U.S. Dept Of Defense: Reflected XSS on https://███/████via hidden parameter "█████████"
Hi everyone: I found a Reflected XSS on https://█████/█████████via hidden parameter "██████████". Steps To Reproduce: - Use your favorite web browser - Go to: https://█████/████████&██████=XXX%22%3E%3Cscript%3Ealert%27Reflected%20XSS%20here%27%3C/script%3E An XSS is triggered! The initial page...
U.S. Dept Of Defense: Reflected XSS in https://███████ via hidden parameter "████████"
Hi everyone: I found a Reflected XSS on https://███████ via hidden parameter "████████" on the following authentication page: https://███████/██████████ Steps To Reproduce: - Use your favorite web browser - Go to:...
Imgur: Bypass subscription
Hello team! You can bypass avatar subscriptions. Thus, without connecting a subscription - it's free. A list of all avatars is available at the address below, with a GET request: :method: GET :authority: api.imgur.com :scheme: https :path: /account/v1/accounts/me/avatars?clientid=YOUR CLIENT ID...
Acronis: Blind Stored XSS in https://partners.acronis.com/admin which lead to sensitive information/PII leakage
Blind XSS was possible on partners.acronis.com Tier 3 via several contact form fields. We have seen no signs of the exploitation of this vulnerability...
HackerOne: Reflected XSS and possible SSRF/XXE on https://events.hackerone.com/conferences/get_recording_slides_xml.xml?url=myserver/xss.xml
@nagli found a reflected Cross-Site Scripting XSS, Server-Side Request Forgery SSRF, and XML External Entity XXE vulnerability in a 3rd party vendor that was used by HackerOne. This system did not contain any data related to reports submitted and stored on hackerone.com. HackerOne worked with the...
Acronis: CVE-2020-6287 https://redapi2.acronis.com
Hi team. Summary CVE-2020-6287 https://redapi2.acronis.com https://nvd.nist.gov/vuln/detail/CVE-2020-6287 SAP NetWeaver AS JAVA LM Configuration Wizard, versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute...
BugPoC: Reflected XSS at wacky.buggywebsite.com/frame.html
Summary: I solved that CTF to pop alert1 Steps To Reproduce: https://bugpoc.com/pocbp-HoQPW64U PoC ID: bp-HoQPW64U Password: AptBeAGlE03 Supporting Material/References: https://imgur.com/a/ZD7rOvH attachment / reference Impact General XSS impacts. Also, I mistakenly used document.domain instead of...
HackerOne: Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io
@nagli found an open redirect vulnerability in a 3rd party vendor that was used by HackerOne. This system did not contain any data related to reports submitted and stored on hackerone.com. HackerOne worked with the vendor to remediate the vulnerability. The report is partially disclosed to...
HackerOne: Stored XSS on https://events.hackerone.com
@nagli found a stored Cross-Site Scripting vulnerability in a 3rd party vendor that was used by HackerOne. This system did not contain any data related to reports submitted and stored on hackerone.com. HackerOne worked with the vendor to remediate the vulnerability. The report is partially...
BugPoC: Solution for XSS challenge wacky.buggywebsite.com
Summary: Found an HTML injection in https://wacky.buggywebsite.com/frame.html?param=Injected Bypassing CSP: CSP: script-src 'nonce-txjohfomwjdo' 'strict-dynamic'; frame-src 'self'; object-src 'none'; Then found vulnerable code in https://wacky.buggywebsite.com/frame.html js window.fileIntegrity =...
Mail.ru: reflected xss on learn.city-mobil.ru via redirect_url parameter
Reflected XSS in learn.city-mobil.ru via GET parameter redirect_url Back...
Exodus: Exposed Configuration Files at https://www.exodus.io/keybase.txt
Summary: Username, uid information is present in txt file. Steps To Reproduce: 1. Open This link https://www.exodus.io/keybase.txt 2. Search for username, uid 3. You will get some usernames with uid. Impact This information may help attacker in further attacks...
BugPoC: XSS Challenge
Hello, ID: bp-oJelDA6b Password: PLEAsEdYAk24 Impact The attacker can steal any user session data...
Shopify: Ability to potentially hit internal NGINX locations on *.myshopify.com by making use of the `X-Accel-Redirect` header via a configured App Proxy
By making use of the Shopify App Proxy and the X-Accel feature of NGINX, it is possible to hit any configured internal NGINX location as your current configuration is not ignoring the X-Accel-Redirect header response from an upstream service. The way it works is that NGINX allows internal...
Starbucks: Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg
ko2sec discovered an .ashx endpoint on mobile.starbucks.com.sg intended for image files permitted unrestricted file type uploads which could lead to a potential RCE. ko2sec's thorough analysis provided additional endpoints on other out of scope domains that shared this vulnerability. @ko2sec —...
