Kubernetes: Index Out Of Bounds in protobuf unmarshalling
Report Submission Form Summary: I have recently discovered a bug in the gogo/protobuf code generator. This bug allows for an index out of bounds when unmarshalling certain protobuf objects. The bug is that a check is lacking when skipping certain bytes. There are numerous occurrences of this bug...
Internet Bug Bounty: Canonical Snapcraft vulnerable to remote code execution under certain conditions
Preface: I apologize for previously submitting this bug to hacker1 before it was fully addressed by the Ubuntu Security Team. I have reported this issue to the Ubuntu Security team and it has been fixed: CVE-2020-27348. Bug link: https://bugs.launchpad.net/snapcraft/+bug/1901572 Ubuntu Security Tea...
X (Formerly Twitter): 2 Subdomains Takeover at readfu.com
Hi, I believe that readfu.com now belongs to Twitter, Inc. I was able to take over 2 subdomains via Heroku services & a normal domain buy! F1147316 PoC: Please visit http://alpha.readfu.com/ via Heroku. Steps: https://youtu.be/mpPXrvhvD4A Please check the DNS of rb.readfu.com; you will see it hqn.ro...
Logitech: Sensitive information disclosure to shared access user via streamlabs platform api
Summary: Hi there, hope you are doing well and stay safe. Streamlabs allows us to invite other users to manage our dashboard and cloudbot functions via the following setting, named "Shared Access": https://streamlabs.com/dashboard/settings/shared-access If we invite other users with the Moderator rol...
Acronis: SSRF when configuring Website Backup on Acronis Cloud
Hi, I hope everything goes well. I have found an SSRF in https://mc-beta-cloud.acronis.com/ui//backup-console/resources when configuring the backup plan for a website. Summary: While I was looking at the functionality of managing backups on websites, I saw that if you specify a local IP where to ge...
GitLab: Stored XSS in repository file viewer
Summary: There exists XSS in the swagger-ui version used in the GitLab open API viewer. The XSS exists due to the old version of DOMPurify used in swagger-ui, which allows an attacker to inject any HTML elements with any attributes except the script tag on the page. The XSS in the PoC requires 1 click anywhere on...
Mail.ru: [titans.3clans.ru] phpBB 3.0.8 - Administrator account takeover + remote code execution.
I came across the site http://titans.3clans.ru; it runs on 188.93.63.60, hostname: newsdclans.ext.terrhq.ru. The admin's email [email protected] was posted everywhere; searching for it online, I found passwords for the mailbox. The following combination worked for the forum: Negasus:43046721 Next we go to the admin panel, "/adm/index.php", in...
U.S. Dept Of Defense: [hta3] Remote Code Execution on ████
Vulnerability description not provided...
Doppler VDP: Owner can change themself to another Role Mode but the application does not have this function.
Hello team, I have found a privilege escalation bug in your application. Basically your website doesn't allow an owner to change the role mode for themself; they are only able to change the role mode of another user. But I found an authorization bug in your application: if we add the user ID of themself in...
U.S. Dept Of Defense: Stored XSS through name / last name on https://██████████/
Description: There is a stored XSS vulnerability on https://█████/██████ caused by rendering unsafe input registered in the account first name and last name. ███ Step-by-step Reproduction Instructions 1. Navigate to javascript...
Logitech: Host Header injection in oslo.io (using X-Forwarded-For header) leading to email spoofing
Hello team, I hope it will be a happy year for you and for me 😇 Summary: I found Host Header injection in oslo.io. I tried to use it to show the security effect on users, and I found this. Steps To Reproduce: 1. Well, first of all, enter your project 2. Make an invitation by email 3. Now through the...
Doppler VDP: Access page must be reloaded to perform multiple requests
Hello team, I have found an authorization issue in your website. With this issue, low-privileged users like collaborator users can still access the DEV environment even after the workplace owner unchecked the dev access permission from the owner account. With this issue a collaborator user can have unlimited access to that dev...
