XVIDEOS: Script breaking tag (Forces website to render blank) (Informative)
Summary: This is a bug affecting core HTML and JS elements on the site via Search. Steps To Reproduce: 1. Open https://www.xvideos.com 2. Click to search, enter payload= "" without quotes 3. Hit enter or search, watch the page break and not load any content; content is loaded in console, renders pag...
VK.com: Execution of API methods when opening a community/application
Insufficient validation...
UPchieve: Outdated Copyright Message @ Welcome email
POC : Description : An outdated copyright is present in the "Welcome to UPchieve!" email, which shows the year "2020" Impacted Security Property : Integrity ASVS Categories : Architecture, Design and Threat Modeling POC email and video : Gmail - Welcome to UPchieve!.pdf and recording-1632912432386.webm...
UPchieve: Password reset token leakage
Reset Password link : http://hackers.upchieve.org/setpassword?token=a3c448b1eb9b982f93ec39a7181ec1a2 1. Open the password reset page from the email. 2. Intercept the request (I have used Burp Suite). 3. You can see the link for the password reset in the requests below POST...
UPchieve: Password Reuse
Issue Description: A user is able to reuse any of their old passwords during the change password process. URL & Location: https://hackers.upchieve.org/resetpassword POC video : recording-1632907447530.webm @thug645 Impact Misconfiguration...
UPchieve: Missing Validation in editing "Your Phone Number"
The verification method is missing when changing "Your Phone Number". There is no OTP or code sent to the new number for validation. POC video : recording-1632905982558.webm @thug645 Impact Misconfiguration...
Mail.ru: SSRF + RCE via FastCGI in POST /api/nr/video
Domain, site, application -- app.nativeroll.tv Steps to reproduce -- 1. As usual, you need an access token from a publisher account; you can register one here https://seedr.ru/register-user/publisher 2. Log in as a publisher https://seedr.ru/login/publisher 3. Intercept some requests, obtain the token. 4...
Nextcloud: Error in Deleting Deck cards attachment reveals the full path of the website
Summary: An error in Deck cards when deleting an attachment reveals the full path of the website. DELETE /apps/deck/cards/11/attachment/file:1 HTTP/2 Host: ctulhu.me/nc Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99" Accept: application/json, text/plain, */* Sec-Ch-Ua-Mobile: ?0 User-Agent:...
Fastify: Open redirect in fastify-static via mishandled user's input when attempt to redirect
Summary: When fastify-static is mounted at root with the register option redirect: true, the following 2 lines cause an open redirect bug: https://github.com/fastify/fastify-static/blob/master/index.js#L156-L157. A remote attacker can redirect users to arbitrary web sites via a double forward slash:...
Pornhub: Reflected XSS on www.pornhub.com and www.pornhubpremium.com
The researcher was able to execute malicious JavaScript code by exploiting a reflected cross-site scripting vulnerability in a core component...
8x8 Bounty: Dangling DNS Record docs.jitsi.net (unsuccessful GSuite takeover)
A dangling DNS record was found for the subdomain docs.jitsi.net, which was abandoned and belonged to GSuite. An attacker could have claimed the subdomain and taken it over, causing potential damage to the website and company. It was recommended to remove the Cname and DNS connecting to it...
Elastic: Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows
Summary Hello team, I hope you're doing well! I was combing through your GitHub repository to look at the fixes for recent security releases and found the fix for CVE-2021-22151 to be incomplete. The current fix makes assumptions that are true on Linux but that don't hold on Windows. Details The...
Mail.ru: [samokat.ru] PHP modules path disclosure due to lack of error handling
Hi security team @mailru, we found an information disclosure in a PHP project in a subdomain of samokat.ru. On one side of the server, samokat.ru generates a full stack error trace instead of an HTTP 500 error. The complete error stack trace reveals the full path of the PHP configuration module directory on the...
OneWeb: text injection and content spoofing
SUMMARY: There is a text injection and content injection vulnerability in your website. An attacker can use a text injection vulnerability to present a customized message on the application that can phish users into believing that the . steps: 1: https://█████████.oneweb.net 2: ADD payload...
GitLab: Drive-by arbitrary file deletion in the GDK via letter_opener_web gem
Summary When running GitLab in development, an extra gem is used to view emails that have been sent: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.3.0-ee/config/routes/development.rb#L14 ruby mount LetterOpenerWeb::Engine, at: '/rails/letteropener' One of the routes it adds is to delete a letter:...
OneWeb: Vulnerable Jira Instance
Multiple information exposure vulnerabilities were identified in a Jira Server instance: unauthenticated access to APIs and system browser functions. @lesleybw found multiple CVEs and exposures on a Jira instance owned by OneWeb 1...