Mail.ru: Clickjacking Vulnerability via https://www.donationalerts.com/help/support leads to bypass for widget.support.my.games X-Frame Options
Clickjacking protection bypass on widget.support.my.games via donationalerts.com...
Mail.ru: Disk-o Cloud application (Windows) does not validate server certificate on a TLS connection
A debugging/staging functionality disabling TLS certificate check was accidentally enabled in production code for Disk-O 20.10.0133, fixed in version 20.11.0006. 21.04 version adds integrity check for update process...
BugPoC: [BugPOC and Amazon XSS CTF writeup] A CSP Bypass Story
Summary/Description: There were quite a few restrictions imposed while executing JavaScript on the website. I have divided them into three segments which are explained below. Bypassing the iframe loading restriction The URL https://wacky.buggywebsite.com/frame.html?param=Hello,%20World when...
BugPoC: csp bypass leads to xss on wacky.buggywebsite.com
Summary: report will be uploaded later - need some sleep █████████ ███ Steps To Reproduce: PoC above Thanks for the challenge. I tried to use bugpoc for everything but ended up using aws to host the js file - seemed fitting as well and served the purpose. F1065889 Impact taking over all the whac...
BugPoC: Solution to the XSS Challenge
Summary: This challenge is very tricky and advanced. I have reached a part where I can execute my JS code, but that payload is blocked as of now by "allow-modals" missing value in the "sandbox" attribute. Following is a better explanation of where I am right now. Steps To Reproduce: 1. Keep the...
BugPoC: XSS :D
Great summary found here https://medium.com/bugbountywriteup/wacky-xss-challenge-with-amazon-by-bugpoc-d10d43d7707c This is the accepted solution of wacky xss ctf by bugpoc that amazon sponsored. Here is the write up for the same...
U.S. Dept Of Defense: Unauthenticated Arbitrary File Deletion "CVE-2020-3187" in █████
Summary: A vulnerability in the interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files. Description:...
GitHub Security Lab: [Java] CWE-927: Sensitive broadcast
This bug was reported directly to GitHub Security Lab...
Basecamp: Information Disclosure of Garbage Collection Cycle 'Again'
A diagnostic subdomain was still available publicly after being reported https://hackerone.com/reports/981796 and remediation. Subsequently a researcher was able to access the subdomain. Disclosure has been limited as the report contains low sensitive information, but sensitive none the less...
U.S. Dept Of Defense: Unauthorized access to admin panel of the Questionmark Perception system at https://██████████
Summary: Due to the lack of access control, an anonymous attacker can compromise the administrator account on the Questionmark Perception system. Description: By using the service description which is publicly accessible on the internet, and by bypassing the access control, an anonymous attacker can...
Lark Technologies: Accessing/Editing Folders of Other Users in the Organisation.
A vulnerability was found where users without Primary admin privileges were able to view/modify the directory structure of other users in their organization. This would occur after those users were invited to view/modify their folders by a Primary admin. We thank @snapsec for reporting this to ou...
Node.js third-party modules: Default behavior of Fastify's versioned routes can be used for cache poisoning when Fastify is used in combination with an HTTP cache / CDN
I would like to report possible cache poisoning in Fastify. It allows an attacker to perform cache poisoning when Fastify is used in combination with an HTTP cache / CDN. Module module name: Fastify version: 3.x npm page: https://www.npmjs.com/package/fastify Module Description Fast and low...
Stripo Inc: Stored XSS at Template Editor in "Section Name" Field of Block element 'Accordion'.
Summary: Hi Team, There is "Stored XSS" in Template Editor. When creating Accordion, "Section Name" field does not properly sanitize the input provided by the User leading to Stored XSS. See the Proof Of Concept below. Thank You. Steps To Reproduce: A. Open Template Editor and insert element...
U.S. Dept Of Defense: Apparent ██████████ website is publicly exposed, suggests default account details on page and has expired SSL/TLS cert
Summary: Publicly exposed website ███████ offering default login user/pass with expired SSL Description: https://██████/ is branded as '████' with ██████ branding/logo and links to ██████ homepage, defense.gov & @DeptofDefense Twitter account Impact Publicly exposed service with potentially defau...
VK.com: XSS in vk.link
XSS on vk.link...
U.S. Dept Of Defense: [SQLI] Time Based Injection at ██████████ via /██████/library.php?c=G14 parameter
Step-by-step Reproduction Instructions Copy the request to your Burp Suite: GET /█████████/library.php?c=G14'XORifnow=sysdate,sleep11,0OR' HTTP/1.1 Host: ██████ Accept-Encoding: gzip, deflate Accept: / Accept-Language: en User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64 AppleWebKit/537.36...
Mail.ru: file read on MCS servers via supplying a QCOW2 image with external backing file
Local file read in mcs.mail.ru by providing QCOW2 disk image with backing image pointing to external file Mail.ru Cloud Solutions allows uploading custom images for disks. This functionality supported QCOW2 disk images. A QCOW2 disk image can have a so-called "backing image" - a file to read...
