TikTok: Open Redirect TO Stealing aadvid
An open redirect was found on TikTok Ads due to an improper validation of the "redirect" parameter. We thank @lu3ky-13 for reporting this to our team...
TikTok: Reflected XSS on TikTok Website
A cross-site scripting (XSS) vulnerability was found on TikTok.com via multiple parameters. We thank @homosec for reporting this to our team and confirming its resolution...
Kubernetes: Ingress-nginx annotation injection allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces
I submitted the following report to [email protected]: I've been exploring CVE-2021-25742 and believe I've discovered a variant although it appears there may be many. Most template variables are not escaped properly in nginx.tmpl, leading to injection of arbitrary nginx directives. For...
Evernote: 2 click Remote Code execution in Evernote Android
This vulnerability is similar to my previously reported vulnerability 1362313; here also the weakness is a path traversal vulnerability which helps me to achieve code execution, but the root cause is different. Some parts of this app are written in Java and some parts are written in React Native. In...
Rocket.Chat: Message ID Enumeration with Regular Expression in getReadReceipts Meteor method
Summary The getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitrary Message IDs. Description Authenticated users are able to query the getReadReceipts Meteor server method to enumerate existing...
TikTok: HTML Injection via TikTok Ads Email Share
An HTML injection was found on a TikTok Ads endpoint via the "SenderName" parameter. We thank @lu3ky-13 for reporting this to our team...
TikTok: Cross-site Scripting (XSS) - Stored on ads.tiktok.com in Text field
An XSS (cross-site scripting) vulnerability was found in TikTok Ads through the "text" field. We thank @lu3ky-13 for reporting this to our team...
Judge.me : Stored XSS in Email Templates via link
Summary: Stored cross-site scripting, also known as second-order or persistent XSS, arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. FYI: I installed judge.me in a Shopify e-commerce store. Steps To Reproduce: 1. Go to...
GitLab: "External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request
Summary Any user who is either author or assignee of a merge request can approve that merge request's external status checks. This includes users with Guest access that create MRs either through email or through a fork of the project. It also includes users with Guest or Reporter access getting...
Internet Bug Bounty: The Host Authorization middleware in Action Pack is vulnerable to crafted X-Forwarded-Host values
Title: The Host Authorization middleware in Action Pack is vulnerable to crafted X-Forwarded-Host values Scope: https://github.com/rails/rails Weakness: Open Redirect Severity: Medium Link: https://hackerone.com/reports/1189310 Date: 2021-05-09 06:29:19 +0000 By: @mshtawy CVE IDs: CVE-2021-22942,...
SHEIN: RCE via npm misconfig -- installing internal libraries from the public registry
The following node package has been installed on at least one shein owned build/development server directly from the public npm registry. https://www.npmjs.com/package/shineout-mobile This package should normally be downloaded from the internal shein registry, but a misconfiguration appears to ha...
Ruby: Arbitrary file injection via symlink attack in rdoc generator
Vulnerability description not provided...
HackerOne: HTML injection in email at https://www.hackerone.com/
HTML injection was possible in emails sent via the HackerOne platform by filling the first name and last name fields with HTML tags on the pentest community application form. This could allow an attacker to send malicious emails and inject HTML into them...
Lark Technologies: Able to steal private files by manipulating response using Compose Email function of Lark
An IDOR (Insecure Direct Object Reference) vulnerability was found within the "Compose Email" functions of Lark. This vulnerability could have allowed malicious users to fetch the files of other users if they knew the specific file ID, which was an alphanumeric value. We thank @imrannisar for reporti...
Basecamp: Able to steal bearer token from deep link
Prerequisites Prior to exploitation you would be required to know the "account id" of the user that you are attacking. Whilst this makes it difficult to attack an application in a generic way, the account id is not secret information, as it is included in any links to a user's Basecamp organisatio...
GitLab: IDOR in "external status check" API leaks data about any status check on the instance
Summary The API endpoint for returning approval from an external status check contains an IDOR that lets a user list information about all external status checks on the GitLab instance. The feature is an Ultimate feature, but can be accessed by starting an Ultimate trial on GitLab.com. So the...
Shopify: After changing the storefront password, the preview link is still valid
Description: 1. The user needs to know the storefront password to generate the preview link. 2. After the administrator changes the storefront password, users can still access the storefront through the preview link. 3. Reason: (1) User can generate preview link. (2) Simply changing the password wil...
