Mattermost: Privilege Escalation leading to post in channel without having privilege
Hi H1, mattermost.cloud has a feature of making a channel and once it's set to public any other user can join the channel and post comments on that channel. In System Console -- Channel -- Permission channel owner can assign whether member can post comment or not. Once channel owner selects that...
Mattermost: Account takeover due to misconfiguration
A misconfiguration vulnerability allowed an attacker to take over an account due to the failure of the web application to invalidate tokens at major state changes in time. By changing the email address associated with the account and then changing it back, an attacker could verify the old email...
GitHub Security Lab: ihsinme: CPP add query for CWE-788 Access of memory location after the end of a buffer using strncat.
This bug was reported directly to GitHub Security Lab...
Mattermost: [mattermost.com] CORS Misconfiguration leakage of admin users
Summary: CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and security posture of any domains granted access. It's possible to get information about the users registered such as: id,...
curl: Inadequate Cryptographic Key Size and Insecure Cryptographic Mode. File Name :- curl_ntlm_core.c
The application is generating cryptographic keys or key pairs using a short and inadequate length. This application is using the ECB Electronic Codebook mode of operation to perform encryption, which is considered semantically insecure. Vulnerable File name :- curl_ntlm_core.c Vulnerable line no. 2...
Starbucks: Japan - CSRF in webapp.starbucks.co.jp with user interaction could leak an access token if the user was not using Chrome
elber discovered a CSRF in webapp.starbucks.co.jp leaked an access token if an authenticated user opened a crafted HTML file in a browser other than Chrome which has Same Site Attribute for the cookie set by default. elber also demonstrated the ability to add a Starbucks card to the account with...
GitLab: Guest users can create new test cases
Summary According to the permission docs and test case docs, only users with a role of Reporter or higher are allowed to create a test case. This vulnerability allows even Guest role users to create new test cases. Steps to reproduce 1. Consider a private project with Guest role user. 2. Consider the...
QIWI: gifts.flocktory.com/phpmyadmin is vulnerable to CSRF
Summary: Hello Team, I found that the PHPMyAdmin login panel is publicly accessible on https://gifts.flocktory.com and it is using the 4.6.6 version of PHPMyAdmin, which is vulnerable to several CVEs...
Internet Bug Bounty: Integer overflow in CipherUpdate
Summary: I reported an integer overflow to the OpenSSL security list on Dec 13, 2020 and it was fixed in OpenSSL 1.1.1j. Reporting it here for the bounty. It was assigned CVE-2021-23840 https://nvd.nist.gov/vuln/detail/CVE-2021-23840 which NVD rated CVSS 7.5. Amusingly, the same bug worked around...
HackerOne: Dangling cloud instance at vpn.inverselink.com
Summary: vpn.inverselink.com points to 54.202.130.246, which is currently serving a TLS certificate for Workday, Inc. This seems to indicate that the subdomain is no longer controlled by HackerOne. Optional: Supporting Material/References Screenshots % dig vpn.inverselink.com +short 54.202.130.24...
GitHub Security Lab: [Java] CWE-489: Query to detect main() method in Java EE applications
This bug was reported directly to GitHub Security Lab...
VK.com: Open Redirect and link substitution in the VKMA app snippet
Open redirect in mini-app link snippets...
GitLab: Reporters can upload design to issues using the "Move to" feature
Summary According to the permission documentation, only the Developer role or higher can upload Design Management files. However, using the issue "Move to" feature, a reporter can create an issue with designs. Steps to reproduce 1. Consider a private project say Private Project with a member Reporter...
Mail.ru: Reflected XSS on https://deti.mail.ru
Reflected XSS on deti.mail.ru via request header Referer...
U.S. Dept Of Defense: Blind Stored XSS on ███████ leads to takeover admin account
Hello Team, I am Hemant Patidar working as a security researcher and I found a bug in your site. Report of bug is as follows:- Vulnerable URL: https://████████/ Description: I have found that various field of the profile page is not properly configured to wipe out HTML tags and Javascript code...
DuckDuckGo: Reflected/Stored XSS on duckduckgo.com
Hi DuckDuckGo, While browsing normally, since I use DuckDuckGo on a daily basis, I discovered an interesting stored XSS on the duckduckgo main search engine. A payload that somebody had left on urbandictionary.com had triggered an HTML injection, and a stored XSS as a result. Steps to Reproduce 1...
New Relic: Untrusted deserialization issue when loading newrelic.yml file in Java agent leads to code execution on host
Hi team, The New Relic Java agent is using SnakeYAML for deserialization of the newrelic.yml config file. SnakeYAML has a 'feature' which can lead to code execution, this is documented here. With the !!com.some.Class "arg1", "arg2" notation it's possible to call Java code during the deserializati...
