15268 matches found
PlayStation: size_t-to-int vulnerability in exFAT leads to memory corruption via malformed USB flash drives
Summary A heap-based buffer overflow can be triggered by a malformed exFAT USB flash drive. Vulnerability The vulnerability is in Sony's exFAT implementation where there is an integer truncation from 64-bit to 32-bit on a size variable that is used to allocate the up-case table: c int...
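The mechanism the summary above describes, as an added example that is not from the original report or from Sony's code: a 64-bit DataLength read from an attacker-controlled up-case table directory entry is narrowed to 32 bits before the allocation, while the subsequent copy uses the full value (that the copy uses the untruncated length is an assumption; the report only says the truncated variable sizes the allocation). The entry layout (32-byte entry, DataLength at offset 24, entry type 0x82) and the 128 KiB upper bound on a legitimate up-case table are assumptions for the demonstration.

```python
import struct

ENTRY_SIZE = 32             # every exFAT directory entry is 32 bytes
DATA_LENGTH_OFFSET = 24     # assumed offset of the 64-bit DataLength field in the up-case table entry
UPCASE_ENTRY_TYPE = 0x82    # assumed entry type for the up-case table
MAX_UPCASE_BYTES = 0x20000  # 65536 UTF-16 code units * 2 bytes: the largest legitimate up-case table


def build_upcase_entry(data_length: int) -> bytes:
    """Constructed up-case table entry carrying an attacker-chosen 64-bit DataLength."""
    entry = bytearray(ENTRY_SIZE)
    entry[0] = UPCASE_ENTRY_TYPE
    struct.pack_into("<Q", entry, DATA_LENGTH_OFFSET, data_length)
    return bytes(entry)


def read_data_length(entry: bytes) -> int:
    """The raw 64-bit value from disk, before any narrowing."""
    return struct.unpack_from("<Q", entry, DATA_LENGTH_OFFSET)[0]


def vulnerable_alloc_size(entry: bytes) -> int:
    """Models the bug: the 64-bit length is stored in a 32-bit int, so the high bits are
    silently dropped and the allocation is far smaller than the table copied into it."""
    return read_data_length(entry) & 0xFFFFFFFF


def overflow_bytes(entry: bytes) -> int:
    """Bytes written past the undersized buffer, assuming the copy loop uses the full 64-bit length."""
    return read_data_length(entry) - vulnerable_alloc_size(entry)


def hardened_alloc_size(entry: bytes) -> int:
    """Validate the untruncated value before it is ever narrowed. An up-case table has a hard upper
    bound, so anything above it (which covers every value with non-zero high 32 bits) is rejected."""
    length = read_data_length(entry)
    if length == 0 or length > MAX_UPCASE_BYTES or length % 2:
        raise ValueError(f"rejecting up-case table DataLength {length:#x}")
    return length
```

A DataLength of 0x1_0000_0010 allocates 16 bytes in the vulnerable path while the copy still expects 4 GiB plus 16 bytes; the hardened path never reaches the allocation because the bound check runs on the 64-bit value.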
UPchieve: No Rate Limiting for Password Reset Email Leads to Email Flooding
There is "No Rate Limiting" implemented in sending the Password Reset Email. Thus, attacker can use this Vulnerability to bomb out the Email Inbox of the victim. Affected URL : https://hackers.upchieve.org/resetpassword Steps to Reproduce: 1. Log In to : https://hackers.upchieve.org/ 2. Go To :...
GitHub Security Lab: [Java] CWE-079: Query to detect XSS with JavaServer Faces (JSF)
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java]: Add XXE sinks
This bug was reported directly to GitHub Security Lab...
Sony: Blind User-Agent SQL Injection to Blind Remote OS Command Execution at █████████
The researcher reported that a login form of a Sony website was vulnerable to a blind SQL injection. The researcher was able to use the blind SQL injection to enable xp_cmdshell functionality on the database and then run system commands. The output from the system commands was then obtained via...
Shopify: Xss At Shopify Email App
Hello Team, I have found an XSS on the Shopify Email app, but it's a bit weird: it's not executing directly, but when I copy the code it gets executed. Step 1: Navigate to https://s1-aug.myshopify.com/admin/apps/shopify-email/editor/3694417 Step 2: Add the XSS payload anywhere like...
Judge.me : Blind XSS via Feedback form.
Summary: Hi Team, I found a Blind XSS which is triggered on the admin panel. I was trying to add widgets on the installation page for the default theme. When the installation was done, I saw a question like: Are you happy with how everything looks? I clicked the No, please remove all widgets butto...
Nextcloud: User files are disclosed when someone calls while the screen is locked
Summary: User files on the server are disclosed while the screen is locked when someone calls. Steps To Reproduce: add details for how we can reproduce the issue 1. Make 2 Accounts, let's call them Account A and Account B 2. Using Account A login to https://nextcloud/apps/spreed/ 3. Using Account ...
TikTok: Broken Link on TikTokUS.Info
TikTokUS.Info page had a broken link. An attacker could leverage this vulnerability to claim the social media account and perform social engineering attacks such as phishing. We thank @siratsami for reporting this to our team and confirming the resolution...
Brave Software: Open redirect found on account.brave.com
What is open redirect A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the...
Acronis: No server side check on terms of service page which leads to bypass
Hi team, I have found that there is no server-side check implemented on the "Acronis Terms of Service and Privacy Statement" page that is shown after filling the registration form, which results in bypassing it without even accepting it. Steps To Reproduce: 1. Register as a new user by filling out...
Brave Software: Information disclosure-Referer leak
Assigned to: Brave Assigned by: Kirtikumar Anandrao Ramchandani Assigned on: 13/09/2021 Browser information used to test Up to date: Brave 1.29.79 Chromium: 93.0.4577.63 Official Build 64-bit Revision ff5c0da2ec0adeaed5550e6c7e98417dac77d98a-refs/branch-heads/4577@1135 OS Windows 10 OS Version 20...
PortSwigger Web Security: No Rate Limit On Regenerate Password on Portswigger
Introduction A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session or IP-address has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP-Servers can respond with status code 429...
Nextcloud: Folder architecture and file sizes of private file drop shares can be obtained
Steps To Reproduce: 1. Create a new Folder "TestABC" 2. Share a password protected link of this folder 3. Create a file "README.md" and a file "README.md" in the Subfolder "Subfolder". == curl -H "OCS-APIREQUEST: true" "http://localhost/ocs/v2.php/apps/text/public/workspace?shareToken=ABCDE12345"...
TikTok: BYPASSING COMMENTING ON RESTRICTED AUDIENCE VIDEOS
A vulnerability was identified in TikTok comments which could have potentially allowed users to bypass the commenting restriction by responding to existing comments via video message. We thank @boynamedboy for reporting this to our team and confirming the resolution...
Nextcloud: objectId in share location can be set to open arbitrary URL or Deeplinks
Summary: The Nextcloud Talk app allows a user to share their location in the mobile app. The objectId= in /ocs/v2.php/apps/spreed/api/v1/chat/$token/share can be set to a URL or deeplink, while the metaData= will render the map. Once a user clicks the map it will open the defined URL or deeplink...
U.S. Dept Of Defense: Information disclosure at '████████' --- CVE-2020-14179
Research conducted on ████████ indicates that the Atlassian Jira Server and Data Center instance allows remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint CVE-2020-14179...
Lark Technologies: Removed user can still view comments on the file/documents.
A vulnerability was found using a message API endpoint which could have resulted in a user being able to retrieve comments from a document after being removed. We thank @imrannisar for reporting this to our team...
curl: CVE-2021-22947: STARTTLS protocol injection via MITM
Summary: A man-in-the-middle can inject cleartext forged responses to future encrypted commands by pipelining them to the STARTTLS response. Steps To Reproduce: Use the attached test case within the curl test system. It is based on IMAP FETCH with explicit TLS. Upon test failure, the downloaded...
curl: CVE-2021-22946: Protocol downgrade required TLS bypassed
Summary: In imap and pop3, --ssl-reqd is silently ignored if the capability command failed. In ftp, a non-standard 230 response (preauthentication?) in the greeter message forces curl to continue unencrypted, even if TLS has been required. Steps To Reproduce: Use a parameterizable test server to fa...
Nextcloud: RCE on 17 different Docker containers on your network
Summary: I was able to get RCE on 17 different Docker containers, ranging from postgres to some prod environments Steps To Reproduce: I found that there was an unconfigured portainer.io service running on http://spreed-demo.nextcloud.com:9000 1. I created an administrator account with the login...
Nextcloud: Cards in Deck are readable by any user
Sensitive deck card contents were readable by any user, allowing unauthorized access to the information...
UPchieve: Clickjacking login page of https://hackers.upchieve.org/login
Hello, you have discovered this unprotected login page https://hackers.upchieve.org/login An attacker can frame the page in an iframe and deceive a user, obtaining a password, email and sensitive information Impact An attacker can deceive a user and obtain a password, email and...
Kubernetes: Broken Link Hijacking on kubernetes.io Documentation
Report Submission Form Summary: Kubernetes docs have a Spanish translation available. One of the pages of the Spanish docs has an external reference to a Confluence page. The Confluence account was not registered on Atlassian, so I was able to take over the page and host the PoC. Kubernetes Version: NA...
ImpressCMS: Stored XSS on 1.4.0
Summary: The hacker AppleBois raised this Stored Cross-Site Scripting on GitHub on Jun 19, 2020 and it was fixed on Jul 7, 2020. The hacker now raises the issue on HackerOne. Furthermore, this issue can now be tracked under CVE-2020-17551. ImpressCMS branch: 1.4.0 Steps To Reproduce: 1...
UPchieve: No Rate Limiting on /reset-password-request/ endpoint
Summary: Description Hi there! I noticed that when we hit the /reset-password-request/ endpoint too many times via some proxy, e.g. Burp, there is no rate limit on that endpoint and you can spam the email with hundreds of requests and resend even more password reset emails to the users, as there is no...
Zomato: Claiming the listing of a non-delivery restaurant through OTP manipulation
Summary: I am able to claim any restaurant which has not been claimed before. Description: An endpoint POST /restaurant-onboard-diy/v2/send-auto-claim-otp HTTP/2 sends an OTP to the restaurant's mobile number. Request Request:1 is - POST /restaurant-onboard-diy/v2/send-auto-claim-otp HTTP/2 Host: www.zomato.com...
U.S. Dept Of Defense: DoD internal documents are leaked to the public
Hello Team, I found a zip file containing documents about DoD. From what I looked at, they are documents for new soldiers who are starting out, but I didn't just find these files; I found several others, like advice, commander files, plans, certificates and others. ███ ██████ █████████ In some of the files I...
U.S. Dept Of Defense: AWS subdomain takeover of www.███████
Description: The AWS bucket hosted on www.████████ was vulnerable to a subdomain takeover. It has a DNS record pointing to an unclaimed bucket that I was able to register and serve a PoC on. References Output of dig: ;; QUESTION SECTION: ;www.███████. IN A ;; ANSWER SECTION: www.████. 1833 IN CNA...
Courier: Session Fixation allows attacker to create new evil workspace without being logged in [ Insecure Session management ]
Hello, how are you? Hope you are doing great in this pandemic. While testing again for session management related bugs in your application, I found a session related issue where an evil person can easily create a new workspace from the victim's account without being logged in, which means the session ...
Mail.ru: CVE-2020-11110: Grafana Unauthenticated Stored XSS -████.bizml.ru
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. PoC - Send the following HTTP request http POST...
GitHub Security Lab: Java: Static initialization vector
This bug was reported directly to GitHub Security Lab...
TikTok: Incorrect authorization to the intelbot service leading to ticket information
An authentication bypass and site-wide stored XSS (cross-site scripting) vulnerability was found on TikTok Ads as the JWT (JSON Web Token) was not verified properly. We thank @johnstone for reporting this to our team and confirming its resolution...
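The bug class named above, as an added example that is not TikTok's code and not part of the original disclosure: a service that decodes JWT claims without checking the signature will accept any token an attacker assembles, including one whose header says alg none and carries no signature at all. The verifying path pins the expected algorithm, recomputes the HMAC and compares it in constant time; the HS256 key, claim names and token contents are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Legitimate issuer: header.payload signed with HMAC-SHA256 over the two encoded segments."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def forge_token(claims: dict) -> str:
    """Attacker's token: well-formed segments, alg set to none, empty signature. No key needed."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def claims_unverified(token: str) -> dict:
    """The vulnerable pattern: trusts whatever the payload says, never looks at the signature."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def claims_verified(token: str, key: bytes) -> dict:
    """The hardened pattern: reject unexpected algorithms, then verify the MAC before reading claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pinned server-side; the token does not get to choose
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))
```

Pinning the algorithm on the server side matters as much as checking the MAC: a verifier that reads alg from the token and honours none, or that lets an RS256 public key be used as an HS256 secret, is bypassed without touching the signature check itself.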
Stripe: User can pay using archived price by manipulating the request sent to `POST /v1/payment_pages/for_plink`
@gregxsunday discovered a way to purchase a product with an archived price using a payment link. The bypass was possible because of missing validation. A change was shipped to ensure both the payment link and price are active. Note: This bug was accepted and received before our minimum bounty...
U.S. Dept Of Defense: RCE in ███ [CVE-2021-26084]
A vulnerability in affected versions of Confluence Server and Data Center allowed authenticated users, and in some cases unauthenticated users, to execute arbitrary code. The vulnerability was due to an OGNL injection issue affecting endpoints that could be accessed by non-administrators when use...
Logitech: Steal any users `access_token` via open redirect in https://streamlabs.com/global/identity?popup=1&r=
Hey there, After reading the disclosed report 1178239, I started to look for bypasses but I found that it's restricted to only streamlabs.com and merch.streamlabs.com; providing any other domain or subdomain of streamlabs.com gives an error instead of the 302 redirect. From the Wayback Machine...
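The redirect-parameter validation that the Brave open redirect entry (account.brave.com) and the Streamlabs r= entry above are about, as an added example that is neither project's code: the target is accepted only if it is a same-origin path or an https URL whose host is on an exact allowlist, and the common bypass shapes are handled explicitly. The allowlisted hosts (streamlabs.com and merch.streamlabs.com, from the report above) and the fallback path are assumptions for the demonstration.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"streamlabs.com", "merch.streamlabs.com"})  # assumed allowlist


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = "/") -> str:
    """Return `target` if it may be used in a Location header, otherwise `fallback`."""
    # Backslashes and control characters are normalised differently by browsers and servers
    # ("/\evil.com" is "//evil.com" to a browser), so refuse them instead of reasoning about them.
    if not target or any(ch in target for ch in "\\\r\n\t\x00"):
        return fallback
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading slash. "//evil.com" parses with a netloc and never gets here.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    if parts.scheme != "https":
        return fallback                      # rejects javascript:, data:, http: downgrades and "//host"
    if parts.username is not None or parts.password is not None:
        return fallback                      # "https://streamlabs.com@evil.com/" carries userinfo
    host = (parts.hostname or "").lower()    # hostname drops the port and lowercases nothing by itself
    if host not in allowed_hosts:
        return fallback                      # exact match: "streamlabs.com.evil.com" is not a suffix match
    return target
```

The exact-match allowlist is the point the Streamlabs report turns on: a suffix check ("endswith streamlabs.com") would accept streamlabs.com.evil.com, and a prefix check would accept streamlabs.com@evil.com, so neither is used.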
U.S. Dept Of Defense: RCE on ███████ [CVE-2021-26084]
A remote code execution vulnerability was present in affected versions of Confluence Server and Data Center due to an OGNL injection issue. This allowed an authenticated user, and in some cases an unauthenticated user, to execute arbitrary code. The vulnerability affected versions before 6.13.23,...
Sifchain: Origin IP Disclosure Vulnerability
Summary: It is possible to access origin IP servers served by nginx and not Cloudflare. Even though these IPs don't serve a functional version of the app, it is possible to enable DDoS attacks by bypassing Cloudflare protections. Steps To Reproduce: Even though these IPs don't serve a functional...
Ruby on Rails: Content Security Policy is only active for HTML responses but not for image/svg+xml
A vulnerability was discovered in Rails where the Content Security Policy (CSP) was only applied to HTML responses and not to image/svg+xml responses. This allowed an attacker to execute malicious JavaScript code by uploading a malicious SVG file and sending a link to the victim...
U.S. Dept Of Defense: Access to administrative resources/account via path traversal
Description: A user can login as an administrator without the need of an ██████████ account, or an authenticated user can access and manipulate administrative resources without needing to login as an administrator. An ████████ ███████ account is required. References Impact Exfiltration of sensiti...
Reddit: com.reddit.frontpage vulnerable to Task Hijacking (aka StrandHogg Attack)
Summary: The app com.reddit.frontpage is vulnerable to Task Hijacking, used by widespread Android trojans. Task hijacking allows malicious apps to inherit permissions of vulnerable apps and is usually used for phishing the login credentials of victims. Impact: Assuming a malicious actor wants to grab...
Affirm: IDOR to view order information of users and personal information
Summary: Broken access control is the method of controlling which users can perform a certain type of action or view set of data. Broken access control is a vulnerability that allows an attacker to circumvent those controls and perform more actions than they are allowed to, or view content they...
U.S. Dept Of Defense: Cache Poisoning leading to denial of service at `█████████` - Bypass fix from report #1198434
Vulnerability Cache Poisoning CPDoS Cache Poisoning Denial Of Service (CPDoS) [1] takes advantage of 301 redirects by storing a false value of either domain, port or header that affects the response in any way. This makes the cache server store the false value and later deliver it to all users...
Automattic: Ability to subscribe to inactive Post+ creators
Hey y'all! 👋 Hope all is well! Summary: In testing Tumblr's Post+, I've found that it's possible to subscribe to creators that, at one point, opted into Post+ but had opted out after some point. As I note later on, it appears that this is a "one time use only" as the Payment URL becomes invalid...
LocalTapiola: Cookie exfiltration through XSS on the main search request of www.lahitapiola.fi
Basic report information Summary: Adding extra search parameters generates the creation of new input fields which can be escaped, thus generating HTML injection possibilities, Cross-Site Scripting attacks, and the retrieval of the page's cookies. Description: - Observing the Bug I was researching...
On : No Rate Limit in Login Page
The login page of the website did not have a rate limit implemented, allowing an attacker to perform brute force attacks by trying multiple login attempts without being restricted...
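The control that the four rate-limit entries above (UPchieve password reset email, PortSwigger regenerate password, UPchieve /reset-password-request/, and the login page here) are missing, as an added example that is none of those programs' code: a sliding-window limiter keyed on two dimensions, the client IP (one attacker hammering the endpoint) and the target account (many IPs flooding one victim's inbox), answering 429 with Retry-After as the PortSwigger entry describes. The limits (10 per IP and 3 per email per hour), the endpoint name and the manual clock are assumptions for the demonstration.

```python
import time
from collections import defaultdict, deque


class ManualClock:
    """Constructed clock so the demonstration is deterministic; production code passes time.monotonic."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class SlidingWindowLimiter:
    """At most `limit` events per `window` seconds for each key, tracked as a deque of timestamps."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)

    def check(self, key: str):
        """Returns (allowed, retry_after_seconds); records the event only when it is allowed."""
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # drop timestamps that fell out of the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False, self.window - (now - hits[0])  # time until the oldest hit expires
        hits.append(now)
        return True, 0.0


class PasswordResetEndpoint:
    """Assumed handler for POST /reset-password-request/ with per-IP and per-email limits."""

    def __init__(self, clock=time.monotonic):
        self.per_ip = SlidingWindowLimiter(limit=10, window=3600, clock=clock)
        self.per_email = SlidingWindowLimiter(limit=3, window=3600, clock=clock)

    def handle(self, client_ip: str, email: str):
        """Returns (status, headers). The 200 body would be identical whether or not the email exists,
        so the endpoint does not double as an account-enumeration oracle."""
        checks = (
            (self.per_ip, f"ip:{client_ip}"),
            (self.per_email, f"email:{email.strip().lower()}"),
        )
        for limiter, key in checks:
            allowed, retry_after = limiter.check(key)
            if not allowed:
                return 429, {"Retry-After": str(int(retry_after) + 1)}
        # sending the reset email for `email` would happen here
        return 200, {}
```

Per-IP limiting alone does not stop inbox flooding, because the attacker in the UPchieve reports can rotate source addresses; the per-email bucket is what bounds how many reset mails one victim can receive per hour regardless of where the requests come from.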
TikTok: XSS on tiktok.com
A cross-site scripting vulnerability was found in a TikTok endpoint using the returnurl parameter. We thank @arifmkhls for reporting this to our team and confirming the resolution...
Uber: Google Maps API Key Leakage
Google allows developers/vendors to restrict the usage of these keys in several different ways, as can be read here: https://developers.google.com/maps/api-key-best-practices...
Localize: Stored XSS in Document Title
Summary : Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS ...
Ruby: XSS exploit of RDoc documentation generated by rdoc
Vulnerability description not provided...