BlockDev Sp. Z o.o: xmlrpc.php file is enabled; it will be used for brute-force attacks and Denial of Service (DoS)
xmlrpc.php file is visible...
GitLab: Change project visibility to a restricted option
Summary When a GitLab administrator on gitlab.com or a private instance has restricted a project visibility option, the project visibility can still be changed to that option. This can be done using the API route. The same applies to groups. They can also be set to, for example, internal on the...
OpenMage: CSRF in changing password after using reset password link
Summary: Hey OpenMage, the forgot password page is not protected against CSRF attacks, which can lead to changing the password. Use the below form to test: html document.forms0.submit Steps To Reproduce: 1. Go to https://demo.openmage.org/customer/account/forgotpassword/ 2. Enter your email and ask for...
Mail.ru: restaurant.delivery-club.ru - ability to obtain information about other people's promotions.
Vulnerable endpoint: PUT /dashboard/promotions HTTP/1.1 Host: restaurant.delivery-club.ru User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:84.0 Gecko/20100101 Firefox/84.0 Accept: application/json, text/plain, / Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip...
curl: Proxy-Authorization header carried to a new host on a redirect
Hi cURL team, I am not entirely sure this is an issue, please feel free to close if it isn't. I noticed that when making an HTTP GET request with a Proxy-Authorization header, together with the "-L" flag to follow redirects: curl -H "Authorization-Proxy: Basic xxx==" http://host:8000 -L If the remote...
Acronis: Blind SSRF vulnerability on cz.acronis.com
Vulnerability description not provided...
Mail.ru: [https://geekbrains.ru/profile] - authenticity_token not tied to user session leads to CSRF attacks
CSRF on geekbrains.ru The CSRF token on /profile was valid, but not tied to the user's session, e.g. Account A's token was valid on Account B. This could have led to changing other users' phone number, birth date, legal name etc...
Shopify: [h1-2102] FQDN takeover on all Shopify wholesale customer domains by trailing dot (RFC 1034)
Summary: Due to a missing domain format check in Shopify's wholesale functionality, it is possible to serve arbitrary content on the customer's domain through existing DNS records already configured to work with Shopify. I only tested with domains that I own but as far as I understand, this would...
FetLife: Stored XSS via `Create a Fetish` section.
The reporter pointed out that the fetish field for creating new fetishes on FetLife was vulnerable to a stored XSS exploit; after creating a fetish for which this exploit was used, the contents would execute whenever people added the fetish to their profile and attempted to edit the fetish through...
U.S. Dept Of Defense: █████████ IDOR leads to disclosure of PHI/PII
Summary: ████ is designed in a way where there is a vulnerable endpoint that allows a non-medical user to view the ██████████ records of people who are not ████████s of the sponsor. Description: I am currently an Active Duty Airman and this vulnerability does require CAC authentication. When...
OpenMage: No error thrown when IDOR attempted while editing address
Summary: The demo.openmage.org application has features to add, edit and delete addresses. When a user tries to edit the address of another user, the server adds a new address with a new id on the attacker's account. By sending it to an intruder, an attacker may cause DoS. Steps To Reproduce: 1...
Mail.ru: prometheus server monitoring System publicly accessible
Performance metrics were available at track.mail.ru...
Shopify: [h1-2102] Stored XSS in product description via `productUpdate` GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID]
This is most likely going to be a duplicate, so I'll keep it short. A stored cross site scripting vulnerability exists at handshake-web-internal.shopifycloud.com through the product description field. Requirements: A shop with the Handshake plugin enabled and set up. Reproduction steps: 1. Add a...
Snapchat: CSRF when unlocking lenses leads to lenses being forcefully installed without user interaction
Hi, The url below allows a user to unlock a particular lens. Once they have opened the URL on their phone, Snapchat opens up and prompts the user to unlock this lens. https://www.snapchat.com/unlock/?type=SNAPCODE&uuid=6ff5a565fca249a1948b1963ee2881b4&metadata=01 By changing the value of type in...
Shopify: [h1-2102] shopApps query from the graphql at /users/api returns all existing created apps, including private ones
Summary: I have seen that there is a query called shopApps executable on the /ID/users/api graphql that returns a huge amount of apps; it times out with a limit. In the response I have noticed the returned apps also include the private apps, so I do not think that this is intended like this. Using...
OpenMage: No Limit on Email Subscription
Summary: Hello Madison, I have found a business logic error which causes an unlimited amount of newsletter subscriptions, as you can see in the image I have provided. Steps To Reproduce: 1. Open Burp Suite and set the proxy and intercept on. 2. Then go to https://demo.openmage.org/ and enter the email y...
Shopify: [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement
Summary: There is an access control issue that happens when a Shopify Plus user tries to update the 2FA requirement of a user in another organisation. While the response shows an error message, an email is sent to the user with the 2FA status, first name, last name, email address, and shop id fro...