U.S. Dept Of Defense: Self XSS + CSRF Leads to Reflected XSS in https://████/
Hi Security Team, The form inputs in https://███/ Vulnerable to Self XSS Either the form was vulnerable to CSRF When these two bugs available and attacker could combine them to Perform a Reflected XSS Attack Impact Reflected XSS Execute JS Code in behave of a user System Hosts █████████ Affected...
Acronis: SQL injection in https://www.acronis.cz/ via the log parameter
I have discovered a SQL injection in https://www.acronis.cz/ using the POST request via the log parameter. Using sqlmap, I have retrieved the current user: 'uacronis@localhost'' The command used: sqlmap -p log -r request-cz.txt --current-user --level=2 --risk=2 I did not perform any other actions...
U.S. Dept Of Defense: Password Reset link hijacking via Host Header Poisoning leads to account takeover
Description: ████████ uses the Host header when sending out password reset links. This allows an attacker to insert a malicious host header, leading to password reset link / token leakage. References http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html...
Shopify: The POS app doesn't revoke the Xauth token
It was identified that the POS android application doesn't revoke the authentication token when the user logs off from the session. More specifically despite the fact that the app removes the entry from the shared_prefs/defaultuser.xml, the token remains active on the server side and may be used t...
CS Money: Html injection on subscription email
Vulnerability description not provided...
Nextcloud: HTML Injection on "polls" app - comments section (possibly XSS)
Hi everyone, On the latest version of the Polls app, 1.7.5, I noticed a lack of user input filtering for the "Description" part of the survey. An HTML injection is therefore possible. I tried to inject JavaScript code to get an XSS but I didn't succeed. Certainly someone better than me will be able to do...
Logitech: SSRF allows reading AWS EC2 metadata using "readapi" variable in Streamlabs Cloudbot
Detailed summary is provided by the hacker below. Summary: Streamlabs Cloudbot is a customisable chatbot provided by Streamlabs which allows the creation of custom commands along with custom responses. These chat responses can take in "Variables" wrapped in curly brackets as documented in...
Enjin: Race condition via project team member invitation system.
The user illustrated a race condition within the invitation system that allowed them to exceed the maximum number of members allowed by their plan...
8x8: DNS Misconfiguration (Subdomain Takeover) █.staging.█.8x8.com
An EC2 instance was terminated but the DNS record was initially not updated/removed. The issue has been rectified. Same technique mentioned on https://melbadry9.medium.com/dangling-dns-aws-ec2-e2d801701e8...
Shopify: Stored XSS on apps.shopify.com
Steps to reproduce: 1 Write payload luc1d"@wearehackerone.com as Store contact email in General Settings page.myshopify.com/admin/settings/general F1202181 -- Wait here around 60 mins maybe more idk, it was 60 mins for me for the change to reflect -- You can confirm the change on here...
CS Money: Blind Based SQL Injection in 3d.sc.money
Greetings, Hope Y'all good and fine! Summary: I found a Boolean Blind based SQL Injection in your website = 3d.cs.money It's a URI path injection. The vulnerability tested on the Original IP behind the CloudflareWAF and I've already reported this in my other report 1105673 The Affected URI :...
WordPress: Privilege Escalation via REST API to Administrator leads to RCE
Kien Hoang reported a privilege escalation vulnerability in the BuddyPress REST-API. Through this issue, if registrations for new users is enabled, a non-admin user can gain administrator access on the site. The administrator access can then lead to remote code execution, as admins have the right...
Mail.ru: IDOR to edit test/poll/quiz on relap.io
Hi. Here I've added a message on how to find the form id https://hackerone.com/reports/1106471 We can also edit any form. PoC: - Open your own test, edit something, save and catch the request - In the request change the domain id and in the request body the form id - The answer ids we can see,...
Mail.ru: IDOR to delete test/poll/quiz on relap.io
IDOR vulnerability in relap.io allowed to delete arbitrary test, poll or quiz forms...
Ruby on Rails: redirect_to(["string"]) remote code execution
For example, redirect_to(params[:user_input]) with a URL of ?user_input=something calls the method something_url and tries to redirect the return value of the method. If this call is on an unauthenticated route, it would allow an external user to test if a route name exists by determining if the app 500s...
U.S. Dept Of Defense: critical information disclosure
Description: hey all, I have found critical information through this endpoint ████ on ███████ DB credentials such as DBNAME, DBUSER, DBPASSWORD, DBHOST, etc. Impact full access control on DB service on website System Hosts ███ Affected Products and Versions CVE Numbers Steps to Reproduce Go to...
