Ruby: HTTP response splitting (HTTP header injection) in Ruby's CGI library leaks secret information
PoC1:
  #!/usr/bin/env ruby
  require 'cgi'
  cgi = CGI.new
  url = "http://example.jp\r\nSet-Cookie: foo=bar;"   # External Parameter
  print cgi.header('status' => '302 Found', 'Location' => url)
Actual Result1:
  $ curl -s -i http://localhost:8080/cgi-bin/cgi.ru
  HTTP/1.1 302 Found
  Date: Fri, 21 May 2021 00:46:33 G...
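An added example, not the reporter's PoC and not code from Ruby's cgi library: it serialises a redirect header block by hand so the report's CR/LF payload can be seen splitting into an extra Set-Cookie header, and beside it the check a fixed serialiser needs (reject any header value containing CR, LF or NUL before it is written). The builder functions, the parser and the PAYLOAD constant are all constructed here for illustration.

```ruby
# Added example (not from the report or Ruby's cgi library).
# Shows how a CR/LF in a Location value splits the header block, and the
# validation a hardened header serialiser applies.

CRLF = "\r\n"

# Vulnerable: the Location value is interpolated into the header block as-is,
# so an embedded CR/LF lets the caller's external parameter add arbitrary
# headers (here Set-Cookie), which is the behaviour the report describes.
def unsafe_redirect_headers(url)
  "Status: 302 Found#{CRLF}Location: #{url}#{CRLF}#{CRLF}"
end

class HeaderInjection < StandardError; end

# Hardened: refuse CR, LF and NUL in the value before it reaches the
# serialiser. Raising is preferable to silently stripping, because a stripped
# value may still redirect somewhere the application did not intend.
def safe_redirect_headers(url)
  raise HeaderInjection, "CR/LF in Location value" if url.match?(/[\r\n\x00]/)
  "Status: 302 Found#{CRLF}Location: #{url}#{CRLF}#{CRLF}"
end

# Parse a header block the way a client or web server would, so the test can
# see which headers actually came out of each builder.
def parse_headers(block)
  block.split(CRLF).reject(&:empty?).map { |line| line.split(": ", 2) }.to_h
end

# Constructed input: the report's payload, a URL followed by a CR/LF-separated
# Set-Cookie header.
PAYLOAD = "http://example.jp\r\nSet-Cookie: foo=bar;"

if __FILE__ == $0
  p parse_headers(unsafe_redirect_headers(PAYLOAD))
  begin
    safe_redirect_headers(PAYLOAD)
  rescue HeaderInjection => e
    puts "rejected: #{e.message}"
  end
end
```

Run it directly to see the injected Set-Cookie appear as a separate header in the unsafe output and the hardened builder reject the same input.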
GitHub Security Lab: [Java] CWE-094: Rhino code injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-094: Jython code injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java]: CWE-601 Spring url redirection detect
This bug was reported directly to GitHub Security Lab...
Brave Software: DNS Leaks when using any VPN Browser extension with Brave Shield enabled
If Brave Shield is enabled alongside a VPN Chrome extension and adblocking is enabled, some DNS requests may not be forwarded through the VPN tunnel...
Nextcloud: Webauthn tokens are not removed on user deletion
1. userA has an account on serverA 2. userA enables passwordless login (webauthn) and registers a key/device 3. userA is removed from the system 4. a new user comes along and gets assigned userA as id 5. the old userA tries to login with their key 6. the old userA can see all data of the new userA...
Reddit: No Rate Limit on redditgifts gift when Adding Comment
Hi team, I hope this report will not be closed as INFORMATIVE. Summary: The add comment endpoint was improperly rate-limited, so a potential attacker could post a large number of comments, overloading the server. Description: The add comment endpoint has a speed limit, but the number is set to...
UPchieve: Session Hijacking leads to full control of account by attacker
Hi Team, I am Samprit Das, MCEH (Metaxone Certified Ethical Hacker) and a security researcher. I just checked your website and found a critical vulnerability; please read the report carefully. Description: The Session Hijacking attack consists of the exploitation of the web session control mechanism,...
Recorded Future: [https://app.recordedfuture.com] - Reflected XSS via username parameter
Steps To Reproduce: 1- Visit https://app.recordedfuture.com/live/login/?reset=x&username=xss%22%3E%3Cimg+src=x+onerror=alert(document.domain)%3E Impact: An attacker could inject malicious JavaScript to compromise users...
Nextcloud: No admin audit log for auth tokens
There seems to be no audit trail for auth tokens: creating tokens, revoking tokens, scope changes, renames, marking the token to be wiped. Impact: As auth tokens are used to access your data, having a track record of when they are created helps a lot. If you also take https://hackerone.com/reports/1193321...
Nextcloud: No admin audit entry for enabling/disabling 2FA
Related to https://hackerone.com/reports/1177353. When a user enables or disables 2FA there is no entry in the audit log. Impact: Especially disabling should probably be logged there, but account-security-related things in general should be in there...
Nextcloud: Federated share accepting/declining is not logged in audit log
In relation to https://hackerone.com/reports/1177353: 1. Enable the audit log 2. Share a file to a federated user 3. So far all looks good in the log 4. The recipient either accepts or declines the share 5. There is no line regarding this in the logs. Impact: The audit log is used to get a...
Nextcloud: Admin audit is not properly logging unsetting of expiration date
In relation to https://hackerone.com/reports/1177353: 1. Enable the audit log 2. Share a file 3. Set an expiration date; so far all looks good in the log 4. Unset the expiration date 5. See a pretty useless log line. Impact: The audit log is used to get a full trail of the actions, which is now...
Nextcloud: Ransomware protection is missing extensions, take 2
As requested in https://hackerone.com/reports/1195568 Impact So not spam ;...
U.S. Dept Of Defense: XSS trigger via HTML Iframe injection in ( https://██████████ ) due to unfiltered HTML tags
Hi team, I found an iframe injection issue which I chained to form an XSS. I found the issue in the text editor area while ███████ing the account. There is a place in the registration area where we have to give a reason for █████████. We can write our reason and edit it to look more beautiful...
Nextcloud: User deletion is not handled properly everywhere
So I came across this when going over https://nextcloud.com/compare/ and noticed the section "BUILT IN DATA-REQUEST/ACCOUNT DELETION". However, looking at this it seems this is not handled properly everywhere in Nextcloud. I understand that the GDPR etc. do consider shared data differently. For...
Aiven Ltd: Grafana RCE via SMTP server parameter injection
Summary: This report is similar to 1180653, except with a different parameter injection entrypoint. The SMTP server password configuration setting accepts newline characters. This can be used to set non-exported configuration variables. Using this CRLF injection, the renderingargs of the grafana image...
R3: Exposed Prometheus instance at prometheus.qa.r3.com
Summary Hi there, just wanted to note that all of your assets are listed as out of scope on HackerOne right now, which is a bit confusing. Nevertheless, I noticed that your Prometheus server at prometheus.qa.r3.com is exposed to the internet, which appears to let you view all of the internal...
TikTok: Bypassing authorization of linked Instagram account
A bug was found in the capability to link a user's Instagram account to their TikTok profile page, where if a user changed their Instagram username, the link on their TikTok profile would not update accordingly. We thank @ckerha for reporting this to our team...
Sifchain: clickjacking vulnerability
Summary: While performing security testing of your website I found the vulnerability called Clickjacking. Many URLs are in scope and vulnerable to Clickjacking. What is Clickjacking? Clickjacking (User Interface redress attack, UI redress attack, UI redressin...
Sifchain: Possible Database Details stored in values.yaml
The database details like username and database name are disclosed in the below mentioned file. Assuming a blank password since the password field was empty. File Location : https://github.com/Sifchain/sifnode/blob/740331dad061ee0f5a3cf3798d429f294b70f0ae/deploy/helm/block-explorer/values.yaml I...
UPchieve: CORS Misconfiguration, could lead to disclosure of sensitive information
Summary: Cross-Origin Resource Sharing misconfiguration, leading to disclosure of sensitive information. Description: An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy ...
UPchieve: Clickjacking on profile page leading to unauthorized changes
Summary: Any attacker could use iframe options to connect remotely to the real website, and he can craft his own website using the iframe options of the specific link, which can lead to unauthorized changes if the user is logged in. Steps To Reproduce: 1. Login to https://app.upchieve.org/profi...
Sifchain: Wrong Implementation of Url in https://docs.sifchain.finance/
Hello Sifchain team, here I found that there is a wrong implementation of the telegram link in https://docs.sifchain.finance/join-sifchain/sifchain-communities, which will not allow users to communicate with the Sifchain company. Steps to reproduce: 1. Go to...
GitLab: Stored XSS in custom emoji
Summary: I found a Stored XSS in the custom emoji feature. This feature hasn't been rolled out yet and needs feature flags to be set in a self-managed installation. https://gitlab.com/gitlab-org/gitlab/-/issues/231317 The problem is the code here...
UPchieve: No Valid SPF Records/don't have DMARC record
I have already reported this issue through email and the company has accepted my report. Hi, there is an issue: no valid SPF records on https://app.upchieve.org. Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears t...
U.S. Dept Of Defense: Cache Poisoning leading to Denial of Service on `www.█████████`
Hey! To be clear: this was not a test for denial of service (DoS). I accidentally came across this vulnerability when I was testing for server-side request forgery (SSRF). I have read your policy well and I was not performing any type of activity that harmed or slowed your system in any way. You can...
Sifchain: Bootstrap library is vulnerable
Summary: The identified library, bootstrap version 4.0.0, is vulnerable. Steps To Reproduce: Please upgrade to the latest version of bootstrap. Supporting Material/References: https://github.com/twbs/bootstrap/issues/28236 https://github.com/twbs/bootstrap/issues/20184 Impact: XSS was possible in th...
New Relic: GitHub Integration doesn't sanitize repository URLs which might be attacker-controlled
New Relic's integration of GitHub repos had an implicit assumption that URLs for repos would not need to be sanitized. The researcher demonstrated that an attacker can return a manually configured html_url value from an attacker-controlled server emulating the GitHub API. A victim would need to...
Sifchain: Session Token in URL
Hello Sifchain Finance Team - Greetings to you! Hope you are well and safe. MAIN URL - https://sifchain.finance/master/ URL That has to be fixed -...
Sifchain: Information Disclosure on https://rpc.sifchain.finance/
Description: Hi team, I saw the subdomain https://rpc.sifchain.finance/. When I visited this subdomain it contained many endpoints. Affected URLs: https://rpc.sifchain.finance/ PoC: Available endpoints: Endpoints that require arguments: //rpc.sifchain.finance/abci_info?...
8x8: Subdomain takeover of ████.jitsi.net
Summary █████.jitsi.net points to an AWS EC2 instance at 18.195.93.116 that no longer exists. I was able to take control of this IP address and run my own EC2 instance. I can now serve content on this domain, obtain a TLS certificate for this domain, etc. If any customers or servers are pointing ...
U.S. Dept Of Defense: [█████████] Reflected Cross-Site Scripting Vulnerability
Description: A reflected cross-site scripting vulnerability was found at ███████/██████. References Impact: XSS is a versatile attack vector which opens the door to a large number of social-engineering and client-side attacks. System Hosts ██████ Affected Products and Versions CVE Numbers Steps to Reproduce ...
U.S. Dept Of Defense: IDOR while uploading ████ attachments at [█████████]
Description: There is an IDOR vulnerability in uploading attachments to the ████ section, where an attacker can upload attachments in another user's █████████ if no attachment has been uploaded by that user. If this vulnerability is combined with a race condition, it can allow an attacker to upload...
GitLab: Clipboard DOM-based XSS
Summary: A clipboard DOM-based XSS exists on several Markdown text fields. Technical details: The app/assets/javascripts/behaviors/markdown/copy_as_gfm.js file is used to get and set GFM (GitHub Flavored Markdown) data on the clipboard in different parts of the GitLab application. If a user copies data...
U.S. Dept Of Defense: Reflected XSS at [████████]
Description: Reflected XSS was found on the URL, which can be used to steal cookies or perform any action on behalf of the user. Impact: Cookie stealing, browser hijacking, or any action performed on behalf of the victim user. System Hosts ███ Affected Products and Versions CVE Numbers...
Sifchain: Path Traversal inside saveContracts.js
Reference: https://portswigger.net/web-security/file-path-traversal Directory traversal, also known as file path traversal, is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data,...
Sifchain: Error Page Content Spoofing or Text Injection
I want to report a content spoofing or text injection at api-cryptoeconomics.sifchain.finance and market-data.sifchain.finance. Steps to reproduce: 1: Just browse this target in any browser 2: Target: https://api-cryptoeconomics.sifchain.finance/ 3: Then add any text or content after the "/", i...
GitHub Security Lab: [Java] CWE-078: Add JSch lib OS Command Injection sink
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Python] CWE-400: Regular Expression Injection
This bug was reported directly to GitHub Security Lab...
Sifchain: Sifchain Privacy Policy Webpage Uses Wordpress Default Template. Does Not Display Correct Privacy Policy.
NOTE: This report can, must and should be treated as informational! URL: https://sifchain.finance/privacy-policy/ Summary: The sifchain.finance WordPress page contains a privacy policy which is using a default template. This issue may open up potential legal disputes with website customers...
New Relic: Steal any user in your orgs private GitHub token by pointing the GH integration at an attacker controlled GHE instance
@archangel reported that a flaw in New Relic's GitHub configuration could have allowed a malicious actor to steal the private GitHub token of any user in the organization by pointing the GH integration at an attacker-controlled GHE instance...
Kaspersky: No Rate Limit On Forgot Password Page
Reported security issue allowed a potential attacker to abuse the password recovery option on our My Kaspersky portal for mass sending of password recovery messages. This was fixed with a password reset throttling feature to protect our service from its abuse by third parties. Note that this...
Nextcloud: Talk discloses turn server to anybody
The attack is straightforward. 1. Send a request: curl -H 'OCS-APIREQUEST: true' https://server/ocs/v2.php/apps/spreed/api/v2/signaling/settings and you get back a lot of information: signaling server, stun server, turn server incl. credentials. The stun server is harmless enough. I did not lo...
Nextcloud: Ransomware protection is missing extensions
So again I'm not sure if this is in scope. However, you do advertise this on your enterprise pages, so I assume so. In any case, it seems your ransomware protection app is missing some common extensions. See for example...
Sifchain: Wrong URL on main page of sifchain.finance
Hello Sifchain team, I found that all the social media buttons are working properly except the telegram button on the main page of sifchain.finance. A misconfigured button can create a bad reputation for a company, and a genuine customer could not reach the company through the misconfigured...
Sifchain: Found a URL in source code which was disclosing juicy information like IP addresses and available endpoints
Summary: I found a link in the "https://github.com/Sifchain/sifnode/blob/develop/deploy/rake/cluster.rake" page which was exposing IP addresses and different endpoints which could be misused by hackers. Link is https://rpc.sifchain.finance/ Steps To Reproduce: 1. Visit https://rpc.sifchain.finance/...
Sifchain: No Rate Limit protection in user subscription form
Summary: Hello, I found that your form where a user can subscribe for updates has no rate limit protection. Steps to reproduce: 1. Visit http://sifchain.finance, move to the subscribe form and enter an email 2. Click on the sign-up button 3. Use Burp Suite to intercept the request and send it to Intruder 4. Clear...
Sifchain: Information Disclosure at one of your subdomain
Dear Team, hope you are doing very well and safe. I was looking into your application and found some bugs in your application which disclose internal ports and also the IPs. That can lead an attacker to do lots of serious attacks. Please verify: https://rpc.sifchain.finance/...
Reddit: User account has been taken over
By using brute force with random passwords, we have succeeded in taking over the account. Impact: Account can be taken over...