MTN Group - HackerOne
critical - Remove Every User, Admin, And Owner Out Of Their Teams on developers.mtn.com via IDOR + Information Disclosure
Hello world. This vulnerability is too involved with regular users; in order for us to prevent any damage, we need 3 different user accounts we own. This gives us specific "user_id" and "team_id" values to work with. There's an Information Disclosure as a side effect of this vulnerability: user and team names are disclosed in the response from the server. ## Steps To Reproduce (POC) ==First, let's...
MTN Group - HackerOne
critical - Unprotected Direct Object Reference
Hello MTN Security Team, during my hunting I discovered that there's an Insecure Direct Object Reference on https://nin.mtnonline.com Vulnerable Path: https://nin.mtnonline.com/nin/success?message=1 Steps To Reproduce: You may not even need to submit any NIN before accessing this unprotected page; just visit https://nin.mtnonline.com/nin/success?message=1 I discovered that, to see...
Google Online Security Blog
Memory Safe Languages in Android 13
Posted by Jeffrey Vander Stoep For more than a decade, memory safety vulnerabilities have consistently represented more than 65% of vulne...
Zero Day Initiative
Pwn2Own Returns to Miami Beach for 2023
Welcome back to Miami! Even as we make our final preparations for our consumer-focused contest in Toronto, we're already looking ahead to warmer climes and returning to the S4 Conference in Miami for our ICS/SCADA-themed event. Pwn2Own returns to South Beach on February 14-16, 2023, and
MTN Group - HackerOne
critical - Firebase Database Takeover in https://pulseradio.mtn.co.ug/
## Summary: During my test, in one of the subdomains of mtn.co.ug I found the Firebase configuration disclosed in the source code along with the apiKey and database URL. Exploiting this vulnerability, an attacker is able to upload malicious data to the Firebase account of pulseradio.mtn.co.ug and view the database there. ## Steps To Reproduce: POC : ...
Ian Dunn - HackerOne
high - Double evaluation in .bash_prompt of dotfiles allows a malicious repository to execute arbitrary commands
## Summary Due to the improper usage of the `PS1` environment variable in [`.bash_prompt` of dotfiles](https://github.com/iandunn/dotfiles/blob/16a432681077362f263cb926737ad5cca5df6307/.bash_prompt), a malicious repository can execute arbitrary commands when the current directory is changed to it. ## Description The `PS1` environment variable of bash supports command substitutions. For example,...
talosintelligence.com
Lansweeper lansweeper TicketTemplateActions.aspx GetTemplateAttachment directory traversal vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A directory traversal vulnerability exists in the TicketTemplateActions.aspx GetTemplateAttachment functionality of Lansweeper lansweeper...
talosintelligence.com
Lansweeper lansweeper SanitizeHtml cross-site scripting (XSS) vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A cross-site scripting (XSS) sanitization bypass vulnerability exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0...
talosintelligence.com
Lansweeper lansweeper AssetActions.aspx directory traversal vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A directory traversal vulnerability exists in the AssetActions.aspx addDoc functionality of Lansweeper lansweeper 10.1.1.0. A specially-c...
talosintelligence.com
Lansweeper lansweeper KnowledgebasePageActions.aspx ImportArticles directory traversal vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A directory traversal vulnerability exists in the KnowledgebasePageActions.aspx ImportArticles functionality of Lansweeper lansweeper 10....
talosintelligence.com
Lansweeper lansweeper HelpdeskActions.aspx edittemplate directory traversal vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A directory traversal vulnerability exists in the HelpdeskActions.aspx edittemplate functionality of Lansweeper lansweeper 10.1.1.0. A sp...
talosintelligence.com
Lansweeper lansweeper HdConfigActions.aspx altertextlanguages stored cross-site scripting vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper ...
Detectify Labs
Should you learn to code before you learn to hack?
Some of the advantages that coding knowledge can give you when you start ethical hacking. Aimed at developers who want to learn hacking.
HackerOne - HackerOne
high - Any organization's assets pending review can be downloaded
# Steps to reproduce - sign in as any user - visit https://hackerone.com/organizations/:handle/assets/download_pending_reviews.csv, where `:handle` is the organization you want to download the assets for ## Impact This may leak sensitive data about an organization's attack surface.
Praetorian
Automating the Discovery of NTLM Authentication Endpoints
Automated discovery of NTLM authentication endpoints allows our engineers to spend their time where human operators are most effective.
PortSwigger Research
Hijacking service workers via DOM Clobbering
In this post, we'll briefly review how service worker hijacking works, then introduce a variant that can be triggered via DOM clobbering thanks to a quirk in document.getElementById(). Understanding s
MTN Group - HackerOne
critical - Wordpress users Disclosure [ /wp-json/wp/v2/users/ ]
## Summary: Using the REST API, we can see all the WordPress users/authors with some of their information, which can even be personal information of employees/authors. The file v2/users at: https://www.mtn.com/wp-json/wp/v2/users/ is enabled and this gives the attacker many user names like: `Amogelang Maluleka` `Greg Davies` `karenbyamugisha` `Marc Ilunga` `mitchprinsloo` ## Steps To...
Project Zero Bug Tracker
XNU vm_object use-after-free due to invalid error handling in vm_map_enter
Project Zero Bug Tracker
XNU dangling PTE entry due to integer truncation when collapsing vm_object shadow chains
Project Zero Bug Tracker
Chrome: heap-use-after-free in blink::LocalFrameView::PerformLayout (incomplete fix for CVE-2022-3199)
Ruby - HackerOne
high - Ruby's CGI library has an HTTP response splitting (HTTP header injection) flaw that leaks secret information
PoC1:

```ruby
#!/usr/bin/env ruby
require 'cgi'

cgi = CGI.new
url = "http://example.jp\r\nSet-Cookie: foo=bar;" # External Parameter
print cgi.header({'status' => '302 Found', 'Location' => url})
```

Actual Result1:

```
$ curl -s -i http://localhost:8080/cgi-bin/cgi.ru
HTTP/1.1 302 Found
Date: Fri, 21 May 2021 00:46:33 GMT
Server: Apache/2.2.31 (Unix)
Set-Cookie: foo=bar;
Location:...
```
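The PoC above hands an attacker-controlled string straight to `CGI#header`, and the CR/LF inside it becomes a new `Set-Cookie` line. As an added example (not part of the report and not the upstream Ruby fix), the wrapper below shows the check an application should apply before any externally supplied value reaches a header: reject CR, LF and NUL in both header names and values. The `safe_header`/`safe_redirect` names and the `HeaderInjection` class are assumptions for this illustration, and `ENV` is set so that `CGI.new` runs in a plain Ruby process instead of under a web server.

```ruby
#!/usr/bin/env ruby
# Added example, not the report's PoC: validate header values before CGI#header.
# A CR or LF inside a value ends the Location line and lets an attacker append
# headers such as Set-Cookie (the response splitting shown in the PoC).
require 'cgi'

# CGI.new reads the request from ENV; a minimal GET lets it run outside a
# CGI server (assumption for this example, not needed under Apache).
ENV['REQUEST_METHOD'] ||= 'GET'
ENV['QUERY_STRING'] ||= ''

# Hypothetical exception class for this illustration.
class HeaderInjection < ArgumentError; end

# Reject any value that could terminate a header line or the header block.
# Returns the value unchanged when it is safe.
def assert_header_safe(name, value)
  if value.to_s.match?(/[\r\n\0]/)
    raise HeaderInjection, "#{name}: CR/LF/NUL in header value #{value.inspect}"
  end
  value
end

# Hardened wrapper: every name and value is checked before CGI#header sees it.
def safe_header(cgi, fields)
  fields.each do |name, value|
    assert_header_safe('header name', name)
    assert_header_safe(name, value)
  end
  cgi.header(fields)
end

# Same redirect as the PoC, but the URL cannot carry extra header lines.
def safe_redirect(cgi, url)
  safe_header(cgi, 'status' => '302 Found', 'Location' => url)
end

if $PROGRAM_NAME == __FILE__
  cgi = CGI.new
  print safe_redirect(cgi, 'http://example.jp')
  begin
    # Constructed attacker input, the same string the PoC uses.
    safe_redirect(cgi, "http://example.jp\r\nSet-Cookie: foo=bar;")
  rescue HeaderInjection => e
    warn "rejected: #{e.message}"
  end
end
```

The check runs before serialization rather than after, so it also covers any header the application builds outside `CGI#header`; rejecting the request is preferable to stripping the characters, since a silently truncated redirect target is itself a bug worth surfacing.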
Zero Day Initiative
CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hung and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched SQL injection vulnerability in Zoho ManageEngine products. The bug is due to improper validation of resource types in the
Windows Internals Blog
An End to KASLR Bypasses?
Edit: this post initially discussed the new changes only in the context of KASLR bypasses. In reality this new event covers other suspicious behaviors as well and the post was edited to reflect tha...
Synacktiv
A dive into Microsoft Defender for Identity
We recently analyzed the detection capabilities of Microsoft Defender for Identity, a cloud-based security solution which is the successor of Microsoft Advanced Threat Analytics and part of Microsoft
MDSec
Nighthawk: With Great Power Comes Great Responsibility
Recently, Proofpoint released a blog post entitled Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice. In this post, Proofpoint outlined a campaign used by a legitimate red...
0x36.github.io
CVE-2022-32898: ANE_ProgramCreate() multiple kernel memory corruption
Intro: While reverse-engineering the process by which the Apple Neural Engine loads a model at the kernel level, I identified two interesting memory corruption vulnerabilities in the code responsible for processing the neural network features in H11ANEIn::ANE_ProgramCreate_gated(). These kinds of vulnerabilities, in my opinion, are easy to find when manually auditing the kernel driver, but nearly impossible to catch with fuzzers unless you build something incredibly sophisticated.
Project Zero
Mind the Gap
By Ian Beer, Project Zero Note: The vulnerabilities discussed in this blog post (CVE-2022-33917) are fixed by the upstream vendor, but...
AMBER AI - HackerOne
high - Support Portal Takeover via Leaked API KEY (1500.00USD)
Thanks @khizer47 for the report. An insecure Zendesk API token was hardcoded in a JS file, causing support portals to lose control of administrator rights. We removed the dangerous token and controlled permissions by using a more secure OAuth token.
SSD Secure Disclosure
SSD Advisory – NETGEAR R7800 AFPD PreAuth
A vulnerability in the NETGEAR AFPD (Apple Filing Protocol daemon) process allows LAN-side attackers to overflow a buffer in the product before authentication.
talosintelligence.com
Callback technologies CBFS Filter handle_ioctl_8314C null pointer dereference vulnerability
Discovered by Emmanuel Tacheau of Cisco Talos. SUMMARY A null pointer dereference vulnerability exists in the handle_ioctl_8314C functionality of Callback technologies CBFS Filter 20.0.8317. A spec...
talosintelligence.com
Callback technologies CBFS Filter handle_ioctl_83150 null pointer dereference vulnerability
Discovered by Emmanuel Tacheau of Cisco Talos. SUMMARY A null pointer dereference vulnerability exists in the handle_ioctl_83150 functionality of Callback technologies CBFS Filter 20.0.8317. A spec...
talosintelligence.com
Callback technologies CBFS Filter handle_ioctl_0x830a0_systembuffer null pointer dereference vulnerability
Discovered by Emmanuel Tacheau of Cisco Talos. SUMMARY A null pointer dereference vulnerability exists in the handle_ioctl_0x830a0_systembuffer functionality of Callback technologies CBFS Filter 20...
Detectify Labs
Scaling security automation with Docker
Docker automation is possible. Gunnar Andrews discusses how ethical hackers can scale their automation workflow by using Docker.
Project Zero Bug Tracker
AppleAVD: Missing surface lock in deallocateKernelMemoryInternal
Project Zero Bug Tracker
AppleAVD: Memory Corruption in AppleAVDUserClient::decodeFrameFig
NCC Group Research
Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
Vendor: NXP Semiconductors Vendor URL: Affected Devices: i.MX RT 101x, i.MX RT102x, i.MX RT1050/6x, i.MX 6 Family, i.MX 7 Family, i.MX8M Quad/Mini, Vybrid Author: Jon Szymaniak <jon.szymaniak(at
Praetorian
People Are People: Gender Equality at Praetorian
Equity-based policies reinforce a cultural meritocracy. A person's gender has nothing to do with their success or failure here.
Zero Day Initiative
Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend
By now you have likely already heard about the in-the-wild exploitation of Exchange Server, chaining CVE-2022-41040 and CVE-2022-41082. It was originally submitted to the ZDI program by the researcher known as DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC. After successful validation, it was immediately
Cloudflare Public Bug Bounty - HackerOne
high - Ability to bypass locked Cloudflare WARP on wifi networks. (1000.00USD)
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint.
GitLab - HackerOne
critical - RCE via github import (33510.00USD)
Hello, while continuing mining on [github import](https://hackerone.com/reports/1665658), I found a vulnerability on gitlab.com allowing remote execution of arbitrary commands. Gitlab uses Octokit to get data from github.com. Octokit uses [Sawyer::Resource](https://github.com/lostisland/sawyer/blob/master/lib/sawyer/resource.rb) to represent results. Sawyer is a crazy class that...
GitLab - HackerOne
high - CSP-bypass XSS in project settings page (10270.00USD)
### Summary

This JavaScript [function](https://gitlab.com/gitlab-org/gitlab/-/blob/85fbd72dc08bcedcb9fe80fad4df798e9527ded8/app/assets/javascripts/projects/settings/access_dropdown.js#L534) is vulnerable:

```javascript
deployKeyRowHtml(key, isActive) {
  const isActiveClass = isActive || '';
  return `
    <li>
      <a href="#" class="${isActiveClass}">
...
```
GitLab - HackerOne
high - XSS: `v-safe-html` is not safe enough (6580.00USD)
The `v-safe-html` directive uses DOMPurify [to remove](https://gitlab.com/gitlab-org/gitlab-ui/-/blob/9f1bcb1f7392d4d6d072f10197c2aab2c29c3287/src/directives/safe_html/constants.js#L3) the `data-remote`, `data-url`, `data-type` and `data-method` attributes from HTML tags. Rails-js relies on another attribute,...
GitLab - HackerOne
high - New /add_contacts /remove_contacts quick commands susceptible to XSS from Customer Contact firstname/lastname fields (13950.00USD)
### Summary In GitLab 15.0.0 a new Customer Relations feature was added that allows us to use quick actions to find the contact we wish to select. However, I noticed that if I set the contact's first name or last name to <script>alert(document.domain)</script>, the XSS triggers when we attempt to use the quick commands to add/remove a contact. ### Steps to reproduce 1....
gts3.org
DriveFuzz: Discovering Autonomous Driving Bugs through Driving Quality-Guided Fuzzing (to appear)
gts3.org
RoboFuzz: Fuzzing Robotic Systems over Robot Operating System (ROS) for Finding Correctness Bugs (to appear)
PortSwigger Research
Stealing passwords from infosec Mastodon - without bypassing CSP
The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose
0x36.github.io
CVE-2022-32932: ZinComputeProgramUpdateMutables() OOB write due to double fetch issue
Analysis:
Project Zero Bug Tracker
Double-free in libxml2 when parsing default attributes
Project Zero Bug Tracker
libxml2: Integer overflow in xmlParseNameComplex
Project Zero Bug Tracker
node-saml: Signature bypass via multiple root elements