Basecamp: SSL expired subdomain leads to API swap with main and flagged cookies. Unable to log device ids and certain session tokens.
SUMMARY - Replacing the login page of launchpad.37signals.com with subdomain help-basecamphq.37signals.com greets you with a login page which is insecure, and with the header sec-fetch-site: same-origin injected into your headers you can disable cookies such as . STEPS TO REPRODUCE 1. Visit...
Mail.ru: SQL injection delivery-club.ru (ClickHouse)
Some requests to clickhouse in delivery-club.ru were externally available potentially allowing SQL-like requests execution...
curl: Cookie exposure due to unexpected file permission change
Summary: libcurl since 7.72.0 changes the file specified in CURLOPT_COOKIEJAR to group and world readable, regardless of the prior file permissions of an already existing file, assuming a typical default umask of 022. This is unexpected, as typically the file permissions of an already existing file are not change...
Internet Bug Bounty: DOMPurify bypass
A mutation based bypass exists in DOMPurify when sanitizing svg elements using almost the same technique described by Michał Bentkowski @SecurityMB at https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/. A PoC payload with the DOM state before and after parsin...
Brave Software: Brave Browser potentially logs the last time a Tor window was used
Summary: A vulnerability in the Brave Browser allows an attacker to view the last time a Tor session was used in incognito mode. A local, on-disk attacker could read the Brave Browser's "Local State" json file and identify the last time a Tor session was used, affecting the confidentiality of a...
TikTok: RCE on TikTok Ads Portal
The video upload endpoint on the TikTok Ads portal was potentially susceptible to remote code execution RCE due to a ffmpeg misconfiguration. We thank @bubbounty for reporting this to our team and confirming the resolution. During my research on the TikTok Ads portal I found an RCE through the...
Mail.ru: [files.ucs.ru] ProFTPd mod_copy Arbitrary Read/Write
CVE-2015-3306 in an FTP server on files.ucs.ru exposed to the external network...
Mail.ru: [api-site.city-mobil.ru] Improper access control leads to information disclosure (bypass of #977597 fix)
Authorization for the api-site.city-mobil.ru endpoint was not properly checked, allowing an attacker to obtain data about arbitrary corporate.city-mobil.ru orders and users. Find a way to bypass a bad fix for 977597. There are more steps in the new scenario that allows exploiting the issue. An attacker needs to...
Mail.ru: SDC bypass on calendar.mail.ru
SDCS cookie was not properly checked for a few calendar.mail.ru endpoints, allowing a bypass of the SDC secure domain cookies protection for privilege separation between projects...
Mail.ru: Account Takeover on [ls5-dev.ucs.ru]
Login functionality on ls5-dev.ucs.ru was not sufficiently protected against bruteforce...
Stripo Inc: SSRF external interaction
Hi team, I found an SSRF external interaction on your website at https://my.stripo.email/cabinet//login?guid=&tn=&locale=en in the chatbox. Description: the attacker might cause the server to make a connection back to itself or to other web services within the organization infrastructure or to...
Ruby on Rails: Regular expression denial of service in ActiveRecord's PostgreSQL Money type
Summary Hello team! The regular expressions used in the Money type to convert strings like -$100,000.00 to 100000 have an execution time with a quadratic growth proportional to the length of the string. Causing the denial of service requires very long strings but if the parameter is in a post bod...
Mail.ru: CVE-2020-3187 on IP address 91.231.115.30
CVE-2020-3452 on webvpn.city-srv.ru...
Nextcloud: Stored XSS in markdown file with Nextcloud Talk using Internet Explorer
While editing a markdown file through the text app, users can create link elements that have a javascript URL such as javascript:alert1. Steps to reproduce: While editing a markdown file, select some text and click the "Add Link" button. Using a web proxy, intercept the request and change the hre...
Yelp: password field autocomplete enabled
Summary: Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications that employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local...
Shopify: Staff with no permissions can listen to Shopify Ping conversations by registering to its different WebSocket Events
By registering to a few different Shopify Ping WebSocket Events on the wss://argus.shopifycloud.com/graphql?shopid=id endpoint, a staff member without any permissions can listen to conversations with customers. Steps to reproduce 1. With a staff account that doesn't have any permissions, log into the shop admin ...
Mail.ru: Improper Restriction of Excessive Authentication Attempts via https://certification.mail.ru/auth-form/?form=auth_certy (Rate limit Bypass)
Login functionality on certification.mail.ru was not sufficiently protected against bruteforce...
Acronis: [acronis.secure.force.com] - Insecure Salesforce default/custom object permissions leads to information disclosure
Hi there, I know that this domain https://acronis.secure.force.com is not listed in scope but I thought it would be a good idea to share this finding with you because this endpoint is leaking internal information/meetings. Target: The Salesforce instance at https://acronis.secure.force.com...