15267 matches found
Mail.ru: Accessed internal API documentation and information
Hello team, anyone can access API documents and files. Actually this domain has a proper authentication mechanism. https://apidocs.ucs.ru/ When I browse the above domain, it goes to a login page. It is not possible to create accounts, meaning only authenticated people can access it. But when we brow...
curl: Abusing URL Parsers by long schema name
Summary: There is a known technique to exploit the inconsistency between URL parser and URL requester logic to perform a Server Side Request Forgery attack. It was first presented by Orange Tsai in A New Era Of SSRF: Exploiting URL Parser. I first found the familiar issue in old versions of curl, but explo...
MTN Group: PHP Info Exposing Secrets at https://radio.mtn.bj/info
Summary: During recon I discovered a PHP Info file exposing environment variables such as the Laravel APP_KEY, database username/password, SMTP username/password, etc. Steps To Reproduce: Visit the following URL: https://radio.mtn.bj/info You will be presented with a PHP Info file exposing environmen...
Rocket.Chat: SAML authentication bypass through unauthenticated `addSamlProvider` Meteor Call
Summary: Rocket.Chat exposes an unauthenticated Meteor method addSamlProvider, which allows disabling SAML signature verification. Description: The addSamlProvider Meteor method sets a number of settings, among them a boolean flag that defaults to false (JavaScript): export const addSamlService =...
Rocket.Chat: Server-side RCE through directory traversal-based arbitrary file write
Vulnerability description not provided...
Logitech: CSRF in changing users' donation_settings [https://streamlabs.com/api/v6/viewer-portal/viewer-settings/donation_settings]
Hey there, I have found that the api/v6/viewer-portal/viewer-settings/donation_settings endpoint is vulnerable to a CSRF attack, which allows an attacker to update a victim's donation_settings such as username, amount...
ImpressCMS: Download full backup and Cross site scripting
A backup zip file was still left on the server, which was removed. Moreover, an old unused content editor was still left and could be used by a malicious user. The unused editor has been removed as well...
Logitech: Stored XSS in [https://streamlabs.com/dashboard#/*goal] pages
Hey there, I have found a stored XSS vulnerability in the following goal settings pages. https://streamlabs.com/dashboard/followergoal https://streamlabs.com/dashboard/bitgoal https://streamlabs.com/dashboard/subgoal https://streamlabs.com/dashboard/tiltifydonationgoal...
U.S. Dept Of Defense: ███ on https://████ enable ███ scraping, injection, stored XSS
Summary: An open ████████ at the ████████ system enables quick and easy scraping of ███ without authentication or authorization. Description: The █████ includes an open set of ██████ endpoints at https://██████████. Any individual can execute requests on these endpoints without authorization or...
U.S. Dept Of Defense: IDOR on https://██████ via POST UID enables database scraping
Summary: The UID parameter on █████████ in the ██████ ███████ system, with ███████, does not validate that the caller has permission to view information on the UID entered, thereby enabling personnel and student data extraction. Description: The user operations API endpoint for the ███ ██████████...
curl: CVE-2020-8286: Inferior OCSP verification
cURL in /lib/vtls/openssl.c does not check that the certificate serial number in the stapled OCSP response matches the serial number of the peer certificate it is trying to validate. This results in a passed validity challenge even when connecting to a site that has had its...
PlayStation: SMAP bypass
SMAP is a security feature on x86 CPUs that forbids ring 0 from reading/writing ring 3 pages, making it harder to exploit entire classes of vulnerabilities. There is a vulnerability in FreeBSD 12 that allows SMAP to be bypassed by userland. There is a very high probability that it affects the P...
Ruby on Rails: HostAuthorization middleware does not suitably sanitize the Host / X-Forwarded-For header allowing redirection.
When a site is configured to use the .tkte.ch leading-dot short form for a domain name, e.g. (ruby) config.hosts. You are being redirected. Where the controller is simply (ruby): class RedirectController < ApplicationController; def main; redirect_to action: 'main'; end; end. The host header poisoning was report...
Stripo Inc: Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo
Summary: Can you imagine discovering an API key disclosure vulnerability in a disclosed API key disclosure report? The same thing is what I came across while going through the disclosed reports at Stripo Inc. Plus, the disclosed API key isn't even revoked, and therefore I am still able to use the...
Stripo Inc: No rate limit in email subscription
I managed to bypass the following report, 1029723. Please follow the steps below: Description: No rate limit in Email Subscription; you just have to add a fixed throttle in Burp Suite to avoid the 429 response. Note: I will use tempmail in the screenshots. PoC Steps: 1. Go to https://stripo.email/ a...
Stripo Inc: No rate limiting - Create Plug-ins
Hello team Stripo, how are you? I found a rate limit for data creation. Target = https://my.stripo.email/cabinet//plugins/293814 Request to Post: POST /cabinet/stripeapi/v1/plugin/293814/plugins HTTP/1.1 Host: my.stripo.email User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101...
