15267 matches found
VK.com: XSS Reflected in m.vk.com
XSS on the wall in m.vk.com...
Status.im: HTTP Parameter Pollution with semicolons in iframe allows loading external Greenhouse forms
Summary: Status.im uses Greenhouse for job applications, specifically the older Greenhouse integration which relies on iframes. The ghjid URL parameter is used to load the correct form in the iframe. HTML characters are escaped, but using semicolons you can inject URL parameters into the iframe v...
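The general pattern behind this report, as an added example that is not the reporter's or Status.im's code: a URL parameter is HTML-escaped (so it cannot break out of the `src` attribute) but never percent-encoded, and the server that receives the iframe URL splits its query string on `;` as well as `&`. The embed base URL, the `for`/`token` parameter names and the parser are assumptions used for illustration.

```python
import html
import re
from urllib.parse import unquote_plus, urlencode

# Hypothetical embed URL; the real Greenhouse iframe URL is not reproduced here.
EMBED_BASE = "https://embed.example.test/job_app"


def build_iframe_src_vulnerable(ghjid: str) -> str:
    """Weak pattern: the value is HTML-escaped, so it cannot break out of the
    src="..." attribute, but it is never percent-encoded, so ';' and '=' survive."""
    return f"{EMBED_BASE}?for=status&token={html.escape(ghjid)}"


def build_iframe_src_fixed(ghjid: str) -> str:
    """Hardened: encode the value as a query component (';' -> %3B, '=' -> %3D),
    then HTML-escape the whole URL for the attribute context."""
    query = urlencode({"for": "status", "token": ghjid})
    return html.escape(f"{EMBED_BASE}?{query}")


def parse_query_semicolon_aware(query: str) -> dict:
    """Model of a query parser that splits on ';' as well as '&' (CPython's
    parse_qs did this before 3.9.2; PHP does if arg_separator.input includes ';').
    Last value wins, which is what makes the injected pair override the real one."""
    params = {}
    for pair in re.split(r"[&;]", query):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def effective_params(iframe_src: str) -> dict:
    """What the embedded page sees: the browser unescapes the attribute value,
    then the server parses the query string."""
    url = html.unescape(iframe_src)
    query = url.partition("?")[2]
    return parse_query_semicolon_aware(query)


if __name__ == "__main__":
    payload = "12345;for=attacker"  # constructed injection value
    print(effective_params(build_iframe_src_vulnerable(payload)))
    print(effective_params(build_iframe_src_fixed(payload)))
```

The fix is the usual one for any attribute-embedded URL: encode for the URL context first (`urlencode`), then for the HTML context (`html.escape`); either step alone leaves one of the two parsers exploitable.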
Acronis: XSS Stored in Cacheable response
XSS was possible on https://www.acronis.com due to improper error handling...
OPPO: Information Disclosure at https://portal.finzfin.com/1.txt
Leaking internal network information. Summary: While performing recon work on websites owned by OPPO, I came across the finzfin website, which is leaking sensitive information. Description: The above website is leaking information. This is a high severity issue and requires an immediate fix. I look...
Mail.ru: XSS in message e.mail.ru
XSS in e.mail.ru on message replying / forwarding...
Acronis: Web cache poisoning at www.acronis.com
Summary: I found a cache poisoning problem in www.acronis.com. A poisoned web cache can potentially be a devastating means of distributing numerous different attacks, exploiting vulnerabilities such as XSS, JavaScript injection, open redirection, and so on. Steps To Reproduce: 1. Use...
Shopify: Low Privileged Staff Member Can Export Billing Charges
Details: I'm not 100% sure about this because I don't have billing transactions on my account. However, from my experience of how Shopify's backend responds, I think this is a valid finding; it just needs confirmation from Shopify's security team. A GraphQL mutation billingChargesExport can be used by a...
Automattic: [tumblr.com] CSRF in /svc/user/filtered_content
Summary: Hello, I have found a Cross-site request forgery in https://tumblr.com/svc/user/filtered_content that allows an attacker to add filtered content to a target/victim account. The custom HTTP header X-tumblr-form-key used for CSRF protection is not validated. Steps To Reproduce: 1. Log in to...
Uber: Request Access for Uber Device Returns Management Platform (https://www.eats-devicereturns.com/request-access/) Bypass Allows Access to PII
The hacker identified a registration page on a website run by a third party for Uber for managing Uber Eats devices, for example device returns when they stop working. Because the authentication was not integrated with Uber's central authentication, the website was interesting. Although the...
Acronis: DLL Hijacking when creating Rescue Media Builder leading to Privilege Escalation
Vulnerability description not provided...
TikTok: [CSRF] TikTok Careers Portal Account Takeover
A missing CSRF protection and open redirect vulnerability was reported in the TikTok Careers portal single sign on flow which is used by applicants to apply for TikTok positions. This flaw was quickly remediated and does not impact TikTok.com or mobile application. We thank @lauritz for reporting...
CS Money: Blind XSS on image upload
Summary: - The CSRF vulnerability makes a request to support.cs.money/uploadfile; this uploadfile endpoint has no CSRF token / Origin / Referer verification! - The XSS allows executing JS. The XSS payload stays in the 'filename' param of the CSRF request. Steps To Reproduce: XSS - use a prox...
Internet Bug Bounty: [CVE-2020-27194] Linux kernel: eBPF verifier bug in `or` binary operation tracking function leads to LPE
CVE-2020-27194 is an eBPF verifier bug that allows an unprivileged attacker to create BPF socket filter programs that can read and write out of bounds, through which an arbitrary kernel read/write can be achieved. I'm taking the root cause explanation from the patch email: Simon reported an issue...
U.S. Dept Of Defense: Reflected XSS on https://████/ (Bypass of #1002977)
Hello DoD team, third time's a charm :- I really cannot explain what is going on with this ██████████ website. You just locked the report so I can't comment there, but it seems it works right now and I have proof with a timestamped video. I am talking about 1002977; I hope you will see this fast...
Basecamp: Possible DOM XSS on app.hey.com
Summary: Hello Team, while testing it was observed that on https://app.hey.com/, in the Search box there is a possibility of XSS. Although the payload is reflected in the DOM, the CSP blocks the execution of the script; the XSS can happen if the CSP is somehow bypassed. The Subject parameter is...
Stripo Inc: Able to use 'PREMIUM TEMPLATES' in 'FREE PLAN' at [https://my.stripo.email/cabinet/#/my-templates/]
Summary: Hi Team, I have found a way to use Premium Templates with the FREE PLAN only. Generally, Premium Templates can only be used by PAID USERS, so this will lead to heavy business loss. It is also possible to use components in the DEMO EDITOR which are only available after registration, by just...
Engel & Völkers Technology GmbH: Debug information at the /sapi endpoint
Summary: Send a GET request to www.engelvoelkers.com/sapi and the server responds with a 500 Internal Server Error which yields a stack trace. Steps To Reproduce: - Enter www.engelvoelkers.com/sapi into your web browser and you can see the stack trace. https://bugpoc.com/pocbp-VPZDeo2Z I will...
GitHub Security Lab: Java: CWE-918 - Server Side Request Forgery (SSRF)
This bug was reported directly to GitHub Security Lab...
Ubiquiti Inc.: Camera adoption DoS - UniFi Protect
A vulnerability was found in UniFi Protect v1.13.7 and earlier that would allow an attacker to use spoofed cameras to perform a denial-of-service attack that could cause the UniFi Protect controller to crash. This vulnerability is fixed in UniFi Protect v1.17.1 and later versions. Affected...
Acronis: DLL Hijacking when sending feedback and crash report leading to Privilege Escalation
Vulnerability description not provided...
Acronis: Large Amounts of Back-End Acronis Source Code is Publicly Accessible
Vulnerability description not provided...
Automattic: Able to comment/view in others' support tickets at https://en.instagram-brand.com/requests/dashboard
Summary: I reported the vulnerability to Facebook, and they said to report it here for the bounty. Platforms Affected: https://en.instagram-brand.com/requests/dashboard Steps To Reproduce: 1. Create two accounts, User A and User B, at https://en.instagram-brand.com/ 2. Apply for Instagram brand fr...
U.S. Dept Of Defense: Local File Inclusion In Registration Page
Summary: When registering on https://████████ it is possible to use path traversal characters in a parameter allowing an attacker to read local files. Description: The registerUserInfoCommand.nextPageName parameter within the registration form is vulnerable to file path manipulation, where it is...
U.S. Dept Of Defense: PII Leak of USCG Designated Examiner List at https://www.███
Hello DoD Team, Summary: PII of approx. 750 personnel is being disclosed through the PDF at https://www.██████, which was uploaded on the 7th of October; this includes personal phone numbers and email addresses. Description: The list presented in "dereport.pdf" contains personal info...
HackerOne: 2020-10-09 Credential Stuffing Attack
Executive summary On October 4, 2020 and October 5, 2020, an attacker launched two credential stuffing attacks against HackerOne.com. On October 9, 2020, HackerOne’s Security team noticed the attack during their weekly audit of anomalies in their log aggregation platform, leading to the Incident...
Uber: RCE via npm misconfig -- installing internal libraries from the public registry
The hacker spotted some orphaned references to Uber-branded Node.js library packages and claimed them on the public NPM registry to run their own proof-of-concept code. Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies...
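A practitioner's first check for the class of misconfiguration described above is whether any dependency name can be resolved from the public registry when it should only ever come from an internal one. The following is an added example, not Uber's tooling: it parses a constructed `package.json` and two constructed `.npmrc` files and flags packages that would fall through to the public registry. The `acme-` naming prefix and the `@acme` scope are assumptions standing in for an organisation's own conventions.

```python
import json

# Constructed sample manifest; not a real project's package.json.
PACKAGE_JSON = json.dumps({
    "name": "acme-service",
    "dependencies": {
        "express": "^4.17.1",
        "acme-logging": "2.3.0",        # unscoped name that only exists internally
        "@acme/auth-client": "1.0.0",   # scoped internal package
        "@acme/metrics": "0.4.2",
    },
    "devDependencies": {"jest": "^26.0.0"},
})

# Weak: everything, scoped or not, resolves against the public registry.
NPMRC_WEAK = "registry=https://registry.npmjs.org/\n"

# Fixed: the internal scope is pinned to the internal registry.
NPMRC_FIXED = (
    "registry=https://registry.npmjs.org/\n"
    "@acme:registry=https://npm.internal.acme.test/\n"
    "always-auth=true\n"
)

# Assumed naming convention for unscoped internal packages.
INTERNAL_PREFIXES = ("acme-",)


def parse_npmrc(text: str):
    """Return (default_registry, {scope: registry}) from .npmrc key=value lines."""
    default = None
    scopes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scopes[key[: -len(":registry")]] = value
    return default, scopes


def audit_dependencies(package_json_text: str, npmrc_text: str):
    """List (package, reason) pairs for dependencies resolvable from the public registry
    even though they are internal: unscoped internal names are claimable by anyone,
    and scoped names are only safe when their scope is mapped to an internal registry."""
    default, scopes = parse_npmrc(npmrc_text)
    manifest = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    findings = []
    for name in sorted(deps):
        if name.startswith("@"):
            scope = name.split("/", 1)[0]
            if scope not in scopes:
                findings.append((name, f"scope {scope} unmapped; resolves via {default}"))
        elif name.startswith(INTERNAL_PREFIXES):
            findings.append((name, "unscoped internal name; claimable on the public registry"))
    return findings


if __name__ == "__main__":
    for npmrc in (NPMRC_WEAK, NPMRC_FIXED):
        print(audit_dependencies(PACKAGE_JSON, npmrc))
```

Even with the fixed `.npmrc`, the unscoped `acme-logging` is still reported: a scope mapping only protects names under that scope, so the remaining fix is to publish internal packages under the scope (or register the unscoped names publicly as placeholders).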
DRIVE.NET, Inc.: [www.drive2.ru] Insufficient Security Configurability - Notification message not sent when account is deleted
Email notifications are not sent when an account is deleted. Best Practices: As a recommended practice, for security reasons, users should be notified via email of changes to important operations such as account deletion...
DRIVE.NET, Inc.: [www.drive2.ru] Insufficient Session Expiration - Previously issued email change tokens do not expire upon issuing a new email change token
The email verification code was not expired when a new one was generated. It was fixed. Summary: When a user changes their email, they receive a verification code at the new email. This verification code is used when changing your email. However, drive2.ru can reuse a corrupted verificati...
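The fix the report describes amounts to "at most one live code per user, superseded on reissue". As an added example, not drive2.ru's code, the two stores below model the reported behaviour and the hardened one; a fake clock is passed in so expiry can be exercised offline. The 15-minute TTL and the user/email values are assumptions.

```python
import hashlib
import hmac
import secrets


def _digest(token: str) -> str:
    """Store only a hash of the token so a database read does not leak live tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class WeakEmailChangeTokens:
    """Model of the reported behaviour: every issued token stays valid until it is
    used or expires, so an older, possibly leaked token survives a reissue."""

    def __init__(self, now):
        self._now = now
        self._tokens = {}  # digest -> (user_id, new_email, expires_at)

    def issue(self, user_id, new_email, ttl=900):
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (user_id, new_email, self._now() + ttl)
        return token

    def redeem(self, user_id, token):
        rec = self._tokens.pop(_digest(token), None)
        if rec is None or rec[0] != user_id or self._now() > rec[2]:
            return None
        return rec[1]


class EmailChangeTokens:
    """Hardened: one live token per user, replaced on every issue; single use;
    time-limited; constant-time comparison of the stored digest."""

    def __init__(self, now):
        self._now = now
        self._active = {}  # user_id -> (digest, new_email, expires_at)

    def issue(self, user_id, new_email, ttl=900):
        token = secrets.token_urlsafe(32)
        # Overwriting the entry is what invalidates any previously issued token.
        self._active[user_id] = (_digest(token), new_email, self._now() + ttl)
        return token

    def redeem(self, user_id, token):
        rec = self._active.get(user_id)
        if rec is None:
            return None
        digest, new_email, expires_at = rec
        if self._now() > expires_at:
            del self._active[user_id]
            return None
        if not hmac.compare_digest(digest, _digest(token)):
            return None
        del self._active[user_id]  # single use
        return new_email


if __name__ == "__main__":
    import time
    store = EmailChangeTokens(time.time)
    first = store.issue(42, "first@example.test")
    second = store.issue(42, "second@example.test")
    print(store.redeem(42, first), store.redeem(42, second))
```

Keying the hardened store by user rather than by token is the whole point: a new request for the same user cannot coexist with the old one, so the race the report describes (old code still honoured after a new one is sent) cannot occur.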
TikTok: Blind SSRF in ads.tiktok.com
A Server Side Request Forgery SSRF vulnerability was reported on the TikTok ads portal. This flaw has since been remediated. We thank @chihuahua for reporting this vulnerability to our team and confirming the resolution...
TikTok: CORS misconfiguration in TikTok ads portal
A CORS misconfiguration was discovered in the TikTok ads portal which could potentially allow an attacker to obtain user IDs and usernames of logged in users. This issue has been resolved. We thank @chihuahua for reporting this to our team...
TikTok: User In The Same Center Can Create CSRF To Change The Information About Business
A Cross Site Request Forgery CSRF vulnerability was reported on the TikTok ads portal. This flaw has since been remediated. We thank @sniper302 for reporting this vulnerability to our team...
Open-Xchange: XSS - Calendar - Unescaped common name of appointment participant
There is this function to get a participant's name:

```javascript
// frontend/ui/apps/io.ox/participants/chronos-views.js
getDisplayName: function (model, options) {
    options = options || {};
    var dn = model.get('contact') ? contactsUtil.getFullName(model.get('contact'), options.asHtml) : model.get('cn');
    // 'email...
```
Automattic: [api.tumblr.com] Denial of Service by cookies manipulation
Hello. Summary: I have found at api.tumblr.com two parameters, consumerkey && consumersecret, that allow modifying the oa-consumerkey && oaconsumersecret cookie values and properties. An attacker can send a malicious link to reset the cookies of api.tumblr.com, which leads to DoS. To trigger the DoS, the...
U.S. Dept Of Defense: CORS misconfiguration which leads to the disclosure
Summary: CORS misconfiguration which leads to the disclosure. Steps: 1. Go to https://██████/wp-json/wp/v2/ 2. Intercept the request using Burp Suite. Request: GET /wp-json/wp/v2/ HTTP/1.1 Host: ███ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept:...
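The report's steps stop at capturing the request; what decides severity is how the server answers an attacker-controlled `Origin`. The following added example (not the reporter's or the target's code) models the two server behaviours and the classification a tester applies to the response headers: the target host, the probe origins and the allowlist are constructed for illustration.

```python
def assess_cors(origin: str, response_headers: dict) -> str:
    """Classify a response to a request that carried the given Origin header."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard"  # browsers refuse credentialed reads for '*': public data only
    if acao == origin:
        # Exploitable only when `origin` is one the attacker can actually serve from.
        return "origin-echoed-with-credentials" if creds else "origin-echoed"
    if acao == "null":
        return "null-with-credentials" if creds else "null"
    return "fixed-origin"


def probe_origins(target_host: str):
    """Origins worth sending: arbitrary, look-alikes built around the target, and null."""
    return [
        "https://attacker.example",
        f"https://{target_host}.attacker.example",
        f"https://evil{target_host}",
        "null",
    ]


def vulnerable_server(request_headers: dict) -> dict:
    """Model of the weak behaviour: reflect any Origin and allow credentials."""
    origin = request_headers.get("Origin")
    headers = {"Content-Type": "application/json"}
    if origin:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


ALLOWED_ORIGINS = {"https://app.example.test"}  # assumed allowlist


def hardened_server(request_headers: dict) -> dict:
    """Exact-match allowlist; no CORS headers at all for anything else."""
    origin = request_headers.get("Origin")
    headers = {"Content-Type": "application/json"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Vary"] = "Origin"  # keep caches from serving one origin's answer to another
    return headers


def run_probe(server, target_host: str) -> dict:
    """Send every probe origin to `server` and collect the verdicts."""
    return {
        origin: assess_cors(origin, server({"Host": target_host, "Origin": origin}))
        for origin in probe_origins(target_host)
    }


if __name__ == "__main__":
    print(run_probe(vulnerable_server, "target.example.test"))
    print(run_probe(hardened_server, "target.example.test"))
```

The look-alike origins matter because a common half-fix is a substring or regex check on the Origin header; exact-match against a short allowlist, plus `Vary: Origin`, is the form that survives this probe.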
Uber: Unrestricted File Upload Results in Cross-Site Scripting Attacks
It was found that an attacker can upload any type of file including HTML files when adding a menu during the onboarding process after signing up at https://www.ubereats.com/restaurant/en-CA/signup. The hacker identified a file upload endpoint used by restaurants applying for Uber Eats which was...
Mail.ru: Access User Tickets via IDOR in [widget.support.my.games]
IDOR vulnerability in widget.support.my.games allowed to disclose the user tickets...
Bumble: Identify unique user ID of all the profiles
Through this vulnerability, one can learn the unencrypted user ID of all the profiles. Steps to reproduce: 1. Log in to your Bumble profile 2. In the SERVERGETUSERLIST API, replace the folder ID 0 with 7. This folder contains all the profiles in your deck (which you have right-swiped on; screenshot 1);...
U.S. Dept Of Defense: All private support requests to ███████ are being disclosed at https://███████
Hello DoD Team, Summary: I have found out that all personal requests made to the https://█████ form are being disclosed to the public at https://███████, which poses a critical privacy issue. Description: While searching my name on Google ("naglinagli") I encountered a weird mention of my xss...
Ian Dunn: SSRF Possible through /wordpress/xmlrpc.php
Hello, I have found an SSRF in iandunn.name through the xmlrpc.php API. I understand you've said in the past that this endpoint produces junk reports, but this is a function which isn't disabled by disabling the endpoint, as I can prove with a Proof-Of-Concept. There is a function using...
Informatica: Cross-site Scripting (XSS) - DOM - iqcard.informatica.com
Hello all, I found a DOM based XSS at iqcard.informatica.com. Description: After finding the path iqcard.informatica.com/pub/fujitsu/fm3v2/player/attach.html, I noticed that the code inside attach.html was vulnerable to DOM XSS, due to the JavaScript document.location function. search. T...
U.S. Dept Of Defense: IDOR + Account Takeover [UNAUTHENTICATED]
1. Open Burp Suite. 2. Switch to the "Repeater" tab. 3. Paste the content of the attached request into the Repeater. 4. Replace the "UID2 = 4820041" value in the cookie with the ID value of the user to be attacked. Also write the user's email in the "userName" input. 5. Replace the victim user's...
U.S. Dept Of Defense: View another user information with IDOR vulnerability
1. Navigate to the system: https://███████/login.php 2. Navigate to the register page: https://██████████/register.php (I created a user, username: ██████, pass: TEst.123.!) 3. Log in to the system: https://███/login.php 4. Navigate to "My Profile Page". 5. Intercept the request. 6. Change the "UID2=4820038"...
Acronis: DLL Hijacking when performing operations in Acronis Secure Zone partition leading to Privilege Escalation
Vulnerability description not provided...
Mail.ru: Subdomain Takeover
Unused payment.skillfactory.ru subdomain was delegated to webflow.io and not claimed...
Weblate: Reset password cookie leads to account takeover
Hi, there are 3 issues in this report that lead to account takeover. 1. When the user requests a reset password link, the server sends a link to the user via email; when the user clicks the link for the first time it redirects to the Reset password page, but if the user closes the browser or tab and clicks again ...
Acronis: Possible LDAP username and password disclosed on Github
Summary: The file hosted at https://github.com/mlanin/go/blob/3dbd856c3f542c54e512a295ac498c79cd952ed6/.env.testing contains the following information: LDAPDOMAIN=███ LDAPBASEDN=███ LDAPADMINUSER=███████ LDAPADMINPASSWORD=██████ Recommendations: Verify if the credentials are still in use; if so, remove t...
Mail.ru: Account TakeOver at kvartira.city-mobil.ru
kvartira.city-mobil.ru had insufficient protection against SMS code brute force...
Mail.ru: Subdomain Takeover
Unused python-analytics.skillfactory.ru subdomain was delegated to webflow.io and not claimed...
Informatica: ..; bypass leading to tomcat scripts [Unauthenticated]
Hello all, using the `..;` technique I was able to bypass the protection mechanism to access the Tomcat Example Scripts hosted at https://███/. Steps to reproduce: 1. Open all the URLs below in your browser: https://█████████/..;/examples/servlets/servlet/SessionExample | Will lead to Session...
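Why `/..;/` gets past a front-end rule that `/examples/` does not: the front end treats `..;` as an ordinary directory name, while Tomcat treats the `;` as the start of a path parameter (the same mechanism as `;jsessionid=...`), discards it, and only then collapses the `..`. The following added example (not the reporter's tooling or Informatica's configuration) models both canonicalisations side by side and the fix, which is to canonicalise the way the backend does before matching rules. The blocked prefixes are assumptions.

```python
import posixpath

# Assumed front-end deny rules for the Tomcat paths that should never be reachable.
BLOCKED_PREFIXES = ("/examples/", "/manager/", "/host-manager/")


def front_end_allows(path: str) -> bool:
    """Model of a proxy/WAF rule: resolves '.' and '..' but treats ';' as a plain
    character, so the segment '..;' is just a directory named '..;' to it."""
    return not posixpath.normpath(path).startswith(BLOCKED_PREFIXES)


def tomcat_resolve(path: str) -> str:
    """Model of Tomcat's request mapping: within each segment, everything from the
    first ';' is a path parameter and is dropped; '..' is collapsed afterwards."""
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    return posixpath.normpath("/".join(segments))


def front_end_allows_hardened(path: str) -> bool:
    """Fix: match deny rules against the backend's own view of the path."""
    return not tomcat_resolve(path).startswith(BLOCKED_PREFIXES)


def trace(path: str):
    """(front end allows?, hardened front end allows?, what Tomcat would serve)."""
    return front_end_allows(path), front_end_allows_hardened(path), tomcat_resolve(path)


if __name__ == "__main__":
    for p in (
        "/examples/servlets/servlet/SessionExample",
        "/..;/examples/servlets/servlet/SessionExample",
        "/anything/..;/manager/html",
        "/app/index.jsp;jsessionid=abc",
    ):
        print(p, "->", trace(p))
```

The same discrepancy appears with any prefix segment (`/anything/..;/manager/html`), so blocking the literal string `..;` is not enough; the durable fix is either canonicalising like the backend or removing the example and manager applications from the deployment.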
Endless Group: CVE-2020-14179 on https://jira.theendlessweb.com/secure/QueryComponent!Default.jspa leads to information disclosure
Hello theendlessweb team, Summary: The Jira instance on jira.theendlessweb.com is vulnerable to CVE-2020-14179, which allows remote, unauthenticated attackers to view custom field names and custom SLA names via an information disclosure vulnerability (F1029731). Steps To Reproduce: Navigate to...