Nextcloud: bypassing dashboard without account + Information disclosure through websockets
Summary: I found an information disclosure: by bypassing a URL parameter, an attacker can redirect to the dashboard without the login user/pass page, and a websocket can be exposed in the response/dashboard. URL affected: https://support.nextcloud.com/passwordreset Steps To Reproduce: Opened directory at...
Slack: Lack of URL normalization renders Blocked-Previews feature ineffectual
Slack has a feature known as Blocked Previews, which allows Workspace Owners and Admins to specify a list of URLs for which no link preview should occur. The point of this feature is to reduce clutter and prevent harmful content from getting embedded in the workspace. However, whe...
Shopify: staffOrderNotificationSubscriptionDelete Could Be Used By Staff Member With Settings Permission
Hi, The staff order notification should be under the control of staff members with Order permission but I found that the staff member with just Settings permission can also delete the order notifications using the GID Steps to reproduce - Login as a staff member with Settings permission - Make th...
Shopify: staffOrderNotificationSubscriptionCreate Is Not Blocked Entirely From Staff Member With Settings Permission
Hi, I found that the GraphQL call staffOrderNotificationSubscriptionCreate is not blocked from the staff member with Settings permission Steps to reproduce - Login as a staff member with Settings permission - Make this GraphQL call to...
U.S. Dept Of Defense: Blind SQL Injection
Hi DoD Security team, I found a Blind SQL Injection in the domain below: https://███████ Proof of concept: Vuln URL: https://██████████/██████ PoC: URL-encoded POST input ███ was set to -1' OR 321=6 AND 1=1 or '4mEwSPwJ'=' Tests performed: -1' OR 1=1 or '4mEwSPwJ'=' = TRUE -1' OR 2=4 or '4mEwSPwJ'...
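The boolean-based probe quoted in this report, replayed offline against a throwaway SQLite table so the TRUE/FALSE behaviour of the injected condition can be seen next to a parameterised version of the same query. This is an added example, not the reporter's code or the target's: the table, its columns and the string-concatenated query shape are assumptions standing in for the unknown backend, and the rows are constructed sample data.

```python
"""Boolean-based blind SQL injection probe, replayed offline (added example).

The SQLite table, its columns and the string-concatenated query are
assumptions standing in for the target's backend; the rows are constructed.
"""
import sqlite3

# Constructed sample data standing in for the target's table.
SAMPLE_ROWS = [("1", "alice"), ("2", "bob"), ("3", "carol")]

# Payloads quoted in the report. Each closes the open string literal, ORs in a
# boolean expression, then re-opens a literal so the query's trailing quote
# stays balanced ('4mEwSPwJ'='' is a complete, always-false comparison).
PAYLOAD_TRUE = "-1' OR 1=1 or '4mEwSPwJ'='"
PAYLOAD_FALSE = "-1' OR 2=4 or '4mEwSPwJ'='"
PAYLOAD_MIXED = "-1' OR 321=6 AND 1=1 or '4mEwSPwJ'='"


def make_db():
    """In-memory database holding the assumed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, user_input):
    """Assumed injection sink: the POST value is concatenated into the SQL."""
    sql = "SELECT name FROM users WHERE id = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, user_input):
    """Same query with a bound parameter: the input can only ever be a value."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def injected_condition_is_true(conn, payload):
    """The blind oracle: rows came back although id '-1' does not exist."""
    return len(vulnerable_lookup(conn, payload)) > 0


def compare(payload):
    """Return (rows via the vulnerable sink, rows via the parameterised query)."""
    conn = make_db()
    return vulnerable_lookup(conn, payload), safe_lookup(conn, payload)


if __name__ == "__main__":
    for p in (PAYLOAD_TRUE, PAYLOAD_FALSE, PAYLOAD_MIXED):
        vuln_rows, safe_rows = compare(p)
        print(f"{p!r}: vulnerable -> {len(vuln_rows)} rows, "
              f"parameterised -> {len(safe_rows)} rows")
```

The third payload shows why the report's first probe reads as FALSE: AND binds tighter than OR, so `321=6 AND 1=1` collapses to false and no rows return, while `1=1` alone returns every row. The parameterised query returns nothing for all three, because the whole string is compared as a literal id.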
Shopify: Is the Google Bucket Meant To Be Publicly Listable? https://cdn.shopify.com/shop-assets/
Hi, I found that https://cdn.shopify.com/shop-assets/ is listing all the objects in https://storage.googleapis.com/arrive-assets-storage-production/ But when I directly visit https://storage.googleapis.com/arrive-assets-storage-production/, it says Anonymous caller does not have...
TikTok: Subdomain Takeover via Unclaimed Amazon S3 Bucket (Musical.ly)
An unclaimed Amazon S3 bucket which was no longer used for any TikTok applications and did not host any user data could have allowed a takeover of a musical.ly subdomain. We thank @daik0n for reporting this to our team...
Reddit: [dubmash] Lack of authorization checks - Update Sound Titles
Summary: During the security testing, it has been observed that the UpdateSound api is vulnerable to IDOR. It allows an attacker to edit the victim's sound track titles. This vulnerability can be exploited using the sound track's uuid in the vulnerable request. This id is publicly known. Steps To...
Bitso: Broken link hijack
Hello sir, my name is Mohit Kumar. I found a bug known as broken link hijack on Telegram. Steps to view bug -- Navigate to -- https://bitso.com/ -- go down and click on language and then click on Español-Argentina; you can now see the Telegram link, click on that. I have attached a video PoC too. There's...
Engel & Völkers Technology GmbH: Grafana default username password authentication into the Grafana platform of the grafana.ev-cloud-platform.engelvoelkers.com
Summary: Default username and password are working for grafana.ev-cloud-platform.engelvoelkers.com. Steps To Reproduce: Log into the panel as username - █████████ password - █████ Attachment: PoC video is attached. Impact: This can lead to disclosure of sensitive information about the server's analytics and other...
Engel & Völkers Technology GmbH: CVE-2019-11248 on alertmanager.ev-cloud-platform.engelvoelkers.com
Summary: The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration. Steps To Reproduce: Navigate to the following...
GitHub Security Lab: [golang] Division by zero query
This bug was reported directly to GitHub Security Lab...
Concrete CMS: Authenticated path traversal to RCE
Description: The bFilename parameter in the scenario index.php/ccm/system/dialogs/block/design/submit is vulnerable to remote code execution via a path traversal vulnerability. An authenticated attacker with rights to edit web application pages can upload a malicious PNG file containing PHP code...
Kubernetes: kubectl creating secrets from stringData leaves secret in plain text
Report Submission Form Summary: kubectl creating secrets from stringData leaves secret in plain text Kubernetes Version: $ kubectl version Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.3", GitCommit:"1e11e4a2108024935ecfcb2912226cedeafd99df", GitTreeState:"clean", ...
Concrete CMS: Stored unauth XSS in calendar event via CSRF
Description: The description parameter in the scenario /index.php/ccm/calendar/dialogs/event/add/save is affected by Stored XSS due to lack of filtering of user-supplied data. It should also be mentioned that this endpoint does not verify the CSRF token ccmtoken, which leads to an ability to...
Mail.ru: Reflected XSS https://tracker.my.com
Reflected XSS on tracker.my.com via GET parameter iconUrl...
curl: CVE-2021-22876: Automatic referer leaks credentials
Summary: When using the --referer ';auto' feature the current URL is copied as-is to the referrer header of the subsequent request. The recommendation [1] is to strip these along with the URL fragment. I can imagine this may, in rare cases, result in unwanted/unexpected disclosure of credentials e....
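The leak the report describes beside the stripping it recommends, as an added example in Python (not curl's code): the current URL is reused as the Referer value as-is, versus with the userinfo and fragment removed first. The URL is constructed and the helper names are this example's own.

```python
"""Automatic Referer derived from the current URL (added example, not curl's code).

Shows the as-is copy the report describes next to a version that strips
userinfo and fragment. CURRENT_URL is constructed; the helpers are this
example's own names.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed current URL carrying both userinfo and a fragment.
CURRENT_URL = "https://user:s3cr3t@example.com:8443/app/page?x=1#section"


def naive_auto_referer(url):
    """The behaviour reported: the current URL copied as-is into Referer."""
    return url


def safe_auto_referer(url):
    """Drop userinfo (user:pass@) and the fragment before reusing the URL."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]  # keep host[:port], discard credentials
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def leaks_credentials(referer_value):
    """Check a reviewer can run over outgoing Referer values."""
    return "@" in urlsplit(referer_value).netloc


if __name__ == "__main__":
    for label, fn in (("naive", naive_auto_referer), ("stripped", safe_auto_referer)):
        value = fn(CURRENT_URL)
        print(f"{label:8}: Referer: {value}  leaks={leaks_credentials(value)}")
```

Splitting on the last `@` in the netloc rather than the first matters because a password may itself contain `@` when percent-encoding has been skipped; the host is always the part after the final one.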
8x8: DNS Misconfiguration (Subdomain Takeover) ███████.8x8.com
An EC2 instance was replaced but the DNS record was initially not updated/removed. The issue has been rectified. https://medium.com/bugbountywriteup/dangling-dns-aws-ec2-e2d801701e8...
Rockstar Games: Open redirect on https://signin.rockstargames.com/connect/authorize/rsg
In this report, the researcher found that a previously-addressed Open Redirect vulnerability on https://signin.rockstargames.com/connect/authorize/rsg had once again become exploitable. We were able to quickly re-apply our previous solution and once again resolve the vulnerability...
VK.com: Stored XSS when deleting a group from a conversation (m.vk.com)
Insufficient filtering of characters in the community name...
U.S. Dept Of Defense: Course Registration Form Allowing an attacker to dump all the candidate name who had enrolled for the course
The application allowed an attacker to enumerate all candidate names who had applied for various courses by cycling a numeric parameter in the application's URL...
GitHub Security Lab: [Java] CWE-295: Disabled certificate validation in JXBrowser
This bug was reported directly to GitHub Security Lab...
Automattic: Reflected XSS due to vulnerable version of sockjs
Summary: There is reflected XSS on .simperium.com. The bug exists due to a vulnerable version of the sockjs library. Platforms Affected: simperium.com js.simperium.com Steps To Reproduce: 1. Visit https://simperium.com/sock/1/0/0/0/htmlfile?c=alert('XSS')// 2. You will see an alert message because of...
Automattic: SSRF & Blind XSS in Gravatar email
Nathan Cavitt (rockybandana) reported a blind XSS issue in the Gravatar service, which was due to incorrect/insufficient sanitization on adding emails to one's profile. The report was of good quality and the issue was fixed within a couple of days of report...
Mail.ru: REST API Endpoint leads to Unauthorized user disclosed private [ issue ] details
Summary Jira allows an administrator to restrict access to projects to specific users only. Or adjusting all project properties to be available only to the system administrator, which means that all users in the jira account cannot access issues, project, dashboard and any information about the...
Kartpay: Host Header Injection
Summary: Hello Team, While performing security testing on your Main Domain, I found a Host Header Injection Vulnerability. Vulnerability Description: An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multip...
GitLab: Kroki Arbitrary File Read/Write
Summary In short, I've found a potentially weird bug in asciidoctor that could lead to arbitrary file read/write in asciidoctor-kroki even though GitLab has already made an attempt to disable kroki-plantuml-include. lib/gitlab/asciidoc.rb: module Gitlab # Parser/renderer for the AsciiDoc format...
Revive Adserver: Reflected XSS on /admin/campaign-zone-zones.php
I found a reflected XSS attack on /admin/campaign-zone-zones.php. Revive-Adserver version is revive-adserver-5.1.1. - Go to http://revive-adserver.loc/admin/campaign-zone-zones.php?=&clientid=1&campaignid=1&status=available%22%3E%3Cimg%20src=1%20onerror=alert(document.domain)%3E&text= - Malicious...
Revive Adserver: Reflected XSS on /admin/stats.php
Linked to the report https://hackerone.com/reports/1083376 I found a reflected XSS attack on /admin/stats.php. Revive-Adserver version is revive-adserver-5.1.1. This time I found the parameter statsBreakdown - Go to...
Glassdoor: Open redirect on https://www.glassdoor.com/profile/siwa.htm via state parameter
An open redirect was found at https://www.glassdoor.com/profile/siwa.htm due to improper validation of the state parameter. Thanks, @0x7 for finding this and reporting this to us and looking forward to more reports from you...
Kubernetes: API Server DoS (crash?) if many large resources (~1MB each) are concurrently/repeatedly sent to an external Validating WebHook endpoint
Report Submission Form Summary: I was trying to explore a way to stealthily send lots of data outside a private GKE cluster by way of misusing the Validating Webhook mechanism. The idea would be that a cluster-admin could install a webhook and then initiate resources like a secret or configmap th...
Shopify: https://themes.shopify.com::: Host header web cache poisoning lead to DoS
Hi there, I just found that the website https://themes.shopify.com is affected by "Web cache poisoning" via the Host header, leading to Denial of Service. By abusing this bug, an attacker can: poison your cache with an HTTP Host header carrying an arbitrary port which is not open. This attack may lead to Denial of...
X (Formerly Twitter): Ability to add arbitrary images/descriptions/titles to other people's issues via IDOR on getrevue.co
Summary: Hi team, I discovered a vulnerability that allows an attacker to add arbitrary images/descriptions/titles to other people's issues via IDOR Description: It's possible to perform an IDOR attack on getrevue.co: when adding an image to your issue it's also possible to add descriptions and mor...
ExpressionEngine: Comment/channel unsubscribe GET CSRF
A vulnerability was identified and fixed that could have allowed attackers to unsubscribe users from comment notifications by exploiting the lack of CSRF protection...
ExpressionEngine: Arbitrary forum topic close with GET CSRF.
The vulnerability allowed attackers to open or close forum threads by exploiting the lack of CSRF protection...
ImpressCMS: CSRF to XSS in /htdocs/modules/system/admin.php
The "admin.php" file in the "system" module of ImpressCMS version 1.4.2 was vulnerable to a Cross-Site Scripting (XSS) attack. This vulnerability allowed an attacker to execute malicious scripts in the context of an authorized user by exploiting a lack of input sanitization. The vulnerability was...
ExpressionEngine: Arbitrary comment content change with GET CSRF.
The vulnerability in Expression Engine 6.0.1 allowed unauthorized modification of comments through improperly protected requests...
ExpressionEngine: Stored XSS filter bypass on discussion forum. "URL" tag.
A vulnerability was identified and fixed that could have allowed attackers to bypass the XSS filter in the discussion forum, enabling arbitrary JavaScript execution in the victim's browser...
ExpressionEngine: Stored XSS filter bypass on discussion forum.
A vulnerability was identified and fixed that could have allowed attackers to bypass the XSS filter in the discussion forum, enabling arbitrary JavaScript execution in the victim's browser...
ExpressionEngine: Import/Convert user file exposure leading to logins/passwords/PII leak.
The user data files processed through admin tools were stored in a predictable location, making them accessible without authentication due to an insecure system configuration...
ExpressionEngine: Non-authenticated path traversal leading to arbitrary file read
Non-authenticated path traversal leading to arbitrary file read. Insufficient user input filtering resulted in arbitrary file read by non-authenticated attacker, leading to sensitive information disclosure...
FetLife: Stored XSS via Angular Expression injection via Subject while starting conversation with other users.
The reporter pointed out that the Subject field for sending private messages using FetLife's onsite chat was vulnerable to a stored XSS exploit, allowing people to execute potentially malicious contents on the receiving end of the message...
U.S. Dept Of Defense: CRXDE Lite/CRX is on ██████ exposed that leads to PII disclosure
Hi team, I found that AEM is running on ████████ and CRXDE Lite/CRX is exposed to unauthenticated users, which can lead to information disclosure. POC ==== 1-visit https://██████//██████████ 2-go to query and search for admin then execute 3-go to this endpoint to retrieve the information...
Informatica: Cross site scripting
Researcher identified a XSS vulnerability in a service used by Informatica. Informatica worked with the vendor to patch their service for us and all other customers of the vendor. Thanks rawezhali for your responsible disclosure...
U.S. Dept Of Defense: Reflected XSS in https://██████████ via "████████" parameter
Hello Security Team, I would like to report the XSS vulnerability on your system. The ██████████ parameter is not escaped properly for URL encoded values. ██████ Impact An XSS attack allows an attacker to execute arbitrary JavaScript in the context of the attacked website and the attacked user...
GitHub Security Lab: [Java] CWE-522: Insecure LDAP authentication
This bug was reported directly to GitHub Security Lab...
WordPress: Authenticated XXE
Description: The WordPress core Media Library does not securely parse XML content when running on PHP 8. By uploading a malicious .wav file, an authenticated attacker can trigger an XXE vulnerability which enables reading secret system files, DoS of the web server, SSRF, or aiming at Remote Code...
VK.com: [VK Android] Access to app protected components leads to arbitrary code execution
Arbitrary code execution...
Kubernetes: Node Validation Admission does not observe all oldObject fields
Summary: The Validating Admission webhook for Node Objects is passing oldObject fields incorrectly on AdmissionReview.Request. It was identified initially in metadata.labels, but a list of impacted fields follows below: oldNode.Spec.PodCIDRs oldNode.Spec.ProviderID oldNode.Spec.ConfigSource...
LY Corporation: Theft of arbitrary files in LINE Lite client for Android
Due to one of the exported activities (com.linecorp.linelite.ui.android.share.SelectShareActivity) of LINE Lite client for Android before 2.17.0 not verifying the URI sent by a third-party application installed on the user device, the application with some interaction of the user would be able to...