U.S. Dept Of Defense: Cross-site Scripting (XSS) - Reflected at https://██████████/
Hello Team, I just found a reflected XSS bug on your web https://█████ Steps To reproduce: PoC URL: https://████/7/0/33/1d/www.citysearch.com/search?what=x&where=place%22%3E%3Csvg+onload=confirmdocument.domain%3E Impact Impact Data can be stolen, or JavaScript can be executed. This will allow th...
Acronis: CVE-2021-40438 on cp-eu2.acronis.com
Hi team Summary CVE-2021-40438 on cp-eu2.acronis.com Steps To Reproduce...
VK.com: Reflected XSS in m.vk.com/chatjoin
XSS in mobile messages...
Nutanix: OPEN REDIRECT
Open Redirect Vulnerability Hello, I found an open redirect in https://stage.test.dev-iam.xi.nutanix.com/api/iam/authn/v1/oidc/logout?postlogoutredirecturi=. Go to https://stage.test.dev-iam.xi.nutanix.com/api/iam/authn/v1/oidc/logout?postlogoutredirecturi=http://evil.com&idtokenhint=test curl -I...
X (Formerly Twitter): Blind XSS on Twitter's internal Jira panel at ████ allows exfiltration of hackers reports and other sensitive data
The researcher demonstrated a vulnerability in Twitter's Jira instance where user-supplied information was handled in an improper manner, rendering the application vulnerable to blind XSS. By crafting a bug report and sending it to Twitter it was possible to locate this proof-of-concept code with...
Concrete CMS: SSRF mitigation bypass using DNS Rebind attack
We noticed that the upload functionality contains the ability to upload files from remote server, however there are some mitigations against accessing the AWS Instance Metadata service. We've managed to bypass these mitigations using DNS rebinding and we've managed to fetch the AWS IAM keys when...
MariaDB: Path Traversal CVE-2021-26086 CVE-2021-26085
These vulnerabilities were found with https://trickest.com https://trickest.io CVE-2021-26085: ===================== https://jira.mariadb.org:/s/123cfx//;/WEB-INF/web.xml CVE-2021-26086: ===================== https://jira.mariadb.org/s/cfx//;/WEB-INF/web.xml Video explanation: -------------------...
Stripe: Local applications from user's computer can listen for webhooks via insecure gRPC server from stripe-cli
The stripe daemon command from the stripe-cli exposes a local gRPC server that does not require authentication and allows any local application to execute remote procedures. One of the procedures is Listen, which is the equivalent of the stripe listen command and receives all webhooks for the user's...
GitHub Security Lab: [Python]: CWE-117 Log Injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-502: Unsafe deserialization with three JSON frameworks
This bug was reported directly to GitHub Security Lab...
8x8: Hardcoded AWS credentials in ███████.msi
A hardcoded AWS access token was discovered within an MSI file available for download on the 8x8 site. The researcher was able to demonstrate access to 8x8 AWS infrastructure. The token was promptly restricted...
New Relic: Reflected Cross site Scripting (XSS) on https://one.newrelic.com
The attacker can execute JavaScript in the victim's account just after the authentication process. Steps To Reproduce: 1 Open the url:...
GitHub Security Lab: [Python] CWE-348: Client supplied ip used in security check
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-200: Query to detect exposure of sensitive information from android file intent
This bug was reported directly to GitHub Security Lab...
Flickr: critical server misconfiguration lead to access to any user sensitive data which include user email and password
Hi Flickr team, I found a critical issue leading to access to any user's sensitive data, which includes the user's hashed password, and it can possibly lead to takeover of any user account on Flickr's main site. Literally, I can get all user information from the database with no restrictions. Let me explain how this...
8x8: Information Disclosure of metrics fax.wavecell.com/metrics
The fax.wavecell.com/metrics endpoint was found to disclose sensitive information. The information disclosure vulnerability was discovered and reported on the HackerOne platform...
Traffic Factory: WordPress Plugin Update Confusion at trafficfactory.com
Hi, I'm currently researching a "novel" supply chain attack affecting WordPress plugins, and I believe your website might be vulnerable. The way it works is similar to a recent Dependency Confusion attack, where a malicious actor can take over internal packages unclaimed on PyPI / npm registry. I...
