Courier: [3] Bypassing IP Based Rate Limit Blocking leads to rate limit bypass in Courier Login Panel
Hi team, I would like to report a rate limit issue based on the IP blocking mechanism. Rate limitation nowadays is not effective anymore at protecting against brute force. There are many botnets out there which can be used to overcome this hurdle, as well as cloud VPS services, e.g. Amazon AWS EIPs, Digita...
MTN Group: Password reset token leak on third party website via Referer header [cloudivr.mtnbusiness.com.ng]
Summary: F1426175 It has been identified that the application is leaking the referrer token to third party sites. In this case it was found that the password reset token is being leaked to third party sites, which is an issue knowing the fact that it can allow any malicious users to use the token and...
UPchieve: No rate Limit on Password Reset page on upchieve
Summary: Introduction A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP servers can respond with status...
Sony: Path Traversal issue at https://████/blaze/
The researcher reported that a Sony endpoint was vulnerable to a path traversal vulnerability due to CVE-2018-1271. The researcher used the path traversal vulnerability to access a win.ini file on the vulnerable endpoint...
Courier: Possible to invite any team member without being logged in. [ Session Management Issue ]
Hi, I would like to report a session management issue to you. While testing I found that we can easily invite, or easily perform invite-related actions, even after we logged out from the account. This means the sessions are not properly managed. I didn't check the other functionality under sessi...
GitHub Security Lab: [Python] CWE-943: Add NoSQL Injection Query
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [C#]: Deserialization sinks
This bug was reported directly to GitHub Security Lab...
Adobe: Registration Information Leakage
The security researcher discovered an Improper Access Control that led to information exposure. The vulnerability was responsibly disclosed and addressed...
Mail.ru: Cross-site Scripting (XSS) - Stored
Stored XSS at https://otvet.mail.ru via a question with answers to choose one. XSS payload in answer...
UPchieve: OTP reflecting in response sensitive data exposure leads to account take over
Summary: Sensitive data, that is the OTP, is reflected in the response of the phone number OTP verification in https://app.upchieve.org Steps To Reproduce: 1. Sign in with an account 2. After signing in it will ask for a phone number for OTP verification. 3. Capture the request using Burp Suite and see the response...
UPchieve: No Rate Limit on forgot password page
Summary: no rate limit bug on your login page. Steps To Reproduce: add details for how we can reproduce the issue 1. add step 1. add step 1. add step Supporting Material/References: list any additional material e.g. screenshots, logs, etc. attachment / reference Recommendations for...
IBM: Unauthorized Kubernetes to RCE (root) and found TEAMTNT Crypto Miner on it
This report revealed a vulnerable server running an unauthorized Kubernetes which allowed unkn0wn to gain remote code execution. This issue was reported to IBM and has been remediated...
U.S. Dept Of Defense: Open Akamai ARL XSS at ████████
Summary There is an Open Akamai ARL XSS at ████ Proof-of-Concept https://█████████/7/0/33/1d/www.citysearch.com/search?what=Binit&where=Binit%22%3E%3Cimg%20src%3Dbinit%20onerror%3Dalert%28document.domain%29%3E References: - https://github.com/war-and-code/akamai-arl-hack -...
U.S. Dept Of Defense: Open Akamai ARL XSS at ████████
Summary There is an Open Akamai ARL XSS at ████████ Proof-of-Concept http://████/7/0/33/1d/www.citysearch.com/search?what=Binit&where=Binit%22%3E%3Cimg%20src%3Dbinit%20onerror%3Dalert%28document.domain%29%3E References: - https://github.com/war-and-code/akamai-arl-hack -...
Brave Software: Unclaimed S3 bucket takeover in the 3 .js files located on the GitHub page of Brave Software
Summary: There is an unclaimed S3 bucket, i.e. brave-extensions.s3.amazonaws.com, located in the 3 .js files on the official Brave Software GitHub page https://github.com/search?q=org%3Abrave+brave-extensions+language%3AJavaScript&type=Code The attacker can take over the bucket and create a file that is used ...
Tor: Information Exposure Through Directory Listing
Vulnerability description The web server is configured to display the list of files contained in this directory. This is not recommended because the directory may contain files that are not normally exposed through links on the web site. Link as POC: https://www.torproject.org/static/...
