15270 matches found
XVIDEOS: No rate limit of current password on delete account endpoint (https://www.xvideos.com/account/close)
Hi Team!!! This attack happens when the victim logs in on another device and forgets to log out. Then the attacker can delete their account by brute-forcing the current password, because the current password has no rate limit. After guessing the current password, the attacker can easily delete the victim's account. Steps To...
Insightly: Stored XSS via LINK Name.
The LINK NAME was not properly escaped at the Templates page, leading to Stored XSS. The name was reflected in the tag, and due to lack of sanitization, the user could break out of the tag and execute the XSS...
X (Formerly Twitter): Remote 0click exfiltration of Safari user's IP address
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: A malicious actor when embeddi...
Shopify: Orders full read for a staff with only `Customers` permissions.
Summary: A staff with only Customers permission can get full information about the shop's orders. I consider it an issue, because in Shopify's documentation it is explicitly said that you must have Orders (read_orders) permissions to be able to read the shop's orders: F1504156...
GitHub Security Lab: Yet another SSRF query for Go
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Yet another SSRF query for Javascript
This bug was reported directly to GitHub Security Lab...
Zivver: Timing difference exposes existence of accounts
This report concerns a timing-based enumeration of user accounts through the authentication endpoint. While the Zivver product offers intended ways to identify if another person is a Zivver user by their email address, this report was novel in that it allows this behavior pre-authentication...
Cloudflare Public Bug Bounty: Bypassing Cache Deception Armor using .avif extension file
Cloudflare Deception Armor could be bypassed by using .avif extension making Cache deception attack possible on vulnerable origin servers. Cloudflare Cache Deception Armor uses a Page rule to protect Cloudflare Cache against caching possibly sensitive information. This attack could be performed b...
8x8: Remote Code Execution on ██.8x8.com via .NET VSTATE Deserialization
@0daystolive reported to us a flaw in a 3rd party community platform, which could be exploited to achieve RCE. We swiftly relayed this to the vendor and their engineering team turned off the affected code, which resolved the issue. For more details about this vulnerability read:...
Internet Bug Bounty: Request line injection via HTTP/2 in Apache mod_proxy
I've written this issue up fully here: https://portswigger.net/research/http2request In case it's useful, here's the original report as sent to Apache: I'd like to report a vulnerability in Apache mod_proxy when used with HTTP/2 enabled. It fails to reject HTTP requests that contain spaces in the...
Rocket.Chat: Possible Domain Takeover on AWS Instance.
The vulnerable domain possibly available for takeover is: traefik-livedemo.rocket.chat CNAME: a0e7eaaaa82f611e9b1cc0e9ccd15f3e-557536140.us-west-2.elb.amazonaws.com. This domain contains a record pointing to an AWS instance. When querying for any IP under the instance, I got returned an...
Nextcloud: SQL injection via vulnerable doctrine/dbal version
Summary: SQL injection via limit parameter on user facing APIs Steps To Reproduce: Run security scanner: 1. REPORT /remote.php/dav/comments/files/1985 1. XML input oc:filter-comments.oc:limittext was set to 1'" 1. You have an error in your SQL syntax Supporting Material/References: For more detai...
U.S. Dept Of Defense: Reflected XSS
Description: Hi, I found an XSS at a new IP address; SSL points to ███hostname https://███████/WebPuff5.4/Login?signIn=Sign%20In&password=g00dPa%24%24w0rD&url=login.jsp%27%22%26%25%3Cacx%3E%3CScRiPt%20%3Ealert9868%3C/ScRiPt%3E&username=tMtFQiRt References https://owasp.org/www-community/attacks/xss/...
OneWeb: Subdomain Takeover - pmp.oneweb.net
Summary The issue happens due to using the EC2 public DNS name instead of using Elastic IPs as the CNAME or A record. If the EC2 instance is killed or terminated and the DNS is not updated, this will lead to a dangling DNS record for the subdomain. The EC2 IP will be released to the AWS IP pool. This mean...
GitHub Security Lab: C# : Add query to detect Server Side Request Forgery
This bug was reported directly to GitHub Security Lab...
