Yelp - HackerOne
high - Fraudulent claim of business.
Report states that one could claim any business by simply substituting the business' phone number with their own during the claim flow. This is not correct, as the number entered is internally verified and, therefore, the claim process eventually fails.
Praetorian
Open Source Tools: From Our Lab to Your Fingertips
An ever-growing aggregation of the open source tools we developed to meet the needs of our services and product development teams.
Project Zero Bug Tracker
Android: Binder VMA management security issues
JetBlue - HackerOne
high - Access to tomcat-manager with default creds
## Summary: Hi JetBlue Security Team. I found that this domain `` is using Apache Tomcat/6.0.35, and I was able to log in to https:///manager/html with the default credentials `tomcat:tomcat`. See the following screenshots:
## Steps To Reproduce:
1. Go to https:///manager/html
2. Log in with default creds `tomcat:tomcat`
## Supporting Material/References: -...
Project Zero Bug Tracker
Windows Kernel memory corruption due to insufficient handling of predefined keys in registry virtualization
gts3.org
Fuzzing@Home: Distributed Fuzzing on Untrusted Heterogeneous Clients
gts3.org
PyFET: Forensically Equivalent Transformation for Python Binary Decompilation (to appear)
Project Zero - Root Cause Analysis
CVE-2022-4135: Chrome heap buffer overflow in validating command decoder
Information about 0-days exploited in-the-wild!
Assetnote
Pre-Auth RCE in Aspera Faspex: Case Guide for Auditing Ruby on Rails
Application security issues found by Assetnote
talosintelligence.com
Moxa SDS-3008 Series Industrial Ethernet Switch web application information disclosure vulnerability
Discovered by Patrick DeSantis of Cisco Talos. SUMMARY An information disclosure vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A ...
talosintelligence.com
Moxa SDS-3008 Series Industrial Ethernet Switch web application stored cross-site scripting vulnerability
Discovered by Patrick DeSantis of Cisco Talos. SUMMARY A stored cross-site scripting vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1...
Alexander Popov
[ru] Mirroring GitHub projects in 2023
Google Online Security Blog
Taking the next step: OSS-Fuzz in 2023
Posted by Oliver Chang, OSS-Fuzz team. Since launching in 2016, Google's free OSS-Fuzz code testing service has helped get over 8800 vul...
Assetnote
RCE in Avaya Aura Device Services
Application security issues found by Assetnote
Youssef Sammouda
Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation
This bug could allow a malicious actor to take over Facebook/Meta accounts if the user decided to play a Canvas game. The new Canvas on Comet uses Compat to display dialogs (e.g. OAuth dialogs) i...
Youssef Sammouda
DOM-XSS in Instant Games due to improper verification of supplied URLs
This bug could allow a malicious actor to take over Facebook (and Meta) accounts after tricking the user into playing an Instant Game. This bug happens because the goURIOnWindow module, which is widely ...
Youssef Sammouda
Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing
A malicious actor could steal a first-party access token of the Oculus application, which they could then use to access the Facebook/Oculus accounts. This was possible because the Oculus application in Fac...
Alexander Popov
Mirroring GitHub projects in 2023
For many reasons, I want to mirror my public GitHub projects on other collaboration platforms. This short article describes my difficulties with it and a working solution.
Stratum Security Blog
Cloud Providers Are Setting You Up For Failure
Stratum's own Jared Perry gave a great talk at Code Europe in 2022. They posted the video today. Jared's perspective is based on performing hundreds of cloud security assessments for Stratum's customers. This is a great talk by someone who has a TON of experience poking around in a TON
TikTok - HackerOne
high - IDOR for changing privacy settings on any memories
An Insecure Direct Object Reference (IDOR) vulnerability was found within TikTok Now on Android, which would have allowed any user to change the "Who Can View" privacy setting for another user's Memory. We thank @mrhavit for reporting this to the team.
TikTok - HackerOne
s3c
high - XSS at TikTok Ads Endpoint
A Cross-Site Scripting (XSS) vulnerability was found on a TikTok Ads endpoint, due to a lack of appropriate HTML escaping or output encoding on the reflection of user-supplied data, which was resolved on September 7, 2022. This could have resulted in a JavaScript payload injected into the endpoint causing it to be executed within the context of the victim's browser. We thank @s3c for reporting...
The GitHub Blog
Bypassing OGNL sandboxes for fun and charities
Object Graph Notation Language (OGNL) is a popular, Java-based, expression language used in popular frameworks and applications, such as Apache Struts and Atlassian Confluence. Learn more about bypassing certain OGNL injection protection mechanisms including those used by Struts and Atlassian Confluence, as well as different approaches to analyzing this form of protection so you can harden similar systems.
Praetorian
Grappling with the Unpredictable Second-Order Effects of LLM
The world is complicated, and so is anticipating second-order effects. How can execs grapple with the unknown consequences of technology?
GitHub - HackerOne
high - Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api (20000.00USD)
An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most organization-level resources that are not tied to a repository regardless of granted permissions, such as users and organization-wide...