U.S. Dept Of Defense: Open Akamai ARL XSS on http://master-config-████████
The Open Akamai ARL on http://master-config-████████ was found to be vulnerable to a Reflected Cross Site Scripting XSS vulnerability. The vulnerability was discovered in the "what" and "where" parameters of the search functionality. The vulnerability allowed the execution of arbitrary JavaScript...
U.S. Dept Of Defense: Open Akamai ARL XSS on http://media.████████
The Reflected Cross-site Scripting XSS vulnerability was discovered on the http://media.████ website. The vulnerability allowed the execution of arbitrary JavaScript code by injecting it into the vulnerable URL parameter. The vulnerability was found to be present in the Akamai ARL Adaptive Delive...
MTN Group: OTP bypass in verifying NIN
Summary: While conducting my research on your website I found that while verifying the NIN number it sends the OTP to the entered mobile number, which can be bypassed. Steps To Reproduce: 1. Go to https://nin.mtnonline.com/nin/ 2. Click submit NIN. Now it will redirect to another page...
LY Corporation: Improper authorization allows disclosing users' notification data in Notification channel server
LINE Channel authentication provides separate authentication tokens for each LINE Channel. Due to the bug in the authentication process in the Notifications Channel service, it could be possible for an attacker to get the Notifications Channel data of another user by using their valid...
U.S. General Services Administration: Path Traversal on meetcqpub1.gsa.gov allows attackers to see arbitrary file listings.
Summary: Path Traversal on meetcqpub1.gsa.gov allows attackers to see arbitrary file listings from a directory of their choice. I wasn't sure if this page was in scope of this program or the TTS program; hopefully this isn't a problem. Steps To Reproduce: 1. Navigate to the following URL -...
Pornhub: Deserialization of untrusted data at https://www.redtube.com/media/hls?s=data
The researcher was able to exploit a PHP Object Injection vulnerability which allowed him to execute remote commands on the server...
Affirm: Subdomain takeover due to non registered TLD [ ██████████.█████.██████.com ]
Summary: I was looking at the recently disclosed report 1297689 and I was thinking to take a look for the same issue on this asset, as I love to test for subdomain takeover vulnerabilities. While testing I noticed a DNS entry for ███████.████.██████████.com is a CNAME to ████.███████████, whose TLD is not...
XVIDEOS: Text injection or content spoofing on forbidden page
Hello Team, while enumerating directories of xvideos.com I found that 403 forbidden directories are reflected on the page, so I created some custom words to change the mind of customers that the website is under construction so please visit the attacker site. Reproduction steps: domain: www.xvideos.c...
Reddit: Open Redirect through POST Request in www.redditinc.com
Summary: Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leverag...
Sony: Reflected XSS on ███ via jobid parameter
The researcher reported that a URL parameter of a Sony website was vulnerable to reflected XSS. The researcher used the JavaScript onpointerleave event to trigger the XSS payload...
UPchieve: Widespread CSRF on authenticated POST endpoints
Summary: Cross-Site Request Forgery CSRF is possible on most, if not all, authenticated POST endpoints. While CORS is configured such that the Access-Control-Allow-Origin header is set to Access-Control-Allow-Origin: hackers.upchieve.org, CORS does not prevent CSRF - it only prevents the attacker...
U.S. Dept Of Defense: Reflected XSS [██████]
Reflected cross-site scripting XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. An attacker can execute arbitrary JavaScript code in the victim's session. Steps To Reproduce Go to this URL:...
U.S. Dept Of Defense: Reflected XSS [██████]
Reflected cross-site scripting XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. An attacker can execute arbitrary JavaScript code in the victim's session. Steps To Reproduce Go to this URL:...
U.S. Dept Of Defense: Reflected XSS [███]
Reflected cross-site scripting XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. An attacker can execute arbitrary JavaScript code in the victim's session. Steps To Reproduce Go to this URL:...
Basecamp: Privilege Escalation leads to trashing other users' comments without having admin rights.
Privilege Escalation leads to trashing other users' comments without having admin rights...
Revive Adserver: Use of a Broken or Risky Cryptographic Algorithm
revive-adserver utilizes a PRNG for session-token generation; this means that an attacker could theoretically be able to generate session tokens at random and take over accounts at random. This function does not generate cryptographically secure values, and should not be used for cryptographic...
MTN Group: There is no rate limit for SME REGISTRATION PORTAL
Summary: The speed limit for the https://mtngbissau.com/registo/ endpoint has not been implemented. Steps To Reproduce: 1. Go to https://mtngbissau.com/registo/ 2. Fill out the registration form 3. Send the request to Intruder. 4. Set your payloads and start the attack. 5. There is no rate limit...
