Mail.ru: Exposed Golang debugger on tier3.riot.mail.ru:9090, 9080
Summary Hi there, the Golang pprof debug interface is exposed on tier3.riot.mail.ru:9090 and port 9080. This allows introspection of stack traces, application timing, memory usage, command line parameters, and allows triggering GC pauses, which allows a denial-of-service via repeatedly triggering...
MTN Group: Reflected Cross Site Scripting Cisco ASA on myvpn.mtncameroon.net CVE-2020-3580
The Cisco ASA Adaptive Security Appliance and Cisco Firepower Threat Defense (FTD) Software were found to contain vulnerabilities in their web services interface. These vulnerabilities could have allowed an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user ...
TikTok: TikTok 2FA Bypass
Vulnerability description not provided...
Nextcloud: Text app leaks file path of shared files
By sending a request for a share without a README.md, the whole file path will be returned to the user: PUT /apps/text/public/session/create?token=EHTs4P7kATowiMg HTTP/1.1 Host: cloud.nextcloud.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 Accept...
Homebrew: clickjacking at brew.sh
Hello, while performing security testing of your website I found the vulnerability called Clickjacking. The URL is in scope and vulnerable to Clickjacking. What is Clickjacking? Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a...
Elastic: [Swiftype] - Stored XSS via document field `url` triggers on `https://app.swiftype.com/engines/<engine>/document_types/<type>/documents/<id>`
Dear Team, I have found a stored XSS when creating a document via an API-based engine. The XSS payload is stored in the url field. To understand the document schema for an API-based engine, please go to https://swiftype.com/documentation/site-search/guides/schema-design#api-based After indexing a document with...
Zenly: Account Takeover via SMS Authentication Flow
Summary: During the authentication flow, an SMS is sent to the user in order to validate the session and proceed to the user account. The way Zenly API handles this flow is by: 1. Calling the /SessionCreate endpoint with the mobile phone number of the user. 2. A session for the user is created an...
Zenly: Friend Request Flow Exposes User Data
Summary: When submitting a friend request to a user, Zenly will allow access to their phone number regardless of whether the friend request is accepted or not. To obtain this information, a malicious actor only needs to know their username. Steps To Reproduce: To reproduce this issue, an...
Shopify: A non-privileged user may create an admin account in Stocky
Summary: A non-privileged Stocky user created within Stocky may be able to create a new admin user. Steps to reproduce: 1. Create a non-privileged user in Stocky; don't give admin privileges to that user. 2. Log in with the non-privileged user and go to https://stocky.shopifyapps.com/users/me, updat...
Acronis: No Rate Limit On Forgot Password Page
Summary: A little bit about rate limiting: a rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: To...
Acronis: CSS Injection via Client Side Path Traversal + Open Redirect leads to personal data exfiltration on Acronis Cloud
Summary: Hi team, I hope everything goes well. I have found a CSS Injection in the Acronis Cloud Management Console (https://mc-beta-cloud.acronis.com/mc) via the colorscheme GET parameter. Description: The flow works as I will comment below. If we go to the URL...
Urban Company: Exposed data of credit card details to hacker or attacker.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Name of Vulnerability:...
U.S. Dept Of Defense: XSS DUE TO CVE-2020-3580
Hello Team, during my research I found the following host to be vulnerable to CVE-2020-3580, which is a POST-based XSS. Vulnerable URL: https://████/+CSCOE+/saml/sp/acs?tgname=a Impact: Attackers can steal cookies and even take over accounts and perform different malicious activities. System Hosts ██...
Basecamp: Error Page Content Spoofing or Text Injection
Target: https://gopher.hey.com/ Description: Content spoofing, also referred to as content injection, "arbitrary text injection" or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle...
U.S. Dept Of Defense: XSS DUE TO CVE-2020-3580
Hello Team, during my research I found the following host to be vulnerable to CVE-2020-3580, which is a POST-based XSS. Vulnerable URL: https://█████/+CSCOE+/saml/sp/acs?tgname=a Impact: Attackers can steal cookies and even take over accounts and perform different malicious activities. System Hosts █...
Khan Academy: Client Side string length check
A client-side string length check vulnerability allowed an attacker to save excessively long strings in the "Class Settings" page on khanacademy.org, potentially causing various issues such as content manipulation, page template breaking, and crashing for low-memory visitors...
MTN Group: XSS at videostore.mtnonline.com/GL/*.aspx via all parameters
PoC https://videostore.mtnonline.com/GL/MyAccount.aspx?PId=126&CID=5&OprId=11%27 Symbols are not filtered, which allows injecting HTML code. F1353609 Impact: XSS at videostore.mtnonline.com...
MTN Group: XSS at http://nextapps.mtnonline.com/search/suggest/q/{xss payload}
PoC http://nextapps.mtnonline.com/search/suggest/q/xss1337 Symbols are not filtered, which allows injecting HTML code. The response has content-type: text/html F1353600 Impact: XSS at nextapps.mtnonline.com...
U.S. Dept Of Defense: CUI labeled and ████ and ██████ Restricted ██████ intelligence
Description: A file labeled with the following "Data is for intelligence purposes only and is not to be used for targeting. This data is classified as CUI. Controlled by: ██████████ ███████ " References...
U.S. Dept Of Defense: RXSS ON https://██████████
Description: Cross-Site Scripting XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differe...
Glassdoor: Reflected XSS on https://help.glassdoor.com/GD_HC_EmbeddedChatVF
Hi there, I have found an XSS vulnerability at: https://help.glassdoor.com/GD_HC_EmbeddedChatVF Browsers tested: Firefox, Chrome, Edge, latest versions. Steps To Reproduce: Go to: https://help.glassdoor.com/GD_HC_EmbeddedChatVF?FirstName=l0cpd%22;a=alert,b=document.domain,ab// Supporting...
U.S. Dept Of Defense: CUI labeled and ████ Restricted pdf on █████
Description: A file labeled with the following "CONTROLLED BY: ██████████ CUI ████: ███ ████████" was discovered, and based on public information ███████ CUI marking it appears it shouldn't be publicly available either. If I am wrong about the markings please correct me. References...
Mattermost: DoS via large console messages
Summary: When server console logging is enabled, it's possible to cause a complete denial of service to the server by submitting large text (64KB) that gets output in the console log. This causes the server to become unavailable for all users. Steps To Reproduce: I set up my environment following t...
U.S. Dept Of Defense: ███████ - XSS - CVE-2020-3580
████ appears to be affected by the Cisco ASA XSS CVE-2020-3580. This vulnerability targets the SAML service within the VPN. It is triggered via a POST request to /+CSCOE+/saml/sp/acs?tgname=a References...
Reddit: No Password Length Restriction leads to Denial of Service
Hey, when I tried to set the password while creating an account I noticed that you haven't kept any password limit. You need to decrease the password length: there are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource consumption on behalf of...
HackerOne: Report Duplicate Detector can match deleted and draft reports, may disclose title and vulnerability information
When a Report is submitted on HackerOne.com, a feature called the Report Duplicate Detector helps program members and triagers find potential duplicates of the submitted report. This feature will match against all reports that were submitted to the program. When the feature was introduced, all...
MyEtherWallet: PIN bypass
Summary: The MEW APK has an improper rate limit. When we try to brute force the PIN, we are rate limited for 5 minutes after 5 or 6 attempts. In my testing I found that it was checking the device's local time, so by changing it we can brute force the PIN. Steps To Reproduce: 1. Install the MEW app from Play...
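Both the Acronis forgot-password report (no rate limit, HTTP 429 expected) and the MEW PIN report (lockout keyed to the device's local clock) come down to the same control: an attempt counter kept on the server, timed by the server's own clock. The block below is an added example, not code from either report or either vendor; the class and function names (AttemptLimiter, forgot_password_response) and the keys are hypothetical. The `client_reported_time` parameter exists only to show that a correct limiter ignores it.

```python
"""Server-side attempt limiter for password-reset and PIN flows (added example)."""
import time
from collections import deque


class AttemptLimiter:
    """Sliding-window limiter: at most max_attempts per key per window_seconds.

    The clock is injected so the behaviour can be tested; in production it is
    time.monotonic on the server. A timestamp supplied by the client is never
    consulted, which is the defect behind the device-clock bypass in the MEW report.
    """

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._clock = clock            # server-side clock only
        self._hits = {}                # key -> deque of server timestamps

    def _prune(self, key, now):
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()                # drop attempts that fell out of the window
        return q

    def check(self, key, client_reported_time=None):
        """Return (allowed, retry_after_seconds). client_reported_time is ignored on purpose."""
        now = self._clock()
        q = self._prune(key, now)
        if len(q) >= self.max_attempts:
            return False, int(self.window - (now - q[0]))
        return True, 0

    def record(self, key):
        """Count one attempt against key using the server clock."""
        now = self._clock()
        self._prune(key, now).append(now)


def forgot_password_response(limiter, ip, email):
    """Hypothetical handler: every reset request counts, throttled ones get 429 + Retry-After."""
    key = f"{ip}|{email.lower()}"      # limit per source IP and per target account
    allowed, retry_after = limiter.check(key)
    if not allowed:
        return 429, {"Retry-After": str(retry_after)}
    limiter.record(key)
    return 202, {}


if __name__ == "__main__":
    lim = AttemptLimiter()
    for _ in range(6):
        print(forgot_password_response(lim, "203.0.113.5", "victim@example.com"))
```

Keying on both the source address and the target account matters: an attacker rotating IPs still hits the per-account limit, and a single noisy client does not lock every account it names.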
Basecamp: Information Disclosure: .htaccess accessible to the public
Hello team! While doing a preliminary recon on the subdomain of "launchpad.37signals.com" I've come across a few sensitive files that should not be facing the public web; I'll leave you a list organized by criticality and some proof. Information disclosure of path .htaccess on the subdomain of...
Mail.ru: Information disclosure (email, numbers, agreements, admin sessions and more ...) through a PostgreSQL database belonging to legium-back.corp.mail.ru
Reported a vulnerability in legium.io cloud service, which is not part of Mail.Ru. legium.io is located outside the Mail.Ru infrastructure and does not have access to our company's product data. According to the rules in this case the service refers to Ext.O Third party project. While legium.io...
GitHub Security Lab: C++: Support Pqxx connector to search for sql injections to Postgres
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: CodeQL query for unsafe RMI deserialization
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: ihsinme: CPP Add query for CWE-783 Operator Precedence Logic Error When Use Bool Type
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [JavaScript]: CWE-1004: Sensitive cookie without HttpOnly
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [GO] CWE-1004: Sensitive cookie without HttpOnly
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java]: CWE-502 Add UnsafeDeserialization sinks
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] BeanShell Injection
This bug was reported directly to GitHub Security Lab...
Urban Company: Insufficient Session Expiration
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Name of Vulnerability:...
Nextcloud: ApiService#fetch serves content as text/html and inline Content-Disposition
https://github.com/nextcloud/text/blame/0bc7c3300607d57ee512dbf61497daec23961a12/lib/Service/ApiService.php#L109-L120 Impact: XSS...
Acronis: FULL SSRF
Hello dear support, I have found a full SSRF on https://summit.acronis.events. Steps: 1. go here: https://summit.acronis.events 2. log in to the website 3. open this link...
Reddit: hardcoded api secret & api key in com.reddit.frontpage
Hi security team, in file Resources/Resources.arsc/res/values/strings.xml I have found ███ ███. It shouldn't be disclosed to third parties; it is meant for developers, as per https://developer.twitter.com/en/docs/authentication/oauth-2-0/bearer-tokens PoC: curl --user "██████:███" --data...
Mail.ru: Stored XSS on top.mail.ru
Stored XSS via incorrect handling of http page headers on top.mail.ru at created counters...
HackerOne: Mishandling of hackerone clear background checks resulting in disclosure of other hacker's information
Summary: Mishandling of hackerone clear background checks resulting in disclosure of other hacker's information . Description: I received a hackerone clear invite for "█████" I am not █████. There appears to be some kind of off by one error or similar problem with the hackerone clear invites! fir...
MTN Group: information disclosure via log files at ==> https://ihelp.mtnbusiness.com/logfiles/Log_21-06-2021.txt
Hi MTN team, I got a 500 error showing the full path of the Windows server containing the log file of today. I navigated to it: https://ihelp.mtnbusiness.com/logfiles/Log_21-06-2021.txt I saw all logins I made with user administrator. As you see, the log files are named by date, Log_21-06-2021.txt; you can read...
Urban Company: Broken Link on Urban Company's Vulnerability Submission Form
Summary: - Urban Company has an unclaimed broken link on their HackerOne security page which can be claimed by any malicious user. The malicious user can then exploit this issue to deceive new researchers into submitting their legitimate findings to the wrong hands. Steps To Reproduce: 1. Visi...
Weblate: No rate Limit on Add new Translation Project
An attacker is able to create unlimited translation projects, which leads to no more project names for the users who want to create a new project on hosted.weblate.org. Below is the POC video, which you can go through. Impact: Other users can't use the project names they wanted and the attacker can occupy space...
Node.js: HTTP Request Smuggling due to accepting space before colon
Summary: The llhttp parser in the http module in Node 16.3.0 accepts requests with a space (SP) right after the header name, before the colon. This can lead to HTTP Request Smuggling (HRS). Description: When Node receives the following request: GET / HTTP/1.1 Host: localhost:5000 Content-Length : 5 hel...
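The smuggling risk in the Node.js report comes from two parsers framing the same bytes differently. The block below is an added example, not code from the report or from llhttp: a minimal Content-Length-only framer with three hypothetical header-name policies. "reject" follows RFC 7230 section 3.2.4 (whitespace between the field name and the colon is rejected); "literal" keeps the padded name, so "Content-Length " never matches Content-Length; "lenient" strips the space, which is the behaviour the report describes. The request bytes are constructed for the demonstration and extend the report's example with a second request appended to the stream.

```python
"""Framing one HTTP/1.1 byte stream under three header-name policies (added example)."""
import re

# RFC 7230 "tchar": the only bytes allowed in a header field name
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class BadRequest(Exception):
    """Raised where a real server would answer 400 and close the connection."""


def parse_headers(block: bytes, mode: str) -> dict:
    """Parse CRLF-separated header lines into {lowercased name: value}."""
    headers = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadRequest("header line without colon")
        if name != name.rstrip(b" \t"):              # whitespace before the colon
            if mode == "reject":
                raise BadRequest("whitespace before colon (RFC 7230 3.2.4)")
            if mode == "lenient":
                name = name.rstrip(b" \t")            # what the report describes
            # "literal": keep the padded name; it will not match Content-Length
        if mode != "literal" and not TOKEN.match(name):
            raise BadRequest("invalid header name")
        headers[name.lower()] = value.strip()
    return headers


def frame_requests(stream: bytes, mode: str):
    """Split a raw stream into (request_line, body) pairs using Content-Length only."""
    out = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            raise BadRequest("incomplete headers")
        request_line, _, header_block = stream[pos:end].partition(b"\r\n")
        headers = parse_headers(header_block, mode)
        length = int(headers.get(b"content-length", b"0"))
        body_start = end + 4
        out.append((request_line.decode(), stream[body_start:body_start + length]))
        pos = body_start + length
    return out


# Constructed stream: the report's request followed by a second request.
STREAM = (
    b"GET / HTTP/1.1\r\nHost: localhost:5000\r\nContent-Length : 5\r\n\r\n"
    b"helloGET /admin HTTP/1.1\r\nHost: localhost:5000\r\n\r\n"
)

if __name__ == "__main__":
    for mode in ("lenient", "literal", "reject"):
        try:
            print(mode, frame_requests(STREAM, mode))
        except BadRequest as exc:
            print(mode, "400:", exc)
```

A front end in "literal" mode hands the back end a stream it thinks holds two requests, `GET /` with no body and `helloGET /admin`; a "lenient" back end consumes `hello` as the body of the first request and then sees `GET /admin` as a clean second request. That disagreement is the desync; the "reject" policy is the only one that cannot be desynchronised on this input.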
Unikrn: Open URL Redirection
Open URL Redirect. Steps To Reproduce: 1. Go to the following link & register for a new account: https://unikrn.com/██████ 2. After registering it will redirect to example.com. Reference: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet Impact: The attacker can force the user to...
WordPress: wp-embed XSS on Safari
An XSS vulnerability was discovered in the open embed auto discovery function of WordPress. The vulnerability allowed an attacker to execute malicious JavaScript code by embedding a blog post on a victim's WordPress site. The vulnerability affected Safari browsers and potentially other browsers...
Kubernetes: AWS Load Balancer Controller can be used by an attacker to modify rules of any Security Group that they are able to tag
Report Submission Form Summary: The IAM policy of the AWS Load Balancer Controller allows it to modify rules of any SG on the AWS account. This is legitimately used to manage Security Groups created by the controller when an Ingress resource doesn't explicitly specify an SG. Annotations can be added to the...
Internet Bug Bounty: Fragmentation and Aggregation Flaws in Wi-Fi
I discovered three design flaws in the Wi-Fi standard and widespread related implementation flaws (see GitHub overview and test tool). Here I'll specifically cover open source software. These findings have not received bug bounties from other sources. Implementation flaws allowing trivial packet...