Rockstar Games: Uninstalling Rockstar Games Launcher for Windows (64-bit), then reinstalling keeps you logged in without authentication
In this report, the researcher identified a potential weakness in Rockstar Games Launcher that caused the application to retain profile data on the local machine, even after the application was uninstalled. This included auto sign-in flags, resulting in automatic sign-ins when reinstalling Rockst...
Node.js: Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: "rejectUnauthorized: false"...
Rockstar Games: Brute Force against VMware Horizon
In this report, the researcher discovered a VMWare Horizon admin remote access login portal that was publicly accessible and not sufficiently protected against credential stuffing/brute force attacks. No user accounts were breached; all employees are required to use MFA to login through such...
U.S. Dept Of Defense: [CVE-2021-29156 on ForgeRock OpenAm] LDAP Injection in Webfinger Protocol!
Description: https://████████ is vulnerable to CVE-2021-29156. References https://nvd.nist.gov/vuln/detail/CVE-2021-29156 https://portswigger.net/research/hidden-oauth-attack-vectors...
Mail.ru: Read-only user can edit user segments.
Domain -- https://tracker.my.com/segment/list Testing environment -- Open two separate browsers with two independent accounts created at https://tracker.my.com/ Steps to reproduce -- In browser A 1. Log in to your account at https://tracker.my.com/ as user 1. 2. Create a new account at...
U.S. Dept Of Defense: XSS due to CVE-2020-3580 [██████]
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an...
U.S. Dept Of Defense: XSS due to CVE-2020-3580 [███]
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an...
U.S. Dept Of Defense: XSS due to CVE-2020-3580 [███.mil]
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an...
HackerOne: Disclosure handle private program with external link
Summary: Hi team. It looks like we can identify private programs that have an external link Steps To Reproduce 1. http POST /graphql HTTP/1.1 Host: hackerone.com Connection: close Content-Length: 168 accept: / X-Auth-Token: yourtoken User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64...
Shopify: Stored XSS in SVG file as data: url
A stored XSS vulnerability was discovered in Shopify's rich text editor on July 24, 2021. Attackers were able to insert an XSS payload encoded in an SVG file using data: URLs. The vulnerability was fixed by preventing the conversion of data: URLs into blob: URLs...
Reddit: S3 bucket Upload on studio.redditinc.com (s3-r-w.ap-east-1.amazonaws.com)
Greetings team, I found an S3 bucket that belongs to studio.redditinc.com and is not properly configured. Bucket name:- s3-r-w.ap-east-1.amazonaws.com Bucket source:- studio.redditinc.com Steps to reproduce:- In a terminal, "dig studio.redditinc.com" will return the CNAME d326d3e45wj426.cloudfront.net...
Sifchain: Signature Verification /// golang.org/x/crypto/ssh
Summary: The crypto package is vulnerable to Improper Signature Verification: "An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any...
Algolia: Information disclosure -> 2fa bypass -> POST exploitation
Greetings! So I was testing algolia.com. I was impressed to find out that there are mitigations in place to prevent POST exploitation, such as: when 2FA is enabled we need the "old password" to update the following things: - To update the password - To disable the 2FA, etc., there might be more.... And we need 2FA...
PortSwigger Web Security: RCE of Burp Scanner / Crawler via Clickjacking
A vulnerability was discovered in Burp Suite, a web application security testing tool. The vulnerability allowed an attacker to exploit a known XSS vulnerability in the embedded Chrome browser used by Burp Suite. By leveraging this vulnerability, an attacker could execute arbitrary commands on th...
HackerOne: Internal Gitlab Ticket Disclosure via External Slack Channels
@noneoftheabove was able to enumerate GitLab ticket titles and descriptions by posting links in a shared Slack channel. As part of HackerOne's investigation, it was determined that the misconfiguration could also be used to obtain the contents of exceptions from HackerOne's production environment...
MTN Group: IDOR Leads To Account Takeover Without User Interaction
Summary: Hello Team, there's an IDOR bug on the subdomain mtnmobad.mtnbusiness.com.ng that leads to account takeover; for more details check the PoC. Steps To Reproduce: 1. Create two accounts on mtnmobad.mtnbusiness.com.ng and verify the emails for both accounts from your email inbox 2. Log in to the attacker accou...
Stripe: Without verifying email and activate account, user can perform all action which are not supposed to be done
A researcher discovered that it was possible to access a subset of livemode dashboard functionality without verifying the account's email address. The livemode functionality in question was disabled in the UI, but could be accessed on the backend. Following this report, Stripe performed an intern...
U.S. Dept Of Defense: System Error Reveals SQL Information
Hello, while testing your program I came across an endpoint that is leaking SQL errors and queries from one of your websites. I used the following Google dork to detect this: site:████████ "sql error" Endpoints leaking data: https://www.██████/██████████ https://www.███████/███ Some of the errors...
