Reddit: Image queue default key of 'None' and GraphQL unhandled type exception
Summary: I started testing for unrestricted file uploads and quickly discovered a way to upload a corrupted file into Reddit. I was able to bypass the MIME type of uploaded files first by uploading a normal PNG file to Reddit, intercepting the request with burp, and changing the content type from...
HackerOne: Blind Stored XSS in HackerOne's Sal 4.1.4.2149 (sal.████.com)
The page located at https://sal.██████.com/list/Activity/hour/all/0/ suffers from a Cross-site Scripting XSS vulnerability when a user has set their hostname on their machine to an XSS payload. Vulnerable Page https://sal.██████.com/list/Activity/hour/all/0/ Victim IP Address ███████ Referer...
CS Money: Manipulate Uneditable Messages in Support
Summary: Hello, The support section has a validation on all the posted messages where it doesn't allow you to edit your messages after some minutes from posting them. I was able to bypass this protection and edit successfully the previous messages that can't be edited. After further investigation...
Glassdoor: Reflected XSS at https://www.glassdoor.com/Interview/Accenturme-Interview-Questions-E9931.htm via filter.jobTitleFTS parameter
The endpoint https://www.glassdoor.com/Interview/Accenturme-Interview-Questions-E9931.htm is vulnerable to reflected XSS. Affected Parameter: filter.jobTitleFTS Browsers tested: Chrome, Firefox Payload:...
Kubernetes: csi-snapshot-controller crashes when processing VolumeSnapshot with non-existing PVC
Report Submission Form Summary: csi-snapshot-controller crashes when processing VolumeSnapshot with non-existing PVC Kubernetes Version: 1.19 Component Version: snapshot-controller from external-snapshotter repo ver 3.0.0 https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v3.0.0...
U.S. Dept Of Defense: param allows any external resource to be downloadable | https://████████
Description: The following param allows an attacker to trick people into downloading malicious files, scripts and other payloads. https://██████████?url=https:// PoC 1. I will show you how the page looks normally without any changes. If you directly access https://███ you will be shown the...
Open-Xchange: XSS - Notes - Attribute injection through overlapping tags
The Notes app uses a simple markup language to format the content, which is later converted to HTML for display. JavaScript (frontend/ui/apps/io.ox/notes/parser.js): parsePlainText: function (text) { var lines = .escape(text).split(/\n/), openList; ... var html = lines.join('').replace(/!\.?/g, '')...
U.S. Dept Of Defense: (CORS) Cross-origin resource sharing misconfiguration on https://█████████
Step-by-step Reproduction : Send this request: GET /██████████ HTTP/1.1 Host: █████ Accept: / Accept-Language: en User-Agent: Mozilla/5.0 compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0 Connection: close █████████ Origin: http://attacker.com Receive : HTTP/1.1 200 OK Cache-Control:...
U.S. Dept Of Defense: [SQLI] Time Based Injection at ██████████ via referer header
Hi, the ████ was vulnerable to time based injection via referer header. Steps: 1- copy the request to your burp suite : GET /DNCdb.php?alert= HTTP/1.1 Host: ███████ User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:81.0 Gecko/20100101 Firefox/81.0 Accept:...
Mail.ru: [delivery.city-mobil.ru] Stored XSS into support request comment
Stored XSS in support request comment functionality on delivery.city-mobil.ru Citymobil corporate user could use delivery.city-mobil.ru API for submitting data. It led to bypass input-encoding filters of corporate.city-mobil.ru and stored XSS appeared at corporate.city-mobil.ru...
Informatica: Jira information disclosure
The ticket raising system used by Informatica suffers from an informational vulnerability wherein an attacker can view certain details about open bugs or project information of Informatica. Details include names and potentially ticket names, which unauthorized personnel can view without...
Shopify: authenticity token not verified leads to change business name
Hello security team, while signing up I noticed that the authenticity token is not verified, which leads to changing info like business name. Steps to reproduce 1- visit this url https://www.shopify.com/partners and add your mail then click on join now 2- Then fill out your data and click on create new partn...
Stripo Inc: Race condition on my.stripo.email at /cabinet/stripeapi/v1/projects/298427/emails/folders uri
Summary: Hi! I hope you all are pretty good = We have discovered a race condition endpoint Steps To Reproduce: POST /cabinet/stripeapi/v1/projects/298427/emails/folders HTTP/1.1 Host: my.stripo.email Connection: close Content-Length: 23 Accept: application/json, text/plain, / Pragma: no-cache...
Booking.com: Subdomain takeover of ci-support.booking.com (pointing to Zendesk)
Description Host ci-support.booking.com has a CNAME record pointing to ci-support.zendesk.com. Before I created my proof of concept see below, that Zendesk subdomain ci-support was unclaimed, as was the custom hostname ci-support.booking.com on Zendesk. As a result, an attacker could create a...
