authorization check could allow...
Nextcloud: Possibility to force an admin to install recommended applications
Summary: Endpoint /nextcloud/index.php/core/apps/recommended is accessible via the GET HTTP method and doesn't check the anti-CSRF token. If an admin visits this endpoint in a browser, the installation of recommended applications begins immediately. Steps To Reproduce: 1. An attacker creates a...
Mail.ru: blog/wp-json/wp/v2/users file is enabled; it can be used for a brute-force attack on the admin panel at blog/wp-login.php
Hello team, the file v2/users at https://happynumbers.com/blog/wp-json/wp/v2/users/ is enabled and this gives the attacker many usernames like admin, adam, Alexa, Alina, Danny, David, Fedor, Olga to use at https://happynumbers.com/blog/wp-login.php in a BRUTE FORCE attack because there is no protection again...
GitHub Security Lab: [Python]: JWT security-related queries
This bug was reported directly to GitHub Security Lab...
Acronis: IDOR vulnerability (Price manipulation)
Target: acronis.cz Steps to Reproduce 1. Go to acronis.cz 2. Buy any product; in this case I am going to buy this https://www.acronis.cz/produkt/acronis-cyber-protect-home-office/ for testing 3. Fill in the details 4. Go to Burp Suite and turn on intercept 5. Click on buy now 6. Check the request in intercept and change pri...
Nextcloud: Control character filtering misses leading and trailing whitespace in file and folder names
Summary: It is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names, so this might be an opportunity for injection. In lib/private/Files/Storage/Common.php, t...
QIWI: broken authentication (password reset link does not expire after use in https://network.tochka.com/sign-up)
Target: https://network.tochka.com/ Bug: Broken Authentication, Password Reset Link Not Expired After Use Severity: medium ("Insufficient Security Configurability, Weak Reset Password Implementation, Token Not Invalidated After Use") Steps To Find This Bug: 1. Go to https://network.tochka.com/sign-u...
GitLab: RCE via WikiCloth markdown rendering if the `rubyluabridge` gem is installed
Summary One of the supported wiki formats is mediawiki, which is rendered by WikiCloth via GitLab Markup: https://gitlab.com/gitlab-org/gitlab-markup/-/blob/v1.7.1/lib/github/markups.rb#L24-28 ruby markup:wikicloth, /mediawiki|wiki/ do |content| wikicloth = WikiCloth::WikiCloth.new:data = content...
Rocket.Chat: Persistent CSS injection with 'marked' markdown parser in Rocket.Chat
Summary: Rocket.Chat offers two different markdown parsers out of the box: the 'original' one and the 'marked' one. Both markdown parsers offer a different set of features with different restrictions. Due to looser restrictions in the 'marked' parser, a persistent CSS injection in the web...
Engel & Völkers Technology GmbH: Reflected XSS in https://world.engelvoelkers.com/...
Summary: When trying to access https://world.engelvoelkers.com/login, I am redirected to https://login.engelvoelkers.com with a long URL. When analyzing this URL I found base64-encoded XML parameters; after decoding the URL I found the following URL:...
GitHub Security Lab: [Python]: CWE-079: HTTP Header injection
This bug was reported directly to GitHub Security Lab...
UPchieve: Clickjacking at https://hackers.upchieve.org/login
I found clickjacking on the login page at https://hackers.upchieve.org that can be exploited if the UI overlay can be performed correctly by the attacker. Clickjack test page: Website is vulnerable to clickjacking! Click me when you finish: Impact It's the login page, so if the UI overlay can be performed...
8x8: 8x8pilot.com: Reflected XSS in Apache Tomcat /jsp-examples example directory
A single host in the pilot environment exposed the Apache Tomcat /jsp-examples example directory. The issue has been rectified, as we removed the directory from the host...
Shopify: [https://shipit-sox-staging.shopifycloud.com] Presence of multiple vulnerabilities present in Ruby On Rails
https://shipit-sox-staging.shopifycloud.com seems to be running 6.0.0 rails 6.0.3.2, which is prone to multiple vulnerabilities via CSRF including open redirect, XSS & RCE, as reported at https://hackerone.com/reports/904059 Impact: The presence of multiple vulnerabilities can cause a wide variety of dama...
Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier...
Mail.ru: stand.pw.mail.ru XSS
http://stand.pw.mail.ru:9100/news.php?archive=news&type=last"alert1&page=1 payload is:"alert1 Impact: Can steal cookies, can run JavaScript code, and get sensitive information...
Glovo: chaining bugs to get full disclosure of users' addresses
Summary: I was able to disclose any address that was used by the customers. The only barrier I came across was that I needed to enter my Visa card. On seeing that, I managed to bypass it. Just after bypassing that, my order was accepted and the price was set to free. So I don't actually know if there is ...
Kubernetes: Google storage bucket takeover which is used to load JS file in dashboard.html in "github.com/kubernetes/release" which can lead to XSS
Report Submission Form Summary: Kubernetes has a GitHub repository github.com/kubernetes/release. In the repository there is code for a dashboard. The dashboard has an HTML file dashboard.html which uses a JS file from a Google storage bucket. The bucket was not registered on Google Cloud. So I...
Azbuka Vkusa: Cisco Smart Install misconfiguration
Closed...
Kubernetes: Broken Github Link Used in deployment docs of "github.com/kubernetes/kompose"
Report Submission Form Summary: Kubernetes has a GitHub project github.com/kubernetes/kompose. In the project there is a doc which has installation steps. In the steps, the doc refers to another GitHub account's repository to clone and install. But the GitHub account was not registered on...
Kubernetes: Broken Link Takeover from kubernetes.io docs
Report Submission Form Summary: Kubernetes docs have a Spanish translation available. One of the pages of the Portuguese doc has an external reference to a GitHub repository. The GitHub account was not registered on github.com. So I was able to take over the page and host the PoC. Kubernetes Version: NA...
Adobe: Able to bypass the fix on DOM XSS at [www.adobe.com]
Thank you @saajanbhujel for your contributions and we look forward to collaborating with you again in the future!...
GitLab: Stored XSS on issue comments and other pages which contain notes
Summary This report contains two XSS sanitization bypasses: The SyntaxHighlightFilter creates HTML from unsanitized data. This can be used to bypass the XSS filter on the server side. ruby def highlightnodenode ... sourcepos = node.parent.attr'data-sourcepos' ... sourceposattr = sourcepos ?...
Judge.me : Stored XSS in Public Profile Reviews
A stored XSS vulnerability was found in the public profile review section of a platform. Attackers could add a product description with a data URI XSS payload in HTML format, which would execute when a user clicked on the HTML tag. This could lead to the execution of arbitrary code in the victim'...
Evernote: [34.96.80.155] Server Logs Disclosure lead to Information Leakage
Summary: In this case the server log is available to anyone at /server-status. Steps To Reproduce: 1. Go to https://34.96.80.155/server-status/ and follow the attack scenarios. Attack Scenarios: Serg.io 1. A user goes to the server and enters sensitive info that can be logged, for example: http://host/login?privatekey=...
GitHub Security Lab: [GO]: [CWE-090: LDAP Injection All For One]
This bug was reported directly to GitHub Security Lab...
Judge.me : Self-XSS due to image URL can be exploited via XSSJacking techniques in review email
A self-XSS vulnerability was discovered in Judge.me due to the image URL of recommendations in the reviewer profile that could be exploited via XSSJacking techniques in the review email. An attacker could insert a payload in the image URL of recommendations and then use XSSJacking techniques to...
Cosmos: Unclaimed official s3 bucket of tendermint(tendermint-packages) which is used by many other blockchain companies in their code
An unclaimed official S3 bucket of Tendermint, which was also used by many other blockchain companies and developers, was discovered. An attacker could have hosted malicious files on the bucket, causing harm to the companies or developers using it for package installation. The vulnerability has...
Concrete CMS: open redirect to a remote website which can phish users
By adding some extra headers to the request, I noticed that the user is redirected to a remote website. This can lead to stealing a user's credentials via phishing on a remote server. These headers can be added either using a MITM attack or by chaining with another vulnerability such as request smugglin...
MTN Group: Sensitive Information Disclosure Through Config File
Summary: An attacker could gain access to sensitive information about usernames, encrypted passwords, internal IP addresses and configuration data of internal services. Steps To Reproduce: - Go to https://zik.mtncameroon.net/common/queryconfig.action Remediation Configure the application to not...
