15267 matches found
Nextcloud: High memory usage for generating preview of broken image
When the attached file is uploaded and a preview is generated, e.g. in the folder overview of the files app, the PHP process allocates a very large amount of memory (on my machine it was briefly around 5 GByte) and CPU. Tested with latest master 1366b35081f1d92429787696f4175c19a602858a on Ubuntu 20....
GitLab: Stored-XSS in merge requests
Summary As an attacker I could do XSS on Web.com because it is vulnerable. Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Steps to reproduce 1. Go to https://gitlab.com/ 2...
Adobe: DOM XSS on www.adobe.com
Thank you @saajanbhujel for your contributions and we look forward to collaborating with you again in the future!...
U.S. Dept Of Defense: Reflected XSS - https://███
Greetings, I just found an XSS vulnerability on a page of one of your websites URL : https://████=%22%3E%3Cscript%3Ealert1%3C/script%3E https://███="alert1 By the way, could you look at my "duplicated" report when it is not? I don't mean any disrespect, but this is not the same page. thank you -...
Shopify: Exposed Cortex API at https://cortex-ingest.shopifycloud.com/
Hi there, to be honest this is the first time I have seen this type of asset, but I think it is interesting/not supposed to be exposed. There is a Cortex metrics server running without authentication on https://cortex-ingest.shopifycloud.com/. This allows us to see the config for the server, call...
Nextcloud: Missing brute force protection on OAuth2 API controller
Vulnerability description not provided...
Stripe: HTML Injection in the Invoice memos field
The memo field in customer invoices on Stripe was vulnerable to HTML injection, allowing an attacker to create a login form and steal a victim's login credentials through the auto-save functionality of their browser. This could result in the takeover of a victim's account...
Reddit: Open Redirect on www.redditinc.com via `failed` query param
Hello dear support, I have found the issue on https://www.redditinc.com/ama HTTP request POST /ama HTTP/1.1 Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw Cookie:...
Yoti: PIN 📌 BYPASS 🥷
Summary: 983980808 IOS App has improper rate limit. When we try to brute force the PIN, we are rate limited for 5 minutes after 5 or 6 attempts. In my testing I found that it was checking the device's local date / time, so by changing it we can brute force the PIN. Steps To Reproduce: 1. Install...
Shopify: Create free Shopify application credits.
Details According to docs available at https://shopify.dev/api/admin/rest/reference/billing/applicationcredit, appCreditCreate is used to issue credits to merchants that can be used towards future app purchases in Shopify. I believe appCreditCreate mutation shouldn't be accessible to store owners...
Uber: CVE-2020-3452 - unauthenticated file read on anyconnect.routematch.com
The CISCO ASA instance at anyconnect.routematch.com was vulnerable to CVE-2020-3452, allowing an unauthenticated attacker to retrieve arbitrary files on the local filesystem...
Mail.ru: Hijacking of the photo-test.gb.ru domain (possibly)
photo-test.gb.ru subdomain was delegated to webflow.com, which is vulnerable to takeover...
GitLab: Stored XSS in main page of a project caused by arbitrary script payload in group "Default initial branch name"
Summary A stored XSS exists in the main page of a project. By changing the "default branch name" of a group a malicious user can inject arbitrary JavaScript into the main page of a project. Any user that is either at least developer of the project, or an administrator of the GitLab instance, and...
MTN Group: HTML injection in email content during registration via FirstName/LastName parameter
Summary: Hi, I just found an issue when registering an account at https://mtnmobad.mtnbusiness.com.ng//auth/registerUser It allows an attacker to inject malicious text, including HTML code, in email content. Steps To Reproduce: 1. Go to https://uat.id.manulife.ca/mortgagecreditor/register?uilocales=en-CA. ...
Acronis: Subdomain takeover of main domain of https://www.cyberlynx.lu/
Summary Hi Acronis Security Team, Hope you are well. I found one of your subdomains which is www.cyberlynx.lu One of your acquisitions is pointing towards www.cyberlynx.lu canonical name = www118.wixdns.net. www118.wixdns.net canonical name = balancer.wixdns.net. balancer.wixdns.net canonical name =...
Shopify: Blog posts atom feed of a store with password protection can be accessed by anyone
Hi shopify, DESCRIPTION I found an issue with the blog posts atom feed of a shopify store. So without a password we can't access the blog post atom feed at https://yourstore.myshopify.com/blogs/news.atom . But this can be bypassed to access the atom feed of the blog posts. For example try out this. I have...
