Automattic: Stored XSS in Intense Debate comment system
Hi Team, Summary: The Intense Debate comment system is vulnerable to stored XSS by users; this would allow for attacking admins/users on the blog. Platforms Affected: Intense Debate comment system Steps To Reproduce: 1. Go to intensedebate.com/moderate/-ID- 2. Go to comments allow images in...
Mail.ru: DOM XSS on https://biz.mail.ru/domains/goto/mail/ via parameter pollution
DOM based XSS in biz.mail.ru...
Internet Bug Bounty: Some build dependencies are downloaded over an insecure channel (without subsequent integrity checks)
Summary: Build jobs mingw64 | openssl-1.1.1d and mingw32 | openssl-1.0.2u download dependencies from build.openvpn.net and www.oberhumer.com over an insecure channel (http, not https) and do not check their integrity in any way. This opens the door to person-in-the-middle attacks, whereby an attacke...
ImpressCMS: Other misconfiguration on Slack Server
Other misconfiguration on Slack Server...
Automattic: Sql injection on docs.atavist.com
Hello dear team, I have found SQL injection on docs.atavist.com url: http://docs.atavist.com/readerapi/stories.php?limit=10&offset=20&organizationid=88822&search=0&sort= parameters: injectable search=0 Parameter: search GET Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind...
Mail.ru: XSS account.mail.ru
XSS in account.mail.ru via cookie value...
8x8 Bounty: Any meeting chat history can be read and modified by an arbitrary user
A vulnerability existed where a JaaS user could read & modify the chat history of an 8x8 Meet conference. It was limited by the fact that the meeting UUID was required to be known. The fix was promptly deployed to production. A vulnerability in an API accessible through the jaas.8x8.vc white-labe...
U.S. General Services Administration: CRLF INJECTION
Vulnerable url - https://www.epay.fas.gsa.gov/%0D%0ASet-Cookie:crlfinjection=crlfinjection Impact an attacker can set new header...
Omise: assets/vendor.js file exposing sentry.io token and DNS and application id .
Information Disclosure in javascript file...
Automattic: XSS in Email Input [intensedebate.com]
Summary: I found an XSS in Email input. This input is not sanitized like other inputs allowing user to execute xss payloads. Platforms Affected: https://www.intensedebate.com/edit-user-account Steps To Reproduce: 1. Navigate to your account. 2. In email address, add the below payload next to your...
Bumble: Race Condition on "Get free Badoo Premium" which allows to get more days of free premium for Free.
Summary: On Badoo, when a user wants to delete his account it prompts for a free 3-day premium, or the user can proceed to delete his account. But when the user chooses to get the free 3-day premium he can click Get free Badoo Premium and can enjoy free premium for three days. Here I found a race condition...
Mail.ru: Exposed Git Repo at https://mini-app.delivery-club.ru
Leaking sensitive application data in configuration files at mini-app.delivery-club.ru...
Judge.me: HTML injection in review content
Hi Judge Security Team, I found an HTML Injection in the review parameter at https://judgeme-pentest.myshopify.com/products/pentest and at judge.me Steps 1. Go to https://judgeme-pentest.myshopify.com/products/pentest 2. Click on "Write Review" 3. Fill in the fields normally. F1083621 4. Now, ...
Kubernetes: Kubelet follows symlinks as root in /var/log from the /logs server endpoint
Summary: Privilege escalation from a pod to root read permissions on the entire filesystem of the node, by creating symlinks inside /var/log. The kubelet is simply serving a fileserver at /var/log: kubernetes\pkg\kubelet\kubelet.go:1371 golang if kl.logServer == nil kl.logServer =...
U.S. Dept Of Defense: Blind stored XSS due to insecure contact form at https://█████.mil leads to leakage of session token and
Summary: I have discovered a blind stored cross site scripting vulnerability due to an insecure Contact form available here https://███████.mil/ This form does not properly sanitize user input allowing for the insertion and submission of dangerous characters such as angle brackets. I was able to...
ImpressCMS: Slack server disclose h1 private issue report
Summary ======= Upon browsing the https://www.impresscms.org/, one of the post include the public Slack Channel however the devel channel exposed some of the private h1 reports. Checking ImpressCMS hacktivity the issues that get resolved/reported are private which helps me to verify that the team...
U.S. Dept Of Defense: Able to authenticate as administrator by navigating to https://█████/admin/
Summary: The endpoint at https://███████/admin/ authenticates the user as the administrator user. Step-by-step Reproduction Instructions 1. Navigate to https://███/ and you'll notice you will need to log in. 2. Navigating to https://██████████/admin/ will show you a malformed admin page, with the...
