Moneybird: Access control issue on invoice documents downloading feature.
Reporter has found a way to download exports as an unauthorized user. This was only possible after changing the permissions for the user and having a certain page open during this change. The issue has been resolved by adding extra permission checks during the download action...
GitHub Security Lab: Java: Query for detecting unsafe deserialization with Spring exporters
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: Add query for detecting Log Injection vulnerabilities
This bug was reported directly to GitHub Security Lab...
BlockFi: User Information Disclosure via waitlist.blockfi.com Prefinery Abuse
Summary: User information including email address, home address, IP address, browser type and version, name, and more can be easily scraped by abusing the Prefinery API behind waitlist.blockfi.com. Using a GET request and enumerating users based on the userID, the entire waitlist user group can...
New Relic: User without "View/Modify/Delete" permissions on "Destinations" can view/modify & delete Destinations
@archangel reported that an elevation-of-privilege in the Destinations functions could have allowed a user to view Destinations without having the rights to do so due to an IDOR Incorrect Direct Object Reference...
Mail.ru: Blind SQL in id_locality GET param on [city-mobil.ru/taxiserv]
SQL injection in city-mobil.ru/taxiserv due to unsafe usage of GET parameter...
BlockFi: credentials found in config file on github
Summary: Hi, credentials belonging to blockfi.com were found exposed on GitHub; these credentials can lead to attackers gaining access into the network, stealing information and destroying servers. Steps To Reproduce:...
Mail.ru: Development configuration file with sensitive data exposure could lead to taking down the social media accounts and the DB
Configuration files were accessible at tanks.mail.ru leaking configuration information, including database accounts...
Sifchain: ETHEREUM_PRIVATE_KEY leaked via Open Github Repository
Summary: GitHub is a truly awesome service but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services as I was able to find internal data as responsible disclosure I wanted to share it like this the only channel to do so, and it's related to your sensitive...
TikTok: TikTok Session Donation CSRF via QR code login
A CSRF (Cross-Site Request Forgery) vulnerability was reported in TikTok's QR code login which could have potentially caused a user to log into an attacker-controlled account. We thank @lauritz for reporting this to our team and confirming the resolution...
GitHub Security Lab: Java: CWE-346 Queries to detect remote source flow to CORS Headers
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: CWE-652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-297: Insecure LDAP endpoint configuration
This bug was reported directly to GitHub Security Lab...
HackerOne: Temporary banned user (from platform) is able to make submissions via embedded submission forms
Summary: Hello team! We have discovered an issue which allows a temporarily banned user to submit new reports using embedded submission forms. The hacker can submit submissions via embedded forms using his/her email address. Once the ban is over the hacker can claim his/her report via invitation link...
HackerOne: HackerOne is not properly deleting user id
Summary: Long ago, I had an account on HackerOne that is now deleted. I used the alias email provided by H1 to sign up on a site for bug testing. To my surprise, I received an email to my account routed from an alias email that should not exist. Description: Steps To Reproduce 1. SignUp on H1 2. Us...
Mail.ru: Blind SQL injection on [city-mobil.ru/taxiserv/] in filter{"id_locality"}
SQL injection in city-mobil.ru/taxiserv due to unsafe usage of GET parameter...
On: GraphQL introspection is enabled and leaks details about the schema
Summary: Hi team! I've found a misconfiguration in your GraphQL API on the endpoint https://www.on-running.com/en-in/graphql in which an attacker is able to run a GraphQL introspection query to fetch schemas, types, fields, available query operations; after running the introspection query on t...
Sifchain: Exposed Openapi Token
Summary While looking for secrets, I noticed that Developers had removed a swagger spec draft. The URL had a committed token in the history of multiple project files: ui/core/src/api/transactionsService.ts ui/core/src/api/tendermintService.ts ui/core/src/api/stakingService.ts...
HackerOne: Attachment object in GraphQL continues to grant access to files, even if they are removed from rendering
Summary: Hi team, Our team noticed that your program can attach files to the policy page. These files can be anything: images, text, archives, etc. In other words, these files may or may not contain sensitive information. Our team believes that the data that can be attached in different vectors is hi...
8x8: Exposed PHP dependencies at ██.8x8.com
A limited amount of hosts were exposing the PHP vendor directory, which exposed names of internal packages & dependencies. The issue has been rectified...
