FetLife: Specific Payload makes a User's Posts unavailable
Good Morning, Like we talked about in the email, I'm reporting an issue that I've found that is possible, by crafting a specific payload, other users that try to access /posts of a user will face the 500 Internal Server Error issue, not only when they access the specific crafted post. With this,...
curl: CVE-2021-22898: TELNET stack contents disclosure
Summary: lib/telnet.c suboption function incorrectly checks for the sscanf return value. Instead of checking that 2 elements are parsed, the code also continues if just one element matches: if(sscanf(v->data, "%127[^,],%127s", varname, varval)) As such it is possible to construct environment values that...
MariaDB: Git Config
Hey Team, I am a Security Researcher and I have found that one of your domains is leaking the git file, which may lead to the source code of the git repository being exposed, which can lead to sophisticated attacks, so kindly remove it. Vuln URL - http://foundation01.mariadb.org/.git/config BEST, ABHINAV SHARMA -...
Sifchain: Clickjacking misconfiguration bug
Hi team, While performing security testing of your website I have found the vulnerability called Clickjacking. Many URLs are in scope and vulnerable to Clickjacking. What is Clickjacking? Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of...
Sifchain: Email Spoofing bug
Hi team, An SPF/DMARC record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF/DMARC record is to prevent spammers from sending messages on behalf of your organization. Remediation: Create...
U.S. General Services Administration: [Transportation Management Services Solution 2.0] Improper authorization at tmss.gsa.gov leads to data exposure of all registered users
Summary: Hi team! I hope you are having a great Tuesday : Where: https://tmss.gsa.gov/ Who: Unauthenticated users Why: Improper Access Control at /tmssserver/api/public/customerregistration/:id/userId/ I found an endpoint /tmssserver/api/public/customerregistration/:id/userId/ at...
GitHub Security Lab: [Java] Query for detecting Jakarta Expression Language injections
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: JSONP Injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-094: Query to detect Groovy Code Injections
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: ihsinme: CPP Add query for CWE-691 Insufficient Control Flow Management When Using Bit Operations
This bug was reported directly to GitHub Security Lab...
UPchieve: Full account takeover of any user through reset password
Summary: Hi Security team members, Usually, if we reset our password on https://app.upchieve.org we get a password reset link in the email. And through that password reset link, we can reset our password. But, I noticed that if we add another email in the request of forgot password...
EXNESS: Access control vulnerability (read/write)
Horizontal privilege escalation that could be used to gain read/write access to some resources not associated with the current user...
Logitech: Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com]
Hi Security team, Summary: I was able as Administrator to change the account owner access token Description: As Administrator I have high privileges but I have some restricted areas F1278364 For example I got an invitation from MrX with Administrator role. When I navigated to MrX account as...
EXNESS: Access control vulnerability (read/write)
Horizontal privilege escalation that could be used to gain read/write access to some resources not associated with the current user...
U.S. Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI (CVE-2019-18935)
Description: https://██████/██████████/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system. References...
Nextcloud: index.php/apps/files_sharing/shareinfo endpoint is not properly protected
When federated shares between two Nextclouds are created they do not use standard webdav to communicate. But to obtain the filelist they seem to use the SERVER/index.php/apps/files_sharing/shareinfo endpoint. Unlike the other endpoint for tokens like public link shares. There is no brute force...
Nextcloud: Trusted server shared secret stored unencrypted in the database
The attack vector here is that somebody gets their hands on your database. When two servers have added each other as trusted server they exchange a shared secret token. With this token they can sync down each other's user lists. However it seems that this token is stored in plain text in the...
U.S. Dept Of Defense: S3 bucket listing/download
It's possible to get a listing and download every file in the S3 bucket ██████████ and ███████ . Supporting Material/References https://hackerone.com/reports/278191 Impact An attacker can download files that are not intended to be public, both buckets are very big. An attacker can increase...
U.S. Dept Of Defense: Reflected XSS at www.███████ at /██████████ via the ████████ parameter
Description: The www.████████ site is using ████, which is vulnerable to reflected XSS in the /█████ component via the █████████ parameter. References https://www.cvedetails.com/cve/CVE-2017-14651/ https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265 Impact An attacker can caus...
Nextcloud: Default settings leak federated cloud id to lookup server of all users
So with the default settings Nextcloud still sends requests to the lookup server if users update their profile. Even if none of the fields are set to 'published'. I must admit this is somewhat of a surprise as there is no reason for this. As long as the visibility of none of the fields change and...
