Glassdoor - HackerOne
high - [https://www.glassdoor.com] - Web Cache Deception Leads to gdtoken Disclosure
A web cache deception issue was reported by @bombon. For the exploit to trigger, the victim must be logged in to Glassdoor and must also visit an attacker-controlled page that makes the victim hit the caching page, programmatically fetch the cached CSRF token (gdToken), and forge and send a request on the victim's behalf, leading to CSRF attacks. We have resolved this by eliminating the caching...
Detectify Labs
Hakluke: Creating the Perfect Bug Bounty Automation
Bug Bounty Automation is the key to success for many expert bug bounty hunters including Hakluke. He walks through how he does it.
talosintelligence.com
Anker Eufy Homebase 2 home_security process_msg() authentication bypass vulnerability
Discovered by Lilith >_> of Cisco Talos. Summary: An authentication bypass vulnerability exists in the process_msg() function of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. A special...
talosintelligence.com
Anker Eufy Homebase 2 home_security wifi_country_code_update command execution vulnerability
Discovered by Lilith >_> of Cisco Talos. Summary: A command execution vulnerability exists in the wifi_country_code_update functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h...
talosintelligence.com
Anker Eufy Homebase 2 home_security CMD_DEVICE_GET_SERVER_LIST_REQUEST out-of-bounds write vulnerability
Discovered by Lilith >_> of Cisco Talos. Summary: An out-of-bounds write vulnerability exists in the CMD_DEVICE_GET_SERVER_LIST_REQUEST functionality of the home_security binary of Anker Eufy Homeba...
talosintelligence.com
Anker Eufy Homebase 2 home_security CMD_DEVICE_GET_RSA_KEY_REQUEST authentication bypass vulnerability
Discovered by Lilith >_> of Cisco Talos. Summary: An authentication bypass vulnerability exists in the CMD_DEVICE_GET_RSA_KEY_REQUEST functionality of the home_security binary of Anker Eufy Homebase...
talosintelligence.com
Anker Eufy Homebase 2 home_security get_aes_key_info_by_packetid() authentication bypass vulnerability
Discovered by Lilith >_> of Cisco Talos. Summary: An authentication bypass vulnerability exists in the get_aes_key_info_by_packetid() function of the home_security binary of Anker Eufy Homebase 2 2....
SSD Secure Disclosure
SSD Advisory – Chrome Ad Heavy Bypass (via history.back())
Find out how the Chrome Ad-Heavy detection mechanism can be bypassed; bypassing the mechanism would allow ads that breach the restrictions imposed by Chrome to still run.
Project Zero Bug Tracker
Apple ColorSync: use of uninitialized memory in CMMNDimLinear::Interpolate
F-Secure Labs
A bit of a Fixer Upper - Testing FIX-backed applications
TLDR I woke up one day and realized I didn't know much about the FIX protocol. So I spent a few days looking into it and then created a Burp extension to make my life easier. Then I thought, why no...
DigitalOcean - HackerOne
high - Blind XSS via Digital Ocean Partner account creation form.
## Summary: Blind Cross-Site Scripting (XSS) was discovered in the Digital Ocean Partners admin panel/dashboard, where an attacker can run arbitrary JavaScript code on the victim's end. Because the session cookie lacks the HttpOnly flag, an attacker can steal the user's cookies and use them to log in to the system. ## Steps To Reproduce: 1. Go to https://partners.digitalocean.com/ and click...
research.securitum.com
Is running legacy software with no publicly known exploits safe?
There is a lot of legacy software running all over the network. This is an excellent example of technical debt, and the debt means that we are borrowing: we borrow time before compromise. It's quite easy to identify that some software or system is outdated and no longer supported. Yet, it seems that no one ...
Synacktiv
Yet another BEC investigation on M365
Several materials already describe this type of attack; this document is operational feedback from the Synacktiv CSIRT on several BEC incidents involving the Microsoft 365 service. This is part one.