HackerOne: PII data Leakage through hackerone reports
Summary: I found PII data leakage through the HackerOne report. I found a link in one of the disclosed reports that allowed me to get the address and phone numbers of security researchers. Here I got the address and phone number of ████ ███ Vulnerability Name: PII data Leakage through Steps to...
MCUboot: private keys exposed on the GitHub repository
Summary: When I searched GitHub for sensitive information I found some private keys in a GitHub repository. These are a private RSA key and a private server key, which could be used for unauthorized access. Steps To Reproduce: VISIT THESE LINKS: Repository : EX:...
Mail.ru: Blind Stored XSS and CORS misconfiguration in the "Events" report of the top.mail.ru service
Details: Before starting, I would like to note that the XSS rules say "including privilege escalations within the product are accepted without bounty"; however, the victim's cookies obtained this way are not tied to the product domain top.mail.ru. Here is an example, Cookies: ██████████ Domain, site,...
Basecamp: Domain Takeover [3737signals.com]
Hi, While I was analyzing the Basecamp3 Android app I found 3737signals.com in the source code; as I understand, you are passing it to the intent to view it in some case. F1368921 When I opened it in the browser I got a DNS error saying the domain name does not exist F1368922 As you can see at the botto...
Mattermost: Specially crafted message request crashes the webapp for users who view the message
A specially crafted message request with a modified deletedat JSON parameter could crash the webapp for all users viewing the channel, or for anyone viewing a different channel if they switch to that channel afterward. This vulnerability could be exploited to prevent users from accessing a channe...
TikTok: CSRF Account Takeover
A Cross-Site Request Forgery (CSRF) vulnerability was found on a TikTok endpoint which could have resulted in a full account takeover. We thank @s3c for reporting this to our team and confirming its resolution...
VK.com: XSS in product selection.
Insufficient validation of fields in products...
U.S. Dept Of Defense: XSS on ███
Hi, I found XSS on ██████████ IP Enumeration ████ Go to https://███/+CSCOE+/logon.html?a0=15&a1=&a2=&a3=1, intercept the request with Burp Suite and send it to Repeater, then edit the request to be like this: GET /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1 Host: ██████████ User-Agent: Mozilla/5.0 Windows ...
U.S. Dept Of Defense: XSS on https://███████/██████████ parameter
PoC https://███████/███ Parameter 'xxslots' must be invalid Payload xss%22%20tabindex%3d1%20autofocus%20onfocus%3d%22alert ███████ Impact XSS on https://███████/ System Hosts ██████████ Affected Products and Versions CVE Numbers Steps to Reproduce Go to XSS on https://██████/██████████ Suggested...
Judge.me: HTML INJECTION (STORED)
Vulnerability description not provided...
U.S. Dept Of Defense: XSS on https://██████/███ via █████ parameter
PoC https://██████████/███████████=███████" ████████ Impact XSS at https://█████████/ System Hosts █████████ Affected Products and Versions CVE Numbers Steps to Reproduce Go to https://████/██████████████████=████" Suggested Mitigation/Remediation Actions...
U.S. Dept Of Defense: XSS on https://████████/████' parameter
PoC https://█████/██████████ ███████ Impact XSS on https://████/ System Hosts ███ Affected Products and Versions CVE Numbers Steps to Reproduce Go to https://██████/███ Suggested Mitigation/Remediation Actions...
U.S. Dept Of Defense: XSS on https://████/ via ███████ parameter
PoC https://████████/██████=█████████%22%20o%3Cbr%3Enfocus=confirm1337%20autofocus%20tabindex=1%20xss Payload onfocus=confirm1337 autofocus tabindex=1 xss WAF bypass Tags are removed from user input. It is possible to bypass the WAF. ███ Impact XSS on https://████████/ System Hosts ███ Affected Produc...
Acronis: Acronis True Image Local Privilege Escalation Due To Race Condition In Application Verification
Summary The Acronis True Image application has a SUID binary "Acronis True Image" that starts another binary "console" in the same directory. The SUID binary does some checks on "console" before it is run to make sure the correct binary is being run. By using a hardlink to the SUID binary we can...
BlackRock: Open redirect by the parameter redirectUri in the URL
The following URL is vulnerable to an open redirect; it will redirect to google.com https://www.blackrock.com/authplatform/user/activate-success?redirectUri=https://google.com After clicking on "return to site" it will be redirected to the page Steps To Reproduce: Enter on this link...
Glassdoor: CSS injection via link tag whitelisted-domain bypass - https://www.glassdoor.com
Summary: It is possible to load an arbitrary .css file, bypassing the protections by adding the domain https://www.glassdoor.com in a parameter/path. Affected URL or select Asset from In-Scope: -...