U.S. Dept Of Defense: XSS because of Akamai ARL misconfiguration on ████
Hello team, I hope you're doing well & healthy. I found a reflected XSS because of the misconfiguration of Akamai ARL. ███████ References - https://github.com/war-and-code/akamai-arl-hack - https://twitter.com/SpiderSec/status/1421176297548435459 - https://warandcode.com/post/akamai-arl-hack/ -...
U.S. Dept Of Defense: Reflected XSS at ████ via ██████████= parameter
Hi, I found that this endpoint is vulnerable to Reflected XSS. The ███= parameter is vulnerable to RXSS PoC: ██████████?████████=%253Cimg/src/onerror=alertdocument.domain%253E Payload: Regards Impact RXSS System Hosts www.███ Affected Products and Versions CVE Numbers Steps to Reproduce...
LY Corporation: Bot setting information leakage in OpenChat room
Due to a bug in the authority verification process, it could be possible for non-admin users to see settings details for the LINE OpenChat Admin Bot, such as saved scheduled messages and auto-responses...
UPchieve: I can join without user and pass on this website https://argocd.upchieve.org/settings/accounts
Summary: I can see the content Steps To Reproduce: the website is not good 1. If I join this website I can see the content https://argocd.upchieve.org/settings/accounts Supporting Material/References: you must need good programmers https://argocd.upchieve.org/settings/accounts Recommendations for...
Ruby on Rails: Sauce Labs API key unencrypted in an old commit
Vulnerability description not provided...
Nextcloud: Arbitrary read of all SVG files on a Nextcloud server
Vulnerability description not provided...
GitHub Security Lab: Java: Timing attacks while comparing results of cryptographic operations
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [C#]: HttpOnly and Secure Cookies for .NET Core and .NET
This bug was reported directly to GitHub Security Lab...
Ruby: Bug Report : [ No Valid SPF Records ]
Hi Team, Hope you are doing well. I found a vulnerability in your web app URL: https://www.ruby-lang.org/en/s Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than...
UPchieve: CLICKJACKING LEADS TO DEACTIVATE ACCOUNT
Hello UPCHIEVE SECURITY TEAM, I'm Anto Vulnerability: Clickjacking in https://hackers.upchieve.org/profile Steps to Reproduce: 1. Create an HTML file with the following code Click the place where it shows Click 1 Click 2 Click 2 2. Save and open it in your browser; the page will appear. Impact An...
Ruby on Rails: Possible DOS in app with crashing `exceptions_app`
Vulnerability description not provided...
U.S. Dept Of Defense: Sensitive information on '████████'
Hi team, I found a sensitive file hosted on '█████████' that I think must not be publicly accessible due to the wording "███████" Vulnerable Endpoint: https://█████████/████████ ██████████ Impact Sensitive information publicly accessible System Hosts ████████ Affected Products and Versions CVE...
U.S. Dept Of Defense: Sensitive information on ██████████
Hi team, I found a sensitive file hosted on '████' that I think must not be publicly accessible due to the wording "████████" Vulnerable Endpoint: https://██████ █████████ Regards Impact Sensitive information publicly accessible System Hosts ██████████ Affected Products and Versions CVE Numbers Ste...
Elastic: blind Server-Side Request Forgery (SSRF) allows scanning internal ports
A blind Server-Side Request Forgery SSRF vulnerability was found on a website, allowing an attacker to scan internal ports. The vulnerability could not be used to read HTTP responses, but could be used for reconnaissance purposes, such as port scanning by measuring response time...
VK.com: Bug with subscription payment
Insufficient validation...
Reddit: Outsider can affect Upvote Percentage of private subreddit post by calling /api/vote API
Summary: An attacker that does not have access to a private subreddit can still affect the Upvote Percentage of any post in this private subreddit. He does that by calling the /api/vote API and passing the post id directly. What is Upvote Percentage?: F1407175 Impact: - Attacker can affect Upvote Percentage o...
Shopify: Sensitive data Related to Shopify Host -> https://shopify.zendesk.com/
Description: GitHub is a truly awesome service but it's unwise to put sensitive data in a public repo, as I found a repo committed 1 hour ago containing sensitive data (Credentials && ZRTAPIKEY && JWTSECRET) related to this host - https://shopify.zendesk.com/ leaked publicly on GitHub, and clearly th...