Project Zero Bug Tracker
KVM: SVM: out-of-bounds read/write in sev_es_string_io
talosintelligence.com
Advantech R-SeeNet application multiple SQL injection vulnerabilities in the 'device_list' page
CVE-2021-21924,CVE-2021-21925,CVE-21926,CVE-2021-21927,CVE-2021-21928,CVE-2021-21929,CVE-2021-21930,CVE-2021-21931,CVE-2021-21932,CVE-2021-21933,CVE-2021-21934,CVE-2021-21935,CVE-2021-21936,CVE-202...
talosintelligence.com
Advantech R-SeeNet application multiple SQL injection vulnerabilities in the 'company_list' page
Discovered by Yuri Kramarz of Cisco Talos. Summary: Multiple exploitable SQL injection vulnerabilities exist in the company_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-cra...
talosintelligence.com
Advantech R-SeeNet application multiple SQL injection vulnerabilities in the 'user_list' page
Discovered by Yuri Kramarz of Cisco Talos. Summary: Multiple exploitable SQL injection vulnerabilities exist in the user_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafte...
talosintelligence.com
Advantech R-SeeNet installation privilege escalation vulnerability
Discovered by Yuri Kramarz of Cisco Talos. Summary: A privilege escalation vulnerability exists in the Windows installer for Advantech R-SeeNet 2.4.15 (30.07.2021). ...
talosintelligence.com
CloudLinux Inc Imunify360 Ai-Bolit php unserialize vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. Summary: A PHP unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.8 and 5.9. A specially-crafted malfor...
talosintelligence.com
Advantech R-SeeNet application multiple SQL injection vulnerabilities in the 'group_list' page
Discovered by Yuri Kramarz of Cisco Talos. Summary: Multiple exploitable SQL injection vulnerabilities exist in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-craft...
A.S. Watson Group - HackerOne
critical - Full account takeover of any user through GET /checkout/psp/auth_response? (2500.00USD)
Lark Technologies - HackerOne
high - Non-privileged user is able to approve his own app himself, leading to mass privilege escalation.
A privilege escalation vulnerability was identified in Lark which could have potentially allowed an attacker to approve the apps in the same tenant by bypassing the admin approval. We thank @imran_nisar for reporting this to our team.
Internet Bug Bounty - HackerOne
critical - Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.50 (1000.00USD)
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for...
Internet Bug Bounty - HackerOne
fms
critical - Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013) (1000.00USD)
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for...
Zero Day Initiative
MindShaRE: Using IO Ninja to Analyze NPFS
In this installment of our MindShaRE series, ZDI vulnerability researcher Michael DePlante describes how he uses the IO Ninja tool for reverse engineering and software analysis. According to its website, IO Ninja provides an all-in-one terminal emulator, sniffer, and protocol analyzer. The t
Project Zero Bug Tracker
Linux: UAF read: SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect())
GitLab - HackerOne
high - Stored XSS via Mermaid Prototype Pollution vulnerability (3000.00USD)
### Summary I am continuing to investigate #1106238 and found an additional vector for prototype pollution and stored XSS. ### Steps to reproduce 1. Create an issue in any repository 2. Create a mermaid diagram with the following payload: ``` %%{init: { '__proto__': {'template': '<iframe xmlns=\"http://www.w3.org/1999/xhtml\" srcdoc=\"&lt;script...
GitHub Security Lab
Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver
In this post, I'll use three bugs that I reported to Qualcomm in the NPU (neural processing unit) driver to gain arbitrary kernel code execution as the root user and disable SELinux from the untrusted app sandbox in an Android phone.
