GitLab: Adding everyone to the repo due to the lack of a rate limit
Summary: Since there is no rate limit in the inviting-users-to-the-repository section, it is possible to add all users on GitLab to a repository. Steps to reproduce: Step-by-step guide to reproduce the issue, including: 1. Create a repository 2. Go to the project members section 3. Choose a random...
Logitech: GET-based open redirect on [streamlabs.com/content-hub/streamlabs-obs/search?query=]
Summary: Description: In the following link, the parameter query is reflected in multiple places; one of them is in the tag in the head section of the HTML source (the reflection is in the content attribute, to be precise). Check the image below: F983200. And I was able to break out of the content...
A.S. Watson Group : Full account takeover of any user through GET /checkout/psp/auth_response?
Hi team, hope you are good. I have found an issue using which an attacker can take over the account of any victim user. Vulnerable request: GET...
Open-Xchange: A specially crafted message sent to the local delivery agent (LMTP) causes the LMTP child process to issue a panic (call i_panic)
Summary: Sending a message to the local delivery agent with a number of MIME parts greater than the Dovecot core threshold of MIME parts results in i_panic. In the case of the LMTP server, it causes the child to abort the connection. I believe that this can be quite problematic if such a message lands in th...
U.S. Dept Of Defense: Unauthenticated Arbitrary File Deletion ("CVE-2020-3187") in ████████
Description: A vulnerability in the interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files. Vulnerable...
HackerOne: Team object in GraphQL disclosed private_comment
Summary: Hi Team, some private part of GraphQL, I think, reveals to us... Steps To Reproduce: Without authorization 1. https://hackerone.com/graphql POST: "query":"query { node(id: \"gid://hackerone/SurveyRatingItem/█████\") ... on...
Shopify: XSS triggered in "myshopify.com/admin/product"
I tried to make a product description and add the XSS script in the paragraph. Steps for reproduction: 1. Create a new product 2. Enter XSS in the product description paragraph, such as: nameproduct Impact: XSS can be triggered...
Shopify: Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog
Hello, run requests in a loop with X-Forwarded-Host: yourhackerzsite.com. After some time you will notice yourhackerzsite.com in the response: F981839. Now remove X-Forwarded-Host; our URL will still be there: F981841. I've logged into my VPS to verify this bug and downloaded the poisoned page...
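The report above describes the classic shape of web-cache poisoning: the origin builds absolute URLs from the X-Forwarded-Host header, and the shared cache in front of it does not include that header in its cache key, so one attacker request is served to everyone. The following is an added example, not code from Shopify or from the report; the origin, cache, hostnames and canonical setting are assumptions made for the illustration, and it shows both the origin-side fix and the weaker cache-side mitigation.

```python
# Added example, not code from Shopify or from the report: a toy model of the
# X-Forwarded-Host cache-poisoning pattern. The origin, cache and header
# values are assumptions made for this illustration.
from typing import Callable, Dict, Tuple

Request = Dict[str, str]           # header names plus a "path" entry
Origin = Callable[[Request], str]  # origin application: request -> HTML body


def origin_trusting_xfh(req: Request) -> str:
    """Vulnerable origin: derives absolute URLs from X-Forwarded-Host
    whenever the header is present, whoever sent it."""
    host = req.get("X-Forwarded-Host", req["Host"])
    return f'<link rel="canonical" href="https://{host}{req["path"]}">'


def origin_fixed(req: Request) -> str:
    """Hardened origin: absolute URLs come from a configured canonical
    host, never from a client-suppliable header."""
    canonical = "www.shopify.com"  # assumed deployment setting
    return f'<link rel="canonical" href="https://{canonical}{req["path"]}">'


class Cache:
    """Shared cache in front of an origin. `key_headers` lists the request
    headers that form the cache key; any other header is 'unkeyed', so a
    response produced under its influence is served to every later client
    whose request maps to the same key."""

    def __init__(self, origin: Origin, key_headers: Tuple[str, ...] = ("Host",)):
        self.origin = origin
        self.key_headers = key_headers
        self.store: Dict[tuple, str] = {}

    def get(self, req: Request) -> str:
        key = (req["path"],) + tuple(req.get(h, "") for h in self.key_headers)
        if key not in self.store:
            self.store[key] = self.origin(req)
        return self.store[key]


def poison_then_visit(origin: Origin, key_headers: Tuple[str, ...] = ("Host",)) -> str:
    """Attacker primes the cache with X-Forwarded-Host, then a victim requests
    the same path without it. Returns the body the victim receives."""
    cache = Cache(origin, key_headers)
    attacker = {"Host": "www.shopify.com", "path": "/partners/blog",
                "X-Forwarded-Host": "yourhackerzsite.com"}  # constructed
    victim = {"Host": "www.shopify.com", "path": "/partners/blog"}
    cache.get(attacker)
    return cache.get(victim)


def is_poisoned(body: str, attacker_host: str = "yourhackerzsite.com") -> bool:
    return attacker_host in body


if __name__ == "__main__":
    print("vulnerable origin, unkeyed header:",
          is_poisoned(poison_then_visit(origin_trusting_xfh)))          # True
    print("vulnerable origin, header added to cache key:",
          is_poisoned(poison_then_visit(origin_trusting_xfh,
                                        ("Host", "X-Forwarded-Host"))))  # False
    print("fixed origin:", is_poisoned(poison_then_visit(origin_fixed)))  # False
```

Adding X-Forwarded-Host to the cache key stops the cross-user poisoning but leaves the origin reflecting an attacker-controlled host into its own response; the durable fix is for the edge proxy to strip or overwrite the header and for the origin to take its canonical host from configuration.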
GitLab: Stored-XSS in merge requests
Hi team, a stored XSS exists in the merge request pages. Steps to reproduce: 1. In any existing project, or create a new project checking the option "Initialize repository with a README" 2. Create a new branch with name '', e.g., git push origin master:"''" 3. Create a new merge request from...
Mail.ru: [api-site.city-mobil.ru] Improper access control leads to information disclosure
Authorization for the api-site.city-mobil.ru endpoint was not properly checked, allowing an attacker to obtain data about arbitrary corporate.city-mobil.ru orders and users. Found a way to bypass a bad fix for 772118. https://api-site.city-mobil.ru is the same API as https://c-api.city-mobil.ru...
Mail.ru: Read new emails from any inbox in the iOS app notification center
An IDOR vulnerability in the notification center API, as used by the Mail.ru Mail application for iOS, allowed requesting notifications for an arbitrary e-mail address...
Mail.ru: A user can view, delete and modify any company's data by enumerating domain_id [biz.mail.ru]
An IDOR vulnerability in biz.mail.ru allowed partially manipulating the billing data (tax ID, addresses) of an arbitrary company...
Automattic: Reflected XSS on an Atavist theme at external_import.php
Summary: Hi team, I found this PHP file, https://magazine.atavist.com/static/external_import.php, and there is a parameter called scripts on this PHP file. Basically, the endpoint prints the value of the scripts parameter to . So we can import any script file like that:...
Grammarly: Ability to DOS any organization's SSO and open up the door to account takeovers
Summary: There's an interesting issue I've spent quite a few days trying to escalate but can't figure out. The impact at this point is that I can DoS any SSO integration, making it so nobody in that organization can log in. I can also get users to inadvertently SSO into my attacker organization, an...
New Relic: removed user can still join the organization
Hi, I would like to report an issue I have found that allows an attacker to join an organization even if the attacker is removed. I found out that when adding a new user, if you add a new user without verifying the email address and you change the email of the user, the email address you initially sent the...
U.S. Dept Of Defense: Reflected XSS at https://████████/███/...
Summary: According to DOD Websites, ███████ is a potential in-scope target, where I discovered an unauthenticated GET-based reflected cross-site scripting vulnerability on the ██████████ subdomain. Steps to Reproduce: Visit the following URL:...
CS Money: Site-wide CSRF on Safari due to CORS misconfiguration (not localhost)
Description: Hello there, on new.cs.money or cs.money there is an anti-CSRF mechanism, which is a Referer header check. However, I discovered that the regex logic for checking the Referer header is flawed. I found that adding or at the end of the domain passes the validation. Therefore, if a request comes from...
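The report above is an instance of a recurring bug class: a Referer allowlist implemented as a substring or loosely written regex rather than an exact comparison of the parsed host. The exact characters that bypassed the CS Money check are elided in the report, so the flawed pattern below is an assumption that reproduces the same class of mistake; it is an added example, not CS Money's code, and sits beside a parse-then-compare check that rejects the constructed bypasses.

```python
# Added example, not CS Money's code. The flawed regex is an assumption that
# models the bug class in the report (the real bypass characters are elided).
import re
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"cs.money", "new.cs.money"}

# Two classic mistakes: the dot is not escaped (it matches any character) and
# nothing terminates the host, so the trusted name only needs to be a prefix
# of whatever the Referer contains.
FLAWED_REFERER = re.compile(r"^https://(new\.)?cs.money")


def referer_ok_flawed(referer: Optional[str]) -> bool:
    return bool(referer) and FLAWED_REFERER.match(referer) is not None


def referer_ok_fixed(referer: Optional[str]) -> bool:
    """Parse the URL, then compare the host component exactly.
    A missing Referer is rejected here; a real deployment would usually
    consult the Origin header before rejecting."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False
    return parts.hostname in ALLOWED_HOSTS


# Constructed test cases: (referer, should_pass)
CASES = [
    ("https://cs.money/market", True),
    ("https://new.cs.money/", True),
    ("https://cs.money:443/", True),
    ("https://cs.money.attacker.example/", False),   # trusted name as a prefix
    ("https://cs.moneyattacker.example/", False),    # unterminated host
    ("https://csxmoney/", False),                    # unescaped dot
    ("https://cs.money@attacker.example/", False),   # userinfo trick
    ("http://cs.money/", False),                     # wrong scheme
    (None, False),
]


def bypasses(check) -> list:
    """Referers that `check` accepts although they should be rejected."""
    return [r for r, ok in CASES if not ok and check(r)]


if __name__ == "__main__":
    print("flawed check accepts:", bypasses(referer_ok_flawed))
    print("fixed check accepts:", bypasses(referer_ok_fixed))  # []
```

A Referer check is a defence-in-depth layer at best; the Referer can be suppressed by the requesting page, so a per-session anti-CSRF token or SameSite cookies should carry the primary protection.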
Automattic: Permanent DoS with one click.
Summary: Hello Team, the messages of a user who deletes their account have a DoS effect on another user. Platforms Affected: website/mobile app/service. Steps To Reproduce & PoC: Before you start testing, create two accounts: [email protected] [email protected]. Confirm e-mails to sen...
New Relic: IDOR - User is able to download charts/dashboards from cross accounts
@k3ne described an issue where a user on an account could access data concerning dashboards for another user on the same account. While this appeared to be a cross-account access issue, both users on the account have access to the same data by design...
Mail.ru: Broken twitter link hijacking at https://games.mail.ru/pc/search/
Link on https://games.mail.ru/pc/search/ page was pointing to invalid twitter account...
Brave Software: Arbitrary file download due to bad handling of Redirects in WebTorrent
Summary: Previously I reported in 963155 how an attacker can trick a user into downloading malicious files using the ".save torrent" feature. In this report I am going to reproduce the same behavior but by abusing a different feature. Description: While I was testing WebTorrent on Brave I noticed that...
LY Corporation: Use of unreleased features in programming education service (https://entry.line.me)
LINE entry is a service that provides programming education for children (https://entry.line.me). Sharing creations was a feature previously only available to admins, and the feature was still under development before creator users were allowed to use it. The vulnerability was a case in...
Valve: Access to microtransaction sales data for lots of apps from 2014 to present at /valvefinance/sanity/
The Steamworks Product Data web site had a URL route with insufficient access controls, which would allow an authenticated partner to view data for games which they might not otherwise have permissions to view. After mitigation, an audit of accesses to this URL route showed no accesses by partie...
Shopify: User sensitive information disclosure
1. Open the Shopify Guide (shopify指南) mini-program (Applets) 2. Click Personal Center (个人中心) 3. Click Edit Profile (编辑资料) 微信图片20200905123248.png 4. https://api-wechat.shopify.cn/api/sp/customer/id 1.png 5. Modify the ID value to traverse the user information. Impact: User sensitive information disclosur...
U.S. Dept Of Defense: Reflected XSS in https://███████ via search parameter
Summary: Reflected XSS in https://█████████ Description: I noticed I got an error when visiting https://███.mil stating "The provided hostname is not valid for this server". I pinged the site to see that it resolves to https://██████ ██████. Based on the content of the site I believe this asset is a...
Helium: Race condition in transferring Data Credits to an organization leads to adding extra free Data Credits to the organization
Description: I found a way to add data credits for free by doing a race condition on transferring data credits using Turbo Intruder in Burp Suite. When I created an account it had only the default 10000 data credits, but I managed to add more for free without buying or purchasing. PoC Steps (if confused, refer to the PoC)...
Mail.ru: [api.my.games/social/chat/multi/add] Privilege escalation on adding new members to group chat
Privilege escalation in chat management functionality on store.my.games...
Mail.ru: Account Takeover possibility via https://awards.donationalerts.com using login with twitch.tv
Authentication procedure with twitch.tv OAuth allowed account takeover on awards.donationalerts.com...
BugPoC: Reading arbitrary files via running arbitrary python code
Summary: Reading arbitrary files via running arbitrary Python code. Steps To Reproduce: 1. Go to the Python PoC and execute arbitrary code to read arbitrary files. Recording: F976069. I have stopped testing further. Users can run arbitrary Python code. Please do let me know if anything is unclear. Impac...
Mail.ru: [my.games, lootdog.io] XSS via MCS Bucket
The proxy pass for the path in the my.games and lootdog.io domains was misconfigured to point to the root of a public S3 storage, allowing static content to be placed in the domain path, leading to the possibility of XSS...
GitHub Security Lab: [CATENACYBER]: [CPP] CWE-476 Null Pointer Dereference : Another query to either missing or redundant NULL check
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Query to find TLS configurations supporting hardcoded insecure versions of the protocol and cipher suites
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CodeQL query to detect XSLT injections
This bug was reported directly to GitHub Security Lab...
Automattic: Stored XSS on https://app.crowdsignal.com/surveys/[Survey-Id]/question - Bypass
Hello there, I hope all is well! I found a stored XSS on https://app.crowdsignal.com/ Steps: Go to https://app.crowdsignal.com/dashboard. Create a survey. Go to https://app.crowdsignal.com/quizzes/survey-id/question. Add Multiple Choice. Click the Add media button. Select Embed Media. Paste this:...
Automattic: IDOR leads to Edit Anyone's Blogs / Websites
Hello there, I hope all is well! Steps: 1. Go to https://intensedebate.com/signup and create 2 accounts. 2. Log in as the victim and go to https://www.intensedebate.com/edit-user-profile 3. Click the Add Blog / Website text, fill in the form and click the Save Settings button 4. Go to...
Agoric: Dependency on private SSH keys in public github
Summary: As I was searching for some information I came across https://github.com/Agoric/agoric-sdk/blob/8a8136533220a862bf87d319e821858c8b7ba3b3/vagrant/Dockerfile, and as I was looking at the content I came across a GitHub link for an SSH private key...
Mail.ru: Clickjacking Vulnerability via https://profile.my.games/gamecenter/profile/ can lead to sensitive cross site actions (Bypass X-Frame-Options)
A clickjacking attack could allow forcing a user to change profile settings on profile.my.games...
Mail.ru: Multiple SQL Injections and constrained LFI in esk-static.3igames.mail.ru
SQL Injections in esk-static.3igames.mail.ru due to unsafe usage of GET parameters...
Mail.ru: the same as #948259 - XSS at jsgames.mail.ru
Reflected XSS in jsgames.mail.ru via GET parameter backurl. Found it in under 1 minute; thanks for sharing @yukusawa18...
Mail.ru: This GitHub Repository Seems to Be Leaking "nino.samokat.ru" Source Code
nino.samokat.ru promo site source code was leaked on github.com...
Node.js third-party modules: [curling] Remote Code Execution
I would like to report RCE in curling. I can bypass the security check for special characters and read / overwrite files. Module: module name: curling, version: 1.1.0, npm page: https://www.npmjs.com/package/curling. Module Description: A node wrapper for curl with a very simple API. Module Stats: 156 weekly...
Node.js third-party modules: [imagickal] Remote Code Execution
I would like to report RCE in imagickal. It allows executing arbitrary commands on the victim's PC. Module: module name: imagickal, version: 4.2.0, npm page: https://www.npmjs.com/package/imagickal. Module Description: node wrapper for ImageMagick commands. Module Stats: 42 weekly downloads. Vulnerability...
BlockDev Sp. Z o.o: A specially crafted value for the 'Cache-Digest' header causing a crash in chat.makerdao.com
A specially crafted value for the 'Cache-Digest' header causing a crash...
pixiv: Open Redirect at https://oauth.secure.pixiv.net
Summary: Hello @pixiv security team, I hope you are well. I noticed you can redirect users to another domain if you send an invalid scope. Vulnerable URL...
Kubernetes: kubeadm logs tokens before deleting them
Summary: kubeadm's delete command takes as input either a bootstrap token ID or a full token. Before determining whether the input is just an ID or a full token, kubeadm logs the input using klog. If the deletion fails, the token would remain valid. An attacker who has...
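The report above turns on ordering: classify the argument first, then log only the non-secret part. The following is an added example written for this page, not kubeadm's code. It relies on the documented bootstrap token format (a 6-character ID, a dot, and a 16-character secret); the token store, logger and sample token are constructed stand-ins, and the "unsafe" function models the reported behaviour for contrast.

```python
# Added example, not kubeadm's code: resolve the argument to a token ID before
# anything is logged, so the secret half of a full bootstrap token never
# reaches the log. Store and log are stand-ins for this illustration.
import re
from typing import Dict, List, Tuple

# Documented bootstrap token format: [a-z0-9]{6}.[a-z0-9]{16}
TOKEN_ID_RE = re.compile(r"^[a-z0-9]{6}$")
FULL_TOKEN_RE = re.compile(r"^([a-z0-9]{6})\.([a-z0-9]{16})$")


def resolve_token_id(arg: str) -> str:
    """Accept either a bare token ID or a full token; return only the ID."""
    m = FULL_TOKEN_RE.match(arg)
    if m:
        return m.group(1)
    if TOKEN_ID_RE.match(arg):
        return arg
    raise ValueError("argument is neither a token ID nor a full bootstrap token")


def delete_token_unsafe(arg: str, store: Dict[str, str], log: List[str]) -> bool:
    """Models the reported behaviour: the raw argument is logged before it
    is classified, so a full token (ID.secret) lands in the log verbatim."""
    log.append(f"deleting bootstrap token {arg}")
    token_id = resolve_token_id(arg)
    if token_id not in store:
        log.append(f"failed to delete bootstrap token {arg}")  # token stays valid
        return False
    del store[token_id]
    return True


def delete_token_safe(arg: str, store: Dict[str, str], log: List[str]) -> bool:
    """Classify first; every log line carries only the token ID."""
    token_id = resolve_token_id(arg)
    log.append(f"deleting bootstrap token {token_id}")
    if token_id not in store:
        log.append(f"failed to delete bootstrap token {token_id}")  # still valid
        return False
    del store[token_id]
    return True


def secret_leaked(log: List[str], full_token: str) -> bool:
    """True if the secret half of `full_token` appears in any log line."""
    _, secret = full_token.split(".")
    return any(secret in line for line in log)


def run(delete, full_token: str, store: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Run a delete function against a copy of the store; return (ok, log)."""
    log: List[str] = []
    ok = delete(full_token, dict(store), log)
    return ok, log


# Constructed sample data: token ID -> secret, standing in for the
# bootstrap-token Secrets in kube-system.
SAMPLE_STORE = {"abcdef": "0123456789abcdef"}
SAMPLE_TOKEN = "abcdef.0123456789abcdef"
MISSING_TOKEN = "zzzzzz.0123456789abcdef"

if __name__ == "__main__":
    for name, fn in (("unsafe", delete_token_unsafe), ("safe", delete_token_safe)):
        ok, log = run(fn, MISSING_TOKEN, SAMPLE_STORE)
        print(name, "deleted:", ok, "secret in log:", secret_leaked(log, MISSING_TOKEN))
```

The failed-deletion path is the one that matters: a successfully deleted token is useless even if logged, but a token that survives a failed delete is a live credential sitting in whatever collects the logs.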
Mail.ru: Ability to create a channel in a group where the user is not an admin [my.games]
Privilege escalation in chat management functionality on store.my.games...
GitLab: Able to leak private email of any user given his/her username via graphql
Summary: The GraphQL query user is leaking the private email of users: query { user(username: "") { email username } } Steps to reproduce: Step-by-step guide to reproduce the issue, including: Have an account with private email settings. Use a GraphQL query to access the private email: query { user(username: "") { email username } }...
Valve: Add apps to packages 0, 61, 62 with /store/ajaxpackagemerge
The ajaxpackagemerge API incorrectly allowed partners to add their own apps to certain Valve administrative packages. This can be further leveraged to generate CD key ranges for these administrative packages. The API access control was corrected...
Node.js third-party modules: [arpping] Remote Code Execution
I would like to report RCE in arpping. It allows executing arbitrary commands on the victim's PC. Module: module name: arpping, version: 2.0.0, npm page: https://www.npmjs.com/package/arpping. Module Description: Discover and search for internet-connected devices locally using ping and arp. Module Stats...
Acronis: No brute force protection on web-api-cloud.acronis.com
There was no brute force protection on the https://web-api-cloud.acronis.com/api/idp/v1/token endpoint...