Homebrew: Broken parsing of Git diff allows an attacker to inject arbitrary Ruby scripts to Casks on official taps
Description Due to improper parsing of Git diff in Homebrew/actions/review-cask-pr, it's possible to confuse the parser into ignoring additional lines, which leads to injection of malicious Ruby scripts. Root cause review-cask-pr uses the git diff file to check if the pull request is "simple" enough to...
PortSwigger Web Security: RCE in 'Copy as Node Request' BApp via code injection
Description Copy as Node Request is a Burp Suite extension that allows users to copy requests as Node.js code. Due to improper sanitization of cookies, it's possible to inject arbitrary Node.js code into the copied text, which may lead to remote code execution with a significant amount of user interaction...
Shopify: Add new development stores without permission
Details A staff member who only has permission to add and remove managed stores can also create development stores. It appears proper permission checks are not performed when /organizationID/stores/signupobject/devstore endpoint is queried, as long as a staff member has store access, a token is...
LY Corporation: Reflected XSS in OAUTH2 login flow (https://access.line.me)
Vulnerability description not provided...
Ozon: DOM XSS in learning.ozon.ru
DOM XSS in learning.ozon.ru via return parameter routerback...
Acronis: Reflected Cross Site Scripting at http://www.grouplogic.com/files/glidownload/verify3.asp [Uppercase Filter Bypass]
Summary The below URL checks if the product serial number provided in the url parameter serial is valid or not. http://www.grouplogic.com/files/glidownload/verify3.asp?version=CC1100x7660&serial= If an invalid product serial is provided, the user submitted serial is displayed in the response. It...
Reddit: Broken Authentication And Session Management
Summary: Broken Authentication And Session Management On reddit.com Here I'm Using 2 Browsers 1. Chrome (victim browser) 2. Firefox (attacker browser) Steps To Reproduce: 1. Login to your account in the Chrome browser 2. Copy cookies 3. Paste them in the Firefox browser and reload 4. You are logged in without username and...
Mail.ru: Subdomain takeover on "info-edcrunch.skillfactory.ru"
Domain, site, application -- http://info-edcrunch.skillfactory.ru/ Here there is a skillfactory domain info-edcrunch.skillfactory.ru which is pointing towards Tilda pages, so this domain can be taken over and can be used to do any type of attack; mostly I can make a fake login page on your behalf...
Stripo Inc: Ability to use premium templates as free user via https://stripo.email/templates/?utm_source=viewstripo&utm_medium=referral
Summary: Hello, I found a security vulnerability in your web application, another business logic issue. Steps To Reproduce 1. Go to https://stripo.email/templates/?utm_source=viewstripo&utm_medium=referral 2. Choose any premium template and click use in editor 3. Then sign in to save and it is in your...
Mail.ru: [la.mail.ru] - SSRF + cookie theft
Blind SSRF in la.mail.ru 0day exploit for vBulletin 3.8.x-5.0...
Mail.ru: [tanks.mail.ru] SSRF + Cookie theft
Introduction: On this fine evening we decided to start on the vBulletin forum engine, since it runs on 7 sites that belong to Ext.B, and you raised the rewards there almost 3 times, which sounds tasty : My eye fell on forumrunner, since there was an SQL injection CVE from 2016 there. In about an hour an SSRF was found, and not a simple...
Acronis: Reflected Cross Site Scripting at ColdFusion Debugging Panel http://www.grouplogic.com/CFIDE/debug/cf_debugFr.cfm
Summary The ColdFusion Debugging Panel is exposed at the below URL. http://www.grouplogic.com/CFIDE/debug/cf_debugFr.cfm?userPage= The userPage parameter is not properly sanitized and is displayed without proper output encoding. This results in reflected cross site scripting. Steps To Reproduce Enter any...
Reddit: Content Spoofing/Text Injection at https://gateway-production.dubsmash.com
Summary:- Hi team, I found a security issue on your website https://gateway-production.dubsmash.com Description:- I have found a "Content Spoofing/Text Injection" on one of the domains which is in scope, https://gateway-production.dubsmash.com, in which, using the link, the attacker can trick any genuine...
Stripo Inc: Bypassing Content-Security-Policy leads to open-redirect and iframe xss
Summary: https://my.stripo.email/cabinet//template-editor/..... has the ff: code to make iframes more secure: html pointing to other domains won't work but, the whitelist in frame-src data has listed .firebaseapp.com, a free hosting domain, leading to iframe abuse and redirects Steps To Reproduce...
Homebrew: Brew bootstrap process is insecure
The process described in this page is not secure - no checksum / PGP signature is published and there is no way to check the download is legit: https://brew.sh/ "/bin/bash -c "$curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh"" This can lead to supply chain attacks su...
UPchieve: Zero click account Takeover due to Api misconfiguration 🏂🎩
Hacker reported that full account takeover was possible through exploitation of one of our forms. Hacker provided sufficient information to prove capability and how to remediate. Our team remediated the issue so that the takeover is no longer possible. I was able to take over any account without any...
