Stripo Inc: Stored XSS at Module Name
Summary: Hello, I found a stored XSS in the module name with this payload "Hello : Steps To Reproduce: 1. Add a new container, it doesn't matter which one 2. Paste this payload in the module name "Hello : 3. Update it, then check the module name again in settings 4. Alert popup Stored XSS Stored cross-sit...
Rocket.Chat: Bypass local authentication (PIN code)
Summary: An attacker with physical access to a mobile device can bypass local authentication PIN code. Description: When you set the PIN code to enter the application, the blocking occurs after the time set in the settings after the activity is closed. System time is used as a starting point. It ...
Sifchain: HTTPS not enforced at dex.sifchain.finance
Hi, requests using unsecured HTTP are not automatically upgraded to HTTPS. The impact of this is that an attacker can launch a MITM attack and steal users' information. Impact Data sent over HTTP is transmitted in plain text; sniffers can see it, edit it, poison ads, know what contents are being...
Tennessee Valley Authority: SQL Injection on https://soa-accp.glbx.tva.gov/ via "/api/" path - VI-21-015
Summary: I've found that this subdomain soa-accp.glbx.tva.gov is also vulnerable to SQLi through the /api/ path Steps To Reproduce: https://soa-accp.glbx.tva.gov/api/river/observed-data/GVDA1'+%2f!50000union%2f+SELECT+HOSTNAME--+- hostname dumped...
GitLab: RCE via unsafe inline Kramdown options when rendering certain Wiki pages
Summary When rendering wiki content with certain extensions such as .rmd, renderwikicontent will call othermarkupunsafe, which will end up calling GitHub::Markup.render from the github-markup gem. Files with any extension can be uploaded by checking out the wiki with git, committing the files and...
Mail.ru: [Plazius] SSRF via a misconfigured Fiddler 46.148.201.206:10121
SSRF on ucs.ru...
U.S. Dept Of Defense: Unauth RCE on Jenkins Instance at https://█████████/
Description: Hi Team, while doing recon on U.S. Government sites, I found the below asset belongs to the U.S. Government. Please check its SSL certificate to confirm, or please check the attached POC video █████████ https://███/ An attacker can execute command injection without authentication. Impact Unauth RCE...
R3: No DMARC record at cordacon.com
I am happy to receive your invitation, and I will try my best to keep R3 secured. This is my first report and it can be considered low severity, and some companies even consider it N/A, but as I see in your policy it is not mentioned as out of scope. One of your domains has no DMARC record, whi...
Acronis: Attacker Can Access to any Ticket Support on https://www.devicelock.com/support/
Summary Hello team. I found a security issue on devicelock.com where the attacker can access any support ticket and read all the information that the users sent to support, and this without user interaction. In other words: an attacker can have full access to users' tickets using the ticket id...
Liberapay: Login CSRF : Login Authentication Flaw on https://liberapay.com/
Description: There is no CSRF validation while logging in, which leads to CSRF. An attacker can craft an HTML page containing information to have the victim sign into an attacker's account, where the victim may add sensitive payment information to the attacker's new account assuming he/she is logg...
GitHub Security Lab: [Java] CWE-327: Add more broken crypto algorithms
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: [hta3] Remote Code Execution on https://███ via improper access control to SCORM Zip upload/import
Summary: There is a Remote Code Execution vulnerability at https://█████████/Kview/CustomCodeBehind/base/courseware/scorm/management/scorm2004uploadcourse.aspx which allows any user to upload a SCORM course package. Furthermore, an attacker can add an ASPX shell to the SCORM package which will th...
GitHub Security Lab: ihsinme: CPP add query for CWE-788 Access of memory location after the end of a buffer using strlen.
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-598: Use of GET Request Method with Sensitive Query Strings
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-312: Query to detect cleartext storage of sensitive information using Android SharedPreferences
This bug was reported directly to GitHub Security Lab...
Acronis: Stored Cross-site Scripting on devicelock.com/forum/
Summary Hello, @acronis Team, I hope you are all doing well. I just found a Stored Cross-site Scripting on devicelock.com/forum/ by changing the City value on https://www.devicelock.com/bitrix/admin/useredit.php? to HTML/JavaScript code, which leads to Stored Cross-site Scripting. 1. Go to...