Nextcloud: Nextcloud update checks leaks information
Hi, I think this is more of a privacy concern than a security concern. However I wanted to check here first. Please direct me to another suitable location if needed. It is in relation to https://github.com/nextcloud/server/blob/master/lib/private/Updater/VersionCheck.php#L78 This is sending sever...
New Relic: HTML Injection In Email In one.newrelic.com
Hi, There's an HTML injection vulnerability present inside emails sent from Newrelic when the name of the organization inviting a user contains HTML. The HTML is stored in the backend database and when invitation emails are sent, the HTML is sent along with the rest of the email. Steps to reproduce:...
Exodus: Cache Poisoning DoS on downloads.exodus.com
Summary: Hello, The subdomain downloads.exodus.com hosts all files meant to be downloaded by exodus users. A few of the files I found are: https://downloads.exodus.com/releases/exodus-linux-x64-21.4.9.zip https://downloads.exodus.com/releases/hashes-exodus-21.2.12.txt...
HackerOne: Stored XSS in IE11 on hackerone.com via custom fields
Hi There, I found stored XSS via Custom Fields F1275694 ---------------------------------- F1275691 POC: F1275692 Impact The attacker can use this issue to execute malicious script code in the victim user's browser and also redirect the victim user to malicious sites...
curl: CVE-2021-22897: schannel cipher selection surprise
Summary: Commit "schannel: support selecting ciphers" added support for selecting the ciphers with SCHANNEL. However, due to use of a static algIds array for ciphers in set_ssl_ciphers the last configured cipher list will override configuration used by other connections, leading to potential wrong...
WordPress: PII of users can be downloaded from export pages
Sensitive personally identifiable information (PII) of users, including their name, email, phone number, role, and organization, was exposed on the https://doaction.org/ website. The PII was found in CSV files that could be downloaded from various endpoints on the website, which could be enumerated...
Shopify: Insufficient session expiration in the **com.shopify.ping** android app
It was identified that despite a logout action being taken by the user in the com.shopify.ping application, the authentication token is not invalidated, which allows full recovery of the initially acquired session. More specifically, after the user provides the required credentials, an...
U.S. Dept Of Defense: Reflected XSS through ClickJacking
Description: Hello DoD team, I found a reflected XSS that requires user interaction, but it's suspicious due to the reflected payload in the page ███████ So in this case I chained it with click-jacking with an image background, same as the legal website, to make it more trusting ████████ below is the code...
Reddit: Missing rate limit in current password change settings leads to Account takeover
Summary: Happy Wednesday, I've found a missing rate limit protection in https://reddit.com and https://vip.reddit.com in password change settings. The "enter the current password" security mechanism is implemented to prevent cyber attackers from changing the password without knowing the current...
Nextcloud: Attacker can obtain write access to any federated share/public link
Hi mates, I stumbled across this with public links. But the same holds true for any federated share. I will try to describe the link scenario. At first I thought there were more steps and resharing was involved. But it really is very simple: 1. An attacker obtains a public link (again plenty of...
Lark Technologies: Improper Access Control on Lark Footer Feature
Due to improper access control within Lark's footer feature, an attacker could have potentially accessed private files. We thank @imrannisar for reporting this to our team and confirming the resolution...
Nextcloud: Password policy changes not enforced for existing passwords
So this is two reports in one. Sort of. But they are the same issue, or at least related. 1. When you set up your nextcloud there is no password policy at all. There is the strength indicator. I get that the password policy app is not yet active at that point. But a minimum length would not be that...
Nextcloud: Targeted phishing attacks in Login flow v2
Vulnerability description not provided...
Acronis: Reflected XSS on my.acronis.com
Reflected XSS was possible on my.acronis.com via GET parameter "Error"...
Reddit: Application level DOS at Login Page ( Accepts Long Password )
Application-level Denial of Service (DOS) is an emerging class of security attacks on sites. They aim to overwhelm the site by flooding the server with requests that are disguised as legitimate users. The sudden increase in traffic shuts down machines and networks to make them unavailable to oth...
Elastic: RCE hazard in reporting (via Chromium)
Summary: Reporting embeds a Chromium that is susceptible to RCEs Description: Reporting uses a headless Chromium to generate PNGs and PDFs. This is invoked at least on Elastic Cloud, ECE and ECK with --no-sandbox to work at all. There are RCEs readily available for Chrome, and at least the versio...