UPchieve: old session does not expire after password change
Hello all: I discovered that the application fails to invalidate sessions after the password is changed. In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords. url:: ==https://app.upchieve.org/== STEPS TO REPRODUCE: 1- create account in...
UPchieve: Hyper Link Injection while signup
Summary: Attacker can add their name to a URL in order to send email containing malicious hyperlinks during signup. Steps To Reproduce: 1- Go to https://app.upchieve.org and create an account with the first name http://attacker.com/ and last name. 2- Now check your email and you notice there is...
UPchieve: No Rate Limit On Contact Us
Hello dear support, I have found an issue on https://app.upchieve.org Step 1: go here https://app.upchieve.org 2: log in to your account 3: go here https://app.upchieve.org/contact (contact) 4: type a Message and open Burp HTTP request =========== POST /api-public/contact/send HTTP/2 Host:...
UPchieve: No Rate Limit On Reset Password
Welcome all: I found that there is no rate limit on reset password at ::: ==https://app.upchieve.org/resetpassword== Summary: No rate limit check on forgot password which can lead to mass mailing and spamming of users and possibly employees A little bit about Rate Limit: A rate limiting algorithm is used...
UPchieve: User enumeration through forget password
Vulnerability:- -User enumeration is possible through the forgot password feature. Steps to reproduce:- -Go to the above selected domain and go to forgot password. -Submit a random email and then intercept the request with Burp Suite -In the response you will get HTTP/1.1 500 Internal Server Error with "err":"No...
Reddit: Content Spoofing
Vulnerability: Content Spoofing or Text Injection Description: This vulnerability will reflect text onto the web page, which is used to scam a victim into visiting or sending information to a malicious website. Because it is inside the domain and a trusted web page, there are chances of a scam. Open the Url a...
Kryptor: Kryptor/SECURITY.md missing HACKERONE program update.
Hi Team, I was going through the code and found that in https://github.com/samuel-lucas6/Kryptor/blob/master/SECURITY.md the "Security Policy" is missing an update regarding the HackerOne platform, that "Security bugs can now be submitted at https://hackerone.com/kryptor/". Please update the policy...
Ruby: 'net/ftp': Uncontrolled Resource Consumption (Memory/CPU)
The current TIME_PARSER implementation allows attackers to cause a denial of service (memory consumption) via a large integer value for the fractions property. The problem code (ruby): TIME_PARSER = ->(value, local = false) { unless /\A(?<year>\d{4})(?<month>\d{2})(?<day>\d{2}) (?<hour>\d{2})(?<min>\d{2})(?<sec>\d{2}) (?:\.(?<fractions>\d+))?/x =~ value raise FTPProtoError, "invalid...
Glovo: Moodle XSS on evolve.glovoapp.com
Cross Site Scripting XSS / Moodle XSS Summary : Cross-site scripting XSS is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by...
Reddit: No Rate limit on change password leads to account takeover
Summary: I found that when logged in and changing the password, there is no rate limit on that function, which leads to takeover of the account. Steps To Reproduce: 1- Create an account on https://old.reddit.com and go to your settings. In my case I chose !23Qweasdzxc as the password. 2- Go to change password on...
Reddit: [dubsmash] Username and password bruteforce
Summary: Due to low password complexity and no rate limiting, an attacker can bruteforce the user name and password and take over the victim's account. Login Page- No rate limits. Password length is a minimum of five characters with no variations. Plain passwords are easy to bruteforce. Reset Password page- No ra...
MTN Group: Missing captcha and rate limit protection in help form
Hello, One of the forms that you are using to receive help messages from users lacks a captcha and its backend/server does not block massive requests. The page is https://mtn.cm/fr/help/ Steps To Reproduce: 1. Visit https://mtn.cm/fr/help/, fill in all the fields and submit. 2. Intercept the request wi...
GitHub Security Lab: [Java] CWE-1004: Query to check sensitive cookies without the HttpOnly flag set
This bug was reported directly to GitHub Security Lab...
Liberapay: Disavowing an account doesn't disable it
Hello security team, while I was testing your website, I found improper email verification during sign-up on liberapay.com. Steps to reproduce: 1 Go to https://liberapay.com. 2 Create a new account with any email. 3 You will receive an email verification at the given email. 4 Open that email and click "No,...
Acronis: Store Admin Page Accessible Without Authentication at http://www.grouplogic.com/ADMIN/store/index.cfm
Summary The store admin page is accessible without authentication at below URL: http://www.grouplogic.com/ADMIN/store/index.cfm The store admin page provides functionalities such as the following: - Add Edit Items - Search Products - Search Results - Search Orders - Orders Search Results - Add Ne...