Zero Day Initiative
Pwn2Own Automotive: Bringing Researchers and Auto Manufacturers Together
Today at the Automotive World conference in Tokyo, Japan, I presented a talk in the Cyber Security from the Perspectives of Hackers and Automakers track. During this presentation, I announced that the ZDI will host a new Pwn2Own contest focused on automotive systems: Pwn2Own Automotive. Th
talosintelligence.com
FreshTomato httpd update.cgi directory traversal vulnerability
Discovered by Francesco Benvenuto of Cisco Talos. SUMMARY A directory traversal vulnerability exists in the httpd update.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request ca...
talosintelligence.com
FreshTomato httpd logs/view.cgi OS command injection vulnerability
Discovered by Francesco Benvenuto of Cisco Talos. SUMMARY An OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP reque...
talosintelligence.com
Siretta QUARTZ-GOLD httpd delfile.cgi OS command injection vulnerability
Discovered by Francesco Benvenuto of Cisco Talos. SUMMARY An OS command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specia...
talosintelligence.com
Siretta QUARTZ-GOLD m2m DELETE_FILE cmd directory traversal vulnerability
Discovered by Francesco Benvenuto of Cisco Talos. SUMMARY A directory traversal vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specia...
talosintelligence.com
Siretta QUARTZ-GOLD httpd txt/restore.cgi OS command injection vulnerability
Discovered by Francesco Benvenuto of Cisco Talos. SUMMARY An OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A sp...
talosintelligence.com
Siretta QUARTZ-GOLD m2m DELETE_FILE cmd OS command injection vulnerability
Discovered by Francesco Benvenuto of Cisco Talos. SUMMARY An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A spec...
talosintelligence.com
Siretta QUARTZ-GOLD DetranCLI command parsing stack-based buffer overflow vulnerabilities
CVE-2022-40992,CVE-2022-41018,CVE-2022-41005,CVE-2022-41028,CVE-2022-40990,CVE-2022-40985,CVE-2022-40989,CVE-2022-40991,CVE-2022-40994,CVE-2022-41002,CVE-2022-41012,CVE-2022-41019,CVE-2022-41030,CV...
talosintelligence.com
Siretta QUARTZ-GOLD httpd delfile.cgi directory traversal vulnerability
Discovered by Francesco Benvenuto of Cisco Talos. SUMMARY A directory traversal vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A speciall...
Praetorian
Phantom of the Pipeline: Abusing Self-Hosted CI/CD Runners
Introducing Gato, our all-in-one open-source toolkit for finding and attacking repositories where CI/CD misconfigurations are present.
Cloudflare Public Bug Bounty - HackerOne
critical - Using special IPv4-mapped IPv6 addresses to bypass local IP ban (7500.00USD)
By using IPv4-mapped IPv6 addresses there was a way to bypass Cloudflare server's network protections and start connections to ports on the loopback (127.0.0.1) or internal IP addresses (such as 10.0.0.1). The bug was caused by the way a Go library interprets mapped IP addresses and how our code was checking for banned IPs. The code was fixed and now checks both IPv4 and IPv6 properly.
Zero Day Initiative
Activation Context Cache Poisoning: Exploiting CSRSS for Privilege Escalation
Starting in July of 2022, the Windows CSRSS process entered the consciousness of the infosec community as the source of several local privilege escalation vulnerabilities in Microsoft Windows. The first public information appeared on July 12 with the release of the patch for CVE-2022-22047, which
NCC Group Research
Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)
Vendor: DENX Software Engineering Vendor URL: Versions affected: v2012.10-rc1 to v2023.01-rc1 Systems Affected: All systems with CONFIG_DFU_OVER_USB or CONFIG_SPL_DFU enabled Author: <Sultan Qas
Project Zero - Root Cause Analysis
CVE-2022-41033: Type confusion in Windows COM+ Event System Service
Information about 0-days exploited in-the-wild!
NCC Group Research
Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)
The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App
Praetorian
A CISO’s Guide to Building a Strategic Relationship with the BOD
CISOs can use this five point guide with their BODs to build a strong strategic relationship based on trust and demonstrable value added.
Zero Day Initiative
CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in Adobe ColdFusion. This bug was originally reported to the ZDI program by a researc
KAYAK - HackerOne
critical - 1 click Account takeover via deeplink in [com.kayak.android] (3000.00USD)
We received this great report about a vulnerability in our Android app on August 12. An initial patch was made available via the Google Play Store on August 13 (version 161.2). The vulnerability had been introduced only very recently prior to its discovery and we have no indication that it has been exploited.
Project Zero Bug Tracker
Chrome: Copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess
Project Zero Bug Tracker
XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings
Project Zero Bug Tracker
XNU VM copy-on-write bypass due to incorrect shadow creation logic during unaligned vm_map_copy operations
Google Online Security Blog
Sustaining Digital Certificate Security - TrustCor Certificate Distrust
Posted by Chrome Root Program, Chrome Security Team Note: This post is a follow-up to discussions carried out on the Mozilla Dev Securi...
GitHub - HackerOne
high - Github app Privilege Escalation to Administrator/Owner of the Organization
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerability was reported via the GitHub Bug Bounty...
Internet Bug Bounty - HackerOne
high - DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices) (4200.00USD)
## DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices) (High) (CVE-2022-32212, CVE-2018-7160)
The fix for CVE-2022-32212 covered the cases for routable IP addresses; however, there exists a specific behavior on macOS devices when handling the http://0.0.0.0 URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving...
Google Online Security Blog
Supporting the Use of Rust in the Chromium Project
Posted by Dana Jansens (she/her), Chrome Security Team We are pleased to announce that moving forward, the Chromium project is going to s...
Project Zero Bug Tracker
libCoreEntitlements: CEContextQuery can return arbitrary entitlements