VK.com: Obtaining stickers
Race condition when obtaining stickers...
Informatica: Blind SQL injection at tsftp.informatica.com
The parameter refreshtoken sent to the REST path /api/v1/token is vulnerable to blind SQL injection. Compare the response time of these 2 requests: $ time curl -X POST "https://tsftp.informatica.com/api/v1/token" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -...
HackerOne: Security@ email forwarding and Embedded Submission drafts can be used to obtain copy of deleted attachments from other HackerOne users
HackerOne has a number of ways for hackers to submit security vulnerabilities to a program, two of which are through an embedded submission form and through security@ email forwarding. These two features can be exploited to update a report draft created through security@ email forwarding that doe...
Mail.ru: HTML injection in an email [delivery.city-mobil.ru]
It was possible to inject spoofed HTML content into delivery.city-mobil.ru registration e-mail message via forged user name...
HackerOne: Indexing of urls on the "External link warning" pages discloses many vulnerable endpoints from the past and unlisted videos/photos
@nagli found a misconfiguration in an interstitial page that could lead to a link being indexed by a 3rd party. This could have exposed links to proof of concepts that HackerOne users had posted on hackerone.com. This affected a specific set of customers, which HackerOne worked together with to...
Mail.ru: Database read through file attachment [content://]
Local malicious application selected as a file picker by user could obtain access to ICQ for Android local database by returning a content URI...
Bumble: Possible (we need to wait for some time) takeover of subdomain badootech.badoo.com which is pointing to Medium servers
Description: Hello, team! Recently I found a new subdomain pushed; it's https://badootech.badoo.com/. The site's content contains a Medium icon with the text "Oops! We couldn’t find that page. Sorry about that.", DNS records are: badootech.badoo.com. 21399 IN A 52.1.173.203 badootech.badoo.com...
Mail.ru: SDC bypass cloud.mail.ru for every /api/v3/* endpoint.
The SDCS cookie was not properly checked for a few cloud.mail.ru endpoints, allowing a bypass of the SDC secure domain cookie protection for privilege separation between projects...
Shopify: XSS stored in the Shopify Email app
Steps: 1. Install the Shopify Email app F1076928 2. Click General under Settings 3. Change the phone number to 1234567" F1076939 4. Open the Shopify Email app and create an email 5. Show phone number F1076940 6. Watch the video PoC for more information Impact: stored XSS...
GoCD: XSS In https://docs.gocd.org/current/
Searches on docs.gocd.org were subject to a client-side XSS issue...
Mail.ru: Django Debug=True leaks admin email addresses and several pieces of system information
Domain, site, application: weblate.ucs.ru Steps to reproduce For getting all URL patterns 1. Open https://weblate.ucs.ru/ 2. Now after / enter any random string 3. It will open a 404 page which contains all the URL patterns of the website For getting all debug info 1. Open https://weblate.ucs.ru 2. Now go ...
U.S. Dept Of Defense: Reflected Xss in [██████]
Description: Reflected XSS in █████████ due to an unsanitized single quote '. Impact An attacker could execute arbitrary JavaScript and perform malicious actions! Step-by-step Reproduction Instructions 1. Used payload: simo%27onfocus=%27confirmdocument.domain%27name=%27simo%27simo 2. Visit the url...
Node.js: DNS Max Responses for DOS
See my GitHub issue: https://github.com/nodejs/node/issues/36063 When I try to fetch the A DNS records of the following domain: ticbrasil.com.br I don't get any response. I think that's the case because there are over 1300 responses. Version: v12.18.4, v14.15.0 Platform: 64-bit Windows 10 Pro &...
X (Formerly Twitter): Chained open redirects and use of Ideographic Full Stop defeat Twitter's approach to blocking links
Summary: A chain of two open redirects on analytics.twitter.com and twitter.com, coupled with the use of an Ideographic Full Stop allows an attacker to defeat Twitter's approach to blocking links. Description: Twitter maintains a deny list of domain names and prevents users from tweeting direct o...
X (Formerly Twitter): Read-only application can publish/delete fleets
Summary: Twitter released Fleets yesterday. This feature works with a few APIs, and these APIs are missing permission checks. Description: In /fleets/v1/create of https://api.twitter.com, there is no check whether the application has permission to write to the account. /fleets/v1/delete h...
Kubernetes: csi-snapshot-controller crashes when processing VolumeSnapshot with non-existing PVC
Report Submission Form I was asked by Kubernetes Product Security and H1 Employee @turtleshell to open a new report with the same details as report 995699. Summary: csi-snapshot-controller crashes when processing VolumeSnapshot with non-existing PVC Kubernetes Version: 1.19 Component Version:...
