GitHub Security Lab: [Java] CWE-326: Query to detect weak encryption with an insufficient key size
This bug was reported directly to GitHub Security Lab...
U.S. Dept Of Defense: Reflected XSS In https://███████
Hi security team, According to my report 1092618, the VDP team agreed that ████ and its subdomains are in the scope of the DoD program, so I continue testing that domain. Vulnerable Website URL: https://███████████████%3CSvg%20OnLoad=alert1%3E Description of Security Issue: Reflected XSS in path...
Glassdoor: Reflected XSS on https://help.glassdoor.com/gd_requestsubmitpage
The endpoint at help.glassdoor.com/gdrequestsubmitpage suffers from a Cross-Site Scripting vulnerability via the lang parameter. Thanks, @0x7 for finding and reporting this to us. Looking forward to more reports from you...
Rockset: Leaking Rockset API key on Github
Summary: We all know that Github is great, but it runs the risk of some credentials being revealed by mistake. In this case I found a Rockset API key. This API key is not in the current code, but it is visible in an old commit. Steps To Reproduce: You can find the leak in this link:...
Nextcloud: Take over a mail account due to missing validation of account id
A validation is missing to make sure the account id belongs to the logged-in user. To reproduce: 1. Login as user 2. Add a mail account to Mail 3. Go to account settings 4. Update the account again. See a request like below: curl 'http://localhost:50001/index.php/apps/mail/api/accounts/%7Bid%7D' ...
U.S. Dept Of Defense: IDOR leads to Leakage an ██████████ Login Information
Hi security team, According to my report 1092618, the VDP team agreed that █████████ and its subdomains are in the scope of the DoD program, so I continue testing that domain. Issue Description: There is an IDOR in ██████.███████ that is connected with ████████.███████ highly protected encryption chat...
Zenly: Google Maps API key stored as plain text leading to DOS and financial damage
The researcher highlighted the fact that the Google Maps API key which is by design easily retrievable from the .apk was missing some restrictions. It then could be used by anyone to query the Google Static Map API, and possibly lead to financial damage. Resolved by enforcing missing restrictions...
MercadoLibre: Reflected Cross Site Scripting
Reflected Cross Site Scripting was reported by @madara. A proof-of-concept code was provided to demonstrate the vulnerability. The issue was acknowledged and addressed internally by MercadoLibre...
ExpressionEngine: PHP Code Injection through "Translate::save()" method
A vulnerability was identified and fixed that could have allowed attackers to inject and execute arbitrary PHP code through improperly sanitized user input...
GitHub Security Lab: ihsinme: CPP Add query for CWE-401 memory leak on unsuccessful call to realloc function
This bug was reported directly to GitHub Security Lab...
Kubernetes: KOPS documentation references domains which were not registered
Summary: While researching the kubernetes documentation, I found that the KOPS project's Route53 configuration references dangling DNS servers. I was able to register 3 / 4 of these domain names. I was also able to verify that some companies have been using this configuration, making them...
Glassdoor: CSRF in Demographic Settings with valid gdtoken of other account
Hi Security Team, I found CSRF in account settings, exactly in Demographic, leading to change of Birth Years and Gender. Steps To Reproduce: 1. Create 2 accounts [email protected] [email protected] 2. Login with attacker account and go to Demographic settings, I change gender and birth years 3. Start burp...
Shopify: Password reset token leak via "Host header" on third party website
Hi Security Team, Product / URL https://your-store.wholesale.shopifyapps.com/ Description It has been identified that the application is leaking Token to third party sites. In this case it was found that the Token is being leaked to third party sites which is an issue knowing the fact that it can...
U.S. Dept Of Defense: Self stored Xss + Login Csrf
Description: User can set username between 8-20 alphanumeric characters, but with the help of inspect element attacker can manipulate ██████= & can insert an XSS payload resulting in self stored XSS & with the help of login CSRF attacker can force the victim into attacker's account causing...
Invision Power Services, Inc.: PHP Code Injection through "previewBlock()" method
Summary: The vulnerability exists because the IPS\cms\modules\front\pages\builder::previewBlock method allows passing arbitrary content to the IPS\Theme::runProcessFunction method, which will be used in a call to the eval function. This can be exploited to inject and execute arbitrary PHP code...
GitLab: FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com
Summary: Hi Team, a bit of an odd one here. The FogBugz import code uses CarrierWave::Uploader::Base:download! to download attachments from fogbugz.com when importing a FogBugz repository. CarrierWave::Uploader::Base:download! ultimately uses Kernel.Open to download the provided attachment URL...