Stripo Inc: No rate limiting - Create data
Summary: Hello team Stripo, how are you? I found a rate limit for data creation. Target = https://my.stripo.email/cabinet//my-services/298427?tab=data-sources Request to Post: POST /emailformdata/v1/amp-lists?projectId= HTTP/1.1 Host: my.stripo.email User-Agent: Mozilla/5.0 (X11; Linux x86_64;...
Internet Bug Bounty: Heap buffer overflow vulnerability while processing a malformed TIFF file.
A heap buffer overflow vulnerability occurs in magick while processing a malformed TIFF file. Following are the version/build details: $ magick -version Version: ImageMagick 7.0.10-45 Q16 x86_64 2020-11-30 https://imagemagick.org Copyright: © 1999-2020 ImageMagick Studio LLC License:...
Omise: ████.
input validation...
Logitech: One Click Account takeover using OAuth CSRF bypass by adding Null byte %00 in state parameter on www.streamlabs.com
Summary: Hello Team, I have found a bypass to this report: 1039749. Steps To Reproduce: 1. Log in to the attacker's account and go to Settings -> Account Settings. 2. Intercept the request in Burp Suite and click on Merge Twitch Account. 3. Allow Twitch access and once you see a GET request in Burp...
Mail.ru: CSRF in updating username https://pw.mail.ru/
A CSRF vulnerability in pw.mail.ru allowed changing the nickname with a cross-site request...
Automattic: SQL Injection Union Based
Summary: Hello, I have found a Union-based SQL Injection on https://intensedebate.com/commenthistory/$YourSiteId. The $YourSiteId in the URL is vulnerable to SQL injection. Steps to reproduce: 1. Log in to https://intensedebate.com 2. After creating your own site on...
curl: CVE-2020-8285: FTP wildcard stack overflow
Summary: User 'xnynx' on GitHub filed PR 6255 highlighting this problem. Filed publicly. My first gut reaction was that this had to be a problem with curl_fnmatch, as that has caused us grief in the past, and on most platforms we use the native fnmatch now, but not on Windows IIRC, and this is a...
Mail.ru: unclaimed subdomain special.rkeeper.ru to takeover from tilda.cc
Domain, site, application -- http://special.rkeeper.ru/ Testing environment -- OS version, browser information, settings and prerequisites to reproduce the vulnerability, testing tools used, etc. Steps to reproduce: 1. Create an account on tilda.cc 2. Create a project, then a domain will be assigned to...
Mail.ru: CSRF on api.my.games due to improper validation of token allows an attacker to delete other users notifications
A CSRF vulnerability in api.my.games allowed deleting users' notifications with a cross-site request...
Shopify: Staff with no permissions could possibly list and accept billing promotions
Hi, Description: I was looking for undocumented GraphQL API endpoints and noticed a query and mutation related to what seem to be billing promotions, but I'm not 100% sure about this since I have no idea where those promotions would come from. However, since those GraphQL endpoints were found...
Zomato: SQL Injection in www.hyperpure.com
Vulnerable Request: PUT /consumer/onboarding/saleslead/6b6a8a5a-4a74-46db-b2fe-32a46f927ecc HTTP/1.1 Host: api.hyperpure.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5...
Automattic: [intensedebate.com] SQL Injection Time Based On /js/commentAction/
intensedebate.com SQLi Time Based On /js/commentAction/ Summary: Hello, I have found a time-based SQL injection on /js/commentAction/. When a user wants to submit or reply to a comment, a JSON payload is sent in a GET request. GET...
Shopify: Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store!
Please Note: I found this bug on a website made using Shopify. I tried doing the same with my Shopify store but I was not able to buy anything as it was required to add credit card details, which I don't have. THE LINKS GIVEN AS THE EXAMPLE ARE NOT VALID LINKS BUT THE BUG WORKS ON EVERY SHOPIFY...
Automattic: Reflected XSS in https://www.intensedebate.com/js/getCommentLink.php
Hey there, I have found a reflected DOM XSS vulnerability in your website www.intensedebate.com; the posttitle parameter is vulnerable. --- Full URL:...
Mail.ru: BLIND SSRF ON http://jsgames.mail.ru via avaOp parameter
Blind SSRF in jsgames.mail.ru. Limited SSRF allowing reading of internal images...
GitLab: Remote hacker can download all the files of master branch in public projects where everything is members only.
Summary: Hi team, I found this weird behavior which I thought I should report: a malicious hacker can remotely download files of any branch in a public project where all permissions are ==member-only==. GitLab uses a link to download files of a branch; normally ==an unauthenticated user will not b...
LY Corporation: Arbitrary Code Execution via npm misconfiguration – installing internal libraries from the public registry
Due to a misconfiguration of the private NPM registry, a Node.js-based project was able to install a malicious module generated by an attacker instead of the normal module. If an attacker registers a higher version with the same name as a private module on the global registry, it will download and insta...
HackerOne: Denial Of Service (Out Of Memory) on Updating Bounty Table [Urgent]
Hello, Summary: There is a bug in the Updating Bounty Table section causing Denial Of Service, specifically loading up the memory usage to Out Of Memory. This happens when you visit a corrupted bounty table of a target program. I didn't figure out yet how this issue happened but I am reporting it now...