MTN Group: Default Admin Username and Password on remedysso.mtncameroon.net
Summary: A Remedy Single Sign-On (Remedy SSO) server is running at https://remedysso.mtncameroon.net/rsso/admin//. It is possible to access the application using the default Administrator credentials. Steps To Reproduce: Go to https://remedysso.mtncameroon.net/rsso/admin// and log in with...
Intel Corporation: [BrakTooth] Bluetooth vulnerability allows attacker to disconnect or deny reconnection to BT devices connected to a target. Attack #2
This bug was reported directly to Intel Corporation...
Intel Corporation: [BrakTooth] Bluetooth vulnerability allows attacker to disconnect or deny reconnection to BT devices connected to a target. Attack #1
This bug was reported directly to Intel Corporation...
U.S. Dept Of Defense: Unauthenticated Access to Admin Panel Functions at https://███████/███
Description: The admin panel at https://██████████/████████ and all its functions can be accessed without authentication. This is basically the same vulnerability as in 1394910, just on another system. Impact An attacker is able to use the administrative functions in order to upload, delete or...
Judge.me : The response shows the nginx version
Summary: On visiting https://cache.judge.me/, it shows the nginx version. Steps To Reproduce: ==send:== GET / HTTP/1.1 Host: cache.judge.me Cookie: ga=GA1.2.907415772.1636450777; gid=GA1.2.1767694824.1636450777; fbp=fb.1.1636450778172.127612364; hjid=00598a42-40f4-48cb-84ec-20b9bd4273cd;...
Evernote: Email Verification Bypass by bruteforcing when setting up 2FA
Summary: Hello team, I hope you are fine and doing well. When a user sets up 2 Factor Authentication in his account and verifies his email, I was able to brute-force the email verification process. The confirmationCode is used for authentication of the user's email and it can be brute forced. The co...
Shopify: Unauthorised access to admin endpoint on plus-website-staging5.shopifycloud.com
Summary: https://plus-website-staging5.shopifycloud.com/admin/ allows accessing/modifying and deleting partners' data. While the environment seems to be staging, partners'/clients' contact details look pretty real. Sorry: During the testing, I've created a Test111 partner account, trying to escalate the...
Internet Bug Bounty: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...
U.S. Dept Of Defense: Unauthenticated Access to Admin Panel Functions at https://██████████/████████
Description: I discovered that the admin panel at https://████/█████ and all its functions can be accessed without authentication. Impact An attacker is able to use the administrative functions in order to upload, delete or modify files. System Hosts ████████ Affected Products and Versions ██████...
TikTok: Reflected XSS on the path m.tiktok.com
A cross site scripting vulnerability was found in Ambassador Manage endpoint. We thank @semsem123 for reporting this to our team...
Rocket.Chat: Unintended information disclosure in the Hubot Log files
Dear Rocket.Chat Team, While inspecting our logs I noticed that the OAuth tokens are leaked in plaintext in the logs. I wanted to draw your attention to this, as this is a security vulnerability. See the attached screenshot for a redacted log excerpt. In my opinion, the best approach here would b...
Omise: XSS via X-Forwarded-Host header
Summary: The https://www.omise.co/ website is vulnerable to a cross-site scripting flaw if the server receives a crafted X-Forwarded-Host header. Description: The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an...
8x8: xss(r) vcc-na11.8x8.com
The "oem" parameter in the vcc-na11.8x8.com endpoint was vulnerable to Reflected Cross Site Scripting XSS attacks. This allowed attackers to execute malicious code and potentially steal non-secure cookies...
TikTok: IDOR: the ability to view support tickets of any user on seller platform
Due to an Insecure Direct Object Reference IDOR vulnerability, an attacker could have potentially viewed support tickets on seller platform. We thank @lewaperbb for reporting this to our team...
HackerOne: HackerOne Staging uses Production data for testing
Summary: Today I received an email related to smart rewards from HackerOne. This included staging environment details, such as: sender: [email protected] Privacy / Terms links pointing to domain: https://www.enorekcah.com/... This basically tells us that HackerOne is using hacker dat...