Weblate: Sending an empty CSRF token logs the user out on [https://hosted.weblate.org/accounts/profile]
Hi, there is a CSRF bug on your website that logs the user out of the dashboard. If the user clicks on the attached file CSRF.html, it redirects to another page, shows the following error, and the user is logged out immediately: F1029146. Steps to reproduce: 1. Log in to your account via the login page. 2. Click on...
U.S. Dept Of Defense: Access to Unclassified / FOUO Advanced Motion Platform of █████████.mil
Hey, I have recently found a website in the namespace of the Amazon Web Services cloud for the US government which exposes a classification header of Unclassified / FOUO. Hence, I thought it might be a good idea to report this vulnerability to you. Furthermore, the source code tells us that the...
U.S. Dept Of Defense: Reflected XSS on POST █████
XSS to POST URL = █████████ Good morning, DoD team. I located an XSS on the site. I hope to help the DoD team more and more. Thank you. html Impact: If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, th...
Acronis: Local Privilege Escalation via Backup delete
Vulnerability description not provided...
BlockDev Sp. Z o.o: SQL Injection leads to retrieve the contents of an entire database.
SQL Injection leads to retrieve the contents of an entire database...
Node.js: Potential HTTP Request Smuggling in nodejs
Summary: Potential HTTP request smuggling exists in nodejs. An attacker can use two identical header fields to make a TE-TE HTTP request smuggling attack. Description: nodejs allows the same header field to appear twice in an HTTP request. For example, we can send two Transfer-Encoding header fields, even if one of them is false...
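The ambiguity the report relies on is a request whose body length can be framed two ways. The following is an added example, not code from the Node.js project: a small parser over a raw HTTP/1.1 request head that rejects the ambiguous framings (more than one Transfer-Encoding header, Transfer-Encoding next to Content-Length, conflicting Content-Length values, or a Transfer-Encoding whose final coding is not chunked). Rejecting duplicate Transfer-Encoding outright is stricter than RFC 7230, which would let a list header be merged, but it is the conservative choice for a front-end that forwards requests. The function names and the sample requests are constructed for illustration.

```javascript
// Added example: strict framing check for an HTTP/1.1 request head.
// Not Node.js's http_parser; names and samples are illustrative.

// Split the head into a request line and lower-cased header name/value pairs.
function parseHead(raw) {
  const [headSection] = raw.split("\r\n\r\n");
  const lines = headSection.split("\r\n");
  const headers = [];
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue; // not a header line
    headers.push({
      name: line.slice(0, idx).trim().toLowerCase(),
      value: line.slice(idx + 1).trim(),
    });
  }
  return { requestLine: lines[0], headers };
}

// Returns { ok, problems }: ok is false whenever two parsers could disagree
// about where the body ends.
function checkFraming(raw) {
  const { headers } = parseHead(raw);
  const te = headers.filter((h) => h.name === "transfer-encoding");
  const cl = headers.filter((h) => h.name === "content-length");
  const problems = [];

  if (te.length > 1) problems.push("duplicate Transfer-Encoding");
  if (te.length > 0 && cl.length > 0) problems.push("Transfer-Encoding with Content-Length");
  if (cl.length > 1 && new Set(cl.map((h) => h.value)).size > 1) {
    problems.push("conflicting Content-Length values");
  }
  for (const h of te) {
    // "chunked" must be the last coding applied; anything else (or an
    // unknown coding such as "xchunked") means a downstream parser may
    // fall back to Content-Length or read to connection close.
    const codings = h.value.split(",").map((s) => s.trim().toLowerCase());
    if (codings[codings.length - 1] !== "chunked") {
      problems.push("chunked is not the final transfer coding: " + h.value);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample requests.
const CLEAN =
  "POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n";
const DOUBLE_TE =
  "POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n";
const TE_AND_CL =
  "POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n";
```

A reverse proxy or server that applies this check and closes the connection on `ok === false` never has to agree with the next hop about which header wins.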
TikTok: CORS bypass on TikTok Ads Endpoint
An endpoint used by the TikTok Ads portal was vulnerable to CORS bypass therefore potentially allowing an attacker to access information about tickets opened if the user were to click on a malicious link. We thank @sniper302 for reporting this to our team and confirming the resolution!...
Nord Security: Possible RCE through Windows Custom Protocol on Windows client
Summary: The NordVPN Windows client application registered two custom protocols, NordVPN: and NordVPN.Notification:, for process communication. This makes us able to communicate with NordVPN.exe from a web browser. After looking at the executable binary, I noticed the class...
Node.js third-party modules: [@firebase/util] Prototype pollution
Module module name: @firebase/util version: 0.3.2 npm page: https://www.npmjs.com/package/@firebase/util Module Description NOTE: This is specifically tailored for Firebase JS SDK usage, if you are not a member of the Firebase team, please avoid using this package This is a wrapper of some...
Kubernetes: Unsecured Grafana instance on https://monitoring.prow-canary.k8s.io/dashboards
Hi, I was looking at https://monitoring.prow-canary.k8s.io Grafana webapp. I'm not sure if it is for demo purposes, but I can access the main dashboard and view all graphs. https://monitoring.prow-canary.k8s.io/dashboards If indeed it is for demo purposes, please let me close the report myself...
CS Money: ReDoS at wiki.cs.money graphQL endpoint (AND probably a kind of command injection)
Summary: The endpoint /graphql has a vulnerable query operation named "search", to which I can send a malformed regex parameter in order to turn the original regular expression into a regex bomb expression. + Payload with a "common" search, querying the value "AAA": query a searchq: "AAA", lang: "en"...
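What makes a search parameter a ReDoS vector is that it reaches `new RegExp` without escaping, so the client picks the pattern rather than the text. The following is an added example, not cs.money's resolver: a resolver that compiles the query verbatim beside one that escapes regex metacharacters and caps the query length, run over a constructed corpus. The hostile pattern is shown but deliberately not executed against a long input; the names and data are illustrative.

```javascript
// Added example: user-controlled search term compiled into a RegExp, the
// vulnerable way and the literal-match way. Not the vendor's code.

// Constructed corpus standing in for wiki entries.
const DOCS = ["Dragon Lore AWP", "AAA skin", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!"];
const MAX_QUERY_LENGTH = 64; // assumption: a sane upper bound for a search box

// Vulnerable: the whole pattern is attacker-chosen. A query such as
// "(a+)+$" backtracks exponentially against a long run of 'a' that is not
// followed by end-of-string (the third DOCS entry), pinning the event loop.
function searchUnsafe(q) {
  const re = new RegExp(q, "i");
  return DOCS.filter((d) => re.test(d));
}

// Escape every metacharacter so the term only ever matches itself.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened: bounded length and a literal (escaped) pattern. Throws on an
// over-long query so the caller returns a 4xx instead of doing work.
function searchSafe(q) {
  if (typeof q !== "string" || q.length > MAX_QUERY_LENGTH) {
    throw new RangeError("query too long");
  }
  const re = new RegExp(escapeRegExp(q), "i");
  return DOCS.filter((d) => re.test(d));
}

// The report's class of payload, kept as data only.
const REGEX_BOMB = "(a+)+$";

// Convenience: does a query survive the safe path as a literal string?
function safeMatchCount(q) {
  return searchSafe(q).length;
}
```

`searchUnsafe("A.A")` returns two documents because the dot is a wildcard; `searchSafe("A.A")` returns none because the dot is escaped and no entry contains the literal text. The bomb string `(a+)+$` through `searchSafe` is simply a term that matches nothing, which is the whole point.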
Mail.ru: Reflected XSS on https://e.mail.ru/compose/ via Body parameter
Reflected XSS in e.mail.ru via GET parameter for mailto handler...
HackerOne: Getting New Invitations without Leaving Programs
Hello there, I hope all is well! Description: When you leave a private program, you get a chance to get a new invitation. But using this vulnerability, I can get new invitations without leaving private programs. Steps: 1. Go to any private bug bounty program. 2. Click the Leave Program button. 3. Cli...
Acronis: Ticket Trick at https://account.acronis.com
Summary: Hello dear team, I found a serious issue in Acronis. This vulnerability is called the ticket trick vulnerability, which comes under the critical category. It can allow me to log in on websites like Atlassian, GitHub, Cloudflare, Choopa, etc. on behalf of [email protected]. Steps To Reprodu...
Mail.ru: mrgs.my.games account takeover
A chain of different bugs and misconfigurations (invalid handling of array-like names in cookies, stored sessions with NULL ids) allowed logging in to mrgs.my.games with a few different accounts...
TikTok: User Able to Reopen a Ticket by Modifying the Request
Improper access control was reported on the TikTok ads portal. This issue has been resolved. We thank @gnux for reporting this vulnerability to our team and confirming the resolution...
U.S. Dept Of Defense: {███} It is possible to download all information and files via S3 bucket misconfiguration
Summary: Hi team! I've found a misconfigured S3 bucket: Bucket Name = ██████████ I found this vulnerability after digging deep into the JS files: ████████ Description: Apparently trying to enter the docs folder is impossible, since it is protected or disabled so that anyone can access the...
TikTok: CSRF for deleting videos
A CSRF Cross Site Request Forgery vulnerability was reported on TikTok which could potentially be used by an attacker to delete other users' public videos if the user were to click a malicious link. This issue has since been resolved. We thank @luizviana for reporting this to our team and...
U.S. Dept Of Defense: POST based RXSS on https://███████/ via ███ parameter
Good night, DoD team. Summary: I have discovered that on the following domain https://██████████/███████ there is a POST-based reflected XSS vulnerability which I can trigger with CSRF and clickjacking due to unsanitized input inside the ███ parameter ██████████ Description: The vulnerable path is:...
U.S. Dept Of Defense: https://████ is vulnerable to CVE-2020-3452
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The...
Acronis: Get IP and geolocation of any user via clickjacking with Inspectlet technology
Summary: Get IP and geolocation of any user via clickjacking with Inspectlet technology https://geoapi.acronis.com/?q=admin/views/ajax/autocomplete/user/a Steps To Reproduce: 1. Go to F1015419. 2. You will see your geo data, e.g. "city":"Abu...
Enjin: Authentication token and CSRF token bypass
@whiteshadow201 was able to illustrate a vulnerability, due to an overzealous set of CORS rules, where they could execute certain functions on behalf of another user. This was made possible due to a separate vulnerability, a CSRF bypass, that was possible by using the GET method to query the...
Nextcloud: XSS through image upload of contacts using svg file with png extension
Hello again, this is a bypass of 89487: basically use the same payload file but change the extension to PNG. Impact: XSS or open redirect when viewing the image of a contact...
Elastic: Prototype Pollution leads to XSS on https://blog.swiftype.com/#__proto__[asd]=alert(document.domain)
Summary: The deparam function which parses location.hash in https://s.swiftypecdn.com/install/v2/st.js is vulnerable to prototype pollution. There is a script gadget in the same JS file which leads to XSS. Steps To Reproduce: Visit. Refresh if you don't see a pop-up...
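The bug class here is a query/hash parser that walks bracket keys (`a[b][c]=v`) into nested objects and lets `__proto__` be one of the segments. The following is an added example, not the st.js code: a deparam-style parser written the polluting way beside a hardened one, plus a probe that checks whether parsing a hostile hash left a property on a fresh, unrelated object. Function names and the hostile hash are constructed for illustration (the hash mirrors the shape in the report title).

```javascript
// Added example: prototype pollution through a bracket-key hash parser,
// naive vs hardened. Not Swiftype's deparam; names are illustrative.

// "a[b][c]" -> ["a", "b", "c"]; keys without brackets map to themselves.
function splitKey(key) {
  const m = key.match(/^([^\[]+)((?:\[[^\]]*\])*)$/);
  if (!m) return [key];
  const parts = [m[1]];
  const re = /\[([^\]]*)\]/g;
  let sub;
  while ((sub = re.exec(m[2])) !== null) parts.push(sub[1]);
  return parts;
}

// "k=v" -> [k, v], decoding each side; value may contain '='.
function splitPair(pair) {
  const eq = pair.indexOf("=");
  const k = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
  const v = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
  return [k, v];
}

// Naive: creates or descends into cur[segment] for each segment. With the
// key "__proto__[asd]", cur["__proto__"] resolves to Object.prototype, so the
// final write lands on every object in the page.
function deparamNaive(hash) {
  const out = {};
  for (const pair of hash.replace(/^#/, "").split("&")) {
    if (!pair) continue;
    const [k, v] = splitPair(pair);
    const path = splitKey(k);
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (cur[path[i]] === undefined) cur[path[i]] = {};
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = v;
  }
  return out;
}

const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: null-prototype containers (nothing to pollute), forbidden
// segments dropped, and only own properties are descended into.
function deparamSafe(hash) {
  const out = Object.create(null);
  for (const pair of hash.replace(/^#/, "").split("&")) {
    if (!pair) continue;
    const [k, v] = splitPair(pair);
    const path = splitKey(k);
    if (path.some((p) => FORBIDDEN.has(p))) continue;
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(cur, path[i]);
      if (!own || typeof cur[path[i]] !== "object") cur[path[i]] = Object.create(null);
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = v;
  }
  return out;
}

// Probe: after parsing, does a brand-new object see `probe`? Cleans up the
// global prototype afterwards so the rest of the process is unaffected.
function pollutes(parser, hash, probe) {
  parser(hash);
  const leaked = ({})[probe] !== undefined;
  delete Object.prototype[probe];
  return leaked;
}

const HOSTILE = "#__proto__[asd]=polluted"; // constructed, same shape as the report
```

`pollutes(deparamNaive, HOSTILE, "asd")` is true: after the naive parse, `({}).asd` reads "polluted" on an object that never set it, which is exactly the state a script gadget elsewhere in the same file can pick up. The same call with `deparamSafe` is false, and ordinary keys such as `q[term]=abc` still parse.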
BugPoC: LFI from bypassing image parser and faking HEAD response with redirection
Summary: By a specially crafted request, a fake python3 HTTP server and exploit.py we can read any files from the server. Supporting Material/References: Bugpoc id: bp-HdMxEwwr bp-HdMxEwwr Bugpoc pass:...
Lark Technologies: In-organization stored XSS using location (Larksuite survey app)
A stored XSS cross-site scripting vulnerability was found in Larksuite survey app using the "site" parameter. We thank imrannisar for reporting this vulnerability and confirming its resolution...
U.S. Dept Of Defense: External Service Interaction | https://█████████.mil
Description: I am able to trick web server ███████.mil into making DNS and HTTP requests to my vps server and burp collaborator. Walkthrough Section: 1. Create an account using the registration form https://████████.mil/█████/accounts/register/ ███████ 2. Provide the required information to creat...
BugPoC: Finally , CTF is Solved
Summary: Hey Ryan, thanks for your hints. I was finally able to get the /etc/passwd file. Here's my bugpoc id and password. ID - ████ Pass - ██████████ File:-...
Open-Xchange: SSRF - Unchecked Snippet IDs for distributed files
ManagedFile ManagedFiles are basically just temporary files with some ID used for various purposes. When a managed file is created, it is registered in the local file map, which is just an internal map from StringUUID to ManagedFile, and optionally also in the distributed file map, which is a...
TikTok: CSRF To Add New App In Developer Account And Bypassing Json Format
The researcher found a CSRF issue allowing a malicious user to add arbitrary applications to a developer's account...
TikTok: Bypass "Industry Documents" Validation
The researcher found that the attacker can bypass the review process and mark the document as "approved" when a user adds Industry Documents. The attacker bypasses only the qualification status on the frontend; the form status is still under review, and it will be reviewed by an employee...
U.S. Dept Of Defense: XML Injection on https://www.█████████ (███ parameter)
Greetings, I found an XML injection on https://www.███. This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response. Here is the complete link: https://www.███/███████ Payload: ███████= Result: ███ Best regards, frenchvlad. Impact: gaini...
U.S. Dept Of Defense: External Service Interaction (HTTP/DNS) on https://www.███ (██████████ parameter)
Greetings, I've found an external service interaction (HTTP/DNS) on https://www.███████. External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to trigger arbitrary external service...
Shopify: your-store.myshopify.com preview link is leaked on a third-party website, leading to preview of all actions from the store owner without the store password.
Hi Security Team, Description: It has been identified that the application is leaking the link to third-party sites. In this case it was found that the link is being leaked to third-party sites, which is an issue knowing the fact that it can allow any malicious user to use the link to catch/preview all...
CS Money: Content Spoofing/Text Injection in https://support.cs.money and JS file not minified and uglified, which makes it clearly readable
Issue 1: Greetings, hello team, I have found a Content Spoofing/Text Injection on this domain https://support.cs.money. Using the below link the attacker can trick any genuine user into going to the attacker's phishing site. The attacker could craft the URL by providing discounts which will tempt the...
TikTok: Lack of session expiration after password reset on TikTok Careers Portal
A lack of session expiration following a password reset on the TikTok Careers Portal does not automatically log out a user on another device/browser. We thank @gnux for reporting this to our team and confirming the resolution...
Nextcloud: No rate limiting for confirmation email leads to huge mass mailings
Issue Description: No rate limit means there is no mechanism to protect against the requests you make in a short frame of time. If the repetition doesn't give any error after 50, 100, 1000 repetitions then there is no rate limit set. Vulnerable: has been registered in 297359 774050 922470 URL Effect...
Mail.ru: Disclosure of the account email by phone number on [corporate.city-mobil.ru]
It was possible to obtain e-mail of the user registered in corporate.city-mobil.ru by phone number...
Mail.ru: Subdomain takeover http://promo.instamart.ru/
Unused promo.instamart.ru subdomain was delegated to wix.com and not claimed...
BugPoC: LFI to steal /etc/passwd - Bypass filter in the <meta property="og:image"> tag via redirect and much more
Hey Team, good & simple challenge. Wasn't able to find time to attempt this initially but was able to go about it today. The explanation of the bug with the POC is hosted on bugpoc.com. Here is the id & password as requested - BugPoC ID : bp-wHwB2qAF - Password : dARKlYbAnana89 POC Screenshot using...
Acronis: Local Privilege Escalation using System Clean-up functionality
Vulnerability description not provided...
RBKmoney: Apple Pay cryptogram replay and amount tampering
During Apple Pay in-app or on-site payments the device generates a payment cryptogram, which contains a transaction ID, encrypted payment data, etc. This is an example of the cryptogram which the phone passes to the internet acquiring service on api.transferwise.com: "token": "paymentData":...
U.S. Dept Of Defense: POST based RXSS on https://█████ via frm_email parameter
Good afternoon, DoD team. Summary: I have discovered that on the following domain https://███████ there is a POST-based reflected XSS vulnerability which I can trigger with CSRF and clickjacking due to unsanitized input inside the frmemail parameter. Description: The vulnerable path is: https://███ CS...
Stripo Inc: Stored XSS at "Conditions " through "My Custom Rule" Field at [https://my.stripo.email/cabinet/#/template-editor/] in Template Editor.
Summary: Hi Team, there is a "Stored XSS" in "Conditions". When creating "My Custom Rule", you have to provide a name, whereas the "My Custom Rule" field does not properly sanitize the input provided by the user, leading to stored XSS. Other fields are properly sanitizing the input. See the video Pock...
Mail.ru: Cross-site Scripting (XSS) - DOM on https://account.mail.ru/user/garage?back_url=https://mail.ru
Reflected XSS in account.mail.ru via backurl parameter...
U.S. Dept Of Defense: SSRF in login page using fetch API exposes victim's IP address to attacker-controlled server
Note: This is similar to my last report 991163. Summary: Server Side Request Forgery exposes the victim's IP address to an external server, which made it possible for the attacker to determine the physical location of the victim with IP tracing. Description: Server Side Request Forgery is the critical vulnerability...
Mail.ru: Reflected XSS & Open Redirect at mcs main domain
Reflected XSS in mcs.mail.ru via GET parameter backurl...
Moneybird: Stored XSS on add project
The researcher found a way to store a snippet that was served to him and/or other users of his administration. Subsequently the snippet was executed by his browser, making it a viable XSS vulnerability...
Figma: Race condition while removing the love react in community files.
The researcher found that the server-side code for handling the "unlike" function for community pages was vulnerable to a race condition. While logically one person is only allowed to remove the one like they had, a hundred requests at the same time could allow one person to do a hundred unlikes...
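The race described above is a check-then-act handler: the server confirms the like exists, yields while it talks to the database, and only then removes it and decrements the counter, so a burst of concurrent requests all pass the check on the same stale state. The following is an added example, not Figma's code: an in-memory "unlike" handler written that way beside one whose test and removal are a single atomic step, driven by 100 concurrent requests from one user. The store, the handler names and the simulated round-trip are constructed for illustration.

```javascript
// Added example: check-then-act race on "unlike", vulnerable vs atomic.
// Not the vendor's code; names and the in-memory store are illustrative.

// One community file with a single like from "alice".
function makeStore() {
  return { likeCount: 1, likedBy: new Set(["alice"]) };
}

// Stands in for a database round-trip. Every request that reaches this
// await suspends here, and the others run their own check against the same
// unchanged state before anyone gets to act.
const tick = () => new Promise((resolve) => setTimeout(resolve, 0));

// Vulnerable: check, yield, act. All 100 callers see likedBy containing
// "alice", then each one decrements.
async function unlikeRacy(store, user) {
  if (!store.likedBy.has(user)) return false; // check
  await tick();                                 // window for interleaving
  store.likedBy.delete(user);                   // act
  store.likeCount -= 1;
  return true;
}

// Atomic: Set.prototype.delete both tests and removes in one synchronous
// step and reports whether the entry existed, so only one caller wins. In a
// real database this is a conditional DELETE (WHERE user=? AND file=?) with
// the decrement applied only when exactly one row was removed.
async function unlikeAtomic(store, user) {
  const removed = store.likedBy.delete(user);
  if (!removed) return false;
  await tick();
  store.likeCount -= 1;
  return true;
}

// Fire n concurrent requests from the same user and report the outcome.
async function hammer(handler, n = 100) {
  const store = makeStore();
  const results = await Promise.all(
    Array.from({ length: n }, () => handler(store, "alice")),
  );
  return {
    likeCount: store.likeCount,
    succeeded: results.filter(Boolean).length,
  };
}
```

`hammer(unlikeRacy)` ends with `likeCount` at -99 and all 100 requests reporting success; `hammer(unlikeAtomic)` ends at 0 with exactly one success, which is the invariant the server should enforce rather than the client.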
U.S. Dept Of Defense: Insufficient Session Expiration on Adobe Connect | https://█████████
Description: Due to lack of password protection and Insufficient Session Expiration I am able to brute force Adobe Connect meeting rooms. Many of the meeting rooms have chat history and files uploaded. Some of the chat history and files contains personal identifiable information. Walkthrough...