Internet Bug Bounty: CVE-2021-3711: SM2 decrypt buffer overflow
CVE-2021-3711 In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt. Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the...
MTN Group: Exposed gitlab repo at https://adammanco.mtn.com/api/v4/projects
Summary: Hello, I found an exposed GitLab repo at https://adammanco.mtn.com/api/v4/projects Steps To Reproduce: Visit https://adammanco.mtn.com/api/v4/projects Supporting Material/References: "id":5,"description":"","name":"test","name_with_namespace":"Jodrico Jansen Van Vuuren /...
MTN Group: CVE-2021-38314 @ https://www.mtn.co.rw
Summary: Hello. I found your domain https://www.mtn.co.rw was vulnerable to CVE-2021-38314 Description: The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in...
MTN Group: CVE-2021-38314 @ https://www.mtn.ci
Summary: Hello. I found your domain https://www.mtn.ci was vulnerable to CVE-2021-38314 Description: The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in...
MTN Group: firebase credentials leaks @ https://mpulse.mtnonline.com
Summary: Hello. I found Firebase credentials leaked at https://mpulse.mtnonline.com Steps To Reproduce: Visit https://mpulse.mtnonline.com, right click, view source code Supporting Material/References: // Initialize Firebase var config = { apiKey: "████", authDomain: "████████", databaseURL:...
MTN Group: firebase credentials leaks @ https://mtnhottseat.mtn.com.gh
Hello. I found Firebase credentials leaked at https://mtnhottseat.mtn.com.gh. Steps To Reproduce: Visit https://mtnhottseat.mtn.com.gh. Right click, view source code. Supporting Material/References: // Your web app's Firebase configuration // For Firebase JS SDK v7.20.0 and later, measurementId is...
TikTok: Reflected XSS in TikTok endpoints
A cross-site scripting vulnerability was found in a few TikTok endpoints using the region parameter. We thank @sh1yo for reporting this to our team...
Kubernetes: Tokenless GUI Authentication
Report Submission Form Summary: A person has the ability to bypass the login screen using the 401 error code produced from a failed token login. The user is given the privileges of a system:anonymous user. Kubernetes Version: kubectl, kubeadm, kubelet 1.22.2 Ubuntu 20.04.3 - 64bit Component...
Mail.ru: XSS Stored on https://seedr.ru
Site: https://seedr.ru/ OS version: Windows 10 browser: Google chrome Stored cross-site scripting arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. I changed my nickname to a code that demonstrates the...
PlayStation: Remote kernel heap overflow
Summary The PlayStation has a kernel PPPoE driver, that originates from NetBSD. This driver has a kernel heap overflow vulnerability, that an attacker can remotely trigger over the LAN, with the ability to control both the contents that are overflown and their sizes. Technical Details PPPoE...
Concrete CMS: A bypass of adding remote files in concrete5 Filemanager leads to remote code execution
Hi, I'm currently testing the latest concretecms on my own pc and found some security problems in the file manager. Concretecms allows a user to upload remote files via the file manager. With some techniques to bypass the restriction of this function, an evil user will be able to download an arbitrary php file int...
Reddit: Email Verification Bypass And Get access to user's private invitation.
Part 2 of my previous report : https://hackerone.com/reports/1225499 I am sending this report again because you closed my previous report. I posted the new impact of this vulnerability in my previous report but I didn't get any reply. So I reported it again. First Vulnerability : Email verification...
Shopify: Staff can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all
I am reporting this because it looks like an authorization bug in GraphQL. A Staff member with no permissions on a Shopify Store may be able to create Webhooks with the webhookSubscriptionCreate mutation on the BULK_OPERATIONS_FINISH webhook topic. POST...
GitHub Security Lab: [Python] CWE-522: Insecure LDAP Authentication
This bug was reported directly to GitHub Security Lab...
Mail.ru: Subdomain Takeover
Hi team, Actually team this bug is similar to my previous bug which I submitted-██████ Issue details:- Subdomain takeover vulnerabilities occur when a subdomain subdomain.example.com is pointing to a service e.g. GitHub pages, Heroku, etc. that has been removed or deleted. This allows an attacker...
Mail.ru: RCE in .api/nr/report/{id}/download
Domain, site, application -- app.nativeroll.tv Steps to reproduce -- You need an advertiser account; you can register one here https://seedr.ru/register-user/advertiser 1. Log in as an advertiser https://seedr.ru/login/advertiser 2. Click around a bit and intercept requests; you need the accesstoken...
Brave Software: Information disclosure
Vulnerability tested on:- Brave 1.29.81 Chromium: 93.0.4577.82 Official Build 64-bit Vulnerability description:- For security measures and for privacy purposes, Brave has the ability to open a normal tab of the Brave when we navigate to: chrome://wallet, chrome://history etc. due to the reason th...