Node.js: HTTP2 'unknownProtocol' causes Denial of Service by resource exhaustion
Summary: The Node.js http2 server is vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new...
Automattic: [intensedebate.com] SQL Injection Time Based on /changeReplaceOpt.php
Summary: Hello, I have found a time-based SQL injection on https://www.intensedebate.com/changeReplaceOpt.php. The parameter $_GET['acctid'] is vulnerable. Detection: I have injected the MySQL function sleep, and it works. GET /changeReplaceOpt.php?&opt=1&acctid=419523%20AND%20SLEEP(15) HTTP/1.1 Host:...
Elastic: Async search stores authorization headers in clear text
Summary: The .async-search index stores the results of async searches. It also stores a copy of the request's authorization headers, in clear text. These clear text authorization headers are then available to anyone with access to .async-search, probably mostly super users. Description: While you...
Sixt GmbH & Co. Autovermietung KG: Company Employees' Sensitive Information exposed in Android App
Summary: Hi team, while analyzing the APK, in the com.sixt.app.kit.one.manager.share.ShareMockResponseFactory class I found one JWT token, and upon decoding it this token revealed certain information about an employee profile of the company, who is their Android developer. Steps To Reproduce: 1. download th...
Glassdoor: Reflected XSS at https://www.glassdoor.com/ via the 'numSuggestions' parameter
Hi there, I have found an XSS vulnerability at: https://www.glassdoor.com/ via parameter: numSuggestions Summary: Affected Parameter: numSuggestions Browsers tested: Firefox, Chrome, Edge latest version Steps To Reproduce: Go to:...
Open-Xchange: Some build dependencies are downloaded over an insecure channel (without subsequent integrity checks)
The script phase of pdns's .travis.yml file runs a script named ./build-scripts/travis.sh. The main path of execution of this script downloads two dependencies, libsodium-dev and libsodium13, via wget over an insecure channel, i.e. using HTTP rather than HTTPS. Further evidence of this can be found i...
Automattic: Permanent DoS at https://happy.tools/ when inviting a user
Hi Team, At Happy Tools, I found an exception to the exclusion of denial of service. The web app allows creating an account or logging into an account using either Gmail or WordPress. The vulnerability lies in the fact that after registration, a user can change their email without verification. Steps ...
GitLab: Exposure of a valid Gitlab-Workhorse JWT leading to various bad things
Summary: Using the State Uploading API we could potentially do a bad thing: - Bypass Gitlab::Workhorse.verify_api_request! This was due to the fact that Workhorse cleans the URL before passing it to Rails; this is elaborated in 923027. And the State API reads request.body to append it as a file!...
Automattic: [intensedebate.com] XSS Reflected POST-Based on update/tumblr2/{$id}
Summary: Hello, I have found a reflected POST-based XSS on https://www.intensedebate.com/update/tumblr2/$id. The parameter $_POST['txtCode'] is reflected and is not sanitized. To trigger the XSS an attacker needs to create a site, invite the victim to their own site and give them full permissions...
Automattic: [intensedebate.com] XSS Reflected POST-Based
Summary: Hello, I have found a reflected POST-based XSS in https://www.intensedebate.com/ajax.php. Vulnerable URL: POST /https://www.intensedebate.com/ajax.php Vulnerable Parameters: $_POST['txt']; Payload: azertyuiop Steps to reproduce: 1. Open the xss.html and you will see a JavaScript pop-up. You...
Khan Academy: Login page vulnerable to bruteforce attacks via rate limiting bypass
SUMMARY This report consists of two vulnerabilities. 1st vulnerability: I found out that there is rate limiting in place after 25 failed attempts. Now that is good, but when I use another email address to bruteforce, the rate limit didn't carry over to the new email. This may look like a minor issu...
Khan Academy: Password authentication when changing information bypass. Bypass of report #721341
SUMMARY When reading the disclosed reports of your program, I saw this one report, 721341. The reporter reported a lack of password confirmation when linking accounts. A fix was applied, adding password confirmation when linking an account to other services. But I found a way to bypass this. The...
curl: CVE-2020-8284: trusting FTP PASV responses
Summary: The issue here arises from the fact that curl has the option CURLOPT_FTP_SKIP_PASV_IP disabled by default. As a result, an attacker controlling the URL used by curl can perform port scanning on behalf of the server where curl is running. This can be achieved by setting up a custo...
Automattic: Email Verification bypass on signup
Summary: This bug is related to wordpress.com. There is a feature in wordpress.com which allows users to invite people. We have to enter an email address to invite that particular person, but the invite link and invite key are also available to the person who invited. This allows attackers to create the...
HackerOne: Second-order SOQL injection through email and campaign name parameter in Salesforce lead submission
The HackerOne directory contains profiles of bug bounty and vulnerability disclosure programs that aren't managed on HackerOne. These profiles can be claimed by the organization that manages them. As part of this flow, they will need to enter an email address to confirm their affiliation with the...
Nextcloud: Clickjacking URLs
Hey Team, while performing security testing of your websites I have found the vulnerability called Clickjacking. Many URLs are in scope and vulnerable to Clickjacking. The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The...