Acronis: XSS in Acronis Cloud Manager Admin Portal
Hello, Hope you are doing well. I wanted to report the following security vulnerability: The Acronis Cloud Manager Admin Portal default swagger UI is vulnerable to cross site scripting. I have the API running locally on my machine. I have attached screenshots of the XSS The URL is:...
Kubernetes: elections.k8s.io uses weak session secret key, may place elections at risk
The elections.k8s.io application used a weak Flask SECRET_KEY, the string "N/A", to sign authentication cookies. This allowed the complete compromise of the application, as the session could be manipulated...
Lark Technologies: Able to steal private files by manipulating response using Auto Reply function of Lark
An IDOR (Insecure Direct Object Reference) vulnerability was found within the "AutoReply" functions of Lark. This vulnerability could have allowed malicious users to fetch the files of other users if they knew the specific file ID, which was an alphanumeric value. We thank @imrannisar for reporting...
Adobe: Disclosure of GitHub access token in config file via nginx off-by-slash
Summary: ██████████ is vulnerable to Nginx off-by-slash vulnerability that exposes Git configuration. Steps To Reproduce: 1. Visit https://█████████████ to download git config containing username and token. 2. Use it to pull entire source code via git clone ████████ Leaked: core...
New Relic: Reflected XSS in VPN Appliance
@mr-hakhak discovered an XSS vulnerability in a VPN appliance. While this appliance is not normally accessed via the browser, the web interface was disabled to prevent future issues...
HackerOne: Attachment references in markdown don't warn before downloading
Summary: By default, if any link in a report is clicked, there will be a popup to the user that you're visiting a third-party website, please proceed at your own risk, etc. However, when a user views the report, all links are non-clickable and the file URI is appended. I have found out that I can bypass this...
Uber: Exposed Golang Pprof debugger at https://cn-geo1.uber.com/
The Golang pprof debug interface was exposed on an Uber endpoint. This allowed introspection of stack traces, application timing, command line parameters and memory usage...
PortSwigger Web Security: Information disclosure on error message
Hi team, first of all, thank you for creating a wonderful place for learning web app pentesting. While accessing a lab at the academy, my internet connection suddenly went down. I don't know whether the problem is in the lab or in the academy, but the error message reveals some Node code. I attached a screensh...
Kubernetes: Ingress-nginx path allows retrieval of ingress-nginx serviceaccount token
Report Submission Form Summary: A user with the permissions to create an ingress resource can obtain the ingress-nginx service account token, which can list secrets in all namespaces cluster-wide. Kubernetes Version: 1.20, should work on 1.21 as well Component Version: nginx ingress controller v1.0...
Mail.ru: Delivery Club Courier app (v. 3.9.25.0); Disclosure of client's phone number.
Hello. I found a bug in the courier app that makes it possible to obtain the client's real phone number. Usually, when a courier needs to call a client to clarify some question, the courier presses "Call client", and after that the call is made not to the client's number but through Delive...
Acronis: %0A (New line) and limitless URL lead to DoS on the whole system [Main address (https://www.acronis.com/)]
Hello team, hopefully you are happy now. I found a DoS vulnerability at https://www.acronis.com/ Note: the site is still down; this is not intentional behavior and I didn't use any automated tool. At first I saw this code on the site: something and tried XSS, but the site filtered " and '. So I tried with...
Rocket.Chat: Content-Security Policy bypass with File Uploads
The default Content-Security-Policy (CSP) in Rocket.Chat versions 4.0.3 and 3.18.2 was bypassed by uploading a JavaScript file through the file upload feature. This file could then be included in the web application, allowing the execution of arbitrary scripts...
Urban Company: Critical full compromise of jarvis-new.urbanclap.com via weak session signing
Summary Hi there, I discovered that jarvis-new.urbanclap.com uses a weak Flask session key. Because Flask sessions are signed with a static secret, if this secret is known to an attacker then they can modify the session state. In this case, we can modify the Redash userid for the session and log ...