Valve: https://srcds.valve.net/find/ is leaking server config / API keys
The https://srcds.valve.net/find/ website allowed unauthenticated visitors to access sensitive configuration information about Source game servers...
Elastic: Improper authorization on `/api/as/v1/credentials/` allows any App Search user to access all API keys and escalate privileges
Summary Hello team, I hope you're doing well! App Search has a credentials page located at /as/credentials that lists all the API keys a user has access to, if any. That same page will 404 for users with Analyst or Editor role. This is all working as intended, however there is also an API endpoin...
Lark Technologies: Non privileged user is able to approve his own app himself leading to mass privilege escalations.
A privilege escalation vulnerability was identified in Lark which could have potentially allowed an attacker to approve the apps in the same tenant by bypassing the admin approval. We thank @imrannisar for reporting this to our team...
Ruby: 'net/http': HTTP Header Injection in the set_content_type method
The set_content_type's parameter is not filtered to prevent the injection from altering the entire request. The vulnerable code: ruby def set_content_type(type, params = {}) @header['content-type'] = [type + params.map{|k,v|"; #{k}=#{v}"}.join('')] end PoC 1. ruby require 'net/http' uri = URI('http://127.0.0.1:8080') r...
U.S. General Services Administration: Weak password policy leading to exposure of administrator account access
Hi, The login endpoint https://mysmartplans.gsa.gov/Marathon/Default.aspx has a weak password policy. During the recon, I came across a mysmartplans overview document http://www.accentimaging.com/accent/pdfs/Accent%20MySmartPlans.pdf . In this document a few users are mentioned like - rick, ban...
Nextcloud: Nextcloud deck sharee search leaks searches to lookupserver by default
So, in short this is related to the other 2 reports https://hackerone.com/reports/1167916 and https://hackerone.com/reports/1167919 While I could not find deck on your h1 page. I kind of assume it is in scope as well as this is something you sell with the 'groupware' subscription...
Nextcloud: File drop public link can also be converted to federated share
So bear with me. Because this one requires some user interaction and makes some assumptions. 1. victim creates a files drop public link 2. attacker has that link 3. the 'add to your nextcloud is hidden' but if you manually craft the request and send it a federated share will still be created. for...
Nextcloud: Default Nextcloud server config and iOS Nextcloud client leak sharee searches to Nextcloud
In short this is the same as https://hackerone.com/reports/1167916 but then for iOS so please forgive the copy paste On a clean Nextcloud setup the functionality "Search global and public address book for users" is enabled. Now when searching for a sharee to share with. The lookup parameter is no...
Nextcloud: Default Nextcloud Server and Android Client leak sharee searches to Nextcloud
On a clean Nextcloud setup the functionality "Search global and public address book for users" is enabled. Now when searching for a sharee to share with. The lookup parameter is not passed to the server. Resulting in...
Nextcloud: Trusted servers exchange can be triggered by attacker
Hi again, So this seems to be less bad these days as the trusted servers are no longer enabled by default however they were some versions ago. The trusted servers exchanged the full user list with another server. As soon as 1 federated share is created between two instances. It is questionable if...
Nextcloud: Federated shares are not password protected
Hi again, So more from me. Bear with me because this is a highly theoretical issue. But I nevertheless think it should be mitigated. Or at least disclosed. Premise: 1. user1 on serverA has a federated share established with user2 on serverB 2. the database (not the full system) of serverB is...
Kubernetes: Loading YAML in Java client can lead to command execution
The io.kubernetes.client.util.Yaml file in the Kubernetes client library for Java uses a popular library SnakeYAML to serialize and deserialize YAML. The library has a feature which makes it possible to initiate instances of Java classes by using a YAML tag like !!some.Class "argument1" . More in...
Nextcloud: Unexpected federated shares added via public link
So I'm not 100% sure if this is a security issue or not. But it is in my opinion at least unexpected and could be handled better to make sure people trust the system. 1. Get a public link share (again plenty of those around) 2. Click the 'add to your Nextcloud' 3. A federated share is added/create...
Shopify: Add new managed stores without permission
Details A staff member who has permission to add, archive and unarchive development stores as shown in managedStoreA.png can also add new managed stores. I can't tell if the issue I pointed out in 1167453 has the same root cause as this. A staff member with the said permission can access...