Mail.ru: Information Disclosure of Garbage Collection Cycle 'Again'
Performance metrics were available at youla.ru...
GitLab: CSRF on /api/graphql allows executing mutations through GET requests
Mutations are edit or create queries used in GraphQL. GitLab prevents CSRF in this functionality by sending a POST request with an X-CSRF-Token header. The bug I found here was that, when we send a GET request, the backend does not expect the X-CSRF-Token header. Using this, an attacker could...
Reddit: Third party app could steal access token as well as protected files using inAppBrowser
Summary: Reddit Android app version: 2021.8.0 OS: Android 11 This app uses the com.reddit.frontpage.RedditDeepLinkActivity class to route app links, including deeplinks and reddit.com links, while this class does not check the scheme or host and opens the given URL in InAppBrowser, and IAB has access to...
Evernote: CSRF leads to account deactivation of users
Steps to reproduce vulnerability: 1. Create 2 accounts, one for the attacker and one for the victim 2. With the attacker account go to https://www.evernote.com/secure/CloseAccount.action 3. Open your Burp Suite and when you press Deactivate your Evernote account you will see another popup of...
Mail.ru: Stored xss in calendar via call link
Call link URI schema in calendar.mail.ru web application was filtered improperly, allowing malicious javascript: links...
Acronis: admin password disclosure via log file
Hi, I have a log file disclosing the admin password on https://www.devicelock.com/log.txt; you can see the MD5 password in the log file: 2020-03-20 08:12:15 - main - Module: change password 4.1.2changepassword=yes;/forum/forumauth.php;login=admin;md5=2bca2f877b7a727861b59f4a4039d2e9 Impact this information admin...
Shopify: xss is triggered on your web
I don't know where my XSS Hunter script is, but my script is enabled on your web. It is on your web: 1. https://devicemanager.shopifycloud.com/admin Impact XSS is triggered...
Stripe: Verifying email bypass
A vulnerability was discovered in Stripe's Connect API that allowed an attacker to create an account without verifying the email address. This allowed the attacker to impersonate a real company and generate invoices and payments on their behalf. The invoices appeared valid as they were sent by...
Acronis: Information Disclosure via ZIP file on AWS Bucket [http://acronis.1.s3.amazonaws.com]
Summary Hello, @acronis Team, I hope you are all doing well. During my recon, I found an OPEN S3 BUCKET http://acronis.1.s3.amazonaws.com and this bucket has a ZIP file, and this file contains sensitive information about the internal system of Acronis. This ZIP file is from 2018, and it looks like it w...
GitHub Security Lab: Java: Fix NashornScriptEngine detection in ScriptEngine query
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [codeql-go]: Add query to find use of constant state parameter in Oauth2 flow
This bug was reported directly to GitHub Security Lab...
Acronis: Unrestricted file upload vulnerability in IMCE
Summary Steps To Reproduce POC 1. Go to "https://forum.acronis.com/" and create a user 2. Click on edit profile, go to Signature and click on insert image using the IMCE file manager 3. Now upload a PHP file and bypass by adding .gif in the endpoint Recommendations...
Showmax: bypass parental pin successfully
The researcher submitted a URL where our web application wasn't checking state properly and allowed users to see parental PIN settings without any authorization. As a result, anyone at the computer was allowed to see and/or change the parental PIN. Update 10/21: This report as well...
Acronis: Account Confirmation bypass leads to access to some functionality
STEPS: 1. Go to the URL https://account.acronis.com//auth/signup 2. Create a Business Account 3. Intercept the request using Burp Suite 4. Now intercept the response of the given HTTP request below 5. Change the field "confirmed":false to true 6. You can even bypass the Accept terms condition by changing...
U.S. Dept Of Defense: HTTP Request Smuggling
Hello dear support, I have found HTTP Request Smuggling on www.████████ Issue description ============== HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. By supplying a request that gets interpreted as being different...
U.S. Dept Of Defense: CVE-2021-26855 on ████████ resulting in SSRF
Description: CVE-2021-26855 exists on ███████ resulting in SSRF References https://vulners.com/cve/CVE-2021-26855 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855 Impact Server Side Request Forgery System Hosts ███████ Affected Products and Versions CVE Numbers...