U.S. Dept Of Defense: Bypassing CORS Misconfiguration Leads to Sensitive Exposure at https://███/
Summary: It's possible to get information about the users registered such as: id, name, login name, etc. without authentication in WordPress via API on https://██████████/. Description: There exists a cross-origin resource sharing CORS misconfiguration vulnerability at https://█████/, allowing...
OpenMage: Very long names on demo.openmage.org could redirect victim users to malicious url redirects via email contacts.
Summary: We found that the maximum length of the first and last name fields was not set to 32 characters at registration and to 1000 characters when using the profile update form. The attacker can use this method as a malware attack, the user will redirect to a website that contains malware or...
Enjin: CSRF Bypassed on Logout Endpoint
@ersalil was able to demonstrate that the logout functionality had no CSRF protection which meant that they were able to log another user out by simply having that user submit a POST request to the /logout endpoint...
Shopify: [h1-2102] Partner's team member with no permission can retrieve services financial data
Details Unfortunately, I wasn't able to properly validate the following report as I could not get access to the "my partner's services" option; the event is ending in a few hours and that access is manually given https://help.shopify.com/en/partners/selling-services. However, given the observed behaviour, ...
Shopify: [h1-2102] [Yaworski's Broskis] Low privilege user can read POS PINs via graphql and elevate his privilege
Summary: A low privilege user both in the shop and in the POS can read POS PINs via graphql and elevate his privilege with physical access to the POS. Steps To Reproduce: 1. Log in to your shop and install the POS app https://apps.shopify.com/shopify-pos 2. Log in Shopify Plus as an org owner a...
VK.com: CSRF in widgets
Insufficient hash checks in the application widget preview box...
Shopify: [h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status
Summary: There is a CSRF vulnerability in the Wholesale application to generate an invitation token for a user and move that user to invited status. Steps To Reproduce: 1. Log in to Shopify and configure Wholesale 2. Add a price list 3. Add a customer with the tag wholesale 4. Adjust the pricelis...
MTN Group: RXSS - http://macademy.mtnonline.com
The page located at http://macademy.mtnonline.com suffers from a Cross-site Scripting XSS vulnerability. XSS is a vulnerability that occurs when user input is unsafely incorporated into the HTML markup inside of a webpage. When not properly escaped an attacker can inject malicious JavaScript that...
Rocket.Chat: Blind XSS
Blind XSS The page located at https://livechat.coinflex.com/livechat suffers from a Cross-site Scripting XSS vulnerability. XSS is a vulnerability which occurs when user input is unsafely incorporated into the HTML markup inside of a webpage. When not properly escaped an attacker can inject...
Automattic: Non-changing "_idnonce" value leads to CSRF on accounts at https://intensedebate.com for account takeover
Summary: The "idnonce" value on https://intensedebate.com protects victims from CSRF attacks. However, this value is not changing with changed user ids of the same account: the idnonce value is the same in the request from user id 'X' and user id 'Y' when 'X' is changed to 'Y'. It leads to CSRF on victim's accoun...
U.S. Dept Of Defense: CSRF in https://███
Summary: Cross-Site Request Forgery CSRF Impact 1- The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. 2- Send many requests via server, I mean request to server and...
Ruby: Command injection in OptionParser.load
The OptionParser.load function uses IO.readlines to read the file, which can inject a | command to execute commands. poc: require 'optparse' OptionParser.new do |opts| opts.load"|touch /tmp/niubl" end.parse! Impact The command may be executed unintentionally...
Brave Software: Onion-Location header allows to open arbitrary URLs including chrome:
The "Open in Tor" feature in Brave Nightly for OSX allowed arbitrary URLs to be opened through the Onion-Location response header, including privileged URLs such as chrome://restart/. This could be exploited to bypass SOP restrictions and gain access to privileged URLs...
Shopify: [h1-2102] [Yaworski's Broskis] Suspected overcharge and chargebacks in PoS
Summary: NOTE: This one need verification from the side of Shopify as we can't set up a real payment GW or check the logs of the test one When checking out in PoS and paying with credit card, it is possible to manipulate numbers in the end request to overcharge a client charge more than the item...
GitLab: Responsible Disclosure of Privacy Leakage Issue
Greetings, I am Mojtaba Zaheri, a doctoral candidate in Computer Science, affiliated with the NJIT Cybersecurity Research Center. Together with my doctoral dissertation advisor, Prof. Reza Curtmola, we are reaching out to perform responsible disclosure of a vulnerability present on the GitLab...
IBM: Insecure Object Permissions for Guest User leads to access to internal documents!
An Insecure Object Permissions vulnerability was reported to IBM, analyzed and remediated. Thank you to mocr7...
8x8: DNS Misconfiguration (Subdomain Takeover) ███.wavecell.com
An S3 bucket was deleted, but a DNS record pointing to the bucket was initially not updated/removed. The issue has been rectified...
