Node.js: HTTP Request Smuggling due to ignoring chunk extensions
Summary: The llhttp parser in the http module in Node 16.3.0 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) when a Node server is put behind an Apache Traffic Server (ATS) 9.0.0 proxy. Description: In the chunked transfer encoding format...
Kubernetes: AWS Load Balancer Controller Managed Security Groups can be replaced by an unprivileged attacker
Report Submission Form Summary: When creating an Ingress of class alb, by default, AWS Load Balancer Controller creates a managed SG and attaches it to the created ALB. This SG limits which ports of the ALB are accessible by whom. An attacker is able to craft another SG that can be used to trick...
Proctorio: Universal Cross-Site Scripting vulnerability
Sector7.nl notified Proctorio that there was a universal cross-site scripting vulnerability within the browser extension on June 17th, 2021. This vulnerability was patched on June 24th, 2021. Sector7.nl and other researchers were notified on June 25th. On August 3rd, 2021 Sector7.nl confirmed the...
Semrush: Improper input validation in projects leads to fully deny access to project resources
INTRODUCTION Accounts used to search for this vulnerability: - id: █████████ email:███ - id: █████████ email: █████████ Most of the requests made to test the vulnerability were made with the "X-hackerone: adam" header IP used: ████ / ███ Endpoint URL:...
Reddit: [dubsmash] Long String in 'shoutout' Parameter Leading Internal server Error on Popular hastags , Community and User Profile
Summary: If the user input a long string in the 'shoutout' parameter of the 'CreateVideo' API then all the APIs where this video is supposed to appear eg: hashtag API, community API, and user profile API will throw 'internal server error' in the response. This will cause a denial of service attac...
Urban Dictionary: CSRF to Reflected XSS at echo.urbandictionary.biz via spoofing content type
The host was vulnerable to XSS due to the fact that it reflected any sent POST request body when the request was sent to an existing or non-existent filename with the .html extension, which spoofed the response content type to HTML...
Rockstar Games: Social Club Account Takeover Via RGL And Steam/Epic Linked Account
In this report, the researcher discovered and demonstrated a method to hijack access to a Social Club account via a previously-linked Epic Games or Steam account. To perform the attack, the attacker first needed access to a Steam or Epic Games account with entitlement to a game with Social Club...
U.S. Dept Of Defense: [CVE-2020-3452] on ███████
The following subdomain is vulnerable to CVE-2020-3452, which is an unauthenticated file read in Cisco ASA & Cisco Firepower. URL: https://████/ Vulnerable URL: https://███/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portalinc.lua&default-language&lang=../ ██████████ Resources:...
curl: CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport
Summary: libcurl's Secure Transport SSL backend fails to secure CURLOPT_SSLCERT against a current-directory file overriding the keychain nickname specified. This leads to the possibility of a locally created file overriding the CURLOPT_SSLCERT-specified certificate and thus causing denial of service...
HackerOne: Private program disclosure through notifications
Hello Team, Summary: I recently came across hackerone report: https://hackerone.com/reports/1179241 . I thought this was fixed but today I have faced a similar experience. I have received a Scope and policy update from the program "██████" which I am not part of. ████████ When I was clicking on...
MCUboot: private keys exposed on the GitHub repository
Summary: When I searched GitHub for sensitive information I found some private keys in a GitHub repository. These are a private RSA key and a private server key, which could be used for unauthorized access. Steps To Reproduce: VISIT THESE LINKS: Repository : EX:...
Bumble: Exfiltrating a victim's exact location (to within 5m)
I used Bumble's distance feature to exfiltrate the exact location to within approx 5m of a victim. I did this by using the Bumble API to move my attacker account's location around the approximate area of the victim. I was able to obtain the exact distance between attacker and victim at 3 separate...
Reddit: Domain Takeover of Reddit.ru via DNS Hijacking
Summary I discovered that Reddit.ru was vulnerable to DNS hijacking via DNS provider, Reg.ru. This would allow a malicious attacker to control the content on this domain, as well as, create email addresses associated with it... I'm going to be totally honest and say that any of us ethical hackers...
Ping Identity: Broken Link on Ping Identity's Vulnerability Submission Form on Hackerone
Summary: Ping Identity has an unclaimed broken link on their HackerOne security page which can be claimed by any malicious user, who could then exploit this issue with clever social engineering to deceive new researchers to submit their legitimate findings to the wrong hands. Similar to this...
X (Formerly Twitter): Identify the mobile number of a twitter user
Summary: By exploiting this security vulnerability we can detect the mobile number of a twitter user. Description: This security vulnerability is of type "Information disclosure"; it allows exploiting flawed behavior of the twitter system to obtain distinct responses when different error states...