Concrete CMS: SSRF - pivoting in the private LAN
The "upload from remote servers" feature allows me to perform an SSRF attack on the private LAN servers. This feature checks the following: the HTTP response code needs to be 200 (easy, a non-issue for attackers really); it checks the file extension, which can be bypassed with something like...
8x8: Authentication Bypass & ApacheTomcat Misconfiguration in [██]
A single host in the pilot environment exposed the Apache Tomcat /admin and /manager endpoints. The issue has been rectified, as access to these endpoints has been restricted...
Shopify: Bypass a fix for report #708013
Summary: The customerAccessTokenCreate mutation in the Storefront API does not correctly throttle login attempts. An issue in the similar report https://hackerone.com/reports/708013 was already fixed; however, there is still a bypass. Steps To Reproduce: 1. Grab a Storefront API Token. I got it from the B...
Lark Technologies: Attacker is able to join any tenant on larksuite and view personal files/chats.
A privilege escalation issue was found in Open.larksuite.com, which could have potentially allowed attackers to join any tenant, and view files and communications that are shared by team members. We thank @imrannisar for reporting this to our team and confirming the resolution...
Tennessee Valley Authority: xss reflected - pqm.tva.com
An XSS vulnerability was discovered on pqm.tva.com. This vulnerability allowed an attacker to inject malicious code into the website, potentially leading to various attacks such as stealing user information or redirecting users to malicious websites...
Tennessee Valley Authority: xss reflected - pq.tva.com
An XSS vulnerability was discovered on pq.tva.com, allowing an attacker to inject malicious code into the website. This could potentially lead to various attacks, such as stealing user cookies or redirecting users to fake websites...
Fastify: 1-click DOS in fastify-static via directly passing user's input to new URL() of NodeJS without try/catch
Summary: When fastify-static is mounted at root and registered with the option redirect: true (the default of the redirect option is false), the following line directly feeds the user's input, which is req.raw.url, to the URL API without try/catch: https://github.com/fastify/fastify-static/blob/master/index.js#L439. A remo...
Informatica: CVE-2021-40870 in [███]
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal. The IP has an SSL certificate pointing to Informatica LLC. curl -kvI...
Mail.ru: OS command injection on seedr.ru
Site: https://seedr.ru The seedid parameter is vulnerable to OS command injection attacks. It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time...
Nextcloud: When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL
Summary: This report is similar to 1337178. In Nextcloud Deck a user can post their decks into a conversation via Nextcloud Talk. The link in metaData can be manipulated to point to another URL. Steps To Reproduce: 0. Set up Burp Suite to proxy 1. Go to Nextcloud Deck and pick a board 2. Pick any...
Showmax: Full Path Disclosure in Wordpress Rest API Response
The hacker submitted a full path disclosure vulnerability on our WordPress site stories.showmax.com. The vulnerability was caused by the Yoast SEO plugin, and they actually released a fix for the issue today, 2021-10-05. Considering the issue was with 3rd-party code, the fix for the issue was introduce...
Semrush: php info file and sql backup at vendor's subdomain
The researcher found an open /phpinfo.php and an SQL backup from an MVP app at a vendor's subdomain. There was no sensitive data...
Kubernetes: Attacker can bypass authentication build on ingress external auth (`nginx.ingress.kubernetes.io/auth-url`)
Report Submission Form Summary: Sending a request with ..%2F allows manipulating the headers X-Original-Url and X-Auth-Request-Redirect; due to that manipulation the external auth service could make a wrong decision and return 204 instead of 401/403. To be clear: manipulation of those headers gives no possibilit...
Mattermost: ABLE TO TRICK THE VICTIM INTO USING A CRAFTED EMAIL ADDRESS FOR A PARTICULAR SESSION AND THEN LATER TAKE BACK THE ACCOUNT
A vulnerability was found in a website that allowed an attacker to trick a victim into using a crafted email address for a particular session, leading to the attacker taking back the victim's account and accessing their private messages. The vulnerability was triggered by removing the email value...
Elastic: CVE-2021-40870 on [52.204.160.31]
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal. The IP has an SSL certificate pointing to ElasticSearch. curl -kv...
Nextcloud: Read-only users can restore old versions
Read-only users were able to restore old versions of files in Nextcloud...