U.S. Dept Of Defense: SSRF due to CVE-2021-26855 on ████████
Description: There exists a Server Side Request Forgery (SSRF) on █████████ due to CVE-2021-26855 References https://vulners.com/cve/CVE-2021-26855 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855 Impact Server Side Request Forgery System Hosts ██████ Affected...
RubyGems: Bundler's RCE with response using Marshal
A vulnerability was found in Bundler's dependency API endpoint, which uses Marshal serialization. This could allow for remote code execution if a client receives a specially crafted response. The impact is increased risk from specifying an untrusted source or man-in-the-middle attack...
U.S. General Services Administration: PHP info page disclosure
phpinfo is a debug functionality that prints out detailed information on both the system and the PHP configuration. Steps to reproduce: Go here: https://mysmartplans.gsa.gov/phpinfo.php An attacker can obtain information such as: Exact PHP version. Exact OS and its version. Details of the PHP...
U.S. General Services Administration: IDOR at training.smartpay.gsa.gov/reports/quizzes-taken-by-user
Hey, I found an IDOR that allows anyone to view other users' results by changing the USERID parameter. /reports/quizzes-taken-by-user.csv/USERID Steps to reproduce: Go to the section quizzes-taken-by-user as shown in the attached screenshot. Step 2: Click on Download CSV. Step 3: Intercept the request using the...
U.S. Dept Of Defense: CSRF to Cross-site Scripting (XSS)
Hello dear support, I have found CSRF to XSS on https://██████ my payload "; url: POST ██████████ post data answer=A"; Impact Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session...
GitHub Security Lab: Java: Query for detecting JEXL injections
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: CSRF to Cross-site Scripting (XSS)
Hello dear support, I have found CSRF to XSS on █████████ my payload "; Impact Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session...
Liberapay: Failure to Invalidate Session after Password Change
Summary While conducting my research I discovered that the application fails to invalidate sessions after a password change. In this scenario changing the password doesn't destroy the other sessions which are logged in with the old password. Reproduction Steps -Login with the same account in Chrome and...
GitLab: Guest Users can create issues for Sentry errors and track their status
Summary According to the permission docs and Error Tracking docs, only users with the Reporter role or higher can see or modify the Error Tracking details. However, "Create Issue" allows a particular Guest user to create a reference issue for the error and track its status whenever some other user...
GitHub Security Lab: Java : Add query to detect Apache Struts enabled Development mode
This bug was reported directly to GitHub Security Lab...
Panther Labs: Broken Link Hijacking on Twitter link
Our website was not updated to include our new twitter handle, and resulted in pointing to an old one that we disavowed. As a result, the bug bounty participant was able to register that Twitter handle and could have masqueraded as us. Not an actual security vulnerability or exploitation, but a...
Uber: 4 Subdomains Takeover on 2 domains ( muberscolombia.com & ubereats.pl )
The host at https://muberscolombia.com/ and http://sklep.ubereats.pl/ had a dangling record pointing to unclaimed Wix and Shoplo assets. The hacker registered the latter, and claimed ownership of the resource...
GitHub Security Lab: Java : Add a query to detect Spring View Manipulation Vulnerability
This bug was reported directly to GitHub Security Lab...
Uber: IDOR leads to leak analytics of any restaurant
The GraphQL service at https://restaurant.uber.com did not properly perform an authZ check, allowing an attacker to obtain detailed sales statistics, etc., for any restaurant. Writeup at https://0xprial.com/idor-leads-to-leak-any-uber-eats-restaurant-analytics/...
Mattermost: Persistent Arbitrary code execution in mattermost android
Summary: Activity com.mattermost.share.ShareActivity is exported and is designed to allow file sharing from third-party applications to the Mattermost Android app. I have found a path traversal vulnerability in the com.mattermost.share.RealPathUtil.java file public static String...
VK.com: XSS in stories.
Insufficient validation in the story name on мвк...
VK.com: Sending SMS to any number on behalf of vk.com. (The message in the SMS is always the same and cannot be changed.)
Sending SMS to any number for installing official applications; there are limits...
Shopify: Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints
Summary Shopify has a feature called Print Packing Slip; with this tool, users can easily print a packing slip after customers make an order. The generated packing slip can be downloaded as a PDF file. Users can use Edit packing slip template to adjust it to a shop design. However, there's hav...