Shopify: [h1-2102] [PLUS] User with Store Management Permission can Make enforceSamlOrganizationDomains call - that should be limited to User Management Only
Summary: PLUS User with Store Management Permission can make the enforceSamlOrganizationDomains call, which should be limited to User Management only. Description: A user with Store management permission, as shown in the screenshot below (F1168574), should not have the ability to enforce SAML organization...
Shopify: [h1-2102] [Plus] User with Store Management Permission can Make convertUsersFromSaml/convertUsersToSaml - that should be limited to User Management
Summary: Plus User with Store Management Permission can make convertUsersFromSaml/convertUsersToSaml calls, which should be limited to User Management only. Description: A user with Store management permission (F1168487) only is able to convert user accounts from SAML and to SAML using the graphql. Impact...
Shopify: [h1-2102] [Plus] User with Store Management Permission can Make changeDomainEnforcementState - that should be limited to User Management Only
Summary: User with Store Management Permission can make the changeDomainEnforcementState call, which should be limited to User Management only. Description: A user with Store management permission (F1168470) only is able to change user management settings using the graphql. Steps To Reproduce: As a...
Shopify: [h1-2102] [Oberlo] Least privileged user can cancel account owner's subscription via POST on /payments/subscribe
Vulnerability description not provided...
Shopify: [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserRole
Summary: There is an access control issue that happens when a Shopify Plus admin tries to assign a role to a user in another organisation. While the response shows an error message, an email is sent to the shop admin with the first name, last name and email address of the user. Steps To Reproduce...
Internet Bug Bounty: Buffer overflow in PyCArg_repr in _ctypes/callproc.c for Python 3.x to 3.9.1
TL;DR Description: Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs...
Acronis: Stored XSS in profile page
Summary There is a stored XSS vulnerability in the user's profile page. Steps: 1. Go to https://forum.acronis.com, create a user and log in. 2. Go to profile and edit it. 3. Enter javascript code in the Signature field; for example, use this code in Signature: test 4. Send this profile to other users, or se...
Acronis: Cross Site Scripting (Reflected) on https://www.acronis.cz/
Summary You can post javascript and html code in form fields. Steps: 1. Go to the vulnerable link: https://www.acronis.cz/poptavka-acronis/ 2. Enter this javascript code "alert1; in the form field for XSS, and enter Test for HTML injection. Impact: 1. Cookie stealing 2. Phishing attacks 3. URL...
OpenMage: Sharing products with Mail allows phishing attacks due to misconfiguration.
Hello Team. I found a part that could cause a phishing attack. An incorrect configuration in the share-product-by-mail feature causes this. 1. Go to https://demo.openmage.org/sendfriend/product/send/id/430/catid/20/ 2. The Sender email address should normally be an email address provided by you...
Shopify: [h1-2102] Information disclosure - ShopifyPlus add user displays existing Shopify ID fullname
I am not sure if this is by design, but it came to my attention that the Add users functionality located at https://shopify.plus/id/users/invite allows a Shopify Plus user with User management access to retrieve any existing Shopify ID full name. Steps to reproduce 1. Log in to ShopifyPlus 2. Go...
Automattic: Stored XSS on the "www.intensedebate.com/extras-widgets" url at "Recent comments by" module with malicious blog url
Summary: Hello team. I have found a place where filtering/encoding of special symbols used in the blog/site URL is not applied, which leads to Stored XSS on the page of the user who posted a comment on the malicious blog/site. Platforms Affected: Affected page www.intensedebate.com/extras-widgets, block "Recent...
Mail.ru: Debug Mode Leak Critical Information [ AWS Keys , SMTP , Database , Django Secret Key ( RCE ) , Dodoc , Telegram , Twilio .. ]
Debug mode was enabled in legium-back.corp.mail.ru, leaking some potentially sensitive information...
Acronis: Acronis True Image 2020 Build 22510 Nonstop Backup Service Unquoted service path (privilege escalation)
Vulnerability description not provided...
Enjin: Reset password policy isn't consistent with registration / change password policy.
The security researcher identified that the password policy on the reset password page wasn't consistent with the policy set forth on the registration and change password pages. The minimum number of characters on the reset password page was only 6, whereas the other pages require a minimum...
TikTok: Blocked user can send notification by liking the message due to Logical Bug
A functional bug had the potential to permit a blocked user to send notifications by liking another user's message. We thank @sandipgyawali for reporting this to our team and confirming the resolution...
Revive Adserver: Reflected XSS on /admin/stats.php
I found a reflected XSS attack on /admin/stats.php. Revive-Adserver version is revive-adserver-5.1.0. - Go to...
Revive Adserver: Reflected XSS on /admin/userlog-index.php
I found a reflected XSS attack on /admin/userlog-index.php. Revive-Adserver version is revive-adserver-5.1.0. - Go to...