Shopify: Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage
Shopify.com Web Cache Deception Vulnerability, Matteo Golinelli, July 21, 2021. I am testing websites for possible Web Cache Deception vulnerabilities (you can find more about it here) and I discovered that shopify.com is vulnerable. Web cache deception (WCD) is an attack where an attacker tricks a...
UPchieve: hackers.upchieve.org and argocd.upchieve.org are not preloaded.
POC video : IMG7790.MP4 Vulnerable URLs : https://hstspreload.org/?domain=argocd.upchieve.org and https://hstspreload.org/?domain=hackers.upchieve.org Impact Security Misconfiguration...
Phabricator: Broken Authentication and Session Management lead to take over account
Hello, I found a vulnerability using a phone. Summary: Session token weakness, allowing attackers to take over accounts. Tools: Lightning.apk browser, SandroProxy.apk, or you can use any available proxy. Steps to Reproduce: 1. Create a Phacility account. 2. Go to...
UPchieve: Vulnerability Report - sweet32 UPchieve
Hello Team. I ran nmap with the ssl-enum script to look for a vulnerability known as "SWEET32". Details about the SWEET32 vuln: Cryptographic protocols like TLS, SSH, IPsec, and OpenVPN commonly use block cipher algorithms, such as AES, Triple-DES, and Blowfish, to encrypt data between client...
Mail.ru: [play.skillbox.ru] CRLF Injection
Domain, site, application The / folder / to / folder redirect script is vulnerable to a CRLF Injection attack. PoC Setting cookie crlf=CRLF;domain=.skillbox.ru;path=/;/ All browsers except FireFox are affected Affected URL: http://play.skillbox.ru/ Payload...
Rockstar Games: Open Redirection affects autodiscover.rockstargames.com
In a report, a researcher identified an open redirection vulnerability in the Office365 Autodiscover service of the rockstargames.com domain. The issue was resolved through updates from Microsoft and internal configuration changes...
curl: CVE-2021-22945: UAF and double-free in MQTT sending
Vulnerability Description: libcurl version 7.77.0 has a Use-After-Free and a Double-Free in lib/mqtt.c in the function mqtt_doing() on lines 556 - 563: `if(mq->nsend) { /* send the remainder of an outgoing packet */ char *ptr = mq->sendleftovers; result = mqtt_send(data, mq->sendleftovers, mq->nsend); free(ptr);`...
VK.com: Viewing the avatar of a frozen page / private group.
Insufficient checks when changing the avatar...
Shopify: Improper Input Validation on https://oberlo-image-proxy.shopifycloud.com/
The service under https://oberlo-image-proxy.shopifycloud.com/ seems to work like an image proxy through the url GET parameter, and it is supposed to handle only images. █████████ When a content type other than an image is present, the service returns a 404 error to the user. curl -si...
ExpressionEngine: Authenticated RCE via page title
A vulnerability was identified and fixed that could have allowed authenticated users to execute arbitrary PHP code by manipulating the page title in a specific API call...
Krisp: Authentication CSRF resulting in unauthorized account access on Krisp app
@yassineaboukir has identified and reported a CSRF issue in our desktop application's authentication flow, affecting the account dashboard, that could result in unauthorized access to a user account. We would like to thank Yassine Aboukir for reporting it responsibly to our bug bounty program!...
U.S. Dept Of Defense: Reflected XSS on [█████████]
Summary: Hi security team members, I found a reflected XSS on the URL Impact 1. An attacker can steal the victim's cookies. 2. An attacker can execute JS code. System Hosts █████ Affected Products and Versions CVE Numbers Steps to Reproduce 1. Navigate to this link:-...
JetBlue: Open Redirection
An open redirection vulnerability was discovered in a URL that allowed an attacker to construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior could be leveraged to facilitate phishing attacks against users of the application. The vulnerabili...
JetBlue: Access to tomcat-manager with default creds
The Apache Tomcat/6.0.35 server used by a domain was vulnerable to improper authentication due to the use of default credentials, allowing unauthorized access to the admin manager. The vulnerability was discovered and reported...
Shopify: Staff who only have apps and channels permission can do a takeover account at the wholesale store (Bypass get invitation link)
When we invite customers at the wholesale store there is a feature to "Send invite" and "Get invite link"; the get invite link feature displays the customer invitation link and can only be used once, but when the customer has accepted the invitation and activated their account, they already have access t...
QIWI: Subdomain Takeover on 1c-start.tochka.com pointing to unbouncepages
Actually this report is the same as this one:- https://hackerone.com/reports/38007 Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub Pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on t...