Acronis: Stored Cross Site Scripting at http://www.grouplogic.com/ADMIN/store/index.cfm?fa=disprocode
Summary The application exposes store ADMIN page at below URL and is accessible without authentication. http://www.grouplogic.com/ADMIN/store/index.cfm The ADMIN page provides several functionalities. Among them the below functionality is found to be vulnerable to stored XSS. - View and Edit Prom...
MTN Group: Remote code execution due to unvalidated file upload
Summary: Hello, I found a critical vulnerability in one of your sites, where a user can upload any file type as a profile picture, including PHP files. Steps To Reproduce: 1. Visit https://careers.mtn.cm and register as a user. 2. After successful registration, login and update your data. 3. When uploadi...
Shopify: No Session Expiry after log-out, attacker can reuse the old cookies
The session fixation vulnerability allowed an attacker to reuse old session cookies to log in to a victim's account on the Exchange Marketplace, even after the victim had logged out. The service has been decommissioned, and the issue has been resolved...
GitHub Security Lab: porcupiney.hairs : Java/Android - Insecure Loading of a Dex File
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-759: Query to detect password hash without a salt
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: ihsinme: CPP Add query for CWE-570 detect and handle memory allocation errors.
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [codeql-go]: Add CWE-79: HTML template escaping passthrough
This bug was reported directly to GitHub Security Lab...
Ruby: OS Command Injection in 'rdoc' documentation generator
Details: If the remove_unparseable function receives a list of files with a command in the name of one of them, it will be executed. It is enough for the name to match the pattern. The problem code (ruby): def remove_unparseable files; files.reject do |file, *|; file =~ ...
Nextcloud: Notification implicit PendingIntent in com.nextcloud.client allows to access contacts
When the victim downloads files in Nextcloud, a notification will be triggered. The content of the notification is "Downloaded". This notification is used to remind the user that the download is complete. The PendingIntent in this notification is an implicit intent. At this time a malicious app with...
Acronis: Cross-site Scripting (XSS) - Stored | forum.acronis.com
Summary There is an XSS vulnerability in the search function of the forum forum.acronis.com. Steps To Reproduce 1. Modify your own forum Nickname, add the following payload after the original nickname: alert0 2. Fill in your nickname in the Author form of the search function and wait for the...
HackerOne: Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token.
Details Title: Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token. Risk: High Impact: High Exploitability: High Target: baseurl parameter on UpdatePhabricatorIntegration mutation at /graphql endpoint. Introduction Sensitive data...
GitLab: Cache poisoning Denial of Service affecting assets.gitlab-static.net
Summary Hi, Gitlab.com is hosting JS and CSS on https://assets.gitlab-static.net/ and uses them on gitlab.com/ The static files seem to be stored on a gcp host, which by default accepts the x-http-method-override header. Since the CDN is using Varnish to cache files, I was able to combine the GCP...
Ozon: Takeover of the ozoncorporate.ru domain
Ozoncorporate.ru domain was delegated to Tilda.cc and not used...
HackerOne: New link opening method makes hackerone vulnerable to tabnabbing
Summary: Hackerone recently changed how it opens the external links and this new way is vulnerable to tabnabbing. Description: Please see the POC. Steps To Reproduce 1. Click here: https://awasthi7.github.io/ 2. Click on proceed when warning appears. 3. The site will open in new tab and hackerone...
U.S. Dept Of Defense: [www.█████] Path-based reflected Cross Site Scripting
Description: The www.██████ endpoint is vulnerable to path-based reflected XSS which allows attackers to pass rogue JavaScript to unsuspecting users. Impact This flaw allows attackers to pass rogue JavaScript to unsuspecting users. Since the user’s browser has no way to know the script should not...
EXNESS: Access control vulnerability (read-only)
Horizontal privilege escalation that could be used to gain access to some information not associated with the current user...
MTN Group: Cross-site Scripting (XSS) - Reflected on http://h1b4e.n2.ips.mtn.co.ug:8080 via Nginx-module
The Cross-site Scripting XSS vulnerability was discovered on http://h1b4e.n2.ips.mtn.co.ug:8080 via the Nginx module. The vulnerability allowed the injection of arbitrary JavaScript code through the URL, which could be executed in the victim's browser...
U.S. Dept Of Defense: DOM Based XSS on https://████ via backURL param
Description: The following endpoint suffers from DOM Based XSS https://████████/██████=javascript:alert(document.domain) The ████████ param determines the content which will be displayed on the "Back to Search Result" button, eventually leading to RXSS. References ██████ Regards nagli Impact...
Ruby: OS Command Injection in '/lib/un.rb -- Utilities to replace common UNIX commands in Makefiles etc'
If the wait_writable command receives a list of files with a command in the name of one of them, it will be executed. PoC (bash):
$ touch \|\ touch\ evil.txt
$ ls
'| touch evil.txt'
$ ruby -run -e wait_writable -- -w 1 -v
$ ls
evil.txt '| touch evil.txt'
The vulnerability has the same severity as...