GitLab: Arbitrary file read during project import
NOTE! Thanks for submitting a report! Please replace all the parenthesized sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary A mis-usage of json sche...
Mail.ru: Open Redirect and CRLF Injection Leads to XSS on [app.doma.uchi.ru]
XSS on app.doma.uchi.ru created by two vulnerabilities: an open redirect issue (the request parameter location was not validated in Ruby on Rails version 6.0.3.2) and a CRLF injection...
Rocket.Chat: Post-Auth Stored XSS with User Interaction leads to Remote Code Execution
Summary: Unsafe usage of the toastr library leads to Stored XSS when combined with a validation bypass in the createRoom function. Targeting an admin account leads to Remote Code Execution. Description: The frontend uses the toastr library to display error messages to the user. However, it is use...
HackerOne: Race condition allows sending feedback for the hacker multiple times
Summary: Hello team! We've found out that the program should be able to send feedback only once per report, which is very logical. However, the program user is able to send multiple parallel requests, which will lead to a race condition situation and will send multiple feedback to the hacker...
Open-Xchange: Path Traversal in dict-fs and no-check Escape Character in oauth2-jwt
0x01 Path Traversal in dict-fs module. If we use fs to store dictionaries, when the program gets the value of a key: static int fs_dict_lookup(struct dict *_dict, pool_t pool, const char *key, const char **value_r, const char **error_r) { struct fs_dict *dict = (struct fs_dict *)_dict; struct fs_file *file; struct istream *input;...
HackerOne: CSV injection in the credentials export
Summary: Hello team! We have found out that a hacker can inject malicious excel formulas into the credentials details which will be executed when program user exports the credentials details via https://hackerone.com/hackeroneh1pbbp3/credentials - export credentials and opens this CSV using MS...
Nutanix: Open Redirect at https://www.nutanix.com/tw/login via icid parameter
Hi, I found an open redirect in https://www.nutanix.com. Visit this URL: https://www.nutanix.com/tw/login?icid%3D24N58XTYY6AA=&isSigningAction=Yes&redirectUrl=https%3A%2F%2Fwww.baidu.com%23%40www.nutanix.com Impact: open redirect...
LY Corporation: SSRF occurrence in website preview used by LINE Official Account Manager (https://manager.line.biz)
LINE Official Account Manager https://manager.line.biz uses PagePoker to provide website previews. Here it was not properly validated against the Opengraph image tag target, which could point to an internal network resource...
HackerOne: CSRF allows testing email forwarding
Summary: It is possible to send email forwarding emails in the name of the victim. The main problem is that you don't verify the X-CSRF-Token in the endpoint /securityemailforwarding/testforwarding.json?id=$id. Steps To Reproduce: - Log in as a program user who has access to the Email Forwarding -...
Ruby: Path traversal in Tempfile on windows OS due to unsanitized backslashes
Hi team, Summary: We've noticed that both arguments basename and ext of Tempfile on Windows are vulnerable to a path traversal which could allow unintentional file creation in arbitrary writable directories. Tempfile often has user control either by basename or ext or both. PoC irbmain:029:0...
HackerOne: Users who are banned from a program can still be invited to new reports as collaborators
Summary: Hello team! We have found out that users who are banned from a program can be invited to new reports as collaborator users. This is pretty weird because the hacker should be banned and no new reports should be allowed. If the program bans the hacker, the program can't invite...
Rocket.Chat: Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution
Summary: The users.list API endpoint is vulnerable to NoSQL injection attacks. It can be used to take over accounts by leaking password reset tokens and 2FA secrets. Taking over an admin account leads to Remote Code Execution. Description: The users.list API endpoint takes a custom query via the...
Open-Xchange: Null pointer dereference in lib-sieve after calling sieve_binary_block_index
There are some places where the program calls the function sieve_binary_block_index without checking the return value, mainly in sieve-binary-dumper.c. Such as: pigeonhole/src/lib-sieve/sieve-binary-dumper.c: bool sieve_binary_dumper_run(struct sieve_binary_dumper *dumper, struct ostream *stream, bool verbose) { struct...
Rocket.Chat: Pre-Auth Blind NoSQL Injection leading to Remote Code Execution
Summary: The getPasswordPolicy method is vulnerable to NoSQL injection attacks and does not require authentication/authorization. It can be used to take over accounts by leaking password reset tokens. Taking over an admin account leads to Remote Code Execution. Description: The getPasswordPolicy...