Rockstar Games - HackerOne
high - Social Club Account Takeover Via RGL And Steam/Epic Linked Account
In this report, the researcher discovered and demonstrated a method to hijack access to a Social Club account via a previously-linked Epic Games or Steam account. To perform the attack, the attacker first needed access to a Steam or Epic Games account with entitlement to a game with Social Club connectivity (such as GTAV or RDR2) and that had previously been linked to a Social Club account...
talosintelligence.com
LibreCad libdxfrw dxfRW::processLType() use-after-free vulnerability
Discovered by Lilith >_> of Cisco Talos. Summary: A code execution vulnerability exists in the dxfRW::processLType() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .d...
talosintelligence.com
LibreCad libdxfrw dwgCompressor::decompress18() out-of-bounds write vulnerability
Discovered by Lilith >_> of Cisco Talos. Summary: A code execution vulnerability exists in the dwgCompressor::decompress18() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-cr...
talosintelligence.com
LibreCad libdxfrw dwgCompressor::copyCompBytes21 heap-based buffer overflow vulnerability
Discovered by Lilith >_> of Cisco Talos. Summary: A code execution vulnerability exists in the dwgCompressor::copyCompBytes21 functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-c...
Azbuka Vkusa - HackerOne
critical - Cisco Smart Install misconfiguration
Closed.
blog.grimm-co.com
Seamlessly Discovering Netgear Universal Plug-and-Pwn (UPnP) 0-days
Introduction: A Vulnerability Researcher's Favorite Stress Relief. Continuing in our series of research findings involving Netgear 1 produc...
Gamozo Labs Blog
Rust on MIPS64 Windows NT 4.0
Introduction
Azbuka Vkusa - HackerOne
high - Leak of Google Sheets API credentials
Closed.
Azbuka Vkusa - HackerOne
high - Corporate Jira credentials disclosed in public gist
Closed.
Azbuka Vkusa - HackerOne
high - IDOR - Other user's delivery address disclosed
Closed.
GitLab - HackerOne
medium - ReDoS in syntax highlighting due to Rouge (600.00USD)
### Summary GitLab is using the Ruby gem "rouge", which has a ReDoS vulnerability. In rouge, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have cubic worst-case complexity and are vulnerable to Regular Expression Denial of Service (ReDoS). By crafting malicious input, an attacker can cause Denial of Service. In GitLab, rouge...
high - Unauthorized access to employee panel with default credentials.
## Summary: Hello, while hunting on your web application, I managed to go to https://cars.fas.gsa.gov/cars/cars and was shown a form. I had already tried to log in to Cars without success. However, I noticed the loginChk() function and changed the value of the form, hence bypassing it and logging in successfully. ## Steps To Reproduce: 1. go to...
NCC Group Research
Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
Victure's WR1200 WiFi router, also sometimes referred to as AC1200, was found to have multiple vulnerabilities exposing its owners to potential intrusion into their local WiFi network and complete takeover of the device.
Project Zero Bug Tracker
Windows: WSAQuerySocketSecurity AppContainer EoP
Google Online Security Blog
ClusterFuzzLite: Continuous fuzzing for all
Posted by Jonathan Metzman, Google Open Source Security Team. In recent years, continuous fuzzing has become an essential part of the softwa...
Internet Bug Bounty - HackerOne
critical - Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (4000.00USD)
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these...
NCC Group Research
Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries
Stark Bank is a financial technology company that provides services to simplify and automate digital banking, by providing APIs to perform operations such as payments and transfers. In addition, Stark Bank maintains a number of cryptographic libraries to perform cryptographic signing and verification. These popular libraries are meant to be used to integrate with the Stark Bank ecosystem, but are also accessible on popular package manager platforms in order to be used by other projects. The node package manager reports around 16k weekly downloads for the ecdsa-node implementation while the Python implementation boasts over 7.3M downloads in the last 90 days on PyPI. A number of these libraries suffer from a vulnerability in the signature verification functions, allowing attackers to forge signatures for arbitrary messages which successfully verify with any public key.
VK.com - HackerOne
high - Uploading videos to the main album of any open group/public page. (300.00USD)
VK.com - HackerOne
high - Reflected XSS in m.vk.com/chatjoin (500.00USD)
XSS.
VK.com - HackerOne
high - Reflected XSS in m.vk.com (500.00USD)
XSS.
VK.com - HackerOne
high - Stored XSS virus in al_video.php?act=a_choose_video_box (500.00USD)
XSS.
VK.com - HackerOne
high - Stored XSS in m.vk.com/video (500.00USD)
XSS.