GitHub Security Lab: [Java] CWE-555: Query to detect password in Java EE configuration files
This bug was reported directly to GitHub Security Lab...
Logitech: Moderator user has access to owner's support portal and tickets
Summary: Hi there, in https://streamlabs.com there's a function where a user can share their account with other users to manage their dashboard via the following link: https://streamlabs.com/dashboard/settings/shared-access. In the shared-access setting, a user can invite another user with two roles, Moderator an...
Acronis: Local privilege escalation via insecure MSI file
Summary: I've found a vulnerability which leads to a local privilege escalation starting from a non-admin user. When the True Image client installs, it drops 2 MSI files into the C:\Windows\Installer folder. Since this folder is readable by anyone by default, a non-admin user can execute commands like...
Doppler VDP: No rate limit on email change leads to email notification bombing of the victim.
Hello team, I have tested your application and found no rate limit on the password change mechanism, which allows an attacker to send an unlimited number of email notifications to their victim. Basically, every part of your application has implemented a rate limit block system, but the email change area do...
U.S. Dept Of Defense: Reflected XSS on https://█████████html?url
Vulnerable Website URL or Application: https://███████html?url=javascript:alert"nagli" Description of Security Issue: please limit to one site/app per submission Reflected XSS due to no input validation █████████ Remediation: Sanitize the input on that parameter. Best Regards, nagli Impact...
Doppler VDP: email spoofing on doppler.team
Summary: There is an Email Spoofing vulnerability on your domain doppler.team which allows an attacker to send an email with your domain name, such as [email protected] and so on. Steps To Reproduce: 1. Go to http://emkei.cz 2. Fill the "From Email" field with [email protected] or any other doppler...
Mail.ru: Eval-based XSS in Game JS API (mailru.core.js) via cross-origin postMessage()
mailru.core.js as used by GMR/store.my.games application was vulnerable to XSS via PostMessage handler...
Rocket.Chat: Registration bypass with leaked Invite Token
The Rocket.Chat API route 'validateInviteToken' was vulnerable to a registration bypass attack. The route allowed unauthenticated users to guess valid invite tokens by sending a crafted JSON payload with a regular expression. Once a valid token was obtained, the user could access private channels...
Palo Alto Software: [Bypass #870709] Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/
Hi team, I found a bypass of report 870709. Just by using X-Forwarded-For: 127.0.0.1 you can again get access to the global admin page. Bypass request: Request GET /pagespeed-global-admin/ HTTP/1.1 Host: webtools.paloalto.com X-Forwarded-For: 127.0.0.1...
Logitech: Stored XSS on oslo.io in notifications via project name change
Hey Logitech team. Summary: It is possible for an editor on a project to rename the project to a malicious HTML element, which, when opened in the notification dropdown, will render and fire JavaScript. Steps To Reproduce: 1. Invite a user to join the...
Valve: CS:GO Server -> Client RCE through OOB access in CSVCMsg_SplitScreen + Info leak in HTTP download
Title: CS:GO Server - Client RCE through OOB access in CSVCMsgSplitScreen + Info leak in HTTP download Scope: csgo.exe Weakness: Out-of-bounds Read Severity: Critical 9.6 Link: https://hackerone.com/reports/1070835 Date: 2021-01-04 00:22:02 +0000 By: @simonscannell Details: We managed to write an...
Acronis: Acronis True Image 2021 (windows) does not validate server hostname on a login TLS connection
Acronis True Image prior to 2021 Update 4 for Windows and Acronis True Image prior to 2021 Update 5 for Mac did not properly validate SSL certificates. The issue was assigned CVE-2021-32581. We have seen no signs of exploitation of this vulnerability...
MTN Group: RCE Apache Struts2 remote command execution (S2-045) on [wifi-partner.mtn.com.gh]
Summary: A Remote Code Execution vulnerability exists in Apache Struts2 when performing file upload based on the Jakarta Multipart parser. It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid, an exception is thrown which is then used to...