U.S. General Services Administration: Web Cache Poisoning leading to DoS
Summary: acquisition-uat.gsa.gov is vulnerable to web cache poisoning that can lead to Denial of Service DoS in the application. Steps To Reproduce: 1. Visit https://acquisition-uat.gsa.gov/?letme=4449 to make sure the service is available. Note: letme=4449 is used as cache buster as we do not wa...
GitHub Security Lab: New experimental query: Clipboard-based XSS
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: ihsinme: Add query for CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
This bug was reported directly to GitHub Security Lab...
Shopify: Domain Takeover at 3hopify.media
Hi, I believe that 3hopify.media belongs to your company Shopify. F1454834 I was able to take over this domain via Your Service. Poc : Please visit https://3hopify.media or https://www.3hopify.media Impact Scam Users .. etc...
U.S. Dept Of Defense: Expired SSL Certificate allows credentials to be stolen
Hi security Team! I've found this website with no valid SSL Certificate. https://██████████ The certificate expired 314 days ago. Impact An error message can appear on the page and a user can have his credentials stolen by an attacker capturing the network data. System Hosts ███████ Affected Products and...
Lacework: Broken link profile in the website leads to identity theft.
Hi, I have found a broken profile link in the website where the attacker can perform identity theft. Summary : When a web application has any pages, sources, or links to external 3rd party services that are broken, then the attacker can claim those endpoints to successfully conduct the attack and...
VK.com: Vulnerability in the Android application
Incorrect event handling. The vulnerability made it possible to "hijack" a user's authentication token using Marusia widgets F1624996...
TikTok: HTML Injection on tiktoktutorials via firstName parameter
HTML injection was found in tiktoktutorials endpoint which could have potentially allowed attackers to modify the content of the email and trick users into visiting malicious sites. We thank @siratsami for reporting this to our team...
Basecamp: com.basecamp.bc3 Webview Javascript Injection and JS bridge takeover
It was identified that the Android com.basecamp.bc3 application contains a Webview where the loaded URLs are not sanitised properly. As this webview's functionality is extended via javascript interfaces and has javascript enabled, it is possible to inject arbitrary javascript code which will ...
VK.com: Obtaining the name and avatar (50x50) of a private group.
Partial disclosure of data about a private group via applications...
Glassdoor: [https://www.glassdoor.com] - Web Cache Deception Leads to gdtoken Disclosure
A web cache deception issue was reported by @bombon. For the exploit to trigger, the victim must be logged in to Glassdoor and must also visit an attacker-controlled page that makes the victim hit the caching page, programmatically fetch the cached CSRF token gdToken, and forge and send a request ...
Basecamp: Subdomain Takeover due to ████████ NS records at us-east4.37signals.com
Description Hi! I have discovered that us-east4.37signals.com was pointing to an unclaimed ████ NS zone and I've managed to claim it in my account. POC http://nagli.us-east4.37signals.com/takeover.html F1451587 Remediation Make sure to configure the DNS records under us-east4.37signals.com Best...
Flickr: Flickr Account Takeover using AWS Cognito API
Flickr uses Amazon Cognito to implement its login functionality. Furthermore, Flickr does not allow users to change their registered e-mail address via the user interface. This restriction can be bypassed via direct communication with the Amazon Cognito User Pool API. Consider we have the followi...
GitLab: Stored XSS in merge request creation page through payload in approval rule name
Summary Hi GitLab team, I found a stored XSS in merge request creation page caused by a payload in the name of an "approval rule". Adding approval rules is a feature that is unlocked for premium subscriptions or above. This does not seem to block it from being used against regular users on for...
Reddit: Hash-Collision Denial-of-Service Vulnerability in Markdown Parser
Summary: We have found three bugs in Reddit's markdown parser. Two of these bugs are exploitable to launch an algorithmic complexity denial-of-service DoS attack. In this report we explain the bugs and exploits. We also show, in a non-disruptive way, that it appears to exist in the current versio...
Acronis: Domain does not Match SSL Certificate
Summary While examining the subdomains for acronis.com, I noticed that https://pa.acronis.com is not currently protected by your SSL certificate. Steps To Reproduce Open firefox and copy/paste the following into the search bar: https://pa.acronis.com After you hit enter you will be transferred to...
U.S. Dept Of Defense: Subdomain takeover [████████]
The subdomain ███████ was pointing to an Azure Cloud App domain araz-sp.centralus.cloudapp.azure.com, but that endpoint was not registered. Impact It's extremely vulnerable to attacks as a malicious user could create any web page with any content and host it on the vulnerable domain. This would...