Engel & Völkers Technology GmbH: CSS-Reflected
Summary: Cross Site Scripting reflected Steps To Reproduce: This PoC is on how to redirect a user to a malicious website to steal credentials or any sensitive information. 1. How the request has been intercepted F1074840 2. What was the response rendered F1074843 or F1074850 3. Which tools are used: ...
Lyst: DOM XSS on http://talks.lystit.com
Description DOM XSS can be achieved via a postMessage due to an insecure postMessage handler being registered. POC 1. Visit https://gamer7112.com/lyst1.html 2. Click the link 3. View alert Vulnerable Code Located at http://talks.lystit.com/data-saloon-presentation/plugin/notes/notes.html javascri...
Rocket.Chat: CSS Injection in Message Avatar
The custom message avatars in the Meteor.method "sendMessage" can contain inline CSS that influences the resulting HTML element rendering. Escaping the input with "none;" allows further CSS to be applied to the elements inline styles, without requiring certain characters such as whitespace...
Rocket.Chat: User Impersonation through sendMessage options
The Meteor call "sendMessage" allowed clients to use custom avatar and alias parameters, which could be used to impersonate other chat room members. This vulnerability has been patched...
U.S. Dept Of Defense: https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD
Hi @U.S. Dept Of Defense, I found a host which is running on the web services interface of Cisco ASA/FTD and it is vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. An attacker could exploit this vulnerability by sending a crafted HTTP request containing...
X (Formerly Twitter): GitHub account hijack through broken link in developer.twitter.com
Description A link in https://developer.twitter.com/en/docs/twitter-api/tools-and-libraries was broken and anyone could create that account, which leads to account impersonation Steps To Reproduce 1. Visit https://developer.twitter.com/en/docs/twitter-api/tools-and-libraries 2. Scroll down to...
Dropbox: `account_info.read` scope OAuth app access token can change token owner's account name.
Previously, Dropbox API was split between App Folder and Full Dropbox apps. After the recent introduction of Scoped Access apps, which use OAuth scopes, a number of routes meant specifically for internal use were neither restricted to internal apps nor were they annotated with required scopes. A...
Engel & Völkers Technology GmbH: XSS reflected
Summary: Cookie input nbu2 was set to "alert9536" and the input is reflected inside a tag between single quotes. Steps To Reproduce: 1. Go to https://www.engelvoelkers.com/en/search/ 2. Change parameter nbu2 in the Cookie to "alert9536" 3. Now check the response, alerting 9536 in a popup window...
GitHub Security Lab: Java: Detect remote source from Android intent extra
This bug was reported directly to GitHub Security Lab...
BugPoC: XSS PoC for the wacky.buggywebsite.com challenge
Summary: https://wacky.buggywebsite.com/frame.html is vulnerable to DOM-based XSS. Steps To Reproduce: 1. Navigate to https://oembed.dev.ipwnedyour.net/wacky.buggywebsite.com.xss.html 2. Verify the document's origin is displayed in an alert box. PoC code details: The PoC page at...
Malwarebytes: No SPF/DMARC records on mb-cosmos.com
The domain mb-cosmos.com lacked SPF and DMARC records, allowing email spoofing. Emails appeared to originate from the domain without authentication. This vulnerability was reported as a security issue...
Mail.ru: Account takeover on [support2.ucs.ru]
The password at support2.ucs.ru was not sufficiently protected against brute force...
Stripo Inc: No rate limiting for subscribe email + lead to Cross origin misconfiguration
Summary: I found a bypass of rate limiting using Access-Control-Allow-Origin: and the response came back as 200 (vulnerable). No rate limit means there is no mechanism to protect against the requests you make in a short frame of time. If the repetition doesn't give any error after 50, 100, 1000 repetitions...
Shopify: Self xss in product reviews
1. Install the Product Reviews app F1070556 2. Open a product and write a review 3. Press F12 on the keyboard, change the type of the email field to text. 4. Write in email "[email protected]. F1070565 5. Fill in the other required fields, then submit. F1070566 Impact: Self XSS...
Rockstar Games: RDR2 game service method allows adding any player to a new Posse without consent
In this report, the researcher discovered a game service method in Red Dead Online that could be manipulated into allowing an attacker to create new Posses and add any Social Club account to it, without their knowledge or consent. We have resolved this by updating the service method to prevent th...
VK.com: No flood control on the "Request money" function in VK Pay. Flooding a user who is in the friends list with notifications and messages.
Broad flood control when requesting money in VK Pay. Yes...
Mail.ru: [com.icq.mobile.client] Any third-party application can hijack the session, as well as other application files
Insufficient validation of sharing activity parameters for the ICQ application on Android allowed access to the application's sensitive files...