Zivver: ADB Backup is enabled within AndroidManifest
In this report, it was highlighted that the ADB backup feature enabled in the Android application could be used by an attacker with physical access to the victim's device to 'migrate' data from app storage on the phone and later possibly extract secrets from that backup. For this attack to succee...
Acronis: bypass sql injection #1109311
hello dear support i have found SQL injection and bypass this case 1109311 Tests performed: 0'XORifnow=sysdate,sleep15,0XOR'Z = 20.002 0'XORifnow=sysdate,sleep6,0XOR'Z = 7.282 0'XORifnow=sysdate,sleep0,0XOR'Z = 0.912 0'XORifnow=sysdate,sleep15,0XOR'Z = 16.553 0'XORifnow=sysdate,sleep3,0XOR'Z =...
Acronis: IP restriction bypass via X-Forwarded-For header
The vulnerability allowed unauthorized access to a restricted endpoint by manipulating the X-Forwarded-For header. This resulted in information disclosure that the organization intended to keep private...
QIWI: Account Takeover through registration to the same email address
A vulnerability was discovered on the shop.tochka.com resource that leads to account takeover by registering several accounts to the same email address...
curl: CVE-2021-22925: TELNET stack contents disclosure again
Summary: CVE-2021-22898: TELNET stack contents disclosure 1176461 issue was recently reported for curl and it was addressed in curl 7.77.0: https://curl.se/docs/CVE-2021-22898.html https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde https://hackerone.com/reports/1176461...
U.S. Dept Of Defense: XSS Reflected - ██████████
Hi Team, I found a Reflected XSS. https://██████████/███onload=%22prompt1 Thanks DRauschkolb Impact XSS vulnerabilities can be used to trick a web user into executing a malicious script, potentially revealing a user's web session information or modifying web content, and even stealing cookies. System Host...
U.S. Dept Of Defense: XSS Reflected - ███
Hi Team, I found a Reflected XSS. https://██████/Telerik.ReportViewer.axd?optype=Parameters&bgColor=000000%22onload=%22prompt1 Thanks DRauschkolb Impact XSS vulnerabilities can be used to trick a web user into executing a malicious script, potentially revealing a user's web session information or...
curl: CVE-2021-22924: Bad connection reuse due to flawed path name checks
Summary: Curl_ssl_config_matches attempts to compare whether two SSL connections have identical SSL security options or not. The idea is to avoid reusing a connection that uses less secure, or completely different, security options such as capath, cainfo or certificate/issuer pinning. Unfortunately...
Nextcloud: Sensitive files/ data exists post deletion of user account
In the latest Android app, I created an account in the name of [email protected]. After a few activities, I deleted the account. Files containing user emails and tokens still exist; relevant files are not deleted upon deletion of the account. Content of files post deletion of account:...
Meredith: Shop - Reflected XSS With Clickjacking Leads to Steal User's Cookie In Two Domain
Hi Security Team, I am S Rahul, MCEH (Metaxone Certified Ethical Hacker) and a Security Researcher. I just checked your website and found Reflected XSS to Good XSS Clickjacking in Two Domains. Description: As the search parameter is vulnerable to XSS, but the plus point is there is no...
HackerOne: HackerOne making payments in USDC (Coinbase stable coin)
Summary: Hello Everyone, My name is Ariel and I’m a manager in HackerOne’s community team. As a part of a Hack Week project, HackerOne is now supporting payments via USDC, Coinbase’s stable coin. This has been a feature requested by many hackers, that we are now glad to announce as supported. Mor...
MTN Group: Blind SSRF External Interaction on https://mtngbissau.com/
Hi Security Team, I am S Rahul, MCEH (Metaxone Certified Ethical Hacker) and a Security Researcher. I just checked your website and found Blind SSRF External Interaction on https://mtngbissau.com/ What is SSRF? Server-side request forgery, also known as SSRF, is a web security vulnerability that allows...
Mail.ru: Unauthorized Access To Admin panel
Access to static files of playerone.ru admin web interface was not sufficiently restricted. There was no possibility to access admin functions. Simple Bypass: Try access playerone.ru/admin/users/ 403 : host playerone.ru 127.0.0.1 Try again 127.0.0.1/admin/users 200 OK :...
GitHub Security Lab: ihsinme: CPP Add query for CWE-1126: Declaration of Variable with Unnecessarily Wide Scope
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-295 - Incorrect Hostname Verification - MitM
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java]: CWE-730 Regex injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: ihsinme:CPP Add query for CWE-415 Double Free
This bug was reported directly to GitHub Security Lab...
Rockstar Games: Cache Poisoning DoS on updates.rockstargames.com
In this report, the researcher discovered that there was a cache poisoning weakness on updates.rockstargames.com due to an unkeyed header, trailer. By sending this header, an attacker could cause the cache to save a malformed response with status code 400. An example of such a request, as provide...