Logitech: Manipulating response leads to free access to Streamlabs Prime
Hey team, I have found a cool bug which allows me to get access to Streamlabs Prime features for free. Here is the API endpoint which checks whether the user has a Prime subscription or not: https://streamlabs.com/api/v5/user/prime/subscription json "isactive": false, "ispending": false,...
WHO COVID-19 Mobile App: ArcGIS Rest Service linked to unsecured survey data
ArcGIS rest service url was followed, allowing discovery of unsecured survey data. Now fixed. This wasn't part of the WHO COVID-19 Mobile App but was resolved as it was reported here...
VK.com: Stored XSS in label selection on the order list page.
XSS in the order management section. When selecting a label for the filter on the order list page in a community, there was an XSS...
Phabricator: Git flag injection leads to arbitrary file write
keyword: mongoose PoC 1. Log in and generate an API token 2. Create a repo and push several commits to Phabricator 3. Execute the diffusion API: curl http://dev.localhost/api/diffusion.internal.gitrawdiffquery \ -d api.token=api-token \ -d commit=--output%3D/tmp/qqq \ -d repository=R2 4. The qqq file will be...
Automattic: Information disclosure leads to disclosure of users' private notes
Dear Automattic, the bug I will share with you is a bug that allows attackers to access users' notes without permission. The bug is here http://simp.ly/p and here http://app.simplenote.com/ and it's using the web.archive.org website. Web archive: it is a website like Google search, but it saves all links like you...
Automattic: SQL Injection intensedebate.com
Hello dear support, I have found SQL Injection on intensedebate.com. Injectable parameters: ?acctid=1 URL: https://www.intensedebate.com/js/importStatus.php?acctid=1 I used sqlmap for the injection; command: sqlmap --url https://www.intensedebate.com/js/importStatus.php?acctid=1 --dbs F1140562 available...
MTN Group: Blind SQL Injection
Hello dear support, I have found Blind SQL Injection on https://futexpert.mtngbissau.com/signin/ Injectable parameters: phonenumber=0&pin=1&submit=Continuar via POST URL: https://futexpert.mtngbissau.com/signin/ Post: email=0 my payload:...
MTN Group: Reflected XSS on gamesclub.mtn.com.g
Hello dear, I have found Reflected XSS on gamesclub.mtn.com.g Injectable parameters: /header.aspx my payload "; HTTP header input Referer was set to https://www.google.com/search?hl=en&q=testing'"&%gQmT9082 HTTP request =========== GET /header.aspx HTTP/1.1 Host: gamesclub.mtn.com.gh...
MTN Group: Reflected XSS on mtnhottseat.mtn.com.gh
Hello dear, I have found Reflected XSS on mtnhottseat.mtn.com.gh Injectable parameters: /api/v2/subscribe/; my payload " URL: https://mtnhottseat.mtn.com.gh/api/v2/subscribe/;%22%3E%3Cimg%20src=x%20onerror=alertdocument.domain%3E F1140524 Impact: Malicious JavaScript has access to all the same objec...
Node.js: DNS rebinding in --inspect (insufficient fix of CVE-2018-7160)
Summary: While the debugger, i.e., the --inspect option, tries to prevent DNS rebinding, the whitelist is excessive. Description: The whitelist includes "localhost6", which is not that widespread. When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS...
h1-ctf: H1 Hackyholidays CTF - The Grinch was defeated
The following writeup will outline all the steps and tools used to solve the 12 challenges of the H1 Holidays CTF. The theme of the competition was the Grinch. As can be read in the competition blog post https://www.hackerone.com/blog/12-days-hacky-holidays-ctf , the goal was to...
h1-ctf: Hackyholidays [ h1-ctf] writeup [mission:- stop the grinch ]
Hello Team. Description: In a continuous series of 12 days, twelve flags were hidden inside the Hackyholidays site, hackyholidays.h1ctf.com; once we get all the flags, the Grinch can be stopped. This write-up will describe solving all 12 days' challenges. Steps To Reproduce + It all started wh...