PlayStation: bd-j exploit chain
Hey PlayStation! Below are 5 vulnerabilities chained together that allow an attacker to gain JIT capabilities and execute arbitrary payloads. The provided payload triggers a buffer overflow that causes a kernel panic. Please consider each of the vulnerabilities individually. AFAIK, this is the...
Panther Labs: Broken subdomain takeover of runpanther which was pointing towards herokuapp
An outdated link on our public blog pointed to a decommissioned Slack sign-up app hosted on Heroku for our also-decommissioned open source Slack community. The reporter was able to re-register the decommissioned subdomain with his own Heroku account...
QIWI: account takeover through password reset in url https://reklama.tochka.com/
Steps to reproduce 1- Create an account 2- Visit this URL https://reklama.tochka.com/mainpage1/recover/ 3- Enter your email and intercept the response to the request that recovers your password; you will notice that it looks like this HTTP/1.1 200 OK Server: nginx Date: Sun, 24 Oct 2021 21:32:20 G...
Monero: RPC call crashes node
Summary: Passing a large list of amounts to the get_output_distribution call crashes a remote node, after maybe 90 seconds of keeping it busy. Releases Affected: Probably all Steps To Reproduce: `values=$(echo $(seq 0 500 900000)|sed -e 's/ /,/g')` ; `curl http://127.0.0.1:38081/json_rpc -d`...
Omise: The endpoint '/test/webhooks' is vulnerable to DNS Rebinding
Summary: DNS rebinding attack is a method of switching the resolution of domain names as wished by the attacker. The aim is to lure the web app to a different IP address/host. In this attack, and particularly in our case, a malicious server will first perform a domain name resolution to the IP...
Rocket.Chat: Impersonation in Sequential Messages
The vulnerability allowed an attacker to impersonate another user in sequential messages. The vulnerability existed in Rocket.Chat versions 3.18.2 and 4.0.3. It was caused by the ability to hide the leading message in a sequence using the customClass or className message attributes, making the...
Rocket.Chat: Retrospective change of message timestamp and order
Vulnerability description not provided...
Rocket.Chat: Messages can be hidden regardless of server configuration
Vulnerability description not provided...
Rocket.Chat: XSS in various MessageTypes
The Rocket.Chat vulnerability allowed arbitrary script execution in the receiving frontend client through the rendering of messages of various MessageTypes. The vulnerability affected versions 3.18.2 and 4.0.3. The issue was caused by the lack of sanitization of message parameters rendered from...
Mail.ru: reflected xss in e.mail.ru
Login and go to https://e.mail.ru/addressbook/letter/S?afterReload=1&MailboxStatusAutoCall=alert(1) Impact Stealing users' information...
Informatica: Reflected Cross-Site Scripting/HTML Injection
The default ASP page at https://███/redirect/default.asp is vulnerable to reflected Cross-Site Scripting in the "url" parameter. To reproduce the issue just visit the following URL and an alert should pop up: - https://██████████/redirect/?url=%3Cscript%3Ealert(document.domain)%3C/script%3E It seem...
IBM: Remote Code Execution at https://169.38.86.185/ (edst.ibm.com)
A discovered GitLab server was running an old version affected by RCE. This vulnerability could have allowed unauthenticated attackers to compromise the server via a public exploit in ExifTool. The issue was reported to IBM and remediated...
MTN Group: SSRF Keycloak before 13.0.0 - CVE-2020-10770 on https://sponsoredata.mtn.ci
A flaw was found in Keycloak before 13.0.0, where it was possible to force the server to call out to an unverified URL using the OIDC parameter request_uri. This flaw allowed an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack...
GitHub Security Lab: [Java] CWE-552: Unsafe url forward
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [cpp] CWE-787: query to detect unsigned integer to signed integer conversions used in pointer arithmetic
This bug was reported directly to GitHub Security Lab...
Slack: [Android] Directory traversal leading to disclosure of auth tokens
Files uploaded to and opened in Slack with specially-crafted names could cause the Android operating system to overwrite configuration files on customer devices, potentially exposing Slack data to attacker-controlled websites. In order to take advantage of this vulnerability, attackers needed to ...