HackerOne: Report Bulk endpoint "agree-on-going-public" action may reveal Report disclosure state for invite-only programs
Hello, Hope you are doing well, SUMMARY - In hackerone a user doesn't have permission to do any action like "disclosing/undisclosing" on a disclosed report. - Here a user can send the "cancel-disclosure-request" request to the server and the server accepts the request and gives a 200 OK response with ""flash":"The...
Sifchain: 4 xss vulnerability dom based cwe 79 ; wordpress bootstrap.min.js is vulnerable
Summary: I have found a bug in your site and the bug is an xss vulnerability and it is in your wordpress bootstrap.min.js program. I also did a manual test and I got the xss vulnerability. In total I have found 4 vulnerabilities in your system, which belong to 2018 to 2019. Steps To...
Sifchain: information disclosure
Hi team, during github recon I found something and I don't know what access it has, but still I thought it would be a good idea to share this finding with you in case it can be used in a way that I don't know. What I found, link:...
Semrush: API key (api.semrush.com) leak in JS-file
The researcher found a javascript file with an API token that allowed to get internal statistics. When you access a page not found on the application, the source code of the page contains a portion of code that list a lot of javascript files. Some of these javascript files correspond to the Semru...
h1-ctf: HackerOne’s 100K CTF Writeup
Greetings team It has been a great challenge, thank you very much for the fun moments and also for the annoying ones : ██████████ P.S. I will put my writeup in my next comment. Impact ---...
Elastic: Improper authorization on `/api/as/v1/credentials/` for Dev Role User with Limited Engine Access
Summary: Dear Team, Since 1168528 was resolved, I have been checking again for other roles. At Dev Role with Limited Engine Access, a user still can access the API endpoint /api/as/v1/credentials/ to get all API keys: private-key, search-key ... Steps To Reproduce: 1 - Log in to Kibana with the admin elastic...
Nord Security: NordVPN Linux Client - Unsafe service file permissions leads to Local Privilege Escalation
The Linux package available in NordVPN's repository is affected by a permission issue in the init script and systemd unit files that allows any user on the system to execute arbitrary commands as root. Tested Version The tested version is the latest available in the repository, which is 3.10.0 and is...
U.S. General Services Administration: User information disclosed via API
Summary: It appears that the requests for "system accounts" are fully available via an API endpoint that does not require authentication. The main issue is that among the information disclosed are user emails many with gmail addresses but the individual applications also include information that...
Sifchain: Cross-site Scripting (XSS) possible at https://sifchain.finance// via CVE-2019-8331 exploitation
Summary: https://sifchain.finance is using Bootstrap framework version 4.0.0 which is =4.0.0 4. Visit https://sifchain.finance/wp-content/themes/icos/assets/js/vendor/bootstrap.min.js?ver=5.7.2 5. You'll get the Bootstrap Version, Which is v4.0.0 and its vulnerable to Cross-site Scripting XSS...
h1-ctf: Adam and the Deadly Injections
Hi team adding the flag here ███ ████ I will do the writeup in the below comments before the deadline itself Thanks Akshansh Impact...
Flickr: Open redirect GET-Based on https://www.flickr.com/browser/upgrade/?continue=
Improper validation of paths and domains allowed redirects to external domains...
GitHub Security Lab: Python: Add support of clickhouse-driver package
This bug was reported directly to GitHub Security Lab...
h1-ctf: CCC H1 June 2021 CTF Writeup
CTF Summary This was my first H1 CTF and I was excited to work with several others to collaborate on the CTF and find the flag. I'll write up the solution process and vulnerabilities involved in the solution: basic knowledge of S3 operations; XML External Entities and Local File Exfiltration; SQL...
h1-ctf: 100K CTF's Writeup
Limited disclosure based on researcher's request. Hello everyone, We are one of the winners of 100k CCC CTF and we would like to congratulate all the other winners of the CTF as well. Here is the link to our write-up https://blog.dexter0us.com/posts/ccc-h1ctf/ hope you guys enjoy reading it and...
h1-ctf: H1-CTF 100k Solution - Congratz on the 100k Rep todayisnew
Sharing the final flag for now. Writeup will come soon ██████ ██████████ Impact Takeover of admin account :...
Mattermost: Mattermost Server OAuth Flow Cross-Site Scripting
Summary: The vulnerability is a reflected Cross-Site Scripting XSS via the OAuth flow. A victim clicking a malicious link pointing to the target Mattermost host will trigger the XSS. If the victim is a regular user, it is possible to obtain all of their Mattermost chat contents; if it’s an...
h1-ctf: ccc ctf
██████████ will send detailed report later Impact can get admin credentials...