GitHub Security Lab: [go]: Add query for detecting CORS misconfiguration
This bug was reported directly to GitHub Security Lab...
Elastic: Critical || Unrestricted access to private Github repos and properties of Elastic through leaked token of Elastic employee
@prateek0490 was able to gain access to private Github repositories through a leaked Github token on bitbucket. We confirmed this token was valid, and have rotated...
Nextcloud: Lack of bruteforce protection for TOTP 2FA
Vulnerability description not provided...
Glassdoor: Reflected XSS on https://www.glassdoor.com/job-listing/spotlight
Summary: The application is vulnerable to reflected cross-site scripting attacks on the /job-listing/spotlight URI in the callback parameter. Affected URL or select Asset from In-Scope: https://www.glassdoor.com/job-listing/spotlight Affected Parameter: callback Vulnerability Type: see list below...
Acronis: Self-DoS due to template injection via email field in password reset form on access.acronis.com
Summary: Hi Acronis security team, how are you? I hope everyone is OK on the other side of the screen. I found Template Injection in https://access.acronis.com/resetpassword/new via the mail input. Steps To Reproduce: 1. Open https://access.acronis.com/resetpassword/new and enter the mail payloa...
Ian Dunn: Multiple server ssh usernames leaked in your github repository
Hi security team, while searching on GitHub I found multiple SSH usernames that belong to your organization exposed in the organization's GitHub repository. STEPS TO REPRODUCE:- 1. Go to this repository. You will see the leaked server SSH usernames...
MTN Group: cross site scripting in : mtn.bj
Summary: XSS vulnerability in mtn.bj in the file name. Steps To Reproduce: 1. Go to: https://www.mtn.bj/business/ressources/formulaires/plan-de-localisation-de-compte/?next=https://www.mtn.bj/business/ressources/formulaires/formulaire-de-souscription/ 2 - fill all inputs with any data 3 - in the file uplo...
MTN Group: Reflected Cross-Site scripting in : mtn.bj
Hello Team, I have found a Reflected XSS vulnerability in mtn.bj via the file name. Steps To Reproduce: 1. Go to: https://www.mtn.bj/business/ressources/formulaires/formulaire-dutilisation-du-service-mtn-corporate-bulk-sms/?suscribeTo=Sms-Pro 2. Enter any...
Glovo: Reflected XSS on delivery.glovoapp.com
Summary: Hi, there's a reflected XSS vulnerability present on the https://delivery.glovoapp.com/referrals/ endpoint. Steps To Reproduce: Opening the following URL should trigger the prompt window specified in the request parameters, indicating that arbitrary javascript can be injected into the...
GitHub Security Lab: [Java]: CWE 295 - Insecure TrustManager - MiTM
This bug was reported directly to GitHub Security Lab...
HackerOne: Information disclosure - Feedback is accessible on Public profile even after 'disallowed' at https://hackerone.com/settings/feedback
Summary: Hi team, I noticed one possible information disclosure scenario related to My Feedback, managed at https://hackerone.com/settings/feedback Description: In the current scenario, even after unchecking the option "Show this blurb on my profile", I can access the feedback using one POST request...
Shopify: Apache Flink Dashboard exposure at https://streaming-sales-model-production.flink.shopifykloud.com
Hi team POC 1. https://streaming-sales-model-production.flink.shopifykloud.com//overview Thanks Impact access to flink dashboard...
U.S. Dept Of Defense: SQL injection located in `███` in POST param `████████`
Hey DoD security team! I was able to exploit an SQL injection in one of your domains. Description: An SQL injection was discovered in the domain https://████████/██████ in the parameter ██████████. The SQL injection was located in a WHERE statement followed by an INT value. The vulnerable parameter...
Shopify: Theme editor `oseid` parameter is leaked to third-party services through the `Referer` header which leads to somekind of storefront password bypass.
Hello Shopify, Summary: While reading @danishalkatiri's report 997350, I remembered a report that @francisbeaudoin shared with me some time ago (mid-February 2021) about leaking the theme editor oseid parameter and being able to exploit it to a point where he was able to somewhat bypass the storefron...
Mail.ru: [allods.mail.ru] - WebCache Poisoning Host Header lead to Potential Stored XSS
An attacker can flush the web cache to inject a malicious payload in the Host header at allods.mail.ru. Example: Host: allods.mail.ru:13373"--alert1;...
Nextcloud: HEIC image preview can be used to invoke Imagick
The HEIC image preview provider calls into Imagick at https://github.com/nextcloud/server/blob/5d097ddb4b99673f57b8c085dedd93880ee2539d/lib/private/Preview/HEIC.php#L98-L109. This is bad, as Imagick processes all kinds of image types. One can use this, for example, to exfiltrate arbitrary files by...