15267 matches found
Zivver: one delegate can add another delegate and delete other delegates, exposing all confidential inbox messages
Summary: One delegate can add another delegate and delete other delegates, exposing all inbox messages to other delegates; hence all the confidential info can be seen by newly added delegates. Steps To Reproduce: add details for how we can reproduce the issue 1. Login as User1 and add a...
Nextcloud: Recently change email but still login with old email
Hi team, I have found a vulnerability in email verification which can lead to account takeover / authentication bypass. Recently I changed my email [email protected] but can still log in with the old email [email protected] --https://efss.qloud.my/index.php/settings/user Impact Impact If victim's email...
HackerOne: Reflected XSS on www.hackerone.com via Wistia embed code
Summary: The HackerOne marketing site uses Wistia to host and embed videos using html snippets similar to the following: html The issue is that the E-v1.js script is vulnerable to prototype pollution when setting up the logging, via both the url and the document referrer: javascript...
Sony: LFI at http://www.████
The researcher reported that a Sony endpoint was vulnerable to a Local File Inclusion LFI vulnerability via a URL parameter. The researcher was able to leverage this vulnerability to read the contents of sensitive system files such as /etc/passwd and /proc/version...
Revive Adserver: Reflected XSS on /www/delivery/afr.php (bypass of report #775693)
It is possible to bypass the first fix of this XSS by closing the script tag, and then opening a new one. cURL PoC is trivial : curl "https://revive-instance/www/delivery/afr.php?refresh=10000&alert1" The response will be : Advertisement alert1&loc="', 10000000; // -- body margin:0; height:100%;...
Stripo Inc: weak password policy in signup; password leak leads to account takeover
Summary: add summary of the vulnerability I created an account with a weak password. Steps To Reproduce: add details for how we can reproduce the issue 1. I create an account with the weak password qwerty123 2- account creation completes without validation 3- it should have protected users from attack and have a policy...
Mail.ru: Logs at http://login.aa.mail.ru/logs/
Potentially sensitive application data disclosure via log files at aa.mail.ru...
Shopify: Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner
I was playing a bit with the Point Of Sale application and it came to my attention that it is possible to navigate from the Point Of Sale Application up to the Plan & Permission in the admin. I am not sure if this is intentional, but since it leads to potentially take over a shop, I'm reporting i...
U.S. Dept Of Defense: Password Cracking - Weak Password Used to Secure ████ Containing a Plaintext Password
Summary: I was able to crack the password to the ████████ located at ██████, as the pdf was protected with a weak password contained in a common word list. This guide contains steps to set-up the ███████ secure communication application with the unprotected configuration file located at██████████...
GitLab: GraphQL Query leads to sensitive information disclosure
NOTE! Thanks for submitting a report! Please replace all the parenthesized sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary Graphql Query mentioned...
TikTok: Cross-Tenant IDOR ( graphql `AddRulesToPixelEvents` query ) allowing to add, update, and delete rules of any Pixel events on the platform
Due to an Insecure Direct Object Reference IDOR vulnerability, an attacker could have potentially added, deleted, or updated rules for other users' pixel events in the TikTok ads portal. We thank @bubbounty for reporting this to our team and confirming the resolution. This report is one of my...
Automattic: Tab nabbing via window.opener.location (target "_blank")
Summary: When you open a link using target="blank", the page that opens in a new tab gets access to the initial tab and can change its location using the window.opener.location function. Platforms Affected: website Steps To Reproduce for the first target blank: 1. First target "blank" 1. On...
U.S. Dept Of Defense: RXSS Via URI Path - https://██████████/
Hello All, I found RXSS in your OWN website. Steps To Reproduce: Go to this link https://██████/Orders/A%22onerror='alert%60xElkomy%60'testabcd/Login.aspx?ReturnUrl=/Orders Browsers: I tested on Firefox and Google Chrome. Fix:- Filter input on arrival Encode data on output Use appropriate response...
GitHub Security Lab: Java : add MongoDB injection sinks
This bug was reported directly to GitHub Security Lab...
ImpressCMS: SQL injection when configuring a database
Summary: I found a SQL Injection in the Database configuration form of the system install. Steps To Reproduce: - Run command: git clone https://github.com/ImpressCMS/impresscms.git - Stop at the menu item: Database configuration - In the Database name field, insert the following exploit: sql...
QIWI: MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass
Last week, details about 3 CVEs affecting MobileIron MDM product were disclosed. When combined, an attacker can achieve unauthenticated remote code execution with arbitrary Java deserialization vector : - CVE-2020-15505 - Remote Code Execution - CVE-2020-15506 - Authentication Bypass -...
Acronis: Local Privilege Escalation when deleting a file from Quarantine
Vulnerability description not provided...