New Relic: Verification Link not expiring leading to Account Takeover.
@bbunnny reported that verification links that are sent out on account creation can be used to access a victim's account until those links have expired. As access to those links requires that an attacker have access to the victim's email, this issue is out of scope for our program...
LY Corporation: Missing ownership check in 2FA for secondary client login
Secondary clients such as LINE for Windows/Mac require 2FA at first login. However, due to insufficient verification logic on the server side, the attacker was able to bypass 2FA after succeeding at QR login by tricking the victim into clicking a specially crafted URL...
GitHub Security Lab: [Java]: CWE-665 Insecure environment during RMI/JMX Server initialisation - All for one bounty
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] JShell Injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java]: CWE 295 - Insecure TrustManager - MiTM
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-918: Added URLClassLoader and WebClient SSRF sinks
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: SQL injection my method -1 OR 3*2*1=6 AND 000159=000159
URL: https://█████ Parameter: ███ Attack Details JSON input █████ was set to -1 OR 3*2*1=6 AND 000159=000159 Tests performed: -1 OR 2+159-159-1=0+0+0+1 = TRUE -1 OR 3+159-159-1=0+0+0+1 = FALSE -1 OR 32 FALSE -1 OR 320+5+159-159 = FALSE -1 OR 2+1-1+1=1 AND 000159=000159 = FALSE -1 OR 32=5 AND...
Tor: Tor Browser using --log or --verbose logs the exact connection time a client connects to any v2 domains.
Summary: A vulnerability in the Tor Browser 78.11.0esr and below allows a local or physical attacker to view metadata about v2 domains, namely the exact timestamp that a user connected to a v2 onion address while using either the --log or --verbose command line options. A local or physical attack...
U.S. Dept Of Defense: Cross site scripting
Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. Impact Malicious...
Stripe: Email change or personal data change on the account.
@dk82hg found the email change flow on indiehackers.com was vulnerable to an insecure direct object reference (IDOR) which allowed an attacker to change the email associated with a user account to one they owned and ultimately take over a victim's account in certain situations. A fix was shipped to...
Kubernetes: Authenticated kubernetes principal with restricted permissions can retrieve ingress-nginx serviceaccount token and secrets across all namespaces
Summary: Retrieving ingress-nginx serviceaccount token. ingress-nginx allows adding custom snippets of nginx configuration to Kubernetes ingress objects. These snippets can be applied to either the relevant location or server blocks with the following annotations, respectively...
U.S. Dept Of Defense: Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM. Impact An unauthenticated, 3rd-party attacker or adversary can execute remote code Supporting Material/References - https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464 System...
Brave Software: Brave Browser permanently timestamps & logs connection times for all v2 domains ~/.config/BraveSoftware/Brave-Browser/tor/data/tor.log
Summary: A vulnerability in the Brave Browser v1.28.43 and below allows a local or physical attacker to view the exact timestamps that a user connected to a v2 onion address. A local or physical attacker could read ~/.config/BraveSoftware/Brave-Browser/tor/data/tor.log and identify the exact moment a...
TikTok: Information Disclosure on TikTok Unplugged Site
An attacker could have retrieved information such as a list of installed packages and their versions due to improper information disclosure on the TikTok Unplugged site. We thank @nanwn for reporting this to our team and confirming the resolution...
Slack: Misuse of groups feature allows workspace members to join private channels without being invited
@kmap alerted us to an issue that would have allowed workspace members to join private channels through misuse of our User Groups feature. The bug was fixed on the next day, and Slack notified the few customers with users matching the conditions in the report. Many thanks to @kmap for reporting...
Engel & Völkers Technology GmbH: HTML Injection in Email
Description: Hi team I have found an HTML Injection vulnerability in your system. Steps to Reproduce: 1. Navigate to https://seller-pages.engelvoelkers.com/ 2. Go to the bottom of the webpage and click on the message box at the right corner. 3. Fill out the form and enter the HTML payload in First Name an...
U.S. Dept Of Defense: Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
A vulnerability in ForgeRock OpenAM allowed unauthenticated remote code execution due to unsafe Java deserialization in the Jato framework. The vulnerability, tracked as CVE-2021-35464, could be exploited by sending a crafted request to the /openam/ccversion/Version endpoint with a malicious...
U.S. Dept Of Defense: Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM. Supporting Material/References - https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464 Impact An unauthenticated, 3rd-party attacker or adversary can execute remote code System...