U.S. Dept Of Defense: Old Session Does Not Expire After Password Change
Hello Team, I am Hemant Patidar, working as a security researcher, and I found a bug in your site. The report of the bug is as follows: Description: While conducting my research I discovered that the application fails to invalidate the session after a password change. In this scenario, changing the...
h1-ctf: It's just a man on a mission
Preface: Like any other good story, this adventure also began with a few long days of preparation leading up to the start of the challenge. Tools were sharpened, command lines were dusted off and one too many cups of coffee were consumed. Morale was high and the...
h1-ctf: [hackyholidays] CTF write-up
Hi, this is my write-up for the hackyholidays CTF. I attached the write-up in PDF format. Thanks, REND Impact: saving Christmas... fix this, otherwise people would be happy...
h1-ctf: How The Hackers Saved Christmas
F1139789 Challenge I 🤖 "What are you doing?" I asked myself. I was about to trespass a clear warning to keep out. F1139744 "Have you lost your mind?" But I couldn't help it. I was born for this. And I wasn't going to back down. There are 12 more days until Christmas Eve, and I wasn't going to let...
h1-ctf: First CTF ever!
Pretext: Started looking into hacking this autumn and then found out HackerOne was doing a Christmas-themed CTF. Further investigation showed that the deplorable Grinch might be up to no good again; Christmas is in danger! TLDR: Lots of hacking took place, the Grinch was stopped, Christmas saved a...
h1-ctf: Grinch-Networks taken down - hacky holidays CTF
Summary: CTF Submission Day 1: flag48104912-28b0-494a-9995-a203d1e261e7 Day 2: flagb7ebcb75-9100-4f91-8454-cfb9574459f7 Day 3: flagb705fb11-fb55-442f-847f-0931be82ed9a Day 4: flag972e7072-b1b6-4bf7-b825-a912d3fd38d6 Day 5: flag2e6f9bf8-fdbd-483b-8c18-bdf371b2b004 Day 6:...
h1-ctf: h1-ctf : 12 days of hack holiday writeup
Summary: This was a really fun CTF and I really enjoyed solving the challenges. Great job on creating the challenges. This is my writeup for the "12 Days of Hacky Holidays CTF". I hope you enjoy reading it, and I hope others reading it will pick up a trick or two. Flags: These are all the flags found...
h1-ctf: [H1 hackyholidays] CTF Writeup
Hello team, here is my CTF writeup for HackyHolidays. Main page: The main page doesn't contain any interesting stuff, just a few assets. Maybe we will find some known files in the webapp root: index.php, .htaccess, robots.txt, ...? The robots.txt file exists, and there is the first flag: User-agent:...
h1-ctf: Infiltrating into Grinch-Networks and saving Christmas!
Hi, you can find the write-up for this CTF here : https://castilho101.github.io/posts/hackerone-ctf-christmas...
MTN Group: 2x Remote file inclusion within your VMware Instances
Summary: 2x Remote file inclusion within your VMware Instances Hosts: nmc.vc.mtn.co.ug h28a.n1.ips.mtn.co.ug Steps To Reproduce: Navigate to the URLs given below, /etc/passwd will be displayed. https://nmc.vc.mtn.co.ug/eam/vib?id=/etc/passwd https://h28a.n1.ips.mtn.co.ug/eam/vib?id=/etc/passwd...
h1-ctf: hackyholidays CTF Writeup
Summary: As per the referenced blog entry, the Grinch has gone hi-tech this year with the intention of ruining the holidays. The challenge was about infiltrating the Grinch's network and taking it down. As outlined on https://hackerone.com/h1-ctf, the domain hackyholidays.h1ctf.com was in scope. I...
Mail.ru: [web.icq.com] Stored XSS in Account Name
Stored XSS in web.icq.com via account data...
Reddit: GPS metadata preserved when converting HEIF to PNG
Summary: Users who upload HEIC/HEIF files, sometimes called "Live Photos", to reddit.com or old.reddit.com expect their GPS metadata to be stripped before being displayed publicly. Uploaded HEIC files are converted to PNG, but GPS metadata is incorrectly preserved, in violation of user privacy. The...