Stripo Inc: Public and secret api key leaked in JavaScript source
Summary: While surfing the stripo website, I found sensitive data, including an authentication key, written in a publicly accessible JavaScript file. URL Vulnerability https://staging.empleio.stripo.email/main.c1965c58f39a0f4aadc3.js Steps To Reproduce: Open...
HackerOne: Stored Cross-Site Scripting vulnerability in example Custom Digital Agreement
The advanced vetting settings page is vulnerable to a Cross-Site Scripting XSS vulnerability by passing the unsanitized Program Name into a Markdown component, which expects sanitized HTML to be given. This leads to a stored XSS vulnerability that can be exploited by a program member when the...
Logitech: IDOR when creating App on [platform.streamlabs.com/api/v1/store/whitelist] with user_id field
Summary: Hi team, There is an IDOR when applying to platform.streamlabs.com after logging in. If you log in to platform.streamlabs.com and click Create App, you will see the "apply form". If you submit it, you will see the userid parameter in the JSON data of the apply request. api/v1/store/whitelis...
Mail.ru: A spectator can stop the database [mcs.mail.ru]
A user with the spectator role in mcs.mail.ru could request a database stop operation...
Shopify: Self XSS
I have found self XSS in myshopify.com/admin/apps/import-store/ POC 1 - Go to yourstore.myshopify.com 2 - Go to Settings > Apps > Import; it may ask you for your platform, select any one 3 - Upload a CSV file whose file name is the XSS payload " Impact XSS Attack...
Acronis: XSS in https://promo.acronis.com/
Vulnerability description not provided...
X (Formerly Twitter): Bypass Password Authentication to Update the Password
Summary: This additional security measure from twitter provides protection to the victim's account, considering that a victim's session may have been hijacked by a hacker, however, due to this additional layer of security Implemented by twitter the hacker would not be able to change the victim's...
Basecamp: HEY.com email stored XSS
An attacker can bypass the HEY.com HTML sanitizer and inject arbitrary unsafe HTML in emails. To reproduce the bug you have to send raw HTML-formatted email. You can do it e.g. with the Sendmail tool on Linux. Example email: plain From: [email protected] To: [email protected] Subject: HackerOne test...
U.S. Dept Of Defense: SQLi in login form of █████
Summary The following is vulnerable to a sqli, due to a limited char set this is t██████████y to demonstrate and not picked up by sqlmap. POST /██████████.asp HTTP/█████.████ Host: ███████ Description POST /██████.asp HTTP/████.███ Host: █████ Connection: close Content-Length: 45 Cache-Control:...
Concrete CMS: Fetching the update json scheme from concrete5 over HTTP leads to remote code execution
Hi, I noticed that concrete5 fetches the update JSON scheme from www.concrete5.org over HTTP. The fetched json defines the download URL, so we can simply tamper with this JSON in order to make the update URL point to a server controlled by us. Combining this with the possibility to set an arbitra...
Basecamp: DNS Setup allows sending mail on behalf of other customers
Sent on your behalf I knew basecamp themselves had used helpscout for support, so I was curious to see if hey was doing the same. A quick DNS lookup gave me the answer I was looking for: dig hey.com txt ; DiG 9.10.6 hey.com txt ;; global options: +cmd ;; Got answer: ;; -HEADER DiG 9.10.6...
Basecamp: Information Disclosure of Garbage Collection Cycle
Hello, Upon enumerating a subdomain's content I found a directory that discloses the duration of the garbage collection cycles. I think this information should be kept private, because the public should not know how the target application operates or does its garbage...
Shopify: Undocumented `fileCopy` GraphQL API
Impact A malicious staff account with no permissions can copy other stores' file assets to the current store, which they have no access to. Details So the story is as follows: a malicious staff member jackmccracken on storeA.myshopify.com wants to upload a file to the store but could not, due to permissions...
Solana BBP: email spoofing
email spoofing Impact step 1: visit https://www.kitterman.com/spf/getspf3.py step 2: in domain name, type https://github.com/solana-labs/solana-program-library step 3: check the SPF record; it will show "No valid SPF record found" step 4: visit https://emkei.cz/ step 5: type name as...
Agoric: Improper Input Validation allows an attacker to "double spend" or "respend", violating the integrity of the message command history or causing DoS
Summary: Improper Input Validation allows an attacker to "double spend" or "respend", violating the integrity of the message command history or causing DoS Steps To Reproduce: I was curling random integers and found that I could do the following: json "type":"doEval","number":500,"body":"test"...
HackerOne: Hacker can bypass minimum bounty amount restrictions in "invitation preferences" setting via UpdateInvitationPreferencesMutation GraphQL operation
Summary: Hacker can bypass minimum bounty amount restrictions in invitation preferences due to trusted client-side input to UpdateInvitationPreferencesMutation GraphQL operation Description: The new "Bounty Preferences" feature at https://hackerone.com/settings/preferences allows the hacker to se...
