Revive Adserver: Open redirect in ck.php and lg.php
An opportunity for open redirects has been available by design since the early versions of Revive Adserver's predecessors in the impression and click tracking scripts to allow third party ad servers to track such metrics when delivering ads. Historically the display advertising industry has...
QIWI: CRLF injection on https://bug.qiwi.com
Hello. I found a CRLF injection on https://bug.qiwi.com. Using it, an attacker can set new headers and cookies, poisoning the cache. Info: site: https://bug.qiwi.com path: /landing/ payload: /%0d%0aSet-Cookie:MyHeader=value PoC:...
Nextcloud: [nextcloud.com] Control character allowed in Submit Question
Issue description: We found that the maximum length of the first and last name fields was not set to 32 characters at registration and to 1000 characters when using the profile update form. The attacker can use this method as a malware attack; the user will be redirected to a website that contains...
Shopify: Read/Write arbitrary (non-HttpOnly) cookies on checkout pages via GoogleAnalyticsAdditionalScripts postMessage handler
Background Shopify shops can be configured with a Google Analytics integration within the admin settings for a shop /admin/onlinestore/preferences. This is a deeper integration than simply including analytics.js via a liquid template, for example ecommerce tracking can be enabled. Within this...
Mail.ru: CSRF + XSS leads to ATO
Reflected XSS on dwar.mail.ru via POST parameter formnick There was a Self-XSS issue on Request with no CSRF Protection leading to full Account Takeover due to Insecure Session Cookies...
ImpressCMS: SQL Injection through /include/findusers.php
Summary: The vulnerability is located in the /include/findusers.php script: 281. $total = $user_handler->getUserCountByGroupLink(@$_POST["groups"], $criteria); 282. 283. $validsort = array("uname", "email", "last_login", "user_regdate", "posts"); 284. $sort = (!in_array($_POST['user_sort'], $validsort)) ? "uname" :...
ImpressCMS: Incorrect Authorization Checks in /include/findusers.php
Summary: The vulnerability is located in the /include/findusers.php script: 16. include "../mainfile.php"; 17. xoops_header(false); 18. 19. $denied = true; 20. if (!empty($_REQUEST['token'])) { 21. if (icms::$security->validateToken($_REQUEST['token'], false)) { 22. $denied = false; 23. } 24. } elseif (is_object(icms::$user) ...
Kartpay: Misconfiguration of Merchant id in jwt header + Weird Debug mode enabling behavior leads to exposed OTP of mobile number.
The verification email content could be decrypted easily and led to disclosure of information that was supposed to be provided only after account verification is completed. Secondly, for a limited time production was put in debug mode and was left that way; it has now been fixed...
CS Money: Able to upload backgrounds before entering 2FA
Summary: Hi Team, I am able to see and use uploaded backgrounds and able to upload new ones without proper authentication via 2FA. I hope you remember report 993786. Steps To Reproduce: 1. Log in with a Steam account and enable 2FA. 2. Now log out of your account. Clear all the cookies. 3. Now aga...
Lark Technologies: Viewer is able to leak the previous versions of the file
A vulnerability was found where a low level user with only view permissions to a specific file version was able to access previous versions of the file without proper access permissions. We thank @snapsec for reporting this to our team...
Mail.ru: [int.ucs.ru] Attacks on the UCS internal network via the Clickhouse DBMS
Some requests to clickhouse in ucs.ru were externally available potentially allowing SQL-like requests execution...
Bumble: Bumble API exposes read status of chat messages
Summary The Bumble app allows matches to chat with each other. In the mobile apps it is possible to see whether a message has been delivered (the webapp does not offer this feature), but the read status of messages is never disclosed. However, by issuing a POST request to the API endpoint at...
Mail.ru: Theft of Arbitrary file
FolderBrowserActivity of Mail.ru Cloud application for Android insufficiently restricted access to files in application folder...
Acronis: licenses key disclosure
Summary Hi team, I found the license keys stored as clear text; I think it is important. Steps To Reproduce 1. Go to this link https://dl.acronis.com/u/pdf/workstationlicenses.txt 2. And this link https://dl.acronis.com/u/pdf/serverlicenses.txt 3. You can see all license keys. Impact I think I can use th...
Valve: Big Picture web browser leaks login cookies and discloses sensitive information (may lead to account takeover)
Researcher reported an issue where certain secure cookies would be included in a web request initiated through Steam Big Picture mode that was initially to a trusted origin but subsequently forwarded to a site on a different origin...
Mail.ru: [city-mobil.ru/taxiserv/] SQLi at /taxiserv/requests path at driver_company param
SQL Injections in city-mobil.ru/taxiserv due to unsafe usage of GET parameters...