GitLab: Stored XSS via Mermaid Prototype Pollution vulnerability
Prologue Gitlab supports Mermaid as part of GFM to allow users to generate diagrams and flowcharts from text. In version 8.6.0, Mermaid added support for directives to add more control over styles/themes applied to the diagrams. You can read more about how this works here:...
GitHub Security Lab: [JavaScript]: add query for Express-HBS LFR
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: critical information disclosure
Description: hey all, I have found critical information through this endpoint /██████; this endpoint contains all env vars used in a www.██████ such as server credentials, db, mail, twitter clientid and clientsecret, facebook clientid and clientsecret, etc... Impact full access control on ever...
CS Money: Origin IP found, Cloudflare bypassed
Greetings! Hope Y'all good and fine. Summary: I would like to report another vulnerability very similar to my other report in 975991 Due to lack of secure design, I was able to find the origin IPs behind Cloudflare WAF. The IPs I found belong to: 3d.cs.money Description: I was able to find and...
Basecamp: Insecure Bundler configuration fetching internal Gems (okra) from Rubygems.org
I believe most likely that one of your projects is not set up correctly to only pull internal gems from your internal gem server, and instead will pull gems from Rubygems.org if the version number there is higher. Specifically, the "okra" gem. At around 15:21 today UTC the okra gem that I wrote –...
Mail.ru: [app-01.youdrive.club] RCE in CI/CD via dependency confusion
Dependency confusion allowed remote code execution in the youdrive CI/CD pipeline, as was demonstrated by the researcher via creation of a public npmjs.com package matching an internal dependency. I've extracted and saved the content of the package.json file for further research during investigating the previous...
Glovo: Server Side Template Injection on Name parameter during Sign Up process
Summary: Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. In this scenario, when an attacker signs up on the platform and uses a payload in the First Name field, the payload ...
QIWI: Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID
Summary The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the DOC_ID parameter on the TAktifBankObject operation GetOrder to inject arbitrary SQL statements into...
QIWI: Remote Code Execution on contactws.contact-sys.com via SQL injection in TPrabhuObject.BeginOrder in parameter DOC_ID
Summary The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the DOC_ID parameter on the TPrabhuObject operation BeginOrder to inject arbitrary SQL statements into t...
Ruby: Round-trip instability in REXML
Submitted previously via email to [email protected] due to REXML not being listed in the in-scope assets here. Explicitly requested by @hsbt to re-submit through HackerOne. CVSS rating calculated based on confirmed downstream impact. --- Hi Ruby Security Team, I'm reaching out to you to repor...
HackerOne: "Bounty splitting enabled" can disclose if public VDPs are running a private VRP
Hello Everyone, I hope all is safe and you're safe in this pandemic, and I hope this won't bother you like my previous submissions lol. Description: The "allowsprivatedisclosure" resource in team for a private team that has a public profile is shown there, which discloses that this program has a...
HackerOne: HackerOne Jira integration plugin Leaked JWT to unauthorized jira users
Summary: HackerOne provides an application tool HackerOne for Jira, an application that allows programs to track security issues through a jira instance. After testing the integration feature in the application, it was found that the application leads to the leakage of the JWT to unauthorized...
Snapchat: Organization Members in Snap Kit may Deactivate Apps
A member of a Snap Kit organization may deactivate an organization's app by performing a POST request to https://kit.snapchat.com/api/portal/graphql, even if they are not authorized to do so. This allows a malicious organization member to deactivate the apps of an organization, even if they are...
Shopify: Blind Stored XSS in shopify internal Parquet Viewer
A blind stored XSS vulnerability was found in a Shopify internal tool called Parquet Viewer. On February 14th, an XSS payload fired on an employee's computer. The vulnerable page was accessed locally on the employee's machine. The employee's IP address and user-agent indicate they were using a Ma...
GitLab: Stored DOM XSS via Mermaid chart
Prologue Gitlab supports Mermaid as part of GFM to allow users to generate diagrams and flowcharts from text. In version 8.6.0, Mermaid added support for directives to add more control over styles/themes applied to the diagrams. You can read more about how this works here:...
Acronis: Found multiple SAP NetWeaver vulnerable services
Summary: Hello Team, I found two SAP NetWeaver vulnerable services, redapi.acronis.com and redapi2.acronis.com. They do not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system,...
U.S. Dept Of Defense: Reflected XSS on https://█████
Summary: Reflected XSS can be used to steal user information because it is coming from a trusted website. A user can easily trust it and an attacker can easily steal user information. Steps To Reproduce: 1. go to https://████?profileid=%22%3E%3C/script%3E%3Cscript%3Ealert%27xss%27%3C/script%3E 2. you will...