MTN Group: Cross-site Scripting (XSS) - Reflected on https://api.mtn.sd/carbon/admin/login.jsp via `msgId` parameter - CVE-2020-17453
A reflected cross-site scripting (XSS) vulnerability was discovered in the msgId parameter of the login page at https://api.mtn.sd/carbon/admin/login.jsp. This vulnerability allowed an attacker to execute arbitrary JavaScript code in the context of the vulnerable page...
Algolia: PHP-FPM status page disclosure
A page leaking debug information was publicly accessible...
Flickr: Incorrect Deep-link validation leading to unresponsive application and device
A specifically crafted URL provided to a victim caused their Flickr for Android app to become unresponsive...
Elastic: XXE in Enterprise Search's App Search web crawler
Summary Hello team! The latest version of Enterprise Search, 7.12.0, is vulnerable to XXE when parsing sitemaps. Up to now I'm only able to read files that contain one line. I'm reporting now to avoid duplicates, but I'll keep working to find a way to extract entire files or HTTP request bodies...
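The report above is about a crawler that parses sitemap XML with a parser that honours DTDs. The following is an added example (not Elastic's code) showing the vulnerable shape next to a hardened one: the unsafe parser expands entities declared in an inline DTD, which is the mechanism XXE payloads build on, while the safe version refuses any document carrying a DOCTYPE before it reaches the parser and only accepts absolute http(s) URLs from `<loc>`. The sitemap documents are constructed for the example; the DOCTYPE byte check assumes an ASCII-compatible encoding.

```python
import re
import xml.etree.ElementTree as ET

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
LOC_TAG = f"{{{SITEMAP_NS}}}loc"
# Assumption: the fetched bytes are in an ASCII-compatible encoding (UTF-8);
# a UTF-16 document would need decoding before this check.
DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def sitemap_locs_unsafe(xml_bytes: bytes) -> list:
    """Parse whatever the crawler fetched.

    Entities declared in an inline DTD are expanded by the parser, which is
    exactly the behaviour an XXE payload relies on.
    """
    root = ET.fromstring(xml_bytes)
    return [loc.text for loc in root.iter(LOC_TAG)]


def sitemap_locs_safe(xml_bytes: bytes) -> list:
    """Refuse DTDs up front, then accept only absolute http(s) <loc> values."""
    if DOCTYPE.search(xml_bytes):
        raise ValueError("sitemap contains a DOCTYPE; DTDs are not accepted")
    root = ET.fromstring(xml_bytes)
    locs = []
    for loc in root.iter(LOC_TAG):
        text = (loc.text or "").strip()
        if not text.lower().startswith(("http://", "https://")):
            raise ValueError(f"<loc> is not an absolute http(s) URL: {text!r}")
        locs.append(text)
    return locs


def safe_parser_rejects(xml_bytes: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        sitemap_locs_safe(xml_bytes)
    except ValueError:
        return True
    return False


# Constructed sample sitemaps for the example (not captured from any site).
CLEAN_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/about</loc></url>
</urlset>"""

# A DTD with an internal entity: harmless here, but the same declaration
# with SYSTEM "file:///..." is how file contents get pulled into <loc>.
ENTITY_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE urlset [ <!ENTITY leak "injected-by-dtd"> ]>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/&leak;</loc></url>
</urlset>"""

if __name__ == "__main__":
    print("unsafe:", sitemap_locs_unsafe(ENTITY_SITEMAP))
    print("safe:  ", sitemap_locs_safe(CLEAN_SITEMAP))
    print("safe rejects DTD:", safe_parser_rejects(ENTITY_SITEMAP))
```

The pre-check is a gate, not a substitute for a parser configured to ignore DTDs; in production prefer a parser option that disables entity resolution (defusedxml, or lxml's `resolve_entities=False`) and keep the DOCTYPE check as defence in depth.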
GitLab: RCE when removing metadata with ExifTool
Summary When uploading image files, GitLab Workhorse passes any files with the extensions jpg|jpeg|tiff through to ExifTool to remove any non-whitelisted tags. An issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing f...
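The point of the report above is that an extension allowlist says nothing about what bytes a tool will actually parse. As an added example (not GitLab's or ExifTool's code), here is a pre-check that only hands a file to a metadata stripper when its leading bytes match the image type its extension claims; the sample files are constructed, and the jpg/jpeg/tiff allowlist mirrors the gate the report describes.

```python
from typing import Optional, Tuple

# File signatures for the two formats the gate admits.
JPEG_SIGNATURE = b"\xff\xd8\xff"
TIFF_SIGNATURES = (b"II*\x00", b"MM\x00*")  # little- and big-endian TIFF

# Extension allowlist mirroring the jpg|jpeg|tiff gate from the report.
EXTENSION_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "tiff": "tiff"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Classify content by its leading bytes, ignoring the filename entirely."""
    if data.startswith(JPEG_SIGNATURE):
        return "jpeg"
    if data.startswith(TIFF_SIGNATURES):
        return "tiff"
    return None


def exiftool_precheck(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when extension and content agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXTENSION_TO_TYPE.get(ext)
    if expected is None:
        return False, f"extension {ext!r} is not in the allowlist"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content does not start with a JPEG or TIFF signature"
    if actual != expected:
        return False, f"content is {actual} but the extension claims {expected}"
    return True, "ok"


# Constructed samples: minimal headers, not real image files.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLE_TIFF = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16
SAMPLE_OTHER = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"  # non-image bytes with a .jpg name

if __name__ == "__main__":
    for name, blob in [("cat.jpg", SAMPLE_JPEG), ("cat.jpg", SAMPLE_OTHER),
                       ("scan.tiff", SAMPLE_JPEG), ("scan.tiff", SAMPLE_TIFF),
                       ("logo.png", SAMPLE_JPEG)]:
        print(name, exiftool_precheck(name, blob))
```

A signature check only decides whether the tool runs; it does not make the parse safe. A well-formed JPEG can still carry a malicious embedded payload, so the metadata stripper should additionally run with the least privilege and isolation the deployment can afford.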
U.S. Dept Of Defense: Reflected XSS on https://██████
Description: Reflected XSS on https://███████ POC: https://███/████=https://████████████/%3C/script%3E%3Cscript%3Ealertorigin%3C/script%3E&██████ References ███████ Impact Unauthenticated Reflected XSS System Hosts ████████ Affected Products and Versions CVE Numbers Steps to Reproduce Step 1: Go ...
Ruby on Rails: Argument/Code Injection via ActiveStorage's image transformation functionality
An argument/code injection vulnerability was discovered in ActiveStorage's image transformation functionality. This vulnerability allowed an attacker to inject arbitrary arguments into the image transformation command, potentially leading to remote code execution. The vulnerability was found in t...
Nextcloud: Ratelimiting can be bypassed using IPv6 subnets
Nextcloud hardcodes IPv6 subnets to /128. End users get at least a /64 subnet (more than the whole IPv4 address space!); most providers assign even larger subnets like /48. The subnet is used to block bruteforce attempts [3] and for rate limiting [4]. An attacker can easily generate random addresses from t...
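To make the bypass concrete, here is an added example (not Nextcloud's code) of a login limiter keyed two ways: on the full /128 address, as the report describes, and on the /64 prefix. Attempts from random addresses inside one /64 all get through the first limiter and collapse into a single bucket under the second. The /64 boundary and the five-attempt budget are policy assumptions, and the prefix used is a documentation range constructed for the example.

```python
import ipaddress
import random
from collections import defaultdict


def client_key(ip: str, v6_prefix: int = 64, v4_prefix: int = 32) -> str:
    """Normalise a client address to the prefix the limiter counts against.

    v6_prefix=64 is a policy assumption: it is the smallest allocation an end
    user normally receives, so the whole block is treated as one client.
    """
    addr = ipaddress.ip_address(ip)
    prefix = v6_prefix if addr.version == 6 else v4_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class LoginLimiter:
    """Counts attempts per key and refuses once the budget is spent."""

    def __init__(self, max_attempts: int, key_func):
        self.max_attempts = max_attempts
        self.key_func = key_func
        self.attempts = defaultdict(int)

    def allow(self, ip: str) -> bool:
        key = self.key_func(ip)
        if self.attempts[key] >= self.max_attempts:
            return False
        self.attempts[key] += 1
        return True


def random_host_in(prefix: str, rng: random.Random) -> str:
    """Pick a random address inside a prefix (the attacker's own allocation)."""
    net = ipaddress.ip_network(prefix)
    return str(net[rng.randrange(1, net.num_addresses)])


def attempts_allowed(limiter: LoginLimiter, prefix: str, tries: int, seed: int = 1) -> int:
    """How many of `tries` attempts from fresh addresses in `prefix` get through."""
    rng = random.Random(seed)
    return sum(limiter.allow(random_host_in(prefix, rng)) for _ in range(tries))


if __name__ == "__main__":
    attacker_block = "2001:db8:1234:5678::/64"  # constructed documentation prefix
    weak = LoginLimiter(5, key_func=lambda ip: client_key(ip, v6_prefix=128))
    strong = LoginLimiter(5, key_func=client_key)
    print("keyed on /128:", attempts_allowed(weak, attacker_block, 1000))   # 1000
    print("keyed on /64: ", attempts_allowed(strong, attacker_block, 1000))  # 5
```

Keying on a prefix trades some precision for robustness: legitimate users sharing a /64 (a household, a small office) share a bucket, so the budget should be sized with that in mind, and the same normalisation must be applied wherever the address is used as an identity, not only in the limiter.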
QIWI: SSRF on https://qiwi.com via "Prerender HAR Capturer"
Hello! On the site https://qiwi.com you use Prerender HAR Capturer 5.6.0, based on Headless Chrome, to render HTML, screenshots, PDF files and HAR files of any web page https://github.com/prerender/prerender. If a request with a modified user agent is sent to qiwi.com...
U.S. Dept Of Defense: Sensitive data exposure via https://███████/jira//secure/QueryComponent!Default.jspa - CVE-2020-14179
Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. Impact...
Nextcloud: Improper input-size validation on the user new session name can result in server-side DDoS.
Advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w...
Clario: Social media link hijack of team member [Linkedin] at https://mackeeper.com/team/
Steps To Reproduce: - Go to https://mackeeper.com/team/ - You can see your team members' photos - I have hijacked the social media link for the member named Mammon PPC Account, who seems to be a Manager - You can click on his photo and you will be redirected to my account on LinkedIn here at...
U.S. Dept Of Defense: XML Injection / External Service Interaction (HTTP/DNS) On https://█████████.mil
Greetings, I found on one of your sites an XML Injection + External Service Interaction (DNS/HTTP). Link of the vulnerable file: https://█████.mil/██████████ Payload (XML Injection): fkp please change the link of burp collaborator and URL-encode the payload. How to reproduce █████ I cut the video...
U.S. Dept Of Defense: ████████ portal is open to enumeration once authenticated. Session ID's appear static. All PII available once a valid session ID is found.
Description: Once authenticated to the █████████ portal with valid credentials you can type in another member's session ID and you can see any service member's data as if you were authenticated as them. https://█████████ I did not see if there was a way to dump all session IDs, but it wouldn't be too...
U.S. Dept Of Defense: Reflected XSS through clickjacking at https://████
Description: I'm able to control the URL being inserted into the query line at https://█████/████&url=http%3a%2f%2fgalnagli.com%2f%3Cimg+src%3dx+onerror%3dalert%28document.domain%29%3E The server issues a request to the domain specified (there is also SSRF here, I'll report it later), and it renders th...
Uber: Chain of IDORs Between U4B and Vouchers APIs Allows Attackers to View and Modify Program/Voucher Policies and to Obtain Organization Employees' PII
The security researchers discovered a number of connected IDORs in the Uber business and voucher applications. By chaining these vulnerabilities together, the researchers could retrieve information related to existing voucher policies and modify those policies for monetary gain, such as for free...
X (Formerly Twitter): Bypass t.co link shortener in Twitter direct messages
The researcher demonstrated a way to create a link that will not be replaced with safe shortened t.co url, by sending Direct Messages containing more than 50 t.co links to another Twitter user. If the recipient views the message using Twitter’s Android app, and clicks the 51st link in the...
GitLab: Mint Oauth2 access token for targeted user
The vulnerability allowed a group owner to create an application that was trusted by default, bypassing CSRF controls for the authorization flow. This enabled the minting of access tokens for targeted users without their consent...
U.S. Dept Of Defense: CVE-2019-3403 on https://████/rest/api/2/user/picker?query=
Description: The endpoint at https://████████/rest/api/2/user/picker?query= Suffers from CVE-2019-3403 Due to old version of jira. F125281 References https://nvd.nist.gov/vuln/detail/CVE-2019-3403 @naglinagli Impact The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from...
U.S. Dept Of Defense: CSRF Based XSS @ https://██████████
Summary: Good Afternoon Team, I recently discovered subdomain https://██████████/█████████ from a POST-based XSS which, when combined with CSRF, allows for seamless XSS. ███ HTTP Request POST /██████ HTTP/1.1 Host: █████████ Connection: close Content-Length: 619 Cache-Control: max-age=0 sec-ch-ua:...
Nextcloud: DoS due to improper input validation can break the admin's access to user data and disallow them from editing that user's data.
Impact A malicious user may be able to break the user administration page. This would prevent administrators from administrating users on the Nextcloud instance. Patches It is recommended that the Nextcloud Server is upgraded to 19.0.11, 20.0.10 or 21.0.2 Workarounds Use the OCC command line tool to...
Sifchain: xmlrpc.php and /wp-json/wp/v2/users are enabled and can be used for brute-force attacks and denial of service
Hi Team: I am Abbas Heybati; Summary: After reviewing the given scope, I realized that the main domain "http://sifchain.finance" has several vulnerabilities that I will report to you as a scenario. I realize that I have reported to you outside of scope. The report is related to the mentioned...
Shopify: Stored XSS in /admin/product and /admin/collections
Hello Security Team, I was going through previous reports of XSS and I have found this, https://hackerone.com/reports/978125 As stated by team on this page even on https://hackerone.com/shopify?type=team under Known issues that we can now report XSS under Rich Text Editor on Product description a...
MTN Group: Cross-site Scripting (XSS) - Reflected on http://callertunez.mtn.com.gh/wap/noauth/sharedetail.ftl via `callback` parameter
The vulnerability was a reflected cross-site scripting XSS found on the website http://callertunez.mtn.com.gh/wap/noauth/sharedetail.ftl via the "callback" parameter. The vulnerability allowed the execution of arbitrary JavaScript code...
U.S. Dept Of Defense: Reflected XSS
Summary Reflected cross-site scripting XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. An attacker can execute JavaScript arbitrary code on the victim's session. Impact - Perform any action within the applicati...
U.S. Dept Of Defense: Administration Authentication Bypass on https://█████
Hi there, I found a way to connect to an administration space on your website https://██████████. How to reproduce? 1 - go to this link: https://███/██████████ 2 - create an html file with: html 3 - launch the file, click on the button and return to the page https://███████/█████ 4 - refresh the...
Acronis: Reflected XSS on www.acronis.com/de-de/my/subscriptions/index.html
Vulnerability description not provided...
Sifchain: Private KEY of crypto wallet
Summary: Hello, I'm writing in order to inform you that in your source code is stored the Private key of your crypto wallet that contains some money, as EOS, FNDR, and more. Your wallet address is this: 0x627306090abaB3A6e1400e9345bC60c78a8BEf57 Steps To Reproduce: The key is stored in "those...
HackerOne: Tab nabbing in Hackerone inbox.
Description: A tab nabbing vulnerability occurs when you open a link in a new tab (target="_blank"): the page that opens in the new tab can access the initial tab and change its location using the window.opener property, and from this a lot of phishing attacks could happen. This scenario occurs on...
Ruby: lib/net/ftp.rb: trusting PASV responses allow client abuse
When net/ftp performs a passive FTP transfer, it tries to use PASV. Passive mode is what net/ftp uses by default. A server response to a PASV command includes the IPv4 address and port number for the client to connect back to in order to perform the actual data transfer. This is how the FTP...
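The abuse described above comes from the client connecting wherever the 227 reply says. As an added example (not Ruby's net/ftp code, and written in Python rather than Ruby for consistency with the other examples on this page), the following parses a PASV reply and then decides the data endpoint the way a hardened client would: the port comes from the reply, but the host is taken from the control connection's peer unless the caller explicitly opts in to trusting the reply. The replies and peer addresses are constructed, and the refusal of ports below 1024 is a policy assumption of the example.

```python
import re
from typing import Tuple

# (h1,h2,h3,h4,p1,p2) as sent in "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Extract (host, port) from a 227 reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"expected a 227 reply, got {reply[:20]!r}")
    m = PASV_TUPLE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    values = [int(x) for x in m.groups()]
    if any(v > 255 for v in values):
        raise ValueError("value out of range in PASV tuple")
    host = ".".join(str(v) for v in values[:4])
    port = (values[4] << 8) | values[5]
    if port == 0:
        raise ValueError("port 0 is not connectable")
    return host, port


def data_endpoint(reply: str, control_peer: str, *,
                  trust_reply_host: bool = False, min_port: int = 1024) -> Tuple[str, int]:
    """Decide where the data connection goes.

    The host from the reply is ignored unless trust_reply_host is set, so a
    hostile or man-in-the-middled server cannot point the client at a third
    party. Ports below min_port are refused (policy assumption) so the client
    cannot be steered at privileged services.
    """
    host, port = parse_pasv(reply)
    if port < min_port:
        raise ValueError(f"refusing PASV port {port} below {min_port}")
    if trust_reply_host:
        return host, port
    return control_peer, port


def rejects(reply: str, control_peer: str = "192.0.2.10") -> bool:
    """True when the hardened endpoint selection refuses the reply."""
    try:
        data_endpoint(reply, control_peer)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed reply from a server at 192.0.2.10 that tries to redirect
    # the data channel to 10.0.0.99:1025 on an internal network.
    reply = "227 Entering Passive Mode (10,0,0,99,4,1)."
    print("reply says:      ", parse_pasv(reply))
    print("client connects: ", data_endpoint(reply, "192.0.2.10"))
    print("privileged port: ", rejects("227 Entering Passive Mode (10,0,0,99,0,25)."))
```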
Uber: Chain of vulnerabilities in Uber for Business Vouchers program allows for attacker to perform arbitrary charges to victim's U4B payment account
We have determined that through a chain of 3 vulnerabilities, it is possible for any U4B user to apply credit card charges or holds to any business using the Vouchers site. These charges originate from Uber and are unsolicited by the victim business, and can be made in any amount of the attacker'...
Moneybird: No rate Limit
Mailing to our support team using the support center in the application was improperly rate limited. There is now a better rate limiter in place...
Shopify: XSS at https://exchangemarketplace.com/blogsearch
There is an XSS vulnerability on https://exchangemarketplace.com/blogsearch page through the q parameters. https://exchangemarketplace.com/blogsearch?q=OnMoUsEoVeR=prompt/hacked/// F1251282 Impact XSS at https://exchangemarketplace.com/blogsearch...
Kubernetes: Holes in EndpointSlice Validation Enable Host Network Hijack
Summary: A user with permission to create Services and EndpointSlices can configure these resources to allow sending traffic to arbitrary ports in the host network. Kubernetes Version: Any version with EndpointSliceProxying enabled, default in 1.19+ Component Version: 1.19+ Steps To Reproduce:...
U.S. Dept Of Defense: xss reflected on https://███████- (███ parameters)
Greetings, I've found an XSS on █████████████████ parameters. Link: █████████████████ Payload: "/alert1; vulnerable parameters █████████ ████ ████ Impact A reflected XSS vulnerability happens when the user input from a URL or POST data is reflected on the page without being stored, thus allowing...
U.S. Dept Of Defense: xss on https://███████(█████████ parameter)
Greetings, I've found an XSS on https://██████████████████ parameter. Link: ████████.█████████████=%22/%3E%3Cimg%20src=x%20onerror=alert1%3E Payload: "/ ████████ Best regards, frenchvlad Impact A reflected XSS vulnerability happens when the user input from a URL or POST data is reflected on the...
U.S. Dept Of Defense: XSS Reflected on https://███ (███ parameter)
Greetings, I've found an XSS on https://█████ ██████████ parameter. Link: https://█████/████████?████████=%22%3E%3Cscript%3Ealert/frenchvlad/;%3C/script%3E&██████████ Payload: "alert/frenchvlad/; ██████ Best regards, frenchvlad Impact A reflected XSS vulnerability happens when the user input fro...
Nextcloud: Leak arbitrary file under nextcloud android client privacy directory
Steps to reproduce: 1. Install and log in to the Nextcloud Android client 2. Create a directory and set it 'shareable' 3. Install the PoC app "setresultcontactphotocrop"; key code: EvilActivity public class EvilActivity extends AppCompatActivity final static String PRIVATEURI =...
Node.js: Unexpected input validation of octal literals in nodejs v15.12.0 and below returns defined values for all undefined octal literals.
Summary: Unexpected input validation of octal literals in the nodejs implementation of V8 JavaScript engine V8 9.0.257.13 and below returns defined values for all undefined octal literals where otherwise should return undefined. Input data 08, 09... 078, 079 should return undefined, as evinced by...
Zivver: Cross-site Scripting (XSS) - Reflected
This issue is out of scope per our policy. It would require very unlikely user involvement, such as getting the victim to directly copy and paste malicious code into the search bar, as the search query can not be passed dynamically, e.g. as a URL parameter. Vulnerable URL: docs.zivver.com...
Rocket.Chat: REST API gets `query` as parameter and executes it
Summary: Any user with the 'view-d-room' permission can access any data except users.services from the users collection. Description: The "users.list" REST endpoint gets a query parameter from JSON and runs Users.find(queryFromClientSide). This means virtually any authenticated user can access any data...
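The report above describes an endpoint that passes a caller-supplied query straight to the collection. As an added example (not Rocket.Chat's code), here is a tiny in-memory stand-in for that collection with a matcher supporting equality and `$regex`, the reported endpoint shape, and a hardened version that allowlists the paths a caller may filter on, forbids operators, and fixes the projection server-side. The user records are constructed; the field names are assumptions made for the example.

```python
import re
from typing import Any, Dict, Iterable, List

# Constructed sample of what a users collection might hold (not real data).
USERS: List[Dict[str, Any]] = [
    {"_id": "u1", "username": "alice", "name": "Alice", "active": True,
     "emails": [{"address": "alice@example.com"}],
     "services": {"password": {"bcrypt": "$2b$10$abcdefghijklmnopqrstuv"}}},
    {"_id": "u2", "username": "bob", "name": "Bob", "active": True,
     "emails": [{"address": "bob@example.com"}],
     "services": {"password": {"bcrypt": "$2b$10$zyxwvutsrqponmlkjihgfe"}}},
]


def _lookup(doc: Any, dotted: str) -> Any:
    """Resolve a dotted path such as 'emails.0.address' or 'services.password.bcrypt'."""
    value = doc
    for part in dotted.split("."):
        if isinstance(value, list) and part.isdigit():
            idx = int(part)
            value = value[idx] if idx < len(value) else None
        elif isinstance(value, dict):
            value = value.get(part)
        else:
            return None
    return value


def _matches(doc: Dict[str, Any], query: Dict[str, Any]) -> bool:
    """A small subset of query semantics: equality and {'$regex': ...}."""
    for path, cond in query.items():
        value = _lookup(doc, path)
        if isinstance(cond, dict) and "$regex" in cond:
            if not isinstance(value, str) or re.search(cond["$regex"], value) is None:
                return False
        elif value != cond:
            return False
    return True


def find(query: Dict[str, Any], fields: Iterable[str]) -> List[Dict[str, Any]]:
    fields = list(fields)
    return [{f: _lookup(d, f) for f in fields if _lookup(d, f) is not None}
            for d in USERS if _matches(d, query)]


def users_list_unsafe(query: Dict[str, Any], fields: Iterable[str]) -> List[Dict[str, Any]]:
    """Reported shape: caller-controlled filter and projection reach the collection."""
    return find(query, fields)


QUERYABLE_FIELDS = {"username", "name", "active"}   # paths a caller may filter on
PUBLIC_FIELDS = ("_id", "username", "name")         # projection fixed server-side


def users_list_safe(query: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Only scalar equality on allowlisted paths; projection is never caller-chosen."""
    for path, cond in query.items():
        if path not in QUERYABLE_FIELDS:
            raise PermissionError(f"field {path!r} is not queryable")
        if isinstance(cond, dict):
            raise PermissionError("query operators are not allowed")
    return find(query, PUBLIC_FIELDS)


def safe_endpoint_rejects(query: Dict[str, Any]) -> bool:
    try:
        users_list_safe(query)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # A regex on a path the caller should never see acts as an oracle.
    probe = {"services.password.bcrypt": {"$regex": r"^\$2b\$10\$a"}}
    print("unsafe oracle:", users_list_unsafe(probe, ["username"]))
    print("unsafe leak:  ", users_list_unsafe({}, ["username", "emails.0.address"]))
    print("safe:         ", users_list_safe({"username": "alice"}))
    print("safe rejects: ", safe_endpoint_rejects(probe))
```

Even with projection locked down, a caller-controlled `$regex` against a hidden field turns the endpoint into a character-by-character oracle, which is why the hardened version refuses operators entirely rather than only trimming the projection; it also removes the regex-based denial-of-service surface.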
HackerOne: Enumerating HackerOne Pentests
Summary: An attacker can enumerate companies that performed pentests using the HackerOne platform. Steps To Reproduce: HackerOne pentests usually have an alias ending in -h1p. We will use the HTTP Request below to enumerate pentests update X-CSRF-Token, Cookie, and contextteamhandle. PATCH...
HackerOne: Changing the 2FA secret key and backup codes without knowing the 2FA OTP
Summary: After the setup of 2FA, disabling or editing it should require the 2FA OTP. But it can be bypassed. Steps To Reproduce: 1 Sign in to a new HackerOne account. 2 Setup 2FA; and 3 Try to disable it without knowing the OTP. You can't, you need to know the Authentication Code or Backup Code...
HackerOne: Editing Pentest Summary Report Answers After Submitting Them
Summary: Pentest leads should not be able to edit pentest summary report answers after submitting them. Steps To Reproduce: 1 After submitting the pentest summary report, try to edit it: F1246327 You can't. The form is disabled. 2 Use the HTTP Request below update X-Auth-Token, Cookie and the...
HackerOne: Bypassing the External Link Warning
Summary: As the HackerOne team is aware, the URL https://hackerone.com/users/saml/[email protected] can redirect users to external pages. Because of this, there is a protection in the links created by Markdown to show the user a warning when clicking in any link started with...
U.S. Dept Of Defense: Elmah.axd is publicly accessible leaking Error Log
Summary ELMAH Error Logging Modules and Handlers is an application-wide error logging facility that is completely pluggable. If ELMAH is not properly configured, the elmah.axd handler can be accessed without authorization. This page will list all the error messages generated by the web applicatio...
HackerOne: The possibility of disrupting the normal operation of frontend using markdown
Summary: Hi team, Our team noticed that using some string construction in markdown may cause it to fail and output error 502. Thus, disrupting the UI process. This may affect the work in places where there is a GraphQL attribute output. For example: User object in GraphQL : introhtml attribute...
GitHub Security Lab: [Java] CWE-016: Query to detect insecure configuration of Spring Boot Actuator
This bug was reported directly to GitHub Security Lab...
Uber: IDOR leads to See analytics of Loyalty Program in any restaurant.
Improper authorization allowed for disclosure any restaurant's analytics of the Loyalty Program on 3 endpoints...
U.S. Dept Of Defense: Path Traversal - [ CVE-2020-3452 ]
Hello, I would like to report Path Traversal issue CVE-2020-3452 was found on https://█████/. POC: https://█████████/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portalinc.lua&default-language&lang=../ Impact https://nvd.nist.gov/vuln/detail/CVE-2020-3452 System Hosts ███ Affected...