Node.js third-party modules: [zenn-cli] Path traversal on Windows allows the attacker to read arbitrary .md files
Summary I would like to report path traversal in zenn-cli. It allows the attacker to read arbitrary .md files. Module module name: zenn-cli version: 0.1.39 npm page: https://www.npmjs.com/package/zenn-cli Module Description Manage Zenn content locally 👩💻 Module Stats 885 weekly downloads...
CS Money: Improper authentication in the load sell inventory page
Summary: Hello team, I found an endpoint response all data relate to sell mode inventory that doesn't have improper authentication in the link: https://cs.money/loadsellmodeinventory Steps To Reproduce: add details for how we can reproduce the issue 1. Open directly the link:...
PlayStation: Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application
Report Summary ---- Unrestricted access to the quiesce function via a PUT request to https://dss.api.playstation.com/api/application/state makes the application unreachable for an uncertain amount of time. Steps To Reproduce ---- Reproduction method 1 + Burp Suite is the program required for the...
CS Money: Sending emails with arbitrary text/clickable links to any registered user with a specified email address, knowing only the steamid
Using a third-party service GetResponse used on the project and the 2FA deactivation functionality combined, a hacker found a way to send arbitrary text to any user, knowing only the victim's SteamID. The vulnerability relied on: 1. Invalid cookie management in request; 1. No additional validatio...
Brave Software: Universal XSS through FIDO U2F register from subframe
A vulnerability was discovered in Brave's FIDO U2F implementation that allowed cross-domain subframe to inject any JavaScript code to the top frame through fake U2F registration process, resulting in Universal XSS. The vulnerability affected Brave iOS Version 1.20 20.09.11.20 and current Nightly...
CS Money: Application DOS via specially crafted payload on 3d.cs.money
Summary: Hello Team, While testing it was observed that on 3d.cs.money a DOS is possible via specially crafted request using only single request from single machine on search bar. Though I am aware of the Out of Scope policy "Any activity that could lead to the disruption of our service DoS", thi...
Open-Xchange: XSS - Search - Unescaped contact job
The function responsible for formatting the contact's job company and position doesn't escape its value, which allows injecting arbitrary HTML content. JavaScript (master/ui/apps/io.ox/contacts/common-extensions.js, develop/ui/apps/io.ox/contacts/listview.js): bright: function (baton) { var text =...
CS Money: Server-side denial of service via large payload sent to wiki.cs.money/graphql
Summary: By sending a large payload to wiki.cs.money, a malicious actor can cause a partial or full denial of service to other users using the graphql part of wiki.cs.money Steps To Reproduce: - Setup burpsuite as a proxy - Go to burpsuite - Proxy - Options - Match & Replace - Click add - ITEM =...
U.S. Dept Of Defense: Improper Access Control - Generic on https://████
Greetings, I found on one of your sub-domains some tickets that are not supposed to be readable by everyone, we even have the possibility to delete the tickets. Link : https://███/█████/latest https://█████/███████/all https://█████/███████ DELETE HEADER METHOD Best regards, frenchvlad Impact a...
Mail.ru: Stored XSS through fileupload
Stored XSS in view uploaded file functionality on static.donationalerts.ru...
Mail.ru: Unprotected Zeppelin instance
Apache Zeppelin notebook at http://zp.premras2.m.smailru.net was made externally available due to coincidence of multiple misconfigurations...
Zivver: Two-factor authentication can be disabled when logged in without 2fa or password confirmation
When a user performed sensitive actions on an account, he/she didn't have to provide his/her password after some inactivity. This issue is now addressed and to perform actions related to account security, the user has to provide his/her password before continuing...
Rocket.Chat: Improper Access Control - Generic
Vulnerability description not provided...
Mail.ru: Brute Force due to Weak security credentials lead access to LICENSE SYSTEM Web Server on [l.ucs.ru]
Login functionality on l.ucs.ru was not sufficiently protected against bruteforce...
Showmax: xml-rpc file open for public in the domain:https://stories.showmax.com/xmlrpc.php
After the report we reevaluated the need for having xmlrpc.php Wordpress file available publicly on our https://stories.showmax.com domain, and removed it...
U.S. Dept Of Defense: hardcoded password stored in javascript of https://████.mil
Summary: I have discovered a cleartext password stored within a javascript. This password allows me to authenticate to https://█████.mil. Description: I have discovered a cleartext password stored within a javascript. This password allows me to authenticate to https://███████.mil. To confirm...
U.S. Dept Of Defense: 403 Forbidden Bypass at www.██████.mil
Hi team, I managed to bypass 403 forbidden pages in www.████████.mil. Reproduce 1 Click https://www.████████.mil/███████ Example Forbidden page. If you click you will be redirected to the 403 "forbidden" page. 2 But you can bypass this. 3 type this command: curl -H "Content-Length:0" -X POST...