Visma Public: Bypassing Business ID/VAT # validation during registration to create accounts with duplicate Business ID/VAT #
The security researcher was able to bypass the Business ID/VAT validation that is required during registration. By doing this he was able to create accounts with duplicate Business ID/VAT...
Mail.ru: Path traversal leads to LFR via [CVE-2019-3394]
Path traversal leads to Local File Read via CVE-2019-3403 in confluence.plazius.ru...
Kaspersky: [Fixed] KIS for macOS is vulnerable to AV bypass due to improper client authorization on XPC service
Note! Thank you for your report. For the purposes of further analysis of the vulnerability that you kindly reported to us, could you please fill in all fields in square brackets. This information will help us to respond to you more quickly and triage your report. Thanks a lot for your assistance...
Brave Software: https://publishers.basicattentiontoken.org/favicon.ico is Vulnerable to CVE-2017-7529
You can verify the vulnerability by executing the attached POC with the command python CVE20177529.py https://publishers.basicattentiontoken.org/favicon.ico. All details are available at https://nvd.nist.gov/vuln/detail/CVE-2017-7529 https://gist.github.com/thehappydinoa/bc3278aea845b4f578362e9363c51115 Please do...
Node.js third-party modules: [json8-merge-patch] Prototype Pollution
I would like to report a Prototype Pollution vulnerability in json8-merge-patch The apply function fails to restrict access to prototypes of objects, allowing for modification of prototype behavior. Module module name: json8-merge-patch version: v1.0.1 npm page:...
Node.js third-party modules: [ts-dot-prop] Prototype Pollution
I would like to report a Prototype Pollution vulnerability in ts-dot-prop. It allows an attacker to inject properties on Object.prototype. Module module name: ts-dot-prop version: 1.4.0 npm page: https://www.npmjs.com/package/ts-dot-prop Module Description TypeScript utility to transform nested...
Shopify: A staff member with no permissions can edit Store Customer Email
Impact A staff member with no permissions can edit a store's Customer email, which they have no access to. This is the email that the store's customers will see when emailing them. Details emailSenderConfigurationUpdate is an undocumented GraphQL API that allows a malicious staff member in a stor...
Acronis: Local Privilege Escalation and Code Execution when restoring files from Quarantine
Vulnerability description not provided...
Agoric: Stored XSS in agoric-sdk - malicious iframes, malicious svg
Summary: add summary of the vulnerability Steps To Reproduce: shell git clone https://github.com/Agoric/agoric-sdk.git cd agoric-sdk yarn config set "strict-ssl" false -g yarn config set "registry" "http://registry.npmjs.org/" -g yarn config set "cafile" "/etc/ssl/cert.pem" -g pipenv shell yarn...
Ruby: Net::SMTP with tls allows forged certificates as long as the hostname matches
I'd like to report a very odd behavior I observed in the Net::SMTP module, part of Ruby's standard library. It seems when performing a TLS connection the code checks the certificate hostname, but not the certificate signature or issuer. This of course makes little sense, as an attacker can create...
Bitwarden: Rate limits too low for email 2FA
NO RATE LIMIT ON 2FA CAN LEAD TO ACCOUNT COMPROMISE! 1. Create an account on vault.bitwarden.com if you don't have one. 2. Set up 2FA via email. 3. Log out and log in again. This time, along with the password, you have to fill in the 2FA code which is sent to the email. 4. Type any random number, intercept the request wit...
GitLab: Able to view hackerone reports attachments
Summary Hi team, I accidentally found this bug. While reading one of hackerone public report https://hackerone.com/reports/446238 about gitlab, I found a link posted by gitlab member which is related to internal tracking of the report. I clicked that link...
Flickr: Stored open redirect in about page
The report helped us identify an HTML parsing bug that resulted in XSS...
Shipt: Api Token Leaked in [shoppers.shipt.com]
A researcher reported an API key stored in source code that was part of a 3rd party knowledge base integration. The Shipt information security team immediately investigated the report and determined that the API key referenced was a legacy token that was no longer being used. While it didn't...
Acronis: XSS on https://partners.acronis.com/
Hello, I found DOM XSS on login page of https://partners.acronis.com/ Open this URL https://partners.acronis.com/en-us/profile/login.html?-back=test123" and search for var back =. Here input is HTML encoded but from that reflected value, element is created and appended to the form. F983552 We can...
CS Money: Internal Path Disclosure
Hello Team, I would like to report an internal path disclosure in a response. I was trying for Stored XSS but had no luck in that process. I observed the responses, and one of them showed a file path with a 500 Internal Server Error. Steps To Reproduce: 1. Go to cs.money and sign in through steam...
Topcoder: SSRF to AWS file read
Summary: after seeing the disclosure it looks like the bug was not fixed properly. Steps To Reproduce: copy the request below and paste it into Burp Suite Repeater GET...