Mail.ru: [city-mobil.ru/taxiserv/] SQLi at /taxiserv/tariffs/dictionary at filter{"id_locality"} param
SQL Injections in city-mobil.ru/taxiserv due to unsafe usage of GET parameters...
Mail.ru: Full Account Takeover Student Account In https://********.ru/signin/main/student/email
3rd party project with Mail.ru investments had no sufficient protection against authentication code brute force...
Mail.ru: Full Account Takeover In ****.ru
IDOR vulnerability in a project related to a recent acquisition could lead to account takeover within this project. It's a new technique for random account takeover; the scenario is: 1 - we registered on website.com and got a fixed cookie that may be stored in the DB, and if you log in again you will get sa...
Mail.ru: todo.mail.ru open .git
todo.mail.ru landing .git folder was publicly accessible...
Acronis: Credentials leaked via Github
Vulnerability description not provided...
Showmax: https://secure.showmax.com/profile/payments
As part of testing user credentials distribution the security researchers were awarded 3 different activation codes, each one granting them subscription for a different country. The researcher reported that it's possible to use a code for country "A" with account associated to country "B". Such...
Nextcloud: Nextcloud Desktop Client RCE via malicious URI schemes
Nextcloud Desktop utilizes QT's QDesktopServices::openUrl to open URLs. This function invokes the OS'/desktop environment's default application for handling the URI scheme and file extension. During the Nextcloud Add Account flow, the server's login website is opened within a native window/WebView...
Showmax: Parental Pin Bypass
The security researcher contacted us about improper PIN protection authorisation on our content. Showmax users can set up parental PIN protection for different levels of content maturity. If such content is accessed, the user must enter the PIN. It was reported that the PIN protection is easily...
Slack: Denial of Service via Hyperlinks in Posts
Summary Via HTML injection it's possible to override all document functions, causing the application to crash because it's using the element as a function. Brief explanation of how it's possible to override document functions with HTML injection: In some HTML elements, the name attribute becomes a...
Brave Software: Brave Browser Tor Window leaks user's real IP to the external DNS server
Summary: When a user navigates to a URL in a Tor Window, the DNS requests are sent directly without using the Tor proxy, which leaks the user's real IP address and the requested domain name to the user's ISP and the DNS server. Products affected: OS: Ubuntu 18.04.5 LTS x86_64 Brave: Version 1.18.78...
Stripo Inc: Bypass of #1047119: Missing Rate Limit while creating Plug-Ins at https://my.stripo.email/cabinet/plugins/
Summary: I have found a bypass for the report https://hackerone.com/reports/1047119. It seems that a proper fix was not issued, therefore the issue still remains. Steps To Reproduce: 1. Create a Plug-In and capture the request. 2. Send this to Intruder. 3. Follow the rest in the Video POC. POC Video...
TikTok: Lack of rate limitation on careers site allows the attacker to brute force the verification code
An attacker could have potentially attempted to brute force the verification code needed to reset a candidate's password by leveraging a lack of rate limiting on the TikTok careers portal. We thank @iambouali for reporting this to our team and confirming the resolution...
Doppler VDP: Limited access to billing dashboard by Admin and Collaborator in conflict with user role permissions.
Summary: Hello Team, The admin and collaborator roles aren't supposed to be able to have read access to the billing dashboard. However, a bug was found where both roles have limited read access to the dashboard contrary to Doppler docs. F1151905 Steps To Reproduce: 1. Log in to your...
Acronis: Local Privilege Escalation when updating Acronis True Image
Vulnerability description not provided...
Mail.ru: unauthorized Access To Elastic DB
Unauthorized access to the Elastic DB without user data on developer stand running in MCS public cloud computing host Writeup: https://bugreader.com/blitz@unauthorized-access-to-the-elastic-data-base-269...
Keybase: Keybase /AppData/Local/Keybase/uploadtemps folder stores pasted photos
During research, I had noticed that Keybase does not adequately clear the cache and some residual files can be viewed, with no form of encryption on the files. In addition, these pasted photos remain even after clearing the containing chat. Not all of the pasted photos remain, so it's unclear wha...
Mail.ru: Social Oauth Disconnect CSRF at znakcup.ru
The social-disconnect/twitter/ API made it possible to unlink Twitter OAuth from a user account on znakcup.ru...
DuckDuckGo: com.duckduckgo.mobile.android - Cache corruption
Summary: By opening a special url, the app cache can be corrupted which can't be resolved by the user without reinstalling the app. Steps To Reproduce: 1. Download and install the DuckDuckGo App 2. Open https://%22t.dev/ 3. Try to reopen the app The app keeps crashing Additional information -...
Lark Technologies: IDOR Allows Viewer to Delete Bin's Files
An IDOR (Insecure Direct Object Reference) vulnerability was found where if a user with only view permissions knew the alphanumeric token of a folder, they could permanently delete it from an admin's bin. We thank @snapsec for reporting this to our team...