Brave Software: HTML injection in title of reader view
HTML injection was possible in the title of the reader view in Brave iOS version 1.20 and current Nightly. This allowed any page to inject malicious HTML code in the reader-mode page through html code you want to inject. This vulnerability could be exploited to steal user's sensitive information...
CS Money: IDOR in https://3d.cs.money/
Summary: Hello, I found an IDOR in https://3d.cs.money/ which will allow you to save, edit, delete build of victim account without any grant on the victim account Steps To Reproduce: This bug based on steamID which is reflected on Steam or you can use any Steam ID Finder software to find...
CS Money: Bypass Filter on link of build
Summary: Hello team, I found that a valid build will have a link with the following format https://3d.cs.money/item/0UkWN8vh2R If you save a build with /api/build/save. It will return a link to sync with your save builds The bug occurs when web app sync, you can custom the link of build with...
Mail.ru: A user with the Manager role can obtain the employee list of all cost centers and delete users of all cost centers
https://corporate.city-mobil.ru/ user with cost center manager role could view and delete users of different cost centers...
Zomato: Improper Validation at Partners Login
Timeline: Thu, 24 Sep 2020, 12:10 IST: Researcher submitted the report on H1 with initial severity as High. Thu, 24 Sep 2020, 12:32 IST: First response - we asked for clarification via demonstration on attack scenarios. Parallelly, we began our own...
Open-Xchange: A malicious user can upload a malicious script through managesieve and trigger its execution in order to consume almost 100% of CPU (LMTP).
Summary A malicious user can create a malicious sieve script attached as "test.sieve", upload it to the server through managesieve and set as active. Then the user can send several specially crafted messages to himself to trigger long script execution. The attacker has to send one message per...
CS Money: Bypass restrict of member subscription to use custom background in https://3d.cs.money without prime subscription
Summary: In website https://3d.cs.money you need to subscribe prime to have a custom background for skin F999661 But with this vulnerability, we can use custom background without any fee required Steps To Reproduce: add details for how we can reproduce the issue - Grab a build of skin - Save it...
LY Corporation: Path traversal in a Tomcat server
A path traversal vulnerability was discovered in a Tomcat server, which allowed an attacker to access internal resources such as the administrator page. The vulnerability was caused by a misconfiguration between the reverse proxy and the WAS, and occurred when the attacker entered the string "..;...
U.S. Dept Of Defense: Sensitive data exposure via https://████████.mil/secure/QueryComponent!Default.jspa - CVE-2020-14179
Summary: Information Disclosure vulnerability in outdated Jira. Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the...
LY Corporation: Webview in LINE client for iOS will render application/octet-stream files as HTML
Due to misconfiguration in the webview of the LINE client for iOS, data with the "Content-type" header set to "application/octet-stream" was treated as HTML. This could lead to malicious JavaScript execution, resulting in a Cross-site scripting attack...
Basecamp: stored XSS in hey.com message content
Hi, I found a stored XSS using the messagecontent parameter when forwarding an email or saving it as a draft, and when the victim clicks on the email to view it, it gets executed. I used this payload as the message content: From: "f" To: [email protected] Message-ID: Subject:...
Azbuka Vkusa: Reflected XSS in photogallery component on [https://market.av.ru]
Closed...
Node.js: Node.js: use-after-free in TLSWrap
Node.js: use-after-free in TLSWrap Node v14.11.0 Current is vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method...
U.S. Dept Of Defense: CSRF to account takeover in https://███████.mil/
Summary: Hello Description: Impact Step-by-step Reproduction Instructions 1. Go to https://███.mil/ and login using your credentials 2. Now Click on change password 3. First turn the intercept of burp to on and enter your secondary email id and password and click on register password...
Zivver: Bypass MFA requirement to send messages
This report correctly discloses a trick by which messages can be sent in spite of apparent MFA requirement. However, the MFA notice was actually intended to be a dismissible alert -- due to some confusion within user story and development process, the client-side 'requirement' was implemented. We...
VK.com: Sending arbitrary API requests with the rights of any iframe/miniapp installed by the user
CSRF and brute-forcing of the fastXDM key to send API requests from an opened installed application...
U.S. Dept Of Defense: https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD
Hi team, while testing I found a host IP https://█████████ which belongs to DoD ██████████.mil, running the web services interface of Cisco ASA/FTD, and it is vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. An attacker could exploit this vulnerability by sending ...
Solana BBP: Public and secret api key leaked via Solana BBP github repo
Summary: Most often developers, for their ease of use, leave API keys and some sensitive keys and tokens as hardcoded strings, which isn't really a good idea as it can result in leaks of sensitive information getting into the wrong hands, which indeed can result in data theft and tampering with how the...
LY Corporation: Debugging panel exposure
Vulnerability description not provided...