LY Corporation: Webview address bar spoofing in LINE client for iOS
When navigation to an invalid hostname occurs, the address bar is updated even though the navigation is cancelled. Due to this incorrect timing of updating the address bar and applying URL normalization, it can be recognized as a different hostname from the actual hostname. As a result, attacker...
Elastic: Over-Privileged API Credentials for Elastic Agent
@captaingeech found that the permissions granted to the Elastic Agent in a Fleet environment grant the ability to delete documents from sensitive security indices...
Kartpay: Duplicate entry of email leads to 500 Server Error which discloses SQL database table information
The issue was with the process of deleting merchant data from the admin dashboard. The admin has rights to delete the merchant email ID, and it then gets deleted as a soft delete, not a full delete, but there was no validation in the code to detect the re-registration of the same...
Grammarly: Config override using non-validated query parameter allows at least reflected XSS by injecting configuration into state
Hi, First, I just want to say after spending a few days on your assets that I'm really impressed by the high security standard of the apps exposed. It has not been easy to find issues. I really like the way you've structured your API-routes in a way that almost eliminates a bunch of access issues...
Rockstar Games: phpinfo() on graph.rockstargames.com exposes sensitive information
In this report, the researcher identified a subdomain that was improperly made public while sensitive information was disclosed, including phpinfo. We were able to fix the deployment and remove the sensitive information, thus resolving the issue...
Kartpay: Full Path Disclosure of Server through 500 Server Error
Hello team, EXPLANATION ============ I found an interesting vulnerability in your site: it unexpectedly discloses the server path where the PHP files are being hosted. When the application sends account verification links in email, if anyone tries to verify his account with that link at a twi...
Kartpay: Disclosure of Merchant_id into the source code without entered OTP code leads to Victims MID takeover.
The system encryption for merchant registration was revealing details which could be further exploited for registration of the merchant. After @bugera shared the details, it was fixed by the team...
O1 Labs: SPF Records
The vulnerability was that you can spoof their email address, and then the attacker can send emails from their email address, which could lead to sending fake emails or phishing attempts. To see if you can send an email from a target domain you need to check if it has an SPF Sender Policy Framewor...
U.S. Dept Of Defense: Stored XSS at https://www.█████████.mil
Summary: Stored XSS exists at https://www.██████.mil. A user can fill out the form and upload a file containing javascript code to trigger XSS. Description: Stored XSS exists at https://www.████.mil. A user can fill out the form and upload a file containing javascript code to trigger XSS. Impact ...
ImpressCMS: Potential Authentication Bypass through "autologin" feature
Summary: The vulnerability is located in the /plugins/preloads/autologin.php script: 45. $uname = $myts->stripSlashesGPC($autologinName); 46. $pass = $myts->stripSlashesGPC($autologinPass); 47. if (empty($uname) || is_numeric($pass)) { 48. $user = false; 49. } else { 50. // V3 51. $uname4sql = addslashes($uname); 52...
ImpressCMS: Arbitrary File Deletion via Path Traversal in image-edit.php
Summary: The vulnerability is located in the /libraries/image-editor/image-edit.php script: 161. if (@copy(ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simagetemp, $categpath . $simage->getVar('image_name'))) { 162. if (@unlink(ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simagetemp)) { 163. $msg = _MD_AM_DBUPDATED; ... 190. el...
QIWI: mysql.initial.sql file is accessible to everyone
Hello. I found the mysql.initial.sql file, the Roundcube Webmail initial database structure. It is open to everyone. This is an SQL file that creates the structure of various tables such as user, session, cache and so on. PoC url: https://contact.rapida.ru/mysql.initial.sql F1164134 F1164136 Impact information...
Enjin: Unrestricted Upload of File with Dangerous Type
The security researcher was able to execute CWE-434: Unrestricted Upload of File with Dangerous Type through a legacy API endpoint used to upload images. This file was directly uploaded to our CDN with the appropriate MIME type of the file...
Informatica: login to marketplace panel on enablement.informatica.com
Hello dear support, I have found the issue and you can log in to the panel with any password and username F1163976 url: https://enablement.informatica.com/marketplace/ F1163979 Impact Can gain access to admin panel...
Acronis: Cross Site Scripting (Reflected) on https://www.acronis.cz/dotaznik/roadshow-2020/
Vulnerability description not provided...
Informatica: Html injection on ██████.informatica.com via search.html?q=1
Hello dear, I have found HTML injection on ██████.informatica.com; injectable parameter: search.html?q=1 URL : https://████████.informatica.com/search.html?q=1%22%3E%3Cimg%20src=https://www.no-gods-no-masters.com/imagesdesigns/anonymous-gandhi-d001001207265.png%3E%E2%80%[email protected]%20%22 payload ; 1"”@x...