New Relic: Account Takeover via Email ID Change and Forgot Password Functionality
@dsdh discovered an issue with the email change flow, where emails would be sent to the new email address prior to that address being verified. An attacker could have abused this issue to access vulnerable user accounts...
Algolia: email verification bypass
An issue in the way email modification was handled during the email verification process allowed the creation of account with arbitrary email address, bypassing the email verification step. A logical flaw resulting in email verification bypass! :D...
Rocket.Chat: Hi! Security Team Rocket.Chat, It's possible to get information about the users emails without authentication
Description: Email enumeration vulnerability. Vulnerable api method: /api/v1/users.2fa.sendEmailCode Releases Affected: Rocket.Chat up to 3.10.5 Request for existing account: POST /api/v1/users.2fa.sendEmailCode HTTP/1.1 Host: rocket-chat.local:3000 Referer: http://rocket-chat.local:3000/home...
Mail.ru: [int.ucs.ru] Access to the UCS internal network via a forgotten Fiddler proxy on 217.25.235.214:7459
SSRF on ucs.ru...
HackerOne: Ability to invite a new member on Sandbox Program
In the description HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go here. You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the...
Shopify: [h1-2102] Break permissions waterfall
Summary: Shopify Plus User permission roles will propagate changes to all the users in the role. It's possible to break this: if you pass FULL along with other Permissions into a user role edit, it will propagate to the users and give them full access while the role shows partial access. Steps To...
Shopify: Improper deep link validation
The application contains an activity which validates and handles the deep link requests, initiated from a VIEW intent action. The declared schemes include http and https request for the domain shopify.com as well as .myshopify.com. The path prefixes include mostly subdirectories of the /admin pat...
GitHub Security Lab: ihsinme: CPP Add query for CWE-14 compiler removal of code to clear buffers.
This bug was reported directly to GitHub Security Lab...
X (Formerly Twitter): PI leakage By Brute Forcing and Phone number deleting without using password
Summary: This additional security measure from twitter provides protection to the victim's account, considering that a victim's session may have been hijacked by a hacker, however, due to this additional layer of security Implemented by twitter the hacker would not be able to disclose the victim'...
Shopify: Github access token exposure
While dissecting an application made by one of your employees I found his GitHub Personal Access Token PAT; he's a member of the org with pull and push access to all of your repositories. As a proof I can tell you that on the repo github.com/Shopify/shopify at commit hash cea9c273391d the sha512 ...
TikTok: CSRF on TikTok Ads Portal
A CSRF Cross Site Request Forgery vulnerability was reported in the TikTok Ads portal which could have been used to disable an ad campaign. We thank @probatorem for reporting this to our team...
Shopify: Store Deletion or Sell without authentication
In order for an owner to "close or sell" the store, a password is required in order to confirm the decision, when the action is applied in the web application. It was identified that the mobile application doesn't require credentials in order to perform the same action, thus by navigating to the...
Shopify: Open Redirect on Login Page of Stocky App
Vulnerable app is Stocky. 1. Visit login page of app with vulnerable parameter & malicious website address ?returnto=//evil.com like https://stocky.shopifyapps.com/users/login?returnto=//evil.com 2. Then login to account 3. Open Redirect is executed PoC Video: F1172071 Impact Open Redirect...
Weblate: Race Condition allows to get more free trials and get more than 100 languages and strings for free
Hi there, there is a rate limit on the website, but it doesn't prevent users from taking more than one trial, which later leads to loss for the company, because by getting more trials I can get more strings and languages limit. Steps to reproduce: 1. Create an account on https://hosted.weblate.org and...
Shopify: [h1-2102] HTML injection in packing slips can lead to physical theft
Summary: An HTML injection vulnerability exists in the packing slip generator, allowing customers to alter the logistical process of their own and others' orders for shops that choose to display the user's e-mail address on the packing slip. The success rate depends on the shop's setup and can result i...
GitLab: Stored-XSS on wiki pages
Hello, A Stored-XSS exists on Wiki pages. It is caused by a recent change in show.html.haml L10 ruby ... "".htmlsafe ... authorurl is defined by committed email in wikipageversion.rb: ruby delegate :message, :sha, :id, :authorname, :authoremail, :authoreddate, to: :commit def authorurl user =...
Sixt GmbH & Co. Autovermietung KG BBP: Cross domain token leakage via Referer header
Summary: The password reset link of user account on critical sixt+ domain/product can be obtained using the page https://www.sixt.com/php/profile/loginorpasswordforgotten. This page requires email address and surname/lastname of the user to send password reset link on email. This link contains th...