Doppler VDP: Bypass Email Verification.
Steps to reproduce: 1. Sign up to Doppler here https://dashboard.doppler.com/register. 2. Then it will go to this page https://dashboard.doppler.com/confirm and ask you to confirm your email. 3. Go to the source code and search for tagsconfirmemail. 4. You will find the email verification token...
U.S. Dept Of Defense: Bypassed a fix to gain access to PII of more than 100 Officers
Summary: Hey team, I hope this report finds you well and you're having a great day in these difficult times. While doing my recon I found out that https://www.███/ is leaking PII of many Officers. Severity according to me: Critical. Step-by-step Reproduction Instructions 1. Go to...
Bumble: Misconfigured oauth leads to Pre account takeover
Summary While testing Badoo I noticed that users can use SMAL Google, MSN, VKontakte, Odnoklassniki, Yandex, Mail.Ru to create and log in to Badoo accounts. Now there are two ways of registering on Badoo: by email registration, or Google, MSN, VKontakte, Odnoklassniki, Yandex, Mail.Ru OAuth login. Now here...
Mail.ru: Stored XSS on store.my.games
Stored XSS in comment viewing functionality on store.my.games...
U.S. Dept Of Defense: [hta3] Chain of ESI Injection & Reflected XSS leading to Account Takeover on [███]
Hi, Summary There is an ESI injection vulnerability in the https://████████/portal/page/portal/TOPLEVELSITE/SearchResults/PerspectiveResults endpoint on the ms parameter. With this injection, we're able to extract session cookies that have the HttpOnly flag by using this payload. xml...
Doppler VDP: User Access Control in Community Plan
Summary: Hello, I have found a logical issue in the Billing Subscription section. A given user is able to maintain the User Access Control (UAC) feature in the Community Plan. Steps To Reproduce: Set up two accounts, let's say Alice and Bob. 1. Log in using Alice's account and create a workspace with any name, sa...
Doppler VDP: Stored XSS in [https://dashboard.doppler.com/workplace/*/logs] pages
Summary: I have found a stored XSS vulnerability in the following config setting page: https://dashboard.doppler.com/workplace//projects/example-project/configs/dev/logs When you invite other users to the workspace, the XSS could be used to exploit other users as well. Steps To Reproduce: 1. Visit...
Insulet Corporation: DOM XSS on www.omnipod.com/freedom/birthdate-confirmation and www.omnipod.com/pif/thanks-freedom
The DOM-based XSS vulnerability was found on the www.omnipod.com/freedom/birthdate-confirmation and www.omnipod.com/pif/thanks-freedom pages. The vulnerability was triggered by crafting a URL with malicious code in the query parameters, which was then executed by the vulnerable script on the page...
Glassdoor: Reflected XSS on https://www.glassdoor.com/parts/header.htm
Reflected XSS was reported on https://www.glassdoor.com/parts/header.htm via the nonce parameter. Thanks, @0x7 for reporting the finding and also reporting additional endpoints affected by this - added a bonus for reporting those additional endpoints and also for your collaboration with us in the...
VK.com: XSS in the link handler
XSS in the link parser...
X (Formerly Twitter): Open Redirect on https://www.twitterflightschool.com/widgets/experience?destination_url=https://evil.com
This report details an open redirect issue that enabled crafting potentially malicious URLs which could be used to redirect users to a site specified in a URL parameter of the URL creator's choosing. This may allow an attacker to exploit a user's trust by leveraging open redirect on the affected...
Mail.ru: kds.ucs.ru - information disclosure.
When visiting the home page, the main page loads and references the JS script https://kds.ucs.ru/app/apiMock.js. The script sets data such as: a token (most likely an authorization token); the dealer account's email: "data":"id":"[email protected]","userRole":"Dealer"; a list of all clients who use...
Kubernetes: XSS on kubernetes-csi.github.io (mdBook)
Report Submission Form Summary: Hi, I have recently found an XSS vulnerability in mdBook, CVE-2020-26297, fixed and disclosed on 4th January 2020. The details were published in a security advisory here: https://blog.rust-lang.org/2021/01/04/mdbook-security-advisory.html I did a quick recon and found ...
Mail.ru: [Biz] [Mailer] Crop of any* images located on the server
Crop any images on the site mailer.i.bizml.ru...
Topcoder: IDOR at https://fast.trychameleon.com/observe/v2/profiles/ via uid parameter discloses users' PII data
Summary: Hello, an API on apps.topcoder.com/forums/ exposes the email of any user on topcoder.com and some PII (name, surname, id). Steps To Reproduce: 1. Create a profile at topcoder.com 2. Go to apps.topcoder.com/forums and log in to the forum 3. Enter any topic, example:...