Mail.ru: Substitution of car photos [city-mobil.ru/taxiserv/]
Possibility to change the photo at external-storage.city-mobil.ru by controlling the parameter photourl and id on city-mobil.ru/taxiserv/...
Kubernetes: SHA512 incorrect on most/many releases
Report Submission Form Summary: SHA512 is incorrect for most versions of kubernetes.tar.gz releases https://github.com/kubernetes/kubernetes/releases/. Kubernetes Version: all Component Version: all Steps To Reproduce: add details for how we can reproduce the issue, including relevant cluster set...
Zomato: subdomain takeover on fddkim.zomato.com
Our subdomain fddkim.zomato.com was vulnerable to a 0-day subdomain takeover vulnerability on Freshdesk. The DNS entry was removed on our end to fix this. Writeup "HOW I hacked thousand of subdomains": https://medium.com/@moSec/how-i-hacked-thousand-of-subdomains-6aa43b92282c...
HackerOne: Hackers can reveal the names of private programs that have an external link and Enterprise Product Edition
Summary: Hi team, A few days ago, your engineers revealed a field in the report: Custom fields. The team removed it after a while, but did not remove the design line "Custom fields: Available only for Enterprise Product Edition". Therefore, the sandbox program cannot independently accept this versi...
Nextcloud: Create alias does not validate account id
The request to create a new alias does not validate that account id belongs to the current user. Also we don't validate that the account id exists. curl 'http://localhost:50001/index.php/apps/mail/api/accounts/2000/aliases' \ -H 'Connection: keep-alive' \ -H 'Pragma: no-cache' \ -H 'Cache-Control...
VK.com: Member still able to close another user's poll on a community topic
Insufficient validation in closing the poll of the community topic...
Moneybird: Open Redirect through POST Request in OAuth
Reporter found an open redirect issue in the OAuth flow. We added extra checks for all redirects in the OAuth flows to mitigate this issue...
HackerOne: Hackers can find out the ID of private programs
Summary: Hi team, Our team noticed that it is possible to find out the IDs of sandbox programs. This allows us to create a list, thereby determining that the rest of the list of IDs will belong to private programs, or to public or external program directory listings. But by removing ID all public and...
curl: CVE-2021-22890: TLS 1.3 session ticket proxy host mixup
Summary: I don't think that this can be easily exploitable, but I am submitting it as a security issue for precaution. I am not looking for a bounty. Commit 549310e907e82e44c59548351d4c6ac4aaada114 enables session resumption with TLS 1.3. Curl connections maintain two SSL contexts, one for the...
HackerOne: Lack of warning label when receiving a letter
Summary: Hi team, When using the function ShareReportViaEmail the email is sent to the email address specified by the hacker. This email looks legitimate and comes from verification email addresses, leaving no doubt about it being replaced. This endpoint also applies to sandbox reports, which makes...
GitHub Security Lab: ihsinme: CPP add query for: CPP Add query for CWE-20 Improper Input Validation
This bug was reported directly to GitHub Security Lab...
HackerOne: Used email confirmation link reveals the email address which is tied to it
Summary: If an attacker finds a used email confirmation link (the token is in the URL), s/he will be able to see the email address which is tied to the confirmation link ID. The attack itself is pretty unlikely, but the application should show a generic error message like "The confirmation ID is invali...
Rockstar Games: Password and mail address stored unencrypted in memory - Rockstar Game Launcher
User credentials were stored unencrypted in memory for a short time during the login process for a game launcher application. The credentials could have been retrieved by dumping application memory after login. This issue has since been resolved to no longer expose passwords in memory...
HackerOne: Hackers can reveal the names of private programs that have an external link
Summary: Hi team, Our team has found a way to distinguish between private programs with external links. Due to the ability to select Severity Rating Options, the program can set two options : Rating or CVSS Score and CVSS Score Only. One of them removes the possibility of setting the...
New Relic: Missing Authorization check on View permissions for Alerting Conditions via /internal_api/1/accounts/XXXXXXX/policies/YYYYYYY/conditions?offs endpoint
@archangel reported that an elevation-of-privilege due to a missing authorization check on View permissions for Alerting Conditions could have allowed a user to see alerting policies without having the rights to do so...